Pulogalamu ya ProHoster > Blog > nkhani zapaintaneti > Kutulutsidwa kwa laibulale yachinsinsi ya OpenSSL 3.0.0

Kutulutsidwa kwa laibulale yachinsinsi ya OpenSSL 3.0.0

Pambuyo pazaka zitatu zachitukuko ndi kutulutsidwa kwa mayeso 19, laibulale ya OpenSSL 3.0.0 idatulutsidwa ndikukhazikitsa ma protocol a SSL/TLS ndi ma algorithms osiyanasiyana obisa. Nthambi yatsopanoyi ikuphatikizapo zosintha zomwe zimaphwanya kugwirizanitsa mmbuyo pa mlingo wa API ndi ABI, koma kusintha sikudzakhudza ntchito ya mapulogalamu ambiri omwe amafunikira kumangidwanso kuti asamuke kuchokera ku OpenSSL 1.1.1. Nthambi yam'mbuyomu ya OpenSSL 1.1.1 idzathandizidwa mpaka Seputembara 2023.

Kusintha kwakukulu mu nambala yamtunduwu ndi chifukwa cha kusintha kwa chiwerengero cha "Major.Minor.Patch". Kuyambira tsopano, chiwerengero choyamba (Chachikulu) mu chiwerengero cha Baibulo chidzasintha pokhapokha ngati kugwirizanitsa kuphwanyidwa pa mlingo wa API / ABI, ndipo chachiwiri (Minor) chidzasintha pamene ntchito ikuwonjezeka popanda kusintha API / ABI. Zosintha zowongolera zidzaperekedwa ndikusintha kwa manambala achitatu (Patch). Nambala 3.0.0 mwamsanga pambuyo pa 1.1.1 inasankhidwa kuti ipewe kuphatikizika ndi module ya FIPS yomwe ikukula pa OpenSSL, yomwe manambala a 2.x anagwiritsidwa ntchito.

Kusintha kwachiwiri kofunikira kwa polojekitiyi kunali kusintha kuchokera ku chilolezo chapawiri (OpenSSL ndi SSLeay) kupita ku chilolezo cha Apache 2.0. Layisensi yam'mbuyomu ya OpenSSL idatengera zolemba za chilolezo cha Apache 1.0 ndipo idafunikira kutchulidwa momveka bwino za OpenSSL pazotsatsa mukamagwiritsa ntchito malaibulale a OpenSSL, komanso chidziwitso chapadera ngati OpenSSL idaperekedwa ngati gawo lazogulitsa. Zofunikira izi zidapangitsa kuti laisensi yakaleyo isagwirizane ndi GPL, zomwe zimapangitsa kuti zikhale zovuta kugwiritsa ntchito OpenSSL m'mapulojekiti omwe ali ndi chilolezo cha GPL. Kuti athane ndi kusagwirizanaku, mapulojekiti a GPL adakakamizika kugwiritsa ntchito mapangano a laisensi omwe mawu akulu a GPL adawonjezeredwa ndi ndime yomwe idalola kuti pulogalamuyi ikhale yolumikizidwa ndi laibulale ya OpenSSL ndipo idanenanso kuti zofunikira za GPL sizinatero. gwiritsani ntchito kulumikizana ndi OpenSSL.

Poyerekeza ndi nthambi ya OpenSSL 1.1.1, OpenSSL 3.0.0 idawonjezera zosintha zopitilira 7500 zoperekedwa ndi opanga 350. Zatsopano zazikulu za OpenSSL 3.0.0:

  • Njira yatsopano ya FIPS yaperekedwa, kuphatikizapo kukhazikitsidwa kwa ndondomeko ya cryptographic algorithms yomwe ikugwirizana ndi chitetezo cha FIPS 140-2 (ndondomeko ya certification ya gawoli iyamba mwezi uno, ndipo chitsimikiziro cha FIPS 140-2 chikuyembekezeka chaka chamawa). Gawo latsopanoli ndilosavuta kugwiritsa ntchito ndikulilumikiza ku mapulogalamu ambiri sikudzakhala kovuta kuposa kusintha fayilo yosinthira. Mwachikhazikitso, gawo la FIPS limayimitsidwa ndipo limafuna kuti mafips azitha kuyatsidwa.
  • libcrypto imagwiritsa ntchito lingaliro la operekera pluggable, omwe adalowa m'malo mwa lingaliro la injini (ENGINE API yachotsedwa). Mothandizidwa ndi opereka, mutha kuwonjezera ma aligorivimu anu pamachitidwe monga encryption, decryption, m'badwo wofunikira, kuwerengera kwa MAC, kupanga ndi kutsimikizira siginecha ya digito. Ndizotheka kulumikiza zatsopano ndikupanga njira zina zama algorithms omwe adathandizidwa kale (mwachisawawa, wopereka womangidwa mu OpenSSL tsopano amagwiritsidwa ntchito pa aligorivimu iliyonse).
  • Thandizo lowonjezera la Certificate Management Protocol (RFC 4210), lomwe lingagwiritsidwe ntchito popempha ziphaso kuchokera ku seva ya CA, ziphaso zosintha, ndi kuchotsa ziphaso. Kugwira ntchito ndi CMP kumachitika pogwiritsa ntchito pulogalamu yatsopano ya openssl-cmp, yomwe imathandiziranso mawonekedwe a CRMF (RFC 4211) ndikutumiza zopempha kudzera pa HTTP/HTTPS (RFC 6712).
  • Makasitomala athunthu a ma protocol a HTTP ndi HTTPS akhazikitsidwa, kuthandizira njira za GET ndi POST, kupempha kutumizidwanso, kugwira ntchito kudzera mu proxy, ASN.1 encoding ndi kukonza nthawi.
  • EVP_MAC yatsopano (Message Authentication Code API) yawonjezedwa kuti zikhale zosavuta kuwonjezera kukhazikitsa kwatsopano kwa zoyika moseketsa.
  • Pulogalamu yatsopano yopangira makiyi ikuperekedwa - EVP_KDF (Key Derivation Function API), yomwe imathandizira kuwonjezera kukhazikitsidwa kwatsopano kwa KDF ndi PRF. API yakale ya EVP_PKEY, yomwe ma scrypt, TLS1 PRF ndi HKDF ma algorithms analipo, yakonzedwanso ngati gawo lomwe likugwiritsidwa ntchito pamwamba pa EVP_KDF ndi EVP_MAC API.
  • Kukhazikitsidwa kwa protocol ya TLS kumapereka mwayi wogwiritsa ntchito kasitomala wa TLS ndi seva yomangidwa mu Linux kernel kuti ntchitoyo ifulumire. Kuti mutsegule TLS yoperekedwa ndi Linux kernel, muyenera kuyatsa "SSL_OP_ENABLE_KTLS" kapena "enable-ktls" zochunira.
  • Zowonjezera zothandizira ma algorithms atsopano:
    • Key generation algorithms (KDF) ndi "SINGLE STEP" ndi "SSH".
    • Ma algorithms oyeserera (MAC) ndi "GMAC" ndi "KMAC".
    • RSA Key Encapsulation Algorithm (KEM) "RSASVE".
    • Algorithm yachinsinsi "AES-SIV" (RFC-8452).
    • Mafoni owonjezera ku EVP API mothandizidwa ndi ma ciphers osinthira pogwiritsa ntchito algorithm ya AES kubisa makiyi (Key Wrap): "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP- INV” , "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" ndi "AES-256-WRAP-PAD-INV".
    • Kuwonjezedwa kwa ma algorithms a ciphertext borrowing (CTS) ku EVP API: “AES-128-CBC-CTS”, “AES-192-CBC-CTS”, “AES-256-CBC-CTS”, “CAMELLIA-128-CBC -CTS” ", "CAMELLIA-192-CBC-CTS" ndi "CAMELLIA-256-CBC-CTS".
    • Thandizo lowonjezera la ma signature a digito a CAdES-BES (RFC 5126).
    • AES_GCM imagwiritsa ntchito gawo la AuthEnvelopedData (RFC 5083) kuti athe kubisa ndi kumasulira mauthenga otsimikizika ndi kusungidwa pogwiritsa ntchito njira ya AES GCM.
  • PKCS7_get_octet_string ndi PKCS7_type_is_zina ntchito zawonjezedwa ku API ya anthu onse.
  • PKCS#12 API imalowa m'malo mwa ma aligorivimu osasinthika omwe amagwiritsidwa ntchito mu PKCS12_create() ntchito ndi PBKDF2 ndi AES, ndipo amagwiritsa ntchito algorithm ya SHA-256 kuwerengera MAC. Kubwezeretsa machitidwe akale, njira ya "-legacy" imaperekedwa. Onjezani mafoni owonjezera atsopano ku PKCS12_*_ex, PKCS5_*_ex ndi PKCS8_*_ex, monga PKCS12_add_key_ex().PKCS12_create_ex() ndi PKCS12_decrypt_skey_ex().
  • Pa nsanja ya Windows, chithandizo cholumikizira ulusi pogwiritsa ntchito makina a SRWLock awonjezedwa.
  • Onjezani API yatsopano yolondolera, yoyatsidwa kudzera pagawo lothandizira.
  • Makiyi osiyanasiyana omwe amathandizidwa muzochita za EVP_PKEY_public_check() ndi EVP_PKEY_param_check() awonjezedwa: RSA, DSA, ED25519, X25519, ED448 ndi X448.
  • Dongosolo laling'ono la RAND_DRBG lachotsedwa, m'malo mwake ndi EVP_RAND API. Ntchito za FIPS_mode() ndi FIPS_mode_set() zachotsedwa.
  • Gawo lalikulu la API lakhala lachikale - kugwiritsa ntchito mafoni osatha mu code ya polojekiti kumabweretsa machenjezo pakuphatikiza. Kuphatikizira ma API apansi olumikizidwa ndi kukhazikitsidwa kwa ma aligorivimu (mwachitsanzo, AES_set_encrypt_key ndi AES_encrypt) zanenedwa kuti sizinagwiritsidwe ntchito. Thandizo lovomerezeka mu OpenSSL 3.0.0 tsopano likungoperekedwa kwa ma EVP API apamwamba omwe amachotsedwa ku mitundu ya algorithm (API iyi imaphatikizapo, mwachitsanzo, EVP_EncryptInit_ex, EVP_EncryptUpdate, ndi EVP_EncryptFinal ntchito). Ma API osiyidwa adzachotsedwa mu imodzi mwazotulutsa zazikulu zotsatirazi. Kukhazikitsidwa kwa ma aligorivimu akale monga MD2 ndi DES, omwe akupezeka kudzera mu EVP API, asunthidwa kupita ku gawo lina la "cholowa", lomwe limayimitsidwa mwachisawawa.
  • Zolemba ndi test suite zakulitsidwa kwambiri. Poyerekeza ndi nthambi 1.1.1, kuchuluka kwa zolemba zawonjezeka ndi 94%, ndipo kukula kwa test suite code kwawonjezeka ndi 54%.

Source: opennet.ru

Kuwonjezera ndemanga