diff -burN openssh-3.7.1p2/Makefile.in openssh/Makefile.in --- openssh-3.7.1p2/Makefile.in 2003-09-21 18:00:12.000000000 -0700 +++ openssh/Makefile.in 2004-02-08 01:54:16.000000000 -0800 @@ -90,6 +90,14 @@ MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 MANTYPE = @MANTYPE@ +SRP_PROGS = srp-keygen$(EXEEXT) moduli2tconf$(EXEEXT) tconf2embed$(EXEEXT) +SRP_CONFIG = moduli2tconf$(EXEEXT) tconf2embed$(EXEEXT) +TARGETS += $(SRP_PROGS) +LIBSSH_OBJS += srp-param.o srp-util.o tpasswd-util.o +SSHDOBJS += auth-srp.o +MANPAGES += srp-keygen.1.out +MANPAGES_IN += srp-keygen.1 + CONFIGFILES=sshd_config.out ssh_config.out moduli.out CONFIGFILES_IN=sshd_config ssh_config moduli @@ -108,11 +116,12 @@ -e 's|/etc/sshrc|$(sysconfdir)/sshrc|g' \ -e 's|/usr/X11R6/bin/xauth|$(XAUTH_PATH)|g' \ -e 's|/var/empty|$(PRIVSEP_PATH)|g' \ + -e 's|/etc/verifier|$(sysconfdir)/verifier|g' \ -e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g' FIXPATHSCMD = $(SED) $(PATHSUBS) -all: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) +all: $(CONFIGFILES) ssh_prng_cmds.out $(SRP_CONFIG) $(MANPAGES) $(TARGETS) $(LIBSSH_OBJS): Makefile.in config.h $(SSHOBJS): Makefile.in config.h @@ -167,6 +176,39 @@ logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) +# moduli2tconf and tconf2embed need to be independent from libssh.a so +# srp-param.c can be rebuilt + +SRP_SUB = log.o xmalloc.o tpasswd-util.o fatal.o + +moduli2tconf$(EXEEXT): $(LIBCOMPAT) moduli2tconf.o $(SRP_SUB) + $(LD) -o $@ moduli2tconf.o $(SRP_SUB) $(LDFLAGS) -lopenbsd-compat $(LIBS) + +tconf2embed$(EXEEXT): $(LIBCOMPAT) tconf2embed.o $(SRP_SUB) + $(LD) -o $@ tconf2embed.o $(SRP_SUB) $(LDFLAGS) -lopenbsd-compat $(LIBS) + +srp-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a srp-keygen.o + $(LD) -o $@ srp-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +# this isn't built by default, but the primality testing code is useful +readtconf$(EXEEXT): $(LIBCOMPAT) libssh.a readtconf.o + $(LD) -o $@ readtconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +# Note that this relies on the "moduli" file being safe! (It's supposed to be.) +# If entries are added to "moduli" they should be checked. +# (DH requirements are different from SRP requirements.) +# The distribution comes with an srp-param.c file that +# has everything in it already (built by the code below): + +srp-param.c: moduli2tconf$(EXEEXT) tconf2embed$(EXEEXT) + @if [ -f srp-param.c ]; then \ + echo srp-param.c will not be overwritten; \ + touch srp-param.c; \ + else \ + ./moduli2tconf$(EXEEXT) moduli | \ + ./tconf2embed$(EXEEXT) $(FAST) libsrp.conf - > srp-param.c; \ + fi + $(MANPAGES): $(MANPAGES_IN) if test "$(MANTYPE)" = "cat"; then \ manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \ @@ -248,6 +290,7 @@ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add $(DESTDIR)$(bindir)/ssh-add $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent $(DESTDIR)$(bindir)/ssh-agent $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen + $(INSTALL) -m 0755 $(STRIP_OPT) srp-keygen $(DESTDIR)$(bindir)/srp-keygen $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan $(INSTALL) -m 0755 $(STRIP_OPT) sshd $(DESTDIR)$(sbindir)/sshd if test ! -z "$(INSTALL_SSH_RAND_HELPER)" ; then \ @@ -270,6 +313,7 @@ fi $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + $(INSTALL) -m 644 srp-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/srp-keygen.1 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(bindir)/slogin ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin @@ -349,6 +393,7 @@ -rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) + -rm -f $(DESTDIR)$(bindir)/srp-keygen$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) @@ -360,6 +405,7 @@ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/srp-keygen.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 diff -burN openssh-3.7.1p2/README.SRP openssh/README.SRP --- openssh-3.7.1p2/README.SRP 1969-12-31 16:00:00.000000000 -0800 +++ openssh/README.SRP 2004-02-08 01:41:02.000000000 -0800 @@ -0,0 +1,76 @@ + +* This patch is relative to openssh-3.7.1p2. + +Recent major changes: 1. SRP is no longer a configuration option; +the code is included by default, and enabled by default. You can still +disable SRP authentication via the configuration file, but if you really +don't want to use SRP, don't apply the patch. 2. Privsep is now supported. + +See installation instructions below. + +NOTE: The srp-param.c file has been regenerated. (Apr 3, 2002) + +The new file contains additional primes from the 'moduli' file. Some of the +old primes (from the old 'primes' file) are no longer in the 'moduli' file; +these were moved to the libsrp.conf file so that old verifiers will continue +to work, with the following exceptions: + +The old 512 bit, 640 bit, and 768 bit primes have been removed from the +default configuration. Their use is deprecated, and users should upgrade +their verifiers if they are using these primes. + +Verifiers that use these old primes may still be used by adding the lines: + +:3Kn/YYiomHkFkfM1x4kayR125MGkzpLUDy3y14FlTMwYnhZkjrMXnoC2TcFAecNlU5kFzgcpKYUbBOPZFRtyf3:2 +:CbDP.jR6YD6wAj2ByQWxQxQZ7.9J9xkn2.Uqb3zVm16vQyizprhBw9hi80psatZ8k54vwZfiIeEHZVsDnyqeWSSIpWso.wh5GD4OFgdhVI3:2 +:iqJ7nFZ4bGCRjE1F.FXEwL085Zb0kLM2TdHDaVVCdq0cKxvnH/0FLskJTKlDtt6sDl89dc//aEULTVFGtcbA/tDzc.bnFE.DWthQOu2n2JwKjgKfgCR2lZFWXdnWmoOh:2 +:///////////93zgY8MZ2DCJ6Oek0t1pHAG9E28fdp7G22xwcEnER8b5A27cED0JTxvKPiyqwGnimAmfjybyKDq/XDMrjKS95v8MrTc9UViRqJ4BffZes8F//////////:7 + +to the SSHDIR/verifier.conf file. + +---------- + +SRP is a strong passphrase authentication method which provides the ability +to authenticate in both directions, without using any client state apart +from the user-entered passphrase. That is, SRP authenticates the server in +addition to the user (preventing host spoofing), and also authenticates the +server host key. Thus it is useful in situations where no authentic host +key is known (because it has been changed, for example). + +To install: + +1. Configure and make as usual. SRP is automatically enabled unless you +uncomment and change the line in SSHDIR/sshd_config that says + + #SRPAuthentication yes + +The server currently defaults to allowing SRP unless it is disabled in the +config file. You may also wish to disable other authentication methods, such +as password. No configuration changes are needed on the client side. + +2. If you already have an /etc/tpasswd file you can skip this step. +Each user must have a verifier entry on the server. To create it, the +user must run + + srp-keygen + +which asks for a passphrase and stores a verifier in $HOME/.ssh/verifier. +The contents of this file must be kept secret: they are vulnerable to a +dictionary attack (this is less of a problem if you use a good pass- +phrase, but few people do). Alternatively the administrator may create +a verifier on behalf of the user: + + mkdir -p ~user/.ssh # if not already present + chmod 700 ~user/.ssh # + srp-keygen -f ~user/.ssh/verifier -u user + chown user ~user/.ssh/verifier + chmod 600 ~user/.ssh/verifier + +with a temporary passphrase that the user can change later, as above. +Multiple verifiers may also be stored in SSHDIR/verifier (or /etc/tpasswd), +in this case the file must not be world readable and must be owned by root. + +3. Finally, if you use /etc/tpasswd, and a user has created and added a new +prime to /etc/tpasswd.conf, the client must also have a copy of this file +(if it doesn't already); it can be copied to either SSHDIR/verifier.conf or +/etc/tpasswd.conf. diff -burN openssh-3.7.1p2/auth-srp.c openssh/auth-srp.c --- openssh-3.7.1p2/auth-srp.c 1969-12-31 16:00:00.000000000 -0800 +++ openssh/auth-srp.c 2004-02-08 01:41:02.000000000 -0800 @@ -0,0 +1,287 @@ +/* SRP implementation for OpenSSH by Dr. Tom . */ + +#include "includes.h" + +#include + +#include "ssh2.h" +#include "xmalloc.h" +#include "packet.h" +#include "log.h" +#include "dispatch.h" +#include "servconf.h" +#include "auth.h" +#include "monitor_wrap.h" +#include "srp.h" + +int auth_srp_param(Authctxt *authctxt); +void fatal_bignum_error(void); +static void input_userauth_srp_value(int type, u_int32_t seq, void *ctxt); +static void input_userauth_srp_proof(int type, u_int32_t seq, void *ctxt); + +/* import */ +extern ServerOptions options; + +static int +userauth_srp(Authctxt *authctxt) +{ + packet_check_eom(); + + /* Allocate an SRP context. */ + + authctxt->srp = SRP_CTX_new(); + + /* Get the user's parameters. */ + + if (!PRIVSEP(auth_srp_param(authctxt))) + packet_disconnect("unknown/unsafe SRP group for user %s", + authctxt->pw->pw_name); + + return auth_srp(authctxt); +} + +/* + * Get the user's parameters, which must be done in the non-chrooted + * parent under privsep. + */ +int +auth_srp_param(Authctxt *authctxt) +{ + /* Find the user's prime p, generator g, verifier v, and salt. */ + + srp_find_verifier(authctxt->pw, authctxt->srp); + + /* Make sure the group is OK (it might be user generated). */ + + return is_safe_group(authctxt->srp->p, authctxt->srp->g); +} + +/* + * First round of SRP authentication. Send the user's parameters, + * then calculate f and return; round 2 begins when we get the reply. + */ +int +auth_srp(Authctxt *authctxt) +{ + int i, plen; + BIGNUM *tmp; + SRP_CTX *srp; + + srp = authctxt->srp; + + /* Send p, g, and salt. */ + + packet_start(SSH2_MSG_USERAUTH_SRP_REPLY); + packet_put_bignum2(srp->p); + packet_put_bignum2(srp->g); + packet_put_string(srp->salt, srp->slen); + packet_send(); + packet_write_wait(); + + /* We can precompute some things now that we'll need later. */ + + /* p-1 */ + + if (!BN_sub(srp->pm1, srp->p, BN_value_one())) + goto err; + + /* + * The random exponent b is ALEN bits long, or the size of p, + * whichever is less. + */ + plen = BN_num_bits(srp->p); + i = ALEN; + if (plen < ALEN) + i = plen; + + /* Loop until we find valid f and u values. */ + + if ((tmp = BN_new()) == NULL) + goto err; + for (;;) { + + /* + * Generate the random exponent b. Ensure that b > lg(p). + * Note that there is only one secret exponent per side, + * which is called 'a' in the SRP_CTX struct. + */ + if (!BN_set_word(tmp, plen)) + goto err; + for (;;) { + if (!BN_rand(srp->a, i, 0, 0)) + goto err; + if (BN_ucmp(srp->a, tmp) > 0) + break; + } + + /* Generate the public value f = (v + g^b) mod p. */ + + if (!BN_mod_exp(srp->f, srp->g, srp->a, srp->p, srp->ctx)) + goto err; + if (!BN_add(srp->f, srp->v, srp->f)) + goto err; + if (BN_ucmp(srp->f, srp->p) >= 0) { + if (!BN_sub(tmp, srp->f, srp->p)) + goto err; + if (BN_copy(srp->f, tmp) == NULL) + goto err; + } + + /* Try again if it's 0, 1, or p-1. */ + + if (BN_is_zero(srp->f) || BN_is_one(srp->f) || + BN_ucmp(srp->f, srp->pm1) == 0) + continue; + + /* Calculate u from f; try again if it's zero. */ + + srp->u = srp_u_calc(srp->f); + if (srp->u != 0) + break; + } + BN_free(tmp); + + /* Now we're all set, so we go back to wait for the next packet. */ + + dispatch_set(SSH2_MSG_USERAUTH_SRP_VALUE, &input_userauth_srp_value); + authctxt->postponed = 1; + return 0; + +err: + fatal_bignum_error(); + return 0; /* mu */ +} + +/* Round 2: send f, calculate the shared secret K and the proofs. */ + +static void +input_userauth_srp_value(int type, u_int32_t seq, void *ctxt) +{ + BIGNUM *tmp, *K; + Authctxt *authctxt; + SRP_CTX *srp; + + /* Make sure we're where we're supposed to be. */ + + authctxt = ctxt; + if (authctxt == NULL || authctxt->srp == NULL) + fatal("input_userauth_srp_value: no context"); + srp = authctxt->srp; + dispatch_set(SSH2_MSG_USERAUTH_SRP_VALUE, NULL); + + /* The client sent us e = g^a mod q. */ + + packet_get_bignum2(srp->e); + packet_check_eom(); + + /* Sanity check e. Abort if e is not in (1, p-1). */ + + if (BN_cmp(srp->e, BN_value_one()) <= 0 || + BN_ucmp(srp->e, srp->pm1) >= 0) + packet_disconnect("bad SRP e value for user %s", + authctxt->pw->pw_name); + + /* Now we can send f. */ + + packet_start(SSH2_MSG_USERAUTH_SRP_VALUE); + packet_put_bignum2(srp->f); + packet_send(); + packet_write_wait(); + + /* + * Calculate the shared secret K = (e * v^u)^b mod p. + * Abort if e * v^u == 1 or -1 mod p. + */ + if ((tmp = BN_new()) == NULL) + goto err; + if ((K = BN_new()) == NULL) + goto err; + + if (!BN_set_word(tmp, srp->u)) + goto err; + if (!BN_mod_exp(K, srp->v, tmp, srp->p, srp->ctx)) /* use K as a temp */ + goto err; + if (!BN_mod_mul(tmp, srp->e, K, srp->p, srp->ctx)) + goto err; + + if (BN_cmp(tmp, BN_value_one()) <= 0 || BN_ucmp(tmp, srp->pm1) >= 0) + packet_disconnect("bad SRP base value"); + + if (!BN_mod_exp(K, tmp, srp->a, srp->p, srp->ctx)) + goto err; + + /* Calculate the exchange hash and proofs. */ + + srp_hash_calc(authctxt->user, authctxt->service, SRP_GEX_SHA1, srp, K); + + BN_clear_free(K); + BN_clear_free(tmp); + + /* Now we're ready for round 3. */ + + dispatch_set(SSH2_MSG_USERAUTH_SRP_PROOF, &input_userauth_srp_proof); + return; + +err: + fatal_bignum_error(); +} + +/* Round 3. Check the client's proof and then send ours. */ + +static void +input_userauth_srp_proof(int type, u_int32_t seq, void *ctxt) +{ + int authenticated, mlen; + char *mbuf; + Authctxt *authctxt; + SRP_CTX *srp; + + authctxt = ctxt; + if (authctxt == NULL || authctxt->srp == NULL) + fatal("input_userauth_srp_proof: no context"); + srp = authctxt->srp; + dispatch_set(SSH2_MSG_USERAUTH_SRP_PROOF, NULL); + + /* Get the client's version of m1. */ + + mbuf = packet_get_string(&mlen); + packet_check_eom(); + + authenticated = 0; + if (mlen == srp->m1len && memcmp(mbuf, srp->m1, mlen) == 0) + authenticated = 1; + + xfree(mbuf); + + /* + * The return proof is either a flag set to true plus the server + * authenticator m2, or if the client was NOT authenticated, + * just the flag, set to false. + */ + packet_start(SSH2_MSG_USERAUTH_SRP_PROOF); + packet_put_char(authenticated); + if (authenticated) + packet_put_string(srp->m2, srp->m2len); + packet_send(); + packet_write_wait(); + + /* All done, nuke the context. */ + + SRP_CTX_free(srp); + authctxt->srp = NULL; + + /* + * Finish up. The client will inform us of our status by either + * accepting or rejecting the success message we send if the + * client was OK. + */ + authctxt->postponed = 0; + mm_send_srp_done(authenticated); + userauth_finish(authctxt, authenticated, SRP_GEX_SHA1); +} + +Authmethod method_srp = { + SRP_GEX_SHA1, + userauth_srp, + &options.srp_authentication +}; diff -burN openssh-3.7.1p2/auth.h openssh/auth.h --- openssh-3.7.1p2/auth.h 2003-09-02 19:11:30.000000000 -0700 +++ openssh/auth.h 2004-02-08 09:01:13.000000000 -0800 @@ -41,6 +41,7 @@ #ifdef KRB5 #include #endif +#include "srp.h" typedef struct Authctxt Authctxt; typedef struct Authmethod Authmethod; @@ -66,6 +67,7 @@ krb5_principal krb5_user; char *krb5_ticket_file; #endif + SRP_CTX *srp; void *methoddata; }; /* @@ -121,6 +123,8 @@ void krb5_cleanup_proc(void *authctxt); #endif /* KRB5 */ +int auth_srp(Authctxt *authctxt); + #include "auth-pam.h" Authctxt *do_authentication(void); diff -burN openssh-3.7.1p2/auth2.c openssh/auth2.c --- openssh-3.7.1p2/auth2.c 2003-09-02 14:32:46.000000000 -0700 +++ openssh/auth2.c 2004-02-08 01:41:02.000000000 -0800 @@ -35,6 +35,7 @@ #include "dispatch.h" #include "pathnames.h" #include "monitor_wrap.h" +#include "srp.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -54,6 +55,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; +extern Authmethod method_srp; #ifdef GSSAPI extern Authmethod method_gssapi; #endif @@ -67,6 +69,7 @@ &method_passwd, &method_kbdint, &method_hostbased, + &method_srp, NULL }; @@ -196,6 +199,10 @@ #endif authctxt->postponed = 0; + if (authctxt->srp) { + SRP_CTX_free(authctxt->srp); + authctxt->srp = NULL; + } /* try to authenticate user */ m = authmethod_lookup(method); diff -burN openssh-3.7.1p2/libsrp.conf openssh/libsrp.conf --- openssh-3.7.1p2/libsrp.conf 1969-12-31 16:00:00.000000000 -0800 +++ openssh/libsrp.conf 2004-02-08 01:41:02.000000000 -0800 @@ -0,0 +1,77 @@ +# These are the default primes and generators used by the srp-1.7.1 +# distribution of libsrp, with lengths >= 1024 bits. +:Ewl2hcjiutMd3Fu2lgFnUXWSc67TVyy2vwYCKoS9MLsrdJVT9RgWTCuEqWJrfB6uE3LsE9GkOlaZabS7M29sj5TnzUqOLJMjiwEzArfiLr9WbMRANlF68N5AVLcPWvNx6Zjl3m5Scp0BzJBz9TkgfhzKJZ.WtP3Mv/67I/0wmRZ:2 +:F//////////oG/QeY5emZJ4ncABWDmSqIa2JWYAPynq0Wk.fZiJco9HIWXvZZG4tU.L6RFDEaCRC2iARV9V53TFuJLjRL72HUI5jNPYNdx6z4n2wQOtxMiB/rosz0QtxUuuQ/jQYP.bhfya4NnB7.P9A6PHxEPJWV//////////:5 +:3NUKQ2Re4P5BEK0TLg2dX3gETNNNECPoe92h4OVMaDn3Xo/0QdjgG/EvM.hiVV1BdIGklSI14HA38Mpe5k04juR5/EXMU0r1WtsLhNXwKBlf2zEfoOh0zVmDvqInpU695f29Iy7sNW3U5RIogcs740oUp2Kdv5wuITwnIx84cnO.e467/IV1lPnvMCr0pd1dgS0a.RV5eBJr03Q65Xy61R:2 +:dUyyhxav9tgnyIg65wHxkzkb7VIPh4o0lkwfOKiPp4rVJrzLRYVBtb76gKlaO7ef5LYGEw3G.4E0jbMxcYBetDy2YdpiP/3GWJInoBbvYHIRO9uBuxgsFKTKWu7RnR7yTau/IrFTdQ4LY/q.AvoCzMxV0PKvD9Odso/LFIItn8PbTov3VMn/ZEH2SqhtpBUkWtmcIkEflhX/YY/fkBKfBbe27/zUaKUUZEUYZ2H2nlCL60.JIPeZJSzsu/xHDVcx:2 +:2iQzj1CagQc/5ctbuJYLWlhtAsPHc7xWVyCPAKFRLWKADpASkqe9djWPFWTNTdeJtL8nAhImCn3Sr/IAdQ1FrGw0WvQUstPx3FO9KNcXOwisOQ1VlL.gheAHYfbYyBaxXL.NcJx9TUwgWDT0hRzFzqSrdGGTN3FgSTA1v4QnHtEygNj3eZ.u0MThqWUaDiP87nqha7XnT66bkTCkQ8.7T8L4KZjIImrNrUftedTTBi.WCi.zlrBxDuOM0da0JbUkQlXqvp0yvJAPpC11nxmmZOAbQOywZGmu9nhZNuwTlxjfIro0FOdthaDTuZRL9VL7MRPUDo/DQEyW.d4H.UIlzp:2 +# These are the primes from the old 'primes' file that are not included +# in the new 'moduli' file. +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinOch5R:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinOch5R:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinOmMSp:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinOmMSp:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinOxft3:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinOxft3:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPBWzx:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPBWzx:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPBxwZ:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPBxwZ:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPCGYB:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPCGYB:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPGq83:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPGq83:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPQK0R:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPQK0R:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPQqxx:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPQqxx:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPRTbJ:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPRTbJ:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPVQQB:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPVQQB:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPXEWp:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPXEWp:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPYxQB:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPYxQB:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPZUyx:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPZUyx:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPkDNp:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPkDNp:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPkyJx:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPkyJx:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPpw7x:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPpw7x:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQ884h:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQ884h:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQB6Mp:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQB6Mp:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQDMuZ:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQDMuZ:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQNGwZ:2 +:gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQNGwZ:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAMmuyx:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAMuhKB:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fANG4rZ:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fANiobh:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAO/D.B:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAODm8x:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAPqjtB:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAQ1hxB:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAQA.8J:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAQVn3h:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fARbdZZ:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fARoLEJ:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAS0SIp:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fASINr3:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fASKzKB:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fASsn63:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAT2GSx:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAT4gu3:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fATL7CZ:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fATPQAZ:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fATPhDp:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fATaZmJ:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fATdepZ:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAToFvh:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAU0I7h:2 +:4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAU2JxR:2 diff -burN openssh-3.7.1p2/moduli2tconf.c openssh/moduli2tconf.c --- openssh-3.7.1p2/moduli2tconf.c 1969-12-31 16:00:00.000000000 -0800 +++ openssh/moduli2tconf.c 2004-02-08 01:41:22.000000000 -0800 @@ -0,0 +1,116 @@ +/* SRP implementation for OpenSSH by Dr. Tom . */ + +#include "includes.h" + +#include + +#include "xmalloc.h" +#include "log.h" +#include "srp.h" + +/* argv0 */ +#ifdef HAVE___PROGNAME +extern char *__progname; +#else +char *__progname; +#endif + +void parse_prime(char *buf, BIGNUM *p, BIGNUM *g); +void write_tconf(const BIGNUM *p, const BIGNUM *g); + +/* + * Convert the "moduli" file into libsrp base64 format. The result, + * along with other parameters from existing /etc/tpasswd.conf files (that + * differ from the libsrp defaults, which are already in libsrp.conf), + * is then passed to the tconf2embed program which makes the parameters + * into a C file that can be linked with ssh and sshd. + */ +int +main(int argc, char **argv) +{ + char buf[8 * 1024]; + FILE *infile; + BIGNUM *p, *g; + + __progname = ssh_get_progname(*argv); + + if (argc != 2) { + fprintf(stderr, + "usage: %s \n" + "output appears on stdout\n", __progname); + exit(1); + } + + if ((p = BN_new()) == NULL || (g = BN_new()) == NULL) { + fprintf(stderr, "can't allocate BIGNUMs\n"); + exit(1); + } + + if ((infile = fopen(argv[1], "r")) == NULL) { + fprintf(stderr, "file '%s' not found\n", argv[1]); + exit(1); + } + + printf("# These are the primes and generators from the file '%s'.\n", + argv[1]); + while (fgets(buf, sizeof(buf), infile) != NULL) { + if (buf[0] == '#' || buf[0] == '\n') + continue; + parse_prime(buf, p, g); + write_tconf(p, g); + } + + fclose(infile); + return 0; +} + +char Fieldsep[] = { ' ', '\0' }; + +void +parse_prime(char *buf, BIGNUM *p, BIGNUM *g) +{ + char *s, *prime, *gen; + static int lineno = 1; + + s = buf; + if (strsep(&s, Fieldsep) == NULL) /* time */ + goto err; + if (strsep(&s, Fieldsep) == NULL) /* type */ + goto err; + if (strsep(&s, Fieldsep) == NULL) /* tests */ + goto err; + if (strsep(&s, Fieldsep) == NULL) /* tries */ + goto err; + if (strsep(&s, Fieldsep) == NULL) /* size */ + goto err; + if ((gen = strsep(&s, Fieldsep)) == NULL) /* gen */ + goto err; + if ((prime = strsep(&s, Fieldsep)) == NULL) /* prime */ + goto err; + if (s != NULL) + goto err; + + if (!BN_hex2bn(&p, prime)) + goto err; + if (!BN_hex2bn(&g, gen)) + goto err; + + lineno++; + return; + +err: + fprintf(stderr, "%s: parse error on line %d\n", __progname, lineno); + exit(1); +} + +void +write_tconf(const BIGNUM *p, const BIGNUM *g) +{ + char buf[8 * 1024]; + static int index = 1; + + printf("%d:", index); + printf("%s:", srp_bn2tfmt(buf, p)); + printf("%s\n", srp_bn2tfmt(buf, g)); + index++; +} diff -burN openssh-3.7.1p2/monitor.c openssh/monitor.c --- openssh-3.7.1p2/monitor.c 2003-09-02 14:32:46.000000000 -0700 +++ openssh/monitor.c 2004-02-08 01:41:22.000000000 -0800 @@ -58,6 +58,7 @@ #include "compat.h" #include "ssh2.h" #include "mpaux.h" +#include "srp.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -110,6 +111,8 @@ int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_skeyquery(int, Buffer *); int mm_answer_skeyrespond(int, Buffer *); +int mm_answer_srp_param(int, Buffer *); +int mm_answer_srp_done(int, Buffer *); int mm_answer_keyallowed(int, Buffer *); int mm_answer_keyverify(int, Buffer *); int mm_answer_pty(int, Buffer *); @@ -187,6 +190,8 @@ {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, #endif + {MONITOR_REQ_SRP_PARAM, MON_ISAUTH, mm_answer_srp_param}, + {MONITOR_REQ_SRP_DONE, MON_AUTH, mm_answer_srp_done}, {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, #ifdef GSSAPI @@ -911,6 +916,47 @@ } #endif +int +mm_answer_srp_param(int socket, Buffer *m) +{ + int res; + SRP_CTX *srp; + int auth_srp_param(Authctxt *authctxt); + +if (authctxt->srp) fatal("unexpected SRP context"); +if (!authctxt->valid) debug3("%s: invalid user, pw = %p", __func__, authctxt->pw); + srp = SRP_CTX_new(); + authctxt->srp = srp; + res = auth_srp_param(authctxt); + authctxt->srp = NULL; + + buffer_clear(m); + buffer_put_int(m, res); + if (res) { + buffer_put_string(m, srp->salt, srp->slen); + buffer_put_bignum2(m, srp->p); + buffer_put_bignum2(m, srp->g); + buffer_put_bignum2(m, srp->v); + } + + SRP_CTX_free(srp); + + debug3("%s: sending SRP parameters", __func__); + mm_request_send(socket, MONITOR_ANS_SRP_PARAM, m); + + return (0); +} + +int +mm_answer_srp_done(int socket, Buffer *m) +{ + int authenticated; + + authenticated = buffer_get_int(m); + auth_method = SRP_GEX_SHA1; + return authenticated; +} + static void mm_append_debug(Buffer *m) { diff -burN openssh-3.7.1p2/monitor.h openssh/monitor.h --- openssh-3.7.1p2/monitor.h 2003-09-02 05:51:17.000000000 -0700 +++ openssh/monitor.h 2004-02-08 09:11:13.000000000 -0800 @@ -39,6 +39,7 @@ MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, MONITOR_REQ_SKEYRESPOND, MONITOR_ANS_SKEYRESPOND, + MONITOR_REQ_SRP_PARAM, MONITOR_ANS_SRP_PARAM, MONITOR_REQ_SRP_DONE, MONITOR_REQ_KEYALLOWED, MONITOR_ANS_KEYALLOWED, MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY, MONITOR_REQ_KEYEXPORT, diff -burN openssh-3.7.1p2/monitor_wrap.c openssh/monitor_wrap.c --- openssh-3.7.1p2/monitor_wrap.c 2003-09-02 05:51:17.000000000 -0700 +++ openssh/monitor_wrap.c 2004-02-08 01:41:22.000000000 -0800 @@ -48,6 +48,7 @@ #include "monitor_fdpass.h" #include "getput.h" #include "servconf.h" +#include "srp.h" #include "auth.h" #include "channels.h" @@ -958,6 +959,45 @@ return ((authok == 0) ? -1 : 0); } +/* Request the user's SRP parameters. */ + +int +mm_auth_srp_param(Authctxt *authctxt) +{ + int res; + Buffer m; + SRP_CTX *srp; + + buffer_init(&m); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SRP_PARAM, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SRP_PARAM, &m); + + srp = authctxt->srp; + res = buffer_get_int(&m); + if (res) { + srp->salt = buffer_get_string(&m, &srp->slen); + buffer_get_bignum2(&m, srp->p); + buffer_get_bignum2(&m, srp->g); + buffer_get_bignum2(&m, srp->v); + } + + buffer_free(&m); + + return res; +} + +void +mm_send_srp_done(int authenticated) +{ + Buffer m; + + buffer_init(&m); + buffer_put_int(&m, authenticated); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SRP_DONE, &m); + buffer_free(&m); +} + void mm_ssh1_session_id(u_char session_id[16]) { diff -burN openssh-3.7.1p2/monitor_wrap.h openssh/monitor_wrap.h --- openssh-3.7.1p2/monitor_wrap.h 2003-09-02 05:51:17.000000000 -0700 +++ openssh/monitor_wrap.h 2004-02-08 01:41:33.000000000 -0800 @@ -96,6 +96,10 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_skey_respond(void *, u_int, char **); +/* srp */ +int mm_auth_srp_param(struct Authctxt *); +void mm_send_srp_done(int); + /* zlib allocation hooks */ void *mm_zalloc(struct mm_master *, u_int, u_int); diff -burN openssh-3.7.1p2/p4096.conf openssh/p4096.conf --- openssh-3.7.1p2/p4096.conf 1969-12-31 16:00:00.000000000 -0800 +++ openssh/p4096.conf 2004-02-08 01:41:33.000000000 -0800 @@ -0,0 +1 @@ +:AM7BtDyz2O8KXDNPqZkkBkMKa4ou3n90KNJxBfMj8foNCgHT5a7KPWM1ndolQHmNgocnUrNG4ioHKLo2ASvuZzySYXtCr8DklWPIapIh6lT8QZ31tbZV5F/n54ILiMxUtZ.WUZCM6/NY7PuLT4MfZuZ5V7JzP5sEZELNwhje7id6uBAga7bCtolgxrbzfE2emTQE/Ej98caI1saBUXG2wAGdKn5k49Ub4BCA1w0Kqa0tOs1rqivELl33Q/2Yh7thA/XcPfgvRQZbvW.mGtVHMsM1WI.wtWeBv1hiWONLIzMMgn.tfPJy45Bf1hIqGzJGrw1mfJaQDdACYRmTU5MFfqyZyaECaO4vGPk1TPwbVIAqwC6T5xfSUL39DPHnc5FW12dJvys2PC62qQ81DukFxI0ec7V/DRgCRKoXoFluKkF88uTpB7RRpLe9F0ELBkPLD3YnnOeHS22YJLm.AEAy03j9OBksbT2jYIfor5z2sgAOVDdGQJLErHS7xwK9Ebn1WPgcT1p8Zr/w4EgZhSt6zoWNhWNcgz9AzMnKmbyXwBTiNnYQCNfG61NoWeaTvwy8HhZPtvxbaCEdE/tz3mV39TP5PKoQkXvlxpEC/sDGUx8UXp8Sr3AkTe/AE8TU44cUZQN93WwX3SUL8YzqqC3QZSg4YSbs6FBhp7gsVY2XFp3:2 diff -burN openssh-3.7.1p2/pathnames.h openssh/pathnames.h --- openssh-3.7.1p2/pathnames.h 2002-06-06 12:57:34.000000000 -0700 +++ openssh/pathnames.h 2004-02-08 01:41:33.000000000 -0800 @@ -98,6 +98,16 @@ #define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" /* + * The locations of the files that hold the verifiers and groups used + * by the SRP protocol. + */ +#define _PATH_SSH_USER_VERIFIER _PATH_SSH_USER_DIR "/verifier" +#define _PATH_SSH_SYSTEM_VERIFIER SSHDIR "/verifier" +#define _PATH_SSH_SYSTEM_SRPGROUPS SSHDIR "/verifier.conf" +#define _PATH_SSH_LIBSRP_TPASSWD "/etc/tpasswd" +#define _PATH_SSH_LIBSRP_TPASSWD_CONF "/etc/tpasswd.conf" + +/* * Per-user and system-wide ssh "rc" files. These files are executed with * /bin/sh before starting the shell or command if they exist. They will be * passed "proto cookie" as arguments if X11 forwarding with spoofing is in diff -burN openssh-3.7.1p2/readconf.c openssh/readconf.c --- openssh-3.7.1p2/readconf.c 2003-09-02 05:58:22.000000000 -0700 +++ openssh/readconf.c 2004-02-08 01:41:33.000000000 -0800 @@ -91,7 +91,7 @@ oBadOption, oForwardAgent, oForwardX11, oGatewayPorts, oPasswordAuthentication, oRSAAuthentication, - oChallengeResponseAuthentication, oXAuthLocation, + oChallengeResponseAuthentication, oXAuthLocation, oSRPAuthentication, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, @@ -141,6 +141,7 @@ { "gssapiauthentication", oUnsupported }, { "gssapidelegatecredentials", oUnsupported }, #endif + { "srpauthentication", oSRPAuthentication }, { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, { "identityfile", oIdentityFile }, @@ -390,6 +391,10 @@ intptr = &options->gss_deleg_creds; goto parse_flag; + case oSRPAuthentication: + intptr = &options->srp_authentication; + goto parse_flag; + case oBatchMode: intptr = &options->batch_mode; goto parse_flag; @@ -814,6 +819,7 @@ options->challenge_response_authentication = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; + options->srp_authentication = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; @@ -888,6 +894,8 @@ options->gss_authentication = 1; if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; + if (options->srp_authentication == -1) + options->srp_authentication = 1; if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) diff -burN openssh-3.7.1p2/readconf.h openssh/readconf.h --- openssh-3.7.1p2/readconf.h 2003-09-02 05:58:22.000000000 -0700 +++ openssh/readconf.h 2004-02-08 01:41:45.000000000 -0800 @@ -42,6 +42,7 @@ /* Try S/Key or TIS, authentication. */ int gss_authentication; /* Try GSS authentication */ int gss_deleg_creds; /* Delegate GSS credentials */ + int srp_authentication; /* Try SRP authentication. */ int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff -burN openssh-3.7.1p2/readtconf.c openssh/readtconf.c --- openssh-3.7.1p2/readtconf.c 1969-12-31 16:00:00.000000000 -0800 +++ openssh/readtconf.c 2004-02-08 01:41:45.000000000 -0800 @@ -0,0 +1,136 @@ +/* SRP implementation for OpenSSH by Dr. Tom . */ + +#include "includes.h" + +#include + +#include "xmalloc.h" +#include "srp.h" + +/* argv0 */ +#ifdef HAVE___PROGNAME +extern char *__progname; +#else +char *__progname; +#endif + +void parse_tconf(char *buf, BIGNUM *p, BIGNUM *g); + +/* + * Read a tpasswd.conf file in the format used by libsrp and check the + * primes. Used for testing. + */ +int +main(int argc, char **argv) +{ + char buf[8 * 1024]; + int gen; + FILE *infile; + BIGNUM *p, *g, *q, *r; + BN_CTX *ctx; + BN_ULONG l; + + __progname = ssh_get_progname(*argv); + + if (argc != 2) { + fprintf(stderr, "usage: %s \n", __progname); + exit(1); + } + + if ((p = BN_new()) == NULL || (g = BN_new()) == NULL || + (q = BN_new()) == NULL || (r = BN_new()) == NULL) { + fprintf(stderr, "can't allocate BIGNUMs\n"); + exit(1); + } + if ((ctx = BN_CTX_new()) == NULL) { + fprintf(stderr, "can't allocate BN_CTX\n"); + exit(1); + } + + if ((infile = fopen(argv[1], "r")) == NULL) { + fprintf(stderr, "file '%s' not found\n", argv[1]); + exit(1); + } + + while (fgets(buf, sizeof(buf), infile) != NULL) { + if (buf[0] == '#') + continue; + parse_tconf(buf, p, g); + + printf("p = "); + BN_print_fp(stdout, p); + putchar('\n'); + printf("g = "); + BN_print_fp(stdout, g); + putchar('\n'); + + gen = -1; + if (BN_is_word(g, 2)) + gen = 2; + if (BN_is_word(g, 5)) + gen = 5; + + if (BN_is_prime(p, 50, NULL, ctx, NULL) != 1) + printf("prime test failed!!!\n"); + else { + printf("prime test passed\n"); + BN_rshift1(q, p); + if (BN_is_prime(q, 50, NULL, ctx, NULL) != 1) + printf("(p - 1) / 2 prime test failed!!!\n"); + else + printf("(p - 1) / 2 prime test passed\n"); + } + + if (gen == 2 && BN_mod_word(p, 24) == 11) + printf("g is a primitive generator\n"); + else if (gen == 5) { + l = BN_mod_word(p, 10); + if (l == 3 || l == 7) + printf("g is a primitive generator\n"); + } else { + + /* Do it the slow way; g^q mod p != 1 -> primitive. */ + + BN_rshift1(q, p); + BN_mod_exp(r, g, q, p, ctx); + if (BN_is_one(r)) + printf("g is not a primitive generator!!!\n"); + else + printf("g is a primitive generator\n"); + } + } + + fclose(infile); + return 0; +} + +char Fieldsep[] = { ':', '\0' }; + +void +parse_tconf(char *buf, BIGNUM *p, BIGNUM *g) +{ + char *s, *prime, *gen; + static int lineno = 1; + + s = buf; + if (strsep(&s, Fieldsep) == NULL) /* index */ + goto err; + if ((prime = strsep(&s, Fieldsep)) == NULL) /* prime */ + goto err; + if ((gen = strsep(&s, Fieldsep)) == NULL) /* gen */ + goto err; + if (s != NULL) + goto err; + + if (!srp_tfmt2bn(p, prime)) + goto err; + if (!srp_tfmt2bn(g, gen)) + goto err; + + lineno++; + return; + +err: + fprintf(stderr, "parse error on line %d\n", lineno); + exit(1); +} diff -burN openssh-3.7.1p2/servconf.c openssh/servconf.c --- openssh-3.7.1p2/servconf.c 2003-09-23 02:24:21.000000000 -0700 +++ openssh/servconf.c 2004-02-08 01:41:45.000000000 -0800 @@ -74,6 +74,7 @@ options->kerberos_ticket_cleanup = -1; options->gss_authentication=-1; options->gss_cleanup_creds = -1; + options->srp_authentication = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; @@ -185,6 +186,8 @@ options->gss_authentication = 0; if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; + if (options->srp_authentication == -1) + options->srp_authentication = 1; if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) @@ -248,7 +251,7 @@ /* Standard Options */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, - sRhostsRSAAuthentication, sRSAAuthentication, + sRhostsRSAAuthentication, sRSAAuthentication, sSRPAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, @@ -315,6 +318,7 @@ { "gssapiauthentication", sUnsupported }, { "gssapicleanupcreds", sUnsupported }, #endif + { "srpauthentication", sSRPAuthentication }, { "passwordauthentication", sPasswordAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, { "challengeresponseauthentication", sChallengeResponseAuthentication }, @@ -637,6 +641,10 @@ intptr = &options->gss_cleanup_creds; goto parse_flag; + case sSRPAuthentication: + intptr = &options->srp_authentication; + goto parse_flag; + case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; diff -burN openssh-3.7.1p2/servconf.h openssh/servconf.h --- openssh-3.7.1p2/servconf.h 2003-09-02 05:58:22.000000000 -0700 +++ openssh/servconf.h 2004-02-08 01:41:45.000000000 -0800 @@ -82,6 +82,7 @@ * file on logout. */ int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */ + int srp_authentication; /* If true, permit SRP authentication. */ int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ diff -burN openssh-3.7.1p2/srp-auth.nroff openssh/srp-auth.nroff --- openssh-3.7.1p2/srp-auth.nroff 1969-12-31 16:00:00.000000000 -0800 +++ openssh/srp-auth.nroff 2004-02-08 01:41:55.000000000 -0800 @@ -0,0 +1,382 @@ +.\" -*- mode: nroff; fill-column: 68 -*- +.pl 10.0i +.po 0 +.ll 7.2i +.lt 7.2i +.nr LL 7.2i +.nr LT 7.2i +.ds LF Tom Holroyd +.ds RF FORMFEED[Page %] +.ds CF +.ds LH INTERNET-DRAFT +.ds RH 20 March 2001 +.ds CH SRP authorization with Secure Shell. +.hy 0 +.ad l +.in 0 +INTERNET-DRAFT T. Holroyd +draft-tomh-secsh-srp-00.txt T. Wu +Expires in September 2001 N. Moeller + 20 March 2001 + +.ce +Using the SRP protocol as an authorization method in Secure Shell + +.ti 0 +Status of this Memo +.fi +.in 3 + +This document is an Internet-Draft and is in full conformance with +all provisions of Section 10 of RFC2026. + +Internet-Drafts are working documents of the Internet Engineering +Task Force (IETF), its areas, and its working groups. Note that +other groups may also distribute working documents as +Internet-Drafts. + +Internet-Drafts are draft documents valid for a maximum of six +months and may be updated, replaced, or obsoleted by other documents +at any time. It is inappropriate to use Internet-Drafts as reference +material or to cite them other than as "work in progress." + +The list of current Internet-Drafts can be accessed at +http://www.ietf.org/ietf/1id-abstracts.txt + +The list of Internet-Draft Shadow Directories can be accessed at +http://www.ietf.org/shadow.html. + +.ti 0 +Copyright Notice + +Copyright (C) The Internet Society (2000). See the Full Copyright +Notice below for details. + +.ti 0 +Abstract + +This memo describes an experimental method for authentication in the Secure +Shell protocol, version 2 [SSH-ARCH]. + +The main virtue of the use of the SRP protocol [SRP] as an authentication +method in the "ssh-userauth"-service [SSH-USERAUTH] is its ability to +provide strong authentication in both directions, without using any client +state apart from the user-entered passphrase. That is, SRP authenticates +the server in addition to the user, and can also authenticate the server +host key. It is useful in situations where no authentic host key is known. + +.ti 0 +Conventions and notations + +Some of the conventions used in this document are taken from [SSH-USERAUTH], +others are from [SRP]. + +C is the client, S is the server; q is a large safe prime, g is a primitive +root. + +The ^ operator is the exponentiation operation, and the mod operator is the +integer remainder operation. Most implementations perform the +exponentiation and remainder in a single stage to avoid generating unwieldy +intermediate results. + +The | symbol indicates string concatenation. + +HASH is a hash function (currently SHA1), n is the user's name (used for +looking up salt and verifier in the server's database), p is a passphrase, +and s is a random salt string 80 bits long. + +x is constructed from the strings n, p and s as HASH(s | HASH(n | ":" | p)), +and the verifier v is computed as g^x mod q. S keeps a database containing +entries of the form , indexed by n. + +Numerical ranges such as e in (1, q-1) are non-inclusive, i.e. 1 < e < q-1. + +.ti 0 +Protocol description + +1. C sends n to S. + +2. S uses n to find v, s, q, and g in its database. S sends q, g, + and s to C. + +3. C renerates a random number a with ALEN bits (lg(q) < a) and + computes e = g^a mod q. C sends e to S. + +4. S generates a random number b with ALEN bits (lg(q) < b) and + computes f = v + g^b mod q. S selects u as the integer + corresponding to the first 32 bits of HASH(f). If f or u happen + to be zero, S must try another b. S sends f to C, and then + computes the shared secret K = (e * v^u)^b mod q. + +5. C gets the passphrase p from the user and computes + x = HASH(s | HASH(n | ":" | p)) and v = g^x mod q. C also + computes u in the same way as S. Finally, C computes the + shared secret K = (f - v) ^ (a + u * x) mod q. + +C must check that q is a safe prime and that g is a primitive root, ideally +by looking these values up in a well known table. + +The random exponents a and b have ALEN bits, or lg(q) bits if lg(q) +< ALEN. ALEN should be at least 256, but either side may use a longer +value (at the expense of speed). + +Each party must check that e and f are in the range (1, q-1). If +not, the key exchange fails. + +At this point C and S have a shared secret K. They must now prove +that they know the same value. Even if we're primarily interested +in authenticating the server, the user must prove knowledge of the +key *first*. (Otherwise, the server leaks information about the +verifier). + +To do this, the client sends m1 = HMAC(K, H) to the server, where H +is the "exchange hash" defined below. After verifying the MAC, the +server responds by sending m2 = HMAC(K, e | m1 | H) to the client. +The purpose of this final message exchange is twofold: (i) to prove +knowledge of the shared secret key K, completing the SRP protocol, +and (ii) to use the shared key K to authenticate the session id, +which is part of the exchange hash and which is itself a hash of the +server host key and other data. The latter is needed in order to +protect against attacks on the algorithm negotiation that happens +before the SRP exchange, as well as version rollback attacks. + +.ti 0 +Protocol messages + +The name of the method, when listed in the SSH2_MSG_USERAUTH_REQUEST +message, is "srp-gex-sha1". + +First, the client sends: + + byte SSH2_MSG_USERAUTH_REQUEST + string user name (in ISO-10646 UTF-8 encoding [RFC-2279]) + string service name (in US-ASCII) + string "srp-gex-sha1" + +The server responds with + + byte SSH2_MSG_USERAUTH_SRP_REPLY + mpint q + mpint g + string s + +The client MUST verify that q is a safe prime (i.e., that q is prime, and +that (q - 1) / 2 is also prime), and that g is a primitive root of the +multiplicative group formed by q (i.e., that for all x in [1, q-1], +there exists a y such that g^y mod q = x). If q is not safe, or +g is not primitive, the client MUST abort authentication. + +The client then sends + + byte SSH2_MSG_USERAUTH_SRP_VALUE + mpint e + +The server MUST abort if e is not in the range (1, q-1). + +The server responds with + + byte SSH2_MSG_USERAUTH_SRP_VALUE + mpint f + +The server MUST NOT send this message until after it has received and +checked the the client's SSH2_MSG_USERAUTH_SRP_VALUE message. + +Both sides compute u as the first 32 bits of HASH(f). The server MUST NOT +send an f such that u == 0, and f MUST be in the range (1, q-1). The client +MUST abort if u is 0 or f is outside the range (1, q-1). + +At this point, both sides calculate K. The client obtains a passphrase +from the user, and calculates x, v, and K. The server MUST abort if +e * v^u == 1 or -1 (mod q). + +Both sides now compute the exchange hash H, as the HASH of the concatenation +of the following data: + + string session_id, calculated during the initial key exchange + (see [SSH-TRANS] for more information) + byte SSH2_MSG_USERAUTH_REQUEST + string user name (in ISO-10646 UTF-8 encoding [RFC-2279]) + string service name (in US-ASCII) + string "srp-gex-sha1" + string s, the salt + mpint q, the prime sent by the server + mpint g, the primitive root sent by the server + mpint e, exchange value sent by the client + mpint f, exchange value sent by the server + +The client computes m1 = HMAC(K, H), and sends it to the server, to +prove that it knows the shared key. It sends + + byte SSH2_MSG_USERAUTH_SRP_PROOF + string m1 + +The server verifies that m1 is correct using its own K. If they +don't match, the server MUST NOT send any proof back to the client, +but MAY continue without disconnecting in order to allow retries. + +Finally, the server computes m2 = HMAC(K, H2), where H2 is the HASH of: + + mpint e + string m1 + string H + +and sends to the client either: + + byte SSH2_MSG_USERAUTH_SRP_PROOF + boolean 0 + +in the case that the client's proof was rejected, or: + + byte SSH2_MSG_USERAUTH_SRP_PROOF + boolean 1 + string m2 + +in the case that the client's proof was accepted. If m2 was not sent, the +client is not authenticated and MAY retry after receiving the +SSH2_MSG_USERAUTH_FAILURE message that the server MUST send. If m2 was +sent, the client verifies that m2 is correct, and if so, the server is +authenticated. + +Note that according to the SSH2 protocol [SSH-USERAUTH], it is the server +that either rejects the authentication request by sending +SSH2_MSG_USERAUTH_FAILURE, or accepts it by sending SSH2_MSG_USERAUTH_SUCCESS. +If the m2 value sent by the server does not match the value computed by the +client, the client MUST abort if it receives a SSH2_MSG_USERAUTH_SUCCESS +message, since the authenticity of the server is in doubt. + +.ti 0 +Message numbers + +The following message numbers have been defined in this protocol: + + /* 60-79 User authentication method specific (numbers can be + * reused for different authentication methods) + */ + + #define SSH2_MSG_USERAUTH_SRP_REPLY 60 + #define SSH2_MSG_USERAUTH_SRP_VALUE 61 + #define SSH2_MSG_USERAUTH_SRP_PROOF 62 + +.ti 0 +Security Considerations + +This entire draft discusses an authentication and key exchange system that +provides strong authentication, protects passphrases, and exchanges keys +across an untrusted network. Most of this section is taken from [SRP], +which also provides more details. + +Knowledge of the verifier enables an attacker to mount an offline search +(also known as a "dictionary attack") on the user's passphrase, as well as to +impersonate the server. So the verifier should be kept secret. The entry can be created on the user's machine and +transferred to the server over a secure channel, or it could be created on +the server. The former approach has the advantage that the cleartext +passphrase is not even temporarily known by the server. + +SRP has been designed not only to counter the threat of casual +passphrase-sniffing, but also to prevent a determined attacker equipped with +a dictionary of passphrases from guessing at passphrases using captured +network traffic. The SRP protocol itself also resists active network +attacks, and implementations can use the securely exchanged keys to protect +the session against hijacking and provide confidentiality. + +Although SRP may be used as an initial authentication and key-exchange +method (e.g. instead of the diffie-hellman-group1-sha1 method required by +SSH-TRANS), using SRP as an authentication method in Secure Shell has the +following advantages: 1) the username is not transmitted in the clear; +2) the server is authenticated to the client, preventing server spoofing; +and 3) since the session id is incorporated into the exchange hashes, +it (and implicitly the host key it was generated from) is authenticated +along with the server. + +As some of the best known algorithms for computing discrete logarithms use +extensive precomputations, it is desirable not to depend on a single fixed +group. However, care must be taken whenever a client starts to use a new +group. An attacker that knows how to compute discrete logarithms in the +multiplicative group of a particular prime, and can convince the client to +use that group (by spoofing the server, for example), can obtain the random +value a from e, and mount a dictionary attack on m1. While dictionary +attacks may often be successful due to weak passphrases or simple passwords, +this one depends on the ability to compute discrete logs in a safe-prime +group, which is currently theoretically difficult, and requires expensive +modular exponentiation and multiplication for each test passphrase. In +addition, this is not a passive attack, although most of the calculations +can be carried out off-line. + +SRP authentication of the host key protects against a man-in-the-middle +attack, where a client is tricked into connecting to a fake server, who +would then capture the user's password, along with session data. + +SRP also has the added advantage of permitting the host to store passphrases +in a form that is not directly useful to an attacker. Even if the host's +passphrase verifier database were publicly revealed, the attacker would +still need an expensive dictionary search to obtain any passphrases. The +exponential computation required to validate a guess in this case is much +more time-consuming than the hash currently used by most UNIX systems. +Hosts are still advised, though, to try their best to keep their passphrase +verifier files secure. + +.ti 0 +Author's Address + +.nf +Dr. Tom Holroyd +NIMH MEG Core Facility +Bldg 10 Rm B1D65A +National Institutes of Health +9000 Rockville Pike +Bethesda, MD 20892-1059 +email: tomh@kurage.nimh.nih.gov +tel: 301-402-2362 +fax: 301-480-7795 +(or tom.holroyd@nih.gov) + +Thomas Wu +Arcot Systems +3200 Patrick Henry Blvd. +Santa Clara, CA 95054 + +EMail: tom@arcot.com + +.ti 0 +References + +[SRP] T. Wu, "The SRP Authentication and Key Exchange System", +Internet Draft, RFC 2945 + +[SSH-ARCH] Ylonen, T., et al, "SSH Protocol Architecture", Internet +Draft, draft-ietf-secsh-architecture-08.txt + +[SSH-TRANS] Ylonen, T., et al, "SSH Transport Layer Protocol", Internet +Draft, draft-ietf-secsh-transport-10.txt + +[SSH-USERAUTH] Ylonen, T., et al, "SSH Authentication Protocol", +Internet Draft, draft-ietf-secsh-userauth-10.txt + +.ti 0 +Full Copyright Statement + +Copyright (C) The Internet Society (2001). All Rights Reserved. + +This document and translations of it may be copied and furnished to +others, and derivative works that comment on or otherwise explain it +or assist in its implmentation may be prepared, copied, published and +distributed, in whole or in part, without restriction of any kind, +provided that the above copyright notice and this paragraph are +included on all such copies and derivative works. However, this +document itself may not be modified in any way, such as by removing +the copyright notice or references to the Internet Society or other +Internet organizations, except as needed for the purpose of developing +Internet standards in which case the procedures for copyrights defined +in the Internet Standards process must be followed, or as required to +translate it into languages other than English. + +The limited permissions granted above are perpetual and will not be +revoked by the Internet Society or its successors or assigns. + +This document and the information contained herein is provided on an +"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING +TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT +NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN +WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF +MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." diff -burN openssh-3.7.1p2/srp-keygen.0 openssh/srp-keygen.0 --- openssh-3.7.1p2/srp-keygen.0 1969-12-31 16:00:00.000000000 -0800 +++ openssh/srp-keygen.0 2004-02-08 01:41:55.000000000 -0800 @@ -0,0 +1,85 @@ +SRP-KEYGEN(1) System General Commands Manual SRP-KEYGEN(1) + +NAME + srp-keygen - generate SRP verifiers + +SYNOPSIS + srp-keygen [-b bits] [-f output_verifier_file] [-u username] + +DESCRIPTION + srp-keygen generates SRP verifiers for use with ssh(1). To use SRP + authentication, a user runs this to create a $HOME/.ssh/verifier file on + the host server. Note that you must already be connected to the server + over a secure channel in order to do this! Usually the system adminis- + trator will set up an initial verifier file using the -f and -u options. + + If the server is already using SRP-aware telnet(1) or login(1), a + $HOME/.ssh/verifier file is not necessary. In that case, verifiers may + be set or updated using the tpasswd(1) program. srp-keygen may still be + used to create a $HOME/.ssh/verifier file which will override the + /etc/tpasswd entry, if any. + + srp-keygen asks for a passphrase to use in creating the SRP verifier. + The same passphrase is required when connecting to the server using SRP + authentication. Good passphrases are 10-30 characters long and are not + simple sentences or otherwise easily guessable (English prose has only + 1-2 bits of entropy per word). + + There is no way to recover a lost passphrase. If the passphrase is lost + or forgotten, you (or the system administrator) will have to generate a + new one. + + The options are as follows: + + -b bits + Specifies the number of bits in the prime group. Only certain + sizes are available, use -b0 to see the list. Generally 1024 + bits is considered sufficient. Sizes above that make things + slower and might not improve security. The default is 1535 bits. + + -f filename + Specifies the name of the output verifier file. The default is + $HOME/.ssh/verifier. + + -u username + Specifies the username. This option is only useful to the system + administrator, in combination with -f. Note that the username is + encoded as part of the verifier. If a user's name ever changes, + the verifier will have to be recreated. + +FILES + $HOME/.ssh/verifier + Contains the SRP verifier for the user (server-side). This file + should not be readable by anyone but the user. sshd(8) will read + this file when a login attempt is made. + + /etc/verifier + Contains SRP verifier entries for all users of the server. This + file should not be readable by anyone but the sshd user (usually + root). This file is not necessary, but may be used to centralize + verifier administration. sshd(8) will read this file when a + login attempt is made, if no $HOME/.ssh/verifier file is present. + + /etc/verifier.conf + A list of valid prime groups. This file should be world read- + able. + + /etc/tpasswd + This file will be used to look up the user's verifier if no + $HOME/.ssh/verifier or /etc/verifier exists, or no entry for the + user could be found in those files. + + /etc/tpasswd.conf + This file contains additional prime groups to use when the user's + verifier is located in /etc/tpasswd. + +AUTHORS + OpenSSH is a derivative of the original and free ssh 1.2.12 release by + Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo + de Raadt and Dug Song removed many bugs, re-added newer features and cre- + ated OpenSSH. Tom Holroyd contributed the support for SRP. + +SEE ALSO + ssh(1), ssh-add(1), ssh-agent(1), sshd(8), tpasswd(1), tconf(1) + +BSD March 20, 2001 BSD diff -burN openssh-3.7.1p2/srp-keygen.1 openssh/srp-keygen.1 --- openssh-3.7.1p2/srp-keygen.1 1969-12-31 16:00:00.000000000 -0800 +++ openssh/srp-keygen.1 2004-02-08 01:41:55.000000000 -0800 @@ -0,0 +1,140 @@ +.\" -*- nroff -*- +.\" +.\" Author: Tom Holroyd +.\" +.\" Copyright (c) 2001 Tom Holroyd. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd March 20, 2001 +.Dt SRP-KEYGEN 1 +.Os +.Sh NAME +.Nm srp-keygen +.Nd generate SRP verifiers +.Sh SYNOPSIS +.Nm srp-keygen +.Op Fl b Ar bits +.Op Fl f Ar output_verifier_file +.Op Fl u Ar username +.Sh DESCRIPTION +.Nm +generates SRP verifiers for use with +.Xr ssh 1 . +To use SRP authentication, a user runs this to create a +.Pa $HOME/.ssh/verifier +file on the host server. Note that you must already be connected to +the server over a secure channel in order to do this! Usually the system +administrator will set up an initial verifier file using the +.Fl f +and +.Fl u +options. +.Pp +If the server is already using SRP-aware +.Xr telnet 1 +or +.Xr login 1 , a +.Pa $HOME/.ssh/verifier +file is not necessary. In that case, verifiers may be set or updated +using the +.Xr tpasswd 1 +program. +.Nm +may still be used to create a +.Pa $HOME/.ssh/verifier +file which will override the +.Pa /etc/tpasswd +entry, if any. +.Pp +.Nm +asks for a passphrase to use in creating the SRP verifier. The same passphrase +is required when connecting to the server using SRP authentication. +Good passphrases are 10-30 characters long and are +not simple sentences or otherwise easily guessable (English +prose has only 1-2 bits of entropy per word). +.Pp +There is no way to recover a lost passphrase. If the passphrase is lost or +forgotten, you (or the system administrator) will have to generate a new +one. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl b Ar bits +Specifies the number of bits in the prime group. Only certain sizes are +available, use +.Fl b0 +to see the list. +Generally 1024 bits is considered sufficient. Sizes +above that make things slower and might not improve security. +The default is 1535 bits. +.It Fl f Ar filename +Specifies the name of the output verifier file. The default is +.Pa $HOME/.ssh/verifier . +.It Fl u Ar username +Specifies the username. This option is only useful to the system +administrator, in combination with +.Fl f . +Note that the username is encoded as part of the verifier. If a user's +name ever changes, the verifier will have to be recreated. +.El +.Sh FILES +.Bl -tag -width Ds +.It Pa $HOME/.ssh/verifier +Contains the SRP verifier for the user (server-side). +This file should not be readable by anyone but the user. +.Xr sshd 8 +will read this file when a login attempt is made. +.It Pa /etc/verifier +Contains SRP verifier entries for all users of the server. This file should +not be readable by anyone but the sshd user (usually root). This file is +not necessary, but may be used to centralize verifier administration. +.Xr sshd 8 +will read this file when a login attempt is made, if no +.Pa $HOME/.ssh/verifier +file is present. +.It Pa /etc/verifier.conf +A list of valid prime groups. This file should be world readable. +.It Pa /etc/tpasswd +This file will be used to look up the user's verifier if no +.Pa $HOME/.ssh/verifier +or +.Pa /etc/verifier +exists, or no entry for the user could be found in those files. +.It Pa /etc/tpasswd.conf +This file contains additional prime groups to use when the user's +verifier is located in /etc/tpasswd. +.El +.Sh AUTHORS +OpenSSH is a derivative of the original and free +ssh 1.2.12 release by Tatu Ylonen. +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Theo de Raadt and Dug Song +removed many bugs, re-added newer features and +created OpenSSH. +Tom Holroyd contributed the support for SRP. +.Sh SEE ALSO +.Xr ssh 1 , +.Xr ssh-add 1 , +.Xr ssh-agent 1 , +.Xr sshd 8 , +.Xr tpasswd 1 , +.Xr tconf 1 diff -burN openssh-3.7.1p2/srp-keygen.c openssh/srp-keygen.c --- openssh-3.7.1p2/srp-keygen.c 1969-12-31 16:00:00.000000000 -0800 +++ openssh/srp-keygen.c 2004-02-08 01:42:06.000000000 -0800 @@ -0,0 +1,351 @@ +/* SRP implementation for OpenSSH by Dr. Tom . */ + +#include "includes.h" + +#include + +#include "xmalloc.h" +#include "log.h" +#include "pathnames.h" +#include "readpass.h" +#include "srp.h" + +/* argv0 */ +#ifdef HAVE___PROGNAME +extern char *__progname; +#else +char *__progname; +#endif + +#define USAGE() fprintf(stderr, Usage, __progname) + +char Usage[] = + "usage: %s [-b ] [-f ] [-u ]\n" + "This program creates an SRP verifier for username (default: the\n" + "current user), and stores it in the verifier file (default:\n" + "$HOME/.ssh/verifier). The previous file contents, if any, are\n" + "destroyed.\n" + "The prime group used is selected at random from a predefined set;\n" + "the -b flag may be used to specify the number of bits used for\n" + "the prime (default: 1535). Use -b0 to see the choices.\n"; + +/* + * -f is most useful (to the system administrator) along with -u, to + * create a verifier entry for an arbitrary user. Note that the verifier + * file must not be world readable, and must be owned by the user. + * Be aware that the username is part of the verifier; if you want to + * change the user's name, you cannot simply change the username field + * with an editor, you must regenerate the verifier with this program. + * + * XXX This version will always overwrite a preexisting file. If you + * need to have verifier entries for multiple users in the same file, + * you must currently use an editor to add them, or use the tpasswd(1) + * utility from the Stanford SRP distribution. + */ + +/* + * This little bit of stuff is a hack to make it possible to link this + * with srp-util.c, since srp_hash_calc() uses it. + */ +u_char *session_id2; +int session_id2_len; + +/* Keep track of the bit sizes we know. */ +void bits_add(int bits); +void bits_dump(); + +/* Create an SRP verifier file. */ + +int +main(int argc, char **argv) +{ + int i, j, c, bits, slen, which, fd; + char *filename, *username, *buf; + char *salt, *passphrase, *p2, prompt[100]; + FILE *outfile; + struct passwd *pw = NULL; + struct stat st; + BIGNUM *p, *g, *s, *x, *v; + BN_CTX *ctx, *ctx2; + extern int optind; + extern char *optarg; + + __progname = ssh_get_progname(*argv); + init_rng(); + log_init(__progname, SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + seed_rng(); + + /* Parse option arguments. */ + + bits = 1535; + filename = NULL; + username = NULL; + while ((c = getopt(argc, argv, "b:f:u:")) != EOF) { + switch (c) { + case 'b': + bits = atoi(optarg); + break; + + case 'f': + filename = xstrdup(optarg); + break; + + case 'u': + username = xstrdup(optarg); + break; + + default: + USAGE(); + exit(1); + } + } + argc -= optind; + argv += optind; + + if (argc != 0) { + USAGE(); + exit(1); + } + + /* + * Figure out who we are, and where to write the file. If both + * -f and -u are specified, we don't need to consult the passwd + * database. This allows creation of verifiers for usernames + * that don't have local accounts. + */ + if (username == NULL || filename == NULL) { + if (username == NULL) + pw = getpwuid(getuid()); + else + pw = getpwnam(username); + if (pw == NULL) { + fprintf(stderr, + "%s: can't find user passwd entry\n", __progname); + exit(1); + } + username = xstrdup(pw->pw_name); + } + if (filename == NULL) { + + /* Create the ~/.ssh directory if it doesn't already exist. */ + + c = strlen(pw->pw_dir) + strlen(_PATH_SSH_USER_DIR) + 2; + filename = xmalloc(c); + snprintf(filename, c, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR); + if (stat(filename, &st) < 0) { + if (mkdir(filename, 0700) < 0) { + fprintf(stderr, + "%s: could not create directory '%s'.\n", + __progname, filename); + exit(1); + } else + printf("Created directory '%s'.\n", filename); + } + xfree(filename); + + /* Now create the pathname to the verifier file. */ + + c = strlen(pw->pw_dir) + strlen(_PATH_SSH_USER_VERIFIER) + 2; + filename = xmalloc(c); + snprintf(filename, c, + "%s/%s", pw->pw_dir, _PATH_SSH_USER_VERIFIER); + } + + /* Allocate BIGNUMs and stuff. */ + + if ((ctx = BN_CTX_new()) == NULL) + goto err; + if ((ctx2 = BN_CTX_new()) == NULL) + goto err; + BN_CTX_start(ctx); + p = BN_CTX_get(ctx); + g = BN_CTX_get(ctx); + s = BN_CTX_get(ctx); + x = BN_CTX_get(ctx); + v = BN_CTX_get(ctx); + if (v == NULL) + goto err; + + /* + * Count the number of primes we know that are bits long. + * Just use the built-in values for now. Better would be + * to include the external tables as well, ignoring any + * duplicates. Maybe later. + */ + c = 0; + for (i = 0; i < SRP_nparams; i++) { + srp_get_param(i, p, g); + j = BN_num_bits(p); + bits_add(j); + if (j == bits) + c++; + } + if (c == 0) { + if (bits != 0) + fprintf(stderr, "%s: no primes found with %d bits\n", + __progname, bits); + bits_dump(); + exit(1); + } + printf("%d candidate groups with %d bits found.\n", c, bits); + + /* Pick one, and get it. */ + + which = arc4random() % c; + c = 0; + for (i = 0; i < SRP_nparams; i++) { + srp_get_param(i, p, g); + j = BN_num_bits(p); + if (j == bits) { + if (c == which) + break; + c++; + } + } + + /* Pick a random salt. */ + + if (!BN_rand(s, SALTLEN, 0, 0)) + goto err; + slen = BN_num_bytes(s); + salt = xmalloc(slen); + if (!BN_bn2bin(s, salt)) + goto err; + + /* Get the (new) passphrase. */ + + snprintf(prompt, sizeof(prompt), + "Enter SRP passphrase for %s: ", username); + passphrase = read_passphrase(prompt, 0); + p2 = read_passphrase("Verify: ", 0); + if (strcmp(passphrase, p2) != 0) { + fprintf(stderr, + "%s: passphrase mismatch, no action taken\n", __progname); + exit(1); + } + + /* Calculate x = HASH(salt | HASH(username | passphrase)). */ + + srp_x_calc(salt, slen, username, passphrase, x); + + memset(passphrase, 0, strlen(passphrase)); + memset(p2, 0, strlen(p2)); + xfree(passphrase); + xfree(p2); + + /* Calculate v = g^x mod p. */ + + if (!BN_mod_exp(v, g, x, p, ctx2)) + goto err; + + /* Create the file. */ + + fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd < 0) { + fprintf(stderr, "%s: can't create '%s'\n", __progname, filename); + exit(1); + } + outfile = fdopen(fd, "w"); + if (outfile == NULL) { + fprintf(stderr, "%s: fdopen() failed\n", __progname); + close(fd); + exit(1); + } + + /* Convert to base64 and write it all out. */ + + buf = xmalloc(8 * 1024); + + fprintf(outfile, "%s:", username); + + srp_bn2tfmt(buf, v); + fprintf(outfile, "%s:", buf); + + srp_bn2tfmt(buf, s); + fprintf(outfile, "%s::", buf); + + srp_bn2tfmt(buf, p); + fprintf(outfile, "%s:", buf); + + srp_bn2tfmt(buf, g); + fprintf(outfile, "%s\n", buf); + + fclose(outfile); + + BN_CTX_end(ctx); + BN_CTX_free(ctx); + BN_CTX_free(ctx2); + return 0; + +err: + fprintf(stderr, "%s: BIGNUM error\n", __progname); + return 1; +} + +/* Keep track of the number of different bit sizes we know. */ + +typedef struct bitslist BITSLIST; +struct bitslist { + int bits; + int count; + BITSLIST *next; +}; + +BITSLIST *Bits = NULL; + +BITSLIST * +bits_new(int bits, BITSLIST *next) +{ + BITSLIST *p; + + p = xmalloc(sizeof(BITSLIST)); + p->bits = bits; + p->count = 1; + p->next = next; + + return p; +} + +void +bits_add(int bits) +{ + BITSLIST *p, *pp = NULL; + + /* Do a little insertion sort, just for fun. */ + + if (Bits == NULL) { + Bits = bits_new(bits, NULL); + return; + } + for (p = Bits; p; p = p->next) { + if (p->bits == bits) { + p->count++; + return; + } + if (p->bits > bits) + break; + pp = p; + } + if (pp == NULL) { + p = Bits; + Bits = bits_new(bits, p); + } else { + p = pp->next; + pp->next = bits_new(bits, p); + } +} + +void +bits_dump() +{ + BITSLIST *p; + + if (!Bits) { + fprintf(stderr, "no known prime groups!\n"); + exit(1); + } + printf("Known prime group sizes (count):\n"); + for (p = Bits; p; p = p->next) + printf("\t%d (%d)\n", p->bits, p->count); +} + diff -burN openssh-3.7.1p2/srp-param.c openssh/srp-param.c --- openssh-3.7.1p2/srp-param.c 1969-12-31 16:00:00.000000000 -0800 +++ openssh/srp-param.c 2004-02-08 01:42:06.000000000 -0800 @@ -0,0 +1,700 @@ +/* This file was created by tconf2embed. Do not edit. */ +/* Converted by tomh on Wed Apr 3 14:56:53 2002. */ + +#include "includes.h" +#include +#include "srp.h" + +SRP_PARAM SRP_param[] = { + /* These are the default primes and generators used by the srp-1.7.1 */ + /* distribution of libsrp, with lengths >= 1024 bits. */ + { "Ewl2hcjiutMd3Fu2lgFnUXWSc67TVyy2vwYCKoS9MLsrdJVT9RgWTCuEqWJrfB6uE3LsE9GkOlaZabS7M29sj5TnzUqOLJMjiwEzArfiLr9WbMRANlF68N5AVLcPWvNx6Zjl3m5Scp0BzJBz9TkgfhzKJZ.WtP3Mv/67I/0wmRZ", + "2", + NULL, NULL }, + { "F//////////oG/QeY5emZJ4ncABWDmSqIa2JWYAPynq0Wk.fZiJco9HIWXvZZG4tU.L6RFDEaCRC2iARV9V53TFuJLjRL72HUI5jNPYNdx6z4n2wQOtxMiB/rosz0QtxUuuQ/jQYP.bhfya4NnB7.P9A6PHxEPJWV//////////", + "5", + NULL, NULL }, + { "3NUKQ2Re4P5BEK0TLg2dX3gETNNNECPoe92h4OVMaDn3Xo/0QdjgG/EvM.hiVV1BdIGklSI14HA38Mpe5k04juR5/EXMU0r1WtsLhNXwKBlf2zEfoOh0zVmDvqInpU695f29Iy7sNW3U5RIogcs740oUp2Kdv5wuITwnIx84cnO.e467/IV1lPnvMCr0pd1dgS0a.RV5eBJr03Q65Xy61R", + "2", + NULL, NULL }, + { "dUyyhxav9tgnyIg65wHxkzkb7VIPh4o0lkwfOKiPp4rVJrzLRYVBtb76gKlaO7ef5LYGEw3G.4E0jbMxcYBetDy2YdpiP/3GWJInoBbvYHIRO9uBuxgsFKTKWu7RnR7yTau/IrFTdQ4LY/q.AvoCzMxV0PKvD9Odso/LFIItn8PbTov3VMn/ZEH2SqhtpBUkWtmcIkEflhX/YY/fkBKfBbe27/zUaKUUZEUYZ2H2nlCL60.JIPeZJSzsu/xHDVcx", + "2", + NULL, NULL }, + { "2iQzj1CagQc/5ctbuJYLWlhtAsPHc7xWVyCPAKFRLWKADpASkqe9djWPFWTNTdeJtL8nAhImCn3Sr/IAdQ1FrGw0WvQUstPx3FO9KNcXOwisOQ1VlL.gheAHYfbYyBaxXL.NcJx9TUwgWDT0hRzFzqSrdGGTN3FgSTA1v4QnHtEygNj3eZ.u0MThqWUaDiP87nqha7XnT66bkTCkQ8.7T8L4KZjIImrNrUftedTTBi.WCi.zlrBxDuOM0da0JbUkQlXqvp0yvJAPpC11nxmmZOAbQOywZGmu9nhZNuwTlxjfIro0FOdthaDTuZRL9VL7MRPUDo/DQEyW.d4H.UIlzp", + "2", + NULL, NULL }, + /* These are the primes from the old 'primes' file that are not included */ + /* in the new 'moduli' file. */ + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinOch5R", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinOch5R", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinOmMSp", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinOmMSp", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinOxft3", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinOxft3", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPBWzx", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPBWzx", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPBxwZ", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPBxwZ", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPCGYB", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPCGYB", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPGq83", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPGq83", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPQK0R", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPQK0R", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPQqxx", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPQqxx", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPRTbJ", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPRTbJ", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPVQQB", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPVQQB", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPXEWp", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPXEWp", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPYxQB", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPYxQB", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPZUyx", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPZUyx", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPkDNp", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPkDNp", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPkyJx", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPkyJx", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPpw7x", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinPpw7x", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQ884h", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQ884h", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQB6Mp", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQB6Mp", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQDMuZ", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQDMuZ", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQNGwZ", + "2", + NULL, NULL }, + { "gkqSd6XW9yaVqGp1bxd27WLqOdeuhx6U2VHSx1upNY/IjnRrtLdauJNOo5kt18LUlx6wqqaDQByUJ63.lhSd/DRN8T77Q7bPW0WFn6kPKetV80G6LUWm0HEwQwMwAVCU5fYd1VANLxogO6uD1VRTVbXRW/yl9BKGEjpeinQNGwZ", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAMmuyx", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAMuhKB", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fANG4rZ", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fANiobh", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAO/D.B", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAODm8x", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAPqjtB", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAQ1hxB", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAQA.8J", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAQVn3h", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fARbdZZ", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fARoLEJ", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAS0SIp", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fASINr3", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fASKzKB", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fASsn63", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAT2GSx", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAT4gu3", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fATL7CZ", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fATPQAZ", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fATPhDp", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fATaZmJ", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fATdepZ", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAToFvh", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAU0I7h", + "2", + NULL, NULL }, + { "4wtEYp5YHyOWToTDc9nGMiXb7qwcEjDnMadhzzmgfq/2WAoED2D5FiTdvN7w3FPQbOLf9caZ6m.xpq6BzAIxuhjzD91D59IIU2VQsQDD23HUpGDqraXu5MXA/y9vXKrkxdBBUK65NCHlq.u5RhGGfNmmOOND4.FPEiipRhZsAyOSCHi9ajhxqrg3NAHggqld7AYXIvYq/TSg254Lt4PJ7t4RfAr1KpghHE.3dNbIjyHbMZC9xlkyF.ZV8HENvOto8rbiQLg9axvzWUnIkOaQKUpc8FthZ4qThOVvURetNDurUzrur6SkeNPI6fxmmEX2rYpUymcsxIpK7B0fAU2JxR", + "2", + NULL, NULL }, + /* These are the primes and generators from the file 'moduli'. */ + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrH9mY7B", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrH9oLf3", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrH9p8px", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrH9sRst", + "5", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrH9.sxp", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHA005J", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHA1kdh", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHA7ooJ", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHA86hR", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHAAX2R", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHAAy6x", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHAEjph", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHANekl", + "5", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHARLJN", + "5", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHARiHl", + "5", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHAk69l", + "5", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHAnznp", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHAx/1p", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHAzPJ/", + "5", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHA/knJ", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHB2pKJ", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHB5bS7", + "5", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBEfPp", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBGcOZ", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBH2VR", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBNZ/7", + "5", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBPPPB", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBQfDp", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBSWEp", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBUf//", + "5", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBVQhJ", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBXLml", + "5", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBZ5Fh", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBdoR3", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBe0QN", + "5", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBfKCJ", + "2", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBhkyd", + "5", + NULL, NULL }, + { "DpwnE/edri8AMAhccVerZw4.aaUNJXqbuWLXeMLHf5ZsWPXvY2AZ2pK.3YJjJXahVqXLEZOxw56kjW8LYvBzia3IFrvxhCuVPFyUKEyHGkbKvcwFFFVlGrESO001x3frV4kUYotwav9WIvnNut5SCHut2th74cmheUbtrHBjSuB", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mpEL67", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mpJj5R", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mpMVm7", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mpNtg3", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mpRHGp", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mpUoKx", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mpezG/", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mploIZ", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mq0HkB", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mq0gal", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mq1jD3", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mqDleh", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mqSSyR", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mrAlNl", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mrZCFB", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mrgRV/", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mrif9/", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mrn7CZ", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mrpwd3", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mruBit", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mrwSmZ", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mr/Nrd", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.ms1IpB", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.msIXu7", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mshLLN", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.msxbU/", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mt5gSB", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mt7G4B", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mt7hN7", + "5", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mt9rzB", + "2", + NULL, NULL }, + { "RVqMsMQUslGkzTJks2geImL1ti84MshrK26XXFChojvXIX51Dm8icej1m9hyE1cUSmM6Jt2eS8yt/24d9axFJwCZaV93p6AubWBJWJ22PvvRtqbhgT.ao1Yj8Umc6syHX1vlBU5NJEbGbOGThmKeQCpLwR/AL3u9DBKATgMOvfCJRUBKUQxpU5sNklzFk5gur6sa9CJCNX6holSOWtuMDGc2luedSeCOx0B77j5azNpR4XjoOKjxV41c4.mtECFp", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auKwogoh", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auKwvRuF", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auKwxUBJ", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auKx3pBB", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auKxCEK3", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auKxoQzN", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auKy859Z", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auKyFovJ", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auKyeek/", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auKyk143", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auKzyJj7", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auKzy.rJ", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK.NINd", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK.dF0J", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK.dXph", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK.zOj/", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK/0NQN", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK/3dBJ", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK/5CuN", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK/BkkZ", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK/Kkad", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK/Ts.B", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK/oO13", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK/r.gl", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auK/.QzV", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auL0JZCB", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auL0PoqV", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auL0vB8J", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auL1H9H/", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auL1Jo8x", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auL1KY1p", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auL1V8vJ", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auL2Ba6h", + "2", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auL2VTF/", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auL2hwBN", + "5", + NULL, NULL }, + { "1.q8YBPWg1ZnNbzsf/A/4CcTT1ATe4H6nW4MoSW0K11WkA/mTTpWm8pltsbKGERnRypR1ZMT20xsBMI5owwvIvA.TnrJMqwfnT5DXCrsIU9SVFwYoHH8RCA/tdV4mDyTRTxMN.ulKwVwQGh.EEu0mLJxhl.JL6QnTiiAxG95YbKfAVJgVyFc.VTOtdyYp1z9P1z9A2146zmGdmpXZuW/oJwfh4mKCcWheSMsU.sCXX5IfVbIgCtF6yu2kDa.WC4Jpf/YvAoacobukPgCNw8nftzUV61DHCV6wfZLOIbDJtgmOKCigukzpiDbdUPFPIPUQv/5z6XvknVCD9auL2m4et", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiAiMsl", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiAnMp/", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiCBqj/", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiD1EVt", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiD1tbB", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiDA.ZF", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiDNG4h", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiEfPuN", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiErjfF", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiE.pcp", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiFi7mR", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiGtP/3", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiH0uSt", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiHBYJd", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiHoUdx", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiIE0Fh", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiIOIxJ", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiJeb27", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiKB4uZ", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiKM7Zp", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiLAlQh", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiLvuoB", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiMIR/l", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiMJKu/", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiMu7ip", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiNS693", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiOBzbN", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiOTea3", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiOtFmx", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiQ6lUN", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiR5L7d", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiRzux7", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiSC08R", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiSydT3", + "2", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiT9VhN", + "5", + NULL, NULL }, + { "PfkZxMOV8ce92.LaIYkq89Dnju/3veIA2LWXcJzP24obxX85BvTz0V1cRmFsLpiPdVx9gvHOZ2nWtZi.VFK9HOUHdym/j0fXmc7eaQ3v7P/yZp3A4i.0dTWf3TU6.ei47/h5UJmuyuTNwcUGHoh2QI65jLIm16wC1boOF0hCZI.5gqljzyuZC0aXZ9QH/aGc5O3K59yTH76mjTzvuYGb97JhmxUrIGbGkqEBz9ZdduUKIOiwEr.xGeASExwa1dyemZla0tUvXhrKGypF0a1RZCog2UWNdm5er9QPb1SQQjcFWG5Ro4uGf4uU/Iu8OiNHglwP0KSLesW0szccnHm29io2fb7QvFSzLCJH0y4z71NFZCfdrSivy3ncyxT6Vu/zp51qpGmR9JZx.LQN6/EJ5CxT8E6n3U5jXk4Bv/fR6d1gwqmrRqc0UY87BD05MQyAXZU8bMPHaPucenNgqT9kV9ZyJFereF1Dr02YcHeV/bid7.tbGtM9QYdvQBuTKHkaPgagm.Dt9mdyWLiTZ2TJ", + "2", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4C7WZp", + "2", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4C8P.p", + "2", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4CPWi/", + "5", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4DT1CJ", + "2", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4Dr16J", + "2", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4E2hJl", + "5", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4E8lXN", + "5", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4ECOAB", + "2", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4Eueih", + "2", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4EwNex", + "2", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4FKiHZ", + "2", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4GOdhp", + "2", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4GfvEp", + "2", + NULL, NULL }, + { "6MrkVNi.jjCopZHl8b30kbRI4Cf3nfwG5UTy.B/cC7JsfyX25V7X4CzyohVdWo04X8HQGuV.q6usqw6h.E8e9oRiicEt5WSBcNLVs6xaWmz6ti5Yr.j/sNM1zh/H3kBeQpXewUnRg1nFs9JV6Q9uyIWzX6Oyx1K/F50pwtOOYmETY6PWp7bdQRtBfrWZGvOzIRfNqXSVACAGMONsZpFzoAxWZOc1YWz1Kiqk3xDjCaRguDPH04ElbwVfx0MxOc97TLJp76rptRjig64itVsSDQl6HTZxlqNNaZgD.uOkUHEBG5zX5n4J84HWMWPXcv92rBt.7cWnlG1ptXPPq.JumGsNqwCkCCIxxSbSof6ryyCdIavhk9VGeploGbPs/YjrXBpG..R/ABxfXlKlvFXvKOcqYVzg1BXZGSLUQjEwicG7QiOEyiDdqXpBPBEPhE6wkNO8IoVqLRSFmcnSRLWFXUaQD94yxQ83hpQ69kfuZvAJ6mfbQpoPFZEdLIoSnOqF0l1aY7tNcegne0HT1QLvPdtD62te4BWHXsnYStE8Zj0Cslo9HhZisCLcM39zZj7xyGtaDHqshkQQ6sl8U3TTbCtIVofyKJwd2GyxnDanvsO7jWTn6DSSxVua8kXaAgI3jDm.1MyBvizAEs7lZIW59Y3OYB1Ut32Hi0yeS4Hqg8d", + "5", + NULL, NULL }, +}; + +int SRP_nparams = 228; diff -burN openssh-3.7.1p2/srp-util.c openssh/srp-util.c --- openssh-3.7.1p2/srp-util.c 1969-12-31 16:00:00.000000000 -0800 +++ openssh/srp-util.c 2004-02-08 01:42:06.000000000 -0800 @@ -0,0 +1,833 @@ +/* SRP implementation for OpenSSH by Dr. Tom . */ + +#include "includes.h" + +#include +#include +#include +#include + +#include "xmalloc.h" +#include "buffer.h" +#include "bufaux.h" +#include "pathnames.h" +#include "log.h" +#include "ssh2.h" +#include "srp.h" + +extern u_char *session_id2; +extern int session_id2_len; + +/* + * The following routines deal with the files that store verifier + * entries and prime groups. This version handles two types of files: + * "verifier" files and libsrp format "tpasswd" files (also known as + * EPS files -- Exponential Password Suite). + * + * The verifier files store the prime and generator explicitly, while + * the tpasswd files use an index into a global configuration file. + * + * User verifier entries have the following format (one long line + * per entry): + * u:v:s::p:g + * where u is the username, v is the verifier, s is the salt, p is + * the prime, and g is the generator. The username is a string, the + * salt is a binary string, and the rest are bignums. The bignums and + * salt are stored in libsrp base64. User verifier entries are stored + * either in $HOME/.ssh/verifier or SSHDIR/verifier, where the latter + * would normally have many entries, one for each user. + * + * The libsrp /etc/tpasswd file stores many entries, which have the + * format: + * u:v:s:i + * where i is a numeric identifier that points into /etc/tpasswd.conf, + * whose entries have the format: + * i:p:g + * The bignums and salt are stored in libsrp base64 format. + * + * A file called SSHDIR/verifier.conf is also allowed which stores + * entries with the format: + * :p:g + * + * SSHDIR/verifier.conf and /etc/tpasswd.conf store trusted SRP parameters. + * You should never add an entry to either of these files unless you know + * that the parameters are safe. Normally you don't need to do anything, + * because there is a built-in set of parameters (stored in SRP_param[]) + * that are used by default. + * + * During group exchange, the SRP_param[] table and these two files + * are searched to quickly verify that a (p, g) pair sent during group + * exchange is valid. If the parameters are not found, an expensive + * primality test is necessary. Thus if a non-default group is ever + * used, adding it as an entry in SSHDIR/verifier.conf makes this check + * run much faster. + */ + +/* This is handy. */ + +void +fatal_bignum_error(void) +{ + fatal("BIGNUM error: %s", ERR_error_string(ERR_get_error(), NULL)); +} + +/* + * If the owner and mode are correct, open the file for reading. + * The owner must match exactly, and the modemask bits must be zero. + * Return the open FILE * if OK, or NULL if error or bad owner or mode. + * XXX: this doesn't check the containing dir. + */ +static FILE * +fopen_owner_mode(const char *name, int owner, int modemask) +{ + struct stat st; + + if (stat(name, &st) < 0) + return NULL; + + if (st.st_uid != owner || (st.st_mode & modemask) != 0) { + error("Bad ownership(%d) or mode(0%3.3o) for '%s'.", + st.st_uid, st.st_mode & 0777, name); + return NULL; + } + + return fopen(name, "r"); +} + +/* + * Find and open the conf file. '*try' must be zero the first time this + * routine is called (for each group). It is incremented here after + * each open, so if the group wasn't found subsequent calls can keep + * going. It is the caller's responsibility to close the file. + * Return the FILE * or NULL on error. + */ +static FILE * +open_conf(int *try) +{ + FILE *infile; + + /* + * Try, in order, + * SSHDIR/verifier.conf + * /etc/tpasswd.conf + */ + + if (*try == 0) { + infile = fopen_owner_mode(_PATH_SSH_SYSTEM_SRPGROUPS, 0, 033); + (*try)++; + if (infile != NULL) + return infile; + } + + if (*try == 1) { /* This has to be try #1 for get_tconf_entry(). */ + infile = fopen_owner_mode(_PATH_SSH_LIBSRP_TPASSWD_CONF, 0, 033); + (*try)++; + if (infile != NULL) + return infile; + } + + /* Not found. */ + + return NULL; +} + +/* + * This routine gets the next prime & generator from the conf file. The + * id is set to zero for verifier.conf and the real id for tpasswd.conf. + * Return 1 for success, 0 for error (including EOF). + */ +static int +parse_conf(FILE *infile, BIGNUM *p, BIGNUM *g, int *id) +{ + char *s, *iptr, *pptr, *gptr; + char buf[8 * 1024]; + int c, n; + + /* Get the next non-comment line. */ + + s = buf; + n = 0; + while ((c = getc(infile)) != EOF && c != '\n') { + if (n == 0 && c == '#') { + while ((c = getc(infile)) != EOF && c != '\n') + ; + if (c == EOF) + break; + continue; + } + *s++ = c; + n++; + if (n == sizeof(buf)) + goto parse_err; + } + *s = '\0'; + + if (n == 0 && c == EOF) + return 0; + + /* Carve. [i]:p:g */ + + s = buf; + if ((iptr = strsep(&s, ":")) == NULL) + goto parse_err; + if ((pptr = strsep(&s, ":")) == NULL) + goto parse_err; + if ((gptr = strsep(&s, ":")) == NULL) + goto parse_err; + if (s != NULL) + goto parse_err; + + /* Convert to BIGNUMs. */ + + *id = 0; + if (*iptr) + *id = atoi(iptr); + if (!srp_tfmt2bn(p, pptr)) + goto err; + if (!srp_tfmt2bn(g, gptr)) + goto err; + + return 1; + +err: + fatal_bignum_error(); + /* NOT REACHED */ + +parse_err: + error("SRP conf file parse error"); + return 0; +} + +/* + * This routine searches /etc/tpasswd.conf for the entry with id id, and + * gets the (preallocated) prime and generator. Return 1 for success, + * 0 for error. + */ +static int +get_tconf_entry(int id, BIGNUM *p, BIGNUM *g) +{ + int try, n, ret; + FILE *infile; + + try = 1; + if ((infile = open_conf(&try)) == NULL) + return 0; + ret = 0; + while (parse_conf(infile, p, g, &n)) + if (n == id) { + ret = 1; + break; + } + fclose(infile); + return ret; +} + +/* + * Return the ith built-in parameter. If p and g are not NULL, copy the + * values to them. + */ +void +srp_get_param(int i, BIGNUM *p, BIGNUM *g) +{ + SRP_PARAM *pp; + + if (i < 0 || i >= SRP_nparams) + fatal("invalid call to srp_get_param"); + pp = &SRP_param[i]; + + /* + * The values start out life as base64 strings. The server + * converts them all up front via srp_param_init(), but the + * client converts them on demand. This routine is used in + * either case to do the actual conversion. + */ + if (pp->p == NULL) { + if ((pp->p = BN_new()) == NULL) + goto err; + if (!srp_tfmt2bn(pp->p, pp->prime_tfmt)) + goto err; + if ((pp->g = BN_new()) == NULL) + goto err; + if (!srp_tfmt2bn(pp->g, pp->gen_tfmt)) + goto err; + } + + if (p != NULL && BN_copy(p, pp->p) == NULL) + goto err; + if (g != NULL && BN_copy(g, pp->g) == NULL) + goto err; + + return; + +err: + fatal_bignum_error(); +} + +/* Convert all the built-in SRP parameters to BIGNUMs. */ + +void +srp_param_init() +{ + int i; + + for (i = 0; i < SRP_nparams; i++) + srp_get_param(i, NULL, NULL); +} + +/* + * Find and open the verifier file. '*try' must be zero the first time + * this routine is called (for each user) and it is incremented here after + * each open, so if the username wasn't found subsequent calls can keep + * keep going. It is the caller's responsibility to close the file. + * Return the FILE * or NULL on error. + */ +static FILE * +open_verifier(const struct passwd *pw, int *try) +{ + char *name, *home; + int namelen; + FILE *infile; + + /* + * Try, in order, + * $HOME/.ssh/verifier + * SSHDIR/verifier + * /etc/tpasswd + */ + if (*try == 0) { + home = pw->pw_dir; + namelen = + strlen(home) + strlen(_PATH_SSH_USER_VERIFIER) + 2; + name = xmalloc(namelen); + snprintf(name, namelen, "%s/%s", home, _PATH_SSH_USER_VERIFIER); + infile = fopen_owner_mode(name, pw->pw_uid, 077); + xfree(name); + (*try)++; + if (infile != NULL) + return infile; + } + + if (*try == 1) { + infile = fopen_owner_mode(_PATH_SSH_SYSTEM_VERIFIER, 0, 077); + (*try)++; + if (infile != NULL) + return infile; + } + + if (*try == 2) { + infile = fopen_owner_mode(_PATH_SSH_LIBSRP_TPASSWD, 0, 077); + (*try)++; + if (infile != NULL) + return infile; + } + + /* Not found. */ + + return NULL; +} + +/* + * Parse a verifier line and check for the username. If it looks like + * u:v:s::p:g + * then we've got everything, but if it looks like + * u:v:s:i + * then it's a tpasswd file so we need to get the rest from the .conf + * file. This updates the SRP context with the found values. + * Set found to 1 if we found the username, otherwise set it to 0. + * Return 0 on EOF or parse error, 1 otherwise. + */ +static int +parse_verifier(FILE *infile, const char *name, int *found, SRP_CTX *srp) +{ + char *s, *uptr, *vptr, *sptr, *iptr, *pptr = NULL, *gptr = NULL; + char buf[8 * 1024]; + int c, n; + + /* + * Get the next line. It's probably long, and the 8K buffer is + * enough to read some very very large numbers. Normal use with + * 1024 bit numbers is less than 1K. + */ + *found = 0; + s = buf; + n = 0; + while ((c = getc(infile)) != EOF && c != '\n') { + *s++ = c; + n++; + if (n == sizeof(buf)) + goto parse_err; + } + *s = '\0'; + + if (n == 0 && c == EOF) + return 0; + + /* Allow comment lines. */ + + if (buf[0] == '#') + return 1; + + /* Return if the first field isn't the username we want. */ + + s = buf; + if ((uptr = strsep(&s, ":")) == NULL) + goto parse_err; + if (strcmp(uptr, name) != 0) + return 1; + *found = 1; + + /* Found it. Carve up the rest of the buffer. v:s:[i|:p:g] */ + + iptr = NULL; + if ((vptr = strsep(&s, ":")) == NULL) + goto parse_err; + if ((sptr = strsep(&s, ":")) == NULL) + goto parse_err; + if (*s != ':') { + if ((iptr = strsep(&s, ":")) == NULL) + goto parse_err; + } else { + s++; + if ((pptr = strsep(&s, ":")) == NULL) + goto parse_err; + if ((gptr = strsep(&s, ":")) == NULL) + goto parse_err; + } + if (s != NULL) + goto parse_err; + + /* Now get p and g (if necessary) and convert from base64. */ + + if (iptr) { + + /* tpasswd format. Get p and g from the tpasswd.conf file. */ + + n = atoi(iptr); + if (!get_tconf_entry(n, srp->p, srp->g)) + goto parse_err; + } else { + + /* verifier format. We got 'em, so convert 'em. */ + + if (!srp_tfmt2bn(srp->p, pptr)) + goto err; + if (!srp_tfmt2bn(srp->g, gptr)) + goto err; + } + + /* + * Convert verifier and salt, save the converted salt in new + * storage, and return success. + */ + if (!srp_tfmt2bn(srp->v, vptr)) + goto err; + srp->slen = srp_tfmt2bin(sptr, sptr); + srp->salt = xmalloc(srp->slen); + memcpy(srp->salt, sptr, srp->slen); + return 1; + +parse_err: + error("SRP verifier file parse error"); + return 0; + +err: + fatal_bignum_error(); + return 0; /* mu */ +} + +/* + * If the username wasn't found in the verifier files, make up some + * fake values so the authentication procedure can continue, wasting + * time for a brute-force attacker. + */ +static void +fake_verifier(SRP_CTX *srp) +{ + int i; + BIGNUM *x; + + /* Make sure the prime is valid. */ + + i = arc4random() % SRP_nparams; + srp_get_param(i, srp->p, srp->g); + + if ((x = BN_new()) == NULL) + goto err; + if (!BN_rand(x, SALTLEN, 0, 0)) /* salt */ + goto err; + srp->slen = BN_num_bytes(x); + srp->salt = xmalloc(srp->slen); + if (!BN_bn2bin(x, srp->salt)) + goto err; + + /* Make the fake v from a fake x for added realism. */ + + if (!BN_rand(x, EVP_MAX_MD_SIZE * 8, 0, 0)) + goto err; + if (!BN_mod_exp(srp->v, srp->g, x, srp->p, srp->ctx)) + goto err; + BN_clear_free(x); + + return; + +err: + fatal_bignum_error(); +} + +/* + * Locate the user's verifier entry and update the SRP context. If the + * user doesn't exist, return fake parameters. This allocates the salt + * with xmalloc(). + */ +void +srp_find_verifier(const struct passwd *pw, SRP_CTX *srp) +{ + int found, try; + char *username; + FILE *infile; + + /* pw is NULL if the username wasn't found. */ + + if (pw == NULL) { + logit("SRP request for unknown user, making random parameters"); + fake_verifier(srp); + return; + } + username = pw->pw_name; + + /* + * Open the files one by one and search for the first entry that + * matches the username. + */ + try = 0; + while ((infile = open_verifier(pw, &try)) != NULL) { + + /* + * Search for the username in this file. If it's found, + * parse_verifier() fills in the context. Otherwise we + * keep looking. + */ + while (parse_verifier(infile, username, &found, srp)) + if (found) { + fclose(infile); + return; + } + fclose(infile); + } + + /* Ran out of files. Fake it. */ + + logit("no verifier for user %s, making random parameters", username); + fake_verifier(srp); +} + +/* + * This is called by both client and server to determine whether or + * not 1) the prime p is safe and 2) the generator g is primitive. + * Returns true if both 1 and 2 are true, false otherwise. + */ +int +is_safe_group(const BIGNUM *p, const BIGNUM *g) +{ + int try, i, safe; + FILE *infile; + BIGNUM *prime, *gen; +#ifdef SRP_PRIMALITY_TEST + BIGNUM *q, *r; + BN_CTX *ctx; + BN_ULONG l; +#endif + + if ((prime = BN_new()) == NULL) + goto err; + if ((gen = BN_new()) == NULL) + goto err; + + /* + * Search the tables of known safe groups and generators. + * Embedded tables first. + */ + safe = 0; + for (i = 0; i < SRP_nparams; i++) { + srp_get_param(i, prime, gen); + if (BN_cmp(p, prime) == 0 && BN_cmp(g, gen) == 0) { + safe = 1; + break; + } + } + + /* Now the external tables, if any. */ + + try = 0; + while (!safe && (infile = open_conf(&try)) != NULL) { + while (parse_conf(infile, prime, gen, &i)) + if (BN_cmp(p, prime) == 0 && BN_cmp(g, gen) == 0) { + safe = 1; + break; + } + fclose(infile); + } + + BN_free(prime); + BN_free(gen); + + if (safe) + return safe; + + /* + * If we can't find p and g in the tables, we do the expensive + * primality and generator tests. + * + * It's somewhat questionable whether to allow users to generate + * their own groups or not, so for the moment this feature + * is disabled. It's also very slow. + */ +#ifdef SRP_PRIMALITY_TEST + verbose("performing SRP parameter check"); + + if ((ctx = BN_CTX_new()) == NULL) + goto err; + if ((q = BN_new()) == NULL) + goto err; + if ((r = BN_new()) == NULL) + goto err; + + if (BN_is_prime(p, 50, NULL, ctx, NULL) != 1) + goto unsafe; + if (!BN_rshift1(q, p)) + goto err; + if (BN_is_prime(q, 50, NULL, ctx, NULL) != 1) + goto unsafe; + + if (BN_is_word(g, 2)) { + if (BN_mod_word(p, 24) != 11) + goto unsafe; + } else if (BN_is_word(g, 5)) { + l = BN_mod_word(p, 10); + if (l != 3 && l != 7) + goto unsafe; + } else { + + /* + * Do it the slow way; g is a generator if + * g^((p-1)/f) mod p != 1 + * for all f which are factors of p-1. That's 2 and q, + * so check them. + */ + if (!BN_mod_exp(r, g, q, p, ctx)) + goto err; + if (BN_is_one(r)) + goto unsafe; + if (!BN_set_word(q, 2)) + goto err; + if (!BN_mod_exp(r, g, q, p, ctx)) + goto err; + if (BN_is_one(r)) + goto unsafe; + } + safe = 1; + + /* fall through */ +unsafe: + BN_free(r); + BN_free(q); + BN_CTX_free(ctx); +#endif /* SRP_PRIMALITY_TEST */ + + return safe; + +err: + fatal_bignum_error(); + return 0; /* mu */ +} + +/* + * The next few routines are used during calculation of the values used + * by the SRP protocol that have to be done the same way on both sides, + * or during verifier creation. + */ + +/* Make a new SRP context. The salt is not allocated. */ + +SRP_CTX * +SRP_CTX_new() +{ + SRP_CTX *srp; + + srp = xmalloc(sizeof(SRP_CTX)); + + srp->salt = NULL; + if ((srp->ctx = BN_CTX_new()) == NULL) + goto err; + if ((srp->p = BN_new()) == NULL) + goto err; + if ((srp->g = BN_new()) == NULL) + goto err; + if ((srp->a = BN_new()) == NULL) + goto err; + if ((srp->e = BN_new()) == NULL) + goto err; + if ((srp->f = BN_new()) == NULL) + goto err; + if ((srp->v = BN_new()) == NULL) + goto err; + if ((srp->pm1 = BN_new()) == NULL) + goto err; + + return srp; + +err: + fatal_bignum_error(); + return NULL; /* mu */ +} + +/* Free an SRP context, including the salt. */ + +void +SRP_CTX_free(SRP_CTX *srp) +{ + if (srp == NULL) + return; + + /* BN_CTX_free() clears all its BIGNUMs before freeing them. */ + + if (srp->salt != NULL) + xfree(srp->salt); + BN_CTX_free(srp->ctx); + BN_free(srp->p); + BN_free(srp->g); + BN_clear_free(srp->a); + BN_free(srp->e); + BN_free(srp->f); + BN_clear_free(srp->v); + BN_free(srp->pm1); + xfree(srp); +} + +/* + * Calculate x = HASH(salt | HASH(username | passphrase)). This + * calculation is used both in verifier generation and in the client. + * Sets x, which must be allocated. + */ +void +srp_x_calc(const char *salt, int slen, const char *username, + const char *passphrase, BIGNUM *x) +{ + int dlen; + u_char digest[EVP_MAX_MD_SIZE]; + EVP_MD *evp_md = EVP_sha1(); + EVP_MD_CTX md; + + EVP_DigestInit(&md, evp_md); + EVP_DigestUpdate(&md, username, strlen(username)); + EVP_DigestUpdate(&md, ":", 1); + EVP_DigestUpdate(&md, passphrase, strlen(passphrase)); + EVP_DigestFinal(&md, digest, &dlen); + + EVP_DigestInit(&md, evp_md); + EVP_DigestUpdate(&md, salt, slen); + EVP_DigestUpdate(&md, digest, dlen); + EVP_DigestFinal(&md, digest, &dlen); + + if (BN_bin2bn(digest, dlen, x) == NULL) + fatal_bignum_error(); + memset(digest, 0, dlen); +} + +/* This routine calculates the value of u given f. Returns u. */ + +BN_ULONG +srp_u_calc(const BIGNUM *f) +{ + int len; + u_char *buf, digest[EVP_MAX_MD_SIZE]; + BN_ULONG u; + EVP_MD *evp_md = EVP_sha1(); + EVP_MD_CTX md; + + /* u is the first 32 bits of HASH(f). */ + + len = BN_num_bytes(f); + buf = xmalloc(len); + if (!BN_bn2bin(f, buf)) + fatal_bignum_error(); + EVP_DigestInit(&md, evp_md); + EVP_DigestUpdate(&md, buf, len); + EVP_DigestFinal(&md, digest, &len); + xfree(buf); + + u = ((u_int32_t)digest[0] << 24) | + ((u_int32_t)digest[1] << 16) | + ((u_int32_t)digest[2] << 8) | + ((u_int32_t)digest[3]); + + return u; +} + +/* + * This routine calculates the exchange hash and HMACs for the client + * and server proofs, and updates the SRP context. + */ +void +srp_hash_calc(const char *username, const char *service, const char *method, + SRP_CTX *srp, const BIGNUM *K) +{ + int klen, hlen; + u_char *kbuf, hash[EVP_MAX_MD_SIZE]; + Buffer buf; + EVP_MD *evp_md = EVP_sha1(); + EVP_MD_CTX md; + HMAC_CTX hmac; + + /* + * Make a hash H of values used during the computation, including + * the session id. + */ + buffer_init(&buf); + + buffer_append(&buf, session_id2, session_id2_len); + buffer_put_char(&buf, SSH2_MSG_USERAUTH_REQUEST); + buffer_put_cstring(&buf, username); + buffer_put_cstring(&buf, service); + buffer_put_cstring(&buf, method); + buffer_put_string(&buf, srp->salt, srp->slen); + buffer_put_bignum2(&buf, srp->p); + buffer_put_bignum2(&buf, srp->g); + buffer_put_bignum2(&buf, srp->e); + buffer_put_bignum2(&buf, srp->f); + + EVP_DigestInit(&md, evp_md); + EVP_DigestUpdate(&md, buffer_ptr(&buf), buffer_len(&buf)); + EVP_DigestFinal(&md, hash, &hlen); + + /* Calculate the client authenticator m1 = HMAC(K, H). */ + + klen = BN_num_bytes(K); + kbuf = xmalloc(klen); + if (!BN_bn2bin(K, kbuf)) + fatal_bignum_error(); + + HMAC_Init(&hmac, kbuf, klen, evp_md); + HMAC_Update(&hmac, hash, hlen); + HMAC_Final(&hmac, srp->m1, &srp->m1len); + HMAC_cleanup(&hmac); + + /* Calculate the server authenticator HMAC(K, e | m1 | H). */ + + buffer_clear(&buf); + buffer_put_bignum2(&buf, srp->e); + buffer_put_string(&buf, srp->m1, srp->m1len); + buffer_put_string(&buf, hash, hlen); + + HMAC_Init(&hmac, kbuf, klen, evp_md); + HMAC_Update(&hmac, buffer_ptr(&buf), buffer_len(&buf)); + HMAC_Final(&hmac, srp->m2, &srp->m2len); + HMAC_cleanup(&hmac); + + /* Cleanup and return. */ + + memset(hash, 0, hlen); + memset(kbuf, 0, klen); + xfree(kbuf); + buffer_free(&buf); +} diff -burN openssh-3.7.1p2/srp.h openssh/srp.h --- openssh-3.7.1p2/srp.h 1969-12-31 16:00:00.000000000 -0800 +++ openssh/srp.h 2004-02-08 01:42:06.000000000 -0800 @@ -0,0 +1,130 @@ +/* SRP implementation for OpenSSH by Dr. Tom . */ + +#ifndef SRP_H +#define SRP_H + +#include +#include + +/* The name of the supported authentication method. */ +#define SRP_GEX_SHA1 "srp-gex-sha1" + +/* The length of the random exponents, in bits. */ +#define ALEN 256 + +/* The default length of the salt, in bits. */ +#define SALTLEN 80 + +/* Embedded SRP parameters are stored in this structure. */ +typedef struct srp_param { + char *prime_tfmt; /* the safe prime in libsrp base64 */ + char *gen_tfmt; /* the generator in libsrp base64 */ + BIGNUM *p; /* the prime as a BIGNUM */ + BIGNUM *g; /* the generator as a BIGNUM */ +} SRP_PARAM; + +extern SRP_PARAM SRP_param[]; +extern int SRP_nparams; + +/* SRP authentication context. */ +typedef struct { + u_char *salt; /* salt */ + u_int slen; /* number of bytes in salt */ + BN_CTX *ctx; /* BIGNUM context used during calculations */ + BIGNUM *p; /* safe prime */ + BIGNUM *g; /* primitive generator */ + BIGNUM *a; /* secret exponent (one on each side) */ + BIGNUM *e; /* public value sent by client */ + BIGNUM *f; /* public value sent by server */ + BIGNUM *v; /* verifier */ + BIGNUM *pm1; /* p - 1, for convenience */ + BN_ULONG u; /* SRP mixing parameter */ + u_char m1[EVP_MAX_MD_SIZE]; /* proof hashes */ + u_char m2[EVP_MAX_MD_SIZE]; + u_int m1len; /* proof hash lengths */ + u_int m2len; +} SRP_CTX; + +/* + * Return the ith built-in parameter. If p and g are not NULL, copy the + * values to them. + */ +void +srp_get_param(int i, BIGNUM *p, BIGNUM *g); + +/* Convert all the built-in SRP parameters to BIGNUMs. */ + +void +srp_param_init(); + +/* + * Locate the user's verifier entry and update the SRP context. If the + * user doesn't exist, return fake parameters. This allocates the salt + * with xmalloc(). + */ +void +srp_find_verifier(const struct passwd *pw, SRP_CTX *srp); + +/* + * This is called by both client and server to determine whether or + * not 1) the prime p is safe and 2) the generator g is primitive. + * Returns true if both 1 and 2 are true, false otherwise. + */ +int +is_safe_group(const BIGNUM *p, const BIGNUM *g); + +/* Make a new SRP context. The salt is not allocated. */ + +SRP_CTX * +SRP_CTX_new(); + +/* Free an SRP context, including the salt. */ + +void +SRP_CTX_free(SRP_CTX *srp); + +/* + * Calculate x = HASH(salt | HASH(username | passphrase)). This + * calculation is used both in verifier generation and in the client. + * Sets x, which must be allocated. + */ +void +srp_x_calc(const char *salt, int slen, const char *username, + const char *passphrase, BIGNUM *x); + +/* This routine calculates the value of u given f. Returns u. */ + +BN_ULONG +srp_u_calc(const BIGNUM *f); + +/* + * This routine calculates the exchange hash and HMACs for the client + * and server proofs, and updates the SRP context. + */ +void +srp_hash_calc(const char *username, const char *service, const char *method, + SRP_CTX *srp, const BIGNUM *K); + +/* + * Convert a libsrp base64 string into a BIGNUM, which must be + * preallocated. Returns 1 for success, 0 for error. + */ +int +srp_tfmt2bn(BIGNUM *dst, const char *src); + +/* + * Convert a libsrp base64 string into raw byte array representation. + * dst must already be allocated, and must be large enough. Returns the + * length of the converted src. XXX Fails for empty fields. + */ +int +srp_tfmt2bin(char *dst, const char *src); + +/* + * Convert a BIGNUM into a null-terminated libsrp base64 ASCII string. + * Returns dst, which must be preallocated and big enough. + */ +char * +srp_bn2tfmt(char *dst, const BIGNUM *src); + +#endif /* SRP_H */ diff -burN openssh-3.7.1p2/ssh2.h openssh/ssh2.h --- openssh-3.7.1p2/ssh2.h 2003-05-13 20:46:53.000000000 -0700 +++ openssh/ssh2.h 2004-02-08 01:42:17.000000000 -0800 @@ -111,6 +111,9 @@ #define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ 60 #define SSH2_MSG_USERAUTH_INFO_REQUEST 60 #define SSH2_MSG_USERAUTH_INFO_RESPONSE 61 +#define SSH2_MSG_USERAUTH_SRP_REPLY 60 +#define SSH2_MSG_USERAUTH_SRP_VALUE 61 +#define SSH2_MSG_USERAUTH_SRP_PROOF 62 /* connection protocol: generic */ diff -burN openssh-3.7.1p2/ssh_config openssh/ssh_config --- openssh-3.7.1p2/ssh_config 2003-08-13 03:37:05.000000000 -0700 +++ openssh/ssh_config 2004-02-08 01:42:17.000000000 -0800 @@ -21,6 +21,7 @@ # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes +# SRPAuthentication yes # HostbasedAuthentication no # BatchMode no # CheckHostIP yes diff -burN openssh-3.7.1p2/ssh_config.0 openssh/ssh_config.0 --- openssh-3.7.1p2/ssh_config.0 2003-09-23 02:55:19.000000000 -0700 +++ openssh/ssh_config.0 2004-02-08 01:42:17.000000000 -0800 @@ -278,6 +278,11 @@ to this keyword must be ``yes'' or ``no''. The default is ``yes''. + SRPAuthentication + Specifies whether to try SRP authentication. The argument to + this keyword must be ``yes'' or ``no''. The default is ``yes''. + Note that this option applies to protocol version 2 only. + Port Specifies the port number to connect on the remote host. Default is 22. diff -burN openssh-3.7.1p2/ssh_config.5 openssh/ssh_config.5 --- openssh-3.7.1p2/ssh_config.5 2003-09-02 19:13:30.000000000 -0700 +++ openssh/ssh_config.5 2004-02-08 01:42:17.000000000 -0800 @@ -455,6 +455,15 @@ .Dq no . The default is .Dq yes . +.It Cm SRPAuthentication +Specifies whether to try SRP authentication. +The argument to this keyword must be +.Dq yes +or +.Dq no . +The default is +.Dq yes . +Note that this option applies to protocol version 2 only. .It Cm Port Specifies the port number to connect on the remote host. Default is 22. @@ -466,7 +475,7 @@ over another method (e.g. .Cm password ) The default for this option is: -.Dq hostbased,publickey,keyboard-interactive,password . +.Dq hostbased,publickey,keyboard-interactive,password,srp-gex-sha1 . .It Cm Protocol Specifies the protocol versions .Nm ssh diff -burN openssh-3.7.1p2/sshconnect2.c openssh/sshconnect2.c --- openssh-3.7.1p2/sshconnect2.c 2003-08-25 19:14:05.000000000 -0700 +++ openssh/sshconnect2.c 2004-02-08 01:42:35.000000000 -0800 @@ -49,6 +49,7 @@ #include "canohost.h" #include "msg.h" #include "pathnames.h" +#include "srp.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -175,6 +176,10 @@ Sensitive *sensitive; /* kbd-interactive */ int info_req_seen; + int server_auth; /* SRP authenticates _both_ sides; + * this is set when the client + * authenticates the server. */ + SRP_CTX *srp; /* generic */ void *methoddata; }; @@ -199,6 +204,7 @@ int userauth_kbdint(Authctxt *); int userauth_hostbased(Authctxt *); int userauth_kerberos(Authctxt *); +int userauth_srp(Authctxt *); #ifdef GSSAPI int userauth_gssapi(Authctxt *authctxt); @@ -235,6 +241,10 @@ userauth_pubkey, &options.pubkey_authentication, NULL}, + {SRP_GEX_SHA1, + userauth_srp, + &options.srp_authentication, + &options.batch_mode}, {"keyboard-interactive", userauth_kbdint, &options.kbd_interactive_authentication, @@ -372,6 +382,10 @@ Authctxt *authctxt = ctxt; if (authctxt == NULL) fatal("input_userauth_success: no authentication context"); + if (strcmp(authctxt->method->name, SRP_GEX_SHA1) == 0 && + !authctxt->server_auth) { + fatal("SRP unauthenticated server sent a SUCCESS packet"); + } if (authctxt->authlist) xfree(authctxt->authlist); if (authctxt->methoddata) @@ -1362,6 +1376,283 @@ return 1; } +void fatal_bignum_error(); +static void input_userauth_srp_reply(int type, u_int32_t seq, void *ctxt); +static void input_userauth_srp_value(int type, u_int32_t seq, void *ctxt); +static void input_userauth_srp_proof(int type, u_int32_t seq, void *ctxt); + +int +userauth_srp(Authctxt *authctxt) +{ + static int attempt = 0; + + if (attempt++ >= options.number_of_password_prompts) + return 0; + + if (attempt != 1) + error("Permission denied, please try again."); + + /* Allocate an SRP context and update the authentication context. */ + + authctxt->srp = SRP_CTX_new(); + authctxt->server_auth = 0; + + /* We begin by sending an authorization request for the method. */ + + packet_start(SSH2_MSG_USERAUTH_REQUEST); + packet_put_cstring(authctxt->server_user); + packet_put_cstring(authctxt->service); + packet_put_cstring(authctxt->method->name); + packet_send(); + + /* Round 1 begins when we get the reply from the server. */ + + dispatch_set(SSH2_MSG_USERAUTH_SRP_REPLY, &input_userauth_srp_reply); + return 1; +} + +/* Round 1: get the SRP parameters and send the public value e. */ + +static void +input_userauth_srp_reply(int type, u_int32_t seq, void *ctxt) +{ + int i, plen; + BIGNUM *tmp; + Authctxt *authctxt; + SRP_CTX *srp; + + /* Make sure we're where we're supposed to be. */ + + authctxt = ctxt; + if (authctxt == NULL || authctxt->srp == NULL) + fatal("input_userauth_srp_reply: no context"); + srp = authctxt->srp; + dispatch_set(SSH2_MSG_USERAUTH_SRP_REPLY, NULL); + + /* The server sent us the prime p, generator g, and salt. */ + + packet_get_bignum2(srp->p); + packet_get_bignum2(srp->g); + srp->salt = packet_get_string(&srp->slen); + packet_check_eom(); + + /* + * Make sure the group is OK. XXX note that there is no check + * that this is really the group that the user chose when + * he or she created the verifier (that requires persistent + * client state). + */ + if (!is_safe_group(srp->p, srp->g)) + packet_disconnect("unknown/unsafe SRP group for user %s", + authctxt->server_user); + + /* We'll need p-1 later. */ + + if (!BN_sub(srp->pm1, srp->p, BN_value_one())) + goto err; + + /* + * The random exponent a is ALEN bits long, or the size of p, + * whichever is less. + */ + plen = BN_num_bits(srp->p); + i = ALEN; + if (plen < ALEN) + i = plen; + + /* + * Generate the random exponent a. Loop until lg(p) < a < p-1. + * This guarantees that 1 < e < p-1 and that e isn't some + * obvious power of g. + */ + if ((tmp = BN_new()) == NULL) + goto err; + if (!BN_set_word(tmp, plen)) + goto err; + for (;;) { + if (!BN_rand(srp->a, i, 0, 0)) + goto err; + if (BN_ucmp(srp->a, tmp) > 0 && BN_ucmp(srp->a, srp->pm1) < 0) + break; + } + BN_free(tmp); + + /* Generate the public value e = g^a mod p. */ + + if (!BN_mod_exp(srp->e, srp->g, srp->a, srp->p, srp->ctx)) + goto err; + + /* Send it. */ + + packet_start(SSH2_MSG_USERAUTH_SRP_VALUE); + packet_put_bignum2(srp->e); + packet_send(); + + /* Round 2 begins when we get the server's public value. */ + + dispatch_set(SSH2_MSG_USERAUTH_SRP_VALUE, &input_userauth_srp_value); + return; + +err: + fatal_bignum_error(); +} + +static void +input_userauth_srp_value(int type, u_int32_t seq, void *ctxt) +{ + int plen; + char *passphrase, prompt[100]; + BIGNUM *x, *K; + Authctxt *authctxt; + SRP_CTX *srp; + + /* Make sure we're where we're supposed to be. */ + + authctxt = ctxt; + if (authctxt == NULL || authctxt->srp == NULL) + fatal("input_userauth_srp_value: no context"); + srp = authctxt->srp; + dispatch_set(SSH2_MSG_USERAUTH_SRP_VALUE, NULL); + + /* + * The server sent f = (v + g^b) mod p, where v is the + * user's verifier and b is another random number. + */ + packet_get_bignum2(srp->f); + packet_check_eom(); + + /* Sanity check f. Abort if f is not in (1, p-1). */ + + if (BN_cmp(srp->f, BN_value_one()) <= 0 || + BN_ucmp(srp->f, srp->pm1) >= 0) + packet_disconnect("bad SRP f value"); + + /* Calculate u from f. */ + + srp->u = srp_u_calc(srp->f); + if (srp->u == 0) + packet_disconnect("bad SRP u value"); + + /* Get the passphrase from the user. */ + + /* + * XXX it would actually be nice if we could display the prompt + * and set no-echo mode earlier, and read the passphrase here, + * since the calculations above can be lengthy and could happen + * while the user is typing (we only need the passphrase in + * memory at this point), but the cli_* routines don't have an + * API for that. :-( + */ + snprintf(prompt, sizeof(prompt), "Enter %.30s@%.128s's SRP passphrase: ", + authctxt->server_user, authctxt->host); + passphrase = read_passphrase(prompt, 0); + plen = strlen(passphrase); + + /* Calculate x = HASH(salt | HASH(username | passphrase)). */ + + if ((x = BN_new()) == NULL) + goto err; + srp_x_calc(srp->salt, srp->slen, authctxt->server_user, passphrase, x); + + memset(passphrase, 0, plen); + xfree(passphrase); + + /* Calculate v = g^x mod p. */ + + if (!BN_mod_exp(srp->v, srp->g, x, srp->p, srp->ctx)) + goto err; + + /* Now the shared secret K = (f - v) ^ (a + u * x) mod p. */ + + if (!BN_mul_word(x, srp->u)) + goto err; + if (!BN_add(x, srp->a, x)) /* x = (a + u * x) */ + goto err; + + if ((K = BN_new()) == NULL) + goto err; + if (BN_copy(K, srp->f) == NULL) /* use K as temp */ + goto err; + if (BN_cmp(K, srp->v) < 0) { + if (!BN_add(K, K, srp->p)) + goto err; + } + if (!BN_sub(srp->a, K, srp->v)) /* a = (f - v) */ + goto err; + + if (!BN_mod_exp(K, srp->a, x, srp->p, srp->ctx)) + goto err; + BN_clear_free(x); + + /* Calculate the exchange hash and proofs. */ + + srp_hash_calc(authctxt->server_user, authctxt->service, + authctxt->method->name, srp, K); + BN_clear_free(K); + + /* Send the client authenticator. */ + + packet_start(SSH2_MSG_USERAUTH_SRP_PROOF); + packet_put_string(srp->m1, srp->m1len); + packet_send(); + + /* Wait for the server's authenticator. */ + + dispatch_set(SSH2_MSG_USERAUTH_SRP_PROOF, &input_userauth_srp_proof); + return; + +err: + fatal_bignum_error(); +} + +/* Round 3: check the proofs. */ + +static void +input_userauth_srp_proof(int type, u_int32_t seq, void *ctxt) +{ + int i; + u_int mlen; + u_char *mbuf; + Authctxt *authctxt; + SRP_CTX *srp; + + /* Make sure we're where we're supposed to be. */ + + authctxt = ctxt; + if (authctxt == NULL || authctxt->srp == NULL) + fatal("input_userauth_srp_proof: no context"); + srp = authctxt->srp; + dispatch_set(SSH2_MSG_USERAUTH_SRP_PROOF, NULL); + + /* Get the server's version. */ + + i = packet_get_char(); + mbuf = NULL; + if (i) + mbuf = packet_get_string(&mlen); + packet_check_eom(); + + /* If the flag is set, we were OK; check the server. */ + + if (i) { + /* + * If we were authenticated, but the server was not, + * there is likely to be a serious problem. + */ + if (mlen != srp->m2len || memcmp(mbuf, srp->m2, mlen) != 0) + packet_disconnect("SRP server authentication failure!"); + + authctxt->server_auth = 1; + xfree(mbuf); + } + + /* + * Done. Free the SRP context, and return to await the server's + * reply packet. + */ + SRP_CTX_free(srp); +} + /* find auth method */ /* diff -burN openssh-3.7.1p2/sshd.0 openssh/sshd.0 --- openssh-3.7.1p2/sshd.0 2003-09-23 02:55:18.000000000 -0700 +++ openssh/sshd.0 2004-02-08 01:42:35.000000000 -0800 @@ -77,6 +77,8 @@ tion) or client host (HostbasedAuthentication) authentication method, conventional password authentication and challenge response based meth- ods. + SRP-based password authentication, conventional password authentication + and challenge response based methods. Command execution and data forwarding diff -burN openssh-3.7.1p2/sshd.8 openssh/sshd.8 --- openssh-3.7.1p2/sshd.8 2003-08-24 18:51:19.000000000 -0700 +++ openssh/sshd.8 2004-02-08 01:42:35.000000000 -0800 @@ -170,6 +170,7 @@ Protocol version 2 provides a public key based user (PubkeyAuthentication) or client host (HostbasedAuthentication) authentication method, +SRP-based password authentication, conventional password authentication and challenge response based methods. .Pp .Ss Command execution and data forwarding diff -burN openssh-3.7.1p2/sshd.c openssh/sshd.c --- openssh-3.7.1p2/sshd.c 2003-09-02 05:51:17.000000000 -0700 +++ openssh/sshd.c 2004-02-08 01:42:35.000000000 -0800 @@ -84,6 +84,7 @@ #include "monitor.h" #include "monitor_wrap.h" #include "monitor_fdpass.h" +#include "srp.h" #ifdef LIBWRAP #include @@ -1009,6 +1010,8 @@ exit(1); } + srp_param_init(); + /* Check certain values for sanity. */ if (options.protocol & SSH_PROTO_1) { if (options.server_key_bits < 512 || diff -burN openssh-3.7.1p2/sshd_config openssh/sshd_config --- openssh-3.7.1p2/sshd_config 2003-09-02 05:51:18.000000000 -0700 +++ openssh/sshd_config 2004-02-08 01:42:35.000000000 -0800 @@ -50,6 +50,9 @@ # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes +# The default is to use SRP. +#SRPAuthentication yes + # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no diff -burN openssh-3.7.1p2/sshd_config.0 openssh/sshd_config.0 --- openssh-3.7.1p2/sshd_config.0 2003-09-23 02:55:19.000000000 -0700 +++ openssh/sshd_config.0 2004-02-08 01:42:35.000000000 -0800 @@ -324,6 +324,11 @@ fault is ``yes''. This option applies to protocol version 1 on- ly. + SRPAuthentication + Specifies whether SRP authentication is allowed. The default is + ``yes''. Note that this option applies to protocol version 2 + only. + ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 768. diff -burN openssh-3.7.1p2/sshd_config.5 openssh/sshd_config.5 --- openssh-3.7.1p2/sshd_config.5 2003-09-02 05:57:05.000000000 -0700 +++ openssh/sshd_config.5 2004-02-08 01:42:35.000000000 -0800 @@ -551,6 +551,11 @@ The default is .Dq yes . This option applies to protocol version 1 only. +.It Cm SRPAuthentication +Specifies whether SRP authentication is allowed. +The default is +.Dq yes . +Note that this option applies to protocol version 2 only. .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 768. diff -burN openssh-3.7.1p2/tconf2embed.c openssh/tconf2embed.c --- openssh-3.7.1p2/tconf2embed.c 1969-12-31 16:00:00.000000000 -0800 +++ openssh/tconf2embed.c 2004-02-08 01:42:35.000000000 -0800 @@ -0,0 +1,244 @@ +/* SRP implementation for OpenSSH by Dr. Tom . */ + +#include "includes.h" + +#include + +#include "xmalloc.h" +#include "log.h" +#include "srp.h" + +#define USAGE() fprintf(stderr, "usage: %s [-f] ...\n", __progname) + +/* argv0 */ +#ifdef HAVE___PROGNAME +extern char *__progname; +#else +char *__progname; +#endif + +int Fastmode; + +int parse_tconf(char *buf, BIGNUM *p, BIGNUM *g); +int is_safe(BIGNUM *p, BIGNUM *g); + +/* + * Read tpasswd.conf files in the format used by libsrp and output the + * entries as an external C module meant to be linked with ssh and sshd. + */ +int +main(int argc, char **argv) +{ + int i, c, n; + char *s, buf[8 * 1024]; + time_t t; + struct passwd *pw; + FILE *infile; + BIGNUM *p, *g; + extern int optind; + + __progname = ssh_get_progname(*argv); + + Fastmode = 0; + while ((c = getopt(argc, argv, "f")) != EOF) { + switch (c) { + case 'f': + Fastmode = 1; + break; + + default: + USAGE(); + exit(1); + } + } + argc -= optind; + argv += optind; + + if (argc < 1) { + USAGE(); + exit(1); + } + + if ((p = BN_new()) == NULL || (g = BN_new()) == NULL) { + fprintf(stderr, "can't allocate BIGNUMs\n"); + exit(1); + } + + /* Get some values for the header. */ + + time(&t); + s = ctime(&t); + s[strlen(s) - 1] = '\0'; + + pw = getpwuid(getuid()); + if (pw == NULL) { + fprintf(stderr, "no such user\n"); + exit(1); + } + + printf("/* This file was created by tconf2embed. Do not edit. */\n"); + printf("/* Converted by %s on %s. */\n\n", pw->pw_name, s); + + printf("#include \"includes.h\"\n"); + printf("#include \n"); + printf("#include \"srp.h\"\n\n"); + + n = 0; + printf("SRP_PARAM SRP_param[] = {\n"); + + if (!Fastmode) + fprintf(stderr, + "%s: checking SRP parameters for safety -- " + "this may take a while\n", + __progname); + + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "-") == 0) + infile = stdin; + else if ((infile = fopen(argv[i], "r")) == NULL) { + fprintf(stderr, "file '%s' not found\n", argv[i]); + exit(1); + } + + while (fgets(buf, sizeof(buf), infile) != NULL) { + buf[strlen(buf) - 1] = '\0'; + if (buf[0] == '#') + printf("\t/*%s */\n", buf + 1); + else { + fprintf(stderr, "."); + if (parse_tconf(buf, p, g)) + n++; + } + } + + fclose(infile); + } + printf("};\n\n"); + printf("int SRP_nparams = %d;\n", n); + + fprintf(stderr, "\n%d groups\n", n); + + return 0; +} + +char Fieldsep[] = { ':', '\0' }; + +/* + * Get the parameters from buf and test them for safety. If they are + * safe, output them and return 1, otherwise return 0. + */ +int +parse_tconf(char *buf, BIGNUM *p, BIGNUM *g) +{ + char *s, *prime, *gen; + static int lineno = 0; + + /* Carve. [i]:p:g */ + + s = buf; + if (strsep(&s, Fieldsep) == NULL) /* index - ignore */ + goto err; + if ((prime = strsep(&s, Fieldsep)) == NULL) /* prime */ + goto err; + if ((gen = strsep(&s, Fieldsep)) == NULL) /* gen */ + goto err; + if (s != NULL) + goto err; + lineno++; + + /* Convert to BIGNUMs. */ + + if (!srp_tfmt2bn(p, prime)) + goto err; + if (!srp_tfmt2bn(g, gen)) + goto err; + + /* Check for safety. */ + + if (!Fastmode) + if (!is_safe(p, g)) { + fprintf(stderr, + "unsafe entry skipped on line %d!\n", lineno); + return 0; + } + + printf("\t{ \"%s\",\n", prime); + printf("\t \"%s\",\n", gen); + printf("\t NULL, NULL },\n"); + + return 1; + +err: + fprintf(stderr, "parse error on line %d\n", lineno); + exit(1); + + return 0; /* mu */ +} + +/* This is the test code from is_safe_group(). */ + +int +is_safe(BIGNUM *p, BIGNUM *g) +{ + int safe; + BIGNUM *q, *r; + BN_CTX *ctx; + BN_ULONG l; + + safe = 0; + + if ((ctx = BN_CTX_new()) == NULL) + goto err; + if ((q = BN_new()) == NULL) + goto err; + if ((r = BN_new()) == NULL) + goto err; + + if (BN_is_prime(p, 50, NULL, ctx, NULL) != 1) + goto unsafe; + if (!BN_rshift1(q, p)) + goto err; + if (BN_is_prime(q, 50, NULL, ctx, NULL) != 1) + goto unsafe; + + if (BN_is_word(g, 2)) { + if (BN_mod_word(p, 24) != 11) + goto unsafe; + } else if (BN_is_word(g, 5)) { + l = BN_mod_word(p, 10); + if (l != 3 && l != 7) + goto unsafe; + } else { + + /* + * Do it the slow way; g is a generator if + * g^((p-1)/f) mod p != 1 + * for all f which are factors of p-1. That's 2 and q, + * so check them. + */ + if (!BN_mod_exp(r, g, q, p, ctx)) + goto err; + if (BN_is_one(r)) + goto unsafe; + if (!BN_set_word(q, 2)) + goto err; + if (!BN_mod_exp(r, g, q, p, ctx)) + goto err; + if (BN_is_one(r)) + goto unsafe; + } + safe = 1; + +unsafe: + BN_free(r); + BN_free(q); + BN_CTX_free(ctx); + + return safe; + +err: + fprintf(stderr, "BIGNUM error\n"); + exit(1); + + return 0; /* mu */ +} diff -burN openssh-3.7.1p2/tpasswd-util.c openssh/tpasswd-util.c --- openssh-3.7.1p2/tpasswd-util.c 1969-12-31 16:00:00.000000000 -0800 +++ openssh/tpasswd-util.c 2004-02-08 01:42:35.000000000 -0800 @@ -0,0 +1,164 @@ +/* SRP implementation for OpenSSH by Dr. Tom . */ + +#include "includes.h" + +#include + +#include "xmalloc.h" +#include "srp.h" + +/* + * These routines convert BIGNUMS to and from the base64 format used + * by the Stanford distribution of libsrp. They were taken from srp-1.7.1 + * and modified a bit. + */ + +static char b64table[] = + "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./"; + +/* + * Convert a libsrp base64 string into a BIGNUM, which must be + * preallocated. Returns 1 for success, 0 for error. + */ +int +srp_tfmt2bn(BIGNUM *dst, const char *src) +{ + char *a; + int i, ret; + + i = strlen(src) + 1; + a = xmalloc(i); + + i = srp_tfmt2bin(a, src); + ret = 1; + if (BN_bin2bn(a, i, dst) == NULL) + ret = 0; + + xfree(a); + return ret; +} + +/* + * Convert a libsrp base64 string into raw byte array representation. + * dst must already be allocated, and must be large enough. Returns the + * length of the converted src. + */ +int +srp_tfmt2bin(char *dst, const char *src) +{ + char *loc; + u_char *a; + int i, j, size; + + while (*src && (*src == ' ' || *src == '\t' || *src == '\n')) + ++src; + size = strlen(src); + if (size == 0) + return size; + + a = xmalloc((size + 1) * sizeof(u_char)); + i = 0; + while (i < size) { + loc = strchr(b64table, src[i]); + if (loc == (char *) 0) + break; + else + a[i] = loc - b64table; + ++i; + } + size = i; + + i = size - 1; + j = size; + for (;;) { + a[j] = a[i]; + if (--i < 0) + break; + a[j] |= (a[i] & 3) << 6; + --j; + a[j] = (u_char) ((a[i] & 0x3c) >> 2); + if (--i < 0) + break; + a[j] |= (a[i] & 0xf) << 4; + --j; + a[j] = (u_char) ((a[i] & 0x30) >> 4); + if (--i < 0) + break; + a[j] |= (a[i] << 2); + + a[--j] = 0; + if (--i < 0) + break; + } + + while (a[j] == 0 && j <= size) + ++j; + + memcpy(dst, a + j, size - j + 1); + xfree(a); + return size - j + 1; +} + +/* + * Convert a BIGNUM into a null-terminated libsrp base64 ASCII string. + * Returns dst, which must be preallocated and big enough. + * This is only used by the utilities srp-keygen and primes2tconf. + */ +char * +srp_bn2tfmt(char *dst, const BIGNUM *src0) +{ + char *olddst = dst; + u_char b0 = 0, b1 = 0, b2 = 0, notleading = 0; + u_char *src; + int c, size, pos; + + size = BN_num_bytes(src0); + src = xmalloc(size); + BN_bn2bin(src0, src); + + pos = size % 3; + + switch (pos) { + case 1: + b2 = src[0]; + break; + case 2: + b1 = src[0]; + b2 = src[1]; + break; + } + + for (;;) { + c = (b0 & 0xfc) >> 2; + if (notleading || c != 0) { + *dst++ = b64table[c]; + notleading = 1; + } + c = ((b0 & 3) << 4) | ((b1 & 0xf0) >> 4); + if (notleading || c != 0) { + *dst++ = b64table[c]; + notleading = 1; + } + c = ((b1 & 0xf) << 2) | ((b2 & 0xc0) >> 6); + if (notleading || c != 0) { + *dst++ = b64table[c]; + notleading = 1; + } + c = b2 & 0x3f; + if (notleading || c != 0) { + *dst++ = b64table[c]; + notleading = 1; + } + if (pos >= size) + break; + else { + b0 = src[pos++]; + b1 = src[pos++]; + b2 = src[pos++]; + } + } + + *dst = '\0'; + xfree(src); + return olddst; +}