author | Matt Caswell <matt@openssl.org> | 2020-02-14 22:49:26 +0000
committer | Matt Caswell <matt@openssl.org> | 2020-02-21 20:17:02 +0000
commit | 745fc918e7eeb86b2ac541325a8ae5c6e374ee56 (patch)
tree | 9c79d0d5d784ec0251bb08f51ab20a04c42e69cc /doc
parent | 980a880ee5a85b94caac3049c7d3be0b765d97d3 (diff)
download | openssl-new-745fc918e7eeb86b2ac541325a8ae5c6e374ee56.tar.gz
Introduce the provider property
Replace the properties default, fips and legacy with a single property
called "provider". So, for example, instead of writing "default=yes" to
get algorithms from the default provider you would instead write
"provider=default". We also have a new "fips" property to indicate that
an algorithm is compatible with FIPS mode. This applies to all the
algorithms in the FIPS provider, as well as any non-cryptographic
algorithms (currently only serializers).
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11097)
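The property semantics the commit message describes (one "provider=..." definition per provider, a separate "fips=yes" property, and queries such as "provider!=default" or the bare-name shortcut), modelled as a small Python matcher. This is an added illustration, not OpenSSL's code: the comma-separated clause syntax, the "?" optional-clause marker and the name-alone shortcut follow property(7), while the rule that an undefined property satisfies only "!=" clauses and the catalogue of implementations are assumptions constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

def parse_definition(defn: str) -> Dict[str, str]:
    # e.g. "provider=fips,fips=yes"; a bare name is the documented shortcut for name=yes
    props: Dict[str, str] = {}
    for clause in filter(None, (c.strip() for c in defn.split(","))):
        name, _, value = clause.partition("=")
        props[name.strip()] = value.strip() or "yes"
    return props

def parse_query(query: str) -> List[Tuple[str, str, bool, bool]]:
    # e.g. "provider!=default,?iteration.count!=3" -> (name, value, negated, optional)
    clauses = []
    for raw in filter(None, (c.strip() for c in query.split(","))):
        optional, raw = raw.startswith("?"), raw.lstrip("?").strip()
        negate = "!=" in raw
        name, _, value = raw.partition("!=" if negate else "=")
        clauses.append((name.strip(), value.strip() or "yes", negate, optional))
    return clauses

def score(props: Dict[str, str], clauses) -> Optional[int]:
    # None if any mandatory clause fails, else the number of optional clauses matched
    hits = 0
    for name, value, negate, optional in clauses:
        actual = props.get(name)
        # Assumption: a property the implementation never defines satisfies only "!=" clauses
        ok = negate if actual is None else (actual != value) == negate
        if not ok and not optional:
            return None
        hits += 1 if ok and optional else 0
    return hits

# Constructed catalogue mirroring the definitions the patch documents: (algorithm, provider, definition)
CATALOG = [
    ("SHA2-256", "default", "provider=default"),
    ("SHA2-256", "fips", "provider=fips,fips=yes"),
    ("WHIRLPOOL", "legacy", "provider=legacy"),
    ("serializer", "default", "provider=default,fips=yes"),  # FIPS-allowed but not FIPS crypto
]

def fetch(catalog, algorithm: str, query: str) -> Optional[str]:
    # Like EVP_MD_fetch(): provider of the best-matching candidate, or None if no candidate
    clauses, best = parse_query(query), None
    for name, provider, defn in catalog:
        if name != algorithm:
            continue
        s = score(parse_definition(defn), clauses)
        if s is not None and (best is None or s > best[0]):
            best = (s, provider)
    return best[1] if best else None
```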
Diffstat (limited to 'doc')
-rw-r--r-- doc/man7/EVP_MAC-BLAKE2.pod | 4
-rw-r--r-- doc/man7/EVP_MAC-CMAC.pod | 2
-rw-r--r-- doc/man7/EVP_MAC-GMAC.pod | 2
-rw-r--r-- doc/man7/EVP_MAC-HMAC.pod | 2
-rw-r--r-- doc/man7/EVP_MAC-KMAC.pod | 4
-rw-r--r-- doc/man7/EVP_MAC-Poly1305.pod | 2
-rw-r--r-- doc/man7/EVP_MAC-Siphash.pod | 2
-rw-r--r-- doc/man7/property.pod | 12
-rw-r--r-- doc/man7/provider.pod | 26
9 files changed, 31 insertions, 25 deletions
diff --git a/doc/man7/EVP_MAC-BLAKE2.pod b/doc/man7/EVP_MAC-BLAKE2.pod index 99b20bdc76..1a18ed7d10 100644 --- a/doc/man7/EVP_MAC-BLAKE2.pod +++ b/doc/man7/EVP_MAC-BLAKE2.pod @@ -16,9 +16,9 @@ properties, to be used with EVP_MAC_fetch(): =over 4 -=item "BLAKE2BMAC", "default=yes" +=item "BLAKE2BMAC", "provider=default" -=item "BLAKE2SMAC", "default=yes" +=item "BLAKE2SMAC", "provider=default" =back diff --git a/doc/man7/EVP_MAC-CMAC.pod b/doc/man7/EVP_MAC-CMAC.pod index af6face8a7..5e570ce854 100644 --- a/doc/man7/EVP_MAC-CMAC.pod +++ b/doc/man7/EVP_MAC-CMAC.pod @@ -15,7 +15,7 @@ used with EVP_MAC_fetch(): =over 4 -=item "CMAC", "default=yes" +=item "CMAC", "provider=default" or "provider=fips" =back diff --git a/doc/man7/EVP_MAC-GMAC.pod b/doc/man7/EVP_MAC-GMAC.pod index dbc5fb2570..3994868c04 100644 --- a/doc/man7/EVP_MAC-GMAC.pod +++ b/doc/man7/EVP_MAC-GMAC.pod @@ -15,7 +15,7 @@ used with EVP_MAC_fetch(): =over 4 -=item "GMAC", "default=yes" +=item "GMAC", "provider=default" or "provider=fips" =back diff --git a/doc/man7/EVP_MAC-HMAC.pod b/doc/man7/EVP_MAC-HMAC.pod index cc6c993b7b..452606dea1 100644 --- a/doc/man7/EVP_MAC-HMAC.pod +++ b/doc/man7/EVP_MAC-HMAC.pod @@ -15,7 +15,7 @@ used with EVP_MAC_fetch(): =over 4 -=item "HMAC", "default=yes" +=item "HMAC", "provider=default" or "provider=fips" =back diff --git a/doc/man7/EVP_MAC-KMAC.pod b/doc/man7/EVP_MAC-KMAC.pod index ac5dddfa41..5a70c0dd38 100644 --- a/doc/man7/EVP_MAC-KMAC.pod +++ b/doc/man7/EVP_MAC-KMAC.pod @@ -16,9 +16,9 @@ properties, to be used with EVP_MAC_fetch(): =over 4 -=item "KMAC-128", "default=yes" +=item "KMAC-128", "provider=default" or "provider=fips" -=item "KMAC-256", "default=yes" +=item "KMAC-256", "provider=default" or "provider=fips" =back diff --git a/doc/man7/EVP_MAC-Poly1305.pod b/doc/man7/EVP_MAC-Poly1305.pod index c54e30e141..fab5379b19 100644 --- a/doc/man7/EVP_MAC-Poly1305.pod +++ b/doc/man7/EVP_MAC-Poly1305.pod 
@@ -15,7 +15,7 @@ used with EVP_MAC_fetch(): =over 4 -=item "POLY1305", "default=yes" +=item "POLY1305", "provider=default" =back diff --git a/doc/man7/EVP_MAC-Siphash.pod b/doc/man7/EVP_MAC-Siphash.pod index 50d09c159b..4c41ca6ab2 100644 --- a/doc/man7/EVP_MAC-Siphash.pod +++ b/doc/man7/EVP_MAC-Siphash.pod @@ -15,7 +15,7 @@ used with EVP_MAC_fetch(): =over 4 -=item "SIPHASH", "default=yes" +=item "SIPHASH", "provider=default" =back diff --git a/doc/man7/property.pod b/doc/man7/property.pod index 5b329ee6f3..bc45afb279 100644 --- a/doc/man7/property.pod +++ b/doc/man7/property.pod @@ -52,15 +52,15 @@ The full syntax for property definitions appears below. Each implementation of an algorithm can define any number of properties. -For example, the default provider defines the property I<default=yes> +For example, the default provider defines the property I<provider=default> for all of its algorithms. -Likewise, the FIPS provider defines I<fips=yes> and the legacy provider -defines I<legacy=yes> for all of their algorithms. +Likewise, OpenSSL's FIPS provider defines I<provider=fips> and the legacy +provider defines I<provider=legacy> for all of their algorithms. =head2 Queries A I<property query clause> is a single conditional test. -For example, "fips=yes", "default!=yes" or "?iteration.count!=3". +For example, "fips=yes", "provider!=default" or "?iteration.count!=3". The first two represent mandatory clauses, such clauses B<must> match for any algorithm to even be under consideration. The third clause represents an optional clause. 
@@ -117,8 +117,8 @@ Ordering of optional clauses is not significant. =head2 Shortcut In order to permit a more concise expression of boolean properties, there -is one short cut: a property name alone (e.g. "default") is -exactly equivalent to "default=yes" in both definitions and queries. +is one short cut: a property name alone (e.g. "my.property") is +exactly equivalent to "my.property=yes" in both definitions and queries. =head2 Global and Local diff --git a/doc/man7/provider.pod b/doc/man7/provider.pod index d2fef9beee..de8e2499d9 100644 --- a/doc/man7/provider.pod +++ b/doc/man7/provider.pod @@ -260,8 +260,12 @@ algorithm identifier to the appropriate fetching function. The default provider is built in as part of the F<libcrypto> library. Should it be needed (if other providers are loaded and offer -implementations of the same algorithms), the property "default=yes" -can be used as a search criterion for these implementations. +implementations of the same algorithms), the property "provider=default" +can be used as a search criterion for these implementations. Some +non-cryptographic algorithms (such as serializers for loading keys and +parameters from files) are not FIPS algorithm implementations in themselves but +support algorithms from the FIPS provider and are allowed for use in "FIPS +mode". The property "fips=yes" can be used to select such algorithms. =head2 FIPS provider 
@@ -269,8 +273,10 @@ The FIPS provider is a dynamically loadable module, and must therefore be loaded explicitly, either in code or through OpenSSL configuration (see L<config(5)>). Should it be needed (if other providers are loaded and offer -implementations of the same algorithms), the property "fips=yes" can -be used as a search criterion for these implementations. +implementations of the same algorithms), the property "provider=fips" can +be used as a search criterion for these implementations. All algorithm +implementations in the FIPS provider can also be selected with the property +"fips=yes". =head2 Legacy provider @@ -278,7 +284,7 @@ The legacy provider is a dynamically loadable module, and must therefore be loaded explicitly, either in code or through OpenSSL configuration (see L<config(5)>). Should it be needed (if other providers are loaded and offer -implementations of the same algorithms), the property "legacy=yes" can be +implementations of the same algorithms), the property "provider=legacy" can be used as a search criterion for these implementations. =head1 EXAMPLES @@ -300,21 +306,21 @@ Fetch any available implementation of AES-128-CBC in the default context: Fetch an implementation of SHA2-256 from the default provider in the default context: - EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", "default=yes"); + EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", "provider=default"); ... EVP_MD_meth_free(md); Fetch an implementation of SHA2-256 that is not from the default provider in the default context: - EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", "default=no"); + EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", "provider!=default"); ... EVP_MD_meth_free(md); Fetch an implementation of SHA2-256 from the default provider in the specified context: - EVP_MD *md = EVP_MD_fetch(ctx, "SHA2-256", "default=yes"); + EVP_MD *md = EVP_MD_fetch(ctx, "SHA2-256", "provider=default"); ... EVP_MD_meth_free(md); 
@@ -324,11 +330,11 @@ implementation of WHIRLPOOL from it: /* This only needs to be done once - usually at application start up */ OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy"); - EVP_MD *md = EVP_MD_fetch(NULL, "WHIRLPOOL", "legacy=yes"); + EVP_MD *md = EVP_MD_fetch(NULL, "WHIRLPOOL", "provider=legacy"); ... EVP_MD_meth_free(md); -Note that in the above example the property string "legacy=yes" is optional +Note that in the above example the property string "provider=legacy" is optional since, assuming no other providers have been loaded, the only implementation of the "whirlpool" algorithm is in the "legacy" provider. Also note that the default provider should be explicitly loaded if it is required in addition to |
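Review bot: in the EVP_MAC-CMAC.pod hunk (and likewise the GMAC, HMAC and KMAC hunks) the new `=item` line offers "provider=default" or "provider=fips" but never mentions "fips=yes", which the provider.pod hunk below states selects every implementation in the FIPS provider; a reader of the MAC page who wants a FIPS-compatible implementation has to find that property elsewhere, so consider listing it here as well, e.g. `=item "CMAC", "provider=default", "provider=fips" or "fips=yes"`.

Review bot: in the property.pod hunk at `@@ -52,15 +52,15 @@` the Queries paragraph keeps "fips=yes" as its first example, but the definitions paragraph just above it now only describes "provider=default", "provider=fips" and "provider=legacy"; since this commit introduces "fips" as a property in its own right, add one sentence there saying which implementations define `fips=yes` (the FIPS provider's algorithms and the FIPS-compatible non-cryptographic ones named in the commit message), otherwise the reader meets the query before any definition of it.

Review bot: in the provider.pod hunk at `@@ -260,8 +260,12 @@` the added text ends with `The property "fips=yes" can be used to select such algorithms.`, which reads as if "fips=yes" selected only those non-cryptographic implementations; the following FIPS provider hunk says every FIPS provider implementation matches it too, so state here that the query returns both kinds, and split the long sentence beginning "Some non-cryptographic algorithms (such as serializers ..." in two, since it currently carries the exception, the rationale and the FIPS-mode status in one clause.

Review bot: in the provider.pod hunk at `@@ -324,11 +330,11 @@` the unchanged context line refers to `the "whirlpool" algorithm` in lower case while the call two lines above fetches "WHIRLPOOL"; since the paragraph is being edited anyway, align the prose with the identifier actually passed to EVP_MD_fetch() so the two cannot be read as different names.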