ProHoster > Ibhulogi > iindaba ze-intanethi > Ukukhutshwa kokuqala kokuphunyezwa kweprotocol ye-TLS 1.3 kwiJava kunye nee-algorithms ze-GOST ngokuhambelana ne-RFC 9367

Ukukhutshwa kokuqala kokuphunyezwa kweprotocol ye-TLS 1.3 kwiJava kunye nee-algorithms ze-GOST ngokuhambelana ne-RFC 9367

Imodyuli i-crypto-gost-tls13 iqulethe ukuphunyezwa I-TLS 1.3 (RFC 8446 + RFC 9367) nge-GOST cryptography. Olu khuphelo luyinguqulelo yokuqala yelayibrari kwaye lulungele ukusetyenziswa ngaphakathi.

Uphawu olukhethekileyo lwelayibrari kukusetyenziswa kwayo kweJava kuphela. Yonke imisebenzi ye-cryptographic yenziwa kusetyenziswa izixhobo zelayibrari ezakhelwe ngaphakathi, ngaphandle kokuxhomekeka kwangaphandle.

Le yenye yeendlela zokuqala zokusebenzisa i-TLS 1.3 ene-GOST kwiJava, ngoko ke uvavanyo lwe-interop lwenziwe kangangoko kunokwenzeka.

Apha ngezantsi kukho ubuchule bethala leencwadi.

  1. Iiprotokholi:
  • Ukuxhawulana ngesandla: epheleleyo (umthengi/umncedisi), emfutshane (i-PSK), i-mutual (mTLS).
  • I-ALPN (RFC 7301) - Ingxoxo yeProtokholi yoLuhlu lweSicelo (HTTP/2, HTTP/1.1).
  • I-SNI (RFC 6066) - Isalathiso segama umncedisi ukuthunyelwa kwabasebenzi abaninzi abaqeshisayo.
  • Uhlaziyo lweKeyUpdate (RFC 8446 §4.6.3) – ukuhlaziya amaqhosha okubethela ithrafikhi.
  • Iisuite zeCipher: TLS_KUZNYECHIK_MGM_STREEBOG_256_L/S.
  • I-ECDHE: I-CryptoPro-A (256-bit), i-CryptoPro-B (512-bit)
  • Ukutshintsha isitshixo se-TLSTREE ngerekhodi nganye — ukutshintsha isitshixo se-encryption kwirekhodi nganye ye-TLS.
  • Ukuqhekeka kunye nokuhlanganiswa kwakhona kwezandla kunye neerekhodi (RFC 8446 §5.1).
  • Ukuqalisa kwakhona kweseshoni: I-PSK ngeNewSessionTicket (i-PskStore ikwimemori, isetyenziswa kanye).
  • Ukudibanisa i-OCSP: umncedisi ifaka impendulo ye-OCSP kwisatifikethi.
  • Imiyalezo emva kokuxhawulana: I-NewSessionTicket (gcina i-PSK).
  1. Ukrozo:
  • Ishedyuli ephambili: HKDF-Streebog (RFC 5869) ngaphezulu kweTLS 1.3 (RFC 8446 §7.1).
  • Ukukhuselwa kwerekhodi: MGM-AEAD (Kuznyechik) kunye nonce ngokwe-RFC 8446 §5.3.
  • Amaqhosha exesha elifutshane ayacinywa emva kokusetyenziswa.
  1. Izatifikethi:
  • Ukuhlaziya i-X.509v3 (GOST R 34.10-2012) — i-DER parser eyakhelwe ngaphakathi.
  • Ikhonkco lokuqinisekisa: iisayinitsha, i-DN (umniki → umxholo), Izithintelo eziSisiseko, Ukusetyenziswa kweSisitshixo, Ukusetyenziswa kweSisitshixo * esoNgeziweyo (i-serverAuth / i-clientAuth), i-pathLen.
  • Ukujonga igama lomphathi: dNSName + iPAaddress (RFC 6125).
  • Ukuqinisekiswa kweempendulo ze-OCSP (RFC 6960).

4.Ezothutho:

  • Uthutho lweTlsport - ujongano.
  • I-InMemoryTlsTransport - kwiimvavanyo kunye neemeko zenkqubo enye (umgca wememori).
  • I-SocketTlsTransport — ivimba i-I/O ngaphezulu kwe-java.net.Socket.
  • I-ChannelTlsTransport - Uthutho olusekelwe kwi-NIO SocketChannel (imo yokuvimba, enokuphazanyiswa).
  1. Ukuxhawulana inyathelo ngenyathelo:
  • I-TlsHandshakeEngine yimatshini yesizwe yokuxhawulana (edityaniswe ne-I/O). Isebenzisa i-TlsSession njenge-orchestrator kwaye ifanelekile ukudityaniswa ne-JSSE (SSLEngine).
  1. I-ByteBuffer API:
  • I-TlsRecord.protect/unprotect — I-ByteBuffer igqithisa kakhulu ukuze kudityaniswe i-zero-copy ne-NIO. Izitshixo zokulayisha:
  • I-Pkcs12Loader — ifunda i-PFX (PKCS#12) nge-PBKDF2-HMAC-SHA256 + AES-256-CBC.
  1. Ukuphela kweseshoni:
  • vala_ukwazisa - lungisa ukuvala ngokwemigaqo.
  • Ukusula izinto ezibalulekileyo xa uvala okanye wenza impazamo.
  • Isilumkiso sokuphatha: esibulalayo - ukuvala kwangoko + ukucima.
  1. Ukhuseleko lokuphunyezwa:
  • Uthelekiso lwexesha eliqhelekileyo lwe-verify_data kunye nee-PSK binders (ukhuseleko ekuhlaselweni kwexesha)
  • Ukusula izinto ezingundoqo: tshabalalisa() kuzo zonke izinto ngeezitshixo (TlsKeySchedule, TlsTrafficKeys, TlsRecord, HandshakeContext), xa kuvalwa, lumkisa ngengozi, ngaphandle xa uxhawulana ngesandla
  • Ukhuseleko lwe-DoS: imida kubude betsheyini yesatifikethi (10), imiyalezo yasemva kokuxhawulana, ubungakanani berekhodi.
  • I-MGM nonce: I-MSB ye-byte yokuqala isusiwe kwi-ICN (RFC 9058 §3, RFC 9367 §3.3).
  • Isitshixo sabucala se-ECDHE kunye ne-handshake transcript ziyatshatyalaliswa emva kokuba i-handshake igqityiwe.
  • Izinto zesitshixo se-HMAC ziyacinywa emva kokusetyenziswa (HkdfStreebog, KdfGostR3411_2012_256).
  1. Imida:
  • I-PSK yokuqalisa kwakhona kuphela (i-0-RTT kunye ne-PSK yangaphandle azixhaswa).
  • Kuphela yi-psk_dhe_ke (i-PSK emsulwa ngaphandle kwe-ECDHE ayixhaswa).
  • I-HelloRetryRequest (RFC 8446 §4.1.4) ayixhaswa - kusetyenziswa iqela elinye kuphela elibizwa ngegama (i-GC256A ngokuzenzekelayo).
  • I-GOST kuphela (ii-cipher suites ezingezizo ze-GOST azixhaswa).
  1. Uvavanyo:
  • Ithala leencwadi liqulathe iiMvavanyo zeeMpendulo eziKnown ezivela kwi-RFC 9367 Appendix A.1 (iinguqulelo ze-L kunye ne-S)—ishedyuli epheleleyo yesitshixo, i-TLSTREE, i-AEAD, kunye ne-ECDHE. Ikwadlula uluhlu olupheleleyo lweemvavanyo ze-KAT.
  • Uvavanyo olu-4 lokudibanisa (self-interop) ngokusebenzisa iisokhethi zeTCP zokwenyani.
  • Uvavanyo lweFuzz lwabahlalutyi: I-TlsMessageParser (iindlela ezi-8), i-TlsDerParser (iindlela ezi-3), i-TlsOcspVerifier (indlela e-1), ukuqinisekisa ukhuseleko kunye nokunciphisa i-vector yokuhlasela kubahlalutyi.
  1. Izisombululo zoyilo:
  • I-TlsHandshakeEngine - umatshini wesimo ohlukaniswe kwi-I/O (kwimodyuli ye-JSSE yexesha elizayo).
  • Ukugqithisa kweByteBuffer kweTlsRecord.protect/unprotect kwi-NIO/JSSE.
  • I-TLSTREE cache (TlsTreeCache) - ukubalwa kwakhona kwamanqanaba atshintshiweyo kuphela (RFC 9367).
  • I-InMemoryTlsTransport.Pair sisibini esisebenza kwicala elinye sovavanyo kunye nonxibelelwano lwenkqubo enye.

Ithala leencwadi lisasazwa phantsi kwelayisenisi yasimahla.

umthombo: linux.org.ru

Thenga ukusingathwa okuthembekileyo kwiindawo ezinokhuseleko lweDDoS, iiseva zeVPS VDS 🔥 Thenga ukusingathwa kwewebhusayithi okuthembekileyo ngokhuseleko lwe-DDoS, iiseva zeVPS VDS | ProHoster