From 8fb8948616e21cf7bd4aad31f63aeb9139a57dcfaa94555c4a9395159eddc801 Mon Sep 17 00:00:00 2001 
From: Otto Hollmann
Date: Wed, 8 Feb 2023 08:03:11 +0000
Subject: [PATCH] Accepting request 1063668 from home:ohollmann:branches:security:tls

- Update to 1.1.1t:
  * Fixed X.400 address type confusion in X.509 GeneralName.
    There is a type confusion vulnerability relating to X.400 address processing
    inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
    but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
    vulnerability may allow an attacker who can provide a certificate chain and
    CRL (neither of which need have a valid signature) to pass arbitrary
    pointers to a memcmp call, creating a possible read primitive, subject to
    some constraints. Refer to the advisory for more information. Thanks to
    David Benjamin for discovering this issue. [bsc#1207533, CVE-2023-0286]

    This issue has been fixed by changing the public header file definition of
    GENERAL_NAME so that x400Address reflects the implementation. It was not
    possible for any existing application to successfully use the existing
    definition; however, if any application references the x400Address field
    (e.g. in dead code), note that the type of this field has changed. There is
    no ABI change.
  * Fixed Use-after-free following BIO_new_NDEF.
    The public API function BIO_new_NDEF is a helper function used for
    streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
    to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
    be called directly by end user applications.

    The function receives a BIO from the caller, prepends a new BIO_f_asn1
    filter BIO onto the front of it to form a BIO chain, and then returns
    the new head of the BIO chain to the caller. Under certain conditions,
    for example if a CMS recipient public key is invalid, the new filter BIO
    is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. OBS-URL: https://build.opensuse.org/request/show/1063668 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=128 --- openssl-1.1.1s.tar.gz | 3 - openssl-1.1.1s.tar.gz.asc | 17 -- openssl-1.1.1t.tar.gz | 3 + openssl-1.1.1t.tar.gz.asc | 16 ++ openssl-1_1-openssl-config.patch | 262 ++++++++++++++----------------- openssl-1_1.changes | 70 +++++++++ openssl-1_1.spec | 2 +- openssl.keyring | 201 +++++++++++------------- 8 files changed, 302 insertions(+), 272 deletions(-) delete mode 100644 openssl-1.1.1s.tar.gz delete mode 100644 openssl-1.1.1s.tar.gz.asc create mode 100644 openssl-1.1.1t.tar.gz create mode 100644 openssl-1.1.1t.tar.gz.asc diff --git a/openssl-1.1.1s.tar.gz b/openssl-1.1.1s.tar.gz deleted file mode 100644 index b0db038..0000000 --- a/openssl-1.1.1s.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa -size 9868981 diff --git a/openssl-1.1.1s.tar.gz.asc b/openssl-1.1.1s.tar.gz.asc deleted file mode 100644 index fd139f9..0000000 --- a/openssl-1.1.1s.tar.gz.asc +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQJGBAABCAAwFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmNhEsESHHRvbWFzQG9w -ZW5zc2wub3JnAAoJEFJ0ZqIcp55tDTIQAKINCpzYH5Wixo5wvYxo/1x+YugR2FMJ -F7OLFD+HZ+ohrafV+WwGJkjwAEHzoXnho5iPx47RwpJ8lgKzTPgkvUx+LT3/1Shv -2kkiMNV5hJP2kIP7HzrjhbZ72e/gWX8lSM/u5GHzUyEDuM5jyuV+d91csB2tZ9ai -LHS0WzVp5F0E8GqhuQMXklV0eFKeuuUouSdobXVfjFvUs2vQxYY7ARel6b18nQL0 -RPcmuil8XOJwZ2r460ZmsTf1FA0b/eoyEjI2140ZffDILZlI5BpLNoLcpH7Gtq+l -qo2yLConF1nQh4STWu/+fm2281xXrHc5BuL3CgHXIPDnTNE1iOZeE+TYWqu5F+qT -f6sxqI9YFkYTlwjoVruYkeA3x+qtJV4NmE6fBZk4JsVQxRf7g0iIDlIm/tXmbT/U -0YPl0sSYc3uvquwkV4de0TX2hfTChvAWjvlets5hHEh9cGfnGBrfzmwBK8mN18F9 -bCPf4UYPjnB37D9alGc8VsTSDwbNMebzwj9bo3bUi90U/y/9e55Wq8QoQpaqeAXq -mhHuhN6y21TWvOYmNYvcvjGHd5Ikkivs1mHA06HsM0XV8TeZueo0MXse5fC6t25X -Iy84EL2mas0v6rbYOzgAQcdR4hD2zqeQOOfWFt5CvT+1TbiLFmbW8ZgGzkgkVkZ1 -1RMZGNU3T2eU -=0j1K ------END PGP SIGNATURE----- diff --git a/openssl-1.1.1t.tar.gz b/openssl-1.1.1t.tar.gz new file mode 100644 index 0000000..30092f6 --- /dev/null +++ b/openssl-1.1.1t.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b +size 9881866 diff --git a/openssl-1.1.1t.tar.gz.asc b/openssl-1.1.1t.tar.gz.asc new file mode 100644 index 0000000..92fdf9b --- /dev/null +++ b/openssl-1.1.1t.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAmPiVA4ACgkQ1enkP335 +7owO9Q/+I6mvbNQeSgpOaOu//sVRGVkOD9pfZJsxZJtQuiYPQtXLlwkZyoh3Ft8b +Gty7sC6zXwWA2sbo4LGeum3jnjb7nb/x3+5O8KARPLFRpy2/4okL3uZnAw8Pr5ps +8VjCEIm9l9UmuWNZPWRQZPtup6Uz5u97/kVLQE17qFQW1bwiUixR+Yc+ICyW/hUQ +F13tbV2GVkoVdJKwD9UpwAs6ft0+faXtkEASNyLykcrTbGbBPVVpieXiH/Vuv6BX +1Ax/oBR5Xem9bGSZkCa5KZMDOqR08GUEA1zqa9Hh8VN4hH11w0cjyKPK9U6dQmAH +P6clMEtbNMYPr3pHO4Ufgwf0OzdnLfxIf8qCiqQcNLmBnCG0NHM0/8zJmiGg1O6r +Fy0P9/nSQ5CIT3t27Xcn8RciwTR7YClEyBtNGS1JdDzGJmomTqmxBns/QyZyKtlG +V+7IsNfUBVdCF4AUP7BRC+SkHf/2/fDyCPETg27AQz/iOUC9KU0DgKLQtmnnRKk0 +Uz49l/WSVJARzPS5y55o8NUEv/QhnSct2eGjYeO3RiikuHDVQoH9R663G6E1koMq +fahxEs0FX39hALOt/CVisZ/H8trIy3r3Buc7EmqLHj/Q40I5IJA9ZCzi1e8UviQV +pQpkVru5VJVwNsm8KB/aBOm6J00mi2kbXMPrW1zwfmJAwt+iSJ4= +=nNu+ +-----END PGP SIGNATURE----- diff --git a/openssl-1_1-openssl-config.patch b/openssl-1_1-openssl-config.patch index 5ff415e..c3d7692 100644 --- a/openssl-1_1-openssl-config.patch +++ b/openssl-1_1-openssl-config.patch 
@@ -1,7 +1,44 @@ -Index: openssl-1.1.1s/Configurations/unix-Makefile.tmpl -=================================================================== ---- openssl-1.1.1s.orig/Configurations/unix-Makefile.tmpl -+++ openssl-1.1.1s/Configurations/unix-Makefile.tmpl +--- + Configurations/descrip.mms.tmpl | 4 +-- + Configurations/unix-Makefile.tmpl | 22 ++++++++--------- + Configure | 2 - + INSTALL | 2 - + NEWS | 3 ++ + VMS/openssl_utils.com.in | 2 - + apps/CA.pl.in | 8 +++--- + apps/build.info | 6 ++-- + apps/tsget.in | 2 - + doc/HOWTO/certificates.txt | 2 - + doc/man1/CA.pl.pod | 36 ++++++++++++++--------------- + doc/man1/ca.pod | 4 +-- + doc/man1/rehash.pod | 10 ++++---- + doc/man1/tsget.pod | 4 +-- + doc/man1/verify.pod | 2 - + doc/man1/x509.pod | 2 - + doc/man3/OPENSSL_config.pod | 2 - + doc/man3/SSL_CTX_load_verify_locations.pod | 4 +-- + doc/man5/config.pod | 2 - + include/internal/cryptlib.h | 2 - + test/recipes/80-test_ca.t | 10 ++++---- + tools/build.info | 2 - + tools/c_rehash.in | 6 ++-- + 23 files changed, 71 insertions(+), 68 deletions(-) + +--- a/Configurations/descrip.mms.tmpl ++++ b/Configurations/descrip.mms.tmpl +@@ -140,8 +140,8 @@ INSTALL_SHLIBS={- join(", ", map { "-\n\ + INSTALL_ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{engines}}) -} + INSTALL_PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{programs}}) -} + {- output_off() if $disabled{apps}; "" -} +-BIN_SCRIPTS=[.tools]c_rehash.pl +-MISC_SCRIPTS=[.apps]CA.pl, [.apps]tsget.pl ++BIN_SCRIPTS=[.tools]c_rehash-1_1.pl ++MISC_SCRIPTS=[.apps]CA-1_1.pl, [.apps]tsget-1_1.pl + {- output_on() if $disabled{apps}; "" -} + + APPS_OPENSSL={- use File::Spec::Functions; +--- a/Configurations/unix-Makefile.tmpl ++++ b/Configurations/unix-Makefile.tmpl 
@@ -140,8 +140,8 @@ INSTALL_SHLIB_INFO={- join(" ", map { "\ INSTALL_ENGINES={- join(" ", map { dso($_) } @{$unified_info{install}->{engines}}) -} INSTALL_PROGRAMS={- join(" ", map { $_.$exeext } @{$unified_info{install}->{programs}}) -} @@ -45,10 +82,8 @@ Index: openssl-1.1.1s/Configurations/unix-Makefile.tmpl generate_crypto_bn: ( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h ) -Index: openssl-1.1.1s/Configure -=================================================================== ---- openssl-1.1.1s.orig/Configure -+++ openssl-1.1.1s/Configure +--- a/Configure ++++ b/Configure @@ -35,7 +35,7 @@ my $usage="Usage: Configure [no- # directories bin, lib, include, share/man, share/doc/openssl # This becomes the value of INSTALLTOP in Makefile @@ -58,10 +93,8 @@ Index: openssl-1.1.1s/Configure # If it's a relative directory, it will be added on the directory # given with --prefix. # This becomes the value of OPENSSLDIR in Makefile and in C. -Index: openssl-1.1.1s/INSTALL -=================================================================== ---- openssl-1.1.1s.orig/INSTALL -+++ openssl-1.1.1s/INSTALL +--- a/INSTALL ++++ b/INSTALL @@ -296,7 +296,7 @@ be undesirable if small executable size is an objective. @@ -71,10 +104,8 @@ Index: openssl-1.1.1s/INSTALL Typically OpenSSL will automatically load a system config file which configures default ssl options. -Index: openssl-1.1.1s/NEWS -=================================================================== ---- openssl-1.1.1s.orig/NEWS -+++ openssl-1.1.1s/NEWS +--- a/NEWS ++++ b/NEWS @@ -5,6 +5,9 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. 
@@ -82,80 +113,11 @@ Index: openssl-1.1.1s/NEWS + IMPORTANT: For compatibility with OpenSSL 3.0, the OpenSSL master + configuration file openssl.cnf has been renamed to openssl-1_1.cnf. + - Major changes between OpenSSL 1.1.1r and OpenSSL 1.1.1s [1 Nov 2022] + Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023] - o Fixed a regression introduced in OpenSSL 1.1.1r not refreshing the -Index: openssl-1.1.1s/doc/HOWTO/certificates.txt -=================================================================== ---- openssl-1.1.1s.orig/doc/HOWTO/certificates.txt -+++ openssl-1.1.1s/doc/HOWTO/certificates.txt -@@ -16,7 +16,7 @@ Certificate authorities should read http - In all the cases shown below, the standard configuration file, as - compiled into openssl, will be used. You may find it in /etc/, - /usr/local/ssl/ or somewhere else. By default the file is named --openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html. -+openssl-1_1.cnf and is described at https://www.openssl.org/docs/apps/config.html. - You can specify a different configuration file using the - '-config {file}' argument with the commands shown below. - -Index: openssl-1.1.1s/doc/man3/OPENSSL_config.pod -=================================================================== ---- openssl-1.1.1s.orig/doc/man3/OPENSSL_config.pod -+++ openssl-1.1.1s/doc/man3/OPENSSL_config.pod -@@ -15,7 +15,7 @@ OPENSSL_config, OPENSSL_no_config - simp - - =head1 DESCRIPTION - --OPENSSL_config() configures OpenSSL using the standard B and -+OPENSSL_config() configures OpenSSL using the standard B and - reads from the application section B. If B is NULL then - the default section, B, will be used. - Errors are silently ignored. 
-Index: openssl-1.1.1s/doc/man5/config.pod -=================================================================== ---- openssl-1.1.1s.orig/doc/man5/config.pod -+++ openssl-1.1.1s/doc/man5/config.pod -@@ -7,7 +7,7 @@ config - OpenSSL CONF library configurat - =head1 DESCRIPTION - - The OpenSSL CONF library can be used to read configuration files. --It is used for the OpenSSL master configuration file B -+It is used for the OpenSSL master configuration file B - and in a few other places like B files and certificate extension - files for the B utility. OpenSSL applications can also use the - CONF library for their own purposes. -Index: openssl-1.1.1s/include/internal/cryptlib.h -=================================================================== ---- openssl-1.1.1s.orig/include/internal/cryptlib.h -+++ openssl-1.1.1s/include/internal/cryptlib.h -@@ -51,7 +51,7 @@ typedef struct app_mem_info_st APP_INFO; - typedef struct mem_st MEM; - DEFINE_LHASH_OF(MEM); - --# define OPENSSL_CONF "openssl.cnf" -+# define OPENSSL_CONF "openssl-1_1.cnf" - - # ifndef OPENSSL_SYS_VMS - # define X509_CERT_AREA OPENSSLDIR -Index: openssl-1.1.1s/Configurations/descrip.mms.tmpl -=================================================================== ---- openssl-1.1.1s.orig/Configurations/descrip.mms.tmpl -+++ openssl-1.1.1s/Configurations/descrip.mms.tmpl -@@ -140,8 +140,8 @@ INSTALL_SHLIBS={- join(", ", map { "-\n\ - INSTALL_ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{engines}}) -} - INSTALL_PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{programs}}) -} - {- output_off() if $disabled{apps}; "" -} --BIN_SCRIPTS=[.tools]c_rehash.pl --MISC_SCRIPTS=[.apps]CA.pl, [.apps]tsget.pl -+BIN_SCRIPTS=[.tools]c_rehash-1_1.pl -+MISC_SCRIPTS=[.apps]CA-1_1.pl, [.apps]tsget-1_1.pl - {- output_on() if $disabled{apps}; "" -} - - APPS_OPENSSL={- use File::Spec::Functions; -Index: openssl-1.1.1s/VMS/openssl_utils.com.in 
-=================================================================== ---- openssl-1.1.1s.orig/VMS/openssl_utils.com.in -+++ openssl-1.1.1s/VMS/openssl_utils.com.in + o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) +--- a/VMS/openssl_utils.com.in ++++ b/VMS/openssl_utils.com.in @@ -8,7 +8,7 @@ $ OPENSSL :== $OSSL$EXE:OPENSSL'v' $ $ IF F$TYPE(PERL) .EQS. "STRING" @@ -165,10 +127,8 @@ Index: openssl-1.1.1s/VMS/openssl_utils.com.in $ ELSE $ WRITE SYS$ERROR "NOTE: no perl => no C_REHASH" $ ENDIF -Index: openssl-1.1.1s/apps/CA.pl.in -=================================================================== ---- openssl-1.1.1s.orig/apps/CA.pl.in -+++ openssl-1.1.1s/apps/CA.pl.in +--- a/apps/CA.pl.in ++++ b/apps/CA.pl.in @@ -113,10 +113,10 @@ sub run @@ -184,10 +144,8 @@ Index: openssl-1.1.1s/apps/CA.pl.in exit 0; } if ($WHAT eq '-newcert' ) { -Index: openssl-1.1.1s/apps/build.info -=================================================================== ---- openssl-1.1.1s.orig/apps/build.info -+++ openssl-1.1.1s/apps/build.info +--- a/apps/build.info ++++ b/apps/build.info @@ -73,7 +73,7 @@ IF[{- !$disabled{apps} -}] GENERATE[progs.h]=progs.pl $(APPS_OPENSSL) DEPEND[progs.h]=../configdata.pm @@ -199,10 +157,8 @@ Index: openssl-1.1.1s/apps/build.info + SOURCE[CA-1_1.pl]=CA.pl.in + SOURCE[tsget-1_1.pl]=tsget.in ENDIF -Index: openssl-1.1.1s/apps/tsget.in -=================================================================== ---- openssl-1.1.1s.orig/apps/tsget.in -+++ openssl-1.1.1s/apps/tsget.in +--- a/apps/tsget.in ++++ b/apps/tsget.in @@ -47,7 +47,7 @@ sub create_curl { $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; $curl->setopt(CURLOPT_FAILONERROR, 1); 
@@ -212,10 +168,19 @@ Index: openssl-1.1.1s/apps/tsget.in # Options for POST method. $curl->setopt(CURLOPT_UPLOAD, 1); -Index: openssl-1.1.1s/doc/man1/CA.pl.pod -=================================================================== ---- openssl-1.1.1s.orig/doc/man1/CA.pl.pod -+++ openssl-1.1.1s/doc/man1/CA.pl.pod +--- a/doc/HOWTO/certificates.txt ++++ b/doc/HOWTO/certificates.txt +@@ -16,7 +16,7 @@ Certificate authorities should read http + In all the cases shown below, the standard configuration file, as + compiled into openssl, will be used. You may find it in /etc/, + /usr/local/ssl/ or somewhere else. By default the file is named +-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html. ++openssl-1_1.cnf and is described at https://www.openssl.org/docs/apps/config.html. + You can specify a different configuration file using the + '-config {file}' argument with the commands shown below. + +--- a/doc/man1/CA.pl.pod ++++ b/doc/man1/CA.pl.pod @@ -2,16 +2,16 @@ =head1 NAME @@ -318,10 +283,8 @@ Index: openssl-1.1.1s/doc/man1/CA.pl.pod can be used and the B environment variable changed to point to the correct path of the configuration file. -Index: openssl-1.1.1s/doc/man1/ca.pod -=================================================================== ---- openssl-1.1.1s.orig/doc/man1/ca.pod -+++ openssl-1.1.1s/doc/man1/ca.pod +--- a/doc/man1/ca.pod ++++ b/doc/man1/ca.pod @@ -698,7 +698,7 @@ the database has to be kept in memory. The B command really needs rewriting or the required functionality exposed at either a command or interface level so a more friendly utility @@ -340,10 +303,8 @@ Index: openssl-1.1.1s/doc/man1/ca.pod L, L =head1 COPYRIGHT -Index: openssl-1.1.1s/doc/man1/rehash.pod -=================================================================== ---- openssl-1.1.1s.orig/doc/man1/rehash.pod -+++ openssl-1.1.1s/doc/man1/rehash.pod +--- a/doc/man1/rehash.pod ++++ b/doc/man1/rehash.pod 
@@ -6,7 +6,7 @@ Original text by James Westby, contribut =head1 NAME @@ -379,10 +340,8 @@ Index: openssl-1.1.1s/doc/man1/rehash.pod uses the B program to compute the hashes and fingerprints. If not found in the user's B, then set the B environment variable to the full pathname. -Index: openssl-1.1.1s/doc/man1/tsget.pod -=================================================================== ---- openssl-1.1.1s.orig/doc/man1/tsget.pod -+++ openssl-1.1.1s/doc/man1/tsget.pod +--- a/doc/man1/tsget.pod ++++ b/doc/man1/tsget.pod @@ -35,7 +35,7 @@ line. The tool sends the following HTTP request for each timestamp request: @@ -401,10 +360,8 @@ Index: openssl-1.1.1s/doc/man1/tsget.pod OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of HTTPS. (Optional) -Index: openssl-1.1.1s/doc/man1/verify.pod -=================================================================== ---- openssl-1.1.1s.orig/doc/man1/verify.pod -+++ openssl-1.1.1s/doc/man1/verify.pod +--- a/doc/man1/verify.pod ++++ b/doc/man1/verify.pod @@ -75,7 +75,7 @@ The file should contain one or more cert A directory of trusted certificates. The certificates should have names of the form: hash.0 or have symbolic links to them of this @@ -414,10 +371,8 @@ Index: openssl-1.1.1s/doc/man1/verify.pod create symbolic links to a directory of certificates. =item B<-no-CAfile> -Index: openssl-1.1.1s/doc/man1/x509.pod -=================================================================== ---- openssl-1.1.1s.orig/doc/man1/x509.pod -+++ openssl-1.1.1s/doc/man1/x509.pod +--- a/doc/man1/x509.pod ++++ b/doc/man1/x509.pod @@ -932,7 +932,7 @@ The hash algorithm used in the B<-subjec before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a 
@@ -427,10 +382,19 @@ Index: openssl-1.1.1s/doc/man1/x509.pod =head1 COPYRIGHT -Index: openssl-1.1.1s/doc/man3/SSL_CTX_load_verify_locations.pod -=================================================================== ---- openssl-1.1.1s.orig/doc/man3/SSL_CTX_load_verify_locations.pod -+++ openssl-1.1.1s/doc/man3/SSL_CTX_load_verify_locations.pod +--- a/doc/man3/OPENSSL_config.pod ++++ b/doc/man3/OPENSSL_config.pod +@@ -15,7 +15,7 @@ OPENSSL_config, OPENSSL_no_config - simp + + =head1 DESCRIPTION + +-OPENSSL_config() configures OpenSSL using the standard B and ++OPENSSL_config() configures OpenSSL using the standard B and + reads from the application section B. If B is NULL then + the default section, B, will be used. + Errors are silently ignored. +--- a/doc/man3/SSL_CTX_load_verify_locations.pod ++++ b/doc/man3/SSL_CTX_load_verify_locations.pod @@ -63,7 +63,7 @@ If more than one CA certificate with the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the ordering of the extension number, regardless of other 
@@ -449,10 +413,30 @@ Index: openssl-1.1.1s/doc/man3/SSL_CTX_load_verify_locations.pod =head1 SEE ALSO -Index: openssl-1.1.1s/test/recipes/80-test_ca.t -=================================================================== ---- openssl-1.1.1s.orig/test/recipes/80-test_ca.t -+++ openssl-1.1.1s/test/recipes/80-test_ca.t +--- a/doc/man5/config.pod ++++ b/doc/man5/config.pod +@@ -7,7 +7,7 @@ config - OpenSSL CONF library configurat + =head1 DESCRIPTION + + The OpenSSL CONF library can be used to read configuration files. +-It is used for the OpenSSL master configuration file B ++It is used for the OpenSSL master configuration file B + and in a few other places like B files and certificate extension + files for the B utility. OpenSSL applications can also use the + CONF library for their own purposes. +--- a/include/internal/cryptlib.h ++++ b/include/internal/cryptlib.h +@@ -51,7 +51,7 @@ typedef struct app_mem_info_st APP_INFO; + typedef struct mem_st MEM; + DEFINE_LHASH_OF(MEM); + +-# define OPENSSL_CONF "openssl.cnf" ++# define OPENSSL_CONF "openssl-1_1.cnf" + + # ifndef OPENSSL_SYS_VMS + # define X509_CERT_AREA OPENSSLDIR +--- a/test/recipes/80-test_ca.t ++++ b/test/recipes/80-test_ca.t @@ -27,27 +27,27 @@ plan tests => 5; SKIP: { $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"'; @@ -486,10 +470,8 @@ Index: openssl-1.1.1s/test/recipes/80-test_ca.t 'creating new pre-certificate'); } -Index: openssl-1.1.1s/tools/build.info -=================================================================== ---- openssl-1.1.1s.orig/tools/build.info -+++ openssl-1.1.1s/tools/build.info +--- a/tools/build.info ++++ b/tools/build.info @@ -1,5 +1,5 @@ {- our $c_rehash_name = - $config{target} =~ /^(VC|vms)-/ ? "c_rehash.pl" : "c_rehash"; 
@@ -497,10 +479,8 @@ Index: openssl-1.1.1s/tools/build.info "" -} IF[{- !$disabled{apps} -}] SCRIPTS={- $c_rehash_name -} -Index: openssl-1.1.1s/tools/c_rehash.in -=================================================================== ---- openssl-1.1.1s.orig/tools/c_rehash.in -+++ openssl-1.1.1s/tools/c_rehash.in +--- a/tools/c_rehash.in ++++ b/tools/c_rehash.in @@ -8,7 +8,7 @@ # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 044f2a5..391f373 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes 
@@ -1,3 +1,73 @@ +------------------------------------------------------------------- +Tue Feb 7 15:59:21 UTC 2023 - Otto Hollmann + +- Update to 1.1.1t: + * Fixed X.400 address type confusion in X.509 GeneralName. + There is a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING + but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This + vulnerability may allow an attacker who can provide a certificate chain and + CRL (neither of which need have a valid signature) to pass arbitrary + pointers to a memcmp call, creating a possible read primitive, subject to + some constraints. Refer to the advisory for more information. Thanks to + David Benjamin for discovering this issue. [bsc#1207533, CVE-2023-0286] + + This issue has been fixed by changing the public header file definition of + GENERAL_NAME so that x400Address reflects the implementation. It was not + possible for any existing application to successfully use the existing + definition; however, if any application references the x400Address field + (e.g. in dead code), note that the type of this field has changed. There is + no ABI change. + * Fixed Use-after-free following BIO_new_NDEF. + The public API function BIO_new_NDEF is a helper function used for + streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL + to support the SMIME, CMS and PKCS7 streaming capabilities, but may also + be called directly by end user applications. + + The function receives a BIO from the caller, prepends a new BIO_f_asn1 + filter BIO onto the front of it to form a BIO chain, and then returns + the new head of the BIO chain to the caller. Under certain conditions, + for example if a CMS recipient public key is invalid, the new filter BIO + is freed and the function returns a NULL result indicating a failure. 
+ However, in this case, the BIO chain is not properly cleaned up and the + BIO passed by the caller still retains internal pointers to the previously + freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO + then a use-after-free will occur. This will most likely result in a crash. + [bsc#1207536, CVE-2023-0215] + * Fixed Double free after calling PEM_read_bio_ex. + The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload + data. If the function succeeds then the "name_out", "header" and "data" + arguments are populated with pointers to buffers containing the relevant + decoded data. The caller is responsible for freeing those buffers. It is + possible to construct a PEM file that results in 0 bytes of payload data. + In this case PEM_read_bio_ex() will return a failure code but will populate + the header argument with a pointer to a buffer that has already been freed. + If the caller also frees this buffer then a double free will occur. This + will most likely lead to a crash. + + The functions PEM_read_bio() and PEM_read() are simple wrappers around + PEM_read_bio_ex() and therefore these functions are also directly affected. + + These functions are also called indirectly by a number of other OpenSSL + functions including PEM_X509_INFO_read_bio_ex() and + SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL + internal uses of these functions are not vulnerable because the caller does + not free the header argument if PEM_read_bio_ex() returns a failure code. + [bsc#1207538, CVE-2022-4450] + [Kurt Roeckx, Matt Caswell] + * Fixed Timing Oracle in RSA Decryption. + A timing based side channel exists in the OpenSSL RSA Decryption + implementation which could be sufficient to recover a plaintext across + a network in a Bleichenbacher style attack. 
To achieve a successful + decryption an attacker would have to be able to send a very large number + of trial messages for decryption. The vulnerability affects all RSA padding + modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. + [bsc#1207534, CVE-2022-4304] + * Rebased openssl-1_1-openssl-config.patch + * Update openssl.keyring with key + 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C (Richard Levitte) + ------------------------------------------------------------------- Wed Dec 14 12:56:06 UTC 2022 - Pedro Monreal diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 14a852d..52be0a1 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -41,7 +41,7 @@ %define _rname openssl Name: openssl-1_1 # Don't forget to update the version in the "openssl" meta-package! -Version: 1.1.1s +Version: 1.1.1t Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL diff --git a/openssl.keyring b/openssl.keyring index e406ce6..6c3798e 100644 --- a/openssl.keyring +++ b/openssl.keyring 
@@ -1,113 +1,94 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C +Comment: Richard Levitte +Comment: Richard Levitte +Comment: Richard Levitte -mQINBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr -55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH -F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi -UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag -pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K -/Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv -MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8 -laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB -HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3 -zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06 -YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB -tBtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz6JAlQEEwEIAD4WIQSiH6t0sAiK -o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe -AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy -U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE -KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W -nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh -1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I -m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj -kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD -IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M -8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6 -z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41 -xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM -MriPFbQfVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PokCVAQTAQgAPhYh -BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL -AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk 
-8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO -UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv -FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW -FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q -UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy -Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS -2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW -kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm -T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI -yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I -8tmXB4BcoHFB9N0AtCFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz6J -AlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL -CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh -KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo -2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ -+J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4 -yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M -cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A -ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly -Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y -q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt -Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj -hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI -w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZbkCDQRg8UyoARAApiWRrHjdEu9Fp2yd7K93 -VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27 -1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp -djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50 -IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK -bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn -gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w 
-NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh -D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H -a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB -HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc -nAaLOI/nw1ydegw8F+s1ALEAEQEAAYkEcgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv -Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy -Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+ -otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5 -SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358 -cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0 -8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ -vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV -yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A -HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg -K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs -aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh -uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE -cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk -RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F -9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/ -JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g -muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN -86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr -HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S -DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE -ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro -uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY -YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl -JKbGoqC+wchHmOK5Ag0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u -aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq 
-oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7 -FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM -ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL -vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+ -i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb -PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum -ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE -N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH -eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs -LQ1kotFTABEBAAGJAjwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM -JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh -QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB -uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS -nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u -sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD -NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C -nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE -FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ -qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX -Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc -zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2 -TIdjvGbJ/k4qxw== -=Ctij +xsFNBFQwazYBEAC01v949yFYzwbn0UkEkM3MHTrDqWbp+erhXqdVD5ymG/pXvmqx +5KlxL1TZMuWEFuaq9EVkW8Wm5glk4D14IalIVKARAMDwqgNrPnw0GCAmNIf+Omvl +G7gdsSR93eALJp1vvKZpeEVZj0M0gQ1i4QIIR8PMqs+2jaYyed4HhRYzUbGKZMnr +94Onby8FIAYq0B79VqBv5NfMc2KEKrLXwuDSjtZd2TGB7qeLF7sCczyFoi5XTj+B +iVfdxCzoYEa1Rjp5hGllVj85w2DdfKED/BW7VCel4H+WTZGqTFQ1e3kPo1KdqlwD +F+Ci2JFU6myPy0LpHrNhn6FsdQGOuRKgYPycol7VzJHKtcGNMDkUFGV2DsgljQuW +Sj5TNNX5umFCIIN94eLvHtV9bXP98yKB/5pr2JhagL6kdU7OE0c/mugA05gGQTUJ +DeLNsRq54YC+CLyM9dxMvH7yB43yMfUvgKcSRt0sHUo8g5aOYdFq0SXQUr8+t/iH 
+3t5/JxhqBik8FBiu0aISsTDUbvbxQQQe/LhfR+FWDZRFwHOL0VELapfw1whitGG+ +y+F9fQIJfa5yzEiC9AWYZjHRaFB7q6LAvF0V8vP+pkT157fTK63W53mt1+VPMt2L +732i+/Cqy/6HzwOdnNnNyfEdvm2Jojs8KXN20vChnfUGifvTjxuiFib9sQARAQAB +zR9SaWNoYXJkIExldml0dGUgPGxldml0dGVAbHAuc2U+wsGPBBMBAgAiBQJUMGwd +AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnujBYhBHlTrB+8 +PcizspI5PtXp5D99+e6Mq7QP/iNhBEDJYRTrYc6JAmRIg6YyiKjeOx8kXtVCe9+q +CzC+Y9ehyZB5Dyl0Ybej9jNJdEDJzDHKzVwU4NrfefcTWqUOQDNbpClGtXcQHlUt +hjREPWpyAEH1OhD5NDTSMI5YYKZDEfiN6oEpWlc7WK0mXZuY5mHOo0B3yNDfV845 ++7CGPK9zuE56/f9SLmCaFsCkNMGbvV4ybLRoBfZdnC5NPOKyJXQ0TG0CbxGMgIN5 +cOrBphU+ZrPYY+p4jEoD5rvFugQl4+oRsvxygpJV5t8pe1ihNMhmzu3CpRtMjmRA +dzK+27Z8p7m8BORuoC+NbXVpcmjIueXDkYdxP+09qUyw8xE398tAuEXpbCVoQ68b +6NDCBpowgvUu34zxDn0wKdt2YGHB6z7Kl7b8RycWG3Y8u/Hs+l6QehEmiy6UKXl7 +zW3PIi3192WzElUi7TtG/btqC6YPs0U3SQMkNWzwkjbKM9bC4gPFMK05a8QENc66 +M+USWjNg0TiAkGP9PDlpYyhtjicCTgL51lDm8LBXr9cbzvXav7Jc6NVh7Zby89r1 +DsPFzfDkccOX6nSnqYMISmvRUGrGfgrkeeM0MNu93aPTrs+0fxq+HJIZEhX/YCyQ +N4jqM+hQGh9bOwM7BacaP9F9vnq2hDK2WIXlWChX9Q70xArViJqzI8/76Ph1inPb +jbJczSVSaWNoYXJkIExldml0dGUgPGxldml0dGVAb3BlbnNzbC5vcmc+wsGPBBMB +AgAiBQJUMGwKAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnu +jBYhBHlTrB+8PcizspI5PtXp5D99+e6M1bAP/0byoJMiMsswapbBypQCT/vQmaoX +jZzNcU4qAKlB5EMlHkxl1T8ytEXxmNMd/e0ltV9HALeBqX1eYHS7oTG3rMXKuYVY +TO19eM2wLiCW664EUtOsB9zAnpp6X+8UWMoNEpWlEHgkdlADQ0xIrrH3pt29SAbd +x0QsvwkWPawEoKMoUiGPnVY4hAt7Xx9gDmWEa2T6tExd9soBBTIuIpTH3MbAEHsv +nBbdyarNltGF/pXYGMmGaYmU0WujqKzqpBpy3zwd0Rx1Kms5e0ZcypVzqx3Xgcue +W8fbMPTZbG+Z922GUFDJ139WjAA2FsMJ9ES7XIIoJh/4nfBwk+PXcj29TieDnl2r +d4x7Yxnqp4Vzau+IARz9Vr1OIFVlQbaSdXfmDFi/fvVf9CJZnWwcSwkqp4pk50Zy +nEA+8TzEQj08jdj0+yrJNvbRxqbIafzSmoU77bANs4gc0WOdTTpvv4honUQROARp +G/JT47hE7ATVGNdF7bmWNEyEYFtZMdGP0xD+K0xEgsir65aruVixVrNKxOX9wqx6 +JGzHTSTgtAVYAvMIsWJTLuCXZbMRmmmmubfyVaMAisz5UIYD+TCPncuJ1dMUW9WI +uLNFGLTRGHri01EWe2epaHZWA0WB0cQZaeGpc7C986WskDi9SA9ZzCIGW4oQIBQX +lRJjjYxIBCnjxtUWzSVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAbGV2aXR0ZS5v 
+cmc+wsGSBBMBAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVDBtJgIZ +AQAhCRDV6eQ/ffnujBYhBHlTrB+8PcizspI5PtXp5D99+e6MmN0P/AmpB8DasBnj +h9fAlBM8kEZ23MHVdEguPWX8KBML4L6eVlWRn7hdfpvOS90Ll5LTdtWPAQs8lDYh +4V86hIYgLK9tisZyby+5NT4dEl6CXgHbRjdDbp0xKfGc5F9jWzPZpG8ZdDz6Zbvd +ooy/4ThXNS16HcsJRckan6oFjCNAWSNpXDYcLtA7+9ncimrC/C+kGYlyPWJGYZu1 +C3I+oL3+qWwiqAG9hp/zedsIsNP7o24wb0SgD0dTzphmOAPwTRfGS2DHhpbAH9P6 +MZPiFBRGsARRRFfTRGkzI9W1M4bv9l/L8s6STpjD8+40f+aUE8cyUcNj1ycyRGFA +nwf5MeO3MqzvjocoUyoZNc4t7/6rh6sceFjgMt/DFFZbi3kvz9cJBcaN6TWWktd4 ++1WmLxwcF0n3xaB04KCvXTaBZ5f/Hz5D4O8HyYsS6GlW6yIUiuAOvav8WizaTMbY +k81XfXBuBKv7Vxk0fRYf9+HJ7fyWyIlIN9FqrSiiopA3JR+8gP8ueFcycmLnl2D9 +fyZn/sv+UCLrMR6fyD/5EtzgzW0AJ8BDJw5n7ctmZ6UhuasDZZMPC2uB9LVhpQ8W +3mDDxJoaYe5bE2p0ca+mwEHZQpbpjmtT/2x5rGFZYxBUOhuGn/94zEYSqLLDirlF +IEUgucXLOLQHyEl+kEkCLEmSbn71WsM8wsGPBBMBAgAiBQJUMGs2AhsDBgsJCAcD +AgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnujBYhBHlTrB+8PcizspI5PtXp +5D99+e6MbdMP/1yj/fl/t8sl6ZH8v26uBBLSUeZPJYef9TCoe6akV//x4JLujB8y +dGGW8bToC680zpuYlNn+avMwmjyocPwe7Cqgev6AyO+CjspoodM9Xai0y10CAHCl +vGAW8mX7c79jtLcMB/Z/0+5u4ErkzfwyURRpB5deLcQ4LhyRVZbLQ72fdCrmPYzO +e6Rhmfr9nWKL/oHDTLDUtRjAXdurI8YQKK9nCtbsM2uytvYkzpD2wx0B16rB7N04 +QLJBNDyOUJwnm4K+Xt9LLs8NUJ8JXCdwXKXGrFFbt2b3vmy0y4/NR5AUoS444ao5 +1mybA19WkCcCj5mSKmfZ9Dfbv6K3JCJx4ra5uJT2HP2M3NugtumQ1KPBUlNApVC6 +u+Vn7SMqFW/KFRCxOjXDWWU+F4prqzOVc5SYqIUOk7XVxgj1FBryw5Wel5iq1Bn8 +La1Fv3Hs/+pUKHRYYIC48kRET7h6oCmBiNn+XmU0A2qZnIyblmVpmfYftj3UWUC0 +S86qf/dRi8unTXYl8qEQyOSPz8g6t2RDgEsJOzKhiO+j+wcBYVOgrSgsawC8yxjA +zfVwkprUJognVBJFCv4sKMb9wg99iEacI6O401w3FQy5FyokjmxXzrhn0UPj3t35 +wd81WZ5HWaBSLnBo8HklfDyaybPlXODldSI7OGOch/0/CZEQzQwzsmnazsFNBFQw +azYBEADPNcBdaXTUwkG81K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpj +U45kx/wO5KiTVj+bM+scSzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV +9qT3i0eSSpa1Kpx8eAHKcVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdk +HsEoMSVU6Jy86E908OLaJbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHM +el8ZcEgTah7huS6lUA4seQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1 
+nbMQ/dEvMQpFxLCOBNQP0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAt +c/+iwMUkQQXJRw7Vlp9Fp9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQ +Je31m7sezA3cLnFR86ol2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+ +sjauCZQW3KYx31Il5bO3ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbh +ddJBHsd7GNkwzb1QivcqnYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz +5JTjMkj1s9cppQ8tdqiV4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABwsF2BBgB +AgAJBQJUMGs2AhsMACEJENXp5D99+e6MFiEEeVOsH7w9yLOykjk+1enkP3357ozr +2A//YzMQJ6Mo+/SU328dOeoseI/sFypuK882pPhXfJqX8l8H1zyHbKWy5lLLiv1M +oNOC/8pWbpv2QlWyN3PKrB6srClnpPyiHIO37/lQBcpjvAfy9HWpl21FDxn9Ruxn +a/IMYwq60EjE5h8NynNn57vydF3qTcTqkhtHW61L3vbBAcz9VMSay9QVm1f6qzM5 +WbbLxp1sfNjQWKSo381kjs1Vj7yCTBrJul3qSeX0CsRB7WF5VYMalpNTHPRIqCWp +zTMcO3E5SSGIJy+AqwAZZvFiylGrSsux6TnVEVJ07s0nn1yj3q7Ii7av+waGmTf7 +9B0AyZv0IZ4j4NUWFNnGhsG1bEumFLkQl7Id/M61k0yKOusHdzDcZbCzecyww1w3 +WD+j4wvGkfBy4mQRqLiyjutsN/dpxRRkULATME+TH9J5eNq0A5sRRaayEiA1TDcA +WfF0PtA4smNy1GyIarobC+xn8AENi4eeYZBbfDfh8oRhEsICQ6rs098wiYz8jtZ/ +pOruzbiD7ZKDy+vjKtYqgjGnioHQalJCZrKTUnREpH102pg1Cw6v2OcjiXsqU5L7 +Yrhv1jQIluII051VIJ/QBWe5uT7YiJOsMLMQGWvkObPXEYLld2UF6hK6MH4epkwV +/w1uNqnlvIeEFgHTKmSHvfwlAF64lUiDCUdWExXybKkE2NY= +=1H60 -----END PGP PUBLIC KEY BLOCK-----
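Review bot: the removed and added lines of this openssl.keyring hunk swap the armored key material wholesale, down to the checksum line (`=Ctij` becomes `=1H60`), and nothing in the visible commit message says which signing key was dropped or added, or why. This file is the trust anchor used to check openssl-1.1.1t.tar.gz.asc, and a base64 diff cannot be reviewed by eye. Please list the full fingerprints of the removed and added keys in the openssl-1_1.changes entry, state that they were compared against the fingerprints the OpenSSL project publishes, and confirm that the new tarball signature verifies against the updated keyring.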