Algorithm Library

OpenSSL Cryptographic Interface

OpenSSL is a common cryptographic algorithm library software that supports SM2, SM3, and SM4 algorithms. You can invoke the encryption and decryption functions of SM series cryptographic algorithms through command lines or APIs.

Prerequisites

OpenSSL 1.1.1m-6 or later

shell
$ rpm -qa openssl
openssl-1.1.1m-6.oe2209.x86_64

How to Use

Scenario 1: Using the CLI to Call Cryptographic Algorithms

  1. SM2 public key algorithm

    Generate an SM2 private key.

    shell
    openssl ecparam -genkey -name SM2 -out priv.key

    Generate a public key based on the private key.

    shell
    $ openssl ec -in priv.key -pubout -out pub.key
    read EC key
    writing EC key

    Use the SM2 algorithm to sign the file and set the message digest algorithm to SM3.

    shell
    openssl dgst -sm3 -sign priv.key -out data.sig data

    Use the public key to verify the signature.

    shell
    $ openssl dgst -sm3 -verify pub.key -signature data.sig data
    Verified OK
  2. SM3 message digest algorithm

    Use the SM3 algorithm for data digest.

    shell
    $ openssl dgst -sm3 data
    SM3(data)= a794922bb9f0a034257f6c7090a3e8429801a42d422c21f1473e83b7f7eac385
  3. SM4 symmetric cipher algorithm

    Use the SM4 algorithm to encrypt data. -K and -iv specify the key value and IV value used for encryption, respectively. Generally, the key value and IV value need to be randomly generated.

    shell
    openssl enc -sm4 -in data -K 123456789ABCDEF0123456789ABCDEF0 -iv 123456789ABCDEF0123456789ABCDEF0 -out data.enc

    Use the SM4 algorithm to decrypt data.

    shell
    openssl enc -d -sm4 -in data.enc -K 123456789ABCDEF0123456789ABCDEF0 -iv 123456789ABCDEF0123456789ABCDEF0 -out data.raw

    Compare the encrypted and decrypted data. The results are consistent.

    shell
    diff data data.raw

Scenario 2: Using APIs to Call Cryptographic Algorithms

You can directly install openssl-help and query the man manual.

shell
yum install openssl-help
man sm2
man EVP_sm3
man EVP_sm4_cbc

Kernel Cryptographic Interface

Overview

The cryptographic algorithms of the Linux kernel is managed by the crypto framework. Different algorithm implementations can be registered and invoked in the crypto framework. Kernel 5.10 provided by openEuler supports ShangMi (SM) series cryptographic algorithms (SM2, SM3, and SM4). The SM2 and SM3 algorithms are compiled in the kernel by default, and the SM4 algorithm is provided as a kernel module.

Prerequisites

Kernel 5.10.0-106 or later

shell
# rpm -qa kernel
kernel-5.10.0-106.1.0.55.oe2209.x86_64

How to Use

Scenario 1: Querying the Cryptographic Algorithms Supported by the Kernel

Use /proc/crypto to query the registered SM series cryptographic algorithms. By default, the SM2 and SM3 algorithms are loaded.

shell
$ cat /proc/crypto | grep sm3 -A8
name         : sm3
driver       : sm3-generic
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 32

$ cat /proc/crypto | grep sm2 -A6
name         : sm2
driver       : sm2-generic
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : akcipher

By default, the SM4 algorithm is not loaded. You need to insert the corresponding module first.

shell
$ modprobe sm4-generic
$ cat /proc/crypto | grep sm4 -A8
name         : sm4
driver       : sm4-generic
module       : sm4_generic
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 16

Scenario 2: Calling Algorithm APIs

The method of calling SM series cryptographic algorithms is the same as that of calling other algorithms of the same type. For details, see the Linux kernel document.

text
https://www.kernel.org/doc/html/v5.10/crypto/userspace-if.html

Scenario 3: Optimizing Algorithm Performance Through Instruction Sets

The crypto framework allows registration of algorithm implementations related to the architecture. The algorithm performance can be optimized through a specific instruction set. Currently, the kernel 5.10 of openEuler supports algorithm performance optimization using the following instruction sets.

DriverInstruction SetPriority
sm4-neon(ecb/cbc/cfb/ctr)ARM64-NEON200
sm3-avxx86-AVX300
sm4-aesni-avx (ecb/cbc/cfb/ctr)x86-AVX400
sm4-aesni-avx 2(ecb/cbc/cfb/ctr)x86-AVX2500

When multiple instances of the same algorithm are registered, the default algorithm is selected based on the registered priority of each algorithm instance. A larger priority value indicates a higher priority. The priority of a pure software algorithm (with the suffix -generic) is fixed to 100. By default, the performance optimization through instruction sets is disabled for the SM series cryptographic algorithms and is provided for users in the form of a kernel module. For example, to enable the AVX instruction set optimization of the SM3 algorithm, do as follows:

shell
$ modprobe sm3-avx
$ cat /proc/crypto | grep sm3 -A8
name         : sm3
driver       : sm3-avx
module       : sm3_avx_x86_64
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 32

......

Notes

  1. The prerequisite for enabling algorithm instruction set optimization is that the CPU supports the corresponding instruction set. You can query the instruction set supported by the CPU by calling /proc/cpuinfo.
  2. Calling a specific instruction set has certain overhead. Therefore, it cannot be ensured that the performance optimized by the instruction set is higher than that of software implementation in all scenarios.
  3. The optimization through some instruction sets has certain restrictions. For example, the NEON instruction set has optimization effect only in the encryption mode that supports parallel computing.