Release of the OpenSSL 3.0.0 cryptographic library

After three years of development and 19 test releases, the OpenSSL 3.0.0 library has been released, with implementations of the SSL/TLS protocols and various encryption algorithms. The new branch includes changes that break backward compatibility at the API and ABI level, but the changes will not affect the operation of most applications, which need to be rebuilt to migrate from OpenSSL 1.1.1. The previous OpenSSL 1.1.1 branch will be supported until September 2023.

The large jump in the version number is due to the switch to the traditional "Major.Minor.Patch" numbering. From now on, the first number (Major) in the version will change only when compatibility is broken at the API/ABI level, and the second (Minor) will change when functionality is extended without changing the API/ABI. Corrective updates will be delivered with a change to the third number (Patch). The number 3.0.0 was chosen to follow 1.1.1 directly in order to avoid overlap with the FIPS module for OpenSSL currently under development, for which the 2.x numbering was used.
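As an added illustration (not code from the OpenSSL project or from the original article), the C code below decodes the packed version number that OpenSSL 3.x documents as 0xMNN00PP0 and applies the Major/Minor/Patch rule described above to a build-time and a run-time version. The `demo_*` names and the sample values are assumptions made for this example.

```c
#include <stdio.h>

/* Hypothetical helper types for this example; not part of the OpenSSL API. */
struct demo_version { unsigned major, minor, patch; };

enum demo_change {
    DEMO_SAME,        /* identical Major.Minor.Patch */
    DEMO_PATCH,       /* fix-only update */
    DEMO_MINOR,       /* new functionality, API/ABI unchanged */
    DEMO_MAJOR,       /* API/ABI compatibility broken */
    DEMO_OLD_SCHEME   /* a pre-3.0 value: the rule does not apply */
};

/* Decode the 3.x layout 0xMNN00PP0; returns -1 for a pre-3.0 value,
 * which used a different layout (e.g. 1.1.1 is 0x1010100f). */
int demo_decode(unsigned long num, struct demo_version *v)
{
    v->major = (unsigned)((num >> 28) & 0xf);
    v->minor = (unsigned)((num >> 20) & 0xff);
    v->patch = (unsigned)((num >> 4) & 0xff);
    return v->major >= 3 ? 0 : -1;
}

/* Classify the difference between the headers a program was built
 * against and the library found at run time. */
enum demo_change demo_classify(unsigned long built, unsigned long loaded)
{
    struct demo_version b, l;
    if (demo_decode(built, &b) != 0 || demo_decode(loaded, &l) != 0)
        return DEMO_OLD_SCHEME;
    if (b.major != l.major) return DEMO_MAJOR;
    if (b.minor != l.minor) return DEMO_MINOR;
    if (b.patch != l.patch) return DEMO_PATCH;
    return DEMO_SAME;
}

int main(void)
{
    /* Constructed sample values, not read from a real installation. */
    static const unsigned long loaded[] = {
        0x30000000UL, 0x30000020UL, 0x30100000UL, 0x1010100fUL
    };
    static const char *names[] = { "same", "patch", "minor", "major", "old scheme" };
    for (size_t i = 0; i < sizeof loaded / sizeof loaded[0]; i++)
        printf("0x%08lx -> %s\n", loaded[i],
               names[demo_classify(0x30000000UL, loaded[i])]);
    return 0;
}
```

In a real program the two inputs would be the `OPENSSL_VERSION_NUMBER` macro from the headers and the value returned by `OpenSSL_version_num()` from the loaded library.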

The second important change for the project is the move from a dual license (OpenSSL and SSLeay) to the Apache 2.0 license. The previous OpenSSL license was based on the text of the legacy Apache 1.0 license and required an explicit mention of OpenSSL in advertising materials when the OpenSSL libraries were used, as well as a special notice if OpenSSL was supplied as part of a product. These requirements made the old license incompatible with the GPL, which made it difficult to use OpenSSL in GPL-licensed projects. To get around this incompatibility, GPL projects were forced to use specific license agreements in which the main GPL text was supplemented with a clause that permitted linking the application with the OpenSSL library and stated that the GPL requirements do not apply to linking with OpenSSL.

Compared to the OpenSSL 1.1.1 branch, OpenSSL 3.0.0 adds more than 7500 changes contributed by 350 developers. The main innovations in OpenSSL 3.0.0:

  • A new FIPS module has been introduced, including implementations of cryptographic algorithms that comply with the FIPS 140-2 security standard (the certification process for the module is scheduled to begin this month, and the FIPS 140-2 certificate is expected next year). The new module is much easier to use, and connecting it to many applications will be no harder than changing a configuration file. By default the FIPS module is disabled and requires the enable-fips option to be enabled.
  • libcrypto implements the concept of pluggable providers, which replaces the concept of engines (the ENGINE API has been removed). With providers you can add your own implementations of algorithms for operations such as encryption, decryption, key generation, MAC calculation, and the creation and verification of digital signatures. It is possible both to plug in new algorithms and to create alternative implementations of algorithms that are already supported (by default, the provider built into OpenSSL is now used for every algorithm).
  • Added support for the Certificate Management Protocol (RFC 4210), which can be used to request certificates from a CA server, update certificates, and revoke certificates. Work with CMP is done with the new openssl-cmp utility, which also supports the CRMF format (RFC 4211) and sending requests over HTTP/HTTPS (RFC 6712).
  • A full-featured client for the HTTP and HTTPS protocols has been implemented, supporting the GET and POST methods, request redirection, operation through a proxy, ASN.1 encoding, and timeout handling.
  • A new EVP_MAC (Message Authentication Code API) has been added to make it easier to add new MAC implementations.
  • A new programming interface for key derivation has been introduced, EVP_KDF (Key Derivation Function API), which simplifies adding new KDF and PRF implementations. The old EVP_PKEY API, through which the scrypt, TLS1 PRF and HKDF algorithms were available, has been reworked as a layer implemented on top of the EVP_KDF and EVP_MAC APIs.
  • The TLS protocol implementation can use the TLS client and server built into the Linux kernel to speed up operations. To enable the TLS implementation provided by the Linux kernel, you must enable the "SSL_OP_ENABLE_KTLS" option or the "enable-ktls" setting.
  • Added support for new algorithms:
    • The key derivation algorithms (KDF) "SINGLE STEP" and "SSH".
    • The message authentication code (MAC) algorithms "GMAC" and "KMAC".
    • The RSA key encapsulation algorithm (KEM) "RSASVE".
    • The encryption algorithm "AES-SIV" (RFC-8452).
    • Added calls to the EVP API with support for inverse ciphers that use the AES algorithm to encrypt keys (Key Wrap): "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and "AES-256-WRAP-PAD-INV".
    • Added support for ciphertext stealing (CTS) algorithms to the EVP API: "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS", "CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
    • Added support for CAdES-BES digital signatures (RFC 5126).
    • AES_GCM implements the AuthEnvelopedData parameter (RFC 5083) to allow encryption and decryption of messages that are authenticated and encrypted using AES GCM mode.
  • The PKCS7_get_octet_string and PKCS7_type_is_other functions have been added to the public API.
  • The PKCS#12 API replaces the default algorithms used in the PKCS12_create() function with PBKDF2 and AES, and uses the SHA-256 algorithm to compute the MAC. The "-legacy" option is provided to restore the previous behavior. A large number of new extended calls have been added for PKCS12_*_ex, PKCS5_*_ex and PKCS8_*_ex, such as PKCS12_add_key_ex(), PKCS12_create_ex() and PKCS12_decrypt_skey_ex().
  • For the Windows platform, support has been added for thread synchronization using the SRWLock mechanism.
  • A new tracing API has been added, enabled through the enable-trace parameter.
  • The range of keys supported by the EVP_PKEY_public_check() and EVP_PKEY_param_check() functions has been expanded: RSA, DSA, ED25519, X25519, ED448 and X448.
  • The RAND_DRBG subsystem has been removed and replaced by the EVP_RAND API. The FIPS_mode() and FIPS_mode_set() functions have been removed.
  • A significant part of the API has been deprecated: using the old calls in project code will produce warnings at compile time. This includes the low-level APIs tied to particular algorithm implementations (for example, AES_set_encrypt_key and AES_encrypt), which have been officially declared deprecated. Official support in OpenSSL 3.0.0 is now provided only for the high-level EVP APIs, which are abstracted from individual algorithm types (this API includes, for example, the EVP_EncryptInit_ex, EVP_EncryptUpdate and EVP_EncryptFinal functions). The deprecated APIs will be removed in one of the next major releases. Implementations of legacy algorithms such as MD2 and DES, available through the EVP API, have been moved to a separate "legacy" module, which is disabled by default.
  • The documentation and the test suite have been significantly expanded. Compared to the 1.1.1 branch, the volume of documentation has increased by 94%, and the size of the test suite code has increased by 54%.

source: budenet.ru
