remove CMS manuals; beck@ agress with the general idea

18 files changed, 1 insertions, 2127 deletions

diff --git a/lib/libcrypto/man/BIO_new_CMS.3 b/lib/libcrypto/man/BIO_new_CMS.3
deleted file mode 100644
index 312c39ad1cf..00000000000
--- a/lib/libcrypto/man/BIO_new_CMS.3
+++ /dev/null
@@ -1,83 +0,0 @@
-.Dd $Mdocdate: September 9 2015 $
-.Dt BIO_NEW_CMS 3
-.Os
-.Sh NAME
-.Nm BIO_new_CMS
-.Nd CMS streaming filter BIO
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft BIO *
-.Fo BIO_new_CMS
-.Fa "BIO *out"
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_new_CMS
-returns a streaming filter BIO chain based on
-.Fa cms .
-The output of the filter is written to
-.Fa out .
-Any data written to the chain is automatically translated
-to a BER format CMS structure of the appropriate type.
-.Sh RETURN VALUES
-.Fn BIO_new_CMS
-returns a BIO chain when successful or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh NOTES
-The chain returned by this function behaves like a standard filter BIO.
-It supports non blocking I/O.
-Content is processed and streamed on the fly and not all held in memory
-at once: so it is possible to encode very large structures.
-After all content has been written through the chain
-.Xr BIO_flush 3
-must be called to finalise the structure.
-.Pp
-The
-.Dv CMS_STREAM
-flag must be included in the corresponding
-.Fa flags
-parameter of the
-.Fa cms
-creation function.
-.Pp
-If an application wishes to write additional data to
-.Fa out ,
-BIOs should be removed from the chain using
-.Xr BIO_pop 3
-and freed with
-.Xr BIO_free 3
-until
-.Fa out
-is reached.
-If no additional data needs to be written,
-.Xr BIO_free_all 3
-can be called to free up the whole chain.
-.Pp
-Any content written through the filter is used verbatim:
-no canonical translation is performed.
-.Pp
-It is possible to chain multiple BIOs to, for example,
-create a triple wrapped signed, enveloped, signed structure.
-In this case it is the application's responsibility
-to set the inner content type of any outer
-.Vt CMS_ContentInfo
-structures.
-.Pp
-Large numbers of small writes through the chain should be avoided as this
-will produce an output consisting of lots of OCTET STRING structures.
-Prepending a
-.Xr BIO_f_buffer 3
-buffering BIO will prevent this.
-.Sh SEE ALSO
-.Xr CMS_encrypt 3 ,
-.Xr CMS_sign 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn BIO_new_CMS
-was added to OpenSSL 1.0.0.
-.Sh BUGS
-There is currently no corresponding inverse BIO
-which can decode a CMS structure on the fly.
diff --git a/lib/libcrypto/man/CMS_add0_cert.3 b/lib/libcrypto/man/CMS_add0_cert.3
deleted file mode 100644
index b02eb066730..00000000000
--- a/lib/libcrypto/man/CMS_add0_cert.3
+++ /dev/null
@@ -1,127 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_ADD0_CERT 3
-.Os
-.Sh NAME
-.Nm CMS_add0_cert ,
-.Nm CMS_add1_cert ,
-.Nm CMS_get1_certs ,
-.Nm CMS_add0_crl ,
-.Nm CMS_add1_crl ,
-.Nm CMS_get1_crls
-.Nd CMS certificate and CRL utility functions
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_add0_cert
-.Fa "CMS_ContentInfo *cms"
-.Fa "X509 *cert"
-.Fc
-.Ft int
-.Fo CMS_add1_cert
-.Fa "CMS_ContentInfo *cms"
-.Fa "X509 *cert"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo CMS_get1_certs
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Ft int
-.Fo CMS_add0_crl
-.Fa "CMS_ContentInfo *cms"
-.Fa "X509_CRL *crl"
-.Fc
-.Ft int
-.Fo CMS_add1_crl
-.Fa "CMS_ContentInfo *cms"
-.Fa "X509_CRL *crl"
-.Fc
-.Ft STACK_OF(X509_CRL) *
-.Fo CMS_get1_crls
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_add0_cert
-and
-.Fn CMS_add1_cert
-add certificate
-.Fa cert
-to
-.Fa cms .
-.Fa cms
-must be of type signed data or enveloped data.
-.Pp
-.Fn CMS_get1_certs
-returns all certificates in
-.Fa cms .
-.Pp
-.Fn CMS_add0_crl
-and
-.Fn CMS_add1_crl
-add CRL
-.Fa crl
-to
-.Fa cms .
-.Fn CMS_get1_crls
-returns any CRLs in
-.Fa cms .
-.Sh NOTES
-The
-.Vt CMS_ContentInfo
-structure
-.Fa cms
-must be of type signed data or enveloped data or an error will be
-returned.
-.Pp
-For signed data, certificates and CRLs are added to the
-.Fa certificates
-and
-.Fa crls
-fields of the SignedData structure.
-For enveloped data, they are added to
-.Fa OriginatorInfo .
-.Pp
-As the
-.Sq 0
-implies,
-.Fn CMS_add0_cert
-adds
-.Fa cert
-internally to
-.Fa cms
-and it must not be freed up after the call, as opposed to
-.Fn CMS_add1_cert
-where
-.Fa cert
-must be freed up.
-.Pp
-The same certificate or CRL must not be added to the same cms structure
-more than once.
-.Sh RETURN VALUES
-.Fn CMS_add0_cert ,
-.Fn CMS_add1_cert ,
-.Fn CMS_add0_crl ,
-and
-.Fn CMS_add1_crl
-return 1 for success and 0 for failure.
-.Pp
-.Fn CMS_get1_certs
-and
-.Fn CMS_get1_crls
-return the STACK of certificates or CRLs or
-.Dv NULL
-if there are none or an error occurs.
-The only error which will occur in practice is if the
-.Fa cms
-type is invalid.
-.Sh SEE ALSO
-.Xr CMS_encrypt 3 ,
-.Xr CMS_sign 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_add0_cert ,
-.Fn CMS_add1_cert ,
-.Fn CMS_get1_certs ,
-.Fn CMS_add0_crl
-and
-.Fn CMS_get1_crls
-were all first added to OpenSSL 0.9.8.
diff --git a/lib/libcrypto/man/CMS_add1_recipient_cert.3 b/lib/libcrypto/man/CMS_add1_recipient_cert.3
deleted file mode 100644
index 4e848446a66..00000000000
--- a/lib/libcrypto/man/CMS_add1_recipient_cert.3
+++ /dev/null
@@ -1,115 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_ADD1_RECIPIENT_CERT 3
-.Os
-.Sh NAME
-.Nm CMS_add1_recipient_cert ,
-.Nm CMS_add0_recipient_key
-.Nd add recipients to a CMS enveloped data structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_RecipientInfo *
-.Fo CMS_add1_recipient_cert
-.Fa "CMS_ContentInfo *cms"
-.Fa "X509 *recip"
-.Fa "unsigned int flags"
-.Fc
-.Ft CMS_RecipientInfo *
-.Fo CMS_add0_recipient_key
-.Fa "CMS_ContentInfo *cms"
-.Fa "int nid"
-.Fa "unsigned char *key"
-.Fa "size_t keylen"
-.Fa "unsigned char *id"
-.Fa "size_t idlen"
-.Fa "ASN1_GENERALIZEDTIME *date"
-.Fa "ASN1_OBJECT *otherTypeId"
-.Fa "ASN1_TYPE *otherType"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_add1_recipient_cert
-adds recipient
-.Fa recip
-to the
-.Vt CMS_ContentInfo
-enveloped data structure
-.Fa cms
-as a KeyTransRecipientInfo structure.
-.Pp
-.Fn CMS_add0_recipient_key
-adds the symmetric key
-.Fa key
-of length
-.Fa keylen
-using the wrapping algorithm
-.Fa nid ,
-identifier
-.Fa id
-of length
-.Fa idlen
-and optional values
-.Fa date ,
-.Fa otherTypeId ,
-and
-.Fa otherType
-to the
-.Vt CMS_ContentInfo
-enveloped data structure
-.Fa cms
-as a KEKRecipientInfo structure.
-.Pp
-The
-.Vt CMS_ContentInfo
-structure should be obtained from an initial call to
-.Xr CMS_encrypt 3
-with the flag
-.Dv CMS_PARTIAL
-set.
-.Sh NOTES
-The main purpose of this function is to provide finer control over a CMS
-enveloped data structure where the simpler
-.Xr CMS_encrypt 3
-function defaults are not appropriate.
-For example if one or more KEKRecipientInfo structures need to be added.
-New attributes can also be added using the returned
-.Vt CMS_RecipientInfo
-structure and the CMS attribute utility functions.
-.Pp
-OpenSSL will by default identify recipient certificates using issuer
-name and serial number.
-If
-.Dv CMS_USE_KEYID
-is set, it will use the subject key identifier value instead.
-An error occurs if all recipient certificates do not have a subject key
-identifier extension.
-.Pp
-Currently only AES based key wrapping algorithms are supported for
-.Fa nid ,
-specifically:
-.Dv NID_id_aes128_wrap ,
-.Dv NID_id_aes192_wrap ,
-and
-.Dv NID_id_aes256_wrap .
-If
-.Fa nid
-is set to
-.Dv NID_undef ,
-then an AES wrap algorithm will be used consistent with
-.Fa keylen .
-.Sh RETURN VALUES
-.Fn CMS_add1_recipient_cert
-and
-.Fn CMS_add0_recipient_key
-return an internal pointer to the
-.Vt CMS_RecipientInfo
-structure just added or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr CMS_decrypt 3 ,
-.Xr CMS_final 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_add1_recipient_cert
-and
-.Fn CMS_add0_recipient_key
-were added to OpenSSL 0.9.8.
diff --git a/lib/libcrypto/man/CMS_add1_signer.3 b/lib/libcrypto/man/CMS_add1_signer.3
deleted file mode 100644
index 403ec5b8e3b..00000000000
--- a/lib/libcrypto/man/CMS_add1_signer.3
+++ /dev/null
@@ -1,161 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_SIGN_ADD1_SIGNER 3
-.Os
-.Sh NAME
-.Nm CMS_add1_signer ,
-.Nm CMS_SignerInfo_sign
-.Nd add a signer to a CMS_ContentInfo signed data structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_SignerInfo *
-.Fo CMS_add1_signer
-.Fa "CMS_ContentInfo *cms"
-.Fa "X509 *signcert"
-.Fa "EVP_PKEY *pkey"
-.Fa "const EVP_MD *md"
-.Fa "unsigned int flags"
-.Fc
-.Ft int
-.Fo CMS_SignerInfo_sign
-.Fa "CMS_SignerInfo *si"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_add1_signer
-adds a signer with certificate
-.Fa signcert
-and private key
-.Fa pkey
-using message digest
-.Fa md
-to the
-.Vt CMS_ContentInfo
-SignedData structure
-.Fa cms .
-.Pp
-The
-.Vt CMS_ContentInfo
-structure should be obtained from an initial call to
-.Xr CMS_sign 3
-with the flag
-.Dv CMS_PARTIAL
-set or in the case or re-signing a valid
-.Vt CMS_ContentInfo
-SignedData structure.
-.Pp
-If the
-.Fa md
-parameter is
-.Dv NULL ,
-then the default digest for the public key algorithm will be used.
-.Pp
-Unless the
-.Dv CMS_REUSE_DIGEST
-flag is set, the returned
-.Vt CMS_ContentInfo
-structure is not complete and must be finalized either by streaming
-(if applicable) or a call to
-.Xr CMS_final 3 .
-.Pp
-The
-.Fn CMS_SignerInfo_sign
-function will explicitly sign a
-.Vt CMS_SignerInfo
-structure, its main use is when
-.Dv CMS_REUSE_DIGEST
-and
-.Dv CMS_PARTIAL
-flags are both set.
-.Sh NOTES
-The main purpose of
-.Fn CMS_add1_signer
-is to provide finer control over a CMS signed data structure where the
-simpler
-.Xr CMS_sign 3
-function defaults are not appropriate.
-For example if multiple signers or non default digest algorithms are
-needed.
-New attributes can also be added using the returned
-.Vt CMS_SignerInfo
-structure and the CMS attribute utility functions or the CMS signed
-receipt request functions.
-.Pp
-Any of the following flags (OR'ed together) can be passed in the
-.Fa flags
-parameter.
-.Pp
-If
-.Dv CMS_REUSE_DIGEST
-is set, then an attempt is made to copy the content digest value from the
-.Dv CMS_ContentInfo
-structure: to add a signer to an existing structure.
-An error occurs if a matching digest value cannot be found to copy.
-The returned
-.Dv CMS_ContentInfo
-structure will be valid and finalized when this flag is set.
-.Pp
-If
-.Dv CMS_PARTIAL
-is set in addition to
-.Dv CMS_REUSE_DIGEST
-then the
-.Vt CMS_SignerInfo
-structure will not be finalized so additional attributes can be added.
-In this case an explicit call to
-.Fn CMS_SignerInfo_sign
-is needed to finalize it.
-.Pp
-If
-.Dv CMS_NOCERTS
-is set, the signer's certificate will not be included in the
-.Vt CMS_ContentInfo
-structure, the signer's certificate must still be supplied in the
-.Fa signcert
-parameter though.
-This can reduce the size of the signature if the signers certificate can
-be obtained by other means: for example a previously signed message.
-.Pp
-The SignedData structure includes several CMS signedAttributes including
-the signing time, the CMS content type and the supported list of ciphers
-in an SMIMECapabilities attribute.
-If
-.Dv CMS_NOATTR
-is set, then no signedAttributes will be used.
-If
-.Dv CMS_NOSMIMECAP
-is set, then just the SMIMECapabilities are omitted.
-.Pp
-OpenSSL will by default identify signing certificates using issuer name
-and serial number.
-If
-.Dv CMS_USE_KEYID
-is set, it will use the subject key identifier value instead.
-An error occurs if the signing certificate does not have a subject key
-identifier extension.
-.Pp
-If present, the SMIMECapabilities attribute indicates support for the
-following algorithms in preference order: 256 bit AES, Gost R3411-94,
-Gost 28147-89, 192 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit
-RC2, DES and 40 bit RC2.
-If any of these algorithms is not available then it will not be
-included: for example the GOST algorithms will not be included if
-the GOST ENGINE is not loaded.
-.Pp
-.Fn CMS_add1_signer
-returns an internal pointer to the
-.Dv CMS_SignerInfo
-structure just added.
-This can be used to set additional attributes before it is finalized.
-.Sh RETURN VALUES
-.Fn CMS_add1_signer
-returns an internal pointer to the
-.Vt CMS_SignerInfo
-structure just added or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr CMS_final 3 ,
-.Xr CMS_sign 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_add1_signer
-was added to OpenSSL 0.9.8.
diff --git a/lib/libcrypto/man/CMS_compress.3 b/lib/libcrypto/man/CMS_compress.3
deleted file mode 100644
index 1330464441b..00000000000
--- a/lib/libcrypto/man/CMS_compress.3
+++ /dev/null
@@ -1,110 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_COMPRESS 3
-.Os
-.Sh NAME
-.Nm CMS_compress
-.Nd create a CMS CompressedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ContentInfo *
-.Fo CMS_compress
-.Fa "BIO *in"
-.Fa "int comp_nid"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_compress
-creates and returns a CMS CompressedData structure.
-.Fa comp_nid
-is the compression algorithm to use or
-.Dv NID_undef
-to use the default algorithm (zlib compression).
-.Fa in
-is the content to be compressed.
-.Fa flags
-is an optional set of flags.
-.Sh NOTES
-The only currently supported compression algorithm is zlib using the NID
-.Dv NID_zlib_compression .
-.Pp
-If zlib support is not compiled into OpenSSL then
-.Fn CMS_compress
-will return an error.
-.Pp
-If the
-.Dv CMS_TEXT
-flag is set, MIME headers for type
-.Sy text/plain
-are prepended to the data.
-.Pp
-Normally the supplied content is translated into MIME canonical format
-(as required by the S/MIME specifications); if
-.Dv CMS_BINARY
-is set, no translation occurs.
-This option should be used if the supplied data is in binary format;
-otherwise the translation will corrupt it.
-If
-.Dv CMS_BINARY
-is set then
-.Dv CMS_TEXT
-is ignored.
-.Pp
-If the
-.Dv CMS_STREAM
-flag is set a partial
-.Vt CMS_ContentInfo
-structure is returned suitable for streaming I/O: no data is read from
-the
-.Vt BIO
-.Fa in .
-.Pp
-The compressed data is included in the
-.Vt CMS_ContentInfo
-structure, unless
-.Dv CMS_DETACHED
-is set, in which case it is omitted.
-This is rarely used in practice and is not supported by
-.Xr SMIME_write_CMS 3 .
-.Sh NOTES
-If the flag
-.Dv CMS_STREAM
-is set, the returned
-.Vt CMS_ContentInfo
-structure is
-.Em not
-complete and outputting its contents via a function that does not
-properly finalize the
-.Vt CMS_ContentInfo
-structure will give unpredictable results.
-.Pp
-Several functions including
-.Xr SMIME_write_CMS 3 ,
-.Xr i2d_CMS_bio_stream 3 ,
-.Xr PEM_write_bio_CMS_stream 3
-finalize the structure.
-Alternatively finalization can be performed by obtaining the streaming
-ASN1
-.Vt BIO
-directly using
-.Xr BIO_new_CMS 3 .
-.Pp
-Additional compression parameters such as the zlib compression level
-cannot currently be set.
-.Sh RETURN VALUES
-.Fn CMS_compress
-returns either a
-.Vt CMS_ContentInfo
-structure or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_uncompress 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_compress
-was added to OpenSSL 0.9.8.
-The
-.Dv CMS_STREAM
-flag was first supported in OpenSSL 1.0.0.
diff --git a/lib/libcrypto/man/CMS_decrypt.3 b/lib/libcrypto/man/CMS_decrypt.3
deleted file mode 100644
index 3a34f10783c..00000000000
--- a/lib/libcrypto/man/CMS_decrypt.3
+++ /dev/null
@@ -1,127 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_DECRYPT 3
-.Os
-.Sh NAME
-.Nm CMS_decrypt
-.Nd decrypt content from a CMS envelopedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_decrypt
-.Fa "CMS_ContentInfo *cms"
-.Fa "EVP_PKEY *pkey"
-.Fa "X509 *cert"
-.Fa "BIO *dcont"
-.Fa "BIO *out"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_decrypt
-extracts and decrypts the content from a CMS EnvelopedData structure.
-.Fa pkey
-is the private key of the recipient,
-.Fa cert
-is the recipient's certificate,
-.Fa out
-is a
-.Vt BIO
-to write the content to and
-.Fa flags
-is an optional set of flags.
-.Pp
-The
-.Fa dcont
-parameter is used in the rare case where the encrypted content is
-detached.
-It will normally be set to
-.Dv NULL .
-.Sh NOTES
-.Xr OpenSSL_add_all_algorithms 3
-(or equivalent) should be called before using this function or errors
-about unknown algorithms will occur.
-.Pp
-Although the recipients certificate is not needed to decrypt the data it
-is needed to locate the appropriate (of possible several) recipients in
-the CMS structure.
-.Pp
-If
-.Fa cert
-is set to
-.Dv NULL ,
-all possible recipients are tried.
-This case however is problematic.
-To thwart the MMA attack (Bleichenbacher's attack on PKCS #1 v1.5 RSA
-padding) all recipients are tried whether they succeed or not.
-If no recipient succeeds then a random symmetric key is used to decrypt
-the content: this will typically output garbage and may (but is not
-guaranteed to) ultimately return a padding error only.
-If
-.Fn CMS_decrypt
-just returned an error when all recipient encrypted keys failed to
-decrypt an attacker could use this in a timing attack.
-If the special flag
-.Dv CMS_DEBUG_DECRYPT
-is set then the above behaviour is modified and an error
-.Em is
-returned if no recipient encrypted key can be decrypted
-.Em without
-generating a random content encryption key.
-Applications should use this flag with
-.Sy extreme caution
-especially in automated gateways as it can leave them open to attack.
-.Pp
-It is possible to determine the correct recipient key by other means
-(for example looking them up in a database) and setting them in the CMS
-structure in advance using the CMS utility functions such as
-.Xr CMS_set1_pkey 3 .
-In this case both
-.Fa cert
-and
-.Fa pkey
-should be set to
-.Dv NULL .
-.Pp
-To process KEKRecipientInfo types
-.Xr CMS_set1_key 3
-or
-.Xr CMS_RecipientInfo_set0_key 3
-and
-.Xr CMS_ReceipientInfo_decrypt 3
-should be called before
-.Fn CMS_decrypt
-and
-.Fa cert
-and
-.Fa pkey
-set to
-.Dv NULL .
-.Pp
-The following flags can be passed in the
-.Fa flags
-parameter:
-.Pp
-If the
-.Dv CMS_TEXT
-flag is set MIME headers for type
-.Sy text/plain
-are deleted from the content.
-If the content is not of type
-.Sy text/plain
-then an error is returned.
-.Sh RETURN VALUES
-.Fn CMS_decrypt
-returns either 1 for success or 0 for failure.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh BUGS
-The lack of single pass processing and the need to hold all data in
-memory as mentioned in
-.Xr CMS_verify 3
-also applies to
-.Fn CMS_decrypt .
-.Sh SEE ALSO
-.Xr CMS_encrypt 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_decrypt
-was added to OpenSSL 0.9.8.
diff --git a/lib/libcrypto/man/CMS_encrypt.3 b/lib/libcrypto/man/CMS_encrypt.3
deleted file mode 100644
index 5d7b0bf4704..00000000000
--- a/lib/libcrypto/man/CMS_encrypt.3
+++ /dev/null
@@ -1,152 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_ENCRYPT 3
-.Os
-.Sh NAME
-.Nm CMS_encrypt
-.Nd create a CMS envelopedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ContentInfo *
-.Fo CMS_encrypt
-.Fa "STACK_OF(X509) *certs"
-.Fa "BIO *in"
-.Fa "const EVP_CIPHER *cipher"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_encrypt
-creates and returns a CMS EnvelopedData structure.
-.Fa certs
-is a list of recipient certificates.
-.Fa in
-is the content to be encrypted.
-.Fa cipher
-is the symmetric cipher to use.
-.Fa flags
-is an optional set of flags.
-.Sh NOTES
-Only certificates carrying RSA keys are supported so the recipient
-certificates supplied to this function must all contain RSA public keys,
-though they do not have to be signed using the RSA algorithm.
-.Pp
-The algorithm passed in the
-.Fa cipher
-parameter must support ASN1 encoding of its parameters.
-.Pp
-Many browsers implement a "sign and encrypt" option which is simply an
-S/MIME envelopedData containing an S/MIME signed message.
-This can be readily produced by storing the S/MIME signed message in a
-memory BIO and passing it to
-.Fn CMS_encrypt .
-.Pp
-The following flags can be passed in the
-.Fa flags
-parameter:
-.Pp
-If the
-.Dv CMS_TEXT
-flag is set, MIME headers for type
-.Sy text/plain
-are prepended to the data.
-.Pp
-Normally the supplied content is translated into MIME canonical format
-(as required by the S/MIME specifications); if
-.Dv CMS_BINARY
-is set, no translation occurs.
-This option should be used if the supplied data is in binary format;
-otherwise the translation will corrupt it.
-If
-.Dv CMS_BINARY
-is set then
-.Dv CMS_TEXT
-is ignored.
-.Pp
-OpenSSL will by default identify recipient certificates using issuer
-name and serial number.
-If
-.Dv CMS_USE_KEYID
-is set, it will use the subject key identifier value instead.
-An error occurs if all recipient certificates do not have a subject key
-identifier extension.
-.Pp
-If the
-.Dv CMS_STREAM
-flag is set, a partial
-.Vt CMS_ContentInfo
-structure is returned suitable for streaming I/O: no data is read from the
-.Vt BIO
-.Fa in .
-.Pp
-If the
-.Dv CMS_PARTIAL
-flag is set, a partial
-.Vt CMS_ContentInfo
-structure is returned to which additional recipients and attributes can
-be added before finalization.
-.Pp
-The data being encrypted is included in the
-.Vt CMS_ContentInfo
-structure, unless
-.Dv CMS_DETACHED
-is set, in which case it is omitted.
-This is rarely used in practice and is not supported by
-.Xr SMIME_write_CMS 3 .
-.Pp
-If the flag
-.Dv CMS_STREAM
-is set, the returned
-.Vt CMS_ContentInfo
-structure is
-.Em not
-complete and outputting its contents via a function that does not
-properly finalize the
-.Vt CMS_ContentInfo
-structure will give unpredictable results.
-.Pp
-Several functions including
-.Xr SMIME_write_CMS 3 ,
-.Xr i2d_CMS_bio_stream 3 ,
-.Xr PEM_write_bio_CMS_stream 3
-finalize the structure.
-Alternatively finalization can be performed by obtaining the streaming
-ASN1
-.Vt BIO
-directly using
-.Xr BIO_new_CMS 3 .
-.Pp
-The recipients specified in
-.Fa certs
-use a CMS KeyTransRecipientInfo info structure.
-KEKRecipientInfo is also supported using the flag
-.Dv CMS_PARTIAL
-and
-.Xr CMS_add0_recipient_key 3 .
-.Pp
-The parameter
-.Fa certs
-may be
-.Dv NULL
-if
-.Dv CMS_PARTIAL
-is set and recipients are added later using
-.Xr CMS_add1_recipient_cert 3
-or
-.Xr CMS_add0_recipient_key 3 .
-.Sh RETURN VALUES
-.Fn CMS_encrypt
-returns either a
-.Vt CMS_ContentInfo
-structure or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_decrypt 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_encrypt
-was added to OpenSSL 0.9.8.
-The
-.Dv CMS_STREAM
-flag was first supported in OpenSSL 1.0.0.
diff --git a/lib/libcrypto/man/CMS_final.3 b/lib/libcrypto/man/CMS_final.3
deleted file mode 100644
index 4e7912a4e00..00000000000
--- a/lib/libcrypto/man/CMS_final.3
+++ /dev/null
@@ -1,48 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_FINAL 3
-.Os
-.Sh NAME
-.Nm CMS_final
-.Nd finalise a CMS_ContentInfo structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_final
-.Fa "CMS_ContentInfo *cms"
-.Fa "BIO *data"
-.Fa "BIO *dcont"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_final
-finalises the structure
-.Fa cms .
-Its purpose is to perform any operations necessary on
-.Fa cms
-(digest computation for example) and set the appropriate fields.
-The parameter
-.Fa data
-contains the content to be processed.
-The
-.Fa dcont
-parameter contains a
-.Vt BIO
-to write content to after processing: this is
-only used with detached data and will usually be set to
-.Dv NULL .
-.Sh NOTES
-This function will normally be called when the
-.Dv CMS_PARTIAL
-flag is used.
-It should only be used when streaming is not performed because the
-streaming I/O functions perform finalisation operations internally.
-.Sh RETURN VALUES
-.Fn CMS_final
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr CMS_encrypt 3 ,
-.Xr CMS_sign 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_final
-was added to OpenSSL 0.9.8.
diff --git a/lib/libcrypto/man/CMS_get0_RecipientInfos.3 b/lib/libcrypto/man/CMS_get0_RecipientInfos.3
deleted file mode 100644
index 4db69b57b8a..00000000000
--- a/lib/libcrypto/man/CMS_get0_RecipientInfos.3
+++ /dev/null
@@ -1,251 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_GET0_RECIPIENTINFOS 3
-.Os
-.Sh NAME
-.Nm CMS_get0_RecipientInfos ,
-.Nm CMS_RecipientInfo_type ,
-.Nm CMS_RecipientInfo_ktri_get0_signer_id ,
-.Nm CMS_RecipientInfo_ktri_cert_cmp ,
-.Nm CMS_RecipientInfo_set0_pkey ,
-.Nm CMS_RecipientInfo_kekri_get0_id ,
-.Nm CMS_RecipientInfo_kekri_id_cmp ,
-.Nm CMS_RecipientInfo_set0_key ,
-.Nm CMS_RecipientInfo_decrypt ,
-.Nm CMS_RecipientInfo_encrypt
-.Nd CMS envelopedData RecipientInfo routines
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft STACK_OF(CMS_RecipientInfo) *
-.Fo CMS_get0_RecipientInfos
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_type
-.Fa "CMS_RecipientInfo *ri"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_ktri_get0_signer_id
-.Fa "CMS_RecipientInfo *ri"
-.Fa "ASN1_OCTET_STRING **keyid"
-.Fa "X509_NAME **issuer"
-.Fa "ASN1_INTEGER **sno"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_ktri_cert_cmp
-.Fa "CMS_RecipientInfo *ri"
-.Fa "X509 *cert"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_set0_pkey
-.Fa "CMS_RecipientInfo *ri"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_kekri_get0_id
-.Fa "CMS_RecipientInfo *ri"
-.Fa "X509_ALGOR **palg"
-.Fa "ASN1_OCTET_STRING **pid"
-.Fa "ASN1_GENERALIZEDTIME **pdate"
-.Fa "ASN1_OBJECT **potherid"
-.Fa "ASN1_TYPE **pothertype"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_kekri_id_cmp
-.Fa "CMS_RecipientInfo *ri"
-.Fa "const unsigned char *id"
-.Fa "size_t idlen"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_set0_key
-.Fa "CMS_RecipientInfo *ri"
-.Fa "unsigned char *key"
-.Fa "size_t keylen"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_decrypt
-.Fa "CMS_ContentInfo *cms"
-.Fa "CMS_RecipientInfo *ri"
-.Fc
-.Sh DESCRIPTION
-The function
-.Fn CMS_get0_RecipientInfos
-returns all the
-.Vt CMS_RecipientInfo
-structures associated with a CMS EnvelopedData structure.
-.Pp
-.Fn CMS_RecipientInfo_type
-returns the type of the
-.Vt CMS_RecipientInfo
-structure
-.Fa ri .
-It will currently return
-.Dv CMS_RECIPINFO_TRANS ,
-.Dv CMS_RECIPINFO_AGREE ,
-.Dv CMS_RECIPINFO_KEK ,
-.Dv CMS_RECIPINFO_PASS ,
-or
-.Dv CMS_RECIPINFO_OTHER .
-.Pp
-.Fn CMS_RecipientInfo_ktri_get0_signer_id
-retrieves the certificate recipient identifier associated with a
-specific
-.Vt CMS_RecipientInfo
-structure
-.Fa ri ,
-which must be of type
-.Dv CMS_RECIPINFO_TRANS .
-Either the keyidentifier will be set in
-.Fa keyid
-or
-.Em both
-issuer name and serial number in
-.Fa issuer
-and
-.Fa sno .
-.Pp
-.Fn CMS_RecipientInfo_ktri_cert_cmp
-compares the certificate
-.Fa cert
-against the
-.Vt CMS_RecipientInfo
-structure
-.Fa ri ,
-which must be of type
-.Dv CMS_RECIPINFO_TRANS .
-It returns zero if the
-comparison is successful and non zero if not.
-.Pp
-.Fn CMS_RecipientInfo_set0_pkey
-associates the private key
-.Fa pkey
-with the
-.Vt CMS_RecipientInfo
-structure
-.Fa ri ,
-which must be of type
-.Dv CMS_RECIPINFO_TRANS .
-.Pp
-.Fn CMS_RecipientInfo_kekri_get0_id
-retrieves the key information from the
-.Vt CMS_RecipientInfo
-structure
-.Fa ri
-which must be of type
-.Dv CMS_RECIPINFO_KEK .
-Any of the remaining parameters can be
-.Dv NULL
-if the application is not interested in the value of a field.
-Where a field is optional and absent,
-.Dv NULL
-will be written to the corresponding parameter.
-The
-.Sy keyEncryptionAlgorithm
-field is written to
-.Fa palg ,
-the
-.Sy keyIdentifier
-field is written to
-.Fa pid ,
-the
-.Sy date
-field if present is written to
-.Fa pdate ,
-if the
-.Sy other
-field is present the components
-.Sy keyAttrId
-and
-.Sy keyAttr
-are written to the parameters
-.Fa potherid
-and
-.Fa pothertype .
-.Pp
-.Fn CMS_RecipientInfo_kekri_id_cmp
-compares the ID in the
-.Fa id
-and
-.Fa idlen
-parameters against the
-.Sy keyIdentifier
-.Vt CMS_RecipientInfo
-structure
-.Fa ri ,
-which must be of type
-.Dv CMS_RECIPINFO_KEK .
-It returns zero if the comparison is successful and non zero if not.
-.Pp
-.Fn CMS_RecipientInfo_set0_key
-associates the symmetric key
-.Fa key
-of length
-.Fa keylen
-with the
-.Vt CMS_RecipientInfo
-structure
-.Fa ri ,
-which must be of type
-.Dv CMS_RECIPINFO_KEK .
-.Pp
-.Fn CMS_RecipientInfo_decrypt
-attempts to decrypt the
-.Vt CMS_RecipientInfo
-structure
-.Fa ri
-in structure
-.Fa cms .
-A key must have been associated with the structure first.
-.Sh NOTES
-The main purpose of these functions is to enable an application to
-lookup recipient keys using any appropriate technique when the simpler
-method of
-.Xr CMS_decrypt 3
-is not appropriate.
-.Pp
-In typical usage, an application will retrieve all
-.Vt CMS_RecipientInfo
-structures using
-.Fn CMS_get0_RecipientInfos
-and check the type of each using
-.Fn CMS_RecipientInfo_type .
-Depending on the type, the
-.Vt CMS_RecipientInfo
-structure can be ignored or its key identifier data retrieved using
-an appropriate function.
-Then if the corresponding secret or private key can be obtained by any
-appropriate means it can then associated with the structure and
-.Xr CMS_RecpientInfo_decrypt 3
-called.
-If successful,
-.Xr CMS_decrypt 3
-can be called with a
-.Dv NULL
-key to decrypt the enveloped content.
-.Sh RETURN VALUES
-.Fn CMS_get0_RecipientInfos
-returns all
-.Vt CMS_RecipientInfo
-structures, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn CMS_RecipientInfo_ktri_get0_signer_id ,
-.Fn CMS_RecipientInfo_set0_pkey ,
-.Fn CMS_RecipientInfo_kekri_get0_id ,
-.Fn CMS_RecipientInfo_set0_key ,
-and
-.Fn CMS_RecipientInfo_decrypt
-return 1 for success or 0 if an error occurs.
-.Pp
-.Fn CMS_RecipientInfo_ktri_cert_cmp
-and
-.Fn CMS_RecipientInfo_kekri_id_cmp
-return 0 for a successful comparison and non zero otherwise.
-.Pp
-Any error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_decrypt 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-These functions were first was added to OpenSSL 0.9.8.
diff --git a/lib/libcrypto/man/CMS_get0_SignerInfos.3 b/lib/libcrypto/man/CMS_get0_SignerInfos.3
deleted file mode 100644
index 99aab48193f..00000000000
--- a/lib/libcrypto/man/CMS_get0_SignerInfos.3
+++ /dev/null
@@ -1,119 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_GET0_SIGNERINFOS 3
-.Os
-.Sh NAME
-.Nm CMS_get0_SignerInfos ,
-.Nm CMS_SignerInfo_get0_signer_id ,
-.Nm CMS_SignerInfo_cert_cmp ,
-.Nm CMS_set1_signer_certs
-.Nd CMS signedData signer functions
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft STACK_OF(CMS_SignerInfo) *
-.Fo CMS_get0_SignerInfos
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Ft int
-.Fo CMS_SignerInfo_get0_signer_id
-.Fa "CMS_SignerInfo *si"
-.Fa "ASN1_OCTET_STRING **keyid"
-.Fa "X509_NAME **issuer"
-.Fa "ASN1_INTEGER **sno"
-.Fc
-.Ft int
-.Fo CMS_SignerInfo_cert_cmp
-.Fa "CMS_SignerInfo *si"
-.Fa "X509 *cert"
-.Fc
-.Ft void
-.Fo CMS_SignerInfo_set1_signer_cert
-.Fa "CMS_SignerInfo *si"
-.Fa "X509 *signer"
-.Fc
-.Sh DESCRIPTION
-The function
-.Fn CMS_get0_SignerInfos
-returns all the
-.Vt CMS_SignerInfo
-structures associated with a CMS signedData structure.
-.Pp
-.Fn CMS_SignerInfo_get0_signer_id
-retrieves the certificate signer identifier associated with a specific
-.Vt CMS_SignerInfo
-structure
-.Fa si .
-Either the keyidentifier will be set in
-.Fa keyid
-or
-.Em both
-issuer name and serial number in
-.Fa issuer
-and
-.Fa sno .
-.Pp
-.Fn CMS_SignerInfo_cert_cmp
-compares the certificate
-.Fa cert
-against the signer identifier
-.Fa si .
-It returns zero if the comparison is successful and non zero if not.
-.Pp
-.Fn CMS_SignerInfo_set1_signer_cert
-sets the signers certificate of
-.Fa si
-to
-.Fa signer .
-.Sh NOTES
-The main purpose of these functions is to enable an application to
-lookup signers certificates using any appropriate technique when the
-simpler method of
-.Xr CMS_verify 3
-is not appropriate.
-.Pp
-In typical usage and application will retrieve all
-.Vt CMS_SignerInfo
-structures using
-.Fn CMS_get0_SignerInfo
-and retrieve the identifier information using CMS.
-It will then obtain the signer certificate by some unspecified means
-(or return and error if it cannot be found) and set it using
-.Fn CMS_SignerInfo_set1_signer_cert .
-.Pp
-Once all signer certificates have been set,
-.Xr CMS_verify 3
-can be used.
-.Pp
-Although
-.Fn CMS_get0_SignerInfos
-can return
-.Dv NULL
-if an error occur
-.Em or
-if there are no signers, this is not a problem in practice because the
-only error which can occur is if the
-.Fa cms
-structure is not of type signedData due to application error.
-.Sh RETURN VALUES
-.Fn CMS_get0_SignerInfos
-returns all
-.Vt CMS_SignerInfo
-structures, or
-.Dv NULL
-if there are no signers or an error occurs.
-.Pp
-.Fn CMS_SignerInfo_get0_signer_id
-returns 1 for success and 0 for failure.
-.Pp
-.Fn CMS_SignerInfo_cert_cmp
-returns 0 for a successful comparison and non zero otherwise.
-.Pp
-.Fn CMS_SignerInfo_set1_signer_cert
-does not return a value.
-.Pp
-Any error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_verify 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-These functions were first was added to OpenSSL 0.9.8.
diff --git a/lib/libcrypto/man/CMS_get0_type.3 b/lib/libcrypto/man/CMS_get0_type.3
deleted file mode 100644
index e77dd655e6a..00000000000
--- a/lib/libcrypto/man/CMS_get0_type.3
+++ /dev/null
@@ -1,95 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_GET0_TYPE 3
-.Os
-.Sh NAME
-.Nm CMS_get0_type ,
-.Nm CMS_set1_eContentType ,
-.Nm CMS_get0_eContentType
-.Nd get and set CMS content types
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft const ASN1_OBJECT *
-.Fo CMS_get0_type
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Ft int
-.Fo CMS_set1_eContentType
-.Fa "CMS_ContentInfo *cms"
-.Fa "const ASN1_OBJECT *oid"
-.Fc
-.Ft const ASN1_OBJECT *
-.Fo CMS_get0_eContentType
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_get0_type
-returns the content type of a
-.Vt CMS_ContentInfo
-structure as an
-.Vt ASN1_OBJECT
-pointer.
-An application can then decide how to process the
-.Vt CMS_ContentInfo
-structure based on this value.
-.Pp
-.Fn CMS_set1_eContentType
-sets the embedded content type of a
-.Vt CMS_ContentInfo
-structure.
-It should be called with CMS functions with the
-.Dv CMS_PARTIAL
-flag and
-.Em before
-the structure is finalised, otherwise the results are undefined.
-.Pp
-.Fn CMS_get0_eContentType
-returns a pointer to the embedded content type.
-.Sh NOTES
-As the
-.Sq 0
-implies,
-.Fn CMS_get0_type
-and
-.Fn CMS_get0_eContentType
-return internal pointers which should
-.Em not
-be freed up.
-.Fn CMS_set1_eContentType
-copies the supplied OID and it
-.Em should
-be freed up after use.
-.Pp
-The
-.Vt ASN1_OBJECT
-values returned can be converted to an integer NID value using
-.Xr OBJ_obj2nid 3 .
-For the currently supported content types the following values are
-returned:
-.Bd -unfilled -offset indent
-.Dv NID_pkcs7_data
-.Dv NID_pkcs7_signed
-.Dv NID_pkcs7_digest
-.Dv NID_id_smime_ct_compressedData
-.Dv NID_pkcs7_encrypted
-.Dv NID_pkcs7_enveloped
-.Ed
-.Sh RETURN VALUES
-.Fn CMS_get0_type
-and
-.Fn CMS_get0_eContentType
-return an
-.Vt ASN1_OBJECT
-structure.
-.Pp
-.Fn CMS_set1_eContentType
-returns 1 for success or 0 if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_get0_type ,
-.Fn CMS_set1_eContentType ,
-and
-.Fn CMS_get0_eContentType
-were all first added to OpenSSL 0.9.8.
diff --git a/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 b/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
deleted file mode 100644
index ab19f87fab1..00000000000
--- a/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
+++ /dev/null
@@ -1,143 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_GET1_RECEIPTREQUEST 3
-.Os
-.Sh NAME
-.Nm CMS_ReceiptRequest_create0 ,
-.Nm CMS_add1_ReceiptRequest ,
-.Nm CMS_get1_ReceiptRequest ,
-.Nm CMS_ReceiptRequest_get0_values
-.Nd CMS signed receipt request functions
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ReceiptRequest *
-.Fo CMS_ReceiptRequest_create0
-.Fa "unsigned char *id"
-.Fa "int idlen"
-.Fa "int allorfirst"
-.Fa "STACK_OF(GENERAL_NAMES) *receiptList"
-.Fa "STACK_OF(GENERAL_NAMES) *receiptsTo"
-.Fc
-.Ft int
-.Fo CMS_add1_ReceiptRequest
-.Fa "CMS_SignerInfo *si"
-.Fa "CMS_ReceiptRequest *rr"
-.Fc
-.Ft int
-.Fo CMS_get1_ReceiptRequest
-.Fa "CMS_SignerInfo *si"
-.Fa "CMS_ReceiptRequest **prr"
-.Fc
-.Ft void
-.Fo CMS_ReceiptRequest_get0_values
-.Fa "CMS_ReceiptRequest *rr"
-.Fa "ASN1_STRING **pcid"
-.Fa "int *pallorfirst"
-.Fa "STACK_OF(GENERAL_NAMES) **plist"
-.Fa "STACK_OF(GENERAL_NAMES) **prto"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_ReceiptRequest_create0
-creates a signed receipt request structure.
-The
-.Sy signedContentIdentifier
-field is set using
-.Fa id
-and
-.Fa idlen ,
-or it is set to 32 bytes of pseudo random data if
-.Fa id
-is
-.Dv NULL .
-If
-.Fa receiptList
-is
-.Dv NULL ,
-the
-.Sy allOrFirstTier
-option in
-.Sy receiptsFrom
-is used and set to the value of the
-.Fa allorfirst
-parameter.
-If
-.Fa receiptList
-is not
-.Dv NULL ,
-the
-.Sy receiptList
-option in
-.Sy receiptsFrom
-is used.
-The
-.Fa receiptsTo
-parameter specifies the
-.Sy receiptsTo
-field value.
-.Pp
-The
-.Fn CMS_add1_ReceiptRequest
-function adds a signed receipt request
-.Fa rr
-to the
-.Vt CMS_SignerInfo
-structure
-.Fa si .
-.Pp
-.Fn CMS_get1_ReceiptRequest
-looks for a signed receipt request in
-.Fa si .
-If any is found, it is decoded and written to
-.Fa prr .
-.Pp
-.Fn CMS_ReceiptRequest_get0_values
-retrieves the values of a receipt request.
-The signedContentIdentifier is copied to
-.Fa pcid .
-If the
-.Sy allOrFirstTier
-option of
-.Sy receiptsFrom
-is used, its value is copied to
-.Fa pallorfirst ;
-otherwise the
-.Sy receiptList
-field is copied to
-.Fa plist .
-The
-.Sy receiptsTo
-parameter is copied to
-.Fa prto .
-.Sh NOTES
-For more details of the meaning of the fields see RFC2634.
-.Pp
-The contents of a signed receipt should only be considered meaningful if
-the corresponding
-.Vt CMS_ContentInfo
-structure can be successfully verified using
-.Xr CMS_verify 3 .
-.Sh RETURN VALUES
-.Fn CMS_ReceiptRequest_create0
-returns a signed receipt request structure or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn CMS_add1_ReceiptRequest
-returns 1 for success or 0 is an error occurred.
-.Pp
-.Fn CMS_get1_ReceiptRequest
-returns 1 is a signed receipt request is found and decoded.
-It returns 0 if a signed receipt request is not present and -1 if it is
-present but malformed.
-.Sh SEE ALSO
-.Xr CMS_sign 3 ,
-.Xr CMS_sign_receipt 3 ,
-.Xr CMS_verify 3 ,
-.Xr CMS_verify_receipt 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_ReceiptRequest_create0 ,
-.Fn CMS_add1_ReceiptRequest ,
-.Fn CMS_get1_ReceiptRequest ,
-and
-.Fn CMS_ReceiptRequest_get0_values
-were added to OpenSSL 0.9.8.
diff --git a/lib/libcrypto/man/CMS_sign.3 b/lib/libcrypto/man/CMS_sign.3
deleted file mode 100644
index af75a20d6bb..00000000000
--- a/lib/libcrypto/man/CMS_sign.3
+++ /dev/null
@@ -1,199 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_SIGN 3
-.Os
-.Sh NAME
-.Nm CMS_sign
-.Nd create a CMS SignedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ContentInfo *
-.Fo CMS_sign
-.Fa "X509 *signcert"
-.Fa "EVP_PKEY *pkey"
-.Fa "STACK_OF(X509) *certs"
-.Fa "BIO *data"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_sign
-creates and returns a CMS SignedData structure.
-.Fa signcert
-is the certificate to sign with,
-.Fa pkey
-is the corresponding private key.
-.Fa certs
-is an optional additional set of certificates to include in the CMS
-structure (for example any intermediate CAs in the chain).
-Any or all of these parameters can be
-.Dv NULL ,
-see
-.Sx NOTES
-below.
-.Pp
-The data to be signed is read from
-.Fa data .
-.Pp
-.Fa flags
-is an optional set of flags.
-.Sh NOTES
-Any of the following flags (OR'ed together) can be passed in the
-.Fa flags
-parameter.
-.Pp
-Many S/MIME clients expect the signed content to include valid MIME
-headers.
-If the
-.Dv CMS_TEXT
-flag is set, MIME headers for type
-.Sy text/plain
-are prepended to the data.
-.Pp
-If
-.Dv CMS_NOCERTS
-is set, the signer's certificate will not be included in the
-.Vt CMS_ContentInfo
-structure, the signer's certificate must still be supplied in the
-.Fa signcert
-parameter though.
-This can reduce the size of the signature if the signers certificate can
-be obtained by other means: for example a previously signed message.
-.Pp
-The data being signed is included in the
-.Vt CMS_ContentInfo
-structure, unless
-.Dv CMS_DETACHED
-is set, in which case it is omitted.
-This is used for
-.Vt CMS_ContentInfo
-detached signatures which are used in S/MIME plaintext signed
-messages for example.
-.Pp
-Normally the supplied content is translated into MIME canonical format
-(as required by the S/MIME specifications); if
-.Dv CMS_BINARY
-is set, no translation occurs.
-This option should be used if the supplied data is in binary format;
-otherwise the translation will corrupt it.
-.Pp
-The SignedData structure includes several CMS signedAttributes including
-the signing time, the CMS content type and the supported list of ciphers
-in an SMIMECapabilities attribute.
-If
-.Dv CMS_NOATTR
-is set, then no signedAttributes will be used.
-If
-.Dv CMS_NOSMIMECAP
-is set, then just the SMIMECapabilities are omitted.
-.Pp
-If present, the SMIMECapabilities attribute indicates support for the
-following algorithms in preference order: 256 bit AES, Gost R3411-94,
-Gost 28147-89, 192 bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit
-RC2, DES and 40 bit RC2.
-If any of these algorithms is not available, then it will not be
-included: for example the GOST algorithms will not be included if
-the GOST ENGINE is not loaded.
-.Pp
-OpenSSL will by default identify signing certificates using issuer name
-and serial number.
-If
-.Dv CMS_USE_KEYID
-is set, it will use the subject key identifier value instead.
-An error occurs if the signing certificate does not have a subject key
-identifier extension.
-.Pp
-If the flag
-.Dv CMS_STREAM
-is set, then the returned
-.Vt CMS_ContentInfo
-structure is just initialized ready to perform the signing operation.
-The signing is however
-.Em not
-performed and the data to be signed is not read from the
-.Fa data
-parameter.
-Signing is deferred until after the data has been written.
-In this way, data can be signed in a single pass.
-.Pp
-If the
-.Dv CMS_PARTIAL
-flag is set, a partial
-.Vt CMS_ContentInfo
-structure is output to which additional signers and capabilities can be
-added before finalization.
-.Pp
-If the flag
-.Dv CMS_STREAM
-is set, the returned
-.Vt CMS_ContentInfo
-structure is
-.Em not
-complete and outputting its contents via a function that does not
-properly finalize the
-.Vt CMS_ContentInfo
-structure will give unpredictable results.
-.Pp
-Several functions including
-.Xr SMIME_write_CMS 3 ,
-.Xr i2d_CMS_bio_stream 3 ,
-.Xr PEM_write_bio_CMS_stream 3
-finalize the structure.
-Alternatively finalization can be performed by obtaining the streaming
-ASN1
-.Vt BIO
-directly using
-.Xr BIO_new_CMS 3 .
-.Pp
-If a signer is specified, it will use the default digest for the signing
-algorithm.
-This is SHA1 for both RSA and DSA keys.
-.Pp
-If
-.Fa signcert
-and
-.Fa pkey
-are
-.Dv NULL ,
-then a certificates only CMS structure is output.
-.Pp
-The function
-.Fn CMS_sign
-is a basic CMS signing function whose output will be suitable for many
-purposes.
-For finer control of the output format the
-.Fa certs ,
-.Fa signcert
-and
-.Fa pkey
-parameters can all be
-.Dv NULL
-and the
-.Dv CMS_PARTIAL
-flag set.
-Then one or more signers can be added using the function
-.Xr CMS_sign_add1_signer 3 ,
-non default digests can be used and custom attributes added.
-.Xr CMS_final 3
-must then be called to finalize the structure if streaming is not
-enabled.
-.Sh RETURN VALUES
-.Fn CMS_sign
-returns either a valid
-.Vt CMS_ContentInfo
-structure or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_verify 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_sign
-was added to OpenSSL 0.9.8.
-.Pp
-The
-.Dv CMS_STREAM
-flag is only supported for detached data in OpenSSL 0.9.8.
-It is supported for embedded data in OpenSSL 1.0.0 and later.
-.Sh BUGS
-Some attributes such as counter signatures are not supported.
diff --git a/lib/libcrypto/man/CMS_sign_receipt.3 b/lib/libcrypto/man/CMS_sign_receipt.3
deleted file mode 100644
index de7a8c0e10e..00000000000
--- a/lib/libcrypto/man/CMS_sign_receipt.3
+++ /dev/null
@@ -1,61 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_SIGN_RECEIPT 3
-.Os
-.Sh NAME
-.Nm CMS_sign_receipt
-.Nd create a CMS signed receipt
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ContentInfo *
-.Fo CMS_sign_receipt
-.Fa "CMS_SignerInfo *si"
-.Fa "X509 *signcert"
-.Fa "EVP_PKEY *pkey"
-.Fa "STACK_OF(X509) *certs"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_sign_receipt
-creates and returns a CMS signed receipt structure.
-.Fa si
-is the
-.Vt CMS_SignerInfo
-structure containing the signed receipt request.
-.Fa signcert
-is the certificate to sign with,
-.Fa pkey
-is the corresponding private key.
-.Fa certs
-is an optional additional set of certificates to include in the CMS
-structure (for example any intermediate CAs in the chain).
-.Pp
-.Fa flags
-is an optional set of flags.
-.Sh NOTES
-This functions behaves in a similar way to
-.Xr CMS_sign 3
-except the flag values
-.Dv CMS_DETACHED ,
-.Dv CMS_BINARY ,
-.Dv CMS_NOATTR ,
-.Dv CMS_TEXT ,
-and
-.Dv CMS_STREAM
-are not supported, since they do not make sense in the context of
-signed receipts.
-.Sh RETURN VALUES
-.Fn CMS_sign_receipt
-returns either a valid
-.Vt CMS_ContentInfo
-structure or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_sign 3 ,
-.Xr CMS_verify_receipt 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_sign_receipt
-was added to OpenSSL 0.9.8.
diff --git a/lib/libcrypto/man/CMS_uncompress.3 b/lib/libcrypto/man/CMS_uncompress.3
deleted file mode 100644
index c651f24de2f..00000000000
--- a/lib/libcrypto/man/CMS_uncompress.3
+++ /dev/null
@@ -1,70 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_UNCOMPRESS 3
-.Os
-.Sh NAME
-.Nm CMS_uncompress
-.Nd uncompress a CMS CompressedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_uncompress
-.Fa "CMS_ContentInfo *cms"
-.Fa "BIO *dcont"
-.Fa "BIO *out"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_uncompress
-extracts and uncompresses the content from a CMS CompressedData
-structure
-.Fa cms .
-.Fa data
-is a
-.Vt BIO
-to write the content to and
-.Fa flags
-is an optional set of flags.
-.Pp
-The
-.Fa dcont
-parameter is used in the rare case where the compressed content is
-detached.
-It will normally be set to
-.Dv NULL .
-.Sh NOTES
-The only currently supported compression algorithm is zlib: if the
-structure indicates the use of any other algorithm, an error is returned.
-.Pp
-If zlib support is not compiled into OpenSSL, then
-.Fn CMS_uncompress
-will always return an error.
-.Pp
-The following flags can be passed in the
-.Fa flags
-parameter:
-.Pp
-If the
-.Dv CMS_TEXT
-flag is set, MIME headers for type
-.Sy text/plain
-are deleted from the content.
-If the content is not of type
-.Sy text/plain ,
-then an error is returned.
-.Sh RETURN VALUES
-.Fn CMS_uncompress
-returns either 1 for success or 0 for failure.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_compress 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_uncompress
-was added to OpenSSL 0.9.8.
-.Sh BUGS
-The lack of single pass processing and the need to hold all data in
-memory as mentioned in
-.Xr CMS_verify 3
-also applies to
-.Xr CMS_decompress 3 .
diff --git a/lib/libcrypto/man/CMS_verify.3 b/lib/libcrypto/man/CMS_verify.3
deleted file mode 100644
index 0ab1baf6b35..00000000000
--- a/lib/libcrypto/man/CMS_verify.3
+++ /dev/null
@@ -1,188 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_VERIFY 3
-.Os
-.Sh NAME
-.Nm CMS_verify ,
-.Nm CMS_get0_signers
-.Nd verify a CMS SignedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_verify
-.Fa "CMS_ContentInfo *cms"
-.Fa "STACK_OF(X509) *certs"
-.Fa "X509_STORE *store"
-.Fa "BIO *indata"
-.Fa "BIO *out"
-.Fa "unsigned int flags"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo CMS_get0_signers
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_verify
-verifies a CMS SignedData structure.
-.Fa cms
-is the
-.Vt CMS_ContentInfo
-structure to verify.
-.Fa certs
-is a set of certificates in which to search for the signing
-certificate(s).
-.Fa store
-is a trusted certificate store used for chain verification.
-.Fa indata
-is the detached content if the content is not present in
-.Fa cms .
-The content is written to
-.Fa out
-if it is not
-.Dv NULL .
-.Pp
-.Fa flags
-is an optional set of flags, which can be used to modify the verify
-operation.
-.Pp
-.Fn CMS_get0_signers
-retrieves the signing certificate(s) from
-.Fa cms ,
-it must be called after a successful
-.Fn CMS_verify
-operation.
-.Sh VERIFY PROCESS
-Normally the verify process proceeds as follows.
-.Pp
-Initially some sanity checks are performed on
-.Fa cms .
-The type of
-.Fa cms
-must be SignedData.
-There must be at least one signature on the data and if the content is
-detached
-.Fa indata
-cannot be
-.Dv NULL .
-.Pp
-An attempt is made to locate all the signing certificate(s), first
-looking in the
-.Fa certs
-parameter (if it is not
-.Dv NULL )
-and then looking in any certificates contained in the
-.Fa cms
-structure itself.
-If no signing certificate can be located, the operation fails.
-.Pp
-Each signing certificate is chain verified using the
-.Sy smimesign
-purpose and the supplied trusted certificate store.
-Any internal certificates in the message are used as untrusted CAs.
-If CRL checking is enabled in
-.Fa store ,
-any internal CRLs are used in addition to attempting to look them up in
-.Fa store .
-If any chain verify fails, an error code is returned.
-.Pp
-Finally the signed content is read (and written to
-.Fa out
-is it is not
-.Dv NULL )
-and the signature is checked.
-.Pp
-If all signatures verify correctly, then the function is successful.
-.Pp
-Any of the following flags (OR'ed together) can be passed in the
-.Fa flags
-parameter to change the default verify behaviour.
-.Pp
-If
-.Dv CMS_NOINTERN
-is set, the certificates in the message itself are not searched when
-locating the signing certificate(s).
-This means that all the signing certificates must be in the
-.Fa certs
-parameter.
-.Pp
-If
-.Dv CMS_NOCRL
-is set, and CRL checking is enabled in
-.Fa store ,
-then any CRLs in the message itself are ignored.
-.Pp
-If the
-.Dv CMS_TEXT
-flag is set, MIME headers for type
-.Sy text/plain
-are deleted from the content.
-If the content is not of type
-.Sy text/plain ,
-then an error is returned.
-.Pp
-If
-.Dv CMS_NO_SIGNER_CERT_VERIFY
-is set, the signing certificates are not verified.
-.Pp
-If
-.Dv CMS_NO_ATTR_VERIFY
-is set, the signed attributes signature is not verified.
-.Pp
-If
-.Dv CMS_NO_CONTENT_VERIFY
-is set, then the content digest is not checked.
-.Sh NOTES
-One application of
-.Dv CMS_NOINTERN
-is to only accept messages signed by a small number of certificates.
-The acceptable certificates would be passed in the
-.Fa certs
-parameter.
-In this case, if the signer is not one of the certificates supplied in
-.Fa certs ,
-then the verify will fail because the signer cannot be found.
-.Pp
-In some cases the standard techniques for looking up and validating
-certificates are not appropriate: for example an application may wish to
-lookup certificates in a database or perform customised verification.
-This can be achieved by setting and verifying the signers certificates
-manually using the signed data utility functions.
-.Pp
-Care should be taken when modifying the default verify behaviour, for
-example setting
-.Dv CMS_NO_CONTENT_VERIFY
-will totally disable all content verification and any modified content
-will be considered valid.
-This combination is however useful if one merely wishes to write the
-content to
-.Fa out
-and its validity is not considered important.
-.Pp
-Chain verification should arguably be performed using the signing time
-rather than the current time.
-However since the signing time is supplied by the signer it cannot be
-trusted without additional evidence (such as a trusted timestamp).
-.Sh RETURN VALUES
-.Fn CMS_verify
-returns 1 for a successful verification and zero if an error occurred.
-.Pp
-.Fn CMS_get0_signers
-returns all signers or
-.Dv NULL
-if an error occurred.
-.Pp
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_sign 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_verify
-was added to OpenSSL 0.9.8.
-.Sh BUGS
-The trusted certificate store is not searched for the signing
-certificate, this is primarily due to the inadequacies of the current
-.Vt X509_STORE
-functionality.
-.Pp
-The lack of single pass processing means that the signed content must
-all be held in memory if it is not detached.
diff --git a/lib/libcrypto/man/CMS_verify_receipt.3 b/lib/libcrypto/man/CMS_verify_receipt.3
deleted file mode 100644
index 0977f267bc2..00000000000
--- a/lib/libcrypto/man/CMS_verify_receipt.3
+++ /dev/null
@@ -1,55 +0,0 @@
-.Dd $Mdocdate: November 11 2015 $
-.Dt CMS_VERIFY_RECEIPT 3
-.Os
-.Sh NAME
-.Nm CMS_verify_receipt
-.Nd verify a CMS signed receipt
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_verify_receipt
-.Fa "CMS_ContentInfo *rcms"
-.Fa "CMS_ContentInfo *ocms"
-.Fa "STACK_OF(X509) *certs"
-.Fa "X509_STORE *store"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_verify_receipt
-verifies a CMS signed receipt.
-.Fa rcms
-is the signed receipt to verify.
-.Fa ocms
-is the original SignedData structure containing the receipt request.
-.Fa certs
-is a set of certificates in which to search for the signing certificate.
-.Fa store
-is a trusted certificate store (used for chain verification).
-.Pp
-.Fa flags
-is an optional set of flags, which can be used to modify the verify
-operation.
-.Sh NOTES
-This functions behaves in a similar way to
-.Xr CMS_verify 3
-except the flag values
-.Dv CMS_DETACHED ,
-.Dv CMS_BINARY ,
-.Dv CMS_TEXT ,
-and
-.Dv CMS_STREAM
-are not supported since they do not make sense in the context of signed
-receipts.
-.Sh RETURN VALUES
-.Fn CMS_verify_receipt
-returns 1 for a successful verification and zero if an error occurred.
-.Pp
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_sign_receipt 3 ,
-.Xr CMS_verify 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_verify_receipt
-was added to OpenSSL 0.9.8.
diff --git a/lib/libcrypto/man/Makefile b/lib/libcrypto/man/Makefile
index e74a6d56bfc..1dfcf8700d4 100644
--- a/lib/libcrypto/man/Makefile
+++ b/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.33 2016/09/03 12:42:47 beck Exp $
+# $OpenBSD: Makefile,v 1.34 2016/09/05 10:43:42 schwarze Exp $
 
 .include <bsd.own.mk>		# for NOMAN
 
@@ -21,7 +21,6 @@ MAN=	\
 	BIO_f_null.3 \
 	BIO_find_type.3 \
 	BIO_new.3 \
-	BIO_new_CMS.3 \
 	BIO_push.3 \
 	BIO_read.3 \
 	BIO_s_accept.3 \
@@ -201,27 +200,6 @@ GENMAN= \
 
 MAN+=	${GENMAN}
 
-#MAN+=	CMS_add0_cert.3 \
-#	CMS_add1_recipient_cert.3 \
-#	CMS_add1_signer.3 \
-#	CMS_compress.3 \
-#	CMS_decrypt.3 \
-#	CMS_encrypt.3 \
-#	CMS_final.3 \
-#	CMS_get0_RecipientInfos.3 \
-#	CMS_get0_SignerInfos.3 \
-#	CMS_get0_type.3 \
-#	CMS_get1_ReceiptRequest.3 \
-#	CMS_sign.3 \
-#	CMS_sign_receipt.3 \
-#	CMS_uncompress.3 \
-#	CMS_verify.3 \
-#	CMS_verify_receipt.3 \
-#	PEM_write_bio_CMS_stream.3 \
-#	SMIME_read_CMS.3 \
-#	SMIME_write_CMS.3 \
-#	i2d_CMS_bio_stream.3 \
-
 .include <bsd.man.mk>
 .else
 maninstall: