GmSSL: A Comprehensive Overview
Introduction to GmSSL
GmSSL is an open-source cryptographic library developed by Peking University. It offers comprehensive coverage of domestic cryptographic algorithms, standards, and secure communication protocols. The library is versatile, supporting major operating systems and processors, including mobile platforms. It also interfaces with typical domestic cryptographic hardware such as cryptographic keys and cards. GmSSL provides a rich set of command-line tools and multiple programming language interfaces.
Key Features
- Lightweight and Efficient: GmSSL version 3.0 significantly reduces memory usage and binary code size. It is designed to function without dynamic memory, making it ideal for low-power embedded environments such as microcontrollers (MCU) and System-on-Chip (SOC). This efficiency allows developers to embed domestic cryptographic algorithms and SSL protocols easily into existing projects.
- Compliance: The library is configurable to include only domestic algorithms and protocols (TLCP protocol), simplifying compliance with cryptographic product model testing and avoiding security and compliance issues caused by non-compliant algorithms.
- Security: GmSSL 3.0 supports the TLS 1.3 protocol, which marks a significant improvement in security and communication latency over previous TLS versions. The library also supports the RFC 8998 domestic cipher suite and provides default support for key encryption protection to enhance resistance against side-channel attacks.
- Cross-Platform Support: The project is designed to be easily cross-platform. It utilizes a CMake build system that interfaces well with tools like Visual Studio and Android NDK. Developers can also manually create Makefiles to compile and tailor the library for unique environments.
Download and Installation
The main branch of GmSSL is version 3.1.1, which enhances cross-platform features, particularly for Windows/Visual Studio compatibility. Developers targeting Windows, Android, or iOS platforms should use this version. The installation process involves using CMake to build and test the software, concluding with a system installation that sets up the gmssl command-line tool and relevant library files.
Core Functionality
Cryptographic Algorithms
- Block Ciphers: SM4 with various modes (CBC, CTR, GCM, etc.), and AES (CBC, CTR, GCM)
- Stream Ciphers: ZUC/ZUC-256, ChaCha20
- Hash Functions: SM3, SHA-1, SHA-224/256/384/512
- Public Key Cryptography: SM2 encryption/signature, SM9 encryption/signature
- MAC Algorithms: HMAC, GHASH, CBC-MAC
- Key Derivation: PBKDF2, HKDF
- Random Number Generators: Intel RDRAND, HASH_DRBG (NIST.SP.800-90A)
Certificates and Digital Envelopes
- Certificates: X.509, CRL, CSR (PKCS #10)
- Private Key Encryption: PEM format private key encrypted with SM4/SM3
- Digital Envelopes: SM2 encrypted messages (GM/T 0010-2012)
SSL Protocol
- TLCP 1.1: Supporting suite TLS_ECC_SM4_CBC_SM3
- TLS 1.2: Supporting suite TLS_ECDHE_SM4_CBC_SM3
- TLS 1.3: Supporting suite TLS_SM4_GCM_SM3
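To check the domestic-only configuration described under Compliance from the wire side, the following added example (not GmSSL code) parses a ClientHello record and separates the SM suites listed above from anything else a client offers. The code points are taken from RFC 8998 and GB/T 38636-2020; the function names and the sample records are constructed for illustration.

```python
SM_SUITES = {  # code points: RFC 8998 (TLS 1.3) and GB/T 38636-2020 (TLCP)
    0x00C6: "TLS_SM4_GCM_SM3",        # TLS 1.3
    0x00C7: "TLS_SM4_CCM_SM3",        # TLS 1.3, in RFC 8998 but not listed on this page
    0xE011: "TLS_ECDHE_SM4_CBC_SM3",  # TLS 1.2
    0xE013: "TLS_ECC_SM4_CBC_SM3",    # TLCP 1.1
}
SIGNALLING = {0x00FF, 0x5600}  # SCSV markers carried in the suite list, not ciphers

def offered_suites(record: bytes) -> list:
    """Return the cipher-suite code points of a record holding one ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if rec_len != hs_len + 4 or len(hello) != hs_len:
        raise ValueError("truncated or fragmented ClientHello")
    pos = 2 + 32                       # skip client_version and random
    if pos >= len(hello):
        raise ValueError("ClientHello too short")
    pos += 1 + hello[pos]              # skip session_id
    n = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + n]
    if len(hello) < pos + 2 or len(raw) != n or n == 0 or n % 2:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def audit(record: bytes):
    """Return (names of SM suites offered, code points of non-SM suites offered)."""
    sm, other = [], []
    for cs in offered_suites(record):
        if cs in SIGNALLING:
            continue
        if cs in SM_SUITES:
            sm.append(SM_SUITES[cs])
        else:
            other.append(cs)
    return sm, other

def make_hello(version: bytes, suites: list) -> bytes:
    """Build a minimal constructed ClientHello record (zero random, no extensions)."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = version + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + version + len(hs).to_bytes(2, "big") + hs

TLCP_ONLY = make_hello(b"\x01\x01", [0xE013, 0x00FF])      # constructed sample
MIXED = make_hello(b"\x03\x03", [0x00C6, 0x1301, 0xC02F])  # constructed sample
```

A non-empty second element from `audit` means the peer is offering suites outside the SM set, which is the condition a domestic-only deployment would flag.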
Multi-language Interfaces
GmSSL supports multiple programming language bindings, including Java, PHP, Go, Python, and JavaScript, allowing developers to integrate cryptographic functions into diverse applications efficiently.
Support for Domestic Cryptographic Hardware
GmSSL includes support for domestic SDF and SKF cryptographic hardware commonly used in server encryption solutions. For development and testing, a software module SoftSDF is provided, which can later be replaced with hardware solutions for deployment.
OpenSSL Compatibility
While GmSSL 3.0 rewrote its codebase and is not directly compatible with OpenSSL, an OpenSSL Compatibility Layer is available. This allows applications that rely on OpenSSL, such as Nginx, to leverage GmSSL's functionalities.
Performance Benchmarks
Performance tests on single-core, single-thread setups have shown impressive speeds across various cryptographic operations, with benchmarks conducted on machines like the MacBook Pro and MacBook Air confirming the library's efficiency.
Recent Updates
Since version 3.1.1, improvements include enhanced algorithm performance, extended support for various SM4 encryption modes, new command-line options, and the removal of deprecated algorithms like RC4 and MD5.
Developers
The GmSSL project is supported by contributions from numerous developers, enhancing its functionality and maintaining its compliance with domestic cryptographic standards. For those interested in a dynamic timeline of the project's evolving popularity, a star chart visualization is readily available.