testing/openssl-3
SHA256
3
0
Fork 0
forked from pool/openssl-3
Code Pull Requests Activity

Accepting request 1089933 from security:tls

Browse Source 
- Update to 3.1.1:
  * Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate
    (CVE-2023-2650, bsc#1211430)
  * Multiple algorithm implementation fixes for ARM BE platforms.
  * Added a -pedantic option to fipsinstall that adjusts the various settings
    to ensure strict FIPS compliance rather than backwards compatibility.
  * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
    happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
    trigger a crash of an application using AES-XTS decryption if the memory
    just after the buffer being decrypted is not mapped. Thanks to Anton
    Romanov (Amazon) for discovering the issue. (CVE-2023-1255, bsc#1210714)
  * Add FIPS provider configuration option to disallow the use of truncated
    digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The
    option '-no_drbg_truncated_digests' can optionally be supplied
    to 'openssl fipsinstall'.
  * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that
    it does not enable policy checking. Thanks to David Benjamin for
    discovering this issue. (CVE-2023-0466, bsc#1209873)
  * Fixed an issue where invalid certificate policies in leaf certificates are
    silently ignored by OpenSSL and other certificate policy checks are
    skipped for that certificate. A malicious CA could use this to
    deliberately assert invalid certificate policies in order to circumvent
    policy checking on the certificate altogether. (CVE-2023-0465, bsc#1209878)
  * Limited the number of nodes created in a policy tree to mitigate against
    CVE-2023-0464. The default limit is set to 1000 nodes, which should be
    sufficient for most installations. If required, the limit can be adjusted
    by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a
    desired maximum number of nodes or zero to allow unlimited growth.
    (CVE-2023-0464, bsc#1209624)
  * Update openssl.keyring with key

OBS-URL: https://build.opensuse.org/request/show/1089933
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=11
This commit is contained in:
Dominique Leuenberger 2023-06-01 15:18:42 +00:00 committed by Git OBS Bridge
commit ad1bcf2871
11 changed files with 1164 additions and 162 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
baselibs.conf
View File

@ -1,7 +1,7 @@
libopenssl3 libopenssl3
obsoletes "libopenssl1_1_0-<targettype>" obsoletes "libopenssl1_1_0-<targettype>"
libopenssl3-hmac provides "libopenssl3-hmac-<targettype> = <version>-%release"
requires "libopenssl3-<targettype> = <version>-%release" obsoletes "libopenssl3-hmac-<targettype> < <version>-%release"
libopenssl-3-devel libopenssl-3-devel
provides "libopenssl-devel-<targettype> = <version>" provides "libopenssl-devel-<targettype> = <version>"
conflicts "otherproviders(libopenssl-devel-<targettype>)" conflicts "otherproviders(libopenssl-devel-<targettype>)"

3
openssl-3.0.8.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e
size 15151328

16
openssl-3.0.8.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAmPiVZsACgkQ1enkP335
7owJ6BAAk2EnBElYMTM3SuqLDp4fdf2EhSfhxWG45Q9oV8BQ3Th/l8zia/pIOLs7
Pt6MXYhdd6IdVij5HMMR/ZMUJi/YnYG9lhhJ+p4NTHP+Tc4UjHoexJQuDZk9jM6y
zynSONsuIZRAXI4hiJ2Lg5X0iLhEuYBblPUDDdkO8ojTYkEohMQDj4Jt63vVPylV
m+tIDFVfYVQpXnORvy0LNDyjQhDb+gEEnAt8XwpE9FnrvkREHM1WQgmI4+1FLXBc
MaCWoFGEmFRMqxbqEjrtnCCafFcCKGYQnozrdN8VK62xGhDEOwEwjgzW00rm1TIG
eKOp9XOwcZehM5VR622eD/N4A96ET5Q3WOgqc76I8sWmx0lu/PaXl5bZcAeZpG4v
dYI926XSaSsrQ2ADhpgl02vLTVISMejmTNrxZjci0Ce76xjFfcxutD8wppL9Zqg4
dwmpW8+qpgXZ+ABN6qYWsIXVHijJcyJgmFdQdcF/FfjVRxviCncz2i5dyUNUgw6Z
+nLlYNfk+6v0EVIgIA3rw8TGKGom3m1+d41KAMdEAET6n1D/SKbJxCyyYlBBGZBT
7Vd5u2zEjMK4b0Iv81Nq4YsActWk69PULfkYLgRGSvBFtpIn9g9RgV7hKlFTvZ/5
S4A8XH/qrlSk+jb2Bl7qlgyZceDti8Ef6Ktz9YDdH0O133BRxAQ=
=FUbH
-----END PGP SIGNATURE-----

3
openssl-3.1.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674
size 15544757

16
openssl-3.1.1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmR16IIACgkQUnRmohyn
nm0XXw/+NcoUTEDzBQvoRmR+y0GFU6eobgkbiL3Iu/whTD1xljm0YLAP8mWzWhzt
AOGMJLpQ+lBczSow4zXaHT3xky+2fYqUNjccGBF5oWyY/nUFE7+qUG/1yUcXy6Ca
2q6gYX2qAxpHUAjfKfQfYtogkVqIiUnqjaxJX/RgC/FEJTqCN7zq309LF7FaFr7s
IJxkHXRAcjzwXFopTfiKkSQRm1W0bV8xht29kzjXJlSviCnhWFoY/hQdtDr/vcnP
X9GobFyn0n7DPI7B62P1TKGtK755RXztymUnIkNvOUW+TmyuPSBL523jB8SrPfw2
sasQ1G51IqKwAKhDEawDrJ4QAlfZXYJn1REoSpVWPLoGMfM5Aby0OBbzr0eYIJGp
92RMcWjfnUd5Xiw2sW97eRwdAF9WXdcH8Dz650z3bSstc2JeQq49cn9pZ6jG2Yxb
yuXJgkyWWFhBRRax/7FI065vdMFssB0xEHm4u/y8XJ4k/cQR8GZG9JPSwjVapb3X
3TTpDDV/wBFekfHHGJjM9ljuB5NXxYKficDsbHTDaC3ysg3kKzZN5cve0jdSf+P+
v9JLDgk5HZJ3r50/fMrLptzzpjFwToOS0qQV0/X8FpGRxHGjENh9gw3y+IsDEeY1
LVZKq1kkFhYz32h0m+E8OSA/gFcsNY+BG1Y7svtf9sewL84+a/Y=
=JKq4
-----END PGP SIGNATURE-----

134
openssl-3.changes
View File

@ -1,3 +1,137 @@
-------------------------------------------------------------------
Tue May 30 15:14:51 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Update to 3.1.1:
* Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate
(CVE-2023-2650, bsc#1211430)
* Multiple algorithm implementation fixes for ARM BE platforms.
* Added a -pedantic option to fipsinstall that adjusts the various settings
to ensure strict FIPS compliance rather than backwards compatibility.
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
trigger a crash of an application using AES-XTS decryption if the memory
just after the buffer being decrypted is not mapped. Thanks to Anton
Romanov (Amazon) for discovering the issue. (CVE-2023-1255, bsc#1210714)
* Add FIPS provider configuration option to disallow the use of truncated
digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The
option '-no_drbg_truncated_digests' can optionally be supplied
to 'openssl fipsinstall'.
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that
it does not enable policy checking. Thanks to David Benjamin for
discovering this issue. (CVE-2023-0466, bsc#1209873)
* Fixed an issue where invalid certificate policies in leaf certificates are
silently ignored by OpenSSL and other certificate policy checks are
skipped for that certificate. A malicious CA could use this to
deliberately assert invalid certificate policies in order to circumvent
policy checking on the certificate altogether. (CVE-2023-0465, bsc#1209878)
* Limited the number of nodes created in a policy tree to mitigate against
CVE-2023-0464. The default limit is set to 1000 nodes, which should be
sufficient for most installations. If required, the limit can be adjusted
by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a
desired maximum number of nodes or zero to allow unlimited growth.
(CVE-2023-0464, bsc#1209624)
* Update openssl.keyring with key
A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C (Tomas Mraz)
* Rebased patches:
- openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
- openssl-Add_support_for_Windows_CA_certificate_store.patch
* Removed patches:
- openssl-CVE-2023-0464.patch
- openssl-Fix-OBJ_nid2obj-regression.patch
- openssl-CVE-2023-0465.patch
- openssl-CVE-2023-0466.patch
-------------------------------------------------------------------
Mon May 29 07:31:07 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- FIPS: Merge libopenssl3-hmac package into the library [bsc#1185116]
-------------------------------------------------------------------
Mon May 15 09:00:04 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Add support for Windows CA certificate store [bsc#1209430]
https://github.com/openssl/openssl/pull/18070
* Add openssl-Add_support_for_Windows_CA_certificate_store.patch
-------------------------------------------------------------------
Wed Mar 29 12:11:10 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Security Fix: [CVE-2023-0465, bsc#1209878]
* Invalid certificate policies in leaf certificates are silently ignored
* Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
* Certificate policy check not enabled
* Add openssl-CVE-2023-0466.patch
-------------------------------------------------------------------
Tue Mar 28 12:19:06 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Fix regression in the OBJ_nid2obj() function: [bsc#1209430]
* Upstream https://github.com/openssl/openssl/issues/20555
* Add openssl-Fix-OBJ_nid2obj-regression.patch
-------------------------------------------------------------------
Mon Mar 27 14:44:32 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Fix compiler error "initializer element is not constant" on s390
* Add openssl-z16-s390x.patch
-------------------------------------------------------------------
Fri Mar 24 13:55:25 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Security Fix: [CVE-2023-0464, bsc#1209624]
* Excessive Resource Usage Verifying X.509 Policy Constraints
* Add openssl-CVE-2023-0464.patch
-------------------------------------------------------------------
Wed Mar 15 14:55:29 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Pass over with spec-cleaner
-------------------------------------------------------------------
Tue Mar 14 13:34:13 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Update to 3.1.0:
* Add FIPS provider configuration option to enforce the Extended Master
Secret (EMS) check during the TLS1_PRF KDF. The option '-ems-check' can
optionally be supplied to 'openssl fipsinstall'.
* The FIPS provider includes a few non-approved algorithms for backward
compatibility purposes and the "fips=yes" property query must be used for
all algorithm fetches to ensure FIPS compliance. The algorithms that are
included but not approved are Triple DES ECB, Triple DES CBC and EdDSA.
* Added support for KMAC in KBKDF.
* RNDR and RNDRRS support in provider functions to provide random number
generation for Arm CPUs (aarch64).
* s_client and s_server apps now explicitly say when the TLS version does not
include the renegotiation mechanism. This avoids confusion between that
scenario versus when the TLS version includes secure renegotiation but the
peer lacks support for it.
* AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
* The various OBJ_* functions have been made thread safe.
* Parallel dual-prime 1536/2048-bit modular exponentiation for AVX512_IFMA
capable processors.
* The functions OPENSSL_LH_stats, OPENSSL_LH_node_stats,
OPENSSL_LH_node_usage_stats, OPENSSL_LH_stats_bio,
OPENSSL_LH_node_stats_bio and OPENSSL_LH_node_usage_stats_bio are now
marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining
OPENSSL_NO_DEPRECATED_3_1. The macro DEFINE_LHASH_OF is now deprecated in
favour of the macro DEFINE_LHASH_OF_EX, which omits the corresponding
type-specific function definitions for these functions regardless of
whether OPENSSL_NO_DEPRECATED_3_1 is defined. Users of DEFINE_LHASH_OF may
start receiving deprecation warnings for these functions regardless of
whether they are using them. It is recommended that users transition to the
new macro, DEFINE_LHASH_OF_EX.
* When generating safe-prime DH parameters set the recommended private key
length equivalent to minimum key lengths as in RFC 7919.
* Change the default salt length for PKCS#1 RSASSA-PSS signatures to the
maximum size that is smaller or equal to the digest length to comply with
FIPS 186-4 section 5. This is implemented by a new option
OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX ("auto-digestmax") for the
rsa_pss_saltlen parameter, which is now the default. Signature verification
is not affected by this change and continues to work as before.
* Update openssl.keyring with key
8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 (Matt Caswell)
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Mar 8 10:37:09 UTC 2023 - Martin Pluskal <mpluskal@suse.com> Wed Mar 8 10:37:09 UTC 2023 - Martin Pluskal <mpluskal@suse.com>

59
openssl-3.spec
View File

@ -22,7 +22,7 @@
%define man_suffix 3ssl %define man_suffix 3ssl
Name: openssl-3 Name: openssl-3
# Don't forget to update the version in the "openssl" meta-package! # Don't forget to update the version in the "openssl" meta-package!
Version: 3.0.8 Version: 3.1.1
Release: 0 Release: 0
Summary: Secure Sockets and Transport Layer Security Summary: Secure Sockets and Transport Layer Security
License: Apache-2.0 License: Apache-2.0
@ -46,6 +46,10 @@ Patch6: openssl-no-date.patch
# Add crypto-policies support # Add crypto-policies support
Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
# PATCH-FIX-OPENSUSE: Fix compiler error "initializer element is not constant" on s390
Patch9: openssl-z16-s390x.patch
# PATCH-FIX-UPSTREAM: bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW
Patch10: openssl-Add_support_for_Windows_CA_certificate_store.patch
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib) BuildRequires: pkgconfig(zlib)
@ -54,14 +58,14 @@ Requires: openssl
Conflicts: ssl Conflicts: ssl
Provides: ssl Provides: ssl
Provides: openssl(cli) Provides: openssl(cli)
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
Requires: crypto-policies
%endif
# Needed for clean upgrade path, boo#1070003 # Needed for clean upgrade path, boo#1070003
Obsoletes: openssl-1_0_0 Obsoletes: openssl-1_0_0
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: openssl-1_1_0 Obsoletes: openssl-1_1_0
%{?suse_build_hwcaps_libs} %{?suse_build_hwcaps_libs}
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
Requires: crypto-policies
%endif
%description %description
OpenSSL is a software library to be used in applications that need to OpenSSL is a software library to be used in applications that need to
@ -71,16 +75,21 @@ OpenSSL contains an implementation of the SSL and TLS protocols.
%package -n libopenssl3 %package -n libopenssl3
Summary: Secure Sockets and Transport Layer Security Summary: Secure Sockets and Transport Layer Security
License: Apache-2.0 BuildRequires: fipscheck
Recommends: ca-certificates-mozilla
Conflicts: %{name} < %{version}-%{release}
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl1_1_0
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
Requires: crypto-policies Requires: crypto-policies
%endif %endif
Recommends: ca-certificates-mozilla # Merge back the hmac files bsc#1185116
# install libopenssl and libopenssl-hmac close together (bsc#1090765) Provides: libopenssl3-hmac = %{version}-%{release}
Suggests: libopenssl3-hmac = %{version}-%{release} Obsoletes: libopenssl3-hmac < %{version}-%{release}
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl1_1_0 Obsoletes: libopenssl1_1_0-hmac
Conflicts: %{name} < %{version}-%{release} # Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
Obsoletes: libopenssl-1_0_0-hmac
%description -n libopenssl3 %description -n libopenssl3
OpenSSL is a software library to be used in applications that need to OpenSSL is a software library to be used in applications that need to
@ -90,13 +99,12 @@ OpenSSL contains an implementation of the SSL and TLS protocols.
%package -n libopenssl-3-devel %package -n libopenssl-3-devel
Summary: Development files for OpenSSL Summary: Development files for OpenSSL
License: Apache-2.0
Requires: libopenssl3 = %{version} Requires: libopenssl3 = %{version}
Requires: pkgconfig(zlib) Requires: pkgconfig(zlib)
Recommends: %{name} = %{version} Recommends: %{name} = %{version}
Conflicts: libressl-devel
# Conflicting names with libopenssl-1_1-devel # Conflicting names with libopenssl-1_1-devel
Conflicts: libopenssl-1_1-devel Conflicts: libopenssl-1_1-devel
Conflicts: libressl-devel
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl-1_1_0-devel Obsoletes: libopenssl-1_1_0-devel
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 # Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
@ -108,7 +116,6 @@ that want to make use of the OpenSSL C API.
%package doc %package doc
Summary: Additional Package Documentation Summary: Additional Package Documentation
License: Apache-2.0
Conflicts: openssl-doc Conflicts: openssl-doc
Provides: openssl-doc = %{version} Provides: openssl-doc = %{version}
Obsoletes: openssl-doc < %{version} Obsoletes: openssl-doc < %{version}
@ -118,20 +125,6 @@ BuildArch: noarch
This package contains optional documentation provided in addition to This package contains optional documentation provided in addition to
this package's base documentation. this package's base documentation.
%package -n libopenssl3-hmac
Summary: HMAC files for FIPS 140-3 integrity checking of the openssl shared libraries
License: BSD-3-Clause
Requires: libopenssl3 = %{version}-%{release}
BuildRequires: fipscheck
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl1_1_0-hmac
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
Obsoletes: libopenssl-1_0_0-hmac
%description -n libopenssl3-hmac
The FIPS compliant operation of the openssl shared libraries is NOT
possible without the HMAC hashes contained in this package!
%prep %prep
%autosetup -p1 -n %{_rname}-%{version} %autosetup -p1 -n %{_rname}-%{version}
@ -179,7 +172,7 @@ perl configdata.pm --dump
%check %check
# Relax the crypto-policies requirements for the regression tests # Relax the crypto-policies requirements for the regression tests
# Revert patch8 before running tests # Revert patch8 before running tests
patch -p1 -R < %{P:8} patch -p1 -R < %{PATCH8}
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export MALLOC_CHECK_=3 export MALLOC_CHECK_=3
@ -212,8 +205,8 @@ rm -f %{buildroot}%{ssletcdir}/ct_log_list.cnf.dist
cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf
# Create openssl ca-certificates dir required by nodejs regression tests [bsc#1207484] # Create openssl ca-certificates dir required by nodejs regression tests [bsc#1207484]
mkdir -p %{buildroot}/var/lib/ca-certificates/openssl mkdir -p %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl
install -d -m 555 %{buildroot}/var/lib/ca-certificates/openssl install -d -m 555 %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl
# Remove the fipsmodule.cnf because FIPS module is loaded automatically # Remove the fipsmodule.cnf because FIPS module is loaded automatically
rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf
@ -263,8 +256,6 @@ fi
%dir %{_libdir}/ossl-modules %dir %{_libdir}/ossl-modules
%{_libdir}/ossl-modules/fips.so %{_libdir}/ossl-modules/fips.so
%{_libdir}/ossl-modules/legacy.so %{_libdir}/ossl-modules/legacy.so
%files -n libopenssl3-hmac
%{_libdir}/.libssl.so.%{sover}.hmac %{_libdir}/.libssl.so.%{sover}.hmac
%{_libdir}/.libcrypto.so.%{sover}.hmac %{_libdir}/.libcrypto.so.%{sover}.hmac
@ -291,8 +282,8 @@ fi
%attr(700,root,root) %{ssletcdir}/private %attr(700,root,root) %{ssletcdir}/private
%dir %{_datadir}/ssl %dir %{_datadir}/ssl
%{_datadir}/ssl/misc %{_datadir}/ssl/misc
%dir /var/lib/ca-certificates/ %dir %{_localstatedir}/lib/ca-certificates/
%dir /var/lib/ca-certificates/openssl %dir %{_localstatedir}/lib/ca-certificates/openssl
%{_bindir}/%{_rname} %{_bindir}/%{_rname}
%{_bindir}/c_rehash %{_bindir}/c_rehash
%{_mandir}/man1/* %{_mandir}/man1/*

32
openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
View File

@ -97,7 +97,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
"High" encryption cipher suites. This currently means those with key lengths "High" encryption cipher suites. This currently means those with key lengths
--- a/include/openssl/ssl.h.in --- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in
@@ -210,6 +210,11 @@ extern "C" { @@ -213,6 +213,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not * throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.) * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
*/ */
@ -111,7 +111,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
# define SSL_SENT_SHUTDOWN 1 # define SSL_SENT_SHUTDOWN 1
--- a/ssl/ssl_ciph.c --- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c
@@ -1438,6 +1438,53 @@ int SSL_set_ciphersuites(SSL *s, const c @@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const c
return ret; return ret;
} }
@ -165,7 +165,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list, STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1452,15 +1499,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL; const SSL_CIPHER **ca_list = NULL;
const SSL_METHOD *ssl_method = ctx->method; const SSL_METHOD *ssl_method = ctx->method;
@ -193,7 +193,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
/* /*
* To reduce the work to do we only want to process the compiled * To reduce the work to do we only want to process the compiled
@@ -1482,7 +1539,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL) { if (co_list == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
@ -202,7 +202,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
} }
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1548,8 +1605,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* in force within each class * in force within each class
*/ */
if (!ssl_cipher_strength_sort(&head, &tail)) { if (!ssl_cipher_strength_sort(&head, &tail)) {
@ -212,7 +212,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
} }
/* /*
@@ -1593,9 +1649,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) { if (ca_list == NULL) {
@ -223,7 +223,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
} }
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc, disabled_mkey, disabled_auth, disabled_enc,
@@ -1628,8 +1683,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1633,8 +1688,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
OPENSSL_free(ca_list); /* Not needed anymore */ OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */ if (!ok) { /* Rule processing failure */
@ -233,7 +233,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
} }
/* /*
@@ -1637,10 +1691,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1642,10 +1696,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* if we cannot get one. * if we cannot get one.
*/ */
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -249,7 +249,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
/* Add TLSv1.3 ciphers first - we always prefer those if possible */ /* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
@@ -1692,6 +1749,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1697,6 +1754,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*cipher_list = cipherstack; *cipher_list = cipherstack;
return cipherstack; return cipherstack;
@ -266,7 +266,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
--- a/ssl/ssl_lib.c --- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx @@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
ctx->tls13_ciphersuites, ctx->tls13_ciphersuites,
&(ctx->cipher_list), &(ctx->cipher_list),
&(ctx->cipher_list_by_id), &(ctx->cipher_list_by_id),
@ -275,7 +275,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0; return 0;
@@ -3285,7 +3285,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li @@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
if (!ssl_create_cipher_list(ret, if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites, ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id, &ret->cipher_list, &ret->cipher_list_by_id,
@ -298,8 +298,8 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
return 1; return 1;
--- a/util/libcrypto.num --- a/util/libcrypto.num
+++ b/util/libcrypto.num +++ b/util/libcrypto.num
@@ -5428,3 +5428,4 @@ EVP_PKEY_CTX_get0_provider @@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:

743
openssl-Add_support_for_Windows_CA_certificate_store.patch Normal file
View File

@ -0,0 +1,743 @@
From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Fri, 8 Apr 2022 13:10:52 +0100
Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI
env
Fixes #18068.
---
CHANGES.md | 21
Configure | 7
crypto/x509/by_dir.c | 17
crypto/x509/by_store.c | 14
crypto/x509/x509_def.c | 15
doc/build.info | 6
doc/man3/X509_get_default_cert_file.pod | 113 +++++
include/internal/cryptlib.h | 11
include/internal/e_os.h | 2
include/openssl/x509.h.in | 3
providers/implementations/include/prov/implementations.h | 1
providers/implementations/storemgmt/build.info | 3
providers/implementations/storemgmt/winstore_store.c | 327 +++++++++++++++
providers/stores.inc | 3
util/libcrypto.num | 3
util/missingcrypto.txt | 4
16 files changed, 536 insertions(+), 14 deletions(-)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,27 @@ OpenSSL 3.1
### Changes between 3.1.0 and 3.1.1 [30 May 2023]
+ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced.
+ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The
+ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of
+ paths which are searched for root certificates.
+
+ The existing `SSL_CERT_DIR` environment variable is deprecated.
+ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated
+ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes
+ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate
+ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored
+ for the purposes of determining root certificate stores.
+
+ *Hugo Landau*
+
+ * Support for loading root certificates from the Windows certificate store
+ has been added. The support is in the form of a store which recognises the
+ URI string of `org.openssl.winstore://`. This store is enabled by default and
+ can be disabled using the new compile-time option `no-winstore`.
+
+ *Hugo Landau*
+
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
--- a/Configure
+++ b/Configure
@@ -420,6 +420,7 @@ my @disablables = (
"cached-fetch",
"camellia",
"capieng",
+ "winstore",
"cast",
"chacha",
"cmac",
@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) {
}
}
+unless ($disabled{winstore}) {
+ unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) {
+ disable('not-windows', 'winstore');
+ }
+}
+
push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
# Get the extra flags used when building shared libraries and modules. We
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
switch (cmd) {
case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT) {
- const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
+ /* If SSL_CERT_PATH is provided and non-empty, use that. */
+ const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
- if (dir)
- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
- else
- ret = add_cert_dir(ld, X509_get_default_cert_dir(),
- X509_FILETYPE_PEM);
+ /* Fallback to SSL_CERT_DIR. */
+ if (dir == NULL)
+ dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
+
+ /* Fallback to built-in default. */
+ if (dir == NULL)
+ dir = X509_get_default_cert_dir();
+
+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
if (!ret) {
ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
}
--- a/crypto/x509/by_store.c
+++ b/crypto/x509/by_store.c
@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP
{
switch (cmd) {
case X509_L_ADD_STORE:
- /* If no URI is given, use the default cert dir as default URI */
+ /* First try the newer default cert URI envvar. */
+ if (argp == NULL)
+ argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
+
+ /* If not set, see if we have a URI in the older cert dir envvar. */
if (argp == NULL)
argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
+
+ /* Fallback to default store URI. */
if (argp == NULL)
- argp = X509_get_default_cert_dir();
+ argp = X509_get_default_cert_uri();
+
+ /* No point adding an empty URI. */
+ if (!*argp)
+ return 1;
{
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
--- a/crypto/x509/x509_def.c
+++ b/crypto/x509/x509_def.c
@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v
return X509_CERT_AREA;
}
+const char *X509_get_default_cert_uri(void)
+{
+ return X509_CERT_URI;
+}
+
const char *X509_get_default_cert_dir(void)
{
return X509_CERT_DIR;
@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v
return X509_CERT_FILE;
}
+const char *X509_get_default_cert_uri_env(void)
+{
+ return X509_CERT_URI_EVP;
+}
+
+const char *X509_get_default_cert_path_env(void)
+{
+ return X509_CERT_PATH_EVP;
+}
+
const char *X509_get_default_cert_dir_env(void)
{
return X509_CERT_DIR_EVP;
--- a/doc/build.info
+++ b/doc/build.info
@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma
GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod
DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
+DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
+GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
+DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
+GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod
@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht
html/man3/X509_get0_notBefore.html \
html/man3/X509_get0_signature.html \
html/man3/X509_get0_uids.html \
+html/man3/X509_get_default_cert_file.html \
html/man3/X509_get_extension_flags.html \
html/man3/X509_get_pubkey.html \
html/man3/X509_get_serialNumber.html \
@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \
man/man3/X509_get0_notBefore.3 \
man/man3/X509_get0_signature.3 \
man/man3/X509_get0_uids.3 \
+man/man3/X509_get_default_cert_file.3 \
man/man3/X509_get_extension_flags.3 \
man/man3/X509_get_pubkey.3 \
man/man3/X509_get_serialNumber.3 \
--- /dev/null
+++ b/doc/man3/X509_get_default_cert_file.pod
@@ -0,0 +1,113 @@
+=pod
+
+=head1 NAME
+
+X509_get_default_cert_file, X509_get_default_cert_file_env,
+X509_get_default_cert_path_env,
+X509_get_default_cert_dir, X509_get_default_cert_dir_env,
+X509_get_default_cert_uri, X509_get_default_cert_uri_env -
+retrieve default locations for trusted CA certificates
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ const char *X509_get_default_cert_file(void);
+ const char *X509_get_default_cert_dir(void);
+ const char *X509_get_default_cert_uri(void);
+
+ const char *X509_get_default_cert_file_env(void);
+ const char *X509_get_default_cert_path_env(void);
+ const char *X509_get_default_cert_dir_env(void);
+ const char *X509_get_default_cert_uri_env(void);
+
+=head1 DESCRIPTION
+
+The X509_get_default_cert_file() function returns the default path
+to a file containing trusted CA certificates. OpenSSL will use this as
+the default path when it is asked to load trusted CA certificates
+from a file and no other path is specified. If the file exists, CA certificates
+are loaded from the file.
+
+The X509_get_default_cert_dir() function returns a default delimeter-separated
+list of paths to a directories containing trusted CA certificates named in the
+hashed format. OpenSSL will use this as the default list of paths when it is
+asked to load trusted CA certificates from a directory and no other path is
+specified. If a given directory in the list exists, OpenSSL attempts to lookup
+CA certificates in this directory by calculating a filename based on a hash of
+the certificate's subject name.
+
+The X509_get_default_cert_uri() function returns the default URI for a
+certificate store accessed programmatically via an OpenSSL provider. If there is
+no default store applicable to the system for which OpenSSL was compiled, this
+returns an empty string.
+
+X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return
+environment variable names which are recommended to specify nondefault values to
+be used instead of the values returned by X509_get_default_cert_file() and
+X509_get_default_cert_uri() respectively. The values returned by the latter
+functions are not affected by these environment variables; you must check for
+these environment variables yourself, using these functions to retrieve the
+correct environment variable names. If an environment variable is not set, the
+value returned by the corresponding function above should be used.
+
+X509_get_default_cert_path_env() returns the environment variable name which is
+recommended to specify a nondefault value to be used instead of the value
+returned by X509_get_default_cert_dir(). This environment variable supercedes
+the deprecated environment variable whose name is returned by
+X509_get_default_cert_dir_env(). This environment variable was deprecated as its
+contents can be interpreted ambiguously; see NOTES.
+
+By default, OpenSSL uses the path list specified in the environment variable
+whose name is returned by X509_get_default_cert_path_env() if it is set;
+otherwise, it uses the path list specified in the environment variable whose
+name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it
+uses the value returned by X509_get_default_cert_dir()).
+
+=head1 NOTES
+
+X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and
+X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this
+release, store URIs were expressed via the environment variable returned by
+X509_get_default_cert_dir_env(); this environment variable could be used to
+specify either a list of directories or a store URI. This creates an ambiguity
+in which the environment variable returned by X509_get_default_cert_dir_env() is
+interpreted both as a list of directories and as a store URI.
+
+This usage and the environment variable returned by
+X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use
+the environment variable returned by X509_get_default_cert_uri_env(), and to
+specify a list of directories, use the environment variable returned by
+X509_get_default_cert_path_env().
+
+=head1 RETURN VALUES
+
+These functions return pointers to constant strings with static storage
+duration.
+
+=head1 SEE ALSO
+
+L<X509_LOOKUP(3)>,
+L<SSL_CTX_set_default_verify_file(3)>,
+L<SSL_CTX_set_default_verify_dir(3)>,
+L<SSL_CTX_set_default_verify_store(3)>,
+L<SSL_CTX_load_verify_file(3)>,
+L<SSL_CTX_load_verify_dir(3)>,
+L<SSL_CTX_load_verify_store(3)>,
+L<SSL_CTX_load_verify_locations(3)>
+
+=head1 HISTORY
+
+X509_get_default_cert_uri(), X509_get_default_cert_path_env() and
+X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1.
+
+=head1 COPYRIGHT
+
+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -13,6 +13,8 @@
# include <stdlib.h>
# include <string.h>
+# include "openssl/configuration.h"
+# include "internal/e_os.h" /* ossl_inline in many files */
# ifdef OPENSSL_USE_APPLINK
# define BIO_FLAGS_UPLINK_INTERNAL 0x8000
@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM);
# define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf"
# endif
+#ifndef OPENSSL_NO_WINSTORE
+# define X509_CERT_URI "org.openssl.winstore://"
+#else
+# define X509_CERT_URI ""
+#endif
+
+# define X509_CERT_URI_EVP "SSL_CERT_URI"
+# define X509_CERT_PATH_EVP "SSL_CERT_PATH"
# define X509_CERT_DIR_EVP "SSL_CERT_DIR"
# define X509_CERT_FILE_EVP "SSL_CERT_FILE"
# define CTLOG_FILE_EVP "CTLOG_FILE"
@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_
# endif
return path[0] == '/';
}
-
#endif
--- a/include/internal/e_os.h
+++ b/include/internal/e_os.h
@@ -249,7 +249,7 @@ FILE *__iob_func();
/***********************************************/
# if defined(OPENSSL_SYS_WINDOWS)
-# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
+# if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
# define open _open
# define fdopen _fdopen
# define close _close
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
const char *X509_get_default_cert_area(void);
+const char *X509_get_default_cert_uri(void);
const char *X509_get_default_cert_dir(void);
const char *X509_get_default_cert_file(void);
+const char *X509_get_default_cert_uri_env(void);
+const char *X509_get_default_cert_path_env(void);
const char *X509_get_default_cert_dir_env(void);
const char *X509_get_default_cert_file_env(void);
const char *X509_get_default_private_dir(void);
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP
extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[];
extern const OSSL_DISPATCH ossl_file_store_functions[];
+extern const OSSL_DISPATCH ossl_winstore_store_functions[];
--- a/providers/implementations/storemgmt/build.info
+++ b/providers/implementations/storemgmt/build.info
@@ -4,3 +4,6 @@
$STORE_GOAL=../../libdefault.a
SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c
+IF[{- !$disabled{winstore} -}]
+ SOURCE[$STORE_GOAL]=winstore_store.c
+ENDIF
--- /dev/null
+++ b/providers/implementations/storemgmt/winstore_store.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#include <openssl/store.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/core_names.h>
+#include <openssl/core_object.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/params.h>
+#include <openssl/decoder.h>
+#include <openssl/proverr.h>
+#include <openssl/store.h> /* The OSSL_STORE_INFO type numbers */
+#include "internal/cryptlib.h"
+#include "internal/o_dir.h"
+#include "crypto/decoder.h"
+#include "crypto/ctype.h" /* ossl_isdigit() */
+#include "prov/implementations.h"
+#include "prov/bio.h"
+#include "file_store_local.h"
+
+#include <wincrypt.h>
+
+enum {
+ STATE_IDLE,
+ STATE_READ,
+ STATE_EOF,
+};
+
+struct winstore_ctx_st {
+ void *provctx;
+ char *propq;
+ unsigned char *subject;
+ size_t subject_len;
+
+ HCERTSTORE win_store;
+ const CERT_CONTEXT *win_ctx;
+ int state;
+
+ OSSL_DECODER_CTX *dctx;
+};
+
+static void winstore_win_reset(struct winstore_ctx_st *ctx)
+{
+ if (ctx->win_ctx != NULL) {
+ CertFreeCertificateContext(ctx->win_ctx);
+ ctx->win_ctx = NULL;
+ }
+
+ ctx->state = STATE_IDLE;
+}
+
+static void winstore_win_advance(struct winstore_ctx_st *ctx)
+{
+ CERT_NAME_BLOB name = {0};
+
+ if (ctx->state == STATE_EOF)
+ return;
+
+ name.cbData = ctx->subject_len;
+ name.pbData = ctx->subject;
+
+ ctx->win_ctx = (name.cbData == 0 ? NULL :
+ CertFindCertificateInStore(ctx->win_store,
+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+ 0, CERT_FIND_SUBJECT_NAME,
+ &name, ctx->win_ctx));
+
+ ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ;
+}
+
+static void *winstore_open(void *provctx, const char *uri)
+{
+ struct winstore_ctx_st *ctx = NULL;
+
+ if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:"))
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
+ if (ctx == NULL)
+ return NULL;
+
+ ctx->provctx = provctx;
+ ctx->win_store = CertOpenSystemStoreW(0, L"ROOT");
+ if (ctx->win_store == NULL) {
+ OPENSSL_free(ctx);
+ return NULL;
+ }
+
+ winstore_win_reset(ctx);
+ return ctx;
+}
+
+static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin)
+{
+ return NULL; /* not supported */
+}
+
+static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[])
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
+{
+ struct winstore_ctx_st *ctx = loaderctx;
+ const OSSL_PARAM *p;
+ int do_reset = 0;
+
+ if (params == NULL)
+ return 1;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
+ if (p != NULL) {
+ do_reset = 1;
+ OPENSSL_free(ctx->propq);
+ ctx->propq = NULL;
+ if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0))
+ return 0;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT);
+ if (p != NULL) {
+ const unsigned char *der = NULL;
+ size_t der_len = 0;
+
+ if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len))
+ return 0;
+
+ do_reset = 1;
+
+ OPENSSL_free(ctx->subject);
+
+ ctx->subject = OPENSSL_malloc(der_len);
+ if (ctx->subject == NULL) {
+ ctx->subject_len = 0;
+ return 0;
+ }
+
+ ctx->subject_len = der_len;
+ memcpy(ctx->subject, der, der_len);
+ }
+
+ if (do_reset) {
+ winstore_win_reset(ctx);
+ winstore_win_advance(ctx);
+ }
+
+ return 1;
+}
+
+struct load_data_st {
+ OSSL_CALLBACK *object_cb;
+ void *object_cbarg;
+};
+
+static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst,
+ const OSSL_PARAM *params, void *construct_data)
+{
+ struct load_data_st *data = construct_data;
+ return data->object_cb(params, data->object_cbarg);
+}
+
+static void load_cleanup(void *construct_data)
+{
+ /* No-op. */
+}
+
+static int setup_decoder(struct winstore_ctx_st *ctx)
+{
+ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx);
+ const OSSL_ALGORITHM *to_algo = NULL;
+
+ if (ctx->dctx != NULL)
+ return 1;
+
+ ctx->dctx = OSSL_DECODER_CTX_new();
+ if (ctx->dctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ for (to_algo = ossl_any_to_obj_algorithm;
+ to_algo->algorithm_names != NULL;
+ to_algo++) {
+ OSSL_DECODER *to_obj = NULL;
+ OSSL_DECODER_INSTANCE *to_obj_inst = NULL;
+
+ /*
+ * Create the internal last resort decoder implementation
+ * together with a "decoder instance".
+ * The decoder doesn't need any identification or to be
+ * attached to any provider, since it's only used locally.
+ */
+ to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL);
+ if (to_obj != NULL)
+ to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx);
+
+ OSSL_DECODER_free(to_obj);
+ if (to_obj_inst == NULL)
+ goto err;
+
+ if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx,
+ to_obj_inst)) {
+ ossl_decoder_instance_free(to_obj_inst);
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+ }
+
+ if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ return 1;
+
+err:
+ OSSL_DECODER_CTX_free(ctx->dctx);
+ ctx->dctx = NULL;
+ return 0;
+}
+
+static int winstore_load_using(struct winstore_ctx_st *ctx,
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg,
+ const void *der, size_t der_len)
+{
+ struct load_data_st data;
+ const unsigned char *der_ = der;
+ size_t der_len_ = der_len;
+
+ if (setup_decoder(ctx) == 0)
+ return 0;
+
+ data.object_cb = object_cb;
+ data.object_cbarg = object_cbarg;
+
+ OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data);
+ OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg);
+
+ if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0)
+ return 0;
+
+ return 1;
+}
+
+static int winstore_load(void *loaderctx,
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
+{
+ int ret = 0;
+ struct winstore_ctx_st *ctx = loaderctx;
+
+ if (ctx->state != STATE_READ)
+ return 0;
+
+ ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg,
+ ctx->win_ctx->pbCertEncoded,
+ ctx->win_ctx->cbCertEncoded);
+
+ if (ret == 1)
+ winstore_win_advance(ctx);
+
+ return ret;
+}
+
+static int winstore_eof(void *loaderctx)
+{
+ struct winstore_ctx_st *ctx = loaderctx;
+
+ return ctx->state != STATE_READ;
+}
+
+static int winstore_close(void *loaderctx)
+{
+ struct winstore_ctx_st *ctx = loaderctx;
+
+ winstore_win_reset(ctx);
+ CertCloseStore(ctx->win_store, 0);
+ OSSL_DECODER_CTX_free(ctx->dctx);
+ OPENSSL_free(ctx->propq);
+ OPENSSL_free(ctx->subject);
+ OPENSSL_free(ctx);
+ return 1;
+}
+
+const OSSL_DISPATCH ossl_winstore_store_functions[] = {
+ { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open },
+ { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach },
+ { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params },
+ { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params },
+ { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load },
+ { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof },
+ { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close },
+ { 0, NULL },
+};
--- a/providers/stores.inc
+++ b/providers/stores.inc
@@ -12,3 +12,6 @@
#endif
STORE("file", "yes", ossl_file_store_functions)
+#ifndef OPENSSL_NO_WINSTORE
+STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions)
+#endif
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
+X509_get_default_cert_uri ? 3_1_0 EXIST::FUNCTION:
+X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION:
+X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION:
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
--- a/util/missingcrypto.txt
+++ b/util/missingcrypto.txt
@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3)
X509_get1_email(3)
X509_get1_ocsp(3)
X509_get_default_cert_area(3)
-X509_get_default_cert_dir(3)
-X509_get_default_cert_dir_env(3)
-X509_get_default_cert_file(3)
-X509_get_default_cert_file_env(3)
X509_get_default_private_dir(3)
X509_get_pubkey_parameters(3)
X509_get_signature_type(3)

111
openssl-z16-s390x.patch Normal file
View File

@ -0,0 +1,111 @@
iIndex: openssl-3.1.0/crypto/s390xcap.c
===================================================================
--- openssl-3.1.0.orig/crypto/s390xcap.c
+++ openssl-3.1.0/crypto/s390xcap.c
@@ -674,7 +674,105 @@ static int parse_env(struct OPENSSL_s390
* z16 (2022) - z/Architecture POP
* Implements MSA and MSA1-9 (same as z15).
*/
+#if defined(__GNUC__) && __GNUC__<13 && (defined(__s390__) || defined(__s390x__))
+ static const struct OPENSSL_s390xcap_st z16 = {
+ /*.stfle = */{S390X_CAPBIT(S390X_MSA)
+ | S390X_CAPBIT(S390X_STCKF)
+ | S390X_CAPBIT(S390X_MSA5),
+ S390X_CAPBIT(S390X_MSA3)
+ | S390X_CAPBIT(S390X_MSA4),
+ S390X_CAPBIT(S390X_VX)
+ | S390X_CAPBIT(S390X_VXD)
+ | S390X_CAPBIT(S390X_VXE)
+ | S390X_CAPBIT(S390X_MSA8)
+ | S390X_CAPBIT(S390X_MSA9),
+ 0ULL},
+ /*.kimd = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512)
+ | S390X_CAPBIT(S390X_SHA3_224)
+ | S390X_CAPBIT(S390X_SHA3_256)
+ | S390X_CAPBIT(S390X_SHA3_384)
+ | S390X_CAPBIT(S390X_SHA3_512)
+ | S390X_CAPBIT(S390X_SHAKE_128)
+ | S390X_CAPBIT(S390X_SHAKE_256),
+ S390X_CAPBIT(S390X_GHASH)},
+ /*.klmd = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_1)
+ | S390X_CAPBIT(S390X_SHA_256)
+ | S390X_CAPBIT(S390X_SHA_512)
+ | S390X_CAPBIT(S390X_SHA3_224)
+ | S390X_CAPBIT(S390X_SHA3_256)
+ | S390X_CAPBIT(S390X_SHA3_384)
+ | S390X_CAPBIT(S390X_SHA3_512)
+ | S390X_CAPBIT(S390X_SHAKE_128)
+ | S390X_CAPBIT(S390X_SHAKE_256),
+ 0ULL},
+ /*.km = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256)
+ | S390X_CAPBIT(S390X_XTS_AES_128)
+ | S390X_CAPBIT(S390X_XTS_AES_256),
+ 0ULL},
+ /*.kmc = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.kmac = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.kmctr = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.kmo = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.kmf = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.prno = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_SHA_512_DRNG),
+ S390X_CAPBIT(S390X_TRNG)},
+ /*.kma = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_AES_128)
+ | S390X_CAPBIT(S390X_AES_192)
+ | S390X_CAPBIT(S390X_AES_256),
+ 0ULL},
+ /*.pcc = */{S390X_CAPBIT(S390X_QUERY),
+ S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256)
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384)
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521)
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519)
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448)
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519)
+ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448)},
+ /*.kdsa = */{S390X_CAPBIT(S390X_QUERY)
+ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256)
+ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384)
+ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P521)
+ | S390X_CAPBIT(S390X_ECDSA_SIGN_P256)
+ | S390X_CAPBIT(S390X_ECDSA_SIGN_P384)
+ | S390X_CAPBIT(S390X_ECDSA_SIGN_P521)
+ | S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519)
+ | S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448)
+ | S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519)
+ | S390X_CAPBIT(S390X_EDDSA_SIGN_ED448),
+ 0ULL},
+ };
+#else
static const struct OPENSSL_s390xcap_st z16 = z15;
+#endif
char *tok_begin, *tok_end, *buff, tok[S390X_STFLE_MAX][LEN + 1];
int rc, off, i, n;

205
openssl.keyring
View File

@ -1,94 +1,117 @@
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C Comment: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C
Comment: Richard Levitte <levitte@lp.se> Comment: Tomáš Mráz <tm@t8m.info>
Comment: Richard Levitte <levitte@openssl.org> Comment: Tomáš Mráz <tomas@arleto.cz>
Comment: Richard Levitte <richard@levitte.org> Comment: Tomáš Mráz <tomas@openssl.org>
xsFNBFQwazYBEAC01v949yFYzwbn0UkEkM3MHTrDqWbp+erhXqdVD5ymG/pXvmqx xsFNBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr
5KlxL1TZMuWEFuaq9EVkW8Wm5glk4D14IalIVKARAMDwqgNrPnw0GCAmNIf+Omvl 55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH
G7gdsSR93eALJp1vvKZpeEVZj0M0gQ1i4QIIR8PMqs+2jaYyed4HhRYzUbGKZMnr F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi
94Onby8FIAYq0B79VqBv5NfMc2KEKrLXwuDSjtZd2TGB7qeLF7sCczyFoi5XTj+B UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag
iVfdxCzoYEa1Rjp5hGllVj85w2DdfKED/BW7VCel4H+WTZGqTFQ1e3kPo1KdqlwD pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K
F+Ci2JFU6myPy0LpHrNhn6FsdQGOuRKgYPycol7VzJHKtcGNMDkUFGV2DsgljQuW /Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv
Sj5TNNX5umFCIIN94eLvHtV9bXP98yKB/5pr2JhagL6kdU7OE0c/mugA05gGQTUJ MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8
DeLNsRq54YC+CLyM9dxMvH7yB43yMfUvgKcSRt0sHUo8g5aOYdFq0SXQUr8+t/iH laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB
3t5/JxhqBik8FBiu0aISsTDUbvbxQQQe/LhfR+FWDZRFwHOL0VELapfw1whitGG+ HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3
y+F9fQIJfa5yzEiC9AWYZjHRaFB7q6LAvF0V8vP+pkT157fTK63W53mt1+VPMt2L zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06
732i+/Cqy/6HzwOdnNnNyfEdvm2Jojs8KXN20vChnfUGifvTjxuiFib9sQARAQAB YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB
zR9SaWNoYXJkIExldml0dGUgPGxldml0dGVAbHAuc2U+wsGPBBMBAgAiBQJUMGwd zRtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz7CwZQEEwEIAD4WIQSiH6t0sAiK
AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnujBYhBHlTrB+8 o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe
PcizspI5PtXp5D99+e6Mq7QP/iNhBEDJYRTrYc6JAmRIg6YyiKjeOx8kXtVCe9+q AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy
CzC+Y9ehyZB5Dyl0Ybej9jNJdEDJzDHKzVwU4NrfefcTWqUOQDNbpClGtXcQHlUt U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE
hjREPWpyAEH1OhD5NDTSMI5YYKZDEfiN6oEpWlc7WK0mXZuY5mHOo0B3yNDfV845 KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W
+7CGPK9zuE56/f9SLmCaFsCkNMGbvV4ybLRoBfZdnC5NPOKyJXQ0TG0CbxGMgIN5 nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh
cOrBphU+ZrPYY+p4jEoD5rvFugQl4+oRsvxygpJV5t8pe1ihNMhmzu3CpRtMjmRA 1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I
dzK+27Z8p7m8BORuoC+NbXVpcmjIueXDkYdxP+09qUyw8xE398tAuEXpbCVoQ68b m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj
6NDCBpowgvUu34zxDn0wKdt2YGHB6z7Kl7b8RycWG3Y8u/Hs+l6QehEmiy6UKXl7 kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD
zW3PIi3192WzElUi7TtG/btqC6YPs0U3SQMkNWzwkjbKM9bC4gPFMK05a8QENc66 IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M
M+USWjNg0TiAkGP9PDlpYyhtjicCTgL51lDm8LBXr9cbzvXav7Jc6NVh7Zby89r1 8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6
DsPFzfDkccOX6nSnqYMISmvRUGrGfgrkeeM0MNu93aPTrs+0fxq+HJIZEhX/YCyQ z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41
N4jqM+hQGh9bOwM7BacaP9F9vnq2hDK2WIXlWChX9Q70xArViJqzI8/76Ph1inPb xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM
jbJczSVSaWNoYXJkIExldml0dGUgPGxldml0dGVAb3BlbnNzbC5vcmc+wsGPBBMB MriPFc0fVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PsLBlAQTAQgAPhYh
AgAiBQJUMGwKAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnu BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL
jBYhBHlTrB+8PcizspI5PtXp5D99+e6M1bAP/0byoJMiMsswapbBypQCT/vQmaoX AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk
jZzNcU4qAKlB5EMlHkxl1T8ytEXxmNMd/e0ltV9HALeBqX1eYHS7oTG3rMXKuYVY 8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO
TO19eM2wLiCW664EUtOsB9zAnpp6X+8UWMoNEpWlEHgkdlADQ0xIrrH3pt29SAbd UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv
x0QsvwkWPawEoKMoUiGPnVY4hAt7Xx9gDmWEa2T6tExd9soBBTIuIpTH3MbAEHsv FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW
nBbdyarNltGF/pXYGMmGaYmU0WujqKzqpBpy3zwd0Rx1Kms5e0ZcypVzqx3Xgcue FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q
W8fbMPTZbG+Z922GUFDJ139WjAA2FsMJ9ES7XIIoJh/4nfBwk+PXcj29TieDnl2r UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy
d4x7Yxnqp4Vzau+IARz9Vr1OIFVlQbaSdXfmDFi/fvVf9CJZnWwcSwkqp4pk50Zy Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS
nEA+8TzEQj08jdj0+yrJNvbRxqbIafzSmoU77bANs4gc0WOdTTpvv4honUQROARp 2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW
G/JT47hE7ATVGNdF7bmWNEyEYFtZMdGP0xD+K0xEgsir65aruVixVrNKxOX9wqx6 kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm
JGzHTSTgtAVYAvMIsWJTLuCXZbMRmmmmubfyVaMAisz5UIYD+TCPncuJ1dMUW9WI T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI
uLNFGLTRGHri01EWe2epaHZWA0WB0cQZaeGpc7C986WskDi9SA9ZzCIGW4oQIBQX yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I
lRJjjYxIBCnjxtUWzSVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAbGV2aXR0ZS5v 8tmXB4BcoHFB9N0AzSFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz7C
cmc+wsGSBBMBAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVDBtJgIZ wZQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL
AQAhCRDV6eQ/ffnujBYhBHlTrB+8PcizspI5PtXp5D99+e6MmN0P/AmpB8DasBnj CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh
h9fAlBM8kEZ23MHVdEguPWX8KBML4L6eVlWRn7hdfpvOS90Ll5LTdtWPAQs8lDYh KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo
4V86hIYgLK9tisZyby+5NT4dEl6CXgHbRjdDbp0xKfGc5F9jWzPZpG8ZdDz6Zbvd 2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ
ooy/4ThXNS16HcsJRckan6oFjCNAWSNpXDYcLtA7+9ncimrC/C+kGYlyPWJGYZu1 +J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4
C3I+oL3+qWwiqAG9hp/zedsIsNP7o24wb0SgD0dTzphmOAPwTRfGS2DHhpbAH9P6 yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M
MZPiFBRGsARRRFfTRGkzI9W1M4bv9l/L8s6STpjD8+40f+aUE8cyUcNj1ycyRGFA cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A
nwf5MeO3MqzvjocoUyoZNc4t7/6rh6sceFjgMt/DFFZbi3kvz9cJBcaN6TWWktd4 ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly
+1WmLxwcF0n3xaB04KCvXTaBZ5f/Hz5D4O8HyYsS6GlW6yIUiuAOvav8WizaTMbY Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y
k81XfXBuBKv7Vxk0fRYf9+HJ7fyWyIlIN9FqrSiiopA3JR+8gP8ueFcycmLnl2D9 q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt
fyZn/sv+UCLrMR6fyD/5EtzgzW0AJ8BDJw5n7ctmZ6UhuasDZZMPC2uB9LVhpQ8W Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj
3mDDxJoaYe5bE2p0ca+mwEHZQpbpjmtT/2x5rGFZYxBUOhuGn/94zEYSqLLDirlF hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI
IEUgucXLOLQHyEl+kEkCLEmSbn71WsM8wsGPBBMBAgAiBQJUMGs2AhsDBgsJCAcD w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZc7BTQRg8UyoARAApiWRrHjdEu9Fp2yd7K93
AgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnujBYhBHlTrB+8PcizspI5PtXp VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27
5D99+e6MbdMP/1yj/fl/t8sl6ZH8v26uBBLSUeZPJYef9TCoe6akV//x4JLujB8y 1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp
dGGW8bToC680zpuYlNn+avMwmjyocPwe7Cqgev6AyO+CjspoodM9Xai0y10CAHCl djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50
vGAW8mX7c79jtLcMB/Z/0+5u4ErkzfwyURRpB5deLcQ4LhyRVZbLQ72fdCrmPYzO IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK
e6Rhmfr9nWKL/oHDTLDUtRjAXdurI8YQKK9nCtbsM2uytvYkzpD2wx0B16rB7N04 bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn
QLJBNDyOUJwnm4K+Xt9LLs8NUJ8JXCdwXKXGrFFbt2b3vmy0y4/NR5AUoS444ao5 gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w
1mybA19WkCcCj5mSKmfZ9Dfbv6K3JCJx4ra5uJT2HP2M3NugtumQ1KPBUlNApVC6 NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh
u+Vn7SMqFW/KFRCxOjXDWWU+F4prqzOVc5SYqIUOk7XVxgj1FBryw5Wel5iq1Bn8 D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H
La1Fv3Hs/+pUKHRYYIC48kRET7h6oCmBiNn+XmU0A2qZnIyblmVpmfYftj3UWUC0 a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB
S86qf/dRi8unTXYl8qEQyOSPz8g6t2RDgEsJOzKhiO+j+wcBYVOgrSgsawC8yxjA HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc
zfVwkprUJognVBJFCv4sKMb9wg99iEacI6O401w3FQy5FyokjmxXzrhn0UPj3t35 nAaLOI/nw1ydegw8F+s1ALEAEQEAAcLDsgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv
wd81WZ5HWaBSLnBo8HklfDyaybPlXODldSI7OGOch/0/CZEQzQwzsmnazsFNBFQw Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy
azYBEADPNcBdaXTUwkG81K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpj Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+
U45kx/wO5KiTVj+bM+scSzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5
9qT3i0eSSpa1Kpx8eAHKcVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdk SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358
HsEoMSVU6Jy86E908OLaJbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHM cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0
el8ZcEgTah7huS6lUA4seQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1 8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ
nbMQ/dEvMQpFxLCOBNQP0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAt vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV
c/+iwMUkQQXJRw7Vlp9Fp9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQ yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A
Je31m7sezA3cLnFR86ol2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+ HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg
sjauCZQW3KYx31Il5bO3ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbh K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs
ddJBHsd7GNkwzb1QivcqnYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh
5JTjMkj1s9cppQ8tdqiV4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABwsF2BBgB uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE
AgAJBQJUMGs2AhsMACEJENXp5D99+e6MFiEEeVOsH7w9yLOykjk+1enkP3357ozr cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk
2A//YzMQJ6Mo+/SU328dOeoseI/sFypuK882pPhXfJqX8l8H1zyHbKWy5lLLiv1M RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F
oNOC/8pWbpv2QlWyN3PKrB6srClnpPyiHIO37/lQBcpjvAfy9HWpl21FDxn9Ruxn 9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/
a/IMYwq60EjE5h8NynNn57vydF3qTcTqkhtHW61L3vbBAcz9VMSay9QVm1f6qzM5 JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g
WbbLxp1sfNjQWKSo381kjs1Vj7yCTBrJul3qSeX0CsRB7WF5VYMalpNTHPRIqCWp muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN
zTMcO3E5SSGIJy+AqwAZZvFiylGrSsux6TnVEVJ07s0nn1yj3q7Ii7av+waGmTf7 86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr
9B0AyZv0IZ4j4NUWFNnGhsG1bEumFLkQl7Id/M61k0yKOusHdzDcZbCzecyww1w3 HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S
WD+j4wvGkfBy4mQRqLiyjutsN/dpxRRkULATME+TH9J5eNq0A5sRRaayEiA1TDcA DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE
WfF0PtA4smNy1GyIarobC+xn8AENi4eeYZBbfDfh8oRhEsICQ6rs098wiYz8jtZ/ ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro
pOruzbiD7ZKDy+vjKtYqgjGnioHQalJCZrKTUnREpH102pg1Cw6v2OcjiXsqU5L7 uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY
Yrhv1jQIluII051VIJ/QBWe5uT7YiJOsMLMQGWvkObPXEYLld2UF6hK6MH4epkwV YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl
/w1uNqnlvIeEFgHTKmSHvfwlAF64lUiDCUdWExXybKkE2NY= JKbGoqC+wchHmOLOwU0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u
=1H60 aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq
oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7
FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM
ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL
vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+
i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb
PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum
ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE
N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH
eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs
LQ1kotFTABEBAAHCwXwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM
JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh
QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB
uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS
nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u
sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD
NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C
nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE
FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ
qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX
Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc
zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2
TIdjvGbJ/k4qxw==
=fnGl
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----