OpenSSL 3.6.0 Released With EVP_SKEY Support and a Buffer Overflow Fix

The OpenSSL 3.6.0 library has been released, offering an implementation of the SSL/TLS protocols and various encryption algorithms. OpenSSL 3.6 is classed as a release with the usual support term (LTS), for which updates are issued for 13 months. Support for the previous branches OpenSSL 3.5 LTS, 3.4, 3.3, 3.2 and 3.0 LTS will last until April 2030, October 2026, November 2025 and September 2026, respectively. The project code is distributed under the Apache 2.0 license.

Main innovations:

  • Added support for the EVP_SKEY (symmetric key) structure, which represents symmetric keys as opaque objects. Unlike a raw key, which is an array of bytes, a key in EVP_SKEY is abstracted and carries additional metadata. EVP_SKEY may be used in encryption, key exchange and key derivation (KDF) functions. To work with EVP_SKEY keys, the functions EVP_KDF_CTX_set_SKEY(), EVP_KDF_derive_SKEY() and EVP_PKEY_derive_SKEY() have been added.
  • Added support for verifying digital signatures based on the LMS (Leighton-Micali Signatures) scheme, which uses hash functions and tree-based hashing in the form of a Merkle tree (each branch verifies all the underlying branches and nodes). LMS digital signatures are resistant to brute-force attacks on a quantum computer and are designed to certify the integrity of firmware and applications.
  • Added NIST security categories for PKEY objects (public and private keys). The security category is set through the “security-category” setting. To check the security level, the EVP_PKEY_get_security_category() function has been added. The security level reflects resistance to brute-force attacks on quantum computers and can take integer values from 0 to 5:

    • 0 – the implementation is not resistant to attacks on quantum computers;
    • 1/3/5 – the implementation is no weaker than a key search on a quantum computer against a block cipher with a 128/196-bit key;
    • 2/4 – the implementation is no weaker than a collision search on a quantum computer against a 256/384-bit hash.
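
The Merkle-tree step of LMS verification mentioned above, as an added Python example (not OpenSSL code): it hashes nodes the way RFC 8554 specifies and rebuilds the root from one leaf and its authentication path. The function names, the tree identifier and the stand-in one-time public keys are constructed for illustration; real LMS first recomputes the one-time public key from the LM-OTS signature.

```python
import hashlib
import hmac
import struct

D_LEAF, D_INTR = 0x8282, 0x8383  # RFC 8554 domain separators: leaf / interior

def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def leaf(ident, r, ots_pub):
    # T[r] = H(I || u32str(r) || u16str(D_LEAF) || OTS public key)
    return _h(ident, struct.pack(">IH", r, D_LEAF), ots_pub)

def interior(ident, r, left, right):
    # T[r] = H(I || u32str(r) || u16str(D_INTR) || T[2r] || T[2r+1])
    return _h(ident, struct.pack(">IH", r, D_INTR), left, right)

def build_tree(ident, ots_pubs):
    """Signer side: hash every node; root is node 1, leaves are n .. 2n-1."""
    n = len(ots_pubs)  # number of leaves, must be a power of two
    tree = {n + q: leaf(ident, n + q, pk) for q, pk in enumerate(ots_pubs)}
    for r in range(n - 1, 0, -1):
        tree[r] = interior(ident, r, tree[2 * r], tree[2 * r + 1])
    return tree

def auth_path(tree, n, q):
    """Siblings of the nodes on the way from leaf q up to the root."""
    path, r = [], n + q
    while r > 1:
        path.append(tree[r ^ 1])
        r //= 2
    return path

def verify_path(ident, n, q, ots_pub, path, root):
    """Verifier side: rebuild the root from one leaf and its path, compare."""
    if not 0 <= q < n or len(path) != n.bit_length() - 1:
        return False  # reject out-of-range leaf index or wrong path length
    r, node = n + q, leaf(ident, n + q, ots_pub)
    for sibling in path:
        if r & 1:   # odd node number: this node is the right child
            node = interior(ident, r // 2, sibling, node)
        else:       # even node number: this node is the left child
            node = interior(ident, r // 2, node, sibling)
        r //= 2
    return hmac.compare_digest(node, root)

# Constructed sample data: 16-byte tree identifier, 8 stand-in OTS public keys.
IDENT = bytes(range(16))
OTS_PUBS = [_h(b"constructed-ots-key", bytes([i])) for i in range(8)]
TREE = build_tree(IDENT, OTS_PUBS)
```

The verifier only needs the root (the LMS public key), the leaf index and three sibling hashes for this eight-leaf tree. Because the node number is hashed into every node, a valid path cannot be replayed for a different leaf position.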