ProHoster > Blog > internet news > OpenSSL 3.1.0 Cryptographic Library Release

OpenSSL 3.1.0 Cryptographic Library Release

After a year and a half of development, the OpenSSL 3.1.0 library was released with the implementation of the SSL / TLS protocols and various encryption algorithms. Support for OpenSSL 3.1 will continue until March 2025. Support for legacy OpenSSL 3.0 and 1.1.1 branches will continue until September 2026 and September 2023, respectively. The project code is distributed under the Apache 2.0 license.

Main innovations of OpenSSL 3.1.0:

  • The FIPS module implements support for cryptographic algorithms that comply with the FIPS 140-3 security standard. The module certification process has begun to obtain FIPS 140-3 compliance certification. Until certification is complete after upgrading OpenSSL to the 3.1 branch, users can continue to use a FIPS module certified for FIPS 140-2. Of the changes in the new version of the module, the inclusion of the Triple DES ECB, Triple DES CBC and EdDSA algorithms, which have not yet been tested for compliance with FIPS requirements, is noted. Also in the new version, optimizations have been made to improve performance and a transition has been made to running internal tests with each module load, and not just after installation.
  • Reworked OSSL_LIB_CTX code. The new option is free from unnecessary locks and allows you to achieve higher performance.
  • Improved performance of the encoder and decoder frameworks.
  • Performed performance optimization related to the use of internal structures (hash tables) and caching.
  • Improved speed of generating RSA keys in FIPS mode.
  • AES-GCM, ChaCha20, SM3, SM4, and SM4-GCM algorithms have specific assembler optimizations for different processor architectures. For example, AES-GCM code is accelerated using the AVX512 vAES and vPCLMULQDQ instructions.
  • Support for the KMAC (KECCAK Message Authentication Code) algorithm has been added to KBKDF (Key Based Key Derivation Function).
  • Various "OBJ_*" functions have been adapted for use in multi-threaded code.
  • Added the ability to use the RNDR instruction and RNDRRS registers available in processors based on the AArch64 architecture to generate pseudo-random numbers.
  • The OPENSSL_LH_stats, OPENSSL_LH_node_stats, OPENSSL_LH_node_usage_stats, OPENSSL_LH_stats_bio, OPENSSL_LH_node_stats_bio and OPENSSL_LH_node_usage_stats_bio functions have been deprecated. Deprecated DEFINE_LHASH_OF macro.

Source: opennet.ru

Add a comment