From: Pauli Date: Tue, 25 Feb 2020 04:29:30 +0000 (+1000) Subject: cmdline app: add provider commandline options. X-Git-Tag: openssl-3.0.0-alpha1~316 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=6bd4e3f231d74578b97821d981d42583fec5c2f3 cmdline app: add provider commandline options. Add a -provider option to allow providers to be loaded. This option can be specified multiple times. Add a -provider_path option to allow the path to providers to be specified. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/11167) --- diff --git a/apps/ca.c b/apps/ca.c index f201efe3af..84e1905d38 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -148,7 +148,7 @@ typedef enum OPTION_choice { OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID, OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS, OPT_RAND_SERIAL, - OPT_R_ENUM, OPT_SM2ID, OPT_SM2HEXID, + OPT_R_ENUM, OPT_SM2ID, OPT_SM2HEXID, OPT_PROV_ENUM, /* Do not change the order here; see related case statements below */ OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE, OPT_CRL_CA_COMPROMISE } OPTION_CHOICE; @@ -237,6 +237,7 @@ const OPTIONS ca_options[] = { {"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"certreq", 0, 0, "Certificate requests to be signed (optional)"}, @@ -361,6 +362,10 @@ opthelp: if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_KEY: key = opt_arg(); break; diff --git a/apps/ciphers.c b/apps/ciphers.c index 280a5ab477..9bbc12aeec 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -27,7 +27,7 @@ typedef enum OPTION_choice { OPT_PSK, OPT_SRP, OPT_CIPHERSUITES, - OPT_V, OPT_UPPER_V, OPT_S + OPT_V, OPT_UPPER_V, OPT_S, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS ciphers_options[] = { @@ -67,6 +67,7 @@ const OPTIONS ciphers_options[] = { #endif {"ciphersuites", OPT_CIPHERSUITES, 's', "Configure the TLSv1.3 ciphersuites to use"}, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"cipher", 0, 0, "Cipher string to decode (optional)"}, @@ -169,6 +170,10 @@ int ciphers_main(int argc, char **argv) case OPT_CIPHERSUITES: ciphersuites = opt_arg(); break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argv = opt_rest(); diff --git a/apps/cms.c b/apps/cms.c index 9c92e79658..c8c303ea37 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -83,6 +83,7 @@ typedef enum OPTION_choice { OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP, OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE, OPT_R_ENUM, + OPT_PROV_ENUM, OPT_V_ENUM, OPT_CIPHER, OPT_ORIGINATOR @@ -220,6 +221,7 @@ const OPTIONS cms_options[] = { OPT_R_OPTIONS, OPT_V_OPTIONS, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"cert", 0, 0, "Recipient certs (optional; used only when encrypting)"}, @@ -621,6 +623,10 @@ int cms_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_3DES_WRAP: # ifndef OPENSSL_NO_DES wrap_cipher = EVP_des_ede3_wrap(); diff --git a/apps/crl.c b/apps/crl.c index 14410f3512..5e0a517a1b 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -24,7 +24,7 @@ typedef enum OPTION_choice { OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT, OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_VERIFY, OPT_TEXT, OPT_HASH, - OPT_HASH_OLD, OPT_NOOUT, OPT_NAMEOPT, OPT_MD + OPT_HASH_OLD, OPT_NOOUT, OPT_NAMEOPT, OPT_MD, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS crl_options[] = { @@ -69,6 +69,7 @@ const OPTIONS crl_options[] = { "Do not load certificates from the default certificates directory"}, {"no-CAstore", OPT_NOCASTORE, '-', "Do not load certificates from the default certificates store"}, + OPT_PROV_OPTIONS, {NULL} }; @@ -193,6 +194,11 @@ int crl_main(int argc, char **argv) case OPT_MD: if (!opt_md(opt_unknown(), &digest)) goto opthelp; + break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/crl2p7.c b/apps/crl2p7.c index ffbee4cbff..53bc88f750 100644 --- a/apps/crl2p7.c +++ b/apps/crl2p7.c @@ -23,7 +23,8 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile); typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, - OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS crl2pkcs7_options[] = { @@ -40,6 +41,8 @@ const OPTIONS crl2pkcs7_options[] = { OPT_SECTION("Output"), {"out", OPT_OUT, '>', "Output file"}, {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + + OPT_PROV_OPTIONS, {NULL} }; @@ -93,6 +96,10 @@ int crl2pkcs7_main(int argc, char **argv) if (!sk_OPENSSL_STRING_push(certflst, opt_arg())) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/dgst.c b/apps/dgst.c index 7a81cb28dc..dcb4c094c7 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -42,7 +42,7 @@ typedef enum OPTION_choice { OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT, OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT, OPT_DIGEST, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS dgst_options[] = { @@ -82,6 +82,7 @@ const OPTIONS dgst_options[] = { "Compute HMAC with the key used in OpenSSL-FIPS fingerprint"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"file", 0, 0, "Files to digest (optional; default is stdin)"}, @@ -208,6 +209,10 @@ int dgst_main(int argc, char **argv) goto opthelp; md = m; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/dhparam.c b/apps/dhparam.c index acff366158..3f694c5a35 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -41,7 +41,7 @@ typedef enum OPTION_choice { OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT, OPT_DSAPARAM, OPT_C, OPT_2, OPT_3, OPT_5, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS dhparam_options[] = { @@ -73,6 +73,7 @@ const OPTIONS dhparam_options[] = { {"5", OPT_5, '-', "Generate parameters using 5 as the generator value"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"numbits", 0, 0, "Number of bits if generating parameters (optional)"}, @@ -151,6 +152,10 @@ int dhparam_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/dsa.c b/apps/dsa.c index 9704a34c39..082aa96476 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -35,7 +35,8 @@ typedef enum OPTION_choice { /* Do not change the order here; see case statements below */ OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG, OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_PUBIN, - OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT + OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS dsa_options[] = { @@ -66,6 +67,7 @@ const OPTIONS dsa_options[] = { {"pubout", OPT_PUBOUT, '-', "Output public key, not private"}, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + OPT_PROV_OPTIONS, {NULL} }; @@ -147,6 +149,10 @@ int dsa_main(int argc, char **argv) if (!opt_cipher(opt_unknown(), &enc)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/dsaparam.c b/apps/dsaparam.c index eebffa0ee5..04e09e7950 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -36,7 +36,7 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C, OPT_NOOUT, OPT_GENKEY, OPT_ENGINE, OPT_VERBOSE, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS dsaparam_options[] = { @@ -62,6 +62,7 @@ const OPTIONS dsaparam_options[] = { {"genkey", OPT_GENKEY, '-', "Generate a DSA key"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"numbits", 0, 0, "Number of bits if generating parameters (optional)"}, @@ -122,6 +123,10 @@ int dsaparam_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_NOOUT: noout = 1; break; diff --git a/apps/ec.c b/apps/ec.c index 3d901bbad3..6a3879922c 100644 --- a/apps/ec.c +++ b/apps/ec.c @@ -40,7 +40,7 @@ typedef enum OPTION_choice { OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER, - OPT_NO_PUBLIC, OPT_CHECK + OPT_NO_PUBLIC, OPT_CHECK, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS ec_options[] = { @@ -70,6 +70,8 @@ const OPTIONS ec_options[] = { {"pubout", OPT_PUBOUT, '-', "Output public key, not private"}, {"no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key"}, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + + OPT_PROV_OPTIONS, {NULL} }; @@ -161,6 +163,10 @@ int ec_main(int argc, char **argv) case OPT_CHECK: check = 1; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/ecparam.c b/apps/ecparam.c index 307eb1f37e..ed4f4f1fd8 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -31,7 +31,7 @@ typedef enum OPTION_choice { OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C, OPT_CHECK, OPT_LIST_CURVES, OPT_NO_SEED, OPT_NOOUT, OPT_NAME, OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_ENGINE, OPT_CHECK_NAMED, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS ecparam_options[] = { @@ -67,6 +67,7 @@ const OPTIONS ecparam_options[] = { {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, {NULL} }; @@ -169,6 +170,10 @@ int ecparam_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; diff --git a/apps/enc.c b/apps/enc.c index 2b23564fab..74fd6f8469 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -45,7 +45,7 @@ typedef enum OPTION_choice { OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A, OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE, OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS enc_options[] = { @@ -97,6 +97,7 @@ const OPTIONS enc_options[] = { {"", OPT_CIPHER, '-', "Any supported cipher"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, {NULL} }; @@ -288,6 +289,10 @@ int enc_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } if (opt_num_rest() != 0) { diff --git a/apps/gendsa.c b/apps/gendsa.c index a64ac16a97..cf24416bd7 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -31,7 +31,7 @@ NON_EMPTY_TRANSLATION_UNIT typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_CIPHER, OPT_VERBOSE, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS gendsa_options[] = { @@ -47,6 +47,7 @@ const OPTIONS gendsa_options[] = { {"out", OPT_OUT, '>', "Output the key to the specified file"}, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"}, {"verbose", OPT_VERBOSE, '-', "Verbose output"}, @@ -92,6 +93,10 @@ int gendsa_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_CIPHER: if (!opt_cipher(opt_unknown(), &enc)) goto end; diff --git a/apps/genpkey.c b/apps/genpkey.c index 3ae508c1c8..ef2979dd55 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -24,7 +24,8 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx); typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE, - OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER + OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS genpkey_options[] = { @@ -46,6 +47,8 @@ const OPTIONS genpkey_options[] = { {"text", OPT_TEXT, '-', "Print the in text"}, {"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"}, + OPT_PROV_OPTIONS, + /* This is deliberately last. */ {OPT_HELP_STR, 1, 1, "Order of options may be important! See the documentation.\n"}, @@ -131,6 +134,11 @@ int genpkey_main(int argc, char **argv) BIO_printf(bio_err, "%s: cipher mode not supported\n", prog); goto end; } + break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/genrsa.c b/apps/genrsa.c index c45fe19b12..3f76d9bada 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -41,7 +41,7 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_3, OPT_F4, OPT_ENGINE, OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES, OPT_VERBOSE, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS genrsa_options[] = { @@ -66,6 +66,7 @@ const OPTIONS genrsa_options[] = { {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"numbits", 0, 0, "Size of key in bits"}, @@ -121,6 +122,10 @@ opthelp: if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_PASSOUT: passoutarg = opt_arg(); break; diff --git a/apps/include/opt.h b/apps/include/opt.h index ac2c236024..b4257cca7d 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -265,6 +265,24 @@ OPT_R__FIRST: case OPT_R__LAST: break; \ case OPT_R_RAND: case OPT_R_WRITERAND +/* + * Provider options. + */ +# define OPT_PROV_ENUM \ + OPT_PROV__FIRST=1600, \ + OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, \ + OPT_PROV__LAST + +# define OPT_PROV_OPTIONS \ + OPT_SECTION("Provider"), \ + { "provider", OPT_PROV_PROVIDER, 's', "Provder to load (can be specified multiple times)" }, \ + { "provider_path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path" } + +# define OPT_PROV_CASES \ + OPT_PROV__FIRST: case OPT_PROV__LAST: break; \ + case OPT_PROV_PROVIDER: \ + case OPT_PROV_PROVIDER_PATH + /* * Option parsing. */ @@ -348,6 +366,7 @@ char **opt_rest(void); int opt_num_rest(void); int opt_verify(int i, X509_VERIFY_PARAM *vpm); int opt_rand(int i); +int opt_provider(int i); void opt_help(const OPTIONS * list); void opt_print(const OPTIONS * opt, int doingparams, int width); int opt_format_error(const char *s, unsigned long flags); diff --git a/apps/kdf.c b/apps/kdf.c index 82818f1ff3..0162ac899a 100644 --- a/apps/kdf.c +++ b/apps/kdf.c @@ -19,7 +19,8 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, - OPT_KDFOPT, OPT_BIN, OPT_KEYLEN, OPT_OUT + OPT_KDFOPT, OPT_BIN, OPT_KEYLEN, OPT_OUT, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS kdf_options[] = { @@ -36,6 +37,8 @@ const OPTIONS kdf_options[] = { {"binary", OPT_BIN, '-', "Output in binary format (default is hexadecimal)"}, + OPT_PROV_OPTIONS, + OPT_PARAMETERS(), {"kdf_name", 0, 0, "Name of the KDF algorithm"}, {NULL} @@ -80,6 +83,10 @@ opthelp: if (opts == NULL || !sk_OPENSSL_STRING_push(opts, opt_arg())) goto opthelp; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto err; + break; } } argc = opt_num_rest(); diff --git a/apps/lib/app_provider.c b/apps/lib/app_provider.c new file mode 100644 index 0000000000..ac01e8826b --- /dev/null +++ b/apps/lib/app_provider.c @@ -0,0 +1,51 @@ +/* + * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "apps.h" +#include +#include + +/* + * See comments in opt_verify for explanation of this. + */ +enum prov_range { OPT_PROV_ENUM }; + +static int opt_provider_load(const char *provider) +{ + OSSL_PROVIDER *prov; + + prov = OSSL_PROVIDER_load(NULL, provider); + if (prov == NULL) { + opt_printf_stderr("%s: unable to load provider %s\n", + opt_getprog(), provider); + return 0; + } + return 1; +} + +static int opt_provider_path(const char *path) +{ + if (path != NULL && *path == '\0') + path = NULL; + return OSSL_PROVIDER_set_default_search_path(NULL, path); +} + +int opt_provider(int opt) +{ + switch ((enum prov_range)opt) { + case OPT_PROV__FIRST: + case OPT_PROV__LAST: + return 1; + case OPT_PROV_PROVIDER: + return opt_provider_load(opt_arg()); + case OPT_PROV_PROVIDER_PATH: + return opt_provider_path(opt_arg()); + } + return 0; +} diff --git a/apps/lib/build.info b/apps/lib/build.info index 3f68a2ed35..a7be58b101 100644 --- a/apps/lib/build.info +++ b/apps/lib/build.info @@ -9,7 +9,7 @@ ENDIF # Source for libapps $LIBAPPSSRC=apps.c apps_ui.c opt.c fmt.c s_cb.c s_socket.c app_rand.c \ - columns.c app_params.c names.c + columns.c app_params.c names.c app_provider.c IF[{- !$disabled{apps} -}] LIBS{noinst}=../libapps.a diff --git a/apps/list.c b/apps/list.c index e8bb8533bb..28fd5c800e 100644 --- a/apps/list.c +++ b/apps/list.c @@ -617,7 +617,8 @@ typedef enum HELPLIST_CHOICE { OPT_COMMANDS, OPT_DIGEST_COMMANDS, OPT_MAC_ALGORITHMS, OPT_OPTIONS, OPT_DIGEST_ALGORITHMS, OPT_CIPHER_COMMANDS, OPT_CIPHER_ALGORITHMS, OPT_PK_ALGORITHMS, OPT_PK_METHOD, OPT_ENGINES, OPT_DISABLED, - OPT_KDF_ALGORITHMS, OPT_MISSING_HELP, OPT_OBJECTS + OPT_KDF_ALGORITHMS, OPT_MISSING_HELP, OPT_OBJECTS, + OPT_PROV_ENUM } HELPLIST_CHOICE; const OPTIONS list_options[] = { @@ -655,6 +656,8 @@ const OPTIONS list_options[] = { "List options for specified command"}, {"objects", OPT_OBJECTS, '-', "List built in objects (OID<->name mappings)"}, + + OPT_PROV_OPTIONS, {NULL} }; @@ -741,6 +744,10 @@ opthelp: case OPT_VERBOSE: verbose = 1; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + return 1; + break; } done = 1; } diff --git a/apps/mac.c b/apps/mac.c index 6abcfcd4e8..bc236a7bf8 100644 --- a/apps/mac.c +++ b/apps/mac.c @@ -21,7 +21,8 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, - OPT_MACOPT, OPT_BIN, OPT_IN, OPT_OUT + OPT_MACOPT, OPT_BIN, OPT_IN, OPT_OUT, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS mac_options[] = { @@ -40,6 +41,8 @@ const OPTIONS mac_options[] = { {"binary", OPT_BIN, '-', "Output in binary format (default is hexadecimal)"}, + OPT_PROV_OPTIONS, + OPT_PARAMETERS(), {"mac_name", 0, 0, "MAC algorithm"}, {NULL} @@ -89,6 +92,10 @@ opthelp: if (opts == NULL || !sk_OPENSSL_STRING_push(opts, opt_arg())) goto opthelp; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto err; + break; } } argc = opt_num_rest(); diff --git a/apps/nseq.c b/apps/nseq.c index 9d1e0950e8..e9aeea98a0 100644 --- a/apps/nseq.c +++ b/apps/nseq.c @@ -16,7 +16,8 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, - OPT_TOSEQ, OPT_IN, OPT_OUT + OPT_TOSEQ, OPT_IN, OPT_OUT, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS nseq_options[] = { @@ -29,6 +30,8 @@ const OPTIONS nseq_options[] = { OPT_SECTION("Output"), {"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"}, {"out", OPT_OUT, '>', "Output file"}, + + OPT_PROV_OPTIONS, {NULL} }; @@ -62,6 +65,10 @@ int nseq_main(int argc, char **argv) case OPT_OUT: outfile = opt_arg(); break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/ocsp.c b/apps/ocsp.c index 3297b4287a..3c6b8cbd88 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -137,7 +137,7 @@ typedef enum OPTION_choice { OPT_RCID, OPT_V_ENUM, OPT_MD, - OPT_MULTI + OPT_MULTI, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS ocsp_options[] = { @@ -230,6 +230,7 @@ const OPTIONS ocsp_options[] = { {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"}, OPT_V_OPTIONS, + OPT_PROV_OPTIONS, {NULL} }; @@ -541,6 +542,10 @@ int ocsp_main(int argc, char **argv) multi = atoi(opt_arg()); # endif break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } if (trailing_md) { diff --git a/apps/passwd.c b/apps/passwd.c index 4626eeb249..f3faa58536 100644 --- a/apps/passwd.c +++ b/apps/passwd.c @@ -58,7 +58,7 @@ typedef enum OPTION_choice { OPT_IN, OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1, OPT_1, OPT_5, OPT_6, OPT_CRYPT, OPT_AIXMD5, OPT_SALT, OPT_STDIN, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS passwd_options[] = { @@ -90,6 +90,7 @@ const OPTIONS passwd_options[] = { #endif OPT_R_OPTIONS, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"password", 0, 0, "Password text to digest (optional)"}, @@ -191,6 +192,10 @@ int passwd_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 091318b67d..c2448a74f5 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -58,7 +58,7 @@ typedef enum OPTION_choice { OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME, OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS pkcs12_options[] = { @@ -130,6 +130,7 @@ const OPTIONS pkcs12_options[] = { {"", OPT_CIPHER, '-', "Any supported cipher"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, {NULL} }; @@ -307,6 +308,10 @@ int pkcs12_main(int argc, char **argv) case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/pkcs7.c b/apps/pkcs7.c index bd1cb1013c..9c74d99aca 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -23,7 +23,8 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOOUT, - OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_ENGINE + OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_ENGINE, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS pkcs7_options[] = { @@ -45,6 +46,8 @@ const OPTIONS pkcs7_options[] = { {"print", OPT_PRINT, '-', "Print out all fields of the PKCS7 structure"}, {"print_certs", OPT_PRINT_CERTS, '-', "Print_certs print any certs or crl in the input"}, + + OPT_PROV_OPTIONS, {NULL} }; @@ -99,6 +102,10 @@ int pkcs7_main(int argc, char **argv) case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/pkcs8.c b/apps/pkcs8.c index 1ccaff06f8..b058ea1980 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -26,7 +26,7 @@ typedef enum OPTION_choice { #endif OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT, OPT_TRADITIONAL, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS pkcs8_options[] = { @@ -63,6 +63,7 @@ const OPTIONS pkcs8_options[] = { #endif OPT_R_OPTIONS, + OPT_PROV_OPTIONS, {NULL} }; @@ -127,6 +128,10 @@ int pkcs8_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_TRADITIONAL: traditional = 1; break; diff --git a/apps/pkey.c b/apps/pkey.c index 54709f656e..e90b3a5960 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -37,7 +37,8 @@ typedef enum OPTION_choice { OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB, OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK, - OPT_EC_PARAM_ENC, OPT_EC_CONV_FORM + OPT_EC_PARAM_ENC, OPT_EC_CONV_FORM, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS pkey_options[] = { @@ -72,6 +73,7 @@ const OPTIONS pkey_options[] = { {"text", OPT_TEXT, '-', "Output in plaintext as well"}, {"noout", OPT_NOOUT, '-', "Don't output the key"}, + OPT_PROV_OPTIONS, {NULL} }; @@ -177,6 +179,10 @@ int pkey_main(int argc, char **argv) ec_asn1_flag = i; break; #endif + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/pkeyparam.c b/apps/pkeyparam.c index 5521909d99..441523ddc4 100644 --- a/apps/pkeyparam.c +++ b/apps/pkeyparam.c @@ -19,7 +19,8 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_IN, OPT_OUT, OPT_TEXT, OPT_NOOUT, - OPT_ENGINE, OPT_CHECK + OPT_ENGINE, OPT_CHECK, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS pkeyparam_options[] = { @@ -37,6 +38,8 @@ const OPTIONS pkeyparam_options[] = { {"out", OPT_OUT, '>', "Output file"}, {"text", OPT_TEXT, '-', "Print parameters as text"}, {"noout", OPT_NOOUT, '-', "Don't output encoded parameters"}, + + OPT_PROV_OPTIONS, {NULL} }; @@ -81,6 +84,10 @@ int pkeyparam_main(int argc, char **argv) case OPT_CHECK: check = 1; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 5bc436576d..7f11b168f5 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -44,7 +44,7 @@ typedef enum OPTION_choice { OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT, OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN, OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF, - OPT_KDFLEN, OPT_R_ENUM, + OPT_KDFLEN, OPT_R_ENUM, OPT_PROV_ENUM, OPT_RAWIN, OPT_DIGEST } OPTION_CHOICE; @@ -92,6 +92,7 @@ const OPTIONS pkeyutl_options[] = { {"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, {NULL} }; @@ -165,6 +166,10 @@ int pkeyutl_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; diff --git a/apps/prime.c b/apps/prime.c index 5345e5b6d0..ff25f9085b 100644 --- a/apps/prime.c +++ b/apps/prime.c @@ -15,7 +15,8 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, - OPT_HEX, OPT_GENERATE, OPT_BITS, OPT_SAFE, OPT_CHECKS + OPT_HEX, OPT_GENERATE, OPT_BITS, OPT_SAFE, OPT_CHECKS, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS prime_options[] = { @@ -32,6 +33,8 @@ const OPTIONS prime_options[] = { {"safe", OPT_SAFE, '-', "When used with -generate, generate a safe prime"}, + OPT_PROV_OPTIONS, + OPT_PARAMETERS(), {"number", 0, 0, "Number(s) to check for primality if not generating"}, {NULL} @@ -72,6 +75,10 @@ opthelp: /* ignore parameter and argument */ opt_arg(); break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/rand.c b/apps/rand.c index 421ebfc203..7dc14cb3b2 100644 --- a/apps/rand.c +++ b/apps/rand.c @@ -21,7 +21,7 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_OUT, OPT_ENGINE, OPT_BASE64, OPT_HEX, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS rand_options[] = { @@ -39,6 +39,7 @@ const OPTIONS rand_options[] = { {"hex", OPT_HEX, '-', "Hex encode output"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"num", 0, 0, "Number of bytes to generate"}, @@ -81,6 +82,10 @@ int rand_main(int argc, char **argv) case OPT_HEX: format = FORMAT_TEXT; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/rehash.c b/apps/rehash.c index b7e6e7ec18..de54064244 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -447,7 +447,8 @@ static int do_dir(const char *dirname, enum Hash h) typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, - OPT_COMPAT, OPT_OLD, OPT_N, OPT_VERBOSE + OPT_COMPAT, OPT_OLD, OPT_N, OPT_VERBOSE, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS rehash_options[] = { @@ -463,6 +464,8 @@ const OPTIONS rehash_options[] = { OPT_SECTION("Output"), {"v", OPT_VERBOSE, '-', "Verbose output"}, + OPT_PROV_OPTIONS, + OPT_PARAMETERS(), {"directory", 0, 0, "One or more directories to process (optional)"}, {NULL} @@ -499,6 +502,10 @@ int rehash_main(int argc, char **argv) case OPT_VERBOSE: verbose = 1; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/req.c b/apps/req.c index 7140705f09..dcad9dc238 100644 --- a/apps/req.c +++ b/apps/req.c @@ -91,7 +91,7 @@ typedef enum OPTION_choice { OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509, OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS, OPT_REQEXTS, OPT_PRECERT, OPT_MD, OPT_SM2ID, OPT_SM2HEXID, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS req_options[] = { @@ -160,6 +160,7 @@ const OPTIONS req_options[] = { {"modulus", OPT_MODULUS, '-', "RSA modulus"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, {NULL} }; @@ -331,6 +332,10 @@ int req_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_NEWKEY: keyalg = opt_arg(); newreq = 1; diff --git a/apps/rsa.c b/apps/rsa.c index 7d03a862a0..d626bbb31a 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -36,7 +36,8 @@ typedef enum OPTION_choice { OPT_RSAPUBKEY_IN, OPT_RSAPUBKEY_OUT, /* Do not change the order here; see case statements below */ OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG, - OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER + OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS rsa_options[] = { @@ -71,6 +72,8 @@ const OPTIONS rsa_options[] = { {"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"}, {"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"}, # endif + + OPT_PROV_OPTIONS, {NULL} }; @@ -160,6 +163,10 @@ int rsa_main(int argc, char **argv) if (!opt_cipher(opt_unknown(), &enc)) goto opthelp; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/rsautl.c b/apps/rsautl.c index 7bb9096bcd..b72f527ce4 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -37,7 +37,7 @@ typedef enum OPTION_choice { OPT_RSA_RAW, OPT_OAEP, OPT_SSL, OPT_PKCS, OPT_X931, OPT_SIGN, OPT_VERIFY, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT, OPT_PUBIN, OPT_CERTIN, OPT_INKEY, OPT_PASSIN, OPT_KEYFORM, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS rsautl_options[] = { @@ -72,6 +72,7 @@ const OPTIONS rsautl_options[] = { {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, {NULL} }; @@ -169,6 +170,10 @@ int rsautl_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/s_client.c b/apps/s_client.c index 7803785018..c06f2c824f 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -600,7 +600,7 @@ typedef enum OPTION_choice { OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME, OPT_ENABLE_PHA, OPT_SCTP_LABEL_BUG, - OPT_R_ENUM + OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS s_client_options[] = { @@ -817,6 +817,7 @@ const OPTIONS s_client_options[] = { {"chainCAfile", OPT_CHAINCAFILE, '<', "CA file for certificate chain (PEM format)"}, OPT_X_OPTIONS, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"host:port", 0, 0, "Where to connect; same as -connect option"}, @@ -1225,6 +1226,10 @@ int s_client_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_IGN_EOF: c_ign_eof = 1; break; diff --git a/apps/s_server.c b/apps/s_server.c index 69d9e04876..4016270d54 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -757,7 +757,8 @@ typedef enum OPTION_choice { OPT_R_ENUM, OPT_S_ENUM, OPT_V_ENUM, - OPT_X_ENUM + OPT_X_ENUM, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS s_server_options[] = { @@ -992,6 +993,7 @@ const OPTIONS s_server_options[] = { {"chainCAfile", OPT_CHAINCAFILE, '<', "CA file for certificate chain (PEM format)"}, OPT_X_OPTIONS, + OPT_PROV_OPTIONS, {NULL} }; @@ -1566,6 +1568,10 @@ int s_server_main(int argc, char *argv[]) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_SERVERNAME: tlsextcbp.servername = opt_arg(); break; diff --git a/apps/s_time.c b/apps/s_time.c index babbdbe13e..28e82f7cae 100644 --- a/apps/s_time.c +++ b/apps/s_time.c @@ -48,7 +48,8 @@ typedef enum OPTION_choice { OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_TIME, OPT_SSL3, - OPT_WWW, OPT_TLS1, OPT_TLS1_1, OPT_TLS1_2, OPT_TLS1_3 + OPT_WWW, OPT_TLS1, OPT_TLS1_1, OPT_TLS1_2, OPT_TLS1_3, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS s_time_options[] = { @@ -99,6 +100,7 @@ const OPTIONS s_time_options[] = { {"no-CAstore", OPT_NOCASTORE, '-', "Do not load certificates from the default certificates store URI"}, + OPT_PROV_OPTIONS, {NULL} }; @@ -226,6 +228,10 @@ int s_time_main(int argc, char **argv) min_version = TLS1_3_VERSION; max_version = TLS1_3_VERSION; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/smime.c b/apps/smime.c index 149d3151ee..c7f74d4812 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -42,7 +42,7 @@ typedef enum OPTION_choice { OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD, OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE, OPT_CAPATH, OPT_CASTORE, OPT_NOCAFILE, OPT_NOCAPATH, OPT_NOCASTORE, - OPT_R_ENUM, + OPT_R_ENUM, OPT_PROV_ENUM, OPT_V_ENUM, OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTFORM, OPT_CONTENT @@ -121,6 +121,7 @@ const OPTIONS smime_options[] = { OPT_R_OPTIONS, OPT_V_OPTIONS, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"cert", 0, 0, "Recipient certs, used when encrypting"}, @@ -244,6 +245,10 @@ int smime_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; diff --git a/apps/speed.c b/apps/speed.c index 13285d6355..9d4ab2c330 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -253,7 +253,7 @@ static int opt_found(const char *name, unsigned int *result, typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ELAPSED, OPT_EVP, OPT_HMAC, OPT_DECRYPT, OPT_ENGINE, OPT_MULTI, - OPT_MR, OPT_MB, OPT_MISALIGN, OPT_ASYNCJOBS, OPT_R_ENUM, + OPT_MR, OPT_MB, OPT_MISALIGN, OPT_ASYNCJOBS, OPT_R_ENUM, OPT_PROV_ENUM, OPT_PRIMES, OPT_SECONDS, OPT_BYTES, OPT_AEAD, OPT_CMAC } OPTION_CHOICE; @@ -301,6 +301,7 @@ const OPTIONS speed_options[] = { "Use specified offset to mis-align buffers"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"algorithm", 0, 0, "Algorithm(s) to test (optional; otherwise tests all)"}, @@ -1706,6 +1707,10 @@ int speed_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_PRIMES: #ifndef OPENSSL_NO_DEPRECATED_3_0 if (!opt_int(opt_arg(), &primes)) diff --git a/apps/spkac.c b/apps/spkac.c index 75e246a110..dbd3d45216 100644 --- a/apps/spkac.c +++ b/apps/spkac.c @@ -24,7 +24,8 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_NOOUT, OPT_PUBKEY, OPT_VERIFY, OPT_IN, OPT_OUT, OPT_ENGINE, OPT_KEY, OPT_CHALLENGE, OPT_PASSIN, OPT_SPKAC, - OPT_SPKSECT, OPT_KEYFORM + OPT_SPKSECT, OPT_KEYFORM, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS spkac_options[] = { @@ -49,6 +50,8 @@ const OPTIONS spkac_options[] = { {"noout", OPT_NOOUT, '-', "Don't print SPKAC"}, {"pubkey", OPT_PUBKEY, '-', "Output public key"}, {"verify", OPT_VERIFY, '-', "Verify SPKAC signature"}, + + OPT_PROV_OPTIONS, {NULL} }; @@ -116,6 +119,10 @@ int spkac_main(int argc, char **argv) case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/srp.c b/apps/srp.c index e7a18d68cb..646e86f11a 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -193,7 +193,7 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SRPVFILE, OPT_ADD, OPT_DELETE, OPT_MODIFY, OPT_LIST, OPT_GN, OPT_USERINFO, - OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, OPT_R_ENUM + OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS srp_options[] = { @@ -222,6 +222,7 @@ const OPTIONS srp_options[] = { {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, OPT_PARAMETERS(), {"user", 0, 0, "Username(s) to process (optional)"}, @@ -297,6 +298,10 @@ int srp_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/storeutl.c b/apps/storeutl.c index 85fb1ed860..c03eb08f0b 100644 --- a/apps/storeutl.c +++ b/apps/storeutl.c @@ -27,7 +27,7 @@ typedef enum OPTION_choice { OPT_SEARCHFOR_CERTS, OPT_SEARCHFOR_KEYS, OPT_SEARCHFOR_CRLS, OPT_CRITERION_SUBJECT, OPT_CRITERION_ISSUER, OPT_CRITERION_SERIAL, OPT_CRITERION_FINGERPRINT, OPT_CRITERION_ALIAS, - OPT_MD + OPT_MD, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS storeutl_options[] = { @@ -59,6 +59,8 @@ const OPTIONS storeutl_options[] = { {"text", OPT_TEXT, '-', "Print a text form of the objects"}, {"noout", OPT_NOOUT, '-', "No PEM output, just status"}, + OPT_PROV_OPTIONS, + OPT_PARAMETERS(), {"uri", 0, 0, "URI of the store object"}, {NULL} @@ -250,6 +252,10 @@ int storeutl_main(int argc, char *argv[]) case OPT_MD: if (!opt_md(opt_unknown(), &digest)) goto opthelp; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/ts.c b/apps/ts.c index c651c8e5cd..3d380bebf0 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -86,7 +86,7 @@ typedef enum OPTION_choice { OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT, OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER, OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_UNTRUSTED, - OPT_MD, OPT_V_ENUM, OPT_R_ENUM + OPT_MD, OPT_V_ENUM, OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS ts_options[] = { @@ -127,6 +127,7 @@ const OPTIONS ts_options[] = { OPT_R_OPTIONS, OPT_V_OPTIONS, + OPT_PROV_OPTIONS, {NULL} }; @@ -219,6 +220,10 @@ int ts_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_TSPOLICY: policy = opt_arg(); break; diff --git a/apps/verify.c b/apps/verify.c index 5c5042117d..82ca35e971 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -31,7 +31,8 @@ typedef enum OPTION_choice { OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN, OPT_V_ENUM, OPT_NAMEOPT, - OPT_VERBOSE, OPT_SM2ID, OPT_SM2HEXID + OPT_VERBOSE, OPT_SM2ID, OPT_SM2HEXID, + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS verify_options[] = { @@ -73,6 +74,8 @@ const OPTIONS verify_options[] = { "Specify a hex ID string to verify an SM2 certificate"}, #endif + OPT_PROV_OPTIONS, + OPT_PARAMETERS(), {"cert", 0, 0, "Certificate(s) to verify (optional; stdin used otherwise)"}, {NULL} @@ -209,6 +212,10 @@ int verify_main(int argc, char **argv) goto end; } break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; } } argc = opt_num_rest(); diff --git a/apps/x509.c b/apps/x509.c index a8ec118180..3176cf528c 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -61,7 +61,7 @@ typedef enum OPTION_choice { OPT_SUBJECT_HASH_OLD, OPT_ISSUER_HASH_OLD, OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT, OPT_PRESERVE_DATES, - OPT_R_ENUM, OPT_EXT + OPT_R_ENUM, OPT_PROV_ENUM, OPT_EXT } OPTION_CHOICE; const OPTIONS x509_options[] = { @@ -144,6 +144,7 @@ const OPTIONS x509_options[] = { "The CA key, must be PEM format; if not in CAfile"}, {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"}, OPT_R_OPTIONS, + OPT_PROV_OPTIONS, {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"}, {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format - default PEM"}, {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, @@ -270,6 +271,10 @@ int x509_main(int argc, char **argv) if (!opt_rand(o)) goto end; break; + case OPT_PROV_CASES: + if (!opt_provider(o)) + goto end; + break; case OPT_EXTENSIONS: extsect = opt_arg(); break; diff --git a/crypto/provider_core.c b/crypto/provider_core.c index cac325407f..026e784bae 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -10,6 +10,7 @@ #include #include #include +#include #include #include #include "crypto/cryptlib.h" @@ -92,6 +93,7 @@ static int ossl_provider_cmp(const OSSL_PROVIDER * const *a, struct provider_store_st { STACK_OF(OSSL_PROVIDER) *providers; CRYPTO_RWLOCK *lock; + char *default_path; unsigned int use_fallbacks:1; }; @@ -101,6 +103,7 @@ static void provider_store_free(void *vstore) if (store == NULL) return; + OPENSSL_free(store->default_path); sk_OSSL_PROVIDER_pop_free(store->providers, ossl_provider_free); CRYPTO_THREAD_lock_free(store->lock); OPENSSL_free(store); @@ -384,6 +387,29 @@ int ossl_provider_add_parameter(OSSL_PROVIDER *prov, */ static const OSSL_DISPATCH *core_dispatch; /* Define further down */ +int OSSL_PROVIDER_set_default_search_path(OPENSSL_CTX *libctx, const char *path) +{ + struct provider_store_st *store; + char *p = NULL; + + if (path != NULL) { + p = OPENSSL_strdup(path); + if (p == NULL) { + CRYPTOerr(0, ERR_R_MALLOC_FAILURE); + return 0; + } + } + if ((store = get_provider_store(libctx)) != NULL + && CRYPTO_THREAD_write_lock(store->lock)) { + OPENSSL_free(store->default_path); + store->default_path = p; + CRYPTO_THREAD_unlock(store->lock); + return 1; + } + OPENSSL_free(p); + return 0; +} + /* * Internal version that doesn't affect the store flags, and thereby avoid * locking. Direct callers must remember to set the store flags when @@ -413,15 +439,24 @@ static int provider_activate(OSSL_PROVIDER *prov) char *allocated_path = NULL; const char *module_path = NULL; char *merged_path = NULL; - const char *load_dir = ossl_safe_getenv("OPENSSL_MODULES"); + const char *load_dir = NULL; + struct provider_store_st *store; if ((prov->module = DSO_new()) == NULL) { /* DSO_new() generates an error already */ return 0; } - if (load_dir == NULL) - load_dir = MODULESDIR; + if ((store = get_provider_store(prov->libctx)) == NULL + || !CRYPTO_THREAD_read_lock(store->lock)) + return 0; + load_dir = store->default_path; + + if (load_dir == NULL) { + load_dir = ossl_safe_getenv("OPENSSL_MODULES"); + if (load_dir == NULL) + load_dir = MODULESDIR; + } DSO_ctrl(prov->module, DSO_CTRL_SET_FLAGS, DSO_FLAG_NAME_TRANSLATION_EXT_ONLY, NULL); @@ -432,6 +467,7 @@ static int provider_activate(OSSL_PROVIDER *prov) DSO_convert_filename(prov->module, prov->name); if (module_path != NULL) merged_path = DSO_merge(prov->module, module_path, load_dir); + CRYPTO_THREAD_unlock(store->lock); if (merged_path == NULL || (DSO_load(prov->module, merged_path, NULL, 0)) == NULL) { diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index 720db228cb..8eef310ca4 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in @@ -59,6 +59,7 @@ B B [B<-sm2-hex-id> I] {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I...] =for openssl ifdef engine sm2-id sm2-hex-id @@ -308,6 +309,8 @@ certificate. The argument for this option is string of hexadecimal digits. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 CRL OPTIONS diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in index 5997b6d543..6e6b150d24 100644 --- a/doc/man1/openssl-ciphers.pod.in +++ b/doc/man1/openssl-ciphers.pod.in @@ -23,6 +23,7 @@ B B [B<-stdname>] [B<-convert> I] [B<-ciphersuites> I] +{- $OpenSSL::safe::opt_provider_synopsis -} [I] =for openssl ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 psk srp @@ -41,6 +42,8 @@ determine the appropriate cipherlist. Print a usage message. +{- $OpenSSL::safe::opt_provider_item -} + =item B<-s> Only list supported ciphers: those consistent with the security level, and diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index 161408fdcb..944135bbed 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -81,6 +81,7 @@ B B {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I ...] =for openssl ifdef des-wrap engine @@ -490,6 +491,8 @@ Any verification errors cause the command to exit. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =item I ... One or more certificates of message recipients: used when encrypting diff --git a/doc/man1/openssl-crl.pod.in b/doc/man1/openssl-crl.pod.in index c1272c2580..c1bd31a4a2 100644 --- a/doc/man1/openssl-crl.pod.in +++ b/doc/man1/openssl-crl.pod.in @@ -29,6 +29,7 @@ B B [B<-nextupdate>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_trust_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef hash_old @@ -123,6 +124,8 @@ Output the nextUpdate field. {- $OpenSSL::safe::opt_trust_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-crl2pkcs7.pod.in b/doc/man1/openssl-crl2pkcs7.pod.in index 187b6a5856..ee7f57d7a4 100644 --- a/doc/man1/openssl-crl2pkcs7.pod.in +++ b/doc/man1/openssl-crl2pkcs7.pod.in @@ -15,6 +15,7 @@ B B [B<-out> I] [B<-certfile> I] [B<-nocrl>] +{- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -62,6 +63,8 @@ files. Normally a CRL is included in the output file. With this option no CRL is included in the output file and a CRL is not read from the input file. +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index caa5b0a45a..fad5b93fe3 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in @@ -32,6 +32,7 @@ B B|I {- $OpenSSL::safe::opt_engine_synopsis -} [B<-engine_impl> I] {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I ...] =head1 DESCRIPTION @@ -184,6 +185,8 @@ used or it is configured to do so, see L. When used with the B<-engine> option, it specifies to also use engine I for digest operations. +{- $OpenSSL::safe::opt_provider_item -} + =item I ... File or files to digest. If no files are specified then standard input is diff --git a/doc/man1/openssl-dhparam.pod.in b/doc/man1/openssl-dhparam.pod.in index 906af1c25c..2e45b248cf 100644 --- a/doc/man1/openssl-dhparam.pod.in +++ b/doc/man1/openssl-dhparam.pod.in @@ -23,6 +23,7 @@ B [B<-5>] {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I] =for openssl ifdef dsaparam engine @@ -109,6 +110,8 @@ be loaded by calling the get_dhNNNN() function. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 NOTES diff --git a/doc/man1/openssl-dsa.pod.in b/doc/man1/openssl-dsa.pod.in index 03fcb7d09b..ef05e978f1 100644 --- a/doc/man1/openssl-dsa.pod.in +++ b/doc/man1/openssl-dsa.pod.in @@ -37,6 +37,7 @@ B B [B<-pubin>] [B<-pubout>] {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef pvk-string pvk-weak pvk-none engine @@ -123,6 +124,8 @@ a public key. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-dsaparam.pod.in b/doc/man1/openssl-dsaparam.pod.in index 51d44bd9ac..13e8d78857 100644 --- a/doc/man1/openssl-dsaparam.pod.in +++ b/doc/man1/openssl-dsaparam.pod.in @@ -20,6 +20,7 @@ B [B<-verbose>] {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I] =head1 DESCRIPTION @@ -93,6 +94,8 @@ This option specifies that a parameter set should be generated of size I. It must be the last option. If this option is included then the input file (if any) is ignored. +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 SEE ALSO diff --git a/doc/man1/openssl-ec.pod.in b/doc/man1/openssl-ec.pod.in index ed85ca04b8..f493a5373a 100644 --- a/doc/man1/openssl-ec.pod.in +++ b/doc/man1/openssl-ec.pod.in @@ -32,6 +32,7 @@ B B [B<-no_public>] [B<-check>] {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine @@ -141,6 +142,8 @@ This option checks the consistency of an EC private or public key. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-ecparam.pod.in b/doc/man1/openssl-ecparam.pod.in index 934bf5a380..a42fa35ee4 100644 --- a/doc/man1/openssl-ecparam.pod.in +++ b/doc/man1/openssl-ecparam.pod.in @@ -26,6 +26,7 @@ B [B<-genkey>] {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine @@ -130,6 +131,8 @@ This option will generate an EC private key using the specified parameters. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in index 6b8ab2a265..a2cb11a6b9 100644 --- a/doc/man1/openssl-enc.pod.in +++ b/doc/man1/openssl-enc.pod.in @@ -40,6 +40,7 @@ B B|I [B<-none>] {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef z engine ciphers @@ -197,6 +198,8 @@ Use NULL cipher (no encryption or decryption of input). {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_provider_item -} + {- $OpenSSL::safe::opt_engine_item -} =back diff --git a/doc/man1/openssl-gendsa.pod.in b/doc/man1/openssl-gendsa.pod.in index f1f8fe5b91..88fc6118a2 100644 --- a/doc/man1/openssl-gendsa.pod.in +++ b/doc/man1/openssl-gendsa.pod.in @@ -26,6 +26,7 @@ B B [B<-verbose>] {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I] =for openssl ifdef engine @@ -76,6 +77,8 @@ The DSA parameter file to use. The parameters in this file determine the size of the private key. DSA parameters can be generated and examined using the L command. +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 NOTES diff --git a/doc/man1/openssl-genpkey.pod.in b/doc/man1/openssl-genpkey.pod.in index c031f238af..4f1128a049 100644 --- a/doc/man1/openssl-genpkey.pod.in +++ b/doc/man1/openssl-genpkey.pod.in @@ -23,6 +23,7 @@ B B [B<-genparam>] [B<-text>] {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine @@ -104,6 +105,8 @@ parameters along with the PEM or DER structure. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 KEY GENERATION OPTIONS diff --git a/doc/man1/openssl-genrsa.pod.in b/doc/man1/openssl-genrsa.pod.in index 348f8cbbc6..a351a53cdb 100644 --- a/doc/man1/openssl-genrsa.pod.in +++ b/doc/man1/openssl-genrsa.pod.in @@ -30,6 +30,7 @@ B B [B<-verbose>] {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [B] =for openssl ifdef engine @@ -85,6 +86,8 @@ Print extra details about the operations being performed. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =item B The size of the private key to generate in bits. This must be the last option diff --git a/doc/man1/openssl-kdf.pod.in b/doc/man1/openssl-kdf.pod.in index 5073ac09fc..d7d8732c80 100644 --- a/doc/man1/openssl-kdf.pod.in +++ b/doc/man1/openssl-kdf.pod.in @@ -13,6 +13,7 @@ B [B<-keylen> I] [B<-out> I] [B<-binary>] +{- $OpenSSL::safe::opt_provider_synopsis -} I =head1 DESCRIPTION @@ -80,6 +81,8 @@ To see the list of supported digests, use the command I. =back +{- $OpenSSL::safe::opt_provider_item -} + =item I Specifies the name of a supported KDF algorithm which will be used. diff --git a/doc/man1/openssl-list.pod.in b/doc/man1/openssl-list.pod.in index dc5572e6a3..4ac7b5dce3 100644 --- a/doc/man1/openssl-list.pod.in +++ b/doc/man1/openssl-list.pod.in @@ -24,6 +24,7 @@ B [B<-disabled>] [B<-objects>] [B<-options> I] +{- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -103,6 +104,8 @@ of what type of parameter it takes, if any. This is an internal option, used for checking that the documentation is complete. +{- $OpenSSL::safe::opt_provider_item -} + =back =head2 Display of algorithm names diff --git a/doc/man1/openssl-mac.pod.in b/doc/man1/openssl-mac.pod.in index 5cc65f6c8d..3090149032 100644 --- a/doc/man1/openssl-mac.pod.in +++ b/doc/man1/openssl-mac.pod.in @@ -13,6 +13,7 @@ B [B<-in> I] [B<-out> I] [B<-binary>] +{- $OpenSSL::safe::opt_provider_synopsis -} I =head1 DESCRIPTION @@ -100,6 +101,8 @@ The default is the empty string "". =back +{- $OpenSSL::safe::opt_provider_item -} + =item I Specifies the name of a supported MAC algorithm which will be used. diff --git a/doc/man1/openssl-nseq.pod.in b/doc/man1/openssl-nseq.pod.in index 3d29ae878f..02db15323e 100644 --- a/doc/man1/openssl-nseq.pod.in +++ b/doc/man1/openssl-nseq.pod.in @@ -12,6 +12,7 @@ B B [B<-in> I] [B<-out> I] [B<-toseq>] +{- $OpenSSL::safe::opt_provider_synopsis -} =head1 DESCRIPTION @@ -49,6 +50,8 @@ is the certificates contained in it. With the B<-toseq> option the situation is reversed: a Netscape certificate sequence is created from a file of certificates. +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in index 6b4c25cda9..efa627b8a9 100644 --- a/doc/man1/openssl-ocsp.pod.in +++ b/doc/man1/openssl-ocsp.pod.in @@ -70,6 +70,7 @@ B B [B<-I>] {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_v_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef multi @@ -269,6 +270,8 @@ digest used by subsequent certificate identifiers. {- $OpenSSL::safe::opt_v_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head2 OCSP Server Options diff --git a/doc/man1/openssl-passwd.pod.in b/doc/man1/openssl-passwd.pod.in index 83ef7ba674..ce2b69134c 100644 --- a/doc/man1/openssl-passwd.pod.in +++ b/doc/man1/openssl-passwd.pod.in @@ -23,6 +23,7 @@ B [B<-table>] [B<-reverse>] {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I] =for openssl ifdef crypt @@ -100,6 +101,8 @@ When the B<-table> option is used, reverse the order of cleartext and hash. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 7d562b002e..631eec7282 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -57,6 +57,7 @@ B B {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine @@ -293,6 +294,8 @@ Write I as a Microsoft CSP name. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 NOTES diff --git a/doc/man1/openssl-pkcs7.pod.in b/doc/man1/openssl-pkcs7.pod.in index 77ef9f9558..0a12d2379a 100644 --- a/doc/man1/openssl-pkcs7.pod.in +++ b/doc/man1/openssl-pkcs7.pod.in @@ -22,6 +22,7 @@ B B [B<-text>] [B<-noout>] {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine @@ -77,6 +78,8 @@ if B<-print_certs> is set). {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-pkcs8.pod.in b/doc/man1/openssl-pkcs8.pod.in index 34b469ddbc..f9e5fb1dcb 100644 --- a/doc/man1/openssl-pkcs8.pod.in +++ b/doc/man1/openssl-pkcs8.pod.in @@ -29,6 +29,7 @@ B B [B<-scrypt_p> I

] {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine scrypt scrypt_N scrypt_r scrypt_p @@ -150,6 +151,8 @@ Sets the scrypt I, I or I

parameters. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 NOTES diff --git a/doc/man1/openssl-pkey.pod.in b/doc/man1/openssl-pkey.pod.in index 31bf005f74..8460aed1fa 100644 --- a/doc/man1/openssl-pkey.pod.in +++ b/doc/man1/openssl-pkey.pod.in @@ -31,6 +31,7 @@ B B [B<-ec_conv_form> I] [B<-ec_param_enc> I] {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine @@ -142,6 +143,8 @@ is currently not implemented in OpenSSL. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-pkeyparam.pod.in b/doc/man1/openssl-pkeyparam.pod.in index 4488119121..7f9d351ac2 100644 --- a/doc/man1/openssl-pkeyparam.pod.in +++ b/doc/man1/openssl-pkeyparam.pod.in @@ -19,6 +19,7 @@ B B [B<-noout>] [B<-check>] {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine @@ -59,6 +60,8 @@ This option checks the correctness of parameters. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in index c239a0469a..0bca483871 100644 --- a/doc/man1/openssl-pkeyutl.pod.in +++ b/doc/man1/openssl-pkeyutl.pod.in @@ -37,6 +37,7 @@ B B {- $OpenSSL::safe::opt_engine_synopsis -} [B<-engine_impl>] {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine engine_impl @@ -188,6 +189,8 @@ engine I for crypto operations. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 NOTES diff --git a/doc/man1/openssl-prime.pod.in b/doc/man1/openssl-prime.pod.in index 9aafabe602..3aee9014a0 100644 --- a/doc/man1/openssl-prime.pod.in +++ b/doc/man1/openssl-prime.pod.in @@ -13,6 +13,7 @@ B [B<-generate>] [B<-bits> I] [B<-safe>] +{- $OpenSSL::safe::opt_provider_synopsis -} [B<-checks> I] [I ...] @@ -49,6 +50,8 @@ Generate a prime with I bits. When used with B<-generate>, generates a "safe" prime. If the number generated is I, then check that C<(I-1)/2> is also prime. +{- $OpenSSL::safe::opt_provider_item -} + =item B<-checks> I This parameter is ignored. diff --git a/doc/man1/openssl-rand.pod.in b/doc/man1/openssl-rand.pod.in index 5e76b228ab..8a6c8933a9 100644 --- a/doc/man1/openssl-rand.pod.in +++ b/doc/man1/openssl-rand.pod.in @@ -14,6 +14,7 @@ B [B<-hex>] {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} I =for openssl ifdef engine @@ -53,6 +54,8 @@ Show the output as a hex string. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 SEE ALSO diff --git a/doc/man1/openssl-rehash.pod.in b/doc/man1/openssl-rehash.pod.in index 428de47db7..e21d07e9a9 100644 --- a/doc/man1/openssl-rehash.pod.in +++ b/doc/man1/openssl-rehash.pod.in @@ -19,6 +19,7 @@ B [B<-compat>] [B<-n>] [B<-v>] +{- $OpenSSL::safe::opt_provider_synopsis -} [I] ... B @@ -27,6 +28,7 @@ B [B<-old>] [B<-n>] [B<-v>] +{- $OpenSSL::safe::opt_provider_synopsis -} [I] ... =head1 DESCRIPTION @@ -117,6 +119,8 @@ releases. Print messages about old links removed and new links created. By default, this command only lists each directory as it is processed. +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 ENVIRONMENT diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index 598e6a8d54..703a208bc1 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in @@ -51,6 +51,7 @@ B B {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine keygen_engine sm2-id sm2-hex-id @@ -323,6 +324,8 @@ argument for this option is string of hexadecimal digits. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 CONFIGURATION FILE FORMAT diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in index 5b867225ac..e2c0b24a1a 100644 --- a/doc/man1/openssl-rsa.pod.in +++ b/doc/man1/openssl-rsa.pod.in @@ -40,6 +40,7 @@ B B [B<-RSAPublicKey_in>] [B<-RSAPublicKey_out>] {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef pvk-strong pvk-weak pvk-none engine @@ -136,6 +137,8 @@ Like B<-pubin> and B<-pubout> except B format is used instead. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in index 1a3a1516e3..d28e672817 100644 --- a/doc/man1/openssl-rsautl.pod.in +++ b/doc/man1/openssl-rsautl.pod.in @@ -33,6 +33,7 @@ B B [B<-asn1parse>] {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine @@ -126,6 +127,8 @@ B<-verify> option. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 NOTES diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 0d3f54e1a2..982c54ae9e 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -120,6 +120,7 @@ B B {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_s_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} [B<-ssl_client_engine> I] {- $OpenSSL::safe::opt_v_synopsis -} @@ -758,6 +759,8 @@ Set the minimal acceptable length, in bits, for B. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_provider_item -} + {- $OpenSSL::safe::opt_engine_item -} =item B<-ssl_client_engine> I diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index b31d4f6a2c..9a5ef10d0a 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -140,6 +140,7 @@ B B {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef unix 4 6 unlink no_dhe nextprotoneg use_srtp engine @@ -661,6 +662,8 @@ data that was sent will be rejected. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + {- $OpenSSL::safe::opt_v_item -} If the server requests a client certificate, then diff --git a/doc/man1/openssl-s_time.pod.in b/doc/man1/openssl-s_time.pod.in index cf8759108a..8cdc2b4347 100644 --- a/doc/man1/openssl-s_time.pod.in +++ b/doc/man1/openssl-s_time.pod.in @@ -28,6 +28,7 @@ B B {- $OpenSSL::safe::opt_name_synopsis -} [B<-cafile> I] {- $OpenSSL::safe::opt_trust_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 @@ -122,6 +123,8 @@ can establish. {- $OpenSSL::safe::opt_trust_item -} +{- $OpenSSL::safe::opt_provider_item -} + =item B<-cafile> I This is an obsolete synonym for B<-CAfile>. diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in index e9500924ef..c6775505a9 100644 --- a/doc/man1/openssl-smime.pod.in +++ b/doc/man1/openssl-smime.pod.in @@ -49,6 +49,7 @@ B B {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_v_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} I ... =for openssl ifdef engine @@ -288,6 +289,8 @@ Any verification errors cause the command to exit. {- $OpenSSL::safe::opt_r_item -} +{- $OpenSSL::safe::opt_provider_item -} + =item I ... One or more certificates of message recipients, used when encrypting diff --git a/doc/man1/openssl-speed.pod.in b/doc/man1/openssl-speed.pod.in index a15320c0fb..ac0e6b1ced 100644 --- a/doc/man1/openssl-speed.pod.in +++ b/doc/man1/openssl-speed.pod.in @@ -25,6 +25,7 @@ B [B<-mr>] {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I ...] =for openssl ifdef hmac cmac multi async_jobs engine @@ -103,6 +104,8 @@ Produce the summary in a mechanical, machine-readable, format. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =item I ... If any I is given, then those algorithms are tested, otherwise a diff --git a/doc/man1/openssl-spkac.pod.in b/doc/man1/openssl-spkac.pod.in index bfb17d1208..4ea15fa57a 100644 --- a/doc/man1/openssl-spkac.pod.in +++ b/doc/man1/openssl-spkac.pod.in @@ -25,6 +25,7 @@ B B [B<-noout>] [B<-verify>] {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine @@ -99,6 +100,8 @@ Verifies the digital signature on the supplied SPKAC. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 EXAMPLES diff --git a/doc/man1/openssl-srp.pod.in b/doc/man1/openssl-srp.pod.in index e9955d5c40..ce480246ee 100644 --- a/doc/man1/openssl-srp.pod.in +++ b/doc/man1/openssl-srp.pod.in @@ -23,6 +23,7 @@ B [B<-passout> I] {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [I ...] =for openssl ifdef engine @@ -74,6 +75,8 @@ see L. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + {- $OpenSSL::safe::opt_r_synopsis -} =back diff --git a/doc/man1/openssl-storeutl.pod.in b/doc/man1/openssl-storeutl.pod.in index 3bfca0873e..75c30651fc 100644 --- a/doc/man1/openssl-storeutl.pod.in +++ b/doc/man1/openssl-storeutl.pod.in @@ -28,6 +28,7 @@ B B [B<-fingerprint> I] [B<-I>] {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} I ... =head1 DESCRIPTION @@ -110,6 +111,8 @@ The digest that was used to compute the fingerprint given with B<-fingerprint>. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head1 SEE ALSO diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in index f115f45072..8d5e66e6d6 100644 --- a/doc/man1/openssl-ts.pod.in +++ b/doc/man1/openssl-ts.pod.in @@ -23,6 +23,7 @@ B<-query> [B<-out> I] [B<-text>] {- $OpenSSL::safe::opt_r_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} B B B<-reply> @@ -42,6 +43,7 @@ B<-reply> [B<-token_out>] [B<-text>] {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} B B B<-verify> @@ -54,6 +56,7 @@ B<-verify> [B<-CApath> I

] [B<-CAstore> I] {- $OpenSSL::safe::opt_v_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine @@ -285,6 +288,8 @@ instead of DER. (Optional) {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head2 Timestamp Response verification diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in index 3f13f307e1..fd41bbeb37 100644 --- a/doc/man1/openssl-verify.pod.in +++ b/doc/man1/openssl-verify.pod.in @@ -21,6 +21,7 @@ B B {- $OpenSSL::safe::opt_trust_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_v_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} [B<-->] [I ...] @@ -91,6 +92,8 @@ B<-trusted>, B<-untrusted> or B<-CRLfile> options. {- $OpenSSL::safe::opt_v_item -} +{- $OpenSSL::safe::opt_provider_item -} + =item B<--> Indicates the last option. All arguments following this are assumed to be diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index 1ec2110100..8cf03d937e 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -75,6 +75,7 @@ B B {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_r_synopsis -} {- $OpenSSL::safe::opt_engine_synopsis -} +{- $OpenSSL::safe::opt_provider_synopsis -} =for openssl ifdef engine subject_hash_old issuer_hash_old @@ -135,6 +136,8 @@ Cannot be used with the B<-days> option. {- $OpenSSL::safe::opt_engine_item -} +{- $OpenSSL::safe::opt_provider_item -} + =back =head2 Display Options diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index bd3daa1a14..2f56ab7592 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -755,6 +755,26 @@ This file can be used in a subsequent command invocation. =back +=head2 Provider Options + +With the move to provider based cryptographic operations in OpenSSL 3.0, +options were added to allow specific providers or sets of providers to be used. + +=over 4 + +=item B<-provider> I + +Use the provider identified by I and use all the methods it +implements (algorithms, key storage, etc.). This option can be specified +multiple time to load more than one provider. + +=item B<-provider_path> I + +Specify the search I that is used to locate provider modules. The format +of I varies depending on the operating system being used. + +=back + =head2 Extended Verification Options Sometimes there may be more than one certificate chain leading to an diff --git a/doc/man3/OSSL_PROVIDER.pod b/doc/man3/OSSL_PROVIDER.pod index f4f8a3bd5e..8cedbadf09 100644 --- a/doc/man3/OSSL_PROVIDER.pod +++ b/doc/man3/OSSL_PROVIDER.pod @@ -2,6 +2,7 @@ =head1 NAME +OSSL_PROVIDER_set_default_search_path, OSSL_PROVIDER, OSSL_PROVIDER_load, OSSL_PROVIDER_unload, OSSL_PROVIDER_available, OSSL_PROVIDER_gettable_params, OSSL_PROVIDER_get_params, @@ -13,6 +14,9 @@ OSSL_PROVIDER_add_builtin, OSSL_PROVIDER_name - provider routines typedef struct ossl_provider_st OSSL_PROVIDER; + void OSSL_PROVIDER_set_default_search_path(OPENSSL_CTX *libctx, + const char *path); + OSSL_PROVIDER *OSSL_PROVIDER_load(OPENSSL_CTX *libctx, const char *name); int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); int OSSL_PROVIDER_available(OPENSSL_CTX *libctx, const char *name); @@ -39,6 +43,11 @@ L for further details. =head2 Functions +OSSL_PROVIDER_set_default_search_path() specifies the default search B +that is to be used for looking for providers in the specified B. +If left unspecified, an environment variable and a fall back default value will +be used instead. + OSSL_PROVIDER_add_builtin() is used to add a built in provider to B store in the given library context, by associating a provider name with a provider initialization function. diff --git a/doc/perlvars.pm b/doc/perlvars.pm index bae8b15e83..82d6e5a157 100644 --- a/doc/perlvars.pm +++ b/doc/perlvars.pm @@ -88,6 +88,17 @@ $OpenSSL::safe::opt_r_item = "" . "\n" . "See L for details."; +# Provider options +$OpenSSL::safe::opt_provider_synopsis = "" +. "[B<-provider> I]\n" +. "[B<-provider_path> I]"; +$OpenSSL::safe::opt_provider_item = "" +. "=item B<-provider> I\n" +. "\n" +. "=item B<-provider_path> I\n" +. "\n" +. "See L."; + # Engine option $OpenSSL::safe::opt_engine_synopsis = "" . "[B<-engine> I]"; diff --git a/include/openssl/provider.h b/include/openssl/provider.h index 86dabf42ce..c17f1d46fc 100644 --- a/include/openssl/provider.h +++ b/include/openssl/provider.h @@ -16,6 +16,9 @@ extern "C" { # endif +/* Set the default provider search path */ +int OSSL_PROVIDER_set_default_search_path(OPENSSL_CTX *, const char *path); + /* Load and unload a provider */ OSSL_PROVIDER *OSSL_PROVIDER_load(OPENSSL_CTX *, const char *name); int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); diff --git a/util/libcrypto.num b/util/libcrypto.num index 8334b99361..d7a94f8adf 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4955,3 +4955,4 @@ OSSL_SELF_TEST_free ? 3_0_0 EXIST::FUNCTION: OSSL_SELF_TEST_onbegin ? 3_0_0 EXIST::FUNCTION: OSSL_SELF_TEST_oncorrupt_byte ? 3_0_0 EXIST::FUNCTION: OSSL_SELF_TEST_onend ? 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_set_default_search_path ? 3_0_0 EXIST::FUNCTION: