From a620e0aeaff1faa5e692ba2408704aabb44d995074f870eaaf5a4fd8615c2772 Mon Sep 17 00:00:00 2001 From: Otto Hollmann Date: Tue, 25 Jul 2023 08:04:18 +0000 Subject: [PATCH 1/3] Accepting request 1100559 from home:ohollmann:branches:security:tls - Dont pass zero length input to EVP_Cipher because assembler optimized AES cannot handle zero size. [bsc#1213517] * Add openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch OBS-URL: https://build.opensuse.org/request/show/1100559 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=140 --- openssl-1_1.changes | 7 +++++++ openssl-1_1.spec | 2 ++ ...nt-pass-zero-length-input-to-EVP_Cipher.patch | 16 ++++++++++++++++ 3 files changed, 25 insertions(+) create mode 100644 openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 27341ed..87258a0 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Jul 24 12:40:38 UTC 2023 - Otto Hollmann + +- Dont pass zero length input to EVP_Cipher because assembler + optimized AES cannot handle zero size. [bsc#1213517] + * Add openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch + ------------------------------------------------------------------- Thu Jul 20 07:48:20 UTC 2023 - Pedro Monreal diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 5d58c8f..8efc277 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -135,6 +135,8 @@ Patch80: openssl-1_1-openssl-config.patch # PATCH-FIX-UPSTREAM: bsc#1213487 CVE-2023-3446 DH_check() excessive time with over sized modulus Patch81: openssl-CVE-2023-3446.patch Patch82: openssl-CVE-2023-3446-test.patch +# PATCH-FIX-SUSE bsc#1213517 Dont pass zero length input to EVP_Cipher +Patch83: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) Provides: ssl diff --git a/openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch b/openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch new file mode 100644 index 0000000..71e5a26 --- /dev/null +++ b/openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch @@ -0,0 +1,16 @@ +--- + crypto/evp/e_aes.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -2742,6 +2742,9 @@ static int aes_cbc_cipher(EVP_CIPHER_CTX + { + EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); + ++ if (!len) ++ return 1; ++ + if (dat->stream.cbc) + (*dat->stream.cbc) (in, out, len, &dat->ks, + EVP_CIPHER_CTX_iv_noconst(ctx), From f8ec18178aece972fa49cd0c045669545d9031df026f634a6c614818e4211688 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Wed, 2 Aug 2023 10:03:45 +0000 Subject: [PATCH 2/3] Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141 --- openssl-1.1.1u.tar.gz | 3 - openssl-1.1.1u.tar.gz.asc | 16 ---- openssl-1.1.1v.tar.gz | 3 + openssl-1.1.1v.tar.gz.asc | 16 ++++ openssl-1_1-openssl-config.patch | 144 ++++++++++++++++++++----------- openssl-1_1.changes | 31 +++++++ openssl-1_1.spec | 7 +- openssl-CVE-2023-3446-test.patch | 58 ------------- openssl-CVE-2023-3446.patch | 105 ---------------------- 9 files changed, 147 insertions(+), 236 deletions(-) delete mode 100644 openssl-1.1.1u.tar.gz delete mode 100644 openssl-1.1.1u.tar.gz.asc create mode 100644 openssl-1.1.1v.tar.gz create mode 100644 openssl-1.1.1v.tar.gz.asc delete mode 100644 openssl-CVE-2023-3446-test.patch delete mode 100644 openssl-CVE-2023-3446.patch diff --git a/openssl-1.1.1u.tar.gz b/openssl-1.1.1u.tar.gz deleted file mode 100644 index c32616b..0000000 --- a/openssl-1.1.1u.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e2f8d84b523eecd06c7be7626830370300fbcc15386bf5142d72758f6963ebc6 -size 9892176 diff --git a/openssl-1.1.1u.tar.gz.asc b/openssl-1.1.1u.tar.gz.asc deleted file mode 100644 index 8bca6a1..0000000 --- a/openssl-1.1.1u.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmR171cACgkQUnRmohyn -nm0f7RAAj+ZssEY1hiRWhuLTmmFJIR1vhEpP9addj8oaXvlJSrA6QzHZrUcuzTL0 -jtOkS4gTIla8iNNe1alwQdYXnhW46IrQAy2+bYuHCLXJm55/0PKCs2Cdy3naPU3N -9zxo+jAEx3X7hBJAzyLbGwrzpIUe9mbkyheSGxtEpW53ZvX1jo73uxyVYzq6BwJx -ngCeyBDrRrP6GgwMrpR6zExUyOwltBl/Jvx813AvXXbczJgMe3wCeQOa9Y1QWaVA -eTKz2lT7reZ80VzfXNMdPT+33+vABfwGEPsdXy7JIWGJubiC5vkHq2Im/U6wzU9v -9WsKk9MGQ4OV52gcRiYVyb9+nvGWUgfgV8c268nwWHIdYA85FjBb8xGzK1vHgA3o -E4rRT6e94l+NQChjmm7NwALLcQ+oFtqXsK+CiG9Ek6BMXJ/RitmQUHuhnRDyNL2u -OtbF549NrxwPe3CskJzP+tUizcQbM6HJtaKi+U49f1+EYZObxJ57qom34eFgET8N -GvnY6ikBccGEMjphL7dOzEnKYMRBSTCYAQfjBLFvwth2yLjM5f8AC+z6KhGiKnDY -JI+hHdca4rfrsKXxon+62x8gFmP8waHacR6Sh0OqDiYqNYn+G9q3nuLZMGpRJD2M -WgXyeu43LEXwhbCGzxnQH0mxFWSMB/2trWTTFzr5BrS7TmujVCw= -=EBqr ------END PGP SIGNATURE----- diff --git a/openssl-1.1.1v.tar.gz b/openssl-1.1.1v.tar.gz new file mode 100644 index 0000000..f4d327a --- /dev/null +++ b/openssl-1.1.1v.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0 +size 9893443 diff --git a/openssl-1.1.1v.tar.gz.asc b/openssl-1.1.1v.tar.gz.asc new file mode 100644 index 0000000..b5d3f7a --- /dev/null +++ b/openssl-1.1.1v.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmTJDewACgkQ2JTizos9 +efVPDBAAjgNq842XSAhmH3CBHHFtMuVlg5RV+tAV7PF7tDm/Bu0VPxZecvDhEHyk +y1bIzYki9kPQrnDc5Cz3UYHjnBp2n2GH+JDShedSJMH3qbsAlSB4j5b15UFjE8b4 +yDl4rlcug3SydqEdYJAGnOD3QBghsX7GiS6S9BgnU1D1XDZ1LYF6NumrjeypGm2r +vodcjel0tD+Xu2Du398sGmXLZLfK7eBT8dYtzWHAZubf+dNQmfRRDALo2Q5Xux6p +xIDlEQvTUkt5mF+Rx0CI1boIKeaFoZFOReUW0zkKYfwNkfq1WvGj3sGA+StQsgn1 +Dvfx6ONoS9UT+6KTegsLOIX2xOAHa8k4UgtW19eCovYzJNkBwNnq83lrvIEMoLY7 +brALTqBmlFq4prPgzpDHlTeC78uDcf/Ao95CeBw5yKVsKAN7W7vA2u6Gr2ZgUWsF +zVnrxJ9difkrvkFxm6uO2qu1qA/84Bow77M6/7FSHFZ+oDB3tjGXtq4Tf6iBkhpf +XIRu79S1LxCY7HxKVHHfpKuGSfefV/tgPeOac8CvucIq6r1Be20h0crRnDEGJt8G +Otznvt04iX+FkSVC7PjiAVZqubQQWjXUZxDngQgUOye/suExGwEoaTMmhj95eiVu +ufee+jDrVGOjhLLoEClP/+zpl2Wplq3KzLVsvvJa8v5KTVot9r4= +=mu7b +-----END PGP SIGNATURE----- diff --git a/openssl-1_1-openssl-config.patch b/openssl-1_1-openssl-config.patch index b5caa53..1ba132a 100644 --- a/openssl-1_1-openssl-config.patch +++ b/openssl-1_1-openssl-config.patch @@ -24,8 +24,10 @@ tools/c_rehash.in | 6 ++-- 23 files changed, 71 insertions(+), 68 deletions(-) ---- a/Configurations/descrip.mms.tmpl -+++ b/Configurations/descrip.mms.tmpl +Index: openssl-1.1.1v/Configurations/descrip.mms.tmpl +=================================================================== +--- openssl-1.1.1v.orig/Configurations/descrip.mms.tmpl ++++ openssl-1.1.1v/Configurations/descrip.mms.tmpl @@ -142,8 +142,8 @@ INSTALL_SHLIBS={- join(", ", map { "-\n\ INSTALL_ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{engines}}) -} INSTALL_PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{programs}}) -} @@ -37,8 +39,10 @@ {- output_on() if $disabled{apps}; "" -} APPS_OPENSSL={- use File::Spec::Functions; ---- a/Configurations/unix-Makefile.tmpl -+++ b/Configurations/unix-Makefile.tmpl +Index: openssl-1.1.1v/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-1.1.1v.orig/Configurations/unix-Makefile.tmpl ++++ openssl-1.1.1v/Configurations/unix-Makefile.tmpl @@ -140,8 +140,8 @@ INSTALL_SHLIB_INFO={- join(" ", map { "\ INSTALL_ENGINES={- join(" ", map { dso($_) } @{$unified_info{install}->{engines}}) -} INSTALL_PROGRAMS={- join(" ", map { $_.$exeext } @{$unified_info{install}->{programs}}) -} @@ -82,8 +86,10 @@ generate_crypto_bn: ( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h ) ---- a/Configure -+++ b/Configure +Index: openssl-1.1.1v/Configure +=================================================================== +--- openssl-1.1.1v.orig/Configure ++++ openssl-1.1.1v/Configure @@ -35,7 +35,7 @@ my $usage="Usage: Configure [no- # directories bin, lib, include, share/man, share/doc/openssl # This becomes the value of INSTALLTOP in Makefile @@ -93,8 +99,10 @@ # If it's a relative directory, it will be added on the directory # given with --prefix. # This becomes the value of OPENSSLDIR in Makefile and in C. ---- a/INSTALL -+++ b/INSTALL +Index: openssl-1.1.1v/INSTALL +=================================================================== +--- openssl-1.1.1v.orig/INSTALL ++++ openssl-1.1.1v/INSTALL @@ -296,7 +296,7 @@ be undesirable if small executable size is an objective. @@ -104,11 +112,13 @@ Typically OpenSSL will automatically load a system config file which configures default ssl options. ---- a/NEWS -+++ b/NEWS -@@ -5,6 +5,9 @@ - This file gives a brief overview of the major changes between each OpenSSL - release. For more details please read the CHANGES file. +Index: openssl-1.1.1v/NEWS +=================================================================== +--- openssl-1.1.1v.orig/NEWS ++++ openssl-1.1.1v/NEWS +@@ -10,6 +10,9 @@ + o Fix excessive time spent checking DH q parameter value (CVE-2023-3817) + o Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) + IMPORTANT: For compatibility with OpenSSL 3.0, the OpenSSL master + configuration file openssl.cnf has been renamed to openssl-1_1.cnf. @@ -116,8 +126,10 @@ Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023] o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic ---- a/VMS/openssl_utils.com.in -+++ b/VMS/openssl_utils.com.in +Index: openssl-1.1.1v/VMS/openssl_utils.com.in +=================================================================== +--- openssl-1.1.1v.orig/VMS/openssl_utils.com.in ++++ openssl-1.1.1v/VMS/openssl_utils.com.in @@ -8,7 +8,7 @@ $ OPENSSL :== $OSSL$EXE:OPENSSL'v' $ $ IF F$TYPE(PERL) .EQS. "STRING" @@ -127,8 +139,10 @@ $ ELSE $ WRITE SYS$ERROR "NOTE: no perl => no C_REHASH" $ ENDIF ---- a/apps/CA.pl.in -+++ b/apps/CA.pl.in +Index: openssl-1.1.1v/apps/CA.pl.in +=================================================================== +--- openssl-1.1.1v.orig/apps/CA.pl.in ++++ openssl-1.1.1v/apps/CA.pl.in @@ -113,10 +113,10 @@ sub run @@ -144,8 +158,10 @@ exit 0; } if ($WHAT eq '-newcert' ) { ---- a/apps/build.info -+++ b/apps/build.info +Index: openssl-1.1.1v/apps/build.info +=================================================================== +--- openssl-1.1.1v.orig/apps/build.info ++++ openssl-1.1.1v/apps/build.info @@ -73,7 +73,7 @@ IF[{- !$disabled{apps} -}] GENERATE[progs.h]=progs.pl $(APPS_OPENSSL) DEPEND[progs.h]=../configdata.pm @@ -157,8 +173,10 @@ + SOURCE[CA-1_1.pl]=CA.pl.in + SOURCE[tsget-1_1.pl]=tsget.in ENDIF ---- a/apps/tsget.in -+++ b/apps/tsget.in +Index: openssl-1.1.1v/apps/tsget.in +=================================================================== +--- openssl-1.1.1v.orig/apps/tsget.in ++++ openssl-1.1.1v/apps/tsget.in @@ -47,7 +47,7 @@ sub create_curl { $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; $curl->setopt(CURLOPT_FAILONERROR, 1); @@ -168,8 +186,10 @@ # Options for POST method. $curl->setopt(CURLOPT_UPLOAD, 1); ---- a/doc/HOWTO/certificates.txt -+++ b/doc/HOWTO/certificates.txt +Index: openssl-1.1.1v/doc/HOWTO/certificates.txt +=================================================================== +--- openssl-1.1.1v.orig/doc/HOWTO/certificates.txt ++++ openssl-1.1.1v/doc/HOWTO/certificates.txt @@ -16,7 +16,7 @@ Certificate authorities should read http In all the cases shown below, the standard configuration file, as compiled into openssl, will be used. You may find it in /etc/, @@ -179,8 +199,10 @@ You can specify a different configuration file using the '-config {file}' argument with the commands shown below. ---- a/doc/man1/CA.pl.pod -+++ b/doc/man1/CA.pl.pod +Index: openssl-1.1.1v/doc/man1/CA.pl.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man1/CA.pl.pod ++++ openssl-1.1.1v/doc/man1/CA.pl.pod @@ -2,16 +2,16 @@ =head1 NAME @@ -283,8 +305,10 @@ can be used and the B environment variable changed to point to the correct path of the configuration file. ---- a/doc/man1/ca.pod -+++ b/doc/man1/ca.pod +Index: openssl-1.1.1v/doc/man1/ca.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man1/ca.pod ++++ openssl-1.1.1v/doc/man1/ca.pod @@ -698,7 +698,7 @@ the database has to be kept in memory. The B command really needs rewriting or the required functionality exposed at either a command or interface level so a more friendly utility @@ -303,8 +327,10 @@ L, L =head1 COPYRIGHT ---- a/doc/man1/rehash.pod -+++ b/doc/man1/rehash.pod +Index: openssl-1.1.1v/doc/man1/rehash.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man1/rehash.pod ++++ openssl-1.1.1v/doc/man1/rehash.pod @@ -6,7 +6,7 @@ Original text by James Westby, contribut =head1 NAME @@ -340,8 +366,10 @@ uses the B program to compute the hashes and fingerprints. If not found in the user's B, then set the B environment variable to the full pathname. ---- a/doc/man1/tsget.pod -+++ b/doc/man1/tsget.pod +Index: openssl-1.1.1v/doc/man1/tsget.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man1/tsget.pod ++++ openssl-1.1.1v/doc/man1/tsget.pod @@ -35,7 +35,7 @@ line. The tool sends the following HTTP request for each timestamp request: @@ -360,8 +388,10 @@ OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of HTTPS. (Optional) ---- a/doc/man1/verify.pod -+++ b/doc/man1/verify.pod +Index: openssl-1.1.1v/doc/man1/verify.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man1/verify.pod ++++ openssl-1.1.1v/doc/man1/verify.pod @@ -75,7 +75,7 @@ The file should contain one or more cert A directory of trusted certificates. The certificates should have names of the form: hash.0 or have symbolic links to them of this @@ -371,8 +401,10 @@ create symbolic links to a directory of certificates. =item B<-no-CAfile> ---- a/doc/man1/x509.pod -+++ b/doc/man1/x509.pod +Index: openssl-1.1.1v/doc/man1/x509.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man1/x509.pod ++++ openssl-1.1.1v/doc/man1/x509.pod @@ -932,7 +932,7 @@ The hash algorithm used in the B<-subjec before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a @@ -382,8 +414,10 @@ =head1 COPYRIGHT ---- a/doc/man3/OPENSSL_config.pod -+++ b/doc/man3/OPENSSL_config.pod +Index: openssl-1.1.1v/doc/man3/OPENSSL_config.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man3/OPENSSL_config.pod ++++ openssl-1.1.1v/doc/man3/OPENSSL_config.pod @@ -15,7 +15,7 @@ OPENSSL_config, OPENSSL_no_config - simp =head1 DESCRIPTION @@ -393,8 +427,10 @@ reads from the application section B. If B is NULL then the default section, B, will be used. Errors are silently ignored. ---- a/doc/man3/SSL_CTX_load_verify_locations.pod -+++ b/doc/man3/SSL_CTX_load_verify_locations.pod +Index: openssl-1.1.1v/doc/man3/SSL_CTX_load_verify_locations.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man3/SSL_CTX_load_verify_locations.pod ++++ openssl-1.1.1v/doc/man3/SSL_CTX_load_verify_locations.pod @@ -63,7 +63,7 @@ If more than one CA certificate with the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other @@ -413,8 +449,10 @@ =head1 SEE ALSO ---- a/doc/man5/config.pod -+++ b/doc/man5/config.pod +Index: openssl-1.1.1v/doc/man5/config.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man5/config.pod ++++ openssl-1.1.1v/doc/man5/config.pod @@ -7,7 +7,7 @@ config - OpenSSL CONF library configurat =head1 DESCRIPTION @@ -424,8 +462,10 @@ and in a few other places like B files and certificate extension files for the B utility. OpenSSL applications can also use the CONF library for their own purposes. ---- a/include/internal/cryptlib.h -+++ b/include/internal/cryptlib.h +Index: openssl-1.1.1v/include/internal/cryptlib.h +=================================================================== +--- openssl-1.1.1v.orig/include/internal/cryptlib.h ++++ openssl-1.1.1v/include/internal/cryptlib.h @@ -51,7 +51,7 @@ typedef struct app_mem_info_st APP_INFO; typedef struct mem_st MEM; DEFINE_LHASH_OF(MEM); @@ -435,8 +475,10 @@ # ifndef OPENSSL_SYS_VMS # define X509_CERT_AREA OPENSSLDIR ---- a/test/recipes/80-test_ca.t -+++ b/test/recipes/80-test_ca.t +Index: openssl-1.1.1v/test/recipes/80-test_ca.t +=================================================================== +--- openssl-1.1.1v.orig/test/recipes/80-test_ca.t ++++ openssl-1.1.1v/test/recipes/80-test_ca.t @@ -27,27 +27,27 @@ plan tests => 5; SKIP: { $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"'; @@ -470,8 +512,10 @@ 'creating new pre-certificate'); } ---- a/tools/build.info -+++ b/tools/build.info +Index: openssl-1.1.1v/tools/build.info +=================================================================== +--- openssl-1.1.1v.orig/tools/build.info ++++ openssl-1.1.1v/tools/build.info @@ -1,5 +1,5 @@ {- our $c_rehash_name = - $config{target} =~ /^(VC|vms)-/ ? "c_rehash.pl" : "c_rehash"; @@ -479,8 +523,10 @@ "" -} IF[{- !$disabled{apps} -}] SCRIPTS={- $c_rehash_name -} ---- a/tools/c_rehash.in -+++ b/tools/c_rehash.in +Index: openssl-1.1.1v/tools/c_rehash.in +=================================================================== +--- openssl-1.1.1v.orig/tools/c_rehash.in ++++ openssl-1.1.1v/tools/c_rehash.in @@ -8,7 +8,7 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 87258a0..8772a90 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,34 @@ +------------------------------------------------------------------- +Tue Aug 1 16:12:36 UTC 2023 - Pedro Monreal + +- Update to 1.1.1v: + * Fix excessive time spent checking DH q parameter value + (bsc#1213853, CVE-2023-3817). The function DH_check() performs + various checks on DH parameters. After fixing CVE-2023-3446 it + was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A + correct q value, if present, cannot be larger than the modulus + p parameter, thus it is unnecessary to perform these checks if + q is larger than p. If DH_check() is called with such q parameter + value, DH_CHECK_INVALID_Q_VALUE return flag is set and the + computationally intensive checks are skipped. + * Fix DH_check() excessive time with over sized modulus + (bsc#1213487, CVE-2023-3446). The function DH_check() performs + various checks on DH parameters. One of those checks confirms + that the modulus ("p" parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use + a modulus which is over 10,000 bits in length. However the + DH_check() function checks numerous aspects of the key or + parameters that have been supplied. Some of those checks use the + supplied modulus value even if it has already been found to be + too large. A new limit has been added to DH_check of 32,768 bits. + Supplying a key/parameters with a modulus over this size will + simply cause DH_check() to fail. + * Rebase openssl-1_1-openssl-config.patch + * Remove security patches fixed upstream: + - openssl-CVE-2023-3446.patch + - openssl-CVE-2023-3446-test.patch + ------------------------------------------------------------------- Mon Jul 24 12:40:38 UTC 2023 - Otto Hollmann diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 8efc277..5a44979 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -41,7 +41,7 @@ %define _rname openssl Name: openssl-1_1 # Don't forget to update the version in the "openssl" meta-package! -Version: 1.1.1u +Version: 1.1.1v Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL @@ -132,11 +132,8 @@ Patch78: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes Patch79: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch #PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl Patch80: openssl-1_1-openssl-config.patch -# PATCH-FIX-UPSTREAM: bsc#1213487 CVE-2023-3446 DH_check() excessive time with over sized modulus -Patch81: openssl-CVE-2023-3446.patch -Patch82: openssl-CVE-2023-3446-test.patch # PATCH-FIX-SUSE bsc#1213517 Dont pass zero length input to EVP_Cipher -Patch83: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch +Patch81: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) Provides: ssl diff --git a/openssl-CVE-2023-3446-test.patch b/openssl-CVE-2023-3446-test.patch deleted file mode 100644 index 45a6f53..0000000 --- a/openssl-CVE-2023-3446-test.patch +++ /dev/null @@ -1,58 +0,0 @@ -From e9ddae17e302a7e6a0daf00f25efed7c70f114d4 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 7 Jul 2023 14:39:48 +0100 -Subject: [PATCH] Add a test for CVE-2023-3446 - -Confirm that the only errors DH_check() finds with DH parameters with an -excessively long modulus is that the modulus is too large. We should not -be performing time consuming checks using that modulus. - -Reviewed-by: Paul Dale -Reviewed-by: Tom Cosgrove -Reviewed-by: Bernd Edlinger -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/21452) ---- - test/dhtest.c | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/test/dhtest.c b/test/dhtest.c -index 9d5609b943ab..00b3c471015d 100644 ---- a/test/dhtest.c -+++ b/test/dhtest.c -@@ -63,7 +63,7 @@ static int dh_test(void) - || !TEST_true(DH_set0_pqg(dh, p, q, g))) - goto err1; - -- if (!DH_check(dh, &i)) -+ if (!TEST_true(DH_check(dh, &i))) - goto err2; - if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) - || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME) -@@ -123,6 +123,17 @@ static int dh_test(void) - /* check whether the public key was calculated correctly */ - TEST_uint_eq(BN_get_word(pub_key2), 3331L); - -+ /* Modulus of size: dh check max modulus bits + 1 */ -+ if (!TEST_true(BN_set_word(p, 1)) -+ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) -+ goto err3; -+ -+ /* -+ * We expect no checks at all for an excessively large modulus -+ */ -+ if (!TEST_false(DH_check(dh, &i))) -+ goto err3; -+ - /* - * II) key generation - */ -@@ -137,7 +148,7 @@ static int dh_test(void) - goto err3; - - /* ... and check whether it is valid */ -- if (!DH_check(a, &i)) -+ if (!TEST_true(DH_check(a, &i))) - goto err3; - if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) - || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME) diff --git a/openssl-CVE-2023-3446.patch b/openssl-CVE-2023-3446.patch deleted file mode 100644 index a39ee09..0000000 --- a/openssl-CVE-2023-3446.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Thu, 6 Jul 2023 16:36:35 +0100 -Subject: [PATCH] Fix DH_check() excessive time with over sized modulus - -The DH_check() function checks numerous aspects of the key or parameters -that have been supplied. Some of those checks use the supplied modulus -value even if it is excessively large. - -There is already a maximum DH modulus size (10,000 bits) over which -OpenSSL will not generate or derive keys. DH_check() will however still -perform various tests for validity on such a large modulus. We introduce a -new maximum (32,768) over which DH_check() will just fail. - -An application that calls DH_check() and supplies a key or parameters -obtained from an untrusted source could be vulnerable to a Denial of -Service attack. - -The function DH_check() is itself called by a number of other OpenSSL -functions. An application calling any of those other functions may -similarly be affected. The other functions affected by this are -DH_check_ex() and EVP_PKEY_param_check(). - -CVE-2023-3446 - -Reviewed-by: Paul Dale -Reviewed-by: Tom Cosgrove -Reviewed-by: Bernd Edlinger -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/21452) ---- - crypto/dh/dh_check.c | 6 ++++++ - crypto/dh/dh_err.c | 3 ++- - crypto/err/openssl.txt | 3 ++- - include/openssl/dh.h | 3 +++ - include/openssl/dherr.h | 3 ++- - 5 files changed, 15 insertions(+), 3 deletions(-) - -Index: openssl-1.1.1u/crypto/dh/dh_check.c -=================================================================== ---- openssl-1.1.1u.orig/crypto/dh/dh_check.c -+++ openssl-1.1.1u/crypto/dh/dh_check.c -@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret) - BN_CTX *ctx = NULL; - BIGNUM *t1 = NULL, *t2 = NULL; - -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE); -+ return 0; -+ } -+ - if (!DH_check_params(dh, ret)) - return 0; - -Index: openssl-1.1.1u/crypto/dh/dh_err.c -=================================================================== ---- openssl-1.1.1u.orig/crypto/dh/dh_err.c -+++ openssl-1.1.1u/crypto/dh/dh_err.c -@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_func - {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0), - "dh_builtin_genparams"}, -+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"}, -Index: openssl-1.1.1u/crypto/err/openssl.txt -=================================================================== ---- openssl-1.1.1u.orig/crypto/err/openssl.txt -+++ openssl-1.1.1u/crypto/err/openssl.txt -@@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version - DH_F_COMPUTE_KEY:102:compute_key - DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp - DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams -+DH_F_DH_CHECK:126:DH_check - DH_F_DH_CHECK_EX:121:DH_check_ex - DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex - DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex -Index: openssl-1.1.1u/include/openssl/dh.h -=================================================================== ---- openssl-1.1.1u.orig/include/openssl/dh.h -+++ openssl-1.1.1u/include/openssl/dh.h -@@ -29,6 +29,9 @@ extern "C" { - # ifndef OPENSSL_DH_MAX_MODULUS_BITS - # define OPENSSL_DH_MAX_MODULUS_BITS 10000 - # endif -+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS -+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 -+# endif - - # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 - # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048 -Index: openssl-1.1.1u/include/openssl/dherr.h -=================================================================== ---- openssl-1.1.1u.orig/include/openssl/dherr.h -+++ openssl-1.1.1u/include/openssl/dherr.h -@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void); - # define DH_F_COMPUTE_KEY 102 - # define DH_F_DHPARAMS_PRINT_FP 101 - # define DH_F_DH_BUILTIN_GENPARAMS 106 -+# define DH_F_DH_CHECK 126 - # define DH_F_DH_CHECK_EX 121 - # define DH_F_DH_CHECK_PARAMS_EX 122 - # define DH_F_DH_CHECK_PUB_KEY_EX 123 From 5c433ba865f989e6703e5939cdd475f616e9cbdc9679527102ee8e50c66dc879 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Wed, 2 Aug 2023 10:17:50 +0000 Subject: [PATCH 3/3] Accepting request 1101936 from home:pmonrealgonzalez:branches:security:tls * Update openssl.keyring with the OTC members that sign releases OBS-URL: https://build.opensuse.org/request/show/1101936 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=142 --- openssl-1_1.changes | 1 + openssl.keyring | 208 +++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 199 insertions(+), 10 deletions(-) diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 8772a90..0d6c6ba 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -24,6 +24,7 @@ Tue Aug 1 16:12:36 UTC 2023 - Pedro Monreal too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. + * Update openssl.keyring with the OTC members that sign releases * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch diff --git a/openssl.keyring b/openssl.keyring index c8220a7..d7ab2d7 100644 --- a/openssl.keyring +++ b/openssl.keyring @@ -1,10 +1,102 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 +Comment: Matt Caswell +Comment: Matt Caswell + +mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay +hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3 +iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi +2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa +N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz +UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0H01hdHQgQ2Fzd2VsbCA8 +bWF0dEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkK +CwQWAgMBAh4BAheAAAoJENnE0m0OYESRoD0H/1lEJXfr66rdvskyOi0zU0ARvUXH +jbmmYkZ7ETkdXh7Va/Tjn81T3pwmr3F4IcLGNLDz4Eg67xbq/T8rrsEPOx5nV/mR +nUT97UmsQuLnR2wLGbRBu24FKM7oX3KQvgIdJWdxHHJsjpGCViE1mIFARAzlN+6p +3tPbnQzANjRy7i/PYU/niGdqVcMhcnZCX5F7YH6w6t0ZmYH3m1QeREnWqfxu7eyH +sIvebMgKTI/bMG8Z7KlLZha9HwrFXQAPIST6sfc1blKJ9INUDM9iK6DR/ulkw7e0 +hmHLqjWqYs5PzyXeoNnsPXJt69wiADYqj4KNDIdNp1RoF9qfb1nE+DM6rga0IE1h +dHQgQ2Fzd2VsbCA8ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsD +BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+ +viob8935Uirei4FvnzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeA +RGwWTQYGmFmrNRWZ2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAj +eU8uSarmeZgGVMAInsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE +5Q7wnnoRXdLyNet0AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R +4gYFS/xGfTgocPUDZ4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO +5vISJkZvqE5UuQENBFGALsIBCADPZ1CQBKbFQWMCvdjz/TJaNf3rV6eiYASOvLDg +icU8Mwa208yJXr1UF6lvc3Tgw+jmynIBjbhvhujcJ+eD+jHEaXdncaK/WAPsmiNM +k+glZ4cbF48HP77kOLQQC+rX7jAF0VSHhFZNtnCpOByQevCJlwgkXckYvRyBOYk6 +2R7BwuLIwLIq4ZXNKPIVN4KpCodhIcGuvlPJczcdOoaBRGcSFUbXqM9Y8whyJhex +F87RHAyGpjvLnJFSgLimyYBRpFN25LzYFpXPD4MeLUVDSRgtSxOJ2KmkhMHntUqQ +P1XsIgzm4/ez6Mwkxc0QlAQp0r2gJU56QPdE5zgx+2q/i+WhABEBAAGJAR8EGAEC +AAkFAlGALsICGwwACgkQ2cTSbQ5gRJELNgf/elwfYchaV/24buNWDa+50gOuXQ4v +Xfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMhTupjrXV1oDXYAxexymWLxwa+qcrb +SwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw0kBJEiAiyPv4SMLhFzm+me4Dq1+x +dbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpgoIN/4p28G/IN9fdWG5Ni315p3WhL +HRMzC609IOsCIJsm8+lHVblT30jxpctFVlQBtbDTzgqQLiaTVevlca3VYgMd70D2 +8d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780HKIpFp6UWP5aDxpEoOEwe2g== +=Z0q9 +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: B7C1 C143 60F3 53A3 6862 E4D5 231C 84CD DCC6 9C45 +Comment: Paul Dale + +mQINBGApr7sBEACoyczHMNgWiVg4jMjtdkb5j7csKPdFx8B7FJNMFrL/Z/I1BjwM +TQ7fxKvDN6z3mjAMKhU+wCL9vUSSMUtyze/fox09n84jYDwN3n37ozkrhcDB01ia +iKCCeRNEW6meTs3/aJPGCznIOk/kMHlnZnQPcSphIexo/ZUyB59h6smz2LvoTZg0 +aeZeJwe0cfaVnWYA1a9wr+QJDQwRkEqdy772cM03Phs/sRWd4+nBqP1XxWlX30Yj +VGjDsY3gH9AAy4oUnb7tOmk5S9FIKuMdkkWeU0Abm8/36OfZyMFbZDAMbO8i3un4 +eIQOg5tjynSXYel3nlJ/fwoSHefPgavCkBdknk842LM9xr22t+IKmy99uW7FDqvj +wbPoMg6z2Jarl0Fqu3GhIjCmKMe6TBfkYwB4fp5KtzRwrSjDo16vkMoM69mXqA7w +f1JV+BKvE6QTePNt8ix4ib5c6mPOrFnYG1X3tkNOc4/q6KcGbvS1xMax12q2/zSZ +PmoJvzWTrSF8lQDZKjMnXnhrZMY8h7lu/QE4DQ1M9U1PFdf6vwLrNaHHfi/rWKTe +fsrGp2TIqU4lm45p0fDroYqDML+gp8RMUZBU8M4wGwhludEiCoOFjXu2ECvvgrB7 +JHrh+FtMuuRPx4q2eRO75NepDfZqmp48PIqkt2b3VjisNceB70uYiUQ2eQARAQAB +tB1QYXVsIERhbGUgPHBhdWxpQG9wZW5zc2wub3JnPokCTgQTAQoAOBYhBLfBwUNg +81OjaGLk1SMchM3cxpxFBQJgKa+7AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA +AAoJECMchM3cxpxFa0YQAIAnnNek3+UXZL/u4R6hs/lJopC9p/MFbCnL0b1zZnbz +Kbbva10PA3PEv+szhylDKeDIbDKF1yEjI4BTNCLS8sLKEZWSLTMW1MZhmxWm5TdF +ebhoj6Tjjfxme4ETyk3+v3hC3Ylm0jiqHHErutRAPIW1VDFQVxKZPasv1yj3YNiB +SktTSH1MjZZtlDYjp9z3VTczvrO3BBJJSxQ5CY749pEwtjwdLTqOVtoJL8thZ3J9 +jSnSDsgFVp/pPNVxxV98Yd89JqM34MvOuD3jYSOEtMUCJgMFXNZ/c2+BpWrX+ssP +qrY9vBrq7o91K+OQHbb4Z1pjK/dzDq183E32uTOYbco7ga/JqE7c997zY0fgQsIz +hdEveC4oMydzwHQ9WzHUYR7AtTgF9kKsTHy8H6ye3uaJMIMSEdAvI4mxG/k/zG/Q +KrIt1nUJh/M7uu2IT9fM+AoR+2VV1u1vimxpCpOXpTB4mTIR5YfiaRfXnHm55iq/ +odxVj/yVqFUcujy+YC9SAoKRGJRQV0KZur1xAOJsgwUJ1iXJZwypowkI59jpwl2q +WCfZIS1ZrpIebiVk4ZBaHDe1v178uLO3IasZR7HLvcD7ESX8U88ng8J1nXHq+Uc7 +4j5Dc6CMTd5WYTkFvhjO33JiHncK8CLYOFsndIGXts/OEhp08N5JELHCeSuu4UIb +uQINBGApr7sBEADNQ6w6jQNqxWxHDjJzcXclQJFPB2qlT/5eMa7QeOYiJ5DmY2VQ +P0Mltkmrc8T/I9NfRFpaB7Z+8zE5lmjSi3N5fYWjhoZp9oP0WYfSLef4KpD7KfEE +TaBohn8cw0Kt+nmEN904w9kpLE+WAvD0qRKnilcCUWE5Es719W8dMh/8cB6FiCI5 +8myIvV63yDV1DiNyEcKNeasIFF8n3FCd0gWPXXS9Fe7muQpIJ4Lb2p3ylqcY9UaU +8n+LQAb1LL1kC468MU0LBhhkCnZ2BacWnJu7JrzQ1Nihk+JRyXt0QARcgsITt8+3 +rQdZDb6o6jTixClNXOJ2LGZMAI2NrQppfn3uBny06veyde9l3riwtOYwqEfETt6O +Ndy0gOd4zelPOnfMtzwDePC0m0b5ibNsMGVYGu5bmu4XFZrk8ivcAiEg4TJHcYtU +meONyuhmaCbcG8in0GZvUgb/YLcBpLBhFFUUd1ALBfi6cXlvFlSU0HHQoNRIAyFt +C1DQaAOWQ9v21KSF6zFG9Qg3yHKy+xBjXjfp0IZOqN5jrmXxbfl/+LWqUHD54tmS +iHrUf1CiW6no+4WBI9f6/+QCVLFBoStlNgoRt/OcIXmq1cTJ2pTSPl3S0+HobCEa +llEGEDXqsGxmV2kNmxsUks/knEGFElp/XtMrhykicIdQYntMaRebljrpiwARAQAB +iQI2BBgBCgAgFiEEt8HBQ2DzU6NoYuTVIxyEzdzGnEUFAmApr7sCGwwACgkQIxyE +zdzGnEW2ew/+IzGVXgB34NeHnaLVDTtiUXgrNoOV4xFTS+kvZXrGC5i+mMhae9Pc +gvAyjssJ7dVP2RJBSNkfdxrRd2D4HFcf3dn/n646HNiTinirfvoUf4VIA1jdDp9q +ixi//tO7fsPyn35d672OA9AC3ccBgji6V9XA58REonF+ap2bE0JBJYTJZrET9Wny +BPEjefdpORSHaXqimfHN59QV5gXEFZ4Ci1jCt9n6WEb0oo+kQTkUb8z7F9P+7ojj +Q+4KrgtlXb9ijxCwMfGRPNInnumqyKJ0PhTVwhM1JNdi53nwVY98OGEZXWiKPFQ6 +lAGyLLXwaOSztKGSdsFPK/tpyVihwoqHjJCU5St/PVlpvRKhbtq24FfDu7YyDO2Q +Dp2/F+QIdVnUFO2I1xeb2k+/Tx+3nfKYNui+AFaudOblrYQzPrlswJzCmmB/OTkt +wuOqr2nvQr2JUwmSaRvdCAe8EI/HAa/ujlA87T69L4T66KwBWuBkIYZQxFtCiC+B +mksPCYe9TBTZm2+8xk6UiSMKurwESTkDj/uUGmtGHi3cSJPSQ5x41COSEc+/yZ0k +eQTSnnkVrB71cMr2yVe9WWiUqUoHbkwiiy9YAHkp76jHbTRsCjs8O2otioAW06Yb +7r1iWp6twh/giBzsVJndeP5Ss/85TQfrl8x8yJjv1OQiIRrTTz6GdU0= +=AbiA +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C Comment: Tomáš Mráz Comment: Tomáš Mráz Comment: Tomáš Mráz -xsFNBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr +mQINBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr 55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag @@ -15,7 +107,7 @@ laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3 zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06 YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB -zRtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz7CwZQEEwEIAD4WIQSiH6t0sAiK +tBtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz6JAlQEEwEIAD4WIQSiH6t0sAiK o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE @@ -28,7 +120,7 @@ IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M 8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6 z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41 xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM -MriPFc0fVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PsLBlAQTAQgAPhYh +MriPFbQfVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PokCVAQTAQgAPhYh BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk 8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO @@ -41,8 +133,8 @@ Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I -8tmXB4BcoHFB9N0AzSFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz7C -wZQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL +8tmXB4BcoHFB9N0AtCFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz6J +AlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo 2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ @@ -54,7 +146,7 @@ Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI -w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZc7BTQRg8UyoARAApiWRrHjdEu9Fp2yd7K93 +w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZbkCDQRg8UyoARAApiWRrHjdEu9Fp2yd7K93 VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27 1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50 @@ -65,7 +157,7 @@ NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc -nAaLOI/nw1ydegw8F+s1ALEAEQEAAcLDsgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv +nAaLOI/nw1ydegw8F+s1ALEAEQEAAYkEcgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+ otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5 @@ -89,7 +181,7 @@ DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl -JKbGoqC+wchHmOLOwU0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u +JKbGoqC+wchHmOK5Ag0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7 FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM @@ -100,7 +192,7 @@ PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs -LQ1kotFTABEBAAHCwXwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM +LQ1kotFTABEBAAGJAjwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS @@ -113,5 +205,101 @@ qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2 TIdjvGbJ/k4qxw== -=fnGl +=Ctij +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5 +Comment: OpenSSL security team +Comment: OpenSSL OMC +Comment: OpenSSL Security + +mQINBFQv6Z8BEACuJwJkw/Iniec6U1RzocYHBFKl1eE0WBu1vthYmcn0D/GJKvWM +kRhx9GSlWMqj9mgSFUOsFWrpPIm3Jzh4bLweUjH5I7R0Frh39dDFh1hhwHEholBy +yUGFTb8TppptXnzzDoNz4yUQcRP2oeG1vC/ePXPWHKgtp+0hmM3MQ3WIN+gSmpdt +4vMIoWKKCq+E1tYcsFk9URBWWEwBw+OJ37o7TrernyxwtXwdPOjYhA4mLtnKHs+5 +QivuOvK7gNf5hggyv6fp6d2ixvJZ9CdUYFdlOwaHA97B694RcAMxaMtzUpfkiJ/Q +2zR83QG4az6COKK38W6Kp7bLveMF6Rb4Y+gOjV4KvHKpzNAP2sNkmCIohlmoPhT9 +Ce9tWq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO +3GLcyTJW4enmTUFxy0d24Bfdgu7FpH1vHIisDkON3QO4TMwCJoLWGULqpJKP7kUf +5HCnafDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWc +zYY6spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfK +eCOVNtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQAB +tDRPcGVuU1NMIHNlY3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNz +bC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78Ck +Z9YTy4PH7W0w2JTizos9efUFAmPX/PkFCRGJRs4ACgkQ2JTizos9efWXgg/+Negn +a1HZIWs18LDktjV49a3IeKhjJV+UrTvQnFpSNXbwpnKa6iVX9PlE+3nLkIrkz6HJ +uBl1MZElcmrqIsVCKHcrbcJSgZM4fV0AgEEm5gNfK19gbJjs1qdbtwTYccDiHwGl +4EeTkPsOCo20QEC8jvkdHvMsvoD11c57NprQVVsOyuyz7B7LwV+6hZ2MAv6BZrNE +XBjzqxHGKcq4iyOKTGwRAufiXdq2+kV7GVjihH41YjV08f/b7O2uAm4k/IbULtvY +3Y/9rVvtU/Na044FQBGObH7/DbEOc8uFAH8Vy7M32rZmQet7pO8M5BrBMAaU2OAz +ZQ5CqauGvjTJ4GXi+pBoCVafPvsGkB1W6IxnPPJZsFw9kxOKSV1Md4jh90OdaIGe +HW4qagRaLDtDRtkFnIkbtc38HC/e30ANoNS3Enws7XSNvQ+O7HfeSsATsM/2cjL8 +c281Nv9o+xaNI4TN3KsfRswcQtnsN2cCkPZWKgTJcjpdANkX9CK7mYNS8bu6YsAV +nRF2iAB25Vjcz/92Dd28/nPI2CkKkOMhDtnFty8B2LZ2tbfoU1DsNzg+b3ejaXLZ +jhnZdL3b3F4iKpyzDhTpDHo4P/yxrtV8LOmHJN63oc1JljqgkU+RcxndSZ/LDHqt +VH02VwVHMVt4no62mZj2UNT2+Ci5p+tze4Rhfl60JU9wZW5TU0wgT01DIDxvcGVu +c3NsLW9tY0BvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID +AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f87QUJEYlGzgAKCRDY +lOLOiz159XBzD/9InUdyS1hdC7f2uEbD5A+5UFUwy9hqzy8sXLrGfUMtJC3Ur+CA +RqpHw6LC9oqFlAMhdSpIINzswLvpYqYKUllQWw0bStqWed6wuonC7nQk4fJhaWhT +MEyVNC7gpy1FcFQYZZ/rwVxftvV6EesOIL+cM9Tg2IKvdrJsuFtmhcrEmrAVrPuO +VkIBbOjylU5iHbs3hW15DqMXiu6s9wLlxSJtqWWcGT4Xp3SjUy2XRzsWwFPrdsnZ +cj1h1C1onglIpNuq7yQF6rrBmKUdy7FClXswEg+He6qV6zLhZo6bRAZO2b/g4aNX +NVOh5BS9ZpQds5FejHx3la6GzfPM/szC0WJR2r/6RqR/dizrPlhsJX3g5I+fRnNG +mOrUa7S/OrR3QlWyE5pvytKTno0UvPuITA7MGtQf3z4n4UbM7bYyLmCIVEkDQl9K +ax1vtEYLKKx7sVLmJUQVqo8RmmjottRZ6+B5UWOB+dXvt3Z+mJLHt92y6NLk4iOX +q3bgO9eMPgk+GdLXjgtgeu7S33BNE984/0B+jDLqhgEjK2spA50uPXBUtDm+Au+s +1zfePJVfQxdaoKY00iOltujRS6sqE1PtbebTHgDakxnr9MClzTmRz6ymAglxo72o +gk0OJCNELdckK0HHd5hGLEKBlSVGYSx2J985o7VE/raBr7/YULm4k0LXJbQvT3Bl +blNTTCBTZWN1cml0eSA8b3BlbnNzbC1zZWN1cml0eUBvcGVuc3NsLm9yZz6JAlUE +EwEKAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE78CkZ9YTy4PH7W0w +2JTizos9efUFAmIp6vAFCRdgAsUACgkQ2JTizos9efWbyA//cw5h9kzqjHNPrWyU +nqchSA/BAxGAfv8IW5vTXKIGou/vbF+2eV4pGe8cjYErfiEMI2XEqgW3NqtB8Ie1 +JpvHb/JARDpXRAeO0nAz68UZiv0s+BYG1cL0MJgxSmwLEo1XIxx+NYQRPaIPhWId +gdJmhOylGHRbZPfUu0gsX3JvFYYJvqSbZYJx47JzLgvsaRtY06oOt89hqVOp9geS +4HtwcZiIohq1E4Fy8+TYR7iMv62lBAG0xOoLCy4UzM3pVbChzcfmLLtH4ZbDO2ks +vhafec6lUetxMJuvqClp4oYDp9ucrcZF3pJA0feSGF6EXOmYo3KMiVbG35DqfJrI +8gva6QPTFo8WRsTZ7hUrn/BioXx7Orrmtl5++IPAU7c/0JPHCVordxinD/XDdcFV +s2IIf5iL914/CaI8AXmeM4H0m9kuaS9N0UI8+3gIBhO19cP1VJBw/EWdwjwHtUlf +d6mOAbwuVAjPEWQmcf0jIxoUR9t+3ieZjPdcHus5d9/xH2iOLdEHYQRHRiLlKFtu +PhWgqy7UgpWRye/628at5C9m5TfGQBldSoOkUzPQGGpV3pUiHeJlQPBAYl1AAvAK +8+Y2T9iSZXUuMXiMp3lplDEzXKHjUaXXUkgFuGs/L8YB+BBNBSE/GS078kQrc6Wu +y7mmnE22aFf7G0N/hin+9QeIWJq0J09wZW5TU0wgdGVhbSA8b3BlbnNzbC10ZWFt +QG9wZW5zc2wub3JnPokCWQQwAQoAQxYhBO/ApGfWE8uDx+1tMNiU4s6LPXn1BQJZ +2fY1JR0gUmVwbGFjZWQgYnkgb3BlbnNzbC1vbWNAb3BlbnNzbC5vcmcACgkQ2JTi +zos9efVQIg/8C1c/ChPOM/ojwXA1yUeIa4rD6BXlLDetE3KIqD1MvR251xV8Ox21 +3GYFHW+6CEfQ82xiy02CB+VsYh58tMi41NDWq6fkZOW4vFnJbFx/pYk8xFMl0ml3 +LkGsh9cVoesSiEBAsF4vQ/bmCNfM68DsLtjAK7GQobcW5ArIqvgc3LlYXUspkgE9 +yMcQcPqyMsNrEPgrFCcd3fWzXF1qsO8Rtd4bwyaJACkpQnZ832wY91uuMGzWcG2A ++SxkdOFPuDkWm5l8hbA6+DpdFp/YiDnfwAZqr6uoqdkcT0e8IRsGqJ2FJ7qHeGSv +kFjkGHaOPkJM69lJIEFMCrjvBQVN4b8HhcqbnJbnrWVGFDxgSdjNvXqzBDJgDqMh +GN5ZHJhGhiZDi02uzqJ0p+OUzK1CiEo0/Mc7Nb5sVfvYrP4LoqKRceNePgwZp8Jw +OnC5U84TWa6pHYm3rijfrBPPMFex9NDQQ/KEFINhAMQVMUtj2iy5ANPpqsftOIjs +RfWWn+7QIi4EuYRADcllRaHJaTBAzI56ngkDaA55oyaMnSUnu0fjgWTiD4CEVbsS +rR0nWJKhCg5DbVwq/dImoN1iK78ziR6cJdeQhe3GY+AdWe7Ci+75TiYy8Zlh9Sz4 +mpl81xRz9eYcO/g0xG6wpPE/fqua8/AgeKArEKJWN1uvKCCFZzRB7uq5Ag0EVC/p +nwEQAMB3s+8dq5T8fW+b3OcGujEcbhyguc6D5shlNWsuCV3W7+izsVUe+0hD1YwD +30C6zj2+CJrMxPQ/BB3u3SbyHMDP5fKL7GQiA/n192hX2DuHxvQwnDNkHxYghtrF +KOlXAyte2awA0fC+e0o8lHa1Yd2ZZNqlDC23qJtLMJH8bX8CIr59KckNyv64bF+h +VPIN3evnh1Ajn4A85848EZMQcjedg72MsA3TW2D4omayY7eXE5uut7FYcY6SM4pT +hIB2X9DM39Rgy3qC4ObvEkEfaWnJfHxyXiA8XF+FZukXc/iM68P0VS/sMml9QPsY +MWnMHcGlOcuzQJRAalqZJwuK0ZIvobh/Y9rYLxrHtNCgSjaFuSN9K/YhpAxs80H6 +lVa7GCSASTRrS3OvmY++fTsUPzSOvit0kqQfimziYx7QcJIagG92mvUmuf2PEfzv +Si6iaIqMhaTaJq5qxOR0q430KakQktNPX53HflWL7YenDPYw1rEyQFxGqjaBY1X8 +NtuzZ0P4cahgsBFc8HgYu2u3Ysd5wmvSTsOXld8Qsns1KIUOpzgWw56AJ6dxS3lK +4QSUFwjzbZW9H0jJ49eBMAaA+hCjv8c/4BFuZq9Gvsafn425Lx1V/3PFJlPu55V+ +7qWjeOkSzNctMlmCqPQVetbZ/pHLAJO5IUO3SoTs5kl6bARzABEBAAGJAjwEGAEK +ACYCGwwWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f9DQUJEYlG7gAKCRDYlOLO +iz159f5RD/9Dhv5+muyWX9U4wNH7Dt7KHOtFyQ6+YrlLGj6WgZlFQD3sz1hVabJs +HwFuiaIjnZmQwiUJm72jCMUncL3OsWrQXm6SU60aG20XeQl1oXWmSD9D/len23hO +Yo/3WsC3o1AIkLA9cJ3h/oo3I7RE30skw4MwQ4oCFlmidmOLvkz3TD22qxf+WaK7 +KO0vJRVHQIVl1ZdsBSSULcr8BcupKXaKSBJQDya2TkEh6OUf1B/7EIk811oeNSaL +9eJXS9VGDytVyjGGXSbudBw2XAV0/oiPPDKYElbOZH66d6marGwCCdc29cNono/7 +zf0+/hyunzY3m1PkYGyzUmfWq4WNulJ9GEAz0O1rss/4hxnGqn/m3gue+aQx4hji +/K/vAV+531YT9MEp6m6e3074a7Hvn2l/tsBoL1Xseb6J9ZGL8fnZiuG6RF4sP1Lz +sQXmyjgr1yTlCShgNQCYXAgprWXPCwv176kL0WxkGhcI+GmSe3kNWr3HYoeTfBQ/ +G8GWaIZ2qJRY/d/P9bgWu3oztWcVqEDorK3Pbu5/VeIeEfIkc717EgvdZU4EB70v +E/jnY1V9GLFzdPcygy7bz5aA4IA/Y12VFdhQ9/E7HFvEv0KUa294rQiH86lRyCJI +aEUqeymypLjoU2oeR4Cujkne+5spQHBfn2/RWGqH28v+vqHysb/8GA== +=Q+Oa -----END PGP PUBLIC KEY BLOCK-----