OpenSSL 3.0.0 arrives with many major changes and improvements

After three years of development and 19 test versions, the release of the new version OpenSSL 3.0.0 was recently announced. It contains more than 7500 changes contributed by 350 developers, and it also marks a significant change in the version number, which is due to the move to traditional numbering.

From now on, the first digit (major) of the version number will change only when compatibility is broken at the API/ABI level, and the second (minor) when functionality is added without changing the API/ABI. Corrective updates will ship with a change in the third digit (patch). The number 3.0.0 was chosen immediately after 1.1.1 to avoid collisions with the FIPS module under development for OpenSSL, which was numbered 2.x.

The second major change for the project was the transition from a dual license (OpenSSL and SSLeay) to the Apache 2.0 license. The original OpenSSL license used previously was based on the Apache 1.0 license and required an explicit mention of OpenSSL in promotional materials when the OpenSSL libraries were used, as well as a special notice if OpenSSL was shipped with the product.

These requirements made the previous license incompatible with the GPL, which made it difficult to use OpenSSL in GPL-licensed projects. To work around this incompatibility, GPL projects were forced to apply specific license agreements, in which the main GPL text was supplemented with a clause explicitly allowing the application to link to the OpenSSL library and stating that the GPL does not apply to linking with OpenSSL.

What's new in OpenSSL 3.0.0

Among the new features in OpenSSL 3.0.0 is a new FIPS module, which includes implementations of cryptographic algorithms that meet the FIPS 140-2 security standard (the module certification process is scheduled to begin this month, and FIPS 140-2 certification is expected next year). The new module is much easier to use, and connecting it to many applications will be no harder than changing a configuration file. By default, FIPS is disabled and requires the enable-fips option to turn it on.

In libcrypto, the concept of pluggable providers has been implemented, replacing the concept of engines (the ENGINE API has been deprecated). With providers, you can add your own algorithm implementations for operations such as encryption, decryption, key generation, MAC calculation, and the creation and verification of digital signatures.

It is also noted that support for CMP has been added, which can be used to request certificates from a CA server, renew certificates and revoke certificates. Work with CMP is done through the new openssl-cmp utility, which also implements support for the CRMF format and the transmission of requests over HTTP/HTTPS.

In addition, a new programming interface for key derivation has been proposed: EVP_KDF (Key Derivation Function API), which simplifies the integration of new KDF and PRF implementations. The old EVP_PKEY API, through which the scrypt, TLS1 PRF and HKDF algorithms were available, has been redesigned as an intermediate layer implemented on top of the EVP_KDF and EVP_MAC APIs.

In the protocol implementation, TLS offers the ability to use the TLS client and server built into the Linux kernel to speed up operations. To enable the TLS implementation provided by the Linux kernel, the "SSL_OP_ENABLE_KTLS" option or the "ktls" setting must be enabled.

On the other hand, it is mentioned that a significant part of the API has been moved to the deprecated category: using deprecated calls in project code will generate a warning at compile time. The low-level API tied to specific algorithms has been officially declared obsolete.

Official support in OpenSSL 3.0.0 is now provided only for the high-level EVP APIs, which are abstracted from specific types of algorithms (this API includes, for example, the EVP_EncryptInit_ex, EVP_EncryptUpdate and EVP_EncryptFinal functions). Obsolete APIs will be removed in one of the next major releases. Implementations of legacy algorithms, such as MD2 and DES, which are available through the EVP API, have been moved to a separate "legacy" module, which is disabled by default.
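
The FIPS module, the pluggable providers, the disabled-by-default "legacy" module and kernel TLS described above can all be selected from the library configuration file. The fragment below is an added example, not taken from the original article or from the OpenSSL project; the include path is an assumption, and every section name except `fips_sect` (defined by the generated FIPS module file) is an arbitrary label.

```ini
# openssl.cnf fragment for OpenSSL 3.0 (added example; path below is an assumption)
openssl_conf = openssl_init

# File produced by "openssl fipsinstall"; it defines the [fips_sect] section.
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect
ssl_conf = ssl_sect

[provider_sect]
# Load the FIPS provider instead of the default one.
fips = fips_sect
# "base" supplies the non-cryptographic encoders/decoders the FIPS provider lacks.
base = base_sect
# Legacy algorithms (MD2, DES, ...) stay unavailable unless this is uncommented.
# legacy = legacy_sect

[base_sect]
activate = 1

# [legacy_sect]
# activate = 1

[algorithm_sect]
# By default, fetch only implementations that carry the fips=yes property.
default_properties = fips=yes

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Equivalent to setting SSL_OP_ENABLE_KTLS; only effective when the library
# was built with enable-ktls and the negotiated cipher suite is supported.
Options = KTLS
```

Running `openssl list -providers` with this file in place shows which providers were actually loaded, which is a quick check that the FIPS module passed its self-tests and that the legacy provider is still off.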

Finally, if you are interested in learning more, you can check the details at the following link.

