After three years of development and 19 test versions, the new version OpenSSL 3.0.0 has been released. It includes more than 7500 changes contributed by 350 developers, and it also brings a major change in the version number, which is due to the switch to traditional version numbering.
From now on, the first digit (Major) of the version number will change only when compatibility is broken at the API/ABI level, and the second (Minor) when functionality is extended without changing the API/ABI. Corrective updates will be shipped with a change to the third digit (patch). The number 3.0.0 was chosen to follow directly after 1.1.1 in order to avoid collisions with the FIPS module that was being developed for OpenSSL, which was numbered 2.x.
The second major change for the project was the move from a dual license (OpenSSL and SSLeay) to the Apache 2.0 license. The native OpenSSL license used previously was based on the legacy Apache 1.0 license and required an explicit mention of OpenSSL in promotional materials when the OpenSSL libraries were used, plus a special note if OpenSSL was shipped with the product.
These requirements made the previous license incompatible with the GPL, which made it difficult to use OpenSSL in GPL-licensed projects. To work around this incompatibility, GPL projects were forced to apply specific license agreements, in which the main GPL text was supplemented with a clause that explicitly allowed the application to link with the OpenSSL library and stated that the GPL does not apply to linking with OpenSSL.
What's new in OpenSSL 3.0.0
Among the new features introduced in OpenSSL 3.0.0 is a new FIPS module, which includes implementations of cryptographic algorithms that meet the FIPS 140-2 security standard (the module certification process is scheduled to start this month, and FIPS 140-2 certification is expected next year). The new module is much easier to use, and connecting it to many applications will be no harder than changing a configuration file. By default, FIPS is disabled and requires the enable-fips option to be enabled.
In libcrypto, the concept of pluggable providers has been implemented, replacing the concept of engines (the ENGINE API has been deprecated). With the help of providers, you can add your own algorithm implementations for operations such as encryption, decryption, key generation, MAC calculation, and the creation and verification of digital signatures.
It is also worth highlighting that support for CMP has been added, which can be used to request certificates from a CA server, renew certificates, and revoke certificates. Work with CMP is handled by the new openssl-cmp utility, which also implements support for the CRMF format and the transfer of requests over HTTP/HTTPS.
A new programming interface for key derivation has also been proposed: EVP_KDF (Key Derivation Function API), which makes it easier to add new KDF and PRF implementations. The old EVP_PKEY API, through which the scrypt, TLS1 PRF and HKDF algorithms were available, has been redesigned as an intermediate layer implemented on top of the EVP_KDF and EVP_MAC APIs.
In the TLS protocol implementation, it is now possible to use the TLS client and server built into the Linux kernel to speed up operations. To enable the TLS implementation provided by the Linux kernel, the "SSL_OP_ENABLE_KTLS" option or the "enable-ktls" setting must be enabled.
On the other hand, a significant part of the API has been moved to the deprecated category. Using deprecated calls in your project code will produce a warning at compile time. The low-level API tied to specific algorithms has been officially declared obsolete.
Official support in OpenSSL 3.0.0 is now provided only for the high-level EVP APIs, which are abstracted from specific algorithm types (this API includes, for example, the EVP_EncryptInit_ex, EVP_EncryptUpdate, and EVP_EncryptFinal functions). The deprecated APIs will be removed in one of the next major releases. Legacy algorithm implementations, such as MD2 and DES, which are available through the EVP API, have been moved to a separate "legacy" module, which is disabled by default.
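As an added illustration of the configuration-file approach to the FIPS module and of the "legacy" module being off by default (this fragment is not from the original article or from the OpenSSL project's shipped files), an openssl.cnf could select providers as follows. The path to fipsmodule.cnf is a placeholder, and the section names other than fips_sect are arbitrary labels chosen for this example.

```ini
# openssl.cnf fragment (constructed example)
openssl_conf = openssl_init

# fipsmodule.cnf is generated by `openssl fipsinstall` on a build made
# with enable-fips; it defines [fips_sect]. Placeholder path, use an
# absolute one on a real system.
.include /path/to/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

# Variant A: FIPS provider for crypto, base provider for encoders/decoders.
[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
# Algorithm fetches ask for FIPS-approved implementations unless the
# application passes its own property query.
default_properties = fips=yes

# Variant B (alternative to A, kept commented out): re-enable the legacy
# module for old data formats that still need MD2/DES-era algorithms.
# Once any provider is activated explicitly, the default provider is no
# longer loaded implicitly, so it has to be listed next to legacy.
# Drop the .include and alg_section lines above when using this variant.
#
# [provider_sect]
# default = default_sect
# legacy = legacy_sect
#
# [default_sect]
# activate = 1
#
# [legacy_sect]
# activate = 1
```

Running `openssl list -providers` afterwards shows which providers the library actually loaded from this configuration.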
Finally, if you are interested in learning more about it, you can check the details at the following link.