Release of the OpenSSL 3.0.0 cryptographic library

After three years of development and 19 test releases, the OpenSSL 3.0.0 library has been released, with an implementation of the SSL/TLS protocols and various encryption algorithms. The new branch includes changes that break backward compatibility at the API and ABI level, but the changes will not affect the operation of most applications, which need to be rebuilt to migrate from OpenSSL 1.1.1. The previous OpenSSL 1.1.1 branch will be supported until September 2023.

The significant change in the version number is due to the switch to "Major.Minor.Patch" numbering. From now on, the first number (Major) will change only when compatibility is broken at the API/ABI level, and the second (Minor) will change when functionality is added without changing the API/ABI. Corrective updates will be delivered with a change to the third number (Patch). The number 3.0.0 immediately after 1.1.1 was chosen to avoid overlap with the FIPS module for OpenSSL that is currently under development, for which 2.x numbering was used.
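The numbering rules above, applied to triaging an inventory of installed versions, as an added example that is not part of the original article. Host names and banner strings are constructed sample data, and the exact end-of-support day is an assumption, since the article gives only the month.

```python
import re
from datetime import date

# The announcement says 1.1.1 is supported until September 2023; the exact
# day is not given there, so the last day of the month is an assumption.
EOL_1_1_1 = date(2023, 9, 30)
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse(text):
    """Extract (major, minor, patch, letter) from e.g. 'OpenSSL 1.1.1k  25 Mar 2021'."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def upgrade_impact(current, target):
    """Classify an upgrade with the Major.Minor.Patch rules that apply from 3.0.0."""
    cur, tgt = parse(current), parse(target)
    if tgt <= cur:
        return "none"
    if cur[0] != tgt[0]:
        return "api-abi-break"       # first number changed: rebuild and retest
    if cur[0] < 3:
        return "pre-3.0-numbering"   # old scheme: the new rules do not apply
    if cur[1] != tgt[1]:
        return "feature-release"     # functionality added, API/ABI unchanged
    return "patch-release"           # corrective update only

def triage(inventory, target, today):
    """Return one row per host: (host, version, impact, past_1_1_1_support)."""
    rows = []
    for host, banner in sorted(inventory.items()):
        major, minor, patch, letter = parse(banner)
        on_1_1_1 = (major, minor, patch) == (1, 1, 1)
        rows.append((host, f"{major}.{minor}.{patch}{letter}",
                     upgrade_impact(banner, target),
                     on_1_1_1 and today > EOL_1_1_1))
    return rows

# Constructed inventory: host names and banners are sample data.
INVENTORY = {
    "web-01": "OpenSSL 1.1.1k  25 Mar 2021",
    "vpn-02": "OpenSSL 3.0.0 7 sep 2021",
    "ci-03": "OpenSSL 1.1.0l",
}

if __name__ == "__main__":
    for row in triage(INVENTORY, "3.0.0", date(2023, 10, 1)):
        print(row)
```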

The second important change for the project is the move from a dual license (OpenSSL and SSLeay) to the Apache 2.0 license. The previous OpenSSL license was based on the text of the Apache 1.0 license and required explicit mention of OpenSSL in advertising materials when using the OpenSSL libraries, as well as a special notice if OpenSSL was supplied as part of a product. These requirements made the old license incompatible with the GPL, which made it difficult to use OpenSSL in GPL-licensed projects. To get around this incompatibility, GPL projects were forced to use specific license agreements in which the main text of the GPL was supplemented with a clause that explicitly permitted linking the application with the OpenSSL library and stated that the requirements of the GPL do not apply to linking with OpenSSL.

Compared with the OpenSSL 1.1.1 branch, OpenSSL 3.0.0 adds more than 7500 changes contributed by 350 developers. Main innovations of OpenSSL 3.0.0:

  • A new FIPS module has been proposed, including an implementation of cryptographic algorithms that comply with the FIPS 140-2 security standard (the certification process for the module is scheduled to begin this month, and the FIPS 140-2 certificate is expected next year). The new module is much easier to use, and connecting it to many applications will be no more difficult than changing the configuration file. By default, the FIPS module is disabled and requires the enable-fips option to be enabled.
  • libcrypto implements the concept of pluggable providers, which replaces the concept of engines (the ENGINE API has been deprecated). With providers, you can add your own implementations of algorithms for operations such as encryption, decryption, key generation, MAC calculation, and creating and verifying digital signatures. It is possible both to plug in new algorithms and to create alternative implementations of already supported algorithms (by default, the provider built into OpenSSL is now used for every algorithm).
  • Added support for the Certificate Management Protocol (RFC 4210), which can be used to request certificates from a CA server, update certificates, and revoke certificates. Work with CMP is done using the new openssl-cmp utility, which also supports the CRMF format (RFC 4211) and sending requests over HTTP/HTTPS (RFC 6712).
  • A full-fledged client for the HTTP and HTTPS protocols has been implemented, supporting the GET and POST methods, request redirection, operation through a proxy, ASN.1 encoding and timeout handling.
  • A new EVP_MAC (Message Authentication Code API) has been added to make it easier to add new implementations of message authentication codes.
  • A new programming interface for key derivation is offered, EVP_KDF (Key Derivation Function API), which simplifies adding new implementations of KDFs and PRFs. The old EVP_PKEY API, through which the scrypt, TLS1 PRF and HKDF algorithms were available, has been reworked as a layer implemented on top of the EVP_KDF and EVP_MAC APIs.
  • The TLS protocol implementation provides the ability to use the TLS client and server built into the Linux kernel to speed up operations. To enable the TLS implementation provided by the Linux kernel, you must enable the "SSL_OP_ENABLE_KTLS" option or the "enable-ktls" setting.
  • Added support for new algorithms:
    • Key derivation algorithms (KDF) "SINGLE STEP" and "SSH".
    • Message authentication code (MAC) algorithms "GMAC" and "KMAC".
    • RSA key encapsulation algorithm (KEM) "RSASVE".
    • Encryption algorithm "AES-SIV" (RFC-8452).
    • Added calls to the EVP API with support for inverse ciphers that use the AES algorithm to encrypt keys (Key Wrap): "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and "AES-256-WRAP-PAD-INV".
    • Added support for ciphertext stealing (CTS) algorithms to the EVP API: "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS", "CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
    • Added support for CAdES-BES digital signatures (RFC 5126).
    • AES_GCM implements the AuthEnvelopedData (RFC 5083) parameter to enable encryption and decryption of messages that are authenticated and encrypted using AES GCM mode.
  • The PKCS7_get_octet_string and PKCS7_type_is_other functions have been added to the public API.
  • The PKCS#12 API replaces the default algorithms used in the PKCS12_create() function with PBKDF2 and AES, and uses the SHA-256 algorithm to calculate the MAC. To restore the previous behaviour, the "-legacy" option is provided. A large number of new extended calls have been added to PKCS12_*_ex, PKCS5_*_ex and PKCS8_*_ex, such as PKCS12_add_key_ex(), PKCS12_create_ex() and PKCS12_decrypt_skey_ex().
  • For the Windows platform, support for thread synchronization using the SRWLock mechanism has been added.
  • Added a new tracing API, enabled via the enable-trace parameter.
  • The range of keys supported in the EVP_PKEY_public_check() and EVP_PKEY_param_check() functions has been expanded: RSA, DSA, ED25519, X25519, ED448 and X448.
  • The RAND_DRBG subsystem has been removed, replaced by the EVP_RAND API. The FIPS_mode() and FIPS_mode_set() functions have been removed.
  • A significant part of the API has been deprecated: using deprecated calls in project code will cause warnings at compile time. This includes the low-level APIs tied to specific algorithm implementations (for example, AES_set_encrypt_key and AES_encrypt), which have been declared deprecated. Support in OpenSSL 3.0.0 is now provided only for the high-level EVP APIs, which are abstracted from individual algorithm types (this API includes, for example, the EVP_EncryptInit_ex, EVP_EncryptUpdate and EVP_EncryptFinal functions). Deprecated APIs will be removed in one of the next major releases. Implementations of legacy algorithms such as MD2 and DES, available through the EVP API, have been moved to a separate "legacy" module, which is disabled by default.
  • The documentation and the test suite have been significantly expanded. Compared with the 1.1.1 branch, the volume of documentation has grown by 94%, and the size of the test suite code has grown by 54%.

Source: opennet.ru