Translation OPENSSL HANDBOOK
4.6 Using Engines
OpenSSL has built-in support for cryptographic acceleration hardware. Through the ENGINE object type, an application obtains a reference to an implementation, which in the description that follows is usually a hardware device. This support first appeared in the separately distributed "engine" release of OpenSSL 0.9.6; starting with version 0.9.7 it is part of the main branch. Version 0.9.7 provides a considerably more robust feature set for the ENGINE package, but 0.9.6 already contains the basic functions for setting up an ENGINE object, and at the time of writing these functions have not changed. If they do change, we will post updated information on our web site. The basic idea is simple: we look up an object representing the type of hardware we want to use, and then tell OpenSSL to use the device we selected. Example 4-17 is a short code fragment showing how this is done.
Example 4-17. Enabling a hardware engine

    ENGINE *e;

    /* look up the engine by its id (see Table 4-2) ... */
    if (!(e = ENGINE_by_id("cswift")))
        fprintf(stderr, "Error finding specified ENGINE\n");
    /* ... and make it the default for every kind of operation it implements */
    else if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
        fprintf(stderr, "Error using ENGINE\n");
    else
        fprintf(stderr, "Engine successfully enabled\n");
The call to ENGINE_by_id looks up the implementation named by its argument and returns an ENGINE object for it. The function takes a single parameter, a string identifying the implementation we want. Table 4-2 lists the identifiers of the supported hardware and software engines.
Table 4-2. Supported hardware and software engines
Engine ID: Description
openssl: Uses OpenSSL's ordinary built-in software implementations. This is the default.
openbsd_dev_crypto: On the OpenBSD operating system, uses the cryptographic support built into the kernel.
cswift: CryptoSwift hardware acceleration.
chil: nCipher CHIL hardware acceleration.
atalla: Compaq Atalla hardware acceleration.
nuron: Nuron hardware acceleration.
ubsec: Broadcom uBSec hardware acceleration.
aep: Aep hardware acceleration.
sureware: SureWare hardware acceleration.
Once we have the ENGINE object, we tell OpenSSL to use it by calling ENGINE_set_default. The second parameter lets us restrict the kinds of cryptographic operations the engine is allowed to handle. For example, if we have an engine that only performs RSA operations and we request ENGINE_METHOD_ALL, as in Example 4-17, RSA requests will be handled by the engine. On the other hand, if we call ENGINE_set_default with ENGINE_METHOD_DSA for that same RSA-only engine, OpenSSL will not use the engine for any operation at all, because the flag allows it to work only on DSA operations. Table 4-3 gives the complete list of restriction flags; they can be combined with a bitwise OR.
Table 4-3. Flags for ENGINE_set_default
Flag: Description
ENGINE_METHOD_RSA: Restricts use of the engine to RSA operations only.
ENGINE_METHOD_DSA: Restricts use of the engine to DSA operations only.
ENGINE_METHOD_DH: Restricts use of the engine to DH operations only.
ENGINE_METHOD_RAND: Restricts use of the engine to random number generation only.
ENGINE_METHOD_CIPHERS: Restricts use of the engine to symmetric cipher operations only.
ENGINE_METHOD_DIGESTS: Restricts use of the engine to message digest operations only.
ENGINE_METHOD_ALL: Allows the engine to be used for any of the above operations that it implements.
Besides setting a default engine, ENGINE objects can be passed to several other places in OpenSSL 0.9.7. For example, the EVP_EncryptInit function is now deprecated and has been replaced by EVP_EncryptInit_ex. These "ex" functions take one additional parameter: an ENGINE object. In general, a NULL value can be passed for the ENGINE, in which case OpenSSL's default engine is used: if ENGINE_set_default has been called, the default is the engine it installed; if it has not, the built-in software implementation is used.
The purpose of these new "ex" functions is to allow finer-grained control over which cryptographic device handles each request. This is particularly useful when we have more than one accelerator and want to choose between them according to the needs of the application.
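To make the selection rule concrete, the following added example (it is not from the book and not OpenSSL code) models how the flags given to ENGINE_set_default and the ENGINE argument of an "ex" function decide which implementation serves an operation. The flag bit values, model_engine, model_set_default, model_resolve and the rsa_only_engine stand-in are all constructed for this illustration; only the rule they encode comes from the text above.

```c
#include <stdio.h>

/* Operation classes, mirroring the flags of Table 4-3. The bit values are
   chosen for this model; they are not OpenSSL's definitions. */
enum {
    M_RSA     = 1u << 0,
    M_DSA     = 1u << 1,
    M_DH      = 1u << 2,
    M_RAND    = 1u << 3,
    M_CIPHERS = 1u << 4,
    M_DIGESTS = 1u << 5,
    M_ALL     = 0xFFFFu
};

/* A model engine: its id and the operation classes it actually implements. */
typedef struct {
    const char  *id;
    unsigned int supports;
} model_engine;

/* The built-in software implementation, which handles everything. */
const model_engine software_engine = { "openssl", M_ALL };

/* Constructed stand-in for an accelerator that implements RSA only. */
const model_engine rsa_only_engine = { "rsa-only-card", M_RSA };

/* State recorded by model_set_default: which engine, and for which classes. */
static const model_engine *default_engine = NULL;
static unsigned int        default_flags  = 0;

/* Model of ENGINE_set_default(e, flags): record the engine and the classes it
   is permitted to serve. As the text describes, the call succeeds even when the
   flags name no class the engine implements; the engine is then never chosen.
   Returns 1 on success, 0 when no engine was supplied. */
int model_set_default(const model_engine *e, unsigned int flags)
{
    if (e == NULL)
        return 0;
    default_engine = e;
    default_flags  = flags;
    return 1;
}

/* Model of the lookup an "ex" function performs for one operation class:
   - an explicit engine is used if it implements the class, otherwise the
     request is an error (NULL here, where the real EVP call would fail);
   - with NULL, the default engine is used if it implements the class and the
     flags passed to model_set_default allow it; otherwise software is used. */
const model_engine *model_resolve(const model_engine *explicit_engine, unsigned int op)
{
    if (explicit_engine != NULL)
        return (explicit_engine->supports & op) ? explicit_engine : NULL;
    if (default_engine != NULL && (default_engine->supports & default_flags & op))
        return default_engine;
    return &software_engine;
}

static void show(const char *what, const model_engine *e)
{
    printf("%-34s -> %s\n", what, e ? e->id : "error: engine cannot do this");
}

int main(void)
{
    /* The Table 4-3 discussion: RSA-only engine restricted to DSA is never used. */
    model_set_default(&rsa_only_engine, M_DSA);
    show("RSA op, default = rsa-only / DSA", model_resolve(NULL, M_RSA));

    /* ENGINE_METHOD_ALL as in Example 4-17: RSA goes to the card, DSA to software. */
    model_set_default(&rsa_only_engine, M_ALL);
    show("RSA op, default = rsa-only / ALL", model_resolve(NULL, M_RSA));
    show("DSA op, default = rsa-only / ALL", model_resolve(NULL, M_DSA));

    /* An explicit ENGINE argument to an "ex" function overrides the default. */
    show("DSA op, explicit rsa-only",       model_resolve(&rsa_only_engine, M_DSA));
    return 0;
}
```

The point to take from the model is that the flags are a permission mask applied on top of what the engine can do: an engine is only ever used for operations it implements and that the mask allows, and everything else silently goes to the software implementation, so a wrong mask does not fail loudly, it just leaves the accelerator idle.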
Chapter 5. SSL/TLS Programming
The most prominent feature of the OpenSSL library is its implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Originally developed by Netscape to secure online transactions, these protocols have become the common means of securing communication channels. Netscape's first public version of SSL is the one we now call SSLv2.
5.1 Programming with SSL
OpenSSL is the API most often used for SSL development. As discussed in Chapter 1, achieving SSL's security goals is not easy, and compounding this, the API is difficult to use. To address these concerns we attack the problem in three steps. In each step, the developer must supply some application-specific knowledge to determine how SSL should do its job. For example, a developer who needs a high degree of compatibility with existing browsers will make different design choices from a developer whose main concern is a high degree of security.
The steps for implementing an SSL client are the same as for a server. We will start with a small example and build on it: the example evolves until all of the steps have been incorporated. In each step we introduce a small portion of the API, so that by the end the developer should have a clearer picture of how to design for SSL. Completing these steps is not the end of the road, however: many applications have further requirements, and addressing them means looking further into the features of the API.
5.1.1 Our Example Applications
We will use two very simple applications: a client that sends data to a server, and a server that writes the data it receives to its console. Our goal is to modify both applications so that they do their work over SSL. In other words, we will build up the procedure step by step, demonstrating each link of the chain. As we walk the path of creating an SSL program, we encounter every step that a developer must take.
There are four files in total: common.h, common.c, client.c and server.c. Example 5-1 shows common.h. We also make use of the threading code from Example 4-2 so that the server can run multi-threaded; on UNIX systems this means POSIX threads.
Example 5-1. common.h

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <openssl/bio.h>
    #include <openssl/err.h>
    #include <openssl/rand.h>
    #include <openssl/ssl.h>
    #include <openssl/x509v3.h>

    #ifndef WIN32
    #include <pthread.h>
    #define THREAD_CC
    #define THREAD_TYPE pthread_t
    /* pthread_create expects a void *(*)(void *) entry point; the cast lets the
       same void THREAD_CC entry(void *) signature serve on both platforms */
    #define THREAD_CREATE(tid, entry, arg) pthread_create(&(tid), NULL, \
                                               (void *(*)(void *))(entry), (arg))
    #else
    #include <windows.h>
    #include <process.h>   /* _beginthread, _endthread */
    #define THREAD_CC __cdecl
    #define THREAD_TYPE DWORD
    #define THREAD_CREATE(tid, entry, arg) do { _beginthread((entry), 0, (arg)); \
                                                (tid) = GetCurrentThreadId(); \
                                              } while (0)
    #endif

    #define PORT "6001"
    #define SERVER "splat.zork.org"
    #define CLIENT "shell.zork.org"

    #define int_error(msg) handle_error(__FILE__, __LINE__, msg)
    void handle_error(const char *file, int lineno, const char *msg);

    /* locking setup for multithreaded use, defined in Example 4-2 (not shown here) */
    int THREAD_setup(void);

    void init_OpenSSL(void);
Example 5-2, common.c, defines handle_error, the function that reports errors. The error handling in these examples simply exits the program as soon as a problem occurs; a real application will usually prefer a more user-friendly interface and its own error-handling scheme. In short, it is not appropriate for all applications. common.c also defines an initialization function, init_OpenSSL, which sets OpenSSL up for multithreaded use, initializes the library, and calls SSL_load_error_strings so that the error strings are loaded; when an error occurs and the error stack is printed, we then get readable messages instead of bare codes. Loading these strings consumes some memory, but during development and debugging it is usually a good idea to have the diagnostic information available.
Since both the client and the server use the same common.c to set up SSL support, the prototypes for the functions it provides are in common.h.
Example 5-2. common.c

    #include "common.h"

    /* report an error with its location, dump OpenSSL's error stack, and exit */
    void handle_error(const char *file, int lineno, const char *msg)
    {
        fprintf(stderr, "** %s:%i %s\n", file, lineno, msg);
        ERR_print_errors_fp(stderr);
        exit(-1);
    }

    void init_OpenSSL(void)
    {
        /* THREAD_setup() is the locking setup from Example 4-2 */
        if (!THREAD_setup() || !SSL_library_init())
        {
            fprintf(stderr, "** OpenSSL initialization failed!\n");
            exit(-1);
        }
        SSL_load_error_strings();
    }
The client application is in Example 5-3, client.c. At a high level, it makes a connection to port 6001 on the server named in common.h. Once the connection is established, it reads data from stdin until EOF and writes what it reads to the server over that connection. Note that although we use OpenSSL's BIO interface for the communication, we are not yet using the SSL protocol. Lines 27-29 create a new BIO object from the BIO_METHOD returned by BIO_s_connect; BIO_new_connect is a convenience function that does exactly this. If no error occurred, lines 31-32 actually make the TCP connection and check for errors. Once the connection succeeds, do_client_loop repeatedly reads data from stdin and writes it to the connection. If an error occurs while writing, or EOF is read from the console, the function returns.
Example 5-3. client.c

     1  #include "common.h"
     2
     3  void do_client_loop(BIO *conn)
     4  {
     5      int err, nwritten;
     6      char buf[80];
     7
     8      for (;;)
     9      {
    10          if (!fgets(buf, sizeof(buf), stdin))
    11              break;
    12          for (nwritten = 0; nwritten < (int)strlen(buf); nwritten += err)
    13          {
    14              err = BIO_write(conn, buf + nwritten, strlen(buf) - nwritten);
    15              if (err <= 0)
    16                  return;
    17          }
    18      }
    19  }
    20
    21  int main(int argc, char *argv[])
    22  {
    23      BIO *conn;
    24
    25      init_OpenSSL();
    26
    27      conn = BIO_new_connect(SERVER ":" PORT);
    28      if (!conn)
    29          int_error("Error creating connection BIO");
    30
    31      if (BIO_do_connect(conn) <= 0)
    32          int_error("Error connecting to remote machine");
    33
    34      fprintf(stderr, "Connection opened\n");
    35      do_client_loop(conn);
    36      fprintf(stderr, "Connection closed\n");
    37
    38      BIO_free(conn);
    39      return 0;
    40  }

The loop on line 12 is bounded by the length of the line just read, not by sizeof(buf): once every byte has been written, a further zero-length BIO_write would return 0, and the check on line 15 would mistake that for a failed connection.
The server application, Example 5-4, server.c, differs from the client in several ways. After calling the initialization function, it creates a different kind of BIO, one based on the BIO_METHOD returned by BIO_s_accept; this kind of BIO provides a server-side interface that can accept remote connections. Lines 50-51 make the first call to BIO_do_accept, which binds the listening socket to port 6001; each subsequent call to BIO_do_accept blocks waiting for a remote connection. The loop continues indefinitely: whenever a connection is accepted, the BIO for the connected socket is popped off the accept BIO and a new thread is created to run do_server_loop on it, which simply reads data from the connection and writes it to stdout. If an error occurs, the function returns and the thread terminates. Line 33 calls ERR_remove_state to free the memory used by the thread's error queue.
Example 5-4. server.c

     1  #include "common.h"
     2
     3  void do_server_loop(BIO *conn)
     4  {
     5      int err, nread;
     6      char buf[80];
     7
     8      do
     9      {
    10          for (nread = 0; nread < (int)sizeof(buf); nread += err)
    11          {
    12              err = BIO_read(conn, buf + nread, sizeof(buf) - nread);
    13              if (err <= 0)
    14                  break;
    15          }
    16          fwrite(buf, 1, nread, stdout);
    17      }
    18      while (err > 0);
    19  }
    20
    21  void THREAD_CC server_thread(void *arg)
    22  {
    23      BIO *client = (BIO *)arg;
    24
    25  #ifndef WIN32
    26      pthread_detach(pthread_self());
    27  #endif
    28      fprintf(stderr, "Connection opened\n");
    29      do_server_loop(client);
    30      fprintf(stderr, "Connection closed\n");
    31
    32      BIO_free(client);
    33      ERR_remove_state(0);
    34  #ifdef WIN32
    35      _endthread();
    36  #endif
    37  }
    38
    39  int main(int argc, char *argv[])
    40  {
    41      BIO *acc, *client;
    42      THREAD_TYPE tid;
    43
    44      init_OpenSSL();
    45
    46      acc = BIO_new_accept(PORT);
    47      if (!acc)
    48          int_error("Error creating server socket");
    49
    50      if (BIO_do_accept(acc) <= 0)
    51          int_error("Error binding server socket");
    52
    53      for (;;)
    54      {
    55          if (BIO_do_accept(acc) <= 0)
    56              int_error("Error accepting connection");
    57
    58          client = BIO_pop(acc);
    59          THREAD_CREATE(tid, server_thread, client);
    60      }
    61
    62      BIO_free(acc);
    63      return 0;
    64  }
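The write loop in do_client_loop and the read loop in do_server_loop follow one rule: a single BIO_write or BIO_read may move fewer bytes than requested, so the caller keeps calling until its count is reached, and the write loop is bounded by the length of the data rather than the size of the buffer. The following added example (not from the book) exercises both loops against a constructed in-memory transport that hands over at most seven bytes per call; mem_pipe, pipe_write, pipe_read, write_all, read_record and the sample line are all assumptions made for this illustration and stand in for the BIO calls, which is why it runs without a network or OpenSSL.

```c
#include <stdio.h>
#include <string.h>

/* Constructed in-memory transport that moves at most CHUNK bytes per call,
   imitating a socket BIO that returns short counts. */
#define CHUNK 7
#define PIPE_CAP 256

typedef struct {
    char data[PIPE_CAP];
    int  len;    /* bytes written so far */
    int  pos;    /* read cursor */
    int  calls;  /* number of transport calls made so far */
} mem_pipe;

/* Same contract as BIO_write on a socket: bytes written (> 0), 0 for a
   zero-length write, -1 if the transport cannot take more data. */
static int pipe_write(mem_pipe *p, const char *buf, int len)
{
    int n = len;
    p->calls++;
    if (len <= 0)
        return 0;
    if (n > CHUNK) n = CHUNK;
    if (n > PIPE_CAP - p->len) n = PIPE_CAP - p->len;
    if (n <= 0)
        return -1;
    memcpy(p->data + p->len, buf, n);
    p->len += n;
    return n;
}

/* Same contract as BIO_read: bytes read (> 0), 0 once the data is exhausted. */
static int pipe_read(mem_pipe *p, char *buf, int len)
{
    int n = p->len - p->pos;
    p->calls++;
    if (n > len)   n = len;
    if (n > CHUNK) n = CHUNK;
    if (n <= 0)
        return 0;
    memcpy(buf, p->data + p->pos, n);
    p->pos += n;
    return n;
}

/* Write all of buf[0..len), looping over short writes; the bound is the data
   length, so no zero-length write is ever issued. Returns 1 on success, 0 on error. */
int write_all(mem_pipe *p, const char *buf, int len)
{
    int nwritten, err;
    for (nwritten = 0; nwritten < len; nwritten += err) {
        err = pipe_write(p, buf + nwritten, len - nwritten);
        if (err <= 0)
            return 0;
    }
    return 1;
}

/* Read until buf is full or the peer stops sending, as do_server_loop does.
   Returns the bytes placed in buf; *closed is 1 if the transport returned 0
   or an error before the buffer filled. */
int read_record(mem_pipe *p, char *buf, int len, int *closed)
{
    int nread, err = 1;
    for (nread = 0; nread < len; nread += err) {
        err = pipe_read(p, buf + nread, len - nread);
        if (err <= 0)
            break;
    }
    *closed = (err <= 0);
    return nread;
}

/* Constructed sample line: 37 bytes, so it takes six 7-byte writes. */
const char sample_line[] = "hello across a short-write transport\n";

/* Results of the last demo_roundtrip call, exposed for inspection. */
int last_write_calls = 0;
int last_closed = 0;

/* Push the sample line through the transport and read it back into an 80-byte
   record buffer. Returns the bytes read back, or -1 if the data was damaged. */
int demo_roundtrip(void)
{
    mem_pipe p;
    char buf[80];
    int n;
    memset(&p, 0, sizeof(p));
    if (!write_all(&p, sample_line, (int)strlen(sample_line)))
        return -1;
    last_write_calls = p.calls;
    n = read_record(&p, buf, (int)sizeof(buf), &last_closed);
    if (n != (int)strlen(sample_line) || memcmp(buf, sample_line, n) != 0)
        return -1;
    return n;
}

/* The failure mode of bounding the write loop by sizeof(buf): after the data
   is out, the next call is a zero-length write, which returns 0, and an
   "err <= 0" check would treat that as a broken connection. */
int demo_zero_length_write(void)
{
    mem_pipe p;
    memset(&p, 0, sizeof(p));
    return pipe_write(&p, "", 0);
}

int main(void)
{
    int n = demo_roundtrip();
    printf("bytes round-tripped: %d, transport writes: %d, peer closed: %d\n",
           n, last_write_calls, last_closed);
    printf("zero-length write returns: %d\n", demo_zero_length_write());
    return n < 0;
}
```

Because the sample line is 37 bytes, write_all needs six transport calls and read_record gathers it in six reads before a seventh returns 0; that final 0 is what sets closed and, in the real server, ends the thread.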
Now that we are familiar with the example applications, we will step through the process of making them communicate over SSL.
5.1.2 Step 1: SSL Version Selection and Certificate Preparation
To make an SSL connection secure, we must ensure that the correct version of the protocol is selected and that accurate certificate information is provided. Since this is our first look at the SSL API, we begin with some background on the functions and structures involved.