CryptoDev for Linux
Device /dev/crypto (aka CryptoDev) is a way for userspace processes to use cryptographic algorithms provided by kernel CryptoAPI modules. For example a process that needs to AES-encrypt some data can either:
- Have the AES algorithm built in, or
- Use an external library like OpenSSL that will do the encryption, or
- Ask the kernel to do the encryption
Although in most cases an external library is the best option for cryptographic tasks, a kernel interface sometimes comes in handy as well. With it one can write really lightweight programs (see cryptodev-demo.c) that support cryptography without any additional libraries.
CryptoDev was originally introduced in OpenBSD (at least as far as I know :-) and later ported to FreeBSD; on this page you can find my port for Linux 2.6. Because kernel internals differ a lot between BSD and Linux, I only attempted to keep the API (i.e. the semantics used when talking to /dev/crypto) and wrote the driver itself from scratch.
Linux kernel patches
To enable the /dev/crypto device, patch your kernel with the following patch and configure with
Linux kernel 2.6.27+
- cryptodev-20091126.tar.bz2 — 2014-09-21 13:36
  - Standalone module, doesn't require kernel patching; simply unpack and run make && make install.
  - Known to work with 2.6.32 and probably later kernels as well.
  - Thanks to Nikos Mavrogiannopoulos for the port to 2.6.27.
Linux kernel 2.6.8
- cryptodev-2.6.8.diff — 2014-09-21 13:36, MD5, gpg signature
The module takes two parameters:
- verbosity=
- This is 0 by default, i.e. no messages about CryptoDev usage are printed. Use 1 if you are developing or using a program that accesses /dev/crypto and is having problems with it; detailed error messages will then be printed when things go wrong. If you really want your log full of messages about CryptoDev usage, set verbosity to 2.
- enable_stats=
- The driver can collect statistics about CryptoDev usage. For now it can tell you how many bytes were encrypted or decrypted during each session, the size of the biggest request and the average size per request. By default this is 0, i.e. no statistics are collected. Set enable_stats=1 and verbosity=2 if you want to get the statistics described above.
The parameters can be changed even when the module is already loaded by writing to /sys/module/cryptodev/{enable_stats,verbosity}.
Userspace demo
The basic structure of a program using CryptoDev is as follows:
fd = open("/dev/crypto");
ioctl(fd, CIOCGSESSION);
ioctl(fd, CIOCCRYPT);
[... repeat CIOCCRYPT ioctls ...]
ioctl(fd, CIOCFSESSION);
close(fd);
On OpenBSD the file descriptor has to be cloned (CRIOGET) before it is actually used. This is also supported on Linux, but not required:
fd = open("/dev/crypto");
ioctl(fd, CRIOGET, &fd_new);
ioctl(fd_new, CIOCGSESSION);
ioctl(fd_new, CIOCCRYPT);
[... repeat CIOCCRYPT ioctls ...]
ioctl(fd_new, CIOCFSESSION);
close(fd_new);
close(fd);
There are some structures involved as well, but for an overview this is enough. See the following demos for details:
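The outline above carried through as a complete AES-CBC program, with the request checks and error handling a real client needs. This is an added example, not code from the original page or its demo files. It uses the cryptodev-linux ABI (struct session_op, struct crypt_op, CIOCGSESSION/CIOCCRYPT/CIOCFSESSION); where crypto/cryptodev.h is not installed it falls back to local definitions of those structures and ioctl numbers, which are assumed to match that header (OpenBSD numbers them differently). The function names check_aes_cbc_request and cryptodev_aes_cbc and the sample key, IV and plaintext are constructed for the example. The optional CRIOGET clone step is left out, since Linux does not require it.

```c
/* Added example: CryptoDev session lifecycle for AES-CBC (open, CIOCGSESSION,
 * CIOCCRYPT, CIOCFSESSION, close) with input validation and error handling.
 * Not part of the original page. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/types.h>

#if defined(__has_include)
# if __has_include(<crypto/cryptodev.h>)
#  include <crypto/cryptodev.h>
#  define HAVE_CRYPTODEV_H 1
# endif
#endif
#ifndef HAVE_CRYPTODEV_H
/* Assumption: these mirror cryptodev-linux's crypto/cryptodev.h and are used
 * only when that header is not installed. Build against the real header. */
struct session_op { __u32 cipher, mac, keylen; __u8 *key; __u32 mackeylen; __u8 *mackey; __u32 ses; };
struct crypt_op   { __u32 ses; __u16 op, flags; __u32 len; __u8 *src, *dst, *mac, *iv; };
#define CRYPTO_AES_CBC 11
#define COP_ENCRYPT    0
#define COP_DECRYPT    1
#define CIOCGSESSION   _IOWR('c', 102, struct session_op)
#define CIOCFSESSION   _IOW('c', 103, __u32)
#define CIOCCRYPT      _IOWR('c', 104, struct crypt_op)
#endif

#define AES_BLOCK 16

/* Reject malformed requests before they reach the kernel: the driver would
 * return a generic EINVAL, this says why. Returns 0 or -EINVAL. */
int check_aes_cbc_request(size_t keylen, size_t len)
{
    if (keylen != 16 && keylen != 24 && keylen != 32) return -EINVAL;
    if (len == 0 || len % AES_BLOCK != 0)             return -EINVAL;
    return 0;
}

/* Encrypt (COP_ENCRYPT) or decrypt (COP_DECRYPT) len bytes in -> out through
 * the device at dev. Returns 0 on success, -1 with errno set otherwise;
 * ENOENT/ENODEV means the module is not loaded and the caller should fall
 * back to a userspace library. The session is always released. */
int cryptodev_aes_cbc(const char *dev, int op,
                      const unsigned char *key, size_t keylen,
                      const unsigned char iv[AES_BLOCK],
                      const unsigned char *in, unsigned char *out, size_t len)
{
    struct session_op sess;
    struct crypt_op cop;
    unsigned char ivcopy[AES_BLOCK];   /* driver may update the IV in place */
    int fd, rc = -1, saved;

    if (check_aes_cbc_request(keylen, len) != 0) { errno = EINVAL; return -1; }
    fd = open(dev, O_RDWR);
    if (fd < 0) return -1;

    memset(&sess, 0, sizeof sess);
    sess.cipher = CRYPTO_AES_CBC;
    sess.keylen = keylen;
    sess.key    = (__u8 *)key;
    if (ioctl(fd, CIOCGSESSION, &sess) < 0) goto out_close;

    memcpy(ivcopy, iv, AES_BLOCK);
    memset(&cop, 0, sizeof cop);
    cop.ses = sess.ses;
    cop.op  = op;
    cop.len = len;
    cop.src = (__u8 *)in;
    cop.dst = out;
    cop.iv  = ivcopy;
    if (ioctl(fd, CIOCCRYPT, &cop) == 0) rc = 0;

    saved = errno;
    ioctl(fd, CIOCFSESSION, &sess.ses);
    errno = saved;
out_close:
    saved = errno; close(fd); errno = saved;
    return rc;
}

int main(void)
{
    /* Constructed sample key, IV and plaintext; not real secrets. */
    unsigned char key[16] = "0123456789abcdef";
    unsigned char iv[AES_BLOCK] = {0};
    unsigned char pt[32] = "CryptoDev sample plaintext....", ct[32], back[32];

    if (cryptodev_aes_cbc("/dev/crypto", COP_ENCRYPT, key, sizeof key, iv, pt, ct, sizeof pt) < 0 ||
        cryptodev_aes_cbc("/dev/crypto", COP_DECRYPT, key, sizeof key, iv, ct, back, sizeof ct) < 0) {
        fprintf(stderr, "cryptodev: %s (is the module loaded?)\n", strerror(errno));
        return 1;
    }
    printf("round trip %s\n", memcmp(pt, back, sizeof pt) == 0 ? "ok" : "FAILED");
    return 0;
}
```

Build with cc -o cryptodev-aes cryptodev-aes.c and run it where the cryptodev module is loaded; the round trip decrypts back to the original buffer. Where /dev/crypto is absent, open fails with ENOENT and the function returns -1 without touching any ioctl, which is the point at which a program would switch to the library path the introduction contrasts this interface with.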
- CryptoDev usage demo
  - cryptodev-demo1.c (Colorized)
- CryptoDev with OpenSSL
  - cryptodev-demo2.c (Colorized)
CryptoDev support for OpenSSL
If you want to combine the (dis:-)advantages of using both OpenSSL and CryptoDev you may want to give the following patch a try:
- openssl-0.9.8k-cryptodev.diff — 2014-09-21 13:36
  - Apply this patch to the original openssl-0.9.8k.tar.gz and recompile.
- openssl-0.9.7d-cryptodev.diff — 2014-09-21 13:36, MD5, gpg signature
  - Apply this patch to the original openssl-0.9.7d.tar.gz and recompile.
Using CryptoAPI in the Linux kernel
(This is a bit off-topic here :-)
CryptoAPI is a Linux in-kernel infrastructure that offers cryptography to all other subsystems. It provides a single API for accessing different ciphers and digests.
- Simple Linux kernel module that shows how encryption and decryption can be used:
  - cryptoapi-demo.c (Colorized)
Useful CryptoAPI-related links:
- CryptoAPI mailing list
  - Archive and subscription page
- VIA PadLock support for Linux
  - Patches for Kernel and OpenSSL