author Rich Salz <rsalz@openssl.org> 2017-04-07 13:37:47 -0400
committer Rich Salz <rsalz@openssl.org> 2017-04-07 14:41:57 -0400
commit ae9b7e02ecb06def1ccc1d132bd9ba7de1347518
tree af3b319bed33be11b1faf31626aba0d48dda3a79 /doc
parent 8d8cae7d3028de123a081196897b0ccedf921c6f
Use 'over 2' for bullet lists.
(cherry picked from commit 7ea8ceab4b21d93eb272a89bff73958010d5c2c4)
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3117)
Diffstat (limited to 'doc')
-rw-r--r-- doc/apps/ts.pod 25
-rw-r--r-- doc/crypto/BN_copy.pod 2
-rw-r--r-- doc/crypto/BN_generate_prime.pod 2
-rw-r--r-- doc/crypto/CRYPTO_THREAD_run_once.pod 11
-rw-r--r-- doc/crypto/CT_POLICY_EVAL_CTX_new.pod 36
-rw-r--r-- doc/crypto/DSA_generate_parameters.pod 4
-rw-r--r-- doc/crypto/RSA_generate_key.pod 2
-rw-r--r-- doc/crypto/SCT_new.pod 55
-rw-r--r-- doc/crypto/SCT_validate.pod 14
-rw-r--r-- doc/ssl/SSL_set_bio.pod 2
10 files changed, 108 insertions, 45 deletions
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index d807394adb..2ec9837075 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -187,7 +187,6 @@ response. (Optional)
This option specifies a previously created time stamp request in DER
format that will be printed into the output file. Useful when you need
to examine the content of a request in human-readable
-
format. (Optional)
=item B<-out> request.tsq
@@ -609,25 +608,35 @@ You could also look at the 'test' directory for more examples.
If you find any bugs or you have suggestions please write to
Zoltan Glozik <zglozik@opentsa.org>. Known issues:
-=over 4
+=over 2
-=item * No support for time stamps over SMTP, though it is quite easy
+=item *
+
+No support for time stamps over SMTP, though it is quite easy
to implement an automatic e-mail based TSA with L<procmail(1)>
and L<perl(1)>. HTTP server support is provided in the form of
a separate apache module. HTTP client support is provided by
L<tsget(1)>. Pure TCP/IP protocol is not supported.
-=item * The file containing the last serial number of the TSA is not
+=item *
+
+The file containing the last serial number of the TSA is not
locked when being read or written. This is a problem if more than one
instance of L<openssl(1)> is trying to create a time stamp
response at the same time. This is not an issue when using the apache
server module, it does proper locking.
-=item * Look for the FIXME word in the source files.
+=item *
+
+Look for the FIXME word in the source files.
+
+=item *
+
+The source code should really be reviewed by somebody else, too.
-=item * The source code should really be reviewed by somebody else, too.
+=item *
-=item * More testing is needed, I have done only some basic tests (see
+More testing is needed, I have done only some basic tests (see
test/testtsa).
=back
@@ -640,7 +649,7 @@ L<config(5)>
=head1 COPYRIGHT
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/crypto/BN_copy.pod b/doc/crypto/BN_copy.pod
index 500f4b2ee5..46de544286 100644
--- a/doc/crypto/BN_copy.pod
+++ b/doc/crypto/BN_copy.pod
@@ -29,7 +29,7 @@ B<BN_FLG_CONSTTIME> flag set for constant time operations. The temporary copy in
B<dest> will share some internal state with B<b>. For this reason the following
restrictions apply to the use of B<dest>:
-=over 4
+=over 2
=item *
diff --git a/doc/crypto/BN_generate_prime.pod b/doc/crypto/BN_generate_prime.pod
index a4ef2302f6..c97536b5c4 100644
--- a/doc/crypto/BN_generate_prime.pod
+++ b/doc/crypto/BN_generate_prime.pod
@@ -55,7 +55,7 @@ If B<ret> is not B<NULL>, it will be used to store the number.
If B<cb> is not B<NULL>, it is used as follows:
-=over 4
+=over 2
=item *
diff --git a/doc/crypto/CRYPTO_THREAD_run_once.pod b/doc/crypto/CRYPTO_THREAD_run_once.pod
index 7795a04477..b256a18637 100644
--- a/doc/crypto/CRYPTO_THREAD_run_once.pod
+++ b/doc/crypto/CRYPTO_THREAD_run_once.pod
@@ -32,9 +32,10 @@ supported by OpenSSL.
The following multi-threading function are provided:
-=over 4
+=over 2
=item *
+
CRYPTO_THREAD_run_once() can be used to perform one-time initialization.
The B<once> argument must be a pointer to a static object of type
B<CRYPTO_ONCE> that was statically initialized to the value
@@ -45,22 +46,28 @@ In particular, this can be used to allocate locks in a thread-safe manner,
which can then be used with the locking functions below.
=item *
+
CRYPTO_THREAD_lock_new() allocates, initializes and returns a new read/write
lock.
=item *
+
CRYPTO_THREAD_read_lock() locks the provided B<lock> for reading.
=item *
+
CRYPTO_THREAD_write_lock() locks the provided B<lock> for writing.
=item *
+
CRYPTO_THREAD_unlock() unlocks the previously locked B<lock>.
=item *
+
CRYPTO_THREAD_lock_frees() frees the provided B<lock>.
=item *
+
CRYPTO_atomic_add() atomically adds B<amount> to B<val> and returns the
result of the operation in B<ret>. B<lock> will be locked, unless atomic
operations are supported on the specific platform. Because of this, if a
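Review bot: the unchanged item "CRYPTO_THREAD_lock_frees() frees the provided B<lock>." in this list misnames the function. The API is CRYPTO_THREAD_lock_free(), so the stray "s" should be dropped while the list is being reformatted; as written, a reader searching the page for the real function name will not find its description.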
@@ -149,7 +156,7 @@ You can find out if OpenSSL was configured with thread support:
=head1 SEE ALSO
-L<crypto(3)>
+L<crypto(7)>
=head1 COPYRIGHT
diff --git a/doc/crypto/CT_POLICY_EVAL_CTX_new.pod b/doc/crypto/CT_POLICY_EVAL_CTX_new.pod
index fedc58d08a..4d0cae3bbf 100644
--- a/doc/crypto/CT_POLICY_EVAL_CTX_new.pod
+++ b/doc/crypto/CT_POLICY_EVAL_CTX_new.pod
@@ -32,15 +32,23 @@ This policy may be, for example, that at least one valid SCT is available. To
determine this, an SCT's timestamp and signature must be verified.
This requires:
-=over
+=over 2
-=item * the public key of the log that issued the SCT
+=item *
-=item * the certificate that the SCT was issued for
+the public key of the log that issued the SCT
-=item * the issuer certificate (if the SCT was issued for a pre-certificate)
+=item *
-=item * the current time
+the certificate that the SCT was issued for
+
+=item *
+
+the issuer certificate (if the SCT was issued for a pre-certificate)
+
+=item *
+
+the current time
=back
@@ -49,22 +57,30 @@ The above requirements are met using the setters described below.
CT_POLICY_EVAL_CTX_new() creates an empty policy evaluation context. This
should then be populated using:
-=over
+=over 2
-=item * CT_POLICY_EVAL_CTX_set1_cert() to provide the certificate the SCTs were issued for
+=item *
+
+CT_POLICY_EVAL_CTX_set1_cert() to provide the certificate the SCTs were issued for
Increments the reference count of the certificate.
-=item * CT_POLICY_EVAL_CTX_set1_issuer() to provide the issuer certificate
+=item *
+
+CT_POLICY_EVAL_CTX_set1_issuer() to provide the issuer certificate
Increments the reference count of the certificate.
-=item * CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE() to provide a list of logs that are trusted as sources of SCTs
+=item *
+
+CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE() to provide a list of logs that are trusted as sources of SCTs
Holds a pointer to the CTLOG_STORE, so the CTLOG_STORE must outlive the
CT_POLICY_EVAL_CTX.
-=item * CT_POLICY_EVAL_CTX_set_time() to set the time SCTs should be compared with to determine if they are valid
+=item *
+
+CT_POLICY_EVAL_CTX_set_time() to set the time SCTs should be compared with to determine if they are valid
The SCT timestamp will be compared to this time to check whether the SCT was
issued in the future. RFC6962 states that "TLS clients MUST reject SCTs whose
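Review bot: the added lines for CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE() and CT_POLICY_EVAL_CTX_set_time() run well past 80 columns, and none of the four added item lines ends with a period even though the sentence that follows each one does. Now that the item text is an ordinary paragraph instead of part of the "=item *" line, it can be wrapped like the rest of the file and terminated with a period, for example "CT_POLICY_EVAL_CTX_set1_cert() to provide the certificate the SCTs were issued for."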
diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod
index ca2c2ce7bb..fc051495f6 100644
--- a/doc/crypto/DSA_generate_parameters.pod
+++ b/doc/crypto/DSA_generate_parameters.pod
@@ -42,7 +42,7 @@ called as shown below. For information on the BN_GENCB structure and the
BN_GENCB_call function discussed below, refer to
L<BN_generate_prime(3)>.
-=over 4
+=over 2
=item *
@@ -107,7 +107,7 @@ Seed lengths E<gt> 20 are not supported.
=head1 SEE ALSO
-L<dsa(3)>, L<ERR_get_error(3)>, L<rand(3)>,
+L<DSA_new(3)>, L<ERR_get_error(3)>, L<RAND_bytes(3)>,
L<DSA_free(3)>, L<BN_generate_prime(3)>
=head1 COPYRIGHT
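Review bot: the SEE ALSO change in this hunk (L<dsa(3)> to L<DSA_new(3)>, L<rand(3)> to L<RAND_bytes(3)>) is a cross-reference fix, not a list-indent change, and the commit subject only says "Use 'over 2' for bullet lists." Mention the link updates in the commit message or split them into their own commit, so they can be found when someone later searches the history for the reference change.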
diff --git a/doc/crypto/RSA_generate_key.pod b/doc/crypto/RSA_generate_key.pod
index 24e05bd8a7..e51c0b147b 100644
--- a/doc/crypto/RSA_generate_key.pod
+++ b/doc/crypto/RSA_generate_key.pod
@@ -32,7 +32,7 @@ progress of the key generation. If B<cb> is not B<NULL>, it
will be called as follows using the BN_GENCB_call() function
described on the L<BN_generate_prime(3)> page.
-=over 4
+=over 2
=item *
diff --git a/doc/crypto/SCT_new.pod b/doc/crypto/SCT_new.pod
index 086e389ff4..e85b21ca1b 100644
--- a/doc/crypto/SCT_new.pod
+++ b/doc/crypto/SCT_new.pod
@@ -84,31 +84,45 @@ An internal representation of an SCT can be created in one of two ways.
The first option is to create a blank SCT, using SCT_new(), and then populate
it using:
-=over
+=over 2
-=item * SCT_set_version() to set the SCT version.
+=item *
+
+SCT_set_version() to set the SCT version.
Only SCT_VERSION_V1 is currently supported.
-=item * SCT_set_log_entry_type() to set the type of certificate the SCT was issued for:
+=item *
+
+SCT_set_log_entry_type() to set the type of certificate the SCT was issued for:
B<CT_LOG_ENTRY_TYPE_X509> for a normal certificate.
B<CT_LOG_ENTRY_TYPE_PRECERT> for a pre-certificate.
-=item * SCT_set0_log_id() or SCT_set1_log_id() to set the LogID of the CT log that the SCT came from.
+=item *
+
+SCT_set0_log_id() or SCT_set1_log_id() to set the LogID of the CT log that the SCT came from.
The former takes ownership, whereas the latter makes a copy.
See RFC 6962, Section 3.2 for the definition of LogID.
-=item * SCT_set_timestamp() to set the time the SCT was issued (epoch time in milliseconds).
+=item *
+
+SCT_set_timestamp() to set the time the SCT was issued (epoch time in milliseconds).
+
+=item *
+
+SCT_set_signature_nid() to set the NID of the signature.
-=item * SCT_set_signature_nid() to set the NID of the signature.
+=item *
-=item * SCT_set0_signature() or SCT_set1_signature() to set the raw signature value.
+SCT_set0_signature() or SCT_set1_signature() to set the raw signature value.
The former takes ownership, whereas the latter makes a copy.
-=item * SCT_set0_extensions() or B<SCT_set1_extensions> to provide SCT extensions.
+=item *
+
+SCT_set0_extensions() or B<SCT_set1_extensions> to provide SCT extensions.
The former takes ownership, whereas the latter makes a copy.
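Review bot: in the last added item, "SCT_set0_extensions() or B<SCT_set1_extensions>" marks up the two setters differently. Every other function in this list is written as a plain name with parentheses, so the line should read "SCT_set0_extensions() or SCT_set1_extensions()"; since the line is being rewritten here anyway, this is the place to fix it.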
@@ -117,22 +131,33 @@ The former takes ownership, whereas the latter makes a copy.
Alternatively, the SCT can be pre-populated from the following data using
SCT_new_from_base64():
-=over
+=over 2
+
+=item *
+
+The SCT version (only SCT_VERSION_V1 is currently supported).
-=item * The SCT version (only SCT_VERSION_V1 is currently supported).
+=item *
-=item * The LogID (see RFC 6962, Section 3.2), base64 encoded.
+The LogID (see RFC 6962, Section 3.2), base64 encoded.
-=item * The type of certificate the SCT was issued for:
+=item *
+The type of certificate the SCT was issued for:
B<CT_LOG_ENTRY_TYPE_X509> for a normal certificate.
B<CT_LOG_ENTRY_TYPE_PRECERT> for a pre-certificate.
-=item * The time that the SCT was issued (epoch time in milliseconds).
+=item *
+
+The time that the SCT was issued (epoch time in milliseconds).
+
+=item *
+
+The SCT extensions, base64 encoded.
-=item * The SCT extensions, base64 encoded.
+=item *
-=item * The SCT signature, base64 encoded.
+The SCT signature, base64 encoded.
=back
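Review bot: the "=item *" added before "The type of certificate the SCT was issued for:" has no added blank line after it, unlike every other item converted in this hunk. POD ends a command paragraph only at a blank line, so that text stays part of the =item paragraph instead of becoming a separate paragraph like its siblings. Add an empty line between "=item *" and the text.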
diff --git a/doc/crypto/SCT_validate.pod b/doc/crypto/SCT_validate.pod
index 9868a282b5..5ff0e8c459 100644
--- a/doc/crypto/SCT_validate.pod
+++ b/doc/crypto/SCT_validate.pod
@@ -31,20 +31,26 @@ SCT_get_validation_status().
A CT_POLICY_EVAL_CTX must be provided that specifies:
-=over
+=over 2
-=item * The certificate the SCT was issued for.
+=item *
+
+The certificate the SCT was issued for.
Failure to provide the certificate will result in the validation status being
SCT_VALIDATION_STATUS_UNVERIFIED.
-=item * The issuer of that certificate.
+=item *
+
+The issuer of that certificate.
This is only required if the SCT was issued for a pre-certificate
(see RFC 6962). If it is required but not provided, the validation status will
be SCT_VALIDATION_STATUS_UNVERIFIED.
-=item * A CTLOG_STORE that contains the CT log that issued this SCT.
+=item *
+
+A CTLOG_STORE that contains the CT log that issued this SCT.
If the SCT was issued by a log that is not in this CTLOG_STORE, the validation
status will be SCT_VALIDATION_STATUS_UNKNOWN_LOG.
diff --git a/doc/ssl/SSL_set_bio.pod b/doc/ssl/SSL_set_bio.pod
index 104f40678f..4230940bdb 100644
--- a/doc/ssl/SSL_set_bio.pod
+++ b/doc/ssl/SSL_set_bio.pod
@@ -37,7 +37,7 @@ the rules for this are much more complex. For this reason this function is
considered a legacy function and SSL_set0_rbio() and SSL_set0_wbio() should be
used in preference. The ownership rules are as follows:
-=over 4
+=over 2
=item *