1 files changed, 84 insertions, 43 deletions
diff --git a/src/lib/libcrypto/doc/RSA_set_method.pod b/src/lib/libcrypto/doc/RSA_set_method.pod
index 14917dd35f..0687c2242a 100644
--- a/src/lib/libcrypto/doc/RSA_set_method.pod
+++ b/src/lib/libcrypto/doc/RSA_set_method.pod
@@ -11,52 +11,64 @@ RSA_null_method, RSA_flags, RSA_new_method - select RSA method
 #include <openssl/rsa.h>
 #include <openssl/engine.h>
- void RSA_set_default_openssl_method(RSA_METHOD *meth);
+ void RSA_set_default_method(const RSA_METHOD *meth);
- RSA_METHOD *RSA_get_default_openssl_method(void);
+ RSA_METHOD *RSA_get_default_method(void);
- int RSA_set_method(RSA *rsa, ENGINE *engine);
+ int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
- RSA_METHOD *RSA_get_method(RSA *rsa);
+ RSA_METHOD *RSA_get_method(const RSA *rsa);
 RSA_METHOD *RSA_PKCS1_SSLeay(void);
 RSA_METHOD *RSA_null_method(void);
- int RSA_flags(RSA *rsa);
+ int RSA_flags(const RSA *rsa);
 RSA *RSA_new_method(ENGINE *engine);
 =head1 DESCRIPTION
 An B<RSA_METHOD> specifies the functions that OpenSSL uses for RSA
-operations. By modifying the method, alternative implementations
+operations. By modifying the method, alternative implementations such as
-such as hardware accelerators may be used.
+hardware accelerators may be used. IMPORTANT: See the NOTES section for
+important information about how these RSA API functions are affected by the
-Initially, the default is to use the OpenSSL internal implementation.
+use of B<ENGINE> API calls.
-RSA_PKCS1_SSLeay() returns a pointer to that method.
+Initially, the default RSA_METHOD is the OpenSSL internal implementation,
-RSA_set_default_openssl_method() makes B<meth> the default method for all B<RSA>
+as returned by RSA_PKCS1_SSLeay().
-structures created later. B<NB:> This is true only whilst the default engine
-for RSA operations remains as "openssl". ENGINEs provide an
+RSA_set_default_method() makes B<meth> the default method for all RSA
-encapsulation for implementations of one or more algorithms at a time, and all
+structures created later. B<NB>: This is true only whilst no ENGINE has
-the RSA functions mentioned here operate within the scope of the default
+been set as a default for RSA, so this function is no longer recommended.
-"openssl" engine.
+RSA_get_default_method() returns a pointer to the current default
-RSA_get_default_openssl_method() returns a pointer to the current default
+RSA_METHOD. However, the meaningfulness of this result is dependant on
-method for the "openssl" engine.
+whether the ENGINE API is being used, so this function is no longer 
+recommended.
-RSA_set_method() selects B<engine> for all operations using the key
-B<rsa>.
+RSA_set_method() selects B<meth> to perform all operations using the key
+B<rsa>. This will replace the RSA_METHOD used by the RSA key and if the
-RSA_get_method() returns a pointer to the RSA_METHOD from the currently
+previous method was supplied by an ENGINE, the handle to that ENGINE will
-selected ENGINE for B<rsa>.
+be released during the change. It is possible to have RSA keys that only
+work with certain RSA_METHOD implementations (eg. from an ENGINE module
-RSA_flags() returns the B<flags> that are set for B<rsa>'s current method.
+that supports embedded hardware-protected keys), and in such cases
+attempting to change the RSA_METHOD for the key can have unexpected
+results.
+RSA_get_method() returns a pointer to the RSA_METHOD being used by B<rsa>.
+This method may or may not be supplied by an ENGINE implementation, but if
+it is, the return value can only be guaranteed to be valid as long as the
+RSA key itself is valid and does not have its implementation changed by
+RSA_set_method().
+RSA_flags() returns the B<flags> that are set for B<rsa>'s current
+RSA_METHOD. See the BUGS section.
 RSA_new_method() allocates and initializes an RSA structure so that
-B<engine> will be used for the RSA operations. If B<engine> is NULL,
+B<engine> will be used for the RSA operations. If B<engine> is NULL, the
-the default engine for RSA operations is used.
+default ENGINE for RSA operations is used, and if no default ENGINE is set,
+the RSA_METHOD controlled by RSA_set_default_method() is used.
 =head1 THE RSA_METHOD STRUCTURE
@@ -121,22 +133,45 @@ the default engine for RSA operations is used.
 =head1 RETURN VALUES
-RSA_PKCS1_SSLeay(), RSA_PKCS1_null_method(), RSA_get_default_openssl_method()
+RSA_PKCS1_SSLeay(), RSA_PKCS1_null_method(), RSA_get_default_method()
 and RSA_get_method() return pointers to the respective RSA_METHODs.
-RSA_set_default_openssl_method() returns no value.
+RSA_set_default_method() returns no value.
-RSA_set_method() selects B<engine> as the engine that will be responsible for
+RSA_set_method() returns a pointer to the old RSA_METHOD implementation
-all operations using the structure B<rsa>. If this function completes successfully,
+that was replaced. However, this return value should probably be ignored
-then the B<rsa> structure will have its own functional reference of B<engine>, so
+because if it was supplied by an ENGINE, the pointer could be invalidated
-the caller should remember to free their own reference to B<engine> when they are
+at any time if the ENGINE is unloaded (in fact it could be unloaded as a
-finished with it. NB: An ENGINE's RSA_METHOD can be retrieved (or set) by
+result of the RSA_set_method() function releasing its handle to the
-ENGINE_get_RSA() or ENGINE_set_RSA().
+ENGINE). For this reason, the return type may be replaced with a B<void>
+declaration in a future release.
-RSA_new_method() returns NULL and sets an error code that can be
+RSA_new_method() returns NULL and sets an error code that can be obtained
-obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise
+by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise
 it returns a pointer to the newly allocated structure.
+=head1 NOTES
+As of version 0.9.7, RSA_METHOD implementations are grouped together with
+other algorithmic APIs (eg. DSA_METHOD, EVP_CIPHER, etc) into B<ENGINE>
+modules. If a default ENGINE is specified for RSA functionality using an
+ENGINE API function, that will override any RSA defaults set using the RSA
+API (ie.  RSA_set_default_method()). For this reason, the ENGINE API is the
+recommended way to control default implementations for use in RSA and other
+cryptographic algorithms.
+=head1 BUGS
+The behaviour of RSA_flags() is a mis-feature that is left as-is for now
+to avoid creating compatibility problems. RSA functionality, such as the
+encryption functions, are controlled by the B<flags> value in the RSA key
+itself, not by the B<flags> value in the RSA_METHOD attached to the RSA key
+(which is what this function returns). If the flags element of an RSA key
+is changed, the changes will be honoured by RSA functionality but will not
+be reflected in the return value of the RSA_flags() function - in effect
+RSA_flags() behaves more like an RSA_default_flags() function (which does
+not currently exist).
 =head1 SEE ALSO
 L<rsa(3)|rsa(3)>, L<RSA_new(3)|RSA_new(3)>
@@ -149,8 +184,14 @@ well as the rsa_sign and rsa_verify components of RSA_METHOD were
 added in OpenSSL 0.9.4.
 RSA_set_default_openssl_method() and RSA_get_default_openssl_method()
-replaced RSA_set_default_method() and RSA_get_default_method() respectively,
+replaced RSA_set_default_method() and RSA_get_default_method()
-and RSA_set_method() and RSA_new_method() were altered to use B<ENGINE>s
+respectively, and RSA_set_method() and RSA_new_method() were altered to use
-rather than B<RSA_METHOD>s during development of OpenSSL 0.9.6.
+B<ENGINE>s rather than B<RSA_METHOD>s during development of the engine
+version of OpenSSL 0.9.6. For 0.9.7, the handling of defaults in the ENGINE
+API was restructured so that this change was reversed, and behaviour of the
+other functions resembled more closely the previous behaviour. The
+behaviour of defaults in the ENGINE API now transparently overrides the
+behaviour of defaults in the RSA API without requiring changing these
+function prototypes.
 =cut

diff --git a/src/lib/libcrypto/doc/RSA_set_method.pod b/src/lib/libcrypto/doc/RSA_set_method.pod index 14917dd35f..0687c2242a 100644 --- a/src/lib/libcrypto/doc/RSA_set_method.pod +++ b/src/lib/libcrypto/doc/RSA_set_method.pod
@@ -11,52 +11,64 @@ RSA_null_method, RSA_flags, RSA_new_method - select RSA method
11	#include <openssl/rsa.h>	11	#include <openssl/rsa.h>
12	#include <openssl/engine.h>	12	#include <openssl/engine.h>
13		13
14	void RSA_set_default_openssl_method(RSA_METHOD *meth);	14	void RSA_set_default_method(const RSA_METHOD *meth);
15		15
16	RSA_METHOD *RSA_get_default_openssl_method(void);	16	RSA_METHOD *RSA_get_default_method(void);
17		17
18	int RSA_set_method(RSA rsa, ENGINE engine);	18	int RSA_set_method(RSA rsa, const RSA_METHOD meth);
19		19
20	RSA_METHOD RSA_get_method(RSA rsa);	20	RSA_METHOD RSA_get_method(const RSA rsa);
21		21
22	RSA_METHOD *RSA_PKCS1_SSLeay(void);	22	RSA_METHOD *RSA_PKCS1_SSLeay(void);
23		23
24	RSA_METHOD *RSA_null_method(void);	24	RSA_METHOD *RSA_null_method(void);
25		25
26	int RSA_flags(RSA *rsa);	26	int RSA_flags(const RSA *rsa);
27		27
28	RSA RSA_new_method(ENGINE engine);	28	RSA RSA_new_method(ENGINE engine);
29		29
30	=head1 DESCRIPTION	30	=head1 DESCRIPTION
31		31
32	An B<RSA_METHOD> specifies the functions that OpenSSL uses for RSA	32	An B<RSA_METHOD> specifies the functions that OpenSSL uses for RSA
33	operations. By modifying the method, alternative implementations	33	operations. By modifying the method, alternative implementations such as
34	such as hardware accelerators may be used.	34	hardware accelerators may be used. IMPORTANT: See the NOTES section for
35		35	important information about how these RSA API functions are affected by the
36	Initially, the default is to use the OpenSSL internal implementation.	36	use of B<ENGINE> API calls.
37	RSA_PKCS1_SSLeay() returns a pointer to that method.	37
38		38	Initially, the default RSA_METHOD is the OpenSSL internal implementation,
39	RSA_set_default_openssl_method() makes B<meth> the default method for all B<RSA>	39	as returned by RSA_PKCS1_SSLeay().
40	structures created later. B<NB:> This is true only whilst the default engine	40
41	for RSA operations remains as "openssl". ENGINEs provide an	41	RSA_set_default_method() makes B<meth> the default method for all RSA
42	encapsulation for implementations of one or more algorithms at a time, and all	42	structures created later. B<NB>: This is true only whilst no ENGINE has
43	the RSA functions mentioned here operate within the scope of the default	43	been set as a default for RSA, so this function is no longer recommended.
44	"openssl" engine.	44
45		45	RSA_get_default_method() returns a pointer to the current default
46	RSA_get_default_openssl_method() returns a pointer to the current default	46	RSA_METHOD. However, the meaningfulness of this result is dependant on
47	method for the "openssl" engine.	47	whether the ENGINE API is being used, so this function is no longer
48		48	recommended.
49	RSA_set_method() selects B<engine> for all operations using the key	49
50	B<rsa>.	50	RSA_set_method() selects B<meth> to perform all operations using the key
51		51	B<rsa>. This will replace the RSA_METHOD used by the RSA key and if the
52	RSA_get_method() returns a pointer to the RSA_METHOD from the currently	52	previous method was supplied by an ENGINE, the handle to that ENGINE will
53	selected ENGINE for B<rsa>.	53	be released during the change. It is possible to have RSA keys that only
54		54	work with certain RSA_METHOD implementations (eg. from an ENGINE module
55	RSA_flags() returns the B<flags> that are set for B<rsa>'s current method.	55	that supports embedded hardware-protected keys), and in such cases
		56	attempting to change the RSA_METHOD for the key can have unexpected
		57	results.
		58
		59	RSA_get_method() returns a pointer to the RSA_METHOD being used by B<rsa>.
		60	This method may or may not be supplied by an ENGINE implementation, but if
		61	it is, the return value can only be guaranteed to be valid as long as the
		62	RSA key itself is valid and does not have its implementation changed by
		63	RSA_set_method().
		64
		65	RSA_flags() returns the B<flags> that are set for B<rsa>'s current
		66	RSA_METHOD. See the BUGS section.
56		67
57	RSA_new_method() allocates and initializes an RSA structure so that	68	RSA_new_method() allocates and initializes an RSA structure so that
58	B<engine> will be used for the RSA operations. If B<engine> is NULL,	69	B<engine> will be used for the RSA operations. If B<engine> is NULL, the
59	the default engine for RSA operations is used.	70	default ENGINE for RSA operations is used, and if no default ENGINE is set,
		71	the RSA_METHOD controlled by RSA_set_default_method() is used.
60		72
61	=head1 THE RSA_METHOD STRUCTURE	73	=head1 THE RSA_METHOD STRUCTURE
62		74
@@ -121,22 +133,45 @@ the default engine for RSA operations is used.
121		133
122	=head1 RETURN VALUES	134	=head1 RETURN VALUES
123		135
124	RSA_PKCS1_SSLeay(), RSA_PKCS1_null_method(), RSA_get_default_openssl_method()	136	RSA_PKCS1_SSLeay(), RSA_PKCS1_null_method(), RSA_get_default_method()
125	and RSA_get_method() return pointers to the respective RSA_METHODs.	137	and RSA_get_method() return pointers to the respective RSA_METHODs.
126		138
127	RSA_set_default_openssl_method() returns no value.	139	RSA_set_default_method() returns no value.
128		140
129	RSA_set_method() selects B<engine> as the engine that will be responsible for	141	RSA_set_method() returns a pointer to the old RSA_METHOD implementation
130	all operations using the structure B<rsa>. If this function completes successfully,	142	that was replaced. However, this return value should probably be ignored
131	then the B<rsa> structure will have its own functional reference of B<engine>, so	143	because if it was supplied by an ENGINE, the pointer could be invalidated
132	the caller should remember to free their own reference to B<engine> when they are	144	at any time if the ENGINE is unloaded (in fact it could be unloaded as a
133	finished with it. NB: An ENGINE's RSA_METHOD can be retrieved (or set) by	145	result of the RSA_set_method() function releasing its handle to the
134	ENGINE_get_RSA() or ENGINE_set_RSA().	146	ENGINE). For this reason, the return type may be replaced with a B<void>
		147	declaration in a future release.
135		148
136	RSA_new_method() returns NULL and sets an error code that can be	149	RSA_new_method() returns NULL and sets an error code that can be obtained
137	obtained by L<ERR_get_error(3)\|ERR_get_error(3)> if the allocation fails. Otherwise	150	by L<ERR_get_error(3)\|ERR_get_error(3)> if the allocation fails. Otherwise
138	it returns a pointer to the newly allocated structure.	151	it returns a pointer to the newly allocated structure.
139		152
		153	=head1 NOTES
		154
		155	As of version 0.9.7, RSA_METHOD implementations are grouped together with
		156	other algorithmic APIs (eg. DSA_METHOD, EVP_CIPHER, etc) into B<ENGINE>
		157	modules. If a default ENGINE is specified for RSA functionality using an
		158	ENGINE API function, that will override any RSA defaults set using the RSA
		159	API (ie. RSA_set_default_method()). For this reason, the ENGINE API is the
		160	recommended way to control default implementations for use in RSA and other
		161	cryptographic algorithms.
		162
		163	=head1 BUGS
		164
		165	The behaviour of RSA_flags() is a mis-feature that is left as-is for now
		166	to avoid creating compatibility problems. RSA functionality, such as the
		167	encryption functions, are controlled by the B<flags> value in the RSA key
		168	itself, not by the B<flags> value in the RSA_METHOD attached to the RSA key
		169	(which is what this function returns). If the flags element of an RSA key
		170	is changed, the changes will be honoured by RSA functionality but will not
		171	be reflected in the return value of the RSA_flags() function - in effect
		172	RSA_flags() behaves more like an RSA_default_flags() function (which does
		173	not currently exist).
		174
140	=head1 SEE ALSO	175	=head1 SEE ALSO
141		176
142	L<rsa(3)\|rsa(3)>, L<RSA_new(3)\|RSA_new(3)>	177	L<rsa(3)\|rsa(3)>, L<RSA_new(3)\|RSA_new(3)>
@@ -149,8 +184,14 @@ well as the rsa_sign and rsa_verify components of RSA_METHOD were
149	added in OpenSSL 0.9.4.	184	added in OpenSSL 0.9.4.
150		185
151	RSA_set_default_openssl_method() and RSA_get_default_openssl_method()	186	RSA_set_default_openssl_method() and RSA_get_default_openssl_method()
152	replaced RSA_set_default_method() and RSA_get_default_method() respectively,	187	replaced RSA_set_default_method() and RSA_get_default_method()
153	and RSA_set_method() and RSA_new_method() were altered to use B<ENGINE>s	188	respectively, and RSA_set_method() and RSA_new_method() were altered to use
154	rather than B<RSA_METHOD>s during development of OpenSSL 0.9.6.	189	B<ENGINE>s rather than B<RSA_METHOD>s during development of the engine
		190	version of OpenSSL 0.9.6. For 0.9.7, the handling of defaults in the ENGINE
		191	API was restructured so that this change was reversed, and behaviour of the
		192	other functions resembled more closely the previous behaviour. The
		193	behaviour of defaults in the ENGINE API now transparently overrides the
		194	behaviour of defaults in the RSA API without requiring changing these
		195	function prototypes.
155		196
156	=cut	197	=cut