OpenSSL 3.0.0 Cryptographic Library Release

After three years of development and 19 test releases, the OpenSSL 3.0.0 library has been released, with an implementation of the SSL/TLS protocols and various encryption algorithms. The new branch includes changes that break backward compatibility at the API and ABI level, but the changes will not affect the operation of most applications, which need to be rebuilt to migrate from OpenSSL 1.1.1. The previous OpenSSL 1.1.1 branch will be supported until September 2023.

The significant jump in the version number is due to the switch to the traditional "Major.Minor.Patch" numbering. From now on, the first digit (Major) of the version number will change only if compatibility is broken at the API/ABI level, and the second (Minor) will change when functionality is expanded without changing the API/ABI. Corrective updates will be delivered with a change to the third digit (Patch). The number 3.0.0 immediately after 1.1.1 was chosen to avoid overlapping with the FIPS module for OpenSSL that is under development, for which the 2.x numbering was used.
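The numbering rule above can be applied mechanically when triaging an inventory of installed versions. The following is an added example, not code from the OpenSSL project; the names `parse_version` and `classify_upgrade` and the result labels are hypothetical, and the "review" result for pre-3.0 numeric changes is an assumption.

```python
import re
from typing import NamedTuple

class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str  # pre-3.0 fix suffix, e.g. "l" in 1.1.1l; always "" from 3.0.0 on

_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(text: str) -> OpenSSLVersion:
    """Parse '3.0.0', '1.1.1l' or a banner such as 'OpenSSL 1.1.1k  25 Mar 2021'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    if major >= 3 and m.group(4):
        raise ValueError(f"letter suffixes are not used from 3.0.0 on: {text!r}")
    return OpenSSLVersion(major, minor, patch, m.group(4))

def classify_upgrade(old: str, new: str) -> str:
    """Return 'same', 'downgrade', 'fix', 'feature', 'rebuild' or 'review'."""
    a, b = parse_version(old), parse_version(new)
    if a == b:
        return "same"
    if b < a:
        return "downgrade"
    if a.major != b.major:
        return "rebuild"   # first digit changed: API/ABI compatibility is broken
    if a.major >= 3:
        # second digit: new functionality, same API/ABI; third digit: corrections
        return "feature" if a.minor != b.minor else "fix"
    if a[:3] == b[:3]:
        return "fix"       # pre-3.0 letter bump (1.1.1k -> 1.1.1l)
    return "review"        # assumption: the old scheme gives no compatibility promise

if __name__ == "__main__":
    import ssl  # version of the OpenSSL build this interpreter is linked against
    fleet = ["1.1.1l", "OpenSSL 1.1.1k  25 Mar 2021", "3.0.0"]  # constructed inventory
    for installed in fleet:
        print(f"{installed!r} -> 3.0.0: {classify_upgrade(installed, '3.0.0')}")
    print("this interpreter:", ssl.OPENSSL_VERSION)
```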

The second important change for the project is the transition from a dual license (OpenSSL and SSLeay) to the Apache 2.0 license. OpenSSL's own previous license was based on the text of the legacy Apache 1.0 license and required an explicit mention of OpenSSL in advertising materials when the OpenSSL libraries were used, as well as a special notice if OpenSSL was supplied as part of a product. These requirements made the old license incompatible with the GPL, which made it difficult to use OpenSSL in GPL-licensed projects. To get around this incompatibility, GPL projects were forced to use specific license agreements in which the main text of the GPL was supplemented with a clause that explicitly allowed the application to be linked with the OpenSSL library and stated that the requirements of the GPL did not apply to linking with OpenSSL.

Compared to the OpenSSL 1.1.1 branch, OpenSSL 3.0.0 adds more than 7500 changes contributed by 350 developers. The main innovations in OpenSSL 3.0.0:

  • A new FIPS module has been proposed, including implementations of cryptographic algorithms that comply with the FIPS 140-2 security standard (the certification process for the module is planned to begin this month, and the FIPS 140-2 certificate is expected next year). The new module is much easier to use, and connecting it to many applications will be no harder than changing a configuration file. By default, the FIPS module is disabled and requires the enable-fips option to be enabled.
  • libcrypto implements the concept of pluggable providers, which has replaced the concept of engines (the ENGINE API has been deprecated). With providers, you can add your own implementations of algorithms for operations such as encryption, decryption, key generation, MAC calculation, and the creation and verification of digital signatures. It is possible both to connect new algorithms and to create alternative implementations of algorithms that are already supported (by default, the provider built into OpenSSL is now used for each algorithm).
  • Added support for the Certificate Management Protocol (RFC 4210), which can be used to request certificates from a CA server, update certificates and revoke certificates. Work with CMP is carried out through the new openssl-cmp utility, which also supports the CRMF format (RFC 4211) and sending requests over HTTP/HTTPS (RFC 6712).
  • A full-fledged client for the HTTP and HTTPS protocols has been implemented, supporting the GET and POST methods, request redirection, operation through a proxy, ASN.1 encoding and timeout processing.
  • A new EVP_MAC (Message Authentication Code API) has been added to make it easier to add new implementations of message authentication codes.
  • A new programming interface for key derivation is proposed: EVP_KDF (Key Derivation Function API), which simplifies the addition of new KDF and PRF implementations. The old EVP_PKEY API, through which the scrypt, TLS1 PRF and HKDF algorithms were available, has been redesigned as a layer implemented on top of the EVP_KDF and EVP_MAC APIs.
  • The TLS protocol implementation makes it possible to use the TLS client and server built into the Linux kernel to speed up operations. To enable the TLS implementation provided by the Linux kernel, you must enable the "SSL_OP_ENABLE_KTLS" option or the "enable-ktls" setting.
  • Added support for new algorithms:
    • The key derivation (KDF) algorithms "SINGLE STEP" and "SSH".
    • The message authentication code (MAC) algorithms "GMAC" and "KMAC".
    • The RSA Key Encapsulation Algorithm (KEM) "RSASVE".
    • The encryption algorithm "AES-SIV" (RFC-8452).
    • Added calls to the EVP API supporting inverse ciphers that use the AES algorithm to encrypt keys (Key Wrap): "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and "AES-256-WRAP-PAD-INV".
    • Added support for ciphertext stealing (CTS) algorithms to the EVP API: "AES-128-CBC-CTS", "AES-192-CBC-CTS", "AES-256-CBC-CTS", "CAMELLIA-128-CBC-CTS", "CAMELLIA-192-CBC-CTS" and "CAMELLIA-256-CBC-CTS".
    • Added support for CAdES-BES digital signatures (RFC 5126).
    • AES_GCM implements the AuthEnvelopedData (RFC 5083) parameter to enable encryption and decryption of messages that are authenticated and encrypted using AES GCM mode.
  • The PKCS7_get_octet_string and PKCS7_type_is_other functions have been added to the public API.
  • In the PKCS#12 API, the default algorithms used in the PKCS12_create() function have been replaced with PBKDF2 and AES, and the SHA-256 algorithm is used to calculate the MAC. To restore the previous behaviour, the "-legacy" option is provided. A large number of new extended calls have been added to PKCS12_*_ex, PKCS5_*_ex and PKCS8_*_ex, such as PKCS12_add_key_ex(), PKCS12_create_ex() and PKCS12_decrypt_skey_ex().
  • On the Windows platform, support for thread synchronization using the SRWLock mechanism has been added.
  • A new tracing API has been added, enabled using the tracing parameter.
  • The list of keys supported in the EVP_PKEY_public_check() and EVP_PKEY_param_check() functions has been expanded: RSA, DSA, ED25519, X25519, ED448 and X448.
  • The RAND_DRBG subsystem has been removed and replaced by the EVP_RAND API. The FIPS_mode() and FIPS_mode_set() functions have been removed.
  • A significant part of the API has been deprecated: using deprecated calls in project code will cause warnings during compilation. In particular, the low-level APIs tied to specific algorithm implementations (for example, AES_set_encrypt_key and AES_encrypt) have been officially declared deprecated. Official support in OpenSSL 3.0.0 is now provided only for the high-level EVP APIs, which are abstracted from individual algorithm types (this API includes, for example, the EVP_EncryptInit_ex, EVP_EncryptUpdate and EVP_EncryptFinal functions). The deprecated APIs will be removed in one of the next major releases. Implementations of legacy algorithms such as MD2 and DES, available through the EVP API, have been moved to a separate "legacy" module, which is disabled by default.
  • The documentation and tests have been significantly expanded. Compared to the 1.1.1 branch, the volume of documentation has increased by 94%, and the size of the test code has increased by 54%.

Source: opennet.ru
