diff --git a/openssl-3.0.0-alpha12.tar.gz b/openssl-3.0.0-alpha12.tar.gz new file mode 100644 index 0000000..1226da4 --- /dev/null +++ b/openssl-3.0.0-alpha12.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8d78239be66af578b969441252e7c125aa134ef3b9bac6179d84275cfe01950c +size 14142492 diff --git a/openssl-3.0.0-alpha12.tar.gz.asc b/openssl-3.0.0-alpha12.tar.gz.asc new file mode 100644 index 0000000..77192db --- /dev/null +++ b/openssl-3.0.0-alpha12.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmAugwsACgkQ2cTSbQ5g +RJE4Wgf6A+BC1k0BFDx27kWfKX0gT2BrD4CjFqRFVXaYVp5GzV2+Z4t4i1YxO94P +VsZffgiepSkh9I4a1pnzrv8AQtljkNLInmfWjONL7wBmo7eIu5uevXojUR78xSTA +gF9TNs3w40krdUlhut7KUQ6BYaqLL1QEBMWRgnMlgtDGB0MIy6u6CMj+Fhhzy7Fx +PXhb4D74ZSVKNwalWIu3C0NtsNmfNs//o//gYq2k1bkoJlw+pjEHs6SQR0AD9Q+i +Cu4UIyhke/sURHonykkBRbyemJFzjWt6QUpNfb8f5AJAUFxm6S1FwT+e3iyolOGv +kjmGBO7H48PAsVnCgg03O9kk1KJurA== +=Kxt4 +-----END PGP SIGNATURE----- diff --git a/openssl-3.0.0-alpha9.tar.gz b/openssl-3.0.0-alpha9.tar.gz deleted file mode 100644 index c05375b..0000000 --- a/openssl-3.0.0-alpha9.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5762545c972d5e48783c751d3188ac19f6f9154ee4899433ba15f01c56b3eee6 -size 14058484 diff --git a/openssl-3.0.0-alpha9.tar.gz.asc b/openssl-3.0.0-alpha9.tar.gz.asc deleted file mode 100644 index 23b7395..0000000 --- a/openssl-3.0.0-alpha9.tar.gz.asc +++ /dev/null 
@@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl+/wWAACgkQ2cTSbQ5g -RJFDvwgAuocCys3M1rapCg2mwusx+Pl64TBgWVEJ3HwINnNu7DYMmvYSkN3YW94K -6YI7YH1god1/HhWqVxfAatDfctDfNz+k04m+L2v01d13OiHSajTx+J+2QSOltclD -V/Cswo/abj79YCz24d9785Py++PTkv/bd4wHvQD2i6OkCtK18Z1GNP90gjZ+Nf4a -1FLCA9W5CiN0yq3SodH6qe61XascIevYABu2o0LhU/tX9morrFsv0bazl3fZIiBL -DmkNbDn765WFAkhUKRrTRsCs9jJNwEQUYWtuA4Orjni3BDTaNTo6ij0ZjkBUxHfk -G5gbrIX+CGBPjSe+ROTa4E50SlGFSg== -=JUas ------END PGP SIGNATURE----- diff --git a/openssl-3.changes b/openssl-3.changes index 7c3a7fe..fdb376e 100644 --- a/openssl-3.changes +++ b/openssl-3.changes 
@@ -1,3 +1,102 @@ +------------------------------------------------------------------- +Fri Feb 19 08:58:35 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 12 + * The SRP APIs have been deprecated. The old APIs do not work via + providers, and there is no EVP interface to them. Unfortunately + there is no replacement for these APIs at this time. + * Add a compile time option to prevent the caching of provider + fetched algorithms. This is enabled by including the + no-cached-fetch option at configuration time. + * Combining the Configure options no-ec and no-dh no longer + disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms + then it cannot support connections with TLSv1.3. However OpenSSL + now supports "pluggable" groups through providers. + * The undocumented function X509_certificate_type() has been + deprecated; applications can use X509_get0_pubkey() and + X509_get0_signature() to get the same information. + * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range() + functions. They are identical to BN_rand() and BN_rand_range() + respectively. + * The default key generation method for the regular 2-prime RSA keys + was changed to the FIPS 186-4 B.3.6 method (Generation of Probable + Primes with Conditions Based on Auxiliary Probable Primes). This + method is slower than the original method. + * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() + functions. They are replaced with the BN_check_prime() function + that avoids possible misuse and always uses at least 64 rounds of + the Miller-Rabin primality test. + * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() + as they are not useful with non-deprecated functions. 
+ +------------------------------------------------------------------- +Fri Feb 12 11:47:35 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 11 + * Deprecated the obsolete X9.31 RSA key generation related + functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), + and BN_X931_generate_prime_ex(). + * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*(). + These were used to collect all necessary data to form a HTTP + request, and to perform the HTTP transfer with that request. + With OpenSSL 3.0, the type is OSSL_HTTP_REQ_CTX, and the + deprecated functions are replaced with OSSL_HTTP_REQ_CTX_*(). + * Validation of SM2 keys has been separated from the validation of + regular EC keys, allowing to improve the SM2 validation process + to reject loaded private keys that are not conforming to the SM2 + ISO standard. In particular, a private scalar 'k' outside the + range '1 <= k < n-1' is now correctly rejected. + * Behavior of the 'pkey' app is changed, when using the '-check' + or '-pubcheck' switches: a validation failure triggers an early + exit, returning a failure exit status to the parent process. + * Changed behavior of SSL_CTX_set_ciphersuites() and + SSL_set_ciphersuites() to ignore unknown ciphers. + * All of the low level EC_KEY functions have been deprecated. + * Functions that read and write EC_KEY objects and that assign or + obtain EC_KEY objects from an EVP_PKEY are also deprecated. + * Added the '-copy_extensions' option to the 'x509' command for use + with '-req' and '-x509toreq'. When given with the 'copy' or + 'copyall' argument, all extensions in the request are copied to + the certificate or vice versa. + * Added the '-copy_extensions' option to the 'req' command for use + with '-x509'. When given with the 'copy' or 'copyall' argument, + all extensions in the certification request are copied to the + certificate. 
+ * The 'x509', 'req', and 'ca' commands now make sure that X.509v3 + certificates they generate are by default RFC 5280 compliant in + the following sense: There is a subjectKeyIdentifier extension + with a hash value of the public key and for not self-signed certs + there is an authorityKeyIdentifier extension with a keyIdentifier + field or issuer information identifying the signing key. This is + done unless some configuration overrides the new default behavior, + such as 'subjectKeyIdentifier = none' and 'authorityKeyIdentifier + = none'. + +------------------------------------------------------------------- +Sat Jan 9 10:05:06 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 10 (CVE-2020-1971) + * See full changelog: www.openssl.org/news/changelog.html + * Fixed NULL pointer deref in the GENERAL_NAME_cmp function + This function could crash if both GENERAL_NAMEs contain an + EDIPARTYNAME. If an attacker can control both items being + compared then this could lead to a possible denial of service + attack. OpenSSL itself uses the GENERAL_NAME_cmp function for + two purposes: + 1) Comparing CRL distribution point names between an available + CRL and a CRL distribution point embedded in an X509 certificate + 2) When verifying that a timestamp response token signer matches + the timestamp authority name (exposed via the API functions + TS_RESP_verify_response and TS_RESP_verify_token) + * The -cipher-commands and -digest-commands options of the + command line utility list has been deprecated. Instead use + the -cipher-algorithms and -digest-algorithms options. + * Additionally functions that read and write DH objects such as + d2i_DHparams, i2d_DHparams, PEM_read_DHparam, PEM_write_DHparams + and other similar functions have also been deprecated. + Applications should instead use the OSSL_DECODER and OSSL_ENCODER + APIs to read and write DH files. + ------------------------------------------------------------------- Thu Dec 17 09:26:56 UTC 2020 - Pedro Monreal 
diff --git a/openssl-3.spec b/openssl-3.spec index c03b4c9..bbf8575 100644 --- a/openssl-3.spec +++ b/openssl-3.spec @@ -20,7 +20,7 @@ %define sover 3 %define _rname openssl %define vernum 3.0.0 -%define relnum alpha9 +%define relnum alpha12 %define dash_version %{vernum}-%{relnum} Name: openssl-3 # Don't forget to update the version in the "openssl" package!
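Review bot: The new openssl-3.0.0-alpha12.tar.gz hunk adds only a Git LFS pointer (oid sha256:8d78239b..., size 14142492), so the tarball content itself is not reviewable here; the sha256 in the pointer should be cross-checked against the hash published for the upstream release before this is merged, since a pointer that resolves to a different object would silently change what the spec builds.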
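Review bot: In the openssl-3.0.0-alpha12.tar.gz.asc hunk the armored data starts with the same issuer-fingerprint bytes ("iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJE") as the alpha9 signature being deleted, so it appears to come from the same signing key; please confirm in the PR description that the signature verifies against the keyring pinned by the package rather than against a key fetched at verification time, because a detached .asc only provides assurance when the trusted key set is fixed.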
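Review bot: In the openssl-3.changes hunk, the Alpha 11 entry "Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() to ignore unknown ciphers" deserves a more explicit warning, since it means a misspelt TLSv1.3 ciphersuite name in an application or config no longer fails loudly; likewise the Alpha 12 entries on the FIPS 186-4 B.3.6 RSA key generation default and the BN_check_prime() replacement are behaviour changes that reverse dependencies may notice. Consider leading those items with "Behaviour change:" so packagers of dependent software can spot them, and note that the package jumps from alpha9 directly to alpha12, so the CVE-2020-1971 fix recorded under Alpha 10 is first shipped by this update.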
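Review bot: The openssl-3.spec hunk bumps only "%define relnum alpha9" to "%define relnum alpha12"; the context line "# Don't forget to update the version in the "openssl" package!" directly below is not addressed anywhere in this diff, so please either include that companion change or state in the PR why it is not needed. It would also help to mention whether the .asc file added in this change is referenced as a Source and verified during the build, since nothing in the visible spec hunk shows it being used.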