- update to NSS 3.30.2

New Functionality
  * In the PKCS#11 root CA module (nssckbi), CAs with positive trust
    are marked with a new boolean attribute, CKA_NSS_MOZILLA_CA_POLICY,
    set to true. Applications that need to distinguish them from other
    other root CAs, may use the exported function PK11_HasAttributeSet.
  * Support for callback functions that can be used to monitor SSL/TLS
    alerts that are sent or received.
  New Functions
  * CERT_CompareAVA - performs a comparison of two CERTAVA structures,
    and returns a SECComparison result.
  * PK11_HasAttributeSet - allows to check if a PKCS#11 object in a
    given slot has a specific boolean attribute set.
  * SSL_AlertReceivedCallback - register a callback function, that will
    be called whenever an SSL/TLS alert is received
  * SSL_AlertSentCallback - register a callback function, that will be
    called whenever an SSL/TLS alert is sent
  * SSL_SetSessionTicketKeyPair - configures an asymmetric key pair,
    for use in wrapping session ticket keys, used by the server. This
    function currently only accepts an RSA public/private key pair.
  New Macros
  * PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256
    cipher family identifiers corresponding to the PKCS#5 v2.1 AES
    based encryption schemes used in the PKCS#12 support in NSS
  * CKA_NSS_MOZILLA_CA_POLICY - identifier for a boolean PKCS#11
    attribute, that should be set to true, if a CA is present because
    of it's acceptance according to the Mozilla CA Policy
  Notable Changes
  * The TLS server code has been enhanced to support session tickets
    when no RSA certificate (e.g. only an ECDSA certificate) is configured.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=241
This commit is contained in:
Wolfgang Rosenauer 2017-04-26 21:50:12 +00:00 committed by Git OBS Bridge
parent 607f63b358
commit 8a54093a7b
5 changed files with 94 additions and 114 deletions

View File

@ -1,3 +1,55 @@
-------------------------------------------------------------------
Wed Apr 26 21:30:30 UTC 2017 - wr@rosenauer.org
- update to NSS 3.30.2
New Functionality
* In the PKCS#11 root CA module (nssckbi), CAs with positive trust
are marked with a new boolean attribute, CKA_NSS_MOZILLA_CA_POLICY,
set to true. Applications that need to distinguish them from other
other root CAs, may use the exported function PK11_HasAttributeSet.
* Support for callback functions that can be used to monitor SSL/TLS
alerts that are sent or received.
New Functions
* CERT_CompareAVA - performs a comparison of two CERTAVA structures,
and returns a SECComparison result.
* PK11_HasAttributeSet - allows to check if a PKCS#11 object in a
given slot has a specific boolean attribute set.
* SSL_AlertReceivedCallback - register a callback function, that will
be called whenever an SSL/TLS alert is received
* SSL_AlertSentCallback - register a callback function, that will be
called whenever an SSL/TLS alert is sent
* SSL_SetSessionTicketKeyPair - configures an asymmetric key pair,
for use in wrapping session ticket keys, used by the server. This
function currently only accepts an RSA public/private key pair.
New Macros
* PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256
cipher family identifiers corresponding to the PKCS#5 v2.1 AES
based encryption schemes used in the PKCS#12 support in NSS
* CKA_NSS_MOZILLA_CA_POLICY - identifier for a boolean PKCS#11
attribute, that should be set to true, if a CA is present because
of it's acceptance according to the Mozilla CA Policy
Notable Changes
* The TLS server code has been enhanced to support session tickets
when no RSA certificate (e.g. only an ECDSA certificate) is configured.
* RSA-PSS signatures produced by key pairs with a modulus bit length
that is not a multiple of 8 are now supported.
* The pk12util tool now supports importing and exporting data encrypted
in the AES based schemes defined in PKCS#5 v2.1.
Root CA updates
* The following CA certificates were Removed
- O = Japanese Government, OU = ApplicationCA
- CN = WellsSecure Public Root Certificate Authority
- CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- CN = Microsec e-Szigno Root
* The following CA certificates were Added
- CN = D-TRUST Root CA 3 2013
- CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
* The version number of the updated root CA list has been set to 2.14
(bmo#1350859)
* Domain name constraints for one of the new CAs have been added to the
NSS code (bmo#1349705)
- removed obsolete nss-bmo1320695.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Apr 12 21:21:38 UTC 2017 - wr@rosenauer.org Wed Apr 12 21:21:38 UTC 2017 - wr@rosenauer.org

View File

@ -21,11 +21,11 @@
Name: mozilla-nss Name: mozilla-nss
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: mozilla-nspr-devel >= 4.13.1 BuildRequires: mozilla-nspr-devel >= 4.14
BuildRequires: pkg-config BuildRequires: pkg-config
BuildRequires: sqlite-devel BuildRequires: sqlite-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
Version: 3.29.5 Version: 3.30.2
Release: 0 Release: 0
# bug437293 # bug437293
%ifarch ppc64 %ifarch ppc64
@ -36,8 +36,8 @@ Summary: Network Security Services
License: MPL-2.0 License: MPL-2.0
Group: System/Libraries Group: System/Libraries
Url: http://www.mozilla.org/projects/security/pki/nss/ Url: http://www.mozilla.org/projects/security/pki/nss/
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_5_RTM/src/nss-%{version}.tar.gz Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_2_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.29.5/nss ; cd nss-3.29.5/nss ; hg up NSS_3_29_5_RTM # hg clone https://hg.mozilla.org/projects/nss nss-3.30.2/nss ; cd nss-3.30.2/nss ; hg up NSS_3_30_2_RTM
#Source: nss-%{version}.tar.gz #Source: nss-%{version}.tar.gz
Source1: nss.pc.in Source1: nss.pc.in
Source3: nss-config.in Source3: nss-config.in
@ -57,7 +57,6 @@ Patch5: malloc.patch
Patch6: nss-disable-ocsp-test.patch Patch6: nss-disable-ocsp-test.patch
Patch7: nss-sqlitename.patch Patch7: nss-sqlitename.patch
Patch8: nss-fix-hash.patch Patch8: nss-fix-hash.patch
Patch9: nss-bmo1320695.patch
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
PreReq: mozilla-nspr >= %nspr_ver PreReq: mozilla-nspr >= %nspr_ver
PreReq: libfreebl3 >= %{nss_softokn_fips_version} PreReq: libfreebl3 >= %{nss_softokn_fips_version}
@ -86,10 +85,10 @@ certificates, and other security standards.
%package devel %package devel
Summary: Network (Netscape) Security Services development files Summary: Network (Netscape) Security Services development files
Group: Development/Libraries/Other Group: Development/Libraries/C and C++
Requires: libfreebl3 Requires: libfreebl3
Requires: libsoftokn3 Requires: libsoftokn3
Requires: mozilla-nspr-devel >= 4.13.1 Requires: mozilla-nspr-devel >= 4.14
Requires: mozilla-nss = %{version}-%{release} Requires: mozilla-nss = %{version}-%{release}
# bug437293 # bug437293
%ifarch ppc64 %ifarch ppc64
@ -179,7 +178,6 @@ cd nss
%patch6 -p1 %patch6 -p1
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1
# additional CA certificates # additional CA certificates
#cd security/nss/lib/ckfw/builtins #cd security/nss/lib/ckfw/builtins
#cat %{SOURCE2} >> certdata.txt #cat %{SOURCE2} >> certdata.txt
@ -196,7 +194,7 @@ export FREEBL_NO_DEPEND=1
export FREEBL_LOWHASH=1 export FREEBL_LOWHASH=1
export NSPR_INCLUDE_DIR=`nspr-config --includedir` export NSPR_INCLUDE_DIR=`nspr-config --includedir`
export NSPR_LIB_DIR=`nspr-config --libdir` export NSPR_LIB_DIR=`nspr-config --libdir`
export OPT_FLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" export OPT_FLAGS="%{optflags} -fno-strict-aliasing"
export LIBDIR=%{_libdir} export LIBDIR=%{_libdir}
%ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64 %ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64
export USE_64=1 export USE_64=1
@ -222,20 +220,20 @@ fi
%install %install
cd nss cd nss
mkdir -p $RPM_BUILD_ROOT%{_libdir} mkdir -p %{buildroot}%{_libdir}
mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/nss mkdir -p %{buildroot}%{_libexecdir}/nss
mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3 mkdir -p %{buildroot}%{_includedir}/nss3
mkdir -p $RPM_BUILD_ROOT%{_bindir} mkdir -p %{buildroot}%{_bindir}
mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p %{buildroot}%{_sbindir}
mkdir -p $RPM_BUILD_ROOT/%{_lib} mkdir -p %{buildroot}/%{_lib}
mkdir -p $RPM_BUILD_ROOT%{nssdbdir} mkdir -p %{buildroot}%{nssdbdir}
pushd ../dist/Linux* pushd ../dist/Linux*
# copy headers # copy headers
cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3 cp -rL ../public/nss/*.h %{buildroot}%{_includedir}/nss3
# copy some freebl include files we also want # copy some freebl include files we also want
for file in blapi.h alghmac.h for file in blapi.h alghmac.h
do do
cp -L ../private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3 cp -L ../private/nss/$file %{buildroot}/%{_includedir}/nss3
done done
# copy dynamic libs # copy dynamic libs
cp -L lib/libnss3.so \ cp -L lib/libnss3.so \
@ -248,20 +246,20 @@ cp -L lib/libnss3.so \
lib/libsoftokn3.so \ lib/libsoftokn3.so \
lib/libsoftokn3.chk \ lib/libsoftokn3.chk \
lib/libssl3.so \ lib/libssl3.so \
$RPM_BUILD_ROOT%{_libdir} %{buildroot}%{_libdir}
cp -L lib/libfreebl3.so \ cp -L lib/libfreebl3.so \
lib/libfreebl3.chk \ lib/libfreebl3.chk \
lib/libfreeblpriv3.so \ lib/libfreeblpriv3.so \
lib/libfreeblpriv3.chk \ lib/libfreeblpriv3.chk \
$RPM_BUILD_ROOT/%{_lib} %{buildroot}/%{_lib}
#cp -L lib/libnsssqlite3.so \ #cp -L lib/libnsssqlite3.so \
# $RPM_BUILD_ROOT%{_libdir} # %{buildroot}%{_libdir}
# copy static libs # copy static libs
cp -L lib/libcrmf.a \ cp -L lib/libcrmf.a \
lib/libfreebl.a \ lib/libfreebl.a \
lib/libnssb.a \ lib/libnssb.a \
lib/libnssckfw.a \ lib/libnssckfw.a \
$RPM_BUILD_ROOT%{_libdir} %{buildroot}%{_libdir}
# copy tools # copy tools
cp -L bin/certutil \ cp -L bin/certutil \
bin/cmsutil \ bin/cmsutil \
@ -271,7 +269,7 @@ cp -L bin/certutil \
bin/signtool \ bin/signtool \
bin/signver \ bin/signver \
bin/ssltap \ bin/ssltap \
$RPM_BUILD_ROOT%{_bindir} %{buildroot}%{_bindir}
# copy unsupported tools # copy unsupported tools
cp -L bin/atob \ cp -L bin/atob \
bin/btoa \ bin/btoa \
@ -285,13 +283,13 @@ cp -L bin/atob \
bin/tstclnt \ bin/tstclnt \
bin/vfyserv \ bin/vfyserv \
bin/vfychain \ bin/vfychain \
$RPM_BUILD_ROOT%{_libexecdir}/nss %{buildroot}%{_libexecdir}/nss
# prepare pkgconfig file # prepare pkgconfig file
mkdir -p $RPM_BUILD_ROOT%{_libdir}/pkgconfig/ mkdir -p %{buildroot}%{_libdir}/pkgconfig/
sed "s:%%LIBDIR%%:%{_libdir}:g sed "s:%%LIBDIR%%:%{_libdir}:g
s:%%VERSION%%:%{version}:g s:%%VERSION%%:%{version}:g
s:%%NSPR_VERSION%%:%{nspr_ver}:g" \ s:%%NSPR_VERSION%%:%{nspr_ver}:g" \
%{SOURCE1} > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/nss.pc %{SOURCE1} > %{buildroot}%{_libdir}/pkgconfig/nss.pc
# prepare nss-config file # prepare nss-config file
popd popd
NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | gawk '{print $3}'` NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | gawk '{print $3}'`
@ -304,32 +302,32 @@ cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \
-e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \ -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
-e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \ -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
-e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \ -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
> $RPM_BUILD_ROOT/%{_bindir}/nss-config > %{buildroot}/%{_bindir}/nss-config
chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config chmod 755 %{buildroot}/%{_bindir}/nss-config
# setup-nsssysinfo.sh # setup-nsssysinfo.sh
install -m 744 %{SOURCE6} $RPM_BUILD_ROOT%{_sbindir}/ install -m 744 %{SOURCE6} %{buildroot}%{_sbindir}/
# create empty NSS database # create empty NSS database
#LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/modutil -force -dbdir "sql:$RPM_BUILD_ROOT%{nssdbdir}" -create #LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_bindir}/modutil -force -dbdir "sql:%{buildroot}%{nssdbdir}" -create
#LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/certutil -N -d "sql:$RPM_BUILD_ROOT%{nssdbdir}" -f /dev/null 2>&1 > /dev/null #LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_bindir}/certutil -N -d "sql:%{buildroot}%{nssdbdir}" -f /dev/null 2>&1 > /dev/null
#chmod 644 "$RPM_BUILD_ROOT%{nssdbdir}"/* #chmod 644 "%{buildroot}%{nssdbdir}"/*
#sed "s:%{buildroot}::g #sed "s:%{buildroot}::g
#s/^library=$/library=libnsssysinit.so/ #s/^library=$/library=libnsssysinit.so/
#/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/" \ #/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/" \
# $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt > $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt.sed # %{buildroot}%{nssdbdir}/pkcs11.txt > %{buildroot}%{nssdbdir}/pkcs11.txt.sed
# mv $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt{.sed,} # mv %{buildroot}%{nssdbdir}/pkcs11.txt{.sed,}
# copy empty NSS database # copy empty NSS database
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{nssdbdir} install -m 644 %{SOURCE7} %{buildroot}%{nssdbdir}
install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{nssdbdir} install -m 644 %{SOURCE8} %{buildroot}%{nssdbdir}
install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{nssdbdir} install -m 644 %{SOURCE9} %{buildroot}%{nssdbdir}
# create shlib sigs after extracting debuginfo # create shlib sigs after extracting debuginfo
%define __spec_install_post \ %define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \ %{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \ %{__arch_install_post} \
%{__os_install_post} \ %{__os_install_post} \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \ LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libsoftokn3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \ LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libnssdbm3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \ LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_lib}/libfreebl3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreeblpriv3.so \ LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_lib}/libfreeblpriv3.so \
%{nil} %{nil}
%post -p /sbin/ldconfig %post -p /sbin/ldconfig
@ -356,9 +354,6 @@ fi
%postun sysinit -p /sbin/ldconfig %postun sysinit -p /sbin/ldconfig
%clean
rm -rf $RPM_BUILD_ROOT
%files %files
%defattr(-, root, root) %defattr(-, root, root)
%{_libdir}/libnss3.so %{_libdir}/libnss3.so

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5df483b73535d726207483f6349df23fe56aee83382b94b13298aec2e254d985
size 7480246

3
nss-3.30.2.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0d4a77ff26bcee79fa8afe0125e0df6ae9e798b6b36782fa29e28febf7cfce24
size 9499119

View File

@ -1,67 +0,0 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1481108447 -3600
# Wed Dec 07 12:00:47 2016 +0100
# Branch wip/dueno/ec-session-ticket
# Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73
# Parent 5796201e791e6cbffc3615cb0c894cf1b0fc09a1
Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable
When session ticket is used and wrapping key pair (for caching
generated keys at server side) is not available, disable caching
instead of returning an error.
diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
--- a/lib/ssl/ssl3exthandle.c
+++ b/lib/ssl/ssl3exthandle.c
@@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat
sslSocket *ss = (sslSocket *)data;
sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL };
const sslServerCert *sc;
- SECKEYPrivateKey *svrPrivKey;
- SECKEYPublicKey *svrPubKey;
+ SECKEYPrivateKey *svrPrivKey = NULL;
+ SECKEYPublicKey *svrPubKey = NULL;
sc = ssl_FindServerCert(ss, &certType);
if (!sc || !sc->serverKeyPair) {
SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair",
SSL_GETPID(), ss->fd));
- goto loser;
- }
- svrPrivKey = sc->serverKeyPair->privKey;
- svrPubKey = sc->serverKeyPair->pubKey;
- if (svrPrivKey == NULL || svrPubKey == NULL) {
- SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
- SSL_GETPID(), ss->fd));
- goto loser;
+ } else {
+ svrPrivKey = sc->serverKeyPair->privKey;
+ svrPubKey = sc->serverKeyPair->pubKey;
+ if (svrPrivKey == NULL || svrPubKey == NULL) {
+ SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
+ SSL_GETPID(), ss->fd));
+ svrPrivKey = NULL;
+ svrPubKey = NULL;
+ }
}
/* Get a copy of the session keys from shared memory. */
diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
--- a/lib/ssl/sslsnce.c
+++ b/lib/ssl/sslsnce.c
@@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe
PRBool keysGenerated = PR_FALSE;
cacheDesc *cache = &globalCache;
- if (!cache->cacheMem) {
- /* cache is uninitialized. Generate keys and return them
- * without caching. */
+ if (!cache->cacheMem || !svrPrivKey || !svrPubKey) {
+ /* Generated keys cannot be cached, because:
+ * - the cache is not initialized, or
+ * - key pairs to wrap them are not available
+ * Generate keys and return them without caching. */
return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
}