From: Rafal Somla Date: March 18 2011 6:46pm Subject: bzr commit into mysql-5.5 branch (rafal.somla:3374) Bug#11766631 List-Archive: http://lists.mysql.com/commits/133351 X-Bug: 11766631 Message-Id: <201103181844.p2IIiwbc013996@acsmt358.oracle.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0175670287==" --===============0175670287== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At D:/source/bzr2/mysql-5.5 based on revid:build@stripped 3374 Rafal Somla 2011-03-18 Bug#11766631 (59780) - Move the client authentication_windows plugin into the server repository This patch adds client windows authentication plugin code to the client library libmysql (only on Windows platform). The plugin is compiled into the library and added to the list of built-in plugins. This way clients should be able to connect to a server which uses windows authentication plugin even as an SQL user which uses such authentication. Note: this makes the client library to depend on Secur32 Windows system library. When building clients, they must be linked against Secur32. Command mysql_config --libs correctly lists Secur32 as a required dependency. added: libmysql/authentication_win/ libmysql/authentication_win/CMakeLists.txt libmysql/authentication_win/common.cc libmysql/authentication_win/common.h libmysql/authentication_win/handshake.cc libmysql/authentication_win/handshake.h libmysql/authentication_win/handshake_client.cc libmysql/authentication_win/log_client.cc libmysql/authentication_win/plugin_client.cc modified: libmysql/CMakeLists.txt sql-common/client.c === modified file 'libmysql/CMakeLists.txt' --- a/libmysql/CMakeLists.txt 2010-11-13 22:16:52 +0000 +++ b/libmysql/CMakeLists.txt 2011-03-18 18:46:24 +0000 @@ -1,4 +1,4 @@ -# Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2006, 2011, Oracle and/or its affiliates. All rights reserved. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -134,6 +134,12 @@ CACHE INTERNAL "Functions exported by cl ) +IF(WIN32) + ADD_SUBDIRECTORY(authentication_win) + SET(WITH_AUTHENTICATION_WIN 1) + ADD_DEFINITIONS(-DAUTHENTICATION_WIN) +ENDIF(WIN32) + SET(CLIENT_SOURCES get_password.c libmysql.c @@ -150,6 +156,10 @@ DTRACE_INSTRUMENT(clientlib) ADD_DEPENDENCIES(clientlib GenError) SET(LIBS clientlib dbug strings vio mysys ${ZLIB_LIBRARY} ${SSL_LIBRARIES} ${LIBDL}) + +IF(WITH_AUTHENTICATION_WIN) + LIST(APPEND LIBS auth_win_client) +ENDIF(WITH_AUTHENTICATION_WIN) # Merge several convenience libraries into one big mysqlclient # and link them together into shared library. === added directory 'libmysql/authentication_win' === added file 'libmysql/authentication_win/CMakeLists.txt' --- a/libmysql/authentication_win/CMakeLists.txt 1970-01-01 00:00:00 +0000 +++ b/libmysql/authentication_win/CMakeLists.txt 2011-03-18 18:46:24 +0000 @@ -0,0 +1,31 @@ +# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + +# +# Configuration for building Windows Authentication Plugin (client-side) +# + +ADD_DEFINITIONS(-DSECURITY_WIN32) +ADD_DEFINITIONS(-DDEBUG_ERRROR_LOG) # no error logging in production builds + +SET(HEADERS common.h handshake.h) +SET(PLUGIN_SOURCES plugin_client.cc handshake_client.cc log_client.cc common.cc handshake.cc) + +ADD_CONVENIENCE_LIBRARY(auth_win_client ${PLUGIN_SOURCES} ${HEADERS}) +TARGET_LINK_LIBRARIES(auth_win_client Secur32) + +# In IDE, group headers in a separate folder. + +SOURCE_GROUP(Headers REGULAR_EXPRESSION ".*h$") === added file 'libmysql/authentication_win/common.cc' --- a/libmysql/authentication_win/common.cc 1970-01-01 00:00:00 +0000 +++ b/libmysql/authentication_win/common.cc 2011-03-18 18:46:24 +0000 @@ -0,0 +1,492 @@ +/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ + +#include "common.h" +#include // for ConvertSidToStringSid() +#include // for GetUserNameEx() + + +template <> void error_log_print(const char *fmt, ...); +template <> void error_log_print(const char *fmt, ...); +template <> void error_log_print(const char *fmt, ...); + + +/** Connection class **************************************************/ + +/** + Create connection out of an active MYSQL_PLUGIN_VIO object. + + @param[in] vio pointer to a @c MYSQL_PLUGIN_VIO object used for + connection - it can not be NULL +*/ + +Connection::Connection(MYSQL_PLUGIN_VIO *vio): m_vio(vio), m_error(0) +{ + DBUG_ASSERT(vio); +} + + +/** + Write data to the connection. + + @param[in] blob data to be written + + @return 0 on success, VIO error code on failure. + + @note In case of error, VIO error code is stored in the connection object + and can be obtained with @c error() method. +*/ + +int Connection::write(const Blob &blob) +{ + m_error= m_vio->write_packet(m_vio, blob.ptr(), blob.len()); + +#ifndef DBUG_OFF + if (m_error) + DBUG_PRINT("error", ("vio write error %d", m_error)); +#endif + + return m_error; +} + + +/** + Read data from connection. + + @return A Blob containing read packet or null Blob in case of error. + + @note In case of error, VIO error code is stored in the connection object + and can be obtained with @c error() method. +*/ + +Blob Connection::read() +{ + unsigned char *ptr; + int len= m_vio->read_packet(m_vio, &ptr); + + if (len < 0) + { + m_error= true; + return Blob(); + } + + return Blob(ptr, len); +} + + +/** Sid class *****************************************************/ + + +/** + Create Sid object corresponding to a given account name. + + @param[in] account_name name of a Windows account + + The account name can be in any form accepted by @c LookupAccountName() + function. + + @note In case of errors created object is invalid and its @c is_valid() + method returns @c false. +*/ + +Sid::Sid(const wchar_t *account_name): m_data(NULL) +#ifndef DBUG_OFF +, m_as_string(NULL) +#endif +{ + DWORD sid_size= 0, domain_size= 0; + bool success; + + // Determine required buffer sizes + + success= LookupAccountNameW(NULL, account_name, NULL, &sid_size, + NULL, &domain_size, &m_type); + + if (!success && GetLastError() != ERROR_INSUFFICIENT_BUFFER) + { +#ifndef DBUG_OFF + Error_message_buf error_buf; + DBUG_PRINT("error", ("Could not determine SID buffer size, " + "LookupAccountName() failed with error %X (%s)", + GetLastError(), get_last_error_message(error_buf))); +#endif + return; + } + + // Query for SID (domain is ignored) + + wchar_t *domain= new wchar_t[domain_size]; + m_data= (TOKEN_USER*) new BYTE[sid_size + sizeof(TOKEN_USER)]; + m_data->User.Sid= (BYTE*)m_data + sizeof(TOKEN_USER); + + success= LookupAccountNameW(NULL, account_name, + m_data->User.Sid, &sid_size, + domain, &domain_size, + &m_type); + + if (!success || !is_valid()) + { +#ifndef DBUG_OFF + Error_message_buf error_buf; + DBUG_PRINT("error", ("Could not determine SID of '%S', " + "LookupAccountName() failed with error %X (%s)", + account_name, GetLastError(), + get_last_error_message(error_buf))); +#endif + goto fail; + } + + goto end; + +fail: + if (m_data) + delete [] m_data; + m_data= NULL; + +end: + if (domain) + delete [] domain; +} + + +/** + Create Sid object corresponding to a given security token. + + @param[in] token security token of a Windows account + + @note In case of errors created object is invalid and its @c is_valid() + method returns @c false. +*/ + +Sid::Sid(HANDLE token): m_data(NULL) +#ifndef DBUG_OFF +, m_as_string(NULL) +#endif +{ + DWORD req_size= 0; + bool success; + + // Determine required buffer size + + success= GetTokenInformation(token, TokenUser, NULL, 0, &req_size); + if (!success && GetLastError() != ERROR_INSUFFICIENT_BUFFER) + { +#ifndef DBUG_OFF + Error_message_buf error_buf; + DBUG_PRINT("error", ("Could not determine SID buffer size, " + "GetTokenInformation() failed with error %X (%s)", + GetLastError(), get_last_error_message(error_buf))); +#endif + return; + } + + m_data= (TOKEN_USER*) new BYTE[req_size]; + success= GetTokenInformation(token, TokenUser, m_data, req_size, &req_size); + + if (!success || !is_valid()) + { + delete [] m_data; + m_data= NULL; +#ifndef DBUG_OFF + if (!success) + { + Error_message_buf error_buf; + DBUG_PRINT("error", ("Could not read SID from security token, " + "GetTokenInformation() failed with error %X (%s)", + GetLastError(), get_last_error_message(error_buf))); + } +#endif + } +} + + +Sid::~Sid() +{ + if (m_data) + delete [] m_data; +#ifndef DBUG_OFF + if (m_as_string) + LocalFree(m_as_string); +#endif +} + +/// Check if Sid object is valid. +bool Sid::is_valid(void) const +{ + return m_data && m_data->User.Sid && IsValidSid(m_data->User.Sid); +} + + +#ifndef DBUG_OFF + +/** + Produces string representation of the SID. + + @return String representation of the SID or NULL in case of errors. + + @note Memory allocated for the string is automatically freed in Sid's + destructor. +*/ + +const char* Sid::as_string() +{ + if (!m_data) + return NULL; + + if (!m_as_string) + { + bool success= ConvertSidToStringSid(m_data->User.Sid, &m_as_string); + + if (!success) + { +#ifndef DBUG_OFF + Error_message_buf error_buf; + DBUG_PRINT("error", ("Could not get textual representation of a SID, " + "ConvertSidToStringSid() failed with error %X (%s)", + GetLastError(), get_last_error_message(error_buf))); +#endif + m_as_string= NULL; + return NULL; + } + } + + return m_as_string; +} + +#endif + + +bool Sid::operator ==(const Sid &other) +{ + if (!is_valid() || !other.is_valid()) + return false; + + return EqualSid(m_data->User.Sid, other.m_data->User.Sid); +} + + +/** Generating User Principal Name *************************/ + +/** + Call Windows API functions to get UPN of the current user and store it + in internal buffer. +*/ + +UPN::UPN(): m_buf(NULL) +{ + wchar_t buf1[MAX_SERVICE_NAME_LENGTH]; + + // First we try to use GetUserNameEx. + + m_len= sizeof(buf1)/sizeof(wchar_t); + + if (!GetUserNameExW(NameUserPrincipal, buf1, (PULONG)&m_len)) + { + if (GetLastError()) + { +#ifndef DBUG_OFF + Error_message_buf error_buf; + DBUG_PRINT("note", ("When determining UPN" + ", GetUserNameEx() failed with error %X (%s)", + GetLastError(), get_last_error_message(error_buf))); +#endif + if (ERROR_MORE_DATA == GetLastError()) + ERROR_LOG(INFO, ("Buffer overrun when determining UPN:" + " need %ul characters but have %ul", + m_len, sizeof(buf1)/sizeof(WCHAR))); + } + + m_len= 0; // m_len == 0 indicates invalid UPN + return; + } + + /* + UPN is stored in buf1 in wide-char format - convert it to utf8 + for sending over network. + */ + + m_buf= wchar_to_utf8(buf1, &m_len); + + if(!m_buf) + ERROR_LOG(ERROR, ("Failed to convert UPN to utf8")); + + // Note: possible error would be indicated by the fact that m_buf is NULL. + return; +} + + +UPN::~UPN() +{ + if (m_buf) + free(m_buf); +} + + +/** + Convert a wide-char string to utf8 representation. + + @param[in] string null-terminated wide-char string to be converted + @param[in,out] len length of the string to be converted or 0; on + return length (in bytes, excluding terminating + null character) of the converted string + + If len is 0 then the length of the string will be computed by this function. + + @return Pointer to a buffer containing utf8 representation or NULL in + case of error. + + @note The returned buffer must be freed with @c free() call. +*/ + +char* wchar_to_utf8(const wchar_t *string, size_t *len) +{ + char *buf= NULL; + size_t str_len= len && *len ? *len : wcslen(string); + + /* + A conversion from utf8 to wchar_t will never take more than 3 bytes per + character, so a buffer of length 3 * str_len schould be sufficient. + We check that assumption with an assertion later. + */ + + size_t buf_len= 3 * str_len; + + buf= (char*)malloc(buf_len + 1); + if (!buf) + { + DBUG_PRINT("error",("Out of memory when converting string '%S' to utf8", + string)); + return NULL; + } + + int res= WideCharToMultiByte(CP_UTF8, // convert to UTF-8 + 0, // conversion flags + string, // input buffer + str_len, // its length + buf, buf_len, // output buffer and its size + NULL, NULL); // default character (not used) + + if (res) + { + buf[res]= '\0'; + if (len) + *len= res; + return buf; + } + + // res is 0 which indicates error + +#ifndef DBUG_OFF + Error_message_buf error_buf; + DBUG_PRINT("error", ("Could not convert string '%S' to utf8" + ", WideCharToMultiByte() failed with error %X (%s)", + string, GetLastError(), + get_last_error_message(error_buf))); +#endif + + // Let's check our assumption about sufficient buffer size + DBUG_ASSERT(ERROR_INSUFFICIENT_BUFFER != GetLastError()); + + return NULL; +} + + +/** + Convert an utf8 string to a wide-char string. + + @param[in] string null-terminated utf8 string to be converted + @param[in,out] len length of the string to be converted or 0; on + return length (in chars) of the converted string + + If len is 0 then the length of the string will be computed by this function. + + @return Pointer to a buffer containing wide-char representation or NULL in + case of error. + + @note The returned buffer must be freed with @c free() call. +*/ + +wchar_t* utf8_to_wchar(const char *string, size_t *len) +{ + size_t buf_len; + + /* + Note: length (in bytes) of an utf8 string is always bigger than the + number of characters in this string. Hence a buffer of size len will + be sufficient. We add 1 for the terminating null character. + */ + + buf_len= len && *len ? *len : strlen(string); + wchar_t *buf= (wchar_t*)malloc((buf_len+1)*sizeof(wchar_t)); + + if (!buf) + { + DBUG_PRINT("error",("Out of memory when converting utf8 string '%s'" + " to wide-char representation", string)); + return NULL; + } + + size_t res; + res= MultiByteToWideChar(CP_UTF8, // convert from UTF-8 + 0, // conversion flags + string, // input buffer + buf_len, // its size + buf, buf_len); // output buffer and its size + if (res) + { + buf[res]= '\0'; + if (len) + *len= res; + return buf; + } + + // error in MultiByteToWideChar() + +#ifndef DBUG_OFF + Error_message_buf error_buf; + DBUG_PRINT("error", ("Could not convert UPN from UTF-8" + ", MultiByteToWideChar() failed with error %X (%s)", + GetLastError(), get_last_error_message(error_buf))); +#endif + + // Let's check our assumption about sufficient buffer size + DBUG_ASSERT(ERROR_INSUFFICIENT_BUFFER != GetLastError()); + + return NULL; +} + + +/** Error handling ****************************************************/ + + +/** + Returns error message corresponding to the last Windows error given + by GetLastError(). + + @note Error message is overwritten by next call to + @c get_last_error_message(). +*/ + +const char* get_last_error_message(Error_message_buf buf) +{ + int error= GetLastError(); + + buf[0]= '\0'; + FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, + NULL, error, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), + (LPTSTR)buf, sizeof(buf), NULL ); + + return buf; +} === added file 'libmysql/authentication_win/common.h' --- a/libmysql/authentication_win/common.h 1970-01-01 00:00:00 +0000 +++ b/libmysql/authentication_win/common.h 2011-03-18 18:46:24 +0000 @@ -0,0 +1,283 @@ +/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ + +#ifndef COMMON_H +#define COMMON_H + +#include +#include +#include // for CtxtHandle +#include // for MYSQL_PLUGIN_VIO + +/// Maximum length of the target service name. +#define MAX_SERVICE_NAME_LENGTH 1024 + + +/** Debugging and error reporting infrastructure ***************************/ + +/* + Note: We use plugin local logging and error reporting mechanisms until + WL#2940 (plugin service: error reporting) is available. +*/ + +#undef INFO +#undef WARNING +#undef ERROR + +struct error_log_level +{ + typedef enum {INFO, WARNING, ERROR} type; +}; + +#undef DBUG_ASSERT +#ifndef DBUG_OFF +#define DBUG_ASSERT(X) assert(X) +#else +#define DBUG_ASSERT(X) do {} while (0) +#endif + +extern "C" int opt_auth_win_client_log; + +/* + Note1: Double level of indirection in definition of DBUG_PRINT allows to + temporary redefine or disable DBUG_PRINT macro and then easily return to + the original definition (in terms of DBUG_PRINT_DO). + + Note2: DBUG_PRINT() can use printf-like format string like this: + + DBUG_PRINT(Keyword, ("format string", args)); + + The implementation should handle it correctly. Currently it is passed + to fprintf() (see debug_msg() function). +*/ + +#ifndef DBUG_OFF +#define DBUG_PRINT_DO(Keyword, Msg) \ + do { \ + if (2 > opt_auth_win_client_log) break; \ + fprintf(stderr, "winauth: %s: ", Keyword); \ + debug_msg Msg; \ + } while (0) +#else +#define DBUG_PRINT_DO(K, M) do {} while (0) +#endif + +#undef DBUG_PRINT +#define DBUG_PRINT(Keyword, Msg) DBUG_PRINT_DO(Keyword, Msg) + +#if defined(DEBUG_ERROR_LOG) && defined(DBUG_OFF) +#define ERROR_LOG(Level, Msg) do {} while (0) +#else +#define ERROR_LOG(Level, Msg) error_log_print< error_log_level::Level > Msg +#endif + +inline +void debug_msg(const char *fmt, ...) +{ + va_list args; + va_start(args, fmt); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + fflush(stderr); + va_end(args); +} + + +void error_log_vprint(error_log_level::type level, + const char *fmt, va_list args); + +template +void error_log_print(const char *fmt, ...) +{ + va_list args; + va_start(args, fmt); + error_log_vprint(Level, fmt, args); + va_end(args); +} + +typedef char Error_message_buf[1024]; +const char* get_last_error_message(Error_message_buf); + + +/** Blob class *************************************************************/ + +typedef unsigned char byte; + +/** + Class representing a region of memory (e.g., a string or binary buffer). + + @note This class does not allocate memory. It merely describes a region + of memory which must be allocated externally (if it is dynamic memory). +*/ + +class Blob +{ + byte *m_ptr; ///< Pointer to the first byte of the memory region. + size_t m_len; ///< Length of the memory region. + +public: + + Blob(): m_ptr(NULL), m_len(0) + {} + + Blob(const byte *ptr, const size_t len) + : m_ptr(const_cast(ptr)), m_len(len) + {} + + Blob(const char *str): m_ptr((byte*)str) + { + m_len= strlen(str); + } + + byte* ptr() const + { + return m_ptr; + } + + size_t len() const + { + return m_len; + } + + byte operator[](unsigned pos) const + { + return pos < len() ? m_ptr[pos] : 0x00; + } + + bool is_null() const + { + return m_ptr == NULL; + } +}; + + +/** Connection class *******************************************************/ + +/** + Convenience wrapper around MYSQL_PLUGIN_VIO object providing basic + read/write operations. +*/ + +class Connection +{ + MYSQL_PLUGIN_VIO *m_vio; ///< Pointer to @c MYSQL_PLUGIN_VIO structure. + + /** + If non-zero, indicates that connection is broken. If this has happened + because of failed operation, stores non-zero error code from that failure. + */ + int m_error; + +public: + + Connection(MYSQL_PLUGIN_VIO *vio); + int write(const Blob&); + Blob read(); + + int error() const + { + return m_error; + } +}; + + +/** Sid class **************************************************************/ + +/** + Class for storing and manipulating Windows security identifiers (SIDs). +*/ + +class Sid +{ + TOKEN_USER *m_data; ///< Pointer to structure holding identifier's data. + SID_NAME_USE m_type; ///< Type of identified entity. + +public: + + Sid(const wchar_t*); + Sid(HANDLE sec_token); + ~Sid(); + + bool is_valid(void) const; + + bool is_group(void) const + { + return m_type == SidTypeGroup + || m_type == SidTypeWellKnownGroup + || m_type == SidTypeAlias; + } + + bool is_user(void) const + { + return m_type == SidTypeUser; + } + + bool operator==(const Sid&); + + operator PSID() const + { + return (PSID)m_data->User.Sid; + } + +#ifndef DBUG_OFF + +private: + char *m_as_string; ///< Cached string representation of the SID. +public: + const char* as_string(); + +#endif +}; + + +/** UPN class **************************************************************/ + +/** + An object of this class obtains and stores User Principal Name of the + account under which current process is running. +*/ + +class UPN +{ + char *m_buf; ///< Pointer to UPN in utf8 representation. + size_t m_len; ///< Length of the name. + +public: + + UPN(); + ~UPN(); + + bool is_valid() const + { + return m_len > 0; + } + + const Blob as_blob() const + { + return m_len ? Blob((byte*)m_buf, m_len) : Blob(); + } + + const char* as_string() const + { + return (const char*)m_buf; + } + +}; + + +char* wchar_to_utf8(const wchar_t*, size_t*); +wchar_t* utf8_to_wchar(const char*, size_t*); + +#endif === added file 'libmysql/authentication_win/handshake.cc' --- a/libmysql/authentication_win/handshake.cc 1970-01-01 00:00:00 +0000 +++ b/libmysql/authentication_win/handshake.cc 2011-03-18 18:46:24 +0000 @@ -0,0 +1,288 @@ +/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ + +#include "handshake.h" + + +/** Handshake class implementation **********************************/ + +/** + Create common part of handshake context. + + @param[in] ssp name of the SSP (Security Service Provider) to + be used for authentication + @param[in] side is this handshake object used for server- or + client-side handshake + + Prepare for handshake using the @c ssp security module. We use + "Negotiate" which picks best available module. Parameter @c side + tells if this is preparing for server or client side authentication + and is used to prepare appropriate credentials. +*/ + +Handshake::Handshake(const char *ssp, side_t side) +: m_atts(0L), m_error(0), m_complete(FALSE), + m_have_credentials(false), m_have_sec_context(false) +#ifndef DBUG_OFF + , m_ssp_info(NULL) +#endif +{ + SECURITY_STATUS ret; + + // Obtain credentials for the authentication handshake. + + ret= AcquireCredentialsHandle(NULL, (SEC_CHAR*)ssp, + side == SERVER ? SECPKG_CRED_INBOUND : SECPKG_CRED_OUTBOUND, + NULL, NULL, NULL, NULL, &m_cred, &m_expire); + + if (ret != SEC_E_OK) + { + DBUG_PRINT("error", ("AcqireCredentialsHandle() failed" + " with error %X", ret)); + ERROR_LOG(ERROR, ("Could not obtain local credentials" + " required for authentication")); + m_error= ret; + } + + m_have_credentials= true; +} + + +Handshake::~Handshake() +{ + if (m_have_credentials) + FreeCredentialsHandle(&m_cred); + if (m_have_sec_context) + DeleteSecurityContext(&m_sctx); + m_output.free(); + +#ifndef DBUG_OFF + if (m_ssp_info) + FreeContextBuffer(m_ssp_info); +#endif +} + + +/** + Read and process data packets from the other end of a connection. + + @param[IN] con a connection to read packets from + + Packets are read and processed until authentication handshake is + complete. It is assumed that the peer will send at least one packet. + Packets are processed with @c process_data() method. If new data is + generated during packet processing, this data is sent to the peer and + another round of packet exchange starts. + + @return 0 on success. + + @note In case of error, appropriate error message is logged. +*/ +int Handshake::packet_processing_loop(Connection &con) +{ + unsigned round= 1; + + do { + // Read packet send by the peer + DBUG_PRINT("info", ("Waiting for packet")); + Blob packet= con.read(); + if (con.error() || packet.is_null()) + { + ERROR_LOG(ERROR, ("Error reading packet in round %d", round)); + return 1; + } + DBUG_PRINT("info", ("Got packet of length %d", packet.len())); + + /* + Process received data, possibly generating new data to be sent. + */ + + Blob new_data= process_data(packet); + + if (error()) + { + ERROR_LOG(ERROR, ("Error processing packet in round %d", round)); + return 1; + } + + /* + If new data has been generated, send it to the peer. Otherwise + handshake must be completed. + */ + + if (!new_data.is_null()) + { + ++round; + DBUG_PRINT("info", ("Round %d started", round)); + + DBUG_PRINT("info", ("Sending packet of length %d", new_data.len())); + int ret= con.write(new_data); + if (ret) + { + ERROR_LOG(ERROR, ("Error writing packet in round %d", round)); + return 1; + } + DBUG_PRINT("info", ("Data sent")); + } + else if (!is_complete()) + { + ERROR_LOG(ERROR, ("No data to send in round %d" + " but handshake is not complete", round)); + return 1; + } + + /* + To protect against malicious clients, break handshake exchange if + too many rounds. + */ + + if (round > MAX_HANDSHAKE_ROUNDS) + { + ERROR_LOG(ERROR, ("Authentication handshake could not be completed" + " after %d rounds", round)); + return 1; + } + + } while(!is_complete()); + + ERROR_LOG(INFO, ("Handshake completed after %d rounds", round)); + return 0; +} + + +#ifndef DBUG_OFF + +/** + Get name of the security package which was used in authentication. + + This method should be called only after handshake was completed. It is + available only in debug builds. + + @return Name of security package or NULL if it can not be obtained. +*/ + +const char* Handshake::ssp_name() +{ + if (!m_ssp_info && m_complete) + { + SecPkgContext_PackageInfo pinfo; + + int ret= QueryContextAttributes(&m_sctx, SECPKG_ATTR_PACKAGE_INFO, &pinfo); + + if (SEC_E_OK == ret) + { + m_ssp_info= pinfo.PackageInfo; + } + else + DBUG_PRINT("error", + ("Could not obtain SSP info from authentication context" + ", QueryContextAttributes() failed with error %X", ret)); + } + + return m_ssp_info ? m_ssp_info->Name : NULL; +} + +#endif + + +/** + Process result of @c {Initialize,Accept}SecurityContext() function. + + @param[in] ret return code from @c {Initialize,Accept}SecurityContext() + function + + This function analyses return value of Windows + @c {Initialize,Accept}SecurityContext() function. A call to + @c CompleteAuthToken() is done if requested. If authentication is complete, + this fact is marked in the internal state of the Handshake object. + If errors are detected the object is moved to error state. + + @return True if error has been detected. +*/ + +bool Handshake::process_result(int ret) +{ + /* + First check for errors and set the m_complete flag if the result + indicates that handshake is complete. + */ + + switch (ret) + { + case SEC_E_OK: + case SEC_I_COMPLETE_NEEDED: + // Handshake completed + m_complete= true; + break; + + case SEC_I_CONTINUE_NEEDED: + case SEC_I_COMPLETE_AND_CONTINUE: + break; + + default: + m_error= ret; + return true; + } + + m_have_sec_context= true; + + /* + If the result indicates a need for this, complete the authentication + token. + */ + + switch (ret) + { + case SEC_I_COMPLETE_NEEDED: + case SEC_I_COMPLETE_AND_CONTINUE: + ret= CompleteAuthToken(&m_sctx, &m_output); + if (ret != 0) + { + DBUG_PRINT("error", ("CompleteAuthToken() failed with error %X", ret)); + m_error= ret; + return true; + } + default: + break; + } + + return false; +} + + +/** Security_buffer class implementation **********************************/ + + +Security_buffer::Security_buffer(const Blob &blob): m_allocated(false) +{ + init(blob.ptr(), blob.len()); +} + + +Security_buffer::Security_buffer(): m_allocated(true) +{ + init(NULL, 0); +} + + +void Security_buffer::free(void) +{ + if (!m_allocated) + return; + if (!ptr()) + return; + FreeContextBuffer(ptr()); + m_allocated= false; +} === added file 'libmysql/authentication_win/handshake.h' --- a/libmysql/authentication_win/handshake.h 1970-01-01 00:00:00 +0000 +++ b/libmysql/authentication_win/handshake.h 2011-03-18 18:46:24 +0000 @@ -0,0 +1,168 @@ +/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ + +#ifndef HANDSHAKE_H +#define HANDSHAKE_H + +#include "common.h" + +/** + Name of the SSP (Security Support Provider) to be used for authentication. + + We use "Negotiate" which will find the most secure SSP which can be used + and redirect to that SSP. +*/ +#define SSP_NAME "Negotiate" + +/** + Maximal number of rounds in authentication handshake. + + Server will interrupt authentication handshake with error if client's + identity can not be determined within this many rounds. +*/ +#define MAX_HANDSHAKE_ROUNDS 50 + + +/// Convenience wrapper around @c SecBufferDesc. + +class Security_buffer: public SecBufferDesc +{ + SecBuffer m_buf; ///< A @c SecBuffer instance. + + void init(byte *ptr, size_t len) + { + ulVersion= 0; + cBuffers= 1; + pBuffers= &m_buf; + + m_buf.BufferType= SECBUFFER_TOKEN; + m_buf.pvBuffer= ptr; + m_buf.cbBuffer= len; + } + + /// If @c false, no deallocation will be done in the destructor. + bool m_allocated; + + public: + + Security_buffer(const Blob&); + Security_buffer(); + + ~Security_buffer() + { + free(); + } + + byte* ptr() const + { + return (byte*)m_buf.pvBuffer; + } + + size_t len() const + { + return m_buf.cbBuffer; + } + + bool is_valid() const + { + return ptr() != NULL; + } + + const Blob as_blob() const + { + return Blob(ptr(), len()); + } + + void free(void); +}; + + +/// Common base for Handshake_{server,client}. + +class Handshake +{ +public: + + typedef enum {CLIENT, SERVER} side_t; + + Handshake(const char *ssp, side_t side); + virtual ~Handshake(); + + int Handshake::packet_processing_loop(Connection &con); + + bool virtual is_complete() const + { + return m_complete; + } + + int error() const + { + return m_error; + } + +protected: + + /// Security context object created during the handshake. + CtxtHandle m_sctx; + + /// Credentials of the principal performing this handshake. + CredHandle m_cred; + + /// Stores expiry date of the created security context. + TimeStamp m_expire; + + /// Stores attributes of the created security context. + ULONG m_atts; + + /// If non-zero, stores error code of the last failed operation. + int m_error; + + /// @c true when handshake is complete. + bool m_complete; + + /// @c true when the principal credentials has been determined. + bool m_have_credentials; + + /// @c true when the security context has been created. + bool m_have_sec_context; + + /// Buffer for data to be send to the other side. + Security_buffer m_output; + + bool process_result(int); + + /** + This method is used inside @c packet_processing_loop to process + data packets received from the other end. + + @param[IN] data data to be processed + + @return A blob with data to be sent to the other end or null blob if + no more data needs to be exchanged. + */ + virtual Blob process_data(const Blob &data)= 0; + +#ifndef DBUG_OFF + +private: + SecPkgInfo *m_ssp_info; +public: + const char* ssp_name(); + +#endif +}; + + +#endif === added file 'libmysql/authentication_win/handshake_client.cc' --- a/libmysql/authentication_win/handshake_client.cc 1970-01-01 00:00:00 +0000 +++ b/libmysql/authentication_win/handshake_client.cc 2011-03-18 18:46:24 +0000 @@ -0,0 +1,285 @@ +/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ + +#include "handshake.h" + +#include // for MYSQL structure + + +/// Client-side context for authentication handshake + +class Handshake_client: public Handshake +{ + /** + Name of the server's service for which we authenticate. + + The service name is sent by server in the initial packet. If no + service name is used, this member is @c NULL. + */ + SEC_WCHAR *m_service_name; + + /// Buffer for storing service name obtained from server. + SEC_WCHAR m_service_name_buf[MAX_SERVICE_NAME_LENGTH]; + +public: + + Handshake_client(const char *target, size_t len); + ~Handshake_client(); + + Blob first_packet(); + Blob process_data(const Blob&); +}; + + +/** + Create authentication handshake context for client. + + @param target name of the target service with which we will authenticate + (can be NULL if not used) + + Some security packages (like Kerberos) require providing explicit name + of the service with which a client wants to authenticate. The server-side + authentication plugin sends this name in the greeting packet + (see @c win_auth_handshake_{server,client}() functions). +*/ + +Handshake_client::Handshake_client(const char *target, size_t len) +: Handshake(SSP_NAME, CLIENT), m_service_name(NULL) +{ + if (!target || 0 == len) + return; + + // Convert received UPN to internal WCHAR representation. + + m_service_name= utf8_to_wchar(target, &len); + + if (m_service_name) + DBUG_PRINT("info", ("Using target service: %S\n", m_service_name)); + else + { + /* + Note: we ignore errors here - m_target will be NULL, the target name + will not be used and system will fall-back to NTLM authentication. But + we leave trace in error log. + */ + ERROR_LOG(WARNING, ("Could not decode UPN sent by the server" + "; target service name will not be used" + " and Kerberos authentication will not work")); + } +} + + +Handshake_client::~Handshake_client() +{ + if (m_service_name) + free(m_service_name); +} + + +/** + Generate first packet to be sent to the server during packet exchange. + + This first packet should contain some data. In case of error a null blob + is returned and @c error() gives non-zero error code. + + @return Data to be sent in the first packet or null blob in case of error. +*/ + +Blob Handshake_client::first_packet() +{ + SECURITY_STATUS ret; + + m_output.free(); + + ret= InitializeSecurityContextW( + &m_cred, + NULL, // partial context + m_service_name, // service name + ASC_REQ_ALLOCATE_MEMORY, // requested attributes + 0, // reserved + SECURITY_NETWORK_DREP, // data representation + NULL, // input data + 0, // reserved + &m_sctx, // context + &m_output, // output data + &m_atts, // attributes + &m_expire); // expire date + + if (process_result(ret)) + { + DBUG_PRINT("error", + ("InitializeSecurityContext() failed with error %X", ret)); + return Blob(); + } + + return m_output.as_blob(); +} + + +/** + Process data sent by server. + + @param[in] data blob with data from server + + This method analyses data sent by server during authentication handshake. + If client should continue packet exchange, this method returns data to + be sent to the server next. If no more data needs to be exchanged, an + empty blob is returned and @c is_complete() is @c true. In case of error + an empty blob is returned and @c error() gives non-zero error code. + + @return Data to be sent to the server next or null blob if no more data + needs to be exchanged or in case of error. +*/ + +Blob Handshake_client::process_data(const Blob &data) +{ + Security_buffer input(data); + SECURITY_STATUS ret; + + m_output.free(); + + ret= InitializeSecurityContextW( + &m_cred, + &m_sctx, // partial context + m_service_name, // service name + ASC_REQ_ALLOCATE_MEMORY, // requested attributes + 0, // reserved + SECURITY_NETWORK_DREP, // data representation + &input, // input data + 0, // reserved + &m_sctx, // context + &m_output, // output data + &m_atts, // attributes + &m_expire); // expire date + + if (process_result(ret)) + { + DBUG_PRINT("error", + ("InitializeSecurityContext() failed with error %X", ret)); + return Blob(); + } + + return m_output.as_blob(); +} + + +/**********************************************************************/ + + +/** + Perform authentication handshake from client side. + + @param[in] vio pointer to @c MYSQL_PLUGIN_VIO instance to be used + for communication with the server + @param[in] mysql pointer to a MySQL connection for which we authenticate + + After reading the initial packet from server, containing its UPN to be + used as service name, client starts packet exchange by sending the first + packet in this exchange. While handshake is not yet completed, client + reads packets sent by the server and process them, possibly generating new + data to be sent to the server. + + This function reports errors. + + @return 0 on success. +*/ + +int win_auth_handshake_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql) +{ + /* + Check if we should enable logging. + */ + { + const char *opt= getenv("AUTHENTICATION_WIN_LOG"); + int opt_val= opt ? atoi(opt) : 0; + if (opt && !opt_val) + { + if (!strncasecmp("on", opt, 2)) opt_val= 1; + if (!strncasecmp("yes", opt, 3)) opt_val= 1; + if (!strncasecmp("true", opt, 4)) opt_val= 1; + if (!strncasecmp("debug", opt, 5)) opt_val= 2; + if (!strncasecmp("dbug", opt, 4)) opt_val= 2; + } + opt_auth_win_client_log= opt_val; + } + + ERROR_LOG(INFO, ("Authentication handshake for account %s", mysql->user)); + + // Create connection object. + + Connection con(vio); + DBUG_ASSERT(!con.error()); + + // Read initial packet from server containing service name. + + int ret; + Blob service_name= con.read(); + + if (con.error() || service_name.is_null()) + { + ERROR_LOG(ERROR, ("Error reading initial packet")); + return CR_ERROR; + } + DBUG_PRINT("info", ("Got initial packet of length %d", service_name.len())); + + // Create authentication handsake context using the given service name. + + Handshake_client hndshk(service_name[0] ? (char *)service_name.ptr() : NULL, + service_name.len()); + if (hndshk.error()) + { + ERROR_LOG(ERROR, ("Could not create authentication handshake context")); + return CR_ERROR; + } + + /* + The following packet exchange always starts with a packet sent by + the client. Send this first packet now. + */ + + { + Blob packet= hndshk.first_packet(); + if (hndshk.error() || packet.is_null()) + { + ERROR_LOG(ERROR, ("Could not generate first packet")); + return CR_ERROR; + } + DBUG_PRINT("info", ("Sending first packet of length %d", packet.len())); + + ret= con.write(packet); + if (ret) + { + ERROR_LOG(ERROR, ("Error writing first packet")); + return CR_ERROR; + } + DBUG_PRINT("info", ("First packet sent")); + } + + DBUG_ASSERT(!hndshk.error()); + + /* + If handshake is not yet complete and client expects a reply, + read and process packets from server until handshake is complete. + */ + if (!hndshk.is_complete()) + { + if (hndshk.packet_processing_loop(con)) + return CR_ERROR; + } + + DBUG_ASSERT(!hndshk.error() && hndshk.is_complete()); + + return CR_OK; +} === added file 'libmysql/authentication_win/log_client.cc' --- a/libmysql/authentication_win/log_client.cc 1970-01-01 00:00:00 +0000 +++ b/libmysql/authentication_win/log_client.cc 2011-03-18 18:46:24 +0000 @@ -0,0 +1,55 @@ +/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ + +#include +#include "common.h" + +/** + This option is set in win_auth_handshake_client() function + in handshake_client.cc. + + Values: + 0 - no logging + 1 - log error/warning/info messages + 2 - also log debug messages + + Note: No error or debug messages are logged in production code + (see logging macros in common.h). +*/ +int opt_auth_win_client_log= 0; + + +// Client-side logging function + +void error_log_vprint(error_log_level::type level, + const char *fmt, va_list args) +{ + if (0 == opt_auth_win_client_log) + return; + + const char *level_string= ""; + + switch (level) + { + case error_log_level::INFO: level_string= "Note"; break; + case error_log_level::WARNING: level_string= "Warning"; break; + case error_log_level::ERROR: level_string= "ERROR"; break; + } + + fprintf(stderr, "Windows Authentication Plugin %s: ", level_string); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + fflush(stderr); +} === added file 'libmysql/authentication_win/plugin_client.cc' --- a/libmysql/authentication_win/plugin_client.cc 1970-01-01 00:00:00 +0000 +++ b/libmysql/authentication_win/plugin_client.cc 2011-03-18 18:46:24 +0000 @@ -0,0 +1,58 @@ +/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ + +#include +#include +#include +#include + +#include "common.h" + +static int win_auth_client_plugin_init(char*, size_t, int, va_list) +{ + return 0; +} + + +static int win_auth_client_plugin_deinit() +{ + return 0; +} + + +int win_auth_handshake_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql); + + +/* + Client plugin declaration. This is added to mysql_client_builtins[] + in sql-common/client.c +*/ + +extern "C" +st_mysql_client_plugin_AUTHENTICATION win_auth_client_plugin= +{ + MYSQL_CLIENT_AUTHENTICATION_PLUGIN, + MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION, + "authentication_windows_client", + "Rafal Somla", + "Windows Authentication Plugin - client side", + {0,1,0}, + "GPL", + NULL, + win_auth_client_plugin_init, + win_auth_client_plugin_deinit, + NULL, // option handling + win_auth_handshake_client +}; === modified file 'sql-common/client.c' --- a/sql-common/client.c 2011-02-11 14:00:09 +0000 +++ b/sql-common/client.c 2011-03-18 18:46:24 +0000 @@ -2314,11 +2314,18 @@ static auth_plugin_t clear_password_clie clear_password_auth_client }; +#ifdef AUTHENTICATION_WIN +extern auth_plugin_t win_auth_client_plugin; +#endif + struct st_mysql_client_plugin *mysql_client_builtins[]= { (struct st_mysql_client_plugin *)&native_password_client_plugin, (struct st_mysql_client_plugin *)&old_password_client_plugin, (struct st_mysql_client_plugin *)&clear_password_client_plugin, +#ifdef AUTHENTICATION_WIN + (struct st_mysql_client_plugin *)&win_auth_client_plugin, +#endif 0 }; --===============0175670287== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/rafal.somla@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: rafal.somla@stripped # target_branch: file:///D:/rafal/winauth/bug59780/mysql-5.5/ # testament_sha1: c493d65f01a4994f36e1e2952dd1a02eaa1e010a # timestamp: 2011-03-18 19:46:33 +0100 # source_branch: D:/rafal/winauth/bug59780/mysql-5.5 # base_revision_id: build@stripped # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWeEh8boAH+j/gHf///t///// /+//7r////9gP/zqrvr62be13213udDaenbR3nVLsOjuyhrWrETZaZJre48Z9vvKfXTud8969t27 67r6+c9NrZW2xsaT7hrlffPeyu3VO21JyZ61rCKvWeVWu5y6rVm3bloZVUPZvPeAPrd6+XrXvblr aBIbMIQWW33bmQ2ZttkSywBtLMoBVejqnBJKCb5RzQiscs5zYyAaNstYwSgiaACNAQZNJlT2Q0Jm k02lNpkhp6hskGJ6mhjUD1NDQD1AlCaaAQiMiYiEeTIypp6R6nih6geo0BoAA0ANA9TQNAGmjSjU yjJpDQaDQaAAAAAD09SAaAAAANAAJNJIgIKabRTaT1Eep6aT002lPIj0hjTU9QNGIDxTTQeo0DTR oABEkgQAmhoAk2gBDaQBPSTZRPap4yZKNPU9T1P0ppiepppp+qekGnqCREICATTCU9GCCepiJtTR hQDT1HqeSHpDEPU9QPUBoAA88AIHM9jpi+yfY/9FPQ1r8yVyfXp7CYL8z72TdOHQdsMZX3vm3+zl 2imyZCDKNZOAmEghiZIQGiWAHxIYWqagndoER6w+j8q5Rx7Ka5v5ndNdBVQ7LKiojA5HKzF22suC SQ5YEY5ZFqljFCk10USMSgZSaJgJK1xI7H7lhfHrt1yygtgj+DYsrKknNnx9Pf5bctXE8tjChODC XEA/p3JlYIajh5ZaQuw+umH2xWZ3SuzsyrFd11za96RJVtjFbHKfgdeehSfh95nnWXYrSoEv/FPf Zj9x3zLUL3ILlHZaKVcYaFfI036Kxcyf9vRXDMgiMpN7/+GHU2O53c6bbrObYVWVBvhZhTS5WbrX 38z4pTFuZDTAlI1QfhmPc7uGOCOKMK0yxpmeWHaq9Ahx1MKKrKJVSXE3ebNf/M/ZOhU7D3THLlKF SxEn+5C6+V3RGjCqtwcIaaGhv14kSc4McNFguu/G++wu9eVEpcV5hZUd1c/YuyPPlzEGQR6eLVx8 hV4PIRN05IrgTonQxoIQDUWkcGpHiw5uOUJJQUrHYs2FHF5MyqJSZT0Vadritw2S0rqEHkc6NW81 7Cm3dnksRNkMLs4T7I3VU78DX/Xjzm/R48mYni2xcfT6FTCyjzy9HdWV3aTG6prl9cFuISVmF/Ar Kqku6SEl2Pf40+fzPDI8igKHRR7cs0w4eB131vNtyiHa6MqsDowtrUxg6ECLhDEF5ID1w5cqkJfN b0c5WQnuR6th3NMP5K1bQwsWCVFoMxS2SCGDoxFPn7dh4TSbYYna4J7rIqdv09YaPmfrd8PxpPtM nnhUDkMHb6fhnrJcKHQkTWa0Or2S66MloGUOTODsIfW8tMSKHYkh5Ek3Z6HtIdL2uIKt/lZJSY84 p6nt87soHlrWJ+EIzsqsqePRh15DvuPs0xPN+zxjpYB6X95oxzSwYHe20oaG4IjRMdiId8RkBYRQ EJv8hD392O30OSYWzYY3+qAqg6A+KDngKnrgmUd0xiIFHrNmTgkk6DAKyTuSTtMoZPmfUZ4aL1Si kiwiLgQaYEGJB2B8By5YXBgqu3d/b8frN+rdkBhA64yKZ3NyWQbEgRTSs+cCezGv8ICB1QZHVFyW RYJFggcAIjQsfMsCl110WWhwjb46V3QkvWClxdXa0WGiGALi0jjcBHtfVSAxfF0bcjC6scBOmZiM 51vhx6ec0c3l4qE5IDlAdWBkTU9sIswJaQhVxOI4/9PsflRx8h4cCdK3RDtBIo1Y39CS7x/KoTpT Gl9JPApqOHPgWGaA0tFzE3HCuCMAjggf1Aa0F70WKZhrfYRI3oHrd5h+mPmYPeqZUU4wI6eyPawK j3cGvk/AZYbiDLe0XC91Jo3DdyW48pJJQPlzJyGFWqBl1Vu0/HW+ceG/bzpmQfeYA96k78IEgeLq 0PK1/dnKuyAZONSqCNiQ/wmErDA3cvrlNGbxLwx0eC2e4GRWUDDUA38mJk88lgPujDCnUkyB3Rk5 L6Sl8NMdVY0exmPoqrTXAE2KD9bW6FR7Hjq+5ptgnRv39q/na9cMLE1nPAYng5lhg3UkG6p5xEDr YYAL4IHkAokbYRQFgnlFYzCdOTUQIJ3G69iMKcYGUrbLdETJKSoqX9jx4YEx37+OR8vLjwkdjZFH a9yTtHtCC2zvpXKdxyqRO5BQ4rWTl0D5wIv5p6VEoB7FAGUAVEl9YCNdflNJc99k1Kxv06X3nzz2 nfEinUz166zKgKoe5mhGoDWbaLyVr58ORiV6AEwHiXCJ993JZc3kKtMLCytL79qofj8mz6fTV9Mq N5sjIPrre6qKMZdHGXfRhqMEHR2AZ94Fij0JYreMZNhp/HICY1nag4rv8G7o9hGGm13OqnYo+zCr pac5qLPUGnPJR7sByXzvSDB5SvQnzOAoAPInkelLKvzpM0XjcKGI6mk4ixdvnXr06uLypWeVz7GR OSdYSrSOLfaBjSBG8XUxNnnlTpKMr81QGbKHkP0PjbtNIqT9dX7gJnT0Q2lNp9nDYc7oLO+So0p4 wyB88vOuSJe26J2eq0ZblmjXxrZk22oY5DTIJMMssSWXKEC4EXlqgTZVRSp0iALew9Bed6lqfZ+w MTj48eS7rdY72ko08Vfl212W0L0+u01hormcsbSVRjQW2U1q0cJwTTrVdgLwJzzgzwL9PySyRfFP KvGZwyKMZYUPQbCisfENnW1jjF0Tz+W2cIE69HRxRR2FS/24OyfMqVOr8L+ECMIFkQUdAoom7MIc klOWxiUL5/olPiG6sOtp+/4x31iKcn7tFUNlfHrpS2vJwG29S5Z8F3mDyfNdYNY9nAQZIzbFs9yc RpKDMLeoxPE3rb30u0hJy8DGKQFGGHMDeKzBeRl/tlZi3FSN4aF1StGTd8+a86PnNz5PHeMZvRUB 7IzJjQEwXzdGiZsSpRVk6XbJC8kEnaPURVhnjfTGMmnOwz2nAFtQGWDALE6FoC9TiEdc6qIOqSZL y2HxZo1anggl27d0kefcsdFAhTGmZWWa0N0GNt0ZSzSypDcfhmgXIxNW/FWsWispc9JYDgtOB1z8 FZePwrOFrOTa37XF0rC/gWrxoy+3tO0Tr2cHGTLRxqiuqdy9qppe5nnzoQjSbfwcUutGlzkB+xM6 /Jkgz6d+3urANpJbdM+FX4gTfopV5IqBBvZXdWLDze/KlS9jdJMPJWAssq+Pk8y5vd05PJZYVlFE G2BGO650TsKbwtezLTwU4pbwRmIV8OSXKqvCUT2ASmwDsOooLG3gM+I75EaGrtyVFGpQejVD53XX peqAJNm1BwJMDTaPQdpmT56nGrAzN2wHrsNU7lSvEcntwxKx5uzn0jafSU1MEs6L0nRE3Uut3zVu xSlNyalOqaIZvklOUxg7Jeh4Cjs93kgLGbMd3HJfpyuQXRkFTM0sUmksisU4EiBLRJHAcjuZyMsZ WVSFKGSYdhVDYCcMFKddtpeNkt2Xzk0OHS5eii6cilg7gkHcYDJRcqW3l2BgXM2uewlxFBhlqA8a VpWB3U3POglDxgJtBldSzeIGAEfeAvUGI6d0cW5gxlEZekzyp5lWksd2mOPBD/DcRZaZ7dPHI+ID Lab+HSUti2Qi7nJ6wnnrXKjj66HyiphWyj2M7a3SmLEm3FxwG2iykXYiGGA5UC1b2nbAldIbuLlF s48CiidGjQpfhTXtWF7K6MAJiU3sW0fVUClOltWwixAFDu1oDoSO9S4NWa/VoP5Hhu6Tl5MdJyr0 m02yGKCw6VrijjR0KOVA0BttDVxuWILag3BtzSrrZiYW+fOIJ/JVzXutq3fqm21I7NKvqoMoSdmw wtGVSqydhnaCvNiPpnhS7wUfhr1yykxKXSBxbMZkL6j4WqFF6sQhMVIYT6hTxm2gNFMfLbdc0817 kTRWJFCzlez3i8u+8TssDKReUbfY+Xy93NORwFcGSSS2z4z9qm24cYsDtBGMX6PRnk6gWzwlLi8s AM0vXUSVc6xjeTVEdmFJhtgDZFIIykybyzq3e7O65Kvsm4LJlyodVGQM49xOa2zOxTVDrSpPIEsb +voeFIg7V5qGhln6WBkoDql7s3HC8qWkerVc4ugTOd1WxZOf0Yvr5abvQzPsDyrUObLNA+L26tdj m8GrXwO5RBEAR5eJM3bnfDMfcouzLSzqGNmi/ygOndXgXoRS2wC6+mMVFtU9227bOLmmfQYVo/To 3Tb0lmWnzov5a93YUw0WJgDnjlNqzPY97ZSDr4RmiH+IkBwoXfQDEvICuXOPOA7jsTA1CoghJtNb RZ1ndjG4VOuKfqEhBhEd5ojhjuLk47t96UzqUf26u/T73n1Qh8Bt+lKJeiXxfh+Jqaaa/q4L1TSr Xu/02AMpPEQpZ8i3ryGfHeLc/2VXWKJ3vj304iZU4lSa33LJIHGgM3rt9f0rzvjhyszURIHyIKPB hVjSS7wB7fLj8PqcfahxOJfxsJjI+rmQpkqiwVNCkgglIDRLAUSAlfiIHyPTwoEh6+56IyEeAFD7 pBIeL60oH4kR2pRPPSlowr+MW76zmsFbzzNnEz+B6D/Mvf1MOmPtgB/9gv98R/uJ7SD/qMlaglFS AZaNm7veXZ/pMMdxBjWLkJ0HkDJNsi/cr1tVSFEt0kZCOM6tD35i8T7nE1vT0cbF5i7WXMdg0YJR RCV7uvK70dWyHi5qRYLM5rbgwwNEGtzfuMj4EixaoLAfzRTzuqrjywL7BTA7uJZovabgSy9CCkwp U30EVJMYDHpzK0yd/f4oLUqoH8FHXSpbfgMzdk3pZvOkiF1S+NmluKUCwEKvuUAkYcWqtsqmiHap Lp9FjukaalcCQoeHtGIVpCdiv8e++qzGUh6Cje6t2qSPofX4Kqstd+mjDQRk3ZhFrV7OxkqWnldn nFdb38mTK8Emfe4GON8EoU2520bfQRE7+n8lw+ZHUxEuX2eeve928sX01YaYFuVguM256qGX9RPm 0Crm9SuSTYphsQKqoFAoB3nfaMIYh9814no00FA6bYBxeQypq83mPignDnZUSuwugz8bl1jA7Kop eTMo8gcXTMM8HaJOqD8XK3pWtUDPya7Fonmp9zPh6Fju+O82wJWUvb3bO3Xwr0yS4YXMZi5nFTjW XJ+myq8ec+VlHuggueEhD0qgPbZ2rOmix2bT8rt860pXlVZ6hQZOQzAWnzNZ7L1o9pW8tZXilPK5 Ln2mwfMqH8AKqqqoIKERhHpwPT1NSIaYrDymrwMybmvo5br78QXEIpAuUqgC/CV/Y3r9MGKlUlBY cZZTlg/2kcIJxwW27+u708Ru9nYnaQMIZ1LggidpzoFxlM0oSs5JN214mb3h/GbSsqrNp1kZyoVP xbsusdrt8Pz44ePnjO67f3XEKPghQ2xiamIFBaZqkFF9ChxAXVInJXGzNVgAvSwFGBdvCk2u8vRj kgT7ftPCJgod/WvbQzD8k0b239pXT2OmJJIpYW/HKa5+gmWS1oceZmho0s9fiQCl+ByMcz3Vn0w2 F70Y4013VohMa88ErKTIAy7gjMiMId4oMTxCMRec/WYBXwiNJ8jHj5wJfO9r4+IecLb9ZvPz13L4 vQerjeGGGJ+EQpR+/TQA0utKO7CJs5KYU9Cws1dZNBKQzHuk60UifksviZhXv8kPvFoxm30rFO5s opW7Xq8uIBkKlZCVj4DFQSQhQjehQ6G9eF5Xqvh0PjAzdAXlq5Ue27tGzRpqWeUL7UPX2gZsnlTz 9fT8/b4dwGs8sC4m6JNhXLUYo7uovIR1VJYwbbKna+h+l2dLjjQvzgiflh0rMmZkYKOgKPR/nv/H kEPs/3fbPev6cETzxT8qCHWv5Q+FrIxhAyRSxZlKKFs/KH8X5P8uH5D+/l6Q6j9v3fj+N+bD8f2/ po2ZYmCfuIlBGR/yjvgbxCKcO1UDt95AHH7PKiHeHOabucm7l5V3d0uEOlU99UR4lP2JAiJ8Ctu2 7AexEX2U1o/X+G2BJUyGHwRPLNN1dtkADM6PaXl9DSA8xiF8wzgXmklCWooQXjpidJqJWg+WUqXD OsvJIuL3jqQ2BZahUaXH/o0pBMyWPoF56NhSM1o4gmf5J7SwoqoclxdvooN+5JDJQYNLl89Xypfy xJSFbohCVTs4HmOf6me53IL0tsAJNJvpWih0H3Y5UXAyMBC26m3nz5RnYytpdXwrxwAqfG1ZDPOg lZqSaLFh58mM2BEvLxkhzv2R4k8xolSBBNyFr+VcQTIgnMv8KmNksMIcxDfgbSnFHLS6JriFhoXC vVsrHAqJTKgqpVqmQtxg2KxRpoGAlrKbUGAhX4UoQxC2VKXtcQTrA6EjBLIglC2xIdJgiQMQlnOZ JLdgtju8JVxbxWS79zCJtQc0b0GLHeV0WOZ2mImxW6Ng8hC63KWJuGlJW2BZULIStqI+uGOhJ1Nb D1LPdEWRB00cG+xkkqnh0pKjbwbFbfVwUGvMSFLg4DLNqSBoN/EiSJIjEqfKOXGwrsr0k8WkoIWn bbON4NJeDV7zKF65VzMNl6yvGCW4sZmYKS3ShyOhU42LmdgSamDssTHJnoFNFCsuIn1nQdGfAlWq Ay4YFczqsSswfAhRK4QTKYmKlFhkmMQqMzlmZt/itMtlZgXl9TCoF5xtxwkKlhlrP+j3XdBhXKcN AgjC04W3RyNCUtEUdIjmUY/EITV5q7uJO24QuRvgvqyShJOZhyInrOZf3muaX4O3YkXOqZ6ffG5z rG50MkynlyQSRRzIMKczdfOUEE/SPT4dmKonWc8k4Iw9MEm7f1yognmKa83fkkVyL1H6hsdTBkkb Gu1Rzjf0Y7uChwOmu6aCaSssJFZG6g3CCYG+REE0SyLFxqbWayIEVxvk7oV+6eIglHMZJFOCogki UhTRBQ4OzfqXEEwbl+9AwxQscpDP3RBkiWu0yOqybrCZIN2CwcUYtnL6xSAvt4k5RBNEciJKmE/P ZrCOBFpyJdkeljAzitCIzj2cNUjHcsU0movmkSEE6wnFpozXXaixPFSkdqqu/2dCgp1tm2VkcyBJ LaHKCLBFYd+oL9vaduXkgO/aXYwsTcYyRSkFSXZ1URNLXe8B2tKG1s613SFKvvrOmkyCtKtRCgis XTIKdQlfc5UtH5NzY1cyA7vCA17IbOR/JG577VpH35jfYq2xu998PdJ/AxFRhcw9Tva1s1/FaL7a dVxrTuoY/OMyTa+090mEyF8B13KuZ9Er3tL1jOkECNDujOpq3ytZvISlrYzabI2OWQMNljEcT142 wLVNptinKcbSiFSdRuTZy83ZLKIS225umyk4YoslyoqvMYfo2I9UkadpTVKUqPi9qbU7k+kC41wP 4QLwO78SDogH4NRCQ0K3DW8w6F07Sv2f8aLt2Mjr5kG2M1LKdJDipnE4lmMTmhSTphS5O7KuJY69 d9zaynDlnO9fV2yFUYsVj1gCVhwkMHI2g5vNycZQxDbSXh/3erz+j0exDrjignr2NCb+VRr64oSL +H7wIv77A3UB8/7/DfCfEY+bN9oY+0p7QkBHOwjARApQPhcgAqWx+tBLgGj9Rgg+X/EFF606ZWga t21R9K+hE2PQxHIhQpPJIcxAJIhJ/L+QE4bP5OwN21DpIAvPrLRdDE6mCP5jbuPB/hJcfZyV9GX2 JmPKcQmvseSzwsB4A6aBTH66GJJAGC3kEim4BpLwGSdSH0tHCGaOYjul0P0gYkPjsOMEgMQuY7dO 4kKys6zt9neEnYztPwrSyjFrVRtYa8SL7e5gsAqYn1MkTL2GAy4LsHGmqy+EhW6PD0DbnocDjOYc zQDMqAOlqOXI4Nz00jV8+stT2wNIhisjANHiWZAYgZbOjkkdfFDgodXFttnzMzuqPNF2xsWsRLH5 sM4F+EJJiETuLVlCUJYjUKajT5u5WK11LejxANu5b1Ul9QdAI3A9CNduqiPBCNiCAlYAbgGBbbqn TEAg9sw7GIJE0e4VpVwAcs1zovQ421EgC4IumJ8vz/uP6PAqFQ8jHVntDNwBWTkDWgj88yIhveBf fScM3/8PzP0MG5JgljeL9PgshHmXaEAbEvMwuZ04hxB2+TVJ6QPeHPHhom14cRqTa68A1KsgbV+c zzaFtEttWwWzCyRksgJAxFkjUHmZ6W1JED3uo6w3vQXj5Tlhz+WhgdLrN2LiHm3H82JDHjsv54gZ 4oejszedDnOZzhDVuCq9IGAgWR1ZlgRQxrGCS1IXgAYh23KEAcjqjiMze1oODXaaTUSA4Dkeom4k KpZg0R0ELuQPiEPF4DvbArCyoWceRMvjVOpRJqeADNoHAQ1vEe6GBqMgGGgLSGTCgEioHeAmqJaQ GHzH+cEj+xlJP65AMcQLyBjGYoaRCVP0Ncdy+IMYOQVbCr8fRj6Yj4Apes5USAkDgPSPNi3kbB1F IXYgRQ7i6FsbFyD1AeEp878QGnapxFwdvOVfMC3hwnvaCDv9jIhhEDYCv+jogGKdFYDRkn7bg/IR Q650QFxEOIp7a1EaApCUVDhCJEE6gOBsVgKnPUYdRrOFrsyUgMBUUo56UUxObAC8DJBL4AUBEmLo SqAa1v6/DZBYfa/IDlmbn/qe5JUcCmw3muBkPSKlPAZDBMkKN74CsAg8pAxw2YmNl+w9sxiOxDUg ciw5YK3TFdoRukO9ovH731sYyF7ecNmwYjmNdrA+GzcWH8VPhsi8qnB4qQFi176YG/lufuAQQmIX OCkjIXlk5sDOyu5RSC8sMqjuYjqAgasIxAatKaCIA558Q7s8fc8mIajOBoAgwSrZwOqJIMhtgh4v GdDyv1vMGAX3hoAdpHxpQcytKAbwOF4g5cW3xpZN0Ht7ZRvL3OOQHK3gc43oU0ZxOWx8J7AOHSD7 tnXiwYr00fgjuvLz8lOx7xgXjmBMhQFM8xxGotwjmlp3MCpIvlRyd/GnEBnA2gwPYAeTrUixA0fj PoPxxxqHfxsJRqsOqPkStTw8CGCiVeJ4VipFek9F5+igo8ZadcQpxKUUOXmPWHaN3F7hWD8R7iKD vVluH8ZfFQpVEq530qoWLV6CzjHvM4pTfdMTSpeoHLoMTS4GZzdufC9NBVKZEHGdYhuF0JxhyoXB 1gVQFAQp+mE2LuO7JfrttsntWD7sUOO5GGfYCw3BNIgz+hgIgPA++YSc5BDo4Z0sBk3gQcaaP0AW KFsp473XEoKqrQpadsh0htDUgYCSDLOJwCqiMDOmKFn4rqE0YpQXrgl1LeEEuEw/A00NrcIN0B0O IHexB68oMRYDwQqsY7NflWyUre+sgIESLSqLA0gMxLkGXuhCiMURGIsYyCc/j1oJP5j8X4TffnJD 8pip6oEjuFhOdPhnOg03IF6IJ+ZAq1H69WeYzqpMQD+uffMr18Wk7dkPIRAYRMEQ7D3ChzcovAlB kUvQch4DrPKZlH2Zgd0OV/eRGEUvEmQ6Go1HJM+hoXUAxlGMBiPAr9O0DvAxaFZgl6hpBevt4moB ZnlPzFPCbRdVFaVem3Q5KNlyvysL9+YDtwMY4HK/UnFWq+gMgcULz503O2BBh6BIiqiohAZEr4i7 dHOkilSjUQuMKQLRR+VwjEiQAWMGQSKKiMYKkMda9ygXRrDClTuiA8aB3TpyAKwkaApBzqWH8wQn HnagwMK3JjWWlhYqFnCCN0H0njBwQbUHRBCc25Q14DRa/5ACymrca0cZRIeQU+JptsQjHCB3hiBq MVTbaimXzHW0DDcRMynFhwgXpxHhw0l32GIhjCUiKDsHIDWaFttwChexBh3h6x8+bYckJt5RpLCN Avu3VUDiQ2QDvPcOd/NZEe8y6O/MepQVPh9R9pfe31WLyx7C89Z7/vcDvPhKn56G1cCx1G0sMosR ED76p7FRDAzmWMA3JtOs8xk/ac0DAA7Ms9JFEuQ7g/yKe7BKD7GCbJkcDtwC68jIXp95J+v1hPkN 6B1T5fkv7rDbaJYCKn262p1NYvBhoRQjBEPJPQw7pqGkh3SQ9igHKBH8KDxX835OCH87kGDJ5IJC imqoEZCPJ7hpIVoERqO6BkNpedYmOY652C0Y5nCYiejuMxjDeh0B1RbBveZL+OlX/Eib06bzCMWA simXKchFNhr+58oBQ0kTHPKglQhSyhDkL8ylgA5QtooiwWCF3A53CYUDlP2CYbTigHHBOsfY9llk vksgUXwDv5edh0hhedYNQkjdicpENQgPkURQFQPR0w/r97tNwhjI4qwFVVVdP9hpENuJpT5jCoh0 AB46+aZ5EmMdMIBEYkPc7VPq4Gn8qEmgRkP9i+XCeBmUuDAkiBgRhAA6wDvPAWW5IwkOjnOnjJ89 MQtpBJ84qxyigViIrGJlLEIF60qGJf1llK66KSUeGy5WLkLQ8DMNSmk+cCSVETRcNa0mOjCUBTID DGQzVNtAbQmxoclI7S2G0vxiZmUyKqMFkkr61Cobk3QGYU2ErFEGFktn16VaFKnvzVhOKLprkAj2 HYdePVr3HrOQvtM7bmyCUEEjYuZQS/AgntsbM+lmkaKKJVKm9qgNEDu7pwXoIB2RGhPDO2rWQhFI 6ADHjNho4zVRwnPseoQhUEUWMgjuaKB0Dn3UPA7DqMCdQ1P7gUQGouCtAWAV4UQSdGfWAywI5lkk vOC2AXXt0i6G9rhrJ+/j7hQCANv3yyD6hCof+NKd4+p+ngG+ZSgA8uFj4LcikFAEMmUSdDj0Uqeh vq+A/NScyESaJMDZyTNDeqcQwa1cvVy0SE/PcHtBhmRJKEIJ5AuOMpZUIqBMAMOzoZtIBzM9JZE/ EsJCUQu1DAAqZUKWp9xv2J4QL4A+0VvCNSvF+JhDEwkSFo4OEikmJrdGqxp2QKEzOUes0iYgqQCx OGA1KhhlgWrUUDFfHfeaBfD7SdMhZUV8i40BqhjmxLmNhaW4h0s2ZLsgMqsZsm7cCJliyi4Vka8j fjCFmZCyi32TmBMmJiYDAnLgC8kHFBK7ATAzffjdwOJ55pkRKnJNp7vgIul1qpgoUyOSHZCyZEkJ AmJlAhACWgESHrwmjom/knIepQKxHSTKMCmkRaXdKCQ6JQh0dsUZqs8OkSpPLD1K6rRIYETeYJA6 IaDsXHD4jIVROo8z8hgHhqZob5NZYmgz0M2U83wFGVGerUcWNh0C6Y38eM6i1fMaA80u+7hBkMyc lOjA8kLOA7hbWZF+AVhVhNyVSIqgOgOhIoJaQC+gXC6CMxLzR9sISRez9EoHD3NNhZwOohev1/uH kToyUrfoHGyT85viHixpLNgLQWPLnDGDbEMEOld4TAy3CiCm+ysSQWMgJCSGPhWCFGrEdZTjvUoB d+2QqKTsMGOGnjiqq+gB3mZS4FNJmJGSZwwygnACJrEuJg6vaVjCfFxBQpoc9AEIBxARTJ7jxWfo 1FMWfe+/kHaaQu3oAlgjSBIfUsaHNI3oJ27HX6mIgEg4N859Pf3eBGvgbTbsRfxKiQD5URaBbZit ZCnHSd0YujZ2IYFxiIEWKRixSTFbz95s4hTm+2fjJ+N16ECtZsn8qBedNmhB9pE2nYAGsDIYSHCJ Q1RRBKiVASlIrRykGQN4juBiIRqbMMnFFpEyTf3+oDgYXLA9ahINANCytt7yWZBgVkpmxmInbKb5 fXZZatcujCX0+oG0DLxpyet3JUvuuJo6ukCpBFLqgWLabrIq0ND70k6V/aZb/uuxyRcybDQBxih9 CvnoY/DHsCwjBYYBSH2lRKX7KTUgyePp4c6vjNSH3xDZENsKUe2CSKvHbpefjzhR0VyWtldRIYnz WLuqUeKuyxiRTRS+c4t9kXMgHUPlipSGysnEwXTspmkspqt3WUoJLVRA7iJgjCzBoGQl4DZSgxA7 gWEG2ezsIFId2C5AKfF4s2iBGCSJ1IWvF90pSwvYEOULQJBZx0K+Vurp8ibOdQ6Fki+kWyEny3JI IzGyZ6lxzRhhUDQGrBS4YZAZWMCqEg2kG6TjtsSglAneFqU+QsQ+k7z4T6ToMleQ8BkWcjVeaAA4 jfBD5UWehg4Os+S/YcR6EeY20Km24HUIOKGgvC55z1CbFL1L0JrQIhq92vGRvIf0JGGcUziP0lyB /OA/HFPDz0+yasgvkt6yCjEaVRWlCNq/Z0dgC2gW+q4F4lkGSPGktsh5XkMnRgYMgRFTTEdNC2SL Ox9UymkKvEssIhvKBwMFYsIsBfVTM6SwbrRJEgf3z9sTE1fTWeJYQzWEagjSzcGA/UepxMV8Rg4c t4D0iNjHYbBPYQ3AHDT0gdzFkkjADmopZEIMJQHZzFFrmgYAVALKKQ0gn8Ih2Rj2g1u8hUJPkiAI gSw3kjA0BYEn22QFkFABQRIKpA6623GcgHb3fg/aFxRGSAcEsAxvukJzsGMFBFUgMBTycoHuQJx+ 96Bq3N4GQOu5IDYDtEPV6QDPcI+2Hb7xSh1QHfRTSFZ2gKVKoRsbqQpO8YA9cQ9QAfGAHxo5s/rD MZava7LmikIlEISBAIUlEjX20B2KlqXagdIw6kjzBtDLTkBpIPMQRkkVWxxb0coEgEE8s9xIFEGs oiqJBQVrT4U87JKbBN5SQ+XdQDDf0pB17QxK+k1LNQj1JcwqIYxI50AKSg4iRIEjMPV34GSRLM0M s82jcMHSNNRRo/OwlMukA7UOuna/dKVaEsyLCJAsEN3aF1hHiTlEOLvFzpzTrXIg2M12SMUxmacD ju7C/6/dQSc2MZTUcNmcoOYFqyJEiAIDxBh4CKQDp8EZaRiogGEiXV7ksF22bFkqE2eGqpDA3O6H r9J1rUbDRslH1XZ6KSMKjE+iObjtgoPUFYgOxBAUMuuxyufl9OHjAL10xDeBAYQkVKiAVAakgVFI jF8Y8ngEaOc8UD110MDgewxQWdZv3yTkMFIIIDIxFFgrFFQIkFgxPa9taIMLU9LOf0E9UDMLsobA E9BDAXbBC9cXYvMAUolga4SjjwALHbDkgMgpO1TgPc8eSBrYjAijJ1HpeDieQA9hvN0HXokAuEbe gRvWk9Z9VgqCSAyCpx5UalCYKj+k/OeYS2q++3YYIkrjvoHcRTOjEJjUFWAQzqhFMboi0LtlIuEG lG7ZC63E0AmOBpQQwXz2yEZoMPLDbA4pDepK5McQuToRcHYul1K+yM6jcpzhU0aIi5nbCQ2sDmwX OhVlLqSqawLgW5TchFMw9jAL1IZe09EEDkbDwE3BvwdLDG7FTxcEBZHClgeyM8gc5IKTWcEpB3fq On54hXeT0yVvUDp0RWAb0OaIEkggGi1/h18ScQNYQ3sMwLLTxmEKBNLWgckoaJ370J6jdU5/KsIi xIiCMEQSevPVOowE7BY+iyBQOAFD29jBQ7AEmQmIyAnUQVaJ6EgqdPYNsAVDsKF1+EaifSO6+bjb e15G2SAaIFDCklIlJJ/VUCWAbD2MOqOyJ8vZFBqtT8vbRw6xNzFSgQUZUtS/oP4HbQcWcU0n+qGc 05zDZigU+zZpclkODSJsL/Yaw6poc42G4mhNJ7x3QPnk8HpOw8ZDpSuYdPA6QKME2hIwaLUaCqYe BT4IpThhSFeQRtmFz50U8z6MhLkYDoQhjsSaQcr1NDSLAK1MLFaEM+p8ILsv0aEa/vqO7eM1T+YK ojIevX8IwzGE7YlqU/SMwwwxtTLclQKBrQGAH7e1k2ibZiYWptq5maw1kLk1pw2gxEyapTUoMNqZ oYaYChi0tVMKMA1MPqs2SG2yOwGYGhWoxxhMARBmtJrEvjzbYqcakL+RLTQYMgiDNUFhVVWSoNAL GiEqAsFhKw1AU4HmmTbisEdxpgGNhULIfqUmSQMZELoxNzqHYgfnthEjIyCfBuAHcBwhx4ompIds JmWRBaMFUjUsDGgsspAsLRYE5kSSFRCw0i6Gr0GAUowlCA0oKAFRtnFJFr0cCjGnUmGOCrZDs9yk vMNUCQAkIEEEoCCJoExANPXRcunVMCwOSxqdL1mdqKmOQtzRrGhGppHIR68p+jMWkbMlBrAB5hkh KyEWRKZKNspBjFpZRgyFSgrIooiiQiFhYAwSGEYtkaVYNCoWZaNiIsJjFYBCsU/jOCQuNdVe4kYq Yv+0R4cfqXC0hSHhgdqSH8m9MlzJsm2uWrNVPhSAcfpQ0QqikiZiqJ83Ya7N0yAyGjvAXaqQPoiG cR8CHWp1gWCGvEUHSB9QBxAZkQsYgOk7gDL4PhIQLg2sXCh5AHdtlyBtADMhjq1sUfmvkECMA3pu INRAojxQaigVApg9sW5kgGQEL+CUoUXMWBKRdzoMuGGfkAuPcuuZGLCMcmhUKGLFkIkISEYBo4J6 VDJN3GHccgGl9Mb3VUieqB4PNTUTWBsQx57qVhtsUBAQtxhitkSjRZfggWCBgGBlSRkAgI64t8JA YRBfOeYFsLw9Cc7DzarKw5po5ge+k7YdJORN+QiRW4Kpb5QM6B+uEgvLFPIhiam09nJXFzp5QPwA n9NRiqCZNIJL0yQDOAKhEAUKzinAbafpGD3kP2c1nIOTunkFqHeefGq4WSNrNov5rJ4rCZ0A0p5C kPKflpN6eNA9bfcpEapNRqB5wKAiH9MC4Lzx1C9amqsfDRkuLcFoqEsCNLP12tUo8SfZKPdEKcN0 Gax01B0PomF8TykKLI7ij4dMIHupbceAoeWMm8iYBBFOgizMDNgjLSQO8ryZ45SOg+Hvw7OiuMFQ 0MiQDp7TgEYyDxGJpNaB4j7z7xHSmHwGY0COPQqfwxC0DAvKzwhGdBRSMJKEKcXExgFGMnkKTMpB jGClsqDGQWQGCDBbQrGjYyMspYgLCIjFkiay4YojlkqAoiRcVMzClpXMoLWn0ouoRNGmauFqwyJG KyCmwMKYWNi1WDJsNxAIEQSyBCv4IUC2HwHgBinV/ReLkA94BjAIgdvq1Ae+WMYc2RjE2QqLemYh NaAdUCup3iBVy0xtmRwBPN67O3zVflQ6gfpB5WJMkOJ3jDqGobbUqRlgbgDaLIEY7bBtzGwGRHxf PL1DxE/j5qA1hJ5CksYI0jmY+MJeyMhEeWBA9Ms+IP8MNBrRVuDcSmQpRfgGiixISBLqqLEOjz0D xHEqTUcPCqa/eQxQ4uQxJgtuzPYKI2qgEvF/X4FC4QLF5h32MS4XUpIjggkioQLJSYEDVcmBnhCK GFUI9vUgbLPMoKY5SxlsDm0lAf4wfyHYazIzAYgbTaxsg+eLJGJCKwiiMQjJAGQZCixNUpJ60ktJ iCMBjRFbHJ2AfcQnf2PCSAbzgcLjgx2gUOQ6PegNI+m/7m3hYxtAqLB/AWIvCoRR5ItEXEESQFlF FiZNoKyKB+R4yrgY1yZCnhBLbK7WcCSjmp7O6pP5mAdFEvJrM0yWd2rMVlb4SJBqfgQTfQrW+SuR CBYgVs2gdaBNXXMNJN2SFWFSkqvDJrFoQrFTH872GYm5Mkc923agD5+lhLFVxZyV0Sd5LgctOVEC W1AqWngqWh0g1ghByA+5jZygZyJVBRFDDgkgbCurA5J2LPf1Y6V5bVGjONgIEAtSNmgsBExDLHBK Bz4kiEIHYwCwDnRP+0kGAeFiqFUA/vGg87EZJM9P0zLyfUZlxuPo6mDcawf6shOQEDECIejMjud/ vesuzQ/Vz1Zki0GGPDWUnYpqJAevIdkiQiBFD44+2q7Diinu7M1/bEPkUdSfK55JSngekDCI5rO9 GECSEgCyENrQ3nXtNwHRd23h0cBJRtDHpRSrATrFYkDOiIpFEA2kX9VVfUyKiqM8gqrWYgaBKqDV qun7maQBn84xBml/TEWbf3XfZgWKpM/YRrv1lNzNCLChWal68A22TedPL/UGPWaM2MEIXSayoFFH wfnQoLUTZBVc6RKm55ATGPKMgKBfhhNm22mr2BwHM1GATS5qt2J5GWwMFklICEJUpYzMqPSa0miq Xj3GMAq3ugZEsNml6zZVzcxmuICRl6o9VlVURyU3o6E5gMmRZQ08lik1zWY7HRBgNORebyhvuBzN Q3U1vFcRiUbthUcGZxjLOabdDcS2GPLspzSaakvYSRLDo7oQh91khximQLjYVBtDKw0DQYjSGokK kiEyiJpfnagqy1AGTtpxgLADKAFLI0qQKGGBGCLXgmkWSGiBpGCUFwJcBkqBYD2N8CJOLZk0Ofk5 eBeJkrqN7p+AvAoO1uWg4lhHYlLYjXgAzbTqgZNsXTBdA0joQdCJLjD0mzbWC+IeJ4uPIQQE2ETx 03yyq5aYk2UOQR5i3yF0Qa0Eq+veXFyBoNauTdxmGTNtFFFIXKuAJzShvELu9DiTVBClilyjgqh7 8VDZERsqu8D6rYRR2IUBoEdGGlN5eDeDc3tIhdB7SzV5oycMycNu83gim1KzwKSjaEo3fJrRKiqa YURYCLBIoxCI7FU5jUBDPJBWoh0D14ewubp0k4t3OB7cjSQsodkkdl2pFxR/3m1HCSSAQNEAOpYp mioRi4kAufRroC7QXzREOQ441VdyEs4XaGisQtVkbnYn7CBcdkzhmQU6wGUvuh/SZjiIugCKPAOp hunZRLzB6gDYbg/bYu+gBghxgHeTeUQfAoeaq0UD97/Fu0OCgn3hAkUhBiGYKSoFyIxfJC8e1fad IHi2bkXabRb9W+DD508t4XBjvxRoQP5UcUEIurJ3ugA0w9SNeFqHYHRzIZ0mwJECyCkO3DQ8UUev 9FGYhtTo6AOAGYCiekhYT7RGUQuAhFcQc7HQ+RioxiQgJgjz4l6FzliBewS47j92FQDKaoB4BqQ1 YHsQJgogcoZJpDGEvEDUiIqSUACQg93Hq+BtxAwosAC9edSmMsN7qEfLiufxFBj0APz0pzGZoc5o KqB8sD34oMjefRSlAbqK/JNe/wt6iW+BK2QNkA2v2HZCwvQH2nunzmInx7ZnikV6w/AIUoRUaBGQ RhJz4byMi3zU2LhReCFxPoNmMhxdaAO0CkKqixURJRMKOIg87+3ynSIWA3EPdgPc5xHvfh7OB8h6 vuLAeXOv1wIkDjQ5TjNaJ7hyp7pFjHmT7hGsdCAHSk7Kw9h1H4CO5UPiU9Hui2YIxsVT/7gT0FJ/ ogh/8M2Am8pP3hJJcKwVpONsQ+T9Vu8fNr6l4wGejZRV//F3JFOFCQ4SHxug --===============0175670287==--