OpenSSL 3.0.0 arrives with a host of major changes and improvements

After three years of development and 19 test releases, the new version OpenSSL 3.0.0 has been released. It includes more than 7500 changes contributed by 350 developers, and it also brings a significant change in the version number, which is due to the switch to traditional version numbering.

From now on, the first digit (Major) of the version number will change only when compatibility is broken at the API/ABI level, and the second (Minor) when functionality is extended without changing the API/ABI. Corrective updates will be shipped with a change in the third digit (patch). The number 3.0.0 was chosen immediately after 1.1.1 to avoid a clash with the FIPS module that was under development for OpenSSL, which was numbered 2.x.

The second major change for the project was the move from a dual license (OpenSSL and SSLeay) to the Apache 2.0 license. The native OpenSSL license used previously was based on the legacy Apache 1.0 license and required an explicit mention of OpenSSL in promotional materials when using the OpenSSL libraries, plus a special note if OpenSSL was shipped with the product.

These requirements made the previous license incompatible with the GPL, which made it difficult to use OpenSSL in GPL-licensed projects. To work around this incompatibility, GPL projects were forced to adopt specific license agreements, in which the main text of the GPL was supplemented with a clause that explicitly allows the application to link with the OpenSSL library and states that the GPL does not apply to linking with OpenSSL.

What's new in OpenSSL 3.0.0

Among the new features introduced in OpenSSL 3.0.0 is a new FIPS module, which includes implementations of cryptographic algorithms that meet the FIPS 140-2 security standard (the certification process for the module is scheduled to begin this month, and the FIPS 140-2 certificate is expected next year). The new module is much easier to use, and connecting it to many applications will be no harder than changing a configuration file. By default, FIPS is disabled and requires the enable-fips option to be enabled.

In libcrypto, the concept of pluggable service providers has been implemented, replacing the concept of engines (the ENGINE API has been deprecated). With the help of providers, you can add your own algorithm implementations for operations such as encryption, decryption, key generation, MAC calculation, and the creation and verification of digital signatures.

Also notable is the added support for CMP, which can be used to request certificates from a CA server, renew certificates, and revoke certificates. Work with CMP is done through the new openssl-cmp utility, which also implements support for the CRMF format and the transmission of requests over HTTP/HTTPS.

A new programming interface for deriving keys has also been proposed: EVP_KDF (Key Derivation Function API), which simplifies the incorporation of new KDF and PRF implementations. The old EVP_PKEY API, through which the scrypt, TLS1 PRF and HKDF algorithms were available, has been redesigned as an intermediate layer implemented on top of the EVP_KDF and EVP_MAC APIs.

In the TLS protocol implementation, it is now possible to use the TLS client and server built into the Linux kernel to speed up operations. To enable the TLS implementation provided by the Linux kernel, the "SSL_OP_ENABLE_KTLS" option or the "enable-ktls" setting must be enabled.

On the other hand, a significant part of the API has been moved to the deprecated category: using deprecated calls in your project code will produce a warning at compile time. The low-level API tied to specific algorithms has been officially declared obsolete.

Official support in OpenSSL 3.0.0 is now provided only for the high-level EVP APIs, which are abstracted from specific types of algorithms (this API includes, for example, the EVP_EncryptInit_ex, EVP_EncryptUpdate and EVP_EncryptFinal functions). The obsolete APIs will be removed in one of the next major releases. Implementations of legacy algorithms, such as MD2 and DES, that are available through the EVP API have been moved to a separate "legacy" module, which is disabled by default.

Finally, if you are interested in learning more about it, you can check the details at the following link.

