OpenSSL with Linux kernel crypto API

Matt Caswell matt at openssl.org
Fri Jan 13 10:15:14 UTC 2023


On 13/01/2023 05:08, Hareesh Das Ulleri wrote:
> Dear OpenSSL users,
> 
>    I have a few questions regarding OpenSSL 3.0.7 and Linux 5.10.
> 
>    Does OpenSSL 3.0.7 support the use of Linux Cryptodev or AF_ALG? Or 
> does it need any separate build configurations to work with the Linux kernel 
> crypto API interface (is there any man page for this)? My understanding 
> is that, by default, OpenSSL uses its own user-space crypto 
> implementations (in libcrypto) without calling the Linux kernel for its 
> crypto operations; please clarify.
> 

Correct - OpenSSL implements its own userspace crypto without going 
through the kernel (mostly). There is some kernel crypto use in the 
following areas:
- There is an AFALG engine which provides some limited support to a few 
afalg ciphers. But of course engines are considered legacy and using one 
from within a provider is probably unwise.
- Libssl has some capabilities to integrate with the Kernel TLS module 
to offload encryption/decryption of TLS records.

> Does OpenSSL recommend using the Kernel Crypto API interface driver to interact 
> with HSM cryption kernel module?

OpenSSL makes no recommendation about this at all either way.

Matt
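
As an added example (not part of the original thread and not OpenSSL code): a small C probe that talks to the kernel crypto API directly over the AF_ALG socket interface the question asks about, so you can confirm whether the running kernel exposes it to your process at all. The function names `kernel_sha256` and `kernel_sha256_selftest` are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>

/* Hash msg with the kernel's sha256. Returns 0 and fills out[32], or -1
 * when AF_ALG or the algorithm is unavailable or blocked (e.g. seccomp). */
int kernel_sha256(const void *msg, size_t len, unsigned char out[32])
{
    struct sockaddr_alg sa;
    int tfm, op = -1, rc = -1;
    memset(&sa, 0, sizeof sa);
    sa.salg_family = AF_ALG;
    strcpy((char *)sa.salg_type, "hash");
    strcpy((char *)sa.salg_name, "sha256");

    tfm = socket(AF_ALG, SOCK_SEQPACKET, 0);       /* algorithm socket */
    if (tfm < 0)
        return -1;
    if (bind(tfm, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        (op = accept(tfm, NULL, NULL)) >= 0 &&     /* operation socket */
        send(op, msg, len, 0) == (ssize_t)len &&   /* no MSG_MORE: final chunk */
        read(op, out, 32) == 32)                   /* kernel returns the digest */
        rc = 0;
    if (op >= 0) close(op);
    close(tfm);
    return rc;
}

/* 1 = kernel digest matches the standard SHA-256("abc") test vector,
 * 0 = mismatch, -1 = kernel crypto API not reachable from this process. */
int kernel_sha256_selftest(void)
{
    static const unsigned char want[32] = {
        0xba,0x78,0x16,0xbf,0x8f,0x01,0xcf,0xea,0x41,0x41,0x40,0xde,0x5d,0xae,0x22,0x23,
        0xb0,0x03,0x61,0xa3,0x96,0x17,0x7a,0x9c,0xb4,0x10,0xff,0x61,0xf2,0x00,0x15,0xad };
    unsigned char got[32];
    if (kernel_sha256("abc", 3, got) != 0)
        return -1;
    return memcmp(got, want, 32) == 0;
}

int main(void)
{
    int r = kernel_sha256_selftest();
    printf("AF_ALG sha256: %s\n", r == 1 ? "ok" : r == 0 ? "MISMATCH" : "unavailable");
    return r == 1 ? 0 : 1;
}
```

A result of "unavailable" means the socket family, the algorithm, or the syscall is not accessible in this environment, which is common inside restricted containers.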

