Cryptography for system integrators

Updated: May 06, 2022

QNX Neutrino supports multiple ways to access cryptography services.

QNX Cryptography Library

The QNX Cryptography Library (qcrypto) is a thin shim layer which provides a unified cryptography API on the system. It also allows system integrators to select which cryptography providers to ship on the system without requiring changes to source code that uses the qcrypto API. The selection of the proper cryptography provider by components is done through a 'tag' system which is an integral part of the qcrypto library. A 'tag' is a keyword that specifies the cryptography provider that should provide the functionality required by the component interfacing with qcrypto. By default, when the tag value is NULL, the tag value is the executable name of the process.

This library also allows the end user to write custom plugins that offer cryptography services through other third-party libraries or hardware cryptography devices.

For QNX Neutrino system components, this library provides cryptography support and allows system integrators to choose the cryptography provider for each system component.

Note: mkqnximage supports the --certicom and --tomcrypt options, which demonstrate how to enable this feature.

For more information, see QNX Cryptography Library.

OpenSSL

QNX Neutrino ships with the latest Long Term Support (LTS) version of OpenSSL, which currently is version 1.1.1. It is also used by many third-party components such as networking-related utilities.

OpenSSL cryptography support is available via the libraries libcrypto.so.2.1 and libssl.so.2.1 and the openssl utility.

For more information, including openssl commands see “https://www.openssl.org/docs/man1.1.1/. ”.

OpenSSL devcrypto extensions

The OpenSSL that QNX Neutrino provides allows you to redirect to devcrypto calls for cryptography operations that use the OpenSSL EVP API. This redirection allows access to EVP functions without recompiling application programs using OpenSSL.

For processes that use or link to the OpenSSL library (libcrypto), the following environment variable automatically redirects cryptography operations:

OPENSSL_CRYPTODEV=["alg1 ,alg2 ,..."|all] process_path  args
where "alg1 ,alg2 ,..." are the algorithms that will be handled by devcrypto instead of OpenSSL's internal implementation. (Specify the algorithms using the names that OpenSSL uses internally.) Alternatively, specify all to redirect to devcrypto all algorithms that it supports; unsupported algorithms use OpenSSL.

In addition, specifying OPENSSL_CRYPTODEV_DEBUG provides debug output related to the algorithm registration.

OpenSSL changes

In addition, the crypto library from OpenSSL included in QNX Neutrino provides the following additional digest algorithms:

Using Valgrind tools and the GNU debugger (GDB) with OpenSSL

In some environments, OpenSSL interferes with Valgrind or GNU debugging by generating SIGKILL signals.

To avoid this problem with Valgrind, specify the following option:
--sigill-diagnostics=no

For GNU debugger (GDB), see “When debugging I observe SIGILL during OpenSSL initialization: why?” in the OpenSSL Project's Frequently Asked Questions information: “https://www.openssl.org/docs/faq.html#PROG”

devcrypto

The devcrypto service provides cryptography support through the "standard" /dev/crypto interface (similar to OpenBSD's cryptodev userspace API). The QNX Neutrino /dev/crypto is a driver that exposes an interface that uses I/O control calls to perform cryptography operations (MAC, digest, cipher, AEAD cipher, etc.). The devcrypto plugin API allows you to create a software backend to devcrypto, which provides access to either software or hardware cryptographic accelerators.

For more information, see The devcrypto service.

Note: To find out which cryptography service a feature uses, see the documentation for each feature.