1 files changed, 98 insertions, 54 deletions

diff --git a/src/lib/libcrypto/man/SMIME_write_PKCS7.3 b/src/lib/libcrypto/man/SMIME_write_PKCS7.3
index c1a9f051d0..5e344d9c63 100644
--- a/src/lib/libcrypto/man/SMIME_write_PKCS7.3
+++ b/src/lib/libcrypto/man/SMIME_write_PKCS7.3
@@ -1,10 +1,10 @@
-.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.9 2021/12/14 15:46:48 schwarze Exp $
+.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.12 2025/06/11 23:16:32 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
 .\" The changes are covered by the following Copyright and license:
 .\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2021, 2025 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -66,13 +66,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2021 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_WRITE_PKCS7 3
 .Os
 .Sh NAME
 .Nm SMIME_write_PKCS7
 .Nd convert PKCS#7 structure to S/MIME format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo SMIME_write_PKCS7
@@ -83,48 +84,81 @@
 .Fc
 .Sh DESCRIPTION
 .Fn SMIME_write_PKCS7
-adds the appropriate MIME headers to a PKCS#7 structure to produce an
-S/MIME message.
-.Pp
+generates an S/MIME message on
 .Fa out
-is the
-.Vt BIO
-to write the data to.
-.Fa p7
-is the appropriate
-.Vt PKCS7
-structure.
+by writing MIME 1.0 headers
+followed by a BER- and base64-encoded serialization of
+.Fa p7 .
+The BER encoding uses the DER format except as described for
+.Dv PKCS7_STREAM
+below.
 If streaming is enabled, then the content must be supplied in the
 .Fa data
 argument.
-.Fa flags
-is an optional set of flags.
 .Pp
-The following flags can be passed in the
+The
 .Fa flags
-parameter.
-.Pp
+can be the logical OR of zero or more of the following bits:
+.Bl -tag -width Ds
+.It Dv PKCS7_DETACHED
+Use cleartext signing and generate a
+.Qq multipart/signed
+S/MIME message.
+The content is read from
+.Fa data .
 If
-.Dv PKCS7_DETACHED
-is set, then cleartext signing will be used.
-This option only makes sense for signedData where
+.Fa data
+is a
+.Dv NULL
+pointer, this flag is ignored.
+.Pp
+This flag is only supported for signedData where
 .Dv PKCS7_DETACHED
 is also set when
 .Xr PKCS7_sign 3
-is also called.
+is called.
 .Pp
-If the
-.Dv PKCS7_TEXT
-flag is set, MIME headers for type
-.Sy text/plain
-are added to the content.
-This only makes sense if
+If
+.Dv PKCS7_STREAM
+is not set, the data must be read twice: once to compute the
+signature in
+.Xr PKCS7_sign 3
+and once to output the S/MIME message.
+.Pp
+If
+.Dv PKCS7_DETACHED
+is ignored or not specified, the smime-type is chosen according to the type of
+.Fa p7 :
+.Bl -tag -width Ds
+.It Dv NID_pkcs7_enveloped
+.Qq enveloped-data
+.It Dv NID_pkcs7_signed
+.Bl -tag -width Msigned-dataM -compact
+.It Qq signed-data
+if
+.Fa p7
+specifies any digest algorithm
+.It Qq certs-only
+otherwise
+.El
+.It Dv NID_id_smime_ct_compressedData
+.Qq compressed-data
+.El
+.It Dv PKCS7_REUSE_DIGEST
+Skip the calls to
+.Xr PKCS7_dataInit 3
+and
+.Xr PKCS7_dataFinal 3 .
+This flag has no effect unless
 .Dv PKCS7_DETACHED
 is also set.
+.It Dv PKCS7_STREAM
+Perform streaming by reading the content from
+.Fa data .
+This only works if
+.Dv PKCS7_DETACHED
+is not specified.
 .Pp
-If the
-.Dv PKCS7_STREAM
-flag is set, streaming is performed.
 This flag should only be set if
 .Dv PKCS7_STREAM
 was also set in the previous call to
@@ -132,13 +166,28 @@ was also set in the previous call to
 or
 .Xr PKCS7_encrypt 3 .
 .Pp
-The bit
-.Dv SMIME_OLDMIME
-is inverted before passing on the
-.Fa flags
-to
-.Xr SMIME_write_ASN1 3 .
-Consequently, if this bit is set in the
+The content is output in BER format using indefinite length constructed
+encoding except in the case of signed data with detached content
+where the content is absent and DER format is used.
+.It Dv PKCS7_TEXT
+Prepend the line
+.Qq Content-Type: text/plain
+to the content.
+This only makes sense if
+.Dv PKCS7_DETACHED
+is also set.
+It is ignored if the flag
+.Dv SMIME_BINARY
+is also set.
+.It Dv SMIME_BINARY
+If specified, this flag is passed through to
+.Xr SMIME_crlf_copy 3 .
+.It Dv SMIME_CRLFEOL
+End MIME header lines with pairs of carriage return and newline characters.
+By default, no carriage return characters are written
+and header lines are ended with newline characters only.
+.It Dv SMIME_OLDMIME
+If this bit is set in the
 .Fa flags
 argument,
 .Qq application/pkcs7-mime
@@ -150,35 +199,30 @@ Otherwise,
 or
 .Qq application/x-pkcs7-signature
 is used.
-.Pp
-If cleartext signing is being used and
-.Dv PKCS7_STREAM
-is not set, then the data must be read twice: once to compute the
-signature in
-.Xr PKCS7_sign 3
-and once to output the S/MIME message.
-.Pp
-If streaming is performed, the content is output in BER format using
-indefinite length constructed encoding except in the case of signed
-data with detached content where the content is absent and DER
-format is used.
+.El
 .Sh RETURN VALUES
-Upon successful completion, 1 is returned;
-otherwise 0 is returned and an error code can be retrieved with
-.Xr ERR_get_error 3 .
+.Fn SMIME_write_PKCS7
+is intended to return 1 on success or 0 on failure.
 .Sh SEE ALSO
+.Xr BIO_f_base64 3 ,
+.Xr BIO_new 3 ,
 .Xr i2d_PKCS7_bio_stream 3 ,
 .Xr PEM_write_bio_PKCS7_stream 3 ,
 .Xr PEM_write_PKCS7 3 ,
 .Xr PKCS7_final 3 ,
 .Xr PKCS7_new 3 ,
+.Xr SMIME_crlf_copy 3 ,
 .Xr SMIME_read_PKCS7 3 ,
-.Xr SMIME_write_ASN1 3
+.Xr SMIME_write_CMS 3
 .Sh HISTORY
 .Fn SMIME_write_PKCS7
 first appeared in OpenSSL 0.9.5 and has been available since
 .Ox 2.7 .
 .Sh BUGS
 .Fn SMIME_write_PKCS7
+ignores most errors and is likely to return 1
+even after producing corrupt or incomplete output.
+.Pp
+.Fn SMIME_write_PKCS7
 always base64 encodes PKCS#7 structures.
 There should be an option to disable this.