OpenSSL 3.0 learning II: algorithm fetching in the crypto library

Posted by spiritssight on Thu, 27 Jan 2022 12:41:57 +0100


🥦 Algorithm fetching

In order to use an algorithm, you must first "fetch" an implementation of it. Fetching is the process of looking through the available implementations, applying selection criteria (via a property query string), and finally choosing the implementation that will be used.

OpenSSL supports two types of fetching: explicit and implicit.

🥬 Property query string

When fetching an algorithm, you can specify a property query string to guide the selection process. For example, the property query string "provider=default" forces the selection to consider only algorithm implementations in the default provider.

Property query strings can be specified explicitly as an argument to a function. The EVP_set_default_properties function can also be used to set a default property query string for an entire library context. If both default properties and function-specific properties are specified, they are combined. Function-specific properties override default properties where they conflict.
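The combining and override rule above, shown as an added example: a simplified model written for this page, not OpenSSL's code. The names model_fetch, parse_into, matches and impls are hypothetical, the implementation table (including its "fips" entry) is constructed, and treating an undefined property as "no" is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSSL source: "name=value" / "name!=value" only. */
struct clause { char name[32], value[32]; int negate; };
struct query  { struct clause c[8]; int n; };
/* Parse src into q; a clause whose name is already present is replaced. */
static void parse_into(struct query *q, const char *src) {
    char buf[128];
    snprintf(buf, sizeof buf, "%s", src ? src : "");
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        struct clause cl = {0};
        int i = 0;
        if (sscanf(tok, "%31[^!=]!=%31s", cl.name, cl.value) == 2) cl.negate = 1;
        else if (sscanf(tok, "%31[^!=]=%31s", cl.name, cl.value) != 2) continue;
        while (i < q->n && strcmp(q->c[i].name, cl.name) != 0) i++;
        if (i < 8) { q->c[i] = cl; if (i == q->n) q->n++; }
    }
}

/* 1 if props satisfies every clause; an undefined property compares as "no". */
static int matches(const char *props, const struct query *q) {
    struct query def = {0};
    parse_into(&def, props);
    for (int i = 0; i < q->n; i++) {
        const char *have = "no";
        for (int j = 0; j < def.n; j++)
            if (strcmp(def.c[j].name, q->c[i].name) == 0) have = def.c[j].value;
        if ((strcmp(have, q->c[i].value) == 0) == q->c[i].negate) return 0;
    }
    return 1;
}

/* Constructed table of implementations: { algorithm, property definition }. */
static const char *impls[][2] = { { "SHA2-256", "provider=default" },
    { "SHA2-256", "provider=fips,fips=yes" }, { "WHIRLPOOL", "provider=legacy" } };

const char *model_fetch(const char *defaults, const char *alg, const char *propq) {
    struct query q = {0};
    parse_into(&q, defaults);   /* library-context default properties */
    parse_into(&q, propq);      /* function-specific clauses override them */
    for (size_t i = 0; i < sizeof impls / sizeof impls[0]; i++)
        if (strcmp(impls[i][0], alg) == 0 && matches(impls[i][1], &q)) return impls[i][1];
    return NULL;                /* nothing satisfies the combined query */
}

int main(void) {
    const char *r = model_fetch("fips=yes", "SHA2-256", "provider=default");
    return printf("%s\n", r ? r : "(no match)") < 0;
}
```

The call in main combines a default of "fips=yes" with a per-call "provider=default" and finds nothing, which is why a fetch result must always be checked for NULL.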

🥒 Explicit fetching

Users of the OpenSSL libraries never query a provider directly for an algorithm implementation. Instead, the various OpenSSL APIs typically have explicit fetch functions that do this work and return an appropriate algorithm object to the user. For example, EVP_MD_fetch can be used to explicitly fetch a digest algorithm implementation. The user is responsible for freeing the object returned from the function once it is no longer needed.

These fetch functions follow a fairly common pattern, in which three parameters are passed:

  • Library context
    Only providers loaded in this library context are considered by the fetch function. If no provider is loaded in this library context, the default provider is loaded as a fallback.
  • Identifier
    For all currently implemented fetch functions, this is the algorithm name.
  • Property query string
    The property query string used to guide the selection of the algorithm implementation.

The fetched algorithm implementation can then be passed to the other functions that use it. For example, the EVP_DigestInit_ex function takes an EVP_MD object as a parameter, which may have been returned from an earlier call to EVP_MD_fetch.

🌶️ Implicit fetching

OpenSSL has a number of functions that return an algorithm object with no associated implementation, such as EVP_sha256, EVP_blake2b512 or EVP_aes_128_cbc. These exist for compatibility with OpenSSL versions before 3.0, where explicit fetching was not available.

When these objects are used with functions such as EVP_DigestInit_ex or EVP_CipherInit_ex, the actual implementation is fetched implicitly using the default search criteria.

In some cases, implicit fetching can also occur when a NULL algorithm parameter is supplied. In this case, the algorithm implementation is fetched implicitly using the default search criteria and an algorithm name that is consistent with the context in which it is being used.

🌽 Fetching examples

The following section provides a series of examples of fetching algorithm implementations.

Fetch any available implementation of SHA2-256 in the default context. Note that some algorithms have aliases, so "SHA256" and "SHA2-256" are synonymous:

 EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", NULL);
 ...
 EVP_MD_free(md);

Fetch any available implementation of AES-128-CBC in the default context:

 EVP_CIPHER *cipher = EVP_CIPHER_fetch(NULL, "AES-128-CBC", NULL);
 ...
 EVP_CIPHER_free(cipher);

Fetch an implementation of SHA2-256 from the default provider in the default context:

 EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", "provider=default");
 ...
 EVP_MD_free(md);

Fetch an implementation of SHA2-256 that is not from the default provider in the default context:

 EVP_MD *md = EVP_MD_fetch(NULL, "SHA2-256", "provider!=default");
 ...
 EVP_MD_free(md);

Fetch an implementation of SHA2-256 from the default provider in the specified context:

 EVP_MD *md = EVP_MD_fetch(ctx, "SHA2-256", "provider=default");
 ...
 EVP_MD_free(md);

Load the legacy provider into the default context and fetch an implementation of WHIRLPOOL from it:

 /* This only needs to be done once - usually at application start up */
 OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy");
 
 EVP_MD *md = EVP_MD_fetch(NULL, "WHIRLPOOL", "provider=legacy");
 ...
 EVP_MD_free(md);

Note that in the above example the property string "provider=legacy" is optional because, assuming no other providers are loaded, the only implementation of the "whirlpool" algorithm is in the "legacy" provider. Also note that the default provider should be loaded explicitly if it is needed in addition to other providers:

 /* This only needs to be done once - usually at application start up */
 OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy");
 /* "default" is a reserved word in C, so the variable needs another name */
 OSSL_PROVIDER *deflt = OSSL_PROVIDER_load(NULL, "default");
 
 EVP_MD *md_whirlpool = EVP_MD_fetch(NULL, "whirlpool", NULL);
 EVP_MD *md_sha256 = EVP_MD_fetch(NULL, "SHA2-256", NULL);
 ...
 EVP_MD_free(md_whirlpool);
 EVP_MD_free(md_sha256);
