openssl-prebuild/linux_amd64/share/man/man7/provider.7

.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.el \{\
.    de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER 7"
.TH PROVIDER 7 "2020-03-02" "3.0.0-dev" "OpenSSL"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
provider \- OpenSSL operation implementation providers
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
#include <openssl/provider.h>
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
.SS "General"
.IX Subsection "General"
A \fIprovider\fR, in OpenSSL terms, is a unit of code that provides one
or more implementations for various operations for diverse algorithms
that one might want to perform.
.PP
An \fIoperation\fR is something one wants to do, such as encryption and
decryption, key derivation, \s-1MAC\s0 calculation, signing and verification,
etc.
.PP
An \fIalgorithm\fR is a named method to perform an operation.
Very often, the algorithms revolve around cryptographic operations,
but may also revolve around other types of operation, such as managing
certain types of objects.
.SS "Provider"
.IX Subsection "Provider"
\&\fI\s-1NOTE:\s0 This section is mostly interesting for provider authors.\fR
.PP
A \fIprovider\fR offers an initialization function, as a set of base
functions in the form of an \fB\s-1OSSL_DISPATCH\s0\fR array, and by extension,
a set of \fB\s-1OSSL_ALGORITHM\s0\fRs (see \fIopenssl\-core.h\fR\|(7)).
It may be a dynamically loadable module, or may be built-in, in
OpenSSL libraries or in the application.
If it's a dynamically loadable module, the initialization function
must be named \f(CW\*(C`OSSL_provider_init\*(C'\fR and must be exported.
If it's built-in, the initialization function may have any name.
.PP
The initialization function must have the following signature:
.PP
.Vb 3
\& int NAME(const OSSL_PROVIDER *provider,
\&          const OSSL_DISPATCH *in, const OSSL_DISPATCH **out,
\&          void **provctx);
.Ve
.PP
\&\fIprovider\fR is the OpenSSL library object for the provider, and works
as a handle for everything the OpenSSL libraries need to know about
the provider.
For the provider itself, it may hold some interesting information,
and is also passed to some of the functions given in the dispatch
array \fIin\fR.
.PP
\&\fIin\fR is a dispatch array of base functions offered by the OpenSSL
libraries, and the available functions are further described in
\&\fIprovider\-base\fR\|(7).
.PP
\&\fI*out\fR must be assigned a dispatch array of base functions that the
provider offers to the OpenSSL libraries.
The functions that may be offered are further described in
\&\fIprovider\-base\fR\|(7), and they are the central means of communication
between the OpenSSL libraries and the provider.
.PP
\&\fI*provctx\fR should be assigned a provider specific context to allow
the provider multiple simultaneous uses.
This pointer will be passed to various operation functions offered by
the provider.
.PP
One of the functions the provider offers to the OpenSSL libraries is
the central mechanism for the OpenSSL libraries to get access to
operation implementations for diverse algorithms.
Its referred to with the number \fB\s-1OSSL_FUNC_PROVIDER_QUERY_OPERATION\s0\fR
and has the following signature:
.PP
.Vb 3
\& const OSSL_ALGORITHM *provider_query_operation(void *provctx,
\&                                                int operation_id,
\&                                                const int *no_store);
.Ve
.PP
\&\fIprovctx\fR is the provider specific context that was passed back by
the initialization function.
.PP
\&\fIoperation_id\fR is an operation identity (see \*(L"Operations\*(R" below).
.PP
\&\fIno_store\fR is a flag back to the OpenSSL libraries which, when
nonzero, signifies that the OpenSSL libraries will not store a
reference to the returned data in their internal store of
implementations.
.PP
The returned \fB\s-1OSSL_ALGORITHM\s0\fR is the foundation of any OpenSSL
library \s-1API\s0 that uses providers for their implementation, most
commonly in the \fIfetching\fR type of functions
(see \*(L"Fetching algorithms\*(R" below).
.SS "Operations"
.IX Subsection "Operations"
\&\fI\s-1NOTE:\s0 This section is mostly interesting for provider authors.\fR
.PP
Operations are referred to with numbers, via macros with names
starting with \f(CW\*(C`OSSL_OP_\*(C'\fR.
.PP
With each operation comes a set of defined function types that a
provider may or may not offer, depending on its needs.
.PP
Currently available operations are:
.IP "Digests" 4
.IX Item "Digests"
In the OpenSSL libraries, the corresponding method object is
\&\fB\s-1EVP_MD\s0\fR.
The number for this operation is \fB\s-1OSSL_OP_DIGEST\s0\fR.
The functions the provider can offer are described in
\&\fIprovider\-digest\fR\|(7)
.IP "Symmetric ciphers" 4
.IX Item "Symmetric ciphers"
In the OpenSSL libraries, the corresponding method object is
\&\fB\s-1EVP_CIPHER\s0\fR.
The number for this operation is \fB\s-1OSSL_OP_CIPHER\s0\fR.
The functions the provider can offer are described in
\&\fIprovider\-cipher\fR\|(7)
.IP "Message Authentication Code (\s-1MAC\s0)" 4
.IX Item "Message Authentication Code (MAC)"
In the OpenSSL libraries, the corresponding method object is
\&\fB\s-1EVP_MAC\s0\fR.
The number for this operation is \fB\s-1OSSL_OP_MAC\s0\fR.
The functions the provider can offer are described in
\&\fIprovider\-mac\fR\|(7)
.IP "Key Derivation Function (\s-1KDF\s0)" 4
.IX Item "Key Derivation Function (KDF)"
In the OpenSSL libraries, the corresponding method object is
\&\fB\s-1EVP_KDF\s0\fR.
The number for this operation is \fB\s-1OSSL_OP_KDF\s0\fR.
The functions the provider can offer are described in
\&\fIprovider\-kdf\fR\|(7)
.IP "Key Exchange" 4
.IX Item "Key Exchange"
In the OpenSSL libraries, the corresponding method object is
\&\fB\s-1EVP_KEYEXCH\s0\fR.
The number for this operation is \fB\s-1OSSL_OP_KEYEXCH\s0\fR.
The functions the provider can offer are described in
\&\fIprovider\-keyexch\fR\|(7)
.IP "Serialization" 4
.IX Item "Serialization"
In the OpenSSL libraries, the corresponding method object is
\&\fB\s-1OSSL_SERIALIZER\s0\fR.
The number for this operation is \fB\s-1OSSL_OP_SERIALIZER\s0\fR.
The functions the provider can offer are described in
\&\fIprovider\-serializer\fR\|(7)
.SS "Fetching algorithms"
.IX Subsection "Fetching algorithms"
\fIExplicit fetch\fR
.IX Subsection "Explicit fetch"
.PP
\&\fI\s-1NOTE:\s0 This section is mostly interesting to OpenSSL users.\fR
.PP
Users of the OpenSSL libraries never query the provider directly for
its diverse implementations and dispatch tables.
Instead, the diverse OpenSSL APIs often have fetching functions that
do the work, and they return an appropriate method object back to the
user.
These functions usually have the name \f(CW\*(C`APINAME_fetch\*(C'\fR, where
\&\f(CW\*(C`APINAME\*(C'\fR is the name of the \s-1API\s0, for example \fIEVP_MD_fetch\fR\|(3).
.PP
These fetching functions follow a fairly common pattern, where three
arguments are passed:
.IP "The library context" 4
.IX Item "The library context"
See \s-1\fIOPENSSL_CTX\s0\fR\|(3) for a more detailed description.
This may be \s-1NULL\s0 to signify the default (global) library context, or a
context created by the user.
Only providers loaded in this library context (see
\&\fIOSSL_PROVIDER_load\fR\|(3)) will be considered by the fetching
function.
.IP "An identifier" 4
.IX Item "An identifier"
This is most commonly an algorithm name (this is the case for all \s-1EVP\s0
methods), but may also be called something else.
.IP "A property query string" 4
.IX Item "A property query string"
See \fIproperty\fR\|(7) for a more detailed description.
This is used to select more exactly which providers will get to offer
an implementation.
.PP
The method object that is fetched can then be used with diverse other
functions that use them, for example \fIEVP_DigestInit_ex\fR\|(3).
.PP
\fIImplicit fetch\fR
.IX Subsection "Implicit fetch"
.PP
\&\fI\s-1NOTE:\s0 This section is mostly interesting to OpenSSL users.\fR
.PP
OpenSSL has a number of functions that return a method object with no
associated implementation, such as \fIEVP_sha256\fR\|(3),
\&\fIEVP_blake2b512\fR\|(3) or \fIEVP_aes_128_cbc\fR\|(3), which are present for
compatibility with OpenSSL before version 3.0.
.PP
When they are used with functions like \fIEVP_DigestInit_ex\fR\|(3) or
\&\fIEVP_CipherInit_ex\fR\|(3), the actual implementation to be used is
fetched implicitly using default search criteria.
.PP
Implicit fetching can also occur when a \s-1NULL\s0 algorithm parameter is
supplied.
In this case an algorithm implementation is implicitly fetched using
default search criteria and an algorithm name that is consistent with
the type of \s-1EVP_PKEY\s0 being used.
.PP
\fIAlgorithm naming\fR
.IX Subsection "Algorithm naming"
.PP
Algorithm names are case insensitive. Any particular algorithm can have multiple
aliases associated with it. The canonical OpenSSL naming scheme follows this
format:
.PP
ALGNAME[\s-1VERSION\s0?][\-SUBNAME[\s-1VERSION\s0?]?][\-SIZE?][\-MODE?]
.PP
\&\s-1VERSION\s0 is only present if there are multiple versions of an algorithm (e.g.
\&\s-1MD2\s0, \s-1MD4\s0, \s-1MD5\s0).  It may be omitted if there is only one version.
.PP
\&\s-1SUBNAME\s0 may be present where multiple algorithms are combined together,
e.g. \s-1MD5\-SHA1\s0.
.PP
\&\s-1SIZE\s0 is only present if multiple versions of an algorithm exist with different
sizes (e.g. \s-1AES\-128\-CBC\s0, \s-1AES\-256\-CBC\s0)
.PP
\&\s-1MODE\s0 is only present where applicable.
.PP
Other aliases may exist for example where standards bodies or common practice
use alternative names or names that OpenSSL has used historically.
.SH "OPENSSL PROVIDERS"
.IX Header "OPENSSL PROVIDERS"
OpenSSL comes with a set of providers.
.PP
The algorithms available in each of these providers may vary due to build time
configuration options. The \fIopenssl\-list\fR\|(1) command can be used to list the
currently available algorithms.
.PP
The names of the algorithms shown from \fIopenssl\-list\fR\|(1) can be used as an
algorithm identifier to the appropriate fetching function.
.SS "Default provider"
.IX Subsection "Default provider"
The default provider is built in as part of the \fIlibcrypto\fR library.
Should it be needed (if other providers are loaded and offer
implementations of the same algorithms), the property \*(L"provider=default\*(R"
can be used as a search criterion for these implementations. Some
non-cryptographic algorithms (such as serializers for loading keys and
parameters from files) are not \s-1FIPS\s0 algorithm implementations in themselves but
support algorithms from the \s-1FIPS\s0 provider and are allowed for use in \*(L"\s-1FIPS\s0
mode\*(R". The property \*(L"fips=yes\*(R" can be used to select such algorithms.
.SS "\s-1FIPS\s0 provider"
.IX Subsection "FIPS provider"
The \s-1FIPS\s0 provider is a dynamically loadable module, and must therefore
be loaded explicitly, either in code or through OpenSSL configuration
(see \fIconfig\fR\|(5)).
Should it be needed (if other providers are loaded and offer
implementations of the same algorithms), the property \*(L"provider=fips\*(R" can
be used as a search criterion for these implementations. All algorithm
implementations in the \s-1FIPS\s0 provider can also be selected with the property
\&\*(L"fips=yes\*(R".
.SS "Legacy provider"
.IX Subsection "Legacy provider"
The legacy provider is a dynamically loadable module, and must therefore
be loaded explicitly, either in code or through OpenSSL configuration
(see \fIconfig\fR\|(5)).
Should it be needed (if other providers are loaded and offer
implementations of the same algorithms), the property \*(L"provider=legacy\*(R" can be
used as a search criterion for these implementations.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
.SS "Fetching"
.IX Subsection "Fetching"
Fetch any available implementation of \s-1SHA2\-256\s0 in the default context:
.PP
.Vb 3
\& EVP_MD *md = EVP_MD_fetch(NULL, "SHA2\-256", NULL);
\& ...
\& EVP_MD_meth_free(md);
.Ve
.PP
Fetch any available implementation of \s-1AES\-128\-CBC\s0 in the default context:
.PP
.Vb 3
\& EVP_CIPHER *cipher = EVP_CIPHER_fetch(NULL, "AES\-128\-CBC", NULL);
\& ...
\& EVP_CIPHER_meth_free(cipher);
.Ve
.PP
Fetch an implementation of \s-1SHA2\-256\s0 from the default provider in the default
context:
.PP
.Vb 3
\& EVP_MD *md = EVP_MD_fetch(NULL, "SHA2\-256", "provider=default");
\& ...
\& EVP_MD_meth_free(md);
.Ve
.PP
Fetch an implementation of \s-1SHA2\-256\s0 that is not from the default provider in the
default context:
.PP
.Vb 3
\& EVP_MD *md = EVP_MD_fetch(NULL, "SHA2\-256", "provider!=default");
\& ...
\& EVP_MD_meth_free(md);
.Ve
.PP
Fetch an implementation of \s-1SHA2\-256\s0 from the default provider in the specified
context:
.PP
.Vb 3
\& EVP_MD *md = EVP_MD_fetch(ctx, "SHA2\-256", "provider=default");
\& ...
\& EVP_MD_meth_free(md);
.Ve
.PP
Load the legacy provider into the default context and then fetch an
implementation of \s-1WHIRLPOOL\s0 from it:
.PP
.Vb 2
\& /* This only needs to be done once \- usually at application start up */
\& OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy");
\&
\& EVP_MD *md = EVP_MD_fetch(NULL, "WHIRLPOOL", "provider=legacy");
\& ...
\& EVP_MD_meth_free(md);
.Ve
.PP
Note that in the above example the property string \*(L"provider=legacy\*(R" is optional
since, assuming no other providers have been loaded, the only implementation of
the \*(L"whirlpool\*(R" algorithm is in the \*(L"legacy\*(R" provider. Also note that the
default provider should be explicitly loaded if it is required in addition to
other providers:
.PP
.Vb 3
\& /* This only needs to be done once \- usually at application start up */
\& OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy");
\& OSSL_PROVIDER *default = OSSL_PROVIDER_load(NULL, "default");
\&
\& EVP_MD *md_whirlpool = EVP_MD_fetch(NULL, "whirlpool", NULL);
\& EVP_MD *md_sha256 = EVP_MD_fetch(NULL, "SHA2\-256", NULL);
\& ...
\& EVP_MD_meth_free(md_whirlpool);
\& EVP_MD_meth_free(md_sha256);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIEVP_DigestInit_ex\fR\|(3), \fIEVP_EncryptInit_ex\fR\|(3),
\&\s-1\fIOPENSSL_CTX\s0\fR\|(3),
\&\fIEVP_set_default_properties\fR\|(3),
\&\fIEVP_MD_fetch\fR\|(3),
\&\fIEVP_CIPHER_fetch\fR\|(3),
\&\fIEVP_KEYMGMT_fetch\fR\|(3),
\&\fIopenssl\-core.h\fR\|(7),
\&\fIprovider\-base\fR\|(7),
\&\fIprovider\-digest\fR\|(7),
\&\fIprovider\-cipher\fR\|(7),
\&\fIprovider\-keyexch\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The concept of providers and everything surrounding them was
introduced in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.