Accepting request 873726 from security:tls:unstable

- Update to 3.0.0 Alpha 12
  * The SRP APIs have been deprecated. The old APIs do not work via
    providers, and there is no EVP interface to them. Unfortunately
    there is no replacement for these APIs at this time.
  * Add a compile time option to prevent the caching of provider
    fetched algorithms. This is enabled by including the
    no-cached-fetch option at configuration time.
  * Combining the Configure options no-ec and no-dh no longer
    disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms
    then it cannot support connections with TLSv1.3. However OpenSSL
    now supports "pluggable" groups through providers.
  * The undocumented function X509_certificate_type() has been
    deprecated; applications can use X509_get0_pubkey() and
    X509_get0_signature() to get the same information.
  * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range()
    functions. They are identical to BN_rand() and BN_rand_range()
    respectively.
  * The default key generation method for the regular 2-prime RSA keys
    was changed to the FIPS 186-4 B.3.6 method (Generation of Probable
    Primes with Conditions Based on Auxiliary Probable Primes). This
    method is slower than the original method.
  * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex()
    functions. They are replaced with the BN_check_prime() function
    that avoids possible misuse and always uses at least 64 rounds of
    the Miller-Rabin primality test.
  * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn()
    as they are not useful with non-deprecated functions.

- Update to 3.0.0 Alpha 11
  * Deprecated the obsolete X9.31 RSA key generation related

OBS-URL: https://build.opensuse.org/request/show/873726
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=23

openssl-3.0.0-alpha12.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8d78239be66af578b969441252e7c125aa134ef3b9bac6179d84275cfe01950c
+size 14142492

openssl-3.0.0-alpha12.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmAugwsACgkQ2cTSbQ5g
+RJE4Wgf6A+BC1k0BFDx27kWfKX0gT2BrD4CjFqRFVXaYVp5GzV2+Z4t4i1YxO94P
+VsZffgiepSkh9I4a1pnzrv8AQtljkNLInmfWjONL7wBmo7eIu5uevXojUR78xSTA
+gF9TNs3w40krdUlhut7KUQ6BYaqLL1QEBMWRgnMlgtDGB0MIy6u6CMj+Fhhzy7Fx
+PXhb4D74ZSVKNwalWIu3C0NtsNmfNs//o//gYq2k1bkoJlw+pjEHs6SQR0AD9Q+i
+Cu4UIyhke/sURHonykkBRbyemJFzjWt6QUpNfb8f5AJAUFxm6S1FwT+e3iyolOGv
+kjmGBO7H48PAsVnCgg03O9kk1KJurA==
+=Kxt4
+-----END PGP SIGNATURE-----

openssl-3.0.0-alpha9.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5762545c972d5e48783c751d3188ac19f6f9154ee4899433ba15f01c56b3eee6
-size 14058484

openssl-3.0.0-alpha9.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl+/wWAACgkQ2cTSbQ5g
-RJFDvwgAuocCys3M1rapCg2mwusx+Pl64TBgWVEJ3HwINnNu7DYMmvYSkN3YW94K
-6YI7YH1god1/HhWqVxfAatDfctDfNz+k04m+L2v01d13OiHSajTx+J+2QSOltclD
-V/Cswo/abj79YCz24d9785Py++PTkv/bd4wHvQD2i6OkCtK18Z1GNP90gjZ+Nf4a
-1FLCA9W5CiN0yq3SodH6qe61XascIevYABu2o0LhU/tX9morrFsv0bazl3fZIiBL
-DmkNbDn765WFAkhUKRrTRsCs9jJNwEQUYWtuA4Orjni3BDTaNTo6ij0ZjkBUxHfk
-G5gbrIX+CGBPjSe+ROTa4E50SlGFSg==
-=JUas
------END PGP SIGNATURE-----

openssl-3.changes

@@ -1,3 +1,102 @@
+-------------------------------------------------------------------
+Fri Feb 19 08:58:35 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.0.0 Alpha 12
+  * The SRP APIs have been deprecated. The old APIs do not work via
+    providers, and there is no EVP interface to them. Unfortunately
+    there is no replacement for these APIs at this time.
+  * Add a compile time option to prevent the caching of provider
+    fetched algorithms. This is enabled by including the
+    no-cached-fetch option at configuration time.
+  * Combining the Configure options no-ec and no-dh no longer
+    disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms
+    then it cannot support connections with TLSv1.3. However OpenSSL
+    now supports "pluggable" groups through providers.
+  * The undocumented function X509_certificate_type() has been
+    deprecated; applications can use X509_get0_pubkey() and
+    X509_get0_signature() to get the same information.
+  * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range()
+    functions. They are identical to BN_rand() and BN_rand_range()
+    respectively.
+  * The default key generation method for the regular 2-prime RSA keys
+    was changed to the FIPS 186-4 B.3.6 method (Generation of Probable
+    Primes with Conditions Based on Auxiliary Probable Primes). This
+    method is slower than the original method.
+  * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex()
+    functions. They are replaced with the BN_check_prime() function
+    that avoids possible misuse and always uses at least 64 rounds of
+    the Miller-Rabin primality test.
+  * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn()
+    as they are not useful with non-deprecated functions.
+
+-------------------------------------------------------------------
+Fri Feb 12 11:47:35 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.0.0 Alpha 11
+  * Deprecated the obsolete X9.31 RSA key generation related
+    functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(),
+    and BN_X931_generate_prime_ex().
+  * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*().
+    These were used to collect all necessary data to form a HTTP
+    request, and to perform the HTTP transfer with that request.
+    With OpenSSL 3.0, the type is OSSL_HTTP_REQ_CTX, and the
+    deprecated functions are replaced with OSSL_HTTP_REQ_CTX_*().
+  * Validation of SM2 keys has been separated from the validation of
+    regular EC keys, allowing to improve the SM2 validation process
+    to reject loaded private keys that are not conforming to the SM2
+    ISO standard. In particular, a private scalar 'k' outside the
+    range '1 <= k < n-1' is now correctly rejected.
+  * Behavior of the 'pkey' app is changed, when using the '-check'
+    or '-pubcheck' switches: a validation failure triggers an early
+    exit, returning a failure exit status to the parent process.
+  * Changed behavior of SSL_CTX_set_ciphersuites() and
+    SSL_set_ciphersuites() to ignore unknown ciphers.
+  * All of the low level EC_KEY functions have been deprecated.
+  * Functions that read and write EC_KEY objects and that assign or
+    obtain EC_KEY objects from an EVP_PKEY are also deprecated.
+  * Added the '-copy_extensions' option to the 'x509' command for use
+    with '-req' and '-x509toreq'. When given with the 'copy' or
+    'copyall' argument, all extensions in the request are copied to
+    the certificate or vice versa.
+  * Added the '-copy_extensions' option to the 'req' command for use
+    with '-x509'. When given with the 'copy' or 'copyall' argument,
+    all extensions in the certification request are copied to the
+    certificate.
+  * The 'x509', 'req', and 'ca' commands now make sure that X.509v3
+    certificates they generate are by default RFC 5280 compliant in
+    the following sense: There is a subjectKeyIdentifier extension
+    with a hash value of the public key and for not self-signed certs
+    there is an authorityKeyIdentifier extension with a keyIdentifier
+    field or issuer information identifying the signing key. This is
+    done unless some configuration overrides the new default behavior,
+    such as 'subjectKeyIdentifier = none' and 'authorityKeyIdentifier
+    = none'.
+
+-------------------------------------------------------------------
+Sat Jan  9 10:05:06 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.0.0 Alpha 10 (CVE-2020-1971)
+  * See full changelog: www.openssl.org/news/changelog.html
+  * Fixed NULL pointer deref in the GENERAL_NAME_cmp function
+    This function could crash if both GENERAL_NAMEs contain an
+    EDIPARTYNAME. If an attacker can control both items being
+    compared then this could lead to a possible denial of service
+    attack. OpenSSL itself uses the GENERAL_NAME_cmp function for
+    two purposes:
+    1) Comparing CRL distribution point names between an available
+       CRL and a CRL distribution point embedded in an X509 certificate
+    2) When verifying that a timestamp response token signer matches
+       the timestamp authority name (exposed via the API functions
+       TS_RESP_verify_response and TS_RESP_verify_token)
+  * The -cipher-commands and -digest-commands options of the
+    command line utility list has been deprecated. Instead use
+    the -cipher-algorithms and -digest-algorithms options.
+  * Additionally functions that read and write DH objects such as
+    d2i_DHparams, i2d_DHparams, PEM_read_DHparam, PEM_write_DHparams
+    and other similar functions have also been deprecated.
+    Applications should instead use the OSSL_DECODER and OSSL_ENCODER
+    APIs to read and write DH files.
+
 -------------------------------------------------------------------
 Thu Dec 17 09:26:56 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
 

openssl-3.spec

@@ -20,7 +20,7 @@
 %define sover 3
 %define _rname  openssl
 %define vernum 3.0.0
-%define relnum alpha9
+%define relnum alpha12
 %define dash_version %{vernum}-%{relnum}
 Name:           openssl-3
 # Don't forget to update the version in the "openssl" package!