openkylin
/
openssl3
mirror of https://gitee.com/openkylin/openssl3.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

同步高版本补丁及打包文件

This commit is contained in:
shangxiaoyang 2023-03-09 14:52:19 +08:00
parent 62ed5dc1eb
commit 5c495ee639
46 changed files with 2671 additions and 10721 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Configurations/10-main.conf
View File

@ -697,7 +697,7 @@ my %targets = (
shared_target => "linux-shared",
shared_cflag => "-fPIC",
shared_ldflag => sub { $disabled{pinshared} ? () : "-Wl,-znodelete" },
enable => [ "afalgeng" ],
enable => [ "afalgeng", "ktls" ],
},
"linux-latomic" => {
inherit_from => [ "linux-generic32" ],

169
Configurations/20-debian.conf Normal file
View File

@ -0,0 +1,169 @@
my %targets = (
"debian" => {
cflags => add("-Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2"),
},
"debian-alpha" => {
inherit_from => [ "linux-alpha-gcc", "debian" ],
},
"debian-alpha-ev4" => {
inherit_from => [ "debian-alpha" ],
cflags => add("-mcpu=ev4"),
},
"debian-alpha-ev5" => {
inherit_from => [ "debian-alpha" ],
cflags => add("-mcpu=ev5"),
},
"debian-arc" => {
inherit_from => [ "linux-latomic", "debian" ],
},
"debian-arm64" => {
inherit_from => [ "linux-aarch64", "debian" ],
},
"debian-arm64ilp32" => {
inherit_from => [ "linux-arm64ilp32", "debian" ],
},
"debian-armel" => {
inherit_from => [ "linux-armv4", "debian" ],
},
"debian-armhf" => {
inherit_from => [ "linux-armv4", "debian" ],
},
"debian-amd64" => {
inherit_from => [ "linux-x86_64", "debian" ],
},
"debian-i386" => {
inherit_from => [ "linux-elf", "debian" ],
},
"debian-avr32" => {
inherit_from => [ "linux-generic32", "debian" ],
},
"debian-kfreebsd-amd64" => {
inherit_from => [ "debian-amd64" ],
enable => [ ],
},
"debian-kfreebsd-i386" => {
inherit_from => [ "debian-i386" ],
enable => [ ],
},
"debian-hppa" => {
inherit_from => [ "linux-generic32", "debian" ],
cflags => add("-DB_ENDIAN"),
},
"debian-hurd-i386" => {
inherit_from => [ "hurd-x86", "debian" ],
},
"debian-ia64" => {
inherit_from => [ "linux-ia64", "debian" ],
cflags => add("-fzero-call-used-regs=skip"),
},
"debian-loong64" => {
inherit_from => [ "linux64-loongarch64", "debian" ],
},
"debian-m68k" => {
inherit_from => [ "linux-latomic", "debian" ],
cflags => add("-DB_ENDIAN"),
},
"debian-mips" => {
inherit_from => [ "linux-mips32", "debian" ],
cflags => add("-DB_ENDIAN"),
},
"debian-mipsel" => {
inherit_from => [ "linux-mips32", "debian" ],
cflags => add("-DL_ENDIAN"),
},
"debian-mipsn32" => {
inherit_from => [ "linux-mips64", "debian" ],
cflags => add("-DB_ENDIAN"),
},
"debian-mipsn32el" => {
inherit_from => [ "linux-mips64", "debian" ],
cflags => add("-DL_ENDIAN"),
},
"debian-mips64" => {
inherit_from => [ "linux64-mips64", "debian" ],
cflags => add("-DB_ENDIAN"),
},
"debian-mips64el" => {
inherit_from => [ "linux64-mips64", "debian" ],
cflags => add("-DL_ENDIAN"),
},
"debian-musl-linux-arm64" => {
inherit_from => [ "linux-aarch64", "debian" ],
},
"debian-musl-linux-armhf" => {
inherit_from => [ "linux-armv4", "debian" ],
},
"debian-musl-linux-i386" => {
inherit_from => [ "linux-elf", "debian" ],
},
"debian-musl-linux-mips" => {
inherit_from => [ "linux-mips32", "debian" ],
cflags => add("-DB_ENDIAN"),
},
"debian-musl-linux-mipsel" => {
inherit_from => [ "linux-mips32", "debian" ],
cflags => add("-DL_ENDIAN"),
},
"debian-nios2" => {
inherit_from => [ "linux-latomic", "debian" ],
},
"debian-powerpc" => {
inherit_from => [ "linux-ppc", "debian" ],
},
"debian-powerpcspe" => {
inherit_from => [ "linux-ppc", "debian" ],
},
"debian-ppc64" => {
inherit_from => [ "linux-generic64", "debian", ],
asm_arch => 'ppc64',
cflags => add("-DB_ENDIAN"),
perlasm_scheme => "linux64",
},
"debian-ppc64el" => {
inherit_from => [ "linux-ppc64le", "debian" ],
},
"debian-riscv64" => {
inherit_from => [ "linux-generic64", "debian" ],
},
"debian-s390" => {
inherit_from => [ "linux-generic32", "debian" ],
},
"debian-s390x" => {
inherit_from => [ "linux64-s390x", "debian" ],
},
"debian-sh3" => {
inherit_from => [ "linux-latomic", "debian" ],
},
"debian-sh3eb" => {
inherit_from => [ "linux-latomic", "debian" ],
},
"debian-sh4" => {
inherit_from => [ "linux-latomic", "debian" ],
},
"debian-sh4eb" => {
inherit_from => [ "linux-latomic", "debian" ],
},
"debian-m32r" => {
inherit_from => [ "linux-latomic", "debian" ],
},
"debian-sparc" => {
inherit_from => [ "linux-latomic", "debian", ],
asm_arch => 'sparcv9',
cflags => add("-DB_ENDIAN -DBN_DIV2W"),
},
"debian-sparc64" => {
inherit_from => [ "linux-generic64", "debian" ],
asm_arch => 'sparcv9',
cflags => add("-m64 -mcpu=ultrasparc -DB_ENDIAN"),
bn_ops => "BN_LLONG RC4_CHAR",
ex_libs => add("-latomic"),
},
"debian-tilegx" => {
inherit_from => [ "linux-generic64", "debian" ],
},
"debian-x32" => {
inherit_from => [ "linux-x32", "debian" ],
},
);

2
Configurations/shared-info.pl
View File

@ -25,7 +25,7 @@ sub detect_gnu_cc {
my %shared_info;
%shared_info = (
'gnu-shared' => {
shared_ldflag => '-shared -Wl,-Bsymbolic',
shared_ldflag => '-shared',
shared_sonameflag => '-Wl,-soname=',
},
'linux-shared' => sub {

5
Configurations/unix-Makefile.tmpl
View File

@ -318,7 +318,8 @@ HTMLDIR=$(DOCDIR)/html
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
# appended after the manpage file section number. "ssl" is popular,
# resulting in files such as config.5ssl rather than config.5.
MANSUFFIX=ossl
MANSUFFIX=ssl
MANSECTION=SSL
HTMLSUFFIX=html
# For "optional" echo messages, to get "real" silence
@ -1537,7 +1538,7 @@ EOF
my $pod = $gen0;
return <<"EOF";
$args{src}: $pod
pod2man --name=$name --section=$section\$(MANSUFFIX) --center=OpenSSL \\
pod2man --name=$name --section=$section\$(MANSECTION) --center=OpenSSL \\
--release=\$(VERSION) $pod >\$\@
EOF
} elsif (platform->isdef($args{src})) {

2
Configure
View File

@ -1715,7 +1715,7 @@ unless ($disabled{devcryptoeng}) {
unless ($disabled{ktls}) {
$config{ktls}="";
my $cc = $config{CROSS_COMPILE}.$config{CC};
if ($target =~ m/^linux/) {
if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
system("printf '#include <sys/types.h>\n#include <linux/tls.h>' | $cc -E - >/dev/null 2>&1");
if ($? != 0) {
disable('too-old-kernel', 'ktls');

8
apps/openssl.cnf
View File

@ -51,11 +51,11 @@ tsa_policy3 = 1.2.3.4.5.7
# .include fipsmodule.cnf
[openssl_init]
providers = provider_sect
# providers = provider_sect
# List of providers to load
[provider_sect]
default = default_sect
# [provider_sect]
# default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
@ -68,7 +68,7 @@ default = default_sect
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
# [default_sect]
# activate = 1

35
crypto/conf/conf_ssl.c
View File

@ -12,6 +12,7 @@
#include <openssl/conf.h>
#include <openssl/err.h>
#include "internal/sslconf.h"
#include "internal/thread_once.h"
#include "conf_local.h"
/*
@ -35,12 +36,25 @@ struct ssl_conf_cmd_st {
char *arg;
};
static CRYPTO_ONCE init_ssl_names_lock = CRYPTO_ONCE_STATIC_INIT;
static CRYPTO_RWLOCK *ssl_names_lock;
static struct ssl_conf_name_st *ssl_names;
static size_t ssl_names_count;
static void ssl_module_free(CONF_IMODULE *md)
DEFINE_RUN_ONCE_STATIC(do_init_ssl_names_lock)
{
ssl_names_lock = CRYPTO_THREAD_lock_new();
if (ssl_names_lock == NULL) {
ERR_raise(ERR_LIB_CONF, ERR_R_MALLOC_FAILURE);
return 0;
}
return 1;
}
static void ssl_module_free_unlocked(CONF_IMODULE *md)
{
size_t i, j;
if (ssl_names == NULL)
return;
for (i = 0; i < ssl_names_count; i++) {
@ -58,6 +72,14 @@ static void ssl_module_free(CONF_IMODULE *md)
ssl_names_count = 0;
}
static void ssl_module_free(CONF_IMODULE *md)
{
if (!CRYPTO_THREAD_write_lock(ssl_names_lock))
return;
ssl_module_free_unlocked(md);
CRYPTO_THREAD_unlock(ssl_names_lock);
}
static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
{
size_t i, j, cnt;
@ -65,6 +87,12 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
const char *ssl_conf_section;
STACK_OF(CONF_VALUE) *cmd_lists;
if (!RUN_ONCE(&init_ssl_names_lock, do_init_ssl_names_lock))
return 0;
if (!CRYPTO_THREAD_write_lock(ssl_names_lock))
return 0;
ssl_conf_section = CONF_imodule_get_value(md);
cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
if (sk_CONF_VALUE_num(cmd_lists) <= 0) {
@ -77,7 +105,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
goto err;
}
cnt = sk_CONF_VALUE_num(cmd_lists);
ssl_module_free(md);
ssl_module_free_unlocked(md);
ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
if (ssl_names == NULL)
goto err;
@ -126,7 +154,8 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
rv = 1;
err:
if (rv == 0)
ssl_module_free(md);
ssl_module_free_unlocked(md);
CRYPTO_THREAD_unlock(ssl_names_lock);
return rv;
}

17
crypto/des/asm/desboth.pl
View File

@ -23,6 +23,11 @@ sub DES_encrypt3
&push("edi");
&call (&label("pic_point0"));
&set_label("pic_point0");
&blindpop("ebp");
&add ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
&comment("");
&comment("Load the data words");
&mov($L,&DWP(0,"ebx","",0));
@ -54,15 +59,21 @@ sub DES_encrypt3
&mov(&swtmp(2), (DWC(($enc)?"1":"0")));
&mov(&swtmp(1), "eax");
&mov(&swtmp(0), "ebx");
&call("DES_encrypt2");
&exch("ebx", "ebp");
&call("DES_encrypt2\@PLT");
&exch("ebx", "ebp");
&mov(&swtmp(2), (DWC(($enc)?"0":"1")));
&mov(&swtmp(1), "edi");
&mov(&swtmp(0), "ebx");
&call("DES_encrypt2");
&exch("ebx", "ebp");
&call("DES_encrypt2\@PLT");
&exch("ebx", "ebp");
&mov(&swtmp(2), (DWC(($enc)?"1":"0")));
&mov(&swtmp(1), "esi");
&mov(&swtmp(0), "ebx");
&call("DES_encrypt2");
&exch("ebx", "ebp");
&call("DES_encrypt2\@PLT");
&exch("ebx", "ebp");
&stack_pop(3);
&mov($L,&DWP(0,"ebx","",0));

24
crypto/perlasm/cbc.pl
View File

@ -129,7 +129,11 @@ sub cbc
&mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
&mov(&DWP($data_off+4,"esp","",0), "ebx"); #
&call($enc_func);
&call (&label("pic_point0"));
&set_label("pic_point0");
&blindpop("ebx");
&add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
&call("$enc_func\@PLT");
&mov("eax", &DWP($data_off,"esp","",0));
&mov("ebx", &DWP($data_off+4,"esp","",0));
@ -199,7 +203,11 @@ sub cbc
&mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
&mov(&DWP($data_off+4,"esp","",0), "ebx"); #
&call($enc_func);
&call (&label("pic_point1"));
&set_label("pic_point1");
&blindpop("ebx");
&add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]");
&call("$enc_func\@PLT");
&mov("eax", &DWP($data_off,"esp","",0));
&mov("ebx", &DWP($data_off+4,"esp","",0));
@ -232,7 +240,11 @@ sub cbc
&mov(&DWP($data_off,"esp","",0), "eax"); # put back
&mov(&DWP($data_off+4,"esp","",0), "ebx"); #
&call($dec_func);
&call (&label("pic_point2"));
&set_label("pic_point2");
&blindpop("ebx");
&add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]");
&call("$dec_func\@PLT");
&mov("eax", &DWP($data_off,"esp","",0)); # get return
&mov("ebx", &DWP($data_off+4,"esp","",0)); #
@ -275,7 +287,11 @@ sub cbc
&mov(&DWP($data_off,"esp","",0), "eax"); # put back
&mov(&DWP($data_off+4,"esp","",0), "ebx"); #
&call($dec_func);
&call (&label("pic_point3"));
&set_label("pic_point3");
&blindpop("ebx");
&add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]");
&call("$dec_func\@PLT");
&mov("eax", &DWP($data_off,"esp","",0)); # get return
&mov("ebx", &DWP($data_off+4,"esp","",0)); #

16
crypto/perlasm/x86gas.pl
View File

@ -171,6 +171,7 @@ sub ::file_end
if ($::macosx) { push (@out,"$tmp,2\n"); }
elsif ($::elf) { push (@out,"$tmp,4\n"); }
else { push (@out,"$tmp\n"); }
if ($::elf) { push (@out,".hidden\tOPENSSL_ia32cap_P\n"); }
}
push(@out,$initseg) if ($initseg);
if ($::elf) {
@ -249,8 +250,23 @@ ___
elsif ($::elf)
{ $initseg.=<<___;
.section .init
___
if ($::pic)
{ $initseg.=<<___;
pushl %ebx
call .pic_point0
.pic_point0:
popl %ebx
addl \$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx
call $f\@PLT
popl %ebx
___
}
else
{ $initseg.=<<___;
call $f
___
}
}
elsif ($::coff)
{ $initseg.=<<___; # applies to both Cygwin and Mingw

10
crypto/x86cpuid.pl
View File

@ -16,6 +16,8 @@ $output = pop and open STDOUT,">$output";
for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
push(@out, ".hidden OPENSSL_ia32cap_P\n");
&function_begin("OPENSSL_ia32_cpuid");
&xor ("edx","edx");
&pushf ();
@ -161,9 +163,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
&set_label("nocpuid");
&function_end("OPENSSL_ia32_cpuid");
&external_label("OPENSSL_ia32cap_P");
&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
&function_begin_B("OPENSSL_rdtsc");
&xor ("eax","eax");
&xor ("edx","edx");
&picmeup("ecx","OPENSSL_ia32cap_P");
@ -177,7 +177,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
# This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
# but it's safe to call it on any [supported] 32-bit platform...
# Just check for [non-]zero return value...
&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
&function_begin_B("OPENSSL_instrument_halt");
&picmeup("ecx","OPENSSL_ia32cap_P");
&bt (&DWP(0,"ecx"),4);
&jnc (&label("nohalt")); # no TSC
@ -244,7 +244,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
&ret ();
&function_end_B("OPENSSL_far_spin");
&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
&function_begin_B("OPENSSL_wipe_cpu");
&xor ("eax","eax");
&xor ("edx","edx");
&picmeup("ecx","OPENSSL_ia32cap_P");

8
debian/README.Debian vendored
View File

@ -1,8 +0,0 @@
openssl for Debian
Please edit this to provide information specific to
this openssl Debian package.
(Automatically generated by debmake Version 4.3.1)
-- Luoyaoming <luoyaoming@kylinos.cn> Fri, 06 Jan 2023 20:02:41 +0800

8
debian/README.debian vendored
View File

@ -11,6 +11,14 @@ Instead of `<application>` please call now `openssl <application>`
eg:
instead of `req` please call `openssl req`
TLS protovol version and RSA key size
-------------------------------------
The default system global policy is to support TLSv1.2+ and security level two.
Please see
https://www.openssl.org/docs/man1.1.1/man5/config.html
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html#DEFAULT-CALLBACK-BEHAVIOUR
for configurations details of `MinProtocol' and `CipherString' in
/etc/ssl/openssl.cnf case you really require to support legacy systems.
PATENT ISSUES
-------------

2
debian/changelog vendored
View File

@ -2,7 +2,7 @@ openssl (3.0.8-ok1) yangtze; urgency=medium
* merge upstream 3.0.8.
-- shangxiaoyang <shangxiaoyang@kylinos.cn> Thu, 09 Mar 2023 14:39:56 +0800
-- shangxiaoyang <shangxiaoyang@kylinos.cn> Wed, 08 Mar 2023 15:48:31 +0800
openssl (3.0.2-ok2) yangtze; urgency=medium

9
debian/control vendored
View File

@ -1,13 +1,13 @@
Source: openssl
Build-Depends: debhelper-compat (= 12), m4, bc, dpkg-dev (>= 1.15.7)
Build-Depends: debhelper-compat (= 13), m4, bc, dpkg-dev (>= 1.15.7)
Section: utils
Priority: optional
Maintainer: Openkylin Developers <packaging@lists.openkylin.top>
XSBC-Original-Maintainer: Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>
Uploaders: Openkylin Developers <packaging@lists.openkylin.top>
Standards-Version: 4.5.0
Vcs-Browser: https://gitee/openkylin/openssl
Vcs-Git: https://gitee/openkylin/openssl.git
Standards-Version: 4.6.2
Vcs-Browser: https://gitee.com/openkylin/openssl3
Vcs-Git: https://gitee.com/openkylin/openssl3.git
Homepage: https://www.openssl.org/
Rules-Requires-Root: no
@ -74,7 +74,6 @@ Architecture: any
Multi-Arch: same
Suggests: libssl-doc
Depends: libssl3 (= ${binary:Version}), ${misc:Depends}
Conflicts: libssl1.0-dev
Description: Secure Sockets Layer toolkit - development files
This package is part of the OpenSSL project's implementation of the SSL
and TLS cryptographic protocols for secure communication over the

9014
debian/copyright vendored
View File

File diff suppressed because it is too large Load Diff

4
debian/gbp.conf vendored
View File

@ -2,8 +2,8 @@
#upstream-vcs-tag = OpenSSL_%(version%.%_)s
#sign-tags = false
dist = DEP14
upstream-branch = upstream/master
debian-branch = debian/experimental
upstream-branch = upstream/openssl-3.0
debian-branch = debian/unstable
debian-tag = debian/openssl-%(version)s
id-length = 12
abbrev = 12

226
debian/libssl3.postinst vendored
View File

@ -1,226 +0,0 @@
#!/bin/sh
. /usr/share/debconf/confmodule
set -e
package_name()
{
echo $(basename $0 .postinst)
}
# element() is a helper function for file-rc:
element() {
local element list IFS
element="$1"
[ "$2" = "in" ] && shift
list="$2"
[ "$list" = "-" ] && return 1
[ "$list" = "*" ] && return 0
IFS=","
set -- $list
case $element in
"$1"|"$2"|"$3"|"$4"|"$5"|"$6"|"$7"|"$8"|"$9")
return 0
esac
return 1
}
# filerc (runlevel, service) returns /etc/init.d/service, if service is
# running in $runlevel:
filerc() {
local runlevel basename
runlevel=$1
basename=$2
while read LINE
do
case $LINE in
\#*|"") continue
esac
set -- $LINE
SORT_NO="$1"; STOP="$2"; START="$3"; CMD="$4"
[ "$CMD" = "/etc/init.d/$basename" ] || continue
if element "$runlevel" in "$START" || element "S" in "$START"
then
echo "/etc/init.d/$basename"
return 0
fi
done < /etc/runlevel.conf
echo ""
}
if [ "$1" = "configure" ]
then
if [ ! -z "$2" ] && [ ! -x /usr/lib/needrestart/apt-pinvoke ] ; then
# This triggers services restarting, so limit this to major upgrades
# only. Security updates should not restart services automatically.
if dpkg --compare-versions "$2" lt 1.1.1-1ubuntu2.1~18.04.2; then
echo -n "Checking for services that may need to be restarted..."
check="amanda-server anon-proxy apache2 apache-ssl"
check="$check apf-firewall asterisk bacula-director-common"
check="$check bacula-fd bacula-sd bind9 bip boinc-client"
check="$check boxbackup-client boxbackup-server bozo cfengine2"
check="$check cfengine3 citadel-server clamav-daemon clamav-freshclam"
check="$check clamcour collectd-core conserver-server courier-imap-ssl"
check="$check courier-mta-ssl courier-pop-ssl cyrus21-imapd"
check="$check cyrus21-pop3d cyrus-common cyrus-imspd dovecot-core"
check="$check ejabberd exim4 fetchmail freeradius ftpd-ssl gatling"
check="$check globus-gatekeeper inn inn2 libapache-mod-ssl lighttpd lldpd"
check="$check lwresd monit myproxy-server nagios-nrpe-server nginx-common"
check="$check ntp openntpd openssh-server openvpn partimage-server"
check="$check postfix postgresql-7.4 postgresql-8.0 postgresql-8.1"
check="$check postgresql-8.2 postgresql-9.1 postgresql-9.2 postgresql-9.3"
check="$check proftpd proftpd-ldap proftpd-basic"
check="$check proftpd-mysql proftpd-pgsql racoon sendmail slapd"
check="$check spamassassin ssh-nonfree stunnel4 syslog-ng tor unbound"
check="$check vsftpd"
# Only get the ones that are installed, and configured
check=$(dpkg -s $check 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}')
# init script rewrites
check=$(echo $check | sed "
# The name of proftpd-{ldap,mysql,pgsql,basic} init script is
# same as "proftpd".
s/proftpd-.*/proftpd/g;
# dovecot-core ships its init script, but the
# script name is dovecot for dovecot-{imapd,pop3d}.
s/dovecot-core/dovecot/g;
# openssh-server's init script it called ssh
s/openssh-server/ssh/g;
# bacula-director-common's init is bacula-director
s/bacula-director-common/bacula-director/g;
# citadel server
s/citadel-server/citadel/g;
# collectd
s/collectd-core/collectd/g;
# cyrus
s/cyrus-common/cyrus-imapd/g;
# nginx
s/nginx-common/nginx/g;
")
echo "done."
fi
if dpkg --compare-versions "$2" lt 1.1.1-1ubuntu2.1~18.04.2; then
echo -n "Checking for services that may need to be restarted..."
check2="chef chef-expander chef-server-api"
check2="$check2 chef-solr pound postgresql-common"
check2="$check2 prosody puppet puppetmaster snmpd"
# Only get the ones that are installed, and configured
check2=$(dpkg -s $check2 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}')
# init script rewrites
check2=$(echo $check2 | sed -r "
s/chef\s/chef-client/g;
s/chef-server-api/chef-server/g;
s/postgresql-common/postgresql/g;
")
echo "done."
if [ -n "$check2" ]; then
check="$check $check2"
fi
fi
if [ -n "$check" ]; then
db_version 2.0
echo "Checking init scripts..."
for service in $check; do
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
idl=$(ls /etc/init.d/${service} 2> /dev/null | head -n 1)
if [ -n "$idl" ] && [ -x $idl ]; then
services="$service $services"
else
echo "WARNING: init script for $service not found."
fi
else
if [ -f /usr/share/file-rc/rc ] || [ -f /usr/lib/file-rc/rc ] && [ -f /etc/runlevel.conf ]; then
idl=$(filerc $rl $service)
else
idl=$(ls /etc/rc${rl}.d/S??${service} 2> /dev/null | head -n 1)
fi
if [ -n "$idl" ] && [ -x $idl ]; then
services="$service $services"
fi
fi
done
if [ -n "$services" ]; then
db_input critical libraries/restart-without-asking || true
db_go || true
db_get libraries/restart-without-asking
if [ "x$RET" != xtrue ]; then
db_reset libssl3/restart-services
db_set libssl3/restart-services "$services"
db_input critical libssl3/restart-services || true
if [ "$RELEASE_UPGRADE_MODE" = desktop ]; then
db_input medium libssl3/restart-services || true
else
db_input critical libssl3/restart-services || true
fi
db_go || true
db_get libssl3/restart-services
if [ "x$RET" != "x" ]
then
services=$RET
answer=yes
else
answer=no
fi
else
answer=yes
fi
echo
if [ "$answer" = yes ] && [ "$services" != "" ]; then
echo "Restarting services possibly affected by the upgrade:"
failed=""
rl=$(runlevel | sed 's/.*\ //')
for service in $services; do
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
idl="invoke-rc.d ${service}"
elif [ -f /usr/share/file-rc/rc ] || [ -f /usr/lib/file-rc/rc ] && [ -f /etc/runlevel.conf ]; then
idl=$(filerc $rl $service)
else
idl=$(ls /etc/rc${rl}.d/S??${service} 2> /dev/null | head -n 1)
fi
if ! $idl restart; then
failed="$service $failed"
fi
done
echo
if [ -n "$failed" ]; then
db_subst libssl3/restart-failed services "$failed"
db_input critical libssl3/restart-failed || true
db_go || true
else
echo "Services restarted successfully."
fi
echo
fi
else
echo "Nothing to restart."
fi
# Shut down the frontend, to make sure none of the
# restarted services keep a connection open to it
db_stop
fi # end upgrading and $2 lt 0.9.8c-2
# Here we issue the reboot notification for upgrades and
# security updates. We do want services to be restarted when we
# update for a security issue, but planned by the sysadmin, not
# automatically.
# Only issue the reboot notification for servers; we proxy this by
# testing that the X server is not running (LP: #244250)
if ! pidof /usr/lib/xorg/Xorg > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then
/usr/share/update-notifier/notify-reboot-required
fi
fi # Upgrading
fi
#DEBHELPER#

6
debian/libssl3.symbols vendored
View File

@ -1,6 +1,8 @@
libcrypto.so.3 libssl3 #MINVER#
* Build-Depends-Package: libssl-dev
*@OPENSSL_3.0.0 3.0.0~~alpha1
*@OPENSSL_3.0.0 3.0.0
*@OPENSSL_3.0.3 3.0.3
*@OPENSSL_3.0.8 3.0.8
libssl.so.3 libssl3 #MINVER#
* Build-Depends-Package: libssl-dev
*@OPENSSL_3.0.0 3.0.0~~alpha1
*@OPENSSL_3.0.0 3.0.0

42
debian/libssl3.templates vendored
View File

@ -1,42 +0,0 @@
Template: libssl3/restart-services
Type: string
_Description: Services to restart to make them use the new libraries:
This release of OpenSSL fixes some security issues. Services will not
use these fixes until they are restarted. Please note that restarting
the SSH server (sshd) should not affect any existing connections.
.
Please check the list of detected services that need to be restarted
and correct it, if needed. The services names must be identical to the
initialization script names in /etc/init.d and separated by
spaces. No services will be restarted if the list is empty.
.
Any service that later fails unexpectedly after this upgrade should
be restarted. It is recommended to reboot this host to avoid any
SSL-related trouble.
Template: libssl3/restart-failed
Type: error
#flag:translate!:3
#flag:comment:2
# This paragraph is followed by a (non translatable) paragraph containing
# a list of services that could not be restarted
_Description: Failure restarting some services for OpenSSL upgrade
The following services could not be restarted for the OpenSSL library upgrade:
.
${services}
.
You will need to start these manually by running
'/etc/init.d/<service> start'.
Template: libraries/restart-without-asking
Type: boolean
Default: false
_Description: Restart services during package upgrades without asking?
There are services installed on your system which need to be restarted
when certain libraries, such as libpam, libc, and libssl, are upgraded.
Since these restarts may cause interruptions of service for the system,
you will normally be prompted on each upgrade for the list of services
you wish to restart. You can choose this option to avoid being prompted;
instead, all necessary restarts will be done for you automatically so you
can avoid being asked questions on each library upgrade.

4
debian/not-installed vendored Normal file
View File

@ -0,0 +1,4 @@
usr/lib/ssl/ct_log_list.cnf
usr/lib/ssl/ct_log_list.cnf.dist
usr/lib/ssl/openssl.cnf.dist
usr/share/doc/openssl/html

1
debian/openssl.install vendored
View File

@ -1,5 +1,6 @@
etc/ssl
usr/bin/*
usr/lib/ssl/cert.pem
usr/lib/ssl/certs
usr/lib/ssl/private
usr/lib/ssl/misc/*

14
debian/patches/Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch vendored
View File

@ -23,7 +23,7 @@ Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index a7294d2ad1b1..617ad2e65655 100644
index b578a3c2a861..b3b21d39990b 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -697,7 +697,7 @@ my %targets = (
@ -36,15 +36,15 @@ index a7294d2ad1b1..617ad2e65655 100644
"linux-latomic" => {
inherit_from => [ "linux-generic32" ],
diff --git a/Configure b/Configure
index df7232d55154..308086509ee7 100755
index 5ac4b5222e4f..978414d914ea 100755
--- a/Configure
+++ b/Configure
@@ -1716,7 +1716,7 @@ unless ($disabled{devcryptoeng}) {
@@ -1715,7 +1715,7 @@ unless ($disabled{devcryptoeng}) {
unless ($disabled{ktls}) {
$config{ktls}="";
my $cc = $config{CROSS_COMPILE}.$config{CC};
- if ($target =~ m/^linux/) {
+ if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
my $usr = "/usr/$config{cross_compile_prefix}";
chop($usr);
if ($config{cross_compile_prefix} eq "") {
system("printf '#include <sys/types.h>\n#include <linux/tls.h>' | $cc -E - >/dev/null 2>&1");
if ($? != 0) {
disable('too-old-kernel', 'ktls');

1390
debian/patches/Fix-tests-for-new-default-security-level.patch vendored Normal file
View File

File diff suppressed because it is too large Load Diff

40
debian/patches/Remove-the-provider-section.patch vendored Normal file
View File

@ -0,0 +1,40 @@
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Wed, 8 Jun 2022 20:45:32 +0200
Subject: Remove the provider section.
The provider section breaks libssl1.1 users. Remove it for now.
Link: https://bugs.debian.org/1011051
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
apps/openssl.cnf | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 03330e0120a2..215768bfe710 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -51,11 +51,11 @@ tsa_policy3 = 1.2.3.4.5.7
# .include fipsmodule.cnf
[openssl_init]
-providers = provider_sect
+# providers = provider_sect
# List of providers to load
-[provider_sect]
-default = default_sect
+# [provider_sect]
+# default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
@@ -68,7 +68,7 @@ default = default_sect
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
-[default_sect]
+# [default_sect]
# activate = 1

386
debian/patches/TEST-Provide-a-default-openssl.cnf-for-tests.patch vendored
View File

@ -1,386 +0,0 @@
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Wed, 17 Jun 2020 21:47:15 +0200
Subject: TEST: Provide a default openssl.cnf for tests
The modified .cnf leads to failure of tests which expect <TLS1.2.
Provide the original .cnf file for running the tests.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
test/openssl.cnf | 353 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
test/run_tests.pl | 2 +-
2 files changed, 354 insertions(+), 1 deletion(-)
create mode 100644 test/openssl.cnf
diff --git a/test/openssl.cnf b/test/openssl.cnf
new file mode 100644
index 000000000000..4fd5286d2e25
--- /dev/null
+++ b/test/openssl.cnf
@@ -0,0 +1,353 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+
+[insta] # CMP using Insta Demo CA
+# Message transfer
+server = pki.certificate.fi:8700
+# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
+# tls_use = 0
+path = pkix/
+
+# Server authentication
+recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
+ignore_keyusage = 1 # potentially needed quirk
+unprotected_errors = 1 # potentially needed quirk
+extracertsout = insta.extracerts.pem
+
+# Client authentication
+ref = 3078 # user identification
+secret = pass:insta # can be used for both client and server side
+
+# Generic message options
+cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
+
+# Certificate enrollment
+subject = "/CN=openssl-cmp-test"
+newkey = insta.priv.pem
+out_trusted = insta.ca.crt
+certout = insta.cert.pem
+
+[pbm] # Password-based protection for Insta CA
+# Server and client authentication
+ref = $insta::ref # 3078
+secret = $insta::secret # pass:insta
+
+[signature] # Signature-based protection for Insta CA
+# Server authentication
+trusted = insta.ca.crt # does not include keyUsage digitalSignature
+
+# Client authentication
+secret = # disable PBM
+key = $insta::newkey # insta.priv.pem
+cert = $insta::certout # insta.cert.pem
+
+[ir]
+cmd = ir
+
+[cr]
+cmd = cr
+
+[kur]
+# Certificate update
+cmd = kur
+oldcert = $insta::certout # insta.cert.pem
+
+[rr]
+# Certificate revocation
+cmd = rr
+oldcert = $insta::certout # insta.cert.pem
diff --git a/test/run_tests.pl b/test/run_tests.pl
index 4384ebe28e0d..f82284e224b8 100644
--- a/test/run_tests.pl
+++ b/test/run_tests.pl
@@ -33,7 +33,7 @@ my $recipesdir = catdir($srctop, "test", "recipes");
my $libdir = rel2abs(catdir($srctop, "util", "perl"));
my $jobs = $ENV{HARNESS_JOBS} // 1;
-$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl.cnf"));
+$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "test", "openssl.cnf"));
$ENV{OPENSSL_CONF_INCLUDE} = rel2abs(catdir($bldtop, "test"));
$ENV{OPENSSL_MODULES} = rel2abs(catdir($bldtop, "providers"));
$ENV{OPENSSL_ENGINES} = rel2abs(catdir($bldtop, "engines"));

61
debian/patches/c_rehash-compat.patch vendored
View File

@ -1,13 +1,13 @@
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Wed, 21 Apr 2010 15:52:10 +0200
Subject: [PATCH] also create old hash for compatibility
Subject: also create old hash for compatibility
---
tools/c_rehash.in | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
tools/c_rehash.in | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/tools/c_rehash.in b/tools/c_rehash.in
index d51d8856d709..047a7cbfd8cf 100644
index 343cdc1e7575..229a37f3b608 100644
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -17,8 +17,6 @@ my $prefix = {- quotify1($config{prefix}) -};
@ -31,42 +31,33 @@ index d51d8856d709..047a7cbfd8cf 100644
help();
} elsif ( $flag eq '-n' ) {
$removelinks = 0;
@@ -128,7 +123,9 @@ sub hash_dir {
next;
}
link_hash_cert($fname) if ($cert);
+ link_hash_cert_old($fname) if ($cert);
link_hash_crl($fname) if ($crl);
+ link_hash_crl_old($fname) if ($crl);
}
}
@@ -161,6 +158,7 @@ sub check_file {
@@ -203,22 +198,24 @@ sub compute_hash {
# certificate fingerprints
sub link_hash_cert {
my $fname = $_[0];
+ my $x509hash = $_[1] || '-subject_hash';
$fname =~ s/\"/\\\"/g;
my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
chomp $hash;
@@ -198,10 +196,20 @@ sub link_hash_cert {
$hashlist{$hash} = $fprint;
- link_hash($_[0], 'cert');
+ link_hash($_[0], 'cert', '-subject_hash');
+ link_hash($_[0], 'cert', '-subject_hash_old');
}
+sub link_hash_cert_old {
+ link_hash_cert($_[0], '-subject_hash_old');
+}
+
+sub link_hash_crl_old {
+ link_hash_crl($_[0], '-hash_old');
+}
+
+
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl {
my $fname = $_[0];
+ my $crlhash = $_[1] || "-hash";
$fname =~ s/'/'\\''/g;
my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
- link_hash($_[0], 'crl');
+ link_hash($_[0], 'crl', '-hash');
+ link_hash($_[0], 'crl', '-hash_old');
}
sub link_hash {
- my ($fname, $type) = @_;
- my $is_cert = $type eq 'cert';
+ my ($fname, $type, $hash_name) = @_;
+ my $is_cert = $type eq 'cert' or $type eq 'cert_old';
my ($hash, $fprint) = compute_hash($openssl,
$is_cert ? "x509" : "crl",
- $is_cert ? $x509hash : $crlhash,
+ $hash_name,
"-fingerprint", "-noout",
"-in", $fname);
chomp $hash;

102
debian/patches/conf-Serialize-allocation-free-of-ssl_names.patch vendored Normal file
View File

@ -0,0 +1,102 @@
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Mon, 19 Sep 2022 20:51:31 +0200
Subject: conf: Serialize allocation/free of ssl_names.
The access to `ssl_names' is not fully serialized. With multiple threads
it is possible that more than one thread starts to clean up `ssl_names'.
This leads to occasional segfaults if more than one terminates and
performs the clean up.
Fixes: #19243
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
crypto/conf/conf_ssl.c | 35 ++++++++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/crypto/conf/conf_ssl.c b/crypto/conf/conf_ssl.c
index 84c5b2afe581..d6596e60c3b5 100644
--- a/crypto/conf/conf_ssl.c
+++ b/crypto/conf/conf_ssl.c
@@ -12,6 +12,7 @@
#include <openssl/conf.h>
#include <openssl/err.h>
#include "internal/sslconf.h"
+#include "internal/thread_once.h"
#include "conf_local.h"
/*
@@ -35,12 +36,25 @@ struct ssl_conf_cmd_st {
char *arg;
};
+static CRYPTO_ONCE init_ssl_names_lock = CRYPTO_ONCE_STATIC_INIT;
+static CRYPTO_RWLOCK *ssl_names_lock;
static struct ssl_conf_name_st *ssl_names;
static size_t ssl_names_count;
-static void ssl_module_free(CONF_IMODULE *md)
+DEFINE_RUN_ONCE_STATIC(do_init_ssl_names_lock)
+{
+ ssl_names_lock = CRYPTO_THREAD_lock_new();
+ if (ssl_names_lock == NULL) {
+ ERR_raise(ERR_LIB_CONF, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ return 1;
+}
+
+static void ssl_module_free_unlocked(CONF_IMODULE *md)
{
size_t i, j;
+
if (ssl_names == NULL)
return;
for (i = 0; i < ssl_names_count; i++) {
@@ -58,6 +72,14 @@ static void ssl_module_free(CONF_IMODULE *md)
ssl_names_count = 0;
}
+static void ssl_module_free(CONF_IMODULE *md)
+{
+ if (!CRYPTO_THREAD_write_lock(ssl_names_lock))
+ return;
+ ssl_module_free_unlocked(md);
+ CRYPTO_THREAD_unlock(ssl_names_lock);
+}
+
static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
{
size_t i, j, cnt;
@@ -65,6 +87,12 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
const char *ssl_conf_section;
STACK_OF(CONF_VALUE) *cmd_lists;
+ if (!RUN_ONCE(&init_ssl_names_lock, do_init_ssl_names_lock))
+ return 0;
+
+ if (!CRYPTO_THREAD_write_lock(ssl_names_lock))
+ return 0;
+
ssl_conf_section = CONF_imodule_get_value(md);
cmd_lists = NCONF_get_section(cnf, ssl_conf_section);
if (sk_CONF_VALUE_num(cmd_lists) <= 0) {
@@ -77,7 +105,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
goto err;
}
cnt = sk_CONF_VALUE_num(cmd_lists);
- ssl_module_free(md);
+ ssl_module_free_unlocked(md);
ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
if (ssl_names == NULL)
goto err;
@@ -126,7 +154,8 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
rv = 1;
err:
if (rv == 0)
- ssl_module_free(md);
+ ssl_module_free_unlocked(md);
+ CRYPTO_THREAD_unlock(ssl_names_lock);
return rv;
}

90
debian/patches/debian-targets.patch vendored
View File

@ -3,19 +3,19 @@ Date: Sun, 5 Nov 2017 15:09:09 +0100
Subject: debian-targets
---
Configurations/20-debian.conf | 215 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 215 insertions(+)
Configurations/20-debian.conf | 169 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 169 insertions(+)
create mode 100644 Configurations/20-debian.conf
diff --git a/Configurations/20-debian.conf b/Configurations/20-debian.conf
new file mode 100644
index 000000000000..a060666a0f6a
index 000000000000..c6860ed4b7d7
--- /dev/null
+++ b/Configurations/20-debian.conf
@@ -0,0 +1,215 @@
@@ -0,0 +1,169 @@
+my %targets = (
+ "debian" => {
+ cflags => add("-Wa,--noexecstack -Wall"),
+ cflags => add("-Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2"),
+ },
+ "debian-alpha" => {
+ inherit_from => [ "linux-alpha-gcc", "debian" ],
@ -28,6 +28,9 @@ index 000000000000..a060666a0f6a
+ inherit_from => [ "debian-alpha" ],
+ cflags => add("-mcpu=ev5"),
+ },
+ "debian-arc" => {
+ inherit_from => [ "linux-latomic", "debian" ],
+ },
+ "debian-arm64" => {
+ inherit_from => [ "linux-aarch64", "debian" ],
+ },
@ -66,9 +69,13 @@ index 000000000000..a060666a0f6a
+ },
+ "debian-ia64" => {
+ inherit_from => [ "linux-ia64", "debian" ],
+ cflags => add("-fzero-call-used-regs=skip"),
+ },
+ "debian-loong64" => {
+ inherit_from => [ "linux64-loongarch64", "debian" ],
+ },
+ "debian-m68k" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ inherit_from => [ "linux-latomic", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-mips" => {
@ -96,59 +103,6 @@ index 000000000000..a060666a0f6a
+ cflags => add("-DL_ENDIAN"),
+ },
+
+ # Temporary MIPS R6 targets. Those will vanish approx in 1.1.1 because
+ # aes-mips.pl creates proper R6 ASM code. After that, we can inherit from
+ # the linux*-mips* targets.
+ "linux-mips32r6" => {
+ # Configure script adds minimally required -march for assembly
+ # support, if no -march was specified at command line.
+ inherit_from => [ "linux-generic32"],
+ cflags => add("-mabi=32"),
+ perlasm_scheme => "o32",
+ shared_ldflag => add("-mabi=32"),
+ },
+ # mips32 and mips64 below refer to contemporary MIPS Architecture
+ # specifications, MIPS32 and MIPS64, rather than to kernel bitness.
+ "linux-mips64r6" => {
+ inherit_from => [ "linux-generic32"],
+ cflags => add("-mabi=n32"),
+ bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
+ perlasm_scheme => "n32",
+ shared_ldflag => add("-mabi=n32"),
+ multilib => "32",
+ },
+ "linux64-mips64r6" => {
+ inherit_from => [ "linux-generic64"],
+ cflags => add("-mabi=64"),
+ perlasm_scheme => "64",
+ shared_ldflag => add("-mabi=64"),
+ multilib => "64",
+ },
+ "debian-mipsr6" => {
+ inherit_from => [ "linux-mips32r6", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-mipsr6el" => {
+ inherit_from => [ "linux-mips32r6", "debian" ],
+ cflags => add("-DL_ENDIAN"),
+ },
+ "debian-mipsn32r6" => {
+ inherit_from => [ "linux-mips64r6", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-mipsn32r6el" => {
+ inherit_from => [ "linux-mips64r6", "debian" ],
+ cflags => add("-DL_ENDIAN"),
+ },
+ "debian-mips64r6" => {
+ inherit_from => [ "linux64-mips64r6", "debian" ],
+ cflags => add("-DB_ENDIAN"),
+ },
+ "debian-mips64r6el" => {
+ inherit_from => [ "linux64-mips64r6", "debian" ],
+ cflags => add("-DL_ENDIAN"),
+ },
+
+ "debian-musl-linux-arm64" => {
+ inherit_from => [ "linux-aarch64", "debian" ],
+ },
@ -168,7 +122,7 @@ index 000000000000..a060666a0f6a
+ },
+
+ "debian-nios2" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ inherit_from => [ "linux-latomic", "debian" ],
+ },
+ "debian-powerpc" => {
+ inherit_from => [ "linux-ppc", "debian" ],
@ -178,9 +132,9 @@ index 000000000000..a060666a0f6a
+ },
+ "debian-ppc64" => {
+ inherit_from => [ "linux-generic64", "debian", ],
+ asm_arch => 'ppc64',
+ asm_arch => 'ppc64',
+ cflags => add("-DB_ENDIAN"),
+ perlasm_scheme => "linux64",
+ perlasm_scheme => "linux64",
+ },
+ "debian-ppc64el" => {
+ inherit_from => [ "linux-ppc64le", "debian" ],
@ -195,22 +149,22 @@ index 000000000000..a060666a0f6a
+ inherit_from => [ "linux64-s390x", "debian" ],
+ },
+ "debian-sh3" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ inherit_from => [ "linux-latomic", "debian" ],
+ },
+ "debian-sh3eb" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ inherit_from => [ "linux-latomic", "debian" ],
+ },
+ "debian-sh4" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ inherit_from => [ "linux-latomic", "debian" ],
+ },
+ "debian-sh4eb" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ inherit_from => [ "linux-latomic", "debian" ],
+ },
+ "debian-m32r" => {
+ inherit_from => [ "linux-generic32", "debian" ],
+ inherit_from => [ "linux-latomic", "debian" ],
+ },
+ "debian-sparc" => {
+ inherit_from => [ "linux-generic32", "debian", ],
+ inherit_from => [ "linux-latomic", "debian", ],
+ asm_arch => 'sparcv9',
+ cflags => add("-DB_ENDIAN -DBN_DIV2W"),
+ },

4
debian/patches/man-section.patch vendored
View File

@ -7,7 +7,7 @@ Subject: man-section
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 3e779960671b..39194f13696f 100644
index ebf20965b7a9..5b7e317b51d1 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -318,7 +318,8 @@ HTMLDIR=$(DOCDIR)/html
@ -20,7 +20,7 @@ index 3e779960671b..39194f13696f 100644
HTMLSUFFIX=html
# For "optional" echo messages, to get "real" silence
@@ -1535,7 +1536,7 @@ EOF
@@ -1537,7 +1538,7 @@ EOF
my $pod = $gen0;
return <<"EOF";
$args{src}: $pod

9
debian/patches/series vendored Normal file
View File

@ -0,0 +1,9 @@
debian-targets.patch
man-section.patch
no-symbolic.patch
pic.patch
c_rehash-compat.patch
Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch
Remove-the-provider-section.patch
conf-Serialize-allocation-free-of-ssl_names.patch
Fix-tests-for-new-default-security-level.patch

59
debian/patches/skip_tls1.1_seclevel3_tests.patch vendored
View File

@ -1,59 +0,0 @@
From: Simon Chopin <simon.chopin@canonical.com>
Date: Fri, 6 Jan 2023 15:09:08 +0000
Subject: Skip TLS 1.1 tests on seclevel 3
Forwarded: not-needed
Last-Update: 2022-03-21
In the Ubuntu package, we changed the semantics of seclevel 2 (and above) to
also disable TLS <= 1.2. This makes those tests fail.
Last-Update: 2022-03-21
---
test/recipes/80-test_ssl_old.t | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 8c52b637fc82..d74ccd6f8712 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -583,32 +583,32 @@ sub testssl {
if $no_tls1_1;
SKIP: {
- skip "skipping auto DHE PSK test at SECLEVEL 3", 1
- if ($no_dh || $no_psk);
+ skip "skipping auto DHE PSK test at SECLEVEL 3", 1;
+ # if ($no_dh || $no_psk);
ok(run(test(['ssl_old_test', '-tls1_1', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES256-CBC-SHA384'])),
'test auto DHE PSK meets security strength');
}
SKIP: {
- skip "skipping auto ECDHE PSK test at SECLEVEL 3", 1
- if ($no_ec || $no_psk);
+ skip "skipping auto ECDHE PSK test at SECLEVEL 3", 1;
+ # if ($no_ec || $no_psk);
ok(run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:ECDHE-PSK-AES256-CBC-SHA384'])),
'test auto ECDHE PSK meets security strength');
}
SKIP: {
- skip "skipping no RSA PSK at SECLEVEL 3 test", 1
- if ($no_rsa || $no_psk);
+ skip "skipping no RSA PSK at SECLEVEL 3 test", 1;
+ # if ($no_rsa || $no_psk);
ok(!run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:RSA-PSK-AES256-CBC-SHA384'])),
'test auto RSA PSK does not meet security level 3 requirements (PFS)');
}
SKIP: {
- skip "skipping no PSK at SECLEVEL 3 test", 1
- if ($no_psk);
+ skip "skipping no PSK at SECLEVEL 3 test", 1;
+ # if ($no_psk);
ok(!run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:PSK-AES256-CBC-SHA384'])),
'test auto PSK does not meet security level 3 requirements (PFS)');

260
debian/patches/tests-use-seclevel-1.patch vendored
View File

@ -1,260 +0,0 @@
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Fri, 6 Jan 2023 15:09:08 +0000
Subject: Change testsuite to use SECLEVEL 1 by default
By default the testsuite assumes that SECLEVEL is set to 1, and many
tests fail, when one raises security level to 2. Many test certs use
insecure hash algorithms and small key sizes.
---
test/bad_dtls_test.c | 2 ++
test/helpers/ssltestlib.c | 10 ++++++++++
test/recipes/70-test_sslmessages.t | 2 +-
test/recipes/70-test_sslsigalgs.t | 14 +++++++-------
test/recipes/70-test_sslsignature.t | 4 ++--
test/ssl_test.c | 10 ++++++++++
util/perl/TLSProxy/Proxy.pm | 8 ++++----
7 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/test/bad_dtls_test.c b/test/bad_dtls_test.c
index f8c6b142d84b..01bb02df2c89 100644
--- a/test/bad_dtls_test.c
+++ b/test/bad_dtls_test.c
@@ -491,6 +491,8 @@ static int test_bad_dtls(void)
goto end;
ctx = SSL_CTX_new(DTLS_client_method());
+ if (TEST_ptr(ctx))
+ SSL_CTX_set_security_level(ctx, 1);
if (!TEST_ptr(ctx)
|| !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER))
|| !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER))
diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c
index 2d992cde234c..c4d5b8c39bc4 100644
--- a/test/helpers/ssltestlib.c
+++ b/test/helpers/ssltestlib.c
@@ -719,6 +719,11 @@ int create_ssl_ctx_pair(OSSL_LIB_CTX *libctx, const SSL_METHOD *sm,
max_proto_version = TLS1_2_VERSION;
#endif
+ if (serverctx != NULL && SSL_CTX_get_security_level(serverctx) == 2)
+ SSL_CTX_set_security_level(serverctx, 1);
+ if (clientctx != NULL && SSL_CTX_get_security_level(clientctx) == 2)
+ SSL_CTX_set_security_level(clientctx, 1);
+
if (serverctx != NULL
&& ((min_proto_version > 0
&& !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
@@ -887,6 +892,11 @@ int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
else if (!TEST_ptr(clientssl = SSL_new(clientctx)))
goto error;
+ if (SSL_get_security_level(serverssl) == 2)
+ SSL_set_security_level(serverssl, 1);
+ if (SSL_get_security_level(clientssl) == 2)
+ SSL_set_security_level(clientssl, 1);
+
if (SSL_is_dtls(clientssl)) {
if (!TEST_ptr(s_to_c_bio = BIO_new(bio_s_mempacket_test()))
|| !TEST_ptr(c_to_s_bio = BIO_new(bio_s_mempacket_test())))
diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t
index abb0f5aff905..e252fc81c7d7 100644
--- a/test/recipes/70-test_sslmessages.t
+++ b/test/recipes/70-test_sslmessages.t
@@ -421,7 +421,7 @@ SKIP: {
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-no_tls1_3");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
checkhandshake::DEFAULT_EXTENSIONS
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index 48b9e43c3b39..ae4e5e89f004 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -129,7 +129,7 @@ SKIP: {
# should succeed
$proxy->clear();
$proxy->serverflags("-no_tls1_3");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->filter(undef);
$proxy->start();
ok(TLSProxy::Message->success, "TLSv1.3 client TLSv1.2 server");
@@ -173,7 +173,7 @@ SKIP: {
$proxy->clear();
$testtype = EMPTY_SIG_ALGS_EXT;
$proxy->clientflags("-no_tls1_3");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
ok(TLSProxy::Message->fail, "Empty TLSv1.2 sigalgs");
@@ -181,7 +181,7 @@ SKIP: {
$proxy->clear();
$testtype = NO_KNOWN_SIG_ALGS;
$proxy->clientflags("-no_tls1_3");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
ok(TLSProxy::Message->fail, "No known TLSv1.3 sigalgs");
@@ -190,7 +190,7 @@ SKIP: {
$proxy->clear();
$testtype = NO_PSS_SIG_ALGS;
$proxy->clientflags("-no_tls1_3");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
ok(TLSProxy::Message->success, "No PSS TLSv1.2 sigalgs");
@@ -198,7 +198,7 @@ SKIP: {
$proxy->clear();
$testtype = PSS_ONLY_SIG_ALGS;
$proxy->serverflags("-no_tls1_3");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
ok(TLSProxy::Message->success, "PSS only sigalgs in TLSv1.2");
@@ -209,7 +209,7 @@ SKIP: {
$proxy->clear();
$testtype = PSS_ONLY_SIG_ALGS;
$proxy->clientflags("-no_tls1_3 -sigalgs RSA+SHA256");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->start();
ok(TLSProxy::Message->fail, "Sigalg we did not send in TLSv1.2");
@@ -217,7 +217,7 @@ SKIP: {
# matches the certificate should fail in TLSv1.2
$proxy->clear();
$proxy->clientflags("-no_tls1_3 -sigalgs ECDSA+SHA256");
- $proxy->ciphers("ECDHE-RSA-AES128-SHA");
+ $proxy->ciphers("ECDHE-RSA-AES128-SHA:\@SECLEVEL=1");
$proxy->filter(undef);
$proxy->start();
ok(TLSProxy::Message->fail, "No matching TLSv1.2 sigalgs");
diff --git a/test/recipes/70-test_sslsignature.t b/test/recipes/70-test_sslsignature.t
index a9a77d5b8f1c..48b8357c2f59 100644
--- a/test/recipes/70-test_sslsignature.t
+++ b/test/recipes/70-test_sslsignature.t
@@ -103,8 +103,8 @@ SKIP: {
$proxy->clear();
$testtype = CORRUPT_TLS1_2_SERVER_KEY_EXCHANGE;
$proxy->clientflags("-no_tls1_3");
- $proxy->cipherc('DHE-RSA-AES128-SHA');
- $proxy->ciphers('DHE-RSA-AES128-SHA');
+ $proxy->cipherc('DHE-RSA-AES128-SHA:\@SECLEVEL=1');
+ $proxy->ciphers('DHE-RSA-AES128-SHA:\@SECLEVEL=1');
$proxy->start();
ok(TLSProxy::Message->fail, "Corrupt <=TLSv1.2 ServerKeyExchange");
}
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 4c2553ce27c1..eb37452e8fcd 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -409,6 +409,7 @@ static int test_handshake(int idx)
#ifndef OPENSSL_NO_DTLS
if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
server_ctx = SSL_CTX_new_ex(libctx, NULL, DTLS_server_method());
+ SSL_CTX_set_security_level(server_ctx, 1);
if (!TEST_true(SSL_CTX_set_options(server_ctx,
SSL_OP_ALLOW_CLIENT_RENEGOTIATION))
|| !TEST_true(SSL_CTX_set_max_proto_version(server_ctx, 0)))
@@ -420,19 +421,23 @@ static int test_handshake(int idx)
|| !TEST_true(SSL_CTX_set_options(server2_ctx,
SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
goto err;
+ SSL_CTX_set_security_level(server2_ctx, 1);
}
client_ctx = SSL_CTX_new_ex(libctx, NULL, DTLS_client_method());
+ SSL_CTX_set_security_level(client_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, 0)))
goto err;
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new_ex(libctx, NULL,
DTLS_server_method());
+ SSL_CTX_set_security_level(resume_server_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, 0))
|| !TEST_true(SSL_CTX_set_options(resume_server_ctx,
SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
goto err;
resume_client_ctx = SSL_CTX_new_ex(libctx, NULL,
DTLS_client_method());
+ SSL_CTX_set_security_level(resume_client_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, 0)))
goto err;
if (!TEST_ptr(resume_server_ctx)
@@ -452,6 +457,7 @@ static int test_handshake(int idx)
#endif
server_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
+ SSL_CTX_set_security_level(server_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, maxversion))
|| !TEST_true(SSL_CTX_set_options(server_ctx,
SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
@@ -464,17 +470,20 @@ static int test_handshake(int idx)
|| !TEST_true(SSL_CTX_set_options(server2_ctx,
SSL_OP_ALLOW_CLIENT_RENEGOTIATION)))
goto err;
+ SSL_CTX_set_security_level(server2_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
maxversion)))
goto err;
}
client_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
+ SSL_CTX_set_security_level(client_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, maxversion)))
goto err;
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new_ex(libctx, NULL,
TLS_server_method());
+ SSL_CTX_set_security_level(resume_server_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
maxversion))
|| !TEST_true(SSL_CTX_set_options(resume_server_ctx,
@@ -482,6 +491,7 @@ static int test_handshake(int idx)
goto err;
resume_client_ctx = SSL_CTX_new_ex(libctx, NULL,
TLS_client_method());
+ SSL_CTX_set_security_level(resume_client_ctx, 1);
if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx,
maxversion)))
goto err;
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
index 3de10eccb94e..d3defae64eb0 100644
--- a/util/perl/TLSProxy/Proxy.pm
+++ b/util/perl/TLSProxy/Proxy.pm
@@ -97,9 +97,9 @@ sub new
execute => $execute,
cert => $cert,
debug => $debug,
- cipherc => "",
+ cipherc => "DEFAULT:\@SECLEVEL=1",
ciphersuitesc => "",
- ciphers => "AES128-SHA",
+ ciphers => "AES128-SHA:\@SECLEVEL=1",
ciphersuitess => "TLS_AES_128_GCM_SHA256",
flight => -1,
direction => -1,
@@ -145,7 +145,7 @@ sub clearClient
{
my $self = shift;
- $self->{cipherc} = "";
+ $self->{cipherc} = "DEFAULT:\@SECLEVEL=1";
$self->{ciphersuitec} = "";
$self->{flight} = -1;
$self->{direction} = -1;
@@ -167,7 +167,7 @@ sub clear
my $self = shift;
$self->clearClient;
- $self->{ciphers} = "AES128-SHA";
+ $self->{ciphers} = "AES128-SHA:\@SECLEVEL=1";
$self->{ciphersuitess} = "TLS_AES_128_GCM_SHA256";
$self->{serverflags} = "";
$self->{serverconnects} = 1;

74
debian/patches/tls1.2-min-seclevel2.patch vendored
View File

@ -1,74 +0,0 @@
From: Openkylin Developers <packaging@lists.openkylin.top>
Date: Fri, 6 Jan 2023 15:09:08 +0000
Subject: TLS versions below 1.2 are not permitted as security level 2.
---
doc/man3/SSL_CTX_set_security_level.pod | 9 ++++-----
ssl/ssl_cert.c | 14 ++++----------
2 files changed, 8 insertions(+), 15 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod
index a4595490013b..a58552848855 100644
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -86,22 +86,20 @@ bits.
Security level set to 112 bits of security. As a result RSA, DSA and DH keys
shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
In addition to the level 1 exclusions any cipher suite using RC4 is also
-prohibited. SSL version 3 is also not allowed. Compression is disabled.
+prohibited. On Ubuntu, TLS versions below 1.2 are not permitted. Compression is disabled.
=item B<Level 3>
Security level set to 128 bits of security. As a result RSA, DSA and DH keys
shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited.
In addition to the level 2 exclusions cipher suites not offering forward
-secrecy are prohibited. TLS versions below 1.1 are not permitted. Session
-tickets are disabled.
+secrecy are prohibited. Session tickets are disabled.
=item B<Level 4>
Security level set to 192 bits of security. As a result RSA, DSA and
DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are
-prohibited. Cipher suites using SHA1 for the MAC are prohibited. TLS
-versions below 1.2 are not permitted.
+prohibited. Cipher suites using SHA1 for the MAC are prohibited.
=item B<Level 5>
@@ -118,6 +116,7 @@ I<Documentation to be provided.>
The default security level can be configured when OpenSSL is compiled by
setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 1 is used.
+On Ubuntu, 2 is used.
The security framework disables or reject parameters inconsistent with the
set security level. In the past this was difficult as applications had to set
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 8d90fa54df7b..f03079648e71 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1044,18 +1044,12 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
}
case SSL_SECOP_VERSION:
if (!SSL_IS_DTLS(s)) {
- /* SSLv3 not allowed at level 2 */
- if (nid <= SSL3_VERSION && level >= 2)
- return 0;
- /* TLS v1.1 and above only for level 3 */
- if (nid <= TLS1_VERSION && level >= 3)
- return 0;
- /* TLS v1.2 only for level 4 and above */
- if (nid <= TLS1_1_VERSION && level >= 4)
+ /* TLS v1.2 only for level 2 and above */
+ if (nid <= TLS1_1_VERSION && level >= 2)
return 0;
} else {
- /* DTLS v1.2 only for level 4 and above */
- if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level >= 4)
+ /* DTLS v1.2 only for level 2 and above */
+ if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level >= 2)
return 0;
}
break;

24
debian/rules vendored
View File

@ -12,7 +12,6 @@ include /usr/share/dpkg/architecture.mk
include /usr/share/dpkg/pkg-info.mk
export DEB_BUILD_MAINT_OPTIONS = hardening=+all future=+lfs
export DEB_CFLAGS_MAINT_APPEND = -DOPENSSL_TLS_SECURITY_LEVEL=2
SHELL=/bin/bash
@ -30,8 +29,8 @@ ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
MAKEFLAGS += -j$(NUMJOBS)
endif
CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms no-capieng
OPT_alpha = ev4 ev5
CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method enable-rfc3779 enable-cms no-capieng no-rdrand
#OPT_alpha = ev4 ev5
ARCHOPTS = OPT_$(DEB_HOST_ARCH)
OPTS = $($(ARCHOPTS))
@ -86,8 +85,8 @@ else
set -xe; \
$(MAKE) -C build_$$opt test $(TESTSUITE_FLAGS); \
done
#$(MAKE) -C build_static test $(TESTSUITE_FLAGS)
#$(MAKE) -C build_shared test $(TESTSUITE_FLAGS)
$(MAKE) -C build_static test $(TESTSUITE_FLAGS)
$(MAKE) -C build_shared test $(TESTSUITE_FLAGS)
endif
override_dh_auto_clean:
@ -112,18 +111,14 @@ override_dh_auto_install-indep:
fi
override_dh_auto_install-arch:
# We need the -udeb directories now!
dh_installdirs
$(MAKE) -C build_shared install DESTDIR=`pwd`/debian/tmp
# pic static libraries, nobody should need them
cp -pf build_static/libcrypto.a debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.a
cp -pf build_static/libssl.a debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libssl.a
mkdir -p debian/tmp/etc/ssl
mkdir -p debian/libcrypto1.1-udeb/usr/lib/
mkdir -p debian/libcrypto1.1-udeb/usr/lib/ssl
mkdir -p debian/libssl1.1-udeb/usr/lib/
mv debian/tmp/usr/lib/ssl/{certs,openssl.cnf,private} debian/tmp/etc/ssl/
ln -s /etc/ssl/{certs,openssl.cnf,private} debian/tmp/usr/lib/ssl/
ln -s /etc/ssl/certs/ca-certificates.crt debian/tmp/usr/lib/ssl/cert.pem
ifeq (,$(filter noudeb,$(DEB_BUILD_PROFILES)))
cp -pf debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libcrypto.so.* debian/libcrypto3-udeb/usr/lib/
cp -pf debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/ossl-modules/*.so debian/libcrypto3-udeb/usr/lib/ossl-modules
@ -149,15 +144,6 @@ override_dh_fixperms:
fi
dh_fixperms -a -X etc/ssl/private
override_dh_compress:
dh_compress
# symlink doc files
for p in openssl libssl-dev; do \
for f in changelog.Debian.gz changelog.gz copyright; do \
ln -sf ../libssl3/$$f debian/$$p/usr/share/doc/$$p/$$f; \
done; \
done
override_dh_perl:
dh_perl -d

2
debian/tests/control vendored
View File

@ -1,3 +1,3 @@
Tests: run-25-test-verify
Depends: openssl, perl:native
Depends: openssl, perl
Restrictions: rw-build-tree, allow-stderr

905
debian/upstream/signing-key.asc vendored
View File

@ -1,398 +1,513 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFAAbq4BEACzaRctf1/dafs2TQtOrMebzky4TGw1BrWFWn/xdc9HLm61+Y9c
GkEFquLwvDDds/cSt+J6U+6vqPpWVt0pqmvo7bXF5w62QGA88c5R/2owB6fw54rx
GvdJneRtHbsqPuBtW+/8EiAjpCvShw5/YB/VT/zbBguwH4JRzNY3yRrpFJ0cwRD7
lo1wntACMFPG5eMu8flU/yXhP6Hp92pnNukBjxgayuvivYpCl3lmJrE2QBIvaIES
2W9XBq8Madx/JlN7TvnGhAz2Gn1Z4h8Y/EPtuy7OXV7mtQfW0ByPdv4FmXO+dfKv
hyrTJg+KQlpnoyIVcS6gOALUOLYlPIBEmwZTDpx5A5ZRsfUzxquwvsvvDVDBikuQ
Al261hO5P5Xxy5ZaLo8fi+xMA8j8HfVVgsgFPAvAy8iM/pNt3BFUulVxjZBxrq9p
d5PXdxLxtqpAEZ+Xnzw5QgjJe3MMWX85eE2nQTLyevzERKFWi6M9dBpCEM34uKF5
9ZUQ/i6GSOkoxpokNVWnOnpiOgp6AAEOtC8G9+Z+pjQlPCf9LU5Xmb/1Kx/DRkmL
us4nHY9qtaiV1XUSAP1WZSrXUlVQMOwiJgvewWJqFivy82lM7n4Wkk1wfjI8bR8r
QAKBiHiwVDnpXgr9bDDWu3OSZ7CU5bizAoGgIliwgXcigZqrPUBNkjY2CwARAQAB
tBxLdXJ0IFJvZWNreCA8a3VydEByb2Vja3guYmU+iQI3BBMBCgAhBQJQAG6uAhsD
BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJECBkxTZBwl5dzCQP+gOSp8Xz63jE
ZGmsUPElufn6OLARL9pKZnCruzdcOOWsir1xRZhZunsrJ0qCMaqQZUxK4tXluMq6
t7qdsIylpI67WoE39obc///eQhnRT7T1pHwR1Ehg5Um6j4/jnGtegtLzSugkCtFJ
xaQ8aDqaT3FbY654xWwtKV2HXMoMBv9TMWhks+l6QrzOfbs1XSReoUxXGNhGAp9y
g2PRTtnqrZ6OLUegjCX3UR23pOaNubAw7N6EuPnqS8U/WHXammKbf7LPmuvFejxn
W6erUanFdj+/QKIE1kAEdfWprTz2wmSKUSsunHkbhELxVAX4ofRPiTo/sQ//hIO7
xYOXM2he09VZh3em2KpThSB6ApX8CyKCdR4fhTagx3KLV+7pbKXEYEmPqJRci27Z
WjXJzAID4Hyxz84iLLpvgbrsvRWCyKWk5sB8z5issawv4EvJ7khh6V5Efp/4UnIM
4yHHNyalDd7vtUx5Y8Sqp2sY3I5CoNZ1CIM8pem3CSdKs7KYV+FiqjCF2kDwKpEK
CewHvGNENCRbaDFs1463UP9+10rhmeED5u65eLtVXohITDLDrkLoJWOvxhFsMmC4
dCUpOFWoBIrnOx7nIb5s3sccXGSoJitsXANG5tBMADe2z2Mq+yHL9fpG9hegmFFc
mbl+7GTJ6WfqQkc7SoqN1Zjc4qfU0oStuDMEVaub5RYJKwYBBAHaRw8BAQdAHp9Y
bPAXkR2TsdnPFLmhQf9C2mY0XO37TPS1IEMmeT6JAn8EGAEKAAkFAlWrm+UCGwIA
agkQIGTFNkHCXl1fIAQZFgoABgUCVaub5QAKCRAIbqUF3KLT8/MxAP9ISev0B/SM
Qv0UZJArqEDvpGlvxIQ7EijvPSDez/flQQEA3cw/RVGItC2FZIlX+WAguY3kwCh2
fCfOpm+TGnfyCQgAIRAAhwwrwXR3Gaf1L7E0ttaYq1fnUUhp8SO86RXvJLXzm6d5
CwjqR9eTind36F92Xvxc+h+CazSkAR0aLvOUxYEcFimO164bHaVN4BPH14xxqYyr
60DHi6kv95q5a/8xw9VFMc9tSaXgJxPRUHNMFM6MjlgFW+5SW4BuAq+c5wnLY2VD
YuMbM7wqB25xw4iKSWy4sYkm8G/NeltBjhDUjhhEpSInoTqnkgZMyPWnLH3XnI07
6SQ+6nMeR9QHHrZn+32ZcGOLsfK9qcxoFa1gVQxvT6pit/jm9G45S+kGSn+Gb0h1
PwyZ00b/Ay5ALsWAx0TnuX0MET5AFV7+bfngnwnzKAYs5ScMuSCMzxn1aVxfq+Og
mHdCO4tD2FUuOS2WCmtJ3H0bu1IMbYufp9A/0XY9ZrYgWtXBJlp7B9LYjJJ0HOEw
dH4+Ciss1zayI6eBGIDv/GwX6Bm7k5+lnaU2zb5xbIyaen+xCTJmC0sVQdb/CE0k
eo9LlC08S2HbHiEkCbz1VxVzlTpxhke7crpYptKnKsZ/pe35pdQK5BZHbb+WBrI+
7pHI2Xpazv2oLhu2vhQsdntqTqBbI6CPD87pkMSk/PYXP+WMhG9Zqsc5jBDWIrgf
rU8/Cfx5zU3Dlz3wjsH+eCOrLOc/UD3nFnOCwLbgrdC3IZh3bznBCOluynlgaKy5
Ag0EUABurgEQAPBbF7My7232h0PktP61YzyCJx8ZNDYARe5ugGXndfxOBFN4Oxnj
x7ZIKymFmQ6Gw8orJaROxvh2ggxzVkm3T05BHJuNBQpTFR3Ye3HFat5gPI6Cr3h5
/U9lP5LNqRf9RX0DR/D7ske+0Tp0DepIi/aPIb2eS4tj4APUG1kQRdWfhg9EBPu9
jhvYBN8ZGu74tU+ypFFwDAP+MsWdMMBWEp/OeEfBAQ6GK3UsUtmOw3ObG8JZ5qMZ
1kU8KwM3e3BiLdQbvYLg8VHYkK6noYsAaijX8udlyUe9dkQ8eoFX0mz8ZriOKurR
Tbsx6yYMNPiq+aO1J+jnKsnhM4nI8qgyJk/DKy530ITvgwhcCDdP9vtahzrWXGEt
QUrR/lm1ZmbN/TJUjyCS6SmF6BVnPPvezmiT1woaxp3Ucvn0KCOayuBfs2fGeGyo
WH14QHKYrDdn17uHIvu1+ZjftfiZZWmji/ibKBq7SzstunSkAeMLApV7x9do/nVX
wiXFVEVBFFRToHTL6902P/EPq7LitsmWPyA89EXPBn2t27BlqWW9GxXvfiVZEYqq
rn82nr+D/R9S5wVL3+bnfLmwEFDrLwcruRziaSCClcaD6aMzlPJgIUauKnyJFF5s
NCUFzlTnk5KfOYi2VRXUkN+teVLustJoesZO54HUjmo/1cZhW+zNlDxLABEBAAGJ
Ah8EGAEKAAkFAlAAbq4CGwwACgkQIGTFNkHCXl2HiA//Zo6g+mb7d716LnhWMyzr
TnB4wmCZZwSRlX77DY3aQ8oWibVwGtFbWEvJG+YT/iRAl2EzrDWGYTRSBDnbdPAx
Ev7gUtQA8sXuRuVUp9KuTjIXRyBp4oZH8HpTw+JInErliHNs9IPMMEu0HiDa/aVA
vnG5M8LvAy+ysE2759sm8YJ3j3/oQ0Tu2doCl2BSzU0t6NYQQ5nBXvXuVSufjng3
LEk033Cy9LQw4Qp0NizRBYYcg0/Q/g5tWIb1gR+/inPj2Tzk9EvV4YaoqJR5zZHp
+J479oRU+GF8VxnjAGI+461tvpsQ6/Q5f8v8jgRuT6YzBzMVwaTnlq3w/DaFwOZk
BRcWYXZXlfyVIEwbbq+xa+YMM+R0uyxM2B2+jTbiX4aZAkG6ezfwMTCprSBPvm2G
Zupv/vcGyAgFpN6OGnp8DK2RErG0uvOPy49lI04nrel17h79JgKIWBnMh0ZxrWTc
Y9EFsxEbdOFACC/028FaW8c8GBE0CbbziRw1CCXJq6Tyz2cPXmZ8Lg5m9yo1Bco4
laE0oqqdWIepzDaVp/bPlbwcmbBo7PVWqbAW0J3s3vPj1r7a7sjxILkqG5hXAWGS
77cv2tGfnG5I1r9Y7jxJsFzJVwjTWJ9dyQ0045RlD+4kbPFd6fLghjUQo7FrGxuQ
JMeog4NgWTChpQSDcCTgv4K5Ag0EUADi4gEQALnZQB3RhzQwM8SmVGvUzEBpGlQL
PbImzQhRUPIpat7cyLP78QpBY6TakiaQwKut82rIlApq1BnwzUFvyGEar//SQWQb
/OM9SPSH2I2pe7iomqi+cQAxSDUuX58SBLhYrSleI0oqJ8G1LpiVqFg6xWLQYUSA
AkmfySMWZe4QcE5Xx+iozr+531ihjEBfljocvqbG6YTTVpVMa6pg1emkb0kOBg5Y
XgxD/dw56sGC73yd0252xWn7qd1Q3dg9d7+mS06lzfA5pA7lNyPaB29pCm98ZE9r
UVBprt4NIVPy1n/eZvMlqf8iLqUkNW3PqvRv0MpzvfAuaePRPA5jkxwAD+8SuJ/R
+RGwJtlFX1PErYLMNwSfeqJYQRyPjCoYi6I+8iNX/WwKkXYphtDjp75nTa/KS6O0
lak8H19ZvHgP97YMQyFvbTW/m3xeD8xGQuhjoAKUTHmAlqYzG31pnzcaqtrIgUp+
u3OQaTMZdX/r4nm3+p1RHhZXKF2zQPbfVEy/RXhK2v0oQFOMpm46wwb3eXax9dhH
98/X5Up3R8xXg1n3vuPj1YonAsBLmIZtxb+9n0II6xDNhwu9/vVG/B5+Ufk0CJ7d
VHjxVnWGN7ghA6Pj0hshn/4qssi8a6idXaj2bxVCu6C3kU/fMiSr0aPpXWHfdL99
TU0enPWoSr+kSw7hABEBAAGJBD4EGAEKAAkFAlAA4uICGwICKQkQIGTFNkHCXl3B
XSAEGQEKAAYFAlAA4uIACgkQoZ8sMBpVIt0CCw/9H2+XvbVfdJGO7g2xvy99Rpag
KgsQ+S9FcRbLb2ch//EUTGfMN8jID+92RhevH5nZgls7rQDUMWPU4MU4rL7ocF22
lrHptGB9vUJPFwCADKoc7OfQxVkrtIqDAmMVYsoYcs1VX2dJtw78z45G7I13yVkj
xwK82u43OwWR8BKgNX4uGqiu77vgT/whpY110Fh1ceMhUQFV84XGjW0OnK9L6snn
KLXhiR5seVt40KhmuvHYIM89V5o0uCbl7r8PGOxs5xsMIPWdKLXBzaPpAbQ5tyoX
1zXk4yBwYPlOOTKr1xNL+ZoQkr5zymL/ClPJIbyMX9QLh6/dk4ndq0/TZoEEI783
QisB5xqYftI2jFlcHE/79Ud0vY0NEI/zXKIu3d+qLuXzbXI11LPuw6g/uqTonHmk
EYPMoCYrjFWGFcwVopPqYQJUzXNU34D7MLyPTwUBJyYGV32o2fWFyU1TerBSC/7U
8lLJB2di4GUG5kg7kdx07CXb7Twm5GCvkSHFACHAS9JVtqiW7ZMJRk+zay2QyRWE
tB0jc7+tha+QjuWfRwyplNogfKZ3MYJQ3LI0+PD7oX1mtgk+qKEtCcrlpjwLzIeV
ZWLy9325g/s0x3cQuJiqSHTD1WkMlSnO7lOZ3VvNz0Wek4SMQLSwEc4ts9KivlPd
tyu9xOoJyPCdMhC4cdj+8BAAgNqdDtS+YLcgJ3wkxrZ9DSwg19qNEipUFRAXajAW
Io4n0duMUdvb/QjPcoNhlZs/sYi2kXWds3CXCUPx+R0ZVwkSwVNPq+KVrdZO3hr6
7YeWPjIp6kR6hs/NwUA2B3/snGYZK+WQou5Mnh6WTcjw7gFeBoffuQge+SUq/oMQ
Xa4yg0dAbl1eGlVM4ZoQXRX4mYX88CWh/8gK532/P/viA3/1J2lYI+vtkGlHMHCI
+k0r3XMz84Lp74xAeWM7mYYcICRtiM1yoo1nCYcv3ZexsRTQioAKS11EhuW9eMDQ
jDLms1AaMLMfbS/YLT8JkfDOz0h49m+wfxvY4fqP5PDirnpU9tpkOOp3LlDK0zXr
f552sM3PTHGlvEpKqrl52LCMU/MJjaKx5DycR+fPQC3GZnzb++M10G3OHlQjhVW+
NTSMKyp4vE3lRMOz4C2jM4zIo4dfHnxJxv3VQYHdNWf1+fbq3BHWbx+981dytwFV
zIUQ68GKhndn3QoZW4B6edsWIZ63EGOoBUh/wQ2k6ncMXBz13ou/vLhg+crwBXAC
31I3rvkZLC0FnFxsJVXzZf7TSSRaNE3VsUUA+nl8FYvxHdlTYHnU5NVWKCJSKL4x
CgnOpvonSXTDY3RRJk5uHZKmoYgrgx+eicIH/tM7f3FfbOXkAsx/lJXHjEqqwJ7T
BX25Ag0EVH8XxQEQALTvIQg6VEY5u49MCR8OxmfEllnypF0ZTLX/tXbRbF8Y1Rs8
brf3H43cXSGJvsRvMrtJDl4iz6DaoF7Oy8gj+KrpB7wNBYuO4wlhR/sat9NfFUB+
tMLO5SZU7CgBPjZ+4x7yfdb+h752g52BqkertVSG2YMqFSI8mie3W6elsdnx5ZxW
8ol2ZLGZKYQS7uK2eWomYKyYKdunuIXz3wEJZT9seeh8pNWmV0/n9kyoqZ+25EOd
oA//Wov3Q8nwCmuv9UhoHOetRDNrAVfS4tvaHIzleTc73BQz1anXjI7v1nDzbJti
umOJCW/ACJPDz7nCfkyR3Z4BI3ROFl2qp+TWqaX8XDirwvjoNYB5jSbqgK/Yve9e
dYVZfM0QNXoqmFPzUEBMs/czA/0Y66bWkS9JGRmiITWpQooujOpLY1pizb91iv+6
dBsZRSvvsDMJjZ84AI1nSPhIusHijEvvezlFiObZL8/TreEzqIuO+sYvK8zFVx/a
vnqaOBXceyiLti3ZWjwHFyyfSLfmIlYtlt//pg7bFdyAGKepixPvnVe5eCPmsg50
x3et2x6MPc1EEH1wbsJ7b4UgT88lrFMlaCYHJuKoHvI+l/lLUn0zUvLR5cZNwtLV
zyvDqTTwIbkKY5URQ2eL1yWb6NoaugigDPaQIecUQxD0POY31qs7vrMxSNghABEB
AAGJBD4EGAEKAAkFAlR/F8UCGwICKQkQIGTFNkHCXl3BXSAEGQEKAAYFAlR/F8UA
CgkQ48TdzR5MEkTHLA//fXUEdBCTH/9HXnrJgfpaSAJRwOEX1UxSoJlrRmRESxXN
FHPZd5a3Ff99VISd5BQJeT1EJoQGZToATbI6F6742Uv2mkeEz/iBbYEPTnJvcVux
E8zEGY4RdTiBYEUVunRTXizF7mh3kswIVZc3jya5JsBLe2NSDv6TLoBdjz/OsLmc
YD+eiE4vT47SfofDI2TMxq6JH7ezMBrVciibcXH3MSyacDbmgj2DzisrWnkdDvAP
Ry4+0dg5bo0KKo2e1cm0aOZZyE467ynO7+y+QrFRIZrvZozgvHtyAqstWVrM5gAV
xyJtPCpY4k3+UmwQ61wqGM2lPqlnskyCA+VeO7LyYiUop4GmEi/z99jg7RtiY0mQ
Tq19mAZd5dBwxjCRI7Zb7Pw8sMqzEpbmu9etmdmJvzODlSqi100EYCG44fPbUfss
/6Uj6k0YQ7NFEqLezUYQcZRT8l3REx8J7HQwcQ5vYZfP/OBxp94xPuBqpOLgWQb0
WR5V4QzCNpRpn0AKt4NrFB4v1su0nuQlMdvjLL2T222tPpxDkFmlfI/TyzsIO4s/
54gBbZkbF324OwFTNL4Gbbqf2Uun1cGgt16k7HvX/YtOiUidS6emhakVmxpZe11j
og7rwP1LInm95gPPZ/AhS2focWzXSbg9BxB1GxQaUxGiz1zHZ67WuzKtRXB1Rsn6
ahAAmm1+BUUVmtf0+e5ITls9fff7Gc1Hhxfa99Eloz3J32YMXjusqZQyRoU1IRfx
F7wKbEM/I9S95KEcXIFT1HyRpUjd02+uJTakWg95S2Rw29hFe/q0qQrjH6sCK6Vt
unDg4bLjnw4wxiCeAUVzzGwiYsx9rbNDJVYepM/0kcX0elztgJbZhFfWwDdl+JN2
ezWrDNJ64EV3nb5MMky990COFFXAOB4KhDY0Qtw7pRVODViz51w0PpFbzdmr2n9L
7noG+rzGjN64tLcLwB4ngqr3ypqv2GyoPg+t+iDWMv0e/7WOYRT0kmznk/Dc+0sN
2i2NQ9taNnjvZlH/WD9AYM0fMS5r0eTTEvFLZC3ilik5zGfGGf3EPfuB9GUzvNj+
FvjgG8oBZwjUuXfSGli3l/iOFDY9UkzEXGUqm9lXE0U8f4hST7Med/ifum/GBEFP
rudn/i0xgmZi2wLqm7gBRwRSpGmQAmnk/Eap/quN6/7QnHfYJIwF9mJqGlEO2tq7
XUTiC81d42Ys8tu9/zqQS6Y2wND4rbCJ4Z/yD7ercyDrL+9OKDmbOgLo09dJ0QQF
fKwjKnST3x2RZsuN1Be7fd+lUXHqF2IpV6UiFDLmsT0F0qouNnEj/2+HzPyVj+Qq
d/1OlzNpIX81R4Xm7XXyjuvIoAeJl/JLXqb88HAyikF06OeZAQ0EUYAuwgEIAMGS
HrN/Ft7BbYomNoxqKyFKunG6JVpTK9aCl7oyhp7sk0JbxrKElvAC2xDr1IYDiBST
KtHo8G8MxVgSJipnBcH/cgStK0RKNy76CRuaxrRdzAemQTeI3sjxpTrrIy3vXScY
SZytHkTi7g242ge2c4EoSH5EIsanmajqHBtRhTMbd5Qj/OLaEsCk+loBNecPdmSG
C0dXeWfdnXqdRZAB0hVOjFiG9WejYRCyp7xDeJ+XZR/Rilo3X0EMGvEzdY84Apsm
TQBvVuOARp1q+sUEI6X0KttOF7BEaaQ53ElZpWQRFcxKGXNTOMm8o5QRQY7EkKad
9CKY9CgJ1DJUUuAd9EUAEQEAAbQfTWF0dCBDYXN3ZWxsIDxtYXR0QG9wZW5zc2wu
b3JnPokBOAQTAQIAIgUCU96+vAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA
CgkQ2cTSbQ5gRJGgPQf/WUQld+vrqt2+yTI6LTNTQBG9RceNuaZiRnsROR1eHtVr
9OOfzVPenCavcXghwsY0sPPgSDrvFur9PyuuwQ87HmdX+ZGdRP3tSaxC4udHbAsZ
tEG7bgUozuhfcpC+Ah0lZ3EccmyOkYJWITWYgUBEDOU37qne09udDMA2NHLuL89h
T+eIZ2pVwyFydkJfkXtgfrDq3RmZgfebVB5ESdap/G7t7Iewi95syApMj9swbxns
qUtmFr0fCsVdAA8hJPqx9zVuUon0g1QMz2IroNH+6WTDt7SGYcuqNapizk/PJd6g
2ew9cm3r3CIANiqPgo0Mh02nVGgX2p9vWcT4MzquBrQgTWF0dCBDYXN3ZWxsIDxm
cm9kb0BiYWdnaW5zLm9yZz6JATgEEwECACIFAlGALsICGwMGCwkIBwMCBhUIAgkK
CwQWAgMBAh4BAheAAAoJENnE0m0OYESRY/4H/RKxZJ4saj6+Khvz3flSKt6LgW+f
MY5RXXD92AMtLNq+bKxXFvir2mynW+PUoS2bXy/Nk7v0B4BEbBZNBgaYWas1FZnY
OBuMbIngtLmQsGpD0VoXu9QW2aXpHTjLH5FOBBODrTVewCN5Ty5JquZ5mAZUwAie
x0ytRzviUl5YpKei+vggU52CJT96e/X20rfnlux9O9vSSwTlDvCeehFd0vI163QB
Z/h52dYMSdFvpwhUMXbxRGPEfrIh+oBV7tWe4MHhJ+5yThHiBgVL/EZ9OChw9QNn
itTPzCV4YvAMiJTsamKWa1lOXUVM+QVr+aptwmB1VMmotk7m8hImRm+oTlS5AQ0E
UYAuwgEIAM9nUJAEpsVBYwK92PP9Mlo1/etXp6JgBI68sOCJxTwzBrbTzIlevVQX
qW9zdODD6ObKcgGNuG+G6Nwn54P6McRpd2dxor9YA+yaI0yT6CVnhxsXjwc/vuQ4
tBAL6tfuMAXRVIeEVk22cKk4HJB68ImXCCRdyRi9HIE5iTrZHsHC4sjAsirhlc0o
8hU3gqkKh2Ehwa6+U8lzNx06hoFEZxIVRteoz1jzCHImF7EXztEcDIamO8uckVKA
uKbJgFGkU3bkvNgWlc8Pgx4tRUNJGC1LE4nYqaSEwee1SpA/VewiDObj97PozCTF
zRCUBCnSvaAlTnpA90TnODH7ar+L5aEAEQEAAYkBHwQYAQIACQUCUYAuwgIbDAAK
CRDZxNJtDmBEkQs2B/96XB9hyFpX/bhu41YNr7nSA65dDi9d+PkMqvLppickG3VR
4xXWywzEJTw6W2DNMyFO6mOtdXWgNdgDF7HKZYvHBr6pyttLAMP7BfWBvU7YY59u
KmUSc5vl0NzsaSbx5PDSQEkSICLI+/hIwuEXOb6Z7gOrX7F1uy83TmHFOOjD2mLl
5isUzFhaLVk0fZSY+mCgg3/inbwb8g3191Ybk2LfXmndaEsdEzMLrT0g6wIgmybz
6UdVuVPfSPGly0VWVAG1sNPOCpAuJpNV6+VxrdViAx3vQPbx3XzqDFS1ISlnd0qS
/7RXwMuFDpVH/BDvzQcoikWnpRY/loPGkSg4TB7amQENBFIOPE4BCAC65kaDpN/H
2OawMMUjPE4OR0dq9o0/qf6ZEEX3NVFIRZR6FUI0f6LsobNB4gf5iC1aUMPSGky5
BIY+AtTmVKM/3py8+pg2+lSvrHmuhkAFJlQfhjrvGz8dd9zO4Sfd7M6xEFJIYfaL
ia9tq4tNkGeoO5q7zJBJJKK1og+Is3pvJLELp4LGFDx8zbhRPgMU0vOFJMgyXuGX
fWVoqDtOKZlw073hasHiEGFhwU/9hS5yabbz29LHehCILryxtNQwOWmhJFVl1fui
AYRenKjezgYxRKSZM/npyNayTN+9dCdOacuT4y2kCSrzNQAuzytYiysnCIouBOE1
u5icWbgxKi/7ABEBAAG0HFJpY2ggU2FseiA8cnNhbHpAYWthbWFpLmNvbT6JAVUE
EwECAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE0JloTcfCHgLhSor+
8jR5RVxRsnwFAlogQlsFCQvVvoUACgkQ8jR5RVxRsnxKcAf/arP6yZ8tin2yieuN
Ov2Hj2FGdzeFBbEVrlDRiXVnwGw6Yb6FNBZCjrXRTtVzmIeDZgiTN06WjBIQpYXZ
Ff8bbayxu2LQjhg3NZt66iqRrBYbMu4CLMQDK+XPHWqJLFjSjjThE8LWktYNWaTW
kkVrSQLcCdJgm04ZnpOUygU6+m93HKvbv3D8kUAUzivoRBU58lr2hox6W7kS46PU
tV31H7IKrihkLrodXeNnKCWB45LJ3NykwH2ldqxQmXRJksIOeMoRGrEWNtJCie9o
I+PJxIv0YoPmn2P8nPF9+JeC0uyfSZaMFW3B4ZLLyMDvh+3W6p4dpqDWV2oe3GJ/
gSZzCLQdUmljaCBTYWx6IDxyc2FsekBvcGVuc3NsLm9yZz6JAVUEEwECAD8CGwMG
CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE0JloTcfCHgLhSor+8jR5RVxRsnwF
AlogQlsFCQvVvoUACgkQ8jR5RVxRsnx70gf9Gw1vdnDihY/ZyW7L9mSr+bqnANpH
BKjJPSLyjMmBsW0ac3Es9Q+hsucE1QFNp9SJ9WXwy7bynGUE66PbeDaQd//4uDmi
uos358pAkGZVoNAMTNRbHSEIwPiiyB5/qNN14R4WorDhGdmOdz64vwnMBEKen+WR
iqrNiHLiUQG4AGSDapkBrki83Z4ZnZ5vQPgLAnUN/IEVVrTyZQaeDMBZztui0IuE
mmNlykoLPCv6h2ImjH3Ox76yTOt1BAzzMRMZZrOl5TLqRFulBtsqvtJ6nyDYtfTI
FTDvhMzKn4n5yUcWvbtutnAQG6JuX0EhwDta/UooEffDjsVCwqT6H+o/vbQfUmlj
aCBTYWx6IDxyaWNoLnNhbHpAZ21haWwuY29tPokBVQQTAQIAPwIbAwYLCQgHAwIG
FQgCCQoLBBYCAwECHgECF4AWIQTQmWhNx8IeAuFKiv7yNHlFXFGyfAUCWiBCUwUJ
C9W+hQAKCRDyNHlFXFGyfJsXB/9dJApKTorE1QHzy/G2+mHIBRkjnlfEB369Axaw
XwLPmBOlpnmmuv7mESiEmTj4oDVvslSpaEkmvzZiEw0qcwZ7ejbYbKY9q9qUDUKl
tNDWowW+nvPZ/XmySIxSxRhNvNYNwqld3x77Yjar7j08dzPbcxDblIL21wegvPz8
gfePYPT14roK+FSm1RdJ5AmAzSnmzM/31le2/z1QcY+PYeNzO/uCiKNs9D5Qp6WA
Y2NYcoM/12/M+an2OZlVQxoQzoCxMbHB8Vm9GH86qKfHG+ZZSryADqENo41fdSnS
N0XLuozsE94T9q1NrGcZnMovISAYIT9XXZbxDxsCh/UGZVgtuQENBFIOPE4BCADE
H2XYHa+Hk8EisPQzpDuTNDHUw2lFOY3QiRFx1PKRVUyYCzNlWIWtOh3cYf8tamc/
nfZ/tDXTKyXxe/pmPQO6gJWzl1Yvws6vc710vqNt/7KJDJfiWPdIlW0x3+8O3rtE
gFT6asywj+WuG7LHODByysbvVOVq2vYStz+Pn3tEdoTTCnJS/IFyJq5yeU7rUPHH
d2xgOMycPtYxAigesS3C3IPYbWPV5+3ELpemkJPHc3GlWwOGw9vt6tUmurcPVKtw
hh9lso217e+5Dhn8PLUO2Dm98KLTUZxEOTvfww3i5nphuEDTu15nGNF+QWra+jv6
08AQBEv5GHfs9JUV32WvABEBAAGJATwEGAECACYCGwwWIQTQmWhNx8IeAuFKiv7y
NHlFXFGyfAUCWiBDlgUJC9W/yAAKCRDyNHlFXFGyfDUFB/4/pRvFCXse+GDcYa9c
G9nfB+hwL3OSQCHnmmHkKTQiV3JF+swZtmhkm/8l5gQQ2K/F3pNkj1Sr8DddX+w2
aORGWtv6Xsq+6a9SrlMb25frVlkdcSqffqWbtUHcvxUUJC6IGe5WVlyxAsFhNegL
54bh6Ic4FotB++0Yfu5lQ71pzifEqBbvi5lBySErFcNrOpFxx8CBjc63btqwUPBp
DrKpvH+3pzMKJzybg/KJy6P6dd9g8R7dbv2zY9avO+IQkYRasL4pJKxUp+4tX/yo
a/aXP1vazrpAyCAYXNBtq3gPCw4VS2pDTCbxIwDWs6pW+NPy2Gng4IaF93QCY5gE
7tbXmQINBFQwazYBEAC01v949yFYzwbn0UkEkM3MHTrDqWbp+erhXqdVD5ymG/pX
vmqx5KlxL1TZMuWEFuaq9EVkW8Wm5glk4D14IalIVKARAMDwqgNrPnw0GCAmNIf+
OmvlG7gdsSR93eALJp1vvKZpeEVZj0M0gQ1i4QIIR8PMqs+2jaYyed4HhRYzUbGK
ZMnr94Onby8FIAYq0B79VqBv5NfMc2KEKrLXwuDSjtZd2TGB7qeLF7sCczyFoi5X
Tj+BiVfdxCzoYEa1Rjp5hGllVj85w2DdfKED/BW7VCel4H+WTZGqTFQ1e3kPo1Kd
qlwDF+Ci2JFU6myPy0LpHrNhn6FsdQGOuRKgYPycol7VzJHKtcGNMDkUFGV2Dsgl
jQuWSj5TNNX5umFCIIN94eLvHtV9bXP98yKB/5pr2JhagL6kdU7OE0c/mugA05gG
QTUJDeLNsRq54YC+CLyM9dxMvH7yB43yMfUvgKcSRt0sHUo8g5aOYdFq0SXQUr8+
t/iH3t5/JxhqBik8FBiu0aISsTDUbvbxQQQe/LhfR+FWDZRFwHOL0VELapfw1whi
tGG+y+F9fQIJfa5yzEiC9AWYZjHRaFB7q6LAvF0V8vP+pkT157fTK63W53mt1+VP
Mt2L732i+/Cqy/6HzwOdnNnNyfEdvm2Jojs8KXN20vChnfUGifvTjxuiFib9sQAR
AQABtB9SaWNoYXJkIExldml0dGUgPGxldml0dGVAbHAuc2U+iQI4BBMBAgAiBQJU
MGwdAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDV6eQ/ffnujKu0D/4j
YQRAyWEU62HOiQJkSIOmMoio3jsfJF7VQnvfqgswvmPXocmQeQ8pdGG3o/YzSXRA
ycwxys1cFODa33n3E1qlDkAzW6QpRrV3EB5VLYY0RD1qcgBB9ToQ+TQ00jCOWGCm
QxH4jeqBKVpXO1itJl2bmOZhzqNAd8jQ31fOOfuwhjyvc7hOev3/Ui5gmhbApDTB
m71eMmy0aAX2XZwuTTzisiV0NExtAm8RjICDeXDqwaYVPmaz2GPqeIxKA+a7xboE
JePqEbL8coKSVebfKXtYoTTIZs7twqUbTI5kQHcyvtu2fKe5vATkbqAvjW11aXJo
yLnlw5GHcT/tPalMsPMRN/fLQLhF6WwlaEOvG+jQwgaaMIL1Lt+M8Q59MCnbdmBh
wes+ype2/EcnFht2PLvx7PpekHoRJosulCl5e81tzyIt9fdlsxJVIu07Rv27agum
D7NFN0kDJDVs8JI2yjPWwuIDxTCtOWvEBDXOujPlElozYNE4gJBj/Tw5aWMobY4n
Ak4C+dZQ5vCwV6/XG8712r+yXOjVYe2W8vPa9Q7Dxc3w5HHDl+p0p6mDCEpr0VBq
xn4K5HnjNDDbvd2j067PtH8avhySGRIV/2AskDeI6jPoUBofWzsDOwWnGj/Rfb56
toQytliF5VgoV/UO9MQK1YiasyPP++j4dYpz242yXLQlUmljaGFyZCBMZXZpdHRl
IDxsZXZpdHRlQG9wZW5zc2wub3JnPokCOAQTAQIAIgUCVDBsCgIbAwYLCQgHAwIG
FQgCCQoLBBYCAwECHgECF4AACgkQ1enkP3357ozVsA//RvKgkyIyyzBqlsHKlAJP
+9CZqheNnM1xTioAqUHkQyUeTGXVPzK0RfGY0x397SW1X0cAt4GpfV5gdLuhMbes
xcq5hVhM7X14zbAuIJbrrgRS06wH3MCemnpf7xRYyg0SlaUQeCR2UANDTEiusfem
3b1IBt3HRCy/CRY9rASgoyhSIY+dVjiEC3tfH2AOZYRrZPq0TF32ygEFMi4ilMfc
xsAQey+cFt3Jqs2W0YX+ldgYyYZpiZTRa6OorOqkGnLfPB3RHHUqazl7RlzKlXOr
HdeBy55bx9sw9Nlsb5n3bYZQUMnXf1aMADYWwwn0RLtcgigmH/id8HCT49dyPb1O
J4OeXat3jHtjGeqnhXNq74gBHP1WvU4gVWVBtpJ1d+YMWL9+9V/0IlmdbBxLCSqn
imTnRnKcQD7xPMRCPTyN2PT7Ksk29tHGpshp/NKahTvtsA2ziBzRY51NOm+/iGid
RBE4BGkb8lPjuETsBNUY10XtuZY0TIRgW1kx0Y/TEP4rTESCyKvrlqu5WLFWs0rE
5f3CrHokbMdNJOC0BVgC8wixYlMu4JdlsxGaaaa5t/JVowCKzPlQhgP5MI+dy4nV
0xRb1Yi4s0UYtNEYeuLTURZ7Z6lodlYDRYHRxBlp4alzsL3zpayQOL1ID1nMIgZb
ihAgFBeVEmONjEgEKePG1Ra0JVJpY2hhcmQgTGV2aXR0ZSA8cmljaGFyZEBsZXZp
dHRlLm9yZz6JAjsEEwECACUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJU
MG0mAhkBAAoJENXp5D99+e6MmN0P/AmpB8DasBnjh9fAlBM8kEZ23MHVdEguPWX8
KBML4L6eVlWRn7hdfpvOS90Ll5LTdtWPAQs8lDYh4V86hIYgLK9tisZyby+5NT4d
El6CXgHbRjdDbp0xKfGc5F9jWzPZpG8ZdDz6Zbvdooy/4ThXNS16HcsJRckan6oF
jCNAWSNpXDYcLtA7+9ncimrC/C+kGYlyPWJGYZu1C3I+oL3+qWwiqAG9hp/zedsI
sNP7o24wb0SgD0dTzphmOAPwTRfGS2DHhpbAH9P6MZPiFBRGsARRRFfTRGkzI9W1
M4bv9l/L8s6STpjD8+40f+aUE8cyUcNj1ycyRGFAnwf5MeO3MqzvjocoUyoZNc4t
7/6rh6sceFjgMt/DFFZbi3kvz9cJBcaN6TWWktd4+1WmLxwcF0n3xaB04KCvXTaB
Z5f/Hz5D4O8HyYsS6GlW6yIUiuAOvav8WizaTMbYk81XfXBuBKv7Vxk0fRYf9+HJ
7fyWyIlIN9FqrSiiopA3JR+8gP8ueFcycmLnl2D9fyZn/sv+UCLrMR6fyD/5Etzg
zW0AJ8BDJw5n7ctmZ6UhuasDZZMPC2uB9LVhpQ8W3mDDxJoaYe5bE2p0ca+mwEHZ
QpbpjmtT/2x5rGFZYxBUOhuGn/94zEYSqLLDirlFIEUgucXLOLQHyEl+kEkCLEmS
bn71WsM8tCVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAb3BlbnNzbC5jb20+iQI4
BBMBAgAiBQJUO42DAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDV6eQ/
ffnujLPhD/4n7Jl5/FIKKNPIDJDAYmq/Z36t1m+m0IvSL0yuZh2WSCDo+xurZWVL
PQIrP14ORvWJJzZTmRLUWTxQPDF0z3S4kkopMyqTeHl++to/4eTQPF0QkpLcDXVK
zRe5jzRUTYC8x7mtJHdgKjmWqbgqm63RJg2PphRSbFqoPkfoZ0/kNdzG3bkELlpW
8YphA4guQBlU3N7p52KOavVny03UDLN1jVE/QmD641g4E7iNNxyXNs15iRi884Ox
4+EjBZOQFygx7RtrWXVokOS4Ba4fp3yDnkAdqhN3DtjKGPv7oqMcJuJpuBP6F1Rm
d7eJPS6+nIfJac0EnhDu25k5m248mUAgvtX8PR9n6OB39G6UEKnBoBFpmDpUCJKe
OLwGjvkpB04gAVdIbWJVXVkYVUyX6i2VRQiVEEmEsTNRZKrjyWtHyAzfSg0oEKUT
xijtVbkHZk33SuCSATq+8qKMXDDJHhcpX8/K3zgVOMDTRexY5Zpe47IiL0/CbK3M
N+SnBfgZzsw/TNasJ0a/AUw+FDGIq71UNysVL7dKHeKQX3nRRvHp7blpdCf0bOlB
c4Ni5Rk/QYMAR1zVHgXHOrANzTim1dUHensnlquYGx3sdws2d7G3p0VX5Ke+Drea
l5NraRhMYk0hJTgOy34vf+z1UGejbViVkEgts1X2nRmBInJhZOSyP7QvUmljaGFy
ZCBMZXZpdHRlIDxyaWNoYXJkQG9wZW5zc2xmb3VuZGF0aW9uLmNvbT6JAjgEEwEC
ACIFAlQwa/UCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJENXp5D99+e6M
3KkP/izg32cHPYfDZaWDVbzV1V1EcyMM1hpsQm4C3bo2UY/06NtLescn/6kUwAlh
Bnn9jfqbhoPzqJXc/kbNxtVRc5JvZxhulBj+UdgoB3wiyrY8tM0+eYMWB4Tej483
0s4c5rUenM2OrUNrpaLVL5pFm1M7k4m5xaMIkKUVQB0PaCms9NB4yplSIEcL9c3M
5UFm/ipQYML6qp07qknd/NTbNNPUfZreLYQiAr/kZxsjZR4mcCMaal8rcRZVhzkG
wX78aReu0xIdkPaNfJAvrO7NMCz7U3yntwbXmRi1jw4PAXvZjAfgRbOv7ug1xPcV
dbr7YbhL3miyYXH8H72muLvslOvba2CBAE4x6wZi7IEx3VNG9aklOx09PDZy29ty
Px4AhMLPj9GnGROUcMzC3+ZvOPmteaQjdA1MmR2PEAdm1OZLJ1Lb78FcGoWBXdWm
I0XFM09YxAAD1YNvVijPnS193jtTqesKtu57D4PEqLPUupHZZpic9X9T17veSjbI
6B1VCi46HHF4MEbQt7pTsGiNMKS2i/YVTap29Fj8x+cTxAmV2Fb8BWPjdLee5VGy
H8dwDYtMXK7fE6hQFZX3Vn7RXInv4onouolcyq7aPvxYPVnGdijNSMDtHdFx78vS
t9kMx75s8jyJ0ILojuAqB7C2G/ScybtQNYBXAIZtFZWLiPuEuQINBFQwazYBEADP
NcBdaXTUwkG81K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpjU45kx/wO
5KiTVj+bM+scSzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV9qT3i0eS
Spa1Kpx8eAHKcVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdkHsEoMSVU
6Jy86E908OLaJbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHMel8ZcEgT
ah7huS6lUA4seQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1nbMQ/dEv
MQpFxLCOBNQP0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAtc/+iwMUk
QQXJRw7Vlp9Fp9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQJe31m7se
zA3cLnFR86ol2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+sjauCZQW
3KYx31Il5bO3ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbhddJBHsd7
GNkwzb1QivcqnYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz5JTjMkj1
s9cppQ8tdqiV4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABiQIfBBgBAgAJBQJU
MGs2AhsMAAoJENXp5D99+e6M69gP/2MzECejKPv0lN9vHTnqLHiP7BcqbivPNqT4
V3yal/JfB9c8h2ylsuZSy4r9TKDTgv/KVm6b9kJVsjdzyqwerKwpZ6T8ohyDt+/5
UAXKY7wH8vR1qZdtRQ8Z/UbsZ2vyDGMKutBIxOYfDcpzZ+e78nRd6k3E6pIbR1ut
S972wQHM/VTEmsvUFZtX+qszOVm2y8adbHzY0FikqN/NZI7NVY+8gkwaybpd6knl
9ArEQe1heVWDGpaTUxz0SKglqc0zHDtxOUkhiCcvgKsAGWbxYspRq0rLsek51RFS
dO7NJ59co96uyIu2r/sGhpk3+/QdAMmb9CGeI+DVFhTZxobBtWxLphS5EJeyHfzO
tZNMijrrB3cw3GWws3nMsMNcN1g/o+MLxpHwcuJkEai4so7rbDf3acUUZFCwEzBP
kx/SeXjatAObEUWmshIgNUw3AFnxdD7QOLJjctRsiGq6GwvsZ/ABDYuHnmGQW3w3
4fKEYRLCAkOq7NPfMImM/I7Wf6Tq7s24g+2Sg8vr4yrWKoIxp4qB0GpSQmayk1J0
RKR9dNqYNQsOr9jnI4l7KlOS+2K4b9Y0CJbiCNOdVSCf0AVnubk+2IiTrDCzEBlr
5Dmz1xGC5XdlBeoSujB+HqZMFf8Nbjap5byHhBYB0ypkh738JQBeuJVIgwlHVhMV
8mypBNjWmQENBE76Z9YBCAClJEJJTPrqEX9P84lgfWoeAz6MqIgDxxmIjFMeJZ+s
p47tHnPaam0t4+8v+63RpsIlepNZtsufUyeIVq104YB+2pLWlTLCG0vQRmA5D6Ri
D7PeadLnAZtBMzhTNRyx0gD2hLM9HN19KftTa9ar4SfIVd2e/N6vgSSJKsI12x9M
4G3Zd0poEnz897HGftxg5APVsJoBw7tSQKHmKxLgJWAmxFV7bMxquF8tGSgaEeV+
AceRKQmVWFWBb2JIa2qihptuJOfIlSke6h09oVa1jZ6kI3ATWCbzAWUjcT9nHCmE
VzT/Fha7JNW5JT8tyO08B5b82HyL+83n+87FVbOkncULABEBAAG0HFRpbSBIdWRz
b24gPHRqaEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlOctAQCGyMGCwkIBwMCBhUI
AgkKCwQWAgMBAh4BAheAAAoJEJGVxIJB+/fdlikH/RLnyBDNaQuyPkl09ZDKYiYq
g0uL/BtjEdzZzGzfV5uk9RctMd5UMU5Lh6phdc/Jei0d/VpQnSxhSoWmQHn6reYf
q9SabApzZzQcscBxL9g0P4mMj4PzYGmhYCkkh1GOTtDtm5wleTaoIKz8KTHzvc7b
LP5XIwrzwrtiRAiAfCCdmKz9hVqllM7yV9HZZzXnd5lAqoxV9wt6eiGfB4ORVJFa
sQsPAA0/+YoWhc8Zta819MRABKw+egfWoRm+DVAEVl+5hPBOJGzrFpZdPVPiGt16
QgmHVKVh9z46OBup/CfhvXWHY7J7X28c0/zHgI1dFJBOlgGxAzvBGmXkYNLXXMG0
JlRpbSBIdWRzb24gPHRqaEBvcGVuc3NsZm91bmRhdGlvbi5jb20+iQE4BBMBAgAi
BQJO+mfWAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCRlcSCQfv33cdH
CACS9HhOWAyEAGNhCPjOhYsJRY0iQk57Ekxh2kWTO66NLfX6HwnmOv+6z2uMo6Xx
IDqLtCMFYoURkOUuoYNhZBhbLNNCqBY47382zuivs4X4RUNuewQGCmQd5ASzbCxt
Z6eqMG6qJpnn8lsAbI9yGQ8ofwqSs98CTbRsv4P1DVacwXFqGDeu4qKQ2liIdbQm
CP9mkl7dkwJ2BJrc5X8msu226WVeT7z3lPWlmEWnYtJLnjaLeGjP4wEcaUDm6Lub
RWxUAZ7gqRWqP8dX37Y9VSZvKHOmUINrvLAmhhYlZvt8z32PUA+hICJ7AMwB3V4H
oNy/qJfAtkWqODvnG2HT00BduQENBE76Z9YBCAC5xpa7smrlstM6q6gnBkjTs1Tb
68mtEXTGPpc8ds6T/79sApVbyIq3xXCinqtSwYeH/kkYnB3+kBQDgDsSFos8XpxB
Lqr9mrVk2Bu4Pz/c5/vF9L2uhf1p8nt/V+HlC9p7Q7ZCf/TRFQj+3WFafHbBjzDZ
w6kkJm7gBtzNj6FTHNUxv1t3NzbPSeW7tQbo6ptrclLk+S7rgEnG5t8VOYbo60I6
bniGUvUVYMVVR49BsZ5tW7jrLToZf5wQEE2C6iud46poPpcDNiBiPi/LBFHCr71K
zGnAWsfHu8lt7v9MarEuXDPoC045DLQyWSKHGP9/uSuesEOpnb63J9gDlgaPABEB
AAGJAR8EGAECAAkFAk76Z9YCGwwACgkQkZXEgkH7990gaAf9FD6fsKERbpB5aSiy
CyXWm4vgIla4U2WE8ttGRNOVX646XHN/lA3W9r84HOsFgK4JvbLomiwZLQS+bvSj
9qplO+s5OqzfWyZpdpjZNhAeb4GsfaYThrT0mCngb6gVnAEpvtf/6+4KIQSxqvbe
GXJyaHtWhhXtqd8qzV6RbXDc5kCDJQMSZiwTxHUo7UmWR3fPJDTfhyyLlD+fjI/H
hHwR140q1xnP2L/4wWF8pNqxX3qcMkXm6uDfRgY0eCdT/BlrJAQ0lfa09h6fsMkH
soHd5Pvpz+TkGHUI7TNMj3oOSrSKSu+qI6kJnOUY9PFNwTq4ljvTdbNLymjJiugL
yosU15kBDQRVlEpGAQgAmdVZaxAD6wKTiQ/VUd6EIuOocLXUuU4v9yRooArbbpLN
lgTyzlDRcNYFpvW5gZ/KXt7sfE72pbDWV2HVFfcf8zyTMygz+2tzDL9ldWTAEqYe
is4NYIH9yQToZGoc1oEkgBYwKoEQUnpq2A4IMggRaD4KSc/7W98raf63IrBOK2u9
tfg6CZDgKHRsv6d5AHSZTFrJR7vh9EIg33z/qzaebZ5lO7woV0q69yqUdzBsdFEc
20fUUIEv2PsWcfNKx+BzKmbddlfwSWVv6xua7KDFge6uDrg3ISWQWCwd8iz3jOUs
eeiaLYk5QOUJapWyKBqYJiOAbbQSTzkVuQMMB4QSmQARAQABtBdNYXJrIENveCA8
bWFya0Bhd2UuY29tPokBOgQTAQIAJAIbLwIeAQIXgAULCQgHAwUVCgkICwUWAwIB
AAUCVZUDDgIZAQAKCRA2zuTesAz+MyFiB/99TL4ML2eevVmxbtcN3f70VZtteoKv
wIcZ6hDw3sG8DVAjFlyiwtXtDG/mNOBxuW78o9dCceCI/ngbH4qHbCuiKUXpkh6L
Bw3VnS6eORHWJOk4xPwktHHl9YPf4DO4sraq8OeJyooSqcRO++eCMR1JQiUcG59q
oL93c9zibpanh8K7aoHe5P3bsACJED4kqis4sEa5oDA6JVu4LPccic2LTpOF9LDd
Zxn92Ii6MHdyia3E8tkJiFOXurOw2JNHZHbFBHZaARLES4GLAP28VEfuEZirPECI
w9tJ+jecmxMIYj0SdvMp/bOEdlH1ot/JGMhWEsAlZUG4OEj9V9UDkHP5tBlNYXJr
IENveCA8bWpjQGFwYWNoZS5vcmc+iQE3BBMBAgAhAhsvAh4BAheABQJVlQLqBQsJ
CAcDBRUKCQgLBRYDAgEAAAoJEDbO5N6wDP4zohwH/jOC5HbMlwaMbPHRVkDz5wdV
9qivHXuV1PxNKjCPEv9dEdOq8CcyQqTBfZoc2mUFLrulvZAUxpl3ki6afSL3yjl3
VlXD8VtFmaAmdBgtLQvQ/PvovW2xnc2alM2iY3e/MXdyRCEx1b6zHYUWJALtZXyQ
a20UE6g9oTePNzaValNnup24ymmPDHy8YWdeHuDTL8dh6ji6v58nwAQkZ3NlYJgp
bUBj4TJfk38fm0h1BRnKCMgOxYp69lwLmC7EbvbgauzYn0Elwl68t02njv0Yga+8
cHvo84nRQHnn7aVWBaJWwwYKMzMlXndJWsj52gPKXyO51X2Su4jAvGxM59m2VcG0
GU1hcmsgQ294IDxtamNAcmVkaGF0LmNvbT6JATcEEwECACECGy8CHgECF4AFAlWV
Au4FCwkIBwMFFQoJCAsFFgMCAQAACgkQNs7k3rAM/jODoQf7BTBbQ7v7nJ8CxSr4
P3Yqsr4jXgaY2O3M0ilodmeo0EgxhK384O1JZ4NV86YVzsGI//+6quGcYGt4fcsk
Rf/9cE4LhhnbP6N2Z4XyyyXVlwJNR6oDyH1zqpZTCtQNmou8hxm1MvmpM67ue2sm
LVg/p1g+h1NWbfjoo4L0UyRUlDlELun6Y737pg6usNK2IOcv6G9gv+QVi3DVGpmU
2+z2SK6Rxh/5Dk5sDoT4oM0e5DL7KTt5Po+dWrUyo+nUtm/3L3ugNHl48vA/Fvy2
HBH4zxs+Y5kCyiotePiTww49l5QQDYPdFylab8Jd44wpwiJEV93cqxVuzIABFM3R
eFqU5bQbTWFyayBDb3ggPG1hcmtAb3BlbnNzbC5vcmc+iQE3BBMBAgAhAhsvAh4B
AheABQJVlQLuBQsJCAcDBRUKCQgLBRYDAgEAAAoJEDbO5N6wDP4zu7UH/0Y42wgW
GcVzDJu9zFlMX/XPMXJYbSENOsSyq+LUhGKLK7xPjXAl4eWVrUWsGFQTO+syA4fi
pMw1XbTPpXDaNxacfjSwayeTV25H3KmgnQgKQXH3Kkfze9Zxe10vG+knssaOkf5E
YEVtthbBL/k6qKC2zIrixzfS5MOpSK3sAepn1mNBFjtPSikaNwHtxcBXdIbikhuT
pImu/PfGlOaeYwgUm7Sx9BmfGnZLvTz8MGDtqziXld0NxO0lXTh5Y2+Ojv0yWisU
oXA44blslYYWC8aRR3FCWCxMmKfkDb9ztM5KQbQXS/nyYra6/Nsh/Acvgg4GBPOI
enT+uE82YZfpPWG5AQ0EVZT51AEIAO91fZyiPkiioZURT8zZfUtpQxLJOHnovp0h
1yo1xfX7okpq2nM1hytWu3ICZ0CpZw2kv+bmbRdD11xbobFnl/QWb42KThqDL7T/
+chZz/uMzrHNFgzRCRiTJlkTcI+Q4jK71eyVzMWoiv0xnLRNf46x66AxieXYTkn0
e7KPC2sUppfIbpRA2BshXuJqCzjaHH/z4+QI7JTAoROayyApVcGgO7njWKVAk+JO
d3iThS+wjnzU0sBIg12yT6q4w/M6MSMOBsqcwOMtx/iXmEHCWCuYzubhOL6Bv3k1
1pkkBgArD+wZGA5JuFYfTSAnKsCWbDxVmJzGTkqwY9DgIAOpQgUAEQEAAYkCPgQY
AQIACQUCVZT51AIbAgEpCRA2zuTesAz+M8BdIAQZAQIABgUCVZT51AAKCRABClBA
fEyMvSc6B/9tpCI1LeZx9TxpYo8PLw1QcZdwpxQU9hanlg55ZeyL2j104cz/7fzE
qHd4zNlzS5J1fs2xiuDl3pLP+tPz3uOBxiergyAOcprXMCZOjAksvUpwuX/Ek8NI
HjUAk6iCbFB0awUrrXMQq7WY+yYfCP7dUxVkXP6dHOQGs2B94TMUYkJs7/QVYYE0
qGb4XkgwENH07Wywt/oejBn9UXFo80pv7Rz6jdELoPF60hMT14ZuDu7f9Jxn2of9
4QJGNlA3OuueQR4W25iaJQe4P4alr3PCTmyuoaFI5K0yHByB489JO4eSPLOer4pf
tNESsDyBwc8A4Fx8ro88xLuufYnoPwrTAkcH/3d/MGABEEmqDwRDXzH/cLh0h9/O
inNEgilOCc+zK+6+7bi7x/jUw+aAIN+bmO/6+EEnl1GQuUj7F2ZxXU9tPRvbYF0u
Coyd+ZMayHbuMc8etThWqvMNlbNeZegLHbNO7NsoDxPmDb/rPlc7tvKdxUVGKfZS
WT78tQAb4JeJUR4G1Rm+3jlkCNoiaFCV02C9HGXu3Amqkz33FJKjCnEv61tmwYZv
kLc9bYQzqXt8rvb3nlZbvbFYlf3oNU7YFV43a4W0y07NtxiXzPhC+E4FIAdiaBbJ
mv9EEXzrMRyXuZFOUZx9wGAC77dHcJ8cw7+MUxpJ5ja8aoFS7ly7sk442gK5AQ0E
VZT5+AEIALH40GSCbgSuXVHjhUYYLeo0TNBevlZD7Po1OEyhi2eEhrWYg/3cAwr0
/neLXXD6xiAlOXcN01H+OjY4ZAmKzm290LCRBuo9WPsRvHIECAY9XZBeL+tu69bi
SXv07vhvqmMG8yZ6Hi8Q5wUHJvISo6MC6fbq2RUVnkscgqp4jlBVjRNo97Ngi+WE
co+znvu7pio7uXYGPT9UorIPX7cQ2kpbiYM4UU4i/ezbAELc8Ttq4IXzz5zi/Rea
/r7HR7aSpapzVB56Wwg87F3c4zcwK9bdxxgdpRfHnBJ84mrBZlSGwKN6a1ksN/zk
s6R6eNVhO9UbozzVqgl1Riz/aXlv2tsAEQEAAYkBHwQYAQIACQUCVZT5+AIbDAAK
CRA2zuTesAz+M2u5B/997Q3sXvQo3J2ZB/gSXYVIjh76pzabO9NIlhW2fX3Z41Vs
gZKX6tpTGlqUn9Q14EkntzpGBtX/3PtoycH+Ta0E+IfpoINwSy/7SQfWmPhYxjMn
u3LH0ho1mkGMuxXf/dMoapovKY3d//ud6KcPruq+W+8ZXD8CT4zay6z/5JIgFAP1
viRNtyVmFh6NfZTIsKGyS+jaHniAR9N3cRa1Y7gutwT6cNV1zpTOAOBx0L75xLxG
y6WuyBLaaZIhk0f3ONryFQslIsVGGs/d2QJm2xxywvaq4JrSor+TPJxXu3JrumME
E9U0zENea7N8dQxWQBmXnChX88eRPHOIAdXEWrOj
=YY/2
mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay
hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3
iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi
2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa
N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz
UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0IE1hdHQgQ2Fzd2VsbCA8
ZnJvZG9AYmFnZ2lucy5vcmc+iQFPBBMBAgAiBQJRgC7CAhsDBgsJCAcDAgYVCAIJ
CgsEFgIDAQIeAQIXgAAhCRDZxNJtDmBEkRYhBIZXq7Jg8Fax5RkIOdnE0m0OYESR
Y/4H/RKxZJ4saj6+Khvz3flSKt6LgW+fMY5RXXD92AMtLNq+bKxXFvir2mynW+PU
oS2bXy/Nk7v0B4BEbBZNBgaYWas1FZnYOBuMbIngtLmQsGpD0VoXu9QW2aXpHTjL
H5FOBBODrTVewCN5Ty5JquZ5mAZUwAiex0ytRzviUl5YpKei+vggU52CJT96e/X2
0rfnlux9O9vSSwTlDvCeehFd0vI163QBZ/h52dYMSdFvpwhUMXbxRGPEfrIh+oBV
7tWe4MHhJ+5yThHiBgVL/EZ9OChw9QNnitTPzCV4YvAMiJTsamKWa1lOXUVM+QVr
+aptwmB1VMmotk7m8hImRm+oTlS0H01hdHQgQ2Fzd2VsbCA8bWF0dEBvcGVuc3Ns
Lm9yZz6JAU8EEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA
ACEJENnE0m0OYESRFiEEhlersmDwVrHlGQg52cTSbQ5gRJGgPQf/WUQld+vrqt2+
yTI6LTNTQBG9RceNuaZiRnsROR1eHtVr9OOfzVPenCavcXghwsY0sPPgSDrvFur9
PyuuwQ87HmdX+ZGdRP3tSaxC4udHbAsZtEG7bgUozuhfcpC+Ah0lZ3EccmyOkYJW
ITWYgUBEDOU37qne09udDMA2NHLuL89hT+eIZ2pVwyFydkJfkXtgfrDq3RmZgfeb
VB5ESdap/G7t7Iewi95syApMj9swbxnsqUtmFr0fCsVdAA8hJPqx9zVuUon0g1QM
z2IroNH+6WTDt7SGYcuqNapizk/PJd6g2ew9cm3r3CIANiqPgo0Mh02nVGgX2p9v
WcT4MzquBrkBDQRRgC7CAQgAz2dQkASmxUFjAr3Y8/0yWjX961enomAEjryw4InF
PDMGttPMiV69VBepb3N04MPo5spyAY24b4bo3Cfng/oxxGl3Z3Giv1gD7JojTJPo
JWeHGxePBz++5Di0EAvq1+4wBdFUh4RWTbZwqTgckHrwiZcIJF3JGL0cgTmJOtke
wcLiyMCyKuGVzSjyFTeCqQqHYSHBrr5TyXM3HTqGgURnEhVG16jPWPMIciYXsRfO
0RwMhqY7y5yRUoC4psmAUaRTduS82BaVzw+DHi1FQ0kYLUsTidippITB57VKkD9V
7CIM5uP3s+jMJMXNEJQEKdK9oCVOekD3ROc4Mftqv4vloQARAQABiQE2BBgBAgAJ
BQJRgC7CAhsMACEJENnE0m0OYESRFiEEhlersmDwVrHlGQg52cTSbQ5gRJELNgf/
elwfYchaV/24buNWDa+50gOuXQ4vXfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMh
TupjrXV1oDXYAxexymWLxwa+qcrbSwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw
0kBJEiAiyPv4SMLhFzm+me4Dq1+xdbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpg
oIN/4p28G/IN9fdWG5Ni315p3WhLHRMzC609IOsCIJsm8+lHVblT30jxpctFVlQB
tbDTzgqQLiaTVevlca3VYgMd70D28d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780H
KIpFp6UWP5aDxpEoOEwe2pkCDQRg8UwlARAAotCdQIMF8Y6wFfxmpuaOGmUlXDxQ
XDtG31jC+Zk/GVHN8TtXK+eQ7HG5F29uzivxUna6tWD+/qQrUmTrLTT2P+5OFczU
taPFaDMyWdywIlyOVgfyxxfF0ssxrhRHKP1U9YY072/BFtipXAQkemNts+Vpta1S
6ru0PG/339fjP5GljOgRYlCqnwWXaibgwzRURqha9CYwqJdA9b9b6JZZutdjgESq
c7lEjhEXXNdbrYnZBooWoKSQ8j+Wvqh2eBjc2ZGfgQXbrmQzFHRCoCtvD4tD9DZt
e10c19Tn9bl6IzL66KL+yvwZG6b/rr2aIkhAHg/hv/k8pPVS4Zso4vT/tJcGMh29
wAoEt8BJc+wmcBYAd5IybzF/dzpQgDK7hYbf/uoULtM8dSj8cfueY/8O6Elcx/GZ
mDQ+ZDOM5RlZycSZOmgbvJWjgEWcOxBDc93PoXYKPgvpF6LLTbG4rkE0J5RRWiDO
1MtNvcFp5QikhJshJVvWQR5z4XIoYvFm36EXU3HXzK2sQhCFNRv6FcWCn81dpKGU
0pMD6aiWHJMox7O2Xs+QN81ZQFzxRFSxAhK9NhEqVsRWm5PIrQM9KDGUp+bW95QR
7NVxag7yWqjBNbp2rI49OmFLg4Ch8QlmS8aP3HyUa1cZUXLA4Gd7OD48SpAJs1F7
ecm+ytxFVg0K4tMAEQEAAbQbVG9tw6HFoSBNcsOheiA8dG1AdDhtLmluZm8+iQJU
BBMBCAA+FiEEoh+rdLAIiqNhFSWGuO8aa6naLVwFAmDxTJECGwMFCRLMAwAFCwkI
BwIGFQoJCAsCBBYCAwECHgECF4AACgkQuO8aa6naLVxBqA//QskRTPLc3HULEAXk
HsChkxnSbz8fbGgyzuhFclPZRMvLyyjB55gJPvZslQX9FB8Qo1WW5b1xC+lP3giD
VvEwbvWR+egDJD0IL32ZBCq6QaD9sn5APf9q3woXnO45BVMAK1igAfIciz4gAV3Z
t70WTIYgQLBU7/a3a6/PVpwL3HfTlz8axDO5jZJAg1JUZH0cHcUns0rZif9fGzOZ
a5UeA4/TGFDonmCArLv54dbvQvkAzhq7qP8ZLuwfO6lUpyjODMtvP0bUnho0wTcN
0DxJrpgKyDTVAzWW3t3viJtt5ercj+55rS26NMD3EQfauCtRpZnnKs0oC7HX/GAj
mSmsfQy2gNn1lSQsqdtlI5Aph5FYHl5gcp3VlXX2MiTuCxiYTOwX5lhmv8iESkSm
RpSWr0WPlAJH6pFwm84RQyDMkU1N86iXyXF61Q7JbwdZjGwRiEe4Ji9h0k6DbzeR
NsYhGph20jr9M3tFcOQNTPEu9Yvoy1Enpxk4Iy3budviu0hi7coRv5AOTabzMgiw
TmGfuBz4GyMCi5XJuUkSes+LCi0mZlOxyzKevY13xkKo2GyaFBB7ArCznlTBojlW
aqGVkFnDB8vVbzgNBVceNca6XQy37fWnfnDP6GomFxFoamEZwTOXiB9AdxzpP5Ji
2enKzRPl+cRtaoaGYALqzDK4jxW0H1RvbcOhxaEgTXLDoXogPHRvbWFzQGFybGV0
by5jej6JAlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMagIbAwUJ
EswDAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXHrLD/4xu3Rb
/2BCJ+6eO8APqvuNyqK45PCy6XW/mIVRKV4Cyt8lDTnIIbPnvlMUpUuIw1fU4aSo
ARIEwp+lfLxFnuXY7y1XDlDRv8Md95LGSgzq2bdqhs8/VQXdrq9dNB4wN4mxgpTI
3ITEAnLZQBwQiP41e4PUrxSB6/6hAg56+dJYeJDXgWR/+oGBJwdVKpHPu8v9IKKZ
N5BHMTtNKio/XfED2rbKFhTgVujk9JXV+ZtfRC/seCrtv2sgcJqG7EMo93A1fHCT
fUMScQdQKiwClyt16REPEFBEaK+mdoELvWwkaEApd17vpX6odoJn6F6FomRYp6Ac
xBE7SCxFHTWtjLCYXjblck3/lv7638gClZew4D5Pp9+tH68ZkfJ+6ZEqQ6tdrPSe
Hopl+2lJW4Q19l4jKP5BktqKNrpQdPN6CatPVIniNmnMESJ+nxQDl8eAq/SEQJyr
bxsU9185AyfFpAv/kBO8FpI7Q/feJA9iX9RgqhSFj8fifPFV6eVG6GzhDWARlr3O
T5IueNWhSpF3uZryvZ9hZk93zngZ8oU9uye/VGEpDoPWZNKO5XCyr4F906jsEa8D
DhqsgSKx5C6ayG3l+SjgSMr7aL8k7qt6YhejnHzmLmSTnFeC551ujpPbIImtVoKj
cifhUnUperS2m83DOrGdSPLZlweAXKBxQfTdALQhVG9tw6HFoSBNcsOheiA8dG9t
YXNAb3BlbnNzbC5vcmc+iQJUBBMBCAA+FiEEoh+rdLAIiqNhFSWGuO8aa6naLVwF
AmDxTCUCGwMFCRLMAwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQuO8aa6na
LVyVHw//ahSVEV68q/P1ISiSAGEGsHN64EgnjGkoutH4D4bXgX/VTwOcPODii7Z2
RXD3KbxqWh7kcY/pnITkqNh5GM+3rHk7Fm34Lg4gTX9bANCFuv1nyI6nxpYsP4pC
5/5gPBoC84DzxIhG2R/oGfidbbcb9eRPHVlUmCCyXJ+1S1/BIGHPd7moj23HOsBt
6gc+VA+xVuqYOgIxIc+o+MkAav3QFFC/Z3668fKeuePGrJQEeQO3tZFj0jJK1w+h
AnZSfC0Xmj44lq7ywrX9THJgECZF1/Tyx7T7ZF830/exnXBFrTxd6qbvZPICt0Av
3T6AAiLA1FNfprmqpUQdwKMy1RW0idpANAapx74Qfu3CAf2ZAGrIiNYyfVz8CSZ8
2RpURRiZ1IOjEV//xSL5clYvoRbdQ0NrVjKOqXrtbDQwzjWCi+/zYRXnSYSEaGFI
kLXBLlqrU4zlJ+xK5GgtsqvIc1oGAntmn8tbFL8g7VI7pXVUzc1dYnODDwvkGeWR
MNrh3z9qBC5Sts1JS2SKbQcL4M6sOanMY9JwR6Gg00ciV61w1n/w7Mkug39bfFIn
aHOlt8zRISm2m702+ILVo4Yf0HsyTbckUoOEmdmcfhMYAJ4BXYSlJNNV8rS3BKmB
4zozumR6T9P/hO0/Mme7CMOQJwQv5pE26qeTbG5P7KaDdFpez2W5Ag0EYPFMqAEQ
AKYlkax43RLvRadsneyvd1abbbAFhnmaOmnQO5Cq3QfgxcMkHUECBhdTKMcym963
DtrMaFP0p2P06cXVW0jtu9TC1HKqBHORfrsbl7KeE8ebOol2PcU8EHgYvKQFEEi5
VnP8qGpBeLGoRvuftDVA6XYwhHr0cNpx1WzG8swAoAdFURK4aWOoDgSuy5B8FwBF
4daTfN+j9bNwyyyJ46DOdCBkCSyd/P3QXln/Zaiaw4n95WfQa+4dsR1YWo/tPIli
hV2/jA5FupVzrk/gPKcxym89U1YaKYnfTTnMPMLNNFZ6vUdP3YZPhU/NVyQuhpqA
Ytho4yqSzTM3wROiJCY4Z4DGPVs+bEn14cndMe2RnUt8PUoiF16McN+cKAtf1Huk
FWrJv5XQjUjR+t8vBuW+8DQPOP34VWvf07oPM8s0Y/aeRnu29cjG7VcvUXrfHtcQ
d8jiR/K48Jndd6HDQaxWIQ+G9fj9A0nK+E27q0d0uIMM2sAdo7iE6BC0BrHkfJ0I
PJOhZOb2fDGmLJTFNs2ux2t+/QvPgPYdAtpqG6rcOxqvDcwx9h+AYKctAnvAclp0
RxCK2XCuL2Q08wX1vpWCQRxZTXNJoXldooer45s/eNHGpMy7xheuVAOvbbEvEP97
Fh9kCxU8sHXBFGTYGUVp3JwGiziP58NcnXoMPBfrNQCxABEBAAGJBHIEGAEIACYW
IQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMqAIbAgUJC0c1AAJACRC47xprqdot
XMF0IAQZAQgAHRYhBNxwMmYq+IXi9H8kP1J0ZqIcp55tBQJg8UyoAAoJEFJ0ZqIc
p55t7/kP/jaWELjvtGue/qLcL7jd8aDLDpoop4J3eruX3n4vKgox4GCcZ2UIYoZO
DDsomOOgsSSJhSiOjNdx+UpbLmhjG5de3+VfHRO61Aw/Q/bQ+PoVXudOFLAHamih
xYRPMcliduIrfS5iF2N+fHEO4JvxMwP8AihHs9WfyFJceoaxugZwLhOhWIS00LeV
nAhmwNeyO9jNR+dK1/H2tPKjoOK88jRDnrM9WriN6bdVTsv1SaO1fqDtss+DTRga
owjdZjDpgZdbwZXWc+KGSb6qAhYMeAY+IfCx4pcoNjlmVeF4e31Bh9v0SHXwGIQk
8+PeTdbHQx3sPUHNzz9L1cs8KAiWNpqAomdeitKNtea4GACXGNiggorYY8PpLR2f
xNdPHJiSRNGVxvbBVXRegBxBKH2mEYFxL8BTsBAZ8rQKtpdXj5pU3unruf4UjGJW
p/d2KbBdraJfo8OxfmrKYCtiT1qgeBbLqcZ77wL8xga00xnwi+M+yvP+kJmKyQQc
sdFv5ZBbHmxHzs9EmP0b7GhkNyxJkJG5/gs9nNj8JiLmCYrLpxzQtax+pRdWtfQ9
paXvNhId07FxLII7ctvrIbh7Cgl/7J0mvs8kqjG7BOqP/AKrrk+7ZHRzta2H6933
7yHl/B1Y+jSptXspOrsghHG9PI6gVjhvLc6TbejyL4sq0Eayvp3Ei48P/Rk+C4WS
p3yzOaVQBVdI1an9vZVYZERw3ojZnaa6qb1t+XAEuyx9sL9sRo+PsBmiZpLK7oiY
9irTQFmvu1L3eMb57ay9xfZBuagtOIk8fZ54OKpYmQCNcBsU/3wCkteuS+bHU10b
3MsKJLIcbbD4Al3B/ydr/yQugRp+OKPKqPwixiGkwZOlfDX2OGKjRcjGjEQEEkPT
5NCl0MbMHcQEmmM002/d4JrqDu16yLu2ntZaaXi9xweYUNP8xdXFcwqy1337BGTV
Vv9f/VWponEzlj/HVf8pTfOnezb3yZPC+zvmCLBCmIShA3wlyGaxe2J7vUglokfC
wKsWaQcdv+paJpkCe0ZSqxwZFlBsgvFh2K/7MTkctLsUnrxhXHytrBTJ6SyYQugv
N9DtOQekhU1k6w/XPzQtkgw1kAq9U7ndxmet+AaME5UEYCaRiXNrOMDjGgEZ4Vba
/xmUIXwszoXGhwFTAV9BRHHvi5LYoRJ8xCSYHP280x/rd3yFvG0uHOuWJcAszAid
aGMgC5Q9QZWesIRUlVGa6LmFbvHYieAJX/foXGDlPxp28ot2xW0RoQVc/JQd03BH
j9NvoEkhQ+4g4tlrd4ZJmGGk+5N2BjNpLF3UNuUhjNWluHa8WqgI+bGePDl0zDU/
Yq2t0y/6P16ehkYVRPIjpSSmxqKgvsHIR5jiuQINBGDxTCUBEADfyegcqR2Ls6sF
Qx/IawkCdLPSNXxXYrutLmni00D3gdiVcFeLfVmbDOplTBFGSRiKG5NmORRcy7B7
Wz5UrOzF7S4ZS2tOYojF6qGbEuxGCPhgzTujj9Y/IfTp9iJORJyv9HVhkIJUmP68
sPuUoXQIx0neIQkbwcX1+xSRja7yJCKfAMZU7zQUMrkeK5bjp30tS1xQ5Wk1sUQG
QSXQfxsgGwqippH25F2WzGRQPdxNrJKyyeugj4GivN6/g1IuvhMrzik5GcNDlOkt
JO8U+GdX9AG0vzjeRvMIy78Srvk5ndixyzFEzIkkO/ytIsOPqZrNfjDgVhQ1/Gkv
6aEXtDUu+/USJPh8uDhu/ovUaX+MFPmdkB21GK7p+oe/kckr/hNu0FgoDbgHZthf
HCLMUNwdJgGqan9hAiJDWz37Q5b/4g6swMQKGzSc5bCkK3EZhDyDqjcYt0z/h/OX
pMB03cMHT2+bvKYHoaQ7pnIsh32GewN3jZekbm0DCFkIEM8VG63lCZCox8C6KpEx
w2nyXiiO/tpyCOK96XkHxDdI2eR0lx0x7uOdtBVARzbrb7h6gstJ0K4b6FxHw+MK
GJNuzjsEih7tWXRBWuoiR3gFtH+qUjjJBDA0bRVr9P4VaTQ24QPowLMMw+Pl2A5P
sWXQzjbmvYpzvd9DBiNgbC0NZKLRUwARAQABiQI8BBgBCAAmFiEEoh+rdLAIiqNh
FSWGuO8aa6naLVwFAmDxTCUCGwwFCRLMAwAACgkQuO8aa6naLVwVNg/+Lxf+Ra5D
8+/I0pe2De+4HP7E6QRjIUMYWcSqX/vMRP6IoPfxfdATCmhQH5QoYhDD3Pg49Faw
hsD9sTE1TuCe5cO20690QbhE7lavEt14LZk5V8KEUC/dV7aBowI4X4KV24vwxMme
vt+EMDGK+O+K7CojLAXDEp1kw7qkapBWAGheC0Ww+kZFnJPgu5OKbPyiH5RCokhL
r6Y5NU6Ym8KErfsyHmSOrrEi1mxnAA6p1x3tBgpVKnDGGyIC81cl0EM1L368AM4v
F731vvEIT/geaGU+svGAQzR0A3CEwuDmGlR2J2VkvrT7T0GSuHbgJWUXf5QcSj2z
Vnnubnz4eQCxQCDaQVj9ApxylY/z93wXAq89mWGh+YkJqoUmyd5chSiaEEIK3J1m
5zliPdQ3YZrxNhiMp9SSRBU9mEKkR+dnQ1+YDpeTnME+z8VdY3NN24WbDgspQaKt
WHfYg91NG4IqiO9XRma12amkM7ooAkcZb/Jxfe0lBiwwrr6guXo5nnEAWJiwq4CI
kXCPhV0lZ2YVGJHgW4PbFwpWvJgoMRdUYR9kvc/W5ayxH9q/pf/D9PiFppmk7wm2
e5CK1LGxr+xTQrm1QN1F3Mz6w0e4UAv8TQF9UVzBjZj67vcFbYJ5+9lJ3qA/3S2G
OuVP2RSzXkAJ6vXN1SSkNkyHY7xmyf5OKseZAg0EYCmvuwEQAKjJzMcw2BaJWDiM
yO12RvmPtywo90XHwHsUk0wWsv9n8jUGPAxNDt/Eq8M3rPeaMAwqFT7AIv29RJIx
S3LN79+jHT2fziNgPA3effujOSuFwMHTWJqIoIJ5E0RbqZ5Ozf9ok8YLOcg6T+Qw
eWdmdA9xKmEh7Gj9lTIHn2HqybPYu+hNmDRp5l4nB7Rx9pWdZgDVr3Cv5AkNDBGQ
Sp3LvvZwzTc+Gz+xFZ3j6cGo/VfFaVffRiNUaMOxjeAf0ADLihSdvu06aTlL0Ugq
4x2SRZ5TQBubz/fo59nIwVtkMAxs7yLe6fh4hA6Dm2PKdJdh6XeeUn9/ChId58+B
q8KQF2SeTzjYsz3Gvba34gqbL325bsUOq+PBs+gyDrPYlquXQWq7caEiMKYox7pM
F+RjAHh+nkq3NHCtKMOjXq+Qygzr2ZeoDvB/UlX4Eq8TpBN4823yLHiJvlzqY86s
WdgbVfe2Q05zj+ropwZu9LXExrHXarb/NJk+agm/NZOtIXyVANkqMydeeGtkxjyH
uW79ATgNDUz1TU8V1/q/Aus1ocd+L+tYpN5+ysanZMipTiWbjmnR8OuhioMwv6Cn
xExRkFTwzjAbCGW50SIKg4WNe7YQK++CsHskeuH4W0y65E/HirZ5E7vk16kN9mqa
njw8iqS3ZvdWOKw1x4HvS5iJRDZ5ABEBAAG0HVBhdWwgRGFsZSA8cGF1bGlAb3Bl
bnNzbC5vcmc+iQJOBBMBCgA4FiEEt8HBQ2DzU6NoYuTVIxyEzdzGnEUFAmApr7sC
GwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQIxyEzdzGnEVrRhAAgCec16Tf
5Rdkv+7hHqGz+UmikL2n8wVsKcvRvXNmdvMptu9rXQ8Dc8S/6zOHKUMp4MhsMoXX
ISMjgFM0ItLywsoRlZItMxbUxmGbFablN0V5uGiPpOON/GZ7gRPKTf6/eELdiWbS
OKoccSu61EA8hbVUMVBXEpk9qy/XKPdg2IFKS1NIfUyNlm2UNiOn3PdVNzO+s7cE
EklLFDkJjvj2kTC2PB0tOo5W2gkvy2Fncn2NKdIOyAVWn+k81XHFX3xh3z0mozfg
y864PeNhI4S0xQImAwVc1n9zb4Glatf6yw+qtj28Guruj3Ur45AdtvhnWmMr93MO
rXzcTfa5M5htyjuBr8moTtz33vNjR+BCwjOF0S94LigzJ3PAdD1bMdRhHsC1OAX2
QqxMfLwfrJ7e5okwgxIR0C8jibEb+T/Mb9Aqsi3WdQmH8zu67YhP18z4ChH7ZVXW
7W+KbGkKk5elMHiZMhHlh+JpF9ecebnmKr+h3FWP/JWoVRy6PL5gL1ICgpEYlFBX
Qpm6vXEA4myDBQnWJclnDKmjCQjn2OnCXapYJ9khLVmukh5uJWThkFocN7W/Xvy4
s7chqxlHscu9wPsRJfxTzyeDwnWdcer5RzviPkNzoIxN3lZhOQW+GM7fcmIedwrw
Itg4Wyd0gZe2z84SGnTw3kkQscJ5K67hQhu5Ag0EYCmvuwEQAM1DrDqNA2rFbEcO
MnNxdyVAkU8HaqVP/l4xrtB45iInkOZjZVA/QyW2SatzxP8j019EWloHtn7zMTmW
aNKLc3l9haOGhmn2g/RZh9It5/gqkPsp8QRNoGiGfxzDQq36eYQ33TjD2SksT5YC
8PSpEqeKVwJRYTkSzvX1bx0yH/xwHoWIIjnybIi9XrfINXUOI3IRwo15qwgUXyfc
UJ3SBY9ddL0V7ua5CkgngtvanfKWpxj1RpTyf4tABvUsvWQLjrwxTQsGGGQKdnYF
pxacm7smvNDU2KGT4lHJe3RABFyCwhO3z7etB1kNvqjqNOLEKU1c4nYsZkwAjY2t
Cml+fe4GfLTq97J172XeuLC05jCoR8RO3o413LSA53jN6U86d8y3PAN48LSbRvmJ
s2wwZVga7lua7hcVmuTyK9wCISDhMkdxi1SZ443K6GZoJtwbyKfQZm9SBv9gtwGk
sGEUVRR3UAsF+LpxeW8WVJTQcdCg1EgDIW0LUNBoA5ZD2/bUpIXrMUb1CDfIcrL7
EGNeN+nQhk6o3mOuZfFt+X/4tapQcPni2ZKIetR/UKJbqej7hYEj1/r/5AJUsUGh
K2U2ChG385whearVxMnalNI+XdLT4ehsIRqWUQYQNeqwbGZXaQ2bGxSSz+ScQYUS
Wn9e0yuHKSJwh1Bie0xpF5uWOumLABEBAAGJAjYEGAEKACAWIQS3wcFDYPNTo2hi
5NUjHITN3MacRQUCYCmvuwIbDAAKCRAjHITN3MacRbZ7D/4jMZVeAHfg14edotUN
O2JReCs2g5XjEVNL6S9lesYLmL6YyFp709yC8DKOywnt1U/ZEkFI2R93GtF3YPgc
Vx/d2f+frjoc2JOKeKt++hR/hUgDWN0On2qLGL/+07t+w/Kffl3rvY4D0ALdxwGC
OLpX1cDnxESicX5qnZsTQkElhMlmsRP1afIE8SN592k5FIdpeqKZ8c3n1BXmBcQV
ngKLWMK32fpYRvSij6RBORRvzPsX0/7uiOND7gquC2Vdv2KPELAx8ZE80iee6arI
onQ+FNXCEzUk12LnefBVj3w4YRldaIo8VDqUAbIstfBo5LO0oZJ2wU8r+2nJWKHC
ioeMkJTlK389WWm9EqFu2rbgV8O7tjIM7ZAOnb8X5Ah1WdQU7YjXF5vaT79PH7ed
8pg26L4AVq505uWthDM+uWzAnMKaYH85OS3C46qvae9CvYlTCZJpG90IB7wQj8cB
r+6OUDztPr0vhProrAFa4GQhhlDEW0KIL4GaSw8Jh71MFNmbb7zGTpSJIwq6vARJ
OQOP+5Qaa0YeLdxIk9JDnHjUI5IRz7/JnSR5BNKeeRWsHvVwyvbJV71ZaJSpSgdu
TCKLL1gAeSnvqMdtNGwKOzw7ai2KgBbTphvuvWJanq3CH+CIHOxUmd14/lKz/zlN
B+uXzHzImO/U5CIhGtNPPoZ1TZkCDQRQAG6uARAAs2kXLX9f3Wn7Nk0LTqzHm85M
uExsNQa1hVp/8XXPRy5utfmPXBpBBari8Lww3bP3ErfielPur6j6VlbdKapr6O21
xecOtkBgPPHOUf9qMAen8OeK8Rr3SZ3kbR27Kj7gbVvv/BIgI6Qr0ocOf2Af1U/8
2wYLsB+CUczWN8ka6RSdHMEQ+5aNcJ7QAjBTxuXjLvH5VP8l4T+h6fdqZzbpAY8Y
Gsrr4r2KQpd5ZiaxNkASL2iBEtlvVwavDGncfyZTe075xoQM9hp9WeIfGPxD7bsu
zl1e5rUH1tAcj3b+BZlzvnXyr4cq0yYPikJaZ6MiFXEuoDgC1Di2JTyARJsGUw6c
eQOWUbH1M8arsL7L7w1QwYpLkAJdutYTuT+V8cuWWi6PH4vsTAPI/B31VYLIBTwL
wMvIjP6TbdwRVLpVcY2Qca6vaXeT13cS8baqQBGfl588OUIIyXtzDFl/OXhNp0Ey
8nr8xEShVoujPXQaQhDN+LihefWVEP4uhkjpKMaaJDVVpzp6YjoKegABDrQvBvfm
fqY0JTwn/S1OV5m/9Ssfw0ZJi7rOJx2ParWoldV1EgD9VmUq11JVUDDsIiYL3sFi
ahYr8vNpTO5+FpJNcH4yPG0fK0ACgYh4sFQ56V4K/Www1rtzkmewlOW4swKBoCJY
sIF3IoGaqz1ATZI2NgsAEQEAAbQcS3VydCBSb2Vja3ggPGt1cnRAcm9lY2t4LmJl
PokCNwQTAQoAIQUCUABurgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRAg
ZMU2QcJeXcwkD/oDkqfF8+t4xGRprFDxJbn5+jiwES/aSmZwq7s3XDjlrIq9cUWY
Wbp7KydKgjGqkGVMSuLV5bjKure6nbCMpaSOu1qBN/aG3P//3kIZ0U+09aR8EdRI
YOVJuo+P45xrXoLS80roJArRScWkPGg6mk9xW2OueMVsLSldh1zKDAb/UzFoZLPp
ekK8zn27NV0kXqFMVxjYRgKfcoNj0U7Z6q2eji1HoIwl91Edt6TmjbmwMOzehLj5
6kvFP1h12ppim3+yz5rrxXo8Z1unq1GpxXY/v0CiBNZABHX1qa089sJkilErLpx5
G4RC8VQF+KH0T4k6P7EP/4SDu8WDlzNoXtPVWYd3ptiqU4UgegKV/AsignUeH4U2
oMdyi1fu6WylxGBJj6iUXItu2Vo1ycwCA+B8sc/OIiy6b4G67L0VgsilpObAfM+Y
rLGsL+BLye5IYeleRH6f+FJyDOMhxzcmpQ3e77VMeWPEqqdrGNyOQqDWdQiDPKXp
twknSrOymFfhYqowhdpA8CqRCgnsB7xjRDQkW2gxbNeOt1D/ftdK4ZnhA+buuXi7
VV6ISEwyw65C6CVjr8YRbDJguHQlKThVqASK5zse5yG+bN7HHFxkqCYrbFwDRubQ
TAA3ts9jKvshy/X6RvYXoJhRXJm5fuxkyeln6kJHO0qKjdWY3OKn1NKErbgzBFWr
m+UWCSsGAQQB2kcPAQEHQB6fWGzwF5Edk7HZzxS5oUH/QtpmNFzt+0z0tSBDJnk+
iQJ/BBgBCgAJBQJVq5vlAhsCAGoJECBkxTZBwl5dXyAEGRYKAAYFAlWrm+UACgkQ
CG6lBdyi0/PzMQD/SEnr9Af0jEL9FGSQK6hA76Rpb8SEOxIo7z0g3s/35UEBAN3M
P0VRiLQthWSJV/lgILmN5MAodnwnzqZvkxp38gkIACEQAIcMK8F0dxmn9S+xNLbW
mKtX51FIafEjvOkV7yS185uneQsI6kfXk4p3d+hfdl78XPofgms0pAEdGi7zlMWB
HBYpjteuGx2lTeATx9eMcamMq+tAx4upL/eauWv/McPVRTHPbUml4CcT0VBzTBTO
jI5YBVvuUluAbgKvnOcJy2NlQ2LjGzO8KgduccOIiklsuLGJJvBvzXpbQY4Q1I4Y
RKUiJ6E6p5IGTMj1pyx915yNO+kkPupzHkfUBx62Z/t9mXBji7HyvanMaBWtYFUM
b0+qYrf45vRuOUvpBkp/hm9IdT8MmdNG/wMuQC7FgMdE57l9DBE+QBVe/m354J8J
8ygGLOUnDLkgjM8Z9WlcX6vjoJh3QjuLQ9hVLjktlgprSdx9G7tSDG2Ln6fQP9F2
PWa2IFrVwSZaewfS2IySdBzhMHR+PgorLNc2siOngRiA7/xsF+gZu5OfpZ2lNs2+
cWyMmnp/sQkyZgtLFUHW/whNJHqPS5QtPEth2x4hJAm89VcVc5U6cYZHu3K6WKbS
pyrGf6Xt+aXUCuQWR22/lgayPu6RyNl6Ws79qC4btr4ULHZ7ak6gWyOgjw/O6ZDE
pPz2Fz/ljIRvWarHOYwQ1iK4H61PPwn8ec1Nw5c98I7B/ngjqyznP1A95xZzgsC2
4K3QtyGYd285wQjpbsp5YGisuQINBFAAbq4BEADwWxezMu9t9odD5LT+tWM8gicf
GTQ2AEXuboBl53X8TgRTeDsZ48e2SCsphZkOhsPKKyWkTsb4doIMc1ZJt09OQRyb
jQUKUxUd2HtxxWreYDyOgq94ef1PZT+SzakX/UV9A0fw+7JHvtE6dA3qSIv2jyG9
nkuLY+AD1BtZEEXVn4YPRAT7vY4b2ATfGRru+LVPsqRRcAwD/jLFnTDAVhKfznhH
wQEOhit1LFLZjsNzmxvCWeajGdZFPCsDN3twYi3UG72C4PFR2JCup6GLAGoo1/Ln
ZclHvXZEPHqBV9Js/Ga4jirq0U27MesmDDT4qvmjtSfo5yrJ4TOJyPKoMiZPwysu
d9CE74MIXAg3T/b7Woc61lxhLUFK0f5ZtWZmzf0yVI8gkukphegVZzz73s5ok9cK
Gsad1HL59CgjmsrgX7NnxnhsqFh9eEBymKw3Z9e7hyL7tfmY37X4mWVpo4v4myga
u0s7Lbp0pAHjCwKVe8fXaP51V8IlxVRFQRRUU6B0y+vdNj/xD6uy4rbJlj8gPPRF
zwZ9rduwZallvRsV734lWRGKqq5/Np6/g/0fUucFS9/m53y5sBBQ6y8HK7kc4mkg
gpXGg+mjM5TyYCFGrip8iRRebDQlBc5U55OSnzmItlUV1JDfrXlS7rLSaHrGTueB
1I5qP9XGYVvszZQ8SwARAQABiQIfBBgBCgAJBQJQAG6uAhsMAAoJECBkxTZBwl5d
h4gP/2aOoPpm+3e9ei54VjMs605weMJgmWcEkZV++w2N2kPKFom1cBrRW1hLyRvm
E/4kQJdhM6w1hmE0UgQ523TwMRL+4FLUAPLF7kblVKfSrk4yF0cgaeKGR/B6U8Pi
SJxK5YhzbPSDzDBLtB4g2v2lQL5xuTPC7wMvsrBNu+fbJvGCd49/6ENE7tnaApdg
Us1NLejWEEOZwV717lUrn454NyxJNN9wsvS0MOEKdDYs0QWGHINP0P4ObViG9YEf
v4pz49k85PRL1eGGqKiUec2R6fieO/aEVPhhfFcZ4wBiPuOtbb6bEOv0OX/L/I4E
bk+mMwczFcGk55at8Pw2hcDmZAUXFmF2V5X8lSBMG26vsWvmDDPkdLssTNgdvo02
4l+GmQJBuns38DEwqa0gT75thmbqb/73BsgIBaTejhp6fAytkRKxtLrzj8uPZSNO
J63pde4e/SYCiFgZzIdGca1k3GPRBbMRG3ThQAgv9NvBWlvHPBgRNAm284kcNQgl
yauk8s9nD15mfC4OZvcqNQXKOJWhNKKqnViHqcw2laf2z5W8HJmwaOz1VqmwFtCd
7N7z49a+2u7I8SC5KhuYVwFhku+3L9rRn5xuSNa/WO48SbBcyVcI01ifXckNNOOU
ZQ/uJGzxXeny4IY1EKOxaxsbkCTHqIODYFkwoaUEg3Ak4L+CuQINBFAA4uIBEAC5
2UAd0Yc0MDPEplRr1MxAaRpUCz2yJs0IUVDyKWre3Miz+/EKQWOk2pImkMCrrfNq
yJQKatQZ8M1Bb8hhGq//0kFkG/zjPUj0h9iNqXu4qJqovnEAMUg1Ll+fEgS4WK0p
XiNKKifBtS6YlahYOsVi0GFEgAJJn8kjFmXuEHBOV8foqM6/ud9YoYxAX5Y6HL6m
xumE01aVTGuqYNXppG9JDgYOWF4MQ/3cOerBgu98ndNudsVp+6ndUN3YPXe/pktO
pc3wOaQO5Tcj2gdvaQpvfGRPa1FQaa7eDSFT8tZ/3mbzJan/Ii6lJDVtz6r0b9DK
c73wLmnj0TwOY5McAA/vErif0fkRsCbZRV9TxK2CzDcEn3qiWEEcj4wqGIuiPvIj
V/1sCpF2KYbQ46e+Z02vykujtJWpPB9fWbx4D/e2DEMhb201v5t8Xg/MRkLoY6AC
lEx5gJamMxt9aZ83GqrayIFKfrtzkGkzGXV/6+J5t/qdUR4WVyhds0D231RMv0V4
Str9KEBTjKZuOsMG93l2sfXYR/fP1+VKd0fMV4NZ977j49WKJwLAS5iGbcW/vZ9C
COsQzYcLvf71RvweflH5NAie3VR48VZ1hje4IQOj49IbIZ/+KrLIvGuonV2o9m8V
Qrugt5FP3zIkq9Gj6V1h33S/fU1NHpz1qEq/pEsO4QARAQABiQQ+BBgBCgAJBQJQ
AOLiAhsCAikJECBkxTZBwl5dwV0gBBkBCgAGBQJQAOLiAAoJEKGfLDAaVSLdAgsP
/R9vl721X3SRju4Nsb8vfUaWoCoLEPkvRXEWy29nIf/xFExnzDfIyA/vdkYXrx+Z
2YJbO60A1DFj1ODFOKy+6HBdtpax6bRgfb1CTxcAgAyqHOzn0MVZK7SKgwJjFWLK
GHLNVV9nSbcO/M+ORuyNd8lZI8cCvNruNzsFkfASoDV+Lhqoru+74E/8IaWNddBY
dXHjIVEBVfOFxo1tDpyvS+rJ5yi14YkebHlbeNCoZrrx2CDPPVeaNLgm5e6/Dxjs
bOcbDCD1nSi1wc2j6QG0ObcqF9c15OMgcGD5Tjkyq9cTS/maEJK+c8pi/wpTySG8
jF/UC4ev3ZOJ3atP02aBBCO/N0IrAecamH7SNoxZXBxP+/VHdL2NDRCP81yiLt3f
qi7l821yNdSz7sOoP7qk6Jx5pBGDzKAmK4xVhhXMFaKT6mECVM1zVN+A+zC8j08F
AScmBld9qNn1hclNU3qwUgv+1PJSyQdnYuBlBuZIO5HcdOwl2+08JuRgr5EhxQAh
wEvSVbaolu2TCUZPs2stkMkVhLQdI3O/rYWvkI7ln0cMqZTaIHymdzGCUNyyNPjw
+6F9ZrYJPqihLQnK5aY8C8yHlWVi8vd9uYP7NMd3ELiYqkh0w9VpDJUpzu5Tmd1b
zc9FnpOEjEC0sBHOLbPSor5T3bcrvcTqCcjwnTIQuHHY/vAQAIDanQ7UvmC3ICd8
JMa2fQ0sINfajRIqVBUQF2owFiKOJ9HbjFHb2/0Iz3KDYZWbP7GItpF1nbNwlwlD
8fkdGVcJEsFTT6vila3WTt4a+u2Hlj4yKepEeobPzcFANgd/7JxmGSvlkKLuTJ4e
lk3I8O4BXgaH37kIHvklKv6DEF2uMoNHQG5dXhpVTOGaEF0V+JmF/PAlof/ICud9
vz/74gN/9SdpWCPr7ZBpRzBwiPpNK91zM/OC6e+MQHljO5mGHCAkbYjNcqKNZwmH
L92XsbEU0IqACktdRIblvXjA0Iwy5rNQGjCzH20v2C0/CZHwzs9IePZvsH8b2OH6
j+Tw4q56VPbaZDjqdy5QytM163+edrDNz0xxpbxKSqq5ediwjFPzCY2iseQ8nEfn
z0AtxmZ82/vjNdBtzh5UI4VVvjU0jCsqeLxN5UTDs+AtozOMyKOHXx58Scb91UGB
3TVn9fn26twR1m8fvfNXcrcBVcyFEOvBioZ3Z90KGVuAennbFiGetxBjqAVIf8EN
pOp3DFwc9d6Lv7y4YPnK8AVwAt9SN675GSwtBZxcbCVV82X+00kkWjRN1bFFAPp5
fBWL8R3ZU2B51OTVVigiUii+MQoJzqb6J0l0w2N0USZObh2SpqGIK4MfnonCB/7T
O39xX2zl5ALMf5SVx4xKqsCe0wV9uQINBFR/F8UBEAC07yEIOlRGObuPTAkfDsZn
xJZZ8qRdGUy1/7V20WxfGNUbPG639x+N3F0hib7EbzK7SQ5eIs+g2qBezsvII/iq
6Qe8DQWLjuMJYUf7GrfTXxVAfrTCzuUmVOwoAT42fuMe8n3W/oe+doOdgapHq7VU
htmDKhUiPJont1unpbHZ8eWcVvKJdmSxmSmEEu7itnlqJmCsmCnbp7iF898BCWU/
bHnofKTVpldP5/ZMqKmftuRDnaAP/1qL90PJ8Aprr/VIaBznrUQzawFX0uLb2hyM
5Xk3O9wUM9Wp14yO79Zw82ybYrpjiQlvwAiTw8+5wn5Mkd2eASN0ThZdqqfk1qml
/Fw4q8L46DWAeY0m6oCv2L3vXnWFWXzNEDV6KphT81BATLP3MwP9GOum1pEvSRkZ
oiE1qUKKLozqS2NaYs2/dYr/unQbGUUr77AzCY2fOACNZ0j4SLrB4oxL73s5RYjm
2S/P063hM6iLjvrGLyvMxVcf2r56mjgV3Hsoi7Yt2Vo8Bxcsn0i35iJWLZbf/6YO
2xXcgBinqYsT751XuXgj5rIOdMd3rdsejD3NRBB9cG7Ce2+FIE/PJaxTJWgmBybi
qB7yPpf5S1J9M1Ly0eXGTcLS1c8rw6k08CG5CmOVEUNni9clm+jaGroIoAz2kCHn
FEMQ9DzmN9arO76zMUjYIQARAQABiQQ+BBgBCgAJBQJUfxfFAhsCAikJECBkxTZB
wl5dwV0gBBkBCgAGBQJUfxfFAAoJEOPE3c0eTBJExywP/311BHQQkx//R156yYH6
WkgCUcDhF9VMUqCZa0ZkREsVzRRz2XeWtxX/fVSEneQUCXk9RCaEBmU6AE2yOheu
+NlL9ppHhM/4gW2BD05yb3FbsRPMxBmOEXU4gWBFFbp0U14sxe5od5LMCFWXN48m
uSbAS3tjUg7+ky6AXY8/zrC5nGA/nohOL0+O0n6HwyNkzMauiR+3szAa1XIom3Fx
9zEsmnA25oI9g84rK1p5HQ7wD0cuPtHYOW6NCiqNntXJtGjmWchOOu8pzu/svkKx
USGa72aM4Lx7cgKrLVlazOYAFccibTwqWOJN/lJsEOtcKhjNpT6pZ7JMggPlXjuy
8mIlKKeBphIv8/fY4O0bYmNJkE6tfZgGXeXQcMYwkSO2W+z8PLDKsxKW5rvXrZnZ
ib8zg5UqotdNBGAhuOHz21H7LP+lI+pNGEOzRRKi3s1GEHGUU/Jd0RMfCex0MHEO
b2GXz/zgcafeMT7gaqTi4FkG9FkeVeEMwjaUaZ9ACreDaxQeL9bLtJ7kJTHb4yy9
k9ttrT6cQ5BZpXyP08s7CDuLP+eIAW2ZGxd9uDsBUzS+Bm26n9lLp9XBoLdepOx7
1/2LTolInUunpoWpFZsaWXtdY6IO68D9SyJ5veYDz2fwIUtn6HFs10m4PQcQdRsU
GlMRos9cx2eu1rsyrUVwdUbJ+moQAJptfgVFFZrX9PnuSE5bPX33+xnNR4cX2vfR
JaM9yd9mDF47rKmUMkaFNSEX8Re8CmxDPyPUveShHFyBU9R8kaVI3dNvriU2pFoP
eUtkcNvYRXv6tKkK4x+rAiulbbpw4OGy458OMMYgngFFc8xsImLMfa2zQyVWHqTP
9JHF9Hpc7YCW2YRX1sA3ZfiTdns1qwzSeuBFd52+TDJMvfdAjhRVwDgeCoQ2NELc
O6UVTg1Ys+dcND6RW83Zq9p/S+56Bvq8xozeuLS3C8AeJ4Kq98qar9hsqD4Prfog
1jL9Hv+1jmEU9JJs55Pw3PtLDdotjUPbWjZ472ZR/1g/QGDNHzEua9Hk0xLxS2Qt
4pYpOcxnxhn9xD37gfRlM7zY/hb44BvKAWcI1Ll30hpYt5f4jhQ2PVJMxFxlKpvZ
VxNFPH+IUk+zHnf4n7pvxgRBT67nZ/4tMYJmYtsC6pu4AUcEUqRpkAJp5PxGqf6r
jev+0Jx32CSMBfZiahpRDtrau11E4gvNXeNmLPLbvf86kEumNsDQ+K2wieGf8g+3
q3Mg6y/vTig5mzoC6NPXSdEEBXysIyp0k98dkWbLjdQXu33fpVFx6hdiKVelIhQy
5rE9BdKqLjZxI/9vh8z8lY/kKnf9TpczaSF/NUeF5u118o7ryKAHiZfyS16m/PBw
MopBdOjnmQINBFQwazYBEAC01v949yFYzwbn0UkEkM3MHTrDqWbp+erhXqdVD5ym
G/pXvmqx5KlxL1TZMuWEFuaq9EVkW8Wm5glk4D14IalIVKARAMDwqgNrPnw0GCAm
NIf+OmvlG7gdsSR93eALJp1vvKZpeEVZj0M0gQ1i4QIIR8PMqs+2jaYyed4HhRYz
UbGKZMnr94Onby8FIAYq0B79VqBv5NfMc2KEKrLXwuDSjtZd2TGB7qeLF7sCczyF
oi5XTj+BiVfdxCzoYEa1Rjp5hGllVj85w2DdfKED/BW7VCel4H+WTZGqTFQ1e3kP
o1KdqlwDF+Ci2JFU6myPy0LpHrNhn6FsdQGOuRKgYPycol7VzJHKtcGNMDkUFGV2
DsgljQuWSj5TNNX5umFCIIN94eLvHtV9bXP98yKB/5pr2JhagL6kdU7OE0c/mugA
05gGQTUJDeLNsRq54YC+CLyM9dxMvH7yB43yMfUvgKcSRt0sHUo8g5aOYdFq0SXQ
Ur8+t/iH3t5/JxhqBik8FBiu0aISsTDUbvbxQQQe/LhfR+FWDZRFwHOL0VELapfw
1whitGG+y+F9fQIJfa5yzEiC9AWYZjHRaFB7q6LAvF0V8vP+pkT157fTK63W53mt
1+VPMt2L732i+/Cqy/6HzwOdnNnNyfEdvm2Jojs8KXN20vChnfUGifvTjxuiFib9
sQARAQABtB9SaWNoYXJkIExldml0dGUgPGxldml0dGVAbHAuc2U+iQI4BBMBAgAi
BQJUMGwdAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDV6eQ/ffnujKu0
D/4jYQRAyWEU62HOiQJkSIOmMoio3jsfJF7VQnvfqgswvmPXocmQeQ8pdGG3o/Yz
SXRAycwxys1cFODa33n3E1qlDkAzW6QpRrV3EB5VLYY0RD1qcgBB9ToQ+TQ00jCO
WGCmQxH4jeqBKVpXO1itJl2bmOZhzqNAd8jQ31fOOfuwhjyvc7hOev3/Ui5gmhbA
pDTBm71eMmy0aAX2XZwuTTzisiV0NExtAm8RjICDeXDqwaYVPmaz2GPqeIxKA+a7
xboEJePqEbL8coKSVebfKXtYoTTIZs7twqUbTI5kQHcyvtu2fKe5vATkbqAvjW11
aXJoyLnlw5GHcT/tPalMsPMRN/fLQLhF6WwlaEOvG+jQwgaaMIL1Lt+M8Q59MCnb
dmBhwes+ype2/EcnFht2PLvx7PpekHoRJosulCl5e81tzyIt9fdlsxJVIu07Rv27
agumD7NFN0kDJDVs8JI2yjPWwuIDxTCtOWvEBDXOujPlElozYNE4gJBj/Tw5aWMo
bY4nAk4C+dZQ5vCwV6/XG8712r+yXOjVYe2W8vPa9Q7Dxc3w5HHDl+p0p6mDCEpr
0VBqxn4K5HnjNDDbvd2j067PtH8avhySGRIV/2AskDeI6jPoUBofWzsDOwWnGj/R
fb56toQytliF5VgoV/UO9MQK1YiasyPP++j4dYpz242yXLQlUmljaGFyZCBMZXZp
dHRlIDxsZXZpdHRlQG9wZW5zc2wub3JnPokCOAQTAQIAIgUCVDBsCgIbAwYLCQgH
AwIGFQgCCQoLBBYCAwECHgECF4AACgkQ1enkP3357ozVsA//RvKgkyIyyzBqlsHK
lAJP+9CZqheNnM1xTioAqUHkQyUeTGXVPzK0RfGY0x397SW1X0cAt4GpfV5gdLuh
Mbesxcq5hVhM7X14zbAuIJbrrgRS06wH3MCemnpf7xRYyg0SlaUQeCR2UANDTEiu
sfem3b1IBt3HRCy/CRY9rASgoyhSIY+dVjiEC3tfH2AOZYRrZPq0TF32ygEFMi4i
lMfcxsAQey+cFt3Jqs2W0YX+ldgYyYZpiZTRa6OorOqkGnLfPB3RHHUqazl7RlzK
lXOrHdeBy55bx9sw9Nlsb5n3bYZQUMnXf1aMADYWwwn0RLtcgigmH/id8HCT49dy
Pb1OJ4OeXat3jHtjGeqnhXNq74gBHP1WvU4gVWVBtpJ1d+YMWL9+9V/0IlmdbBxL
CSqnimTnRnKcQD7xPMRCPTyN2PT7Ksk29tHGpshp/NKahTvtsA2ziBzRY51NOm+/
iGidRBE4BGkb8lPjuETsBNUY10XtuZY0TIRgW1kx0Y/TEP4rTESCyKvrlqu5WLFW
s0rE5f3CrHokbMdNJOC0BVgC8wixYlMu4JdlsxGaaaa5t/JVowCKzPlQhgP5MI+d
y4nV0xRb1Yi4s0UYtNEYeuLTURZ7Z6lodlYDRYHRxBlp4alzsL3zpayQOL1ID1nM
IgZbihAgFBeVEmONjEgEKePG1Ra0JVJpY2hhcmQgTGV2aXR0ZSA8cmljaGFyZEBs
ZXZpdHRlLm9yZz6JAjsEEwECACUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA
BQJUMG0mAhkBAAoJENXp5D99+e6MmN0P/AmpB8DasBnjh9fAlBM8kEZ23MHVdEgu
PWX8KBML4L6eVlWRn7hdfpvOS90Ll5LTdtWPAQs8lDYh4V86hIYgLK9tisZyby+5
NT4dEl6CXgHbRjdDbp0xKfGc5F9jWzPZpG8ZdDz6Zbvdooy/4ThXNS16HcsJRcka
n6oFjCNAWSNpXDYcLtA7+9ncimrC/C+kGYlyPWJGYZu1C3I+oL3+qWwiqAG9hp/z
edsIsNP7o24wb0SgD0dTzphmOAPwTRfGS2DHhpbAH9P6MZPiFBRGsARRRFfTRGkz
I9W1M4bv9l/L8s6STpjD8+40f+aUE8cyUcNj1ycyRGFAnwf5MeO3MqzvjocoUyoZ
Nc4t7/6rh6sceFjgMt/DFFZbi3kvz9cJBcaN6TWWktd4+1WmLxwcF0n3xaB04KCv
XTaBZ5f/Hz5D4O8HyYsS6GlW6yIUiuAOvav8WizaTMbYk81XfXBuBKv7Vxk0fRYf
9+HJ7fyWyIlIN9FqrSiiopA3JR+8gP8ueFcycmLnl2D9fyZn/sv+UCLrMR6fyD/5
EtzgzW0AJ8BDJw5n7ctmZ6UhuasDZZMPC2uB9LVhpQ8W3mDDxJoaYe5bE2p0ca+m
wEHZQpbpjmtT/2x5rGFZYxBUOhuGn/94zEYSqLLDirlFIEUgucXLOLQHyEl+kEkC
LEmSbn71WsM8tCVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAb3BlbnNzbC5jb20+
iQI4BBMBAgAiBQJUO42DAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDV
6eQ/ffnujLPhD/4n7Jl5/FIKKNPIDJDAYmq/Z36t1m+m0IvSL0yuZh2WSCDo+xur
ZWVLPQIrP14ORvWJJzZTmRLUWTxQPDF0z3S4kkopMyqTeHl++to/4eTQPF0QkpLc
DXVKzRe5jzRUTYC8x7mtJHdgKjmWqbgqm63RJg2PphRSbFqoPkfoZ0/kNdzG3bkE
LlpW8YphA4guQBlU3N7p52KOavVny03UDLN1jVE/QmD641g4E7iNNxyXNs15iRi8
84Ox4+EjBZOQFygx7RtrWXVokOS4Ba4fp3yDnkAdqhN3DtjKGPv7oqMcJuJpuBP6
F1Rmd7eJPS6+nIfJac0EnhDu25k5m248mUAgvtX8PR9n6OB39G6UEKnBoBFpmDpU
CJKeOLwGjvkpB04gAVdIbWJVXVkYVUyX6i2VRQiVEEmEsTNRZKrjyWtHyAzfSg0o
EKUTxijtVbkHZk33SuCSATq+8qKMXDDJHhcpX8/K3zgVOMDTRexY5Zpe47IiL0/C
bK3MN+SnBfgZzsw/TNasJ0a/AUw+FDGIq71UNysVL7dKHeKQX3nRRvHp7blpdCf0
bOlBc4Ni5Rk/QYMAR1zVHgXHOrANzTim1dUHensnlquYGx3sdws2d7G3p0VX5Ke+
Dreal5NraRhMYk0hJTgOy34vf+z1UGejbViVkEgts1X2nRmBInJhZOSyP7QvUmlj
aGFyZCBMZXZpdHRlIDxyaWNoYXJkQG9wZW5zc2xmb3VuZGF0aW9uLmNvbT6JAjgE
EwECACIFAlQwa/UCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJENXp5D99
+e6M3KkP/izg32cHPYfDZaWDVbzV1V1EcyMM1hpsQm4C3bo2UY/06NtLescn/6kU
wAlhBnn9jfqbhoPzqJXc/kbNxtVRc5JvZxhulBj+UdgoB3wiyrY8tM0+eYMWB4Te
j4830s4c5rUenM2OrUNrpaLVL5pFm1M7k4m5xaMIkKUVQB0PaCms9NB4yplSIEcL
9c3M5UFm/ipQYML6qp07qknd/NTbNNPUfZreLYQiAr/kZxsjZR4mcCMaal8rcRZV
hzkGwX78aReu0xIdkPaNfJAvrO7NMCz7U3yntwbXmRi1jw4PAXvZjAfgRbOv7ug1
xPcVdbr7YbhL3miyYXH8H72muLvslOvba2CBAE4x6wZi7IEx3VNG9aklOx09PDZy
29tyPx4AhMLPj9GnGROUcMzC3+ZvOPmteaQjdA1MmR2PEAdm1OZLJ1Lb78FcGoWB
XdWmI0XFM09YxAAD1YNvVijPnS193jtTqesKtu57D4PEqLPUupHZZpic9X9T17ve
SjbI6B1VCi46HHF4MEbQt7pTsGiNMKS2i/YVTap29Fj8x+cTxAmV2Fb8BWPjdLee
5VGyH8dwDYtMXK7fE6hQFZX3Vn7RXInv4onouolcyq7aPvxYPVnGdijNSMDtHdFx
78vSt9kMx75s8jyJ0ILojuAqB7C2G/ScybtQNYBXAIZtFZWLiPuEuQINBFQwazYB
EADPNcBdaXTUwkG81K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpjU45k
x/wO5KiTVj+bM+scSzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV9qT3
i0eSSpa1Kpx8eAHKcVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdkHsEo
MSVU6Jy86E908OLaJbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHMel8Z
cEgTah7huS6lUA4seQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1nbMQ
/dEvMQpFxLCOBNQP0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAtc/+i
wMUkQQXJRw7Vlp9Fp9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQJe31
m7sezA3cLnFR86ol2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+sjau
CZQW3KYx31Il5bO3ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbhddJB
Hsd7GNkwzb1QivcqnYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz5JTj
Mkj1s9cppQ8tdqiV4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABiQIfBBgBAgAJ
BQJUMGs2AhsMAAoJENXp5D99+e6M69gP/2MzECejKPv0lN9vHTnqLHiP7BcqbivP
NqT4V3yal/JfB9c8h2ylsuZSy4r9TKDTgv/KVm6b9kJVsjdzyqwerKwpZ6T8ohyD
t+/5UAXKY7wH8vR1qZdtRQ8Z/UbsZ2vyDGMKutBIxOYfDcpzZ+e78nRd6k3E6pIb
R1utS972wQHM/VTEmsvUFZtX+qszOVm2y8adbHzY0FikqN/NZI7NVY+8gkwaybpd
6knl9ArEQe1heVWDGpaTUxz0SKglqc0zHDtxOUkhiCcvgKsAGWbxYspRq0rLsek5
1RFSdO7NJ59co96uyIu2r/sGhpk3+/QdAMmb9CGeI+DVFhTZxobBtWxLphS5EJey
HfzOtZNMijrrB3cw3GWws3nMsMNcN1g/o+MLxpHwcuJkEai4so7rbDf3acUUZFCw
EzBPkx/SeXjatAObEUWmshIgNUw3AFnxdD7QOLJjctRsiGq6GwvsZ/ABDYuHnmGQ
W3w34fKEYRLCAkOq7NPfMImM/I7Wf6Tq7s24g+2Sg8vr4yrWKoIxp4qB0GpSQmay
k1J0RKR9dNqYNQsOr9jnI4l7KlOS+2K4b9Y0CJbiCNOdVSCf0AVnubk+2IiTrDCz
EBlr5Dmz1xGC5XdlBeoSujB+HqZMFf8Nbjap5byHhBYB0ypkh738JQBeuJVIgwlH
VhMV8mypBNjWmQENBE76Z9YBCAClJEJJTPrqEX9P84lgfWoeAz6MqIgDxxmIjFMe
JZ+sp47tHnPaam0t4+8v+63RpsIlepNZtsufUyeIVq104YB+2pLWlTLCG0vQRmA5
D6RiD7PeadLnAZtBMzhTNRyx0gD2hLM9HN19KftTa9ar4SfIVd2e/N6vgSSJKsI1
2x9M4G3Zd0poEnz897HGftxg5APVsJoBw7tSQKHmKxLgJWAmxFV7bMxquF8tGSga
EeV+AceRKQmVWFWBb2JIa2qihptuJOfIlSke6h09oVa1jZ6kI3ATWCbzAWUjcT9n
HCmEVzT/Fha7JNW5JT8tyO08B5b82HyL+83n+87FVbOkncULABEBAAG0HFRpbSBI
dWRzb24gPHRqaEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlOctAQCGyMGCwkIBwMC
BhUIAgkKCwQWAgMBAh4BAheAAAoJEJGVxIJB+/fdlikH/RLnyBDNaQuyPkl09ZDK
YiYqg0uL/BtjEdzZzGzfV5uk9RctMd5UMU5Lh6phdc/Jei0d/VpQnSxhSoWmQHn6
reYfq9SabApzZzQcscBxL9g0P4mMj4PzYGmhYCkkh1GOTtDtm5wleTaoIKz8KTHz
vc7bLP5XIwrzwrtiRAiAfCCdmKz9hVqllM7yV9HZZzXnd5lAqoxV9wt6eiGfB4OR
VJFasQsPAA0/+YoWhc8Zta819MRABKw+egfWoRm+DVAEVl+5hPBOJGzrFpZdPVPi
Gt16QgmHVKVh9z46OBup/CfhvXWHY7J7X28c0/zHgI1dFJBOlgGxAzvBGmXkYNLX
XMG0JlRpbSBIdWRzb24gPHRqaEBvcGVuc3NsZm91bmRhdGlvbi5jb20+iQE4BBMB
AgAiBQJO+mfWAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCRlcSCQfv3
3cdHCACS9HhOWAyEAGNhCPjOhYsJRY0iQk57Ekxh2kWTO66NLfX6HwnmOv+6z2uM
o6XxIDqLtCMFYoURkOUuoYNhZBhbLNNCqBY47382zuivs4X4RUNuewQGCmQd5ASz
bCxtZ6eqMG6qJpnn8lsAbI9yGQ8ofwqSs98CTbRsv4P1DVacwXFqGDeu4qKQ2liI
dbQmCP9mkl7dkwJ2BJrc5X8msu226WVeT7z3lPWlmEWnYtJLnjaLeGjP4wEcaUDm
6LubRWxUAZ7gqRWqP8dX37Y9VSZvKHOmUINrvLAmhhYlZvt8z32PUA+hICJ7AMwB
3V4HoNy/qJfAtkWqODvnG2HT00BduQENBE76Z9YBCAC5xpa7smrlstM6q6gnBkjT
s1Tb68mtEXTGPpc8ds6T/79sApVbyIq3xXCinqtSwYeH/kkYnB3+kBQDgDsSFos8
XpxBLqr9mrVk2Bu4Pz/c5/vF9L2uhf1p8nt/V+HlC9p7Q7ZCf/TRFQj+3WFafHbB
jzDZw6kkJm7gBtzNj6FTHNUxv1t3NzbPSeW7tQbo6ptrclLk+S7rgEnG5t8VOYbo
60I6bniGUvUVYMVVR49BsZ5tW7jrLToZf5wQEE2C6iud46poPpcDNiBiPi/LBFHC
r71KzGnAWsfHu8lt7v9MarEuXDPoC045DLQyWSKHGP9/uSuesEOpnb63J9gDlgaP
ABEBAAGJAR8EGAECAAkFAk76Z9YCGwwACgkQkZXEgkH7990gaAf9FD6fsKERbpB5
aSiyCyXWm4vgIla4U2WE8ttGRNOVX646XHN/lA3W9r84HOsFgK4JvbLomiwZLQS+
bvSj9qplO+s5OqzfWyZpdpjZNhAeb4GsfaYThrT0mCngb6gVnAEpvtf/6+4KIQSx
qvbeGXJyaHtWhhXtqd8qzV6RbXDc5kCDJQMSZiwTxHUo7UmWR3fPJDTfhyyLlD+f
jI/HhHwR140q1xnP2L/4wWF8pNqxX3qcMkXm6uDfRgY0eCdT/BlrJAQ0lfa09h6f
sMkHsoHd5Pvpz+TkGHUI7TNMj3oOSrSKSu+qI6kJnOUY9PFNwTq4ljvTdbNLymjJ
iugLyosU15kBDQRVlEpGAQgAmdVZaxAD6wKTiQ/VUd6EIuOocLXUuU4v9yRooArb
bpLNlgTyzlDRcNYFpvW5gZ/KXt7sfE72pbDWV2HVFfcf8zyTMygz+2tzDL9ldWTA
EqYeis4NYIH9yQToZGoc1oEkgBYwKoEQUnpq2A4IMggRaD4KSc/7W98raf63IrBO
K2u9tfg6CZDgKHRsv6d5AHSZTFrJR7vh9EIg33z/qzaebZ5lO7woV0q69yqUdzBs
dFEc20fUUIEv2PsWcfNKx+BzKmbddlfwSWVv6xua7KDFge6uDrg3ISWQWCwd8iz3
jOUseeiaLYk5QOUJapWyKBqYJiOAbbQSTzkVuQMMB4QSmQARAQABtBdNYXJrIENv
eCA8bWFya0Bhd2UuY29tPokBOgQTAQIAJAIbLwIeAQIXgAULCQgHAwUVCgkICwUW
AwIBAAUCVZUDDgIZAQAKCRA2zuTesAz+MyFiB/99TL4ML2eevVmxbtcN3f70VZtt
eoKvwIcZ6hDw3sG8DVAjFlyiwtXtDG/mNOBxuW78o9dCceCI/ngbH4qHbCuiKUXp
kh6LBw3VnS6eORHWJOk4xPwktHHl9YPf4DO4sraq8OeJyooSqcRO++eCMR1JQiUc
G59qoL93c9zibpanh8K7aoHe5P3bsACJED4kqis4sEa5oDA6JVu4LPccic2LTpOF
9LDdZxn92Ii6MHdyia3E8tkJiFOXurOw2JNHZHbFBHZaARLES4GLAP28VEfuEZir
PECIw9tJ+jecmxMIYj0SdvMp/bOEdlH1ot/JGMhWEsAlZUG4OEj9V9UDkHP5tBlN
YXJrIENveCA8bWpjQGFwYWNoZS5vcmc+iQE3BBMBAgAhAhsvAh4BAheABQJVlQLq
BQsJCAcDBRUKCQgLBRYDAgEAAAoJEDbO5N6wDP4zohwH/jOC5HbMlwaMbPHRVkDz
5wdV9qivHXuV1PxNKjCPEv9dEdOq8CcyQqTBfZoc2mUFLrulvZAUxpl3ki6afSL3
yjl3VlXD8VtFmaAmdBgtLQvQ/PvovW2xnc2alM2iY3e/MXdyRCEx1b6zHYUWJALt
ZXyQa20UE6g9oTePNzaValNnup24ymmPDHy8YWdeHuDTL8dh6ji6v58nwAQkZ3Nl
YJgpbUBj4TJfk38fm0h1BRnKCMgOxYp69lwLmC7EbvbgauzYn0Elwl68t02njv0Y
ga+8cHvo84nRQHnn7aVWBaJWwwYKMzMlXndJWsj52gPKXyO51X2Su4jAvGxM59m2
VcG0GU1hcmsgQ294IDxtamNAcmVkaGF0LmNvbT6JATcEEwECACECGy8CHgECF4AF
AlWVAu4FCwkIBwMFFQoJCAsFFgMCAQAACgkQNs7k3rAM/jODoQf7BTBbQ7v7nJ8C
xSr4P3Yqsr4jXgaY2O3M0ilodmeo0EgxhK384O1JZ4NV86YVzsGI//+6quGcYGt4
fcskRf/9cE4LhhnbP6N2Z4XyyyXVlwJNR6oDyH1zqpZTCtQNmou8hxm1MvmpM67u
e2smLVg/p1g+h1NWbfjoo4L0UyRUlDlELun6Y737pg6usNK2IOcv6G9gv+QVi3DV
GpmU2+z2SK6Rxh/5Dk5sDoT4oM0e5DL7KTt5Po+dWrUyo+nUtm/3L3ugNHl48vA/
Fvy2HBH4zxs+Y5kCyiotePiTww49l5QQDYPdFylab8Jd44wpwiJEV93cqxVuzIAB
FM3ReFqU5bQbTWFyayBDb3ggPG1hcmtAb3BlbnNzbC5vcmc+iQE3BBMBAgAhAhsv
Ah4BAheABQJVlQLuBQsJCAcDBRUKCQgLBRYDAgEAAAoJEDbO5N6wDP4zu7UH/0Y4
2wgWGcVzDJu9zFlMX/XPMXJYbSENOsSyq+LUhGKLK7xPjXAl4eWVrUWsGFQTO+sy
A4fipMw1XbTPpXDaNxacfjSwayeTV25H3KmgnQgKQXH3Kkfze9Zxe10vG+knssaO
kf5EYEVtthbBL/k6qKC2zIrixzfS5MOpSK3sAepn1mNBFjtPSikaNwHtxcBXdIbi
khuTpImu/PfGlOaeYwgUm7Sx9BmfGnZLvTz8MGDtqziXld0NxO0lXTh5Y2+Ojv0y
WisUoXA44blslYYWC8aRR3FCWCxMmKfkDb9ztM5KQbQXS/nyYra6/Nsh/Acvgg4G
BPOIenT+uE82YZfpPWG5AQ0EVZT51AEIAO91fZyiPkiioZURT8zZfUtpQxLJOHno
vp0h1yo1xfX7okpq2nM1hytWu3ICZ0CpZw2kv+bmbRdD11xbobFnl/QWb42KThqD
L7T/+chZz/uMzrHNFgzRCRiTJlkTcI+Q4jK71eyVzMWoiv0xnLRNf46x66AxieXY
Tkn0e7KPC2sUppfIbpRA2BshXuJqCzjaHH/z4+QI7JTAoROayyApVcGgO7njWKVA
k+JOd3iThS+wjnzU0sBIg12yT6q4w/M6MSMOBsqcwOMtx/iXmEHCWCuYzubhOL6B
v3k11pkkBgArD+wZGA5JuFYfTSAnKsCWbDxVmJzGTkqwY9DgIAOpQgUAEQEAAYkC
PgQYAQIACQUCVZT51AIbAgEpCRA2zuTesAz+M8BdIAQZAQIABgUCVZT51AAKCRAB
ClBAfEyMvSc6B/9tpCI1LeZx9TxpYo8PLw1QcZdwpxQU9hanlg55ZeyL2j104cz/
7fzEqHd4zNlzS5J1fs2xiuDl3pLP+tPz3uOBxiergyAOcprXMCZOjAksvUpwuX/E
k8NIHjUAk6iCbFB0awUrrXMQq7WY+yYfCP7dUxVkXP6dHOQGs2B94TMUYkJs7/QV
YYE0qGb4XkgwENH07Wywt/oejBn9UXFo80pv7Rz6jdELoPF60hMT14ZuDu7f9Jxn
2of94QJGNlA3OuueQR4W25iaJQe4P4alr3PCTmyuoaFI5K0yHByB489JO4eSPLOe
r4pftNESsDyBwc8A4Fx8ro88xLuufYnoPwrTAkcH/3d/MGABEEmqDwRDXzH/cLh0
h9/OinNEgilOCc+zK+6+7bi7x/jUw+aAIN+bmO/6+EEnl1GQuUj7F2ZxXU9tPRvb
YF0uCoyd+ZMayHbuMc8etThWqvMNlbNeZegLHbNO7NsoDxPmDb/rPlc7tvKdxUVG
KfZSWT78tQAb4JeJUR4G1Rm+3jlkCNoiaFCV02C9HGXu3Amqkz33FJKjCnEv61tm
wYZvkLc9bYQzqXt8rvb3nlZbvbFYlf3oNU7YFV43a4W0y07NtxiXzPhC+E4FIAdi
aBbJmv9EEXzrMRyXuZFOUZx9wGAC77dHcJ8cw7+MUxpJ5ja8aoFS7ly7sk442gK5
AQ0EVZT5+AEIALH40GSCbgSuXVHjhUYYLeo0TNBevlZD7Po1OEyhi2eEhrWYg/3c
Awr0/neLXXD6xiAlOXcN01H+OjY4ZAmKzm290LCRBuo9WPsRvHIECAY9XZBeL+tu
69biSXv07vhvqmMG8yZ6Hi8Q5wUHJvISo6MC6fbq2RUVnkscgqp4jlBVjRNo97Ng
i+WEco+znvu7pio7uXYGPT9UorIPX7cQ2kpbiYM4UU4i/ezbAELc8Ttq4IXzz5zi
/Rea/r7HR7aSpapzVB56Wwg87F3c4zcwK9bdxxgdpRfHnBJ84mrBZlSGwKN6a1ks
N/zks6R6eNVhO9UbozzVqgl1Riz/aXlv2tsAEQEAAYkBHwQYAQIACQUCVZT5+AIb
DAAKCRA2zuTesAz+M2u5B/997Q3sXvQo3J2ZB/gSXYVIjh76pzabO9NIlhW2fX3Z
41VsgZKX6tpTGlqUn9Q14EkntzpGBtX/3PtoycH+Ta0E+IfpoINwSy/7SQfWmPhY
xjMnu3LH0ho1mkGMuxXf/dMoapovKY3d//ud6KcPruq+W+8ZXD8CT4zay6z/5JIg
FAP1viRNtyVmFh6NfZTIsKGyS+jaHniAR9N3cRa1Y7gutwT6cNV1zpTOAOBx0L75
xLxGy6WuyBLaaZIhk0f3ONryFQslIsVGGs/d2QJm2xxywvaq4JrSor+TPJxXu3Jr
umMEE9U0zENea7N8dQxWQBmXnChX88eRPHOIAdXEWrOj
=Qsm0
-----END PGP PUBLIC KEY BLOCK-----

2
debian/watch vendored
View File

@ -1,2 +1,2 @@
version=3
version=4
opts=pgpsigurlmangle=s/$/.asc/ https://www.openssl.org/source/ openssl-(3.0.*).tar.gz

24
test/ssl-tests/12-ct.cnf
View File

@ -19,11 +19,11 @@ client = 0-ct-permissive-without-scts-client
[0-ct-permissive-without-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-ct-permissive-without-scts-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -46,11 +46,11 @@ client = 1-ct-permissive-with-scts-client
[1-ct-permissive-with-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
[1-ct-permissive-with-scts-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer
@ -73,11 +73,11 @@ client = 2-ct-strict-without-scts-client
[2-ct-strict-without-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-ct-strict-without-scts-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -101,11 +101,11 @@ client = 3-ct-strict-with-scts-client
[3-ct-strict-with-scts-server]
Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
[3-ct-strict-with-scts-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer
@ -130,11 +130,11 @@ resume-client = 4-ct-permissive-resumption-client
[4-ct-permissive-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
[4-ct-permissive-resumption-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer
@ -162,11 +162,11 @@ resume-client = 5-ct-strict-resumption-resume-client
[5-ct-strict-resumption-server]
Certificate = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1-key.pem
[5-ct-strict-resumption-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/embeddedSCTs1_issuer.pem
VerifyMode = Peer

12
test/ssl-tests/12-ct.cnf.in
View File

@ -19,8 +19,10 @@ our @tests = (
{
name => "ct-permissive-without-scts",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
extra => {
"CTValidation" => "Permissive",
},
@ -32,10 +34,12 @@ our @tests = (
{
name => "ct-permissive-with-scts",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"Certificate" => test_pem("embeddedSCTs1.pem"),
"PrivateKey" => test_pem("embeddedSCTs1-key.pem"),
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
extra => {
"CTValidation" => "Permissive",
@ -48,8 +52,10 @@ our @tests = (
{
name => "ct-strict-without-scts",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
extra => {
"CTValidation" => "Strict",
},
@ -62,10 +68,12 @@ our @tests = (
{
name => "ct-strict-with-scts",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"Certificate" => test_pem("embeddedSCTs1.pem"),
"PrivateKey" => test_pem("embeddedSCTs1-key.pem"),
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
extra => {
"CTValidation" => "Strict",
@ -78,10 +86,12 @@ our @tests = (
{
name => "ct-permissive-resumption",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"Certificate" => test_pem("embeddedSCTs1.pem"),
"PrivateKey" => test_pem("embeddedSCTs1-key.pem"),
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
extra => {
"CTValidation" => "Permissive",
@ -96,10 +106,12 @@ our @tests = (
{
name => "ct-strict-resumption",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"Certificate" => test_pem("embeddedSCTs1.pem"),
"PrivateKey" => test_pem("embeddedSCTs1-key.pem"),
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"VerifyCAFile" => test_pem("embeddedSCTs1_issuer.pem"),
extra => {
"CTValidation" => "Strict",

220
test/ssl-tests/14-curves.cnf
View File

@ -93,13 +93,13 @@ client = 0-curve-prime256v1-client
[0-curve-prime256v1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = prime256v1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-curve-prime256v1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = prime256v1
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -122,13 +122,13 @@ client = 1-curve-secp384r1-client
[1-curve-secp384r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp384r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-curve-secp384r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp384r1
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -151,13 +151,13 @@ client = 2-curve-secp521r1-client
[2-curve-secp521r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp521r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-curve-secp521r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp521r1
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -180,13 +180,13 @@ client = 3-curve-X25519-client
[3-curve-X25519-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = X25519
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-curve-X25519-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = X25519
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -209,13 +209,13 @@ client = 4-curve-X448-client
[4-curve-X448-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = X448
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[4-curve-X448-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = X448
MaxProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -238,13 +238,13 @@ client = 5-curve-sect233k1-client
[5-curve-sect233k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect233k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[5-curve-sect233k1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect233k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -267,13 +267,13 @@ client = 6-curve-sect233r1-client
[6-curve-sect233r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect233r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[6-curve-sect233r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect233r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -296,13 +296,13 @@ client = 7-curve-sect283k1-client
[7-curve-sect283k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect283k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[7-curve-sect283k1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect283k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -325,13 +325,13 @@ client = 8-curve-sect283r1-client
[8-curve-sect283r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect283r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[8-curve-sect283r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect283r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -354,13 +354,13 @@ client = 9-curve-sect409k1-client
[9-curve-sect409k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect409k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[9-curve-sect409k1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect409k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -383,13 +383,13 @@ client = 10-curve-sect409r1-client
[10-curve-sect409r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect409r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[10-curve-sect409r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect409r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -412,13 +412,13 @@ client = 11-curve-sect571k1-client
[11-curve-sect571k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect571k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[11-curve-sect571k1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect571k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -441,13 +441,13 @@ client = 12-curve-sect571r1-client
[12-curve-sect571r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect571r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[12-curve-sect571r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect571r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -470,13 +470,13 @@ client = 13-curve-secp224r1-client
[13-curve-secp224r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp224r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[13-curve-secp224r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp224r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -499,13 +499,13 @@ client = 14-curve-sect163k1-client
[14-curve-sect163k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect163k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[14-curve-sect163k1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect163k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -528,13 +528,13 @@ client = 15-curve-sect163r2-client
[15-curve-sect163r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect163r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[15-curve-sect163r2-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect163r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -557,13 +557,13 @@ client = 16-curve-prime192v1-client
[16-curve-prime192v1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = prime192v1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[16-curve-prime192v1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = prime192v1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -586,13 +586,13 @@ client = 17-curve-sect163r1-client
[17-curve-sect163r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect163r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[17-curve-sect163r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect163r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -615,13 +615,13 @@ client = 18-curve-sect193r1-client
[18-curve-sect193r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect193r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[18-curve-sect193r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect193r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -644,13 +644,13 @@ client = 19-curve-sect193r2-client
[19-curve-sect193r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect193r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[19-curve-sect193r2-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect193r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -673,13 +673,13 @@ client = 20-curve-sect239k1-client
[20-curve-sect239k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect239k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[20-curve-sect239k1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect239k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -702,13 +702,13 @@ client = 21-curve-secp160k1-client
[21-curve-secp160k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp160k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[21-curve-secp160k1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp160k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -731,13 +731,13 @@ client = 22-curve-secp160r1-client
[22-curve-secp160r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp160r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[22-curve-secp160r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp160r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -760,13 +760,13 @@ client = 23-curve-secp160r2-client
[23-curve-secp160r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp160r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[23-curve-secp160r2-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp160r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -789,13 +789,13 @@ client = 24-curve-secp192k1-client
[24-curve-secp192k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp192k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[24-curve-secp192k1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp192k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -818,13 +818,13 @@ client = 25-curve-secp224k1-client
[25-curve-secp224k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp224k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[25-curve-secp224k1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp224k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -847,13 +847,13 @@ client = 26-curve-secp256k1-client
[26-curve-secp256k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp256k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[26-curve-secp256k1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp256k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -876,13 +876,13 @@ client = 27-curve-brainpoolP256r1-client
[27-curve-brainpoolP256r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = brainpoolP256r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[27-curve-brainpoolP256r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP256r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -905,13 +905,13 @@ client = 28-curve-brainpoolP384r1-client
[28-curve-brainpoolP384r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = brainpoolP384r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[28-curve-brainpoolP384r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP384r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -934,13 +934,13 @@ client = 29-curve-brainpoolP512r1-client
[29-curve-brainpoolP512r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = brainpoolP512r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[29-curve-brainpoolP512r1-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP512r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1713,13 +1713,13 @@ client = 55-curve-sect233k1-tls13-client
[55-curve-sect233k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect233k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[55-curve-sect233k1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect233k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1740,13 +1740,13 @@ client = 56-curve-sect233r1-tls13-client
[56-curve-sect233r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect233r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[56-curve-sect233r1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect233r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1767,13 +1767,13 @@ client = 57-curve-sect283k1-tls13-client
[57-curve-sect283k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect283k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[57-curve-sect283k1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect283k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1794,13 +1794,13 @@ client = 58-curve-sect283r1-tls13-client
[58-curve-sect283r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect283r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[58-curve-sect283r1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect283r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1821,13 +1821,13 @@ client = 59-curve-sect409k1-tls13-client
[59-curve-sect409k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect409k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[59-curve-sect409k1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect409k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1848,13 +1848,13 @@ client = 60-curve-sect409r1-tls13-client
[60-curve-sect409r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect409r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[60-curve-sect409r1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect409r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1875,13 +1875,13 @@ client = 61-curve-sect571k1-tls13-client
[61-curve-sect571k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect571k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[61-curve-sect571k1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect571k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1902,13 +1902,13 @@ client = 62-curve-sect571r1-tls13-client
[62-curve-sect571r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect571r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[62-curve-sect571r1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect571r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1929,13 +1929,13 @@ client = 63-curve-secp224r1-tls13-client
[63-curve-secp224r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp224r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[63-curve-secp224r1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp224r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1956,13 +1956,13 @@ client = 64-curve-sect163k1-tls13-client
[64-curve-sect163k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect163k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[64-curve-sect163k1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect163k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -1983,13 +1983,13 @@ client = 65-curve-sect163r2-tls13-client
[65-curve-sect163r2-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect163r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[65-curve-sect163r2-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect163r2
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2010,13 +2010,13 @@ client = 66-curve-prime192v1-tls13-client
[66-curve-prime192v1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = prime192v1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[66-curve-prime192v1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = prime192v1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2037,13 +2037,13 @@ client = 67-curve-sect163r1-tls13-client
[67-curve-sect163r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect163r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[67-curve-sect163r1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect163r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2064,13 +2064,13 @@ client = 68-curve-sect193r1-tls13-client
[68-curve-sect193r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect193r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[68-curve-sect193r1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect193r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2091,13 +2091,13 @@ client = 69-curve-sect193r2-tls13-client
[69-curve-sect193r2-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect193r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[69-curve-sect193r2-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect193r2
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2118,13 +2118,13 @@ client = 70-curve-sect239k1-tls13-client
[70-curve-sect239k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = sect239k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[70-curve-sect239k1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = sect239k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2145,13 +2145,13 @@ client = 71-curve-secp160k1-tls13-client
[71-curve-secp160k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp160k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[71-curve-secp160k1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp160k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2172,13 +2172,13 @@ client = 72-curve-secp160r1-tls13-client
[72-curve-secp160r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp160r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[72-curve-secp160r1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp160r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2199,13 +2199,13 @@ client = 73-curve-secp160r2-tls13-client
[73-curve-secp160r2-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp160r2
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[73-curve-secp160r2-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp160r2
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2226,13 +2226,13 @@ client = 74-curve-secp192k1-tls13-client
[74-curve-secp192k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp192k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[74-curve-secp192k1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp192k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2253,13 +2253,13 @@ client = 75-curve-secp224k1-tls13-client
[75-curve-secp224k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp224k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[75-curve-secp224k1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp224k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2280,13 +2280,13 @@ client = 76-curve-secp256k1-tls13-client
[76-curve-secp256k1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = secp256k1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[76-curve-secp256k1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = secp256k1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2307,13 +2307,13 @@ client = 77-curve-brainpoolP256r1-tls13-client
[77-curve-brainpoolP256r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = brainpoolP256r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[77-curve-brainpoolP256r1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP256r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2334,13 +2334,13 @@ client = 78-curve-brainpoolP384r1-tls13-client
[78-curve-brainpoolP384r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = brainpoolP384r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[78-curve-brainpoolP384r1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP384r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -2361,13 +2361,13 @@ client = 79-curve-brainpoolP512r1-tls13-client
[79-curve-brainpoolP512r1-tls13-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Curves = brainpoolP512r1
MaxProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[79-curve-brainpoolP512r1-tls13-client]
CipherString = ECDHE
CipherString = ECDHE@SECLEVEL=1
Curves = brainpoolP512r1
MinProtocol = TLSv1.3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

9
test/ssl-tests/14-curves.cnf.in
View File

@ -36,10 +36,11 @@ sub generate_tests() {
name => "curve-${curve}",
server => {
"Curves" => $curve,
"CipherString" => 'DEFAULT@SECLEVEL=1',
"MaxProtocol" => "TLSv1.3"
},
client => {
"CipherString" => "ECDHE",
"CipherString" => 'ECDHE@SECLEVEL=1',
"MaxProtocol" => "TLSv1.3",
"Curves" => $curve
},
@ -56,10 +57,11 @@ sub generate_tests() {
name => "curve-${curve}",
server => {
"Curves" => $curve,
"CipherString" => 'DEFAULT@SECLEVEL=1',
"MaxProtocol" => "TLSv1.3"
},
client => {
"CipherString" => "ECDHE",
"CipherString" => 'ECDHE@SECLEVEL=1',
"MaxProtocol" => "TLSv1.2",
"Curves" => $curve
},
@ -100,10 +102,11 @@ sub generate_tests() {
name => "curve-${curve}-tls13",
server => {
"Curves" => $curve,
"CipherString" => 'DEFAULT@SECLEVEL=1',
"MaxProtocol" => "TLSv1.3"
},
client => {
"CipherString" => "ECDHE",
"CipherString" => 'ECDHE@SECLEVEL=1',
"MinProtocol" => "TLSv1.3",
"Curves" => $curve
},

32
test/ssl-tests/22-compression.cnf
View File

@ -21,12 +21,12 @@ client = 0-tlsv1_3-both-compress-client
[0-tlsv1_3-both-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Options = Compression
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-tlsv1_3-both-compress-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Options = Compression
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -47,11 +47,11 @@ client = 1-tlsv1_3-client-compress-client
[1-tlsv1_3-client-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-tlsv1_3-client-compress-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Options = Compression
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -72,12 +72,12 @@ client = 2-tlsv1_3-server-compress-client
[2-tlsv1_3-server-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Options = Compression
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-tlsv1_3-server-compress-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -97,11 +97,11 @@ client = 3-tlsv1_3-neither-compress-client
[3-tlsv1_3-neither-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-tlsv1_3-neither-compress-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -121,12 +121,12 @@ client = 4-tlsv1_2-both-compress-client
[4-tlsv1_2-both-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Options = Compression
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[4-tlsv1_2-both-compress-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
MaxProtocol = TLSv1.2
Options = Compression
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -148,11 +148,11 @@ client = 5-tlsv1_2-client-compress-client
[5-tlsv1_2-client-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[5-tlsv1_2-client-compress-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
MaxProtocol = TLSv1.2
Options = Compression
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@ -174,12 +174,12 @@ client = 6-tlsv1_2-server-compress-client
[6-tlsv1_2-server-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
Options = Compression
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[6-tlsv1_2-server-compress-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@ -200,11 +200,11 @@ client = 7-tlsv1_2-neither-compress-client
[7-tlsv1_2-neither-compress-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[7-tlsv1_2-neither-compress-client]
CipherString = DEFAULT
CipherString = DEFAULT@SECLEVEL=1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer

16
test/ssl-tests/22-compression.cnf.in
View File

@ -21,9 +21,11 @@ our @tests_tls1_3 = (
{
name => "tlsv1_3-both-compress",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"Options" => "Compression"
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"Options" => "Compression"
},
test => {
@ -34,8 +36,10 @@ our @tests_tls1_3 = (
{
name => "tlsv1_3-client-compress",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"Options" => "Compression"
},
test => {
@ -46,9 +50,11 @@ our @tests_tls1_3 = (
{
name => "tlsv1_3-server-compress",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"Options" => "Compression"
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
},
test => {
"CompressionExpected" => "No",
@ -58,8 +64,10 @@ our @tests_tls1_3 = (
{
name => "tlsv1_3-neither-compress",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
},
test => {
"CompressionExpected" => "No",
@ -71,9 +79,11 @@ our @tests_tls1_2 = (
{
name => "tlsv1_2-both-compress",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"Options" => "Compression"
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"Options" => "Compression",
"MaxProtocol" => "TLSv1.2"
},
@ -85,8 +95,10 @@ our @tests_tls1_2 = (
{
name => "tlsv1_2-client-compress",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"Options" => "Compression",
"MaxProtocol" => "TLSv1.2"
},
@ -98,9 +110,11 @@ our @tests_tls1_2 = (
{
name => "tlsv1_2-server-compress",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"Options" => "Compression"
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"MaxProtocol" => "TLSv1.2"
},
test => {
@ -111,8 +125,10 @@ our @tests_tls1_2 = (
{
name => "tlsv1_2-neither-compress",
server => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
},
client => {
"CipherString" => 'DEFAULT@SECLEVEL=1',
"MaxProtocol" => "TLSv1.2"
},
test => {

24
test/sslapitest.c
View File

@ -9507,7 +9507,8 @@ static int test_set_tmp_dh(int idx)
*/
static int test_dh_auto(int idx)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL_CTX *cctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
SSL_CTX *sctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
EVP_PKEY *tmpkey = NULL;
@ -9515,14 +9516,21 @@ static int test_dh_auto(int idx)
size_t expdhsize = 0;
const char *ciphersuite = "DHE-RSA-AES128-SHA";
if (!TEST_ptr(sctx) || !TEST_ptr(cctx))
goto end;
switch (idx) {
case 0:
/* The FIPS provider doesn't support this DH size - so we ignore it */
if (is_fips)
return 1;
if (is_fips) {
testresult = 1;
goto end;
}
thiscert = cert1024;
thiskey = privkey1024;
expdhsize = 1024;
SSL_CTX_set_security_level(sctx, 1);
SSL_CTX_set_security_level(cctx, 1);
break;
case 1:
/* 2048 bit prime */
@ -9548,8 +9556,10 @@ static int test_dh_auto(int idx)
/* No certificate cases */
case 5:
/* The FIPS provider doesn't support this DH size - so we ignore it */
if (is_fips)
return 1;
if (is_fips) {
testresult = 1;
goto end;
}
ciphersuite = "ADH-AES128-SHA256:@SECLEVEL=0";
expdhsize = 1024;
break;
@ -9562,8 +9572,8 @@ static int test_dh_auto(int idx)
goto end;
}
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
if (!TEST_true(create_ssl_ctx_pair(libctx, NULL,
NULL,
0,
0,
&sctx, &cctx, thiscert, thiskey)))

19
tools/c_rehash.in
View File

@ -17,8 +17,6 @@ my $prefix = {- quotify1($config{prefix}) -};
my $errorcount = 0;
my $openssl = $ENV{OPENSSL} || "openssl";
my $pwd;
my $x509hash = "-subject_hash";
my $crlhash = "-hash";
my $verbose = 0;
my $symlink_exists=eval {symlink("",""); 1};
my $removelinks = 1;
@ -27,10 +25,7 @@ my $removelinks = 1;
while ( $ARGV[0] =~ /^-/ ) {
my $flag = shift @ARGV;
last if ( $flag eq '--');
if ( $flag eq '-old') {
$x509hash = "-subject_hash_old";
$crlhash = "-hash_old";
} elsif ( $flag eq '-h' || $flag eq '-help' ) {
if ( $flag eq '-h' || $flag eq '-help' ) {
help();
} elsif ( $flag eq '-n' ) {
$removelinks = 0;
@ -203,22 +198,24 @@ sub compute_hash {
# certificate fingerprints
sub link_hash_cert {
link_hash($_[0], 'cert');
link_hash($_[0], 'cert', '-subject_hash');
link_hash($_[0], 'cert', '-subject_hash_old');
}
# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
sub link_hash_crl {
link_hash($_[0], 'crl');
link_hash($_[0], 'crl', '-hash');
link_hash($_[0], 'crl', '-hash_old');
}
sub link_hash {
my ($fname, $type) = @_;
my $is_cert = $type eq 'cert';
my ($fname, $type, $hash_name) = @_;
my $is_cert = $type eq 'cert' or $type eq 'cert_old';
my ($hash, $fprint) = compute_hash($openssl,
$is_cert ? "x509" : "crl",
$is_cert ? $x509hash : $crlhash,
$hash_name,
"-fingerprint", "-noout",
"-in", $fname);
chomp $hash;