OpenSSL 3.0.0 Cryptographic Library Release

After three years of development and 19 test releases, the OpenSSL 3.0.0 library has been released, with an implementation of the SSL/TLS protocols and various encryption algorithms. The new branch includes changes that break backward compatibility at the API and ABI level, but these changes will not affect the operation of most applications, which need only a rebuild to migrate from OpenSSL 1.1.1. The previous branch, OpenSSL 1.1.1, will be supported until September 2023.

The significant change in the version number is due to the move to conventional "Major.Minor.Patch" numbering. From now on, the first number (Major) in the version will change only when compatibility is broken at the API/ABI level, and the second (Minor) will change when functionality is added without changing the API/ABI. Corrective updates will be delivered by changing the third number (Patch). The number 3.0.0 was chosen immediately after 1.1.1 to avoid collisions with the current FIPS module for OpenSSL, which used 2.x numbering.

The second important change for the project was the move from a dual license (OpenSSL and SSLeay) to the Apache 2.0 license. The previous OpenSSL-specific license was based on the text of the legacy Apache 1.0 license and required explicit mention of OpenSSL in marketing materials when using the OpenSSL libraries, as well as a special notice if OpenSSL was shipped as part of a product. These requirements made the old license incompatible with the GPL, which made it difficult to use OpenSSL in GPL-licensed projects. To work around this incompatibility, GPL projects were forced to use specific license agreements in which the main GPL text was supplemented with a clause explicitly allowing the application to be linked with the OpenSSL library and stating that the GPL requirements do not apply to linking with OpenSSL.

Compared with the OpenSSL 1.1.1 branch, OpenSSL 3.0.0 adds more than 7500 changes contributed by 350 developers. The main innovations in OpenSSL 3.0.0:

  • A new FIPS module has been proposed, including implementations of cryptographic algorithms that comply with the FIPS 140-2 security standard (the module's certification process is scheduled to begin this month, and the FIPS 140-2 certificate is expected next year). The new module is much easier to use, and connecting it to many applications will be no harder than changing a configuration file. By default the FIPS module is disabled and requires the enable-fips option to be turned on.
  • libcrypto implements the concept of pluggable providers, which replaces the concept of engines (the ENGINE API has been deprecated). With providers you can add your own implementations of algorithms for operations such as encryption, decryption, key generation, MAC computation, and the creation and verification of digital signatures. It is possible both to plug in new algorithms and to create alternative implementations of algorithms that are already supported (by default, the provider built into OpenSSL is now used for every algorithm).
  • Added support for the Certificate Management Protocol (RFC 4210), which can be used to request certificates from a CA server, update certificates and revoke certificates. Work with CMP is done through the new openssl-cmp utility, which also supports the CRMF format (RFC 4211) and sending requests over HTTP/HTTPS (RFC 6712).
  • A full-featured client for the HTTP and HTTPS protocols has been implemented, supporting the GET and POST methods, request redirection, operation through a proxy, ASN.1 encoding and timeout handling.
  • A new EVP_MAC (Message Authentication Code API) has been added to make it easier to add new implementations of message authentication codes.
  • A new programming interface for key generation has been proposed: EVP_KDF (Key Derivation Function API), which simplifies adding new implementations of KDF and PRF. The old EVP_PKEY API, through which the scrypt, TLS1 PRF and HKDF algorithms were available, has been redesigned as a layer implemented on top of the EVP_KDF and EVP_MAC APIs.
  • The TLS protocol implementation provides the ability to use the TLS client and server built into the Linux kernel to speed up operations. To enable the TLS implementation provided by the Linux kernel, you must enable the "SSL_OP_ENABLE_KTLS" option or the "enable-ktls" setting.
  • Added support for new algorithms:
    • Key derivation algorithms (KDF) "SINGLE STEP" and "SSH".
    • Message authentication code algorithms (MAC) "GMAC" and "KMAC".
    • RSA key encapsulation algorithm (KEM) "RSASVE".
    • Encryption algorithm "AES-SIV" (RFC-8452).
    • Calls added to the EVP API with support for inverse ciphers that use the AES algorithm for key wrapping (Key Wrap): "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and "AES-256-WRAP-PAD-INV".
    • Added support for ciphertext stealing (CTS) algorithms to the EVP API: "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS", "CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
    • Added support for CAdES-BES digital signatures (RFC 5126).
    • AES_GCM implements AuthEnvelopedData (RFC 5083) to enable encryption and decryption of messages that are authenticated and encrypted using AES GCM mode.
  • The PKCS7_get_octet_string and PKCS7_type_is_other functions have been added to the public API.
  • The PKCS#12 API changes the default algorithms used in the PKCS12_create() function to PBKDF2 and AES, and uses the SHA-256 algorithm to compute the MAC. To restore the previous behaviour, the "-legacy" option is provided. A large number of new extended calls have been added, PKCS12_*_ex, PKCS5_*_ex and PKCS8_*_ex, such as PKCS12_add_key_ex(), PKCS12_create_ex() and PKCS12_decrypt_skey_ex().
  • For the Windows platform, support for thread synchronization using the SRWLock mechanism has been added.
  • A new tracing API has been added, enabled with the enable-trace parameter.
  • The range of keys supported by the EVP_PKEY_public_check() and EVP_PKEY_param_check() functions has been extended: RSA, DSA, ED25519, X25519, ED448 and X448.
  • The RAND_DRBG subsystem has been removed and replaced by the EVP_RAND API. The FIPS_mode() and FIPS_mode_set() functions have been removed.
  • A significant part of the API has been marked as deprecated: using deprecated calls in project code will produce warnings during compilation. This includes the low-level APIs tied to particular algorithm implementations (for example, AES_set_encrypt_key and AES_encrypt), which have been officially declared deprecated. Official support in OpenSSL 3.0.0 is now provided only for the high-level EVP APIs, which are abstracted from individual algorithm types (this API includes, for example, the EVP_EncryptInit_ex, EVP_EncryptUpdate and EVP_EncryptFinal functions). The deprecated APIs will be removed in one of the next major releases. Implementations of legacy algorithms such as MD2 and DES, available through the EVP API, have been moved to a separate "legacy" module, which is disabled by default.
  • The documentation and test suite have been significantly expanded. Compared with the 1.1.1 branch, the volume of documentation has grown by 94%, and the size of the test suite code has grown by 54%.

Source: opennet.ru
