Next major version of GmSSL!

Overview

GmSSL 3.0 Dev

Development of the GmSSL 2.x series began in 2016. The current main branch covers the principal SM (Chinese national) cryptographic algorithms, standards and protocols, and has been deployed successfully in a variety of Internet scenarios. As GmSSL was applied in new settings such as IoT and blockchain, and as it went through compliance testing for cryptographic products, we found that applications placed new requirements on it. Because those requirements are hard to meet on the OpenSSL-based GmSSL 2.x, we redesigned the architecture, and GmSSL now reaches its third major version: GmSSL 3.0.

Main new features

  • Ultra-lightweight: GmSSL 3.0 greatly reduces memory requirements and binary code size and does not depend on dynamic memory allocation, so it can run in low-power embedded environments without an operating system (MCUs, SoCs, etc.). Developers can also embed the SM algorithms and the SSL protocols into existing projects more easily.
  • Better compliance: GmSSL 3.0 can be configured to include only SM algorithms and the SM protocol (TLCP), so cryptographic applications built on GmSSL can more easily meet the requirements of cryptographic product type testing, and avoid the security and compliance problems caused by mixing in non-SM or insecure algorithms.
  • More secure: TLS 1.3 is a major improvement over earlier TLS versions in both security and connection latency; GmSSL 3.0 supports TLS 1.3 and the SM cipher suites of RFC 8998. GmSSL 3.0 encrypts keys in memory by default, improving the resistance of its cryptographic algorithms to side-channel attacks.
  • Cross-platform: GmSSL 3.0 is easier to port. The build system no longer depends on Perl; the default CMake build works readily with tool chains such as Visual Studio and the Android NDK, and developers can also write a Makefile by hand to compile and trim the library in special environments.

Main functionality

Cryptographic algorithms

  • Block ciphers: SM4 (CBC, CTR, GCM), AES (GCM)
  • Stream ciphers: ZUC/ZUC-256, ChaCha20, RC4
  • Hash functions: SM3, SHA-224/256/384/512, SHA-1, MD5
  • Public-key algorithms: SM2, SM9, ECDH, ECDSA
  • Elliptic curve parameters: SM2, NIST-P256
  • Pseudo-random number generator: HASH_DRBG (NIST SP 800-90A)
  • MAC algorithms: HMAC, GHASH
  • Key derivation functions: PBKDF2, HKDF

PKI-related standards

  • Digital certificates: X.509 certificates, CRL, CSR (PKCS #10)
  • Private key encryption format: password-encrypted private key in PEM format (PKCS #8)
  • Digital envelope: SM2 encrypted and signed message (GM/T 0010-2012)

SSL protocols

  • TLCP 1.1, supported cipher suite: ECDHE_SM4_CBC_SM3 {0xE0,0x11} (GB/T 38636-2020, GM/T 0024-2014)
  • TLS 1.2, supported cipher suite: ECDHE_SM4_CBC_SM3 {0xE0,0x11} (GB/T 38636-2020, GM/T 0024-2014, RFC 5246)
  • TLS 1.3, supported cipher suites: TLS_SM4_GCM_SM3 {0x00,0xC6} + ECDHE/SM2 (RFC 8998), TLS_AES_128_GCM_SHA256 + ECDHE/ECDSA/NIST-P256
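The "better compliance" goal above amounts to making sure a deployment negotiates only the SM suites listed here. The following is an added example written for this page, not code from GmSSL: it parses the cipher_suites vector of a TLS ClientHello body (RFC 5246 layout, which TLS 1.3 keeps for compatibility) with explicit bounds checks, and counts the offered suites that are not on an SM-only allow-list built from the identifiers in the list above (0xE011 and 0x00C6). The function names count_non_sm_suites and build_client_hello, the allow-list, and the sample ClientHello bytes are all constructed for the example; 0x1301 is the standard TLS 1.3 identifier of TLS_AES_128_GCM_SHA256.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SM-only allow-list, taken from the cipher suites listed on this page (example's own table). */
static const uint16_t sm_only_suites[] = {
    0xE011, /* ECDHE_SM4_CBC_SM3, TLCP 1.1 and TLS 1.2 */
    0x00C6, /* TLS_SM4_GCM_SM3, TLS 1.3 (RFC 8998) */
};

static int suite_is_sm(uint16_t id)
{
    for (size_t i = 0; i < sizeof sm_only_suites / sizeof sm_only_suites[0]; i++)
        if (sm_only_suites[i] == id) return 1;
    return 0;
}

/*
 * Count cipher suites in a ClientHello body that are not in the SM-only list.
 * Returns -1 if the body is truncated or malformed, so the caller never reads
 * past `len`. If first_bad is non-NULL it receives the first offending id.
 *
 * ClientHello body (RFC 5246 7.4.1.2): client_version(2) random(32)
 *   session_id<0..32>(1+n) cipher_suites<2..2^16-2>(2+m) compression_methods ...
 */
int count_non_sm_suites(const uint8_t *body, size_t len, uint16_t *first_bad)
{
    size_t off = 2 + 32;                       /* skip version and random */
    if (len < off + 1) return -1;
    size_t sid_len = body[off++];
    if (sid_len > 32 || off + sid_len > len) return -1;
    off += sid_len;
    if (off + 2 > len) return -1;
    size_t cs_len = ((size_t)body[off] << 8) | body[off + 1];
    off += 2;
    /* vector must hold at least one suite, be even-sized, and fit in the buffer */
    if (cs_len < 2 || (cs_len & 1) || off + cs_len > len) return -1;

    int bad = 0;
    for (size_t i = 0; i < cs_len; i += 2) {
        uint16_t id = (uint16_t)((body[off + i] << 8) | body[off + i + 1]);
        if (!suite_is_sm(id)) {
            if (bad == 0 && first_bad) *first_bad = id;
            bad++;
        }
    }
    return bad;
}

/* Build a minimal, constructed ClientHello body offering the given suites.
 * Returns the body length, or 0 if `cap` is too small. */
size_t build_client_hello(const uint16_t *suites, size_t n, uint8_t *out, size_t cap)
{
    size_t need = 2 + 32 + 1 + 2 + 2 * n + 2;
    if (cap < need) return 0;
    size_t off = 0;
    out[off++] = 0x03; out[off++] = 0x03;      /* legacy_version = TLS 1.2 */
    memset(out + off, 0xAB, 32); off += 32;    /* constructed, not random */
    out[off++] = 0;                            /* empty session_id */
    out[off++] = (uint8_t)((2 * n) >> 8);
    out[off++] = (uint8_t)(2 * n);
    for (size_t i = 0; i < n; i++) {
        out[off++] = (uint8_t)(suites[i] >> 8);
        out[off++] = (uint8_t)(suites[i] & 0xFF);
    }
    out[off++] = 1; out[off++] = 0;            /* compression_methods: null only */
    return off;
}

int main(void)
{
    static const uint16_t mixed[] = { 0x00C6, 0x1301 }; /* SM suite plus AES-GCM */
    uint8_t buf[128];
    uint16_t bad = 0;
    size_t n = build_client_hello(mixed, 2, buf, sizeof buf);
    int r = count_non_sm_suites(buf, n, &bad);
    printf("non-SM suites offered: %d (first: 0x%04X)\n", r, bad);
    printf("truncated body -> %d\n", count_non_sm_suites(buf, n - 3, &bad));
    return 0;
}
```

A -1 result is treated differently from a positive count on purpose: a truncated or malformed hello is a parsing problem (and a common fuzzing target), not a policy violation, and the two should be logged separately.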
Comments
  • Bug fixes

    1. For certificate RDNs, checking the type is sufficient; the extra checks reduce compatibility, so the extra RDN check items are disabled.
    2. Compatibility fix for reading certificate files whose PEM END line does not end with \n.
    3. Compatibility fix for the case where the optional parameter of the certificate signature algorithm is present as NULL.
    4. Per GM/T 0015 section 5.2.2, the optional issuerUniqueID and subjectUniqueID fields of TBSCertificate must be serialized only when present; otherwise the parsed content and the DER serialization differ and verification fails.
    5. The SM2 default-ID preprocessing-1 acceleration currently has a problem; it is commented out for now, pending a fix.
    6. Increased the length of the country field in RDNs to accommodate non-standard custom names, for better compatibility.
    7. When verifying a signing certificate and an encryption certificate, the root certificate only needs to be read once (signing and encryption certificates usually come in pairs).
    8. Fixed ServerKeyExchange message verification failure: the signature value was not parsed and copied correctly, which made signature verification fail.
    opened by Trisia 0
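Item 2 above describes a real-world compatibility edge case: PEM files whose final "-----END ...-----" line is not followed by a newline. The following is an added example for this page, not GmSSL's PEM code: a small PEM block extractor (the function name pem_extract_base64 and the sample input are constructed here) that accepts LF or CRLF line endings and an END marker at the very end of the buffer, while still rejecting a block with no END marker or with non-base64 bytes between the markers.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int is_b64(int c)
{
    return isalnum(c) || c == '+' || c == '/' || c == '=';
}

/*
 * Copy the base64 body of the first "-----BEGIN <label>-----" block into `out`
 * (NUL-terminated), stripping line breaks and whitespace. The END marker may be
 * followed by '\n', "\r\n", or nothing at all (end of buffer).
 * Returns the number of base64 characters, or -1 if no well-formed block is found
 * or `out` is too small.
 */
int pem_extract_base64(const char *pem, const char *label, char *out, size_t cap)
{
    char begin[128], end[128];
    if (snprintf(begin, sizeof begin, "-----BEGIN %s-----", label) >= (int)sizeof begin) return -1;
    if (snprintf(end, sizeof end, "-----END %s-----", label) >= (int)sizeof end) return -1;

    const char *p = strstr(pem, begin);
    if (!p) return -1;
    p += strlen(begin);
    const char *q = strstr(p, end);
    if (!q) return -1;

    /* Tolerate a missing trailing newline: after the END marker only '\0',
     * '\n' or '\r' are acceptable. */
    const char *after = q + strlen(end);
    if (*after != '\0' && *after != '\n' && *after != '\r') return -1;

    size_t n = 0;
    for (; p < q; p++) {
        unsigned char c = (unsigned char)*p;
        if (is_b64(c)) {
            if (n + 1 >= cap) return -1;       /* keep room for the terminator */
            out[n++] = (char)c;
        } else if (!isspace(c)) {
            return -1;                         /* stray byte inside the block */
        }
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample: body is placeholder base64, and the END line has no '\n'. */
    const char *sample =
        "-----BEGIN CERTIFICATE-----\n"
        "MIIB\n"
        "AAAA\n"
        "-----END CERTIFICATE-----";
    char b64[64];
    int n = pem_extract_base64(sample, "CERTIFICATE", b64, sizeof b64);
    printf("extracted %d base64 chars: %s\n", n, n >= 0 ? b64 : "(none)");
    return 0;
}
```

The base64 text still has to be decoded and DER-parsed afterwards; this routine only answers the framing question that the bug fix addresses.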
  • bug

    typedef enum X509_CRLReason {
        X509_cr_unspecified = 0,
        X509_cr_key_compromise,
        X509_cr_ca_compromise,
        X509_cr_affiliation_changed,
        X509_cr_superseded,
        X509_cr_cessation_of_operation,
        X509_cr_certificate_hold,
        X509_cr_7_not_assigned = 7,
        X509_cr_remove_from_crl,
        X509_cr_privilege_withdrawn,
        X509_cr_aa_compromise,
    } CRL_REASON;

    const char *crl_reason_text(int reason)
    {
        switch (reason) {
        case X509_cr_unspecified:            return "unspecified";
        case X509_cr_key_compromise:         return "keyCompromise";
        case X509_cr_ca_compromise:          return "cACompromise";
        case X509_cr_affiliation_changed:    return "affiliationChanged";
        case X509_cr_superseded:             return "superseded";
        case X509_cr_cessation_of_operation: return "cessationOfOperation";
        case X509_cr_certificate_hold:       return "certificateHold";
        case X509_cr_remove_from_crl:        return "removeFromCRL";
        case X509_cr_privilege_withdrawn:    return "privilegeWithdrawn";
        case X509_cr_aa_compromise:          return "aACompromise";
        }
        return NULL;
    }

    opened by shatanyumi 0
  • fix gcc compile error: use option -std=c99 or -std=gnu99 to compile your…

    Fix the gcc compile error below by adding the compile option -std=c99.

    src/des.c: In function 'permute':
    src/des.c:188:2: error: 'for' loop initial declarations are only allowed in C99 mode
      for (size_t i = 0; i < n; i++) {
      ^
    src/des.c:188:2: note: use option -std=c99 or -std=gnu99 to compile your code
    make[2]: *** [CMakeFiles/gmssl.dir/build.make:588: CMakeFiles/gmssl.dir/src/des.c.o] Error 1
    
    opened by taomaree 1
Owner

Zhi Guan