[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#7348) enhancement: check_password contrib module
Ceci est un message signC) cryptographiquement au format MIME.
--------------ms000000000208070102090606
Content-Type: multipart/mixed;
boundary="------------050908090805020607010105"
This is a multi-part message in MIME format.
--------------050908090805020607010105
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
Here is the patch.
--=20
Guillaume Rousse
INRIA, Direction des syst=E8mes d'information
Domaine de Voluceau
Rocquencourt - BP 105
78153 Le Chesnay
Tel: 01 39 63 58 31
--------------050908090805020607010105
Content-Type: text/x-patch;
name="0001-ITS-7348-new-check_password-contrib-module.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename*0="0001-ITS-7348-new-check_password-contrib-module.patch"
=46rom fa2f6730171ab5755f56ca66715b723df726026d Mon Sep 17 00:00:00 2001
From: Guillaume Rousse <guillomovitch@gmail.com>
Date: Tue, 7 Aug 2012 17:39:21 +0200
Subject: [PATCH] ITS #7348: new check_password contrib module
Signed-off-by: Guillaume Rousse <Guillame.Rousse@inria.fr>
---
contrib/slapd-modules/README | 3 +
contrib/slapd-modules/check-password/Makefile | 52 +++
contrib/slapd-modules/check-password/README | 146 +++++++++
.../slapd-modules/check-password/check_password.c | 356 +++++++++++++++=
++++++
4 files changed, 557 insertions(+)
create mode 100644 contrib/slapd-modules/check-password/Makefile
create mode 100644 contrib/slapd-modules/check-password/README
create mode 100644 contrib/slapd-modules/check-password/check_password.c=
diff --git a/contrib/slapd-modules/README b/contrib/slapd-modules/README
index db74379..d8005ff 100644
--- a/contrib/slapd-modules/README
+++ b/contrib/slapd-modules/README
@@ -20,6 +20,9 @@ allop (overlay)
autogroup (overlay)
Automated updates of group memberships.
=20
+check_password (plugin)
+ External password quality check module for ppolicy
+
cloak (overlay)
Hide specific attributes unless explicitely requested
=20
diff --git a/contrib/slapd-modules/check-password/Makefile b/contrib/slap=
d-modules/check-password/Makefile
new file mode 100644
index 0000000..42dd18f
--- /dev/null
+++ b/contrib/slapd-modules/check-password/Makefile
@@ -0,0 +1,52 @@
+
+LDAP_SRC =3D ../../..
+LDAP_BUILD =3D ../../..
+LDAP_INC =3D -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)=
/servers/slapd
+LDAP_LIB =3D $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \
+ $(LDAP_BUILD)/libraries/liblber/liblber.la
+
+CRACKLIB_PATH =3D /usr/share/cracklib/pw_dict
+CRACKLIB_INC =3D=20
+CRACKLIB_LIB =3D -lcrack
+
+CONFIG_PATH =3D /etc/openldap/check_password.conf
+
+LIBTOOL =3D $(LDAP_BUILD)/libtool
+CC =3D gcc
+OPT =3D -g -O2 -Wall
+DEFS =3D -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH=3D"\"$(CRACKLIB_PATH)\"" \
+ -DCONFIG_FILE=3D"\"$(CONFIG_PATH)\"" -DDEBUG
+INCS =3D $(LDAP_INC) $(CRACKLIB_INC)
+LIBS =3D $(LDAP_LIB) $(CRACKLIB_LIB)
+
+PROGRAMS =3D check_password.la
+LTVER =3D 0:0:0
+
+prefix=3D/usr/local
+exec_prefix=3D$(prefix)
+ldap_subdir=3D/openldap
+
+libdir=3D$(exec_prefix)/lib
+libexecdir=3D$(exec_prefix)/libexec
+moduledir =3D $(libexecdir)$(ldap_subdir)
+
+.SUFFIXES: .c .o .lo
+
+.c.lo:
+ $(LIBTOOL) --mode=3Dcompile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
+
+all: $(PROGRAMS)
+
+check_password.la: check_password.lo
+ $(LIBTOOL) --mode=3Dlink $(CC) $(OPT) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+clean:
+ rm -rf *.o *.lo *.la .libs
+
+install: $(PROGRAMS)
+ mkdir -p $(DESTDIR)$(moduledir)
+ for p in $(PROGRAMS) ; do \
+ $(LIBTOOL) --mode=3Dinstall cp $$p $(DESTDIR)$(moduledir) ; \
+ done
+
diff --git a/contrib/slapd-modules/check-password/README b/contrib/slapd-=
modules/check-password/README
new file mode 100644
index 0000000..10191c2
--- /dev/null
+++ b/contrib/slapd-modules/check-password/README
@@ -0,0 +1,146 @@
+
+check_password.c - OpenLDAP pwdChecker library
+
+2007-06-06 Michael Steinmann <msl@calivia.com>
+2008-01-30 Pierre-Yves Bonnetain <py.bonnetain@ba-cst.com>
+2009 Clement Oudot <clem.oudot@gmail.com> - LTB-project
+2009 Jerome HUET - LTB-project
+
+check_password.c is an OpenLDAP pwdPolicyChecker module used to check th=
e
+strength and quality of user-provided passwords.
+
+This module is used as an extension of the OpenLDAP password policy cont=
rols,
+see slapo-ppolicy(5) section pwdCheckModule.
+
+check_password.c will run a number of checks on the passwords to ensure =
minimum
+strength and quality requirements are met. Passwords that do not meet th=
ese
+requirements are rejected.
+
+
+Password checks
+---------------
+ - passwords shorter than 6 characters are rejected if cracklib is used =
(because
+ cracklib WILL reject them).
+
+ - syntactic checks controls how many different character classes are us=
ed
+ (lower, upper, digit and punctuation characters). The minimum number =
of
+ classes is defined in a configuration file. You can set the minimum f=
or each
+ class.
+
+ - passwords are checked against cracklib if cracklib is enabled at comp=
ile
+ time. It can be disabled in configuration file.
+
+INSTALLATION
+------------
+Use the provided Makefile to build the module.
+
+Compilation constants :
+
+CONFIG_FILE : Path to the configuration file.=20
+ Defaults to /etc/openldap/check_password.conf
+
+DEBUG : If defined, check_password will syslog() its actions.
+
+Build dependencies
+cracklib header files (link with -lcrack). The Makefile does not look fo=
r
+cracklib; you may need to provide the paths manually.
+
+Install into the slapd server module path. Change the installation
+path to match with the OpenLDAP module path in the Makefile.
+
+The module may be defined with slapd.conf parameter "modulepath".
+
+USAGE
+-----
+To use this module you need to add objectClass pwdPolicyChecker with an =
+attribute 'pwdCheckModule: check_password.so' to a password policy entry=
=2E
+
+The module depends on a working cracklib installation including wordlist=
files.
+If the wordlist files are not readable, the cracklib check will be skipp=
ed
+silently.
+
+Note: pwdPolicyChecker modules are loaded on *every* password change ope=
ration.
+
+Configuration
+-------------
+The configuration file (/etc/openldap/check_password.conf by default) co=
ntains
+parameters for the module. If the file is not found, parameters are give=
n their
+default value.
+
+The syntax of the file is :
+
+parameter value
+
+with spaces being delimiters. Parameter names ARE case sensitive (this m=
ay
+change in the future).
+
+Current parameters :
+
+- useCracklib: integer. Default value: 1. Set it to 0 to disable crackl=
ib verification.
+ It has no effect if cracklib is not included at compile time.
+
+- minPoints: integer. Default value: 3. Minimum number of quality point=
s a new
+ password must have to be accepted. One quality point is awarded for e=
ach character
+ class used in the password.
+
+- minUpper: integer. Defaut value: 0. Minimum upper characters expected.=
+
+- minLower: integer. Defaut value: 0. Minimum lower characters expected.=
+
+- minDigit: integer. Defaut value: 0. Minimum digit characters expected.=
+
+- minPunct: integer. Defaut value: 0. Minimum punctuation characters exp=
ected.
+
+Logs
+----
+If a user password is rejected by an OpenLDAP pwdChecker module, the use=
r will
+*not* get a detailed error message, this is by design.
+
+Typical user message from ldappasswd(5):
+ Result: Constraint violation (19)
+ Additional info: Password fails quality checking policy
+
+A more detailed message is written to the server log.
+
+Server log:
+ check_password_quality: module error: (check_password.so)
+ Password for dn=3D".." does not pass required number of strength check=
s (2 of 3)
+
+
+Caveats
+-------
+Runtime errors with this module (such as cracklib configuration problems=
) may
+bring down the slapd process.
+
+Use at your own risk.
+
+
+TODO
+----
+* use proper malloc function, see ITS#4998
+
+
+HISTORY
+-------
+* 2009-10-30 Clement OUDOT - LTB-project
+ Version 1.1
+ - Apply patch from Jerome HUET for minUpper/minLower/minDigit/minPunc=
t
+
+* 2009-02-05 Clement Oudot <clem.oudot@gmail.com> - LINAGORA Group
+ Version 1.0.3
+ - Add useCracklib parameter in config file (with help of Pascal Pejac)=
+ - Prefix log messages with "check_password: "
+ - Log what character type is found for quality checking
+
+* 2008-01-31 Pierre-Yves Bonnetain <py.bonnetain@ba-cst.com>
+ Version 1.0.2
+ - Several bug fixes.
+ - Add external config file
+
+* 2007-06-06 Michael Steinmann <msl@calivia.com>
+ Version 1.0.1
+ - add dn to error messages
+
+* 2007-06-02 Michael Steinmann <msl@calivia.com>
+ Version 1.0
+
diff --git a/contrib/slapd-modules/check-password/check_password.c b/cont=
rib/slapd-modules/check-password/check_password.c
new file mode 100644
index 0000000..da427e7
--- /dev/null
+++ b/contrib/slapd-modules/check-password/check_password.c
@@ -0,0 +1,356 @@
+/*
+ * check_password.c for OpenLDAP
+ *
+ * See LICENSE, README and INSTALL files
+ */
+
+#include <string.h>
+#include <ctype.h>
+#include <portable.h>
+#include <slap.h>
+
+#ifdef HAVE_CRACKLIB
+#include "crack.h"
+#endif
+
+#if defined(DEBUG)
+#include <syslog.h>
+#endif
+
+#ifndef CRACKLIB_DICTPATH
+#define CRACKLIB_DICTPATH "/usr/share/cracklib/pw_dict"
+#endif
+
+#ifndef CONFIG_FILE
+#define CONFIG_FILE "/etc/openldap/check_password.conf"
+#endif
+
+#define DEFAULT_QUALITY 3
+#define DEFAULT_CRACKLIB 1
+#define MEMORY_MARGIN 50
+#define MEM_INIT_SZ 64
+#define FILENAME_MAXLEN 512
+
+#define PASSWORD_TOO_SHORT_SZ \
+ "Password for dn=3D\"%s\" is too short (%d/6)"
+#define PASSWORD_QUALITY_SZ \
+ "Password for dn=3D\"%s\" does not pass required number of strength che=
cks (%d of %d)"
+#define BAD_PASSWORD_SZ \
+ "Bad password for dn=3D\"%s\" because %s"
+
+typedef int (*validator) (char*);
+static int read_config_file (char *);
+static validator valid_word (char *);
+static int set_quality (char *);
+static int set_cracklib (char *);
+
+int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+
+static int set_quality (char *value)
+{
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Setting quality to [%s]", value);
+#endif
+
+ /* No need to require more quality than we can check for. */
+ if (!isdigit(*value) || (int) (value[0] - '0') > 4) return DEFAULT_QUAL=
ITY;
+ return (int) (value[0] - '0');
+
+}
+
+static int set_cracklib (char *value)
+{
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Setting cracklib usage to [%s]", va=
lue);
+#endif
+
+
+ return (int) (value[0] - '0');
+
+}
+
+static int set_digit (char *value)
+{
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Setting parameter to [%s]", value);=
+#endif
+ if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0;
+ return (int) (value[0] - '0');
+}
+
+static validator valid_word (char *word)
+{
+ struct {
+ char * parameter;
+ validator dealer;
+ } list[] =3D { { "minPoints", set_quality },
+ { "useCracklib", set_cracklib },
+ { "minUpper", set_digit },
+ { "minLower", set_digit },
+ { "minDigit", set_digit },
+ { "minPunct", set_digit },
+ { NULL, NULL } };
+ int index =3D 0;
+
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Validating parameter [%s]", word);
+#endif
+
+ while (list[index].parameter !=3D NULL) {
+ if (strlen(word) =3D=3D strlen(list[index].parameter) &&
+ strcmp(list[index].parameter, word) =3D=3D 0) {
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Parameter accepted.");
+#endif
+ return list[index].dealer;
+ }
+ index++;
+ }
+
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Parameter rejected.");
+#endif
+
+ return NULL;
+}
+
+static int read_config_file (char *keyWord)
+{
+ FILE * config;
+ char * line;
+ int returnValue =3D -1;
+
+ if ((line =3D ber_memcalloc(260, sizeof(char))) =3D=3D NULL) {
+ return returnValue;
+ }
+
+ if ( (config =3D fopen(CONFIG_FILE, "r")) =3D=3D NULL) {
+#if defined(DEBUG)
+ syslog(LOG_ERR, "check_password: Opening file %s failed", CONFIG_FILE)=
;
+#endif
+
+ ber_memfree(line);
+ return returnValue;
+ }
+
+ while (fgets(line, 256, config) !=3D NULL) {
+ char *start =3D line;
+ char *word, *value;
+ validator dealer;
+
+#if defined(DEBUG)
+ /* Debug traces to syslog. */
+ syslog(LOG_NOTICE, "check_password: Got line |%s|", line);
+#endif
+
+ while (isspace(*start) && isascii(*start)) start++;
+
+ if (! isascii(*start))
+ continue;
+
+ if ((word =3D strtok(start, " \t")) && (dealer =3D valid_word(word)) &=
& (strcmp(keyWord,word)=3D=3D0)) {
+ if ((value =3D strtok(NULL, " \t")) =3D=3D NULL)
+ continue;
+
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Word =3D %s, value =3D %s", word,=
value);
+#endif
+
+ returnValue =3D (*dealer)(value);
+ }
+ }
+
+ fclose(config);
+ ber_memfree(line);
+ return returnValue;
+}
+
+static int realloc_error_message (char ** target, int curlen, int nextle=
n)
+{
+ if (curlen < nextlen + MEMORY_MARGIN) {
+#if defined(DEBUG)
+ syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to =
%d",
+ curlen, nextlen + MEMORY_MARGIN);
+#endif
+ ber_memfree(*target);
+ curlen =3D nextlen + MEMORY_MARGIN;
+ *target =3D (char *) ber_memalloc(curlen);
+ }
+
+ return curlen;
+}
+
+ int
+check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+{
+
+ char *szErrStr =3D (char *) ber_memalloc(MEM_INIT_SZ);
+ int mem_len =3D MEM_INIT_SZ;
+
+ int nLen;
+ int nLower =3D 0;
+ int nUpper =3D 0;
+ int nDigit =3D 0;
+ int nPunct =3D 0;
+ int minLower =3D 0;
+ int minUpper =3D 0;
+ int minDigit =3D 0;
+ int minPunct =3D 0;
+ int nQuality =3D 0;
+ int i;
+
+ /* Set a sensible default to keep original behaviour. */
+ int minQuality =3D DEFAULT_QUALITY;
+ int useCracklib =3D DEFAULT_CRACKLIB;
+
+ /** bail out early as cracklib will reject passwords shorter
+ * than 6 characters
+ */
+
+ nLen =3D strlen (pPasswd);
+ if ( nLen < 6) {
+ mem_len =3D realloc_error_message(&szErrStr, mem_len,
+ strlen(PASSWORD_TOO_SHORT_SZ) +
+ strlen(pEntry->e_name.bv_val) + 1);
+ sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen)=
;
+ goto fail;
+ }
+
+ /* Read config file */
+ minQuality =3D read_config_file("minPoints");
+
+ useCracklib =3D read_config_file("useCracklib");
+ minUpper =3D read_config_file("minUpper");
+ minLower =3D read_config_file("minLower");
+ minDigit =3D read_config_file("minDigit");
+ minPunct =3D read_config_file("minPunct");
+
+ /** The password must have at least minQuality strength points with one=
+ * point for the first occurrance of a lower, upper, digit and
+ * punctuation character
+ */
+
+ for ( i =3D 0; i < nLen; i++ ) {
+
+ if ( nQuality >=3D minQuality ) break;
+
+ if ( islower (pPasswd[i]) ) {
+ minLower--;
+ if ( !nLower && (minLower < 1)) {
+ nLower =3D 1; nQuality++;
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Found lower character - quality =
raise %d", nQuality);
+#endif
+ }
+ continue;
+ }
+
+ if ( isupper (pPasswd[i]) ) {
+ minUpper--;
+ if ( !nUpper && (minUpper < 1)) {
+ nUpper =3D 1; nQuality++;
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Found upper character - quality =
raise %d", nQuality);
+#endif
+ }
+ continue;
+ }
+
+ if ( isdigit (pPasswd[i]) ) {
+ minDigit--;
+ if ( !nDigit && (minDigit < 1)) {
+ nDigit =3D 1; nQuality++;
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Found digit character - quality =
raise %d", nQuality);
+#endif
+ }
+ continue;
+ }
+
+ if ( ispunct (pPasswd[i]) ) {
+ minPunct--;
+ if ( !nPunct && (minPunct < 1)) {
+ nPunct =3D 1; nQuality++;
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Found punctuation character - qu=
ality raise %d", nQuality);
+#endif
+ }
+ continue;
+ }
+ }
+
+ if ( nQuality < minQuality ) {
+ mem_len =3D realloc_error_message(&szErrStr, mem_len,
+ strlen(PASSWORD_QUALITY_SZ) +
+ strlen(pEntry->e_name.bv_val) + 2);
+ sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
+ nQuality, minQuality);
+ goto fail;
+ }
+
+#ifdef HAVE_CRACKLIB
+
+ /** Check password with cracklib */
+
+ if ( useCracklib > 0 ) {
+ int j =3D 0;
+ FILE* fp;
+ char filename[FILENAME_MAXLEN];
+ char const* ext[] =3D { "hwm", "pwd", "pwi" };
+ int nErr =3D 0;
+
+ /**
+ * Silently fail when cracklib wordlist is not found
+ */
+
+ for ( j =3D 0; j < 3; j++ ) {
+
+ snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
+ CRACKLIB_DICTPATH, ext[j]);
+
+ if (( fp =3D fopen ( filename, "r")) =3D=3D NULL ) {
+
+ nErr =3D 1;
+ break;
+
+ } else {
+
+ fclose (fp);
+
+ }
+ }
+
+ char *r;
+ if ( nErr =3D=3D 0) {
+
+ r =3D (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
+ if ( r !=3D NULL ) {
+ mem_len =3D realloc_error_message(&szErrStr, mem_len,
+ strlen(BAD_PASSWORD_SZ) +
+ strlen(pEntry->e_name.bv_val) +
+ strlen(r));
+ sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
+ goto fail;
+ }
+ }
+ }
+
+ else {
+#if defined(DEBUG)
+ syslog(LOG_NOTICE, "check_password: Cracklib verification disabled by =
configuration");
+#endif
+ }
+
+#endif
+
+ *ppErrStr =3D strdup ("");
+ ber_memfree(szErrStr);
+ return (LDAP_SUCCESS);
+
+fail:
+ *ppErrStr =3D strdup (szErrStr);
+ ber_memfree(szErrStr);
+ return (EXIT_FAILURE);
+
+}
+
--=20
1.7.11.4
--------------050908090805020607010105--
--------------ms000000000208070102090606
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: Signature cryptographique S/MIME
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIN7jCC
BIowggNyoAMCAQICECf06hH0eobEbp27bqkXBwcwDQYJKoZIhvcNAQEFBQAwbzELMAkGA1UE
BhMCU0UxFDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9vdDAeFw0w
NTA2MDcwODA5MTBaFw0yMDA1MzAxMDQ4MzhaMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
VVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5l
dHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVRO
LVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWlsMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsjmFpPJ9q0E7YkY3rs3BYHW8OWX5ShpHornMSMxqmNVN
NRm5pELlzkniii8efNIxB8dOtINknS4p1aJkxIW9hVE1eaROaJB7HHqkkqgX8pgV8pPMyaQy
lbsMTzC9mKALi+VuG6JG+ni8om+rWV6lL8/K2m2qL+usobNqqrcuZzWLeeEeaYji5kbNoKXq
vgvOdjp6Dpvq/NonWz1zHyLmSGHGTPNpsaguG7bUMSAsvIKKjqQOpdeJQ/wWWq8dcdcRWdq6
hw2v+vPhwvCkxWeM1tZUOt4KpLoDd7NlyP0e03RiqhjKaJMeoYV+9Udly/hNVyh00jT/MLbu
9mIwFIws6wIDAQABo4HhMIHeMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1QaMB0G
A1UdDgQWBBSJgmd9xJ0mcABLtFBIfN49rgRufTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
BAUwAwEB/zB7BgNVHR8EdDByMDigNqA0hjJodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9BZGRU
cnVzdEV4dGVybmFsQ0FSb290LmNybDA2oDSgMoYwaHR0cDovL2NybC5jb21vZG8ubmV0L0Fk
ZFRydXN0RXh0ZXJuYWxDQVJvb3QuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQAZ2IkRbyispgCi
54fBm5AD236hEv0e8+LwAamUVEJrmgnEoG3XkJIEA2Z5Q3H8+G+v23ZF4jcaPd3kWQR4rBz0
g0bzes9bhHIt5UbBuhgRKfPLSXmHPLptBZ2kbWhPrXIUNqi5sf2/z3/wpGqUNVCPz4FtVbHd
WTBK322gnGQfSXzvNrv042n0+DmPWq1LhTq3Du3Tzw1EovsEv+QvcI4l+1pUBrPQxLxtjftz
Mizpm4QkLdZ/kXpoAlAfDj9N6cz1u2fo3BwuO/xOzf4CjuOoEwqlJkRl6RDyTVKnrtw+ymsy
XEFs/vVdoOr/0fqbhlhtPZZH5f4ulQTCAMyOofK7MIIElTCCA32gAwIBAgIQK7maWQuBMVtp
KDwyDC57STANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDEPMA0GA1UEChMGVEVSRU5B
MRswGQYDVQQDExJURVJFTkEgUGVyc29uYWwgQ0EwHhcNMTEwMTExMDAwMDAwWhcNMTQwMTEw
MjM1OTU5WjBYMQswCQYDVQQGEwJGUjEOMAwGA1UEChMFSU5SSUExGTAXBgNVBAMTEEd1aWxs
YXVtZSBST1VTU0UxHjAcBgkqhkiG9w0BCQIWD3JvdXNzZUBpbnJpYS5mcjCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANT2GRniP4zFepDfXQ9qHZCqmyGFsnxP1sAK5gRwh2xm
7EJgNSAlRVkmYdkrohltfjGJWvzmlIc8lgbzPSddeHhlc3SI8ZV3b9gWlyq3asH4oPJ3KuKh
d8s2JLoll4pYRo+EqH/kLr8Tz3xfDEHtXNXiZ4QM6kniyLyk2QKc8UUsxd8f8gbiUW8yP2rB
9MgwbKYHn+EudkGbn+krQGbrBQRK83phYVGNnRy13mlu8Mb+9mmNCJq8cL6vhhIsGB4VRvhb
k3pcZc2zFm9QJFziYLpdqINoh3vmSVHEVN0Oa3KecuXjiaboonCzXnxvdgLWQYAJNglpP7TV
H4PTw+xXLZsCAwEAAaOCAXYwggFyMB8GA1UdIwQYMBaAFGNNQ1oZSD/ERsECur/uDuWCt2am
MB0GA1UdDgQWBBRPxfiKCFknW2HnMSChZnApNelBwjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
AQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwGAYDVR0gBBEwDzANBgsr
BgEEAbIxAQICHTA/BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vY3JsLnRjcy50ZXJlbmEub3Jn
L1RFUkVOQVBlcnNvbmFsQ0EuY3JsMHIGCCsGAQUFBwEBBGYwZDA6BggrBgEFBQcwAoYuaHR0
cDovL2NydC50Y3MudGVyZW5hLm9yZy9URVJFTkFQZXJzb25hbENBLmNydDAmBggrBgEFBQcw
AYYaaHR0cDovL29jc3AudGNzLnRlcmVuYS5vcmcwJAYDVR0RBB0wG4EZR3VpbGxhdW1lLlJv
dXNzZUBpbnJpYS5mcjANBgkqhkiG9w0BAQUFAAOCAQEAQi0EyaS/cO1avHkqFkOVhX5kuG3y
kUlOIrzga2dnR2H7ylRILOTxBLweXL2DKJN+ZPJleLJSmdVcstq0GneSA7D1kJt0aPdMHqI6
8fMcppQer+N1V/9LYJWWRTV6RFrlSduzEU5tmdlG7QbYtvgNtvBliZL06AYPO54FDkHrhfnJ
ldS55eeuAkwFrYkJP1Aa+zo/H2ytzVnIICtZMsZSa7Y2xo4j5Ykxd0HIsc48lmnkDnZ08+yf
AOjJis2tc9eeBdcvQ/Pck+woIDeW9vnahCRcOOqCbmith0cqFvEm8cb1ajPIKmlUGBJi97Qh
XJV8FZcuIK1Naelj/8MDbcd3ZzCCBMMwggOroAMCAQICEHP+V/rfuMUIgXtmuWvwLe8wDQYJ
KoZIhvcNAQEFBQAwga4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2Fs
dCBMYWtlIENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMY
aHR0cDovL3d3dy51c2VydHJ1c3QuY29tMTYwNAYDVQQDEy1VVE4tVVNFUkZpcnN0LUNsaWVu
dCBBdXRoZW50aWNhdGlvbiBhbmQgRW1haWwwHhcNMDkwNTE4MDAwMDAwWhcNMjgxMjMxMjM1
OTU5WjA7MQswCQYDVQQGEwJOTDEPMA0GA1UEChMGVEVSRU5BMRswGQYDVQQDExJURVJFTkEg
UGVyc29uYWwgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIFdn1M2ojoZAN
z7sFRMOrH0o1hRohhaBP+PBA4kpDm/5bsbC/tFfcdYBBS2Qa9ttPb4/QJUU1+erLSvr72tPt
RYgRlDbkzKgN78U9N+0We+PClZ5YM38i+/j/7Oa+264KZSUih9pvhItG6ECGKD+/VgjiSumD
ouki+y36tigfkcHDcftTwCtOpAyhbp1V7ezhJIc6COINHOTETdDLJ/qEZObRl51WJFuTuyku
Q+JBaj3iSmX8ml9ahoe8h8d5gJaZUcaQD2SRmX0Q3awsAyrheGT+zj1O9CtQEUvRWNSbA/B/
9TtTsFND+8UvxAQpGjqs11Xp0Q6V0Tsxf3hPriktAgMBAAGjggFNMIIBSTAfBgNVHSMEGDAW
gBSJgmd9xJ0mcABLtFBIfN49rgRufTAdBgNVHQ4EFgQUY01DWhlIP8RGwQK6v+4O5YK3ZqYw
DgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwGAYDVR0gBBEwDzANBgsrBgEE
AbIxAQICHTBYBgNVHR8EUTBPME2gS6BJhkdodHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVRO
LVVTRVJGaXJzdC1DbGllbnRBdXRoZW50aWNhdGlvbmFuZEVtYWlsLmNybDBvBggrBgEFBQcB
AQRjMGEwOAYIKwYBBQUHMAKGLGh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9VVE5BQUFDbGll
bnRfQ0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqG
SIb3DQEBBQUAA4IBAQAGK6lTLxPcXDkWzIafXkx7cvvsjVWKXpoK/1NMdvQGPVDPV/Ciz6+Z
jKr+oBl2PpkDMvp1gziKu2uapQwTstQbduaULmeYWeORbAKQmpzIYEtVq8qIWo0r5WmVAwfR
1A78JCIuWbFjpF/t2SNy5JzOOlxsH0+pAMkd/vp/RS22LoTdDyegWRhO1XYlRfSZJnnbb58j
90O7Kw8Eo4EmLLd7Nfk9d19AIeZ/HaWWWr3QyxY6bLthi4r9BDlECsss4cvOLhCYGtvgk+1J
ZGQIIJ+3o1Dwot3KtMZ8DD3nXhXcJ4bkOjtSWherqQZTK50Jc2QcAcP9MNKHA2/kFQN6OV9o
MYIDBzCCAwMCAQEwTzA7MQswCQYDVQQGEwJOTDEPMA0GA1UEChMGVEVSRU5BMRswGQYDVQQD
ExJURVJFTkEgUGVyc29uYWwgQ0ECECu5mlkLgTFbaSg8Mgwue0kwCQYFKw4DAhoFAKCCAY0w
GAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTIwODA3MTU1NzI1
WjAjBgkqhkiG9w0BCQQxFgQUQ1jLCcKguMOiIFP7wDC8SLbfFfYwXgYJKwYBBAGCNxAEMVEw
TzA7MQswCQYDVQQGEwJOTDEPMA0GA1UEChMGVEVSRU5BMRswGQYDVQQDExJURVJFTkEgUGVy
c29uYWwgQ0ECECu5mlkLgTFbaSg8Mgwue0kwYAYLKoZIhvcNAQkQAgsxUaBPMDsxCzAJBgNV
BAYTAk5MMQ8wDQYDVQQKEwZURVJFTkExGzAZBgNVBAMTElRFUkVOQSBQZXJzb25hbCBDQQIQ
K7maWQuBMVtpKDwyDC57STBsBgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFlAwQBKjALBglghkgB
ZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsO
AwIHMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBANISMWbCVg4clpyyoU7WyOoP
ENBalFbEzAbA7iBn6edoAEV8jgj41VcGlNsevz8kQrb59GzkjOqMXsIwHTsGvjky738QcFPu
uXyb8ZY+ExFOhgscUVlQ924+idn6xPMstKuM/cPKrknqdrRsS6igOTMVhKjI0s0MX2vsSA8/
FLd48o7B8XE5vWCXpJKExRgZvJdbzxrY3fSFugo3/jrCPz62mquY9u4U55nspkADfd6Ws86J
tzVhlZzAM+CGmBvXETbPOJpP6HV2ORAXhxSX/x2Rn07Rm8kShMVUSeSpg2cH5MiyAXNFwfix
kZDykKSrudGq7u+YrAC/Q6isV4ohEZMAAAAAAAA=
--------------ms000000000208070102090606--