libressl-devel-3.3.3-lp152.3.3.1<>,`k/=„@&va2plOW͊Ȯɀ]E LJ):~hAD?4d # f 9NT\RR HR R 4R R RRnR,R t ! ! """3("58"<;9#(;:(;FGRHRI`RXY\R]PR^b;cdve{f~luRvwRx`Ry z0Clibressl-devel3.3.3lp152.3.3.1Development files for LibreSSL, an SSL/TLS protocol implementationLibreSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It derives from OpenSSL, with the aim of refactoring the OpenSSL code so as to provide a more secure implementation. This subpackage contains libraries and header files for developing applications that want to make use of libressl.`klamb13nopenSUSE Leap 15.2openSUSEOpenSSLhttp://bugs.opensuse.orgDevelopment/Libraries/C and C++http://libressl.org/linuxx86_642t!|w G g59%w\@h&&:0 Cw6}4'NH( $-#cQvO*sk++&uSSk m5wPo)NfP\wB. b$)W7A큤`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`k`kb1a9652554dbc8f59f1c738871d9deca91a4f343d9a9321ead22140561850d5ae248ede4a87361ef987b08a3eb27d78c12a51a72123c7c089409730a903d586b2cf69241687efecaa64deff90a1b314f6d7c744c5ffa95e9350772613d5c64c44f58bc8477d20384fc4c14424bf425ad2a7d28cae48522677c122968c059ba934f77271e14e77e629492aa25d5602eaa396d05f076ac02ee44aea2b39f2286709ed141304b928f5781ae3d2dabb2648f3214ca3f33e4ff2ce35f36576d9dbdcc84afaf3681dab2ad4095a6c886ce50ff93d1e7b5ef1f21bea36ed4c01d410d8e7c493b1665915dfe9901cbe0e4d0289c16aef34df5369e5594fd407aee46baa64bfda9dc565fdd5c657bdc16937e4f168c79b1215f5b722c869f7248591f1e2a1249f724f0d2b8a9c042302ee2f0dfb233a96c3b169542825abbdabd7c54c7320c620f0b656374510e4a332f80462b026bf7e5323160c42a319e76b37cbda4bf28c82a0cbd386eaad8de7457adb6117ec423864b53c44e94a45f280a1cfc13b9e6c5682589c2bf0711681d9bd71d5a5364bb40ec6704e114b8a358649d11da4ffd077d3504f5a00d03b4cbceca199b3ef579bfda0242f59adebb4be3fe11ddc8d4ca31b4a952302c58fc0df2e58d1f4bfdb855f910c58a9d3502c3acb36ece27a6fe3b7302188c194d5a29192fb009aa566dc8ba714db92ec572830e043d713f89dea030aa3fb68ae72a0a7bb8c6be377c29937cb6972610bcff82af6e983027d85d3c10ebacb6b405fe8b0d821a6f2947584b89a13b49106d32d5cd0526d96cfab2fde73d2b0f8c62b59bdee2af943509a92ecf3ade1a14bfbebbafa1a8d4a39c17843584bc9c1ce0825496050b4c31f4fdcde33e5641acdaccc7edfc0d3427fa8665bfc8094ca7ebaf1fdc1889fd2891591b137563974fdac2603b95b793c198f3c2327a200a51f4dd97206caccf684be77569dd8338ef5373817b28b9df4db82d26e65df36d744ac5182f938ec018cbca41a442b3f8d178e7a608e391a770a4d041c554463b61a2564fb3443a2bbd7783a911e6a731fadb00b4f75bfc567a735fa0581b280229586d28a2c6e1704c051ed15ff1f1e14a31c4d325f4975ba528aea386d5b4ce5a40ef7a88172e996f5ff40ae8d129078a62376c1478ae7adf1005b57c98f6b7ed5c49df9193b32557bc9d92461a565fab08e7a005587d6d80dccf5f62af420b8f5f44d6f7c19a55d77a9275292f802aaf038d5736dd3553a5078b4510956c946956825bd2da96814d91fce1b234874d8f011ce29b62376d0045e2898778ca55ab00f6bad0f4d4ec3e8e6a49a7997ca3253d7cf426441f9cd7279e2089b4e541ae9213b9c625e46706c19ff88fd2b4828a1465ebfb97e85e4883f5087481b9bdc0bd990e9967c6b35e90a6b27971f0ce4d7eb4e4cee0ac26abe64fd4d299199b83802641066dcab235ade36a91e6c4cc9fa7d596fbc0d76fa12f58b369e39b0dd55fc76d081de6142fc2a731bbfeb35878c664e25e940ed6c0e9fc70bad4ffc365b0eff1622b5736c832c0875d5746227a352dfb4d8d592fe69277a8ef5d7fa70aaeb96907b9319708dff41d66f7914fd123c0069210120e183fa55e0bf777a25b7501024db575f8e917b0f000217771c430c5e857d7faae128f7eb57fa04917fa958269f49d5ad9496f6515f076cec3cfd0b6d12584ec62a8e863e307e587beb1501abc41d21b73ccbcddbb337f37886776cb34081036c7ddd2cbed61e6f9eb63a050f2aaf2593d6b5f435f9879eaeea65b3ab075aa25d9b1a8afb47e02a5feb33982fa4efd5e8c5f0b7bb263677b23413550069e958d4733455a2e27d71bea7a3c708692c90f731b054c87f30aa137a80ba4ccc7a073d68ff0bad2c1c1e191eaedaa4137e88748c58d62da2c0cdf0439cd71bc44bd9626e91089a309f2b63f21d699a051bca87d7bb10f4cb7e29155c10dbb9d5f2f70a5ab1e1113962bfef5a07dbc9189378723694f7fcf7af865efb6bc1e32c34fb3829bfe2baa3383282f82c12af5ebc75ca6f8d2b8cde9084321c283119f8818239f62aeba64107914989378498cc23a754353a0b882ccf4779be92acb8671e188dc2e92bea3cd25aa9b4cf58e9b42c0a5cc4cfc0bd7bd06c156774f1642f80bb4b20efd3ec27b79023b9b3ed45f3675d2397fd36326663b8ac6019cb96d48003d8e07f5c31f217cea35bb379a78327dd785eedaadaa1b16fe35e0ef0ade96ae8e8976cdc1857987283d599b0d6b5df734349b75b52e0c5c379c8c5c06a07c72067fc39e5851474b2c9ee06041efae492a0c96430e0df20e243cec98f0bca8f1949bbc2ced32d5840b295abc3639a52223fd3016b7b0adcacdfc9a83a1bfc1f568b682e2d9f1c7b4c4a49ffd5c8f4d96a7354208d68b3a14e462d1cd9f1957be3ae442c9f65c9a7990482eeb7813b975f73d21ff23c46a7b20b8dc3908a31863fc960da420f39df38323fb7277e800f605feee4d9f75610bb62d70083a224b9f828b027b514cc849480210d447cc81fc71eae100c1f7f87f902589ea862e152ee26d18e91ea70ebd5166a70eb91c8cdff6c9094692026cf243d61ae1c6e6c152b0d45b49dd7624c931cd66ad839604d19ec54c29d921a678e1ab956e97e31819ffef41bc0ddab2acb054786a022f44fb08ff602239419a335ea791ebd1a970ff9550f8315850df7444466b9f49e715f244a66670936f6a4a83a7a63fc51477bde57c76dffde52dfb112e908629535f19c64325f04a13bb903e1888cfd7d7f1de65db6da36d25563fe4102c958d8e3537647d13747d0a2b3f84e2c1ad1e6484bb4941b359453f9e112d4e9959d97d76646984060dd93e1310a84d96fcf8d6e3acf7bfe5a687c8168ae1402a462dc9d646fcf7f2af091dbd54f0b8c69cddfeb6b7ce03017c50364dd59d167b14db35ff210327d57cabfb14be2ae40e440de2aad14d5b2791375e11f03c51d4a05f3c31670183d68dfc7ebcf2d7de947e8cb1cb3e29cb30c1c6132afbe4fb84da6371f5ea6e33628dbc0fc45e730cf79d4ec4614452a4411bd1b6462525e022f0d7b30a1dd8326ca1fe96d3d829ee064458eb0ddf1d47fbf28ad6698ce24060e3138fa811f09100bdad645ccce08aed8715c8a1dea85ececceff42522b62ce4ff043490cb4407ec0022ec212c677a177f70a2430888c9c975a9d2eb5a195a7a0f4dceae498d8570f9dcf226e543bf8a11dbff2c1a612aff579736f8c78bd7263d1c3796517652a1b8c24255ed235821995d1b4154c52a86d5541cd83ee5b16a407675b34d487bf5f0c46226f2ed3d848763200e2221dff3bcd36ecb716b9bba8448c584fbceb476c4fd87ee6dc6d85b17f255be1c6461dc2c8c16c4b76ad08b2f83c4775c67edabe0055b56d2d6c2043cd6fa43c33c98afaa97c5c7b4dce6005e71992324880d44edb00cbe3bd70a38605a0f2c2e70a5e55798051172b3046b9c834d43f609b209262dbc931bd203057e71fbf207a72ff9libcrypto.so.46.0.2libssl.so.48.0.2libtls.so.20.0.3rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootlibressl-3.3.3-lp152.3.3.1.src.rpmlibressl-devellibressl-devel(x86-64)pkgconfig(libcrypto)pkgconfig(libssl)pkgconfig(libtls)pkgconfig(openssl)@@@    /usr/bin/pkg-configlibcrypto46libssl48libtls20pkgconfig(libcrypto)pkgconfig(libssl)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.3.33.3.33.3.33.0.4-14.6.0-14.0-15.2-1libopenssl-develotherproviders(ssl-devel)4.14.1``W5@`'@_ _"_=@^^@^]L@\9\@\\B@\ @[ @[@[@[j@Z?Z@ZZ@Z;@Z%8Z@Y*@YKYY@Y i@Y XX@W@WWWZWPW)@V@V@VjV9@V VU@UUU@U@UzU@U @TT@TÉ@TT~@Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt sean@suspend.netBernhard Wiedemann Jan Engelhardt Jan Engelhardt jengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.detchvatal@suse.comtchvatal@suse.comjengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.deastieger@suse.comjengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.deastieger@suse.comjengelh@inai.dejengelh@inai.dejengelh@inai.desor.alexei@meowr.rujengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.de- Update to release 3.3.3 * Support for DTLSv1.2. * Continued rewrite of the record layer for the legacy stack. * Numerous bugs and interoperability issues were fixed in the new verifier. A few bugs and incompatibilities remain, so this release uses the old verifier by default. * The OpenSSL 1.1 TLSv1.3 API is not yet available.- Update to release 3.2.5 * A TLS client using session resumption may have caused a use-after-free.- Update to release 3.2.4 * Switch back to certificate verification code from LibreSSL 3.1.x. The new verifier is not bug compatible with the old verifier causing issues with applications expecting behavior of the old verifier. * Unbreak DTLS retransmissions for flights that include a CCS. * Implement autochain for the TLSv1.3 server. * Use the legacy verifier for autochain. * Implement exporter for TLSv1.3. * Plug leak in x509_verify_chain_dup().- Update to release 3.2.3 * Fixed: Malformed ASN.1 in a certificate revocation list or a timestamp response token could lead to a NULL pointer dereference.- Update to release 3.2.2 * New X509 certificate chain validator that correctly handles multiple paths through intermediate certificates. * New name constraints verification implementation. * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h. * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash. * Avoid an out-of-bounds write in BN_rand(). * Fix numerous leaks in the UI_dup_* functions. * Avoid an out-of-bounds write in BN_rand().- Update to release 3.1.4 * TLS 1.3 client improvements: * Improve client certificate selection to allow EC certificates instead of only RSA certificates. * Do not error out if a TLSv1.3 server requests an OCSP response as part of a certificate request. * Fix SSL_shutdown behavior to match the legacy stack. The previous behaviour could cause a hang. * Fix a memory leak and add a missing error check in the handling of the key update message. * Fix a memory leak in tls13_record_layer_set_traffic_key. * Avoid calling freezero with a negative size if a server sends a malformed plaintext of all zeroes. * Ensure that only PSS may be used with RSA in TLSv1.3 in order to avoid using PKCS1-based signatures. * Add the P-521 curve to the list of curves supported by default in the client.- Update to release 3.1.3 * Fixed libcrypto failing to build a valid certificate chain due to expired untrusted issuer certificates.- Update to release 3.1.2 * A TLS client with peer verification disabled may crash when contacting a server that sends an empty certificate list.- Update to release 3.1.1 * Completed initial TLS 1.3 implementation with a completely new state machine and record layer. TLS 1.3 is now enabled by default for the client side, with the server side to be enabled in a future release. Note that the OpenSSL TLS 1.3 API is not yet visible/available. * Improved cipher suite handling to automatically include TLSv1.3 cipher suites when they are not explicitly referred to in the cipher string. * Provided TLSv1.3 cipher suite aliases to match the names used in RFC 8446. * Added cms subcommand to openssl(1). * Added -addext option to openssl(1) req subcommand. * Added -groups option to openssl(1) s_server subcommand. * Added TLSv1.3 extension types to openssl(1) -tlsextdebug.- Update to release 3.0.2 * Use a valid curve when constructing an EC_KEY that looks like X25519. The recent EC group cofactor change results in stricter validation, which causes the EC_GROUP_set_generator() call to fail. * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. (Note that the CMS code is currently disabled).- Update to new upstream release 2.9.2 * Fixed SRTP profile advertisement for DTLS servers.- Update to new upstream release 2.9.1 * Added the SM4 block cipher from the Chinese standard GB/T 32907-2016. * Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH. * Implemented further missing OpenSSL 1.1 API. * Added support for XChaCha20 and XChaCha20-Poly1305. * Added support for AES key wrap constructions via the EVP interface.- Add openssl(cli) provides. Replace otherproviders conflict by normal Conflict+Provides.- Update to new upstream release 2.9.0 * CRYPTO_LOCK is now automatically initialized, with the legacy callbacks stubbed for compatibility. * Added the SM3 hash function from the Chinese standard GB/T 32905-2016. * Added more OPENSSL_NO_* macros for compatibility with OpenSSL. * Added the ability to use the RSA PSS algorithm for handshake signatures. * Added functionality to derive early, handshake, and application secrets as per RFC8446. * Added handshake state machine from RFC8446. * Added support for assembly optimizations on 32-bit ARM ELF targets. * Improved protection against timing side channels in ECDSA signature generation. * Coordinate blinding was added to some elliptic curves. This is the last bit of the work by Brumley et al. to protect against the Portsmash vulnerability.- Update to new upstream release 2.8.3 * Fixed warnings about clock_gettime on Windows VS builds * Fixed CMake builds on systems where getpagesize is inline * Implemented coordinate blinding for EC_POINT for portsmash * Fixed a non-uniformity in getentropy(2) to discard zeroes- Update extra-symver.diff to fix build with -j1- Update to new upstream release 2.8.2 * Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors, along with test harness fixes.- Update to new upstream release 2.8.1 * Simplified key exchange signature generation and verification. * Fixed a one-byte buffer overrun in callers of EVP_read_pw_string. * Modified signature of CRYPTO_mem_leaks_* to return -1. This function is a no-op in LibreSSL, so this function returns an error to not indicate the (non-)existence of memory leaks. * SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher, X509_OBJECT_up_ref_count now return an int for error handling, matching OpenSSL. * Converted a number of #defines into proper functions, matching OpenSSL's ABI. * Added X509_get0_serialNumber from OpenSSL. * Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching OpenSSL. * Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL. * Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be retrieved and set with appropriate validation.- Update to new upstream release 2.8.0 * Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry. * Tighten up checks for various X509_VERIFY_PARAM functions, 'poisoning' parameters so that an unverified certificate cannot be used if it fails verification. * Fixed a potential memory leak on failure in ASN1_item_digest. * Fixed a potential memory alignment crash in asn1_item_combine_free. * Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths. * Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds. * Added const annotations to many existing APIs from OpenSSL, making interoperability easier for downstream applications. * Added a missing bounds check in c2i_ASN1_BIT_STRING. * Removed three remaining single DES cipher suites. * Fixed a potential leak/incorrect return value in DSA signature generation. * Added a blinding value when generating DSA and ECDSA signatures, in order to reduce the possibility of a side-channel attack leaking the private key. * Added ECC constant time scalar multiplication support. * Revised the implementation of RSASSA-PKCS1-v1_5 to match the specification in RFC 8017. * Changes from 2.7.4: * Avoid a timing side-channel leak when generating DSA and ECDSA signatures. [CVE-2018-12434, boo#1097779] * Reject excessively large primes in DH key generation.- Update to new upstream release 2.7.3 * Removed incorrect NULL checks in DH_set0_key(). * Limited tls_config_clear_keys() to only clear private keys.- Update to new upstream release 2.7.2 * Updated and added extensive new HISTORY sections to the API manuals.- Update to new upstream release 2.7.1 * Fixed a bug in int_x509_param_set_hosts, calling strlen() if name length provided is 0 to match the OpenSSL behaviour. [CVE-2018-8970, boo#1086778]- Update to new upstream release 2.7.0 * Added support for many OpenSSL 1.0.2 and 1.1 APIs. * Added support for automatic library initialization in libcrypto, libssl, and libtls. * Converted more packet handling methods to CBB, which improves resiliency when generating TLS messages. * Completed TLS extension handling rewrite, improving consistency of checks for malformed and duplicate extensions. * Rewrote ASN1_TYPE_ get,set _octetstring() using templated ASN.1. This removes the last remaining use of the old M_ASN1_ macros (asn1_mac.h) from API that needs to continue to exist. * Added support for client-side session resumption in libtls. * A libtls client can specify a session file descriptor (a regular file with appropriate ownership and permissions) and libtls will manage reading and writing of session data across TLS handshakes. * Merged more DTLS support into the regular TLS code path.- Update to new upstream release 2.6.4 * Make tls_config_parse_protocols() work correctly when passed a NULL pointer for a protocol string. * Correct TLS extensions handling when no extensions are present.- Add extra-symver.diff- Update to new upstream release 2.6.3 * Added support for providing CRLs to libtls - once a CRL is provided via tls_config_set_crl_file(3) or tls_config_set_crl_mem(3), CRL checking is enabled and required for the full certificate chain. * Reworked TLS certificate name verification code to more strictly follow RFC 6125. * Relaxed SNI validation to allow non-RFC-compliant clients using literal IP addresses with SNI to connect to a libtls-based TLS server. * Added tls_peer_cert_chain_pem() to libtls, useful in private certificate validation callbacks such as those in relayd. * Added SSL{,_CTX}_set_{min,max}_proto_version(3) functions. * Imported HKDF (HMAC Key Derivation Function) from BoringSSL. * Dropped cipher suites using DSS authentication. * Removed support for DSS/DSA from libssl. * Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category. * Removed NPN support - NPN was never standardised and the last draft expired in October 2012. * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken CryptoPro clients. * Removed support for the TLS padding extension, which was added as a workaround for an old bug in F5's TLS termination. * Added ability to clamp notafter values in certificates for systems with 32-bit time_t. This is necessary to conform to RFC 5280 §4.1.2.5. * Removed the original (pre-IETF) chacha20-poly1305 cipher suites. * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. - Add des-fcrypt.diff [boo#1065363]- Update to new upstream release 2.6.2 * Provide a useful error with libtls if there are no OCSP URLs in a peer certificate. * Keep track of which keypair is in use by a TLS context, fixing a bug where a TLS server with SNI would only return the OCSP staple for the default keypair. - Update to new upstream release 2.6.1 * Added tls_config_set_ecdhecurves() to libtls, which allows the names of the eliptical curves that may be used during client and server key exchange to be specified. * Removed support for DSS/DSA, since we removed the cipher suites a while back. * Removed NPN support. NPN was never standardised and the last draft expired in October 2012. ALPN was standardised. * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken CryptoPro clients. * Removed support for the TLS padding extension, which was added as a workaround for an old bug in F5's TLS termintation. * Added ability to clamp notafter values in certificates for systems with 32-bit time_t. This is necessary to conform to RFC 5280 §4.1.2.5. * Implemented the SSL_CTX_set_min_proto_version(3) API. * Removed the original (pre-IETF) chacha20-poly1305 cipher suites. * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.- Update to new upstream release 2.6.0 * Added support for providing CRLs to libtls. Once a CRL is provided, we enable CRL checking for the full certificate chain. * Allow non-compliant clients using IP literal addresses with SNI to connect to a server using libtls. * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey(). * Added definitions for three OIDs used in EV certificates. * Plugged a memory leak in tls_ocsp_free. * Added tls_peer_cert_chain_pem, tls_cert_hash, and tls_hex_string to libtls, useful in private certificate validation callbacks. * Reworked TLS certificate name verification code to more strictly follow RFC 6125. * Added tls_keypair_clear_key for clearing key material. * Removed inconsistent IPv6 handling from BIO_get_accept_socket, simplified BIO_get_host_ip and BIO_accept. * Fixed the openssl(1) ca command so that is generates certificates with RFC 5280-conformant time. * Added ASN1_TIME_set_tm to set an asn1 from a struct tm *. * Added SSL{,_CTX}_set_{min,max}_proto_version() functions. * Added HKDF (HMAC Key Derivation Function) from BoringSSL * Providea a tls_unload_file() function that frees the memory returned from a tls_load_file() call, ensuring that it the contents become inaccessible. This is specifically needed on platforms where the library allocators may be different from the application allocator. * Perform reference counting for tls_config. This allows tls_config_free() to be called as soon as it has been passed to the final tls_configure() call, simplifying lifetime tracking for the application. * Moved internal state of SSL and other structures to be opaque. * Dropped cipher suites with DSS authentication.- Update to new upstream release 2.5.5 * Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category.- Add conflict between libressl and the main versioned packages too- Add conflict for split openssl packages- Update to new upstream release 2.5.4 * Reverted a previous change that forced consistency between return value and error code when specifing a certificate verification callback, since this breaks the documented API. * Switched Linux getrandom() usage to non-blocking mode, continuing to use fallback mechanims if unsuccessful. * Fixed a bug caused by the return value being set early to signal successful DTLS cookie validation.- Update to new upstream release 2.5.1 * Avoid a side-channel cache-timing attack that can leak the ECDSA private keys when signing. [bnc#1019334] * Detect zero-length encrypted session data early * Curve25519 Key Exchange support. * Support for alternate chains for certificate verification. - Update to new upstream release 2.5.2 * Added EVP interface for MD5+SHA1 hashes * Fixed DTLS client failures when the server sends a certificate request. * Corrected handling of padding when upgrading an SSLv2 challenge into an SSLv3/TLS connection. * Allowed protocols and ciphers to be set on a TLS config object in libtls. - Update to new upstream release 2.5.3 * Documentation updates - Remove ecs.diff (merged)- Add ecs.diff [bnc#1019334]- Update to new upstream release 2.5.0 * libtls now supports ALPN and SNI * libtls adds a new callback interface for integrating custom IO functions. * libtls now handles 4 cipher suite groups: "secure" (TLSv1.2+AEAD+PFS), "compat" (HIGH:!aNULL), "legacy" (HIGH:MEDIUM:!aNULL), "insecure" (ALL:!aNULL:!eNULL). This allows for flexibility and finer grained control, rather than having two extremes. * libtls now always loads CA, key and certificate files at the time the configuration function is called. * Add support for OCSP intermediate certificates. * Added functions used by stunnel and exim from BoringSSL - this brings in X509_check_host, X509_check_email, X509_check_ip, and X509_check_ip_asc. * Improved behavior of arc4random on Windows when using memory leak analysis software. * Correctly handle an EOF that occurs prior to the TLS handshake completing. * Limit the support of the "backward compatible" ssl2 handshake to only be used if TLS 1.0 is enabled. * Fix incorrect results in certain cases on 64-bit systems when BN_mod_word() can return incorrect results. BN_mod_word() now can return an error condition. * Added constant-time updates to address CVE-2016-0702 * Fixed undefined behavior in BN_GF2m_mod_arr() * Removed unused Cryptographic Message Support (CMS) * More conversions of long long idioms to time_t * Reverted change that cleans up the EVP cipher context in EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the previous behaviour. * Avoid unbounded memory growth in libssl, which can be triggered by a TLS client repeatedly renegotiating and sending OCSP Status Request TLS extensions. * Avoid falling back to a weak digest for (EC)DH when using SNI with libssl.- Update to new upstream release 2.4.2 * Ensured OSCP only uses and compares GENERALIZEDTIME values as per RFC6960. Also added fixes for OCSP to work with intermediate certificates provided in responses. * Fixed incorrect results from BN_mod_word() when the modulus is too large. * Correctly handle an EOF prior to completing the TLS handshake in libtls. * Removed flags for disabling constant-time operations. This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time.- Update to new upstream release 2.4.2 * Ensured OSCP only uses and compares GENERALIZEDTIME values as per RFC6960. Also added fixes for OCSP to work with intermediate certificates provided in responses. * Fixed incorrect results from BN_mod_word() when the modulus is too large. * Correctly handle an EOF prior to completing the TLS handshake in libtls.- Update to new upstream release 2.4.1 * Correct a problem that prevents the DSA signing algorithm from running in constant time even if the flag BN_FLG_CONSTTIME is set.- Update to new upstream release 2.4.0 * Added missing error handling around bn_wexpand() calls. * Added explicit_bzero calls for freed ASN.1 objects. * Fixed X509_*set_object functions to return 0 on allocation failure. * Implemented the IETF ChaCha20-Poly1305 cipher suites. * Changed default EVP_aead_chacha20_poly1305() implementation to the IETF version, which is now the default. * Fixed password prompts from openssl(1) to properly handle ^C. * Reworked error handling in libtls so that configuration errors are visible. * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.- Update to new upstream release 2.3.4 [boo#978492, boo#977584] * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.- Update to new upstream release 2.3.3 * cert.pem has been reorganized and synced with Mozilla's certificate store- Update to new upstream release 2.3.2 * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD construction introduced in RFC 7539, which is different than that already used in TLS with EVP_aead_chacha20_poly1305(). * Avoid a potential undefined C99+ behavior due to shift overflow in AES_decrypt. - Remove 0001-Fix-for-OpenSSL-CVE-2015-3194.patch, 0001-Fix-for-OpenSSL-CVE-2015-3195.patch (included)- Add 0001-Fix-for-OpenSSL-CVE-2015-3194.patch, 0001-Fix-for-OpenSSL-CVE-2015-3195.patch [boo#958768]- Update to new upstream release 2.3.1 * ASN.1 cleanups and RFC5280 compliance fixes. * Time representations switched from "unsigned long" to "time_t". LibreSSL now checks if the host OS supports 64-bit time_t. * Changed tls_connect_servername to use the first address that resolves with getaddrinfo(). * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of sizeof(RC4_CHUNK). - Drop CVE-2015-5333_CVE-2015-5334.patch (merged)- Security update for libressl: * CVE-2015-5333: Memory Leak [boo#950707] * CVE-2015-5334: Buffer Overflow [boo#950708] - adding CVE-2015-5333_CVE-2015-5334.patch- Update to new upstream release 2.3.0 * SSLv3 is now permanently removed from the tree. * libtls API: The read/write functions work correctly with external event libraries. See the tls_init man page for examples of using libtls correctly in asynchronous mode. * When using tls_connect_fds, tls_connect_socket or tls_accept_fds, libtls no longer implicitly closes the passed in sockets. The caller is responsible for closing them in this case. * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no longer supported. * SHA-0 is removed, which was withdrawn shortly after publication 20 years ago.- Update to new upstream release 2.2.3 * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not include TLS extensions, resulting in such handshakes being aborted. This release corrects the handling of such messages.- drop /etc/ssl/cert.pem- Avoid file conflict with ca-certificates by dropping /etc/ssl/certs- Update to new upstream release 2.2.2 * Incorporated fix for OpenSSL issue #3683 [malformed private key via command line segfaults openssl] * Removed workarounds for TLS client padding bugs, removed SSLv3 support from openssl(1), removed IE 6 SSLv3 workarounds, removed RSAX engine. * Modified tls_write in libtls to allow partial writes, clarified with examples in the documentation. * Building a program that intentionally uses SSLv3 will result in a linker warning. * Added TLS_method, TLS_client_method and TLS_server_method as a replacement for the SSLv23_*method calls. * Switched `openssl dhparam` default from 512 to 2048 bits * Fixed `openssl pkeyutl -verify` to exit with a 0 on success * Fixed dozens of Coverity issues including dead code, memory leaks, logic errors and more.- Update to new upstream release 2.2.1 [bnc#937891] * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL * Removed Dynamic Engine support * Removed unused and obsolete MDC-2DES cipher * Removed workarounds for obsolete SSL implementations * Fixes and changes for plaforms other than GNU/Linux- Update to new upstream release 2.2.0 * Removal of OPENSSL_issetugid and all library getenv calls. Applications can and should no longer rely on environment variables for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still supported with the openssl(1) command. * libtls API and documentation additions * fixed: * CVE-2015-1788: Malformed ECParameters causes infinite loop * CVE-2015-1789: Exploitable out-of-bounds read in X509_cmp_time * CVE-2015-1792: CMS verify infinite loop with unknown hash function (this code is not enabled by default) * already fixed earlier, or not found in LibreSSL: * CVE-2015-4000: DHE man-in-the-middle protection (Logjam) * CVE-2015-1790: PKCS7 crash with missing EnvelopedContent * CVE-2014-8176: Invalid free in DTLS- Ship pkgconfig files again- Update to new upstream release 2.1.6 * Reject server ephemeral DH keys smaller than 1024 bits * Fixed CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp * Fixed CVE-2015-0287 - ASN.1 structure reuse memory corruption * Fixed CVE-2015-0289 - PKCS7 NULL pointer dereferences * Fixed CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error * Fixed CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref- Update to 2.1.4: * Improvements to libtls: - a new API for loading CA chains directly from memory instead of a file, allowing verification with privilege separation in a chroot without direct access to CA certificate files. - Ciphers default to TLSv1.2 with AEAD and PFS. - Improved error handling and message generation. - New APIs and improved documentation. * Add X509_STORE_load_mem API for loading certificates from memory. This facilitates accessing certificates from a chrooted environment. * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by using 'TLSv1.2+AEAD' as the cipher selection string. * New openssl(1) command 'certhash' replaces the c_rehash script. * Server-side support for TLS_FALLBACK_SCSV for compatibility with various auditor and vulnerability scanners. * Dead and disabled code removal including MD5, Netscape workarounds, non-POSIX IO, SCTP, RFC 3779 support, "#if 0" sections, and more. * The ASN1 macros are expanded to aid readability and maintainability. * Various NULL pointer asserts removed in favor of letting the OS/signal handler catch them. * Refactored argument handling in openssl(1) for consistency and maintainability. * Support for building with OPENSSL_NO_DEPRECATED. * Dozens of issues found with the Coverity scanner fixed. * Fix a minor information leak that was introduced in t1_lib.c r1.71, whereby an additional 28 bytes of .rodata (or .data) is provided to the network. In most cases this is a non-issue since the memory content is already public. * Fixes for the following low-severity issues were integrated into LibreSSL from OpenSSL 1.0.1k: - CVE-2015-0205 - DH client certificates accepted without verification. - CVE-2014-3570 - Bignum squaring may produce incorrect results. - CVE-2014-8275 - Certificate fingerprints can be modified. - CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client].- Add package signatures- Update to new upstream release 2.1.3 * Fixes for various memory leaks in DTLS, including those for CVE-2015-0206. * Application-Layer Protocol Negotiation (ALPN) support. * Simplfied and refactored SSL/DTLS handshake code. * SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932. * Ensure the stack is marked non-executable for assembly sections.- Update to new upstream release 2.1.2 * The two cipher suites GOST and Camellia have been reworked or reenabled, providing better interoperability with systems around the world. * The libtls library, a modern and simplified interface for secure client and server communications, is now packaged. * Assembly acceleration of various algorithms (most importantly AES, MD5, SHA1, SHA256, SHA512) are enabled for AMD64. - Remove libressl-no-punning.diff (file to patch is gone)- Update to new upstream release 2.1.1 * Address POODLE attack by disabling SSLv3 by default * Fix Eliptical Curve cipher selection buglamb13 1625844729  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQR3.3.3-lp152.3.3.13.3.3-lp152.3.3.13.3.33.3.33.3.33.3.3opensslaes.hasn1.hasn1t.hbio.hblowfish.hbn.hbuffer.hcamellia.hcast.hchacha.hcmac.hcms.hcomp.hconf.hconf_api.hcrypto.hcurve25519.hdes.hdh.hdsa.hdso.hdtls1.hec.hecdh.hecdsa.hengine.herr.hevp.hgost.hhkdf.hhmac.hidea.hlhash.hmd4.hmd5.hmodes.hobj_mac.hobjects.hocsp.hopensslconf.hopensslfeatures.hopensslv.hossl_typ.hpem.hpem2.hpkcs12.hpkcs7.hpoly1305.hrand.hrc2.hrc4.hripemd.hrsa.hsafestack.hsha.hsm3.hsm4.hsrtp.hssl.hssl2.hssl23.hssl3.hstack.htls1.hts.htxt_db.hui.hui_compat.hwhrlpool.hx509.hx509_verify.hx509_vfy.hx509v3.htls.hlibcrypto.solibssl.solibtls.solibcrypto.pclibssl.pclibtls.pcopenssl.pc/usr/include//usr/include/openssl//usr/lib64//usr/lib64/pkgconfig/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:16678/openSUSE_Leap_15.2_Update/ad212ff1f37670e0c6fb0ee4a7a341ed-libressl.openSUSE_Leap_15.2_Updatedrpmxz5x86_64-suse-linuxdirectoryC source, ASCII textASCII textpkgconfig filePRPRRPRPRRR/ j".=h}utf-83164932696e6031d6dc41392acb81b78e24f1d1bf774c61ab2b68dfc0d00ff85?7zXZ !t/(ODA]"k%]d)(c|s3'i3)֐iS-Ǹ{6::R4fj6Jqʸjzq|nSxyx8`N&U5fhӫrX%H}k$#tB"IT.G3,S$Vc١D#l&O>Ej m,-h#X5Fda=L(m!gº5T7})_*̒ hFp3ŵYOWtvmwXQ|8w.ĩtdW|3czAtLx4۴:biEUgs;UhQP? w &,ukk¨$KO!,Cj+]HS7R3{ ~7K-^cZuG[ܖ;鎾-_1C2=NJyz$jLMۣ^Nvlڏ$5Obgl'BэhȀţ!uo Q=~l#*uAF!G uoXm'-= E!U{aa+nO2o}侅T[pÀm1C0JNFQJطa3CHgÎ_ElV,us望 b+E X0erl{0d-*_I:M|[(wWўp"$5]˂@`I-ߦ㚶*]p8Biҧ5abnש17HsS.H޶dy`Z '%QEPQkݪA2( 772gW:`Lۏuװy@vNho_`M̉ ieϻ_@G]pK2Pf!?ٰ gm O"};EOV?qXTI+_̈1 Br 4'm},Ft)-7۝}\YDәa?jJɴx/+b['BӳQr?*zai^Ό-g.Bwwzmr D4@c]N7HF.9D앋~DqI#5,_ *[ZhHI@n0GPS4#GZʰ2ml&Ya!]F)/JpJ@_o`Êtaٴ!%ӼoӶق唑B jw1_ڰxq.IM|Te\371:o]P  {^H߲l<>H7z{?S=/fxiҡہt "X2rst/4}fUJk$PP(fDO*"bTn;DeC4~\E7,@:$d׵ =WUFYH}/ l1Eeюrzk4]2~EO{6oh ] HD-͆'RcfkU/I5`iq'ރ)uF!1?3J~`Ծu{%W >"f[BAeP,:?ѳkzsrrK`ܟ3A٭-w*>%CA4 <\XZs!Wh ;h%g|M>D:twlxz’M2?L m]݅Qx/qq?I2} Byߐ|A?y0!*'s%WkrK';$JB.K+@téVDZ4Zlmj?:W0,`c?Uqv+%_F))ea$ psOvv="ƚ^nNU^Oa{H~͘ ,ѻصu<]HB_⪤ ZAl\Z$]ƋI0lxÓ8!M;92|8YKkM;릫n})D4zp3ҙ~ =,FBKU`Cp#E‰U"H̯O6tꝢWs,FAuymȲ_aKLЊi@F^xv\8z՛kch=&I_f&;r8V 1p/ yeFUM8ho_~2PyC"sh.mQid(iy 7dCNm3[@}? l{2\d2A͂/B4Q-sA"gZ w #mz,' OfĬ >! )*`)光\:ۄ\jy!\q7\_Y(Nau7j+y|J)jHXYZ>%%*.g]N B"5ZSt5/ Vsl^oNr* Y!jfՅji%ghY!_?!n/R0,Dw?cBZx<,K]h|%T;@9NW "^kw^M-<@ȍ''1d/OٟtB[TB LzD%zx0bU"9"P<d9T&>+zV44!!6Ņ1'# tѶY`6}_Y,\=$1K\}>{KOD; xدHvxXBVPloIsk5暼jpǽ3ȫu;A>h[vUoPJQPGwNW%H6翘FdDDmޒJ08 *0 סȮ&ZzZ=gC$bS0y5!:dJfܪ9 y}m `qm˚9hoё(4-m--oYK Y'Ʉ&*BsQZ[k8M2~e4IQT=]Ͼoo]\5]a7R+­g7\zíJWxU2Чw`vMyyKjHز́#? r@X!iVчzC`vψ(HMQB_WdE) B'nn5dp (%?ղ-E '=&El=❯`kԱg3qVV40ZVv6}:Zmgd:s&_-Mٹ3\Ld?'Y&"ߎۦ&\Fn~Ԕ jIc]]NI`^]B{>=T{7dL He3[I&{ w>cPu0lMu2*4 =/UhqP{{ɜR75: i{S@\q[x>@.N:euꑳT:VG,S21T8pIrK{Orj 4b3}@JOƶyK)镜/B4;ԘG=4= S} l'jS(P DC?|/j%1(ZeDL5NQ8rn 2C:Џy(^_hMR =ð'6 g0'QKpZZatz\86:J[ >{V\ðak Jy4EFJ"[>ȂixƮT`W+>CXEKEYRaO@$t DԬڪm_t*WNĮDf.\O\<'(nrKٽ}.W9VNi0E1#e^ޗ60?O8^X4ueQcVgo:xaOA Y] U,ian T_> h/+G!B=?5-Ԁۄ&D(㋍ H )"U7˻Zfs:AT>ȂPҞ .=J^;yx<9Q^"mդvL=e)xD }yr@KWG[v+``z8\ U&t I#iK$ ud_8 T %j5MdJy:(>xH)V5?\xc=^6.t'~phJ,&„B|:k?s2Q YU^Hof^_ J P9!>̰$av=i8}La:}Kg)QȬmzPWJE-D,4Pލ͙(:82OY8 rÓW[+ah=3# I!s`nntŜK& LcG[c#:X|KXiIymWg,`݋@gg i26lR>e=*%8*~ה˞7*{lb`kF~݀@:Юрr. \'l%Ţ+L~rdP>>KIAf Mep0'bxYUUm-Nusؖ"SJbp\.n֐uճbO vd_+|+^E$V/BƩJ+jA歊RmxC@81Jc Z;;U18`1y".ʧ/ 2FG<8}oS1LHx]B #6un>S{~}$$ $;[~>9{B!yx F&|~V`T*^g?Ä*#h64M@b68e{_b%G=}3kxtR,CidQ] PS(vvh]}ne}ߡG)BVΪ*YJdwK(XMzۛQ[;]s|w<7ܨN#w PYS< =bƮJ:[at̪\ʩ &zTv+Sg[VUW 8 ZtB2P p<0㋪b݄;.vnSp,uOP2˨rIV@+CCr (ӔSjtr[7pB r-P,rzmV ˷n02uC2p a2ڴ(w?s+!f:+>"Uˁ;kMn Gl+g-0.c/>vךvd[d)(U%芵[EbX`ᗤH˨M~1@(7,,\[RVJK@S6έ]+˪_=qTb5'{bQkD;}ld$cKױ2$eljn˕v:b7\o7+pJlS'0X=D0E vsp+<{؎]$cEn3hJ- ;Kw`[Ar))-E nc4e?9_v}2 qe[AUhVZsE`!)XU#io8-6= :fG2? sf{;O/xԨf°ܰ.Ƽ`$ ubsmWfŽ߲G$;sɍގ:!.@ y`SEmTsDOcе]30ZaȦH#Y(+8H]W\#$(ީvMN4t1[$#Żx)tMK?9f[,=1cAcM rsPfVfMKַ]4͡IEEmWv|ͻ79C_:]j)FʜOv$`[ѿgؔ!eipsܥӵabu+dM`8Nѹj%Wny6󬅣`tcxU!yBeQDvvR35dNԌ8m<0NvW1o<➦*qZ@GfSXg@2X5schv<}y#i]+0xx. 8 <+= X;"%}‡BPttITCZ;W;p#~5Yy/km3ʴQUB c۫GH/`f²^9tyija˚ 7:k/ۺf•+]0`$"Aj͋TmT?\V* ?d;Vrxxs Vv?AXפ͑HGFcqvE O!;TNjq-5d{J}(*Q/dH}_m7MşkrLqh1#$z(ČIlxx᷸3ݹ;;9 {Ld(cSˢ$ mpK:&g?V7@3b(l0ڑ7=E괋R!y 73mjSJoxjO!Cćzi8'jPJEcq:*x0A +Lam\ڰLՙg\j9،c]ipMFj鸬"$J&2 wx9$ހ*vU^~+ ـ|ߍE y{0 t~E$ga5ިnBu:eR0N CD*.4[#]NY+VYgE!0-gC!UX;Npo,0)?|(b/divEGJl7ξ4?V} K$.|ZZ=I?LMdu~} P@D3^ 6KQ* g-62`Ql )t4oXm2"i >13%q+^(w{8̿kW)PVO¦A0 ͝HF~MsĽAyΚ+EbPP@l.̨8Dc"m5 p`a~Y%&V.#}{R` .U. A<<%Օ|Stc$UH&W񜈃covw s$>/k^j둻Z7G' aYrI#:EYϜTD{j9Ь(`{:)uBυx%iA;NvK*d^>21q2R&G|jEչD^ ڦdN5&KD^ll[=sǣLFih.]l0]=d{O?+,f[^2S,\ v}/g~DԖ^A8K-O=,i?C*9wYqE#&_/:#_DέcB4Ќ(6ݎ4> BӠ*:9YPPb-0M!ÿ=yEq,O%ϥ=K!d'dRܭODbzKu/2WiQ <iŷ:z&< (C3#E!wxuaǣ`H E3XgfFlfɇ?[֔Q[?:zBHi%˓fғhͼUiS&* .V2$ +6 )ڸ5؅Eލ%kZEtb>ɡ*6l&FEC黲[;sCȆ&eK]09Q]p|(`ck+'8TfH l%EdE (U\gm\XQ߰M˗ {E1gCiP!;4DjiJ5|Ԩu#+Ͳ).[h4ƿaivwë[n=H_]KCxlowꈖӘ$?ds 3=⺉?wK<}ד`1pTԥ$/ʋhgwnLJbn=8zZ`>-5tźFK U - :`]"5%ޘ؟9 ^@ @hjfeViAU"UV*a@Oؗ=orb>kZFny\w 51iMG]TS u^hM[uxq{c+ hA2B$N)J\kFTRYAp̑Ƨc`G$8H|DVTn*zk7on@N@VDxRzZ0>׼{ ;(x=iƒߋSϪ$WgHi*#Փ QI{ ]/3ijP[;!{}vL(pʇTLȷt>ʯy) Cj(XbRX:2nHq1I.)ZH`AJTЇF@ VTZ<upσ_<(b'k&:]BVuIOvdxg *@yH+3T ;UTЇk L(+R{ &KQUo:F`@el6Z|o(|e#W4VdI+2 mi=%=N'(L7+8Rmn(qc߈ HZh5 l|k'IDu .->9@t ʡs~v*B)LgE% гvEAve@X ċdqAM_iy=5´"HM4ijh= MS$)arSzv/°ZŝAENsOm"ge@揎HE'U؀}XpRn42 JO^ &|gk},<`"b3OÕ&7RM:=Ȍ/Wl=1`H:?-Р gaxnlr$Fjjmr6o6tigCҶcp|MMhke2Jt"TbG^<+I9#)[6ۦB6Jԁi൳Ƹ2n5攤\ }_³ONS?mx Ƃ򊬤-Mz,W!)g:O)FX/{ "Nv`h&`L g c@-̄Ѝ2 ʱ{~e8Wtֻ`l1EayҶn̈́vb' <*_MxHB~ZcZ<ӢQtsrlXYEmr>NHl-cWEc)hHjⴔs1>+BOlԸ/|tm  .,iHyyf/%Xg@ ʤ׻f!S;ӿlkW Mja{LᗌT~"ŧya%U S6goZuAÌVӉ."_#@7^壟tUNXWTuՈ?V[djMWpU↛B]r=IhW 9?wVzژz/2ݛk{gm-: 9@`D.fZY?p\ -?!te2lH- e_&܌g&CsH|~ƨF5N hc:#<)3D0 SzaCamV G3ss/^l<} {rc 0>51`?y`T)6Lq,Ϥo>&S#sJ/Vy:s٤ꓧZw#I2Eqvg$nH"wH!0/ܸ"dI/_}Rȁ5_Gz4!!ߝ=TM[l*g.o/.bs|7yǠ&i#5t݁?ro} “waܼ,, 瞛r*b'1rRk6S B٪V9zawǰ\/yTr9?9]TyWu};X+F*fNApkn}҃Zx " !;w4lΔxj΅S:IŹ"ep Xm H.v)Uole\-b mm$(S vnieZ(Ԥ\ mc7& AQh8*"<> aVV26Z2ԅzZ,Eݑo hn/З,c';#~PIskTDFDm"#rɌu/jx"SI+~U3(NhG+)%" VŃ݅x5ZJ} qT d]6<'} ANoKq$Z.b(puEe$2n"\+-kB]#:7-$Sl*p~G3"P523pAډ@, 'Gv&BA5G@G% ȵbw;j7W)56M4~RqcF $^퍜ߌiiMº1&P}O>saVXvC&+P*f?;4}{P.ur3librx:iA,' M10QJq1aģeUAZѓ3tġ YR.j:Hm#9{D)w"zQzHI!\ԲF@Y ˠh43rbnH"ErM66m" 5gsc <2g n%EVUdYB9Sr(}%$GZ3Fy8t !'Q%*tUHQ$Xa|w*a0M} .L>DEk6'+;Mݰŷx7uMBd{1 ΡUhm9ʝ5fc%|cO kku>Zfw+U{̘{ Y|(!5n