21 files changed, 3388 insertions, 0 deletions

diff --git a/src/lib/libcrypto/man/BIO_new_CMS.3 b/src/lib/libcrypto/man/BIO_new_CMS.3
new file mode 100644
index 0000000000..d35fb0b7bf
--- /dev/null
+++ b/src/lib/libcrypto/man/BIO_new_CMS.3
@@ -0,0 +1,138 @@
+.\" $OpenBSD: BIO_new_CMS.3,v 1.4 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL df75c2bfc Dec 9 01:02:36 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt BIO_NEW_CMS 3
+.Os
+.Sh NAME
+.Nm BIO_new_CMS
+.Nd CMS streaming filter BIO
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft BIO *
+.Fo BIO_new_CMS
+.Fa "BIO *out"
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Sh DESCRIPTION
+.Fn BIO_new_CMS
+returns a streaming filter
+.Vt BIO
+chain based on
+.Fa cms .
+The output of the filter is written to
+.Fa out .
+Any data written to the chain is automatically translated
+to a BER format CMS structure of the appropriate type.
+.Pp
+The chain returned by this function behaves like a standard filter
+.Vt BIO .
+It supports non blocking I/O.
+Content is processed and streamed on the fly and not all held in memory
+at once: so it is possible to encode very large structures.
+After all content has been written through the chain,
+.Xr BIO_flush 3
+must be called to finalise the structure.
+.Pp
+The
+.Dv CMS_STREAM
+flag must be included in the corresponding
+.Fa flags
+parameter of the
+.Fa cms
+creation function.
+.Pp
+If an application wishes to write additional data to
+.Fa out ,
+BIOs should be removed from the chain using
+.Xr BIO_pop 3
+and freed with
+.Xr BIO_free 3
+until
+.Fa out
+is reached.
+If no additional data needs to be written,
+.Xr BIO_free_all 3
+can be called to free up the whole chain.
+.Pp
+Any content written through the filter is used verbatim:
+no canonical translation is performed.
+.Pp
+It is possible to chain multiple BIOs to, for example,
+create a triple wrapped signed, enveloped, signed structure.
+In this case it is the application's responsibility
+to set the inner content type of any outer
+.Vt CMS_ContentInfo
+structures.
+.Pp
+Large numbers of small writes through the chain should be avoided as this
+will produce an output consisting of lots of OCTET STRING structures.
+Prepending a
+.Xr BIO_f_buffer 3
+buffering BIO will prevent this.
+.Sh RETURN VALUES
+.Fn BIO_new_CMS
+returns a
+.Vt BIO
+chain when successful or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3
+.Sh HISTORY
+The
+.Fn BIO_new_CMS
+function was added in OpenSSL 1.0.0.
+.Sh BUGS
+There is currently no corresponding inverse BIO
+which can decode a CMS structure on the fly.
diff --git a/src/lib/libcrypto/man/CMS_add0_cert.3 b/src/lib/libcrypto/man/CMS_add0_cert.3
new file mode 100644
index 0000000000..9f99e2259f
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_add0_cert.3
@@ -0,0 +1,177 @@
+.\" $OpenBSD: CMS_add0_cert.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_ADD0_CERT 3
+.Os
+.Sh NAME
+.Nm CMS_add0_cert ,
+.Nm CMS_add1_cert ,
+.Nm CMS_get1_certs ,
+.Nm CMS_add0_crl ,
+.Nm CMS_add1_crl ,
+.Nm CMS_get1_crls
+.Nd CMS certificate and CRL utility functions
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo CMS_add0_cert
+.Fa "CMS_ContentInfo *cms"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo CMS_add1_cert
+.Fa "CMS_ContentInfo *cms"
+.Fa "X509 *cert"
+.Fc
+.Ft STACK_OF(X509) *
+.Fo CMS_get1_certs
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Ft int
+.Fo CMS_add0_crl
+.Fa "CMS_ContentInfo *cms"
+.Fa "X509_CRL *crl"
+.Fc
+.Ft int
+.Fo CMS_add1_crl
+.Fa "CMS_ContentInfo *cms"
+.Fa "X509_CRL *crl"
+.Fc
+.Ft STACK_OF(X509_CRL) *
+.Fo CMS_get1_crls
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_add0_cert
+and
+.Fn CMS_add1_cert
+add the certificate
+.Fa cert
+to
+.Fa cms .
+.Fa cms
+must be of type signed data or enveloped data.
+.Pp
+.Fn CMS_get1_certs
+returns all certificates in
+.Fa cms .
+.Pp
+.Fn CMS_add0_crl
+and
+.Fn CMS_add1_crl
+add the CRL
+.Fa crl
+to
+.Fa cms .
+.Fn CMS_get1_crls
+returns any CRLs in
+.Fa cms .
+.Pp
+The
+.Vt CMS_ContentInfo
+structure
+.Fa cms
+must be of type signed data or enveloped data or an error will be
+returned.
+.Pp
+The signed data certificates and CRLs are added to the
+.Sy certificates
+and
+.Sy crls
+fields of the SignedData structure.
+For enveloped data, they are added to
+.Sy OriginatorInfo .
+.Pp
+As the
+.Sq 0
+in the function name implies,
+.Fn CMS_add0_cert
+adds
+.Fa cert
+internally to
+.Fa cms
+and it must not be freed up after the call, as opposed to
+.Fn CMS_add1_cert
+where
+.Fa cert
+must be freed up.
+.Pp
+The same certificate or CRL must not be added to the same cms structure
+more than once.
+.Sh RETURN VALUES
+.Fn CMS_add0_cert ,
+.Fn CMS_add1_cert ,
+.Fn CMS_add0_crl ,
+and
+.Fn CMS_add1_crl
+return 1 for success or 0 for failure.
+.Pp
+.Fn CMS_get1_certs
+and
+.Fn CMS_get1_crls
+return the STACK of certificates or CRLs or
+.Dv NULL
+if there are none or an error occurs.
+The only error which will occur in practice is if the
+.Fa cms
+type is invalid.
+.Sh SEE ALSO
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3 ,
+.Xr ERR_get_error 3
+.Sh HISTORY
+.Fn CMS_add0_cert ,
+.Fn CMS_add1_cert ,
+.Fn CMS_get1_certs ,
+.Fn CMS_add0_crl
+and
+.Fn CMS_get1_crls
+were all first added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_add1_recipient_cert.3 b/src/lib/libcrypto/man/CMS_add1_recipient_cert.3
new file mode 100644
index 0000000000..47307fdaa1
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_add1_recipient_cert.3
@@ -0,0 +1,165 @@
+.\" $OpenBSD: CMS_add1_recipient_cert.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_ADD1_RECIPIENT_CERT 3
+.Os
+.Sh NAME
+.Nm CMS_add1_recipient_cert ,
+.Nm CMS_add0_recipient_key
+.Nd add recipients to a CMS enveloped data structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_RecipientInfo *
+.Fo CMS_add1_recipient_cert
+.Fa "CMS_ContentInfo *cms"
+.Fa "X509 *recip"
+.Fa "unsigned int flags"
+.Fc
+.Ft CMS_RecipientInfo *
+.Fo CMS_add0_recipient_key
+.Fa "CMS_ContentInfo *cms"
+.Fa "int nid"
+.Fa "unsigned char *key"
+.Fa "size_t keylen"
+.Fa "unsigned char *id"
+.Fa "size_t idlen"
+.Fa "ASN1_GENERALIZEDTIME *date"
+.Fa "ASN1_OBJECT *otherTypeId"
+.Fa "ASN1_TYPE *otherType"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_add1_recipient_cert
+adds the recipient
+.Fa recip
+to the
+.Vt CMS_ContentInfo
+enveloped data structure
+.Fa cms
+as a KeyTransRecipientInfo structure.
+.Pp
+.Fn CMS_add0_recipient_key
+adds the symmetric key
+.Fa key
+of length
+.Fa keylen
+using the wrapping algorithm
+.Fa nid ,
+the identifier
+.Fa id
+of length
+.Fa idlen ,
+and the optional values
+.Fa date ,
+.Fa otherTypeId
+and
+.Fa otherType
+to the
+.Vt CMS_ContentInfo
+enveloped data structure
+.Fa cms
+as a KEKRecipientInfo structure.
+.Pp
+The
+.Vt CMS_ContentInfo
+structure should be obtained from an initial call to
+.Xr CMS_encrypt 3
+with the flag
+.Dv CMS_PARTIAL
+set.
+.Pp
+The main purpose of this function is to provide finer control over a CMS
+enveloped data structure where the simpler
+.Xr CMS_encrypt 3
+function defaults are not appropriate,
+for example if one or more KEKRecipientInfo structures need to be added.
+New attributes can also be added using the returned
+.Vt CMS_RecipientInfo
+structure and the CMS attribute utility functions.
+.Pp
+By default, recipient certificates are identified using issuer
+name and serial number.
+If the flag
+.Dv CMS_USE_KEYID
+is set, it will use the subject key identifier value instead.
+An error occurs if all recipient certificates do not have a subject key
+identifier extension.
+.Pp
+Currently only AES based key wrapping algorithms are supported for
+.Fa nid ,
+specifically
+.Dv NID_id_aes128_wrap ,
+.Dv NID_id_aes192_wrap ,
+and
+.Dv NID_id_aes256_wrap .
+If
+.Fa nid
+is set to
+.Dv NID_undef ,
+then an AES wrap algorithm will be used consistent with
+.Fa keylen .
+.Sh RETURN VALUES
+.Fn CMS_add1_recipient_cert
+and
+.Fn CMS_add0_recipient_key
+return an internal pointer to the
+.Vt CMS_RecipientInfo
+structure just added or
+.Dv NULL
+if an error occurs.
+.Sh SEE ALSO
+.Xr CMS_decrypt 3 ,
+.Xr CMS_final 3 ,
+.Xr ERR_get_error 3
+.Sh HISTORY
+.Fn CMS_add1_recipient_cert
+and
+.Fn CMS_add0_recipient_key
+were added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_add1_signer.3 b/src/lib/libcrypto/man/CMS_add1_signer.3
new file mode 100644
index 0000000000..065e15c7be
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_add1_signer.3
@@ -0,0 +1,203 @@
+.\" $OpenBSD: CMS_add1_signer.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_ADD1_SIGNER 3
+.Os
+.Sh NAME
+.Nm CMS_add1_signer ,
+.Nm CMS_SignerInfo_sign
+.Nd add a signer to a CMS_ContentInfo signed data structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_SignerInfo *
+.Fo CMS_add1_signer
+.Fa "CMS_ContentInfo *cms"
+.Fa "X509 *signcert"
+.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_MD *md"
+.Fa "unsigned int flags"
+.Fc
+.Ft int
+.Fo CMS_SignerInfo_sign
+.Fa "CMS_SignerInfo *si"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_add1_signer
+adds a signer with certificate
+.Fa signcert
+and private key
+.Fa pkey
+using message digest
+.Fa md
+to the
+.Vt CMS_ContentInfo
+SignedData structure
+.Fa cms .
+.Pp
+The
+.Vt CMS_ContentInfo
+structure should be obtained from an initial call to
+.Xr CMS_sign 3
+with the flag
+.Dv CMS_PARTIAL
+set or in the case or re-signing a valid
+.Vt CMS_ContentInfo
+SignedData structure.
+.Pp
+If the
+.Fa md
+parameter is
+.Dv NULL ,
+then the default digest for the public key algorithm will be used.
+.Pp
+Unless the
+.Dv CMS_REUSE_DIGEST
+flag is set, the returned
+.Vt CMS_ContentInfo
+structure is not complete and must be finalized either by streaming
+(if applicable) or a call to
+.Xr CMS_final 3 .
+.Pp
+The
+.Fn CMS_SignerInfo_sign
+function will explicitly sign a
+.Vt CMS_SignerInfo
+structure.
+Its main use is when the
+.Dv CMS_REUSE_DIGEST
+and
+.Dv CMS_PARTIAL
+flags are both set.
+.Pp
+The main purpose of
+.Fn CMS_add1_signer
+is to provide finer control over a CMS signed data structure where the
+simpler
+.Xr CMS_sign 3
+function defaults are not appropriate, for example if multiple signers
+or non default digest algorithms are needed.
+New attributes can also be added using the returned
+.Vt CMS_SignerInfo
+structure and the CMS attribute utility functions or the CMS signed
+receipt request functions.
+.Pp
+Any of the following flags (OR'ed together) can be passed in the
+.Fa flags
+parameter:
+.Bl -tag -width Ds
+.It Dv CMS_REUSE_DIGEST
+Attempt to copy the content digest value from the
+.Vt CMS_ContentInfo
+structure to add a signer to an existing structure.
+An error occurs if a matching digest value cannot be found to copy.
+The returned
+.Vt CMS_ContentInfo
+structure will be valid and finalized when this flag is set.
+.It Dv CMS_PARTIAL
+If this flag is set in addition to
+.Dv CMS_REUSE_DIGEST ,
+then the
+.Vt CMS_SignerInfo
+structure will not be finalized so additional attributes can be added.
+In this case an explicit call to
+.Fn CMS_SignerInfo_sign
+is needed to finalize it.
+.It Dv CMS_NOCERTS
+Do not include the signer's certificate in the
+.Vt CMS_ContentInfo
+structure.
+The signer's certificate must still be supplied in the
+.Fa signcert
+parameter though.
+This can reduce the size of the signature if the signer's certificate can
+be obtained by other means, for example from a previously signed message.
+.Pp
+The SignedData structure includes several CMS signedAttributes including
+the signing time, the CMS content type and the supported list of ciphers
+in an SMIMECapabilities attribute.
+.It Dv CMS_NOATTR
+Use no signedAttributes.
+.It Dv CMS_NOSMIMECAP
+Omit just the SMIMECapabilities.
+.It Dv CMS_USE_KEYID
+Use the subject key identifier value to identify signing certificates.
+An error occurs if the signing certificate does not have a subject key
+identifier extension.
+By default, issuer name and serial number are used instead.
+.El
+.Pp
+If present, the SMIMECapabilities attribute indicates support for the
+following algorithms in preference order: 256 bit AES, Gost R3411-94,
+Gost 28147-89, 192 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit
+RC2, DES and 40 bit RC2.
+If any of these algorithms is not available then it will not be
+included: for example the GOST algorithms will not be included if
+the GOST ENGINE is not loaded.
+.Pp
+.Fn CMS_add1_signer
+returns an internal pointer to the
+.Vt CMS_SignerInfo
+structure just added.
+This can be used to set additional attributes before it is finalized.
+.Sh RETURN VALUES
+.Fn CMS_add1_signer
+returns an internal pointer to the
+.Vt CMS_SignerInfo
+structure just added or
+.Dv NULL
+if an error occurs.
+.Sh SEE ALSO
+.Xr CMS_final 3 ,
+.Xr CMS_sign 3 ,
+.Xr ERR_get_error 3
+.Sh HISTORY
+.Fn CMS_add1_signer
+was added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_compress.3 b/src/lib/libcrypto/man/CMS_compress.3
new file mode 100644
index 0000000000..64bab79617
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_compress.3
@@ -0,0 +1,157 @@
+.\" $OpenBSD: CMS_compress.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_COMPRESS 3
+.Os
+.Sh NAME
+.Nm CMS_compress
+.Nd create a CMS CompressedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ContentInfo *
+.Fo CMS_compress
+.Fa "BIO *in"
+.Fa "int comp_nid"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_compress
+creates and returns a CMS CompressedData structure.
+.Fa comp_nid
+is the compression algorithm to use or
+.Dv NID_undef
+to use the default algorithm (zlib compression).
+.Fa in
+is the content to be compressed.
+.Fa flags
+is an optional set of flags.
+.Pp
+The only currently supported compression algorithm is zlib using the NID
+.Dv NID_zlib_compression .
+.Pp
+If zlib support is not compiled in, then
+.Fn CMS_compress
+will return an error.
+.Pp
+If the
+.Dv CMS_TEXT
+flag is set, MIME headers for type text/plain are prepended to the data.
+.Pp
+Normally the supplied content is translated into MIME canonical format
+(as required by the S/MIME specifications); if
+.Dv CMS_BINARY
+is set, no translation occurs.
+This option should be used if the supplied data is in binary format.
+Otherwise, the translation will corrupt it.
+If
+.Dv CMS_BINARY
+is set then
+.Dv CMS_TEXT
+is ignored.
+.Pp
+If the
+.Dv CMS_STREAM
+flag is set, a partial
+.Vt CMS_ContentInfo
+structure is returned suitable for streaming I/O: no data is read from
+the BIO
+.Fa in .
+.Pp
+The compressed data is included in the
+.Vt CMS_ContentInfo
+structure unless
+.Dv CMS_DETACHED
+is set, in which case it is omitted.
+This is rarely used in practice and is not supported by
+.Xr SMIME_write_CMS 3 .
+.Pp
+If the flag
+.Dv CMS_STREAM
+is set, the returned
+.Vt CMS_ContentInfo
+structure is
+.Em not
+complete and outputting its contents via a function that does not
+properly finalize the
+.Vt CMS_ContentInfo
+structure will give unpredictable results.
+.Pp
+Several functions including
+.Xr SMIME_write_CMS 3 ,
+.Xr i2d_CMS_bio_stream 3 ,
+and
+.Xr PEM_write_bio_CMS_stream 3
+finalize the structure.
+Alternatively finalization can be performed by obtaining the streaming
+ASN1
+.Vt BIO
+directly using
+.Xr BIO_new_CMS 3 .
+.Pp
+Additional compression parameters such as the zlib compression level
+cannot currently be set.
+.Sh RETURN VALUES
+.Fn CMS_compress
+returns either a
+.Vt CMS_ContentInfo
+structure or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_uncompress 3
+.Sh HISTORY
+.Fn CMS_compress
+was added to OpenSSL 0.9.8.
+The
+.Dv CMS_STREAM
+flag was added in OpenSSL 1.0.0.
diff --git a/src/lib/libcrypto/man/CMS_decrypt.3 b/src/lib/libcrypto/man/CMS_decrypt.3
new file mode 100644
index 0000000000..de37b357a1
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_decrypt.3
@@ -0,0 +1,169 @@
+.\" $OpenBSD: CMS_decrypt.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008, 2014 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_DECRYPT 3
+.Os
+.Sh NAME
+.Nm CMS_decrypt
+.Nd decrypt content from a CMS envelopedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo CMS_decrypt
+.Fa "CMS_ContentInfo *cms"
+.Fa "EVP_PKEY *pkey"
+.Fa "X509 *cert"
+.Fa "BIO *dcont"
+.Fa "BIO *out"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_decrypt
+extracts and decrypts the content from a CMS EnvelopedData structure.
+.Fa pkey
+is the private key of the recipient,
+.Fa cert
+is the recipient's certificate,
+.Fa out
+is a
+.Vt BIO
+to write the content to and
+.Fa flags
+is an optional set of flags.
+.Pp
+The
+.Fa dcont
+parameter is used in the rare case where the encrypted content is
+detached.
+It will normally be set to
+.Dv NULL .
+.Pp
+Although the recipients certificate is not needed to decrypt the data it
+is needed to locate the appropriate (of possible several) recipients in
+the CMS structure.
+.Pp
+If
+.Fa cert
+is set to
+.Dv NULL ,
+all possible recipients are tried.
+This case however is problematic.
+To thwart the MMA attack (Bleichenbacher's attack on PKCS #1 v1.5 RSA
+padding) all recipients are tried whether they succeed or not.
+If no recipient succeeds then a random symmetric key is used to decrypt
+the content: this will typically output garbage and may (but is not
+guaranteed to) ultimately return a padding error only.
+If
+.Fn CMS_decrypt
+just returned an error when all recipient encrypted keys failed to
+decrypt an attacker could use this in a timing attack.
+If the special flag
+.Dv CMS_DEBUG_DECRYPT
+is set, then the above behaviour is modified and an error
+.Em is
+returned if no recipient encrypted key can be decrypted
+.Em without
+generating a random content encryption key.
+Applications should use this flag with extreme caution
+especially in automated gateways as it can leave them open to attack.
+.Pp
+It is possible to determine the correct recipient key by other means
+(for example looking them up in a database) and setting them in the CMS
+structure in advance using the CMS utility functions such as
+.Xr CMS_set1_pkey 3 .
+In this case both
+.Fa cert
+and
+.Fa pkey
+should be set to
+.Dv NULL .
+.Pp
+To process KEKRecipientInfo types,
+.Xr CMS_set1_key 3
+or
+.Xr CMS_RecipientInfo_set0_key 3
+and
+.Xr CMS_RecipientInfo_decrypt 3
+should be called before
+.Fn CMS_decrypt
+and
+.Fa cert
+and
+.Fa pkey
+set to
+.Dv NULL .
+.Pp
+The following flags can be passed in the
+.Fa flags
+parameter:
+.Pp
+If the
+.Dv CMS_TEXT
+flag is set, MIME headers for type text/plain
+are deleted from the content.
+If the content is not of type text/plain,
+then an error is returned.
+.Sh RETURN VALUES
+.Fn CMS_decrypt
+returns either 1 for success or 0 for failure.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_encrypt 3
+.Sh HISTORY
+.Fn CMS_decrypt
+was added to OpenSSL 0.9.8.
+.Sh BUGS
+The lack of single pass processing and the need to hold all data in
+memory as mentioned in
+.Xr CMS_verify 3
+also applies to
+.Fn CMS_decrypt .
diff --git a/src/lib/libcrypto/man/CMS_encrypt.3 b/src/lib/libcrypto/man/CMS_encrypt.3
new file mode 100644
index 0000000000..8550de2c9f
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_encrypt.3
@@ -0,0 +1,190 @@
+.\" $OpenBSD: CMS_encrypt.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_ENCRYPT 3
+.Os
+.Sh NAME
+.Nm CMS_encrypt
+.Nd create a CMS envelopedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ContentInfo *
+.Fo CMS_encrypt
+.Fa "STACK_OF(X509) *certs"
+.Fa "BIO *in"
+.Fa "const EVP_CIPHER *cipher"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_encrypt
+creates and returns a CMS EnvelopedData structure.
+.Fa certs
+is a list of recipient certificates.
+.Fa in
+is the content to be encrypted.
+.Fa cipher
+is the symmetric cipher to use.
+.Fa flags
+is an optional set of flags.
+.Pp
+Only certificates carrying RSA, Diffie-Hellman or EC keys are supported
+by this function.
+.Pp
+.Xr EVP_des_ede3_cbc 3
+(triple DES) is the algorithm of choice for S/MIME use because most
+clients will support it.
+.Pp
+The algorithm passed in the
+.Fa cipher
+parameter must support ASN1 encoding of its parameters.
+.Pp
+Many browsers implement a "sign and encrypt" option which is simply an
+S/MIME envelopedData containing an S/MIME signed message.
+This can be readily produced by storing the S/MIME signed message in a
+memory BIO and passing it to
+.Fn CMS_encrypt .
+.Pp
+The following flags can be passed in the
+.Fa flags
+parameter:
+.Bl -tag -width Ds
+.It Dv CMS_TEXT
+MIME headers for type text/plain are prepended to the data.
+.It Dv CMS_BINARY
+Do not translate the supplied content into MIME canonical format
+even though that is required by the S/MIME specifications.
+This option should be used if the supplied data is in binary format.
+Otherwise, the translation will corrupt it.
+If
+.Dv CMS_BINARY
+is set, then
+.Dv CMS_TEXT
+is ignored.
+.It Dv CMS_USE_KEYID
+Use the subject key identifier value to identify recipient certificates.
+An error occurs if all recipient certificates do not have a subject key
+identifier extension.
+By default, issuer name and serial number are used instead.
+.It Dv CMS_STREAM
+Return a partial
+.Vt CMS_ContentInfo
+structure suitable for streaming I/O: no data is read from the BIO
+.Fa in .
+.It Dv CMS_PARTIAL
+Return a partial
+.Vt CMS_ContentInfo
+structure to which additional recipients and attributes can
+be added before finalization.
+.It Dv CMS_DETACHED
+Omit the data being encrypted from the
+.Vt CMS_ContentInfo
+structure.
+This is rarely used in practice and is not supported by
+.Xr SMIME_write_CMS 3 .
+.El
+.Pp
+If the flag
+.Dv CMS_STREAM
+is set, the returned
+.Vt CMS_ContentInfo
+structure is
+.Em not
+complete and outputting its contents via a function that does not
+properly finalize the
+.Vt CMS_ContentInfo
+structure will give unpredictable results.
+.Pp
+Several functions including
+.Xr SMIME_write_CMS 3 ,
+.Xr i2d_CMS_bio_stream 3 ,
+.Xr PEM_write_bio_CMS_stream 3
+finalize the structure.
+Alternatively finalization can be performed by obtaining the streaming
+ASN1
+.Vt BIO
+directly using
+.Xr BIO_new_CMS 3 .
+.Pp
+The recipients specified in
+.Fa certs
+use a CMS KeyTransRecipientInfo info structure.
+KEKRecipientInfo is also supported using the flag
+.Dv CMS_PARTIAL
+and
+.Xr CMS_add0_recipient_key 3 .
+.Pp
+The parameter
+.Fa certs
+may be
+.Dv NULL
+if
+.Dv CMS_PARTIAL
+is set and recipients are added later using
+.Xr CMS_add1_recipient_cert 3
+or
+.Xr CMS_add0_recipient_key 3 .
+.Sh RETURN VALUES
+.Fn CMS_encrypt
+returns either a
+.Vt CMS_ContentInfo
+structure or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_decrypt 3
+.Sh HISTORY
+.Fn CMS_encrypt
+was added to OpenSSL 0.9.8.
+The
+.Sy CMS_STREAM
+flag was first supported in OpenSSL 1.0.0.
diff --git a/src/lib/libcrypto/man/CMS_final.3 b/src/lib/libcrypto/man/CMS_final.3
new file mode 100644
index 0000000000..8404005c74
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_final.3
@@ -0,0 +1,98 @@
+.\" $OpenBSD: CMS_final.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 25ccb589 Jul 1 02:02:06 2019 +0800
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_FINAL 3
+.Os
+.Sh NAME
+.Nm CMS_final
+.Nd finalise a CMS_ContentInfo structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo CMS_final
+.Fa "CMS_ContentInfo *cms"
+.Fa "BIO *data"
+.Fa "BIO *dcont"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_final
+finalises the structure
+.Fa cms .
+Its purpose is to perform any operations necessary on
+.Fa cms
+(digest computation for example) and set the appropriate fields.
+The parameter
+.Fa data
+contains the content to be processed.
+The
+.Fa dcont
+parameter contains a
+.Vt BIO
+to write content to after processing: this is
+only used with detached data and will usually be set to
+.Dv NULL .
+.Pp
+This function will normally be called when the
+.Dv CMS_PARTIAL
+flag is used.
+It should only be used when streaming is not performed because the
+streaming I/O functions perform finalisation operations internally.
+.Sh RETURN VALUES
+.Fn CMS_final
+returns 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3 ,
+.Xr ERR_get_error 3
+.Sh HISTORY
+.Fn CMS_final
+was added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3 b/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3
new file mode 100644
index 0000000000..07c16c5675
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3
@@ -0,0 +1,323 @@
+.\" $OpenBSD: CMS_get0_RecipientInfos.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008, 2013 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_GET0_RECIPIENTINFOS 3
+.Os
+.Sh NAME
+.Nm CMS_get0_RecipientInfos ,
+.Nm CMS_RecipientInfo_type ,
+.Nm CMS_RecipientInfo_ktri_get0_signer_id ,
+.Nm CMS_RecipientInfo_ktri_cert_cmp ,
+.Nm CMS_RecipientInfo_set0_pkey ,
+.Nm CMS_RecipientInfo_kekri_get0_id ,
+.Nm CMS_RecipientInfo_kekri_id_cmp ,
+.Nm CMS_RecipientInfo_set0_key ,
+.Nm CMS_RecipientInfo_decrypt ,
+.Nm CMS_RecipientInfo_encrypt
+.Nd CMS envelopedData RecipientInfo routines
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft STACK_OF(CMS_RecipientInfo) *
+.Fo CMS_get0_RecipientInfos
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_type
+.Fa "CMS_RecipientInfo *ri"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_ktri_get0_signer_id
+.Fa "CMS_RecipientInfo *ri"
+.Fa "ASN1_OCTET_STRING **keyid"
+.Fa "X509_NAME **issuer"
+.Fa "ASN1_INTEGER **sno"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_ktri_cert_cmp
+.Fa "CMS_RecipientInfo *ri"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_set0_pkey
+.Fa "CMS_RecipientInfo *ri"
+.Fa "EVP_PKEY *pkey"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_kekri_get0_id
+.Fa "CMS_RecipientInfo *ri"
+.Fa "X509_ALGOR **palg"
+.Fa "ASN1_OCTET_STRING **pid"
+.Fa "ASN1_GENERALIZEDTIME **pdate"
+.Fa "ASN1_OBJECT **potherid"
+.Fa "ASN1_TYPE **pothertype"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_kekri_id_cmp
+.Fa "CMS_RecipientInfo *ri"
+.Fa "const unsigned char *id"
+.Fa "size_t idlen"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_set0_key
+.Fa "CMS_RecipientInfo *ri"
+.Fa "unsigned char *key"
+.Fa "size_t keylen"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_decrypt
+.Fa "CMS_ContentInfo *cms"
+.Fa "CMS_RecipientInfo *ri"
+.Fc
+.Ft int
+.Fo CMS_RecipientInfo_encrypt
+.Fa "CMS_ContentInfo *cms"
+.Fa "CMS_RecipientInfo *ri"
+.Fc
+.Sh DESCRIPTION
+The function
+.Fn CMS_get0_RecipientInfos
+returns all the
+.Vt CMS_RecipientInfo
+structures associated with a CMS EnvelopedData structure.
+.Pp
+.Fn CMS_RecipientInfo_type
+returns the type of the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri .
+It will currently return
+.Dv CMS_RECIPINFO_TRANS ,
+.Dv CMS_RECIPINFO_AGREE ,
+.Dv CMS_RECIPINFO_KEK ,
+.Dv CMS_RECIPINFO_PASS ,
+or
+.Dv CMS_RECIPINFO_OTHER .
+.Pp
+.Fn CMS_RecipientInfo_ktri_get0_signer_id
+retrieves the certificate recipient identifier associated with a
+specific
+.Vt CMS_RecipientInfo
+structure
+.Fa ri ,
+which must be of type
+.Dv CMS_RECIPINFO_TRANS .
+Either the keyidentifier will be set in
+.Fa keyid
+or
+.Em both
+issuer name and serial number in
+.Fa issuer
+and
+.Fa sno .
+.Pp
+.Fn CMS_RecipientInfo_ktri_cert_cmp
+compares the certificate
+.Fa cert
+against the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri ,
+which must be of type
+.Dv CMS_RECIPINFO_TRANS .
+It returns zero if the comparison is successful or non-zero if not.
+.Pp
+.Fn CMS_RecipientInfo_set0_pkey
+associates the private key
+.Fa pkey
+with the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri ,
+which must be of type
+.Dv CMS_RECIPINFO_TRANS .
+.Pp
+.Fn CMS_RecipientInfo_kekri_get0_id
+retrieves the key information from the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri
+which must be of type
+.Dv CMS_RECIPINFO_KEK .
+Any of the remaining parameters can be
+.Dv NULL
+if the application is not interested in the value of a field.
+Where a field is optional and absent,
+.Dv NULL
+will be written to the corresponding parameter.
+The keyEncryptionAlgorithm field is written to
+.Fa palg ,
+the keyIdentifier field is written to
+.Fa pid ,
+the
+.Sy date
+field if present is written to
+.Fa pdate .
+If the
+.Sy other
+field is present the components
+.Sy keyAttrId
+and
+.Sy keyAttr
+are written to the parameters
+.Fa potherid
+and
+.Fa pothertype .
+.Pp
+.Fn CMS_RecipientInfo_kekri_id_cmp
+compares the ID in the
+.Fa id
+and
+.Fa idlen
+parameters against the keyIdentifier
+.Vt CMS_RecipientInfo
+structure
+.Fa ri ,
+which must be of type
+.Dv CMS_RECIPINFO_KEK .
+It returns zero if the comparison is successful or non-zero if not.
+.Pp
+.Fn CMS_RecipientInfo_set0_key
+associates the symmetric key
+.Fa key
+of length
+.Fa keylen
+with the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri ,
+which must be of type
+.Dv CMS_RECIPINFO_KEK .
+.Pp
+.Fn CMS_RecipientInfo_decrypt
+attempts to decrypt the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri
+in structure
+.Fa cms .
+A key must have been associated with the structure first.
+.Pp
+.Fn CMS_RecipientInfo_encrypt
+attempts to encrypt the
+.Vt CMS_RecipientInfo
+structure
+.Fa ri
+in structure
+.Fa cms .
+A key must have been associated with the structure first and the content
+encryption key must be available: for example by a previous call to
+.Fn CMS_RecipientInfo_decrypt .
+.Pp
+The main purpose of these functions is to enable an application to
+lookup recipient keys using any appropriate technique when the simpler
+method of
+.Xr CMS_decrypt 3
+is not appropriate.
+.Pp
+In typical usage, an application will retrieve all
+.Vt CMS_RecipientInfo
+structures using
+.Fn CMS_get0_RecipientInfos
+and check the type of each using
+.Fn CMS_RecipientInfo_type .
+Depending on the type, the
+.Vt CMS_RecipientInfo
+structure can be ignored or its key identifier data retrieved using
+an appropriate function.
+If the corresponding secret or private key can be obtained by any
+appropriate means it can then be associated with the structure and
+.Fn CMS_RecipientInfo_decrypt
+called.
+If successful,
+.Xr CMS_decrypt 3
+can be called with a
+.Dv NULL
+key to decrypt the enveloped content.
+.Pp
+The function
+.Fn CMS_RecipientInfo_encrypt
+can be used to add a new recipient to an existing enveloped data
+structure.
+Typically an application will first decrypt an appropriate
+.Vt CMS_RecipientInfo
+structure to make the content encrypt key available.
+Ot will then add a new recipient using a function such as
+.Xr CMS_add1_recipient_cert 3
+and finally encrypt the content encryption key using
+.Fn CMS_RecipientInfo_encrypt .
+.Sh RETURN VALUES
+.Fn CMS_get0_RecipientInfos
+returns all
+.Vt CMS_RecipientInfo
+structures, or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn CMS_RecipientInfo_ktri_get0_signer_id ,
+.Fn CMS_RecipientInfo_set0_pkey ,
+.Fn CMS_RecipientInfo_kekri_get0_id ,
+.Fn CMS_RecipientInfo_set0_key ,
+.Fn CMS_RecipientInfo_decrypt ,
+and
+.Fn CMS_RecipientInfo_encrypt
+return 1 for success or 0 if an error occurs.
+.Pp
+.Fn CMS_RecipientInfo_ktri_cert_cmp
+and
+.Fn CMS_RecipientInfo_kekri_id_cmp
+return 0 for a successful comparison or non-zero otherwise.
+.Pp
+Any error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_decrypt 3
+.Sh HISTORY
+These functions were first was added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_get0_SignerInfos.3 b/src/lib/libcrypto/man/CMS_get0_SignerInfos.3
new file mode 100644
index 0000000000..b9c8fee366
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_get0_SignerInfos.3
@@ -0,0 +1,180 @@
+.\" $OpenBSD: CMS_get0_SignerInfos.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008, 2013 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_GET0_SIGNERINFOS 3
+.Os
+.Sh NAME
+.Nm CMS_get0_SignerInfos ,
+.Nm CMS_SignerInfo_get0_signer_id ,
+.Nm CMS_SignerInfo_get0_signature ,
+.Nm CMS_SignerInfo_cert_cmp ,
+.Nm CMS_SignerInfo_set1_signer_cert
+.Nd CMS signedData signer functions
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft STACK_OF(CMS_SignerInfo) *
+.Fo CMS_get0_SignerInfos
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Ft int
+.Fo CMS_SignerInfo_get0_signer_id
+.Fa "CMS_SignerInfo *si"
+.Fa "ASN1_OCTET_STRING **keyid"
+.Fa "X509_NAME **issuer"
+.Fa "ASN1_INTEGER **sno"
+.Fc
+.Ft ASN1_OCTET_STRING *
+.Fo CMS_SignerInfo_get0_signature
+.Fa "CMS_SignerInfo *si"
+.Fc
+.Ft int
+.Fo CMS_SignerInfo_cert_cmp
+.Fa "CMS_SignerInfo *si"
+.Fa "X509 *cert"
+.Fc
+.Ft void
+.Fo CMS_SignerInfo_set1_signer_cert
+.Fa "CMS_SignerInfo *si"
+.Fa "X509 *signer"
+.Fc
+.Sh DESCRIPTION
+The function
+.Fn CMS_get0_SignerInfos
+returns all the
+.Vt CMS_SignerInfo
+structures associated with a CMS signedData structure.
+.Pp
+.Fn CMS_SignerInfo_get0_signer_id
+retrieves the certificate signer identifier associated with a specific
+.Vt CMS_SignerInfo
+structure
+.Fa si .
+Either the keyidentifier will be set in
+.Fa keyid
+or
+.Em both
+issuer name and serial number in
+.Fa issuer
+and
+.Fa sno .
+.Pp
+.Fn CMS_SignerInfo_get0_signature
+retrieves the signature associated with
+.Fa si
+in a pointer to an
+.Vt ASN1_OCTET_STRING
+structure.
+This pointer returned corresponds to the internal signature value of
+.Fa si
+so it may be read or modified.
+.Pp
+.Fn CMS_SignerInfo_cert_cmp
+compares the certificate
+.Fa cert
+against the signer identifier
+.Fa si .
+It returns zero if the comparison is successful or non-zero if not.
+.Pp
+.Fn CMS_SignerInfo_set1_signer_cert
+sets the signers certificate of
+.Fa si
+to
+.Fa signer .
+.Pp
+The main purpose of these functions is to enable an application to
+lookup signers certificates using any appropriate technique when the
+simpler method of
+.Xr CMS_verify 3
+is not appropriate.
+.Pp
+In typical usage an application will retrieve all
+.Vt CMS_SignerInfo
+structures using
+.Fn CMS_get0_SignerInfos
+and retrieve the identifier information using CMS.
+It will then obtain the signer certificate by some unspecified means
+(or return and error if it cannot be found) and set it using
+.Fn CMS_SignerInfo_set1_signer_cert .
+.Pp
+Once all signer certificates have been set,
+.Xr CMS_verify 3
+can be used.
+.Pp
+Although
+.Fn CMS_get0_SignerInfos
+can return
+.Dv NULL
+if an error occurs
+.Em or
+if there are no signers, this is not a problem in practice because the
+only error which can occur is if the
+.Fa cms
+structure is not of type signedData due to application error.
+.Sh RETURN VALUES
+.Fn CMS_get0_SignerInfos
+returns all
+.Vt CMS_SignerInfo
+structures, or
+.Dv NULL
+if there are no signers or an error occurs.
+.Pp
+.Fn CMS_SignerInfo_get0_signer_id
+returns 1 for success or 0 for failure.
+.Pp
+.Fn CMS_SignerInfo_cert_cmp
+returns 0 for a successful comparison or non-zero otherwise.
+.Pp
+Any error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_verify 3
+.Sh HISTORY
+These functions were first was added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_get0_type.3 b/src/lib/libcrypto/man/CMS_get0_type.3
new file mode 100644
index 0000000000..982826c7ca
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_get0_type.3
@@ -0,0 +1,174 @@
+.\" $OpenBSD: CMS_get0_type.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008, 2015 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_GET0_TYPE 3
+.Os
+.Sh NAME
+.Nm CMS_get0_type ,
+.Nm CMS_set1_eContentType ,
+.Nm CMS_get0_eContentType ,
+.Nm CMS_get0_content
+.Nd get and set CMS content types and content
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft const ASN1_OBJECT *
+.Fo CMS_get0_type
+.Fa "const CMS_ContentInfo *cms"
+.Fc
+.Ft int
+.Fo CMS_set1_eContentType
+.Fa "CMS_ContentInfo *cms"
+.Fa "const ASN1_OBJECT *oid"
+.Fc
+.Ft const ASN1_OBJECT *
+.Fo CMS_get0_eContentType
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Ft ASN1_OCTET_STRING **
+.Fo CMS_get0_content
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_get0_type
+returns the content type of a
+.Vt CMS_ContentInfo
+structure as an
+.Vt ASN1_OBJECT
+pointer.
+An application can then decide how to process the
+.Vt CMS_ContentInfo
+structure based on this value.
+.Pp
+.Fn CMS_set1_eContentType
+sets the embedded content type of a
+.Vt CMS_ContentInfo
+structure.
+It should be called with CMS functions (such as
+.Xr CMS_sign 3 ,
+.Xr CMS_encrypt 3 )
+with the
+.Dv CMS_PARTIAL
+flag and
+.Em before
+the structure is finalised, otherwise the results are undefined.
+.Pp
+.Fn CMS_get0_eContentType
+returns a pointer to the embedded content type.
+.Pp
+.Fn CMS_get0_content
+returns a pointer to the
+.Vt ASN1_OCTET_STRING
+pointer containing the embedded content.
+.Pp
+As the
+.Sq 0
+in the function names imply,
+.Fn CMS_get0_type ,
+.Fn CMS_get0_eContentType ,
+and
+.Fn CMS_get0_content
+return internal pointers which should
+.Em not
+be freed up.
+.Fn CMS_set1_eContentType
+copies the supplied OID and it
+.Em should
+be freed up after use.
+.Pp
+The
+.Vt ASN1_OBJECT
+values returned can be converted to an integer NID value using
+.Xr OBJ_obj2nid 3 .
+For the currently supported content types the following values are
+returned:
+.Dv NID_pkcs7_data ,
+.Dv NID_pkcs7_signed ,
+.Dv NID_pkcs7_digest ,
+.Dv NID_id_smime_ct_compressedData ,
+.Dv NID_pkcs7_encrypted ,
+.Dv NID_pkcs7_enveloped .
+.Pp
+The return value of
+.Fn CMS_get0_content
+is a pointer to the
+.Vt ASN1_OCTET_STRING
+content pointer.
+That means that for example after
+.Pp
+.Dl ASN1_OCTET_STRING **pconf = CMS_get0_content(cms);
+.Pp
+.Pf * Va pconf
+could be
+.Dv NULL
+if there is no embedded content.
+Applications can access, modify or create the embedded content in a
+.Vt CMS_ContentInfo
+structure using this function.
+Applications usually will not need to modify the embedded content as it
+is normally set by higher level functions.
+.Sh RETURN VALUES
+.Fn CMS_get0_type
+and
+.Fn CMS_get0_eContentType
+return an
+.Vt ASN1_OBJECT
+structure.
+.Pp
+.Fn CMS_set1_eContentType
+returns 1 for success or 0 if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh HISTORY
+.Fn CMS_get0_type ,
+.Fn CMS_set1_eContentType ,
+and
+.Fn CMS_get0_eContentType
+were all first added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 b/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
new file mode 100644
index 0000000000..d944f606d8
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
@@ -0,0 +1,175 @@
+.\" $OpenBSD: CMS_get1_ReceiptRequest.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_GET1_RECEIPTREQUEST 3
+.Os
+.Sh NAME
+.Nm CMS_ReceiptRequest_create0 ,
+.Nm CMS_add1_ReceiptRequest ,
+.Nm CMS_get1_ReceiptRequest ,
+.Nm CMS_ReceiptRequest_get0_values
+.Nd CMS signed receipt request functions
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ReceiptRequest *
+.Fo CMS_ReceiptRequest_create0
+.Fa "unsigned char *id"
+.Fa "int idlen"
+.Fa "int allorfirst"
+.Fa "STACK_OF(GENERAL_NAMES) *receiptList"
+.Fa "STACK_OF(GENERAL_NAMES) *receiptsTo"
+.Fc
+.Ft int
+.Fo CMS_add1_ReceiptRequest
+.Fa "CMS_SignerInfo *si"
+.Fa "CMS_ReceiptRequest *rr"
+.Fc
+.Ft int
+.Fo CMS_get1_ReceiptRequest
+.Fa "CMS_SignerInfo *si"
+.Fa "CMS_ReceiptRequest **prr"
+.Fc
+.Ft void
+.Fo CMS_ReceiptRequest_get0_values
+.Fa "CMS_ReceiptRequest *rr"
+.Fa "ASN1_STRING **pcid"
+.Fa "int *pallorfirst"
+.Fa "STACK_OF(GENERAL_NAMES) **plist"
+.Fa "STACK_OF(GENERAL_NAMES) **prto"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_ReceiptRequest_create0
+creates a signed receipt request structure.
+The signedContentIdentifier field is set using
+.Fa id
+and
+.Fa idlen ,
+or it is set to 32 bytes of pseudo random data if
+.Fa id
+is
+.Dv NULL .
+If
+.Fa receiptList
+is
+.Dv NULL ,
+the allOrFirstTier option in receiptsFrom
+is used and set to the value of the
+.Fa allorfirst
+parameter.
+If
+.Fa receiptList
+is not
+.Dv NULL ,
+the receiptList option in receiptsFrom is used.
+The
+.Fa receiptsTo
+parameter specifies the receiptsTo field value.
+.Pp
+The
+.Fn CMS_add1_ReceiptRequest
+function adds a signed receipt request
+.Fa rr
+to the
+.Vt CMS_SignerInfo
+structure
+.Fa si .
+.Pp
+.Fn CMS_get1_ReceiptRequest
+looks for a signed receipt request in
+.Fa si .
+If any is found, it is decoded and written to
+.Fa prr .
+.Pp
+.Fn CMS_ReceiptRequest_get0_values
+retrieves the values of a receipt request.
+The signedContentIdentifier is copied to
+.Fa pcid .
+If the allOrFirstTier option of receiptsFrom is used,
+its value is copied to
+.Fa pallorfirst ;
+otherwise the receiptList field is copied to
+.Fa plist .
+The receiptsTo parameter is copied to
+.Fa prto .
+.Pp
+For more details on the meaning of the fields see RFC2634.
+.Pp
+The contents of a signed receipt should only be considered meaningful if
+the corresponding
+.Vt CMS_ContentInfo
+structure can be successfully verified using
+.Xr CMS_verify 3 .
+.Sh RETURN VALUES
+.Fn CMS_ReceiptRequest_create0
+returns a signed receipt request structure or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn CMS_add1_ReceiptRequest
+returns 1 for success or 0 if an error occurred.
+.Pp
+.Fn CMS_get1_ReceiptRequest
+returns 1 is a signed receipt request is found and decoded.
+It returns 0 if a signed receipt request is not present or -1 if it is
+present but malformed.
+.Sh SEE ALSO
+.Xr CMS_sign 3 ,
+.Xr CMS_sign_receipt 3 ,
+.Xr CMS_verify 3 ,
+.Xr CMS_verify_receipt 3 ,
+.Xr ERR_get_error 3
+.Sh HISTORY
+.Fn CMS_ReceiptRequest_create0 ,
+.Fn CMS_add1_ReceiptRequest ,
+.Fn CMS_get1_ReceiptRequest ,
+and
+.Fn CMS_ReceiptRequest_get0_values
+were added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_sign.3 b/src/lib/libcrypto/man/CMS_sign.3
new file mode 100644
index 0000000000..54d95f4a5d
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_sign.3
@@ -0,0 +1,224 @@
+.\" $OpenBSD: CMS_sign.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_SIGN 3
+.Os
+.Sh NAME
+.Nm CMS_sign
+.Nd create a CMS SignedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ContentInfo *
+.Fo CMS_sign
+.Fa "X509 *signcert"
+.Fa "EVP_PKEY *pkey"
+.Fa "STACK_OF(X509) *certs"
+.Fa "BIO *data"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_sign
+creates and returns a CMS SignedData structure.
+.Fa signcert
+is the certificate to sign with,
+.Fa pkey
+is the corresponding private key.
+.Fa certs
+is an optional additional set of certificates to include in the CMS
+structure (for example any intermediate CAs in the chain).
+Any or all of these parameters can be
+.Dv NULL .
+.Pp
+The data to be signed is read from
+.Fa data .
+.Pp
+.Fa flags
+is an optional set of flags.
+.Pp
+Any of the following flags (OR'ed together) can be passed in the
+.Fa flags
+parameter:
+.Bl -tag -width Ds
+.It Dv CMS_TEXT
+Prepend MIME headers for the type text/plain to the data.
+Many S/MIME clients expect the signed content to include valid MIME
+headers.
+.It Dv CMS_NOCERTS
+Do not include the signer's certificate in the
+.Vt CMS_ContentInfo
+structure.
+The signer's certificate must still be supplied in the
+.Fa signcert
+parameter though.
+This can reduce the size of the signature if the signers certificate can
+be obtained by other means: for example a previously signed message.
+.It Dv CMS_DETACHED
+Omit the data being signed from the
+.Vt CMS_ContentInfo
+structure.
+This is used for
+.Vt CMS_ContentInfo
+detached signatures which are used in S/MIME plaintext signed messages
+for example.
+.It Dv CMS_BINARY
+Do not translate the supplied content into MIME canonical format
+even though that is required by the S/MIME specifications.
+This option should be used if the supplied data is in binary format.
+Otherwise the translation will corrupt it.
+.It Dv CMS_NOATTR
+Do not use any signedAttributes.
+By default, the SignedData structure includes several CMS
+signedAttributes including the signing time, the CMS content type,
+and the supported list of ciphers in an SMIMECapabilities attribute.
+.It Dv CMS_NOSMIMECAP
+Omit just the SMIMECapabilities.
+If present, the SMIMECapabilities attribute indicates support for the
+following algorithms in preference order: 256 bit AES, Gost R3411-94,
+Gost 28147-89, 192 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit
+RC2, DES and 40 bit RC2.
+If any of these algorithms is not available, then it will not be
+included: for example the GOST algorithms will not be included if
+the GOST ENGINE is not loaded.
+.It Dv CMS_USE_KEYID
+Use the subject key identifier value to identify signing certificates.
+An error occurs if the signing certificate does not have a subject key
+identifier extension.
+By default, issuer name and serial number are used instead.
+.It Dv CMS_STREAM
+Only initialize the returned
+.Vt CMS_ContentInfo
+structure to prepare it for performing the signing operation.
+The signing is however
+.Em not
+performed and the data to be signed is not read from the
+.Fa data
+parameter.
+Signing is deferred until after the data has been written.
+In this way, data can be signed in a single pass.
+The returned
+.Vt CMS_ContentInfo
+structure is
+.Em not
+complete and outputting its contents via a function that does not
+properly finalize the
+.Vt CMS_ContentInfo
+structure will give unpredictable results.
+Several functions including
+.Xr SMIME_write_CMS 3 ,
+.Xr i2d_CMS_bio_stream 3 ,
+or
+.Xr PEM_write_bio_CMS_stream 3
+finalize the structure.
+Alternatively, finalization can be performed by obtaining the streaming
+ASN1
+.Vt BIO
+directly using
+.Xr BIO_new_CMS 3 .
+.It Dv CMS_PARTIAL
+Output a partial
+.Vt CMS_ContentInfo
+structure to which additional signers and capabilities can be
+added before finalization.
+.El
+.Pp
+If a signer is specified, it will use the default digest for the signing
+algorithm.
+This is SHA1 for both RSA and DSA keys.
+.Pp
+If
+.Fa signcert
+and
+.Fa pkey
+are
+.Dv NULL ,
+then a certificates only CMS structure is output.
+.Pp
+The function
+.Fn CMS_sign
+is a basic CMS signing function whose output will be suitable for many
+purposes.
+For finer control of the output format the
+.Fa certs ,
+.Fa signcert
+and
+.Fa pkey
+parameters can all be
+.Dv NULL
+and the
+.Dv CMS_PARTIAL
+flag set.
+Then one or more signers can be added using the function
+.Xr CMS_sign_add1_signer 3 ,
+non default digests can be used and custom attributes added.
+.Xr CMS_final 3
+must then be called to finalize the structure if streaming is not
+enabled.
+.Sh RETURN VALUES
+.Fn CMS_sign
+returns either a valid
+.Vt CMS_ContentInfo
+structure or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_verify 3
+.Sh HISTORY
+.Fn CMS_sign
+was added to OpenSSL 0.9.8.
+.Pp
+The
+.Dv CMS_STREAM
+flag is only supported for detached data in OpenSSL 0.9.8, it is
+supported for embedded data in OpenSSL 1.0.0 and later.
+.Sh BUGS
+Some attributes such as counter signatures are not supported.
diff --git a/src/lib/libcrypto/man/CMS_sign_receipt.3 b/src/lib/libcrypto/man/CMS_sign_receipt.3
new file mode 100644
index 0000000000..7ddff976cc
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_sign_receipt.3
@@ -0,0 +1,110 @@
+.\" $OpenBSD: CMS_sign_receipt.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_SIGN_RECEIPT 3
+.Os
+.Sh NAME
+.Nm CMS_sign_receipt
+.Nd create a CMS signed receipt
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ContentInfo *
+.Fo CMS_sign_receipt
+.Fa "CMS_SignerInfo *si"
+.Fa "X509 *signcert"
+.Fa "EVP_PKEY *pkey"
+.Fa "STACK_OF(X509) *certs"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_sign_receipt
+creates and returns a CMS signed receipt structure.
+.Fa si
+is the
+.Vt CMS_SignerInfo
+structure containing the signed receipt request.
+.Fa signcert
+is the certificate to sign with,
+.Fa pkey
+is the corresponding private key.
+.Fa certs
+is an optional additional set of certificates to include in the CMS
+structure (for example any intermediate CAs in the chain).
+.Pp
+.Fa flags
+is an optional set of flags.
+.Pp
+This functions behaves in a similar way to
+.Xr CMS_sign 3
+except the flag values
+.Dv CMS_DETACHED ,
+.Dv CMS_BINARY ,
+.Dv CMS_NOATTR ,
+.Dv CMS_TEXT ,
+and
+.Dv CMS_STREAM
+are not supported since they do not make sense in the context of
+signed receipts.
+.Sh RETURN VALUES
+.Fn CMS_sign_receipt
+returns either a valid
+.Vt CMS_ContentInfo
+structure or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_sign 3 ,
+.Xr CMS_verify_receipt 3
+.Sh HISTORY
+.Fn CMS_sign_receipt
+was added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/CMS_uncompress.3 b/src/lib/libcrypto/man/CMS_uncompress.3
new file mode 100644
index 0000000000..50926b7358
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_uncompress.3
@@ -0,0 +1,111 @@
+.\" $OpenBSD: CMS_uncompress.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_UNCOMPRESS 3
+.Os
+.Sh NAME
+.Nm CMS_uncompress
+.Nd uncompress a CMS CompressedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo CMS_uncompress
+.Fa "CMS_ContentInfo *cms"
+.Fa "BIO *dcont"
+.Fa "BIO *out"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_uncompress
+extracts and uncompresses the content from a CMS CompressedData
+structure
+.Fa cms .
+.Fa out
+is a
+.Vt BIO
+to write the content to and
+.Fa flags
+is an optional set of flags.
+.Pp
+The
+.Fa dcont
+parameter is used in the rare case where the compressed content is
+detached.
+It will normally be set to
+.Dv NULL .
+.Pp
+The only currently supported compression algorithm is zlib: if the
+structure indicates the use of any other algorithm, an error is returned.
+.Pp
+If zlib support is not compiled in, then
+.Fn CMS_uncompress
+will always return an error.
+.Pp
+If the
+.Dv CMS_TEXT
+flag is set, MIME headers for type text/plain are deleted from the content.
+If the content is not of type text/plain, an error is returned.
+.Sh RETURN VALUES
+.Fn CMS_uncompress
+returns either 1 for success or 0 for failure.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_compress 3
+.Sh HISTORY
+.Fn CMS_uncompress
+was added to OpenSSL 0.9.8.
+.Sh BUGS
+The lack of single pass processing and the need to hold all data in
+memory as mentioned in
+.Xr CMS_verify 3
+also applies to
+.Fn CMS_uncompress .
diff --git a/src/lib/libcrypto/man/CMS_verify.3 b/src/lib/libcrypto/man/CMS_verify.3
new file mode 100644
index 0000000000..cec1dc06d8
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_verify.3
@@ -0,0 +1,223 @@
+.\" $OpenBSD: CMS_verify.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_VERIFY 3
+.Os
+.Sh NAME
+.Nm CMS_verify ,
+.Nm CMS_get0_signers
+.Nd verify a CMS SignedData structure
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo CMS_verify
+.Fa "CMS_ContentInfo *cms"
+.Fa "STACK_OF(X509) *certs"
+.Fa "X509_STORE *store"
+.Fa "BIO *indata"
+.Fa "BIO *out"
+.Fa "unsigned int flags"
+.Fc
+.Ft STACK_OF(X509) *
+.Fo CMS_get0_signers
+.Fa "CMS_ContentInfo *cms"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_verify
+verifies a CMS SignedData structure.
+.Fa cms
+is the
+.Vt CMS_ContentInfo
+structure to verify.
+.Fa certs
+is a set of certificates in which to search for the signing
+certificate(s).
+.Fa store
+is a trusted certificate store used for chain verification.
+.Fa indata
+is the detached content if the content is not present in
+.Fa cms .
+The content is written to
+.Fa out
+if it is not
+.Dv NULL .
+.Pp
+.Fa flags
+is an optional set of flags, which can be used to modify the verify
+operation.
+.Pp
+.Fn CMS_get0_signers
+retrieves the signing certificate(s) from
+.Fa cms .
+It must be called after a successful
+.Fn CMS_verify
+operation.
+.Pp
+Normally the verify process proceeds as follows.
+.Pp
+Initially some sanity checks are performed on
+.Fa cms .
+The type of
+.Fa cms
+must be SignedData.
+There must be at least one signature on the data and if the content is
+detached;
+.Fa indata
+cannot be
+.Dv NULL .
+.Pp
+An attempt is made to locate all the signing certificate(s), first
+looking in the
+.Fa certs
+parameter (if it is not
+.Dv NULL )
+and then looking in any certificates contained in the
+.Fa cms
+structure itself.
+If any signing certificate cannot be located, the operation fails.
+.Pp
+Each signing certificate is chain verified using the
+.Sy smimesign
+purpose and the supplied trusted certificate store.
+Any internal certificates in the message are used as untrusted CAs.
+If CRL checking is enabled in
+.Fa store ,
+any internal CRLs are used in addition to attempting to look them up in
+.Fa store .
+If any chain verify fails, an error code is returned.
+.Pp
+Finally the signed content is read (and written to
+.Fa out
+if it is not
+.Dv NULL )
+and the signature is checked.
+.Pp
+If all signatures verify correctly, then the function is successful.
+.Pp
+Any of the following flags (OR'ed together) can be passed in the
+.Fa flags
+parameter to change the default verify behaviour:
+.Bl -tag -width Ds
+.It Dv CMS_NOINTERN
+Do not use the certificates in the message itself when
+locating the signing certificate(s).
+This means that all the signing certificates must be in the
+.Fa certs
+parameter.
+.It Dv CMS_NOCRL
+If CRL checking is enabled in
+.Fa store ,
+then any CRLs in the message itself are ignored.
+It Dv CMS_TEXT
+MIME headers for type text/plain are deleted from the content.
+If the content is not of type text/plain, an error is returned.
+.It Dv CMS_NO_SIGNER_CERT_VERIFY
+Do not verify signing certificates.
+.It Dv CMS_NO_ATTR_VERIFY
+Do not check the signed attributes signature.
+.It Dv CMS_NO_CONTENT_VERIFY
+Do not check the content digest.
+.El
+.Pp
+One application of
+.Dv CMS_NOINTERN
+is to only accept messages signed by a small number of certificates.
+The acceptable certificates would be passed in the
+.Fa certs
+parameter.
+In this case, if the signer is not one of the certificates supplied in
+.Fa certs ,
+then the verify will fail because the signer cannot be found.
+.Pp
+In some cases the standard techniques for looking up and validating
+certificates are not appropriate: for example an application may wish to
+lookup certificates in a database or perform customised verification.
+This can be achieved by setting and verifying the signers certificates
+manually using the signed data utility functions.
+.Pp
+Care should be taken when modifying the default verify behaviour, for
+example setting
+.Dv CMS_NO_CONTENT_VERIFY
+will totally disable all content verification and any modified content
+will be considered valid.
+This combination is however useful if one merely wishes to write the
+content to
+.Fa out
+and its validity is not considered important.
+.Pp
+Chain verification should arguably be performed using the signing time
+rather than the current time.
+However since the signing time is supplied by the signer it cannot be
+trusted without additional evidence (such as a trusted timestamp).
+.Sh RETURN VALUES
+.Fn CMS_verify
+returns 1 for a successful verification or zero if an error occurred.
+.Pp
+.Fn CMS_get0_signers
+returns all signers or
+.Dv NULL
+if an error occurred.
+.Pp
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_sign 3
+.Sh HISTORY
+.Fn CMS_verify
+was added to OpenSSL 0.9.8.
+.Sh BUGS
+The trusted certificate store is not searched for the signing certificate.
+This is primarily due to the inadequacies of the current
+.Vt X509_STORE
+functionality.
+.Pp
+The lack of single pass processing means that the signed content must
+all be held in memory if it is not detached.
diff --git a/src/lib/libcrypto/man/CMS_verify_receipt.3 b/src/lib/libcrypto/man/CMS_verify_receipt.3
new file mode 100644
index 0000000000..33bb43ed8d
--- /dev/null
+++ b/src/lib/libcrypto/man/CMS_verify_receipt.3
@@ -0,0 +1,104 @@
+.\" $OpenBSD: CMS_verify_receipt.3,v 1.3 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt CMS_VERIFY_RECEIPT 3
+.Os
+.Sh NAME
+.Nm CMS_verify_receipt
+.Nd verify a CMS signed receipt
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo CMS_verify_receipt
+.Fa "CMS_ContentInfo *rcms"
+.Fa "CMS_ContentInfo *ocms"
+.Fa "STACK_OF(X509) *certs"
+.Fa "X509_STORE *store"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn CMS_verify_receipt
+verifies a CMS signed receipt.
+.Fa rcms
+is the signed receipt to verify.
+.Fa ocms
+is the original SignedData structure containing the receipt request.
+.Fa certs
+is a set of certificates in which to search for the signing certificate.
+.Fa store
+is a trusted certificate store (used for chain verification).
+.Pp
+.Fa flags
+is an optional set of flags, which can be used to modify the verify
+operation.
+.Pp
+This functions behaves in a similar way to
+.Xr CMS_verify 3
+except the flag values
+.Dv CMS_DETACHED ,
+.Dv CMS_BINARY ,
+.Dv CMS_TEXT ,
+and
+.Dv CMS_STREAM
+are not supported since they do not make sense in the context of signed
+receipts.
+.Sh RETURN VALUES
+.Fn CMS_verify_receipt
+returns 1 for a successful verification or zero if an error occurred.
+.Pp
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_sign_receipt 3 ,
+.Xr CMS_verify 3
+.Sh HISTORY
+.Fn CMS_verify_receipt
+was added to OpenSSL 0.9.8.
diff --git a/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 b/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
new file mode 100644
index 0000000000..ad1688ba14
--- /dev/null
+++ b/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
@@ -0,0 +1,93 @@
+.\" $OpenBSD: PEM_write_bio_CMS_stream.3,v 1.1 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt PEM_WRITE_BIO_CMS_STREAM 3
+.Os
+.Sh NAME
+.Nm PEM_write_bio_CMS_stream
+.Nd output CMS_ContentInfo structure in PEM format
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo PEM_write_bio_CMS_stream
+.Fa "BIO *out"
+.Fa "CMS_ContentInfo *cms"
+.Fa "BIO *data"
+.Fa "int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn PEM_write_bio_CMS_stream
+outputs a
+.Vt CMS_ContentInfo
+structure in PEM format.
+.Pp
+It is otherwise identical to the function
+.Xr SMIME_write_CMS 3 .
+.Pp
+This function is effectively a version of
+.Xr PEM_write_bio_CMS 3
+supporting streaming.
+.Sh RETURN VALUES
+.Fn PEM_write_bio_CMS_stream
+returns 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr CMS_decrypt 3 ,
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3 ,
+.Xr CMS_verify 3 ,
+.Xr ERR_get_error 3 ,
+.Xr i2d_CMS_bio_stream 3 ,
+.Xr PEM_write 3 ,
+.Xr SMIME_write_CMS 3
+.Sh HISTORY
+The
+.Fn PEM_write_bio_CMS_stream
+function was added in OpenSSL 1.0.0.
diff --git a/src/lib/libcrypto/man/SMIME_read_CMS.3 b/src/lib/libcrypto/man/SMIME_read_CMS.3
new file mode 100644
index 0000000000..17f60b11ec
--- /dev/null
+++ b/src/lib/libcrypto/man/SMIME_read_CMS.3
@@ -0,0 +1,146 @@
+.\" $OpenBSD: SMIME_read_CMS.3,v 1.1 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt SMIME_READ_CMS 3
+.Os
+.Sh NAME
+.Nm SMIME_read_CMS
+.Nd parse S/MIME message
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft CMS_ContentInfo *
+.Fo SMIME_read_CMS
+.Fa "BIO *in"
+.Fa "BIO **bcont"
+.Fc
+.Sh DESCRIPTION
+.Fn SMIME_read_CMS
+parses a message in S/MIME format.
+.Pp
+.Fa in
+is a
+.Vt BIO
+to read the message from.
+.Pp
+If cleartext signing is used, then the content is saved in a memory BIO
+which is written to
+.Pf * Fa bcont ;
+otherwise
+.Pf * Fa bcont
+is set to
+.Dv NULL .
+.Pp
+The parsed
+.Vt CMS_ContentInfo
+structure is returned, or
+.Dv NULL
+if an error occurred.
+.Pp
+If
+.Pf * Fa bcont
+is not
+.Dv NULL ,
+then the message is clear text signed.
+.Pf * Fa bcont
+can then be passed to
+.Xr CMS_verify 3
+with the
+.Dv CMS_DETACHED
+flag set.
+.Pp
+Otherwise the type of the returned structure can be determined using
+.Xr CMS_get0_type 3 .
+.Pp
+To support future functionality if
+.Fa bcont
+is not
+.Dv NULL ,
+.Pf * Fa bcont
+should be initialized to
+.Dv NULL .
+For example:
+.Bd -literal -offset indent
+BIO *cont = NULL;
+CMS_ContentInfo *cms;
+
+cms = SMIME_read_CMS(in, &cont);
+.Ed
+.Sh RETURN VALUES
+.Fn SMIME_read_CMS
+returns a valid
+.Vt CMS_ContentInfo
+structure or
+.Dv NULL
+if an error occurred.
+The error can be obtained from
+.Xr ERR_get_error 3 .
+.Sh SEE ALSO
+.Xr CMS_decrypt 3 ,
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3 ,
+.Xr CMS_type 3 ,
+.Xr CMS_verify 3 ,
+.Xr SMIME_write_CMS 3
+.Sh BUGS
+The MIME parser used by
+.Fn SMIME_read_CMS
+is somewhat primitive.
+While it will handle most S/MIME messages, more complex compound formats
+may not work.
+.Pp
+The parser assumes that the
+.Vt CMS_ContentInfo
+structure is always base64 encoded and will not handle the case
+where it is in binary format or uses quoted printable format.
+.Pp
+The use of a memory BIO to hold the signed content limits the size of
+message which can be processed due to memory restraints: a streaming
+single pass option should be available.
diff --git a/src/lib/libcrypto/man/SMIME_write_CMS.3 b/src/lib/libcrypto/man/SMIME_write_CMS.3
new file mode 100644
index 0000000000..c9afa5e5a5
--- /dev/null
+++ b/src/lib/libcrypto/man/SMIME_write_CMS.3
@@ -0,0 +1,133 @@
+.\" $OpenBSD: SMIME_write_CMS.3,v 1.1 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt SMIME_WRITE_CMS 3
+.Os
+.Sh NAME
+.Nm SMIME_write_CMS
+.Nd convert CMS structure to S/MIME format
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo SMIME_write_CMS
+.Fa "BIO *out"
+.Fa "CMS_ContentInfo *cms"
+.Fa "BIO *data"
+.Fa "int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn SMIME_write_CMS
+adds the appropriate MIME headers to a CMS structure to produce an
+S/MIME message.
+.Pp
+.Fa out
+is the
+.Vt BIO
+to write the data to.
+.Fa cms
+is the appropriate
+.Vt CMS_ContentInfo
+structure.
+If streaming is enabled, then the content must be supplied in the
+.Fa data
+argument.
+.Fa flags
+is an optional set of flags.
+.Pp
+The following flags can be passed in the
+.Fa flags
+parameter:
+.Bl -tag -width Ds
+.It Dv CMS_DETACHED
+Use cleartext signing.
+This option only makes sense for SignedData where
+.Dv CMS_DETACHED
+is also set when
+.Xr CMS_sign 3
+is called.
+.Pp
+If cleartext signing is used and
+.Dv CMS_STREAM
+is not set, then the data must be read twice:
+once to compute the signature in
+.Xr CMS_sign 3
+and once to output the S/MIME message.
+.It Dv CMS_TEXT
+Add MIME headers for type text/plain to the content.
+This only makes sense if
+.Dv CMS_DETACHED
+is also set.
+.It Dv CMS_STREAM
+Perform streaming.
+This flag should only be set if
+.Dv CMS_STREAM
+was also set in the previous call to a
+.Vt CMS_ContentInfo
+creation function.
+.Pp
+If streaming is performed, the content is output in BER format using
+indefinite length constructed encoding except in the case of signed data
+with detached content where the content is absent and DER format is
+used.
+.El
+.Sh RETURN VALUES
+.Fn SMIME_write_CMS
+returns 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr CMS_decrypt 3 ,
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3 ,
+.Xr CMS_verify 3 ,
+.Xr ERR_get_error 3
+.Sh BUGS
+.Fn SMIME_write_CMS
+always base64 encodes CMS structures.
+There should be an option to disable this.
diff --git a/src/lib/libcrypto/man/i2d_CMS_bio_stream.3 b/src/lib/libcrypto/man/i2d_CMS_bio_stream.3
new file mode 100644
index 0000000000..3615c01ccb
--- /dev/null
+++ b/src/lib/libcrypto/man/i2d_CMS_bio_stream.3
@@ -0,0 +1,95 @@
+.\" $OpenBSD: i2d_CMS_bio_stream.3,v 1.1 2019/08/10 23:41:22 schwarze Exp $
+.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 10 2019 $
+.Dt I2D_CMS_BIO_STREAM 3
+.Os
+.Sh NAME
+.Nm i2d_CMS_bio_stream
+.Nd output CMS_ContentInfo structure in BER format
+.Sh SYNOPSIS
+.In openssl/cms.h
+.Ft int
+.Fo i2d_CMS_bio_stream
+.Fa "BIO *out"
+.Fa "CMS_ContentInfo *cms"
+.Fa "BIO *data"
+.Fa "int flags"
+.Fc
+.Sh DESCRIPTION
+.Fn i2d_CMS_bio_stream
+outputs a
+.Vt CMS_ContentInfo
+structure in BER format.
+.Pp
+It is otherwise identical to the function
+.Xr SMIME_write_CMS 3 .
+.Pp
+This function is effectively a version of
+.Xr i2d_CMS_bio 3
+supporting streaming.
+.Sh RETURN VALUES
+.Fn i2d_CMS_bio_stream
+returns 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr CMS_decrypt 3 ,
+.Xr CMS_encrypt 3 ,
+.Xr CMS_sign 3 ,
+.Xr CMS_verify 3 ,
+.Xr ERR_get_error 3 ,
+.Xr PEM_write_bio_CMS_stream 3 ,
+.Xr SMIME_write_CMS 3
+.Sh HISTORY
+The
+.Fn i2d_CMS_bio_stream
+function was added in OpenSSL 1.0.0.
+.Sh BUGS
+The prefix "i2d" is arguably wrong because the function outputs BER
+format.