upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-04-29 18:32:49 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/secure/lib/libcrypto/man/man3/RSA_set_method.3
Pierre Pronchery b077aed33b Merge OpenSSL 3.0.9 
Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0.  OpenSSL 1.1.1 (the
version we were previously using) will be EOL as of 2023-09-11.

Most of the base system has already been updated for a seamless switch
to OpenSSL 3.0.  For many components we've added
`-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
which avoids deprecation warnings from OpenSSL 3.0.  Changes have also
been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
1.1.1.  The process of updating to contemporary APIs can continue after
this merge.

Additional changes are still required for libarchive and Kerberos-
related libraries or tools; workarounds will immediately follow this
commit.  Fixes are in progress in the upstream projects and will be
incorporated when those are next updated.

There are some performance regressions in benchmarks (certain tests in
`openssl speed`) and in some OpenSSL consumers in ports (e.g.  haproxy).
Investigation will continue for these.

Netflix's testing showed no functional regression and a rather small,
albeit statistically significant, increase in CPU consumption with
OpenSSL 3.0.

Thanks to ngie@ and des@ for updating base system components, to
antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
Netflix and everyone who tested prior to commit or contributed to this
update in other ways.

PR:		271615
PR:		271656 [exp-run]
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2023-06-23 18:53:36 -04:00

328 lines
12 KiB
Groff
Raw Blame History

.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_SET_METHOD 3"
.TH RSA_SET_METHOD 3 "2023-05-30" "3.0.9" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_set_default_method, RSA_get_default_method, RSA_set_method,
RSA_get_method, RSA_PKCS1_OpenSSL, RSA_flags,
RSA_new_method \- select RSA method
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& void RSA_set_default_method(const RSA_METHOD *meth);
\&
\& const RSA_METHOD *RSA_get_default_method(void);
\&
\& int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
\&
\& const RSA_METHOD *RSA_get_method(const RSA *rsa);
\&
\& const RSA_METHOD *RSA_PKCS1_OpenSSL(void);
\&
\& int RSA_flags(const RSA *rsa);
\&
\& RSA *RSA_new_method(ENGINE *engine);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use the \s-1OSSL_PROVIDER\s0 APIs.
.PP
An \fB\s-1RSA_METHOD\s0\fR specifies the functions that OpenSSL uses for \s-1RSA\s0
operations. By modifying the method, alternative implementations such as
hardware accelerators may be used. \s-1IMPORTANT:\s0 See the \s-1NOTES\s0 section for
important information about how these \s-1RSA API\s0 functions are affected by the
use of \fB\s-1ENGINE\s0\fR \s-1API\s0 calls.
.PP
Initially, the default \s-1RSA_METHOD\s0 is the OpenSSL internal implementation,
as returned by \fBRSA_PKCS1_OpenSSL()\fR.
.PP
\&\fBRSA_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1RSA\s0
structures created later.
\&\fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has
been set as a default for \s-1RSA,\s0 so this function is no longer recommended.
This function is not thread-safe and should not be called at the same time
as other OpenSSL functions.
.PP
\&\fBRSA_get_default_method()\fR returns a pointer to the current default
\&\s-1RSA_METHOD.\s0 However, the meaningfulness of this result is dependent on
whether the \s-1ENGINE API\s0 is being used, so this function is no longer
recommended.
.PP
\&\fBRSA_set_method()\fR selects \fBmeth\fR to perform all operations using the key
\&\fBrsa\fR. This will replace the \s-1RSA_METHOD\s0 used by the \s-1RSA\s0 key and if the
previous method was supplied by an \s-1ENGINE,\s0 the handle to that \s-1ENGINE\s0 will
be released during the change. It is possible to have \s-1RSA\s0 keys that only
work with certain \s-1RSA_METHOD\s0 implementations (e.g. from an \s-1ENGINE\s0 module
that supports embedded hardware-protected keys), and in such cases
attempting to change the \s-1RSA_METHOD\s0 for the key can have unexpected
results.
.PP
\&\fBRSA_get_method()\fR returns a pointer to the \s-1RSA_METHOD\s0 being used by \fBrsa\fR.
This method may or may not be supplied by an \s-1ENGINE\s0 implementation, but if
it is, the return value can only be guaranteed to be valid as long as the
\&\s-1RSA\s0 key itself is valid and does not have its implementation changed by
\&\fBRSA_set_method()\fR.
.PP
\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR's current
\&\s-1RSA_METHOD.\s0 See the \s-1BUGS\s0 section.
.PP
\&\fBRSA_new_method()\fR allocates and initializes an \s-1RSA\s0 structure so that
\&\fBengine\fR will be used for the \s-1RSA\s0 operations. If \fBengine\fR is \s-1NULL,\s0 the
default \s-1ENGINE\s0 for \s-1RSA\s0 operations is used, and if no default \s-1ENGINE\s0 is set,
the \s-1RSA_METHOD\s0 controlled by \fBRSA_set_default_method()\fR is used.
.PP
\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR's current method.
.PP
\&\fBRSA_new_method()\fR allocates and initializes an \fB\s-1RSA\s0\fR structure so that
\&\fBmethod\fR will be used for the \s-1RSA\s0 operations. If \fBmethod\fR is \fB\s-1NULL\s0\fR,
the default method is used.
.SH "THE RSA_METHOD STRUCTURE"
.IX Header "THE RSA_METHOD STRUCTURE"
.Vb 4
\& typedef struct rsa_meth_st
\& {
\& /* name of the implementation */
\& const char *name;
\&
\& /* encrypt */
\& int (*rsa_pub_enc)(int flen, unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
\&
\& /* verify arbitrary data */
\& int (*rsa_pub_dec)(int flen, unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
\&
\& /* sign arbitrary data */
\& int (*rsa_priv_enc)(int flen, unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
\&
\& /* decrypt */
\& int (*rsa_priv_dec)(int flen, unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
\&
\& /* compute r0 = r0 ^ I mod rsa\->n (May be NULL for some implementations) */
\& int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa);
\&
\& /* compute r = a ^ p mod m (May be NULL for some implementations) */
\& int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
\& const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
\&
\& /* called at RSA_new */
\& int (*init)(RSA *rsa);
\&
\& /* called at RSA_free */
\& int (*finish)(RSA *rsa);
\&
\& /*
\& * RSA_FLAG_EXT_PKEY \- rsa_mod_exp is called for private key
\& * operations, even if p,q,dmp1,dmq1,iqmp
\& * are NULL
\& * RSA_METHOD_FLAG_NO_CHECK \- don\*(Aqt check pub/private match
\& */
\& int flags;
\&
\& char *app_data; /* ?? */
\&
\& int (*rsa_sign)(int type,
\& const unsigned char *m, unsigned int m_length,
\& unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
\& int (*rsa_verify)(int dtype,
\& const unsigned char *m, unsigned int m_length,
\& const unsigned char *sigbuf, unsigned int siglen,
\& const RSA *rsa);
\& /* keygen. If NULL built\-in RSA key generation will be used */
\& int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
\&
\& } RSA_METHOD;
.Ve
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_PKCS1_OpenSSL()\fR, \fBRSA_PKCS1_null_method()\fR, \fBRSA_get_default_method()\fR
and \fBRSA_get_method()\fR return pointers to the respective RSA_METHODs.
.PP
\&\fBRSA_set_default_method()\fR returns no value.
.PP
\&\fBRSA_set_method()\fR returns a pointer to the old \s-1RSA_METHOD\s0 implementation
that was replaced. However, this return value should probably be ignored
because if it was supplied by an \s-1ENGINE,\s0 the pointer could be invalidated
at any time if the \s-1ENGINE\s0 is unloaded (in fact it could be unloaded as a
result of the \fBRSA_set_method()\fR function releasing its handle to the
\&\s-1ENGINE\s0). For this reason, the return type may be replaced with a \fBvoid\fR
declaration in a future release.
.PP
\&\fBRSA_new_method()\fR returns \s-1NULL\s0 and sets an error code that can be obtained
by \fBERR_get_error\fR\|(3) if the allocation fails. Otherwise
it returns a pointer to the newly allocated structure.
.SH "BUGS"
.IX Header "BUGS"
The behaviour of \fBRSA_flags()\fR is a mis-feature that is left as-is for now
to avoid creating compatibility problems. \s-1RSA\s0 functionality, such as the
encryption functions, are controlled by the \fBflags\fR value in the \s-1RSA\s0 key
itself, not by the \fBflags\fR value in the \s-1RSA_METHOD\s0 attached to the \s-1RSA\s0 key
(which is what this function returns). If the flags element of an \s-1RSA\s0 key
is changed, the changes will be honoured by \s-1RSA\s0 functionality but will not
be reflected in the return value of the \fBRSA_flags()\fR function \- in effect
\&\fBRSA_flags()\fR behaves more like an \fBRSA_default_flags()\fR function (which does
not currently exist).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRSA_new\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
.PP
The \fBRSA_null_method()\fR, which was a partial attempt to avoid patent issues,
was replaced to always return \s-1NULL\s0 in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
Reference in a new issue View git blame Copy permalink