From dac9bbe2ba5577f63d161b0ed545d72f08fb87da35de2b33bd7b7db9daa3544b Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Wed, 28 Jul 2021 10:42:52 +0000 Subject: [PATCH] Accepting request 908852 from security:tls:unstable OBS-URL: https://build.opensuse.org/request/show/908852 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=28 --- openssl-3.changes | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/openssl-3.changes b/openssl-3.changes index a780c5b..7623f63 100644 --- a/openssl-3.changes +++ b/openssl-3.changes @@ -93,6 +93,40 @@ Sat May 1 19:58:48 UTC 2021 - Jason Sikes to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate SM2 keys directly and must not create an EVP_PKEY_EC key first. +------------------------------------------------------------------- +Mon Apr 19 12:35:57 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 14 + * A public key check is now performed during EVP_PKEY_derive_set_peer(). + Previously DH was internally doing this during EVP_PKEY_derive(). + * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT, + EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT, + EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations + are deprecated. They are not invoked by the OpenSSL library anymore and + are replaced by direct checks of the key operation against the key type + when the operation is initialized. + * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for + more key types including RSA, DSA, ED25519, X25519, ED448 and X448. + Previously (in 1.1.1) they would return -2. For key types that do not have + parameters then EVP_PKEY_param_check() will always return 1. + * The output from numerous "printing" functions such as X509_signature_print(), + X509_print_ex(), X509_CRL_print_ex(), and other similar functions has been + amended such that there may be cosmetic differences between the output + observed in 1.1.1 and 3.0. This also applies to the "-text" output from the + x509 and crl applications. + * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) + for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations. + As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present. + Correct the semantics of checking the validation chain in case ESSCertID{,v2} + contains more than one certificate identifier: This means that all + certificates referenced there MUST be part of the validation chain. + * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA + capable processors. + * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM + parameter (RFC 5084) for the Cryptographic Message Syntax (CMS). Its purpose + is to support encryption and decryption of a digital envelope that is both + authenticated and encrypted using AES GCM mode. + ------------------------------------------------------------------- Wed Apr 14 17:55:21 UTC 2021 - Pedro Monreal