Adjust comments and impl structure per PR feedback

crypto/fipsmodule/rsa/rsa.c

@@ -837,12 +837,14 @@ void RSA_blinding_off_temp_for_accp_compatibility(RSA *rsa) {
 }
 
 int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) {
-  if (ctx != NULL && ctx->pmeth != NULL
-      && ctx->pmeth->pkey_id != EVP_PKEY_RSA
-      && ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) {
+  if (ctx != NULL && ctx->pmeth != NULL) {
+    if (ctx->pmeth->pkey_id == EVP_PKEY_RSA ||
+        ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) {
+      return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2);
+    }
     return -1;
   }
-  return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2);
+  return 0;
 }
 
 // ------------- KEY CHECKING FUNCTIONS ----------------

include/openssl/rsa.h

@@ -739,12 +739,15 @@ OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
 // a private exponent having blinding disabled.
 OPENSSL_EXPORT OPENSSL_DEPRECATED void RSA_blinding_off_temp_for_accp_compatibility(RSA *rsa);
 
-// RSA_pkey_ctx_ctrl is a vestigial function that has been obsoleted by the EVP
-// interface. Use |EVP_PKEY_CTX_ctrl| instead.
+// RSA_pkey_ctx_ctrl is a vestigial OpenSSL function that has been obsoleted by
+// the EVP interface. External callers should not use this. Internal callers
+// should use |EVP_PKEY_CTX_ctrl| instead.
 //
 // This function directly calls |EVP_PKEY_CTX_ctrl| with some guards around the
-// key's "type". If key type is not RSA or RSA-PSS, -1 is returned.
-OPENSSL_EXPORT OPENSSL_DEPRECATED int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2);
+// key's type. The key type must either be RSA or RSA-PSS, otherwise -1 is
+// returned.
+OPENSSL_EXPORT OPENSSL_DEPRECATED int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd,
+                                                        int p1, void *p2);
 
 // RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you
 // should use instead. It returns NULL on error, or a newly-allocated |RSA| on