Accepting request 1063662 from home:ohollmann:branches:security:tls

- Update to 3.0.8:
  * Fixed NULL dereference during PKCS7 data verification.
    A NULL pointer can be dereferenced when signatures are being
    verified on PKCS7 signed or signedAndEnveloped data. In case the hash
    algorithm used for the signature is known to the OpenSSL library but
    the implementation of the hash algorithm is not available the digest
    initialization will fail. There is a missing check for the return
    value from the initialization function which later leads to invalid
    usage of the digest API most likely leading to a crash.
    ([bsc#1207541, CVE-2023-0401])
    PKCS7 data is processed by the SMIME library calls and also by the
    time stamp (TS) library calls. The TLS implementation in OpenSSL does
    not call these functions however third party applications would be
    affected if they call these functions to verify signatures on untrusted
    data.
  * Fixed X.400 address type confusion in X.509 GeneralName.
    There is a type confusion vulnerability relating to X.400 address processing
    inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
    but the public structure definition for GENERAL_NAME incorrectly specified
    the type of the x400Address field as ASN1_TYPE. This field is subsequently
    interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather
    than an ASN1_STRING.
    When CRL checking is enabled (i.e. the application sets the
    X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to
    pass arbitrary pointers to a memcmp call, enabling them to read memory
    contents or enact a denial of service.
    ([bsc#1207533, CVE-2023-0286])
  * Fixed NULL dereference validating DSA public key.
    An invalid pointer dereference on read can be triggered when an
    application tries to check a malformed DSA public key by the

OBS-URL: https://build.opensuse.org/request/show/1063662
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=53

openssl-3-Fix-double-locking-problem.patch

@@ -1,34 +0,0 @@
-From 4d0340a6d2f327700a059f0b8f954d6160f8eef5 Mon Sep 17 00:00:00 2001
-From: Pauli <pauli@openssl.org>
-Date: Fri, 11 Nov 2022 09:40:19 +1100
-Subject: [PATCH] x509: fix double locking problem
-
-This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the
-redundant flag setting.
-
-Fixes #19643
-
-Fixes LOW CVE-2022-3996
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/19652)
----
- crypto/x509/pcy_map.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c
-index 05406c6493f..60dfd1e3203 100644
---- a/crypto/x509/pcy_map.c
-+++ b/crypto/x509/pcy_map.c
-@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
- 
-     ret = 1;
-  bad_mapping:
--    if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
--        x->ex_flags |= EXFLAG_INVALID_POLICY;
--        CRYPTO_THREAD_unlock(x->lock);
--    }
-     sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
-     return ret;
- 

openssl-3.0.7.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e
-size 15107575

openssl-3.0.7.tar.gz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJGBAABCAAwFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmNhKfISHHRvbWFzQG9w
-ZW5zc2wub3JnAAoJEFJ0ZqIcp55tQ84P/3vLj5HFHCSjkdthzR+sdxD+ndrdjOgT
-ToEGqkAntayT8eVwcWNTum71JNc3XCZZEa3KvuvuiK7+emYAhk+zV/R0obyKnNqu
-it7ZbhMxgWfJnXYIz6aOAZQMYyMr2EFazd5avnR4lY3DkGdvdKC/Gwx7WT+KvOZN
-xsrYEkupa23VFdah/pcaR+3FIYRPBn5Y8qwRIpXsPm8GZMHbJF2N4BpTEQFuwZtQ
-RuHnNheqeJp9DFMcGQdjYU7GTSEL8sh1QgwG+WFp0zVUWoPMzb7IfGRXQK4SHuE4
-qPcQOT7X7nwiFgQGDYClzlkCyduX0LCJMBl+QMOoYTj/HjXejgucrKSlZpInsfD5
-jAm1vyX0SKNaQ5mAXOmruBcztDAsag+XedmLlodZMgjBp3wyq8VyY2dg/EQXCHtn
-B/K3vJJj9kJADYD0WVre4n8x5v87lFyTHvrDvtLgZeIs8jUho7Fh9Vr5aYLqAvZ5
-mR4ZJYmv+K+/h4oNn2j6Q0IclOmjfq0UxB46G0l9yfr/yWo5xebwwa5HPNxwCySg
-+sAY0/yBoZmcI7POjtbWz6ZJr4nOvwhxnFcIlLxvgJIrNHJJNGHHYT5vCFEuNM/W
-8QS2+iEoTnYNi46G0q5Zr2VW2UsZGodcPO51RyWZd+EvsH+1D9ZxQxjuUzidrksy
-vulYjGcU9Di4
-=72eE
------END PGP SIGNATURE-----

openssl-3.0.8.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e
+size 15151328

openssl-3.0.8.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAmPiVZsACgkQ1enkP335
+7owJ6BAAk2EnBElYMTM3SuqLDp4fdf2EhSfhxWG45Q9oV8BQ3Th/l8zia/pIOLs7
+Pt6MXYhdd6IdVij5HMMR/ZMUJi/YnYG9lhhJ+p4NTHP+Tc4UjHoexJQuDZk9jM6y
+zynSONsuIZRAXI4hiJ2Lg5X0iLhEuYBblPUDDdkO8ojTYkEohMQDj4Jt63vVPylV
+m+tIDFVfYVQpXnORvy0LNDyjQhDb+gEEnAt8XwpE9FnrvkREHM1WQgmI4+1FLXBc
+MaCWoFGEmFRMqxbqEjrtnCCafFcCKGYQnozrdN8VK62xGhDEOwEwjgzW00rm1TIG
+eKOp9XOwcZehM5VR622eD/N4A96ET5Q3WOgqc76I8sWmx0lu/PaXl5bZcAeZpG4v
+dYI926XSaSsrQ2ADhpgl02vLTVISMejmTNrxZjci0Ce76xjFfcxutD8wppL9Zqg4
+dwmpW8+qpgXZ+ABN6qYWsIXVHijJcyJgmFdQdcF/FfjVRxviCncz2i5dyUNUgw6Z
++nLlYNfk+6v0EVIgIA3rw8TGKGom3m1+d41KAMdEAET6n1D/SKbJxCyyYlBBGZBT
+7Vd5u2zEjMK4b0Iv81Nq4YsActWk69PULfkYLgRGSvBFtpIn9g9RgV7hKlFTvZ/5
+S4A8XH/qrlSk+jb2Bl7qlgyZceDti8Ef6Ktz9YDdH0O133BRxAQ=
+=FUbH
+-----END PGP SIGNATURE-----

openssl-3.changes

@@ -1,3 +1,135 @@
+-------------------------------------------------------------------
+Tue Feb  7 15:43:22 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
+
+- Update to 3.0.8:
+  * Fixed NULL dereference during PKCS7 data verification.
+    A NULL pointer can be dereferenced when signatures are being
+    verified on PKCS7 signed or signedAndEnveloped data. In case the hash
+    algorithm used for the signature is known to the OpenSSL library but
+    the implementation of the hash algorithm is not available the digest
+    initialization will fail. There is a missing check for the return
+    value from the initialization function which later leads to invalid
+    usage of the digest API most likely leading to a crash.
+    ([bsc#1207541, CVE-2023-0401])
+
+    PKCS7 data is processed by the SMIME library calls and also by the
+    time stamp (TS) library calls. The TLS implementation in OpenSSL does
+    not call these functions however third party applications would be
+    affected if they call these functions to verify signatures on untrusted
+    data.
+  * Fixed X.400 address type confusion in X.509 GeneralName.
+    There is a type confusion vulnerability relating to X.400 address processing
+    inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
+    but the public structure definition for GENERAL_NAME incorrectly specified
+    the type of the x400Address field as ASN1_TYPE. This field is subsequently
+    interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather
+    than an ASN1_STRING.
+
+    When CRL checking is enabled (i.e. the application sets the
+    X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to
+    pass arbitrary pointers to a memcmp call, enabling them to read memory
+    contents or enact a denial of service.
+    ([bsc#1207533, CVE-2023-0286])
+  * Fixed NULL dereference validating DSA public key.
+    An invalid pointer dereference on read can be triggered when an
+    application tries to check a malformed DSA public key by the
+    EVP_PKEY_public_check() function. This will most likely lead
+    to an application crash. This function can be called on public
+    keys supplied from untrusted sources which could allow an attacker
+    to cause a denial of service attack.
+
+    The TLS implementation in OpenSSL does not call this function
+    but applications might call the function if there are additional
+    security requirements imposed by standards such as FIPS 140-3.
+    ([bsc#1207540, CVE-2023-0217])
+  * Fixed Invalid pointer dereference in d2i_PKCS7 functions.
+    An invalid pointer dereference on read can be triggered when an
+    application tries to load malformed PKCS7 data with the
+    d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.
+
+    The result of the dereference is an application crash which could
+    lead to a denial of service attack. The TLS implementation in OpenSSL
+    does not call this function however third party applications might
+    call these functions on untrusted data.
+    ([bsc#1207539, CVE-2023-0216])
+  * Fixed Use-after-free following BIO_new_NDEF.
+    The public API function BIO_new_NDEF is a helper function used for
+    streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
+    to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
+    be called directly by end user applications.
+
+    The function receives a BIO from the caller, prepends a new BIO_f_asn1
+    filter BIO onto the front of it to form a BIO chain, and then returns
+    the new head of the BIO chain to the caller. Under certain conditions,
+    for example if a CMS recipient public key is invalid, the new filter BIO
+    is freed and the function returns a NULL result indicating a failure.
+    However, in this case, the BIO chain is not properly cleaned up and the
+    BIO passed by the caller still retains internal pointers to the previously
+    freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
+    then a use-after-free will occur. This will most likely result in a crash.
+    ([bsc#1207536, CVE-2023-0215])
+  * Fixed Double free after calling PEM_read_bio_ex.
+    The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
+    decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
+    data. If the function succeeds then the "name_out", "header" and "data"
+    arguments are populated with pointers to buffers containing the relevant
+    decoded data. The caller is responsible for freeing those buffers. It is
+    possible to construct a PEM file that results in 0 bytes of payload data.
+    In this case PEM_read_bio_ex() will return a failure code but will populate
+    the header argument with a pointer to a buffer that has already been freed.
+    If the caller also frees this buffer then a double free will occur. This
+    will most likely lead to a crash.
+
+    The functions PEM_read_bio() and PEM_read() are simple wrappers around
+    PEM_read_bio_ex() and therefore these functions are also directly affected.
+
+    These functions are also called indirectly by a number of other OpenSSL
+    functions including PEM_X509_INFO_read_bio_ex() and
+    SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
+    internal uses of these functions are not vulnerable because the caller does
+    not free the header argument if PEM_read_bio_ex() returns a failure code.
+    ([bsc#1207538, CVE-2022-4450])
+  * Fixed Timing Oracle in RSA Decryption.
+    A timing based side channel exists in the OpenSSL RSA Decryption
+    implementation which could be sufficient to recover a plaintext across
+    a network in a Bleichenbacher style attack. To achieve a successful
+    decryption an attacker would have to be able to send a very large number
+    of trial messages for decryption. The vulnerability affects all RSA padding
+    modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
+    ([bsc#1207534, CVE-2022-4304])
+  * Fixed X.509 Name Constraints Read Buffer Overflow.
+    A read buffer overrun can be triggered in X.509 certificate verification,
+    specifically in name constraint checking. The read buffer overrun might
+    result in a crash which could lead to a denial of service attack.
+    In a TLS client, this can be triggered by connecting to a malicious
+    server. In a TLS server, this can be triggered if the server requests
+    client authentication and a malicious client connects.
+    ([bsc#1207535, CVE-2022-4203])
+  * Fixed X.509 Policy Constraints Double Locking security issue.
+    If an X.509 certificate contains a malformed policy constraint and
+    policy processing is enabled, then a write lock will be taken twice
+    recursively.  On some operating systems (most widely: Windows) this
+    results in a denial of service when the affected process hangs.  Policy
+    processing being enabled on a publicly facing server is not considered
+    to be a common setup.
+    ([CVE-2022-3996])
+  * Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and
+    `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor
+    `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and
+    default to `POINT_CONVERSION_UNCOMPRESSED`) when exporting
+    `OSSL_PKEY_PARAM_PUB_KEY`, instead of unconditionally using
+    `POINT_CONVERSION_COMPRESSED` as in previous 3.x releases.
+    For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
+    for legacy EC and SM2 keys is also changed similarly to honor the
+    equivalent conversion format flag as specified in the underlying
+    `EC_KEY` object being exported to a provider, when this function is
+    called through `EVP_PKEY_export()`.
+  * Removed openssl-3-Fix-double-locking-problem.patch,
+    contained in upstream.
+  * Rebased openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+  * Update openssl.keyring with key
+    7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C (Richard Levitte)
+
 -------------------------------------------------------------------
 Thu Jan 26 08:17:50 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
 

openssl-3.spec

@@ -22,7 +22,7 @@
 %define man_suffix 3ssl
 Name:           openssl-3
 # Don't forget to update the version in the "openssl" meta-package!
-Version:        3.0.7
+Version:        3.0.8
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 License:        Apache-2.0
@@ -46,8 +46,7 @@ Patch6:         openssl-no-date.patch
 # Add crypto-policies support
 Patch7:         openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
 Patch8:         openssl-Override-default-paths-for-the-CA-directory-tree.patch
-# PATCH-FIX-UPSTREAM bsc#1206374 CVE-2022-3996 X.509 Policy Constraints Double Locking
-Patch9:         openssl-3-Fix-double-locking-problem.patch
+
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)
 Requires:       libopenssl3 = %{version}-%{release}
@@ -71,6 +70,7 @@ OpenSSL contains an implementation of the SSL and TLS protocols.
 
 %package -n libopenssl3
 Summary:        Secure Sockets and Transport Layer Security
+License:        Apache-2.0
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:       crypto-policies
 %endif
@@ -89,6 +89,7 @@ OpenSSL contains an implementation of the SSL and TLS protocols.
 
 %package -n libopenssl-3-devel
 Summary:        Development files for OpenSSL
+License:        Apache-2.0
 Requires:       libopenssl3 = %{version}
 Requires:       pkgconfig(zlib)
 Recommends:     %{name} = %{version}
@@ -106,6 +107,7 @@ that want to make use of the OpenSSL C API.
 
 %package doc
 Summary:        Additional Package Documentation
+License:        Apache-2.0
 Conflicts:      openssl-doc
 Provides:       openssl-doc = %{version}
 Obsoletes:      openssl-doc < %{version}

openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch

@@ -5,20 +5,18 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
 
 (was openssl-1.1.1-system-cipherlist.patch)
 ---
- Configurations/unix-Makefile.tmpl |  5 ++
- Configure                         | 10 +++-
- doc/man1/openssl-ciphers.pod.in   |  9 ++++
- include/openssl/ssl.h.in          |  5 ++
- ssl/ssl_ciph.c                    | 88 +++++++++++++++++++++++++++----
- ssl/ssl_lib.c                     |  4 +-
- test/cipherlist_test.c            |  2 +
- util/libcrypto.num                |  1 +
+ Configurations/unix-Makefile.tmpl |    5 ++
+ Configure                         |   11 ++++
+ doc/man1/openssl-ciphers.pod.in   |    9 +++
+ include/openssl/ssl.h.in          |    5 ++
+ ssl/ssl_ciph.c                    |   87 +++++++++++++++++++++++++++++++++-----
+ ssl/ssl_lib.c                     |    4 -
+ test/cipherlist_test.c            |    2 
+ util/libcrypto.num                |    1 
  8 files changed, 110 insertions(+), 14 deletions(-)
 
-Index: openssl-3.0.7/Configurations/unix-Makefile.tmpl
-===================================================================
---- openssl-3.0.7.orig/Configurations/unix-Makefile.tmpl
-+++ openssl-3.0.7/Configurations/unix-Makefile.tmpl
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
 @@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
  DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
  HTMLDIR=$(DOCDIR)/html
@@ -38,10 +36,49 @@ Index: openssl-3.0.7/Configurations/unix-Makefile.tmpl
                                    (map { "-I".$_} @{$config{CPPINCLUDES}}),
                                    @{$config{CPPFLAGS}}) -}
  CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
-Index: openssl-3.0.7/doc/man1/openssl-ciphers.pod.in
-===================================================================
---- openssl-3.0.7.orig/doc/man1/openssl-ciphers.pod.in
-+++ openssl-3.0.7/doc/man1/openssl-ciphers.pod.in
+--- a/Configure
++++ b/Configure
+@@ -27,7 +27,7 @@ use OpenSSL::config;
+ my $orig_death_handler = $SIG{__DIE__};
+ $SIG{__DIE__} = \&death_handler;
+ 
+-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
++my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+ 
+ my $banner = <<"EOF";
+ 
+@@ -61,6 +61,10 @@ EOF
+ #               given with --prefix.
+ #               This becomes the value of OPENSSLDIR in Makefile and in C.
+ #               (Default: PREFIX/ssl)
++#
++# --system-ciphers-file  A file to read cipher string from when the PROFILE=SYSTEM
++#		cipher is specified (default).
++#
+ # --banner=".." Output specified text instead of default completion banner
+ #
+ # -w            Don't wait after showing a Configure warning
+@@ -387,6 +391,7 @@ $config{prefix}="";
+ $config{openssldir}="";
+ $config{processor}="";
+ $config{libdir}="";
++$config{system_ciphers_file}="";
+ my $auto_threads=1;    # enable threads automatically? true by default
+ my $default_ranlib;
+ 
+@@ -989,6 +994,10 @@ while (@argvcopy)
+                         die "FIPS key too long (64 bytes max)\n"
+                            if length $1 > 64;
+                         }
++                elsif (/^--system-ciphers-file=(.*)$/)
++                        {
++                        $config{system_ciphers_file}=$1;
++                        }
+                 elsif (/^--banner=(.*)$/)
+                         {
+                         $banner = $1 . "\n";
+--- a/doc/man1/openssl-ciphers.pod.in
++++ b/doc/man1/openssl-ciphers.pod.in
 @@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
  
  The cipher suites not enabled by B<ALL>, currently B<eNULL>.
@@ -58,10 +95,8 @@ Index: openssl-3.0.7/doc/man1/openssl-ciphers.pod.in
  =item B<HIGH>
  
  "High" encryption cipher suites. This currently means those with key lengths
-Index: openssl-3.0.7/include/openssl/ssl.h.in
-===================================================================
---- openssl-3.0.7.orig/include/openssl/ssl.h.in
-+++ openssl-3.0.7/include/openssl/ssl.h.in
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
 @@ -210,6 +210,11 @@ extern "C" {
   * throwing out anonymous and unencrypted ciphersuites! (The latter are not
   * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
@@ -74,10 +109,8 @@ Index: openssl-3.0.7/include/openssl/ssl.h.in
  
  /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
  # define SSL_SENT_SHUTDOWN       1
-Index: openssl-3.0.7/ssl/ssl_ciph.c
-===================================================================
---- openssl-3.0.7.orig/ssl/ssl_ciph.c
-+++ openssl-3.0.7/ssl/ssl_ciph.c
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
 @@ -1438,6 +1438,53 @@ int SSL_set_ciphersuites(SSL *s, const c
      return ret;
  }
@@ -231,10 +264,8 @@ Index: openssl-3.0.7/ssl/ssl_ciph.c
  }
  
  char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
-Index: openssl-3.0.7/ssl/ssl_lib.c
-===================================================================
---- openssl-3.0.7.orig/ssl/ssl_lib.c
-+++ openssl-3.0.7/ssl/ssl_lib.c
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
 @@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
                                  ctx->tls13_ciphersuites,
                                  &(ctx->cipher_list),
@@ -253,10 +284,8 @@ Index: openssl-3.0.7/ssl/ssl_lib.c
          || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
          ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
          goto err2;
-Index: openssl-3.0.7/test/cipherlist_test.c
-===================================================================
---- openssl-3.0.7.orig/test/cipherlist_test.c
-+++ openssl-3.0.7/test/cipherlist_test.c
+--- a/test/cipherlist_test.c
++++ b/test/cipherlist_test.c
 @@ -246,7 +246,9 @@ end:
  
  int setup_tests(void)
@@ -267,55 +296,10 @@ Index: openssl-3.0.7/test/cipherlist_test.c
      ADD_TEST(test_default_cipherlist_explicit);
      ADD_TEST(test_default_cipherlist_clear);
      return 1;
-Index: openssl-3.0.7/util/libcrypto.num
-===================================================================
---- openssl-3.0.7.orig/util/libcrypto.num
-+++ openssl-3.0.7/util/libcrypto.num
-@@ -5427,3 +5427,4 @@ EVP_PKEY_get0_provider
- EVP_PKEY_CTX_get0_provider              5555	3_0_0	EXIST::FUNCTION:
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -5428,3 +5428,4 @@ EVP_PKEY_CTX_get0_provider
  OPENSSL_strcasecmp                      5556	3_0_3	EXIST::FUNCTION:
  OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:
+ OSSL_CMP_CTX_reset_geninfo_ITAVs        5558	3_0_8	EXIST::FUNCTION:CMP
 +ossl_safe_getenv                        ?	3_0_0   EXIST::FUNCTION:
-Index: openssl-3.0.7/Configure
-===================================================================
---- openssl-3.0.7.orig/Configure
-+++ openssl-3.0.7/Configure
-@@ -27,7 +27,7 @@ use OpenSSL::config;
- my $orig_death_handler = $SIG{__DIE__};
- $SIG{__DIE__} = \&death_handler;
- 
--my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
-+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
- 
- my $banner = <<"EOF";
- 
-@@ -61,6 +61,10 @@ EOF
- #               given with --prefix.
- #               This becomes the value of OPENSSLDIR in Makefile and in C.
- #               (Default: PREFIX/ssl)
-+#
-+# --system-ciphers-file  A file to read cipher string from when the PROFILE=SYSTEM
-+#		cipher is specified (default).
-+#
- # --banner=".." Output specified text instead of default completion banner
- #
- # -w            Don't wait after showing a Configure warning
-@@ -387,6 +391,7 @@ $config{prefix}="";
- $config{openssldir}="";
- $config{processor}="";
- $config{libdir}="";
-+$config{system_ciphers_file}="";
- my $auto_threads=1;    # enable threads automatically? true by default
- my $default_ranlib;
- 
-@@ -989,6 +994,10 @@ while (@argvcopy)
-                         die "FIPS key too long (64 bytes max)\n"
-                            if length $1 > 64;
-                         }
-+                elsif (/^--system-ciphers-file=(.*)$/)
-+                        {
-+                        $config{system_ciphers_file}=$1;
-+                        }
-                 elsif (/^--banner=(.*)$/)
-                         {
-                         $banner = $1 . "\n";

openssl.keyring

@@ -1,113 +1,94 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: 7953 AC1F BC3D C8B3 B292  393E D5E9 E43F 7DF9 EE8C
+Comment: Richard Levitte <levitte@lp.se>
+Comment: Richard Levitte <levitte@openssl.org>
+Comment: Richard Levitte <richard@levitte.org>
 
-mQINBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr
-55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH
-F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi
-UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag
-pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K
-/Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv
-MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8
-laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB
-HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3
-zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06
-YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB
-tBtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz6JAlQEEwEIAD4WIQSiH6t0sAiK
-o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe
-AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy
-U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE
-KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W
-nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh
-1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I
-m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj
-kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD
-IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M
-8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6
-z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41
-xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM
-MriPFbQfVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PokCVAQTAQgAPhYh
-BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL
-AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk
-8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO
-UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv
-FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW
-FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q
-UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy
-Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS
-2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW
-kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm
-T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI
-yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I
-8tmXB4BcoHFB9N0AtCFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz6J
-AlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL
-CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh
-KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo
-2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ
-+J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4
-yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M
-cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A
-ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly
-Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y
-q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt
-Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj
-hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI
-w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZbkCDQRg8UyoARAApiWRrHjdEu9Fp2yd7K93
-VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27
-1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp
-djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50
-IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK
-bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn
-gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w
-NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh
-D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H
-a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB
-HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc
-nAaLOI/nw1ydegw8F+s1ALEAEQEAAYkEcgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv
-Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy
-Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+
-otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5
-SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358
-cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0
-8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ
-vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV
-yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A
-HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg
-K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs
-aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh
-uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE
-cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk
-RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F
-9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/
-JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g
-muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN
-86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr
-HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S
-DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE
-ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro
-uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY
-YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl
-JKbGoqC+wchHmOK5Ag0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u
-aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq
-oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7
-FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM
-ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL
-vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+
-i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb
-PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum
-ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE
-N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH
-eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs
-LQ1kotFTABEBAAGJAjwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM
-JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh
-QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB
-uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS
-nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u
-sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD
-NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C
-nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE
-FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ
-qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX
-Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc
-zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2
-TIdjvGbJ/k4qxw==
-=Ctij
+xsFNBFQwazYBEAC01v949yFYzwbn0UkEkM3MHTrDqWbp+erhXqdVD5ymG/pXvmqx
+5KlxL1TZMuWEFuaq9EVkW8Wm5glk4D14IalIVKARAMDwqgNrPnw0GCAmNIf+Omvl
+G7gdsSR93eALJp1vvKZpeEVZj0M0gQ1i4QIIR8PMqs+2jaYyed4HhRYzUbGKZMnr
+94Onby8FIAYq0B79VqBv5NfMc2KEKrLXwuDSjtZd2TGB7qeLF7sCczyFoi5XTj+B
+iVfdxCzoYEa1Rjp5hGllVj85w2DdfKED/BW7VCel4H+WTZGqTFQ1e3kPo1KdqlwD
+F+Ci2JFU6myPy0LpHrNhn6FsdQGOuRKgYPycol7VzJHKtcGNMDkUFGV2DsgljQuW
+Sj5TNNX5umFCIIN94eLvHtV9bXP98yKB/5pr2JhagL6kdU7OE0c/mugA05gGQTUJ
+DeLNsRq54YC+CLyM9dxMvH7yB43yMfUvgKcSRt0sHUo8g5aOYdFq0SXQUr8+t/iH
+3t5/JxhqBik8FBiu0aISsTDUbvbxQQQe/LhfR+FWDZRFwHOL0VELapfw1whitGG+
+y+F9fQIJfa5yzEiC9AWYZjHRaFB7q6LAvF0V8vP+pkT157fTK63W53mt1+VPMt2L
+732i+/Cqy/6HzwOdnNnNyfEdvm2Jojs8KXN20vChnfUGifvTjxuiFib9sQARAQAB
+zR9SaWNoYXJkIExldml0dGUgPGxldml0dGVAbHAuc2U+wsGPBBMBAgAiBQJUMGwd
+AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnujBYhBHlTrB+8
+PcizspI5PtXp5D99+e6Mq7QP/iNhBEDJYRTrYc6JAmRIg6YyiKjeOx8kXtVCe9+q
+CzC+Y9ehyZB5Dyl0Ybej9jNJdEDJzDHKzVwU4NrfefcTWqUOQDNbpClGtXcQHlUt
+hjREPWpyAEH1OhD5NDTSMI5YYKZDEfiN6oEpWlc7WK0mXZuY5mHOo0B3yNDfV845
++7CGPK9zuE56/f9SLmCaFsCkNMGbvV4ybLRoBfZdnC5NPOKyJXQ0TG0CbxGMgIN5
+cOrBphU+ZrPYY+p4jEoD5rvFugQl4+oRsvxygpJV5t8pe1ihNMhmzu3CpRtMjmRA
+dzK+27Z8p7m8BORuoC+NbXVpcmjIueXDkYdxP+09qUyw8xE398tAuEXpbCVoQ68b
+6NDCBpowgvUu34zxDn0wKdt2YGHB6z7Kl7b8RycWG3Y8u/Hs+l6QehEmiy6UKXl7
+zW3PIi3192WzElUi7TtG/btqC6YPs0U3SQMkNWzwkjbKM9bC4gPFMK05a8QENc66
+M+USWjNg0TiAkGP9PDlpYyhtjicCTgL51lDm8LBXr9cbzvXav7Jc6NVh7Zby89r1
+DsPFzfDkccOX6nSnqYMISmvRUGrGfgrkeeM0MNu93aPTrs+0fxq+HJIZEhX/YCyQ
+N4jqM+hQGh9bOwM7BacaP9F9vnq2hDK2WIXlWChX9Q70xArViJqzI8/76Ph1inPb
+jbJczSVSaWNoYXJkIExldml0dGUgPGxldml0dGVAb3BlbnNzbC5vcmc+wsGPBBMB
+AgAiBQJUMGwKAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnu
+jBYhBHlTrB+8PcizspI5PtXp5D99+e6M1bAP/0byoJMiMsswapbBypQCT/vQmaoX
+jZzNcU4qAKlB5EMlHkxl1T8ytEXxmNMd/e0ltV9HALeBqX1eYHS7oTG3rMXKuYVY
+TO19eM2wLiCW664EUtOsB9zAnpp6X+8UWMoNEpWlEHgkdlADQ0xIrrH3pt29SAbd
+x0QsvwkWPawEoKMoUiGPnVY4hAt7Xx9gDmWEa2T6tExd9soBBTIuIpTH3MbAEHsv
+nBbdyarNltGF/pXYGMmGaYmU0WujqKzqpBpy3zwd0Rx1Kms5e0ZcypVzqx3Xgcue
+W8fbMPTZbG+Z922GUFDJ139WjAA2FsMJ9ES7XIIoJh/4nfBwk+PXcj29TieDnl2r
+d4x7Yxnqp4Vzau+IARz9Vr1OIFVlQbaSdXfmDFi/fvVf9CJZnWwcSwkqp4pk50Zy
+nEA+8TzEQj08jdj0+yrJNvbRxqbIafzSmoU77bANs4gc0WOdTTpvv4honUQROARp
+G/JT47hE7ATVGNdF7bmWNEyEYFtZMdGP0xD+K0xEgsir65aruVixVrNKxOX9wqx6
+JGzHTSTgtAVYAvMIsWJTLuCXZbMRmmmmubfyVaMAisz5UIYD+TCPncuJ1dMUW9WI
+uLNFGLTRGHri01EWe2epaHZWA0WB0cQZaeGpc7C986WskDi9SA9ZzCIGW4oQIBQX
+lRJjjYxIBCnjxtUWzSVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAbGV2aXR0ZS5v
+cmc+wsGSBBMBAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVDBtJgIZ
+AQAhCRDV6eQ/ffnujBYhBHlTrB+8PcizspI5PtXp5D99+e6MmN0P/AmpB8DasBnj
+h9fAlBM8kEZ23MHVdEguPWX8KBML4L6eVlWRn7hdfpvOS90Ll5LTdtWPAQs8lDYh
+4V86hIYgLK9tisZyby+5NT4dEl6CXgHbRjdDbp0xKfGc5F9jWzPZpG8ZdDz6Zbvd
+ooy/4ThXNS16HcsJRckan6oFjCNAWSNpXDYcLtA7+9ncimrC/C+kGYlyPWJGYZu1
+C3I+oL3+qWwiqAG9hp/zedsIsNP7o24wb0SgD0dTzphmOAPwTRfGS2DHhpbAH9P6
+MZPiFBRGsARRRFfTRGkzI9W1M4bv9l/L8s6STpjD8+40f+aUE8cyUcNj1ycyRGFA
+nwf5MeO3MqzvjocoUyoZNc4t7/6rh6sceFjgMt/DFFZbi3kvz9cJBcaN6TWWktd4
++1WmLxwcF0n3xaB04KCvXTaBZ5f/Hz5D4O8HyYsS6GlW6yIUiuAOvav8WizaTMbY
+k81XfXBuBKv7Vxk0fRYf9+HJ7fyWyIlIN9FqrSiiopA3JR+8gP8ueFcycmLnl2D9
+fyZn/sv+UCLrMR6fyD/5EtzgzW0AJ8BDJw5n7ctmZ6UhuasDZZMPC2uB9LVhpQ8W
+3mDDxJoaYe5bE2p0ca+mwEHZQpbpjmtT/2x5rGFZYxBUOhuGn/94zEYSqLLDirlF
+IEUgucXLOLQHyEl+kEkCLEmSbn71WsM8wsGPBBMBAgAiBQJUMGs2AhsDBgsJCAcD
+AgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnujBYhBHlTrB+8PcizspI5PtXp
+5D99+e6MbdMP/1yj/fl/t8sl6ZH8v26uBBLSUeZPJYef9TCoe6akV//x4JLujB8y
+dGGW8bToC680zpuYlNn+avMwmjyocPwe7Cqgev6AyO+CjspoodM9Xai0y10CAHCl
+vGAW8mX7c79jtLcMB/Z/0+5u4ErkzfwyURRpB5deLcQ4LhyRVZbLQ72fdCrmPYzO
+e6Rhmfr9nWKL/oHDTLDUtRjAXdurI8YQKK9nCtbsM2uytvYkzpD2wx0B16rB7N04
+QLJBNDyOUJwnm4K+Xt9LLs8NUJ8JXCdwXKXGrFFbt2b3vmy0y4/NR5AUoS444ao5
+1mybA19WkCcCj5mSKmfZ9Dfbv6K3JCJx4ra5uJT2HP2M3NugtumQ1KPBUlNApVC6
+u+Vn7SMqFW/KFRCxOjXDWWU+F4prqzOVc5SYqIUOk7XVxgj1FBryw5Wel5iq1Bn8
+La1Fv3Hs/+pUKHRYYIC48kRET7h6oCmBiNn+XmU0A2qZnIyblmVpmfYftj3UWUC0
+S86qf/dRi8unTXYl8qEQyOSPz8g6t2RDgEsJOzKhiO+j+wcBYVOgrSgsawC8yxjA
+zfVwkprUJognVBJFCv4sKMb9wg99iEacI6O401w3FQy5FyokjmxXzrhn0UPj3t35
+wd81WZ5HWaBSLnBo8HklfDyaybPlXODldSI7OGOch/0/CZEQzQwzsmnazsFNBFQw
+azYBEADPNcBdaXTUwkG81K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpj
+U45kx/wO5KiTVj+bM+scSzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV
+9qT3i0eSSpa1Kpx8eAHKcVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdk
+HsEoMSVU6Jy86E908OLaJbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHM
+el8ZcEgTah7huS6lUA4seQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1
+nbMQ/dEvMQpFxLCOBNQP0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAt
+c/+iwMUkQQXJRw7Vlp9Fp9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQ
+Je31m7sezA3cLnFR86ol2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+
+sjauCZQW3KYx31Il5bO3ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbh
+ddJBHsd7GNkwzb1QivcqnYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz
+5JTjMkj1s9cppQ8tdqiV4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABwsF2BBgB
+AgAJBQJUMGs2AhsMACEJENXp5D99+e6MFiEEeVOsH7w9yLOykjk+1enkP3357ozr
+2A//YzMQJ6Mo+/SU328dOeoseI/sFypuK882pPhXfJqX8l8H1zyHbKWy5lLLiv1M
+oNOC/8pWbpv2QlWyN3PKrB6srClnpPyiHIO37/lQBcpjvAfy9HWpl21FDxn9Ruxn
+a/IMYwq60EjE5h8NynNn57vydF3qTcTqkhtHW61L3vbBAcz9VMSay9QVm1f6qzM5
+WbbLxp1sfNjQWKSo381kjs1Vj7yCTBrJul3qSeX0CsRB7WF5VYMalpNTHPRIqCWp
+zTMcO3E5SSGIJy+AqwAZZvFiylGrSsux6TnVEVJ07s0nn1yj3q7Ii7av+waGmTf7
+9B0AyZv0IZ4j4NUWFNnGhsG1bEumFLkQl7Id/M61k0yKOusHdzDcZbCzecyww1w3
+WD+j4wvGkfBy4mQRqLiyjutsN/dpxRRkULATME+TH9J5eNq0A5sRRaayEiA1TDcA
+WfF0PtA4smNy1GyIarobC+xn8AENi4eeYZBbfDfh8oRhEsICQ6rs098wiYz8jtZ/
+pOruzbiD7ZKDy+vjKtYqgjGnioHQalJCZrKTUnREpH102pg1Cw6v2OcjiXsqU5L7
+Yrhv1jQIluII051VIJ/QBWe5uT7YiJOsMLMQGWvkObPXEYLld2UF6hK6MH4epkwV
+/w1uNqnlvIeEFgHTKmSHvfwlAF64lUiDCUdWExXybKkE2NY=
+=1H60
 -----END PGP PUBLIC KEY BLOCK-----