Re-convert and re-import the CMS manual pages from OpenSSL 1.1.1

(which are still under a free license) with pod2mdoc(1) now that
jsing@ has begun work to provide these APIs.
Some formatting was improved and some typos were fixed, but apart
from that, little was changed, so there is still much to polish.

21 files changed, 3388 insertions, 0 deletions

diff --git a/src/lib/libcrypto/man/BIO_new_CMS.3 b/src/lib/libcrypto/man/BIO_new_CMS.3
new file mode 100644
index 0000000000..d35fb0b7bf
--- /dev/null
+++ b/src/lib/libcrypto/man/BIO_new_CMS.3
@@ -0,0 +1,138 @@
+.\" $OpenBSD: BIO_new_CMS.3,v 1.4 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL df75c2bfc Dec 9 01:02:36 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt BIO_NEW_CMS 3
+.Os
+.Sh NAME
+.Nm BIO_new_CMS
+.Nd CMS streaming filter BIO
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft BIO *
+.Fo BIO_new_CMS
+.Fa "BIO *out"
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Sh DESCRIPTION
+.Fn BIO_new_CMS
+returns a streaming filter
+.Vt BIO
+chain based on
+.Fa cms .
+The output of the filter is written to
+.Fa out .
+Any data written to the chain is automatically translated
+to a BER format CMS structure of the appropriate type.
+.Pp
+The chain returned by this function behaves like a standard filter
+.Vt BIO .
+It supports non blocking I/O.
+Content is processed and streamed on the fly and not all held in memory
+at once: so it is possible to encode very large structures.
+After all content has been written through the chain,
+.Xr BIO_flush 3
+must be called to finalise the structure.
+.Pp
+The
+.Dv CMS_STREAM
+flag must be included in the corresponding
+.Fa flags
+parameter of the
+.Fa cms
+creation function.
+.Pp
+If an application wishes to write additional data to
+.Fa out ,
+BIOs should be removed from the chain using
+.Xr BIO_pop 3
+and freed with
+.Xr BIO_free 3
+until
+.Fa out
+is reached.
+If no additional data needs to be written,
+.Xr BIO_free_all 3
+can be called to free up the whole chain.
+.Pp
+Any content written through the filter is used verbatim:
+no canonical translation is performed.
+.Pp
+It is possible to chain multiple BIOs to, for example,
+create a triple wrapped signed, enveloped, signed structure.
+In this case it is the application's responsibility
+to set the inner content type of any outer
+.Vt CMS_ContentInfo
+structures.
+.Pp
+Large numbers of small writes through the chain should be avoided as this
+will produce an output consisting of lots of OCTET STRING structures.
+Prepending a
+.Xr BIO_f_buffer 3
+buffering BIO will prevent this.
+.Sh RETURN VALUES
+.Fn BIO_new_CMS
+returns a
+.Vt BIO
+chain when successful or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3
+.Sh HISTORY
+The
+.Fn BIO_new_CMS
+function was added in OpenSSL 1.0.0.
+.Sh BUGS
+There is currently no corresponding inverse BIO
+which can decode a CMS structure on the fly.
diff --git a/src/lib/libcrypto/man/CMS_add0_cert.3 b/src/lib/libcrypto/man/CMS_add0_cert.3
new file mode 100644
index 0000000000..9f99e2259f
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_add0_cert.3
@@ -0,0 +1,177 @@
+.\" $OpenBSD: CMS_add0_cert.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_ADD0_CERT 3
+.Os
+.Sh NAME
+.Nm CMS_add0_cert ,
+.Nm CMS_add1_cert ,
+.Nm CMS_get1_certs ,
+.Nm CMS_add0_crl ,
+.Nm CMS_add1_crl ,
+.Nm CMS_get1_crls
+.Nd CMS certificate and CRL utility functions
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo CMS_add0_cert
+.Fa "CMS_ContentInfo *cms"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo CMS_add1_cert
+.Fa "CMS_ContentInfo *cms"
+.Fa "X509 *cert"
+.Fc
+.Ft STACK_OF(X509) *
+.Fo CMS_get1_certs
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Ft int
+.Fo CMS_add0_crl
+.Fa "CMS_ContentInfo *cms"
+.Fa "X509_CRL *crl"
+.Fc
+.Ft int
+.Fo CMS_add1_crl
+.Fa "CMS_ContentInfo *cms"
+.Fa "X509_CRL *crl"
+.Fc
+.Ft STACK_OF(X509_CRL) *
+.Fo CMS_get1_crls
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_add0_cert
+and
+.Fn CMS_add1_cert
+add the certificate
+.Fa cert
+to
+.Fa cms .
+.Fa cms
+must be of type signed data or enveloped data.
+.Pp
+.Fn CMS_get1_certs
+returns all certificates in
+.Fa cms .
+.Pp
+.Fn CMS_add0_crl
+and
+.Fn CMS_add1_crl
+add the CRL
+.Fa crl
+to
+.Fa cms .
+.Fn CMS_get1_crls
+returns any CRLs in
+.Fa cms .
+.Pp
+The
+.Vt CMS_ContentInfo
+structure
+.Fa cms
+must be of type signed data or enveloped data or an error will be
+returned.
+.Pp
+The signed data certificates and CRLs are added to the
+.Sy certificates
+and
+.Sy crls
+fields of the SignedData structure.
+For enveloped data, they are added to
+.Sy OriginatorInfo .
+.Pp
+As the
+.Sq 0
+in the function name implies,
+.Fn CMS_add0_cert
+adds
+.Fa cert
+internally to
+.Fa cms
+and it must not be freed up after the call, as opposed to
+.Fn CMS_add1_cert
+where
+.Fa cert
+must be freed up.
+.Pp
+The same certificate or CRL must not be added to the same cms structure
+more than once.
+.Sh RETURN VALUES
+.Fn CMS_add0_cert ,
+.Fn CMS_add1_cert ,
+.Fn CMS_add0_crl ,
+and
+.Fn CMS_add1_crl
+return 1 for success or 0 for failure.
+.Pp
+.Fn CMS_get1_certs
+and
+.Fn CMS_get1_crls
+return the STACK of certificates or CRLs or
+.Dv NULL
+if there are none or an error occurs.
+The only error which will occur in practice is if the
+.Fa cms
+type is invalid.
+.Sh SEE ALSO
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3 ,
+.Xr ERR_get_error 3
+.Sh HISTORY
+.Fn CMS_add0_cert ,
+.Fn CMS_add1_cert ,
+.Fn CMS_get1_certs ,
+.Fn CMS_add0_crl
+and
+.Fn CMS_get1_crls
+were all first added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_add1_recipient_cert.3 b/src/lib/libcrypto/man/CMS_add1_recipient_cert.3
new file mode 100644
index 0000000000..47307fdaa1
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_add1_recipient_cert.3
@@ -0,0 +1,165 @@
+.\" $OpenBSD: CMS_add1_recipient_cert.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_ADD1_RECIPIENT_CERT 3
+.Os
+.Sh NAME
+.Nm CMS_add1_recipient_cert ,
+.Nm CMS_add0_recipient_key
+.Nd add recipients to a CMS enveloped data structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_RecipientInfo *
+.Fo CMS_add1_recipient_cert
+.Fa "CMS_ContentInfo *cms"
+.Fa "X509 *recip"
+.Fa "unsigned int flags"
+.Fc
+.Ft CMS_RecipientInfo *
+.Fo CMS_add0_recipient_key
+.Fa "CMS_ContentInfo *cms"
+.Fa "int nid"
+.Fa "unsigned char *key"
+.Fa "size_t keylen"
+.Fa "unsigned char *id"
+.Fa "size_t idlen"
+.Fa "ASN1_GENERALIZEDTIME *date"
+.Fa "ASN1_OBJECT *otherTypeId"
+.Fa "ASN1_TYPE *otherType"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_add1_recipient_cert
+adds the recipient
+.Fa recip
+to the
+.Vt CMS_ContentInfo
+enveloped data structure
+.Fa cms
+as a KeyTransRecipientInfo structure.
+.Pp
+.Fn CMS_add0_recipient_key
+adds the symmetric key
+.Fa key
+of length
+.Fa keylen
+using the wrapping algorithm
+.Fa nid ,
+the identifier
+.Fa id
+of length
+.Fa idlen ,
+and the optional values
+.Fa date ,
+.Fa otherTypeId
+and
+.Fa otherType
+to the
+.Vt CMS_ContentInfo
+enveloped data structure
+.Fa cms
+as a KEKRecipientInfo structure.
+.Pp
+The
+.Vt CMS_ContentInfo
+structure should be obtained from an initial call to
+.Xr CMS_encrypt 3
+with the flag
+.Dv CMS_PARTIAL
+set.
+.Pp
+The main purpose of this function is to provide finer control over a CMS
+enveloped data structure where the simpler
+.Xr CMS_encrypt 3
+function defaults are not appropriate,
+for example if one or more KEKRecipientInfo structures need to be added.
+New attributes can also be added using the returned
+.Vt CMS_RecipientInfo
+structure and the CMS attribute utility functions.
+.Pp
+By default, recipient certificates are identified using issuer
+name and serial number.
+If the flag
+.Dv CMS_USE_KEYID
+is set, it will use the subject key identifier value instead.
+An error occurs if all recipient certificates do not have a subject key
+identifier extension.
+.Pp
+Currently only AES based key wrapping algorithms are supported for
+.Fa nid ,
+specifically
+.Dv NID_id_aes128_wrap ,
+.Dv NID_id_aes192_wrap ,
+and
+.Dv NID_id_aes256_wrap .
+If
+.Fa nid
+is set to
+.Dv NID_undef ,
+then an AES wrap algorithm will be used consistent with
+.Fa keylen .
+.Sh RETURN VALUES
+.Fn CMS_add1_recipient_cert
+and
+.Fn CMS_add0_recipient_key
+return an internal pointer to the
+.Vt CMS_RecipientInfo
+structure just added or
+.Dv NULL
+if an error occurs.
+.Sh SEE ALSO
+.Xr CMS_decrypt 3 ,
+.Xr CMS_final 3 ,
+.Xr ERR_get_error 3
+.Sh HISTORY
+.Fn CMS_add1_recipient_cert
+and
+.Fn CMS_add0_recipient_key
+were added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_add1_signer.3 b/src/lib/libcrypto/man/CMS_add1_signer.3
new file mode 100644
index 0000000000..065e15c7be
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_add1_signer.3
@@ -0,0 +1,203 @@
+.\" $OpenBSD: CMS_add1_signer.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_ADD1_SIGNER 3
+.Os
+.Sh NAME
+.Nm CMS_add1_signer ,
+.Nm CMS_SignerInfo_sign
+.Nd add a signer to a CMS_ContentInfo signed data structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_SignerInfo *
+.Fo CMS_add1_signer
+.Fa "CMS_ContentInfo *cms"
+.Fa "X509 *signcert"
+.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_MD *md"
+.Fa "unsigned int flags"
+.Fc
+.Ft int
+.Fo CMS_SignerInfo_sign
+.Fa "CMS_SignerInfo *si"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_add1_signer
+adds a signer with certificate
+.Fa signcert
+and private key
+.Fa pkey
+using message digest
+.Fa md
+to the
+.Vt CMS_ContentInfo
+SignedData structure
+.Fa cms .
+.Pp
+The
+.Vt CMS_ContentInfo
+structure should be obtained from an initial call to
+.Xr CMS_sign 3
+with the flag
+.Dv CMS_PARTIAL
+set or in the case or re-signing a valid
+.Vt CMS_ContentInfo
+SignedData structure.
+.Pp
+If the
+.Fa md
+parameter is
+.Dv NULL ,
+then the default digest for the public key algorithm will be used.
+.Pp
+Unless the
+.Dv CMS_REUSE_DIGEST
+flag is set, the returned
+.Vt CMS_ContentInfo
+structure is not complete and must be finalized either by streaming
+(if applicable) or a call to
+.Xr CMS_final 3 .
+.Pp
+The
+.Fn CMS_SignerInfo_sign
+function will explicitly sign a
+.Vt CMS_SignerInfo
+structure.
+Its main use is when the
+.Dv CMS_REUSE_DIGEST
+and
+.Dv CMS_PARTIAL
+flags are both set.
+.Pp
+The main purpose of
+.Fn CMS_add1_signer
+is to provide finer control over a CMS signed data structure where the
+simpler
+.Xr CMS_sign 3
+function defaults are not appropriate, for example if multiple signers
+or non default digest algorithms are needed.
+New attributes can also be added using the returned
+.Vt CMS_SignerInfo
+structure and the CMS attribute utility functions or the CMS signed
+receipt request functions.
+.Pp
+Any of the following flags (OR'ed together) can be passed in the
+.Fa flags
+parameter:
+.Bl -tag -width Ds
+.It Dv CMS_REUSE_DIGEST
+Attempt to copy the content digest value from the
+.Vt CMS_ContentInfo
+structure to add a signer to an existing structure.
+An error occurs if a matching digest value cannot be found to copy.
+The returned
+.Vt CMS_ContentInfo
+structure will be valid and finalized when this flag is set.
+.It Dv CMS_PARTIAL
+If this flag is set in addition to
+.Dv CMS_REUSE_DIGEST ,
+then the
+.Vt CMS_SignerInfo
+structure will not be finalized so additional attributes can be added.
+In this case an explicit call to
+.Fn CMS_SignerInfo_sign
+is needed to finalize it.
+.It Dv CMS_NOCERTS
+Do not include the signer's certificate in the
+.Vt CMS_ContentInfo
+structure.
+The signer's certificate must still be supplied in the
+.Fa signcert
+parameter though.
+This can reduce the size of the signature if the signer's certificate can
+be obtained by other means, for example from a previously signed message.
+.Pp
+The SignedData structure includes several CMS signedAttributes including
+the signing time, the CMS content type and the supported list of ciphers
+in an SMIMECapabilities attribute.
+.It Dv CMS_NOATTR
+Use no signedAttributes.
+.It Dv CMS_NOSMIMECAP
+Omit just the SMIMECapabilities.
+.It Dv CMS_USE_KEYID
+Use the subject key identifier value to identify signing certificates.
+An error occurs if the signing certificate does not have a subject key
+identifier extension.
+By default, issuer name and serial number are used instead.
+.El
+.Pp
+If present, the SMIMECapabilities attribute indicates support for the
+following algorithms in preference order: 256 bit AES, Gost R3411-94,
+Gost 28147-89, 192 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit
+RC2, DES and 40 bit RC2.
+If any of these algorithms is not available then it will not be
+included: for example the GOST algorithms will not be included if
+the GOST ENGINE is not loaded.
+.Pp
+.Fn CMS_add1_signer
+returns an internal pointer to the
+.Vt CMS_SignerInfo
+structure just added.
+This can be used to set additional attributes before it is finalized.
+.Sh RETURN VALUES
+.Fn CMS_add1_signer
+returns an internal pointer to the
+.Vt CMS_SignerInfo
+structure just added or
+.Dv NULL
+if an error occurs.
+.Sh SEE ALSO
+.Xr CMS_final 3 ,
+.Xr CMS_sign 3 ,
+.Xr ERR_get_error 3
+.Sh HISTORY
+.Fn CMS_add1_signer
+was added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_compress.3 b/src/lib/libcrypto/man/CMS_compress.3
new file mode 100644
index 0000000000..64bab79617
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_compress.3
@@ -0,0 +1,157 @@
+.\" $OpenBSD: CMS_compress.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_COMPRESS 3
+.Os
+.Sh NAME
+.Nm CMS_compress
+.Nd create a CMS CompressedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ContentInfo *
+.Fo CMS_compress
+.Fa "BIO *in"
+.Fa "int comp_nid"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_compress
+creates and returns a CMS CompressedData structure.
+.Fa comp_nid
+is the compression algorithm to use or
+.Dv NID_undef
+to use the default algorithm (zlib compression).
+.Fa in
+is the content to be compressed.
+.Fa flags
+is an optional set of flags.
+.Pp
+The only currently supported compression algorithm is zlib using the NID
+.Dv NID_zlib_compression .
+.Pp
+If zlib support is not compiled in, then
+.Fn CMS_compress
+will return an error.
+.Pp
+If the
+.Dv CMS_TEXT
+flag is set, MIME headers for type text/plain are prepended to the data.
+.Pp
+Normally the supplied content is translated into MIME canonical format
+(as required by the S/MIME specifications); if
+.Dv CMS_BINARY
+is set, no translation occurs.
+This option should be used if the supplied data is in binary format.
+Otherwise, the translation will corrupt it.
+If
+.Dv CMS_BINARY
+is set then
+.Dv CMS_TEXT
+is ignored.
+.Pp
+If the
+.Dv CMS_STREAM
+flag is set, a partial
+.Vt CMS_ContentInfo
+structure is returned suitable for streaming I/O: no data is read from
+the BIO
+.Fa in .
+.Pp
+The compressed data is included in the
+.Vt CMS_ContentInfo
+structure unless
+.Dv CMS_DETACHED
+is set, in which case it is omitted.
+This is rarely used in practice and is not supported by
+.Xr SMIME_write_CMS 3 .
+.Pp
+If the flag
+.Dv CMS_STREAM
+is set, the returned
+.Vt CMS_ContentInfo
+structure is
+.Em not
+complete and outputting its contents via a function that does not
+properly finalize the
+.Vt CMS_ContentInfo
+structure will give unpredictable results.
+.Pp
+Several functions including
+.Xr SMIME_write_CMS 3 ,
+.Xr i2d_CMS_bio_stream 3 ,
+and
+.Xr PEM_write_bio_CMS_stream 3
+finalize the structure.
+Alternatively finalization can be performed by obtaining the streaming
+ASN1
+.Vt BIO
+directly using
+.Xr BIO_new_CMS 3 .
+.Pp
+Additional compression parameters such as the zlib compression level
+cannot currently be set.
+.Sh RETURN VALUES
+.Fn CMS_compress
+returns either a
+.Vt CMS_ContentInfo
+structure or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_uncompress 3
+.Sh HISTORY
+.Fn CMS_compress
+was added to OpenSSL 0.9.8.
+The
+.Dv CMS_STREAM
+flag was added in OpenSSL 1.0.0.
diff --git a/src/lib/libcrypto/man/CMS_decrypt.3 b/src/lib/libcrypto/man/CMS_decrypt.3
new file mode 100644
index 0000000000..de37b357a1
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_decrypt.3
@@ -0,0 +1,169 @@
+.\" $OpenBSD: CMS_decrypt.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008, 2014 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_DECRYPT 3
+.Os
+.Sh NAME
+.Nm CMS_decrypt
+.Nd decrypt content from a CMS envelopedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo CMS_decrypt
+.Fa "CMS_ContentInfo *cms"
+.Fa "EVP_PKEY *pkey"
+.Fa "X509 *cert"
+.Fa "BIO *dcont"
+.Fa "BIO *out"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_decrypt
+extracts and decrypts the content from a CMS EnvelopedData structure.
+.Fa pkey
+is the private key of the recipient,
+.Fa cert
+is the recipient's certificate,
+.Fa out
+is a
+.Vt BIO
+to write the content to and
+.Fa flags
+is an optional set of flags.
+.Pp
+The
+.Fa dcont
+parameter is used in the rare case where the encrypted content is
+detached.
+It will normally be set to
+.Dv NULL .
+.Pp
+Although the recipients certificate is not needed to decrypt the data it
+is needed to locate the appropriate (of possible several) recipients in
+the CMS structure.
+.Pp
+If
+.Fa cert
+is set to
+.Dv NULL ,
+all possible recipients are tried.
+This case however is problematic.
+To thwart the MMA attack (Bleichenbacher's attack on PKCS #1 v1.5 RSA
+padding) all recipients are tried whether they succeed or not.
+If no recipient succeeds then a random symmetric key is used to decrypt
+the content: this will typically output garbage and may (but is not
+guaranteed to) ultimately return a padding error only.
+If
+.Fn CMS_decrypt
+just returned an error when all recipient encrypted keys failed to
+decrypt an attacker could use this in a timing attack.
+If the special flag
+.Dv CMS_DEBUG_DECRYPT
+is set, then the above behaviour is modified and an error
+.Em is
+returned if no recipient encrypted key can be decrypted
+.Em without
+generating a random content encryption key.
+Applications should use this flag with extreme caution
+especially in automated gateways as it can leave them open to attack.
+.Pp
+It is possible to determine the correct recipient key by other means
+(for example looking them up in a database) and setting them in the CMS
+structure in advance using the CMS utility functions such as
+.Xr CMS_set1_pkey 3 .
+In this case both
+.Fa cert
+and
+.Fa pkey
+should be set to
+.Dv NULL .
+.Pp
+To process KEKRecipientInfo types,
+.Xr CMS_set1_key 3
+or
+.Xr CMS_RecipientInfo_set0_key 3
+and
+.Xr CMS_RecipientInfo_decrypt 3
+should be called before
+.Fn CMS_decrypt
+and
+.Fa cert
+and
+.Fa pkey
+set to
+.Dv NULL .
+.Pp
+The following flags can be passed in the
+.Fa flags
+parameter:
+.Pp
+If the
+.Dv CMS_TEXT
+flag is set, MIME headers for type text/plain
+are deleted from the content.
+If the content is not of type text/plain,
+then an error is returned.
+.Sh RETURN VALUES
+.Fn CMS_decrypt
+returns either 1 for success or 0 for failure.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_encrypt 3
+.Sh HISTORY
+.Fn CMS_decrypt
+was added to OpenSSL 0.9.8.
+.Sh BUGS
+The lack of single pass processing and the need to hold all data in
+memory as mentioned in
+.Xr CMS_verify 3
+also applies to
+.Fn CMS_decrypt .
diff --git a/src/lib/libcrypto/man/CMS_encrypt.3 b/src/lib/libcrypto/man/CMS_encrypt.3
new file mode 100644
index 0000000000..8550de2c9f
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_encrypt.3
@@ -0,0 +1,190 @@
+.\" $OpenBSD: CMS_encrypt.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_ENCRYPT 3
+.Os
+.Sh NAME
+.Nm CMS_encrypt
+.Nd create a CMS envelopedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ContentInfo *
+.Fo CMS_encrypt
+.Fa "STACK_OF(X509) *certs"
+.Fa "BIO *in"
+.Fa "const EVP_CIPHER *cipher"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_encrypt
+creates and returns a CMS EnvelopedData structure.
+.Fa certs
+is a list of recipient certificates.
+.Fa in
+is the content to be encrypted.
+.Fa cipher
+is the symmetric cipher to use.
+.Fa flags
+is an optional set of flags.
+.Pp
+Only certificates carrying RSA, Diffie-Hellman or EC keys are supported
+by this function.
+.Pp
+.Xr EVP_des_ede3_cbc 3
+(triple DES) is the algorithm of choice for S/MIME use because most
+clients will support it.
+.Pp
+The algorithm passed in the
+.Fa cipher
+parameter must support ASN1 encoding of its parameters.
+.Pp
+Many browsers implement a "sign and encrypt" option which is simply an
+S/MIME envelopedData containing an S/MIME signed message.
+This can be readily produced by storing the S/MIME signed message in a
+memory BIO and passing it to
+.Fn CMS_encrypt .
+.Pp
+The following flags can be passed in the
+.Fa flags
+parameter:
+.Bl -tag -width Ds
+.It Dv CMS_TEXT
+MIME headers for type text/plain are prepended to the data.
+.It Dv CMS_BINARY
+Do not translate the supplied content into MIME canonical format
+even though that is required by the S/MIME specifications.
+This option should be used if the supplied data is in binary format.
+Otherwise, the translation will corrupt it.
+If
+.Dv CMS_BINARY
+is set, then
+.Dv CMS_TEXT
+is ignored.
+.It Dv CMS_USE_KEYID
+Use the subject key identifier value to identify recipient certificates.
+An error occurs if all recipient certificates do not have a subject key
+identifier extension.
+By default, issuer name and serial number are used instead.
+.It Dv CMS_STREAM
+Return a partial
+.Vt CMS_ContentInfo
+structure suitable for streaming I/O: no data is read from the BIO
+.Fa in .
+.It Dv CMS_PARTIAL
+Return a partial
+.Vt CMS_ContentInfo
+structure to which additional recipients and attributes can
+be added before finalization.
+.It Dv CMS_DETACHED
+Omit the data being encrypted from the
+.Vt CMS_ContentInfo
+structure.
+This is rarely used in practice and is not supported by
+.Xr SMIME_write_CMS 3 .
+.El
+.Pp
+If the flag
+.Dv CMS_STREAM
+is set, the returned
+.Vt CMS_ContentInfo
+structure is
+.Em not
+complete and outputting its contents via a function that does not
+properly finalize the
+.Vt CMS_ContentInfo
+structure will give unpredictable results.
+.Pp
+Several functions including
+.Xr SMIME_write_CMS 3 ,
+.Xr i2d_CMS_bio_stream 3 ,
+.Xr PEM_write_bio_CMS_stream 3
+finalize the structure.
+Alternatively finalization can be performed by obtaining the streaming
+ASN1
+.Vt BIO
+directly using
+.Xr BIO_new_CMS 3 .
+.Pp
+The recipients specified in
+.Fa certs
+use a CMS KeyTransRecipientInfo info structure.
+KEKRecipientInfo is also supported using the flag
+.Dv CMS_PARTIAL
+and
+.Xr CMS_add0_recipient_key 3 .
+.Pp
+The parameter
+.Fa certs
+may be
+.Dv NULL
+if
+.Dv CMS_PARTIAL
+is set and recipients are added later using
+.Xr CMS_add1_recipient_cert 3
+or
+.Xr CMS_add0_recipient_key 3 .
+.Sh RETURN VALUES
+.Fn CMS_encrypt
+returns either a
+.Vt CMS_ContentInfo
+structure or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_decrypt 3
+.Sh HISTORY
+.Fn CMS_encrypt
+was added to OpenSSL 0.9.8.
+The
+.Sy CMS_STREAM
+flag was first supported in OpenSSL 1.0.0.
diff --git a/src/lib/libcrypto/man/CMS_final.3 b/src/lib/libcrypto/man/CMS_final.3
new file mode 100644
index 0000000000..8404005c74
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_final.3
@@ -0,0 +1,98 @@
+.\" $OpenBSD: CMS_final.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 25ccb589 Jul 1 02:02:06 2019 +0800
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_FINAL 3
+.Os
+.Sh NAME
+.Nm CMS_final
+.Nd finalise a CMS_ContentInfo structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo CMS_final
+.Fa "CMS_ContentInfo *cms"
+.Fa "BIO *data"
+.Fa "BIO *dcont"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_final
+finalises the structure
+.Fa cms .
+Its purpose is to perform any operations necessary on
+.Fa cms
+(digest computation for example) and set the appropriate fields.
+The parameter
+.Fa data
+contains the content to be processed.
+The
+.Fa dcont
+parameter contains a
+.Vt BIO
+to write content to after processing: this is
+only used with detached data and will usually be set to
+.Dv NULL .
+.Pp
+This function will normally be called when the
+.Dv CMS_PARTIAL
+flag is used.
+It should only be used when streaming is not performed because the
+streaming I/O functions perform finalisation operations internally.
+.Sh RETURN VALUES
+.Fn CMS_final
+returns 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3 ,
+.Xr ERR_get_error 3
+.Sh HISTORY
+.Fn CMS_final
+was added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3 b/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3
new file mode 100644
index 0000000000..07c16c5675
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3
@@ -0,0 +1,323 @@
+.\" $OpenBSD: CMS_get0_RecipientInfos.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008, 2013 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_GET0_RECIPIENTINFOS 3
+.Os
+.Sh NAME
+.Nm CMS_get0_RecipientInfos ,
+.Nm CMS_RecipientInfo_type ,
+.Nm CMS_RecipientInfo_ktri_get0_signer_id ,
+.Nm CMS_RecipientInfo_ktri_cert_cmp ,
+.Nm CMS_RecipientInfo_set0_pkey ,
+.Nm CMS_RecipientInfo_kekri_get0_id ,
+.Nm CMS_RecipientInfo_kekri_id_cmp ,
+.Nm CMS_RecipientInfo_set0_key ,
+.Nm CMS_RecipientInfo_decrypt ,
+.Nm CMS_RecipientInfo_encrypt
+.Nd CMS envelopedData RecipientInfo routines
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft STACK_OF(CMS_RecipientInfo) *
+.Fo CMS_get0_RecipientInfos
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_type
+.Fa "CMS_RecipientInfo *ri"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_ktri_get0_signer_id
+.Fa "CMS_RecipientInfo *ri"
+.Fa "ASN1_OCTET_STRING **keyid"
+.Fa "X509_NAME **issuer"
+.Fa "ASN1_INTEGER **sno"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_ktri_cert_cmp
+.Fa "CMS_RecipientInfo *ri"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_set0_pkey
+.Fa "CMS_RecipientInfo *ri"
+.Fa "EVP_PKEY *pkey"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_kekri_get0_id
+.Fa "CMS_RecipientInfo *ri"
+.Fa "X509_ALGOR **palg"
+.Fa "ASN1_OCTET_STRING **pid"
+.Fa "ASN1_GENERALIZEDTIME **pdate"
+.Fa "ASN1_OBJECT **potherid"
+.Fa "ASN1_TYPE **pothertype"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_kekri_id_cmp
+.Fa "CMS_RecipientInfo *ri"
+.Fa "const unsigned char *id"
+.Fa "size_t idlen"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_set0_key
+.Fa "CMS_RecipientInfo *ri"
+.Fa "unsigned char *key"
+.Fa "size_t keylen"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_decrypt
+.Fa "CMS_ContentInfo *cms"
+.Fa "CMS_RecipientInfo *ri"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_encrypt
+.Fa "CMS_ContentInfo *cms"
+.Fa "CMS_RecipientInfo *ri"
+.Fc
+.Sh DESCRIPTION
+The function
+.Fn CMS_get0_RecipientInfos
+returns all the
+.Vt CMS_RecipientInfo
+structures associated with a CMS EnvelopedData structure.
+.Pp
+.Fn CMS_RecipientInfo_type
+returns the type of the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri .
+It will currently return
+.Dv CMS_RECIPINFO_TRANS ,
+.Dv CMS_RECIPINFO_AGREE ,
+.Dv CMS_RECIPINFO_KEK ,
+.Dv CMS_RECIPINFO_PASS ,
+or
+.Dv CMS_RECIPINFO_OTHER .
+.Pp
+.Fn CMS_RecipientInfo_ktri_get0_signer_id
+retrieves the certificate recipient identifier associated with a
+specific
+.Vt CMS_RecipientInfo
+structure
+.Fa ri ,
+which must be of type
+.Dv CMS_RECIPINFO_TRANS .
+Either the keyidentifier will be set in
+.Fa keyid
+or
+.Em both
+issuer name and serial number in
+.Fa issuer
+and
+.Fa sno .
+.Pp
+.Fn CMS_RecipientInfo_ktri_cert_cmp
+compares the certificate
+.Fa cert
+against the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri ,
+which must be of type
+.Dv CMS_RECIPINFO_TRANS .
+It returns zero if the comparison is successful or non-zero if not.
+.Pp
+.Fn CMS_RecipientInfo_set0_pkey
+associates the private key
+.Fa pkey
+with the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri ,
+which must be of type
+.Dv CMS_RECIPINFO_TRANS .
+.Pp
+.Fn CMS_RecipientInfo_kekri_get0_id
+retrieves the key information from the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri
+which must be of type
+.Dv CMS_RECIPINFO_KEK .
+Any of the remaining parameters can be
+.Dv NULL
+if the application is not interested in the value of a field.
+Where a field is optional and absent,
+.Dv NULL
+will be written to the corresponding parameter.
+The keyEncryptionAlgorithm field is written to
+.Fa palg ,
+the keyIdentifier field is written to
+.Fa pid ,
+the
+.Sy date
+field if present is written to
+.Fa pdate .
+If the
+.Sy other
+field is present the components
+.Sy keyAttrId
+and
+.Sy keyAttr
+are written to the parameters
+.Fa potherid
+and
+.Fa pothertype .
+.Pp
+.Fn CMS_RecipientInfo_kekri_id_cmp
+compares the ID in the
+.Fa id
+and
+.Fa idlen
+parameters against the keyIdentifier
+.Vt CMS_RecipientInfo
+structure
+.Fa ri ,
+which must be of type
+.Dv CMS_RECIPINFO_KEK .
+It returns zero if the comparison is successful or non-zero if not.
+.Pp
+.Fn CMS_RecipientInfo_set0_key
+associates the symmetric key
+.Fa key
+of length
+.Fa keylen
+with the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri ,
+which must be of type
+.Dv CMS_RECIPINFO_KEK .
+.Pp
+.Fn CMS_RecipientInfo_decrypt
+attempts to decrypt the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri
+in structure
+.Fa cms .
+A key must have been associated with the structure first.
+.Pp
+.Fn CMS_RecipientInfo_encrypt
+attempts to encrypt the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri
+in structure
+.Fa cms .
+A key must have been associated with the structure first and the content
+encryption key must be available: for example by a previous call to
+.Fn CMS_RecipientInfo_decrypt .
+.Pp
+The main purpose of these functions is to enable an application to
+lookup recipient keys using any appropriate technique when the simpler
+method of
+.Xr CMS_decrypt 3
+is not appropriate.
+.Pp
+In typical usage, an application will retrieve all
+.Vt CMS_RecipientInfo
+structures using
+.Fn CMS_get0_RecipientInfos
+and check the type of each using
+.Fn CMS_RecipientInfo_type .
+Depending on the type, the
+.Vt CMS_RecipientInfo
+structure can be ignored or its key identifier data retrieved using
+an appropriate function.
+If the corresponding secret or private key can be obtained by any
+appropriate means it can then be associated with the structure and
+.Fn CMS_RecipientInfo_decrypt
+called.
+If successful,
+.Xr CMS_decrypt 3
+can be called with a
+.Dv NULL
+key to decrypt the enveloped content.
+.Pp
+The function
+.Fn CMS_RecipientInfo_encrypt
+can be used to add a new recipient to an existing enveloped data
+structure.
+Typically an application will first decrypt an appropriate
+.Vt CMS_RecipientInfo
+structure to make the content encrypt key available.
+Ot will then add a new recipient using a function such as
+.Xr CMS_add1_recipient_cert 3
+and finally encrypt the content encryption key using
+.Fn CMS_RecipientInfo_encrypt .
+.Sh RETURN VALUES
+.Fn CMS_get0_RecipientInfos
+returns all
+.Vt CMS_RecipientInfo
+structures, or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn CMS_RecipientInfo_ktri_get0_signer_id ,
+.Fn CMS_RecipientInfo_set0_pkey ,
+.Fn CMS_RecipientInfo_kekri_get0_id ,
+.Fn CMS_RecipientInfo_set0_key ,
+.Fn CMS_RecipientInfo_decrypt ,
+and
+.Fn CMS_RecipientInfo_encrypt
+return 1 for success or 0 if an error occurs.
+.Pp
+.Fn CMS_RecipientInfo_ktri_cert_cmp
+and
+.Fn CMS_RecipientInfo_kekri_id_cmp
+return 0 for a successful comparison or non-zero otherwise.
+.Pp
+Any error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_decrypt 3
+.Sh HISTORY
+These functions were first was added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_get0_SignerInfos.3 b/src/lib/libcrypto/man/CMS_get0_SignerInfos.3
new file mode 100644
index 0000000000..b9c8fee366
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_get0_SignerInfos.3
@@ -0,0 +1,180 @@
+.\" $OpenBSD: CMS_get0_SignerInfos.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008, 2013 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_GET0_SIGNERINFOS 3
+.Os
+.Sh NAME
+.Nm CMS_get0_SignerInfos ,
+.Nm CMS_SignerInfo_get0_signer_id ,
+.Nm CMS_SignerInfo_get0_signature ,
+.Nm CMS_SignerInfo_cert_cmp ,
+.Nm CMS_SignerInfo_set1_signer_cert
+.Nd CMS signedData signer functions
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft STACK_OF(CMS_SignerInfo) *
+.Fo CMS_get0_SignerInfos
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Ft int
+.Fo CMS_SignerInfo_get0_signer_id
+.Fa "CMS_SignerInfo *si"
+.Fa "ASN1_OCTET_STRING **keyid"
+.Fa "X509_NAME **issuer"
+.Fa "ASN1_INTEGER **sno"
+.Fc
+.Ft ASN1_OCTET_STRING *
+.Fo CMS_SignerInfo_get0_signature
+.Fa "CMS_SignerInfo *si"
+.Fc
+.Ft int
+.Fo CMS_SignerInfo_cert_cmp
+.Fa "CMS_SignerInfo *si"
+.Fa "X509 *cert"
+.Fc
+.Ft void
+.Fo CMS_SignerInfo_set1_signer_cert
+.Fa "CMS_SignerInfo *si"
+.Fa "X509 *signer"
+.Fc
+.Sh DESCRIPTION
+The function
+.Fn CMS_get0_SignerInfos
+returns all the
+.Vt CMS_SignerInfo
+structures associated with a CMS signedData structure.
+.Pp
+.Fn CMS_SignerInfo_get0_signer_id
+retrieves the certificate signer identifier associated with a specific
+.Vt CMS_SignerInfo
+structure
+.Fa si .
+Either the keyidentifier will be set in
+.Fa keyid
+or
+.Em both
+issuer name and serial number in
+.Fa issuer
+and
+.Fa sno .
+.Pp
+.Fn CMS_SignerInfo_get0_signature
+retrieves the signature associated with
+.Fa si
+in a pointer to an
+.Vt ASN1_OCTET_STRING
+structure.
+This pointer returned corresponds to the internal signature value of
+.Fa si
+so it may be read or modified.
+.Pp
+.Fn CMS_SignerInfo_cert_cmp
+compares the certificate
+.Fa cert
+against the signer identifier
+.Fa si .
+It returns zero if the comparison is successful or non-zero if not.
+.Pp
+.Fn CMS_SignerInfo_set1_signer_cert
+sets the signers certificate of
+.Fa si
+to
+.Fa signer .
+.Pp
+The main purpose of these functions is to enable an application to
+lookup signers certificates using any appropriate technique when the
+simpler method of
+.Xr CMS_verify 3
+is not appropriate.
+.Pp
+In typical usage an application will retrieve all
+.Vt CMS_SignerInfo
+structures using
+.Fn CMS_get0_SignerInfos
+and retrieve the identifier information using CMS.
+It will then obtain the signer certificate by some unspecified means
+(or return and error if it cannot be found) and set it using
+.Fn CMS_SignerInfo_set1_signer_cert .
+.Pp
+Once all signer certificates have been set,
+.Xr CMS_verify 3
+can be used.
+.Pp
+Although
+.Fn CMS_get0_SignerInfos
+can return
+.Dv NULL
+if an error occurs
+.Em or
+if there are no signers, this is not a problem in practice because the
+only error which can occur is if the
+.Fa cms
+structure is not of type signedData due to application error.
+.Sh RETURN VALUES
+.Fn CMS_get0_SignerInfos
+returns all
+.Vt CMS_SignerInfo
+structures, or
+.Dv NULL
+if there are no signers or an error occurs.
+.Pp
+.Fn CMS_SignerInfo_get0_signer_id
+returns 1 for success or 0 for failure.
+.Pp
+.Fn CMS_SignerInfo_cert_cmp
+returns 0 for a successful comparison or non-zero otherwise.
+.Pp
+Any error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_verify 3
+.Sh HISTORY
+These functions were first was added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_get0_type.3 b/src/lib/libcrypto/man/CMS_get0_type.3
new file mode 100644
index 0000000000..982826c7ca
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_get0_type.3
@@ -0,0 +1,174 @@
+.\" $OpenBSD: CMS_get0_type.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008, 2015 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_GET0_TYPE 3
+.Os
+.Sh NAME
+.Nm CMS_get0_type ,
+.Nm CMS_set1_eContentType ,
+.Nm CMS_get0_eContentType ,
+.Nm CMS_get0_content
+.Nd get and set CMS content types and content
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft const ASN1_OBJECT *
+.Fo CMS_get0_type
+.Fa "const CMS_ContentInfo *cms"
+.Fc
+.Ft int
+.Fo CMS_set1_eContentType
+.Fa "CMS_ContentInfo *cms"
+.Fa "const ASN1_OBJECT *oid"
+.Fc
+.Ft const ASN1_OBJECT *
+.Fo CMS_get0_eContentType
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Ft ASN1_OCTET_STRING **
+.Fo CMS_get0_content
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_get0_type
+returns the content type of a
+.Vt CMS_ContentInfo
+structure as an
+.Vt ASN1_OBJECT
+pointer.
+An application can then decide how to process the
+.Vt CMS_ContentInfo
+structure based on this value.
+.Pp
+.Fn CMS_set1_eContentType
+sets the embedded content type of a
+.Vt CMS_ContentInfo
+structure.
+It should be called with CMS functions (such as
+.Xr CMS_sign 3 ,
+.Xr CMS_encrypt 3 )
+with the
+.Dv CMS_PARTIAL
+flag and
+.Em before
+the structure is finalised, otherwise the results are undefined.
+.Pp
+.Fn CMS_get0_eContentType
+returns a pointer to the embedded content type.
+.Pp
+.Fn CMS_get0_content
+returns a pointer to the
+.Vt ASN1_OCTET_STRING
+pointer containing the embedded content.
+.Pp
+As the
+.Sq 0
+in the function names imply,
+.Fn CMS_get0_type ,
+.Fn CMS_get0_eContentType ,
+and
+.Fn CMS_get0_content
+return internal pointers which should
+.Em not
+be freed up.
+.Fn CMS_set1_eContentType
+copies the supplied OID and it
+.Em should
+be freed up after use.
+.Pp
+The
+.Vt ASN1_OBJECT
+values returned can be converted to an integer NID value using
+.Xr OBJ_obj2nid 3 .
+For the currently supported content types the following values are
+returned:
+.Dv NID_pkcs7_data ,
+.Dv NID_pkcs7_signed ,
+.Dv NID_pkcs7_digest ,
+.Dv NID_id_smime_ct_compressedData ,
+.Dv NID_pkcs7_encrypted ,
+.Dv NID_pkcs7_enveloped .
+.Pp
+The return value of
+.Fn CMS_get0_content
+is a pointer to the
+.Vt ASN1_OCTET_STRING
+content pointer.
+That means that for example after
+.Pp
+.Dl ASN1_OCTET_STRING **pconf = CMS_get0_content(cms);
+.Pp
+.Pf * Va pconf
+could be
+.Dv NULL
+if there is no embedded content.
+Applications can access, modify or create the embedded content in a
+.Vt CMS_ContentInfo
+structure using this function.
+Applications usually will not need to modify the embedded content as it
+is normally set by higher level functions.
+.Sh RETURN VALUES
+.Fn CMS_get0_type
+and
+.Fn CMS_get0_eContentType
+return an
+.Vt ASN1_OBJECT
+structure.
+.Pp
+.Fn CMS_set1_eContentType
+returns 1 for success or 0 if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh HISTORY
+.Fn CMS_get0_type ,
+.Fn CMS_set1_eContentType ,
+and
+.Fn CMS_get0_eContentType
+were all first added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 b/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
new file mode 100644
index 0000000000..d944f606d8
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
@@ -0,0 +1,175 @@
+.\" $OpenBSD: CMS_get1_ReceiptRequest.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_GET1_RECEIPTREQUEST 3
+.Os
+.Sh NAME
+.Nm CMS_ReceiptRequest_create0 ,
+.Nm CMS_add1_ReceiptRequest ,
+.Nm CMS_get1_ReceiptRequest ,
+.Nm CMS_ReceiptRequest_get0_values
+.Nd CMS signed receipt request functions
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ReceiptRequest *
+.Fo CMS_ReceiptRequest_create0
+.Fa "unsigned char *id"
+.Fa "int idlen"
+.Fa "int allorfirst"
+.Fa "STACK_OF(GENERAL_NAMES) *receiptList"
+.Fa "STACK_OF(GENERAL_NAMES) *receiptsTo"
+.Fc
+.Ft int
+.Fo CMS_add1_ReceiptRequest
+.Fa "CMS_SignerInfo *si"
+.Fa "CMS_ReceiptRequest *rr"
+.Fc
+.Ft int
+.Fo CMS_get1_ReceiptRequest
+.Fa "CMS_SignerInfo *si"
+.Fa "CMS_ReceiptRequest **prr"
+.Fc
+.Ft void
+.Fo CMS_ReceiptRequest_get0_values
+.Fa "CMS_ReceiptRequest *rr"
+.Fa "ASN1_STRING **pcid"
+.Fa "int *pallorfirst"
+.Fa "STACK_OF(GENERAL_NAMES) **plist"
+.Fa "STACK_OF(GENERAL_NAMES) **prto"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_ReceiptRequest_create0
+creates a signed receipt request structure.
+The signedContentIdentifier field is set using
+.Fa id
+and
+.Fa idlen ,
+or it is set to 32 bytes of pseudo random data if
+.Fa id
+is
+.Dv NULL .
+If
+.Fa receiptList
+is
+.Dv NULL ,
+the allOrFirstTier option in receiptsFrom
+is used and set to the value of the
+.Fa allorfirst
+parameter.
+If
+.Fa receiptList
+is not
+.Dv NULL ,
+the receiptList option in receiptsFrom is used.
+The
+.Fa receiptsTo
+parameter specifies the receiptsTo field value.
+.Pp
+The
+.Fn CMS_add1_ReceiptRequest
+function adds a signed receipt request
+.Fa rr
+to the
+.Vt CMS_SignerInfo
+structure
+.Fa si .
+.Pp
+.Fn CMS_get1_ReceiptRequest
+looks for a signed receipt request in
+.Fa si .
+If any is found, it is decoded and written to
+.Fa prr .
+.Pp
+.Fn CMS_ReceiptRequest_get0_values
+retrieves the values of a receipt request.
+The signedContentIdentifier is copied to
+.Fa pcid .
+If the allOrFirstTier option of receiptsFrom is used,
+its value is copied to
+.Fa pallorfirst ;
+otherwise the receiptList field is copied to
+.Fa plist .
+The receiptsTo parameter is copied to
+.Fa prto .
+.Pp
+For more details on the meaning of the fields see RFC2634.
+.Pp
+The contents of a signed receipt should only be considered meaningful if
+the corresponding
+.Vt CMS_ContentInfo
+structure can be successfully verified using
+.Xr CMS_verify 3 .
+.Sh RETURN VALUES
+.Fn CMS_ReceiptRequest_create0
+returns a signed receipt request structure or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn CMS_add1_ReceiptRequest
+returns 1 for success or 0 if an error occurred.
+.Pp
+.Fn CMS_get1_ReceiptRequest
+returns 1 is a signed receipt request is found and decoded.
+It returns 0 if a signed receipt request is not present or -1 if it is
+present but malformed.
+.Sh SEE ALSO
+.Xr CMS_sign 3 ,
+.Xr CMS_sign_receipt 3 ,
+.Xr CMS_verify 3 ,
+.Xr CMS_verify_receipt 3 ,
+.Xr ERR_get_error 3
+.Sh HISTORY
+.Fn CMS_ReceiptRequest_create0 ,
+.Fn CMS_add1_ReceiptRequest ,
+.Fn CMS_get1_ReceiptRequest ,
+and
+.Fn CMS_ReceiptRequest_get0_values
+were added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_sign.3 b/src/lib/libcrypto/man/CMS_sign.3
new file mode 100644
index 0000000000..54d95f4a5d
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_sign.3
@@ -0,0 +1,224 @@
+.\" $OpenBSD: CMS_sign.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_SIGN 3
+.Os
+.Sh NAME
+.Nm CMS_sign
+.Nd create a CMS SignedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ContentInfo *
+.Fo CMS_sign
+.Fa "X509 *signcert"
+.Fa "EVP_PKEY *pkey"
+.Fa "STACK_OF(X509) *certs"
+.Fa "BIO *data"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_sign
+creates and returns a CMS SignedData structure.
+.Fa signcert
+is the certificate to sign with,
+.Fa pkey
+is the corresponding private key.
+.Fa certs
+is an optional additional set of certificates to include in the CMS
+structure (for example any intermediate CAs in the chain).
+Any or all of these parameters can be
+.Dv NULL .
+.Pp
+The data to be signed is read from
+.Fa data .
+.Pp
+.Fa flags
+is an optional set of flags.
+.Pp
+Any of the following flags (OR'ed together) can be passed in the
+.Fa flags
+parameter:
+.Bl -tag -width Ds
+.It Dv CMS_TEXT
+Prepend MIME headers for the type text/plain to the data.
+Many S/MIME clients expect the signed content to include valid MIME
+headers.
+.It Dv CMS_NOCERTS
+Do not include the signer's certificate in the
+.Vt CMS_ContentInfo
+structure.
+The signer's certificate must still be supplied in the
+.Fa signcert
+parameter though.
+This can reduce the size of the signature if the signers certificate can
+be obtained by other means: for example a previously signed message.
+.It Dv CMS_DETACHED
+Omit the data being signed from the
+.Vt CMS_ContentInfo
+structure.
+This is used for
+.Vt CMS_ContentInfo
+detached signatures which are used in S/MIME plaintext signed messages
+for example.
+.It Dv CMS_BINARY
+Do not translate the supplied content into MIME canonical format
+even though that is required by the S/MIME specifications.
+This option should be used if the supplied data is in binary format.
+Otherwise the translation will corrupt it.
+.It Dv CMS_NOATTR
+Do not use any signedAttributes.
+By default, the SignedData structure includes several CMS
+signedAttributes including the signing time, the CMS content type,
+and the supported list of ciphers in an SMIMECapabilities attribute.
+.It Dv CMS_NOSMIMECAP
+Omit just the SMIMECapabilities.
+If present, the SMIMECapabilities attribute indicates support for the
+following algorithms in preference order: 256 bit AES, Gost R3411-94,
+Gost 28147-89, 192 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit
+RC2, DES and 40 bit RC2.
+If any of these algorithms is not available, then it will not be
+included: for example the GOST algorithms will not be included if
+the GOST ENGINE is not loaded.
+.It Dv CMS_USE_KEYID
+Use the subject key identifier value to identify signing certificates.
+An error occurs if the signing certificate does not have a subject key
+identifier extension.
+By default, issuer name and serial number are used instead.
+.It Dv CMS_STREAM
+Only initialize the returned
+.Vt CMS_ContentInfo
+structure to prepare it for performing the signing operation.
+The signing is however
+.Em not
+performed and the data to be signed is not read from the
+.Fa data
+parameter.
+Signing is deferred until after the data has been written.
+In this way, data can be signed in a single pass.
+The returned
+.Vt CMS_ContentInfo
+structure is
+.Em not
+complete and outputting its contents via a function that does not
+properly finalize the
+.Vt CMS_ContentInfo
+structure will give unpredictable results.
+Several functions including
+.Xr SMIME_write_CMS 3 ,
+.Xr i2d_CMS_bio_stream 3 ,
+or
+.Xr PEM_write_bio_CMS_stream 3
+finalize the structure.
+Alternatively, finalization can be performed by obtaining the streaming
+ASN1
+.Vt BIO
+directly using
+.Xr BIO_new_CMS 3 .
+.It Dv CMS_PARTIAL
+Output a partial
+.Vt CMS_ContentInfo
+structure to which additional signers and capabilities can be
+added before finalization.
+.El
+.Pp
+If a signer is specified, it will use the default digest for the signing
+algorithm.
+This is SHA1 for both RSA and DSA keys.
+.Pp
+If
+.Fa signcert
+and
+.Fa pkey
+are
+.Dv NULL ,
+then a certificates only CMS structure is output.
+.Pp
+The function
+.Fn CMS_sign
+is a basic CMS signing function whose output will be suitable for many
+purposes.
+For finer control of the output format the
+.Fa certs ,
+.Fa signcert
+and
+.Fa pkey
+parameters can all be
+.Dv NULL
+and the
+.Dv CMS_PARTIAL
+flag set.
+Then one or more signers can be added using the function
+.Xr CMS_sign_add1_signer 3 ,
+non default digests can be used and custom attributes added.
+.Xr CMS_final 3
+must then be called to finalize the structure if streaming is not
+enabled.
+.Sh RETURN VALUES
+.Fn CMS_sign
+returns either a valid
+.Vt CMS_ContentInfo
+structure or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_verify 3
+.Sh HISTORY
+.Fn CMS_sign
+was added to OpenSSL 0.9.8.
+.Pp
+The
+.Dv CMS_STREAM
+flag is only supported for detached data in OpenSSL 0.9.8, it is
+supported for embedded data in OpenSSL 1.0.0 and later.
+.Sh BUGS
+Some attributes such as counter signatures are not supported.
diff --git a/src/lib/libcrypto/man/CMS_sign_receipt.3 b/src/lib/libcrypto/man/CMS_sign_receipt.3
new file mode 100644
index 0000000000..7ddff976cc
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_sign_receipt.3
@@ -0,0 +1,110 @@
+.\" $OpenBSD: CMS_sign_receipt.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_SIGN_RECEIPT 3
+.Os
+.Sh NAME
+.Nm CMS_sign_receipt
+.Nd create a CMS signed receipt
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ContentInfo *
+.Fo CMS_sign_receipt
+.Fa "CMS_SignerInfo *si"
+.Fa "X509 *signcert"
+.Fa "EVP_PKEY *pkey"
+.Fa "STACK_OF(X509) *certs"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_sign_receipt
+creates and returns a CMS signed receipt structure.
+.Fa si
+is the
+.Vt CMS_SignerInfo
+structure containing the signed receipt request.
+.Fa signcert
+is the certificate to sign with,
+.Fa pkey
+is the corresponding private key.
+.Fa certs
+is an optional additional set of certificates to include in the CMS
+structure (for example any intermediate CAs in the chain).
+.Pp
+.Fa flags
+is an optional set of flags.
+.Pp
+This functions behaves in a similar way to
+.Xr CMS_sign 3
+except the flag values
+.Dv CMS_DETACHED ,
+.Dv CMS_BINARY ,
+.Dv CMS_NOATTR ,
+.Dv CMS_TEXT ,
+and
+.Dv CMS_STREAM
+are not supported since they do not make sense in the context of
+signed receipts.
+.Sh RETURN VALUES
+.Fn CMS_sign_receipt
+returns either a valid
+.Vt CMS_ContentInfo
+structure or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_sign 3 ,
+.Xr CMS_verify_receipt 3
+.Sh HISTORY
+.Fn CMS_sign_receipt
+was added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_uncompress.3 b/src/lib/libcrypto/man/CMS_uncompress.3
new file mode 100644
index 0000000000..50926b7358
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_uncompress.3
@@ -0,0 +1,111 @@
+.\" $OpenBSD: CMS_uncompress.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_UNCOMPRESS 3
+.Os
+.Sh NAME
+.Nm CMS_uncompress
+.Nd uncompress a CMS CompressedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo CMS_uncompress
+.Fa "CMS_ContentInfo *cms"
+.Fa "BIO *dcont"
+.Fa "BIO *out"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_uncompress
+extracts and uncompresses the content from a CMS CompressedData
+structure
+.Fa cms .
+.Fa out
+is a
+.Vt BIO
+to write the content to and
+.Fa flags
+is an optional set of flags.
+.Pp
+The
+.Fa dcont
+parameter is used in the rare case where the compressed content is
+detached.
+It will normally be set to
+.Dv NULL .
+.Pp
+The only currently supported compression algorithm is zlib: if the
+structure indicates the use of any other algorithm, an error is returned.
+.Pp
+If zlib support is not compiled in, then
+.Fn CMS_uncompress
+will always return an error.
+.Pp
+If the
+.Dv CMS_TEXT
+flag is set, MIME headers for type text/plain are deleted from the content.
+If the content is not of type text/plain, an error is returned.
+.Sh RETURN VALUES
+.Fn CMS_uncompress
+returns either 1 for success or 0 for failure.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_compress 3
+.Sh HISTORY
+.Fn CMS_uncompress
+was added to OpenSSL 0.9.8.
+.Sh BUGS
+The lack of single pass processing and the need to hold all data in
+memory as mentioned in
+.Xr CMS_verify 3
+also applies to
+.Fn CMS_uncompress .
diff --git a/src/lib/libcrypto/man/CMS_verify.3 b/src/lib/libcrypto/man/CMS_verify.3
new file mode 100644
index 0000000000..cec1dc06d8
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_verify.3
@@ -0,0 +1,223 @@
+.\" $OpenBSD: CMS_verify.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_VERIFY 3
+.Os
+.Sh NAME
+.Nm CMS_verify ,
+.Nm CMS_get0_signers
+.Nd verify a CMS SignedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo CMS_verify
+.Fa "CMS_ContentInfo *cms"
+.Fa "STACK_OF(X509) *certs"
+.Fa "X509_STORE *store"
+.Fa "BIO *indata"
+.Fa "BIO *out"
+.Fa "unsigned int flags"
+.Fc
+.Ft STACK_OF(X509) *
+.Fo CMS_get0_signers
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_verify
+verifies a CMS SignedData structure.
+.Fa cms
+is the
+.Vt CMS_ContentInfo
+structure to verify.
+.Fa certs
+is a set of certificates in which to search for the signing
+certificate(s).
+.Fa store
+is a trusted certificate store used for chain verification.
+.Fa indata
+is the detached content if the content is not present in
+.Fa cms .
+The content is written to
+.Fa out
+if it is not
+.Dv NULL .
+.Pp
+.Fa flags
+is an optional set of flags, which can be used to modify the verify
+operation.
+.Pp
+.Fn CMS_get0_signers
+retrieves the signing certificate(s) from
+.Fa cms .
+It must be called after a successful
+.Fn CMS_verify
+operation.
+.Pp
+Normally the verify process proceeds as follows.
+.Pp
+Initially some sanity checks are performed on
+.Fa cms .
+The type of
+.Fa cms
+must be SignedData.
+There must be at least one signature on the data and if the content is
+detached;
+.Fa indata
+cannot be
+.Dv NULL .
+.Pp
+An attempt is made to locate all the signing certificate(s), first
+looking in the
+.Fa certs
+parameter (if it is not
+.Dv NULL )
+and then looking in any certificates contained in the
+.Fa cms
+structure itself.
+If any signing certificate cannot be located, the operation fails.
+.Pp
+Each signing certificate is chain verified using the
+.Sy smimesign
+purpose and the supplied trusted certificate store.
+Any internal certificates in the message are used as untrusted CAs.
+If CRL checking is enabled in
+.Fa store ,
+any internal CRLs are used in addition to attempting to look them up in
+.Fa store .
+If any chain verify fails, an error code is returned.
+.Pp
+Finally the signed content is read (and written to
+.Fa out
+if it is not
+.Dv NULL )
+and the signature is checked.
+.Pp
+If all signatures verify correctly, then the function is successful.
+.Pp
+Any of the following flags (OR'ed together) can be passed in the
+.Fa flags
+parameter to change the default verify behaviour:
+.Bl -tag -width Ds
+.It Dv CMS_NOINTERN
+Do not use the certificates in the message itself when
+locating the signing certificate(s).
+This means that all the signing certificates must be in the
+.Fa certs
+parameter.
+.It Dv CMS_NOCRL
+If CRL checking is enabled in
+.Fa store ,
+then any CRLs in the message itself are ignored.
+It Dv CMS_TEXT
+MIME headers for type text/plain are deleted from the content.
+If the content is not of type text/plain, an error is returned.
+.It Dv CMS_NO_SIGNER_CERT_VERIFY
+Do not verify signing certificates.
+.It Dv CMS_NO_ATTR_VERIFY
+Do not check the signed attributes signature.
+.It Dv CMS_NO_CONTENT_VERIFY
+Do not check the content digest.
+.El
+.Pp
+One application of
+.Dv CMS_NOINTERN
+is to only accept messages signed by a small number of certificates.
+The acceptable certificates would be passed in the
+.Fa certs
+parameter.
+In this case, if the signer is not one of the certificates supplied in
+.Fa certs ,
+then the verify will fail because the signer cannot be found.
+.Pp
+In some cases the standard techniques for looking up and validating
+certificates are not appropriate: for example an application may wish to
+lookup certificates in a database or perform customised verification.
+This can be achieved by setting and verifying the signers certificates
+manually using the signed data utility functions.
+.Pp
+Care should be taken when modifying the default verify behaviour, for
+example setting
+.Dv CMS_NO_CONTENT_VERIFY
+will totally disable all content verification and any modified content
+will be considered valid.
+This combination is however useful if one merely wishes to write the
+content to
+.Fa out
+and its validity is not considered important.
+.Pp
+Chain verification should arguably be performed using the signing time
+rather than the current time.
+However since the signing time is supplied by the signer it cannot be
+trusted without additional evidence (such as a trusted timestamp).
+.Sh RETURN VALUES
+.Fn CMS_verify
+returns 1 for a successful verification or zero if an error occurred.
+.Pp
+.Fn CMS_get0_signers
+returns all signers or
+.Dv NULL
+if an error occurred.
+.Pp
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_sign 3
+.Sh HISTORY
+.Fn CMS_verify
+was added to OpenSSL 0.9.8.
+.Sh BUGS
+The trusted certificate store is not searched for the signing certificate.
+This is primarily due to the inadequacies of the current
+.Vt X509_STORE
+functionality.
+.Pp
+The lack of single pass processing means that the signed content must
+all be held in memory if it is not detached.
diff --git a/src/lib/libcrypto/man/CMS_verify_receipt.3 b/src/lib/libcrypto/man/CMS_verify_receipt.3
new file mode 100644
index 0000000000..33bb43ed8d
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_verify_receipt.3
@@ -0,0 +1,104 @@
+.\" $OpenBSD: CMS_verify_receipt.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_VERIFY_RECEIPT 3
+.Os
+.Sh NAME
+.Nm CMS_verify_receipt
+.Nd verify a CMS signed receipt
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo CMS_verify_receipt
+.Fa "CMS_ContentInfo *rcms"
+.Fa "CMS_ContentInfo *ocms"
+.Fa "STACK_OF(X509) *certs"
+.Fa "X509_STORE *store"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_verify_receipt
+verifies a CMS signed receipt.
+.Fa rcms
+is the signed receipt to verify.
+.Fa ocms
+is the original SignedData structure containing the receipt request.
+.Fa certs
+is a set of certificates in which to search for the signing certificate.
+.Fa store
+is a trusted certificate store (used for chain verification).
+.Pp
+.Fa flags
+is an optional set of flags, which can be used to modify the verify
+operation.
+.Pp
+This functions behaves in a similar way to
+.Xr CMS_verify 3
+except the flag values
+.Dv CMS_DETACHED ,
+.Dv CMS_BINARY ,
+.Dv CMS_TEXT ,
+and
+.Dv CMS_STREAM
+are not supported since they do not make sense in the context of signed
+receipts.
+.Sh RETURN VALUES
+.Fn CMS_verify_receipt
+returns 1 for a successful verification or zero if an error occurred.
+.Pp
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_sign_receipt 3 ,
+.Xr CMS_verify 3
+.Sh HISTORY
+.Fn CMS_verify_receipt
+was added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 b/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
new file mode 100644
index 0000000000..ad1688ba14
--- /dev/null
+++ b/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
@@ -0,0 +1,93 @@
+.\" $OpenBSD: PEM_write_bio_CMS_stream.3,v 1.1 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt PEM_WRITE_BIO_CMS_STREAM 3
+.Os
+.Sh NAME
+.Nm PEM_write_bio_CMS_stream
+.Nd output CMS_ContentInfo structure in PEM format
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo PEM_write_bio_CMS_stream
+.Fa "BIO *out"
+.Fa "CMS_ContentInfo *cms"
+.Fa "BIO *data"
+.Fa "int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn PEM_write_bio_CMS_stream
+outputs a
+.Vt CMS_ContentInfo
+structure in PEM format.
+.Pp
+It is otherwise identical to the function
+.Xr SMIME_write_CMS 3 .
+.Pp
+This function is effectively a version of
+.Xr PEM_write_bio_CMS 3
+supporting streaming.
+.Sh RETURN VALUES
+.Fn PEM_write_bio_CMS_stream
+returns 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr CMS_decrypt 3 ,
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3 ,
+.Xr CMS_verify 3 ,
+.Xr ERR_get_error 3 ,
+.Xr i2d_CMS_bio_stream 3 ,
+.Xr PEM_write 3 ,
+.Xr SMIME_write_CMS 3
+.Sh HISTORY
+The
+.Fn PEM_write_bio_CMS_stream
+function was added in OpenSSL 1.0.0.
diff --git a/src/lib/libcrypto/man/SMIME_read_CMS.3 b/src/lib/libcrypto/man/SMIME_read_CMS.3
new file mode 100644
index 0000000000..17f60b11ec
--- /dev/null
+++ b/src/lib/libcrypto/man/SMIME_read_CMS.3
@@ -0,0 +1,146 @@
+.\" $OpenBSD: SMIME_read_CMS.3,v 1.1 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt SMIME_READ_CMS 3
+.Os
+.Sh NAME
+.Nm SMIME_read_CMS
+.Nd parse S/MIME message
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ContentInfo *
+.Fo SMIME_read_CMS
+.Fa "BIO *in"
+.Fa "BIO **bcont"
+.Fc
+.Sh DESCRIPTION
+.Fn SMIME_read_CMS
+parses a message in S/MIME format.
+.Pp
+.Fa in
+is a
+.Vt BIO
+to read the message from.
+.Pp
+If cleartext signing is used, then the content is saved in a memory BIO
+which is written to
+.Pf * Fa bcont ;
+otherwise
+.Pf * Fa bcont
+is set to
+.Dv NULL .
+.Pp
+The parsed
+.Vt CMS_ContentInfo
+structure is returned, or
+.Dv NULL
+if an error occurred.
+.Pp
+If
+.Pf * Fa bcont
+is not
+.Dv NULL ,
+then the message is clear text signed.
+.Pf * Fa bcont
+can then be passed to
+.Xr CMS_verify 3
+with the
+.Dv CMS_DETACHED
+flag set.
+.Pp
+Otherwise the type of the returned structure can be determined using
+.Xr CMS_get0_type 3 .
+.Pp
+To support future functionality if
+.Fa bcont
+is not
+.Dv NULL ,
+.Pf * Fa bcont
+should be initialized to
+.Dv NULL .
+For example:
+.Bd -literal -offset indent
+BIO *cont = NULL;
+CMS_ContentInfo *cms;
+
+cms = SMIME_read_CMS(in, &cont);
+.Ed
+.Sh RETURN VALUES
+.Fn SMIME_read_CMS
+returns a valid
+.Vt CMS_ContentInfo
+structure or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_decrypt 3 ,
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3 ,
+.Xr CMS_type 3 ,
+.Xr CMS_verify 3 ,
+.Xr SMIME_write_CMS 3
+.Sh BUGS
+The MIME parser used by
+.Fn SMIME_read_CMS
+is somewhat primitive.
+While it will handle most S/MIME messages, more complex compound formats
+may not work.
+.Pp
+The parser assumes that the
+.Vt CMS_ContentInfo
+structure is always base64 encoded and will not handle the case
+where it is in binary format or uses quoted printable format.
+.Pp
+The use of a memory BIO to hold the signed content limits the size of
+message which can be processed due to memory restraints: a streaming
+single pass option should be available.
diff --git a/src/lib/libcrypto/man/SMIME_write_CMS.3 b/src/lib/libcrypto/man/SMIME_write_CMS.3
new file mode 100644
index 0000000000..c9afa5e5a5
--- /dev/null
+++ b/src/lib/libcrypto/man/SMIME_write_CMS.3
@@ -0,0 +1,133 @@
+.\" $OpenBSD: SMIME_write_CMS.3,v 1.1 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt SMIME_WRITE_CMS 3
+.Os
+.Sh NAME
+.Nm SMIME_write_CMS
+.Nd convert CMS structure to S/MIME format
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo SMIME_write_CMS
+.Fa "BIO *out"
+.Fa "CMS_ContentInfo *cms"
+.Fa "BIO *data"
+.Fa "int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn SMIME_write_CMS
+adds the appropriate MIME headers to a CMS structure to produce an
+S/MIME message.
+.Pp
+.Fa out
+is the
+.Vt BIO
+to write the data to.
+.Fa cms
+is the appropriate
+.Vt CMS_ContentInfo
+structure.
+If streaming is enabled, then the content must be supplied in the
+.Fa data
+argument.
+.Fa flags
+is an optional set of flags.
+.Pp
+The following flags can be passed in the
+.Fa flags
+parameter:
+.Bl -tag -width Ds
+.It Dv CMS_DETACHED
+Use cleartext signing.
+This option only makes sense for SignedData where
+.Dv CMS_DETACHED
+is also set when
+.Xr CMS_sign 3
+is called.
+.Pp
+If cleartext signing is used and
+.Dv CMS_STREAM
+is not set, then the data must be read twice:
+once to compute the signature in
+.Xr CMS_sign 3
+and once to output the S/MIME message.
+.It Dv CMS_TEXT
+Add MIME headers for type text/plain to the content.
+This only makes sense if
+.Dv CMS_DETACHED
+is also set.
+.It Dv CMS_STREAM
+Perform streaming.
+This flag should only be set if
+.Dv CMS_STREAM
+was also set in the previous call to a
+.Vt CMS_ContentInfo
+creation function.
+.Pp
+If streaming is performed, the content is output in BER format using
+indefinite length constructed encoding except in the case of signed data
+with detached content where the content is absent and DER format is
+used.
+.El
+.Sh RETURN VALUES
+.Fn SMIME_write_CMS
+returns 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr CMS_decrypt 3 ,
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3 ,
+.Xr CMS_verify 3 ,
+.Xr ERR_get_error 3
+.Sh BUGS
+.Fn SMIME_write_CMS
+always base64 encodes CMS structures.
+There should be an option to disable this.
diff --git a/src/lib/libcrypto/man/i2d_CMS_bio_stream.3 b/src/lib/libcrypto/man/i2d_CMS_bio_stream.3
new file mode 100644
index 0000000000..3615c01ccb
--- /dev/null
+++ b/src/lib/libcrypto/man/i2d_CMS_bio_stream.3
@@ -0,0 +1,95 @@
+.\" $OpenBSD: i2d_CMS_bio_stream.3,v 1.1 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt I2D_CMS_BIO_STREAM 3
+.Os
+.Sh NAME
+.Nm i2d_CMS_bio_stream
+.Nd output CMS_ContentInfo structure in BER format
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo i2d_CMS_bio_stream
+.Fa "BIO *out"
+.Fa "CMS_ContentInfo *cms"
+.Fa "BIO *data"
+.Fa "int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn i2d_CMS_bio_stream
+outputs a
+.Vt CMS_ContentInfo
+structure in BER format.
+.Pp
+It is otherwise identical to the function
+.Xr SMIME_write_CMS 3 .
+.Pp
+This function is effectively a version of
+.Xr i2d_CMS_bio 3
+supporting streaming.
+.Sh RETURN VALUES
+.Fn i2d_CMS_bio_stream
+returns 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr CMS_decrypt 3 ,
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3 ,
+.Xr CMS_verify 3 ,
+.Xr ERR_get_error 3 ,
+.Xr PEM_write_bio_CMS_stream 3 ,
+.Xr SMIME_write_CMS 3
+.Sh HISTORY
+The
+.Fn i2d_CMS_bio_stream
+function was added in OpenSSL 1.0.0.
+.Sh BUGS
+The prefix "i2d" is arguably wrong because the function outputs BER
+format.