ProHoster > Blog > internet nhau > OpenSSL 3.0.0 Cryptographic Library Kuburitswa

OpenSSL 3.0.0 Cryptographic Library Kuburitswa

Mushure memakore matatu ebudiriro uye gumi nemapfumbamwe kuburitswa kwebvunzo, raibhurari yeOpenSSL 19 yakaburitswa nekuitwa kweSSL/TLS protocol uye akasiyana encryption algorithms. Bazi idzva rinosanganisira shanduko dzinotyora kumashure kuenderana pachiyero cheAPI neABI, asi shanduko hadzizokanganisa kushanda kwezvikumbiro zvakawanda zvinoda kuvaka patsva kuti zvitame kubva kuOpenSSL 3.0.0. Bazi rekare reOpenSSL 1.1.1 richatsigirwa kusvika Gunyana 1.1.1.

Shanduko yakakosha munhamba yeshanduro imhaka yeshanduko kune yechinyakare "Major.Minor.Patch" manhamba. Kubva zvino zvichienda mberi, nhamba yekutanga (Makuru) munhamba yeshanduro ichachinja chete kana kuwirirana kwakaputsika pachiyero cheAPI / ABI, uye chechipiri (Minor) chichachinja kana kushanda kuchiwedzerwa pasina kuchinja API / ABI. Kugadzirisa zvigadziriso zvichaunzwa neshanduko kune yechitatu manhamba (Patch). Nhamba 3.0.0 pakarepo mushure me 1.1.1 yakasarudzwa kudzivirira kupindirana neiyo iri kuvandudzwa FIPS module yeOpenSSL, iyo yakashandiswa nhamba 2.x.

Yechipiri yakakosha shanduko yepurojekiti yaive shanduko kubva kune mbiri rezinesi (OpenSSL uye SSLeay) kuenda kune Apache 2.0 rezinesi. Rezinesi rekare reOpenSSL rainge rakavakirwa pamavara erezinesi reApache 1.0 uye raida kutaurwa pachena kweOpenSSL muzvinhu zvekushambadzira kana uchishandisa maraibhurari eOpenSSL, pamwe nechiziviso chakakosha kana OpenSSL yakapihwa sechikamu chechigadzirwa. Izvi zvinodikanwa zvakaita kuti rezinesi rekare risawirirane neGPL, zvichiita kuti zviome kushandisa OpenSSL mumapurojekiti ane rezinesi reGPL. Kuti titenderere nekusapindirana uku, mapurojekiti eGPL akamanikidzwa kushandisa zvibvumirano zverezinesi umo iwo manyoro makuru eGPL akawedzeredzwa nechirevo chaibvumira kuti chikumbiro chacho chibatanidzwe neraibhurari yeOpenSSL uye akataura kuti zvaidiwa neGPL hazvina. shandisa kubatanidza neOpenSSL.

Tichienzanisa nebazi reOpenSSL 1.1.1, OpenSSL 3.0.0 yakawedzera shanduko dzinopfuura zviuru zvinomwe nemazana mashanu dzakapihwa nevagadziri mazana matatu nemakumi mashanu. Hunhu hutsva hwe OpenSSL 7500:

  • A new FIPS module yakatsanangurwa, kusanganisira kuitiswa kwecryptographic algorithms inoenderana neFIPS 140-2 chengetedzo mwero (maitiro echitupa emodule akarongwa kutanga mwedzi uno, uye FIPS 140-2 certification inotarisirwa gore rinouya). Iyo module nyowani iri nyore kushandisa uye kuibatanidza kune akawanda maapplication hakuzove kwakaoma pane kushandura faira yekumisikidza. Nekumisikidza, iyo FIPS module yakadzimwa uye inoda iyo yekugonesa-fips sarudzo kuti igoneswe.
  • libcrypto inoshandisa pfungwa yevanopa pluggable, iyo yakatsiva pfungwa yeinjini (iyo ENGINE API yakabviswa). Nerubatsiro rwevanopa, unogona kuwedzera ako ega mashandisirwo ealgorithms ekuita senge encryption, decryption, kiyi chizvarwa, MAC kuverenga, kusikwa uye kuoneswa kwemasiginecha edhijitari. Izvo zvinogoneka kune ese ari maviri kubatanidza matsva uye kugadzira mamwe mashandisirwo eakatotsigirwa algorithms (nekuda, mupi akavakirwa muOpenSSL ave kushandiswa kune yega algorithm).
  • Yakawedzerwa rutsigiro rweSitifiketi Management Protocol (RFC 4210), iyo inogona kushandiswa kukumbira zvitupa kubva kuCA server, zvitupa zvekuvandudza, uye kudzosa zvitupa. Kushanda neCMP kunoitwa uchishandisa itsva openssl-cmp utility, iyo inotsigirawo CRMF fomati (RFC 4211) uye kutumira zvikumbiro kuburikidza neHTTP/HTTPS (RFC 6712).
  • Mutengi akazara weHTTP neHTTPS protocol akashandiswa, achitsigira nzira dzeGET nePOST, kukumbira redirection, kushanda kuburikidza neproxy, ASN.1 encoding uye timeout processing.
  • EVP_MAC itsva (Message Authentication Code API) yakawedzerwa kuti zvive nyore kuwedzera mashandisirwo matsva ekunyomba kuisa.
  • Iyo itsva software interface yekugadzira makiyi inotsanangurwa - EVP_KDF (Key Derivation Function API), iyo inorerutsa kuwedzera kwekushandisa kutsva kweKDF nePRF. Iyo yekare EVP_PKEY API, kuburikidza neiyo scrypt, TLS1 PRF neHKDF algorithms yaivepo, yakagadziridzwa muchimiro chedhiza rinoitwa pamusoro peEVP_KDF neEVP_MAC APIs.
  • Kuitwa kweTLS protocol kunopa kugona kushandisa mutengi weTLS uye sevha yakavakirwa muLinux kernel kuti ikurumidze kushanda. Kugonesa kuita kweTLS kunoitwa neLinux kernel, unofanira kugonesa "SSL_OP_ENABLE_KTLS" sarudzo kana "enable-ktls" kuseta.
  • Yakawedzera rutsigiro rwealgorithms nyowani:
    • Kiyi yechizvarwa algorithms (KDF) ndeye "SINGLE STEP" uye "SSH".
    • Simulated kuisa algorithms (MAC) ndeye "GMAC" uye "KMAC".
    • RSA Key Encapsulation Algorithm (KEM) "RSASVE".
    • Encryption algorithm "AES-SIV" (RFC-8452).
    • Yakawedzera mafoni kuEVP API nerutsigiro rwe inverse ciphers uchishandisa AES algorithm kuvharidzira makiyi (Key Wrap): "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP- INV” , "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" uye "AES-256-WRAP-PAD-INV".
    • Yakawedzerwa rutsigiro rwekukwereta kweciphertext (CTS) algorithms kuEVP API: β€œAES-128-CBC-CTS”, β€œAES-192-CBC-CTS”, β€œAES-256-CBC-CTS”, β€œCAMELLIA-128-CBC -CTS" "," CAMELLIA-192-CBC-CTS" uye "CAMELLIA-256-CBC-CTS".
    • Yakawedzerwa rutsigiro rweCADES-BES masaini edhijitari (RFC 5126).
    • AES_GCM inoshandisa iyo AuthEnvelopedData (RFC 5083) parameter kuti igone kuvharidzira uye kudhipfenyura kwemeseji yakasimbiswa uye yakavharidzirwa uchishandisa iyo AES GCM modhi.
  • Iyo PKCS7_get_octet_string uye PKCS7_type_is_mamwe mabasa akawedzerwa kune yeruzhinji API.
  • PKCS#12 API inotsiva maalgorithms ekutanga anoshandiswa muPKCS12_create() basa nePBKDF2 neAES, uye inoshandisa SHA-256 algorithm kuverenga MAC. Kudzoreredza maitiro apfuura, iyo "-legacy" sarudzo inopihwa. Yakawedzera nhamba huru yemafoni matsva akawedzerwa kuPKCS12_*_ex, PKCS5_*_ex uye PKCS8_*_ex, sePKCS12_add_key_ex().PKCS12_create_ex() uye PKCS12_decrypt_skey_ex().
  • YeWindows platform, tsigiro yekuwiriranisa tambo uchishandisa iyo SRWLock michina yakawedzerwa.
  • Yakawedzera API nyowani yekutsvaga, inogoneswa kuburikidza neiyo inogonesa-trace paramende.
  • Huwandu hwemakiyi anotsigirwa muEVP_PKEY_public_check() uye EVP_PKEY_param_check() mabasa awedzerwa: RSA, DSA, ED25519, X25519, ED448 uye X448.
  • Iyo RAND_DRBG subsystem yabviswa, yatsiviwa neEVP_RAND API. Iyo FIPS_mode() uye FIPS_mode_set() mabasa abviswa.
  • Chikamu chakakosha cheAPI chakaitwa kuti chisisashande - kushandisa nhare dzechinyakare mukodhi yeprojekiti kunozokonzera yambiro panguva yekubatanidza. Kusanganisira yakaderera-level APIs akasungirirwa kune mamwe mashandisirwo ealgorithms (semuenzaniso, AES_set_encrypt_key uye AES_encrypt) zvakanzi hazvichashandi. Tsigiro yepamutemo muOpenSSL 3.0.0 yave kungopihwa epamusoro-level EVP APIs akatorwa kubva kune ega algorithm marudzi (iyi API inosanganisira, semuenzaniso, EVP_EncryptInit_ex, EVP_EncryptUpdate, uye EVP_EncryptFinal mabasa). MaAPI akaregwa achabviswa mune imwe yeanotevera makuru ekuburitswa. Kuitwa kwenhaka algorithms seMD2 neDES, inowanikwa kuburikidza neEVP API, yakaendeswa kune yakaparadzana "legacy" module, iyo inovharwa nekusarudzika.
  • Zvinyorwa uye test suite zvakawedzerwa zvakanyanya. Kuenzaniswa nebazi 1.1.1, vhoriyamu yezvinyorwa yakawedzera ne94%, uye ukuru hwetest suite code yakawedzera ne54%.

Source: opennet.ru

Voeg