]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
3df3e884 | 2 | |
33dbab6f | 3 | #if defined(__i386__) || defined(__x86_64__) |
97fa202a LP |
4 | #include <cpuid.h> |
5 | #endif | |
6 | ||
11c3a366 | 7 | #include <elf.h> |
3df3e884 | 8 | #include <errno.h> |
3df3e884 | 9 | #include <fcntl.h> |
4dd055f9 | 10 | #include <linux/random.h> |
a0f11d1d | 11 | #include <pthread.h> |
11c3a366 | 12 | #include <stdbool.h> |
dccca82b | 13 | #include <stdint.h> |
11c3a366 | 14 | #include <stdlib.h> |
dccca82b | 15 | #include <string.h> |
4dd055f9 | 16 | #include <sys/ioctl.h> |
11c3a366 | 17 | #include <sys/time.h> |
11c3a366 | 18 | |
349cc4a5 | 19 | #if HAVE_SYS_AUXV_H |
5224c2c7 ZJS |
20 | # include <sys/auxv.h> |
21 | #endif | |
22 | ||
c322f379 | 23 | #include "alloc-util.h" |
e2b55464 | 24 | #include "errno-util.h" |
3ffd4af2 | 25 | #include "fd-util.h" |
3e155eba | 26 | #include "fileio.h" |
c004493c | 27 | #include "io-util.h" |
f5947a5e YW |
28 | #include "missing_random.h" |
29 | #include "missing_syscall.h" | |
3e155eba | 30 | #include "parse-util.h" |
3df3e884 | 31 | #include "random-util.h" |
80eb560a | 32 | #include "siphash24.h" |
3df3e884 | 33 | #include "time-util.h" |
3df3e884 | 34 | |
a0f11d1d YW |
35 | static bool srand_called = false; |
36 | ||
33dbab6f | 37 | int rdrand(unsigned long *ret) { |
97fa202a | 38 | |
85505064 LP |
39 | /* So, you are a "security researcher", and you wonder why we bother with using raw RDRAND here, |
40 | * instead of sticking to /dev/urandom or getrandom()? | |
41 | * | |
42 | * Here's why: early boot. On Linux, during early boot the random pool that backs /dev/urandom and | |
43 | * getrandom() is generally not initialized yet. It is very common that initialization of the random | |
44 | * pool takes a longer time (up to many minutes), in particular on embedded devices that have no | |
45 | * explicit hardware random generator, as well as in virtualized environments such as major cloud | |
46 | * installations that do not provide virtio-rng or a similar mechanism. | |
47 | * | |
48 | * In such an environment using getrandom() synchronously means we'd block the entire system boot-up | |
49 | * until the pool is initialized, i.e. *very* long. Using getrandom() asynchronously (GRND_NONBLOCK) | |
50 | * would mean acquiring randomness during early boot would simply fail. Using /dev/urandom would mean | |
51 | * generating many kmsg log messages about our use of it before the random pool is properly | |
52 | * initialized. Neither of these outcomes is desirable. | |
53 | * | |
54 | * Thus, for very specific purposes we use RDRAND instead of either of these three options. RDRAND | |
55 | * provides us quickly and relatively reliably with random values, without having to delay boot, | |
56 | * without triggering warning messages in kmsg. | |
57 | * | |
58 | * Note that we use RDRAND only under very specific circumstances, when the requirements on the | |
59 | * quality of the returned entropy permit it. Specifically, here are some cases where we *do* use | |
60 | * RDRAND: | |
61 | * | |
62 | * • UUID generation: UUIDs are supposed to be universally unique but are not cryptographic | |
63 | * key material. The quality and trust level of RDRAND should hence be OK: UUIDs should be | |
64 | * generated in a way that is reliably unique, but they do not require ultimate trust into | |
65 | * the entropy generator. systemd generates a number of UUIDs during early boot, including | |
66 | * 'invocation IDs' for every unit spawned that identify the specific invocation of the | |
67 | * service globally, and a number of others. Other alternatives for generating these UUIDs | |
68 | * have been considered, but don't really work: for example, hashing uuids from a local | |
69 | * system identifier combined with a counter falls flat because during early boot disk | |
70 | * storage is not yet available (think: initrd) and thus a system-specific ID cannot be | |
71 | * stored or retrieved yet. | |
72 | * | |
73 | * • Hash table seed generation: systemd uses many hash tables internally. Hash tables are | |
74 | * generally assumed to have O(1) access complexity, but can deteriorate to prohibitive | |
75 | * O(n) access complexity if an attacker manages to trigger a large number of hash | |
76 | * collisions. Thus, systemd (as any software employing hash tables should) uses seeded | |
77 | * hash functions for its hash tables, with a seed generated randomly. The hash tables | |
78 | * systemd employs watch the fill level closely and reseed if necessary. This allows use of | |
79 | * a low quality RNG initially, as long as it improves should a hash table be under attack: | |
d7b34e38 | 80 | * the attacker after all needs to trigger many collisions to exploit it for the purpose |
85505064 LP |
81 | * of DoS, but if doing so improves the seed the attack surface is reduced as the attack |
82 | * takes place. | |
83 | * | |
84 | * Some cases where we do NOT use RDRAND are: | |
85 | * | |
86 | * • Generation of cryptographic key material 🔑 | |
87 | * | |
88 | * • Generation of cryptographic salt values 🧂 | |
89 | * | |
90 | * This function returns: | |
91 | * | |
92 | * -EOPNOTSUPP → RDRAND is not available on this system 😔 | |
93 | * -EAGAIN → The operation failed this time, but is likely to work if you try again a few | |
94 | * times ♻ | |
95 | * -EUCLEAN → We got some random value, but it looked strange, so we refused using it. | |
96 | * This failure might or might not be temporary. 😕 | |
97 | */ | |
98 | ||
33dbab6f | 99 | #if defined(__i386__) || defined(__x86_64__) |
97fa202a | 100 | static int have_rdrand = -1; |
1c53d4a0 | 101 | unsigned long v; |
328f850e | 102 | uint8_t success; |
97fa202a LP |
103 | |
104 | if (have_rdrand < 0) { | |
105 | uint32_t eax, ebx, ecx, edx; | |
106 | ||
107 | /* Check if RDRAND is supported by the CPU */ | |
108 | if (__get_cpuid(1, &eax, &ebx, &ecx, &edx) == 0) { | |
109 | have_rdrand = false; | |
110 | return -EOPNOTSUPP; | |
111 | } | |
112 | ||
cc28145d LP |
113 | /* Compat with old gcc where bit_RDRND didn't exist yet */ |
114 | #ifndef bit_RDRND | |
115 | #define bit_RDRND (1U << 30) | |
116 | #endif | |
117 | ||
118 | have_rdrand = !!(ecx & bit_RDRND); | |
97fa202a LP |
119 | } |
120 | ||
121 | if (have_rdrand == 0) | |
122 | return -EOPNOTSUPP; | |
123 | ||
124 | asm volatile("rdrand %0;" | |
125 | "setc %1" | |
1c53d4a0 | 126 | : "=r" (v), |
328f850e | 127 | "=qm" (success)); |
7f2cdcea | 128 | msan_unpoison(&success, sizeof(success)); |
328f850e | 129 | if (!success) |
97fa202a LP |
130 | return -EAGAIN; |
131 | ||
1c53d4a0 LP |
132 | /* Apparently on some AMD CPUs RDRAND will sometimes (after a suspend/resume cycle?) report success |
133 | * via the carry flag but nonetheless return the same fixed value -1 in all cases. This appears to be | |
134 | * a bad bug in the CPU or firmware. Let's deal with that and work-around this by explicitly checking | |
135 | * for this special value (and also 0, just to be sure) and filtering it out. This is a work-around | |
136 | * only however and something AMD really should fix properly. The Linux kernel should probably work | |
137 | * around this issue by turning off RDRAND altogether on those CPUs. See: | |
138 | * https://github.com/systemd/systemd/issues/11810 */ | |
139 | if (v == 0 || v == ULONG_MAX) | |
140 | return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN), | |
141 | "RDRAND returned suspicious value %lx, assuming bad hardware RNG, not using value.", v); | |
142 | ||
143 | *ret = v; | |
97fa202a LP |
144 | return 0; |
145 | #else | |
146 | return -EOPNOTSUPP; | |
147 | #endif | |
148 | } | |
149 | ||
94d457e8 | 150 | int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { |
3df3e884 | 151 | static int have_syscall = -1; |
3df3e884 | 152 | _cleanup_close_ int fd = -1; |
cc83d519 | 153 | bool got_some = false; |
7b54715d | 154 | int r; |
3df3e884 | 155 | |
85505064 LP |
156 | /* Gathers some high-quality randomness from the kernel (or potentially mid-quality randomness from |
157 | * the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't block, unless the RANDOM_BLOCK | |
158 | * flag is set. If RANDOM_MAY_FAIL is set, an error is returned if the random pool is not | |
159 | * initialized. Otherwise it will always return some data from the kernel, regardless of whether the | |
160 | * random pool is fully initialized or not. If RANDOM_EXTEND_WITH_PSEUDO is set, and some but not | |
161 | * enough better quality randomness could be acquired, the rest is filled up with low quality | |
162 | * randomness. | |
163 | * | |
164 | * Of course, when creating cryptographic key material you really shouldn't use RANDOM_ALLOW_DRDRAND | |
165 | * or even RANDOM_EXTEND_WITH_PSEUDO. | |
166 | * | |
167 | * When generating UUIDs it's fine to use RANDOM_ALLOW_RDRAND but not OK to use | |
168 | * RANDOM_EXTEND_WITH_PSEUDO. In fact RANDOM_EXTEND_WITH_PSEUDO is only really fine when invoked via | |
169 | * an "all bets are off" wrapper, such as random_bytes(), see below. */ | |
3df3e884 | 170 | |
776cf746 LP |
171 | if (n == 0) |
172 | return 0; | |
173 | ||
cc83d519 | 174 | if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND)) |
1a0ffa1e LP |
175 | /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is |
176 | * not required, as we don't trust it (who does?). Note that we only do a single iteration of | |
177 | * RDRAND here, even though the Intel docs suggest calling this in a tight loop of 10 | |
178 | * invocations or so. That's because we don't really care about the quality here. We | |
179 | * generally prefer using RDRAND if the caller allows us to, since this way we won't upset | |
180 | * the kernel's random subsystem by accessing it before the pool is initialized (after all it | |
181 | * will kmsg log about every attempt to do so)..*/ | |
cc83d519 | 182 | for (;;) { |
33dbab6f | 183 | unsigned long u; |
cc83d519 LP |
184 | size_t m; |
185 | ||
33dbab6f | 186 | if (rdrand(&u) < 0) { |
cc83d519 LP |
187 | if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) { |
188 | /* Fill in the remaining bytes using pseudo-random values */ | |
189 | pseudo_random_bytes(p, n); | |
190 | return 0; | |
191 | } | |
192 | ||
193 | /* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */ | |
194 | break; | |
195 | } | |
196 | ||
197 | m = MIN(sizeof(u), n); | |
198 | memcpy(p, &u, m); | |
199 | ||
200 | p = (uint8_t*) p + m; | |
201 | n -= m; | |
202 | ||
203 | if (n == 0) | |
204 | return 0; /* Yay, success! */ | |
205 | ||
206 | got_some = true; | |
207 | } | |
208 | ||
f0d09059 | 209 | /* Use the getrandom() syscall unless we know we don't have it. */ |
2e69f411 | 210 | if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) { |
68534345 LP |
211 | |
212 | for (;;) { | |
0497c4c2 LP |
213 | r = getrandom(p, n, |
214 | (FLAGS_SET(flags, RANDOM_BLOCK) ? 0 : GRND_NONBLOCK) | | |
215 | (FLAGS_SET(flags, RANDOM_ALLOW_INSECURE) ? GRND_INSECURE : 0)); | |
68534345 LP |
216 | if (r > 0) { |
217 | have_syscall = true; | |
218 | ||
219 | if ((size_t) r == n) | |
220 | return 0; /* Yay, success! */ | |
221 | ||
222 | assert((size_t) r < n); | |
223 | p = (uint8_t*) p + r; | |
224 | n -= r; | |
225 | ||
226 | if (FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) { | |
227 | /* Fill in the remaining bytes using pseudo-random values */ | |
228 | pseudo_random_bytes(p, n); | |
229 | return 0; | |
230 | } | |
231 | ||
cc83d519 LP |
232 | got_some = true; |
233 | ||
68534345 LP |
234 | /* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */ |
235 | if (FLAGS_SET(flags, RANDOM_BLOCK)) | |
236 | continue; | |
237 | ||
238 | /* Fill in the rest with /dev/urandom */ | |
239 | break; | |
240 | ||
241 | } else if (r == 0) { | |
242 | have_syscall = true; | |
243 | return -EIO; | |
244 | ||
e2b55464 | 245 | } else if (ERRNO_IS_NOT_SUPPORTED(errno)) { |
68534345 LP |
246 | /* We lack the syscall, continue with reading from /dev/urandom. */ |
247 | have_syscall = false; | |
248 | break; | |
249 | ||
250 | } else if (errno == EAGAIN) { | |
1a0ffa1e LP |
251 | /* The kernel has no entropy whatsoever. Let's remember to use the syscall |
252 | * the next time again though. | |
68534345 | 253 | * |
1a0ffa1e LP |
254 | * If RANDOM_MAY_FAIL is set, return an error so that random_bytes() can |
255 | * produce some pseudo-random bytes instead. Otherwise, fall back to | |
256 | * /dev/urandom, which we know is empty, but the kernel will produce some | |
257 | * bytes for us on a best-effort basis. */ | |
68534345 LP |
258 | have_syscall = true; |
259 | ||
cc83d519 LP |
260 | if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) { |
261 | /* Fill in the remaining bytes using pseudorandom values */ | |
262 | pseudo_random_bytes(p, n); | |
68534345 LP |
263 | return 0; |
264 | } | |
265 | ||
1a0ffa1e | 266 | if (FLAGS_SET(flags, RANDOM_MAY_FAIL)) |
cc83d519 LP |
267 | return -ENODATA; |
268 | ||
68534345 LP |
269 | /* Use /dev/urandom instead */ |
270 | break; | |
0497c4c2 LP |
271 | |
272 | } else if (errno == EINVAL) { | |
273 | ||
274 | /* Most likely: unknown flag. We know that GRND_INSECURE might cause this, | |
275 | * hence try without. */ | |
276 | ||
277 | if (FLAGS_SET(flags, RANDOM_ALLOW_INSECURE)) { | |
278 | flags = flags &~ RANDOM_ALLOW_INSECURE; | |
279 | continue; | |
280 | } | |
281 | ||
282 | return -errno; | |
68534345 LP |
283 | } else |
284 | return -errno; | |
285 | } | |
3df3e884 RC |
286 | } |
287 | ||
288 | fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC|O_NOCTTY); | |
289 | if (fd < 0) | |
290 | return errno == ENOENT ? -ENOSYS : -errno; | |
291 | ||
68534345 | 292 | return loop_read_exact(fd, p, n, true); |
3df3e884 RC |
293 | } |
294 | ||
a0f11d1d YW |
295 | static void clear_srand_initialization(void) { |
296 | srand_called = false; | |
297 | } | |
298 | ||
3df3e884 | 299 | void initialize_srand(void) { |
a0f11d1d | 300 | static bool pthread_atfork_registered = false; |
3df3e884 | 301 | unsigned x; |
349cc4a5 | 302 | #if HAVE_SYS_AUXV_H |
54bf2315 | 303 | const void *auxv; |
3df3e884 | 304 | #endif |
33dbab6f | 305 | unsigned long k; |
3df3e884 RC |
306 | |
307 | if (srand_called) | |
308 | return; | |
309 | ||
349cc4a5 | 310 | #if HAVE_SYS_AUXV_H |
80eb560a LP |
311 | /* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed |
312 | * the pseudo-random generator. It's better than nothing... But let's first hash it to make it harder | |
313 | * to recover the original value by watching any pseudo-random bits we generate. After all the | |
314 | * AT_RANDOM data might be used by other stuff too (in particular: ASLR), and we probably shouldn't | |
315 | * leak the seed for that. */ | |
3df3e884 | 316 | |
80eb560a | 317 | auxv = ULONG_TO_PTR(getauxval(AT_RANDOM)); |
ad6b1fa2 | 318 | if (auxv) { |
80eb560a LP |
319 | static const uint8_t auxval_hash_key[16] = { |
320 | 0x92, 0x6e, 0xfe, 0x1b, 0xcf, 0x00, 0x52, 0x9c, 0xcc, 0x42, 0xcf, 0xdc, 0x94, 0x1f, 0x81, 0x0f | |
321 | }; | |
322 | ||
323 | x = (unsigned) siphash24(auxv, 16, auxval_hash_key); | |
ad6b1fa2 | 324 | } else |
3df3e884 | 325 | #endif |
ad6b1fa2 LP |
326 | x = 0; |
327 | ||
3df3e884 RC |
328 | x ^= (unsigned) now(CLOCK_REALTIME); |
329 | x ^= (unsigned) gettid(); | |
330 | ||
33dbab6f | 331 | if (rdrand(&k) >= 0) |
92025e8f LP |
332 | x ^= (unsigned) k; |
333 | ||
3df3e884 RC |
334 | srand(x); |
335 | srand_called = true; | |
a0f11d1d YW |
336 | |
337 | if (!pthread_atfork_registered) { | |
338 | (void) pthread_atfork(NULL, NULL, clear_srand_initialization); | |
339 | pthread_atfork_registered = true; | |
340 | } | |
3df3e884 RC |
341 | } |
342 | ||
6a06b1a5 ZJS |
343 | /* INT_MAX gives us only 31 bits, so use 24 out of that. */ |
344 | #if RAND_MAX >= INT_MAX | |
57ee010f | 345 | assert_cc(RAND_MAX >= 16777215); |
6a06b1a5 ZJS |
346 | # define RAND_STEP 3 |
347 | #else | |
57ee010f LP |
348 | /* SHORT_INT_MAX or lower gives at most 15 bits, we just use 8 out of that. */ |
349 | assert_cc(RAND_MAX >= 255); | |
6a06b1a5 ZJS |
350 | # define RAND_STEP 1 |
351 | #endif | |
352 | ||
3335dc2d | 353 | void pseudo_random_bytes(void *p, size_t n) { |
3df3e884 | 354 | uint8_t *q; |
6a06b1a5 | 355 | |
85505064 LP |
356 | /* This returns pseudo-random data using libc's rand() function. You probably never want to call this |
357 | * directly, because why would you use this if you can get better stuff cheaply? Use random_bytes() | |
358 | * instead, see below: it will fall back to this function if there's nothing better to get, but only | |
359 | * then. */ | |
360 | ||
6a06b1a5 ZJS |
361 | initialize_srand(); |
362 | ||
363 | for (q = p; q < (uint8_t*) p + n; q += RAND_STEP) { | |
364 | unsigned rr; | |
365 | ||
366 | rr = (unsigned) rand(); | |
367 | ||
368 | #if RAND_STEP >= 3 | |
7b54715d | 369 | if ((size_t) (q - (uint8_t*) p + 2) < n) |
6a06b1a5 ZJS |
370 | q[2] = rr >> 16; |
371 | #endif | |
372 | #if RAND_STEP >= 2 | |
7b54715d | 373 | if ((size_t) (q - (uint8_t*) p + 1) < n) |
6a06b1a5 ZJS |
374 | q[1] = rr >> 8; |
375 | #endif | |
376 | q[0] = rr; | |
377 | } | |
378 | } | |
379 | ||
380 | void random_bytes(void *p, size_t n) { | |
3df3e884 | 381 | |
85505064 LP |
382 | /* This returns high quality randomness if we can get it cheaply. If we can't because for some reason |
383 | * it is not available we'll try some crappy fallbacks. | |
384 | * | |
385 | * What this function will do: | |
386 | * | |
387 | * • This function will preferably use the CPU's RDRAND operation, if it is available, in | |
388 | * order to return "mid-quality" random values cheaply. | |
389 | * | |
390 | * • Use getrandom() with GRND_NONBLOCK, to return high-quality random values if they are | |
391 | * cheaply available. | |
392 | * | |
393 | * • This function will return pseudo-random data, generated via libc rand() if nothing | |
394 | * better is available. | |
395 | * | |
396 | * • This function will work fine in early boot | |
397 | * | |
398 | * • This function will always succeed | |
399 | * | |
400 | * What this function won't do: | |
401 | * | |
402 | * • This function will never fail: it will give you randomness no matter what. It might not | |
403 | * be high quality, but it will return some, possibly generated via libc's rand() call. | |
404 | * | |
405 | * • This function will never block: if the only way to get good randomness is a blocking, | |
406 | * synchronous getrandom() we'll instead provide you with pseudo-random data. | |
407 | * | |
408 | * This function is hence great for things like seeding hash tables, generating random numeric UNIX | |
409 | * user IDs (that are checked for collisions before use) and such. | |
410 | * | |
411 | * This function is hence not useful for generating UUIDs or cryptographic key material. | |
412 | */ | |
413 | ||
0497c4c2 | 414 | if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_MAY_FAIL|RANDOM_ALLOW_RDRAND|RANDOM_ALLOW_INSECURE) >= 0) |
3df3e884 RC |
415 | return; |
416 | ||
3335dc2d LP |
417 | /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */ |
418 | pseudo_random_bytes(p, n); | |
3df3e884 | 419 | } |
3e155eba LP |
420 | |
421 | size_t random_pool_size(void) { | |
422 | _cleanup_free_ char *s = NULL; | |
423 | int r; | |
424 | ||
425 | /* Read pool size, if possible */ | |
426 | r = read_one_line_file("/proc/sys/kernel/random/poolsize", &s); | |
427 | if (r < 0) | |
428 | log_debug_errno(r, "Failed to read pool size from kernel: %m"); | |
429 | else { | |
430 | unsigned sz; | |
431 | ||
432 | r = safe_atou(s, &sz); | |
433 | if (r < 0) | |
434 | log_debug_errno(r, "Failed to parse pool size: %s", s); | |
435 | else | |
436 | /* poolsize is in bits on 2.6, but we want bytes */ | |
437 | return CLAMP(sz / 8, RANDOM_POOL_SIZE_MIN, RANDOM_POOL_SIZE_MAX); | |
438 | } | |
439 | ||
440 | /* Use the minimum as default, if we can't retrieve the correct value */ | |
441 | return RANDOM_POOL_SIZE_MIN; | |
442 | } | |
4dd055f9 LP |
443 | |
444 | int random_write_entropy(int fd, const void *seed, size_t size, bool credit) { | |
445 | int r; | |
446 | ||
447 | assert(fd >= 0); | |
448 | assert(seed && size > 0); | |
449 | ||
450 | if (credit) { | |
451 | _cleanup_free_ struct rand_pool_info *info = NULL; | |
452 | ||
453 | /* The kernel API only accepts "int" as entropy count (which is in bits), let's avoid any | |
454 | * chance for confusion here. */ | |
455 | if (size > INT_MAX / 8) | |
456 | return -EOVERFLOW; | |
457 | ||
458 | info = malloc(offsetof(struct rand_pool_info, buf) + size); | |
459 | if (!info) | |
460 | return -ENOMEM; | |
461 | ||
462 | info->entropy_count = size * 8; | |
463 | info->buf_size = size; | |
464 | memcpy(info->buf, seed, size); | |
465 | ||
466 | if (ioctl(fd, RNDADDENTROPY, info) < 0) | |
467 | return -errno; | |
468 | } else { | |
469 | r = loop_write(fd, seed, size, false); | |
470 | if (r < 0) | |
471 | return r; | |
472 | } | |
473 | ||
474 | return 0; | |
475 | } |