xref: /netbsd-src/crypto/external/bsd/openssl/dist/doc/man7/provider.pod (revision b0d1725196a7921d003d2c66a14f186abda4176b) 
1*b0d17251Schristos=pod
2*b0d17251Schristos
3*b0d17251Schristos=head1 NAME
4*b0d17251Schristos
5*b0d17251Schristosprovider - OpenSSL operation implementation providers
6*b0d17251Schristos
7*b0d17251Schristos=head1 SYNOPSIS
8*b0d17251Schristos
9*b0d17251Schristos=for openssl generic
10*b0d17251Schristos
11*b0d17251Schristos#include <openssl/provider.h>
12*b0d17251Schristos
13*b0d17251Schristos=head1 DESCRIPTION
14*b0d17251Schristos
15*b0d17251Schristos=head2 General
16*b0d17251Schristos
17*b0d17251SchristosThis page contains information useful to provider authors.
18*b0d17251Schristos
19*b0d17251SchristosA I<provider>, in OpenSSL terms, is a unit of code that provides one
20*b0d17251Schristosor more implementations for various operations for diverse algorithms
21*b0d17251Schristosthat one might want to perform.
22*b0d17251Schristos
23*b0d17251SchristosAn I<operation> is something one wants to do, such as encryption and
24*b0d17251Schristosdecryption, key derivation, MAC calculation, signing and verification,
25*b0d17251Schristosetc.
26*b0d17251Schristos
27*b0d17251SchristosAn I<algorithm> is a named method to perform an operation.
28*b0d17251SchristosVery often, the algorithms revolve around cryptographic operations,
29*b0d17251Schristosbut may also revolve around other types of operation, such as managing
30*b0d17251Schristoscertain types of objects.
31*b0d17251Schristos
32*b0d17251SchristosSee L<crypto(7)> for further details.
33*b0d17251Schristos
34*b0d17251Schristos=head2 Provider
35*b0d17251Schristos
36*b0d17251SchristosA I<provider> offers an initialization function, as a set of base
37*b0d17251Schristosfunctions in the form of an L<OSSL_DISPATCH(3)> array, and by extension,
38*b0d17251Schristosa set of L<OSSL_ALGORITHM(3)>s (see L<openssl-core.h(7)>).
39*b0d17251SchristosIt may be a dynamically loadable module, or may be built-in, in
40*b0d17251SchristosOpenSSL libraries or in the application.
41*b0d17251SchristosIf it's a dynamically loadable module, the initialization function
42*b0d17251Schristosmust be named C<OSSL_provider_init> and must be exported.
43*b0d17251SchristosIf it's built-in, the initialization function may have any name.
44*b0d17251Schristos
45*b0d17251SchristosThe initialization function must have the following signature:
46*b0d17251Schristos
47*b0d17251Schristos int NAME(const OSSL_CORE_HANDLE *handle,
48*b0d17251Schristos          const OSSL_DISPATCH *in, const OSSL_DISPATCH **out,
49*b0d17251Schristos          void **provctx);
50*b0d17251Schristos
51*b0d17251SchristosI<handle> is the OpenSSL library object for the provider, and works
52*b0d17251Schristosas a handle for everything the OpenSSL libraries need to know about
53*b0d17251Schristosthe provider.
54*b0d17251SchristosFor the provider itself, it is passed to some of the functions given in the
55*b0d17251Schristosdispatch array I<in>.
56*b0d17251Schristos
57*b0d17251SchristosI<in> is a dispatch array of base functions offered by the OpenSSL
58*b0d17251Schristoslibraries, and the available functions are further described in
59*b0d17251SchristosL<provider-base(7)>.
60*b0d17251Schristos
61*b0d17251SchristosI<*out> must be assigned a dispatch array of base functions that the
62*b0d17251Schristosprovider offers to the OpenSSL libraries.
63*b0d17251SchristosThe functions that may be offered are further described in
64*b0d17251SchristosL<provider-base(7)>, and they are the central means of communication
65*b0d17251Schristosbetween the OpenSSL libraries and the provider.
66*b0d17251Schristos
67*b0d17251SchristosI<*provctx> should be assigned a provider specific context to allow
68*b0d17251Schristosthe provider multiple simultaneous uses.
69*b0d17251SchristosThis pointer will be passed to various operation functions offered by
70*b0d17251Schristosthe provider.
71*b0d17251Schristos
72*b0d17251SchristosNote that the provider will not be made available for applications to use until
73*b0d17251Schristosthe initialization function has completed and returned successfully.
74*b0d17251Schristos
75*b0d17251SchristosOne of the functions the provider offers to the OpenSSL libraries is
76*b0d17251Schristosthe central mechanism for the OpenSSL libraries to get access to
77*b0d17251Schristosoperation implementations for diverse algorithms.
78*b0d17251SchristosIts referred to with the number B<OSSL_FUNC_PROVIDER_QUERY_OPERATION>
79*b0d17251Schristosand has the following signature:
80*b0d17251Schristos
81*b0d17251Schristos const OSSL_ALGORITHM *provider_query_operation(void *provctx,
82*b0d17251Schristos                                                int operation_id,
83*b0d17251Schristos                                                const int *no_store);
84*b0d17251Schristos
85*b0d17251SchristosI<provctx> is the provider specific context that was passed back by
86*b0d17251Schristosthe initialization function.
87*b0d17251Schristos
88*b0d17251SchristosI<operation_id> is an operation identity (see L</Operations> below).
89*b0d17251Schristos
90*b0d17251SchristosI<no_store> is a flag back to the OpenSSL libraries which, when
91*b0d17251Schristosnonzero, signifies that the OpenSSL libraries will not store a
92*b0d17251Schristosreference to the returned data in their internal store of
93*b0d17251Schristosimplementations.
94*b0d17251Schristos
95*b0d17251SchristosThe returned L<OSSL_ALGORITHM(3)> is the foundation of any OpenSSL
96*b0d17251Schristoslibrary API that uses providers for their implementation, most
97*b0d17251Schristoscommonly in the I<fetching> type of functions
98*b0d17251Schristos(see L<crypto(7)/ALGORITHM FETCHING>).
99*b0d17251Schristos
100*b0d17251Schristos=head2 Operations
101*b0d17251Schristos
102*b0d17251SchristosOperations are referred to with numbers, via macros with names
103*b0d17251Schristosstarting with C<OSSL_OP_>.
104*b0d17251Schristos
105*b0d17251SchristosWith each operation comes a set of defined function types that a
106*b0d17251Schristosprovider may or may not offer, depending on its needs.
107*b0d17251Schristos
108*b0d17251SchristosCurrently available operations are:
109*b0d17251Schristos
110*b0d17251Schristos=over 4
111*b0d17251Schristos
112*b0d17251Schristos=item Digests
113*b0d17251Schristos
114*b0d17251SchristosIn the OpenSSL libraries, the corresponding method object is
115*b0d17251SchristosB<EVP_MD>.
116*b0d17251SchristosThe number for this operation is B<OSSL_OP_DIGEST>.
117*b0d17251SchristosThe functions the provider can offer are described in
118*b0d17251SchristosL<provider-digest(7)>.
119*b0d17251Schristos
120*b0d17251Schristos=item Symmetric ciphers
121*b0d17251Schristos
122*b0d17251SchristosIn the OpenSSL libraries, the corresponding method object is
123*b0d17251SchristosB<EVP_CIPHER>.
124*b0d17251SchristosThe number for this operation is B<OSSL_OP_CIPHER>.
125*b0d17251SchristosThe functions the provider can offer are described in
126*b0d17251SchristosL<provider-cipher(7)>.
127*b0d17251Schristos
128*b0d17251Schristos=item Message Authentication Code (MAC)
129*b0d17251Schristos
130*b0d17251SchristosIn the OpenSSL libraries, the corresponding method object is
131*b0d17251SchristosB<EVP_MAC>.
132*b0d17251SchristosThe number for this operation is B<OSSL_OP_MAC>.
133*b0d17251SchristosThe functions the provider can offer are described in
134*b0d17251SchristosL<provider-mac(7)>.
135*b0d17251Schristos
136*b0d17251Schristos=item Key Derivation Function (KDF)
137*b0d17251Schristos
138*b0d17251SchristosIn the OpenSSL libraries, the corresponding method object is
139*b0d17251SchristosB<EVP_KDF>.
140*b0d17251SchristosThe number for this operation is B<OSSL_OP_KDF>.
141*b0d17251SchristosThe functions the provider can offer are described in
142*b0d17251SchristosL<provider-kdf(7)>.
143*b0d17251Schristos
144*b0d17251Schristos=item Key Exchange
145*b0d17251Schristos
146*b0d17251SchristosIn the OpenSSL libraries, the corresponding method object is
147*b0d17251SchristosB<EVP_KEYEXCH>.
148*b0d17251SchristosThe number for this operation is B<OSSL_OP_KEYEXCH>.
149*b0d17251SchristosThe functions the provider can offer are described in
150*b0d17251SchristosL<provider-keyexch(7)>.
151*b0d17251Schristos
152*b0d17251Schristos=item Asymmetric Ciphers
153*b0d17251Schristos
154*b0d17251SchristosIn the OpenSSL libraries, the corresponding method object is
155*b0d17251SchristosB<EVP_ASYM_CIPHER>.
156*b0d17251SchristosThe number for this operation is B<OSSL_OP_ASYM_CIPHER>.
157*b0d17251SchristosThe functions the provider can offer are described in
158*b0d17251SchristosL<provider-asym_cipher(7)>.
159*b0d17251Schristos
160*b0d17251Schristos=item Asymmetric Key Encapsulation
161*b0d17251Schristos
162*b0d17251SchristosIn the OpenSSL libraries, the corresponding method object is B<EVP_KEM>.
163*b0d17251SchristosThe number for this operation is B<OSSL_OP_KEM>.
164*b0d17251SchristosThe functions the provider can offer are described in L<provider-kem(7)>.
165*b0d17251Schristos
166*b0d17251Schristos=item Encoding
167*b0d17251Schristos
168*b0d17251SchristosIn the OpenSSL libraries, the corresponding method object is
169*b0d17251SchristosB<OSSL_ENCODER>.
170*b0d17251SchristosThe number for this operation is B<OSSL_OP_ENCODER>.
171*b0d17251SchristosThe functions the provider can offer are described in
172*b0d17251SchristosL<provider-encoder(7)>.
173*b0d17251Schristos
174*b0d17251Schristos=item Decoding
175*b0d17251Schristos
176*b0d17251SchristosIn the OpenSSL libraries, the corresponding method object is
177*b0d17251SchristosB<OSSL_DECODER>.
178*b0d17251SchristosThe number for this operation is B<OSSL_OP_DECODER>.
179*b0d17251SchristosThe functions the provider can offer are described in
180*b0d17251SchristosL<provider-decoder(7)>.
181*b0d17251Schristos
182*b0d17251Schristos=item Random Number Generation
183*b0d17251Schristos
184*b0d17251SchristosThe number for this operation is B<OSSL_OP_RAND>.
185*b0d17251SchristosThe functions the provider can offer for random number generation are described
186*b0d17251Schristosin L<provider-rand(7)>.
187*b0d17251Schristos
188*b0d17251Schristos=item Key Management
189*b0d17251Schristos
190*b0d17251SchristosThe number for this operation is B<OSSL_OP_KEYMGMT>.
191*b0d17251SchristosThe functions the provider can offer for key management are described in
192*b0d17251SchristosL<provider-keymgmt(7)>.
193*b0d17251Schristos
194*b0d17251Schristos=item Signing and Signature Verification
195*b0d17251Schristos
196*b0d17251SchristosThe number for this operation is B<OSSL_OP_SIGNATURE>.
197*b0d17251SchristosThe functions the provider can offer for digital signatures are described in
198*b0d17251SchristosL<provider-signature(7)>.
199*b0d17251Schristos
200*b0d17251Schristos=item Store Management
201*b0d17251Schristos
202*b0d17251SchristosThe number for this operation is B<OSSL_OP_STORE>.
203*b0d17251SchristosThe functions the provider can offer for store management are described in
204*b0d17251SchristosL<provider-storemgmt(7)>.
205*b0d17251Schristos
206*b0d17251Schristos=back
207*b0d17251Schristos
208*b0d17251Schristos=head3 Algorithm naming
209*b0d17251Schristos
210*b0d17251SchristosAlgorithm names are case insensitive. Any particular algorithm can have multiple
211*b0d17251Schristosaliases associated with it. The canonical OpenSSL naming scheme follows this
212*b0d17251Schristosformat:
213*b0d17251Schristos
214*b0d17251SchristosALGNAME[VERSION?][-SUBNAME[VERSION?]?][-SIZE?][-MODE?]
215*b0d17251Schristos
216*b0d17251SchristosVERSION is only present if there are multiple versions of an algorithm (e.g.
217*b0d17251SchristosMD2, MD4, MD5).  It may be omitted if there is only one version.
218*b0d17251Schristos
219*b0d17251SchristosSUBNAME may be present where multiple algorithms are combined together,
220*b0d17251Schristose.g. MD5-SHA1.
221*b0d17251Schristos
222*b0d17251SchristosSIZE is only present if multiple versions of an algorithm exist with different
223*b0d17251Schristossizes (e.g. AES-128-CBC, AES-256-CBC)
224*b0d17251Schristos
225*b0d17251SchristosMODE is only present where applicable.
226*b0d17251Schristos
227*b0d17251SchristosOther aliases may exist for example where standards bodies or common practice
228*b0d17251Schristosuse alternative names or names that OpenSSL has used historically.
229*b0d17251Schristos
230*b0d17251Schristos=head1 OPENSSL PROVIDERS
231*b0d17251Schristos
232*b0d17251SchristosOpenSSL provides a number of its own providers. These are the default, base,
233*b0d17251Schristosfips, legacy and null providers. See L<crypto(7)> for an overview of these
234*b0d17251Schristosproviders.
235*b0d17251Schristos
236*b0d17251Schristos=head1 SEE ALSO
237*b0d17251Schristos
238*b0d17251SchristosL<EVP_DigestInit_ex(3)>, L<EVP_EncryptInit_ex(3)>,
239*b0d17251SchristosL<OSSL_LIB_CTX(3)>,
240*b0d17251SchristosL<EVP_set_default_properties(3)>,
241*b0d17251SchristosL<EVP_MD_fetch(3)>,
242*b0d17251SchristosL<EVP_CIPHER_fetch(3)>,
243*b0d17251SchristosL<EVP_KEYMGMT_fetch(3)>,
244*b0d17251SchristosL<openssl-core.h(7)>,
245*b0d17251SchristosL<provider-base(7)>,
246*b0d17251SchristosL<provider-digest(7)>,
247*b0d17251SchristosL<provider-cipher(7)>,
248*b0d17251SchristosL<provider-keyexch(7)>
249*b0d17251Schristos
250*b0d17251Schristos=head1 HISTORY
251*b0d17251Schristos
252*b0d17251SchristosThe concept of providers and everything surrounding them was
253*b0d17251Schristosintroduced in OpenSSL 3.0.
254*b0d17251Schristos
255*b0d17251Schristos=head1 COPYRIGHT
256*b0d17251Schristos
257*b0d17251SchristosCopyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
258*b0d17251Schristos
259*b0d17251SchristosLicensed under the Apache License 2.0 (the "License").  You may not use
260*b0d17251Schristosthis file except in compliance with the License.  You can obtain a copy
261*b0d17251Schristosin the file LICENSE in the source distribution or at
262*b0d17251SchristosL<https://www.openssl.org/source/license.html>.
263*b0d17251Schristos
264*b0d17251Schristos=cut
265