From: Konstantin Kliakhandler
Newsgroups: gmane.emacs.bugs
Subject: bug#23759: 25.1.50; 25.1.50; open-tls-stream creates malformed gnutls-cli command if trusted cert files don't exist
Date: Tue, 5 Jul 2016 19:54:53 +0300
To: Noam Postavsky
Cc: 23759@debbugs.gnu.org, Ted Zlatanov

Hi,

On 5 July 2016 at 17:49, Noam Postavsky wrote:

> I think gnutls is broken on master for OSX currently, see
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=23503

When I do this, with my patch enabled, I get a buffer with:

    Cache-Control: max-age=0
    Expires: Tue, 05 Jul 2016 14:58:42 GMT
    Content-Length: 3104
    Keep-Alive: timeout=3, max=100
    Connection: Keep-Alive
    Content-Type: text/html
    Content-Language: en
    ...

Of course, it would have worked even before the patch since currently tls.el by default attempts two connections via gnutls-tls and then tries via openssl s_client, which always worked for me (at least for ERC).

On 5 July 2016 at 17:36, Ted Zlatanov wrote:

> As you said, one of the key points of your patch is this:
>
> - '("gnutls-cli --x509cafile %t -p %p %h"
> + '("gnutls-cli -p %p %h"
> + "gnutls-cli --x509cafile %t -p %p %h"

I wouldn't characterize it as "one of the key points" of my patch, and the patch would work just as well if instead the line without --x509cafile was at the bottom of the list. Well, it would work worse for some users, but the key word is that it would work - except that now it would take several more attempts to connect on my computer and on OP's (instead of just not connecting at all for OP).

> Which replaces the specific call with a generic call (no CA file
> specified). This is probably less secure because it will use the system
> CA trustfiles regardless of the user's preferred `gnutls-trustfiles', so
> I'd rather not make it the first thing attempted.

Personally, I also think that the default as defined in my current patch is preferable, since anyone who messes around with the certificates would edit this variable e.g. to set there --strict-tofu or the like (I did. It is a bit more annoying to use, but since I rarely open a new domain in emacs, it's not a big deal). For everyone else, they trust their system CAs all the time when they go online. Especially considering that the previous default for this variable had "--insecure" in the arguments, I thought that the priorities for the new setting were 1>2>3 "1. It is secure by default. 2. It works by default. 3. It is secure in edge cases", rather than 1>3>2.

Anyway, I do concede that the second version is more secure. Attached is a patch that I hope is more to your liking.
I put the call that does not use an explicit certificate at the bottom of the list, even below the call to openssl s_client. I'm not sure what the implications are, as I don't know the relative merits of openssl s_client vs gnutls-cli. If you are inclined to educate me, please do as a short googling did not reveal the answers.

> Once the libraries are installed, you're all set, they'll be used
> automatically.

From what both of you said, I still am not sure what is meant by "native support". However, for various reasons I don't like the version provided in homebrew. I prefer the version from https://emacsformacosx.com. Noam, is this *"one of the pre-built binary packages"* you were referring to, or did you mean something else? How will I know that the libraries are being used? Finally, is there a way to test them explicitly? Anyway, it seems that the version I got from the site above does not have built-in gnutls:

system-configuration-features is a variable defined in ‘C source code’.
Its value is "NOTIFY ACL LIBXML2 ZLIB TOOLKIT_SCROLL_BARS NS"

system-configuration-options is a variable defined in ‘C source code’.
Its value is
"--with-ns '--enable-locallisppath=/Library/Application Support/Emacs/${version}/site-lisp:/Library/Application Support/Emacs/site-lisp'

I'll build one myself and see if the results I get are any different.

Thanks for your time,
Kosta
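
Review bot: the first `+` line of the hunk quoted above puts `gnutls-cli -p %p %h`, which has no `--x509cafile %t`, ahead of the entry that passes the trust file, so a list that is tried in order reaches the user's trust file only after an attempt against the system CA files has failed. Move the entry without `--x509cafile` below every entry that uses `%t`, and state in the variable's documentation that the order of the list is the order of trust fallback.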

[Attachment: 0001-tls-Make-open-tls-stream-try-all-gnutls-trustfiles-a.patch (application/octet-stream)]
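
The fallback order discussed in this message, as an added example that is not code from tls.el, from the attached patch or from any participant in the thread: a command list is expanded once per existing trust file, entries that need `%t` are skipped when no trust file exists, and a separate check confirms that no entry without a trust file is tried before one that has it. The names `my/tls-templates`, `my/tls-candidate-commands` and `my/tls-trust-order-ok-p`, the sample list and the trust-file path are assumptions made for illustration.

```elisp
;;; Added example: not code from tls.el or from the attached patch.
(require 'format-spec)

;; Constructed sample list in the order the message settles on: the
;; entry that passes a trust file (%t) first, the gnutls-cli entry
;; without one at the bottom, below the openssl s_client call.
(defconst my/tls-templates
  '("gnutls-cli --x509cafile %t -p %p %h"
    "openssl s_client -connect %h:%p -no_ssl2 -ign_eof"
    "gnutls-cli -p %p %h"))

(defun my/tls-candidate-commands (templates trustfiles host port)
  "Expand TEMPLATES into the ordered list of command strings to attempt.
TEMPLATES use %t (trust file), %h (host) and %p (port).  A template
containing %t is expanded once per entry of TRUSTFILES and skipped when
TRUSTFILES is nil, so no command is built with a missing CA file
argument.  Templates without %t are expanded exactly once."
  (let ((port (if (integerp port) (number-to-string port) port))
        (case-fold-search nil)
        commands)
    (dolist (template templates (nreverse commands))
      (if (string-match-p "%t" template)
          ;; One candidate per trust file, in the order given.
          (dolist (file trustfiles)
            (push (format-spec template
                               (format-spec-make ?t file ?h host ?p port))
                  commands))
        (push (format-spec template (format-spec-make ?h host ?p port))
              commands)))))

(defun my/tls-trust-order-ok-p (templates)
  "Return non-nil if no template lacking %t precedes one that uses %t.
A nil result means an attempt that ignores the configured trust files
would run before an attempt that honours them."
  (let ((case-fold-search nil)
        (seen-generic nil)
        (ok t))
    (dolist (template templates ok)
      (if (string-match-p "%t" template)
          (when seen-generic (setq ok nil))
        (setq seen-generic t)))))

;; Usage (the path is a constructed placeholder; inside Emacs, pass the
;; result of `gnutls-trustfiles' instead):
;;   (my/tls-candidate-commands my/tls-templates
;;                              '("/path/to/ca-bundle.crt") "example.org" 443)
;;   (my/tls-candidate-commands my/tls-templates nil "example.org" 443)
;;   (my/tls-trust-order-ok-p my/tls-templates)
```

The helpers only build and inspect command strings; they start no process and open no connection.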