1=pod 2 3=head1 NAME 4 5provider - OpenSSL operation implementation providers 6 7=head1 SYNOPSIS 8 9=for openssl generic 10 11#include <openssl/provider.h> 12 13=head1 DESCRIPTION 14 15=head2 General 16 17This page contains information useful to provider authors. 18 19A I<provider>, in OpenSSL terms, is a unit of code that provides one 20or more implementations for various operations for diverse algorithms 21that one might want to perform. 22 23An I<operation> is something one wants to do, such as encryption and 24decryption, key derivation, MAC calculation, signing and verification, 25etc. 26 27An I<algorithm> is a named method to perform an operation. 28Very often, the algorithms revolve around cryptographic operations, 29but may also revolve around other types of operation, such as managing 30certain types of objects. 31 32See L<crypto(7)> for further details. 33 34=head2 Provider 35 36A I<provider> offers an initialization function, as a set of base 37functions in the form of an B<OSSL_DISPATCH> array, and by extension, 38a set of B<OSSL_ALGORITHM>s (see L<openssl-core.h(7)>). 39It may be a dynamically loadable module, or may be built-in, in 40OpenSSL libraries or in the application. 41If it's a dynamically loadable module, the initialization function 42must be named C<OSSL_provider_init> and must be exported. 43If it's built-in, the initialization function may have any name. 44 45The initialization function must have the following signature: 46 47 int NAME(const OSSL_CORE_HANDLE *handle, 48 const OSSL_DISPATCH *in, const OSSL_DISPATCH **out, 49 void **provctx); 50 51I<handle> is the OpenSSL library object for the provider, and works 52as a handle for everything the OpenSSL libraries need to know about 53the provider. 54For the provider itself, it is passed to some of the functions given in the 55dispatch array I<in>. 56 57I<in> is a dispatch array of base functions offered by the OpenSSL 58libraries, and the available functions are further described in 59L<provider-base(7)>. 60 61I<*out> must be assigned a dispatch array of base functions that the 62provider offers to the OpenSSL libraries. 63The functions that may be offered are further described in 64L<provider-base(7)>, and they are the central means of communication 65between the OpenSSL libraries and the provider. 66 67I<*provctx> should be assigned a provider specific context to allow 68the provider multiple simultaneous uses. 69This pointer will be passed to various operation functions offered by 70the provider. 71 72Note that the provider will not be made available for applications to use until 73the initialization function has completed and returned successfully. 74 75One of the functions the provider offers to the OpenSSL libraries is 76the central mechanism for the OpenSSL libraries to get access to 77operation implementations for diverse algorithms. 78Its referred to with the number B<OSSL_FUNC_PROVIDER_QUERY_OPERATION> 79and has the following signature: 80 81 const OSSL_ALGORITHM *provider_query_operation(void *provctx, 82 int operation_id, 83 const int *no_store); 84 85I<provctx> is the provider specific context that was passed back by 86the initialization function. 87 88I<operation_id> is an operation identity (see L</Operations> below). 89 90I<no_store> is a flag back to the OpenSSL libraries which, when 91nonzero, signifies that the OpenSSL libraries will not store a 92reference to the returned data in their internal store of 93implementations. 94 95The returned B<OSSL_ALGORITHM> is the foundation of any OpenSSL 96library API that uses providers for their implementation, most 97commonly in the I<fetching> type of functions 98(see L<crypto(7)/ALGORITHM FETCHING>). 99 100=head2 Operations 101 102Operations are referred to with numbers, via macros with names 103starting with C<OSSL_OP_>. 104 105With each operation comes a set of defined function types that a 106provider may or may not offer, depending on its needs. 107 108Currently available operations are: 109 110=over 4 111 112=item Digests 113 114In the OpenSSL libraries, the corresponding method object is 115B<EVP_MD>. 116The number for this operation is B<OSSL_OP_DIGEST>. 117The functions the provider can offer are described in 118L<provider-digest(7)> 119 120=item Symmetric ciphers 121 122In the OpenSSL libraries, the corresponding method object is 123B<EVP_CIPHER>. 124The number for this operation is B<OSSL_OP_CIPHER>. 125The functions the provider can offer are described in 126L<provider-cipher(7)> 127 128=item Message Authentication Code (MAC) 129 130In the OpenSSL libraries, the corresponding method object is 131B<EVP_MAC>. 132The number for this operation is B<OSSL_OP_MAC>. 133The functions the provider can offer are described in 134L<provider-mac(7)> 135 136=item Key Derivation Function (KDF) 137 138In the OpenSSL libraries, the corresponding method object is 139B<EVP_KDF>. 140The number for this operation is B<OSSL_OP_KDF>. 141The functions the provider can offer are described in 142L<provider-kdf(7)> 143 144=item Key Exchange 145 146In the OpenSSL libraries, the corresponding method object is 147B<EVP_KEYEXCH>. 148The number for this operation is B<OSSL_OP_KEYEXCH>. 149The functions the provider can offer are described in 150L<provider-keyexch(7)> 151 152=item Asymmetric Ciphers 153 154In the OpenSSL libraries, the corresponding method object is 155B<EVP_ASYM_CIPHER>. 156The number for this operation is B<OSSL_OP_ASYM_CIPHER>. 157The functions the provider can offer are described in 158L<provider-asym_cipher(7)> 159 160=item Asymmetric Key Encapsulation 161 162In the OpenSSL libraries, the corresponding method object is B<EVP_KEM>. 163The number for this operation is B<OSSL_OP_KEM>. 164The functions the provider can offer are described in L<provider-kem(7)> 165 166=item Encoding 167 168In the OpenSSL libraries, the corresponding method object is 169B<OSSL_ENCODER>. 170The number for this operation is B<OSSL_OP_ENCODER>. 171The functions the provider can offer are described in 172L<provider-encoder(7)> 173 174=back 175 176=head3 Algorithm naming 177 178Algorithm names are case insensitive. Any particular algorithm can have multiple 179aliases associated with it. The canonical OpenSSL naming scheme follows this 180format: 181 182ALGNAME[VERSION?][-SUBNAME[VERSION?]?][-SIZE?][-MODE?] 183 184VERSION is only present if there are multiple versions of an algorithm (e.g. 185MD2, MD4, MD5). It may be omitted if there is only one version. 186 187SUBNAME may be present where multiple algorithms are combined together, 188e.g. MD5-SHA1. 189 190SIZE is only present if multiple versions of an algorithm exist with different 191sizes (e.g. AES-128-CBC, AES-256-CBC) 192 193MODE is only present where applicable. 194 195Other aliases may exist for example where standards bodies or common practice 196use alternative names or names that OpenSSL has used historically. 197 198=head1 OPENSSL PROVIDERS 199 200OpenSSL provides a number of its own providers. These are the default, base, 201fips, legacy and null providers. See L<crypto(7)> for an overview of these 202providers. 203 204=head1 SEE ALSO 205 206L<EVP_DigestInit_ex(3)>, L<EVP_EncryptInit_ex(3)>, 207L<OSSL_LIB_CTX(3)>, 208L<EVP_set_default_properties(3)>, 209L<EVP_MD_fetch(3)>, 210L<EVP_CIPHER_fetch(3)>, 211L<EVP_KEYMGMT_fetch(3)>, 212L<openssl-core.h(7)>, 213L<provider-base(7)>, 214L<provider-digest(7)>, 215L<provider-cipher(7)>, 216L<provider-keyexch(7)> 217 218=head1 HISTORY 219 220The concept of providers and everything surrounding them was 221introduced in OpenSSL 3.0. 222 223=head1 COPYRIGHT 224 225Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. 226 227Licensed under the Apache License 2.0 (the "License"). You may not use 228this file except in compliance with the License. You can obtain a copy 229in the file LICENSE in the source distribution or at 230L<https://www.openssl.org/source/license.html>. 231 232=cut 233