mirror of
https://github.com/openharmony/third_party_openhitls.git
synced 2026-07-01 10:05:26 -04:00
update feature of doc
Signed-off-by: Dongjianwei001 <dongjianwei1@huawei.com>
+28
-14
@@ -5,30 +5,44 @@
|
||||
|
||||
## 概述
|
||||
|
||||
openHiTLS架构高度模块化,可通过模块和特性配置。RAM/ROM尺寸取决于所选的特性。openHiTLS为密码算法提供最佳性能优化。当前已支持5个组件和算法特性可按需配置,支持ARM、x86架构CPU上的算法性能优化,更多架构和特性待规划。
|
||||
openHiTLS架构高度模块化,可通过模块和特性配置。RAM/ROM尺寸取决于所选的特性。openHiTLS为密码算法提供最佳性能优化。当前已支持5个组件和算法特性可按需配置,已经通过ISO19790认证,支持ARM、x86架构CPU上的算法性能优化,更多架构和特性待规划。
|
||||
|
||||
## 特性简介
|
||||
|
||||
### 功能特性
|
||||
|
||||
- 协议:支持TLS1.3, TLS1.3-Hybrid-Key-Exchange, TLS-Provider, TLS-Multi-KeyShare, TLS-Custom-Extension, TLCP, DTLCP, TLS1.2, DTLS1.2, Auth;
|
||||
- 算法:支持ML-DSA,ML-KEM,SLH-DSA,AES,SM4,Chacha20,RSA,RSA-Bind,DSA,ECDSA,ECDH,DH,SM2,DRBG,DRBG-GM,HKDF,SCRYPT,PBKDF2,SHA2,SHA3,MD5,SM3,HMAC等;
|
||||
- 证书:支持证书、CRL解析,证书、CRL验证,证书请求、生成等;
|
||||
- 协议:
|
||||
- TLS: 支持TLS1.3,TLS1.3-Hybrid-Key-Exchange,TLS-Provider,TLS-Multi-KeyShare,TLS-Custom-Extension,TLCP,DTLCP,TLS1.2,DTLS1.2;
|
||||
- 认证:支持 Privacy Pass token,HOTP,TOTP,SPAKE2+ 等认证协议;
|
||||
- 算法:
|
||||
- 后量子算法:ML-DSA,ML-KEM,SLH-DSA,XMSS,Classic McEliece,FrodoKEM;
|
||||
- 对称算法:AES,SM4,Chacha20 以及各类对称加密模式;
|
||||
- 传统非对称算法:RSA,RSA-Bind,DSA,ECDSA,EDDSA,ECDH,DH,SM2,SM9,Paillier,ElGamal;
|
||||
- 随机数:DRBG,GM-DRBG;
|
||||
- 密钥派生:HKDF,SCRYPT,PBKDF2;
|
||||
- 哈希算法:SHA系列,MD5,SM3;
|
||||
- 消息认证码:HMAC,CMAC;
|
||||
- 其他:HPKE;
|
||||
- PKI:
|
||||
- 后量子能力:支持XMSS,ML-DSA,ML-KEM,SLH-DSA证书能力,ML-DSA CMS SignedData能力;
|
||||
- 传统证书能力:支持X509解析验证,CRL解析验证,CSR请求生成,证书链生成,部分/全部证书链验证
|
||||
- PKCS7,PKCS8,PKCS12等;
|
||||
- 命令行:支持基础命令,随机数,加解密,密钥和参数管理,证书等;
|
||||
|
||||
### DFX特性
|
||||
|
||||
- 特性高度模块化,支持按需裁剪特性
|
||||
- 基于ARMv8、x8664 CPU算法性能优化
|
||||
- 支持基于日志和错误堆栈功能维测
|
||||
- 特性高度模块化,支持按需裁剪特性;
|
||||
- 基于ARMv8、ARMv7、x86_64 CPU算法性能优化;
|
||||
- 支持基于日志和错误堆栈功能维测;
|
||||
|
||||
## 组件简介
|
||||
|
||||
目前,openHiTLS有5个组件,其中BSL组件需和其他组件一起使用。
|
||||
- BSL是Base Support Layer的缩写,提供基础C类标准的增强功能和OS适配器,需与其他模块一起使用
|
||||
- 密码算法组件(Crypto)提供了完整的密码功能,且性能较优。该组件既可以被TLS使用,也可与BSL一起使用
|
||||
- TLS是Transport Layer Security的缩写,涵盖了TLS1.3及之前的TLS版本,会与Crypto、BSL以及其他三方密码组件或PKI库一起使用
|
||||
- PKI组件提供证书、CRL解析,证书、CRL验证以及证书请求、生成等功能
|
||||
- Auth认证组件提供了认证功能,当前提供了基于RFC9578的publicly token认证功能
|
||||
- BSL是Base Support Layer的缩写,提供基础C类标准的增强功能和OS适配器,需与其他模块一起使用;
|
||||
- Crypto提供了完整的密码功能,且性能较优。该组件既可以被TLS使用,也可与BSL一起使用;
|
||||
- TLS是Transport Layer Security的缩写,涵盖了TLS1.3及之前的TLS版本,会与Crypto、BSL以及其他三方密码组件或PKI库一起使用;
|
||||
- PKI组件提供证书、CRL解析,证书、CRL验证以及证书请求、生成等功能;
|
||||
- Auth认证组件提供了认证功能,当前提供Privacy Pass token认证功能,TOTP/HOTP,SPAKE2+等协议;
|
||||
|
||||
## 开发
|
||||
|
||||
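Review bot: The new overview sentence adds 已经通过ISO19790认证 without saying what was certified. The release notes changed in this same commit list an "ISO19790 Provider" as a new item, and the sentence does not say whether the certification covers that provider, a particular version, or the whole library. Suggest naming the certified component and version in this sentence and pointing to the certificate.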
@@ -74,7 +88,7 @@ Secure C 官方仓库地址:<https://gitee.com/openeuler/libboundscheck>。
|
||||
|
||||
### 致应用开发人员
|
||||
|
||||
正式版本的源码镜像尚未正式开放、还在规划当中。
|
||||
正式版本的源码镜像尚未正式开放,还在规划当中。
|
||||
|
||||
|
||||
官方代码仓库托管在<https://gitcode.com/openhitls>,您可以通过如下命令将Git库克隆为一个本地副本进行使用:
|
||||
@@ -108,7 +122,7 @@ python3 ../configure.py ["option"]
|
||||
python3 ../configure.py --enable hitls_bsl hitls_crypto hitls_tls hitls_pki hitls_auth --lib_type static --bits=64 --system=linux
|
||||
```
|
||||
|
||||
* x8664优化全量构建:
|
||||
* x86_64优化全量构建:
|
||||
```
|
||||
python3 ../configure.py --enable hitls_bsl hitls_crypto hitls_tls hitls_pki hitls_auth --lib_type static --bits=64 --system=linux --asm_type x8664
|
||||
```
|
||||
|
||||
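Review bot: The heading is renamed to x86_64, but the command directly under it still passes `--asm_type x8664`, so the two spellings now differ within three lines. A reader who carries the heading's spelling into the option will not be typing the value the command shows. Suggest a short remark that the option value is spelled x8664, here and in the matching English README hunk.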
@@ -5,30 +5,44 @@ Welcome to visit the openHiTLS Code Repository, which is under the openHiTLS com
|
||||
|
||||
## Overview
|
||||
|
||||
The architecture of openHiTLS is highly modular, and openHiTLS can be configured in modules and features. The RAM/ROM footprint depends on the features selected. It provides the optimal performance optimization for cryptographic algorithms. Currently, 5 components and cryptographic algorithms are configured, and the performance optimization of ShangMi cryptographic algorithms on ARM, x86 is ready. More architectures and features are to be planned.
|
||||
The architecture of openHiTLS is highly modular, and openHiTLS can be configured in modules and features. The RAM/ROM footprint depends on the features selected. It provides the optimal performance optimization for cryptographic algorithms. Currently, 5 components and cryptographic algorithms are configured, ISO19790 certified, and the performance optimization of ShangMi cryptographic algorithms on ARM, x86 is ready. More architectures and features are to be planned.
|
||||
|
||||
## Feature Introduction
|
||||
|
||||
### Functional Features
|
||||
|
||||
- Protocols:Support TLS1.3, TLS1.3-Hybrid-Key-Exchange, TLS-Provider, TLS-Multi-KeyShare, TLS-Custom-Extension, TLCP, DTLCP, TLS1.2, DTLS1.2, Auth;
|
||||
- Algorithms:Support ML-DSA,ML-KEM,SLH-DSA,AES,SM4,Chacha20,RSA,RSA-Bind,DSA,ECDSA,ECDH,DH,SM2,DRBG,DRBG-GM,HKDF,SCRYPT,PBKDF2,SHA2,SHA3,MD5,SM3,HMAC etc.;
|
||||
- PKI:Support Certificate, CRL parsing, Certificate, CRL validation, Certificate requests, generation etc.
|
||||
- Protocols:
|
||||
- TLS: Support TLS1.3, TLS1.3-Hybrid-Key-Exchange, TLS-Provider, TLS-Multi-KeyShare, TLS-Custom-Extension, TLCP, DTLCP, TLS1.2, DTLS1.2.
|
||||
- Authentication: Support Privacy Pass token, HOTP, TOTP, SPAKE2+.
|
||||
- Algorithms:
|
||||
- Post-quantum algorithms: ML-DSA, ML-KEM, SLH-DSA, XMSS, Classic McEliece, FrodoKEM.
|
||||
- Symmetric algorithms: AES, SM4, Chacha20, and various symmetric encryption modes.
|
||||
- Traditional asymmetric algorithms: RSA, RSA-Bind, DSA, ECDSA, EDDSA, ECDH, DH, SM2, SM9, Paillier, ElGamal.
|
||||
- Random: DRBG, DRBG-GM.
|
||||
- Key derivation: HKDF, SCRYPT, PBKDF2.
|
||||
- Hash: SHA series, MD5, SM3.
|
||||
- Message authentication code: HMAC, CMAC.
|
||||
- Others: HPKE.
|
||||
- PKI:
|
||||
- Post-quantum capabilities: Support XMSS, ML-DSA, ML-KEM, SLH-DSA certificate capabilities, ML-DSA CMS SignedData capability.
|
||||
- Traditional certificate capabilities: Support X509 parsing and verification, CRL parsing and verification, CSR request generation, certificate chain generation, partial/full certificate chain validation
|
||||
- PKCS7, PKCS8, PKCS12, etc.
|
||||
- Command line: Support basic commands, random numbers, encryption and decryption, key and parameter management, certificates and so on.
|
||||
|
||||
### DFX Features
|
||||
|
||||
- Highly modular features, support trimming features as required.
|
||||
- Algorithm performance optimization based on ARMv8 and x8664 CPU.
|
||||
- Highly modular features, support trimming features as required.
|
||||
- Algorithm performance optimization based on ARMv8, ARMv7, x86_64 CPU.
|
||||
- Support for maintainability and testability based on logging and error stack functionality.
|
||||
|
||||
## Component Introduction
|
||||
|
||||
openHiTLS include 5 components currently. The BSL component will be used with other components.
|
||||
- The bsl is short for Base Support Layer, which provides the base C standand enhanced functions and OS adapter. It will be used with other modules
|
||||
- The crypto is short for cryptographic algorithms, which provides the full cryptographic functions with high performance. It will be used by tls, and can also be used with bsl
|
||||
- The tls is short for Transport Layer Security, which provides all tls protocol versions up to tls1.3. It will be used with crypto and bsl or other third-party crypto and pki libraries
|
||||
- The PKI component provides functions such as certificate and CRL parsing, certificate and CRL validation, as well as certificate request and generation.
|
||||
- The Auth component provides the authentication function. Currently, it provides the publicly token authentication based on RFC9578
|
||||
Currently, openHiTLS has 5 components. The BSL component will be used with other components.
|
||||
- BSL is short for Base Support Layer, which provides the base C standard enhanced functions and OS adapter. It will be used with other modules.
|
||||
- Crypto provides the full cryptographic functions with high performance. It will be used by tls, and can also be used with bsl.
|
||||
- TLS is short for Transport Layer Security, which covers TLS1.3 and previous TLS versions. It will be used with crypto, bsl and other third-party cryptographic components or PKI libraries.
|
||||
- PKI component provides functions such as certificate and CRL parsing, certificate and CRL validation, as well as certificate request and generation.
|
||||
- Auth authentication component provides authentication functions. Currently, it provides Privacy Pass token, TOTP/HOTP, SPAKE2+.
|
||||
|
||||
## Development
|
||||
|
||||
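Review bot: The "Random" item reads "DRBG, DRBG-GM", while the Chinese README hunk above and the feature description later in this commit both write GM-DRBG. Use one spelling across the three documents. In the same hunk, "ISO19790 certified" is inserted mid-sentence in the overview, which leaves it unclear what the certification applies to; a separate sentence naming the certified component would be clearer. The "Traditional certificate capabilities" item is also the only sub-item without a closing period.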
@@ -81,7 +95,7 @@ The official source code repository is located at <https://gitcode.com/openhitls
|
||||
```
|
||||
git clone https://gitcode.com/openhitls/openhitls.git
|
||||
```
|
||||
If you are going to contribute, you need to fork the openhitls repository on gitee and clone your public fork instead:
|
||||
If you are going to contribute, you need to fork the openhitls repository on gitcode and clone your public fork instead:
|
||||
```
|
||||
git clone https://gitcode.com/"your gitcode name"/openhitls.git
|
||||
```
|
||||
@@ -107,12 +121,12 @@ python3 ../configure.py ["option"]
|
||||
python3 ../configure.py --enable hitls_bsl hitls_crypto hitls_tls hitls_pki hitls_auth --lib_type static --bits=64 --system=linux
|
||||
```
|
||||
|
||||
* x8664 Optimize the full build:
|
||||
* x86_64 Optimize the full build:
|
||||
```
|
||||
python3 ../configure.py --enable hitls_bsl hitls_crypto hitls_tls hitls_pki hitls_auth --lib_type static --bits=64 --system=linux --asm_type x8664
|
||||
```
|
||||
|
||||
* build the app:
|
||||
* build the app:
|
||||
```
|
||||
python3 ../configure.py --executes hitls
|
||||
```
|
||||
|
||||
@@ -1,12 +1,85 @@
|
||||
# Version Mapping
|
||||
# Release Notes
|
||||
|
||||
Version: openHiTLS 0.1.0 alpha1
|
||||
Version: openHiTLS 0.3.0
|
||||
|
||||
# New Features
|
||||
|
||||
**openHiTLS supports the following features:**
|
||||
**openHiTLS 0.3.0 adds the following features:**
|
||||
|
||||
* SM2, SM3, and SM4 commercial encryption algorithms
|
||||
* (D)TLS, TLCP secure transmission protocol
|
||||
* On-demand feature configuration to meet users' requirements for compact RAM and ROM
|
||||
* Arm-based and x86-based performance optimization of commercial encryption algorithms to meet high-performance requirements
|
||||
### Post-Quantum Cryptographic Algorithms
|
||||
* ML-DSA algorithm support
|
||||
* XMSS algorithm support
|
||||
* Classic McEliece algorithm support
|
||||
* FrodoKEM algorithm support
|
||||
* XMSS, ML-DSA, ML-KEM, SLH-DSA certificate capabilities
|
||||
* ML-DSA CMS SignedData capability
|
||||
|
||||
### Authentication Protocols
|
||||
* SPAKE2+ protocol
|
||||
* HOTP/TOTP
|
||||
|
||||
### PKI and Certificates
|
||||
* X25519 certificate support
|
||||
* Enhanced certificate verification: partial chain verification, external public key verification, hostname verification
|
||||
* CMS: SignedData encoding/decoding and signature verification support
|
||||
* Enhanced PKCS12: CRL-bag, key-bag, secret-bag support, provider offload support
|
||||
|
||||
### Cryptographic Algorithms
|
||||
* AES-WRAP, RSA ISO9796-2:1997 signature
|
||||
* SM4-HCTR, SM4-CCM modes
|
||||
* SHA256-MB multi-buffer interface
|
||||
* nistp192 curve
|
||||
* Asymmetric algorithm key verification
|
||||
* Random number fork reseeding capability
|
||||
* Paillier algorithm homomorphic operation support
|
||||
* SM9 Identity-Based Cryptography
|
||||
|
||||
### TLS
|
||||
* Enhanced protocol certificate usability
|
||||
* Certificate loading from Buffer
|
||||
* CRL support
|
||||
* Certificate loading from directory
|
||||
* Enhanced session management
|
||||
* DTLS MTU transmission optimization
|
||||
* Handshake buffer memory minimization
|
||||
* RFC8998 cipher suite support
|
||||
* Certificate Authorities extension support
|
||||
* TLS_FALLBACK_SCSV support
|
||||
|
||||
### Command Line
|
||||
New command line tools, supporting:
|
||||
* Basic commands: help, list
|
||||
* Random number: rand
|
||||
* Encryption/decryption: enc, mac, dgst, kdf
|
||||
* Key and parameter management: genpkey, pkey, param...
|
||||
* Certificate and PKI: req, x509, pkcs7, pkcs12, crl...
|
||||
* SSL/TLS client and server: s_client, s_server
|
||||
* Password and storage: passwd
|
||||
|
||||
### Performance and Platform
|
||||
* SM2/SM3 ARMv7 assembly optimization
|
||||
* Darwin/macOS cross-platform support
|
||||
* STM32F407 build configuration
|
||||
|
||||
### Authentication Related
|
||||
* ISO19790 Provider
|
||||
* SM Provider
|
||||
|
||||
### Bug Fixes
|
||||
* Fixed cipher suite inconsistency in HRR scenario
|
||||
* Fixed ticket nonceLen parsing failure
|
||||
* Fixed certificate UTC time support before year 2000
|
||||
* T61 string format support
|
||||
* PSS certificate signature algorithm matching fix
|
||||
* Fixed DRBG, ML-KEM, and atomic lock memory leaks
|
||||
* Fixed DH key derivation leading zero issue
|
||||
* Fixed DRBG entropy source waste issue
|
||||
* Fixed BMP encoding issue
|
||||
* Fixed certificate parsing address offset issue
|
||||
* Fixed scrypt integer overflow issue
|
||||
* Fixed initialization function order issue
|
||||
* Fixed decode address offset issue
|
||||
* Fixed AES-XTS assembly optimization issue
|
||||
* Fixed symmetric algorithm assembly calling convention issue
|
||||
* Fixed decode framework P8 key password input issue
|
||||
* Fixed certificate key codec module memory issue
|
||||
|
||||
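Review bot: The Bug Fixes list contains entries that downstream users will read as security fixes ("Fixed scrypt integer overflow issue", "Fixed certificate parsing address offset issue", "Fixed DH key derivation leading zero issue"), yet none carries an issue reference or an affected version, so these notes cannot be used to judge how urgent an upgrade is. Suggest adding the issue or commit id and the affected releases to each such entry. Also, the "Authentication Related" heading covers "ISO19790 Provider" and "SM Provider", which are certification items and sit confusingly next to the "Authentication Protocols" section; "Certification Related" would match how 认证相关 is used in the Chinese file.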
@@ -1,19 +1,73 @@
|
||||
# Overview
|
||||
|
||||
openHiTLS aims to provide efficient and agile cryptography suites for all scenarios. With the elastic architecture of hierarchical modules and features, features can be selected and constructed as required, supporting applications in all scenarios to meet different requirements for RAM and ROM, computing performance, and feature satisfaction. Currently, openHiTLS supports cryptographic algorithms, secure communication protocols (TLS, DTLS, and TLCP), Arm-based performance optimization of commercial encryption algorithms, **and Hybrid Key Exchange**. More features are to be planned and welcome to participate in co-construction.
|
||||
openHiTLS aims to provide efficient and agile cryptography suites for all scenarios. With the elastic architecture of hierarchical modules and features, features can be selected and constructed as required, supporting applications in all scenarios to meet different requirements for RAM and ROM, computing performance, and feature satisfaction. Currently, openHiTLS supports cryptographic algorithms, secure communication protocols (TLS, DTLS, and TLCP), performance optimization of commercial encryption algorithms based on ARM and x86, **and supports Hybrid Key Exchange and Post-Quantum cryptographic algorithms**. More features are to be planned and welcome to participate in co-construction.
|
||||
|
||||
# Feature Description
|
||||
|
||||
1. Supported Features
|
||||
## 1. Supported Features
|
||||
|
||||
1.1. Key functional features are as follows:
|
||||
### 1.1 Key Functional Features
|
||||
|
||||
* TLS protocols: TLS1.2, TLS1.3, DTLS1.2, and TLCP
|
||||
* Encryption and decryption cryptographic algorithms: AES, SM4, Chacha20, RSA, (EC)DSA, (EC)DH, SM2, DRBG, HKDF, SCRYPT, PBKDF2, SHA2, SHA3, MD5, SM3, HMAC, PKI, and auth.
|
||||
#### Post-Quantum Algorithms
|
||||
- ML-KEM
|
||||
- ML-DSA
|
||||
- SLH-DSA
|
||||
- XMSS
|
||||
- Classic McEliece
|
||||
- FrodoKEM
|
||||
|
||||
1.2. Non-functional features are as follows:
|
||||
#### Protocol Support
|
||||
- TLS1.3, TLS1.3-Hybrid-Key-Exchange, TLS-Provider, TLS-Multi-KeyShare, TLS-Custom-Extension
|
||||
- TLCP, DTLCP
|
||||
- TLS1.2, DTLS1.2
|
||||
|
||||
* Elastic architecture: Modules and features can be selected and constructed as required
|
||||
* Performance optimization: The Arm-based and x86-based performance optimization of commercial encryption algorithms is supported
|
||||
* Maintainability and testability: The log and error stack functions are supported
|
||||
#### Symmetric Algorithms
|
||||
- AES, SM4, Chacha20, and various symmetric encryption modes.
|
||||
|
||||
#### Traditional Asymmetric Algorithms
|
||||
- RSA, RSA-Bind, DSA, ECDSA, EDDSA, ECDH, DH, SM2, SM9, Paillier, ElGamal
|
||||
|
||||
#### Authentication Protocols
|
||||
- Privacy Pass, HOTP, TOTP, SPAKE2+
|
||||
|
||||
#### Others
|
||||
- DRBG, GM-DRBG
|
||||
- HKDF, SCRYPT, PBKDF2
|
||||
- SHA1, SHA2, SHA3, SHA256-MB, MD5, SM3
|
||||
- HMAC, CMAC
|
||||
- HPKE
|
||||
|
||||
#### Certificates and PKI
|
||||
- Post-Quantum certificates
|
||||
- Certificate and CRL parsing and verification
|
||||
- Certificate requests and generation
|
||||
- Certificate chain generation, partial/full certificate chain validation
|
||||
- PKCS7, PKCS8, PKCS12
|
||||
|
||||
#### Command Line Tools
|
||||
- Basic commands, random numbers, encryption and decryption
|
||||
- Key and parameter management
|
||||
- Certificate and PKI management
|
||||
- SSL/TLS client and server
|
||||
|
||||
### 1.2 Non-Functional Features
|
||||
|
||||
#### Elastic Architecture
|
||||
- Highly modular features, support on-demand trimming
|
||||
- Protocol minimization configuration
|
||||
- Handshake buffer memory minimization
|
||||
|
||||
#### Performance Optimization
|
||||
- Algorithm performance optimization based on ARMv8, ARMv7, x86_64 CPU
|
||||
- ML-KEM performance optimization
|
||||
|
||||
#### Maintainability and Testability
|
||||
- Logging and error stack functionality
|
||||
- BSL_ERR module ErrorStack printing
|
||||
- Enhanced sensitive data cleanup
|
||||
|
||||
## 2. Planned Features
|
||||
|
||||
- Further optimization and integration of post-quantum cryptographic algorithms
|
||||
- Further performance optimization and memory footprint reduction
|
||||
- Support for more platforms
|
||||
|
||||
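Review bot: Under "Others", MD5 and SHA1 share a line with SHA2, SHA3 and SM3 with nothing marking them as legacy. Both have practical collision attacks, so a feature list that users consult when picking algorithms should flag them as provided for compatibility only. The README hunks in this commit write "SHA series" rather than enumerating SHA1; keep the hash lists consistent across the documents.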
@@ -1,5 +0,0 @@
|
||||
# Change History
|
||||
|
||||
| Date | Issue | Change Description |
|
||||
| ---------- | ----------------- | -------------------------------- |
|
||||
| 2024-01-25| The first release of openHiTLS.| First release of version alpha.|
|
||||
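Review bot: Deleting this table removes the only dated entry in the English docs, and the replacement release notes give "Version: openHiTLS 0.3.0" with no release date. Suggest adding the date next to that version line. The Chinese table deleted at the end of this commit dates the first alpha release 2024/5/15 while this one says 2024-01-25; if the history is kept anywhere, reconcile the two.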
+78
-7
@@ -1,14 +1,85 @@
|
||||
# 配套关系
|
||||
# 发行声明
|
||||
|
||||
版本: openHiTLS 0.1.0 alpha1
|
||||
版本: openHiTLS 0.3.0
|
||||
|
||||
# 新特性
|
||||
|
||||
**openHiTLS**
|
||||
**openHiTLS 0.3.0 新增以下特性:**
|
||||
|
||||
* 支持SM2、SM3、SM4商密算法功能
|
||||
* 支持(D)TLS、TLCP安全传输协议功能
|
||||
* 支持特性按需构建、满足用户RAM/ROM小型化诉求
|
||||
* 支持基于ARM、x86的指令级商密算法性能优化,满足商密算法高性能诉求
|
||||
### 后量子密码算法
|
||||
* 支持ML-DSA
|
||||
* 支持XMSS
|
||||
* 支持Classic McEliece
|
||||
* 支持FrodoKEM
|
||||
* 支持XMSS,ML-DSA,ML-KEM,SLH-DSA证书能力
|
||||
* 支持ML-DSA CMS SignedData能力
|
||||
|
||||
### 认证协议
|
||||
* 支持SPAKE2+
|
||||
* 支持HOTP/TOTP
|
||||
|
||||
### PKI与证书
|
||||
* 支持X25519证书
|
||||
* 增强证书验证: 部分证书链验证、外部公钥验证、Hostname验证
|
||||
* CMS:支持SignedData编解码与签名验签
|
||||
* PKCS12增强: 支持CRL-bag、key-bag、secret-bag,支持provider卸载
|
||||
|
||||
### 算法
|
||||
* 支持AES-WRAP、RSA ISO9796-2:1997签名
|
||||
* 支持SM4-HCTR、SM4-CCM模式
|
||||
* 支持SHA256-MB多缓冲接口
|
||||
* 支持nistp192曲线
|
||||
* 支持非对称算法密钥检查
|
||||
* 支持随机数fork后补种能力
|
||||
* Paillier算法支持同态运算
|
||||
* 支持SM9标识密码算法
|
||||
|
||||
### TLS
|
||||
* 协议证书易用性增强
|
||||
* 支持从Buffer加载证书
|
||||
* 支持CRL
|
||||
* 支持从目录加载证书
|
||||
* session管理能力增强
|
||||
* DTLS mtu传输优化
|
||||
* 握手Buffer内存最小化
|
||||
* 新增RFC8998密码套件支持
|
||||
* 新增Certificate Authorities扩展支持
|
||||
* 新增TLS_FALLBACK_SCSV支持
|
||||
|
||||
### 命令行
|
||||
新增命令行,支持的命令如下:
|
||||
* 基础命令: help,list
|
||||
* 随机数: rand
|
||||
* 加解密: enc,mac,dgst,kdf
|
||||
* 密钥和参数管理: genpkey,pkey,param ...
|
||||
* 证书和PKI: req,x509,pkcs7,pkcs12,crl ...
|
||||
* SSL/TLS客户端和服务端: s_client,s_server
|
||||
* 密码和存储: passwd
|
||||
|
||||
### 性能与平台
|
||||
* SM2/SM3 ARMv7汇编优化
|
||||
* 新增Darwin/macOS跨平台支持
|
||||
* 新增STM32F407编译配置
|
||||
|
||||
### 认证相关
|
||||
* 新增ISO19790 Provider
|
||||
* 新增支持国密一级 Provider支撑认证
|
||||
|
||||
### 缺陷修复
|
||||
* 修复HRR场景密码套件不一致问题
|
||||
* 修复解析ticket nonceLen 为0时返回失败的问题
|
||||
* 修复证书不支持2000年前的UTC时间问题
|
||||
* T61字符串格式支持
|
||||
* PSS证书签名算法匹配问题修复
|
||||
* 修复DRBG,ML-KEM和原子锁内存泄漏问题
|
||||
* 修复DH密钥派生前导0问题
|
||||
* DRBG修复熵源浪费的问题
|
||||
* 修复bmp encoding编码问题
|
||||
* 修复证书解析地址偏移问题
|
||||
* 修复scrypt整数溢出问题
|
||||
* 修复初始化函数顺序问题
|
||||
* 修复decode地址偏移问题
|
||||
* 修复aes-xts汇编优化问题
|
||||
* 修复对称算法汇编调用约定问题
|
||||
* 修复decode框架p8密钥不支持传入口令问题
|
||||
* 修复证书密钥编解码模块内存问题
|
||||
|
||||
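Review bot: Two entries in this file carry detail that the English release notes in this commit drop. 修复解析ticket nonceLen 为0时返回失败的问题 names the trigger (nonceLen equal to 0), while the English line says only "Fixed ticket nonceLen parsing failure"; 新增支持国密一级 Provider支撑认证 becomes just "SM Provider". Align the two files so that both state the condition and the certification level.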
+61
-10
@@ -1,22 +1,73 @@
|
||||
# 产品概述
|
||||
|
||||
openHiTLS的目标是提供高效敏捷的全场景密码学套件,通过模块分层特性分级的弹性架构,实现特性按需选择和扩展,支撑全场景应用满足RAM/ROM内存、计算性能、特性满足度等不同需求;当前已支持密码算法功能以及TLS、DTLS、TLCP安全通信协议功能,商密算法支持基于ARM 指令的性能优化,**并支持混合密钥交换(Hybrid Key Exchange)**,更多特性待规划、欢迎参与共建。
|
||||
openHiTLS的目标是提供高效敏捷的全场景密码学套件,通过模块分层特性分级的弹性架构,实现特性按需选择和扩展,支撑全场景应用满足RAM/ROM内存、计算性能、特性满足度等不同需求;当前已支持密码算法功能以及TLS、DTLS、TLCP安全通信协议功能,商密算法支持基于ARM、x86指令的性能优化,**并支持混合密钥交换(Hybrid Key Exchange)和后量子密码算法**,更多特性待规划、欢迎参与共建。
|
||||
|
||||
# 特性介绍
|
||||
|
||||
1. 已支持的特性
|
||||
## 1. 已支持的特性
|
||||
|
||||
1.1. 关键功能特性:
|
||||
### 1.1 关键功能特性
|
||||
|
||||
* 传输层安全协议:TLS1.2、TLS1.3、DTLS1.2、TLCP1.1;
|
||||
* 加解密密码算法:AES、SM4、Chacha20、RSA、(EC)DSA、(EC)DH、SM2、DRBG、HKDF、SCRYPT、PBKDF2、SHA2、SHA3、MD5、SM3、HMAC、
|
||||
PKI、 Auth
|
||||
#### 后量子算法
|
||||
- ML-KEM
|
||||
- ML-DSA
|
||||
- SLH-DSA
|
||||
- XMSS
|
||||
- Classic McEliece
|
||||
- FrodoKEM
|
||||
|
||||
1.2. 非功能性特性:
|
||||
#### 协议支持
|
||||
- TLS1.3、TLS1.3-Hybrid-Key-Exchange、TLS-Provider、TLS-Multi-KeyShare、TLS-Custom-Extension
|
||||
- TLCP、DTLCP
|
||||
- TLS1.2、DTLS1.2
|
||||
|
||||
* 弹性架构:支持模块和特性按需选择和构建功能
|
||||
* 性能优化:支持基于ARM、x86指令的性能优化的商密算法功能
|
||||
* 可维可测性:支持日志和错误栈功能
|
||||
#### 对称算法
|
||||
- AES、SM4、Chacha20、各类对称算法模式
|
||||
|
||||
#### 传统非对称算法
|
||||
- RSA、RSA-Bind、DSA、ECDSA、EDDSA、ECDH、DH、SM2、SM9、Paillier、ElGamal
|
||||
|
||||
#### 认证协议
|
||||
- Privacy Pass、HOTP、TOTP、SPAKE2+
|
||||
|
||||
#### 其他
|
||||
- DRBG、GM-DRBG
|
||||
- HKDF、SCRYPT、PBKDF2
|
||||
- SHA1、SHA2、SHA3、SHA256-MB、MD5、SM3
|
||||
- HMAC、CMAC
|
||||
- HPKE
|
||||
|
||||
#### 证书与PKI
|
||||
- 后量子证书
|
||||
- 证书、CRL解析、验证
|
||||
- 证书请求、生成
|
||||
- 证书链生成,部分/全部证书链验证
|
||||
- PKCS7、PKCS8、PKCS12
|
||||
|
||||
#### 命令行工具
|
||||
- 基础命令、随机数、加解密
|
||||
- 密钥和参数管理
|
||||
- 证书和PKI管理
|
||||
- SSL/TLS客户端和服务端
|
||||
|
||||
### 1.2 非功能性特性
|
||||
|
||||
#### 弹性架构
|
||||
- 特性高度模块化,支持按需裁剪
|
||||
- 协议最小化配置
|
||||
- 握手缓冲区内存最小化
|
||||
|
||||
#### 性能优化
|
||||
- 基于ARMv8、ARMv7、x86_64 CPU算法性能优化
|
||||
- ML-KEM性能优化
|
||||
|
||||
#### 可维可测性
|
||||
- 基于日志和错误堆栈功能维测
|
||||
- BSL_ERR模块ErrorStack打印
|
||||
- 敏感数据清理增强
|
||||
|
||||
## 2. 计划特性
|
||||
|
||||
- 更多后量子密码算法的优化和集成
|
||||
- 进一步的性能优化和内存占用减少
|
||||
- 更多平台的适配支持
|
||||
|
||||
@@ -35,7 +35,7 @@ openHiTLS架构高度模块化,RAM/ROM尺寸取决于所选的特性及优化
|
||||
["ecc", "x25519"] // hpke 第二组多选依赖
|
||||
]
|
||||
}
|
||||
},
|
||||
},
|
||||
"asm": {
|
||||
"x8664": {
|
||||
"sha1": {"ins_set":["x8664", "avx512"]},
|
||||
@@ -47,7 +47,7 @@ openHiTLS架构高度模块化,RAM/ROM尺寸取决于所选的特性及优化
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
},
|
||||
"hitls_tls": {...},
|
||||
"hitls_pki": {...},
|
||||
...
|
||||
|
||||
@@ -1,7 +0,0 @@
|
||||
# 修订记录
|
||||
|
||||
| 日期 | 版本 | 变更说明 |
|
||||
| ---------- | ----------------- | -------------------------------- |
|
||||
| 2024/5/15 | openHiTLS首个版本 | 首次发布alpha版本 |
|
||||
|
||||
|
||||