WO2024040846A1 - Data processing method and apparatus, electronic device, and storage medium - Google Patents


Info

Publication number: WO2024040846A1
Application number: PCT/CN2022/144150
Authority: WO, WIPO (PCT)
Prior art keywords: coroutine, level, processing, encryption, ssl
Other languages: French (fr), Chinese (zh)
Inventors: 王阳, 樊俊诚, 吴亚东
Original assignees: 奇安信网神信息技术(北京)股份有限公司; 奇安信科技集团股份有限公司
Application filed by 奇安信网神信息技术(北京)股份有限公司 and 奇安信科技集团股份有限公司.
Publication of WO2024040846A1.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L 69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms

Definitions

  • the present application relates to the field of communication technology, specifically, to a data processing method, device, electronic equipment and storage medium.
  • the Secure Sockets Layer (SSL) protocol sits between the application layer and the transport layer.
  • the application layer data is no longer directly passed to the transport layer, but to the SSL layer.
  • the SSL layer encrypts the data it receives from the application layer, which secures the communication between the client and the server and prevents it from being monitored or tampered with.
  • SSL proxy is used as an implementation method of the SSL layer.
  • the implementation of an SSL proxy often involves a large number of encryption and decryption operations. These operations consume a large amount of the device CPU's computing resources, causing the CPU load to become too high and thereby degrading the device's performance in processing other services.
  • the purpose of the embodiments of the present application is to provide a data processing method, device, electronic device and storage medium that alleviate the problem of the existing method consuming a large amount of CPU computing resources and affecting the device's processing of other services.
  • embodiments of the present application provide a data processing method applied to a network intermediate device, where the network intermediate device is deployed with an SSL proxy service.
  • the method includes:
  • the second-level coroutine performs relevant operations specified by the SSL protocol on the current message after preprocessing is completed.
  • when the second-level coroutine needs to encrypt or decrypt data, it submits the encryption and decryption operation to a hardware acceleration device for asynchronous processing.
  • this method layers the code logic by designing a first-level coroutine and a second-level coroutine under the SSL proxy service; the two coroutine levels each handle their part of the processing of messages that require the SSL proxy service.
  • the layering can effectively improve the processing performance of the SSL proxy service, and the message processing process of the network intermediate device can receive messages from various services and process them accordingly, which allows the network intermediate device to handle more services and improves its performance in processing other services.
  • the encryption and decryption operations are sent to the hardware acceleration device for processing. This fully utilizes the performance of the hardware acceleration device, reduces the consumption of the CPU's computing resources in the network intermediate device, and further improves the CPU's performance in concurrent service processing.
  • the method further includes:
  • the task processing results of the encryption and decryption operations are monitored through the message processing process.
  • the method further includes:
  • the monitoring of the task processing results of the encryption and decryption operations through the message processing process includes:
  • the message processing process monitors the task processing results of the encryption and decryption operations in the hardware execution task queue.
  • the message processing process can detect the task processing results of multiple encryption and decryption operations by monitoring the hardware execution task queue, which improves detection efficiency.
  • the method also includes:
  • after the message processing process detects that the task processing of the encryption and decryption operation is completed, it restores the execution site of the first-level coroutine and switches to the first-level coroutine;
  • the results of the encryption and decryption operations are obtained from the hardware acceleration device through the secondary coroutine, and the related operations specified by the SSL protocol are continued to be performed.
  • when the secondary coroutine resumes execution, it obtains the results of the encryption and decryption operations from the hardware acceleration device and continues to perform the related operations. In this way, the secondary coroutine and the hardware acceleration device process messages asynchronously, which improves the processing performance of the SSL proxy service.
  • the related operations specified by the SSL protocol are performed on the current message after the preprocessing is completed through the second-level coroutine, including:
  • the SSL handshake negotiation operation or corresponding message processing operation is performed on the current message after preprocessing is completed through the second-level coroutine.
  • the layering of code logic can be achieved through two-level coroutines, and through the cooperation between the first-level coroutines and the second-level coroutines, the processing performance of SSL proxy service packets can be improved.
  • preprocessing the current message through the first-level coroutine includes:
  • the certificate obtained from the server is re-issued through the first-level coroutine, so that the current message is processed using the re-issued certificate.
  • simple preprocessing operations are performed on the message by the first-level coroutine so that the specific message operations can be handled by the second-level coroutine. This layers the proxy logic, gives full play to the advantages of coroutines, and improves the processing performance of the SSL proxy service.
  • the network intermediate device is a firewall.
  • the hardware acceleration device is an accelerator card based on QAT technology.
  • embodiments of the present application provide a data processing device that runs on a network intermediate device.
  • the network intermediate device is deployed with an SSL proxy service.
  • the device includes:
  • a coroutine switching module, used to receive the current message sent by the server or the client through the message processing process of the network intermediate device and, when it is determined that the current message requires the SSL proxy service, switch to the first-level coroutine of the SSL proxy service;
  • a first-level coroutine processing module used to preprocess the current message through the first-level coroutine, and switch to the second-level coroutine of the SSL proxy service after the preprocessing is completed;
  • a secondary coroutine processing module, used to perform the related operations specified by the SSL protocol on the current message after preprocessing is completed through the secondary coroutine, wherein when the secondary coroutine performs the encryption and decryption operation on the data, it submits the encryption and decryption operation to the hardware acceleration device for asynchronous processing.
  • embodiments of the present application provide an electronic device, including a processor and a memory.
  • the memory stores computer-readable instructions.
  • when the computer-readable instructions are executed by the processor, the steps in the method provided in the first aspect above are performed.
  • embodiments of the present application provide a computer-readable storage medium on which a computer program is stored.
  • when the computer program is executed by a processor, the steps in the method provided in the above-mentioned first aspect are executed.
  • Figure 1 is a flow chart of a data processing method provided by an embodiment of the present application.
  • Figure 2 is an interaction flow chart between two-level coroutines provided by an embodiment of the present application.
  • Figure 3 is a structural block diagram of a data processing device provided by an embodiment of the present application.
  • Figure 4 is a schematic structural diagram of an electronic device for executing a data processing method provided by an embodiment of the present application.
  • “system” and “network” in the embodiments of this application can be used interchangeably.
  • Multiple means two or more.
  • plural may also be understood as “at least two” in the embodiments of this application.
  • “And/or” describes the relationship between related objects and indicates that three relationships are possible. For example, “A and/or B” can mean: A exists alone, A and B exist simultaneously, or B exists alone.
  • the character “/”, unless otherwise specified, generally indicates that the related objects are in an “or” relationship.
  • the embodiment of the present application provides a data processing method, which is applied to a network intermediate device.
  • An SSL proxy service is deployed in the network intermediate device.
  • a first-level coroutine and a second-level coroutine are designed under the SSL proxy service. These two coroutine levels are used to process the messages that require the SSL proxy service, which layers the code logic and effectively improves the processing performance of the SSL proxy service.
  • the message processing process of the network intermediate device can receive messages from various services. This allows the network intermediate device to process packets in more business scenarios, not just SSL proxy service packets, which improves its performance in processing other services.
  • the encryption and decryption operations are sent to the hardware acceleration device for processing. This fully utilizes the performance of the hardware acceleration device, reduces the consumption of the CPU's computing resources in the network intermediate device, and further improves the CPU's performance in concurrent service processing.
  • Figure 1 is a flow chart of a data processing method provided by an embodiment of the present application. The method is applied to a network intermediate device and includes the following steps:
  • Step S110: receive the current message sent by the server or the client through the message processing process of the network intermediate device. When it is determined that the current message requires the SSL proxy service, switch to the first-level coroutine of the SSL proxy service.
  • the network intermediate device in the embodiment of this application may refer to a gateway, a router, a firewall, and other devices.
  • the network intermediate device may be used to process communication messages between the client and the server accordingly.
  • an SSL proxy service is deployed in the network intermediate device, so that the network intermediate device can serve as an SSL proxy server to communicate with the client and server respectively.
  • when the client communicates with the server, the client sends a Client Hello message to initiate an SSL connection.
  • after receiving the message, the network intermediate device parses and caches it and sends its own Client Hello message to the server; the server responds with a Server Hello message and the server certificate, which are returned to the network intermediate device.
  • the network intermediate device acts as a proxy client to complete the SSL handshake with the server and establish an SSL connection, and then sends its message to the client.
  • after the client receives the network intermediate device's own Server Hello message together with the re-issued certificate and completes verification of that certificate, it completes the SSL handshake with the network intermediate device and establishes an SSL connection.
  • the messages transmitted between the client, the network intermediate device and the server are all encrypted messages.
  • the network intermediate device can decrypt the messages received from the client or the server, and the decrypted content can be inspected or audited for security before being re-encrypted and sent to the client or the server.
  • the network intermediate device performs a large number of encryption and decryption operations during the SSL proxy process, and these operations consume a lot of the computing resources of its CPU. However, the network intermediate device also has to process other business packets, which likewise requires CPU resources. To reduce the occupation of CPU computing resources by encryption and decryption operations, the embodiment of this application proposes using two-level coroutines to process the messages of the SSL proxy service and sending the encryption and decryption operations to a hardware acceleration device for processing. This solution removes the need for the CPU of the network intermediate device to perform the encryption and decryption operations, leaving the network intermediate device more resources to process other business packets.
  • the packet processing process of the network intermediate device may refer to the main process of the network intermediate device, which can process a variety of business packets, such as SSL proxy service packets, and perform filtering, interception, security detection and so on for other business packets.
  • for other business messages, the message processing process can process them directly, while messages of the SSL proxy service can be submitted to the two-level coroutines of the SSL proxy service for processing. In this way, the message processing process can still process other business packets synchronously without being affected by the processing of SSL proxy service packets, which improves the performance of the network intermediate device in processing concurrent services.
  • the first-level coroutine and the second-level coroutine can be created for the SSL proxy service.
  • using coroutines to process the packets of the SSL proxy service releases the resources occupied by the packet processing process, so that the packet processing process can continue to process other business messages synchronously.
  • a coroutine means that a function containing multiple instruction statements need not be executed from its first instruction statement every time it is called; instead, execution resumes from the position at which it was paused during the last call. Specifically, when the coroutine function is called for the first time, a coroutine context is allocated on the stack to save the return address of the initiator, the entry parameters, the variables, the location at which control over system resources was released, and other information. When the coroutine function is called again, the calling environment is restored from the saved coroutine context and the function continues executing from the location where it was last suspended. In this way, the coroutine mechanism can easily save and restore the execution site.
  • a two-level coroutine mechanism is used to process the messages of the SSL proxy service.
  • Each level of coroutine completes the corresponding message processing action.
  • the first-level coroutine can preprocess the message, and the specific message processing operations are placed in the second-level coroutine, so that rapid processing of messages is achieved through the cooperation of the two coroutine levels.
  • the messages exchanged between the client and the server are forwarded through the network intermediate device. If the current message received by the message processing process of the network intermediate device requires the SSL proxy service, it must be processed by the SSL proxy service, so the process switches to the first-level coroutine of the SSL proxy service for processing.
  • the network intermediate device can determine whether the SSL proxy service is required from information carried in the current message, for example whether the current message is a Hello message sent by the client or the server, or whether it is a message transmitted over an SSL connection between the client and the server, etc.
  • Step S120: preprocess the current message through the first-level coroutine, and switch to the second-level coroutine of the SSL proxy service after the preprocessing is completed.
  • the preprocessing here can refer to some basic processing of the message. For example, if the current message is the first message that requires the SSL proxy service, that is, the first Client Hello message sent by the client, the preprocessing operation may include the first-level coroutine re-issuing the certificate obtained from the server (for example, replacing the issuer and the key pair used in the certificate), so that the current message is processed using the re-issued certificate: the network intermediate device replies to the client with a Server Hello message and the re-issued server certificate, so that the client can subsequently use the key pair of the re-issued server certificate to encrypt messages.
  • the preprocessing operation may also include some initialization of SSL, such as the protocol version used, the supported algorithm suite, etc.
  • Preprocessing operations can also include operations such as parsing messages, such as parsing the extended fields required for the Client Hello message sent by the client (such as whether to support Application-Layer Protocol Negotiation (ALPN), server name indication (Server Name Indication, SNI), etc.).
  • preprocessing operations can also include determining whether session reuse is needed, etc.
  • preprocessing operations can be set according to needs. These preprocessing operations can be regarded as preparations for the message, and the specific message processing operations can be handed over to the secondary coroutine.
  • the first-level coroutine can use the preprocessing operations to establish an SSL connection with the client on behalf of the server, and with the server on behalf of the client, and the context information of the SSL connection can be maintained in the first-level coroutine. After the client or server sends a message through the SSL connection, the context information can be restored in the first-level coroutine and processing of the message can continue.
  • Step S130: use the second-level coroutine to perform the related operations specified by the SSL protocol on the current message after preprocessing.
  • the second-level coroutine can perform the related operations specified by the SSL protocol on the current message, for example constructing a reply message corresponding to the current message based on the negotiation status of the current SSL connection and sending it to the corresponding server or client, or generating or obtaining the key of the corresponding algorithm suite according to the type of algorithm suite used in the negotiation process, etc. Performing the related operations specified by the SSL protocol also includes performing SSL handshake negotiation operations or the corresponding message processing operations on the current message.
  • the SSL handshake negotiation operation here means that the network intermediate device can perform SSL handshake negotiation with the other party on behalf of the client or server.
  • the corresponding message processing operation may refer to the encryption and decryption operation on the message, the forwarding operation, or other operations involved in the SSL proxy service, such as decrypting the message obtained from one side and transparently passing the plaintext to the other side of the SSL proxy, or re-encrypting the plaintext before sending it out. Depending on the policy configuration, it can also be decided whether to mirror the plaintext to other services for security inspection.
  • when the secondary coroutine performs encryption and decryption operations on data, the encryption and decryption operations are submitted to the hardware acceleration device for asynchronous processing.
  • the secondary coroutine here may refer to OpenSSL (Open Secure Sockets Layer).
  • Submitting encryption and decryption operations to the hardware acceleration device can be understood as using the interface function provided by OpenSSL to call the engine of the hardware acceleration device in the kernel mode.
  • the engine drives the hardware acceleration device to process encryption and decryption operations. For example, when the second-level coroutine performs encryption and decryption operations, it generates corresponding asynchronous tasks and then directly enters the corresponding processing engine.
  • the hardware acceleration device can be an accelerator card based on Quick Assist Technology (QAT).
  • the processing engine can be QAT Engine.
  • the processing engine can call the QAT driver in kernel mode to drive the hardware acceleration device, so that the encryption and decryption operations are processed asynchronously.
  • the hardware acceleration device can process encryption and decryption tasks asynchronously, and the two-level coroutines of the SSL proxy service can process other messages asynchronously, without the network intermediate device needing to perform the encryption and decryption operations itself. This gives full play to the processing capability of the hardware acceleration device and maximizes the performance of the network intermediate device.
  • the two-level coroutines are used to process the messages that require the SSL proxy service, which layers the code logic and effectively improves the processing performance of the SSL proxy service; the message processing process of the network intermediate device can receive messages from various services and process them accordingly, which allows the network intermediate device to handle packets from more business scenarios, not just SSL proxy service packets, and improves its performance in processing other services.
  • the encryption and decryption operations are sent to the hardware acceleration device for processing. This fully utilizes the performance of the hardware acceleration device, reduces the consumption of the CPU's computing resources in the network intermediate device, and further improves the CPU's performance in concurrent service processing.
  • the second-level coroutine can also save its execution site (so that, after the site is restored next time, execution continues from the paused point) and switch back to the first-level coroutine; the first-level coroutine then saves its own execution site and switches back to the message processing process, which can then monitor the task processing results of the encryption and decryption operations.
  • the second-level coroutine finally switches back to the message processing process.
  • the message processing process can monitor the task processing results of the encryption and decryption operations.
  • the message processing process can create a monitoring task whose main purpose is to monitor the task processing result of this encryption and decryption operation. Once the processing is completed, the encrypted or decrypted message can be obtained through the two-level coroutines, and the network intermediate device can then continue to process the encrypted or decrypted packet, for example by forwarding it to the client or the server.
  • since the SSL proxy service involves many encryption and decryption operations, many encryption and decryption tasks will be submitted to the hardware acceleration device.
  • after the execution site of the second-level coroutine has been saved as described above and control has switched back to the first-level coroutine, the encryption and decryption task can also be added to the hardware execution task queue by the first-level coroutine, and the message processing process monitors the task processing results of the encryption and decryption operations in that task queue.
  • the hardware execution task queue can be used to store each encryption and decryption operation task processed by the hardware acceleration device.
  • the processing result of each encryption and decryption task by the hardware acceleration device can be marked in the hardware execution task queue: if the processing is not completed, it is marked as 0; if the processing is completed, it is marked as 1.
  • the mark here can be set flexibly according to actual needs, as long as the message processing process can learn the task processing results of the encryption and decryption operations from the hardware execution task queue. In this way, the message processing process can tell whether an encryption and decryption operation is completed from the mark representing its task processing result in the hardware execution task queue, and if it is completed, the message produced by that encryption and decryption operation can be obtained through the two-level coroutines of the SSL proxy service.
  • when the message processing process monitors the hardware execution task queue, it can read the task processing results of the encryption and decryption operations from the hardware execution task queue periodically or in real time.
  • the message processing process can detect the task processing results of multiple encryption and decryption operations by monitoring the hardware execution task queue, which improves detection efficiency.
  • the message processing process restores the execution site of the first-level coroutine and switches to the first-level coroutine, and then the first-level coroutine restores the execution site of the second-level coroutine and switches to the second-level coroutine.
  • the results of the encryption and decryption operations can be obtained from the hardware acceleration device through the second-level coroutine and continue to perform related operations specified by the SSL protocol.
  • when the message processing process detects in the hardware execution task queue that the encryption and decryption task has been processed, it switches to the first-level coroutine.
  • the first-level coroutine restores its previously saved execution site and continues to execute according to the current logic, that is, it switches to the second-level coroutine.
  • the second-level coroutine restores its previously saved execution site. Since the second-level coroutine submitted the encryption and decryption operation to the hardware acceleration device, it effectively suspended the task of performing that operation, so the secondary coroutine can now resume it.
  • the secondary coroutine obtains the processing results of the encryption and decryption operations from the hardware acceleration device, such as the current message after encryption or decryption, and then continues to perform the related operations specified by the SSL protocol on that message, such as forwarding it to the client or the server through the SSL connection; that is, it continues the SSL protocol operations that follow the encryption or decryption of the message, such as continuing the SSL handshake process or continuing the subsequent processing of the message.
  • the above process is repeated when the next suspension point is encountered, that is, when the next message requiring the SSL proxy service is encountered, the same process is followed. The related operations specified by the SSL protocol performed here include the operations mentioned in step S130 above.
  • after the secondary coroutine obtains the results of the encryption and decryption tasks, it can end the previously created encryption and decryption tasks, that is, release them. If there are multiple encryption and decryption tasks, each time the result of a task is obtained that task is released, and control switches back to the first-level coroutine. The first-level coroutine also releases the previously created asynchronous task and switches back to the message processing process.
  • when the secondary coroutine resumes execution, it obtains the results of the encryption and decryption operations from the hardware acceleration device and continues to perform the related operations. In this way, the secondary coroutine and the hardware acceleration device process messages asynchronously, which improves the processing performance of the SSL proxy service.
  • User Space user mode
  • Kernel Space kernel state
  • ssl_entry SSL proxy entity
  • ssl_entryasync Asynchronous tasks in SSL proxy entities
  • Libsg_ssl library function that implements SSL protocol
  • OpenSSL async Asynchronous tasks in OpenSSL, that is, second-level coroutines
  • Libsg_crypto library functions that implement various cryptography algorithms
  • Qat Engine the engine library provided by the third party Intel that supports the use of QAT; it can also be understood as the QAT engine
  • QAT Driver QAT driver
  • app_proc application layer processing
  • SSL agent asynchronous processing scheduling function
  • sslasync job asynchronous task of SSL proxy
  • SSL agent asynchronous task startup function (switched from the message processing process to the first-level coroutine of the SSL agent for processing);
  • SSL_connect function to initiate SSL connection
  • ssl_start_async_job Asynchronous processing function in SSL (allocate OpenSSL async, record asynchronous processing status, etc.);
  • ASYNC_start_job function to allocate asynchronous tasks in OpenSSL
  • async_fibre_swapcontext asynchronous task startup function in OpenSSL (switched from the first-level coroutine of the SSL agent to the second-level coroutine of OpenSSL);
  • ssl_op_intern SSL internal asynchronous processing function
  • ASYNC_PAUSE The status returned when an asynchronous task is not completed
  • SSL agent asynchronous task switching function (switching between the message processing process and the first-level coroutine of the SSL agent);
  • ASYNC_resume_job OpenSSL asynchronous task recovery operation
  • ASYNC_FINISH The status returned after asynchronous task processing is completed
  • SSL_ERROR_WANT_ASYNC The status returned by SSL when the asynchronous task is not completed
  • SSL_ERROR_NONE an SSL status code
  • ssl_async_poll_hw SSL proxy poll function (query QAT processing results).
  • After the main message process dp receives the current message, if the current message requires the SSL proxy service, it switches to the first-level coroutine of the SSL proxy service through the ssl_async_schedule function.
  • The first-level coroutine preprocesses the current message, which includes creating a sslasync job (this task is used to preprocess the message), that is, creating an asynchronous task, initiating an SSL connection through the SSL_connect function, and switching to the second-level coroutine by calling Libsg_ssl, where the message is then processed.
  • When the second-level coroutine reaches the encryption and decryption operation, it creates an asynchronous task (ASYNC_start_job).
  • Through ASYNC_start_job, the second-level coroutine can create an asynchronous task for each encryption and decryption operation and submit the encryption and decryption operation to the QAT engine.
  • The QAT engine calls the QAT driver through its interface functions to drive the QAT to process the encryption and decryption operations.
  • The second-level coroutine then saves its execution site (that is, ASYNC_PAUSE) and switches back to the first-level coroutine.
  • The first-level coroutine saves its execution site (that is, saves the sslasync job) and finally switches to the message processing process, which monitors the hardware execution task queue (ssl_async_poll_hw).
  • The message processing process switches to the first-level coroutine and restores its execution site (ssl_fibre_switch), then switches to the second-level coroutine and restores its execution site (ASYNC_resume_job), and reads the result of the encryption and decryption operation on the message from the QAT through the QAT driver.
  • The task execution of the encryption and decryption operation in the second-level coroutine then ends (ASYNC_FINISH); that is, once the asynchronous task created by the second-level coroutine obtains the corresponding encryption and decryption result in the second-level coroutine, it is released and control switches to the first-level coroutine.
  • The first-level coroutine finally switches to the message processing process and releases the asynchronous task it created (release sslasync job). That is, the asynchronous task of the first-level coroutine can be processed in the second-level coroutine and is released after the second-level coroutine has performed the relevant operations specified by the SSL protocol.
  • The asynchronous task of the two-level coroutine is suspended after the second-level coroutine submits the encryption and decryption operation to the QAT, and is resumed after the message processing process detects that the encryption and decryption operation task is completed.
  • The embodiment of the present application submits the encryption and decryption operations to the hardware acceleration device for asynchronous processing, which solves the problem of low performance caused by using CPU resources to perform encryption and decryption operations synchronously in the original method; and by processing SSL proxy service packets through the two-level coroutine, the packet processing process of the network intermediate device can simultaneously process other business packets, which improves packet processing efficiency.
  • The processing flow of the two-level coroutine achieves layering at the code-logic level and can also effectively improve message processing performance. Since the coroutine mechanism can save context information, that context can be used to restore the execution site and continue execution on the next invocation, which also resolves the difficulty of state preservation and re-entry during the SSL proxy service process.
  • Coroutines are also more lightweight, which avoids the large switching overhead caused by frequent switching between kernel mode and user mode when processes and threads are used.
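The three-party hand-off described in the Figure 2 flow above (and in the earlier bullets on saving and restoring the execution sites) can be modelled in plain C with ucontext fibres, which is also how OpenSSL's async jobs are built. This is an added example, not code from the patent or from OpenSSL or the QAT engine: the one-slot hardware queue, the XOR "accelerator" with the constructed key byte 0x5A, and the names process_message, level1_job, level2_job, hw_poll and demo_roundtrip are stand-ins for ssl_async_schedule, the sslasync job, ASYNC_start_job / ASYNC_PAUSE / ASYNC_resume_job / ASYNC_FINISH and ssl_async_poll_hw.

```c
#include <stdint.h>
#include <string.h>
#include <ucontext.h>

#define STACK_SIZE (64 * 1024)
#define MAX_MSG 64
/* Constructed one-slot hardware execution task queue. The "accelerator" only XORs the
 * payload with a key byte: the point is the hand-off, not the cipher (no real QAT/OpenSSL). */
enum task_state { TASK_EMPTY, TASK_PENDING, TASK_DONE };
struct hw_task { enum task_state state; uint8_t buf[MAX_MSG]; size_t len; uint8_t key; };
static struct hw_task hw_queue;
enum job_status { JOB_RUNNING, JOB_PAUSE, JOB_FINISH };  /* cf. ASYNC_PAUSE / ASYNC_FINISH */
struct proxy_ctx {                 /* execution sites of the three parties in the flow */
    ucontext_t main_ctx;           /* message processing process (dp) */
    ucontext_t l1_ctx;             /* first-level coroutine (SSL proxy entity) */
    ucontext_t l2_ctx;             /* second-level coroutine (OpenSSL-style async job) */
    enum job_status l1_status, l2_status;
    uint8_t msg[MAX_MSG]; size_t msg_len;
    int l2_resumes;                /* times level 2 was resumed after a pause */
};
static struct proxy_ctx *g;        /* makecontext() cannot portably pass pointers */
static _Alignas(16) char l1_stack[STACK_SIZE], l2_stack[STACK_SIZE];

/* Second-level coroutine: at the cipher step it submits the task to hardware, saves
 * its execution site and yields to level 1 (the ASYNC_PAUSE path). */
static void level2_job(void)
{
    hw_queue.state = TASK_PENDING;               /* ASYNC_start_job + submit to "QAT" */
    memcpy(hw_queue.buf, g->msg, g->msg_len);
    hw_queue.len = g->msg_len; hw_queue.key = 0x5A;   /* constructed key byte */
    g->l2_status = JOB_PAUSE;
    swapcontext(&g->l2_ctx, &g->l1_ctx);         /* suspended here until resumed */
    g->l2_resumes++;                             /* resumed: result is in the queue */
    memcpy(g->msg, hw_queue.buf, hw_queue.len);  /* read the ciphertext back */
    hw_queue.state = TASK_EMPTY;                 /* release the task */
    g->l2_status = JOB_FINISH;                   /* returning follows uc_link to level 1 */
}

/* First-level coroutine: preprocessing (certificate re-issuance in the patent) would go
 * here; it drives level 2 and, while level 2 is paused, yields to the message process. */
static void level1_job(void)
{
    getcontext(&g->l2_ctx);
    g->l2_ctx.uc_stack.ss_sp = l2_stack; g->l2_ctx.uc_stack.ss_size = sizeof l2_stack;
    g->l2_ctx.uc_link = &g->l1_ctx;              /* level 2 returns here when it ends */
    makecontext(&g->l2_ctx, level2_job, 0);
    g->l2_status = JOB_RUNNING;
    swapcontext(&g->l1_ctx, &g->l2_ctx);         /* async_fibre_swapcontext analogue */
    while (g->l2_status == JOB_PAUSE) {
        g->l1_status = JOB_PAUSE;                /* save own site (the sslasync job) */
        swapcontext(&g->l1_ctx, &g->main_ctx);   /* back to the message process */
        swapcontext(&g->l1_ctx, &g->l2_ctx);     /* ASYNC_resume_job analogue */
    }
    g->l1_status = JOB_FINISH;                   /* returning follows uc_link to main */
}

/* ssl_async_poll_hw analogue: the constructed accelerator finishes a pending task. */
static int hw_poll(void)
{
    if (hw_queue.state != TASK_PENDING) return 0;
    for (size_t i = 0; i < hw_queue.len; i++) hw_queue.buf[i] ^= hw_queue.key;
    hw_queue.state = TASK_DONE;
    return 1;
}

/* Message processing process: schedule the proxy coroutines for one message and poll the
 * queue between switches. Returns the number of polls that completed a task (-1 if too long). */
int process_message(const uint8_t *in, size_t len, uint8_t *out, int *l2_resumes)
{
    static struct proxy_ctx c;
    if (len > MAX_MSG) return -1;
    memset(&c, 0, sizeof c); memset(&hw_queue, 0, sizeof hw_queue);
    g = &c;
    memcpy(c.msg, in, len); c.msg_len = len;
    getcontext(&c.l1_ctx);
    c.l1_ctx.uc_stack.ss_sp = l1_stack; c.l1_ctx.uc_stack.ss_size = sizeof l1_stack;
    c.l1_ctx.uc_link = &c.main_ctx;
    makecontext(&c.l1_ctx, level1_job, 0);
    c.l1_status = JOB_RUNNING;
    swapcontext(&c.main_ctx, &c.l1_ctx);         /* ssl_async_schedule analogue */
    int completed = 0;
    while (c.l1_status == JOB_PAUSE) {
        completed += hw_poll();                  /* other packets could be served first */
        if (hw_queue.state == TASK_DONE)
            swapcontext(&c.main_ctx, &c.l1_ctx); /* ssl_fibre_switch analogue */
    }
    memcpy(out, c.msg, len);
    if (l2_resumes) *l2_resumes = c.l2_resumes;
    return completed;
}

/* Self-check: exactly one completed poll, one level-2 resume, out == in ^ 0x5A. */
int demo_roundtrip(void)
{
    static const uint8_t in[] = "ClientHello";   /* constructed sample record */
    uint8_t out[sizeof in]; int resumes = 0;
    if (process_message(in, sizeof in - 1, out, &resumes) != 1 || resumes != 1) return 0;
    for (size_t i = 0; i < sizeof in - 1; i++)
        if (out[i] != (uint8_t)(in[i] ^ 0x5A)) return 0;
    return 1;
}
```

Between the first switch and the resume, the loop in process_message is exactly where the real message process is free to serve packets of other services, which is the point of the two-level design.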
  • FIG. 3 is a structural block diagram of a data processing device 200 provided by an embodiment of the present application.
  • The device 200 may be a module, program segment or code on an electronic device (i.e., a network intermediate device). It should be understood that the device 200 corresponds to the method embodiment in Figure 1 above and can perform the various steps involved in that method embodiment. For the specific functions of the device 200, please refer to the above description; to avoid repetition, the detailed description is appropriately omitted here.
  • The device 200 includes:
  • a coroutine switching module 210, used to receive the current message sent by the server or the client through the message processing process of the network intermediate device, and, when it is determined that the current message requires the SSL proxy service, switch to the first-level coroutine of the SSL proxy service;
  • a first-level coroutine processing module 220, used to preprocess the current message through the first-level coroutine, and switch to the second-level coroutine of the SSL proxy service after the preprocessing is completed;
  • a second-level coroutine processing module 230, used to perform the related operations specified by the SSL protocol on the preprocessed current message through the second-level coroutine, wherein, when the second-level coroutine reaches the encryption and decryption operations on the data, it submits the encryption and decryption operations to the hardware acceleration device for asynchronous processing.
  • The device 200 also includes:
  • a monitoring module, used to save the execution site of the second-level coroutine and switch back to the first-level coroutine; to save the execution site of the first-level coroutine and switch back to the message processing process; and to monitor the task processing results of the encryption and decryption operations through the message processing process.
  • The monitoring module is also configured to add the task of the encryption and decryption operations to the hardware execution task queue through the first-level coroutine, and to monitor the task processing results of the encryption and decryption operations in the hardware execution task queue through the message processing process.
  • The device 200 also includes:
  • a result acquisition module, configured to restore the execution site of the first-level coroutine through the message processing process and switch to the first-level coroutine after the message processing process detects that the task processing of the encryption and decryption operations is completed; to restore the execution site of the second-level coroutine through the first-level coroutine and switch to the second-level coroutine; and to obtain the results of the encryption and decryption operations from the hardware acceleration device through the second-level coroutine and continue to perform the related operations specified by the SSL protocol.
  • The second-level coroutine processing module 230 is configured to perform an SSL handshake negotiation operation or the corresponding message processing operation on the preprocessed current message through the second-level coroutine.
  • The first-level coroutine processing module 220 is used to re-issue the certificate obtained from the server through the first-level coroutine, so as to process the current message using the re-issued certificate.
  • The network intermediate device is a firewall.
  • The hardware acceleration device is an accelerator card based on QAT technology.
  • Figure 4 is a schematic structural diagram of an electronic device for executing a data processing method provided by an embodiment of the present application.
  • The electronic device may include: at least one processor 310, such as a CPU, at least one communication interface 320, at least one memory 330 and at least one communication bus 340.
  • the communication bus 340 is used to realize direct connection communication between these components.
  • the communication interface 320 of the device in the embodiment of this application is used to communicate signaling or data with other node devices.
  • The memory 330 may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory.
  • the memory 330 may optionally be at least one storage device located remotely from the aforementioned processor.
  • Computer-readable instructions are stored in the memory 330. When the computer-readable instructions are executed by the processor 310, the electronic device performs the method process shown in FIG. 1 above.
  • FIG. 4 is only illustrative, and the electronic device may also include more or fewer components than shown in FIG. 4 , or have a different configuration than that shown in FIG. 4 .
  • Each component shown in Figure 4 can be implemented in hardware, software, or a combination thereof.
  • Embodiments of the present application provide a computer-readable storage medium on which a computer program is stored.
  • When the computer program is executed by a processor, the method process executed by the electronic device in the method embodiment shown in Figure 1 is performed.
  • the computer program product includes a computer program stored on a non-transitory computer-readable storage medium.
  • the computer program includes program instructions.
  • When the program instructions are executed by a computer, the computer can execute the methods provided by the above method embodiments, for example including: receiving the current message sent by the server or the client through the message processing process of the network intermediate device, and, when it is determined that the current message requires the SSL proxy service, switching to the first-level coroutine of the SSL proxy service; preprocessing the current message through the first-level coroutine, and switching to the second-level coroutine of the SSL proxy service after the preprocessing is completed.
  • embodiments of the present application provide a data processing method, device, electronic device and storage medium.
  • the method designs a first-level coroutine and a second-level coroutine under the SSL proxy service.
  • The two-level coroutine is used for processing packets that require the SSL proxy service. It achieves layering at the code-logic level, which can effectively improve the processing performance of the SSL proxy service, while the packet processing process of the network intermediate device can receive packets of various services and process them accordingly, so that the network intermediate device can process packets in more business scenarios, not just SSL proxy service packets, which improves its performance in processing other services.
  • The encryption and decryption operations are sent to the hardware acceleration device for processing. This fully utilizes the performance of the hardware acceleration device, reduces the consumption of CPU computing resources in the network intermediate device, and further improves the CPU's performance in concurrent business processing.
  • the disclosed devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or can be integrated into another system, or some features can be ignored, or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some communication interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • units described as separate components may or may not be physically separated, and components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional module in each embodiment of the present application can be integrated together to form an independent part, each module can exist alone, or two or more modules can be integrated to form an independent part.
  • Relational terms such as first, second, etc. are used only to distinguish one entity or operation from another and do not necessarily require or imply any such actual relationship or sequence between these entities or operations.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present application relates to the technical field of communications, and provides a data processing method and apparatus, an electronic device, and a storage medium. According to the method, two levels of coroutines are designed under an SSL proxy service for respectively processing messages requiring the SSL proxy service, such that layering of a code logic level is realized, and the processing performance of the SSL proxy service can be effectively improved; moreover, a message processing process in a network middlebox can receive messages of various services and correspondingly process the messages, such that the network middlebox can process messages in more service scenarios instead of only processing messages of the SSL proxy service, and thus the performance of the network middlebox for processing other services can be improved. In addition, according to the present solution, an encryption/decryption operation is issued to a hardware acceleration apparatus for processing, such that the performance of the hardware acceleration apparatus can be fully exerted, and the consumption of computing resources of a CPU in the network middlebox is reduced, thereby further improving the performance of the CPU for processing concurrent services.

Description

Data processing method, apparatus, electronic device and storage medium
Cross-reference to related applications
This application claims priority to the Chinese patent application with application number 202211017571.7, titled "Data processing method, apparatus, electronic device and storage medium", filed with the China National Intellectual Property Administration on August 23, 2022, the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of communication technology, and in particular to a data processing method, apparatus, electronic device and storage medium.
Background
The Secure Sockets Layer protocol (SSL) sits between the application layer and the transport layer. Application-layer data is no longer passed directly to the transport layer but to the SSL layer, which encrypts the data received from the application layer; this secures the communication between client and server against eavesdropping and tampering.
An SSL proxy is usually one way of implementing the SSL layer. Implementing an SSL proxy typically involves a large number of encryption and decryption operations, which consume a large amount of the device CPU's computing resources, cause excessive CPU load, and thereby affect the device's other business processing performance.
Summary of the invention
The purpose of the embodiments of this application is to provide a data processing method, apparatus, electronic device and storage medium, so as to improve on the problem that existing approaches consume a large amount of CPU computing resources and affect the device's other business processing performance.
In a first aspect, embodiments of this application provide a data processing method applied to a network intermediate device on which an SSL proxy service is deployed. The method includes:
receiving, through the message processing process of the network intermediate device, the current message sent by a server or client, and, when it is determined that the current message requires the SSL proxy service, switching to the first-level coroutine of the SSL proxy service;
preprocessing the current message through the first-level coroutine, and switching to the second-level coroutine of the SSL proxy service after preprocessing is completed;
performing, through the second-level coroutine, the relevant operations specified by the SSL protocol on the preprocessed current message, wherein, when the second-level coroutine reaches the encryption and decryption operations on the data, it submits the encryption and decryption operations to a hardware acceleration device for asynchronous processing.
In the above implementation, the method designs a first-level coroutine and a second-level coroutine under the SSL proxy service, the two levels being used respectively to process messages that require the SSL proxy service. This achieves layering at the code-logic level and can effectively improve the processing performance of the SSL proxy service, while the message processing process of the network intermediate device can receive messages of various services and process them accordingly, so that the network intermediate device can handle messages in more business scenarios rather than only SSL proxy service messages, which improves the performance of the network intermediate device in processing other services. Moreover, in this solution the encryption and decryption operations are handed to the hardware acceleration device for processing, which fully exploits the performance of the hardware acceleration device, reduces the consumption of the CPU's computing resources in the network intermediate device, and further improves the CPU's performance in processing concurrent services.
Optionally, after the encryption and decryption operations are submitted to the hardware acceleration device for asynchronous processing through the second-level coroutine, the method further includes:
saving the execution site of the second-level coroutine and switching back to the first-level coroutine;
saving the execution site of the first-level coroutine and switching back to the message processing process;
monitoring the task processing results of the encryption and decryption operations through the message processing process.
In the above implementation, by saving the execution sites of the first-level and second-level coroutines, the execution site can be restored and execution continued at the next invocation, so there is no need to start execution from scratch, which improves processing efficiency.
Optionally, after switching back to the first-level coroutine, the method further includes:
adding the task of the encryption and decryption operations to a hardware execution task queue through the first-level coroutine;
and the monitoring of the task processing results of the encryption and decryption operations through the message processing process includes:
monitoring, through the message processing process, the task processing results of the encryption and decryption operations in the hardware execution task queue.
In the above implementation, since the hardware execution task queue can hold the tasks of multiple encryption and decryption operations, the message processing process can, by monitoring the hardware execution task queue, check the task processing results of multiple encryption and decryption operations together, which improves detection efficiency.
Optionally, the method further includes:
after the message processing process detects that the task processing of the encryption and decryption operations is completed, restoring the execution site of the first-level coroutine through the message processing process and switching to the first-level coroutine;
restoring the execution site of the second-level coroutine through the first-level coroutine and switching to the second-level coroutine;
obtaining the results of the encryption and decryption operations from the hardware acceleration device through the second-level coroutine, and continuing to perform the relevant operations specified by the SSL protocol.
In the above implementation, after the second-level coroutine restores its execution site it obtains the results of the encryption and decryption operations from the hardware acceleration device and continues to perform the relevant operations; in this way the second-level coroutine and the hardware acceleration device achieve asynchronous processing of messages, which improves the processing performance of the SSL proxy service.
Optionally, performing, through the second-level coroutine, the relevant operations specified by the SSL protocol on the preprocessed current message includes:
performing, through the second-level coroutine, an SSL handshake negotiation operation or the corresponding message processing operation on the preprocessed current message. In this way, layering at the code-logic level is achieved through the two levels of coroutines, and through the cooperation between the first-level and second-level coroutines the processing performance for SSL proxy service messages can be improved.
Optionally, when the current message is the first message that requires the SSL proxy service, preprocessing the current message through the first-level coroutine includes:
re-issuing, through the first-level coroutine, the certificate obtained from the server, so that the current message is processed using the re-issued certificate. Simple preprocessing of the message is done by the first-level coroutine, so that the specific message operations can be handled by the second-level coroutine; this achieves layering at the proxy-logic level, makes full use of the advantages of coroutines, and improves the processing performance of the SSL proxy service.
Optionally, the network intermediate device is a firewall, and the hardware acceleration device is an accelerator card based on QAT technology.
第二方面,本申请实施例提供了一种数据处理装置,运行于网络中间设备,所述网络中间设备部署有SSL代理服务,所述装置包括:In the second aspect, embodiments of the present application provide a data processing device that runs on a network intermediate device. The network intermediate device is deployed with an SSL proxy service. The device includes:
协程切换模块,用于通过所述网络中间设备的报文处理进程接收服务器或客户端发送的当前报文,在确定所述当前报文需要进行SSL代理服务时,切换至所述SSL代理服务的一级协程;The coroutine switching module is used to receive the current message sent by the server or the client through the message processing process of the network intermediate device, and when it is determined that the current message requires SSL proxy service, switch to the SSL proxy service. The first-level coroutine;
一级协程处理模块,用于通过所述一级协程对所述当前报文进行预处理,并在预处理完成后切换至所述SSL代理服务的二级协程;A first-level coroutine processing module, used to preprocess the current message through the first-level coroutine, and switch to the second-level coroutine of the SSL proxy service after the preprocessing is completed;
二级协程处理模块,用于通过所述二级协程对预处理完成后的当前报文执行SSL协议规定的相关操作,其中,所述二级协程在执行到数据的加解密操作时,将所述加解密操作提交给硬件加速装置进行异步处理。The secondary coroutine processing module is used to perform related operations specified by the SSL protocol on the current message after preprocessing is completed through the secondary coroutine, wherein the secondary coroutine performs the encryption and decryption operation of the data. , submitting the encryption and decryption operations to the hardware acceleration device for asynchronous processing.
第三方面,本申请实施例提供一种电子设备,包括处理器以及存储器,所述存储器存储有计算机可读取指令,当所述计算机可读取指令由所述处理器执行时,运行如上述第一方面提供的所述方法中的步骤。In a third aspect, embodiments of the present application provide an electronic device, including a processor and a memory. The memory stores computer-readable instructions. When the computer-readable instructions are executed by the processor, the operation is as described above. A first aspect provides steps in the method.
第四方面,本申请实施例提供一种计算机可读存储介质,其上存储有计算机程序,所述计算机程序被处理器执行时运行如上述第一方面提供的所述方法中的步骤。In a fourth aspect, embodiments of the present application provide a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, the steps in the method provided in the above-mentioned first aspect are executed.
本申请的其他特征和优点将在随后的说明书阐述,并且,部分地从说明书中变得显而易见,或者通过实施本申请实施例了解。本申请的目的和其他优点可通过在所写的说明书、权利要求书、以及附图中所特别指出的结构来实现和获得。Additional features and advantages of the application will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the embodiments of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Description of Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings required for the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present application and should therefore not be regarded as limiting its scope; a person of ordinary skill in the art may obtain other related drawings from these drawings without inventive effort.
Figure 1 is a flow chart of a data processing method provided by an embodiment of the present application;
Figure 2 is a flow chart of the interaction between the two levels of coroutines provided by an embodiment of the present application;
Figure 3 is a structural block diagram of a data processing apparatus provided by an embodiment of the present application;
Figure 4 is a schematic structural diagram of an electronic device for executing a data processing method provided by an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the accompanying drawings of the embodiments.
It should be noted that the terms "system" and "network" in the embodiments of the present application may be used interchangeably. "Multiple" means two or more; accordingly, "multiple" may also be understood as "at least two" in these embodiments. "And/or" describes an association between related objects and indicates that three relationships may exist: for example, "A and/or B" may mean that A exists alone, that A and B exist together, or that B exists alone. In addition, unless otherwise specified, the character "/" generally indicates an "or" relationship between the objects before and after it.
An embodiment of the present application provides a data processing method applied to a network intermediate device in which an SSL proxy service is deployed. A first-level coroutine and a second-level coroutine are designed under the SSL proxy service, and these two levels of coroutines are used to process the packets that require the SSL proxy service. This separates the code logic into layers and can effectively improve the processing performance of the SSL proxy service, while the packet processing process of the network intermediate device can receive packets of various services and process them accordingly. The network intermediate device can therefore handle packets of many more business scenarios rather than only those of the SSL proxy service, which improves its performance in processing other services. Moreover, in the solution of the present application the encryption and decryption operations are handed to a hardware acceleration device for processing, which makes full use of the hardware acceleration device, reduces the consumption of CPU computing resources in the network intermediate device, and further improves the CPU's performance in processing concurrent services.
Refer to Figure 1, which is a flow chart of a data processing method provided by an embodiment of the present application. The method is applied to a network intermediate device and includes the following steps:
Step S110: receive, through the packet processing process of the network intermediate device, the current packet sent by a server or a client, and, when it is determined that the current packet requires the SSL proxy service, switch to the first-level coroutine of the SSL proxy service.
The network intermediate device in the embodiments of the present application may be a gateway, a router, a firewall or a similar device, and may be used to process the communication packets exchanged between a client and a server. To secure the communication between the client and the server, an SSL proxy service is deployed in the network intermediate device, so that the device can act as an SSL proxy server and communicate with the client and with the server separately.
For example, when a client communicates with a server, the client sends a Client Hello packet to initiate an SSL connection. After receiving this packet, the network intermediate device parses and caches it and sends its own Client Hello packet to the server. The server responds by returning a Server Hello packet and the server certificate to the network intermediate device; at this point the network intermediate device, acting as a proxy client, completes the SSL handshake with the server and establishes an SSL connection. The network intermediate device then sends its own Server Hello packet and a re-issued certificate to the client; after the client has verified the certificate, it completes the SSL handshake with the network intermediate device and establishes an SSL connection. From then on, all packets transmitted between the client, the network intermediate device and the server are encrypted. The network intermediate device can decrypt the packets it receives from the client or the server, perform security content inspection or auditing on the decrypted packets, and then re-encrypt them before sending them on to the client or the server.
The network intermediate device therefore performs a large number of encryption and decryption operations during SSL proxying, and these operations consume a large share of the computing resources of its CPU. However, the network intermediate device also has to process packets of other services, which likewise consume CPU resources. To reduce the CPU resources occupied by encryption and decryption, the embodiments of the present application propose a scheme in which two levels of coroutines process the packets of the SSL proxy service and the encryption and decryption operations are handed to a hardware acceleration device. The CPU of the network intermediate device then no longer has to perform the encryption and decryption operations itself and has more resources available for processing other service packets.
The packet processing process of the network intermediate device may be the main process of the device, which can handle several kinds of service packets: packets of the SSL proxy service, and filtering, interception, security detection and so on for packets of other services. Packets of other services can be processed directly by the packet processing process, whereas packets of the SSL proxy service can be handed to the two levels of coroutines of the SSL proxy service. The packet processing process can thus continue to process other service packets concurrently without being affected by the processing of SSL proxy service packets, which improves the performance of the network intermediate device in handling concurrent services.
The first-level coroutine and the second-level coroutine may be created for the SSL proxy service. Using coroutines to process the packets of the SSL proxy service releases the resources of the packet processing process, so that it can continue to process other service packets concurrently.
A coroutine allows a function containing multiple instruction statements to resume from the position at which its previous invocation was suspended, rather than executing from the first statement every time it is called. Specifically, when the coroutine function is first invoked, a coroutine context is allocated on the stack to hold the return address of the caller, the entry parameters, the local variables, the position at which control of system resources was released, and similar information. When the coroutine is invoked again, the calling environment is restored from the saved coroutine context and the function continues from the position at which its execution was last suspended. The coroutine mechanism thus makes it easy to save and restore the execution context. The embodiments of the present application use a two-level coroutine mechanism to process the packets of the SSL proxy service, with each level of coroutine completing its own part of the packet processing: for example, the first-level coroutine preprocesses the packet while the concrete packet processing operations are placed in the second-level coroutine, so that the cooperation of the two levels achieves fast packet processing.
In step S110, the packets exchanged between the client and the server are forwarded through the network intermediate device. If the current packet received by the packet processing process of the network intermediate device requires the SSL proxy service, that is, needs to be processed by the SSL proxy service, the process switches to the first-level coroutine of the SSL proxy service for processing. The network intermediate device can determine whether the SSL proxy service is required from information carried in the current packet, for example by judging whether the current packet is a Hello packet sent by the client or the server, or whether it is a packet transmitted over an SSL connection between the client and the server.
Step S120: preprocess the current packet through the first-level coroutine and, when processing is complete, switch to the second-level coroutine of the SSL proxy service.
The preprocessing here may be some basic processing of the packet. For example, if the current packet is the first packet that requires the SSL proxy service, such as the first Client Hello packet sent by the client, the preprocessing may include the first-level coroutine re-issuing the certificate obtained from the server (for example, replacing the issuer and the key pair used by the certificate) so that the re-issued certificate can be used to process the current packet; the network intermediate device replies to the client with a Server Hello packet and the re-issued server certificate, so that the client can subsequently use the key pair of the re-issued server certificate to encrypt its packets.
In addition, when an SSL connection is first established, the preprocessing may include some SSL initialisation, such as the protocol version used and the supported cipher suites. The preprocessing may also include parsing the packet, for example parsing the extension fields needed from the Client Hello packet sent by the client (such as whether Application-Layer Protocol Negotiation (ALPN) is supported, the Server Name Indication (SNI), and so on). The preprocessing may further include determining whether session resumption is needed.
It will be understood that in practice the preprocessing operations can be configured as required. They can be regarded as preparatory work on the packet, while the concrete packet processing operations are handed to the second-level coroutine.
Through its preprocessing operations, the first-level coroutine can therefore establish the SSL connection with the client on behalf of the server and the SSL connection with the server on behalf of the client, and it can maintain the context information of each SSL connection. The next time a packet sent by the client or the server over that SSL connection is received, the context information can be restored in the first-level coroutine and processing of the packet can continue.
Step S130: perform, through the second-level coroutine, the relevant operations specified by the SSL protocol on the current packet after preprocessing is complete.
After the first-level coroutine has finished preprocessing the current packet, it switches to the second-level coroutine, which then performs the relevant operations specified by the SSL protocol on the current packet. For example, it may construct the reply packet corresponding to the current packet according to the negotiation state of the current SSL connection and send it to the corresponding server or client, or generate or obtain the keys of the corresponding cipher suite according to the type of cipher suite used in the negotiation. Performing the relevant operations specified by the SSL protocol may also include performing the SSL handshake negotiation or the corresponding packet processing operations on the current packet. The SSL handshake negotiation here means that the network intermediate device can negotiate the SSL handshake with the peer on behalf of the client or the server, for example negotiating the key pair used for encryption and decryption. The corresponding packet processing operations may be encryption and decryption of the packet, forwarding, or other operations involved in the SSL proxy service, for example passing the plaintext obtained by decrypting a packet from one side through to the other side of the SSL proxy, or re-encrypting the plaintext before sending it out; whether the plaintext is also mirrored to other services for security inspection can be decided according to the policy configuration.
Of course, when the second-level coroutine reaches a data encryption or decryption operation, it submits the encryption/decryption operation to the hardware acceleration device for asynchronous processing in order to relieve the CPU of the network intermediate device of the computational burden.
The second-level coroutine here may be OpenSSL (the Open Secure Sockets Layer library), and submitting the encryption/decryption operation to the hardware acceleration device can be understood as using the interface functions provided by OpenSSL to call the engine of the hardware acceleration device in kernel space, with the engine driving the hardware acceleration device to process the encryption/decryption operation. For example, when the second-level coroutine reaches an encryption/decryption operation, it creates the corresponding asynchronous task and then enters the corresponding processing engine directly.
The hardware acceleration device may be an accelerator card based on Quick Assist Technology (QAT). In that case the processing engine may be the QAT Engine, which calls the QAT driver in kernel space to drive the hardware acceleration device to process the encryption/decryption operation asynchronously. The hardware acceleration device can then process the encryption/decryption tasks asynchronously while the two levels of coroutines of the SSL proxy service process other packets asynchronously, so the network intermediate device need not perform the encryption/decryption operations itself; this makes full use of the processing capacity of the hardware acceleration device and maximises the performance of the network intermediate device.
In the implementation described above, a first-level coroutine and a second-level coroutine are designed under the SSL proxy service, and these two levels of coroutines are used to process the packets that require the SSL proxy service. This separates the code logic into layers and can effectively improve the processing performance of the SSL proxy service, while the packet processing process of the network intermediate device can receive packets of various services and process them accordingly. The network intermediate device can therefore handle packets of many more business scenarios rather than only those of the SSL proxy service, which improves its performance in processing other services. Moreover, in the solution of the present application the encryption and decryption operations are handed to the hardware acceleration device for processing, which makes full use of the hardware acceleration device, reduces the consumption of CPU computing resources in the network intermediate device, and further improves the CPU's performance in processing concurrent services.
On the basis of the above embodiment, so that the two levels of coroutines and the hardware acceleration device can work asynchronously, after the second-level coroutine has submitted the encryption/decryption operation to the hardware acceleration device for asynchronous processing, the second-level coroutine may also save its execution context (so that it can continue from the suspension point the next time the context is restored) and switch back to the first-level coroutine; the first-level coroutine then saves its own execution context and switches back to the packet processing process, which can then monitor the task processing result of the encryption/decryption operation.
In other words, after submitting the encryption/decryption operation to the hardware acceleration device, the second-level coroutine ultimately switches back to the packet processing process, which can then monitor the task processing result of the encryption/decryption operation. For example, the packet processing process may create a monitoring task whose main purpose is to watch the task processing result of this encryption/decryption operation, that is, whether it has completed; once it has completed, the encrypted or decrypted packet can be obtained again through the two levels of coroutines. The network intermediate device can then continue processing the encrypted or decrypted packet, for example by forwarding it to the client or the server.
In the implementation described above, the execution contexts of the first-level and second-level coroutines are saved, so that on the next invocation the execution context can be restored and execution continued; there is no need to start execution again from the beginning, which improves processing efficiency.
On the basis of the above embodiment, because the SSL proxy service involves many encryption and decryption operations, many encryption/decryption tasks are submitted to the hardware acceleration device. To improve the monitoring efficiency of the packet processing process, after the execution context of the second-level coroutine has been saved and control has switched back to the first-level coroutine, the first-level coroutine may also add the encryption/decryption task to a hardware execution task queue, and the packet processing process then monitors the task processing results of the encryption/decryption operations in the hardware execution task queue.
The hardware execution task queue can hold each encryption/decryption task processed by the hardware acceleration device, and the processing result of each task can be marked in the queue: for example, 0 if processing is not yet complete and 1 if it is. Of course, the marking here can be set flexibly according to actual needs, as long as the packet processing process can learn the task processing result of each encryption/decryption operation from the hardware execution task queue. The packet processing process can thus tell from the mark associated with an encryption/decryption operation in the hardware execution task queue whether that operation has completed; if it has, the packet resulting from the encryption/decryption operation can be obtained through the two levels of coroutines of the SSL proxy service.
When monitoring the hardware execution task queue, the packet processing process may read the task processing results of the encryption/decryption operations from the queue periodically or in real time.
In the implementation described above, because the hardware execution task queue can hold the tasks of multiple encryption/decryption operations, the packet processing process can check the task processing results of multiple encryption/decryption operations at once by monitoring the queue, which improves detection efficiency.
On the basis of the above embodiment, after the packet processing process detects that the encryption/decryption task has completed, the packet processing process restores the execution context of the first-level coroutine and switches to it; the first-level coroutine then restores the execution context of the second-level coroutine and switches to it. The second-level coroutine can then obtain the result of the encryption/decryption operation from the hardware acceleration device and continue performing the relevant operations specified by the SSL protocol.
For example, when the packet processing process detects in the hardware execution task queue that the encryption/decryption task has completed, it switches to the first-level coroutine, which restores its previously saved execution context and continues along its current logic, that is, switches to the second-level coroutine, which restores its own previously saved execution context. Because the second-level coroutine had submitted the encryption/decryption operation to the hardware acceleration device, it had in effect suspended the task of performing that operation, so it can now resume it: this can be understood as the second-level coroutine fetching the processing result of the encryption/decryption operation, such as the encrypted or decrypted current packet, from the hardware acceleration device, and then continuing to perform on that packet the relevant operations specified by the SSL protocol, for example forwarding it over the SSL connection to the client or the server. That is, it continues the operations the SSL protocol specifies for a packet after encryption or decryption, such as continuing the SSL handshake or the subsequent processing of the packet, and the above process is repeated at the next suspension point; likewise, when the next packet requiring the SSL proxy service arrives, it is handled by the same process. The relevant operations specified by the SSL protocol performed here may also include the operations described in step S130 above.
After the second-level coroutine has obtained the result of an encryption/decryption task, it can end the previously created encryption/decryption task, that is, release it. If there are multiple encryption/decryption tasks, each task is released as soon as its result has been obtained, and control switches back to the first-level coroutine, which likewise releases the asynchronous task it created and switches back to the packet processing process.
In the implementation described above, after the second-level coroutine restores its execution context it obtains the result of the encryption/decryption operation from the hardware acceleration device and continues with the relevant operations, so the second-level coroutine and the hardware acceleration device can process packets asynchronously, which improves the processing performance of the SSL proxy service.
To describe the process of the above embodiment more clearly, it can be understood together with the interaction shown in Figure 2. The meaning or function of each element in Figure 2 is as follows:
User Space: user mode;
Kernel Space: kernel mode;
dp: packet processing process;
ssl_entry: SSL proxy entity;
ssl_entryasync: asynchronous task within the SSL proxy entity;
Libsg_ssl: library functions implementing the SSL protocol;
OpenSSL async: asynchronous task in OpenSSL, that is, the second-level coroutine;
Libsg_crypto: library functions implementing the various cryptographic algorithms;
Qat Engine: the engine library provided by the third party Intel that supports the use of QAT, which may also be understood as the QAT engine;
QAT Driver: the QAT driver;
app_proc: application-layer processing;
ssl_async_schedule: SSL proxy asynchronous processing scheduling function;
sslasync job: asynchronous task of the SSL proxy;
ssl_fibre_start: SSL proxy asynchronous task start function (switches from the packet processing process into the first-level coroutine of the SSL proxy for processing);
SSL_connect: function that initiates an SSL connection;
ssl_start_async_job: asynchronous processing function in SSL (allocates the OpenSSL async, records the asynchronous processing state, and so on);
ASYNC_start_job: function in OpenSSL that allocates an asynchronous task;
async_fibre_swapcontext: asynchronous task start function in OpenSSL (switches from the first-level coroutine of the SSL proxy into the OpenSSL second-level coroutine);
ssl_op_intern: SSL internal asynchronous processing function;
Cpa Crypto OP: call to the QAT interface operation;
ASYNC_PAUSE: status returned when the asynchronous task is not yet complete;
ssl_fibre_switch: SSL proxy asynchronous task switch function (switches between the packet processing process and the first-level coroutine of the SSL proxy);
ASYNC_resume_job: OpenSSL asynchronous task resume operation;
ASYNC_FINISH: status returned when the asynchronous task has completed;
SSL_ERROR_WANT_ASYNC: status returned by SSL when the asynchronous task is not yet complete;
SSL_ERROR_NONE: an SSL status code;
ssl_async_poll_hw: SSL proxy poll function (queries the QAT processing result).
The execution flow of Figure 2 is briefly described below. After the packet processing main process dp receives the current packet, if the current packet requires the SSL proxy service, dp switches through the ssl_async_schedule function to the first-level coroutine of the SSL proxy service. The first-level coroutine preprocesses the current packet, which includes creating an sslasync job (the task used to preprocess the packet), i.e. creating an asynchronous task, initiating the SSL connection through the SSL_connect function, and switching into the second-level coroutine for processing by calling Libsg_ssl.
When the second-level coroutine reaches an encryption or decryption operation, it creates an asynchronous task (ASYNC_start_job); the second-level coroutine can create one asynchronous task for each encryption or decryption operation, and submits the operation to the QAT engine, which calls the QAT driver through its interface functions so that the QAT processes the operation. The second-level coroutine then saves its execution context (ASYNC_PAUSE) and switches back to the first-level coroutine; the first-level coroutine saves its execution context (i.e. saves the sslasync job) and finally switches back to the packet processing process, which monitors the hardware execution task queue (ssl_async_poll_hw).
The packet processing process then switches to the first-level coroutine and restores its execution context (ssl_fibre_switch), which in turn switches to the second-level coroutine and restores its execution context (ASYNC_resume_job). The result of the QAT's encryption or decryption of the packet is read through the QAT driver, at which point the task for that operation in the second-level coroutine has finished (ASYNC_FINISH); that is, the asynchronous task created by the second-level coroutine is released once the second-level coroutine has obtained the corresponding encryption or decryption result. Control then switches to the first-level coroutine, which finally switches back to the packet processing process and releases the asynchronous task it had created (releasing the sslasync job); that is, the first-level coroutine's asynchronous task can be released after the second-level coroutine has completed the relevant operations specified by the SSL protocol. The asynchronous tasks of both coroutine levels are suspended after the second-level coroutine submits the encryption or decryption operation to the QAT, and are resumed after the packet processing process detects that the operation has completed.
Therefore, by submitting encryption and decryption operations to a hardware acceleration device for asynchronous processing, the embodiments of the present application solve the low performance that resulted from the original approach of performing encryption and decryption synchronously on CPU resources, and by processing the packets of the SSL proxy service with two levels of coroutines they allow the packet processing process of the network intermediate device to process other service packets concurrently, improving packet processing efficiency. The two-level coroutine processing layers the code logic and can also effectively improve packet processing performance. Because the coroutine mechanism saves context information, the execution context can be restored from that context information on the next execution and processing can continue, which also solves the difficulty of saving and re-entering state during the SSL proxy service. Coroutines are also more lightweight, avoiding the cost that processes and threads incur from frequent switching between kernel mode and user mode, which wastes a great deal of time on switching.
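The control-flow contract just described (submit, ASYNC_PAUSE, SSL_ERROR_WANT_ASYNC, poll, resume, ASYNC_FINISH) and the claim that the packet processing process keeps handling other packets while a crypto operation is outstanding, modelled as an added Python example that is not code from the patent, OpenSSL or QAT. Python generators stand in for the two coroutine levels; HardwareQueue, level1_coroutine, level2_coroutine, packet_processing_loop and run_demo are names of my own, the accelerator is a constructed stand-in with a fixed polling latency and a toy XOR in place of the cipher, and the packet records are constructed sample traffic.

```python
"""Two-level coroutine scheduling for SSL proxy crypto offload, modelled with
Python generators (added example; not the patent's, OpenSSL's or QAT's code)."""
from collections import deque

# Status names follow the page's Figure 2 labels.
ASYNC_PAUSE = "ASYNC_PAUSE"
SSL_ERROR_WANT_ASYNC, SSL_ERROR_NONE = "SSL_ERROR_WANT_ASYNC", "SSL_ERROR_NONE"


class HardwareQueue:
    """Constructed stand-in for the QAT engine/driver: an operation submitted
    here completes only after LATENCY calls to poll(), so a result is never
    ready in the pass that submitted it. A toy XOR replaces the real cipher."""

    LATENCY = 2  # polls before a submitted operation completes (constructed)

    def __init__(self):
        self._pending = {}   # ticket -> [polls_left, payload, key]
        self.results = {}    # ticket -> processed bytes
        self._next_ticket = 0

    def submit(self, payload, key):
        ticket = self._next_ticket
        self._next_ticket += 1
        self._pending[ticket] = [self.LATENCY, payload, key]
        return ticket

    def poll(self):
        """ssl_async_poll_hw equivalent: returns tickets completed by this poll."""
        done = []
        for ticket, entry in list(self._pending.items()):
            entry[0] -= 1
            if entry[0] == 0:
                _, payload, key = self._pending.pop(ticket)
                self.results[ticket] = bytes(b ^ key for b in payload)
                done.append(ticket)
        return done


def level2_coroutine(hw, payload, key):
    """Second-level coroutine (the OpenSSL async job). On reaching the crypto
    step it submits to hardware and yields ASYNC_PAUSE; its local state (the
    ticket) is the saved execution context. Returning plays ASYNC_FINISH."""
    ticket = hw.submit(payload, key)          # Cpa Crypto OP
    while ticket not in hw.results:
        yield ASYNC_PAUSE
    return hw.results.pop(ticket)             # result handed back, job done


def level1_coroutine(hw, packet):
    """First-level coroutine (the sslasync job): preprocesses the packet, drives
    the level-2 job and maps its ASYNC_PAUSE to SSL_ERROR_WANT_ASYNC for dp."""
    payload = packet["payload"].strip()       # constructed preprocessing step
    job = level2_coroutine(hw, payload, packet["key"])
    while True:
        try:
            state = next(job)                 # ASYNC_start_job / ASYNC_resume_job
        except StopIteration as finished:     # ASYNC_FINISH
            return SSL_ERROR_NONE, finished.value
        assert state == ASYNC_PAUSE
        yield SSL_ERROR_WANT_ASYNC            # save L1 context, back to dp


def _step(coroutine):
    """Enter or resume a level-1 coroutine once; returns (status, result)."""
    try:
        return next(coroutine), None
    except StopIteration as finished:
        return finished.value


def packet_processing_loop(packets, hw):
    """The dp main loop. Each pass receives at most one packet, then polls the
    hardware and re-enters any parked job whose operation completed, so non-SSL
    packets keep flowing while crypto is outstanding. Returns (trace, results)."""
    trace, results, parked = [], {}, {}
    queue = deque(packets)
    while queue or parked:
        if queue:
            pkt = queue.popleft()
            if not pkt["ssl"]:
                trace.append(f"dp:{pkt['id']}:forwarded")
                results[pkt["id"]] = pkt["payload"]
            else:
                co = level1_coroutine(hw, pkt)          # ssl_async_schedule
                status, value = _step(co)               # ssl_fibre_start
                trace.append(f"dp:{pkt['id']}:{status}")
                if status == SSL_ERROR_WANT_ASYNC:
                    parked[pkt["id"]] = co              # sslasync job kept
                else:
                    results[pkt["id"]] = value
        if hw.poll():                                   # ssl_async_poll_hw
            for pid, co in list(parked.items()):
                status, value = _step(co)               # ssl_fibre_switch
                trace.append(f"dp:{pid}:{status}")
                if status == SSL_ERROR_NONE:
                    results[pid] = value
                    del parked[pid]                     # release sslasync job
    return trace, results


def run_demo():
    """Constructed sample traffic: two SSL-proxied packets around one plain
    packet; the trace shows p2 forwarded while p1 still waits on hardware."""
    packets = [
        {"id": "p1", "ssl": True, "payload": b" hello ", "key": 0x5A},
        {"id": "p2", "ssl": False, "payload": b"plain"},
        {"id": "p3", "ssl": True, "payload": b"world", "key": 0x5A},
    ]
    return packet_processing_loop(packets, HardwareQueue())


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```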
Referring to FIG. 3, FIG. 3 is a structural block diagram of a data processing apparatus 200 provided by an embodiment of the present application. The apparatus 200 may be a module, program segment or code on an electronic device (i.e. a network intermediate device). It should be understood that the apparatus 200 corresponds to the method embodiment of FIG. 1 above and can perform the steps involved in that method embodiment; for the specific functions of the apparatus 200, reference may be made to the description above, and the detailed description is omitted here as appropriate to avoid repetition.
Optionally, the apparatus 200 includes:
a coroutine switching module 210, configured to receive, through the packet processing process of the network intermediate device, the current packet sent by a server or client and, upon determining that the current packet requires the SSL proxy service, switch to the first-level coroutine of the SSL proxy service;
a first-level coroutine processing module 220, configured to preprocess the current packet through the first-level coroutine and, after preprocessing is complete, switch to the second-level coroutine of the SSL proxy service;
a second-level coroutine processing module 230, configured to perform, through the second-level coroutine, the relevant operations specified by the SSL protocol on the preprocessed current packet, wherein when the second-level coroutine reaches an encryption or decryption operation on the data, it submits that operation to a hardware acceleration device for asynchronous processing.
Optionally, the apparatus 200 further includes:
a monitoring module, configured to save the execution context of the second-level coroutine and switch back to the first-level coroutine; save the execution context of the first-level coroutine and switch back to the packet processing process; and monitor, through the packet processing process, the task processing result of the encryption or decryption operation.
Optionally, the monitoring module is further configured to add the task of the encryption or decryption operation to a hardware execution task queue through the first-level coroutine, and to monitor, through the packet processing process, the task processing result of the encryption or decryption operation in the hardware execution task queue.
Optionally, the apparatus 200 further includes:
a result acquisition module, configured to, after the packet processing process detects that the task of the encryption or decryption operation has completed, restore the execution context of the first-level coroutine through the packet processing process and switch to the first-level coroutine; restore the execution context of the second-level coroutine through the first-level coroutine and switch to the second-level coroutine; and obtain the result of the encryption or decryption operation from the hardware acceleration device through the second-level coroutine and continue to perform the relevant operations specified by the SSL protocol.
Optionally, the second-level coroutine processing module 230 is configured to perform, through the second-level coroutine, an SSL handshake negotiation operation or the corresponding packet processing operation on the preprocessed current packet.
Optionally, when the current packet is the first packet requiring the SSL proxy service, the first-level coroutine processing module 220 is configured to re-issue, through the first-level coroutine, the certificate obtained from the server, so that the current packet is processed using the re-issued certificate.
Optionally, the network intermediate device is a firewall, and the hardware acceleration device is an accelerator card based on QAT technology.
It should be noted that those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method embodiment and is not repeated here.
Referring to FIG. 4, FIG. 4 is a schematic structural diagram of an electronic device for executing the data processing method provided by an embodiment of the present application. The electronic device may include at least one processor 310, such as a CPU, at least one communication interface 320, at least one memory 330 and at least one communication bus 340. The communication bus 340 is used to implement direct connection and communication between these components. The communication interface 320 of the device in the embodiment of the present application is used to communicate signaling or data with other node devices. The memory 330 may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory. The memory 330 may optionally also be at least one storage device located remotely from the aforementioned processor. The memory 330 stores computer-readable instructions which, when executed by the processor 310, cause the electronic device to perform the method process shown in FIG. 1 above.
It can be understood that the structure shown in FIG. 4 is only illustrative; the electronic device may also include more or fewer components than shown in FIG. 4, or have a configuration different from that shown in FIG. 4. The components shown in FIG. 4 may be implemented in hardware, software or a combination thereof.
An embodiment of the present application provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it performs the method process performed by the electronic device in the method embodiment shown in FIG. 1.
This embodiment discloses a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions which, when executed by a computer, enable the computer to perform the methods provided by the above method embodiments, for example including: receiving, through the packet processing process of the network intermediate device, the current packet sent by a server or client and, upon determining that the current packet requires the SSL proxy service, switching to the first-level coroutine of the SSL proxy service; preprocessing the current packet through the first-level coroutine and, after preprocessing is complete, switching to the second-level coroutine of the SSL proxy service; and performing, through the second-level coroutine, the relevant operations specified by the SSL protocol on the preprocessed current packet, wherein when the second-level coroutine reaches an encryption or decryption operation on the data, it submits that operation to a hardware acceleration device for asynchronous processing.
In summary, the embodiments of the present application provide a data processing method, apparatus, electronic device and storage medium. The method designs a first-level coroutine and a second-level coroutine under the SSL proxy service, and these two levels of coroutines are used to process the packets requiring the SSL proxy service. This layers the code logic and can effectively improve the processing performance of the SSL proxy service, while the packet processing process of the network intermediate device can receive packets of various services and process them accordingly, so that the network intermediate device can handle packets in more service scenarios rather than only SSL proxy service packets, improving its performance on other services. Moreover, in the solution of the present application the encryption and decryption operations are handed to the hardware acceleration device for processing, which makes full use of the performance of the hardware acceleration device, reduces the consumption of CPU computing resources in the network intermediate device, and further improves the CPU's performance in processing concurrent services.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are only illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation; for another example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some communication interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
In addition, units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, the functional modules in the various embodiments of the present application may be integrated together to form an independent part, each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations.
The above are only embodiments of the present application and are not intended to limit its scope of protection; those skilled in the art may make various modifications and variations to the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application shall be included within its scope of protection.

Claims (10)

  1. A data processing method, characterized in that it is applied to a network intermediate device on which an SSL proxy service is deployed, the method comprising:
    receiving, through a packet processing process of the network intermediate device, a current packet sent by a server or a client and, upon determining that the current packet requires the SSL proxy service, switching to a first-level coroutine of the SSL proxy service;
    preprocessing the current packet through the first-level coroutine and, after preprocessing is complete, switching to a second-level coroutine of the SSL proxy service;
    performing, through the second-level coroutine, relevant operations specified by the SSL protocol on the preprocessed current packet, wherein when the second-level coroutine reaches an encryption or decryption operation on the data, it submits the encryption or decryption operation to a hardware acceleration device for asynchronous processing.
  2. The method according to claim 1, characterized in that, after the second-level coroutine submits the encryption or decryption operation to the hardware acceleration device for asynchronous processing, the method further comprises:
    saving the execution context of the second-level coroutine and switching back to the first-level coroutine;
    saving the execution context of the first-level coroutine and switching back to the packet processing process;
    monitoring, through the packet processing process, the task processing result of the encryption or decryption operation.
  3. The method according to claim 2, characterized in that, after switching back to the first-level coroutine, the method further comprises:
    adding the task of the encryption or decryption operation to a hardware execution task queue through the first-level coroutine;
    and the monitoring, through the packet processing process, of the task processing result of the encryption or decryption operation comprises:
    monitoring, through the packet processing process, the task processing result of the encryption or decryption operation in the hardware execution task queue.
  4. The method according to claim 2, characterized in that the method further comprises:
    after the packet processing process detects that the task of the encryption or decryption operation has completed, restoring the execution context of the first-level coroutine through the packet processing process and switching to the first-level coroutine;
    restoring the execution context of the second-level coroutine through the first-level coroutine and switching to the second-level coroutine;
    obtaining the result of the encryption or decryption operation from the hardware acceleration device through the second-level coroutine, and continuing to perform the relevant operations specified by the SSL protocol.
  5. The method according to claim 1, characterized in that performing, through the second-level coroutine, relevant operations specified by the SSL protocol on the preprocessed current packet comprises:
    performing, through the second-level coroutine, an SSL handshake negotiation operation or a corresponding packet processing operation on the preprocessed current packet.
  6. The method according to claim 1, characterized in that, when the current packet is the first packet requiring the SSL proxy service, preprocessing the current packet through the first-level coroutine comprises:
    re-issuing, through the first-level coroutine, the certificate obtained from the server, so as to process the current packet using the re-issued certificate.
  7. The method according to any one of claims 1 to 6, characterized in that the network intermediate device is a firewall and the hardware acceleration device is an accelerator card based on QAT technology.
  8. A data processing apparatus, characterized in that it runs on a network intermediate device on which an SSL proxy service is deployed, the apparatus comprising:
    a coroutine switching module, configured to receive, through a packet processing process of the network intermediate device, a current packet sent by a server or a client and, upon determining that the current packet requires the SSL proxy service, switch to a first-level coroutine of the SSL proxy service;
    a first-level coroutine processing module, configured to preprocess the current packet through the first-level coroutine and, after preprocessing is complete, switch to a second-level coroutine of the SSL proxy service;
    a second-level coroutine processing module, configured to perform, through the second-level coroutine, relevant operations specified by the SSL protocol on the preprocessed current packet, wherein when the second-level coroutine reaches an encryption or decryption operation on the data, it submits the encryption or decryption operation to a hardware acceleration device for asynchronous processing.
  9. An electronic device, characterized in that it comprises a processor and a memory, the memory storing computer-readable instructions which, when executed by the processor, run the method according to any one of claims 1 to 7.
  10. A computer-readable storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, it runs the method according to any one of claims 1 to 7.
Applications Claiming Priority (2)

Application Number                  Priority Date  Filing Date  Title
CN202211017571.7                    2022-08-23
CN202211017571.7A (CN115426403A)    2022-08-23     2022-08-23   Data processing method and device, electronic equipment and storage medium
PCT/CN2022/144150 (WO2024040846A1)  2022-08-23     2022-12-30   Data processing method and apparatus, electronic device, and storage medium

Publications (1)

Publication Number   Publication Date
WO2024040846A1 (en)  2024-02-29
