Received: by 2002:ab2:7b86:0:b0:1f7:5705:b850 with SMTP id q6csp116675lqh;
        Fri, 3 May 2024 15:32:27 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCXmTP8DtIzG/tXeO0qFTH/WAfkIKZ3iy0YWNkuBjeN9UpuIz2N3dlXWtHGDpPqnkZNNkltZB4/zZdR5kXu/gOat4w2bD/Luxg0fEttTYg==
X-Google-Smtp-Source: AGHT+IEx+6298uvOj37h7htigIaRtjpND2TsZ9UNwg2bDdanJtUrtDz/MhfiQIpGbePBGC2/QWf8
X-Received: by 2002:ac2:5322:0:b0:518:bc7c:413a with SMTP id f2-20020ac25322000000b00518bc7c413amr2331459lfh.69.1714775547029;
        Fri, 03 May 2024 15:32:27 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1714775546; cv=pass;
        d=google.com; s=arc-20160816;
        b=XkL/z/nkRIk3kimmM+Sx1QpVqk6se2NJ+dMBThJ3HRBjYHGlIHLYYLR6xe0nL2fdLz
         4XENdfxf8FFkVhC0fQJk8JoYFl24WO104tU59TWvqrfealyfGDe9unIjiwX6oOABcGr8
         jBEAUsy0Gyqc0v01UuoCWat657vHkSyPCdzcLLBFCahOy4vgF7UGxpOTwrs8iZZFCjRw
         EvA5vIijthwXP6UKIaAy4FeAA7pYIMoAnJPiTb4tQNqWcMbooKwNBEzoX3dYS8Txsw1/
         wovha7ruTHfme4oY69HDML7RsvuI/L0B1Qaaihc/pUbgAXl1yD1AHRKK4biBwEl0jKBd
         Ux3w==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:list-unsubscribe:list-subscribe:list-id:precedence
         :dkim-signature;
        bh=XgB0xYSvxKgZRjmBtfdGpGLFcuc7WFw/gerbRuOe/hc=;
        fh=/4VkMLKbz+utqvOtcUOryPhkJqKX9gY3X0yvV/9zYGw=;
        b=rqUoTrTkSP5L0asegIgllN19hcnLuocHxfSSv1wyTmqSLSM+TZohPdlbrj9ShZkOMa
         z5yqI8+oGnB5i2+Olzl2SnIHV3iddZiwnsYM1tYMZqch5PSTILpM3P48zyo+dnl/l+2+
         AbB86FR8afjMsNNbjSQr4BeimCGw+DwLb7K/9ch06HuN91yj9XKIzS5L4NQsSuap3ZJT
         eRb/5HVVPoTJN6gIEDB2gDhNaawCUx0UOJuSZ25AOVAg1pkOoH70KW9ZM3P0G4OSjMyw
         rJ/Dp2d3qepp1oI930jT7zKURzdRtFUIjXpWlJ3+VFRbSv1EOpQzoa9OI31Hd+O9m/aP
         GKyw==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b="UmS/ot0E";
       arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);
       spf=pass (google.com: domain of linux-nfs+bounces-3153-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-nfs+bounces-3153-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-nfs+bounces-3153-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3])
        by mx.google.com with ESMTPS id b22-20020aa7d496000000b0056c3b60243bsi1882165edr.308.2024.05.03.15.32.26
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 03 May 2024 15:32:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-nfs+bounces-3153-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b="UmS/ot0E";
       arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);
       spf=pass (google.com: domain of linux-nfs+bounces-3153-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-nfs+bounces-3153-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 962D81F213B7
	for <linux.lists.archive@gmail.com>; Fri,  3 May 2024 22:31:58 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 263A42AE83;
	Fri,  3 May 2024 22:31:56 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="UmS/ot0E"
X-Original-To: linux-nfs@vger.kernel.org
Received: from mail-pj1-f54.google.com (mail-pj1-f54.google.com [209.85.216.54])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8F6CF290F
	for <linux-nfs@vger.kernel.org>; Fri,  3 May 2024 22:31:54 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.54
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1714775516; cv=none; b=fn4XckzN9ML2YqpgUH8ntU8re1Pxou1FyDosagXivx7MPfq/WheDTq57IZNxbxRV/TnBFagLwkZa97PfNy4xpX1ygQcUbcgh/GvZx4krQHwjbw/qvDYmNsyPhmhG15v6ou9qJdc9yxUkJ8l8NqsUWzuQleurqUMbjus9AXXZ7x0=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1714775516; c=relaxed/simple;
	bh=Cbu6q79fTFdc7vXeFUDi82o8S+0itUAEzjJdmevm9hU=;
	h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:
	 To:Cc:Content-Type; b=FMB+IXXyCtKwpLRSLnKrGwmI7NP+42cNJTXflzC25PrhcxhSzqBVGCUK48umgJzO5ezJXRpETreO4pWQz3dzBGcn1MOCZDtyhvvS1xX8pLb7KepjiexJR+irJMebtDT8JORC25Axa915Sbbiz9zFNIVtUjGLp6A7SSMLSef5lqw=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=UmS/ot0E; arc=none smtp.client-ip=209.85.216.54
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Received: by mail-pj1-f54.google.com with SMTP id 98e67ed59e1d1-2a6fa7773d3so147637a91.3
        for <linux-nfs@vger.kernel.org>; Fri, 03 May 2024 15:31:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1714775514; x=1715380314; darn=vger.kernel.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=XgB0xYSvxKgZRjmBtfdGpGLFcuc7WFw/gerbRuOe/hc=;
        b=UmS/ot0EFM/bPr9/Hkk7KJSch0vUqFb/uOeP1nflw45p6W+mYQxn42taC/rY8Vyxx4
         n4mIvNgbveOgM+R33IN6bXTYnc+mzAU38QfzjU0DtKiLj2gg1IPhRj2cWKCOrczCV2lp
         Mm5F+LrK3lGiJ3E8BCPPWHxEBnGxckye9eJzD6fta3TJjimcYKAoIfsJ4xCvm93n5oE1
         1nVa3tNREjzVTp9biI1hZRzMtwIfwVEiDOOkXKeOzKg4FQ3rkHc/kiZ3auq+lYbyUf+Q
         s9uRDQ3qfR9xGsrnQC6061ttU//cRyZC3dx8Gt2hJD78kHoNIpQxdq439AzQQ+/ii+Ik
         7Xdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1714775514; x=1715380314;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=XgB0xYSvxKgZRjmBtfdGpGLFcuc7WFw/gerbRuOe/hc=;
        b=Z9sk3Q3iSMjMNIexroVRegl0sLlbnMpreoFDl9un8b/lwwwkzNoDXZcY4MMGruwM45
         isb+7w6bTz2acBuvY+3w09vA1kn43nIKN9DX5WpqGe4JT2SDzFOKKYmTycpRHdeN4/VA
         RVPr0TefbOO7RLjyeV9lgrLuvH+oowQSZTsgVPOPkRN3qicq4kBnrFn4dpHxF0W2m6EC
         GmtMHTESN1VuFzT8zBjGo3aKhINUSUjP3FRkRbu7c0n0ndQCdn6hL3mEC2xy94RNxR36
         h1y/qRkMBUI3vufM7iyuqkaqao1FM3dboaONBe+e3aGxnsCMp3WzY91A5KHNX+v/NbNW
         he0w==
X-Forwarded-Encrypted: i=1; AJvYcCXkkDAG/km/1pchArznUtsqSKDAMTOhI/NDX70hJjKrP5KcZS9hLP477t80I5IV9yP5v7fnBTJV+fCBF1rQE+eaD6NN7yzvMRCR
X-Gm-Message-State: AOJu0YwRNQW0spgLwBH1vz8bnpFbldh/uucTaFVPdb778Pb4GOVS6ERX
	+QfI1wBNLEGlG4aObyPxFd1yliSRTVXBj7eWTNBiqUb+1WGpE5BmwREllH7wEfyekPX/W6hSu1u
	5l6Kw+7FNIv1Awtz0GYX93CgwWOJW
X-Received: by 2002:a17:90a:ab92:b0:2b3:ed2:1a77 with SMTP id
 n18-20020a17090aab9200b002b30ed21a77mr4107097pjq.10.1714775513577; Fri, 03
 May 2024 15:31:53 -0700 (PDT)
Precedence: bulk
X-Mailing-List: linux-nfs@vger.kernel.org
List-Id: <linux-nfs.vger.kernel.org>
List-Subscribe: <mailto:linux-nfs+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-nfs+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
References: <ZjO3Qwf_G87yNXb2@aion> <100A1A35-2B53-46CA-A448-F82A95CA1EFA@oracle.com>
 <ZjPPZmBZJZVmBuA6@aion> <38C9B493-2A43-4691-A19A-8998F0DFAED9@oracle.com>
 <ZjPgq-xA1G6Z2_aQ@aion> <ZjUwmthoBkBLaW/I@tissot.1015granger.net>
In-Reply-To: <ZjUwmthoBkBLaW/I@tissot.1015granger.net>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Fri, 3 May 2024 15:31:43 -0700
Message-ID: <CAM5tNy5aUEBqVRkFqCLqh-8_1cDHv3tz12m1LiaAAdwD-QY2Mw@mail.gmail.com>
Subject: Re: NFSv3 and xprtsec policies
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Scott Mayhew <smayhew@redhat.com>, Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Content-Type: multipart/mixed; boundary="0000000000005b5c96061794497b"

--0000000000005b5c96061794497b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Fri, May 3, 2024 at 11:45=E2=80=AFAM Chuck Lever <chuck.lever@oracle.com=
> wrote:
>
> On Thu, May 02, 2024 at 02:51:23PM -0400, Scott Mayhew wrote:
> > On Thu, 02 May 2024, Chuck Lever III wrote:
> >
> > >
> > >
> > > > On May 2, 2024, at 1:37=E2=80=AFPM, Scott Mayhew <smayhew@redhat.co=
m> wrote:
> > > >
> > > > On Thu, 02 May 2024, Chuck Lever III wrote:
> > > >
> > > >>> On May 2, 2024, at 11:54=E2=80=AFAM, Scott Mayhew <smayhew@redhat=
.com> wrote:
> > > >>>
> > > >>> Red Hat QE identified an "interesting" issue with NFSv3 and TLS, =
in that an
> > > >>> NFSv3 client can mount with "xprtsec=3Dnone" a filesystem exporte=
d with
> > > >>> "xprtsec=3Dtls:mtls" (in the sense that the client gets the fileh=
andle and adds a
> > > >>> mount to its mount table - it can't actually access the mount).
> > > >>>
> > > >>> Here's an example using machines from the recent Bakeathon.
> > > >>>
> > > >>> Mounting a server with TLS enabled:
> > > >>>
> > > >>> # mount -o v4.2,sec=3Dsys,xprtsec=3Dtls oracle-102.chuck.lever.or=
acle.com.nfsv4.dev:/export/tls /mnt
> > > >>> # umount /mnt
> > > >>>
> > > >>> Trying to mount without "xprtsec=3Dtls" shows that the filesystem=
 is not exported with "xprtsec=3Dnone":
> > > >>>
> > > >>> # mount -o v4.2,sec=3Dsys oracle-102.chuck.lever.oracle.com.nfsv4=
.dev:/export/tls /mnt
> > > >>> mount.nfs: Operation not permitted for oracle-102.chuck.lever.ora=
cle.com.nfsv4.dev:/export/tls on /mnt
> > > >>>
> > > >>> Yet a v3 mount without "xprtsec=3Dtls" works:
> > > >>>
> > > >>> # mount -o v3,sec=3Dsys oracle-102.chuck.lever.oracle.com.nfsv4.d=
ev:/export/tls /mnt
> > > >>> # umount /mnt
> > > >>>
> > > >>> and a mount with no explicit version and without "xprtsec=3Dtls" =
falls back to
> > > >>> v3 and also "works":
> > > >>>
> > > >>> # mount -o sec=3Dsys oracle-102.chuck.lever.oracle.com.nfsv4.dev:=
/export/tls /mnt
> > > >>> # grep ora /proc/mounts
> > > >>> oracle-102.chuck.lever.oracle.com.nfsv4.dev:/export/tls /mnt nfs
> > > >>> +rw,relatime,vers=3D3,rsize=3D524288,wsize=3D524288,namlen=3D255,=
hard,proto=3Dtcp,timeo=3D600,retrans=3D2,sec=3Dsys,mountaddr=3D100.64.0.49,=
mountvers=3D3,mountport=3D20048,mountproto=3Dudp,local_lock=3Dnone,addr=3D1=
00.64.0.49 0 0
> > > >>>
> > > >>> Even though the filesystem is mounted, the client can't do anythi=
ng with it:
> > > >>>
> > > >>> # ls /mnt
> > > >>> ls: cannot open directory '/mnt': Permission denied
> > > >>>
> > > >>> When krb5 is used with NFSv3, the server returns a list of pseudo=
flavors in
> > > >>> mountres3_ok (https://datatracker.ietf.org/doc/html/rfc1813#secti=
on-5.2.1).
> > > >>> The client compares that list with its own list of auth flavors p=
arsed from the
> > > >>> mount request and returns -EACCES if no match is found (see
> > > >>> nfs_verify_authflavors()).
> > > >>>
> > > >>> Perhaps we should be doing something similar with xprtsec policie=
s?
> > > >>
> > > >> The problem might be in how you've set up the exports. With NFSv3,
> > > >> the parent export needs the "crossmnt" export option in order for
> > > >> NFSv3 to behave like NFSv4 in this regard, although I could have
> > > >> missed something.
> > > >
> > > > I was mounting your server though :)
> > >
> > > OK, then not the same bug that Olga found last year.
> > >
> > > We should find out what FreeBSD does in this case.
> >
> > I thought about that.  Rick's servers from the BAT are offline, and I
> > don't think he was exporting v3 anyway.
If you want me to leave the FreeBSD server up on tailscale configured to
allow NFSv3/RPC-with-TLS mounts, just email.

I did a quick test using the FreeBSD client and the mount fails, but I know
that failure happens when it tries to access the server file system in
the kernel.
The replies fail with RPC Msg_denied.
(I've attached a packet trace, in case you are interested.)

I haven't done anything with the userspace mountd daemon, which means it
will allow a Mount protocol RPC without TLS and does not return any differe=
nt
info (such as a new pseudo flavour).  Adding a pseudo-flavour wouldn't be h=
ard,
but I have tried hard to avoid adding RPC-with-TLS to the userspace
RPC libraries.
(Mainly avoiding the need to link the userspace stuff to the OpenSSL librar=
ies.)

> >
> > >
> > >
> > > >>> Should
> > > >>> there be an errata to RFC 9289 and a request from IANA for assign=
ed numbers for
> > > >>> pseudo-flavors corresponding to xprtsec policies?
> > > >>
> > > >> No. Transport-layer security is not an RPC security flavor or
> > > >> pseudo-flavor. These two things are not related.
> > > >>
> > > >> (And in fact, I proposed something like this for NFSv4 SECINFO,
> > > >> but it was rejected).
> > > >
> > > > I thought it might be a stretch to try to use mountres3.auth_flavor=
s for
> > > > this, but since RFC 9289 does refer to AUTH_TLS as an authenticatio=
n
> > > > flavor and https://www.iana.org/assignments/rpc-authentication-numb=
ers/rpc-authentication-numbers.xhtml
> > > > also lists TLS under the Flavor Name column I thought it might make
> > > > sense to treat xprtsec policies as if they were pseudo-flavors even
> > > > though they're not, if only to give the client a way to determine t=
hat
> > > > the mount should fail.
> > >
> > > RPC_AUTH_TLS is used only when a client probes a server to see if
> > > it supports RPC-with-TLS. At all other times, the client uses one
> > > of the normal, legitimate flavors. It does not represent a security
> > > flavor that can be used during regular operation.
> > >
> > > NFSv3 mount failover logic is still open for discussion (ie, incomple=
te).
> > >
> > > Would it help if rpc.mountd stuck RPC_AUTH_TLS in the auth_flavors
> > > list? I think clients that don't recognize it should ignore it,
> > > but I'm not sure. What should a client do if it sees that flavor in
> > > the list? It's not one that can be used for any other procedure than
> > > a NULL RPC.
> >
> > Maybe?  After the client gets the filehandle it's calling FSINFO and
> > PATHCONF.  The latter get NFS3ERR_ACCES, but nfs_probe_fsinfo() isn't
> > checking for a negative return code from the PATHCONF operation.  If it
> > did, it could maybe use the -EACCES coupled with the knowledge that the
> > server had RPC_AUTH_TLS enabled to emit an error message saying to chec=
k
> > the xprtsec policies (but I don't think that would be as definitive as
> > what I had in mind) and to fail the mount.
>
> If Linux is the only implementation of NFSv3 with TLS so far, then
> we have some latitude for innovation.
At this point, FreeBSD can change to whatever you guys think works best,
although I'd like to avoid adding RPC-with-TLS support to the Mount protoco=
l.

Have fun with it, rick

>
> I would like to hear from the client maintainers about what they
> would prefer the client user experience to look like. Then NFSD's
> behavior can be adjusted to accommodate.
>
> In this case, Steve would have to sign off on an rpc.mountd change
> to return AUTH_TLS in the auth_flavors list.
>
>
> --
> Chuck Lever
>

--0000000000005b5c96061794497b
Content-Type: application/octet-stream; 
	name="freebsd-tls-with-rpc-v3-mount-failure.pcap"
Content-Disposition: attachment; 
	filename="freebsd-tls-with-rpc-v3-mount-failure.pcap"
Content-Transfer-Encoding: base64
Content-ID: <f_lvr8znef0>
X-Attachment-Id: f_lvr8znef0

1MOyoQIABAAAAAAAAAAAAAAABAABAAAATWQ1Zv1uAABuAAAAbgAAALBa2liWlQCgmF8GGggARUgA
YAAAQABABrbywKgBCMCoAQUAFn98XE+iosDNUcGAGABBHgcAAAEBCAoLPDoWmij8cLlk8aX/pzy7
QAaz09gprh/8odSgvTJlhXGtY7ne6a5TZmfQHgNvOW4euh2WTWQ1ZqVvAAB+AAAAfgAAALBa2liW
lQCgmF8GGggARUgAcAAAQABABrbiwKgBCMCoAQUAFn98XE+izsDNUcGAGABBp9sAAAEBCAoLPDoW
mij8cLj2PmCthj0OOjcR7qZ7bcsHLorTFSuwr0E3d/Cax9fCw/I520n8faRxkGJtsYEfdcSZMh1u
dmALCFbf+k1kNWbCcAAAQgAAAEIAAAAAoJhfBhqwWtpYlpUIAEVIADQAAEAAQAa3HsCoAQXAqAEI
f3wAFsDNUcFcT6MKgBAAQYVOAAABAQgKmij82Qs8OhZNZDVmVHEAAIYAAACGAAAAsFraWJaVAKCY
XwYaCABFSAB4AABAAEAGttrAqAEIwKgBBQAWf3xcT6MKwM1RwYAYAEGlwQAAAQEICgs8OhaaKPzZ
irU3ZUmU8PLavvcRIqS5X6UciYRO+tt/TNJnVxH/S33A0eZsZZOOHCqVoog4x0eY/J0mTMk5JJJ1
1567Ie+4kjvFpgxNZDVm0XEAAIYAAACGAAAAsFraWJaVAKCYXwYaCABFSAB4AABAAEAGttrAqAEI
wKgBBQAWf3xcT6NOwM1RwYAYAEG+dQAAAQEICgs8OhaaKPzZzazbpP241WQ4tDFkj04rzEZzBiHY
+bAytycnq/eOIuezfExO68tLOtDOrrI65Nxss8wKoqM8qS5t/C+p+jmwWfDjRAFNZDVmZHIAAEIA
AABCAAAAAKCYXwYasFraWJaVCABFSAA0AABAAEAGtx7AqAEFwKgBCH98ABbAzVHBXE+jkoAQAEGE
xQAAAQEICpoo/NoLPDoWWGQ1ZgWJBgBKAAAASgAAALBa2liWlQCgmF8GGggARQAAPAAAQABABrde
wKgBCMCoAQUDkgBvaMYZ5AAAAACgAv///gwAAAIEBbQBAwMKBAIICp9PoJcAAAAAWGQ1Zj6KBgBK
AAAASgAAAACgmF8GGrBa2liWlQgARQAAPAAAQABABrdewKgBBcCoAQgAbwOStWDcSmjGGeWgEv//
Nb8AAAIEBbQBAwMKBAIICnZhwC+fT6CXWGQ1ZnCKBgBCAAAAQgAAALBa2liWlQCgmF8GGggARQAA
NAAAQABABrdmwKgBCMCoAQUDkgBvaMYZ5bVg3EuAEABBZE0AAAEBCAqfT6CXdmHAL1hkNWariwYA
fgAAAH4AAACwWtpYlpUAoJhfBhoIAEUAAHAAAEAAQAa3KsCoAQjAqAEFA5IAb2jGGeW1YNxLgBgA
QfBBAAABAQgKn0+gl3ZhwC+AAAA4ITbFAgAAAAAAAAACAAGGoAAAAAIAAAADAAAAAAAAAAAAAAAA
AAAAAAABhqMAAAADAAAABgAAAABYZDVmrIwGAGIAAABiAAAAAKCYXwYasFraWJaVCABFAABUAABA
AEAGt0bAqAEFwKgBCABvA5K1YNxLaMYaIYAYAEH1kAAAAQEICnZhwDCfT6CXgAAAHCE2xQIAAAAB
AAAAAAAAAAAAAAAAAAAAAAAACAFYZDVmFI0GAEIAAABCAAAAsFraWJaVAKCYXwYaCABFAAA0AABA
AEAGt2bAqAEIwKgBBQOSAG9oxhohtWDca4ARAEFj7wAAAQEICp9PoJd2YcAwWGQ1ZrKNBgBCAAAA
QgAAAACgmF8GGrBa2liWlQgARQAANAAAQABABrdmwKgBBcCoAQgAbwOStWDca2jGGiKAEABBY+8A
AAEBCAp2YcAwn0+gl1hkNWbKjQYAQgAAAEIAAAAAoJhfBhqwWtpYlpUIAEUAADQAAEAAQAa3ZsCo
AQXAqAEIAG8DkrVg3GtoxhoigBEAQWPuAAABAQgKdmHAMJ9PoJdYZDVm5I0GAEIAAABCAAAAsFra
WJaVAKCYXwYaCABFAAA0AABAAEAGt2bAqAEIwKgBBQOSAG9oxhoitWDcbIAQAEFj7gAAAQEICp9P
oJd2YcAwWGQ1Zj6OBgBKAAAASgAAALBa2liWlQCgmF8GGggARQAAPAAAQABABrdewKgBCMCoAQUD
ywgBHGFe3AAAAACgAv//QTIAAAIEBbQBAwMKBAIICjKwybMAAAAAWGQ1ZtCOBgBKAAAASgAAAACg
mF8GGrBa2liWlQgARQAAPAAAQABABrdewKgBBcCoAQgIAQPLy2N1NBxhXt2gEv//jAAAAAIEBbQB
AwMKBAIICv38dosysMmzWGQ1Zu6OBgBCAAAAQgAAALBa2liWlQCgmF8GGggARQAANAAAQABABrdm
wKgBCMCoAQUDywgBHGFe3ctjdTWAEABBuo4AAAEBCAoysMmz/fx2i1hkNWZ9kgYAbgAAAG4AAACw
WtpYlpUAoJhfBhoIAEUAAGAAAEAAQAa3OsCoAQjAqAEFA8sIARxhXt3LY3U1gBgAQdGhAAABAQgK
MrDJs/38douAAAAoITbAsAAAAAAAAAACAAGGowAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAFhkNWYb
kwYAQgAAAEIAAAAAoJhfBhqwWtpYlpUIAEUAADQAAEAAQAa3ZsCoAQXAqAEICAEDy8tjdTUcYV8J
gBCgoBoBAAABAQgK/fx2jTKwybNYZDVmMpMGAF4AAABeAAAAAKCYXwYasFraWJaVCABFAABQAABA
AEAGt0rAqAEFwKgBCAgBA8vLY3U1HGFfCYAYoKC33AAAAQEICv38do0ysMmzgAAAGCE2wLAAAAAB
AAAAAAAAAAAAAAAAAAAAAFhkNWZlkwYAQgAAAEIAAACwWtpYlpUAoJhfBhoIAEUAADQAAEAAQAa3
ZsCoAQjAqAEFA8sIARxhXwnLY3VRgBEAQbpDAAABAQgKMrDJs/38do1YZDVm6ZMGAEIAAABCAAAA
AKCYXwYasFraWJaVCABFAAA0AABAAEAGt2bAqAEFwKgBCAgBA8vLY3VRHGFfCoAQoKAZ5AAAAQEI
Cv38do0ysMmzWGQ1Zm6UBgBCAAAAQgAAAACgmF8GGrBa2liWlQgARQAANAAAQABABrdmwKgBBcCo
AQgIAQPLy2N1URxhXwqAEaCgGeMAAAEBCAr9/HaNMrDJs1hkNWYAlQYASgAAAEoAAACwWtpYlpUA
oJhfBhoIAEUAADwAAEAAQAa3XsCoAQjAqAEFAmIAb3Pr+uUAAAAAoAL//wEgAAACBAW0AQMDCgQC
CApH+QnkAAAAAFhkNWYDlQYAQgAAAEIAAACwWtpYlpUAoJhfBhoIAEUAADQAAEAAQAa3ZsCoAQjA
qAEFA8sIARxhXwrLY3VSgBAAQbpCAAABAQgKMrDJs/38do1YZDVmjJUGAEoAAABKAAAAAKCYXwYa
sFraWJaVCABFAAA8AABAAEAGt17AqAEFwKgBCABvAmKaN1Zlc+v65qAS//8+SwAAAgQFtAEDAwoE
AggKaptni0f5CeRYZDVmq5UGAEIAAABCAAAAsFraWJaVAKCYXwYaCABFAAA0AABAAEAGt2bAqAEI
wKgBBQJiAG9z6/rmmjdWZoAQAEFs2QAAAQEICkf5CeRqm2eLWGQ1ZhqWBgB+AAAAfgAAALBa2liW
lQCgmF8GGggARQAAcAAAQABABrcqwKgBCMCoAQUCYgBvc+v65po3VmaAGABB410AAAEBCApH+Qnk
aptni4AAADghNtpwAAAAAAAAAAIAAYagAAAAAgAAAAMAAAAAAAAAAAAAAAAAAAAAAAGGpQAAAAMA
AAAGAAAAAFhkNWYblwYAYgAAAGIAAAAAoJhfBhqwWtpYlpUIAEUAAFQAAEAAQAa3RsCoAQXAqAEI
AG8CYpo3VmZz6/sigBgAQe4fAAABAQgKaptnjEf5CeSAAAAcITbacAAAAAEAAAAAAAAAAAAAAAAA
AAAAAAACkFhkNWZblwYAQgAAAEIAAACwWtpYlpUAoJhfBhoIAEUAADQAAEAAQAa3ZsCoAQjAqAEF
AmIAb3Pr+yKaN1aGgBEAQWx7AAABAQgKR/kJ5GqbZ4xYZDVm15cGAEIAAABCAAAAAKCYXwYasFra
WJaVCABFAAA0AABAAEAGt2bAqAEFwKgBCABvAmKaN1aGc+v7I4AQAEFsewAAAQEICmqbZ4xH+Qnk
WGQ1ZhaYBgBCAAAAQgAAAACgmF8GGrBa2liWlQgARQAANAAAQABABrdmwKgBBcCoAQgAbwJimjdW
hnPr+yOAEQBBbHoAAAEBCApqm2eMR/kJ5FhkNWYumAYAQgAAAEIAAACwWtpYlpUAoJhfBhoIAEUA
ADQAAEAAQAa3ZsCoAQjAqAEFAmIAb3Pr+yOaN1aHgBAAQWx6AAABAQgKR/kJ5GqbZ4xYZDVmjJgG
AEoAAABKAAAAsFraWJaVAKCYXwYaCABFAAA8AABAAEAGt17AqAEIwKgBBQPGApAySGwNAAAAAKAC
//+uVgAAAgQFtAEDAwoEAggKjRDkjAAAAABYZDVmFJkGAEoAAABKAAAAAKCYXwYasFraWJaVCABF
AAA8AABAAEAGt17AqAEFwKgBCAKQA8ZE7jO7MkhsDqAS///sDwAAAgQFtAEDAwoEAggKhkzDP40Q
5IxYZDVmMpkGAEIAAABCAAAAsFraWJaVAKCYXwYaCABFAAA0AABAAEAGt2bAqAEIwKgBBQPGApAy
SGwORO4zvIAQAEEangAAAQEICo0Q5IyGTMM/WGQ1ZgycBgCuAAAArgAAALBa2liWlQCgmF8GGggA
RQAAoAAAQABABrb6wKgBCMCoAQUDxgKQMkhsDkTuM7yAGABBuYcAAAEBCAqNEOSMhkzDP4AAAGgh
NtbzAAAAAAAAAAIAAYalAAAAAwAAAAEAAAABAAAAOGY1ZFgAAAAVbmZzdjQtZGF0YTAuaG9tZS5y
aWNrAAAAAAAAAAAAAAAAAAADAAAAAAAAAAAAAAAFAAAAAAAAAAAAAAAEL2Zvb1hkNWbPnQYAlgAA
AJYAAAAAoJhfBhqwWtpYlpUIAEUAAIgAAEAAQAa3EsCoAQXAqAEIApADxkTuM7wySGx6gBgAQZh9
AAABAQgKhkzDQI0Q5IyAAABQITbW8wAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABy4JNBkHy42
lwwAAAACAAAAQKQBWgAAAAAAAAAAAAAABAAAAAEABfNzAAXzdAAF83VYZDVmKJ4GAEIAAABCAAAA
sFraWJaVAKCYXwYaCABFAAA0AABAAEAGt2bAqAEIwKgBBQPGApAySGx6RO40EIARAEEZ3AAAAQEI
Co0Q5IyGTMNAWGQ1ZsueBgBCAAAAQgAAAACgmF8GGrBa2liWlQgARQAANAAAQABABrdmwKgBBcCo
AQgCkAPGRO40EDJIbHuAEABBGdsAAAEBCAqGTMNBjRDkjFhkNWbingYAQgAAAEIAAAAAoJhfBhqw
WtpYlpUIAEUAADQAAEAAQAa3ZsCoAQXAqAEIApADxkTuNBAySGx7gBEAQRnaAAABAQgKhkzDQY0Q
5IxYZDVm+Z4GAEIAAABCAAAAsFraWJaVAKCYXwYaCABFAAA0AABAAEAGt2bAqAEIwKgBBQPGApAy
SGx7RO40EYAQAEEZ2gAAAQEICo0Q5IyGTMNBWGQ1ZgKhBgBKAAAASgAAALBa2liWlQCgmF8GGggA
RQAAPAAAQABABrdewKgBCMCoAQUD8QgBz4HqcgAAAACgAv//Z70AAAIEBbQBAwMKBAIIChyvekwA
AAAAWGQ1ZpChBgBKAAAASgAAAACgmF8GGrBa2liWlQgARQAAPAAAQABABrdewKgBBcCoAQgIAQPx
91WOCM+B6nOgEv//cskAAAIEBbQBAwMKBAIICl9bECkcr3pMWGQ1ZrGhBgBCAAAAQgAAALBa2liW
lQCgmF8GGggARQAANAAAQABABrdmwKgBCMCoAQUD8QgBz4Hqc/dVjgmAEABBoVcAAAEBCAocr3pM
X1sQKVhkNWb9oQYAwgAAAMIAAACwWtpYlpUAoJhfBhoIAEUAALQAAEAAQAa25sCoAQjAqAEFA/EI
Ac+B6nP3VY4JgBgBEPtRAAABAQgKHK96TF9bECmAAAB8ZUxJYgAAAAAAAAACAAGGowAAAAMAAAAB
AAAAAQAAADRmNWJDAAAAFW5mc3Y0LWRhdGEwLmhvbWUucmljawAAAAAAAAAAAAAAAAAAAgAAAAAA
AAAFAAAAAAAAAAAAAAAcuCTQZB8uNpcMAAAAAgAAAECkAVoAAAAAAAAAAFhkNWa1ogYAQgAAAEIA
AAAAoJhfBhqwWtpYlpUIAEUAADQAAEAAQAa3ZsCoAQXAqAEICAED8fdVjgnPgerzgBCgoAB3AAAB
AQgKX1sQKhyvekxYZDVmzKIGAFoAAABaAAAAAKCYXwYasFraWJaVCABFAABMAABAAEAGt07AqAEF
wKgBCAgBA/H3VY4Jz4Hq84AYoKDRiwAAAQEICl9bECocr3pMgAAAFGVMSWIAAAABAAAAAQAAAAEA
AAAFWGQ1ZgqjBgDCAAAAwgAAALBa2liWlQCgmF8GGggARQAAtAAAQABABrbmwKgBCMCoAQUD8QgB
z4Hq8/dVjiGAGAEQ+qUAAAEBCAocr3pMX1sQKoAAAHxlTEljAAAAAAAAAAIAAYajAAAAAwAAABMA
AAABAAAANGY1YkMAAAAVbmZzdjQtZGF0YTAuaG9tZS5yaWNrAAAAAAAAAAAAAAAAAAACAAAAAAAA
AAUAAAAAAAAAAAAAABy4JNBkHy42lwwAAAACAAAAQKQBWgAAAAAAAAAAWGQ1ZsWjBgBaAAAAWgAA
AACgmF8GGrBa2liWlQgARQAATAAAQABABrdOwKgBBcCoAQgIAQPx91WOIc+B63OAGKCg0PIAAAEB
CApfWxAqHK96TIAAABRlTEljAAAAAQAAAAEAAAABAAAABVhkNWYJpAYAwgAAAMIAAACwWtpYlpUA
oJhfBhoIAEUAALQAAEAAQAa25sCoAQjAqAEFA/EIAc+B63P3VY45gBgBEPoMAAABAQgKHK96TF9b
ECqAAAB8ZUxJZAAAAAAAAAACAAGGowAAAAMAAAATAAAAAQAAADRmNWJDAAAAFW5mc3Y0LWRhdGEw
LmhvbWUucmljawAAAAAAAAAAAAAAAAAAAgAAAAAAAAAFAAAAAAAAAAAAAAAcuCTQZB8uNpcMAAAA
AgAAAECkAVoAAAAAAAAAAFhkNWaspAYAWgAAAFoAAAAAoJhfBhqwWtpYlpUIAEUAAEwAAEAAQAa3
TsCoAQXAqAEICAED8fdVjjnPgevzgBigoNBZAAABAQgKX1sQKhyvekyAAAAUZUxJZAAAAAEAAAAB
AAAAAQAAAAVYZDVm46QGAMIAAADCAAAAsFraWJaVAKCYXwYaCABFAAC0AABAAEAGtubAqAEIwKgB
BQPxCAHPgevz91WOUYAYARD5hQAAAQEIChyvekxfWxAqgAAAfGVMSWUAAAAAAAAAAgABhqMAAAAD
AAAAAQAAAAEAAAA0ZjViQwAAABVuZnN2NC1kYXRhMC5ob21lLnJpY2sAAAAAAAAAAAAAAAAAAAIA
AAAAAAAABQAAAAAAAAAAAAAAHLgk0GQfLjaXDAAAAAIAAABApAFaAAAAAAAAAABYZDVmf6UGAFoA
AABaAAAAAKCYXwYasFraWJaVCABFAABMAABAAEAGt07AqAEFwKgBCAgBA/H3VY5Rz4Hsc4AYoKDP
wAAAAQEICl9bECocr3pMgAAAFGVMSWUAAAABAAAAAQAAAAEAAAAFWGQ1ZralBgBCAAAAQgAAALBa
2liWlQCgmF8GGggARQAANAAAQABABrdmwKgBCMCoAQUD8QgBz4Hsc/dVjmmAEQEQniYAAAEBCAoc
r3pMX1sQKlhkNWZMpgYAQgAAAEIAAAAAoJhfBhqwWtpYlpUIAEUAADQAAEAAQAa3ZsCoAQXAqAEI
CAED8fdVjmnPgex0gBCgoP6VAAABAQgKX1sQKhyvekxYZDVmY6YGAEIAAABCAAAAAKCYXwYasFra
WJaVCABFAAA0AABAAEAGt2bAqAEFwKgBCAgBA/H3VY5pz4HsdIARoKD+lAAAAQEICl9bECocr3pM
WGQ1ZnqmBgBCAAAAQgAAALBa2liWlQCgmF8GGggARQAANAAAQABABrdmwKgBCMCoAQUD8QgBz4Hs
dPdVjmqAEAEQniUAAAEBCAocr3pMX1sQKg==
--0000000000005b5c96061794497b--