1 files changed, 38 insertions, 23 deletions
diff --git a/src/lib/libcrypto/doc/PKCS7_encrypt.pod b/src/lib/libcrypto/doc/PKCS7_encrypt.pod
index 1a507b22a2..2cd925a7e0 100644
--- a/src/lib/libcrypto/doc/PKCS7_encrypt.pod
+++ b/src/lib/libcrypto/doc/PKCS7_encrypt.pod
@@ -6,7 +6,9 @@ PKCS7_encrypt - create a PKCS#7 envelopedData structure
 =head1 SYNOPSIS
-PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags);
+ #include <openssl/pkcs7.h>
+ PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags);
 =head1 DESCRIPTION
@@ -16,43 +18,55 @@ B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags.
 =head1 NOTES
-Only RSA keys are supported in PKCS#7 and envelopedData so the recipient certificates
+Only RSA keys are supported in PKCS#7 and envelopedData so the recipient
-supplied to this function must all contain RSA public keys, though they do not have to
+certificates supplied to this function must all contain RSA public keys, though
-be signed using the RSA algorithm.
+they do not have to be signed using the RSA algorithm.
-EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because
+EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use
-most clients will support it.
+because most clients will support it.
-Some old "export grade" clients may only support weak encryption using 40 or 64 bit
+Some old "export grade" clients may only support weak encryption using 40 or 64
-RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() respectively.
+bit RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc()
+respectively.
-The algorithm passed in the B<cipher> parameter must support ASN1 encoding of its
+The algorithm passed in the B<cipher> parameter must support ASN1 encoding of
-parameters. 
+its parameters. 
-Many browsers implement a "sign and encrypt" option which is simply an S/MIME 
+Many browsers implement a "sign and encrypt" option which is simply an S/MIME
 envelopedData containing an S/MIME signed message. This can be readily produced
 by storing the S/MIME signed message in a memory BIO and passing it to
 PKCS7_encrypt().
 The following flags can be passed in the B<flags> parameter.
-If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are prepended
+If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are
-to the data.
+prepended to the data.
-Normally the supplied content is translated into MIME canonical format (as required
+Normally the supplied content is translated into MIME canonical format (as
-by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation occurs. This
+required by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation
-option should be used if the supplied data is in binary format otherwise the translation
+occurs. This option should be used if the supplied data is in binary format
-will corrupt it. If B<PKCS7_BINARY> is set then B<PKCS7_TEXT> is ignored.
+otherwise the translation will corrupt it. If B<PKCS7_BINARY> is set then
+B<PKCS7_TEXT> is ignored.
-=head1 RETURN VALUES
+If the B<PKCS7_STREAM> flag is set a partial B<PKCS7> structure is output
+suitable for streaming I/O: no data is read from the BIO B<in>.
-PKCS7_encrypt() returns either a valid PKCS7 structure or NULL if an error occurred.
+=head1 NOTES
-The error can be obtained from ERR_get_error(3).
-=head1 BUGS
+If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not>
+complete and outputting its contents via a function that does not
+properly finalize the B<PKCS7> structure will give unpredictable 
+results.
-The lack of single pass processing and need to hold all data in memory as
+Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream(),
-mentioned in PKCS7_sign() also applies to PKCS7_verify().
+PEM_write_bio_PKCS7_stream() finalize the structure. Alternatively finalization
+can be performed by obtaining the streaming ASN1 B<BIO> directly using
+BIO_new_PKCS7().
+=head1 RETURN VALUES
+PKCS7_encrypt() returns either a PKCS7 structure or NULL if an error occurred.
+The error can be obtained from ERR_get_error(3).
 =head1 SEE ALSO
@@ -61,5 +75,6 @@ L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>
 =head1 HISTORY
 PKCS7_decrypt() was added to OpenSSL 0.9.5
+The B<PKCS7_STREAM> flag was first supported in OpenSSL 1.0.0.
 =cut

diff --git a/src/lib/libcrypto/doc/PKCS7_encrypt.pod b/src/lib/libcrypto/doc/PKCS7_encrypt.pod index 1a507b22a2..2cd925a7e0 100644 --- a/src/lib/libcrypto/doc/PKCS7_encrypt.pod +++ b/src/lib/libcrypto/doc/PKCS7_encrypt.pod
@@ -6,7 +6,9 @@ PKCS7_encrypt - create a PKCS#7 envelopedData structure
6		6
7	=head1 SYNOPSIS	7	=head1 SYNOPSIS
8		8
9	PKCS7 PKCS7_encrypt(STACK_OF(X509) certs, BIO in, const EVP_CIPHER cipher, int flags);	9	#include <openssl/pkcs7.h>
		10
		11	PKCS7 PKCS7_encrypt(STACK_OF(X509) certs, BIO in, const EVP_CIPHER cipher, int flags);
10		12
11	=head1 DESCRIPTION	13	=head1 DESCRIPTION
12		14
@@ -16,43 +18,55 @@ B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags.
16		18
17	=head1 NOTES	19	=head1 NOTES
18		20
19	Only RSA keys are supported in PKCS#7 and envelopedData so the recipient certificates	21	Only RSA keys are supported in PKCS#7 and envelopedData so the recipient
20	supplied to this function must all contain RSA public keys, though they do not have to	22	certificates supplied to this function must all contain RSA public keys, though
21	be signed using the RSA algorithm.	23	they do not have to be signed using the RSA algorithm.
22		24
23	EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because	25	EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use
24	most clients will support it.	26	because most clients will support it.
25		27
26	Some old "export grade" clients may only support weak encryption using 40 or 64 bit	28	Some old "export grade" clients may only support weak encryption using 40 or 64
27	RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() respectively.	29	bit RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc()
		30	respectively.
28		31
29	The algorithm passed in the B<cipher> parameter must support ASN1 encoding of its	32	The algorithm passed in the B<cipher> parameter must support ASN1 encoding of
30	parameters.	33	its parameters.
31		34
32	Many browsers implement a "sign and encrypt" option which is simply an S/MIME	35	Many browsers implement a "sign and encrypt" option which is simply an S/MIME
33	envelopedData containing an S/MIME signed message. This can be readily produced	36	envelopedData containing an S/MIME signed message. This can be readily produced
34	by storing the S/MIME signed message in a memory BIO and passing it to	37	by storing the S/MIME signed message in a memory BIO and passing it to
35	PKCS7_encrypt().	38	PKCS7_encrypt().
36		39
37	The following flags can be passed in the B<flags> parameter.	40	The following flags can be passed in the B<flags> parameter.
38		41
39	If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are prepended	42	If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are
40	to the data.	43	prepended to the data.
41		44
42	Normally the supplied content is translated into MIME canonical format (as required	45	Normally the supplied content is translated into MIME canonical format (as
43	by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation occurs. This	46	required by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation
44	option should be used if the supplied data is in binary format otherwise the translation	47	occurs. This option should be used if the supplied data is in binary format
45	will corrupt it. If B<PKCS7_BINARY> is set then B<PKCS7_TEXT> is ignored.	48	otherwise the translation will corrupt it. If B<PKCS7_BINARY> is set then
		49	B<PKCS7_TEXT> is ignored.
46		50
47	=head1 RETURN VALUES	51	If the B<PKCS7_STREAM> flag is set a partial B<PKCS7> structure is output
		52	suitable for streaming I/O: no data is read from the BIO B<in>.
48		53
49	PKCS7_encrypt() returns either a valid PKCS7 structure or NULL if an error occurred.	54	=head1 NOTES
50	The error can be obtained from ERR_get_error(3).
51		55
52	=head1 BUGS	56	If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not>
		57	complete and outputting its contents via a function that does not
		58	properly finalize the B<PKCS7> structure will give unpredictable
		59	results.
53		60
54	The lack of single pass processing and need to hold all data in memory as	61	Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream(),
55	mentioned in PKCS7_sign() also applies to PKCS7_verify().	62	PEM_write_bio_PKCS7_stream() finalize the structure. Alternatively finalization
		63	can be performed by obtaining the streaming ASN1 B<BIO> directly using
		64	BIO_new_PKCS7().
		65
		66	=head1 RETURN VALUES
		67
		68	PKCS7_encrypt() returns either a PKCS7 structure or NULL if an error occurred.
		69	The error can be obtained from ERR_get_error(3).
56		70
57	=head1 SEE ALSO	71	=head1 SEE ALSO
58		72
@@ -61,5 +75,6 @@ L<ERR_get_error(3)\|ERR_get_error(3)>, L<PKCS7_decrypt(3)\|PKCS7_decrypt(3)>
61	=head1 HISTORY	75	=head1 HISTORY
62		76
63	PKCS7_decrypt() was added to OpenSSL 0.9.5	77	PKCS7_decrypt() was added to OpenSSL 0.9.5
		78	The B<PKCS7_STREAM> flag was first supported in OpenSSL 1.0.0.
64		79
65	=cut	80	=cut