History log of /openssl/include/internal/provider.h (Results 26 – 47 of 47)
# 04cb5ec0 09-Aug-2020 Shane Lontis

Add 'on demand self test' and status test to providers

The default and legacy providers currently return 1 for status and self test checks.
Added test to show the 3 different stages the self test can be run (for installation, loading and on demand).

For the fips provider:
- If the on demand self test fails, then any subsequent fetches should also fail. To implement this the
cached algorithms are flushed on failure.
- getting the self test callback in the fips provider is a bit complicated since the callback hangs off the core
libctx (as it is set by the application) not the actual fips library context. Also the callback can be set at
any time not just during the OSSL_provider_init() so it is calculated each time before doing any self test.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11752)


Revision tags: openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4
# 23c48d94 20-Jun-2020 Dr. Matthias St. Pierre

Rename <openssl/core_numbers.h> -> <openssl/core_dispatch.h>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12222)


Revision tags: openssl-3.0.0-alpha3
# 82ec09ec 18-May-2020 Matt Caswell

Add the OSSL_PROVIDER_get_capabilities() API function

Provide a function to applications to query the capabilities that a
provider can perform.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)


Revision tags: openssl-3.0.0-alpha2
# d01d3752 08-May-2020 Matt Caswell

Implement OSSL_PROVIDER_get0_provider_ctx()

Implement a function which enables us to get hold of the provider ctx
for a loaded provider.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11834)


# 5a29b628 15-May-2020 Richard Levitte

CORE: query for operations only once per provider (unless no_store is true)

When a desired algorithm wasn't available, we didn't register anywhere
that an attempt had been made, with the result that next time the same
attempt was made, the whole process would be done again.

To avoid this churn, we register a bit for each operation that has
been queried in the libcrypto provider object, and test it before
trying the same query and method construction loop again.

Of course, if the provider has told us not to cache, we don't register
this bit.

Fixes #11814

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11842)


Revision tags: openssl-3.0.0-alpha1
# 33388b44 23-Apr-2020 Matt Caswell

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)


Revision tags: OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e
# 36fc5fc6 15-Jan-2020 Shane Lontis

Add FIPS Self test kats for digests

Added an API to optionally set a self test callback.
The callback has the following 2 purposes
(1) Output information about the KAT tests.
(2) Allow the ability to corrupt one of the KATs
The fipsinstall program uses the API.

Some KATS are not included in this PR since the required functionality did not yet exist in the provider.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10374)


Revision tags: OpenSSL_1_0_2u, OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d, OpenSSL_1_1_1c, OpenSSL_1_1_0k, OpenSSL_1_0_2s
# e74bd290 07-May-2019 Richard Levitte

Prepare EVP_MAC infrastructure for moving all MACs to providers

Quite a few adaptations are needed, most prominently the added code
to allow provider based MACs.

As part of this, all the old information functions are gone, except
for EVP_MAC_name(). Some of them will reappear later, for example
EVP_MAC_do_all() in some form.

MACs by EVP_PKEY was particularly difficult to deal with, as they
need to allocate and deallocate EVP_MAC_CTXs "under the hood", and
thereby implicitly fetch the corresponding EVP_MAC. This means that
EVP_MACs can't be constant in a EVP_MAC_CTX, as their reference count
may need to be incremented and decremented as part of the allocation
or deallocation of the EVP_MAC_CTX. It may be that other provider
based EVP operation types may need to be handled in a similar manner.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8877)


# dca97d00 14-Aug-2019 Richard Levitte

Rename provider and core get_param_types functions

It was argued that names like SOMETHING_set_param_types were confusing,
and a rename has been proposed to SOMETHING_settable_params, and by
consequence, SOMETHING_get_param_types is renamed
SOMETHING_gettable_params.

This change implements this change for the dispatched provider and
core functions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9591)


# 29dc6e00 30-Jul-2019 Matt Caswell

Load the config file by default

Previously we only loaded the config file by default for libssl. Now we do
it for libcrypto too.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9492)


# 36f5ec55 17-Jul-2019 Richard Levitte

Add functions to see if a provider is available for use.

Public function OSSL_PROVIDER_available() takes a library context and
a provider name, and returns 1 if it's available for use, i.e. if it's
possible to fetch implementations from it, otherwise 0.

Internal function ossl_provider_activated() returns 1 if the given
OSSL_PROVIDER is activated, otherwise 0.

To make this possible, the activation of fallbacks got refactored out
to a separate function, which ended up simplifying the code.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9398)


# 26175013 11-Jul-2019 Richard Levitte

Replace OSSL_ITEM with OSSL_PARAM as parameter descriptor, everywhere

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9346)


# 7c95390e 02-Jul-2019 Richard Levitte

ossl_provider_upref to ossl_provider_up_ref

Common pattern is that the routines to increment the reference count
are called something_up_ref, not something_upref. Adapt
ossl_provider_upref() accordingly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9293)


# 4e7991b4 24-Jun-2019 Pauli

Change OSSL_PARAM return size to not be a pointer.

Instead of referencing the return size from the OSSL_PARAM structure, make the
size a field within the structure.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9135)


# 24626a47 31-May-2019 Richard Levitte

Constify OSSL_PROVIDER getter input parameters

Some OSSL_PROVIDER getters took a non-const OSSL_PROVIDER parameter.
There's no reason to do so.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9054)


# a39eb840 30-Apr-2019 Richard Levitte

Replumbing: give the possibility for the provider to create a context

OSSL_provider_init() gets another output parameter, holding a pointer
to a provider side context. It's entirely up to the provider to
define the context and what it's being used for. This pointer is
passed back to other provider functions, typically the provider global
get_params and set_params functions, and also the diverse algorithm
context creators, and of course, the teardown function.

With this, a provider can be instantiated more than once, or be
re-loaded as the case may be, while maintaining instance state.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8848)


# abbc2c40 20-Mar-2019 Richard Levitte

Replumbing: add a configuration module for providers

This configuration module supports a configuration structure pretty
much like the engine configuration module, i.e. something like this:

    openssl_conf = openssl_init

    [openssl_init]
    providers = provider_section

    [provider_section]
    # Configure the provider named "foo"
    foo = foo_section
    # Configure the provider named "bar"
    bar = bar_section

    [foo_section]
    # Override name given in the provider section
    identity = myfoo
    # The exact path of the module. This is platform specific
    module_path = /opt/openssl/modules/foo.so
    # Whether it should be automatically activated. Value is unimportant
    activate = whatever

    # Anything else goes as well, and becomes parameters that the
    # provider can get
    what = 1
    # sub-sections will be followed as well
    ever = ever_section

    [ever_section]
    cookie = monster

All the configurations in a provider section and its sub-sections
become parameters for the provider to get, i.e. the "foo" provider
will be able to get values for the following keys (with associated
values shown):

    identity    => myfoo
    module_path => /opt/openssl/modules/foo.so
    activate    => whatever
    what        => 1
    ever.cookie => monster

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8549)


# ac1055ef 21-Mar-2019 Richard Levitte

Replumbing: add functionality to set provider parameters

Provider parameters are parameters set by the core that the provider
can retrieve. The primary use is to support making OpenSSL
configuration data available to the provider.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8549)


# e55008a9 14-Mar-2019 Richard Levitte

Replumbing: add fallback provider capability

To ensure that old applications aren't left without any provider, and
at the same time not forcing any default provider on applications that
know how to deal with them, we devise the concept of fallback
providers, which are automatically activated if no other provider is
already activated.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8480)


Revision tags: OpenSSL_1_0_2r, OpenSSL_1_1_1b
# 099bd339 25-Feb-2019 Richard Levitte

Replumbing: Add support for the provider query_operation function

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8340)


# 85e2417c 25-Feb-2019 Richard Levitte

Replumbing: Add an OSSL_PROVIDER iterator with callback

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8340)


# 4c2883a9 20-Jan-2019 Richard Levitte

Replumbing: Add the Provider Object, type OSSL_PROVIDER

The OSSL_PROVIDER is the core object involved in loading a provider
module, initializing a provider and doing the initial communication of
provider wide and core wide dispatch tables.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8287)
