| Updated: October 28, 2024 |
QNX Neutrino supports multiple ways to access cryptography services.
The QNX Cryptography Library (qcrypto) is a thin shim layer which provides a unified cryptography API on the system. It also allows system integrators to select which cryptography providers to ship on the system without requiring changes to source code that uses the qcrypto API. The selection of the proper cryptography provider by components is done through a 'tag' system which is an integral part of the qcrypto library. A 'tag' is a keyword that specifies the cryptography provider that should provide the functionality required by the component interfacing with qcrypto. By default, when the tag value is NULL, the tag value is the executable name of the process.
This library also allows the end user to write custom plugins that offer cryptography services through other third-party libraries or hardware cryptography devices.
For QNX Neutrino system components, this library provides cryptography support and allows system integrators to choose the cryptography provider for each system component.
For more information, see “QNX Cryptography Library”.
OpenSSL cryptography support is available via the libraries libcrypto.so.2.1 and libssl.so.2.1 and the openssl utility.
For more information, including openssl commands see “https://www.openssl.org/docs/man1.1.1/. ”.
The OpenSSL that QNX Neutrino provides allows you to redirect to devcrypto calls for cryptography operations that use the OpenSSL EVP API. This redirection allows access to EVP functions without recompiling application programs using OpenSSL.
For processes that use or link to the OpenSSL library (libcrypto), the following environment variable automatically redirects cryptography operations:
OPENSSL_CRYPTODEV=["alg1 ,alg2 ,..."|all] process_path argswhere "alg1 ,alg2 ,..." are the algorithms that will be handled by devcrypto instead of OpenSSL's internal implementation. (Specify the algorithms using the names that OpenSSL uses internally.) Alternatively, specify all to redirect to devcrypto all algorithms that it supports; unsupported algorithms use OpenSSL.
In addition, specifying OPENSSL_CRYPTODEV_DEBUG provides debug output related to the algorithm registration.
In addition, the crypto library from OpenSSL included in QNX Neutrino provides the following additional digest algorithms:
In some environments, OpenSSL interferes with Valgrind or GNU debugging by generating SIGKILL signals.
To avoid this problem with Valgrind, specify the following option:--sigill-diagnostics=no
For GNU debugger (GDB), see “When debugging I observe SIGILL during OpenSSL initialization: why?” in the OpenSSL Project's Frequently Asked Questions information: “https://www.openssl.org/docs/faq.html#PROG”
The devcrypto service provides cryptography support through the "standard" /dev/crypto interface (similar to OpenBSD's cryptodev userspace API). The QNX Neutrino /dev/crypto is a driver that exposes an interface that uses I/O control calls to perform cryptography operations (MAC, digest, cipher, AEAD cipher, etc.). The devcrypto plugin API allows you to create a software backend to devcrypto, which provides access to either software or hardware cryptographic accelerators.
For more information, see “The devcrypto service”.