From team at libreswan.org Fri Jan 26 03:44:53 2018 From: team at libreswan.org (The Libreswan Project) Date: Thu, 25 Jan 2018 22:44:53 -0500 (EST) Subject: [Swan-announce] libreswan-3.23 released Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The Libreswan Project has released libreswan-3.23 This is a feature and maintenance release. New Features: MOBIKE support (RFC 4555) via mobike=yes|no using XFRM_MIGRATE IKEv2 split DNS support (draft-ietf-split-dns) via modecfg* options Postquantim Preshared Keys (PPK) support via ppk=yes|no (draft-ietf-ipsecme-qr-ikev2-01) Improved Multi-domain server support using IDr payloads New IPsec SA options decap-dscp=yes|no and nopmtudisc=yes|no Important bugfixes: Updated nic-offload= support updown now adds/removes IP addresses with "scope 50" pthread handling fixes for busy servers Fix unique marks accidentally setting -1 Compatibility changes: modecfgdns1= and modecfgdns2= merged into a new modecfgdns= option modecfgdomain= option renamed to modecfgdomains= You can download libreswan via https at: https: //download.libreswan.org/libreswan-3.23.tar.gz https: //download.libreswan.org/libreswan-3.23.tar.gz.asc The full changelog is available at: https: //download.libreswan.org/CHANGES Please report bugs either via one of the mailinglists or at our bug tracker: https: //lists.libreswan.org/ https: //bugs.libreswan.org/ Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at https: //download.libreswan.org/binaries/ Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release. See also https://libreswan.org/ v3.23 (January 25, 2018) * IKEv2: MOBIKE support (RFC 4555) [Antony/Paul] * IKEv2: Add support for modecfgdns= and modecfgdomains= like for IKEv1 [Paul] * IKEv2: EXPERIMENTAL: Support for Postquantim Preshared Keys [Vukasin Karadzic] based on draft-ietf-ipsecme-qr-ikev2-01 (using private use numbers) new option: ppk=yes|no|insist (default no) * pluto: Fix DEFAULT_RUNDIR to be set so it is really configurable [Tuomo] * pluto: Add support IDr payload (You Tarzan, me Jane) [Paul] * pluto: pass state to send_crypto_helper_request() [Andrew] * pluto: Internal time/scheduling changes, micro-seconds logging [Andrew] * pluto: make counts of states consistently "unsigned" [Hugh] * pluto/lib: Remove obsoleted/unused %myid support [Paul] * pluto: add --impair replay-forward,replay-backward [Andrew] * pluto: add --impair dup-incoming-packets [Andrew] * pluto: Rework nic offload detection code [Aviv Heller] * pluto: Retry send on -EAGAIN in check_msg_errqueue() (upto 32x) [Paul/Hugh] * pluto: Pull latest kernel traffic counters before logging/deleting SA [Paul] * pluto: STF_INLINE, STF_TOOMUCHCRYPTO no longer needed in helpers [Andrew] * pluto: Replace socket queues with a simple queue and mutex+cont [Andrew] * pluto: Do not send DPD/liveness probes for replaced inactive IPsec SAs [Paul] * pluto: crypto processing cleanup [Andrew] * XFRM: XFRM_MIGRATE support, used for MOBIKE [Antony] * XFRM: Listen to NETLINK_ROUTE messages from kernel for MOBIKE [Antony] * XFRM: Fix unique marks accidentally setting -1 instead of random [Paul] * XFRM: Only install IPv6 holes when system has configured IPv6 [Antony] * XFRM: Add support for decap-dscp=yes|no (default no) [Paul] * XFRM: Add support for nopmtudisc=yes|no (default no) [Paul] * KLIPS: Support kernels 4.14+ with renamed dev->priv_destructor [Paul] * KLIPS: updown fixes for IPv6 default route and metric/mtu settings [Wolfgang] * SECCOMP: Update syscall whitelist for use of libunbound [Paul] * IKEv1: better handle ESP with no integrity vs unknown integrity [Andrew] * IKEv1: Fix packet retransmit code wrf timeouts vs duplucates [Andrew] * IKEv1: Prevent duplicate responder states on retransmision [Andrew] * IKEv1: Don't linger R1 states for 1h but use configured timeouts [Paul] * IKEv2: nat_traversal_change_port_lookup() code moved [Antony] * IKEv2: Macros could misinterpret some IKE/IPsec states [Paul/Antony] * IKEv2: Updated Group transforms to comply with RFC 8247 [Paul] * PAM: Don't cancel pam threads (unsupported!) but drop results instead [Andrew] * _updown: Fix resolv.conf handling (github #130) [Tuomo] * _updown: Fix POINTPOINT interfaces not to use nexthop [Tuomo] * _updown.netkey: Add source ip to dev lo by default [Tuomo] * Makefiles: Fix INC_MANDIR to be share/man and add FINALMANDIR [Tuomo] * packaging: Move debian/ to packaging ('make deb' still works) [Antony] * contrib: Added ipsec-dyndns to demonstrante how push an IPSECKEY [Paul] * Bugtracker bugs fixed: #313: changesource in updown_klips doesn't respect PLUTO_METRIC [Wolfgang] #314: IPv6 default route is deleted by mistake [Wolfgang] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCgAGBQJaaqNfAAoJEIX/S0OzD8b5ZL4P/RRIiqZnRJKdIHkOHpgcY+e8 fMM79EpiSK95UGNnFoGcbOOh3V9YANH6A3gGjQCBflWBByluTYySK3wYuvAMmR8V ypk3BKxHntDuWwMzAHb95BxD44W0UV0rbLC26i1tLOTuM4Mc1/9AsKamq8cYxHMq DHPQXsteoDn49wnRsuJtQ9aUHMdsseqx5Ac5xbw0stamYf4hHxyPepD/jK1LHVzY UktBr1nDhFfqSKMcXVj9bA85hcvxF09/3fBo1bmm1+BiRYuffQ/tF4pQ5daQ80VI 3sYNlCJuW0IY0qnir8vp/DW4sn8mgbK3ula7mL+iw3uyccfkD794QAWceFJPPu50 /NoJLAc1/M9RvhKjT1+xsFm+sHH9OuQuVut8IddqgodyWMGUJ1hQfqndYdOdccuH 0lS3rH7jn2OsUwUCu0w+HmPYi2yNtr0YiCFFAj2B8HqD08vOENd8grVtK/wTdyPA NBpOPs1d5GX5Pvnzrbn9YPx6S10ka/kfi+p73AHhW8aIo2YxK3BBpyMghTNVyExK SM8NIjjthmm3vI5XBnIWg0GkIznkjgsVlW2ihynM4ppDPSNqbWQ2azdfFa5NRXrp ueMLrHiDNSSxQ7fZ5nWIs+4rYgaDct3Evw6RJ1LAZxkcGi0FR9c5LkLiQmjGx4o3 Ece0B6Grn5n3S7MHPLki =z2RT -----END PGP SIGNATURE----- From team at libreswan.org Wed Jun 27 23:40:44 2018 From: team at libreswan.org (The Libreswan Project) Date: Wed, 27 Jun 2018 19:40:44 -0400 (EDT) Subject: [Swan-announce] libreswan-3.25 released Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The Libreswan Project has released libreswan-3.25 This is a major bugfix release with some additional features New Features: Various Opportunistic IPsec related features Harden IP triggered OE with new dns-match-id=yes|no Important bugfixes: Various fixes to VTI interface handling Various updates to updown handling and routing/proxyarp DPD/liveness false positives and false negatives FIPS improvements CRL handling improvements Compatibility changes: connaddrfamily= should no longer be used, and 6in4 and 4in6 should be autodetected. Additionally, hostaddrfamily= and clientaddrfamily= are introduced to the set the endpoint or inner address familes. You can download libreswan via https at: https: //download.libreswan.org/libreswan-3.25.tar.gz https: //download.libreswan.org/libreswan-3.25.tar.gz.asc The full changelog is available at: https: //download.libreswan.org/CHANGES Please report bugs either via one of the mailinglists or at our bug tracker: https: //lists.libreswan.org/ https: //bugs.libreswan.org/ Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at https: //download.libreswan.org/binaries/ Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release. See also https://libreswan.org/ v3.25 (June 27, 2018) * IKEv2: MOBIKE Initiator support (RFC 4555) [Antony] * IKEv2: Support for IKE SA rekeying RFC7296 1.3.2, initiator [Antony] * IKEv2: Support for IPsec SA rekeying RFC7296 1.3.3, initiator [Antony] * IKEv2: Support for IKE SA reauth=yes|no RFC7296 2.8.3 [Antony] * IKEv2: Temporarilly disable Liveness/DPD when MOBIKE kick in [Antony] * IKEv2: No longer allow contradicting esp= and pfs= options [Andrew] * IKEv2: PPK support for authby=rsasig [Vukasin Karadzic] * IKEv2: IANA INTERNAL_DNSSEC_TA allocation added [Paul] * IKEv2: Add PPK support to authby=rsasig [Vukasin] * IKEv2: Don't calculate NO_PPK_AUTH when the POLICY is INSIST [Vukasin] * IKEv2: fix PPK when responder is ppk=no but has a valid PPKID [Paul/Vukasin] * IKEv2: Support for protoport based Opportunistic IPsec [Paul] * IKEv2: Support multiple authby values (eg authby=rsasig,null) [Paul] * IKEv2: Support for AUTHNULL fallback via private use Notify [Vukasin] * IKEv2: Fix v3.23 regression causing liveness check to always fail [Tuomo] * IKEv2: Support for Microsoft rekey bug: ms-dh-downgrade=yes|no [Andrew/Paul] * IKEv2: Allow switching between OE instances with different protoports [Paul] * IKEv2: process INITIAL_CONTACT and delete old states from a connection [Paul] * IKEv2: Only retransmit fragments on receiving first fragment [Andrew] * IKEv2: When sending fragments, also update st_msgid_lastreplied [Paul] * IKEv2: Encrypt IKE_AUTH reply when authenticaion failed [Andrew] * IKEv2: Fix handling of corrupt encrypted packets [Andrew] * IKEv2: Do not call ISAKMP_SA_established() during CREATE_CHILD_SA [Paul] * IKEv2: When receiving Initial Contact, delete old IPsec SA's [Paul] * IKEv2: Harden IP triggered OE with new dns-match-id=yes|no [AntonyPaul] * IKEv2: Add PRF/INTEG support for AES_XCBC / AES_CMAC [Andrew] * IKEv2: permit DH=none (as in esp=aes;none,aes;dh22) [Andrew] * IKEv1: Prevent crashes with IKEv1 mistakenly allowing narrowing=yes [Paul] * IKEv1: DPD was not getting scheduled (bug introduced in 3.23) [Paul] * IKEv1: modecfg_send_set() must not ignore failure of modecfg_resp() [Hugh] * X509: Extend support for wildcard certs matching remote peer ID [Paul/Hugh] * X509: Support PKCS7 for Microsoft interop with intermediate certs [Andrew] * X509: Handle CRL fetching in separate thread [Andrew] * pluto: Obsoleted connaddrfamily= (fixes 6in4 and 4in6) [Paul] * pluto: New hostaddrfamily= and clientaddrfamily= (only needed w DNS) [Paul] * pluto: Cleanup of state/md passing code [Andrew] * pluto: Allow switching back from wrong instance to template conn [Paul] * pluto: disentangle IKEv1 and IKEv2 packet sending code [Andrew] * pluto: Allow rightsubnets= without leftsubnet(s)= [Paul] * pluto: don't share IP leases for authby=secret (in case of group ID) [Paul] * pluto: Parser bug prevented 4in6 config [mhuntxu at github, Daniel M. Weeks] * pluto: Find and delete old connection/states with same ID [Paul/Hugh] * pluto: traffic log (and updown) line had in/out bytes swapped [Paul/Tuomo] * pluto: Fix memory/fd leaks found by Coverity and in cert code [Hugh/Andrew] * pluto: Improve SPD longest prefix to priority calculation [Andrew/Paul/Hugh] * addconn: Fix auto=route and auto=start processing [Paul] * whack/auto: Ensure all status and list commands return no error code [Paul] * KLIPS: Replace deprecated blkcipher with skcipher crypto API [Tijs Van Buggenhout] * FIPS: Support new NIST ACVP protocol with cavp tool cmdline args [Andrew] * FIPS: Don't attempt HMAC integrity test on rsasigkey (rhbz#1544143) [Paul] * FIPS: Don't allow RSA keys < 3072 [Matt/Paul] * FIPS: Enable our PRF aes_xcbc wrapper on NSS hash code in FIPS mode [Andrew] * FIPS: Raise minimum RSA key length allowed to 3072 [Paul] * CAVP: Add - and -json(output) options to CAVP [Andrew] * portexcludes: new command ipsec portexcludes (see portexcludes.conf) [Paul] * _updown.netkey: fix deleting routes when half routes are used [Tuomo] * _updown.netkey: don't delete VTI interfaces until we can refcount [Tuomo] * _updown.netkey: fix unroute: "need at least a destination address" [Tuomo] * _updown.netkey: don't do proxyarp for direct host-host tunnels [Tuomo] * _updown.netkey: force routing if we don't have route to remote network [Tuomo] * _unbound-hook: Pass all IPSECKEY's to pluto, not just the first [Paul] * contrib/python-swan: module to check if trafic get be encrypted [Kim] * contrib/c-swan: example code to check if trafic get be encrypted [Kim] * building: added USE_GLIBC_KERN_FLIP_HEADERS (default off) [Paul] * building: when ElectricFence enabled, add extra system calls to seccomp [Andrew] * ipsec: add checknss option --settrusts to reset CA trusts in nss db [Tuomo] * _updown.netkey: force routing when necessary for IPsec to work [Tuomo] * _updown.netkey: do not proxyarp for host-host tunnels [Tuomo] * look: sort XFRM output by priority [Andrew] * Bugtracker bugs fixed: #311: segfault in crl fetching git master f5b17dc [Andrew, Tuomo] #314: IPv6 default route is deleted by mistake #318: vti interface gets down on previous initiator if roles switch [Tuomo] #320: nsspassword file location is half implemented #328: Addcon crash on duplicit "left" or "leftid" keys in conn config [Stepan Broz] -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJbNCBQAAoJEIX/S0OzD8b5bmAP/RMY8hoJXpE7u115CMP3MEkg ARsBDgiJ3TNbKYbFdGqu/GieLjunnF8QnRBUFnFypzzmxv3YJng4P+3bPKLZsgVl vdTqFj4CHq0NeCmgYpU79pTU9Qs5Zpz6svCEnk655wTNvSN3t/BESw/HHRL5ywBN SLL86RsUcKmwyL2XYTUekH6qcaYEi0Q0R9AL0fPk2pl+Yr7UxJOxG5tuMIVve7dp 4toP+kUSrwLqNPX4+rZQJ9KGjIMkfruPXuw6tgth8NGN17FkPE9l5QvLLmQkHyzf DUqkG6lEUccY2s/ObWhYBi0omhU9C5pgznwly9XCL2M1ktdsYE6StmdFQwcljQCI hu2OzlBPMoALr+IVlH/IkijfpBqIsOgWmYkQTUpYIj+rpk+2HlCYFSC5yoba8qjI THuqewG9CD1obNdHLbvImGLRJMF7MZ1erzYBry6ynA6KoeHAHdjCNsMfA6Zsc+F5 VheIoY7dL8k/x3PUmOvaEvFcsr04RPxbTms1jjPBt0stLauuz20nbT8RLzKVqJV7 sTRfTUMZ57Xz0R6oyplVj4JcZzfUEwSZubq5d6RTbgG/Pt+hjDFUk8fPESZVvqVg qeBIN2nFnvEhwU0OJZXDXgWjbJw8K0dF5VrsKpS9X41QSPG8gobEMUM06D+G7WBn mqFudY9Z4ee3cs1CZwVM =/8E4 -----END PGP SIGNATURE----- From team at libreswan.org Tue Sep 18 22:15:58 2018 From: team at libreswan.org (The Libreswan Project) Date: Tue, 18 Sep 2018 18:15:58 -0400 (EDT) Subject: [Swan-announce] libreswan-3.26 released Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The Libreswan Project has released libreswan-3.26 This is a feature release with some minor bugfixes New Features: * Support for RSA-PSS (RFC 7427) via authby=rsa-sha2 * Support for ECDSA (RFC 7427) via authby=ecdsa-sha2 * Support for CHACHA20POLY1305 for IKE and ESP Bugfixes: * Fix optional key-length regression (in v3.25) with ESP proposal * Be lenient with DH components in ESP when pfs=no * Don't do bogus XAUTH message padding * Fix traffic selector lookup for asymmetric conns You can download libreswan via https at: https: //download.libreswan.org/libreswan-3.26.tar.gz https: //download.libreswan.org/libreswan-3.26.tar.gz.asc The full changelog is available at: https: //download.libreswan.org/CHANGES Please report bugs either via one of the mailinglists or at our bug tracker: https: //lists.libreswan.org/ https: //bugs.libreswan.org/ Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at https: //download.libreswan.org/binaries/ Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release. See also https://libreswan.org/ v3.26 (September 16, 2018) * IKEv2: Support for RSA-PSS (RFC 7427) via authby=rsa-sha2 [Sahana Prasad] * IKEv2: Support for ECDSA (RFC 7427) via authby=ecdsa-sha2 [Sahana Prasad] * IKEv2: Use DER handling code of NSS instead of our custom code [Andrew] * IKEv2: Fix core dump when impaired and proposing esp=null-none [Andrew] * IKEv2: Fix traffic selector lookup for asymmetric conns [Andrew/Paul] * IKEv2: Add IKE and ESP support for chacha20poly1305 (RFC 7634) [Andrew] * IKEv2: Fix leaks in ikev2_calculate_rsa_hash [Hugh] * IKEv2: Simplify proposal generating [Hugh] * IKEv1: Fix handling XAUTH empty passwords [Andrew] * IKEv1: Fix XAUTH message padding [Hugh] * IKEv1: Various code cleanup, next payload handling [Hugh] * IKEv1: fix optional key-length regression (in v3.25) with ESP prop [Andrew] * IKEv1: Don't delete replaced IKE SA, it confuses third party clients [Paul] * pluto: Relax strictness of DH in ESP/AH proposals [Andrew] * pluto: Fix for two roadwarriors using ID_IPv4 behind same NAT [Paul] * pluto: Do not hand out old lease address for authby=secret conns [Paul] * pluto: new --selftest option that exits pluto after startup tests [Paul] * pluto: Updated known Vendor ID table [Paul] * XFRM: Don't call init_pfkey() on boot so Linux upstream can kill it [Andrew] *_unbound-hook: Fixup adding IPv4 pubkey, unbound now quotes arg as 1 [Paul] * building: Fix listed patches for debian build [Paul] * building: enable DH31 (curve25519) per default [Paul] * testing: prepare to migrate from f22 to f28 [Andrew, Antony, Paul] * Bugtracker bugs fixed: #166 IPsec/XAuth reusing lease for multiple clients behind same NAT [Paul] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAEBCgAGBQJbnyw4AAoJEIX/S0OzD8b5bsEP/Rb6SXkqFzW0N9o8pnurNwSl LVDF2c3GwjGs0jHSvTlf5wKK5PTgDX18OxXb31rcQeivGLgv6wlgCynmqYiVxVMZ gm7mjulC15PEI+DvGztRCDvYGBVMFr+lqVHYV8f25/InB0JW0bHE84TJRrudY9mV xQBuyFHfv8eCHpYmjEz90wTHe6+9iXJPRlKcFZDxzZgLySgSlrVwnJ9Q32xrNrbC WYBM4QjVAqgb4gLf7tOv7regMVP//YPaf1Xc9rbqYi6abdW4oNy8zS8N1ZkEYbo1 Ek7O8fcOeol5cSiF//G8z3gEZILlzFn1if3NQW0BrTiF2XQ7Z7tUUBpI9vCyH4Pw 5vOeaqrLUY4MZivxBdRiKYlZeBIdO+vT0VOpiyngjt6JS7MD72dHn4Tf+6rz9vbV LyPeHVb+6JizqxJByI32Bn6O68u3uZ56VyJp8ATKLw51ii9IsMg+nwnS/DiSNgyp irYNxYnRb5rChcP5qpLKsuB4kbGIu0ZTu1/e9cuvcYYNl/HSBcGyWpEuSbwJFL22 rskDEdCe9hhO0lcDFLZKljz6w4KkBS771kAP4J+XbIsoElHUjeiMU5oKDx+tsPZR EE3vnv/58Mr6w8qNtCYE/sdoghRbCFHgyj0rOHV8Fr9V26RHNX8TQS5k80oVRzfj kTmUHI2DQog0VqJ9LJi6 =MALs -----END PGP SIGNATURE----- From team at libreswan.org Wed Oct 10 15:44:15 2018 From: team at libreswan.org (Libreswan Team) Date: Wed, 10 Oct 2018 11:44:15 -0400 (EDT) Subject: [Swan-announce] libreswan-3.27 released Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The Libreswan Project has released libreswan-3.27 This is a bugfix release You can download libreswan via https at: https: //download.libreswan.org/libreswan-3.27.tar.gz https: //download.libreswan.org/libreswan-3.27.tar.gz.asc The full changelog is available at: https: //download.libreswan.org/CHANGES Please report bugs either via one of the mailinglists or at our bug tracker: https: //lists.libreswan.org/ https: //bugs.libreswan.org/ Binary packages for RHEL/EPEL can be found at: https: //download.libreswan.org/binaries/ Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release. See also https://libreswan.org/ v3.27 (October 7, 2018) * XFRM: SA marks must be included for delete operation [Tijs Van Buggenhout] * pluto: Resolve a crasher in ECDSA freeing code [Hugh/Sahana] * pluto: Resolve a hang when recursively loading same config file [Hugh] * pluto: Refuse to load conns with different subnet address families [Paul] * IKEv2: Fix regression on ID_NULL causing a new conn instance [Paul] * IKEv1: Drop duplicates when not a reply [Andrew] * IKEv1: Don't respond with errors to invalid encrypted packets [Andrew] * IKEv1: Don't print empty informational warning on delete payload [Paul] * IKEv1: Don't add spurious ESP-NULL proposal to AH proposals [Andrew] * whack: Release whack socket on IKE_AUTH errors [Andrew] * libswan: fix buffer size to getnameinfo() call in resolve_ppp_peer() [Hugh] * libipsecconf: Don't accidentally clear modecfgdomains= entries [Andrew] * building: Fixup NSS includes and links (fixes Debian builds) [Andrew/Paul] * documentation: Update (L)GPL license links and http -> https links [dkg] * Bugtracker bugs fixed: #177 left=%defaultroute not working when "src" in the default route [Kim] #80 VTI interface vanishes when peer goes down and up [yu-shiba] -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJbvh3gAAoJEIX/S0OzD8b5L4sP+wZ5aTMUsieZDnvn0k7BWM7x 7y+1zsY0IL0xcWhDl+dv1HzbaTX6wt/Gu3bjqPFIEHxHbvU6dkX8Go9OejSrzfq4 J+bC6nv7nFp5mmA4KpYWztGCmNwUO4UX4CWJVW1EA+kXGdy6N63B2wuaYYIwHF+S GkIY0RrG5QioKxOL9z31psJvTE85ah9kIWVZHW7ghb3aAEw7QUe+xeCgaOZeum7e 2Ci0QfaQEe2zWoQDjuUa+pVBwUw3lYeiObBKkKEOBxod15GIdMvUERsvrxCdchS2 ZBOPda3o6m33hq6cllFpdTMi3E/UVrfWds5pCClAi4o3Cv3gk6aEtGxRkihG/nZd TOzVEHFoYNNHuhcOn6TZZG9xBEt8L/eUDMrUSE1vsuI89LQe4Ix2ee70beqgCtft 7YcFqmSBvyPAbzg+jjtorGiux/VKw0bRjbqR0Xg36HjaNd8bxCEg1u7gEzp2L3Nl lTiA1xiqptaju8rfiiDcm8DAsUTm4yDaWNB4MFtJLlKqoJ5aqu8E76maF3wMNzdh rhSVhg667aYaFd5hMzxjTL2/LZNFIrKWKt3BTXa9nqIWX8uRvWTa49pGeQ/9h9HT DeAudjBPLXf2zTKE39mRqNzWti0aEL1zv0Fm3PTtwNqDDsrxQt0MqConoBx25sSF 3kbMPWlD9yd5/QDJIrG3 =YLcq -----END PGP SIGNATURE-----