Sync from SUSE:ALP:Source:Standard:1.0 gnutls revision a3376efb8f91a7caca1aef66c58b169d

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

baselibs.conf

@@ -0,0 +1,7 @@
+libgnutls30
+  obsoletes "gnutls-<targettype>"
+  provides "libgnutls30-hmac-<targettype> = <version>-%release"
+  obsoletes "libgnutls30-hmac-<targettype> < <version>-%release"
+libgnutls-devel
+  requires -libgnutls-<targettype>
+  requires "libgnutls30-<targettype> = <version>"

gnutls-3.5.11-skip-trust-store-tests.patch

@@ -0,0 +1,31 @@
+From: Andreas Stieger <astieger@suse.com>
+Date: Thu, 18 May 2017 10:31:42 +0200
+References: https://build.opensuse.org/request/show/493998
+Upstream: never
+
+trust-store test added in 
+https://gitlab.com/gnutls/gnutls/commit/8d740ae87fae9c1237421dd24825b78103c5da36
+need ca-certificates-mozilla to run.
+
+[  242s] FAIL: trust-store
+[  242s] =================
+[  242s]
+[  242s] doit:64: no certificates were found in system trust store!
+[  242s] FAIL trust-store (exit status: 1)
+
+But this would create a build cycle. Skip test.
+
+Index: gnutls-3.6.15/tests/trust-store.c
+===================================================================
+--- gnutls-3.6.15.orig/tests/trust-store.c	2020-09-08 10:24:24.018094247 +0200
++++ gnutls-3.6.15/tests/trust-store.c	2020-09-08 10:24:25.534104346 +0200
+@@ -44,6 +44,9 @@ static void tls_log_func(int level, cons
+ 
+ void doit(void)
+ {
++	/* building without ca-certificates-mozilla, skip test */
++	exit(77);
++
+ 	gnutls_certificate_credentials_t x509_cred;
+ 	int ret;
+ 

gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch

@@ -0,0 +1,112 @@
+Index: gnutls-3.8.0/lib/fips.c
+===================================================================
+--- gnutls-3.8.0.orig/lib/fips.c
++++ gnutls-3.8.0/lib/fips.c
+@@ -171,16 +171,28 @@ struct hmac_entry {
+ struct hmac_file {
+ 	int version;
+ 	struct hmac_entry gnutls;
++#if 0
++	/* Disable nettle, hogweed and gpm HMAC verification as
++	 * they are calculated during build of the respective
++	 * packages and can differ from the ones listed here.
++	 */
+ 	struct hmac_entry nettle;
+ 	struct hmac_entry hogweed;
+ 	struct hmac_entry gmp;
++#endif
+ };
+ 
+ struct lib_paths {
+ 	char gnutls[GNUTLS_PATH_MAX];
++#if 0
++	/* Disable nettle, hogweed and gpm HMAC verification as
++	 * they are calculated during build of the respective
++	 * packages and can differ from the ones listed here.
++	 */
+ 	char nettle[GNUTLS_PATH_MAX];
+ 	char hogweed[GNUTLS_PATH_MAX];
+ 	char gmp[GNUTLS_PATH_MAX];
++#endif
+ };
+ 
+ /*
+@@ -241,12 +253,18 @@ static int handler(void *user, const cha
+ 		}
+ 	} else if (!strcmp(section, GNUTLS_LIBRARY_NAME)) {
+ 		return lib_handler(&p->gnutls, section, name, value);
++#if 0
++	/* Disable nettle, hogweed and gpm HMAC verification as
++	 * they are calculated during build of the respective
++	 * packages and can differ from the ones listed here.
++	 */
+ 	} else if (!strcmp(section, NETTLE_LIBRARY_NAME)) {
+ 		return lib_handler(&p->nettle, section, name, value);
+ 	} else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
+ 		return lib_handler(&p->hogweed, section, name, value);
+ 	} else if (!strcmp(section, GMP_LIBRARY_NAME)) {
+ 		return lib_handler(&p->gmp, section, name, value);
++#endif
+ 	} else {
+ 		return 0;
+ 	}
+@@ -391,12 +409,18 @@ static int callback(struct dl_phdr_info
+ 
+ 	if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
+ 		_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
++#if 0
++	/* Disable nettle, hogweed and gpm HMAC verification as
++	 * they are calculated during build of the respective
++	 * packages and can differ from the ones listed here.
++	 */
+ 	else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
+ 		_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
+ 	else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+ 		_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
+ 	else if (!strcmp(soname, GMP_LIBRARY_SONAME))
+ 		_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
++#endif
+ 	return 0;
+ }
+ 
+@@ -409,6 +433,11 @@ static int load_lib_paths(struct lib_pat
+ 		_gnutls_debug_log("Gnutls library path was not found\n");
+ 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ 	}
++#if 0
++	/* Disable nettle, hogweed and gpm HMAC verification as
++	 * they are calculated during build of the respective
++	 * packages and can differ from the ones listed here.
++	 */
+ 	if (paths->nettle[0] == '\0') {
+ 		_gnutls_debug_log("Nettle library path was not found\n");
+ 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+@@ -421,7 +450,7 @@ static int load_lib_paths(struct lib_pat
+ 		_gnutls_debug_log("Gmp library path was not found\n");
+ 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ 	}
+-
++#endif
+ 	return GNUTLS_E_SUCCESS;
+ }
+ 
+@@ -467,6 +496,11 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
+ 	if (ret < 0)
+ 		return ret;
++# if 0
++	/* Disable nettle, hogweed and gpm HMAC verification as
++	 * they are calculated during build of the respective
++	 * packages and can differ from the ones listed here.
++	 */
+ 	ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ 	if (ret < 0)
+ 		return ret;
+@@ -476,6 +510,7 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ 	if (ret < 0)
+ 		return ret;
++# endif
+ 
+ 	return 0;
+ }

gnutls-FIPS-TLS_KDF_selftest.patch

@@ -0,0 +1,31 @@
+Index: gnutls-3.7.7/lib/fips.c
+===================================================================
+--- gnutls-3.7.7.orig/lib/fips.c
++++ gnutls-3.7.7/lib/fips.c
+@@ -517,6 +517,26 @@ int _gnutls_fips_perform_self_checks2(vo
+ 		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
+ 	}
+ 
++        /* KDF */
++
++	char derived[512];
++
++	gnutls_datum_t secret = { (void *)"\x04\x50\xb0\xea\x9e\xcd\x36\x02\xee\x0d\x76\xc5\xc3\xc8\x6f\x4a", 16 };
++	gnutls_datum_t seed = { (void *)"\x20\x7a\xcc\x02\x54\xb8\x67\xf5\xb9\x25\xb4\x5a\x33\x60\x1d\x8b", 16 };
++	gnutls_datum_t label = { (void *)"test label", 10 };
++	gnutls_datum_t expected = { (void *)"\xae\x67\x9e\x0e\x71\x4f\x59\x75\x76\x37\x68\xb1\x66\x97\x9e\x1d", 16 };
++
++	ret = _gnutls_prf_raw(GNUTLS_MAC_SHA256, secret.size, secret.data,
++		label.size, (char*)label.data, seed.size, seed.data, expected.size, derived);
++	if (ret < 0) {
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
++	}
++
++	ret = memcmp(derived, expected.data, expected.size);
++	if (ret != 0) {
++		return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR);
++	}
++
+ 	/* PK */
+ 	ret = gnutls_pk_self_test(0, GNUTLS_PK_RSA);
+ 	if (ret < 0) {

gnutls-FIPS-jitterentropy.patch

@@ -0,0 +1,225 @@
+Index: gnutls-3.8.1/lib/nettle/sysrng-linux.c
+===================================================================
+--- gnutls-3.8.1.orig/lib/nettle/sysrng-linux.c
++++ gnutls-3.8.1/lib/nettle/sysrng-linux.c
+@@ -49,6 +49,15 @@
+ get_entropy_func _rnd_get_system_entropy = NULL;
+ 
+ #if defined(__linux__)
++# if defined(ENABLE_FIPS140)
++#  define HAVE_JENT
++#  include <jitterentropy.h>
++/* Per thread context of random generator, and a flag to indicate initialization */
++static _Thread_local struct rand_data* ec = NULL;
++static _Thread_local int jent_initialized = 0;
++/* Declare function to fix a missing-prototypes compilation warning */
++void FIPS_jent_entropy_deinit(void);
++# endif
+ #ifdef HAVE_GETRANDOM
+ #include <sys/random.h>
+ #else
+@@ -68,6 +77,101 @@ static ssize_t _getrandom0(void *buf, si
+ #endif
+ #endif
+ 
++# if defined(ENABLE_FIPS140)
++#  if defined(HAVE_JENT)
++/* check whether the CPU Jitter entropy collector is available. */
++static unsigned FIPS_jent_entropy_init(void)
++{
++       unsigned int rv = 1;
++       unsigned int osr = 1;    /* <OSR> Oversampling rate */
++       unsigned int flags = 0;  /* JENT_FORCE_FIPS
++                                 * JENT_DISABLE_MEMORY_ACCESS
++                                 * JENT_DISABLE_INTERNAL_TIMER
++                                 * JENT_FORCE_INTERNAL_TIMER
++                                 * JENT_MAX_MEMSIZE_{32,64,128,256,512}kB
++                                 * JENT_MAX_MEMSIZE_{1,2,4,8,16,32,64,128,256,512}MB
++                                 */
++
++       /* Set the FIPS flag. */
++       flags |= JENT_FORCE_FIPS;
++
++       /* Do not re-initialize jent. */
++       if (jent_initialized == 0) {
++               if (jent_entropy_init_ex(osr, flags))
++                       return 0;
++               jent_initialized = 1;
++       }
++
++       /* Allocate the entropy collector. */
++       if (ec == NULL) {
++               ec = jent_entropy_collector_alloc(osr, flags);
++               if (ec == NULL) {
++                       rv = 0;
++               }
++       }
++
++       return rv;
++}
++
++void FIPS_jent_entropy_deinit(void)
++{
++       /* Free the entropy collector. */
++       if (ec != NULL) {
++               jent_entropy_collector_free(ec);
++               ec = NULL;
++       }
++
++       jent_initialized = 0;
++
++       return;
++}
++
++/* returns exactly the amount of bytes requested */
++static int force_jent(void *buf, size_t buflen, unsigned int flags,
++                     unsigned int osr)
++{
++       static int jent_bytes = -1;
++
++       if (buf == NULL || buflen == 0) {
++               return -1;
++       }
++
++       /* Ensure the entropy source has been fully initiated. */
++       if (jent_initialized == 0 || ec == NULL) {
++               if (!FIPS_jent_entropy_init()) {
++                       return -1;
++               }
++       }
++
++       /* Get entropy bytes. */
++       jent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen);
++
++       return jent_bytes;
++}
++
++static int _rnd_get_system_entropy_jent(void* _rnd, size_t size)
++{
++       int ret;
++       unsigned int osr = 1;
++       unsigned int flags = 0;
++
++       /* Set the FIPS flag. */
++       flags |= JENT_FORCE_FIPS;
++
++       ret = force_jent(_rnd, size, flags, osr);
++       if (ret < 0) {
++               int e = errno;
++               gnutls_assert();
++               _gnutls_debug_log("Failed to use jent: %s\n", strerror(e));
++               FIPS_jent_entropy_deinit();
++               return GNUTLS_E_RANDOM_DEVICE_ERROR;
++       }
++
++       return 0;
++}
++#  endif
++# endif
++
+ static unsigned have_getrandom(void)
+ {
+ 	char c;
+@@ -163,6 +267,24 @@ int _rnd_system_entropy_init(void)
+ 	int urandom_fd;
+ 
+ #if defined(__linux__)
++# if defined(ENABLE_FIPS140)
++#  if defined(HAVE_JENT)
++	/* Enable jitterentropy usage if available */
++	if (FIPS_jent_entropy_init()) {
++		_rnd_get_system_entropy = _rnd_get_system_entropy_jent;
++		_gnutls_debug_log("jitterentropy random generator was selected\n");
++		return 0;
++	} else {
++		_gnutls_debug_log("jitterentropy is not available\n");
++		/* Set error state when FIPS_jent_entropy_init failed and FIPS mode is enabled */
++		if (_gnutls_fips_mode_enabled()) {
++			_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
++			_gnutls_switch_lib_state(LIB_STATE_ERROR);
++			return gnutls_assert_val(GNUTLS_E_RANDOM_DEVICE_ERROR);
++		}
++	}
++#  endif
++# endif
+ 	/* Enable getrandom() usage if available */
+ 	if (have_getrandom()) {
+ 		_rnd_get_system_entropy = _rnd_get_system_entropy_getrandom;
+@@ -193,5 +315,12 @@ int _rnd_system_entropy_init(void)
+ void _rnd_system_entropy_deinit(void)
+ {
+ 	/* A no-op now when we open and close /dev/urandom every time */
++#if defined(__linux__)
++# if defined(ENABLE_FIPS140)
++#  if defined(HAVE_JENT)
++	FIPS_jent_entropy_deinit();
++#  endif
++# endif
++#endif
+ 	return;
+ }
+Index: gnutls-3.8.1/lib/nettle/Makefile.in
+===================================================================
+--- gnutls-3.8.1.orig/lib/nettle/Makefile.in
++++ gnutls-3.8.1/lib/nettle/Makefile.in
+@@ -402,7 +402,7 @@ am__v_CC_1 =
+ CCLD = $(CC)
+ LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
++	$(AM_LDFLAGS) $(LDFLAGS) -ljitterentropy -o $@
+ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+ am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+ am__v_CCLD_0 = @echo "  CCLD    " $@;
+Index: gnutls-3.8.1/lib/nettle/Makefile.am
+===================================================================
+--- gnutls-3.8.1.orig/lib/nettle/Makefile.am
++++ gnutls-3.8.1/lib/nettle/Makefile.am
+@@ -20,7 +20,7 @@
+ 
+ include $(top_srcdir)/lib/common.mk
+ 
+-AM_CFLAGS += $(HOGWEED_CFLAGS) $(GMP_CFLAGS)
++AM_CFLAGS += $(HOGWEED_CFLAGS) $(GMP_CFLAGS) -ljitterentropy
+ 
+ AM_CPPFLAGS = \
+ 	-I$(srcdir)/int		\
+Index: gnutls-3.8.1/lib/nettle/rnd-fips.c
+===================================================================
+--- gnutls-3.8.1.orig/lib/nettle/rnd-fips.c
++++ gnutls-3.8.1/lib/nettle/rnd-fips.c
+@@ -129,6 +129,10 @@ static int drbg_init(struct fips_ctx *fc
+ 	uint8_t buffer[DRBG_AES_SEED_SIZE];
+ 	int ret;
+ 
++	ret = _rnd_get_system_entropy(buffer, sizeof(buffer));
++	if (ret < 0)
++		return gnutls_assert_val(ret);
++
+ 	ret = get_entropy(fctx, buffer, sizeof(buffer));
+ 	if (ret < 0) {
+ 		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+@@ -153,6 +157,10 @@ static int drbg_reseed(struct fips_ctx *
+ 	uint8_t buffer[DRBG_AES_SEED_SIZE];
+ 	int ret;
+ 
++	ret = _rnd_get_system_entropy(buffer, sizeof(buffer));
++	if (ret < 0)
++		return gnutls_assert_val(ret);
++
+ 	ret = get_entropy(fctx, buffer, sizeof(buffer));
+ 	if (ret < 0) {
+ 		_gnutls_switch_fips_state(GNUTLS_FIPS140_OP_ERROR);
+Index: gnutls-3.8.1/tests/Makefile.am
+===================================================================
+--- gnutls-3.8.1.orig/tests/Makefile.am
++++ gnutls-3.8.1/tests/Makefile.am
+@@ -208,7 +208,7 @@ ctests += mini-record-2 simple gnutls_hm
+ 	 dtls12-cert-key-exchange dtls10-cert-key-exchange x509-cert-callback-legacy \
+ 	 keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 dtls-session-ticket-lost \
+ 	 tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \
+-	 set_x509_key_file_ocsp client-fastopen rng-sigint srp rng-pthread \
++	 set_x509_key_file_ocsp client-fastopen srp rng-pthread \
+ 	 safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
+ 	 safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
+ 	 rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \

gnutls-disable-flaky-test-dtls-resume.patch

@@ -0,0 +1,13 @@
+Index: gnutls-3.7.8/tests/Makefile.am
+===================================================================
+--- gnutls-3.7.8.orig/tests/Makefile.am
++++ gnutls-3.7.8/tests/Makefile.am
+@@ -508,7 +508,7 @@ if !WINDOWS
+ # List of tests not available/functional under windows
+ #
+ 
+-dist_check_SCRIPTS += dtls/dtls.sh dtls/dtls-resume.sh #dtls/dtls-nb
++dist_check_SCRIPTS += dtls/dtls.sh #dtls/dtls-resume.sh #dtls/dtls-nb
+ 
+ indirect_tests += dtls-stress
+ 

gnutls-srp-test-SIGPIPE.patch

@@ -0,0 +1,22 @@
+Index: gnutls-3.8.1/tests/srp.c
+===================================================================
+--- gnutls-3.8.1.orig/tests/srp.c
++++ gnutls-3.8.1/tests/srp.c
+@@ -287,7 +289,7 @@ static void start(const char *name, cons
+ 	if (child) {
+ 		int status;
+ 		/* parent */
+-		close(fd[0]);
++		/* close(fd[0]); */
+ 		client(fd[1], prio, user, pass, exp_err);
+ 		if (exp_err < 0) {
+ 			kill(child, SIGTERM);
+@@ -297,7 +299,7 @@ static void start(const char *name, cons
+ 			check_wait_status(status);
+ 		}
+ 	} else {
+-		close(fd[1]);
++		/* close(fd[1]); */
+ 		server(fd[0], prio);
+ 		exit(0);
+ 	}

gnutls.keyring

@@ -0,0 +1,226 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEYcRaoxYJKwYBBAHaRw8BAQdA5U8Cb4ZMYCjuAa6tqNKbRxXzycS2iLvNzWki
+bGD2fe60JVpvbHRhbiBGcmlkcmljaCA8emZyaWRyaWNAcmVkaGF0LmNvbT6ImgQT
+FgoAQgIbAwULCQgHAgMiAgEGFQoJCAsCBBYCAwECHgcCF4AWIQRdRssPdjQFpwU1
+VvR6daZIs/kiDAUCZZQM4wUJCXNMwAAKCRB6daZIs/kiDBq0AQD4kutiBvEtpeI5
+oHE5am/JgQUbUNQ8hGiHeJ+epRc5NQEA0xzJPYCIlvZ4jgf7K7RiKkqjzozOLwun
+GummhMd1vQ24OARhxFqjEgorBgEEAZdVAQUBAQdAxKg6y4A69qT7doTni8/zKuKy
+QKXEORZTCNxkcnz3dXoDAQgHiH4EGBYKACYCGwwWIQRdRssPdjQFpwU1VvR6daZI
+s/kiDAUCZZQL3wUJCXNLvAAKCRB6daZIs/kiDCtdAQC6p+B26g72CLXjq6xmaLqs
+1fi1auyPW/SnNRbbaW9UlwD/Up5lkp+r2n5d74vj4Y43nORpipb4kR3mP5g4SZak
+IQKZAg0ESmfuLgEQAKHTAV7YHndSUjFY5DfCsrdMjIembP3PIwKR0g/vHVvvhn9L
+FkDs3y46TkFCHcYsGdhOEmXcxJY4CClui7IjkSH1/7JnbsCgGRBx3wl4dyRsu9cL
+EbwY86fVypIFSy6z7q24bzosjeu50lIqwVna4fRqZF8lIEGfJuuizLl1OfnkYgnc
+FupZ1pM/u40VZEzOLoMDj2bzzSEnaq6eS4A5f+ryS8ql9G4kJ2Z72RdlzWXzwWoZ
+QSV0JVikb5KN0IU/0KZklFiEXpS5EdJlfIlPDVYyainuBiPYXdBOyh2d/V714OO7
+/JanOY8HhYAK2us7vDM+W5+x6UU0isfDHq3KS/N+VphODZuuf2imZlMAzt5heEGT
+wAS85cKDWrhReJIa0WmjAFRW2g4ZAeVILbXw6dDJowSwLsJqBvURCpk1tee9wxXM
+whxdwocVIBCuTn4h81NA6iTwUhZdabxNhUOpUilYQoOAePQ/Bw9a2mSGOWAg/TVr
+m6+u+/TDVOrY1yMumnJjKegS8RsZaiOS7iXIJRZ1YAv2fmHcgKXIEKp0fw4y10vd
+aJsYiWRs5xZd+xH4VREK/l6zAxECVkq7Mt/pjIPOllVbI6h75Bz5LgOXwn5Z5js+
+q40nAZ20uSVKLTjfpVgq6niSChPeIAdhU4G3QrTecO2CeybZTGIRH57X3RhXABEB
+AAG0HkRhaWtpIFVlbm8gPHVlbm9AdW5peHVzZXIub3JnPokCVAQTAQIAPgIbAwIe
+AQIXgAULCQgHAwUVCgkICwUWAgMBABYhBEYiJcO0bzSHn8hJbNYFhI7X5phxBQJb
+qxq7BQkaqS4NAAoJENYFhI7X5phx7qYP/R0/oCwNjM0treJEL7U1CAaPD8VMOrzl
+Fvc4Kx5pJq5VLoMTpl1ikgyk/LAbNleWdgxCEtAGf4NbI9nxyV6Jh2EwGSwLf/HV
+Kh5x6kWwRMqpSY5NcgJsQeAIojJT0ui3HANwNxvqcIHCsPlCjSbKidgEkl/PGiSJ
+j/UiP/OJ5Z0DqKg7hrd29XgVuBMIKcFQXysiHfy+N+9UQbHtb6qjkriRZAZ4Jb6Q
+LrwIzMqKOINj2NNKtxH1AaosxLQ+pcsmRA3OQPPKk5ptQE70+R+OiGbFbfkL4Uui
+gjhMAf9qmppiMnxq9gkt/lLteCpTFZZ2FeL9mSKu9eN0jewweVVcZdgm0vVmub4m
+rrkciJGl8Le3dZG3sZ1KYink6gSbYY8bJCfYo36+JqQx9KmyAQKLV8YwgQGlHyy/
+6vHZdsPRsugmR0dbZEXxr0VE/CI26Ed68u2ZxtscVdurWeNhsFnJpY8Dljah8QYn
+kObRp7DyEMUqD9cDC7Jlmgdq8fe9IIPxVNfDgHub6gh15dA7XdRWB2Fd1rtSQ0xM
+/so3rfMDrssJ25RTkbA6gLNy54NO1Pz2xpsuL3MLlVF0xFdCIf7LD95vikfcXY6R
+iaJwniDS6bm1UOkaRzgG/o5FERS7Ea9cowsxoxypybDHefH0Qn74J6B4BtgEB3cg
+fiJHjFjSzTcetBlEYWlraSBVZW5vIDx1ZW5vQGdudS5vcmc+iQJVBBMBCAA/AhsD
+BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBEYiJcO0bzSHn8hJbNYFhI7X5phx
+BQJknpE0BQkf2j2GAAoJENYFhI7X5phxAzUP/2WLxI23iiF12lVVlxj84g3F/XyE
+u7oi5nVHY9wtmw0PoM3/sHHDO4H2LXH9Beb4Nitpvzy3WkMMOiAGdoDad0CC8gD8
+TChjAd4vh5arT9PGgTHNUdp33m80j5xl0TuDEvfbXaoL2ZTyW4TApmpiPX+a024L
+mx+Xf+WBj8PlEjXSjh21mXQs+L3gZGwZFXc2VoQNg/rBGt9rmv2JcaO4q+BbVhY6
+o1PYL0C7RBWfz/sdIhWazYMa8L243a4LQU6CkILwum0yJ37ERJ2jkGc8NaHsqXCi
+zbmFFp3If6u7F7iFrIN0W76hUL69nwszGlz4OyLHJsDLDnp1fJbOBk2gZZCMoFIS
+OXqxTZPUdxbjWaVNRz1/ze5LcGF5yB52lgqOxykZCIIGs9mn11Q1kWPoB2BovoXd
+fqTgMwx68qvQXWUzHj8fVemA3kCwqK9udjFok62GVKBy7uxBes+Le74aMg17Pp3R
+siMuL4jpTppEuBpc5/gMQDJSv53niGWLyrUCa+9lDGqxpHiV+SRrEXekQlFCi+cG
+FS36mT/Vnvsnss4ioKjEPWv4OuASkC78GvGMSXZrFMHrILgRrLhErbO/g8d2/+X9
+3p02A5R9vbhdOSOAgjvvGLPzR7LidOoBOZYaTq28HB7cNmBkpAp4cM59pQwTVZYm
+ryZF066njjn5TEoVuQINBEtrT7wBEACjRnNKXpiD/tbVSiF3bicZpf4C1JFIDvvJ
+HQZEuK35SqeAe/tUpMAwbBfgW5sExUoB3Cy1lEK2Bi1kO7GU+tkdCHhi6jrcLYiM
+g7QXavYZ/ebYHVfhVY2vGhOJVz4qm0/WvQYT3OpJSqrD1jT+AbRpDxFk9h2CBPw1
+roBrh8TqYKyIOBPSswLwP05IKk9h7SwQnl/stXRchLMVaMrKL33V2bpZSI4NtYhJ
+QGzX7PHVsv4JYBCXCeFRhAJwLLySfGM3DXdAChsOjtGob/sW84Kv5YM65sHxmhit
+4NC5o5IxVQntvYaOsTafF9KOC8egostPsARxUNNihGYvJ5WL8NS2wQVMWsiRMK+/
+QsK6PEMXny4q9+lMPGBZpuGicUX68RIIJynAaHatdorA0hFSDQIVxbhDTQdrBnmt
+fSx33Yd9LlaW+oFz3oNtsUP57JQMvn7/RYMSheRqtlhSOOHQV/DdORo2B1uhd2Dl
+uZOzsVz88o/2eZ9dhO8ArNhQRpWgcx7dq+kI7FyUH0Idrw29qD3IT/PnEOTF84ro
+l0HEagP1ozVB32krJIDRQleTmdTogtT69FYLHnK9fYrk1m3Pcc3TWb/1PCcccN0D
+2RJCl2kry5wJdx6g2bi7wg4twpRJshi5jREPJAAGNy5MKA+oon6D6gbwwNP3xuz/
+/9BU0AUDYQARAQABiQJ+BBgBCAByBYJkorMiCRDWBYSO1+aYcUcUAAAAAAAeACBz
+YWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmeZgZGsUjuRusvhjME6v0SyZCTB
+ZHc9vQ5i7qV5OPZtLgIbDBYhBEYiJcO0bzSHn8hJbNYFhI7X5phxAADssg/9G6Sj
+nPi7yLDgXwmdQnZS20afRXa+T/YrsupbcKtXz+9As/QeZjnwuWI+LMDEjQSGnbQ4
+w4Uyz5hnpRnWYDq62hsFml1eJr5xwImscJMUYkVdBVTxvrYn9Dxr+C+FkeJfBIkO
+qZpFfe03VNwNU7zm6lg2BzKzBY3MY0nm/J/fWhmIXGOvUXHmRC6NnRkiTQcLsPU5
+TrJoDXP3qI2shr77IE3TFZ60xD1mdoaZol+CQEXjoAzd+PuWBltdkMVSqtLFkyEy
+L0kup+u/JdBrZxDNKRYwvoIi+cpzefq6Cp52L4WOhKxYQxrGPaFXzuOjf5uA6YHj
+nikhvtm2W1C4FxEJ9OaDgP5EtdUmwnAOdPc+uNwpmChpFZmno26pqZfl7st6hjWK
+qc9bEGncemxqregsCZPz8S/xHtFIKG7tGu7bmXVqnlkbz40t+1dQSN7jM6/pEIKr
+2xWiZOnQ9/1cwuS84ZIQiwvOT4tGlLxnhdPjrCdgjtse2rf0Z1e29D36VKvxEQvh
+lyAkqu4/8polwDVjHA3e3wlM8oCIoV4QvWWiqwaYmcFIk67TeTFx/rADZdDk/1w6
+Ym+aOkPah1KLj7ERikSi3L3WJsrqZl7ij7fW8UrU5hz1Ncwc5cshFtdICAHA2ZpT
+vELN+aCng2VkpPsR3NGa4ihB2Rbyq2SsGJdkf1OZAg0EV+o2lwEQAKWMXF8xc4hs
+2nI+Tl6s/QTiw1X8gGJCztuEpLgVUqfL8bmQx91t1F7bpfVBN/wmrxXcWDZCTnlZ
+NFJ81F/5AyMr1d8CBCuFaBHNx5KIl0Mo96wlFlYt2ANIjs2duM70fNgQPx0NgV9U
+ZrvuXtW7hH7G+bQE83NvEjBg/OC16JaImRK9IV3FMsv4V7H5QrUwe9dAkN/EnaKk
+I6B4jTd2DBq4JPfK+0FmEj/09Fv8N9EPgUm/TQePzOedMRhON9qX7vTczHsslmqD
+d5DSXbCgYamiuI0e3Xw48i07R6Bz5h0/gm6PKzS7effIKopZJitF4/ry5m2/ryf9
+piv0koeaC+ygYTALnWmqlS2PeFUbxfqvllz0nUk2wGsHVIeBKAkMeWyvluqFPLey
+zouexNl99s86fMhvMKCUbYNN1CvwMJtXCmabaviN1sbMrWa8UdW4h5RNxs4ot/9M
+uZOtTTJNtRbESXiyB8VTQuBZAh+eUTkuSa2AC4O6M1UEnc+a5pzRVy99MF335Kat
+S42S50THIshZvCehjZNL/BHXnyd1Acqf9VBJZXJYLuvw3wlH2qYl2GGS7fR6V4ii
+94dp/EE/kOZyzx5DJSNd6evYLwgJsFQvkGGqsCy8myXfDjK5Y+gx5kxBinikAigk
+OcnwYBlAlXBs2mxmG0qiCO2ooMl8/g0rABEBAAG0J0FsZXhhbmRlciBTb3NlZGtp
+biA8bW9ua0B1bmJvaWxlZC5pbmZvPokCTgQTAQgAIQIbAwIeAQIXgAUCV+o3dAUL
+CQgHAwUVCgkICwUWAgMBAAAhCRCw6d0gsp8UMhYhBOmHq39+iWZ3dtBbO7Dp3SCy
+nxQyflAP/1o4u6QvvBqAA4SK8eDgCaDjfKltjDn52jx4JfxBWlfS/zdnz8qPDTXX
+iEh2JKpitlG+bmRnSngOqPH+sfFQvUz7czidUfF+Tlt0jO3Q/Zt5/OiGh3vgmOre
+B4I5cObNGQmT/Ma5si6NfTQU0+okvd3j6fRNswsNP26TF+m7gSd27/S1/WkGLe+D
+Ukq+fYXjCNn4qCg9KthAULJkZWiCP2rok/m2xCHmAq0ALVyDTE/IKRbDEqc04qsI
+/XqGPavLdHmG8On1g8sek7QvJKkRgN29BUzdS6KBYfZGSLJ9KLGST7BPegyFLXvD
+SMxUx4KrJRxgytMcmzI5SYTA6u6RdA1t5AY6Jw17YgP4Ba/yPPTbrTxJb7qM4NOA
+1c/xc+j3+A6bWjLUbHMESlldcZae3s9cFjmOfDW9jn0WcmV2e4W1u2kTF0um1kfV
+8kriiHKKT0RJ8iVLfpJpnJ0/7hgsyUE4O8BH1J+Pho0zVfTE1TBp1FwRZJQ3ls9X
+3f5Zpn/KZy7gjseQSPx6r7pra7U5gSv/0Y1qDRrNvtULt1+0SobAmzp84iqn3GRd
+/NybJz5jB526fm16WIE3MLoEB2yj+T+4AQ5Va1NHLqRR5oXa/anIzzFrmoUe8dRY
+le/PhIvHEjzRrMzLFrmXX6eQZH1Gle59KbCFJus0bfSE0PL0xmKsuQINBGEgbmMB
+EAC6sAEM9vo0ocfnyAlhmG+clkdNIH0J8NLzZIbnHOAfTnnLzUeWOT14JR7Q//kT
+CdorjbX0dWD/+TRIwFHdXtLQngqaqSc77+1nRkx/4R5tbzJrd/FYA/4zk+sPpDHD
+idcntJQ5chduyiuESn3L0H0OT0muck0g92BAkGATaswNWLLnu/TC1486krkG0aQx
+DDFIYggzJR6v/saCrTGtMVMOhoMcWKGGQpFCYznB+3scYucTc4o9CGY/hpYeukZZ
+72xmaYWZqIQnCm7pfLyJWNkw70EO1r1EBStuhYWEUqgTfgfu6KQHRpRiMPWf0Oss
+44DQR5fIkY/VTCBeIWOdX2TC6qVfgMKASfIyYzPMorDtAcrXhRb4aEZqh9p7AjLs
+8izfFR8/GSdoxIda3b+cfFPZ5dk05oOS3wkMQOy5ZeGv/jp8WZds7MC9+xNMhdZ9
+4hRU6dN7S6yq+btrgPLWXk96yl4VZkwRz9fxk7PqZZ8riz9VAfKE2llkC5pEXx09
+B0oUxu9DXzGZI9acOG3YAtXlezhCaS6AcvQZbQ7CXKHd/sGXrf9T+sqYX9k4FnLm
+7eoWHH0rEMC3QVPGbIs4rGZbjBBybVrgSL8ShFpmhw9F1PyD6ug2t41NBIbZr9e2
+eFaVO2LaPpZPoKFGZoILrtB/vW32BmQV20Ibr7cK2dPcbQARAQABiQI2BBgBCAAg
+FiEE6Yerf36JZnd20Fs7sOndILKfFDIFAmEgbmMCGyAACgkQsOndILKfFDKCmw/7
+BUinZ7uO+ax1hV25Emdg9qJsbtW32FLMypecexEK/CrOM+fadQe+xzPOoSlHw5tS
+1ZB4rdKUT0jIingmmgaBWFd0FQPSsxHlERvhTfgDBlzAl7CkFisOPYY/ErL+lCjM
+4t8VgsHsQZQZ7Nx7wMuIbT99n1lt79lt3YXgkZfIerDmb5mWuGP10b1/GDFv0s2R
+T2dyNfdTNFtfzpehA4ea7Qgcz1ayqeyjWqDpoIXP+KCC368vv7kukBrdSpn7RLS2
+xYeP8zB8ovfe+TzYc7ZSt9UdjbW7U7qzU49Kq5C4n/qvj7R5kcAm+UDSLVrvnbAf
+nLVWWfgo0sOmtD5/EoMhlgKtN6DrVTSgf6xW6oWsf+8Pz1NROhqLwkcDvpET6zuT
+YEWOK9vFik3XEtdaSlONvaBPN8aYfjoPze28MgEEcf3dw/+QIczw8+kXWXjmAHth
+L8RpC1fiMmdOXlB1d7gkUPQkJmc4NeRM53fgE097IbXbEFhMtDSu8yzKltG70ahO
+WoNKwdArrQhbiFKc4hoCx/caRy8jK0kFb5ZaNkljbtyQWFXm75lEDpaa2RFvE0T7
+pFrMnrOEts0tlJwEf5s/SxWpFniXW7mCov3eYFnrE8Lgq173z7NmjmMTms29bro8
+UW8eHMflRchZsrEUAQOtlA3k159Wt/2MTK9LnIz1I7a5Ag0EV+o3eQEQAL7E7DWm
+gc1YdUV35LU1JCYqu8LScbyPtnilMYjgYORLc2DqXLIBWuIdP7hQ8lkQosQmn+oj
+EfIEBpwbU+q5fsyxK31nReXxQQgDGwobjdGsZykjf6Dj1Jd9y2LDsBpZnvpFVhqp
+YAv3bmyaGpIh+9y5xyLRsCTloVL1R+JyHuOromVllR25+zFwvoFhjfq27VK9QjTF
+DYzqhdr3e0sx1LKb0DaiDHc8PT2LBjmND7KMGUKOjDwiFY6Uxd1eTB6Y+FkkwfMa
+bk1JRgF+rGA9pvy0sjJcWkbTvW8erBJhhWNN4V7rtSHMMRdzFvqzhgWeO7r3TarK
+js7pQCM8t+rnT7YFm1n0rHLfW7ECV6WBvWyk1N7a0C4Q5ekJ+fls4U+Iy20bOmhs
+3vRxNA0XaGdp/NH1ldi5KExYbTpQpNQ0XK6j1KwE+TdM24v7su6qWGgmWUJKWFfC
+ms+/zwAVGypTXa7rDi9X/+Ubb8nLLkQbf4W4/OrXBWffkbG+4J2EDRxF1UeHrHu5
+NpnFP8J7sWYKV45Vh3pK5le2zYbDPF84Ge6BY2wiYvvWnPEqg7pLPZfaRSMJkqxT
+QLSwnHf8vBvVXHAmp0WpYwOYBE+onFcZX3/t8d2uiEKuhElNfxdC1O4UolaBBEpz
+FC9hN1IXWIpTgRLo+G4ket8FlTugwe+l1HN9ABEBAAGJBFUEGAEIAAkFAlfqN3kC
+GwICQAkQsOndILKfFDLBXSAEGQEIAAYFAlfqN3kACgkQQSdIpAr8wvsH/hAAlSnz
+UTzOU+x7/P4fPxl9M7dLWcOIKaaGrjNExz9bVCGXGnHZR3f4gRl/bowRFjGi++vh
+nlCz2Hj18lFRXG3HjlSOwdzJYSa6ZMqdA2AW4167kJtQNEXpfV//C5mXhfe3U68O
+33+acvqU5cG4/+QNvun81j8SQlOyYJlsQwW6W1EH2wxfuvpid3SNn5yDZ7GFhfZh
+oxBwzITWRiWifcy8r3xufAVrFZKwAMvWrG5LRJD6pgyW/1oMsWUIH0U+QD0vgBoa
+RCAW/gqLRf2836n7PeZaLuqiHMQgYOUs41KJ9jy6rYiHLuZsZPJ4luFbFuUylJxj
+KUfnjVuAoBhm9XouywKckE3oXUf2Sa504MQlo+pNvtf4LK8RALpkTe8joq5olEnV
+NNIq+UBxK0ZEG6SaCnf4wtYcL4uUVgLj/QYm9fob3gakVlfEVZx2SnCqrB2NAtMO
+RUo1iOm//EwAnaFP4XaqPEQLZaEnKF454n05xFvt21UGgM81z2q9DrAbAolrpf3Y
+8LtC42TQTMlGmyVmxUzgqyVcDc8Pjj0VP+9twp8za31bPXs88/o3E+tYIN46pxYV
+9fWxdns+eNupVm8ZeZ+sblhkQGb2yyOPM7SEsP4MKzITPHheBxSzniYo0D6jrX4A
+lDza7Gjw4YsOxus2NlhzBsWxmTpYat1QSW8cEQgWIQTph6t/folmd3bQWzuw6d0g
+sp8UMpnkEACd4nfSJZIVX/jGtbR9kwOhnchAEkW9nwCxwgujJxvkPSqgMLbwtGhv
+KMunhOOU10JWWT2pZ6JvYTzRRPJwl8snXwNlv9HKa/XUlbo7SGuliAya0J3UKxtG
+Jd9+yOj81BznQjlZF18yqjERP1cyewmuGIUEqU1ODVE5SVajZSSOpe9EnT0TENZ3
+SJcodwtg8rd1V4pqUecx5cpG01szohDuqXJ1NbvoRIYXbxwyx9b7JK3YuoDhRylG
+rmCyP5n5Sb0J+5yfcOL33CPVK7SLladTlopCcaeieIIMSqMdUSHpLKqvOrRt3Cz7
+9A777L9MHND1yf2Mm/IQlih/1d6JblNSJ2znD7hfpo1ReYmzYtG35a3m6FZt4QT1
+5gGLQ0QC9a4s4LpqY9zPxaW9jpQPsyodoiCk/j2ZkwHLIa580V3Kh6dxjI+LwXlZ
+/9T+Q/C3L5Has5yBijtCdekyrsD6XVfEn5gg+yFkDc6TKYCGhsro0yA9J+BOGRD2
+HDxVbH3njCiP5wDvxIgOQLN06LQLDX+Qq++MRnJe4e0i1CQA+ow7ROSGUEPX7k3p
+qoxJcQ2i2SCKz1PooV/ii/iN1PfU/IK3GAJEO2ktpQM9APKP//tvc00CAbarnlc9
+G22yWAxW3R5JN7SfeX+lqC+Mok1cS7WGCQOOOC+B0EelTaj6Zcb7wbkCDQRX6jaX
+ARAAxAQjAzi2kzXnWnX6yAkijTQk0j5raWb7+2Qprqr+I4ZbjEFiQFodw7Ei8eFt
+sY5LSSvFWe8WXl0Ahvmfi+/9TPFwgEtLWTOqguCjJQN0VkOfjhEDWLuAFHoa3IzV
+ySoZhDgIDQ/LY7cRg+Ryi0AaInesYx0cxdYkt93X1tPtcV4q7KiTIWZWBsWlBZF3
+qHgneIfq6lBObjd/QfKhaFGleXi4UhJfcwnVj01h6dCKWUSNPRr6/sbdQztsnDYn
+ghka+pdUAmVqpj+Cpb0ppUuzO78tW0lImybRUGOomhivQbw2/TcYcgwQmdUi7+Ie
+Td/8H9Msff2P9u54vFbhUt1XlNk4KWyOi2Xu9CvidXqNcg6wpdAPthIjeZ3tRT3H
+nFt9N5cPlhaQwV7SuGx9eaiMk2Oj2dBPvV4M18guwfA98iyNJ4tBmmiFLagfaDuN
+aMgyt5cQA0tORt5d8AUoF3OrYQ/wdiToa6IJ7RO2WaSlFaYOHFJzMUDLNSUzKbVI
+OR7No7QIOvKYJR4njnHBgIK5AeQNu5ucBxbFDOqnmu0E75pHOrVn8l5OOuHN/EiO
+SGzRTdSh/iVftUgZC3vj+XnIlen1RBU63DRkFn97knlQGtmJgi6yIJhWHYk9LvDG
+rUAdtPgrIr4844O3E5ZNTDW0YTmWtkfqnmfgEVBUdMWjj1sAEQEAAYkCNgQYAQgA
+CQUCV+o2lwIbDAAhCRCw6d0gsp8UMhYhBOmHq39+iWZ3dtBbO7Dp3SCynxQy0eUP
+/RLpSjdHZzZxJ0gorRbNkUZ+hJL4eCZC+V+JGBvTgLd58lN8ah/vqQafn3vUXwB4
+3tW/if/Oz9ZRrLhfPtfROEQjxroo4xNRY9PPrEO1yQ5O6i81CcZGRKpZ391Q2fPl
+2+lWT4VKXpn+XbF33FXAox9Rdfc/H5bXF+EiT00EnuxKWv6yyC48lNgKGBmSdhRE
+iXTzzRzGxBxN3GWQV+2rIrHMy3Bp2DgKb2kHLhA2sLg8oCoszhWcW1+le34ioqNB
+Yt/HLvM+nVzxgrD6RMQg0aiFQJvIw68Z48g5oD44xIjJT6YWXLbZA0XaXLn+m1CR
+6xqxSeXsXSCnvbF5KQs6MsxKFs07T2GDEMuHJO35IfEfg1JWWgzqJfGe8bKBeQ2U
+wFaZrYlmOYpq4VIdWwgDHlzuXynb/7MLe6NyxJPun57Ex7NsS//sfrR5nPunk43e
+0W0lqmT50WJxRhBHhxXmkQ0fH6tzra8GJxo99+MJzaSfENvdRz39BQXM56nv0/1w
+lRdfqJJcqYqVav/gKvKaB5eH3dXHKGZK5YSiQbtvqKBOwsOhHxtvsE18lu5LwiYd
+nTaI0DmUcl2o4iC0+cpSFSesGSGd2XIIid0E4yre89Cf4kfuCQhvUkBrgYwU3mFM
+/MhgH9hH7MKAmRVfm+pwNOk3owA/vBcSuRRLeeVGDGeqmQINBFOsE5ABEADD/k0t
+8to+R0kPhr2k7d0P/p1SYgxkwSaYgdv4/MgO/yEbQDMsqs1mw88mWnFKKdbH4QUS
+qCj21SiiJVrcoY7dNNapkKNiaMNCylAxkLtDw9/up0AVdkJ/7iHvrKlwIb3SBQV1
+oJYBrXF9rzFBtkW9NhLc+DzloeHfPtABCIi0XoIOGSDn+RQvppe/13phBj+2fd5I
+LNWiHfKIrr6228TynSPqy7H4z5DYcnYIJ7f7FO+MgaZjj28GFCyCFz7DMJsR/JX8
+CDsaOHvBsBRtBIKSQ7ce9KtAnemsmyGVkaHpGvxo3gaWj8pROIiQRbDYfXXvMbpT
+Yh/OTxbbx3SgBNjk3fH6ZjYZXuz+1kjJ9aajRKWvhZbMCjKEGjm3n+PrYdd2o9W6
+j5+aOhSWDs54z7froPmt291NdykF4kHb3W3SwGaIACV3/ZorrwG8wHhnV8dEwqTr
+E6xcTIwr2+C07yFDKrSgTbZsjEb6RbZA9SKsj6+ct8TrAxVPAigj7eMdWcF8yxxQ
+CCZci8UIx9hyHAfr4fKCYl0KlG3SoZ8kTKiB0AvjsK+QowE7gKuHeKOvEn8cb2Di
+BWjDfJoTO19xhzm51jxcDneIkVoeSg5QJqtiQZybyhf7vP9vl1fS9O8I9y1uR2lC
+x7UkWAGTTVTtzs+O47125jsj/BjLMECT/Ub33QARAQABtCBUaW0gUsO8aHNlbiA8
+dGltLnJ1ZWhzZW5AZ214LmRlPokCTgQTAQoAOAIbAwULCQgHAwUVCgkICwUWAgMB
+AAIeAQIXgBYhBByyfbyYYUstWEFkbQgwLbaiZwQoBQJgRRE9AAoJEAgwLbaiZwQo
+1nQP/igf0pGcHlUqHSGmaapDoqRJfHcwUMfC3FjK4fmV94D3KUVU9txWbb02qX5n
+1yQXcpweHEAQEY7YVUbZLND2kMqq/unyi6TqdXK6wtz1t6tO2IsPXceAzI5pC6hX
+QbN/sQIBD+ytdUVpvuOGDLUfbn95PYqNx/2t3GzW2hSglt6MUFDHVvQpglkQnCGI
+1C2ulqPOarKcxggH4pTWQ2PR9JOJMS4iUGEyZeVUA8m21V+KZS3CZjaEuq+/3dLW
+WzC1vtl7WMa3JahCGaJHL7kauVa0qgEkG1FENDxNhjb9m7nXh7+DRSOQM8oT4EbC
+kSt5mLAwPl6JoAiRa3l+oVy6SldpdkMl6ycCnYEWki5K5xTUeJugw95Hm5mkD6Dt
+li7tTtIlqcQ8i2kQB+BmtD2HSKBWrFONE4DQaBv8GcqzoDMFmw72sOStbnbAGEtz
+IU41pmOaV6AnfN/hVqNNH3P8vzrSJifU0WCR9TEZoZoN0Rxbt4vYbLrArgiGE94K
+rUEJ08c7Q4VOAdbQcENgzu+MnQC7jWk471eJ05hWMtqvW2PKh/2bF/LgIYJuBcNX
+CKFBkDNTBNibJ8MnVn0uBZ3X9G6Kx9wU5e89Qvj7V6MM4SoTiOmhlbxH8GxXXSYf
+AWosuWUSOFyXzG5yhurvUmYW+OIFPRZ6Wb5gKSgoLdgB+DhfuQINBFOsE5ABEADr
+LQL3bP7+M6PTCjuVbqqHBDhBAKEEuxKffwDz1AJKfRhvqTYIKQqgZwaIzXdbOkmP
+rTEgWHJKbwssaRmdBVRSYkE2DXLEcnuxqAgNyc5RMoVHWIE4jFNkxmrN6ZcVWel2
+OwCo9A6bzUftKKYJRPAYou4nmv87+CdKT16JV40dMG/phLyPINByy9wThIodpJQX
+/H1O6OCsMM/ZQJQ8zJCXbCCCe/c5gcg6+RJLsNa1CjIjQH0F1XZuncxz3nvKLxXL
+uQG8HCcU5GxW/z2byjEkoJrlakmcwUzuih7IuFrvSaexb8so2N6u5H8vm+SBkCwU
+c28lBsKECOJUeH28CBcMmFuRKFgF/fBpRiXDKI8Fl3IRm5vFIfL6oIBJBSDfunfZ
+5FPXup5fVGT9k0dhBlD48zDQ22kVVmRkpctxGwd3yE4BM9/sQ3nK4HwrB9+9X2Rq
+xbAzwz8LGvRE7/rusBg9HaO8kIOO/7NjutCvJkHGPfJSF7i9XvBcoQpkTIJFPaxu
+pk7TCFOVDAzUYh82MzNq89SVe49017/nuXzKJ3SAtok7xDYVsXXriYgnmouL7f+c
+DXdXmLIxPZN6LKkwKb9/rU0/9xPuvxS25zCSgjig8/SFEdSt6wvs94npSn6RcmVx
+i5VN1Ni4IMRgQn7hXpGKATlM6CQ32V7QBJN24mFECQARAQABiQI2BBgBCgAgAhsM
+FiEEHLJ9vJhhSy1YQWRtCDAttqJnBCgFAmBFEU0ACgkQCDAttqJnBCh3ahAAo9lG
+UYfbbuQd6XRb7bkXWsoPoTI+o2S9wQOvZQLb/sANCkK0HqwAWdNeBKWF3o9NUG5y
+/gQ3wNJv7WBGzCBL/N87K0doq6s9MiwXFIykr/yIlN7la3lCQvOUDn1OmO9zHGq4
+t4arfCiInm5Hc6NhStV3aKtgIJoGWDMu9aIcy9canuAO+oO8l1ayV1kPDKWskVEX
+ZsdvnxY0rhInvUfgw27uY2ziPLO3iTfPJLJ8wx2V3cyxkVWgk+08DHKQz0gwObJA
+iAFtWJXSd8kO7mzcNVPgDAgje/7Lf2wlP4GQYO6Ht5RnhzbzIcgHxcK6pJeIS5oA
+vDySWASwD66dkdYQUAjYHE2OQnwTjxU907uf1Foaa6yiOFBcQku4NQNdoUDfv+HW
+0C5TR2XVcO9UBPTlEGMjMeqhTHs3E3HXKGiFWT7WYtdG9fBhVNoLvZ39eYnWEM8N
+svcRUmOKzvoAJbmbZAlH3necl20MeJnfkTx9Nu3D9afYnaw9IJ9BetTON3gXzTtG
+wAJjMZ346k9MLvnSLFpD8of15R/jl+RbZ732stOJkbcM5cUj2Lgi7DE44y7BeBT5
+XD5LAUwop30sm4Kxwv9oEyVjzoQPkB24l9YGeEOEIqESZLszZ44Jsh703+9n3Dq9
+wNTn8cXhFYi0Of02Vt4nNiXryBL/zneXgb37qiI=
+=8Avy
+-----END PGP PUBLIC KEY BLOCK-----

gnutls.rpmlintrc

@@ -0,0 +1 @@
+addFilter("hidden-file-or-dir /usr/lib64/.libgnutls.so.30.hmac")

gnutls.spec

@@ -0,0 +1,387 @@
+#
+# spec file for package gnutls
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define gnutls_sover 30
+%define gnutlsxx_sover 30
+%define gnutls_dane_sover 0
+# unbound isn't in SLE (bsc#1086428)
+%if 0%{?is_opensuse}
+%bcond_without dane
+%else
+%bcond_with dane
+%endif
+%if 0%{?suse_version} >= 1550
+%bcond_without srp
+%else
+%bcond_with srp
+%endif
+# Enable Linux kernel AF_ALG based acceleration
+%if 0%{?suse_version} >= 1550
+# disable for now, as our OBS builds do not work with it. Marcus 20220511
+#bcond_without kcapi
+%bcond_with kcapi
+%else
+%bcond_with kcapi
+%endif
+%bcond_with tpm
+Name:           gnutls
+Version:        3.8.3
+Release:        0
+Summary:        The GNU Transport Layer Security Library
+License:        GPL-3.0-or-later AND LGPL-2.1-or-later
+Group:          Productivity/Networking/Security
+URL:            https://www.gnutls.org/
+Source0:        https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz
+Source1:        https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8/%{name}-%{version}.tar.xz.sig
+# https://gnutls.org/gnutls-release-keyring.gpg
+Source2:        https://gnutls.org/gnutls-release-keyring.gpg#/gnutls.keyring
+Source3:        baselibs.conf
+# Suppress a false positive on the .hmac file
+Source4:        gnutls.rpmlintrc
+Patch0:         gnutls-3.5.11-skip-trust-store-tests.patch
+Patch1:         gnutls-FIPS-TLS_KDF_selftest.patch
+Patch2:         gnutls-disable-flaky-test-dtls-resume.patch
+# PATCH-FIX-OPENSUSE The srp test fails with SIGPIPE
+Patch3:         gnutls-srp-test-SIGPIPE.patch
+# FIPS 140-3 patches:
+#PATCH-FIX-SUSE bsc#1207346 FIPS: Change FIPS 140-2 references to FIPS 140-3
+Patch100:       gnutls-FIPS-140-3-references.patch
+#PATCH-FIX-SUSE bsc#1211476 FIPS: Skip fixed HMAC verification for nettle, hogweed and gmp
+Patch101:       gnutls-FIPS-HMAC-nettle-hogweed-gmp.patch
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+#PATCH-FIX-SUSE bsc#1202146 FIPS: Port gnutls to use jitterentropy
+Patch102:       gnutls-FIPS-jitterentropy.patch
+%endif
+BuildRequires:  autogen
+BuildRequires:  automake
+BuildRequires:  datefudge
+BuildRequires:  fdupes
+BuildRequires:  gcc-c++
+BuildRequires:  gtk-doc
+# The test suite calls /usr/bin/ss from iproute2. It's our own duty to ensure we have it present
+BuildRequires:  iproute2
+BuildRequires:  libidn2-devel
+BuildRequires:  libnettle-devel >= 3.6
+BuildRequires:  libtasn1-devel >= 4.9
+BuildRequires:  libtool
+BuildRequires:  libunistring-devel
+BuildRequires:  makeinfo
+BuildRequires:  p11-kit-devel >= 0.23.1
+BuildRequires:  pkgconfig
+BuildRequires:  xz
+BuildRequires:  pkgconfig(autoopts)
+BuildRequires:  pkgconfig(zlib)
+%if %{with kcapi}
+BuildRequires:  pkgconfig(libkcapi)
+%endif
+%if 0%{?suse_version} <= 1320
+BuildRequires:  net-tools
+%else
+BuildRequires:  net-tools-deprecated
+%endif
+%if %{with tpm}
+BuildRequires:  trousers-devel
+%endif
+%if %{with dane}
+Requires:       libgnutls-dane%{gnutls_dane_sover} = %{version}
+%if 0%{?suse_version} <= 1320
+BuildRequires:  unbound-devel
+%else
+BuildRequires:  libunbound-devel
+%endif
+%endif
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+BuildRequires:  crypto-policies
+Requires:       crypto-policies
+BuildRequires:  jitterentropy-devel >= 3.4.0
+Requires:       libjitterentropy3 >= 3.4.0
+%endif
+
+%description
+The GnuTLS library provides a secure layer over a reliable transport
+layer. Currently the GnuTLS library implements the proposed standards
+of the IETF's TLS working group.
+
+%package -n libgnutls%{gnutls_sover}
+Summary:        The GNU Transport Layer Security Library
+License:        LGPL-2.1-or-later
+Group:          System/Libraries
+Provides:       libgnutls%{gnutls_sover}-hmac = %{version}-%{release}
+Obsoletes:      libgnutls%{gnutls_sover}-hmac < %{version}-%{release}
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+Requires:       crypto-policies
+%endif
+
+%description -n libgnutls%{gnutls_sover}
+The GnuTLS library provides a secure layer over a reliable transport
+layer. Currently the GnuTLS library implements the proposed standards
+of the IETF's TLS working group.
+
+%if %{with dane}
+%package -n libgnutls-dane%{gnutls_dane_sover}
+Summary:        DANE support for the GNU Transport Layer Security Library
+License:        LGPL-2.1-or-later
+Group:          System/Libraries
+
+%description -n libgnutls-dane%{gnutls_dane_sover}
+The GnuTLS project aims to develop a library that provides a secure
+layer over a reliable transport layer.
+This package contains the "DANE" part of gnutls.
+%endif
+
+%package -n libgnutlsxx%{gnutlsxx_sover}
+Summary:        C++ API for the GNU Transport Layer Security Library
+License:        LGPL-2.1-or-later
+Group:          System/Libraries
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+Requires:       crypto-policies
+%endif
+
+%description -n libgnutlsxx%{gnutlsxx_sover}
+The GnuTLS library provides a secure layer over a reliable transport
+layer. Currently the GnuTLS library implements the proposed standards
+of the IETF's TLS working group.
+
+%package -n libgnutls-devel
+Summary:        Development package for the GnuTLS C API
+License:        LGPL-2.1-or-later
+Group:          Development/Libraries/C and C++
+Requires:       glibc-devel
+Requires:       gnutls = %{version}
+Requires:       libgnutls%{gnutls_sover} = %{version}
+Provides:       gnutls-devel = %{version}-%{release}
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+Requires:       crypto-policies
+%endif
+
+%description -n libgnutls-devel
+Files needed for software development using gnutls.
+
+%if %{with dane}
+%package -n libgnutls-dane-devel
+Summary:        Development package for GnuTLS DANE component
+License:        LGPL-2.1-or-later
+Group:          Development/Libraries/C and C++
+Requires:       libgnutls-dane%{gnutls_dane_sover} = %{version}
+
+%description -n libgnutls-dane-devel
+Files needed for software development using gnutls.
+%endif
+
+%package -n libgnutlsxx-devel
+Summary:        Development package for the GnuTLS C++ API
+License:        LGPL-2.1-or-later
+Group:          Development/Libraries/C and C++
+Requires:       libgnutls-devel = %{version}
+Requires:       libgnutlsxx%{gnutlsxx_sover} = %{version}
+Requires:       libstdc++-devel
+
+%description -n libgnutlsxx-devel
+Files needed for software development using gnutls.
+
+%prep
+%autosetup -p1
+
+echo "SYSTEM=NORMAL" >> tests/system.prio
+
+%build
+export LDFLAGS="-pie -Wl,-z,now -Wl,-z,relro"
+export CFLAGS="%{optflags} -fPIE"
+export CXXFLAGS="%{optflags} -fPIE"
+
+autoreconf -fiv
+
+%configure \
+        gl_cv_func_printf_directive_n=yes \
+        gl_cv_func_printf_infinite_long_double=yes \
+        --disable-static \
+        --disable-rpath \
+        --disable-gcc-warnings \
+        --disable-silent-rules \
+        %{?with_kcapi:--enable-afalg} \
+        --with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
+        --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
+        --with-default-priority-string="@SYSTEM" \
+        --with-sysroot=/%{?_sysroot} \
+%if %{without tpm}
+        --without-tpm \
+%endif
+%if %{with dane}
+        --with-unbound-root-key-file=%{_localstatedir}/lib/unbound/root.key \
+%else
+        --disable-libdane \
+%endif
+%if %{with srp}
+        --enable-srp-authentication \
+%endif
+%ifarch %{ix86} %{arm}
+        --disable-year2038 \
+%endif
+        --enable-shared \
+        --enable-fips140-mode \
+        --with-fips140-module-name="GnuTLS version" \
+        --with-fips140-module-version="%{version}-%{release}" \
+        %{nil}
+
+%make_build
+
+%install
+%make_install
+
+# Compute the FIPS hmac using the brp-50-generate-fips-hmac script
+# export BRP_FIPSHMAC_FILES=%%{buildroot}%%{_libdir}/libgnutls.so.%%{gnutls_sover}
+
+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the %%expand of
+# the macro is too late.
+# remark: This is the same as running
+#   openssl dgst -sha256 -hmac 'orboDeJITITejsirpADONivirpUkvarP'
+# Note: The FIPS hmac is now calculated with an internal tool since
+#   commit a86c8e87189e23920ae622da5e572cb4e1a6e0ed
+%{expand:%%global __os_install_post {%__os_install_post
+ ./lib/fipshmac "%{buildroot}%{_libdir}/libgnutls.so.%{gnutls_sover}" > "%{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac"
+ sed -i "s^%{buildroot}/usr^^" "%{buildroot}%{_libdir}/.libgnutls.so.%{gnutls_sover}.hmac"
+}}
+
+rm -rf %{buildroot}%{_datadir}/locale/en@{,bold}quot
+# Do not package static libs and libtool files
+find %{buildroot} -type f -name "*.la" -delete -print
+
+# install docs
+mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/
+cp doc/gnutls.html doc/*.png %{buildroot}%{_docdir}/libgnutls-devel/
+mkdir -p %{buildroot}%{_docdir}/libgnutls-devel/examples
+cp doc/examples/*.{c,h} %{buildroot}%{_docdir}/libgnutls-devel/examples/
+
+# PNG files are replaced with the compressed files and that breaks
+# deduplication, this is workaround
+find %{buildroot}%{_datadir} -name '*.png' -exec gzip -n -9 {} +
+rm -rf %{buildroot}%{_datadir}/doc/gnutls
+%fdupes -s %{buildroot}%{_datadir}
+
+%find_lang libgnutls --all-name
+
+%check
+%if ! 0%{?qemu_user_space_build}
+%make_build check GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
+    find -name test-suite.log -print -exec cat {} +
+    exit 1
+}
+
+# Run the regression tests also in forced FIPS mode
+GNUTLS_FORCE_FIPS_MODE=1 make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null || {
+    find -name test-suite.log -print -exec cat {} +
+    exit 1
+}
+%endif
+
+%post -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
+%postun -n libgnutls%{gnutls_sover} -p /sbin/ldconfig
+
+%if %{with dane}
+%post -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
+%postun -n libgnutls-dane%{gnutls_dane_sover} -p /sbin/ldconfig
+%endif
+
+%post -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
+%postun -n libgnutlsxx%{gnutlsxx_sover} -p /sbin/ldconfig
+
+%files -f libgnutls.lang
+%license LICENSE
+%doc THANKS README.md NEWS ChangeLog AUTHORS doc/TODO
+%{_bindir}/certtool
+%{_bindir}/gnutls-cli
+%{_bindir}/gnutls-cli-debug
+%{_bindir}/gnutls-serv
+%{_bindir}/ocsptool
+%{_bindir}/psktool
+%{_bindir}/p11tool
+%if %{with srp}
+%{_bindir}/srptool
+%endif
+%if %{with dane}
+%{_bindir}/danetool
+%endif
+%if %{with tpm}
+%{_bindir}/tpmtool
+%endif
+%{_mandir}/man1/*
+
+%files -n libgnutls%{gnutls_sover}
+%license LICENSE
+%{_libdir}/libgnutls.so.%{gnutls_sover}*
+%{_libdir}/.libgnutls.so.%{gnutls_sover}*.hmac
+
+%if %{with dane}
+%files -n libgnutls-dane%{gnutls_dane_sover}
+%license LICENSE
+%{_libdir}/libgnutls-dane.so.%{gnutls_dane_sover}*
+%endif
+
+%files -n libgnutlsxx%{gnutlsxx_sover}
+%license LICENSE
+%{_libdir}/libgnutlsxx.so.%{gnutlsxx_sover}*
+
+%files -n libgnutls-devel
+%license LICENSE
+%dir %{_includedir}/%{name}
+%{_includedir}/%{name}/abstract.h
+%{_includedir}/%{name}/crypto.h
+%{_includedir}/%{name}/compat.h
+%{_includedir}/%{name}/dtls.h
+%{_includedir}/%{name}/gnutls.h
+%{_includedir}/%{name}/openpgp.h
+%{_includedir}/%{name}/ocsp.h
+%{_includedir}/%{name}/pkcs7.h
+%{_includedir}/%{name}/pkcs11.h
+%{_includedir}/%{name}/pkcs12.h
+%{_includedir}/%{name}/self-test.h
+%{_includedir}/%{name}/socket.h
+%{_includedir}/%{name}/x509.h
+%{_includedir}/%{name}/x509-ext.h
+%{_includedir}/%{name}/tpm.h
+%{_includedir}/%{name}/system-keys.h
+%{_includedir}/%{name}/urls.h
+%{_libdir}/libgnutls.so
+%{_libdir}/pkgconfig/gnutls.pc
+%{_mandir}/man3/*
+%{_infodir}/*%{ext_info}
+%doc %{_docdir}/libgnutls-devel
+
+%if %{with dane}
+%files -n libgnutls-dane-devel
+%license LICENSE
+%dir %{_includedir}/%{name}
+%{_includedir}/%{name}/dane.h
+%{_libdir}/pkgconfig/gnutls-dane.pc
+%{_libdir}/libgnutls-dane.so
+%endif
+
+%files -n libgnutlsxx-devel
+%license LICENSE
+%{_libdir}/libgnutlsxx.so
+%dir %{_includedir}/%{name}
+%{_includedir}/%{name}/gnutlsxx.h
+
+%changelog