Release of the OpenSSL 3.0.0 Cryptographic Library

After three years of development and 19 test releases, the OpenSSL 3.0.0 library has been released, with an implementation of the SSL/TLS protocols and various encryption algorithms. The new branch includes changes that break backward compatibility at the API and ABI level, but the changes will not affect most applications, which need to be rebuilt to migrate from OpenSSL 1.1.1. The previous OpenSSL 1.1.1 branch will be supported until September 2023.

The large jump in the version number is due to the move to the traditional "Major.Minor.Patch" numbering. From now on, the first number (Major) in the version will change only if compatibility is broken at the API/ABI level, and the second (Minor) will change when functionality is added without changing the API/ABI. Corrective updates will be delivered with a change to the third number (Patch). The number 3.0.0 immediately after 1.1.1 was chosen to avoid overlapping with the FIPS module under development for OpenSSL, for which the 2.x numbering was used.
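The numbering rule above, applied to the integer form of the version, as an added example (not from the original article or the OpenSSL project). It assumes the layouts documented for the `OPENSSL_VERSION_NUMBER` macro; the function and enum names are hypothetical, and the sample values are constructed.

```c
#include <stdio.h>

/* Decoded version. For 1.1.1 and earlier, `patch` is the third number
 * (the "fix" level) and `letter` is the patch letter (a = 1 ... k = 11). */
struct ossl_version { unsigned major, minor, patch, letter; };

/* Decode an OPENSSL_VERSION_NUMBER-style integer.
 *   3.x layout:     0xMNN00PP0  (Major, Minor, Patch)
 *   pre-3.0 layout: 0xMNNFFPPS  (major, minor, fix, patch letter, status) */
struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0xf);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.patch  = (unsigned)((v >> (r.major >= 3 ? 4 : 12)) & 0xff);
    r.letter = r.major >= 3 ? 0 : (unsigned)((v >> 4) & 0xff);
    return r;
}

enum compat { COMPAT_OK, COMPAT_MISSING_FEATURES, COMPAT_ABI_BREAK };

/* Compare the version a program was built against with the library loaded
 * at run time, using the Major.Minor.Patch rule. Pre-3.0 releases predate
 * the rule; requiring the same major.minor for them is an assumption. */
enum compat ossl_compat(unsigned long built, unsigned long runtime)
{
    struct ossl_version b = ossl_decode(built), r = ossl_decode(runtime);
    if (b.major != r.major)
        return COMPAT_ABI_BREAK;           /* Major differs: API/ABI break */
    if (b.major < 3)
        return b.minor == r.minor ? COMPAT_OK : COMPAT_ABI_BREAK;
    return r.minor < b.minor ? COMPAT_MISSING_FEATURES : COMPAT_OK;
}

int main(void)
{
    /* Constructed sample values: 1.1.1k, 3.0.0 and 3.1.2. */
    unsigned long samples[] = { 0x101010bfUL, 0x30000000UL, 0x30100020UL };
    for (int i = 0; i < 3; i++) {
        struct ossl_version v = ossl_decode(samples[i]);
        printf("%u.%u.%u letter=%u compat=%d\n", v.major, v.minor, v.patch,
               v.letter, (int)ossl_compat(0x30000000UL, samples[i]));
    }
    return 0;
}
```

In a real program the build-time value is the `OPENSSL_VERSION_NUMBER` macro and the run-time value comes from `OpenSSL_version_num()`.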

The second important change for the project was the move from a dual license (OpenSSL and SSLeay) to the Apache 2.0 license. The previous OpenSSL license was based on the text of the Apache 1.0 license and required explicit mention of OpenSSL in advertising materials when the OpenSSL libraries were used, as well as a special notice if OpenSSL was supplied as part of a product. These requirements made the old license incompatible with the GPL, which made it difficult to use OpenSSL in GPL-licensed projects. To get around this incompatibility, GPL projects were forced to use special license agreements in which the main text of the GPL was supplemented with a clause explicitly allowing the application to be linked with the OpenSSL library and stating that the GPL requirements do not apply to linking with OpenSSL.

Compared with the OpenSSL 1.1.1 branch, OpenSSL 3.0.0 adds more than 7500 changes contributed by 350 developers. New features in OpenSSL 3.0.0:

  • A new FIPS module has been introduced, including implementations of cryptographic algorithms that comply with the FIPS 140-2 security standard (the certification process for this module is scheduled to begin this month, and the FIPS 140-2 certificate is expected next year). The new module is much easier to use, and connecting it to many applications will be no harder than changing a configuration file. By default, the FIPS module is disabled and requires the enable-fips option to be turned on.
  • libcrypto implements the concept of pluggable providers, which has replaced the concept of engines (the Engine API has been retired). With providers, you can add implementations of algorithms for operations such as encryption, decryption, key generation, MAC calculation, and creation and verification of digital signatures. It is possible both to plug in new algorithms and to create alternative implementations of algorithms that are already supported (by default, the provider built into OpenSSL is now used for every algorithm).
  • Added support for the Certificate Management Protocol (RFC 4210), which can be used to request certificates from a CA server, update certificates, and revoke certificates. Working with CMP is done with the new openssl-cmp utility, which supports the CRMF format (RFC 4211) and sending requests over HTTP/HTTPS (RFC 6712).
  • A full-featured client for the HTTP and HTTPS protocols has been implemented, supporting the GET and POST methods, request redirection, operation through a proxy, ASN.1 encoding and timeout handling.
  • Added a new EVP_MAC (Message Authentication Code API) to make it easier to add new MAC implementations.
  • A new programming interface for deriving keys has been introduced: EVP_KDF (Key Derivation Function API), which simplifies adding new KDF and PRF implementations. The old EVP_PKEY API, through which the scrypt, TLS1 PRF and HKDF algorithms were available, has been reworked as a layer implemented on top of the EVP_KDF and EVP_MAC APIs.
  • The TLS protocol implementation provides the ability to use the TLS client and server built into the Linux kernel to speed up operations. To enable the TLS implementation provided by the Linux kernel, you must enable the "SSL_OP_ENABLE_KTLS" option or the "enable-ktls" setting.
  • Added support for new algorithms:
    • Key derivation algorithms (KDF): "SINGLE STEP" and "SSH".
    • Message authentication codes (MAC): "GMAC" and "KMAC".
    • RSA Key Encapsulation Algorithm (KEM) "RSASVE".
    • Encryption algorithm "AES-SIV" (RFC-8452).
    • Added calls to the EVP API for ciphers that use the AES algorithm to wrap keys (Key Wrap): "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and "AES-256-WRAP-PAD-INV".
    • Added support for ciphertext stealing (CTS) algorithms to the EVP API: "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS", "CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
    • Added support for CAdES-BES digital signatures (RFC 5126).
    • AES_GCM implements the AuthEnvelopedData parameter (RFC 5083) to enable encryption and decryption of messages that are authenticated and encrypted using AES GCM mode.
  • The PKCS7_get_octet_string and PKCS7_type_is_other functions have been added to the public API.
  • The PKCS#12 API replaces the default algorithms used in the PKCS12_create() function with PBKDF2 and AES, and uses the SHA-256 algorithm to compute the MAC. To restore the previous behaviour, the "-legacy" option is provided. A large number of new extended calls have been added to PKCS12_*_ex, PKCS5_*_ex and PKCS8_*_ex, such as PKCS12_add_key_ex(), PKCS12_create_ex() and PKCS12_decrypt_skey_ex().
  • For the Windows platform, support for thread synchronization using the SRWLock mechanism has been added.
  • Added a new tracing API, enabled with the enable-trace parameter.
  • The range of keys supported by the EVP_PKEY_public_check() and EVP_PKEY_param_check() functions has been extended: RSA, DSA, ED25519, X25519, ED448 and X448.
  • The RAND_DRBG interface has been removed and replaced by the EVP_RAND API. The FIPS_mode() and FIPS_mode_set() functions have been removed.
  • A significant part of the API has been deprecated: using deprecated calls in project code will produce warnings at compile time. This includes the low-level APIs tied to specific implementations of algorithms (for example, AES_set_encrypt_key and AES_encrypt), which have been officially declared deprecated. Official support in OpenSSL 3.0.0 is now provided only for the high-level EVP APIs, which abstract away from individual algorithm types (this API includes, for example, the EVP_EncryptInit_ex, EVP_EncryptUpdate and EVP_EncryptFinal functions). The deprecated APIs will be removed in one of the next major releases. Implementations of legacy algorithms such as MD2 and DES, available through the EVP API, have been moved to a separate "legacy" module, which is disabled by default.
  • The documentation and the test suite have been significantly expanded. Compared with the 1.1.1 branch, the volume of documentation has grown by 94%, and the size of the test suite code has grown by 54%.

Source: opennet.ru
