diff --git a/baselibs.conf b/baselibs.conf index 1d3616f..9a2fb09 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,7 +1,7 @@ libopenssl3 obsoletes "libopenssl1_1_0-" -libopenssl3-hmac - requires "libopenssl3- = -%release" + provides "libopenssl3-hmac- = -%release" + obsoletes "libopenssl3-hmac- < -%release" libopenssl-3-devel provides "libopenssl-devel- = " conflicts "otherproviders(libopenssl-devel-)" diff --git a/openssl-3.0.8.tar.gz b/openssl-3.0.8.tar.gz deleted file mode 100644 index e078d43..0000000 --- a/openssl-3.0.8.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e -size 15151328 diff --git a/openssl-3.0.8.tar.gz.asc b/openssl-3.0.8.tar.gz.asc deleted file mode 100644 index 80652d4..0000000 --- a/openssl-3.0.8.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAmPiVZsACgkQ1enkP335 -7owJ6BAAk2EnBElYMTM3SuqLDp4fdf2EhSfhxWG45Q9oV8BQ3Th/l8zia/pIOLs7 -Pt6MXYhdd6IdVij5HMMR/ZMUJi/YnYG9lhhJ+p4NTHP+Tc4UjHoexJQuDZk9jM6y -zynSONsuIZRAXI4hiJ2Lg5X0iLhEuYBblPUDDdkO8ojTYkEohMQDj4Jt63vVPylV -m+tIDFVfYVQpXnORvy0LNDyjQhDb+gEEnAt8XwpE9FnrvkREHM1WQgmI4+1FLXBc -MaCWoFGEmFRMqxbqEjrtnCCafFcCKGYQnozrdN8VK62xGhDEOwEwjgzW00rm1TIG -eKOp9XOwcZehM5VR622eD/N4A96ET5Q3WOgqc76I8sWmx0lu/PaXl5bZcAeZpG4v -dYI926XSaSsrQ2ADhpgl02vLTVISMejmTNrxZjci0Ce76xjFfcxutD8wppL9Zqg4 -dwmpW8+qpgXZ+ABN6qYWsIXVHijJcyJgmFdQdcF/FfjVRxviCncz2i5dyUNUgw6Z -+nLlYNfk+6v0EVIgIA3rw8TGKGom3m1+d41KAMdEAET6n1D/SKbJxCyyYlBBGZBT -7Vd5u2zEjMK4b0Iv81Nq4YsActWk69PULfkYLgRGSvBFtpIn9g9RgV7hKlFTvZ/5 -S4A8XH/qrlSk+jb2Bl7qlgyZceDti8Ef6Ktz9YDdH0O133BRxAQ= -=FUbH ------END PGP SIGNATURE----- diff --git a/openssl-3.1.1.tar.gz b/openssl-3.1.1.tar.gz new file mode 100644 index 0000000..219eef5 --- /dev/null +++ b/openssl-3.1.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674 +size 15544757 diff --git a/openssl-3.1.1.tar.gz.asc b/openssl-3.1.1.tar.gz.asc new file mode 100644 index 0000000..ac31c4d --- /dev/null +++ b/openssl-3.1.1.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmR16IIACgkQUnRmohyn +nm0XXw/+NcoUTEDzBQvoRmR+y0GFU6eobgkbiL3Iu/whTD1xljm0YLAP8mWzWhzt +AOGMJLpQ+lBczSow4zXaHT3xky+2fYqUNjccGBF5oWyY/nUFE7+qUG/1yUcXy6Ca +2q6gYX2qAxpHUAjfKfQfYtogkVqIiUnqjaxJX/RgC/FEJTqCN7zq309LF7FaFr7s +IJxkHXRAcjzwXFopTfiKkSQRm1W0bV8xht29kzjXJlSviCnhWFoY/hQdtDr/vcnP +X9GobFyn0n7DPI7B62P1TKGtK755RXztymUnIkNvOUW+TmyuPSBL523jB8SrPfw2 +sasQ1G51IqKwAKhDEawDrJ4QAlfZXYJn1REoSpVWPLoGMfM5Aby0OBbzr0eYIJGp +92RMcWjfnUd5Xiw2sW97eRwdAF9WXdcH8Dz650z3bSstc2JeQq49cn9pZ6jG2Yxb +yuXJgkyWWFhBRRax/7FI065vdMFssB0xEHm4u/y8XJ4k/cQR8GZG9JPSwjVapb3X +3TTpDDV/wBFekfHHGJjM9ljuB5NXxYKficDsbHTDaC3ysg3kKzZN5cve0jdSf+P+ +v9JLDgk5HZJ3r50/fMrLptzzpjFwToOS0qQV0/X8FpGRxHGjENh9gw3y+IsDEeY1 +LVZKq1kkFhYz32h0m+E8OSA/gFcsNY+BG1Y7svtf9sewL84+a/Y= +=JKq4 +-----END PGP SIGNATURE----- diff --git a/openssl-3.changes b/openssl-3.changes index 1cf931f..6ffbd32 100644 --- a/openssl-3.changes +++ b/openssl-3.changes @@ -1,3 +1,137 @@ +------------------------------------------------------------------- +Tue May 30 15:14:51 UTC 2023 - Otto Hollmann + +- Update to 3.1.1: + * Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate + (CVE-2023-2650, bsc#1211430) + * Multiple algorithm implementation fixes for ARM BE platforms. + * Added a -pedantic option to fipsinstall that adjusts the various settings + to ensure strict FIPS compliance rather than backwards compatibility. + * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which + happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can + trigger a crash of an application using AES-XTS decryption if the memory + just after the buffer being decrypted is not mapped. Thanks to Anton + Romanov (Amazon) for discovering the issue. (CVE-2023-1255, bsc#1210714) + * Add FIPS provider configuration option to disallow the use of truncated + digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The + option '-no_drbg_truncated_digests' can optionally be supplied + to 'openssl fipsinstall'. + * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that + it does not enable policy checking. Thanks to David Benjamin for + discovering this issue. (CVE-2023-0466, bsc#1209873) + * Fixed an issue where invalid certificate policies in leaf certificates are + silently ignored by OpenSSL and other certificate policy checks are + skipped for that certificate. A malicious CA could use this to + deliberately assert invalid certificate policies in order to circumvent + policy checking on the certificate altogether. (CVE-2023-0465, bsc#1209878) + * Limited the number of nodes created in a policy tree to mitigate against + CVE-2023-0464. The default limit is set to 1000 nodes, which should be + sufficient for most installations. If required, the limit can be adjusted + by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a + desired maximum number of nodes or zero to allow unlimited growth. + (CVE-2023-0464, bsc#1209624) + * Update openssl.keyring with key + A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C (Tomas Mraz) + * Rebased patches: + - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + - openssl-Add_support_for_Windows_CA_certificate_store.patch + * Removed patches: + - openssl-CVE-2023-0464.patch + - openssl-Fix-OBJ_nid2obj-regression.patch + - openssl-CVE-2023-0465.patch + - openssl-CVE-2023-0466.patch + +------------------------------------------------------------------- +Mon May 29 07:31:07 UTC 2023 - Pedro Monreal + +- FIPS: Merge libopenssl3-hmac package into the library [bsc#1185116] + +------------------------------------------------------------------- +Mon May 15 09:00:04 UTC 2023 - Otto Hollmann + +- Add support for Windows CA certificate store [bsc#1209430] + https://github.com/openssl/openssl/pull/18070 + * Add openssl-Add_support_for_Windows_CA_certificate_store.patch + +------------------------------------------------------------------- +Wed Mar 29 12:11:10 UTC 2023 - Otto Hollmann + +- Security Fix: [CVE-2023-0465, bsc#1209878] + * Invalid certificate policies in leaf certificates are silently ignored + * Add openssl-CVE-2023-0465.patch +- Security Fix: [CVE-2023-0466, bsc#1209873] + * Certificate policy check not enabled + * Add openssl-CVE-2023-0466.patch + +------------------------------------------------------------------- +Tue Mar 28 12:19:06 UTC 2023 - Pedro Monreal + +- Fix regression in the OBJ_nid2obj() function: [bsc#1209430] + * Upstream https://github.com/openssl/openssl/issues/20555 + * Add openssl-Fix-OBJ_nid2obj-regression.patch + +------------------------------------------------------------------- +Mon Mar 27 14:44:32 UTC 2023 - Otto Hollmann + +- Fix compiler error "initializer element is not constant" on s390 + * Add openssl-z16-s390x.patch + +------------------------------------------------------------------- +Fri Mar 24 13:55:25 UTC 2023 - Otto Hollmann + +- Security Fix: [CVE-2023-0464, bsc#1209624] + * Excessive Resource Usage Verifying X.509 Policy Constraints + * Add openssl-CVE-2023-0464.patch + +------------------------------------------------------------------- +Wed Mar 15 14:55:29 UTC 2023 - Otto Hollmann + +- Pass over with spec-cleaner + +------------------------------------------------------------------- +Tue Mar 14 13:34:13 UTC 2023 - Otto Hollmann + +- Update to 3.1.0: + * Add FIPS provider configuration option to enforce the Extended Master + Secret (EMS) check during the TLS1_PRF KDF. The option '-ems-check' can + optionally be supplied to 'openssl fipsinstall'. + * The FIPS provider includes a few non-approved algorithms for backward + compatibility purposes and the "fips=yes" property query must be used for + all algorithm fetches to ensure FIPS compliance. The algorithms that are + included but not approved are Triple DES ECB, Triple DES CBC and EdDSA. + * Added support for KMAC in KBKDF. + * RNDR and RNDRRS support in provider functions to provide random number + generation for Arm CPUs (aarch64). + * s_client and s_server apps now explicitly say when the TLS version does not + include the renegotiation mechanism. This avoids confusion between that + scenario versus when the TLS version includes secure renegotiation but the + peer lacks support for it. + * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ. + * The various OBJ_* functions have been made thread safe. + * Parallel dual-prime 1536/2048-bit modular exponentiation for AVX512_IFMA + capable processors. + * The functions OPENSSL_LH_stats, OPENSSL_LH_node_stats, + OPENSSL_LH_node_usage_stats, OPENSSL_LH_stats_bio, + OPENSSL_LH_node_stats_bio and OPENSSL_LH_node_usage_stats_bio are now + marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining + OPENSSL_NO_DEPRECATED_3_1. The macro DEFINE_LHASH_OF is now deprecated in + favour of the macro DEFINE_LHASH_OF_EX, which omits the corresponding + type-specific function definitions for these functions regardless of + whether OPENSSL_NO_DEPRECATED_3_1 is defined. Users of DEFINE_LHASH_OF may + start receiving deprecation warnings for these functions regardless of + whether they are using them. It is recommended that users transition to the + new macro, DEFINE_LHASH_OF_EX. + * When generating safe-prime DH parameters set the recommended private key + length equivalent to minimum key lengths as in RFC 7919. + * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the + maximum size that is smaller or equal to the digest length to comply with + FIPS 186-4 section 5. This is implemented by a new option + OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX ("auto-digestmax") for the + rsa_pss_saltlen parameter, which is now the default. Signature verification + is not affected by this change and continues to work as before. + * Update openssl.keyring with key + 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 (Matt Caswell) + ------------------------------------------------------------------- Wed Mar 8 10:37:09 UTC 2023 - Martin Pluskal diff --git a/openssl-3.spec b/openssl-3.spec index 719fa9c..73226b1 100644 --- a/openssl-3.spec +++ b/openssl-3.spec @@ -22,7 +22,7 @@ %define man_suffix 3ssl Name: openssl-3 # Don't forget to update the version in the "openssl" meta-package! -Version: 3.0.8 +Version: 3.1.1 Release: 0 Summary: Secure Sockets and Transport Layer Security License: Apache-2.0 @@ -46,6 +46,10 @@ Patch6: openssl-no-date.patch # Add crypto-policies support Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch +# PATCH-FIX-OPENSUSE: Fix compiler error "initializer element is not constant" on s390 +Patch9: openssl-z16-s390x.patch +# PATCH-FIX-UPSTREAM: bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW +Patch10: openssl-Add_support_for_Windows_CA_certificate_store.patch BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) @@ -54,14 +58,14 @@ Requires: openssl Conflicts: ssl Provides: ssl Provides: openssl(cli) -%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 -Requires: crypto-policies -%endif # Needed for clean upgrade path, boo#1070003 Obsoletes: openssl-1_0_0 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: openssl-1_1_0 %{?suse_build_hwcaps_libs} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 +Requires: crypto-policies +%endif %description OpenSSL is a software library to be used in applications that need to @@ -71,16 +75,21 @@ OpenSSL contains an implementation of the SSL and TLS protocols. %package -n libopenssl3 Summary: Secure Sockets and Transport Layer Security -License: Apache-2.0 +BuildRequires: fipscheck +Recommends: ca-certificates-mozilla +Conflicts: %{name} < %{version}-%{release} +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: libopenssl1_1_0 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif -Recommends: ca-certificates-mozilla -# install libopenssl and libopenssl-hmac close together (bsc#1090765) -Suggests: libopenssl3-hmac = %{version}-%{release} +# Merge back the hmac files bsc#1185116 +Provides: libopenssl3-hmac = %{version}-%{release} +Obsoletes: libopenssl3-hmac < %{version}-%{release} # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 -Obsoletes: libopenssl1_1_0 -Conflicts: %{name} < %{version}-%{release} +Obsoletes: libopenssl1_1_0-hmac +# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 +Obsoletes: libopenssl-1_0_0-hmac %description -n libopenssl3 OpenSSL is a software library to be used in applications that need to @@ -90,13 +99,12 @@ OpenSSL contains an implementation of the SSL and TLS protocols. %package -n libopenssl-3-devel Summary: Development files for OpenSSL -License: Apache-2.0 Requires: libopenssl3 = %{version} Requires: pkgconfig(zlib) Recommends: %{name} = %{version} -Conflicts: libressl-devel # Conflicting names with libopenssl-1_1-devel Conflicts: libopenssl-1_1-devel +Conflicts: libressl-devel # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: libopenssl-1_1_0-devel # Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 @@ -108,7 +116,6 @@ that want to make use of the OpenSSL C API. %package doc Summary: Additional Package Documentation -License: Apache-2.0 Conflicts: openssl-doc Provides: openssl-doc = %{version} Obsoletes: openssl-doc < %{version} @@ -118,20 +125,6 @@ BuildArch: noarch This package contains optional documentation provided in addition to this package's base documentation. -%package -n libopenssl3-hmac -Summary: HMAC files for FIPS 140-3 integrity checking of the openssl shared libraries -License: BSD-3-Clause -Requires: libopenssl3 = %{version}-%{release} -BuildRequires: fipscheck -# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 -Obsoletes: libopenssl1_1_0-hmac -# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 -Obsoletes: libopenssl-1_0_0-hmac - -%description -n libopenssl3-hmac -The FIPS compliant operation of the openssl shared libraries is NOT -possible without the HMAC hashes contained in this package! - %prep %autosetup -p1 -n %{_rname}-%{version} @@ -179,7 +172,7 @@ perl configdata.pm --dump %check # Relax the crypto-policies requirements for the regression tests # Revert patch8 before running tests -patch -p1 -R < %{P:8} +patch -p1 -R < %{PATCH8} export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export MALLOC_CHECK_=3 @@ -212,8 +205,8 @@ rm -f %{buildroot}%{ssletcdir}/ct_log_list.cnf.dist cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf # Create openssl ca-certificates dir required by nodejs regression tests [bsc#1207484] -mkdir -p %{buildroot}/var/lib/ca-certificates/openssl -install -d -m 555 %{buildroot}/var/lib/ca-certificates/openssl +mkdir -p %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl +install -d -m 555 %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl # Remove the fipsmodule.cnf because FIPS module is loaded automatically rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf @@ -263,8 +256,6 @@ fi %dir %{_libdir}/ossl-modules %{_libdir}/ossl-modules/fips.so %{_libdir}/ossl-modules/legacy.so - -%files -n libopenssl3-hmac %{_libdir}/.libssl.so.%{sover}.hmac %{_libdir}/.libcrypto.so.%{sover}.hmac @@ -291,8 +282,8 @@ fi %attr(700,root,root) %{ssletcdir}/private %dir %{_datadir}/ssl %{_datadir}/ssl/misc -%dir /var/lib/ca-certificates/ -%dir /var/lib/ca-certificates/openssl +%dir %{_localstatedir}/lib/ca-certificates/ +%dir %{_localstatedir}/lib/ca-certificates/openssl %{_bindir}/%{_rname} %{_bindir}/c_rehash %{_mandir}/man1/* diff --git a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index e06c2cb..1bb6aee 100644 --- a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -97,7 +97,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist "High" encryption cipher suites. This currently means those with key lengths --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in -@@ -210,6 +210,11 @@ extern "C" { +@@ -213,6 +213,11 @@ extern "C" { * throwing out anonymous and unencrypted ciphersuites! (The latter are not * actually enabled by ALL, but "ALL:RSA" would enable some of them.) */ @@ -111,7 +111,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist # define SSL_SENT_SHUTDOWN 1 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c -@@ -1438,6 +1438,53 @@ int SSL_set_ciphersuites(SSL *s, const c +@@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const c return ret; } @@ -165,7 +165,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) **cipher_list, -@@ -1452,15 +1499,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; const SSL_METHOD *ssl_method = ctx->method; @@ -193,7 +193,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist /* * To reduce the work to do we only want to process the compiled -@@ -1482,7 +1539,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); if (co_list == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); @@ -202,7 +202,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, -@@ -1548,8 +1605,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * in force within each class */ if (!ssl_cipher_strength_sort(&head, &tail)) { @@ -212,7 +212,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } /* -@@ -1593,9 +1649,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { @@ -223,7 +223,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, -@@ -1628,8 +1683,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1633,8 +1688,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ @@ -233,7 +233,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } /* -@@ -1637,10 +1691,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1642,10 +1696,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * if we cannot get one. */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { @@ -249,7 +249,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist /* Add TLSv1.3 ciphers first - we always prefer those if possible */ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); -@@ -1692,6 +1749,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1697,6 +1754,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ *cipher_list = cipherstack; return cipherstack; @@ -266,7 +266,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c -@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx +@@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx ctx->tls13_ciphersuites, &(ctx->cipher_list), &(ctx->cipher_list_by_id), @@ -275,7 +275,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; -@@ -3285,7 +3285,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li +@@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li if (!ssl_create_cipher_list(ret, ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, @@ -298,8 +298,8 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist return 1; --- a/util/libcrypto.num +++ b/util/libcrypto.num -@@ -5428,3 +5428,4 @@ EVP_PKEY_CTX_get0_provider - OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: - OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: - OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP -+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +@@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup + EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION: + BN_are_coprime 5564 3_1_0 EXIST::FUNCTION: + OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP ++ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: diff --git a/openssl-Add_support_for_Windows_CA_certificate_store.patch b/openssl-Add_support_for_Windows_CA_certificate_store.patch new file mode 100644 index 0000000..cd143e0 --- /dev/null +++ b/openssl-Add_support_for_Windows_CA_certificate_store.patch @@ -0,0 +1,743 @@ +From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001 +From: Hugo Landau +Date: Fri, 8 Apr 2022 13:10:52 +0100 +Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI + env + +Fixes #18068. +--- + CHANGES.md | 21 + Configure | 7 + crypto/x509/by_dir.c | 17 + crypto/x509/by_store.c | 14 + crypto/x509/x509_def.c | 15 + doc/build.info | 6 + doc/man3/X509_get_default_cert_file.pod | 113 +++++ + include/internal/cryptlib.h | 11 + include/internal/e_os.h | 2 + include/openssl/x509.h.in | 3 + providers/implementations/include/prov/implementations.h | 1 + providers/implementations/storemgmt/build.info | 3 + providers/implementations/storemgmt/winstore_store.c | 327 +++++++++++++++ + providers/stores.inc | 3 + util/libcrypto.num | 3 + util/missingcrypto.txt | 4 + 16 files changed, 536 insertions(+), 14 deletions(-) + +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -24,6 +24,27 @@ OpenSSL 3.1 + + ### Changes between 3.1.0 and 3.1.1 [30 May 2023] + ++ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced. ++ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The ++ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of ++ paths which are searched for root certificates. ++ ++ The existing `SSL_CERT_DIR` environment variable is deprecated. ++ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated ++ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes ++ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate ++ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored ++ for the purposes of determining root certificate stores. ++ ++ *Hugo Landau* ++ ++ * Support for loading root certificates from the Windows certificate store ++ has been added. The support is in the form of a store which recognises the ++ URI string of `org.openssl.winstore://`. This store is enabled by default and ++ can be disabled using the new compile-time option `no-winstore`. ++ ++ *Hugo Landau* ++ + * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic + OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. + +--- a/Configure ++++ b/Configure +@@ -420,6 +420,7 @@ my @disablables = ( + "cached-fetch", + "camellia", + "capieng", ++ "winstore", + "cast", + "chacha", + "cmac", +@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) { + } + } + ++unless ($disabled{winstore}) { ++ unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) { ++ disable('not-windows', 'winstore'); ++ } ++} ++ + push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls}); + + # Get the extra flags used when building shared libraries and modules. We +--- a/crypto/x509/by_dir.c ++++ b/crypto/x509/by_dir.c +@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in + switch (cmd) { + case X509_L_ADD_DIR: + if (argl == X509_FILETYPE_DEFAULT) { +- const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env()); ++ /* If SSL_CERT_PATH is provided and non-empty, use that. */ ++ const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env()); + +- if (dir) +- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); +- else +- ret = add_cert_dir(ld, X509_get_default_cert_dir(), +- X509_FILETYPE_PEM); ++ /* Fallback to SSL_CERT_DIR. */ ++ if (dir == NULL) ++ dir = ossl_safe_getenv(X509_get_default_cert_dir_env()); ++ ++ /* Fallback to built-in default. */ ++ if (dir == NULL) ++ dir = X509_get_default_cert_dir(); ++ ++ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); + if (!ret) { + ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR); + } +--- a/crypto/x509/by_store.c ++++ b/crypto/x509/by_store.c +@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP + { + switch (cmd) { + case X509_L_ADD_STORE: +- /* If no URI is given, use the default cert dir as default URI */ ++ /* First try the newer default cert URI envvar. */ ++ if (argp == NULL) ++ argp = ossl_safe_getenv(X509_get_default_cert_uri_env()); ++ ++ /* If not set, see if we have a URI in the older cert dir envvar. */ + if (argp == NULL) + argp = ossl_safe_getenv(X509_get_default_cert_dir_env()); ++ ++ /* Fallback to default store URI. */ + if (argp == NULL) +- argp = X509_get_default_cert_dir(); ++ argp = X509_get_default_cert_uri(); ++ ++ /* No point adding an empty URI. */ ++ if (!*argp) ++ return 1; + + { + STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx); +--- a/crypto/x509/x509_def.c ++++ b/crypto/x509/x509_def.c +@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v + return X509_CERT_AREA; + } + ++const char *X509_get_default_cert_uri(void) ++{ ++ return X509_CERT_URI; ++} ++ + const char *X509_get_default_cert_dir(void) + { + return X509_CERT_DIR; +@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v + return X509_CERT_FILE; + } + ++const char *X509_get_default_cert_uri_env(void) ++{ ++ return X509_CERT_URI_EVP; ++} ++ ++const char *X509_get_default_cert_path_env(void) ++{ ++ return X509_CERT_PATH_EVP; ++} ++ + const char *X509_get_default_cert_dir_env(void) + { + return X509_CERT_DIR_EVP; +--- a/doc/build.info ++++ b/doc/build.info +@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma + GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod + DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod + GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod ++DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod ++GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod ++DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod ++GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod + DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod + GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod + DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod +@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht + html/man3/X509_get0_notBefore.html \ + html/man3/X509_get0_signature.html \ + html/man3/X509_get0_uids.html \ ++html/man3/X509_get_default_cert_file.html \ + html/man3/X509_get_extension_flags.html \ + html/man3/X509_get_pubkey.html \ + html/man3/X509_get_serialNumber.html \ +@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \ + man/man3/X509_get0_notBefore.3 \ + man/man3/X509_get0_signature.3 \ + man/man3/X509_get0_uids.3 \ ++man/man3/X509_get_default_cert_file.3 \ + man/man3/X509_get_extension_flags.3 \ + man/man3/X509_get_pubkey.3 \ + man/man3/X509_get_serialNumber.3 \ +--- /dev/null ++++ b/doc/man3/X509_get_default_cert_file.pod +@@ -0,0 +1,113 @@ ++=pod ++ ++=head1 NAME ++ ++X509_get_default_cert_file, X509_get_default_cert_file_env, ++X509_get_default_cert_path_env, ++X509_get_default_cert_dir, X509_get_default_cert_dir_env, ++X509_get_default_cert_uri, X509_get_default_cert_uri_env - ++retrieve default locations for trusted CA certificates ++ ++=head1 SYNOPSIS ++ ++ #include ++ ++ const char *X509_get_default_cert_file(void); ++ const char *X509_get_default_cert_dir(void); ++ const char *X509_get_default_cert_uri(void); ++ ++ const char *X509_get_default_cert_file_env(void); ++ const char *X509_get_default_cert_path_env(void); ++ const char *X509_get_default_cert_dir_env(void); ++ const char *X509_get_default_cert_uri_env(void); ++ ++=head1 DESCRIPTION ++ ++The X509_get_default_cert_file() function returns the default path ++to a file containing trusted CA certificates. OpenSSL will use this as ++the default path when it is asked to load trusted CA certificates ++from a file and no other path is specified. If the file exists, CA certificates ++are loaded from the file. ++ ++The X509_get_default_cert_dir() function returns a default delimeter-separated ++list of paths to a directories containing trusted CA certificates named in the ++hashed format. OpenSSL will use this as the default list of paths when it is ++asked to load trusted CA certificates from a directory and no other path is ++specified. If a given directory in the list exists, OpenSSL attempts to lookup ++CA certificates in this directory by calculating a filename based on a hash of ++the certificate's subject name. ++ ++The X509_get_default_cert_uri() function returns the default URI for a ++certificate store accessed programmatically via an OpenSSL provider. If there is ++no default store applicable to the system for which OpenSSL was compiled, this ++returns an empty string. ++ ++X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return ++environment variable names which are recommended to specify nondefault values to ++be used instead of the values returned by X509_get_default_cert_file() and ++X509_get_default_cert_uri() respectively. The values returned by the latter ++functions are not affected by these environment variables; you must check for ++these environment variables yourself, using these functions to retrieve the ++correct environment variable names. If an environment variable is not set, the ++value returned by the corresponding function above should be used. ++ ++X509_get_default_cert_path_env() returns the environment variable name which is ++recommended to specify a nondefault value to be used instead of the value ++returned by X509_get_default_cert_dir(). This environment variable supercedes ++the deprecated environment variable whose name is returned by ++X509_get_default_cert_dir_env(). This environment variable was deprecated as its ++contents can be interpreted ambiguously; see NOTES. ++ ++By default, OpenSSL uses the path list specified in the environment variable ++whose name is returned by X509_get_default_cert_path_env() if it is set; ++otherwise, it uses the path list specified in the environment variable whose ++name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it ++uses the value returned by X509_get_default_cert_dir()). ++ ++=head1 NOTES ++ ++X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and ++X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this ++release, store URIs were expressed via the environment variable returned by ++X509_get_default_cert_dir_env(); this environment variable could be used to ++specify either a list of directories or a store URI. This creates an ambiguity ++in which the environment variable returned by X509_get_default_cert_dir_env() is ++interpreted both as a list of directories and as a store URI. ++ ++This usage and the environment variable returned by ++X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use ++the environment variable returned by X509_get_default_cert_uri_env(), and to ++specify a list of directories, use the environment variable returned by ++X509_get_default_cert_path_env(). ++ ++=head1 RETURN VALUES ++ ++These functions return pointers to constant strings with static storage ++duration. ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 HISTORY ++ ++X509_get_default_cert_uri(), X509_get_default_cert_path_env() and ++X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1. ++ ++=head1 COPYRIGHT ++ ++Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +--- a/include/internal/cryptlib.h ++++ b/include/internal/cryptlib.h +@@ -13,6 +13,8 @@ + + # include + # include ++# include "openssl/configuration.h" ++# include "internal/e_os.h" /* ossl_inline in many files */ + + # ifdef OPENSSL_USE_APPLINK + # define BIO_FLAGS_UPLINK_INTERNAL 0x8000 +@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM); + # define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf" + # endif + ++#ifndef OPENSSL_NO_WINSTORE ++# define X509_CERT_URI "org.openssl.winstore://" ++#else ++# define X509_CERT_URI "" ++#endif ++ ++# define X509_CERT_URI_EVP "SSL_CERT_URI" ++# define X509_CERT_PATH_EVP "SSL_CERT_PATH" + # define X509_CERT_DIR_EVP "SSL_CERT_DIR" + # define X509_CERT_FILE_EVP "SSL_CERT_FILE" + # define CTLOG_FILE_EVP "CTLOG_FILE" +@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_ + # endif + return path[0] == '/'; + } +- + #endif +--- a/include/internal/e_os.h ++++ b/include/internal/e_os.h +@@ -249,7 +249,7 @@ FILE *__iob_func(); + /***********************************************/ + + # if defined(OPENSSL_SYS_WINDOWS) +-# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE) ++# if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE) + # define open _open + # define fdopen _fdopen + # define close _close +--- a/include/openssl/x509.h.in ++++ b/include/openssl/x509.h.in +@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s + ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj); + + const char *X509_get_default_cert_area(void); ++const char *X509_get_default_cert_uri(void); + const char *X509_get_default_cert_dir(void); + const char *X509_get_default_cert_file(void); ++const char *X509_get_default_cert_uri_env(void); ++const char *X509_get_default_cert_path_env(void); + const char *X509_get_default_cert_dir_env(void); + const char *X509_get_default_cert_file_env(void); + const char *X509_get_default_private_dir(void); +--- a/providers/implementations/include/prov/implementations.h ++++ b/providers/implementations/include/prov/implementations.h +@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP + extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[]; + + extern const OSSL_DISPATCH ossl_file_store_functions[]; ++extern const OSSL_DISPATCH ossl_winstore_store_functions[]; +--- a/providers/implementations/storemgmt/build.info ++++ b/providers/implementations/storemgmt/build.info +@@ -4,3 +4,6 @@ + $STORE_GOAL=../../libdefault.a + + SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c ++IF[{- !$disabled{winstore} -}] ++ SOURCE[$STORE_GOAL]=winstore_store.c ++ENDIF +--- /dev/null ++++ b/providers/implementations/storemgmt/winstore_store.c +@@ -0,0 +1,327 @@ ++/* ++ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include /* The OSSL_STORE_INFO type numbers */ ++#include "internal/cryptlib.h" ++#include "internal/o_dir.h" ++#include "crypto/decoder.h" ++#include "crypto/ctype.h" /* ossl_isdigit() */ ++#include "prov/implementations.h" ++#include "prov/bio.h" ++#include "file_store_local.h" ++ ++#include ++ ++enum { ++ STATE_IDLE, ++ STATE_READ, ++ STATE_EOF, ++}; ++ ++struct winstore_ctx_st { ++ void *provctx; ++ char *propq; ++ unsigned char *subject; ++ size_t subject_len; ++ ++ HCERTSTORE win_store; ++ const CERT_CONTEXT *win_ctx; ++ int state; ++ ++ OSSL_DECODER_CTX *dctx; ++}; ++ ++static void winstore_win_reset(struct winstore_ctx_st *ctx) ++{ ++ if (ctx->win_ctx != NULL) { ++ CertFreeCertificateContext(ctx->win_ctx); ++ ctx->win_ctx = NULL; ++ } ++ ++ ctx->state = STATE_IDLE; ++} ++ ++static void winstore_win_advance(struct winstore_ctx_st *ctx) ++{ ++ CERT_NAME_BLOB name = {0}; ++ ++ if (ctx->state == STATE_EOF) ++ return; ++ ++ name.cbData = ctx->subject_len; ++ name.pbData = ctx->subject; ++ ++ ctx->win_ctx = (name.cbData == 0 ? NULL : ++ CertFindCertificateInStore(ctx->win_store, ++ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, ++ 0, CERT_FIND_SUBJECT_NAME, ++ &name, ctx->win_ctx)); ++ ++ ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ; ++} ++ ++static void *winstore_open(void *provctx, const char *uri) ++{ ++ struct winstore_ctx_st *ctx = NULL; ++ ++ if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:")) ++ return NULL; ++ ++ ctx = OPENSSL_zalloc(sizeof(*ctx)); ++ if (ctx == NULL) ++ return NULL; ++ ++ ctx->provctx = provctx; ++ ctx->win_store = CertOpenSystemStoreW(0, L"ROOT"); ++ if (ctx->win_store == NULL) { ++ OPENSSL_free(ctx); ++ return NULL; ++ } ++ ++ winstore_win_reset(ctx); ++ return ctx; ++} ++ ++static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin) ++{ ++ return NULL; /* not supported */ ++} ++ ++static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[]) ++{ ++ static const OSSL_PARAM known_settable_ctx_params[] = { ++ OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0), ++ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0), ++ OSSL_PARAM_END ++ }; ++ return known_settable_ctx_params; ++} ++ ++static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[]) ++{ ++ struct winstore_ctx_st *ctx = loaderctx; ++ const OSSL_PARAM *p; ++ int do_reset = 0; ++ ++ if (params == NULL) ++ return 1; ++ ++ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES); ++ if (p != NULL) { ++ do_reset = 1; ++ OPENSSL_free(ctx->propq); ++ ctx->propq = NULL; ++ if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0)) ++ return 0; ++ } ++ ++ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT); ++ if (p != NULL) { ++ const unsigned char *der = NULL; ++ size_t der_len = 0; ++ ++ if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len)) ++ return 0; ++ ++ do_reset = 1; ++ ++ OPENSSL_free(ctx->subject); ++ ++ ctx->subject = OPENSSL_malloc(der_len); ++ if (ctx->subject == NULL) { ++ ctx->subject_len = 0; ++ return 0; ++ } ++ ++ ctx->subject_len = der_len; ++ memcpy(ctx->subject, der, der_len); ++ } ++ ++ if (do_reset) { ++ winstore_win_reset(ctx); ++ winstore_win_advance(ctx); ++ } ++ ++ return 1; ++} ++ ++struct load_data_st { ++ OSSL_CALLBACK *object_cb; ++ void *object_cbarg; ++}; ++ ++static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst, ++ const OSSL_PARAM *params, void *construct_data) ++{ ++ struct load_data_st *data = construct_data; ++ return data->object_cb(params, data->object_cbarg); ++} ++ ++static void load_cleanup(void *construct_data) ++{ ++ /* No-op. */ ++} ++ ++static int setup_decoder(struct winstore_ctx_st *ctx) ++{ ++ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx); ++ const OSSL_ALGORITHM *to_algo = NULL; ++ ++ if (ctx->dctx != NULL) ++ return 1; ++ ++ ctx->dctx = OSSL_DECODER_CTX_new(); ++ if (ctx->dctx == NULL) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); ++ return 0; ++ } ++ ++ if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); ++ goto err; ++ } ++ ++ if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); ++ goto err; ++ } ++ ++ for (to_algo = ossl_any_to_obj_algorithm; ++ to_algo->algorithm_names != NULL; ++ to_algo++) { ++ OSSL_DECODER *to_obj = NULL; ++ OSSL_DECODER_INSTANCE *to_obj_inst = NULL; ++ ++ /* ++ * Create the internal last resort decoder implementation ++ * together with a "decoder instance". ++ * The decoder doesn't need any identification or to be ++ * attached to any provider, since it's only used locally. ++ */ ++ to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL); ++ if (to_obj != NULL) ++ to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx); ++ ++ OSSL_DECODER_free(to_obj); ++ if (to_obj_inst == NULL) ++ goto err; ++ ++ if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx, ++ to_obj_inst)) { ++ ossl_decoder_instance_free(to_obj_inst); ++ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); ++ goto err; ++ } ++ } ++ ++ if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); ++ goto err; ++ } ++ ++ if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); ++ goto err; ++ } ++ ++ if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); ++ goto err; ++ } ++ ++ return 1; ++ ++err: ++ OSSL_DECODER_CTX_free(ctx->dctx); ++ ctx->dctx = NULL; ++ return 0; ++} ++ ++static int winstore_load_using(struct winstore_ctx_st *ctx, ++ OSSL_CALLBACK *object_cb, void *object_cbarg, ++ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg, ++ const void *der, size_t der_len) ++{ ++ struct load_data_st data; ++ const unsigned char *der_ = der; ++ size_t der_len_ = der_len; ++ ++ if (setup_decoder(ctx) == 0) ++ return 0; ++ ++ data.object_cb = object_cb; ++ data.object_cbarg = object_cbarg; ++ ++ OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data); ++ OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg); ++ ++ if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0) ++ return 0; ++ ++ return 1; ++} ++ ++static int winstore_load(void *loaderctx, ++ OSSL_CALLBACK *object_cb, void *object_cbarg, ++ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) ++{ ++ int ret = 0; ++ struct winstore_ctx_st *ctx = loaderctx; ++ ++ if (ctx->state != STATE_READ) ++ return 0; ++ ++ ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg, ++ ctx->win_ctx->pbCertEncoded, ++ ctx->win_ctx->cbCertEncoded); ++ ++ if (ret == 1) ++ winstore_win_advance(ctx); ++ ++ return ret; ++} ++ ++static int winstore_eof(void *loaderctx) ++{ ++ struct winstore_ctx_st *ctx = loaderctx; ++ ++ return ctx->state != STATE_READ; ++} ++ ++static int winstore_close(void *loaderctx) ++{ ++ struct winstore_ctx_st *ctx = loaderctx; ++ ++ winstore_win_reset(ctx); ++ CertCloseStore(ctx->win_store, 0); ++ OSSL_DECODER_CTX_free(ctx->dctx); ++ OPENSSL_free(ctx->propq); ++ OPENSSL_free(ctx->subject); ++ OPENSSL_free(ctx); ++ return 1; ++} ++ ++const OSSL_DISPATCH ossl_winstore_store_functions[] = { ++ { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open }, ++ { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach }, ++ { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params }, ++ { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params }, ++ { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load }, ++ { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof }, ++ { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close }, ++ { 0, NULL }, ++}; +--- a/providers/stores.inc ++++ b/providers/stores.inc +@@ -12,3 +12,6 @@ + #endif + + STORE("file", "yes", ossl_file_store_functions) ++#ifndef OPENSSL_NO_WINSTORE ++STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions) ++#endif +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup + EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION: + BN_are_coprime 5564 3_1_0 EXIST::FUNCTION: + OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP ++X509_get_default_cert_uri ? 3_1_0 EXIST::FUNCTION: ++X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION: ++X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION: + ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +--- a/util/missingcrypto.txt ++++ b/util/missingcrypto.txt +@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3) + X509_get1_email(3) + X509_get1_ocsp(3) + X509_get_default_cert_area(3) +-X509_get_default_cert_dir(3) +-X509_get_default_cert_dir_env(3) +-X509_get_default_cert_file(3) +-X509_get_default_cert_file_env(3) + X509_get_default_private_dir(3) + X509_get_pubkey_parameters(3) + X509_get_signature_type(3) diff --git a/openssl-z16-s390x.patch b/openssl-z16-s390x.patch new file mode 100644 index 0000000..4738e47 --- /dev/null +++ b/openssl-z16-s390x.patch @@ -0,0 +1,111 @@ +iIndex: openssl-3.1.0/crypto/s390xcap.c +=================================================================== +--- openssl-3.1.0.orig/crypto/s390xcap.c ++++ openssl-3.1.0/crypto/s390xcap.c +@@ -674,7 +674,105 @@ static int parse_env(struct OPENSSL_s390 + * z16 (2022) - z/Architecture POP + * Implements MSA and MSA1-9 (same as z15). + */ ++#if defined(__GNUC__) && __GNUC__<13 && (defined(__s390__) || defined(__s390x__)) ++ static const struct OPENSSL_s390xcap_st z16 = { ++ /*.stfle = */{S390X_CAPBIT(S390X_MSA) ++ | S390X_CAPBIT(S390X_STCKF) ++ | S390X_CAPBIT(S390X_MSA5), ++ S390X_CAPBIT(S390X_MSA3) ++ | S390X_CAPBIT(S390X_MSA4), ++ S390X_CAPBIT(S390X_VX) ++ | S390X_CAPBIT(S390X_VXD) ++ | S390X_CAPBIT(S390X_VXE) ++ | S390X_CAPBIT(S390X_MSA8) ++ | S390X_CAPBIT(S390X_MSA9), ++ 0ULL}, ++ /*.kimd = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512) ++ | S390X_CAPBIT(S390X_SHA3_224) ++ | S390X_CAPBIT(S390X_SHA3_256) ++ | S390X_CAPBIT(S390X_SHA3_384) ++ | S390X_CAPBIT(S390X_SHA3_512) ++ | S390X_CAPBIT(S390X_SHAKE_128) ++ | S390X_CAPBIT(S390X_SHAKE_256), ++ S390X_CAPBIT(S390X_GHASH)}, ++ /*.klmd = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512) ++ | S390X_CAPBIT(S390X_SHA3_224) ++ | S390X_CAPBIT(S390X_SHA3_256) ++ | S390X_CAPBIT(S390X_SHA3_384) ++ | S390X_CAPBIT(S390X_SHA3_512) ++ | S390X_CAPBIT(S390X_SHAKE_128) ++ | S390X_CAPBIT(S390X_SHAKE_256), ++ 0ULL}, ++ /*.km = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256) ++ | S390X_CAPBIT(S390X_XTS_AES_128) ++ | S390X_CAPBIT(S390X_XTS_AES_256), ++ 0ULL}, ++ /*.kmc = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ /*.kmac = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ /*.kmctr = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ /*.kmo = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ /*.kmf = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ /*.prno = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_512_DRNG), ++ S390X_CAPBIT(S390X_TRNG)}, ++ /*.kma = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ /*.pcc = */{S390X_CAPBIT(S390X_QUERY), ++ S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448)}, ++ /*.kdsa = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256) ++ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384) ++ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P521) ++ | S390X_CAPBIT(S390X_ECDSA_SIGN_P256) ++ | S390X_CAPBIT(S390X_ECDSA_SIGN_P384) ++ | S390X_CAPBIT(S390X_ECDSA_SIGN_P521) ++ | S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519) ++ | S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448) ++ | S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519) ++ | S390X_CAPBIT(S390X_EDDSA_SIGN_ED448), ++ 0ULL}, ++ }; ++#else + static const struct OPENSSL_s390xcap_st z16 = z15; ++#endif + + char *tok_begin, *tok_end, *buff, tok[S390X_STFLE_MAX][LEN + 1]; + int rc, off, i, n; + diff --git a/openssl.keyring b/openssl.keyring index 6c3798e..c8220a7 100644 --- a/openssl.keyring +++ b/openssl.keyring @@ -1,94 +1,117 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Comment: 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C -Comment: Richard Levitte -Comment: Richard Levitte -Comment: Richard Levitte +Comment: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C +Comment: Tomáš Mráz +Comment: Tomáš Mráz +Comment: Tomáš Mráz -xsFNBFQwazYBEAC01v949yFYzwbn0UkEkM3MHTrDqWbp+erhXqdVD5ymG/pXvmqx -5KlxL1TZMuWEFuaq9EVkW8Wm5glk4D14IalIVKARAMDwqgNrPnw0GCAmNIf+Omvl -G7gdsSR93eALJp1vvKZpeEVZj0M0gQ1i4QIIR8PMqs+2jaYyed4HhRYzUbGKZMnr -94Onby8FIAYq0B79VqBv5NfMc2KEKrLXwuDSjtZd2TGB7qeLF7sCczyFoi5XTj+B -iVfdxCzoYEa1Rjp5hGllVj85w2DdfKED/BW7VCel4H+WTZGqTFQ1e3kPo1KdqlwD -F+Ci2JFU6myPy0LpHrNhn6FsdQGOuRKgYPycol7VzJHKtcGNMDkUFGV2DsgljQuW -Sj5TNNX5umFCIIN94eLvHtV9bXP98yKB/5pr2JhagL6kdU7OE0c/mugA05gGQTUJ -DeLNsRq54YC+CLyM9dxMvH7yB43yMfUvgKcSRt0sHUo8g5aOYdFq0SXQUr8+t/iH -3t5/JxhqBik8FBiu0aISsTDUbvbxQQQe/LhfR+FWDZRFwHOL0VELapfw1whitGG+ -y+F9fQIJfa5yzEiC9AWYZjHRaFB7q6LAvF0V8vP+pkT157fTK63W53mt1+VPMt2L -732i+/Cqy/6HzwOdnNnNyfEdvm2Jojs8KXN20vChnfUGifvTjxuiFib9sQARAQAB -zR9SaWNoYXJkIExldml0dGUgPGxldml0dGVAbHAuc2U+wsGPBBMBAgAiBQJUMGwd -AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnujBYhBHlTrB+8 -PcizspI5PtXp5D99+e6Mq7QP/iNhBEDJYRTrYc6JAmRIg6YyiKjeOx8kXtVCe9+q -CzC+Y9ehyZB5Dyl0Ybej9jNJdEDJzDHKzVwU4NrfefcTWqUOQDNbpClGtXcQHlUt -hjREPWpyAEH1OhD5NDTSMI5YYKZDEfiN6oEpWlc7WK0mXZuY5mHOo0B3yNDfV845 -+7CGPK9zuE56/f9SLmCaFsCkNMGbvV4ybLRoBfZdnC5NPOKyJXQ0TG0CbxGMgIN5 -cOrBphU+ZrPYY+p4jEoD5rvFugQl4+oRsvxygpJV5t8pe1ihNMhmzu3CpRtMjmRA -dzK+27Z8p7m8BORuoC+NbXVpcmjIueXDkYdxP+09qUyw8xE398tAuEXpbCVoQ68b -6NDCBpowgvUu34zxDn0wKdt2YGHB6z7Kl7b8RycWG3Y8u/Hs+l6QehEmiy6UKXl7 -zW3PIi3192WzElUi7TtG/btqC6YPs0U3SQMkNWzwkjbKM9bC4gPFMK05a8QENc66 -M+USWjNg0TiAkGP9PDlpYyhtjicCTgL51lDm8LBXr9cbzvXav7Jc6NVh7Zby89r1 -DsPFzfDkccOX6nSnqYMISmvRUGrGfgrkeeM0MNu93aPTrs+0fxq+HJIZEhX/YCyQ -N4jqM+hQGh9bOwM7BacaP9F9vnq2hDK2WIXlWChX9Q70xArViJqzI8/76Ph1inPb -jbJczSVSaWNoYXJkIExldml0dGUgPGxldml0dGVAb3BlbnNzbC5vcmc+wsGPBBMB -AgAiBQJUMGwKAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnu -jBYhBHlTrB+8PcizspI5PtXp5D99+e6M1bAP/0byoJMiMsswapbBypQCT/vQmaoX -jZzNcU4qAKlB5EMlHkxl1T8ytEXxmNMd/e0ltV9HALeBqX1eYHS7oTG3rMXKuYVY -TO19eM2wLiCW664EUtOsB9zAnpp6X+8UWMoNEpWlEHgkdlADQ0xIrrH3pt29SAbd -x0QsvwkWPawEoKMoUiGPnVY4hAt7Xx9gDmWEa2T6tExd9soBBTIuIpTH3MbAEHsv -nBbdyarNltGF/pXYGMmGaYmU0WujqKzqpBpy3zwd0Rx1Kms5e0ZcypVzqx3Xgcue -W8fbMPTZbG+Z922GUFDJ139WjAA2FsMJ9ES7XIIoJh/4nfBwk+PXcj29TieDnl2r -d4x7Yxnqp4Vzau+IARz9Vr1OIFVlQbaSdXfmDFi/fvVf9CJZnWwcSwkqp4pk50Zy -nEA+8TzEQj08jdj0+yrJNvbRxqbIafzSmoU77bANs4gc0WOdTTpvv4honUQROARp -G/JT47hE7ATVGNdF7bmWNEyEYFtZMdGP0xD+K0xEgsir65aruVixVrNKxOX9wqx6 -JGzHTSTgtAVYAvMIsWJTLuCXZbMRmmmmubfyVaMAisz5UIYD+TCPncuJ1dMUW9WI -uLNFGLTRGHri01EWe2epaHZWA0WB0cQZaeGpc7C986WskDi9SA9ZzCIGW4oQIBQX -lRJjjYxIBCnjxtUWzSVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAbGV2aXR0ZS5v -cmc+wsGSBBMBAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVDBtJgIZ -AQAhCRDV6eQ/ffnujBYhBHlTrB+8PcizspI5PtXp5D99+e6MmN0P/AmpB8DasBnj -h9fAlBM8kEZ23MHVdEguPWX8KBML4L6eVlWRn7hdfpvOS90Ll5LTdtWPAQs8lDYh -4V86hIYgLK9tisZyby+5NT4dEl6CXgHbRjdDbp0xKfGc5F9jWzPZpG8ZdDz6Zbvd -ooy/4ThXNS16HcsJRckan6oFjCNAWSNpXDYcLtA7+9ncimrC/C+kGYlyPWJGYZu1 -C3I+oL3+qWwiqAG9hp/zedsIsNP7o24wb0SgD0dTzphmOAPwTRfGS2DHhpbAH9P6 -MZPiFBRGsARRRFfTRGkzI9W1M4bv9l/L8s6STpjD8+40f+aUE8cyUcNj1ycyRGFA -nwf5MeO3MqzvjocoUyoZNc4t7/6rh6sceFjgMt/DFFZbi3kvz9cJBcaN6TWWktd4 -+1WmLxwcF0n3xaB04KCvXTaBZ5f/Hz5D4O8HyYsS6GlW6yIUiuAOvav8WizaTMbY -k81XfXBuBKv7Vxk0fRYf9+HJ7fyWyIlIN9FqrSiiopA3JR+8gP8ueFcycmLnl2D9 -fyZn/sv+UCLrMR6fyD/5EtzgzW0AJ8BDJw5n7ctmZ6UhuasDZZMPC2uB9LVhpQ8W -3mDDxJoaYe5bE2p0ca+mwEHZQpbpjmtT/2x5rGFZYxBUOhuGn/94zEYSqLLDirlF -IEUgucXLOLQHyEl+kEkCLEmSbn71WsM8wsGPBBMBAgAiBQJUMGs2AhsDBgsJCAcD -AgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnujBYhBHlTrB+8PcizspI5PtXp -5D99+e6MbdMP/1yj/fl/t8sl6ZH8v26uBBLSUeZPJYef9TCoe6akV//x4JLujB8y -dGGW8bToC680zpuYlNn+avMwmjyocPwe7Cqgev6AyO+CjspoodM9Xai0y10CAHCl -vGAW8mX7c79jtLcMB/Z/0+5u4ErkzfwyURRpB5deLcQ4LhyRVZbLQ72fdCrmPYzO -e6Rhmfr9nWKL/oHDTLDUtRjAXdurI8YQKK9nCtbsM2uytvYkzpD2wx0B16rB7N04 -QLJBNDyOUJwnm4K+Xt9LLs8NUJ8JXCdwXKXGrFFbt2b3vmy0y4/NR5AUoS444ao5 -1mybA19WkCcCj5mSKmfZ9Dfbv6K3JCJx4ra5uJT2HP2M3NugtumQ1KPBUlNApVC6 -u+Vn7SMqFW/KFRCxOjXDWWU+F4prqzOVc5SYqIUOk7XVxgj1FBryw5Wel5iq1Bn8 -La1Fv3Hs/+pUKHRYYIC48kRET7h6oCmBiNn+XmU0A2qZnIyblmVpmfYftj3UWUC0 -S86qf/dRi8unTXYl8qEQyOSPz8g6t2RDgEsJOzKhiO+j+wcBYVOgrSgsawC8yxjA -zfVwkprUJognVBJFCv4sKMb9wg99iEacI6O401w3FQy5FyokjmxXzrhn0UPj3t35 -wd81WZ5HWaBSLnBo8HklfDyaybPlXODldSI7OGOch/0/CZEQzQwzsmnazsFNBFQw -azYBEADPNcBdaXTUwkG81K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpj -U45kx/wO5KiTVj+bM+scSzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV -9qT3i0eSSpa1Kpx8eAHKcVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdk -HsEoMSVU6Jy86E908OLaJbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHM -el8ZcEgTah7huS6lUA4seQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1 -nbMQ/dEvMQpFxLCOBNQP0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAt -c/+iwMUkQQXJRw7Vlp9Fp9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQ -Je31m7sezA3cLnFR86ol2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+ -sjauCZQW3KYx31Il5bO3ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbh -ddJBHsd7GNkwzb1QivcqnYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz -5JTjMkj1s9cppQ8tdqiV4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABwsF2BBgB -AgAJBQJUMGs2AhsMACEJENXp5D99+e6MFiEEeVOsH7w9yLOykjk+1enkP3357ozr -2A//YzMQJ6Mo+/SU328dOeoseI/sFypuK882pPhXfJqX8l8H1zyHbKWy5lLLiv1M -oNOC/8pWbpv2QlWyN3PKrB6srClnpPyiHIO37/lQBcpjvAfy9HWpl21FDxn9Ruxn -a/IMYwq60EjE5h8NynNn57vydF3qTcTqkhtHW61L3vbBAcz9VMSay9QVm1f6qzM5 -WbbLxp1sfNjQWKSo381kjs1Vj7yCTBrJul3qSeX0CsRB7WF5VYMalpNTHPRIqCWp -zTMcO3E5SSGIJy+AqwAZZvFiylGrSsux6TnVEVJ07s0nn1yj3q7Ii7av+waGmTf7 -9B0AyZv0IZ4j4NUWFNnGhsG1bEumFLkQl7Id/M61k0yKOusHdzDcZbCzecyww1w3 -WD+j4wvGkfBy4mQRqLiyjutsN/dpxRRkULATME+TH9J5eNq0A5sRRaayEiA1TDcA -WfF0PtA4smNy1GyIarobC+xn8AENi4eeYZBbfDfh8oRhEsICQ6rs098wiYz8jtZ/ -pOruzbiD7ZKDy+vjKtYqgjGnioHQalJCZrKTUnREpH102pg1Cw6v2OcjiXsqU5L7 -Yrhv1jQIluII051VIJ/QBWe5uT7YiJOsMLMQGWvkObPXEYLld2UF6hK6MH4epkwV -/w1uNqnlvIeEFgHTKmSHvfwlAF64lUiDCUdWExXybKkE2NY= -=1H60 +xsFNBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr +55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH +F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi +UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag +pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K +/Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv +MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8 +laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB +HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3 +zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06 +YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB +zRtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz7CwZQEEwEIAD4WIQSiH6t0sAiK +o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe +AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy +U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE +KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W +nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh +1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I +m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj +kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD +IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M +8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6 +z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41 +xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM +MriPFc0fVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PsLBlAQTAQgAPhYh +BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL +AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk +8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO +UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv +FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW +FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q +UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy +Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS +2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW +kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm +T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI +yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I +8tmXB4BcoHFB9N0AzSFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz7C +wZQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL +CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh +KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo +2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ ++J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4 +yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M +cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A +ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly +Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y +q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt +Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj +hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI +w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZc7BTQRg8UyoARAApiWRrHjdEu9Fp2yd7K93 +VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27 +1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp +djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50 +IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK +bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn +gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w +NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh +D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H +a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB +HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc +nAaLOI/nw1ydegw8F+s1ALEAEQEAAcLDsgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv +Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy +Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+ +otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5 +SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358 +cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0 +8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ +vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV +yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A +HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg +K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs +aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh +uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE +cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk +RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F +9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/ +JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g +muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN +86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr +HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S +DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE +ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro +uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY +YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl +JKbGoqC+wchHmOLOwU0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u +aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq +oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7 +FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM +ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL +vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+ +i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb +PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum +ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE +N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH +eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs +LQ1kotFTABEBAAHCwXwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM +JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh +QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB +uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS +nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u +sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD +NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C +nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE +FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ +qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX +Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc +zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2 +TIdjvGbJ/k4qxw== +=fnGl -----END PGP PUBLIC KEY BLOCK-----