Introduction to OpenSSL
OpenSSL is an open source software library that includes secure socket layer and transport layer security protocols. It has almost become the de facto standard in the security field. Most servers and clients use it. Some hardware encryption algorithms usually require the use of the command OpenSSLlineOpenSSL tool for verification. In practical applications, OpenSSLa dynamic engine framework can be provided to facilitate users to use cryptographic devices to complete hardware acceleration.
Introduction to GmSSL
OpenSSLThe corresponding open source project in China is GmSSL , which adds national secret algorithms, such as SM2/SM3/SM4/SM9etc., and also adds support for national cryptographic standards, such as SKF/SDF/IPSECetc.
Introduction to OpenSSL Engine
OpenSSLProvides Enginea loading framework for third parties to facilitate users to use their own hardware devices to complete cryptographic algorithms. For example, server manufacturers can complete HTTPS acceleration through OpenSSLthe engine . OpenSSL 1.1.1After the version, support for asynchronous mode is added, which makes the use of OpenSSL Enginehardware acceleration a general acceleration method. For intelexample QAT, in China, Jiangnan Tianan and so on. The rest of this article will describe how to complete the writing of the OpenSSLdynamic engine.
Writing an OpenSSL Engine
In addition to international algorithms, there may be requirements for national encryption algorithms in practical applications. For example, some applications need to use national encryption suites SM2-WITH-SMS4-SM3for TLSconnection. This article will use GmSSL to complete the implementation of the engine. The sample code of this article can refer to gmssl_engine . OpenSSLProvides engine-related information Demo. When writing an engine, first ENGINE_set_xcomplete engine-related information and interface configuration through the interface:
static int bind_gmssl_engine(ENGINE *e, const char *id)
{
int ret = 1;
gmssl_engine_create_ciphers();
ret &= ENGINE_set_id(e, engine_id);
ret &= ENGINE_set_name(e, engine_name);
ret &= ENGINE_set_ciphers(e, gmssl_engine_ciphers);
ret &= ENGINE_set_pkey_meths(e, gmssl_engine_pkey);
ret &= ENGINE_set_destroy_function(e, engine_destroy);
ret &= ENGINE_set_init_function(e, engine_init);
ret &= ENGINE_set_finish_function(e, engine_finish);
ret &= ENGINE_set_ctrl_function(e, engine_ctrl);
ret &= ENGINE_set_cmd_defns(e, cmd_defns);
_assert(ret != 0, ret);
return ret;
}
The registration of the engine is completed through IMPLEMENT_DYNAMIC_BIND_FNthe macro definition:
IMPLEMENT_DYNAMIC_BIND_FN(bind_gmssl_engine)
IMPLEMENT_DYNAMIC_CHECK_FN()
In this way, you only need to implement the relevant interfaces registered in the engine, such as the interfaces ENGINE_set_pkey_methsset through the interfaces above gmssl_engine_pkey. Taking the Pkey interface as an example, the method registration EVP_PKEY_meth_set_xis completed through the interface . PKEYHere you can also PKEYcomplete the registration through the sub-methods, for example, ECCin EC_KEY_METHODthe OpenSSL speedspeed test, you can directly call the sub-method to complete it. The advantage of this is that you can use speedthe tool to complete the performance test, but PKEYthe interface is more general and includes all public key algorithms. Currently GmSSLsupports The public key algorithm of is related NIDas follows:
# define EVP_PKEY_NONE NID_undef
# define EVP_PKEY_RSA NID_rsaEncryption
# define EVP_PKEY_RSA2 NID_rsa
# define EVP_PKEY_DSA NID_dsa
# define EVP_PKEY_DSA1 NID_dsa_2
# define EVP_PKEY_DSA2 NID_dsaWithSHA
# define EVP_PKEY_DSA3 NID_dsaWithSHA1
# define EVP_PKEY_DSA4 NID_dsaWithSHA1_2
# define EVP_PKEY_DH NID_dhKeyAgreement
# define EVP_PKEY_DHX NID_dhpublicnumber
# define EVP_PKEY_EC NID_X9_62_id_ecPublicKey
# define EVP_PKEY_HMAC NID_hmac
# define EVP_PKEY_CMAC NID_cmac
# define EVP_PKEY_TLS1_PRF NID_tls1_prf
# define EVP_PKEY_HKDF NID_hkdf
# define EVP_PKEY_PAILLIER NID_paillier
# define EVP_PKEY_SM9_MASTER NID_id_sm9MasterSecret
# define EVP_PKEY_SM9 NID_id_sm9PublicKey
OpenSSLIt also supports asynchronous mode. It is necessary to add related interfaces in the engine ASYNC_xto complete the suspend and wake-up operations. In the process of asynchronous mode, first ASYNC_start_jobcreate asynchrony through the interface Job. After the engine-related acceleration interface unloads the task to the hardware, ASYNC_get_wait_ctxthe current asynchrony is obtained through the interface job, and through ASYNC_WAIT_CTX_get_fdthe interface Get the asynchronous handle, suspend the task by reading the asynchronous handle, wake up the task through the callback function to continue execution after the hardware calculation is completed, this process is similar to the process of suspending the character, wake up the character by writing the asynchronous handle . Since no hardware device is used in the example code, asynchronous mode is not added, but it is very important in practical applications.
Summarize
OpenSSLNot only does it provide a lot of practical tools, its engine framework is also very important in practical applications, and the corresponding ones are GmSSLalso excellent. From NGINXencryption OpenSSLto PCIEencryption cards, the HTTPSconnection speed becomes faster.