1=pod 2 3=head1 NAME 4 5provider - OpenSSL operation implementation providers 6 7=head1 SYNOPSIS 8 9=for openssl generic 10 11#include <openssl/provider.h> 12 13=head1 DESCRIPTION 14 15=head2 General 16 17This page contains information useful to provider authors. 18 19A I<provider>, in OpenSSL terms, is a unit of code that provides one 20or more implementations for various operations for diverse algorithms 21that one might want to perform. 22 23An I<operation> is something one wants to do, such as encryption and 24decryption, key derivation, MAC calculation, signing and verification, 25etc. 26 27An I<algorithm> is a named method to perform an operation. 28Very often, the algorithms revolve around cryptographic operations, 29but may also revolve around other types of operation, such as managing 30certain types of objects. 31 32See L<crypto(7)> for further details. 33 34=head2 Provider 35 36A I<provider> offers an initialization function, as a set of base 37functions in the form of an L<OSSL_DISPATCH(3)> array, and by extension, 38a set of L<OSSL_ALGORITHM(3)>s (see L<openssl-core.h(7)>). 39It may be a dynamically loadable module, or may be built-in, in 40OpenSSL libraries or in the application. 41If it's a dynamically loadable module, the initialization function 42must be named C<OSSL_provider_init> and must be exported. 43If it's built-in, the initialization function may have any name. 44 45The initialization function must have the following signature: 46 47 int NAME(const OSSL_CORE_HANDLE *handle, 48 const OSSL_DISPATCH *in, const OSSL_DISPATCH **out, 49 void **provctx); 50 51I<handle> is the OpenSSL library object for the provider, and works 52as a handle for everything the OpenSSL libraries need to know about 53the provider. 54For the provider itself, it is passed to some of the functions given in the 55dispatch array I<in>. 56 57I<in> is a dispatch array of base functions offered by the OpenSSL 58libraries, and the available functions are further described in 59L<provider-base(7)>. 60 61I<*out> must be assigned a dispatch array of base functions that the 62provider offers to the OpenSSL libraries. 63The functions that may be offered are further described in 64L<provider-base(7)>, and they are the central means of communication 65between the OpenSSL libraries and the provider. 66 67I<*provctx> should be assigned a provider specific context to allow 68the provider multiple simultaneous uses. 69This pointer will be passed to various operation functions offered by 70the provider. 71 72Note that the provider will not be made available for applications to use until 73the initialization function has completed and returned successfully. 74 75One of the functions the provider offers to the OpenSSL libraries is 76the central mechanism for the OpenSSL libraries to get access to 77operation implementations for diverse algorithms. 78Its referred to with the number B<OSSL_FUNC_PROVIDER_QUERY_OPERATION> 79and has the following signature: 80 81 const OSSL_ALGORITHM *provider_query_operation(void *provctx, 82 int operation_id, 83 const int *no_store); 84 85I<provctx> is the provider specific context that was passed back by 86the initialization function. 87 88I<operation_id> is an operation identity (see L</Operations> below). 89 90I<no_store> is a flag back to the OpenSSL libraries which, when 91nonzero, signifies that the OpenSSL libraries will not store a 92reference to the returned data in their internal store of 93implementations. 94 95The returned L<OSSL_ALGORITHM(3)> is the foundation of any OpenSSL 96library API that uses providers for their implementation, most 97commonly in the I<fetching> type of functions 98(see L<crypto(7)/ALGORITHM FETCHING>). 99 100=head2 Operations 101 102Operations are referred to with numbers, via macros with names 103starting with C<OSSL_OP_>. 104 105With each operation comes a set of defined function types that a 106provider may or may not offer, depending on its needs. 107 108Currently available operations are: 109 110=over 4 111 112=item Digests 113 114In the OpenSSL libraries, the corresponding method object is 115B<EVP_MD>. 116The number for this operation is B<OSSL_OP_DIGEST>. 117The functions the provider can offer are described in 118L<provider-digest(7)>. 119 120=item Symmetric ciphers 121 122In the OpenSSL libraries, the corresponding method object is 123B<EVP_CIPHER>. 124The number for this operation is B<OSSL_OP_CIPHER>. 125The functions the provider can offer are described in 126L<provider-cipher(7)>. 127 128=item Message Authentication Code (MAC) 129 130In the OpenSSL libraries, the corresponding method object is 131B<EVP_MAC>. 132The number for this operation is B<OSSL_OP_MAC>. 133The functions the provider can offer are described in 134L<provider-mac(7)>. 135 136=item Key Derivation Function (KDF) 137 138In the OpenSSL libraries, the corresponding method object is 139B<EVP_KDF>. 140The number for this operation is B<OSSL_OP_KDF>. 141The functions the provider can offer are described in 142L<provider-kdf(7)>. 143 144=item Key Exchange 145 146In the OpenSSL libraries, the corresponding method object is 147B<EVP_KEYEXCH>. 148The number for this operation is B<OSSL_OP_KEYEXCH>. 149The functions the provider can offer are described in 150L<provider-keyexch(7)>. 151 152=item Asymmetric Ciphers 153 154In the OpenSSL libraries, the corresponding method object is 155B<EVP_ASYM_CIPHER>. 156The number for this operation is B<OSSL_OP_ASYM_CIPHER>. 157The functions the provider can offer are described in 158L<provider-asym_cipher(7)>. 159 160=item Asymmetric Key Encapsulation 161 162In the OpenSSL libraries, the corresponding method object is B<EVP_KEM>. 163The number for this operation is B<OSSL_OP_KEM>. 164The functions the provider can offer are described in L<provider-kem(7)>. 165 166=item Encoding 167 168In the OpenSSL libraries, the corresponding method object is 169B<OSSL_ENCODER>. 170The number for this operation is B<OSSL_OP_ENCODER>. 171The functions the provider can offer are described in 172L<provider-encoder(7)>. 173 174=item Decoding 175 176In the OpenSSL libraries, the corresponding method object is 177B<OSSL_DECODER>. 178The number for this operation is B<OSSL_OP_DECODER>. 179The functions the provider can offer are described in 180L<provider-decoder(7)>. 181 182=item Random Number Generation 183 184The number for this operation is B<OSSL_OP_RAND>. 185The functions the provider can offer for random number generation are described 186in L<provider-rand(7)>. 187 188=item Key Management 189 190The number for this operation is B<OSSL_OP_KEYMGMT>. 191The functions the provider can offer for key management are described in 192L<provider-keymgmt(7)>. 193 194=item Signing and Signature Verification 195 196The number for this operation is B<OSSL_OP_SIGNATURE>. 197The functions the provider can offer for digital signatures are described in 198L<provider-signature(7)>. 199 200=item Store Management 201 202The number for this operation is B<OSSL_OP_STORE>. 203The functions the provider can offer for store management are described in 204L<provider-storemgmt(7)>. 205 206=back 207 208=head3 Algorithm naming 209 210Algorithm names are case insensitive. Any particular algorithm can have multiple 211aliases associated with it. The canonical OpenSSL naming scheme follows this 212format: 213 214ALGNAME[VERSION?][-SUBNAME[VERSION?]?][-SIZE?][-MODE?] 215 216VERSION is only present if there are multiple versions of an algorithm (e.g. 217MD2, MD4, MD5). It may be omitted if there is only one version. 218 219SUBNAME may be present where multiple algorithms are combined together, 220e.g. MD5-SHA1. 221 222SIZE is only present if multiple versions of an algorithm exist with different 223sizes (e.g. AES-128-CBC, AES-256-CBC) 224 225MODE is only present where applicable. 226 227Other aliases may exist for example where standards bodies or common practice 228use alternative names or names that OpenSSL has used historically. 229 230=head3 Provider dependencies 231 232Providers may depend for their proper operation on the availability of 233(functionality implemented in) other providers. As there is no mechanism to 234express such dependencies towards the OpenSSL core, provider authors must 235take care that such dependencies are either completely avoided or made visible 236to users, e.g., by documentation and/or defensive programming, e.g., 237outputting error messages if required external dependencies are not available, 238e.g., when no provider implementing the required functionality has been 239activated. In particular, provider initialization should not depend on other 240providers already having been initialized. 241 242=head3 Note on naming clashes 243 244It is possible to register the same algorithm name from within different 245providers. Users should note that if no property query is specified, or 246more than one implementation matches the property query then it is 247unspecified which implementation of a particular algorithm will be returned. 248Such naming clashes may also occur if algorithms only differ in 249capitalization as L</Algorithm naming> is case insensitive. 250 251=head1 OPENSSL PROVIDERS 252 253OpenSSL provides a number of its own providers. These are the default, base, 254fips, legacy and null providers. See L<crypto(7)> for an overview of these 255providers. 256 257=head1 SEE ALSO 258 259L<EVP_DigestInit_ex(3)>, L<EVP_EncryptInit_ex(3)>, 260L<OSSL_LIB_CTX(3)>, 261L<EVP_set_default_properties(3)>, 262L<EVP_MD_fetch(3)>, 263L<EVP_CIPHER_fetch(3)>, 264L<EVP_KEYMGMT_fetch(3)>, 265L<openssl-core.h(7)>, 266L<provider-base(7)>, 267L<provider-digest(7)>, 268L<provider-cipher(7)>, 269L<provider-keyexch(7)> 270 271=head1 HISTORY 272 273The concept of providers and everything surrounding them was 274introduced in OpenSSL 3.0. 275 276=head1 COPYRIGHT 277 278Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. 279 280Licensed under the Apache License 2.0 (the "License"). You may not use 281this file except in compliance with the License. You can obtain a copy 282in the file LICENSE in the source distribution or at 283L<https://www.openssl.org/source/license.html>. 284 285=cut 286
