Introduction to OpenSSL
OpenSSL is an open source software library that includes secure socket layer and transport layer security protocols. It has almost become the de facto standard in the security field. Most servers and clients use it. Some hardware encryption algorithms usually require the use of the command OpenSSL
lineOpenSSL
tool for verification. In practical applications, OpenSSL
a dynamic engine framework can be provided to facilitate users to use cryptographic devices to complete hardware acceleration.
Introduction to GmSSL
OpenSSL
The corresponding open source project in China is GmSSL , which adds national secret algorithms, such as SM2/SM3/SM4/SM9
etc., and also adds support for national cryptographic standards, such as SKF/SDF/IPSEC
etc.
Introduction to OpenSSL Engine
OpenSSL
Provides Engine
a loading framework for third parties to facilitate users to use their own hardware devices to complete cryptographic algorithms. For example, server manufacturers can complete HTTPS acceleration through OpenSSL
the engine . OpenSSL 1.1.1
After the version, support for asynchronous mode is added, which makes the use of OpenSSL Engine
hardware acceleration a general acceleration method. For intel
example QAT
, in China, Jiangnan Tianan and so on. The rest of this article will describe how to complete the writing of the OpenSSL
dynamic engine.
Writing an OpenSSL Engine
In addition to international algorithms, there may be requirements for national encryption algorithms in practical applications. For example, some applications need to use national encryption suites SM2-WITH-SMS4-SM3
for TLS
connection. This article will use GmSSL to complete the implementation of the engine. The sample code of this article can refer to gmssl_engine . OpenSSL
Provides engine-related information Demo
. When writing an engine, first ENGINE_set_x
complete engine-related information and interface configuration through the interface:
static int bind_gmssl_engine(ENGINE *e, const char *id)
{
int ret = 1;
gmssl_engine_create_ciphers();
ret &= ENGINE_set_id(e, engine_id);
ret &= ENGINE_set_name(e, engine_name);
ret &= ENGINE_set_ciphers(e, gmssl_engine_ciphers);
ret &= ENGINE_set_pkey_meths(e, gmssl_engine_pkey);
ret &= ENGINE_set_destroy_function(e, engine_destroy);
ret &= ENGINE_set_init_function(e, engine_init);
ret &= ENGINE_set_finish_function(e, engine_finish);
ret &= ENGINE_set_ctrl_function(e, engine_ctrl);
ret &= ENGINE_set_cmd_defns(e, cmd_defns);
_assert(ret != 0, ret);
return ret;
}
The registration of the engine is completed through IMPLEMENT_DYNAMIC_BIND_FN
the macro definition:
IMPLEMENT_DYNAMIC_BIND_FN(bind_gmssl_engine)
IMPLEMENT_DYNAMIC_CHECK_FN()
In this way, you only need to implement the relevant interfaces registered in the engine, such as the interfaces ENGINE_set_pkey_meths
set through the interfaces above gmssl_engine_pkey
. Taking the Pkey interface as an example, the method registration EVP_PKEY_meth_set_x
is completed through the interface . PKEY
Here you can also PKEY
complete the registration through the sub-methods, for example, ECC
in EC_KEY_METHOD
the OpenSSL speed
speed test, you can directly call the sub-method to complete it. The advantage of this is that you can use speed
the tool to complete the performance test, but PKEY
the interface is more general and includes all public key algorithms. Currently GmSSL
supports The public key algorithm of is related NID
as follows:
# define EVP_PKEY_NONE NID_undef
# define EVP_PKEY_RSA NID_rsaEncryption
# define EVP_PKEY_RSA2 NID_rsa
# define EVP_PKEY_DSA NID_dsa
# define EVP_PKEY_DSA1 NID_dsa_2
# define EVP_PKEY_DSA2 NID_dsaWithSHA
# define EVP_PKEY_DSA3 NID_dsaWithSHA1
# define EVP_PKEY_DSA4 NID_dsaWithSHA1_2
# define EVP_PKEY_DH NID_dhKeyAgreement
# define EVP_PKEY_DHX NID_dhpublicnumber
# define EVP_PKEY_EC NID_X9_62_id_ecPublicKey
# define EVP_PKEY_HMAC NID_hmac
# define EVP_PKEY_CMAC NID_cmac
# define EVP_PKEY_TLS1_PRF NID_tls1_prf
# define EVP_PKEY_HKDF NID_hkdf
# define EVP_PKEY_PAILLIER NID_paillier
# define EVP_PKEY_SM9_MASTER NID_id_sm9MasterSecret
# define EVP_PKEY_SM9 NID_id_sm9PublicKey
OpenSSL
It also supports asynchronous mode. It is necessary to add related interfaces in the engine ASYNC_x
to complete the suspend and wake-up operations. In the process of asynchronous mode, first ASYNC_start_job
create asynchrony through the interface Job
. After the engine-related acceleration interface unloads the task to the hardware, ASYNC_get_wait_ctx
the current asynchrony is obtained through the interface job
, and through ASYNC_WAIT_CTX_get_fd
the interface Get the asynchronous handle, suspend the task by reading the asynchronous handle, wake up the task through the callback function to continue execution after the hardware calculation is completed, this process is similar to the process of suspending the character, wake up the character by writing the asynchronous handle . Since no hardware device is used in the example code, asynchronous mode is not added, but it is very important in practical applications.
Summarize
OpenSSL
Not only does it provide a lot of practical tools, its engine framework is also very important in practical applications, and the corresponding ones are GmSSL
also excellent. From NGINX
encryption OpenSSL
to PCIE
encryption cards, the HTTPS
connection speed becomes faster.