ProHoster > Блог > ozi ịntanetị > MepeeSSL 3.0.0 Mwepụta Ọbá akwụkwọ Cryptographic

MepeeSSL 3.0.0 Mwepụta Ọbá akwụkwọ Cryptographic

Mgbe afọ atọ nke mmepe na mwepụta ule 19 gasịrị, ewepụtara ọbá akwụkwọ OpenSSL 3.0.0 na mmejuputa ụkpụrụ SSL/TLS yana algorithms nzuzo dị iche iche. Alaka ọhụrụ ahụ gụnyere mgbanwe ndị na-agbaji ndakọrịta azụ na ọkwa API na ABI, mana mgbanwe ndị ahụ agaghị emetụta ọrụ nke ọtụtụ ngwa chọrọ nrụgharị iji si na OpenSSL 1.1.1 kwaga. A ga-akwado ngalaba mbụ nke OpenSSL 1.1.1 ruo Septemba 2023.

Mgbanwe dị ịrịba ama na ọnụọgụ ụdị bụ n'ihi mgbanwe na ọnụọgụ "Major.Minor.Patch" omenala. Site ugbu a gaa n'ihu, ọnụọgụ mbụ (Major) na nọmba ụdị ga-agbanwe naanị ma ọ bụrụ na agbajikwa ndakọrịta na ọkwa API / ABI, na nke abụọ (Obere) ga-agbanwe mgbe arụ ọrụ na-abawanye na-enweghị ịgbanwe API / ABI. A ga-ebunye mmelite mmezi site na mgbanwe gaa na nkeji atọ (Patch). Nọmba 3.0.0 ozugbo ahọpụtara 1.1.1 iji zere ndakọrịta na modul FIPS dị ugbu a maka OpenSSL, nke ejiri nọmba 2.x mee ihe.

Mgbanwe nke abụọ dị mkpa maka ọrụ ahụ bụ mgbanwe site na ikikere abụọ (OpenSSL na SSLeay) gaa na ikike Apache 2.0. Ikikere OpenSSL mbụ nwere dabere na ederede nke ikike Apache 1.0 nke ketara wee chọọ ka akpọpụta OpenSSL n'ụzọ doro anya na ngwa ahịa mgbe ị na-eji ọba akwụkwọ OpenSSL, yana ọkwa pụrụ iche ma ọ bụrụ na enyere OpenSSL dịka akụkụ nke ngwaahịa ahụ. Ihe ndị a chọrọ mere ka akwụkwọ ikike ochie ghara ikwekọ na GPL, na-eme ka o sie ike iji OpenSSL na ọrụ ikikere GPL. Iji nweta gburugburu ndakọrịtaghị nke a, a manyere ọrụ GPL iji nkwekọrịta ikike ụfọdụ nke etinyere isi ederede GPL na nkebi nke kwere ka ejikọta ngwa ahụ na ọbá akwụkwọ OpenSSL ma kwuo na ihe GPL chọrọ emeghị. tinye maka ijikọ na OpenSSL.

Tụnyere alaka OpenSSL 1.1.1, OpenSSL 3.0.0 gbakwunyere karịa mgbanwe 7500 nke ndị mmepe 350 nyere aka. Isi ihe ọhụrụ nke OpenSSL 3.0.0:

  • A tụpụtara modul FIPS ọhụrụ, gụnyere mmejuputa algọridim nke cryptographic nke na-agbaso ụkpụrụ nchekwa FIPS 140-2 (usoro asambodo maka modul ahụ ga-amalite n'ọnwa a, na-atụ anya asambodo FIPS 140-2 n'afọ ọzọ). Modul ọhụrụ ahụ dị mfe iji na ijikọ ya na ọtụtụ ngwa agaghị adị ike karịa ịgbanwe faịlụ nhazi. Site na ndabara, modul FIPS nwere nkwarụ na-achọ ka emee ka emee-fips nhọrọ.
  • libcrypto na-emejuputa echiche nke ndị na-enye pluggable, bụ nke dochie anya echiche nke engines (ENGINE API e deprecated). Site n'enyemaka nke ndị na-enye ọrụ, ị nwere ike ịgbakwunye mmejuputa nke algorithms nke gị maka ọrụ ndị dị ka izo ya ezo, decryption, isi ọgbọ, mgbako MAC, ịmepụta na nkwenye nke mbinye aka dijitalụ. Ọ ga-ekwe omume ijikọ ndị ọhụrụ ma mepụta mmemme ọzọ nke algọridim akwadoro (site na ndabara, a na-eji onye na-eweta n'ime OpenSSL ugbu a maka algọridim ọ bụla).
  • Nkwado agbakwunyere maka Asambodo Management Protocol (RFC 4210), nke enwere ike iji rịọ asambodo sitere na sava ca, nwelite asambodo, na kagbuo asambodo. A na-arụ ọrụ na CMP site na iji ngwa openssl-cmp ọhụrụ, nke na-akwado usoro CRMF (RFC 4211) na izipu arịrịọ site na HTTP/HTTPS (RFC 6712).
  • E mejuputara onye ahịa zuru oke maka usoro HTTP na HTTPS, na-akwado usoro GET na POST, rịọ redirection, na-arụ ọrụ site na proxy, ASN.1 encoding na nhazi oge.
  • Egbakwunyela EVP_MAC ọhụrụ (koodu API) iji mee ka ọ dị mfe ịgbakwunye mmejuputa mmejuputa iwu ọhụrụ nke ntinye mock.
  • A na-atụpụta interface ngwanrọ ọhụrụ maka iwepụta igodo - EVP_KDF (Key Derivation Function API), nke na-eme ka mgbakwunye nke mmemme ọhụrụ nke KDF na PRF dị mfe. EVP_PKEY API ochie, nke scrypt, TLS1 PRF na HKDF algọridim dị, ka edegharịrị n'ụdị oyi akwa etinyere n'elu EVP_KDF na EVP_MAC API.
  • Mmejuputa iwu TLS na-enye ikike iji onye ahịa TLS na ihe nkesa arụnyere n'ime kernel Linux iji mee ka ọrụ dị ngwa. Iji mee ka mmejuputa TLS nke Linux kernel nyere, ị ga-emerịrị nhọrọ "SSL_OP_ENABLE_KTLS" ma ọ bụ ntọala "enable-ktls".
  • Nkwado agbakwunyere maka algọridim ọhụrụ:
    • Algọridim ndị isi ọgbọ (KDF) bụ "OTU STEP" na "SSH".
    • Algọridim ntinye ihe atụpụtara (MAC) bụ “GMAC” na “KMAC”.
    • Algorithm Key Encapsulation Algorithm (KEM) "RSASVE".
    • Algọridim nzuzo "AES-SIV" (RFC-8452).
    • Oku agbakwunyere na EVP API nke na-akwado ciphers ntụgharị site na iji AES algọridim iji zoo igodo (Key Wrap): "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP-INV" " , "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" na "AES-256-WRAP-PAD-INV".
    • Nkwado agbakwunyere maka algọridim ciphertext borrowing (CTS) na EVP API: "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS", "CAMELLIA-128-CBC -CTS", "CAMELLIA-192-CBC-CTS" na "CAMELLIA-256-CBC-CTS".
    • Nkwado agbakwunyere maka mbinye aka dijitalụ CAdES-BES (RFC 5126).
    • AES_GCM na-emejuputa AuthEnvelopedData (RFC 5083) paramita iji mee ka izo ya ezo na decryption ozi enwetara na ezoro ezo site na iji ụdị AES GCM.
  • Agbakwunyela PKCS7_get_octet_string na PKCS7_type_is_ọrụ ndị ọzọ na API ọha.
  • PKCS#12 API nọchiri algọridim ndabara ejiri na PKCS12_create() ọrụ na PBKDF2 na AES, wee jiri SHA-256 algọridim gbakọọ MAC. Iji weghachi omume gara aga, a na-enye nhọrọ "-legacy". Agbakwunyere ọnụ ọgụgụ dị ukwuu nke oku agbatịkwu ọhụrụ na PKCS12_*_ex, PKCS5_*_ex na PKCS8_*_ex, dị ka PKCS12_add_key_ex() .PKCS12_create_ex() na PKCS12_decrypt_skey_ex().
  • Maka ikpo okwu Windows, agbakwunyela nkwado maka mmekọrịta eri na iji usoro SRWLock.
  • Etinyere API nchụso ọhụrụ, enyere ya aka site na njiri ike-trace.
  • Agbasawanye igodo igodo akwadoro na ọrụ EVP_PKEY_public_check() na EVP_PKEY_param_check(): RSA, DSA, ED25519, X25519, ED448 na X448.
  • Ewepụla sistemụ RAND_DRBG, jiri EVP_RAND API dochie ya. Ewepụla ọrụ FIPS_mode() na FIPS_mode_set().
  • Otu akụkụ dị ịrịba ama nke API emewo ka ọ gharazie ike - iji oku emechabeghị eme na koodu oru ngo ga-ebute ịdọ aka ná ntị n'oge nchịkọta. Gụnyere API ndị dị ala ejirila ụfọdụ mmejuputa algọridim (dịka ọmụmaatụ, AES_set_encrypt_key na AES_encrypt) ekwuputala na ha agaghịzi adị. Nkwado gọọmentị na OpenSSL 3.0.0 bụ naanị maka API EVP dị elu ewepụtara site na ụdị algọridim n'otu n'otu ( API a gụnyere, dịka ọmụmaatụ, EVP_EncryptInit_ex, EVP_EncryptUpdate, na ọrụ EVP_EncryptFinal). A ga-ewepụ API ndị kwụsịrị n'otu n'ime mwepụta ndị na-esote. Mmejuputa algọridim dị ka MD2 na DES, nke dị site na API EVP, ebugharịla na modul "ihe nketa" dị iche, nke nwere nkwarụ na ndabara.
  • Agbasawanyela akwụkwọ na ụlọ nyocha nke ọma. E jiri ya tụnyere alaka 1.1.1, ọnụ ọgụgụ akwụkwọ abawanyela site na 94%, na ọnụ ọgụgụ nke koodu ụlọ nyocha abawanyela site na 54%.

isi: opennet.ru

Tinye a comment