OpenSSL source code structure

OpenSSL source code mainly consists of the eay library, SSL library, tool source code, sample source code, and test source code.


The eay library is a basic library function and provides many functions. The source code is stored in the crypto directory. Includes the following content:


1) ASN.1 DER encoding and decoding (crypto/ASN1 directory ), it includes the encoding and decoding of basic ASN1 objects and the most basic functions such as digital certificate requests, digital certificates, CRL Revocation Lists, and pkcs8. These functions are mainly implemented through macros.


2) Abstract io (Bio, crypto/Bio directory). functions in this directory abstract various input and output, including files, memory, standard input and output, socket, and SSL protocols.


3) large number operations (crypto/BN directory). files in this directory implement various large number operations. These large numbers are mainly used for key generation and various encryption and decryption operations in asymmetric algorithms. In addition, a large number of auxiliary functions are provided for users, such as mutual conversion between memory and large numbers.


4) character cache operation (crypto/buffer directory ).


5) read the configuration file (crypto/conf directory). The main configuration file of OpenSSL is OpenSSL. CNF. The functions in this directory implement read operations on configuration files in this format.


6) DSO (dynamic shared object, crypto/DSO directory). files in this directory mainly abstract the dynamic library loading functions of various platforms and provide users with a unified interface.


7) Hardware engine (crypto/Engine Directory) and hardware engine interface. If you want to write your own hardware engine, you must implement the interface specified by it.


8) handle errors (crypto/err directory). When an error occurs in a program, OpenSSL can display errors in the form of stacks. This directory contains only basic error handling interfaces. Specific error information is provided by each module. The files used by each module for error handling are generally * _ err.. c files.


9) symmetric algorithms, asymmetric algorithms, and digest algorithm encapsulation (crypto/EVP directory ).


10) HMAC (crypto/HMAC directory) implements MAC Based on symmetric algorithms.


11) the hash table (crypto/lhash directory) implements the hash table data structure. In OpenSSL, many data structures are stored in a hash. For example, configuration information, SSL session, and ASN.1 object information.


12) digital certificate online authentication (crypto/OCSP directory), implements OCSP protocol coding/decoding, certificate validity calculation, and other functions.


13) crypto/PEM is used to generate and read various PEM format files, including various keys, digital certificate requests, digital certificates, pkcs7 messages, and pkcs8 messages.


14) pkcs7 message syntax (crypto/pkcs7 directory), mainly to construct and parse pkcs7 messages;


15) the PKCS12 Certificate Format (crypto/pckcs12 directory) is used to construct and parse the PKCS12 certificate.


16) the queue (crypto/pqueue directory) implements the queue data structure and is mainly used for dtls.


17) the random number (crypto/Rand directory) is used to generate pseudo-random numbers and support user-defined random number generation.


18) the stack (crypto/stack directory) implements the stack data structure.


19) supports threads (crypto/Threads). OpenSSL supports multithreading, but you must implement related interfaces.


20) Text Database (crypto/txt_db directory ).


21) X509 digital certificate (crypto/X509 directory and crypto/x509v3), including digital certificate application, digital certificate and CRL construction, resolution, signature verification, and other functions;


22) symmetric algorithms (crypto/AES, crypto/BF, crypto/cast, ccrypto/OMP, and crypto/DES ).


23) asymmetric algorithms (crypto/DH, crypto/DSA, crypto/EC, and crypto/ecdh ).


24) digest algorithms (crypto/md2, crypto/md4, crypto/MD5 and crypto/Sha) and key exchange/authentication algorithms (crypto/DH and crypto/krb5 ).


All the source code of the SSL library is in the SSL directory, including the source code of SSLv2, SSLv3, tlsv1, and dtls. Each version basically has the client source code (* _ clnt. c), service source code (* _ srvr. c), general source code (* _ both. c), underlying package source code (* _ Pkt. c), method source code (* _ meth. c) and various key computing Source Code related to the Protocol (* _ ENC. c.


The tool source code is mainly in the crypto/program directory. during compilation, only openssl(openssl.exe under windows) executable files are compiled. This command contains various command tools. Each source code in this directory can be compiled separately.


The sample source code is under the demo directory. In addition, the engines Directory provides the source code of several hardware supported by OpenSSL, which can also be used as a reference for engine writing.


The test source code is mainly in the test directory.

//////////////////////////////////////// //////////////////////////////////////// //////////////////////////////////////// /////////////

SSL is the abbreviation of Secure Socket Layer (Secure Sockets Layer Protocol). It aims to ensure the confidentiality and reliability of communication between two applications and support both the server side and the client side. Protocol modification prevents attackers from eavesdropping on communications between users/server applications, and always authenticates servers. Users can also be authenticated.

The entire OpenSSL software package can be divided into three main functional parts: cryptographic algorithm library, SSL protocol library, and applications. The directory structure of OpenSSL is naturally planned around these three functional parts.

Encryption Algorithm: symmetric encryption asymmetric encryption information Summary algorithm key and Protocol management SSL and TSL protocols

Symmetric algorithms use a key. Given a plaintext and a key, the encrypted ciphertext is generated. The length of the ciphertext is roughly the same as that of the plaintext. During decryption, the key is the same as the encryption key.


Symmetric algorithms mainly have four encryption modes:


(1) Electronic cipher book (ECB)


This mode is the earliest and simplest mode. It divides the encrypted data into several groups. The size of each group is the same as the length of the encryption key, and then each group uses the same key for encryption.


The disadvantage is that the electronic encoding thin mode uses one key to encrypt all blocks of the message. If the plain block is re-restored in the original message, the corresponding ciphertext blocks in the encrypted message will also be repeated. Therefore, the thin mode of electronic encoding is suitable for encrypting small messages.


(2) encrypted blockchain mode Cipher Block Chaining (CBC)


In CBC mode, the plaintext is first divided into fixed-length blocks, and then the ciphertext output from the previous encrypted block is different or operated from the next plaintext block to be encrypted, encrypt the calculation result with the key to obtain the ciphertext. When the first plaintext block is encrypted, an initialization vector is required because there is no encrypted ciphertext. Unlike the ECB method, the connection relationship makes the ciphertext and plaintext no longer have a one-to-one relationship, making it more difficult to crack, and overcomes attacks that can be achieved by simply switching the ciphertext block.


(3) encrypted feedback mode Cipher Feedback mode (CFB)


Character-oriented application encryption uses the stream encryption method. You can use the encrypted feedback mode. In this mode, data is encrypted with a smaller unit. For example, it can be 8 bits. The length is smaller than the defined block length (usually 64 bits ). The encryption steps are as follows:


A) Use a 64-bit initialization vector. The initialization vector is placed in the shift register and encrypted in the first step to generate the corresponding 64-bit initial ciphertext. B) Perform the exclusive or operation on the leftmost 8 bits of the initial vector and the first 8 bits of the plaintext, generate the first part of the ciphertext (assuming C), and then transmit C to the receiver;


C) shifts the bit of the vector (that is, the content of the shift register where the initialization vector is located) to eight places left, so that the 8 bits on the far right of the shift register are unpredictable data, and fill in the content of C; d) Step 1-3 until all plaintext units are encrypted.


Reverse decryption process


4) output feedback mode (ofB)


The output feedback mode is similar to that of CFB. The only difference is that the encrypted text in CFB is entered in the next stage of the encryption process, while in ofB, the input in the initial vector encryption process is entered in the next stage of the encryption process.


Abstract: An algorithm can generate special output formats. This algorithm features that the ciphertext output after computation is fixed regardless of the length of the raw data entered by the user, the principle of this algorithm is to extract the original data in some form according to certain calculation rules. This extraction is the abstract, and the data content of the abstract is closely related to the original data, as long as the original data changes slightly, the output "abstract" is completely different. Therefore, the algorithm based on this principle can provide a sound guarantee for data integrity. However, because the output ciphertext is the fixed length value after the original data is extracted, it cannot be restored to the original data, that is, the message digest algorithm is irreversible, theoretically, the original data content cannot be obtained through reverse operations, so it can only be used for data integrity verification.


Currently, there are not many algorithms that have been retained after years of verification development, including md2, md4, MD5, Sha, and SHA-1/256/383/512.


Common digest algorithms include MD5 and sha1. The output result of D5 is 16 bytes, and the output result of sha1 is 20 bytes.


In the public key and password system, encryption and decryption use different keys, which are mutually dependent: that is, the Information encrypted with either of the keys can only be decrypted with the other key. This allows both parties to perform confidential communication without prior key exchange. The encryption key and algorithm are made public to the public. Everyone can use this key to encrypt the file and send it to the receiver. This encryption key is also called a public key. After receiving the encrypted file, the Receiver, it can use its decryption key for decryption. This key is owned by itself and does not need to be distributed. Therefore, it is also called a private key.


Applications: includes key generation, certificate management, format conversion, data encryption and signature, SSL testing, and other auxiliary configuration functions.

The engine mechanism aims to enable OpenSSL to transparently use third-party software encryption libraries or hardware encryption devices for encryption.

Bio is a high-level IO Interface provided by OpenSSL. This interface encapsulates almost all types of Io interfaces, such as memory access, file access, and socket. This greatly improves code reusability,

OpenSSL provides a complete set of solutions and supports API functions for the generation and management of random numbers. The quality of random numbers is an important prerequisite for determining whether a key is secure.

From: http://hi.baidu.com/zeficie/blog/item/3a22440efdf5b8fe36d12235.html