In rsa.h rev. 1.40, gilles@ provided several new RSA_METHOD accessors.

Update the documentation.
OK tb@ jmc@

5 files changed, 499 insertions, 46 deletions

diff --git a/lib/libcrypto/man/RSA_generate_key.3 b/lib/libcrypto/man/RSA_generate_key.3
index 3ac3885f13d..80bae6824c0 100644
--- a/lib/libcrypto/man/RSA_generate_key.3
+++ b/lib/libcrypto/man/RSA_generate_key.3
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: RSA_generate_key.3,v 1.11 2018/03/27 17:35:50 schwarze Exp $
+.\"	$OpenBSD: RSA_generate_key.3,v 1.12 2019/06/08 09:53:15 schwarze Exp $
 .\"	OpenSSL RSA_generate_key.pod bb6c5e7f Feb 5 10:29:22 2017 -0500
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2019 $
 .Dt RSA_GENERATE_KEY 3
 .Os
 .Sh NAME
@@ -144,6 +144,7 @@ The error codes can be obtained by
 .Xr BN_generate_prime 3 ,
 .Xr ERR_get_error 3 ,
 .Xr RSA_get0_key 3 ,
+.Xr RSA_meth_set_keygen 3 ,
 .Xr RSA_new 3
 .Sh HISTORY
 .Fn RSA_generate_key
diff --git a/lib/libcrypto/man/RSA_meth_new.3 b/lib/libcrypto/man/RSA_meth_new.3
index 137e0cad87f..8faab9490d0 100644
--- a/lib/libcrypto/man/RSA_meth_new.3
+++ b/lib/libcrypto/man/RSA_meth_new.3
@@ -1,10 +1,11 @@
-.\" $OpenBSD: RSA_meth_new.3,v 1.3 2018/09/12 15:09:22 jmc Exp $
-.\" selective merge up to: OpenSSL a970b14f Jul 31 18:58:40 2017 -0400
+.\" $OpenBSD: RSA_meth_new.3,v 1.4 2019/06/08 09:53:15 schwarze Exp $
+.\" full merge up to: OpenSSL a970b14f Jul 31 18:58:40 2017 -0400
+.\" selective merge up to: OpenSSL 24907560 Sep 17 07:47:42 2018 +1000
 .\"
 .\" This file is a derived work.
 .\" The changes are covered by the following Copyright and license:
 .\"
-.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2018, 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -65,18 +66,41 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 12 2018 $
+.Dd $Mdocdate: June 8 2019 $
 .Dt RSA_METH_NEW 3
 .Os
 .Sh NAME
 .Nm RSA_meth_new ,
 .Nm RSA_meth_dup ,
 .Nm RSA_meth_free ,
-.Nm RSA_meth_get_finish ,
+.Nm RSA_meth_get0_name ,
 .Nm RSA_meth_set1_name ,
+.Nm RSA_meth_get_flags ,
+.Nm RSA_meth_set_flags ,
+.Nm RSA_meth_get0_app_data ,
+.Nm RSA_meth_set0_app_data ,
+.Nm RSA_meth_get_init ,
+.Nm RSA_meth_set_init ,
+.Nm RSA_meth_get_finish ,
 .Nm RSA_meth_set_finish ,
+.Nm RSA_meth_get_pub_enc ,
+.Nm RSA_meth_set_pub_enc ,
+.Nm RSA_meth_get_pub_dec ,
+.Nm RSA_meth_set_pub_dec ,
+.Nm RSA_meth_get_priv_enc ,
 .Nm RSA_meth_set_priv_enc ,
-.Nm RSA_meth_set_priv_dec
+.Nm RSA_meth_get_priv_dec ,
+.Nm RSA_meth_set_priv_dec ,
+.Nm RSA_meth_get_sign ,
+.Nm RSA_meth_set_sign ,
+.Nm RSA_meth_get_verify ,
+.Nm RSA_meth_set_verify ,
+.Nm RSA_meth_get_mod_exp ,
+.Nm RSA_meth_set_mod_exp ,
+.Nm RSA_meth_get_bn_mod_exp ,
+.Nm RSA_meth_set_bn_mod_exp ,
+.Nm RSA_meth_get_keygen ,
+.Nm RSA_meth_set_keygen
 .Nd build up RSA methods
 .Sh SYNOPSIS
 .In openssl/rsa.h
@@ -93,30 +117,177 @@
 .Fo RSA_meth_free
 .Fa "RSA_METHOD *meth"
 .Fc
+.Ft const char *
+.Fo RSA_meth_get0_name
+.Fa "const RSA_METHOD *meth"
+.Fc
 .Ft int
 .Fo RSA_meth_set1_name
 .Fa "RSA_METHOD *meth"
 .Fa "const char *name"
 .Fc
 .Ft int
-.Fn "(*RSA_meth_get_finish(const RSA_METHOD *meth))" "RSA *rsa"
+.Fo RSA_meth_get_flags
+.Fa "const RSA_METHOD *meth"
+.Fc
+.Ft int
+.Fo RSA_meth_set_flags
+.Fa "RSA_METHOD *meth"
+.Fa "int flags"
+.Fc
+.Ft void *
+.Fo RSA_meth_get0_app_data
+.Fa "const RSA_METHOD *meth"
+.Fc
+.Ft int
+.Fo RSA_meth_set0_app_data
+.Fa "RSA_METHOD *meth"
+.Fa "void *app_data"
+.Fc
+.Ft int
+.Fo "(*RSA_meth_get_init(const RSA_METHOD *meth))"
+.Fa "RSA *rsa"
+.Fc
+.Ft int
+.Fo "RSA_meth_set_init"
+.Fa "RSA_METHOD *meth"
+.Fa "int (*init)(RSA *rsa)"
+.Fc
+.Ft int
+.Fo "(*RSA_meth_get_finish(const RSA_METHOD *meth))"
+.Fa "RSA *rsa"
+.Fc
 .Ft int
 .Fo RSA_meth_set_finish
 .Fa "RSA_METHOD *meth"
 .Fa "int (*finish)(RSA *rsa)"
 .Fc
 .Ft int
+.Fo "(*RSA_meth_get_pub_enc(const RSA_METHOD *meth))"
+.Fa "int flen"
+.Fa "const unsigned char *from"
+.Fa "unsigned char *to"
+.Fa "RSA *rsa"
+.Fa "int padding"
+.Fc
+.Ft int
+.Fo RSA_meth_set_pub_enc
+.Fa "RSA_METHOD *meth"
+.Fa "int (*pub_enc)(int flen, const unsigned char *from,\
+ unsigned char *to, RSA *rsa, int padding)"
+.Fc
+.Ft int
+.Fo "(*RSA_meth_get_pub_dec(const RSA_METHOD *meth))"
+.Fa "int flen"
+.Fa "const unsigned char *from"
+.Fa "unsigned char *to"
+.Fa "RSA *rsa"
+.Fa "int padding"
+.Fc
+.Ft int
+.Fo RSA_meth_set_pub_dec
+.Fa "RSA_METHOD *meth"
+.Fa "int (*pub_dec)(int flen, const unsigned char *from,\
+ unsigned char *to, RSA *rsa, int padding)"
+.Fc
+.Ft int
+.Fo "(*RSA_meth_get_priv_enc(const RSA_METHOD *meth))"
+.Fa "int flen"
+.Fa "const unsigned char *from"
+.Fa "unsigned char *to"
+.Fa "RSA *rsa"
+.Fa "int padding"
+.Fc
+.Ft int
 .Fo RSA_meth_set_priv_enc
 .Fa "RSA_METHOD *meth"
 .Fa "int (*priv_enc)(int flen, const unsigned char *from,\
  unsigned char *to, RSA *rsa, int padding)"
 .Fc
 .Ft int
+.Fo "(*RSA_meth_get_priv_dec(const RSA_METHOD *meth))"
+.Fa "int flen"
+.Fa "const unsigned char *from"
+.Fa "unsigned char *to"
+.Fa "RSA *rsa"
+.Fa "int padding"
+.Fc
+.Ft int
 .Fo RSA_meth_set_priv_dec
 .Fa "RSA_METHOD *meth"
 .Fa "int (*priv_dec)(int flen, const unsigned char *from,\
  unsigned char *to, RSA *rsa, int padding)"
 .Fc
+.Ft int
+.Fo "(*RSA_meth_get_sign(const RSA_METHOD *meth))"
+.Fa "int type"
+.Fa "const unsigned char *m"
+.Fa "unsigned int m_length"
+.Fa "unsigned char *sigret"
+.Fa "unsigned int *siglen"
+.Fa "const RSA *rsa"
+.Fc
+.Ft int
+.Fo RSA_meth_set_sign
+.Fa "RSA_METHOD *rsa"
+.Fa "int (*sign)(int type, const unsigned char *m, unsigned int m_length,\
+ unsigned char *sigret, unsigned int *siglen, const RSA *rsa)"
+.Fc
+.Ft int
+.Fo "(*RSA_meth_get_verify(const RSA_METHOD *meth))"
+.Fa "int dtype"
+.Fa "const unsigned char *m"
+.Fa "unsigned int m_length"
+.Fa "const unsigned char *sigbuf"
+.Fa "unsigned int siglen"
+.Fa "const RSA *rsa"
+.Fc
+.Ft int
+.Fo RSA_meth_set_verify
+.Fa "RSA_METHOD *rsa"
+.Fa "int (*verify)(int dtype, const unsigned char *m,\
+ unsigned int m_length, const unsigned char *sigbuf,\
+ unsigned int siglen, const RSA *rsa)"
+.Fc
+.Ft int
+.Fo "(*RSA_meth_get_mod_exp(const RSA_METHOD *meth))"
+.Fa "BIGNUM *r0"
+.Fa "const BIGNUM *i"
+.Fa "RSA *rsa"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo RSA_meth_set_mod_exp
+.Fa "RSA_METHOD *meth"
+.Fa "int (*mod_exp)(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx)"
+.Fc
+.Ft int
+.Fo "(*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))"
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *p"
+.Fa "const BIGNUM *m"
+.Fa "BN_CTX *ctx"
+.Fa "BN_MONT_CTX *m_ctx"
+.Fc
+.Ft int
+.Fo RSA_meth_set_bn_mod_exp
+.Fa "RSA_METHOD *meth"
+.Fa "int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,\
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)"
+.Fc
+.Ft int
+.Fo "(*RSA_meth_get_keygen(const RSA_METHOD *meth))"
+.Fa "RSA *rsa"
+.Fa "int bits"
+.Fa "BIGNUM *e"
+.Fa "BN_GENCB *cb"
+.Fc
+.Ft int
+.Fo RSA_meth_set_keygen
+.Fa "RSA_METHOD *meth"
+.Fa "int (*keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)"
+.Fc
 .Sh DESCRIPTION
 The
 .Vt RSA_METHOD
@@ -137,11 +308,15 @@ object constructed from this
 .Vt RSA_METHOD
 will have the given
 .Fa flags
-set by default.
+set by default, as if they were set with
+.Xr RSA_set_flags 3 .
 .Pp
 .Fn RSA_meth_dup
 creates a deep copy of
-.Fa meth .
+.Fa meth ,
+except that a pointer stored into it with
+.Fn RSA_meth_set0_app_data
+is copied as a pointer without creating a copy of its content.
 This might be useful for creating a new
 .Vt RSA_METHOD
 based on an existing one, but with some differences.
@@ -149,15 +324,80 @@ based on an existing one, but with some differences.
 .Fn RSA_meth_free
 destroys
 .Fa meth
-and frees any memory associated with it.
+and frees any memory associated with it,
+except that memory pointed to by a pointer set with
+.Fn RSA_meth_set0_app_data
+is not freed.
+If
+.Fa meth
+is
+.Dv NULL ,
+no action occurs.
 .Pp
+.Fn RSA_meth_get0_name
+returns an internal pointer to the name of
+.Fa meth .
 .Fn RSA_meth_set1_name
-Stores a copy of the NUL-terminated
+stores a copy of the NUL-terminated
 .Fa name
 in the
 .Vt RSA_METHOD
-object after freeing the previously stored
-.Fa name .
+object after freeing the previously stored name.
+Method names are ignored by the default RSA implementation
+but can be used by alternative implementations
+and by the application program.
+.Pp
+.Fn RSA_meth_get_flags
+retrieves the flags from
+.Fa meth .
+Flags are documented in
+.Xr RSA_test_flags 3 .
+.Fn RSA_meth_set_flags
+overwrites all flags in
+.Fa meth .
+Unlike
+.Xr RSA_set_flags 3 ,
+it does not preserve any flags that were set before the call.
+.Pp
+.Fn RSA_meth_get0_app_data
+and
+.Fn RSA_meth_set0_app_data
+get and set a pointer to implementation-specific data.
+The function
+.Fn RSA_meth_free
+does not
+.Xr free 3
+the memory pointed to by
+.Fa app_data .
+The default RSA implementation does not use
+.Fa app_data .
+.Pp
+.Fn RSA_meth_get_init
+and
+.Fn RSA_meth_set_init
+get and set an optional function used when creating a new
+.Vt RSA
+object.
+Unless
+.Fa init
+is
+.Dv NULL ,
+it will be called at the end of
+.Xr RSA_new 3 ,
+.Xr RSA_new_method 3 ,
+and
+.Xr RSA_set_method 3 ,
+passing a pointer to the newly allocated or reset
+.Vt RSA
+object as an argument.
+The default RSA implementation,
+.Xr RSA_PKCS1_SSLeay 3 ,
+contains an
+.Fa init
+function equivalent to calling
+.Xr RSA_set_flags 3
+with an argument of
+.Dv RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE .
 .Pp
 .Fn RSA_meth_get_finish
 and
@@ -170,24 +410,125 @@ Unless
 is
 .Dv NULL ,
 it will be called from
+.Xr RSA_set_method 3
+and from
 .Xr RSA_free 3 .
-It takes the same argument
+It takes the same argument as
+.Xr RSA_free 3
 and is intended to do RSA implementation specific cleanup.
 The memory used by the
 .Vt RSA
 object itself should not be freed by the
 .Fa finish
 function.
+The default RSA implementation contains a
+.Fa finish
+function freeing the memory used by the
+.Dv RSA_FLAG_CACHE_PUBLIC
+and
+.Dv RSA_FLAG_CACHE_PRIVATE
+caches.
 .Pp
-.Fn RSA_meth_set_priv_enc
+.Fn RSA_meth_get_pub_enc ,
+.Fn RSA_meth_set_pub_enc ,
+.Fn RSA_meth_get_pub_dec ,
+.Fn RSA_meth_set_pub_dec ,
+.Fn RSA_meth_get_priv_enc ,
+.Fn RSA_meth_set_priv_enc ,
+.Fn RSA_meth_get_priv_dec ,
 and
 .Fn RSA_meth_set_priv_dec
-set the functions used for private key encryption and decryption.
+get and set the mandatory functions
+used for public and private key encryption and decryption.
 These functions will be called from
+.Xr RSA_public_encrypt 3 ,
+.Xr RSA_public_decrypt 3 ,
+.Xr RSA_private_encrypt 3 ,
+and
+.Xr RSA_private_decrypt 3 ,
+respectively, and take the same parameters as those.
+.Pp
+.Fn RSA_meth_get_sign ,
+.Fn RSA_meth_set_sign ,
+.Fn RSA_meth_get_verify ,
+and
+.Fn RSA_meth_set_verify
+get and set the optional functions
+used for creating and verifying an RSA signature.
+If the flag
+.Dv RSA_FLAG_SIGN_VER
+is set on the
+.Vt RSA
+object in question and
+.Fa sign
+or
+.Fa verify
+is not
+.Dv NULL ,
+it will be called from
+.Xr RSA_sign 3
+or
+.Xr RSA_verify 3 ,
+respectively, and take the same parameters as those.
+Otherwise,
+.Xr RSA_private_encrypt 3
+or
+.Xr RSA_public_decrypt 3
+will be used instead.
+.Pp
+.Fn RSA_meth_get_mod_exp
+and
+.Fn RSA_meth_set_mod_exp
+get and set the function used for CRT computations involving the
+.Fa p ,
+.Fa q ,
+.Fa dmp1 ,
+.Fa dmq1 ,
+and
+.Fa iqmp
+fields of an
+.Vt RSA
+object.
+It is used by the default RSA implementation during
+.Xr RSA_private_encrypt 3
+and
 .Xr RSA_private_decrypt 3
+when the required components of the private key are available
+or when the
+.Dv RSA_FLAG_EXT_PKEY
+flag is set.
+.Pp
+.Fn RSA_meth_get_bn_mod_exp
+and
+.Fn RSA_meth_set_bn_mod_exp
+get and set the function used for CRT computations,
+specifically the value r =
+.Fa a
+\(ha
+.Fa p
+mod
+.Fa m .
+It is used by the default RSA implementation during
+.Xr RSA_public_encrypt 3
 and
+.Xr RSA_public_decrypt 3
+and as a fallback during
 .Xr RSA_private_encrypt 3
-and take the same parameters as those.
+and
+.Xr RSA_private_decrypt 3 .
+.Pp
+.Fn RSA_meth_get_keygen
+and
+.Fn RSA_meth_set_keygen
+get and set the optional function used for generating a new RSA key pair.
+Unless
+.Fa keygen
+is
+.Dv NULL ,
+it will be called from
+.Xr RSA_generate_key_ex 3
+and takes the same parameters.
+Otherwise, a builtin default implementation is used.
 .Sh RETURN VALUES
 .Fn RSA_meth_new
 and
@@ -198,20 +539,87 @@ object or
 .Dv NULL
 on failure.
 .Pp
+.Fn RSA_meth_get0_name
+returns an internal pointer which must not be freed by the caller.
+.Pp
+.Fn RSA_meth_get_flags
+returns zero or more
+.Dv RSA_FLAG_*
+constants OR'ed together, or 0 if no flags are set in
+.Fa meth .
+.Pp
+.Fn RSA_meth_get0_app_data
+returns the pointer that was earlier passed to
+.Fn RSA_meth_set0_app_data
+or
+.Dv NULL
+otherwise.
+.Pp
+All other
+.Fn RSA_meth_get_*
+functions return the appropriate function pointer that has been set
+with the corresponding
+.Fn RSA_meth_set_*
+function, or
+.Dv NULL
+if no such pointer has been set in
+.Fa meth .
+.Pp
 All
 .Fn RSA_meth_set*
 functions return 1 on success or 0 on failure.
+In the current implementation, only
+.Fn RSA_meth_set1_name
+can actually fail.
 .Sh SEE ALSO
+.Xr RSA_generate_key_ex 3 ,
 .Xr RSA_new 3 ,
-.Xr RSA_private_decrypt 3 ,
 .Xr RSA_private_encrypt 3 ,
-.Xr RSA_set_method 3
+.Xr RSA_public_encrypt 3 ,
+.Xr RSA_set_flags 3 ,
+.Xr RSA_set_method 3 ,
+.Xr RSA_sign 3
 .Sh HISTORY
 These functions first appeared in OpenSSL 1.1.0.
-.Fn RSA_meth_get_finish
+.Fn RSA_meth_new ,
+.Fn RSA_meth_dup ,
+.Fn RSA_meth_free ,
+.Fn RSA_meth_set_finish ,
+.Fn RSA_meth_set_priv_enc ,
 and
-.Fn RSA_meth_set1_name
+.Fn RSA_meth_set_priv_dec
 have been available since
+.Ox 6.3 ,
+.Fn RSA_meth_set1_name
+and
+.Fn RSA_meth_get_finish
+since
 .Ox 6.4 ,
-all the other functions since
-.Ox 6.3 .
+and
+.Fn RSA_meth_get0_name ,
+.Fn RSA_meth_get_flags ,
+.Fn RSA_meth_set_flags ,
+.Fn RSA_meth_get0_app_data ,
+.Fn RSA_meth_set0_app_data ,
+.Fn RSA_meth_get_init ,
+.Fn RSA_meth_set_init ,
+.Fn RSA_meth_set_finish ,
+.Fn RSA_meth_get_pub_enc ,
+.Fn RSA_meth_set_pub_enc ,
+.Fn RSA_meth_get_pub_dec ,
+.Fn RSA_meth_set_pub_dec ,
+.Fn RSA_meth_get_priv_enc ,
+.Fn RSA_meth_get_priv_dec ,
+.Fn RSA_meth_get_sign ,
+.Fn RSA_meth_set_sign ,
+.Fn RSA_meth_get_verify ,
+.Fn RSA_meth_set_verify ,
+.Fn RSA_meth_get_mod_exp ,
+.Fn RSA_meth_set_mod_exp ,
+.Fn RSA_meth_get_bn_mod_exp ,
+.Fn RSA_meth_set_bn_mod_exp ,
+.Fn RSA_meth_get_keygen ,
+and
+.Fn RSA_meth_set_keygen
+since
+.Ox 6.6 .
diff --git a/lib/libcrypto/man/RSA_new.3 b/lib/libcrypto/man/RSA_new.3
index 8f0e2c2a5eb..7e40c119874 100644
--- a/lib/libcrypto/man/RSA_new.3
+++ b/lib/libcrypto/man/RSA_new.3
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: RSA_new.3,v 1.11 2019/06/06 01:06:59 schwarze Exp $
+.\"	$OpenBSD: RSA_new.3,v 1.12 2019/06/08 09:53:15 schwarze Exp $
 .\"	OpenSSL doc/man3/RSA_new.pod 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"	OpenSSL doc/crypto/rsa.pod 35d2e327 Jun 3 16:19:49 2016 -0400
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2019 $
 .Dt RSA_NEW 3
 .Os
 .Sh NAME
@@ -88,7 +88,15 @@ increments the reference count by 1.
 .Pp
 .Fn RSA_free
 decrements the reference count by 1.
-If it reaches 0, it frees the
+If it reaches 0, it calls the optional
+.Fa finish
+function set up with
+.Xr RSA_meth_set_finish 3 ,
+calls
+.Xr ENGINE_finish 3
+if
+.Fa rsa
+uses an engine, and frees the
 .Vt RSA
 structure and its components.
 The key is erased before the memory is returned to the system.
diff --git a/lib/libcrypto/man/RSA_set_method.3 b/lib/libcrypto/man/RSA_set_method.3
index 524430b6f85..53d41f5516e 100644
--- a/lib/libcrypto/man/RSA_set_method.3
+++ b/lib/libcrypto/man/RSA_set_method.3
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: RSA_set_method.3,v 1.13 2019/05/20 06:04:45 jmc Exp $
+.\"	$OpenBSD: RSA_set_method.3,v 1.14 2019/06/08 09:53:15 schwarze Exp $
 .\"	OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 20 2019 $
+.Dd $Mdocdate: June 8 2019 $
 .Dt RSA_SET_METHOD 3
 .Os
 .Sh NAME
@@ -121,12 +121,25 @@ selects
 .Fa meth
 to perform all operations using the key
 .Fa rsa .
-This replaces the
+This replaces the previous
 .Vt RSA_METHOD
-used by the RSA key, and if the previous method was supplied by an
+used by the RSA key, calling the
+.Fa finish
+function set up with
+.Xr RSA_meth_set_finish 3
+if any, and if the previous method was supplied by an
 .Vt ENGINE ,
 .Xr ENGINE_finish 3
 is called on it.
+If
+.Fa meth
+contains an
+.Fa init
+function set up with
+.Xr RSA_meth_set_init 3 ,
+that function is called just before returning from
+.Fn RSA_set_method .
+.Pp
 It is possible to have RSA keys that only work with certain
 .Vt RSA_METHOD
 implementations (e.g. from an
@@ -148,14 +161,19 @@ to be valid as long as the RSA key itself is valid and does not
 have its implementation changed by
 .Fn RSA_set_method .
 .Pp
+The misleadingly named function
 .Fn RSA_flags
 returns the flags that are set for the current
 .Vt RSA_METHOD
 of
 .Fa rsa .
+The flags used by
+.Fa rsa
+itself can instead be tested with
+.Xr RSA_test_flags 3 .
 See the
 .Sx BUGS
-section.
+section for more details.
 .Pp
 .Fn RSA_new_method
 allocates and initializes an
@@ -175,6 +193,18 @@ the default method controlled by
 .Fn RSA_set_default_method
 is used.
 .Pp
+The initial
+.Fa flags
+are copied from the
+.Vt RSA_METHOD
+object used and will not be affected by later changes to that object,
+but may be modified by the optional
+.Fa init
+function which may have been set up with
+.Xr RSA_meth_set_init 3
+and which is called just before returning from
+.Fn RSA_new_method .
+.Pp
 The
 .Dv RSA_METHOD
 structure is defined as follows:
@@ -185,27 +215,28 @@ typedef struct rsa_meth_st
 	const char *name;
 
      /* encrypt */
-	int (*rsa_pub_enc)(int flen, unsigned char *from,
+	int (*rsa_pub_enc)(int flen, const unsigned char *from,
           unsigned char *to, RSA *rsa, int padding);
 
      /* verify arbitrary data */
-	int (*rsa_pub_dec)(int flen, unsigned char *from,
+	int (*rsa_pub_dec)(int flen, const unsigned char *from,
           unsigned char *to, RSA *rsa, int padding);
 
      /* sign arbitrary data */
-	int (*rsa_priv_enc)(int flen, unsigned char *from,
+	int (*rsa_priv_enc)(int flen, const unsigned char *from,
           unsigned char *to, RSA *rsa, int padding);
 
      /* decrypt */
-	int (*rsa_priv_dec)(int flen, unsigned char *from,
+	int (*rsa_priv_dec)(int flen, const unsigned char *from,
           unsigned char *to, RSA *rsa, int padding);
 
      /* compute r0 = r0 ^ I mod rsa->n (May be NULL for some
                                         implementations) */
-	int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa);
+	int (*rsa_mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
+	  BN_CTX *ctx);
 
      /* compute r = a ^ p mod m (May be NULL for some implementations) */
-	int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
           const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 
      /* called at RSA_new */
@@ -218,7 +249,6 @@ typedef struct rsa_meth_st
       *                            operations, even if p,q,dmp1,dmq1,iqmp
       *                            are NULL
       * RSA_FLAG_SIGN_VER        - enable rsa_sign and rsa_verify
-      * RSA_METHOD_FLAG_NO_CHECK - don't check pub/private match
       */
 	int flags;
 
@@ -227,14 +257,19 @@ typedef struct rsa_meth_st
      /* sign. For backward compatibility, this is used only
       * if (flags & RSA_FLAG_SIGN_VER)
       */
-	int (*rsa_sign)(int type, unsigned char *m, unsigned int m_len,
-           unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+	int (*rsa_sign)(int type, const unsigned char *m,
+	  unsigned int m_len, unsigned char *sigret,
+	  unsigned int *siglen, const RSA *rsa);
 
      /* verify. For backward compatibility, this is used only
       * if (flags & RSA_FLAG_SIGN_VER)
       */
-	int (*rsa_verify)(int type, unsigned char *m, unsigned int m_len,
-           unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+	int (*rsa_verify)(int type, const unsigned char *m,
+	  unsigned int m_len, const unsigned char *sigbuf,
+	  unsigned int siglen, const RSA *rsa);
+
+     /* called at RSA_generate_key_ex; may be NULL */
+	int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
 
 } RSA_METHOD;
 .Ed
diff --git a/lib/libcrypto/man/RSA_sign.3 b/lib/libcrypto/man/RSA_sign.3
index 80e0b0e9577..166f2310a5b 100644
--- a/lib/libcrypto/man/RSA_sign.3
+++ b/lib/libcrypto/man/RSA_sign.3
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: RSA_sign.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"	$OpenBSD: RSA_sign.3,v 1.7 2019/06/08 09:53:15 schwarze Exp $
 .\"	OpenSSL aa90ca11 Aug 20 15:48:56 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2019 $
 .Dt RSA_SIGN 3
 .Os
 .Sh NAME
@@ -133,6 +133,7 @@ The error codes can be obtained by
 .Xr ERR_get_error 3 .
 .Sh SEE ALSO
 .Xr ERR_get_error 3 ,
+.Xr RSA_meth_set_sign 3 ,
 .Xr RSA_new 3 ,
 .Xr RSA_private_encrypt 3 ,
 .Xr RSA_public_decrypt 3