From f82321ee0c7e390a9828a604c3acb61db1ddffe0 Mon Sep 17 00:00:00 2001 From: Andrey Volk Date: Fri, 26 Apr 2019 15:31:40 +0400 Subject: [PATCH] FS-11816: [Build-System] Update libsrtp to 2.2.0 --- libs/srtp/.clang-format | 79 + libs/srtp/.gitignore | 50 + libs/srtp/.travis.yml | 131 + libs/srtp/.update | 2 +- libs/srtp/CHANGES | 62 +- libs/srtp/COPYING | 35 - libs/srtp/INSTALL | 236 - libs/srtp/Makefile.am | 5 +- libs/srtp/README.md | 27 + libs/srtp/TODO | 66 - libs/srtp/VERSION | 1 - libs/srtp/acsite.m4 | 6 - libs/srtp/config.hw | 1 - libs/srtp/config.hw.orig | 182 - libs/srtp/configure.ac | 2 +- libs/srtp/crypto/Makefile.in | 29 +- libs/srtp/crypto/cipher/aes.c | 559 +- libs/srtp/crypto/cipher/aes_gcm_ossl.c | 133 +- libs/srtp/crypto/cipher/aes_icm.c | 203 +- libs/srtp/crypto/cipher/aes_icm_ossl.c | 226 +- libs/srtp/crypto/cipher/cipher.c | 282 +- libs/srtp/crypto/cipher/null_cipher.c | 73 +- libs/srtp/crypto/hash/auth.c | 41 +- libs/srtp/crypto/hash/hmac.c | 89 +- libs/srtp/crypto/hash/hmac_ossl.c | 103 +- libs/srtp/crypto/hash/null_auth.c | 82 +- libs/srtp/crypto/hash/sha1.c | 202 +- libs/srtp/crypto/include/aes.h | 6 +- libs/srtp/crypto/include/aes_gcm_ossl.h | 3 +- libs/srtp/crypto/include/aes_icm.h | 13 +- libs/srtp/crypto/include/aes_icm_ossl.h | 7 +- libs/srtp/crypto/include/alloc.h | 31 +- libs/srtp/crypto/include/auth.h | 71 +- libs/srtp/crypto/include/cipher.h | 128 +- .../include/cipher_types.h} | 79 +- libs/srtp/crypto/include/crypto_kernel.h | 43 +- libs/srtp/crypto/include/crypto_types.h | 52 +- libs/srtp/crypto/include/datatypes.h | 411 +- libs/srtp/crypto/include/err.h | 30 +- libs/srtp/crypto/include/integers.h | 90 +- libs/srtp/crypto/include/key.h | 8 +- libs/srtp/crypto/include/null_cipher.h | 1 - libs/srtp/crypto/include/rdb.h | 22 +- libs/srtp/crypto/include/rdbx.h | 44 +- libs/srtp/crypto/include/sha1.h | 33 +- libs/srtp/crypto/include/stat.h | 19 +- libs/srtp/crypto/kernel/alloc.c | 60 +- libs/srtp/crypto/kernel/crypto_kernel.c | 168 +- libs/srtp/crypto/kernel/err.c | 18 +- libs/srtp/crypto/kernel/key.c | 20 +- libs/srtp/crypto/math/datatypes.c | 708 +- libs/srtp/crypto/math/stat.c | 307 +- libs/srtp/crypto/replay/rdb.c | 24 +- libs/srtp/crypto/replay/rdbx.c | 110 +- libs/srtp/crypto/replay/ut_sim.c | 87 +- libs/srtp/crypto/test/aes_calc.c | 195 +- libs/srtp/crypto/test/cipher_driver.c | 789 +- libs/srtp/crypto/test/datatypes_driver.c | 286 +- libs/srtp/crypto/test/env.c | 50 +- libs/srtp/crypto/test/kernel_driver.c | 132 +- libs/srtp/crypto/test/sha1_driver.c | 767 +- libs/srtp/crypto/test/stat_driver.c | 331 +- libs/srtp/doc/libsrtp.pdf | Bin 234575 -> 0 bytes libs/srtp/format.sh | 35 + libs/srtp/include/ekt.h | 99 +- libs/srtp/include/getopt_s.h | 23 +- libs/srtp/include/rtp.h | 139 - libs/srtp/include/srtp.h | 828 +- libs/srtp/include/srtp_priv.h | 190 +- libs/srtp/include/ut_sim.h | 30 +- libs/srtp/libsrtp.2017.vcxproj | 1 + libs/srtp/srtp-1.42.pc.in | 10 - libs/srtp/srtp/ekt.c | 339 +- libs/srtp/srtp/srtp.c | 6655 +++++++++-------- libs/srtp/srtp2.vcxproj | 3 +- libs/srtp/srtp2.vcxproj.filters | 5 +- libs/srtp/test/cutest.h | 432 +- libs/srtp/test/dtls_srtp_driver.c | 378 +- libs/srtp/test/getopt_s.c | 112 +- libs/srtp/test/rdbx_driver.c | 539 +- libs/srtp/test/replay_driver.c | 425 +- libs/srtp/test/roc_driver.c | 203 +- libs/srtp/test/rtp.c | 284 +- libs/srtp/test/rtp.h | 118 +- libs/srtp/test/rtp_decoder.c | 857 ++- libs/srtp/test/rtp_decoder.h | 39 +- libs/srtp/test/rtpw.c | 1061 +-- libs/srtp/test/srtp_driver.c | 2477 +++--- libs/srtp/test/test_srtp.c | 22 +- libs/srtp/test/util.c | 91 +- libs/srtp/test/util.h | 2 +- w32/Library/FreeSwitchCore.2017.vcxproj | 1 + w32/openssl.props | 2 +- 93 files changed, 11633 insertions(+), 11817 deletions(-) create mode 100644 libs/srtp/.clang-format create mode 100644 libs/srtp/.gitignore create mode 100644 libs/srtp/.travis.yml delete mode 100644 libs/srtp/COPYING delete mode 100644 libs/srtp/INSTALL delete mode 100644 libs/srtp/TODO delete mode 100644 libs/srtp/VERSION delete mode 100644 libs/srtp/acsite.m4 delete mode 100644 libs/srtp/config.hw.orig rename libs/srtp/{include/rtp_priv.h => crypto/include/cipher_types.h} (57%) delete mode 100644 libs/srtp/doc/libsrtp.pdf create mode 100644 libs/srtp/format.sh delete mode 100644 libs/srtp/include/rtp.h delete mode 100644 libs/srtp/srtp-1.42.pc.in diff --git a/libs/srtp/.clang-format b/libs/srtp/.clang-format new file mode 100644 index 0000000000..358e22272c --- /dev/null +++ b/libs/srtp/.clang-format @@ -0,0 +1,79 @@ +AccessModifierOffset: -4 + +AlignAfterOpenBracket: Align +AlignConsecutiveAssignments: false +AlignConsecutiveDeclarations: false +AlignEscapedNewlinesLeft: false +AlignOperands: true +AlignTrailingComments: true + +AllowAllParametersOfDeclarationOnNextLine: false + +AllowShortBlocksOnASingleLine: false +AllowShortCaseLabelsOnASingleLine: false +AllowShortFunctionsOnASingleLine: Inline +AllowShortIfStatementsOnASingleLine: false +AllowShortLoopsOnASingleLine: false + +AlwaysBreakAfterDefinitionReturnType: None +AlwaysBreakBeforeMultilineStrings: false +AlwaysBreakTemplateDeclarations: false + +BinPackArguments: true +BinPackParameters: false +BraceWrapping: + AfterControlStatement: false + AfterEnum: false + AfterFunction: true + AfterStruct: false + AfterUnion: false + BeforeCatch: false + BeforeElse: false + IndentBraces: false + +BreakBeforeBinaryOperators: None +BreakBeforeBraces: Custom +BreakBeforeTernaryOperators: true + +ColumnLimit: 80 +CommentPragmas: '^ IWYU pragma:' +ContinuationIndentWidth: 4 +DerivePointerAlignment: false +DisableFormat: false +ExperimentalAutoDetectBinPacking: false + +IndentCaseLabels: false +IndentWidth: 4 +IndentWrappedFunctionNames: false + +KeepEmptyLinesAtTheStartOfBlocks: false + +MaxEmptyLinesToKeep: 1 + +PenaltyBreakBeforeFirstCallParameter: 16 +PenaltyBreakComment: 300 +PenaltyBreakFirstLessLess: 120 +PenaltyBreakString: 1000 +PenaltyExcessCharacter: 1000 +PenaltyReturnTypeOnItsOwnLine: 9000 + +Cpp11BracedListStyle: false + +PointerAlignment: Right + +ReflowComments: true + +SortIncludes: false + +SpaceAfterCStyleCast: false +SpaceBeforeAssignmentOperators: true +SpaceBeforeParens: ControlStatements +SpaceInEmptyParentheses: false +SpacesBeforeTrailingComments: 1 +SpacesInAngles: false +SpacesInContainerLiterals: true +SpacesInCStyleCastParentheses: false +SpacesInParentheses: false +SpacesInSquareBrackets: false +TabWidth: 4 +UseTab: Never diff --git a/libs/srtp/.gitignore b/libs/srtp/.gitignore new file mode 100644 index 0000000000..a5ccf852db --- /dev/null +++ b/libs/srtp/.gitignore @@ -0,0 +1,50 @@ +# Misc crap +*~ +old +old? +*.pc + +# Object files +*.o + +# Libraries +*.lib +*.a + +# Shared objects (inc. Windows DLLs) +*.dll +*.so +*.so.* +*.dylib + +# Executables +*.exe +*.out +*.app + +# srtp things +Debug +Makefile +Root +autom4te.cache +config.log +config.status +crypto/include/config.h +crypto/test/aes_calc +crypto/test/cipher_driver +crypto/test/datatypes_driver +crypto/test/env +crypto/test/kernel_driver +crypto/test/rand_gen +crypto/test/sha1_driver +crypto/test/stat_driver +crypto/test/rand_gen_soak +tables/aes_tables +test/dtls_srtp_driver +test/rdbx_driver +test/replay_driver +test/roc_driver +test/rtp_decoder +test/rtpw +test/srtp_driver +test/test_srtp diff --git a/libs/srtp/.travis.yml b/libs/srtp/.travis.yml new file mode 100644 index 0000000000..e0a7983de2 --- /dev/null +++ b/libs/srtp/.travis.yml @@ -0,0 +1,131 @@ +dist: trusty +sudo: false +language: c + +env: + global: + - secure: "QD09MuUxftXRXtz7ZrB7S0NV/3O9yVhjvIlCSbXN8B87rNSDC8wxMThKMT7iZewnqGk53m+Up19PiMw5ERlHose5tm2cmY1FO/l+c9oAyWZaAL+4XNXryq6zI5F5FX5I61NbfqV3xcnfLTI2QIJF6WqDojNxhPjTbNzQGxIDuqw=" + +matrix: + include: + + # default linux build with gcc + - os: linux + env: + - TEST="linux gcc" + addons: + apt: + sources: + - ubuntu-toolchain-r-test + packages: + - gcc-6 + script: + - CC=gcc-6 EXTRA_CFLAGS=-Werror ./configure + - make + - make runtest + + # linux build with openssl and gcc + - os: linux + env: + - TEST="linux gcc (openssl)" + addons: + apt: + sources: + - ubuntu-toolchain-r-test + packages: + - gcc-6 + script: + - CC=gcc-6 EXTRA_CFLAGS=-Werror ./configure --enable-openssl + - make + - make runtest + + # linux build with openssl and clang + - os: linux + env: + - TEST="linux clang (openssl)" + addons: + apt: + packages: + - clang + script: + - CC=clang EXTRA_CFLAGS=-Werror ./configure --enable-openssl + - make + - make runtest + + # default osx build with xcode (clang) + - os: osx + env: + - TEST="osx XCode 8.2" + osx_image: xcode8.2 + script: + - EXTRA_CFLAGS=-Werror ./configure + - make + - make runtest + + # code format check + - os: linux + env: + - TEST="clang-format" + addons: + apt: + packages: + - clang-format-3.9 + script: + - CLANG_FORMAT=clang-format-3.9 ./format.sh -d + + # valgrind + - os: linux + env: + - TEST="valgrind (openssl)" + addons: + apt: + sources: + - ubuntu-toolchain-r-test + packages: + - gcc-6 + - valgrind + script: + - CC=gcc-6 ./configure --enable-openssl + - make + - make runtest-valgrind + + # big-endian + - os: linux + sudo: true + env: + - TEST="big-endian" + services: + - docker + addons: + apt: + packages: + - qemu-user-static + - qemu-system-mips + before_install: + - sudo docker run --volume $(pwd):/src --workdir /src --name mipsX --tty --detach ubuntu:16.04 tail + - sudo docker exec --tty mipsX apt-get update + - sudo docker exec --tty mipsX apt-get install build-essential -y + - sudo docker exec --tty mipsX apt-get install gcc-mips-linux-gnu -y + script: + - sudo docker exec --tty mipsX bash -c 'EXTRA_CFLAGS=-static CC=mips-linux-gnu-gcc ./configure --host=mips-linux-gnu' + - sudo docker exec --tty mipsX make + - sudo docker kill mipsX + - file test/srtp_driver + - make runtest + + # coverity scan + - os: linux + env: + - TEST="Coverity Scan" + addons: + coverity_scan: + project: + name: "cisco-libSRTP" + description: "Build submitted via Travis CI" + version: 2 + notification_email: pabuhler@cisco.com + build_command_prepend: "./configure" + build_command: "make" + branch_pattern: master + script: + - echo -n | openssl s_client -connect scan.coverity.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sudo tee -a /etc/ssl/certs/ca- diff --git a/libs/srtp/.update b/libs/srtp/.update index 7f2b55f7ef..c6e9146e26 100644 --- a/libs/srtp/.update +++ b/libs/srtp/.update @@ -1 +1 @@ -Wed Apr 9 03:14:42 CDT 2014 +Fri Apr 26 00:00:02 CDT 2019 diff --git a/libs/srtp/CHANGES b/libs/srtp/CHANGES index a323af1965..caa2b61139 100644 --- a/libs/srtp/CHANGES +++ b/libs/srtp/CHANGES @@ -1,5 +1,65 @@ Changelog +2.2.0-pre (This version) + +Major changes + +All code has been reformatted to be consistent. A .clang-format file and format.sh script has been added that can be use to verify and enforce consistent formatting. An automated check on code formatting is now part of travis build. + +Other changes + +PR #409 - Compatibilty with LibreSSL + +PR #406 - Fix unprotect when pktlen < (2*mki_size + tag_len) + +PR #405 - Prevent potential double free + +PR #404 - Add back extern to global variables + +PR #403 - Set gcm IV directly with EVP_CipherInit_ex + +PR #401 - Fix memory access issue in srtp_get_session_keys() + +PR #398 - Fix memory access fixes when invalid profiles where used + +PR #391 - Return NULL when allocating memory of size zero + +PR #390 - Bitvector of length zero is not valid + +PR #385 - Treat warnings as errors on travis builds + +PR #388 - Moved externs from crypto_kernel into its own header + +PR #379 - Fixed several compiler warnings from Firefox builds + +PR #377 - Removed variable init code in rdbx which never gets used + +PR #381 - Added error in case the platform is not detected + +PR #376 - Add coverity scan to travis builds + +PR #374 - Add a big endian build on travis + +PR #373 - Fixed buffer size issue in test/srtp_driver.c + +PR #372 - Make rtp_decoder compile on MinGW + +PR #367 - Rename configure.in to configure.ac + +PR #365 - Replace calls to free() with srtp_crypto_free() + +PR #364 - Add valgrind to travis and fix leaks in tests + +PR #363 - Change smtp_crypto_alloc to initialize memory to zero + +PR #354 - Fix potential leak if cloning of stream fails + +PR #340 - Fix potential leak in srtp_add_stream() + +PR #323 - Fix running test in out of source builds + +Issue #316 - Remove VERSION file + 2.1.0 Compatibility changes @@ -164,4 +224,4 @@ Other changes PR #302 - Fix warning regarding unused variable - PR #303 - Makefile.in: Add gnu as match for shared lib suffix \ No newline at end of file + PR #303 - Makefile.in: Add gnu as match for shared lib suffix diff --git a/libs/srtp/COPYING b/libs/srtp/COPYING deleted file mode 100644 index d1ff4e8559..0000000000 --- a/libs/srtp/COPYING +++ /dev/null @@ -1,35 +0,0 @@ -/* - * - * Copyright (c) 2001-2005 Cisco Systems, Inc. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * Neither the name of the Cisco Systems, Inc. nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ diff --git a/libs/srtp/INSTALL b/libs/srtp/INSTALL deleted file mode 100644 index 23e5f25d0e..0000000000 --- a/libs/srtp/INSTALL +++ /dev/null @@ -1,236 +0,0 @@ -Installation Instructions -************************* - -Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005 Free -Software Foundation, Inc. - -This file is free documentation; the Free Software Foundation gives -unlimited permission to copy, distribute and modify it. - -Basic Installation -================== - -These are generic installation instructions. - - The `configure' shell script attempts to guess correct values for -various system-dependent variables used during compilation. It uses -those values to create a `Makefile' in each directory of the package. -It may also create one or more `.h' files containing system-dependent -definitions. Finally, it creates a shell script `config.status' that -you can run in the future to recreate the current configuration, and a -file `config.log' containing compiler output (useful mainly for -debugging `configure'). - - It can also use an optional file (typically called `config.cache' -and enabled with `--cache-file=config.cache' or simply `-C') that saves -the results of its tests to speed up reconfiguring. (Caching is -disabled by default to prevent problems with accidental use of stale -cache files.) - - If you need to do unusual things to compile the package, please try -to figure out how `configure' could check whether to do them, and mail -diffs or instructions to the address given in the `README' so they can -be considered for the next release. If you are using the cache, and at -some point `config.cache' contains results you don't want to keep, you -may remove or edit it. - - The file `configure.ac' (or `configure.in') is used to create -`configure' by a program called `autoconf'. You only need -`configure.ac' if you want to change it or regenerate `configure' using -a newer version of `autoconf'. - -The simplest way to compile this package is: - - 1. `cd' to the directory containing the package's source code and type - `./configure' to configure the package for your system. If you're - using `csh' on an old version of System V, you might need to type - `sh ./configure' instead to prevent `csh' from trying to execute - `configure' itself. - - Running `configure' takes awhile. While running, it prints some - messages telling which features it is checking for. - - 2. Type `make' to compile the package. - - 3. Optionally, type `make check' to run any self-tests that come with - the package. - - 4. Type `make install' to install the programs and any data files and - documentation. - - 5. You can remove the program binaries and object files from the - source code directory by typing `make clean'. To also remove the - files that `configure' created (so you can compile the package for - a different kind of computer), type `make distclean'. There is - also a `make maintainer-clean' target, but that is intended mainly - for the package's developers. If you use it, you may have to get - all sorts of other programs in order to regenerate files that came - with the distribution. - -Compilers and Options -===================== - -Some systems require unusual options for compilation or linking that the -`configure' script does not know about. Run `./configure --help' for -details on some of the pertinent environment variables. - - You can give `configure' initial values for configuration parameters -by setting variables in the command line or in the environment. Here -is an example: - - ./configure CC=c89 CFLAGS=-O2 LIBS=-lposix - - *Note Defining Variables::, for more details. - -Compiling For Multiple Architectures -==================================== - -You can compile the package for more than one kind of computer at the -same time, by placing the object files for each architecture in their -own directory. To do this, you must use a version of `make' that -supports the `VPATH' variable, such as GNU `make'. `cd' to the -directory where you want the object files and executables to go and run -the `configure' script. `configure' automatically checks for the -source code in the directory that `configure' is in and in `..'. - - If you have to use a `make' that does not support the `VPATH' -variable, you have to compile the package for one architecture at a -time in the source code directory. After you have installed the -package for one architecture, use `make distclean' before reconfiguring -for another architecture. - -Installation Names -================== - -By default, `make install' installs the package's commands under -`/usr/local/bin', include files under `/usr/local/include', etc. You -can specify an installation prefix other than `/usr/local' by giving -`configure' the option `--prefix=PREFIX'. - - You can specify separate installation prefixes for -architecture-specific files and architecture-independent files. If you -pass the option `--exec-prefix=PREFIX' to `configure', the package uses -PREFIX as the prefix for installing programs and libraries. -Documentation and other data files still use the regular prefix. - - In addition, if you use an unusual directory layout you can give -options like `--bindir=DIR' to specify different values for particular -kinds of files. Run `configure --help' for a list of the directories -you can set and what kinds of files go in them. - - If the package supports it, you can cause programs to be installed -with an extra prefix or suffix on their names by giving `configure' the -option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. - -Optional Features -================= - -Some packages pay attention to `--enable-FEATURE' options to -`configure', where FEATURE indicates an optional part of the package. -They may also pay attention to `--with-PACKAGE' options, where PACKAGE -is something like `gnu-as' or `x' (for the X Window System). The -`README' should mention any `--enable-' and `--with-' options that the -package recognizes. - - For packages that use the X Window System, `configure' can usually -find the X include and library files automatically, but if it doesn't, -you can use the `configure' options `--x-includes=DIR' and -`--x-libraries=DIR' to specify their locations. - -Specifying the System Type -========================== - -There may be some features `configure' cannot figure out automatically, -but needs to determine by the type of machine the package will run on. -Usually, assuming the package is built to be run on the _same_ -architectures, `configure' can figure that out, but if it prints a -message saying it cannot guess the machine type, give it the -`--build=TYPE' option. TYPE can either be a short name for the system -type, such as `sun4', or a canonical name which has the form: - - CPU-COMPANY-SYSTEM - -where SYSTEM can have one of these forms: - - OS KERNEL-OS - - See the file `config.sub' for the possible values of each field. If -`config.sub' isn't included in this package, then this package doesn't -need to know the machine type. - - If you are _building_ compiler tools for cross-compiling, you should -use the option `--target=TYPE' to select the type of system they will -produce code for. - - If you want to _use_ a cross compiler, that generates code for a -platform different from the build platform, you should specify the -"host" platform (i.e., that on which the generated programs will -eventually be run) with `--host=TYPE'. - -Sharing Defaults -================ - -If you want to set default values for `configure' scripts to share, you -can create a site shell script called `config.site' that gives default -values for variables like `CC', `cache_file', and `prefix'. -`configure' looks for `PREFIX/share/config.site' if it exists, then -`PREFIX/etc/config.site' if it exists. Or, you can set the -`CONFIG_SITE' environment variable to the location of the site script. -A warning: not all `configure' scripts look for a site script. - -Defining Variables -================== - -Variables not defined in a site shell script can be set in the -environment passed to `configure'. However, some packages may run -configure again during the build, and the customized values of these -variables may be lost. In order to avoid this problem, you should set -them in the `configure' command line, using `VAR=value'. For example: - - ./configure CC=/usr/local2/bin/gcc - -causes the specified `gcc' to be used as the C compiler (unless it is -overridden in the site shell script). Here is a another example: - - /bin/bash ./configure CONFIG_SHELL=/bin/bash - -Here the `CONFIG_SHELL=/bin/bash' operand causes subsequent -configuration-related scripts to be executed by `/bin/bash'. - -`configure' Invocation -====================== - -`configure' recognizes the following options to control how it operates. - -`--help' -`-h' - Print a summary of the options to `configure', and exit. - -`--version' -`-V' - Print the version of Autoconf used to generate the `configure' - script, and exit. - -`--cache-file=FILE' - Enable the cache: use and save the results of the tests in FILE, - traditionally `config.cache'. FILE defaults to `/dev/null' to - disable caching. - -`--config-cache' -`-C' - Alias for `--cache-file=config.cache'. - -`--quiet' -`--silent' -`-q' - Do not print messages saying which checks are being made. To - suppress all normal output, redirect it to `/dev/null' (any error - messages will still be shown). - -`--srcdir=DIR' - Look for the package's source code in directory DIR. Usually - `configure' can determine that directory automatically. - -`configure' also accepts some other, not widely useful, options. Run -`configure --help' for more details. - diff --git a/libs/srtp/Makefile.am b/libs/srtp/Makefile.am index fc34a04ad3..caff627c76 100644 --- a/libs/srtp/Makefile.am +++ b/libs/srtp/Makefile.am @@ -34,7 +34,8 @@ libsrtp_la_SOURCES += gdoi/srtp+gdoi.c endif library_includedir = $(prefix)/include/srtp -library_include_HEADERS = include/rtp.h include/srtp.h include/ut_sim.h crypto/include/auth.h \ +library_include_HEADERS = include/srtp.h include/ut_sim.h crypto/include/auth.h \ + crypto/include/cipher_types.h \ crypto/include/datatypes.h crypto/include/integers.h crypto/include/null_cipher.h \ crypto/include/rdbx.h crypto/include/aes_icm.h crypto/include/cipher.h crypto/include/crypto_types.h \ crypto/include/err.h crypto/include/sha1.h \ @@ -43,4 +44,4 @@ library_include_HEADERS = include/rtp.h include/srtp.h include/ut_sim.h crypto/i crypto/include/hmac.h crypto/include/null_auth.h crypto/include/rdb.h pkgconfigdir = $(libdir)/pkgconfig -pkgconfig_DATA = srtp-1.42.pc +pkgconfig_DATA = libsrtp2.pc diff --git a/libs/srtp/README.md b/libs/srtp/README.md index b63267ac50..3f1e5bbfde 100644 --- a/libs/srtp/README.md +++ b/libs/srtp/README.md @@ -1,3 +1,6 @@ +[![Build Status](https://travis-ci.org/cisco/libsrtp.svg?branch=master)](https://travis-ci.org/cisco/libsrtp) +[![Coverity Scan Build Status](https://scan.coverity.com/projects/14274/badge.svg)](https://scan.coverity.com/projects/cisco-libsrtp) + # Introduction to libSRTP @@ -51,6 +54,7 @@ because it does its work behind the scenes. - [Supported Features](#supported-features) - [Implementation Notes](#implementation-notes) - [Installing and Building libSRTP](#installing-and-building-libsrtp) + - [Changing Build Configuration](#changing-build-configuration) - [Applications](#applications) - [Example Code](#example-code) - [Credits](#credits) @@ -291,6 +295,26 @@ OpenBSD (sparc-unknown-openbsd2.7). -------------------------------------------------------------------------------- + +## Changing Build Configuration + +To build the `./configure` script mentioned above, libSRTP relies on the +[automake](https://www.gnu.org/software/automake/) toolchain. Since +`./configure` is built from `configure.in` by automake, if you make changes in +how `./configure` works (e.g., to add a new library dependency), you will need +to rebuild `./configure` and commit the updated version. In addition to +automake itself, you will need to have the `pkgconfig` tools installed as well. + +For example, on macOS: + +``` +brew install automake pkgconfig +# Edit configure.in +autoremake -ivf +``` + +-------------------------------------------------------------------------------- + # Applications @@ -397,6 +421,9 @@ uint8_t key[30] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // initialize libSRTP srtp_init(); +// default policy values +memset(&policy, 0x0, sizeof(srtp_policy_t)); + // set policy to describe a policy for an SRTP stream crypto_policy_set_rtp_default(&policy.rtp); crypto_policy_set_rtcp_default(&policy.rtcp); diff --git a/libs/srtp/TODO b/libs/srtp/TODO deleted file mode 100644 index 18846e8ad0..0000000000 --- a/libs/srtp/TODO +++ /dev/null @@ -1,66 +0,0 @@ -TODO List - -1.4.1 - - - document which fields are in NBO/HBO, and check for consistency. - - - move HAVE_U_LONG_LONG inside of datatypes.c, or some other - separate file - - - re-write configure.in to make cross-compilation easier - - - eliminate GENERIC_AESICM by generalizing the code a bit - -Older comments - - - add tests for key_limit_t datatype - - - move octet_get_weight() from datatypes.c to math.c (any other - funcs?) - -Changes and additions planned - - Make cipher and auth dealloc() functions zeroize the key-storage - areas before calling free(). - - Eliminate key_len from auth_init() - - Doucument internal APIs (cipher, auth, srtp_protect, ...) - - -SRTP options not (yet) included in this libaray: - - - the aes-f8-mode cipher - - the Master Key Index - - re-keying using the key derivation function (only the initial - use of the PRF has been implemented, as it's sufficient - for most uses) - - -(OLD) PLANNED CHANGES - - strip out test/lfsr.c - - Write new documentation!!! - - Fix the x86 assembly code in aes.c. - - Eliminate /* DAM */ - there's one in srtp.c - - Change debugging so that it can print more than one line. Or perhaps - just change it so that a single check of the debug-enabled flag is - needed. - - Improve interface between cipher and rdbx - perhaps generalize rdbx - into 'nonce' datatype. - - Make rijndael_icm accept variable sized keys. - - Add rdbx functions that allow different-sized explicit sequence - numbers to be used. - - Write uniform byte-buffering code for PRFs, preferably as macros. - - Consider eliminating low-level alloc functions in favor of len() - functions, so that there need not be multiple allocations within a - particular alloc() function. diff --git a/libs/srtp/VERSION b/libs/srtp/VERSION deleted file mode 100644 index 44e5be2f08..0000000000 --- a/libs/srtp/VERSION +++ /dev/null @@ -1 +0,0 @@ -2.1.0-pre diff --git a/libs/srtp/acsite.m4 b/libs/srtp/acsite.m4 deleted file mode 100644 index 80f8cf4138..0000000000 --- a/libs/srtp/acsite.m4 +++ /dev/null @@ -1,6 +0,0 @@ -m4_include([build/config/ax_compiler_vendor.m4]) -m4_include([build/config/ax_cflags_warn_all_ansi.m4]) -m4_include([build/config/ax_cc_maxopt.m4]) -m4_include([build/config/ax_check_compiler_flags.m4]) -m4_include([build/config/ac_gcc_archflag.m4]) -m4_include([build/config/ac_gcc_x86_cpuid.m4]) diff --git a/libs/srtp/config.hw b/libs/srtp/config.hw index 33ad189fb3..44dba2a2d5 100644 --- a/libs/srtp/config.hw +++ b/libs/srtp/config.hw @@ -181,5 +181,4 @@ typedef __int64 int64_t; #ifdef _MSC_VER #pragma warning(disable:4311) -#define OPENSSL #endif diff --git a/libs/srtp/config.hw.orig b/libs/srtp/config.hw.orig deleted file mode 100644 index 6fc65df677..0000000000 --- a/libs/srtp/config.hw.orig +++ /dev/null @@ -1,182 +0,0 @@ -/* crypto/include/config.h. Generated by configure. */ -/* config_in.h. Generated from configure.in by autoheader. */ - -#if (_MSC_VER >= 1400) -# define HAVE_RAND_S 1 -# define _CRT_RAND_S -#endif - -/* Define if building for a CISC machine (e.g. Intel). */ -#define CPU_CISC 1 - -/* Define if building for a RISC machine (assume slow byte access). */ -/* #undef CPU_RISC */ - -/* Define to enabled debug logging for all mudules. */ -#undef ENABLE_DEBUG_LOGGING - -/* Logging statments will be writen to this file. */ -/* #undef ERR_REPORTING_FILE */ - -/* Define to redirect logging to stdout. */ -#undef ERR_REPORTING_STDOUT - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_ARPA_INET_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_BYTESWAP_H */ - -/* Define to 1 if you have the `inet_aton' function. */ -/* #undef HAVE_INET_ATON */ - -/* Define to 1 if the system has the type `int16_t'. */ -#define HAVE_INT16_T 1 - -/* Define to 1 if the system has the type `int32_t'. */ -#define HAVE_INT32_T 1 - -/* Define to 1 if the system has the type `int8_t'. */ -#define HAVE_INT8_T 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_INTTYPES_H */ - -/* Define to 1 if you have the `socket' library (-lsocket). */ -/* #undef HAVE_LIBSOCKET */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_MACHINE_TYPES_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_MEMORY_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_NETINET_IN_H */ - -/* Define to 1 if you have the `socket' function. */ -/* #undef HAVE_SOCKET */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_STDINT_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_STDLIB_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_STRINGS_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_STRING_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_INT_TYPES_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_SOCKET_H */ - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_STAT_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_SYS_TYPES_H 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_UIO_H */ - -/* Define to 1 if the system has the type `uint16_t'. */ -#define HAVE_UINT16_T 1 - -/* Define to 1 if the system has the type `uint32_t'. */ -#define HAVE_UINT32_T 1 - -/* Define to 1 if the system has the type `uint64_t'. */ -#define HAVE_UINT64_T 1 - -/* Define to 1 if the system has the type `uint8_t'. */ -#define HAVE_UINT8_T 1 - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_UNISTD_H */ - -/* Define to 1 if you have the `usleep' function. */ -/* #undef HAVE_USLEEP */ - -/* Define to 1 if you have the header file. */ -#define HAVE_WINDOWS_H 1 - -/* Define to 1 if you have the header file. */ -#define HAVE_WINSOCK2_H 1 - -/* Define to use X86 inlined assembly code */ -/* #undef HAVE_X86 */ - -/* Define to the address where bug reports for this package should be sent. */ -#define PACKAGE_BUGREPORT "" - -/* Define to the full name of this package. */ -#define PACKAGE_NAME "" - -/* Define to the full name and version of this package. */ -#define PACKAGE_STRING "" - -/* Define to the one symbol short name of this package. */ -#define PACKAGE_TARNAME "" - -/* Define to the version of this package. */ -#define PACKAGE_VERSION "" - -/* The size of a `unsigned long', as computed by sizeof. */ -#define SIZEOF_UNSIGNED_LONG 4 - -/* The size of a `unsigned long long', as computed by sizeof. */ -#define SIZEOF_UNSIGNED_LONG_LONG 8 - -/* Define to use GDOI. */ -/* #undef SRTP_GDOI */ - -/* Define to compile for kernel contexts. */ -/* #undef SRTP_KERNEL */ - -/* Define to compile for Linux kernel context. */ -/* #undef SRTP_KERNEL_LINUX */ - -/* Define to 1 if you have the ANSI C header files. */ -#define STDC_HEADERS 1 - -/* Define to 1 if your processor stores words with the most significant byte - first (like Motorola and SPARC, unlike Intel and VAX). */ -/* #undef WORDS_BIGENDIAN */ - -/* Define to empty if `const' does not conform to ANSI C. */ -/* #undef const */ - -/* Define 'inline' to nothing, since the MSVC compiler doesn't support it. */ -#define inline - -/* Define to `unsigned' if does not define. */ -/* #undef size_t */ - -#if (_MSC_VER >= 1400) // VC8+ -#ifndef _CRT_SECURE_NO_DEPRECATE -#define _CRT_SECURE_NO_DEPRECATE -#endif -#ifndef _CRT_NONSTDC_NO_DEPRECATE -#define _CRT_NONSTDC_NO_DEPRECATE -#endif -#endif // VC8+ - -#ifndef uint32_t -typedef unsigned __int8 uint8_t; -typedef unsigned __int16 uint16_t; -typedef unsigned __int32 uint32_t; -typedef unsigned __int64 uint64_t; -typedef __int8 int8_t; -typedef __int16 int16_t; -typedef __int32 int32_t; -typedef __int64 int64_t; -#endif - -#ifdef _MSC_VER -#pragma warning(disable:4311) -#endif diff --git a/libs/srtp/configure.ac b/libs/srtp/configure.ac index 35803dac97..288d0e970a 100644 --- a/libs/srtp/configure.ac +++ b/libs/srtp/configure.ac @@ -333,7 +333,7 @@ AM_CONDITIONAL([GDOI],[test "SRTP_GDOI" = "1"]) AC_CONFIG_HEADERS(crypto/include/config.h:config_in.h) -AC_OUTPUT(Makefile crypto/Makefile doc/Makefile test/Makefile srtp-1.42.pc) +AC_OUTPUT(Makefile crypto/Makefile doc/Makefile test/Makefile libsrtp2.pc) # This is needed when building outside the source dir. AS_MKDIR_P(crypto/cipher) diff --git a/libs/srtp/crypto/Makefile.in b/libs/srtp/crypto/Makefile.in index c93d9b1672..faaa991a09 100644 --- a/libs/srtp/crypto/Makefile.in +++ b/libs/srtp/crypto/Makefile.in @@ -1,4 +1,4 @@ -# Makefile for libcryptomodule.a +# Makefile for crypto test suite # # David A. McGrew # Cisco Systems, Inc. @@ -9,14 +9,14 @@ top_builddir = @top_builddir@ VPATH = @srcdir@ CC = @CC@ -INCDIR = -Iinclude -I$(srcdir)/include +INCDIR = -Iinclude -I$(srcdir)/include -I$(top_srcdir)/include DEFS = @DEFS@ CPPFLAGS= @CPPFLAGS@ CFLAGS = @CFLAGS@ LIBS = @LIBS@ LDFLAGS = @LDFLAGS@ -L. -L.. COMPILE = $(CC) $(DEFS) $(INCDIR) $(CPPFLAGS) $(CFLAGS) -CRYPTOLIB = -lsrtp +CRYPTOLIB = -lsrtp2 RANLIB = @RANLIB@ @@ -37,16 +37,16 @@ endif .PHONY: dummy all runtest clean superclean -dummy : all runtest +dummy : all runtest -# test applications +# test applications ifneq (1, $(USE_OPENSSL)) AES_CALC = test/aes_calc$(EXE) endif testapp = test/cipher_driver$(EXE) test/datatypes_driver$(EXE) \ test/stat_driver$(EXE) test/sha1_driver$(EXE) \ - test/kernel_driver$(EXE) $(AES_CALC) test/rand_gen$(EXE) \ + test/kernel_driver$(EXE) $(AES_CALC) \ test/env$(EXE) # data values used to test the aes_calc application for AES-128 @@ -73,7 +73,6 @@ endif test/stat_driver$(EXE) >/dev/null test/sha1_driver$(EXE) -v >/dev/null test/kernel_driver$(EXE) -v >/dev/null - test/rand_gen$(EXE) -n 256 >/dev/null @echo "crypto test applications passed." @@ -82,16 +81,15 @@ endif %.o: %.c $(COMPILE) -c $< -o $@ -%$(EXE): %.c - $(COMPILE) $(LDFLAGS) $< -o $@ $(CRYPTOLIB) $(LIBS) +%$(EXE): %.c $(srcdir)/../test/getopt_s.c + $(COMPILE) $(LDFLAGS) $< $(srcdir)/../test/getopt_s.c -o $@ $(CRYPTOLIB) $(LIBS) all: $(testapp) # housekeeping functions clean: - rm -f libcryptomodule.a - rm -f $(testapp) *.o */*.o + rm -f $(testapp) *.o */*.o for a in * .* */*; do if [ -f "$$a~" ] ; then rm $$a~; fi; done; rm -f `find . -name "*.[ch]~*~"` rm -rf latex @@ -99,13 +97,4 @@ clean: superclean: clean rm -f *core TAGS ktrace.out - -# the target 'package' builds a compressed tar archive of the source code - -distname = crypto-$(shell cat VERSION) - -package: superclean - cd ..; tar cvzf $(distname).tgz crypto/ - - # EOF diff --git a/libs/srtp/crypto/cipher/aes.c b/libs/srtp/crypto/cipher/aes.c index a4d6bb630e..c9cd774201 100644 --- a/libs/srtp/crypto/cipher/aes.c +++ b/libs/srtp/crypto/cipher/aes.c @@ -44,7 +44,7 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "aes.h" @@ -63,7 +63,7 @@ */ #ifndef WORDS_BIGENDIAN - +/* clang-format off */ static const uint32_t T0[256] = { 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, 0xdf2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, @@ -130,7 +130,9 @@ static const uint32_t T0[256] = { 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c, }; +/* clang-format on */ +/* clang-format off */ static const uint32_t T1[256] = { 0x6363c6a5, 0x7c7cf884, 0x7777ee99, 0x7b7bf68d, 0xf2f2ff0d, 0x6b6bd6bd, 0x6f6fdeb1, 0xc5c59154, @@ -197,7 +199,9 @@ static const uint32_t T1[256] = { 0x414182c3, 0x999929b0, 0x2d2d5a77, 0xf0f1e11, 0xb0b07bcb, 0x5454a8fc, 0xbbbb6dd6, 0x16162c3a, }; +/* clang-format on */ +/* clang-format off */ static const uint32_t T2[256] = { 0x63c6a563, 0x7cf8847c, 0x77ee9977, 0x7bf68d7b, 0xf2ff0df2, 0x6bd6bd6b, 0x6fdeb16f, 0xc59154c5, @@ -264,7 +268,9 @@ static const uint32_t T2[256] = { 0x4182c341, 0x9929b099, 0x2d5a772d, 0xf1e110f, 0xb07bcbb0, 0x54a8fc54, 0xbb6dd6bb, 0x162c3a16, }; +/* clang-format on */ +/* clang-format off */ static const uint32_t T3[256] = { 0xc6a56363, 0xf8847c7c, 0xee997777, 0xf68d7b7b, 0xff0df2f2, 0xd6bd6b6b, 0xdeb16f6f, 0x9154c5c5, @@ -331,7 +337,9 @@ static const uint32_t T3[256] = { 0x82c34141, 0x29b09999, 0x5a772d2d, 0x1e110f0f, 0x7bcbb0b0, 0xa8fc5454, 0x6dd6bbbb, 0x2c3a1616, }; +/* clang-format on */ +/* clang-format off */ static const uint32_t U0[256] = { 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b, @@ -398,7 +406,9 @@ static const uint32_t U0[256] = { 0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664, 0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0, }; +/* clang-format on */ +/* clang-format off */ static const uint32_t U1[256] = { 0xa7f45150, 0x65417e53, 0xa4171ac3, 0x5e273a96, 0x6bab3bcb, 0x459d1ff1, 0x58faacab, 0x3e34b93, @@ -465,7 +475,9 @@ static const uint32_t U1[256] = { 0x1a83971, 0xb30c08de, 0xe4b4d89c, 0xc1566490, 0x84cb7b61, 0xb632d570, 0x5c6c4874, 0x57b8d042, }; +/* clang-format on */ +/* clang-format off */ static const uint32_t U2[256] = { 0xf45150a7, 0x417e5365, 0x171ac3a4, 0x273a965e, 0xab3bcb6b, 0x9d1ff145, 0xfaacab58, 0xe34b9303, @@ -532,7 +544,9 @@ static const uint32_t U2[256] = { 0xa8397101, 0xc08deb3, 0xb4d89ce4, 0x566490c1, 0xcb7b6184, 0x32d570b6, 0x6c48745c, 0xb8d04257, }; +/* clang-format on */ +/* clang-format off */ static const uint32_t U3[256] = { 0x5150a7f4, 0x7e536541, 0x1ac3a417, 0x3a965e27, 0x3bcb6bab, 0x1ff1459d, 0xacab58fa, 0x4b9303e3, @@ -599,9 +613,10 @@ static const uint32_t U3[256] = { 0x397101a8, 0x8deb30c, 0xd89ce4b4, 0x6490c156, 0x7b6184cb, 0xd570b632, 0x48745c6c, 0xd04257b8, }; +/* clang-format on */ #else /* assume big endian */ - +/* clang-format off */ static const uint32_t T0[256] = { 0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d, 0xfff2f20d, 0xd66b6bbd, 0xde6f6fb1, 0x91c5c554, @@ -668,7 +683,9 @@ static const uint32_t T0[256] = { 0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11, 0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a, }; +/* clang-format on */ +/* clang-format off */ static const uint32_t T1[256] = { 0xa5c66363, 0x84f87c7c, 0x99ee7777, 0x8df67b7b, 0xdfff2f2, 0xbdd66b6b, 0xb1de6f6f, 0x5491c5c5, @@ -735,7 +752,9 @@ static const uint32_t T1[256] = { 0xc3824141, 0xb0299999, 0x775a2d2d, 0x111e0f0f, 0xcb7bb0b0, 0xfca85454, 0xd66dbbbb, 0x3a2c1616, }; +/* clang-format on */ +/* clang-format off */ static const uint32_t T2[256] = { 0x63a5c663, 0x7c84f87c, 0x7799ee77, 0x7b8df67b, 0xf20dfff2, 0x6bbdd66b, 0x6fb1de6f, 0xc55491c5, @@ -802,7 +821,9 @@ static const uint32_t T2[256] = { 0x41c38241, 0x99b02999, 0x2d775a2d, 0xf111e0f, 0xb0cb7bb0, 0x54fca854, 0xbbd66dbb, 0x163a2c16, }; +/* clang-format on */ +/* clang-format off */ static const uint32_t T3[256] = { 0x6363a5c6, 0x7c7c84f8, 0x777799ee, 0x7b7b8df6, 0xf2f20dff, 0x6b6bbdd6, 0x6f6fb1de, 0xc5c55491, @@ -869,7 +890,9 @@ static const uint32_t T3[256] = { 0x4141c382, 0x9999b029, 0x2d2d775a, 0xf0f111e, 0xb0b0cb7b, 0x5454fca8, 0xbbbbd66d, 0x16163a2c, }; +/* clang-format on */ +/* clang-format off */ static const uint32_t U0[256] = { 0x51f4a750, 0x7e416553, 0x1a17a4c3, 0x3a275e96, 0x3bab6bcb, 0x1f9d45f1, 0xacfa58ab, 0x4be30393, @@ -936,7 +959,9 @@ static const uint32_t U0[256] = { 0x39a80171, 0x80cb3de, 0xd8b4e49c, 0x6456c190, 0x7bcb8461, 0xd532b670, 0x486c5c74, 0xd0b85742 }; +/* clang-format on */ +/* clang-format off */ static const uint32_t U1[256] = { 0x5051f4a7, 0x537e4165, 0xc31a17a4, 0x963a275e, 0xcb3bab6b, 0xf11f9d45, 0xabacfa58, 0x934be303, @@ -1003,7 +1028,9 @@ static const uint32_t U1[256] = { 0x7139a801, 0xde080cb3, 0x9cd8b4e4, 0x906456c1, 0x617bcb84, 0x70d532b6, 0x74486c5c, 0x42d0b857 }; +/* clang-format on */ +/* clang-format off */ static const uint32_t U2[256] = { 0xa75051f4, 0x65537e41, 0xa4c31a17, 0x5e963a27, 0x6bcb3bab, 0x45f11f9d, 0x58abacfa, 0x3934be3, @@ -1070,7 +1097,9 @@ static const uint32_t U2[256] = { 0x17139a8, 0xb3de080c, 0xe49cd8b4, 0xc1906456, 0x84617bcb, 0xb670d532, 0x5c74486c, 0x5742d0b8 }; +/* clang-format on */ +/* clang-format off */ static const uint32_t U3[256] = { 0xf4a75051, 0x4165537e, 0x17a4c31a, 0x275e963a, 0xab6bcb3b, 0x9d45f11f, 0xfa58abac, 0xe303934b, @@ -1137,16 +1166,15 @@ static const uint32_t U3[256] = { 0xa8017139, 0xcb3de08, 0xb4e49cd8, 0x56c19064, 0xcb84617b, 0x32b670d5, 0x6c5c7448, 0xb85742d0 }; - +/* clang-format on */ #endif /* * the following tables (aes_sbox, aes_inv_sbox, T4, U4) are * endian-neutral */ - -static const uint8_t - aes_sbox[256] = { +/* clang-format off */ +static const uint8_t aes_sbox[256] = { 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, @@ -1180,10 +1208,11 @@ static const uint8_t 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 }; +/* clang-format on */ #ifndef CPU_RISC -static const uint8_t - aes_inv_sbox[256] = { +/* clang-format off */ +static const uint8_t aes_inv_sbox[256] = { 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, @@ -1217,11 +1246,12 @@ static const uint8_t 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d }; +/* clang-format on */ #endif /* ! CPU_RISC */ #ifdef CPU_RISC -static const uint32_t - T4[256] = { +/* clang-format off */ +static const uint32_t T4[256] = { 0x63636363, 0x7c7c7c7c, 0x77777777, 0x7b7b7b7b, 0xf2f2f2f2, 0x6b6b6b6b, 0x6f6f6f6f, 0xc5c5c5c5, 0x30303030, 0x01010101, 0x67676767, 0x2b2b2b2b, @@ -1287,7 +1317,9 @@ static const uint32_t 0x41414141, 0x99999999, 0x2d2d2d2d, 0x0f0f0f0f, 0xb0b0b0b0, 0x54545454, 0xbbbbbbbb, 0x16161616 }; +/* clang-format on */ +/* clang-format off */ static const uint32_t U4[256] = { 0x52525252, 0x9090909, 0x6a6a6a6a, 0xd5d5d5d5, 0x30303030, 0x36363636, 0xa5a5a5a5, 0x38383838, @@ -1354,6 +1386,7 @@ static const uint32_t U4[256] = { 0xe1e1e1e1, 0x69696969, 0x14141414, 0x63636363, 0x55555555, 0x21212121, 0xc0c0c0c, 0x7d7d7d7d }; +/* clang-format on */ #endif /* CPU_RISC */ #define gf2_8_field_polynomial 0x1B @@ -1363,16 +1396,13 @@ static const uint32_t U4[256] = { * next gf2_8 value in the cyclic representation of that field. The * value z should be an uint8_t. */ -#define gf2_8_shift(z) (((z) & 128) ? \ - (((z) << 1) ^ gf2_8_field_polynomial) : ((z) << 1)) +#define gf2_8_shift(z) \ + (((z)&128) ? (((z) << 1) ^ gf2_8_field_polynomial) : ((z) << 1)) /* aes internals */ -extern srtp_debug_module_t srtp_mod_aes_icm; - -static void -aes_128_expand_encryption_key (const uint8_t *key, - srtp_aes_expanded_key_t *expanded_key) +static void aes_128_expand_encryption_key(const uint8_t *key, + srtp_aes_expanded_key_t *expanded_key) { int i; uint8_t rc; @@ -1391,14 +1421,17 @@ aes_128_expand_encryption_key (const uint8_t *key, /* loop over round keys */ for (i = 1; i < 11; i++) { - /* munge first word of round key */ - expanded_key->round[i].v8[0] = aes_sbox[expanded_key->round[i - 1].v8[13]] ^ rc; - expanded_key->round[i].v8[1] = aes_sbox[expanded_key->round[i - 1].v8[14]]; - expanded_key->round[i].v8[2] = aes_sbox[expanded_key->round[i - 1].v8[15]]; - expanded_key->round[i].v8[3] = aes_sbox[expanded_key->round[i - 1].v8[12]]; + expanded_key->round[i].v8[0] = + aes_sbox[expanded_key->round[i - 1].v8[13]] ^ rc; + expanded_key->round[i].v8[1] = + aes_sbox[expanded_key->round[i - 1].v8[14]]; + expanded_key->round[i].v8[2] = + aes_sbox[expanded_key->round[i - 1].v8[15]]; + expanded_key->round[i].v8[3] = + aes_sbox[expanded_key->round[i - 1].v8[12]]; - expanded_key->round[i].v32[0] ^= expanded_key->round[i - 1].v32[0]; + expanded_key->round[i].v32[0] ^= expanded_key->round[i - 1].v32[0]; /* set remaining 32 bit words to the exor of the one previous with * the one four words previous */ @@ -1419,13 +1452,11 @@ aes_128_expand_encryption_key (const uint8_t *key, /* modify round constant */ rc = gf2_8_shift(rc); - } } -static void -aes_256_expand_encryption_key (const unsigned char *key, - srtp_aes_expanded_key_t *expanded_key) +static void aes_256_expand_encryption_key(const unsigned char *key, + srtp_aes_expanded_key_t *expanded_key) { int i; uint8_t rc; @@ -1447,24 +1478,31 @@ aes_256_expand_encryption_key (const unsigned char *key, /* loop over rest of round keys */ for (i = 2; i < 15; i++) { - /* munge first word of round key */ if ((i & 1) == 0) { - expanded_key->round[i].v8[0] = aes_sbox[expanded_key->round[i - 1].v8[13]] ^ rc; - expanded_key->round[i].v8[1] = aes_sbox[expanded_key->round[i - 1].v8[14]]; - expanded_key->round[i].v8[2] = aes_sbox[expanded_key->round[i - 1].v8[15]]; - expanded_key->round[i].v8[3] = aes_sbox[expanded_key->round[i - 1].v8[12]]; + expanded_key->round[i].v8[0] = + aes_sbox[expanded_key->round[i - 1].v8[13]] ^ rc; + expanded_key->round[i].v8[1] = + aes_sbox[expanded_key->round[i - 1].v8[14]]; + expanded_key->round[i].v8[2] = + aes_sbox[expanded_key->round[i - 1].v8[15]]; + expanded_key->round[i].v8[3] = + aes_sbox[expanded_key->round[i - 1].v8[12]]; /* modify round constant */ rc = gf2_8_shift(rc); - }else { - expanded_key->round[i].v8[0] = aes_sbox[expanded_key->round[i - 1].v8[12]]; - expanded_key->round[i].v8[1] = aes_sbox[expanded_key->round[i - 1].v8[13]]; - expanded_key->round[i].v8[2] = aes_sbox[expanded_key->round[i - 1].v8[14]]; - expanded_key->round[i].v8[3] = aes_sbox[expanded_key->round[i - 1].v8[15]]; + } else { + expanded_key->round[i].v8[0] = + aes_sbox[expanded_key->round[i - 1].v8[12]]; + expanded_key->round[i].v8[1] = + aes_sbox[expanded_key->round[i - 1].v8[13]]; + expanded_key->round[i].v8[2] = + aes_sbox[expanded_key->round[i - 1].v8[14]]; + expanded_key->round[i].v8[3] = + aes_sbox[expanded_key->round[i - 1].v8[15]]; } - expanded_key->round[i].v32[0] ^= expanded_key->round[i - 2].v32[0]; + expanded_key->round[i].v32[0] ^= expanded_key->round[i - 2].v32[0]; /* set remaining 32 bit words to the exor of the one previous with * the one eight words previous */ @@ -1482,31 +1520,32 @@ aes_256_expand_encryption_key (const unsigned char *key, debug_print2(srtp_mod_aes_icm, "expanded key[%d]: %s", i, v128_hex_string(&expanded_key->round[i])); #endif - } } -srtp_err_status_t srtp_aes_expand_encryption_key (const uint8_t *key, - int key_len, - srtp_aes_expanded_key_t *expanded_key) +srtp_err_status_t srtp_aes_expand_encryption_key( + const uint8_t *key, + int key_len, + srtp_aes_expanded_key_t *expanded_key) { if (key_len == 16) { aes_128_expand_encryption_key(key, expanded_key); return srtp_err_status_ok; - }else if (key_len == 24) { + } else if (key_len == 24) { /* AES-192 not yet supported */ return srtp_err_status_bad_param; - }else if (key_len == 32) { + } else if (key_len == 32) { aes_256_expand_encryption_key(key, expanded_key); return srtp_err_status_ok; - }else { + } else { return srtp_err_status_bad_param; } } -srtp_err_status_t srtp_aes_expand_decryption_key (const uint8_t *key, - int key_len, - srtp_aes_expanded_key_t *expanded_key) +srtp_err_status_t srtp_aes_expand_decryption_key( + const uint8_t *key, + int key_len, + srtp_aes_expanded_key_t *expanded_key) { int i; srtp_err_status_t status; @@ -1521,7 +1560,8 @@ srtp_err_status_t srtp_aes_expand_decryption_key (const uint8_t *key, for (i = 0; i < num_rounds / 2; i++) { v128_t tmp; v128_copy(&tmp, &expanded_key->round[num_rounds - i]); - v128_copy(&expanded_key->round[num_rounds - i], &expanded_key->round[i]); + v128_copy(&expanded_key->round[num_rounds - i], + &expanded_key->round[i]); v128_copy(&expanded_key->round[i], &tmp); } @@ -1538,6 +1578,7 @@ srtp_err_status_t srtp_aes_expand_decryption_key (const uint8_t *key, uint32_t tmp; #ifdef WORDS_BIGENDIAN + /* clang-format off */ tmp = expanded_key->round[i].v32[0]; expanded_key->round[i].v32[0] = U0[T4[(tmp >> 24) ] & 0xff] ^ @@ -1593,31 +1634,32 @@ srtp_err_status_t srtp_aes_expand_decryption_key (const uint8_t *key, U2[T4[(tmp >> 16) & 0xff] & 0xff] ^ U1[T4[(tmp >> 8) & 0xff] & 0xff] ^ U0[T4[(tmp) & 0xff] & 0xff]; -#endif /* WORDS_BIGENDIAN */ +/* clang-format on */ +#endif /* WORDS_BIGENDIAN */ #else /* assume CPU_CISC */ uint32_t c0, c1, c2, c3; - c0 = U0[aes_sbox[expanded_key->round[i].v8[0]]] - ^ U1[aes_sbox[expanded_key->round[i].v8[1]]] - ^ U2[aes_sbox[expanded_key->round[i].v8[2]]] - ^ U3[aes_sbox[expanded_key->round[i].v8[3]]]; + c0 = U0[aes_sbox[expanded_key->round[i].v8[0]]] ^ + U1[aes_sbox[expanded_key->round[i].v8[1]]] ^ + U2[aes_sbox[expanded_key->round[i].v8[2]]] ^ + U3[aes_sbox[expanded_key->round[i].v8[3]]]; - c1 = U0[aes_sbox[expanded_key->round[i].v8[4]]] - ^ U1[aes_sbox[expanded_key->round[i].v8[5]]] - ^ U2[aes_sbox[expanded_key->round[i].v8[6]]] - ^ U3[aes_sbox[expanded_key->round[i].v8[7]]]; + c1 = U0[aes_sbox[expanded_key->round[i].v8[4]]] ^ + U1[aes_sbox[expanded_key->round[i].v8[5]]] ^ + U2[aes_sbox[expanded_key->round[i].v8[6]]] ^ + U3[aes_sbox[expanded_key->round[i].v8[7]]]; - c2 = U0[aes_sbox[expanded_key->round[i].v8[8]]] - ^ U1[aes_sbox[expanded_key->round[i].v8[9]]] - ^ U2[aes_sbox[expanded_key->round[i].v8[10]]] - ^ U3[aes_sbox[expanded_key->round[i].v8[11]]]; + c2 = U0[aes_sbox[expanded_key->round[i].v8[8]]] ^ + U1[aes_sbox[expanded_key->round[i].v8[9]]] ^ + U2[aes_sbox[expanded_key->round[i].v8[10]]] ^ + U3[aes_sbox[expanded_key->round[i].v8[11]]]; - c3 = U0[aes_sbox[expanded_key->round[i].v8[12]]] - ^ U1[aes_sbox[expanded_key->round[i].v8[13]]] - ^ U2[aes_sbox[expanded_key->round[i].v8[14]]] - ^ U3[aes_sbox[expanded_key->round[i].v8[15]]]; + c3 = U0[aes_sbox[expanded_key->round[i].v8[12]]] ^ + U1[aes_sbox[expanded_key->round[i].v8[13]]] ^ + U2[aes_sbox[expanded_key->round[i].v8[14]]] ^ + U3[aes_sbox[expanded_key->round[i].v8[15]]]; expanded_key->round[i].v32[0] = c0; expanded_key->round[i].v32[1] = c1; @@ -1632,61 +1674,57 @@ srtp_err_status_t srtp_aes_expand_decryption_key (const uint8_t *key, #ifdef CPU_CISC - -static inline void aes_round (v128_t *state, const v128_t *round_key) +static inline void aes_round(v128_t *state, const v128_t *round_key) { uint32_t column0, column1, column2, column3; /* compute the columns of the output square in terms of the octets of state, using the tables T0, T1, T2, T3 */ - column0 = T0[state->v8[0]] ^ T1[state->v8[5]] - ^ T2[state->v8[10]] ^ T3[state->v8[15]]; + column0 = T0[state->v8[0]] ^ T1[state->v8[5]] ^ T2[state->v8[10]] ^ + T3[state->v8[15]]; - column1 = T0[state->v8[4]] ^ T1[state->v8[9]] - ^ T2[state->v8[14]] ^ T3[state->v8[3]]; + column1 = T0[state->v8[4]] ^ T1[state->v8[9]] ^ T2[state->v8[14]] ^ + T3[state->v8[3]]; - column2 = T0[state->v8[8]] ^ T1[state->v8[13]] - ^ T2[state->v8[2]] ^ T3[state->v8[7]]; + column2 = T0[state->v8[8]] ^ T1[state->v8[13]] ^ T2[state->v8[2]] ^ + T3[state->v8[7]]; - column3 = T0[state->v8[12]] ^ T1[state->v8[1]] - ^ T2[state->v8[6]] ^ T3[state->v8[11]]; + column3 = T0[state->v8[12]] ^ T1[state->v8[1]] ^ T2[state->v8[6]] ^ + T3[state->v8[11]]; state->v32[0] = column0 ^ round_key->v32[0]; state->v32[1] = column1 ^ round_key->v32[1]; state->v32[2] = column2 ^ round_key->v32[2]; state->v32[3] = column3 ^ round_key->v32[3]; - } - -static inline void aes_inv_round (v128_t *state, const v128_t *round_key) +static inline void aes_inv_round(v128_t *state, const v128_t *round_key) { uint32_t column0, column1, column2, column3; /* compute the columns of the output square in terms of the octets of state, using the tables U0, U1, U2, U3 */ - column0 = U0[state->v8[0]] ^ U1[state->v8[13]] - ^ U2[state->v8[10]] ^ U3[state->v8[7]]; + column0 = U0[state->v8[0]] ^ U1[state->v8[13]] ^ U2[state->v8[10]] ^ + U3[state->v8[7]]; - column1 = U0[state->v8[4]] ^ U1[state->v8[1]] - ^ U2[state->v8[14]] ^ U3[state->v8[11]]; + column1 = U0[state->v8[4]] ^ U1[state->v8[1]] ^ U2[state->v8[14]] ^ + U3[state->v8[11]]; - column2 = U0[state->v8[8]] ^ U1[state->v8[5]] - ^ U2[state->v8[2]] ^ U3[state->v8[15]]; + column2 = U0[state->v8[8]] ^ U1[state->v8[5]] ^ U2[state->v8[2]] ^ + U3[state->v8[15]]; - column3 = U0[state->v8[12]] ^ U1[state->v8[9]] - ^ U2[state->v8[6]] ^ U3[state->v8[3]]; + column3 = U0[state->v8[12]] ^ U1[state->v8[9]] ^ U2[state->v8[6]] ^ + U3[state->v8[3]]; state->v32[0] = column0 ^ round_key->v32[0]; state->v32[1] = column1 ^ round_key->v32[1]; state->v32[2] = column2 ^ round_key->v32[2]; state->v32[3] = column3 ^ round_key->v32[3]; - } -static inline void aes_final_round (v128_t *state, const v128_t *round_key) +static inline void aes_final_round(v128_t *state, const v128_t *round_key) { uint8_t tmp; @@ -1722,7 +1760,7 @@ static inline void aes_final_round (v128_t *state, const v128_t *round_key) v128_xor_eq(state, round_key); } -static inline void aes_inv_final_round (v128_t *state, const v128_t *round_key) +static inline void aes_inv_final_round(v128_t *state, const v128_t *round_key) { uint8_t tmp; @@ -1758,201 +1796,205 @@ static inline void aes_inv_final_round (v128_t *state, const v128_t *round_key) v128_xor_eq(state, round_key); } - #elif CPU_RISC -static inline void aes_round (v128_t *state, const v128_t *round_key) +static inline void aes_round(v128_t *state, const v128_t *round_key) { uint32_t column0, column1, column2, column3; - /* compute the columns of the output square in terms of the octets - of state, using the tables T0, T1, T2, T3 */ +/* compute the columns of the output square in terms of the octets + of state, using the tables T0, T1, T2, T3 */ #ifdef WORDS_BIGENDIAN - column0 = T0[state->v32[0] >> 24] ^ T1[(state->v32[1] >> 16) & 0xff] - ^ T2[(state->v32[2] >> 8) & 0xff] ^ T3[state->v32[3] & 0xff]; + column0 = T0[state->v32[0] >> 24] ^ T1[(state->v32[1] >> 16) & 0xff] ^ + T2[(state->v32[2] >> 8) & 0xff] ^ T3[state->v32[3] & 0xff]; - column1 = T0[state->v32[1] >> 24] ^ T1[(state->v32[2] >> 16) & 0xff] - ^ T2[(state->v32[3] >> 8) & 0xff] ^ T3[state->v32[0] & 0xff]; + column1 = T0[state->v32[1] >> 24] ^ T1[(state->v32[2] >> 16) & 0xff] ^ + T2[(state->v32[3] >> 8) & 0xff] ^ T3[state->v32[0] & 0xff]; - column2 = T0[state->v32[2] >> 24] ^ T1[(state->v32[3] >> 16) & 0xff] - ^ T2[(state->v32[0] >> 8) & 0xff] ^ T3[state->v32[1] & 0xff]; + column2 = T0[state->v32[2] >> 24] ^ T1[(state->v32[3] >> 16) & 0xff] ^ + T2[(state->v32[0] >> 8) & 0xff] ^ T3[state->v32[1] & 0xff]; - column3 = T0[state->v32[3] >> 24] ^ T1[(state->v32[0] >> 16) & 0xff] - ^ T2[(state->v32[1] >> 8) & 0xff] ^ T3[state->v32[2] & 0xff]; + column3 = T0[state->v32[3] >> 24] ^ T1[(state->v32[0] >> 16) & 0xff] ^ + T2[(state->v32[1] >> 8) & 0xff] ^ T3[state->v32[2] & 0xff]; #else - column0 = T0[state->v32[0] & 0xff] ^ T1[(state->v32[1] >> 8) & 0xff] - ^ T2[(state->v32[2] >> 16) & 0xff] ^ T3[state->v32[3] >> 24]; + column0 = T0[state->v32[0] & 0xff] ^ T1[(state->v32[1] >> 8) & 0xff] ^ + T2[(state->v32[2] >> 16) & 0xff] ^ T3[state->v32[3] >> 24]; - column1 = T0[state->v32[1] & 0xff] ^ T1[(state->v32[2] >> 8) & 0xff] - ^ T2[(state->v32[3] >> 16) & 0xff] ^ T3[state->v32[0] >> 24]; + column1 = T0[state->v32[1] & 0xff] ^ T1[(state->v32[2] >> 8) & 0xff] ^ + T2[(state->v32[3] >> 16) & 0xff] ^ T3[state->v32[0] >> 24]; - column2 = T0[state->v32[2] & 0xff] ^ T1[(state->v32[3] >> 8) & 0xff] - ^ T2[(state->v32[0] >> 16) & 0xff] ^ T3[state->v32[1] >> 24]; + column2 = T0[state->v32[2] & 0xff] ^ T1[(state->v32[3] >> 8) & 0xff] ^ + T2[(state->v32[0] >> 16) & 0xff] ^ T3[state->v32[1] >> 24]; - column3 = T0[state->v32[3] & 0xff] ^ T1[(state->v32[0] >> 8) & 0xff] - ^ T2[(state->v32[1] >> 16) & 0xff] ^ T3[state->v32[2] >> 24]; + column3 = T0[state->v32[3] & 0xff] ^ T1[(state->v32[0] >> 8) & 0xff] ^ + T2[(state->v32[1] >> 16) & 0xff] ^ T3[state->v32[2] >> 24]; #endif /* WORDS_BIGENDIAN */ state->v32[0] = column0 ^ round_key->v32[0]; state->v32[1] = column1 ^ round_key->v32[1]; state->v32[2] = column2 ^ round_key->v32[2]; state->v32[3] = column3 ^ round_key->v32[3]; - } -static inline void aes_inv_round (v128_t *state, const v128_t *round_key) +static inline void aes_inv_round(v128_t *state, const v128_t *round_key) { uint32_t column0, column1, column2, column3; - /* compute the columns of the output square in terms of the octets - of state, using the tables U0, U1, U2, U3 */ +/* compute the columns of the output square in terms of the octets + of state, using the tables U0, U1, U2, U3 */ #ifdef WORDS_BIGENDIAN - column0 = U0[state->v32[0] >> 24] ^ U1[(state->v32[3] >> 16) & 0xff] - ^ U2[(state->v32[2] >> 8) & 0xff] ^ U3[state->v32[1] & 0xff]; + column0 = U0[state->v32[0] >> 24] ^ U1[(state->v32[3] >> 16) & 0xff] ^ + U2[(state->v32[2] >> 8) & 0xff] ^ U3[state->v32[1] & 0xff]; - column1 = U0[state->v32[1] >> 24] ^ U1[(state->v32[0] >> 16) & 0xff] - ^ U2[(state->v32[3] >> 8) & 0xff] ^ U3[state->v32[2] & 0xff]; + column1 = U0[state->v32[1] >> 24] ^ U1[(state->v32[0] >> 16) & 0xff] ^ + U2[(state->v32[3] >> 8) & 0xff] ^ U3[state->v32[2] & 0xff]; - column2 = U0[state->v32[2] >> 24] ^ U1[(state->v32[1] >> 16) & 0xff] - ^ U2[(state->v32[0] >> 8) & 0xff] ^ U3[state->v32[3] & 0xff]; + column2 = U0[state->v32[2] >> 24] ^ U1[(state->v32[1] >> 16) & 0xff] ^ + U2[(state->v32[0] >> 8) & 0xff] ^ U3[state->v32[3] & 0xff]; - column3 = U0[state->v32[3] >> 24] ^ U1[(state->v32[2] >> 16) & 0xff] - ^ U2[(state->v32[1] >> 8) & 0xff] ^ U3[state->v32[0] & 0xff]; + column3 = U0[state->v32[3] >> 24] ^ U1[(state->v32[2] >> 16) & 0xff] ^ + U2[(state->v32[1] >> 8) & 0xff] ^ U3[state->v32[0] & 0xff]; #else - column0 = U0[state->v32[0] & 0xff] ^ U1[(state->v32[3] >> 8) & 0xff] - ^ U2[(state->v32[2] >> 16) & 0xff] ^ U3[(state->v32[1] >> 24) & 0xff]; + column0 = U0[state->v32[0] & 0xff] ^ U1[(state->v32[3] >> 8) & 0xff] ^ + U2[(state->v32[2] >> 16) & 0xff] ^ + U3[(state->v32[1] >> 24) & 0xff]; - column1 = U0[state->v32[1] & 0xff] ^ U1[(state->v32[0] >> 8) & 0xff] - ^ U2[(state->v32[3] >> 16) & 0xff] ^ U3[(state->v32[2] >> 24) & 0xff]; + column1 = U0[state->v32[1] & 0xff] ^ U1[(state->v32[0] >> 8) & 0xff] ^ + U2[(state->v32[3] >> 16) & 0xff] ^ + U3[(state->v32[2] >> 24) & 0xff]; - column2 = U0[state->v32[2] & 0xff] ^ U1[(state->v32[1] >> 8) & 0xff] - ^ U2[(state->v32[0] >> 16) & 0xff] ^ U3[(state->v32[3] >> 24) & 0xff]; + column2 = U0[state->v32[2] & 0xff] ^ U1[(state->v32[1] >> 8) & 0xff] ^ + U2[(state->v32[0] >> 16) & 0xff] ^ + U3[(state->v32[3] >> 24) & 0xff]; - column3 = U0[state->v32[3] & 0xff] ^ U1[(state->v32[2] >> 8) & 0xff] - ^ U2[(state->v32[1] >> 16) & 0xff] ^ U3[(state->v32[0] >> 24) & 0xff]; + column3 = U0[state->v32[3] & 0xff] ^ U1[(state->v32[2] >> 8) & 0xff] ^ + U2[(state->v32[1] >> 16) & 0xff] ^ + U3[(state->v32[0] >> 24) & 0xff]; #endif /* WORDS_BIGENDIAN */ state->v32[0] = column0 ^ round_key->v32[0]; state->v32[1] = column1 ^ round_key->v32[1]; state->v32[2] = column2 ^ round_key->v32[2]; state->v32[3] = column3 ^ round_key->v32[3]; - } -static inline void aes_final_round (v128_t *state, const v128_t *round_key) +static inline void aes_final_round(v128_t *state, const v128_t *round_key) { uint32_t tmp0, tmp1, tmp2, tmp3; #ifdef WORDS_BIGENDIAN - tmp0 = (T4[(state->v32[0] >> 24)] & 0xff000000) - ^ (T4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) - ^ (T4[(state->v32[2] >> 8) & 0xff] & 0x0000ff00) - ^ (T4[(state->v32[3] ) & 0xff] & 0x000000ff) - ^ round_key->v32[0]; - - tmp1 = (T4[(state->v32[1] >> 24)] & 0xff000000) - ^ (T4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) - ^ (T4[(state->v32[3] >> 8) & 0xff] & 0x0000ff00) - ^ (T4[(state->v32[0] ) & 0xff] & 0x000000ff) - ^ round_key->v32[1]; - - tmp2 = (T4[(state->v32[2] >> 24)] & 0xff000000) - ^ (T4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) - ^ (T4[(state->v32[0] >> 8) & 0xff] & 0x0000ff00) - ^ (T4[(state->v32[1] ) & 0xff] & 0x000000ff) - ^ round_key->v32[2]; - - tmp3 = (T4[(state->v32[3] >> 24)] & 0xff000000) - ^ (T4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) - ^ (T4[(state->v32[1] >> 8) & 0xff] & 0x0000ff00) - ^ (T4[(state->v32[2] ) & 0xff] & 0x000000ff) - ^ round_key->v32[3]; + /* clang-format off */ + tmp0 = (T4[(state->v32[0] >> 24)] & 0xff000000) ^ + (T4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[2] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[3] ) & 0xff] & 0x000000ff) ^ + round_key->v32[0]; + + tmp1 = (T4[(state->v32[1] >> 24)] & 0xff000000) ^ + (T4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[3] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[0] ) & 0xff] & 0x000000ff) ^ + round_key->v32[1]; + + tmp2 = (T4[(state->v32[2] >> 24)] & 0xff000000) ^ + (T4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[0] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[1] ) & 0xff] & 0x000000ff) ^ + round_key->v32[2]; + + tmp3 = (T4[(state->v32[3] >> 24)] & 0xff000000) ^ + (T4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[1] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[2] ) & 0xff] & 0x000000ff) ^ + round_key->v32[3]; #else - tmp0 = (T4[(state->v32[3] >> 24)] & 0xff000000) - ^ (T4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) - ^ (T4[(state->v32[1] >> 8) & 0xff] & 0x0000ff00) - ^ (T4[(state->v32[0] ) & 0xff] & 0x000000ff) - ^ round_key->v32[0]; - - tmp1 = (T4[(state->v32[0] >> 24)] & 0xff000000) - ^ (T4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) - ^ (T4[(state->v32[2] >> 8) & 0xff] & 0x0000ff00) - ^ (T4[(state->v32[1] ) & 0xff] & 0x000000ff) - ^ round_key->v32[1]; - - tmp2 = (T4[(state->v32[1] >> 24)] & 0xff000000) - ^ (T4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) - ^ (T4[(state->v32[3] >> 8) & 0xff] & 0x0000ff00) - ^ (T4[(state->v32[2] ) & 0xff] & 0x000000ff) - ^ round_key->v32[2]; - - tmp3 = (T4[(state->v32[2] >> 24)] & 0xff000000) - ^ (T4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) - ^ (T4[(state->v32[0] >> 8) & 0xff] & 0x0000ff00) - ^ (T4[(state->v32[3] ) & 0xff] & 0x000000ff) - ^ round_key->v32[3]; + tmp0 = (T4[(state->v32[3] >> 24)] & 0xff000000) ^ + (T4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[1] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[0] ) & 0xff] & 0x000000ff) ^ + round_key->v32[0]; + + tmp1 = (T4[(state->v32[0] >> 24)] & 0xff000000) ^ + (T4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[2] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[1] ) & 0xff] & 0x000000ff) ^ + round_key->v32[1]; + + tmp2 = (T4[(state->v32[1] >> 24)] & 0xff000000) ^ + (T4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[3] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[2] ) & 0xff] & 0x000000ff) ^ + round_key->v32[2]; + + tmp3 = (T4[(state->v32[2] >> 24)] & 0xff000000) ^ + (T4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) ^ + (T4[(state->v32[0] >> 8) & 0xff] & 0x0000ff00) ^ + (T4[(state->v32[3] ) & 0xff] & 0x000000ff) ^ + round_key->v32[3]; +/* clang-format on */ #endif /* WORDS_BIGENDIAN */ state->v32[0] = tmp0; state->v32[1] = tmp1; state->v32[2] = tmp2; state->v32[3] = tmp3; - } -static inline void aes_inv_final_round (v128_t *state, const v128_t *round_key) +static inline void aes_inv_final_round(v128_t *state, const v128_t *round_key) { uint32_t tmp0, tmp1, tmp2, tmp3; #ifdef WORDS_BIGENDIAN - tmp0 = (U4[(state->v32[0] >> 24)] & 0xff000000) - ^ (U4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) - ^ (U4[(state->v32[2] >> 8) & 0xff] & 0x0000ff00) - ^ (U4[(state->v32[1] ) & 0xff] & 0x000000ff) - ^ round_key->v32[0]; - - tmp1 = (U4[(state->v32[1] >> 24)] & 0xff000000) - ^ (U4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) - ^ (U4[(state->v32[3] >> 8) & 0xff] & 0x0000ff00) - ^ (U4[(state->v32[2] ) & 0xff] & 0x000000ff) - ^ round_key->v32[1]; - - tmp2 = (U4[(state->v32[2] >> 24)] & 0xff000000) - ^ (U4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) - ^ (U4[(state->v32[0] >> 8) & 0xff] & 0x0000ff00) - ^ (U4[(state->v32[3] ) & 0xff] & 0x000000ff) - ^ round_key->v32[2]; - - tmp3 = (U4[(state->v32[3] >> 24)] & 0xff000000) - ^ (U4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) - ^ (U4[(state->v32[1] >> 8) & 0xff] & 0x0000ff00) - ^ (U4[(state->v32[0] ) & 0xff] & 0x000000ff) - ^ round_key->v32[3]; + /* clang-format off */ + tmp0 = (U4[(state->v32[0] >> 24)] & 0xff000000) ^ + (U4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[2] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[1] ) & 0xff] & 0x000000ff) ^ + round_key->v32[0]; + + tmp1 = (U4[(state->v32[1] >> 24)] & 0xff000000) ^ + (U4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[3] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[2] ) & 0xff] & 0x000000ff) ^ + round_key->v32[1]; + + tmp2 = (U4[(state->v32[2] >> 24)] & 0xff000000) ^ + (U4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[0] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[3] ) & 0xff] & 0x000000ff) ^ + round_key->v32[2]; + + tmp3 = (U4[(state->v32[3] >> 24)] & 0xff000000) ^ + (U4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[1] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[0] ) & 0xff] & 0x000000ff) ^ + round_key->v32[3]; #else - tmp0 = (U4[(state->v32[1] >> 24)] & 0xff000000) - ^ (U4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) - ^ (U4[(state->v32[3] >> 8) & 0xff] & 0x0000ff00) - ^ (U4[(state->v32[0] ) & 0xff] & 0x000000ff) - ^ round_key->v32[0]; - - tmp1 = (U4[(state->v32[2] >> 24)] & 0xff000000) - ^ (U4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) - ^ (U4[(state->v32[0] >> 8) & 0xff] & 0x0000ff00) - ^ (U4[(state->v32[1] ) & 0xff] & 0x000000ff) - ^ round_key->v32[1]; - - tmp2 = (U4[(state->v32[3] >> 24)] & 0xff000000) - ^ (U4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) - ^ (U4[(state->v32[1] >> 8) & 0xff] & 0x0000ff00) - ^ (U4[(state->v32[2] ) & 0xff] & 0x000000ff) - ^ round_key->v32[2]; - - tmp3 = (U4[(state->v32[0] >> 24)] & 0xff000000) - ^ (U4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) - ^ (U4[(state->v32[2] >> 8) & 0xff] & 0x0000ff00) - ^ (U4[(state->v32[3] ) & 0xff] & 0x000000ff) - ^ round_key->v32[3]; + tmp0 = (U4[(state->v32[1] >> 24)] & 0xff000000) ^ + (U4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[3] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[0] ) & 0xff] & 0x000000ff) ^ + round_key->v32[0]; + + tmp1 = (U4[(state->v32[2] >> 24)] & 0xff000000) ^ + (U4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[0] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[1] ) & 0xff] & 0x000000ff) ^ + round_key->v32[1]; + + tmp2 = (U4[(state->v32[3] >> 24)] & 0xff000000) ^ + (U4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[1] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[2] ) & 0xff] & 0x000000ff) ^ + round_key->v32[2]; + + tmp3 = (U4[(state->v32[0] >> 24)] & 0xff000000) ^ + (U4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) ^ + (U4[(state->v32[2] >> 8) & 0xff] & 0x0000ff00) ^ + (U4[(state->v32[3] ) & 0xff] & 0x000000ff) ^ + round_key->v32[3]; +/* clang-format on */ #endif /* WORDS_BIGENDIAN */ state->v32[0] = tmp0; @@ -1961,62 +2003,58 @@ static inline void aes_inv_final_round (v128_t *state, const v128_t *round_key) state->v32[3] = tmp3; } -#elif CPU_16 /* assume 16-bit word size on processor */ +#elif CPU_16 /* assume 16-bit word size on processor */ -static inline void aes_round (v128_t *state, const v128_t *round_key) +static inline void aes_round(v128_t *state, const v128_t *round_key) { uint32_t column0, column1, column2, column3; - uint16_t c /* compute the columns of the output square in terms of the octets of state, using the tables T0, T1, T2, T3 */ - column0 = T0[state->v8[0]] ^ T1[state->v8[5]] - ^ T2[state->v8[10]] ^ T3[state->v8[15]]; + column0 = T0[state->v8[0]] ^ T1[state->v8[5]] ^ T2[state->v8[10]] ^ + T3[state->v8[15]]; - column1 = T0[state->v8[4]] ^ T1[state->v8[9]] - ^ T2[state->v8[14]] ^ T3[state->v8[3]]; + column1 = T0[state->v8[4]] ^ T1[state->v8[9]] ^ T2[state->v8[14]] ^ + T3[state->v8[3]]; - column2 = T0[state->v8[8]] ^ T1[state->v8[13]] - ^ T2[state->v8[2]] ^ T3[state->v8[7]]; + column2 = T0[state->v8[8]] ^ T1[state->v8[13]] ^ T2[state->v8[2]] ^ + T3[state->v8[7]]; - column3 = T0[state->v8[12]] ^ T1[state->v8[1]] - ^ T2[state->v8[6]] ^ T3[state->v8[11]]; + column3 = T0[state->v8[12]] ^ T1[state->v8[1]] ^ T2[state->v8[6]] ^ + T3[state->v8[11]]; state->v32[0] = column0 ^ round_key->v32[0]; state->v32[1] = column1 ^ round_key->v32[1]; state->v32[2] = column2 ^ round_key->v32[2]; state->v32[3] = column3 ^ round_key->v32[3]; - } - -static inline void aes_inv_round (v128_t *state, const v128_t *round_key) +static inline void aes_inv_round(v128_t *state, const v128_t *round_key) { uint32_t column0, column1, column2, column3; /* compute the columns of the output square in terms of the octets of state, using the tables U0, U1, U2, U3 */ - column0 = U0[state->v8[0]] ^ U1[state->v8[5]] - ^ U2[state->v8[10]] ^ U3[state->v8[15]]; + column0 = U0[state->v8[0]] ^ U1[state->v8[5]] ^ U2[state->v8[10]] ^ + U3[state->v8[15]]; - column1 = U0[state->v8[4]] ^ U1[state->v8[9]] - ^ U2[state->v8[14]] ^ U3[state->v8[3]]; + column1 = U0[state->v8[4]] ^ U1[state->v8[9]] ^ U2[state->v8[14]] ^ + U3[state->v8[3]]; - column2 = U0[state->v8[8]] ^ U1[state->v8[13]] - ^ U2[state->v8[2]] ^ U3[state->v8[7]]; + column2 = U0[state->v8[8]] ^ U1[state->v8[13]] ^ U2[state->v8[2]] ^ + U3[state->v8[7]]; - column3 = U0[state->v8[12]] ^ U1[state->v8[1]] - ^ U2[state->v8[6]] ^ U3[state->v8[11]]; + column3 = U0[state->v8[12]] ^ U1[state->v8[1]] ^ U2[state->v8[6]] ^ + U3[state->v8[11]]; state->v32[0] = column0 ^ round_key->v32[0]; state->v32[1] = column1 ^ round_key->v32[1]; state->v32[2] = column2 ^ round_key->v32[2]; state->v32[3] = column3 ^ round_key->v32[3]; - } -static inline void aes_final_round (v128_t *state, const v128_t *round_key) +static inline void aes_final_round(v128_t *state, const v128_t *round_key) { uint8_t tmp; @@ -2052,7 +2090,7 @@ static inline void aes_final_round (v128_t *state, const v128_t *round_key) v128_xor_eq(state, round_key); } -static inline void aes_inv_final_round (v128_t *state, const v128_t *round_key) +static inline void aes_inv_final_round(v128_t *state, const v128_t *round_key) { uint8_t tmp; @@ -2088,12 +2126,10 @@ static inline void aes_inv_final_round (v128_t *state, const v128_t *round_key) v128_xor_eq(state, round_key); } -#endif /* CPU type */ +#endif /* CPU type */ - -void srtp_aes_encrypt (v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key) +void srtp_aes_encrypt(v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key) { - /* add in the subkey */ v128_xor_eq(plaintext, &exp_key->round[0]); @@ -2109,11 +2145,11 @@ void srtp_aes_encrypt (v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key aes_round(plaintext, &exp_key->round[9]); if (exp_key->num_rounds == 10) { aes_final_round(plaintext, &exp_key->round[10]); - }else if (exp_key->num_rounds == 12) { + } else if (exp_key->num_rounds == 12) { aes_round(plaintext, &exp_key->round[10]); aes_round(plaintext, &exp_key->round[11]); aes_final_round(plaintext, &exp_key->round[12]); - }else if (exp_key->num_rounds == 14) { + } else if (exp_key->num_rounds == 14) { aes_round(plaintext, &exp_key->round[10]); aes_round(plaintext, &exp_key->round[11]); aes_round(plaintext, &exp_key->round[12]); @@ -2122,9 +2158,8 @@ void srtp_aes_encrypt (v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key } } -void srtp_aes_decrypt (v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key) +void srtp_aes_decrypt(v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key) { - /* add in the subkey */ v128_xor_eq(plaintext, &exp_key->round[0]); @@ -2140,11 +2175,11 @@ void srtp_aes_decrypt (v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key aes_inv_round(plaintext, &exp_key->round[9]); if (exp_key->num_rounds == 10) { aes_inv_final_round(plaintext, &exp_key->round[10]); - }else if (exp_key->num_rounds == 12) { + } else if (exp_key->num_rounds == 12) { aes_inv_round(plaintext, &exp_key->round[10]); aes_inv_round(plaintext, &exp_key->round[11]); aes_inv_final_round(plaintext, &exp_key->round[12]); - }else if (exp_key->num_rounds == 14) { + } else if (exp_key->num_rounds == 14) { aes_inv_round(plaintext, &exp_key->round[10]); aes_inv_round(plaintext, &exp_key->round[11]); aes_inv_round(plaintext, &exp_key->round[12]); diff --git a/libs/srtp/crypto/cipher/aes_gcm_ossl.c b/libs/srtp/crypto/cipher/aes_gcm_ossl.c index 416582aacc..ef13a78240 100644 --- a/libs/srtp/crypto/cipher/aes_gcm_ossl.c +++ b/libs/srtp/crypto/cipher/aes_gcm_ossl.c @@ -45,36 +45,28 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include #include "aes_icm_ossl.h" #include "aes_gcm_ossl.h" #include "alloc.h" -#include "err.h" /* for srtp_debug */ +#include "err.h" /* for srtp_debug */ #include "crypto_types.h" - +#include "cipher_types.h" srtp_debug_module_t srtp_mod_aes_gcm = { - 0, /* debugging is off by default */ - "aes gcm" /* printable module name */ + 0, /* debugging is off by default */ + "aes gcm" /* printable module name */ }; -/* - * The following are the global singleton instances for the - * 128-bit and 256-bit GCM ciphers. - */ -extern const srtp_cipher_type_t srtp_aes_gcm_128_openssl; -extern const srtp_cipher_type_t srtp_aes_gcm_256_openssl; - /* * For now we only support 8 and 16 octet tags. The spec allows for * optional 12 byte tag, which may be supported in the future. */ -#define GCM_AUTH_TAG_LEN 16 -#define GCM_AUTH_TAG_LEN_8 8 - +#define GCM_AUTH_TAG_LEN 16 +#define GCM_AUTH_TAG_LEN_8 8 /* * This function allocates a new instance of this crypto engine. @@ -83,11 +75,14 @@ extern const srtp_cipher_type_t srtp_aes_gcm_256_openssl; * key length includes the 14 byte salt value that is used when * initializing the KDF. */ -static srtp_err_status_t srtp_aes_gcm_openssl_alloc (srtp_cipher_t **c, int key_len, int tlen) +static srtp_err_status_t srtp_aes_gcm_openssl_alloc(srtp_cipher_t **c, + int key_len, + int tlen) { srtp_aes_gcm_ctx_t *gcm; - debug_print(srtp_mod_aes_gcm, "allocating cipher with key length %d", key_len); + debug_print(srtp_mod_aes_gcm, "allocating cipher with key length %d", + key_len); debug_print(srtp_mod_aes_gcm, "allocating cipher with tag length %d", tlen); /* @@ -98,8 +93,7 @@ static srtp_err_status_t srtp_aes_gcm_openssl_alloc (srtp_cipher_t **c, int key_ return (srtp_err_status_bad_param); } - if (tlen != GCM_AUTH_TAG_LEN && - tlen != GCM_AUTH_TAG_LEN_8) { + if (tlen != GCM_AUTH_TAG_LEN && tlen != GCM_AUTH_TAG_LEN_8) { return (srtp_err_status_bad_param); } @@ -108,15 +102,13 @@ static srtp_err_status_t srtp_aes_gcm_openssl_alloc (srtp_cipher_t **c, int key_ if (*c == NULL) { return (srtp_err_status_alloc_fail); } - memset(*c, 0x0, sizeof(srtp_cipher_t)); gcm = (srtp_aes_gcm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_gcm_ctx_t)); if (gcm == NULL) { - srtp_crypto_free(*c); - *c = NULL; + srtp_crypto_free(*c); + *c = NULL; return (srtp_err_status_alloc_fail); } - memset(gcm, 0x0, sizeof(srtp_aes_gcm_ctx_t)); gcm->ctx = EVP_CIPHER_CTX_new(); if (gcm->ctx == NULL) { @@ -151,15 +143,14 @@ static srtp_err_status_t srtp_aes_gcm_openssl_alloc (srtp_cipher_t **c, int key_ return (srtp_err_status_ok); } - /* * This function deallocates a GCM session */ -static srtp_err_status_t srtp_aes_gcm_openssl_dealloc (srtp_cipher_t *c) +static srtp_err_status_t srtp_aes_gcm_openssl_dealloc(srtp_cipher_t *c) { srtp_aes_gcm_ctx_t *ctx; - ctx = (srtp_aes_gcm_ctx_t*)c->state; + ctx = (srtp_aes_gcm_ctx_t *)c->state; if (ctx) { EVP_CIPHER_CTX_free(ctx->ctx); /* zeroize the key material */ @@ -179,14 +170,16 @@ static srtp_err_status_t srtp_aes_gcm_openssl_dealloc (srtp_cipher_t *c) * * the key is the secret key */ -static srtp_err_status_t srtp_aes_gcm_openssl_context_init (void* cv, const uint8_t *key) +static srtp_err_status_t srtp_aes_gcm_openssl_context_init(void *cv, + const uint8_t *key) { srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; const EVP_CIPHER *evp; c->dir = srtp_direction_any; - debug_print(srtp_mod_aes_gcm, "key: %s", srtp_octet_string_hex_string(key, c->key_size)); + debug_print(srtp_mod_aes_gcm, "key: %s", + srtp_octet_string_hex_string(key, c->key_size)); switch (c->key_size) { case SRTP_AES_256_KEY_LEN: @@ -207,35 +200,32 @@ static srtp_err_status_t srtp_aes_gcm_openssl_context_init (void* cv, const uint return (srtp_err_status_ok); } - /* * aes_gcm_openssl_set_iv(c, iv) sets the counter value to the exor of iv with * the offset */ -static srtp_err_status_t srtp_aes_gcm_openssl_set_iv (void *cv, uint8_t *iv, srtp_cipher_direction_t direction) +static srtp_err_status_t srtp_aes_gcm_openssl_set_iv( + void *cv, + uint8_t *iv, + srtp_cipher_direction_t direction) { srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; - if (direction != srtp_direction_encrypt && direction != srtp_direction_decrypt) { + if (direction != srtp_direction_encrypt && + direction != srtp_direction_decrypt) { return (srtp_err_status_bad_param); } c->dir = direction; - debug_print(srtp_mod_aes_gcm, "setting iv: %s", v128_hex_string((v128_t*)iv)); + debug_print(srtp_mod_aes_gcm, "setting iv: %s", + v128_hex_string((v128_t *)iv)); - if (!EVP_CipherInit_ex(c->ctx, NULL, NULL, NULL, - NULL, (c->dir == srtp_direction_encrypt ? 1 : 0))) { - return (srtp_err_status_init_fail); - } - - /* set IV len and the IV value, the followiong 3 calls are required */ if (!EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_SET_IVLEN, 12, 0)) { return (srtp_err_status_init_fail); } - if (!EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_SET_IV_FIXED, -1, (void*)iv)) { - return (srtp_err_status_init_fail); - } - if (!EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_IV_GEN, 0, (void*)iv)) { + + if (!EVP_CipherInit_ex(c->ctx, NULL, NULL, NULL, iv, + (c->dir == srtp_direction_encrypt ? 1 : 0))) { return (srtp_err_status_init_fail); } @@ -250,7 +240,9 @@ static srtp_err_status_t srtp_aes_gcm_openssl_set_iv (void *cv, uint8_t *iv, srt * aad Additional data to process for AEAD cipher suites * aad_len length of aad buffer */ -static srtp_err_status_t srtp_aes_gcm_openssl_set_aad (void *cv, const uint8_t *aad, uint32_t aad_len) +static srtp_err_status_t srtp_aes_gcm_openssl_set_aad(void *cv, + const uint8_t *aad, + uint32_t aad_len) { srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; int rv; @@ -262,8 +254,8 @@ static srtp_err_status_t srtp_aes_gcm_openssl_set_aad (void *cv, const uint8_t * /* * OpenSSL never write to address pointed by the last parameter of - * EVP_CIPHER_CTX_ctrl while EVP_CTRL_GCM_SET_TAG (in reality, - * OpenSSL copy its content to the context), so we can make + * EVP_CIPHER_CTX_ctrl while EVP_CTRL_GCM_SET_TAG (in reality, + * OpenSSL copy its content to the context), so we can make * aad read-only in this function and all its wrappers. */ unsigned char dummy_tag[GCM_AUTH_TAG_LEN]; @@ -286,7 +278,9 @@ static srtp_err_status_t srtp_aes_gcm_openssl_set_aad (void *cv, const uint8_t * * buf data to encrypt * enc_len length of encrypt buffer */ -static srtp_err_status_t srtp_aes_gcm_openssl_encrypt (void *cv, unsigned char *buf, unsigned int *enc_len) +static srtp_err_status_t srtp_aes_gcm_openssl_encrypt(void *cv, + unsigned char *buf, + unsigned int *enc_len) { srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; if (c->dir != srtp_direction_encrypt && c->dir != srtp_direction_decrypt) { @@ -312,7 +306,9 @@ static srtp_err_status_t srtp_aes_gcm_openssl_encrypt (void *cv, unsigned char * * buf data to encrypt * len length of encrypt buffer */ -static srtp_err_status_t srtp_aes_gcm_openssl_get_tag (void *cv, uint8_t *buf, uint32_t *len) +static srtp_err_status_t srtp_aes_gcm_openssl_get_tag(void *cv, + uint8_t *buf, + uint32_t *len) { srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; /* @@ -333,7 +329,6 @@ static srtp_err_status_t srtp_aes_gcm_openssl_get_tag (void *cv, uint8_t *buf, u return (srtp_err_status_ok); } - /* * This function decrypts a buffer using AES GCM mode * @@ -342,7 +337,9 @@ static srtp_err_status_t srtp_aes_gcm_openssl_get_tag (void *cv, uint8_t *buf, u * buf data to encrypt * enc_len length of encrypt buffer */ -static srtp_err_status_t srtp_aes_gcm_openssl_decrypt (void *cv, unsigned char *buf, unsigned int *enc_len) +static srtp_err_status_t srtp_aes_gcm_openssl_decrypt(void *cv, + unsigned char *buf, + unsigned int *enc_len) { srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv; if (c->dir != srtp_direction_encrypt && c->dir != srtp_direction_decrypt) { @@ -372,32 +369,36 @@ static srtp_err_status_t srtp_aes_gcm_openssl_decrypt (void *cv, unsigned char * return (srtp_err_status_ok); } - - /* * Name of this crypto engine */ -static const char srtp_aes_gcm_128_openssl_description[] = "AES-128 GCM using openssl"; -static const char srtp_aes_gcm_256_openssl_description[] = "AES-256 GCM using openssl"; - +static const char srtp_aes_gcm_128_openssl_description[] = + "AES-128 GCM using openssl"; +static const char srtp_aes_gcm_256_openssl_description[] = + "AES-256 GCM using openssl"; /* * KAT values for AES self-test. These * values we're derived from independent test code * using OpenSSL. */ +/* clang-format off */ static const uint8_t srtp_aes_gcm_test_case_0_key[SRTP_AES_GCM_128_KEY_LEN_WSALT] = { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, }; +/* clang-format on */ +/* clang-format off */ static uint8_t srtp_aes_gcm_test_case_0_iv[12] = { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88 }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_gcm_test_case_0_plaintext[60] = { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, @@ -409,12 +410,15 @@ static const uint8_t srtp_aes_gcm_test_case_0_plaintext[60] = { 0xba, 0x63, 0x7b, 0x39 }; +/* clang-format off */ static const uint8_t srtp_aes_gcm_test_case_0_aad[20] = { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xab, 0xad, 0xda, 0xd2 }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_gcm_test_case_0_ciphertext[76] = { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, @@ -428,6 +432,7 @@ static const uint8_t srtp_aes_gcm_test_case_0_ciphertext[76] = { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb, 0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47, }; +/* clang-format on */ static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0a = { SRTP_AES_GCM_128_KEY_LEN_WSALT, /* octets in key */ @@ -439,7 +444,7 @@ static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0a = { srtp_aes_gcm_test_case_0_ciphertext, /* ciphertext + tag */ 20, /* octets in AAD */ srtp_aes_gcm_test_case_0_aad, /* AAD */ - GCM_AUTH_TAG_LEN_8, + GCM_AUTH_TAG_LEN_8, /* */ NULL /* pointer to next testcase */ }; @@ -453,10 +458,11 @@ static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0 = { srtp_aes_gcm_test_case_0_ciphertext, /* ciphertext + tag */ 20, /* octets in AAD */ srtp_aes_gcm_test_case_0_aad, /* AAD */ - GCM_AUTH_TAG_LEN, + GCM_AUTH_TAG_LEN, /* */ &srtp_aes_gcm_test_case_0a /* pointer to next testcase */ }; +/* clang-format off */ static const uint8_t srtp_aes_gcm_test_case_1_key[SRTP_AES_GCM_256_KEY_LEN_WSALT] = { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 0xa5, 0x59, 0x09, 0xc5, 0x54, 0x66, 0x93, 0x1c, @@ -464,14 +470,17 @@ static const uint8_t srtp_aes_gcm_test_case_1_key[SRTP_AES_GCM_256_KEY_LEN_WSALT 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, - }; +/* clang-format on */ +/* clang-format off */ static uint8_t srtp_aes_gcm_test_case_1_iv[12] = { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88 }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_gcm_test_case_1_plaintext[60] = { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, @@ -482,13 +491,17 @@ static const uint8_t srtp_aes_gcm_test_case_1_plaintext[60] = { 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 0xba, 0x63, 0x7b, 0x39 }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_gcm_test_case_1_aad[20] = { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 0xab, 0xad, 0xda, 0xd2 }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_gcm_test_case_1_ciphertext[76] = { 0x0b, 0x11, 0xcf, 0xaf, 0x68, 0x4d, 0xae, 0x46, 0xc7, 0x90, 0xb8, 0x8e, 0xb7, 0x6a, 0x76, 0x2a, @@ -502,6 +515,7 @@ static const uint8_t srtp_aes_gcm_test_case_1_ciphertext[76] = { 0x45, 0xbc, 0x03, 0xe6, 0xe1, 0xac, 0x0a, 0x9f, 0x81, 0xcb, 0x8e, 0x5b, 0x46, 0x65, 0x63, 0x1d, }; +/* clang-format on */ static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1a = { SRTP_AES_GCM_256_KEY_LEN_WSALT, /* octets in key */ @@ -513,7 +527,7 @@ static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1a = { srtp_aes_gcm_test_case_1_ciphertext, /* ciphertext + tag */ 20, /* octets in AAD */ srtp_aes_gcm_test_case_1_aad, /* AAD */ - GCM_AUTH_TAG_LEN_8, + GCM_AUTH_TAG_LEN_8, /* */ NULL /* pointer to next testcase */ }; @@ -527,7 +541,7 @@ static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1 = { srtp_aes_gcm_test_case_1_ciphertext, /* ciphertext + tag */ 20, /* octets in AAD */ srtp_aes_gcm_test_case_1_aad, /* AAD */ - GCM_AUTH_TAG_LEN, + GCM_AUTH_TAG_LEN, /* */ &srtp_aes_gcm_test_case_1a /* pointer to next testcase */ }; @@ -564,4 +578,3 @@ const srtp_cipher_type_t srtp_aes_gcm_256_openssl = { &srtp_aes_gcm_test_case_1, SRTP_AES_GCM_256 }; - diff --git a/libs/srtp/crypto/cipher/aes_icm.c b/libs/srtp/crypto/cipher/aes_icm.c index 6901213bad..7551c75148 100644 --- a/libs/srtp/crypto/cipher/aes_icm.c +++ b/libs/srtp/crypto/cipher/aes_icm.c @@ -44,21 +44,19 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #define ALIGN_32 0 #include "aes_icm.h" #include "alloc.h" - +#include "cipher_types.h" srtp_debug_module_t srtp_mod_aes_icm = { - 0, /* debugging is off by default */ - "aes icm" /* printable module name */ + 0, /* debugging is off by default */ + "aes icm" /* printable module name */ }; -extern const srtp_cipher_type_t srtp_aes_icm_128; -extern const srtp_cipher_type_t srtp_aes_icm_256; /* * integer counter mode works as follows: @@ -94,12 +92,14 @@ extern const srtp_cipher_type_t srtp_aes_icm_256; * */ -static srtp_err_status_t srtp_aes_icm_alloc (srtp_cipher_t **c, int key_len, int tlen) +static srtp_err_status_t srtp_aes_icm_alloc(srtp_cipher_t **c, + int key_len, + int tlen) { srtp_aes_icm_ctx_t *icm; - debug_print(srtp_mod_aes_icm, - "allocating cipher with key length %d", key_len); + debug_print(srtp_mod_aes_icm, "allocating cipher with key length %d", + key_len); /* * The check for key_len = 30/46 does not apply. Our usage @@ -107,7 +107,8 @@ static srtp_err_status_t srtp_aes_icm_alloc (srtp_cipher_t **c, int key_len, int * has not broken anything. Don't know what would be the * effect of skipping this check for srtp in general. */ - if (key_len != SRTP_AES_ICM_128_KEY_LEN_WSALT && key_len != SRTP_AES_ICM_256_KEY_LEN_WSALT) { + if (key_len != SRTP_AES_ICM_128_KEY_LEN_WSALT && + key_len != SRTP_AES_ICM_256_KEY_LEN_WSALT) { return srtp_err_status_bad_param; } @@ -116,14 +117,13 @@ static srtp_err_status_t srtp_aes_icm_alloc (srtp_cipher_t **c, int key_len, int if (*c == NULL) { return srtp_err_status_alloc_fail; } - memset(*c, 0x0, sizeof(srtp_cipher_t)); icm = (srtp_aes_icm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_icm_ctx_t)); if (icm == NULL) { - srtp_crypto_free(*c); + srtp_crypto_free(*c); + *c = NULL; return srtp_err_status_alloc_fail; } - memset(icm, 0x0, sizeof(srtp_aes_icm_ctx_t)); /* set pointers */ (*c)->state = icm; @@ -146,7 +146,7 @@ static srtp_err_status_t srtp_aes_icm_alloc (srtp_cipher_t **c, int key_len, int return srtp_err_status_ok; } -static srtp_err_status_t srtp_aes_icm_dealloc (srtp_cipher_t *c) +static srtp_err_status_t srtp_aes_icm_dealloc(srtp_cipher_t *c) { srtp_aes_icm_ctx_t *ctx; @@ -167,7 +167,6 @@ static srtp_err_status_t srtp_aes_icm_dealloc (srtp_cipher_t *c) return srtp_err_status_ok; } - /* * aes_icm_context_init(...) initializes the aes_icm_context * using the value in key[]. @@ -178,15 +177,16 @@ static srtp_err_status_t srtp_aes_icm_dealloc (srtp_cipher_t *c) * randomizes the starting point in the keystream */ -static srtp_err_status_t srtp_aes_icm_context_init (void *cv, const uint8_t *key) +static srtp_err_status_t srtp_aes_icm_context_init(void *cv, const uint8_t *key) { srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; srtp_err_status_t status; int base_key_len, copy_len; - if (c->key_size == SRTP_AES_ICM_128_KEY_LEN_WSALT || c->key_size == SRTP_AES_ICM_256_KEY_LEN_WSALT) { + if (c->key_size == SRTP_AES_ICM_128_KEY_LEN_WSALT || + c->key_size == SRTP_AES_ICM_256_KEY_LEN_WSALT) { base_key_len = c->key_size - SRTP_SALT_LEN; - } else{ + } else { return srtp_err_status_bad_param; } @@ -198,7 +198,8 @@ static srtp_err_status_t srtp_aes_icm_context_init (void *cv, const uint8_t *key v128_set_to_zero(&c->offset); copy_len = c->key_size - base_key_len; - /* force last two octets of the offset to be left zero (for srtp compatibility) */ + /* force last two octets of the offset to be left zero (for srtp + * compatibility) */ if (copy_len > SRTP_SALT_LEN) { copy_len = SRTP_SALT_LEN; } @@ -206,13 +207,13 @@ static srtp_err_status_t srtp_aes_icm_context_init (void *cv, const uint8_t *key memcpy(&c->counter, key + base_key_len, copy_len); memcpy(&c->offset, key + base_key_len, copy_len); - debug_print(srtp_mod_aes_icm, - "key: %s", srtp_octet_string_hex_string(key, base_key_len)); - debug_print(srtp_mod_aes_icm, - "offset: %s", v128_hex_string(&c->offset)); + debug_print(srtp_mod_aes_icm, "key: %s", + srtp_octet_string_hex_string(key, base_key_len)); + debug_print(srtp_mod_aes_icm, "offset: %s", v128_hex_string(&c->offset)); /* expand key */ - status = srtp_aes_expand_encryption_key(key, base_key_len, &c->expanded_key); + status = + srtp_aes_expand_encryption_key(key, base_key_len, &c->expanded_key); if (status) { v128_set_to_zero(&c->counter); v128_set_to_zero(&c->offset); @@ -230,7 +231,9 @@ static srtp_err_status_t srtp_aes_icm_context_init (void *cv, const uint8_t *key * the offset */ -static srtp_err_status_t srtp_aes_icm_set_iv (void *cv, uint8_t *iv, srtp_cipher_direction_t direction) +static srtp_err_status_t srtp_aes_icm_set_iv(void *cv, + uint8_t *iv, + srtp_cipher_direction_t direction) { srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; v128_t nonce; @@ -238,13 +241,12 @@ static srtp_err_status_t srtp_aes_icm_set_iv (void *cv, uint8_t *iv, srtp_cipher /* set nonce (for alignment) */ v128_copy_octet_string(&nonce, iv); - debug_print(srtp_mod_aes_icm, - "setting iv: %s", v128_hex_string(&nonce)); + debug_print(srtp_mod_aes_icm, "setting iv: %s", v128_hex_string(&nonce)); v128_xor(&c->counter, &c->offset, &nonce); - debug_print(srtp_mod_aes_icm, - "set_counter: %s", v128_hex_string(&c->counter)); + debug_print(srtp_mod_aes_icm, "set_counter: %s", + v128_hex_string(&c->counter)); /* indicate that the keystream_buffer is empty */ c->bytes_in_buffer = 0; @@ -252,15 +254,13 @@ static srtp_err_status_t srtp_aes_icm_set_iv (void *cv, uint8_t *iv, srtp_cipher return srtp_err_status_ok; } - - /* * aes_icm_advance(...) refills the keystream_buffer and * advances the block index of the sicm_context forward by one * * this is an internal, hopefully inlined function */ -static void srtp_aes_icm_advance (srtp_aes_icm_ctx_t *c) +static void srtp_aes_icm_advance(srtp_aes_icm_ctx_t *c) { /* fill buffer with new keystream */ v128_copy(&c->keystream_buffer, &c->counter); @@ -278,7 +278,7 @@ static void srtp_aes_icm_advance (srtp_aes_icm_ctx_t *c) } } -/*e +/* * icm_encrypt deals with the following cases: * * bytes_to_encr < bytes_in_buffer @@ -291,10 +291,11 @@ static void srtp_aes_icm_advance (srtp_aes_icm_ctx_t *c) * - fill buffer then add in remaining (< 16) bytes of keystream */ -static srtp_err_status_t srtp_aes_icm_encrypt (void *cv, - unsigned char *buf, unsigned int *enc_len) +static srtp_err_status_t srtp_aes_icm_encrypt(void *cv, + unsigned char *buf, + unsigned int *enc_len) { - srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t*)cv; + srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; unsigned int bytes_to_encr = *enc_len; unsigned int i; uint32_t *b; @@ -304,10 +305,8 @@ static srtp_err_status_t srtp_aes_icm_encrypt (void *cv, return srtp_err_status_terminus; } - debug_print(srtp_mod_aes_icm, "block index: %d", - htons(c->counter.v16[7])); + debug_print(srtp_mod_aes_icm, "block index: %d", htons(c->counter.v16[7])); if (bytes_to_encr <= (unsigned int)c->bytes_in_buffer) { - /* deal with odd case of small bytes_to_encr */ for (i = (sizeof(v128_t) - c->bytes_in_buffer); i < (sizeof(v128_t) - c->bytes_in_buffer + bytes_to_encr); i++) { @@ -320,37 +319,35 @@ static srtp_err_status_t srtp_aes_icm_encrypt (void *cv, return srtp_err_status_ok; } else { - /* encrypt bytes until the remaining data is 16-byte aligned */ - for (i = (sizeof(v128_t) - c->bytes_in_buffer); i < sizeof(v128_t); i++) { + for (i = (sizeof(v128_t) - c->bytes_in_buffer); i < sizeof(v128_t); + i++) { *buf++ ^= c->keystream_buffer.v8[i]; } bytes_to_encr -= c->bytes_in_buffer; c->bytes_in_buffer = 0; - } /* now loop over entire 16-byte blocks of keystream */ for (i = 0; i < (bytes_to_encr / sizeof(v128_t)); i++) { - /* fill buffer with new keystream */ srtp_aes_icm_advance(c); - /* - * add keystream into the data buffer (this would be a lot faster - * if we could assume 32-bit alignment!) - */ +/* + * add keystream into the data buffer (this would be a lot faster + * if we could assume 32-bit alignment!) + */ #if ALIGN_32 - b = (uint32_t*)buf; + b = (uint32_t *)buf; *b++ ^= c->keystream_buffer.v32[0]; *b++ ^= c->keystream_buffer.v32[1]; *b++ ^= c->keystream_buffer.v32[2]; *b++ ^= c->keystream_buffer.v32[3]; - buf = (uint8_t*)b; + buf = (uint8_t *)b; #else - if ((((unsigned long)buf) & 0x03) != 0) { + if ((((uintptr_t)buf) & 0x03) != 0) { *buf++ ^= c->keystream_buffer.v8[0]; *buf++ ^= c->keystream_buffer.v8[1]; *buf++ ^= c->keystream_buffer.v8[2]; @@ -368,20 +365,18 @@ static srtp_err_status_t srtp_aes_icm_encrypt (void *cv, *buf++ ^= c->keystream_buffer.v8[14]; *buf++ ^= c->keystream_buffer.v8[15]; } else { - b = (uint32_t*)buf; + b = (uint32_t *)buf; *b++ ^= c->keystream_buffer.v32[0]; *b++ ^= c->keystream_buffer.v32[1]; *b++ ^= c->keystream_buffer.v32[2]; *b++ ^= c->keystream_buffer.v32[3]; - buf = (uint8_t*)b; + buf = (uint8_t *)b; } -#endif /* #if ALIGN_32 */ - +#endif /* #if ALIGN_32 */ } /* if there is a tail end of the data, process it */ if ((bytes_to_encr & 0xf) != 0) { - /* fill buffer with new keystream */ srtp_aes_icm_advance(c); @@ -392,58 +387,67 @@ static srtp_err_status_t srtp_aes_icm_encrypt (void *cv, /* reset the keystream buffer size to right value */ c->bytes_in_buffer = sizeof(v128_t) - i; } else { - /* no tail, so just reset the keystream buffer size to zero */ c->bytes_in_buffer = 0; - } return srtp_err_status_ok; } -static const char srtp_aes_icm_128_description[] = "AES-128 integer counter mode"; -static const char srtp_aes_icm_256_description[] = "AES-256 integer counter mode"; +static const char srtp_aes_icm_128_description[] = + "AES-128 integer counter mode"; +static const char srtp_aes_icm_256_description[] = + "AES-256 integer counter mode"; +/* clang-format off */ static const uint8_t srtp_aes_icm_128_test_case_0_key[SRTP_AES_ICM_128_KEY_LEN_WSALT] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd }; +/* clang-format on */ +/* clang-format off */ static uint8_t srtp_aes_icm_128_test_case_0_nonce[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_icm_128_test_case_0_plaintext[32] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_icm_128_test_case_0_ciphertext[32] = { 0xe0, 0x3e, 0xad, 0x09, 0x35, 0xc9, 0x5e, 0x80, 0xe1, 0x66, 0xb1, 0x6d, 0xd9, 0x2b, 0x4e, 0xb4, 0xd2, 0x35, 0x13, 0x16, 0x2b, 0x02, 0xd0, 0xf7, 0x2a, 0x43, 0xa2, 0xfe, 0x4a, 0x5f, 0x97, 0xab }; +/* clang-format on */ static const srtp_cipher_test_case_t srtp_aes_icm_128_test_case_0 = { - SRTP_AES_ICM_128_KEY_LEN_WSALT, /* octets in key */ + SRTP_AES_ICM_128_KEY_LEN_WSALT, /* octets in key */ srtp_aes_icm_128_test_case_0_key, /* key */ srtp_aes_icm_128_test_case_0_nonce, /* packet index */ - 32, /* octets in plaintext */ + 32, /* octets in plaintext */ srtp_aes_icm_128_test_case_0_plaintext, /* plaintext */ - 32, /* octets in ciphertext */ + 32, /* octets in ciphertext */ srtp_aes_icm_128_test_case_0_ciphertext, /* ciphertext */ - 0, - NULL, - 0, - NULL /* pointer to next testcase */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ }; +/* clang-format off */ static const uint8_t srtp_aes_icm_256_test_case_0_key[SRTP_AES_ICM_256_KEY_LEN_WSALT] = { 0x57, 0xf8, 0x2f, 0xe3, 0x61, 0x3f, 0xd1, 0x70, 0xa8, 0x5e, 0xc9, 0x3c, 0x40, 0xb1, 0xf0, 0x92, @@ -452,70 +456,75 @@ static const uint8_t srtp_aes_icm_256_test_case_0_key[SRTP_AES_ICM_256_KEY_LEN_W 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd }; +/* clang-format on */ +/* clang-format off */ static uint8_t srtp_aes_icm_256_test_case_0_nonce[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_icm_256_test_case_0_plaintext[32] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_icm_256_test_case_0_ciphertext[32] = { 0x92, 0xbd, 0xd2, 0x8a, 0x93, 0xc3, 0xf5, 0x25, 0x11, 0xc6, 0x77, 0xd0, 0x8b, 0x55, 0x15, 0xa4, 0x9d, 0xa7, 0x1b, 0x23, 0x78, 0xa8, 0x54, 0xf6, 0x70, 0x50, 0x75, 0x6d, 0xed, 0x16, 0x5b, 0xac }; +/* clang-format on */ static const srtp_cipher_test_case_t srtp_aes_icm_256_test_case_0 = { - SRTP_AES_ICM_256_KEY_LEN_WSALT, /* octets in key */ + SRTP_AES_ICM_256_KEY_LEN_WSALT, /* octets in key */ srtp_aes_icm_256_test_case_0_key, /* key */ srtp_aes_icm_256_test_case_0_nonce, /* packet index */ - 32, /* octets in plaintext */ + 32, /* octets in plaintext */ srtp_aes_icm_256_test_case_0_plaintext, /* plaintext */ - 32, /* octets in ciphertext */ + 32, /* octets in ciphertext */ srtp_aes_icm_256_test_case_0_ciphertext, /* ciphertext */ - 0, - NULL, - 0, - NULL, /* pointer to next testcase */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL, /* pointer to next testcase */ }; - - /* * note: the encrypt function is identical to the decrypt function */ const srtp_cipher_type_t srtp_aes_icm_128 = { - srtp_aes_icm_alloc, - srtp_aes_icm_dealloc, - srtp_aes_icm_context_init, - 0, /* set_aad */ - srtp_aes_icm_encrypt, - srtp_aes_icm_encrypt, - srtp_aes_icm_set_iv, - 0, /* get_tag */ - srtp_aes_icm_128_description, - &srtp_aes_icm_128_test_case_0, - SRTP_AES_ICM_128 + srtp_aes_icm_alloc, /* */ + srtp_aes_icm_dealloc, /* */ + srtp_aes_icm_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_encrypt, /* */ + srtp_aes_icm_encrypt, /* */ + srtp_aes_icm_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_128_description, /* */ + &srtp_aes_icm_128_test_case_0, /* */ + SRTP_AES_ICM_128 /* */ }; const srtp_cipher_type_t srtp_aes_icm_256 = { - srtp_aes_icm_alloc, - srtp_aes_icm_dealloc, - srtp_aes_icm_context_init, - 0, /* set_aad */ - srtp_aes_icm_encrypt, - srtp_aes_icm_encrypt, - srtp_aes_icm_set_iv, - 0, /* get_tag */ - srtp_aes_icm_256_description, - &srtp_aes_icm_256_test_case_0, - SRTP_AES_ICM_256 + srtp_aes_icm_alloc, /* */ + srtp_aes_icm_dealloc, /* */ + srtp_aes_icm_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_encrypt, /* */ + srtp_aes_icm_encrypt, /* */ + srtp_aes_icm_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_256_description, /* */ + &srtp_aes_icm_256_test_case_0, /* */ + SRTP_AES_ICM_256 /* */ }; diff --git a/libs/srtp/crypto/cipher/aes_icm_ossl.c b/libs/srtp/crypto/cipher/aes_icm_ossl.c index 25b431fadd..b591897623 100644 --- a/libs/srtp/crypto/cipher/aes_icm_ossl.c +++ b/libs/srtp/crypto/cipher/aes_icm_ossl.c @@ -49,23 +49,20 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include #include "aes_icm_ossl.h" #include "crypto_types.h" -#include "err.h" /* for srtp_debug */ +#include "err.h" /* for srtp_debug */ #include "alloc.h" - +#include "cipher_types.h" srtp_debug_module_t srtp_mod_aes_icm = { - 0, /* debugging is off by default */ - "aes icm ossl" /* printable module name */ + 0, /* debugging is off by default */ + "aes icm ossl" /* printable module name */ }; -extern const srtp_cipher_type_t srtp_aes_icm_128; -extern const srtp_cipher_type_t srtp_aes_icm_192; -extern const srtp_cipher_type_t srtp_aes_icm_256; /* * integer counter mode works as follows: @@ -109,16 +106,20 @@ extern const srtp_cipher_type_t srtp_aes_icm_256; * value. The tlen argument is for the AEAD tag length, which * isn't used in counter mode. */ -static srtp_err_status_t srtp_aes_icm_openssl_alloc (srtp_cipher_t **c, int key_len, int tlen) +static srtp_err_status_t srtp_aes_icm_openssl_alloc(srtp_cipher_t **c, + int key_len, + int tlen) { srtp_aes_icm_ctx_t *icm; - debug_print(srtp_mod_aes_icm, "allocating cipher with key length %d", key_len); + debug_print(srtp_mod_aes_icm, "allocating cipher with key length %d", + key_len); /* * Verify the key_len is valid for one of: AES-128/192/256 */ - if (key_len != SRTP_AES_ICM_128_KEY_LEN_WSALT && key_len != SRTP_AES_ICM_192_KEY_LEN_WSALT && + if (key_len != SRTP_AES_ICM_128_KEY_LEN_WSALT && + key_len != SRTP_AES_ICM_192_KEY_LEN_WSALT && key_len != SRTP_AES_ICM_256_KEY_LEN_WSALT) { return srtp_err_status_bad_param; } @@ -128,15 +129,13 @@ static srtp_err_status_t srtp_aes_icm_openssl_alloc (srtp_cipher_t **c, int key_ if (*c == NULL) { return srtp_err_status_alloc_fail; } - memset(*c, 0x0, sizeof(srtp_cipher_t)); icm = (srtp_aes_icm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_icm_ctx_t)); if (icm == NULL) { - srtp_crypto_free(*c); - *c = NULL; + srtp_crypto_free(*c); + *c = NULL; return srtp_err_status_alloc_fail; } - memset(icm, 0x0, sizeof(srtp_aes_icm_ctx_t)); icm->ctx = EVP_CIPHER_CTX_new(); if (icm->ctx == NULL) { @@ -174,11 +173,10 @@ static srtp_err_status_t srtp_aes_icm_openssl_alloc (srtp_cipher_t **c, int key_ return srtp_err_status_ok; } - /* * This function deallocates an instance of this engine */ -static srtp_err_status_t srtp_aes_icm_openssl_dealloc (srtp_cipher_t *c) +static srtp_err_status_t srtp_aes_icm_openssl_dealloc(srtp_cipher_t *c) { srtp_aes_icm_ctx_t *ctx; @@ -189,7 +187,7 @@ static srtp_err_status_t srtp_aes_icm_openssl_dealloc (srtp_cipher_t *c) /* * Free the EVP context */ - ctx = (srtp_aes_icm_ctx_t*)c->state; + ctx = (srtp_aes_icm_ctx_t *)c->state; if (ctx != NULL) { EVP_CIPHER_CTX_free(ctx->ctx); /* zeroize the key material */ @@ -212,7 +210,8 @@ static srtp_err_status_t srtp_aes_icm_openssl_dealloc (srtp_cipher_t *c) * the salt is unpredictable (but not necessarily secret) data which * randomizes the starting point in the keystream */ -static srtp_err_status_t srtp_aes_icm_openssl_context_init (void* cv, const uint8_t *key) +static srtp_err_status_t srtp_aes_icm_openssl_context_init(void *cv, + const uint8_t *key) { srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; const EVP_CIPHER *evp; @@ -230,7 +229,8 @@ static srtp_err_status_t srtp_aes_icm_openssl_context_init (void* cv, const uint c->offset.v8[SRTP_SALT_LEN] = c->offset.v8[SRTP_SALT_LEN + 1] = 0; c->counter.v8[SRTP_SALT_LEN] = c->counter.v8[SRTP_SALT_LEN + 1] = 0; - debug_print(srtp_mod_aes_icm, "key: %s", srtp_octet_string_hex_string(key, c->key_size)); + debug_print(srtp_mod_aes_icm, "key: %s", + srtp_octet_string_hex_string(key, c->key_size)); debug_print(srtp_mod_aes_icm, "offset: %s", v128_hex_string(&c->offset)); switch (c->key_size) { @@ -248,8 +248,7 @@ static srtp_err_status_t srtp_aes_icm_openssl_context_init (void* cv, const uint break; } - if (!EVP_EncryptInit_ex(c->ctx, evp, - NULL, key, NULL)) { + if (!EVP_EncryptInit_ex(c->ctx, evp, NULL, key, NULL)) { return srtp_err_status_fail; } else { return srtp_err_status_ok; @@ -258,12 +257,14 @@ static srtp_err_status_t srtp_aes_icm_openssl_context_init (void* cv, const uint return srtp_err_status_ok; } - /* * aes_icm_set_iv(c, iv) sets the counter value to the exor of iv with * the offset */ -static srtp_err_status_t srtp_aes_icm_openssl_set_iv (void *cv, uint8_t *iv, srtp_cipher_direction_t dir) +static srtp_err_status_t srtp_aes_icm_openssl_set_iv( + void *cv, + uint8_t *iv, + srtp_cipher_direction_t dir) { srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; v128_t nonce; @@ -275,10 +276,10 @@ static srtp_err_status_t srtp_aes_icm_openssl_set_iv (void *cv, uint8_t *iv, srt v128_xor(&c->counter, &c->offset, &nonce); - debug_print(srtp_mod_aes_icm, "set_counter: %s", v128_hex_string(&c->counter)); + debug_print(srtp_mod_aes_icm, "set_counter: %s", + v128_hex_string(&c->counter)); - if (!EVP_EncryptInit_ex(c->ctx, NULL, - NULL, NULL, c->counter.v8)) { + if (!EVP_EncryptInit_ex(c->ctx, NULL, NULL, NULL, c->counter.v8)) { return srtp_err_status_fail; } else { return srtp_err_status_ok; @@ -293,7 +294,9 @@ static srtp_err_status_t srtp_aes_icm_openssl_set_iv (void *cv, uint8_t *iv, srt * buf data to encrypt * enc_len length of encrypt buffer */ -static srtp_err_status_t srtp_aes_icm_openssl_encrypt (void *cv, unsigned char *buf, unsigned int *enc_len) +static srtp_err_status_t srtp_aes_icm_openssl_encrypt(void *cv, + unsigned char *buf, + unsigned int *enc_len) { srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv; int len = 0; @@ -316,59 +319,70 @@ static srtp_err_status_t srtp_aes_icm_openssl_encrypt (void *cv, unsigned char * /* * Name of this crypto engine */ -static const char srtp_aes_icm_128_openssl_description[] = "AES-128 counter mode using openssl"; -static const char srtp_aes_icm_192_openssl_description[] = "AES-192 counter mode using openssl"; -static const char srtp_aes_icm_256_openssl_description[] = "AES-256 counter mode using openssl"; - +static const char srtp_aes_icm_128_openssl_description[] = + "AES-128 counter mode using openssl"; +static const char srtp_aes_icm_192_openssl_description[] = + "AES-192 counter mode using openssl"; +static const char srtp_aes_icm_256_openssl_description[] = + "AES-256 counter mode using openssl"; /* * KAT values for AES self-test. These * values came from the legacy libsrtp code. */ +/* clang-format off */ static const uint8_t srtp_aes_icm_128_test_case_0_key[SRTP_AES_ICM_128_KEY_LEN_WSALT] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd }; +/* clang-format on */ +/* clang-format off */ static uint8_t srtp_aes_icm_128_test_case_0_nonce[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_icm_128_test_case_0_plaintext[32] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_icm_128_test_case_0_ciphertext[32] = { 0xe0, 0x3e, 0xad, 0x09, 0x35, 0xc9, 0x5e, 0x80, 0xe1, 0x66, 0xb1, 0x6d, 0xd9, 0x2b, 0x4e, 0xb4, 0xd2, 0x35, 0x13, 0x16, 0x2b, 0x02, 0xd0, 0xf7, 0x2a, 0x43, 0xa2, 0xfe, 0x4a, 0x5f, 0x97, 0xab }; +/* clang-format on */ static const srtp_cipher_test_case_t srtp_aes_icm_128_test_case_0 = { - SRTP_AES_ICM_128_KEY_LEN_WSALT, /* octets in key */ - srtp_aes_icm_128_test_case_0_key, /* key */ - srtp_aes_icm_128_test_case_0_nonce, /* packet index */ - 32, /* octets in plaintext */ - srtp_aes_icm_128_test_case_0_plaintext, /* plaintext */ - 32, /* octets in ciphertext */ - srtp_aes_icm_128_test_case_0_ciphertext, /* ciphertext */ - 0, - NULL, - 0, - NULL /* pointer to next testcase */ + SRTP_AES_ICM_128_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_icm_128_test_case_0_key, /* key */ + srtp_aes_icm_128_test_case_0_nonce, /* packet index */ + 32, /* octets in plaintext */ + srtp_aes_icm_128_test_case_0_plaintext, /* plaintext */ + 32, /* octets in ciphertext */ + srtp_aes_icm_128_test_case_0_ciphertext, /* ciphertext */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ }; /* * KAT values for AES-192-CTR self-test. These * values came from section 7 of RFC 6188. */ +/* clang-format off */ static const uint8_t srtp_aes_icm_192_test_case_0_key[SRTP_AES_ICM_192_KEY_LEN_WSALT] = { 0xea, 0xb2, 0x34, 0x76, 0x4e, 0x51, 0x7b, 0x2d, 0x3d, 0x16, 0x0d, 0x58, 0x7d, 0x8c, 0x86, 0x21, @@ -376,44 +390,52 @@ static const uint8_t srtp_aes_icm_192_test_case_0_key[SRTP_AES_ICM_192_KEY_LEN_W 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd }; +/* clang-format on */ +/* clang-format off */ static uint8_t srtp_aes_icm_192_test_case_0_nonce[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_icm_192_test_case_0_plaintext[32] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_icm_192_test_case_0_ciphertext[32] = { 0x35, 0x09, 0x6c, 0xba, 0x46, 0x10, 0x02, 0x8d, 0xc1, 0xb5, 0x75, 0x03, 0x80, 0x4c, 0xe3, 0x7c, 0x5d, 0xe9, 0x86, 0x29, 0x1d, 0xcc, 0xe1, 0x61, 0xd5, 0x16, 0x5e, 0xc4, 0x56, 0x8f, 0x5c, 0x9a }; +/* clang-format on */ static const srtp_cipher_test_case_t srtp_aes_icm_192_test_case_0 = { - SRTP_AES_ICM_192_KEY_LEN_WSALT, /* octets in key */ - srtp_aes_icm_192_test_case_0_key, /* key */ - srtp_aes_icm_192_test_case_0_nonce, /* packet index */ - 32, /* octets in plaintext */ - srtp_aes_icm_192_test_case_0_plaintext, /* plaintext */ - 32, /* octets in ciphertext */ - srtp_aes_icm_192_test_case_0_ciphertext, /* ciphertext */ - 0, - NULL, - 0, - NULL /* pointer to next testcase */ + SRTP_AES_ICM_192_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_icm_192_test_case_0_key, /* key */ + srtp_aes_icm_192_test_case_0_nonce, /* packet index */ + 32, /* octets in plaintext */ + srtp_aes_icm_192_test_case_0_plaintext, /* plaintext */ + 32, /* octets in ciphertext */ + srtp_aes_icm_192_test_case_0_ciphertext, /* ciphertext */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ }; /* * KAT values for AES-256-CTR self-test. These * values came from section 7 of RFC 6188. */ +/* clang-format off */ static const uint8_t srtp_aes_icm_256_test_case_0_key[SRTP_AES_ICM_256_KEY_LEN_WSALT] = { 0x57, 0xf8, 0x2f, 0xe3, 0x61, 0x3f, 0xd1, 0x70, 0xa8, 0x5e, 0xc9, 0x3c, 0x40, 0xb1, 0xf0, 0x92, @@ -422,38 +444,45 @@ static const uint8_t srtp_aes_icm_256_test_case_0_key[SRTP_AES_ICM_256_KEY_LEN_W 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd }; +/* clang-format on */ +/* clang-format off */ static uint8_t srtp_aes_icm_256_test_case_0_nonce[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_icm_256_test_case_0_plaintext[32] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_aes_icm_256_test_case_0_ciphertext[32] = { 0x92, 0xbd, 0xd2, 0x8a, 0x93, 0xc3, 0xf5, 0x25, 0x11, 0xc6, 0x77, 0xd0, 0x8b, 0x55, 0x15, 0xa4, 0x9d, 0xa7, 0x1b, 0x23, 0x78, 0xa8, 0x54, 0xf6, 0x70, 0x50, 0x75, 0x6d, 0xed, 0x16, 0x5b, 0xac }; +/* clang-format on */ static const srtp_cipher_test_case_t srtp_aes_icm_256_test_case_0 = { - SRTP_AES_ICM_256_KEY_LEN_WSALT, /* octets in key */ - srtp_aes_icm_256_test_case_0_key, /* key */ - srtp_aes_icm_256_test_case_0_nonce, /* packet index */ - 32, /* octets in plaintext */ - srtp_aes_icm_256_test_case_0_plaintext, /* plaintext */ - 32, /* octets in ciphertext */ - srtp_aes_icm_256_test_case_0_ciphertext, /* ciphertext */ - 0, - NULL, - 0, - NULL /* pointer to next testcase */ + SRTP_AES_ICM_256_KEY_LEN_WSALT, /* octets in key */ + srtp_aes_icm_256_test_case_0_key, /* key */ + srtp_aes_icm_256_test_case_0_nonce, /* packet index */ + 32, /* octets in plaintext */ + srtp_aes_icm_256_test_case_0_plaintext, /* plaintext */ + 32, /* octets in ciphertext */ + srtp_aes_icm_256_test_case_0_ciphertext, /* ciphertext */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ }; /* @@ -461,17 +490,17 @@ static const srtp_cipher_test_case_t srtp_aes_icm_256_test_case_0 = { * note: the encrypt function is identical to the decrypt function */ const srtp_cipher_type_t srtp_aes_icm_128 = { - srtp_aes_icm_openssl_alloc, - srtp_aes_icm_openssl_dealloc, - srtp_aes_icm_openssl_context_init, - 0, /* set_aad */ - srtp_aes_icm_openssl_encrypt, - srtp_aes_icm_openssl_encrypt, - srtp_aes_icm_openssl_set_iv, - 0, /* get_tag */ - srtp_aes_icm_128_openssl_description, - &srtp_aes_icm_128_test_case_0, - SRTP_AES_ICM_128 + srtp_aes_icm_openssl_alloc, /* */ + srtp_aes_icm_openssl_dealloc, /* */ + srtp_aes_icm_openssl_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_openssl_encrypt, /* */ + srtp_aes_icm_openssl_encrypt, /* */ + srtp_aes_icm_openssl_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_128_openssl_description, /* */ + &srtp_aes_icm_128_test_case_0, /* */ + SRTP_AES_ICM_128 /* */ }; /* @@ -479,17 +508,17 @@ const srtp_cipher_type_t srtp_aes_icm_128 = { * note: the encrypt function is identical to the decrypt function */ const srtp_cipher_type_t srtp_aes_icm_192 = { - srtp_aes_icm_openssl_alloc, - srtp_aes_icm_openssl_dealloc, - srtp_aes_icm_openssl_context_init, - 0, /* set_aad */ - srtp_aes_icm_openssl_encrypt, - srtp_aes_icm_openssl_encrypt, - srtp_aes_icm_openssl_set_iv, - 0, /* get_tag */ - srtp_aes_icm_192_openssl_description, - &srtp_aes_icm_192_test_case_0, - SRTP_AES_ICM_192 + srtp_aes_icm_openssl_alloc, /* */ + srtp_aes_icm_openssl_dealloc, /* */ + srtp_aes_icm_openssl_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_openssl_encrypt, /* */ + srtp_aes_icm_openssl_encrypt, /* */ + srtp_aes_icm_openssl_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_192_openssl_description, /* */ + &srtp_aes_icm_192_test_case_0, /* */ + SRTP_AES_ICM_192 /* */ }; /* @@ -497,16 +526,15 @@ const srtp_cipher_type_t srtp_aes_icm_192 = { * note: the encrypt function is identical to the decrypt function */ const srtp_cipher_type_t srtp_aes_icm_256 = { - srtp_aes_icm_openssl_alloc, - srtp_aes_icm_openssl_dealloc, - srtp_aes_icm_openssl_context_init, - 0, /* set_aad */ - srtp_aes_icm_openssl_encrypt, - srtp_aes_icm_openssl_encrypt, - srtp_aes_icm_openssl_set_iv, - 0, /* get_tag */ - srtp_aes_icm_256_openssl_description, - &srtp_aes_icm_256_test_case_0, - SRTP_AES_ICM_256 + srtp_aes_icm_openssl_alloc, /* */ + srtp_aes_icm_openssl_dealloc, /* */ + srtp_aes_icm_openssl_context_init, /* */ + 0, /* set_aad */ + srtp_aes_icm_openssl_encrypt, /* */ + srtp_aes_icm_openssl_encrypt, /* */ + srtp_aes_icm_openssl_set_iv, /* */ + 0, /* get_tag */ + srtp_aes_icm_256_openssl_description, /* */ + &srtp_aes_icm_256_test_case_0, /* */ + SRTP_AES_ICM_256 /* */ }; - diff --git a/libs/srtp/crypto/cipher/cipher.c b/libs/srtp/crypto/cipher/cipher.c index 3c67790888..19f00abc55 100644 --- a/libs/srtp/crypto/cipher/cipher.c +++ b/libs/srtp/crypto/cipher/cipher.c @@ -45,56 +45,61 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "cipher.h" #include "crypto_types.h" -#include "err.h" /* for srtp_debug */ -#include "alloc.h" /* for crypto_alloc(), crypto_free() */ +#include "err.h" /* for srtp_debug */ +#include "alloc.h" /* for crypto_alloc(), crypto_free() */ srtp_debug_module_t srtp_mod_cipher = { - 0, /* debugging is off by default */ - "cipher" /* printable module name */ + 0, /* debugging is off by default */ + "cipher" /* printable module name */ }; -srtp_err_status_t srtp_cipher_type_alloc (const srtp_cipher_type_t *ct, srtp_cipher_t **c, int key_len, int tlen) +srtp_err_status_t srtp_cipher_type_alloc(const srtp_cipher_type_t *ct, + srtp_cipher_t **c, + int key_len, + int tlen) { if (!ct || !ct->alloc) { - return (srtp_err_status_bad_param); + return (srtp_err_status_bad_param); } return ((ct)->alloc((c), (key_len), (tlen))); } -srtp_err_status_t srtp_cipher_dealloc (srtp_cipher_t *c) +srtp_err_status_t srtp_cipher_dealloc(srtp_cipher_t *c) { if (!c || !c->type) { - return (srtp_err_status_bad_param); + return (srtp_err_status_bad_param); } return (((c)->type)->dealloc(c)); } -srtp_err_status_t srtp_cipher_init (srtp_cipher_t *c, const uint8_t *key) +srtp_err_status_t srtp_cipher_init(srtp_cipher_t *c, const uint8_t *key) { if (!c || !c->type || !c->state) { - return (srtp_err_status_bad_param); + return (srtp_err_status_bad_param); } return (((c)->type)->init(((c)->state), (key))); } - -srtp_err_status_t srtp_cipher_set_iv (srtp_cipher_t *c, uint8_t *iv, int direction) +srtp_err_status_t srtp_cipher_set_iv(srtp_cipher_t *c, + uint8_t *iv, + int direction) { if (!c || !c->type || !c->state) { - return (srtp_err_status_bad_param); + return (srtp_err_status_bad_param); } - return (((c)->type)->set_iv(((c)->state), iv, direction)); + return (((c)->type)->set_iv(((c)->state), iv, direction)); } -srtp_err_status_t srtp_cipher_output (srtp_cipher_t *c, uint8_t *buffer, uint32_t *num_octets_to_output) +srtp_err_status_t srtp_cipher_output(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *num_octets_to_output) { - /* zeroize the buffer */ octet_string_set_to_zero(buffer, *num_octets_to_output); @@ -102,43 +107,51 @@ srtp_err_status_t srtp_cipher_output (srtp_cipher_t *c, uint8_t *buffer, uint32_ return (((c)->type)->encrypt(((c)->state), buffer, num_octets_to_output)); } -srtp_err_status_t srtp_cipher_encrypt (srtp_cipher_t *c, uint8_t *buffer, uint32_t *num_octets_to_output) +srtp_err_status_t srtp_cipher_encrypt(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *num_octets_to_output) { if (!c || !c->type || !c->state) { - return (srtp_err_status_bad_param); + return (srtp_err_status_bad_param); } return (((c)->type)->encrypt(((c)->state), buffer, num_octets_to_output)); } -srtp_err_status_t srtp_cipher_decrypt (srtp_cipher_t *c, uint8_t *buffer, uint32_t *num_octets_to_output) +srtp_err_status_t srtp_cipher_decrypt(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *num_octets_to_output) { if (!c || !c->type || !c->state) { - return (srtp_err_status_bad_param); + return (srtp_err_status_bad_param); } return (((c)->type)->decrypt(((c)->state), buffer, num_octets_to_output)); } -srtp_err_status_t srtp_cipher_get_tag (srtp_cipher_t *c, uint8_t *buffer, uint32_t *tag_len) +srtp_err_status_t srtp_cipher_get_tag(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *tag_len) { if (!c || !c->type || !c->state) { - return (srtp_err_status_bad_param); + return (srtp_err_status_bad_param); } if (!((c)->type)->get_tag) { - return (srtp_err_status_no_such_op); + return (srtp_err_status_no_such_op); } return (((c)->type)->get_tag(((c)->state), buffer, tag_len)); } -srtp_err_status_t srtp_cipher_set_aad (srtp_cipher_t *c, const uint8_t *aad, uint32_t aad_len) +srtp_err_status_t srtp_cipher_set_aad(srtp_cipher_t *c, + const uint8_t *aad, + uint32_t aad_len) { if (!c || !c->type || !c->state) { - return (srtp_err_status_bad_param); + return (srtp_err_status_bad_param); } if (!((c)->type)->set_aad) { - return (srtp_err_status_no_such_op); + return (srtp_err_status_no_such_op); } return (((c)->type)->set_aad(((c)->state), aad, aad_len)); @@ -146,57 +159,56 @@ srtp_err_status_t srtp_cipher_set_aad (srtp_cipher_t *c, const uint8_t *aad, uin /* some bookkeeping functions */ -int srtp_cipher_get_key_length (const srtp_cipher_t *c) +int srtp_cipher_get_key_length(const srtp_cipher_t *c) { return c->key_len; } - /* * A trivial platform independent random source. The random * data is used for some of the cipher self-tests. */ -static srtp_err_status_t srtp_cipher_rand (void *dest, uint32_t len) +static srtp_err_status_t srtp_cipher_rand(void *dest, uint32_t len) { #if defined(HAVE_RAND_S) - uint8_t *dst = (uint8_t *)dest; - while (len) - { - unsigned int val; - errno_t err = rand_s(&val); - - if (err != 0) - return srtp_err_status_fail; - - *dst++ = val & 0xff; - len--; - } + uint8_t *dst = (uint8_t *)dest; + while (len) { + unsigned int val; + errno_t err = rand_s(&val); + + if (err != 0) + return srtp_err_status_fail; + + *dst++ = val & 0xff; + len--; + } #else - /* Generic C-library (rand()) version */ - /* This is a random source of last resort */ - uint8_t *dst = (uint8_t *)dest; - while (len) - { - int val = rand(); - /* rand() returns 0-32767 (ugh) */ - /* Is this a good enough way to get random bytes? - It is if it passes FIPS-140... */ - *dst++ = val & 0xff; - len--; - } + /* Generic C-library (rand()) version */ + /* This is a random source of last resort */ + uint8_t *dst = (uint8_t *)dest; + while (len) { + int val = rand(); + /* rand() returns 0-32767 (ugh) */ + /* Is this a good enough way to get random bytes? + It is if it passes FIPS-140... */ + *dst++ = val & 0xff; + len--; + } #endif - return srtp_err_status_ok; + return srtp_err_status_ok; } - + #define SELF_TEST_BUF_OCTETS 128 -#define NUM_RAND_TESTS 128 -#define MAX_KEY_LEN 64 +#define NUM_RAND_TESTS 128 +#define MAX_KEY_LEN 64 /* * srtp_cipher_type_test(ct, test_data) tests a cipher of type ct against * test cases provided in a list test_data of values of key, salt, iv, * plaintext, and ciphertext that is known to be good */ -srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srtp_cipher_test_case_t *test_data) +srtp_err_status_t srtp_cipher_type_test( + const srtp_cipher_type_t *ct, + const srtp_cipher_test_case_t *test_data) { const srtp_cipher_test_case_t *test_case = test_data; srtp_cipher_t *c; @@ -206,6 +218,7 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt uint32_t tag_len; unsigned int len; int i, j, case_num = 0; + unsigned k = 0; debug_print(srtp_mod_cipher, "running self-test for cipher %s", ct->description); @@ -224,7 +237,8 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt */ while (test_case != NULL) { /* allocate cipher */ - status = srtp_cipher_type_alloc(ct, &c, test_case->key_length_octets, test_case->tag_length_octets); + status = srtp_cipher_type_alloc(ct, &c, test_case->key_length_octets, + test_case->tag_length_octets); if (status) { return status; } @@ -246,36 +260,39 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt srtp_cipher_dealloc(c); return srtp_err_status_bad_param; } - for (i = 0; i < test_case->plaintext_length_octets; i++) { - buffer[i] = test_case->plaintext[i]; + for (k = 0; k < test_case->plaintext_length_octets; k++) { + buffer[k] = test_case->plaintext[k]; } debug_print(srtp_mod_cipher, "plaintext: %s", - srtp_octet_string_hex_string(buffer, - test_case->plaintext_length_octets)); + srtp_octet_string_hex_string( + buffer, test_case->plaintext_length_octets)); /* set the initialization vector */ - status = srtp_cipher_set_iv(c, (uint8_t*)test_case->idx, srtp_direction_encrypt); + status = srtp_cipher_set_iv(c, (uint8_t *)test_case->idx, + srtp_direction_encrypt); if (status) { srtp_cipher_dealloc(c); return status; } - if (c->algorithm == SRTP_AES_GCM_128 || c->algorithm == SRTP_AES_GCM_256) { + if (c->algorithm == SRTP_AES_GCM_128 || + c->algorithm == SRTP_AES_GCM_256) { debug_print(srtp_mod_cipher, "IV: %s", srtp_octet_string_hex_string(test_case->idx, 12)); /* * Set the AAD */ - status = srtp_cipher_set_aad(c, test_case->aad, test_case->aad_length_octets); + status = srtp_cipher_set_aad(c, test_case->aad, + test_case->aad_length_octets); if (status) { srtp_cipher_dealloc(c); return status; } debug_print(srtp_mod_cipher, "AAD: %s", - srtp_octet_string_hex_string(test_case->aad, - test_case->aad_length_octets)); + srtp_octet_string_hex_string( + test_case->aad, test_case->aad_length_octets)); } /* encrypt */ @@ -286,7 +303,8 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt return status; } - if (c->algorithm == SRTP_AES_GCM_128 || c->algorithm == SRTP_AES_GCM_256) { + if (c->algorithm == SRTP_AES_GCM_128 || + c->algorithm == SRTP_AES_GCM_256) { /* * Get the GCM tag */ @@ -299,8 +317,8 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt } debug_print(srtp_mod_cipher, "ciphertext: %s", - srtp_octet_string_hex_string(buffer, - test_case->ciphertext_length_octets)); + srtp_octet_string_hex_string( + buffer, test_case->ciphertext_length_octets)); /* compare the resulting ciphertext with that in the test case */ if (len != test_case->ciphertext_length_octets) { @@ -308,22 +326,22 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt return srtp_err_status_algo_fail; } status = srtp_err_status_ok; - for (i = 0; i < test_case->ciphertext_length_octets; i++) { - if (buffer[i] != test_case->ciphertext[i]) { + for (k = 0; k < test_case->ciphertext_length_octets; k++) { + if (buffer[k] != test_case->ciphertext[k]) { status = srtp_err_status_algo_fail; debug_print(srtp_mod_cipher, "test case %d failed", case_num); - debug_print(srtp_mod_cipher, "(failure at byte %d)", i); + debug_print(srtp_mod_cipher, "(failure at byte %u)", k); break; } } if (status) { - debug_print(srtp_mod_cipher, "c computed: %s", - srtp_octet_string_hex_string(buffer, - 2 * test_case->plaintext_length_octets)); + srtp_octet_string_hex_string( + buffer, 2 * test_case->plaintext_length_octets)); debug_print(srtp_mod_cipher, "c expected: %s", - srtp_octet_string_hex_string(test_case->ciphertext, - 2 * test_case->plaintext_length_octets)); + srtp_octet_string_hex_string( + test_case->ciphertext, + 2 * test_case->plaintext_length_octets)); srtp_cipher_dealloc(c); return srtp_err_status_algo_fail; @@ -346,33 +364,36 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt srtp_cipher_dealloc(c); return srtp_err_status_bad_param; } - for (i = 0; i < test_case->ciphertext_length_octets; i++) { - buffer[i] = test_case->ciphertext[i]; + for (k = 0; k < test_case->ciphertext_length_octets; k++) { + buffer[k] = test_case->ciphertext[k]; } debug_print(srtp_mod_cipher, "ciphertext: %s", - srtp_octet_string_hex_string(buffer, - test_case->plaintext_length_octets)); + srtp_octet_string_hex_string( + buffer, test_case->plaintext_length_octets)); /* set the initialization vector */ - status = srtp_cipher_set_iv(c, (uint8_t*)test_case->idx, srtp_direction_decrypt); + status = srtp_cipher_set_iv(c, (uint8_t *)test_case->idx, + srtp_direction_decrypt); if (status) { srtp_cipher_dealloc(c); return status; } - if (c->algorithm == SRTP_AES_GCM_128 || c->algorithm == SRTP_AES_GCM_256) { + if (c->algorithm == SRTP_AES_GCM_128 || + c->algorithm == SRTP_AES_GCM_256) { /* * Set the AAD */ - status = srtp_cipher_set_aad(c, test_case->aad, test_case->aad_length_octets); + status = srtp_cipher_set_aad(c, test_case->aad, + test_case->aad_length_octets); if (status) { srtp_cipher_dealloc(c); return status; } debug_print(srtp_mod_cipher, "AAD: %s", - srtp_octet_string_hex_string(test_case->aad, - test_case->aad_length_octets)); + srtp_octet_string_hex_string( + test_case->aad, test_case->aad_length_octets)); } /* decrypt */ @@ -384,8 +405,8 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt } debug_print(srtp_mod_cipher, "plaintext: %s", - srtp_octet_string_hex_string(buffer, - test_case->plaintext_length_octets)); + srtp_octet_string_hex_string( + buffer, test_case->plaintext_length_octets)); /* compare the resulting plaintext with that in the test case */ if (len != test_case->plaintext_length_octets) { @@ -393,21 +414,21 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt return srtp_err_status_algo_fail; } status = srtp_err_status_ok; - for (i = 0; i < test_case->plaintext_length_octets; i++) { - if (buffer[i] != test_case->plaintext[i]) { + for (k = 0; k < test_case->plaintext_length_octets; k++) { + if (buffer[k] != test_case->plaintext[k]) { status = srtp_err_status_algo_fail; debug_print(srtp_mod_cipher, "test case %d failed", case_num); - debug_print(srtp_mod_cipher, "(failure at byte %d)", i); + debug_print(srtp_mod_cipher, "(failure at byte %u)", k); } } if (status) { - debug_print(srtp_mod_cipher, "p computed: %s", - srtp_octet_string_hex_string(buffer, - 2 * test_case->plaintext_length_octets)); + srtp_octet_string_hex_string( + buffer, 2 * test_case->plaintext_length_octets)); debug_print(srtp_mod_cipher, "p expected: %s", - srtp_octet_string_hex_string(test_case->plaintext, - 2 * test_case->plaintext_length_octets)); + srtp_octet_string_hex_string( + test_case->plaintext, + 2 * test_case->plaintext_length_octets)); srtp_cipher_dealloc(c); return srtp_err_status_algo_fail; @@ -431,14 +452,15 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt /* allocate cipher, using paramaters from the first test case */ test_case = test_data; - status = srtp_cipher_type_alloc(ct, &c, test_case->key_length_octets, test_case->tag_length_octets); + status = srtp_cipher_type_alloc(ct, &c, test_case->key_length_octets, + test_case->tag_length_octets); if (status) { return status; } for (j = 0; j < NUM_RAND_TESTS; j++) { - unsigned length; - int plaintext_len; + unsigned int length; + unsigned int plaintext_len; uint8_t key[MAX_KEY_LEN]; uint8_t iv[MAX_KEY_LEN]; @@ -485,24 +507,27 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt } /* set initialization vector */ - status = srtp_cipher_set_iv(c, (uint8_t*)test_case->idx, srtp_direction_encrypt); + status = srtp_cipher_set_iv(c, (uint8_t *)test_case->idx, + srtp_direction_encrypt); if (status) { srtp_cipher_dealloc(c); return status; } - if (c->algorithm == SRTP_AES_GCM_128 || c->algorithm == SRTP_AES_GCM_256) { + if (c->algorithm == SRTP_AES_GCM_128 || + c->algorithm == SRTP_AES_GCM_256) { /* * Set the AAD */ - status = srtp_cipher_set_aad(c, test_case->aad, test_case->aad_length_octets); + status = srtp_cipher_set_aad(c, test_case->aad, + test_case->aad_length_octets); if (status) { srtp_cipher_dealloc(c); return status; } debug_print(srtp_mod_cipher, "AAD: %s", - srtp_octet_string_hex_string(test_case->aad, - test_case->aad_length_octets)); + srtp_octet_string_hex_string( + test_case->aad, test_case->aad_length_octets)); } /* encrypt buffer with cipher */ @@ -512,7 +537,8 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt srtp_cipher_dealloc(c); return status; } - if (c->algorithm == SRTP_AES_GCM_128 || c->algorithm == SRTP_AES_GCM_256) { + if (c->algorithm == SRTP_AES_GCM_128 || + c->algorithm == SRTP_AES_GCM_256) { /* * Get the GCM tag */ @@ -535,23 +561,26 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt srtp_cipher_dealloc(c); return status; } - status = srtp_cipher_set_iv(c, (uint8_t*)test_case->idx, srtp_direction_decrypt); + status = srtp_cipher_set_iv(c, (uint8_t *)test_case->idx, + srtp_direction_decrypt); if (status) { srtp_cipher_dealloc(c); return status; } - if (c->algorithm == SRTP_AES_GCM_128 || c->algorithm == SRTP_AES_GCM_256) { + if (c->algorithm == SRTP_AES_GCM_128 || + c->algorithm == SRTP_AES_GCM_256) { /* * Set the AAD */ - status = srtp_cipher_set_aad(c, test_case->aad, test_case->aad_length_octets); + status = srtp_cipher_set_aad(c, test_case->aad, + test_case->aad_length_octets); if (status) { srtp_cipher_dealloc(c); return status; } debug_print(srtp_mod_cipher, "AAD: %s", - srtp_octet_string_hex_string(test_case->aad, - test_case->aad_length_octets)); + srtp_octet_string_hex_string( + test_case->aad, test_case->aad_length_octets)); } status = srtp_cipher_decrypt(c, buffer, &length); if (status) { @@ -568,18 +597,18 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt return srtp_err_status_algo_fail; } status = srtp_err_status_ok; - for (i = 0; i < plaintext_len; i++) { - if (buffer[i] != buffer2[i]) { + for (k = 0; k < plaintext_len; k++) { + if (buffer[k] != buffer2[k]) { status = srtp_err_status_algo_fail; - debug_print(srtp_mod_cipher, "random test case %d failed", case_num); - debug_print(srtp_mod_cipher, "(failure at byte %d)", i); + debug_print(srtp_mod_cipher, "random test case %d failed", + case_num); + debug_print(srtp_mod_cipher, "(failure at byte %u)", k); } } if (status) { srtp_cipher_dealloc(c); return srtp_err_status_algo_fail; } - } status = srtp_cipher_dealloc(c); @@ -590,12 +619,11 @@ srtp_err_status_t srtp_cipher_type_test (const srtp_cipher_type_t *ct, const srt return srtp_err_status_ok; } - /* - * srtp_cipher_type_self_test(ct) performs srtp_cipher_type_test on ct's internal - * list of test data. + * srtp_cipher_type_self_test(ct) performs srtp_cipher_type_test on ct's + * internal list of test data. */ -srtp_err_status_t srtp_cipher_type_self_test (const srtp_cipher_type_t *ct) +srtp_err_status_t srtp_cipher_type_self_test(const srtp_cipher_type_t *ct) { return srtp_cipher_type_test(ct, ct->test_data); } @@ -610,7 +638,9 @@ srtp_err_status_t srtp_cipher_type_self_test (const srtp_cipher_type_t *ct) * * if an error is encountered, the value 0 is returned */ -uint64_t srtp_cipher_bits_per_second (srtp_cipher_t *c, int octets_in_buffer, int num_trials) +uint64_t srtp_cipher_bits_per_second(srtp_cipher_t *c, + int octets_in_buffer, + int num_trials) { int i; v128_t nonce; @@ -618,16 +648,16 @@ uint64_t srtp_cipher_bits_per_second (srtp_cipher_t *c, int octets_in_buffer, in unsigned char *enc_buf; unsigned int len = octets_in_buffer; - enc_buf = (unsigned char*)srtp_crypto_alloc(octets_in_buffer); + enc_buf = (unsigned char *)srtp_crypto_alloc(octets_in_buffer); if (enc_buf == NULL) { return 0; /* indicate bad parameters by returning null */ - } /* time repeated trials */ v128_set_to_zero(&nonce); timer = clock(); for (i = 0; i < num_trials; i++, nonce.v32[3] = i) { - if (srtp_cipher_set_iv(c, (uint8_t*)&nonce, srtp_direction_encrypt) != srtp_err_status_ok) { + if (srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt) != + srtp_err_status_ok) { srtp_crypto_free(enc_buf); return 0; } diff --git a/libs/srtp/crypto/cipher/null_cipher.c b/libs/srtp/crypto/cipher/null_cipher.c index 46bf1126da..659add0d47 100644 --- a/libs/srtp/crypto/cipher/null_cipher.c +++ b/libs/srtp/crypto/cipher/null_cipher.c @@ -45,45 +45,42 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "datatypes.h" #include "null_cipher.h" -#include "err.h" /* for srtp_debug */ +#include "err.h" /* for srtp_debug */ #include "alloc.h" +#include "cipher_types.h" -/* the null_cipher uses the cipher debug module */ - -extern srtp_debug_module_t srtp_mod_cipher; - -static srtp_err_status_t srtp_null_cipher_alloc (srtp_cipher_t **c, int key_len, int tlen) +static srtp_err_status_t srtp_null_cipher_alloc(srtp_cipher_t **c, + int key_len, + int tlen) { extern const srtp_cipher_type_t srtp_null_cipher; - debug_print(srtp_mod_cipher, - "allocating cipher with key length %d", key_len); + debug_print(srtp_mod_cipher, "allocating cipher with key length %d", + key_len); /* allocate memory a cipher of type null_cipher */ *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t)); if (*c == NULL) { return srtp_err_status_alloc_fail; } - memset(*c, 0x0, sizeof(srtp_cipher_t)); /* set pointers */ (*c)->algorithm = SRTP_NULL_CIPHER; (*c)->type = &srtp_null_cipher; - (*c)->state = (void *) 0x1; /* The null cipher does not maintain state */ + (*c)->state = (void *)0x1; /* The null cipher does not maintain state */ /* set key size */ (*c)->key_len = key_len; return srtp_err_status_ok; - } -static srtp_err_status_t srtp_null_cipher_dealloc (srtp_cipher_t *c) +static srtp_err_status_t srtp_null_cipher_dealloc(srtp_cipher_t *c) { extern const srtp_cipher_type_t srtp_null_cipher; @@ -94,28 +91,30 @@ static srtp_err_status_t srtp_null_cipher_dealloc (srtp_cipher_t *c) srtp_crypto_free(c); return srtp_err_status_ok; - } -static srtp_err_status_t srtp_null_cipher_init (void *cv, const uint8_t *key) +static srtp_err_status_t srtp_null_cipher_init(void *cv, const uint8_t *key) { - /* srtp_null_cipher_ctx_t *c = (srtp_null_cipher_ctx_t *)cv; */ + /* srtp_null_cipher_ctx_t *c = (srtp_null_cipher_ctx_t *)cv; */ debug_print(srtp_mod_cipher, "initializing null cipher", NULL); return srtp_err_status_ok; } -static srtp_err_status_t srtp_null_cipher_set_iv (void *cv, uint8_t *iv, srtp_cipher_direction_t dir) +static srtp_err_status_t srtp_null_cipher_set_iv(void *cv, + uint8_t *iv, + srtp_cipher_direction_t dir) { - /* srtp_null_cipher_ctx_t *c = (srtp_null_cipher_ctx_t *)cv; */ + /* srtp_null_cipher_ctx_t *c = (srtp_null_cipher_ctx_t *)cv; */ return srtp_err_status_ok; } -static srtp_err_status_t srtp_null_cipher_encrypt (void *cv, - unsigned char *buf, unsigned int *bytes_to_encr) +static srtp_err_status_t srtp_null_cipher_encrypt(void *cv, + unsigned char *buf, + unsigned int *bytes_to_encr) { - /* srtp_null_cipher_ctx_t *c = (srtp_null_cipher_ctx_t *)cv; */ + /* srtp_null_cipher_ctx_t *c = (srtp_null_cipher_ctx_t *)cv; */ return srtp_err_status_ok; } @@ -129,28 +128,26 @@ static const srtp_cipher_test_case_t srtp_null_cipher_test_0 = { NULL, /* plaintext */ 0, /* octets in plaintext */ NULL, /* ciphertext */ - 0, - NULL, - 0, - NULL /* pointer to next testcase */ + 0, /* */ + NULL, /* */ + 0, /* */ + NULL /* pointer to next testcase */ }; - /* * note: the decrypt function is idential to the encrypt function */ const srtp_cipher_type_t srtp_null_cipher = { - srtp_null_cipher_alloc, - srtp_null_cipher_dealloc, - srtp_null_cipher_init, - 0, /* set_aad */ - srtp_null_cipher_encrypt, - srtp_null_cipher_encrypt, - srtp_null_cipher_set_iv, - 0, /* get_tag */ - srtp_null_cipher_description, - &srtp_null_cipher_test_0, - SRTP_NULL_CIPHER + srtp_null_cipher_alloc, /* */ + srtp_null_cipher_dealloc, /* */ + srtp_null_cipher_init, /* */ + 0, /* set_aad */ + srtp_null_cipher_encrypt, /* */ + srtp_null_cipher_encrypt, /* */ + srtp_null_cipher_set_iv, /* */ + 0, /* get_tag */ + srtp_null_cipher_description, /* */ + &srtp_null_cipher_test_0, /* */ + SRTP_NULL_CIPHER /* */ }; - diff --git a/libs/srtp/crypto/hash/auth.c b/libs/srtp/crypto/hash/auth.c index c6ce3576f7..f19327dc8e 100644 --- a/libs/srtp/crypto/hash/auth.c +++ b/libs/srtp/crypto/hash/auth.c @@ -44,32 +44,31 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "auth.h" -#include "err.h" /* for srtp_debug */ -#include "datatypes.h" /* for octet_string */ +#include "err.h" /* for srtp_debug */ +#include "datatypes.h" /* for octet_string */ /* the debug module for authentiation */ srtp_debug_module_t srtp_mod_auth = { - 0, /* debugging is off by default */ - "auth func" /* printable name for module */ + 0, /* debugging is off by default */ + "auth func" /* printable name for module */ }; - -int srtp_auth_get_key_length (const srtp_auth_t *a) +int srtp_auth_get_key_length(const srtp_auth_t *a) { return a->key_len; } -int srtp_auth_get_tag_length (const srtp_auth_t *a) +int srtp_auth_get_tag_length(const srtp_auth_t *a) { return a->out_len; } -int srtp_auth_get_prefix_length (const srtp_auth_t *a) +int srtp_auth_get_prefix_length(const srtp_auth_t *a) { return a->prefix_len; } @@ -83,8 +82,8 @@ int srtp_auth_get_prefix_length (const srtp_auth_t *a) /* should be big enough for most occasions */ #define SELF_TEST_TAG_BUF_OCTETS 32 -srtp_err_status_t -srtp_auth_type_test (const srtp_auth_type_t *at, const srtp_auth_test_case_t *test_data) +srtp_err_status_t srtp_auth_type_test(const srtp_auth_type_t *at, + const srtp_auth_test_case_t *test_data) { const srtp_auth_test_case_t *test_case = test_data; srtp_auth_t *a; @@ -105,7 +104,6 @@ srtp_auth_type_test (const srtp_auth_type_t *at, const srtp_auth_test_case_t *te /* loop over all test cases */ while (test_case != NULL) { - /* check test case parameters */ if (test_case->tag_length_octets > SELF_TEST_TAG_BUF_OCTETS) { return srtp_err_status_bad_param; @@ -113,7 +111,7 @@ srtp_auth_type_test (const srtp_auth_type_t *at, const srtp_auth_test_case_t *te /* allocate auth */ status = srtp_auth_type_alloc(at, &a, test_case->key_length_octets, - test_case->tag_length_octets); + test_case->tag_length_octets); if (status) { return status; } @@ -128,7 +126,7 @@ srtp_auth_type_test (const srtp_auth_type_t *at, const srtp_auth_test_case_t *te /* zeroize tag then compute */ octet_string_set_to_zero(tag, test_case->tag_length_octets); status = srtp_auth_compute(a, test_case->data, - test_case->data_length_octets, tag); + test_case->data_length_octets, tag); if (status) { srtp_auth_dealloc(a); return status; @@ -138,10 +136,11 @@ srtp_auth_type_test (const srtp_auth_type_t *at, const srtp_auth_test_case_t *te srtp_octet_string_hex_string(test_case->key, test_case->key_length_octets)); debug_print(srtp_mod_auth, "data: %s", - srtp_octet_string_hex_string(test_case->data, - test_case->data_length_octets)); - debug_print(srtp_mod_auth, "tag computed: %s", - srtp_octet_string_hex_string(tag, test_case->tag_length_octets)); + srtp_octet_string_hex_string( + test_case->data, test_case->data_length_octets)); + debug_print( + srtp_mod_auth, "tag computed: %s", + srtp_octet_string_hex_string(tag, test_case->tag_length_octets)); debug_print(srtp_mod_auth, "tag expected: %s", srtp_octet_string_hex_string(test_case->tag, test_case->tag_length_octets)); @@ -177,14 +176,12 @@ srtp_auth_type_test (const srtp_auth_type_t *at, const srtp_auth_test_case_t *te return srtp_err_status_ok; } - /* - * auth_type_self_test(at) performs srtp_auth_type_test on at's internal + * srtp_auth_type_self_test(at) performs srtp_auth_type_test on at's internal * list of test data. */ -srtp_err_status_t srtp_auth_type_self_test (const srtp_auth_type_t *at) +srtp_err_status_t srtp_auth_type_self_test(const srtp_auth_type_t *at) { return srtp_auth_type_test(at, at->test_data); } - diff --git a/libs/srtp/crypto/hash/hmac.c b/libs/srtp/crypto/hash/hmac.c index 416f17be26..6e91468f36 100644 --- a/libs/srtp/crypto/hash/hmac.c +++ b/libs/srtp/crypto/hash/hmac.c @@ -43,27 +43,31 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "hmac.h" #include "alloc.h" +#include "cipher_types.h" /* the debug module for authentiation */ srtp_debug_module_t srtp_mod_hmac = { - 0, /* debugging is off by default */ - "hmac sha-1" /* printable name for module */ + 0, /* debugging is off by default */ + "hmac sha-1" /* printable name for module */ }; - -static srtp_err_status_t srtp_hmac_alloc (srtp_auth_t **a, int key_len, int out_len) +static srtp_err_status_t srtp_hmac_alloc(srtp_auth_t **a, + int key_len, + int out_len) { extern const srtp_auth_type_t srtp_hmac; uint8_t *pointer; - debug_print(srtp_mod_hmac, "allocating auth func with key length %d", key_len); - debug_print(srtp_mod_hmac, " tag length %d", out_len); + debug_print(srtp_mod_hmac, "allocating auth func with key length %d", + key_len); + debug_print(srtp_mod_hmac, " tag length %d", + out_len); /* * check key length - note that we don't support keys larger @@ -79,13 +83,14 @@ static srtp_err_status_t srtp_hmac_alloc (srtp_auth_t **a, int key_len, int out_ } /* allocate memory for auth and srtp_hmac_ctx_t structures */ - pointer = (uint8_t*)srtp_crypto_alloc(sizeof(srtp_hmac_ctx_t) + sizeof(srtp_auth_t)); + pointer = (uint8_t *)srtp_crypto_alloc(sizeof(srtp_hmac_ctx_t) + + sizeof(srtp_auth_t)); if (pointer == NULL) { return srtp_err_status_alloc_fail; } /* set pointers */ - *a = (srtp_auth_t*)pointer; + *a = (srtp_auth_t *)pointer; (*a)->type = &srtp_hmac; (*a)->state = pointer + sizeof(srtp_auth_t); (*a)->out_len = out_len; @@ -95,7 +100,7 @@ static srtp_err_status_t srtp_hmac_alloc (srtp_auth_t **a, int key_len, int out_ return srtp_err_status_ok; } -static srtp_err_status_t srtp_hmac_dealloc (srtp_auth_t *a) +static srtp_err_status_t srtp_hmac_dealloc(srtp_auth_t *a) { /* zeroize entire state*/ octet_string_set_to_zero(a, sizeof(srtp_hmac_ctx_t) + sizeof(srtp_auth_t)); @@ -106,7 +111,9 @@ static srtp_err_status_t srtp_hmac_dealloc (srtp_auth_t *a) return srtp_err_status_ok; } -static srtp_err_status_t srtp_hmac_init (void *statev, const uint8_t *key, int key_len) +static srtp_err_status_t srtp_hmac_init(void *statev, + const uint8_t *key, + int key_len) { srtp_hmac_ctx_t *state = (srtp_hmac_ctx_t *)statev; int i; @@ -131,10 +138,11 @@ static srtp_err_status_t srtp_hmac_init (void *statev, const uint8_t *key, int k /* set the rest of ipad, opad to constant values */ for (; i < 64; i++) { ipad[i] = 0x36; - ((uint8_t*)state->opad)[i] = 0x5c; + ((uint8_t *)state->opad)[i] = 0x5c; } - debug_print(srtp_mod_hmac, "ipad: %s", srtp_octet_string_hex_string(ipad, 64)); + debug_print(srtp_mod_hmac, "ipad: %s", + srtp_octet_string_hex_string(ipad, 64)); /* initialize sha1 context */ srtp_sha1_init(&state->init_ctx); @@ -146,7 +154,7 @@ static srtp_err_status_t srtp_hmac_init (void *statev, const uint8_t *key, int k return srtp_err_status_ok; } -static srtp_err_status_t srtp_hmac_start (void *statev) +static srtp_err_status_t srtp_hmac_start(void *statev) { srtp_hmac_ctx_t *state = (srtp_hmac_ctx_t *)statev; @@ -155,7 +163,9 @@ static srtp_err_status_t srtp_hmac_start (void *statev) return srtp_err_status_ok; } -static srtp_err_status_t srtp_hmac_update (void *statev, const uint8_t *message, int msg_octets) +static srtp_err_status_t srtp_hmac_update(void *statev, + const uint8_t *message, + int msg_octets) { srtp_hmac_ctx_t *state = (srtp_hmac_ctx_t *)statev; @@ -168,8 +178,11 @@ static srtp_err_status_t srtp_hmac_update (void *statev, const uint8_t *message, return srtp_err_status_ok; } -static srtp_err_status_t srtp_hmac_compute (void *statev, const uint8_t *message, - int msg_octets, int tag_len, uint8_t *result) +static srtp_err_status_t srtp_hmac_compute(void *statev, + const uint8_t *message, + int msg_octets, + int tag_len, + uint8_t *result) { srtp_hmac_ctx_t *state = (srtp_hmac_ctx_t *)statev; uint32_t hash_value[5]; @@ -190,49 +203,53 @@ static srtp_err_status_t srtp_hmac_compute (void *statev, const uint8_t *message * function hmac_update() already did that for us */ debug_print(srtp_mod_hmac, "intermediate state: %s", - srtp_octet_string_hex_string((uint8_t*)H, 20)); + srtp_octet_string_hex_string((uint8_t *)H, 20)); /* re-initialize hash context */ srtp_sha1_init(&state->ctx); /* hash opad ^ key */ - srtp_sha1_update(&state->ctx, (uint8_t*)state->opad, 64); + srtp_sha1_update(&state->ctx, (uint8_t *)state->opad, 64); /* hash the result of the inner hash */ - srtp_sha1_update(&state->ctx, (uint8_t*)H, 20); + srtp_sha1_update(&state->ctx, (uint8_t *)H, 20); /* the result is returned in the array hash_value[] */ srtp_sha1_final(&state->ctx, hash_value); /* copy hash_value to *result */ for (i = 0; i < tag_len; i++) { - result[i] = ((uint8_t*)hash_value)[i]; + result[i] = ((uint8_t *)hash_value)[i]; } debug_print(srtp_mod_hmac, "output: %s", - srtp_octet_string_hex_string((uint8_t*)hash_value, tag_len)); + srtp_octet_string_hex_string((uint8_t *)hash_value, tag_len)); return srtp_err_status_ok; } - /* begin test case 0 */ - +/* clang-format off */ static const uint8_t srtp_hmac_test_case_0_key[20] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_hmac_test_case_0_data[8] = { 0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65 /* "Hi There" */ }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_hmac_test_case_0_tag[20] = { 0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64, 0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e, 0xf1, 0x46, 0xbe, 0x00 }; +/* clang-format on */ static const srtp_auth_test_case_t srtp_hmac_test_case_0 = { 20, /* octets in key */ @@ -246,21 +263,21 @@ static const srtp_auth_test_case_t srtp_hmac_test_case_0 = { /* end test case 0 */ -static const char srtp_hmac_description[] = "hmac sha-1 authentication function"; +static const char srtp_hmac_description[] = + "hmac sha-1 authentication function"; /* * srtp_auth_type_t hmac is the hmac metaobject */ -const srtp_auth_type_t srtp_hmac = { - srtp_hmac_alloc, - srtp_hmac_dealloc, - srtp_hmac_init, - srtp_hmac_compute, - srtp_hmac_update, - srtp_hmac_start, - srtp_hmac_description, - &srtp_hmac_test_case_0, - SRTP_HMAC_SHA1 +const srtp_auth_type_t srtp_hmac = { + srtp_hmac_alloc, /* */ + srtp_hmac_dealloc, /* */ + srtp_hmac_init, /* */ + srtp_hmac_compute, /* */ + srtp_hmac_update, /* */ + srtp_hmac_start, /* */ + srtp_hmac_description, /* */ + &srtp_hmac_test_case_0, /* */ + SRTP_HMAC_SHA1 /* */ }; - diff --git a/libs/srtp/crypto/hash/hmac_ossl.c b/libs/srtp/crypto/hash/hmac_ossl.c index f99646b58f..8146438b05 100644 --- a/libs/srtp/crypto/hash/hmac_ossl.c +++ b/libs/srtp/crypto/hash/hmac_ossl.c @@ -43,31 +43,34 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "auth.h" #include "alloc.h" -#include "err.h" /* for srtp_debug */ +#include "err.h" /* for srtp_debug */ #include #include -#define SHA1_DIGEST_SIZE 20 +#define SHA1_DIGEST_SIZE 20 /* the debug module for authentiation */ srtp_debug_module_t srtp_mod_hmac = { - 0, /* debugging is off by default */ - "hmac sha-1 openssl" /* printable name for module */ + 0, /* debugging is off by default */ + "hmac sha-1 openssl" /* printable name for module */ }; - -static srtp_err_status_t srtp_hmac_alloc (srtp_auth_t **a, int key_len, int out_len) +static srtp_err_status_t srtp_hmac_alloc(srtp_auth_t **a, + int key_len, + int out_len) { extern const srtp_auth_type_t srtp_hmac; - debug_print(srtp_mod_hmac, "allocating auth func with key length %d", key_len); - debug_print(srtp_mod_hmac, " tag length %d", out_len); + debug_print(srtp_mod_hmac, "allocating auth func with key length %d", + key_len); + debug_print(srtp_mod_hmac, " tag length %d", + out_len); /* check output length - should be less than 20 bytes */ if (out_len > SHA1_DIGEST_SIZE) { @@ -76,24 +79,25 @@ static srtp_err_status_t srtp_hmac_alloc (srtp_auth_t **a, int key_len, int out_ /* OpenSSL 1.1.0 made HMAC_CTX an opaque structure, which must be allocated using HMAC_CTX_new. But this function doesn't exist in OpenSSL 1.0.x. */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER { /* allocate memory for auth and HMAC_CTX structures */ - uint8_t* pointer; + uint8_t *pointer; HMAC_CTX *new_hmac_ctx; - pointer = (uint8_t*)srtp_crypto_alloc(sizeof(HMAC_CTX) + sizeof(srtp_auth_t)); + pointer = (uint8_t *)srtp_crypto_alloc(sizeof(HMAC_CTX) + + sizeof(srtp_auth_t)); if (pointer == NULL) { return srtp_err_status_alloc_fail; } - *a = (srtp_auth_t*)pointer; + *a = (srtp_auth_t *)pointer; (*a)->state = pointer + sizeof(srtp_auth_t); - new_hmac_ctx = (HMAC_CTX*)((*a)->state); + new_hmac_ctx = (HMAC_CTX *)((*a)->state); HMAC_CTX_init(new_hmac_ctx); } #else - *a = (srtp_auth_t*)srtp_crypto_alloc(sizeof(srtp_auth_t)); + *a = (srtp_auth_t *)srtp_crypto_alloc(sizeof(srtp_auth_t)); if (*a == NULL) { return srtp_err_status_alloc_fail; } @@ -115,13 +119,13 @@ static srtp_err_status_t srtp_hmac_alloc (srtp_auth_t **a, int key_len, int out_ return srtp_err_status_ok; } -static srtp_err_status_t srtp_hmac_dealloc (srtp_auth_t *a) +static srtp_err_status_t srtp_hmac_dealloc(srtp_auth_t *a) { HMAC_CTX *hmac_ctx; - hmac_ctx = (HMAC_CTX*)a->state; + hmac_ctx = (HMAC_CTX *)a->state; -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER HMAC_CTX_cleanup(hmac_ctx); /* zeroize entire state*/ @@ -140,7 +144,7 @@ static srtp_err_status_t srtp_hmac_dealloc (srtp_auth_t *a) return srtp_err_status_ok; } -static srtp_err_status_t srtp_hmac_start (void *statev) +static srtp_err_status_t srtp_hmac_start(void *statev) { HMAC_CTX *state = (HMAC_CTX *)statev; @@ -150,7 +154,9 @@ static srtp_err_status_t srtp_hmac_start (void *statev) return srtp_err_status_ok; } -static srtp_err_status_t srtp_hmac_init (void *statev, const uint8_t *key, int key_len) +static srtp_err_status_t srtp_hmac_init(void *statev, + const uint8_t *key, + int key_len) { HMAC_CTX *state = (HMAC_CTX *)statev; @@ -160,7 +166,9 @@ static srtp_err_status_t srtp_hmac_init (void *statev, const uint8_t *key, int k return srtp_err_status_ok; } -static srtp_err_status_t srtp_hmac_update (void *statev, const uint8_t *message, int msg_octets) +static srtp_err_status_t srtp_hmac_update(void *statev, + const uint8_t *message, + int msg_octets) { HMAC_CTX *state = (HMAC_CTX *)statev; @@ -173,8 +181,11 @@ static srtp_err_status_t srtp_hmac_update (void *statev, const uint8_t *message, return srtp_err_status_ok; } -static srtp_err_status_t srtp_hmac_compute (void *statev, const uint8_t *message, - int msg_octets, int tag_len, uint8_t *result) +static srtp_err_status_t srtp_hmac_compute(void *statev, + const uint8_t *message, + int msg_octets, + int tag_len, + uint8_t *result) { HMAC_CTX *state = (HMAC_CTX *)statev; uint8_t hash_value[SHA1_DIGEST_SIZE]; @@ -207,52 +218,56 @@ static srtp_err_status_t srtp_hmac_compute (void *statev, const uint8_t *message return srtp_err_status_ok; } - /* begin test case 0 */ - +/* clang-format off */ static const uint8_t srtp_hmac_test_case_0_key[SHA1_DIGEST_SIZE] = { 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_hmac_test_case_0_data[8] = { 0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65 /* "Hi There" */ }; +/* clang-format on */ +/* clang-format off */ static const uint8_t srtp_hmac_test_case_0_tag[SHA1_DIGEST_SIZE] = { 0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64, 0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e, 0xf1, 0x46, 0xbe, 0x00 }; +/* clang-format on */ static const srtp_auth_test_case_t srtp_hmac_test_case_0 = { - sizeof(srtp_hmac_test_case_0_key), /* octets in key */ - srtp_hmac_test_case_0_key, /* key */ - sizeof(srtp_hmac_test_case_0_data), /* octets in data */ - srtp_hmac_test_case_0_data, /* data */ - sizeof(srtp_hmac_test_case_0_tag), /* octets in tag */ - srtp_hmac_test_case_0_tag, /* tag */ - NULL /* pointer to next testcase */ + sizeof(srtp_hmac_test_case_0_key), /* octets in key */ + srtp_hmac_test_case_0_key, /* key */ + sizeof(srtp_hmac_test_case_0_data), /* octets in data */ + srtp_hmac_test_case_0_data, /* data */ + sizeof(srtp_hmac_test_case_0_tag), /* octets in tag */ + srtp_hmac_test_case_0_tag, /* tag */ + NULL /* pointer to next testcase */ }; /* end test case 0 */ -static const char srtp_hmac_description[] = "hmac sha-1 authentication function"; +static const char srtp_hmac_description[] = + "hmac sha-1 authentication function"; /* * srtp_auth_type_t hmac is the hmac metaobject */ -const srtp_auth_type_t srtp_hmac = { - srtp_hmac_alloc, - srtp_hmac_dealloc, - srtp_hmac_init, - srtp_hmac_compute, - srtp_hmac_update, - srtp_hmac_start, - srtp_hmac_description, - &srtp_hmac_test_case_0, - SRTP_HMAC_SHA1 +const srtp_auth_type_t srtp_hmac = { + srtp_hmac_alloc, /* */ + srtp_hmac_dealloc, /* */ + srtp_hmac_init, /* */ + srtp_hmac_compute, /* */ + srtp_hmac_update, /* */ + srtp_hmac_start, /* */ + srtp_hmac_description, /* */ + &srtp_hmac_test_case_0, /* */ + SRTP_HMAC_SHA1 /* */ }; - diff --git a/libs/srtp/crypto/hash/null_auth.c b/libs/srtp/crypto/hash/null_auth.c index 2d99027caa..5194417caf 100644 --- a/libs/srtp/crypto/hash/null_auth.c +++ b/libs/srtp/crypto/hash/null_auth.c @@ -45,33 +45,35 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "null_auth.h" -#include "err.h" /* for srtp_debug */ +#include "err.h" /* for srtp_debug */ #include "alloc.h" +#include "cipher_types.h" -/* null_auth uses the auth debug module */ - -extern srtp_debug_module_t srtp_mod_auth; - -static srtp_err_status_t srtp_null_auth_alloc (srtp_auth_t **a, int key_len, int out_len) +static srtp_err_status_t srtp_null_auth_alloc(srtp_auth_t **a, + int key_len, + int out_len) { extern const srtp_auth_type_t srtp_null_auth; uint8_t *pointer; - debug_print(srtp_mod_auth, "allocating auth func with key length %d", key_len); - debug_print(srtp_mod_auth, " tag length %d", out_len); + debug_print(srtp_mod_auth, "allocating auth func with key length %d", + key_len); + debug_print(srtp_mod_auth, " tag length %d", + out_len); /* allocate memory for auth and srtp_null_auth_ctx_t structures */ - pointer = (uint8_t*)srtp_crypto_alloc(sizeof(srtp_null_auth_ctx_t) + sizeof(srtp_auth_t)); + pointer = (uint8_t *)srtp_crypto_alloc(sizeof(srtp_null_auth_ctx_t) + + sizeof(srtp_auth_t)); if (pointer == NULL) { return srtp_err_status_alloc_fail; } /* set pointers */ - *a = (srtp_auth_t*)pointer; + *a = (srtp_auth_t *)pointer; (*a)->type = &srtp_null_auth; (*a)->state = pointer + sizeof(srtp_auth_t); (*a)->out_len = out_len; @@ -81,12 +83,13 @@ static srtp_err_status_t srtp_null_auth_alloc (srtp_auth_t **a, int key_len, int return srtp_err_status_ok; } -static srtp_err_status_t srtp_null_auth_dealloc (srtp_auth_t *a) +static srtp_err_status_t srtp_null_auth_dealloc(srtp_auth_t *a) { extern const srtp_auth_type_t srtp_null_auth; /* zeroize entire state*/ - octet_string_set_to_zero(a, sizeof(srtp_null_auth_ctx_t) + sizeof(srtp_auth_t)); + octet_string_set_to_zero(a, sizeof(srtp_null_auth_ctx_t) + + sizeof(srtp_auth_t)); /* free memory */ srtp_crypto_free(a); @@ -94,7 +97,9 @@ static srtp_err_status_t srtp_null_auth_dealloc (srtp_auth_t *a) return srtp_err_status_ok; } -static srtp_err_status_t srtp_null_auth_init (void *statev, const uint8_t *key, int key_len) +static srtp_err_status_t srtp_null_auth_init(void *statev, + const uint8_t *key, + int key_len) { /* srtp_null_auth_ctx_t *state = (srtp_null_auth_ctx_t *)statev; */ /* accept any length of key, and do nothing */ @@ -102,23 +107,27 @@ static srtp_err_status_t srtp_null_auth_init (void *statev, const uint8_t *key, return srtp_err_status_ok; } -static srtp_err_status_t srtp_null_auth_compute (void *statev, const uint8_t *message, - int msg_octets, int tag_len, uint8_t *result) +static srtp_err_status_t srtp_null_auth_compute(void *statev, + const uint8_t *message, + int msg_octets, + int tag_len, + uint8_t *result) { /* srtp_null_auth_ctx_t *state = (srtp_null_auth_ctx_t *)statev; */ return srtp_err_status_ok; } -static srtp_err_status_t srtp_null_auth_update (void *statev, const uint8_t *message, - int msg_octets) +static srtp_err_status_t srtp_null_auth_update(void *statev, + const uint8_t *message, + int msg_octets) { /* srtp_null_auth_ctx_t *state = (srtp_null_auth_ctx_t *)statev; */ return srtp_err_status_ok; } -static srtp_err_status_t srtp_null_auth_start (void *statev) +static srtp_err_status_t srtp_null_auth_start(void *statev) { /* srtp_null_auth_ctx_t *state = (srtp_null_auth_ctx_t *)statev; */ @@ -133,28 +142,27 @@ static srtp_err_status_t srtp_null_auth_start (void *statev) /* begin test case 0 */ static const srtp_auth_test_case_t srtp_null_auth_test_case_0 = { - 0, /* octets in key */ - NULL, /* key */ - 0, /* octets in data */ - NULL, /* data */ - 0, /* octets in tag */ - NULL, /* tag */ - NULL /* pointer to next testcase */ + 0, /* octets in key */ + NULL, /* key */ + 0, /* octets in data */ + NULL, /* data */ + 0, /* octets in tag */ + NULL, /* tag */ + NULL /* pointer to next testcase */ }; /* end test case 0 */ static const char srtp_null_auth_description[] = "null authentication function"; -const srtp_auth_type_t srtp_null_auth = { - srtp_null_auth_alloc, - srtp_null_auth_dealloc, - srtp_null_auth_init, - srtp_null_auth_compute, - srtp_null_auth_update, - srtp_null_auth_start, - srtp_null_auth_description, - &srtp_null_auth_test_case_0, - SRTP_NULL_AUTH +const srtp_auth_type_t srtp_null_auth = { + srtp_null_auth_alloc, /* */ + srtp_null_auth_dealloc, /* */ + srtp_null_auth_init, /* */ + srtp_null_auth_compute, /* */ + srtp_null_auth_update, /* */ + srtp_null_auth_start, /* */ + srtp_null_auth_description, /* */ + &srtp_null_auth_test_case_0, /* */ + SRTP_NULL_AUTH /* */ }; - diff --git a/libs/srtp/crypto/hash/sha1.c b/libs/srtp/crypto/hash/sha1.c index 94528899c6..afd6381542 100644 --- a/libs/srtp/crypto/hash/sha1.c +++ b/libs/srtp/crypto/hash/sha1.c @@ -45,19 +45,19 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "sha1.h" srtp_debug_module_t srtp_mod_sha1 = { - 0, /* debugging is off by default */ - "sha-1" /* printable module name */ + 0, /* debugging is off by default */ + "sha-1" /* printable module name */ }; /* SN == Rotate left N bits */ -#define S1(X) ((X << 1) | (X >> 31)) -#define S5(X) ((X << 5) | (X >> 27)) +#define S1(X) ((X << 1) | (X >> 31)) +#define S5(X) ((X << 5) | (X >> 27)) #define S30(X) ((X << 30) | (X >> 2)) #define f0(B, C, D) ((B & C) | (~B & D)) @@ -71,19 +71,18 @@ srtp_debug_module_t srtp_mod_sha1 = { * on systems that uses curses */ -uint32_t SHA_K0 = 0x5A827999; /* Kt for 0 <= t <= 19 */ -uint32_t SHA_K1 = 0x6ED9EBA1; /* Kt for 20 <= t <= 39 */ -uint32_t SHA_K2 = 0x8F1BBCDC; /* Kt for 40 <= t <= 59 */ -uint32_t SHA_K3 = 0xCA62C1D6; /* Kt for 60 <= t <= 79 */ +uint32_t SHA_K0 = 0x5A827999; /* Kt for 0 <= t <= 19 */ +uint32_t SHA_K1 = 0x6ED9EBA1; /* Kt for 20 <= t <= 39 */ +uint32_t SHA_K2 = 0x8F1BBCDC; /* Kt for 40 <= t <= 59 */ +uint32_t SHA_K3 = 0xCA62C1D6; /* Kt for 60 <= t <= 79 */ -void srtp_sha1 (const uint8_t *msg, int octets_in_msg, uint32_t hash_value[5]) +void srtp_sha1(const uint8_t *msg, int octets_in_msg, uint32_t hash_value[5]) { srtp_sha1_ctx_t ctx; srtp_sha1_init(&ctx); srtp_sha1_update(&ctx, msg, octets_in_msg); srtp_sha1_final(&ctx, hash_value); - } /* @@ -98,7 +97,7 @@ void srtp_sha1 (const uint8_t *msg, int octets_in_msg, uint32_t hash_value[5]) * (crypto/cipher/seal.c) */ -void srtp_sha1_core (const uint32_t M[16], uint32_t hash_value[5]) +void srtp_sha1_core(const uint32_t M[16], uint32_t hash_value[5]) { uint32_t H0; uint32_t H1; @@ -118,38 +117,54 @@ void srtp_sha1_core (const uint32_t M[16], uint32_t hash_value[5]) /* copy/xor message into array */ - W[0] = be32_to_cpu(M[0]); - W[1] = be32_to_cpu(M[1]); - W[2] = be32_to_cpu(M[2]); - W[3] = be32_to_cpu(M[3]); - W[4] = be32_to_cpu(M[4]); - W[5] = be32_to_cpu(M[5]); - W[6] = be32_to_cpu(M[6]); - W[7] = be32_to_cpu(M[7]); - W[8] = be32_to_cpu(M[8]); - W[9] = be32_to_cpu(M[9]); + W[0] = be32_to_cpu(M[0]); + W[1] = be32_to_cpu(M[1]); + W[2] = be32_to_cpu(M[2]); + W[3] = be32_to_cpu(M[3]); + W[4] = be32_to_cpu(M[4]); + W[5] = be32_to_cpu(M[5]); + W[6] = be32_to_cpu(M[6]); + W[7] = be32_to_cpu(M[7]); + W[8] = be32_to_cpu(M[8]); + W[9] = be32_to_cpu(M[9]); W[10] = be32_to_cpu(M[10]); W[11] = be32_to_cpu(M[11]); W[12] = be32_to_cpu(M[12]); W[13] = be32_to_cpu(M[13]); W[14] = be32_to_cpu(M[14]); W[15] = be32_to_cpu(M[15]); - TEMP = W[13] ^ W[8] ^ W[2] ^ W[0]; W[16] = S1(TEMP); - TEMP = W[14] ^ W[9] ^ W[3] ^ W[1]; W[17] = S1(TEMP); - TEMP = W[15] ^ W[10] ^ W[4] ^ W[2]; W[18] = S1(TEMP); - TEMP = W[16] ^ W[11] ^ W[5] ^ W[3]; W[19] = S1(TEMP); - TEMP = W[17] ^ W[12] ^ W[6] ^ W[4]; W[20] = S1(TEMP); - TEMP = W[18] ^ W[13] ^ W[7] ^ W[5]; W[21] = S1(TEMP); - TEMP = W[19] ^ W[14] ^ W[8] ^ W[6]; W[22] = S1(TEMP); - TEMP = W[20] ^ W[15] ^ W[9] ^ W[7]; W[23] = S1(TEMP); - TEMP = W[21] ^ W[16] ^ W[10] ^ W[8]; W[24] = S1(TEMP); - TEMP = W[22] ^ W[17] ^ W[11] ^ W[9]; W[25] = S1(TEMP); - TEMP = W[23] ^ W[18] ^ W[12] ^ W[10]; W[26] = S1(TEMP); - TEMP = W[24] ^ W[19] ^ W[13] ^ W[11]; W[27] = S1(TEMP); - TEMP = W[25] ^ W[20] ^ W[14] ^ W[12]; W[28] = S1(TEMP); - TEMP = W[26] ^ W[21] ^ W[15] ^ W[13]; W[29] = S1(TEMP); - TEMP = W[27] ^ W[22] ^ W[16] ^ W[14]; W[30] = S1(TEMP); - TEMP = W[28] ^ W[23] ^ W[17] ^ W[15]; W[31] = S1(TEMP); + TEMP = W[13] ^ W[8] ^ W[2] ^ W[0]; + W[16] = S1(TEMP); + TEMP = W[14] ^ W[9] ^ W[3] ^ W[1]; + W[17] = S1(TEMP); + TEMP = W[15] ^ W[10] ^ W[4] ^ W[2]; + W[18] = S1(TEMP); + TEMP = W[16] ^ W[11] ^ W[5] ^ W[3]; + W[19] = S1(TEMP); + TEMP = W[17] ^ W[12] ^ W[6] ^ W[4]; + W[20] = S1(TEMP); + TEMP = W[18] ^ W[13] ^ W[7] ^ W[5]; + W[21] = S1(TEMP); + TEMP = W[19] ^ W[14] ^ W[8] ^ W[6]; + W[22] = S1(TEMP); + TEMP = W[20] ^ W[15] ^ W[9] ^ W[7]; + W[23] = S1(TEMP); + TEMP = W[21] ^ W[16] ^ W[10] ^ W[8]; + W[24] = S1(TEMP); + TEMP = W[22] ^ W[17] ^ W[11] ^ W[9]; + W[25] = S1(TEMP); + TEMP = W[23] ^ W[18] ^ W[12] ^ W[10]; + W[26] = S1(TEMP); + TEMP = W[24] ^ W[19] ^ W[13] ^ W[11]; + W[27] = S1(TEMP); + TEMP = W[25] ^ W[20] ^ W[14] ^ W[12]; + W[28] = S1(TEMP); + TEMP = W[26] ^ W[21] ^ W[15] ^ W[13]; + W[29] = S1(TEMP); + TEMP = W[27] ^ W[22] ^ W[16] ^ W[14]; + W[30] = S1(TEMP); + TEMP = W[28] ^ W[23] ^ W[17] ^ W[15]; + W[31] = S1(TEMP); /* process the remainder of the array */ for (t = 32; t < 80; t++) { @@ -157,23 +172,43 @@ void srtp_sha1_core (const uint32_t M[16], uint32_t hash_value[5]) W[t] = S1(TEMP); } - A = H0; B = H1; C = H2; D = H3; E = H4; + A = H0; + B = H1; + C = H2; + D = H3; + E = H4; for (t = 0; t < 20; t++) { TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0; - E = D; D = C; C = S30(B); B = A; A = TEMP; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; } for (; t < 40; t++) { TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1; - E = D; D = C; C = S30(B); B = A; A = TEMP; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; } for (; t < 60; t++) { TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2; - E = D; D = C; C = S30(B); B = A; A = TEMP; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; } for (; t < 80; t++) { TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3; - E = D; D = C; C = S30(B); B = A; A = TEMP; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; } hash_value[0] = H0 + A; @@ -185,9 +220,8 @@ void srtp_sha1_core (const uint32_t M[16], uint32_t hash_value[5]) return; } -void srtp_sha1_init (srtp_sha1_ctx_t *ctx) +void srtp_sha1_init(srtp_sha1_ctx_t *ctx) { - /* initialize state vector */ ctx->H[0] = 0x67452301; ctx->H[1] = 0xefcdab89; @@ -200,22 +234,21 @@ void srtp_sha1_init (srtp_sha1_ctx_t *ctx) /* reset message bit-count to zero */ ctx->num_bits_in_msg = 0; - } -void srtp_sha1_update (srtp_sha1_ctx_t *ctx, const uint8_t *msg, int octets_in_msg) +void srtp_sha1_update(srtp_sha1_ctx_t *ctx, + const uint8_t *msg, + int octets_in_msg) { int i; - uint8_t *buf = (uint8_t*)ctx->M; + uint8_t *buf = (uint8_t *)ctx->M; /* update message bit-count */ ctx->num_bits_in_msg += octets_in_msg * 8; /* loop over 16-word blocks of M */ while (octets_in_msg > 0) { - if (octets_in_msg + ctx->octets_in_buffer >= 64) { - /* * copy words of M into msg buffer until that buffer is full, * converting them into host byte order as needed @@ -228,13 +261,14 @@ void srtp_sha1_update (srtp_sha1_ctx_t *ctx, const uint8_t *msg, int octets_in_m /* process a whole block */ - debug_print(srtp_mod_sha1, "(update) running srtp_sha1_core()", NULL); + debug_print(srtp_mod_sha1, "(update) running srtp_sha1_core()", + NULL); srtp_sha1_core(ctx->M, ctx->H); } else { - - debug_print(srtp_mod_sha1, "(update) not running srtp_sha1_core()", NULL); + debug_print(srtp_mod_sha1, "(update) not running srtp_sha1_core()", + NULL); for (i = ctx->octets_in_buffer; i < (ctx->octets_in_buffer + octets_in_msg); i++) { @@ -243,9 +277,7 @@ void srtp_sha1_update (srtp_sha1_ctx_t *ctx, const uint8_t *msg, int octets_in_m ctx->octets_in_buffer += octets_in_msg; octets_in_msg = 0; } - } - } /* @@ -253,7 +285,7 @@ void srtp_sha1_update (srtp_sha1_ctx_t *ctx, const uint8_t *msg, int octets_in_m * into the twenty octets located at *output */ -void srtp_sha1_final (srtp_sha1_ctx_t *ctx, uint32_t *output) +void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t *output) { uint32_t A, B, C, D, E, TEMP; uint32_t W[80]; @@ -268,7 +300,7 @@ void srtp_sha1_final (srtp_sha1_ctx_t *ctx, uint32_t *output) /* copy/xor message into array */ for (i = 0; i < (ctx->octets_in_buffer + 3) / 4; i++) { - W[i] = be32_to_cpu(ctx->M[i]); + W[i] = be32_to_cpu(ctx->M[i]); } /* set the high bit of the octet immediately following the message */ @@ -321,19 +353,35 @@ void srtp_sha1_final (srtp_sha1_ctx_t *ctx, uint32_t *output) for (t = 0; t < 20; t++) { TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0; - E = D; D = C; C = S30(B); B = A; A = TEMP; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; } for (; t < 40; t++) { TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1; - E = D; D = C; C = S30(B); B = A; A = TEMP; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; } for (; t < 60; t++) { TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2; - E = D; D = C; C = S30(B); B = A; A = TEMP; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; } for (; t < 80; t++) { TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3; - E = D; D = C; C = S30(B); B = A; A = TEMP; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; } ctx->H[0] += A; @@ -341,14 +389,13 @@ void srtp_sha1_final (srtp_sha1_ctx_t *ctx, uint32_t *output) ctx->H[2] += C; ctx->H[3] += D; ctx->H[4] += E; - } debug_print(srtp_mod_sha1, "(final) running srtp_sha1_core()", NULL); if (ctx->octets_in_buffer >= 56) { - - debug_print(srtp_mod_sha1, "(final) running srtp_sha1_core() again", NULL); + debug_print(srtp_mod_sha1, "(final) running srtp_sha1_core() again", + NULL); /* we need to do one final run of the compression algo */ @@ -375,19 +422,35 @@ void srtp_sha1_final (srtp_sha1_ctx_t *ctx, uint32_t *output) for (t = 0; t < 20; t++) { TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0; - E = D; D = C; C = S30(B); B = A; A = TEMP; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; } for (; t < 40; t++) { TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1; - E = D; D = C; C = S30(B); B = A; A = TEMP; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; } for (; t < 60; t++) { TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2; - E = D; D = C; C = S30(B); B = A; A = TEMP; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; } for (; t < 80; t++) { TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3; - E = D; D = C; C = S30(B); B = A; A = TEMP; + E = D; + D = C; + C = S30(B); + B = A; + A = TEMP; } ctx->H[0] += A; @@ -409,6 +472,3 @@ void srtp_sha1_final (srtp_sha1_ctx_t *ctx, uint32_t *output) return; } - - - diff --git a/libs/srtp/crypto/include/aes.h b/libs/srtp/crypto/include/aes.h index 007163c534..779c3ac744 100644 --- a/libs/srtp/crypto/include/aes.h +++ b/libs/srtp/crypto/include/aes.h @@ -70,9 +70,11 @@ srtp_err_status_t srtp_aes_expand_decryption_key( int key_len, srtp_aes_expanded_key_t *expanded_key); -void srtp_aes_encrypt(v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key); +void srtp_aes_encrypt(v128_t *plaintext, + const srtp_aes_expanded_key_t *exp_key); -void srtp_aes_decrypt(v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key); +void srtp_aes_decrypt(v128_t *plaintext, + const srtp_aes_expanded_key_t *exp_key); #ifdef __cplusplus } diff --git a/libs/srtp/crypto/include/aes_gcm_ossl.h b/libs/srtp/crypto/include/aes_gcm_ossl.h index 8b0d7a0264..d5b83eeeb0 100644 --- a/libs/srtp/crypto/include/aes_gcm_ossl.h +++ b/libs/srtp/crypto/include/aes_gcm_ossl.h @@ -55,9 +55,8 @@ typedef struct { int key_size; int tag_len; - EVP_CIPHER_CTX* ctx; + EVP_CIPHER_CTX *ctx; srtp_cipher_direction_t dir; } srtp_aes_gcm_ctx_t; #endif /* AES_GCM_OSSL_H */ - diff --git a/libs/srtp/crypto/include/aes_icm.h b/libs/srtp/crypto/include/aes_icm.h index 90fbd5e35d..8ded156a29 100644 --- a/libs/srtp/crypto/include/aes_icm.h +++ b/libs/srtp/crypto/include/aes_icm.h @@ -9,26 +9,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -60,4 +60,3 @@ typedef struct { } srtp_aes_icm_ctx_t; #endif /* AES_ICM_H */ - diff --git a/libs/srtp/crypto/include/aes_icm_ossl.h b/libs/srtp/crypto/include/aes_icm_ossl.h index 1dddd755fc..c4aae376e6 100644 --- a/libs/srtp/crypto/include/aes_icm_ossl.h +++ b/libs/srtp/crypto/include/aes_icm_ossl.h @@ -52,11 +52,10 @@ #include typedef struct { - v128_t counter; /* holds the counter value */ - v128_t offset; /* initial offset value */ + v128_t counter; /* holds the counter value */ + v128_t offset; /* initial offset value */ int key_size; - EVP_CIPHER_CTX* ctx; + EVP_CIPHER_CTX *ctx; } srtp_aes_icm_ctx_t; #endif /* AES_ICM_H */ - diff --git a/libs/srtp/crypto/include/alloc.h b/libs/srtp/crypto/include/alloc.h index 0bd2a90820..1fc041014d 100644 --- a/libs/srtp/crypto/include/alloc.h +++ b/libs/srtp/crypto/include/alloc.h @@ -1,32 +1,32 @@ /* * alloc.h * - * interface to memory allocation and deallocation, with optional debugging + * interface to memory allocation and deallocation, with optional debugging * * David A. McGrew * Cisco Systems, Inc. */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -42,7 +42,6 @@ * */ - #ifndef CRYPTO_ALLOC_H #define CRYPTO_ALLOC_H @@ -52,8 +51,22 @@ extern "C" { #endif -void * srtp_crypto_alloc(size_t size); +/* + * srtp_crypto_alloc + * + * Allocates a block of memory of given size. The memory will be + * initialized to zero's. Free the memory with a call to srtp_crypto_free. + * + * returns pointer to memory on success or else NULL + */ +void *srtp_crypto_alloc(size_t size); +/* + * srtp_crypto_free + * + * Frees the block of memory ptr previously allocated with + * srtp_crypto_alloc + */ void srtp_crypto_free(void *ptr); #ifdef __cplusplus diff --git a/libs/srtp/crypto/include/auth.h b/libs/srtp/crypto/include/auth.h index 7870b29450..774ea1687b 100644 --- a/libs/srtp/crypto/include/auth.h +++ b/libs/srtp/crypto/include/auth.h @@ -47,46 +47,51 @@ #define SRTP_AUTH_H #include "srtp.h" -#include "crypto_types.h" /* for values of auth_type_id_t */ +#include "crypto_types.h" /* for values of auth_type_id_t */ #ifdef __cplusplus extern "C" { #endif typedef const struct srtp_auth_type_t *srtp_auth_type_pointer; -typedef struct srtp_auth_t *srtp_auth_pointer_t; +typedef struct srtp_auth_t *srtp_auth_pointer_t; -typedef srtp_err_status_t (*srtp_auth_alloc_func) - (srtp_auth_pointer_t *ap, int key_len, int out_len); +typedef srtp_err_status_t (*srtp_auth_alloc_func)(srtp_auth_pointer_t *ap, + int key_len, + int out_len); -typedef srtp_err_status_t (*srtp_auth_init_func) - (void *state, const uint8_t *key, int key_len); +typedef srtp_err_status_t (*srtp_auth_init_func)(void *state, + const uint8_t *key, + int key_len); typedef srtp_err_status_t (*srtp_auth_dealloc_func)(srtp_auth_pointer_t ap); -typedef srtp_err_status_t (*srtp_auth_compute_func) - (void *state, const uint8_t *buffer, int octets_to_auth, - int tag_len, uint8_t *tag); +typedef srtp_err_status_t (*srtp_auth_compute_func)(void *state, + const uint8_t *buffer, + int octets_to_auth, + int tag_len, + uint8_t *tag); -typedef srtp_err_status_t (*srtp_auth_update_func) - (void *state, const uint8_t *buffer, int octets_to_auth); +typedef srtp_err_status_t (*srtp_auth_update_func)(void *state, + const uint8_t *buffer, + int octets_to_auth); typedef srtp_err_status_t (*srtp_auth_start_func)(void *state); /* some syntactic sugar on these function types */ -#define srtp_auth_type_alloc(at, a, klen, outlen) \ +#define srtp_auth_type_alloc(at, a, klen, outlen) \ ((at)->alloc((a), (klen), (outlen))) -#define srtp_auth_init(a, key) \ +#define srtp_auth_init(a, key) \ (((a)->type)->init((a)->state, (key), ((a)->key_len))) -#define srtp_auth_compute(a, buf, len, res) \ +#define srtp_auth_compute(a, buf, len, res) \ (((a)->type)->compute((a)->state, (buf), (len), (a)->out_len, (res))) -#define srtp_auth_update(a, buf, len) \ +#define srtp_auth_update(a, buf, len) \ (((a)->type)->update((a)->state, (buf), (len))) -#define srtp_auth_start(a)(((a)->type)->start((a)->state)) +#define srtp_auth_start(a) (((a)->type)->start((a)->state)) #define srtp_auth_dealloc(c) (((c)->type)->dealloc(c)) @@ -105,13 +110,14 @@ int srtp_auth_get_prefix_length(const struct srtp_auth_t *a); * function below) */ typedef struct srtp_auth_test_case_t { - int key_length_octets; /* octets in key */ - const uint8_t *key; /* key */ - int data_length_octets; /* octets in data */ - const uint8_t *data; /* data */ - int tag_length_octets; /* octets in tag */ - const uint8_t *tag; /* tag */ - const struct srtp_auth_test_case_t *next_test_case; /* pointer to next testcase */ + int key_length_octets; /* octets in key */ + const uint8_t *key; /* key */ + int data_length_octets; /* octets in data */ + const uint8_t *data; /* data */ + int tag_length_octets; /* octets in tag */ + const uint8_t *tag; /* tag */ + const struct srtp_auth_test_case_t + *next_test_case; /* pointer to next testcase */ } srtp_auth_test_case_t; /* srtp_auth_type_t */ @@ -122,17 +128,17 @@ typedef struct srtp_auth_type_t { srtp_auth_compute_func compute; srtp_auth_update_func update; srtp_auth_start_func start; - const char *description; - const srtp_auth_test_case_t *test_data; + const char *description; + const srtp_auth_test_case_t *test_data; srtp_auth_type_id_t id; } srtp_auth_type_t; typedef struct srtp_auth_t { const srtp_auth_type_t *type; - void *state; - int out_len; /* length of output tag in octets */ - int key_len; /* length of key in octets */ - int prefix_len; /* length of keystream prefix */ + void *state; + int out_len; /* length of output tag in octets */ + int key_len; /* length of key in octets */ + int prefix_len; /* length of keystream prefix */ } srtp_auth_t; /* @@ -147,8 +153,8 @@ srtp_err_status_t srtp_auth_type_self_test(const srtp_auth_type_t *at); * provided in an array of values of key/message/tag that is known to * be good */ -srtp_err_status_t srtp_auth_type_test(const srtp_auth_type_t *at, - const srtp_auth_test_case_t *test_data); +srtp_err_status_t srtp_auth_type_test(const srtp_auth_type_t *at, + const srtp_auth_test_case_t *test_data); /* * srtp_replace_auth_type(ct, id) @@ -157,7 +163,8 @@ srtp_err_status_t srtp_auth_type_test(const srtp_auth_type_t *at, * with a new one passed in externally. The new auth type must pass all the * existing auth_type's self tests as well as its own. */ -srtp_err_status_t srtp_replace_auth_type(const srtp_auth_type_t *ct, srtp_auth_type_id_t id); +srtp_err_status_t srtp_replace_auth_type(const srtp_auth_type_t *ct, + srtp_auth_type_id_t id); #ifdef __cplusplus } diff --git a/libs/srtp/crypto/include/cipher.h b/libs/srtp/crypto/include/cipher.h index d544b12045..4f14e3560f 100644 --- a/libs/srtp/crypto/include/cipher.h +++ b/libs/srtp/crypto/include/cipher.h @@ -42,13 +42,11 @@ * */ - #ifndef SRTP_CIPHER_H #define SRTP_CIPHER_H #include "srtp.h" -#include "crypto_types.h" /* for values of cipher_type_id_t */ - +#include "crypto_types.h" /* for values of cipher_type_id_t */ #ifdef __cplusplus extern "C" { @@ -71,51 +69,60 @@ typedef enum { * the srtp_cipher_pointer_t definition is needed * as srtp_cipher_t is not yet defined */ -typedef struct srtp_cipher_t *srtp_cipher_pointer_t; +typedef struct srtp_cipher_t *srtp_cipher_pointer_t; /* - * a srtp_cipher_alloc_func_t allocates (but does not initialize) a srtp_cipher_t + * a srtp_cipher_alloc_func_t allocates (but does not initialize) a + * srtp_cipher_t */ -typedef srtp_err_status_t (*srtp_cipher_alloc_func_t) - (srtp_cipher_pointer_t *cp, int key_len, int tag_len); +typedef srtp_err_status_t (*srtp_cipher_alloc_func_t)(srtp_cipher_pointer_t *cp, + int key_len, + int tag_len); /* * a srtp_cipher_init_func_t [re-]initializes a cipher_t with a given key */ -typedef srtp_err_status_t (*srtp_cipher_init_func_t) - (void *state, const uint8_t *key); +typedef srtp_err_status_t (*srtp_cipher_init_func_t)(void *state, + const uint8_t *key); /* a srtp_cipher_dealloc_func_t de-allocates a cipher_t */ -typedef srtp_err_status_t (*srtp_cipher_dealloc_func_t)(srtp_cipher_pointer_t cp); +typedef srtp_err_status_t (*srtp_cipher_dealloc_func_t)( + srtp_cipher_pointer_t cp); /* * a srtp_cipher_set_aad_func_t processes the AAD data for AEAD ciphers */ -typedef srtp_err_status_t (*srtp_cipher_set_aad_func_t) - (void *state, const uint8_t *aad, uint32_t aad_len); - +typedef srtp_err_status_t (*srtp_cipher_set_aad_func_t)(void *state, + const uint8_t *aad, + uint32_t aad_len); /* a srtp_cipher_encrypt_func_t encrypts data in-place */ -typedef srtp_err_status_t (*srtp_cipher_encrypt_func_t) - (void *state, uint8_t *buffer, unsigned int *octets_to_encrypt); +typedef srtp_err_status_t (*srtp_cipher_encrypt_func_t)( + void *state, + uint8_t *buffer, + unsigned int *octets_to_encrypt); /* a srtp_cipher_decrypt_func_t decrypts data in-place */ -typedef srtp_err_status_t (*srtp_cipher_decrypt_func_t) - (void *state, uint8_t *buffer, unsigned int *octets_to_decrypt); +typedef srtp_err_status_t (*srtp_cipher_decrypt_func_t)( + void *state, + uint8_t *buffer, + unsigned int *octets_to_decrypt); /* * a srtp_cipher_set_iv_func_t function sets the current initialization vector */ -typedef srtp_err_status_t (*srtp_cipher_set_iv_func_t) - (void *state, uint8_t *iv, srtp_cipher_direction_t direction); +typedef srtp_err_status_t (*srtp_cipher_set_iv_func_t)( + void *state, + uint8_t *iv, + srtp_cipher_direction_t direction); /* * a cipher_get_tag_func_t function is used to get the authentication * tag that was calculated by an AEAD cipher. */ -typedef srtp_err_status_t (*srtp_cipher_get_tag_func_t) - (void *state, uint8_t *tag, uint32_t *len); - +typedef srtp_err_status_t (*srtp_cipher_get_tag_func_t)(void *state, + uint8_t *tag, + uint32_t *len); /* * srtp_cipher_test_case_t is a (list of) key, salt, plaintext, ciphertext, @@ -125,17 +132,18 @@ typedef srtp_err_status_t (*srtp_cipher_get_tag_func_t) * (see the srtp_cipher_type_self_test() function below) */ typedef struct srtp_cipher_test_case_t { - int key_length_octets; /* octets in key */ - const uint8_t *key; /* key */ - uint8_t *idx; /* packet index */ - int plaintext_length_octets; /* octets in plaintext */ - const uint8_t *plaintext; /* plaintext */ - int ciphertext_length_octets; /* octets in plaintext */ - const uint8_t *ciphertext; /* ciphertext */ - int aad_length_octets; /* octets in AAD */ - const uint8_t *aad; /* AAD */ - int tag_length_octets; /* Length of AEAD tag */ - const struct srtp_cipher_test_case_t *next_test_case; /* pointer to next testcase */ + int key_length_octets; /* octets in key */ + const uint8_t *key; /* key */ + uint8_t *idx; /* packet index */ + unsigned int plaintext_length_octets; /* octets in plaintext */ + const uint8_t *plaintext; /* plaintext */ + unsigned int ciphertext_length_octets; /* octets in plaintext */ + const uint8_t *ciphertext; /* ciphertext */ + int aad_length_octets; /* octets in AAD */ + const uint8_t *aad; /* AAD */ + int tag_length_octets; /* Length of AEAD tag */ + const struct srtp_cipher_test_case_t + *next_test_case; /* pointer to next testcase */ } srtp_cipher_test_case_t; /* srtp_cipher_type_t defines the 'metadata' for a particular cipher type */ @@ -148,8 +156,8 @@ typedef struct srtp_cipher_type_t { srtp_cipher_encrypt_func_t decrypt; srtp_cipher_set_iv_func_t set_iv; srtp_cipher_get_tag_func_t get_tag; - const char *description; - const srtp_cipher_test_case_t *test_data; + const char *description; + const srtp_cipher_test_case_t *test_data; srtp_cipher_type_id_t id; } srtp_cipher_type_t; @@ -159,7 +167,7 @@ typedef struct srtp_cipher_type_t { */ typedef struct srtp_cipher_t { const srtp_cipher_type_t *type; - void *state; + void *state; int key_len; int algorithm; } srtp_cipher_t; @@ -167,7 +175,6 @@ typedef struct srtp_cipher_t { /* some bookkeeping functions */ int srtp_cipher_get_key_length(const srtp_cipher_t *c); - /* * srtp_cipher_type_self_test() tests a cipher against test cases provided in * an array of values of key/srtp_xtd_seq_num_t/plaintext/ciphertext @@ -175,14 +182,15 @@ int srtp_cipher_get_key_length(const srtp_cipher_t *c); */ srtp_err_status_t srtp_cipher_type_self_test(const srtp_cipher_type_t *ct); - /* - * srtp_cipher_type_test() tests a cipher against external test cases provided in + * srtp_cipher_type_test() tests a cipher against external test cases provided + * in * an array of values of key/srtp_xtd_seq_num_t/plaintext/ciphertext * that is known to be good */ -srtp_err_status_t srtp_cipher_type_test(const srtp_cipher_type_t *ct, const srtp_cipher_test_case_t *test_data); - +srtp_err_status_t srtp_cipher_type_test( + const srtp_cipher_type_t *ct, + const srtp_cipher_test_case_t *test_data); /* * srtp_cipher_bits_per_second(c, l, t) computes (an estimate of) the @@ -194,17 +202,34 @@ srtp_err_status_t srtp_cipher_type_test(const srtp_cipher_type_t *ct, const srtp * * if an error is encountered, then the value 0 is returned */ -uint64_t srtp_cipher_bits_per_second(srtp_cipher_t *c, int octets_in_buffer, int num_trials); - -srtp_err_status_t srtp_cipher_type_alloc(const srtp_cipher_type_t *ct, srtp_cipher_t **c, int key_len, int tlen); +uint64_t srtp_cipher_bits_per_second(srtp_cipher_t *c, + int octets_in_buffer, + int num_trials); + +srtp_err_status_t srtp_cipher_type_alloc(const srtp_cipher_type_t *ct, + srtp_cipher_t **c, + int key_len, + int tlen); srtp_err_status_t srtp_cipher_dealloc(srtp_cipher_t *c); srtp_err_status_t srtp_cipher_init(srtp_cipher_t *c, const uint8_t *key); -srtp_err_status_t srtp_cipher_set_iv(srtp_cipher_t *c, uint8_t *iv, int direction); -srtp_err_status_t srtp_cipher_output(srtp_cipher_t *c, uint8_t *buffer, uint32_t *num_octets_to_output); -srtp_err_status_t srtp_cipher_encrypt(srtp_cipher_t *c, uint8_t *buffer, uint32_t *num_octets_to_output); -srtp_err_status_t srtp_cipher_decrypt(srtp_cipher_t *c, uint8_t *buffer, uint32_t *num_octets_to_output); -srtp_err_status_t srtp_cipher_get_tag(srtp_cipher_t *c, uint8_t *buffer, uint32_t *tag_len); -srtp_err_status_t srtp_cipher_set_aad(srtp_cipher_t *c, const uint8_t *aad, uint32_t aad_len); +srtp_err_status_t srtp_cipher_set_iv(srtp_cipher_t *c, + uint8_t *iv, + int direction); +srtp_err_status_t srtp_cipher_output(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *num_octets_to_output); +srtp_err_status_t srtp_cipher_encrypt(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *num_octets_to_output); +srtp_err_status_t srtp_cipher_decrypt(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *num_octets_to_output); +srtp_err_status_t srtp_cipher_get_tag(srtp_cipher_t *c, + uint8_t *buffer, + uint32_t *tag_len); +srtp_err_status_t srtp_cipher_set_aad(srtp_cipher_t *c, + const uint8_t *aad, + uint32_t aad_len); /* * srtp_replace_cipher_type(ct, id) @@ -213,7 +238,8 @@ srtp_err_status_t srtp_cipher_set_aad(srtp_cipher_t *c, const uint8_t *aad, uint * with a new one passed in externally. The new cipher must pass all the * existing cipher_type's self tests as well as its own. */ -srtp_err_status_t srtp_replace_cipher_type(const srtp_cipher_type_t *ct, srtp_cipher_type_id_t id); +srtp_err_status_t srtp_replace_cipher_type(const srtp_cipher_type_t *ct, + srtp_cipher_type_id_t id); #ifdef __cplusplus } diff --git a/libs/srtp/include/rtp_priv.h b/libs/srtp/crypto/include/cipher_types.h similarity index 57% rename from libs/srtp/include/rtp_priv.h rename to libs/srtp/crypto/include/cipher_types.h index 1421386673..a543b5478b 100644 --- a/libs/srtp/include/rtp_priv.h +++ b/libs/srtp/crypto/include/cipher_types.h @@ -1,32 +1,24 @@ /* - * rtp_priv.h * - * private, internal header file for RTP - * - * David A. McGrew - * Cisco Systems, Inc. - */ -/* - * - * Copyright (c) 2001-2006 Cisco Systems, Inc. + * Copyright(c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -42,33 +34,48 @@ * */ +#ifndef CIHPER_TYPES_H +#define CIHPER_TYPES_H -#ifndef RTP_PRIV_H -#define RTP_PRIV_H +#include "cipher.h" +#include "auth.h" -#include "srtp_priv.h" -#include "rtp.h" +/* + * cipher types that can be included in the kernel + */ + +extern const srtp_cipher_type_t srtp_null_cipher; +extern const srtp_cipher_type_t srtp_aes_icm_128; +extern const srtp_cipher_type_t srtp_aes_icm_256; +#ifdef OPENSSL +extern const srtp_cipher_type_t srtp_aes_icm_192; +extern const srtp_cipher_type_t srtp_aes_gcm_128_openssl; +extern const srtp_cipher_type_t srtp_aes_gcm_256_openssl; +#endif + +/* + * auth func types that can be included in the kernel + */ -typedef srtp_hdr_t rtp_hdr_t; +extern const srtp_auth_type_t srtp_null_auth; +extern const srtp_auth_type_t srtp_hmac; -typedef struct { - srtp_hdr_t header; - char body[RTP_MAX_BUF_LEN]; -} rtp_msg_t; +/* + * other generic debug modules that can be included in the kernel + */ -typedef struct rtp_sender_ctx_t { - rtp_msg_t message; - int socket; - srtp_ctx_t *srtp_ctx; - struct sockaddr_in addr; /* reciever's address */ -} rtp_sender_ctx_t; +extern srtp_debug_module_t srtp_mod_auth; +extern srtp_debug_module_t srtp_mod_cipher; +extern srtp_debug_module_t srtp_mod_stat; +extern srtp_debug_module_t srtp_mod_alloc; -typedef struct rtp_receiver_ctx_t { - rtp_msg_t message; - int socket; - srtp_ctx_t *srtp_ctx; - struct sockaddr_in addr; /* receiver's address */ -} rtp_receiver_ctx_t; +/* debug modules for cipher types */ +extern srtp_debug_module_t srtp_mod_aes_icm; +#ifdef OPENSSL +extern srtp_debug_module_t srtp_mod_aes_gcm; +#endif +/* debug modules for auth types */ +extern srtp_debug_module_t srtp_mod_hmac; -#endif /* RTP_PRIV_H */ +#endif diff --git a/libs/srtp/crypto/include/crypto_kernel.h b/libs/srtp/crypto/include/crypto_kernel.h index 1abf383f5a..1f8dfa7712 100644 --- a/libs/srtp/crypto/include/crypto_kernel.h +++ b/libs/srtp/crypto/include/crypto_kernel.h @@ -42,7 +42,6 @@ * */ - #ifndef CRYPTO_KERNEL #define CRYPTO_KERNEL @@ -72,7 +71,7 @@ typedef enum { */ typedef struct srtp_kernel_cipher_type { srtp_cipher_type_id_t id; - const srtp_cipher_type_t *cipher_type; + const srtp_cipher_type_t *cipher_type; struct srtp_kernel_cipher_type *next; } srtp_kernel_cipher_type_t; @@ -81,7 +80,7 @@ typedef struct srtp_kernel_cipher_type { */ typedef struct srtp_kernel_auth_type { srtp_auth_type_id_t id; - const srtp_auth_type_t *auth_type; + const srtp_auth_type_t *auth_type; struct srtp_kernel_auth_type *next; } srtp_kernel_auth_type_t; @@ -93,7 +92,6 @@ typedef struct srtp_kernel_debug_module { struct srtp_kernel_debug_module *next; } srtp_kernel_debug_module_t; - /* * crypto_kernel_t is the data structure for the crypto kernel * @@ -101,18 +99,17 @@ typedef struct srtp_kernel_debug_module { * a global variable defined in crypto_kernel.c */ typedef struct { - srtp_crypto_kernel_state_t state; /* current state of kernel */ - srtp_kernel_cipher_type_t *cipher_type_list; /* list of all cipher types */ - srtp_kernel_auth_type_t *auth_type_list; /* list of all auth func types */ - srtp_kernel_debug_module_t *debug_module_list; /* list of all debug modules */ + srtp_crypto_kernel_state_t state; /* current state of kernel */ + srtp_kernel_cipher_type_t *cipher_type_list; /* list of all cipher types */ + srtp_kernel_auth_type_t *auth_type_list; /* list of all auth func types */ + srtp_kernel_debug_module_t + *debug_module_list; /* list of all debug modules */ } srtp_crypto_kernel_t; - /* * srtp_crypto_kernel_t external api */ - /* * The function srtp_crypto_kernel_init() initialized the crypto kernel and * runs the self-test operations on the random number generators and @@ -126,7 +123,6 @@ typedef struct { */ srtp_err_status_t srtp_crypto_kernel_init(void); - /* * The function srtp_crypto_kernel_shutdown() de-initializes the * crypto_kernel, zeroizes keys and other cryptographic material, and @@ -150,7 +146,6 @@ srtp_err_status_t srtp_crypto_kernel_shutdown(void); */ srtp_err_status_t srtp_crypto_kernel_status(void); - /* * srtp_crypto_kernel_list_debug_modules() outputs a list of debugging modules * @@ -161,11 +156,15 @@ srtp_err_status_t srtp_crypto_kernel_list_debug_modules(void); * srtp_crypto_kernel_load_cipher_type() * */ -srtp_err_status_t srtp_crypto_kernel_load_cipher_type(const srtp_cipher_type_t *ct, srtp_cipher_type_id_t id); +srtp_err_status_t srtp_crypto_kernel_load_cipher_type( + const srtp_cipher_type_t *ct, + srtp_cipher_type_id_t id); -srtp_err_status_t srtp_crypto_kernel_load_auth_type(const srtp_auth_type_t *ct, srtp_auth_type_id_t id); +srtp_err_status_t srtp_crypto_kernel_load_auth_type(const srtp_auth_type_t *ct, + srtp_auth_type_id_t id); -srtp_err_status_t srtp_crypto_kernel_load_debug_module(srtp_debug_module_t *new_dm); +srtp_err_status_t srtp_crypto_kernel_load_debug_module( + srtp_debug_module_t *new_dm); /* * srtp_crypto_kernel_alloc_cipher(id, cp, key_len); @@ -177,7 +176,10 @@ srtp_err_status_t srtp_crypto_kernel_load_debug_module(srtp_debug_module_t *new_ * srtp_err_status_alloc_fail an allocation failure occured * srtp_err_status_fail couldn't find cipher with identifier 'id' */ -srtp_err_status_t srtp_crypto_kernel_alloc_cipher(srtp_cipher_type_id_t id, srtp_cipher_pointer_t *cp, int key_len, int tag_len); +srtp_err_status_t srtp_crypto_kernel_alloc_cipher(srtp_cipher_type_id_t id, + srtp_cipher_pointer_t *cp, + int key_len, + int tag_len); /* * srtp_crypto_kernel_alloc_auth(id, ap, key_len, tag_len); @@ -190,8 +192,10 @@ srtp_err_status_t srtp_crypto_kernel_alloc_cipher(srtp_cipher_type_id_t id, srtp * srtp_err_status_alloc_fail an allocation failure occured * srtp_err_status_fail couldn't find auth with identifier 'id' */ -srtp_err_status_t srtp_crypto_kernel_alloc_auth(srtp_auth_type_id_t id, srtp_auth_pointer_t *ap, int key_len, int tag_len); - +srtp_err_status_t srtp_crypto_kernel_alloc_auth(srtp_auth_type_id_t id, + srtp_auth_pointer_t *ap, + int key_len, + int tag_len); /* * srtp_crypto_kernel_set_debug_module(mod_name, v) @@ -201,7 +205,8 @@ srtp_err_status_t srtp_crypto_kernel_alloc_auth(srtp_auth_type_id_t id, srtp_aut * * returns srtp_err_status_ok on success, srtp_err_status_fail otherwise */ -srtp_err_status_t srtp_crypto_kernel_set_debug_module(const char *mod_name, int v); +srtp_err_status_t srtp_crypto_kernel_set_debug_module(const char *mod_name, + int v); #ifdef __cplusplus } diff --git a/libs/srtp/crypto/include/crypto_types.h b/libs/srtp/crypto/include/crypto_types.h index 329d60dbd1..7fd3178b0b 100644 --- a/libs/srtp/crypto/include/crypto_types.h +++ b/libs/srtp/crypto/include/crypto_types.h @@ -7,26 +7,26 @@ * Cisco Systems, Inc. */ /* - * + * * Copyright(c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -48,62 +48,62 @@ /* * The null cipher performs no encryption. * - * The SRTP_NULL_CIPHER leaves its inputs unaltered, during both the + * The SRTP_NULL_CIPHER leaves its inputs unaltered, during both the * encryption and decryption operations. This cipher can be chosen * to indicate that no encryption is to be performed. */ -#define SRTP_NULL_CIPHER 0 +#define SRTP_NULL_CIPHER 0 -/* +/* * AES-128 Integer Counter Mode (AES ICM) * * AES-128 ICM is the variant of counter mode that is used by * Secure RTP. This cipher uses a 16-octet key concatenated with a * 14-octet offset (or salt) value. */ -#define SRTP_AES_ICM_128 1 +#define SRTP_AES_ICM_128 1 -/* +/* * AES-192 Integer Counter Mode (AES ICM) * * AES-128 ICM is the variant of counter mode that is used by * Secure RTP. This cipher uses a 24-octet key concatenated with a * 14-octet offset (or salt) value. */ -#define SRTP_AES_ICM_192 4 +#define SRTP_AES_ICM_192 4 -/* +/* * AES-256 Integer Counter Mode (AES ICM) * * AES-128 ICM is the variant of counter mode that is used by * Secure RTP. This cipher uses a 32-octet key concatenated with a * 14-octet offset (or salt) value. */ -#define SRTP_AES_ICM_256 5 +#define SRTP_AES_ICM_256 5 -/* - * AES-128_GCM Galois Counter Mode (AES GCM) +/* + * AES-128_GCM Galois Counter Mode (AES GCM) * - * AES-128 GCM is the variant of galois counter mode that is used by + * AES-128 GCM is the variant of galois counter mode that is used by * Secure RTP. This cipher uses a 16-octet key. */ -#define SRTP_AES_GCM_128 6 +#define SRTP_AES_GCM_128 6 -/* - * AES-256_GCM Galois Counter Mode (AES GCM) +/* + * AES-256_GCM Galois Counter Mode (AES GCM) * - * AES-256 GCM is the variant of galois counter mode that is used by + * AES-256 GCM is the variant of galois counter mode that is used by * Secure RTP. This cipher uses a 32-octet key. */ -#define SRTP_AES_GCM_256 7 +#define SRTP_AES_GCM_256 7 /* * The null authentication function performs no authentication. * * The NULL_AUTH function does nothing, and can be selected to indicate * that authentication should not be performed. - */ -#define SRTP_NULL_AUTH 0 + */ +#define SRTP_NULL_AUTH 0 /* * HMAC-SHA1 @@ -111,6 +111,6 @@ * SRTP_HMAC_SHA1 implements the Hash-based MAC using the NIST Secure * Hash Algorithm version 1 (SHA1). */ -#define SRTP_HMAC_SHA1 3 +#define SRTP_HMAC_SHA1 3 -#endif /* SRTP_CRYPTO_TYPES_H */ +#endif /* SRTP_CRYPTO_TYPES_H */ diff --git a/libs/srtp/crypto/include/datatypes.h b/libs/srtp/crypto/include/datatypes.h index 8440376824..182cca25b9 100644 --- a/libs/srtp/crypto/include/datatypes.h +++ b/libs/srtp/crypto/include/datatypes.h @@ -1,6 +1,6 @@ /* * datatypes.h - * + * * data types for bit vectors and finite fields * * David A. McGrew @@ -8,26 +8,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -43,11 +43,10 @@ * */ - #ifndef DATATYPES_H #define DATATYPES_H -#include "integers.h" /* definitions of uint32_t, et cetera */ +#include "integers.h" /* definitions of uint32_t, et cetera */ #include "alloc.h" #include @@ -56,42 +55,43 @@ #include #include #ifdef HAVE_NETINET_IN_H -# include +#include #elif defined HAVE_WINSOCK2_H -# include +#include +#else +#error "Platform not recognized" #endif #ifdef __cplusplus extern "C" { #endif - /* if DATATYPES_USE_MACROS is defined, then little functions are macros */ -#define DATATYPES_USE_MACROS +#define DATATYPES_USE_MACROS typedef union { - uint8_t v8[2]; - uint16_t value; + uint8_t v8[2]; + uint16_t value; } v16_t; typedef union { - uint8_t v8[4]; - uint16_t v16[2]; - uint32_t value; + uint8_t v8[4]; + uint16_t v16[2]; + uint32_t value; } v32_t; typedef union { - uint8_t v8[8]; - uint16_t v16[4]; - uint32_t v32[2]; - uint64_t value; + uint8_t v8[8]; + uint16_t v16[4]; + uint32_t v32[2]; + uint64_t value; } v64_t; typedef union { - uint8_t v8[16]; - uint16_t v16[8]; - uint32_t v32[4]; - uint64_t v64[2]; + uint8_t v8[16]; + uint16_t v16[8]; + uint32_t v32[4]; + uint64_t v64[2]; } v128_t; typedef union { @@ -101,118 +101,82 @@ typedef union { uint64_t v64[4]; } v256_t; - /* some useful and simple math functions */ -#define pow_2(X) ( (unsigned int)1 << (X) ) /* 2^X */ - -#define pow_minus_one(X) ( (X) ? -1 : 1 ) /* (-1)^X */ +#define pow_2(X) ((unsigned int)1 << (X)) /* 2^X */ +#define pow_minus_one(X) ((X) ? -1 : 1) /* (-1)^X */ /* * octet_get_weight(x) returns the hamming weight (number of bits equal to * one) in the octet x */ -int -octet_get_weight(uint8_t octet); +int octet_get_weight(uint8_t octet); #define MAX_PRINT_STRING_LEN 1024 -char * -srtp_octet_string_hex_string(const void *str, int length); +char *srtp_octet_string_hex_string(const void *str, int length); -char * -v128_bit_string(v128_t *x); +char *v128_bit_string(v128_t *x); -char * -v128_hex_string(v128_t *x); +char *v128_hex_string(v128_t *x); -void -v128_copy_octet_string(v128_t *x, const uint8_t s[16]); +void v128_copy_octet_string(v128_t *x, const uint8_t s[16]); -void -v128_left_shift(v128_t *x, int shift_index); +void v128_left_shift(v128_t *x, int shift_index); -void -v128_right_shift(v128_t *x, int shift_index); +void v128_right_shift(v128_t *x, int shift_index); /* * the following macros define the data manipulation functions - * + * * If DATATYPES_USE_MACROS is defined, then these macros are used * directly (and function call overhead is avoided). Otherwise, * the macros are used through the functions defined in datatypes.c * (and the compiler provides better warnings). */ -#define _v128_set_to_zero(x) \ -( \ - (x)->v32[0] = 0, \ - (x)->v32[1] = 0, \ - (x)->v32[2] = 0, \ - (x)->v32[3] = 0 \ -) - -#define _v128_copy(x, y) \ -( \ - (x)->v32[0] = (y)->v32[0], \ - (x)->v32[1] = (y)->v32[1], \ - (x)->v32[2] = (y)->v32[2], \ - (x)->v32[3] = (y)->v32[3] \ -) - -#define _v128_xor(z, x, y) \ -( \ - (z)->v32[0] = (x)->v32[0] ^ (y)->v32[0], \ - (z)->v32[1] = (x)->v32[1] ^ (y)->v32[1], \ - (z)->v32[2] = (x)->v32[2] ^ (y)->v32[2], \ - (z)->v32[3] = (x)->v32[3] ^ (y)->v32[3] \ -) - -#define _v128_and(z, x, y) \ -( \ - (z)->v32[0] = (x)->v32[0] & (y)->v32[0], \ - (z)->v32[1] = (x)->v32[1] & (y)->v32[1], \ - (z)->v32[2] = (x)->v32[2] & (y)->v32[2], \ - (z)->v32[3] = (x)->v32[3] & (y)->v32[3] \ -) - -#define _v128_or(z, x, y) \ -( \ - (z)->v32[0] = (x)->v32[0] | (y)->v32[0], \ - (z)->v32[1] = (x)->v32[1] | (y)->v32[1], \ - (z)->v32[2] = (x)->v32[2] | (y)->v32[2], \ - (z)->v32[3] = (x)->v32[3] | (y)->v32[3] \ -) - -#define _v128_complement(x) \ -( \ - (x)->v32[0] = ~(x)->v32[0], \ - (x)->v32[1] = ~(x)->v32[1], \ - (x)->v32[2] = ~(x)->v32[2], \ - (x)->v32[3] = ~(x)->v32[3] \ -) +#define _v128_set_to_zero(x) \ + ((x)->v32[0] = 0, (x)->v32[1] = 0, (x)->v32[2] = 0, (x)->v32[3] = 0) -/* ok for NO_64BIT_MATH if it can compare uint64_t's (even as structures) */ -#define _v128_is_eq(x, y) \ - (((x)->v64[0] == (y)->v64[0]) && ((x)->v64[1] == (y)->v64[1])) +#define _v128_copy(x, y) \ + ((x)->v32[0] = (y)->v32[0], (x)->v32[1] = (y)->v32[1], \ + (x)->v32[2] = (y)->v32[2], (x)->v32[3] = (y)->v32[3]) +#define _v128_xor(z, x, y) \ + ((z)->v32[0] = (x)->v32[0] ^ (y)->v32[0], \ + (z)->v32[1] = (x)->v32[1] ^ (y)->v32[1], \ + (z)->v32[2] = (x)->v32[2] ^ (y)->v32[2], \ + (z)->v32[3] = (x)->v32[3] ^ (y)->v32[3]) + +#define _v128_and(z, x, y) \ + ((z)->v32[0] = (x)->v32[0] & (y)->v32[0], \ + (z)->v32[1] = (x)->v32[1] & (y)->v32[1], \ + (z)->v32[2] = (x)->v32[2] & (y)->v32[2], \ + (z)->v32[3] = (x)->v32[3] & (y)->v32[3]) + +#define _v128_or(z, x, y) \ + ((z)->v32[0] = (x)->v32[0] | (y)->v32[0], \ + (z)->v32[1] = (x)->v32[1] | (y)->v32[1], \ + (z)->v32[2] = (x)->v32[2] | (y)->v32[2], \ + (z)->v32[3] = (x)->v32[3] | (y)->v32[3]) + +#define _v128_complement(x) \ + ((x)->v32[0] = ~(x)->v32[0], (x)->v32[1] = ~(x)->v32[1], \ + (x)->v32[2] = ~(x)->v32[2], (x)->v32[3] = ~(x)->v32[3]) + +/* ok for NO_64BIT_MATH if it can compare uint64_t's (even as structures) */ +#define _v128_is_eq(x, y) \ + (((x)->v64[0] == (y)->v64[0]) && ((x)->v64[1] == (y)->v64[1])) #ifdef NO_64BIT_MATH -#define _v128_xor_eq(z, x) \ -( \ - (z)->v32[0] ^= (x)->v32[0], \ - (z)->v32[1] ^= (x)->v32[1], \ - (z)->v32[2] ^= (x)->v32[2], \ - (z)->v32[3] ^= (x)->v32[3] \ -) +#define _v128_xor_eq(z, x) \ + ((z)->v32[0] ^= (x)->v32[0], (z)->v32[1] ^= (x)->v32[1], \ + (z)->v32[2] ^= (x)->v32[2], (z)->v32[3] ^= (x)->v32[3]) #else -#define _v128_xor_eq(z, x) \ -( \ - (z)->v64[0] ^= (x)->v64[0], \ - (z)->v64[1] ^= (x)->v64[1] \ -) +#define _v128_xor_eq(z, x) \ + ((z)->v64[0] ^= (x)->v64[0], (z)->v64[1] ^= (x)->v64[1]) #endif /* NOTE! This assumes an odd ordering! */ @@ -224,76 +188,55 @@ v128_right_shift(v128_t *x, int shift_index); really care which bit is which. AES does care which bit is which, but doesn't use the 128-bit get/set or 128-bit shifts */ -#define _v128_get_bit(x, bit) \ -( \ - ((((x)->v32[(bit) >> 5]) >> ((bit) & 31)) & 1) \ -) - -#define _v128_set_bit(x, bit) \ -( \ - (((x)->v32[(bit) >> 5]) |= ((uint32_t)1 << ((bit) & 31))) \ -) - -#define _v128_clear_bit(x, bit) \ -( \ - (((x)->v32[(bit) >> 5]) &= ~((uint32_t)1 << ((bit) & 31))) \ -) - -#define _v128_set_bit_to(x, bit, value) \ -( \ - (value) ? _v128_set_bit(x, bit) : \ - _v128_clear_bit(x, bit) \ -) - -#ifdef DATATYPES_USE_MACROS /* little functions are really macros */ - -#define v128_set_to_zero(z) _v128_set_to_zero(z) -#define v128_copy(z, x) _v128_copy(z, x) -#define v128_xor(z, x, y) _v128_xor(z, x, y) -#define v128_and(z, x, y) _v128_and(z, x, y) -#define v128_or(z, x, y) _v128_or(z, x, y) -#define v128_complement(x) _v128_complement(x) -#define v128_is_eq(x, y) _v128_is_eq(x, y) -#define v128_xor_eq(x, y) _v128_xor_eq(x, y) -#define v128_get_bit(x, i) _v128_get_bit(x, i) -#define v128_set_bit(x, i) _v128_set_bit(x, i) -#define v128_clear_bit(x, i) _v128_clear_bit(x, i) -#define v128_set_bit_to(x, i, y) _v128_set_bit_to(x, i, y) +#define _v128_get_bit(x, bit) (((((x)->v32[(bit) >> 5]) >> ((bit)&31)) & 1)) + +#define _v128_set_bit(x, bit) \ + ((((x)->v32[(bit) >> 5]) |= ((uint32_t)1 << ((bit)&31)))) + +#define _v128_clear_bit(x, bit) \ + ((((x)->v32[(bit) >> 5]) &= ~((uint32_t)1 << ((bit)&31)))) + +#define _v128_set_bit_to(x, bit, value) \ + ((value) ? _v128_set_bit(x, bit) : _v128_clear_bit(x, bit)) + +#ifdef DATATYPES_USE_MACROS /* little functions are really macros */ + +#define v128_set_to_zero(z) _v128_set_to_zero(z) +#define v128_copy(z, x) _v128_copy(z, x) +#define v128_xor(z, x, y) _v128_xor(z, x, y) +#define v128_and(z, x, y) _v128_and(z, x, y) +#define v128_or(z, x, y) _v128_or(z, x, y) +#define v128_complement(x) _v128_complement(x) +#define v128_is_eq(x, y) _v128_is_eq(x, y) +#define v128_xor_eq(x, y) _v128_xor_eq(x, y) +#define v128_get_bit(x, i) _v128_get_bit(x, i) +#define v128_set_bit(x, i) _v128_set_bit(x, i) +#define v128_clear_bit(x, i) _v128_clear_bit(x, i) +#define v128_set_bit_to(x, i, y) _v128_set_bit_to(x, i, y) #else -void -v128_set_to_zero(v128_t *x); +void v128_set_to_zero(v128_t *x); -int -v128_is_eq(const v128_t *x, const v128_t *y); +int v128_is_eq(const v128_t *x, const v128_t *y); -void -v128_copy(v128_t *x, const v128_t *y); +void v128_copy(v128_t *x, const v128_t *y); -void -v128_xor(v128_t *z, v128_t *x, v128_t *y); +void v128_xor(v128_t *z, v128_t *x, v128_t *y); -void -v128_and(v128_t *z, v128_t *x, v128_t *y); +void v128_and(v128_t *z, v128_t *x, v128_t *y); -void -v128_or(v128_t *z, v128_t *x, v128_t *y); +void v128_or(v128_t *z, v128_t *x, v128_t *y); -void -v128_complement(v128_t *x); +void v128_complement(v128_t *x); -int -v128_get_bit(const v128_t *x, int i); +int v128_get_bit(const v128_t *x, int i); -void -v128_set_bit(v128_t *x, int i) ; +void v128_set_bit(v128_t *x, int i); -void -v128_clear_bit(v128_t *x, int i); +void v128_clear_bit(v128_t *x, int i); -void -v128_set_bit_to(v128_t *x, int i, int y); +void v128_set_bit_to(v128_t *x, int i, int y); #endif /* DATATYPES_USE_MACROS */ @@ -304,113 +247,102 @@ v128_set_bit_to(v128_t *x, int i, int y); * verifying authentication tags. */ -int -octet_string_is_eq(uint8_t *a, uint8_t *b, int len); +int octet_string_is_eq(uint8_t *a, uint8_t *b, int len); /* * A portable way to zero out memory as recommended by * https://cryptocoding.net/index.php/Coding_rules#Clean_memory_of_secret_data * This is used to zero memory when OPENSSL_cleanse() is not available. */ -void -srtp_cleanse(void *s, size_t len); +void srtp_cleanse(void *s, size_t len); /* * Functions as a wrapper that delegates to either srtp_cleanse() or * OPENSSL_cleanse() if available to zero memory. */ -void -octet_string_set_to_zero(void *s, size_t len); +void octet_string_set_to_zero(void *s, size_t len); -#if defined(HAVE_CONFIG_H) +#if defined(HAVE_CONFIG_H) -/* +/* * Convert big endian integers to CPU byte order. */ #ifdef WORDS_BIGENDIAN /* Nothing to do. */ -# define be32_to_cpu(x) (x) -# define be64_to_cpu(x) (x) +#define be32_to_cpu(x) (x) +#define be64_to_cpu(x) (x) #elif defined(HAVE_BYTESWAP_H) /* We have (hopefully) optimized versions in byteswap.h */ -# include -# define be32_to_cpu(x) bswap_32((x)) -# define be64_to_cpu(x) bswap_64((x)) -#else +#include +#define be32_to_cpu(x) bswap_32((x)) +#define be64_to_cpu(x) bswap_64((x)) +#else /* WORDS_BIGENDIAN */ #if defined(__GNUC__) && defined(HAVE_X86) /* Fall back. */ -static inline uint32_t be32_to_cpu(uint32_t v) { - /* optimized for x86. */ - __asm__("bswap %0" : "=r" (v) : "0" (v)); - return v; -} -# else /* HAVE_X86 */ -# ifdef HAVE_NETINET_IN_H -# include -# elif defined HAVE_WINSOCK2_H -# include -# endif -# define be32_to_cpu(x) ntohl((x)) -# endif /* HAVE_X86 */ - -static inline uint64_t be64_to_cpu(uint64_t v) { -# ifdef NO_64BIT_MATH - /* use the make64 functions to do 64-bit math */ - v = make64(htonl(low32(v)),htonl(high32(v))); -# else - /* use the native 64-bit math */ - v= (uint64_t)((be32_to_cpu((uint32_t)(v >> 32))) | (((uint64_t)be32_to_cpu((uint32_t)v)) << 32)); -# endif - return v; +static inline uint32_t be32_to_cpu(uint32_t v) +{ + /* optimized for x86. */ + asm("bswap %0" : "=r"(v) : "0"(v)); + return v; } +#else /* HAVE_X86 */ +#ifdef HAVE_NETINET_IN_H +#include +#elif defined HAVE_WINSOCK2_H +#include +#endif /* HAVE_NETINET_IN_H */ +#define be32_to_cpu(x) ntohl((x)) +#endif /* HAVE_X86 */ -#endif +static inline uint64_t be64_to_cpu(uint64_t v) +{ +#ifdef NO_64BIT_MATH + /* use the make64 functions to do 64-bit math */ + v = make64(htonl(low32(v)), htonl(high32(v))); +#else /* NO_64BIT_MATH */ + /* use the native 64-bit math */ + v = (uint64_t)((be32_to_cpu((uint32_t)(v >> 32))) | + (((uint64_t)be32_to_cpu((uint32_t)v)) << 32)); +#endif /* NO_64BIT_MATH */ + return v; +} #endif /* WORDS_BIGENDIAN */ +#endif /* HAVE_CONFIG_H */ + /* - * functions manipulating bitvector_t + * functions manipulating bitvector_t * * A bitvector_t consists of an array of words and an integer * representing the number of significant bits stored in the array. * The bits are packed as follows: the least significant bit is that * of word[0], while the most significant bit is the nth most * significant bit of word[m], where length = bits_per_word * m + n. - * + * */ -#define bits_per_word 32 +#define bits_per_word 32 #define bytes_per_word 4 typedef struct { - uint32_t length; - uint32_t *word; + uint32_t length; + uint32_t *word; } bitvector_t; +#define _bitvector_get_bit(v, bit_index) \ + (((((v)->word[((bit_index) >> 5)]) >> ((bit_index)&31)) & 1)) -#define _bitvector_get_bit(v, bit_index) \ -( \ - ((((v)->word[((bit_index) >> 5)]) >> ((bit_index) & 31)) & 1) \ -) - - -#define _bitvector_set_bit(v, bit_index) \ -( \ - (((v)->word[((bit_index) >> 5)] |= ((uint32_t)1 << ((bit_index) & 31)))) \ -) +#define _bitvector_set_bit(v, bit_index) \ + ((((v)->word[((bit_index) >> 5)] |= ((uint32_t)1 << ((bit_index)&31))))) -#define _bitvector_clear_bit(v, bit_index) \ -( \ - (((v)->word[((bit_index) >> 5)] &= ~((uint32_t)1 << ((bit_index) & 31)))) \ -) +#define _bitvector_clear_bit(v, bit_index) \ + ((((v)->word[((bit_index) >> 5)] &= ~((uint32_t)1 << ((bit_index)&31))))) -#define _bitvector_get_length(v) \ -( \ - ((v)->length) \ -) +#define _bitvector_get_length(v) (((v)->length)) -#ifdef DATATYPES_USE_MACROS /* little functions are really macros */ +#ifdef DATATYPES_USE_MACROS /* little functions are really macros */ #define bitvector_get_bit(v, bit_index) _bitvector_get_bit(v, bit_index) #define bitvector_set_bit(v, bit_index) _bitvector_set_bit(v, bit_index) @@ -419,34 +351,25 @@ typedef struct { #else -int -bitvector_get_bit(const bitvector_t *v, int bit_index); +int bitvector_get_bit(const bitvector_t *v, int bit_index); -void -bitvector_set_bit(bitvector_t *v, int bit_index); +void bitvector_set_bit(bitvector_t *v, int bit_index); -void -bitvector_clear_bit(bitvector_t *v, int bit_index); +void bitvector_clear_bit(bitvector_t *v, int bit_index); -unsigned long -bitvector_get_length(const bitvector_t *v); +unsigned long bitvector_get_length(const bitvector_t *v); #endif -int -bitvector_alloc(bitvector_t *v, unsigned long length); +int bitvector_alloc(bitvector_t *v, unsigned long length); -void -bitvector_dealloc(bitvector_t *v); +void bitvector_dealloc(bitvector_t *v); -void -bitvector_set_to_zero(bitvector_t *x); +void bitvector_set_to_zero(bitvector_t *x); -void -bitvector_left_shift(bitvector_t *x, int index); +void bitvector_left_shift(bitvector_t *x, int index); -char * -bitvector_bit_string(bitvector_t *x, char* buf, int len); +char *bitvector_bit_string(bitvector_t *x, char *buf, int len); #ifdef __cplusplus } diff --git a/libs/srtp/crypto/include/err.h b/libs/srtp/crypto/include/err.h index b6f196da84..66a1023ec8 100644 --- a/libs/srtp/crypto/include/err.h +++ b/libs/srtp/crypto/include/err.h @@ -42,7 +42,6 @@ * */ - #ifndef ERR_H #define ERR_H @@ -62,7 +61,6 @@ extern "C" { * @{ */ - /** * @} */ @@ -82,9 +80,11 @@ typedef enum { srtp_err_status_t srtp_err_reporting_init(void); -typedef void (srtp_err_report_handler_func_t)(srtp_err_reporting_level_t level, const char * msg); +typedef void(srtp_err_report_handler_func_t)(srtp_err_reporting_level_t level, + const char *msg); -srtp_err_status_t srtp_install_err_report_handler(srtp_err_report_handler_func_t func); +srtp_err_status_t srtp_install_err_report_handler( + srtp_err_report_handler_func_t func); /* * srtp_err_report reports a 'printf' formatted error @@ -96,9 +96,7 @@ srtp_err_status_t srtp_install_err_report_handler(srtp_err_report_handler_func_t * */ -void -srtp_err_report(srtp_err_reporting_level_t level, const char *format, ...); - +void srtp_err_report(srtp_err_reporting_level_t level, const char *format, ...); /* * debug_module_t defines a debug module @@ -111,17 +109,21 @@ typedef struct { #ifdef ENABLE_DEBUG_LOGGING -#define debug_print(mod, format, arg) \ +#define debug_print(mod, format, arg) \ srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, arg) -#define debug_print2(mod, format, arg1, arg2) \ - srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, arg1, arg2) +#define debug_print2(mod, format, arg1, arg2) \ + srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, \ + arg1, arg2) #else -#define debug_print(mod, format, arg) \ - if (mod.on) srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, arg) -#define debug_print2(mod, format, arg1, arg2) \ - if (mod.on) srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, arg1, arg2) +#define debug_print(mod, format, arg) \ + if (mod.on) \ + srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, arg) +#define debug_print2(mod, format, arg1, arg2) \ + if (mod.on) \ + srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, \ + arg1, arg2) #endif diff --git a/libs/srtp/crypto/include/integers.h b/libs/srtp/crypto/include/integers.h index 4a871c7085..f2cd7c064d 100644 --- a/libs/srtp/crypto/include/integers.h +++ b/libs/srtp/crypto/include/integers.h @@ -8,26 +8,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -43,29 +43,27 @@ * */ - #ifndef INTEGERS_H #define INTEGERS_H - /* use standard integer definitions, if they're available */ #ifdef HAVE_STDLIB_H -# include +#include #endif #ifdef HAVE_STDINT_H -# include +#include #endif #ifdef HAVE_INTTYPES_H -# include +#include #endif #ifdef HAVE_SYS_TYPES_H -# include +#include #endif #ifdef HAVE_SYS_INT_TYPES_H -# include /* this exists on Sun OS */ +#include /* this exists on Sun OS */ #endif #ifdef HAVE_MACHINE_TYPES_H -# include +#include #endif #ifdef __cplusplus @@ -74,31 +72,30 @@ extern "C" { /* Can we do 64 bit integers? */ #if !defined(HAVE_UINT64_T) -# if SIZEOF_UNSIGNED_LONG == 8 -typedef unsigned long uint64_t; -# elif SIZEOF_UNSIGNED_LONG_LONG == 8 -typedef unsigned long long uint64_t; -# else -# define NO_64BIT_MATH 1 -# endif +#if SIZEOF_UNSIGNED_LONG == 8 +typedef unsigned long uint64_t; +#elif SIZEOF_UNSIGNED_LONG_LONG == 8 +typedef unsigned long long uint64_t; +#else +#define NO_64BIT_MATH 1 +#endif #endif /* Reasonable defaults for 32 bit machines - you may need to * edit these definitions for your own machine. */ #ifndef HAVE_UINT8_T -typedef unsigned char uint8_t; +typedef unsigned char uint8_t; #endif #ifndef HAVE_UINT16_T -typedef unsigned short int uint16_t; +typedef unsigned short int uint16_t; #endif #ifndef HAVE_UINT32_T -typedef unsigned int uint32_t; +typedef unsigned int uint32_t; #endif #ifndef HAVE_INT32_T typedef int int32_t; #endif - #if defined(NO_64BIT_MATH) && defined(HAVE_CONFIG_H) typedef double uint64_t; /* assert that sizeof(double) == 8 */ @@ -107,39 +104,38 @@ extern uint32_t high32(uint64_t value); extern uint32_t low32(uint64_t value); #endif - /* These macros are to load and store 32-bit values from un-aligned addresses. This is required for processors that do not allow unaligned loads. */ #ifdef ALIGNMENT_32BIT_REQUIRED /* Note that if it's in a variable, you can memcpy it */ #ifdef WORDS_BIGENDIAN -#define PUT_32(addr,value) \ - { \ - ((unsigned char *) (addr))[0] = (value >> 24); \ - ((unsigned char *) (addr))[1] = (value >> 16) & 0xff; \ - ((unsigned char *) (addr))[2] = (value >> 8) & 0xff; \ - ((unsigned char *) (addr))[3] = (value) & 0xff; \ +#define PUT_32(addr, value) \ + { \ + ((unsigned char *)(addr))[0] = (value >> 24); \ + ((unsigned char *)(addr))[1] = (value >> 16) & 0xff; \ + ((unsigned char *)(addr))[2] = (value >> 8) & 0xff; \ + ((unsigned char *)(addr))[3] = (value)&0xff; \ } -#define GET_32(addr) ((((unsigned char *) (addr))[0] << 24) | \ - (((unsigned char *) (addr))[1] << 16) | \ - (((unsigned char *) (addr))[2] << 8) | \ - (((unsigned char *) (addr))[3])) +#define GET_32(addr) \ + ((((unsigned char *)(addr))[0] << 24) | \ + (((unsigned char *)(addr))[1] << 16) | \ + (((unsigned char *)(addr))[2] << 8) | (((unsigned char *)(addr))[3])) #else -#define PUT_32(addr,value) \ - { \ - ((unsigned char *) (addr))[3] = (value >> 24); \ - ((unsigned char *) (addr))[2] = (value >> 16) & 0xff; \ - ((unsigned char *) (addr))[1] = (value >> 8) & 0xff; \ - ((unsigned char *) (addr))[0] = (value) & 0xff; \ +#define PUT_32(addr, value) \ + { \ + ((unsigned char *)(addr))[3] = (value >> 24); \ + ((unsigned char *)(addr))[2] = (value >> 16) & 0xff; \ + ((unsigned char *)(addr))[1] = (value >> 8) & 0xff; \ + ((unsigned char *)(addr))[0] = (value)&0xff; \ } -#define GET_32(addr) ((((unsigned char *) (addr))[3] << 24) | \ - (((unsigned char *) (addr))[2] << 16) | \ - (((unsigned char *) (addr))[1] << 8) | \ - (((unsigned char *) (addr))[0])) +#define GET_32(addr) \ + ((((unsigned char *)(addr))[3] << 24) | \ + (((unsigned char *)(addr))[2] << 16) | \ + (((unsigned char *)(addr))[1] << 8) | (((unsigned char *)(addr))[0])) #endif // WORDS_BIGENDIAN #else -#define PUT_32(addr,value) *(((uint32_t *) (addr)) = (value) +#define PUT_32(addr, value) *(((uint32_t *) (addr)) = (value) #define GET_32(addr) (*(((uint32_t *) (addr))) #endif diff --git a/libs/srtp/crypto/include/key.h b/libs/srtp/crypto/include/key.h index 55ba126435..3498114b05 100644 --- a/libs/srtp/crypto/include/key.h +++ b/libs/srtp/crypto/include/key.h @@ -45,7 +45,7 @@ #ifndef KEY_H #define KEY_H -#include "rdbx.h" /* for srtp_xtd_seq_num_t */ +#include "rdbx.h" /* for srtp_xtd_seq_num_t */ #include "err.h" #ifdef __cplusplus @@ -60,9 +60,11 @@ typedef enum { srtp_key_event_hard_limit } srtp_key_event_t; -srtp_err_status_t srtp_key_limit_set(srtp_key_limit_t key, const srtp_xtd_seq_num_t s); +srtp_err_status_t srtp_key_limit_set(srtp_key_limit_t key, + const srtp_xtd_seq_num_t s); -srtp_err_status_t srtp_key_limit_clone(srtp_key_limit_t original, srtp_key_limit_t *new_key); +srtp_err_status_t srtp_key_limit_clone(srtp_key_limit_t original, + srtp_key_limit_t *new_key); srtp_err_status_t srtp_key_limit_check(const srtp_key_limit_t key); diff --git a/libs/srtp/crypto/include/null_cipher.h b/libs/srtp/crypto/include/null_cipher.h index 4e168f1a77..5e8c91c134 100644 --- a/libs/srtp/crypto/include/null_cipher.h +++ b/libs/srtp/crypto/include/null_cipher.h @@ -44,7 +44,6 @@ * */ - #ifndef NULL_CIPHER_H #define NULL_CIPHER_H diff --git a/libs/srtp/crypto/include/rdb.h b/libs/srtp/crypto/include/rdb.h index 4671a0a0d9..98314c1f3e 100644 --- a/libs/srtp/crypto/include/rdb.h +++ b/libs/srtp/crypto/include/rdb.h @@ -7,28 +7,27 @@ * Cisco Systems, Inc. */ - /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -47,9 +46,9 @@ #ifndef REPLAY_DB_H #define REPLAY_DB_H -#include "integers.h" /* for uint32_t */ -#include "datatypes.h" /* for v128_t */ -#include "err.h" /* for srtp_err_status_t */ +#include "integers.h" /* for uint32_t */ +#include "datatypes.h" /* for v128_t */ +#include "err.h" /* for srtp_err_status_t */ #ifdef __cplusplus extern "C" { @@ -76,7 +75,6 @@ typedef struct { */ srtp_err_status_t srtp_rdb_init(srtp_rdb_t *rdb); - /* * srtp_rdb_check * @@ -103,7 +101,6 @@ srtp_err_status_t srtp_rdb_add_index(srtp_rdb_t *rdb, uint32_t rdb_index); * srtp_rdb_t upon which srtp_rdb_add_index is used! */ - /* * srtp_rdb_increment(db) increments the sequence number in db, if it is * not too high @@ -121,7 +118,6 @@ srtp_err_status_t srtp_rdb_increment(srtp_rdb_t *rdb); */ uint32_t srtp_rdb_get_value(const srtp_rdb_t *rdb); - #ifdef __cplusplus } #endif diff --git a/libs/srtp/crypto/include/rdbx.h b/libs/srtp/crypto/include/rdbx.h index 010eb012d7..2194178ee2 100644 --- a/libs/srtp/crypto/include/rdbx.h +++ b/libs/srtp/crypto/include/rdbx.h @@ -9,26 +9,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -58,10 +58,10 @@ extern "C" { #ifndef ROC_TEST -typedef uint16_t srtp_sequence_number_t; /* 16 bit sequence number */ -typedef uint32_t srtp_rollover_counter_t; /* 32 bit rollover counter */ +typedef uint16_t srtp_sequence_number_t; /* 16 bit sequence number */ +typedef uint32_t srtp_rollover_counter_t; /* 32 bit rollover counter */ -#else /* use small seq_num and roc datatypes for testing purposes */ +#else /* use small seq_num and roc datatypes for testing purposes */ typedef unsigned char srtp_sequence_number_t; /* 8 bit sequence number */ typedef uint16_t srtp_rollover_counter_t; /* 16 bit rollover counter */ @@ -69,7 +69,7 @@ typedef uint16_t srtp_rollover_counter_t; /* 16 bit rollover counter */ #endif #define seq_num_median (1 << (8 * sizeof(srtp_sequence_number_t) - 1)) -#define seq_num_max (1 << (8 * sizeof(srtp_sequence_number_t))) +#define seq_num_max (1 << (8 * sizeof(srtp_sequence_number_t))) /* * An rtp_xtd_seq_num_t is a 64-bit unsigned integer used as an 'extended' @@ -77,7 +77,6 @@ typedef uint16_t srtp_rollover_counter_t; /* 16 bit rollover counter */ */ typedef uint64_t srtp_xtd_seq_num_t; - /* * An srtp_rdbx_t is a replay database with extended range; it uses an * xtd_seq_num_t and a bitmask of recently received indices. @@ -87,7 +86,6 @@ typedef struct { bitvector_t bitmask; } srtp_rdbx_t; - /* * srtp_rdbx_init(rdbx_ptr, ws) * @@ -96,7 +94,6 @@ typedef struct { */ srtp_err_status_t srtp_rdbx_init(srtp_rdbx_t *rdbx, unsigned long ws); - /* * srtp_rdbx_dealloc(rdbx_ptr) * @@ -104,7 +101,6 @@ srtp_err_status_t srtp_rdbx_init(srtp_rdbx_t *rdbx, unsigned long ws); */ srtp_err_status_t srtp_rdbx_dealloc(srtp_rdbx_t *rdbx); - /* * srtp_rdbx_estimate_index(rdbx, guess, s) * @@ -113,7 +109,9 @@ srtp_err_status_t srtp_rdbx_dealloc(srtp_rdbx_t *rdbx); * index to which s corresponds, and returns the difference between * *guess and the locally stored synch info */ -int32_t srtp_rdbx_estimate_index(const srtp_rdbx_t *rdbx, srtp_xtd_seq_num_t *guess, srtp_sequence_number_t s); +int32_t srtp_rdbx_estimate_index(const srtp_rdbx_t *rdbx, + srtp_xtd_seq_num_t *guess, + srtp_sequence_number_t s); /* * srtp_rdbx_check(rdbx, delta); @@ -136,7 +134,6 @@ srtp_err_status_t srtp_rdbx_check(const srtp_rdbx_t *rdbx, int difference); */ srtp_err_status_t srtp_rdbx_add_index(srtp_rdbx_t *rdbx, int delta); - /* * srtp_rdbx_set_roc(rdbx, roc) initalizes the srtp_rdbx_t at the location rdbx * to have the rollover counter value roc. If that value is less than @@ -147,7 +144,8 @@ srtp_err_status_t srtp_rdbx_add_index(srtp_rdbx_t *rdbx, int delta); srtp_err_status_t srtp_rdbx_set_roc(srtp_rdbx_t *rdbx, uint32_t roc); /* - * srtp_rdbx_get_packet_index(rdbx) returns the value of the rollover counter for + * srtp_rdbx_get_packet_index(rdbx) returns the value of the rollover counter + * for * the srtp_rdbx_t pointed to by rdbx * */ @@ -166,14 +164,12 @@ srtp_xtd_seq_num_t srtp_rdbx_get_packet_index(const srtp_rdbx_t *rdbx); */ unsigned long srtp_rdbx_get_window_size(const srtp_rdbx_t *rdbx); - /* index_init(&pi) initializes a packet index pi (sets it to zero) */ void srtp_index_init(srtp_xtd_seq_num_t *pi); /* index_advance(&pi, s) advances a xtd_seq_num_t forward by s */ void srtp_index_advance(srtp_xtd_seq_num_t *pi, srtp_sequence_number_t s); - /* * srtp_index_guess(local, guess, s) * @@ -183,7 +179,9 @@ void srtp_index_advance(srtp_xtd_seq_num_t *pi, srtp_sequence_number_t s); * guess of the packet index to which s corresponds, and returns the * difference between *guess and *local */ -int32_t srtp_index_guess(const srtp_xtd_seq_num_t *local, srtp_xtd_seq_num_t *guess, srtp_sequence_number_t s); +int32_t srtp_index_guess(const srtp_xtd_seq_num_t *local, + srtp_xtd_seq_num_t *guess, + srtp_sequence_number_t s); /* * srtp_rdbx_get_roc(rdbx) @@ -200,9 +198,9 @@ uint32_t srtp_rdbx_get_roc(const srtp_rdbx_t *rdbx); * rollover counter value, then the function returns * srtp_err_status_replay_old, otherwise, srtp_err_status_ok is returned. */ -srtp_err_status_t srtp_rdbx_set_roc_seq (srtp_rdbx_t *rdbx, - uint32_t roc, - uint16_t seq); +srtp_err_status_t srtp_rdbx_set_roc_seq(srtp_rdbx_t *rdbx, + uint32_t roc, + uint16_t seq); #ifdef __cplusplus } diff --git a/libs/srtp/crypto/include/sha1.h b/libs/srtp/crypto/include/sha1.h index 3dc8d91039..933c1466a3 100644 --- a/libs/srtp/crypto/include/sha1.h +++ b/libs/srtp/crypto/include/sha1.h @@ -48,7 +48,7 @@ #define SHA1_H #ifdef HAVE_CONFIG_H - #include +#include #endif #include "err.h" @@ -81,49 +81,53 @@ extern "C" { /* OpenSSL 1.1.0 made EVP_MD_CTX an opaque structure, which must be allocated using EVP_MD_CTX_new. But this function doesn't exist in OpenSSL 1.0.x. */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER typedef EVP_MD_CTX srtp_sha1_ctx_t; -static inline void srtp_sha1_init (srtp_sha1_ctx_t *ctx) +static inline void srtp_sha1_init(srtp_sha1_ctx_t *ctx) { EVP_MD_CTX_init(ctx); EVP_DigestInit(ctx, EVP_sha1()); } -static inline void srtp_sha1_update (srtp_sha1_ctx_t *ctx, const uint8_t *M, int octets_in_msg) +static inline void srtp_sha1_update(srtp_sha1_ctx_t *ctx, + const uint8_t *M, + int octets_in_msg) { EVP_DigestUpdate(ctx, M, octets_in_msg); } -static inline void srtp_sha1_final (srtp_sha1_ctx_t *ctx, uint32_t *output) +static inline void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t *output) { unsigned int len = 0; - EVP_DigestFinal(ctx, (unsigned char*)output, &len); + EVP_DigestFinal(ctx, (unsigned char *)output, &len); EVP_MD_CTX_cleanup(ctx); } #else -typedef EVP_MD_CTX* srtp_sha1_ctx_t; +typedef EVP_MD_CTX *srtp_sha1_ctx_t; -static inline void srtp_sha1_init (srtp_sha1_ctx_t *ctx) +static inline void srtp_sha1_init(srtp_sha1_ctx_t *ctx) { *ctx = EVP_MD_CTX_new(); EVP_DigestInit(*ctx, EVP_sha1()); } -static inline void srtp_sha1_update (srtp_sha1_ctx_t *ctx, const uint8_t *M, int octets_in_msg) +static inline void srtp_sha1_update(srtp_sha1_ctx_t *ctx, + const uint8_t *M, + int octets_in_msg) { EVP_DigestUpdate(*ctx, M, octets_in_msg); } -static inline void srtp_sha1_final (srtp_sha1_ctx_t *ctx, uint32_t *output) +static inline void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t *output) { unsigned int len = 0; - EVP_DigestFinal(*ctx, (unsigned char*)output, &len); + EVP_DigestFinal(*ctx, (unsigned char *)output, &len); EVP_MD_CTX_free(*ctx); } #endif @@ -137,7 +141,6 @@ typedef struct { uint32_t num_bits_in_msg; /* total number of bits in message */ } srtp_sha1_ctx_t; - /* * srtp_sha1_init(&ctx) initializes the SHA1 context ctx * @@ -150,9 +153,11 @@ typedef struct { */ void srtp_sha1_init(srtp_sha1_ctx_t *ctx); -void srtp_sha1_update(srtp_sha1_ctx_t *ctx, const uint8_t *M, int octets_in_msg); +void srtp_sha1_update(srtp_sha1_ctx_t *ctx, + const uint8_t *M, + int octets_in_msg); -void srtp_sha1_final(srtp_sha1_ctx_t * ctx, uint32_t output[5]); +void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t output[5]); /* * The srtp_sha1_core function is INTERNAL to SHA-1, but it is declared diff --git a/libs/srtp/crypto/include/stat.h b/libs/srtp/crypto/include/stat.h index e8cf3605a8..1894e041aa 100644 --- a/libs/srtp/crypto/include/stat.h +++ b/libs/srtp/crypto/include/stat.h @@ -1,6 +1,6 @@ /* * stats.h - * + * * interface to statistical test functions * * David A. McGrew @@ -8,26 +8,26 @@ */ /* - * + * * Copyright(c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -43,12 +43,11 @@ * */ - #ifndef STAT_H #define STAT_H -#include "datatypes.h" /* for uint8_t */ -#include "err.h" /* for srtp_err_status_t */ +#include "datatypes.h" /* for uint8_t */ +#include "err.h" /* for srtp_err_status_t */ #ifdef __cplusplus extern "C" { diff --git a/libs/srtp/crypto/kernel/alloc.c b/libs/srtp/crypto/kernel/alloc.c index cbd8877c87..dbe58266f4 100644 --- a/libs/srtp/crypto/kernel/alloc.c +++ b/libs/srtp/crypto/kernel/alloc.c @@ -1,32 +1,32 @@ /* * alloc.c * - * memory allocation and deallocation + * memory allocation and deallocation * * David A. McGrew * Cisco Systems, Inc. */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -43,7 +43,7 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "alloc.h" @@ -51,9 +51,9 @@ /* the debug module for memory allocation */ -srtp_debug_module_t mod_alloc = { - 0, /* debugging is off by default */ - "alloc" /* printable name for module */ +srtp_debug_module_t srtp_mod_alloc = { + 0, /* debugging is off by default */ + "alloc" /* printable name for module */ }; /* @@ -67,29 +67,35 @@ srtp_debug_module_t mod_alloc = { #if defined(HAVE_STDLIB_H) -void * srtp_crypto_alloc(size_t size) { - void *ptr; +void *srtp_crypto_alloc(size_t size) +{ + void *ptr; - ptr = malloc(size); - - if (ptr) { - debug_print(mod_alloc, "(location: %p) allocated", ptr); - } else { - debug_print(mod_alloc, "allocation failed (asked for %d bytes)\n", size); - } + if (!size) { + return NULL; + } - return ptr; -} + ptr = calloc(1, size); -void srtp_crypto_free(void *ptr) { + if (ptr) { + debug_print(srtp_mod_alloc, "(location: %p) allocated", ptr); + } else { + debug_print(srtp_mod_alloc, "allocation failed (asked for %d bytes)\n", + size); + } + + return ptr; +} - debug_print(mod_alloc, "(location: %p) freed", ptr); +void srtp_crypto_free(void *ptr) +{ + debug_print(srtp_mod_alloc, "(location: %p) freed", ptr); - free(ptr); + free(ptr); } -#else /* we need to define our own memory allocation routines */ +#else /* we need to define our own memory allocation routines */ -#error no memory allocation defined yet +#error no memory allocation defined yet #endif diff --git a/libs/srtp/crypto/kernel/crypto_kernel.c b/libs/srtp/crypto/kernel/crypto_kernel.c index 3caff0e123..ab4492e8a6 100644 --- a/libs/srtp/crypto/kernel/crypto_kernel.c +++ b/libs/srtp/crypto/kernel/crypto_kernel.c @@ -42,60 +42,22 @@ * */ - #ifdef HAVE_CONFIG_H - #include +#include #endif #include "alloc.h" #include "crypto_kernel.h" +#include "cipher_types.h" /* the debug module for the crypto_kernel */ srtp_debug_module_t srtp_mod_crypto_kernel = { - 0, /* debugging is off by default */ - "crypto kernel" /* printable name for module */ + 0, /* debugging is off by default */ + "crypto kernel" /* printable name for module */ }; -/* - * other generic debug modules that can be included in the kernel - */ - -extern srtp_debug_module_t srtp_mod_auth; -extern srtp_debug_module_t srtp_mod_cipher; -extern srtp_debug_module_t mod_stat; -extern srtp_debug_module_t mod_alloc; - -/* - * cipher types that can be included in the kernel - */ - -extern srtp_cipher_type_t srtp_null_cipher; -extern srtp_cipher_type_t srtp_aes_icm_128; -extern srtp_cipher_type_t srtp_aes_icm_256; -#ifdef OPENSSL -extern srtp_cipher_type_t srtp_aes_icm_192; -extern srtp_cipher_type_t srtp_aes_gcm_128_openssl; -extern srtp_cipher_type_t srtp_aes_gcm_256_openssl; -#endif - -/* debug modules for cipher types */ -extern srtp_debug_module_t srtp_mod_aes_icm; -#ifdef OPENSSL -extern srtp_debug_module_t srtp_mod_aes_gcm; -#endif - -/* - * auth func types that can be included in the kernel - */ - -extern srtp_auth_type_t srtp_null_auth; -extern srtp_auth_type_t srtp_hmac; - -/* debug modules for auth types */ -extern srtp_debug_module_t srtp_mod_hmac; - /* crypto_kernel is a global variable, the only one of its datatype */ srtp_crypto_kernel_t crypto_kernel = { @@ -107,13 +69,12 @@ srtp_crypto_kernel_t crypto_kernel = { #define MAX_RNG_TRIALS 25 -srtp_err_status_t srtp_crypto_kernel_init () +srtp_err_status_t srtp_crypto_kernel_init() { srtp_err_status_t status; /* check the security state */ if (crypto_kernel.state == srtp_crypto_kernel_state_secure) { - /* * we're already in the secure state, but we've been asked to * re-initialize, so we just re-run the self-tests and then return @@ -140,25 +101,28 @@ srtp_err_status_t srtp_crypto_kernel_init () if (status) { return status; } - status = srtp_crypto_kernel_load_debug_module(&mod_stat); + status = srtp_crypto_kernel_load_debug_module(&srtp_mod_stat); if (status) { return status; } - status = srtp_crypto_kernel_load_debug_module(&mod_alloc); + status = srtp_crypto_kernel_load_debug_module(&srtp_mod_alloc); if (status) { return status; } /* load cipher types */ - status = srtp_crypto_kernel_load_cipher_type(&srtp_null_cipher, SRTP_NULL_CIPHER); + status = srtp_crypto_kernel_load_cipher_type(&srtp_null_cipher, + SRTP_NULL_CIPHER); if (status) { return status; } - status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_icm_128, SRTP_AES_ICM_128); + status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_icm_128, + SRTP_AES_ICM_128); if (status) { return status; } - status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_icm_256, SRTP_AES_ICM_256); + status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_icm_256, + SRTP_AES_ICM_256); if (status) { return status; } @@ -167,15 +131,18 @@ srtp_err_status_t srtp_crypto_kernel_init () return status; } #ifdef OPENSSL - status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_icm_192, SRTP_AES_ICM_192); + status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_icm_192, + SRTP_AES_ICM_192); if (status) { return status; } - status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_gcm_128_openssl, SRTP_AES_GCM_128); + status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_gcm_128_openssl, + SRTP_AES_GCM_128); if (status) { return status; } - status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_gcm_256_openssl, SRTP_AES_GCM_256); + status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_gcm_256_openssl, + SRTP_AES_GCM_256); if (status) { return status; } @@ -205,19 +172,21 @@ srtp_err_status_t srtp_crypto_kernel_init () return srtp_err_status_ok; } -srtp_err_status_t srtp_crypto_kernel_status () +srtp_err_status_t srtp_crypto_kernel_status() { srtp_err_status_t status; - srtp_kernel_cipher_type_t *ctype = crypto_kernel.cipher_type_list; - srtp_kernel_auth_type_t *atype = crypto_kernel.auth_type_list; + srtp_kernel_cipher_type_t *ctype = crypto_kernel.cipher_type_list; + srtp_kernel_auth_type_t *atype = crypto_kernel.auth_type_list; /* for each cipher type, describe and test */ while (ctype != NULL) { - srtp_err_report(srtp_err_level_info, "cipher: %s\n", ctype->cipher_type->description); + srtp_err_report(srtp_err_level_info, "cipher: %s\n", + ctype->cipher_type->description); srtp_err_report(srtp_err_level_info, " self-test: "); status = srtp_cipher_type_self_test(ctype->cipher_type); if (status) { - srtp_err_report(srtp_err_level_error, "failed with error code %d\n", status); + srtp_err_report(srtp_err_level_error, "failed with error code %d\n", + status); exit(status); } srtp_err_report(srtp_err_level_info, "passed\n"); @@ -226,11 +195,13 @@ srtp_err_status_t srtp_crypto_kernel_status () /* for each auth type, describe and test */ while (atype != NULL) { - srtp_err_report(srtp_err_level_info, "auth func: %s\n", atype->auth_type->description); + srtp_err_report(srtp_err_level_info, "auth func: %s\n", + atype->auth_type->description); srtp_err_report(srtp_err_level_info, " self-test: "); status = srtp_auth_type_self_test(atype->auth_type); if (status) { - srtp_err_report(srtp_err_level_error, "failed with error code %d\n", status); + srtp_err_report(srtp_err_level_error, "failed with error code %d\n", + status); exit(status); } srtp_err_report(srtp_err_level_info, "passed\n"); @@ -242,7 +213,7 @@ srtp_err_status_t srtp_crypto_kernel_status () return srtp_err_status_ok; } -srtp_err_status_t srtp_crypto_kernel_list_debug_modules () +srtp_err_status_t srtp_crypto_kernel_list_debug_modules() { srtp_kernel_debug_module_t *dm = crypto_kernel.debug_module_list; @@ -252,7 +223,7 @@ srtp_err_status_t srtp_crypto_kernel_list_debug_modules () srtp_err_report(srtp_err_level_info, " %s ", dm->mod->name); if (dm->mod->on) { srtp_err_report(srtp_err_level_info, "(on)\n"); - } else{ + } else { srtp_err_report(srtp_err_level_info, "(off)\n"); } dm = dm->next; @@ -261,7 +232,7 @@ srtp_err_status_t srtp_crypto_kernel_list_debug_modules () return srtp_err_status_ok; } -srtp_err_status_t srtp_crypto_kernel_shutdown () +srtp_err_status_t srtp_crypto_kernel_shutdown() { /* * free dynamic memory used in crypto_kernel at present @@ -271,8 +242,7 @@ srtp_err_status_t srtp_crypto_kernel_shutdown () while (crypto_kernel.cipher_type_list != NULL) { srtp_kernel_cipher_type_t *ctype = crypto_kernel.cipher_type_list; crypto_kernel.cipher_type_list = ctype->next; - debug_print(srtp_mod_crypto_kernel, - "freeing memory for cipher %s", + debug_print(srtp_mod_crypto_kernel, "freeing memory for cipher %s", ctype->cipher_type->description); srtp_crypto_free(ctype); } @@ -292,8 +262,7 @@ srtp_err_status_t srtp_crypto_kernel_shutdown () srtp_kernel_debug_module_t *kdm = crypto_kernel.debug_module_list; crypto_kernel.debug_module_list = kdm->next; debug_print(srtp_mod_crypto_kernel, - "freeing memory for debug module %s", - kdm->mod->name); + "freeing memory for debug module %s", kdm->mod->name); srtp_crypto_free(kdm); } @@ -303,7 +272,10 @@ srtp_err_status_t srtp_crypto_kernel_shutdown () return srtp_err_status_ok; } -static inline srtp_err_status_t srtp_crypto_kernel_do_load_cipher_type (const srtp_cipher_type_t *new_ct, srtp_cipher_type_id_t id, int replace) +static inline srtp_err_status_t srtp_crypto_kernel_do_load_cipher_type( + const srtp_cipher_type_t *new_ct, + srtp_cipher_type_id_t id, + int replace) { srtp_kernel_cipher_type_t *ctype, *new_ctype; srtp_err_status_t status; @@ -330,13 +302,14 @@ static inline srtp_err_status_t srtp_crypto_kernel_do_load_cipher_type (const sr if (!replace) { return srtp_err_status_bad_param; } - status = srtp_cipher_type_test(new_ct, ctype->cipher_type->test_data); + status = + srtp_cipher_type_test(new_ct, ctype->cipher_type->test_data); if (status) { return status; } new_ctype = ctype; break; - }else if (new_ct == ctype->cipher_type) { + } else if (new_ct == ctype->cipher_type) { return srtp_err_status_bad_param; } ctype = ctype->next; @@ -345,7 +318,8 @@ static inline srtp_err_status_t srtp_crypto_kernel_do_load_cipher_type (const sr /* if not found, put new_ct at the head of the list */ if (ctype == NULL) { /* allocate memory */ - new_ctype = (srtp_kernel_cipher_type_t*)srtp_crypto_alloc(sizeof(srtp_kernel_cipher_type_t)); + new_ctype = (srtp_kernel_cipher_type_t *)srtp_crypto_alloc( + sizeof(srtp_kernel_cipher_type_t)); if (new_ctype == NULL) { return srtp_err_status_alloc_fail; } @@ -362,17 +336,23 @@ static inline srtp_err_status_t srtp_crypto_kernel_do_load_cipher_type (const sr return srtp_err_status_ok; } -srtp_err_status_t srtp_crypto_kernel_load_cipher_type (const srtp_cipher_type_t *new_ct, srtp_cipher_type_id_t id) +srtp_err_status_t srtp_crypto_kernel_load_cipher_type( + const srtp_cipher_type_t *new_ct, + srtp_cipher_type_id_t id) { return srtp_crypto_kernel_do_load_cipher_type(new_ct, id, 0); } -srtp_err_status_t srtp_replace_cipher_type (const srtp_cipher_type_t *new_ct, srtp_cipher_type_id_t id) +srtp_err_status_t srtp_replace_cipher_type(const srtp_cipher_type_t *new_ct, + srtp_cipher_type_id_t id) { return srtp_crypto_kernel_do_load_cipher_type(new_ct, id, 1); } -srtp_err_status_t srtp_crypto_kernel_do_load_auth_type (const srtp_auth_type_t *new_at, srtp_auth_type_id_t id, int replace) +srtp_err_status_t srtp_crypto_kernel_do_load_auth_type( + const srtp_auth_type_t *new_at, + srtp_auth_type_id_t id, + int replace) { srtp_kernel_auth_type_t *atype, *new_atype; srtp_err_status_t status; @@ -405,7 +385,7 @@ srtp_err_status_t srtp_crypto_kernel_do_load_auth_type (const srtp_auth_type_t * } new_atype = atype; break; - }else if (new_at == atype->auth_type) { + } else if (new_at == atype->auth_type) { return srtp_err_status_bad_param; } atype = atype->next; @@ -414,7 +394,8 @@ srtp_err_status_t srtp_crypto_kernel_do_load_auth_type (const srtp_auth_type_t * /* if not found, put new_at at the head of the list */ if (atype == NULL) { /* allocate memory */ - new_atype = (srtp_kernel_auth_type_t*)srtp_crypto_alloc(sizeof(srtp_kernel_auth_type_t)); + new_atype = (srtp_kernel_auth_type_t *)srtp_crypto_alloc( + sizeof(srtp_kernel_auth_type_t)); if (new_atype == NULL) { return srtp_err_status_alloc_fail; } @@ -429,21 +410,23 @@ srtp_err_status_t srtp_crypto_kernel_do_load_auth_type (const srtp_auth_type_t * new_atype->id = id; return srtp_err_status_ok; - } -srtp_err_status_t srtp_crypto_kernel_load_auth_type (const srtp_auth_type_t *new_at, srtp_auth_type_id_t id) +srtp_err_status_t srtp_crypto_kernel_load_auth_type( + const srtp_auth_type_t *new_at, + srtp_auth_type_id_t id) { return srtp_crypto_kernel_do_load_auth_type(new_at, id, 0); } -srtp_err_status_t srtp_replace_auth_type (const srtp_auth_type_t *new_at, srtp_auth_type_id_t id) +srtp_err_status_t srtp_replace_auth_type(const srtp_auth_type_t *new_at, + srtp_auth_type_id_t id) { return srtp_crypto_kernel_do_load_auth_type(new_at, id, 1); } - -const srtp_cipher_type_t * srtp_crypto_kernel_get_cipher_type (srtp_cipher_type_id_t id) +const srtp_cipher_type_t *srtp_crypto_kernel_get_cipher_type( + srtp_cipher_type_id_t id) { srtp_kernel_cipher_type_t *ctype; @@ -460,8 +443,10 @@ const srtp_cipher_type_t * srtp_crypto_kernel_get_cipher_type (srtp_cipher_type_ return NULL; } - -srtp_err_status_t srtp_crypto_kernel_alloc_cipher (srtp_cipher_type_id_t id, srtp_cipher_pointer_t *cp, int key_len, int tag_len) +srtp_err_status_t srtp_crypto_kernel_alloc_cipher(srtp_cipher_type_id_t id, + srtp_cipher_pointer_t *cp, + int key_len, + int tag_len) { const srtp_cipher_type_t *ct; @@ -481,9 +466,7 @@ srtp_err_status_t srtp_crypto_kernel_alloc_cipher (srtp_cipher_type_id_t id, srt return ((ct)->alloc(cp, key_len, tag_len)); } - - -const srtp_auth_type_t * srtp_crypto_kernel_get_auth_type (srtp_auth_type_id_t id) +const srtp_auth_type_t *srtp_crypto_kernel_get_auth_type(srtp_auth_type_id_t id) { srtp_kernel_auth_type_t *atype; @@ -500,7 +483,10 @@ const srtp_auth_type_t * srtp_crypto_kernel_get_auth_type (srtp_auth_type_id_t i return NULL; } -srtp_err_status_t srtp_crypto_kernel_alloc_auth (srtp_auth_type_id_t id, srtp_auth_pointer_t *ap, int key_len, int tag_len) +srtp_err_status_t srtp_crypto_kernel_alloc_auth(srtp_auth_type_id_t id, + srtp_auth_pointer_t *ap, + int key_len, + int tag_len) { const srtp_auth_type_t *at; @@ -520,12 +506,13 @@ srtp_err_status_t srtp_crypto_kernel_alloc_auth (srtp_auth_type_id_t id, srtp_au return ((at)->alloc(ap, key_len, tag_len)); } -srtp_err_status_t srtp_crypto_kernel_load_debug_module (srtp_debug_module_t *new_dm) +srtp_err_status_t srtp_crypto_kernel_load_debug_module( + srtp_debug_module_t *new_dm) { srtp_kernel_debug_module_t *kdm, *new; /* defensive coding */ - if (new_dm == NULL) { + if (new_dm == NULL || new_dm->name == NULL) { return srtp_err_status_bad_param; } @@ -540,7 +527,8 @@ srtp_err_status_t srtp_crypto_kernel_load_debug_module (srtp_debug_module_t *new /* put new_dm at the head of the list */ /* allocate memory */ - new = (srtp_kernel_debug_module_t*)srtp_crypto_alloc(sizeof(srtp_kernel_debug_module_t)); + new = (srtp_kernel_debug_module_t *)srtp_crypto_alloc( + sizeof(srtp_kernel_debug_module_t)); if (new == NULL) { return srtp_err_status_alloc_fail; } @@ -555,7 +543,7 @@ srtp_err_status_t srtp_crypto_kernel_load_debug_module (srtp_debug_module_t *new return srtp_err_status_ok; } -srtp_err_status_t srtp_crypto_kernel_set_debug_module (const char *name, int on) +srtp_err_status_t srtp_crypto_kernel_set_debug_module(const char *name, int on) { srtp_kernel_debug_module_t *kdm; diff --git a/libs/srtp/crypto/kernel/err.c b/libs/srtp/crypto/kernel/err.c index 9dcecbadd5..f443549e5a 100644 --- a/libs/srtp/crypto/kernel/err.c +++ b/libs/srtp/crypto/kernel/err.c @@ -43,7 +43,7 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "err.h" @@ -54,7 +54,7 @@ static FILE *srtp_err_file = NULL; -srtp_err_status_t srtp_err_reporting_init () +srtp_err_status_t srtp_err_reporting_init() { #ifdef ERR_REPORTING_STDOUT srtp_err_file = stdout; @@ -69,15 +69,16 @@ srtp_err_status_t srtp_err_reporting_init () return srtp_err_status_ok; } -static srtp_err_report_handler_func_t * srtp_err_report_handler = NULL; +static srtp_err_report_handler_func_t *srtp_err_report_handler = NULL; -srtp_err_status_t srtp_install_err_report_handler(srtp_err_report_handler_func_t func) +srtp_err_status_t srtp_install_err_report_handler( + srtp_err_report_handler_func_t func) { srtp_err_report_handler = func; return srtp_err_status_ok; } -void srtp_err_report (srtp_err_reporting_level_t level, const char *format, ...) +void srtp_err_report(srtp_err_reporting_level_t level, const char *format, ...) { va_list args; if (srtp_err_file != NULL) { @@ -91,12 +92,13 @@ void srtp_err_report (srtp_err_reporting_level_t level, const char *format, ...) if (vsnprintf(msg, sizeof(msg), format, args) > 0) { /* strip trailing \n, callback should not have one */ size_t l = strlen(msg); - if (l && msg[l-1] == '\n') { - msg[l-1] = '\0'; + if (l && msg[l - 1] == '\n') { + msg[l - 1] = '\0'; } srtp_err_report_handler(level, msg); /* - * NOTE, need to be carefull, there is a potential that octet_string_set_to_zero() could + * NOTE, need to be carefull, there is a potential that + * octet_string_set_to_zero() could * call srtp_err_report() in the future, leading to recursion */ octet_string_set_to_zero(msg, sizeof(msg)); diff --git a/libs/srtp/crypto/kernel/key.c b/libs/srtp/crypto/kernel/key.c index 1430f0df67..0466195046 100644 --- a/libs/srtp/crypto/kernel/key.c +++ b/libs/srtp/crypto/kernel/key.c @@ -43,14 +43,15 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "key.h" #define soft_limit 0x10000 -srtp_err_status_t srtp_key_limit_set (srtp_key_limit_t key, const srtp_xtd_seq_num_t s) +srtp_err_status_t srtp_key_limit_set(srtp_key_limit_t key, + const srtp_xtd_seq_num_t s) { #ifdef NO_64BIT_MATH if (high32(s) == 0 && low32(s) < soft_limit) { @@ -66,7 +67,8 @@ srtp_err_status_t srtp_key_limit_set (srtp_key_limit_t key, const srtp_xtd_seq_n return srtp_err_status_ok; } -srtp_err_status_t srtp_key_limit_clone (srtp_key_limit_t original, srtp_key_limit_t *new_key) +srtp_err_status_t srtp_key_limit_clone(srtp_key_limit_t original, + srtp_key_limit_t *new_key) { if (original == NULL) { return srtp_err_status_bad_param; @@ -75,7 +77,7 @@ srtp_err_status_t srtp_key_limit_clone (srtp_key_limit_t original, srtp_key_limi return srtp_err_status_ok; } -srtp_err_status_t srtp_key_limit_check (const srtp_key_limit_t key) +srtp_err_status_t srtp_key_limit_check(const srtp_key_limit_t key) { if (key->state == srtp_key_state_expired) { return srtp_err_status_key_expired; @@ -83,13 +85,14 @@ srtp_err_status_t srtp_key_limit_check (const srtp_key_limit_t key) return srtp_err_status_ok; } -srtp_key_event_t srtp_key_limit_update (srtp_key_limit_t key) +srtp_key_event_t srtp_key_limit_update(srtp_key_limit_t key) { #ifdef NO_64BIT_MATH if (low32(key->num_left) == 0) { // carry - key->num_left = make64(high32(key->num_left) - 1, low32(key->num_left) - 1); - }else { + key->num_left = + make64(high32(key->num_left) - 1, low32(key->num_left) - 1); + } else { // no carry key->num_left = make64(high32(key->num_left), low32(key->num_left) - 1); } @@ -111,10 +114,9 @@ srtp_key_event_t srtp_key_limit_update (srtp_key_limit_t key) #else if (key->num_left < 1) #endif - { /* we just hit the hard limit */ + { /* we just hit the hard limit */ key->state = srtp_key_state_expired; return srtp_key_event_hard_limit; } return srtp_key_event_soft_limit; } - diff --git a/libs/srtp/crypto/math/datatypes.c b/libs/srtp/crypto/math/datatypes.c index bb4b56e307..c0dfece659 100644 --- a/libs/srtp/crypto/math/datatypes.c +++ b/libs/srtp/crypto/math/datatypes.c @@ -8,26 +8,26 @@ * Cisco Systems, Inc. */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -44,7 +44,7 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #ifdef OPENSSL @@ -53,48 +53,24 @@ #include "datatypes.h" -int -octet_weight[256] = { - 0, 1, 1, 2, 1, 2, 2, 3, - 1, 2, 2, 3, 2, 3, 3, 4, - 1, 2, 2, 3, 2, 3, 3, 4, - 2, 3, 3, 4, 3, 4, 4, 5, - 1, 2, 2, 3, 2, 3, 3, 4, - 2, 3, 3, 4, 3, 4, 4, 5, - 2, 3, 3, 4, 3, 4, 4, 5, - 3, 4, 4, 5, 4, 5, 5, 6, - 1, 2, 2, 3, 2, 3, 3, 4, - 2, 3, 3, 4, 3, 4, 4, 5, - 2, 3, 3, 4, 3, 4, 4, 5, - 3, 4, 4, 5, 4, 5, 5, 6, - 2, 3, 3, 4, 3, 4, 4, 5, - 3, 4, 4, 5, 4, 5, 5, 6, - 3, 4, 4, 5, 4, 5, 5, 6, - 4, 5, 5, 6, 5, 6, 6, 7, - 1, 2, 2, 3, 2, 3, 3, 4, - 2, 3, 3, 4, 3, 4, 4, 5, - 2, 3, 3, 4, 3, 4, 4, 5, - 3, 4, 4, 5, 4, 5, 5, 6, - 2, 3, 3, 4, 3, 4, 4, 5, - 3, 4, 4, 5, 4, 5, 5, 6, - 3, 4, 4, 5, 4, 5, 5, 6, - 4, 5, 5, 6, 5, 6, 6, 7, - 2, 3, 3, 4, 3, 4, 4, 5, - 3, 4, 4, 5, 4, 5, 5, 6, - 3, 4, 4, 5, 4, 5, 5, 6, - 4, 5, 5, 6, 5, 6, 6, 7, - 3, 4, 4, 5, 4, 5, 5, 6, - 4, 5, 5, 6, 5, 6, 6, 7, - 4, 5, 5, 6, 5, 6, 6, 7, - 5, 6, 6, 7, 6, 7, 7, 8 +static const int8_t octet_weight[256] = { + 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4, 1, 2, 2, 3, 2, 3, 3, 4, + 2, 3, 3, 4, 3, 4, 4, 5, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, + 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 1, 2, 2, 3, 2, 3, 3, 4, + 2, 3, 3, 4, 3, 4, 4, 5, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, + 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, + 4, 5, 5, 6, 5, 6, 6, 7, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, + 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 2, 3, 3, 4, 3, 4, 4, 5, + 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, + 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, + 4, 5, 5, 6, 5, 6, 6, 7, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, + 4, 5, 5, 6, 5, 6, 6, 7, 5, 6, 6, 7, 6, 7, 7, 8 }; -int -octet_get_weight(uint8_t octet) { - extern int octet_weight[256]; - - return octet_weight[octet]; -} +int octet_get_weight(uint8_t octet) +{ + return (int)octet_weight[octet]; +} /* * bit_string is a buffer that is used to hold output strings, e.g. @@ -105,414 +81,410 @@ octet_get_weight(uint8_t octet) { char bit_string[MAX_PRINT_STRING_LEN]; -uint8_t -srtp_nibble_to_hex_char(uint8_t nibble) { - char buf[16] = {'0', '1', '2', '3', '4', '5', '6', '7', - '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; - return buf[nibble & 0xF]; -} - -char * srtp_octet_string_hex_string(const void *s, int length) { - const uint8_t *str = (const uint8_t *)s; - int i; - - /* double length, since one octet takes two hex characters */ - length *= 2; - - /* truncate string if it would be too long */ - if (length > MAX_PRINT_STRING_LEN) - length = MAX_PRINT_STRING_LEN-2; - - for (i=0; i < length; i+=2) { - bit_string[i] = srtp_nibble_to_hex_char(*str >> 4); - bit_string[i+1] = srtp_nibble_to_hex_char(*str++ & 0xF); - } - bit_string[i] = 0; /* null terminate string */ - return bit_string; -} - -char * -v128_hex_string(v128_t *x) { - int i, j; - - for (i=j=0; i < 16; i++) { - bit_string[j++] = srtp_nibble_to_hex_char(x->v8[i] >> 4); - bit_string[j++] = srtp_nibble_to_hex_char(x->v8[i] & 0xF); - } - - bit_string[j] = 0; /* null terminate string */ - return bit_string; -} - -char * -v128_bit_string(v128_t *x) { - int j, i; - uint32_t mask; - - for (j=i=0; j < 4; j++) { - for (mask=0x80000000; mask > 0; mask >>= 1) { - if (x->v32[j] & mask) - bit_string[i] = '1'; - else - bit_string[i] = '0'; - ++i; +uint8_t srtp_nibble_to_hex_char(uint8_t nibble) +{ + char buf[16] = { '0', '1', '2', '3', '4', '5', '6', '7', + '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; + return buf[nibble & 0xF]; +} + +char *srtp_octet_string_hex_string(const void *s, int length) +{ + const uint8_t *str = (const uint8_t *)s; + int i; + + /* double length, since one octet takes two hex characters */ + length *= 2; + + /* truncate string if it would be too long */ + if (length > MAX_PRINT_STRING_LEN) + length = MAX_PRINT_STRING_LEN - 2; + + for (i = 0; i < length; i += 2) { + bit_string[i] = srtp_nibble_to_hex_char(*str >> 4); + bit_string[i + 1] = srtp_nibble_to_hex_char(*str++ & 0xF); + } + bit_string[i] = 0; /* null terminate string */ + return bit_string; +} + +char *v128_hex_string(v128_t *x) +{ + int i, j; + + for (i = j = 0; i < 16; i++) { + bit_string[j++] = srtp_nibble_to_hex_char(x->v8[i] >> 4); + bit_string[j++] = srtp_nibble_to_hex_char(x->v8[i] & 0xF); } - } - bit_string[128] = 0; /* null terminate string */ - return bit_string; + bit_string[j] = 0; /* null terminate string */ + return bit_string; } -void -v128_copy_octet_string(v128_t *x, const uint8_t s[16]) { +char *v128_bit_string(v128_t *x) +{ + int j, i; + uint32_t mask; + + for (j = i = 0; j < 4; j++) { + for (mask = 0x80000000; mask > 0; mask >>= 1) { + if (x->v32[j] & mask) + bit_string[i] = '1'; + else + bit_string[i] = '0'; + ++i; + } + } + bit_string[128] = 0; /* null terminate string */ + + return bit_string; +} + +void v128_copy_octet_string(v128_t *x, const uint8_t s[16]) +{ #ifdef ALIGNMENT_32BIT_REQUIRED - if ((((uint32_t) &s[0]) & 0x3) != 0) + if ((((uint32_t)&s[0]) & 0x3) != 0) #endif - { - x->v8[0] = s[0]; - x->v8[1] = s[1]; - x->v8[2] = s[2]; - x->v8[3] = s[3]; - x->v8[4] = s[4]; - x->v8[5] = s[5]; - x->v8[6] = s[6]; - x->v8[7] = s[7]; - x->v8[8] = s[8]; - x->v8[9] = s[9]; - x->v8[10] = s[10]; - x->v8[11] = s[11]; - x->v8[12] = s[12]; - x->v8[13] = s[13]; - x->v8[14] = s[14]; - x->v8[15] = s[15]; - } + { + x->v8[0] = s[0]; + x->v8[1] = s[1]; + x->v8[2] = s[2]; + x->v8[3] = s[3]; + x->v8[4] = s[4]; + x->v8[5] = s[5]; + x->v8[6] = s[6]; + x->v8[7] = s[7]; + x->v8[8] = s[8]; + x->v8[9] = s[9]; + x->v8[10] = s[10]; + x->v8[11] = s[11]; + x->v8[12] = s[12]; + x->v8[13] = s[13]; + x->v8[14] = s[14]; + x->v8[15] = s[15]; + } #ifdef ALIGNMENT_32BIT_REQUIRED - else - { - v128_t *v = (v128_t *) &s[0]; + else { + v128_t *v = (v128_t *)&s[0]; - v128_copy(x,v); - } + v128_copy(x, v); + } #endif } #ifndef DATATYPES_USE_MACROS /* little functions are not macros */ -void -v128_set_to_zero(v128_t *x) { - _v128_set_to_zero(x); +void v128_set_to_zero(v128_t *x) +{ + _v128_set_to_zero(x); } -void -v128_copy(v128_t *x, const v128_t *y) { - _v128_copy(x, y); +void v128_copy(v128_t *x, const v128_t *y) +{ + _v128_copy(x, y); } -void -v128_xor(v128_t *z, v128_t *x, v128_t *y) { - _v128_xor(z, x, y); -} - -void -v128_and(v128_t *z, v128_t *x, v128_t *y) { - _v128_and(z, x, y); +void v128_xor(v128_t *z, v128_t *x, v128_t *y) +{ + _v128_xor(z, x, y); } -void -v128_or(v128_t *z, v128_t *x, v128_t *y) { - _v128_or(z, x, y); +void v128_and(v128_t *z, v128_t *x, v128_t *y) +{ + _v128_and(z, x, y); } -void -v128_complement(v128_t *x) { - _v128_complement(x); +void v128_or(v128_t *z, v128_t *x, v128_t *y) +{ + _v128_or(z, x, y); } -int -v128_is_eq(const v128_t *x, const v128_t *y) { - return _v128_is_eq(x, y); +void v128_complement(v128_t *x) +{ + _v128_complement(x); } -int -v128_xor_eq(v128_t *x, const v128_t *y) { - return _v128_xor_eq(x, y); +int v128_is_eq(const v128_t *x, const v128_t *y) +{ + return _v128_is_eq(x, y); } -int -v128_get_bit(const v128_t *x, int i) { - return _v128_get_bit(x, i); +int v128_xor_eq(v128_t *x, const v128_t *y) +{ + return _v128_xor_eq(x, y); } -void -v128_set_bit(v128_t *x, int i) { - _v128_set_bit(x, i); -} +int v128_get_bit(const v128_t *x, int i) +{ + return _v128_get_bit(x, i); +} -void -v128_clear_bit(v128_t *x, int i){ - _v128_clear_bit(x, i); -} +void v128_set_bit(v128_t *x, int i) +{ + _v128_set_bit(x, i); +} -void -v128_set_bit_to(v128_t *x, int i, int y){ - _v128_set_bit_to(x, i, y); +void v128_clear_bit(v128_t *x, int i) +{ + _v128_clear_bit(x, i); } +void v128_set_bit_to(v128_t *x, int i, int y) +{ + _v128_set_bit_to(x, i, y); +} #endif /* DATATYPES_USE_MACROS */ -void -v128_right_shift(v128_t *x, int shift) { - const int base_index = shift >> 5; - const int bit_index = shift & 31; - int i, from; - uint32_t b; - - if (shift > 127) { - v128_set_to_zero(x); - return; - } - - if (bit_index == 0) { - - /* copy each word from left size to right side */ - x->v32[4-1] = x->v32[4-1-base_index]; - for (i=4-1; i > base_index; i--) - x->v32[i-1] = x->v32[i-1-base_index]; - - } else { - - /* set each word to the "or" of the two bit-shifted words */ - for (i = 4; i > base_index; i--) { - from = i-1 - base_index; - b = x->v32[from] << bit_index; - if (from > 0) - b |= x->v32[from-1] >> (32-bit_index); - x->v32[i-1] = b; +void v128_right_shift(v128_t *x, int shift) +{ + const int base_index = shift >> 5; + const int bit_index = shift & 31; + int i, from; + uint32_t b; + + if (shift > 127) { + v128_set_to_zero(x); + return; + } + + if (bit_index == 0) { + /* copy each word from left size to right side */ + x->v32[4 - 1] = x->v32[4 - 1 - base_index]; + for (i = 4 - 1; i > base_index; i--) + x->v32[i - 1] = x->v32[i - 1 - base_index]; + + } else { + /* set each word to the "or" of the two bit-shifted words */ + for (i = 4; i > base_index; i--) { + from = i - 1 - base_index; + b = x->v32[from] << bit_index; + if (from > 0) + b |= x->v32[from - 1] >> (32 - bit_index); + x->v32[i - 1] = b; + } + } + + /* now wrap up the final portion */ + for (i = 0; i < base_index; i++) + x->v32[i] = 0; +} + +void v128_left_shift(v128_t *x, int shift) +{ + int i; + const int base_index = shift >> 5; + const int bit_index = shift & 31; + + if (shift > 127) { + v128_set_to_zero(x); + return; + } + + if (bit_index == 0) { + for (i = 0; i < 4 - base_index; i++) + x->v32[i] = x->v32[i + base_index]; + } else { + for (i = 0; i < 4 - base_index - 1; i++) + x->v32[i] = (x->v32[i + base_index] >> bit_index) ^ + (x->v32[i + base_index + 1] << (32 - bit_index)); + x->v32[4 - base_index - 1] = x->v32[4 - 1] >> bit_index; } - - } - - /* now wrap up the final portion */ - for (i=0; i < base_index; i++) - x->v32[i] = 0; - -} - -void -v128_left_shift(v128_t *x, int shift) { - int i; - const int base_index = shift >> 5; - const int bit_index = shift & 31; - - if (shift > 127) { - v128_set_to_zero(x); - return; - } - - if (bit_index == 0) { - for (i=0; i < 4 - base_index; i++) - x->v32[i] = x->v32[i+base_index]; - } else { - for (i=0; i < 4 - base_index - 1; i++) - x->v32[i] = (x->v32[i+base_index] >> bit_index) ^ - (x->v32[i+base_index+1] << (32 - bit_index)); - x->v32[4 - base_index-1] = x->v32[4-1] >> bit_index; - } - - /* now wrap up the final portion */ - for (i = 4 - base_index; i < 4; i++) - x->v32[i] = 0; + /* now wrap up the final portion */ + for (i = 4 - base_index; i < 4; i++) + x->v32[i] = 0; } /* functions manipulating bitvector_t */ #ifndef DATATYPES_USE_MACROS /* little functions are not macros */ -int -bitvector_get_bit(const bitvector_t *v, int bit_index) +int bitvector_get_bit(const bitvector_t *v, int bit_index) { - return _bitvector_get_bit(v, bit_index); + return _bitvector_get_bit(v, bit_index); } -void -bitvector_set_bit(bitvector_t *v, int bit_index) +void bitvector_set_bit(bitvector_t *v, int bit_index) { - _bitvector_set_bit(v, bit_index); + _bitvector_set_bit(v, bit_index); } -void -bitvector_clear_bit(bitvector_t *v, int bit_index) +void bitvector_clear_bit(bitvector_t *v, int bit_index) { - _bitvector_clear_bit(v, bit_index); + _bitvector_clear_bit(v, bit_index); } - #endif /* DATATYPES_USE_MACROS */ -int -bitvector_alloc(bitvector_t *v, unsigned long length) { - unsigned long l; - - /* Round length up to a multiple of bits_per_word */ - length = (length + bits_per_word - 1) & ~(unsigned long)((bits_per_word - 1)); - - l = length / bits_per_word * bytes_per_word; - - /* allocate memory, then set parameters */ - if (l == 0) - v->word = NULL; - else { - v->word = (uint32_t*)srtp_crypto_alloc(l); - if (v->word == NULL) { - v->word = NULL; - v->length = 0; - return -1; +int bitvector_alloc(bitvector_t *v, unsigned long length) +{ + unsigned long l; + + /* Round length up to a multiple of bits_per_word */ + length = + (length + bits_per_word - 1) & ~(unsigned long)((bits_per_word - 1)); + + l = length / bits_per_word * bytes_per_word; + + /* allocate memory, then set parameters */ + if (l == 0) { + v->word = NULL; + v->length = 0; + return -1; + } else { + v->word = (uint32_t *)srtp_crypto_alloc(l); + if (v->word == NULL) { + v->length = 0; + return -1; + } } - } - v->length = length; + v->length = length; - /* initialize bitvector to zero */ - bitvector_set_to_zero(v); + /* initialize bitvector to zero */ + bitvector_set_to_zero(v); - return 0; + return 0; } - -void -bitvector_dealloc(bitvector_t *v) { - if (v->word != NULL) - srtp_crypto_free(v->word); - v->word = NULL; - v->length = 0; +void bitvector_dealloc(bitvector_t *v) +{ + if (v->word != NULL) + srtp_crypto_free(v->word); + v->word = NULL; + v->length = 0; } -void -bitvector_set_to_zero(bitvector_t *x) +void bitvector_set_to_zero(bitvector_t *x) { - /* C99 guarantees that memset(0) will set the value 0 for uint32_t */ - memset(x->word, 0, x->length >> 3); + /* C99 guarantees that memset(0) will set the value 0 for uint32_t */ + memset(x->word, 0, x->length >> 3); } -char * -bitvector_bit_string(bitvector_t *x, char* buf, int len) { - int j, i; - uint32_t mask; - - for (j=i=0; j < (int)(x->length>>5) && i < len-1; j++) { - for (mask=0x80000000; mask > 0; mask >>= 1) { - if (x->word[j] & mask) - buf[i] = '1'; - else - buf[i] = '0'; - ++i; - if (i >= len-1) - break; +char *bitvector_bit_string(bitvector_t *x, char *buf, int len) +{ + int j, i; + uint32_t mask; + + for (j = i = 0; j < (int)(x->length >> 5) && i < len - 1; j++) { + for (mask = 0x80000000; mask > 0; mask >>= 1) { + if (x->word[j] & mask) + buf[i] = '1'; + else + buf[i] = '0'; + ++i; + if (i >= len - 1) + break; + } } - } - buf[i] = 0; /* null terminate string */ + buf[i] = 0; /* null terminate string */ - return buf; + return buf; } -void -bitvector_left_shift(bitvector_t *x, int shift) { - int i; - const int base_index = shift >> 5; - const int bit_index = shift & 31; - const int word_length = x->length >> 5; - - if (shift >= (int)x->length) { - bitvector_set_to_zero(x); - return; - } - - if (bit_index == 0) { - for (i=0; i < word_length - base_index; i++) - x->word[i] = x->word[i+base_index]; - } else { - for (i=0; i < word_length - base_index - 1; i++) - x->word[i] = (x->word[i+base_index] >> bit_index) ^ - (x->word[i+base_index+1] << (32 - bit_index)); - x->word[word_length - base_index-1] = x->word[word_length-1] >> bit_index; - } +void bitvector_left_shift(bitvector_t *x, int shift) +{ + int i; + const int base_index = shift >> 5; + const int bit_index = shift & 31; + const int word_length = x->length >> 5; + + if (shift >= (int)x->length) { + bitvector_set_to_zero(x); + return; + } - /* now wrap up the final portion */ - for (i = word_length - base_index; i < word_length; i++) - x->word[i] = 0; + if (bit_index == 0) { + for (i = 0; i < word_length - base_index; i++) + x->word[i] = x->word[i + base_index]; + } else { + for (i = 0; i < word_length - base_index - 1; i++) + x->word[i] = (x->word[i + base_index] >> bit_index) ^ + (x->word[i + base_index + 1] << (32 - bit_index)); + x->word[word_length - base_index - 1] = + x->word[word_length - 1] >> bit_index; + } + /* now wrap up the final portion */ + for (i = word_length - base_index; i < word_length; i++) + x->word[i] = 0; } -int -octet_string_is_eq(uint8_t *a, uint8_t *b, int len) { - uint8_t *end = b + len; - uint8_t accumulator = 0; - - /* - * We use this somewhat obscure implementation to try to ensure the running - * time only depends on len, even accounting for compiler optimizations. - * The accumulator ends up zero iff the strings are equal. - */ - while (b < end) - accumulator |= (*a++ ^ *b++); - - /* Return 1 if *not* equal. */ - return accumulator != 0; +int octet_string_is_eq(uint8_t *a, uint8_t *b, int len) +{ + uint8_t *end = b + len; + uint8_t accumulator = 0; + + /* + * We use this somewhat obscure implementation to try to ensure the running + * time only depends on len, even accounting for compiler optimizations. + * The accumulator ends up zero iff the strings are equal. + */ + while (b < end) + accumulator |= (*a++ ^ *b++); + + /* Return 1 if *not* equal. */ + return accumulator != 0; } -void -srtp_cleanse(void *s, size_t len) +void srtp_cleanse(void *s, size_t len) { - volatile unsigned char *p = (volatile unsigned char *)s; - while(len--) *p++ = 0; + volatile unsigned char *p = (volatile unsigned char *)s; + while (len--) + *p++ = 0; } -void -octet_string_set_to_zero(void *s, size_t len) +void octet_string_set_to_zero(void *s, size_t len) { #ifdef OPENSSL - OPENSSL_cleanse(s, len); + OPENSSL_cleanse(s, len); #else - srtp_cleanse(s, len); + srtp_cleanse(s, len); #endif } #ifdef TESTAPP_SOURCE static const char b64chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" - "abcdefghijklmnopqrstuvwxyz0123456789+/"; - -static int base64_block_to_octet_triple(char *out, char *in) { - unsigned char sextets[4] = {0}; - int j = 0; - int i; - - for (i = 0; i < 4; i++) { - char *p = strchr(b64chars, in[i]); - if (p != NULL) sextets[i] = p - b64chars; - else j++; - } - - out[0] = (sextets[0]<<2)|(sextets[1]>>4); - if (j < 2) out[1] = (sextets[1]<<4)|(sextets[2]>>2); - if (j < 1) out[2] = (sextets[2]<<6)|sextets[3]; - return j; -} - -int base64_string_to_octet_string(char *out, int *pad, char *in, int len) { - int k = 0; - int i = 0; - int j = 0; - if (len % 4 != 0) return 0; - - while (i < len && j == 0) { - j = base64_block_to_octet_triple(out + k, in + i); - k += 3; - i += 4; - } - *pad = j; - return i; + "abcdefghijklmnopqrstuvwxyz0123456789+/"; + +static int base64_block_to_octet_triple(char *out, char *in) +{ + unsigned char sextets[4] = { 0 }; + int j = 0; + int i; + + for (i = 0; i < 4; i++) { + char *p = strchr(b64chars, in[i]); + if (p != NULL) + sextets[i] = p - b64chars; + else + j++; + } + + out[0] = (sextets[0] << 2) | (sextets[1] >> 4); + if (j < 2) + out[1] = (sextets[1] << 4) | (sextets[2] >> 2); + if (j < 1) + out[2] = (sextets[2] << 6) | sextets[3]; + return j; +} + +int base64_string_to_octet_string(char *out, int *pad, char *in, int len) +{ + int k = 0; + int i = 0; + int j = 0; + if (len % 4 != 0) + return 0; + + while (i < len && j == 0) { + j = base64_block_to_octet_triple(out + k, in + i); + k += 3; + i += 4; + } + *pad = j; + return i; } #endif diff --git a/libs/srtp/crypto/math/stat.c b/libs/srtp/crypto/math/stat.c index 0b4aec3764..6dd332b0cf 100644 --- a/libs/srtp/crypto/math/stat.c +++ b/libs/srtp/crypto/math/stat.c @@ -1,33 +1,33 @@ /* * stats.c * - * statistical tests - * + * statistical tests + * * David A. McGrew * Cisco Systems, Inc. */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -44,14 +44,14 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "stat.h" -srtp_debug_module_t mod_stat = { - 0, /* debugging is off by default */ - (char *)"stat test" /* printable module name */ +srtp_debug_module_t srtp_mod_stat = { + 0, /* debugging is off by default */ + (char *)"stat test" /* printable module name */ }; /* @@ -61,166 +61,153 @@ srtp_debug_module_t mod_stat = { #define STAT_TEST_DATA_LEN 2500 -srtp_err_status_t -stat_test_monobit(uint8_t *data) { - uint8_t *data_end = data + STAT_TEST_DATA_LEN; - uint16_t ones_count; +srtp_err_status_t stat_test_monobit(uint8_t *data) +{ + uint8_t *data_end = data + STAT_TEST_DATA_LEN; + uint16_t ones_count; - ones_count = 0; - while (data < data_end) { - ones_count += octet_get_weight(*data); - data++; - } + ones_count = 0; + while (data < data_end) { + ones_count += octet_get_weight(*data); + data++; + } - debug_print(mod_stat, "bit count: %d", ones_count); - - if ((ones_count < 9725) || (ones_count > 10275)) - return srtp_err_status_algo_fail; + debug_print(srtp_mod_stat, "bit count: %d", ones_count); - return srtp_err_status_ok; -} + if ((ones_count < 9725) || (ones_count > 10275)) + return srtp_err_status_algo_fail; -srtp_err_status_t -stat_test_poker(uint8_t *data) { - int i; - uint8_t *data_end = data + STAT_TEST_DATA_LEN; - double poker; - uint16_t f[16] = { - 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0 - }; - - while (data < data_end) { - f[*data & 0x0f]++; /* increment freq. count for low nibble */ - f[(*data) >> 4]++; /* increment freq. count for high nibble */ - data++; - } - - poker = 0.0; - for (i=0; i < 16; i++) - poker += (double) f[i] * f[i]; - - poker *= (16.0 / 5000.0); - poker -= 5000.0; - - debug_print(mod_stat, "poker test: %f\n", poker); - - if ((poker < 2.16) || (poker > 46.17)) - return srtp_err_status_algo_fail; - - return srtp_err_status_ok; + return srtp_err_status_ok; } +srtp_err_status_t stat_test_poker(uint8_t *data) +{ + int i; + uint8_t *data_end = data + STAT_TEST_DATA_LEN; + double poker; + uint16_t f[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; + + while (data < data_end) { + f[*data & 0x0f]++; /* increment freq. count for low nibble */ + f[(*data) >> 4]++; /* increment freq. count for high nibble */ + data++; + } + + poker = 0.0; + for (i = 0; i < 16; i++) + poker += (double)f[i] * f[i]; + + poker *= (16.0 / 5000.0); + poker -= 5000.0; + + debug_print(srtp_mod_stat, "poker test: %f\n", poker); + + if ((poker < 2.16) || (poker > 46.17)) + return srtp_err_status_algo_fail; + + return srtp_err_status_ok; +} /* * runs[i] holds the number of runs of size (i-1) */ -srtp_err_status_t -stat_test_runs(uint8_t *data) { - uint8_t *data_end = data + STAT_TEST_DATA_LEN; - uint16_t runs[6] = { 0, 0, 0, 0, 0, 0 }; - uint16_t gaps[6] = { 0, 0, 0, 0, 0, 0 }; - uint16_t lo_value[6] = { 2315, 1114, 527, 240, 103, 103 }; - uint16_t hi_value[6] = { 2685, 1386, 723, 384, 209, 209 }; - int state = 0; - uint16_t mask; - int i; - - /* - * the state variable holds the number of bits in the - * current run (or gap, if negative) - */ - - while (data < data_end) { - - /* loop over the bits of this byte */ - for (mask = 1; mask < 256; mask <<= 1) { - if (*data & mask) { - - /* next bit is a one */ - if (state > 0) { - - /* prefix is a run, so increment the run-count */ - state++; - - /* check for long runs */ - if (state > 25) { - debug_print(mod_stat, ">25 runs: %d", state); - return srtp_err_status_algo_fail; - } - - } else if (state < 0) { - - /* prefix is a gap */ - if (state < -25) { - debug_print(mod_stat, ">25 gaps: %d", state); - return srtp_err_status_algo_fail; /* long-runs test failed */ - } - if (state < -6) { - state = -6; /* group together gaps > 5 */ - } - gaps[-1-state]++; /* increment gap count */ - state = 1; /* set state at one set bit */ - } else { - - /* state is zero; this happens only at initialization */ - state = 1; - } - } else { - - /* next bit is a zero */ - if (state > 0) { - - /* prefix is a run */ - if (state > 25) { - debug_print(mod_stat, ">25 runs (2): %d", state); - return srtp_err_status_algo_fail; /* long-runs test failed */ - } - if (state > 6) { - state = 6; /* group together runs > 5 */ - } - runs[state-1]++; /* increment run count */ - state = -1; /* set state at one zero bit */ - } else if (state < 0) { - - /* prefix is a gap, so increment gap-count (decrement state) */ - state--; - - /* check for long gaps */ - if (state < -25) { - debug_print(mod_stat, ">25 gaps (2): %d", state); - return srtp_err_status_algo_fail; - } - - } else { - - /* state is zero; this happens only at initialization */ - state = -1; - } - } +srtp_err_status_t stat_test_runs(uint8_t *data) +{ + uint8_t *data_end = data + STAT_TEST_DATA_LEN; + uint16_t runs[6] = { 0, 0, 0, 0, 0, 0 }; + uint16_t gaps[6] = { 0, 0, 0, 0, 0, 0 }; + uint16_t lo_value[6] = { 2315, 1114, 527, 240, 103, 103 }; + uint16_t hi_value[6] = { 2685, 1386, 723, 384, 209, 209 }; + int state = 0; + uint16_t mask; + int i; + + /* + * the state variable holds the number of bits in the + * current run (or gap, if negative) + */ + + while (data < data_end) { + /* loop over the bits of this byte */ + for (mask = 1; mask < 256; mask <<= 1) { + if (*data & mask) { + /* next bit is a one */ + if (state > 0) { + /* prefix is a run, so increment the run-count */ + state++; + + /* check for long runs */ + if (state > 25) { + debug_print(srtp_mod_stat, ">25 runs: %d", state); + return srtp_err_status_algo_fail; + } + + } else if (state < 0) { + /* prefix is a gap */ + if (state < -25) { + debug_print(srtp_mod_stat, ">25 gaps: %d", state); + return srtp_err_status_algo_fail; /* long-runs test + failed */ + } + if (state < -6) { + state = -6; /* group together gaps > 5 */ + } + gaps[-1 - state]++; /* increment gap count */ + state = 1; /* set state at one set bit */ + } else { + /* state is zero; this happens only at initialization */ + state = 1; + } + } else { + /* next bit is a zero */ + if (state > 0) { + /* prefix is a run */ + if (state > 25) { + debug_print(srtp_mod_stat, ">25 runs (2): %d", state); + return srtp_err_status_algo_fail; /* long-runs test + failed */ + } + if (state > 6) { + state = 6; /* group together runs > 5 */ + } + runs[state - 1]++; /* increment run count */ + state = -1; /* set state at one zero bit */ + } else if (state < 0) { + /* prefix is a gap, so increment gap-count (decrement state) + */ + state--; + + /* check for long gaps */ + if (state < -25) { + debug_print(srtp_mod_stat, ">25 gaps (2): %d", state); + return srtp_err_status_algo_fail; + } + + } else { + /* state is zero; this happens only at initialization */ + state = -1; + } + } + } + + /* move along to next octet */ + data++; } - /* move along to next octet */ - data++; - } - - if (mod_stat.on) { - debug_print(mod_stat, "runs test", NULL); - for (i=0; i < 6; i++) - debug_print(mod_stat, " runs[]: %d", runs[i]); - for (i=0; i < 6; i++) - debug_print(mod_stat, " gaps[]: %d", gaps[i]); - } - - /* check run and gap counts against the fixed limits */ - for (i=0; i < 6; i++) - if ( (runs[i] < lo_value[i] ) || (runs[i] > hi_value[i]) - || (gaps[i] < lo_value[i] ) || (gaps[i] > hi_value[i])) - return srtp_err_status_algo_fail; - - - return srtp_err_status_ok; -} + if (srtp_mod_stat.on) { + debug_print(srtp_mod_stat, "runs test", NULL); + for (i = 0; i < 6; i++) + debug_print(srtp_mod_stat, " runs[]: %d", runs[i]); + for (i = 0; i < 6; i++) + debug_print(srtp_mod_stat, " gaps[]: %d", gaps[i]); + } + /* check run and gap counts against the fixed limits */ + for (i = 0; i < 6; i++) + if ((runs[i] < lo_value[i]) || (runs[i] > hi_value[i]) || + (gaps[i] < lo_value[i]) || (gaps[i] > hi_value[i])) + return srtp_err_status_algo_fail; + return srtp_err_status_ok; +} diff --git a/libs/srtp/crypto/replay/rdb.c b/libs/srtp/crypto/replay/rdb.c index 3741367f68..ab1c7b55b6 100644 --- a/libs/srtp/crypto/replay/rdb.c +++ b/libs/srtp/crypto/replay/rdb.c @@ -43,14 +43,12 @@ * */ - #ifdef HAVE_CONFIG_H - #include +#include #endif #include "rdb.h" - /* * this implementation of a replay database works as follows: * @@ -61,7 +59,7 @@ */ /* srtp_rdb_init initalizes rdb */ -srtp_err_status_t srtp_rdb_init (srtp_rdb_t *rdb) +srtp_err_status_t srtp_rdb_init(srtp_rdb_t *rdb) { v128_set_to_zero(&rdb->bitmask); rdb->window_start = 0; @@ -71,9 +69,8 @@ srtp_err_status_t srtp_rdb_init (srtp_rdb_t *rdb) /* * srtp_rdb_check checks to see if index appears in rdb */ -srtp_err_status_t srtp_rdb_check (const srtp_rdb_t *rdb, uint32_t p_index) +srtp_err_status_t srtp_rdb_check(const srtp_rdb_t *rdb, uint32_t p_index) { - /* if the index appears after (or at very end of) the window, its good */ if (p_index >= rdb->window_start + rdb_bits_in_bitmask) { return srtp_err_status_ok; @@ -101,35 +98,32 @@ srtp_err_status_t srtp_rdb_check (const srtp_rdb_t *rdb, uint32_t p_index) * indicated that the index does not appear in the rdb, e.g., a mutex * should protect the rdb between these calls */ -srtp_err_status_t srtp_rdb_add_index (srtp_rdb_t *rdb, uint32_t p_index) +srtp_err_status_t srtp_rdb_add_index(srtp_rdb_t *rdb, uint32_t p_index) { - int delta; + unsigned int delta; - /* here we *assume* that p_index > rdb->window_start */ + if (p_index < rdb->window_start) + return srtp_err_status_replay_fail; delta = (p_index - rdb->window_start); if (delta < rdb_bits_in_bitmask) { - /* if the p_index is within the window, set the appropriate bit */ v128_set_bit(&rdb->bitmask, delta); } else { - delta -= rdb_bits_in_bitmask - 1; /* shift the window forward by delta bits*/ v128_left_shift(&rdb->bitmask, delta); v128_set_bit(&rdb->bitmask, rdb_bits_in_bitmask - 1); rdb->window_start += delta; - } return srtp_err_status_ok; } -srtp_err_status_t srtp_rdb_increment (srtp_rdb_t *rdb) +srtp_err_status_t srtp_rdb_increment(srtp_rdb_t *rdb) { - if (rdb->window_start >= 0x7fffffff) { return srtp_err_status_key_expired; } @@ -137,7 +131,7 @@ srtp_err_status_t srtp_rdb_increment (srtp_rdb_t *rdb) return srtp_err_status_ok; } -uint32_t srtp_rdb_get_value (const srtp_rdb_t *rdb) +uint32_t srtp_rdb_get_value(const srtp_rdb_t *rdb) { return rdb->window_start; } diff --git a/libs/srtp/crypto/replay/rdbx.c b/libs/srtp/crypto/replay/rdbx.c index 63f66ff024..40cba01a1f 100644 --- a/libs/srtp/crypto/replay/rdbx.c +++ b/libs/srtp/crypto/replay/rdbx.c @@ -44,12 +44,11 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "rdbx.h" - /* * from RFC 3711: * @@ -64,8 +63,6 @@ * incremented by one (if the packet containing s is authentic). */ - - /* * rdbx implementation notes * @@ -83,14 +80,13 @@ * srtp_index_advance(&guess, delta), where delta is the difference. * * - * A srtp_rdbx_t consists of a srtp_xtd_seq_num_t and a bitmask. The index is highest - * sequence number that has been received, and the bitmask indicates + * A srtp_rdbx_t consists of a srtp_xtd_seq_num_t and a bitmask. The index is + * highest sequence number that has been received, and the bitmask indicates * which of the recent indicies have been received as well. The * highest bit in the bitmask corresponds to the index in the bitmask. */ - -void srtp_index_init (srtp_xtd_seq_num_t *pi) +void srtp_index_init(srtp_xtd_seq_num_t *pi) { #ifdef NO_64BIT_MATH *pi = make64(0, 0); @@ -99,7 +95,7 @@ void srtp_index_init (srtp_xtd_seq_num_t *pi) #endif } -void srtp_index_advance (srtp_xtd_seq_num_t *pi, srtp_sequence_number_t s) +void srtp_index_advance(srtp_xtd_seq_num_t *pi, srtp_sequence_number_t s) { #ifdef NO_64BIT_MATH /* a > ~b means a+b will generate a carry */ @@ -110,7 +106,6 @@ void srtp_index_advance (srtp_xtd_seq_num_t *pi, srtp_sequence_number_t s) #endif } - /* * srtp_index_guess(local, guess, s) * @@ -124,24 +119,19 @@ void srtp_index_advance (srtp_xtd_seq_num_t *pi, srtp_sequence_number_t s) * unsigned integer! */ -int32_t srtp_index_guess (const srtp_xtd_seq_num_t *local, srtp_xtd_seq_num_t *guess, srtp_sequence_number_t s) +int32_t srtp_index_guess(const srtp_xtd_seq_num_t *local, + srtp_xtd_seq_num_t *guess, + srtp_sequence_number_t s) { #ifdef NO_64BIT_MATH - uint32_t local_roc = ((high32(*local) << 16) | - (low32(*local) >> 16)); + uint32_t local_roc = ((high32(*local) << 16) | (low32(*local) >> 16)); uint16_t local_seq = (uint16_t)(low32(*local)); #else uint32_t local_roc = (uint32_t)(*local >> 16); uint16_t local_seq = (uint16_t)*local; #endif -#ifdef NO_64BIT_MATH - uint32_t guess_roc = ((high32(*guess) << 16) | - (low32(*guess) >> 16)); - uint16_t guess_seq = (uint16_t)(low32(*guess)); -#else - uint32_t guess_roc = (uint32_t)(*guess >> 16); - uint16_t guess_seq = (uint16_t)*guess; -#endif + uint32_t guess_roc; + uint16_t guess_seq; int32_t difference; if (local_seq < seq_num_median) { @@ -163,10 +153,9 @@ int32_t srtp_index_guess (const srtp_xtd_seq_num_t *local, srtp_xtd_seq_num_t *g } guess_seq = s; - /* Note: guess_roc is 32 bits, so this generates a 48-bit result! */ +/* Note: guess_roc is 32 bits, so this generates a 48-bit result! */ #ifdef NO_64BIT_MATH - *guess = make64(guess_roc >> 16, - (guess_roc << 16) | guess_seq); + *guess = make64(guess_roc >> 16, (guess_roc << 16) | guess_seq); #else *guess = (((uint64_t)guess_roc) << 16) | guess_seq; #endif @@ -179,11 +168,11 @@ int32_t srtp_index_guess (const srtp_xtd_seq_num_t *local, srtp_xtd_seq_num_t *g * */ - /* - * srtp_rdbx_init(&r, ws) initializes the srtp_rdbx_t pointed to by r with window size ws + * srtp_rdbx_init(&r, ws) initializes the srtp_rdbx_t pointed to by r with + * window size ws */ -srtp_err_status_t srtp_rdbx_init (srtp_rdbx_t *rdbx, unsigned long ws) +srtp_err_status_t srtp_rdbx_init(srtp_rdbx_t *rdbx, unsigned long ws) { if (ws == 0) { return srtp_err_status_bad_param; @@ -201,7 +190,7 @@ srtp_err_status_t srtp_rdbx_init (srtp_rdbx_t *rdbx, unsigned long ws) /* * srtp_rdbx_dealloc(&r) frees memory for the srtp_rdbx_t pointed to by r */ -srtp_err_status_t srtp_rdbx_dealloc (srtp_rdbx_t *rdbx) +srtp_err_status_t srtp_rdbx_dealloc(srtp_rdbx_t *rdbx) { bitvector_dealloc(&rdbx->bitmask); @@ -215,12 +204,12 @@ srtp_err_status_t srtp_rdbx_dealloc (srtp_rdbx_t *rdbx) * srtp_err_status_replay_old; otherwise, srtp_err_status_ok is returned. * */ -srtp_err_status_t srtp_rdbx_set_roc (srtp_rdbx_t *rdbx, uint32_t roc) +srtp_err_status_t srtp_rdbx_set_roc(srtp_rdbx_t *rdbx, uint32_t roc) { bitvector_set_to_zero(&rdbx->bitmask); #ifdef NO_64BIT_MATH - #error not yet implemented +#error not yet implemented #else /* make sure that we're not moving backwards */ @@ -240,7 +229,7 @@ srtp_err_status_t srtp_rdbx_set_roc (srtp_rdbx_t *rdbx, uint32_t roc) * for the srtp_rdbx_t pointed to by rdbx * */ -srtp_xtd_seq_num_t srtp_rdbx_get_packet_index (const srtp_rdbx_t *rdbx) +srtp_xtd_seq_num_t srtp_rdbx_get_packet_index(const srtp_rdbx_t *rdbx) { return rdbx->index; } @@ -250,7 +239,7 @@ srtp_xtd_seq_num_t srtp_rdbx_get_packet_index (const srtp_rdbx_t *rdbx) * for the srtp_rdbx_t pointed to by rdbx * */ -unsigned long srtp_rdbx_get_window_size (const srtp_rdbx_t *rdbx) +unsigned long srtp_rdbx_get_window_size(const srtp_rdbx_t *rdbx) { return bitvector_get_length(&rdbx->bitmask); } @@ -259,16 +248,17 @@ unsigned long srtp_rdbx_get_window_size (const srtp_rdbx_t *rdbx) * srtp_rdbx_check(&r, delta) checks to see if the srtp_xtd_seq_num_t * which is at rdbx->index + delta is in the rdb */ -srtp_err_status_t srtp_rdbx_check (const srtp_rdbx_t *rdbx, int delta) +srtp_err_status_t srtp_rdbx_check(const srtp_rdbx_t *rdbx, int delta) { - - if (delta > 0) { /* if delta is positive, it's good */ + if (delta > 0) { /* if delta is positive, it's good */ return srtp_err_status_ok; } else if ((int)(bitvector_get_length(&rdbx->bitmask) - 1) + delta < 0) { /* if delta is lower than the bitmask, it's bad */ return srtp_err_status_replay_old; - } else if (bitvector_get_bit(&rdbx->bitmask, - (int)(bitvector_get_length(&rdbx->bitmask) - 1) + delta) == 1) { + } else if (bitvector_get_bit( + &rdbx->bitmask, + (int)(bitvector_get_length(&rdbx->bitmask) - 1) + delta) == + 1) { /* delta is within the window, so check the bitmask */ return srtp_err_status_replay_fail; } @@ -285,17 +275,18 @@ srtp_err_status_t srtp_rdbx_check (const srtp_rdbx_t *rdbx, int delta) * indicated that the index does not appear in the rdbx, e.g., a mutex * should protect the rdbx between these calls if need be */ -srtp_err_status_t srtp_rdbx_add_index (srtp_rdbx_t *rdbx, int delta) +srtp_err_status_t srtp_rdbx_add_index(srtp_rdbx_t *rdbx, int delta) { - if (delta > 0) { /* shift forward by delta */ srtp_index_advance(&rdbx->index, delta); bitvector_left_shift(&rdbx->bitmask, delta); - bitvector_set_bit(&rdbx->bitmask, bitvector_get_length(&rdbx->bitmask) - 1); + bitvector_set_bit(&rdbx->bitmask, + bitvector_get_length(&rdbx->bitmask) - 1); } else { /* delta is in window */ - bitvector_set_bit(&rdbx->bitmask, bitvector_get_length(&rdbx->bitmask) - 1 + delta); + bitvector_set_bit(&rdbx->bitmask, + bitvector_get_length(&rdbx->bitmask) - 1 + delta); } /* note that we need not consider the case that delta == 0 */ @@ -303,8 +294,6 @@ srtp_err_status_t srtp_rdbx_add_index (srtp_rdbx_t *rdbx, int delta) return srtp_err_status_ok; } - - /* * srtp_rdbx_estimate_index(rdbx, guess, s) * @@ -313,25 +302,27 @@ srtp_err_status_t srtp_rdbx_add_index (srtp_rdbx_t *rdbx, int delta) * index to which s corresponds, and returns the difference between * *guess and the locally stored synch info */ -int32_t srtp_rdbx_estimate_index (const srtp_rdbx_t *rdbx, srtp_xtd_seq_num_t *guess, srtp_sequence_number_t s) +int32_t srtp_rdbx_estimate_index(const srtp_rdbx_t *rdbx, + srtp_xtd_seq_num_t *guess, + srtp_sequence_number_t s) { - - /* - * if the sequence number and rollover counter in the rdbx are - * non-zero, then use the srtp_index_guess(...) function, otherwise, just - * set the rollover counter to zero (since the srtp_index_guess(...) - * function might incorrectly guess that the rollover counter is - * 0xffffffff) - */ +/* + * if the sequence number and rollover counter in the rdbx are + * non-zero, then use the srtp_index_guess(...) function, otherwise, just + * set the rollover counter to zero (since the srtp_index_guess(...) + * function might incorrectly guess that the rollover counter is + * 0xffffffff) + */ #ifdef NO_64BIT_MATH /* seq_num_median = 0x8000 */ - if (high32(rdbx->index) > 0 || - low32(rdbx->index) > seq_num_median) + if (high32(rdbx->index) > 0 || low32(rdbx->index) > seq_num_median) #else if (rdbx->index > seq_num_median) #endif - { return srtp_index_guess(&rdbx->index, guess, s); } + { + return srtp_index_guess(&rdbx->index, guess, s); + } #ifdef NO_64BIT_MATH *guess = make64(0, (uint32_t)s); @@ -372,12 +363,12 @@ uint32_t srtp_rdbx_get_roc(const srtp_rdbx_t *rdbx) * rollover counter value, then the function returns * srtp_err_status_replay_old, otherwise, srtp_err_status_ok is returned. */ -srtp_err_status_t srtp_rdbx_set_roc_seq (srtp_rdbx_t *rdbx, - uint32_t roc, - uint16_t seq) +srtp_err_status_t srtp_rdbx_set_roc_seq(srtp_rdbx_t *rdbx, + uint32_t roc, + uint16_t seq) { #ifdef NO_64BIT_MATH - #error not yet implemented +#error not yet implemented #else /* make sure that we're not moving backwards */ @@ -393,4 +384,3 @@ srtp_err_status_t srtp_rdbx_set_roc_seq (srtp_rdbx_t *rdbx, return srtp_err_status_ok; } - diff --git a/libs/srtp/crypto/replay/ut_sim.c b/libs/srtp/crypto/replay/ut_sim.c index b50164ced1..c621c0e9f2 100644 --- a/libs/srtp/crypto/replay/ut_sim.c +++ b/libs/srtp/crypto/replay/ut_sim.c @@ -3,32 +3,32 @@ * * an unreliable transport simulator * (for testing replay databases and suchlike) - * + * * David A. McGrew * Cisco Systems, Inc. */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -44,66 +44,61 @@ * */ - #ifdef HAVE_CONFIG_H - #include +#include #endif #include "ut_sim.h" - -int -ut_compar(const void *a, const void *b) { - return rand() > (RAND_MAX/2) ? -1 : 1; +int ut_compar(const void *a, const void *b) +{ + return rand() > (RAND_MAX / 2) ? -1 : 1; } -void -ut_init(ut_connection *utc) { - int i; - utc->index = 0; +void ut_init(ut_connection *utc) +{ + int i; + utc->index = 0; - for (i=0; i < UT_BUF; i++) - utc->buffer[i] = i; - - qsort(utc->buffer, UT_BUF, sizeof(uint32_t), ut_compar); + for (i = 0; i < UT_BUF; i++) + utc->buffer[i] = i; - utc->index = UT_BUF - 1; -} + qsort(utc->buffer, UT_BUF, sizeof(uint32_t), ut_compar); -uint32_t -ut_next_index(ut_connection *utc) { - uint32_t tmp; + utc->index = UT_BUF - 1; +} - tmp = utc->buffer[0]; - utc->index++; - utc->buffer[0] = utc->index; +uint32_t ut_next_index(ut_connection *utc) +{ + uint32_t tmp; - qsort(utc->buffer, UT_BUF, sizeof(uint32_t), ut_compar); - - return tmp; -} + tmp = utc->buffer[0]; + utc->index++; + utc->buffer[0] = utc->index; + qsort(utc->buffer, UT_BUF, sizeof(uint32_t), ut_compar); + return tmp; +} #ifdef UT_TEST #include -int -main() { - uint32_t i, irecvd, idiff; - ut_connection utc; +int main() +{ + uint32_t i, irecvd, idiff; + ut_connection utc; - ut_init(&utc); + ut_init(&utc); - for (i=0; i < 1000; i++) { - irecvd = ut_next_index(&utc); - idiff = i - irecvd; - printf("%lu\t%lu\t%d\n", i, irecvd, idiff); - } - - return 0; -} + for (i = 0; i < 1000; i++) { + irecvd = ut_next_index(&utc); + idiff = i - irecvd; + printf("%lu\t%lu\t%d\n", i, irecvd, idiff); + } + return 0; +} #endif diff --git a/libs/srtp/crypto/test/aes_calc.c b/libs/srtp/crypto/test/aes_calc.c index 08a0541a1b..b362fd57fc 100644 --- a/libs/srtp/crypto/test/aes_calc.c +++ b/libs/srtp/crypto/test/aes_calc.c @@ -1,6 +1,6 @@ /* * aes_calc.c - * + * * A simple AES calculator for generating AES encryption values * * David A. McGrew @@ -8,26 +8,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -44,10 +44,12 @@ */ /* - + Example usage (with first NIST FIPS 197 test case): - -[sh]$ test/aes_calc 000102030405060708090a0b0c0d0e0f 00112233445566778899aabbccddeeff -v + + [sh]$ test/aes_calc 000102030405060708090a0b0c0d0e0f \ + 00112233445566778899aabbccddeeff -v + plaintext: 00112233445566778899aabbccddeeff key: 000102030405060708090a0b0c0d0e0f ciphertext: 69c4e0d86a7b0430d8cdb78070b4c55a @@ -55,7 +57,7 @@ */ #ifdef HAVE_CONFIG_H - #include +#include #endif #include "aes.h" @@ -63,98 +65,93 @@ #include #include "util.h" -void -usage(char *prog_name) { - printf("usage: %s [-v]\n", prog_name); - exit(255); +void usage(char *prog_name) +{ + printf("usage: %s <key> <plaintext> [-v]\n", prog_name); + exit(255); } #define AES_MAX_KEY_LEN 32 -int -main (int argc, char *argv[]) { - v128_t data; - uint8_t key[AES_MAX_KEY_LEN]; - srtp_aes_expanded_key_t exp_key; - int key_len, len; - int verbose = 0; - srtp_err_status_t status; - - if (argc == 3) { - /* we're not in verbose mode */ - verbose = 0; - } else if (argc == 4) { - if (strncmp(argv[3], "-v", 2) == 0) { - /* we're in verbose mode */ - verbose = 1; +int main(int argc, char *argv[]) +{ + v128_t data; + uint8_t key[AES_MAX_KEY_LEN]; + srtp_aes_expanded_key_t exp_key; + int key_len, len; + int verbose = 0; + srtp_err_status_t status; + + if (argc == 3) { + /* we're not in verbose mode */ + verbose = 0; + } else if (argc == 4) { + if (strncmp(argv[3], "-v", 2) == 0) { + /* we're in verbose mode */ + verbose = 1; + } else { + /* unrecognized flag, complain and exit */ + usage(argv[0]); + } } else { - /* unrecognized flag, complain and exit */ - usage(argv[0]); + /* we've been fed the wrong number of arguments - compain and exit */ + usage(argv[0]); + } + + /* read in key, checking length */ + if (strlen(argv[1]) > AES_MAX_KEY_LEN * 2) { + fprintf(stderr, "error: too many digits in key " + "(should be at most %d hexadecimal digits, found %u)\n", + AES_MAX_KEY_LEN * 2, (unsigned)strlen(argv[1])); + exit(1); + } + len = hex_string_to_octet_string((char *)key, argv[1], AES_MAX_KEY_LEN * 2); + /* check that hex string is the right length */ + if (len != 32 && len != 48 && len != 64) { + fprintf(stderr, "error: bad number of digits in key " + "(should be 32/48/64 hexadecimal digits, found %d)\n", + len); + exit(1); + } + key_len = len / 2; + + /* read in plaintext, checking length */ + if (strlen(argv[2]) > 16 * 2) { + fprintf(stderr, "error: too many digits in plaintext " + "(should be %d hexadecimal digits, found %u)\n", + 16 * 2, (unsigned)strlen(argv[2])); + exit(1); + } + len = hex_string_to_octet_string((char *)(&data), argv[2], 16 * 2); + /* check that hex string is the right length */ + if (len < 16 * 2) { + fprintf(stderr, "error: too few digits in plaintext " + "(should be %d hexadecimal digits, found %d)\n", + 16 * 2, len); + exit(1); + } + + if (verbose) { + /* print out plaintext */ + printf("plaintext:\t%s\n", + octet_string_hex_string((uint8_t *)&data, 16)); } - } else { - /* we've been fed the wrong number of arguments - compain and exit */ - usage(argv[0]); - } - - /* read in key, checking length */ - if (strlen(argv[1]) > AES_MAX_KEY_LEN*2) { - fprintf(stderr, - "error: too many digits in key " - "(should be at most %d hexadecimal digits, found %u)\n", - AES_MAX_KEY_LEN*2, (unsigned)strlen(argv[1])); - exit(1); - } - len = hex_string_to_octet_string((char*)key, argv[1], AES_MAX_KEY_LEN*2); - /* check that hex string is the right length */ - if (len != 32 && len != 48 && len != 64) { - fprintf(stderr, - "error: bad number of digits in key " - "(should be 32/48/64 hexadecimal digits, found %d)\n", - len); - exit(1); - } - key_len = len/2; - - /* read in plaintext, checking length */ - if (strlen(argv[2]) > 16*2) { - fprintf(stderr, - "error: too many digits in plaintext " - "(should be %d hexadecimal digits, found %u)\n", - 16*2, (unsigned)strlen(argv[2])); - exit(1); - } - len = hex_string_to_octet_string((char *)(&data), argv[2], 16*2); - /* check that hex string is the right length */ - if (len < 16*2) { - fprintf(stderr, - "error: too few digits in plaintext " - "(should be %d hexadecimal digits, found %d)\n", - 16*2, len); - exit(1); - } - - if (verbose) { - /* print out plaintext */ - printf("plaintext:\t%s\n", octet_string_hex_string((uint8_t *)&data, 16)); - } - - /* encrypt plaintext */ - status = srtp_aes_expand_encryption_key(key, key_len, &exp_key); - if (status) { - fprintf(stderr, - "error: AES key expansion failed.\n"); - exit(1); - } - - srtp_aes_encrypt(&data, &exp_key); - - /* write ciphertext to output */ - if (verbose) { - printf("key:\t\t%s\n", octet_string_hex_string(key, key_len)); - printf("ciphertext:\t"); - } - printf("%s\n", v128_hex_string(&data)); - - return 0; -} + /* encrypt plaintext */ + status = srtp_aes_expand_encryption_key(key, key_len, &exp_key); + if (status) { + fprintf(stderr, "error: AES key expansion failed.\n"); + exit(1); + } + + srtp_aes_encrypt(&data, &exp_key); + + /* write ciphertext to output */ + if (verbose) { + printf("key:\t\t%s\n", octet_string_hex_string(key, key_len)); + printf("ciphertext:\t"); + } + printf("%s\n", v128_hex_string(&data)); + + return 0; +} diff --git a/libs/srtp/crypto/test/cipher_driver.c b/libs/srtp/crypto/test/cipher_driver.c index b63cd5ba0a..e28f5f264f 100644 --- a/libs/srtp/crypto/test/cipher_driver.c +++ b/libs/srtp/crypto/test/cipher_driver.c @@ -8,26 +8,26 @@ */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -44,12 +44,11 @@ */ #ifdef HAVE_CONFIG_H - #include <config.h> +#include <config.h> #endif -#include <stdio.h> /* for printf() */ -#include <stdlib.h> /* for rand() */ -#include <string.h> /* for memset() */ +#include <stdio.h> /* for printf() */ +#include <stdlib.h> /* for rand() */ #include "getopt_s.h" #include "cipher.h" #ifdef OPENSSL @@ -61,12 +60,9 @@ #define PRINT_DEBUG 0 -void -cipher_driver_test_throughput(srtp_cipher_t *c); - -srtp_err_status_t -cipher_driver_self_test(srtp_cipher_type_t *ct); +void cipher_driver_test_throughput(srtp_cipher_t *c); +srtp_err_status_t cipher_driver_self_test(srtp_cipher_type_t *ct); /* * cipher_driver_test_buffering(ct) tests the cipher's output @@ -74,44 +70,43 @@ cipher_driver_self_test(srtp_cipher_type_t *ct); * calls */ -srtp_err_status_t -cipher_driver_test_buffering(srtp_cipher_t *c); - +srtp_err_status_t cipher_driver_test_buffering(srtp_cipher_t *c); /* * functions for testing cipher cache thrash */ -srtp_err_status_t -cipher_driver_test_array_throughput(srtp_cipher_type_t *ct, - int klen, int num_cipher); +srtp_err_status_t cipher_driver_test_array_throughput(srtp_cipher_type_t *ct, + int klen, + int num_cipher); -void -cipher_array_test_throughput(srtp_cipher_t *ca[], int num_cipher); +void cipher_array_test_throughput(srtp_cipher_t *ca[], int num_cipher); -uint64_t -cipher_array_bits_per_second(srtp_cipher_t *cipher_array[], int num_cipher, - unsigned octets_in_buffer, int num_trials); +uint64_t cipher_array_bits_per_second(srtp_cipher_t *cipher_array[], + int num_cipher, + unsigned octets_in_buffer, + int num_trials); -srtp_err_status_t -cipher_array_delete(srtp_cipher_t *cipher_array[], int num_cipher); +srtp_err_status_t cipher_array_delete(srtp_cipher_t *cipher_array[], + int num_cipher); -srtp_err_status_t -cipher_array_alloc_init(srtp_cipher_t ***cipher_array, int num_ciphers, - srtp_cipher_type_t *ctype, int klen); +srtp_err_status_t cipher_array_alloc_init(srtp_cipher_t ***cipher_array, + int num_ciphers, + srtp_cipher_type_t *ctype, + int klen); -void -usage(char *prog_name) { - printf("usage: %s [ -t | -v | -a ]\n", prog_name); - exit(255); +void usage(char *prog_name) +{ + printf("usage: %s [ -t | -v | -a ]\n", prog_name); + exit(255); } -void -check_status(srtp_err_status_t s) { - if (s) { - printf("error (code %d)\n", s); - exit(s); - } - return; +void check_status(srtp_err_status_t s) +{ + if (s) { + printf("error (code %d)\n", s); + exit(s); + } + return; } /* @@ -129,151 +124,163 @@ extern srtp_cipher_type_t srtp_aes_gcm_128_openssl; extern srtp_cipher_type_t srtp_aes_gcm_256_openssl; #endif -int -main(int argc, char *argv[]) { - srtp_cipher_t *c = NULL; - srtp_err_status_t status; - unsigned char test_key[48] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, - 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, - }; - int q; - unsigned do_timing_test = 0; - unsigned do_validation = 0; - unsigned do_array_timing_test = 0; - - /* process input arguments */ - while (1) { - q = getopt_s(argc, argv, "tva"); - if (q == -1) - break; - switch (q) { - case 't': - do_timing_test = 1; - break; - case 'v': - do_validation = 1; - break; - case 'a': - do_array_timing_test = 1; - break; - default: - usage(argv[0]); - } - } - - printf("cipher test driver\n" - "David A. McGrew\n" - "Cisco Systems, Inc.\n"); - - if (!do_validation && !do_timing_test && !do_array_timing_test) - usage(argv[0]); - - /* arry timing (cache thrash) test */ - if (do_array_timing_test) { - int max_num_cipher = 1 << 16; /* number of ciphers in cipher_array */ - int num_cipher; - - for (num_cipher=1; num_cipher < max_num_cipher; num_cipher *=8) - cipher_driver_test_array_throughput(&srtp_null_cipher, 0, num_cipher); - - for (num_cipher=1; num_cipher < max_num_cipher; num_cipher *=8) - cipher_driver_test_array_throughput(&srtp_aes_icm_128, SRTP_AES_ICM_128_KEY_LEN_WSALT, num_cipher); - - for (num_cipher=1; num_cipher < max_num_cipher; num_cipher *=8) - cipher_driver_test_array_throughput(&srtp_aes_icm_256, SRTP_AES_ICM_256_KEY_LEN_WSALT, num_cipher); +int main(int argc, char *argv[]) +{ + srtp_cipher_t *c = NULL; + srtp_err_status_t status; + /* clang-format off */ + unsigned char test_key[48] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + }; + /* clang-format on */ + int q; + unsigned do_timing_test = 0; + unsigned do_validation = 0; + unsigned do_array_timing_test = 0; + + /* process input arguments */ + while (1) { + q = getopt_s(argc, argv, "tva"); + if (q == -1) + break; + switch (q) { + case 't': + do_timing_test = 1; + break; + case 'v': + do_validation = 1; + break; + case 'a': + do_array_timing_test = 1; + break; + default: + usage(argv[0]); + } + } + + printf("cipher test driver\n" + "David A. McGrew\n" + "Cisco Systems, Inc.\n"); -#ifdef OPENSSL - for (num_cipher=1; num_cipher < max_num_cipher; num_cipher *=8) - cipher_driver_test_array_throughput(&srtp_aes_icm_192, SRTP_AES_ICM_192_KEY_LEN_WSALT, num_cipher); + if (!do_validation && !do_timing_test && !do_array_timing_test) + usage(argv[0]); - for (num_cipher=1; num_cipher < max_num_cipher; num_cipher *=8) { - cipher_driver_test_array_throughput(&srtp_aes_gcm_128_openssl, SRTP_AES_GCM_128_KEY_LEN_WSALT, num_cipher); - } + /* arry timing (cache thrash) test */ + if (do_array_timing_test) { + int max_num_cipher = 1 << 16; /* number of ciphers in cipher_array */ + int num_cipher; - for (num_cipher=1; num_cipher < max_num_cipher; num_cipher *=8) { - cipher_driver_test_array_throughput(&srtp_aes_gcm_256_openssl, SRTP_AES_GCM_256_KEY_LEN_WSALT, num_cipher); - } + for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) + cipher_driver_test_array_throughput(&srtp_null_cipher, 0, + num_cipher); + + for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) + cipher_driver_test_array_throughput( + &srtp_aes_icm_128, SRTP_AES_ICM_128_KEY_LEN_WSALT, num_cipher); + + for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) + cipher_driver_test_array_throughput( + &srtp_aes_icm_256, SRTP_AES_ICM_256_KEY_LEN_WSALT, num_cipher); + +#ifdef OPENSSL + for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) + cipher_driver_test_array_throughput( + &srtp_aes_icm_192, SRTP_AES_ICM_192_KEY_LEN_WSALT, num_cipher); + + for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) { + cipher_driver_test_array_throughput(&srtp_aes_gcm_128_openssl, + SRTP_AES_GCM_128_KEY_LEN_WSALT, + num_cipher); + } + + for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) { + cipher_driver_test_array_throughput(&srtp_aes_gcm_256_openssl, + SRTP_AES_GCM_256_KEY_LEN_WSALT, + num_cipher); + } #endif - } + } - if (do_validation) { - cipher_driver_self_test(&srtp_null_cipher); - cipher_driver_self_test(&srtp_aes_icm_128); - cipher_driver_self_test(&srtp_aes_icm_256); + if (do_validation) { + cipher_driver_self_test(&srtp_null_cipher); + cipher_driver_self_test(&srtp_aes_icm_128); + cipher_driver_self_test(&srtp_aes_icm_256); #ifdef OPENSSL - cipher_driver_self_test(&srtp_aes_icm_192); - cipher_driver_self_test(&srtp_aes_gcm_128_openssl); - cipher_driver_self_test(&srtp_aes_gcm_256_openssl); + cipher_driver_self_test(&srtp_aes_icm_192); + cipher_driver_self_test(&srtp_aes_gcm_128_openssl); + cipher_driver_self_test(&srtp_aes_gcm_256_openssl); #endif - } + } - /* do timing and/or buffer_test on srtp_null_cipher */ - status = srtp_cipher_type_alloc(&srtp_null_cipher, &c, 0, 0); - check_status(status); + /* do timing and/or buffer_test on srtp_null_cipher */ + status = srtp_cipher_type_alloc(&srtp_null_cipher, &c, 0, 0); + check_status(status); - status = srtp_cipher_init(c, NULL); - check_status(status); + status = srtp_cipher_init(c, NULL); + check_status(status); - if (do_timing_test) - cipher_driver_test_throughput(c); - if (do_validation) { - status = cipher_driver_test_buffering(c); + if (do_timing_test) + cipher_driver_test_throughput(c); + if (do_validation) { + status = cipher_driver_test_buffering(c); + check_status(status); + } + status = srtp_cipher_dealloc(c); check_status(status); - } - status = srtp_cipher_dealloc(c); - check_status(status); - - /* run the throughput test on the aes_icm cipher (128-bit key) */ - status = srtp_cipher_type_alloc(&srtp_aes_icm_128, &c, SRTP_AES_ICM_128_KEY_LEN_WSALT, 0); + /* run the throughput test on the aes_icm cipher (128-bit key) */ + status = srtp_cipher_type_alloc(&srtp_aes_icm_128, &c, + SRTP_AES_ICM_128_KEY_LEN_WSALT, 0); if (status) { - fprintf(stderr, "error: can't allocate cipher\n"); - exit(status); + fprintf(stderr, "error: can't allocate cipher\n"); + exit(status); } status = srtp_cipher_init(c, test_key); check_status(status); if (do_timing_test) - cipher_driver_test_throughput(c); - + cipher_driver_test_throughput(c); + if (do_validation) { - status = cipher_driver_test_buffering(c); - check_status(status); + status = cipher_driver_test_buffering(c); + check_status(status); } - + status = srtp_cipher_dealloc(c); check_status(status); - /* repeat the tests with 256-bit keys */ - status = srtp_cipher_type_alloc(&srtp_aes_icm_256, &c, SRTP_AES_ICM_256_KEY_LEN_WSALT, 0); + /* repeat the tests with 256-bit keys */ + status = srtp_cipher_type_alloc(&srtp_aes_icm_256, &c, + SRTP_AES_ICM_256_KEY_LEN_WSALT, 0); if (status) { - fprintf(stderr, "error: can't allocate cipher\n"); - exit(status); + fprintf(stderr, "error: can't allocate cipher\n"); + exit(status); } status = srtp_cipher_init(c, test_key); check_status(status); if (do_timing_test) - cipher_driver_test_throughput(c); - + cipher_driver_test_throughput(c); + if (do_validation) { - status = cipher_driver_test_buffering(c); - check_status(status); + status = cipher_driver_test_buffering(c); + check_status(status); } - + status = srtp_cipher_dealloc(c); check_status(status); #ifdef OPENSSL /* run the throughput test on the aes_gcm_128_openssl cipher */ - status = srtp_cipher_type_alloc(&srtp_aes_gcm_128_openssl, &c, SRTP_AES_GCM_128_KEY_LEN_WSALT, 8); + status = srtp_cipher_type_alloc(&srtp_aes_gcm_128_openssl, &c, + SRTP_AES_GCM_128_KEY_LEN_WSALT, 8); if (status) { fprintf(stderr, "error: can't allocate GCM 128 cipher\n"); exit(status); @@ -292,7 +299,8 @@ main(int argc, char *argv[]) { check_status(status); /* run the throughput test on the aes_gcm_256_openssl cipher */ - status = srtp_cipher_type_alloc(&srtp_aes_gcm_256_openssl, &c, SRTP_AES_GCM_256_KEY_LEN_WSALT, 16); + status = srtp_cipher_type_alloc(&srtp_aes_gcm_256_openssl, &c, + SRTP_AES_GCM_256_KEY_LEN_WSALT, 16); if (status) { fprintf(stderr, "error: can't allocate GCM 256 cipher\n"); exit(status); @@ -309,39 +317,39 @@ main(int argc, char *argv[]) { } status = srtp_cipher_dealloc(c); check_status(status); -#endif +#endif return 0; } -void -cipher_driver_test_throughput(srtp_cipher_t *c) { - int i; - int min_enc_len = 32; - int max_enc_len = 2048; /* should be a power of two */ - int num_trials = 1000000; - - printf("timing %s throughput, key length %d:\n", c->type->description, c->key_len); - fflush(stdout); - for (i=min_enc_len; i <= max_enc_len; i = i * 2) - printf("msg len: %d\tgigabits per second: %f\n", - i, srtp_cipher_bits_per_second(c, i, num_trials) / 1e9); - +void cipher_driver_test_throughput(srtp_cipher_t *c) +{ + int i; + int min_enc_len = 32; + int max_enc_len = 2048; /* should be a power of two */ + int num_trials = 1000000; + + printf("timing %s throughput, key length %d:\n", c->type->description, + c->key_len); + fflush(stdout); + for (i = min_enc_len; i <= max_enc_len; i = i * 2) + printf("msg len: %d\tgigabits per second: %f\n", i, + srtp_cipher_bits_per_second(c, i, num_trials) / 1e9); } -srtp_err_status_t -cipher_driver_self_test(srtp_cipher_type_t *ct) { - srtp_err_status_t status; - - printf("running cipher self-test for %s...", ct->description); - status = srtp_cipher_type_self_test(ct); - if (status) { - printf("failed with error code %d\n", status); - exit(status); - } - printf("passed\n"); - - return srtp_err_status_ok; +srtp_err_status_t cipher_driver_self_test(srtp_cipher_type_t *ct) +{ + srtp_err_status_t status; + + printf("running cipher self-test for %s...", ct->description); + status = srtp_cipher_type_self_test(ct); + if (status) { + printf("failed with error code %d\n", status); + exit(status); + } + printf("passed\n"); + + return srtp_err_status_ok; } /* @@ -351,168 +359,166 @@ cipher_driver_self_test(srtp_cipher_type_t *ct) { */ #define INITIAL_BUFLEN 1024 -srtp_err_status_t -cipher_driver_test_buffering(srtp_cipher_t *c) { - int i, j, num_trials = 1000; - unsigned len, buflen = INITIAL_BUFLEN; - uint8_t buffer0[INITIAL_BUFLEN], buffer1[INITIAL_BUFLEN], *current, *end; - uint8_t idx[16] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x34 - }; - srtp_err_status_t status; - - printf("testing output buffering for cipher %s...", - c->type->description); - - for (i=0; i < num_trials; i++) { - - /* set buffers to zero */ - for (j=0; j < (int) buflen; j++) { - buffer0[j] = buffer1[j] = 0; - } - - /* initialize cipher */ - status = srtp_cipher_set_iv(c, (uint8_t*)idx, srtp_direction_encrypt); - if (status) - return status; - - /* generate 'reference' value by encrypting all at once */ - status = srtp_cipher_encrypt(c, buffer0, &buflen); - if (status) - return status; - - /* re-initialize cipher */ - status = srtp_cipher_set_iv(c, (uint8_t*)idx, srtp_direction_encrypt); - if (status) - return status; - - /* now loop over short lengths until buffer1 is encrypted */ - current = buffer1; - end = buffer1 + buflen; - while (current < end) { - - /* choose a short length */ - len = rand() & 0x01f; - - /* make sure that len doesn't cause us to overreach the buffer */ - if (current + len > end) - len = end - current; - - status = srtp_cipher_encrypt(c, current, &len); - if (status) - return status; - - /* advance pointer into buffer1 to reflect encryption */ - current += len; - - /* if buffer1 is all encrypted, break out of loop */ - if (current == end) - break; - } - - /* compare buffers */ - for (j=0; j < (int) buflen; j++) { - if (buffer0[j] != buffer1[j]) { +srtp_err_status_t cipher_driver_test_buffering(srtp_cipher_t *c) +{ + int i, j, num_trials = 1000; + unsigned len, buflen = INITIAL_BUFLEN; + uint8_t buffer0[INITIAL_BUFLEN], buffer1[INITIAL_BUFLEN], *current, *end; + uint8_t idx[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x34 }; + srtp_err_status_t status; + + printf("testing output buffering for cipher %s...", c->type->description); + + for (i = 0; i < num_trials; i++) { + /* set buffers to zero */ + for (j = 0; j < (int)buflen; j++) { + buffer0[j] = buffer1[j] = 0; + } + + /* initialize cipher */ + status = srtp_cipher_set_iv(c, (uint8_t *)idx, srtp_direction_encrypt); + if (status) + return status; + + /* generate 'reference' value by encrypting all at once */ + status = srtp_cipher_encrypt(c, buffer0, &buflen); + if (status) + return status; + + /* re-initialize cipher */ + status = srtp_cipher_set_iv(c, (uint8_t *)idx, srtp_direction_encrypt); + if (status) + return status; + + /* now loop over short lengths until buffer1 is encrypted */ + current = buffer1; + end = buffer1 + buflen; + while (current < end) { + /* choose a short length */ + len = rand() & 0x01f; + + /* make sure that len doesn't cause us to overreach the buffer */ + if (current + len > end) + len = end - current; + + status = srtp_cipher_encrypt(c, current, &len); + if (status) + return status; + + /* advance pointer into buffer1 to reflect encryption */ + current += len; + + /* if buffer1 is all encrypted, break out of loop */ + if (current == end) + break; + } + + /* compare buffers */ + for (j = 0; j < (int)buflen; j++) { + if (buffer0[j] != buffer1[j]) { #if PRINT_DEBUG - printf("test case %d failed at byte %d\n", i, j); - printf("computed: %s\n", octet_string_hex_string(buffer1, buflen)); - printf("expected: %s\n", octet_string_hex_string(buffer0, buflen)); -#endif - return srtp_err_status_algo_fail; - } + printf("test case %d failed at byte %d\n", i, j); + printf("computed: %s\n", + octet_string_hex_string(buffer1, buflen)); + printf("expected: %s\n", + octet_string_hex_string(buffer0, buflen)); +#endif + return srtp_err_status_algo_fail; + } + } } - } - - printf("passed\n"); - return srtp_err_status_ok; -} + printf("passed\n"); + return srtp_err_status_ok; +} /* * The function cipher_test_throughput_array() tests the effect of CPU - * cache thrash on cipher throughput. + * cache thrash on cipher throughput. * * cipher_array_alloc_init(ctype, array, num_ciphers) creates an array * of srtp_cipher_t of type ctype */ -srtp_err_status_t -cipher_array_alloc_init(srtp_cipher_t ***ca, int num_ciphers, - srtp_cipher_type_t *ctype, int klen) { - int i, j; - srtp_err_status_t status; - uint8_t *key; - srtp_cipher_t **cipher_array; - /* pad klen allocation, to handle aes_icm reading 16 bytes for the - 14-byte salt */ - int klen_pad = ((klen + 15) >> 4) << 4; - - /* allocate array of pointers to ciphers */ - cipher_array = (srtp_cipher_t **) malloc(sizeof(srtp_cipher_t *) * num_ciphers); - if (cipher_array == NULL) - return srtp_err_status_alloc_fail; - - /* set ca to location of cipher_array */ - *ca = cipher_array; - - /* allocate key */ - key = srtp_crypto_alloc(klen_pad); - if (key == NULL) { - free(cipher_array); - return srtp_err_status_alloc_fail; - } - - /* allocate and initialize an array of ciphers */ - for (i=0; i < num_ciphers; i++) { - - /* allocate cipher */ - status = srtp_cipher_type_alloc(ctype, cipher_array, klen, 16); - if (status) - return status; - - /* generate random key and initialize cipher */ - for (j=0; j < klen; j++) - key[j] = (uint8_t) rand(); - for (; j < klen_pad; j++) - key[j] = 0; - status = srtp_cipher_init(*cipher_array, key); - if (status) - return status; - -/* printf("%dth cipher is at %p\n", i, *cipher_array); */ -/* printf("%dth cipher description: %s\n", i, */ -/* (*cipher_array)->type->description); */ - - /* advance cipher array pointer */ - cipher_array++; - } - - srtp_crypto_free(key); - - return srtp_err_status_ok; -} +srtp_err_status_t cipher_array_alloc_init(srtp_cipher_t ***ca, + int num_ciphers, + srtp_cipher_type_t *ctype, + int klen) +{ + int i, j; + srtp_err_status_t status; + uint8_t *key; + srtp_cipher_t **cipher_array; + /* pad klen allocation, to handle aes_icm reading 16 bytes for the + 14-byte salt */ + int klen_pad = ((klen + 15) >> 4) << 4; + + /* allocate array of pointers to ciphers */ + cipher_array = (srtp_cipher_t **)srtp_crypto_alloc(sizeof(srtp_cipher_t *) * + num_ciphers); + if (cipher_array == NULL) + return srtp_err_status_alloc_fail; + + /* set ca to location of cipher_array */ + *ca = cipher_array; + + /* allocate key */ + key = srtp_crypto_alloc(klen_pad); + if (key == NULL) { + srtp_crypto_free(cipher_array); + return srtp_err_status_alloc_fail; + } + + /* allocate and initialize an array of ciphers */ + for (i = 0; i < num_ciphers; i++) { + /* allocate cipher */ + status = srtp_cipher_type_alloc(ctype, cipher_array, klen, 16); + if (status) + return status; + + /* generate random key and initialize cipher */ + for (j = 0; j < klen; j++) + key[j] = (uint8_t)rand(); + for (; j < klen_pad; j++) + key[j] = 0; + status = srtp_cipher_init(*cipher_array, key); + if (status) + return status; + + /* printf("%dth cipher is at %p\n", i, *cipher_array); */ + /* printf("%dth cipher description: %s\n", i, */ + /* (*cipher_array)->type->description); */ + + /* advance cipher array pointer */ + cipher_array++; + } + + srtp_crypto_free(key); -srtp_err_status_t -cipher_array_delete(srtp_cipher_t *cipher_array[], int num_cipher) { - int i; - - for (i=0; i < num_cipher; i++) { - srtp_cipher_dealloc(cipher_array[i]); - } - - free(cipher_array); - - return srtp_err_status_ok; + return srtp_err_status_ok; } +srtp_err_status_t cipher_array_delete(srtp_cipher_t *cipher_array[], + int num_cipher) +{ + int i; + + for (i = 0; i < num_cipher; i++) { + srtp_cipher_dealloc(cipher_array[i]); + } + + srtp_crypto_free(cipher_array); + + return srtp_err_status_ok; +} /* * cipher_array_bits_per_second(c, l, t) computes (an estimate of) the * number of bits that a cipher implementation can encrypt in a second * when distinct keys are used to encrypt distinct messages - * + * * c is a cipher (which MUST be allocated an initialized already), l * is the length in octets of the test data to be encrypted, and t is * the number of trials @@ -520,80 +526,85 @@ cipher_array_delete(srtp_cipher_t *cipher_array[], int num_cipher) { * if an error is encountered, the value 0 is returned */ -uint64_t -cipher_array_bits_per_second(srtp_cipher_t *cipher_array[], int num_cipher, - unsigned octets_in_buffer, int num_trials) { - int i; - v128_t nonce; - clock_t timer; - unsigned char *enc_buf; - int cipher_index = rand() % num_cipher; - - /* Over-alloc, for NIST CBC padding */ - enc_buf = srtp_crypto_alloc(octets_in_buffer+17); - if (enc_buf == NULL) - return 0; /* indicate bad parameters by returning null */ - memset(enc_buf, 0, octets_in_buffer); - - /* time repeated trials */ - v128_set_to_zero(&nonce); - timer = clock(); - for(i=0; i < num_trials; i++, nonce.v32[3] = i) { - /* length parameter to srtp_cipher_encrypt is in/out -- out is total, padded - * length -- so reset it each time. */ - unsigned octets_to_encrypt = octets_in_buffer; - - /* encrypt buffer with cipher */ - srtp_cipher_set_iv(cipher_array[cipher_index], (uint8_t*)&nonce, srtp_direction_encrypt); - srtp_cipher_encrypt(cipher_array[cipher_index], enc_buf, &octets_to_encrypt); - - /* choose a cipher at random from the array*/ - cipher_index = (*((uint32_t *)enc_buf)) % num_cipher; - } - timer = clock() - timer; - - free(enc_buf); - - if (timer == 0) { - /* Too fast! */ - return 0; - } +uint64_t cipher_array_bits_per_second(srtp_cipher_t *cipher_array[], + int num_cipher, + unsigned octets_in_buffer, + int num_trials) +{ + int i; + v128_t nonce; + clock_t timer; + unsigned char *enc_buf; + int cipher_index = rand() % num_cipher; + + /* Over-alloc, for NIST CBC padding */ + enc_buf = srtp_crypto_alloc(octets_in_buffer + 17); + if (enc_buf == NULL) + return 0; /* indicate bad parameters by returning null */ + + /* time repeated trials */ + v128_set_to_zero(&nonce); + timer = clock(); + for (i = 0; i < num_trials; i++, nonce.v32[3] = i) { + /* length parameter to srtp_cipher_encrypt is in/out -- out is total, + * padded + * length -- so reset it each time. */ + unsigned octets_to_encrypt = octets_in_buffer; + + /* encrypt buffer with cipher */ + srtp_cipher_set_iv(cipher_array[cipher_index], (uint8_t *)&nonce, + srtp_direction_encrypt); + srtp_cipher_encrypt(cipher_array[cipher_index], enc_buf, + &octets_to_encrypt); + + /* choose a cipher at random from the array*/ + cipher_index = (*((uint32_t *)enc_buf)) % num_cipher; + } + timer = clock() - timer; - return (uint64_t)CLOCKS_PER_SEC * num_trials * 8 * octets_in_buffer / timer; -} + srtp_crypto_free(enc_buf); -void -cipher_array_test_throughput(srtp_cipher_t *ca[], int num_cipher) { - int i; - int min_enc_len = 16; - int max_enc_len = 2048; /* should be a power of two */ - int num_trials = 1000000; + if (timer == 0) { + /* Too fast! */ + return 0; + } - printf("timing %s throughput with key length %d, array size %d:\n", - (ca[0])->type->description, (ca[0])->key_len, num_cipher); - fflush(stdout); - for (i=min_enc_len; i <= max_enc_len; i = i * 4) - printf("msg len: %d\tgigabits per second: %f\n", i, - cipher_array_bits_per_second(ca, num_cipher, i, num_trials) / 1e9); + return (uint64_t)CLOCKS_PER_SEC * num_trials * 8 * octets_in_buffer / timer; +} +void cipher_array_test_throughput(srtp_cipher_t *ca[], int num_cipher) +{ + int i; + int min_enc_len = 16; + int max_enc_len = 2048; /* should be a power of two */ + int num_trials = 1000000; + + printf("timing %s throughput with key length %d, array size %d:\n", + (ca[0])->type->description, (ca[0])->key_len, num_cipher); + fflush(stdout); + for (i = min_enc_len; i <= max_enc_len; i = i * 4) + printf("msg len: %d\tgigabits per second: %f\n", i, + cipher_array_bits_per_second(ca, num_cipher, i, num_trials) / + 1e9); } -srtp_err_status_t -cipher_driver_test_array_throughput(srtp_cipher_type_t *ct, - int klen, int num_cipher) { - srtp_cipher_t **ca = NULL; - srtp_err_status_t status; - - status = cipher_array_alloc_init(&ca, num_cipher, ct, klen); - if (status) { - printf("error: cipher_array_alloc_init() failed with error code %d\n", - status); - return status; - } - - cipher_array_test_throughput(ca, num_cipher); - - cipher_array_delete(ca, num_cipher); - - return srtp_err_status_ok; +srtp_err_status_t cipher_driver_test_array_throughput(srtp_cipher_type_t *ct, + int klen, + int num_cipher) +{ + srtp_cipher_t **ca = NULL; + srtp_err_status_t status; + + status = cipher_array_alloc_init(&ca, num_cipher, ct, klen); + if (status) { + printf("error: cipher_array_alloc_init() failed with error code %d\n", + status); + return status; + } + + cipher_array_test_throughput(ca, num_cipher); + + cipher_array_delete(ca, num_cipher); + + return srtp_err_status_ok; } diff --git a/libs/srtp/crypto/test/datatypes_driver.c b/libs/srtp/crypto/test/datatypes_driver.c index d847c2f802..2f78903eb8 100644 --- a/libs/srtp/crypto/test/datatypes_driver.c +++ b/libs/srtp/crypto/test/datatypes_driver.c @@ -8,26 +8,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -43,117 +43,108 @@ * */ - #ifdef HAVE_CONFIG_H - #include <config.h> +#include <config.h> #endif -#include <stdio.h> /* for printf() */ -#include <string.h> /* for strlen() */ +#include <stdio.h> /* for printf() */ +#include <string.h> /* for strlen() */ #include "datatypes.h" #include "util.h" -void -byte_order(void); +void byte_order(void); -void -test_hex_string_funcs(void); +void test_hex_string_funcs(void); -void -print_string(char *s); +void print_string(char *s); -void -test_bswap(void); +void test_bswap(void); -int -main (void) { - - /* - * this program includes various and sundry tests for fundamental - * datatypes. it's a grab-bag of throwaway code, retained only in - * case of future problems - */ - - int i, j; - v128_t x; - char *r = - "The Moving Finger writes; and, having writ,\n" - "Moves on: nor all thy Piety nor Wit\n" - "Shall lure it back to cancel half a Line,\n" - "Nor all thy Tears wash out a Word of it."; - char *s = "incomplet"; - - print_string(r); - print_string(s); - - byte_order(); - test_hex_string_funcs(); - - for (j=0; j < 128; j++) { +int main(void) +{ + /* + * this program includes various and sundry tests for fundamental + * datatypes. it's a grab-bag of throwaway code, retained only in + * case of future problems + */ + + int i, j; + v128_t x; + char *r = "The Moving Finger writes; and, having writ,\n" + "Moves on: nor all thy Piety nor Wit\n" + "Shall lure it back to cancel half a Line,\n" + "Nor all thy Tears wash out a Word of it."; + char *s = "incomplet"; + + print_string(r); + print_string(s); + + byte_order(); + test_hex_string_funcs(); + + for (j = 0; j < 128; j++) { + v128_set_to_zero(&x); + /* x.v32[0] = (1 << j); */ + v128_set_bit(&x, j); + printf("%s\n", v128_bit_string(&x)); + v128_clear_bit(&x, j); + printf("%s\n", v128_bit_string(&x)); + } + + printf("----------------------------------------------\n"); + v128_set_to_zero(&x); + for (i = 0; i < 128; i++) { + v128_set_bit(&x, i); + } + printf("%s\n", v128_bit_string(&x)); + + printf("----------------------------------------------\n"); v128_set_to_zero(&x); - /* x.v32[0] = (1 << j); */ - v128_set_bit(&x, j); - printf("%s\n", v128_bit_string(&x)); - v128_clear_bit(&x, j); - printf("%s\n", v128_bit_string(&x)); - - } - - printf("----------------------------------------------\n"); - v128_set_to_zero(&x); - for (i=0; i < 128; i++) { - v128_set_bit(&x, i); - } - printf("%s\n", v128_bit_string(&x)); - - printf("----------------------------------------------\n"); - v128_set_to_zero(&x); - v128_set_bit(&x, 0); - for (i=0; i < 128; i++) { - printf("%s\n", v128_bit_string(&x)); - v128_right_shift(&x, 1); - } - printf("----------------------------------------------\n"); - v128_set_to_zero(&x); - v128_set_bit(&x, 127); - for (i=0; i < 128; i++) { - printf("%s\n", v128_bit_string(&x)); - v128_left_shift(&x, 1); - } - printf("----------------------------------------------\n"); - for (i=0; i < 128; i++) { + v128_set_bit(&x, 0); + for (i = 0; i < 128; i++) { + printf("%s\n", v128_bit_string(&x)); + v128_right_shift(&x, 1); + } + printf("----------------------------------------------\n"); v128_set_to_zero(&x); v128_set_bit(&x, 127); - v128_left_shift(&x, i); - printf("%s\n", v128_bit_string(&x)); - } - printf("----------------------------------------------\n"); - v128_set_to_zero(&x); - for (i=0; i < 128; i+=2) { - v128_set_bit(&x, i); - } - printf("bit_string: { %s }\n", v128_bit_string(&x)); - printf("get_bit: { "); - for (i=0; i < 128; i++) { - if (v128_get_bit(&x, i) == 1) - printf("1"); - else - printf("0"); - } - printf(" } \n"); - - test_bswap(); - - return 0; + for (i = 0; i < 128; i++) { + printf("%s\n", v128_bit_string(&x)); + v128_left_shift(&x, 1); + } + printf("----------------------------------------------\n"); + for (i = 0; i < 128; i++) { + v128_set_to_zero(&x); + v128_set_bit(&x, 127); + v128_left_shift(&x, i); + printf("%s\n", v128_bit_string(&x)); + } + printf("----------------------------------------------\n"); + v128_set_to_zero(&x); + for (i = 0; i < 128; i += 2) { + v128_set_bit(&x, i); + } + printf("bit_string: { %s }\n", v128_bit_string(&x)); + printf("get_bit: { "); + for (i = 0; i < 128; i++) { + if (v128_get_bit(&x, i) == 1) + printf("1"); + else + printf("0"); + } + printf(" } \n"); + + test_bswap(); + + return 0; } - /* byte_order() prints out byte ordering of datatypes */ -void -byte_order(void) { - int i; - v128_t e; +void byte_order(void) +{ + int i; + v128_t e; #if 0 v16_t b; v32_t c; @@ -180,63 +171,60 @@ byte_order(void) { c.value = 0x00010002; printf("v32_t:\t%x%x\n", c.v16[0], c.v16[1]); -#endif +#endif - printf("byte ordering of crypto/math datatypes:\n"); - for (i=0; i < sizeof(e); i++) - e.v8[i] = i; - printf("v128_t: %s\n", v128_hex_string(&e)); - + printf("byte ordering of crypto/math datatypes:\n"); + for (i = 0; i < sizeof(e); i++) + e.v8[i] = i; + printf("v128_t: %s\n", v128_hex_string(&e)); } -void -test_hex_string_funcs(void) { - char hex1[] = "abadcafe"; - char hex2[] = "0123456789abcdefqqqqq"; - char raw[10]; - int len; - - len = hex_string_to_octet_string(raw, hex1, strlen(hex1)); - printf("computed length: %d\tstring: %s\n", len, - octet_string_hex_string(raw, len/2)); - printf("expected length: %u\tstring: %s\n", (unsigned)strlen(hex1), hex1); - - len = hex_string_to_octet_string(raw, hex2, strlen(hex2)); - printf("computed length: %d\tstring: %s\n", len, - octet_string_hex_string(raw, len/2)); - printf("expected length: %d\tstring: %s\n", 16, "0123456789abcdef"); - +void test_hex_string_funcs(void) +{ + char hex1[] = "abadcafe"; + char hex2[] = "0123456789abcdefqqqqq"; + char raw[10]; + int len; + + len = hex_string_to_octet_string(raw, hex1, strlen(hex1)); + printf("computed length: %d\tstring: %s\n", len, + octet_string_hex_string(raw, len / 2)); + printf("expected length: %u\tstring: %s\n", (unsigned)strlen(hex1), hex1); + + len = hex_string_to_octet_string(raw, hex2, strlen(hex2)); + printf("computed length: %d\tstring: %s\n", len, + octet_string_hex_string(raw, len / 2)); + printf("expected length: %d\tstring: %s\n", 16, "0123456789abcdef"); } -void -print_string(char *s) { - size_t i; - printf("%s\n", s); - printf("strlen(s) = %u\n", (unsigned)strlen(s)); - printf("{ "); - for (i=0; i < strlen(s); i++) { - printf("0x%x, ", s[i]); - if (((i+1) % 8) == 0) - printf("\n "); - } - printf("}\n"); +void print_string(char *s) +{ + size_t i; + printf("%s\n", s); + printf("strlen(s) = %u\n", (unsigned)strlen(s)); + printf("{ "); + for (i = 0; i < strlen(s); i++) { + printf("0x%x, ", s[i]); + if (((i + 1) % 8) == 0) + printf("\n "); + } + printf("}\n"); } -void -test_bswap(void) { - uint32_t x = 0x11223344; - uint64_t y = 0x1122334455667788LL; +void test_bswap(void) +{ + uint32_t x = 0x11223344; + uint64_t y = 0x1122334455667788LL; - printf("before: %0x\nafter: %0x\n", x, (unsigned int)be32_to_cpu(x)); - printf("before: %0llx\nafter: %0llx\n", (unsigned long long)y, - (unsigned long long)be64_to_cpu(y)); + printf("before: %0x\nafter: %0x\n", x, (unsigned int)be32_to_cpu(x)); + printf("before: %0llx\nafter: %0llx\n", (unsigned long long)y, + (unsigned long long)be64_to_cpu(y)); - y = 1234; + y = 1234; - printf("1234: %0llx\n", (unsigned long long)y); - printf("as octet string: %s\n", - octet_string_hex_string((uint8_t *) &y, 8)); - y = be64_to_cpu(y); - printf("bswapped octet string: %s\n", - octet_string_hex_string((uint8_t *) &y, 8)); + printf("1234: %0llx\n", (unsigned long long)y); + printf("as octet string: %s\n", octet_string_hex_string((uint8_t *)&y, 8)); + y = be64_to_cpu(y); + printf("bswapped octet string: %s\n", + octet_string_hex_string((uint8_t *)&y, 8)); } diff --git a/libs/srtp/crypto/test/env.c b/libs/srtp/crypto/test/env.c index 669e3d66c1..8c3f4edfac 100644 --- a/libs/srtp/crypto/test/env.c +++ b/libs/srtp/crypto/test/env.c @@ -7,26 +7,26 @@ * Cisco Systems, Inc. */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -43,45 +43,47 @@ */ #include <stdio.h> -#include <string.h> /* for srtcmp() */ +#include <string.h> /* for srtcmp() */ #include "config.h" -int -main(void) { - int err_count = 0; +int main(void) +{ + int err_count = 0; #ifdef WORDS_BIGENDIAN - printf("CPU set to big-endian\t\t\t(WORDS_BIGENDIAN == 1)\n"); + printf("CPU set to big-endian\t\t\t(WORDS_BIGENDIAN == 1)\n"); #else - printf("CPU set to little-endian\t\t(WORDS_BIGENDIAN == 0)\n"); + printf("CPU set to little-endian\t\t(WORDS_BIGENDIAN == 0)\n"); #endif #ifdef CPU_RISC - printf("CPU set to RISC\t\t\t\t(CPU_RISC == 1)\n"); + printf("CPU set to RISC\t\t\t\t(CPU_RISC == 1)\n"); #elif defined(CPU_CISC) - printf("CPU set to CISC\t\t\t\t(CPU_CISC == 1)\n"); + printf("CPU set to CISC\t\t\t\t(CPU_CISC == 1)\n"); #else - printf("CPU set to an unknown type, probably due to a configuration error\n"); - err_count++; + printf( + "CPU set to an unknown type, probably due to a configuration error\n"); + err_count++; #endif #ifdef CPU_ALTIVEC - printf("CPU set to ALTIVEC\t\t\t\t(CPU_ALTIVEC == 0)\n"); + printf("CPU set to ALTIVEC\t\t\t\t(CPU_ALTIVEC == 0)\n"); #endif #ifndef NO_64BIT_MATH - printf("using native 64-bit type\t\t(NO_64_BIT_MATH == 0)\n"); + printf("using native 64-bit type\t\t(NO_64_BIT_MATH == 0)\n"); #else - printf("using built-in 64-bit math\t\t(NO_64_BIT_MATH == 1)\n"); + printf("using built-in 64-bit math\t\t(NO_64_BIT_MATH == 1)\n"); #endif #ifdef ERR_REPORTING_STDOUT - printf("using stdout for error reporting\t(ERR_REPORTING_STDOUT == 1)\n"); + printf("using stdout for error reporting\t(ERR_REPORTING_STDOUT == 1)\n"); #endif - if (err_count) - printf("warning: configuration is probably in error " - "(found %d problems)\n", err_count); + if (err_count) + printf("warning: configuration is probably in error " + "(found %d problems)\n", + err_count); - return err_count; + return err_count; } diff --git a/libs/srtp/crypto/test/kernel_driver.c b/libs/srtp/crypto/test/kernel_driver.c index 92b7240249..d29405a971 100644 --- a/libs/srtp/crypto/test/kernel_driver.c +++ b/libs/srtp/crypto/test/kernel_driver.c @@ -7,26 +7,26 @@ * Cisco Systems, Inc. */ /* - * + * * Copyright(c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -42,77 +42,76 @@ * */ - #ifdef HAVE_CONFIG_H - #include <config.h> +#include <config.h> #endif -#include <stdio.h> /* for printf() */ +#include <stdio.h> /* for printf() */ #include "getopt_s.h" #include "crypto_kernel.h" -void -usage(char *prog_name) { - printf("usage: %s [ -v ][ -d debug_module ]*\n", prog_name); - exit(255); +void usage(char *prog_name) +{ + printf("usage: %s [ -v ][ -d debug_module ]*\n", prog_name); + exit(255); } -int -main (int argc, char *argv[]) { - int q; - int do_validation = 0; - srtp_err_status_t status; +int main(int argc, char *argv[]) +{ + int q; + int do_validation = 0; + srtp_err_status_t status; - if (argc == 1) - usage(argv[0]); + if (argc == 1) + usage(argv[0]); - /* initialize kernel - we need to do this before anything else */ - status = srtp_crypto_kernel_init(); - if (status) { - printf("error: srtp_crypto_kernel init failed\n"); - exit(1); - } - printf("srtp_crypto_kernel successfully initalized\n"); + /* initialize kernel - we need to do this before anything else */ + status = srtp_crypto_kernel_init(); + if (status) { + printf("error: srtp_crypto_kernel init failed\n"); + exit(1); + } + printf("srtp_crypto_kernel successfully initalized\n"); + + /* process input arguments */ + while (1) { + q = getopt_s(argc, argv, "vd:"); + if (q == -1) + break; + switch (q) { + case 'v': + do_validation = 1; + break; + case 'd': + status = srtp_crypto_kernel_set_debug_module(optarg_s, 1); + if (status) { + printf("error: set debug module (%s) failed\n", optarg_s); + exit(1); + } + break; + default: + usage(argv[0]); + } + } - /* process input arguments */ - while (1) { - q = getopt_s(argc, argv, "vd:"); - if (q == -1) - break; - switch (q) { - case 'v': - do_validation = 1; - break; - case 'd': - status = srtp_crypto_kernel_set_debug_module(optarg_s, 1); - if (status) { - printf("error: set debug module (%s) failed\n", optarg_s); - exit(1); - } - break; - default: - usage(argv[0]); - } - } + if (do_validation) { + printf("checking srtp_crypto_kernel status...\n"); + status = srtp_crypto_kernel_status(); + if (status) { + printf("failed\n"); + exit(1); + } + printf("srtp_crypto_kernel passed self-tests\n"); + } - if (do_validation) { - printf("checking srtp_crypto_kernel status...\n"); - status = srtp_crypto_kernel_status(); + status = srtp_crypto_kernel_shutdown(); if (status) { - printf("failed\n"); - exit(1); + printf("error: srtp_crypto_kernel shutdown failed\n"); + exit(1); } - printf("srtp_crypto_kernel passed self-tests\n"); - } + printf("srtp_crypto_kernel successfully shut down\n"); - status = srtp_crypto_kernel_shutdown(); - if (status) { - printf("error: srtp_crypto_kernel shutdown failed\n"); - exit(1); - } - printf("srtp_crypto_kernel successfully shut down\n"); - - return 0; + return 0; } /* @@ -120,10 +119,9 @@ main (int argc, char *argv[]) { * of the crypto_kernel */ -srtp_err_status_t -crypto_kernel_cipher_test(void) { - - /* not implemented yet! */ +srtp_err_status_t crypto_kernel_cipher_test(void) +{ + /* not implemented yet! */ - return srtp_err_status_ok; + return srtp_err_status_ok; } diff --git a/libs/srtp/crypto/test/sha1_driver.c b/libs/srtp/crypto/test/sha1_driver.c index e22c2b57e5..c64b000f81 100644 --- a/libs/srtp/crypto/test/sha1_driver.c +++ b/libs/srtp/crypto/test/sha1_driver.c @@ -8,26 +8,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -44,7 +44,7 @@ */ #ifdef HAVE_CONFIG_H - #include <config.h> +#include <config.h> #endif #include <stdio.h> @@ -56,505 +56,332 @@ #define SHA_FAIL 1 #define MAX_HASH_DATA_LEN 1024 -#define MAX_HASH_OUT_LEN 20 +#define MAX_HASH_OUT_LEN 20 typedef struct hash_test_case_t { - unsigned data_len; /* number of octets in data */ - unsigned hash_len; /* number of octets output by hash */ - uint8_t data[MAX_HASH_DATA_LEN]; /* message data */ - uint8_t hash[MAX_HASH_OUT_LEN]; /* expected hash output */ - struct hash_test_case_t *next_test_case; + unsigned data_len; /* number of octets in data */ + unsigned hash_len; /* number of octets output by hash */ + uint8_t data[MAX_HASH_DATA_LEN]; /* message data */ + uint8_t hash[MAX_HASH_OUT_LEN]; /* expected hash output */ + struct hash_test_case_t *next_test_case; } hash_test_case_t; hash_test_case_t *sha1_test_case_list; -srtp_err_status_t -hash_test_case_add(hash_test_case_t **list_ptr, - char *hex_data, - unsigned data_len, - char *hex_hash, - unsigned hash_len) { - hash_test_case_t *list_head = *list_ptr; - hash_test_case_t *test_case; - unsigned tmp_len; - - test_case = malloc(sizeof(hash_test_case_t)); - if (test_case == NULL) - return srtp_err_status_alloc_fail; - - tmp_len = hex_string_to_octet_string((char *)test_case->data, hex_data, data_len*2); - if (tmp_len != data_len*2) { - free(test_case); - return srtp_err_status_parse_err; - } - - tmp_len = hex_string_to_octet_string((char *)test_case->hash, hex_hash, hash_len*2); - if (tmp_len != hash_len*2) { - free(test_case); - return srtp_err_status_parse_err; - } - - test_case->data_len = data_len; - test_case->hash_len = hash_len; - - /* add the new test case to the head of the list */ - test_case->next_test_case = list_head; - *list_ptr = test_case; - - return srtp_err_status_ok; +srtp_err_status_t hash_test_case_add(hash_test_case_t **list_ptr, + char *hex_data, + unsigned data_len, + char *hex_hash, + unsigned hash_len) +{ + hash_test_case_t *list_head = *list_ptr; + hash_test_case_t *test_case; + unsigned tmp_len; + + test_case = malloc(sizeof(hash_test_case_t)); + if (test_case == NULL) + return srtp_err_status_alloc_fail; + + tmp_len = hex_string_to_octet_string((char *)test_case->data, hex_data, + data_len * 2); + if (tmp_len != data_len * 2) { + free(test_case); + return srtp_err_status_parse_err; + } + + tmp_len = hex_string_to_octet_string((char *)test_case->hash, hex_hash, + hash_len * 2); + if (tmp_len != hash_len * 2) { + free(test_case); + return srtp_err_status_parse_err; + } + + test_case->data_len = data_len; + test_case->hash_len = hash_len; + + /* add the new test case to the head of the list */ + test_case->next_test_case = list_head; + *list_ptr = test_case; + + return srtp_err_status_ok; } -srtp_err_status_t -sha1_test_case_validate(const hash_test_case_t *test_case) { - srtp_sha1_ctx_t ctx; - uint32_t hash_value[5]; +srtp_err_status_t sha1_test_case_validate(const hash_test_case_t *test_case) +{ + srtp_sha1_ctx_t ctx; + uint32_t hash_value[5]; - if (test_case == NULL) - return srtp_err_status_bad_param; + if (test_case == NULL) + return srtp_err_status_bad_param; - if (test_case->hash_len != 20) - return srtp_err_status_bad_param; - if (test_case->data_len > MAX_HASH_DATA_LEN) - return srtp_err_status_bad_param; + if (test_case->hash_len != 20) + return srtp_err_status_bad_param; + if (test_case->data_len > MAX_HASH_DATA_LEN) + return srtp_err_status_bad_param; - srtp_sha1_init(&ctx); - srtp_sha1_update(&ctx, test_case->data, test_case->data_len); - srtp_sha1_final(&ctx, hash_value); - if (0 == memcmp(test_case->hash, hash_value, 20)) { + srtp_sha1_init(&ctx); + srtp_sha1_update(&ctx, test_case->data, test_case->data_len); + srtp_sha1_final(&ctx, hash_value); + if (0 == memcmp(test_case->hash, hash_value, 20)) { #if VERBOSE - printf("PASSED: reference value: %s\n", - octet_string_hex_string((const uint8_t *)test_case->hash, 20)); - printf("PASSED: computed value: %s\n", - octet_string_hex_string((const uint8_t *)hash_value, 20)); -#endif - return srtp_err_status_ok; - } + printf("PASSED: reference value: %s\n", + octet_string_hex_string((const uint8_t *)test_case->hash, 20)); + printf("PASSED: computed value: %s\n", + octet_string_hex_string((const uint8_t *)hash_value, 20)); +#endif + return srtp_err_status_ok; + } - printf("reference value: %s\n", - octet_string_hex_string((const uint8_t *)test_case->hash, 20)); - printf("computed value: %s\n", - octet_string_hex_string((const uint8_t *)hash_value, 20)); + printf("reference value: %s\n", + octet_string_hex_string((const uint8_t *)test_case->hash, 20)); + printf("computed value: %s\n", + octet_string_hex_string((const uint8_t *)hash_value, 20)); - return srtp_err_status_algo_fail; - + return srtp_err_status_algo_fail; } struct hex_sha1_test_case_t { - unsigned bit_len; - char hex_data[MAX_HASH_DATA_LEN*2]; - char hex_hash[40]; + unsigned bit_len; + char hex_data[MAX_HASH_DATA_LEN * 2]; + char hex_hash[40]; }; -srtp_err_status_t -sha1_add_test_cases(void) { - int i; - srtp_err_status_t err; - - /* - * these test cases are taken from the "SHA-1 Sample Vectors" - * provided by NIST at http://csrc.nist.gov/cryptval/shs.html - */ - - struct hex_sha1_test_case_t tc[] = { - { - 0, - "", - "da39a3ee5e6b4b0d3255bfef95601890afd80709" - }, - { - 8, - "a8", - "99f2aa95e36f95c2acb0eaf23998f030638f3f15" - }, - { - 16, - "3000", - "f944dcd635f9801f7ac90a407fbc479964dec024" - }, - { - 24, - "42749e", - "a444319e9b6cc1e8464c511ec0969c37d6bb2619" - }, - { - 32, - "9fc3fe08", - "16a0ff84fcc156fd5d3ca3a744f20a232d172253" - }, - { - 40, - "b5c1c6f1af", - "fec9deebfcdedaf66dda525e1be43597a73a1f93" - }, - { - 48, - "e47571e5022e", - "8ce051181f0ed5e9d0c498f6bc4caf448d20deb5" - }, - { - 56, - "3e1b28839fb758", - "67da53837d89e03bf652ef09c369a3415937cfd3" - }, - { - 64, - "a81350cbb224cb90", - "305e4ff9888ad855a78573cddf4c5640cce7e946" - }, - { - 72, "c243d167923dec3ce1", - "5902b77b3265f023f9bbc396ba1a93fa3509bde7" - }, - { - 80, - "50ac18c59d6a37a29bf4", - "fcade5f5d156bf6f9af97bdfa9c19bccfb4ff6ab" - }, - { - 88, - "98e2b611ad3b1cccf634f6", - "1d20fbe00533c10e3cbd6b27088a5de0c632c4b5" - }, - { - 96, - "73fe9afb68e1e8712e5d4eec", - "7e1b7e0f7a8f3455a9c03e9580fd63ae205a2d93" - }, - { - 104, - "9e701ed7d412a9226a2a130e66", - "706f0677146307b20bb0e8d6311e329966884d13" - }, - { - 112, - "6d3ee90413b0a7cbf69e5e6144ca", - "a7241a703aaf0d53fe142f86bf2e849251fa8dff" - }, - { - 120, - "fae24d56514efcb530fd4802f5e71f", - "400f53546916d33ad01a5e6df66822dfbdc4e9e6" - }, - { - 128, - "c5a22dd6eda3fe2bdc4ddb3ce6b35fd1", - "fac8ab93c1ae6c16f0311872b984f729dc928ccd" - }, - { - 136, - "d98cded2adabf08fda356445c781802d95", - "fba6d750c18da58f6e2aab10112b9a5ef3301b3b" - }, - { - 144, - "bcc6d7087a84f00103ccb32e5f5487a751a2", - "29d27c2d44c205c8107f0351b05753ac708226b6" - }, - { - 152, - "36ecacb1055434190dbbc556c48bafcb0feb0d", - "b971bfc1ebd6f359e8d74cb7ecfe7f898d0ba845" - }, - { - 160, - "5ff9edb69e8f6bbd498eb4537580b7fba7ad31d0", - "96d08c430094b9fcc164ad2fb6f72d0a24268f68" - }, - { - 168, "c95b441d8270822a46a798fae5defcf7b26abace36", - "a287ea752a593d5209e287881a09c49fa3f0beb1" - }, - { - 176, - "83104c1d8a55b28f906f1b72cb53f68cbb097b44f860", - "a06c713779cbd88519ed4a585ac0cb8a5e9d612b" - }, - { - 184, - "755175528d55c39c56493d697b790f099a5ce741f7754b", - "bff7d52c13a3688132a1d407b1ab40f5b5ace298" - }, - { - 192, - "088fc38128bbdb9fd7d65228b3184b3faac6c8715f07272f", - "c7566b91d7b6f56bdfcaa9781a7b6841aacb17e9" - }, - { - 200, - "a4a586eb9245a6c87e3adf1009ac8a49f46c07e14185016895", - "ffa30c0b5c550ea4b1e34f8a60ec9295a1e06ac1" - }, - { - 208, - "8e7c555270c006092c2a3189e2a526b873e2e269f0fb28245256", - "29e66ed23e914351e872aa761df6e4f1a07f4b81" - }, - { - 216, - "a5f3bfa6bb0ba3b59f6b9cbdef8a558ec565e8aa3121f405e7f2f0", - "b28cf5e5b806a01491d41f69bd9248765c5dc292" - }, - { - 224, - "589054f0d2bd3c2c85b466bfd8ce18e6ec3e0b87d944cd093ba36469", - "60224fb72c46069652cd78bcd08029ef64da62f3" - }, - { - 232, - "a0abb12083b5bbc78128601bf1cbdbc0fdf4b862b24d899953d8da0ff3", - "b72c4a86f72608f24c05f3b9088ef92fba431df7" - }, - { - 240, - "82143f4cea6fadbf998e128a8811dc75301cf1db4f079501ea568da68eeb", - "73779ad5d6b71b9b8328ef7220ff12eb167076ac" - }, - { - 248, - "9f1231dd6df1ff7bc0b0d4f989d048672683ce35d956d2f57913046267e6f3", - "a09671d4452d7cf50015c914a1e31973d20cc1a0" - }, - { - 256, - "041c512b5eed791f80d3282f3a28df263bb1df95e1239a7650e5670fc2187919", - "e88cdcd233d99184a6fd260b8fca1b7f7687aee0" - }, - { - 264, - "17e81f6ae8c2e5579d69dafa6e070e7111461552d314b691e7a3e7a4feb3fae418", - "010def22850deb1168d525e8c84c28116cb8a269" - }, - { - 272, - "d15976b23a1d712ad28fad04d805f572026b54dd64961fda94d5355a0cc98620cf77", - "aeaa40ba1717ed5439b1e6ea901b294ba500f9ad" - }, - { - 280, - "09fce4d434f6bd32a44e04b848ff50ec9f642a8a85b37a264dc73f130f22838443328f", - "c6433791238795e34f080a5f1f1723f065463ca0" - }, - { - 288, "f17af27d776ec82a257d8d46d2b46b639462c56984cc1be9c1222eadb8b26594a25c709d", - "e21e22b89c1bb944a32932e6b2a2f20d491982c3" - }, - { - 296, - "b13ce635d6f8758143ffb114f2f601cb20b6276951416a2f94fbf4ad081779d79f4f195b22", - "575323a9661f5d28387964d2ba6ab92c17d05a8a" - }, - { - 304, - "5498793f60916ff1c918dde572cdea76da8629ba4ead6d065de3dfb48de94d234cc1c5002910", - "feb44494af72f245bfe68e86c4d7986d57c11db7" - }, - { - 312, - "498a1e0b39fa49582ae688cd715c86fbaf8a81b8b11b4d1594c49c902d197c8ba8a621fd6e3be5", - "cff2290b3648ba2831b98dde436a72f9ebf51eee" - }, - { - 320, - "3a36ae71521f9af628b3e34dcb0d4513f84c78ee49f10416a98857150b8b15cb5c83afb4b570376e", - "9b4efe9d27b965905b0c3dab67b8d7c9ebacd56c" - }, - { - 328, - "dcc76b40ae0ea3ba253e92ac50fcde791662c5b6c948538cffc2d95e9de99cac34dfca38910db2678f", - "afedb0ff156205bcd831cbdbda43db8b0588c113" - }, - { - 336, - "5b5ec6ec4fd3ad9c4906f65c747fd4233c11a1736b6b228b92e90cddabb0c7c2fcf9716d3fad261dff33", - "8deb1e858f88293a5e5e4d521a34b2a4efa70fc4" - }, - { - 344, - "df48a37b29b1d6de4e94717d60cdb4293fcf170bba388bddf7a9035a15d433f20fd697c3e4c8b8c5f590ab", - "95cbdac0f74afa69cebd0e5c7defbc6faf0cbeaf" - }, - { - 352, - "1f179b3b82250a65e1b0aee949e218e2f45c7a8dbfd6ba08de05c55acfc226b48c68d7f7057e5675cd96fcfc", - "f0307bcb92842e5ae0cd4f4f14f3df7f877fbef2" - }, - { - 360, - "ee3d72da3a44d971578972a8e6780ce64941267e0f7d0179b214fa97855e1790e888e09fbe3a70412176cb3b54", - "7b13bb0dbf14964bd63b133ac85e22100542ef55" - }, - { - 368, - "d4d4c7843d312b30f610b3682254c8be96d5f6684503f8fbfbcd15774fc1b084d3741afb8d24aaa8ab9c104f7258", - "c314d2b6cf439be678d2a74e890d96cfac1c02ed" - }, - { - 376, - "32c094944f5936a190a0877fb9178a7bf60ceae36fd530671c5b38c5dbd5e6a6c0d615c2ac8ad04b213cc589541cf6", - "4d0be361e410b47a9d67d8ce0bb6a8e01c53c078" - }, - { - 384, - "e5d3180c14bf27a5409fa12b104a8fd7e9639609bfde6ee82bbf9648be2546d29688a65e2e3f3da47a45ac14343c9c02", - "e5353431ffae097f675cbf498869f6fbb6e1c9f2" - }, - { - 392, - "e7b6e4b69f724327e41e1188a37f4fe38b1dba19cbf5a7311d6e32f1038e97ab506ee05aebebc1eed09fc0e357109818b9", - "b8720a7068a085c018ab18961de2765aa6cd9ac4" - }, - { - 400, - "bc880cb83b8ac68ef2fedc2da95e7677ce2aa18b0e2d8b322701f67af7d5e7a0d96e9e33326ccb7747cfff0852b961bfd475", - "b0732181568543ba85f2b6da602b4b065d9931aa" - }, - { - 408, - "235ea9c2ba7af25400f2e98a47a291b0bccdaad63faa2475721fda5510cc7dad814bce8dabb611790a6abe56030b798b75c944", - "9c22674cf3222c3ba921672694aafee4ce67b96b" - }, - { - 416, - "07e3e29fed63104b8410f323b975fd9fba53f636af8c4e68a53fb202ca35dd9ee07cb169ec5186292e44c27e5696a967f5e67709", - "d128335f4cecca9066cdae08958ce656ff0b4cfc" - }, - { - 424, - "65d2a1dd60a517eb27bfbf530cf6a5458f9d5f4730058bd9814379547f34241822bf67e6335a6d8b5ed06abf8841884c636a25733f", - "0b67c57ac578de88a2ae055caeaec8bb9b0085a0" - }, - { - 432, - "dcc86b3bd461615bab739d8daafac231c0f462e819ad29f9f14058f3ab5b75941d4241ea2f17ebb8a458831b37a9b16dead4a76a9b0e", - "c766f912a89d4ccda88e0cce6a713ef5f178b596" - }, - { - 440, - "4627d54f0568dc126b62a8c35fb46a9ac5024400f2995e51635636e1afc4373dbb848eb32df23914230560b82477e9c3572647a7f2bb92", - "9aa3925a9dcb177b15ccff9b78e70cf344858779" - }, - { - 448, - "ba531affd4381168ef24d8b275a84d9254c7f5cc55fded53aa8024b2c5c5c8aa7146fe1d1b83d62b70467e9a2e2cb67b3361830adbab28d7", - "4811fa30042fc076acf37c8e2274d025307e5943" - }, - { - 456, - "8764dcbcf89dcf4282eb644e3d568bdccb4b13508bfa7bfe0ffc05efd1390be22109969262992d377691eb4f77f3d59ea8466a74abf57b2ef4", - "6743018450c9730761ee2b130df9b91c1e118150" - }, - { - 464, - "497d9df9ddb554f3d17870b1a31986c1be277bc44feff713544217a9f579623d18b5ffae306c25a45521d2759a72c0459b58957255ab592f3be4", - "71ad4a19d37d92a5e6ef3694ddbeb5aa61ada645" - }, - { - 472, - "72c3c2e065aefa8d9f7a65229e818176eef05da83f835107ba90ec2e95472e73e538f783b416c04654ba8909f26a12db6e5c4e376b7615e4a25819", - "a7d9dc68dacefb7d6116186048cb355cc548e11d" - }, - { - 480, - "7cc9894454d0055ab5069a33984e2f712bef7e3124960d33559f5f3b81906bb66fe64da13c153ca7f5cabc89667314c32c01036d12ecaf5f9a78de98", - "142e429f0522ba5abf5131fa81df82d355b96909" - }, - { - 488, - "74e8404d5a453c5f4d306f2cfa338ca65501c840ddab3fb82117933483afd6913c56aaf8a0a0a6b2a342fc3d9dc7599f4a850dfa15d06c61966d74ea59", - "ef72db70dcbcab991e9637976c6faf00d22caae9" - }, - { - 496, - "46fe5ed326c8fe376fcc92dc9e2714e2240d3253b105adfbb256ff7a19bc40975c604ad7c0071c4fd78a7cb64786e1bece548fa4833c04065fe593f6fb10", - "f220a7457f4588d639dc21407c942e9843f8e26b" - }, - { - 504, - "836dfa2524d621cf07c3d2908835de859e549d35030433c796b81272fd8bc0348e8ddbc7705a5ad1fdf2155b6bc48884ac0cd376925f069a37849c089c8645", - "ddd2117b6e309c233ede85f962a0c2fc215e5c69" - }, - { - 512, - "7e3a4c325cb9c52b88387f93d01ae86d42098f5efa7f9457388b5e74b6d28b2438d42d8b64703324d4aa25ab6aad153ae30cd2b2af4d5e5c00a8a2d0220c6116", - "a3054427cdb13f164a610b348702724c808a0dcc" +srtp_err_status_t sha1_add_test_cases(void) +{ + int i; + srtp_err_status_t err; + + /* + * these test cases are taken from the "SHA-1 Sample Vectors" + * provided by NIST at http://csrc.nist.gov/cryptval/shs.html + */ + + struct hex_sha1_test_case_t tc[] = { + { 0, "", "da39a3ee5e6b4b0d3255bfef95601890afd80709" }, + { 8, "a8", "99f2aa95e36f95c2acb0eaf23998f030638f3f15" }, + { 16, "3000", "f944dcd635f9801f7ac90a407fbc479964dec024" }, + { 24, "42749e", "a444319e9b6cc1e8464c511ec0969c37d6bb2619" }, + { 32, "9fc3fe08", "16a0ff84fcc156fd5d3ca3a744f20a232d172253" }, + { 40, "b5c1c6f1af", "fec9deebfcdedaf66dda525e1be43597a73a1f93" }, + { 48, "e47571e5022e", "8ce051181f0ed5e9d0c498f6bc4caf448d20deb5" }, + { 56, "3e1b28839fb758", "67da53837d89e03bf652ef09c369a3415937cfd3" }, + { 64, "a81350cbb224cb90", "305e4ff9888ad855a78573cddf4c5640cce7e946" }, + { 72, "c243d167923dec3ce1", + "5902b77b3265f023f9bbc396ba1a93fa3509bde7" }, + { 80, "50ac18c59d6a37a29bf4", + "fcade5f5d156bf6f9af97bdfa9c19bccfb4ff6ab" }, + { 88, "98e2b611ad3b1cccf634f6", + "1d20fbe00533c10e3cbd6b27088a5de0c632c4b5" }, + { 96, "73fe9afb68e1e8712e5d4eec", + "7e1b7e0f7a8f3455a9c03e9580fd63ae205a2d93" }, + { 104, "9e701ed7d412a9226a2a130e66", + "706f0677146307b20bb0e8d6311e329966884d13" }, + { 112, "6d3ee90413b0a7cbf69e5e6144ca", + "a7241a703aaf0d53fe142f86bf2e849251fa8dff" }, + { 120, "fae24d56514efcb530fd4802f5e71f", + "400f53546916d33ad01a5e6df66822dfbdc4e9e6" }, + { 128, "c5a22dd6eda3fe2bdc4ddb3ce6b35fd1", + "fac8ab93c1ae6c16f0311872b984f729dc928ccd" }, + { 136, "d98cded2adabf08fda356445c781802d95", + "fba6d750c18da58f6e2aab10112b9a5ef3301b3b" }, + { 144, "bcc6d7087a84f00103ccb32e5f5487a751a2", + "29d27c2d44c205c8107f0351b05753ac708226b6" }, + { 152, "36ecacb1055434190dbbc556c48bafcb0feb0d", + "b971bfc1ebd6f359e8d74cb7ecfe7f898d0ba845" }, + { 160, "5ff9edb69e8f6bbd498eb4537580b7fba7ad31d0", + "96d08c430094b9fcc164ad2fb6f72d0a24268f68" }, + { 168, "c95b441d8270822a46a798fae5defcf7b26abace36", + "a287ea752a593d5209e287881a09c49fa3f0beb1" }, + { 176, "83104c1d8a55b28f906f1b72cb53f68cbb097b44f860", + "a06c713779cbd88519ed4a585ac0cb8a5e9d612b" }, + { 184, "755175528d55c39c56493d697b790f099a5ce741f7754b", + "bff7d52c13a3688132a1d407b1ab40f5b5ace298" }, + { 192, "088fc38128bbdb9fd7d65228b3184b3faac6c8715f07272f", + "c7566b91d7b6f56bdfcaa9781a7b6841aacb17e9" }, + { 200, "a4a586eb9245a6c87e3adf1009ac8a49f46c07e14185016895", + "ffa30c0b5c550ea4b1e34f8a60ec9295a1e06ac1" }, + { 208, "8e7c555270c006092c2a3189e2a526b873e2e269f0fb28245256", + "29e66ed23e914351e872aa761df6e4f1a07f4b81" }, + { 216, "a5f3bfa6bb0ba3b59f6b9cbdef8a558ec565e8aa3121f405e7f2f0", + "b28cf5e5b806a01491d41f69bd9248765c5dc292" }, + { 224, "589054f0d2bd3c2c85b466bfd8ce18e6ec3e0b87d944cd093ba36469", + "60224fb72c46069652cd78bcd08029ef64da62f3" }, + { 232, "a0abb12083b5bbc78128601bf1cbdbc0fdf4b862b24d899953d8da0ff3", + "b72c4a86f72608f24c05f3b9088ef92fba431df7" }, + { 240, "82143f4cea6fadbf998e128a8811dc75301cf1db4f079501ea568da68eeb", + "73779ad5d6b71b9b8328ef7220ff12eb167076ac" }, + { 248, "9f1231dd6df1ff7bc0b0d4f989d048672683ce35d956d2f57913046267e6f3", + "a09671d4452d7cf50015c914a1e31973d20cc1a0" }, + { 256, + "041c512b5eed791f80d3282f3a28df263bb1df95e1239a7650e5670fc2187919", + "e88cdcd233d99184a6fd260b8fca1b7f7687aee0" }, + { 264, + "17e81f6ae8c2e5579d69dafa6e070e7111461552d314b691e7a3e7a4feb3fae418", + "010def22850deb1168d525e8c84c28116cb8a269" }, + { 272, "d15976b23a1d712ad28fad04d805f572026b54dd64961fda94d5355a0cc9862" + "0cf77", + "aeaa40ba1717ed5439b1e6ea901b294ba500f9ad" }, + { 280, "09fce4d434f6bd32a44e04b848ff50ec9f642a8a85b37a264dc73f130f22838" + "443328f", + "c6433791238795e34f080a5f1f1723f065463ca0" }, + { 288, "f17af27d776ec82a257d8d46d2b46b639462c56984cc1be9c1222eadb8b2659" + "4a25c709d", + "e21e22b89c1bb944a32932e6b2a2f20d491982c3" }, + { 296, "b13ce635d6f8758143ffb114f2f601cb20b6276951416a2f94fbf4ad081779d" + "79f4f195b22", + "575323a9661f5d28387964d2ba6ab92c17d05a8a" }, + { 304, "5498793f60916ff1c918dde572cdea76da8629ba4ead6d065de3dfb48de94d2" + "34cc1c5002910", + "feb44494af72f245bfe68e86c4d7986d57c11db7" }, + { 312, "498a1e0b39fa49582ae688cd715c86fbaf8a81b8b11b4d1594c49c902d197c8" + "ba8a621fd6e3be5", + "cff2290b3648ba2831b98dde436a72f9ebf51eee" }, + { 320, "3a36ae71521f9af628b3e34dcb0d4513f84c78ee49f10416a98857150b8b15c" + "b5c83afb4b570376e", + "9b4efe9d27b965905b0c3dab67b8d7c9ebacd56c" }, + { 328, "dcc76b40ae0ea3ba253e92ac50fcde791662c5b6c948538cffc2d95e9de99ca" + "c34dfca38910db2678f", + "afedb0ff156205bcd831cbdbda43db8b0588c113" }, + { 336, "5b5ec6ec4fd3ad9c4906f65c747fd4233c11a1736b6b228b92e90cddabb0c7c" + "2fcf9716d3fad261dff33", + "8deb1e858f88293a5e5e4d521a34b2a4efa70fc4" }, + { 344, "df48a37b29b1d6de4e94717d60cdb4293fcf170bba388bddf7a9035a15d433f" + "20fd697c3e4c8b8c5f590ab", + "95cbdac0f74afa69cebd0e5c7defbc6faf0cbeaf" }, + { 352, "1f179b3b82250a65e1b0aee949e218e2f45c7a8dbfd6ba08de05c55acfc226b" + "48c68d7f7057e5675cd96fcfc", + "f0307bcb92842e5ae0cd4f4f14f3df7f877fbef2" }, + { 360, "ee3d72da3a44d971578972a8e6780ce64941267e0f7d0179b214fa97855e179" + "0e888e09fbe3a70412176cb3b54", + "7b13bb0dbf14964bd63b133ac85e22100542ef55" }, + { 368, "d4d4c7843d312b30f610b3682254c8be96d5f6684503f8fbfbcd15774fc1b08" + "4d3741afb8d24aaa8ab9c104f7258", + "c314d2b6cf439be678d2a74e890d96cfac1c02ed" }, + { 376, "32c094944f5936a190a0877fb9178a7bf60ceae36fd530671c5b38c5dbd5e6a" + "6c0d615c2ac8ad04b213cc589541cf6", + "4d0be361e410b47a9d67d8ce0bb6a8e01c53c078" }, + { 384, "e5d3180c14bf27a5409fa12b104a8fd7e9639609bfde6ee82bbf9648be2546d" + "29688a65e2e3f3da47a45ac14343c9c02", + "e5353431ffae097f675cbf498869f6fbb6e1c9f2" }, + { 392, "e7b6e4b69f724327e41e1188a37f4fe38b1dba19cbf5a7311d6e32f1038e97a" + "b506ee05aebebc1eed09fc0e357109818b9", + "b8720a7068a085c018ab18961de2765aa6cd9ac4" }, + { 400, "bc880cb83b8ac68ef2fedc2da95e7677ce2aa18b0e2d8b322701f67af7d5e7a" + "0d96e9e33326ccb7747cfff0852b961bfd475", + "b0732181568543ba85f2b6da602b4b065d9931aa" }, + { 408, "235ea9c2ba7af25400f2e98a47a291b0bccdaad63faa2475721fda5510cc7da" + "d814bce8dabb611790a6abe56030b798b75c944", + "9c22674cf3222c3ba921672694aafee4ce67b96b" }, + { 416, "07e3e29fed63104b8410f323b975fd9fba53f636af8c4e68a53fb202ca35dd9" + "ee07cb169ec5186292e44c27e5696a967f5e67709", + "d128335f4cecca9066cdae08958ce656ff0b4cfc" }, + { 424, "65d2a1dd60a517eb27bfbf530cf6a5458f9d5f4730058bd9814379547f34241" + "822bf67e6335a6d8b5ed06abf8841884c636a25733f", + "0b67c57ac578de88a2ae055caeaec8bb9b0085a0" }, + { 432, "dcc86b3bd461615bab739d8daafac231c0f462e819ad29f9f14058f3ab5b759" + "41d4241ea2f17ebb8a458831b37a9b16dead4a76a9b0e", + "c766f912a89d4ccda88e0cce6a713ef5f178b596" }, + { 440, "4627d54f0568dc126b62a8c35fb46a9ac5024400f2995e51635636e1afc4373" + "dbb848eb32df23914230560b82477e9c3572647a7f2bb92", + "9aa3925a9dcb177b15ccff9b78e70cf344858779" }, + { 448, "ba531affd4381168ef24d8b275a84d9254c7f5cc55fded53aa8024b2c5c5c8a" + "a7146fe1d1b83d62b70467e9a2e2cb67b3361830adbab28d7", + "4811fa30042fc076acf37c8e2274d025307e5943" }, + { 456, "8764dcbcf89dcf4282eb644e3d568bdccb4b13508bfa7bfe0ffc05efd1390be" + "22109969262992d377691eb4f77f3d59ea8466a74abf57b2ef4", + "6743018450c9730761ee2b130df9b91c1e118150" }, + { 464, "497d9df9ddb554f3d17870b1a31986c1be277bc44feff713544217a9f579623" + "d18b5ffae306c25a45521d2759a72c0459b58957255ab592f3be4", + "71ad4a19d37d92a5e6ef3694ddbeb5aa61ada645" }, + { 472, "72c3c2e065aefa8d9f7a65229e818176eef05da83f835107ba90ec2e95472e7" + "3e538f783b416c04654ba8909f26a12db6e5c4e376b7615e4a25819", + "a7d9dc68dacefb7d6116186048cb355cc548e11d" }, + { 480, "7cc9894454d0055ab5069a33984e2f712bef7e3124960d33559f5f3b81906bb" + "66fe64da13c153ca7f5cabc89667314c32c01036d12ecaf5f9a78de98", + "142e429f0522ba5abf5131fa81df82d355b96909" }, + { 488, "74e8404d5a453c5f4d306f2cfa338ca65501c840ddab3fb82117933483afd69" + "13c56aaf8a0a0a6b2a342fc3d9dc7599f4a850dfa15d06c61966d74ea59", + "ef72db70dcbcab991e9637976c6faf00d22caae9" }, + { 496, "46fe5ed326c8fe376fcc92dc9e2714e2240d3253b105adfbb256ff7a19bc409" + "75c604ad7c0071c4fd78a7cb64786e1bece548fa4833c04065fe593f6fb10", + "f220a7457f4588d639dc21407c942e9843f8e26b" }, + { 504, "836dfa2524d621cf07c3d2908835de859e549d35030433c796b81272fd8bc03" + "48e8ddbc7705a5ad1fdf2155b6bc48884ac0cd376925f069a37849c089c864" + "5", + "ddd2117b6e309c233ede85f962a0c2fc215e5c69" }, + { 512, "7e3a4c325cb9c52b88387f93d01ae86d42098f5efa7f9457388b5e74b6d28b2" + "438d42d8b64703324d4aa25ab6aad153ae30cd2b2af4d5e5c00a8a2d0220c61" + "16", + "a3054427cdb13f164a610b348702724c808a0dcc" } + }; + + for (i = 0; i < 65; i++) { + err = hash_test_case_add(&sha1_test_case_list, tc[i].hex_data, + tc[i].bit_len / 8, tc[i].hex_hash, 20); + if (err) { + printf("error adding hash test case (code %d)\n", err); + return err; + } } - }; - - - for (i=0; i < 65; i++) { - err = hash_test_case_add(&sha1_test_case_list, - tc[i].hex_data, - tc[i].bit_len/8, - tc[i].hex_hash, 20); - if (err) { - printf("error adding hash test case (code %d)\n", err); - return err; - } - } - return srtp_err_status_ok; + return srtp_err_status_ok; } -srtp_err_status_t -sha1_dealloc_test_cases(void) { - hash_test_case_t *t, *next; +srtp_err_status_t sha1_dealloc_test_cases(void) +{ + hash_test_case_t *t, *next; - for (t = sha1_test_case_list; t != NULL; t = next) { - next = t->next_test_case; - free(t); - } + for (t = sha1_test_case_list; t != NULL; t = next) { + next = t->next_test_case; + free(t); + } - sha1_test_case_list = NULL; + sha1_test_case_list = NULL; - return srtp_err_status_ok; + return srtp_err_status_ok; } +srtp_err_status_t sha1_validate(void) +{ + hash_test_case_t *test_case; + srtp_err_status_t err; - -srtp_err_status_t -sha1_validate(void) { - hash_test_case_t *test_case; - srtp_err_status_t err; - - err = sha1_add_test_cases(); - if (err) { - printf("error adding SHA1 test cases (error code %d)\n", err); - return err; - } - - if (sha1_test_case_list == NULL) - return srtp_err_status_cant_check; - - test_case = sha1_test_case_list; - while (test_case != NULL) { - err = sha1_test_case_validate(test_case); + err = sha1_add_test_cases(); if (err) { - printf("error validating hash test case (error code %d)\n", err); - return err; + printf("error adding SHA1 test cases (error code %d)\n", err); + return err; } - test_case = test_case->next_test_case; - } - - sha1_dealloc_test_cases(); - - return srtp_err_status_ok; -} + if (sha1_test_case_list == NULL) + return srtp_err_status_cant_check; + + test_case = sha1_test_case_list; + while (test_case != NULL) { + err = sha1_test_case_validate(test_case); + if (err) { + printf("error validating hash test case (error code %d)\n", err); + return err; + } + test_case = test_case->next_test_case; + } + sha1_dealloc_test_cases(); -int -main (void) { - srtp_err_status_t err; + return srtp_err_status_ok; +} - printf("sha1 test driver\n"); +int main(void) +{ + srtp_err_status_t err; - err = sha1_validate(); - if (err) { - printf("SHA1 did not pass validation testing\n"); - return 1; - } - printf("SHA1 passed validation tests\n"); + printf("sha1 test driver\n"); - return 0; + err = sha1_validate(); + if (err) { + printf("SHA1 did not pass validation testing\n"); + return 1; + } + printf("SHA1 passed validation tests\n"); + return 0; } diff --git a/libs/srtp/crypto/test/stat_driver.c b/libs/srtp/crypto/test/stat_driver.c index a8939b2830..4149447f74 100644 --- a/libs/srtp/crypto/test/stat_driver.c +++ b/libs/srtp/crypto/test/stat_driver.c @@ -8,26 +8,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -44,10 +44,10 @@ */ #ifdef HAVE_CONFIG_H - #include <config.h> +#include <config.h> #endif -#include <stdio.h> /* for printf() */ +#include <stdio.h> /* for printf() */ #include "err.h" #include "stat.h" @@ -56,192 +56,203 @@ #include "cipher.h" typedef struct { - void *state; + void *state; } random_source_t; -srtp_err_status_t -random_source_alloc(void); +srtp_err_status_t random_source_alloc(void); -void -err_check(srtp_err_status_t s) { - if (s) { - printf("error (code %d)\n", s); - exit(1); - } +void err_check(srtp_err_status_t s) +{ + if (s) { + printf("error (code %d)\n", s); + exit(1); + } } -int -main (int argc, char *argv[]) { - uint8_t buffer[2532]; - unsigned int buf_len = 2500; - int i, j; - extern srtp_cipher_type_t srtp_aes_icm_128; - extern srtp_cipher_type_t srtp_aes_icm_256; +int main(int argc, char *argv[]) +{ + uint8_t buffer[2532]; + unsigned int buf_len = 2500; + int i, j; + extern srtp_cipher_type_t srtp_aes_icm_128; + extern srtp_cipher_type_t srtp_aes_icm_256; #ifdef OPENSSL - extern srtp_cipher_type_t srtp_aes_gcm_128_openssl; - extern srtp_cipher_type_t srtp_aes_gcm_256_openssl; + extern srtp_cipher_type_t srtp_aes_gcm_128_openssl; + extern srtp_cipher_type_t srtp_aes_gcm_256_openssl; #endif - srtp_cipher_t *c; - uint8_t key[46] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 + srtp_cipher_t *c; + /* clang-format off */ + uint8_t key[46] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 }; - v128_t nonce; - int num_trials = 500; - int num_fail; - - printf("statistical tests driver\n"); - - v128_set_to_zero(&nonce); - for (i=0; i < 2500; i++) - buffer[i] = 0; - - /* run tests */ - printf("running stat_tests on all-null buffer, expecting failure\n"); - printf("monobit %d\n", stat_test_monobit(buffer)); - printf("poker %d\n", stat_test_poker(buffer)); - printf("runs %d\n", stat_test_runs(buffer)); - - for (i=0; i < 2500; i++) - buffer[i] = rand(); - printf("running stat_tests on rand(), expecting success\n"); - printf("monobit %d\n", stat_test_monobit(buffer)); - printf("poker %d\n", stat_test_poker(buffer)); - printf("runs %d\n", stat_test_runs(buffer)); - - printf("running stat_tests on AES-128-ICM, expecting success\n"); - /* set buffer to cipher output */ - for (i=0; i < 2500; i++) - buffer[i] = 0; - err_check(srtp_cipher_type_alloc(&srtp_aes_icm_128, &c, SRTP_AES_ICM_128_KEY_LEN_WSALT, 0)); - err_check(srtp_cipher_init(c, key)); - err_check(srtp_cipher_set_iv(c, (uint8_t*)&nonce, srtp_direction_encrypt)); - err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); - /* run tests on cipher outout */ - printf("monobit %d\n", stat_test_monobit(buffer)); - printf("poker %d\n", stat_test_poker(buffer)); - printf("runs %d\n", stat_test_runs(buffer)); - - printf("runs test (please be patient): "); - fflush(stdout); - num_fail = 0; - v128_set_to_zero(&nonce); - for(j=0; j < num_trials; j++) { - for (i=0; i < 2500; i++) - buffer[i] = 0; - nonce.v32[3] = i; - err_check(srtp_cipher_set_iv(c, (uint8_t*)&nonce, srtp_direction_encrypt)); - err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); - if (stat_test_runs(buffer)) { - num_fail++; - } - } - - printf("%d failures in %d tests\n", num_fail, num_trials); - printf("(nota bene: a small fraction of stat_test failures does not \n" - "indicate that the random source is invalid)\n"); - - err_check(srtp_cipher_dealloc(c)); - - printf("running stat_tests on AES-256-ICM, expecting success\n"); - /* set buffer to cipher output */ - for (i=0; i < 2500; i++) - buffer[i] = 0; - err_check(srtp_cipher_type_alloc(&srtp_aes_icm_256, &c, SRTP_AES_ICM_256_KEY_LEN_WSALT, 0)); - err_check(srtp_cipher_init(c, key)); - err_check(srtp_cipher_set_iv(c, (uint8_t*)&nonce, srtp_direction_encrypt)); - err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); - /* run tests on cipher outout */ - printf("monobit %d\n", stat_test_monobit(buffer)); - printf("poker %d\n", stat_test_poker(buffer)); - printf("runs %d\n", stat_test_runs(buffer)); - - printf("runs test (please be patient): "); - fflush(stdout); - num_fail = 0; - v128_set_to_zero(&nonce); - for(j=0; j < num_trials; j++) { - for (i=0; i < 2500; i++) - buffer[i] = 0; - nonce.v32[3] = i; - err_check(srtp_cipher_set_iv(c, (uint8_t*)&nonce, srtp_direction_encrypt)); - err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); - if (stat_test_runs(buffer)) { - num_fail++; - } - } + /* clang-format on */ + v128_t nonce; + int num_trials = 500; + int num_fail; -#ifdef OPENSSL - { - printf("running stat_tests on AES-128-GCM, expecting success\n"); + printf("statistical tests driver\n"); + + v128_set_to_zero(&nonce); + for (i = 0; i < 2500; i++) + buffer[i] = 0; + + /* run tests */ + printf("running stat_tests on all-null buffer, expecting failure\n"); + printf("monobit %d\n", stat_test_monobit(buffer)); + printf("poker %d\n", stat_test_poker(buffer)); + printf("runs %d\n", stat_test_runs(buffer)); + + for (i = 0; i < 2500; i++) + buffer[i] = rand(); + printf("running stat_tests on rand(), expecting success\n"); + printf("monobit %d\n", stat_test_monobit(buffer)); + printf("poker %d\n", stat_test_poker(buffer)); + printf("runs %d\n", stat_test_runs(buffer)); + + printf("running stat_tests on AES-128-ICM, expecting success\n"); /* set buffer to cipher output */ - for (i=0; i < 2500; i++) { - buffer[i] = 0; - } - err_check(srtp_cipher_type_alloc(&srtp_aes_gcm_128_openssl, &c, SRTP_AES_GCM_128_KEY_LEN_WSALT, 8)); + for (i = 0; i < 2500; i++) + buffer[i] = 0; + err_check(srtp_cipher_type_alloc(&srtp_aes_icm_128, &c, + SRTP_AES_ICM_128_KEY_LEN_WSALT, 0)); err_check(srtp_cipher_init(c, key)); - err_check(srtp_cipher_set_iv(c, (uint8_t*)&nonce, srtp_direction_encrypt)); + err_check(srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt)); err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); /* run tests on cipher outout */ printf("monobit %d\n", stat_test_monobit(buffer)); printf("poker %d\n", stat_test_poker(buffer)); printf("runs %d\n", stat_test_runs(buffer)); + + printf("runs test (please be patient): "); fflush(stdout); num_fail = 0; v128_set_to_zero(&nonce); - for(j=0; j < num_trials; j++) { - for (i=0; i < 2500; i++) { - buffer[i] = 0; - } - nonce.v32[3] = i; - err_check(srtp_cipher_set_iv(c, (uint8_t*)&nonce, srtp_direction_encrypt)); - err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); - buf_len = 2500; - if (stat_test_runs(buffer)) { - num_fail++; - } + for (j = 0; j < num_trials; j++) { + for (i = 0; i < 2500; i++) + buffer[i] = 0; + nonce.v32[3] = i; + err_check( + srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + if (stat_test_runs(buffer)) { + num_fail++; + } } - printf("running stat_tests on AES-256-GCM, expecting success\n"); + printf("%d failures in %d tests\n", num_fail, num_trials); + printf("(nota bene: a small fraction of stat_test failures does not \n" + "indicate that the random source is invalid)\n"); + + err_check(srtp_cipher_dealloc(c)); + + printf("running stat_tests on AES-256-ICM, expecting success\n"); /* set buffer to cipher output */ - for (i=0; i < 2500; i++) { - buffer[i] = 0; - } - err_check(srtp_cipher_type_alloc(&srtp_aes_gcm_256_openssl, &c, SRTP_AES_GCM_256_KEY_LEN_WSALT, 16)); + for (i = 0; i < 2500; i++) + buffer[i] = 0; + err_check(srtp_cipher_type_alloc(&srtp_aes_icm_256, &c, + SRTP_AES_ICM_256_KEY_LEN_WSALT, 0)); err_check(srtp_cipher_init(c, key)); - err_check(srtp_cipher_set_iv(c, (uint8_t*)&nonce, srtp_direction_encrypt)); + err_check(srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt)); err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); /* run tests on cipher outout */ printf("monobit %d\n", stat_test_monobit(buffer)); printf("poker %d\n", stat_test_poker(buffer)); printf("runs %d\n", stat_test_runs(buffer)); + + printf("runs test (please be patient): "); fflush(stdout); num_fail = 0; v128_set_to_zero(&nonce); - for(j=0; j < num_trials; j++) { - for (i=0; i < 2500; i++) { - buffer[i] = 0; - } - nonce.v32[3] = i; - err_check(srtp_cipher_set_iv(c, (uint8_t*)&nonce, srtp_direction_encrypt)); - err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); - buf_len = 2500; - if (stat_test_runs(buffer)) { - num_fail++; - } + for (j = 0; j < num_trials; j++) { + for (i = 0; i < 2500; i++) + buffer[i] = 0; + nonce.v32[3] = i; + err_check( + srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + if (stat_test_runs(buffer)) { + num_fail++; + } + } + +#ifdef OPENSSL + { + printf("running stat_tests on AES-128-GCM, expecting success\n"); + /* set buffer to cipher output */ + for (i = 0; i < 2500; i++) { + buffer[i] = 0; + } + err_check(srtp_cipher_type_alloc(&srtp_aes_gcm_128_openssl, &c, + SRTP_AES_GCM_128_KEY_LEN_WSALT, 8)); + err_check(srtp_cipher_init(c, key)); + err_check( + srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + /* run tests on cipher outout */ + printf("monobit %d\n", stat_test_monobit(buffer)); + printf("poker %d\n", stat_test_poker(buffer)); + printf("runs %d\n", stat_test_runs(buffer)); + fflush(stdout); + num_fail = 0; + v128_set_to_zero(&nonce); + for (j = 0; j < num_trials; j++) { + for (i = 0; i < 2500; i++) { + buffer[i] = 0; + } + nonce.v32[3] = i; + err_check(srtp_cipher_set_iv(c, (uint8_t *)&nonce, + srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + buf_len = 2500; + if (stat_test_runs(buffer)) { + num_fail++; + } + } + + printf("running stat_tests on AES-256-GCM, expecting success\n"); + /* set buffer to cipher output */ + for (i = 0; i < 2500; i++) { + buffer[i] = 0; + } + err_check(srtp_cipher_type_alloc(&srtp_aes_gcm_256_openssl, &c, + SRTP_AES_GCM_256_KEY_LEN_WSALT, 16)); + err_check(srtp_cipher_init(c, key)); + err_check( + srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + /* run tests on cipher outout */ + printf("monobit %d\n", stat_test_monobit(buffer)); + printf("poker %d\n", stat_test_poker(buffer)); + printf("runs %d\n", stat_test_runs(buffer)); + fflush(stdout); + num_fail = 0; + v128_set_to_zero(&nonce); + for (j = 0; j < num_trials; j++) { + for (i = 0; i < 2500; i++) { + buffer[i] = 0; + } + nonce.v32[3] = i; + err_check(srtp_cipher_set_iv(c, (uint8_t *)&nonce, + srtp_direction_encrypt)); + err_check(srtp_cipher_encrypt(c, buffer, &buf_len)); + buf_len = 2500; + if (stat_test_runs(buffer)) { + num_fail++; + } + } } - } #endif - printf("%d failures in %d tests\n", num_fail, num_trials); - printf("(nota bene: a small fraction of stat_test failures does not \n" - "indicate that the random source is invalid)\n"); + printf("%d failures in %d tests\n", num_fail, num_trials); + printf("(nota bene: a small fraction of stat_test failures does not \n" + "indicate that the random source is invalid)\n"); - err_check(srtp_cipher_dealloc(c)); + err_check(srtp_cipher_dealloc(c)); - return 0; + return 0; } diff --git a/libs/srtp/doc/libsrtp.pdf b/libs/srtp/doc/libsrtp.pdf deleted file mode 100644 index a0a11b7bdc4e3a05397e200890a800599d012c5f..0000000000000000000000000000000000000000 GIT binary patch literal 0 Hc-jL100001 literal 234575 zc-pkOLy#_7)GSywPuaF@+qP}nw#`$vU3I>4)hXMyZL4obcSpZ?{~g@P+oLtu5gB_8 zGIOn+WQwBVbWHSYFl4ifL#r@M%uIxggbv2mguJ{k46<hS7Os|r%#5sr|IdM85Vx{* zHFG9p5VtjQH4`;6aWFN5;pc~OadkE`vV-wlw@cu27!ZUDfBA$-@DSN-z9BhVRu?Rh zR-*C7F@_omA{HVBNB-t7%qX<xd25Y0@vGT|f~k`I%68!Q(Pje1p&bwIBPcLz7%ptw zeQ7{0cYkS3mxunLa#1fOWVKZJ#3a)~j%bWauI(tbS-4Ws91+1a#xT~tDC=aW`15oV zz}ka1TEHGpfUqt{M|L<(m?BRcBi{7O<RegrOrL3rTXk@gKZzpo8+x3Lhz67knSbN0 z)P)n_?)lfc%qi33NkCdUe<vuctmH6^nZ4=%`>cPee_HZSbGZIzbC|dY|8sL#6eTqn z6&+8Q`-DJ&Oen$k{sn`D<$q#uadQ4=3_tXZ_<i<Azn)+T32kMH!(oyMeO3~pI0%5+ zQZ01~W`m^dA?H<t!H$bBE)48BEEh-q2RQ$l!t3D$3gS*ePPsu($rvfs0qa=vm^la4 zf|UMU$EbOV9LrlsxAvcyU(=#=#R41*`o8!xF)e~t{8`6Zy7!@>9FSOY3%q8-Ro(MN zWU_AM>h8)sd#Q7hGMTgROgJit9K4?0#SYbN7wr|hwhz*w0bLY+f;G<a;S?Jzm0zSq zsm;A=iak}m+E}GrU0riss(yA*y7@j7o!_8FGl2NwGg_+5c}xcJOwv2v87g5D94jTm z>D+#YA^Bz3;W0s8$s&Yqu(W2aeh7F4Z%AO8ZbViBzG$ke5;h8}A@$br-%_xEsLj?I zNF3ILD9Pl|p}+c-?}Vl@pBPrP=g@U=?&@|-Xdx;6ssg$4!`#WMSUxEFLVI&4OGVX$ zqb&D%eM|2f%;b)RILyNqaJu7IrFcY@QAvEaAd$akDc#87xIuM)ts}qxet6uXIqO$c zC%-IKyX|8Mh@nP+dl48X!t-Vb@iHKIm8NT}^;Mlbt`RG@uJBb8ZayOsjdLdw=vATR zyIYO`{v1}XhA}65k0nofa`^y>%3XgETEaoqX`{Q-Cru4{+!PD+6(ZO<9me;=QskWM zzfXJhFDgqg20W8d4Q2}Q;GD|Jv~19pKXB;?`U3?}d~@uW2>$@pgLflXOH&FDXWh>M zwb_R8CI9tf?dx3xP1;T@;enDs6`+Np<*$!=>C#0$vNtPWzjGvQuPBjq+Q$xV_ya7t z`rzG4s7!%F29*kEJ3*-$GN*TGbN3fh9FjWLxb&tDhL*ko1>5&g`&2VEo%Fcp9Qp<q zBdAgQ_$AT8j|FtKG*d>z_r59svxv3sWKa`&#`CL*3vTug0TlE?FkzO8-)>EXA|**U zUmM6G)2+VYU<eA&K)PXoszexsWi2<0vOt#6&ipS3@$$_*d0(<=rKE)S9Y?vfaHI~3 zDvw2n6=4Q(er-t{I8gkL**8x%&Q=!%#x$J3oL@qIRGuXstI{OiO3FAkW>;hfbDr9N zS-L`9rybKu6?r*>=Y<a>g?WH=blx7+%{{4jm-PM)Dr5SzPuA085c*Ua?M0A}7dlx@ zc1PchPuJDiYLhu>tM200(mnV?pdn5>r4M<f#X2X3G-5qCksGQYP6z(@U&YmlLwCkv z9~*JYJamj7x3?A?j2R_DUa;(`td4GMhM9jMh{<s&l-;JJ&~91!`xJBO{C(^OESc!s z{vfdRaxLZ}u&s7~W?=Q^b13|PI9}Q^{u^0v{GTTz4#s~YB#!@#ag`<GlEa7^_VR{C zYXqDY8v2*nEm{6OFI2DWfJoCV)7TKKWvaIxC@3xprPQ6^pkd$+Y&Q31ljgULAuYUN z7nc`aZWlms_7-nPBoEn_jgpx%H2y@GL=%(4{MU}Yffhbv$V_@1)I$>2$0HNx52mh; zL2x^TAm7<iSPWb!-Z*7VJ}6v{5+uu0rdE17FCDBKB4Yv3InD*5#`*OV@!=G{YsE=B zhsZ=Y5YPiNT^M*)7F|_EY;%h~65~WoH#<#Q^`>rG5Z?;$Y(_u@#g+GuAQ+CxF_1Kz zj`SW%k-d9%*r-N#0!bcvm!Cr>{W_wB6Ec}m*S>K_I8F|bId^(jAW5g;j=<(1p_nU0 z;W~;4reuFd-90Y~nFcDor>1%^#s(Z^;K<mnLcuC&a7$E2^r)G3s!{UaGv{hyeGR9k z(_a4uLo!N;a_K}s=Q_Zo^usET!U=V`*2y$r<tbtP`=^BURwc3v0r@N&Ey2{q`YT|` zzOspS;B-UTG>tapN}JHt_zn!LNRJ{fc$O_s{8M3vPEwY>XJk|O?`LCNV3O6&D;<3v zJ4RJU?hl-XS5cKoI^8Qf?BCnPZUl%(Yf$5@VgIkamQt5I@qK;+f`KI>TUB0(hKo<P zul9jN_{IYh+f_;Cpc=DaRnm9DW<?FAjI-b$U)Jx}kG}+qBl*vz#Uv2qyF>U)-vt`% zbO$#^SQ=W#w6r2>Ev1P<0Bhza5`5x$IQlD+7XR?{?T4+xsLgHB12f*lwfO7ThZP+7 zDi*fQLH5@md6#strRZ`q6gGU1n9c+p$D8ykmxpvEUfD8p7sriLa>cH^AvngV;Whlm zsD*wYqB8gjoT(ZYg%tPoOO+Y3h>&bb*<_t8X$ibF7YbS)uMR~Q{J@W-sTzJU3mN2N z52r=zfNWY8<P4AMq}R#flyjb;k@cZjcoTCc{}HijZ$l=-?UPU7xx2+`1c@k1mGd&T zay2gsom6bwDx!ci`%jRT6g;EtP-79_udgD4F{q@dCqeU?27%J95DaLD_1x8KzeBz5 zewU<sQ`AMO-+jCZQ1j&bi0m2rm=wl8K5rd9fAxx3$h=5@wpZyzQFAg+!FTN8bI6JP zF73i=)_7-rX)WDX_zN&_V3Y=<|BQnx6wh_w9$?%gFC&RQ=*qtncJ8*LgP6DG)@T12 zX?C^f^Vti&_-+w=H`I<~&PQZE^CgnG_44;vE9oq|_EdS<xny{RDzlGJ&9|!FA)75i znrkL~q0B-6_vVDcjE0O_#8VO}6CTNc41y5jea(N^J;cD?Kxg=$T*3UmFomj@qZuKC zg0Z!Vs~rr3JRuV!<NwVS&MvNmoQy30KU;CIGyYd5Y1Nc-z~TDUeW9`F<Xkwq&w&KD zyLzx@NU=&dZRF9-MX8)X7rRN<qP=#wb3+rI_nXtn<5vqX&ZRvXfk8KQvKaRK;g~hd zA*h*jR4lm(?O6W9D+LNjmL&N>yQpo}DiUP7A@7hZ91w}YsJ24xSU6=O`xu7vsVN>8 z@46&?A9vCOgg~N2v!m=b#DFIME+kUaJrDTr(U8ortWqReFA1VOI_1Bf{7PW<jHn`- zU}aGBf(ozju_%_{oTSUx{$83Y;RJI^?g-1NCWNtR{ooDa&3dHb7r-DhZqZ;Ev2(9{ zF_b_^PNGy5CWPwYyu`BM{F9c2$Ud0G346Baf?=s`efvax`k)I|UV*=x&A@m^XNdtA zV@EqaSYUnntAb)E;|ix}y1ItEq2T9O;d-&m%#O*c4WZIN$Pg*Ti7|fxp=d%2P@zHY zv<?s;%|VZb5|iw-v1yD4%}JiptnjI(IY+SgMFre)xxu8+0E;^U)f!8%{Lv;LVRIc` zF~?dDZzClAT`6rMF;eB*99#E!zLbSukYHO*cQ{<ecWa*HC!%1K`@xh!s*ZCQNu#By z7{5^KwQPyKD9M_LdP6by_sG6v1)Dwy-=)x{1QXf$`$0+0(!w+oQ-2vtmiEoQy}4-X z&)u(F+eu8ozFYZqt|Q9TPqMtfoeU{3Y!u$Gk32P8X=8J*+wB;1dwsmGVSFLTH7XtV zoH%T_E#PBox8eX+@s~T7p6kv=xbG_umYjNT-V4`e&6=^}{ai3FOmDpK!<X#a?HtAf z8R9p##PxfE>UoHAuU<N@yvYb8ARp7rnjzRg*t<1re>%=OO**kIFyz0eiQY#d%6=N` zzIm3(@&KRrPHycxY_8jO*-Q_rr5)aG;=L^w-wQpWwdZe_bBY>U21L`CM`oQ?{QUfI zJ0mZq{+_sP;>X5pHK*36Ng~9nU|ro2KV2K6jMpsB7+de2D=i{X2M2>4A4cB<!%Qar zhQ9pPdUy;*_WXg9g@=dOZ*TaO&X^ZE-CP;FZX93M0iAjaYu9BL?SofamMhtrCmUaO z3kw?xALff)#|LXp9pFRRZ?0ap3NC(4KYq^7ek&P^xUKRA4;MFbJM5i}_HXt4ail>% z)^&a+%&#A&lqzK(35`xWMs%;F3L-<r98>??Yq>Cos~{gQ^9txn+V&u$=_M#Hn=K@G zp8sQ-#A~~|`%?U8X3l@{5B2@tY<+LzL#ypc_V(<(Gf!8__DnuQda`zlZ#TdSed3`G zZyb)P0$}(@v&RZytI>cXqG>Nfp+0-c{i*0fa^;=~6ICQ@hYl#n2y!*dSYz*p`%>WN z$w5^G6?hxpqthc{9q3o-qy>9Mf%yI`nM~_J6^U}ZAxSz0CcVMS)_WD!DK@^I?)<&o zgHwS36TTB$z?t=@l7<po9N;~07mRHY8L?99p?FczKTg?)JIwBL9{y+0K9mbB{vFnu z$Pc6SNNdAA5J3M_rI_OUw3xl_Y-eYuXXj@pVrOEfVn>r#@7c5e7Jc%+6=BgB)cO^k zh5ui%7y2SNzyD+G<>o7p`m)n@MG$ioQ@6wFmn7e-^KJL$?B#Da9upbocFv7ms#O0G zsI4OJhsBnXrmWS7@_WXz3p+1N^qyM8{-$Zb)Fe(0K@Fe)6Omi*?5U|WGd^Hk&ve9D z${KvGr#Q*mA98ZiudYQ3DsLnm&yCKek(oR=tuVODSumlbDu!FZ$8wmJJUBHycvO>{ zQEaP@H4(_6twliY`TFKX8Vc&NSwd*!#3h8!B1AH&KvMLYSRI(CHpxjE67Qno{P)cZ ztlBr)IUk6N*t5`ZM#a12&2tfalB?SIk401wD3O|~q`ND4PQWyGj3$XxV`W7o-v(E0 zuvD@2ZLZB~H+Cke)U|-IvU8eovb4Es%o_$mPO-Ez4>}eK1gWdy+?x{JC5ojHlZrFt z#GfJ2M(EC%xMJhUUhlQt#j`qUBBoH(YSa-8r5CWAoS~Lk=gtT|`qA#%VPk9x%SizR z+T$=L{AzJ!VDNM|Xr}Ds18C>ekmL_-t!~b}E%8Iy%-uV%Gb1G1KflsggXq)wtPxrI zO}?k5tZT$8x-o~shlxh8t6lTvO}@9{SZLC7-1E^62(8(u`8Y~PK09$tzD)n9jcB7Q z^|7!A*nXn$&VTX>E2bZf<N8?ap`mS1@!enAP<1Ms8TJ%l4mt&OYs8PtKtEVe>4;NN z+G?6b!94q4jCg4MfW=TXi`S+^Q!`1G(w8zT+-3%_nZ@bhk7z&dhAg#+jtoKL2h^4Q zfNor4+WwpMX8%8L?>YZv;lsqv$o5|`+%#lTHrU~MZt7>1^2Vr3@Y@zQ+;g_p<Snw- zo=PH0AhnC^<Vlr8q}BkvJwU+kXfLF{zyx{uK@ua~lOpqO{PlMHe5K7)$(ES)#4qex zq>Iy1$Cy**08u@|wQF77^y$R<0s5ca-(T_#C6e<X8LwUtWPc)+lV~#<!0Ctq8AY<{ z%p`OPK5Vk<bk_?lv1C+$LP7=gBk87Kv%C_a@6!BDVf043V{hg*3bB;Z`gW#Ok3x1$ zpCeLh1M*7E<madD*aE3TCzFdm3typ~wDymhJk4{ym~~0Y!vv8g>o(jUF0*{K+n1Nt zaw86aJUo{IQ^kW+9;A`wwfNBl^BTGsykRL1l5HZE+irP7H8deHbV!$km0s(mZH2N0 zOi%*9ELE}oYq}<4_bLL&i`nL;NC6(6we>bnv9zHoiu;N3CzRS@si!z+_^Y<%xnO$Q zy<-_acNqhZmO%#`HmYTg6`y2PlIr<d{O3ez$qS=KT3<;T&U_q`1ouW@0oh_Y7S{J1 zB&+%yogRC}y3$yKe0-}Uw6MV2qs**Cc;1&n+J)B~N-%S@p5%C6$2}P#E)%@mp&T9c zexW2u35q`Pg_}s#4SX$}z+|P`EQFGN(B~3md{EMm>V{0BQ9^YZ2=1}1+q7h*w3<5Y zA)i|8pYcFR7$c?%5gWA-Axa<}3G<tBixLJ30(l_35InYtUM5t+&#a2+fg1&Q8I?XE z&XD_{8s%JBPlH{1(r|GG<w*2!*>?91^-%pS$Mo8Xs#jp(`#acWQc-Xumphc<AVijr zTeGPs@Vs91(#YBmc`cB53yTvXp?38`2%x7&ej)Q*$i-2KD!Zu5I|MLkU?lF?In!>; z*>-KYz}CCuk0Ng%zh+4>UImP6XQ^{KZzZUnCPT8@Qko=2LP1o52pklcubgEH_o@xz z<fK98$e5Lr&eLiOPZC5wY{L&!S^<XVN$zt+-#cN%08Q8BJH5EPRI3p31yGq2rCczK z1+!$dH?O6s`y;KTDdzz)Wuac$gRLSU+^hg48s#NPU7d|K^q|LhdJHx2ch*Ki{;kpV z^I5Ok!$)Pd>a_}QqJx_lAFP|*p4ENp>o?{GeV!1aXNV_K5rt746ilhwh?Wl{-oBkE zta*2m?vq-u7@zc{w+>FPVZo^o6cVOfFCj3o{N~$`*ae*{R|A#=20pD*%?2p)*Qvo1 zjN~E;Sk!VIu>!%A<86!WVpwXb4R8OkI0_$hKHnV@KbuozeJ2R65aS3TiPXiwM^L4^ zqv_%o{)6aUjJU6phC%+A94}@~%`-2OAZ@Dgl{OL1yD-4UX;~po<>anM3!cqTgqyn@ zn!tQs%o+Sh1+3?$P`~+R6iMtKN0O)pT6<$G11NKF4Lmq@IwR%eDE$he-Du9+EPB!% zlYd719p(0Mqxv9o?<TuN0llEId9|KN&tRw94kBQV&Dz?KU`9<u_grp8%(6rk%=@%h z0&niHkzzfcf=ghHD}+H)4|#YW6_g1NTgde%09ksq1vKt&0u0BaW)yNdQrksIZ~2Bp z1RrC8{H6I<P*~^ICmfb-(HcA^h#ub{g4`L!S$2T>!)WWYqn~|E{XKX&Fh<XYP(HM> z&jN==t51zvLefXRkmfP8YFetq60ywRDpFW85X%hV$X7&A?k+Yf%jbqy_%g{@vuZ;q z7Ywn_6D&?0vWcbhCSsu|c`MdH2a{oF2t$}$L{KEZU?;3-=-E0O^hE6@L>;`{JG|uH zURC>d!0()brS>0}G?UC?BfSmrorX~lbb|l`@?-?SZwT4`-hnHkxkrt&z-zt;acl$| zG-baA7CQGrDgtnYW)OGL?4w4j!OnG?>x4r|=eHMBY?{w|Rb%kVie$5~O3xNh;?vzp z`xy*lu^O-BAUo>N&_4#KE%3bvt5XWS2o1#skhzff1DJbh%!+$zBAxeXC0uQmTI5ZK z>`zto2XYUmPMW1Biq7wWj+5(AG;thd<%DyKvd3z-ijyrA@r=?WL(?e8g~nJlOsvqw zve0;gjn6`z)3Tw`*wZ5LR`!S!=iFW^1w$nwNi01JPQ-(j3uk8;6G@WCUdb3_ldRyM zQujMeUAu2BJs*e$Q<Sj(qDoxM|MCsN!ol=kRp~e8nDfE#^>w}Bk*L}loQG6eig=M7 zxi)T6c9acyT2V#Y6pR?P?tZ!N7bv!6^t|OZGX@*BU~wZG)aar<n~G1z8`93Fr-RP= zD&|L9{SZSo+cUfm>vDLy*=v015YJU}p2dbG->n><KlbL@^5~1}L<8`n>_1K;qRIMi zeA^4L)w=Xz$j(8&L-6ZyJr1lrGus8}8ZI`;%F6uL)X9#V9pvA9wgtywk}JKYYqk+L zI7Ogc-57iSZYC|ghYf2T!u|)g09%|g7Sh(<)i#PJ#gmp9k36e$o5qRrvhg<1jl~Ue zni%X<j|lI#;OhDnGo8|4N2@<5p<C^4A|2AKQtC*XT})hS>7Ww}Kg0RgmqvzJ?~UX7 zJJ|cw<K!|!boSzo?A6e}Eu`D#iRfbVmKW%#+{<D6DeX)<z9l<DIOF&d;QXl`x^P$X zzVp!PQ4t$hr&4Sgs)A0=hX3$fr^2n=cHi7(nOw{xHrO{4SH?r}6iBpE(0;%bNaI#H zuSmBKq;EoWW!QtRmu>*LIp-YEv;${vK_t57@NT%^L_@agc~4NNa5>xW*n!GG`q1Ka zpK$x#jPZeQsYwJC%5HR1W`os}VsE~hjD3<Zs)ue<#8otr)<=O%Cz@OEyg3K%@!4!g zE>pRm-QOVYD4W(qbD6&Zp^oJdo%Qfr!K7z^iH`t~Kd^s0z&|xe!Uqm#j;|apoq#ll zBO_&|(3uUb`Z<#tP7tqazk`<EKNYP4e{i_yQv*jKAZ%sCow6rd-&^~F?s~#89ARQq zVeC>wE<hIme66;bo|2=%jTFb*jP8X>)-V=YRNQ3B>;vkX%8<bi#9C+0wZUaUd$CMx zpu7_b%AB8v5{$sI*zwQi&iTJt8~T`1+yp7bytNT^RSe(-Pe&ZlCy{s-1$a@|{7s+F z&d<E?_<4t0{B)-*`m@Dk(^-aEVpsMcSshRiYm$1DX$547-L4RojUG0KltV$;teSku z316?Q@I;aA)NQl}hZcC@NG}vMAZjTlIN^$P%(diCa<n>pcf04s?bB&k(>Wd-k%xhI zWX`vfO<Ufhlgl?oj*qTFb+;A(P|LTI<q3i~v37nS(x-d8vH4N5%OH*f!!pdjIOe5E z7w$<D<|UYN?T=B&1?-kRRu+A<#gJ%6uv8L}GsEUw`JplTCkaJ6O3-kLR(4GqVxeR4 zDIU0jn9rdei{dxv&pVRVrSY*ItEr!w`k08SL9|cy4hM6Mny`VQd4ZZ8@njGBXO|qH zk?HFT$`Wf%^(68qv9S2S7aBIed%=+y9`nluL>h+AX?0gM(g<KPk->Y%O@aRqLf~g# zowCSgju{6}fQGNN>3zkVWqt9A=w?`WR!y*!xO#=B($6FgI5+^bAYri}5BqS1ja&X) zFHj;J$l)qh`fApiC)sA2@*<%LUB}%rDTJI-5Kn0+iHcI;GUib38p}W+&`!*c<+Pvd zYf6l&lF2EJ?o*b)iA#6HhO{2;@aiq`A!x`r=7ot(hPz^O=6ypuJIY0#f$>1i!v8+f zdX!IW(4MDu0RtYLMUzl>mhJ>f$Pz=01C1Y5NC3Wlz$1!DwxSuV`gKuNzp{sV0K(B| z={ctSE-C$@=L|W^wRGe{Hm;S8w7~3{8G+dEjGaqR<|{<j51c<hX~+OPVTvcd<yFa7 za~etW?yMBtCpp6@B1xh35uU1nfGM4TgOo#gs)GBiPw4vG-BIeINgavJ{3CiiJ)$^# zp^GFFo{Snspn3#K)aP_`C6;qW;<qxLkHbL{eq~f0Gy&>*MBnmW2Q0QR+=dIlG_f7X zn8CxYyGRt|;?^vyG>2RjRG{dcK<a1)7ItI8*y6W5eGR{<R;c_8<oQN|Op|sm?5MP2 z{>KWOfEii@S6^x)t%{7K3(7cm*^GDE28@EcyGlMhVU$j-%~{5UAPHxRL92Lx_=JGK z_g_7GdMRjefT<B5;WXq2_cS0)wZ>+tjmd<Jg%dz6EEg+3+suxSKEtRZ>9d@dP+!lN z5E@P#Y9A7tG59DutaSo)p?E}(M!}Dk6t-Gx$%8u3sH_y*k+xV_F7}a3X5kim1#eSY zWqv3gYejdjAjhO0RK>$eT5qL=bsPt^k>Ax-l7}}U@G(8Q8&a1;A!IDkC}i2J-4h4s zu|){TYy8aVJ`Mr;3CNwPp{@aLC|%F#hSl#L;<eNTmII1gbu>AXWwH~w?uU*MJX(UJ zori+o;$9NkToR*{hUpQBSbk-?5I#=l8ZpP~)xIGmQ{W!?3{~)CTfDr85<h9tpz-ih zb%}h1PYRohFizYbb`kp}49(v*LZQWPiy{(-Z|qV(H4G<60J<v(EY`7SBU_I@v!jBB z1lstX!GregUW2-#EtliS;0uICO~g|=Ttaj5zYV#{!+)Q!lr*I#RUsNvoM7n~jJ`yn zCg$5dkoXVW@)*a<6CVuiCmpo}(i+lUnI=4Dv?V_4#bjbLr%tzzUzvTp50m1vT0$6o zOJDk++^3y|9eBVfXed`$n;`EARn!6mAOJ3IojcW{$y^B4@ccXpNh=9SrfN*YM$iUx za`HS%<%~B}Va@wAZk+<D)8aI2QZHs>o+)+ZiCnwIuU7-r7*ZB*;TL^<r<%jFUkoJ9 z<!i)2UKx1zu;u_?S&5?!yl%R6V?4djU&dQqd>Gbw2|hc3Cj~gSpWuZC>T1W6SQu;2 zjjD50uDr9K$g0n9n4juBEB8~dorIp5JTU#gdSnP*1JAn#tWQ>%$DHOrpAseoAs;;# zJUZ*zx#g}BT!MDV@(!xUxnio{SA;ZZ{=cBNqmT6}&ir>|67(Of^PcKUb!l~gMkH#f zgRMQE-{N=aR8UY|-+%g@RPRKL%a*g3MYLAd*iVWp*y=uN($jgic1)p!bVBuz(^y7u zlp4wL$$FKzg<<E8V^afW9@SJo2T=r4T`6hcS&q9MMEtK}=&x=+zX=R0N;ya;0+Z3k z<Uf~$dj@G<@H|}@L^;#xfDiF`ivVm|%cN0In{deSIZ%I_6?l7X(AKC(B%%m}^Tzd& zGbu5_t7(5<8hxZ+Vm=H<i;hEo<#xTlv>$1QTgCt6_xARFcW&JA4MyCMccGY+^yEJu z9sNKor=gnvn<x91^aC>!=YL+`muhOIY_=i$?-=w;$frRNBj}H%s3&tcQ>AzF)JaRL z|7jpKhd@q%My%!N-G*l!CF0stQuZQ-V#W6J-xA!#>+0+5{Ij*y^&O<dKxXxq*rEN! z_;@HaIa0+T!zcesSb%@ip{Q@?t7~nZQd%VcSI=4#<E?<I9Yu_=2IOakT71ZcKE@lT zomSs7Lnnd5_Kp3wpUB>2U-5GdA$e3}S54R3C)urY=Fc1~lmg1lm~t9EMsA=aBYjsy zj)8r!O_Kx_32=habGzHpxh`AN0^_=^7xqW(_+<W@)Tehs%9hgJ--s#|xl-<2|CLcc z3HA+6(}rMF=9yNbTkB>t-PiS`bMy>1uc{n*^{qZl_l{fL7tSThtb@_)iJB)gDCn}9 z`!G&I*){CWpaGp*Y3%R{tt}5j_oK;Ln$K*%;Ze)2<K0Q$0FMK|HZTIWvMP1Dt|$3+ zEh4u{>~@^1i)YRdWL*+k)`?>m$YYE?10;H4^GihG@KnXU&=x1*5JO~2S|^D?!(WuQ z9Pp_^(P1%rQ1~e6fYVL8<i2_%58-~8XQT&|$$@m`^IqZXuI+}|fU4+q&i+YFog5(| zo+bB=PNlHqS{+6q=Hf}VS*6~&1RV5NzVH;SRSq|+P{^z|QS)?BQYhlYt?^Cvt*92a z9aC!q4oETCuD!a-veYtCxU&Y>0Y$LM9eClsWo7r`P;&7=!ce+9UR6cgy!SL(wHT4= zUkcMU;-!`R@$&4}Vg%#hg~<8m&3+>GV><JA-_1o*15&AfLI2!^7JM%#)iR$1@(FPx z^=g?&cyc-~$j>XKIN)HvC(50o&NiM;NJQEq_l;$YlmbH+&9SvJ;9_)p>Qeovad^&h zS;jWj=K;Xe!Ja4ip4^{Yu_x0?2Yw@jC~G{sj#HEmem=U6(psa~PbC#}V~W^r`Alj? z_EHWw2=&2)F;kj+2yh2tntZvDHf@q54;OR?T_S}?K_Ux7E_S4UBNwU$zD*zggg!z* zohoIks0fUY>|_1pu`l-NM$EghP2;P!vzlxHD#d{X-C1IU_n89s4XRTndyMm#fYGRT zZM+}?|4f#GuXB^IF<(qq#7WvP0gqTNKi9)1>xP8tZSf-ZIiv;8Eht%x+&sAaT^}Hg zMX>L5r-2|@CKdzB1*^;~`_!&*OqK_NWr`XC^511a7a|U$kpsu5+-VnQXBk+B4C&1G z*PB=g4K<dPSo3gG*Z4rwDnM#<oy^79C-6>ivCO!y)>fe=|BTh&odY@Vwf^b6HK&pi zjF#$Zve|=wmKo6U6nPXAirtE6o`x|O{xx;?+UcDON(BQid5am`TaV5Uw2|G%^%$39 z*({zfD?y@*>~WYT19#fP*#go07pOCvS2ZBZiodaMlB@$6=$AMDwe9Wtt7b7OatliS zol3rLC9{CR@_Gq|E<lgRjH6^q)+$Fr-YREUt4v<6bF{@z4|P>5R<0h!Uhk~=K37hU zR1(HA!I%m4f@8R-m|A{iAe>B5R{RGP0z2{z;&*+D%6_@Sk&$90gG|&k1?)6SR9pNL zx^h_aA?>d~+})b>W0;_8N3_-v@4TfWsRT~e5MZ#fYpB|*0RU14o@+S*a6WLc>#=|M z0%Gyj#z~vXkz1)?9&DJZ*%McVG#mGZ^wN1vR~afi7<AyEZnKw29-f&SX3N%wvR!{$ zs@8)qfcl^hA3Tl$44g0K9k4_~yc($^vU2l0MW!sr0*7Np&uBP(lR3*Az(l)F&*9&N zjY5i!!pXdmTex}rqa(_@N2VZ>-R@RcH--r+8|i92kcJKN2RlLR#;vZWJI_&{85IoB z81!0YzY;>ioIE$N%X!%PO|KjoQ_$h_at0cYR0Z$ffnJ=7Rv;dwmt;pe(C4+r#yVe{ zi@gMbg`}wQA%c)0#2vAwGnkRHxV3Rz!@#{zeD9dN_Q~A*=R%3|X)b_E-dJadLI@O9 z(hA6dP()>LK9&Jh!}6evj#SaK3EShKkL|-%3G1~4M5_tAGJZZc@FlUeDD+a)w~%B} zRdLU>73sKiU>(<-&Vq&Iu&&V7(f%;JFCvB>q}IRkr;ITHyJ?|JxKMXU@ddusFPo88 z(JgZ<ZLZllcV}nk$N%U1L;-4vz#s7O6@f^wLsD9&?rdDxP}fv6lUBQb*x^1F)W(nB zXlQ9gFyav{#kpMIz+z_=q0J;pbk4Y@pTGF3c>n6F<r%&bWR>7wXPpUJ#a8-I<bxk? zIdX|<y7F5FxO~0lV+-%fMrpv$rL=)<?Gv{&$4|9tAjvC<vFSnd^@-8L^)aSw@Seuh z0w1E_YBk*H@JG+Q<Ms@=_opvGY9HlVZ3?<->&(>pk8L0t*+5By*G^I6&-2@DN%aFg z9@(5bT~&~b`IqS_9%wr0w}{^8Fu7^)?p&T}irq%fdRxa|N!G$%jkld}kGKTD`A^?( zrb5mL{@^UsABjT2z=2r>&$yO+LI`_;?cW{+NPbVP&WOS;zlmSQAvW+ga+5s4T9Gv~ z5VKg1MFm&<kBCyp3&Ofnc14bF1Fh=%n8-m$q%yrxt86fv$NX03hXgScyC@?6f}u%; zvpZetGhFYobIj<7i6$FfYMV2#TM&yw^Q~0wIYYsdu^MO54r>}1A=1@g>deWrn|=j` zic;n9L(45FXmH^!(5-7M7zssLMVLYys}K?%Fj@H6S3*H|AY=n~L^O`UUz&v=xQ&O$ z&;{0!(<k><=}m8Fgah8rug|@2`hW{yBvL4-%9Xke4(K9aM{do5`Yu&*e|;=<GzjvH zDjCUxELN5CPSJT^Rk#m%;M!MH5jedvcJj&jdN@t=cC6@<Mih`j&Ho&w{oK3d1Eb)F z;fL)?2?w1#m??ilH~dnu|Chu9<G+2eaImrd_e{b@{02Lc--`y65WykwesWQTOb)u_ zT#026h}DXpb8KjOM_U7cvq;q<$lo`D*sXDLt3>i$G#VFv#?fA4V7kA5nxQ(My*g)w z-|1IssQ;<$HEwd~XaWiaF<4kCXU^mrK&+?t%LUKa<H7vu4R~;oj53gF@OomQa#Use z*o|zZbIPGwBWEcB4ftu5D1{rhkQ3^6i>{r=>X_jJ2P8@M-|0UXba>c`VC4f{j`kV> zH4XidNi&P8@DNTwRiL6Fvl@vcJJ2Y>nDDIY_}Klc!FIEM7_oWq;gxa~Yj@Ra{Eol7 z$tTg^8CrhVCf4Se$?<PwcqeIOWt|EgA5|j7bgOK&_zKWYl<{E&L6>V;#>(oKie*IE zdNOOq3ul3<&t{=5mQzMjX)fp#0_|WjITM9jrot&VZCH4b%(vO&FB7@U4e`Mrlq!%A zfP>L*AtFcRIad;h6C%gcw}$GV4&um55~CU$h^*I;T=F|_G#pbTeE_QG&)QN;9mQ7q zIe^Gehe$uUC7DG06D><#Y(OM)q)~6u8KV$&tR5V#ZQz}gmu4K82Ce+Lg~9kZ<ZsrC z^R|M#2CY@_1XC$5RC9&3$!S@8LVy6=s}xequ(e(H(n{1P@fu_lKw5N@Drz|&*Cm<3 zvJO$tHGL~nUueI|l33Ti51!Ee8m->Qo<O(0G@>nG&c|`0Z3a$onnGsm&#9b0u5b3e zY}vFb`<{xXA)vb+^<c1j@SulQqj<BTTNv{w=OA3Eb|M@&ZrF@}tT2!%9peAt)o$1@ z`TYhRUGZbqh=9fxIDi*kMri-8Sm0MUj}lqmoQ=$pVJ?Gcvb7+recaU3KmC?jE<r-- zX|9?{iGzQW4OqO{ac%lDcHh#i6?r-?{b9&fMJ5`wSl@44iE&ZKmSWvd^1B~muB(N+ zImOFuHlsI<hY_ll4+hEqM2*8WoNCQAp5}xvwqA&TOibA8#k)q~T)c;%xtHFH2kcfh zO`p<h2(butDYN_lIihCz=`t4sV$uJUZ!HrA+|prra?#U_3e}NY6M!}A_G_ByPCciD z>013sRGWK7I4vE4XuDm9Vd35s-vG|I1+h>6Gfd1Rw8-#MDQndOG6oy!i8CIul7K*o z1?JMb8B4kdGZ&60oWXaa9;be0xqX*nq7aqru(@z21~LZW)E&B10XQNa?d<^Gj<09K z+qj*j{alLgO#)Hhgq^wK`sRM&Qiv&jE9`ce#vNU~pvuiake>IAI-)?0NiYlAAk$Mh zp{k(T7DdjW;iGjO%4doc^ip_oVqNx~H5KeQU2o^ksEy;KWCVM$I&{#MQb-!wa$k%B z4#uSUJe@T!b~z_oV$Kod=K`lW#VjsSJc5d3^6TP+qm9}SwF;Mg%a_vdp+y}WW^zxY zzFS_Lu^ew5kVs*u*X%<D_j7(Rks0?MeJBar+kDR=7J-EjI1EB3567qIZ%j+rjbgu4 ztAMK?G8SHTdPa1l(mG%2Z{C#55gsSD>Z~#T5DP5PoDYBspAp!8-(QflJ(FR~9=(B; zA=XWe^+Ibqg+VHuV~)c>qb4r?D_LvLP*-x;gok_g7{tVCe;fegci%c|K<UE|)?=9t zc2}iwbic22TJeT8BbuEdvV!~IX&hlu!46QFX~hsk8diUS3-D#17fBF>X3RQFM)SGF zhuxnA|1N)hfyb>LKFe*arNXuluCLoRzO+az;35RmUf|E<Hq*BbR2qm#)@?X^pI%;w zdlP@9joxRHzi<j^3$<ot*B668OMT-ggaDr9cNK)&!ZrT^#l1y<%|guobUuUXd4_C1 z8hXTn-O{pi9TqYB?H1NRVfs7-&4p)vHi<NQS?Nih7^g@YadS||gu$XaTk**_yn#u* zPK)E8Uy$kVuk1e_EH!T)yk8?ZrB?b9^=ABy23NqZl%|OGi%rc;B@S}#9C}3rv|E18 z8U~Z{`5Ccx7N^-)HKBXYdOkwEUQnMho9rv@FpTTy?}Is>p&A`!%RvNS;ex6j{T%-- zLMZ4pw73&(-2<}Vd4;1NYM^<3{TRHYM*X*j0$x95k^f_5FR8wui6|;TwnW2|!&vfn z59^+3)%GKSrKG(6+B#4RKiBbj>{d>~4H>ck+f(6QDeis?rS(yNa|=tT&9FR4XmQZ_ zI0+N0QdOW*$_K&rO9sokpo<)f^5=H?K8qO0Yfhe@i^G>Zxo`>Uy2)^HBB^a}LUE>; zQ>vjqMiMI$@t+ti;$4zVNYY)UT&5m{V!@0$34i%4f_T!v*S@iUw>{4<JXw)&VRXUx z5lZvpy5OU|ACOWqBbR@XN+!mCOCzxS=cK?8=7jwL=Y3xNtq}q<5={x^d1DA4>Gh-G z$>PSCF(RK|0onSocsg$p?%>Ch&QOu*gc3H?Y=|5JY0Q&xw;B7!<mzR6PQ*!0=L~ZG zkx`!L*rgYrOtIFuS0)s{552`s@OVvL&ol};Z$K7<XI=^KZecD1@mMg09<H|BN4;l4 z4y0O_?fS7|#>34_?+!2j&ZpO)5N3|kNN%YSIz{t80(-@ilLqwTH!PfF(Of*ZJ|#*k zJPZ81ba{51&tY3qgGrNfs5B}nJ?`JE^Zk|aMr=fT+H!ThZXZx`F!25qwrubTn2lzq zb^UQ2-9uc0`~%w{PEQ8y$neiF+)!h0AXj*`bE?Vuw4MsMj;(^o{oST+$BMUDxUuh7 z$i1+r0#b9$`@8A4z12^Vf`_`=cbSc)-u=i(sifEY8NZw-Jpq0bYl>C+@#VM6c!tN_ zfyp;l${Wed!bj%Fi`BE#wgByd=DmlhN7**gOL=+yL}OQEsn)a#`4Fp<9>U*|GP-W1 zYl+dZgrp@2&T2$s4FXY)V-v7W#4NF;W07<vySJ+K3@R)m%;#OnP%Z*zqWA5QO2pq8 zy%@R|AR%R{^p@(?M3#%(M`AT@J>i*iNGveM;-y+tOI4l>=DDdJ%ynN_SQbA`u`=I3 zSR*dRo2b99eS@ss3a6^+&sywrw%mmEN%s?)uj-STvpkVM)|AVJZu9BO-i4I68W@vT z103Jr-xc8eXc5G6MOOm@C8HBd`O|eR4rBFNhAAIvk=bXlPjn$>@tv@=O?P(cxS4Lz ztujk`+P{h+$h~k~bxfQn7}<0cd2W>!V1!Aqy0F`Eq3@zt19iZOw}uz>Hc}&meblF> z7ert#Yj&o+8q|K5+wu+cpC?DgVqA%XCH8S43WIE|gfc_5C8mbdeSu1UL7FJlcFR|% zV6Yt}bTcRBAj1()VQU~PqOYgjlLyAsskLr#*hxsJrPE0+J)_Tnz?FZ-oe4#AE&+I^ zxg5jay``ih{M;Hs%XxR>sDIuchYW&T7252z0i-yD8Wx{m7NtjP+6aUB4(0j?;Bd1| zqb$MjseHHkViA5Du5xp#uO+!DcEFcgU_3SYqToUa5D%B?x7M{b35&36)#z2FYt?{< z+}s=%Ms>f^@Rv%INf12yT`ne>F2SH|qugHMF!JEm<s+Ek!AcF~W$~l}TX&(@ML;W< zyDrHdHz|-%dSCE~_4}4ZmYylXiPz{onCR^6F^VFb(y65Q7&#g1bW1s-ei<8&N@W}O zoKxhA!5(ejGG4#W;}3341gDOe-=~43J0wgTB}}}IitX1!E-0~6A>AtCk(zg6u)EH! zYItl+<D2@r9DEY#OtG7%v=tQLjEXphw`7o$Y1|NNJDB4g?T2NbT=nuP%wq8=*CL(~ zPlB#-{!j<xFVnZMhLJPrt_at#gTy-h7YXpPELt#;Kw~IHtY5SPmwyj#g+mK1aN}`) z-J)fpd4>!@IH2NPRnoWFspR~4!{b#S&l-n`h6-ewt|}NFIe50YP%&j4kizEaQi&xy zQ4@{H|30m<2k7fqgRH1PgCT+aj0IT06KIeGe4ZN_ezVk_3yi|3snvl=KC_qFL)XnT z04$bq**B<$<yG2k5Vi_doTZs&w(wzQq}HtXyenvOPKel{#cu3goP+k1)Z%QcETzXn zwhGTD@m)Y2##GV~Ff$^Bu}S{A?5PGrH$BGI3*$CQXL2&-h!SkdhdTSa`RauR^`dwV zJp|s8he8aM?R%o~!vdFnQ2%u%=y4Po!X>)41EPXAUpO|rTsE+6U2;8%1AZ?hc6R|K z)^$JA5$3f93@8#ob+g~7U<sKruX;N07-_JF=v3`^R&LL%gQBVkMjvst8t>fHOM7OA zai#e2wdwI-SQVV%TvWM=bd-RS^J))3?L|XEpKFu4e9#RONwd-u0SgnUEdbjETvR^h zL+ZW2EJtj?<f5`zbdVwzys0m4ymN}TfRF?1LnYcoxC}KD)T-pU=t}dKjSN$bK*GIO z4C~Y#a1P2^3uOlZBZ9@I5O-HrJ8U`XSB2F`1M(O;ud^+k_z~hr9bWxj5%U`>{wseI zrxZE<mRNwvY}T`F?|zgq4_S@VagteJ_#^Ya_zN-BT_xJwda^REEO)E6$LgdNCA5bj z(aIi}+Sb%&OHA?%YT#;9%E1`a=hkJkI``Jg8jw`x^gFI{>D}p!uXGE=wd2O(MTIcc zV23-OoroOHJuy7d#^%v`y!hirEY^K?@%_q5A=@;6GAAtm1Hw+9e>Y8)__6@*?4G^) zP10Aq(8P4$?ufs^l&j@ykC1^2Yxb0>C$RLGd+^QY5JGh<l^JQI{Gddo$%v+;8*YW4 zV9x40hpvtPG%H41#MqM^t2)Q-USxIKOm{mgJe;Hcp#sdS=ZDeX+YTV#6`S^iAYA8w z!R~Sr^C;+^FS)_n42aynMw6?l5@Cqsm&WbBfV@ya>{Xu65)sX4i$PgE>E?6i^wsy5 z*Z;X6H^FC44>-(NX%|40=o2M%9xkSxG?gtnYTf(+P6yf){}+8{=KPoaJ{ud$f7SOi zEg6SR&R;zr8jniwfBBLtPMB~e!LlZ%$svvtvA}HE>`*r7sESY>o>v^YDV6Nj#_~kb zV`?C)`OzyqUm9XOZXCXyJRT+-teUD3-ICBdJ3sW4F(O*3Jj{}DVbU(I<vVBQ*6;=V zHZh!BUq-&!<qk*_3{kVaCQU>mrUiPhj3(iBYSzlV9$S7su3vHtZtQ!uNeLOY$tK>N zyegWES9I<9fADVP8DBr>`6~eHe8?AO<;-qCYz2PXet@?XxzD0`GXTx`BT{wp6JPdM zt#rz%>6Yb&Iq#)|i{i=k95+7Z<jNSrvGF=GwAJEix`d}ScGhzb4z|m$bB{9l={7`J zY=W@nvvogo30p6o^|~iGZFCNRmnpUnj1GYBjxcc>`fBHcG#;*wWWNiL!ZH9aU8vBH z*xn%Ime<^0W*2_LHz9uz`zUw7d%phQQD*sF@NF>|GTlPKa{0gu@>Al5?q_L+zRJ${ zgHp8!Pw@ir9%WpeWKl}vTvSK8r-WE>mG)|WntOr?S<DcxwJIZd4e?>9!-svnjkrao z$d};F7u%LK?Y#g>0n_2o)_*32{DpSn<dJZN>u!miD+JpYvdy`h)DebW(;b1=9Czi$ z!%fb=_K>Ah3oKKN;xQcG+d$RD`vFF2livsF5hE@?e1mwJme^TM=n^<6=eGk-i=EL@ z6#AD)>^yv}WiHW^f+gF$WcM$9HCUWDkJVawuR;QPF>+3}fK6-C(p|<Nf{rZ|Yy2*M z?{;I3Hr7hdoScau|Ctg26zIN4w#obc315i=gk~b1s(MLguc2xsf|Gi)QYf7iZp3b~ zIuLz_lUnF*GARf>K588ju==DS7Em~N-zWFiY+>Wh<yb+X71ovl(60urc&t_JW8F;{ zKdmBEpD2*AoIv&nG)UPc_zyQ!tWZYIV5ks-F)b3BvE+tluue$M`BN{r5Um2p&W=u7 z9^&&`!rAw`uPHar4x`K7NVE<p@ttwI&Y5=VIt$3%R~%7nsD3L;tV=^&QeoyQuy(uy z0;^y%L0DUG4pTKWza|XWD3~>aLu9&4yN3tm*d9TmNATc7*g}2cy|71#ZUw%@dn8M9 z4qzfjl0oCN(ZBuQXd_f_=$3^J)rV|5{^StOXN%u`m7`uqi>RN>JZhqP9YgX%=p%@% zb-vg%Hw$0Zb|ZRQFS{4;44ezHA$VksQZT-6qy5X$v6BihA@>hAr>PT!AU!X~rq_)s zjfj}Ty|KL89_fK8o;>CYo8ZHhz!PSrBiFwBeZuIWnkDWp%o*Upu}SeDB~~YZVP|f` zpD|*nxyN*>UplPttpkZPd$QI!526F?x`UX|oVdFLfaW?f44cV)Ap;<7$Pqtr2+Ka9 z{t?MhKc?w3NUbNW&%H;(m4T>cYRA{rjs8cAuiwzI1?^b4^9~kipG=Z5yZW2<YZ$hQ z+GdCDBXZ~(g#mp96S;&~_^uT4v9Teg<9txeN)HyLV2@<BEKE_9H=%#63y`I#$uQ|- z(v1|O$fs>so#DZQ8WB!|YtOyE+yLD31^i5d+ye>bxO`Jt+i<!Xp%MpGj(#5_kX&aS zmwihTTo6~K0t>*h@$0fF0*xS{6{K<J$@|Q;CorIt2*#l1CWgZ;dm%>X{1|};l%W%@ z_;w0n*wY8bQpZkYQLYAbOxb;`O1NPxMtGD*fX#`%Is-E%O8x>tYf(bncY72CA<(ob zGPV~@9(xfyUS;$z2?%J2T^>jzWUAh@P&jtX%{0WU3$xPL@bo8xk)1wp&0UPjg0yka zmVqUtTGMMdl^}m_6i$p;=?lyzNb2O%ShWIAUZcwah^4GnL^?t!cOtsK^ti^CMM>#Y z{Nlz0BprOwv3K)0Gd`%om?UGD^u~Jb{ZZL55IFA9{NROb{>M1NM4Soj6l#<M`9<2H zLO!iWqO*1zQaO->x*aw|@7@51Qn9n*RzoNQ(>*S&eYWBpeEh7mE}4Ob=$&lViQ{3V zOl-wR@am&wCFezJnMmDfjP&H7I=E{YMou05x?sF5l|~;!LpMaKuiByOJJAeNaOyoU z>7@F<KrnllhWBR9MaO_!A@Ta%Hs#5Oc{`;KoW9&w;OuCJd(J-E<8J)+;$G8H)zQac zP7m;w$VUb_JXsT3uUJ`^6++w!?7kHUkcBNZx{7$VHyrZ9+ZF`g>cePI0|Ju8JF|lO z@p2inPiZBnOVo(2Wmq(#;JRSyctV)+$E`K?@A=ZhLuFl%l<@DxyLBVD)<Spc?Y7E@ z*c}9)N)~9fEFC(CUwS-mJ=P6|=f(pWcUr)3GBcRcZ7$%&!MPymb!@UFv?mY!&{lc$ z*#mC1SeJ7hSt&R+3h$+;S0B=w$}zU6=pMwGD1OMg?<CkR*RoPTCB+SSb`wVjQD-JE zhKE7G;$s`R5g7O{G)74xrwA>CM-Q`^!SdE>X|Z%G0}V5`iUnf~4j9^xgIB_Q=*{iM z63!?F)0{>su23Z2ie6`E?ojl+EHE{%gdz3-?*vU3*mqtmM9i0!*1U|-kIyE8`&Ww3 zzzeRQilE}&&vcFc!Qk;`ku0>n8Ab2BeDgYeLRH_2>d6PE(SGye2<6(Oi>vBN^-tL< zsZn{7Fw{wCdA8HI&*+!zOx_|`j~7s(AvI-m{CPE|@{_#uluKIEtq3830e~nGayrJX zgQ?&#i6WXRl0De&=VCB&Qd*as7I2b~o2H=AnqZ;{nl{GOD}SP%z=GK~8zeR}^7*p@ z!48wufUhxJHF&QEEfIYo|0S|+-NB7>$oQ+#JTAT|*AI5an{++_Y}>g5b;`rz69!Bg zg+OykhkQp0r`?(WZdh;z{;gFcwHYCO8ZQ!^I=@)5%+hazUW1c+|KH`m;ywMbm_TCS zKdtkyggKM_wC8r`ShMkUtoDytDh3yl^WAWJ&1C56PQ|%4i_Np^Ih~vJJeg^+A^1EU z$D2a?p~dNeKz>oq4z8&7MBmwgS*e2se_R$MSp4G?ZfTq-C(mM9EQ|YSwm|jiZ^5-+ za>?A#&86_V@=b8|{RSZ)gOeqZs!KGt*OH_W6i%HbO(xt><;M^BD~qiTiPkSmOsA3x z{t#?_7PN2M>=yA3Bfo7VrA|x<KyJ6!gV`y6s?OdgKj<hczeb4k@HS_;x4hf__^1J) z^}BGPUOa>lgl4Bb0F(v1KV>*tT+Kg&f#TZbVwpNJyFbaHo~CcJfu4#2k15DXCU6#T z{y4%6^dZsyUzEL5uy9KgC3tMxwr$(CZJ+Phwr$(C^&Q)`ZTH_Zt?0fnb2}m*_S25q zwJU37X02Q`;(FmjU_+g%Mv9u7HDJrZ;gN>qH&4qkbgeV{xeNa2HTg9};2xPg_VPXm z_;-oeumdlfR5b5b@lI~-Yc<_uoG|wC_f-Gz(J#94FT7~(bz(D@${i^`Dt4tm)Gx4s z%)RhGM3O8_|I|~${O==44Qc01HiX_w^}D44Gnz>Igz=|%vn>|OElJwvBX=GIP|0%1 zctSyHtFqsoE)4;CX*s7k0FA4|%@L!9<lB&lCMR#49a!(|!M8~ph96d#?5)W~1{X7F zb0n@Lg1ZF@2Q%o?8QKwVPi`3>w--wes3Mlxt^TZjmiz6?x@s#axu~}1K=@m8e6ZD~ zfiyvY3m@{ii?4{ZkqTv%pf0anO@MFUz3_*rb&J}Gh=aetRSfhw=X<jOejsW=(Sq7n zqK;Tt$(DHT^TGcCgMeFnA*d!^lFOTjx?bi;C3@MI)OD>t1nHl4W6-2ll2N5KVS)#I z5ujt&G;SIDNTVoIoQ+pDzy*2>?X_Ws2X+<(R!Vbjq0-{$MA#q!mxz|Fy~T|JZW7U` zabVE)o1Ltm)_Ocp9i3RQL=Yq17$0_Z7PFqMSEh`E>G_WiGaiZYk7xAMfWj=0+q>>j zsbm3NjKr6ny-dz6W)m|o=a4xjrgdou8MU+)!keP+jmI_(C8A?B-m+f^>xHP!zJ)Ga zJwDRRxYOTg8VdP!Tq8}w*86TcbQDDUBrX{`*)BOpMN8#zWLz>B39)C?wRl>~JS+&W zh5+J4e4i2Ueg12T4Q3)<@Y|*<O9H}}Ja~~=6ze+pOhV<BSKK_%{H*T)$)?+C-K6`a z>R?z&A|0%+i`&?xE%C)pg+1Jde8=NR2{bJ~OI#pHsa3tph7!!kc=;2(nc8YTEF5T& z)(Q-}%|euPF)Fem$Y$v|8Zt;z-xRPhb^VG=@$6s>r8%mGFXP(jI3CcW!94ps4XB^B za-nm&5r*l5fFKQ%@WC@6<ws5>D=Nnt;zbH(KqZAM1B2797$!GRbdf4Miu;@t0tw9b z4-xnVfQ6AK{nJk}unQf)y~TW$H(Y-QR?(DiMl8MiSC&dBT2r&s#HYag;3?xZTg7{O zqP{+H_2WG}(vc6{Wq5?3NHr*b_M2N(FM!}o+9ZDp^?Yt$H7sM#0}gw^_9A)Bb&PTr zy%NP@B2biB-ETbS?XXohC0tIh=-(2bOGdwtZ9N3|0{!+5IdMloNk^P%!6FO`Cc@MG z*yaKpW-9l?4g=F@w;qA_L7x--RK+iT-!2cwZn=?d&+i1ZD1cl<AIWt$=|{y@#iwKU z0c6!l(0sVbH8fX1m0#BGsdA(Ree&eta%#si49==)2uM*@$Ba2(DV()-MbsD#k!q?h zPf%sm*>nsBiz!qHD7@9tlArUrk2#Qgr?rwt=|QmOm;)yLSlepg!!UcyuHgoTy7h%r zyP&^0y7<#Xd#;A1oPZ&r)-~g#>EaSk?mCKIt?e(Be3eD5tU+s#rEtc)>FwbGZS*=F z#^TN>{i|~5z24_D1ir;V-^!DCY>C~R?uVh7H>J%=)4ch6JcMJ8T4)H)GN8xhYzgN| zeHINwq4uVK3doWUyYM=1NxL1879rJ@bqDfQ3yxv+A;cEhO)1l9qESYH92H9mO03-p z`96Kaw=IvvYZEs2n*O#n_jAV>FFqiqeXJl2FsOTZl~*36>gGp<VR1pD<X&Oy$ZWIZ zd9YB|uCVq-If}>{;3(GtS*sOZ%0POj<ke3fHy3Dw8Wc;%q5!8dQAQ(oGmU&`*aAzE zH)tgf^=~7=a$T9~Bkh{i;Jbqe1c$arq4-3wL#~c`9o6qxb1GuNb~1<PI_2hF6H&Xv zfIMGd&?(-_xji+UTkV;+ii3j2JwR}@pnt5rd=tDGY74DZm{JzcPukSZgRc}BoA)W( zH_Ub+IC0B4C=Y2<FLz_bv1i4QcSd?#SVlW&{fs1SJMo0P)BY|z-i(;QCG|fhO;J6c zy$s|$BJqdukv$jcu9{?my-AJd`UtP<A(4F|m$J6xGHBi%#th}+q$WOsvR8Mq_CxBy zCKsl}leYpWPi|b>4Y-p>P8g?a-x*pvLyOLmwZx0ATUQ~T<P9^DJxlnf3g~nF1=;8@ zT*|(=K{;tZN8)S_FCu}TGAFmY-Ycjk6(XY#XWGSrHGyC9>-0tM`xQ}vxZhRq(jSuY z8+f>tMS0r`Ql6AYDzSQ_LW>c{k0PG@gA!YNvl%FSr;ft~&+1F*{4gwixJTjWT3z;w z0m5j4d9(=sWqkJ)7mbiCa)$w8cw!pip+#2a`V0QS9Jl&Ui1iQLMwb8H1o>|eOG(y# zlL4mZQ~k~YIErkd!3g&=0hT(xHpb`D)4`S$(Lg(+ruwWe&%|spzBDZ7=?RaLPwA*0 z6i&bBlIi11lz^hNI9|aHAjO18y<WhCNt6QHJyQEosTz6w@PRO+;D9G4;doregy%=C zx)y@=)6;#E+t{lUJ?wi2j?RPbw$K#wJ9=*Q$iEEBd*GoXxHBp@my<=W8+b-3W#|%R zLy${8qwT;ETJ#Cy9zKR1M1mAU9{uQjhbw1l0mitkN=Lxx0gDG|SA!R6S6h6^w;s~$ zo_-O>xhiP$d?%x`uvh456po~Jhy&;>0x`G4Ljr;E=MULZ>+e8^#h|vT^%nN|FOQ3i ziMibOo%ay)FE-U=dDHX5$){CIcOUInw)4&BBA|gcMqIz01SMHm!1)u0nzrndhccmo z6VmWvG!Sp6p!&AN!sSe}pLB+=7o}ic>RzCWxh3mYc1|s>?%zJ}96K4&xpu`iY_{u} zJpR6RVGi-pj*mQC&pz&osr0E6e<Je^e)76^kNe$x>sjM}_{(hn5SOqr|9f$>>oi&C zECz(o+aFY}K|ob%NS~)vCdm)RoO6yXCQbx`P)b1f(VUZAw+097w&3B6c5=C{wJWRn zp{^(lO++y|bo_&nE@-%6rK)zKd))bK3xG<Hcn;!KJ=GmOTAz{bw=6$oKfQXwL`A$8 zJ9|3D2$NvuN)$aKG%+B9P%8vFX%&)7I{R;b=R?Od3zC514GRn;3dwiAAL}IBs;v;e z%BC&wJKxyijB+><RHb{ujuVurcpP2)NmCmQGv~W}ziaqWsF2wTovX3#>q)2#b-QfY z?1~B5)9w?yx1!2y=UX)ozxKSK>q`(?iGEa6!!xyxiN$N*9MV9DWLVw{aKaUytkdY` z7gonuxL%Ip>-nb{q<0-~g7hbW=z~viVhF1e%pnXy@tSFv^J@n=0_HtO=9p@GErDzM z`RnABrU@TBPkwKRp6;6$raI=+;_}N)lJD3)YG!87%y||Zz(t2ZMnTc*p-yWx+eW&H zrG1VnHCb)f5#ERTd~+cCh3jCR-c8Zt&b1itVx&)sm@t>#AR_aGuewz7!6L1l^;YWo zkrc~?6xr)JU7O3N*=6E*sdCJ}lalG`Pi>E_wqT&5vaOqcIIRy%^u6h=LK1OFD-sZ& zOMbKeZgP!13jBSZy87cR{Xl$@>dVunU_H8qIT2wf$1Y2m%S8-qYLJlCm^{9ZV-Ih~ z7l+;lAQUVG_D{>~A2~&A|9&%x>w*GeL=gS-9-(atIg~*fD@Ik(K=3X`#@0nOL`OvQ z+uZ|(rmpH>80v7w5N9YgOP2LJ0EtNC66F&}OpJmQMpUBz3%k<FYpXsfwSMBU>`aAJ zO-$+7@9Ju2cm1Pf>ts8+t`m*IB-~4arvwwJYrcXlrku)}?j70AFVFq9SAmkcWn_vL zx_j$$La!2t;QRspae1+vR36qY;fSDDJ1Czb@1p1lfI7u*`41EDPd(*qjQ<ysQK|z@ z|M9b)PwGF^Qz)uP1o>?%w%aesj9W~Y>R_B^QVhfq#qXa`BshmgtCrln$IV^&J{vyr z)PxSu2pUs6=1uH*5MYop6a@sE{^9-*#u7d-jX*lwsvUA^bfR*u$2%ta=6}tIBnD@$ zr-Xt)AP_((mkY!M`-dn(5no^@yeF|nLM{=JxO)LJ0U!)e#Mgl401^p*ft9C7%A}e* ztU%fK(>nL)MrYz6r<h9)06qXoUCY7+a5i(i!*zAJg_OM}5JAPKED7?gz{&wXrarNR zkLm{$wJ%Y?w7ec5JLB-BT3C0qlD&=7oHL>t6_0CE?Z>FDYHlFI>CUo`jaFL1iSgZo zh4^7)Wjow$mh6_VDw*6I&v<H=AmH8*qlYx2!VHl%#7>YU!A)zz7Hq{~kt?S*BO#Hq zc(40-M+G37G&rklH-Rl>l~cOwFKvG6DReIuIqt^Rb1p+zT=Utq+Q^YfBG^g?^xryO z>f?aOA><J}6E*Bb5=~q8tkVd}dUUt1BU=x~hA*}i7!(hp8mM@=Z`m8gW>ZjOKvRTR zsc#bJI&R@;>Xs|BHkyEql^2sLz7uGV=WPk#Yny%ji*exiuxHg~Dy^m;ZVxNgfMZ@* z@>;9usO-cY7gs#oA}pYgAIOQmt!K!^E6jfesV7QxaJQ+mayUE;9VlTzk4)p~FpJ-A zMOxy*lZpC7#@(LJJw4ya9H#IGu)iZOg8Y6sr52C3++Vkw>no4zWV`v9N4>o$s))=B z-Cfc#z<*VHA2)(6l(7AuH}SzguE!LC5F3|_c(lG5v%Wz-V|Wt(NpXSsUrHFUasDrT zsT}{BE;yp4XphZ~<hxq8XZ$%x%9%~*!2ne(=>t2*jo}JsK@S0<sr4Q$O{1Qeb+r4M zwLF?it4+;KjV&>?Oy~CI$dUbS)~+|qaY%|OZ{+<zR_wpK9zXdu9h$f!Pj-+YKVL7r zdj*s9Gb2`r!9@AkZ_dQIXBSHr#XgQwc8jJwH-^sR$ala9;;uxALAXbnch3R#C74FB zfu6oL-jDugznC6X!YNw38hB4`-WLD~=f?})BU%l}&H!y1KMbGn0(76~a&sI6$`pZs zYS_Oa3i67%Q$&a1hhr-tU6m{u@xC-HJ=ike>+c7U3b1861cEvMhk@P^s1sly1r<?w z$g?Z~aex$%SOH88Xm~zQ3Q%zb-yULf=zCSafzi`PxQxlXxT5MUIAMJR=Vde$T0lTZ zJrrCdAk<56FTzZx*v5qeAlGq!yFXI8L|HuS7>M^9;5!RM0_>?6u1R|aOfxlHC$Shd zBhd-5Tv({qFm$NdmL{ZJI|T+dG#v`IE!KWKct8*$A_SP)cqf`d9g66HO=6HCC|XjW zdcZhIpbBcH(Tey8iDHUzck-~HxkVIAVJ5a9&P_@76VO2<6|QSGu7NS2W5Egx@Hn0o z1cPOFFt>tpY^AjYVU!%sx6=WG!s2X)BE^8KDnYX5(g(1s5TPjW66wXpp`Bq1xlLfA zge`G;A|WOhC1_wlgi;|s4h~GEn?Aj@a!+S_IxYC}`0{z<`}gMi$S?TvY}0#jZlBv) z#EtN?^>eG|_YONh*s>$9Ugm3tZNQD;V`_u7!62Ja@?K&LY5pd)vx7k;vhug{i=9~| z`$-t69#5XGM(e%!<Dxw9*Cjl-*1XTb--`)DWv$YsfS^^!ZpPaNeS)twmA>D5{UBC< z!t|)BIDCHZOJ|NQ4Ymik<thVWmLB+qCp_vB{<#LO%-K<L*8Yr(v+070on`&hlcDQ( zyqK8_!Dp<8i>PCux~f&~6-`<*^+(4Z3mt9eOa12~@2AJBD9a~;wSkKHyLpRPx0sE@ z7ws%C8RJWq8-OeS)NiupM(pOPD&Oe~I)>a2^N^Q<yydX2CeTnk-3ASpz~>4sBL}up z_uGp+eVGgTp&`%a?#$JwF0lCR%o7Iew{Y#ut}=O=btIkN6<-k(-fR}ot2Ch;AxKvm zQ})Xs^}F}a>bl?<Qo5T8>1c~e4VLtm_9ciRG&6BZ%@vNbZd)Pk88**ezasim^}}PM z-fkQ?dUO2QG5xS1Q@>hpK?pu@LDfA;1bze>1Bl|U;X(Xe=yMysE}+b$LpSkf{mRcS zFpV$U!-*XtHk*yfZQlrk`zM<hCAMo)-gP}SIdzYv$`rlp&~6uq{lrFEtdV^tp7Qu3 z6Xtm|{QJ$#)xNLKqqHBGP#o=TD+5l5Oa_!&+H};RVnN;;(TB@FY}!W68y|SE=mUr> z03tHgNYI0NRFdx+t&*Mo!LUiw?4=N~CXn3-R})nHo6VcvlXjw5sDE67dbAQ_eKlz) zYsS<RVmp=f3Eh(()@*~w_s#>npnnH!gZ)Z=<JJ|}k(XtRtP#APK(PI?daVO@Y~>jE zJpyrAY>VJ=iq(ZQIzKzM6vA~;T&2a^n#(*OoWggeh>u{eTdHsGf7F<TM+)bim!&pK zTc>Ti7NSprt5(`<EwrsR)%2<&bH7{zH(jamMHNwVs$*f4>=O=LKv(zIEoeNHN>NG~ zWyAu;IO8D3H!LX^Su#1!=kvH4w8RbYX)T$O1D7pAMOH(>6ALyqhK6H`PDUgaEO2yr zUBXX<Bo0Q`kMSN!i&NEbK?L(4ExDK^uAmW=-+T%CfYsPBJxD4Jowzb$At7BWGA_m; z?D}NH>7K$=dz?*Tl5CPnXYdHMISFip7NQ(_G1j?`-S<v0vB8_#w5kbde4yw9!ijKF zQ$?WC3*9;D4K!KMp&(A^3rUU+woo|cta@T1X{%AG?~HzlWOA~Xo#xm@r2I1nwb2Xj zzb=oRTG3^80zj<h$vsVir9=%RwLT52cP9m`kTT5DAj6%47l<egXAG*2Lz+P@(P$?F zxX5c<0=n5j72E+Lx!tSAF*X<D#90SeWtHNQE|p!AqA?VLKcay;{2xB-6^u0!F18C+ ziX?ezBrhZki4Mmtt1l^614b8ROjUOGx3w;=O$0A};<L1BUZA2>g&JF$oSfl_U>CLs zn>FZVaqEM(C>NbY*hb?{i>#wBDoCj8P&k{TyP+eX6mJqKtR#_INGR=y`Cl>N$;`hp z?-_(}*-c@2Kj&1c?^XB+*q3~3c-c-gdbl_&#LD$pOQtT0KW6W>zki2*Qzs|=RF+R? z^RC|y7XQ-yR-&anyX*a0(xWY2fUJ%^=czv%y&nRH?!vN(39*%iF%6i3t)0co*D}?S z#DRaFH}XZDrn$DzEUtf5x1v8cdU6e>@_2^YhwyqRIwj3}VhgW<3$#3+b+MZ~xm|c` zxFyW^0)9rleLl34-)1#-*e?{lOn-DgAX8n*i_&Fr>*aPIcF6j*|4%FXZ}yC$^C1(* zL9j85x*g@&xOg*gHgLOc&-)hcgO=0_XbII|J>xIccw__~Uk^?|;Bqwxi_orSLWwJ2 z0WYwJ_x$yO1<|eaM^_s86+lEXSz8-RE>qnFV4oL&(1Gx($eQ49snIyDfC;<+P$F?# zD@(Az04~P@o`bu&^AtM=Pon<<D9J0l$f2~WHFZ!s38M=Dr5k0%6$0Rh8(zcqb&<G@ zRsXDWC!$Fc2K9Xfp!^#q@Xm>%?b?0$ORhh;?Vc6<$n#~e>L%D=YiR{JL{%$n@b$T~ zge`%LEy3068M<E2JH%g3cen4QQO!6IL+h_iw^q-d8fYbRJ?Ie7h~z)s(R*IB{pEI< zK@#895#tx)bjgT`Z7bYl&*#hQ4sVuh9UmIE;;fJ?1=Suqw&}Gl$RDdQ1WRVJ5=qPQ zb`$}mCg;_1tYxi3`zFme*W&!u=0VmU^H>xv=V2eK@T2CkYZU_gAIGSFr4!T2ced-n z%}Hy(Z9yhazn9AAqgTdQGDNOo9g4JKVw-FDS~aG|zSTx3G;8hxlPr8td72Q|O`Yy% zBMv=HvkC6YSg{@%62bX<q1yNYJp6gC?tJ9VKKM@UAH^dk|0(tOCy8zjmj9dF3vQ4B zM)cKt1a}e8n4FM=`hbuTa5@yj9U2l$irP0XT#1o^@m-?z=GicNAiY9S>AM0^Byz{S z7@5SAiO`5bXa{Nm(AuZxYC?5ivrKfJc?EMmmE_R>*<IUSo9eQ1eO1=Q8zqZHJ*oIc z$_ZAuw}Gd4kLQKGWrqRIgA+U{25|QE9Ck%>;yR;_Vp-|_bk*)BG!oe;_BZ$^QadlD zJ0xAea8JvT(LSY?i@FCOFh$tp|C|VBhJUDau(SO8idK)>yj>OpiqEY2n=Jutu5C17 zoOYLLCQFUf!-`rCuw0ZBASSu$uP+-L2!*V&%SMvzf!9sPY3?Oj0Jnet$knFj%Q5(X z0U&xbL;X(Re@(*v0>P|Mwm&@BG--Xncw9>VnteNm>W~DIuxK~wSRh0K2*xw|EKxvA zF-95&14lWz&Qg;W^OKXjl!Imh<TFGPUjbl*6vzCkmUii^-90j`^F|6erlgF3EFp%b z5Bf75Ac=q+tdZs;d}cBU?MRVupDWRdi^erCU<iUJ>Qmw}kSkuPHa<C?T{o#Ly-d2Q zlY}~Y(U`g^Lw-v;n$O~b&@a49u9w6yzU1@P1zWI>3j$Ar0b9CfPCpod)n-ZqYxTW` zro?~BypcTRf-QIW$70f7Wui)1ecRTaL{V*f(!&TX+QFb3TBNKkhZ=-;J6Wqc*R5MH zB~F^>g><H?>lh?#kSSL7U_9$8!257)V@(mj8ZnT=fYH`i3k@n>1)CY}0%tlE{iuuz zpD=(m%uJP!%RrbUTL=na6s(!q-F*=}e56m;-a`2teQRrtE}g4yv?TJu_KeaS6OhW9 zzpsonxWyny?lGRuaHj^~ExcYD!<H<vu{D-bsc4JrTafe2vh#S9^H=T;48dB>pC2N* znx7*dP3Oq)iA@8*t*2wd3*Uzk?OOkISWGet+emSb)IJ&jvYK9MnpNaEk6ar!Dk;sz zzbyAL*ISEk6X1J*$vi)FC>`6Xo@g3HdiJV{cRe7T1@k>8MI&?IeelYdv?4y|yP&2~ zNxO2U`Nq|J)(BeTBh`x0tu>RCSMp%P%Xppd;nk=z8-3m50uS=l`sq#{!H&m4Ug`DM zjbv%cxQsWyv_4GGx!4<&Wz}oZ&R*HgKISkSKCSm$Iw8EBQcf-o_v)UP3E%mtX;fbP z@ypvgSv|V=$$ZY~xMuON<WyY!Na3smBSVZvQ>iNaEr2K|^$!yK`}%xE4~wLw_Ya=K z@=v1LO#fYX@BiO(wl#F)irD_+IduXT&=S~nwo|LZ_@&EJm7CkD>`7r#%+w<NO@gxi zff*Ui7k>KKSs)Pa1curb@Q7&!`ucfZ-rlz5KFj$pb`Oi*4=-@U)4;hgwzfaTgtK64 z&n)1C23ZnW;u}G|k?60?L!lpE?8cE1(7ZVS!?Ms9uPijqRM(ilKc+vvPTYB4oPypU z<pnw7X8>tyTJ5<!-T_*}{JpCL47}=I6`8fHN$LLZQ`af3{O>#gR5B3tq%!vkg2*>m zfU}MD;Tr>)*M<PH;$UBl5YE7wo?0sRHs9suZZm8IrB$*Guria0czBGhT0Sjd6`%z_ z!Xo&D!;q@@BQTG3R+UYanjuhOgTL;NUHp05Ul04PCw}eUOD?N+ZjW|#({wtM%Q|?q zvLfvmz*z>ikq{0EP-(QPP%8u0-E^xDq?D`BnbO=o|5<H{Y7*SxL|Br}4V-)hMCKWJ z$6)*UOjwQL7J@&*Ig;o3&*I=`=WKsqbZlY+|D@Y9rG993MhYi9#ON!WfH&U_wZzq5 z(yt1hp-%$5(_M*Cn<cQ8GFrd{NQmUY3<uDtUnSqV%Ds+prJ8CBEk_@o@xYse$&W5T zr}!3vi#>-uQQ4krZGcWr#;0@`a&e{bUYJGNsg3AcI+9SKRJzKt%UjaL*eVMWYs;4r zapA3_2=>PFiki&SaLA&>XkGSpot2e>6X>@FCqWvm``96<@0uiwGk+|YFVyMKBV`vf z8|I|b-EeSaXykE;HbXqR3tD%?$I<-N#7V6Zpqz~5uTOA~U1c(;6pg1yQKUjOS*NNk zDZ9~TujEt>&`F@zh$E-=(X6)l0JkQ>YgC7v*yI+;jAn#%z!}t?FeG4sug^y=0fyKu zRcV_s7+c(wJV7CZUyE;E%qVeGy7WY!-_$>?dHSN(cyP;YC+67bcgjX|PyvP=Mj#f* zcg7l`b>(K7c%?8Ha1(uq{&uf#%)W5--7g?WN;i2>oWu2Y5nNCKX+eFWbJ0TK-u}(q zswUw0E2UU0bSb5#CJb{(T&HKdXoc>=E=g>pHss-+aa*vS?cEdi*bEPlp#%IN33}&0 z4i7?X;8Or{Cmd~zKj7VV1U|T%5Gjnw(buhL(kBZePQS_mFOtCG86x~1upfM-pl7`B z)zPQ-_Bk~p*;#X;{q2|RFu-p90l9c|9*+N~HZR{~lGyhy-u;UpLXMN=_%Kge-YbR% zr()5)V3+R$^`IQDN%lLHe~gfJR5^(GO!=sQUgVJJCw#|LDG$2Hnu0_J6%*EYpSn9# zWDq&c--<gXNpu3ZJ5*ZM&2n7sy(?2nv_xvN`sv=XD=mu6R?4>J*7xPHq|jBJY~R$$ zH9W58Obuq*neGCRI!X{!IeWOr8+Gi;9N3xTz+x-u$8~Lp+@n0|*0DbFcSAb)jIKtt zyWDOt(A!vJ1!I-jI7pjD8m$DZ^(pO$A3ziCHxUPzt8nobd__}FcLz7{J)h-SwfR{W z)XRssOrN}>Zpm53U#Cv{!i9mb-&t{645mHWDM&!~{WL{A&e{kVK8Y|_o#mc6^_H~j zbp;C%gy1Q3OY2s@GK(#**VYQ6tG`ASI^pJQ7hox^|MUOc6IuR=8_dZ1?|XlaGxd|Q z*bw@6zbV~^nOh3|{M~K1CCwj}PHt$&89@H9DZ|kHP1ED|QI|02Kk@Eu;+6Z1&recc zuzD?9CJM+Y3Ch_u>)V>$@yQ>CR6JAO?eKE|x&R3#$U{8kbK&dqc)7k=+#0+2zI_Be z1`4AS2Z_XUy)|j9DW>!b-0j=(%kJsR`(`Dc<8+l+#Dt6A>rJXQ&+9WH5BZ3L6Qe<y zc@?v|W|%>UhCJTt$ogg+QtS9GyJ^zenBmua=G})-*ge(q0qQi~e<Ku42Q`CoDPfy0 z&2*lnO_5nbzcPFi$MV^n$(fyIY21(zuQ9QYbw+FN@n8$lLaV4gLFtO(lD@9X;+SXk zn}KvKX>>6=5?OIkqmkVnYL!q?L$k;q`ilxJl`vb;L;!;*Hf_?YZ~=>TtqodwV2III zS*SH)r7eEp9%UxAp|EMB%xcDEf@jO6-M1TN=~u5?`13P9^`*F3Hl;-Sd;`4S^Ns}g z_(ajn%si5gSrMSh0R?Jlnu(}Rse#eu>R+t@{_(;9HF%d?>#Qk)t$H26WIKWwxyKi1 zA<*xKN0j`^vcks499zniuzu)=I8mI~kZ4Zm1cO@??%;~_XT!qO&_jBnP%R1Ts<fW+ zktPFq)`zPQp&(ocg1c6sP03ZaFGLMYkv|{YLKa4Q&;L{*=CNBwU=#@(-LeahIc3D- zW%dR=%85Ri4Xj7-=71%{3}E*od;YEwKyg=`2c-<b2hYD<0O&;rIDQrQuhzUmb1#a> zHo(d4ZHAVq8Wmd{DaaT;M6Xn>^mVfMcV0I~*k<8OYKV;6W;tSI)zP!cpHOUY)I%Cx z!M~74(DxF@cm#_W*#ku@e&5-q8|ISF&5EXe87oSnp0yR;bBob!@6?Hv-*$QW-y|Zr zr#a0&-KO)#fg)$HxLfKT2B5Y9r(e*8&jurzxi%9Ee^xy_vdRU?mLji}N@5|oAAH&2 zO<ARiHo9%(2r{^onf{<fCQ=)VU_u2YA)T}t9ubQTJKS;vD>_}`d~bA<h1t;$^kGIC zX^M|?5vhn&xnzqxQ;{JSrG-%rheurwpeT@(bD$-WRXbYN+Dv+?s#zi012zen)|UX1 zsxhood2^mUjh<1qdf-`Z)5pcqBRrlj&&{8Lq-XofnMX!B8{fx^E@C)nCX4?3aZYCe zlWd%pQtNRcy*pM!<QweuV^#5&iS04gUP<Px4Vh#Z+#+Lg<y4&QV`6OUrjMy%1cib0 zfsUpdIhhA4nxtij*+an4U5;E&?Yc9ndZy-p1O`Sb9_iVZQom&Y3PA%YnuDI6YVArI z$=lr>SmaOrvujYx@-+C%tB$2@oGH1%C<&w4JVtWODEXREoH|~6ysuM%XyaVsSO(S$ ztOBR7HQ*aG#{W`(SPjl+&h_^k|3;Hlo~yM2br?Vcdd2HQ&j<yZ3_hZZS()_t;zxTs z^%M>~DXdaQJgYKzS;iT2faW>kFDg?ZK*&)F`GE7Tb=}exs8yA(TZjqu4vH^Bp`HWH z7f(8@(e};(+%-oCUeWbTxpad^vtszX-7Qn#5JhoSbh^D9P$nIl>z8cG`DJ-&(iq3? z#xAy}OF@7ddhbXJpTe?eOl>N7BYbel53Y;(2|miz5tK<73ZtB!o1`mgBj*FC2lDzj z$wo5xwKkCb+zRTpHqdUtHbm?WQhp^WbC}K-z{ZDqR4ZL(KTOC=Ftx?{$_N?F<7K0* z<W66U`+%(0=^bgi0q!c4-ptf<yCHqrh|`C|Var^%fjBE4kUr{RlwVN^rM4=j>vdQ5 zvRiWqpYu8E-RPu`VC_*9*UWMax8S9_?q%P*Z5U)FdMAyNu_1&g@5O7YydakJZFl7+ zc~v{t)3qEzw&&Xd{)UK&Tst>TO-IO5q_<b#5#vPUnF6)_T%^ne1``T|(?S`ZL8;`( zpK|Sbfm@M1LLk6dpe4$xtiEKCK}5(khdzcGEai4$``g+=e9RBy*uDwkY=Y<^<=%<S zUzK>K0Fi!Nq5X5sln8dbH~j!NUf6$1)7k#rISVHv+yB5DW+vu;tu-~Rtr>^YhUlB8 zKOZ*^omL%00~82|uZTn-2qOtE31T>3MmRhNRh44=`{}(rloR276<zY;Ng#1`b57?= zvocPlSfP9Mw|a6#F-CVHdUK&fi#xW07?nppC*G)7t|@K{^|waKTnMA3iuI=agpSlz zh(MrZZ?KbuG6=;@QcxT9P)ggI?z-8CCKCLugrpB3rO+3UqvRqMRKD6Iz6v)1<trFk za>WtI6Vy(wU)gCe1lVX0^m8`Q?=EfWRzT%%9zX)xjw4VF(GN&-<!`PPIpd*oqz21p znFcT3ejt}(bz}rLWuT~ks!ABtjm5({rQ1ZuRXWs)76YYb*(HifgT`;9aaxk!NChzT z7o^KN=j4<wU33S7V=ZESe<2bq^zfokrt4G*wLmEO3Tn-d>b2DPo0O3{6<(8uIb^rt zl)0pL2O|0jdId94pMlPs`kE2&svC^V$&}eWbT^GgNW?5%MHQmkp1!*BGi7^KHXxpL zRpc&amqwH`uD0ql0L+vWW93!500I%`EukYNlSqUhyXc718d9y)6ZK#UXA&$@(DjfE zn4)BGjNx3cKWEXDsO>N9iG;y?Ea3=cMiJ|jpdw>f6idycP&hK9$kM4?ytP6Afv}t| z1i=KPl|N_y9EhWfM?cP*&z!RdSeNA(-P|6I8nmX24#Dby6BI@y^%UX!2yr5`@3VQj zFac8gAPx}Y0P0En6^yGPy7Ca}$sESy&3MxG@?sXd+jbK9_Oi0m8W5>ZDE5^-P}tW= z)2yqy{_aln>}l7HsoV3jx_nm^`s1tHb``F#6BfO%JNIGOPnL(<GwIp1{mqVGo9=$z zb#3nSt=-OU>|>Ye_NusFUfJq5I{U60z40lL6atxNh~<a2H+0D4rB}?C`nGf%Hg&z< z&*iSJWc=(>kH_zI8#n}iS9F}nOoDIp7VR+SU(Qxk-=C9dScx7T*-T@{q*nZnm<2Ig zV>@HZL*Ehpz|MtjU0y%_t(sRqukRE7t}1#vyRvuJ5EOmg@8gR)b^TtM%NTm2;fsPV z!R-SDI6H`7X#{kv=w!@WpWepX|BU`L3!NP|{U>bIzV!X`($AZH*Z0-)=N3OFC(ED$ zs~@G@7s0|s392eU6_O#1Kk6uJGwap9t}c(?>;8B(>rjGI1Olg-!-SokWPmEK|Ni+a zXL7>Tz(6#xQ=HfaqTOguE<oG_`W$_(yQ|BGe<!Amzq_Zaqu1B#@%r*U?DDb;maznb z$cCr{rBXZ51_6&lTWVn8Hn`#*GM6yDePmH#@0%huUK9`D`DXjNoe>4f8pJr>z>VC0 zaJ@j$KgCyvB8Ga6(6JT;lJ!#qcrr-A?sn&AP;B7F)8Hk4`+J<5A)FzvYzOg5FSKUs zg4g}rz~H;$wR~7%FHZh57G7s>S@}&?>Pu2jbV9y6@=V+-Wx1nv|D3CIZFEV@invX2 zquh4Nmd3W3jm>lEOtDBj29MP<Mj9{nW=t#&i`VL@eEv`@4x88Rsr`R@h|u;F4>l`s zkIv?#03sc}1I!lk#|f7247{}e&}b)s&7e`#M=3aA7zc7r9viU9x8#;35AmDZGHpQM zrHYwD09nJFt(wEs7_(8<O-C!JAjh5d44&{PccJ`7c}!KSXh_*E=~N&*q40-G(mjSL zhvJM^Oy!biruWfL<C$5$s5aI&{B8?^3V`9n&4&s^Y%4ky&JmMM9rZooTTr1;&j61} z3Mi`|_VB999*~<wLa+cAUP;1yO`wmg!P{Cs%dmn)H6$-V;z>}CsbB3=))0m?jK*Qa z1SffdH~NV8V<IKFacL%;F(qSgAhLOx!<IMl+4ikV;nA20gOI^25PQ!NVkpF7I>3_+ zcivN`1)ZHw=@;h`SN{-2U;C?>kTbauhj{*=b7&Ds!F=9Ls3OO}nUfCS2&57$>Kiww zFFUJfJ!8TpMlD?IVMJK8rGE9UWYyT%Qwag%@zg{I(tJZl+GRM4k3Q%_^a?Ogjz?$; z(p?EJ^bzj^tTKe*hlYoS7iOwMz{#VkflcGSg+v|FNY>8!CK-OJ=zBtVpw^HbkYa`J zg7YV`^Qc6|xVog66aKrLRdij63RJQU{~$Q=dkNWhz8d*VdB!yskckTTM@`7Tc#<gw zW|mn_MTPXf+s7yXfU)?BGGD;?YYxd!oL4-E>8+xPrnq5B@xvpWQyt{bWV-5PDwc{t z+{)rAuUepdov)P#-O8fDXMhvl7zNHfoMcWE<0}_s6ij$|E6kIUhP>6L6~Y0yuDn~D z_B76C``<!i%nJet=#PLJ@hd3}<S1JVeL-5~#6zoUo8C-Q5d&_rN>DABJSG`1WnIb_ z;$}^D6$6Y^c(tHxLJQigS}`e2hb9$L?S(<+!e^ec&S(u1>0fLd-T}A)3a=CsUW_1* zNYB_5`~sH+dE^Bs5CEPdMklr+j|Q%V`VvkmtOrEOcgj-jGUtNa(MXG86+MfF2u}&P zKqNdRqMBkR?G{>Ap0Km$l2$DFW2@?{+R@74%zfm8VwdcLVE?E^ov}uXyh^)@{k5pW zm3C)m{)Xcjf)=1S0~=YfI5hQVjL<?gCH=$DkDgMs^Y(PDAuan22UbTs5?N<iOh!cc z$Lb^kC@~w>wfIuQOJ_T$tYcEfggsCi`H@22^qa5qmzR^3Ay^1lS!SIOIAmeQ2Np&` z_6WxbE?f7`{k^FN#A?Fd3U9bIv#5B&Wr=WZbMLXc`M;AzD#jp=z=0*#&P^(dnQ)}* zc|AzMBGkGlD?Jd!Mgx~+uSD@M4UK1}k^Q_Hb(3$7r<exV+S3RNBq4}-s1;(GMva`J zS*esn_Zq&yhyp5Cphqf347bb_IF%2ghPFich<u^3MDd2D#=Q!N?cmy``cyoyFZZ(? zRiF=c0ih`nlHvvW0ne*PIeH6g=wtYF<KB0%X(sjWrR2NHhXmo)^1Y{$t+~1Cybuz9 z9(ci;x;Iajyd>HK+aA27-cK$nz;8Yzdte*s?Z5nJ#a~e4<I0cS$0mDA=dFkq{vRt@ z7LlroNLE9ptRYj<k{#BH8Nupl^}MxTkBiA=^;|jAEL!!XS;OktIBS6ev%`hi;=*Wm zVQ{!K*jpLsuL%m!1_y4_O1bi)SlLPWmasiylfrI^>4+(bSs4|pTkbCYf6cbJIWz75 z!&v4M)gC=t?j8BQusy8d{s7jJsLQ9n7usy^gqR!|h{n;8Xv1mJFNJIcl|Y~$Oxu?Y z>|`BN#ugSs%qNRSJR+4ioDA|{vDr)(Nw*{HK6q98+JREPQrGis%pVJCF>mFRvK}Bh z@_8LOYkJ!rQ0<&2#~oBcEYhoJ+!hdBtC&AfmcK5aLRNr)<ijm8F%fHvGH}ZCDn)ia zCA3Dn=8J)6CsPF%WXC)r%CEr&gyFI0an`Z+>Wh6~rzydC9=e#>e}N#V)`cAY6t=co z!nUR!m9yXoCrYbk@v2EJb;8OS@g^%CKtQroEzZdckAD+1$<<3S#hB7)r)D!Jt`n;W zc3<MInG5@fEDP=-E&@_fD*<_=SH+cZSHZVEn+PBjpMdOl*T?Kw#|`?c+f(<c<Ie_F z>y&<M1wBVvl5&Dy@oL{^oC^gFlx<?vT&UF0iLu5im)Ksug<K+5o$O(*zH8v~i!3At zndkfRVf285?dx<i^p+kyROXni$x&GgmJlGW4oWmHiazsp%<KFb%MVQ;GWl;k5LU;n z5Y-$^1jUEfpI=RjkgkO=-qo+eaBCrTBZLGi_Sko18;hU%CK{gb5T|55a12DwM9mBz z8tHt}V!I8?S3dw&srOMMJ%rWs?U)U*p6C?N-bGYYj~Qw`6=Jxr*;qinN2I+*V6kzd z8t|2k7vmqKhe{&B9P1!nzW$vDs}$g;Gv2PBj6v-1Fg^pczHg-C4}YF#(>Cb+mN@U7 zUYKQhAH;C)TL&6d<-ZKBQUrBvGI-BcQn`;kwirU_xzjbS?gqGIie{bev8h;h*w=wm z&@7nSDSHN38r!_Q^4WC=>IltrgkMFXkM;}eNyYm59c3ys0x}zCBoO8SwoaiGn{Fa) zl=zm|AzGA9FkBM63{5d-=W4h^ta@Z#0dM%PpVhLYs`?eI#e>z$@PgZ#nV7~0&xSJt z93jtJHaMkamWjAq+VFG~quX691Pvrj+h}7y1h0_=>j!apXv>NtjmEj=pt*QYi}}W{ zmHb`(59Kx1f4qd}-`|W^^FJD<97@rxN`>yo9R47aC$XFtx5DK}GGV0$+R8~vkyaG{ zyz25$Brw%*MaY4mPky6)f;l>+?Hx^DwH;rLSW6+rG#4{z?vRN{i=@ag3B{X`Xx1jl zTWW6U=ueZ%rQx4KPoS<)ii4yAm94Vvva(gz8T?K@Y+pHXewvE`0FoaOAeu`!W*jYF zEuv>v8$Rj=A}&(BpJ-MEJB9*ate86SemaL1Wnw7qr`{l@oDgIZ(1N&VnX@Eh5=}Mc zGgzEH5n~)arCiG>Zm^b1pmw)-DBE-yDSN4w5&Ab902#)2rHL1H!;{&ch!kh(?U_eg z>bge+G>*Ha)NnuY6Z{~6PjX9y)?*Re%-&6M<*)ezK+&jt)L*k9pQOS#QX)xmLLiq- z$tHmHJ&oQ>bA^LaBBJAnFcu3WtJ`!@MtSF!z$@pDN?5p}Sxm<({DIltxM8Fi0W!%s z?na?5ZYp}j+LZGL0_TM$NeKrSgJ7y7L&)Gtv!x_A&}JGXQIYkB3P2G#;uHuG%9t6= ze@z)DS3niRJTw<nRZyVdhAQ$B#w%ii8Jq!{&=FZ6&ZGLmguXJ+?@sl^IERviS`cyq z4Nc&P0l^?<@<%{&$H2XFC}utPco<a;O_5&;LnWE6Ja4UP>0#|^%mN@lfnr_+hUmU_ zge$S`l%q=z9WsK24onaKJ~+&NSYjz{%n8wwTyWJ|DV{pqPDslqfKCA<=07IP6$}pA z^uo`1^b%>76Cp$3BrUj=8zMloviKv1xSTHw_M`5!_fwQf1)%tavDe-Z1!JfY3lPP| zVuy^kDXYjG_nu~locG$g>ym=cwJYpy-({BO_Ia}VxI6qhZbh3v#5~dW$zu#}hH#ty z<qqQg`x<wBe#EefZyZRUlYwD+eqB2Qp0jJn=7#tMrF4>XibYn@Rw1uq!B*9+CCI4v zz9F%YQl(a<z>7y}nta@SmP^L75r#FFGeu?9Y$-=6oTosh7Q-3v=09;C3`Utr53+o& zeQV1;A~F`D)m#DCW0eO{v7sXBgTB(wb;|L5f#QEo8Lcd^+v4jQq>4zXUZ)=limnur zqI~nQJT@Sq^@mXg99dswXnlyDZ_Nc!__x!#x<boM;OQ&FHlW~6iozEuf@UUH9nGmQ zx7K}(6Owm+S<c-EO?<k}IdW09Ayz9}gd8(^l15V?%hd@ih&Trir>>0r59C9^wDTaM z^3kc77#JwiV_|rt_=m&&DoA-CL%?M}rvT~^GqUmA@$$&#Ynr-p6ZXsXJ50YF%#uh< zz^?v}<HVXuU}JC|sGga^*cx-RY>LQ#lIK$ZRV+!l*l3@7GpoW01a)&xN@9%rXg;<l zhVj@$>wPh^*Mu%LNyNn=PE$}et&ukkP&Y?BPeSwt4!{DYU$o^~sHKG!w{4%bwJkhH zPkC^q!<$T5g04an*M87t8uo@lPBLe744EFdWca?m=aOaR&285%OD^nJJG@e;s=h>E zs(^E-5Tw@b+fB|TgoI2d^eP+qowV(taUIwlRd%1*S90gs?xyV@>cx=dwnCaQ-ks`I zAIBT(t_t{HpushRhdy2S21O~3*+0w=&Ow*ln`VpaUm~*}g&c4{kp2T4I{JSLXc{$8 z(wuMXW>;9-^7<O28QUA1zEgUzfr1q+jT}}Lsxz{4x4M2B`N?vj-YM)*?$ODoYKBE_ zZ)442%JI%O+~%<_1A%&-bdk%o7X>VCr52~a2XC;NdcZ9MOgUJo=EIP$j`&pkkBT56 z%(`fy@#SOfkrOWJF`Z#3dcD9WCMB$VUPF2INTlg6DuO$9z)h?-UHNr!;9D3%nngFq zeDmNPB`6Hdy8$Ve;l>UJTl>UfH}GV!SB_pC*Er4&Q1Ro~KUrcT`HYbq8sO4onIc6# zkP|Qx9Z<rI7n+I`o)z2kxumr*UZuQ<h;V1|&MMrOKAqp-vAS&gVOw6Yy1{`5jgEBQ zDB6M8rX;ZY(0vZdcgXj|LS1O)!{jFl;g)T1`JxB`x%o(dJhAU>EvxiskC$|0L{IeG zLOtek4A~a8ZQZxG2T6mC9dt_?0??A(mVBmY_MnpVKH{Bm6jSbi1a~qD?S{w^9|%a< z$lB1Ir~Hnbz4CPoH;I?M?cj4*--**50vV#KcJGPb?w_MN1eF^>YNaFwZ27*16UWYe z0Y5ezy8Z#o*jWCFg2VBz&(B9Rw&M=j;QaFX2IbYk*XA#VVz0-}$!jS}H*;*@!}J(c zZA^`q8k9HJufJYNMJF1VJ8a?E1@cG~Q6v)<;*w3C_!8&Y+4Jn}^!#d6Rl<#GR_D#o zO}QqLk*tdfWl_IT*q>kaudQegr?Zx8<eW5zBNXOjO~3XglyA#_(N6q!yuBWmPfpsf zK?hBXyBRVfcr?Y2_fN|5OjQ8CHzlBykLJZ^UBYFIK+b}Fk$Jbi9EkZ%w>sy9GNYrh zM|akTsO$UF*My25-`19|&pdHZ?$;0<x44OTx}QG*76#yuH|wZLjoXwgzeJL{=pfcM z6C|K@Y3Sqd@pgO#vs17qdUsZ?Kl2mS&>mB`-~!h-ekClgyoi=<RnuIvNi>Ll9~$f` zwg1q$AEOy57gO5yHTyhccItz2=f4`3EUvMUzebL>*0c*x)7R{t-4fS<KsQ^bhsA{M z^jcRMHr!olm|P74iRTcch}AlRuRi44(Yt4P?p4^Ko3OiJe);L~-{Ensc>dmW-D;fN zWC~v-z!~!@Ok$aCtp${6G(t>1Yo*tF2VIFxVDQGyl*}I~Vii{5-`@Owzs-Km_W8N} zk}ATx(!AQ`2iOkjMFt879qI1kl7a26T(@$!RENz#K2sw2BHHa>x71Dgq`UBHD>qHF zcAX$VO(14V*D@{&GBUasyxz!h2swmoz=<vzU?MxeY}L%~g?uQmx7z2bU9$L!8m(=c z-8AGcdR=|GVY^}`4ot#6lbseMH$8qWRFUuA5;9&X=DexqF64;0QYr;WJBH4(DOAl| z0%2XHrQyfTyogk5F0Ett*WZaX-i1ybe%k#RMsH4ECmcllFd#_vvx!jIa9!wgS#9;e z!l9d8`Lmn<oI7ZTWk0}0Bv%Fj&i2PF7vQF$jXN4j?-i+L#+l>xr?B7VwqMzWb47QO zD2%`}SQluW4dX~B@Awlr1S+dkcpP6dbru89)ZDepHD4uw<<Go#oArk6<~%AcL(S5m za(n04z`YL`vplT62^{Z}jphofhGka23v_G|A7FHL?DrL0(-hPnkKvFXCir|xuc#(G z+R|>45V?k^Y4-R+Bu;6?HYJo1u0U?0=6!}AYtVlCPqb$m5J#_sV--3kO#l{2!YEFb z0#S@UwyQs2O{X=vg7AiDPdz^yXC3Y(A(BpWSETrI0oI1WY(&dc4A<9EMVI}|G~IaX zev{rrr<Op%<D)S++9D1wC*(clN^^OaXKVovgr`~{Q1FJqn%h(n1aE)-q-@HrzpI4G zz)qmzG#x$$ikOB-2pB41D5f7Mt45%S>dCN1)QO^zRq8~Ekm{+VPF*IPTD8!K&@D@s zFC+9+Ygo{Z?bekqRVajbAf|Ak*KdZ%@iEo^V&?gOM8m_Zu&U4Kfz9W-hx+pH1x~6_ z#SPfT9UeI8WQ&KNX_d1CWSIs}okD7(o;LXh5u}-TCe9{KsOzrDm@m~`qdD*7zk!HT zfOW@-!)xcpDKR~Hx`B`kegvzxE+JhtAk4urWK~8RqK&8E(q?wDScNvk%heSJ+*tT= zhj^_%*xpt-jE_RH$F;T<b@>DKE#nep(QcEv=61k|10hGH>d?mBc<W6G!R8z_J!OuV zuEGIu0LSoP2wM9@g0Bb=gsf$dlMulMoAzI~1y9ne5X~|uqyn{GBRAdS0N5N_K<O|F zEju@77e&3@Wcb4<Gq|*NUkP7((*<>Vks_or&g$iB`|CZ7-Jt`(fsiYaTt4HhC!!0m zB}o?i`9b<?wj!`NLM|YN8u3^4g-8k-z_UY->YHC-lt$r1K7XW`2w1@fj#g<l9~6uL zhG9Q^Z?8a<imtyU4Bld9F3_6$V4o9;6cB30DW(oM-~S9vv?!LKr6jcgG-U2QL^wy_ zczO-!3A1&o+Q{bq?*SyBw8aC}#ux8jqdQjFuHhs+J4(3!yob2kX3f(g1G!slS5pXj zT-f41X&dylcu~Do<ULUGt~~6u9hY2L;14%WS8m99Wnh0mg947QEGTGK9cj>)HGSH2 z)+)Rk|A#z;w|AM-hiJh4c12~^D*u5WbaM00qtKZB2b|ji$DUeXu9w@e9~d(RLi#`; zt#npE2ENzZ!c+chl=#8x9cb_!XCY9$;dmXh#LUlh!FvxJ^&Tyhd2;z%nPQ(fy`ZFz z=@`ECuN>!)nd;}+)gCOi)hejgFZvxx23J10!4eD)@E_mh+Qzp(4!mP9iq1`ef8VkK zis-u@SaL@D^j4*X!m88Hhy57pmJ?Q}6_QUBd}LeLx^3{l+jSg_`Mw~@?gu$Z45ws~ zg7X3RU1_h;frPZdGW~i5C*dW|-m73}{ggZ2`O)Gj0m?@E0wg8fgWeT?3+TS1#%16w z^B<viNd6o}`-!u&p0gz9Cb;X0uk+)MRqdip)`6ebNsgtnd@KBY+neaIz1$Z-H@=yf zw3kSsAT+)2^A_g&^<5%E=TzyBzYxiFBCT$e9`OSx0rGeJ2gGLoC&n8a$G_I=XwlSm z&f-AveXZL=oL#BBN%Ps1UR>vMNt(J6-n>T;LLy^x2W(67>l2qS09or;`iy6UIQJGm z{g51(_X#eFi`uP2zon;$fMH6UIQyU@5+kaVErt+GOgQ^s`#`dP$f}ww8NPo$J&tsW zk)1*e5dSZfy;F=ZZP%vVw%vWVZQHhO+qP}nwr$(CZQO0o^Zx%#GRZs}@3&W}wN*)_ zjvQ-Ub*_M;D(W4z46okcyS-XI8eVO>9~}h#enbxOVJHjQBImBRzp!F$_YX?Jh)kRx z3$i<+(M%xy_uUb-Xnu6{YE8c)%IjjEM=59S`Q3yNMz|6~38|A8KLzTQ?tL?r#S~R~ zTF<10-*=zTsOf@4Au`Q@deiAis%96Rvz2#Oh18Aw>*KMC1e46(7HOy@Oz}FIWg0x1 znEkb1i>Qd>_lVY-Xl`T%po7A$_4J=qqfe|<ncN%4GfNiQZLVl+8*K1%`%p7n+FV<P zr4mVLBTo6Q2MaT`Nrx{Q&VjIo$8WV-TS550^hG)d>P6+6h?NMX)S3=4%?WUzNB|DP zX;gs>u}tVDs_UQ7qTp2_qNfNDE;=+3u}dzG%~Pv06*4tnlc+`zR7b17s&D+2Rl1^F z@u;+;H?f-m-L8F~oR6Qj-Uz27H9K8%8^eAe8n+eQj}bmD@8Fk?-BB)C^D8}b*Hdv( z=TS;!mabPi9TQ6=h!0EVM!t(W8XOK=jZ_#OfI(Zu68ttOr>7Ee`o{h6RH6wefBhz$ ztoD2yvNpsi`vc1i_wZ?D&JOyzU9M;^yZ?YSdOqSx$H|gK2tgzcQ>x!JGPfx%DSfm! zI4kqv$$?7{-SpB`geT4La#a+JrJJXt$X#`}Qy6@fDKDc?FjNtuuLiT0Z%dI?`#fk4 zE(uJ%JX4{ui|MbR4t4GvIm<rAGwYUu|E*XobawhW?(#{1v)s_e>aS*neHp2x%%Zlb zM!FXh?Ld$l9UXmIO=mIfu*+>L6^u+e0=%fPaOz2NUB0-v>d!8Q&se~=o86d9Lf^sW zdj~zeu9}pJ;h@3bH;6`9Ua_Y}K%X~f7YRKVf<^BQ)N`h+AzyjOGl6O;HZO&}HZ~Zn z)r23>%3TKX?{U{YT_uhlp0G{xpbNE@Q0H+OMgakQYDTt(WG$4LODVMu=T~&B)l>lT zOoT2rUYgFQ4238$6Hq}y+_wj$Y|f=9Jq<^8LX!@6k97%uPp5&j0LGcN88YiQOcWrf zee_ZbG2jj<eTY}CwL|8WCIrI0l|o7uJtY;u!9|eOZ{^u)^k;2ij@|3%C`bf@TtN<y zkLflyErvFCY9~`+lZrel8%-MPPnNa>q4h4J0G0;B&J@SWWTZ2tPqC0#;Gi$qKX4fD z9?mq~%^b^t!W5|Yj8U@bojy>yhgJVV-PLBWi6cv0Z*#fOs6(nuSdQ;QA}TqaQ%|R7 zpP^WYM3TgLr8Ll2Bb^I`Oi`7`HFP~OOYDa*taY0z<_jHG|0B!}FL~2)Lmdr+#nL^& zF2nkV?e_9!^RO<<@w+`(^ptQqHFV64K5F63Aqn+{D8h<Qc}TuWfr^yIt>dOx)qTle zRVD@f^=IQ-y%uMBBl)NOpxI*EEb2_ub`!&1i<~WMk#!AEw-Ol`t>N1QgB!e{Rfo4X zMu6%P^NCMt-BuA5%_WvM4qhjhRfu#yw$%R*r)A&HS}y#yGa2k}??mEH(hdv4@G70{ zdD=o+KpB`G=U+)K+(f&?tQm;%vOfhmt|Y|gZ}QGZCGZEu;R{l+Vf<|n*>DBgRyfVR zoHpP6G>YtC7jG79TPUE}lmpYr^Dp#&m2U7psMx~=hs{rMj%Up&eKU^$upn#afM8Q( z=}`sOHn1P)ryaMQ^sypfaBSEzs;XSU0*sC@`6&R!oDc&`w=ktC=S;LEXO`RNsZ9BA zTr!Q#08fx+iJ3us)=4j5Dw}PlvO!fgT1&(np5o&%m4mjrGMw@Sr7d|JDT`=5v<NwR zP8wjNpPY$ntX;dH5&bY32?=Xr&L4$^pHPh0mRN1@?~81ldJ)$%;WG^Dko{5U59-|c zwvbYkCs?f-Cy~xRj!`AaoxWJ^qYLFV^U)5IWDoW&1vKtboodB~)5FE}q2mL{jGf6w z4UGF0sEe7G{dpA$Cx-hOjws>M4{PEL(okP+6++`Z+&zx4G*MZbd*5+tPrg*-lx~(v z`<m|l=&$N1%q3d@rUV0~d40zU@<~QAv)RQ3t<~KLI)3~@4AS7R)xG--FY~~_0Et?3 zbfW1ntP0%vll%hPlRW-QCKWRW)4y3M8{>cdPr8Pb(-AAue=@0>MO0$+0YKi?d1SbA zjguU4TdP`INhwfe7SO1WD#Vqs&(_YYn8_0oM=|9rUK6pYnfpcg{Cx{(g2wp4^kRG4 z|LAnDQH~3vU9q=&K_KA}OGdCO4(w3BA<$NSZe=-84|Uy*A=@Zsgou*+tA@6jH0Y$k z?CpQbx#`8#-ir1`ql8cKa~LurRzw6Da(vt;!I-N5a>f%*F78hl&;*SO191b=1#T_C z6TK(eJCue*Bca{e!rdYUd#$gEXtA)EvO-6BH|#$fes^1DT~ul)kEn0ldvsE4S?Jo9 zjyP62bLP-J8g^!!Sz=w_m8ATtAE+^4=G&%AL-Q76TebK;UG8{uK=FD9%U!Y6QwD=Y zdQ3f`$t2v3=y;IA#%;wIh58_C3!Bnhb(X~d$JxBST)KLC+$6tUe%zcqy;QXogZNFe zanDZTl`Ok(99gJ5x<CFT0va7D$D^Q`X}rsXW#iAAjyVB^a(7s_x@gsUIPOeKhE8U} z897RVs%n&RPG4aH6MqB?msLPL(!_S!Qt{@psZSffDYrb@X5oRGcel*oy&G|r8Ig`t z1UFQm&qW{4f>XV!T=mgpejt+RAK!wQH&o+s<?d)MEN5A&);gq;DNmW5&~0^-I4L)n zVH`l<WwOxKtjcH&ie8ER#M_yv4CQSb%x~7^->s#dR8M-OJQs*G!t72z%0S0PIW`@v ztPuM3&PC<D8=WD^&rX8$UcT<8=9B?YAf~Eif$QQ=u@~rq{2KF-kv){o=>9m(3+%;r ziSoFus1hp#)5VT<+o=6^x4V0KBB^ZfhMRu7H~5mD$Bjq5v=z)@zxAeO%v0W$CuBj9 zT?&hd8j}JeM3pDCGo2Nq|1n>!IpyA09TN@hOYBH<0X?F54{9Uie{^j4n>8-t68-0o z)n-s$Y34(jMh4yXNvA~1C<Ry1(DYUv(Pag^4$PmwtI*9BYg>gP>LhK^DsOuYiuz5@ zigi4I5S!L(??)C^&W@spUp<yo<Ii3bkAPd_!SuN#U*<!4J=y-6yxjafL%_VCs)<sW z_c}wHKxRw#YbHO_(EXO9o1t>tKB2`hsMsX_TN3VfBtd!HF$Lzmxh~~XsNJ8w3UDDz z2ZUwiOKY5_HSb7kf5N*Aj7X|V7f2Y=`m3*P(d1Roqi&|j>P?nP8h0z$i*2`{Is6fL z3BVDsbX-2WDM$8;P&Sdofirp&c$V_S6HFZF19HeLh9`f_unFL5tvW*h3zl|^6cfZ9 z5h;vK!DtJa=s1Uf|14OnA1Fh-JWrb-O>1it^^XvTsXYdAnU^TPg`T}0lWwJwxh&xt z=rMNghxmC(n`VXD7n^omJG`uclk?Hs;|`F~@}r!{{h2YKR1jwuC;1aP&TRowf+-~H z00frU71DU^Zzwk<q7F2UX5rkC1`t~T(nDEFnn0iMvz*WQK(Kg+B^r?iTq`Nu8n@f! z{ux2~XM~Vd-#mI=VUpQa5`^{bl<FF_D0q9fk7M7HLDv}m02vij+=ozx$7{J}FcQLy zwgh@_G|Ub|CO}I@=nPa$r8@8wY!R~}B=x04Q8kKs#x<mxN*~;j!YVjGS6FgVz$C5T zH%^1BqMnoo`U+*U$R4*|G{P&;0*xRqH^dArN*b>`>hd$aEYyJV?HDuNG9-%Cb-Y<U zcR#}OKsqc6!^yi{nF5cgWK0%2C!``m#PB)Z0#<1A@ZD*eU6nB9g*w`Zn9z>k(`u&^ z1Xk~IaAU;F-PSKnJh3{8?A!W+>14#q#PiKPW4K~>3=fk*G5c9B*!~x1HWCr6aj_@e z7l8}YCv*U0L2C3iB_b1pq{I)(PY#ht?`$d&3IXJ2DdC!VW~eUg?wDNETyk1!%@E1G zKGqf8Y4%&tL<3<%-258}65k2vA|q7h6W2~(2XnZAp_=A)XUaetRO&MWJ1k?6R1gT; zzS{dC^|9WP@>jX#YxWk3^S4EfU%!`XAnfhc*O$>$v)!e5<_Z-{m(W$p{B=Y0{^Of0 zi`pHr@G#m_1})_oPmxl}Cn;q0w|PR52w#SR_lb+TIf;uJq(@zc%hgX;2N{R*+kD$i z-TZNq$->>4#cFJYVEf}`<v_?%mA74O!u3E>5(jO?@)ib?-lFL)T;E_1aUhtJu(*OM zD9IPIdZU>B<4~iB_Vl5=A%G<~%Y(^jj<%(0<5^(i>JtT{@B213;2#~jtF5c+^>KT? zO}5<1<O08qS>g%*^45aaZRgN6_`Qto+kXD(4qrv@_y$L3ORxUg9tE7_1upv5bAyX6 zWnB2$;drZZg}c@(anesnnd#sH-w>!{XEJD;Re<2<gW`a>#omwNQ{(TF7Y5PPy@JSr z5V0GNt-d2bzSNI;C%2Q@I8eSzMZ(0Pk23w<`uW9rP_7iQp3xx6{eIi}uK!RLEl8Zx zebmc58U(!aPACKs;YF!<E-h>n8ubIX294bKe*w+%@0++dnEnTVw%Zc@|3V{`<@wup z$?$qgY!{hD{FhnfQ6%u?iD{4%#6yY?JNtT>xTLg_F<De0K*&82*t@v6_O7qF#}Qvu zabJBizMWaPyeLA_>WPyJ++1!Vh>aO#yTu{UC=YZ_cDej?XzA!q30~`VXMrn>a^Er` z@nK)-qO8|Yg!TGA!m8Gq(AApcm;fQRk>Qa%h7EB%H%wn{fnOcfy>A>!6W6<1s{hDY zi~wMqx43b9`i$mezRHopCcfEETJ@HB6JwlhLL<){(i85`McS?@*Q{L0?;dOzp*;*k z?@y!@-sGJne!65ZA<@h41Mnaqn%8yr+oO%a;a(5JEIsnu&nje!TIkbaerhnm8~)mE ztq`d)1zOC*88bO-TPBj|@9vt$)euITV$GsT4k6t<ZLVH1W{LgmKsci?6&*?B8?pC9 zhR)k8#CSvi#Y)f*>>+vBZ#SFc8A;wd7z|SIm-t7mnnGmSh|&XE5gtiqaI@AjA3%_g zs+5xgt`I~;V+Zb9FIt1JL~CG>CFKhmhbegPi?LN;2*}`nBwEm-dNant)2c{7?Y?f? z3-ftZ9Mgvd1BE1lGh^&P|FL$9ihT>&J!)f3<oWfQMP&$?@YN0SF7nK!VSr&45u1k> zjK+|08@fILg_2GNkk1EE8a?@FOD|j`-9gb=m=3ugQ#xy(9$Fcg5ng0+7)+)gqZJua z`BQOQXEOOMO&noX7#<;yodmcYNHTiu6&mqsry)g(yd2g9QTTpf2-n1}pQ%I;HZma` z4b0(Btwq^Q!PDxZaZs}XsEq2li}Fob>TQ63w&k$J(pB9>x6AXp7$dgS93Wj-%zGd_ z<P|;tczoe||MVS46Y0oohPBwra*B#2IiNNBTszs>SgUW0#3!|8mAMyZYBdJBZVp&t zl3;@t?~a}hj-H;1CTZyVW?*Hs5DB=NI=mkuFMeQ=nZmUS8hqSEx9=Q;A<P<|?n-Q@ zV|EeLsRgdM<g}(qzmDF1wNCYW3@sV*^N5}n^~m;uP`As?r>EWP85`Cwa#TjcZ~}Tv zrh&>Kla`WYyLd%Q9(Btp{$O+Agx)OE2Ag_932+3W-EdnMI|Ga?s(;*AauY`BUwYHS z7*J&t=9#zFwL28^TRK})XW3U?JyVTnPg3JZcux<A8~V10gVA>>$+*sx4fDO#*mcns z)3BhKR*UTr6e`9V$$PZ6@)2ul?ckqbveD7vqEoYfj=<#n^vx7<d(&C2S{`sntmtrL z=CYFNv7oLs<eiD0=W3xgPYHPV<+3xs+*;8E)ZMDt0o&DGZ83obe8w9j%+^Nnm$5{H z6JEBkZr;?h83(^MYW1R7r_61N`SUzpC%*r{x%hxde|e5Js+x`9mB=)_yl&@paLS1g zrTZCqC2a*W6a;Kktgg&=2tf6dBH@p?U}>Efn@-#J!}aycOKJgAW2Z(A%Npj7JTK<~ zel*--z%gXf;I*2<=VIK60u!niV6v3SZBj^&&;5CrbwH6XYYF)Fk@k@n-<yX*%6=Ir z4LcpsWvRN|4rx~4(0m!aqaJQ^GWx})ZY@qS?D`5PPIUIKW`XPn{>o8kvlG+~nUC|N z{F|R(1bBMRQl|qD|AOaQG1Yxvf>w(sB`9Y8wdDNOUEnCNI;cShEh~Z;O${ecz~#6* z{|zSm8^a2tV_lvVC(V5`OO5R!S0+HMCvA+M)DYKva(Ofo(ESS*ZH_4dS(_8P`Q|at zl_~T>k2bo{Npqhp!$5R)CT)X-z>e$r*vsd-@1HGCsrP^&kH%+Ow-aZj*AUk^%G8Sj zX}<<a{2?`EP~)Mh+uK&qKfSFu-}Wce0c@xI7HA{4U9WK+iTX8Ab_bAovx!W(Fhatl zvMz<-yg+vgJn+38${q<z<EJdd*0PP>s50t8(C&0TqDLg56SYMGDsFM@a}hZU!*#Jq z`bKy_6}#3i@jK6eDX~;v{rsrV6w`l?WS!I{g$Emwn}rL!4v~pZgg1hS80NQSQAFg7 z;Tx@GMSy$|^H|FW1vpSE%8r#WDN0kmHnXwhL$BRnn}#2}sR&capUHQ8OQtI0L$Cl^ zOch7=RxcCw)-NMowRldCRpEu{ytyVRG<nD+p`TZ3aw+n4s>}d<s#lmmORb(^=;K;F zNda!Oc!1}P{wdP`Q}p*}{-;>}Pmw>a&9ju>r6#uk569+NI^a^12Y5OCckhy;V}%Hm z-O&4k?1$~Ptp;~uAkCOrqDpLV3@rGkuf<a~7~AF<2ER|M>g<9HYnN#35-sl*TyBqV z^Agcuygj{l3HkAtzYLsd$L;nhnk?~WPN?9auIHG-5101^2$hmFpA`zTX}!HY@eAP_ zFTZEU@L!adiT%F}v*KX<zrw7T|7+sTXxhY~bRhol_6_3Q^|srjO`Sxlk~xTp%SsZ1 z2ulXeTbAlUKy7NwzybaE<X&d%Y=PQ#9c0dkQ@eIqU5}kOt|+;l$?Mp2lt&@y#11GZ zCzn_8kf})uO4KTfX6V2a<PXw{R+OWlQ*6l%i^v+J7`Zf{SP7J|6s4hPL!DEWog-z+ zOVA=BQXV6LTTRfS3d}|5RBFg8hymu90G0Q9q)-$Vl4=7i-P7xm=udEP5ej8)AZ}H` zU^0}SM^y^Uyg{GyHqDHePKDx+Q$B|K-z)uTFU%kio1io=Fs!St)2CTYn~7TC1SPjJ zkfudHPmF3Q=NVR^UCq2HTUAsL(9=NqMTJqYaxrFv0zD2~votEegJV@iREBY{D32bT zaFFhYL3JAbw5CZ1^`wa{U{t<$$`>QyG|lSb7li@BRd2v&B~hJ@kaQ&hu`*D0)J4=! z9#TJ)Z1%O}2lYYFPe!RJEa#V)XP|^Kh*lY2R;)3sf(b#>TGuuZod;4yFp8OiMMa-g zZ9qdtV^x|eg;X1Erj1t!lqBYYTxlMW)u$~-AuCRgEewIKb3`Q*e5vHbOzWzw0z_y8 zQzP=6q0iy0MP;Bg71z{ek=Fo4ohVvS3(auym!6ns3awxv)<RHADNra^H~20mE`zi* zy8grRXk4Aa=xI_NCdo>qs9f1oDQndTrD+*a)zqZ&cz9%TmnnvhzV%({@nhSBm-qW} zde~QWdUjKL<wgh0YVN-B)$-o*eqw@+r#jQryVI4%(5RNqw{mPyg;Ggp8YhXn1#B3% zy^&#++jUB}g|4;6?aJ4^YqO`5o5$z(a(MB6)e^dBs6*xEzY0l8D^#vS#sM!>ITUwW zmZ$pmI#!@4z1!>!t1@iH?*Eyud*gPu>C^S;-m#aPr)Rs@Yr&VBcb7JVVssDK3eNR< zYOAPXS8B9>KKxYHx){s&uHVaMCf6#IF|U0m^l`Rh+Xbww{u|%P3zNZyvqGCv8*~@U z1+Q~Zt0i9ppw=K{*AK)6JqPHee8oB0dDICB{Ng+|1U67;?U>kpd%(9CsIJ1Zqi8L; z0bZdOz;eN9-*rHHFAsLHnNQe2m*p~rCG-P#npr6qKHfl_PE|;(f>)HAtQ&WV)r8Kz z{l`h>`rue@SvyXj0;SvuZna4Da~?cZ{Q#UFnl+(o+2(`5ac;Afg!WuG$Wx{*A1a^d zYcK41pxb;<RdM)6IdH6%vC?#3Rx$v*Ng5~&#MIs<wE_)3(>>GF12#3^RCG8S@TFWe zRnW@4R3=_k>Uh1v94i#t3$;FjB!~+I($ynKWtoV4H|qJ|8tH``6H;sf_d+;ve=6bv zz8NqyyhdnbsLO~-gE^3QA=i8r4NLJH{3c_S;8+F^NKNL?<`WKV!OERKsxg!QBbf|t z2H;;#_?l^d$t>A0xPgYaaa60_<@7FH&sql}9X4tUKzY1vlVFb3gm8bnBLxG5rb83) zf*BrIN(Iezz-fwVD@b`uek7MMAl$Arh+>T246C2_IzO&*(f${@-5#IMOE;5zHUwA! zRTc_x^tp$mpImFYmm`#1{o?Rri?0!6VX!0cFz{o>;NUgf`>N9m+b!O^0_-(zpRZvS zx(|4-*UQ@8yjs22s#A35UA^nN_=QZ(ybRU4);m`lKNiy_qouvi+nJBE8*sK-Apz5H z8lV|oox6LjVE~Tt7%BG<1sWwb>eO<)Nk{4v_0<ONmUu{F5GUjM`|R970>w;pk=qL; za;I(paz$IF7gca6^*R@Fn>tjj8Xc;{G0>j!46?xm7FF3pBE{=>^@b|Ln48Wpbbijn z$Wz~;f~tHU&2s86)Tz^vStBSfE*Kz>C#WL)0Pw7qwoSzYaB^4<m#bl$8mr)#Mg<&y zR_gE;Q9J}Nj0iIpS|~XD@G8)ZvY$S7B?N>H;2?05#>9Gp!gQwaSN+b-8#+Jm1P)lZ zCAjlgm=`K)8_809i?L1VDTeaBXoj;%2J(^|8QBSwP|mUv$NLOp#aKo`joKwgL{>TI z2@_F5sIr{+@Xd!+<uVGyb(aiOct`t&(xaf9X-5v;ex}WaT{D9tEh3SLJdw!6UP{I7 zOosvsqh2B-Ti*BnB}05LJ?(@oM?_JqYhg6*MCVQ=#bB)a8H$eK6{QR`srpRiJ{j9s zf^CgYQ1!rZGb_5U8fpQ!Ra@}&Fh-gQsO#pin=kB>^be|QfhHqS-I~2q-(P)h8mOU` zp)UwFe0pQBM?Co32ktYBN?;X}^;ED@Rw7IYjq-Se7SwJRfpYyNP)GobY%&ghl`eCG zU|$XPzgYuP885(XCY6D^NmTiSt`;m(XdH$s8IAcylT0SasVuVNn*72q%2m=+A>5f` z*$qrzh!5Ngk>l)gRrU|Ob0Gfglgu1t(hF;J3Gs5rqMq85hK`UwJ<}L#iGTT*92*E3 zOy51ltl1I@k#*mb`g{1RRX?Wntg=t)npWq&Sa80d7`m#)u4{3dxO#kfO+8w0rFeSb zqdwd~>t;u_Y_v`i@FJDf`pHUGMc9AS<n>i_zHaIl6o~`+!ijE(kG}BVLyFc6@navc z%2v2Jx&DBg<F<UVZAG1WJjR*zZSKMUZrsuRE;HZl^}X7CeDAk)t<Bh)-^3A%_WjoX zI#8V1s_84-ShC|IZSshNDXFpNo+nUn$DcyH%L}tk;CEQQR_WhbwpALR?R?-@W{E-` zAwjR?zq;<=+`O=8ZNdqnJzCV#1?a7pVWcKS;~CzkUm~E;aPZCl%}m(X=}1AjuHAt< z9)%8;d~aq06UQus-m{KQUMW8ovXJG6FQ^P}EcZc7;EwV!OY)Zd>QOdZkX>Si?jkaR zWQ&eA9p4Bs%}8zX@{r}E8YCSA_LJFdat}U{=Z&d<xtU@URp$|w{DeA@A2ssex68}N z&b{ywRwR9pSdt+&vF|EB37F;$oD|c-`Q#t!y=Sa6sQ||Yhs<jo8!vYC_Bvu{#PJ;g zk1aO#D4v%gE|KJo$W|pL>8bz*@A>EEE^P^NOz~KbgHNbe4^!!!{hf|pJJ08n_2kNK zN<$s904s^i)CPrnIstgE8`sPyo>)!n>A!S382|0GHw)YUpwpoh_n&e5T;0BfNb%@1 z&S%5cPHUxd1y@qqN^>NHf$4l=JZNLlb=@5UD+okM5{k=f0bLO6*iY=-%-NLw-N4Z9 z)<)gb#uQt!JC=n+Nn7_T&?RUv{zQ1&w!52eX0@H&DbnXu+#~1-lvN%PkWj$)7CYy0 z1I}Lm>)h09(_UIrpBV`27;XjY5TK&A=Yp&2E2h^U_ut*2aElWj6-BK$hfo0I(F!-N zPovPW<fKf(X`rg@tLu8IqixH3f-QEPL!D&2SChn>Ywm5E>;0WDwL0{+J6(?NA)$AS zyGdfGm}}_IzZ4XBS0*nN^**&pj^;T&YN7Ds7y!(A@)79>sv{>xivGbcU!Oy?j(_Q^ z_Cj9}2fSjx{Z57bKOnR5Tk$5x>YIzk*mt@_OiXi;(3G0MevBtZeK&^<GOuyBi6@TA zrQ=*rWmRo1UH8l^kT9jm8X=|1<P}cC%0XTW-vcEMe>uoN^x<T$wrv0+O~bgo!`Yq> z2;7~0-X!Hlzl_t8A<v)ftj}=NN59!)+VtlKeO){U%bQ1o6sFwq@j@&tp9Z&oX`0GF zGYFgX+71?a0V=FzLw=3R#O9Y{3I9;yYgx6sX6~51FJZ%Bon~n|cY(9jEwxu+zb?%O z@Ag;JAU^^v(^%UZzrJXYD5Z##8djSbBwrUk$%EgqRw-4Qq)3+QqNzogGEw{4SGYd9 zp6;jssa%^?CB>+fXz4FaMqsL?jrl}#;xQBs!pt1e6yuH6JZb3{w>+Um6HT=6T+6@+ z0G(Z1ALjO4lR$y02i2e$)7RLT1g%*xM9Kn@BTs8VL?<h{@+=b)$1_*y^#;hu9p)FG zLOqoqA9CxV+V2Y))GTai@q-q|*n=1pdK-;ACW@jEvxR^{IY^I9Vu@&8l$NWER0l~U zi^5b{QblHjwCY0RGt9<Q7=%CSLzznwA4<CxM73iBlt59Gk^!24P;7GD`Pd3FZ^7XQ zWpyC`>KfbAkqOK#qP-)JGRJ`L13TF>LUuEP-{o`x&4Jsq2nkCcnb05}@X!gFBVVK~ z;8sGa{E$)K^Z%6(fH>Aqf-j47tbPo;PwiF~A4JUIUQgB_sMu;_D`u%O(e@ZbxPbbk z19MEYB$nmSU>|usBR#^V7T7=`J<`UPITuM71O`GCkOjiC9}YhsOam?r-Yk_cn(U@5 zB>SF)ov7#K5Q`tM+@a~+4Qv9CFrPw;Z<B6!y+6u!Y{wq5v8Lq{{5qKA>o)tf>Qh6( zi1eVh6fm+D&@dXJSR*QI87rW4Dja<Qu<+Vy+a_1;Y82vEl;MHvh-Prp#cG!V(T}tu z=yI!qKnOJeXLP6$GRN~WPsz0Hu=LjEI_PcnWK3s+)mQVqISpzH@t4h2@EwWZ^kts9 zc>BA+-fsAfzqY@h2e8zc5SGLgs#QZ?)M+Vl^ZD2dZQVRsuw2Xf;IpEPySRw5t*6<V z3KY2)hzWj78&U;R(;5s51<kbi3|o}v;v+iUoNe02Ts0BpvGvlE@yAR}E^3pxy-}$v zOFp2qgEXK{#|b)&;;3AtN)SCNYaQDWolCTp_hqnteCoTBVWiT!wTaHxu{sa?ifpVi z-3ao2iQx8jACs4WA4L<_&A_`*`Du=T-nOain$D_FXVsYW&E^W`4dtwCPyafOiPch$ z>re`D?ZC8!jYjNuu+l2<QAdI5lv@}3<&&Du>Pw+WC`#xUzXisZy`@+Xe_v8bUaCn2 z8Eh^;6`6l+xe=I0lBNv6<)4cW8%vIVzKW?jQhafmvVe9KCa>Fjg{eyWoR%Aawiuh_ zO~c~Z>4(2L8bI(yNyCt5{DsB6<g)F_<nq=??iC6MPe3L}h7z^=Df|imPh$^~`#}BE z6D!__Tx)9GiG~s9Z@&V$GgK6-^8D*<?k6enLEVkO?|BcCQ*z7CMAT#UGdeinX?1wV zDIiFHl2~g%au*6y=$)Duqk9FZ@`fl|*o{)^i;Pm}vCL9}_Rp#p?TZ(0*9=qWuj(a( zQeEUfX}%$<z7UK5R;>i_UyRNx>D}W^JJl(*ODOmA7-r%gWa>$N^y>jQeIlCw3w4<O zZ2-<f&-_22j@=gPe-3%gFX00-O?8cr)ygQLh;NaAg%Z%fh^QJGG!|bj;(tGLp-^Z! zGSkV1*zmt1DI5~?IUS8T8D8&rtaIgkH)i*^3q_PAq$+z(X~mgGlrQS?LnKDKPqnz+ zlugX6oM;>Ry*u>gYa84+3G0*B`=N@-U~WB-O#A8fX64YB>6wBc)Qi1v9Rg6$_Ly^Z z{Y3Y$NcTR{8)|yI)|{^zWfK5|I$Y|^_~sn+DKq8gE~6Nrsl%pa6$9ZI@9(i{D3f`Z z?se7`_z2(U82w&lL-5TevPT(mDcB8e#<DtSwu`vf{%>3yPi)H89MQ`(a=j)dJ1CdI zzufRvu<exEz7onMjq7tJxTtf5RCZbyVqu4$LX$@Per6;1TV$`6YyqImWHEL}t&R5W zCxHfwK^w%_JsVHUH5SYA*V#4r;Po@!j#+faG<7yM$;x4@ta{L2a=;%K(aXf>rhnEs zS<#FucjWAZ!oL8EpEyx|d3}BWWNs=X*BMc5S-2lDcg;+Fa$sPkUdcLZ1-m#VjS8K# z=Y_gx$7<LFsjKGOnk>=vwal^VY$=DJqibN0Xe6^*rB!ZqOKs+=X%^UOY?n699Q>Un zc|3Wa?y?0f{991|xUxG|wMkRYaWyPmeia6ExRo~?4#mVA=QM5;>($ZIFK%@~gCUk^ zWp!-=BLU<J$LcUQgj_A}&+;ZY@Q|NVhtF%UIXr~JJ&1sgPZ@uz`WLz6a2_sTK+2?} zvOl?0^Tbab-K4_@%>>S2ixYfzjB6~jcn05-)#{b&Pzlj)@VOFV%DyX3ChQB+D6?~| z_!7klu`aW4e5!MZ@6uTmAz>QWyg0eB5^#bbVA)%M-WJoJ3oIY%kWY_%@3<f01Tv5v zM1($483DV9JCfPnNX(sP0rrV7kO=O8S!<&I!X$~--{~8JQ(oMj1+p3FDnK86UPU`j zft%?d8wi;eS_Xc4rhl1K2Jc952s~02P#RK<6JKbboPssg8_u3XRDD9i{$O$_0OQcM z)qpvW5_B+FCXg}!o1O>ahLo77oRUBJTtc2Do2NRo9BS+F2@=|RUauQ)5vx9<xV|h# zEY1mMuh(73T@L#?G1B=jKio8w#10*<KcG69l6pWuA=cmAJ2ph)WVbMHAQ(Z+!pv6X z!C<N!UaUp>Wz;OIXav9Pp|Mx)Y#b0UNqo36(8nT%13+xUNmqpoM;<~=FKve6{!1b+ z|K^@HuLuHVzVYnV+@p9a?)jd6?7x)yk!ON%b`psAFhhXGZUMo!o&kkp!ZW&@?*}JK zb+ywbODT>*?|)u-C9{EK`HH?U(O{1trb<lb=7N^i;!=;Z!NWlssU~7h0&dY$0xY8> zKffJ7L3uSz`k$zzx~YbOsDz}bLSXs6l$*mEbYL4(aB%2WV2+U`S=P&HkPk9W724O@ z?D0E%SW}uVZw#x+d)(hG9iCrG77`|FBUxJ1O#9SZlYV3ryCT4r=Pr%GA(LF(&%ioR z13AaezgaA*)Y8{SRX}(AeK2hwnkcdeZlt>wm%n|Am2g?7x53F5qV4oGw9b}l;{q#m zJ>%9la*|*1Qfr^Nyq*sZ53j$kn$})`liz9uwo?veQUiCpjFfScZElxS9@4<DD3y}n z<rZrwHUtW~yw&t>lies4A*ZQ+>>&M`Q{{iyX$<nySzg*WiuP-!g%5&T;{`7^TXb*3 zqqR+c2OhtL<y>4H&vPMjD!pvyI6MXaNC2V4FR&`|b;T584Az#N6VAvACXu-%AmewD zI{JH8M`QymKF0%#+cO13(Nm6giibjE45~{K6TbDYyLkU$weV@4GO)KpbT!Np%9}r( zzu3ZV|G{s0=UYET!1SM;tF`U3^Vm8@Ac!9{Oe771fQ7!;W8s(!#<p<;i~rS3a_STr zq91gO=p%xa)!QREKEh*yAcHXSnT*4X8yX_E`aKgb7nE%0%2*tj0F?WI4DlzS_!nR> z|0^&!{(E4kPdWYrjGZg0_RD!D)Ic&w*9|eoBo#}mB?(5{%wQW?iiDDK)9t#ufgmJ_ zrN}GKO&L}~i0!D){*jKb!UY}SBDX3$wkkF|jwr@N67C4rHigNeWQIftG@HqDBW*P{ zwKR0d7&biGRc*`6kwkhJ)R;PHhx2GWJ;U$E)9=f)naeoTp;Kl<Tc%7TnxyjeT3+8$ zg^2f8L=wWK1$45Om|zqTR)*T5s+Bq_&)E**qu|J8uC|W0RgO42I(6@LooWqj{bjY8 z**SC%oh`)EuCP|S+O5)B{KCVqtDcLxu3qyxDPR|@v#`!zVbt&15xU2Z_zkab+)`_A z-uhcwVfS}iRG+6(T+H*Jz_`(f2KKw}Sr?__pgd~ZZ{xk}=#GdgsWeyVnCvGhGNDx% z>1qe-3`Jh1HW{-K=Gl`nc;97L89OMeM=xmz#51ox`AoUwzd01&Rwv$*U}VnSb}|YY zh<6Mf>d=(&pOoi&xUM4zP|HKsw|JnZBr(6uxtTg9t|6GMuNCtTJr!H|$H@9A9V-KJ zN-4U%%pN*7w}DeCVe*$F^L@(SJjF<;g#G%-RNZ6_8Lu6B8?QSB=L#dNlqth~I`qaJ z9B(V#(0}@GPUlbDXvJL5M)|6AR@CmV=#JQOu>y5%T20R^A?%FiD(TrIai45@IOUYT zoQ{fGWLbS(vgp8Ia!vz{yu>evef`T^i{n2R-#E_ba@h`WP98>5l+@q~x6sPGl)wY_ zDMej&v+DEshHc^9UVR%nU<J`gv@0xGvZ+g}bQJKw@LFZiMT@G<Pp)P@++RWk@VD!q z72#%ex%!iM9)1c&7~;?=4kqDlj&S-#7ZKO1DJB|;HK8StGCY{lz*++L$+CjaV5-td zDQ5Odz;qqzc$J;+535~Lflx%6Rg=wYdU)g0$Op;&V-?*5j_n2Pm+U1uTPZwYhNUU4 zsR>CMvZUt<7|1eaW7V(e-48L8uq@7OtAsBdK9u4_n3gmVG8@zwYLEq=ml+W}2TV&N zmg|sc%c94f(P$ZG<m+#Yrm`Ui(|u8=s0S3vl%~vqg`npfZd6x8*z6Sa$wU$m0wxP| zjkePUPuw3<Clb61B?{m1;q%dT$tOl@&{aH>EqeNgccRG&<g)UEXmt`TX2j4|<#&<V zq7e&#&ffH|IPd<}G|UgFcY7bCzGm0WLPiuO%DcW88%J7=jyzcFD&^HvM;VWX%f5B+ z;NKkBDC0`T(FGj`n_+uV5Q2MKrq%LVSEglV3ua0}j@TP6vM}QR^FGmRrrKe+JJ^iz z-p$l=UdFleweD4X$++uvZ$mjN*uMvclb)HcAoCweUG0N@L<Or>2Hz{kK-M4`Y5KSE z8>M(Bj`GeJ7T~H=i=KH^w>-h1K{KrFAH<q8kPXH}u&!IkzHH;y1B**XP^ab!84Cn{ zfkk9LtP6YLLPs#fg=8P0lA)2Oxl?~Za-&@tQI;MWup*3@;6^?7yW%t6t8-z#9b}J@ zIu0AvOzpW}v*CW~J*WfHf9#o8gYd~u1dle7+$JIdT=5f0uj$+&-W%{Cq)nVk#wTA1 zxc@R!8DSB_O)JbNmp}T6dgla5j+fa|5e)qzctGB2(LTrr7wHaBmt~75$jlrrW_f?A z(2kE#h?t{%19cs-lSG3tH0^P@`(!%;;*vKKwGD$_qE|c06Q{^j=N{y}<?B;;f&Fri zBHBVe(-`GaDpz`DM$BIR$#cU5r0x0?cy5QClb3<BStrbZrJ$R#@&jRgA1m(2b?zK1 zfZdW+?Bes0=AZUfo9#!>d1^n$<6;6Jd;(_lXnqBc(}=Pcs+#&<)-h=jta5}iInT7M z;;Rx_w}AWPly3ymdadPS2Xcj(RP1i8!Q;-%BXU806ma5OvY>||W&j^qd)OHeyvSxf z{Z1ew+(!?@{Y=BVI}G<6xA&p{#48<-mgCj_%c8{3iCG!z#1du~Lid80&(ilfU%BNF zUc>~E4Mi1JNMAxxcF;ux0>8G=B-07h{qj^*na7F;^?cr+Z!l>B|J1}&U-AP39?NF9 z5MhCPy5}a%DCpq&yAOXh)}0M4<4j2eM!!IbO^NO_<Of`0IPv%|C}LsxHx#k5{@0UA zb*Z@j<Rg5lovUJoWAc(bXy!v=frxZo<tFM=O>MRyXgHE|+`O#0g%%qxtYWny7xP4r zhCLomvoVzpDDeliHQ}W-t=X|dGcO><1)do7I}5uP2Bk9~L84Kw4UE-OtG>EDhKEkU zKZ2$~t`rc%q(+9mdbHX(cJ&55&P};B<)t?9nZgjy`{S@LrV}$lHQrnwnPF8Q-0Sd1 z%uC#-5$u2oLIDLD=zzU8>6tB8NI<H!563BKE+#B8z!T0uqBg9cClf`|$4++p61{~h zn-j7~(g%AiaX0I1-fV@<B6)eEmJcQ6w%eRSqlN6)4vq#RN+1`3g44{dk4J!+J)z}p z4kAH5HQ33o9$SRTo=Ut$P;#22<0GPi>vZYZAtezp;s!}5$h|};8blECypXYH!dL%o zrMbLZ3HAd)n9QZEs%p)WkCqZlc|qA)F-hQ&yDUQ*G;|H{4XOy;$X>Yj5ERPwxA)L5 zOZVvJt&a`#BM2sJP;AF%UVT}049YcQ^xjs}0I%)WBb;7rZ2lZ2{S<y<4;tF<Ft5u6 zdL~58ltJ?q@NsIga%Qyl*UJHnTm36n)v`lZSxB|m_;zM*2!DGg%{v&2Y|(Z=z&Z4J zHya`4*7dieJeS&GZR=5ax&!K0c(Gfs&tDEL{uPUx-j(Lk_U~3DNL0d)IqF09rP<X& z5H<M%ClI(4lEm3Qyc66i+Xd_0U(;Fj^^dREKHT3UB|17p3;<Vi>ba8QXh7O_jKsfM zyJXT={1y_-OK0u?EiPXW=*o<vps5(gikt+IqPn)S0Es{om#PE4BJ%qH>Yjm7t6+gK zB-FsHXa+9fBHVR1uXQpBHnFwXVr%_NI~p9F&ONhh$IGIiD}n$&+IGdS{q8utZKGpr zI{!Qt5mKI-p5RTeng;_rdorpxc#81-wRdvQ9NpL`jba&*5jCow0=;eShAG3Ob#C^3 zS6kCQ5dwtp3<tEEypj+#M7`^R{?%aoJdelPbyMwGPUi}zT~n$02~k0)C$^URy*e8% z=-p8AG`iv#+R@AlzG(2)@{VrD(DDL6a_T#Z{;5gt3{|ksz~TIOF(Gw4UP>$;H4NWn zJO&%9M`x?nbJ32(&0M3om#v72oHpfwMQUrTK<<l|ENGWaM+^u7UzxI%o2yJt02TcZ z8e{3f+)lEAs7tOt^ki!*RZ{N#_etC9o!$mXW%wTN7V@d`u*|)6uC3Oqk<#5%%iQ>J zhfXSmDp1pQQJY>Y@es@v-L`K%VLe!$vS&RYZ1E)bb8yJK<vk@0%`uGZFy6T^e0wyq z+#ehOAjFE^we?#sLOQc{0BQ`+DjCi&v;kFp@W33Qfjug<A;0=Qg}!d>SB$N9^@uoo zIKsMV7rcZ0#=>jY;O?KFkr+Or<UkMQe)9v*ldkS9wv~6Z!*c}?pu$jhe_I81?9bs2 z&QSu93wPu4zIHYzKts*`f~S^G>Z!0v7W;vECE=;4lJwU514ORcW^$j1S`%#J7iBt0 z6ZEK&+DFg|At6uMzZ<0T^n-+m{?duW5p2y7cf8FK;kdrO^gYhzLaNH0xE48CXB>Pj zBgB%26%{jo+`lSna_TjaGlkLTIAADU4L9$TIK;vqvWeXJ&L9j{oK!Oe#%5>(Ut2pb zKrOmDCGs4-EGy}5H6cQ9)@UOi&I23ailVqkS|w@NM7T<}<;C`mQ}9q`cXU<cRGT_~ z$ACB?(feIi>`=AZ8ZC`D#6M4;i_xN)ZF{n(ag^(F<7{ETy0w=Oc)l_mJ9EGN%4h@R zGsCm2M%8xNY+CaD-TguISX>MML!bjK3)8Vq_Kf9xipD2uH<3LU?KsNskDlx~S%RJ) zmkHG7WK`C&4*Br4<2rhI0BZaEOqTkIz$OsB*JOaZHQ+^4yvWTb)aLzLky*G26Gzae z9O-<NN0mM|P62}E#0VS|=fZwnuV8-9dTKkJkVY1(ZvS?vxuG3-)AowEh^b=Ovl3BZ zUxhCA##080;^Mc^0=yRq=c*n^)L;MNnjsA->OH=`QMiVSW2`ad#tU<-IbB!)F8+c- z8#coK3vT``!GMvT<-azc8VxPGqgEu}xw`oxm}(7OmjMAhPq<c*C|zW9o_^au<E%K) zDI{uzSu=fi@j{nqHmwey#F1EVW}$oA<XAky%paGheOXy^y~os(61n%po7jcPViZQi zh}4_cMQ#o%ws*E_|A-G??W(pZa~z2Qy)tv}QkPVfgE#b^-;TG_qpQ>77%cEV<`au4 zBSD&E?$+t?N)_`$|0^RLG2V2(ppZjI02;t!pe^FY#<wF+r~ON;y;0!fo<M>VH4Rb1 zDCsDnIG}K?ry4jWqLua>glskIRLU|XF8OFaLs8HnjFx4zQD7S;)x%_>q$Qi@1E~cA zokGY#?+h)QHj6(I%!V%PfE(VrtJ_sr`Gh;B<zpU*6XiLg{1r?W!*Pigreig$WWgDj zDO1hFG{Y$eiA<?UCD}+Vgt-3|PAE-NPUJ}Fgl4>A<F%JDsNLyRw;tRPXmq53f6FhQ zI*fn9gi#-jDA7a?sC3Ne2ML{htg%aU@UGD$4dipFUIOLD+qP;Pv%m$6cBt`{OW9eh zEosgfZZ#`VMU0212Bk?7U~R_Rts#$dpIHC1|EukQ$##MZnURfT+D+yySE0Vn7}A6s zFq+Gz!(5afS#DLsz9By!O`eXa_0VotlSOBlg`Dt0N@3MhOb$+RY=u(e+>>84DN(xI zS7<y)@OPX-S-Pt@k5KVmz;%R_!RU0(N&tCq0N08DVn(nY;1`t}&oIQRNjH`#tj+04 z-tytXzXgpk?gre-+al)9w4d=6zXExfhIaO>av7(0dqe(8G*_oD%i@a(f=M2&YfmkD z6pLFJ0?Mma-Mbe&&gJaZyjnSK%+YOl&1gY`${%z!9^SF!L&=MN3>3hB?^v4~ynomg zX*N0rfL<{v@@;X${wA~>=tMv(eUqhSVReZQgU^6Benpd1<LepFOcb!{9jDA1rp;T^ zhSsL$b#<6k8pkCDWZ>)eWE-H9i%u|zs)wAvqD#ue6Y<V_5*Ql*g#b|Inz@x-jbiw@ z<Q^Z;gSl_ed>jQ?Ig)Twz=y-8<#!$X%gL<yA=m^54Mn$BVD`6P_|R$AXybw{6+iB3 zlxp53ZE1r9H~TzxreyQT{pytu)r*g^b!KF`IEcOCu&~pdIjix9y9H|!W-(dlbPK)o zzA1&*f*lXZe*&3sQ1L84d$N7WPusc2$!<`qct|d`=jpr=xlMg#JOPuFm}AIdNS9V* z$PF6ob+`}!0!*y!u|-sJy`F)+<=G3smWw=D+M?xm31~e-wbH#SQ2eg?*u*j8*W(Z< zoPYl~ua>EJlGG(sh2tK4CufCVQJ{r|$*T)~b@yYjXfdbG7l4W-wq2|~94WDk(20PD zD7h@b-}^k{yA?l+P$Mz02u4}nmpwP{Na&u;BJsf88O>O;yGQ+!-vr<t0Ek?I$-@P8 z94)FpIA-oo_pnFMOI|nIfU||Y>6tWG&{!)oRv*E+er@~uxzVH!!#&douy63&5=gDD z!3s<=j1GpW+{bdWobRpk;%6g$=U?Qo(n_qTHnF-7?r5*P;$2`;RX=1(1-)FjPC_hc z44-V!-ms63^2snxl&%<XB}6#i9vU8=;Al@hf5nK%3E@j)N30F@nawtVL278ELFbD+ zcPx5{vIGOPp5NQ3-#t6qzPFF9wzk*3-tXPIL1g=E?uT;_Y(U;m<a(zfWOe%2C+<;; zkWXURpaE~%nv#cKsPV;l(q>*FpV!A7FbS8Pj#+3-RMKd{RxTZFtgr-?j&;>s)^O{w zfYy2i2q7m8*kThNDL;%FxYYant%Y6a58N!vJs&L6ItRPEY(+tshn|bL)?3=m!(v#7 zVfAeq&v(Y(_cf0rN~CiB3eO6llz9(IwMTu}54&12>bU|e(^hAn08oUY4KWpZ;s6C{ z<Va#DAZF)E!D1h^ruh<zb!DB7Gv-*z^Jabaji&6QgIe(6;zlQCSYEoEG8&(G|429R zhzX8`;0<gg<e6j?Vf%N_l~Qo1suaUD;KRHcF@F9O8WJxJ&@Ik}IN(5%`9#x%_|^cV z-is%ZdoclrmENg*jJqpC1T$95^)RYF9qRz}Yg6-cQ}uJx_2#Sqx2=v~E|fOL>iU~B z8@l{vRLY2`p?>c8=uei*uHac#NT5eCI#ssRO0#`BQ#8T-J)vW(8%`0F>eEEMxN*PM zU4q23=z3-!4Pb+-zGF~v)7wpnb*mI***`gP0)HoC(ik{)*9{aU!X!#W)0Nl3)+M-o z((iBT|8zw|;t36zoLP?@pdA8%HrzVbHa|=uE=tN0z#5}1is@Vrjn-l`;kC~EOt?); zzOaQEM3pQW0k{XEBcbhh+-j7fm`D${1dw1E2hX`x?R#D{4>uJLl#ot2z)KL=daXW= zVwd95WEBpj&F3VM!1|^;7Z>I8Jte7Y;F|7*%`y<9`1KtqM$WMebc}&gB^O|2I^Ys( zy6&zK*&q6Fm(7cqsCnI?Ug>!h!8HWj51-v>!Nkz1sx!SJttvRFbuQR5{N_5b93b{+ zQSnd05WJvVmdbs|r{tDuam5$cuk4v_T{@|7@8DtIPC|LSwp|u!0e89h#R-Dv7fL^O zR=d^Ec6umb5(CAgiDZiKgnLNr)gH<Gmigj>Y<%|77SL|C$eI1)SR<GKu}Wk;L8Cp_ zfjekXdmal@#XRp{EPhtGVk)$Zi2}?f*twHpEBa9p81>(J=~&+XX0dGl)=*{pKYNk? zi<MmJQg++_zr~h=cEjuuDm*O~Qe+AxY=U{(D+#Smw#MsBB$Ttizvd87)HJKMwi+Eb z9!4H>_jyDh)h2EQA0E9TM@qT>I6C}2r7?>jQFY4E-X@;59E_1+91TaK?pP;IyJ+p? z<<qjr)a}-*>0n+iO{7<+%*;&_*-JI>0sF+G-Oc%Ob@+P`3<#cC&m)qFNaUh;ElbNc zZw#Du$B%0u^LIb)7Ks29aI}7x^o-0eXFg+IS6zZ^(3E>26`8UTpA13-#Q-bB{ZaLP zLct)SS$qSJdh4aqspG1P3LS3loDv}@>%e}kc2&CU)>nXSD7<)7YCs^8sMEo403ygV z&c#4<@ZGvrUh6g!Rq5jFFN57INP}`8nB6QhgX)ZjTP@8a4tr|W6JF(cq5=z|_Vvy2 zEx3~<7fD_K$BKLPb!TOT9Qrja<KT&XZC%%8D=nKqV5M$hH93Rf9r-;<nMDJC2GgJ@ zB>$h&8;;-s0hnq~reG5ow7~i4P%U&fe@6lp&!x2xVA%US*(mQW*t?#eqOtq3ZYWXV z#~91HkXCZbgOPjY)3i?hSx{e2p0Ro;>_RE~Z~2a{`a7_J*||Ai*s3|I+C}dzF{p8x z$z9g2Z<>0*^S)5|Hc3z#U?!MTa{D(W<`yc2PCDA|_L_JR1oqsHAFNzmT<znV$c(4f zy_A-$1!AVFxuUOr2P?_ym3>Hw=Kn?6J2nZoMNNWb+j`2jZQHhOK4sgsZQHhO+jiC5 zo{5R>h`t~0`wLE-*s*i1+$%FzRL<Yt1EjFi&V}T@fa2|}oqZ>UXV_T{X#+ujW)UWL z>MUb0i;+WKkR_`fvZ)PW4GHSTQS-j@y=Dn%DyC^NKZB{i6IccKGSWtN1o0FxfDeKr zk5C1D0CiamH66g#UchF6xosY8l@XnRQbv*k-%y7$hqN~{h2}!IR^@p;5M%VSYECDH zU2w6fgh!t>;C>jgNh`bH2!PVmVMfetIk!q>V}ejRqGOZnbVSAz?+k)otb@zMnftpZ zClJ)ykB0KxT8-^$`yK2)-|Un*zP=p&G))pw@=#EM?kXc7PQTqqIF9Bz%dL^)k8>s= z#!IADvXIS=_yiW3Hf$n0wms(!XUl}Omm_~%rVW6`^t2hl42p>*MGa;pS6iR&1s(Dl z`TMlwVxSPUz-N}DL>=2zlVq_cPK*$`IKdWWAZ>({j%=sAbo5Y;P5IBnaVHx|Gk)NI zC&AX5@C^O-KJqUn#4pS0@uBHy5?G$P2$dRnIY0Nko9O${usYPv3PHK6!~O`lt#--; zRu2gAoSUyIS_D-{XF}bTMtf~x(+a_5lG3N4?)arE)S{{Qj(~)08^eUJ*^S6=9P6Dr z1pPTf;C+W}5k9m^A_}k{s|9W@)ejUnoJpxS@L^~DYZ}h*z*6U5^t9L5(__Z~%u++W zHSZuMxE|p6T;w1IKMM6~VzC6cdKte2A>bP`{?0LY?c<nl=uZ?Sqtwn1*<mgT$Zw?F zJ(t9kLjUSMH6!ibYH?51U(kbwp9ISov$&<LhGCriH=yP)-KKqRG6JT{T32M8Ixxff zRC1@&Rf12XXiqMez8^Ux1X9V^l+nO3pA4Dw2O62QhWiMi7Pm4?F_w0%(E$Dr{yg9h zs`@EZ5v&vG4t#P;bzjq#nkizbn06GNqyC=^Cv{=fLh7E^jopb5UfkG|;Zf8;#j}Io zf7qt2sgP+FSe*p2_Gh@loi$yj??1HR29NFbfwl|W#n#|Nr!TsXPWpqv-jp@eQGX4D zJ<vjSkbBFGSA(#SUjEVH0gS-(k<QkCf84UVZ_Rfrhz*<uV5g$ssM?NqV)~rjW7WV& z87I2QGy$=u@tyx>I?Oo<%2jEw6i~g%WYtaw0p|zI!GPg8*bggpHL_jAiSSk69i|hM zR>cipcKfzwvMpR(U`1wsLg1$Ym-gsJel9l;OR4czXHGSw*hQJ+w!_B_Z$h6wWhN}h z-_*3~rsljg)7^dRICI}~$YrrJu;dE6QA8sjr(SJR=SpPKCVZEXlhH53iV$pvz@s=Q z=2=N^CHR-DK&GSaczjTbEem!YII^3d!~O`@OX~yR;nSz4-;DgoUO$0&&s!%Xv2X5m z{qBPE0pQ9NVbk_u7z{Z``JBav_K`H4v43Z^ctGsBY2fN(h6VtX5{Q!+7psj8*n4i9 z3vPk9-_A;@m*v{D?&S{E0^0j`uaf&^j5|P`IAaaQk$VOBY=)!BQ@Bz5Y8P}Jg#kl7 zQArv!gD*66uQZ+2faiX=3tR82CR#zN+<V6DdX%VsZlHBPN~l|{9`)!W?$g(&rzY}W zsvtZ4zf?g6M)v<quGOSsD_K!?PSxs&6%RlBVO8DKI;x%7y0gQVhNsMr{E+8}`Td<a ze|tvZA>yPx$QF~m>t+{s&0-wtpzZHA4<<eCA8V69kR${|>UO{wU=0Q1^oiBY`i0u) zSYO?w{0E<3k0V4OQw)M2q&eVjT|BItGI#qw7C$x*E<Ns71N<Ct5UgNE$-{-?aM9r9 z*vIxhTLFkj6Ze*HI6<flA-o2>@V4lF)b;VU=m{sLmtc60AYz3`Ar8qA7zG&$X|MQF zqe3buA|1^JGd8nKWROsdFssN#)kSB9IO#M~H(%6CbQF?h6>U7Z&3l)QD=y7?kY3$d zl<6x~J{pMGmwcq`<gO!i%9+SuOt<^aES28AGcVLlE8Ml9a0@K35)-B_>Mt6@35mn# z#$HLH^YAb7xVEVwAvYsk+OPC`IQfhP@}E}WIRcapl3+u>d@qOyO#spfY0p`(>oW1j z+u01_hY}fJFvJ2z^`-EU$Z8xdUS~NPAi-<DR7;hv?lBC~WV7Jp@5L)37P2yhG+BhS zH=UmwN2jcGi`rMKFTEK6TxygnOQ;qOby=M13Lc#~<df#lLcB^(VJ@T_HXR-~yd#lu zp~XqsbAa~n5f8kx_;C`1xYP1MFbrd-as+c&ZUc@*XH)wbU#$BD%R!-G$m;y`XSbtX zwhR)ilAj}&U0cp>X^o7%-2A`7ICjo#me0~9D_%U+iOt&$(}FBL9k=Z;w{!7XI=EO( zJ`>{)>dr(3Hn|`p>K+gp*4JS$9#7O!1hcnOC8F@rwOR$(rkys+Z`OF#=xooIuav5h zwLv&Phr<}F`WzoMn>K=m4t5Zse{~h%QlIA|liB#H%qo<4TPA3pubBGZ@@R=kOK?J^ zbomUW2@0r|KG{7;ml!UBCNj%kCA`JDA$)2HKZu`^P$bAB!w}KE6ALC!J30rtHgWWf zcZTYD1WBnM_1PKVK|&$t2Sw7z-E?kFM9xPjuboe$*}bAs7B1v(_kFL6Rt|Ni?CGf4 zz%?_?C#GarRbEWn&Wm$;jPOD-D<hj8VdbnbZOi(R?b1Kh-Dgo7&rztTJLUHun?R8U zpXn8N)>~mhY@EObYmfs4&M>WM|4<I@%E9#XHSVXfoiv_zwKVD#oIak}aeQRH$fTb> z7Uh2mfcatsD}gaWN`1M4`D*_L{`pI6BphBklHGYy>zd9K!62k+@u@bI#`Gvok-G+g ztBP~z6r>NIGw=RmMsx$HV7z#<0TfpFLvRO7P-c|MXGbF#`OP)o^-Ft(`bpNG2Q(X{ zdflb(b%x}@>f#Yu)Gn*Xi|ti-+3nHE^QBRHG1cDQp3c01nUUZ$tPKla09Hd++c>{r zrpBfMg?cu5K!=xBR9?fC-QIE-a)ft9_j^vg_`|>j;u<0Hj(DN^9@9>4Mk1Nn+EM8m zU9rD$CPzQ5qR|xUigoq{Dnckk@E&jW@J<)e07Bw`f&fMI%93}#b>Ax`wzT*!z{T;e z26bk(|DJ35|A%znp;?v$+!I2yl(v*JO;gmfED9wkm`9|r=ZhzUT)*wQp#zY_7a(^Y zvXTWv9{1FL`ZKSAF#l!xwBhJ%JE9gBFKB~GX$6!*+2@2b90^0BR<8+!H~4>3x=~?M zZ%?3U(~t6raZ(UrYagqu99w%de|~I#EZ$vTMjc;Xqx_+;>I%iNkZDxnu1)cH=k;MT z?SLhP3j#eSJD`J5K$r(RU~0^6&6YMLAY<*r;q971<`W>w*)#q;@{>e`tzlYM8ztqW zjXuwJ>0XVwVNnMWN+hronB}Z5+o+k8lvS>Dm+*+Ko>;XqHhbP=ZXBg!LetB5aGff= z#Vh6@n$7m{oMID6pg7p2BoQynR7?i`D9Pd8hfxp)!=Y&-B8tfNiOm$wx26@F9xl2( zo1%HC3nO%PS*TV^$gI{(z4r3&Zj4;1?cAyuHGJ<e%|6A8E-lUuvm=^bbWVAFj|bn` z&RD3UTOD<@89U1N29TFQUSt<5v)2e{6H72(y3frlyKYaBz;*`|Fd{b)k<(-H2|NjW z|3qpmr;krpOi|rs%8*`j!=b0f*}^g=3#UWVvLh0z*M*VOWLe`~wnq&ZbuqM<d3b$6 z={1;U=HhI(hYdCo+C5rkvtb;IXjOf`@J`1)n9SrcOY0q~`lhtnDA<IM1$kXo_4^Y` zI@&`%B!9^zudDDiv2uXw?T7IdvTl~5n+da@@)fZc6H1?lUkv^IC3`+E)6m`OR!;V5 z1f~-fEW>RwNTUyW$9&{uvryQ0fmb?l*)f%=7hB)OW(^P@$>zSrj?}?OdochIR8=b} zml7KWs$qIX3vG2d98;rD$21~vaOSE@)y=DYZ#lg}g$0Y>q^4|bzHGQ2i(uV;U*-v6 z^|t@CxU6Qq@zy!bIe5Oj@6);?hD^mr3kX!OcW_lWOMEy()P|^-DV;J>37$Il(L*yw z?lGPo+*!&b-L{K_kqA9&3y<Mu@444-J1M!TX!dk67(_)$qpLxKE83%$u6#y@!DY?0 zNEF*|%WQ=3(D9F-94$4{XGglIxP{-j*-z)F&wQ%q8wTwyV4|$zr>rrgf~Qa=LaJ~! zi-kwZC$A^rfTn6XI2|>@PyQ>qz`uw#3AJ35taQy)Ti6_<iZL6sZ=rcuX2BGivH8!> zLOlY5^EFEZ@ibn4k!|XZnNhtjw;wHDDEAn!a#Vaku~6g3P4Xhk?}@mZQ|DH@)qZGK zMN+dQjz5mR5j(xgCu{xY+v!-GEIw1mg>9FM_3`LGZI{njn=dr}FcbXF+nO9BpO8lF zkwpQCMlF4ZVa}fa(|^zLu8wMeqY1TNlhq*96Kab1@7e2x9k<pX;D~BFw(&oy1ta@m zkO_+|L>M|OnW0^-^*=Km<J{1Muh8XZF-az{<5Irb0^`?XUJ#6t*KreGh5d;UKRQ6# zTZGhtAyDDT3??~sFv}oMd6M>1KQc1cM4nD`l4p>|6dDc#P6Hz|Un{H>zyVDqj`^{{ z0jC7*fK(e7z(FLT5SBoOBg?z@+bRV_2}}s-_#09SkVo1T^pTL!9hRDb%t46;y*AS< zIkA5?nL0;lAzYvivkWAd1w|DVduYICbz(F|N8ANqF(+w_4*D6>h_{nKFEzO^PX-=3 zxT#o%;1>I)9syyab1h>uU5^xl005%*DUoxQ2zjw{eFToSnCU#=fsqq)3@}N?53_N~ z)t(oQ$D&-QgWZ^2*2PZ9?6cDCct%Kmj#DSXGUH*%<9#Yl1EhCJ5{D>zvUbyhB}dOb zU!=O9+Zyv*WV5P=qcq=PmY7*n{?HuE3zV#KlgSI8Vx>2T`KZUQ%peXe0~wuQP`1Ub zOx|)Wd1zY3NgO`vjNrcYpl{{%7nF!PJlCoDfx%gk=1i6Mxvb^Fm92fZ%I+I^Hpi?< zeBCF`V=yM<CxFoJPY}ziNakTTO^RPt7r4#l^$U+Zu+DYM%|!ENmqQyy&9HrW#528i zXH)NS5y1TvgwhtlnC#?CuV&?bI=XqNR;^N^hh;hujQRK?Lm!Z-TEW%%@_^RUs<yqK zHmd0j#cv^VIK>h`6I#Yt4`AC~V<KE%e(Wawu}>v@Be*F4_`(FuP3FLn?QAMC{sSEJ zBL36E1HW*`Jrd<-=#1nuUdl6t*?w-Pml_-VPvJJL9=hMr1h}2GP6~_Y*Ul%eEpTX; zw1B;DvYcm{kMoKt^Pf{!$q_GmE7?gyrRQFJPyX{nnzw@z@T3>pxBx9msL=7;FN;ZH zA{51!sN9xQzT{w}APPVtRjn(N!@+0uPd>TQvYP+9Mza1}hzlbF{eN!mmo=qgH`$ST zUTfzRz!q@sX$)jL1G9%`Od8L@PU1j9s4F)Gt;eax&yRNPQ1KebCuOf}sa@lNDKe@k z(RvAcD`b&)#3Y_xJ9~L|z8|;>6+{__m7m^FEYK_@!w;A}w8iiaZJIsa>f|N9-h3Qp zK~SmDf&|n^?}apQHWps^xPM-J?%(fYJ9~L{zCU9Eo`?%XH47vtm6fk<czt9GSfYLr zNrKEQo(xT|32E5@i|2Ml;oW{aq_SLuq|%0HS!Yb+qijluC4`F@1r&>`w{Ov<hukx7 zCwi>WlSZ=ZZ-k$!BF<|UdCHlI7?)FDi2KOL-|9+RwdKrHL?o>U**l4WO_dTP&V?~X z$DNPZCrA_&19|oYGBjpUzgrgri;$Wow35Lf3KbJUI{X(Z8tE_C;N;-(VD|FVm|gT} z%c6RpZDox%g-%aYn{8fgl#+DRmS>R-KD*u;@+7ohj-0KK=0?-o4D9yP2OLM<uhaf+ zdqhHxLz;X&pka_<^1wq*g!SnwQYc7nELwaT_HI>eKDM<<+;dZpM8HxjVxF#*{oPe& z32DS+qVHSDVsxHDH9mzswefvV8Z%bmWwGJVP(0eC`4acl*?J5beNRlRiBZadbD39@ zvFY7t;A?Vuh3jENRQn#Qxrx%y*}R>1*z@-U$7^iO1wL+$fn@+KP4rL7WO(m*MoUzV zS2j&`19+9MSkjO;%^HJ|Ck5G8<aqTyPnDTZ{dUw^IrVqXd~r99SterSU>O@S<tO#Q z2Vr-?7yzuhYu{bt)m2@?+RTnS8K-%IjxcTA9hfvZR@cX7A<{o&1M*Zlv8v^$U2SQ! zT-iljyO}iDy-X80L_EoIKt}g-fUE6Bg)|xwH?NMr>xhX8+6OlyaR#PZM^J4Wp@Cyo zmbG7RnXH-p6l%5ZS<6R9NpyP|9MNqjb$a<lCT^uuQR~Uv`qo2-`D);4liL!x`{cZR zywh=CR~{beroI`+1i~5B_AFaHE+sbDDPRKhVgVS02s)PB#_dz1>rHTypviM#xbN4E zK@VRcZebU-025130NK$cIzcvKj6?M9N|j(74&{hEwD2JOV0^kT%>%8pX}=UFM*$?3 zAf=`HUdy|hJzaJWItT?`NW`pc0p@rCF#*t-_t|}&cFMd3v~o39L(A-{>FA%?10dZA z6(?1`hma<=$k?C(pd0mV`$*mGPbZ>-UNeK*WPB9$xw<~$XYFFofKB9r(C(UeVN$CC zGar<q@tbxepv#BJiD$;9ca0#eU<yMr5LVdVb1r+OdFUyji~LdMDa<hbplM=C=@Ur^ z-q`Mm<iUZLnwH@@)F9n=PZ2YF_PkX}jxM#hD}Pw@Gw989;2!cb^qEnc(#x>4IaNTM zk%|QeQA5a`hcH%rxF={BvOXD#&N2%s{u1Q_<J@N?gR#x-ixtNv@Xp$%H(v@=+Y8Cw zqz(ho*RI#V2V?4-y5f08>zqOvXT-c&=sGF21l3O>UDql@1y}$%0k{0~oc^KW-+;*P z2Nq@5GLGssn~V=cyyGN`<d({vkr@H{l&aBV?FsM<8co1%-ZjK;bBBE39NrED776&y za~K{C739y4kw#GG*?y}vDKEdJ2J_TVeJ4P}#kJyz9l{BWEzS!9enBnPlAg+=esT)d zWf2pO{Q$-sN@1x1&{TQbavgFs>UFTfE#NmB-Tsk(NWKH(hdQz<-3As4fbJ~$ofYpk zrzgo@VU?)aG;0mdNh>6Z%y7<P>laI}Gvfb)El@Cg=*ztxe=Y<il)M>os!poiFLl?& zlpK5m1TCMM;&1mv4!b}LyYR!jH`;Oqr`0EJ=T^W|JuD&6Q$iEX^GqDbO=j`|CZ}0$ z8oN>IN-vM+TDkCTJ_pR_p=pb@<OA={$MU2meY4Ppxj2(Va7rH&NETRxAnkwnP{Vcg z5~e<i-XY_(R%7FPT-Fb_)@6iTc{2BllSxC>WF%=WrO!i>B`)qoiwyl2lBo*{Wd4pE zqw!bUUL1G>3*I(nLuRo!$-M31X4;$N+vPyx@r<{hra){W|0VIYR3&eBN6w0!0Cu)@ z*-3|!49?MJaQ%Bi>94(M_sr%kG|8bA&Os~icy7T{ue^2;@wJ#sS!C94@}<ne3^E*D zyHDZ)p<Enk1RgrNoib-;CAef|Tn=8Pcwv#9U)G`hqBQ;PZR@h%(n(R@+KY<A+Q~I4 z=;-Aub`BG@oU;d)tZwVhUJ!*n+i@-B%^Wc(2|hG=MiFrQkHGM~=yan#rd5l}ACpT? zOYK#K#g3SW*kbf!OZGxMZ-Jl+iFHxX=P~{0TCssZnndQG$wh_MTt><zd6o(>$F`!% z$ET9U+r(;F4>Ukv^(^M>I#bI^Ms_Djw7pWJnMfcUqdstk#r?oE5;2j(ROq3MRA|_T z-cB<s<HG2kblC15N+%wVfH?ywTXYXko#*6Bo3r~M^LtVk6;h>vAr+Tp?B?0fUG?s8 zKAS_iONB2BbYFUNBS5f_4oaAej*GCq{j_k2**ANA<%XqEh~-3x;BWy0)M*A4`8NY) z^<V?^AtsDwN)gr=wYLWoIhrhS3?@}UtJJjKzp$zUb>Z??Aglwebd_*YLhs4QTr`yf zbM;jb55IVm6|0AIF#PJY$Jh6s&kt0S70fdE$-lrR%kz4#bPM*Op_V*)CdKD+*ztHD z(+jEcvujQSbazzVlJr&n+=Y|5-nK4%)M)HlKGLEQG8$fx)47gLly_bYRzFOG=iQ_1 zM<G~nm`=jy?39xw5x>9*DPSxALf9FY{$u_PJIntj^c+n8gZvwvSglq>@73BpqesE` z!E^#}dLUxiEi`k$!55*;;QBb{TA0F-i8)LEx82vN<RkUUH8qtabG((K;*g_#FB~`t zr*Z<&agI846s(9L0%Xarcob$Qa#3;;2(u)tCd>&eO^dif{c71XiX-7Ozuv4RDh!HJ zB#doGQ#(XuEHHv$VqPg$Wt8NAo8i-08sku6Wg%4=WP+xqAPQ(OW($Alj!XtkVtGnk z1!YR`fdq)e{9&qt<d6ycEZ}%(U`kYjC~NgYdPcNL3=It67UlVXTxqXqilnSAHE5GL z2qB^@dJIyUDEFXl#co9*e^b(^V-!R?24$EtdIyCkdlIzjG63!JljI}Hkh(UKIw(Xa z=_|hSO87o{v__+s=SGsRKt6C<!!l*%Jh7Fie#)ep0~!qZX_Glc9gL8D)-PiJ=~U=4 zYZ^IW20cP^T?V~}n&Io*u3^}l6}4B8R(%pR@;pv$*FUOiXkgSrQiH2?;t7!N?7aDH zG0g76qlUGAXColJ=fL(B=o?^x3zqZv7$7rnyr={qWr?E$(H6t?vHr}lw3!?mMCG0I zX+pEG)T)<(h!`%(uRmLJC^O)t3s%PrOO~C`TH0S`nJ6j>fr9xDXxi>T!XClJ#6-_k zQ4oM6s4-Grp+4l<W5Pv`YY{VJ`V91GZXB&Qjz5*!6TJ}xs~LRM`u>97?OAgmW!>ED z4~DiT-uC`hXfK!1&z0dwFt=^`Z$&O|lX82amC)&*M7`m7bor5)n0tTj`>Vg=;eIvz z%D*ygdxwdstb6|*TXglAV)ky=rO|!Ov_~$X^YuV1vHQ?t-De78%jJD}GkB@VmCgm0 z_ib$#Ycjj#P4Bt5RfE42@#V80oO_z>@#On-c$R9DFqgkmX7Px$FtvJeIo+Q4ws&hC zkY@un<3KyDvMKLufIB847wR2<dLHy*^7=je-u5M1#8bPh(SuhiX<h7<`Q`QYNeqPt zZ|}P()0ncyQD?DyVLwe1pqN1G4~Y9Tkbk+P|GvDKrtFjU{f9Q;p=Az#ERIfJyu2J< z41NxmZf;Jy)wD+XQL60W$s*2ULQ^AV`=~1!=U?h?P*pTxL9cn$mKnnG%B?CYhr@#8 zCd&ut7z{%hj+xhH%z_^0i=RizgDm&8#tuC5hh%{p5n`t*h5V6=n^XrqFT=rXqNfFQ z4!c*V2Qmwk`~{ieNHvw@C`eD3ElF=FMy=><_$GJ)O4K^mI|oJFvFub_YC`hHHa$68 z$90O7T@sfeR7|6KjMTIif@(QTO)*T~MV$y95qjqz5#kUt{ga9u{LiPP^v9Wb>FR|? z;Mgcb$!*B?gl7KmB>D`@PmRt`nTav2vqns&EPavJeeX0s_Iwv8=sHG1mN&MbVK=D2 z*99HMW(;rCpd5>n61m?{!Hsxb&&P?Bp$WeyGhzp+3~)$e79S8pMER(zjL$!5I;Q~w zMFj?8V1$B=7?g^+cr0CN!W;WF__W|EMZSMcoe-`V=~Ll1c0aRIjmh}Hi#$T2OvjQp z`xjVYrYc3J$i@v)I{wLRwI5dHrB#(&LN1wJJ6%|uX%&va(41(8q2U5c>7qJMkj~mi z8NUU>BG8_y4I}(~j_Ox=Y*ozsd_FnELt>ut3-}fTDGj_X#%}rh_=&;)WrOR}s>=f~ zeW_-ryVH~DAO&5yCSH{}+u^>vp5=Ky5zwx+B+`wKI?#&UHJn&`lBx`O9;g>pzQ-*> zrZ2NiZIuu_-FaMq!g^W!v|Saq=9qHkum>Fr{^JkBO+8-*6Y~&X7Cq7K@YTmo3BFN` zT!(sO;^WOhDwb|E&q$f-(80SfzGw)3Oynxh8UE+1XYsg4y(h)NjXlo4+~MU_X{#*j zku`QQxdPu9JNc0-r0VccCu9%4%2i)3O|D6ICg+(Qul8Nra|QY3S+X?vhKPgIK4HnB z-B>|J^cd>ox${Y(T{-S3RchmL5BJ4tgl9E}=Fethwv8NDe~zp9?7{mgCW<Sd9xIP# z=lyT<3ms!>%kaT1+NPshi*;w@c}u5&WhZuV3zyRd?P0ynh*1;OBncB9G5d)-{0kny zbkuk8`=(S(`?8(Q7GLdZWwROPh}6YLlX1FRu}hJT8u@9GV(EfQ>LeqMcHqj3zBdzd ziBcco<lh^Mkm=OMg2|c<#~mW8){Io0-FdJ2yREYT3dDVDy>Ar<_!Oxp^oGSgPSplX zq=I&5iIk42Z9;<d$?h35XqbezfQV@dxLOmR&9hq$p9God-B-iHmnM`>Cv^#3uNSpx zasK!4k4rQv#HP#J+(Y$O&12qam=*pS!v$0C^OOl5iSec^nyUcydM7x@L)^-wYVfR} zXUUxiri|Ww=EzMmGn{qdoD@x`2P=%n(@*v<wGgCfJ2PPcpsyyN$=ZA9Mcm8N%)-U` zpYR)~i`t)|^d&l#FTiXE)fcT=)yd-Li}mpFzhFj;K6~6kqUA%H8)aGY5y$t%-*#ik zmh-=x!(}*DM_IFpTqH_d;u`P?>$S&SW~9y;F-V*;UZ#wd=h!uOd`e<iZU6EV!SF94 zUM3b6{Qp|rlNI}I2k2qCU#YyT;f-Y%LS8y7GKazi?EK`#fvZ<iXlXLuK23<Nfm$TE z-YMK$b{nJXfP+r=c;RnyFoL6u10cs*`I!XNGy2mM3E6|Y{6y5%GT*6@FisZDhYYbA z=}D&sKnB}Y!3+Q79K$b~C(8wla{q-cv+?Kel{!c(ss~sGi9{7N;3M-3GNb6qErY#F zL*86Jz&h!d^3x^zsX^z+4+tE?5a4z7NR1*P`*X^z9)&a{kKK3!&VlpMJg-9&dub!g zkfd_`q^5-)x`3ULi<7NSwtPvZ0iUzkNv>o6jH7E9kZ~o>e88HYWM*p9M9pnh=yD02 z*}dRh3q5N&%TKWl+flbn-tHVoUjR9N(7R3hvJ$GXt<Gh4DYe#$c3${rY3FU|#gcRa zr_-R9sey{>I0vg*a$VJXQ4i|-9>!c6((omhsZECq-S#@Em{{fupIz7O7oaM;G5TN5 z>|Zkq7})6lyX92M?(qLpNRb0lg~0R7ZxUt#d0HaxHb4udoC$|fw-Y8alYi`T5h=Ei zP{EgS+(;bRvp-HJ7L_@j%AdXtuO1&9L@<$&SPT)FwL2Kz3`NC@)0=6qx7w=I*wu80 zbxiVc=aM*JwE-gL%nDuXXcHldEga^5p4HDKH>-xEEC*vAX{b~;ehIkqrS78drbPCl z!89p_K5v*yC*V6iTpzrUxj^Olx{)JV9B@BtYl(pb0FYy-%}gK6f;OK~>=VG<8`(he zQ|>_%+D3;fiV9m>pZhaOzK*#AjbS?B(O9NoFVWYP&67rY$#dOfxOgG<Q*%15?WJ;8 zPUk5tc$o0n@yP1<uCkUL)Keb~>6o^hUudUBqZVR6c7vxSXFc*T$cyDL*cuSS3fUrp z1463nBj}lOGO_NSwM@FKPSp3)VayOBg$>=i3kzdlY4EYbi+N^i@qvU^>Ne=~kF~n7 zg4THAG7C3*v|?#AQUYv9&IWLJl^)R63=B!o69Nt#WeEeid7&kQm4KC~1jqOaL=P)( z7_YppY)*8HA=g_;bV`>K{7uISb{8iMdm3a9@bvdY8I89g>-Xg<=@EyNvDOc+cRU9T z|LjT(-tzL`Z;to8N}3J7sXcm=cbpPi+TA1*A39(X{0OVdXm}G4@^ICsnL!oIa{Ciz zQXAo8)<;*97y0Mvm|$%)7iC0I60||C3n`9y{V`8o_)*Y5s$uvP=p}?zCt=+=eT_Gl z{II6SsvF-Kds`obT4=F{4iy7O?`Z2sAN#j;BXZl8Y7?g3%Of(*rPZ6mB`EB~&?|vv z>~;3ia0DsI@=;|+S*5&W8Bo8si;z;9v;dde^v`dX;<RXOg`?I*qwq*=Sl8^v0We`H zx!Ye2{&EkM6%o46+vHdze3wA-VCU;c{kGh!i%X`9-B)D*?HYAz-Ro3V0cgnOQLA#& z^G>?pDaIAYvsj@|t;s_iI^MKxwU!ZHx>~ctc{7jAnxq-$(izT~2`pBXWv@rCe5;&Q zhF#mCwuhY;HcxfQ>KXPXS=lxRGUaVswPYdQs$8<EzlJ}vIpB5x16NdgiWgN?McsFL zlF6;dH`PR_wVyyaDCb8VvkPmWe_=m<CDu87ket?UA<cPxVr{=eNSK}mxADxtcX3`w zKRfvrN^Wa%YHO)+(kBLZ0(Y9X)yAqCq~(fx*ra7jlR;5Br%mHnt<UxTfx^lL&6n%o z7%k|M(gci3_GW=dWG9%XqIK8Z$FxH@bw(z-7{mERL^xVMWfRmWn^7E6Tw(42ep3~V z-E`OyZfJ4XxRO~F^_y99^-64>03f#x#?~Uu6UA~xzF)9M<tJ7{vRo(8l>)}U?AZPU zX>^Y@!PC5HB~lR2=*D|DShbqjtXr(B0z9gMIU4AF6Re&sjvcTEyH6~j(8nWlujU>V z^YF%nd>gGwPYL4N$9ZREKt!8qd1a^AkfMLj(3Ap0rDRJ>zP*yJ$w0k7R!9mzGJojx z0f|sHW-<9-WPP3N<Ku|oa7OmAH+JyXl<$4NEmZzxip<LLZ`(21{`(7gHHJ=NChOgH zZ$Rr_x;kL^Y)`RGf&}TJh12S}Py#2$5fdyJdcV%iuA5rt+Q^BQ#YqmaYUTG2QjXK% z-<izy+0{n$+Tz<H!f4|o?b<(l(LvIRWG~)`6ua%TS+W11Tn+CO(QNmRch6lSJM0#J z*}Gs!j^{I=f7_xHW=E?NpR>z0W`K!{Kqhx(g-VJq%j4|ot!ZtI+3$=OLch}&uoNAd z1Omsq>&t!PDT@8u%zcm~^65;0?H^Qfz=ZxD#~M@LsV?y6uwvw5#lMuKsJa0d{<mlz zJg)*(Jr@Z0qk_mYU_mv`Qm5ObMt7>M9UWxmm2NUtE<u4MxbiH3GcbUmm_$TKI9va8 zcwEz~QX}M-T^G<gVef+O;h!n%@S_?gSRHj%Q50&ZOxGBe&Tf0m`GjeB(k%e5B?jUx z9ON)Dny)T9$*N>;4ax@J*R!v;xr;4Fg`G0#c3`Ji(?2y8p@I7~II_RzGGd*mddw!E zVJkgjhb6X}%z$8#WX54WBge3B9DaHA3sTO^XGkD~@_^?+4iv;7<);EoGl4_hyB5wL zf)hjE&Euamb>me5DXidgAhAN!fY8N3l1qrt`%H;9Y5wOMysfN0_nPBGNab`z5q=59 z`Wv>bO%C>v^AJchkyVo^f0W$s-qep0{q*P~<I7ev`@1~*O_Q9jVa;|!*_cj=_7OIT zdS&WOj%1WjuU2gJ1J;^0O-9ZPaRfb^7L$Z5l@Q<ZUd3`Ciy(m9uP`}|(>L2;wo0gZ z-SgShG4BXlH)WKI*pYHl+4G}>QM4(=6^rECLmZ7K=fwH>WQ8+EQWO#FIY3uGZfM93 z(;A<+<Hz<O*`?&dht!N_0<&k|1(%8*DAp>(i*z|nBXP6$Fu@4nzDxD7MhM|XxVi3{ z?7F>kqQmb7pYDyD(7*TED*f03_1oUZA5jRRiy-+meftCy$;XG6k{ztOdE-0lxg!qO zawQdAFOaIOrNpPEiE%Rk09<VrS;WJ6S7kf{>@$)9IE_j0aT^@-58^fwh7Dw!fKFoo zWo#-r{2E+u$Zn!(x?#%kC`E*<B1C82V=|J2KVv{P1v9&7)HdeGEFd$LXs$IzIyEm1 z+vveT%{vb&jbW`P0nLGTEZ*^FEjQ{$#M~G)r8Rbyu|CbPI@nYiCn}6GXuR{}NIM>f zQ#hH8xbpk)PlQa~`)kVEta~a>>!EurnQ(#gRN=Cp$~Vh4S`}op$r4zCvXsVyt-H6- z-ap(eDd0()vD61_8{S=ll+4GRG>pgz4$9FHf(0Su7=kcX5R8Yb*u5aup0X*RdA3$S zz6D`X3_2+*pP9lij;U6kFjm6i83rpW;d>E??J6pm_rQ7k{XGf8dNhq-6V1jx?K%^> ztcUC&CCjjAznlBll_kO*q9((jfL@fVTmbw`K-Cr?SvRk=+M7i~;Okx_nM4~$P?>|p z{7E($Ahi_i8yA2-Rn6W-(amE3c2PizQ^9ZaJLWMT^9UB9)ZBm@_a{;V`-U4SxG*6s zwGf0PtKZ~R0F>E4HdtwhqKm`;Py^GX01Wx}m)*@u2>_I~VYhpB@bpE3pUA9;WLqiH zvAW@5RAWG-sH99GYAM6nme=jejO#k>JkWAPZ2`8|-QZF8APSuXJ#_+h|3XnQqvVj1 zIpM_G1=c&nem9R^u<}XAIrkiWhV^H!`T9JN9)VAN|D4+o#ek1*lx+U-W^V35D5W1z z=aXUy0uy{$82BOAR6t>Q0&SbCJNU#7;guvE3$xF#d5@SMk@puKp~-!9X%UTIU1^>w zsiopCu{x9%j>xPcfhOb|xv=m88;h8)av~!_8y?00>ae>+HdE19g~c6K+jvYg!!q3u za+B+r+;^^hJmYYquX_7&t-I4_Jb9hCE8H)8Wxkd((j>c#T)jW*6(Kal;6ktSh{y%@ z(3^<1cs%Y=*1bTNpftn?YTxWKRw>`nB)SQY`+n%+<5n&e(W006YZEpGFKhD2sixom zS!}Vg-9XuTJnREj%grY~bF}#z#4#gFn_0>W!rR1U1=T%n8`4)F5cTLXu@5}`?Q{)@ zUAGmx2B4V#28SI)$Su9bX9#@sXvCW5?q(by)-}7po5#V7kmLt5M>E+mw~N~f5amv& zEN2`b1ka^}UD<l%7U#HUf<8z-><fu1odBhL!1=_MA3X#kf@BbaR~K-URN6m7-?DeK zE5LWRFO&0=+Z%Z53#tNwY*vJ$M@k5}jwzYr_zQ1YqD%NM#qZyYmFz6+|Cy6jtLn&Y z(xZ6K*4`BoMMw4;S=lXuEilW#bdZHqG{MRvYNnLreShkVx{7bW!44(<IsM4_beNIB zXeWruGR-AjzYpIV@@E=|8)u;ap<o9m;z*|+BdJbpjC|ap=j51-ZKKI5fHL+WW-dfO z{h7P1&^G@_bCRi4>4Y>pwnSuoY^X6i{<2Nflj$+lBVE6ZBH|?K5;6i+HyQil?d&o% z_CM8w1U{#Bzo@ziS4N^I-&#E){EV;1-~rD6UZG<^57y;iuNILWVF#2(BfyNpK`H6S zC?wll?$W7I!ziqKdi3b&9$lNf85?!SC=&WxgGMB#2t>8j$7k>R`z9RWpRc@^B=R{^ zW0`RdR^O6ofgL5L%Thw+aVQgrh`qskl^Tl<Ry99l4z7((w=D11SW~NCvCKqDhofFS zmpuHi4$!S_kmS-0Pn`y2dgKWJeZ{xv1*3hOwJ3Hq3TSQsXz@lnmtgdMh4F#ruB9fE zH%wQuo^Q*kFUiYR=AEXR^Hm0Lf=VAPTe2$Nuw-}`a(n`6f1Uts=jI0yAY|Z4s88=D zJpJdK5LH2P0ZewpnY1-o&0t<YxW{VIf-%c&{!{cc>tNrR_&6!7HqdP@7@<Z*;8c7n zh`s|eX29iX>k3?9&b9k+f8LY)(gt;=o8>4CR>~r+UP7Sv_v>YPb%=@qf{&36HvhfL z!+cUhXZX~IeYknNy_hZgg)gMg#A|tnl<d(_$@}d!&r>r*laVu$d@^&nqx|5_N^+`J zf*0AoYzpYdcLj&Ren#I36$2G~MuQgRM1Dt&MljEm)yTK=a_skJb9=lBIy~%xB)B{v z5UpW#&2tC*24@~>G{JiwT<A~Wp-^&R3b<k-4123EHtYl*ENCl}9819kTR==xSRy2b ztyrGFTuO?8yE>hkjebb9=Gm@}oo6=tYzC`lvfFl;M9f0z1o-aO5cP~4ljC}KY@!AE znaFyI0pYWE>`0;ggjrA>oO8ks^*~AahD~F{3%Q)=>SW)gj)JU*2<&Me0iX?=1WzNM z!S#>O!mTK|D$+cG$$*a&%a4e7zV7ZeL-~D6{l|5|-|z3G(s;ZYcKQ?D$IYf$MS|~E zWyG7_^0)ij4&vjmKk9?MnsTN+|8iCT)vUxw&+?yl!m3F*ZLz}i+}6%X(=A9BJ>;K0 z9g)UtOD`6+cr`HLRu3&VEE^Su@_gPxBP|VH%8+tA2_xbA!}oz#rKlH+R8>yjo}a9~ zMrnqp22nRHWQ!!u895k=BzX{&s%omgx{|cEvdM~HJvAOK1le1D=G?YX<G*a){KeR4 zn1u68FFY%t+?0j;>~QNT!edQ6Ke-GE;4_>b<_+&!gRkz|+43b&1)P9KyZ?)%HTz*{ z<B;nK0Q{2d()sQw1Y>?s&u_DAD0tW3bnC!pOc@fUVIatZOW*;Uj8ss^X=~j(G<l%Z zb^4u$d_f|RmyIxaT#pV0$@#v9W<(+jllII!oPYYb=BROYkKcC+9|cNgr_$1~P;`A_ zX|&zxA0dGIQZOi7Dl3hjW!I*&1zwLD_&KL`gZU_!t3gXleedn;n|=%jd&QFm>&=y` z9khkp$1Q0Ri=+`|8V4UluaIZzDJ-+H=Wgwx!J4Sb8ffojm<mV2npT{&k#p!6>`OP} zd8LrWW706uvK*Ah!1l7BjS!4uY&CQZ7o1TYQI4f_dN;-jCizaBfys0vtrCw^R$hLP z2ME}p2bE7~&5XouC$h}T6%RkQTFzTu#dVtEFZ0n@+>O!Ccf>j?Ex-5ny>>Kt{!7jt zNSw`S+S9Ft)0hr6HRsn|0La9w9|BfaW8T*z11ty&>w_T{8^OYXg6pK0cqnawUcryc zqN1-;1{4}hX`fbBVCg&b96El#-M;@YL^Su!D<3rS81zt<u5dd9;9#&~$o}k329Ndb z7FHU9sAk&Sj`B$arQ)TtLh+?wjMt&M`~^vAw$yEp0g<HatPwmQc$4Hz#z_v^GbLxr zy)|)?{tgDh&?=I0t5BQ>eaWP~gAJU4jK3K%?nLq+AO>lfZ4ejJZ7sQF*s!d`gN3`@ zUc#ANqT>%6+wd1h8ZdLf+D|ODQL#Si!eB8Ih<2}Z0$XJM#0b_P(y+Wra-<O%OkD@m zfTvCG*}6$y)r`YWz5x)m5Dej6$=Tm~bxZ})qsrfIH^K|VPmH@54*rVP>O*I9`R&FZ z<miSqIQSsj;|g5aX85YAFWVM&?#SkGc0nfZZwSsFEfbqPT&{!**HkYjf}GO=;<UO- z8xvYUpHKFSi|*c9cx_=8WA47AUu)EwEzJinRrJkVWW6~7pomtXFl(qo+I(6zv#ZoR zKxQgdPRlLUL3+f6#n87g&wht)xZx*j_xsc8@^dNQE|2b3@#<f>MOhowjaFZ;o}R9L zF>^DwAt~UD*lVA&jS`d!>y3zrPl<Q~Tq{lP$4f8pGfhWXRi}hTNaWnW;QmiASl0qR z{>y4}wLkIOwg8r>JP@%XQIxTaz_lAtwdkTO7~nSEaac4E;2N3WLRQ3{MCzfF<Lmax z%jHaJ_A^1zBQG|^y$l7ZuzzG9NtK;SgqBWn=Fu0pg%$fw^u8O3;oe~QNC>AT)h*xd z=?fJBYviG}!=Czfer+yZDEu#GEKhpuF=`(35yP|1J)9(5+%{?8XN>bEJ`5}ix7DFo zAa#8*v%arNc%LC8d`=oapM61a9b-eb3aDQW`n(kEf0sUe(|m<5{sjg9Rr5{H$nalL za9dr<DO3D^X}+bGb@%et-TVA3<?5?svKkVrhI6ixp!(Gd(EQQjlzv_}ANi3OT~{KI z)Eo_S^nAb5ax5S;@dI|?W(xXmeHkM}{}QM1&;NnKfFd6bP(mp_8yRnWf7(DD3g>MX zI;qEZ=DreIB%5K^qBAksh{r}cHK4J2b$arl4+r~&BM-w5vlK_#n?okofVJgCP8xXg z6sE@uK8w_C7Th|-AQs{hTkO{ZHl#qB@>*8LlUf5-hIf*qpHz<`Kk+B1T2~N!IjcuF zbKj5Ajr7jr5)h)bAERC%mQAVSg2*Zo0lLQKXDHOL5p7ULlW~=TNGwlJ=S#EGPD9Ns zm_ZZa%0!KJF2AJ)Sa|(&1@|7tHLr*Z1>HnXMdFI-aHDg=<&ZM^*hOL>!Yn03W^bIq zqM?x{>uy%kjNJ^4S}mC|FH&-MgNms^K1q)3_bS$7C!L21c*~lB!|Wqftk^VHmB*Lr zUQXZBCTLL*z3Gs4pAurcGBPngwWl{MQCyU&)62b&M_D&2#B2=on6gh}<YPwHf%#z^ zTb8ZtuTEnvtb1t^@f+GpM`v~zDR)b{8cJ@N!7VTeuK>{$RBFx;5<J>x&wDb2n_0%9 zUO(=%DET5gsj2E_(%c|QE%}%%qR3N~{CMYNz_|r=gip^M{%1$Jq%rbdB^UNg%0?do zuwec|Ft}4JD_BZE#LCa1-QQrdol?oFTI(Qjd*mMV>D($Upy4i_L)W;|Xo>}-oQzRp z(h434;zHCkkd`%9xrQoLXhr-$l#HAuIWP<8gO&R**+yW>Hovuwk6X1gkuBBRe<Fsb z3QJzdURw9~EP8gt8|&VV+v5}cNkf<P0_uHKmgcZ(EF$>4`eP8%y!!-_yJ;d)`mZpK zGu)J%Wv7Mn_x<3e8y?;4XHD~M=3t4;v4?#+I;q`qv<%s6C;H?KZc!3vt>emB7>~=c zyI5{3L0%5Gn;n5~_Et4cpVxg7@RyNNTLb!D&ITyg*zI+I8Q!!!zP^3m&tyA|xuUz< zL#vaKJ?t=S5>?i8#_6{u+_Us`mdUy6bA2p9D_+y3|G<mev6_p%*=3Q7Hj75X_~FI9 zly<7q)9*4ZkFB32vXYiv&LkL8b_`G%`>aW}a=Op7Z}rJhnmgC9$Xsb#-E#?osKfFt zB^;5cgZWUb{f|6q?!@$aU^-K=aZfy2vljFPiBsp2vhUoPvajS+m-6K_DRAM8(qw@~ zO7nJmjWMh>&Anmhrjj!y;=9^I7;TbdwMKL*xWLsFoI^J?oBPH}1#5v-x-0VT{w>sn zg7nxKNiP-duY>{jkij0oUxmH7R=AU&{Jmd*i)TE^{~Jx%{%s`1z{tY(Kd`<zZL-7k ze5#q7(mhB|KNPR-AhF3Tju&Ek%Gs0>Nl90QQ+trKr(f0T`4w4Hs4#94lf~mh^1tx{ z;Xm8*Tx83}q$a-NaXca=1aUv5u;EGx4jc|eVi4u)?=Zghe3;a0YRd^-(Dh22X+My^ zkU;8V$ouMAuU51i9y6Ex463p$-cHUYCLSN<LIQIw8G&~*6V}6YTQj|XWP5N>`@E1N zN?dJcR%6SF3-obEN!c;HTM6bmvmWTC*$avoe{0t)JCnBEMQW?q+(#?M)Z`o2clC5| ze>=PU?2mq3O_nBFp-A<XJrGK1-K||&a)HWdU0$fNRA-kc$$sZ5;l5cYlvFNUPh9m% zUGxI`ANgpeV7YChFIRJEwBNdF6%-3{2~<{tuWMe48uaavnISwALtO1*n9*19nAvk4 zL?NcOcF=A-kI3E{l(}ukTTTG|_RBbWwoPn}cTRBXRD884wQS^Wcg{Czp%J-a8|s$^ zfrnxE$O1Az-evY4Kwy3qCJ8gz{vw(Szd4VP7ypQ4ET55rggmbO<{|V})DbWtWnZ%b zR7DrmAD1y0KK3EeQ-B~UEHFu=F@1>HPLo?5oEb9=Yy-&FjX_h8F}lZeWD)n>$Fzmi z0jsGaAj<+5hLhd6GT_FpMfIiZ*%>fFg#}qL)p79U6i&b5^$Y(#49W-4Hi8@84_<GA zf6RksF~G$~1EcT%^|cS-GkF9yrw=SRH#g>O-&ldF)!msdQ*i-x;;LSV#@;qh)j`OV zJx)}{?xQ7e^)9$Bf8i<v=O&Ib*#UA@CP8-a>r+Rc6=jE;o(By6jK=_T^VNXY@_2u5 zTUyUXu3ao()POR>&ZYu-4-<gXbL(i>8P_QcxvRH-nTct;68$3|FzdWRnaX!llBcr% zg$(us9gj@MFAJ756z&CmB(DNd5hZ5!2yK=9?R#{9>nIqa8X6Zb00-Lg<kx4q)*)WG zQgepg8F#L;oZ$f`C_ELh>2krUse%}gtTleoFNsFExjZpZlOM)3@=v!*z0)?gf2}N? ze*0AHx-Cdcc!EC~?|OrSKML$UCI+QdLe=%Qy#HWSkF_B6^3NIgrEM{9e__L#i?x6u zflsApw?8x~(G{iRl&&A|o}LnMLsJ;=lOjS5=!!8dA%x~Zx=zrFb@GD#$(v=QF*td` z7hBT}b2$9WKLr#h*Cqk?l0F>FGqA+&R9D{AVcSt5rKrT|2P1pXvH8SO*Rl|XiEYUy zP%(KPTybHim#f@@b6nO#=-H{*Sh7FEFlB_~f@|;=V-dx=Dnd9&p0uB1XPFqUOJ}s0 zYj)CMl>TEt*}CKA5Xbr~&&Cd6VpjNozCeyqI)89<wiWZ{^q1FCeTyQMsx3+<Wz@6U zZo{+7+M?Q2?anCkK+maEe^KIB&)`;}mM_R;ijq9%lIF{%v7QY94aU07vD&WGK0S_f zC1i4!NdWm*v9)}=S26hmIrvQNbic>-sf(AZ2Lsqu>(WN2jI~-%32%Umu*dFmG?y5# zi%A`)UrDU%;)fIxGK!F5Xz%4`!x*qh8swW4+N!@%2JI+ap1XoLl#|EnDz8X2n)daz zQ|_*G2jyFHcL4e(JQWP{jpL)wC;?G2ao2tC`=gEtlLZCWIi46!dmVM(=<*kkYcJmX z--h`N|5eKOf3C7)W%-}@4shCG|CjH8p<Ow$h+M(1-ftC~3=pYL{WETe9_+a(nz|%9 zCrAHv_tZ!xS}!sCCcV5qK2e#H^*O%atzu?g5QalioOekdgB;AzSK7aUPioIyClF<L zi~up18pCPC365leR0*;qzziCt5P5~ah{V{Q2(gMDRPuxhW@lZEI4-_czg5#)1lS2g zZ^j>aozw|33lw6=kC;JMBd$z+A1i3Re+XZZij*QO1;{jw{Y9Ie)ED?`y)MugVxVI@ zK#hc~$}d`A2Zkk#M2|ok23efA8G{tjP|Ug*1*tQyf`H^V*;HCPurDQHSSDmiLMI%u zLS?l8tLa#CK0;yuWU~kpUYBeSvL_?Lio`#EpWP7%Pf0xM&Z!bJt6t=}y8$G6hC@mI zA+VoLC9f(<Nul2pUCXSRA2MTzEJWfS5?m!qo;HntH8V><TU&tyjD@c_VT%>N!6|l6 zVQhNP<>K__E6)O_OKvO{9hpxkyziJb@DJ<y9pxc=g8;%H>pBSOp=C(O<QLUhzBsBc zUW8#K3_$UlL1wVxw(!(-qhaxge%2(Z8WcN?-oC!AA0~Cx6m#8(h8#Or<#2ll*7z<4 z>6}@Jp{4T;zgD=nV4Cq}(pbLZ6KcOPscafMgLDN{5P2IsDp|M$oJxP;9ysd9h-5#A zCIupLFF0sw!ATaYT#j`MU+}6eB*Pa@%kSH1Zyw-oJ4N`w`!QW_*ZSAp;O#s`YKbDJ ztk{A$r!2UW1q$VFz|H&37eWp<<mRc5o&&?F9(O1sB-!6*04G!PgA2eMzlmq;GBC7W z?zr8NN;dr-@A}<mx>2FOe_H5#JaAiTNA%$L4|{5TKIsocK3%u0a{&kc`n37EOn=(7 z@WrBcPI~j{PT`vCetfcb+4*jLW9f>y8L5xV_x7`1<Msx#jHcf(-PaP#9wct=Ko;zx zw~zfll)Y1ME?w6(9NXBjZ6{Z3+qP}nwr$(Sj%{bhww>&J&+{Gp|5x?i2lrdGdR8BF zb@joTqk4`x)|l`|9Wv#FbC!kPUVeR`)oab^uC#VX>cw=%z1W=eBy=PU#k9s+V!ETD z1Pos$`(tZ|gX(o}eq<Lh*3G`28+a$D{k{A@uV$ZzcKk7)nk8>$pXt~7?Q?odUwcw# zg}h*CVvVU<HYhQX)Eq0{YNcYd!8hkMf71;=Pq(Xe2MWLU4;uQf5HUW7!ke4#`4#3i zHs<j+o12FSzAaXNi#A3&h-I}Bbs$i8PN3Vh>~TK44wcR$1`+A-Ie3^Xiy<AbTA>#E za_Gbjh4AlJtuhjC*>>#QxTgm^J)EjDm}y{`+iz7e=y()379sxyv}Jb1HOWoXSchAF zqson7KTex)8rm$Q$?e{UR8B;2N07o3s|Wnb*1{`iA2~9SRXVq_-i%YCppR(Ky@50e zc>zvL+eDw^OAp&)uR|uewOV#A)JF10m1XvkcqU!Jj&+u>!emmYVW&DtX5(yWJ)BN% zQ5+Rnd^Wy7)1vj<^NXP&W*6~&hsr2akgvFbdIKD!l`FXvv}xUJxhXWIEs_eSyUMgC zv&Dk0K_mRtB41eci0bW=i89FBByy+rT`Uy;#kJffqsnzXnzWiMiAEpHkEJG6Iw2BI zsC-&!&qRK$2nUx!x-d_CD=(burKwnUWH*L7AWANaY)8Q#Br~o6fhMk8U*Rag64xny zO<tk78Cjz(Usg39t9W<}0S=@XM${EhD*540i)eKlmY||6C6SomMxq*ZygG1K{_WQu zP9f})=Ye^c(t<M#F*`&UBY}CC;EJjCWCCPfK~ndd`QaDCFFByk(px-FH0-iAwrJzn z&B7`=1sj5`#E+(;VkL|AP4QunQ<}OPZsI=aKhH2CZ!a)M5V08HJuvWAfn|dn1jWjN ziW%`qWW(Ajo#N+UTV5NEF>%VGX5@%9qUsfZXS0z?pWQCm^e!386)u?PUW{hFdbAWP zlg`L>9p38H+w@>`oxHONYfCGqd@@;~nM=vGb76zd-U{4)F8%oijxmMu<wKVo#jz6C zv*BoB`(7dp=EGtcRpVrNpv)f3>9J6`l4fb`P=xn@_8!3C0Bf#@be?dIL=^5eAYZJy z)9|4CGn`>lIsZNU+F2u!LpYtoFLyGSN4)Qx^P!hlTyMo#B1P;J0kW#7^K2k6$s3OJ zEEV5_?Gaj?W$HfS8C{m$w&$?>SMH#!QWIp>JO<wET+p0vZP}kI)HLr`=*Pu&n(CM9 zIweJULcoV?NcQV3?7?=vlXl(H)pxl2;a{Wc63nzePzXth!6L9xswFw?z@A>79+0WM zw_8J>+wW^H+H&KQlh9aeycWzC=s#R8F>=Z6<j;cV3%+zMCpf>fmVD`!(_+Tc<eov6 z`C)WprOP+d<XY)+t+csT+FUAZ8=t!Fs$u*86PoN!y9)AL{IPHnaVxxj5>DmVPhAG_ z1R8;!W5`!gTB(`g^>!;1_^Zwo%Gk7}*BnrZ1Y0=grBHrOAgz~{_N3@QVVJ6Ggs~6S zA46c8B4n2amL%eVFg)oz-P?$z-rJ=-a8q{5f79h~k=HMqUUg@23C`n)cqR2Yt)TCN z=-t~_!Rm;OkV=r=fW2;6a}dc?y^66C?dN2_N?ur6(2*@zbe2-mwU=Bgd|Fl*UvJgH zog>eCh4Q^RDvC_&&wOVOMV8G!&Z|l{o)i)wQ5h{3HdhYIDD$U@3q&VY|3nI6-`~P9 zLYwiy+g&(qjkK-QsZp{Z;*HQp{hGB=wzk%)n`WC}(@EocWxoCI7pPaU;X{2D&HRK$ zoIKxJI<%&+nx0TOA=a+0LJ`9WudUS?>)w-~Micc<=kH;Eg=F98?)iE56Gm7%{+*jn zT|*yk!IXzXF}`4lDQM0r(1=<<fyHfn;g#jQCm9fxk$zWBKzc^xr|{Y?luJdGM}4MJ zZI+x#Ok*e6r{2zL%P##*2EAiRO5LFQ#zaaM6T-lp3z5F1Wh80Iyi_S;8@XECcfzMU zRYKzhks=l&mBXs%xvhfz^Z3gX^4OgZ>gjWr57&(nvT<P~vzNPj5}{wNt{PwdzgNz! zU~ot^(_*p9q-$Tr*cq7Cga0dTsWKqQBPZXVV~u$1T;p`kVwdQhf#WAY`OHo>R^ADn zYlreJ$?Sap_|U{g_JhFo#Crky_<gIb{f>G<vCJ8^-j96B9~ebbj`knwT;_jZ&Da3! z|6Y2jB5S|J2-o|mer5sMT!lE*)S$dtx)o(~hJCw?9%xh<$uxG4YbyNnO*vt^)PmW7 zN|kit9iJjIkB$69^{zl+juAr~syZR1vP&|NP=c18Q?yyI)nct4on1p}>6?38W6&f8 zOFMv0%4;7Ui&v~~jxI?6(LHx_F=e7h(T@Uy1hz1rB%y;&X4N)vjVB0kkRD-BNBu;h zVvEcGfH1k^ZjtCCGbxf_MBRBdBi0d6k4i<dG18$9gHBImnjhksq9V#uRrFLF-2s(V zD<yEBF|_tB*X_OpU1@g&8GlrPn&cc4sUm@rp+ItnbFlCp+qfi}Pcj@Kr4Aib8TXe3 zfuVV34HqAoGqIp*C?adAGJsMoIpR6m05=y81y`Fq3=blwwLYJq*KT%U7|z!T(h)Q# zE<S@cfcU6-aLq=techQ<d0pysXD=q!4Zj2iZeLJ7w+LUjF$DkgSiPSTjIXmr$i<I$ zEQ<%e!t0PK`Bm?jhM^)Tj?>KY$ZZT#fMacBvcqvWgv5?J3tR48ERLG!ha_m$nSQ&5 z&7hP5&=-gk@}DhPn=;JT@7LF*o9ox{&)XgDNWVbkGA4~3*R591^+mj2q=`j;kPNE7 zxl%zCZdB%@ypt@>jVl!1wQ=chgE)E^oLd@B8kJvFuPL*CX={#cHnVDtUTEX6Ezb1? zyAyuB_j^s#^X8%O7&44D@NGAEo{LFZ9$lJ0A3eZWJ9)}n3NjK}{^5CC^Cujo(U|~I zgiu3Eq)sm%@CQcQp)vf2t;zaNvlp3}{&k@+qONV9E%DzeSOS|E39Cz;0|6@(x8$}e zWHWX$RZ^0shAeH0Odh}#ll`}unZfs=?AaAtzDD$?54o4P70oUckA8RJJRXm6EaoC& zNzxR002@;1crm$g%)}s0$BRFmp6uCwJd(QZ^>-3Nc?#;}OE{LJ@7pvhizZGalT$-^ zz1!(dw&`DpFZgU#u6-l<;bsqi^MgWcRt|C5vXUk;<i2}3yoPd7>G(NNA{UQ)vX)qj zzXbtNYMjoR+`R@AL8sgaFg!!TKM1zShcI-uQ69zNGNC~2VjCy0NC9_^`MzTE#lP$i z(Z76E1n*YyI^np62_;Ds4b3LM!*mRd%f=mtlejNTKt@5BY^kapa;)IKrZ}Z)#ciNU z3Fp}=nokYxfcP#@#)ID|sp=th4C6#8?v2uzX37(Z@FFR=A2?p{dGI(S)5@E1PL9La z_Ohcs7@>i!PMet$3dg8sxdJm_yjU-amB;LmrZz>JmX-2b48UN;c;4BnNjz#-wY-N4 z-Ls^oXI(BNZ}Oo=1b1u|;8@@u0>7igGUBUG^en<m4H5cLWXPcCi_9iS6Kg5oav~yl z<aQehye1r!&R$qWp8Fb)w*V8^Gcc4NZoM67g!Pr|0;7w_ffbb03p&b`%>DiWMmDq% z9I5S(vdt^b_MUWfREWb-rJJ;h&7+&-<9jI9A-E}kA}0PRe>-(Ukw2`ij)vShC4A9> z4AijRF<z}{zzO`-{c*%Js#Ad_w(WI_|F?ggk1t;aE50nhe$@ZPGoXJJ^p&-s0EiFn z^ZDHbD(mXx@p-0kP~YGV{47U~ezayz>0V2^b-6I@V+s@yX<x_R*Wb~{!%cUO!L?83 zCJpPisFH_RTdQ#)qUIV5{yoojXZ|tRZ&`6yf`o0Te!T8?XDYLDQ2x3yI@v1Fem4ls zXX}RxVSAwRDBJ8J{^`_i#1#u$FJHxJt=|h~`GS81qpN*D{JSh$W$)8APvu7tux{5t z1Sg)&vLf&{697aqomq9N+Qw9shh+q|Z#eHM@b)zfI%qx$dV*kyz*|5S1IdNrX4KSo zsYl+s#I-ZX3`3OtNa1Z^p6F9;MRQ`|Gf&Dw%61rBwn0Du7ou5tPM6HP=!=Z>g1}}P zE81MC0-wM%KC+Ndq<S>h66X2bVkvdln^hBsvVGm<)Jxs&xrxA?@!TpU8ST(-cGZlS zJg>MT`BQ?f*+jge$1#L9&r0XLtuoJMGZygJw}4n7r-UxC)$v`|&S-c7$TOV}si^_U z<jBSag!jg^9S{qsY~K2)YVC^CNoiaa$9yPW9QtUg-Hq2jt7W|Q{b{2OMfgIsQ<~D5 zPJFaBY!q&#)i!L#yG0ny+u^xf&>mX9X0Z!eGOlSgQq3Zqa)_V1IbAhgtW{k(sVp4& zWEB>R(L3{FyVkR%&Ccv(>;0}VBvfxxfHU%jVY6Hs8GWeDy9Ome{sv{uo?L}FS`8HP z%%BgDpi@yKK~7tWD;xv$T;!AePo0%6Me!po=DFj_8K-N<vD$7stKz%*-JP5Ic#WOJ z!D;Cm&b76)ldpWjB6NO6#$R6kvmyjDSmI#tM64L#93J6y1qrtcB+7hF{||V`_D>Bi zW>%JePf2V3ce2KR@DOPp13Cf=zlgF`Ue4Jj=-IA&6$ChGAc3x~RxM2j5BlMjg~vp? z?VzpulhjFK*5`;Low4Z820+7iN45cb@Ku$^^F0lPLP${nl)}#e%oU7?(qK4J`7}A( zym}-T!+_)OP&SGnr<*UDhca76>x|kj**3YX8rqmETkV?o=5^S{PhSS>Tj?*u2lBix z79s;oZV{Y8kWjz98uw&*{f6YAFHk}g#WSC!Za0KSED#>X+1!z%IcR(x;i1=iBtIm@ zkW9uqV49)`AeWfNPibm?V;NZJGmA658T0;pP!eEKWaw6W7%%#Q;8;VK0k^m?FkDdp zrjVA-Ohn^c%Y9rlDsdU|l6iRy5iPN^8j+qB_+8J2UH%lFf<iXuydi|TWN&U=l2(~n z9eov~Z7zCt@(jl<Mk5y8QCF=OHSNrMSxu8!H_K8z{(fD}1?a@DY4hpEAPD`S=@|%< z+#YzhGCr}yEZoSVLy_%2`ug$6p~%4OASfV;PnIG~B7*|eg9TE;S=(dkqkMfbXba|$ zA|oG;mGy-T+_Has0b!7|Wu-MU6_nX@jE^8@aNUxL*!Nsi)19fR>Qg#(IF{+zi#2AV zRYCJNmTi*8ViT4DgF9Z@ZJu5YRuE#m?ypT=l-0R1KRAIoMU14rARB<d=(n4flkJu3 z=SyVlVjxE-$Jqe?dsggXD92i;Xue2;$7Ah+=Z@qL$^+mEF6e4$9@LJyxw(j0n>*7= zFDqATO)N>WOJ<J!MQ{sG6mM7M)Df}O*i3SKRbU7iQq8;?r*0Z7$(CFSUiRfL$FdtD zj2z`*Us8{=H(X*m4=t%95NLf1RX_uk<BJ)Sk&1(e&j+oTXap3_CMhfKqo{)+ecp)K zFmmt#JLAU!sgZ}d*TxFvQaEHC#4_!EX<C4fB^uK-BwK)?e($l$wk(5RPj7H6!}Rcp zADap-?5^m^xa<b0SYJ};*Gl%sa+gK<5Q&{R1E(6OZ6EvYYyHWE*yLJ)Zv=oN<5jh@ zo_T|G#hqdA#yB^Xe^4_Mi2lAAP^~1|aLkxDSKp@uy5}?q)yd~8b|45!G=w78H4OyY zIM$&pm_R|kJ+#>~lWoJru*5D;-8`jc=~Qz?$kSB)%O(uOv;Hl>XYHZ}^dXgPV>P$5 zhB3)i^J@j~qS<=l9l~#(jQ(5G{L?o5yP(KbxI$t?@_=TOhahKPr<(-xCsWPuw|~ss z!fc=l<k}@rcNLnqU&ZEv3LoZQz4S{pUcbfdyMg2W_lg77D^0*thOEASHadJU|2b2o z17(Yp%A5QRlVpLaq2W*+7L}*MJ@KL{kE&uC%muS_`poeQc?h2hoE?v{P1x_sUkRBZ z1#2+e3<V5<C>;y4K(KARfu&M6g(6zJ>f$jT`6>z*HSyXs!50_^AC#pigcYk)54w@; zdt!XZT@~`GiffMpxtYBjuS<<0u2+j7W;Z~)dYrQ?s&W3HoeFw3ZgAYR5=q!d5#DzK zvDZ~Ki$$!vuAN)$qmO7W0_$z^bYyDraWY6xn|v8;YQpu`%1V!QfmWBJc7Rn8lX73l zhjvJ03uBjj3hPLSS;r4pai2Rb-0yt-jz@pFNg*^LG=U8vqE~pGU%A+Sf#V;N|G~eR zgOmB6PA38W^;n494Bh|E?GC$rr15DNvC_e@F;?5m-j<_zwrZc*mO*D4PA+&*HC~>r zd+A>@NDi}4qM;qACm_f-?hhD%CcHCzJoS5g>5Ucy0zF}F@CODM%pU{aF@;SJ8Tf<6 z%c1c5|7|fH-}vd>?i?;3CYoQ9jmm+fa<<I!KNeTC>%Zc+!+*)P$EgVy0QyN1;X4Wm zq}=B56WpsH@B@SL0*2hpR#)CbM!ZOL<p$2@__0Yi7MU+~ZSK>sDk_D3f^xRD*#)N^ zn16(K5DrJSx@*hef-jn?M;a@Qr4IxCPXOVL7e0X$dnMZXkV}QZsshY;3B7D0QU(tn z8k{npDO#E2>7=`T1dZXXG!R!SdG{ma@N7W&S?yE^)0Xh0P^+kVD)@$ey!$I}bCS{m zakH=qJC>&U<Dq^I(b9M|XPuiyC!&r{#9-^yzu@8{ic$`_h|TIUV314V*9tz7vn`l_ z#T&KqXvX83H)@ecu1Ql9Edi=0vDn;%WoTUWK+krO7b)pyh3XVfF9S;{lkQw&EgYIH z@^DX42)2`|%6(Ls_D4FJ1a+Ff6x0^p6EHwc2eC~LxINk$o?vx<OMGXb86&)`MvEGj zAuMQ$4ADvUufrrg2kBojMtvZ8@Uo^8h|-QY+TA?G+0Z?X$CMy^-2BPfR?su`nH)5c zoY!Z_IMyV+h;@~_EpuA*e##Pozkxb;$D(1X#m9UG;=a+b^n}unz5p#nD@N{J9BTH; zg^HkE%rnwK!V&b9>bwM&P7E92OlQgZFyptm;SE>2U!;oLpmmPy{A<6H=_=b5Wf0)g zu;hkd=yq>{q^<rUN7-A{1%;#hBA1dF6TPYA3gjhM^<sqIlJ+#|mNk*#w*1yzh9zZ) z?d6_UgqCSFy2O#EKckv^jnjJDlxN2cVAzj>F5Xw!UJY=gEzZ32lkRxbg5v(>S)5}* zM*v}Dw&2I5gsL0u0n^A(v~F#`<$bNfIcA*qLxWEejP2Uc48dEmjkiDoqap*1&zagC z6J>zCa<5?y=c|&X4wqnI$XM2MV?^}&V|$u<e1U6D(LMW4hU`@7MT{4etGZzb11bjr z#qjN0fmpZ}@Ifb%ni?8$KoRnX{dseyW^saZ$}pr1Fq-R#NIowsQ*TgJl;<D4_=K^E zFdL+iNQGqWg)xY7Hf&Nt7WqKUY1VJc<eoyeqD7|ChOL}<^5B{`2_>hfJN*WNA%>|m zTK>Cc9=tZelgNY_aji;j0ZX|*U=&LvM>ctd*fC@HXZAEPHB$)d8}lrgbp}>){r5a@ zq{zli$4i!#yX7H9Rl}!Dlzl3t>YP7(!%Rl9=9-TyEg4?e+1lo+?h`(axO(^3rcsNO zGV8VbBnsjhSuBI24cGR#AsSpb$DRehZ5qI59Hjo3G52bJqvHlasaunWD9UQh!ui%B zrll|XG;&5mIWhaq?gErWqSGJpF0`2!;)=6iOq-k|Snk&Q8FEtz{*t^`MQ&RZXVaMr zp~gjZ9c6+B-F#aG^SdxCQclL#VCPQQ_HAfxNgUq{e}F!`hj$42BK|Kb+A})Q{{%e1 zKk+#1Y|Q_j$4QfS&LPAcz4e2!TM?!t{M+4@?3N|HWQLeKVS=l+F|3I}Yn1HsS+sX! z)_idSR>bqQ6aFfS<N*fd^V(O_Gq(!`fi-P}61)OI3Py@K1Q<3@4f5`<TXpXb#(b~d z+KZYeE#eD}JQo}9SCgXN`lgoNfk3Rrx%E2!er`|{2ST)>45W$`Y<#>SK%$&^gBM_& zR=VTyX$2*MFVtLqvUWKAen==59!r^EGR?|_CW>GIQOwX#s#DpqD(hy)V7Bij9vJtZ zG-WY})uPxpLKBh^ezclD6WL;mRmn<cr{8cGaUmOt9LLG3Ry>9gXDmK-fca()Pc({X zvM51Xq@T?an-Ei#apqQ#Fzf<6=(pglkISVrTgZ6^)ffn!u2S-`ZgEadcf=J1tJ~;u zGhRo;YU5P8z5F&2DHS960VjRX)J>hT>oO%zXcvs|`J45aZl;jGtphUTfoK!-jkdS! zzT;XOy!#S}*w)9jJF+k&N8Q)(?uI@Uy$jsF$hqZw`KKrI8Nl4if$}IEsCp2hWoKi3 zWDDfAvn=R7xYXu_R?`O*YxaiHww3SB{}<3B*rjW98A?$tj>e<kyiq%=Bth&$Nysvi z8Y6jCOOv)kuD0USXOy!H7JE=L%^_x*2Ju^Xb)t@bmsF2opE|^neQps}Hi4&F>d_Pp z1U0DK5F%CDvSwAKh(o5;hbc0G`$9gs!mze#_z+Uz?ugt`G2>@}SPDWoD@PEk%s*h{ zLT2UHZsW-WF0nLVeY%{IZ|Lz$B^J_l?WXf(@NtA~Qf`ke`#Z3!!x1eMW9hjo-1u4J z^(iQz@?Es>iUcF%b?p~Q8KW%az;H_<Z1TZU=nrUJws_}1k(B@19fs-uZz;3=`-6JD zTGH`<Mv?n&>-U&C9lE-^E`gySz9N!<pba$m0LU@m8;IHwjn*}40pGWeE3~b8lGZa8 zf}hOWq|qZE7rI9hl*$>Tn<-PIMDkH&p;Rcd5P3xgvW`*<3|lEt`tqpY{jk<Am!^|c zdJ;*MBBPCRrKCED%8Db6vN=98s4Qyz6kDWd6hqA+i)h9J@FL1GQtL-lX7m_BrcpV+ zlL@1_P?M-a&)lg>nE#|MrBIGVf<GjVA6ds4Btzr)E6uJ~*uxN#b|c-%gnq-lIo`p) z-7C`mnU#a9k<<YOXPrEzbZtU%gcv@d2AwsjYcW!g3K}OfIvmC&kD|A{hxZF{q{`9{ zIzf5Y4T*ijvKdd+VP>y01$Bh5G0Xv8g9TP*rc}%*$1PMf%w)#1M1u$+21|HQ>`dUs zS&tUcD1FOhMR)ogVnC4dYeE@$A2twdMCX1GRlFT*dHkp-YS6;Y)*_Wnp!=c@nJ7%` z75wXL0S0MEld*>KA|2W*%!;)GIF&+nB+_&d?i(7v`07Dmttvq-h8$KL^kjmV7Rv7z z9z1E|nH783Tt}8{gJbNTSn*yu8cus87W)`v_yqG)31g<|fSN~UXS@~ADG01!$HY1w z0c}jP9_61M%(!EN8D0fY0JmRgeg^qnpr-5w*$6}tR~uCr5P1}1#GS(3sOOadfoO$6 z`ToI1bM%n<k~DA!qc00y-{+jaA!jy;OkV5>)QDd1`+4~-1K;PBqR~KTpm}HjL8&w$ zafcIvDLG(=s;q=L-6M#~$Ccd!Of(bgf^&p5bH*+*esKiNJU%MLM$O|&vW#g~=2r6K z>*K=B>&1qPCtO$zY~nudRDw+cXDjd&tCM>`H@x1y?lRhsyEg|x-~ZW%%V*2KGxr9| z@AGmF4<n7>V`N{N@m9UP{@&$fiveNxX>HBk&dT3++G<Ss=jM9lVdR-%X(|8}cRPRS z)nnQz*gH{eF!2VsP6dB2YK-R-_{H5~fVm`@wZ`%V;EA%GUm{*|`T7i{|Bc3r&)478 z1yP+o#&yu-f!C>Rsr}fNW_xU#YP)jykyjz!hY^lpzq)mJ->;|peS2^>@+^DFA)Yw+ z8t#w#*YoYclm{OW0rQ01xL<?@?Ht5S5<7b`7Ii36@cC7-j<K|VySA$*&p4s)*U{<s z_;`GLYH#Nc)~4>->Fet2`aZPiWme63fnCy;_=r-XXh}(y>Rj62b?}<XHP-2|(aK|9 zzw0=g!zXFcszV~RrXhr5Ev5voxtes)AjrGIFK`BhD5fP3h-)yD1R&fem!vgb5YH?& zImkwb;3rf>iqS4Ba=fN<S?2{~fVFZKt9fp=e@P0Zx7=x9OSzW(rV+mCL1;4_$y?<g z;CG^GPQNuy5`z|ZXBTgjS7y^OK3?4Bqz-RPQq_D+dWdM$+LXT#+1GHtDQydZk(N*T zkY8pSLZ0VDzMS6CC}Z{xmNasv`jS*a)bi3#XOx1@vZfbuRnRCE&4KHd(lv|T5j8)< zjCDKE?9EJL4ljzA(zW;det-FRSj>O=Q1b8TsRls|eF#b&ItO`2n7Kt8r<lKEYE4OY zIU72S_<M(jr^RG(*z$#Ji%FGVMk7I7$`gB&Lwt)myXwK)I-ZW0UHWijR++Ov%Ucq- zHFq}LSpb9a4XEAXF6UI_kyIz0F)M#Z=i#7u2jCHz_&7{M5XH(d&z!BJJdU03v@K-> zoC=g@Cf#2>E=hJp<YdV&z3&;u%QBtLe@kAMmm=~k4JvQR?`+Eae{0pYwOe(t&Cd2R zYy>B>+x3tFhkxU3VpN{pujzg%Hs9`xUG$yNuifs;<**!wfBWrxRNi*i4Ny?H9En=! zVMuC5I-o&LPD+{@kKWwB{YPiFAk1`%q!nL`-kQWVQkz7^AF~-Jef6c<@PrI*H12E} zofEZ}v1P)7f~1s1gqQ9zX^=3?{z$AhlC`YQq$;OFD=gNXb{taxXdgeW-6qgRA8>ZM z0M;sKB@7Ag;?hdrNK_@R;l0tAKE?cKZxLbQe;DFgTO69#?4~<Usz~Tk7TRbDmGV8W zV2DYvJv4D-FX5sO5NTnJiSIm@l4J^mhLi+tElxPQ2~?g|=#N9S=QIiijk*dpMPut& z5h#F5W_ub8mO_8q<@&YlSS16jY$9d9KpJB?foChv>PkD5p{y3k8AonxQe7=IV6!Z} zyRaaX)%vHHi0p}^iy=!R^Or+)=U}4|h074O_FkhHou@b}=dkfsYvF_dD$2D@HtFVq z`ly;0wzMwe&cq<+QJA3A;Em#8t)EC|U~wVy8;(awNQZK#qU@E36*+H#rv~S;qW3ho zoP~E7{LJ{mtAo$#%NkDiU}8$F+PR}8yF+9%J=wgLSQO1;m+_y0QW&lBc878A$K2m0 zLXYZ3WogJyt(w;=HkQ$m9H87`@KsVTqz!?AlV+?qpM#OBPC6M41T<lN#DW$v$ky`% zl5X)h_YBzXw{tz6^pkw(*Pvn;b`{@kDT>7LFq32q_)?Ty##b4OjJk7Fle{@#m_$o` z4mM!Ihn1bDlnqMgsG1e-DFuJrZEb@3XJlR-oS@t-4b(56BFJqu;Rf3S-n+ye+FP_x zv2z5y#Sn-?{hixT&>cMV0k(L>CD<Q(Sza`j1+#|aYJ(*z;Wzl4a0<Z98R>IS>W}sz zj^(V34Nl;?u+hZvhJ*WPTFSasD}P>U06Z8n+xGjoyEk3c*U;ifA1hU%Q43{9i*#-{ znptje+;rEPj+4`fdj<OgM?DN#1J(qApIKu`*7~SY2&an=S}tsH-Vg{NqW+JqK|M$@ zuc5-flu%Web)&UQt-|L5RZ6E6c6c4WoHg!~P*0B9_F0uTs9;63xYO$xqp5}Z;pl{u z?iO1N$^Wo8z<`L}?vu8FSM@O9#(?V5)olDwF)5wZuC99#R1I)U<^?93{dCW01F%Tq ze>4sB0U0Z+qnLt%rYP3em5RDx=&dGL-ePgnBiYUHazw25T`W0V7I+hk4iKyhjmV_| z<5*Ej%i+V@Bx8cd-Q&<<q~ctsJ*XKrZ8fb=rQu;q)%4Z=-fGj17QTZIe_u(X%lnCX zgde$gqw)lXrdg76OK8quQstKnLo&XtCndRt!E%XqHC=Wb#DB)JX6ElbTjItZG+QQy zbx&xOVw=hM;#c_<P96&kr+vPh7mQm(nkO>ni{8AWn<We*@7DdR@e5=5SV+0z)dug` z?lfEEzpdW(wx;(vg=p;wsPf(l#rVJaQ~BP1)VxN2YIh1ZQhxsx3O?e|3KYBozWxD* zgIYQHhsubB`JX!69RG_B_mtfhBT~;LjYmm<#Z>!*@n#FK5}F0-?jKx}%(lqMB<TsL zhgUMu%}Tst0r_qXI(M^h5|kD}ux$*2(~)q77-CQ{rqB~>kywy2_$)=3C}mdtLU6n7 zhx0}iu(|$pbdpU4T7hsCl&^{Yn=!w`%kNdT%BNNn6z$!OHlI9xwEWYN+aL&@ptCI> zW>7jbE4Pt@%mUT7w*V-I;)SW@E@2%9C|04JqVfZAL1s%3nNilTo*<}VaEC&TKZc_T z%xG`4jrkQyLd0uLi*Gp$OMwif{`b9c$pVy^R1`=-)OCWA$pU@P)xy@{kHDOIQZ)h& zvD9S&(wT8TCNg?Cu~zT0Y1j9C0?|^Vcz^t?zg-JB1S%5|0;EI)Mg^e5st6O2iGg>* zR;Y%ulTd89FDdAR3NuH`eSEgJQa0-JMz42Tm+!wuTkU-4N{2Zbt?oK%$DX#~8;2z* zj}@PpT`5BNMlfzizk1KrIl1Ku*9p2}z7IxiC*8u`Ts~Lz%6SFGV`r^Ilah_@S1F<0 zGwf?CyG=GqW$zi+RVPPl8A6A@4V!s?Imxqd@*Ve+e;2vhDHXnUo;x{hv$_Ff^*Qw) zu-azU^Fm-v+vOUY$3`7;q~OlGek{kMa0q{^1qBv<nD`cKe7U>T=yK1%=k+%WA8z}( z__~{w!q$tWI}<k7tl4gzu&t?!a(Y9ohSx<thSLV{x4q~ZEaGvvXjXhEDFR5`p3w_~ zK!{HK^%7s@@zrrF4kDQ0wN8G78>FB3b6Z9J{=?p6`zM-`1@P~+uo~L`r78X9>i3XK zMxW8AjorN$)U+(y@hTB*|4ULfrV0ESSJ}|-A6uUVB4RP*!mgCZwCQv9nRTaUM_>m= z;G^~H*6Q(-mrN*PEpv2mMI~jGfD&XP`MtvRhW+c~<FTA_bbm#EA!!t(IiVOW3?#h& za=W%F`|NXNY^1w-q#qWf06>TbC6{pIm|%~g-+yQTzsnDS*{A}+-=(@0;20+GD<*pH z@!%HRP0COt6e}xSIT4gvJZ5b99J3s(aky&zT$u3%Ml>WujVd0nNrI3@E9Q9h*B_NG zvtVB=wQ9A~cY;od!w!+#RJ>}s4t6DneuBMg{+cLC^bMwul-b6<d3E;u<Za@&$(mcM zX#Lfrc&#=^zPdF>mw4rCY4WFVd%M~2;B}wHbDhExHOKh+fX%P3Oc+CsOW##a#yKhO z4z-s~`{m8J&8@CYd%N%G?77RKSxTGH9}%$dDtguXNxzB<mI}?h>XV3`)z-<aL7XX{ zMUEFu>i#n=qRZdF7_`V;+X|-=a>y8Q)wi#vI~P^BTt9Ho5;1^eU<Yib-*f{UQX^;j z!lzz`9^dCf#BW__>sQ@+Y__X6*{Yv!1i7kQL-jG{YMP2F?|U5WXE?t)`WuG)zVq(- z4g|i@%I~sQu#C;r;oBeui6ZrraTv|55%~jgh5rcqyadbzWFvD2Y412*^+L<6WG{Lz zE|L-x^VGno4kAooy+UD00L678H<swQZ0QK?IbW=Qj$+bVrykm`?k17!&lp&xuhh=I zik_5pYe4AE3%?smQblosF9^_&>c!x6EngegWDtW<NI-E$BN^u(BeB&w=hJI*Qb`E) zLCEvahkvl~p6cItG<e0l&)@q8Sh}d4{qWS1>)fKEk~Tte?xh$3cti#j3@7%6@;3}K zT3sx!oYgmu<*t4u;Yte~KNiWms%FygV;@hGZ&d|0fn6-Y{awH~)GyvljjMpV%^MUF zOdvhSb<1hEqc1WL=*<f_r8-EO+wa((7-=C<D$0nnc-3s38PDBhVPYvAJ%<Oc&5{$q z@hzX!ANsDkn*2=mVL%QvyESK?cYgajUSkc~)}Ki$k+4%{r5^>B>})bkZ3Z-l%1pY( zZGCG<=bR-j62`&TxDj`|MylFs@BUft2vY@L-25<6Jw}Z=7BR0`oBRrSl#~su4<Bo@ z)U{hz)e|byXhqY$i=`P(NPON|^9V%c)5=X=rl)DGrCr)odnnDJik%mMv`MjRLNI#$ zojm^J1iz@IyUZ!yL?xIpC$EssomA>T_<UW(E#K4nk!P*p?dErv(F|ro8*Yv_kB;nq z<y*ZegORIV8PZN(|6Ers2RZ}E+$G!~04RL*Sl)kkP8q6x_*P4`eStD6f4)nYiP?O; zi_j<*R@tpLW*mu+beD-mu9$#UiL)A?cm_=bA)|uEd=nacfV?53?BL<u5qRqk!?!P> zkuV8I6FxW__WI?v%G48`rZa5bS~!mhJ&`AjLk&RLYYgN{_CzS9;xzTnd9n8zu)SJN zF-{cd)idNrg(tBKG&QI%pmbSP=+f2tL}9`<bFG}35ruSV=;8cPjB&Uil*@j)u2Trh z9drK8xY(wtr*3XslfEDkgfd7tisF!TmYmi{Ye|KiAh6Douu7<yA0^|AL1$`#-4h)N zdoO+DY#|~V!zdR<%}e2Eteh?{JIDBhG}eMhN6x=w1hPSz>I_C;{m^0pvP>jCpa%(4 zmVYAvE|#QQB-9U@n}ka;y0k$w)e#xc0;{=SJv|pf>mQcjYBZWYbutPXT!586RnD=U z5;%v7j|3y{4?4b~ardL&l5qbI$juJ;2YU?8e{YYmtsxt~CH7z4+_WNyRhaPXX{)F* zp+I08)4VVWn4Wewy494nwp`;+UrOn-)~4gdHf1y+1w3um(cxY1KGaIA(DT&M*v8R{ z^&+*9%hB?c*7;e0kcytQL(Pg!<&J6f!^Jg0=a9{dHXoUJA`7Tu+OOvP$*umVYx*BX zZ<cpY_ILB55f<w2J!oFA!(}60&sX3TCA~gHDBR$WSA#A!8%)xI8ug3oqgQCRbD{*> zw3%Y*)ji3kyp(9L@xB@5BoGigC(q}s^Wmi9ROo{z19h8r0{7>hom;-uTF1HCRGTx4 z9srQc9_%ll<#0F&<~KOLAj;4V@mI`n1Yn;tW2)+=G#KUao#GK6s~YZXm_~36j~JB* z&<;c0ZemMkBTDetk3O+m<nF3&k1qZuN1lpemj%SgES4a1=ay}iZiMf?nu|M3=HyU; zVgWN4q^GrjFZV?2>}|5W3m}Q7y{QY(VdFyz=z=oR*r1&XDr?5yZ9jim%qLH_s%q?# z<ig<6^@b?>kQm+Q{c?9(ZThG;%{%*a(JzatqD?=CeAalk#=QF0?F!)6rW^yDt9lu; zSC)xGkmM|_^wP@MMedqZ_2rgElhNhF8?t?UyZdu0#I$5LeL_set%!i0n>p87T?E(g zZGTbuO*#&&?q=r@k%_{pVX{K>U=B<^5PQfIAFIk`T-Vn-$8LD?7D1ie{1989>a|kF z^Gd0$ylvH^N*x#3EIUUpMvv!-R6>Yu&|VbD<@Dq7V$K;4vqc#EX;@>AH^xQ_^Wc?| zIS1S(nMmKLvHqQKn$(lSJGvE;yPle?gvQ5whH~2USX`IQ>MoKShq0Rf9fO=aACPum zhSBon(&;x<Fk+V?b42OTG}bGlXEo2Y={GrHlI@fkK@*Ed$w$_(eE)+GH${PmgD|xI zDj@sXw0vY>GQNjgvEku#P<cJmy+u4COA*p!3`Q1Hkb5qkTd$TqGV<iYtR|H?CNZkX zSi(RpXd!>hR5bYuq9wROpAZI7c$?_8l8@y&WJ&Qv$5T^GuJ{{MU;~@+ED!hzZru#i z_%WyZq;E5oL$y%`klNh<PwtqFBg4BoX?xQNKcDY~y|EMwp@FU{rGa-B9Hc{A1EC4V zi664!N7A(!D(T0!C<bceGkID(rr)~WC;=;-K3+&3yA#!nCH8}eI3QK~4=Mehn&5w= zGzTl||HAP`);XII>AzCg2=gdvXwtn5a#=GcE8E@081dgthEah*f8u_8F(d(_!MT8B z)Q@%FZm%o8$O3rcGs6d4rgyJ7N+}2841s92D9k9z5#j=iMj?5<#Qte>Wx<}2`18jD zN1+^w-!bk(H;+JsM1nB}L<TUFVDBlzfTBRr&KZ+hRhDP0XkNQOF(4t_5oA{&;^CUt z{$wq!(@s0L${n^zx!Wq2cGc1}uKG#jKd|SENRWjF^jgD=vAV2r=V%WU!_q{@>sxDG z%<H=t$^57=Cws9L2?oE3(O?2e_87P2^75dyexHzl!6adRvy^FrB}zaQgUnFy)1422 zSzzvgQQkHHjM-zms2^OgJwFrI6=Ot&_$l0`9g^-0ZG5NO@aC4WlN4jAmDy;)la-ns zJ7@6atS8G;GLZZT9b|MOTFyOmH<gucuG77MqVs%4Biog1H;)*qa<eL1^0nBx<lRGU zuKomd_JS7WUdmXRlSy-XC?eF>MeEe&<UZcUp0HGSvRJtmAN|U&);>!QdF)HtQ-2`k zs@?k3L9c!Z;rQe=jE2F5V0y?L06zV7iedZ(KO0EDqiUmPUZr{ATbuTN5wfVrAUs{Y zW)W3Z2nulWASb}!W%vw82mQ`dI-vSogH_dw!_t`w{BwS#1%bdvFm>E}%3;WN{G=|r z?DXhXa;KH2ol390^5x4g*88oEF`>x+?#qGej(+wiSa_R~=4q(a(TxzJv0R`2+avmS zBq)H%b=%cB@OMVPbcGQU67}812fiAlkSov@Ytt;yOcw4XdIq332(Mbb!Q=_%m)>(# zbG1&%q8(RnP-+!t&7ZDPy}_>pv7K1Mu`dtd*3x~6Ta_(0w75x2tyJ3`tMaiGuYxJ? zD>x39GA-ATl<Jr0X3Fi4E+^_bldM?ldc4zPVCRH0$dt}%q7$oei^q-EVT;_n6}yhT zBBaS^!&QEY!A3|#ozoxSE-9&}|Cu<PjQ=3i<@{e%*tHt6&IbUb-bWgj7DS7u@5C*; zm07hJOZP!K7EvZKq&1{$Hgc-J-)$z|K@pHB^Ak-gi<fr1yse^)$riB@{$IRAeb96K z=E?H;SfanQN6@lrky>F`j1$YyXyg`bBJrDK-w*#<*GaH{QsgU*l#Y{@y{AYfq0bm@ ztv=fJQbp%XUNPEt$9=YKVEBGkYj=*ShEDa*^~wCrlKq>l;1EFg0VBc6E>w76`EZw8 zK<45H?B2<CMwY=xL=S-IFX$C~P4=fCjiMSR9#^EzA~MAy*Ks!tn9K0&ry?Syp}ECn zK@#L+%ZxV~<|Z1T!8$QyoWr`sY(pB|+tRkL2mtDg(7jkJYaW7XDO<P71Ji=tjVs*h z?jGs$^?{v+0=7;B$v}>)Jz~0(Pgmyp#Z(M|nhTb$C{q&Y$WaHA0s1bV!CyKUCa6r` zkWz%h>g|FTYWRfRgueM)<=rM+E?-i;*`(28s_VL|_F3iO`<bbn)Y%}|g=o5~h*4|p z-tkCF{3Iy@CL8*Dy2_Zjxq4iN_C$<~h($(p268+H$cyli>B*FN7vU><8u<<cL@(Y^ z({LvFC`&P#jr(`6j2RvT8L@M>#;(McL~tj;>p6?Lc-USAI>c3QuDj6=ew&>h{k{nF z$wH6RzWQZzO?yM_K4pT8AvBE>DyV=Q8oaV&9eq<?Al?8)pqbyjEZn#Es`R)swvHv^ z$_p6A>M_q}3`{Zc%eNvtnpH4To$iva#h*4uZuw5DZ(zgTG@k?P88iiNN)ly@vV1Ab zXS*30;B9L&F!(E~$!n6D!3e7?2QZ2NGX)7|a^thzbRZccdJPl<vw%ich(5|}rBFfj zakKoX;d0+$9ZyAeZi-nL3I*WF;#W!v5*VCGBz01xSMuYQbtLSvpr7!m$%*|MbjgIy z!L$v`cid+-S|~}-TFwea?!dm1+?aXB3$trD31s!pjMC{k(}J$?fn1ssZlFN;JDy2? zqQ-?=?#|ZVLYm{nVKTcdXv+$;1#Pd&mL&9#@e;H|Phj(U(qw1yVDMleBC+@Qld7`G zdmnTzAeR^ri{Czapy<z_V`O(YL|?7Hbi#t);U5WGe3je6_iH`rVcRcbFK*tA0sHM+ zvgc`m33<+avk4Diu9_I16ol`N=n5R5RvYrY++B_y_h33tc-HEjW(!@W{4JIFay)t~ z*|NDTnY~|85X7c9?ii&of~pK1KcdSTiGSUWaB#I6SB6xCd>gGd>HKgvEP}Vsc%jhm zE~T!-Zv=OC4jjNIivdLr5Lt%sq1gA}K5qo?+T=$6fE7&t@ZZeI`R}d1YtyBjivdUh zw|~)b_YGoqP&%*G$hFzZw};!OQ=$WKm4h2G?n+*E?Ma}=1_6%Dd_=~T`TFhHF%=Pc zB!Bq-X6^g^2P!a{8QfDusHDhJ7mU!Uu&IO+Oh~oR7L0XL<q=;ahwl$=P2@zX9B7eb zPgM3g80Dcy?*DprZv6V3q~(77TWI~#slS_@YAKVOeKdBkb#-a<avKw1g^OGbLsQZj z^DuLD4;csJ@dIyTQW>XrRVO<P5H>)rsXjA&nS+Cj(|`m>97Z@w_Chj~MNpjvw5Azc zO_PC4^Rk69!qd}uD~vzUc?%$)Kw6VOp~@*vN*aVj&xPpG2{81>>A`E7aLsQ~1YWF# z3}B-qRlHGBfWnd>orF-**w3P24(1MwY`*=mfBYU@)?H2A+U(V`#c4lVHN8~3Muuj9 z{_S}3<H6o)*))sx*P?kF&U}WjwyF&p{a#v=zgvBmsVub<x+X3{<c}8Byup#XlxWAf zBRvq%5^E$9lU6rBXu{}14x$q{TJSum^mOxbP_@YDwjFV~3bBj@X^DtX<?a+!FsO)@ zri>?zjF7|^tPy{qHcClHUz}Y+AUM1$hGx2K1^CgpYf2f2<2nlEH`K^%!O4cU8~<-M zQ?<~;EKYRWrR%h^v1|2R62gwDofT7#lZsP^g3p1fA)np1{O%fC$R@}=me=v-DzC|h ze7ylTQp$#bUM+K1MJ#>IYTw+gAZ|!T!Ad0dBtVw)xcE=8`(2xS4*a&RWmOR#xNQ?S z92t-R3(@TIs^x%h>qdgx?QJVCtF5<#wTa3tG!k*iM+$fXPO>dM`|yq57Q#Cfw@?Q? zE5#8J;KA$xar+Vz_)IV2?XRnKS4|CVNx*Qe<zv|&*F&@zj{qRXFjlqV?g4jC_XiyV zekFrTTX_o&>`+h-6}|jA!l!$bi$jiSl(q<;yP)j5T-;pvGIWIVz(@TXOy13LfQ}9J z3jqhUQSNX(ZEOi_Ae4E1`0TEl6iF2c%y-%nhc|}|8yD~Sw)nOXs)%9Oxu{~*PH#1( z8C3ZNb`@1vwN$ji^OLIR=Z!zQKUIq;-%ERUC$ugfw=T4uJU5h&^!t#!QrXU@V?|9g zGh|a3^4Wmr>+WoQTQ&5<+yNfY_@|rOG(m4nKh;5n5R4iI5(VR85-<a{p`;%yC-Cp! z2U2W45>iip9wkP*>L==|Lc5aX!VBjm<atlB@TKKhlRz~CyNka(x!x(fI7qLXL%m?~ zxda<)rhR=Szi-^i=oJe5zAD85f|%t5@5|iZT%~upW$58pIC+EdpE|MVKZx><&a(fc zZ36sD`3DEf|KljY%J}bx1IgOsb|UxA{a^XVxKU#iSPXd24nUI-7;Y<^G>qt}Ts=bF zI7aOE$L^`B{Zy09oQpQMm=DtUO`T!C7j2VXqpFe9@6_=)ELpeG0%Q!-LRAda`CsBD zYAcBYaNlSK;tQp4+{EcsHZWu{Al!o%;BHi1JiPUCB96IbOj3i*G3xtju^rQONxZ+* zDVq0;pt`6yi;M%5923cxE{I{nhOLWCdZG=D1z?hkk*?*O(4w~u#U-!h+)_4fB1mKn zl{N5I4BVqSL1c7vi31(w=$UY&M9YD;j>v3Sij!Rj^PF1aI!GtD8qmSPu@0%;X#NxO zFk&)Wv>*>N;=vn~ne_H;s+Ni`02%%QQwtplF>wJ5v2j!-vcUH;HttZlAP9FEs2vPe zc*df`<UqMWatIDW_cZW(+Drw=Rt&R&S8-i3V$HwOl|wJJnDoUopy_EMC<~a>hhknO zMQ~G+auQ~s$u%&~VCY5eD$H6o0PS+{*-@5|TMZ3yvC-)gOd5BpF%L>ib-WDdhiYI_ zz=ukL67at*fja+_AZYOgxPQ`Q;U}nwoM6Y5LFQpFQe&hF=1mgOYK#pP?jxA|*#<I3 zY@(KMry)Si5`^xgoMW>sNTi$eRbBS<Mu-(e(bPqH)SBFZO@SKO<QnaAss09VCe8G? z+7y-T846>u$K%_!@pr0+GOunqw|}4Z|BZ#jj|;5XBOyM!IJw?h%O>yxSWaD0)wPr! zKri)9vL|tDuCAX@<6rvb+Ct|&N@*MBA4+M{;}dnwvL~juEV4(XcP+Am#ou+>f4aE4 zI>h65UMq*_40C1sJujy*rKRf*IDFdlU+Td@zE0Zae?KkT>Lc{y{RwB%>+|Q>6MQsV zx5+o?*}rgz{f@Xg&Axuz_i}H(4ZE}~&$0V9K4ZuxaPRL_cLQ~{O#HyEw|sf4UDECz zQ&;DPd$!t4f}f(O&&jiIW3byCa`}Fps{XNQ<G*?NZpaTqsBib*`rG6CKrM#>Q5KBB z=B>Su!qZ0Wq1#g{BY9=4puwAm>ABzLzuo(X^X|Qz<8ynaJ35*o{niibh5zT{=K78% zfjxX`d*wMlwkW<r{yxs@E+X~k{pnA0;O9EatRYE|!$4l2NjmIjz_*PorN#v{tG<Cv zmeSqOA+bL`hNrF$TA}<QNakvTMp3R7f-}x(+6ns%-JETncBXdjmM70&i2E>=<JJsf zgZzY0r$~+NbCsTN)BfFSh8<QN&k{c<lG8T%Qi}6W5#%P4r=-unhe%(>3h+6lhuRGZ z<as9Ws|<DU1_UkEABM|N<CV7Ag^0QsTWxTb7DijSh@Ubn6#9+tJ_VdZ#iYAbGwlY} z13@Wl2J!bg(o4>}ZcGwq#V<T@y5ipeFuQE>7xPojDntoO0uS<M)l2uuN4T^EQ04jm zK9B1n<5<vkE^WsQPt_)=B?LI-Y7+)<%*D(PQ1={iiV#Hh$>-VsRuUi<+HL{4TJQ~S zDMtx$qWLwgh-uYStR;@W#gvz8F3DGT)_I(XzNq@}e_s#cnW93|fM47RUzjE*G_?$l zr$8G&9jQ!hytbw|E9Z=oFYCI!IDPTna`C~x$P-+e;9I6@5Ff@eDQfA}u<gpL80;Yz zT=pj}_jvF{89h_IV!TI)h;KlQxG3_m2rvAil75R!7C-c*2us*Wf-4&j##UyNnMZ1c zg>DHYF?(q8<2=tIjwhGfx2&LDp6>DT8kJjh;vu}HHD#`)bzI%@GX4*SZrp%3yLizh zDh|zKV>j*ANQmXCD7Q=_1I@INNW*__#Z<>>{_F)*F^$y6hj}~uF|f`e0g3X%1|$(^ z>747({=aJm65I{$)tehbzj?|H;?;ZVl(vfX1L-OOS)28QoV)}>hx}?DyT3zNpWuaK zyKt-D-+f(Ir)R6T_i9I92X{7iUn%S*as$DKcg%{SmTwGQYiSXTO*NP~KBHZ6OicLP zsB&4-hVsN|6qh1Qjemgb>I2>NfvQ6sv&TY6If2F41{^)SgfYb}Mene{7a!1K9un)S zeodNh-dT1e+-T~e1A-TtOX_U%x!9`G9n<A<W|dawLiP%Z==Cx$@p}lk1m!vCI2ltA zSAOzvj3ZpXfsdhEQj$<;bQw-~D}>4XZQF5mIhLwrQ~VFyd5p^G!FBK?<T85XA|Gsy zfN#o$jO7_KNF7ciQ`zRz3=$H4DYIqv1xG{z<xZb(fy3Pd2o78RNj=<EnbMLwDO<Z^ z$RTbx$X6?LC3DU@M1$}H3evg|()e8vkzhY_U3Lkx%d!ie<x(qID^p3KY3M4!W?c?< zU8Pul!VPhW%Ku^Q9fO2xdv(FKZQHi(?x$^=PusR_+qP}nwry*^J*Re^nc44;_f$<K zRV&HgwN~z2N$#Y1R)(UHIGbn0?f&bSS)}nPP8rzATkIaO4ReD)vGhXNL6x_(q_yzd zDO6>cdQ!4V91@Q;%BZ1uEo968Q~_ZzKNMd6l`9M0rC-x1F^Z2|a2ceho+NzjFc@CO zvBWHbX0r1?-^S54Ih*!mYHthA65JxP(|pttoLh=cm?-1t<e|61Rc*6Yia-34>kI6g zlDFC=Fldi=y>^73C!2DjxU5~k)i7x`8yjeDT)`h*43@$s7mf8nFMEk2o+@BnjD|b` z5uFM3b4_!5`H+M71{R8SS#<JkTk@7afhC6I?a+9Hh=!Pv-V>o=;gf+OXO~d1(wnF{ zc(?te*W#j6!or+Bs+B7g@H8q{My&?*w%bbBgIgo*#qBbVla86af|5)sMT_VVncHV| z_MS4OOjFN4en}i(=sP;vPt*DDU?z}e0X=>=L^Syoi-?B#9Yo^DOR_f`QOdj%W!~r& zLK}ZJ)AFFbMsQ^G>n3nlaH?DQL7zGN(PgYWszDDpVC-RZDow1gV%(=x)1C(3XW8Nx z8^%2!;)G%_fw-#U1+@tR?$szsrw`X$%PqkYkuXuEux2PPu6v=M;HW{spr#Vl<?Lxh z`^?V%Y)UN-)tAB;XmkFt0HZTY&2ZrZ&ba!mke(idry$lTa1*kAcHUh|3Ci0d2<x}n zgtdyFrs8!z{qjK8;5F$6uA0j|N7+eaY0RTb*8SLGIh-S(B5n{o!85VM<FD%f1q@Li z`iJEhoGh&WP`YMg;r!P@7sj~5Cfid@?Ou7YDG>;?WPH2HHOr#CrWU7DLKJXfT`;6* z1qtft_eW1CxMC4a<+Q_DcpvaiPXJFFq}$!()%xF;w`3H-kp>a6{tGSyjRE5f&_9Ig z1tN7+0j>rXwRAJ5knn1~v*?DH_cT!&EP7*Uq1KDm^sUYokL_WDos%(r=sJy)-yd7r znIp>W>AvdSIo;aRKN*nvv%vLcqp38}2?V=SJKlSOfT6X(Gs-Dotv45B^6`cQs8y4D zhA*R0p12%|jCA*htPyV#g~c!l(o8ieMbc9!iPHHrv3iu89pywRqLc{EuUUrHt5c#_ zSlxibI3qzWL;@FxVCv+Mo!5xGN_p8MvPh5#S#wGQ!&Y+-J$ytu4OZnPQt9mo`({ec zuNr@H>XRbz`!%7)Q`VCl^SQl)$`7Q!FuaQurExAcdEJ3(09!d$yeV*om^g$vmO$h7 z2-<{os-t7IiS|}n3U04APAoNDzImBb?cXp9v9B)$EW5WeD)h&2Ip~cClyUIq=r6ol z0a3QsHxhemGIQFj!6`#T+OwhY{`%S(Q7xX$px`x^vx5idteR*P+O@WH5YBndm{{aU zS0RN3iBf@5i%65`PP{6PENb1NF_t=+T5_e6q&!B1r9~i}NB>bKh8T4kqb-99;O2rq z1yYZM#vEcaBbW)F1F+%gK*u5`1PMw<3MWP#?$K0W)C_SIS0`r#5qc0-C&vVSCeNCW zX4+omQy0DlRuDVB%~zjJnR=%%kW4^mAF;w-6ar}mkJ(M#46Iw=o1vSjSM0oFvWDIt z#d|8#*TCV9CWs*(Ur<JRMNeCk4OLr766KEn0i^v%!#Ex6mLOJRVc#J?{amxm%$m45 z@06u)^He5M2A)tR8(M9c&Fr*Rlk;5nO(?!s_~}I;{YBR}I{(^LsqQZSC`hbz7PgiX zIc!O-b6a=irQn=U;zGF~;7XwhFuj`RGpJ@p84?H8r6C?6ey=8D$?dSM!`JuDq>jy~ zt;(mvXOBJwPwvb^@>$>Lop!x%QE|;kzu6onRYoi9oV=NI9geWoA$Q-whc6YiLsGMV ziYEM=>8sF|_vXAi9G_@KXp2v$_cJs%m40)18F1Q2nW>dW&`V>py;^yGMrO@k+>1wQ zFZIi$9YphRwvfeuz0G3D=uEl+2Ny_lf?885^&2iy0zh(x;+R9W*h;s>f^bfpFMJp3 zFRHCH3{c#NaA+lHT4>RY`0&`<@%SlW$<(bv8P<LxMo#awb<%Y?YbWVE_)El%$FXkj zuLDO95MvF~FX0vhhYL@JjM%fpF}n{-4`uy;b;6|89CV;@Q!Y}(nge*&9;%>%2Wckb zNub%fvdst!9y!2*{n64<O=txBA#6&xAWGm42e5+;uyN+n##WPY6NeK464wYU<L2(M zw;lO->eOgA?<vY$Xe61oj-eF7Yd}wHTG&H~fI^!&sJ^K*2lC@)Ica#I&p&?DLFqG+ zLE*uv|BPuFPv?4qcuhHHCzu=SP39?`Wo>|vAB~QsdWjX9$at_*=T?7%2tyn4vF9SJ zycePiSlG$eVsLD@Igb~s3+!|0T*kZF*xLJjVxfy434TfL<H@m+-0>`)^Dt-&GhFYR z1d5gF5-4gBS<>U>@p5`xYc{*n#p@|J7k%@<3R;7W@p%yEzDkgWhy4@qxp7gkqmm={ z>oCB|IY6j@1QSca#TuPD;*p}_Jw<SoL`#;us0ZtR@X%#{64Mn*5L|&JxoCQU+}ye) zBv}`*y{5>1yv-9nC@wORsTEDT^5}%-`RH;i6QW<|AX(Y(CShXB6Y9~_#EDC^%)d)i zp$k#&n$1or6gp~N^sxqJuE4De0PM}n)y3m1EO04#T@8p%wh~6RvS;C@>KbzMti41L zW*5q4em)_m1~TEyde_S|y0q0?gG+-v!T!eeXP*hKR)7l#P9X?;n_eu%Z&RnRcAh%z zhEpoL1mTuWVGl)9baicuzdYV}Gx4Sle<_)6e!P5Z(G@Wm=JS1Y(V@3lI~jM}y22%t z@KPUM`LW^#U+ul7ep@HEV{_%r3yjg##P!W#)!hdAi&*}p6|HlHoDUU)FX)>hlXn`( z?fLf00$)HuUoljPEgdE1=Pz=+ewLZuW99Xatxz%r84{@Nds4Bzh-vtO@XaqkS`A$H zKb&A}4F9;n?q3g#9{#TqKHGoQ`|3(31g7t_jAN`DK^F)l8tFVF0+i$1Ee)*K<IiqB zc3s~HYfWse*s1f#6_{9ULmp42)j_t20(`K)d2qYi3{fzxP?XF)0v$per0Ne)WX#Tl zTgrO0d-16gWOk#;S<r`!ks|MdBomsWwS0AJ(Ns7~m^OV}?(dr|*-SKhTiILcoh?Rl zOKQbyOA2d=p~gVw{X`t9f`yJ9p7xOincaS{5T~NWUJX`}?E4uxKrTT$@V*&|#viv) zna@*y5)KfJ`SBtk5hXDF9cK)seWN)iBT8y6HuqNYrvr)eu}+8bAc@m35M`uK*}&f7 z5meD5-Hgy(EG|(#F35CsTAdY|XAZmDfW%*>ltS9){BUUK*|%$QkfV&o&08&WqcF#R z?niT?)M}z5do3^V`P=XhzdclzXV@r>*f>vB?>}B<*=_B3f_4N$ltAz>DAPl8<ssqB zL&$^-gq@s#)BG^!0uT~(R9qN=3#H9^YbK)kLkCnUJA4O531SJ6SoU!)y>>ZD#=THu zP@`HApj6Ve@R=hVAh+@*gc=~<yaQBWu&rH+xJqD;u^eGj`Uum_k<)X`Hp$~q2NN;` z<C2FGa0EJ2=_7{?SxZ<teSvW0i&p~kGI1t(ZVTC6tf5__CNTyl>Im&H6V)v|5T1o& zdB9N-Db9DptHzbAXK7KgN;}c^+AJeFbX2XOrJq0x+^hb)+3O^^8bOI-Q-R}csoCJQ z4kZMOTi0KyzFd->sjtb~rs#3S6-a6cg``d0T*JhY135g$OFXz7FWlPbw!L|DQl4gq z{+M6WTubc8dTsUK34vB%XrKcrThE2naiIldZ;|YFLwH`pY06unR~o)3A(fFpiI&3d zyqi~?Tdg@PD%)V+-dNkKZL)DHIInK7R<4&cHR2QKe$X<WFSjGC$+zpBUO}21)m<uJ zTxUm4kFaOdwVSB~pcZyamnsv@*6-m+4lt5`X)G5&qD6r!C51II^+TXk6bK72n`bM& z#0!${#mTP1NRV``AaA&S;ucuKaAS3UcyF*K)XbCH1hMs=mpLrXk56-(_Q7e<bn;P3 zCUY4ofHTkPL(AzHD77wITPy9}m-5kPNWf9OL}36455-8%HNGRmOaSKU2@zB?s7NqK zkV%ux9>n&eVBE;qOU*upI!rn7fv^-pHEKWS`wO_Pu%};JAPEY6b@J}>P8VEegV9F1 zw9;PO;+6JD5_xedEb%Fb5J{0-B4ZI7Kq{}BbZ45o5-lFaC#}H@5rJ*Y2yC{;`De~f zkOonSFp!q>$rUne-3jJ_4&#u$<FU+@!LfL75Q|L&rOrN<Wm?2Ko5&?6P4%RbJy^X` zW?pYp%d!#_8(<lvo`vSC57v#LL@n$cG>)+Pv%*B~D9;>$0u>OJc|n+u=(Futz{94? z*{5DIBN+~Cb}t1=d?hFo;l0LDs{V>cl&_>Yu!%&J&+HGa4O8L)bo{Z0|6m;6P2K;4 zoHd2#!<0Aho6r7xoY;Ra4oC0Dg&xM#Ho?LR=?L*fAM*3N^bbCco&BGD92@7qpBXag zkST$(eM!9rt1O!Bv*?yObXYz<kY1lOoRsYV@ppWQU=AQ+;{BujTL1`>QgRr(JpZ<H zw%xnGpQ^7PKe6?3{1RI#0E9GQLca$_f(TJX5&=1Ygt*@eaVu2x$HWC)5@+T&q6CFG zB?t&o9SVm{CY!g#hS&1a`efDBquf%*l<R}Vm;c?H@7-3Yj~s5SA3P@hfN5+c@l%dN zz3=1`fH<X0-%NBB@DN6jqK+<L{pc3*#otIISR;c!7i_ef#Sm*Oh-k_%)n5Qd0VPvi zcb8!!(HMtR+h2hid|gB&n2ea3i$RK1ir`ANDW*gu<l2-(&>s;H7a1rRfsRC?TQYUW zf=Glx1Onf*u{?q&^5D*W$QegiW-YQ!RbJOedF<t4Vnre--FXLh3^A$%gu0T)1ZJPZ ze&UfFb}x@9Yx-s<JsF}`>@E>at5<<`+jnt=OQ$ygJY=xKg<h+aZU8(=qvJ1J3*PS5 z&*R(a^(H*NZEbh{M)-{@zgO04i{tI-ZrGlDrc+L~*JIL(d;5dp&Tz{-bRw-W7pN|Y zP@7lE3bbFhcSAv)gZSZfe<R(KW-6`2Fjn46*_M9hARy(kcok5TLDZo2`cWlPfuEbQ zx-y-RGh$E#0FW|4y+}luo-ojmkddVn(!CCXB8L~*@t?L5d0Vh&yf!d|n+FF4(V(DC z#8;dr(FdX%(B^A{y`J%2Q6<!iNf3Y+jA=w502=K#zt-&Af_L`bMb#U8hEp`pxMdHe zB0Sa1j=#<;Co17w`a-UTxD2m8XeuqNZ-1iC;=6&(Gj(@&FvW^|jEev0lvWRCD^yoH zmv+Y1P-qjyu--wfNkV(GmdOf`984(#pADu(J^(_nCw1gP0eC94Vm~>>Fa{BikUERL zsJchBCE(fzkx%C-z_tq-k?h&EMNNn62tl|Fet{5n6F?Ldfi$-mK28uV%{%%M4q(xV z=>NHu<q5@!SNBu`i%aAyXD?P`oL{BR9m%HExJBcmDiN2d#`g2$UswXBsNUq+L@Ngm zydA6Ca6MAHX%CE4`|6sE6ir!)+=YuU>&&!FX|l9MsgHqNwaDz~*gEP^X9=8}RW9Ma z=39_sV9_M<??mFYeNxDtSy>v32{EY!9232p<hWtAW=KuFK4#|84hAkouk_FtsBP&3 z5a9u@an3vub+y;NB&&Rkwgy8d2-8_r<oDwpnK6jHCwviLa`pwj@=qJZyLu`Gbo1&1 z+RVfXdYB30MeA(1hHkL}kP#V(o^e?8W|AjyaSOxs;@;)Cn!D7^xu44KEw0`K2p*_j zvB>0Yzed@Ko&sKO`Bt=^9QMbQSw-?D0t3fI_9i+}S<Eb6T!?{>&1OuTL`1e0K~tnZ zo!MmC@d=o@@Z-2ZG<(0=XKVBB3A}K;Yit3W<>%|T<@7N|FL9U{6Y%+R3FC~D>RUr5 z9(kjek!6T+oT#E4c=Pe%Jf|&vY^;koJRIDosXQJB;aXY$tP$%Sh9HMHJTmJUmgUDw z4~j*FTvr5DOPf{QGrIi+rsj6?{s#}o!TCQu91GL`!2rWVnb=GLn2_7A2+jay?buV` zG5gAvg`ABbEf<w~21zlZIiU5gZ@6?xl`!RU@?N)*7v>g07vr%WF*%c`duV%Afqcov zhdw4l%+owjGn2s=d&^yyO%Wq)pFfI1gc0ig4vGdmF~Z+Q4<78Wsa$8(oN4_|&62v4 zr)Q3s-w|!pp;5aFMquqrRea)~YR1uz{LCN<M^_%5&Za_8b||u~R_NZb40}Xz8OK&Y zT|=Z@bP)2!csubxfTWb-LvIVwFKg)|f{J*XHV*^cMEg`V_y+DJ0L8PCbf^4bkP%&P zgP#&3javq^=Oxo8-Zk3I=)2{g%xc8;Pabfx!2nZG_}V#9wlAJSgu~a3{BGRYR~TfC zn?4_V#jv4lFc&_>mw|;3Cx16fYC=p)97HHB5TvT1*uA|uGi@r!HeGj|&qAG_?`yl; z$hMLpz{MBS^D}G?(}Y8Rykc2jt*kd^Ydbe?&UEO*mNKRbw4yBIh+MDZ2`J=y5Xz6M zy(_lhq6VLkWg`=xeH_LC>)&#}y}qI)j^fM`>>X6c>teig-q@i>maPBht7l~RrwM`V zEdRa<cR2OdwtxX+boW#3iIjwV6>TCmb%yh~V3UYOqoI=p$0ZR5IKZv-`*oEnbHJ{^ zX_K0ueE0U$A{QSu034vd&hf;#M^7IFXPU7dvdhyCM`^GHm?nrtNxUyJked|Bx087} zD8jYcr5-jvKZ<@9y!C?qRva8nvsMlk`JM_-n9f$f4|ckNmgK23%oifC#>8T*A3M;V z$Bas7LaEvi6fuC#ABzRLZKtmoVzbG21-<tK(HySz<^doJ{o5yvPJLt@GFGrT{~@d4 zxOD&q2!v^$MAvi>u1%|UaT*B*eG7G^^+eB<=SGfycP+L+WLV@~oH>Pwzw~`kH_RlZ zltre1K^{>d$HE7o&n^R?h%)lj>0Eq^JKt9s1hr*lcXGc$Ke>L|bgJtT7-h^xsD1*y zbBD$7UiX*4Q<n3Bky|i>>F6iW%C@ndU9N(jxnw`<#CBWnB9Pw59uLe1kL>>Bj9%5g z?)$Gc>Ma>*ijCTM&!DFr2|rC@Y)LntvpBC42|5k2&W<!$lj~vh#(dk()rA8`M@CjF zB6XULc5IJys1}|nH%tDBOle{7+fq=!I&sQ&0e|9Pc|9|1?A1%MUF5h+frPtMGcn|f z)-um-^<el0zFsU?ql@}Y9=k;=H}|*?lDsuJm5b%fP#)aN%c#r`?gWRh?akPM^Jr~% zKcKYLv_BeyQ`xyXP#~pE0+x$JIAPRacD%d>@vhD7S1nyC3)CfLf=W(}W~g<SnRyaS zDotsA8}QG!ywXF-SFd^CYIdojY%Y@RafH&P`w>Jv7DARP#qE$HOCd3+LAC0<X_0xj z3!$jFQh<1lPxn$wThW-cqneaWPdT&yWg{sp-s)=1a3TKO@qoDUs3)@8$Zq{&zZC`a zR1zRsZ9!NBbT<uEDJ?45iFg)qh(mu-wh?sQCyjfNMaowYf_T&pIp*{OK{9B_QGhqX ze-5x2R7kZE5$c){kW^K;t{LCGp@*Y?aGd|Ps?Pae;(u4wS^j<KIIOuFyVVBkliMp4 zdmSl8LaG1~0DMCyp_K<3KmxxC)^9lS0wNe_RmV+9_v_8?ac%r)*_HWr;-{njGPgt? zLBv17L`4Wn46V#zH|ehloy5Y>s-Fd<)~gtIqz0GpO(mG2=QviV4cXojZ4Vm^@`@$Z zpKNFQ#(OHie77a^=qY(7426XfMrbnNUvz+qDB#}(S*KhWEf|x*l(W<~z8o=V<huZL zdISrtjfI67w)|`iWd-SN>T<PHCb-5u9TBn+0yBsZl?-u+%)<sFTjV~-p!fo2>>ygW zCs~dH^Q#EWpk`hZB5O|^fr!C{rm~|x&VcZaY>VQ%En{lFgft|GnG?Zzq6rKJ7@QW6 zRbjaj7tX*KJV#-!kH(}CasrY#$fkN1v|SdlI?s#sR<1uGeXlxv3s!l2f*h3lN9spu z1SWcb7RCNkKr~)EuRU*`p)W;fyl)Uzj_D4et0)OX|E+yb!EURV#a6)4`R*=T5x1+i zxRAkA&v85L16la?E`7mo#!ks=%M|7B17^^?CDJRev;nCven~ZIjbU0Tmuy9UY{t7B zskz}MhD{O!BG@8T=44Y|%+6E*+7#A%-!eHAE!4(d^^tdl9H1tWCe!O!lCaSmn<gm> zrF)<%EN!cTtZ*gEg=M}4=5v3()+4)D3la||ZB%T-WIHf}bjZqC{JIvO^ZIjtS=vgI z`<;HH_sh>ULJNPdyQBM-Rc_BF{^+M~kH_Qg^h@ewrB9njPM!Q><n?ar@7m8t)=1{` z%lI7bpd(Ru@|FUrsh&XfND!zWq6lK}*6e<NV4XKsi*Kiw3uX)apk7U^+HJ?-^YZ=m z@bF#l{`CDp!7i>VI{IjDNUqPu-mE<@%xpADHZSDn?$0;=8kTCw-O2XlDt!-Spv50r zDUB3iJAgZrb}QBnOS*|-Ea(y=N!d2B5Nw+9dix})%dz~ywEcV<oJZWKu_4BOUpZ=2 zY1S_^M&yCq=(G9b%tMa**tJ8e9`|cRGz^39oh`S$<xK3ZW^XU&bza;(C4<km{lYqL zwl5zTe3YHG^TX{)gT`;viG8+JJF8hjxh>3E`duC8!DkHCQSo1_54BD`I$!w0Pt^y} z(Yw*nPU^16=OK27!c)CMH95qXVWpwz<PvH*we%YIj+ArF(n{G?HXU+r_k~n)?{~3X zGvUu2RC7|Igku=?ImTkq02PORmE)z4&YlZCEeC!Ks5$50XMO?1$RHRya0(*|H_!JE zl~=qtIu|S6N5Ljbi(S|9`@9H}byr?Yc-2*4UX56-sTqO45wxC)%rqY^Kn||YKiBsU zXlJO`>XcG5_<|NOm>LF{OXx03VxLZDTqj-v6$LC$gLW7%N!&b~S8A=q$?A1Q{A-B) zbe7+V*BpThXxJ-nOl9;}YaSKCmrW)J5eu-%#p0TyQ%^dwz}3(j<hWHdszJ_*q8Sf@ z5;V<Q;7>NIj@%Gs6tD}&vdyqEo%t}$_)TLQiSRL)f~^$Paa^_1^(kK}L-e(DyMR}V z<g<8sU0c_1#{dqzNgysBYt97pOzIb!^~z;1)SB$AX=1uwz|9WEBJWD_y#`ylTDuM# zmb@_0G|$zhH^!~hVu4b<M5aY*2!H3XGFP$o*k^<ls6?h;BPw)GdQJin@BXe5CTVWN zmxO-%j0y8rg<%qmPE<=hMNA2+KQax~3cUjIw*6@mK7@LKhYv}|j$p=nn?ohjVD>Ez zqXJn<K9DE{bfKxNBN0Eb6Q80c`iqn8JQc<P7=G7{sB?7@=W+A;xnYJC;*%TVO`GPv zX{os0%v!4J51VX<DVa~tnB=BAC%RO>YbI)z!%3eClsi_JY7xm)OgMg_bA&*&H~z;V zZ2RuX#HuWM&i0dVq02jHh~Rh>!%0Su;cVe%D6cx^>*a+Yl2&ekoT+RzA}ZfdA%@07 zqc;NQVqbzm_ufmOrL3t=>^*~hI|W(UFS*aPGJilzEMwkX5;~iih=L<hUC2Ef-5Kgb zRr4$}isuuOQ%|pj2SViOx@D28erBItSHEQ|#kru5MB^+I$}q&Xzgk|ura@J?SDjk( zrdicSC6h}f_&<y+zf0fQe!^NQ611zC{Yk`CC`LSxRp2rU#1{XYWpW^b28{-pmCN+i z*?t(n$kGk0byXy>^XzR4p2XTvt1~c3fe1g%wNpERM*8;?0+r6D%uG)3d&m@>I|)B@ z>5oMPn>_e{Ia8Rk1x2VoNo_bPVnw+v2Jx@{w0T5^*DeOjz0*#1e~L~e_+bvSBai|L z3fH-QL7AiSWrQ^J3`7llj33bS#aYzF=XoCY>sI|;T)s2sxfjtRtf`$=NJUKNUsTg) zoek1p75O_w-6U##@t<@<NjPWIC+{NB_IhdU8#NKXS+rw}n?q07NCyh>@5d=BhpaBD zH>Fp^OmD>XOdopazt-!7{PFJ*!gR5p+@VtErq~ZJ>XhN$wpfjn*6T?vRvS3Y7LH3L z(+Zhv;@1CBGDY}(2-C4x*xhW#w#FO_r=q#ooot%g87)gRn5Q!=R-_wEGgud^(oLsX z{+G#pWvbCMhxM^4-E5l2@<fAq_J5huStqMBOsAPFQ#2Z<GE7!z8c!_XKZZ5ehYbU$ z(Mwx?lEFdC;72QoK1S4XTJN}r=2(@sK!{Su_R{bLlCa9}(ghg^>$V#}!sru5+67op zmYGZ;SJ-S?nb1@vX^D8euti#y*A-Mntg+fV24K5?NVyHbH63g7{kqZW)TJZvk?a;0 z>%JN{17+9qzW@o^MDFR^m?7@ry`MqCKEVAXj&gPQ0|c^%(`SGK6g<dJ^PnD%%(y@- z2WJJE(Au-=f~w9_Oyfrm5z}IzfP~7PoVWOnGvxHum+2L(o1q?P`|^l0pQN<@j(8L^ zV;X|RbCU7<GXzrDK{h{X1dPeG5GX_;BzzbER?WJwg_fP64D%Cme4G=3NY1tn+(}KI z0s+baAl~s3@h=QOa>AJANAx+<g$gKF-HE|)A;o5Ks`9IXe$bB3fCN~7@lE69eN76C ze25&2kKvVG)&1>jQI8u~uk}d+Gcmts7VmK-yOyTZhN(o%{#a$=r&Oj`Im-KLl;uSa zLyOFX66C!xs3=OqJ^=&y6PX1moXnB)W*Fn68I5A!>HYxFT~?|sv<l)svpiz8Z}vWN ztCF`4lT!MuP1oNO3II(Ih>B7KB2}&{O#W7!Gfv6@DaMEA83oFUjqC-e-pA6sJx=-q zpXx|c_z#$hk>MXQh8#?s{~lANYuRQppp5RmqxeV{C9j|Sv^ncE%Vu=2!6#Ns6pX-9 zY?)4N_<VB4m5?GRVxi}RA$`5xYI|{z3)F!iWLfH=Z=Bv@0Lr~uSp^RB+A-K6ELa2k zivrk~+B>;=v$pPA*>m#u(*>Pejn>+l`JS{!LSI|ue=o-=2LPy0=NERCz?v6qZwVoc z-O>Xr!OnuhFY7=uNDHT8kIgc+t@v2h#SXpH!NHc2<$qD4V~#g+6gV1B=ScK}NKSH) zu}lb$NT$6dq2$MgL9coNNU~b_Ba@iyiJfH3Coo$?f|{vCPRb<{HiLS#Gag@P1G6vV zV%YlBQWh(R8na`fvycOJ<`Q!}PO3MBZ_S6p0d&ubis8p~!b{-9u~wH@p_l1J#8s`l z)M>Jqo(pKK9aW(O_j*MpY*#;J$nYFraiq)qg=bl~VRa~U=h5yzayR<gwWk_ffL*th zXkDb*PT86jPPbj|pucB2jE6`(=mQH`|FcQ>?HE&yc}N)v&k598#F&EGs0z2XjWejx zP9lkx#K`R>lEuf_vZ3b?;Y^9)fYHs4f;+-V8ALx3@V2mCM8~4gm3k2M7_~~rGY#ZI z!9a!sg=p3kI`9qv)hbh81AHjdq+@>yPV(BGD~$?$Q5rB8H=oP|#1fZB=b=<8+*cwo z*}|<ZRZJDXD~%dgJ}I0eX87Rb_N`q@7wbNxkq2X@FTD^Yf6t*JHnts^5JEDEec5tZ ze|(XnZH5_h)2?pdXXP&1VWxpAO=)uZ@qUn$oteyG!Y|OG*zzc_cnn;)R*o>szFC-- zv&$YMjy}f0xF^lWzgc`hOn3zs#`BW9WYm}6Q^wH1krt7sA8ysdJTvkq+=V5=JpJQ7 zNm9eOi4V_E3aZ}?sn~>3mZ|CRj=+qI?P2}uZlKI;Ut$`#g~hbhf5FZ+D?{g&+obyE zTq^y-MO(4tjp-L=sta%YM4*sHu@gCh3BM}}XTmEltDX^sLTP*PnA%ZzyQNoY=H`4b z*<F8AjJlCii!yMNtz%+OGrN-MSd5xW`uV-%a|JA2BF1PZu9fY&m37U|d6f}x;Nh?J zPe4;fE!fe>FW@R?bl*Syj_hpzbYJ4%&vl&E&~eP<LhwFSJDbmG&re`r;`u1C*pkg? zY2kJ>bKu4j9b;7Lp%U5r`h=3mT=Vy{I(Qmh!^m}Xadv42gRlVrIbG?czFfwR^0WN} zL9WvTK0?O!<VzzmMh5p+0jLpEaO>8Ng2buji;=4X-#31Gd3av;J*2O6U0I*_FeQWq z2kiLe%-Yxq0>IN!(<6X*O1%YW!rcYtulQrMCyk@kc=n2@u9-`-RxvK#600NNWhHE; z`3FgHL7P$KNI8PWu+@oI%x-AlELTc}R(xmcTr*2+?*gRLj>X?~ch&0SSS0kK(+1lH z3p7yhgvfNAEIHsJQKzho{jXbMow@p0k}vHe<q}}s5n>e*6I>z@K21Kqahb?%@hxr- z6N+2F*F?dlo6%KFPi#ClQaDvDxQyDdqKVU`A{N7N2dT6S>70k?q+F}hps_$90~~hJ zcJ-!%LUJc`tHHwu&Yyq}SThBu>9^GyQRh3sfJdk54UkUX$i1j<%1j1Gs$>3Nk9l`G z&SMLdVD~gKdK>U4EA)5P)35KVB)U`PrHmepd^Szdv2?0owK>~}pj}_hXkLzvX^~Qb z+R!}k7%LfNm3a-U;4T*%Gty7qFnWGH?YZ^S<u8o%J5RSVB&Uy;!!N6Os&kepHX*Ep z#L}@_#jK^`<$0A*UEp%Jm#-*zLDmy{Yg5gm>hrV4M+_GT^BxtL@wuJNS7XBMX}2)b zUY<-HoO+>L3$0De?U1Y@F6}vh&iM~w!gI}5HKn(0;=UNOPdu<1=IR*hBH<uJGLOFK zf)l%ryX+DZa_-3<O|LedT;Ddg?naIHLmO3NGne+%=1!CNQ>rlBJ#D-1S2>?j>Chdi zUX-r5f|6C#CBY~jWWyY?%R+=iFvAMo7l(ZE@*E6ZzqaJW$xZ2Eu}yYH$#yKN4U61@ z-4Ltd9V);<mO*l9UV<h3%$smYtSHyKE(ZdAN$UiLcG*Z03<O5nCHXjaGPgJWpfq@Z z64G!aYQ%noZu8B8Qk|Aj-N81&3^1Q`s(w`3Un~qmw(D6@L!h(FRZ}&(?3*@?6i6Ks z&d4X}1U{TDc&(RFTE^8vHe}9YM$xsx%ruKcYm5RozA7HrGM+V2QMgDd$|s(c(!;mU zNBz_^WB9@RGOor}^kvNwdkuFJ-!KrJ(gwBmy!^5k6ORS&WOz4LZ!A)TTSS#~TCA{- z7I(z*(|v{lI~d9(0~2?C3QRZw8J$ef4qPfq^)9m{_}eqP=)xe(xm%;dLJk%|wxFKz z!nV=aJ)DEJFb)A%noURYW?k2YVxh)gAeQ6Lj(<#w{>x#Rj0}wI|2wh6#__NB2y|=d zL>jjudgtopj~*SjTnMX>s>A%~Ckg=lxe6sQ#mDi4ATu4ks_B1!<t)z0&_&*|&%*Oh zS7~*QouN%G;wt`oVO-6AaTG1mfEaCUY{ZuS*5YUzXvS8SZen(FlGs3KeE^IV!B3oP z#`CA&)f|(6@)sOfY`Fn7I)t9#%U%ir(AfM1*()pOI|y58)`wuYiZjIA=)Q=o@czu7 zai~ufJ%ZgukHRf*J&_YHv1VNTj%oWI*V&RFnF2%6>je3Yg8AGfZi$abYbVKc6a!1f zq`P>gglnbprG(faN>C=-F{)q2XdS@UN$ep1kwEhstg7r?Y;Yq^qHEt81`7jN7;X{A zb&8D#3BCj`5ouQct>?;YD=Ot%Is=k4!h%`nWw2{~to6!tx{Ex=y-|Ju18w@GA#VDl ziRP%AlOCFr6@7Ldr;*!369RwR_<8ZfhLeu0&rB}TsDOw(Vxdlu3}dhmls+@S_^g3a zmu#fLLLNGk6HAxhaGj-SSep&jx{<ze*iUQTV_+kxKIe|j`CUaMQ*4~xbP(Ev-)|<& zxcRGrzBMykZqmlFy`;9rawPS1y1vBxS!YG3r!|Z3V@Uq-OCW~dj7ts+;_huwrx6mP z3VV`FY*4>a>!smYbOx~fs6Zky!PDpRRJ7p>k%0#Tx#<hnlHMLt*w4mAqJ(F0kfKy; zg{klfI$t8oOAS%e`(A^k8|JW(bAe>?cgSKtASP&II}+Wsl>X=W+nd|_>tuTHvvcv3 z|Lgnv<7?D*_v`WIX?$?g_GZ^-y`J-FwRAW4$L{0lk0$<&tZ&cnhxaFva%}olbgV?7 z6b_?<%H%%t-0k7Zfhf24j%=^z+d+OdpJng+Po?h`K2@(ZzPD58?~gB%;UR=NAiW1e z3!Xjyp19EiV4?L1!xclj9Rq*J)d2$|*$Cdis5^3IS`b@OZ22n38uMEIXa3sJ1RP4} z8Y+~BC)656OdUBC*M34z_`sp`o*Tznt|<`qpkTc#k@8Vpo4VjLhGQZsQH(Re!L_69 z@=k0FvUvM158ypE(wx1%cDf4)n+2wi^i>Sh?h~I2trRC%0J2rv=oxhbhg1AOZ&PF- zUWmF_7W{}p0d6LWEEy!HowgOx{y8i}|Hu$c5#Szd(!LshfGcJJeiVY@68s?xNKBZ7 ztUV0gXG*ZXUA({V>?9F8qylg|FU|rmhJ92W4yHZzi<y`<-5M=|<uwxsevEz!dCTw< zOj|jzEaDZqdI!H;zyYQN$4aS=1j9;YtR=}6rUb=Gh_Ao^*GRjVAs;Ygh~5Y|$zJJT zZQR}u3`re@mybZe2cr=)q(fDL522s|I9wt%$r+{u3|AB%fkDvX6?)<ujG)KF?#|Da ztnd5fuI68!D?VGFx0}w@<@4jg%vb0u($cv($J^9$cY=inV6Gh9Ztu5`M^AanQnlP} zt5W(KU$0%=-zRH5|NiZBrM>N5_g|axVlO_ui|s*p+uj~uS2V%PPX2A*$7{7*p0BkO z+$g5PIP(6=+MNRnh%Wb=R_QmmL%Qx9rxa~pD|OZ`EQRRzHH>a7W!Rb!<-#~|!dM}^ zU>+!Ulm^s)AoTx94k-VV9%zm<#v0?y2xo<If_b3b(f(t256g1+tQTC~`<oT7w`;l{ zFGME795hJ`dW{h(yrD&48by7N^?04)V~+uW%RH-u1EZIDecXpUdeCNvK#^`g4aW|% z%9P3AZfI7wM8|?ad7x)B6?~CQV6wFUhZ$vj0UIH^ax;0SUDy<Qd$2br+QWnu->wog zM+BpoM!ZvW1!(|aR2|(%V+;jZM4^<DC=kFN?-w*_ZK>`DGDAgiG4*ShzGt^2L!v4q zs#ZhJG|j$;y;jb&ez@%_Bd(`uBXAfa4HAH|uZ`I*@49YajR>4Um~8!@hu-E9Z#*-o zpxEHcmZPr?NINYDS}4Ka4mA1+*x;!Np92;g-Wca^0NVIe%)k=^AKLxF)@LbkghEDw zeJA%~Vz=cfAMNe(uN0CzYn2Qla~%sW2#gVnnl-l5=IFmW34uatMpHawM6q%r_vs%< zp=}){)}PFAW3*g41ri7#E%Ula37v;+>OdE8*lE^e@tc9VH1UuVl%2Hx)`YdT5rK*) z1vPegW_xkxqg_RmNFcpeU8@K<ca!8$Q98^6>`DSCM)vi<hcxh~-HGwzuz>>}ME-{? zBQ}2!;3^H!kzm4W8&W|8_p7v?#F3I*F>pLf0}1S-=u^f#hX~e%i5B;T;yfO+aC0Ht z9@)GNU!&HTv4;UO3k5~^?d{r%M|HXN9jD?h!hvU=EHbbCx*5NK;j&U8dY0jgChpw~ z8Yu)Ig+8x}_i$^!MF>eTCQYIKitntTfYQhtY+k?wzU$|p!wtACcH=k^^%cW&5FFue zx5x$y>6-W2&2?#J8PSK%BQ}i&0|R|mdR%gH)Zr5I?Gc2idtN<<&QRXd;ZQ`vIaT65 zm@ZG}avXsk;&hC|anzdxKgOj8DIt@q?9_D#-c9r3q?8%La5-3p=p7kwrVgA{baLqX zCUp%TN1X@)k*nnF3FieFH4+vH@4XKraZE_EfhI**dt|S>mtK{3qWY823_cR<nn0!` zqf6B%Lkdk#y6{KRp2z?e6UB&=fV&5utvqQ*CLWiy%eG<~;s~ei6w<IE=pB=nzXiD! zies?4v=Q<cxr6wN%n@!Dv`;C8(yxyjpH4+hBxHB|@u7ZJ0U3m12LZ<*v($IfS6y<Q z7E3uX!ELTNR5GctBPy<)k@?`B{13`vsgrG#hnrkbjGkn40d2wL<4|@@K|4aM2{1}> zE5Ai-vSivzcJBp?FF(Z{X#6lJf!RS7B?x*h{$*uO>NcZYTKGNboD!JpwDU{mB-d@% zG6JM*8?OP;;WF6qt9AMrTV$qBJ<y)=Vm152&Nt8~{aJryguAaH|Fb*6_ryQJ_h1J1 z>$yH!Tl2(`iucvDaHySkXGz7|K=yO*)B6{o?7vx}LP2i6EJS6n5^<TrnC>5l@*jxy zf6-AzO8)=vJo-0XD>)d%Np}TLzcDHqcX^NjT`MtAGN2KHcv$7f1&YLcfl4-9XP;L_ z9iVbRI`)fH0WY_Q%9O2yV%%Q)<Tg`LM?o_HPKRIS4`35z*KDU5MfXJF!cmvr7pVI} zCYBIl(|N_BWPCDdg!)y9hIaR*>^O1Y`oyv#n#SUZw)KwBpOs^RnygC)8RnX)3BnDR zR?`&c$<tjz(GggCiPA^-_!_Vk_AdX^BvxMJrgUEcziy&R6^6mp0L^`~J%C_A_uS_( zLVEWvbo)1Uux?Dqe~5OOnEwGEbFlm$;A8dwJ6+{-s`kbx0o^z~&Eul8S*=*gW}sMH zBZRVr#_A6vP5=4KoZ2i2RS$`BO-cyZbIXmM>u3dW0{}ukfv)!M6@_TWGCF`}XX_vB zA020U4$(%~mO)dH`7YhOH^i$}nkHZ_-ShkA;Z&~MSvnD4`K5{=9srPRE2Kpn0vb^4 z;0!A`_R9|{zlaNzGf|o%!0r@{e0K?&MvV?-rE)+p-A`7BQzf`vvt&%E<xcpF9!c`1 zELGOF*r_>mB?73XWHkWEcJYbI_nYR>iL<CJ9B~i^3(zQqrjSSE_;3)u7e@-1N)`ns zWKe=ZSv*-Z_pI(EPj5u|oa%X?Y1y{!Ju@IOd~!sI)-Q>neU9`wgC-2?A3vIah>(_2 z>_4ijs!S7M1tb%%RPsZHGu=QD9!cIm^8MU5M?|L5WONeD_ZWN>LMyE6_i3OWdeI&B z(as6`kW@i>H^qz2DW6&l$3b0KxVVyBvV4l`4y&;PIItGf4Y-L2&t_`GANO8mMfKGW zYohU-iyyiy+81bd2o9g_Co|efI;q^dU77D)zU|lyo#D~yK85b>S>RJO+<^Iv4@IMS ze|AX|!8}515p!(Lmp~_udjb;}HYupEIe|BG8iZO~i|2`!&&92V;jQlpv}Eriudu%~ zFyJF~fOM4pEG(%}cM&;<oTqg{d@r&<FCeF&J?pKD_MH#JfGlO^!fFS*yf+=wrHg1G z`5;Wl9dBZbGs~{)1KLkEk7Ew3)XEyVx8G&RI(=w)_?@X%rAt^}G=4eV=Xubb0oY&? zzAjKQ!Q5lRBIf!){iu3!>(tEgh>Pi?8>D%Cy>()Y$;)4ZQ20hR?jDIpv0{wgyWE$1 zWW@t`2{)$766PZq7C2wt-rl4ibN=RIhU=-E*kXvhi)dQ;$cHw(q<8e`EM57mZ?Gh9 zWBpwn%j3JZmljC;Negs6^*PiYe{#C@3>R~PH!#%6!_8q;%rmym+sXjtrJ6OK1T*S& z`T8=c0-0sEJaDd85`fyV)!1ko+s3*_OhLsf+Je;4o%9+DWr4#5Zi%OL^xM-4-yHAH z0+CG@x^WBNSTD<Bi0x;VA|_pkWMw03ob^Ueew<|ekGU(3e~m=h{vUfAI2ivu5|y#l zX+_+=RI^*RdgH+V0*V5VglPrU><jCbuyot!5JF^$1JVFn@ZEJRn<O`TtU>oeXP}Yl zuyvy|<8VBQLyE^!L{RuLoA3vr9q|Xd3<ieQ;0DK&!kj&l_dLl9s)-K7B0=2`+jZ&f zFIyz>Ap|?r<%r&o-?GR_R4MizY^8MsdL-yxj5yBAf-gi;esrq=Yi7%_6l|nAse@}u zm*)Ykj!xv>$)m33&?Pj{w1*~(R^JN5+*RcPf1G-~N1|!H*M?OMZghuU=`w=5RSy&M z<OCgk#gVjg<^u<|Nq#hi&OyF6kfN8J^gC%r!q@HhBnr?LmX!r*52jgW0N3T$D&VD2 zaw+7cF`G%AHJE4ItLSHL$Gk>`Z%5yt=0uS^Y)6XNaH|P1G+DFEce70^bZU!*L%^VQ z=4h9quy$+zTV~PLz9Mh(*3Kn{%daG@;ap|hEU!h_vmyK^{6!NA)@BGty`;owrz9Vf zpL$wolDMUAs2Zifma}QYqBwbu3pnWJ+#)XkyE6(Pu(OjlSQ!eJF^Cg^fY)_n(6^h4 z-#_lcdPwkf?(>cXwg_=;fL%HxyqQ_CIvT#;W`c=t8MF6}FJ}~7vHGs-;aCxUUyf5x z=uUrZR*DuU20|u!5HW}^2iIO<w9%R7wT^oy#b*_fL?9-==pO$iGRA%Bt?Euqwe2Bb zou%}ih8E334^oqQJ1<K0I;bLGR`Y;PvA;G7(0_j|)Jp@mbBlJn%gx@=<Fj|ycJREj zv-5K_b1`$4pFigI_x^I**H(6Sm;cM*^Nx;?z38>HH~YuuV?R5})<%|p$HxoiwhpHL zpt!N9%uP)oB8|>6LKh^~8(p^xqLh9AY4x-9b^nR!>-ZJ^w>`RKH^{cPyT8{Nqbu3` zII7<>oD&~J&_f!6og`t5w}_0<;L@``?Qc6kK{c?yG3vf5NhumMa91C>U7KYrsg7O9 z>oc_ht$5JAJE^<~k>T@z)KfAwAcDkSRT8XLxE?ZP%u1|!UOGRD%WVVILdR2^8-^dA zWTP#6Fn?aAzfT~9c$w$*1Wm<hN0=ZFr~<esX%wPkNMmp@O#loOi1m4Ue?vUG@Dj=8 zX^q6+<sZ`|l{$t(DhhM%8$1xgb__*P)t1%!kmcR#m;emW8gW~YNCQCi9jp{q&Q=VG zFO~ZzaFjVsa{#`>l4<@<B9~3nD|1rFu_Vz42~FE0T;&*<IEw>;0(SZdq8U<9Wa|$Q zc-8x-OPRzB3@Gb!*Th)jWCJz;J&=aU;*cQ8TBJT4OTmbl`8}bB5QkOFW9NAkyK<D{ z0uS(tCaBao9*zDCQ896Ph%U516Ic<3Z5bLi#t9k-;B^zZ$L_=?55-U(fw7Z3se+=2 z31ssEg19-^t0M8524YczbLA&ET;*+rOehF8MEWfhK@${JgU8>q7MmfM`y)_`2kKir z(F-J@Ju5EsKtU|YV`@18@8ebDffhJY7u-tX%7BIO_Y@%STzh^&*>is8v?F*%$1Wvb z`aMje1P|;d@%1q`E8GCI-W7WJ11YR~8Qibm0st?NFchn6@__{f^7Iq-SHpUo>pSWH zyg@aXh|_{VWGN+51?qSZRf>>X<*`4P1xv6NNVly?q{R5dVMS46!JUH}AUwGfB<7Gj zd^55qWBs(@q9yOyo;7-GEI5On&J_ARFU3ZHw{R>mZRWM+NYMo7;;1yA7Ovz!oke$Z zK>Vg@7hnteZ#_X%=l=;*ydPO|MTCTrjYWB?I!fDuAMiW79Qe@_-^SuDC}1V;?+~GN zCe0`6XQv4wgbSUD&Y0gvO{GXJE3PU^QTJ)gABLZgdzXr@jiRY-F*;zPRuQ_Awt_;2 zx;=ZZLr^T&!i^NHSJ3Du2RpK+O<ge{j2sKs@r8zB14Kh^s58f4$j{R$SX-#ALojEO zAZ`f;D2+;?r$EZ6@dG?cVKFq+|LGWdP&4f7D%*ReQB+VZz38P@EUyCbC*dsGB#);u z3N6}r5v@ojXn-;g$`Y-B@fpr>Q!83Xj&>6hDo_MtN2&5tGaj#<D_b!X2q~cvT9$P$ z@*~=*LpbAz(2WyaT5080qS)NX*2%UqDZmQyAGjt<iXWEe-bS5Jec?W`O+NL_lpiV3 zg)o$((7J%VYo7wnk)b3WpW+$VQJVOHIWTb}SC>xvVa)RRSnU-~mhaEF<@<fv{CuCQ z{OlYxxI&#>5WIS4@p1L|w)?%Grkx8~yiBbfIKRHekKO;y)w^RQ>*o9hKyG!7%^fiy z<DY$fbNYSXKfHcR=l{OSZSDQ~*#G?GA8>PiSmH{UzJ!N=W5KtQgO4%!3<@7*WVw%0 zIx7|Y<4E9`=g5F>!w2pTH-WRnY3|5C`)biHH|ec;v*?hU^4YXidd&A<CfgMEl`dFg zI43wOI4`&doFvXN$GH=I%@hlb5|i{4lmCy9o#L#yVxdv`{}x&-)=Nw>Q?AD!K2<LG zH;5y`GgqiFMN_$Ub5<&Q<lV_nhd-pN)dYr=Hd8%P4cBH)r3AHxprJS4wFOJ8p9%1& zVg_Ph8J<nY^|8&@U7k&+E#->W$k99igR)8$tx*1y#LdA0#joRyYdoFoN3}H2dt6Gn z=C$03DGTxsam&!S3B6LFzI#YFqwW|B3=}@_-JIuH7Q4Cxzb0cK#PZc>V6x$&1KEea z(S$1s@s44K{Rf=J&CF9EBd@*HAN=wVPo0TY@#P}kMEvTmnuc%8Z15+FfR?W<|EMk0 zh8uJ~IE~bme(M1aCjF3y@SgixFH^*;W%YSM+gcV_w@hfMpJ93OQQ*X7Ba!8f!dI0* zYFOUB8Bl_OMgyQ`jlvt6&&>_q;_+93*!KXp;_^>%+i{n||DjjPQ#!S@4TTS&y~ucl z$FFICkrW@~OEr*t>m6|(D(|qxa1niNM%NPa$lKzrakM%&(7S!1t{Nm`opoMQ%23la zM5se8J?WvG27)qK+Imeg)zjc`3`L(2YE*VPch|Gf_4uUqZ(*gH4)bHHAty$9Nj@pY z2y$F$T$l=qUr?i%wiLWWDFG=?QVT8e$2+AiI%y^_)`rYhWaiS6?Wtw0g@t_LYUbAq z8^Sw3`P6*esLUr;C^xYi_mWlaRD4{Rar7{9+h51@lzP0NZcrYWStS(2qu{-kn&zZ+ z4PgQ4LqGCRJJ#9!DiOp6vHpEKgk<2h)U!ucsI?m|W7)}CJ;m1RoRIGUf<UoGx?&FF zRS~PTe}z@)Y@rvpf+YGwk12ytmR9WpcpyQ0;B^hNT#;%9BR&DJqK;4X3qu2!5^2nM z15$w8?MBw}Bt^F2>)f;@F@IPK%>AM}hIu6h|4|vzNT2lT_3?-*0NmK-hT<fP^b5{E zwc_|s7?JgVwuv(mFtRXn{I|wLz{bGJ^xqmY!T)Y}WoKYw`nS<&v@59cqW31h;()wl zyeX9(G7$FmHf3~z5e!Csv^5ej$a%tzvSKl|h>)T{973_6kdWv(f?KEu|Eweb?=R=A zr_0Ps=f{Uv?d&seul-J!<xs78Y*S!4A)>lZ9e@N>Syg2vBp9F|fx&;`0EoVE3z*T4 zfu9v%4jBV;7@Y994|sSJ7MOtHOJxG}u0lE_z$K48C=h7ienUlldrAZd3J@U4pX)G@ zKY%I(cy^w7H30I^;eG}HSrZaT>{vHvLBp%>pNM0y$AAH(q{FvgP~cP@{d0B{Ab?B3 z`q}z6ZxQlg)N>G!!Gm=>zY_hlhe5*yMIfNOyu6?UHW+{;8wxR}aC68p&OlfL3=B=+ zQ+RHGm}TJhf#3dQ0DB-<-2IHbuwoM6RpcPBzz3)`b`&uF{h>SpYlCwFUe0;(C2;ci zpu%4+EAQ8K;BTjPe)@oSy$j#rJrW?|Ur-?e`4a3XAp5Z596-2xH4J$@88HAW(4OEB zf@^vlLfVWHUOYp<K(4`S`?x;MaDWw*SOA1>LB4kedFC8Yk%)bLI`j-sx<&o?jZ_1= znCB;8!upJU{}*HT)ME*tZ3}pn%`V&QvTb*D*|u%l?y_y$wr$(1Y~B5Gb8?dXaQ?$g z#u)h?X4JRxo;enpA8;qoFZ41{(38abI|XkK+A9nW>lsNtkOI2x11zm%f{?Ha_SP<& z6dn!@LMj|iCLGiND42%1Bz0ThU(W&iJPF++f5`OumKRTz2Sxxng#-i){s6ogk&&>F zqkI7m4{vgV0^|TJ_@*$CdO@BvQaq4XH`gwllUuEkSwe&tP)+~aM=&rU%v?V{jeTs> zIMFuGpUtn;aEKUS`L+u4@dwzOo;W#q5$0T&o;vgx0~su6pb!bFpu=a-uE4|RCHS}a zkBk>4=+EM|pYf6?Cs6<<IlcT|+>IR>fnQnwmzkZr|IhFIu%TZ#kVoGfKXgI`L{#5! zpME=mdc;2h_j<-}dT&3w_~m@|E?*|6-`BT4Ys9wpYBvG|?!p3n2dN^M5qc;?ew`Wp zzIILYQv~0A*S*yl>d?MYXehDn1rI@D;DRK*PxjF`TX3d+n6V+;UlfbGi+!v1A*A|l z30SYg!$EPN0pF9MyL@GE-;VuzX3v}8{d<@wA68wM%<#RIKUX5?AYvPOS4Ht<Sjd6m zB3&Tv(tG3zc}Q5jUC)fQdRb7gutf3d-q6T#>quw*qG0rpbQIud&RuQ$x1;_XpDO|W zfi;-2+Em{P2=9QHk=BPOidWU|6h9p(#xzWL*t9G`;o_j|${;O7TJ&_jH?>e>$(9Ag z>5$hj*sAfm?TSM7C>Zf|4W*6QWs1%|%as`$PibHnmlL6@cZ$`TRkzsl+xqef-um?c z#moys4COms-Bw1PHJQ6%O2H6?N;Ht7Z4yUp`7gcQ&6>@S)cJ>+%ju}79DN5Wn?rRx zM)%6|#J}J8o)}V#47u?2vaUWOv<02;e#gF!Q3#rmEzy$8lWoOxi=N<;w^ezXXV*8G z`9Q<#aM-1L_on-7QZ$)rn(fg7636xd=acj1-1cFDOl($u*NZ0D%;#-}6Awki%BPm> zlva*vTSv;~D4ul+F43Ugy;${f1r}#%i?goJWyz28EJoLYP~G++uxJZ2ZtcS-?R833 z%<4L1o15~xnS_vBq$VXcx=^pc_M0<`v7BUjzq`sqZ}h``Wa+g}H51sU1{y*ijM>m! zk-0?z#MP^GA7H!#3o%>-Ybl0Ndja<N-U-0T(qO-m;I_#z(JIg-*NXvjXY-{$B8zX^ z!basF!?8A8cxX=a5W~{cn*}xp&n^IBcS(4$vLM+Z$2RJt2VFNxmAl(^Ot_a>J1X;R zH3VrXt}sDS@Hxv2*CwH#2_AGBrFEhtwPWCAO&aF#3P$?zUKj5Ma-sKHs0A4sj8_`8 zFpk5aG&2}mkPlFSA#wi+bg@{RXP2noDcwd3c1(1e@f%|+y?`>0Xrm5<ltT!)q|9(X zfA`jW%UR%HSd>&`2<;=Rg1@AoyQG!pe!E-z>m<<g9zK)DV9rO(-XZ2-&`Qk_X;u~K z@p+k?g1Roq3^Hz(+sN(~f}fu5+F)E;uhq0sm%EuwYE$E<X2?XBCIIwcwQu*`yu$cU z6CXH!znWTwi@$a`@?nei<(0En1UXIVo^wq!YucG?U_xl;L+|arF<xB1+kW|1+w5Ik z4a&32faLhQU3>$w#mZ)4!4vVW*~TT3y2Wd3ao>Z%9L};I!tw9BuFYQ}pwAg}o~)B0 zt0lC@gxLLD9Hh&LK*v6#0YY%rpEW>7x{jEA$t8~!^k8-fyJ{v@ny?rG1Mv(8IsZC5 z{Tvb3*h3o!pAz-b*&VOAJ16@J`Aw`#laBC++m_%j>|jG8(IN2&XN#beVAGQ#voox& zVGd?7KG%r*C=H!vc>&n;V#j|^B!OkiGBvyVLE_W(5S_{O7rtRmp$2+Iy+pe(!}rWz zkc^};mMbcT*k=5R{uMjZ(^D&L7M_g1%=P>l`2{z0k1To|h>wfPma>bDkUBQyuhn<b zVJ!H!Zl5Mk=FwT(D(U-hAs~$&a<(0jUkG^W(e0y892Vo*(bd9vueLve+}Cdr!b&{T zZ~jyH2;&^uSUZ5T4jWe;4(bZUGW2(D5XaS9_5o+`yv7+^(kui$aL*o?l9QrgV^Qv( z{1P@3qcg9|`cYsOXQj0sCj2Peg_+v>*Vq2O57y(w-vuFuL3S<=j`smgN|Vha9)ut9 zyYPH0BN)X11MBp<5<34qb`Q}999kJDu<n=f)e$S-eh-7SW$K4gq3PBku$JxmemKNY z-)q)NQYqf#eAFTFP@|La9S(Ej2F7OLneq1(x+tM(<*aKpL)nH*5e)C65hL&iY1$m> zPU2HFL6NLtUpe_jjw^u=&iSY@u?11xmS<(^_Zk4pT66D;SQALV<}Pl%uDp3=BBh8< z0Gv#tG8Byq2X({1-@j{~ZZ9>+F<Uf?p*6J|06?ds!0sojc<dO)ZNnUU4>spBJ#<=E zOab|^BnP%(02+iclyMXe^fqRS;h3#HFtNRq{{W1iH!Q=FSrs+HVKdLg4qsef<O&Ql z&@}hbCKOgfXg_|~Cn4Kuoo=P|>@k&KXA%AHN*6xPMxshjN+;osnES#C)4A;l-0pt$ zW#l9B(=T^jDh=mC=9d(#qT-ZyoU0wrP(8eaH5OulYoa+0+(qg4{M7l>QYeV1;f*gS z62VP+X_$RJvzpx_-d`tE9LD?>TT$g##LxG69%7f6byXv?2_CeIu|Ntp{28&~zBxo% zokcI3?e@HS+RYF{jW`FrBI{`7BPt)a9@CR8jRcOx6$jR-Jr5N&F1LBJ^MF3-ph}9X z{t2qi=2qB+u<Qx&e|0YOY;ZuTzQtT(2?q(Wdl7gh^T4rM3%Y6c&ST=#atZv$@u`y? z6#C?&6kblyX@a5AHfV|@CzWuZjt7gTqw>o)sfRxLPuC3J;>YZDPk7p?I(#4jJon;c zd2FXLl=3d?jqPfLRkeWk0<PUZ&Gy`O@FfH%KK2#;bCKvA4>Q;PKc1d5eulzm5oQe} z3B&_eB0Z{CeXx~}$10}UN_$nhTx!fp|K7cR)d}mA`R9@4JKuz#6vr5_X`@OgSox1j z2-ygetRf*A>H^_Bs*ZO2E#-PEByey7*}Aeu7hT8cBhUqIR6Iz#cb0il{bZgdYS}%L z#f{H(MuXajce9K-o+T@D60XCO;=1G3AyEIB3B_e%J4;r==1G0+<&E=L?e|g1l*x!N z@Qw_w-ydplsT6!X+<W@i{$rQ<{@^IYUUy_~<_5vx{cRrf)yAy~Hvjb*HUjU;?HlMQ zQb5nDhlOa2z?*xK8?hMm4c|NcJNa{eM(G!>XLjfPolEx@$79l@T8#6{?qKVVUiLqk z9`S7!Z{!|FljAVP8>rJw)9iH`TvRIsyiKE?O)d`HC6dz*C{o<nw3Sk4)M6U~&?^MR zCRVPCOeOA{CkH>{JU13+y+XdR)dqdZTeq}4l7C%^_rg^tiwL;44&Q0Ll<^10CoC9+ zJY@HK>Tg8Mk=ZcAcR&w2HK2qHcWOpxJ;TFVM9ZH8^Bx}!Qady6{Sw9r89!9BKa|)U z)f=Mf<|Q{{0?EwtD6$&m^|6{JZIJUsCY@rY5wx5>vgDlHBN$Z|*3t)w2(fD*NRZfS z<e3*)v5}sc79R(o;%+I5y&r#<jTkUFY1eDR(k4<4DMCs&VknzFwN&XUv@U0M;5KtS zkFxWT&xjIfJ4#GvSzaLc7k3UvYl=&&)lyX8_8WG8!jb67puxtlA`JRnYIGV~7_OOB zNnso_VOTlNCDd))8*WN(qBr}>lxwjKYB4ed#d^C`bd|$BgRd}(FP;_@JT^<xFf@K{ zo3v`fpR$Ru<tZ<$QbgibE8=0@CJKc_b)S|*S6IC%PTp?E8qKGcXU0>~^5jNA&$t?- zNm}q#qRc);i%Svoo@=ThlEDvji>rnTCZ(u2FvPiFlXH~LkYU9~d{Qix3wFW&PWkM? z%A3t#<AVwygJ~F8gMq+wj`v_sM{KD)lC(bzZ(Z&tSIE7U>uBn-A3qkgq0s|#x|U37 z-J&v7(i*AdKdqibKE6)sU2z(C@Io0KTOH8h3L4U$v66oJUhZ#D(27o2A|gvsZ6n*p zyJt0qo~u0<T2mIkuq7o>r8N~E=swC<aj}z^qiP_?F1jbHy|>tIXc3lrK4qgTbR53* zyH;0R+m|(@;{$IY`@b^Q{2y2nN&fB_F_})r@jOXaMnx#yF@NFGx)pNCi_VyUT=QM# zWUnFfyN}~_bqQX+x&IxUb=ad#8~_H~q&0g@ug?(s%7LWR*5gdzrnbJvtt~)+&_vPp zrG6dp+pDiGBs&)<rc<I%RpSnp_S8anE9NH~)P&`YzU^-fKPn+5k1xFTbemWhr+4kT zhaLbNzw!dnlvW(e`2Q0P;SQvG>Ag&9M1K?`vpKW_%sL$XIlHxOb7)FsAS7%2TCflN z&QA|&Sqg67tj;eh!7dtfRv5DQZExF@joJIh$*)EZkkA=dI1sy+W+4tl#;G{4ACZJv zfD%4VHR_6mEIAe)Zcm6%#<bz%_8s?Fhw;jpdbjfnbbt#`an-wOelj>*?QBZKGx=@k z#?8o%LTzBr;yAje<=@Wo^xSop9Pwyh6E2;f_xa2RIm%GRqH2i&LzaziNa^p%TXzq! zltHiK{L3PhS&ED)$!CT9Lmv7fxuDQ@w1>6wHp*(}RBQoxrGHBE*Rw+!P$@B8t8z7t z+4#PvbdwEQhB3cXVi1jo9J2Uu{C%^*5ZbWB3JmqAeJP!3#Eqzgbwf7)nRm<bIz?Do z;3%uP;GAkE_7b3hPL=9VnYGBy=qkoXcch0lDbGm-W0h)R8&dbkA8gQk8y;M9GA1A% ztKl1H!bpksu(o`#Zc=n;&(A$SB+DySZbdO{=mH0_L*VSJ>xQdL(k~ruyd|di?L&j^ zp-j|N4$)~c62V)7t1#!-LKNG#s&E{O>zd0ugBsZm7to;yy##n+o}E}GHBWyON;}Iq zg9q0PuRaeP3n=Aym||d^*(1_0ga($f$eV9l^rgSRmsc4Sb$Z37xil&^H*_|_>ZH(& zS?%p-ZC*4op%+!#%$8zrZ0N4361O}Zfb$s3ZKvMivdE;lDPFuRd1Krwbu={cfeDt) z7bYny$TUbEDs(p+s#*xeg&O>%ZCdViUcbas1iJg<AOyat#>m!i?I?d`WN|uOIFhs- zu*h}r{|lbNn<zwx_1P3@dMuU~&Q9b8Wm~#8Z7daf30qRXXF7OfgIc1}Pt<rkc?ixj zm3KTUr4EVDq<;FIq&YHbB`>Pw^={Dd>Iot?oo?PKOL9^E{$}lAw^#i(w|M{qHaJJe zs2IX+5dI*^lh%_6BYz|oIGM@*c}s8WI6N$AD&&|_Op=gp_=o3}>i1~NY;Sze9zJ}7 z|H73|{bCE5&^Rbvyb4(Z5uM=zm$ddlSe6^0yoeDt1_OJ7);IYS!lZjUA-Q-8R6Bse zrPU=%R*=o(=fODBxqocQ$gP{o=!b6a^x;XIMR`>()A8$KxNdAU+akLUr)lDQaj~x7 zS*&)bfLKsXoerV@fT%^3rBqqp$ve0et^}uLo#V{kzOj7Zn3kZ_V+k?Ep0v}WgD3qf zuzA)(RQm^_OU|F4^U0Q(3Eo+QC~~kjVd+VNvDY1U4Fl(D)6mzAclJ?*<AvMS)_8Dw z^l<s`FW+xF;9eX&6?%ZQ=Q5EJXh;m}iivlu0E?GMaB^c?TaIY;kvVPl-NgRYs%43c zXykkQ)^UCs2ck;W77Jw=ak52>masON#b=o$>^0rb1axPy&VFVClCm58N}}R;8;6Q< zkyRFL=R0ofDJ7d)Y%rs9mE7g29GVrr$nvk<3+yLxVXxp3KXyOCMd;ue`iNdNU+e0s zq*knERVhlIs94;3+4Yi1M;C@ejD`#wnbjaBGpkzi0891WG0eDvK58fdsw$&}mfCrp z(w6Q^JLehtN<J_8TF<76>8$i|mBH3u32`k)$RwwAugG*~YyqgY<ZGYKvqw_pUdU4T z4EZ($IImZN2?f9BMGHz>aj{3E2DA;hIw~~VZY~t9OZ^%5HnEe~qvOPn$V8z%kit~w zpyXCQ>btcUb$`liEb*K_LckXdo&PdRt5hsE3h<Z(>!M4GB&2O>Y*1IWw-P8+En9tj z$^PSt%U@m59`M9dNX2YF3-3!(8n<aMMMoHk*^-hcByO7NEsW5uyq!=qKUCGvPvT+n zk;_eNeYU<%&uE(Je%Nv&7Wm@vY1Lz$N{mxl1meIIZ2pZ}qisR!ykgh%e6W&B(UIZO zap=s04;MIbDwxnQ;X|>Rd|$s-@mSszfJZ5W8gFIC(6OC80a8$59piskD%@t>SgND4 zBrd#dOW`~*Ca5Ls!(d6SH_(jn(!Hj9-g^n3m$th+xpgn$N05OdV2|KgWpsQ*?I?g_ zqdt-Zc2xBwBiOV$nb-`cc}hY{9n`B?gpp~#ukXpNN}627{%ds1qz6fH#2$ECD>A7y zMXi(*@D5MRL*)=IY!j~JBGG<M*`@iNu#8?TCgcn@pjWz;*SW2S@W3av*<ATLl=9aB zqVg97lOlxlHPQ<{!KV4L*<reyU#oC&N;J9L{4DuY>Qe>1HIO1AqvO4P%(PkSnK$7g ziJ{q0S<jJNdEPF5KZ1O?pq1?yUxOj@EEbc3jKOI0G&lS_F@%d&mQHFcYz)dzSAp0A zTLgL5@Xmczi`=5&x*<~|Vfq@plWNQ(vX&C5x#SwuM1v9!^e*I4U-u5q+yuAK7UqST z#=hE<w(DK`$Koo1h}r_$zzbH<UI2q<Ky+U$p{sF}Lvof@x3`$d+R2=#aT4&{cLv1@ zfvs1O?&`siVQCl3^>^M~8{PQEFcekK;e{P9`P@Y7u^@i?c=jHe^1Gb>&#9V6?Kv)D z27iwh)6^^&<>$UBH`A<6MPfpO@d?(`)dIGsq-tGcLkwJ%=~b!aQ=!=FxOY7YC0wd) zq1&HtzT-eL$Iimykpe7!N3q$<jW_=wHNljI*WdTvD)lC+YAnua@a1Fc`L?|XiOCM` z9Y1;&1n5<i_mDe)(~x*KE{G^8Bp#{-?>E|fZsno=&gPM!rS@I>Z=a>5V2#r$?$JN_ z2Ztdh7v3+MP>#t3l_#W|?8dm`?(L9ZF~fS2uLAH<o!RUibBiY#pPGSRo_t;|FO}ky z)rp}6vAijzTQf|juC!f`4Lxh-Cp>fWqR6rwW6cJY4bODqBTegxc}<wS8P2!C*{OW0 zF-+z>$-PBR9Vg-M#E8^5OKO}C1tUF4;nGhA2T}rRl-q@IMSQ~$VMs0+;73Bujh{EE zCDGQ&waC1vZeiGFXmgm8Yv_u3@@p5N?eo%A_31q}RFh|JC?Gxzh_&Fgvr7U5gc%&n zC&`GM(&m+m>)v3?Tku(ez=O!Cz#b&TzG6?QY0cM`2&HB#%?;nbSiih{eM23PSm<qB zJjp_HHr7_8j{Y%sVy-X$BS6x2^wyOx{ZGTjM-eac;d-bTh`9Bdv=jGKM3uWg|8XSK zWyqjpNyt6aAmC^^#N$dA7UuvjsvZ}M)X}-Pcsi9LU6liLxvy9Osozy^SNaNSWjtXx zq7y{o4gOw=RdS0R3X^Ev=t>~MNxC6<Y{IY^cFn9ecRNPxGRA4u#JioPc{d%&<i?w~ zDNSyuHrAH-p9LXm1$Dkb{fcw9_T!adV?3+YJN@=}6C_heB5oh);54UyMac$wLojD0 z|546fRsF8c&#)a|4w><9d<lw`iQ|yJMpSwThAv<URGlYaEcUSwQu<W8u93xo!}oV9 z<ngFh^x~5!9ng#3|1!Mfm}bWWh&YT^tX_JtX0{9=-ej5MxY-8}XCZi){SEbz=_*PH z4CJWJ$rR3ZtisZ6FFDOEbD5E5>n>SfP(N+k#*}hZ5~~O%ip(GiP7J$c#t$~2R$8UK zYpQ)oiTQg`&pT=5g|lN+UI#Om5}(|L`I2gif+qH+6M><N0b+=xu!1+`pFOp6h(n7X zBtM67W6=G)dW7VS0PDyI@=bm8P`}p9Vlv_=E`5+h$p=#NrL4tAn(`eT>b=Uv%bh?? z6LPK;oBv>Jwi6(M>tTibd`p|F@`!xKwo~2z<*2ROzGyIalrKi4rof@5{_%G4D(4n( zU-m7s(z5OrV!+W63d`Z8llZ4Q_$9hAS8x4vseX_tVFP=A#L^^Q(cvaWm-sWtu8+^> z2KKB+AflsY3Y>cK$P=#igHaRz#6e?r)GW~{a+k!DI!qvjp*2DrP~OL^b5I1Y6!SiY zZvS<0FP;*t6$b`NQrn5eR#m}hd`%RRq$4s!U_drrMFGw;+;KWAhk&IO7?rm;DPvaj zyDpk)R1R7ib;GTtII|vw18WS>f1F4sy?c=x;^qf@glTqSIE}up<sz{JdEGBitZ6(} znIjqhgYkA1o4C0|!0Bf^KdN9vqI+Uap5#VHuRXD*5Sf=8aF}%2v(5Ks_;@1i!HRBJ zH$~C}`hhk!g?wHL-^oxBH7~jePgg$Er|M&H()gaKTGm`Q3;ky*$lT7?_AWnKSw@Tj zamwlNmeK`4f&Tz=GnU9~JPH~jEImm1kk_=Pl}jX`X-xI@d*!&#%*Hlu!hdKHjH@h8 zt3w_*>~_u2&C|3c@J&{?Q-4prm&q0x4Zb?Nf;$G_A#wSVfPV0%8yfaG$`BiM5@V}H zvy~Bbi_!br;1H0yi8%rl-Xu~hN2R@p+cR#8cOxz(J@X<kk(BTIUzv~PzcL@=|6)EC zuK&h->|Fo<b?g6u`P`wDl`a?9K^KZhB{_(?DTun=;&+5BB|*W31Ie7@b&EO9p{1cf z&UMN`|1;^(i>P!w6@+@u?zX&UzkZr~>`bbSds$|ux@LK1ue#MZ*WsfflJlsb(zszG zP{3h8ia}^PMpB4~0MKaYprB%soLsVdSm0N7JTRr$Q(y=Z#Kk{g`3E3iMs@5ejF50k zV#FXXyeNQpDgYTh!oPS(P!JNqyro^iq%c-N^ec!kQ0EZ9i@YROMz9jZG4K+^&2dEk z^3w-qFW?qbP*D*Tw096h+LjTC6FeIHERbo2k;7UH8ViI`TxgFm`bI$Uc8uGI5x6ig zu(Puxtk2PeJTWMhqXyVR807?u);CWJ!-R)@6~oShat->*rw|>0VRQ&B{Bgu8#ADjg zN5TSF3HA{)lHuSUL<A4;0@f}7Ms)c8Jv{JlnChnt{(!yNeSn~Fo?r3DuP<5@yf+>! z_<+2vt$s;8&IOn~Xo)_+`vtc!7GX315FPvt8i-<!#!her5lY&JsNQ!|9RzYA9SUGf z*(dZh4~N>q55f>0MCs*({gDphGi4)FhB!Wf6fvA5>wPYTeeoBnI|b5ymbTYOCUGqM z+$59Y!MJ>ifnA)_TSo>9+y+~efA{OllKr%B^)mvP@{-!xu%H260RK0^tPnqR#ygj= zFV}B&BQEgw&cZE_SaqB_!8TI(50Qg7NUweX7LuHL-j5&mcRLA406?A-9L(OIt3QG4 zXC{_y5bsCR=;H?D1w<XB{vHg(znA}~qoJP$K2n&(`v>7?+t5IXt@<P7<kOGpXR^F1 z`X1yJE>aQ%ym%-8fDBEB7$1)e2L8=5+xvIV?zy)bQvWq~`%6Ncu80(t=m`_%>ikP~ z=rWGk{W}_gVJ{c`QC^*I5WxGB(#s|f58dw@@I5PX%X9Qo`lYAwt@ifw61&8Q629x3 z(+l{CBfNr?c>NaAf4Yk3p9!Uh<slyX3C$S%#xd8yLIa*Z@9NUQWATtmOHx+NKnS^o z_`Cfy49;KJ6Jjj^VgopTii>+Q1F8f3Nev*WSU*>Npl~6;zf+NTJdxF|x*=k0*6lFi zc{F~iDno<w@_NPPMgQOdo^Jsk|Mb!Qbs|7Mh1N7e2E2V`@Q8i~iyG7s1AdPR`jbus z9jO_Kfeh%grm)~$M_va#Fi?&QzzXv6@z$}tYQd~s_|^I$@xq^g1;tOz77#J-(=!b4 z%vdF-bwLQkq5h_G8z$3umWVQF+u^%&TOpoWN%PFJMyf6$^sr`BBjDn~?HhV|@}3%f zSFs&43^fITl&JPo@zATYKiizArNp8|8$M&DzvDDbwq#h34;k2j-Hqf~_I@T2E|75k zdP_A+)j50mP}~G?2#!;eYeD{^(53FR!hJ~~#~o!hU0cXt4%ir^SzHvIbpAwrLE+v1 z(@q+@pLtWEBD``t8dvKC^-dT?fMM~n60Rn(z_|6;IhrEyk9kZmGs~+MJ7%!>w`+xB zPR`Jb{1wJ{bGR8p{i{)jc^;pK{8Hn*lpOg{==UIpY|ax^y+-?I&ajASXER=+-GK2U z9W~PoXmcD_5|>pTXX#+N7h6GipsqK!DnQ6*^@DcXLfK+Hy%-TFtc15e$f&T%@aysP z`EGrj2qn{*EBI)yv~=PC5?b{IMdBd@ZrvGxKuQ@CfRRIxIoWVJh7XdTSo(D<9kp3L zb{Lbgia*Gw@Ie(@`@2brSPCP1ebYy4d|K16)UJH$b!mvnW#dME+qEm=En-nf9OCU2 z@>&On`31fBgktU2v?w*KY}rowS=FKO1&Wrm1Qmpw(!a$vUph079(nTblL&3|DD4ho z#@qdmh%c*(P@ae+mr4$JuO6LNS;yNoObp_NW%{#@8*9CaQ6D5H4w#*$Z0GuXYcBK# z2BuE+yw63}vDlKUe3t;D&$!^kr^AtMP`Kjvvybq!CSZA<N@uB^I`<6{8KYTG*4p{? z(O<ondFxN#$X>Za#wudIF#_G_GHYoxE2TG1L0ltCHo(d`r!DdQnaAOp^Jfg2u?vNh z8{N>hYoUVO?3ctan28F24dO*RIO)u?*_JUiNr2y?Nh6+SJ%Wr4+r5BE*%*U5`0#2? zv>{Y}PB)KsqvgPT2~|erM`zIIrz!P~R8|YW@wQt?U<_N=p{(Nwi2-aLDL0tzaaiwz zCcopdhkr}AmC3KK2&ZCG8rjCft^ARyA*5oA+2KSsAtYd<XQp_pB3tq@=3>P$$+SZN z<}76vZE!lD4hTe)3-xzJTYo!ubL!swExvAP5k}srQ5~_^HY(7zpvr>Mx?Fo!735rI zACo0CtFiomk0@O+3ieirY)o^??*H%Lg^yQse@Zu&rHs*c)Ztxw`+9rxDZmUG!W4Sf zko9BLa+9dAf`J{~Ho+>%Zohbc1N~h@3C3EJ<3RUM?`!>EKSR-{MMM@G`o!h06C$TM zrG(SJ5TQ4+)YFd$i<Ir(AeEGqp#l2yvlk}NU5_=SQiPv06a!{TX=t)e#SJ+Z=;@v< z5RJnTxyCd$gB*iX@=tNQUd_ihMO2SVrQ0b|lhuj1Z$u2p{B@d|>n78>Z`IU%A1g)k zKo<tm<i~cyPi+wuGgQcX3o)L6Poa(k?a04smL2X;5<?yTR@wvTY{h(1UcA|5VU(>T z7iW{994T;49!MkDT&avl-Pe``D|hDgysEs>rm=+HU6vY33hmY0M=w<l+EffK<G5BZ z@c(`Z4`2VDt{YRfTo(fa27Ad#>_B;t&qBl7v)1usrd-hAt=iH4F70@j4wZ3F=<Otb z*#QJ2YA@$Ws(6>Al9+ZfWDpqLx9cv{)1mgAS*fF<uT;$9?g*+vB&B^b4@(gU;nfJe zUwK6)>?&mxl8(y$l)-4xsGK5=Hdu*$YiQ6;oRexb2JGq~PMsEt;kB#8dSj|tUPI=} z38*y%)Jd1D5Mz@Q*oQHBx0m4iIIODZ0at*t(!&}`g3{|y!F>{7NgIX3T6)?JyQX&u zGRS;=jhgzTYg`{YyzH$^HZhh+%|4^^Q|K>mXLF&_s0lf3E77*cut<L7SxpUwlbO?| z_w5W=e_Vq*wVzyk3w+b*ix$(m<tZFUzXldDMma-8rLGudv^8Qcd=fD4eNx706kJpd zx80$<hK@A2VqzHk%k<^*{2q_`;tl(qA%93utU2GBCmo^Pr|`KReVYy57o+_k(sezk zW^!04-?fHMeE9*TPumSUEFE*rvnr-=Rz^Vv+k5xcnTH4=*dU5q+ageZh)LKM(-nE& zqy;uAM{AP$%pYXCmH#pIVa)2MPS1Tszp9`vYE*{3YK+pRAH08H<8Fgl={i*@))e(9 z!#KxeQ1<|tqbo#iR6)w=;XCuTV9tFC?K3OlxDb7DXkf3h@<Hn2hIg!SU9bxe?nsBl zA#w5aGPH_oxp(goT`0=7(>JL?9o3$Efu^X|HY7fDfuvJQNPE1J(9sz;rjeN+_EAeV zWCbVR5Jq|li0wzOlZS8aV`B=3oEIm&wkp=Kv8H#M?AJ)660&by>6F1p_iwx1Ve0QC zFL5oHm`B>A`SpuFzuYVs%GBkci`Yrqj1Tx{@M|+U=|-_q5%>!IX}qf%^M*_JVH)A1 z&Ul=bS?rp;+bj7gJM;0>bL-DFe|l2w$IVmC3{1CFjbjs0!z-N~+7B^yVt;Xn*GE9x z!->fD?ojtm>c6(fv~YLLal}y&u{rc#vOf|03>KL|RQXs~#>5A=GMwBgIzzSW!l>mo z%-I;7klfO<8muQgK++&&>U!#}uCon+Ny)g5^`K%LZL$W!CfkyCN6Q={sn;HBSg~bt zsYfnTRSHW6Tk<fc?>=fhQq^rHf8_TAXLTIh$QFb#<p&mJcQbV{+eh~(Kl6JmcI>1} zUwqvKt)eg3RsuQ$(RNb;EIWa+_0caey{&lE2=o#vC}OL<x~6GX3Ys!jKFbk8&dV_t zx)_@KX~C~~qs~$4B=Cl>I5~a##}VYQ<T{)?HE;@#Ri_z5x-bO|qMTlzqBpu!Q1K=} zGf5GX+H}ya%na_48*?4UJb}DUbpp@h1FL`dgbSPIC+x4scg%x93mkuG2I0pg#=V>v zHXCZC-gNAKtWm2Qu*kN;Jl0aSa<M(S(S`?FKh$Y#`;5HBFBOO<ibtH)K9WX8i|b^= z)&2D!vvxt0c|H#Oo78Bb@+%t6+zI7akE+H6kt4W)oL5IF*>zXiB>pf!|KQp2Ls&B5 zga3pqkT+BupI3z3_;s^PdCci^NQv^<$uKkg#4FNrFueze`k^X+BQXXvzcXjMkY}#f z+uWQxH|p}DCmc%&<yAIkXXm!7GV6?09{qi?e|K3K<;2mD34M!|j&M4SPyCGfQS|KC zc^W!xe?m0E_L5rq1yeN`9DIhR&7?;hRVT`OQa*p$1*Ml3^#|6?LHch#(RCon>cj*` zJw0I%O;mVVykM^uI?k*{ik(2X#osN+)J$Ak$M+Dq#a*v?ZnL}S`Z5W$!eh9rOHZ0$ z0UyeeU7DvEmK4Ti9!onBrLAqNr8k<%zZV!R-Os#_rTIpZFh?<F%1Z9BiU!_ne|Rt! zD0MFHgYefEybGhaf5)~J-ZgbAQfu#_VPgAY_-(lAqcPnK1u8}=*;TXes)mQSA_2V` zDQtV+J|ygt)G^#667=Lo?UrWKoQo8mOv$@fv9(BgTf5!bEGl6cI-6+LQ^hAwe9TeK z4S3qx&2gUih@dDB5&Joq8gFezr54w!p&*F^%rKQe9Mv4w*Iv>In7#l(x`7DJElWbw zR>FH5r^@`O7`~Kl#rgr70cwsQ^vNWK$}}SRs9cmRMbuu{Y%y`CY1Bc%>><mOX=$OF z68>V?ScO~1E$Z6DuBLWa<t(Hk9PL84zt%RYGC%fLy%fqIhc`NsqvL5izvzm~iRKs3 zMK-2wO;j5X!|*;7EyZk{rRW{W;;hjC$+#ZhJF8Y#R70Y(k;}c@vTm!p(@HZN>XYjV zG?hiVK<`^aZ@=J!=Y`4P@y?jw`YMIle-u4|Ik=n)z2r6AsA+6K24n%<>$aKCp+k*w zmHSaO-RE3M9-K?xp<Qku;yu^mUK@=*EW-{CChTu({LVXy>h`OZusiyv`6^aP8y#22 zGCZFrT8S2|RojOcXH{qv=vuE|kHc6}Eq7EivjP*(q(M#2G|v|f7VUg9Kd;I=f!EDi z+*kVQ4)8(}w!XvsCM5;!4mp%>D^Dwb?p-u?AGG=8nC)@)RUI_UdgaIa2<XLY^V=A3 zi0=a%hE=2{DI#A|fLvnoi4OCrw3E>u#-v8(ydXlV2k>gxxi+Aa`php7q9|d8A>V<O z9#n#^7F9p%hmG_rQX|`%7nRj-u-~lE9xnEY*83uQwypS0)+y(v;YmE1I+(WQ2BQPx zIBpTTvEqX}_fLO39Jjt3=2Pj}5thbC72w{yLVRH#DmwceJx@_qx$)zTf8Tv0*>b7h zk2TK9+}rS8;NZB>J)rYRR1f7GdIP`-hs|rA<H;*LYnyU5dEqFojin2=L;3I2Wb*Op zfj&q0%(Hb_V&p?YRxMq?sqk^WC#Pe3m*cwjP92e`UL*%=>Q7yf^_oDtoP2jq$43#? zo5%VOn_z?KMCCyS4W?JbNt31lpu{RpTn=Mq5&xNDZqiWe2UnqJ@<Pm336r;syUI~X z_TKC<B`MEhwjA<-YnvrRsyoZy)w=ADNB_(?;C+Bt-8kD3v3QCF#mtj@nq<EAP)q=a zpYhgRTeB&Lk4N#@)(hgSWeneGpdZ996Kbt6Vyha)c)0GPMbE3Y8trjCw!=GfIU9>v zSeEv^qS|RZyVs;co>92=%;;R<-D4VSA#^d~t|ayX^l0oOEtV-3&MfbafQ+f`XpPL_ zH)fi-(#iDIFy1X5Y)c^y9eTK>axCi3LShtij6d%+kT2_zkuKtyJPf{UH`M*J+MS#0 z%3@tEEWFjbPLa5FXBRCAtSe!Od|0;!mKE6iN*eFKE5a6woCtMpYz+6#bN_?^&2ek_ zIL7>j7}C^qbj{z-9J1dd&f7t}I-k{z$^1-4lT0xG1d4;Gk0<&{gNHFQnOw4takisM zcNd)0FQNX46j>7xc%v~A5b69Dvj~(_>ezovG?9_TfReX7l<qvq^NVs@%S)&}Hf9HF z2aNwhd}?UL&Zu|@GmVA?h6VQ|#%bB%{C2FEYz}*dN2HQK$(qT<ur!~==3Et6vZ}M} zU&U$Jj6_r=-r&f8(8_Wo)1^$wo{@~|gl;$W!~9TI1)JVE1h#2^j~Nh}i~bQrk#0ja z*1`DGTtInnp$^V3?6H%GJPlW{Wy$%dxpTpfxZrCC%&p|<rmDE5XX?>@nLEjB;tHCQ zrK#PNLP<(rrBgMo38UTpOB_qxoF|3GtiJM3fl8mn0|NoMV?MfMv!92pS;LDUg@nTb z<>O(*BvO5Fa!o%@Unjb&R$G>A*D^c^R(DlItKsh-fy93jI>dpU=Uu&IUk7IyPj~Cu z{m6}fp@FXI`9d_Q;E*B#UKi#2l!e#MZu{oUIVvUViK#w~x+fn{hmX+&wKEA{QNNPI zo?y3M1~x*Jmez-5Lo5UCFTvYJKM9)<N(TeruLc*B6CF2+q0Xj<w;2hS_%e^((5>yd z7>1q%U?KP?kVdTIz#|l{G1IG~lU5(p6wo=;RC>Gg6T+)G#KKGka_I<fb$)oaQl-rm zkxNNj^Y{0g45jBJsGmbgnJygg)C6q|jog0E4?f1>pj$cpdy8uwgSCQo?&fE>Yug$~ z3azFG8ABY2iihgtVmD&{3T?BSIwyTR{fAw+Jr;71L!o^03s=KsJ7Y}re7s}pP53d9 z$GN)}Oj(vi;#-m8mVMYaxY<^oz&J(16EQ`-)E)<=UD`?DlD^WlNeRu@<7cEX=iUVt zXShu}v4XV^p5rws+ewh8Z%3ZzR%!lnSwwDmY-<VYzK^tKZ<1e%I)8F~;n@XBoWTUz zFJ6<Q7xX+{U5XV`_+qVKS<n~s-1$#caSwg<T#!_z3<)FqGGP#Wd}nxBn+CdH#ZqcK zk^|chP*YoZCxXXNVG#fMfK~=ZhaSQvuFB#(%FXkJ+(lkK_2ta%s31w<zDUC@4GW2x zf@urmTwasfmo1{hr<)D5;J0~Jkzen$L6(+Pjy>97OaR!#=d&A3)3CfaL#RYbTLO3r zcBz1!SK*dLEJx#7!_qtaJ=qev{NteyJtUeUZP@Y^S8bMJveCoA$onZm4+Y*N)g}(b zMQUlJ@8yY753wfUNrd(2p}Fn?4$*E0P2D1;|5uZrj3ZCt;qgBo^SnH?>U?{>JF{(1 zb^D%yt;+uV>hg^dtEwcP87p`8dUC{%?V;4nYprBgEs}=B(?V>p&(|a#tdpEb&C0v2 z4)aj25P``j^jwDv3ab!$+kXbqIHz6E10-fu*jgd@s+3+xF4IdEVF89}MxQmBxnfhr zNBAtDlbIk%zfOH*M+?%*N+v2>gi|BO{_Oys7eX0E^%6~`U?Ib*%u8Jiv*GN2{Vun- z^f;9_M6GF(5m36ZheWX~Q9p!Mev5{{E3}&9?;Or}Yq;1@uC!8cT9t6ima%Kv!OYEz z>vQ;}p5@Gr!P+aAEg8$<8kf`A{%oyYV|^Xex^vp)$ygxF9eSv(XFaY@x7E37OCpYd zHCfV4g~P%$VEf^5pSc*6tJuda(F{U>?dIB^I~W`9Cd^fXbGD70oNyh#tZw*a2etXU zG$>jOq)z{)lQGdeXjNuzVo<pa?zVc^vPD((#bWoJyxY2kx-5#EahO+dgv*vI;kYZU zK}~^vN*T_&)HX(1A6#8hJeD8@%P_vWqkfm__O;L1)h%PH-w2sPUAqbyus2#~Bgka# z7-CRC4gMGb8g+S_7V+hWjyvbP_*~oeFa|V~s`9$*>G>5CTCjwb-MtOb0e#wNZ103a z8nje0RdVC^Rg#Pl;}Q#6V~ip+RwUz=Rp$n;Ipg13WmUCc$rWm84*Jo*@M_C(PAC$r zbc@J*cLg$=e)|%F%=mSk+n=(YW~jvG-ndV|L-E5aKkc}PUokC7T8!qD3JA{&NC7)) z+r3|WA2U8*jxt>Ih8e!ps!Jw!BYb~~=PIdLpzmhaQlC^@<EbR-9Nx%UuJzP@$9Z<9 z{w0H^8}i#dZ*MV)S!9X)2;pNni{5;=v<J{-etOLl_JzJ`b>qv~nB|ntKg<}zymMSq zwya#t`eNp@(p*~P-FkG_%R2LH)a9P7X{}q3coZKlyf*L&gnj8ikc=AqEXkEL(<@E7 zjc8tPKdF&wF#!ooYC4LhBf%s27;94HL>F05x(AuC4jUPKvVIeHcHs^H#e+_x9vEoX z&c$%}q?niWsSQs*eIA<67CyqZqD46_HD%<O1*&;OaeMT6cWT+h<uThHb3y-MVSPb& zW7$(-2B{G^!p@t2Xk2dpjz-YyRp%>I+9W|!4@r;sqcDEHBRqe*g9hIYh0Xf$_{TGH z-dWeULChB#?F;Ba!z0$3@3EQ4_%)e0e$?sx?klhnOhhL^AKxS`QxjE;<m7b78o{IG zxQV)Ck@Bd4P<mSX(h8n56hEjbb5Vaj&<=}fXV{oBZrx{|56Rc_gh^rZ<S$iTR5?!p z!S!o}dPMFD*H#9wLQ`rb$4i6Qok#fO&FEvrI|Et~<-x__bv5D1-X$sSgOp~G!gBq_ zaXO7I|0<upH*q>8tNq4VOPhS(<aw=AelZi5(6htO1+O>w&NI~UaUfFyvHO?A{MORv z!PnH6l8>XLXU6_#({y5h2y{NnPZ;S#QN}0Djhl`}?QUI#*Fd3dbQo0b$<gg`6A*JK z<t)F=9X~+nB(}VrVqR_(p?uXe@md}0(1k6Mc0RICwFlw$8#%_2f1$#q+$Y(G?jrnn z@yfJCCuTy(vYci32njrbC4)_;HnJzU?Dvm)fjL!e6SXf`!BdLY>7weVvDf13<xJEJ zo8ev*X-fg<u*i?2QC^=kR`t7asDeq8V<CtiZtM}a-84R8TL>5w@A?vhux285vX7VA zn9G8d+1?OW$}~l3M?GrCE$a^Sk5I@U5F(-Hei@~712=JcX=^KFeJlz31gu85BG||{ zQ28(iF~MA0l@HtRIQ8r?IFxmQT_Cz|nH!y_8Nq-nxmm|lo~DNTSqO{%L()hwhAn~5 z89opSmEl}1v*EDc1iA2znDgp%!;NTEhueTuwGMLrRs-`3N%btD^1pH(+kfLc7A~&; z;XF1jHn#uHd5r&e&U1!PPO{ph-=>Or%<~Usgr}p%Um&96ga?CX0vnv$mXwl|iYS8p zx3EA?O)Tl=1_%3D2>iPC^E<6_naOD0@yO-Lz3i#IG%;IVIZSRARu@i2wnt+KkJG~= zs?9h14ZC-Wd31P+Nn~iY8kUcj=a(L_hL9(Ti3Ljk-3xk@AkPSEqXa0NbHIV-6r5fL z0ic5Wiw+4D9DIHPKzzT${GdqU4*(E#xKprs{ZR5EefjjFSNG7Aa%58@7$LR~FSP!@ z1|R@@-c;{<Zrp+^D3QTJefIv4SSD~TqHe+d_yA96X!ywcPc@joQd(#eQh3nLZf>Vw zJRP^h@$3uQNB|&X5}hFC1*lkuP&J?z0LI!MJ0~#q8ombd-oltF;K~=wHh~`<3_1r1 zg#`}lCS=w&P@N|U=-?8RQ^C(W1`qjxQT_RK3%Fgi1`zSj`AvK!e^nyGfAe6&2N2<9 z_u0!~Z9(cIIQfG%B`v+l6O=&#7`HCeh}QZc0%o8(0}K%LWt{tNGJ`;*8@K_CID2}x z+C-9Rza~OvAx>`LNN&}zACu7cRqvrCB&hI?g&!|{VHwHL0tq@PZ)Z)f_o3a|Ui6@> zu(l@NF`;SIDEEGGPOYO?RNSgTZ-_p|O+!Y4LO%$gp`f6G31)-HBZbr5s(JXxQJ&dR zo~2^P^sR2f?1R^d2l>AbROO!ukl10?;iCBqcL@7*|Fj<NQj#D;>q7+P0aD~~v9iu` zFU(n%-e<A9y~(D)^e5s@2%!6ZE?;t6OU*qsi1!e4eu95?802+SuOsqtW(kLW?#9Q7 zc>z0JL<WEx5d&lZnZIv%Bn-g&N9RNU>=pOZu96+=dG+}9r@RcdRUAO@-S1DZv&*^l zT>x>a_irEcvonYSblQZ<|AFu#^A7GoWDaTWrxoB^`nl`=Q#tVy_5R~SOs)nMwre}H z`~5SB;2O;3{*CTm(m)GK2ZsQziFf;h$QJya&;Ypvdvfu*tE+;BMTex(hLCa4MMTW+ zn=jy+7KJ(mW?76NB4qu8e14;n=f&B#CvOuBceRQMl|4NBqsQNLLG*l98wuxW(5oZg zRQA2ChJq-h{-v1fUk43{77gT!c%3Kvg^U5|9yG_?9O(IZ!T}hAlE|B*2C$0j`Llsa zJz7;Gg#ZMhf~RZmeo%jJNIcfQBdd|2R`=|(3Ud5>d}>|DmqDQkvvS4yO9rp01he`w zB%0Wt>frZf>REddm~CMbM<1lQU)xm1{z!WaX#mqz#<P3SuI=mwLq~nE+Fp8)Jky#@ z!Dq-TjSCskcv6oM-JSUL@LD$n)2opm*+mMdXH&;t4qei01z3iex^vArzgd)<WbMBO zHFs1JCp*RmZTv~|_M)TN(m~KkGnboU&`qW$TEZ{b*h!;`1v5%IE-Lx4I|d>HhjS*` z#20nk=`%-4o@QpAjh$Uepb5G?wsdI}QN^Vsj*CY!mQ&|sCGd0eRSyIEi7CA)e%Psj z^g2C8Sfh9?M#EU)2?=y9L9x3i@?++!lyFgfe*`VJRdFjU&GCSkduIv8U+2dWFBv+P zd#a?00#b0%5I~fWWP4$DJ~*$#%#{qpTw1m289B0c1W4<kn002-rw%0G<8_O}gxM^% z7#CsL*1}Rpw6?mPY?PB_d>{h9$^08p6{9tCF-Nto&_N+7GhEEfhox7SDTUliVBkUQ zr%sqiVRMAqMA+tKTEL+r0pLFMHF`7jysh|!32jvtlkGRX3TrIM`-a%gy&x4PU1?Us ziR|x6^xk-m53>W{OFF4(uxbT6l$TzjC~fLF-R*3eP9~UHY%d-)(_F8@?5zmkZjcNd zi|A<qrNG;&(=kQ1V_yAu$EorL6pe{C{HculwSr*b;8p2y2Gr<w+bRx=Bq@yiKlf;7 z3L-197~I2#w&CG(@2HDq>MK|nnVO`xjmerUbJ(nMQSUArZjnCmA)<5)0bxTTd&3XW zCLgMu!y^!By+U|+>W%_mX~}!u|MXSOyt-8Qh?_1vbFD20JMp?P@iq@fl)3oVyhP>{ z-jOO$Ozs=BUqOa%gH4{oY+-Z@JqoiuZ>4QYKi<zXQ|8#|_(jRg9#y2`51eb}5IC`n zwRV6Go$7EVs%rhI#gPr$3s-mi!Y7r$`>lk!V*#m}h6;Jif=M^k)(aHjd-PV(2rl!7 z!d5wQU<RV;{UESdtgE8rlA{IbL`HZql=rZ6%}%SQz067P^LrQ-m1s|nEQ%X#Mn}iN zwX2l8#x#s0Gah>fgp2Ks`Am<`Wq_h+q3k+Erq4@Xe?qDi1mimAS4${GW!&(eR1Ro$ z_q8gKfvKpa-uEdD<j4sjSAK{<#}ghPkM7V8Hr&Oh^lQL)JXI+w2y~ry)%K_BMn|fK zsujg|dKDB{tpBQcE|}D1^w?!OGLqhO`aQ7fy8PQXJoCK6W6gkScV4F|$_hFbw<yI1 zsJkKi{@OD{%gB|vcU-zCoQnmUj}{lQ_$Eij;e&M(4l6RY>xeN_)B`RMcy;kCHz<~6 z-P_Ha-}rpb{V&3MYf|tJo0Qu)hJm+2btpiboABv5k*#+NX)r<;mxy!YkOxwOkUe)b zEZ&r&Okq4Bu45Oo;tPw)N$jN39{kVYEhWr3Qv$Q3)L$BP9QW4WnuTW!Fi+1+)lfp4 z3?O_mAew{RGENYL(>r3p`{XAjsuj?1E`MNbZskD@yCz2{m9q3N{JjPEOPUh1ZV-oS zog)ZEU?&h4nu0kSr8+rsmv|0FmVJ(U$ffr_vDWVB#RFdflu=nMIjJ;%{>bAgi7KLE zEhMa%PW^Lnc#`T0#3*&t0`aW~M(qvT#9eu-qfaa(&(yV5|7_%eN$|DRDKfaC_rU~i z!g-4sC_F)Q7OSO@)=vAR7%;C4W?nI9$OsnF?w-cn5K<k@*9|R>N7HRrV0@R&MV-B) zhW;Fmge(flQ!e;H>=urUX`=Br=i#vqG4F}8`NM+*lpu`J3{jBcvz%(Zp8WA4pG_63 zl`O?EM7wQUJ{A3fzt?VP#4Q3juASr`6-|AIoO&{y%kfca`}%yaeO~9LzsTA*C9nI~ zer6RqGnH`qLA-367eN{R_?I~)rDYQfj;HNaZz*dG<_TmKt_loN;prTX0(*+S!EB&` za(EA;5gAm3zi3(dr<P3!KFUwcWPy~<Cad=GE_KR;Z{Up4>KUniu4sO2PQOk1oz`$f za6!1Lw8;L-&u1ciJo|{LcKwn_rAG!=WExw<@n^_6gfM9<%J|%D=CkYEVEyg)8s{y_ z{>Q9_eX!fg8kOuS?CaKb7|QP&-lZJ6#;^kT&^X!<KfUkc10+0~VV%^?bUg5dmla)$ zN8E@cs^`Xkqm^0EzpNd{gxq@`m^%EQxh{X5O_Dkj{xi=+JD;u;N17BzK4dMEzi|rj z^5VzREq8Y@J6SP(8eBp`fQddY6tk0H*M%y!#nX=-fjpaCkWXndKICl@<76?V!12GK z`vNHSk5P22AJin8*RMz9&CtEHrH^Pp)R=|r7@ZYY@6eSz&Mk7%$O9V<$M|3@k0a8| zyPg_WB6Ao*3Dau~>?Ld`R7Wpmex(GToo~>G&J%4TK1;|PpKgQ56Au-So(IrwE^=j^ zeUQ)HQ4$Z3+1@l7kjd@kgVvHvZIn-D6pJE82Yy&!9wxc2f0b6LvoFv_C9D5G#_VB9 z6aYb@XxX-H+qP}nwr$(C@yfPs+qN}5tJ(BoBJu<7Hsgfj&D<>=eSM;da#1gC;~7X$ zy*5un17p)Q4AS-JWZ~tzP5?@GG+WkVV|W8uFmV*_#P7kRzUr64F_2;xdicVwvw>JI z^FEc?K=sC9o#+|(W0j(1;o=KX)n|&y-q7QJVdA~UCC(c|X-T#w`$DLXhb|ON(+o~N z+J6US2ii9gAALa^z1f+fcR!*7IGY{aVMEBUS|LG5Q|DCpw-wzu`<7B-MG@bQ?fwjk zpKC=4pufBBTEs=eIt#y8Pa@GX2Cb3|?9wOeCbH;#j|I?Rju6)br4qWS#pPZfEFRC3 z2wFE@JBClmR`2IybzXF5!@uuQ>Gn5fR4_B#V&_wK!P|G;wj60XjBRVwF{oo5_&Lxg zCb7Du^)e+VOyyo*lUGL(pWrRJX`=J*5!uMrS$f@B;<x>7o@)}ysY{h0DjSR9rMpKp zl~%8S68(VfiG^?(gqSrlr%ZV$XdOdewIW_jD&q(1jWPS^Oc}{1WCkqXw8tL4*~$$( z=%4TLb7A&1k%dDfE7_PhG8rJ|8K%>-`>bsLo~#mP{%U)OtT47QM+PVabBPDp>t!_v z^6y8%LNAZx_g2M3PssQh_1ZF}eH)Zk%`?xwbTb-WO=$jRbSDY@TD{kTMF5w{hm@fk zrhUG{Ij7(<+nav1dpA9It~PbOaTDKi=}MR)k15dAFME15_TtS9kR;lfZwsvFZ(IqR zf=_$Az2++nFCKpQm-QY=(a|SaWvVE)jsLrw-*W=@iHpR(RgqVh+U!mcnjY4AV0mO| z!FfkkGw(auekC~(Ga&V+FmG$^80u&ZCn{o*>Y$*I?U2lXQCDicb@3K@=_xzP$u}Hv zn#XS1=a$&%lKIDpU$>T*w1|@Z6EepJAuyrI8Rx}DLDX8E-{j92Ov$1HiX)Eunp^4} zPqeXW6la$%BW?--E;jxgYd>F&S>A8@)L;sscMsw1w688oe^?O_aJg}h(X%U}3)C}w zbLBC2o07a3A)$>8q@oV;9MU8t%E!2ClDNqZHe659fD`HC{Uj9yRtb?L=xeu?wa?$8 zFy`&2O@W-89dni?Nv@-2ZXca52(V?&#n~Eop!=e%id8&PaPfAfUo3IT)DEfdrnP@Q z%Rk3zHdeKW^4pC<_mA1CaY@A>H$)dFj-}LjQ5kT?<_YE%9vQ1Wr5FBu+?tbqqhJBh z%}XdZXpG2143Lc3aggzwj1^jtya<}^)dO@nW48e6;31+C1S#5sJf^P7rk;3EOKYoE zc(e#kHYuq_WOBrC(d~=zV_Eams0DlUQPwC4))jjcbOx}NI+m6>aB@_JYmgNCln-wL zWDhRWlsg{?D6$lWmL6?1jp`}AHCI=fR?+g~0XS$6Yh6TXgedjf#)PI~WR|W+UQXAx z&$A&OVubz!gyo2NYNjqUf1h@8Q0vA@e8Y8EhMS()z6xAKvWnQY^`%EVq&W9mZ@oCB zvTSFJh$0@Oc^4W9Z{fsVV^5Ny=<8ka$i?p$T(7%G4bRLGz|%&N)bU-X`IW`)@T-6V zRYp4UYfwfXUQYT-oYH+vB4o>iweGHE&VPXFrzpJAe5*AhOFK~k#v$6u;Z!vMo-ylK zszyyt6`aN&->duqHJr2Hp(SwyRWtO`L9{n*soLit4aWh|GGm*~d#x>8l;0`eF0)}) z(LXy0pk4Q)Z<c6`650ocRHXbS!k#neB{a;pvtS83K00!~l*)9XL+-?Mg3?VTPNZQ+ zy6u2Fzvpe%{j{f?-DBv+Q>A(Q)p6>y9tIrBjwrtQb0ihi;+40!l%E6L`EYg?m!|}M za0u7%u-SevmAf~FrC#tnF6U<UB^&5x67%E-)J&2pj;+Cc;|7woDj2=nxH>ne&v4ri zhVu8akM0}dQV)5C!g*lXBag50L|L1#5otYTdl9#Fzmlb=36#r2+^YaG$AIG>EyF+P zO}7SD`I5D@3cV^z=5n)1nJd;iK0c=qqsneO$&t-|kZ?cm<NM=VgzAYlysuXTOFb+~ zu<y01e9Dzo4_DKU7W|clPBwo2irtgTTswUCAx|jT=^qc*k<*tUB9<1;+u)FcIUf_p zQCE-BWA{rwQKUgRM^{SqEMCw-)|C(C-?Ea&{`~Am8eL3kJ>{Jl?7K11@VM{d^39K( zG}jB+{1sJ3@jssY%j2j6ON6%$p9i#AjEoqf3Im787o0&b)Xxs2k8{%#9`;+p0N$;f zXCbN<?=4E|EbJ<g9%R_#>86L+C5%j*V#fViij!YI!xI@+4ZBX%4Ld#&EJj4Z*2M_G zoad6#n+WpU-uiq6IO=2;x**`0a*RA!6=tfC?w!*M%PsX6h`#UEoQ(T!$}DAT|2$Z3 zHMVI9Sqc9gj-MS}IKEK>GUGdDbCZmn@<qdsN^glcv(HlP(88C?2-_8-Ffq{B7-WLn zur5q{TEx?BN|_1jTgR&)P7D~%4>&g8%NV6KsJOVq0w6{tn^NBdq%&e;uCw{|aO1+! zEa5!){@`d4V&kkLzsKA?I)l@}f`@++@I6n(s-5S`rSI}{Ag)g9XeuwnKQ)W7;mNa> zi@{bIVP*>lpRC6()K$fNVAw;GrjuikNz-d4;rYAUHoO-U3qnk`HIHJCetZ7GM3X@- zjeQU-!>g%?E31VNb~>n?QePF(*rFAVgh(lGmPww|(8SMj4ksC$aOE;ri{i3etQe)< z>%Vi0>xlc}JuOQgsMgyuLB){&ir_`KkNvD4%HNtQebB6uSVHfVZod+r0YJ_xkooW` zLBbTB<@Jtf#_Es&B)<dL({z<=`+>Z;6Poc+^MYm=%=ezSeSc0r<_f^==t!nnY$}8) zM-r#m%bU)S<`XU$d+D0;yL&KBCV|6AUTJH#*9YxPu*Wn(R9=#2QnEZfH*?8Q<8S=4 zx{UJ$9Ri!8oxE9V($SNbofBY0z!rw7y+6W<uxv^7tAw=S1px88&)+vU>5B7mC-u$r z+bq|$uXsv`tDBxx&k|;#2VY`$;h!Pc#%yX}nrVQ?{C>lDb4L4&3rdObRE_a$%hQ&y zBo}F{_^<Kuam)~!WlITI{S?QAqC9uYHs5B;of%4kYfhg;B6Py%MhrcE;^n5l(@i2v zZpcAPDd%ZhGGDmxHm7a57BUFJIg)W=6OX<tr4%&_)qX^7V9Ni+(8Lb3$-8JzCUM^b z*SHhimwRF*9cC8^R!h$8Y{T9L-vxj2*u%EVYwQhC)?mOKX^}jvgqQn`8!5AE-LAfl z*)Yis&mtK^p1S*dhO#4t&4@z7t|3Q=p_Hv*a(7F*v%YkU#2cHhvJh(~-4inlEj9z8 z6Wg94R(>I>hiiE60}>T`hVcYARAnYxtA|dBSrxB%|9;(%U3Zo<MfrXHu8icAuZ1Uz zA)>rh6Xjp%v(eMOmZ6;N+LB)<`ig*~LC+g6Y3m>B`X#Nc&&oCb;EZ-II%QVl+U#c< z35kmKMqV+=W$sJWb*&>^c(?d7PDoCKL{*n>Q6)&m1!&q#2V77|`w|IDMf7c|ErrQ> z%dhxysCK#P41Co(ooN<{cLWa38Nt;wo6CI-$MB2=9BJd8NI$!2b!QEZptom$ok&f} zPG#mNWx3ZuClhu2;LHD=kHfNGwdx;GZ}F1qnmCO!S1kwAd=b>^XYi3?OYD3V4k7B{ zjBtVaEg3%pswO#pUd*F>Trw8h8RUj4yqJ{VLNvPD5m8T}y9q{VV)1Pn?0FVJ>UHSl zCH%g2G-scr^LH93s|Qa1-uUSUUy-ni@Po;Oy>N8fY~f-jp}S}fI3V7=%{=}r6Ryvl zK#qAA{>jNy1R`~LjL0`A>xa}-G~BliX^x)L0*bieTC>ShDyD}zvw(Yg$D(D*ehQdh z-Iuv}pdPRi0|QF3HRT98id_wXc7bGRr$+)ZD1Nqe4Ne;Ys$58Pq{fjXTT0GVRfWym zlR#aRSZ@Ia{OukUyWWDE3v5kF*><&%-KCm84-C&hJ(Ay|rL;DaxAZfS3syiWunNEK znA5EbX8-iyx5!828}U;g2yAoiU$>!ulf;7KIa|bx%9`$e@X@^RoHNdn7kTdI?H5~Z z(DS8gO!7E?Iw@vnc3OiY50nIH9fkj!a%zFI9on^~gL9_@hZj663OEt`+C}t=_Bfwp zpdXRVk;^b^Op^2JSLd2`DN6UA0B788D1)n<!K&HEByGgKjl!t{b)$?$0u!%kKwBCN z%qiC>Vx<xs=$~1@>wb%wPbcj!!IJPPI%Gncl7T3t;1#T;nkQh>u9Ua>vHj-I$$i)1 zd)RHbp(b+gFb>+vy{lbJ5Z?3YRrfSEdOoj*Iy)yY1I=>FZe=!YhF-%hMAR4hSN7rY z6&9tQ&!ytR>d!}oIMspZ6)Gs}O3PUh)-qGA!?FD^9$oO!;Mh?AzQ4=^065{*j1mGt z#Lih&Rh1RE_ab7~YPSv}M2_yf6-6t)!RL&s1Yv@DcIAVVJ!`UB8n3m(f2-J##EvCN zUZr%ot@ME9A)VURCcu!;6@!24Z-uKkTUT2qtjB{po$(&jvSotx^Z`oA%kNvh7E=TI zgGi7$|ATS#YVJiO?6l#{sb+k2Vn%(s=!x*~I_lAr%ot>(OEWujC7iP}bIuFZs*!S6 zNWz>5bxTT6WPmW&G^(+gMgLKdO>=NxYxkyP!Klg`y`wF(=f2Ei;<$+qcZ2fb1Pnz5 zJ=Tl8ve-j++l1&{BV*b)raytj5y$aB#Q^g=LHoR19BWyAw8Ld)O?vQJQgC!Yp2&U% za2%#9w<B=bS-r(=3GOQV<|Ae+dp50l(t)8Kh&*_e?#(WT)a0m#OH!5E`r)a>T}5k^ zIxHj7G}g(_ti`k%<6!Aog=xXS#NRNMK<yfH6(rXk6?qRKhT=8cXpwG1RTS4f6%+3R z8f-^VLjNZ6YQ82J(S=uzbH1L(m4M=R)h$V5Fv~(~a}H7L-J3XLZU^^JYIf{Q>61U# zY`~XSNaIWFtmoIWW?r${=VJxJONb|jHxT)H%C{Nj?x_&(af8~?Lb8+wU)O_p`H<rm zzX(W&v*W?DW!;MI)fmT``LZ$d(Kw=HHWf;8Cp6LQTkAfrB~T{<aOVc@HlTe~**wur zw=gn)r}7DPwydvyCYhLGR8M}{laTRGGO(mR+F^?v$LXnZ!}oND@L`HKJ8MNmW>!&U zfiLGo`T@xf&i-=ZK7zGyS&cPe{0Mfs?R{0eU5uD%#;tpUiK<t`OO4-*fn`7+)gldu zw!@iZF2@Gf9uv!jig0A4o9H+e<YO8?r-gJ0MjNkR4YPZfq;XpWZ+r5^QgmWLk>1GJ z41H*>E|~?GnX4ox;8hf&=yy{*#aW$n#~>D(*)h>;be%IN5Z6ntJpZM$bv>PGfCz~% z>1FmsM=sjRHpi2L6RGCGSCrFz(@wL63n%HFyd6wpe9zW~<P*Q<*wpF2q8s~vLpL@? zrvF1XMm7d!=KrQ{jBFfi9RE*stLZdOG1YA%&0(ufO697Q+Nx^4scDwmtZ25~YW?47 z>&|_>-fSKD{rp_?^1otuiw<Wo5}Vby&c@41QItyz*;~}YqcpZU6&Mzjo`H;KXkBt| zN^5INE>Hl(;sW}|(m0fq1i1<Df-7576Y_!+kPDz%Kp+5N0bpPP!r<WGIFtYgT4SSg zD;pz&19bcgq5?%leeu`&g#<kB`VK$4lk-+KrtY8XqxTO$TV+cVpbqat_*=t94HO6n zhD0zhu>u5vn4J7UOGgAvh@PYX770`n;O2!6$SLj(tppU9Tn4Z(g)afX(A)x~`RxI~ z(9p)r`c=;2z0s%f^A5o4-vzTU_;kmf-vF?9ijT%J0B&w#X=(fWf@5d_$Jn~i<ovz~ z3})?Lp6nl7xW@<bzY$ygBQh~I|6w0|tiPkr$Z6>b?g`ATj0N7eSK}m1^nY?;Sa5zP zZ|k|xXYb!Uw=XGd2|VH_{h4}0KdoOAoLip6+XrxQdnZrlLol$gvNtX~dt`spXTauO z@?UUhW^ZBol?Ph};4Wy)%Pj<*-~FYZ*1z`ee9CtP`fa;>v9Y1i`EA+y)K~nA4z3L5 zoga)qiwk_Pmje#(>xh-D-9P`uL~*1hwgv$H>AMMwWBWV!0&f0N4<7%^#Ej}Ad4{R2 zrO^Qh6Cmc`!n6+WqXazubEjJReT)3wBY5zS?*F5G{OybU(r5kLgM0Y9^8BrzCyGNu zWAaM#2jAaAhuOb_HHJ+9`gR`EIN$j3AAF&arPcX`$Nsf0pt|29`SW)e#(n-}3*MW2 zuP1nJe*R<2+KkTN0){=2!G)0l5c5Lw=YFB@`j<*LKRdV#^{&3)&x$NCBq0B%?;}N4 z26n3U*PM5<M^}(~;7|IeUgED<uAHujrhs1jS?_+?S9JVqbysj~^pw8-M<cqqdGAmA zJAi=D;0D&d@XZ^@5+h>+u-XT?fr-KM3%~ITI&`0JZOIGHt!y4Jx|ei;`K$W==kx1a z`l4?TQVUZ9`<IC-3eHPC)OYmK2lLksi*s}RTlHCw{MWYsr}1Y!A1Gj60JuF_)B>2^ zr|F~>CCqBJy5F84X3q}%ZV(`=n5*Ph=U(cXuI_ZtCZ2igtqNfKLvm&wJvCT4Gu8`o zGT^`-2CAt}bk7977MxK;j_!J7j*Yz%NT2J5Xf&B=)xNdTy^I#ZMcp$wFx%c8<aWS~ zvTK5!j61!89LoNXuVc@WB#uoYA6&9Y@$8o3m0-W(S#HjM6qk=T@hKh#2Ht5$;Qi`Y z!BlJ@+40Q4i!29ugsbCnb9)8DN2veTz<J{^@l}`-yp%V>9_|gpjiB>`w{PzdypIp_ zYC2`hGDIYsnfNw&?M|UMJ!pVKIsQPVfnr&Zaa~*9mkDsL!`r_)l=M%*hJ9tD(9-ro zSgCx71@oz)4qxQgiEh^&&Um-U3gKE0#&qXpi2U~Kio4yC6p4AC$K58jVf^`0541MO zaS>heC2XdT+VHrqC;6YY@gg_S4cI?)CLXl-=v5Y*4tG;A<>@6=2{HboI%P>-g(0v> zpq(8}o1P7p16V+TXWy=YQv7ADePD|kf+g%A$_dERiAen$TUkBc*io)`Aio8RB$S%G zCX(_@u1Dj(3}&+ikP5Y-=~g$!rbxhCw~6lP`r+k9LU5Ex69zamCI42F`f#hBP3J@K zlmGn8&b?{`n2w_rNmx1&a-enk(~mB?qty>rPzUuoxG{`$f04tR=ja^EH#9ivJ7`iy zo%`eG+!p6PK-8}MqPQWs+SU2TDXeQbd1Dy|o~CIELxE%1OhoS_Pu%ROIG4@|k-ZB9 z7K~Q?C}ctfw9#1JXr6t?aalhWoYmCge_;pFPrqps0B=b%cW>Kl3HZoAj(f=#Y7f$R z`ctR<O<tO1^$MP?UiBE&FV{VLb$kN)khT8k3k4$?&~TgH8}u-F@J3Uns6r9))r|oi z5~yuu&r`zN4=gII&2wTF*WN;{lk=0a??hx{@S6Zqmf9%WuD2W=!TeRO{$*ihJR7+4 zuT6~lhaFO%QlauGz7{jS*Hc@~u4VOsMr7G-z0A`~FHtak-dzdU$VkF$adGfw{zkrK z;be|rsl=cTd=v{fEasgf(5eumYOG{#M5?hi?NA1l%Pwub7UwA7m?H@)4P@*PmS3mv zGA)ziADmMZ5%Z0SIEfE9cElfNG|ri!#2qTK`#TtI9*Z=jY@e6R(}*(4!#N`Ldvz^= z-#!zGcdfw;d@&`rbRPU<s)*oSS#c%1ka9SnHj%S-p$TnhOrKQHa{Op95%c&=#b|2F zSWrJ!S$@~hrvqvW*eAo5ysp?s`sb0I&*~~O+b1J10;Q%H+gf~__G|-$kwWX*PCZ7G zRqDM@j{bv1gcW!Okd7hz=KxS{t<Mk89{mr(_7<AFNMx*2pxh>o>L){)j7W3xv*a{L zp^T(`t^`p);^sNf`t7I;+!CU>UWlDs88IEKP(+pe^F8Pte=dgD!|xVCa#MeGjktj6 zn%R7-*yAl_nb1b4uUQ7*hHtbi$zFO@8!xAMmzbXA*W+YErk`Y!P<Nufm1>E8p+gnL zeXU!T3!9QT&>qX=4<11Tcb-!2jEK=@DU5BbRjjp+7Lho4okvR2ciGxKl+@44<W!|! zKRoCa;D4CrU>8IL4oSU^Sc(e%4hCo?l)p>KVm94M^6H5i!ix<`js1LR0Ny#Zng+f! z0F<ZDN_LA9ZT>eFV}b+b`{0w4Gjj~PHWho+3aR!DZ!R;R@6!1a3?Yhl=aYhFd?7<& zy$b3G)~Rpou<g}+k0S6!fO05945QFcqdLdj4UW70l#mW?-JrXY!7KuJ9;nbCuW&3F zFLe1__E<38WF^oVsl*>?pqmHEJ7_%!o~%cz<s4C?lvPysxfvWfqKx&_(LT+_i=U>V zB=e~kyjRF}Ex{|Lf*r>}*wA<AQYpzRZ)|Yrm1$qmr0Tlz3iY<6_&NHX@GHxZ(>a?j zhi==N;(&19`KC5Uj%+=E&eR@j8{D=bOCs@#5D<p;FdT{a39CiHcKa_{#P`yEGR|Uj zVIf2p)rj$H4VRng{3_261S_n)v{4eWdS(|ar^MINELmLIQ$%~)k+IVoNf)NxZ0WCB z4KSm3G62<%7|xhV8;qI2qy>+|Yc|e%Q6=ol0*HsybHxvA*zawCT5p6){IFN<`U6jd zVbt_&Gz*2Da5Wafw46VA|1|8-QCfR(NU8noA*&ah(7dzes*_e<q0jLq*#~$7!NLqh zpa$pz3tX)x`NWgU+ikIuOA9?rbIT<c7oL5z#Zv1)fKn)WFU77)?;<AXUkL(H`%iL| zeBVI@os=_37cg&~rMRva+BTpV87j^;J3*4R=XUxhbUcd0;$_9Y_50Fzi+C0#I2pl4 z*c_LJ(o0Pu36B%qU=29H8IehLm|yOa)aXNrUEv9Z*`*fbR5yYdD`ISGj>nMVRUKe+ zBXO}d6*_<pSmSY^4VRY5U$EM&7mZ>aO(V#hvJIrHHj~%cR*4Q5B-j_4|A9s;I1Ou6 zK?Wd}*0l_4UowPzF4~7;9uNAps+oc)Fc^I9Q0Fe+9opkS<RU8RM+i>{R6OO)T11IB z;;)s-j_(_uY*Z`QcFbMBz==Npk|BJfmAFaZrY}iS`TtnthDU#_EmZq7*5pqYpfIPD z_d;{fi!laUd?i7sIw3s4>sPkY@=I0NKE^<`q69sELaN(V8W?!E5uR)0MT{C<kZ~Tu zP|faLb+RX|RwOG7#wnfS1IHJsP~5sW0XxV#8#5Ya(Dk>}V5A^z7Gg3lR0cP(Qpjoc z=4)>3!1VMfy)x@nP!;>RWc3g=&h`4~YbWi}KgDZ+qkV~vuwgO#?AZj)ms*wYX50Fa zfOXOGl*dJ56@+oKy6DW$=^{U50>?#Wp-JIkd2n?sTDoT7hNnUXHu+(Y*2na(wBLVU zvw{T_5OaEq6H8Y2Y}GsD@_HBtqUn1@N7nk?%F7ED;rWawS92tmaK0~uy^r);h_ys3 zlaBq%tzToRezBv_8eX)bgryb<lgblK6&2<Rw-P8Ab)}R*Rq-qk<UJ#}o;@DPySqWv zDnGLF251-=;5X4jEUlm0%vHs6eTig@+;W?w=k**2tJop2Ku9~z!9w;b4w3u4H!5v9 z+Ej<9t?7%{nL9UnsEu-^@qWghDT=)P(OH7{kSby?#SK>z88tCLCf*;+N9vPvS|K50 zq1NJG8D3@$%O{$kq3GZ(84LEJSwH4WQAihEe>qFlL;ms$Pgx4Urz*C&(|@0SQ#0UW z`*n^phU9gCg&LF^J|2n$OW%Pk)KRL5d8K}-F#~j$Inac?A#414)cO+~r1_An%Cum| zZct)Y3llvSNMEGart`gw=Dxqsn)LJ(EMGI{&b~}2mnK}~fkKe8ymZfYGAwU`ME{r2 zw|19R(IB5OOypv&))al~S^tWY5;LGrB;YT~UKc2yk-(d_-^Yr{D<$W)Iw7n%vy*SN zF98Ym9CraCB_1kb<%YB3LIi~WcnUDZ9zO4Mr|$;Z`B);Ay8cmKnm?5r_JQy~SzHh2 z0MbA>tN7cH6DR*GhTgW9Bvh2t0%+4iAW8=8>~OZJB$R_5KQodu_Al}1tk#o?Arpym zZ$dTLWe0j=XD#GdkTcc0L7k;}UP-MJ8{PJHJ@^OSw5)t2zxu&ZQ<-81a|dpnv^SHZ zHR!4lIc6}tto04a;<6*M0mcJQMSwq8oG+2Qw7|@?2hv-*ObI&+7%OMKmOH;Qfy*-o ze7}?NWWxd#2ZsERgaI^S0tSv^d*pi|LhqLFCm!ARQ}KD4gY>Jfr}wBjocW%G(%j)u zeYaCAZ)O!iMln6Yx{vEq$+y2yEYS~9<1@?62vw9O_=2#>!usP1zQH-_WC0YQC@_|v zX-Acg9~ZLWh{#@0{E~N$t00!iS4Cp$?3KvSybLNVGQtdn@g~^+7Es=D1q1HoP0t9_ z91)$9YvPnF1SpwK=F$&*XppU*s7oE=*%8Z^F|&kgMz;I%>zR)pWW5-TSjkMjahF7X zb*!0=f<SfBxBPv`Y7jZMtt(8L(|Bvw;=AK6gSEWt*c7?IY2WlS$11*WT(k}URV=78 z!I06x1hH(7(e?cId6Acc;Eyn5g>A&`H)SEDO%1-T6DCD3M@B}N^|$UKV579BNwnd~ zrPoW-R06=0u_WBuHE4&tM#Y)dG8naq@5}aBHh*1aqPkOg0twtIbGXk|`4!UHE`15) zHRdAC0~N|{$n~RaccF?2(j5@t6xX+!=2J4fNhF{0;QTg!;n)W@bL??|BwxrkBvL%^ z-y~tWH)3ZIVe;>RsF-K$vyRKPk^vTPq0K-HHP+)&2INm&?OXSBSyG$CP9Q0`rkBew zkzjpD9d|MC`Lq>GPnMNdCSk$%LofDEb}%)EG)roj-cX|bS=bo1dZwssYSETV<NG{$ z@SThHpV?H2FF<9?B++718>Q!4du>^bHy^0sKKJ7I5gB(|BT8hvY3W;JppAox?a=L$ z2#TTa!GX7C-lVWc<u!NuF0}xJD=l5q6{|;C?7&lPVkFZN-&ah*(u|o0(ry1iIhCeR zOFd<4y-YZPT3~+ZL=YWjxbA6TvjLm><6!UUOAQ2V{F0Bv4L)ngO;@bLTcbo~t)Qgn z8d|k+wylLPq(g&*J4j}XZDH8&n~3xw&LyZs%c0M^6BMQ;+-APV=IiCue2u$d0L;j8 z0!t&%B*Wf$NZ@?QOkyP@N$=I7nbq##LS9(76$T^&hG~oJV#Sf@A5x9>rm;V%cO-Bh z7#u56GImKaDvq8S^jSHZv|-oyO(;P0M~QxS$5aGwDU$tOH0dd1PYgtch_r1QL&Vkg zV?udeTj2Vol{pUaLP`odXHjhSNIYJM4`>ka#>aa@h9Z=z)FSc?lY`uZ1bliGrZp?R zOe5ARaI4dLr5b;7Jf711>|;b#2jN$N`$zPHdzZ*A)s)uw$ntCR43lYe<~9{g=ZkK^ zjj&TKPkuk*Wk+KK07CJb)7$q%Ef`NA&V+<$O8^2=TT0T0oV$M*j?$`^@Ud{WIn~Xc z-Ni86_`~-<?%ikki++kR{e)%(!rQ(;vuMpW9;Y*`bQju7p|+MT><40*C1TjDcKZhu zDB!jx6IoIpz~Cz8U~*J4S1EbP1AjTik0>F1d1DUuFqK*gTr_3f2$bYq;0+;^9b1Pp z#^i9C5&M~Z9wrpLF(Mh<R;=L$CWB?(IOS$yn7Al3a_!jkXn$4NNMbg_%6gL1s{P2% zo&9rz(2~2w7=*?Z`f~{@em;$E&3eDB2>tt~N5EX|Wkt`oARfqbe^+b;(i9)UY9f=# zFk@0h&vW_Ow<Sv9aiDQ{WllQ#yMNT{Ak4Z#<zcV@=H%J0S;+oR>x6EYvddTyf1}Sc zhi4Z|e-8=hQ$iZ1!s2VgJodbf1BVXGrP2YqGd!vMm`#NFvdQ&ahgDp%)?}p+{+{+* z`<A)lRMYuyl%KU>8rJ{bUwT_%#@IrgMw*%tX$MF^m&6HS$OMfnvo;DFG$2OHcR@;L zIwDb?dXc`RO01CCZ%p8L2(v|~8z$JMyVX*+G+NDgE~Q@%<1fypEZ#1FS|T9*>2hZy z7Rq}6CIu_Vi;6&PVLM6h01N9%>Q)K{Qk*rSW`JSe!!MB)*wxix_pg~P8erQ!wksBH zn$O7~etAN;uh6vc@sg+J7)zYBZowPKUEf3kG_|x+21L=r_Tf$)WZZ0r7stx9QYK9C z329U^(CpEv-Tp$f`n2zKJ^G9uy`m!6q%ft|EQB*N_h{ZJ&a2|)_!EVRq_`LC>)J01 zJ|@38GJAKxtcQf80;90X)1TA}t?sv>gpb)%0;VR(JbeTSQ_<gC<)D+{k*0l0c3-MM zSro}2H92SS8DSh95CdKy9!5Aj_KF&&y00$Ql3!K};b!qiQ^HF0H+xFniQgiTo|}}g zX>2t7?y#U7rj4@q`=f<vl<y4i-}!DW8tZyS=|tY>9)a6F-qqmokF0xh(x{j#KxHdY z%|HT;Kh7JDqZ`Pd&nKLcb3<L@Wn*vFAhfEeb*90&Ze)F%a9M)|5l&C%IFV?{sr-2u z$WiiZaQqiP7pK=$O-cV4g(tCrzL5K_IT%~dTCL@A%FYfL5U;o}!PD&}!Z3w!GO;r) z39kYCgj>m>p?o_n{9rbhE?yOZpF>I8?bZOd=1Q#5H1=?_c*+-^mzYb)GTf_VK?19K z&C4LyZ+~QR!r+1cZMKgcHJiQ2s((q{B4boEu60BsGXZF?$YGRb7h};&c^FQO6c-O{ z4Ha{XcQMj1>+q%f=vG1#d8rw8rL)3}092h~T$(wZm>fwwuZK9-g{kiGY781$RKjP8 zU64KE9N{;wcX^*e@1ND>1cd0|SB%2<jxx8p^uod{w*UzN-0sokx>-AP#YWcQZA_fj z+Zb*g?8?e4FB*=jw3Q3Kezm6Mlt_CtxZY)^#WM!NaYrfRO(hXzzHga|P=S*QApzsG zJAEgiNv4NNaHJEst3v#R0)JT1n!}Q43LYZJ@cR}3@vZ!nvL%)?dCJzr^`P+0qf>o` zjioXPu8Aw+^{-^Jy*b@!))8nme@99KOp|bgd5DN;{o0}q2{DKC-?KQ{Um<wJl@R3v zbDTARm(w2#!d(2Wz`!r;)@S}`n{^4ZiHf!?c>1EZ$k$i!{<7kh;>5K;w75>fvsp7S zyI$;<$+{DigV-Ri?CzT|PfJdF)%Uc7CbjK2FU~;WIKHZ>7tW8HW{V@xvfFfk{FfY> zguo<tkxuOu_EEGG<*Bh8V*@08hMk5odS;?jJ#sNQ{ixDdfZ3@_@)iwa0)^TY#zbVr zA0^MV@cK!qCAvEQt!ejE&>e>;`TAOr^)#1wMoZ#w&;M$&t@7^iodu)0z_3z+T2AR( zY~Phl#?qV${?4Y!y?8IXq&G7)hi$|L`s-jllaUd6lFB#US2oKHx6HWd<Va%dW}ycj z2FHme%rO|GHs>dnQlWR7yb(d3fcsrAImOMAVAHV-h4#?ydUTXJnjyBc1@ZBs|5G67 z<5T*H(Zf<dLLDxD@@0gwngI`X`Y9Ewump+9s0)s~<ot-=1Uk85hJw?L=aNE@NiTu( z|99>bLe~ml^Des3GYzx+x>JStI^MiVhH^OO6aE^4IdqvM@M4FlRqNV3QW?alDL9%Q z!a8~fk>f?GEh(YXuQZMk$7>(KTj<gop&tmS-@#S;r3<G#+!rD|3%@;KrIw9n+@Or= zcJz(3iHU~9Q)!i0NdJn!G?<xY4yNA@(>UbWL{AXc9cqY&bIFMC3P<MF=21eQT0&jF zaQ&(J?GgmvT8G6U=~3IT*pC<=8jJ6gac|G<C~r@kbs7AobD{2omko+1q6P2-^33+W zyqoNLHtR7%2#%x|3^aL8_?}=P2vzFb)qV~YdCwGc?oafsWQ`=m@}pf$1oQASv@&gR z(T!x+!F~LjP>WS2J=C<wbJxop<Z(iCEkzo%R%{%C)SZh@rXE7Tmf{t#X263>{wv6* z`;S^#5+*cmD%;%ZC=45ohh0JA@ir*sW%#syB~!nc;08E$F7^u;#ZT;BLHh6{T5SZv zlgJFLybIOtKsB7lbdG|Qn5K>C4@i*T^c4Z8caq($TC0p8vE7zlQ#f`=MF|{jf3_X9 zxzBh^obTFtS9DXQh^CiE6cRV7E%K)4e2=o;r?^P?{-Pt0Vxd@N*(973d-6FcduuYQ zInZAOj=>j`N=q{qNu&vmgsIYT8+-t1<(uioDw18q!He`Zl{|~k4qc$U`@~?MA$%|Y zcYTB-+pXg-HzIAo$}Y}-WGChh+;Q$;`0e8e@CAr&ztwZ{*vfK3Cs9HGSl#$*<@Erp zb(5nK#~h_l)^>0&R9|D<i-SF|AJSbxbRUAsWDf_#AhpxZWHaKi<6joDgZ7CHY~WvE z3l?}BOY`_;hU-6lPfVV?GVv|RXr9~rV1>ebwBFHVSAH%4<Y%S8t`>{MTcf~M23_J+ zp&B%}IB#m@5h=vqPBe-eYsovHoFyj1L`aPb;<m{P6a_~Ekl8u;U|pePZnYF`!PNE7 zZo+kLG&41<40vS>BiU4^avrfM$@sb_$Ktv^ct?Yew}r*b?Tp!EofU<{<T5!PX2`pH z>x0$kUS_mU^)L<R_j;IRCDAm*3VbwH`^U!&>0)dZ9dhemKH^%;*^&F?yd+#FVeAf3 zQHer%eubN1q6^6D1zmX~FD2M0CNnWuYX3UIbyFQ_4i=zXG0@rBDV0FLhnpEiXE#y} zy$>n2srzus;{<LZsog5S>kH}Jp|{suGi~Z37ZRcEJkfZ|nBD&bNaOPDEkrr}!-3(? zC1!JRa<*J{)J|In80JQ)iws*eGYkO*{x@snN!-Dm&U^YPrYnMHI<31k#HV4R6lVhM zE!9wzJ4k7#Ob6Wi($t-}0M)|b+N08q8knvW{+*%gOF3CZ0Xcwd8VHLMat|+OuX1c= zqiD=L0O!jI*Y8|5bpsKl#*$#x-cqV{kogvf!!=P7^G7$1jyrBO4H-wRJTrP_N5{sI zz^|iYDC_hYalMGRdpW)C0khc|Nj=P~IDw?>EcTrW3F(;ng~K+|`)s4(vfI!oh=GVJ zBp?syZ!7T_^JOa}4YL}j@2O(mRFQV|3X%j@p?F=Y%Uuo0$67YB&Elg?@Z)%_4;+}L zZA2L3P23MUFbZ-jX1|6nxA|#c_@mm1YAlKZ^+R`a;%=wbU`{hz&KW%qL2GE1D=!|e z)QlwRu^s>JVX6E`3dAQe=69_4J=Tj;n3-$WB~5!HjO;sdz9ayBl_HR`CDx-Bx`8G{ zh&5;~`-F<sCF3tCJkvwa#WmzXA@TIx_7mOd;|muDFzQWl;euMjKrz3*PyBnNHcz<= z(H49G%P22KRwO$ywKM5K3QV+S+*FY1yX90{G3Xrl{clzajFd&WtFZnnGzslw|6L>o zvkdX1!L+Yn(Q268P}FIywwnqHjvgzX4wSFDrZ<v6I3FK>;KSQKa|@ZvFuJSa^kLuA z)iS9mDf>e4dDzSNy#Ux%&u`0ed7=0qKwp^qmfW3j`&@oaW$&hb)uIMZ1P?+t8@HGO z9t=1Z&vkflMA&pd!TtIU+PNW&aCTRWJ|;!xjFPTVKZR9C*MfNag0E_w!KZ{m`iW7h z@u5Wb3RUQ%h+paHUN2Yk3)W&pKP82P-EP#vH=DzH0B=*Kl2niw`!-t6Jm0vEcgXGZ zUvhK*tp`eQM>PI2G^jI*N<aZ$myU7m^9wNqYU;e7V$_N(5ouprBvP7NDP{NSnl-ET z14~`u%}1iyOh(?NbeusD121Md*7~C6cgoaL>?Q*#W%DeLy^`2R8o|X395XSxJdGdy z%Lt|p%aLIq5<Exz?>^)8Vt<f#ja8!TQsRLI$b}1s=(?!j1~o34vwY7yH|-Qpw!~S$ z2?Cns(^gybu<tH<o3QSVV%LrZ4Vx(hvdr&K%+u8KQvTcGsp2ddkZ{%6KZKL#B$QRg zRmPy!jerDNaH+>te}!+wCWK1bKi>oi_J>fY-Uiyi7uy`8(6=S3)m2D$zq?_yH@UhG zDu8?GEGf?joul*y(PtkW0DBbpA0Bp*UZp!P1zUsDLOze=%^6&tMtX5h+8GSTaD&nG z82bX&y~wOwrG0M+Drlq3g!(q-<#{M44oM$Ab^HuyDQAm!1+#M&80)^t;wKS&l|qC~ z(`xg>vgs`5UxpiY-<#vp$#i50D8H+kY_lFdpwc@Y>KMNtG*x?%O9+o&NFI0g!w6-l zY)4vByio8sgoc;kDe2?(ap72#MV0AhPo7GVm&>`ya8L#@{^VGJtz*o@eRba4Q;iJi z6PFv}9XXKq&I%Z?mxPZgKN;(%JDmpVGps18dPAvs{V$n&qbe3hL_X|(3%}D#W28HO zP!lFRA&oMtcA@~Tvn@SYqTIiOvoQc>d>?RJciVmb)qOdQPtv(RyLVAPW-H2Q=O}B4 zOXQpCb{jP&LHf5{G2jRBMMT_^`?_h?AmX{Ra>1L!4Ua+C5<^Fqp35Vl{dn)T?3pz* zCK-)PMrAu@C;474P2seQ1S#i|%T1$%OL&3ezkpyZaLP>g;r23FSXhRz`POnmnKO-9 zp#(ov=_iD<f>2S{_tJB3A7Ax{V;BCggS2ch><Y3^)UnMo`V+uK_|I0t5ZhH?8s=k$ zi&BLWk$t5b&{B`V)_gwHtJ5_(!%+6rloxNF<4(f}FFg%#Zxeq$kTDHWp8)(cIY@1+ zUL0;m3J*H;I2G78xn_N>xjPVsUX7!YTY5NPV6j7KmddUDVXO5^lC&=%SEQi(z?NM4 z6nuw66t5fE8*N$_mxd#5D~143a_S4^kO0`4r%)85Y?o<Uro&JLV9;}Mn%2h*sHcyl z3K|>ziOZ+u4<lFa36!pe*MOeaa4mrqV~tx3anQAMuX7d>7@|w3uzFEphcFe`-d(5b zV=BVZ6@0CpwAT{@grfon8nBoA-W#ez;T4^|Rhukx+}dql&y2QTg_?3R5T^QQUcDbT zuDM+ruh_{CP)6Hrf%1sz0boK=j>SvSE`TKcqT&V!uPqHqgk0E<R@yAMRLo;C!tyH_ zL5k7$(0F2awXu$}y6VdT7lBtBVFjCNW}*A2qw0^Sxx68x>AaU5yAWklQ1{stpL}gq z&8r3lRmTB*mS-T*2g{pPQdb(PXeQkhcZrkBZdp0B&Bt{M?R|90XDNOY1ZTvyL*Qa6 zz3k*bmC+Yi*yz>ZU%K;x{-`fEoaMmTr)i#X+R+<1N1L7L++n5Xyfi`&?Rv+ak+)e- z1_62RADch$1fH|8xoQ6AQ8kh@{j(oZGu|u@QQi{4?Z?=dTpkZ35!t9C0@Ul|g&!Pk zDM5DxFNgbhQEXh5#=V}VnG#Y-C!!aRUXEaVvm2|2ReUz4Mm~x_6rKFt1j!IkKpgc@ zTt6uR-yI3&HcWEVTC?VMvW2AQa?YOlG8gVX-6lY%jVn(NMiYjW4^BG}P%ljl_j+Eq z1=I37l$ceNhIxb~vq>8&Je-H8$y^KD{^?w<bk-Lm5MXuX8~YzG?1(fn3&b%$hG!Yd zgaHWSC+k`ms`7Hc3S6)D*U-%HSxVhd)`}-f&^6WRD5#cruT=*LCZnFQj=U(KMHLHl za+msIZw5`5a`K3TR#F|`H2ZLa0+Tbx^l1=<KDD$(n;M0IRHl5c<$ApX8eI>+HgwGG zW+qU(Dd|VIG|d`V@P%#jZ_TWdQ~HkPZ3p$he>BY~i$}R@0QNA<d)OB!AB_0YzD^Uo zfPGRT*i?CqeSa0%0*44gr(y9+MVT$|EBWvZAz}}NxPQJK@7+u>CWMj|^i+_MVu)ik zREckFZY9~b!IScGUj7H0Vinf6Z9spkdp7{1{Q%a>QkLmM{((21YGnjUOJHx@6dt%C zrGSgNwD?%Ikg294z8-@sr)L`zw>B(0dXS3?Eqw*)CbUK6?W%&~pw8~*6)~3{jf3v1 zx)IVb4IN(4X2r*KJL~VG9?Xx^4WDvJGjqWcX@?J`4(&#t#b{`Fmd`gC7FPVpwUx`) z*x!RaJyTR<gbM$VzuOo<Ry(;4`u?O3lG@d9Z(N@*B?6YrF{KR;hY8LRP^2#7e9Q8) zzDtrg!G%s?k_j#;sfy&CoD2#4Tjy=gc(WO1(^+O{suB{h@uE3I`*xXN`j+Tpdr1lS zeD?jeBU#UMzB-1Lu)aBSvp3h6;RjuPa}~S~a__bKx|F_BR4>uvz-vteu-~dHQ+bn& z2I#HLV^z%THcJm6l+DD7NEYO6k!|Lf-z2(;ILHXpZJm7JEHkGM$>NYy&OjMc*yN@L zVOqVf7JKMmJv#HRU>2gQ=Aj#;<IM7!7JP4?aj@xp5V-YyPQg>N8_5V*6_}W{O5J<F zf!EyIbgr8Z?06OIOv1_I^Flf1j|cdqNC&~fA2Wt|`(Z|%Rva5H-9oRW(9ZROhQ`kX zE?j0~<}&g+#35kbRb~)5FgsKEZ2rk@uTR`zlA_EZOC+hrx$EK^DOX{kpyk+`hcMRt z!&Gq2EfJ?P$uGF(TNdvZFDO$^bY%<=D>h<4iVb~y%z=ott*pS=W#v{E1q>!1yS5?Y zMASwmBfb5GeM5*4juEjPgKaZi&KJ-bmH(GFB$RNkb6q&2?nONvOG!(gNGG%bcy#kw zi*Uy|%}tJm2r$!I6Y(+-4a*={YbI``SYp9(8Y1t+=@IVIEY0uY>V$usHd&&*Pwrl7 z-65j!j2_D13V9P*|CQ*B(e~ket80Si|HgOe&EuXiw^>c*d;Q9YTlfXkJ*;UgHG-2W z;b2c`SWZJiBmZQfFCh*@@dvKDdRx+-Qfn5_2li@1i+1?!Td(0m60ZJ^DQHzFQVN*) zyPw#Xshd3jf}jwU5_P#q95Yd{4o04?HY}#A-Ot(#g@B#b;Gz_qL3S1tHBuVV43rvj zQ^?eavPb*?*8die44NFzn@xwy5qWU4eb#0y095qj0ioAoOr^Rpa8WmI{vO8ZZiiG% zx)7K;SEtXubv?SN0>vxd=hZs?ru>xvElaumF_~IiHA!javHXyF&bx{65Vj_+Pye%3 z3qg4Ho1&6+ddGz@u&9?1GDL<5ZV;WT8+96;Ln*r9D%HOMy2q%$yd0lM$WOO4GBRtD zy)@l3km!#GvEMZZ$uqKUXc<l4xRjB~)=&-3-4C(W*g<k?Pku?8qTGu7_{rf#$njmo zr+t9A01K|Sh+>4I-g_w_{VYK)qStA_!hcE`?wD+#0d0-I*YLja%)P$5$?P+SIOC)J zXCc{({{n|zOI%{_f{N@zkS;tYlcbB(f8;@QupsKuNrUT_(bKr}O@y4I>~#{D_=+pL z)sEOA2aq#1SE}|gE=-U$B49Eg;-ljDs5KsTKBIg)Ay!nsKNE0f^RyX3E!lR{x}3(E z1^L<qk_RZ>cXwLS#-vW3VC{w+!HHgp<17jz%6$%V7P8duJHn}=p=tGe*-m1-dm_Ft z5i+70P@Ju^t8OKnBQftd@O?_@n<}@+wvlgOMVdAk%p2C}KNh;z{^h737{KyT6TogJ z-?~qK{i7>v|JYnCVrc~FEce_5ePa*_G;NytAgf&B2w92sWV@sf@I|a}fzIh{dg76; znOSA74ECD{F}9yZN12ahJ*f$|^zr^lN2A`3v>LTK3G*#tgr5I43g--6pURt|IvEv@ zKSDm4EkfM2h+T4tZF@{gcdV&pCqa#oMYu!Vt6@VeNNzKCIt}M(LRu?!JjZiI%0dzR z`nmGmRxD9Wh0`~l@5~m<iV6&9doDgo$oIxldVN(GbCa)YjiH3Upl|avBhhH%dI^6! zahf%ma{So!tGndcnFgdTKx(>?3tG{_<QUmM-gQ8v&BM)y{(%SuErgH|<DB1dCaNnR z*I;4Y*@{|oI-MhHo};`e0wMeW)M9j!p1|50fO<{K@TD332|E~q{1iVXQCK2kOh@YR zs|okA(|kknU3<+xmVNd3+m3L7yg9z!HtUACn@HU&)V^;3K9IRtUPt;!Z-f;coshtV zRBD>UBmLrRcmmh@tEp8P-bsgIXsEl=#k;nm*|RRa9|@tYS^W#t1_Tip(x$}u*vL|F zcmo>EtnBe?Rpn#@AM>hz_wiN7R`of^%FOw6GUS7dX&QR{)3IHEr$+R?+9iA_xo=O2 z^H4MTUEh0(zZ_W&yrKQ(dnSFv!1Lkl1sesjS(-G0S}aVNnb`W~vUd%78~%xME-X*O zCM%$2Md4XN>OsdvJD!#;H`Tb|iVZ6;g*9n=v!gEfqhcX;B`$zba$9_wxJN~=3jY~6 z;QqwCp`F&00-4%XU=ItuC-Msu0_a*T3m-!hkp|1-!Lwb3OPVr_jX6w_x;)-FJb~&? z+<Q}(zse|!zfuRN;)%(3+S$y8P60urxZm9iCw)EE7~w|(@3&okVlvKyj+NWB5k(+@ zHm}=wUT56B8+IssfF@j#Hv?r}hGDHDNggKVGkLWnYP>htzo5S8-7nPADH!l^0_*yX z=xGlk|0Ovs%k4PHsYS>?+Nt<k&hE2R?V3<rWF3W?@!n9r7J|%rSqk*rF)YS#h{Hz{ zc}M#8fQbPo4Jsh**HE)KM!(2}BY)%3(Y3gVw+az(YRtT(MCU8xcjn%P=OBEP7U%Pk zB~lrrXARmokS?pq7+Qds<DG05JybC36^R)69r89F1sJI5U}p2!wfRju#g7&mcI|!6 zG^`5I?HAJ~+&vPKx0l7hk5~_E5(_(zLR!N6+Zp?+sdf#2{~@~Te{lw?x4|&74MHx$ zQ$Nf$J+Kc4srr=b7F0SIuo$PYYx=Gnzt2aZVFxURN(8On8CCfmzO}-BN&k;PHSzp} zWycr66;6p!O{gZ}NkF0lLL-OGY3i(N;*ts*@~?0g_jy74vwOY?In91%HK7Q92i2eB z?%m9>0*<y1P{gygE+Gb<=-V;5MZi4;5d|i-`L;_qeZe7uL0sVgN2>31IoQH_cvUU? zB8mGm3t}x}M0Ru0<S8^i=hLG6-=X2j^EkH5Nq%JLvC=XSY|8V#uj<vEMp|LM6V2Q& z2>-S>tOelmOy9I)-KS9RPgQ)sg%&5@aL66o3aHAbFZOC<>)*F!2EJRYD*;;kTUnBT z_OTXJa>m*C0<UJ(hi>F(cd`OtpPVG=C^Fl0BPvyQ#WBYMzk6N8))%l<3D8;!f~j}t zFRa6)MQFN(jdynHq^Y=HCs2;FL<N7lH^|B<mk4O{16v<hLlj*zEC)bt-ad%5>-gYy zl<D=StN{&b4sz0&I4Ya<pkc73J#81uHl>+<QZBk@=wL*i(z)jiHWA9UIyX43mBzA< z*7Y`aX5aWgMP2h0GzHzI8jwna5-0=kH3x>ETthmL&Xu3ksD|{d8Jr}lLpqL*9Pzs% z6C3~I=o!5^8eMQRFbGQk8^o$|c75V(yNBom**iv~rq5OL9?)o9i<fo${y$;}J~#EB z^0L(Ei7ygKX>8)5PYdctFi}%2dKNS3_=?CBQqLq34MWF}K%1?|qY4sThtDAsvEHMA zx(G>gr{?f%So+qR34!Z=H01>C$kC*r4%m^~M@$uG-N%z{#7_K%#D}t8jS435t5P$J zt35ohB=i4a?3{swVVEGjw#|2K+qP}nwr$(CZQHhO+q?H&cEKN9(p3{o&=btmBv1Px zd7!>Ev+D+(qavPaDBQ<vk$&1WpIbDcFnoF)YTb!{PwM)Nr_ed^kElg+)MwT4k-ksJ zn)UAVZor>ub9qZR>@P+H9zk|jUpM_lE<DtffVZ-|NljJfGTNbaFEKa4;#p%nEOx)9 zj`llUrW(mL89FF%NG_)P^~E75&kb|2+HXe*bu1?zXNWDIO2}nACPzlHZ#E5P$SF_B zX7RkzAWL3KBQ396<LB9>&yLAr{3!p55{{b$ho8Pg=7rs+#43Ku24J3Q>PC#Qjt}uK zEdDyYBn%ngPb>=sq|5xiizt~d6ol^$yoK{8v<Miy0=jk<&32>q#?kZ6iMCa+_aLKi zos&&ePB{GSV>0!~2ua%yJ&?jE4o0@fci8V#g!F_;(J_BX6`f}u>31EHZNq9DgZG_K zC*M%YXf!n6I@6i=h~hvyx&82~S(Z`&+&qkgZOFrE|E_fux$Tkycs2tcX=<In?FfL& zRdsn;u%tR3CbrXy!RD&MKX<97sb^(V9eaV1Ai#LMIP+6pIG#7qqb(#qP0nQ~HR_xO znv~pa(|W4XOV+gBPFM~3MKNd~T*E*gI**7%ZB+lrgSoZXLVc!!#1jFNibpGDzM?G= zm6Kjxlx2*B9?QwSq<rUGHf9iAs^c$6mHsSEmV;=lJzO85X}m-DnKtR^_33I>Xi|wd zH~Z|RVNtaA={P<fq*usBhoS~qlbon)G=QcWIT9N;gy0NLZyp~&YC!x!z52V)61C3B zxHltBvAB`|lRKknh7oYe%dvN*@Ka0GV5bX?vkCA*Y?L4(LM04*k;*sUi<yq5M~W_# zp${DdZ)~m}$ZAr~ZDez(V^)@yTl%(~lWSn~Rb~pX#{%7|$$QE3DH=f>WYGDmcPXVP zUk0Z<Pq6yT;_xm&E8A#}llvcXXA2?a!%&rdd)?n8WOzH+IiX=02A!;lo&&4c?pPwg z{Db&pGiQV^d!v!d5LQ~;whLiUf_-0WbgezaMLZJqy4GI$8I!!pQqsIzdN}{GPV`Yv zUU9qvJ2JmB%A;Ja>a!5q#QCNmkTUNr^USLvQlDdxmCnXRgU1^SZuI+o57HKLkj5gh zT6Zq-7{QuSqTI%PvEctK_4*y6%9X8bDZdcbaZStxTl95IcG#I?@Uc<C=<?4J`mvpC zSkRcb73~v4h+W?6aj2Ga6{4)T{F00+Efa3W&`uAqWFq4%C{`LACQG76_8!N>rTEI8 z`of@@4csn_obA?7yc>~Wq=bZz$eG^$x?L$kQcdmnI5L&1-c>`($=;b#VUTWwCwLgv zCh_#Fwj1z7q`R*~8HLpGMK98-t{zG#{cs+(w^R0WPBJRp?1bAM_EPJQ=D_=;U9%oQ zvmsvBANY_wD|}Ru+33IGI2evu|GMT>N`6{~v`P0$ux<Hxo3VJ8C>kL-1PHyeziah> zoFDfWW_BbXmXcVd1^P%vnqMno6p}na3F8zg6J5)T5sU%NcCQ&##<P?UTJc#|G`k3M zgu@c&L9A=Y>crzt6_EF)M3Q^oV#*a)wey)QgUkuJ2))Ss2WAyeZewM`;aO1H$C!q~ zU#g4Ed=H9Hxzzj6BIjOT7`fY37h#OFcc)U|WvD3=jvcul)@?sbDZY2Pc)FDdukTgN zOm?Njy)A9f>2Gu0Q)wY+`(SG%xyrJ5g*#j!t#*PfiQDRM<y5P*`}mXI0$iq7@pY4_ znucJ&R)@W?Du=EfY!)>8O-P`)T65FVLlk)m7NU6~EDxY-yK&PxJVNmTGkW$8!bjg~ z2<_F_cc-QMW5Cuxir%m*h@zqvOlq4m_*E9ws)m@au0K`)Eb&`Ymc8CbuFQ`n%egs; z$7+V~jQCcmGm9HCNjtQrl%1n)7oc$fXku{4E0Y-hi%TX9UYA#n>I$I=?t_CEbt=xs zdkCFd){kr8RjiO|xgY)RPt2|-%WO?{iTFX&(Lj3|<@@q8kBOZs-P(;b%#AJ?yk02P z6A!f|*XiAXqwJU9Pk4)j3i0)@1a}-4?rGNNCSIw05`F-s6{oiM%wTgNSEwy^Gg>ml zLil!g?ADM?<vyHwJHddkTYD-hopw6RzY|58S8^&K>8vWYhuB4a(Xw708P1hCrje>4 zJ+IBA)EY&L*Ibb|Bo^;M#HG<#z!eO%o60swJ`hZ#V$LpSPn)WDbYcYU8!qOOhjmWv z8JuOo>UVB^-|eDcq}KR*bj4`J;rs{mk_Lp!Oe@amBF8B+ZJ59)vg24Qp64{TM{Xr- z=?Y`srs8>Z5j6kXcIG5u0Xgn=2|m|dp35%U-h?ak@M@&`v|N@?T7z1TZ$pHajXZtd z8o4*+zzL*u=Gy01MHu6d=o!gh^Ux!6HPaDS!0xcPk;mWt6U-&n$Ov!F4hyJ^XntF` zXqlYCs7!RM&*=Z=8<GndLvZ=%Qi*x3qwRBr&n{MlR-gF&WfVA6C38zp{;GA!byP0r z39YlDGTPw-ebd4FR|UNU-=_4Lv&edX!N}icI)Ns5)IKkX*obd!Fi;7=D`1O^GDL#p zaPWByl-@dWAQm%a$1*{d60^r-$JQ5@G7R-u>Z|p6Zg9lf(FFb;qC5!Gs>4B$garpV z;j!AzBYTQW|CNU@14&HiW`IlrJN-d52L>OHlqvo3J&Ag(I0T8_&09jdl9V2i>=7{| zhS(PF6lTgU4qwXbK4W^-R=2s=9272jtE@0s$c-tTX4%HpB12QUn@~t`R!xk-*y#(Y zB*`r&qN8b9Z{A~1IQpvadstE9eHs$DcuC?vz4*xj=IJn%3#B9zln3nfvP^fUhxu!u zr~g_pDHF^)<mYU$OmkuG`2}*?Fv`oWAb|0HL?LU>y$n+bj`X&fVAgEb58YvR8^-%{ zN*nquH}e+iDC9xK8p(bm35gmLR%O!*jl%plF=G8tl7&UrzS?{oy}U*^@>%fXEmPI> z0k6qZe9wExZs?3a|6wPC8P9xTW|zmp!*bnVW27yFG|tcqAFD)=@@70Xn*fX^SB*K< z>vJfqhUl1Zi=GnWaoSugA(VFd>7casQ=x;&Y3n^|J|WHF;Rd1Q(#V*BP>rt%agINN z0~>j%6G?Yp)Rhi8^>gM@X{=Q_KE%|8`zCBkS!FAU_q^$h-9fyw&{Ne~r4=Y!6g3E4 zGJ~bGa$S2=xTwp1H)}iH<US9`3?CzAx!awQ@2V9Y{NUMpv*1ZV{p5AeB+_MF()q2a z8hWff187Sae&nMK%M%X&M#PjG%wh3agX!CHM$@6$C#`&*9{B<8{g@Pp6GnYKArtAC zYk0Aerv_eRT_GNHT~jgh(K&ApKagm6!-s5%Z+If7IL3CYsNTLsqa<cn)t`^MymFl) zf0$*uR(><x<cg9EQ63$X0bfX8aD0gX@;yGeEv_2dy}wA$%U}D34JMyOpxocd<BC{9 zddUTg(P{C`vmcJjYzD{H1i_br0fyS1{G<Y0e^${=Wle(j{?W1TNJDh9FRZFgDCSr; zXD6zAMAyU50@}nE$F3W10>lv)E}fFWm+=ky2%Z&uUsXD9C12DnAs581J}3PFWMQ;y zVD9?QsMLrbsCy{Afbne_`eSdRpDqE07u^XRrZ!}dtr%0%d}c%Xt-d8Bt>HyYEci(% zVcN#3C|*idKgyBNT6Qs811VV3QRV<1qkbc(PPD8%kc;@cqUt;AR5s0KbD0MzP`~s1 zFqxXl+PSP)DXj(^l~CxG0+;EcRL;T7(c!T%t~kK<Opl`f$U!jIbt5m0;LEN3+0)nv zF_TXpbI-to{V}8s*ER~C<Wr?F+RWNOexY*>E%6(6!wln!YFQh*VduOIa@v<YKisRD zw<;n>wL{l9NdPLiL#Dd_kNeXXW1Ph!W(NCu#k(YKXGqv5Tf%oT20^fNtYOV^qdc8f z<&ekkw<ixGDoRY!SF#)86#^1VZ*o3q)-sh+@|4<G)*RuWn(;+{XI|XLO^3|CEMbP> zt#?EnmC48_0jGaJBp6^(<C`bkr>;P=mnLi_V_(Q0`i$2z?=JP|2Hwuw0kl25HMT&~ zUTFd~vPwqpvT4Xh@XI^lp_O95xMs%?7<&)IxRtCFV0eHc^dX}ekMY*VujXM3kVe8g zrwQMM0o|MV!nwgn-R{~Y@SCgkbpW;_nR5z-U$SK%MY{HaY#`e0`S1iUd(f4XAaUL* z^6l*21z70xh35qGn}!mO@WRlasZOFg4BY#Dr4@b>ao0bmL!;a&;$7Qg!mWng#1mEV z3of?Aio{fXJ&l%YOp*d8jaI5ML+hs1F2!GS9rRZsIKC;86+n5G=js01^ykgx9a{B4 zUW2Es&XVD>ipqXN0&7g*4@SqYHPt$+6i{TfhW8V>SSn?^ffw8a_nqhLvxMo0--TI{ zfq73_eTjI8=L`>MYF$(Ogq8W?kV4kr!IA=kb`R8$*&aRXPScBkp?;7n{N7=<C6&pK zvc5{1?w{j-w|xNC4DTnfb^MbVk$=8Tx1R^45nahiY6+2Lo7&BgI?(ST5xd5sEXzSc z(y5!@61(mfwC$rR2KTx}omB3l%|*WmWSL7`y#jS{Dq9}E)WjiWW+Xn4|C`~1ETJ7+ zsi$utD+ECHuKIDPL{an75yCf<AHhff-5ON7=(}ve(ju?n$O|3bX0_R$VsWH$i6W#~ zd08HyDWw^1Yn0IvZ6S-VxCNx7f)40Z62bY)H!`s82<yAqd^aAnb04VKq$J!tBJ7_B zMu?mP+F5IuE*MY?#qZ9ks*&BwN{uvLSXg$p1K&=sxB!F957C&Ff=@NZ0Gsr`XY8oT zQ(Q2p3Dc@1MBK>_JOr^yP~f>SY$^5eqZ)U*66ff$`2T*TTK!>o6R>X0+AHqyJK&Ct z2VLqCPGRqZluB7X5g#$r-~>=!jWp19_B+Vc7D&fRZYfqTRycbt-_@<4lEjw3+Hilx z3Dnkwq@?&?1_3}h={P=?$g41eXLZUG9RK1F?BcKZ_h>y{HQPGtDX1*|D)x!5#;0@z z&cHia7yij8G*3JF?BD#->ChC&T2cOG9y4Wj6TIv92{aX%8T<hZwo2K6h=%tHMdOs4 zHOVFiMMb>Q^*GFov9Ng!E+>;_uRAXb8EiWD5lgZv04TS9q(j?S$|dVm1;Z?axth;F z`n`;LxOy>QMm(lw0njX8K}i7HSS=-`!FSyBJEVKypm~-LUmW{?<c)UuWM6?4-Q4Qd zsH{PYVb&C^Y9~r*{}_Y(ZNuvi9@!{b9~onItDvOU{Er_0QU4^MYj)OT^N)vKfFVv$ z!fSQ08a`Z9=e&e#dm4$G5Sr!hRh?Z537>!)e2m`Zia!;Nm1zPEU)V|oLV}hv*1e1X zC|q6LW{!wjVW_40K8pnDURvrp<9S>dip4|e=+t$~HK87=fMri0dCLp}TKJ2ju?Zj! z2G8ba1kUhcT7GO}FzWcU?dJ4?&ms#<R?NU2l5A_4_vwTg1=-foLkAeljS2<D4maNG zbE&td-Jhcr6-Vttd(ZJDx(7yUCtlW>{#gJ3WD&Sz0{5ZiffHtqnW+vg^HUt3wpg9( zdC`3k|9JPwfh3hy3mEPdZXM6b1;z?A04+zzJ|{cHJ_>fBf=4!|QtKYU>aPuAj{PNU zFq>(wUr#|>jW2RGwXabSGwK}JXwz3}DR4%j=%g~reyaa{Z>&S%3&Ub+@GPS?+mwpU zM%%Bd#q8CnftjVL|1-QL(Da<wRmt^tzktZne|h3&wRD}a1|k4ZrEi=U9-d(Dc#fi5 zz=HaV12_i2{`<7~ljuQKRTqt3y)FWz647)<JCUNeP#;pKF>#i?hi28I1WP#&A!42> zJP7WNDBFri0a4G20-j))n8-VLucPtf-HWFRTF^aLDyf19PF9syc=d|%ox28I{R<ky zY|l9Y#Oka}4;7PQa;-urlccc_E)8%gRjr9LVF@Yv*Z0{*=@#-SCQzw%9jWLaJ;Pz0 z&oJw6K7Uc-JBwKv6(O~^#{#S?rT-m2>iaH%ymUi?D4<lj>;Y#YSZ1FDvYIz0+|S)5 zI*!o=ksDHMbj73(2T9^)t#_--<ayX1>BHa+%}yX7#PdJt5*+`NF2Tt1|Ij5ESXuvP zMDu^$^#8wfi5fQ(c^#WHlG*{9_Ys12FMBt5gzPAgj`prD5H~kB2wD68^bKEV*RIp+ zGV7ORiBERL<8^ax(`sr%B`i=_Aw+i^!x#buT!U+#iHZIJ;CQA62KPn<rrP8pL?CsP z5Z}tEAG|-7Ux2_6oY|fpTq6pL9l!$si{Hqfd>*2I5J>;@^i(t-Al%<t`(|2Z1_xl- zauSQVx!L*8<l_p6-uVaq_^7m}qk_f%@n{6n9I~+iNR!K3{+mxv84w5%&XnIjqJsnh zzc9a?f`kq*KQ&$rSR9}xz!fYNKtxPP%8AIox&v{3^Pe~{J>Ui)^`8p>hL5quFB^+j zC_F8Jmp|bD<x3d<I>4SAf;4|XF92HmyQ-ePzT({hIC=S3<OH+~iNWIV12|a`Nr@fx z0r6gw=KFzctOxLNSM%1xGm6Cb1ob53bi@Gf6IB+LzxO$Frem^y$Jp5Y0s`}s;^mIw z6OHvz`~>;Td*{P}ovywDfagaI?Wu?I`!{s-#FPYFiCx1pVskzD8MAL@X=VMU0de}{ z&M)`Rt|OV-{Run`{IqfYrI79ajqmo4jxN6BZRPuQ|0)G_1o6x-1_K6UoDh{J42fAQ zIaz^>_6-r5*Z=|1GyP22UYkGRr6bSZ<^d`E<zQyQBZ7_MTS=+;Gt7eoDEvFVM?~WP z`CBy!{p%q8gKvKKD<1eGy7~FDy6t;A|9cPr^XohFD?@W@Zcb*a|HSb3qrvPSOKkuj z2l~Cm?B5f4QmcRXbD8R&++KX?>v+41#p?I7_>p?MOHU3O5EBTlmf_1B9PWRnE9&TJ z?|`0HU)UZPhtW6G|4^v$ySBuWyr!P13Bc3&Da!}&G$k$d8&aN`j-jspOU?VyL%26m z_|1BZ6a6X5QjpcuR#eS=?c1vPbEov3_7AG8nh9(F%Zb7nf9Heu^9T+RpapRAG*z_) z;Gse$^S?5>adc|*`eh^dJ23dIYswA?%ISdS|01#@J@sq++ne*tasG`Fo!*2n{&q80 z#(}Ah;XA$NgY`2Y665NMd;NX7@H76wJM$y`2jL8eML<0h6zvY|OI%jMu6$(t5*KOt z=FA}U3ciW5QgM3rsT|1JlO)92G4-rh350n$=CP}(eHLq@>sHct4eM&4rRYKmH0K1t zJz?JIw6IF9#bNRGjo}g%uPDn*xJ_qj!j|96p1%CnDw>k)0<EVHF{Y()vrqfa+<QFR z(T9HG&L+MmI?=MIVN?EUV7}@pR*w7#4)3<YGYstWi?c4j%k9B}spx>h9oD`ZDOTbT zSNrA0_9}WeKQD*f*!CaMkFNoD+5(SCdJpsN!c#RWo6#8ogGag+&f(O2vKlZ{HVl%x zqe7q2Hu4gPp^>sVY2r)h*#fZ*9@OH5gkP!T)1yQNx1S+eCmt&N%UmpqeBJ|Q*dAnV zz*(8%-*u<0remw?brx7a$ytDFCJ|W@R5v^HpJ8EGQ+LfZPyWnIdVOjBGj-OrsBvre zql5_Qj-dcZEW>soKzsA>H^?H*AewL~*PVd$Li!%92i_WC8}%&e)4vzGi)WC5r)m+} zFXLkuv-&+IGE<XC)hn&<TZnj*+{p*B5~owR8oxkp^slC}id2HTbNO3+=MJy89dF7% z5U|U}S<CP)88XeT%m?jASx~y<7BD=io_$z9606~MaUK^GV40)Y`RLE(8Iz2zNxT<n z5$o_mV1_(}h7t)Iw9Tdzz%Z#%&0>?Cf@NGIok~;7752P%q$(mHz^|#8IdV4&##=HE zp*88f^jhyl4X-@d-~_jV>G&RmpMFo192{WE_LP|ARp--Kq*u=**|iHB&Ojuk>_u3W zE4<#6<3YFe2>9|9i`G5EAAC8P?BYzPi)*%JV7?Q@zKZ=KhP;L3*LqO$;9ROdSEa2K zH#760nF$!}+n-x+;;JkW*P8F3-<)2NZ9^RkbB?m?hQ+sI)i=eIu_2BYAPXhr&)x;3 zW~0-yl-5NRsjFT1SqTk8w;ZA4xjR>_vs3dd9Nq0z=Zc?x(96JsICwup?e_gMp`U0X zC$N#;)NEI-1ZErYvjdM<v`SctblJ*#$~*qPCdRN_S#h@1jmInJ5O%3(=X?)k;sBi> zo$qpmEb$P-<${=$PX)B0pyMo^uR+$s+oiL;L`Lv1&7j@<c$o#)QSMv@U)x@-4ZEaJ zI3mIM&7M*!nSR~4fRn7KbP<I*;&2%YPb)13<Z_{RmM51bh?^c59YjXHcJWNk^^A+? zX1*MP+sm7z^aF8Nw?l`)b4HJmiVCjXW<8WVY_?h<;Fz)%f5V0=6V*J$CO=-0;famt zCksBwl+U@ko+sDGX}fc_aSiA!e`3~_uU9!sm9VnGpU@zgc}DB(gJBQ_yR6A#)Nw7- zQ7Fq6!7&{a{07#|1ujMXi6wxF0!6y;rN!|(8EcJCuUcJDthY6DuiZS2@D81j6a$|^ z&yg~Xgc;SzF~}?>DA|)-JKJK2jK>GveC=}V3D6J>_VVdLmvGn6^m+Xp2ep|q&xg_x z#bGari1K{5@!3n{Zl#KF7b95`x2Y}{NI)-Y0ZWZn7Hk_#2Q+fOK_5MWdPgV>lH%2F z6U;6@jnt#|MyG8r{gCVhzCB@iz(WsLUwBbX>0R*{e%*k__=MVL3VrRWg92C@Gv6KD zLdH_BJ?+hh$D9zNZks}OEb?(=kMgX)=A;3T=GDuCp|}_wScYs`Q6!1w2TnSF!p+K& zAjPLHk(tc?xrNk%>DI!dn%u<#Kc$U%!}x|ir7#-|OJSy%7}<A?sU`6b1O7b*s4sEd z)Kxi_U}@}mL42LdON;_Dp{Nx#hDuoB&?SxL!Am;ZBKeS5Nj4^q6zLwu!E7OqBZs7e z@n@GY?}LLO6FjyH&?ikc@Lwd|@1Pz~CVv3Cq1sGq`EB+y<0HC#Hjj*xkYQXxY+;5# zEx1uz*oa3-?`<UCF?w&D_uhFCsF@}EeSBJw@sKb`Qb1;Csx=-fmd-gbVugSVj+#tf zoJ$ON_CL&qh6h#tfTs~<h5EzwoT$_539w_+U15E+8Ffa{`c#z}2ocV#c*l8k$P+~8 zzuC{?Ap)1F+*327t$ApHeZEvyNSd1ywkz(ft}EkeI)WkLTD!qdqvpd`?Jz1WMEKy= zwd-Wewf6oGU>`?&+@b(Bx?b$h+PDVmr+b2?s?fE-WXfM$`~CCIK;7k*Ouk}szkL{o zApOSlY)imcj{GkX18fY;!B|w$u8t&$0wB@jIYIdNRvnl`rjp!?f-^=lE>C3JmXi_) zKwRXFa;t3Ud+yo>22JUmT3qh@*S(rNsYk=#%VsXsDST<-!~0b`fd{nrh)qneltStF z#r5?^F+OIErjHdToS3#_+vym)c>P^BR9e&7^pDPAz%=W&DiJY|T4TK%*s)b0zQf{J zi11M;T(P#qlg{Z~7t43?Dd@sEOW7``vx^1PnYM;3RyHJg1qYsKDmoRDwptO^>+2J9 z6*cyfg_nIjt=U9KuZ#<>Wr90>JQa`8>K^JyVziiC8)iFTIHH@8HGm7ak#|16eOCdD z8Jc<tq{c<UqAlDO^c?h~5BJnNB1U7T^lXIQO-gFC?2mC?R7{6{0amdOwfXH_EX-lB zOwEx5D0<{`gr|YO+XDPbw<)tBGmVaFX}o<%f*>YEk;&onH3tn8cq}Xjze_7T`t_Eq zdvlHang%8X6X~5olJDQyu@t7;v>U36II6xa(v8E)#u(J-fDXcOl5!dX&<cbOt$?`< z`Gld$^H$ra&2>RA?i*6opG{u1B`l)h%^;Mt0rpmFmQK-nFLO61>^a<jg4`Onv76^B zqxzR|fZ%ZG(C9OLAr9u-OT`u>%R)glI~%P@`kmQOp|!^Rbr}yyq)4ZS+?U2+0bo07 zJ2SC(^HW+2h^<5zE1yD}sww2<A1s%rCr|Ll_3w91G}#HFfVZfw$r$P)vRhaTVfb>7 z10O$FmE3vM5O^c^o&Gu#NT<df8ibUdh*Nk>K$k%{eV!b^L?yl*N;jk9+_aS=MB29Z zxo00T!B=F4h6uQ2ljWfeqpt}vk6Z^kmb5PUL?W!>ou*N28?_KF5SI=;OlO3?vL=Zs zYfWALR!U74IFPQ7U=-E2zlTsTWv_HHyHjgD`B}WUN%83i*Z3;>7;NJr7F|7?i$eUI z?vL^2$T(`B-I(qmCW{Wfa@J;gQzYz|-nQR5`x&XEbBX}uW+l$aKB((2m@<x@Em6(i z5VES&vLA>{KcOG8my?2muae825y|gLNo&<Li)$gbZD%#f-FTDB)VLJn%1mI}#Px6y zEk2(bEVja{TU*{Vi1#@Nf?tWxxFwo8_bojLK6*h45mE<ey<3{>tQ_VFPCH~p2BPzn zMP_$3@gGoR%55jcBW5Ok9Rh*nCx0|>adL0Y0tv$&H()`<<H<uqdtcohM111<myu;B zV<L4LUn_)QQ#}m;hLR$4Pie6$zFD-CPKshfSa~S_jX1Kq#4UJkfK~mfDt%?K*^==M zvWE!F>{4z%z|XsLlXbFx1=u;uy>1muHWZ4^dV#X?a-pq3ueu)GM!6)3aIcZj8yw91 zXCpXtRuH9QUOWp}t+mydIW}3Y`PJ*N)Tbp**ZiuPJG(b6c)H8lu?yYM4xNAFsiyu! z+TGqF)voRm!+HogCaRYU)M0D&W=4|#9^2_Ur|Oanu9<%ZI-{G&zmJd<OWu_rqqS39 z)>ggokhKYGq$iGxW03VRB{BeI|Lk3K6Qs@h^Ib<qJ}8J4N8GFrd4EvUWQ8%vgwkTf zW#6W1!Cq<_%)Ka%LY87;Yq&+78-8aN4>C0}x049ekCHp_*>;+8?-eTQcI~mEM{NDL zC<uce`X&_D`v=n<lSZ%{9G<(Nd=$PBlkKfWbg=T1Rn{|?dyd?G+AEmRh*2}pUef|N z?1ld@0iFY7&pueHt5<KmxFFcA0F~=jW#}7jM!ZQi+5%vM8557@2-F-s<G715h0azI zR5~<l8ta6!A=zq*anA7%;hJWFvY8!9#&KdLrVCh%r1{_x^RCp>)m{Qk@W{$(@5zp8 zo@J7O#MQ>GZ&V0wQ|G)WG4|#+#6Y-NNJ_Rq^ca={+~wvM1-FSYe+?nON>HdUQX}@E zdPg&WW)oSkQO$`#bpkwY2BCDGkCZ?eeUPCr;{gSX|4A^M^MkMq#p7*sB2TCy9`?Et z*U%Qf0YGmsmqgn@;qZ>euVekB4gZgJ^qgrJS-;Xo3$@R7vJ_E8Z(f}10dj-SE`LYj zyQG1P_&gaTfL%WX$O>UjYi9?vX&1V;EHu+<XwGUoveEt^_^d(X=EaKZvTQ6rI$$9% z!ag{S?Wu*P1Iqy{#8`$Fvl@XD+F0>=s$NIx-dAf_f%J&;om7iG2;vGPQ-=;USKad3 zs6+6rQvP)8DqrRT?zd9F-A04b)!MZ-DTmJSd&y^q5&;=32kQYU;7J3(EWgx1-EiRa zpb2gLt&V$2QYcT;yX7rUXhqs(Tc3g+tk7mhDU^qi!0vL-$TTiW4wvUi<~znhZ8=%x znRn*DWdPj>eC0$#Q^AsQ&7K&?d4z=^#1`&^r|GbqK9y&H4VY(*!^M6#S_uQ<``V;E zy2cU3GCoa!ZhFBb5gK`){|kv*3vWAZOTcyCr5XIE!gbz-$7zt|%8#sP`T*|ELgihE z)n>3miS)agrAAaH&Gq1|O^ayyXrx!&%^QwNMMwND4SWl4oJQ}aSh0U_6%*ui$pT(= zF|~O)rGX1f;^1DwF8>;99clDjA3(rpQ#Q%ASuV)_!aI>(p><MbG~gwal7xbFGpZ=R zJLHj=Th*iMMMcFID&kH25;sa<!zF9!Odc`K23OU7_1a$!^mK^IfkL?ufBPU*Je1C^ z7McfQfS8eo2uIC^daXP0=*hm1AbQgh=T?H0GwPos^#*vvioX1coU`-;DO;`t4<9^x zb?aE*b}ZM|fVmo5A=!wL+^;RMr~<;`V9KKcU(g|LfjfomfM;cZz3nqk9WqD8RgYGV zj<!MdenYdYfLvUoVuOdiVQipQILx`e|D*OuTGcMaFtT~6M_#^!{xXoU#1)xh%asTF zu;JbOlr}E;4FT_tjmP@b+Hl@C41cp7@3tS+TWj&zp)k*aObE%2ppT49!n?;`R2aRf zK}8MFso7^7->1A>kBkzegW;o9I*NOG``3dB02A0Vpk15W_mz99qaAi^z}~fzkTB{p z+nmaw-VCwQSR^0KFI=wn0&Q1>2iM_5Nh(4%cYCQpC`qgoBui!;p{gj7beWrLu-91i z*5RyC&4!k;mZ*!Cl*MKc>2U4}Ry^y;HD*$Q3}85Z&Dd&h7vT)kp6YOOs9>kP_2Pe5 z`^s~_SV-h}Md)TwwRU6hGgHha4SB44FNvO9_OvJRsd2N(Q6Yi$u+gsU7!go)_{&S@ zjdul$%!Yd6YW^IGc~K?AC7B@2Sth!F$ZyXBe8%=~e;gNA+gW}FHbw~)wGeT2Lij40 zG)x_|?dsWvLYD8tKF3v`FmDBO=Mu&dxe(N`niS^i0ZSNrl;m>QN<zs!sHdS*EOahe z56oMCOltZ@ewb=Vsm+8XE^pJAXs;Ri-!Edv<i?bpCemjK3$hqWw*4R0hP9!}z7oHy z6_9WOg|JKvdb1VG#jiOTn)5-ST%YL%BY#k-zrf2S_m0hwPH67aq)a5mM;x>+57&nY z#Plwj+RxODDQksK?-mzp=-!!3SHMcFt3?c#21m|7JAq=wmY#+AT2QDm-wMjPvf!Th z*YeW2m3Z3?joxa++D@7;YdMPVLS#xC<jR7gY3lbR3EA39{AUZC#ah7ogXXMFjs}*c zLdeDThbT!kD(qX^HkmekP%)hv4B-(Yg}#f&Kh=T6y=8#RZ5O@v$&j&PoqJ+JV#dYO zbW+l1{V5|iS4ioTy<)-53U=S&ce+d`t!t9KhB(-4*D~(cbc*Y-ef!ULJ#mE}0JG*x zp=L+<ZO?-`6;1QES?R;!kxojH&iy-;DgB8d#pRgs*o{Bp^n~|E>RAuCQrAOtMolKH z2TJA&P2610kTQOT*@A2t{UJ+Vd{nOTN=jap)aEoLtPa;pNwL=^68#se$(ijNM@pOz zc@By9XrJ5#rq`A|ul(&yv$rp3Be>Tk5DMQ&tQAU(K-SO{IrfM&HL^`sGCTK`h0gqn z(=K$Ow9+)aKBg)A&}_~ZLBoR4w<S<@b%cgVc5W94Xu4EK7Aihg_sh8A!~%K3=Gpso zbP^-ODeRPSy4?$cmq_ayop>biHWUIq{EcWKm#S*q?Pm%j$G1)}-iG4-QLVNpRz6c` zem&n>`YL60Re^@LJqr#oZ$?tr30cm5{8)GC@icH?6}mwSp4jwtN3;yA=wl?=?Y`GM z4FOf<zjF1Qxg$sPtRgL_wN{12eIX5J9zL;b=JDh(4jh5fo8I;~%HCaTJKVlvm6L9Y zTFvj`%~hBRqP12oH0qK&G7sbL#G|C=ZzhDQoYb;zzt(GJpMa(=S$Ca?RkF6OnfgdN z7;3?aES*2ec1o5K5Ze&ez7bg8%Wo4s#4z=_YW_{#s19dU1k5Ae>&|=sv@cLE>;5za zFQDJzy{(f%F!mwB-%;cibP_Dz#XwpW1(JB|ha&G8TUPuQ$i5>aZ=KX+qfohJD@9NC zBlN7erK8$ebBP-V+B_o4Q?nc*(ZCa^tX}rPnUD88DO+e;50(nlkNA+`Awvrbbu?jh z&|ree6-BskS?^i29cRR)_1DR-K8!~7>hJ_8$O@9@<mQCXcvEB<2(;hq8<rVAuK79J zZ^ah=etBf_dmb%iRiu(KND;WLob^Ud2!vv5D_w}qHsKyjwA2Zw*Q}+!Ljv(*hj87C z4w9Q8(vEkKiM-fr;^Yacn2#{a#)qq@cX~fVvC)&>AyxG0;r@BK&q!QYVq-i%Y&t_q zf)SdY`KI*?>4?03={mi`Q?N$+ho^1_fi8slmQxcUPu6;7WMysgJ$ye4yKV<*Vroc~ zaQ)LMyahK+A3El_jUVK-X|3}rnEp>~)b`C-Um*F9Zg*=m^s-r8z{)m;(_XB$0{v`h zldMO9%E}qze-b;Wi`m#bEiQ-wCLznLuazz|E=Q`3sdT~{gayY?fK@4Ls?$DfhDB+j zJ68@xmg3C3%6wX7fML_QF&-|OXDbEjv>t1DXS!h#jH}fNyW}3J%Q?nyu~GCJQd?i0 z+HEk*67rQBp3~`*3$9TVkmiFEImT(2whz-){?|${KcuAo)kYrVq2&fJ+F?Mu#wckG z<lBA18Ua25GOW@hoXKOb3K#fEcjt^{o0qGUe5*^4zn?Nuo{I3BM_Rnpr$AVJo+P<( zAYW`vt_2KpLoCpBpuDY<k=Q$MrEt2gKz{GNF-g^{LOU$>l@5Qi2|^YG;aqFx^-Ess z2E%q|u4X2XGOol$BL3{l4|qx{*v;=ZJPTmsHgfQz4l~O2#-Bj<1iT1b<Ep4TuDg4u zNslBVbzVQYQTsVPP<#7*j!z;!GFgI>OcdpN2@&1wozC3M$;~tal`r2n*PmBerAz3_ z6!CAJp`tLNl#df6hWdE94^&O`Vr30I2J#qE7oK01YMH3BES`#Zxr8VEt09A%U#w{| zNFFEU`j*MC5C7Cy9pKCQ014(w2$hG9+fGckFM!Mk0m&Gb7tJWOP#f4(KpzGwVDmPQ zOzr|A<Tk>D8aKgJX4~hlk%rvIvcmW0pjkN+5(TJkF{Wa`!9i^0On%oadRG#V-fdMN z1{S$Vt1c!ZuwnKlcR;)8Axs-D!!h-NyMi|qh+5oYJ@v#_jn}%#MWO8UEd=LccJmFS zt!c0=tJv$CfJYIn@KlI)xu&5sp3-#^kvkr>6D4yPaagY$l~xb0>IG~F#?nj{r%B-h zyL{6kJoykQShjoWZo@w$2)SV9N(rY(W>F|SzqokSF#jtWjf(yRh#NKjb)Nz}Rm+PQ zGpbqHBTdbOfutQ+NQxl!JPwYPiXYK(V}9G_4UK1$E$%V+QQNW#<5{R}?cm+n69p|V zpApTFZrgWffjFsaMd{&*fY-aR$Z5%js-$dR*QaJ-%5Qr7C~Q}zmtv4tnkep>3D{0a z&`PM5fUr0g6E0&P4~vTJZ$NF#B{MW#IlNGNK2(YKWDfAH0AQg-vlz9ZU;J*D9_wuL z@=Ei1Ol?ha$!KMYxI`oAxjiY7lvzJ17b3-I*a$U3WcG6sE6m;pEYR-8#L<YHtV7fM z^Y{l#h36lKV2mbDpW-=e=P72fM2X+IOAH(j!58_>OgH{?u^oq97yeKWow#>CIJxrh z_N*}{Ft_u(FTD3-mCFNRDP|LgEj>YKf$U8Vr~w8`P{FgtC&X920dbRG{!vcR?DIrJ zyX$}=fS)PQ2-O$r9E3_|Z5V6+VDb2JC2@;`42gjE?rXy4DbN;J;FPyL5K^x>c*3Lo zMT7zR&paHqZOpa$4Q{DAQoHM*B70)l)cj@n<7pqQX4PZ&^WHeLua;<ltfP?(t&D%* zOXDoxGlu9!H?5}qgw4e`vHqS+kAL8y<L8@TXP}1USaU4n?U2T+%<#6YC~CLJ#6Z5( zjhH1fhsu6`D~kOp$vW|MKbPuKtK07T6B5SgUsI&xiKdH_j<+BhwsbHY<8b}X>&T#m ziX1;R9v)?(F6)q8>-J?jHi1^`_<|<oZ@L~oLqMsVP~AB877OiO*r-D!L@`eedG@iA z3uiQ63Oh?gA&%-9$&`hSeMX};()%Ad2gbmS^E(f4oy=anhdjjqq8}`>=Ee@hiXhU) z@ii+&pu}G9S@{lV$O-q1TKM9!;`O{BC0n5m%vNA|mBxsB4VMtw?l(e&CMK!dU<M+v z29L-@V_k|_TG!w{9=m***)B8WV!dN?M(xQ(u1{8Q&Nlj3qcXL3hPfc0N{PPvf}^J` zG}<1Gz1~5uF>}+V4gdKMAQ{>t6f#;O$o0$+w2XMJDfv7Hy-D7MhHb5Kw+$v{jXPUV zHIXOfYOSDGWVf<~m1AEZt^)zkFiY{wF4W1=N6#D8986(Ld^zOJahLX}PfY>GE-LIg zjJe)hF_&$OSi;2c0uyC|H>dMMJoZVSQ3S$-!%TvXb81}dSHvbhl3Ur-$r6uNIJIhl zTAt#C19d6AIk4{|YX>RY!w*J?)1LP#T=rY5UszAyG*l$dRKJ2qjO0H*hQaVNkLzDS z-s!jT=vM3b$*?8<DJIAx20QLg|Dx8lcs9%`k5XS-6tTS_SaFot#d(}&+=yI{f<05* z665W00hP%V%aesjEQ|G)Oae3YDn6vGtd3_5@{kXfyJtzy`t~BdgOwY=e<+X@)2m$* zqc%PIQRqr)E}_w>6)dkG6Vui0HV{u5Z5hAt-Vf@6rg_2n$_Crx62GNlQbUKGw1f`0 zsjq@$-lciSaDC)z{2VYCQk}hBL=_F@dcio2u9%Y&Nndnl=UHODNeQpi6xpN36D@_d zmLTVuKeMeB+^u*E0Ov~%ZlQ{z#cJ&(z%B+O`Fjv5$y_z<2p~ukF*Jas)s$_ad82#q zCD`6)ull~wNL9Aaj^ul|ZDFW}U(O3Wxf9^%2PoWm`0;Fs)~9@C>Gz3e5VW|R)=noX z?v=AROeClD3krA|)AjGMS!tRr_M@dc4Rp&S9?y9BL{m_Q{uWb-tsl2S<bwB<@4+8{ z%20LZ6^<#z`{V|hr~>N%Aie(h^#lP#fo_xfHvywwgcFJ<dV~O0UAk>onqV`m$y*{p zbvn4i)f-f?qiI+F`M&LU${l4b1E{HJhC2eGFCM0p!3N6+r?yH~?=zV)=g@z}TO?^g z@|#xe_PL;!ZB6m3c@sj1vk{B?jV{ZOxCMQiX>Bs|LBMkiFd&SI7w^=Lud7H%o!PI? z7f2j2XP6VxzHm%(zfXSMeXe9ZqZ*ZclbV!7Jl(!C{LH*yq=Fb2*}^+oS?Sy~BB#Ml zfyAJWjX$w5BLg6<L}A3-xSoh!Eh+LeBg^JRLEku^xO3!Tz5@y|*z_Hu>_Bd}s!vId zK__|)Uo%cW!2#-F9)~a$grO3Y+T)-`@&+SL%^VxEh|=?gwepJUW{{?yImJ@({kay> z-p$8E{aO^6!f$k`M#DFh%`(BNuE}q9`>i2MVh->OJ4Sd+$EJGX+7f18P_3w-q?*#l z-Bkmj;^8FiKN#cF*wG2!vDE!Y)axD`Al}*ao<4iE2?EbEi=G&XGTl@K^-!ZrmJ8g; zyoXyUYKpWDn&K=)BbA<`O2h3K=&er2!W9Ua-%WBTCA<DP)2falXZ3YQ2@P3?jUn{m zOz9GW0X_=vPE}ZSZN5IWc*I(zdBF+=TatH46AAo5=sny;!osf<xv$>+_BVS;AxHZ* zL*f-&Y=q!(G-qALhlglpn>aa&DHckkRifgtK4yg&;9ekTcDruge7vm<AiIjpOutlc zU>L7v+MWhT+9YA9Fg(V532TlRkKBY>XgU;8{$Si4H8^M7u6-S!cH9n`4paD(QQ8`t zv#?i&u1Q&U2qs~wy~aUID>2o*Zz=aNV#RdKu);T8O@*)|IaL%pPsF39gWA5E<3jrM z84!~20HgV^WSdA;x{iu%&$i;serxxZ-fj=o?n1`NatxuoH6N+>Nk6g|e{%=C7bmzF zMoSY$oM#q_c(XB-S^no2%UywlNa8Bpq=Bd^|IV0H+5vYvT0lWYO_FX}!r-$(BhsCk zj?@wxMq~~80Z}{jPsRk>Hq0@3!Cv3&&VIbZ|AzN7+Styd(@7<WdOJitP>)`Opj+Cn zQMG6fEtP0?E>s$~-0K;bsKp3#ES>eKno}%k65-)3Q&<Jf=3*~;iLmEOCeU1SOACgL zUWR|)FW+3Yv|J?T%3`lDk7m+SnXGGskflZfgAID8o+oHTmcWx;vO;OLhqMuuaC(DX zH!Mq(1FN<vD5geVeLOh3a2{=!>9n{w#Ke%GY2wD{a`S0Q9pt0C%+aDf<f@$lw+f@y zM5G_<l0vus&;1q5KzG^WBWmq*D15d@qk%w0VT0NzjHqyFxLa?#=z&_;l&Z<T(Gjw_ zIYO%)iq9r{>{e_RUE+O&i?$##-L!wH8Mhq5PeeScCNhMp#boS#^NP==g)7-s@I+70 z60{apH{;*)7h&jUBVBz1>t?;r^AZW7Y@SeH)NM}JcoeM7?4;&ekK=tirVD!7CjUZ= zxwn)+K92U!1`fLx0GBygglI(}Z9%H!CMalY(f(C+AZny@)d+=<${A?%M~>csT2ga% zOXu+O9Uq>ybgAPrN0p@>IhOKOVk`%CEyWAv&iz}=gIN>GU~7L9?DQ}po!@Gk5AW-@ ziywu;Zb^|f3b2o-uZ><3;fcZ!t`~EEs%j>BWOaN!Oi1>n*&cx;3Motk3<(8YT3ggO zTsM;me<+|<9rRQzeR(!pA@BDDQsZyRTnklSPX~}JK$jo6tfZ6I*1=;e6*p(dDKGg& zWC$B63da?+m@rcpZR+wS6D}(ujMv@e$OC(qv}C>$AScZE6vh%-4Fp)Zc7<p&l9kgp z+4CpfGQAOn%98jCLO|;_4z2M;D7JKL@Z$^{{3A3tU^0bFBr}t-F=z8o2A}tqhiXRB zg>e&TuIzo}v{4g~fs6UkZZ%J4*UJpY`So(TAHRuaOED?_Zt>W+j@DM9_wrb`&-On$ zwGd(icaYZ&LZ&NJuwZ~I_$5JfP%J;(25pr&!Qa5({BRSlO(PLXMn7z@8_8yr&W@5a zL6aE!OKC-r8j2RRjV(2(gi@d0GdJ7w$4tyj*bK&NO6Om|ymsCMkUB*V5;1N5Y>zGy zl_SaE3TJBnfh!qQXbW#I-@joIvf|eSjoTgp95X@-G&Ptcv<K-^hDdSm7(JOa<uEY9 zf7+#v?#<~;WQJ6%C{SE+6+ZrDKLrk@F%!mXkxZH4Y;<q6@ZFN{Qu>*Ry&yPt^mvIQ z{4yul#n&Fmu-EE2w40ttSfHlKw!e0b3OFsW_G?F~J(b)Ka#T{<d?WI=vXhy6*o2o+ zcWpNf|C(MI-c9F|G6db08jG_X&EEVEG)82hZEKU?dPPg?F1nFUc=7M*sEvnnCm+BY zEn#<FBj<BCGhS@cp;#xFd*Uow!gG^(1%H55E5}66qzNbsoIMVDbm=}6!okJ4qklBS z>X6hSHopAU88TC{Lx=;&+9&9RT~he$ZIFi%#dQ5%6zg2%4bv>P49Qc0LV_$oaaZ+F zZts(x+Ssu49Mxp{!i}ehU1~y4#SDl?%nDGJhsd93r8BPjm8X>^)k<?9#{x;=>u-b7 zThnM;ZO5e#_2<p}7Eo}0AtXJKr3Rg2?zE@17I5UJ@#9&8X%G3$tnE}tzpj%{ubkDs zz6uEx9iLOjTnHoWQiH`W=OBR}2Jta}jA-yjWlZ+|5j;Z3HP3=+<kQj{_i#$t6%@WN zc;(K2Gqx^Vnfx}Nu(g_%|FcLlkO`gf9BE9O{ya@`wP(7?3Au9kJ$%KHYw?_V==E55 z*E)ct-2dWw34Z;DqkC@$Q(iZ4v0VyPHl+{PrZbEP;{kt;wcIkpl1M|^(qKrR2fT0P z!0qtByHFS$V#gIw5zF7}FIEAi2#PUt&nUz#5N;mnR6W_lS_<3TxP(sXBD*$KOU_=H z=`4C~>BW~y@k|LE(p?#QBQk3^St@3yqs6@HDp&^>vA;a~!>(YQ5JmgzpH9w!n}=U= za$7<!-uq^I?>onO#B!nfUcjD7_h6a#(2)itOo6d4r8XP=Psz;}oB;gg%hi|8=IoWU za>TUB@M-`n5w7M!{%6L<E{RPfuZA)BQ_y0Gsh8CKKx#W4Vg9V`YCy|%pMdS~3AQ&n z*aYZG1a00M4#b(|%<8&vEH%`3I<9gCGK~!Lfp`qrE2f<IZlO*`)sa3EG)%)1DgC-Q z!b)CQ%S5jTfvB5*qQ|lrGR(0CH19U^RpD?yjSb&6JfZNOB}|NLY`GHoQ<jF7i3#Pa z<5i)(rjY_c0<`2%i^oiBH)-!}f9Bdb189f1!tUN&%EM(mWK<CMWjV(INu@(*XvGXX z$^=-xJ2T8eB>{+^x<FBY{%(%j#s?Vu+T(->E%3QB4({ix^z=p`a%+{<Z+&ZQnA#a5 z2r^)A5hi^8jdCUzZFiimYk=<aO7uP1Rl~VA!{It);v`!nGac{5TwVp$`<qYhMk~$& zR_v7!ir;>k#zR<_UrkW?Y#W2jF$veMdlQHF`tvejdRNO8R~lUb4Z-0o3yQS~rp{KN zu1oN$4=AXN?E`#PdRkjivOz0P4TLG(N%(L}(YeB0wLL~+tkC;?wx4P5R!pYU9cNIr zk*Ur|43m%o@P`PTu7g?h$L_cx*zzjF`%W&)lvo0UGO(`fbTnoE)6m!M(Z(GHqAbF# zAW<&qWclc-VnZ`a6v&kPutjc*c_6P@C<xzTtu6&m)gb%vG+?@&0|1~uDHZ4q#_`$z zb5yg7%(~OyMvECvq=-3XzqK#BNqHOf+l?(wB>CX3k7?L=?S=v1Fb&*2T=(5`iSmxz zRTn(OIjfnFQM_Bk#8j@%=LRBP*-PP_7_0)HEZlo{&}O;wcU{>W(E2yOSe{Nv@5C$I zikwErQFoI+M@2c~S#&B#48xT>paR=y+cYsMKt;Jk%(~L>a-1J1VTcQxS_%B$29+*T zW?ei;n1!>^V?E1UR^ZSDqnH`ZUc$4!ccu($do;GxZ3btr^@ajD3*~f@0{hUH+~niZ zvJV5}skoSiqKq#&`dF&Z%hJFGoK3$TQ_w&l>#sJ6nSaJFZ;K~?gF`&o>PM}hyVvXa z<LBmyuA4&G^cS$|yqNLv28Gw-GHu_fxN(lt7UYm6G$_I8s8_}>1I=Bdz84znC!0Q5 zX;%tnv8Vmr{;?O=Qu>{?9}{y}SIG%7Pb?c;M3tjRT*FPI8%NKsu7>d{pag{qcX|<~ z6!|%+cK#Js|3f@`=jGx^P}y<D*OZN3U9L{jq=micjT2%4;`r*uaBoD0{&g%=n&=cA znfNej^z%SF+g16$3@3ig%I9IXV%`G&KDg9-xAIWkE=|}kn8-i8+kRdv;^AfPc)Cou zq7>y2f}lpui%})y`pTL2-xXENSbH|+5hm(YX2^{AopFE}DKJZ(t9n)9p#-W_JwKt4 z$cbl_Zl5^qp6OE#oKKa@M@<*PU~lQDu}3tQEGAk(-)vY1Vp3BwZW=Zzel<Y8X0N+g zsFsoG_k5SnEE=MUFk|(n+ahXkbXXAkW2=iiXl&3!-$UXpGMueT^j!mC<&dG7YUmY& z1jV7H4FlEY`Hcg&!KerOK}o)CATF{XSUENLM!O!s3Gm#ClDTaY+2iowGoilwbU(Xr zVUCaL*a>)@V;AdLKaoa$K_~1W^HVG5aWaV!3(+!6LZarvK?uex?8NU5sk~Q8Cq>gj zN`Y>URN2K%EQ(ljPU(p5a6MsBVfOs`L#Mrb?s**I=ti)*u$19m7Xo&14mW<wV)<p- zahGK_3qcPVnE`AT+}r5G%;dG%EiZVY!2N6&yPcA-R*wI}$T=*DqG&<3Y}YB<wr$(C zZQHhO+qP}nw%u>mJ-CDZg^ZoC2N`Rz>44t4+t@HK+4}ctwPBDF|EphaXSyaV;;o^e zlG~S!_BTx2;-nfzwp#AD40cYS!u9<Do&}y>f#boC_qtlG(E<Ua-TmDLzg}4ux1Z0? zU3R_ivZB}d)#AWutXEfv`e>J0g*MQh4~k7UNXrIbq5yC!_ZqNs*m4*#$qH|mr&@zi zo;51^EJRfddK`%yytfB;sSPxZ$HS~60Cm)pi44TD5UaAou9|HhXsPx4Nl;+QlzT{E z=0#XvUurRrhb^z7B$v-7R^kmQp##eMBb7`~{`qH5wZ6#NH0K|*EK9vVlI58UIf@4X z*0_BC;8rM_KG_(HtG;kT0E~QIPKy&1oebB4dtt{9k*Z{?MC=v)yg6eB3H;*1skIWB zRncA9;?07;{BLR7ah<NySYU&4`lKQyd1>rCdWA4kqXhYg&MqNp8!BO#I@cRIA#Jy` z`f0J#V1&{8PPCL@G(_0_Jh_|1hAJRcnQ9!<e^4yjv4dnmEZ?ShPK((z+AzT|Oi!X? z&sucCu~g?I9HgCd)DX1GWWiH^id7@Thd{V@!MV34PO?TmKJ~=u^|px&2BGEEQG8$s zU3>WW=xbA5$o1y&LWzKExgUD+aUwx^3ot83(gmMj(9^)9>!17&3<Co|4~y;?-ZyJd z*RW<tEczEY_+4R#GmE%W$n2&f?<-RP%I9~8jVv;G`ov;o=g7(+TLkH`8^$YKk35T~ zAWc};lg`NL7PM2(lFcofWTg6`o_pZ-Y)s`5dHMIKE~U$Om=@cHb<$;8*r^((R#Ar& zqR9utRn|qxL2@DbamR8xA~Wih*3^+40n)8VAhx(hLYWgqfCOlUVqfbZC>~HcFh}wG zovh4L7&1`omBIa!%p1b2sHh?z1|hE<<F}$_&uh$OSY-Ax%eGHtQAZD4K79#m44eJc zhRk!Y;b?Lt(N6>=EjJH&$;o3Mz|!&w^?y+ntPKB2RWLLBU#fzQo`L?qpb9p2W)}Sa zU#P;_MSa<(jTT~&MCWiGhbYF`&20>Zo*srl$PEI5a1kGW2MK6#hdf8pjfw=;asJJF zudD9u`e|-=507c>PQ#(ji|5S~m8hl^uI%6V1}60#jF3H0hr2MqB?6h1TYD^ubc)g@ z22`R$Xh1T8s(gP?5?)k-!YHhDh(G&~aSeh#qCX%yNId8kKrSCRKuAbP13Dn%EbXo> z0+$zvzlhwHe@afyk=@iCf`7|fA2)o4eK-zG|MUF;U?^u7dw@YWc=(?~Asjjk|9TK$ zD*`z>eo=u%ad9nxzJmN3FuA{hep?tR^G;0x0+v7JFc?fwkOpAutS!K~9=QLEP+9z5 z%|Hikeepg36~H#AHL!;`u-Asaj&Bz`0Ifb783gw4J*<B}psTGa{qPVDel{RNI_xse zb5?)Q&gus|0UFy`7(^NP9&mao6E<L*Lr^<D0K5u|$;sbgM17m!cP(rfcRS#0D|`aJ z8P?k#&Cdf*Kes!gDgrvTKY$m3?^+`mFh4>&^z!6a!7Ffj6xK03tQ$Ls=^Gm`oIlq3 z>?AA*=+FT?J^Xr~-Ps*4;9rRs6&hOkTb}h9pTgfMfI$C%ycR9>{!>^cYk1hED*`&| z+g*S{;07nKKeyk8z%A|Hqlf>_uQtNeU50@Vz5%FXs6Y=OemxCpTPM?D0kQvyUn%37 zpX~9U|L`ATz#q}$@7?fEndsjM;-B5#6JNo}PJz4&RaqF|yVU{!E-Nf{KGb`U6+mCw zjNKr9|6K}j!-rpDO*X##-5=>sUI5sBANil?PuU%vIYs(T5Nr0J_Mo2zfxSmK8hSCL z!1_9{bxl5e+v`~ETmLvLR6qdU@{dykfGj@z9G`dRD*~3-x*f**pJRYQzMrBW!Zo~u zEf0nfhK0%N-(Kzya?J-lJcN!N8vXuXDx<s;*w5EJmXzk^2K4?E<na-xJuez65CpIX z;Gp2(@1M*DAA5h_oTVxRTR2*Oa9C6rIE4HA-`d?>(gvUYu|Df;{vL2~P<>zkuIcSw z=$<W>8(SNA#b0$m*zBLnFVl~HJ=!|h)mC)VOcZ_C@-wqAiiYZ5e6@rcI6}!?iIhT& zt*@<oh?AGT<#D8a#)-{|RP82Wf?mw-k{7KT)}(b7Fix@j>8tU59JZyO=j!Y>S(Nll z;B^+k_Nhp_#TQte4}6(&nnDby`!kzbSab6XwB15(Eb~*R0k&>E*n-zF7$Q@4*FNZa zvGQ1AGr}?<qUy=b4HL<=b~e)+%<J1rD<0qNcD|t>Uev_<U?erZMI0;Qfz8Eh)9C5i zkrg~(%F<MNJZa$-V{Db<*H$N!Y{JMP*dn(!E?@W&Tnf}x7$tu|m`b8JZ2-l>2h(a= zvG9rL#52!=M>T~NS0c9M<ni<cpn!!DU#-95nUJHD9R@vJk`)aHt2?Gx1EY+q>|%f5 z<YpOEjB28Ji1r1f!AoSZOOXmOiID=@VP5kzJ?_Dm<8qzi+jO@gXzW?=VgVwH%5+;w zOT#bYJ?jQqv8-4CeSFWBVfy_coxbO<&c5JV2cMg}Y345*bpH7d=_<B#?U&aLB{C6U zYmRPAW_ipf*%;=+Drk9#I&kJB(VU46WKWhdwJBDFbsgK&=i8++bEpQNcZ1#Zh%oIX zY@>7cG3A}Ba_6EV<9(|09-fQh;R7e{#CM2Vrb5DyCXGFN|GB*qIsKo7!7gTvB1u5S z^~rp5)%<m~)d4xI=~0-8ljpM91y8InkL?e!t^-b=VQfjb63T`Wlg(qsws}niW8~O^ zakgsnNSI`5CD~Nby^EH)oc$8A2NQ*_W3{8ku!^6p?i}>Dcs4rQ6k9DhMLYf(V=R`2 zmu>5MrKZ_KhsIh_RMkO}IonriD6vYXa%}|NNHeI)eDVN9RnHI8$`p6iZRR+nU0bDp z*6!FxBdGc*bJ$u`ct+&;0&Rs^+-?k|OARIT?Tk1+q%<OI7KZ^`)6muH&~YQKhSae5 zeR_^(HXc;KDGk|PF)7r=YpzA#&e)EfM!DC{ng9BW_LZFYD{+sw@m80G<6G?3Q#g*1 zpxV=q=={G5^IaE(5x=qBf0@Mtk28iMr^3-n8D6dFxm0W;&z?#*9su$erBE!AKz{t+ z$yPw^LbAO}<I-_7ME0myKb4tFVPZ6}?%XO|MS-^27_m$@UexsV_0X_~Nodl&=8SbT zg<FO@#d%eZmAaO36iI{Fs^%WWAIiEUZl>wHMah#AgIhXnjYSvOH!6aqhym73439e0 z@Wp|q$MaDJrV$;Ihnc`1I0ZzQBCFCQjo$+SlG<d=gxu@#6j|Y3&s3+H(0U_kL;-0I zx70qLY2Fwx5&07ob8t3t3aF}XO+ag9>~cigLZAxch;Y-?hO{3&n5;oYAtW~?l4-t} zI3h5|=q3u1{kxd#4YHmzMv9I4VpCw%QN2g7y$_{4CYid0sYt|+MLcChKVdF`IzUj- zuwiI7*9*>0TQoqKS<VMqXzRlc`59GDpSQFYLl^44p8Uo+c3RvX7gE#HAafmg1wm;@ zy$-U_OZO>j7+@Kk^H))9smeOkL$&mvaH(ulkv>X5)cXyq4Wv>V6HS9$pYWAkEJ&Vr z7$?ZhyW>r#DOmIQO@%3Uy|ajuVszWEzKjwIA4wfouHB-(3q&6o$3+=!di85oO8?&X z|K$#5m9}EN0Hc=A+o&{Z8r9i00>Ksst~0!o|Lu#{i~d?of-zQDrJ-_Dr>Fw0035*u zRfTT|j}4fC``lP$%m8VM&+JAc1xXztq89Wb_+NSy1iT!4v2g{s*L`CFt;BjSt9~oA zF4}?hqidG1;w96hGvy^H&V+P@Ek|nSz<SRfOb6PiqQ9ETnvRNh_U+YJWUbKro02{) zWNK~)Z=l?nucp<}nrOQVh4Ri)fq~&cX+%i9wiQ%0pOk|+{H+$4i3(E7HxMSowIml? zZ{Wl}nwphtFuXXLe}9U4mx#Wa_B4x&EU(*-9DkH+5!&_UxO|4k0woT#5DZFoGZmo{ z*sp9vPmuMc>$T0VihTz!(8e_wm+M@sk;Odi&9V=;CWvv@NvwL}Y|3b3duE9d%43<R z#s#E5!l8Kv>#IMPiL0R7zm7FRejOI`LA2bFI>nHpZWUvb;O^ir{5KS3DDQt8mE9Ld zzt!$e<&CPbYD2Ova@@z*wI?gLSGN&{uV6^kvZGR4{k}jqP#VI@`QlSnO{C_{aOwqT zxik<e{<0Oa&HHkKRMUA<-Yd%Z8ZxdV6C^cAp!9LuuM8u^JU+1w^N&x%j|iV74gI~8 zIyR6pV~G=B+R%B=6xuOSlIl1!{18KY|2o5mMxJOL%`Wz-f<>d5*Y@Ux3`L+mBK_~j zAl~Z8LCe}V-4-WnsA*Y2qvC`ZPssv``R<x@M3R@P=1NgF*R!ErW<w)37cVgjTnO_^ zOxe6W*T~zKIJ?Xo&Lp+Rn_l@NWhf9yB*(1oa{{950z!T}!3OS7qp6GRXL1>nvZWjs zrAv(ZUFxwK*b`4Twv@46aoX=2vGOPP41U$cc3Dx2E=c)t;&URdtu+&$2ooG*+^K6E zE<bVNvNxxSN+#7}i%U3SHXU*LT=J@6Ko^qpL}tFEN4#9Za#lG+LzGt!@GtIAT##fS zvy^+&Kc%BC!>}!TksU6W>9C5&I5J;yO!^_Pirbzsyg)YvU9>Wqp3?8A*E{gwbZ-br zYzM%+*k_XTlK9PK5OXcDZM=e{`DFbs_2>xMHh!E}GII2pS))5Tg$>dO+?jGH1VkEw zWPrDw#%rzaN0h$Tp#Lp$O2GXI`Y_Pi>g)H==xftf8idFjfZE>H)`YqrK_HgwJ|Np~ z-7LuSLT2Ys0*z_!t0cI2CT^PPaZP1JH9M~Y{M4Ix)mns-4CJ<#(fUnkc6gvp?HbcI z0tYE*PS}by0~wS6byAMnn#oMQk#(65?-D8_!adY`&?u=x1Qy?FwvStdlAMWwLAXT@ z>skgmj1SYkA!>s!nQM`K;DOOKb&r;4Ef=}rg(R}V5~k2vM~Sw}Tnz7AhHJ5t*e{jq z?bPTjH+*}pOuLU0{1mQdF4hh8#K^JGy=xS}lNL|#A&4vnwRX&(n>>Y-c~nBOLmaML zBZ(z5Jd)byUn&kMqycGwQB8r=;OA6+zin9Pn*J18@hwGDEZ->XnO=2DV%-DfkzpYd zy?UUQTPQqkld%BRtkjpoYDI0Kdu4f^7ZNHng|deYQj3uJ*|N#qW0O>|Ozs>X<4qIw zC>v{;y{bf#0GwK4tHKIndd(f2xV!-_3SL-8-fSawwn!~NfvJ<XWzk;mKB7_twaOi# zm-2%xMtLv_w=Sjr9!blANKT2`95?IAM`Wmj;l73=F5@=Ou7%tkr!PUiCK0z7Su<=p z6_0ceNB?^FUNlDa5mWMsy60jS+_$g{{@ck3^qbsq(D&4b+m9>nQQT@6Pu3EJ`RDD8 zOe+G`r6EG&+)g6g_*|ctXxg;`FjZOot<%w17P_kYi6KZvUlp+u4uxNXdUJ22hmI$G z(IuWK-x>3ywc2nSF{<8izFN#4r~SVg^ZAu`-7f65;F!?dAW|yUKEa>bO7cbV%4}MJ zR}4U-eO-5%pC6E8865U>MawRj`M=}nc4`G2E%k~EB5hWy>A<C+$yubhrhU^i{qo}X zDp;`;UVJqXxnPeLbCBBj8f6O(eT_^EQ_5aw1F3QPNw+!FAca_6R=$Xi*>nX{e5hmU z>q1jbJlJsR=H@nK%mb~wXh^@!T0$*!B7bNMqJ7ohZ_4|JBHa!uu;r(?M~Bq9*v^?R zhEhW^t4mXX<BPg~=uC8tlw(`)Wwau16ehI}wXX7kYDWs*$qu~EF-MFeHKA$byHeOo zy3Dm@yrm2qlZUq5d5+vTmw>%R7c{BnNGMoRFyOtNv8(Mi85#C`etHfnpPS){3sYsc zLp;N>Z?K9R7<<VGxsuSQN@D5-1F(>bWR_gBBklVO@UotdWGC`%=Xb`Rx>RJGp>`MF zbM?4%-5gc$uoBlJkww}n=!~=UGVW*8;~alNt;`Wdgz!Scb;``NH&gwE1~_s<?A`$) zro4pi)P-vye_?nmx|Wh;ggzHzSrqc^$VE+zZ}@-VQ(Smm2&Sn`5*bKw+SxY^+wlnp zs~g(DKpL4iG#qx%#LkQtM5AW4MXchwUfVBP;}vzfp-y<s?A`hk9vqx{==U_51E*)w z<U%JkD9GxHLb~+^UmEo#Jflh*Dk7E@G`NbqOJ#LZYI>blZJowuWL|{`=VdeWzL0UP z2t*-BDbQ*2yZh2pPRx9X@N_~AH_u*=%}Nm>=u`VbqxysEK$rQr47IPycKWpT)&==C zo;^}l?e&SFCXlwLeDAF?d6H!5M@wTbjv|{vb<Z2!ujYS3efR>_-@|Hwn!kPF!EB$R z_HQ*~XOpmEBTC;{yO_%FMrPUV`UT}8R{wssRp4^~CG*P*S=pw%&dG^crDtwb`Ixv+ zQ3_Yy_{FqZz`WPz6e!G2{k4xLNTqM?v~i?uubHs^QAcTvxyc*7Ji<p$taUSV6Ak+- zUM<KlNF!yn54~XyDpT$y@5@3)9{A*1`XnUkQpQ~G4DQdrOO-HK3}|N&u|Fu)jUJWC zh+wX?I_{=E!*Twhgw#8>tq`q=N%<!?wk2_;t4g39yb}uo5$aXWE^=m5kejJ2z41*J zj?69N4zmCx$()SQuE0F-kHkYq;|XBNV6Q*n{(?7um46H>0eweTz5xMG6Qll^`Otcw z!52oZM#dgkCN7Ky`GTp}_akez=`og0u)=NVC_k=7<gdh7`nAN%tl^DHGc5NK?{rSX z_m`{@<>H5@?_(BURG4lKbGGk9`d4@zPK)9tkXXW+SI0m^myuSj7W!)S=*E;hn|*4) zU-QPa+cz+#Gx7;Ro4O(zZ)Ir%ACr5=@L(wBU6;kl7^Nb~^ULCqEnt0A63f8Ps;bd- z()WJ%N3s=X$_q|LFF(eb7xj{<{f6tjo0WSlTzl&z`u$`{+e2VFNvwI@mQ?0_hw`{v z$Er%3?L|jOGu|EnI8rooxIAWDPzIW8FYuZyS8Pke&}KFh1V{bE{XF(c<s6(b2kJw5 zm1%(VFy?q&21NhRb=v1#?qTK>oO=4oJ}8Ao<Yi%_Ap?H7pq^!9`D9m|SX!a(EvCV@ zMA}V+Muhue*u7<mRr9F`US1YMrm+kf>XOpU=qFsN<$;y?lrGxAAul9H((X%4;8ig* zlvv}cD!MTg78C!1RXpIV!f?V9?TkC(Ed4POe>{fm;%BN!#Mh?0B)YRW_E$DVRokwV z`d$_^gB|@|NhH9eorqY0iaUK*Rf%KgtrU1A!K~;?@En3A2rG;oL}f`An}zHVcdi7T zEN+3OHK0XeI6ORCuwzGxM<-c7TE;hmxIL?_?a^>9SDEL(TG=?Fysx<H5a>j{bP`l$ zx{^DA9Z{TnoWWOG57TU^kxOlp<TxToQKc<x3-0KFlb>{ASCLQT_J^q6<TAfBWG5o` zP)9}8T{qbvaHAkV#_6C|m-M%Pw+?1LA(j9ntsD#n5*j<(Dl=YBHxJ%mQ#$ERvl=GL z@Yml<Xy>5!Hbuh5(20Tf4(9NQ`u^6^DNQQjxh}P7&Y~Q|SPU&MfAhRO--4Wx-v&bt zpjcC&33%{w&6FYDAY+8Ab$@(E>pzl#G*R2>Mfi#BPZabupt%5jz4^l@Qx<iN@o=On z$m=7H-rn3_-yfc9QblfS>Ucd65Ge5o{cck-35=(3PPn5>w6sN%64<l&%FcPJ_v&{I z=yUkC-Tpw3JGGF+bvsgv1Er=JaKw2!T&#l7cD*e*va&WZN%&IDJbsqcA{0!x79C55 zfZs1c0VN8xxc*L}g67!xs_*|YqNt|C*>t9#@1WZ9G;^^ks(D;N43@(m^KZdfkKn#B zIbQ~dB1w3D{=-FZaQU-LvlZbAyRVmG5uZnyJot!M`Q-N49->Lb>)g>d@JcG4TVxAp zIY0zj(aNZWfcwp#_VssC@CJx{LF1!&hC+(9=F5W|GJ^M=5>&BQc9mTj=tklWpJ&3w zO<OsG;_^T|?+jWBPRiNxVWJxv3P<h&D-pxKH>JfR#H*7%^GbcM?aUH02q{{TF5T4; z+6C|4lklv*;p+u8nQw5@p{}{QtBxA)Cods=&n`%XtG@CL3H@J@F2v$B<E%xF9(S_4 z-%|7hQ2Qo_2Pk5dHc6o|#iN>oc(#@rZTXtFa$PKfQD1l868a>wwCV^BiBK65SP<o& zX4>eMPu-9X7ynU(8Dra?blpjro64g+k_Xy(+*T>)(fUuRJxr<NgtO<3O(fFyz7Y#* z*~Tx07k}J`0|!wq@szK6Z+X~chSHks4=LTobcz~J&0rbnW|AdUMH-c|ETL1)Rr@X0 zc6$pbt<;VnGi?zpnM_K$G{jec$r8SzLe}8jZgD2wNU2Wy#%is{#}jaQ(-24Dw%D}@ z$`51eMAU(K0jk)(l-;y{jxW9^D4ET8c5NysNZ4f$^PcV$Pae>&Pbv3!Qj}p5l<O#0 z6)g%N&Csba#58eVlJez|F#~?&@(G<bLEMnCA#!qc2YQN|7myvMKwxelUi;xjuB>zt zcf29#3^I<MGQqD{zhiLTQ)MJeltHoaD{wHXJ;Yw)&Vlc!%Mm#(xAB&5Oqj)nrYzdh zI^`$XD<<bNqoU@*&<yrMAyY#4Fj%EQ!R{f~I34CaC3#3%hD*6&saoHW)>C{oG!_p> z<asxJ{}7KoDy+MYiH=VV8ILMEm$45zbznE3WZtI9X&sa+8mzAVJJj~rI7rrqglv(5 zlFb|DN;v|GbJpE`M8g@pj%!FF){0^!FMhPGS|10^?n`-y)3!T+|K#ZHOU7u$_P9a7 z7<7zr7T|SkZY7g*3Q3Q*9m~W@WCl~))`!57=#pSQKj%TxG(WZ#ovbiB%Fl@~Z%;z9 zFTwi}s2^MqgKaVpOAv}*!|u+aWDTt<&RGXjAppMIVeh=(NU4~gIj@!^lrJ)(-ZqWo zE{AaB-kTXQYy7KkQC;xqXr@CduxQce(=?G&kb<qWT)6v-aK<~SYZPADYeX%i3qxvt zBiut;;S{^JDcc=ZQZISDJ)-qIQ&F7ulr#r2REMjGWR2YXC|OxV_AUbb%_5sthgGOr zt~M_{je|Ln0LlRik1HMaT$Jk|u|2lRR?b5uOKR~;v2Hq$-L!C}c`EDAhD#xj!f5KY zRbgeEw9y?^?PW`vaPG0$qt}Y@F5{Q}JW3})VO6Rz=x<?(Z(Xme<a4f<3*sZ`BZe+{ z_2c8l#R2WFy)$YviHs^gxX-q9TpasbKAV1J@uZM9XU&2LlJuxH6_``LYt9+45!xsu zEp-M)5JSg2y1p<GiCr|tGN(dkX#yNWCAV;oGBx1jBx)*_|GtRqIskjlWId(SzI(8# z3!Pt!AITvxeG~_C!IXn)Vx1fNOmU-TFtG~kkXbaM1i%YRmEi8pV=-ekYB`;oh&qX8 zE8e7NxTgWmQ+qv#R_gN%RpIO_L1Lncc5mY7UyP-czU=&&mQH`ZX^7D}a9C-Up)jqx z2(-`I4Cf)Ud^Pf@R(m~$QJ8Ui<jvzfX70q!%*cEMC7)hj6tJ6<9jGG$69Op945$&& z>&B3W;p8WxkfXaWXKslr#xCL9JSRL2p*s>`a;Y>DGK7~2?3tj=Kwq;qvf@N`j6GZ| zo36QNH+ny3W<8mVw|$`hq97~-tLS9|Ht8N!tVKQcFl6x|xpl%2D)+ruCTU0z$XzM< z<_8?DMRNJkv{>5W)q>-~+h|<b*R$`D<}0Ll%@h{yvv<>T5WtiMXt20b$f*mPnJ9=^ z>%=$#xgLdQhG9D9Q^?PF^U%%N%<Ro}6`trwuhW$cpzCQ*Cjxc}dsG@_=kn<)Xd&;x z8}%miaoT%iML}PgP?u~GU-vjj4{y{1PZav+e3H_EAON;APjl==Wx1P;E>FUoR*z8P zt&O!lI*GkyE84<<gPgh+bF!Actg+<3j`VxHSD(G#zd(z=1Bz@n(&Ou}rf$~?n7zMb z&8nerT+(nj$+faEbiG56CO0!J!3UUwGCT4b^r@hRVIs*g^iQc0>9A@3TxQkbo7?7x z6sXN=5A!H0E$4y_b0H)|sD&mjNvY*97^f14c4+o7hQm64wHut-8~m8=Qt?%9yVGPw z`2Z1Sln^v4^SpH1fRN)srJ_M3hsIV9r7)PnVbQ8XOHAv^%GRU0eg`qu&uo&l?b@IR zqtlYCV&2(@3-El>mcSeiYRhQzllnrAjVX<s;lY8lKiQS%iRuWNpUTyy0cj(N5{m-p zD>N0m%tz|+xEB{mKP}d{=<M2JX<%g2Yaa&%Ypmo>xuil@4e?1rbpFyqu)panQBY)d zW3FOMx=$MVa*<xVE7G@91QCO*M;=mL$KMOWcPj#yOSGbFignb@th6k?gC}#Tk@cb? zDn44|Y&Ht33E4-p*m!#DBx*H@v*6|_W~p0>MVFD-t5sN#c<hu!r`5#%xmw^7O3tgL zZx#%}!|#Hg1nvQjPP>^~4pg8BLjn8dMh2%#prrUr1P2Z4^fogpEYCE8k<3!v!7xQ2 z42NIaKDU%>Gh|n;U&~{B?e|A;M}+FPFhz%l3BQ1Z6Q>GPXxD<2O;eT&E=`BAcquOO zhfL#Prn49`Ry&KAyD$<E_a=+JHK(-bLK_y+K3+#b)Z$J_YMQbk*e}4RzxV8<U4k&v z<`QTPt<z-zDoKP3T4v5|KA*`A)FbcANAQSrVmKASVoEPf6^6B`3bVtQxz;pd^O%{V zQhs^`>lvl326Me8Q<O;BpAL>JRQbu|X5PTp`W*S6pW$>pFQDB4w=<Uj!#01Sjb`vQ z8*RdoV?|U0jdkY->%{$xA;l=|H>UmT^oXf7QNOYj)B<%C65@S$fn*kWy(q@TtN1pb z4BMt>Ku9X(O@ynFbYXwnc$<n__c)mz9x7ty8kzffU3nlG>jgW@p_!e$U}oCY9vU;> zC#yQdpP+gRlJx1ha4l%nbDV=znp`o)$6)Z!jq^<?Z4-0$t4k7a^?M5~r2$fGNk1Xs zZ(`F=mv{{r52ei2+6J_7)&>%sFDVXs;1h<`sP=wv7he$_4P2fEWCF;mx2lZiC&}v@ z$BNi>dzR2k)opo|lqa~2%}P%E>Zq2;`?Rf)Q@>jy@^V+<<O1H?mS&X3EBL=M{NoZs z13j8Qaj&(iFG$fFg_wJA#WJaOS*OoPfXC4ofE$-BbRCOlVusDj)h<1_-^x@Zi@`=A ze3)Rv@b4lJMId?{GcP|qWs1jkq^?hv+L>{KMAy6&9dkL0lrZJf&p*Jd*A2D*T*sOI z+d0Vk|2hXbnCbu9ImpJ&^#41LyP7C#-z3uB=IRe%26lCIfk1++fnl0!W5VB}ZU-W7 z(+uqF>;!dztWCY;WN<Xi=6spmel)CY+FdBUENgiwB~+C&L}YAY1Qp*{6G&T6SAPSL z)W<Y5B~|9cB;xFmk&47qpx=|82^JJ4+JgWR=yPdF;DZdq&x2$D5etw4xVi#h;o;#y zq3{pR?(QI3+X4d4S5{drGSJiiDm|t__OJi&vDoFx>N{xxylh25k8jTIf*C`5KtJ@k zDgy@qAV4GZ!&t)tiIZ2EPf<(&n42Uo12W=k#S_hA<{w&H!?FT;17-PJ=kPlNFmZ|b zzwp5UAaiLc-RqTbF!YTeIROCx%D&<w-)CWs&wv>Jr9~p@!#g$ua&h$Z0QbuRIEm%c z9M^y&Z~?5Z4sUKe(*f8yGIjL<Zg6e(XsmZ%>;_h>a|mQhV-LI{^lPc2NL={s2de`R z_?@@{^;H16n%bq7x{}WNr98LY(oAQe0)cFC0^;Mdjq7zp3jiq9C-tz*|IoZ?(R+#A z@6l)H^tYb=3HL+TgJb~X$kYhP%Gw$18vd>1_^m>|+pPfK+|=y+y|#XBUG~xY6UgFQ zF`52jeQnDojc?mN)z|u$+Gi><yE+ZmKl%yZQPK3{cd5-E>&F)UT9;Aa1q{gC($wM# zo*p<YubzC3Z$|;x{Ku7=@#jPQheiI|hVX4y@b(wC?RRqCr*rtX_w`*@P?A$qlj6^6 z2Yerg1MIHF$gkDEmHWR)zgx_+ZGP#{@?qCEfBsIM>sB-K{qj-Tnpl6-a<D<(SCJUB zp4c?iGc^7PK)57=cKAyv^}{1T`(ey~R_ppsE?Z0S#jNUS&STd4w4n42jZA*fcF>^f zBT{bkK<s~nKpR<p)ZXose_(S(q_h>3RB{gd)NB2)D!X9;kE6PNuv-7fMHXhC`{4XS z5YgJ4fZZ7z9G-yE+1WRCZ+Efqd2Lne{s>O?0@i;$R6zu>2W$a$+B!8hertdEa{Y3j z|45>fYa((k^o)wY0RQ*kWj6gFe-*RXxj1_fzu!*$sy_MV{N}hJj=>lOG_sqR5FwhS zC8R=>56oU-#4lZ4>IYsyH_%pnC#GI%>aE@+Ab0kuSUf9X3~RBD{4AXFc$)ooQ_J=+ z&ik86E#!c5P7%C(im#?ebW3bc4b~sb7|4a?cow6dxwAf+;mU?)DjS+O9yM0-_aOs} zt22fWFRoK(--@Ja@4P0lykP8-jx)`-QL8!0vn%n!#Fihv+Sr(Rf_{8@ZqV*?wuE6a z7RHr<_`UCjg&sk|yAqC6Y9^q+gP`Mhl0WmCdSbr|L7b{D=1T7(O;4(xc`c}SU`{lr zvzk&+*!-;jA+vnH5RKT_LJ{+Esolz{OtJT`ygg4R@~@0~lhK9x$;Vx^$9zHtKx1t8 z2xROVoETOFrk#;jS?0qs-MOQ=0*nZQsTJ>!VlbT(49}*p=bowAT+fs|6I*}#kO3`w zu6O{<(BV$I0hRsi7#(ce0W6^#Q0P?&BU}VhOIFr;>}KdEkCG9SB>gF|?j?fXd~EtV z_(55-!UdkE@LOZ=<gd0p!W#L02Yh2i;>lTQd`qJse@Uf|-;%!@?U!`CRd88JXsVr> zNLSSf3fDaW22T&Y%?~quB;}#Yj_VdPknopW|Awwr$0-UDlenJe-Gp6yOs91Kbasog zKY+nOy+9y)^Km_NsXZ_junjEpeI_Y2$|WkniJPT!Iha_U6U0SkPwsPM4`273(EZ-} z&I(%84EIbPAQTFQMO3tKnurl6KHnedP@SRzE`-)?^A;+rxtO5#&faPM#BVMQ^=8u} zTgk*q9E>oA%T`2s2AXid$i~B}8Yxzj>5{#e>|A+O0)ZG(m)RA|knlkWGo)FLV_;s$ zaFmnj5^--kgHba*oe~NfGG@bN&CJJlS#OC2qnTO1;jP)_KkGU7>Wut;XW}Y#*p3nf zU2=6ROcG|SQ7I<5+9MhW;2FOguJZO9=4rDUKlSWazJ5N<MXe~glD5FN3CS$G#$}V9 z=tYzQPoza7L|ZjzV`zUcH+9{U*=KFj8!@4E2Kh5MixNwaiD1_{qzVfXKC8sGN#T); zU~P`9q^iSZGu}Y^Y>wBFyl=yD*yb<Cd$YwS72H^>E&a5ZNCi4`<htNl>Yp9v>9uu2 zY{K5JK1uf&W<>u+Lta`DHx2fZYVjYBLAhPaM}=@9pn1>j>~9gm+1Cn1Mx#Zjv{w1C zs&!683$Tb%KKe1U{f+ofty?H;p#y`rfWxzoj5|O6%<Q&MmX}-m88S{=3)Y`=dEov^ z?g!bN6z6MtmEp9-+<Z6E&&eSE9>?V3Dp1>QD&uIBum>+!F9r!$W+}b@!f;lG*h9j< zk-D${w8htUnNX7HiFWe7n1xvrbauY=E@|#Z#bOm^ze~|fEt*pES)SY9N8D_Rd4x!@ zw*=<nIS=UCr*iX#g08z|S?xU@MH>gN@}=sY+&3?G9TQ2&$-a<CJ)$uTv6U!;F%7me zl{DA1EZ$>tM{z}0B0yb`KP!05Bpii|CZH+c0Z$Uc>8xt2Hg)qQH|<f>qboz1@}?Zs z;@PUBPT(sXRsAk#>SZcCXK==G9}VfGmd6kz^HQr1l4K$VDM#<lxon%lG5#pvQYc7= zd>*jkl2dAG{*Db`-Si5vIGFyr<=_?V(c^_4&+`b)E#WL0&<k5{jIL;umW*Jm(fs>c zxZ&j6L587#++z0h`!%P(r!^M+-7J4N{6?ZnQ1@9R6I44pE4x1@3;h?e97td%Jok-A zLBv=7I|T3%ID|Acdz&lwRD4VnUEGiUmP@gCb6#C*`-8t2bbq1m`_D?j;cpZASbkp3 zn>#f7kl4%OWcQyr#5yD_yRb*A9tKX4LTdiGC5J|&NLC|KHFGaRTKdDsj{ynpZ2ph@ zZ9WXn1L<hWlZ*Tet!*WX>y`iDApuGWGLBjjSsv)^x_E5fb3Vu8d(J~IC(p18C2tg? zn0}YuMvU5o8K;YIX$Gb!eFe;p%$7t#-q_G%?Hjcubb(wom2%I{GkcBROu;&v!@E<~ z9O$7dygk+l@eNEmwn#Lk#C>qeK_ZmMIK>qL#V>8E2&Bu0d)K{$Rmm0h3WERpW`vda zqrXx?7Uy$*q_1K3-SEyy$8bfnR|epU%*!?s;V!k-8U1C{AhJI{r9I)EZmW4>N`eOI z!Q#{;_NMA6<Mm@B5P>?W1iRjA00|*--<A#-!ZrEvAEkmTjOsDFa^uJ5BQlJWjLX7% zlDP-^dmw&N=R-2|2X{MfNB~~-u-5QPKsO*Vof5VSDP;zlHO}+<cz6aS>jB`Crw<u( zOv|A_c3+95ECHd;=P#DAK_f%^X}KWIt+kS+yShYyQ*RU_HdEs|gxem`=(a(6Uw%Xw zSGM<55RZ3_Qu<-GojJt)L7Dz9?;SpnCf?T~z)RAz_0&Wor?8%K<h9xSt>ZKrF;M%} zSuzPl8gJ~gt+&J6L3_J;%BD#ZB{vY~!dCj#Bp>gdU5S4@d<qtG6E_kMf(>NP5;+os zb1$WO9Lny8;m=x`+c{DtBwoCf3xo^nXVNH+0#=k#s@(lv+>BGQ>eR<JvQzt}uXo!o zz?-?F!>;Yim}eXca^wR@ssyvQzROU(0S|*Fp*P>M=P#Iiak-AWqW75;SLs*^IT!1T zk7B%n!DvwVh0aPkk<e5Lii)}L6wJteG1Wh@Yj#ILDaF@3XU@4?%>Uhr|Ln(ZgU8GS z2m+T%(b|ytiM_J8)$MXnMq_P61Dl{x=Th|fA(M1TY<9j?M(gIjoh%|yL-)tXc@B6x zbevoOSveaX#7c|%eN0SvQWmMg;=H7{l~iyf!^$p3=^dU`YXr?zs5lHMN4OERqcb@o z&u-exk2Z^dKsfDK(izL_$Y*C<Zh&w;wUDPxCF#n1VIvE-Krf$1l-)t?Q9TezedQgH z){U*oq^S7m5y+5HpLQ%UFKm!dDR4XRt%R!@I7oQ`EMd!S79j7em0pZxkff395R^r4 zTk6REy;%C4YW^@oc}kwW)=Xz<_F2iRkJN4!dIlZ&Ui3A(I6?>$iJUVuGjyax!sVo` zYxgbQeVv_K9~io+FWC)RQBLA>6p%B7^rLEp8H82HGG1w!U&j%>GM*HrHI2}Rc()j} z*KZR1n;WuISPq0^;U~>tO=7eo5pRI^n6fXX8BvbKZ5_`$fH6%4g9@L_t_S_xQ<Xs{ zqEn9C;Tc10!;{;DOG7PC_>QWdHTTPx@E2MzWsM2$(V*b6Q?j2e0ypK#BTps6fo7x4 zh<i-?-Rd(97ypn9pQphb9S4W6Z*oTYz`%yk9DF|NUpE+t6bau@IwzbSgu<42ndmzu zk`P85YW9T;Aw6q22KhrJk*=??mmAVu<(K0ND2d8-3R07iM<st3_|dAho#EHKMp61` z%GcRf59{{e7v8_g9Sv=hP-7%fVIp4dFO8=ra52&3T3K6HKgY%Asw}2#%l$LPFx-KZ z4(l^IuD5f}k*`rL^!s4kjaPKe61QsX%4WFWgBEZ-SyV#h=B=y|Dm+N*h1-r8%`B59 z-`7?-g-pAZH9Y&A7sY6+?0?@LcN5Uj3bt|VEfqPOq!iC&-%fK|7%&92yt3Z*9&!wR z7br*ur!Q70U@~c}dmj(Re3Ppz^)>swdkyxnqSHJYF$T9@5mJeo;HyMTb=l%94n8g* zhjA20cXosdEXvK%4x#9ILF!6TLU11}2|<Vz`CmZc6gM1E<Ij^S9Ss<ZZ_Vsa5bL1X z4-9^uNVutvpyzz9jb?Oc3tDtD=JcOWR9tUt+Fz=$^P(N3Ba+>QNFTBF_UxL3SqquS zzNdpo+K`JjeSMkKmV~^pdhG{i6O&+Uh6z+YRLP&cPH0=EspPO~G2d4#FmF*xUfboP zY+JEE8;eGDB|{sl6YyOph11d@O1FTul#{;v@O3C$J!$;QI6zfvc}b%?rFxFG4YghN zNkQ|M@JMAF5_!G<KwiWXXgjR4w>ZCY*|r8|y{AprGjy6f<w)c>Nk+g&@bQuye{wt< zYU<`$L?JLg+r$|7*5Xkv?Z`xl95B_vK=t$dPMk=0Hq@b?Yr0>86Yrvar206La6hh@ zZK7S2G^tC*Gak#5HbH0N3$WuhSjI!V@WE}!z*@``co0Wrtj#k4$UaX{3{~m!CcYG{ zA>?#2irZ7-R4d-`glm2_pr(Hb2jvHc@T}7NTEn){MRYyqW1O~XGO>MrVOsjW2rpVX zN2}PvfMNPcD{2nFFk4WuhVYz9vHZd9L!P2wjkoWUwmDJk#HA3`Fvd8BaNZ26ROtpV zP5P!ikj-1X^dsm}C_63$qlV{<gVpW#o>rm}>pGu(QmTh4R^ex^n{xhQcL1ElB}Q`L zGiawQ&rtU1e=u51*=RmwPkp8K&LuLHTc2+sGJW^llJ5&nR9lK24))PJww8VdPugTt z)1@z;VD4}rLAZ}H-`gF)m8OehFm~?&H{=VCZQkK3Y~Kfr-{*`-w?5;$JZ+Aj>@;kE zLU^+A%3zYqshC`L{6a7qomv_L5%@{P1+h%gz+3$6X=VMkr!F&L3RRC5_WG$AE~uWI z<{uf*A1zgV4myQW14C3oq$H(7&5<~VHh{qL_I1nCH&G2^Uc<^=&)mq?zxrf4HZPjj z@_$q{n_qT|&hlu0Ddt-)Qd3RoK<Q@>@~MWA_y=%_K1`Rr_(C9Sq7N-AWe~3Lj5dqU zkV*%Or4Ja+wznTpYkICuBLbLu)p)FR4QhQ6!ZRR6@a3K=X}XZ!F7mFBS;|6Yd#oU7 z#icdzp9Ppn`ctKYt*C>er8@+O48*(ci*83}*z;oNrZznCe60;O6aZvOuI&9v0zG?N zxtIfgBi6^WJAJior_3{Xvz?teUR*v%;rI#s9=HX2Fj#s6Qf3baqJsJ~sZ%v==*S}Q z>}}4dGe8?$!xcU!$jFh<`=kMg?7tFMmv2d@kchx!_~ImwP#f(gUWvplx31V-qSKR< z=xr8!6aa`IAyI>dkKSgS-oA8){4-%Yw-w8Teg%pj{<$#6elK%44uDYD=Ltc554l4d z*4xwLK-b7{DFHG@T5=ENXB9SvX%WE5At8IdLbZ{JLJ0xAYx@wXYsZz&Krylfy`}is zW)8WejDWkX02bn&#vj+WY6?oAt)?BVLj0Zc7?#r8#tEY{qJDiu>;8&-fOE(mlI`p> z#nnW(foud&eTK1h<FFJG6ydk;5ECXz73Y;1r58YcfBNTUxB%xN>T7)=owP}ayF95; zERE60t-@XI@%oJO$MB7h6rd9s=~{C?y_BHZ8c(-ta8BNFa-|#<T+(C@gAbgSYAU=M zrp+tho&?w`H|s9GW4*AZXKQJQYQvhtB?&=UQp~xKiMOMr&jp4h7GrQJC|W!;=^|m~ zZHWlTt%9o31B9L-=>aQ=>xoI%Km_>eJs>>gX#fT$t_Gx1A&Y3n;K&fH9#GT`=jz2? zcSAO@<du2?Z^G}{2*$^`(y%lSZY&swc-N~ib^e+^^IHft{mT^wMS&Liv#rSf7124N zm;ccyJQ|Cm^^OJe$<C)dhlCaTU29j&o-rqJ^J3xdsx)yG3X`#h%UgGt_@DrNqDBn+ z-ZVv&UG}*8sEY7#8)aISZ<UFBNH(l5f(hM0&3g?D?eMWOcizJFDrSd@F^#MYUF49E z6H{e)x~P>?nPJiBs0(V8jWW9fmle++@GcQ(dup19WfiR!-h306hxVMlNuR^j2DRQK zFx^rx@VC&0JZ-#BA5*k*;&y@D+_Gz^f>d)a9CH6_XQMm*ab^Ae8EOreZma1u?r`r$ zyH;!HFQ8LwauLmPTk7V3Chl3+4L(EPHmyyPiotsQDA*bd@tvh_3Y#B~!xmWksQT6U zmF=f#MDrj#)Uz$7Aq&Mbzs07>B(5+FlgD7nzq&invGZ8nFUc2NvuYPG9d0CTwC9Xq z+Jg;d7;M%r@hi!}96YLi%bOrIXv}dE!wgdvcsL?@HBE3;*U(D10i3<uYXQHd$%MOY zOouSHqtc9?ZjBxdSw7C<=T^wZTV!bt_ZO=wG%H3VeROJjNENdTwFEUL_b?VmIqw`4 zBZ+#4H<TES;>_IJVxHz+gvbW3mp6V~y^9dnZr>5{Fw=atk&HUxOI|9V(Fp5`T;m)N ze~P^m77`YT@@Jp#2<#c-{s#c#&`Fnu8;}QE*lOAEx@Ih+_9CW(%SUT)g0h^Lp-FFw zzl=!N(qKkbN66|WHwSoNGQ+W~%vk2{rhPo3BT_~fu`8p}CEhXl1!lGbo=eb&=(*># z%P%5@j7ucm_D~px(Y}p^bgL=eFvT)3K7nKhYN6`~kE84hQQ#!h4^Xpx`yeywXvJI7 zFul8Me+6e^F5#s*t5aiO{_5dwfJaE)k6&dc`$p$u&x@6_hOdCPjbOVPY5#`h&sa)f zD&ffp_axz((x5!&5ql((=>2fGF!=Yb(A7fI<Nc^JJ88xM-FVU2ss#V#RGx=~|06L~ z%G+8ym_iQi8tF85>Ev~UjBIL~Nxh#a>|)ys(V8AlQ<zsPCb#-1UPLo9Lv?+4Q+Tcp z(;}pmVe-R5Dq%kDBxDCRQyIV7DsM`WB$ETg0^Cw(!B^Pk9Wu$wm!sR$3iYkdq!^FH zRUQ9m>3!5;+a<GnH_R~PV$Pi+;51AmFmZ&CCm?~YI)qLK0(lXi<`xzh6!L9JE%vkI zK*!FcfUEa3dtyr|x<l}28MdY@Mg`MObqvmtlroYuyt6Op+z<M8xA$a#O`QNOrFHrV z$)sz3bj?V?M3x}Iw!T)-a-T-5XS7JVS2sDLYOxk6P|$i=g%qEf6(B7ptLbO&v(*5h zYDs3=>!uKOFqQ^%;bgPBd#g(A!lygJ(bOuYv04Q6E+REB=1UX0;?rxfE{%fNkN8!- z>lRG6uu)AzBL_tV4&adKWOb+nxFz>24QpIqkzQ03jLs?XZ8xR=Tg^hx9R!4Ak5Iu0 zGQ573Ro;5JAdr`NETGnmB?t{1%a?u+3kG_J9l<TyR{rdGp0+xiznaVym^C4V!#5^g z&i8iuIZTzNrcp#%R87mL^2n_4k&1N0R;TBpJkKXsJB0Vrdi(lehS3W(!`T)#Yq#6; z7~QfQk@V1=CpyBx7H9Fu#*ArJKD~grB*SeQ=;;3N@8f>6!O-l<z|M1s%uH1ZC|RMB z4=xWY%_>$4d<Ys#hySb}g3Gn-x>a_KJBpfJU<`Hc9*eNq>LwRC+fwz@fu2`8Ua_OX zR7Jt78kHu8nfzo3b%ABa6KI?)xwyq^CWJ}8_Aty&Vd0U3a|8yMu5{Jz?mj4r393_k zSr3Ed+8lSu^fwl?NcHC61>xTr*ZyXB9sH{IlshJDXnnN5FsQbu%f69yaJG>M!GJ91 zGME!Cg;m)q3~FnhSKIb5asvC(SA|Tq0%Zsy+F!+(uoF}m^^ct6zv9!?fYTRjwdC(9 z?Qy9P+R3M#O0VPF@QH=0%Fsc{=-peVRzuR(_o(hmltovu8fJM<r@1b39@WYwt>x~= ztx~Ru^$`95@+nYLwn(29Y0;JqJd;<RiE1a+6H(?v65FSkwJMB;kAZoprMquP3x$8G zD!N^{sh4|pcDai56!vB=W2V2V;njwt7=DF)<|8@gu@lbFU_yS&OjVU->r*Rzw!Ln7 zq18f!!CHMsRhK{>a)ViGQ^{Ou*Ql|3c&(>|Ejh=9{4G#lQVixxMJ8H{qg7-GAhK+| zsgHI9Kb@58k;C}nXA|Pb{cx>wkUj6#&l;)loR`YR2fibFR~yjm8r;f~)2sRF97?gp zCHnb81L#fC58=q)zf%XN)(Zl+!>m7nS92%9-=Z7Y4(Pj6w5UZZ4|qs`XJ~88>t8{j ze$6^n9>GLE&Z1<(t%}aQgz9-NzxZV*$m8*-p4CmF0~lXBR#|-ZVhdJH`KvbdXb&(a zLbPn%q<v{C5z7Qq-8Cokn1#O!drTY91?CCm2GKegE&7H;pfv^Twu4p7Q8JH@Hbr1V zAkF#(VGO(AB@1bi=6dTjuoxYXAbA&olt7j_`yojPib)Q|uP2wR+oJGSHY%llQoY)y zP2Z$^pZ`kVAaIMVn`enep%ZWL6FL5d-8i?oA@ZD6kupudmfS9_4Qf|=Zvg!oTzM1G zbR=nGg{kmrkU-sb|IR6}`o*Y}Jsa})+LG+trkfh_>|oa7<Qy^hW@4tG^AB0_Ul6L{ z5t)n=L^(+puPDEx_a@I^R~3)#ye-bj6d=3e#7;_B3s87pRe7~N>AoW%H&QgGbelGJ zkqrDE5jpp@o|0PD2nSeAH^*;CoYEr+UojmZbB8r~eZe>_tP2ffP|Zvo`oKRJ_3S=w z&`N4MuNXi;YOQ40qvXB`Qcq52jEIH`^O1zp$>Gao3?5BWI2wj6zXqRacy^-K7tZsz zU^Mmgu3(yTNGr2o$SO_l<y5)AT^-9A^bHGzg{mSKs&u+?O7s{QP8X<=iJHga;@0lh zCMpde@FGO-<P&{!6cdKZZ1~P4+$M5xT(JIOXI(n@hMBwcdaAM`EZ)x^U2`yk|J{x$ zL+crb1cGT!B@?`a*VzqaING5`AhQ@S9!&VOq}I+wY<at7O$aXc4-ZdRl-(FP?uboU zu-xia1Q%1dYegL+ziD>#MYw7C9uV2qlvG>*itON}-F{WPlE*&{BBzO}HrEJfPl@e+ zL3$U(9V#>+<+`JE<cNC(Hd&VX7M0Ioa*iS@-7!-mKyKt_5@-c=b8c?(*wzY{&4!6( zs}@@>axi0Kc`gjx$$IHyQJLAy3P|sV9p6nZUIdX$Pt&i3s;{8@RMbgxLGCDlTlAT; zlg}B`!D$NGq3#E-=zeeTJ&(k#0iIbCqV2Z~p$&OI=(1pYL5GfSlDd@j&9)n;nDuGC z#yrZKjdmZm-=#97F*JL%8)#DRVX3M}*BREpX>dnsgNi;D78r`5X5e?_CyD7%{}4*E zkdb=$_8W7h5KMcql6og%kLaUptR>3nqh4U`mUA@1Ca$bxz0?|8HOpa&sE~NI)%f5n zjlGiqz*NmBlCtcM5$S((n7?ViJMRi4qjnNOzLpD!h7(;wFfixr2tb+v5TcZG-xq4? z4|p2ozI~nFWbH7C!jlE|XT{Cq9EUP_^%kz#M;-dtn|e>5$&V{XfM>;<aW|E#$Q91R zw-4k%A!ZYcsMpXqL&MT6gwg(J!m9ANai~tCfm_|M(hC@hbcmLVE}VmP;Ud6uxN*XT zocns5zb79>x?lzTAI9#X%Mw6a5^&nKjY`{gR@%00+qP|IrES}GrERm$>D!~%z1AJP zAFzipi}?0FTSnljV?J}oO|FV}cOIIqmB$aWPi!@N+3KlHL%mk&YN0U{b_v^xqsJ-J z-)Q!Kmn+eGEm;k6vs`b;a_yCzdnG;7uN?^_a#$SrSs(1)PPaMQ_uk0K<f2(=h9rW4 zQK2yhBKcl{&k<MP^md%?cvq*@J<1ZrpVrl8XcRXS%trv^*?48A+@Ydaw%a13G-G>D z0-&)?U{YpV2^pbj#+AIxez)55%|*IRh0m!NvqQTF-Smd%Al9j77kv#)N60GlD)+nD zKZQMoJ(sMwC&9tSt~(7XTSX3S6DB77nY`Tq<cBg9+VFxGlmm*p*d85{42GMXF&#JW zB<w`yra3v1-~j-9D$c)E)=KV_6l}7~YE;9)g>#yJTF*0EwmfS@FLi4O^--D0(;0sd z)~lX_9B(p%r!}3A3@tS8M@)Lw^kRb<y!4H-9~hF^#G7ENh7I1uc6^DJ%yH@gU-Q3# zLyx&0E-sJxn4dX1#tN_Qpm5pm(<PwVf$RmUOMNyE*#gR3l9_a>ZkJ}-#@>z9>j%__ zIO8nZAO|y#jufy$l!CUAv?5^%J7-4Qdsm&c^+{Bh9}{4q7eI*FT%;ma3baI4*+v2m zNA;mM1f90oG=W>b4vbn;5G)n$$mO*7h>|?9k`7&QzUjzhO7ikHbLO?<!O_$Kks10L zus6Aw3wb?zE$@!BYxlTjEmfw1Ob3q6nf>5m-eUMex&~8?1<_yw?+pk<vr`F(dmfy) z>}z!V-QpWtpYa{R&7YKF#EZsqIaf%?CmE^oG1IuL$qP;?1&!F;#x%uwcSR(Zr?7-F zG|-uV^qy=xW4(Gpp*aVPa4RUMWTWV->ixXKLRu)a2ul-tlfz;d+4z7yp0ecnQt|tu zb5;oo)o^J&jURf67BMlv!H|i$?wfEyNam*Co?86AXi*Zu-zHbK0@lBgOEXLP%eWI_ zW<rWJEecg8w%H~rLAK!3b*~bMpdGq&C2McaOhI^sRLFl#Xwu}19W2JCs64dsKaN9V z4Mvx<-`c(#YM!%pa6_~(N(z#<=<_z`6CDEhv&)>qVWQJn<;&CuRT$s{L=dQP{EpIB z&kx8%W{nT*S`6$JS4dZbX3kRQFbiPDd%6z;+919I&>2?e$(Q4>t?WG$ZJ&^q39n{W z6dOutD%lbS+EIQ`B3ocBeM0I&d*CO~M4?xY?U`0JO`1VXc`$_R2)cu?=P!u!?^3(6 zGaj1HAs<Sw19?cn1g$UFFPo3o_?owdHO|g`c5v<Xz9s{HXKt(9iR|~^&||_#p@_QH zcgm!+3m*5xr)Xl&4UbSU#CnM<HlFUXU^PcIcWoQm=-~_AKrN(pOZ#{z0qja$J(4Yr z!X<Dx2j{gnZra=DW>Lequ81NH8R3XkF<0tijcMP1EVc+tXCu1LWgM_-hYy8UB2kj> z3N-7baC~!rI9hPhEdwrCQ2%{pe|#p|iOqWl`4aR+vqd(XwD7F7*&!P$gQV<z(}@Pk zabj`esi5J9`Ty0G+4E#|rciz?nho}7>wMN&*U=6#Fq8T?jSnDr`e$ckQLC@n&8Bc( zxiRL{KE2W7P>zc!K+HB;PThpmYmsy50hT!`2^Y|6pmtaalVS8a*9RT7ly6-}*97$Q z4XOy=6k9|m9e-amv|q^{nPO4a+ErC}>}fh7*G-#g(Yrl_u+woFVtGuB);Nn<OiM5z zQ02PKo59VU#c{Z9hU#EZ9>jz(58wYrqh$BsVqj>y82^Tb_C(F7O<hSkWz0Y;pma6s zJhN53Sjyo2xkRi-*7_OXNSD*XIiyP$G}nUXC@SWDPn&822z!5)j?UXAK<<T+Cpx2c zUXNEV{S7TIHR2+@?U*q=RsR|*)&B+Y`$(=f10$<P#y6#unTRe&&MjJYQM{{;H*Y>$ zk1&jNbci}3>a;emRy9FDyw1|Xm)Yf@xWxqI+`O;A)cuh|UP7+<r%gtzCQy>RbH?^I zD5E0Sxx}vrH}VD(Iw2{cE^wn5MtqhuXnqsCgI_XHPB_)7U7&VWRE(C`&2az24-cQ8 z6SR*w8drvse|U8DkLYN7BfcU{TyPj20amEJbcHs(Wx5tF<P>QQ`YGGtgfqIH2zTm_ zDVim&eGu9k=9<ftO%NTv_r5&9>M&9dWFk-6<Y)3u4eX+q8Cj>#?Y8o(TBKOIzd)f+ z<sMbRJG^1RK8W*1L``{i9`%f!`kYuaMuzrvVN7v7PZLl%hmb(V3fq{UWT5+y>N}ZH z+7Z%~d<?gz7j#<ubOl$lub!zo(RArHB}_!Hg%om#8H^p<I34Bu3cs|*uUC7gm{T5M zwLbjE0a2YrT5Il(|84FArm0jY4fH*0Alhuk$SUuf8u6r!*Cr!&vVQ^&e9|6WO`DR> z5Q^Bq%l{<rVqzUEQ!9fGt4p$6L83V-YTa9f<wgm@k7_fUi8)mmQr)t;kwMw+T|b7m z4=YOZ^c0o$$r~A`Z}LT)J@40sTSGwuG)=D{V9`RXFuU_*`~4+3j51yf?@F1EWnrM< zU_LPQ+Xl>6q<}HMyDvtD7rnso$~M<L<*go1@Q8$*Fbpc^DA~?`)`ud{!Qe7-${-^L zpsG47A^L1ENcKjjHC?z|{!(w!{3OQ3Da-TfF1CAcT&G%e>E_B-CqOG}gLBid=(R*L zBKA<WE0(2e^Fw6U=@NJT?Cqlb%TP(&wj4{@xwARWwOkdK0AXOyHA*VGZO;wfoxMlb z#kI}<2Rb116oX>!(xk)Y>$h3Q`H2f9s$?|k_C3?$FLCE(Z>_p*r}ps$r;%q)d~SW% z)!C^GihQVIksa<ViGiw*#I{_%r}O2|N(V`@mKn(z)+csi-io_Nl!%HYYi>HiSHm3f zpcP)<t!xAygE4>~pe>qlIpaBGrMEz`t9IGS(~bRQ7<2TIu;DJRmbB*`I|%(DWIKgN zHGkEN2q9!ntRr$5qpe*CG~rL0d%~8Q(|$OoX{&VUGa-%jQb`f(wegUt!f9;u15q%t ztN78juLX}g>O_ohfeTFM`wV3?b5B$2_7?~Iy=`XcXp=|;VFqrZXQuHF2j>^~cm646 zM16~a{>(>P6WPC*;07t1WD+mWsI3g|4?YA55O=*=!*jh=<tsK@cb9b0%N~2jzl~mN zSX=?$LqwJ=8{2@t0EdEGkiz|p#sbq^G0o?-Ei+Tl=`CI!zZQFBYm)+<t{(yjtkLdQ zt{Av`u2v!AhA}Y#FqM|e&P{2Q>eLw2knxVFt}64HyF!tuRDR!ogkmv5JzbQJ9(g+f z1$cVMCFQ!)1XHjJn^xC458o`MhlZZ>N&G?alj_5g5PPQdFruCJUwQwD;%$A-xmKOc z1c8i=Rlxqcb18$yL1dHZH$u7wO<Dw0jL6WLr}{?i5N{)xV^ZFF^jUsP^Y`LAhqU(Z zjKd$R6_&t(eO6YQ`?nZIOQG()ugAC<D>kpgGE*mK20mV6@{mdX>mv~D`|;KTwrM@v zNs(*hmCeITU-h!@zhpf}-0C<&;`>CS%NB{R4o)W4L`*jgI4|EXN1?opWP@l@v2-9D zjkywdHZ{r0oI2$Z1ypQXd_DPg06e08MxB2m_Jcfln&-ZX4`ykAh2BE%Z{6CWTl@np z7aMlcccgg|uJj0vm<z-ese}qGV@mzAD37llDLai4Ptta>yYGQ+1`B8$q+pD8P(@lX zPk6zX+<<@Rx*fci?bnn3^{N;jb_mi6BM=)iecf%S{<g-P87jp|g4dqNmEN^Ue1zT2 zA>#9A>kBh$<@S^qOs;jBzs|bgH<HAfOhNe(>hfA>|50u%{0xuXxPU6P(eWehLKT{k zJ1^dm;Y7oU{i$d*&$Fo;{boJlbT<xi>jy17P|<rPXtC@51IEf@5k4?FzRH9Vdz11t zv|Vl>5dtQ&>;qE;J=QjDB*?onn^c0B_7SgfBh?jvECF)<SWv)0YnVGFwP;SP!KkA- zAJ*r|C+G9g`N|W7f1sxuebOs7&zE&rXxn)ix^Sb0ePM0V47DgKf!iciFcSaUxdTC+ z7+K`~(3sPi+hq&nQMfeG;qWFW7-CDRt3%>XKWciDrqW7Hwx28Jo{)i>@ckNVX6XVu zawo^Q;lajH)Ws%EG#Bm!;zjB@Uox$;&`98;^JM+YC{aT@`_Vs>4k^#)gz=LNr^48V zDn$iqqiKj!lo`w-TSc_bqc^obIB(&oT}BACE6WT%pDS@<)0>i~;9!uL({F#oL1n#i z2R$<q;bTYYO#=+l%t4K|0bcj_9-p7Q{$MUkOD=eW2__M@$GfHS5X$7A`iC^JNJDs- z*ZAN{m-jYgWFmfnH8~_*gNA`etcU^nJgUUH470=*G1&kjJIriU@uv|86*i`veF5DO zfOX~57faN|^4KSMhyJ7Sr=Zd0(Xf5?+Ofy)@u}U|y%m-(W_#z+Ar(EkAeybK3=O4@ zXw7CL>!SdW?C0@Gqwug2z)MgWyr-8tX8E7vns8dHt}lS7Mz12!)EflEJx`!g<ajuT zj=;<CKXJKFTGzgczV3>=B@x=^;f-{L!}CC<kL+au*Kxu@&D34fW0dqC-}{UjOE^_4 zYljwXQwnkMtD%7zDyKF}QFc3C(9>^~Z9BLrKOAZZ(63C7$eqb%YT}a#wiCnr#I@u% zu(Z#$loPH)0&7PbrZMGju*a@M@BJQ(t$+F59u(PB8+lI_C&Wqlp>^TWa`vr##B>Z# z+Se*eg3c7XT=1!*Bc6*@$+U@oDC$dz8{@vi+|>>>$y7M{;L)J)tdA%OhA9ahM%1Dw zz;ii(NI@)NlGHuG_=|e&x!jTLec`Rk>B?7@zdLUEb)BKqStfdpnPp!-K;p3=Oc{c! zJuCyaC-oCg0#B%>f!L`u88{opMb6Pin#|)z-PqcrqmC=MG00$%T`KjE&k)EHXS-(@ znx`y}<!mz)6`lLi9Kl{uNZT5~xoZ{ayr5}{M|wE8;kk2A<<G}%H`Gh~jl<7={q6l! zQ1JzRFVh}dTA8n+-ta3XdU1nzJrbMG-^|%iPb%TTW8QCh&I|`?;{FJ>TG1EnK`&mt zD5eUt>NZ;qHV&5(EtE!3UX0fC1Nn1ORHo5qEp0oH{mRP~k!vD?J!vXmvR45(waV+g zhTf%%0PLT!?#NE63SZDSj~#(l^e;#lmD}_AQc%8aD%&!f7FN(AeL<N?(2e(-1@m4C z*;;1f!;{V%FA`$q?EE6N2wm0}=N8WrU^1)Alau8yxhaA|6R&9*`N(4TJ_RC*uU_2V zz1QpxsEOn*yGhSBGD(QEb@xVp`DVbwSr<fQXzj%X0?c~_FoL3frN0YveBm+P;1-{I zYli#mB8b!hPkBPzJ=+c90r=B-Jf%_pB5X7Q4r$KIHRgc<4Y6r~AMmyHAZU9U7ut6c z6fb9OiGM@eMorTdvBugZmCZ34zD~}x2~K>6k@anLs0e3_9{JQ`MD=c=+P?^#)#PWq z(c40PU}Ra$+}&1_q<gx>k2T;3w<dUdydu0208}r<50d<?dZ^~vm_L)EPZ+<ozrDyi z`H!s}*q~R0s$V3Esyyx&A~Xh$PYm0!rop=BKEC`Y&)Kx0I;-m&>b|gztlyjnh^~B8 zb~i$fsQqT3y#{FI0_*z!VwuQNz2BiM!Q;JdngNe@?<_1J54T&Aw7)m2rOdujpI_sm zuu7*HGk|N~*(eNtp!NQun?@4v{3(R!A*#YI*oV33mgz0)jb-KLbCw9IXg{P_mtuH| z8OCgxw3I7W$Cq!K=hr0nmas&U&6nqI{l7<?G*#SHSE$^)kqx$EJi-Vfehb|Al$;^A zsf48n#H2w#S6oyuxPS&nNSuTUdGT#|hyI2-RC0`j@QS4<l(lO<jA2=On<RHu{kTf4 zZz0&}LBV@@Nb?FV{fC{S*DlSMNWa~@yO3Z{fte{^Go)p1`rd#`8OOq~SM&DxsHC)G z*b(ulqh4YATZ?m-x0q%ziv!%BeM{4#nF)Luynhf<H;eY@<9-8j)CKYu$E2D6*q>=$ zb68~gJbF@@eknQG=cI|6=@!GS@XiZ+x@l-48&O`G!{Lz|B}jjWZ`qA>^2k!e2i?uC z6l;R#nKoXHA-7<Ls4L)bAy`au400wmMXZd1hvd;#iMDLn+&;#m$3&mGU3XeMAPbBM zJdu{K@K=YKOx&r~dT=JwVmZt0p>9wF!osr${7dgy&ZGEEPt<3W;50*lYQyiWks0^0 z^T=@#D=NfLVX`HR7^^f_pVal!?N_~j5{0PRUK^rBV|yhUs%T>N_7`8&x(e!q`QSrz z-~s>|Uz+?hz5cBzK1tr9p`lSSx>CQUE(2lZvhtpYBwDzz+ZH&H*n>MyPfdQQ$JK;= zufbN9uu6CAuDlVn3}nA-mq>eF=Ymo=HqSuL@-0Yzo8$)Rq-d;_fwQg`setRSl(G+c zhTss*lwwX+lPj#hQyp;$oLv`5El8wshCe@J=PTJ}pocs<1!<c7vGnYgz4_M&K+zml z<=5DzSX1Fi{}5aHT%!!4#@b~5+zh9&yjN2+*low}faRIY=KFM^2E4f{>V?TD{-21V zJ8mE{2vwlMe;t}|{C9?t^?!yY+*}-7|7~Z&!^zD4zh)Rc&DHd-n;DRX7&_VU^uQtD z@pku$t?@Q0oIO1~BOyX;gANoLAwqneA`jjs|K8`hPI%t~y54^-h^}k3Icl$R+ic<_ zq{>U?X)Vr-;4)kqBb!~Conb)I{@lpv=dBUkq!D~zYGDppXf!JoF&sc1i<Fn91_cEx z(LwwECc&TwS%k_3r5GXs!Nv|sEi5EXM<O{qxBzWxZVUs%VP9*-&Cb>an13FFF~5F5 zKcQXPnHwV)1$sL{?(lMN2j3PmVE~VX-I;Mf+91GZ>+FU=V9hc0wJEJZLR(X)gz@Z< zBYN43k4$WAA;ErW1rNT>8%YLrfkPO5zk`CfG;+0kt>m!nz-MN$fxtL<K!pA=7#_SM zX*?#5f;@nU*wp6X8{h~3lLv~0QY7$lid2LILg$-Q7rRvmW^i+c6o`2O<Lvd==sRRE zsYZ}jJWmppPLA=AqAsCwb<bOzA$(D|JFmgSJUH|-wlWKP@>E$q(1@LbjRDu%><J}2 zbhjwfB{u}ZMrSFdTQnhihs`P#wPtAE$*sGk`%?>s1p;9Q8kV&clAmvAWzY%Sogesu z_{qErPDp4c3Y6gcIelHg`%^S;r0dG5rcj@mM{*(S08i(u_9pa9X6twda&Ypo<8XHL zfjo<e@Od4A1DHiPmPHk2gZ9-$4#M3eNY|eN{YpU_d=OI2z7?W=3KTv9MhyZ{y@8%b zfF4QUDJ5XPe*vh#aB5;(3(@L}8#M5aaA3X!atq4T162g_(PF1}0}}Wak9h%%hS=8L z^7-*>0^Zdj0(z{Rp><mVCje*IEgfFUk?E<C@!yUu=`CsLe4BD(aB$5KS>X1DjCV{u z6@9okCbs6t0jM7hJ^rvq2OnH=Bg=4Rra&p!f&tRTzO4bShmtMB(-vE+sY&T;79dyd z8<S;vW^|B^7k3CKkSn#lBy>v%Ik0MUjBpp!;Ex_td83PKALPUHGuVgs{?|`nGhl4w zv!R6y1+K{j`ogu**~tma004aa-k5sWw-Ve8C71=oCGlcdIli&F1KEFqMHo>gV>bgC zLNdpJ&H!7$kdY@dj60wbT$*{4SAY&&M=Xo$L0)B`G8R36WVGpzL22jWz;y8nlYn3R z!0<^iZ&;nN-oa(;#BBfZF%wTkT`?or4p)Bl!7&&sG2Zx{XrB2Or{GzgutzCtTpakV zRYR(ExH^P@0a9Jvt7DCgWI3|*$+7(|N?NL|WFX##XrSLVos^uRl8*lFwZ{z<&TdZ0 zKk%=zz3W;o|B+DefBBYCdjrzhuEz#TuwbzMs&CaP#Y9v|`>#dRqkNizldt7jLRS}p zA0A76(0M<<Tcsq#c{R`R*0`#RpXf^5JiXEm{nAb{`HqoQpdviUF-eH4nqaYIqc7eS zsco$iB-rK<8m=Y?3|<vZ)f1wuA}31<ODdWAL*4ORF7InrNajhz+6_*!399yRnY}V6 z-jf|RN`1Ene;-WbTeOP<H9AmeA`ls(dpuU=5+&#8cK(8_Tedz+ux>|vJwg?4H&Tl@ zNfoRXOZm>)U(+Q>hgCRs_E<cyZCVlCViM{k>;H41s~GLx-I)VD+oq9~_fg2mH`jWs z9=g_WtWm6e`<}=Qk=y^V39`Nm+D5f$S%=(Kk@+XM0E7Dra|Y@XE;b_#Eg!LBt4`gZ zy(X%v$mgPb?tDhM%y{bXs)9CzLIIxiiU>(YN?w4#pDKZaMQAo(XZW#!(r;8UDaD2$ z!%6%?ePObXLRt+gcYf_xb#ZWwxvFQ{l#TNG0`!^7&yi`?O{n5A{sulSc~-p@B`Ilx zgr<(4*3rq$i;4ak41&&p=4o)Q)~G*@#hi!4Kv)SG9cG{nKDSBI!cDLkny!t|_|IJj z=0R(Bf(qkClzNtpL1&^{^-q+QC-hDdZW!ImA>QG|D|iUH^TJ!59au-mUxPQ_k6g<T zLG7_b!{C3Ip`u2iL#aKIGG3KLkbJR4k*7~RuqwcjB1MDjfvZLMqP|${5msWVmyy|9 zIurt4E>6)nH_UOnzj(qS+_G~4Z98Ezf(i?o+MF&MmMW^|i<<a;Gy1u`#a7dh<NjuT zIR!CAdu_^V|2dPT7LCvMz)(Z`PSWg2@>Y)CzPSlE%Eb|xt&!6h&j0CQqW-MRbak&5 zHIYTyom6?3VF6v^!hjbcPhOtT$)aMH3+p1h(kN6-#5^IqF^5N0uXAHB(Vk~R%$>!^ z3nGx=Y*xI(U0<Uys1~JRE&eEIvb;2HX!kFj++fU4+zDxS)a>8X#aOizhrnj+zl3fJ zyd__?9yEvFPq7~O5YZ4b%}ah8bq4(|H66HIpISX7Vc-8XFAoa~<Xti(&8fvp98~(c zys`8aW$m6SnfYi*!hF^OX=Mn%uR0s&aMcii(6AJp^w+dh75ws^Lg%`ANKeWBis|4P zn?<%>NF&k?Jb5oVz4>#!up(PLcdxs3%s&2gSV&KcE&lv)jqwA9+c&+sM4265wGiGL zSsw_xM=e3X_LVc>>O3aOE`3Zy{ybb;?h^p-)ZcWLnX{3U_c7-iGIf3mAdU5|iVpis zpP^7^t=EK|O@=Mz%tQe4LC3?WU~y|BxRqrz#e$4FjKoW6^&ZWj`J*zcQx2Io(c@_C zeY0RaN)y#d=|8)eH2bzINq8wCHAo41Uqkpzr%acGq;&Hrepf#kIHLg1%}_{kk&x^C zLC-~4jrT((RE?MF&Srm|atIVDdzCI$pUg#6euyhuPDEaqoik6l4jn7|#=%9j<|X&G z<bNq%qh@>hIEsN!Tg#V8;Yit0Y`tq<VCaEa>Eq(wm<80F_SX{xILeIvdk{3Bt)wb5 zqZbDK*D)t5Vi^9~YG@d;1QRcA7B+y*&?w5VJ6E}6o^nF&L!G)Oa6enpe$O7U4M5S` z)O2QgadZd^Mi1y?-w|Iwf}t9{K7p}fFtG0@&-i6>{McfDwp+@2vbTx+amwKPG9BSp zp5=Q{TIEJm22b}~p7-TXoJLdWt4(0Lvb#9GS4r8B;1H@@T9jtdJ>{k%Hg<dn%3|oL zb;x2eg2@x##vXa714rPOb6S6v6Kkw_d7g{XfL*q7()_1Jj>B}qbKgzUfrXa`%H!co z(@c|ADyguafr;OeZ@qRry1c2sqMOYj5v-{{!EAP{HgL7eN7YuN8{K_t@vD28raKVd zc~(PO(MD5!&%;~X@(O}63z5OYG70^@U^+9A^d}DNvD7?%*{9)c{wnHD<Fx)4x#olP zryZui)3D@<@h`s>J&hCBG8M|)>cpGOdp}IDt)4!MXy0t9UAJ`#q}_+i<7{b@eGqHv zcW;jm<jZ@u{%^{Mc?M^hXRGXC^z+#ZBVIWDqILinYP4r+|6#ufgLF)&<^+}lYL0YL z=dWK|%CPXUtR*EWk?YHxf{*R^P(~gH&~il6gbjUr__WK*y%)8a4dv|eTumg2b$E2` zutA_JfqxUs2Io&J)_!%yFl784y20m{Z(8>^A9Ja9Rps5X@#Hzw^m9<KYr8-IAvRB& zr-wu237`mzL|XB38$!luW2Ky_BAa*We2%w-PnK6jCJ|L8|1kHv+(GNAoIol;Gip!m z-f>6uvE*^SbV$#&mQ&*7xted?Anc&A`#H&9RNQ}NXvyO&VbC;Z_y#*I^fZwZEBDc! zRPDw(W9kyy2;J!lP(!5V1Qmqr>){|IZ_Kej77|Fpru&8YmNs;4lkqjx?0WI~LHK=4 z3-(~vz(_jD50O2(qkg0T9wvf=Dfp&+jpGpc2ht0E#X6$hz~@R{dzW*du=A7bu&%`E z=>bK#C_=3@d=vXgm_o8gm{@_DC<X<<8P^ib{YvYpL)v!9(LQ)&GOq~$P^kQ1Imsb& zqdLQC-4k7o>-Xp`B>xg0X$U~^c#Bog9bpc1#lUE%j_YaX!|eVj!?CY;d8YG#!&+!6 z?H>~Eveo2M5)FxC%X{O5^^g;F(8~=HU~=y*3Q8PDbNJ@}{I=V&&+ZTgkq&9M-<B#h z7!qXYHs{Llb6@((LW8{!vQ<mtN~FG0_rg&;^eX$T28(Hs4OIO>1X`l(lX7s_E)3R) zgZx;fywts2(_nTk$H0PR37(tkU+GAl{@|i>deQ9SECxp!$T^taaS$@@Wc06Rp9RzG zBGT1wFZok)GWtN@rG!vNRFqz%fToP$x<?C!fSL;7Gns$oatQgaGJQVc3d}V|$MZi4 znPfD|hx$nF%cB1z7_5kAyqJ%&PySe$zpf8pWEn53%j~Me_z+-lE2`UJqm<R(_e{Ms zPB=ND@WxS;gRs2yp`f;|s)!eOx-ZujK7UC^PhsWm|DKbF`~qt-53ZxA#=ivUQL(lm z&Z2Sq>jbGEe+r06o;?A~wtOxRMrz37&@FYQbh}aSVQ*#mu(^a>hjPLxQjqQ9{aVI3 za7B=Et>_q2X4xCcuVzQVqrV<b;YCl;ji(l7sa)sISl0@unxy7&oNetv2qp(QWCk72 z3(Wo5!OS(zqG1H5uZ_X*1$op&J}ohQUHAn38BJ7}{Q}9qAk*|?&+5@cT$w!i)N)f- zrEG>D1`j@LXKIUv;>o=WwbH5UMp?1IM|^F5wxT8$V~*4j%u_YdKno(4wB8Rmc0;8K z3M_8~Vp%%kRC2FjzEy|5W4L=J|5Za~M^u*5MegqrdzC2EV=-)W@r-JWBxzh!bhoC~ z3=M7{IFmxVl~XD2Yhy%mnbm5cMnT6Mc#akft~nH!4!OPl%p)%IZ+^A-v*!}?IrCsS z*!N*b8kT`CeeN`6N3JI|{6aWvl`jvOo@BCiM%q8ssE#o#2Rb|uWM1q}WBwwtd8l9A z^={MU)kr_zQSo*KH3SJL+<>t2J7bu0KqP5zYCyxAO;Is6i$3O-bKaVitfk)JIv&cE zb^Ibbc}|LRB)Lc$wjdszoQ^j0mk(~XAyXvq(?af?v+P0x8Wa5x4P3mEF?<oIBnSb` zHfWe}nP9@kOe(#T+2cBB2&R^@7|E$ap{tR_TC$1F$VId<z?91<yfhkqPY{W7$&y;Y z2<4@*&7WD=GvOkPBM?vC!llN02Rew0ZfJo{?Qa>d+4}Svh~l97VR;lpm_d>IVaNW9 zmwvD<Db?IA`mwTj{Ad}&%d?T|_=GsghmR8%wrX6a)PqX2)J0Sf%WPJRx)NbC3kW$} z4r!>>9b}>I9WHCJ7MIvFN`)DttNc2=qpe5iDe*L+uRh<BP1iPs%AIG!a#X=@iff6D zh*TYnaE;F+4}hDY68XidN+XgISZ2=|Yp6XlX8_wnVwFbNTG;H~nNG~t_mIrk3Pn>0 z!N-<^rD7y9V)pRYW=|eJpZSsPOIyvoek8~|n$6xVyqwQsq3Dm7R$U>ML0cR08-SH5 z(^!6$31gmY+P|fz_@bt@Avh1qc-&6nqkYs<yNpv|Qx%&fK^3O-#0?y_WKLDRw>@Zi z<hRD|;_$U6Rh(=(je>%RpE=qE!~Tl%@!5NQ-Qv1`zLb(EGn;Dz9oY0+y9ZuiE8KI+ zya`=-^@@WF4n~vH$w#C$-3M3PliMY*%vkdI>WKNCJ34Le3Jthgn7t2}HH)?3@O4~- znu>VYm4Xzdi^<*D4yj-}f^T!yGd69r@I*x!_tz!3YSPwx+!w1;bX(1?kN&;)1v#h3 zznVXw|1$D6Z{}2zCgjGD-`biHMa)b+%MqHs&#f>{o34)LTJYNl{~vp_0}C2kTr;K= z7#pg;pTdF`^4*@Dasa2&zptdaGseUZQ-8hTM=Q^%ZDxbTd6275x<GI)|AnbP-`N^8 z49LFl5w$BR3Q0T89vqU~`iYK&LX=xggVt6;zLbHwH+tKn>%Cfa$c`_o0c+=?Q=QC# z=ynJ>9H^B$zYsj}2E4*KVLZpSVEJ`>V^33<<^CGTh8?4C$u<`J@yf_!i4-9rOPbvB zDO*>(bxJLdr30jE73ID4z`xJzyjja!I|WS~1^jwEyvM;#82XZ*N#nMdHjbu!UL?!Y zll}Tj)t}`+Fm!uacQ~k_Ld&VuKKD!If;}0poGmYy41Z~wK?4|~dvVf3(uBXG&q%Y? z3x(&$5_blI{Wy-125E~_Od{lcp$@AqpPP4<($C3J&>=qMdF8n=vf!t8>bWMN#TsXz zN|9X!<ylAu!i(AzO_EGwGNicdT+zlIw?DRvC``8ck(#KU;5YNhQ{8BCGr#$xq^q|* zOmMW3)%dM3PR5q2Ph7+L;DE&fDh#cJE|>gmukav>=+l1j3bM5~_iF|d$5%&;ZJ&MH z)AL6U8_J!UR(sL3wNpm3A=C|pYBft;|Iy23w@xtj_9N@hFwW_sw%*HiDEC9Q*QDJ^ zrkx=9trg5|z@UP$xN*)-$VLr;P*D55Fs!JkjuV!_y*T*~PoTN(Pv4ULeRBJL-6c{S zwQF(5i76DRQb>Zst&&Hv(!B?u>VQ6=DRCV3FBw-VbkU3~Lofqw#qW-``V0>?>eyh8 z$v}i2%B(h*yEV3WyomdBIYQxgiM`WHnAr23$Hs19I!y&1eUx6Lb>;gAVn8kuqZoOL zD$79J-z?+BLGp?^1O@+{T=j5!PmifkMp&iu)a)Z=DD*f}98^KrH+hXemf6!LpB?TD zgyq@hPL(9zTRv75c@@T;nhT0ozt&n8mcrc)*=X3y2ylyPO#0riyUSX8XR}X1OE=P9 zx=Ut8!G~+khn%0M5H_NZzapHK(_G-qM_#R`Pin)6{zyTapgt0)MU$4e4i^9lQ|~r~ zWWz6`FXu}uTe(*6J-e^FDeJuVJ~mj9P;yVz;gJ9^!Bj+-+`PNiN4S-52Jxs<2>>VB z`9My#`5q3A!zQazk8HY$Y9;|OowhgewR$ZmZ`kpyhSBOr9N*r5HzN`npba`B$RjUx zADMh)kLO0Z>pTwPY|+;dyHSn#@g}52w}0Dw;@MQfdJ@}Y=APcRG#9R5-^XRNYNCgX zg8Ns8j*}!1du17K*`jrbJ1<*n<p=I>Co0*y4{9VP`w;PRM{lG?S8AiLUmE5<I!pzX zEA<%?^4Q<iZ0DOG8rf>1B=A!j=Y#4A;6{s9LhaU6iZ+n#P_%)^-pk&K^THi-NNheK z>k<k96H)z);C$}+^z}VGGI?f6HD{H=aa56N{Dknd>`#33wnwjk8H5)Wo$smFWL!cY zGmWyht@s^t$Mf{t>n?S5-8N5G<fHIz&)mX+Ea(1!=HpEn4aZ8nn7H^nUkr{THbA#& z<>~T!!3cjJSu_I#%Wu-)0LhexarQGndfH_7l6R$MiW|@4@i%ic!L@;mqWelTTJrv8 z2AqDK8!a}?ROXGee%L=|yEx^b1}WCpfldmzB_;&7)qd6w5P8{ifn$f(mYF!i34KAk z?0j{P`5xaLr};qUP<7Ez%Qi)tWOY5Ip{oSHvq-1%Jwy|hK81JPVP$xBe#|oZ`-9Ud z3!s^pDAoDzY7#@tAy{hwK<;&9gA8<mc*FNE#0nRvfl+p&I)v#VRmG?rwQtQf^kcp8 z&`YbYkt<*&zsS@5@3?^R5-t?_oW)63%hx*!eMEtSf%zOAUVG#c6rA4VqZVM~mPbFK z&IFSpM^oH;x$|(2OiIg4$1Igt`@V;{+Ht4kjDYh}-G0GyPe~*|vG&pH)uBAWWPKiG zK;}YQPO8i^9*R1Rk`9l3y6PjhzeB@E61QW=|Fw$}^`-5?v-a4U_tJ0C%c+-ERlV7L z=PA19z;igv%?`@2bS2<VK?a?W#d2hqEN#djyvWy~AF1tlN_k67AxV71)P82p8h1LF z6*uC-%@lFP>DV!s+!OgvWuZ%%L<HXFbYsdVzUQe@$r$vFR_xY!235xE{dx*Jx)C>x zCrqtSrYdwHtD<tfQ3B#GIr*#2N2lhkr_s?CnvDBNOKROw0wg7JOBx)lU*qJ-vEjp| z9O;mYdi`q+X42u6>23<BXD~bhax1e%bhJpHF(-V#xm42o`KD7qf#{eQEiMzj+xXM* zNw!xPyS-;?fcl7Rss;WpHEvrj)7D%5%J4gvbni>{SZ{r7`K}jikd6mw>5hVO(AyM( zJBW<Z?(wnTVmktwshO=DR2EcB3&8#=K$$l)`;{qj8yLmKY3%LGW~Y9WW?Hq;>4=z) zlV9$d?cs7EL|VbZzTbPwx%S;iNzSE>2aQv6*re~s_XhVj*Wau3ufWieo+GV4<nwWt zF^uo>Po@hY_o&OK%nxSMhnBRnGn>z3hvJeXxrWIoLwF>GtvuKD<`pMH=$NJ+FO3zK zBpLI$iYF>NvR1`-{-bkIyK8+>#iFE(klEXo-VL`La~^sF?v^=}smd3&e8v-}AAcMP z@r%GpwmQx#wyS;jPrt)#6(osWwWiaqyS};&*`!28L9Wd8`a_IAV0I{B1=xgW=dHZ+ znj7zLn?D*QdEHjDS_K@=S(x4AV9y*UQoGSCJ@W}mx5gOPavq15<GLQCg_rLYa3tTl zw^mzt6xCAle}~f5?aL9x4QM*Z2pNjJ9PqWN**!dQnQ%GJ^t4x5cr!Bb1=f&=zB7C0 zmpa;yq<~JZg;jEjFZNPP)x}4fXLsC?sGb8HSXE9nXydVeBkk?2(B8xJ_`Ur#FFKMk z#pbO7qYu!mrK2IAD{svZR9!A8@}*YVz}Df)EtBbc(*_=by8im*D;WJp=J3m)3HEh2 zm@1fIF{Aa3=v8ntGwmd@pkNKseN<)RY3-fw1UF3q6$OylQ5`oFs#tPC{w3YW5N`E5 zF}dA{z?CBwFB9PX1bIB1I-;rDShIJADi>~Y^{`JDprWQDd&^8YihZzC3x!H=%lBm) z^acNwmt%7{(t={Jr<_CM$dMRDhZa@SIHh>e7;h>5oba4lz|x}sHaVLNkEZ3w^utc# z&`Dysit@KAt<l*zRx(Nn8#OzaRjV;ql~rW%<LfFTrvct=)}!+?(s$Fps~ZflFCUUY zQvl*yp<7JSF^irnGk*UsD$#Aze!N}D$<jg0-BbzY#*-hsueuNh1>alJdqCnz*02$J z%bS63TBamvA9qm;S}SSG*(bXBw9veCGo4RjY^Bx$7D?36w@#GQ;SrcxS^jv1z)pw7 zIom3QPo&QGKi__!M%021M&y$E&9Awubg$uB8qRk~N)Wn*VwMFt%BPK#i2cmZp5&5d zbw}L*<vcne?G#RQ?sXPksEHCzxM<8<*7^F|MMd)z{D4vFe`Oy_D#!nrO-Z@OmYI$F zAz^(QlVP0uUGV#+R60Wh#F3I%TGy$xd9PvJpKmeZB^3g4*w#{fUF@b?_F{U>W7=#+ zX#(-P-PTvz>oHOe-kp5^c!^VZ+=>o91Zff$@OZ6DKesMbHTiY$)$;Hy33`efjvT9) zsvq0>{jMONlpvSyI;ss|Tctf=dpUely38eq!zQ+qk&U3}h0P|-{?n4!bKrnb<BixS zJ<rSNz^U3>lXTDTdL^D>b-ZI+Opgt3ub*b!-+Nk%=fI<y0+Zo2hFlB@DeN<HsmN80 z4OhM|O|6MXoK|LMZ~iZ?kY=NbH>Yx+*J=aNgV;~LFnos<6?hp>3o5ti%Ar(+DA7Ss zPFB>sumHOv8!I;C!WI$>@;iCrbZN!4L%c(fL)U&4rW1}QKfu8&-a`8fzrDNs!<Ycz zz!i8Azn&S9C6GWMJ+XH6(kqsk)<hi?Enf}eNTRJq(AXX%vgGHl*VL>Lzo|Lx#Q?6U z;+ySdi`+1k$TPx@>=b-r(k54<_W;f{KIF3DU=e2`6*9iZ2P!bmmsy^;+$HZtI2KBS z9hrgRnokg?zT=rs%D*8{svGj&Lt6R|(^B~MHC-&rrP}9@MeBZXHbzTL@5VN7cmWuS z`ra%%=rzO!=Rz=rdc1$w)Q-wN+$coF>o(T&$JaNn0A(AYoZ&{_W<fMxCGi+qq1hv~ z6l!^C#mJjFTus(HxPx!rzk;&}O_eXB0YRmKcvNjuL<=Y%!}iNHb64dkE0cm>Ylc&q znyA&5R=A@r^=Wu1f_`H3G%v{e8J=I=4^`zRC79WOt+h@)#m++kLa<M&HQoWGeqNIe zsLzh0cgA(^nx=;l<{yhqfL7BWq66*2rA5&N+UQtequHue2G_o|%;TS?dw0nkuM65D zHF3*2cqDxzcpd3a>7j|*Z~2&!Hdh`elK!|7`A#2+aJARLcE5yu>bTsfvmM)ZMp8O= zgM3d=d3`YE_lDX&kpcQew2NqK`4%Pms6U^Wc&e!;aT8)P&woAgQ7iwLo`m%tnv!N= zm4W?mKe!o1;e>hWBePNDdAr0&<Ar%e<p!=^(QdD}uGl`xl!{H^)E)s67UP9FpFdzb z^`J9`@<^vkJLG;;;*4}0Y5i%$_GAhcsZL{8=y%V>>5{;);3X5Xc%D^`)q^n+)ZsSS zQNrx9&hZY|4!a3@9l)o4vOcvE!a|}`R|FLQM#2!kt_iHayf{lGLSm7>U)zDwcFMP; z+iV9^H*3AnPzxlyc44%)-*jw)@j}BDv4E<&mI$)2Ylv?>8^a;u3eh-YPix<RY)>qW zK~CyNsdf!HPm$n;BWW&8H$vEmhHN82AjY*vrid3o!C~d|&$cUwDtbnZ;6mvfkLYoK zz`EQQ1lkS8`lI$gboyk`J+<pCQFa?q*PoOa6mZI@RuB)LiP9`~r*N;LC!cmMjTCjZ zThH?eZm{`$8RWkdQ6m@P7yB^`)RsiL;BQIAaHu@d8kYuVbHdA9y>lOnM$W++<CLHO zkb3Zb0Azv#jz`}mZ(6@&DAvs5hQxYl^r;*`?spSFD%q!6$kn-xVj@oQgVQGQptp?% zgdq!9rwuMkB2lctCZkpR_M+4DI}(Z*ULjQ0;*TM#(93?zse$+o4(Igk1XQvBziD;? zgF(I%m;}{Mr>S%+aWKw>mliR)Hrq#GmS!@-cnVofXZCXG0i8M0J&i=J;7N9Y>yb%n zE*U>>b!6HyAG4k1Sk1mXsAt2hXkk5M2k)JzN)(mQQspjzl0$-ESQgZMp4>_WO2+TL zl4C{O(0(k%yvx@Dp(RYAnn->+qt4{O_g$_G7=z1$O;ot3`aohr^P?5BN62zP+T0u! zI^{kuL+tF|X%5=+0Y2?jaBlNj15R{qLq;Vr3ls#-bJ%qo$GQ8ipS6Zcb+l%-dYW3F z#d;3my%mT%{~}d~>|t<VPW+4{$%=qWQOeczIL`59F!tfOqt*kF@ujIpPFX-SMg1^e zBSM}g1&|lqIlK~w`c%Ho`x-m<@{ZwU<vAj6I_g8g&(+$%r+VHfFO$JU7HCR(zC%k& zM$(tZb_aFiCDH5?PfJ0;#1(3`2=am{OtRiXkdw~3zL|sbB^*h81%p~wRL)t{y$47> zHlQx4Qn$HX=o5zZ+gZK3;rw<5LS&`?OibVxsuZH}s7!oACDPm5O@d(YQ9A+=n#&)_ zce{@#oW`$`A~AnSwF^SJQuu-@ZwA=}8SZyopwcLP^Yo<Pl&OFy;<xHW2XdJJ;H)K{ z%w{QC_BYamEA1`iD=SSry;}jNp$j90`6ToiYoI<vv(IXbqxn@q)Xj7D@zplH6aNU+ z4urG|bXi*4SUyyfp4acQX?*{?^L<P4O4oYktxg(M70G_3c0>l5m<>*X0q#&17kf}W z#&e$h3c)qOk9oPN@GM2k1YRiQ8XSKwRsPk$eI-%3=8?QVqmc_AZa?VCo?hFEFsNdM z4LllW$3emnQA;0F6O4tQdh<Ugh^~3Hz(pd$YBBz?o1lg3>I51a%>GN?F1QlXd_#>| z3(+Wlx|;>JW!S?NYg?8lYccM;7b%irNh)X22uCgw&muFNCYZA12`-!8TO`HT`5u`C zdll5b5F=iXJxfeoCJxhd+n7oLN9R#}5C{`~)(!Z!?u(O_u2=ot?NHMj2V3x;c2MZJ z)a<AO(3OuWG|w@K8F0R>F?dz?wodIBS(A;N*U3_0jv=Y<;4FEDx3Z+09)l7?NbVj` zf7#e#WEc%oyaG6a4)zGrWAy#Fp(0aljFHUu2O*A`{!uI~(w>HfU6ZdhSVz<HKF_PW zD7CJI@{d3!8(gpS;5Wht{!&l?GCr3724Csuzk?B(PB+d{6aDcFq<1degR7)s_4zu; zB(`yqq9IO3+B~LP4B+5xa8&2pjEzuqB&k&}gvhnJW>t$VQxE6LIQ^C(98^X1TqV{f zYYe+l;AOjDp4F*Yupb~FY?-4s&1i@;DzsYmOd?tg90iu}&;P_MR`?<)90yFcQ7~g{ zbnK}JNF_m3hi%c2qaSX{{ctY!%tns~Ien*QJ6Y9qzU=Nn34z8m($l_zN)8X|i?|*^ zX#xbRGtWX^Q56RWs4Hn`Z{j-)Y4aIHX7#2iFcYS%OY9wz22q+ZDtb8ov?KJr>+G2i z%l}}^Aqq%s#N-G{D&#65L%K+7&Fxi$G37Q8lHx>IYt@4Y)Rx{M#riM`di!iN4I1*R z_LrpODt*Z0b|KnQs$Ur#F~imFrKy&%>25pCVz;G#j)*P3Dl6Mb%O_CQvwYRc2z4*e z9XW6%uHcE+33j@9_)$LnaFtDU8;Yx7CfL-n`Ta$M)`=N~X;(T)vij9!KQWxtwW{oo zgBJCdyGS>2Z>Y+tior<NF8q;Wt0txRkw{&hPy=JodQ}q#4N-go<g{nw+PYBPDx8<` z&fAylpu@K2SN^8QkPd)2AzDQ4zm~ta{%iS*jrspkhPiqE=Oyp|rwsG_@0H;{9ja*- zd+n5X?fFAYc029%JITg7?fJ$#77_M4?W_&}-;HY3+ufSXn&(CxUDqPy7Zxeq*fb@P zY>mayzmsaSf9JC^k`sdANi3~xPmapW9O*0<XvAvGZ0^85=q$rYDKS0RIo#S?JJ4C& zI8VW<a&th$<>Eo*<Uk}96clh&f*SimBTLJ>!r6jE)qm%w<m8+QQ3A6-;`jk#&l@XK z%ezRzZ|`GktK)x%)>r30nMQ$arOnkegImKGMi$nla3~p?i)m@-&`MD=)nKFYw{nDt z_8@SKlAIaiAh@!os(jR{GC|pW<b!AX&_PXo`O&9B<vdIO#?airaKQ2i<l-5C-Pzsv zxx7E6C7|3{yxTgwJpcTmwRk~i2@!AefNz6aL`K$@cE=`9ieQ1K7H>eA$)P1cL-?)X zo*^@&FSRALsgx|V<=}o59GMAler0QT@w0GKAtP`N#J6Q2gX(RZ5t#PEv}c$#pkpZ} z%SRp5Qr+_`)D$NNN|m92#2G;pXbOaMb!z?5#A8&*@HhizgCY(tt?n)^jgGHQT{6uY z-UN0(7rKK1GOrK`3GDa*r}jXmT3~i)c}r?_JT4&u`O1FQ_<W#guI~2GB9M(P#lzwa zL^2|9MqZBqAa-tZ_0a&O{KLkU7MRM+-qg|Z2$GeRGqgCf#Ro)$E&3QR&AuB*JOM(* z0Ciyi|5qB0-vv%D0bQbjhWF2b;aILsP04Jn|M)<Fe_4VCWXBhg9y}L7%s_zjc=%!y zz{14hy7Kr5;MDbiPHirLZx0BbRn~I2-wv~#4J?lcPB`2bm8E8p^;AWNl(jU456Ui{ z+b{ShTW@1&a%E*|ZTXeC6WE3+JTp1?VCY7Rl`+2V0ZbbFa!jwzp9-uyVA2Op7aGWm z|5jH?_zG+>0-9Gnc%tN~^AiBh-h^tB+qgapBLj`X!fy6J4O-*u2tahGkj4kz?;S<+ z<md%~xk*4Ulb?l_KgBJj<$S{5j(Z4kz#2dxKhS&m9}{zl$M_o+FfO6Fr8s|T-}<{S zBye?{F(D!FH(&$oL-#c>56JOeQE^u>&TKpLHoiNgajA_v@1EsNo=Ub2?jKh~PKs0> zPb(1);CSl`xIFC1ONT0KBXyHs(F@!b$e1VWM=GyM2zWQ%OnR@#F~C0fLQ#FgCUZ=7 zZ&oFST)s{pw$!VV^4+7Kz6r8!VyPm$m8Ye>O!pH#koRQe6W!}o`a<u)`YKK4=Og*R ztK=9h_9W#1EnfY{J3u1K>+elPjE7H%d)EhkFEm;_A0J9}$~pQX&qFQe@y6`rXU7fz z2i#5HskNo;)fj~4m0g`hKR4Zo3O`}=#7<{9kHt9x7-0McNgC}isBb+8vEcA$)Y2xU z#F!cROUcSL_uJ^bo2J_XwgxBC9rD|zacyCJcQM-N3l#K5yZ=FJ$BPP^Sh2{`u@8xh z#s`Dbh$*Ww#CS&JmlNd{s-+>5$`s89{vq>LEaH}ISlNOmj_H7|(xLQk6g(FV_6XZR zOXG}q++=uqq(%-63aU{5wI=bxcG9E5BTEkyMCO#f(m;<;8cS1O`<cY!rU>+Lwc~QB z%YAtTrFs5NWHyUt*r5Wex0>Q#hQ5!)=vz0qy(@52UKjp=3<%9m4W_zG5%`rjjw&Br zKv%?SZPl;U<!6|IQ5VY;CQ-V5SV4t%Tcw)6CzE%BRJ{7<uXOuAGlyRK!DmGHalvf5 z0UMDkZoewuGLB)<8z;h;Rh)-Z!9JeQxoov~C^zt+9#uLx*_}U!Z6qqISQPVC?hA@% zt~Tf@AK>D1$P``6_G|-tq%m=;halTKYaF&Tf<g^=`5#62ftPff<qcbOkT|NY^;#3f zEF;FQ<CtW=<Q#uXCMUl-oDmCrXmOZprZEgVOj<A$x_k?2dtzSSTIAY~!uqNas(siy zTDjaE+d5&L%f}lF#l@QB5~Mk58B*+pt+E56eEU-ImRo9llfdzgRg1w|NRq&c!k?AF ze?vTqJk&`4Ys-Pb<WJc`+Z2bD72@_ZR0aVXr7(2Z!~RqEcEzJyz&Y?GfAWwsmaz4E ze|`@w)SO9Y@mSDdB(GsV1~2DcrD+l+`q0<0X+U^2p#hHo+DlG>>s^jY{2a9MR{Dhd zCSZWykweW^xjtV7$C$K*NncSWG8CyaWZfYtcLgvTmTaav;)w5Ky!LZrq3c3oC3_Ov zrO<uhcST$DXm(i6BqcusQ66*1##uz2*GPaND<S}I_LW$y@P{kexVm8l9XekU5h}^) z@y)WDTNKv)hY{CgOtq`BR7M{RGvl1yJbg_;xjj+fTFqRABbAn%58w0f)?y-a@c#e- zK>ojb+`F6jMOHK36fh-DpA$1W<HqK>PlHS*D9BiZ6)w%}5A4+_=Gi({YF3-1bl){Y zcEAkvLA}XH(JwaGN8CIl4%ba{+?Q$OlQxL`*fyV;x4tV&9V)dBt)^ca=hdWKAZoi~ z_$MyAc7T_Z;v0ZtLyAv&K_z|V)xxvV(uk0ZEwsZCAM0KCKB=w@kv?8$;1xKZLHa&_ z$dR<X(+q?Sb++!aqNoRC3M8gHeoG5dt~MnOpiLbavdkuvR;cwi(bnMi;=R(PgOV@% z^^r4$lh<)TQ*_vH$XnH<yW`H;C2Jf$X&mDBtd)nQ8$Av99O8+w(bjL!vfa|zeLY_N zpr$yw#Z~pt{{3iWi5@wlu#ax9#!qjJ+l;wB+<gLG_id=De5d`w-8Y|7GTR_Kx5LEX zK3iVwKH}Ov{<(|n4@Y$C00>|^Ude%_wc_7<xCs7u3K_0iNBEXc<u?2abPWh0GU;w- zhbVX!A1aC@m0M1~Ul=pk%V9s&>x;*+k%tY%Lb$KRvY=3qdcSeLlKcV7udhxg`6H08 zFfz&GJ4&!+%dSBxwEf=u*9;K5Y5~3ZU03M$l%sRdtFTdyC2U$!$)cqMLvYPvtM(tZ zYMwXd^(ZKIR5NTsU|uR+uCqEQ4Crc4wnV)f87Sd&D-&OZchEP8uJ5<XtcqJS(bQWL zk@`u*>9FgT#G&`br8)$5%cSkuV}rZ=sQl0u4&cRP61awVnWZ%>cRr&6&a^xiSUgFy z=6pLFzq-WGk(z|PjhQHUE@x0Vc0grjrKNe{^c|r$Dz{(K)PrFvm>HOyoFngR*PyiJ zSSL8Ot>4Nb7vxu6-JDex$;6JOw}@bFFu_tjBjPG`qc9gq2+z<FyEt5uu=3CBhXTKv zt%B@R6?Ma={m8&)k_c~pq8HbN?!1WaNZ#nL@u2+H?=#8mx3Ce!X81E#Zl)QhR}hX) zd;&UtdRz0Evjo=hCy(oRRgK#BQLS0GFETG^T?1Ak+_D(ow6B2Aqc&UuJc@MV<I2lv zy=V!<+Gn)rn8$xvA|Vd<BFtA{eXBVgQx_Z7%qF$>_Et63?9MU_mWi+?d+(%>-9-|E zWD=DC!t0dU)Bj3gH=GW7%H(h}Jsx(Y$?w&0_j?Nydh*!d7EHM$<QHYAk5fX*;X39T zu;sxf2oJ3L704Gzx3$C4a!I4`2-eZ80U?An3UcN%aQ1KS7|#xRE?c<B$x(ivC@x1N zzL-^fSV}~3^GWraGV7jghzX^Nh>@sNsJatLD8lQqhGCM}ADd^W0;#u5?P5x8OnuT7 zJ<CuegE74iKO!3HBXFASMjW5|3(TGjuDAK%PHXPw;y(g>2ND|pgiSF<^tzsf$u}!! znNenfRbJ6>SOtn%+7gOb?NtdcA$Tr=7Kb+;&f}N#kS*O&i-gsRs<$=&4&)U_x3;Fm z)`u~|%LS<N(#UR=jt6)f>@Y8LL|nRwz8V_b!1U`^8_eD!iH-h(+rD#ZLy=J&Wgx3> zUA6xaRE}%gFar5rYVd~|OOG4_?C|P1?t|}7P)J2NU=4S_V$PbIWCW@o$sS?vOBqY) zbMFLynBB*)7f9i~?ale1OCecO6`)_dlnBbTjq6asJ8}CPyB?!V<>S4EVM`46IM4I7 z?Xdlb$6Z}+6UB8)Mm6}Zzb#u1Z6czZ5=5cLMr8V}H`3fK2(_@e;x^09n%v6(uy)~V z2;^MS%YUBe1|vRy95QNFT-y+Yp9X{KroE?7@`^d~jB#Q(CRQTxYVLHDn2S@t*iXg; zGvpC11&#}pCR9LBG~UNZX*)WTkffa$TnnnBlhYInXF{~w0=k;UT&=mq{v%bvvbn|f zaX5(ew{(g-uXKdUEZ$~#uyCJztyoy=nS$A6+mF{K>E4jgo*!zV?e{wq=UEZcNL<q- zSxAc(!q^TsyS$RDc?%LCTVBNu<Kl7RQM8<+>B(pJ&lchBG+RE%IZ^a3ecRtjXW=9c z?=f2;&3rNre*0{luh#v*yKICMX{zFwA`4)z%CNu2fg<MKBxKFCwrR=?J}WTP3n`rE zQW*}ucR|jc?V=$kh2b48fX@f9Cu!81qgZS5w8<0IPJx*UnP?MTmd$USR(M;j?IS3M z>E^!P<udn`WRKejQ}Uu_f98V|RBiR}xnLaE=%UnEFu2mE2l6W4H!6<U*`Ur~Cg>z* zn7EZ14`Rk~bh3q@Nx@5E(m{u(^m;8ojb>s+_|eKLs)ZJQM0Su{+|Y?E$=pKOZy&c# z)QE*(PE@;=*y<)t_1p5QOHmhc0lz2j2ad_xpxj6g(-7xfK1Lve`1Br{=A4>9p1_27 z)=?ghDiZ&AFW*i&(jCT6Gp*F_j8$hx3%sF>>9DDHiBa~h0;)|DzZ0Yl25001@PE=0 z+XqJbhKf3o>uW|WW>$+oQD!O!>$QH|#<v7H6uVH@`ilYf5((fB;9<}TpbP?_N8GRq z>-A$C0HwPWnU~7}3#YR=!=!J~csDp2%NjNJ2A3E(v?&qS(LpRvX*NR<8TCo#{y4?C zW{ATL_4}!cxHOu%iMV2?_PhA?NzD*P``hwlb7_x=xp3A}P#~sQ(!K56Xc7jgwt7FH zt9mb3Dtio$sp?DC>cx#tG>A1W`dFjf`C7j9qwWnLFvOwf$A$Z+Hc36ch$BKdv8)nf z?`RZ9@hicM2RKyDG-mafa|F#hG)&r+-w6+P{0mx?b~?T!{8;tqI2ZrCcVqNCpKb<+ zne1MQOE%=Ah9v4g109SRj&n`HL4e%Jz13=w>usV66711u7jaU&p$jRgjp|Y=+;N<t zhTB`HgY&^gKSC7fhlg7Bx-h#)OVX}8(~&!uhg2%%xpzA)_zycKNn;<2-D7%-7+**+ z$b})~W@%OlcFU0(LZ3@%l|C4U$I^&ttw?6OpZiSVH0bF)?py!;ezBpkkuhDs@T)=; z$#A~0A>WDW*#9Fv3c6$khjYXr@4$dZ9)SReEZeobUIfU}i=M>&DN?mND7>6J^<<bO z%#zhbjBxz%Ak+oytK}i6Q+BO=rLfwh!0$t$GS4%AKlp*8;fnS1l3H20lA`pX8BS=< zxrPj{hi-INw9qo*5HRu{Rh0+lfaa#W>)P7lz;;c7Y!0~wU&cvyttr}N5>v4M!3E}l z$9c1sef@Y)&e*+OHs|W*J*_?qvXV8Urg7``uDvx%-R=2w$S<~GeJS%`4u;0iyvl~8 zbX!_prwv7F%cp)%m_JV>s^XL12PXbeH~6bSuOWb3!qj-w4~Iits_2znpClkq9+7Zd zb+}R;&&^-C6`mg&DPM`l_b!Zgng|?>d1}1H3%6>M+tb}kz;P$TLVe}#<zY&uoW=^F zTA@?`xi~+@kxjl9u|^RHTwF053yg@NdCiaWQ+sY>Mk?Ps{i1rrUCNvIXUqz3xVp90 zC*k1XSHHKCK~}Ah`BIpd-E~rEDcZdB`y!;85em@Zcu@jnn`0j<jS6<XHxwwQOWQ9< zoW08fDIVJl%SnMSr-Avc7`yiMhLw8?49Q5oY&I(%Wdf{{ZKy-fv;Fq2gUVx@o^qDg z69Tc-3Qz!Z!8OGXHB=)|nh|mtb^1R8(!bo1d=$&ABc^uNYrssK;xB2ah4ts-$%g}V z^oIfB5{+3st_vzHLYO}8%RubxcP*Syncom`p^vv1qr3D<dHx|7VVj)lUQ*P+QCk*d zXyoQ4Ppa~3a}MZmtK$mNUkZD-@vUbg5^)i5AlbNQDI9uC1uQ}r#TSHjo-`Kl&pFRQ z3<zUQ&ne?rjQAZJP2J{0a@}QFtjv`3V<j-AqUlou!~!K~?+)|%%;yrZ)^D0Mn52?C z@jlu7OV~ScEVSgjVD6L3aHhLx!7i6{lHy^$^$&$=gD+YT7?YRq@8yu~Hp8$izuAaC z5x7A+rDl$kVW=WEaR+J$d#E#<^w5^1Y*smr@HtNCbnUo$F-^`Ut%MYU^~y3zEME}1 zB!TrQE_>eP?cd3hkp(Wy{?N-q)J5xiRz3+Z0xVXDO%z1*0!LvXtKe<XgL!Rn@s5Yf zLEOl}@*k>!(wh6#255<j2kw2EH6nAsIz#HEtAerxQ#NX&gVCXYDKWl~anqANWM-%5 zky?A!xW612DoX1Lr`zDD9Av%>CZ;vg*N-M9Bt?~!QdEVS@kuGIm6$MwW&%huAGT%< zpzg4Z5J1pP)Pa1YeckF`bI~pDAD6Kb>jl#ARv|DEP5Q!*R)n}kA4;+7kKG|hnkdM< z!S(zx;c_`8B)?6_W4dms2tn+}p-og{I6i(OmdKddGE}7c^o=n0muV^2oASh<%Iw8^ zYx@YeFixP<EB%D_x1FCb2eW=b8+A7Zua497Is}{a(7}OgSd*(Pn23-tZ0kc88MWD; zle0eLWr5AKk=GGAlw*C)G_w^qa}w}ePh+kpziT#aJ?3vhq$CKkcV0(O-~_H|pJLy^ zHV1!~QqiN~-z+MUA=0i#n^2%2*PXd!vC+=szcH90wb4ru?FXLZX{&!$H4ZvM;gKV@ z2HW8LUY|rhS{6*uI3U<Jx&>4TR{?KCE&l}BW1^ppvBF-;D%GK=VrUik3ay;dls%&V zgCCPVOIdym?o5L*0wXNg4BjaQvNddtHLIKFsZ9(4&edv@oLOHg=2}n+na<s3wbS8D zkeQ3PwT6{*G<ct{<JO)dqCW@#AL$X-P(}plhp+I5d$+*RE&WE3<B7kN1kb!T{hZ94 z2%jtPZCut6xf`9d^F3NX5pj3XbJm33MAYs5{=Jh;tAsikIh4wl*w)unNAwQ2N|Www zk@qWRsE&KVR`N?Q@rN&P#GTeIe!(gA1`@ikY1kNoR&|-Y7V_OO1^-X(shX9JdUx}I z&n~{*SaUqTSqJ!;v``z)s#w<WTS$@kXR$NHV<%N51uJ_E%k2>v-K|6#@4!%Hl`>=* zjiZ+~=<v9hhLO`ll;WGZh?ra?AiOvn9`M3v0_NA+NgFUSM>R)yo5K#_5HQ=7Gz`hj zR49?sKMrou?T*s|k%o|1CuZLbLG^dOchUsCLT5B64OT=cXF$3<@xdJZA7N!GN4~*i z<=0rJws&$!fua2OO7@Rs5A*G~ApMHdYiW>E(s;MRb)PLfEG-0vo$_SdZ#OdFdma7j z>;)Mi{m{Zuh27nauoK>E5(SQoLQvvgmo4VYq8L-nx2TEjhMkadJLftwv=QwkGXcoY zgcC+sC0Jvx=e?QFoRQj+HYNlvigs_ng{^9FS9-C{zLn2l8F+y*LoVHZLx$AX^;$n6 zM>ObJt8vJPGpE_gDusAjt&b;=7rF+&vj`Vf=Ur~UWl6<e&POOcu*Dz#j7X<J3$2$p z*9M+tANEdv(HYMaTd8wu>g%<Vuj45;F-xLPiAWYDt5+RJj||$Q9=Pmi#!^XeQ3-Or zplD03ERa3s0M&c13CmB(qF3EI#7G|p9%0aq!Y$D-jCd*4+q#Q0Qxr@pmvua(2i1_F zCUly){aAa07sa#1upnp`_oYG+o(NOoB}u&Kd(~G%-RrScTr|yC9oYJlT!^GUu$sQ3 zPR~;-k_3>kJm?6r^?d@4%5O*G{jnH<j)d@(%u&iCxJD0##iDpKe!PXf`bxlUONqW` zt%g?7VN)F9FBR#WhqOfeCM`lM41Q+kADKEa_Dh-$v0MkWQ{$FPeb<?}|Jpr@H?=?k zOrH1x+q1z^Z$@ge_VvEvu&%K!?@(POh9O}rXMQnkmiao<rS&RTSUAh%63BEVbMHea zm>?m<|KVJCKDe6yd1XRe$mLg7;1852O!!uxKkpks8|Kc<INT8{g;*)#gyY?_FpA}? zyd=eQ5Ei<jFQuJAyx87^%J?*jisV_}IDwF971Z2%MPQ7jS@l{;-%tnc^!X1+copep zuh<~n50dZol=pn0W8Frd@H~~HKTowu;pUb7scy^L>jJK-H`g5oo8=;2;VQXQS#aNf zAf+q$hw;gordLeP=dWRhBsVgVKA{1<n{*F23v+8)pWw+gQ6435g#!Zj-m%N0@jv|` z|1<{*W_?<gyMyn)@~92NV;hF+Uv`*LW3kz{FbE2y&vbY<w5ZhL)%jbc=B@sc^36Rl z$`@0rwb}FoQq=u538Q*Y37M_n5Uj_uyLTt{2$?c|J*KX_`i7AI%!^oJlpbKEGi~Zg zc2<p?8L0|q0=m_`D=%{|+^DEaiO&n0V7npYr&qQXye52h$cbnnY|9F~mWg`S+^XNJ zA}!C;xK$0@(N%||K`ed(yAx|bzx@WGw<6NgOc*T&<gL4pla?j_A|p0}n&k;36t1mv zho<9co|;Y>OH4ekRq?zBxB|vrqCthXH*HPu#`@i<)f|&FV=)Ugyt{<u_H}P#hMkoB zt^9%}B7{A+y%9oG8lZAMS66esFi0JOA*<+OXrLe{E!GAJ&v^W4@H(1`Q*LZD?uO6X zzENZ;L^slgFpQRF<?ID!aW>vVh8yX{Gh<~8EU3BxDjkmB?7A~&<&p`tJU~7u@#FDv zzFYdjDI7?2m!ArHDxEuSz91I;;u52cOTM8idnHY&Z~LpXt^0sLec{Uo_W-$pS>r?b zkBTVHh#65VBQwpMTmBOdi4%=Uf5gK8i+MV6k`m-(U0u_B^()m48#+>nlS;eV;AIDo zs&MZ3U>d@Ofe|02z8EA!$!5I?y~{2s9(4im%$%_zT)FJm4GzMCdY@u`7W8_gk;G^J zrV9hBR)Uc1CsPE>>eR5HyPACa96{$QZQ()Uy*dM=9;G;az@Xuxq3X+)cIelcoOfag zCCowgJYO8X5cBB_$2IK13CFQSpHrhQJZwtjS%>+`(Xa=+e5Ei^aWgq1K>@I+H@e}v z=9DWI^_5O9WIh6<s8^4~2RM?qd9aWrl`{9x`Z2Z#c@h@6uPiQHjMDeaWfxset5Fuc zPUy>z4N#4J;!Mx0E|b$mGxP^7(@)6s5ICjG?o$j$ZLZXZTV&?aqR`bic$6basU3*P zS>s#Z=N^aEoeE4$nAxct@qlxH&#HJ{>~%G@#EqX(noDka0s-3}W!PR?j?<>Zu!7b2 z(<!?L(#`5DRF>m!Clqj@b5aX@U`_8#e~Z9qnkGMa!ggQ5nzD`dEOc95JvBRr>7H(~ z{V;f+vW79;7sWEeWqh)qer}0P#VB2!%Vv3W2f&dhgc+YTe{j6;iTEOnUf7abtaY~z z5umvxUwHRm=832r3t+qTcNDbPV)iR7lY*Yp>wA<JJ_=i{Ek_uGwh^mB?vVqcd`%J= z;O1anaf8~Sy%DV3%YY->yCc>kFU&VWk(aWyVLBE<#%|bCI1<g@_E6mMlo>Mf46MQG zDJq_sFh_ypy9+K3TyjYG7kb)PWg}7oQdHT(57O8OE|eY|)Q|geXI_dq(rGgo8b?oO zCb)}&);dt3_}EZulxqpH4Q>%p$wC4BN?Db@9}mlk#MwEnOx)P9lh-#6t5rW2Po$Ah z7&_8XUhb^3QaY4dn{SK5t<CfNN)^UFMlCbZ$tJ@2)<-p&XCOMm3gBofAu;2TyD>3F zLSev13h<(+dD{i^UPiU~<=<`GtdTQvfVc_eS}OVja!N2Hv8{R$=n1bti><P{?I7%M zob7h`S55KU#HhfdAdlArI4x{5zMrAbEEI3yK}03QnHJHL2C>jQN=JUBni38l^8X14 zYK>|cV_}Yc^(I4GP>F1+N`J<cGYD&(+&5Jm6O=q(fb6P`iksM-Yn6}Dac9$i^$7xd z3(#%Zz;9eS@R4h*Ig6#yrJMzqn;+UR7Pw0NBynZ^s9OSWuVH#br6Q2BZym}qW)38_ zm&B(s3_1Bg0q4r5ww1=2=A^iyYNIjj$e;yY@gnuk38pyAa`Ysb(5Bq%BKtJ|wEcm| zs9%+MtU0P)PK%_EFgTW}q8q+8Lig<8HP*HHVSd+QnRC`uLU>tzxgCBD_UEjYzgDqf zx}eprwZk}(Y$#EP20fvA6_}ox(~$#dePtTz0%|K>yToPOsd(J9IhUSVpfGJswvn2@ zqpO59ZLTYSsDok<El?31Xa}4rq-B+maNHZ40c|QG=B!Q65bLK<nklIsVzKoGc8?OV zk&?pwX}@AKo~mf|41~_5U)A(XR=zqr{$`N&56n90L0$-X3h1zc>-}{H<=TzY%K69M zc~P|P1K7ySb@Z9i{3li4^}6AaNnG*v4vSx2IAca4uw&!lj({KjB(T6JRX+&xlc=c^ z$1XU^la(9@e0!BuU`n3Yt60hSAjJ-S1;g}gi~R-B=o@+sqD&jA6YEabzqAeeBtsqc z1+Hu_B0B7ZhBs_{$U*ixmpqXnZ!6Nsi!Nr?KzG<j5*Z(LVdlPSf5`hxnZ(4Q6_ZID zxwUj?C^waLy@h&+duISA@4PPK$Mzyhu=@>$fAuqp$V}_|VW)R;g*e_L+zn0*U7!r~ z6b{(C#vXR}kDxT-dP*fq+O?&hV51s%#oSR<Hat$wtd{wX&J93ri!?+}yVS-0)_noH zLP~wl=VQ8XyrvTP@vNwXKI9dX0C6mDW~-i2)~+|=S#TuBd7Uv!%YV|h4T3yW_*>AF z%Sl*_?;^n&DSdeFG#eq6=u3?lCfSlmLWASDI#TNB0t;0gz{I{H=myLUjQ~LhG^w`> zmf@c%!UF_GvkwZmt;^I+HUOpD=7~4gp3%^7enD`Yk<k&(Hr9K*eI|cG`q_g^j4;+_ zrw^`-z_ZA_e7fFvTI&tM7;#cftabMUUk(L*TQ5od?zd23Y&)WKoLUr77t#>UGU*ag z<Q-ZDZVoQ%<I|asNAWYg<B{+4)^dle*ye59b2xwEwd@?)63<TsS()Rfo1`Xwg(S*# ze{V6g4CiVS#5o<2Pcn8mvdFr@eUT?E)=KF+qvfFlb5cSySIUk*{-y{?{QD`lVlw4I zt%0s?=p@7`h%IZeC1Zf$@PZ<5)|NHrF?AP2`R3+ye3-l*7XzJhuRAJFe@?ndpb}kx zXF`>kw}@_=p~myxEhSyiB|1gf;1KS7Actz+3!(0ixX{jpBDH3aYA1}Hd^&LG(CtwZ zxbkUT*eX_yt=pdk@y18{ll+>l1hGJgJ9&3d<UZ@0pKol>KR6HB5D~<2>bPnVC{S~t zk?L82EY^CPXu!KW0<?8SvUbZ$-*oUy#%jF5pf{+C+C8D?uA>!HBiKs;p5w0^_7jPm z-EQZID0F~K3<)RlO`h$*#nAIsN{<uS@621lB1^omc%GwI6m^N>{U=F=BY8=~E8p;o zurc13SyM4XqiBn&!F&?FdO0FeNpp^K1g-#*tON4sui1JgbBxGc<>r+>{3&56p&%qk zb%13|3Bh;@;t$lcBA=5vgwkcjdF0Y~|4EPPl;>&lM68Zr5z20E?TcczBP-cvf<(SX zV2Svmot2R#5v{ogv{r3>O@SNwpZ4&<&A#s7`O_-{b|iI3J6!r@ew?G27NRj{%k})W zmt)TBK<RxV=5PCB`5Y>9OI}xa##ok_C04ZsI0i{^&}#Kf3s%SaKRE9y=@4r70=yAz zykRm6m;iRPI8Jb|9j=~lud6gq{7zJ>0P87{{bF5vdT6@qH#CoGR20Q4XUe6@4!R-S za3|Hu1a@~u@Q6q6JeV$$?2(=p8XzC6dHYVm_I81-twp|rZ8a7BOtcaHyInfFA7D}6 zXzqFTe!39nLn;H8bX;Cfejpf+pehu7HyR+|M#X*z^12OZsQ9UPKPP3ek$WD(=UeOC zEd72zDzXDJReLVeSVFhIQ%k6zWvK|w4o~67pDp~t?7*V%A;G|}_9)oY>;AJ$M)DCY zc{*x6o`0o!BVmf>bo<)b>8K!>m&PX@U~!vK0&M~`^gF61yxFH#Dt`<Hf_PL&XEY`D z+JTkwv8<L;FqOCPnTOHh{$=Nv7#*#HR{9+upJ&E*4SsA?H?4)<dv~4k_t1^`y6pAQ zKy3<aZlMYm)AWS(=QWJ02k#|r3O}W{THfP=v@Ka*l!1+_aTT(ZA~NN}A<Fkmt~{J~ z?R2o9_%CTi;`&Eafs3?`!ivJ>A4;AnIvN5eGsF+sqKh$W=9ubBPfe%VDAECiWbyZj zOGbTE?-n$sL&z(^d%_gDEyc~u*bsk&ZQ{rT^O>=6P~`vPD+$Z)>RphYD#0tQ91s?S zz8F5Yr!ztD6=R6~nC|BYx;34I2}UuYa<h)nRmdY^fx*D$b-EWd!I?okUQJL2N@2)f z<%)A$=ZmXdZ}N)`)3k}zMvf-dZdK59A<(p!)re?N<>SHSQe)ukT@ma@?RhBLR?#f- zK~S6P?MW!{+p>uH9nwu@9w?+EG8Jhp#&dwepu4F47Ll(ZuE(NO3A16}7DQn5$D1S# zVS|<#LYU{au4)2^L?oQd$04O~3m791qmtp-ItcVfSSvfo&*6@Ema46_XW~{ar@hkO zc~`RZh~xAi*U(cZH!fzxRCbD8uzao#V7id4bDsPl-Kt;@snbEXD(TTt`na>3PErR| zde>&FHR(G_+b~{GTh5JYD{S)=1N{=;62bh@rv&#f=3}yD^Re{CL$kqW{JEbOGR@nv zKV4#<98IWKK^&^lHd1_}5x~5Qpx4DJXnxE8aK$J9d8ar*>Ktw@wa5c$io;Io>W|aB zRi*U@2;pzTf6v}UHaIvG*|c8vLxm!S^QdutO`ZPKn8y`3_es_sxB7X=lp~F^VW`{+ zLAMy?z>gzotWN$LrH+r(a`&xmbGgTRqd^!Nu@w=`Mua{+K`G(-E+X2=knlDR<9E#P zVr0kj%htQU&EyUp(r4isD=f-EFt@(o@Esr9+p2Vw<~|C@ka?ZfN@-~iE6wM$(i)Ra zRQGj~jw#YJWD#oKJwk<jwSuDr#)|!MDB0it0x{0)qj*u%meX$c%v+YG6%sbs7HPE+ z5x02?EZk5oS&6R4qBY>(V*|Cv*pauw1nj)8d*znHR2kq@vRqV8_08K3DgF|-?87!_ zUtPxuV8NDMQg(NEKvumbwxmPl?d<PMlMGr=Y{Nq=oFi#F!2P$$+ml;)!WC_y0<&i< z-ecs5i#HL`fw;u6x3VwYPQtB@VwMdOFC*}nN#Yyj_a<J{5<{YY?uF@*$QPz>C#C8x zXeo^hUY%;keVY}|Sci;ZHTH}#m3bDDpv(MLsYbutsYB*?$B)CdNrYc-fai;EBh`f1 zu2|j5jJZSb7Lh8Tp6J?|v<E}+nsyf(#+Uwtf4d{NY_4Ffb6)oRF!`CpfE#K)T|23+ zX@RfSq{quNI1nmhJZizoTvbx-{-)0%kQsPxWy5b4DFZ5E5NlPg9_PB+mr}P{08E}X zQI=|UM@Gzd{-Xx3OME%|yA-wyhUD<H;VR<-u!F<Y-YoAQxRn^#IlWC{ux_2wxt+t! zXCtJowRIba1pQ=jj6R)=9+L}$K_udA$4HOK)vw0oh3z*Drzl{uo)AdpKeQbZa>pKP zEuibmaFf%V{tNNloVc2?!j~U+NPa+2sdn`wuZt}oV+KxM8a3abF9l>T@VxG1b{4w} zpApfAilQyZbhSMtGhMYkO`@oGqLi8i0-cHVE?l*l0-mVwh~qQ5ORuD30vzlOxdbqE zWw$)oQ*Z(%#`XdzZJ0$R7;K~n9di^Mt}ftkK{;Iq4_1Nz!C4`cA!4a^R1sUd!ZgP! z<B5cv4JwVf$uVkvIL=-~A<Be3fT-{LEwH`asI7swh)@)@rJ9II#t#NTc821~B~Aeb zxxx>!>fi7M&62b^6|coKzR8=i?*nw<vP7203DmP{s^L_en1)t2F_Md9x9j)46yLM? zb3Ajg3Z*V*5&L`Ymz6p@)W9V$5XG==j#>CHL&a;^syj|<aCOfgfn`XmdU&lWU`NW_ z;9yjg{bH*|*@;dYIGcmAT)AEZ!{1yuc?^T$G!Ccwx?yc?Z(@Ck9w3uV?_a@tmXywg zWBRt<T053_G6u0(Ai~7I_1@%1|IF0D1*UB=tXRzyRv>c|pgP-UCmG(u6l@CQ8%>?S z;f45MuNHlr$K99C`Kw($RBvbnb=sJ<r`K+=_T231oL)I!`>Mj9iWZ#t`<yBp@8Gj1 z8<6IROaq%}wErqXY>y@&#cj&1q5M??0lZ;+3v*#@ISot%VKiYswyL3j#24g7d~zAS z+PY(!5v_b5Om=j*f8$`LU#f`e8Z>L;P2pK<@x38v$=XY*EO&1tmi*3<rz>~%IaDRU z^rUV&=E^)lyz?xS06o8<m`<xS6f;4zdOL1&Ww*V24}C`8)+=4Y#m0@-JcYwwuTJmo zGO1ECSz7p2aUIs#VHni`+lIRodj^3}lxYiJ0um#9QhY+Ry@@tqO>lr}g#vowB_`|s zz`h=p!3l!V(ZV>DOjP0n$yz-s+L?~L-}u2{HVU;rMpM*$RcIKh4unv;=Tc1Vf2?S6 z+hQTokn!_)n1gAoqr`N{3jB{1IRxoWWCs`k!W}b5nB24O%!?`hs%FLIyl!Pl`JU)k z9sZ{3^CJhpTWZQ!x#hM-&sfRFa4&ma>;M?Rc4PZ2UgCIlfjF|Y-fU<}AxrcuhXzeZ zQ>`NuRh^UoAL-^*I+;^t^?0C1J-AE<J|D8W8=lKaQM|`&>YKC$0!MaNQF0<Lt9-t> z<SXX24!j@eF%Tp<a(M~M&+`@*2Imw8Nq@4d%#Xb43D=27l7%568ut~_?5d8;C6^~( z8!54u+XT~2f4He{Kg3~pBkL(K;Au5D10Hlq>l6*z*v=aW3Y}(A##|CbNlAFbN8ki0 z-Zjp&2QSCr$^U9TIh<_g;EI>$$U3<x;ZU{?4FW=#BGG!f3foPHe~uBu$;qITDrf3X z5C;;`vN*cp<$y6-IIIJmrev8hkbz9?FpoQC$eEUDqgyxpGr6v+=F<>+Ce~<lULaCp zGU+5Y#hXRV=P>LA`&<PPxXvPb|Ilb5z^AFC1xa|e*>G5vu-Op~*HUlS_-AId0zUVo z;|Ix;HvKNz)pM{M^W^qOW93d}8R@G6X@%o#Jlw+eU8POWFC7%!qC;lVW9F`thfZjy zIeG@|jQKd-0t7e8n(sL%UYhrPDe(tbq}FiP>=%3fDnq9|zVnp)Y%i0?->%<>v{{@U ziTj-u!PZ?2xruk`3>Pb($~s~%Zo$^a_Vpmhl0y5$?U^e`v#|BNZ(0LFmG!%tB);T! zUAuS(>u1!1(kC|a<crNI1ZtXHGXWfdgK-#h{qHnmd>Z2LST22J*h__KvJah&09wOm zj9seH)EiGTf%g2HsMHIy3z(ofa;wp^ial{iT^@xN3+6@P{YLl9EcT=a74EKT8wgg> zH!k_XEdFuqJvbs`cR7G?D7pL3sg(oON2^>MY-->cQKD*JE2u^AhAEQG1ususWzLBT z^s&<H5k=e4d^0$8aP?lvpzdGr-Wq<cb<(|8w|bl`S7}BUkKnIwrPT-~&QtR+O@`i< z*c>}j6Ou4wbGm0JbM10?TAR<TBq@GS4n-EaW!xVeAT0Hh0<TiiG6Y_k%<m@124>U9 zGj(*1$hXDR(DpdlWtwC^I9&WUyhwis#QBo<H_R{w8TbXlHM+ESE9;JG{7_^(#Fewn zVEZ%jccwk(V<zBmp;4@)qEwIpf+!}xEX#<3MX$|LoDdIGn?n3QT9BQalwPn4?tmlQ zPqvn9zQpf2aw0(67gr1IyO08neY`JW#to5Mc6%|5Y$y^C_*4{XA=Hwa(1o)?-egfV z&`F6-dO-4W(<4+?(tiqr42SnRbQiJWHe&lj9Mn(El2@*!`6c!CEjcf<_G@^fUp06F zcc(qbFZXOW@ftT`k_v%xxFHi(`;Mji7L_KVf^BxfOeYCZnFzuD+?OQ0H7WO#j$Y;? zMo-!Ee!F?Q=}nVX)Tb1DFW$OZ%b8ZyiH8XwM<3^3sltK*Z*LJzf3`K-r<;ofOE-n# z>)=-ypQXNv5(LpG9$n^W2?vFY5`Z-`e`*7<*MFIGq3QjC7M|S4VoDNbPrFQ<59N2& z^7x1W?q47<0}H~KT_4~zHuF+(AoP(mU0bYOVU&k6x6e0jbl8w+0rov04xQAl(z)^9 z&{JcQ_-T0s#6PQuvKCmYMLY#FeXfWDSQLf5Q`5J_=A(M->dsZgbUK9UIpJ{aOOt$J zS34VRA1GG#eYx)2B>}@46*RBX{Om}q?0xa02O@aI^(?xn#5rJXcPI1AH|%cW%QH=O z=O&KHzViYzX>>@CRv;dm$&_PBp<MFgU+c?gW9#kU&|w!{!jq&lit<&Z`<Y)SnVXbN z>m`y2^6i#nT`VUyUB4K}u2Q6+NrBOU7eIx?fd_WG?r#255>s-qV}Z2$T9ZovHFj=H z(7W>O*2SS8l_EkE;g|~=b!BI?(A*9+OpSPL43Y9sM%Q(nFPfKxhLSawk_Vp{`^W?d zG|=R3rc?FJk?_8u3f}nZ$LY}kHRsEpUkrn6z&%FzW$D(5g?uaU>D22;*rfe!Y2%Kk z$9OYpWV4BCz6h_e9>VmoPUcJ6r``}hKYv}VhQ3FiJU#)*2KS~M8USD^AdogOi>aU? z2-L%u4>|_UhJ&O&$)zP~T-lcpS;d+(T+K=ROV7c5jxRNM++1@q{q1~PzYKSONn~b} zZh%q`F(EOyP(QnL|FAmOH}2d}U<zu*?BYT`f7o!%6J7Vc2*K;1#aS9)AiRBJ7Y;Bi ze#T*tjo9#G^3)Y0qX%Uq!3&e@Hn@$l)N?mwFQ~I9jpMtCUmVV9c14Z?s!LKK!F|t^ zxSUFtrcw#Wh?!S6j$+2TKt?^uPfBquUzEtw(T|Vx+kCD5^y~JGbRhpxzHmD-fVN_D zSHcizRQqnNjz6MU$L5l_^ON>(4+K$35*77SgwSmS(+THpWn<gWa)Oge(=QW8lHM=O z(;0wVgA+bq>gYlbDx9I>!>ByZ{MF?GVsU6Cza5r?>q6&O%x;GR06GwEn{hvRFA{qp z@X8q3O`Bm3dNI2TJLwz*8B?q-SO%|rV7~E(y4jU7^iFZuyC%R|&o{YSAAad9o`jf) z)^cK{nB`D_JyY!G79A;WSilS3v@k@a6z?0K>r+R&E`p1ZTABHa)Z)yymaA;Ie)mu{ z$0R(Ea9o@QFUq=x-G5x|M1_<wiRhe4saql^b1$I?8PC$Qe@3~{n#WMG{wn*-0BLRl zy8Ql<aMc%3$+q;AK!t_Y2#3p{48@M*DiW0TOCW2(@S!eofLH`CoslUYfo=xfiS(G& zkfUuUwytCKg2$s=$KsXH-?qSBvZUmnoC#54!_Efv$Bh5MoHh7oji#oZi#v<a{ak+( z5+L<?=is7Nf7ZS45;4QcLQS%qZ+CuHd)hm5xvDxiBfIy<W(f-7eZMqXp!orTjG%8X zn{+bGZ%kOW5Z_p3Rt=qmrKbfoeERb!&JI8dEm2-&L)h}z^h>;CTYUJN{DexoFl7>2 zH98~F#7gj7{4H@1S7Nz6yMiv&hu%MDxyzl_VaX&iL#`MCD%uGxXQ)Y##DYSmEsq07 z52AXw)s{rT^Z*}7D!uB(`sHolMH<g`J_ar0@;?3{{hKf7OytfiZ~unAGjyg+FtR5H zVl37<N#_0*SMLUSlBx7mt$4SbPZqqh2T9DmF9KvCd;UbjHxCK?o;j11p!=CHM3`q= z$bb@2w;LH>%0tlr$eec3e}MCZfal<lO~5Z3$Tceu)@42Gp}??TcgL$y*^Z%j&n1eo z0$m))yv}U6$+!Fydwbi!iUIWf;v-$P_=ka{=vh{k5FQLU<n8mE-I)MOg<9Nl??QWs zk}K5)qYmG`W$~ue#xU(U**P<{oX{C_Q1Fn73lYm3gG2meeEEj_mbW;hpaWZhWGHR- z2zp9V<k`>1bSg0=@7#^j+kKumJ*CZ+5Be_s7PlJ!+m`9~pQS<wvSxrL-vyIZcv8yA z&*=eZwc7jJE0z+1fR~*rJZaWM&#Bz!Pm*7kyQOHizY96>P>yDIbHgrH%Z>=cxB-^& z{i?-ubf^Vv$t9aaCoZdVb7oR*C61)fR1>nlm)ak=_svi@dI!wQ52|wuJkwo~i)&^4 zUGIxLG=$caWsay&(p12IbG6?n-cQm>Hi|IJJ8tPEVXaQmi6G)<2T7ivR@;q=Yp#Sp zkxZ1NkPTh-ovDSBzrNb_t7A~vFh*Bbsb8syH=z|?r9xxZ^f(4*Z<DxFWe`U!;>QKp zLR32YIE-CEy<mSec6eYU_~rMVJUqO?lZwMRp_5P6)o`**(OPi{HCNq0M{VY!Eldkq zf?#*@hY`M6n=A)o!)hM_rxy)VC#R*%_~Y`vl?q^l4i4P>hG?r|QO#DDt0evM1Yd=t z=p-ob*EY|Qk_;;zn~+2jR<4qI{6>lff?zaGL{XIOTy{2E-ba4Z<;9sGb!^^iS({MB zhjSzKZ_3qPO>xG(H0)!!pFOziUV9>|%OS02*3`i<uVF`#C*sZX+MJYGd)K(g<<04Y z8_95fbCarBK`73vECmJC{M|F~&I<3J{nC>)<}vSyw!)V=wv8M3S*aHmjOI>A)Kx+i zFQixhd4<Q2U!qlOI6@(+W2Rl8Ii`osfcR6wrVEW$j(_~j$jTBOI{Ml3<%3i=3NJeF zwzyI3u<xX6pVZ}>j{Q-=k@OL*>Q~qlT2#CZF~<}(NzlHO)V`V6htyst3H`e#cY65D z9j`|wHrVMx3e|hqZ(UwQacpKpD(EWyg;JJjW|85i@fyOcdpsLgA=mdK*L?Omzww~# z(u7o~cf1Sse2ItzG^l1V*x{VL@rlTja_{0Hw9ht1xeN9c0=jJaUre;#9B6@w%mFT7 zWwW6Ce@fqMF+Rm^6u%ZiP3HHS_k0*LeJ@I-0z*@U1E7Rpb<I?q2idw_8Tro^sH>Vh zw<^OHRM9YFg9e8aebqL~f^bhr8-_JQp!0Y}f8cW3jnS7QA%k?d<Ub>X3kKDJRVs+L z>ab%rTI~FQzy~W-ujdtJM6{vsG|3%1J|l2K!F_vEw`gSjS+eqUpF?*~P{t6$py=te zyuLT8yQf!G#)1Q>34rjM;<{m}UAt%QEK|6}jEUNs<=4W1m&Lb?CUCqwtNzgH*L3>h zlRC@cq8Z4y%!VT{KS(>x(cef^>4iEhWJsg@E1mPfohJ{OrLw{&%or@EpsEht|Eamm zCan>x9x*bGwkbIl*bRsF5FDx72K|U-ZEhJn>P@;_uq00T&~{7WzJeDtLX_t^n7S<W zGW+#R0_%7$vSnxeMfC*%H`Wm^*0akHtuPaQ1G3ip7kjKjzO>cDtd(%ai%CQR<nS>k zuDv%^-IQS{$Y;xsy>Z|Egz|Xk#d!36q=6W<5CHij`YGdYq-v1L7FIu)i^}=SXy!zg zR21DyWzTVQzg*Tze9>2o8?=_~LcIL@6bto7X*Zuo@^;3uf{&KvNB85V1rGI-<prFN zcL50AU7#gY7Q3^-!VuvLcn(z9#X(b)G)pd~&rOO)3I)9V3(k)rJ3oBf6Xg39Zyg?h z3)hrBRy~p6%OWs#4J~ymNTvxgN-&BR3wB4UUL$YW3+DXpR`Gm*LLoG9>cxwDf;U9l zy8%G#WhTNc56Y?3YlS~|Hh5(P&SN$*`ve{IY-g`+7e6`NUEyK1)Eh}FN=}^Uu4Y#v zK*yb6(dW&0SKdi_KUhi?*${y-r%BRmn7-TB&!9i9W-{R3%miqeb!v-AeXaWf8YsCe z%$e)r(>2!C2iDi#ZZSr`dRkFWNa9=H9rrLh-hW2m6@mE|`38ThDw$@%eaYBp@sQHS z@%LPHnt5`DEj{F*-IJsLk5VzX41Q{hS~PiRGER|Tx6UiTMo%H!+_VP_>NJxVh8iKj zu@e0d<8*tztz5Mbv8ga<Yap5gbs{YN_q+XW4!MWFfR=+9WtW!wGrr^y$I^)f>^C!* z+OLob>M#`S{v?XDGiR{DysDRhJe!qQzq@YE6055~U@$GhG_8YZ2-Ek{qn5p2S!<}o z;>Cj4j>9a1#>G91@wncPrKUr*4{j&%?0C6`EkQP{6YXqrn@4CE!7*`FYSO^?KMn_r zSL+{9i7c2$U`bHICU0Qxq^Wf1%0Jr$S3c*(x3Bp7(SZlb$S5Fx2HifZ9A?d)=z6O- zH(w4(<1qd~=>LI`6&y>b+B%u2UcXs#Y&rNE+ZwaGCixjj2RqYHT=(c--gBslNIkwS zAXdr~VM@iTD@&;yXEHAlx1>hHu+%zdzYn9h^NW++@oLN0h0x<2Ss(HIoSVnZGxPnp zbjs8Wheiz!Np3A0aHN0d^!51_&bytCTC(zC6=c@kkih}Wy(DL1c0BSn3ykDZVY2a3 z0RlaT64lo}4l4Pq4QlR(A%9GIUcR(dWrl+EGsQNy$s?3QgWYrWmR7<u`vm%E9z;w% zE_m|st~g##)lm(bl+Nemj6(^?UJ@G#n@s@PO|Zii>St+ax*7vNT+*A*({Q7gq~8ok znw>)j3hJp92g=NsipM01SzZT;T7f_exJX<NZv*ol8h#s3pW^JNN--#6<wYQ$t}}?^ z95ZneJ&H^)yep;20_@I{{g5;ybVdRzI?{3jqIBv_mAJ{e_M!f5;+07=to|PJ?!yht zcn#lUU;Aat$U-&ZaMm+K4CXXF;`IrL1VH;O#{OY7Q)>W$s0xT^gp-0d619KU`RV?$ z8xw#lcx(H)1*^!z@q8i-r7iW_JK*s_2|J>$6&sXYv^PkZM=PuT)@-G<_HgrxzW56d zBD~cOeJS+%Cx;t2Ojj)&Pa_a>=S^`=4@+=WNOD|{_Fh%Gd}NO6sLPw^3_<GYy~0j5 zaKsS=tO{3pXt&mEM%0f_W-qPWRwpagbZ|M$8Q8OC?9IA81AiP};U|0$XA<8I-DeBF z3c*W!645P}Yp6v`Be$)UG81>-x<8b6j_fm#5we#hi=?c&^vO5a8~l8m`UR}wya%TP zB9ZK5eZy);=3R|&;B`LlN^NZ`gc`Q1T<Aa$1r;POS$}3Nhk9LwWMekwsdh@ui-qj^ zQ$_ZZJtE84YlB8|<<tpZWuWIjD42zgm(X|r@R5!<WcrK0M7YlBJ_pf2RL|z>r9=HX zv6)%f%<(_z0?mIHH)T&YGZyw%fe`&A6nK<{q64k1z+xf}@}bt=JQ^niFS3XRt8XHL zE?y@WQ6u~*(VFXjupB<eWavzN`k~7#)4BOEr#g1+mz3(tt`1Mq)WZMJ3o+GAF;`8^ zY92I@kp<;vmq<Gp_Y;*78G05Zb4FWc3BXBXdzYW`wUCm@6}AaFzp7)pSX!vST}32K zlV-$Zp*1uxnn{4LoDyA@Cr|h8u`tSW27+_WE5;Yc@;Og47Ml990<fq(Kt@DO*x-KD z0q3sCc3F>)QJ6SU02LXGx3D*|$rNn%?P7}36Hxd7HtUW6iYKt(#X!Hs>u5z|z-ZEP zCwvD|<aiEHKE9N})2yfT?IVIqc<to6xkWSI76SEZhV2U&Q3bV5k*K+du4$@0^QC+9 zp5HY9rE>SPpDh;Sz@en2S?eyEPQ*~dZ3C-l@#-Tn;emcljGzB}QuXi5>t#y%K&HHX zWCmi{Q9d6;To4OOI4<tXLm#Xa7T22lZY)Q#=rXcO><vsGxy?4u`Tqh$47>9bw?l-v zXMPy-$O$~gn;>*i3Z=nWWi=u`pF~mlm|9GCy$Vg`T(Wj=QpVbPI!F=f9D`%R$;!L~ z7?I$DaOd;mh6p&$ZZUFd6CTm4a^^9;Fw+-T;oj@&eT445ExiPfBd2tG05zgY@YW3+ z0sgzLP#2&jv~{hd2g(NV$y&K>@h8R?-b)6rCvp@@>KG~mX-`oYx`TLhb@vYxy>8Id zSD_;nScRpySJO>AKzy7!N4Z6YUDi6ZsdJXn%Ij`f0_cNId@NB*Zsjsf${@l%MB#B{ zEG`i91a=GsAk)%0VGPX>A7nW<yOC9mcw|kSMa5A7GNnzA*U>@__XH3Sv1?3<97sI& zOdOp+?@EM^yeB3L?i{D!vn%u&!j|~s>L>FqJ0n0t{M_FT7|v~$eI^DkjD733Lz-H> zz=gxP7N}9Ea@JKY6n7y+7KFbNw?@8Ukn(D1V$xrU4Jg9D6D{Pjixrg*{JlsE4qP&r z?2v5id95wUPay!OG`#<Fp096?M8zn~hzN6ujU;oH&9ffV?q=s8RjlIyNLvRQ2KmKD zA%$Oja3w<A#P%(AC9;&R$YEcLprebQFeWkk;R8Id>r|xEgv7g)<9oP#8mjdv4HC*| z6%2EnBMP)&MFse9ioN@{aLa$QFfhq<+>9|maQ4BS7>*vo?(8Tcg-c1i`;PoxC|{es z061ygvFu9f69TmMwMMl<>=!1oq(Dt$b9s-6oMoa~b@ymg>1u+vN$R)8_SbFMY~O}D z!c|ZCTxCY{dR_|)q=$I;bGAyqtEkhAktL}QrH1|VgUFoBI%J=5M0r~AXe3ufzBY#d zt5{Y$g(^S``3^eIV{kQItn$XpO_pdJX4!$THwPfcBnrDCYh$!6qS<_X4)b{Hz8>8I zvf8r{Igcp*i$a7$lDIF@8N=r{D5X$2<bBPnTa5zIiATU(DswrYapXMLHv=Dd#o0jT zQC$G&I~U?|AxbhkQJqvo{i@#V5_kFg{AdM89;c>}ia7K0l4mq1j~8hcB4?d3G3Vy# zZMbqS(&VRJ^H_6X+->UXed>wDaKB-STgveiF0nUK=O;G|UBK`gG+7R$f8@9d4tb@_ zAtIHOrZ(X$y!|Sprjsp_Gj4wrt_|Y#-7R3&Y~B2Uu40YVu`^&;n=nw+&~Xz)%K;HR z^DbL0bYBT`BePGKLl_y{D11vF_u7#>Gg!D-rmZHN&3+wW+KZ9&$C|V@Bq+C1*GH+9 zY0fc@A;B6r)b;f!XA!@@1iecw&#*A@<*cNo4NGSHh?E6i599kw-CVO4!)SNaM)>}> zmv%{**DS2wTqED{Q47tNw3n~r1n8VwyL{n7%QDaAf)WQK7`RehuexiSc6t65w5kj} zqh-`>J0JDMY}w^`2Qw)IEP{aB4?`H3RajQiwhG0c4b8BH6SqA@MGj@G7@0cSyT9OO z&zdAt>cJu0queb4se0`T4b`gCal&R~i+)6(|H)r7y@fwcNg)Kdb+YIJd+cM`m5xyp z%?f*jv7HG6lO~P2l1&fD8U20jn@i%j22LHZpZS1il^)S_D@@=#{O<b8yr?*MFrWVw zsoJKCl6X0R;zDG0>=cD90X-xNmfu#^#n`w{(fay5`q5KgFUNU4{*+FBL=?P0==8y7 z`eu7RF_Ntbg`b1<T3OUaTwcEW)Xnx9oB!KTUcT!YrPz%0w=bGh!est<u;5^(D)yEO zxP^E2;BI8ADN?$nclEr;A=6Kowx9IFj16^tD#lG4Qs&l?fiwD<-rX`x1QuufwW_@D z&oPt<B|Cu2uDmu)Q;zStXNag;Ds(f>u6Z$-`caN(tZe5pAh7IW+PAm*0xSTF-3O+x z=rN$Hls%$^c%*1CZ}&oJZk{&aVxAAz3DmUB!D4q)@|ZeoOUNRyiu!6k(Fx??842_5 znO@C)payR(`EudNB%fmvpYe~I_VclEcy*{U>?4G5!S^vguXP@tsNn*C0)^}}`MJ2b z!QPSYSJuF$jGe=hD1c%G$F^<T_S~^;+qP}nwr$(CZQFUfBvo1DCr+K-bQ}D%el^e# z+W2Mj*h7q}c#yuu_7;E?boG6NJyD{x=~B4y@%=e{^)=Wj569wAx%6_1$|`8DDP*CZ z4XMmuk(_nlfd=f1I3O1Bk}XjVv%?qK^2+g&JT8>Z;?3-DpJOCQrNBDZVE_{&i`(zn z($C~pBopHuUP@=$7U;T_tH46o=3JX2&9V53Y^Y`b@tyxR_BnOP+dW7Y^fnhVOMCa_ zAov}Wo+)rN9i!H532A;8l5?B9ra`1lb`}EE?)K323wcEmX7>8huk`P-W9__p>~31% zF-+j**lVW=x0M)r3{=<Wa~P#}dmah<Bn^p&5)o;cEG{Kya=vKYpA|TiLh<mFa5s36 z(~iml0p@dt(f0&4^}@=a_mw&7^;|Syb`T=VmUZtf7~~B5Ux;5yanORr-11TA_@Kb+ zbsrV9+l_AN+#gRa4$nUb@e5w)1skPCvK(s&c+=V^16t7wOI>Sy54>G}U$^naGdK_- z);oitz-u5dIo%v2bl8LaIhjRmg{DpSNy+rINN1-1YgynGuo+YJNyIrw(+$mq-%lSs z&2k2*qPpxaQt4Sb0)jXc>on){Lr@Hhwwb}SeP2QH#NILm3jR<OTu=sl0tVKI+_xrA z;NyLyj2i5q?2S)4vio@&tA|5LcsvJzc5n~;2fye$kLA{yF!=)e_V_jG6RGFa&3_=o zG4zgYIXm!PE=pDAbQ(k8jXSXx9oW8@^41F(xrPh(O}`+ymLhxrwR(P9N~`(Wn%R?W zmf^sQ7KD{qs<RR1+g%9kSYa$u&Pc#vuzEAhcaoHNQuwE8izc5BPOZys&~0-41(P)b z8r#i&HcNDFNv)u5aU*i&<A>yJ@+HWyse%&_G<G8)ndfnTEc{mNz-b8JEa^v4<16T> za}KmL`&7k^Cqhn%IURIaCnVaW&GjmhKdn-CX!4T=haWg-l9{>jShE?zIkxpZGH$~r zLfI*47Z1L~M;Tco>^)T93OTNrK6RYphd4N`XE}F0V>^fPq?G=H7^uz;rN~7WNlFjn zf7OpbAH;#BwHz?POB<x&2e}MNd@qtEZk9mT-PsEEuY&<<7e>d2%bbGP7jrc)wW%#q z!`%xlk0@g2=yW_N6!ak26dnAh264mXgfJW;)5suIE3KYLT&EgdkeKS@Fvy5JPq*Le zY!p(>mb9>x^}DE5C**SF5`$;>78<r9unRakD9AYPKI9_s;oVwwB@l%9uT?<|V0u`k zgz%1!Pcc(N6dcOs09oqkCK7E2wDD%=PSr>++UiUB$YdXWezP6}xb(!9qXVa_zF-R5 z|GNjF5HA7E{9*6%ufz-awdvO3gwX8>Yf;Dyao>;-Ao3bD3-w?x4sfQtRB77JCiAK2 z`Gkj)(;G;!XETMXtQqM@R@8B%bP~UJL2JoBySO8r(a<ZJ*~MB%0!EMjshXmxSy~x( zwjNw{<L-Oq@oyW2H|4$9*J-|M7u~q7s<zcC16A|Abm1smOzbG23!;m@sZKcC*>gLb zj5Q@>Eo>3<I6LqfZA%E#lcvPDm??w|Qlt2`x0=WxnueqFooZypns$D>HUCNU#f%MQ zu|RKD6|hI={CC{4SzV9>#1{3Fg9SlUcKbpQIb+5`DK0zfnK}Z4vaU^CsmcOW<iujR zm-c#UytKp=dVCgF7oc`y9we~yxi>SE9Ie+rVH5CQI($QriE+{B-v&Ydqpw-k0R7EL zvqK9M{OWjHtq<ovTUxVTd;`mkJ}KsEIJQ{$NHGErAj1Bu;3cr$!}O7m3lg@K>FwYn z8UH=Np8VL^?rik;Q9_X>+KsTuHYk|ys^Xhd@l6J#hSDw)DD1b+PWxhfx_T^zN3>&U z?ZO}wz04}A{fh8uj$nHsHP}pD#Rm$L&qKqh7Jvku1bB0au>5G7f?AaXH=}{S8|nN5 zyyy`yu&W>bxTC)bxFods=i6OJIc5H-94#|}BL}T|F`P+%4E<SkQM`3yn0nOLnL+FN zjCr;ZnalICxB_SWZt5$c7SmNKvz@$?^$!y@>+EB>e6rUn*~3Aq>S}CYZR{vz6tcnY zm}jtWUR7u>G5omur(mGb9<NtZL`sn4u;GA7o1QqciJka=a&u{|@!dknpc=FGtEs&N znz7c8R{y8Kjr0Gmce4Kvfg20!f5$xkm%!~mNXGF0&385%xu57Yk>OzDa&I*3G}w^m z6dPTyx5mVBwc1n}ZME81eg5${old*#y7f+H!+YuVskp7^s9e>m91llQJqwMth6*@n zVUv5Bf|1$!cXzZDG!-@0v~<&^(eyCQFKbLr^h4dF8wC-QqdNd#ab#?5hGTI6b^u-q z82MAoL-Y><>7O1R1`>mZuWxp6r)Ony0+uf)uT)rAT>LIQ#zFVb|M186CB&YVvH?W) z;nN9FYjIoU$1LeZ{#^;65+LjwgMp-{YXJfhK}BXNJ|Y27L3*(IgUo}S-?u@Em<dxm z5&KtnAkL2>io-HAxB#gCd;u^twlK2&m9dJ2_Gt^n0s#9L;m(hL+hNSlK$yS5{{ycF z=2Fk%=KB2sOXmiX#)YxY{@o2oqV3-v9iQBI&jb41l(GI(iO&hT(SyJ0Ti0U}(GnvU zBL;WkChy;?jx0R<t6iFy?!U;}jy?4=@UNNBlQYsHKJ(N3M1M^?rN1=Rw>^Te2kPYf zNt!}{U|@4=Zep_k%le|v$O-!Bo3wXjX=D7EgE|L*6Ho#MH=@ojI?~JR+y2|0^?QYU z-|J+rZ)$S<Q)|BI>;6@PJ(Z0WphgDcFiq{_jLH5zWn*m%F#0yrEw+}n2Ar1uYsKc? z`T;)$a(-U}Rrq0MUiOP(U}$Y=a0JHymf6QRvB~)@1(E;RtC+suBY*S@8vdgN`fD5i z`XjsbTRHdh8vd)h`{+}Q;?~lbz*hgm_4m8O?B5eH(g%L;vI1!I_e+gQ2>{;D3o){N z{)1$#XKQo(;|Kjyvvb++tNP8${zLtBgCfLU>VsNfZepze*|NT+u)PIiQDt#sVggRb zQ2*)a_S;yojt+oRJ!R|fBl^4Y{R3lU{6Uxg&rXalp5n8v|H1;=ME_aA`?-9nfk#g+ z4o(U+Hvfg$e9@bY^eG(_U)q9$e9uW=I<}7fUERZ{)YsQw_b26M<Uk9|4GuiNG5-3* zYSZlX{P`{ZMumUy&pCq0!kyXz(2{|Xk(u`I{r$cFoJpMZ&4+JbY+(H{i&4pfv5oqP z-T7hu2E=6J;`~zm*4f;*J^gX~T_FMl*a{H0r-*0~=MqFEKP#7ERbLM{DAerQn%)oS zcO81J1oHGzZPD!|*W1)O{=8l4hlWbr&Z)kID0Rj8SY!qr*h*7R){^X-(DkxYy2#;8 zf{Ad0-v|N}*)kelW_Tu_t#n_b4a>Qf;)8P^Nltc(+{uF^-BiOdsL3t+7Snn7o*T!x zit~w1xG-Yi?qLbYTRqCnQ6R<U;Zc5xg@S>1+7fuZKA1Nd>Q8vU)O#bzMfh=dTybx& zVfzU6cG`0cbrE?MmiTfceQw1UuSYI>PWRToE3}~Rfy!D!lXI`urL!`4Xv6MiMcgL< z2|WbuEpc>zk64NOVTNq$`fc5vcnFvd%54{?s7hTqFWh^T>&Xf|BbgN&%5bMScCn5t zu+P8Su1*v8N|tns#>3S;Qe0OrJ6}gd;pJs@9JBDHbMK(aDC>|fDe0LLi(<Ncqrs=J zH-=nz(r6r$vKMm!4n-QG{)@dtO#AT^dUU@fsManq931!4>`EO|R<><Ga=CiYH5(<o zV6KS%1*b)~S=DOOs{~rMIuCuQ$mpn`l3Tv7y%INWLhfR*O7Y=pPsF`uB8*BCy{A>U z_}vE)`cZp!QCWbyZUgmq%`Q`)dG4{+pz>Sb241ZYhwd}*;6+pYSytSywuFeb#_VN` z(PomZ)@Vm6jQh36?l!*S!I;PfrLY}f@H8%<FI8n`8-1hYkeP!FOiLG8fcLds=jq0} zrX$7|CZYUjBG7fIaq*HDe$J8p$7lZ@UR{~UkT`XG(po1gYT|jj%S|~+B6RHxBCYGX z<4PD`pOmNBL=e^t9W!>A^TwN;k61a9khCgX_`|ER!?642Dg|@+?t9BV7E*reSR1b0 zuK%QbS7ZY9lk}~oR31Y$b(e{i@NnG!*p2trIXy8U<k&$9I6JOtkr#+fU5qn%zNAgG z34Apfij_deUMLEq&Dq#q+wDPz5n5h`a}!HIcdIB0v~DT%gzW@iUqxqNUZE2+{Vi7l z)9FQ;`xM~VLPN$2p8jSTnLxMTBCMx1nmI3F_YGNI-l9)OvrG}_@6g(%F|>A_4~5Vh z3o3DgN`8<=6ZT{yK09Yeq4f48>_&wfvmsd4!ab(g?~VLi=+7_~{0zZT&O|Oz;2xZ- zcXj52!6*SAdE4h;FFzO_tVlE?bPE(EHxrj7?i=?Tntb4|5^a!OU%?zVhd?NFMMB@{ z(8G|4$&pa84;T+$<1SC?nCi@0w6FrZ<U=_O4F?qoi!L4dA?Ajs!iO{6x%}88!9RuY zj^a;o_*h@R0HWa}8^0e@_0rMqXJ_-vbF?RvQm>BC*2)kM(OX;{PCYs<v_?m2VQHt; zX-cuHZ!P<7dC4Oal>>df@k>nb&P}{?U{beN%5Tbxg4t@z{#;^}>G9H9qqBdiO5h>G zB;s}%g+n;V4(pj4+#8Cisdy3$*D@PO@&IBCsgE7MUuvlR9%v7jR4ZcCjTZ*J!Slnm z76AB+n=dQ$WCpLf_RQPAg;=kkHsPR#DnnIQ>=pmX75@Fcs3n^mk_M-b8-8L%4~-F? zk}(oUnp=kr-MA3vk~NT~&Xl7D?Zo-J0f(Rd+_5uu_~Ig=OW{MBKLnYtK!cc$o%_vP z_<?h>Rrxcmo0qCXy&-6lq&45(wuC2Tj@B|1q=Y=^Jb$k>r_beNZ4n0-+?e=gi!@*z zWfy5Bk64d5huhP%I5w>;tK@0WtA5$MF1n3Bca(82;8c2~{;uV`EJcd<JlFc5G&R>v z_@wd?V||N$*8DJyiHZE3ps`MN+ND;xIY5Ty=%tXIn!vzV<<N*$C^;kf^{v#j3iTvF zoqd`FJaR<>8*$fQHbptyt=Rzh;z4YxhLSO&(EuoLmwR#;4H*Y@E3csG7)vPrLV~{f z23bk`w#0#{>m%<3j6Gk+`0Aa-F_QVc`kLd@jMxwyVJ(+yB9+I+&#Ab~!C@QH!F!Zm zenw&+uPx`!>xKsf?)Rh*f+^#mzNt&2Qg`$`q;dXc-9b#-*{fE1m7LzSo-c<|{qHbm zynu3bsycP~=R;yp<4LxlKg(SDm()sQ>7uRzky^)@d%^#DGrQli1oFIVEjUw6kUwKy z*iB^qs_?#hR0nLwpaA7oYWj?YE#}#wVTzgy>Xt@i`*L=U(4XT$o;6JW1GOAV8E)ZM z${s#S{Gjcn>@i;FEDy~b&qFH|MlNAhw9{I+f$0!_t`(-hn+}fVjtaPOrReyuP!Uun zX9l*4(0ZU|43<a}TCgoTp=#Bm3RTH=9cc~ZrUqfpuv8QN+V}gNQ;q2D+<2zWc@_es za0Aa@U;%lB?*~g8d0)+D`<VHC+WcXnB^+C0N<pM2FJ&5STEB<Z4mSP}lf9k#@YsOt zVbTW1vq^&DS@$PcaH4;{XTOO`SYuuc6N!Kj24`-x=?TeEtZB&{vTyW)_(I(wQc}}R zW4(-Pi}wgwXC%`?NXmV1w;B+C0)Jv(U-o!nDFFI_gdxV$718uXwCZ^#TdOiWd!u*r zmpE8Oam1bFVS8krAC24=;YkrWJi~S*ps3v$>_pLUzV>aKrmyN^j~ahuSLN6$OiG*Q zT+o!`c*#eweYyBE>N8+sf^&`th_+f!Z~J4J@jUh_Ejj=BOV;(Xqj_`CK2<H+CFnLU zGpR(pa;-`_@jjcsW26L4==we`oC2IFmlNsiO(@W~qKjOvU}R$Lke9-DN<0z#CIu)D zo)co@1;!1K@E&!{C!|PnV*TG*d1AyI5E5)3mc?#4%q9wM5Swp*|6Bp|5Eq$@k3f)z zCzK|<IkA*LE+$yiR^n(mJs)Z@q@c6>+35Jj>Tq4r!kgN%tv7n_CasZJtfIqQjaD&~ z-4{?j)(XEZX1h;LO)bbhk+v0)m@wr;%9lewVhx;$QA^DqmiKMaq$paSRY3A1$XmrK z_N*B%$>O^-;;qq?gP8nUrRra342-FOE%2Qr+->{x#G9e`?+4=}7k+IwZS7$QkuuH{ zHvLYi;ylMPy4M^ZS(J2tI$)}Frp6w#l8#Z2`j56|U~Pg<I{l|3qeJidJH}Pv?t*?A zyx>r+?i#WlqE|RUddBnbC$D8mWt^2;)$-aUV8^vW^Xp?QCsREp2(DQQKcCJAT4s_m zFtjI1&y~GfZ2|liRNl4Gy5|d$3g^FqmqQW-eNUfE4%Co=8ekz`P{?dkU6tItM=Sz0 z%tqU$o1CD=mzHp>jI}Bh9#^K~9Z%X1pE7}QE;%X_3K1n?J3$Vmy!w20^oeOmib;N` zfNIUd#)q6U#-$`gCp`hJ>jYac%^`C8G!W06fNmy6FFgr2g=waTSoDG?l}?-)7tQ=y z796N~kyKHfo&0hmG{DDJDkb@EM=r)Y1MbiY<p6w<PnZ<Ku;1gcajo>;a!>%0W)Pl6 zg_G2$pnTjU-xyXBcEJ-P#mxaFVyP$w*Bm@s?>LGDOfnF7%MV0tiD&QZQ&XtgF6ir? z#*@h^W5afI^}YmKBxL}Jby^kgFB6X)3YJW+Mrj5GuKOPfV0cRF4>aCu#1*E%D8`v) zky&s0`|h7rKFVl^4!Yh-s}tS9rFRLF4GeGt@ELnI&aoAI<*UOmzf-xm{h;g7f7c*z zfw5rZhZxIIL|bM%Xg+57l!T)~-~dy@%7_v}v@Y?qOb<xROA7bjYABfA%WvCd!w?h- zZT#1nN2T|&Ro<c5EB!Ua)XY$AsTAk>aRqd?3Vsv4@#NkoNz_x!Kte4I#CnA$#lckM z4Z=DqpT;P!7t3Pz+41i#cpy^MOL?f&B;uCFfxisjAPat29PzdNe8HjftldeL==l); zYAe`_pF|XHTCNXy5$a)x!3QuRp4T%aUic~C2Bw^iD+0`|Cx3r2@v!9g3|UDci(g5# zakaFCa&7%0jNH564je6=x@>)+!wV^+zzQcO>#%#gn))?0-p7X!Fs$7ns_h|)Ir%<W zzrtvCMr4Lr6BvSB+`KaY2IreXfyYx$InkC!!)qVkw*iLkiX<3A?KTqfuO_lhRb?K< z^pWa#$j-pMq*r(iKTmm>s62anm_6ENr!S#=W#H2CCr#V=V4x|<{1Fwxpw{IaH3w5s zCLQl)z6LmgMKmhQ=xq~m2^UUKeaaYrDSmj+$2LhJ3g-oZDm1(rlpd17B?LeL$zb)_ z!@jOe8qiyW>xc@yM+Cfm0uG8m8vhZhRp(n2l^`JicNp*>fUADim^0=TSme=-xC-#U znEpK*`l%}%UzHZ=h|K&1cL_qQ5ph>nc0R>L??m{Uq+^a>e|)^XTIEJ{FS{YKiDDhw z0#iE4rQ|7O3c}IOiEd6vP4HUbahG)(1AY@rD;jlZqtmA!>6AQbHqWL-kAc~b^#<cO zhHTf%*uo`Rx!|CG;VTso)|<c9;cdk<)5llBee$6szUy}giYCxI+Z3i8D1kTpb{RW^ z`_V+VP%87Sl)`2SbGgeTUp^af{ycj5zED3xmY+C<bL~w3IoK=T29#+ZZ145-YfPZa zg`!hj?VXEDu%`B<?}fWK-m9D+gRWIx4wKDPE0fQP4*Yryli*=MJf@rqNNQ-q3=tSP z3Hw<E8OA?a*No|u$ALcOLWUj%ftbX6n{Z|g;)3|$KyZ9z$B{k+t&|tIIu{Ud-(rcX zje@T%%6G}WgbUI-IQ{WPHw(&MD*g>R-Tt<tI^^;)o!INHmd{;f<#0JBWec+=#aJf5 zxz(FGLmm_abz2SxZUy%{!5Y#4j1KB)h9s}vJKSJ9lQpzue9DerF!~|}G#w>h=UIoL zHKe(5V#pGlUh_j$=1x;_{u*gH5zc`tM+DS0M~43sdB(1o2?55<a|+X~Uc07`Sub{F z-2ee~+BL$ZfPXK@<;!bo8Z*9AJ7uRCvn$B2>?~qyOE37vYCT`3+a%07vv}JUT%ZYe z{x#t;VkZ60X9{MRgL!uCE6^0{^9)R}dez;9m>6;CTf^C(QvDCZ8_cVzf=Nbwi)VH$ zHU(IK?cBLUQ{EAzx(vITSMH0<(c`HJ(Ssut$oqbd){3&Wo&we+@OjsSCuQ_Tw11r$ z+czu<CC?`hCGM{V`vO6_!Y?V7!D`*U74wv%?29L#s&vP$98euT1qAAG6wNe;@c)$U z@0}XS)GQdy?0j_qwY_*UWqb|V#(;;gzY*yaEY-r1(l?^(N9ksCE<M69k&o2#1=2aX zXZ>rkxy_fg@!a6V<GmaR$FQ*EqXLb{Zb$OT$_PYWY9pJ7Mi-Ipd5uDo)H|tnVxd$l zg6wxw!H8kmD5H{Zq`w%|g?CS!|A_Va;EL3tE>0vhOdhU)e{4o&OBuD#H?03q?lHXI zoQ!&pZ(hc$b`(iH;a%8cId5ZANBQ*jz0vzfq~!A?nUPw8J$R^hPj^S@k=I}NRm_$g zp|<sV_Lchkn2aHu>Ql6`yuUHwsL`m^qZoCGkxyqR;*yc7<`+${(>lFIvmhVGGt07o z!xE<l>m+s`=}X?)^upo6K^_(GSsDdldOSbmvw{WA6z{%c==GEzp$t9jr#?$xiQ7Zc z7JwZP?;hHI2wQfBzhUve=+vy_jytxJLkO9LiVS0<t?x2)1o<xZo;Ix7hv^K|Nv<Q8 zY3S?FOBsxXqqR}QowFxr&pC8mJ1uz5sU{wx4%Lxj5^fogxh36BWNHm-)RgqOeye+n zes-b%YalYVez{(x4*lLeus$+1z#g9YC6BfD5o%!CF442kO_Cco#}+w9Ef)#s-yV6; z4cp5OE5>0i7>_(I#?@a=#&yqKVhM9>Sy$bQRKkg=8vm9nCHqLx6j)at5L^R8V2oI% ziZF^Rr0cN87SeB?Hbh9U>UzC65aTyeXH`(@RUf^Xngj;!dDSj$6_06|%m&71HEuje zhz{<6`BAvj)Hawp-TQL2XOR8Pj}D0QmbP*9cdk{XJ*1ysr=O1GJ)@V068U9`=w)LA z+7IAq(k&U%>e4R!9G-BT-#}?0T<Guu%RI&2Oej|5g=-02kxl{QQ^~~0q7{<mwnYw` z<fFIAoMX*;StPC6$4f>RtQN5)C8cPsXcn^(T|wNrZz09}7x)0uQ@xw7aVNRp>Lo}} z04hG}r%O${sB*4G`0o@jWXAWM@uy)dU3qJzpL-X~eDlyeB+m-oiut<zuv7Dm1brm; zh6UM?G&86B<DVS#R&JHNcO!K`SzuD~QTf5OTMveHAI_<7)8o6&`Z0WL29b+rj}V@e zFb;MMGX47@t>a0rK`;sgKhzxnogAe$IN}|_5hEr`|M^w=UetFbt0o!rT(A_lTW52Y z5FXTV0E(kd=H&3@c|q?~bvQ$ITXSH&L{J1Jw>az$9m8_6uW*saLIJYW71v+A)EQzK zM2*lXWb`3o5l>3tE<Vrqbo1}?9+o0=m*{!Pl@TcAJlqjE(IT~j5xb6RHc*o=Id$e7 zl7~e}Boyojt@@e)I!_|f5OZ6fT*Gg?s>CpLfH{lFvI_EbwrCVRvI%tv|N7HX!+s9+ z7v}!@XGDtL>JMF)2!6P&?{Y+w#?zu1;5>2}nH$58LnT&DTj*A%V@P4`U<gu(lk46x zXq5lj{$^b(%CC}m-4;^CSoWlXrGM@eYtwbDeVswB*ZRv#Brw{TbR^?C_KZ`^Rdg4t z+H8{*X@~f7do>}6Bx`i$vFlvg%1~2b<orPyV;N16qvE|3(eZ_5?^|UeQ0eFMp%7=y zl#oXDqn5L4V?Y^)3XQT)XE5AbPDS#J+lgRNx2N<G%FN<(OStI|OIJ)VNpg7BJ$-cP z<TfP4(edMp{=TFjoQy+fDYFy%+6jS_D4aOi=s%3ILsoa@Z`X|(SqagPvy1X#470FH z0@7eIrsLmA0OX#XqaB{X%%{gB`v|hV_96$<D+`CkY2IZ=@%krtL4%4_m<F#6j-Rxo z#B2pb#rq-CtQVeVHr9`^{c(*Ac8Itz_`+uhwmOmM(RyJ=Z6u}f1QG<P5V0NY-KsGy z++?8s7q#GeZ}q?mwVJ2yc|*-LS?hiF!>p7tqib?lUh*>nZH!{5j*mISikk&~$XE06 z%cZ2$+*+DJHK^avy@ya*%52ez6#{2aR{5F6=5=`BQ_3hJL|bVt5%vJPuDDVb6Jrg; z<|$EcvT(4`ZxN14yx(t`n-P36Pq4T6XPx%D46U8}uIvIl0u9UQ>zXWd3UUNSAt`}J zY9~=c>9ac7_vMO}daHtR-bi`nwAEMuJNUdtG6R8K!d_!?o8_wp8MlEjH*e`pD~I`^ z3A<N+A!&nCXQr&-6q0s#C>rI{;tt`~?kLOTEfKjl_Ys9Q?ARDWq1oOw-%FqAJd_rC z2Gnfa;wZ;HWOc#kWlA0re|Y#=eU8J?W2Gl%TCRv-J0KRzHbw%BV*N3zw}%RALXi<r zijgy#=LInbhEfF3=bd(XTr@26f@HwArKH??#!Kx^WleCcbkM!yES=1mXtzA(;tMiK zOM9n&O<-h_Id!cQ3D>gL9=Q?nm=xXc_Sl$j$WX`TViw=cJ&>hE3)y_y&gXy2?qI8* zgpiQAUDk!>H%D#lx{n=oLg7%CEU1a>WPwnQiJUj6!GM0@tKqOcd6v(~9N=i2Uo^Tx z&=HHE73-w76|?=5fJT9Y$eF?f)`SN$ag#CgGEV8F3UJD8O|V?+<As_65;>nKWx2z! zcdA_Jt59~+|B59(F>MBKZ9iI4f4HYe3Lf_sDsX|Ul^vdmtQb;V*_p&0AoQ~E<g|N* zv?%99Uf*2M7uzfuN5};II#k4fgRP(4o|0Tc7yX=X5T%O_qVC3D&U^&0Da68!ClOzQ zrnIYuVFpaV1gHKOIb%#8Zrs^#ZjJ;Q@>@1yCXm3hsCagAgf}3BF70Fu_3SPApm$lr zF+HPrGXpaDy`b03KSSzGQ}sLfI}1}~x~2<fKc(Ye@Srv~dB-ASQrtpNkYyT)h^RE4 zr<|;yNrwNtdUH*^e-Dw{Qs0XXj*C}I!F8}IQN~4K(4x5Mrb0;eb!Y;ZQA(sGelbDq zR4+wU%X@YUhwk6VUXhJTDCKzUXefGjM8RV!k#?{Ss0p*_Igc<NKTSdx@CpW|>WDKC z&mn^38UFdcf-x5XvaHsGF-~VS-6US)ZfR?_^gDT6XJ|21tufGb5a}pBPA3_~`&JAX zyigP$GDXhFp5DS|pl1n#Rka?}e_aXD2ug;HE?OiQIt|zAy-QM&v0%yR?Z^H5VQXcF zq}vq!iNrZGff5AnT}1$ttqBR2U6WR9KrpItsnR5yxNE%^{TbDYsTks~>W~<bYgmG> z>^toEXlI(aQdd?8i{#Re%BJK;8tdER(c3rA0`mbjXu5zg><Y=;VxuA4K#2^>c?-;< zafx~Fp|>Yt3p;AfV!Z=HJZJ7=!MuPf4COi(v7_B9p_I5Yu=BXj5j%Z%E6$^GcbGpF z@skHe9=v_9?s2bJteO2DB<;DkgIwth56)%-{iL{231>sonc!T>o*hnp9a#zDs=#%z za(Fg}yNO0MnR3s&3!!Y$UBt_B-XH)Iy@U(Sq;SE)9j1gNMx;a|i5?QC?|Vb2n?4|r zW8E$}5+WXdDl*gfVPHc@^Jq-o&2Br5y4$*#Dv>sRx>^9(qs3w^GzcB>h?j-zm#8B{ z(7jmqWGys22{-9=lThn=YQdWyj-*DUNTc^)?4d+YL}R52MN)#_5;>$&k)VR}rTGUc z@g$+jk*+APZU0i%OUxoCw$2^<kVOPjp|7@OjBOKLJSv6mOn6E{Go5!}))tiXm%mi> zlPy={i6fRyHT8AKXRl3|qnIfDl1*EM@Qx}*y0BJZKjso0>Nwwf3t7{f_$b1xzA589 zgRRJ=@B`{%z0q_Bbgaza*OsR49h#`3;d<X(@_A@E4HNa|`03nrg;kzY)(50|GM8{* z6$>MU&cv76+l2l$it3(@4Hb4+g2C02i6$jDbpc@D1sU{$IEM4+JFHiqF^1?H1l;D) zAK|<EwAR1oBs1Ei(_OG|HoN7BhS`?UpifQMo|mbFAQPr$E{*d(Q#Z60Rip<W%ZXi| zWzVO!A%h2e)&bGkIH*I*HKc~*W1?X^T$n(GLvsD@r5(0^R-p$R^?k+&Y9`i}O7G~2 z{X9$cur*r?xC%@>YqEX<M?~MUeJtDwT4s+I35RR1381+Qh?6!oE03a(1j~oY4<49& zc=ii?@G;IXg8M5D8nc9`rOS9af;9H4kVH$k+<pYw@XDRR?D%wN&C~WM5W$1|zHZ1d zXBVacVz#(f#pYd*FElGR71_igS`7yhvH&Jk!utuUN<A8Bn{c5+VK6HP2Bpfy)#%_5 ziVH>(_(TQ@<QtaX@m=ikl(j7WyO3ach@@uIFZ%DGJ3H+d7`0pe!SPp#&*u7BM<IE= zpJ&#tbMyvis-_Gpnm?`9Mr%JuMdG-YO$LL%ezRD$47m@RIasMt{)ld>CN_GsJvv5K zl#s_Q=0Oa27foF`Ze8|-RhI_5uJ<D#j>wgu^s4}pq{cY^Z=N9n`oueY7}~5ws$wow zA3}BB)Gol9Kw1kz^@bFBIn|klned*#8gIL-<~QG#{twJ25ax=e<P*9vs79%haDZKE zYBF+v>%N4w_MY(yP4ySpFVi}>OQws6<E~Wf*6A$I(exU*VQ_=kYUS>TO{X`{8cr=$ zO0_XEeTD+Ud!04i@u1HJ!?4{U6((_Sr%x&_Uzs|hh3C(AKN<gG=U|iLIjv{oRq2l{ z7u2h>)%Zy1VM{}>g_oV}D>2+>P!Dz4Fs2FNFJArL^-*~CrYwG#aKhQKUjMlTXc)qQ z<q1^7fE5J-qT<N1y;x9+J@h;t)e=IAaBQN!C!j2D%-7?30XX_;v?m79bhiH}n_pR~ zrkp`1^ZuF<J{VYYg-Z!cQA*AZiAy%We_bHBY}96wB6x)*IJH%gzx0MVcg%x65a3i= ze97PVRkb~G3Ks33hW{pD5q7tI;;&86yu0awyPOJF#hK4Vpfufh5iNSCu<l5x8Smlb zZYQ6!*`Zb)*2O>n0iUBp*HR!^egMj@hppX>gy2A=8`vBLf!9XV)if{H;B)PgZ{%zu zILY(q=C!?#nEK#*%-XO;W3I<eb?0tbXHNbe%!{rACtsq!#7M)+>PU;tqZt*>CUT5@ z0k<46EjKPN$i|f(^$W@(1^RM3l`e%KqKT&qD$*(V_lKj0HqqzqQj*QLFh<^BU(tC< zNJI`QJG=I0(V#Xu!VRBn<&I7sN++@_78akJn$@FBBvFr2F_HM4E$PQtgy)f6YgOtU zYoC19qBVIg`l8y_c2`DCvpX}(f4op-zKC(=z<j$m@e_F^<XGzd&!DvHS?vv-Sc>my z1yN8E(>GE=wGel7Dtx)ZxgvDR)#E;8l}=+zc~yH^P=%PVUl8qwGM|)NBMswhWRfv# zWB3Eg6*iMAraE*pgDXBB-xv(qB?2GfQg7@Adoi>N!w^Ji!%s$u#kBt<xx8|}$&wXe z{_qJ$Y!BR=cX>dm#m?!kyLzdayLmazL?aV|Im+r9OC=gha5OMji6m;#V5Wpdt%oUj zt8U2baDN}u2td$?E{vF1LsonhHMrt(`EbG-L>LjJQC{Kd&*}EPsH`pS&^DgbAxWiq zC|{+!2uN_%oL#zpL$v1_vKxFFEjrM`Bb?h%K2CP!ejkR70k4F-rJiI%wtT|ym_lu! zbiZUAi)EmB=F2EHy+o7{#gc(#<5640)+!1D<C0k=+Hf6K;QOECQ99j0B*BUM+Bh#a znq#)s>+cGRtU*X55_1E&pO*PZ8anG$kvv)*;V1a9WC%^a2QQlJ(NB4(SIOjfk{GKO zVUsA3Q=(n&o;sMy)ol~KcJxzMJCG5YjBX@G@_)A#9fObZXU12uwtq6J(O0gj>Pi*~ zwL{Ev2N<x+{)KEbLyJh$(fg|~JQ3R|)l=FDsP`5T7XWS<_N|AE5<SU29o05@vxB?~ z!;Q$8uNg<%k`gXCH=*@$l=Y2g{#(!R{3-B3AhGTVroJF|wR!OMTa}<0SsAS6O9&YY zFV;bW6!t3PxWC!;(5-hj72K9PoniCR<ruCWJVcSsNxVysEF>N{1K+G%ag?EXhWD~u zcTtI1j=ockCV>rWOHz%dXuQxMI~N~Wv@d@dez5|@sO}!@FRgRyTe-TKda+E1kr?VC zDhCi+tChFpfA7fL%?WAXk94c*AlYsL)AlWNJw<6;opV*25Rp8c30ocD^Bl1W$=!vQ zq*5u|8t=Kc$H@#iB~$M|_IQ5!y{64})oa~Ybk7)FJqOZh9~KL&4f<6E&s($yJy-nK zj;Inu4>{hm<4@5B!xNv~0Y$(WlpHBZG6n090NwZ2W@dK!dx3y>(#P^)lHk`V<QgY) zMw>mRg*8{}m1P>i_sK*B34*Uo6JgJAq+&DwG<QL5`i#Kd@+K)tD=%l!UfL!gRiXdw zkB15b+ktPS1^K(o(OxEi)t<=wKFYC8{^c7&l`^>EOesXcOkAFHKq8x%615$X7pZwA zvMj;ur)hQUQhoiq&`+M+P~|fVhhQOZ#F|&&GoDn2AHiU+i2B7?pp*v<*NUr8yVu}Q z4Vh6sqFY>w%n`lY&nia+cafjUS%Dn%wLU>VzImRZA}!f^W&RNbBfDvWqjcU0D{bf9 zvPxR7K+gkiC3ZO4<vQVw@C-QcV-`><_qJc0$gj=eR=;nz>#8M8jRf`vrkW_1w-2*6 zA3)fHh=?xmBKKH>97RLi+{$d5jUf$m>8^QL+W{o>GUo_R83jO=Xw^n-!iX}6+)d?L zoj3|_2DQ~?VW++sr>DvWai?RU3dk5L*(P6Op5cG+R#d)S3uWF62lX;6&i~cospw{X z?tHXbP;dTu1;iM-$N>)T#!U{Cx}(ZtPpWa>c%;k%2~`J>NH5iw0@MBc;7F%DYl`Fd zjvoBl6B|8Gw5N5MGxm;^H}pucYdk4ZepszH2P(*ZvMq0zkfAQYZN<}(0|eIkYq->H z;^YPx0r+mf;JW@`_4U9MsP4()QtVe8<Lig*+ys3cu<5aSZl_>4fqv%js%gVez}>AJ z5+*jYRlbJv-XXvwP#G9fyj<2#Ln2!^f|x<A_NpXgO?)tq3k&vg-IHuRY7`rTt6*58 z6a=}%Bcq?gdZ%n09gVy6cl8Z-HMhGwHzPe)c_tFip7Pc<*qCCN8t}|UJpao4<hwW) z@@qpvY{DNm05c}%O9^mV#pVyY!EPt$>D5a$52MWYJv>jMVEP3%HiOoO0q$Mz+sfyB zH=Y5r4`+3I6)E?eoHe2!{#NxhE{kt)02jtTox-)uFMmlqUqGjYbbcV9;KXd6(12j( z5_AGTjShupSB}LCY-fHpD^F5x*ZPvrh!r<B*M*asU7Q|oYaGVq2s`3Xs|p=d5>5p6 zvl^^=D<I}Nxefx^P<q>gfVpysrRW<qM}@(WYvK)Gw(fS?KCI&+tvjIFrLafsJbZys z4zsnb@Gx1Cq)_l{RK^yx6WxHLI?jwOjCjf5oK%+|Ul};4330Kd0Fx2F@Ikjkt>TZ= zwt-M$vVmUURXi6hby+6A;CP$z^J6D4sUgwfzY%OYd)bkt3$i#5!;3X42$4gDmqTAe zPz%ji*NJt#U>s3xA-SIceR`(&V8lbXjUQEyfaT<#WtU7{`t>iemgY5*5yxBGtYC4v zt~V@$xDZiRrb1(c!>G+mSxAEye#Oghy9c9GdWRyE5O~^B>q<dpxYn=#>$I$`uPTNB zx&96b=G!+dR7-B}s%xW6(GRIT{>z(Gm2Vy0Ex<eKS^l%6f8T9oyc$*4PJyU|?0QRk z(@#b{u)oA?j4yX|x&3$LQD!w7uZStz)R8?~Hhx0D`9g#Gt6%;EW;b`q=mJ|VJ#=+0 zo)2w-RBY@6>{42jnd~-=e51}E?PLM8h<htoh$MF3bbS5B!ugKGgkCG8<xGw1r0eLa zVXtH;W=T-IfN1-%z#*x$PZf(qEq|14^GuFXuc%D>MWW2=NRn|>CJS^ThYldkN=AHG z=FU84#9|D7LoCNglFbu&*8qYGUV&O)t`ui^D$O?if%_m^dqzjbl$G&=|49<xRpR<J z_&w#}P`3lx*n&KOd^)EBf8}8Ox`Xv%53lsNHUqP1)msvKSti+TV1yGzQq+6gjoqA} zGr)t=?EtAOTqdA6L^?JN!}B*6<-wFzc`JOerkbPvManH!DvNt^@X*fC^?~}Czx?qD zwa4pUV~ECQP!70dUMQvduYadqYYZF%F`*T-r1=~Y%yt1@`ZLJEvVF4iMv&+kXngUx z3N2y=7#Iktc^b1ci|H`GY0C41<-9@joB=;E!?qu@i^g`Tk9TzWUdGc7OZt4mwf!Lr zxdQGKnt@f@#u68FwaY9aIckP<!&gv;$LSD9*Wh_$d#Hox^fY0k{;#U1)6sOZ)z=V{ zr0&G?=6TTMjagG-tjd%;e%A+#<XIGQNd0o?<XYx#>QL;+qYl0InLr0w5|g7wKSPzB zu6|c|{@v5ZS_T)-!w)X^A(@y8*a6z+h-@q=`>8ZI_-h)=GXc*lDba$q@Z$cc`L}B5 z#ZBO70WZun{0ZB5sSYkf;3K5sH$E57-g1Y=wTWo;WFa1>hq}X~Jhi+f@U3NE7n_5^ zKn->?n01z+&d{zqWD5O?*v}~H30|t06-6;m+F}->SyLx@{2WXjOrWOJ<H|^T*+;d8 z#U>OJyO1nrt<j2tTuqZ73O=3}5}0jE-ZNSazG93y@h@bdUA#UAUG7VmgqbU)#24m- z;i-?xMy67)l9W;o56(zf<k04|^EuFOPS$z@+;aIxRi@n+k0at6G<r&@uRH#;haG&T zCQomZ0N%_Z{eG>mkomnbcPr6B@L<X)+m5`Y2R8xkx(#+RI=ibR|FC3NtekH5oS-_j zo45WfYr0G>?7^9^jhRBr&$)$wu&#)*D>sRAsyVLy`t%e}axXxHxER}9q$1;;5H>v? zs$$)8Qe0R;E2f9wgrGuXxe2P4tk_JkqmzJ;{?_i97L{Phir|vuTadug<f^@3qtkE1 zzAKJI1fP+q1)-)wzrKP8649o+AzxG*80Jy=UR})2#{gW|OkkgCF~RtLq;7uonz`!F z@`<Q>Kkr^wURlaQHCKZq_lCMIxX{SFz!wfUxi*Q}zY2loQqOvE1JQWwOHBAzc?6?A z!KMnO0$SJ0gQ1hA=J@%x?cZ&7nsCDD18^M$cRq|lt!zeW_lNdGVih3yun$qxEP;=~ z@p+U$B}7D!MANf~6HKjNg!iG`?DGI`RRPi1@mS7kMCBsVTfuL2NlxMSU-@~(AW}`w zB9g8($+}p1N|j))`98N5*{X-O+grdcQ}o}~DPyP3))mL&v6!B;=4}FRQ=Z)Bjy>Y+ z3-$*cJ8>x+>XW?4J<%nS{lprf!b(#Wi=S(KLQq6`r~=IRq_!;Q%x?1#jucG~A5m$Q zeN8->;%1{|f_@7Y5+U^qY1l0Qd(e;JzDeneddVLUlByo~RkkfIF!70IiBU>?!UKQF ziDzjas%v>!KXG`l;)_!8)5zoLfNZl@0cImrCKbuP<4ut)OHa{X2J|LyyKRsb|2=ff z)R@BY>20WJvBZd~nH{)YKm&YV<SX3--iFQ(i?;DD3#r}(qLAx=7jcAaje2Y2gN&ed zN*vjt)FaTcF1Bk61J}H_`tk{-H{JHh&ZiJ^$6Do;YJ)oIQ19$qrx{^{D_OQo&og^! z@yhN7IaA=msoQ*_8Geo7+fVwh2WGvOASZYDTretcYPz8fmkK*1d%@!@3Qtr^-<U(l zzSXmx#b$yP$p)nL^?ix;z|GOr-m+({ktj;rz={`|07a=3$|yi6&P+m~NTPrCM=X50 z7Q;VB%$J~L44(F{&mh_nNx91B1f2zq;!O6s$u4V*MpH?L1Zn3az=d0H=`3EE+QMdG zW(kO_Q8pv*tHE5M*`(1&@0`oexbJ@$q#Zwzp)D~49x6dodhaUo)e<<C;eIby4K&Wm z;ReQ@)%36JvYHLM0JwMcxH~S^lc-O#`ZX>($C;9rnzXeLplU{zKJ5^OFq>48N{GYX z8krpDCWyIgK@Shy5max%k4OKWck30Sv0iLZ2dlsfH8${X@&73wEt@o^T&pjOO5g`Y zg?4<aKTqL;eRjAH9L1mZlQ<(KM3U<}mCutp1@)-p7Xz1%7^Y;W-5Hs7L}fb`q+L2( z%dmG9xD{+MLbZwHnlP3IP0@-myM7>S1}E=%s-+OY2CG7+e5sX2{60+!u$n&$$zky) z5fh9rMds5<c#io%`OQcdHk<%Y$W5gMX(}%wOyK3*DJT#s+98`po3UzqH|Jyv{Dw=b z(YOb2lIO-0n%8~_#p5^_-BR__>l0$b@2y-{L`eHMZZ$`xzGrj(HbM?`G+XVohv4|% zgx_s>$E=~f?tU7$8JmYB*`PT&zA`gTvgfL?(c)T^moPOowr4J0c2m)no6&QSVI8OP z8J`I>YNUGsP{$YVnx>@rmEUpZp!>Wbk@`E^({qV#%Q0SJLp)!((e=Xb!M1Sm_hip- zQ(8K|_!3pEfI{$W>A(2Ud<?|@vI9X7H=`x$%uA!<ng10SeNOVlXx=z{<|i@#Ved6V z_fbzKaxPP%l-PK&6+jt*$qgmQr0t2&^-YVb(ZG&*|B1s_A94gZ7;_2CmqLiN<q`)I zKR=<zA}%-U*z4AIgYZuc;2dT?VrJ4@F<D^S4m4@fJTLIkqud`*T<_WE+RxJH#s-d0 zijLQkZsyLMY}u`d506rHwz}QZjcFHlg1a;fqZOB7me&hp(qrGN1+73!_=T+r6XB8A zmEoxbZ|}E+_QCb9n+Ivw&qKa>NXwt)fr&W@V?{+o&h0)yOvZ}YHNXtO|GoTl6ag-3 z;#+XdmOx@UV-b$6fy!t=2nlGtIR?OIKiPW#jOj6a%CqHRTJKBtAuoxH)<ai@YO0DF zhZ;ve2i_DSfzixRGG*ZacCzU!F1U{dLd!xYmO9L3<onSKJ%4NX@>|Oq)FawYuQ9%H zS#GJAhdhR5)yG1*V2yBOW<VAgnVb_KxNGHLBxX~MD{N=$5@e&Wx^K@6Xe$_e!hI^a z?5_rvq5uAS6+B(T*R@>LT5f`cIJ?co7X^PEy=*4+>xNwir%9X9x&3!7-_>K(PSV79 zX?)-Bk~2~_r1L|ac6>~wb9mvpjNR240XPNecrY^ha5`pKRqX#NI*u9u;N7U^mmOdP z2D6>3^tOxd%@z_e2-c#4AtOJd3x9k$r^kC4d0>@zU222N?=2P%hXFNzkgoGxGgx^_ z9J^wR5Zqo(oiji+E1id&8<HrUbE~itL2+x?0y=?jIgS?cYVQ|NvJ&LEvd1ue#TaK3 zmD&oo69$R(GbniEz4$W4ox*VO3&S47Exb|BCfJBKRxfO2mAN3Y9Sn#ZIizq|=KwAe z0^dGp66ssy_7XLo<mGRjrO$@+4BN=mKs=fSA$2FF8kK0DC$p%dbJ8TexD+wSfp8O5 zC6-(rvVLY&YM4ms0ly@L{B5DszpWkPAr$7m#JB2m!f5UF09K$bz4UK?hIeBC5*Bx< zGLzL1d+vIFT?Z9zf%&tg9RJNXk`q5D6dl&K9r2WQjGb6YpS=}ajq-s~#W}gIikDBu zF2CZ%B!i>(mjs-N*%Uh)K}af`=}gD>M~A7{zZkcOm4^POGCKf_bm6f&{!Ur8-$+^j zWdIxh8uYqJ7|6{*KCncB!&-1$0*$Bg_dsLKdK;Nj+Mua+g#PVT^OR<P?6E*VeogfG zc1*@*w2d{z?P(>4`T+Q^wac_YbdUCpJ6NgaxuMAkKxwqA+rXQ$wAYFO!i{~M`?v%U zlnpiGl(T@4*pf4miYwiE6Iz}1jiT7uUKwKYcYlProDE~Ubo$_uVCSvl^My)$K+Xb4 zkJq%UvOK$Zxu+iqtoY}G>YShXKH*jmZ?AATDmkI@rNz4z)T~qL*;a=_A!*yhx_TKO z4tX0ontB)S7IlL)U0*>Txdt=TXQu`_Ya#kEIbytS7H1LWW6k&ZA3|_h1Fyf7?9u60 z#K8-`I<HdefkFBjk00{ZxR=fHGi{8DW~9#cV{>;0v0wW*AND`I8=D6xQNV)6!7=H$ z&ZV4=63F$D8yFuFmkYNFL}-9z2M-|6x{KRI>$rY*E_w3nR9+nOEwr7@*ag>0cB^qK zBt)Ny)H=oxjs_AUMhOb)aj=-!sHnS0Gg?20T^>y}Ne%9J3}I!{1$j~LrsBavs4%s4 zP0%bbq>AHo0@g7XQW%~HWtsXMRv(#c1~ZLulyWZzxVf%}%sTLbPUY8h_(^?GKiFP3 z((+2wzO%`L<Q@ols^U;O<7tnggh$qvJut3R5LxhXkQuM6U4aJtwiG_pO?!h%3>PS; zaE18ir~oPOpG=~a7$J7N19C*({D+@H=f4i73EDp~e&GTOoqdPaL|!Mpp<rwsxR+sm ze)c1Ij#6&?!bCz4IX6dxhtS`*xLe2#2|#`ym^OYoEGCWXu%<%Cz3^Th?y#fp($2`H zn_QqnksxHh>W7lS%J(a--f!PhZe0+U$Df{N4+B*IG(S$WA_1A$;7Ta>xsDFyN@Q>B zhA7%}w$)Mw_YK(EE2RjwZV8Tqv+UXf>HsW5?_qesDT**c{#-^;z|AS`VI650aco?& z`wHCZm0%JfCs*n_h5GuTa{}mo`q<rrt@u&n?recnN!3s)`E#E#$=X^rPl4Ppe?g>$ zvt0qbknyIXtYuV`kd<N_d-s@@8IHv*-*CXey1@`3h5IeUqp~W2dKqe~^OF)0L7W() zJnf1MJ&(h!4t0oXmQ56|ol7<DATZ8w17iEFuiYZVW7#)uuO)J#CWjw&*A1kIcvGqW z{76YRp==)~wg6d077%z+UyKpZDW_wG!zuUJKCL$1p5AtBXAX$Afw%&H!>(Jfjyi+2 z35cF}&!HMvE^f6X4D{>F!GVg)QRE}n(WgN2FuwI8()Z7B_u6M(KXTp$-tu%T^Mw&9 z;Yaqv^V8291#dfal{p5&#YTJ)z(UKxEAQFKmjnRtS!Co{z7m3@(~WNXHFfc-W?SdO zw6ocXNU+tv`s)jdEv$ys8(waWzmD7{A~`jRr13>i(gmB`^PViup$$tz=`ky{e@`li zW4*?KN~fsYoAI;O+j21>GC99Fvh<{E7<@17$V6{c5^(qhnF(Z(_!d?h;lCKI2KSx} zwrTjWmJ3}{Mv?IVj#CbCI|;37K|RKz0}8q~b8%E{cE@juIJfsK15l^%9T|(c7e;Ms zN=1{6pUAk|8+b*0{qv;CyCB7@yOH72NXIZ*nr~^}Q6~ahu48vHN#qgUf+i`HSg(8d zB!SR9Idbn7$Pv*G$w0l6(j^AtEz;2n#sAg0I{?|zL~Gh@+qP}nwr$(CyHDFZZQHhu z)3#6B#`JeR|J?ZJ#>7*RJ9n;?nX7iyuB?0`R_s}m41?^HNj~A@(w$k%?B9V;Qsm&E zo18cb{+Y@8n=C=yE<|Z|xcD;#jYDL-I&RvxD60}B8}+ddb5WQ%ZA}Mg*p8{)_4lE& zscSDf6mGXKk7e?^Ryf&5$xkNMtUGhNZ#s5F<oAOwlx~il<S^^^LYqHkUl+Jq$i!xs zLlXruiVC^5+H_eHSRZALF!7yIg=RraF$4K*=)igDlup8?#Uc@is-@X-L5?}n0>Dp% zK5Q<e$UN_y%(w~<#>V4HA`|%(8UwEDWZBMvlrRidApyiHl%_(1sAA2S%sQ`al;(dS zf=BGg`5wk`1=oNY&!^R+#6?gS3K-~YiX+p+{lPt1iD=B7vtX=0K)iuv1XToP{I)8T z#8g_EVdD3t-NFMeUYFDAc@NN381q;30dpMBK8zZp&R=MTGB(jK|CXDan{LlC?~KK9 z1Q43`dvt-@4YMUtT`lDXjYTk|1qrapxi}a?aoKbQyZK;a=*PEXrUg~*`{N>mj+#u1 z_@+N#bK4fZMGpg%_b$o45NEPc$_4j$8O4q`6aT)U?O|v6)si+m$S&lhj}%X$N$dG- zm!0B;+(T{mU0=P@f#X7A-1Ev@gy0kR%)zyu<G*jwb?WG=2C(!UB@Vj@YRNE&t6JhP z+xJ>ARBh-FVgsvw2%yf>RO1%n6ZsZwm}7JuO)f<p=p{{S{cYKX3k+ss9~G5cSvuXU zUBSnOvyoeH0^wA#1T)!Bk_yHvhWM%k{+orL|9V&{5too9GD{%>fqsz`q{Y4)15#Pq zX*%>-MP}mjer0v|qJNcaaI^CxgmTsI9_ZnPtW?8LR(76pdfSde3uWUQ;F-c7=D*8O zX8x}k$|{}?rUdlzMpnu$wovqP1dI#}|KuJ!IlB;Wvj1mhG7ASMC&B+PGx<_S+kRsV z)$h4>_W&z&xLrR$G>~J>Ced|asofR{q(2^K{cIvpJ+W2N-**-h?r(y~Ld*VPK1B;l zxHIQ{&O2rlrD=>ANnuQVj8iOZE@N>WA(I^~n+X}`aM(mL(&}7B3l=t6BM(h@q{yC^ zPmvm~0Q9m0jsZ>t^l%-ha#6}^&|@YcA{+_p+#eJ)j3{Uj1jf}_kSeB^a7cg=8X{yO zV=bgrAqksMz7$8XK`2;SJhk)~>gb!0X%Ny?a!E1~1EB^Pq~K0TKp3PVprRs^u`rg5 zC7nUMC=;qagFe8Uxch*Bh9v`O(@ap12@@?Mb(y3o1uTX6DG7j~h#49}wu8FLVg_ld zQ^Tl1FeH-*3Rsvu6TrhNGC{r!)=V>@LJvs=AOZ5FAP|Z^5*;Fq)hLP0ISCcuP*_B= z`6V0&5)p-}0U!e-Ou!ihNf4D<0K($my)xj#`ERgRP%Pw3l?M7$8guA0B}`??2UwPf zzedU@h_JEZ6>JqKumpmZ>xA=J;{~`@K}8uDLLERNyndItW%ri>j$khai!q=pIQ*u7 z;Ai;dCTb?3kU8ZN&n=1y0(vSFdMW5BI1IK+l^p{Slt^=iDx1?MQwKj0xCqQZv5T%D z-g!_aDKgqFrW_OoplrgS31qYckOmOEXA)}d*Z?;Y4%-*${0n5jp|z+Vgias`lE_NX z6#@SgY>JV^FtrY8zM!Qzc{RF9D*DU_ELZg)!GMzBp|1&$&|3Dff0iHru(nt4jmDoL zkA4~awX)I(H&?#oo*(Y+V7TFKG7h9G$7dq%Q2ss~-_nC)Oy0MBhR<n`49f-HjcLz- zelrSEL5w~_qQGD~_~In5@k2HByThY<>`r`5KJ98szKnC~>+2c#WrsIt&WLD?6~b@` z1ZWf<jBp&Jy979YOe6yzG$;!a7!smQ`i7LD2NJXqZ9s+ve}rJ1*C^gbh=GKWvtIz@ zm`{)xO-HsVl^-f3(;yQ`MFxcgp=Jui22UUoa;O;}geViF?Ouf0%@!#{hNhl>gajl3 z8ICiFnw2nKlrTz$0mGr1Y&kXn;f?PP;C^_(7-yEie$ezd$UTL~I3&m(ejywn0fY&8 zSUprDcTitc=qh9q@pk{EJ3wGP)SWSO5T-(s0Y8{XC0rRRSvstiD}yAt&?m$795M|C zh9a`*JhuQWm=y}F;QKP!EyX(or9RNnBF*>bCwLhIVdJ8WA8VGc6*;fo)Jov0@p7^- z2lmKa+N9{~1aLZy|Ldt^YVVW&vZlrpB2--1>A~N(#eVVXi=jT<Fems1#w8;hpy(he zkb8!fTOwI{l`xVR$0n!Keom9!UN;<Q*=%@E93%?Jv_Qt3xl!sEK|lC=N7_wC-_GNb z%EH3&N7SbQBUN|wk*X$K2Liry?6*LE;8{bM6Q%WPLCoS=j#^#hLnO~D2N4}wF+f%& z@9Vcfvv}o0)awY!Q<5Wi)7WF2(Ri`Gr8!|*q|CigRaUh8)sbMxpJ4XrQ|Cxx`UQVu z8V_p04AX$Dros{RHQ><0iWY-l%Rl!yLAsy5-N32;6H0L~%Q|#DRx;2<vm+$#2#QEH z8u$W)@hZF^z=k2tam)R>tF5*$B=(z;e|YC`V4K!DMeE`AM0=8JcK9<v9>=ntAm2Eb z4ROtw{~VF!7ua+Q-kR2Us<>4QB8QuGT*!XcBSZh#FT6-@pGt9}Urz&mJRZ$>i=HMv zcHMNl*0eY;!ajdDpSHae-ffH?tcbPF8T;)pu^-2hTbGG9{BT#`yiAG$F>djAHZ@}E zwd6Bz=iYkrzUW^l&p=o_^E{#S@tZx1CwUoLPt%dtc|vV*8VyWs;m(iqi;31l;7CJk z5Vj;#!t6RkW#}$_xfP4|#)jOux2q%f%5bH($YTz?u_1sx(r926ba#ohnXI|yiZ{X^ zdhJSJ+~<A`oIZY^d+WE>;1wg)d)fRtE71|1c4eiAXm9sYF}l|IqiP^f*o{zX>QZWC zb1$7)=~0EzS~*I`ZmSyS;ku2zQY;4vo;q{4h|{dhTe7-%R!@IM(q1u32|9tj;gA+& z$4NSa;VyN^{l_p3+;o3|V;*Zk6apkLDa(68ZB(xzPtCw#rIdvSi1)72iL+aWK6N_b zG_*4yLH!!Pm&fnDHGDRYzZe9}?8+u3(ro1Rc3=AG7Gefe+=46_!pHEJc^i1;!eG9X zX8P-#F5m59<2~y!IY;8F*+s<u?qYM6>?HVoV@5dMsYmk@x_w||@W*qTlmnE=%ob9d z5&x07^!2h|#_Wfc>*}rtPv{?%*isLY4IV!@=BMMdQvB^+;1RuUd?T2JwS?i;?w1A5 zo@}eW1A9<!MzS#iV>?hAS#^J%w#QdA;}5!+93GFS<E_TN^sAF-sa@(Wm@xkJy7%2l zxI0$uY*}e`=X<MYYESeUzAg{vkG=67JsJ9_%0KtRABU$)dAhJS;b4%g`H6exNke!U zGHXdnr5BLh<9L753n86lil=zT;_ky=3qR669Q_h|$Mla&Un@UczsTI%JKG*6QE#@& z+1$^&#-LlLqKm0Nr&i8Onnl+0U&Hm?x904?Cc1Q{(41eq9ry02YS9`o5pF&ElHd7j zH)(3`z24Gh&xijo@lVd)-`A#{_~pvq^WSOuCCuKxx?J6h_5}2%y%uY~d9G46W%>eK zyC@#{AN%XkF2i=2_DraM8Lb0oy!HkhTD_6#Pj8;_=%1Y57eBwg?L>c2^=7K~IkaoM zebj#Jyrz9vf8~Af`?aqsb@fE==ka@g93E<_d{Bc&@#{@hghzX_{`P^>i{@9voPxoY zo7AZIyjiu(n<u<fZn{(ZOl%~4{Kncg{sc3-!GYPskEHCH^appQ;9^zFIaV;&w%S-& z`8X>8$d{WvZdKAPtWlH9I>Y=E*{yux^Rl<+SSzOx1nh-~Q)C1Cr2!c^c~zN4yg?b3 zAUNE#Z}&0G9wZmq2_RTdw=Bp&kSgn0#(k8y6PMS^?TdWm*wN-uUq>!J>&uFZ5Xxjw z5X2U_S@A2T9W&teRts$iZtYY|PqAr7Y@RRA-EA#`Vs*bu$h=1zz%qpW^s5u8TN%mw z^JzRupZ`I^Wwo!aixaAsQTt<FokWP$jJYy{F<;2*qM0Gzi>9ivx>4|a{a2KBP`fgo z&->}a^dh=;5T<0Ph1Fj8wt*E*O4N38R1vmaDVWUkm<UO}4n}0yEZhDbe`mxC+tAQ6 zwq!$_u@X&<8FOzA_T=!<idoybRNR*|r!%_cP|joeTW=5Lo8C-~n(b3nlxCusaAn3j zE>lH^vKX(go6p;B(P)TR5PNn(><u-F)M*PQWv8LoOL}sQ&s_W52bVAsF<~WRK1+U& zERq%WUMupM14w6~Qg}*RlA(QNO|HrNWS5T0;wvVEz19kzK(b$ouSsAYX7-vE@Kp@8 zVPQG=9z}YaGEhreXAK#w*v1&+1U1t(2FU=tk`NlUS?~r3A$TV&+GYg*SS#y=#l8cH zy$*vi5cDp$IAj^d0!6%L4<ZB;wQ|3HCH1d4S&y$3v4AgTN&qcWQo^$8g)G^!I@=-3 z1yVnHXIwkJOD_GpLUOmDK>W@Wcz(94><V_D=GR0RS`vRA-J0c7^o$@&@*3X&nFl+q z>RI(^cdPCh{+92jJ$G~e`fh&tmXp6%`&XUzISTG<>Kj=H{f!&A_%*HM?mK=r6z#x6 z7ZQS`0u;GqwFxY8Tbxe!)!RA!zwq2!0I3>a<86007?6GGU+ic;-5DAjV_1gAu0anp zID3HYM;Ah6ZVf}7f6Z<}_hdzF;KrQ65t%##IaW<=2AYfQ84AwzCmrhTZmA5|2rs!i zqIgnA&~Ihv3(hyR4G^6I<fdudh1hEjzU`EtlH5EABVzeE^9;uc9_X^VqmB;J&z0sq zZ4AYSMHJs|+l)lSJewhZOnF_)7N9hof@<;*o8JN?)k6efHhz<3vxs;m{b8CX7)cUy zwvSE7n6vtp4Y740DD=q0pOL%86>>(u-7f0?WJ^FSUrI=~a|zg~IM5xQMm=(04=K(n zi_l=LjmUqCeQqm{%KB@+CekQTB-xUYddsPm6?qW0_{q-5gk(L#l)?B5P-DTy%5u>@ zbk!euqw9F0Dt1WLMG8r?Fj=IvE0lks-*?@9W<>2CHr>bB6U4B<T-3a;HM9Sv(0h`s z>epou=|mqL)f=;4$&N%%J?4fO$%nu<nc|}L6xT>DMRc|4cbnGiu0vfEBS*9)x-o-a zK0Y2+W`j0|?tx?E$iNX`Po!;TLZRE%WbrrkhjRdn#OUyc7bB*oj1io7VBX8#EN^E~ z#H9oxtC*Bc{F$)mAuA=DSX5CF(Fm<l6RD{zeQ}%GMNM;#!DWfgAb)FHSiNGLelS#p zwJ55qds8vbM&yp2lzxd%Cf<k)xox4CT1i6-Zvk6Q5iB-g(nLGDEV-#|*!Zc+VTt&D zM^YOav5AIM*hBo^q6+b%3Z<lFUbJd1#7acON|m7w@u3RjdMw0xDbXq~kt#04Nk2q( zYVRT{?(zvmZnScNi!jB?rIJG2W-{AWxAPEs_E37Sbflb!P^{2YDf7jhb#*|%%*_z7 zA0rDP8!Mq#jD*YGu^Eb1kW5jEAK3!NHs1sBK~B_5Nz_7)N1WrW+<G<)ok_WoXIyck z9IOnivLxr_-~iVx6Ppa_AChxM$mQ{zOhGD^X3u5gdr2i6GzwW@$n*L@5^gwYcVgxz zh-a>-hXjk%M~QnbP&f^JW5>V!)uBi*vG!zmi%O&Jn+kCs4;G4e-CCVTZwS;G3Yi}d zMS3*L_rvS*r-Tq8w$Dr#znmwX-P@m}v)lgwH@0nE?1yJWh*y4?crohQ6H1Wzt%I$@ zMGn%SE$gQ7OxbKSe?Xb9&F0+-biLWk@YkZLPcGnx`5$1JWz(Xor{(eUr{~bBh2KUW z7rk5g!rkSh+VSd6Ic~<r`13g@a;kPpDGGa5LmjaoidI)q|DJ~4)wpiRzG>j!!-a%Z zTxf6$P3)lyp+YT(wv*O{7!{GVv=o%rYH*};)x{{Kp3GJz1*XVFu;QpKKg^YiCOPGR zG!~U?2canvB5_DX=!lP5ZaL0PkqC-OD(g~cL0Li(NmHc_A@1032nsDmGL3(PJ*#NH z?{O$fO~g=yD)-cMRyvImA{Ruujag0f;OORgo-9RAWA+Cu0wQF<8FX*z==~Ud#!_;* zwpook%~YO+QpbceJLIHoqe{QkS?{<3>0^HsbVDY!)*-DZ2$9NFQBg0bnM_n|23K~8 zRg;L^j#3hgVD0lE)R1gqj|q5d+ud9;HMI^+KCGtjETJ}wFltbMh@i?3p~z@%E{n$6 zk571VOHMYOPz|V}p&r4B-`8{2TryR}&?g}E<(BFIIjCZ-rkaT!c#TRX6(!o_)=D13 z#b-$SY<`(88-b-35nmkSUoeCF&hJ8KW^7ny6#-FJGS)0FGgiTZX)`gPZS8Ox>9c`c z7WEmoQdPy0$*<A46b#NB3v31o(ihB53T@tPs-U8vgh<PzG_wkSPb8dDvR0%Xu^N!l zFwV(`+lN?frG+B1*0Ba(rkd#58&NzX3F(dsc$Acrrf2+G0$GVtgsp{pCiD)DV(4H{ zWZ-DCV%Tn|E7;9;P~ZU3j-W+zDr^wev2-{dz!I#gn23TF4yl4twl1*H_4=jrH?SG( z1Kp_1DcOMmoJ!YpvZG-;6^@12p&CmA8qYq%V7IFnVL4q33$mm<M=A3!(S<blvX>%N zpOye0Am{+&2E>RUh{SI-phnEKhAsu<kK;6F{=q)q;9NV>MZI<5i8s@B9U8#2t(cB{ zY}@syOjSIh0vakiDzNQ7%my(kQtF5XoyMLNc6wJ4)E=@4^a8hn2hhf1_1`9n63QB( z^NDA^mgt}q*&c*3>}AdfNQbQDzZETkwOF*Zx_E6Tpy4SO0ZbxLvd6FvU=|T-WkorK zH{JBtTacD0Zx|><npBWtvR5o(K<=UTOHBI23aEMqOA1GvJ87kcasPCHzy}iSxA%Qt zM@5x&{1$_XdyDs;fVpE;*P>K()VGA_iWdT*M^!FH)uL{?@_p=&F@z$=v~DKXIu}Yn z+J{GNsLB!Dd|#(H*;G|vikd*l#w=rNCd&LH6ByCd4;6NCuDyw*Cg@r#OUSE&Uwk_g zfR0hvT?4z!vUDM-twHf1{Wm9k09py>1$}v13|pU58fVVTXG-jP+^7fm&Ys-`Vzwk8 zNinpss>JlK=CE{W_iv?Btk6dLUBLBJ^mSz!C5EC9$HW_<<rp+6Lq&-v)e1BnYpU|y z6bC(_J#8b_69GD`EeOl&bCKU7_B2Z?XfTClL+bJH)Ytg})C~OvGGjeW(n@J9O+_KV zF(?KXD3`kGBP&9xgcy~)me{3K64=Y*T1u*eas&PI5c`1OC$)?gif_|levQLE;D`Nl z-_Y3ELv#O)D96mo@?S(bL01<GdnXD?dKF6-8`GapWmh9BQ)8E(n($9Immiyqp^B*n zfxD%P1%ZX9gQ=5~sTqNTp|Q20xhW;Rf|I?8tFfsQg@cLNj~gu`9SZ{;BQqtvw5g}N zy_1PE1trwKj$~<XCt~PgN<bmP#l*nK%)rXT!N9@F!pcm`z(UTzK>p(=Yj5&@b5U_J zbZ{^=A)psCv~f0tqE}E6)u0n|wXrcWw6imHBA`&QuyiK)IsP>s8Ui&_C+DB337F{^ zSr}P4nb>HV=ve+e%pdokQ<JfDGbQ+$kcnQz)X37%j*`II!O+FR+0>B0?caK{(J|67 zP(tzX5&Va?$-(;nqiwQr{=2lv&cytm(k2@#`~OthY}V1X$6;^qd#+6%Ed-UD(oUcu zU_c<zG^k%QLA>Up1qxIb4lu?}%x-*rKB1m@@F*$m6i-bGr%*|#np8(e>(pK*>&RKR zME<1XNEBSPtke{9EDd&J+RvF6w5W0$;m)t$)~p7bzMu&eY~(i2PD$8kx449ku@Eon zp8JS>`rx>rXoxs!ySM5McGokmZ;`s}a#a-bI)UspGI85ZN=evyEz6GCoME2->4e_I zCKQYrrXdCh)-D*`xjVf()rs(jLE#cee6Qe<&Wb*}pJ2UScte+@(Dcxa5hDynmYdCS z>J9gu!K_~jleEI>LqYEbW0%rlU{1ijI*e~XE{kv>AiAV}S)dN?z4;|SLo}7bItIN* zES{KrK?Xs+PY4E_OBkHkrV6zJwWtfJA_adQo~nqG7Xob|`$#a9<)k}|1==z;C7sMh zBD5cAVQlWV5LP>{zD$1(P+Bm{9Z6f17mDd<UmQmi*}htBP#G2CfvX6Q1|$>xZ6INh zXDK-N#iKX#@cm6Q#b1JH@cuC*jyDPfjRC4zpaRrK9_im&kg>m;ylx*?==HwR{cPbo zzdvTP-k<ULH@E%#{lCAyo~E-7S6!8}&SIUK>#_8yc?wgM{wP;dvQ=kFN9I_oaw0?7 z*fG>#q%T~;1`QJ#`fdC2*<VGew$8Jb1}~O_z!9!3cLg?KgtU5+T^kA6047UKKd2<i zvyogUS8|sB?!ykem)YJrj+KFxB7Alg6)DHCifeyf4hFNox9Rpiy8sjrF`erU+r~|U z(Ogn4B=hPtzpI&xlToaGH_{?qL>#PAOiM0VDBR`s_`cgef_LxT=KYdHyeGH#nv7Pj z?V*{=qHKSUayZ26yqrl>N~|Gkt8pR*)Z;~diT!>La#bzHfKs>bR%{+gmx`=`x_Qvq z=HU2k`aI$er^$M^r3A@9{)`fR>YMw!*8gjz^}B0roY6tBCv>O;$=U=w3Tb%B=5m`= zm;)|e9LDq$N%+D9q6v?2l9xR@83&=SI#Wl=?N`vnl0J_93hv{YSG6cS2F&lxO`W|c z=bAP%zz(?32BrD_PQB(R<3AKC7$+C|BL=~c`2}so0#P<Ka0r93IL2%MtBLxX8pt#7 zRN2<_9Chi~Yih``;#YGgX66?K6&x@^%wy7}(h?<H#<nZ{4;4^YDR8QeYP7Zwr&2O< zn<#}7grJZz9P2{awgAg)tEh2T{qH(q+BJQCgOC6w6%^q;;aVuMFk3!y1^{vjW0j=R zFfy(jJ%qV7j%6ehpy&BLw1_px7iis}*ABJ2+X`{UE|{zhEprrSI99l;e~W+7RRA3s znPhXYg6EN}QiXJC2|+f@)7Y~R9`J{W1#*RKBx(r;AY%b-42_sZ_Ax54a}KO(sF+mH zXa><WtFRF{PHM{!JUg4}IhIwPBEhCbOoU<#*DK0SCM!4n86HZ6aU9nWvOkVG-=s=J zcz0l7k+4%i!qTM1MmNq3YK0^-3zfQH{W}qWHCkmC<AUSad5R9NP?pb?PiQkyoT^BS zI9!kJ;!7BzkH!u*?ttp7hWi+UDuj<4^0&RtuB>$*U28qU;k;<vEm$NxQ`eGH*I0C) zX_W5oNeiwQ?#^tA=Wu?NkDz5F5?Be?0vwG|b({Bt-ToN59#g8WYLrj(!Xh?{14RL4 z`z})jbw#j^4o$RVxC$iL6M{`~ZUQ@B;q6@cUJHrgHJY{1M1@5g7`Tvy4NIYDi2mxE znwKG3Wb`9SxScqrWf6^BrAjhe3*k0#eustSLJ_(CYQ%tg0zCw#OFY_%#$P@mOMuBX z9h9}P4Y=;u>ywGD{kfp55b5Ru7_3dxM*4|24B7L9=<z}vS~9I$L~j}|R^_DpAiGhp zr;PSN!wKne-Kn%Fo~RJ5AUCiryc&i1mm!F4ytxdCf_bBAv5aNKLJh6#FjkCNxcVBa z5FW8vQY3WYvhorK)X`}+uF}R5D=RzP8WOr;Ysh@j@D>$aI|z)WyEAFgNPAp%xag84 zCo3XG8}0|Lo;>RNC}C}Oj;|tj38_Hj2D*lEHsG^ZX6XSxO8pvj0TXKhc{MI%B1QL& zUC$jBcN|bqHL0qXllmDjS{FqHSnHSrw1VbHsy=5-Lb9sMdyT?9(ayDb7V{Z6aOnxQ z5*k~iSWNWLW^cT6y?9_zyqn!2!Hh9hqQv3`RGb=?H&iVXUs{?(D@^y<k#*vHTia7w zoQn8+3%rIJO*rswT(1@4y|@)CZjL+x!Up9S>sD3NaZOcG$QF)H>C<EuY5B8P&v-Oc z2NrD3;-th%OfTo^d0lKL+B=Al7n$V%40gI9YZp<us01=j@BvYLQQa=r442E+r>omN zv(mNdDM|TXb+QQxj|4m~6bsZ%Pp6)WE%7dXdqhr~dXD@|+b)WAfXh0WNnmrJ`m&Z% zE%xk~{t=70r5kE2zWYI)aeq){jbflqSWK^<$IF!#7b3k!&jDO@N`lL=P6Y3#s62BT zpO$cItR?LL{PGR6TlCq9Fj?qS5JBhDLe#`YivZ=P@tQ$bh!6$zi2}ONo?mFx@heX8 z+nk_sXu0~)vLSBtiTbQ-EE>4%k|;u3n!_Oa0_HMZaT_5b^oamG_Z`!iGNJ0quzqFK zL{MELIB{r-^euC~W7gl8TY4Z?xL;en(>rnFB|3ljy-$b3+h0q0b$NfoMcOCx<$Qeg z{#}8$7gu)_`?i*j!@tf_i8_@h|9X1E-${Po;Wr3(Hb=h3!&}^Fb-&(@Kwu5O`n_?q zZ%S?F|FY4#^ZoMXo#0P)T)MOVY43jdEn@7-b?eL>UrOGEzmWBWibZQX13|%WW<~#u zQkAd*Ck^GVbkO!BwDTFlLv83fp+*<8=v>V!3U@+j^^B5CY5tNNl)5mVG2m3Yga5bm z47V6hy_zD7c_frMe<4ox$X}sPbVGRyRzL{YNeWQH1+1u_uE9>T*5lstPlF!VO+5D^ z(9PUKwv{{}4~r|aH`H#vLkskc!cr*;1UX!EROHe@1?sRyE>-Tj9cZp{hFUCxZ$%m? z&zBGEZh|^HISOSbbu3E$sOqHGuS6HK4p5%lSr$;9Jsrlr;KAc$AdevK$D+_1fysb> zMlv1F?sLX6fV=s9$ypr3j!~*5;f;H_hUIxLY>wg(n~VO)RdKYLsdX2?oBJ2k<&bm} z67;l=Z<_z_^jZ#BJ}}pXJaA0W*r{pr>2aHdCM^($Pih>9!%LM*JV_DPJ)$Inm1~Q9 zz{(zqDiNi-+gb|IYnzQGXZvh!N+E&i*AjUE_{l9~U~zVCO<QMz`+8}Jpyu-Uj*pg0 z{(>;Ilf|cKR9ja79t}StDP(E*R9+b|qNiMn35=gyO2{EcDbVt7y4YZ4(-}1TGTB5+ zw;6pW7b>5;vcys!!@@4XMs$@_nGEOn_p>k1!-jPi=N1oLTgorS8Ny^>fYvF_KN1~N zgvnHs%CdY)M?61fCz3?1KUyxFx?MHRn+tRdw?f&2<lrNrD}^D`KE>G}PdrvV3rGNl zs(Z-EqYJE|jFgf!CsU-;mU77=C!C5E@j1w(frHr;ajg$gBi_9KghliGC&NwbCLQ!u zT`huzc?OnfHZn2OO)hx~=A3FY>wdVBio2gqhk__l(z)R9DAet4yf4%(F~v|W+1Lp6 zD1UTqUp3`#r6XQ;V<{r-#7sF79o1C%fx(<}MK<i{s#n*y23~QTzmLE7`yMYHMDNZv zpOnOWCTtVEFEuy)rKX<8&;Mbav$~PJ*}GCJxwTfXRl$*4wQYU4oLl$E@JKpU$9Oyp zx?D-i@QyT9qPd++&$weCIL7u4jw-pvag5Q<L{<<|f}K!WIizzL6>l7DCrYw7Jzgr7 zZBUZ7^EXF}4v9hum~9StmP+)kjHdhMZFVX<T5M7mbb#Bypw8ZW@Y&Wr-C9EdkZVV{ zXhm4bA#0w`VLiR4d8}_wc#l9*ia<H7zmK!``}zCZt?fqmKI833Q24v}X8!2s>r+d~ zsEfv74Q+=k*Pp(6?c&U<ibDiPZTC#BNXh2$aj}&(j}t_ro;NAVN407(2uj%+BA{|^ zL*u+YGA{`=*5eE1g>I~%ytRb5@^%W?GRQO=xkQyl-KQhc2x=O&YzA$&EEsj;4p`C( zo#?2NPy^kvVk@>^#re4%{itv~l%9_XzM?v<nW~d`t&KCBWd=za(uPUG5nPqAFw8a9 z_DxpJ&D#xbpvk$R!P|!jl~1&(2)N({3tjcB9wt4Ncl&y0v>CE+l&Zl11F-t++B%Sg zEf`XT$JWpb+01LQaKjmAy5`lIp-KSw@0$Q3GZY#<(BN86XUtu9Hnh1|7_38Bicmq< zWol#Br#X~tq$o>hHmJ^<WCXH$E+crbcH?jkM*hiha9MvtWANg0Q+C3`-<`%hwSFHc zIMh^HQHJ%&qL+=fXwp?E+H2W0@KmBL%1O<;v;E;PMgeGmK>D)=HY5Sz*VLFqhkq|A z%$$keApfx8I!Cvr&vob%+7-h`<jZGj8iih(&7&L@t$ZhOw%VB|m*M+860N*2tjqV% zx%B9?(-K&i^su<`w6^3iw2xj|6sXg*6?M5ye~ATKkw>>=u3Y#GIbnxo@eI4*^N({Q z^g2CM^WBZvxUAnPGw)!YETr%WdTGesgXH*{3I@!YJ(ffo9*jCHj4-~Q5Np(&MViVH zqi7Qc>1-_8huphQOch$G$%;_8U;g<~4=u3ewHuq4;3<S6o0*{%2sXD~cA~DI<;s^6 zLRzVb`X-cO2h99uk0`KtdndgsIb6nUoD|B+ak$CJpSP}yXD?s9i8agZnG<nYXz62m zjfR0eNP)I)!mg6Bo80KiFgWxMWpur%$wl`Qb~Fh>x2}4D-04N+ItOYE7&Li+;1OY# z0$Sa}`mYXsOP&m(Ueg+$hi7e~!vwk2eS%t$0py$2jmD7!$pDz^4Od-~7*ApKK<VK} zPeEz>K1zcO*w>(x{89l!yJZd@NQnN;g$^Q`dqdCdi^e7DMm~P6*p#xm@K2QG6Y*z+ zJRp%S%>xHi2=7yaWvDz}7hFG4#dU0?hmj8pg8jEHoVU!ClOx0o#g%|M^6*j8@JfL( zCeI7AhYq4UkeT%6S3<sYRN)Um3iOo|P>S_*^xt&7sXFy0p@XUfAAq;b5jWt!m!(Sh z0ru3LcyI!CQH4GE@hy$@v`GC~iQrPJ9NM5jt`Xw|tEq|X0fP1N(%gOet7g43^g*IZ z<OuFYx|&obb-#m1sc~um>h;OgWsa6n6DBJQ9z7F1d-?eFe8Y}jh3icYeohAeyfu(R z>*u$oLU;lQ(N=tL05`Q?IT1g<SUw5uEq(L^Tz~&5-n7y@oBk!f&3<FP8fv228sOU5 z$)x5Zy5th&P~z%Y=y)HA?$P9(7U2_V^<VrJ{tf2?y9Y}au7fgBO|8nFTu8;mIabFB z6w{@7waIW+Ufs?lQX4L>3A5#RrPeE`PYbS7q!Zx&UNu==O4;XZnZoXJ*syyrLGvJY z6)mNw9j>P0l@>FcaZe5<{T7g)oVG6Z%<HGC`<ZGk&K-AUOFP$8YL?D75MX{-A(jZG zfcRjy`!}ywzOOqgaeu#V7oS~rVq4+;?VqpLH>5qo%{AU`EYn~vSR57&lt{y>dx<`R z__?^Pm@_cQk>TYjNAh0r!IBC-!oOtyF!%W8G#x`y<Ytc|8}V?)kx!<7|DGkK@0sN) zGluu4<No>+G}tEt%niHA()LvR=Px<AIHcb?Zi!$v82G3ruVwzDG9MDBzaTH<LejpM zl8$^7{`P#VKj<C<g!(phEguVCR94ko5~^9lfQ&|_B&l)U3y%B2>p01(j9SJx6|<%( zS;TZv_TC9!efr~ek_$JcB{}h>Nl}hNYf@Nh?)nWKE{b?Ul4qK}A#JL?o&n>YA-Q?` zI2`-h9vOG`Rz-3a<0;wX)*&`K<u%z(TN|zywpp8`_d3lnG)|8-yhaJU{~ep+_v3qb zi}$OomyG>RujlPu-q;>ECo>oTz24Wu?d|1OC-3;B<omtD2R7P)``TUHb948{vv5`_ z{60KoYb(6I|L5IkTrb~;xZ%y)k$bIPJ7b&w<Ai*&{_n}jJiaFP9T)^RuRM){{cm7_ zI(@bOR_Oab6)FuSQ!^-fNjno$4+3olf*&6?T_}2GOE1%ZsYB7L6KFFMFcUETv?|%# zyZqD2{4<KuKb_3%3I0tz{O79(fi@4Th!`8AkdTlFgOI2wlPCidGZVXzASWZMD625L z2%`ue!T;Sw_dnz@<{#t#R30N;lZ+sj*9yOlsi@h0zVI#IZawqesd)Y=o>@f^zk`^V z7$WvXT@1vA1}Or8Jr(80agsS8f`ZWLslW#1=L^A86yco}1;3Y1awZos=`#{uqpy)Q z6Xs<XS@h#rr!|r?L!ZsREyF;Kr?cm=n?a1NqW|bw#}48&r&!gpkQ>yjdo`zJ-W&9+ zqcx*vLL20-%Qc^5MjO<xOE#NlN*k1~TQ-+wP8zhYlQxrQQX3Sn3pbBu(pD*X7d=Th zvsNj-7d$CA(^e^;FX36#gu^xpGq$T-_8g0?7PaVH<{q1+<7DCfZnbh}ZS7lL(`r?` zj6G&st#Q-5Y&nKoEq~IvOg*Ms<<+jlUb3^g3hcIe{$pox6<l6#=EIeH)N$;`@w-LX zR_vYtM=49Ov&0i4wroqGv%(W4w!B-hv%nKaZfg0>v3W9+d@otc#8dK~C0j9?ht4WD z)Y$=#uB1d$ti0Z`ZMQ494t+mxKQ&D$32w;KvGoN~-Q2ntx7p(jBk{aE<E61|*kZ_G zghL!4K}G~kQ*123&jPV0M8Z&`3|%g)%Fyu?ce^*#{RWS(Py7WWZx7n#A(GR$1cs5- zuGs9VrR>*h%DeKtizSP(-<0HZ)J|LpC-cyU!8-#zEA{jMCov&Bqa>Ooo}<V^KMaNu z*o`N_TOAAQdC!VOVC)uHGeXWbuza{``5GT;E6m0LiV}R50kuqt+1Ys;CvtdS%M#A} zxakJrA=hC<`k-C}c@7W~9C(12a5ni4VQ#M3AR`BGr?Ru1;lot(9!NG*#>^lr#Aq$| zI_U9HUuB>=uyj~sd4?xiw+_G;>>?i1m00GUl-1SDFXdIfbUI*XFg94T?Y{g#Vc>8u zI9MDk3FfJy<L$TtU@6!s%-o{my~VP6%iX#E;=#e<VDV4GUXr_{%MA}}oZlTX-+OoM zFb7y8@=2w=7pZ)#u+(&CZ{#tCOrK6V_`M+@O^9e6hMF*R<8t@+`>6pWO)x4#?TvBR z%dcZB4d`<N-l1~`;vs1VW|;xBRj3UE?u&q&I%u~+yjAFT1E{A#Kn{rTT?U-MLI;@G zK}ZhBv|T2hz)A-|Gu-bkCcj-u4p{TuDtwGMN4S~6D$;U~&3$qdc`Y83Ta004RC$G& zpvkC7DV<}xVPljyMIN#CGt$phg0NxcD@WM<Q?AW`EC*=2LEJXz=UqOYfbbg#yg_6S zsM%f4u7I=~C_Q147qsnu?-u}k!m4)|{onVyU{xf$s(V@)z%bPRJ2q6(fl8*FHx(gX zjcDHwS8bzG21c5uAs?#J=&Zk_J!{&*%vK0?zDL{k8;>0|fE@J)HCO+GG1cXwW9?o% z-1z2yusH&JgwlkT|A8Hf8+v6z#mete(nVl?U`A+4Xlh`5U`VJ@sFA4uhd)k4ti7D% zTpS0fhRPo*Vkk@~ct2#IXP`U&8}q5$<*(KLkzYmnZHh(udS`sOnm3~V!cn1Ow19r; zvG-0a9EC!WKG7$<oFoJH&9}|!=mN-8s3!xy+JIBK@2`(}_Wdr<Ita8uB@HlIk+FK7 zb)YN*QL8ZjU)Jh_S{mTk2E;bNmBmf?Y^BHYY(uDO(&GzMn#9Gtb-+*kf*c^>doVZ> z(|KQlI^H0$LS4sleUcooX@*bq<N8%mNwb0<h>_kp0UBFFrmY4~_7nP_I@vbsrPc`k zWp)F+Z8@2}pTitSaGRmvHwbuwU9`D<${t{huzG#c9-xe{SEa|{%JVzc9^lu6NHInH zuLty#cCp84OCO8DZ3W8COTYR(q@uqWGVd<Ql<o`tBTA;Y%iW*_n{q6;7i*L3$#-JG zx1fHDl3&Sf=Dco5HYZt;PulreeI0bpe|qf-wqhDp4+O^&=*r0DyM%QoS-Arg{X8s@ zjmbyk>~bDDHAJMFH*z!azlAo(obrt&Pe>PK0kgPLU5qY5HgV;rzdw9*5T76SuhJKD zLM`L{$ak)MtiJ4ZvwaZh`cZ!ikauD6$AjlQN{ffZ(r?-B3Xc9vw&iOeG8z$!h)c{R z=5lvwri7Ijqm5KlC@LNui-rr|!G5zmEvlWPQ@rB~D5g@r{NjSF$C}gmOga5d<y9gt zo)>F|t4bAq#^Hgw<Vh*}>HZ)S*g;UtI$JQFIFZ;P@;p-ORQT^mbs!ZX6*(2sNn39D zi>dpR>j9(?{0rEBnrahk8mevuQS_yNsyE9vl-EC8T|}d$0;P(iil{y(N`A<f$~>!; zHWeur_?0J6GZ8!yER|xVs)ebDsYt0nsnE?s1#eXaP^M%a0G{$6{E1j0ro3FmpOuN0 zik^u02dOZsPpmLcUKPB5XXz$@^G{ZORLk9OH?>qggc4*8J-N6+ob-Tp2KeJaAPtCw z>(b;WyD0L{?1k>{sG3v(=xAjwPbw>EL(Hmxlsa6s!GC?$*aZBlgJc^du?eh3*lDg* z;`(%VjI*sncI&rW1@<<?A4(halgo8G6n5k4aX469VZV6jPp0!Be~Xqs9CSd59hAJ$ z<@QCJ>Gw<zgLe42a;9xS>U((Ea(^dAPrtA>L$n>RuljU7;N<rhc|y`|(5^~Z?!D(H zfjvOvcQLyH)c<WMxn;ctE!r79*)y7Ur`&p*v`GBfaL5Pd0`Y=+K|P?HQqIv!{jCId z4E6DTeVP;;>yG!vd#Dsx=q~b>d``R~-IDG|bD53sla!+G!Onr|LHD7*((CDN^0Iu~ z{|mZ4*@`Yef1iui-Smb_+3k;^J6}*LIvbG-^XbO{A#@eDK-5ALvN;+CCjC|x+1U$7 zuJq=_!<FJk|EYJ=-RAB1ynl7HG27>gVC&CZoTrJqGSQXhDIfjCH`b8mLO=K8r1BF_ z!KLN=WGlHa{UKiu%nktin>)eFk7?Jt|2gOybZ2AH%6GmM(nhrD$$6cV0nphHZwkEA z?^3Ala_+5i-mA5>WnkUZV6j{mum^hsO|9Qb132MzE7{M@bJNFGs<(qW*2bpUZDd`x z4wI}uR>>N4&Mx@UpfSH$boDA|s}9@-r}<}vn7V%gSXHxv?>FQC+P91AcjN$k!q`wY zFt2YGv-c%#IoajW_-=lxSdTXNTv_k2uI*E818Z4cKQ|Dr?uKmLW!ntwbb!CuYliQW zGqtvE@P(1zrQ`wj4!X3i>#<)ceVERRy7dNh`>UlLd&%tqkH1Uo6Etg()>tgyW?Lfg zKSvMxywA)5&FBA(RF~LY{o;pe{L$TPslVL(5yVg?|8F>&LmjI3MbLcyf5FLGuP-M5 zRJ;%!39ES!U%;32C;3cx5U;<a|7qkNX<!WEPg-a_&}E8h-d<z*y7e!_%$loDnvGDj zA!9Teia;b5i^2G(GG8^@>&;cO6~BNlKQcd({PnhTV4*Da{X`neR$342k0+jFc`=yD zv7R{McO-&iD{IXE;)i1^ZOjidD!#G!65HyC!kyB9Gwy_v=Uo4Y<NX+BXL2g`pT+GC zaHB9g<9yMr{+%TYV}b$9h#}nn_QsLg_p?e(8iH1Z{Og@%ZHQYH4qJ!F)^C;`LR*L0 z((kqk$Zd#z5yo4G{?w0h5f1Et0Qb*LB)*4%6OQbFB-d}r0c^g9lO1l^27tbYq!UK% zfLhZpgY`XfJr#Rp|KW81En}xR{eNy=oLvl^Ts)k9HY-fbj7*%2P^6@y@?uc`3*6l| ANdN!< diff --git a/libs/srtp/format.sh b/libs/srtp/format.sh new file mode 100644 index 0000000000..fdf23ef3c6 --- /dev/null +++ b/libs/srtp/format.sh @@ -0,0 +1,35 @@ +#!/bin/sh +# +# format.sh +# +# run clang-format on each .c & .h file +# +# assumes git tree is clean when reporting status + +if [ -z "${CLANG_FORMAT}" ]; then + CLANG_FORMAT=clang-format +fi + +a=`git ls-files '*.h' '*.c'` +for x in $a; do + if [ $x != "config_in.h" ]; then + $CLANG_FORMAT -i -style=file $x + fi +done + +m=`git ls-files -m` +if [ -n "$m" ]; then + v=`$CLANG_FORMAT -version` + echo "Fromatting required when checking with $v" + echo + echo "The following files required formatting:" + for f in $m; do + echo $f + done + if [ "$1" = "-d" ]; then + echo + git diff + fi + exit 1 +fi +exit 0 diff --git a/libs/srtp/include/ekt.h b/libs/srtp/include/ekt.h index 86bfa17adf..a289a53dab 100644 --- a/libs/srtp/include/ekt.h +++ b/libs/srtp/include/ekt.h @@ -7,26 +7,26 @@ * Cisco Systems, Inc. */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -42,15 +42,13 @@ * */ - - /* - * EKT implementation strategy - * + * EKT implementation strategy + * * use stream_template approach * * in srtp_unprotect, when a new stream appears, check if template has - * EKT defined, and if it does, then apply EKT processing + * EKT defined, and if it does, then apply EKT processing * * question: will we want to allow key-sharing templates in addition * to EKT templates? could define a new ssrc_type_t that's associated @@ -69,14 +67,13 @@ extern "C" { #endif -#define SRTP_EKT_CIPHER_DEFAULT 1 -#define SRTP_EKT_CIPHER_AES_128_ECB 1 -#define SRTP_EKT_CIPHER_AES_192_KEY_WRAP 2 -#define SRTP_EKT_CIPHER_AES_256_KEY_WRAP 3 +#define SRTP_EKT_CIPHER_DEFAULT 1 +#define SRTP_EKT_CIPHER_AES_128_ECB 1 +#define SRTP_EKT_CIPHER_AES_192_KEY_WRAP 2 +#define SRTP_EKT_CIPHER_AES_256_KEY_WRAP 3 typedef uint16_t srtp_ekt_spi_t; - unsigned srtp_ekt_octets_after_base_tag(srtp_ekt_stream_t ekt); /* @@ -88,24 +85,23 @@ unsigned srtp_ekt_octets_after_base_tag(srtp_ekt_stream_t ekt); */ typedef struct srtp_ekt_policy_ctx_t { - srtp_ekt_spi_t spi; /* security parameter index */ - uint8_t ekt_cipher_type; - uint8_t *ekt_key; - struct srtp_ekt_policy_ctx_t *next_ekt_policy; + srtp_ekt_spi_t spi; /* security parameter index */ + uint8_t ekt_cipher_type; + uint8_t *ekt_key; + struct srtp_ekt_policy_ctx_t *next_ekt_policy; } srtp_ekt_policy_ctx_t; - /* * an srtp_ekt_data_t structure holds the data corresponding to an ekt key, * spi, and so on */ typedef struct srtp_ekt_data_t { - srtp_ekt_spi_t spi; - uint8_t ekt_cipher_type; - srtp_aes_expanded_key_t ekt_enc_key; - srtp_aes_expanded_key_t ekt_dec_key; - struct ekt_data_t *next_ekt_data; + srtp_ekt_spi_t spi; + uint8_t ekt_cipher_type; + srtp_aes_expanded_key_t ekt_enc_key; + srtp_aes_expanded_key_t ekt_dec_key; + struct ekt_data_t *next_ekt_data; } srtp_ekt_data_t; /* @@ -116,25 +112,31 @@ typedef struct srtp_ekt_data_t { */ typedef struct srtp_ekt_stream_ctx_t { - srtp_ekt_data_t *data; - uint16_t isn; /* initial sequence number */ - uint8_t encrypted_master_key[SRTP_MAX_KEY_LEN]; + srtp_ekt_data_t *data; + uint16_t isn; /* initial sequence number */ + uint8_t encrypted_master_key[SRTP_MAX_KEY_LEN]; } srtp_ekt_stream_ctx_t; +srtp_err_status_t srtp_ekt_alloc(srtp_ekt_stream_t *stream_data, + srtp_ekt_policy_t policy); +srtp_err_status_t srtp_ekt_stream_init(srtp_ekt_stream_t e, + srtp_ekt_spi_t spi, + void *ekt_key, + unsigned ekt_cipher_type); -srtp_err_status_t srtp_ekt_alloc(srtp_ekt_stream_t *stream_data, srtp_ekt_policy_t policy); - -srtp_err_status_t srtp_ekt_stream_init(srtp_ekt_stream_t e, srtp_ekt_spi_t spi, void *ekt_key, unsigned ekt_cipher_type); - -srtp_err_status_t srtp_ekt_stream_init_from_policy(srtp_ekt_stream_t e, srtp_ekt_policy_t p); - - +srtp_err_status_t srtp_ekt_stream_init_from_policy(srtp_ekt_stream_t e, + srtp_ekt_policy_t p); -srtp_err_status_t srtp_stream_init_from_ekt(srtp_stream_t stream, const void *srtcp_hdr, unsigned pkt_octet_len); - +srtp_err_status_t srtp_stream_init_from_ekt(srtp_stream_t stream, + const void *srtcp_hdr, + unsigned pkt_octet_len); -void srtp_ekt_write_data(srtp_ekt_stream_t ekt, uint8_t *base_tag, unsigned base_tag_len, int *packet_len, srtp_xtd_seq_num_t pkt_index); +void srtp_ekt_write_data(srtp_ekt_stream_t ekt, + uint8_t *base_tag, + unsigned base_tag_len, + int *packet_len, + srtp_xtd_seq_num_t pkt_index); /* * We handle EKT by performing some additional steps before @@ -144,10 +146,13 @@ void srtp_ekt_write_data(srtp_ekt_stream_t ekt, uint8_t *base_tag, unsigned base * With EKT, the tag_len parameter is actually the base tag * length */ -srtp_err_status_t srtp_ekt_tag_verification_preproces(uint8_t *pkt_tag, uint8_t *pkt_tag_copy, unsigned tag_len); - -srtp_err_status_t srtp_ekt_tag_verification_postproces(uint8_t *pkt_tag, uint8_t *pkt_tag_copy, unsigned tag_len); +srtp_err_status_t srtp_ekt_tag_verification_preproces(uint8_t *pkt_tag, + uint8_t *pkt_tag_copy, + unsigned tag_len); +srtp_err_status_t srtp_ekt_tag_verification_postproces(uint8_t *pkt_tag, + uint8_t *pkt_tag_copy, + unsigned tag_len); /* * @brief EKT pre-processing for srtcp tag generation @@ -157,16 +162,18 @@ srtp_err_status_t srtp_ekt_tag_verification_postproces(uint8_t *pkt_tag, uint8_t * Master Key, the SRTP ROC, the Initial Sequence Number, and SPI * fields. The Base Authentication Tag field is set to the all-zero * value - * + * * When EKT is not used, this function is a no-op. - * + * */ -srtp_err_status_t srtp_stream_srtcp_auth_tag_generation_preprocess(const srtp_stream_t *s, uint8_t *pkt_tag, unsigned pkt_octet_len); +srtp_err_status_t srtp_stream_srtcp_auth_tag_generation_preprocess( + const srtp_stream_t *s, + uint8_t *pkt_tag, + unsigned pkt_octet_len); /* it's not clear that a tag_generation_postprocess function is needed */ srtp_err_status_t srtcp_auth_tag_generation_postprocess(void); - #ifdef __cplusplus } #endif diff --git a/libs/srtp/include/getopt_s.h b/libs/srtp/include/getopt_s.h index 63278e9850..53fb25ba71 100644 --- a/libs/srtp/include/getopt_s.h +++ b/libs/srtp/include/getopt_s.h @@ -7,26 +7,26 @@ * */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -49,17 +49,16 @@ extern "C" { #endif -/* +/* * getopt_s(), optarg_s, and optind_s are small, locally defined * versions of the POSIX standard getopt() interface. */ - -int -getopt_s(int argc, char * const argv[], const char *optstring); -extern char *optarg_s; /* defined in getopt.c */ +int getopt_s(int argc, char *const argv[], const char *optstring); + +extern char *optarg_s; /* defined in getopt.c */ -extern int optind_s; /* defined in getopt.c */ +extern int optind_s; /* defined in getopt.c */ #ifdef __cplusplus } diff --git a/libs/srtp/include/rtp.h b/libs/srtp/include/rtp.h deleted file mode 100644 index 0e0119cf7b..0000000000 --- a/libs/srtp/include/rtp.h +++ /dev/null @@ -1,139 +0,0 @@ -/* - * rtp.h - * - * rtp interface for srtp reference implementation - * - * David A. McGrew - * Cisco Systems, Inc. - * - * data types: - * - * rtp_msg_t an rtp message (the data that goes on the wire) - * rtp_sender_t sender side socket and rtp info - * rtp_receiver_t receiver side socket and rtp info - * - */ - -/* - * - * Copyright (c) 2001-2006, Cisco Systems, Inc. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * Neither the name of the Cisco Systems, Inc. nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - - -#ifndef RTP_H -#define RTP_H - -#ifdef HAVE_NETINET_IN_H -# include <netinet/in.h> -#elif defined HAVE_WINSOCK2_H -# include <winsock2.h> -#endif - -#include "srtp.h" - -typedef struct rtp_sender_ctx_t *rtp_sender_t; - -typedef struct rtp_receiver_ctx_t *rtp_receiver_t; - -int -rtp_sendto(rtp_sender_t sender, const void* msg, int len); - -int -rtp_recvfrom(rtp_receiver_t receiver, void *msg, int *len); - -int -rtp_receiver_init(rtp_receiver_t rcvr, int sock, - struct sockaddr_in addr, unsigned int ssrc); - -int -rtp_sender_init(rtp_sender_t sender, int sock, - struct sockaddr_in addr, unsigned int ssrc); - -/* - * srtp_sender_init(...) initializes an rtp_sender_t - */ - -int -srtp_sender_init(rtp_sender_t rtp_ctx, /* structure to be init'ed */ - struct sockaddr_in name, /* socket name */ - sec_serv_t security_services, /* sec. servs. to be used */ - unsigned char *input_key /* master key/salt in hex */ - ); - -int -srtp_receiver_init(rtp_receiver_t rtp_ctx, /* structure to be init'ed */ - struct sockaddr_in name, /* socket name */ - sec_serv_t security_services, /* sec. servs. to be used */ - unsigned char *input_key /* master key/salt in hex */ - ); - - -int -rtp_sender_init_srtp(rtp_sender_t sender, const srtp_policy_t *policy); - -int -rtp_sender_deinit_srtp(rtp_sender_t sender); - -int -rtp_receiver_init_srtp(rtp_receiver_t sender, const srtp_policy_t *policy); - -int -rtp_receiver_deinit_srtp(rtp_receiver_t sender); - - -rtp_sender_t -rtp_sender_alloc(void); - -void -rtp_sender_dealloc(rtp_sender_t rtp_ctx); - -rtp_receiver_t -rtp_receiver_alloc(void); - -void -rtp_receiver_dealloc(rtp_receiver_t rtp_ctx); - - -/* - * RTP_HEADER_LEN indicates the size of an RTP header - */ -#define RTP_HEADER_LEN 12 - -/* - * RTP_MAX_BUF_LEN defines the largest RTP packet in the rtp.c implementation - */ -#define RTP_MAX_BUF_LEN 16384 - - -#endif /* RTP_H */ diff --git a/libs/srtp/include/srtp.h b/libs/srtp/include/srtp.h index 6d42f7b52f..1fdd6c3aff 100644 --- a/libs/srtp/include/srtp.h +++ b/libs/srtp/include/srtp.h @@ -7,26 +7,26 @@ * Cisco Systems, Inc. */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -42,7 +42,6 @@ * */ - #ifndef SRTP_SRTP_H #define SRTP_SRTP_H @@ -70,13 +69,13 @@ extern "C" { /* * SRTP_MAX_KEY_LEN is the maximum key length supported by libSRTP */ -#define SRTP_MAX_KEY_LEN 64 +#define SRTP_MAX_KEY_LEN 64 /* * SRTP_MAX_TAG_LEN is the maximum tag length supported by libSRTP */ -#define SRTP_MAX_TAG_LEN 16 +#define SRTP_MAX_TAG_LEN 16 /** * SRTP_MAX_MKI_LEN is the maximum size the MKI could be which is @@ -84,7 +83,6 @@ extern "C" { */ #define SRTP_MAX_MKI_LEN 128 - /** * SRTP_MAX_TRAILER_LEN is the maximum length of the SRTP trailer * (authentication tag and MKI) supported by libSRTP. This value is @@ -97,32 +95,36 @@ extern "C" { /** * SRTP_MAX_NUM_MASTER_KEYS is the maximum number of Master keys for - * MKI supported by libSRTP. - * + * MKI supported by libSRTP. + * */ #define SRTP_MAX_NUM_MASTER_KEYS 16 -#define SRTP_SALT_LEN 14 +#define SRTP_SALT_LEN 14 + /* * SRTP_AEAD_SALT_LEN is the length of the SALT values used with * GCM mode. GCM mode requires an IV. The SALT value is used * as part of the IV formation logic applied to each RTP packet. */ -#define SRTP_AEAD_SALT_LEN 12 +#define SRTP_AEAD_SALT_LEN 12 -#define SRTP_AES_128_KEY_LEN 16 -#define SRTP_AES_192_KEY_LEN 24 -#define SRTP_AES_256_KEY_LEN 32 +#define SRTP_AES_128_KEY_LEN 16 +#define SRTP_AES_192_KEY_LEN 24 +#define SRTP_AES_256_KEY_LEN 32 -#define SRTP_AES_ICM_128_KEY_LEN_WSALT (SRTP_SALT_LEN + SRTP_AES_128_KEY_LEN) -#define SRTP_AES_ICM_192_KEY_LEN_WSALT (SRTP_SALT_LEN + SRTP_AES_192_KEY_LEN) -#define SRTP_AES_ICM_256_KEY_LEN_WSALT (SRTP_SALT_LEN + SRTP_AES_256_KEY_LEN) +#define SRTP_AES_ICM_128_KEY_LEN_WSALT (SRTP_SALT_LEN + SRTP_AES_128_KEY_LEN) +#define SRTP_AES_ICM_192_KEY_LEN_WSALT (SRTP_SALT_LEN + SRTP_AES_192_KEY_LEN) +#define SRTP_AES_ICM_256_KEY_LEN_WSALT (SRTP_SALT_LEN + SRTP_AES_256_KEY_LEN) -#define SRTP_AES_GCM_128_KEY_LEN_WSALT (SRTP_AEAD_SALT_LEN + SRTP_AES_128_KEY_LEN) -#define SRTP_AES_GCM_192_KEY_LEN_WSALT (SRTP_AEAD_SALT_LEN + SRTP_AES_192_KEY_LEN) -#define SRTP_AES_GCM_256_KEY_LEN_WSALT (SRTP_AEAD_SALT_LEN + SRTP_AES_256_KEY_LEN) +#define SRTP_AES_GCM_128_KEY_LEN_WSALT \ + (SRTP_AEAD_SALT_LEN + SRTP_AES_128_KEY_LEN) +#define SRTP_AES_GCM_192_KEY_LEN_WSALT \ + (SRTP_AEAD_SALT_LEN + SRTP_AES_192_KEY_LEN) +#define SRTP_AES_GCM_256_KEY_LEN_WSALT \ + (SRTP_AEAD_SALT_LEN + SRTP_AES_256_KEY_LEN) -/** +/** * @brief A srtp_cipher_type_id_t is an identifier for a particular cipher * type. * @@ -131,13 +133,14 @@ extern "C" { * SRTP_NULL_CIPHER is avaliable; this cipher leaves the data unchanged, * and can be selected to indicate that no encryption is to take * place. - * + * * @ingroup Ciphers */ -typedef uint32_t srtp_cipher_type_id_t; +typedef uint32_t srtp_cipher_type_id_t; /** - * @brief An srtp_auth_type_id_t is an identifier for a particular authentication + * @brief An srtp_auth_type_id_t is an identifier for a particular + * authentication * function. * * An srtp_auth_type_id_t is an integer that represents a particular @@ -145,7 +148,7 @@ typedef uint32_t srtp_cipher_type_id_t; * avaliable; this authentication function performs no computation, * and can be selected to indicate that no authentication is to take * place. - * + * * @ingroup Authentication */ typedef uint32_t srtp_auth_type_id_t; @@ -159,120 +162,119 @@ typedef uint32_t srtp_auth_type_id_t; * */ typedef enum { - srtp_err_status_ok = 0, /**< nothing to report */ - srtp_err_status_fail = 1, /**< unspecified failure */ - srtp_err_status_bad_param = 2, /**< unsupported parameter */ - srtp_err_status_alloc_fail = 3, /**< couldn't allocate memory */ - srtp_err_status_dealloc_fail = 4, /**< couldn't deallocate properly */ - srtp_err_status_init_fail = 5, /**< couldn't initialize */ - srtp_err_status_terminus = 6, /**< can't process as much data as requested */ - srtp_err_status_auth_fail = 7, /**< authentication failure */ - srtp_err_status_cipher_fail = 8, /**< cipher failure */ - srtp_err_status_replay_fail = 9, /**< replay check failed (bad index) */ - srtp_err_status_replay_old = 10, /**< replay check failed (index too old) */ - srtp_err_status_algo_fail = 11, /**< algorithm failed test routine */ - srtp_err_status_no_such_op = 12, /**< unsupported operation */ - srtp_err_status_no_ctx = 13, /**< no appropriate context found */ - srtp_err_status_cant_check = 14, /**< unable to perform desired validation */ - srtp_err_status_key_expired = 15, /**< can't use key any more */ - srtp_err_status_socket_err = 16, /**< error in use of socket */ - srtp_err_status_signal_err = 17, /**< error in use POSIX signals */ - srtp_err_status_nonce_bad = 18, /**< nonce check failed */ - srtp_err_status_read_fail = 19, /**< couldn't read data */ - srtp_err_status_write_fail = 20, /**< couldn't write data */ - srtp_err_status_parse_err = 21, /**< error parsing data */ - srtp_err_status_encode_err = 22, /**< error encoding data */ - srtp_err_status_semaphore_err = 23,/**< error while using semaphores */ - srtp_err_status_pfkey_err = 24, /**< error while using pfkey */ - srtp_err_status_bad_mki = 25, /**< error MKI present in packet is invalid */ - srtp_err_status_pkt_idx_old = 26, /**< packet index is too old to consider */ - srtp_err_status_pkt_idx_adv = 27 /**< packet index advanced, reset needed */ + srtp_err_status_ok = 0, /**< nothing to report */ + srtp_err_status_fail = 1, /**< unspecified failure */ + srtp_err_status_bad_param = 2, /**< unsupported parameter */ + srtp_err_status_alloc_fail = 3, /**< couldn't allocate memory */ + srtp_err_status_dealloc_fail = 4, /**< couldn't deallocate properly */ + srtp_err_status_init_fail = 5, /**< couldn't initialize */ + srtp_err_status_terminus = 6, /**< can't process as much data as */ + /**< requested */ + srtp_err_status_auth_fail = 7, /**< authentication failure */ + srtp_err_status_cipher_fail = 8, /**< cipher failure */ + srtp_err_status_replay_fail = 9, /**< replay check failed (bad index) */ + srtp_err_status_replay_old = 10, /**< replay check failed (index too */ + /**< old) */ + srtp_err_status_algo_fail = 11, /**< algorithm failed test routine */ + srtp_err_status_no_such_op = 12, /**< unsupported operation */ + srtp_err_status_no_ctx = 13, /**< no appropriate context found */ + srtp_err_status_cant_check = 14, /**< unable to perform desired */ + /**< validation */ + srtp_err_status_key_expired = 15, /**< can't use key any more */ + srtp_err_status_socket_err = 16, /**< error in use of socket */ + srtp_err_status_signal_err = 17, /**< error in use POSIX signals */ + srtp_err_status_nonce_bad = 18, /**< nonce check failed */ + srtp_err_status_read_fail = 19, /**< couldn't read data */ + srtp_err_status_write_fail = 20, /**< couldn't write data */ + srtp_err_status_parse_err = 21, /**< error parsing data */ + srtp_err_status_encode_err = 22, /**< error encoding data */ + srtp_err_status_semaphore_err = 23, /**< error while using semaphores */ + srtp_err_status_pfkey_err = 24, /**< error while using pfkey */ + srtp_err_status_bad_mki = 25, /**< error MKI present in packet is */ + /**< invalid */ + srtp_err_status_pkt_idx_old = 26, /**< packet index is too old to */ + /**< consider */ + srtp_err_status_pkt_idx_adv = 27 /**< packet index advanced, reset */ + /**< needed */ } srtp_err_status_t; - typedef struct srtp_ctx_t_ srtp_ctx_t; /** - * @brief srtp_sec_serv_t describes a set of security services. + * @brief srtp_sec_serv_t describes a set of security services. * * A srtp_sec_serv_t enumeration is used to describe the particular * security services that will be applied by a particular crypto - * policy (or other mechanism). + * policy (or other mechanism). */ - typedef enum { - sec_serv_none = 0, /**< no services */ - sec_serv_conf = 1, /**< confidentiality */ - sec_serv_auth = 2, /**< authentication */ - sec_serv_conf_and_auth = 3 /**< confidentiality and authentication */ + sec_serv_none = 0, /**< no services */ + sec_serv_conf = 1, /**< confidentiality */ + sec_serv_auth = 2, /**< authentication */ + sec_serv_conf_and_auth = 3 /**< confidentiality and authentication */ } srtp_sec_serv_t; -/** +/** * @brief srtp_crypto_policy_t describes a particular crypto policy that * can be applied to an SRTP stream. * * A srtp_crypto_policy_t describes a particular cryptographic policy that * can be applied to an SRTP or SRTCP stream. An SRTP session policy - * consists of a list of these policies, one for each SRTP stream + * consists of a list of these policies, one for each SRTP stream * in the session. */ - typedef struct srtp_crypto_policy_t { - srtp_cipher_type_id_t cipher_type; /**< An integer representing - * the type of cipher. */ - int cipher_key_len; /**< The length of the cipher key - * in octets. */ - srtp_auth_type_id_t auth_type; /**< An integer representing the - * authentication function. */ - int auth_key_len; /**< The length of the authentication - * function key in octets. */ - int auth_tag_len; /**< The length of the authentication - * tag in octets. */ - srtp_sec_serv_t sec_serv; /**< The flag indicating the security - * services to be applied. */ + srtp_cipher_type_id_t cipher_type; /**< An integer representing */ + /**< the type of cipher. */ + int cipher_key_len; /**< The length of the cipher key */ + /**< in octets. */ + srtp_auth_type_id_t auth_type; /**< An integer representing the */ + /**< authentication function. */ + int auth_key_len; /**< The length of the authentication */ + /**< function key in octets. */ + int auth_tag_len; /**< The length of the authentication */ + /**< tag in octets. */ + srtp_sec_serv_t sec_serv; /**< The flag indicating the security */ + /**< services to be applied. */ } srtp_crypto_policy_t; - -/** +/** * @brief srtp_ssrc_type_t describes the type of an SSRC. - * + * * An srtp_ssrc_type_t enumeration is used to indicate a type of SSRC. See * @ref srtp_policy_t for more informataion. */ - -typedef enum { - ssrc_undefined = 0, /**< Indicates an undefined SSRC type. */ - ssrc_specific = 1, /**< Indicates a specific SSRC value */ - ssrc_any_inbound = 2, /**< Indicates any inbound SSRC value - (i.e. a value that is used in the - function srtp_unprotect()) */ - ssrc_any_outbound = 3 /**< Indicates any outbound SSRC value - (i.e. a value that is used in the - function srtp_protect()) */ +typedef enum { + ssrc_undefined = 0, /**< Indicates an undefined SSRC type. */ + ssrc_specific = 1, /**< Indicates a specific SSRC value */ + ssrc_any_inbound = 2, /**< Indicates any inbound SSRC value */ + /**< (i.e. a value that is used in the */ + /**< function srtp_unprotect()) */ + ssrc_any_outbound = 3 /**< Indicates any outbound SSRC value */ + /**< (i.e. a value that is used in the */ + /**< function srtp_protect()) */ } srtp_ssrc_type_t; /** - * @brief An srtp_ssrc_t represents a particular SSRC value, or a `wildcard' SSRC. - * + * @brief An srtp_ssrc_t represents a particular SSRC value, or a `wildcard' + * SSRC. + * * An srtp_ssrc_t represents a particular SSRC value (if its type is * ssrc_specific), or a wildcard SSRC value that will match all * outbound SSRCs (if its type is ssrc_any_outbound) or all inbound - * SSRCs (if its type is ssrc_any_inbound). - * + * SSRCs (if its type is ssrc_any_inbound). */ - -typedef struct { - srtp_ssrc_type_t type; /**< The type of this particular SSRC */ - unsigned int value; /**< The value of this SSRC, if it is not a wildcard */ +typedef struct { + srtp_ssrc_type_t type; /**< The type of this particular SSRC */ + unsigned int value; /**< The value of this SSRC, if it is not a */ + /**< wildcard */ } srtp_ssrc_t; - /** * @brief points to an EKT policy */ typedef struct srtp_ekt_policy_ctx_t *srtp_ekt_policy_t; - /** * @brief points to EKT stream data */ @@ -285,13 +287,13 @@ typedef struct srtp_ekt_stream_ctx_t *srtp_ekt_stream_t; * Index Size to correctly read it from a packet. */ typedef struct srtp_master_key_t { - unsigned char *key; - unsigned char *mki_id; - unsigned int mki_size; + unsigned char *key; + unsigned char *mki_id; + unsigned int mki_size; } srtp_master_key_t; -/** - * @brief represents the policy for an SRTP session. +/** + * @brief represents the policy for an SRTP session. * * A single srtp_policy_t struct represents the policy for a single * SRTP stream, and a linked list of these elements represents the @@ -300,7 +302,7 @@ typedef struct srtp_master_key_t { * master key for that stream, the SSRC describing that stream, or a * flag indicating a `wildcard' SSRC value, and a `next' field that * holds a pointer to the next element in the list of policy elements, - * or NULL if it is the last element. + * or NULL if it is the last element. * * The wildcard value SSRC_ANY_INBOUND matches any SSRC from an * inbound stream that for which there is no explicit SSRC entry in @@ -311,47 +313,44 @@ typedef struct srtp_master_key_t { * is intentional, and it allows libSRTP to ensure that no security * lapses result from accidental re-use of SSRC values during key * sharing. - * - * + * * @warning The final element of the list @b must have its `next' pointer * set to NULL. */ typedef struct srtp_policy_t { - srtp_ssrc_t ssrc; /**< The SSRC value of stream, or the - * flags SSRC_ANY_INBOUND or - * SSRC_ANY_OUTBOUND if key sharing - * is used for this policy element. - */ - srtp_crypto_policy_t rtp; /**< SRTP crypto policy. */ - srtp_crypto_policy_t rtcp; /**< SRTCP crypto policy. */ - unsigned char *key; /**< Pointer to the SRTP master key for - * this stream. */ - srtp_master_key_t **keys; /** Array of Master Key structures */ - unsigned long num_master_keys; /** Number of master keys */ - srtp_ekt_policy_t ekt; /**< Pointer to the EKT policy structure - * for this stream (if any) */ - unsigned long window_size; /**< The window size to use for replay - * protection. */ - int allow_repeat_tx; /**< Whether retransmissions of - * packets with the same sequence number - * are allowed. (Note that such repeated - * transmissions must have the same RTP - * payload, or a severe security weakness - * is introduced!) */ - int *enc_xtn_hdr; /**< List of header ids to encrypt. */ - int enc_xtn_hdr_count; /**< Number of entries in list of header ids. */ - struct srtp_policy_t *next; /**< Pointer to next stream policy. */ + srtp_ssrc_t ssrc; /**< The SSRC value of stream, or the */ + /**< flags SSRC_ANY_INBOUND or */ + /**< SSRC_ANY_OUTBOUND if key sharing */ + /**< is used for this policy element. */ + srtp_crypto_policy_t rtp; /**< SRTP crypto policy. */ + srtp_crypto_policy_t rtcp; /**< SRTCP crypto policy. */ + unsigned char *key; /**< Pointer to the SRTP master key for */ + /**< this stream. */ + srtp_master_key_t **keys; /** Array of Master Key structures */ + unsigned long num_master_keys; /** Number of master keys */ + srtp_ekt_policy_t ekt; /**< Pointer to the EKT policy structure */ + /**< for this stream (if any) */ + unsigned long window_size; /**< The window size to use for replay */ + /**< protection. */ + int allow_repeat_tx; /**< Whether retransmissions of */ + /**< packets with the same sequence */ + /**< number are allowed. */ + /**< (Note that such repeated */ + /**< transmissions must have the same */ + /**< RTP payload, or a severe security */ + /**< weakness is introduced!) */ + int *enc_xtn_hdr; /**< List of header ids to encrypt. */ + int enc_xtn_hdr_count; /**< Number of entries in list of header */ + /**< ids. */ + struct srtp_policy_t *next; /**< Pointer to next stream policy. */ } srtp_policy_t; - - - /** * @brief An srtp_t points to an SRTP session structure. * * The typedef srtp_t is a pointer to a structure that represents - * an SRTP session. This datatype is intentially opaque in + * an SRTP session. This datatype is intentially opaque in * order to separate the interface from the implementation. * * An SRTP session consists of all of the traffic sent to the RTP and @@ -359,17 +358,14 @@ typedef struct srtp_policy_t { * Audio/Video Profile). A session can be viewed as a set of SRTP * streams, each of which originates with a different participant. */ - typedef srtp_ctx_t *srtp_t; - /** - * @brief srtp_init() initializes the srtp library. + * @brief srtp_init() initializes the srtp library. * * @warning This function @b must be called before any other srtp * functions. */ - srtp_err_status_t srtp_init(void); /** @@ -377,20 +373,19 @@ srtp_err_status_t srtp_init(void); * * @warning No srtp functions may be called after calling this function. */ - srtp_err_status_t srtp_shutdown(void); /** * @brief srtp_protect() is the Secure RTP sender-side packet processing * function. - * + * * The function call srtp_protect(ctx, rtp_hdr, len_ptr) applies SRTP * protection to the RTP packet rtp_hdr (which has length *len_ptr) using * the SRTP context ctx. If srtp_err_status_ok is returned, then rtp_hdr * points to the resulting SRTP packet and *len_ptr is the number of * octets in that packet; otherwise, no assumptions should be made * about the value of either data elements. - * + * * The sequence numbers of the RTP packets presented to this function * need not be consecutive, but they @b must be out of order by less * than 2^15 = 32,768 packets. @@ -400,11 +395,11 @@ srtp_err_status_t srtp_shutdown(void); * packet, and assumes that the RTP packet is aligned on a 32-bit * boundary. * - * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN - * into the location in memory immediately following the RTP packet. - * Callers MUST ensure that this much writable memory is available in + * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN + * into the location in memory immediately following the RTP packet. + * Callers MUST ensure that this much writable memory is available in * the buffer that holds the RTP packet. - * + * * @param ctx is the SRTP context to use in processing the packet. * * @param rtp_hdr is a pointer to the RTP packet (before the call); after @@ -415,25 +410,24 @@ srtp_err_status_t srtp_shutdown(void); * complete SRTP packet after the call, if srtp_err_status_ok was returned. * Otherwise, the value of the data to which it points is undefined. * - * @return + * @return * - srtp_err_status_ok no problems * - srtp_err_status_replay_fail rtp sequence number was non-increasing * - @e other failure in cryptographic mechanisms */ - srtp_err_status_t srtp_protect(srtp_t ctx, void *rtp_hdr, int *len_ptr); /** * @brief srtp_protect_mki() is the Secure RTP sender-side packet processing * function that can utilize MKI. - * + * * The function call srtp_protect(ctx, rtp_hdr, len_ptr) applies SRTP * protection to the RTP packet rtp_hdr (which has length *len_ptr) using * the SRTP context ctx. If srtp_err_status_ok is returned, then rtp_hdr * points to the resulting SRTP packet and *len_ptr is the number of * octets in that packet; otherwise, no assumptions should be made * about the value of either data elements. - * + * * The sequence numbers of the RTP packets presented to this function * need not be consecutive, but they @b must be out of order by less * than 2^15 = 32,768 packets. @@ -443,11 +437,11 @@ srtp_err_status_t srtp_protect(srtp_t ctx, void *rtp_hdr, int *len_ptr); * packet, and assumes that the RTP packet is aligned on a 32-bit * boundary. * - * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN - * into the location in memory immediately following the RTP packet. - * Callers MUST ensure that this much writable memory is available in + * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN + * into the location in memory immediately following the RTP packet. + * Callers MUST ensure that this much writable memory is available in * the buffer that holds the RTP packet. - * + * * @param ctx is the SRTP context to use in processing the packet. * * @param rtp_hdr is a pointer to the RTP packet (before the call); after @@ -458,21 +452,23 @@ srtp_err_status_t srtp_protect(srtp_t ctx, void *rtp_hdr, int *len_ptr); * complete SRTP packet after the call, if srtp_err_status_ok was returned. * Otherwise, the value of the data to which it points is undefined. * - * @param use_mki is a boolean to tell the system if mki is being used. If - * set to false then will use the first set of session keys. If set to true will + * @param use_mki is a boolean to tell the system if mki is being used. If + * set to false then will use the first set of session keys. If set to true + * will * use the session keys identified by the mki_index * * @param mki_index integer value specifying which set of session keys should be * used if use_mki is set to true. * - * @return + * @return * - srtp_err_status_ok no problems * - srtp_err_status_replay_fail rtp sequence number was non-increasing * - @e other failure in cryptographic mechanisms */ - -srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx, void *rtp_hdr, - int *pkt_octet_len, unsigned int use_mki, +srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx, + void *rtp_hdr, + int *pkt_octet_len, + unsigned int use_mki, unsigned int mki_index); /** @@ -485,12 +481,12 @@ srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx, void *rtp_hdr, * srtp_err_status_ok is returned, then srtp_hdr points to the resulting * RTP packet and *len_ptr is the number of octets in that packet; * otherwise, no assumptions should be made about the value of either - * data elements. - * + * data elements. + * * The sequence numbers of the RTP packets presented to this function * need not be consecutive, but they @b must be out of order by less * than 2^15 = 32,768 packets. - * + * * @warning This function assumes that the SRTP packet is aligned on a * 32-bit boundary. * @@ -506,16 +502,15 @@ srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx, void *rtp_hdr, * complete rtp packet after the call, if srtp_err_status_ok was returned. * Otherwise, the value of the data to which it points is undefined. * - * @return + * @return * - srtp_err_status_ok if the RTP packet is valid. - * - srtp_err_status_auth_fail if the SRTP packet failed the message - * authentication check. - * - srtp_err_status_replay_fail if the SRTP packet is a replay (e.g. packet has - * already been processed and accepted). + * - srtp_err_status_auth_fail if the SRTP packet failed the message + * authentication check. + * - srtp_err_status_replay_fail if the SRTP packet is a replay (e.g. packet + * has already been processed and accepted). * - [other] if there has been an error in the cryptographic mechanisms. * */ - srtp_err_status_t srtp_unprotect(srtp_t ctx, void *srtp_hdr, int *len_ptr); /** @@ -528,12 +523,12 @@ srtp_err_status_t srtp_unprotect(srtp_t ctx, void *srtp_hdr, int *len_ptr); * srtp_err_status_ok is returned, then srtp_hdr points to the resulting * RTP packet and *len_ptr is the number of octets in that packet; * otherwise, no assumptions should be made about the value of either - * data elements. - * + * data elements. + * * The sequence numbers of the RTP packets presented to this function * need not be consecutive, but they @b must be out of order by less * than 2^15 = 32,768 packets. - * + * * @warning This function assumes that the SRTP packet is aligned on a * 32-bit boundary. * @@ -550,52 +545,52 @@ srtp_err_status_t srtp_unprotect(srtp_t ctx, void *srtp_hdr, int *len_ptr); * Otherwise, the value of the data to which it points is undefined. * * @param use_mki is a boolean to tell the system if mki is being used. If - * set to false then will use the first set of session keys. If set to true will + * set to false then will use the first set of session keys. If set to true + * will * use the session keys identified by the mki_index * - * @return + * @return * - srtp_err_status_ok if the RTP packet is valid. - * - srtp_err_status_auth_fail if the SRTP packet failed the message - * authentication check. - * - srtp_err_status_replay_fail if the SRTP packet is a replay (e.g. packet has - * already been processed and accepted). + * - srtp_err_status_auth_fail if the SRTP packet failed the message + * authentication check. + * - srtp_err_status_replay_fail if the SRTP packet is a replay (e.g. packet + * has already been processed and accepted). * - srtp_err_status_bad_mki if the MKI in the packet is not a known MKI id * - [other] if there has been an error in the cryptographic mechanisms. * */ - -srtp_err_status_t srtp_unprotect_mki(srtp_t ctx, void *srtp_hdr, int *len_ptr, +srtp_err_status_t srtp_unprotect_mki(srtp_t ctx, + void *srtp_hdr, + int *len_ptr, unsigned int use_mki); /** * @brief srtp_create() allocates and initializes an SRTP session. * The function call srtp_create(session, policy) allocates and - * initializes an SRTP session context, applying the given policy. + * initializes an SRTP session context, applying the given policy. * * @param session is a pointer to the SRTP session to which the policy is * to be added. - * + * * @param policy is the srtp_policy_t struct that describes the policy * for the session. The struct may be a single element, or it may be * the head of a list, in which case each element of the list is * processed. It may also be NULL, in which case streams should be added * later using srtp_add_stream(). The final element of the list @b must * have its `next' field set to NULL. - * + * * @return * - srtp_err_status_ok if creation succeded. * - srtp_err_status_alloc_fail if allocation failed. * - srtp_err_status_init_fail if initialization failed. */ - srtp_err_status_t srtp_create(srtp_t *session, const srtp_policy_t *policy); - /** * @brief srtp_add_stream() allocates and initializes an SRTP stream * within a given SRTP session. - * + * * The function call srtp_add_stream(session, policy) allocates and * initializes a new SRTP stream within a given, previously created * session, applying the policy given as the other argument to that @@ -606,13 +601,11 @@ srtp_err_status_t srtp_create(srtp_t *session, const srtp_policy_t *policy); * - srtp_err_status_alloc_fail if stream allocation failed * - srtp_err_status_init_fail if stream initialization failed. */ - srtp_err_status_t srtp_add_stream(srtp_t session, const srtp_policy_t *policy); - /** * @brief srtp_remove_stream() deallocates an SRTP stream. - * + * * The function call srtp_remove_stream(session, ssrc) removes * the SRTP stream with the SSRC value ssrc from the SRTP session * context given by the argument session. @@ -625,13 +618,12 @@ srtp_err_status_t srtp_add_stream(srtp_t session, const srtp_policy_t *policy); * * @warning Wildcard SSRC values cannot be removed from a * session. - * + * * @return * - srtp_err_status_ok if the stream deallocation succeded. * - [other] otherwise. * */ - srtp_err_status_t srtp_remove_stream(srtp_t session, unsigned int ssrc); /** @@ -658,7 +650,6 @@ srtp_err_status_t srtp_remove_stream(srtp_t session, unsigned int ssrc); * - [other] otherwise. * */ - srtp_err_status_t srtp_update(srtp_t session, const srtp_policy_t *policy); /** @@ -682,15 +673,15 @@ srtp_err_status_t srtp_update(srtp_t session, const srtp_policy_t *policy); * - [other] otherwise. * */ - -srtp_err_status_t srtp_update_stream(srtp_t session, const srtp_policy_t *policy); +srtp_err_status_t srtp_update_stream(srtp_t session, + const srtp_policy_t *policy); /** * @brief srtp_crypto_policy_set_rtp_default() sets a crypto policy * structure to the SRTP default policy for RTP protection. * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call crypto_policy_set_rtp_default(&p) sets the * crypto_policy_t at location p to the SRTP default policy for RTP * protection, as defined in the specification. This function is a @@ -699,19 +690,18 @@ srtp_err_status_t srtp_update_stream(srtp_t session, const srtp_policy_t *policy * with this function call. Doing so may allow your code to be * forward compatible with later versions of libSRTP that include more * elements in the crypto_policy_t datatype. - * + * * @return void. - * + * */ - void srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p); /** * @brief srtp_crypto_policy_set_rtcp_default() sets a crypto policy * structure to the SRTP default policy for RTCP protection. * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call srtp_crypto_policy_set_rtcp_default(&p) sets the * srtp_crypto_policy_t at location p to the SRTP default policy for RTCP * protection, as defined in the specification. This function is a @@ -720,37 +710,35 @@ void srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p); * with this function call. Doing so may allow your code to be * forward compatible with later versions of libSRTP that include more * elements in the srtp_crypto_policy_t datatype. - * + * * @return void. - * + * */ - void srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p); /** * @brief srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80() sets a crypto * policy structure to the SRTP default policy for RTP protection. * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80() is a * synonym for srtp_crypto_policy_set_rtp_default(). It conforms to the * naming convention used in RFC 4568 (SDP Security Descriptions for * Media Streams). - * + * * @return void. - * + * */ - -#define srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(p) srtp_crypto_policy_set_rtp_default(p) - +#define srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(p) \ + srtp_crypto_policy_set_rtp_default(p) /** * @brief srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32() sets a crypto * policy structure to a short-authentication tag policy * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(&p) * sets the srtp_crypto_policy_t at location p to use policy * AES_CM_128_HMAC_SHA1_32 as defined in RFC 4568. @@ -760,7 +748,7 @@ void srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p); * considered adequate only for protecting audio and video media that * use a stateless playback function. See Section 7.5 of RFC 3711 * (http://www.ietf.org/rfc/rfc3711.txt). - * + * * This function is a convenience that helps to avoid dealing directly * with the policy data structure. You are encouraged to initialize * policy elements with this function call. Doing so may allow your @@ -773,25 +761,22 @@ void srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p); * (http://www.ietf.org/rfc/rfc3711.txt). * * @return void. - * + * */ - void srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p); - - /** * @brief srtp_crypto_policy_set_aes_cm_128_null_auth() sets a crypto * policy structure to an encryption-only policy * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call srtp_crypto_policy_set_aes_cm_128_null_auth(&p) sets * the srtp_crypto_policy_t at location p to use the SRTP default cipher * (AES-128 Counter Mode), but to use no authentication method. This * policy is NOT RECOMMENDED unless it is unavoidable; see Section 7.5 * of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt). - * + * * This function is a convenience that helps to avoid dealing directly * with the policy data structure. You are encouraged to initialize * policy elements with this function call. Doing so may allow your @@ -803,24 +788,22 @@ void srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p); * Section 7.5 of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt). * * @return void. - * + * */ - void srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p); - /** * @brief srtp_crypto_policy_set_null_cipher_hmac_sha1_80() sets a crypto * policy structure to an authentication-only policy * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call srtp_crypto_policy_set_null_cipher_hmac_sha1_80(&p) * sets the srtp_crypto_policy_t at location p to use HMAC-SHA1 with an 80 * bit authentication tag to provide message authentication, but to * use no encryption. This policy is NOT RECOMMENDED for SRTP unless - * there is a requirement to forego encryption. - * + * there is a requirement to forego encryption. + * * This function is a convenience that helps to avoid dealing directly * with the policy data structure. You are encouraged to initialize * policy elements with this function call. Doing so may allow your @@ -828,24 +811,24 @@ void srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p); * include more elements in the srtp_crypto_policy_t datatype. * * @warning This policy is NOT RECOMMENDED for SRTP unless there is a - * requirement to forego encryption. + * requirement to forego encryption. * * @return void. - * + * */ void srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p); /** * @brief srtp_crypto_policy_set_null_cipher_hmac_null() sets a crypto - * policy structure to use no encryption or authentication. + * policy structure to use no encryption or authentication. + * + * @param p is a pointer to the policy structure to be set * - * @param p is a pointer to the policy structure to be set - * * The function call srtp_crypto_policy_set_null_cipher_hmac_null(&p) * sets the srtp_crypto_policy_t at location p to use no encryption and * no authentication. This policy should only be used for testing and - * troubleshootingl. - * + * troubleshootingl. + * * This function is a convenience that helps to avoid dealing directly * with the policy data structure. You are encouraged to initialize * policy elements with this function call. Doing so may allow your @@ -853,27 +836,26 @@ void srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p); * include more elements in the srtp_crypto_policy_t datatype. * * @warning This policy is NOT RECOMMENDED for SRTP unless there is a - * requirement to forego encryption and authentication. + * requirement to forego encryption and authentication. * * @return void. - * + * */ void srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p); - /** * @brief srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80() sets a crypto - * policy structure to a encryption and authentication policy using AES-256 + * policy structure to a encryption and authentication policy using AES-256 * for RTP protection. * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&p) * sets the srtp_crypto_policy_t at location p to use policy * AES_CM_256_HMAC_SHA1_80 as defined in RFC 6188. This policy uses AES-256 * Counter Mode encryption and HMAC-SHA1 authentication, with an 80 bit * authentication tag. - * + * * This function is a convenience that helps to avoid dealing directly * with the policy data structure. You are encouraged to initialize * policy elements with this function call. Doing so may allow your @@ -881,19 +863,17 @@ void srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p); * include more elements in the srtp_crypto_policy_t datatype. * * @return void. - * + * */ - void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p); - /** * @brief srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32() sets a crypto * policy structure to a short-authentication tag policy using AES-256 * encryption. * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(&p) * sets the srtp_crypto_policy_t at location p to use policy * AES_CM_256_HMAC_SHA1_32 as defined in RFC 6188. This policy uses AES-256 @@ -902,7 +882,7 @@ void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p); * considered adequate only for protecting audio and video media that * use a stateless playback function. See Section 7.5 of RFC 3711 * (http://www.ietf.org/rfc/rfc3711.txt). - * + * * This function is a convenience that helps to avoid dealing directly * with the policy data structure. You are encouraged to initialize * policy elements with this function call. Doing so may allow your @@ -915,9 +895,8 @@ void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p); * (http://www.ietf.org/rfc/rfc3711.txt). * * @return void. - * + * */ - void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p); /** @@ -947,7 +926,6 @@ void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p); */ void srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t *p); - /** * @brief srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80() sets a crypto * policy structure to a encryption and authentication policy using AES-192 @@ -972,7 +950,6 @@ void srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t *p); */ void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p); - /** * @brief srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32() sets a crypto * policy structure to a short-authentication tag policy using AES-192 @@ -1005,7 +982,6 @@ void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p); */ void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p); - /** * @brief srtp_crypto_policy_set_aes_cm_192_null_auth() sets a crypto * policy structure to an encryption-only policy @@ -1033,19 +1009,18 @@ void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p); */ void srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t *p); - /** * @brief srtp_crypto_policy_set_aes_gcm_128_8_auth() sets a crypto * policy structure to an AEAD encryption policy. * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call srtp_crypto_policy_set_aes_gcm_128_8_auth(&p) sets * the srtp_crypto_policy_t at location p to use the SRTP default cipher * (AES-128 Galois Counter Mode) with 8 octet auth tag. This * policy applies confidentiality and authentication to both the * RTP and RTCP packets. - * + * * This function is a convenience that helps to avoid dealing directly * with the policy data structure. You are encouraged to initialize * policy elements with this function call. Doing so may allow your @@ -1053,7 +1028,7 @@ void srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t *p); * include more elements in the srtp_crypto_policy_t datatype. * * @return void. - * + * */ void srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p); @@ -1061,14 +1036,14 @@ void srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p); * @brief srtp_crypto_policy_set_aes_gcm_256_8_auth() sets a crypto * policy structure to an AEAD encryption policy * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call srtp_crypto_policy_set_aes_gcm_256_8_auth(&p) sets * the srtp_crypto_policy_t at location p to use the SRTP default cipher - * (AES-256 Galois Counter Mode) with 8 octet auth tag. This + * (AES-256 Galois Counter Mode) with 8 octet auth tag. This * policy applies confidentiality and authentication to both the * RTP and RTCP packets. - * + * * This function is a convenience that helps to avoid dealing directly * with the policy data structure. You are encouraged to initialize * policy elements with this function call. Doing so may allow your @@ -1076,7 +1051,7 @@ void srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p); * include more elements in the srtp_crypto_policy_t datatype. * * @return void. - * + * */ void srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p); @@ -1084,14 +1059,14 @@ void srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p); * @brief srtp_crypto_policy_set_aes_gcm_128_8_only_auth() sets a crypto * policy structure to an AEAD authentication-only policy * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&p) sets * the srtp_crypto_policy_t at location p to use the SRTP default cipher - * (AES-128 Galois Counter Mode) with 8 octet auth tag. This policy - * applies confidentiality and authentication to the RTP packets, + * (AES-128 Galois Counter Mode) with 8 octet auth tag. This policy + * applies confidentiality and authentication to the RTP packets, * but only authentication to the RTCP packets. - * + * * This function is a convenience that helps to avoid dealing directly * with the policy data structure. You are encouraged to initialize * policy elements with this function call. Doing so may allow your @@ -1099,7 +1074,7 @@ void srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p); * include more elements in the srtp_crypto_policy_t datatype. * * @return void. - * + * */ void srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p); @@ -1107,14 +1082,14 @@ void srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p); * @brief srtp_crypto_policy_set_aes_gcm_256_8_only_auth() sets a crypto * policy structure to an AEAD authentication-only policy * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&p) sets * the srtp_crypto_policy_t at location p to use the SRTP default cipher - * (AES-256 Galois Counter Mode) with 8 octet auth tag. This policy - * applies confidentiality and authentication to the RTP packets, + * (AES-256 Galois Counter Mode) with 8 octet auth tag. This policy + * applies confidentiality and authentication to the RTP packets, * but only authentication to the RTCP packets. - * + * * This function is a convenience that helps to avoid dealing directly * with the policy data structure. You are encouraged to initialize * policy elements with this function call. Doing so may allow your @@ -1122,7 +1097,7 @@ void srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p); * include more elements in the srtp_crypto_policy_t datatype. * * @return void. - * + * */ void srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p); @@ -1130,14 +1105,14 @@ void srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p); * @brief srtp_crypto_policy_set_aes_gcm_128_16_auth() sets a crypto * policy structure to an AEAD encryption policy. * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call srtp_crypto_policy_set_aes_gcm_128_16_auth(&p) sets * the srtp_crypto_policy_t at location p to use the SRTP default cipher * (AES-128 Galois Counter Mode) with 16 octet auth tag. This * policy applies confidentiality and authentication to both the * RTP and RTCP packets. - * + * * This function is a convenience that helps to avoid dealing directly * with the policy data structure. You are encouraged to initialize * policy elements with this function call. Doing so may allow your @@ -1145,7 +1120,7 @@ void srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p); * include more elements in the srtp_crypto_policy_t datatype. * * @return void. - * + * */ void srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p); @@ -1153,14 +1128,14 @@ void srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p); * @brief srtp_crypto_policy_set_aes_gcm_256_16_auth() sets a crypto * policy structure to an AEAD encryption policy * - * @param p is a pointer to the policy structure to be set - * + * @param p is a pointer to the policy structure to be set + * * The function call srtp_crypto_policy_set_aes_gcm_256_16_auth(&p) sets * the srtp_crypto_policy_t at location p to use the SRTP default cipher - * (AES-256 Galois Counter Mode) with 16 octet auth tag. This + * (AES-256 Galois Counter Mode) with 16 octet auth tag. This * policy applies confidentiality and authentication to both the * RTP and RTCP packets. - * + * * This function is a convenience that helps to avoid dealing directly * with the policy data structure. You are encouraged to initialize * policy elements with this function call. Doing so may allow your @@ -1168,15 +1143,14 @@ void srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p); * include more elements in the srtp_crypto_policy_t datatype. * * @return void. - * + * */ void srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p); - /** * @brief srtp_dealloc() deallocates storage for an SRTP session * context. - * + * * The function call srtp_dealloc(s) deallocates storage for the * SRTP session context s. This function should be called no more * than one time for each of the contexts allocated by the function @@ -1188,30 +1162,26 @@ void srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p); * - srtp_err_status_ok if there no problems. * - srtp_err_status_dealloc_fail a memory deallocation failure occured. */ - srtp_err_status_t srtp_dealloc(srtp_t s); - /* - * @brief identifies a particular SRTP profile + * @brief identifies a particular SRTP profile * * An srtp_profile_t enumeration is used to identify a particular SRTP * profile (that is, a set of algorithms and parameters). These profiles * are defined for DTLS-SRTP: * https://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml */ - typedef enum { - srtp_profile_reserved = 0, - srtp_profile_aes128_cm_sha1_80 = 1, - srtp_profile_aes128_cm_sha1_32 = 2, - srtp_profile_null_sha1_80 = 5, - srtp_profile_null_sha1_32 = 6, - srtp_profile_aead_aes_128_gcm = 7, - srtp_profile_aead_aes_256_gcm = 8, + srtp_profile_reserved = 0, + srtp_profile_aes128_cm_sha1_80 = 1, + srtp_profile_aes128_cm_sha1_32 = 2, + srtp_profile_null_sha1_80 = 5, + srtp_profile_null_sha1_32 = 6, + srtp_profile_aead_aes_128_gcm = 7, + srtp_profile_aead_aes_256_gcm = 8, } srtp_profile_t; - /** * @brief srtp_crypto_policy_set_from_profile_for_rtp() sets a crypto policy * structure to the appropriate value for RTP based on an srtp_profile_t @@ -1232,13 +1202,12 @@ typedef enum { * * @return values * - srtp_err_status_ok no problems were encountered - * - srtp_err_status_bad_param the profile is not supported + * - srtp_err_status_bad_param the profile is not supported * */ -srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtp(srtp_crypto_policy_t *policy, srtp_profile_t profile); - - - +srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtp( + srtp_crypto_policy_t *policy, + srtp_profile_t profile); /** * @brief srtp_crypto_policy_set_from_profile_for_rtcp() sets a crypto policy @@ -1263,48 +1232,43 @@ srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtp(srtp_crypto_policy * - srtp_err_status_bad_param the profile is not supported * */ -srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtcp(srtp_crypto_policy_t *policy, srtp_profile_t profile); +srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtcp( + srtp_crypto_policy_t *policy, + srtp_profile_t profile); /** * @brief returns the master key length for a given SRTP profile */ -unsigned int -srtp_profile_get_master_key_length(srtp_profile_t profile); - +unsigned int srtp_profile_get_master_key_length(srtp_profile_t profile); /** * @brief returns the master salt length for a given SRTP profile */ -unsigned int -srtp_profile_get_master_salt_length(srtp_profile_t profile); +unsigned int srtp_profile_get_master_salt_length(srtp_profile_t profile); /** * @brief appends the salt to the key * - * The function call srtp_append_salt_to_key(k, klen, s, slen) + * The function call srtp_append_salt_to_key(k, klen, s, slen) * copies the string s to the location at klen bytes following - * the location k. + * the location k. * * @warning There must be at least bytes_in_salt + bytes_in_key bytes * available at the location pointed to by key. - * + * */ - -void -srtp_append_salt_to_key(unsigned char *key, unsigned int bytes_in_key, - unsigned char *salt, unsigned int bytes_in_salt); - - +void srtp_append_salt_to_key(unsigned char *key, + unsigned int bytes_in_key, + unsigned char *salt, + unsigned int bytes_in_salt); /** * @} */ - - /** * @defgroup SRTCP Secure RTCP - * @ingroup SRTP + * @ingroup SRTP * * @brief Secure RTCP functions are used to protect RTCP traffic. * @@ -1312,36 +1276,36 @@ srtp_append_salt_to_key(unsigned char *key, unsigned int bytes_in_key, * traffic in much the same way as it does RTP traffic. The function * srtp_protect_rtcp() applies cryptographic protections to outbound * RTCP packets, and srtp_unprotect_rtcp() verifies the protections on - * inbound RTCP packets. + * inbound RTCP packets. * * A note on the naming convention: srtp_protect_rtcp() has an srtp_t * as its first argument, and thus has `srtp_' as its prefix. The - * trailing `_rtcp' indicates the protocol on which it acts. - * + * trailing `_rtcp' indicates the protocol on which it acts. + * * @{ */ /** * @brief srtp_protect_rtcp() is the Secure RTCP sender-side packet * processing function. - * + * * The function call srtp_protect_rtcp(ctx, rtp_hdr, len_ptr) applies * SRTCP protection to the RTCP packet rtcp_hdr (which has length * *len_ptr) using the SRTP session context ctx. If srtp_err_status_ok is * returned, then rtp_hdr points to the resulting SRTCP packet and * *len_ptr is the number of octets in that packet; otherwise, no * assumptions should be made about the value of either data elements. - * + * * @warning This function assumes that it can write the authentication * tag into the location in memory immediately following the RTCP * packet, and assumes that the RTCP packet is aligned on a 32-bit * boundary. * - * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN+4 - * into the location in memory immediately following the RTCP packet. - * Callers MUST ensure that this much writable memory is available in + * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN+4 + * into the location in memory immediately following the RTCP packet. + * Callers MUST ensure that this much writable memory is available in * the buffer that holds the RTCP packet. - * + * * @param ctx is the SRTP context to use in processing the packet. * * @param rtcp_hdr is a pointer to the RTCP packet (before the call); after @@ -1353,37 +1317,36 @@ srtp_append_salt_to_key(unsigned char *key, unsigned int bytes_in_key, * was returned. Otherwise, the value of the data to which it points * is undefined. * - * @return + * @return * - srtp_err_status_ok if there were no problems. - * - [other] if there was a failure in + * - [other] if there was a failure in * the cryptographic mechanisms. */ - - -srtp_err_status_t srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len); - +srtp_err_status_t srtp_protect_rtcp(srtp_t ctx, + void *rtcp_hdr, + int *pkt_octet_len); /** * @brief srtp_protect_rtcp_mki() is the Secure RTCP sender-side packet * processing function that can utilize mki. - * + * * The function call srtp_protect_rtcp(ctx, rtp_hdr, len_ptr) applies * SRTCP protection to the RTCP packet rtcp_hdr (which has length * *len_ptr) using the SRTP session context ctx. If srtp_err_status_ok is * returned, then rtp_hdr points to the resulting SRTCP packet and * *len_ptr is the number of octets in that packet; otherwise, no * assumptions should be made about the value of either data elements. - * + * * @warning This function assumes that it can write the authentication * tag into the location in memory immediately following the RTCP * packet, and assumes that the RTCP packet is aligned on a 32-bit * boundary. * - * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN+4 - * into the location in memory immediately following the RTCP packet. - * Callers MUST ensure that this much writable memory is available in + * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN+4 + * into the location in memory immediately following the RTCP packet. + * Callers MUST ensure that this much writable memory is available in * the buffer that holds the RTCP packet. - * + * * @param ctx is the SRTP context to use in processing the packet. * * @param rtcp_hdr is a pointer to the RTCP packet (before the call); after @@ -1395,21 +1358,24 @@ srtp_err_status_t srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_l * was returned. Otherwise, the value of the data to which it points * is undefined. * - * @param use_mki is a boolean to tell the system if mki is being used. If - * set to false then will use the first set of session keys. If set to true will + * @param use_mki is a boolean to tell the system if mki is being used. If + * set to false then will use the first set of session keys. If set to true + * will * use the session keys identified by the mki_index * * @param mki_index integer value specifying which set of session kesy should be * used if use_mki is set to true. * - * @return + * @return * - srtp_err_status_ok if there were no problems. - * - [other] if there was a failure in + * - [other] if there was a failure in * the cryptographic mechanisms. */ - -srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len, - unsigned int use_mki, unsigned int mki_index); +srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx, + void *rtcp_hdr, + int *pkt_octet_len, + unsigned int use_mki, + unsigned int mki_index); /** * @brief srtp_unprotect_rtcp() is the Secure RTCP receiver-side packet @@ -1422,7 +1388,7 @@ srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx, void *rtcp_hdr, int *pkt_oct * to the resulting RTCP packet and *len_ptr is the number of octets * in that packet; otherwise, no assumptions should be made about the * value of either data elements. - * + * * @warning This function assumes that the SRTCP packet is aligned on a * 32-bit boundary. * @@ -1440,17 +1406,18 @@ srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx, void *rtcp_hdr, int *pkt_oct * returned. Otherwise, the value of the data to which it points is * undefined. * - * @return + * @return * - srtp_err_status_ok if the RTCP packet is valid. - * - srtp_err_status_auth_fail if the SRTCP packet failed the message + * - srtp_err_status_auth_fail if the SRTCP packet failed the message * authentication check. * - srtp_err_status_replay_fail if the SRTCP packet is a replay (e.g. has * already been processed and accepted). * - [other] if there has been an error in the cryptographic mechanisms. * */ - -srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len); +srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx, + void *srtcp_hdr, + int *pkt_octet_len); /** * @brief srtp_unprotect_rtcp() is the Secure RTCP receiver-side packet @@ -1463,7 +1430,7 @@ srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octe * to the resulting RTCP packet and *len_ptr is the number of octets * in that packet; otherwise, no assumptions should be made about the * value of either data elements. - * + * * @warning This function assumes that the SRTCP packet is aligned on a * 32-bit boundary. * @@ -1482,21 +1449,23 @@ srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octe * undefined. * * @param use_mki is a boolean to tell the system if mki is being used. If - * set to false then will use the first set of session keys. If set to true will - * use the session keys identified by the mki_index + * set to false then will use the first set of session keys. If set to true + * will use the session keys identified by the mki_index * - * @return + * @return * - srtp_err_status_ok if the RTCP packet is valid. - * - srtp_err_status_auth_fail if the SRTCP packet failed the message - * authentication check. + * - srtp_err_status_auth_fail if the SRTCP packet failed the message + * authentication check. * - srtp_err_status_replay_fail if the SRTCP packet is a replay (e.g. has - * already been processed and accepted). - * - srtp_err_status_bad_mki if the MKI in the packet is not a known MKI id - * - [other] if there has been an error in the cryptographic mechanisms. + * already been processed and accepted). + * - srtp_err_status_bad_mki if the MKI in the packet is not a known MKI + * id + * - [other] if there has been an error in the + * cryptographic mechanisms. * */ - -srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx, void *srtcp_hdr, +srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx, + void *srtcp_hdr, int *pkt_octet_len, unsigned int use_mki); @@ -1504,7 +1473,6 @@ srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx, void *srtcp_hdr, * @} */ - /** * @defgroup User data associated to a SRTP session. * @ingroup SRTP @@ -1527,9 +1495,7 @@ srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx, void *srtcp_hdr, * @return void. * */ - -void -srtp_set_user_data(srtp_t ctx, void *data); +void srtp_set_user_data(srtp_t ctx, void *data); /** * @brief srtp_get_user_data() retrieves the pointer to the custom data @@ -1546,23 +1512,20 @@ srtp_set_user_data(srtp_t ctx, void *data); * @return void* pointer to the user data. * */ - -void* -srtp_get_user_data(srtp_t ctx); +void *srtp_get_user_data(srtp_t ctx); /** * @} */ - /** * @defgroup SRTPevents SRTP events and callbacks * @ingroup SRTP * - * @brief libSRTP can use a user-provided callback function to + * @brief libSRTP can use a user-provided callback function to * handle events. * - * + * * libSRTP allows a user to provide a callback function to handle * events that need to be dealt with outside of the data plane (see * the enum srtp_event_t for a description of these events). Dealing @@ -1583,8 +1546,8 @@ srtp_get_user_data(srtp_t ctx); * @brief srtp_event_t defines events that need to be handled * * The enum srtp_event_t defines events that need to be handled - * outside the `data plane', such as SSRC collisions and - * key expirations. + * outside the `data plane', such as SSRC collisions and + * key expirations. * * When a key expires or the maximum number of packets has been * reached, an SRTP stream will enter an `expired' state in which no @@ -1596,34 +1559,28 @@ srtp_get_user_data(srtp_t ctx); * are unaffected, unless key sharing is used by that stream. In the * latter case, all of the streams in the session will expire. */ - -typedef enum { - event_ssrc_collision, /**< - * An SSRC collision occured. - */ - event_key_soft_limit, /**< An SRTP stream reached the soft key - * usage limit and will expire soon. - */ - event_key_hard_limit, /**< An SRTP stream reached the hard - * key usage limit and has expired. - */ - event_packet_index_limit /**< An SRTP stream reached the hard - * packet limit (2^48 packets). - */ +typedef enum { + event_ssrc_collision, /**< An SSRC collision occured. */ + event_key_soft_limit, /**< An SRTP stream reached the soft key */ + /**< usage limit and will expire soon. */ + event_key_hard_limit, /**< An SRTP stream reached the hard */ + /**< key usage limit and has expired. */ + event_packet_index_limit /**< An SRTP stream reached the hard */ + /**< packet limit (2^48 packets). */ } srtp_event_t; /** - * @brief srtp_event_data_t is the structure passed as a callback to + * @brief srtp_event_data_t is the structure passed as a callback to * the event handler function * * The struct srtp_event_data_t holds the data passed to the event - * handler function. + * handler function. */ - typedef struct srtp_event_data_t { - srtp_t session; /**< The session in which the event happend. */ - uint32_t ssrc; /**< The ssrc in host order of the stream in which the event happend */ - srtp_event_t event; /**< An enum indicating the type of event. */ + srtp_t session; /**< The session in which the event happend. */ + uint32_t ssrc; /**< The ssrc in host order of the stream in which */ + /**< the event happend */ + srtp_event_t event; /**< An enum indicating the type of event. */ } srtp_event_data_t; /** @@ -1636,12 +1593,11 @@ typedef struct srtp_event_data_t { * There can only be a single, global handler for all events in * libSRTP. */ - -typedef void (srtp_event_handler_func_t)(srtp_event_data_t *data); +typedef void(srtp_event_handler_func_t)(srtp_event_data_t *data); /** * @brief sets the event handler to the function supplied by the caller. - * + * * The function call srtp_install_event_handler(func) sets the event * handler function to the value func. The value NULL is acceptable * as an argument; in this case, events will be ignored rather than @@ -1651,24 +1607,23 @@ typedef void (srtp_event_handler_func_t)(srtp_event_data_t *data); * pointer as an argument and returns void. This function * will be used by libSRTP to handle events. */ - srtp_err_status_t srtp_install_event_handler(srtp_event_handler_func_t func); /** - * @brief Returns the version string of the library. - * + * @brief Returns the version string of the library. + * */ const char *srtp_get_version_string(void); /** - * @brief Returns the numeric representation of the library version. - * + * @brief Returns the numeric representation of the library version. + * */ unsigned int srtp_get_version(void); /** * @brief srtp_set_debug_module(mod_name, v) - * + * * sets dynamic debugging to the value v (0 for off, 1 for on) for the * debug module with the name mod_name * @@ -1706,7 +1661,9 @@ typedef enum { * There can only be a single, global handler for all log messages in * libSRTP. */ -typedef void (srtp_log_handler_func_t)(srtp_log_level_t level, const char * msg, void *data); +typedef void(srtp_log_handler_func_t)(srtp_log_level_t level, + const char *msg, + void *data); /** * @brief sets the log handler to the function supplied by the caller. @@ -1719,34 +1676,44 @@ typedef void (srtp_log_handler_func_t)(srtp_log_level_t level, const char * msg, * * @param func is a pointer to a fuction of type srtp_log_handler_func_t. * This function will be used by libSRTP to output log messages. - * @param data is a user pointer that will be returned as the data argument in func. + * @param data is a user pointer that will be returned as the data argument in + * func. */ -srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func, void *data); +srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func, + void *data); /** * @brief srtp_get_protect_trailer_length(session, use_mki, mki_index, length) * - * Determines the length of the amount of data Lib SRTP will add to the - * packet during the protect process. The length is returned in the length parameter + * Determines the length of the amount of data Lib SRTP will add to the + * packet during the protect process. The length is returned in the length + * parameter * - * returns err_status_ok on success, err_status_bad_mki if the MKI index is invalid + * returns err_status_ok on success, err_status_bad_mki if the MKI index is + * invalid * */ -srtp_err_status_t srtp_get_protect_trailer_length(srtp_t session, uint32_t use_mki, - uint32_t mki_index, uint32_t *length); +srtp_err_status_t srtp_get_protect_trailer_length(srtp_t session, + uint32_t use_mki, + uint32_t mki_index, + uint32_t *length); /** - * @brief srtp_get_protect_rtcp_trailer_length(session, use_mki, mki_index, length) + * @brief srtp_get_protect_rtcp_trailer_length(session, use_mki, mki_index, + * length) * - * Determines the length of the amount of data Lib SRTP will add to the - * packet during the protect process. The length is returned in the length parameter + * Determines the length of the amount of data Lib SRTP will add to the + * packet during the protect process. The length is returned in the length + * parameter * - * returns err_status_ok on success, err_status_bad_mki if the MKI index is invalid + * returns err_status_ok on success, err_status_bad_mki if the MKI index is + * invalid * */ -srtp_err_status_t srtp_get_protect_rtcp_trailer_length(srtp_t session, uint32_t use_mki, - uint32_t mki_index, uint32_t *length); - +srtp_err_status_t srtp_get_protect_rtcp_trailer_length(srtp_t session, + uint32_t use_mki, + uint32_t mki_index, + uint32_t *length); /** * @brief srtp_set_stream_roc(session, ssrc, roc) @@ -1757,7 +1724,9 @@ srtp_err_status_t srtp_get_protect_rtcp_trailer_length(srtp_t session, uint32_t * stream found * */ -srtp_err_status_t srtp_set_stream_roc(srtp_t session, uint32_t ssrc, uint32_t roc); +srtp_err_status_t srtp_set_stream_roc(srtp_t session, + uint32_t ssrc, + uint32_t roc); /** * @brief srtp_get_stream_roc(session, ssrc, roc) @@ -1768,14 +1737,17 @@ srtp_err_status_t srtp_set_stream_roc(srtp_t session, uint32_t ssrc, uint32_t ro * stream found * */ -srtp_err_status_t srtp_get_stream_roc(srtp_t session, uint32_t ssrc, uint32_t *roc); - +srtp_err_status_t srtp_get_stream_roc(srtp_t session, + uint32_t ssrc, + uint32_t *roc); /** * @} */ + /* in host order, so outside the #if */ -#define SRTCP_E_BIT 0x80000000 +#define SRTCP_E_BIT 0x80000000 + /* for byte-access */ #define SRTCP_E_BYTE_BIT 0x80 #define SRTCP_INDEX_MASK 0x7fffffff diff --git a/libs/srtp/include/srtp_priv.h b/libs/srtp/include/srtp_priv.h index 5d84161407..82116f3b86 100644 --- a/libs/srtp/include/srtp_priv.h +++ b/libs/srtp/include/srtp_priv.h @@ -7,26 +7,26 @@ * Cisco Systems, Inc. */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -62,14 +62,14 @@ extern "C" { #endif -#define SRTP_VER_STRING PACKAGE_STRING -#define SRTP_VERSION PACKAGE_VERSION +#define SRTP_VER_STRING PACKAGE_STRING +#define SRTP_VERSION PACKAGE_VERSION typedef struct srtp_stream_ctx_t_ srtp_stream_ctx_t; typedef srtp_stream_ctx_t *srtp_stream_t; /* - * the following declarations are libSRTP internal functions + * the following declarations are libSRTP internal functions */ /* @@ -78,7 +78,6 @@ typedef srtp_stream_ctx_t *srtp_stream_t; */ srtp_stream_t srtp_get_stream(srtp_t srtp, uint32_t ssrc); - /* * srtp_stream_init_keys(s, k) (re)initializes the srtp_stream_t s by * deriving all of the needed keys using the KDF and the key k. @@ -88,29 +87,29 @@ srtp_err_status_t srtp_stream_init_keys(srtp_stream_ctx_t *srtp, const unsigned int current_mki_index); /* - * srtp_stream_init_all_master_keys(s, k, m) (re)initializes the srtp_stream_t s by - * deriving all of the needed keys for all the master keys using the KDF and the keys from k. + * srtp_stream_init_all_master_keys(s, k, m) (re)initializes the srtp_stream_t s + * by deriving all of the needed keys for all the master keys using the KDF and + * the keys from k. */ -srtp_err_status_t srtp_steam_init_all_master_keys(srtp_stream_ctx_t *srtp, - unsigned char *key, - srtp_master_key_t **keys, - const unsigned int max_master_keys); +srtp_err_status_t srtp_steam_init_all_master_keys( + srtp_stream_ctx_t *srtp, + unsigned char *key, + srtp_master_key_t **keys, + const unsigned int max_master_keys); /* - * srtp_stream_init(s, p) initializes the srtp_stream_t s to + * srtp_stream_init(s, p) initializes the srtp_stream_t s to * use the policy at the location p */ srtp_err_status_t srtp_stream_init(srtp_stream_t srtp, const srtp_policy_t *p); - /* - * libsrtp internal datatypes + * libsrtp internal datatypes */ - -typedef enum direction_t { - dir_unknown = 0, - dir_srtp_sender = 1, - dir_srtp_receiver = 2 +typedef enum direction_t { + dir_unknown = 0, + dir_srtp_sender = 1, + dir_srtp_receiver = 2 } direction_t; /* @@ -119,56 +118,52 @@ typedef enum direction_t { * MKI ID which is used to identify the session keys. */ typedef struct srtp_session_keys_t { - srtp_cipher_t *rtp_cipher; - srtp_cipher_t *rtp_xtn_hdr_cipher; - srtp_auth_t *rtp_auth; - srtp_cipher_t *rtcp_cipher; - srtp_auth_t *rtcp_auth; - uint8_t salt[SRTP_AEAD_SALT_LEN]; - uint8_t c_salt[SRTP_AEAD_SALT_LEN]; - uint8_t *mki_id; - unsigned int mki_size; - srtp_key_limit_ctx_t *limit; + srtp_cipher_t *rtp_cipher; + srtp_cipher_t *rtp_xtn_hdr_cipher; + srtp_auth_t *rtp_auth; + srtp_cipher_t *rtcp_cipher; + srtp_auth_t *rtcp_auth; + uint8_t salt[SRTP_AEAD_SALT_LEN]; + uint8_t c_salt[SRTP_AEAD_SALT_LEN]; + uint8_t *mki_id; + unsigned int mki_size; + srtp_key_limit_ctx_t *limit; } srtp_session_keys_t; - -/* +/* * an srtp_stream_t has its own SSRC, encryption key, authentication * key, sequence number, and replay database - * + * * note that the keys might not actually be unique, in which case the * srtp_cipher_t and srtp_auth_t pointers will point to the same structures */ - typedef struct srtp_stream_ctx_t_ { - uint32_t ssrc; - srtp_session_keys_t *session_keys; - unsigned int num_master_keys; - srtp_rdbx_t rtp_rdbx; - srtp_sec_serv_t rtp_services; - srtp_rdb_t rtcp_rdb; - srtp_sec_serv_t rtcp_services; - direction_t direction; - int allow_repeat_tx; - srtp_ekt_stream_t ekt; - int *enc_xtn_hdr; - int enc_xtn_hdr_count; - uint32_t pending_roc; - struct srtp_stream_ctx_t_ *next; /* linked list of streams */ + uint32_t ssrc; + srtp_session_keys_t *session_keys; + unsigned int num_master_keys; + srtp_rdbx_t rtp_rdbx; + srtp_sec_serv_t rtp_services; + srtp_rdb_t rtcp_rdb; + srtp_sec_serv_t rtcp_services; + direction_t direction; + int allow_repeat_tx; + srtp_ekt_stream_t ekt; + int *enc_xtn_hdr; + int enc_xtn_hdr_count; + uint32_t pending_roc; + struct srtp_stream_ctx_t_ *next; /* linked list of streams */ } strp_stream_ctx_t_; - /* * an srtp_ctx_t holds a stream list and a service description */ - typedef struct srtp_ctx_t_ { - struct srtp_stream_ctx_t_ *stream_list; /* linked list of streams */ - struct srtp_stream_ctx_t_ *stream_template; /* act as template for other streams */ - void *user_data; /* user custom data */ + struct srtp_stream_ctx_t_ *stream_list; /* linked list of streams */ + struct srtp_stream_ctx_t_ *stream_template; /* act as template for other */ + /* streams */ + void *user_data; /* user custom data */ } srtp_ctx_t_; - /* * srtp_hdr_t represents an RTP or SRTP header. The bit-fields in * this structure should be declared "unsigned int" instead of @@ -181,10 +176,6 @@ typedef struct srtp_ctx_t_ { * is not identical) */ -#ifdef _MSC_VER -#pragma pack(push, r1, 1) -#endif - #ifndef WORDS_BIGENDIAN typedef struct { @@ -194,9 +185,9 @@ typedef struct { unsigned version : 2; /* protocol version */ unsigned pt : 7; /* payload type */ unsigned m : 1; /* marker bit */ - unsigned seq : 16; /* sequence number */ - unsigned ts : 32; /* timestamp */ - uint32_t ssrc; /* synchronization source */ + uint16_t seq; /* sequence number */ + uint32_t ts; /* timestamp */ + uint32_t ssrc; /* synchronization source */ } srtp_hdr_t; #else /* BIG_ENDIAN */ @@ -208,19 +199,18 @@ typedef struct { unsigned cc : 4; /* CSRC count */ unsigned m : 1; /* marker bit */ unsigned pt : 7; /* payload type */ - unsigned seq: 16; /* sequence number */ - unsigned ts : 32; /* timestamp */ - uint32_t ssrc; /* synchronization source */ + uint16_t seq; /* sequence number */ + uint32_t ts; /* timestamp */ + uint32_t ssrc; /* synchronization source */ } srtp_hdr_t; #endif typedef struct { - uint16_t profile_specific; /* profile-specific info */ - uint16_t length; /* number of 32-bit words in extension */ + uint16_t profile_specific; /* profile-specific info */ + uint16_t length; /* number of 32-bit words in extension */ } srtp_hdr_xtnd_t; - /* * srtcp_hdr_t represents a secure rtcp header * @@ -231,61 +221,57 @@ typedef struct { #ifndef WORDS_BIGENDIAN typedef struct { - unsigned rc : 5; /* reception report count */ - unsigned p : 1; /* padding flag */ - unsigned version : 2; /* protocol version */ - unsigned pt : 8; /* payload type */ - unsigned len : 16; /* length */ + unsigned rc : 5; /* reception report count */ + unsigned p : 1; /* padding flag */ + unsigned version : 2; /* protocol version */ + unsigned pt : 8; /* payload type */ + uint16_t len; /* length */ uint32_t ssrc; /* synchronization source */ } srtcp_hdr_t; typedef struct { - unsigned int index : 31; /* srtcp packet index in network order! */ - unsigned int e : 1; /* encrypted? 1=yes */ - /* optional mikey/etc go here */ - /* and then the variable-length auth tag */ + unsigned int index : 31; /* srtcp packet index in network order! */ + unsigned int e : 1; /* encrypted? 1=yes */ + /* optional mikey/etc go here */ + /* and then the variable-length auth tag */ } srtcp_trailer_t; #else /* BIG_ENDIAN */ typedef struct { - unsigned version : 2; /* protocol version */ - unsigned p : 1; /* padding flag */ - unsigned rc : 5; /* reception report count */ - unsigned pt : 8; /* payload type */ - unsigned len : 16; /* length */ + unsigned version : 2; /* protocol version */ + unsigned p : 1; /* padding flag */ + unsigned rc : 5; /* reception report count */ + unsigned pt : 8; /* payload type */ + uint16_t len; /* length */ uint32_t ssrc; /* synchronization source */ } srtcp_hdr_t; typedef struct { - unsigned int e : 1; /* encrypted? 1=yes */ - unsigned int index : 31; /* srtcp packet index */ - /* optional mikey/etc go here */ - /* and then the variable-length auth tag */ + unsigned int e : 1; /* encrypted? 1=yes */ + unsigned int index : 31; /* srtcp packet index */ + /* optional mikey/etc go here */ + /* and then the variable-length auth tag */ } srtcp_trailer_t; #endif -#ifdef _MSC_VER -#pragma pack(pop, r1) -#endif - /* * srtp_handle_event(srtp, srtm, evnt) calls the event handling * function, if there is one. * - * This macro is not included in the documentation as it is + * This macro is not included in the documentation as it is * an internal-only function. */ -#define srtp_handle_event(srtp, strm, evnt) \ - if(srtp_event_handler) { \ - srtp_event_data_t data; \ - data.session = srtp; \ - data.ssrc = ntohl(strm->ssrc); \ - data.event = evnt; \ - srtp_event_handler(&data); \ -} +#define srtp_handle_event(srtp, strm, evnt) \ + if (srtp_event_handler) { \ + srtp_event_data_t data; \ + data.session = srtp; \ + data.ssrc = ntohl(strm->ssrc); \ + data.event = evnt; \ + srtp_event_handler(&data); \ + } #ifdef __cplusplus } diff --git a/libs/srtp/include/ut_sim.h b/libs/srtp/include/ut_sim.h index d5c04baee7..e678b5fdf7 100644 --- a/libs/srtp/include/ut_sim.h +++ b/libs/srtp/include/ut_sim.h @@ -9,26 +9,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -44,41 +44,37 @@ * */ - - #ifndef UT_SIM_H #define UT_SIM_H -#include "integers.h" /* for uint32_t */ +#include "integers.h" /* for uint32_t */ #ifdef __cplusplus extern "C" { #endif -#define UT_BUF 160 /* maximum amount of packet reorder */ +#define UT_BUF 160 /* maximum amount of packet reorder */ typedef struct { - uint32_t index; - uint32_t buffer[UT_BUF]; + uint32_t index; + uint32_t buffer[UT_BUF]; } ut_connection; /* - * ut_init(&u) initializes the ut_connection + * ut_init(&u) initializes the ut_connection * * this function should always be the first one called on a new * ut_connection */ -void -ut_init(ut_connection *utc); +void ut_init(ut_connection *utc); /* * ut_next_index(&u) returns the next index from the simulated * unreliable connection */ -uint32_t -ut_next_index(ut_connection *utc); +uint32_t ut_next_index(ut_connection *utc); #ifdef __cplusplus } diff --git a/libs/srtp/libsrtp.2017.vcxproj b/libs/srtp/libsrtp.2017.vcxproj index 576bcd8cb2..db7e71a8e3 100644 --- a/libs/srtp/libsrtp.2017.vcxproj +++ b/libs/srtp/libsrtp.2017.vcxproj @@ -392,6 +392,7 @@ <ClInclude Include="crypto\include\alloc.h" /> <ClInclude Include="crypto\include\auth.h" /> <ClInclude Include="crypto\include\cipher.h" /> + <ClInclude Include="crypto\include\cipher_types.h" /> <ClInclude Include="crypto\include\config.h" /> <ClInclude Include="crypto\include\crypto_kernel.h" /> <ClInclude Include="crypto\include\crypto_types.h" /> diff --git a/libs/srtp/srtp-1.42.pc.in b/libs/srtp/srtp-1.42.pc.in deleted file mode 100644 index bef2c422ff..0000000000 --- a/libs/srtp/srtp-1.42.pc.in +++ /dev/null @@ -1,10 +0,0 @@ -prefix = @prefix@ -exec_prefix = @exec_prefix@ -libdir = @libdir@ -includedir = @includedir@ - -Name: srtp -Description: Secure RTP (SRTP) and UST Reference Implementations -Version: @VERSION@ -Libs: -L${libdir} -lsrtp.so -Cflags: -I${includedir}/srtp diff --git a/libs/srtp/srtp/ekt.c b/libs/srtp/srtp/ekt.c index cd2c05d9c7..b54ecf64eb 100644 --- a/libs/srtp/srtp/ekt.c +++ b/libs/srtp/srtp/ekt.c @@ -2,31 +2,31 @@ * ekt.c * * Encrypted Key Transport for SRTP - * + * * David McGrew * Cisco Systems, Inc. */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -42,7 +42,6 @@ * */ - #include "srtp_priv.h" #include "err.h" #include "ekt.h" @@ -64,195 +63,219 @@ extern srtp_debug_module_t mod_srtp; * | Initial Sequence Number | Security Parameter Index | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * - */ + */ #define EKT_OCTETS_AFTER_BASE_TAG 24 -#define EKT_OCTETS_AFTER_EMK 8 -#define EKT_OCTETS_AFTER_ROC 4 -#define EKT_SPI_LEN 2 - -unsigned srtp_ekt_octets_after_base_tag(srtp_ekt_stream_t ekt) { - /* - * if the pointer ekt is NULL, then EKT is not in effect, so we - * indicate this by returning zero - */ - if (!ekt) +#define EKT_OCTETS_AFTER_EMK 8 +#define EKT_OCTETS_AFTER_ROC 4 +#define EKT_SPI_LEN 2 + +unsigned srtp_ekt_octets_after_base_tag(srtp_ekt_stream_t ekt) +{ + /* + * if the pointer ekt is NULL, then EKT is not in effect, so we + * indicate this by returning zero + */ + if (!ekt) + return 0; + + switch (ekt->data->ekt_cipher_type) { + case SRTP_EKT_CIPHER_AES_128_ECB: + return 16 + EKT_OCTETS_AFTER_EMK; + break; + default: + break; + } return 0; - - switch(ekt->data->ekt_cipher_type) { - case SRTP_EKT_CIPHER_AES_128_ECB: - return 16 + EKT_OCTETS_AFTER_EMK; - break; - default: - break; - } - return 0; } -static inline srtp_ekt_spi_t srtcp_packet_get_ekt_spi(const uint8_t *packet_start, unsigned pkt_octet_len) { - const uint8_t *spi_location; - - spi_location = packet_start + (pkt_octet_len - EKT_SPI_LEN); - - return *((const srtp_ekt_spi_t *)spi_location); -} +static inline srtp_ekt_spi_t srtcp_packet_get_ekt_spi( + const uint8_t *packet_start, + unsigned pkt_octet_len) +{ + const uint8_t *spi_location; + + spi_location = packet_start + (pkt_octet_len - EKT_SPI_LEN); -static inline uint32_t srtcp_packet_get_ekt_roc(const uint8_t *packet_start, unsigned pkt_octet_len) { - const uint8_t *roc_location; - - roc_location = packet_start + (pkt_octet_len - EKT_OCTETS_AFTER_ROC); - - return *((const uint32_t *)roc_location); + return *((const srtp_ekt_spi_t *)spi_location); } -static inline const uint8_t * srtcp_packet_get_emk_location(const uint8_t *packet_start, unsigned pkt_octet_len) { - const uint8_t *location; - - location = packet_start + (pkt_octet_len - EKT_OCTETS_AFTER_BASE_TAG); +static inline uint32_t srtcp_packet_get_ekt_roc(const uint8_t *packet_start, + unsigned pkt_octet_len) +{ + const uint8_t *roc_location; + + roc_location = packet_start + (pkt_octet_len - EKT_OCTETS_AFTER_ROC); - return location; + return *((const uint32_t *)roc_location); } +static inline const uint8_t *srtcp_packet_get_emk_location( + const uint8_t *packet_start, + unsigned pkt_octet_len) +{ + const uint8_t *location; -srtp_err_status_t srtp_ekt_alloc(srtp_ekt_stream_t *stream_data, srtp_ekt_policy_t policy) { + location = packet_start + (pkt_octet_len - EKT_OCTETS_AFTER_BASE_TAG); - /* - * if the policy pointer is NULL, then EKT is not in use - * so we just set the EKT stream data pointer to NULL - */ - if (!policy) { - *stream_data = NULL; - return srtp_err_status_ok; - } + return location; +} - /* TODO */ - *stream_data = NULL; +srtp_err_status_t srtp_ekt_alloc(srtp_ekt_stream_t *stream_data, + srtp_ekt_policy_t policy) +{ + /* + * if the policy pointer is NULL, then EKT is not in use + * so we just set the EKT stream data pointer to NULL + */ + if (!policy) { + *stream_data = NULL; + return srtp_err_status_ok; + } + + /* TODO */ + *stream_data = NULL; - return srtp_err_status_ok; + return srtp_err_status_ok; } -srtp_err_status_t srtp_ekt_stream_init_from_policy(srtp_ekt_stream_t stream_data, srtp_ekt_policy_t policy) { - if (!stream_data) - return srtp_err_status_ok; +srtp_err_status_t srtp_ekt_stream_init_from_policy( + srtp_ekt_stream_t stream_data, + srtp_ekt_policy_t policy) +{ + if (!stream_data) + return srtp_err_status_ok; - return srtp_err_status_ok; + return srtp_err_status_ok; } - -void aes_decrypt_with_raw_key(void *ciphertext, const void *key, int key_len) { +void aes_decrypt_with_raw_key(void *ciphertext, const void *key, int key_len) +{ #ifndef OPENSSL -//FIXME: need to get this working through the crypto module interface - srtp_aes_expanded_key_t expanded_key; + // FIXME: need to get this working through the crypto module interface + srtp_aes_expanded_key_t expanded_key; - srtp_aes_expand_decryption_key(key, key_len, &expanded_key); - srtp_aes_decrypt(ciphertext, &expanded_key); + srtp_aes_expand_decryption_key(key, key_len, &expanded_key); + srtp_aes_decrypt(ciphertext, &expanded_key); #endif } /* * The function srtp_stream_init_from_ekt() initializes a stream using - * the EKT data from an SRTCP trailer. + * the EKT data from an SRTCP trailer. */ -srtp_err_status_t srtp_stream_init_from_ekt(srtp_stream_t stream, const void *srtcp_hdr, unsigned pkt_octet_len) { - srtp_err_status_t err; - const uint8_t *master_key; - srtp_policy_t srtp_policy; - uint32_t roc; - - /* - * NOTE: at present, we only support a single ekt_policy at a time. - */ - if (stream->ekt->data->spi != - srtcp_packet_get_ekt_spi(srtcp_hdr, pkt_octet_len)) - return srtp_err_status_no_ctx; - - if (stream->ekt->data->ekt_cipher_type != SRTP_EKT_CIPHER_AES_128_ECB) - return srtp_err_status_bad_param; - - /* decrypt the Encrypted Master Key field */ - master_key = srtcp_packet_get_emk_location(srtcp_hdr, pkt_octet_len); - /* FIX!? This decrypts the master key in-place, and never uses it */ - /* FIX!? It's also passing to ekt_dec_key (which is an aes_expanded_key_t) - * to a function which expects a raw (unexpanded) key */ - aes_decrypt_with_raw_key((void*)master_key, &stream->ekt->data->ekt_dec_key, 16); - - /* set the SRTP ROC */ - roc = srtcp_packet_get_ekt_roc(srtcp_hdr, pkt_octet_len); - err = srtp_rdbx_set_roc(&stream->rtp_rdbx, roc); - if (err) return err; - - err = srtp_stream_init(stream, &srtp_policy); - if (err) return err; - - return srtp_err_status_ok; -} +srtp_err_status_t srtp_stream_init_from_ekt(srtp_stream_t stream, + const void *srtcp_hdr, + unsigned pkt_octet_len) +{ + srtp_err_status_t err; + const uint8_t *master_key; + srtp_policy_t srtp_policy; + uint32_t roc; + + /* + * NOTE: at present, we only support a single ekt_policy at a time. + */ + if (stream->ekt->data->spi != + srtcp_packet_get_ekt_spi(srtcp_hdr, pkt_octet_len)) + return srtp_err_status_no_ctx; + + if (stream->ekt->data->ekt_cipher_type != SRTP_EKT_CIPHER_AES_128_ECB) + return srtp_err_status_bad_param; + + /* decrypt the Encrypted Master Key field */ + master_key = srtcp_packet_get_emk_location(srtcp_hdr, pkt_octet_len); + /* FIX!? This decrypts the master key in-place, and never uses it */ + /* FIX!? It's also passing to ekt_dec_key (which is an aes_expanded_key_t) + * to a function which expects a raw (unexpanded) key */ + aes_decrypt_with_raw_key((void *)master_key, + &stream->ekt->data->ekt_dec_key, 16); + + /* set the SRTP ROC */ + roc = srtcp_packet_get_ekt_roc(srtcp_hdr, pkt_octet_len); + err = srtp_rdbx_set_roc(&stream->rtp_rdbx, roc); + if (err) + return err; + + err = srtp_stream_init(stream, &srtp_policy); + if (err) + return err; -void srtp_ekt_write_data(srtp_ekt_stream_t ekt, uint8_t *base_tag, unsigned base_tag_len, int *packet_len, srtp_xtd_seq_num_t pkt_index) { - uint32_t roc; - uint16_t isn; - unsigned emk_len; - uint8_t *packet; - - /* if the pointer ekt is NULL, then EKT is not in effect */ - if (!ekt) { - debug_print(mod_srtp, "EKT not in use", NULL); - return; - } - - /* write zeros into the location of the base tag */ - octet_string_set_to_zero(base_tag, base_tag_len); - packet = base_tag + base_tag_len; - - /* copy encrypted master key into packet */ - emk_len = srtp_ekt_octets_after_base_tag(ekt); - memcpy(packet, ekt->encrypted_master_key, emk_len); - debug_print(mod_srtp, "writing EKT EMK: %s,", - srtp_octet_string_hex_string(packet, emk_len)); - packet += emk_len; - - /* copy ROC into packet */ - roc = (uint32_t)(pkt_index >> 16); - *((uint32_t *)packet) = be32_to_cpu(roc); - debug_print(mod_srtp, "writing EKT ROC: %s,", - srtp_octet_string_hex_string(packet, sizeof(roc))); - packet += sizeof(roc); - - /* copy ISN into packet */ - isn = (uint16_t)pkt_index; - *((uint16_t *)packet) = htons(isn); - debug_print(mod_srtp, "writing EKT ISN: %s,", - srtp_octet_string_hex_string(packet, sizeof(isn))); - packet += sizeof(isn); - - /* copy SPI into packet */ - *((uint16_t *)packet) = htons(ekt->data->spi); - debug_print(mod_srtp, "writing EKT SPI: %s,", - srtp_octet_string_hex_string(packet, sizeof(ekt->data->spi))); - - /* increase packet length appropriately */ - *packet_len += EKT_OCTETS_AFTER_EMK + emk_len; + return srtp_err_status_ok; } +void srtp_ekt_write_data(srtp_ekt_stream_t ekt, + uint8_t *base_tag, + unsigned base_tag_len, + int *packet_len, + srtp_xtd_seq_num_t pkt_index) +{ + uint32_t roc; + uint16_t isn; + unsigned emk_len; + uint8_t *packet; + + /* if the pointer ekt is NULL, then EKT is not in effect */ + if (!ekt) { + debug_print(mod_srtp, "EKT not in use", NULL); + return; + } + + /* write zeros into the location of the base tag */ + octet_string_set_to_zero(base_tag, base_tag_len); + packet = base_tag + base_tag_len; + + /* copy encrypted master key into packet */ + emk_len = srtp_ekt_octets_after_base_tag(ekt); + memcpy(packet, ekt->encrypted_master_key, emk_len); + debug_print(mod_srtp, "writing EKT EMK: %s,", + srtp_octet_string_hex_string(packet, emk_len)); + packet += emk_len; + + /* copy ROC into packet */ + roc = (uint32_t)(pkt_index >> 16); + *((uint32_t *)packet) = be32_to_cpu(roc); + debug_print(mod_srtp, "writing EKT ROC: %s,", + srtp_octet_string_hex_string(packet, sizeof(roc))); + packet += sizeof(roc); + + /* copy ISN into packet */ + isn = (uint16_t)pkt_index; + *((uint16_t *)packet) = htons(isn); + debug_print(mod_srtp, "writing EKT ISN: %s,", + srtp_octet_string_hex_string(packet, sizeof(isn))); + packet += sizeof(isn); + + /* copy SPI into packet */ + *((uint16_t *)packet) = htons(ekt->data->spi); + debug_print(mod_srtp, "writing EKT SPI: %s,", + srtp_octet_string_hex_string(packet, sizeof(ekt->data->spi))); + + /* increase packet length appropriately */ + *packet_len += EKT_OCTETS_AFTER_EMK + emk_len; +} /* * The function call srtcp_ekt_trailer(ekt, auth_len, auth_tag ) - * + * * If the pointer ekt is NULL, then the other inputs are unaffected. * * auth_tag is a pointer to the pointer to the location of the * authentication tag in the packet. If EKT is in effect, then the - * auth_tag pointer is set to the location + * auth_tag pointer is set to the location */ -void srtcp_ekt_trailer(srtp_ekt_stream_t ekt, unsigned *auth_len, void **auth_tag, void *tag_copy) { - /* - * if there is no EKT policy, then the other inputs are unaffected - */ - if (!ekt) - return; - - /* copy auth_tag into temporary location */ - +void srtcp_ekt_trailer(srtp_ekt_stream_t ekt, + unsigned *auth_len, + void **auth_tag, + void *tag_copy) +{ + /* + * if there is no EKT policy, then the other inputs are unaffected + */ + if (!ekt) + return; + + /* copy auth_tag into temporary location */ } - diff --git a/libs/srtp/srtp/srtp.c b/libs/srtp/srtp/srtp.c index ede804f1d0..44625015e7 100644 --- a/libs/srtp/srtp/srtp.c +++ b/libs/srtp/srtp/srtp.c @@ -7,26 +7,26 @@ * Cisco Systems, Inc. */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -48,66 +48,67 @@ #include "srtp_priv.h" #include "crypto_types.h" #include "err.h" -#include "ekt.h" /* for SRTP Encrypted Key Transport */ -#include "alloc.h" /* for srtp_crypto_alloc() */ +#include "ekt.h" /* for SRTP Encrypted Key Transport */ +#include "alloc.h" /* for srtp_crypto_alloc() */ + #ifdef OPENSSL -#include "aes_gcm_ossl.h" /* for AES GCM mode */ -# ifdef OPENSSL_KDF -# include <openssl/kdf.h> -# include "aes_icm_ossl.h" /* for AES GCM mode */ -# endif +#include "aes_gcm_ossl.h" /* for AES GCM mode */ +#ifdef OPENSSL_KDF +#include <openssl/kdf.h> +#include "aes_icm_ossl.h" /* for AES GCM mode */ +#endif #endif #include <limits.h> #ifdef HAVE_NETINET_IN_H -# include <netinet/in.h> +#include <netinet/in.h> #elif defined(HAVE_WINSOCK2_H) -# include <winsock2.h> +#include <winsock2.h> #endif - /* the debug module for srtp */ - srtp_debug_module_t mod_srtp = { - 0, /* debugging is off by default */ - "srtp" /* printable name for module */ + 0, /* debugging is off by default */ + "srtp" /* printable name for module */ }; -#define octets_in_rtp_header 12 -#define uint32s_in_rtp_header 3 -#define octets_in_rtcp_header 8 +#define octets_in_rtp_header 12 +#define uint32s_in_rtp_header 3 +#define octets_in_rtcp_header 8 #define uint32s_in_rtcp_header 2 #define octets_in_rtp_extn_hdr 4 -static srtp_err_status_t -srtp_validate_rtp_header(void *rtp_hdr, int *pkt_octet_len) { - if (*pkt_octet_len < octets_in_rtp_header) - return srtp_err_status_bad_param; - - srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; +static srtp_err_status_t srtp_validate_rtp_header(void *rtp_hdr, + int *pkt_octet_len) +{ + if (*pkt_octet_len < octets_in_rtp_header) + return srtp_err_status_bad_param; - /* Check RTP header length */ - int rtp_header_len = octets_in_rtp_header + 4 * hdr->cc; - if (hdr->x == 1) - rtp_header_len += octets_in_rtp_extn_hdr; + srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; - if (*pkt_octet_len < rtp_header_len) - return srtp_err_status_bad_param; + /* Check RTP header length */ + int rtp_header_len = octets_in_rtp_header + 4 * hdr->cc; + if (hdr->x == 1) + rtp_header_len += octets_in_rtp_extn_hdr; - /* Verifing profile length. */ - if (hdr->x == 1) { - srtp_hdr_xtnd_t *xtn_hdr = - (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc); - int profile_len = ntohs(xtn_hdr->length); - rtp_header_len += profile_len * 4; - /* profile length counts the number of 32-bit words */ if (*pkt_octet_len < rtp_header_len) - return srtp_err_status_bad_param; - } - return srtp_err_status_ok; + return srtp_err_status_bad_param; + + /* Verifing profile length. */ + if (hdr->x == 1) { + srtp_hdr_xtnd_t *xtn_hdr = + (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header + + hdr->cc); + int profile_len = ntohs(xtn_hdr->length); + rtp_header_len += profile_len * 4; + /* profile length counts the number of 32-bit words */ + if (*pkt_octet_len < rtp_header_len) + return srtp_err_status_bad_param; + } + return srtp_err_status_ok; } -const char *srtp_get_version_string () +const char *srtp_get_version_string() { /* * Simply return the autotools generated string @@ -115,29 +116,29 @@ const char *srtp_get_version_string () return SRTP_VER_STRING; } -unsigned int srtp_get_version () +unsigned int srtp_get_version() { unsigned int major = 0, minor = 0, micro = 0; unsigned int rv = 0; int parse_rv; /* - * Parse the autotools generated version + * Parse the autotools generated version */ parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, &micro); if (parse_rv != 3) { - /* - * We're expected to parse all 3 version levels. - * If not, then this must not be an official release. - * Return all zeros on the version - */ - return (0); + /* + * We're expected to parse all 3 version levels. + * If not, then this must not be an official release. + * Return all zeros on the version + */ + return (0); } - /* + /* * We allow 8 bits for the major and minor, while * allowing 16 bits for the micro. 16 bits for the micro - * may be beneficial for a continuous delivery model + * may be beneficial for a continuous delivery model * in the future. */ rv |= (major & 0xFF) << 24; @@ -146,445 +147,409 @@ unsigned int srtp_get_version () return rv; } -/* Release (maybe partially allocated) stream. */ -static void -srtp_stream_free(srtp_stream_ctx_t *str) { - unsigned int i = 0; - srtp_session_keys_t *session_keys = NULL; +srtp_err_status_t srtp_stream_dealloc(srtp_stream_ctx_t *stream, + const srtp_stream_ctx_t *stream_template) +{ + srtp_err_status_t status; + unsigned int i = 0; + srtp_session_keys_t *session_keys = NULL; + srtp_session_keys_t *template_session_keys = NULL; - for (i = 0; i < str->num_master_keys; i++) { - session_keys = &str->session_keys[i]; + /* + * we use a conservative deallocation strategy - if any deallocation + * fails, then we report that fact without trying to deallocate + * anything else + */ + if (stream->session_keys) { + for (i = 0; i < stream->num_master_keys; i++) { + session_keys = &stream->session_keys[i]; + + if (stream_template && + stream->num_master_keys == stream_template->num_master_keys) { + template_session_keys = &stream_template->session_keys[i]; + } else { + template_session_keys = NULL; + } - if (session_keys->rtp_xtn_hdr_cipher) { - srtp_cipher_dealloc(session_keys->rtp_xtn_hdr_cipher); - } + /* + * deallocate cipher, if it is not the same as that in template + */ + if (template_session_keys && + session_keys->rtp_cipher == template_session_keys->rtp_cipher) { + /* do nothing */ + } else if (session_keys->rtp_cipher) { + status = srtp_cipher_dealloc(session_keys->rtp_cipher); + if (status) + return status; + } - if (session_keys->rtcp_cipher) { - srtp_cipher_dealloc(session_keys->rtcp_cipher); - } + /* + * deallocate auth function, if it is not the same as that in + * template + */ + if (template_session_keys && + session_keys->rtp_auth == template_session_keys->rtp_auth) { + /* do nothing */ + } else if (session_keys->rtp_auth) { + status = srtp_auth_dealloc(session_keys->rtp_auth); + if (status) + return status; + } - if (session_keys->rtcp_auth) { - srtp_auth_dealloc(session_keys->rtcp_auth); - } + if (template_session_keys && + session_keys->rtp_xtn_hdr_cipher == + template_session_keys->rtp_xtn_hdr_cipher) { + /* do nothing */ + } else if (session_keys->rtp_xtn_hdr_cipher) { + status = srtp_cipher_dealloc(session_keys->rtp_xtn_hdr_cipher); + if (status) + return status; + } - if (session_keys->rtp_cipher) { - srtp_cipher_dealloc(session_keys->rtp_cipher); - } + /* + * deallocate rtcp cipher, if it is not the same as that in + * template + */ + if (template_session_keys && + session_keys->rtcp_cipher == + template_session_keys->rtcp_cipher) { + /* do nothing */ + } else if (session_keys->rtcp_cipher) { + status = srtp_cipher_dealloc(session_keys->rtcp_cipher); + if (status) + return status; + } - if (session_keys->rtp_auth) { - srtp_auth_dealloc(session_keys->rtp_auth); - } + /* + * deallocate rtcp auth function, if it is not the same as that in + * template + */ + if (template_session_keys && + session_keys->rtcp_auth == template_session_keys->rtcp_auth) { + /* do nothing */ + } else if (session_keys->rtcp_auth) { + status = srtp_auth_dealloc(session_keys->rtcp_auth); + if (status) + return status; + } - if (session_keys->mki_id) { - srtp_crypto_free(session_keys->mki_id); - } + /* + * zeroize the salt value + */ + octet_string_set_to_zero(session_keys->salt, SRTP_AEAD_SALT_LEN); + octet_string_set_to_zero(session_keys->c_salt, SRTP_AEAD_SALT_LEN); + + if (session_keys->mki_id) { + octet_string_set_to_zero(session_keys->mki_id, + session_keys->mki_size); + srtp_crypto_free(session_keys->mki_id); + session_keys->mki_id = NULL; + } - if (session_keys->limit) { - srtp_crypto_free(session_keys->limit); + /* + * deallocate key usage limit, if it is not the same as that in + * template + */ + if (template_session_keys && + session_keys->limit == template_session_keys->limit) { + /* do nothing */ + } else if (session_keys->limit) { + srtp_crypto_free(session_keys->limit); + } + } + srtp_crypto_free(stream->session_keys); } - } - - srtp_crypto_free(str->session_keys); - if (str->enc_xtn_hdr) { - srtp_crypto_free(str->enc_xtn_hdr); - } + status = srtp_rdbx_dealloc(&stream->rtp_rdbx); + if (status) + return status; - srtp_crypto_free(str); -} + /* DAM - need to deallocate EKT here */ -srtp_err_status_t -srtp_stream_alloc(srtp_stream_ctx_t **str_ptr, - const srtp_policy_t *p) { - srtp_stream_ctx_t *str; - srtp_err_status_t stat; - unsigned int i = 0; - srtp_session_keys_t *session_keys = NULL; - - /* - * This function allocates the stream context, rtp and rtcp ciphers - * and auth functions, and key limit structure. If there is a - * failure during allocation, we free all previously allocated - * memory and return a failure code. The code could probably - * be improved, but it works and should be clear. - */ - - /* allocate srtp stream and set str_ptr */ - str = (srtp_stream_ctx_t *) srtp_crypto_alloc(sizeof(srtp_stream_ctx_t)); - if (str == NULL) - return srtp_err_status_alloc_fail; - - memset(str, 0, sizeof(srtp_stream_ctx_t)); - *str_ptr = str; - - /* To keep backwards API compatible if someone is using multiple master - * keys then key should be set to NULL - */ - if (p->key != NULL) { - str->num_master_keys = 1; - } else { - str->num_master_keys = p->num_master_keys; - } - - str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc( - sizeof(srtp_session_keys_t) * str->num_master_keys); - - if (str->session_keys == NULL) { - srtp_stream_free(str); - return srtp_err_status_alloc_fail; - } - - memset(str->session_keys, 0, sizeof(srtp_session_keys_t) * str->num_master_keys); - - for (i = 0; i < str->num_master_keys; i++) { - session_keys = &str->session_keys[i]; - - /* allocate cipher */ - stat = srtp_crypto_kernel_alloc_cipher(p->rtp.cipher_type, - &session_keys->rtp_cipher, - p->rtp.cipher_key_len, - p->rtp.auth_tag_len); - if (stat) { - srtp_stream_free(str); - return stat; + if (stream_template && + stream->enc_xtn_hdr == stream_template->enc_xtn_hdr) { + /* do nothing */ + } else if (stream->enc_xtn_hdr) { + srtp_crypto_free(stream->enc_xtn_hdr); } - /* allocate auth function */ - stat = srtp_crypto_kernel_alloc_auth(p->rtp.auth_type, - &session_keys->rtp_auth, - p->rtp.auth_key_len, - p->rtp.auth_tag_len); - if (stat) { - srtp_stream_free(str); - return stat; - } + /* deallocate srtp stream context */ + srtp_crypto_free(stream); + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_stream_alloc(srtp_stream_ctx_t **str_ptr, + const srtp_policy_t *p) +{ + srtp_stream_ctx_t *str; + srtp_err_status_t stat; + unsigned int i = 0; + srtp_session_keys_t *session_keys = NULL; /* - * ...and now the RTCP-specific initialization - first, allocate - * the cipher + * This function allocates the stream context, rtp and rtcp ciphers + * and auth functions, and key limit structure. If there is a + * failure during allocation, we free all previously allocated + * memory and return a failure code. The code could probably + * be improved, but it works and should be clear. */ - stat = srtp_crypto_kernel_alloc_cipher(p->rtcp.cipher_type, - &session_keys->rtcp_cipher, - p->rtcp.cipher_key_len, - p->rtcp.auth_tag_len); - if (stat) { - srtp_stream_free(str); - return stat; - } - - /* allocate auth function */ - stat = srtp_crypto_kernel_alloc_auth(p->rtcp.auth_type, - &session_keys->rtcp_auth, - p->rtcp.auth_key_len, - p->rtcp.auth_tag_len); - if (stat) { - srtp_stream_free(str); - return stat; - } - - session_keys->mki_id = NULL; - /* allocate key limit structure */ - session_keys->limit = (srtp_key_limit_ctx_t*) srtp_crypto_alloc(sizeof(srtp_key_limit_ctx_t)); - if (session_keys->limit == NULL) { - srtp_stream_free(str); + /* allocate srtp stream and set str_ptr */ + str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t)); + if (str == NULL) return srtp_err_status_alloc_fail; - } - } - - /* allocate ekt data associated with stream */ - stat = srtp_ekt_alloc(&str->ekt, p->ekt); - if (stat) { - srtp_stream_free(str); - return stat; - } - if (p->enc_xtn_hdr && p->enc_xtn_hdr_count > 0) { - srtp_cipher_type_id_t enc_xtn_hdr_cipher_type; - int enc_xtn_hdr_cipher_key_len; + *str_ptr = str; - str->enc_xtn_hdr = (int*) srtp_crypto_alloc(p->enc_xtn_hdr_count * sizeof(p->enc_xtn_hdr[0])); - if (!str->enc_xtn_hdr) { - srtp_stream_free(str); - return srtp_err_status_alloc_fail; + /* + *To keep backwards API compatible if someone is using multiple master + * keys then key should be set to NULL + */ + if (p->key != NULL) { + str->num_master_keys = 1; + } else { + str->num_master_keys = p->num_master_keys; } - memcpy(str->enc_xtn_hdr, p->enc_xtn_hdr, p->enc_xtn_hdr_count * sizeof(p->enc_xtn_hdr[0])); - str->enc_xtn_hdr_count = p->enc_xtn_hdr_count; - /* For GCM ciphers, the corresponding ICM cipher is used for header extensions encryption. */ - switch (p->rtp.cipher_type) { - case SRTP_AES_GCM_128: - enc_xtn_hdr_cipher_type = SRTP_AES_ICM_128; - enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; - break; - case SRTP_AES_GCM_256: - enc_xtn_hdr_cipher_type = SRTP_AES_ICM_256; - enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; - break; - default: - enc_xtn_hdr_cipher_type = p->rtp.cipher_type; - enc_xtn_hdr_cipher_key_len = p->rtp.cipher_key_len; - break; - } + str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc( + sizeof(srtp_session_keys_t) * str->num_master_keys); - for (i = 0; i < str->num_master_keys; i++) { - session_keys = &str->session_keys[i]; - - /* allocate cipher for extensions header encryption */ - stat = srtp_crypto_kernel_alloc_cipher(enc_xtn_hdr_cipher_type, - &session_keys->rtp_xtn_hdr_cipher, - enc_xtn_hdr_cipher_key_len, - 0); - if (stat) { - srtp_stream_free(str); - return stat; - } + if (str->session_keys == NULL) { + srtp_stream_dealloc(str, NULL); + return srtp_err_status_alloc_fail; } - } else { + for (i = 0; i < str->num_master_keys; i++) { - session_keys = &str->session_keys[i]; - session_keys->rtp_xtn_hdr_cipher = NULL; - } + session_keys = &str->session_keys[i]; + + /* allocate cipher */ + stat = srtp_crypto_kernel_alloc_cipher( + p->rtp.cipher_type, &session_keys->rtp_cipher, + p->rtp.cipher_key_len, p->rtp.auth_tag_len); + if (stat) { + srtp_stream_dealloc(str, NULL); + return stat; + } - str->enc_xtn_hdr = NULL; - str->enc_xtn_hdr_count = 0; - } + /* allocate auth function */ + stat = srtp_crypto_kernel_alloc_auth( + p->rtp.auth_type, &session_keys->rtp_auth, p->rtp.auth_key_len, + p->rtp.auth_tag_len); + if (stat) { + srtp_stream_dealloc(str, NULL); + return stat; + } - return srtp_err_status_ok; -} + /* + * ...and now the RTCP-specific initialization - first, allocate + * the cipher + */ + stat = srtp_crypto_kernel_alloc_cipher( + p->rtcp.cipher_type, &session_keys->rtcp_cipher, + p->rtcp.cipher_key_len, p->rtcp.auth_tag_len); + if (stat) { + srtp_stream_dealloc(str, NULL); + return stat; + } -srtp_err_status_t -srtp_stream_dealloc(srtp_stream_ctx_t *stream, srtp_stream_ctx_t *stream_template) { - srtp_err_status_t status; - unsigned int i = 0; - srtp_session_keys_t *session_keys = NULL; - srtp_session_keys_t *template_session_keys = NULL; - - /* - * we use a conservative deallocation strategy - if any deallocation - * fails, then we report that fact without trying to deallocate - * anything else - */ - for ( i = 0; i < stream->num_master_keys; i++) { - session_keys = &stream->session_keys[i]; - - if (stream_template) { - template_session_keys = &stream_template->session_keys[i]; - } else { - template_session_keys = NULL; - } + /* allocate auth function */ + stat = srtp_crypto_kernel_alloc_auth( + p->rtcp.auth_type, &session_keys->rtcp_auth, p->rtcp.auth_key_len, + p->rtcp.auth_tag_len); + if (stat) { + srtp_stream_dealloc(str, NULL); + return stat; + } - /* deallocate cipher, if it is not the same as that in template */ - if (template_session_keys - && session_keys->rtp_cipher == template_session_keys->rtp_cipher) { - /* do nothing */ - } else { - status = srtp_cipher_dealloc(session_keys->rtp_cipher); - if (status) - return status; - } + session_keys->mki_id = NULL; - /* deallocate auth function, if it is not the same as that in template */ - if (template_session_keys - && session_keys->rtp_auth == template_session_keys->rtp_auth) { - /* do nothing */ - } else { - status = srtp_auth_dealloc(session_keys->rtp_auth); - if (status) - return status; + /* allocate key limit structure */ + session_keys->limit = (srtp_key_limit_ctx_t *)srtp_crypto_alloc( + sizeof(srtp_key_limit_ctx_t)); + if (session_keys->limit == NULL) { + srtp_stream_dealloc(str, NULL); + return srtp_err_status_alloc_fail; + } } - if (template_session_keys - && session_keys->rtp_xtn_hdr_cipher == template_session_keys->rtp_xtn_hdr_cipher) { - /* do nothing */ - } else if (session_keys->rtp_xtn_hdr_cipher) { - status = srtp_cipher_dealloc(session_keys->rtp_xtn_hdr_cipher); - if (status) - return status; + /* allocate ekt data associated with stream */ + stat = srtp_ekt_alloc(&str->ekt, p->ekt); + if (stat) { + srtp_stream_dealloc(str, NULL); + return stat; } - /* - * deallocate rtcp cipher, if it is not the same as that in - * template - */ - if (template_session_keys - && session_keys->rtcp_cipher == template_session_keys->rtcp_cipher) { - /* do nothing */ - } else { - status = srtp_cipher_dealloc(session_keys->rtcp_cipher); - if (status) - return status; - } + if (p->enc_xtn_hdr && p->enc_xtn_hdr_count > 0) { + srtp_cipher_type_id_t enc_xtn_hdr_cipher_type; + int enc_xtn_hdr_cipher_key_len; - /* - * deallocate rtcp auth function, if it is not the same as that in - * template - */ - if (template_session_keys - && session_keys->rtcp_auth == template_session_keys->rtcp_auth) { - /* do nothing */ - } else { - status = srtp_auth_dealloc(session_keys->rtcp_auth); - if (status) - return status; - } + str->enc_xtn_hdr = (int *)srtp_crypto_alloc(p->enc_xtn_hdr_count * + sizeof(p->enc_xtn_hdr[0])); + if (!str->enc_xtn_hdr) { + srtp_stream_dealloc(str, NULL); + return srtp_err_status_alloc_fail; + } + memcpy(str->enc_xtn_hdr, p->enc_xtn_hdr, + p->enc_xtn_hdr_count * sizeof(p->enc_xtn_hdr[0])); + str->enc_xtn_hdr_count = p->enc_xtn_hdr_count; - /* - * zeroize the salt value - */ - octet_string_set_to_zero(session_keys->salt, SRTP_AEAD_SALT_LEN); - octet_string_set_to_zero(session_keys->c_salt, SRTP_AEAD_SALT_LEN); + /* + * For GCM ciphers, the corresponding ICM cipher is used for header + * extensions encryption. + */ + switch (p->rtp.cipher_type) { + case SRTP_AES_GCM_128: + enc_xtn_hdr_cipher_type = SRTP_AES_ICM_128; + enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; + break; + case SRTP_AES_GCM_256: + enc_xtn_hdr_cipher_type = SRTP_AES_ICM_256; + enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; + break; + default: + enc_xtn_hdr_cipher_type = p->rtp.cipher_type; + enc_xtn_hdr_cipher_key_len = p->rtp.cipher_key_len; + break; + } - if (session_keys->mki_id) { - octet_string_set_to_zero(session_keys->mki_id, session_keys->mki_size); - srtp_crypto_free(session_keys->mki_id); - session_keys->mki_id = NULL; - } + for (i = 0; i < str->num_master_keys; i++) { + session_keys = &str->session_keys[i]; - /* deallocate key usage limit, if it is not the same as that in template */ - if (template_session_keys - && session_keys->limit == template_session_keys->limit) { - /* do nothing */ + /* allocate cipher for extensions header encryption */ + stat = srtp_crypto_kernel_alloc_cipher( + enc_xtn_hdr_cipher_type, &session_keys->rtp_xtn_hdr_cipher, + enc_xtn_hdr_cipher_key_len, 0); + if (stat) { + srtp_stream_dealloc(str, NULL); + return stat; + } + } } else { - srtp_crypto_free(session_keys->limit); - } - - } - - if (stream_template - && stream->session_keys == stream_template->session_keys) { - /* do nothing */ - } else { - srtp_crypto_free(stream->session_keys); - } - - status = srtp_rdbx_dealloc(&stream->rtp_rdbx); - if (status) - return status; - - /* DAM - need to deallocate EKT here */ - - if (stream_template - && stream->enc_xtn_hdr == stream_template->enc_xtn_hdr) { - /* do nothing */ - } else if (stream->enc_xtn_hdr) { - srtp_crypto_free(stream->enc_xtn_hdr); - } + for (i = 0; i < str->num_master_keys; i++) { + session_keys = &str->session_keys[i]; + session_keys->rtp_xtn_hdr_cipher = NULL; + } - /* deallocate srtp stream context */ - srtp_crypto_free(stream); + str->enc_xtn_hdr = NULL; + str->enc_xtn_hdr_count = 0; + } - return srtp_err_status_ok; + return srtp_err_status_ok; } - /* * srtp_stream_clone(stream_template, new) allocates a new stream and * initializes it using the cipher and auth of the stream_template - * + * * the only unique data in a cloned stream is the replay database and * the SSRC */ -srtp_err_status_t -srtp_stream_clone(const srtp_stream_ctx_t *stream_template, - uint32_t ssrc, - srtp_stream_ctx_t **str_ptr) { - srtp_err_status_t status; - srtp_stream_ctx_t *str; - unsigned int i = 0; - srtp_session_keys_t *session_keys = NULL; - const srtp_session_keys_t *template_session_keys = NULL; - - debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ntohl(ssrc)); - - /* allocate srtp stream and set str_ptr */ - str = (srtp_stream_ctx_t *) srtp_crypto_alloc(sizeof(srtp_stream_ctx_t)); - if (str == NULL) - return srtp_err_status_alloc_fail; - *str_ptr = str; - - str->num_master_keys = stream_template->num_master_keys; - str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc( - sizeof(srtp_session_keys_t) * str->num_master_keys); - - if (str->session_keys == NULL) { - srtp_crypto_free(*str_ptr); - *str_ptr = NULL; - return srtp_err_status_alloc_fail; - } - - for (i = 0; i < stream_template->num_master_keys; i++){ - session_keys = &str->session_keys[i]; - template_session_keys = &stream_template->session_keys[i]; - - /* set cipher and auth pointers to those of the template */ - session_keys->rtp_cipher = template_session_keys->rtp_cipher; - session_keys->rtp_auth = template_session_keys->rtp_auth; - session_keys->rtp_xtn_hdr_cipher = template_session_keys->rtp_xtn_hdr_cipher; - session_keys->rtcp_cipher = template_session_keys->rtcp_cipher; - session_keys->rtcp_auth = template_session_keys->rtcp_auth; - session_keys->mki_size = template_session_keys->mki_size; - - if (template_session_keys->mki_size == 0) { - session_keys->mki_id = NULL; - } else { - session_keys->mki_id = srtp_crypto_alloc(template_session_keys->mki_size); +srtp_err_status_t srtp_stream_clone(const srtp_stream_ctx_t *stream_template, + uint32_t ssrc, + srtp_stream_ctx_t **str_ptr) +{ + srtp_err_status_t status; + srtp_stream_ctx_t *str; + unsigned int i = 0; + srtp_session_keys_t *session_keys = NULL; + const srtp_session_keys_t *template_session_keys = NULL; - if (session_keys->mki_id == NULL) { - return srtp_err_status_init_fail; - } - memset(session_keys->mki_id, 0x0, session_keys->mki_size); - memcpy(session_keys->mki_id, template_session_keys->mki_id, session_keys->mki_size); - } - /* Copy the salt values */ - memcpy(session_keys->salt, template_session_keys->salt, SRTP_AEAD_SALT_LEN); - memcpy(session_keys->c_salt, template_session_keys->c_salt, SRTP_AEAD_SALT_LEN); - - /* set key limit to point to that of the template */ - status = srtp_key_limit_clone(template_session_keys->limit, &session_keys->limit); - if (status) { - srtp_crypto_free(*str_ptr); - *str_ptr = NULL; - return status; - } - } - - - /* initialize replay databases */ - status = srtp_rdbx_init(&str->rtp_rdbx, - srtp_rdbx_get_window_size(&stream_template->rtp_rdbx)); - if (status) { - srtp_crypto_free(*str_ptr); - *str_ptr = NULL; - return status; - } - srtp_rdb_init(&str->rtcp_rdb); - str->allow_repeat_tx = stream_template->allow_repeat_tx; + debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ntohl(ssrc)); - /* set ssrc to that provided */ - str->ssrc = ssrc; + /* allocate srtp stream and set str_ptr */ + str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t)); + if (str == NULL) + return srtp_err_status_alloc_fail; + *str_ptr = str; - /* reset pending ROC */ - str->pending_roc = 0; + str->num_master_keys = stream_template->num_master_keys; + str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc( + sizeof(srtp_session_keys_t) * str->num_master_keys); - /* set direction and security services */ - str->direction = stream_template->direction; - str->rtp_services = stream_template->rtp_services; - str->rtcp_services = stream_template->rtcp_services; + if (str->session_keys == NULL) { + srtp_stream_dealloc(*str_ptr, stream_template); + *str_ptr = NULL; + return srtp_err_status_alloc_fail; + } - /* set pointer to EKT data associated with stream */ - str->ekt = stream_template->ekt; + for (i = 0; i < stream_template->num_master_keys; i++) { + session_keys = &str->session_keys[i]; + template_session_keys = &stream_template->session_keys[i]; + + /* set cipher and auth pointers to those of the template */ + session_keys->rtp_cipher = template_session_keys->rtp_cipher; + session_keys->rtp_auth = template_session_keys->rtp_auth; + session_keys->rtp_xtn_hdr_cipher = + template_session_keys->rtp_xtn_hdr_cipher; + session_keys->rtcp_cipher = template_session_keys->rtcp_cipher; + session_keys->rtcp_auth = template_session_keys->rtcp_auth; + session_keys->mki_size = template_session_keys->mki_size; + + if (template_session_keys->mki_size == 0) { + session_keys->mki_id = NULL; + } else { + session_keys->mki_id = + srtp_crypto_alloc(template_session_keys->mki_size); - /* copy information about extensions header encryption */ - str->enc_xtn_hdr = stream_template->enc_xtn_hdr; - str->enc_xtn_hdr_count = stream_template->enc_xtn_hdr_count; + if (session_keys->mki_id == NULL) { + srtp_stream_dealloc(*str_ptr, stream_template); + *str_ptr = NULL; + return srtp_err_status_init_fail; + } + memcpy(session_keys->mki_id, template_session_keys->mki_id, + session_keys->mki_size); + } + /* Copy the salt values */ + memcpy(session_keys->salt, template_session_keys->salt, + SRTP_AEAD_SALT_LEN); + memcpy(session_keys->c_salt, template_session_keys->c_salt, + SRTP_AEAD_SALT_LEN); + + /* set key limit to point to that of the template */ + status = srtp_key_limit_clone(template_session_keys->limit, + &session_keys->limit); + if (status) { + srtp_stream_dealloc(*str_ptr, stream_template); + *str_ptr = NULL; + return status; + } + } - /* defensive coding */ - str->next = NULL; - return srtp_err_status_ok; -} + /* initialize replay databases */ + status = srtp_rdbx_init( + &str->rtp_rdbx, srtp_rdbx_get_window_size(&stream_template->rtp_rdbx)); + if (status) { + srtp_stream_dealloc(*str_ptr, stream_template); + *str_ptr = NULL; + return status; + } + srtp_rdb_init(&str->rtcp_rdb); + str->allow_repeat_tx = stream_template->allow_repeat_tx; + + /* set ssrc to that provided */ + str->ssrc = ssrc; + + /* reset pending ROC */ + str->pending_roc = 0; + + /* set direction and security services */ + str->direction = stream_template->direction; + str->rtp_services = stream_template->rtp_services; + str->rtcp_services = stream_template->rtcp_services; + /* set pointer to EKT data associated with stream */ + str->ekt = stream_template->ekt; + + /* copy information about extensions header encryption */ + str->enc_xtn_hdr = stream_template->enc_xtn_hdr; + str->enc_xtn_hdr_count = stream_template->enc_xtn_hdr_count; + + /* defensive coding */ + str->next = NULL; + return srtp_err_status_ok; +} /* * key derivation functions, internal to libSRTP @@ -593,7 +558,7 @@ srtp_stream_clone(const srtp_stream_ctx_t *stream_template, * * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher * described by cipher_id, with the master key k with length in octets keylen. - * + * * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key * corresponding to label l and puts it into kl; the length * of the key in octets is provided as keylen. this function @@ -603,39 +568,42 @@ srtp_stream_clone(const srtp_stream_ctx_t *stream_template, */ typedef enum { - label_rtp_encryption = 0x00, - label_rtp_msg_auth = 0x01, - label_rtp_salt = 0x02, - label_rtcp_encryption = 0x03, - label_rtcp_msg_auth = 0x04, - label_rtcp_salt = 0x05, - label_rtp_header_encryption = 0x06, - label_rtp_header_salt = 0x07 + label_rtp_encryption = 0x00, + label_rtp_msg_auth = 0x01, + label_rtp_salt = 0x02, + label_rtcp_encryption = 0x03, + label_rtcp_msg_auth = 0x04, + label_rtcp_salt = 0x05, + label_rtp_header_encryption = 0x06, + label_rtp_header_salt = 0x07 } srtp_prf_label; #define MAX_SRTP_KEY_LEN 256 #if defined(OPENSSL) && defined(OPENSSL_KDF) #define MAX_SRTP_AESKEY_LEN 32 -#define MAX_SRTP_SALT_LEN 14 +#define MAX_SRTP_SALT_LEN 14 /* * srtp_kdf_t represents a key derivation function. The SRTP * default KDF is the only one implemented at present. */ -typedef struct { +typedef struct { uint8_t master_key[MAX_SRTP_AESKEY_LEN]; uint8_t master_salt[MAX_SRTP_SALT_LEN]; const EVP_CIPHER *evp; } srtp_kdf_t; - -static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t *key, int key_len, int salt_len) +static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, + const uint8_t *key, + int key_len, + int salt_len) { memset(kdf, 0x0, sizeof(srtp_kdf_t)); /* The NULL cipher has zero key length */ - if (key_len == 0) return srtp_err_status_ok; + if (key_len == 0) + return srtp_err_status_ok; if ((key_len > MAX_SRTP_AESKEY_LEN) || (salt_len > MAX_SRTP_SALT_LEN)) { return srtp_err_status_bad_param; @@ -654,17 +622,21 @@ static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t *key, int return srtp_err_status_bad_param; break; } - memcpy(kdf->master_key, key, key_len); - memcpy(kdf->master_salt, key+key_len, salt_len); + memcpy(kdf->master_key, key, key_len); + memcpy(kdf->master_salt, key + key_len, salt_len); return srtp_err_status_ok; } -static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, uint8_t *key, unsigned int length) +static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, + srtp_prf_label label, + uint8_t *key, + unsigned int length) { int ret; /* The NULL cipher will not have an EVP */ - if (!kdf->evp) return srtp_err_status_ok; + if (!kdf->evp) + return srtp_err_status_ok; octet_string_set_to_zero(key, length); /* @@ -672,7 +644,8 @@ static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label * This is useful if OpenSSL is in FIPS mode and FIP * compliance is required for SRTP. */ - ret = kdf_srtp(kdf->evp, (char *)&kdf->master_key, (char *)&kdf->master_salt, NULL, NULL, label, (char *)key); + ret = kdf_srtp(kdf->evp, (char *)&kdf->master_key, + (char *)&kdf->master_salt, NULL, NULL, label, (char *)key); if (ret == -1) { return (srtp_err_status_algo_fail); } @@ -680,25 +653,28 @@ static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label return srtp_err_status_ok; } -static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) { +static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) +{ octet_string_set_to_zero(kdf->master_key, MAX_SRTP_AESKEY_LEN); octet_string_set_to_zero(kdf->master_salt, MAX_SRTP_SALT_LEN); kdf->evp = NULL; - return srtp_err_status_ok; + return srtp_err_status_ok; } -#else /* if OPENSSL_KDF */ +#else /* if OPENSSL_KDF */ /* * srtp_kdf_t represents a key derivation function. The SRTP * default KDF is the only one implemented at present. */ -typedef struct { - srtp_cipher_t *cipher; /* cipher used for key derivation */ +typedef struct { + srtp_cipher_t *cipher; /* cipher used for key derivation */ } srtp_kdf_t; -static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t *key, int key_len) +static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, + const uint8_t *key, + int key_len) { srtp_cipher_type_id_t cipher_id; switch (key_len) { @@ -718,7 +694,8 @@ static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t *key, int srtp_err_status_t stat; stat = srtp_crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, key_len, 0); - if (stat) return stat; + if (stat) + return stat; stat = srtp_cipher_init(kdf->cipher, key); if (stat) { @@ -728,105 +705,113 @@ static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf, const uint8_t *key, int return srtp_err_status_ok; } -static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, srtp_prf_label label, uint8_t *key, unsigned int length) +static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf, + srtp_prf_label label, + uint8_t *key, + unsigned int length) { srtp_err_status_t status; v128_t nonce; - + /* set eigth octet of nonce to <label>, set the rest of it to zero */ v128_set_to_zero(&nonce); nonce.v8[7] = label; - - status = srtp_cipher_set_iv(kdf->cipher, (uint8_t*)&nonce, srtp_direction_encrypt); - if (status) return status; - + + status = srtp_cipher_set_iv(kdf->cipher, (uint8_t *)&nonce, + srtp_direction_encrypt); + if (status) + return status; + /* generate keystream output */ octet_string_set_to_zero(key, length); status = srtp_cipher_encrypt(kdf->cipher, key, &length); - if (status) return status; + if (status) + return status; return srtp_err_status_ok; } -static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) { +static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf) +{ srtp_err_status_t status; status = srtp_cipher_dealloc(kdf->cipher); - if (status) return status; + if (status) + return status; kdf->cipher = NULL; - return srtp_err_status_ok; + return srtp_err_status_ok; } #endif /* else OPENSSL_KDF */ /* - * end of key derivation functions + * end of key derivation functions */ - - /* Get the base key length corresponding to a given combined key+salt * length for the given cipher. * TODO: key and salt lengths should be separate fields in the policy. */ -static inline int base_key_length(const srtp_cipher_type_t *cipher, int key_length) +static inline int base_key_length(const srtp_cipher_type_t *cipher, + int key_length) { - switch (cipher->id) { - case SRTP_AES_ICM_128: - case SRTP_AES_ICM_192: - case SRTP_AES_ICM_256: - /* The legacy modes are derived from - * the configured key length on the policy */ - return key_length - SRTP_SALT_LEN; - break; - case SRTP_AES_GCM_128: - return key_length - SRTP_AEAD_SALT_LEN; - break; - case SRTP_AES_GCM_256: - return key_length - SRTP_AEAD_SALT_LEN; - break; - default: - return key_length; - break; - } + switch (cipher->id) { + case SRTP_AES_ICM_128: + case SRTP_AES_ICM_192: + case SRTP_AES_ICM_256: + /* The legacy modes are derived from + * the configured key length on the policy */ + return key_length - SRTP_SALT_LEN; + break; + case SRTP_AES_GCM_128: + return key_length - SRTP_AEAD_SALT_LEN; + break; + case SRTP_AES_GCM_256: + return key_length - SRTP_AEAD_SALT_LEN; + break; + default: + return key_length; + break; + } } -unsigned int -srtp_validate_policy_master_keys(const srtp_policy_t *policy) +unsigned int srtp_validate_policy_master_keys(const srtp_policy_t *policy) { - int i = 0; + unsigned long i = 0; if (policy->key == NULL) { if (policy->num_master_keys <= 0) return 0; if (policy->num_master_keys > SRTP_MAX_NUM_MASTER_KEYS) - return 0; - + return 0; + for (i = 0; i < policy->num_master_keys; i++) { if (policy->keys[i]->key == NULL) return 0; - if (policy->keys[i]->mki_size > SRTP_MAX_MKI_LEN) - return 0; + if (policy->keys[i]->mki_size > SRTP_MAX_MKI_LEN) + return 0; } } return 1; } -srtp_session_keys_t* -srtp_get_session_keys_with_mki_index(srtp_stream_ctx_t *stream, - unsigned int use_mki, - unsigned int mki_index) { +srtp_session_keys_t *srtp_get_session_keys_with_mki_index( + srtp_stream_ctx_t *stream, + unsigned int use_mki, + unsigned int mki_index) +{ if (use_mki) { - if (mki_index < stream->num_master_keys) { - return &stream->session_keys[mki_index]; + if (mki_index >= stream->num_master_keys) { + return NULL; } + return &stream->session_keys[mki_index]; } return &stream->session_keys[0]; } -unsigned int -srtp_inject_mki(uint8_t *mki_tag_location, srtp_session_keys_t* session_keys, - unsigned int use_mki) +unsigned int srtp_inject_mki(uint8_t *mki_tag_location, + srtp_session_keys_t *session_keys, + unsigned int use_mki) { unsigned int mki_size = 0; @@ -842,16 +827,17 @@ srtp_inject_mki(uint8_t *mki_tag_location, srtp_session_keys_t* session_keys, return mki_size; } -srtp_err_status_t -srtp_stream_init_all_master_keys(srtp_stream_ctx_t *srtp, - unsigned char *key, - srtp_master_key_t **keys, - const unsigned int max_master_keys) { - int i = 0; +srtp_err_status_t srtp_stream_init_all_master_keys( + srtp_stream_ctx_t *srtp, + unsigned char *key, + srtp_master_key_t **keys, + const unsigned int max_master_keys) +{ + unsigned int i = 0; srtp_err_status_t status = srtp_err_status_ok; srtp_master_key_t single_master_key; - if ( key != NULL ) { + if (key != NULL) { srtp->num_master_keys = 1; single_master_key.key = key; single_master_key.mki_id = NULL; @@ -860,7 +846,8 @@ srtp_stream_init_all_master_keys(srtp_stream_ctx_t *srtp, } else { srtp->num_master_keys = max_master_keys; - for (i = 0; i < srtp->num_master_keys && i < SRTP_MAX_NUM_MASTER_KEYS; i++) { + for (i = 0; i < srtp->num_master_keys && i < SRTP_MAX_NUM_MASTER_KEYS; + i++) { status = srtp_stream_init_keys(srtp, keys[i], i); if (status) { @@ -872,577 +859,609 @@ srtp_stream_init_all_master_keys(srtp_stream_ctx_t *srtp, return status; } -srtp_err_status_t -srtp_stream_init_keys(srtp_stream_ctx_t *srtp, srtp_master_key_t *master_key, - const unsigned int current_mki_index) { - srtp_err_status_t stat; - srtp_kdf_t kdf; - uint8_t tmp_key[MAX_SRTP_KEY_LEN]; - int kdf_keylen = 30, rtp_keylen, rtcp_keylen; - int rtp_base_key_len, rtp_salt_len; - int rtcp_base_key_len, rtcp_salt_len; - srtp_session_keys_t *session_keys = NULL; - unsigned char *key = master_key->key; - - /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */ - /* TODO: kdf algorithm, master key length, and master salt length should - * be part of srtp_policy_t. */ - session_keys = &srtp->session_keys[current_mki_index]; - - /* initialize key limit to maximum value */ -#ifdef NO_64BIT_MATH +srtp_err_status_t srtp_stream_init_keys(srtp_stream_ctx_t *srtp, + srtp_master_key_t *master_key, + const unsigned int current_mki_index) { - uint64_t temp; - temp = make64(UINT_MAX,UINT_MAX); - srtp_key_limit_set(session_keys->limit, temp); -} + srtp_err_status_t stat; + srtp_kdf_t kdf; + uint8_t tmp_key[MAX_SRTP_KEY_LEN]; + int kdf_keylen = 30, rtp_keylen, rtcp_keylen; + int rtp_base_key_len, rtp_salt_len; + int rtcp_base_key_len, rtcp_salt_len; + srtp_session_keys_t *session_keys = NULL; + unsigned char *key = master_key->key; + + /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */ + /* TODO: kdf algorithm, master key length, and master salt length should + * be part of srtp_policy_t. + */ + session_keys = &srtp->session_keys[current_mki_index]; + +/* initialize key limit to maximum value */ +#ifdef NO_64BIT_MATH + { + uint64_t temp; + temp = make64(UINT_MAX, UINT_MAX); + srtp_key_limit_set(session_keys->limit, temp); + } #else - srtp_key_limit_set(session_keys->limit, 0xffffffffffffLL); + srtp_key_limit_set(session_keys->limit, 0xffffffffffffLL); #endif + if (master_key->mki_size != 0) { + session_keys->mki_id = srtp_crypto_alloc(master_key->mki_size); - if ( master_key->mki_size != 0 ) { - session_keys->mki_id = srtp_crypto_alloc(master_key->mki_size); - - if (session_keys->mki_id == NULL) { - return srtp_err_status_init_fail; - } - memset(session_keys->mki_id, 0x0, master_key->mki_size); - memcpy(session_keys->mki_id, master_key->mki_id, master_key->mki_size); - } else { - session_keys->mki_id = NULL; - } - - session_keys->mki_size = master_key->mki_size; - - rtp_keylen = srtp_cipher_get_key_length(session_keys->rtp_cipher); - rtcp_keylen = srtp_cipher_get_key_length(session_keys->rtcp_cipher); - rtp_base_key_len = base_key_length(session_keys->rtp_cipher->type, rtp_keylen); - rtp_salt_len = rtp_keylen - rtp_base_key_len; - - if (rtp_keylen > kdf_keylen) { - kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ - } - - if (rtcp_keylen > kdf_keylen) { - kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ - } - - debug_print(mod_srtp, "srtp key len: %d", rtp_keylen); - debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen); - debug_print(mod_srtp, "base key len: %d", rtp_base_key_len); - debug_print(mod_srtp, "kdf key len: %d", kdf_keylen); - debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len); - - /* - * Make sure the key given to us is 'zero' appended. GCM - * mode uses a shorter master SALT (96 bits), but still relies on - * the legacy CTR mode KDF, which uses a 112 bit master SALT. - */ - memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN); - memcpy(tmp_key, key, (rtp_base_key_len + rtp_salt_len)); - - /* initialize KDF state */ -#if defined(OPENSSL) && defined(OPENSSL_KDF) - stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, rtp_base_key_len, rtp_salt_len); -#else - stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, kdf_keylen); -#endif - if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } - - /* generate encryption key */ - stat = srtp_kdf_generate(&kdf, label_rtp_encryption, - tmp_key, rtp_base_key_len); - if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } - debug_print(mod_srtp, "cipher key: %s", - srtp_octet_string_hex_string(tmp_key, rtp_base_key_len)); - - /* - * if the cipher in the srtp context uses a salt, then we need - * to generate the salt value - */ - if (rtp_salt_len > 0) { - debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL); - - /* generate encryption salt, put after encryption key */ - stat = srtp_kdf_generate(&kdf, label_rtp_salt, - tmp_key + rtp_base_key_len, rtp_salt_len); - if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } - memcpy(session_keys->salt, tmp_key + rtp_base_key_len, SRTP_AEAD_SALT_LEN); - } - if (rtp_salt_len > 0) { - debug_print(mod_srtp, "cipher salt: %s", - srtp_octet_string_hex_string(tmp_key + rtp_base_key_len, rtp_salt_len)); - } - - /* initialize cipher */ - stat = srtp_cipher_init(session_keys->rtp_cipher, tmp_key); - if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } - - if (session_keys->rtp_xtn_hdr_cipher) { - /* generate extensions header encryption key */ - int rtp_xtn_hdr_keylen; - int rtp_xtn_hdr_base_key_len; - int rtp_xtn_hdr_salt_len; - srtp_kdf_t tmp_kdf; - srtp_kdf_t *xtn_hdr_kdf; - - if (session_keys->rtp_xtn_hdr_cipher->type != session_keys->rtp_cipher->type) { - /* With GCM ciphers, the header extensions are still encrypted using the corresponding ICM cipher. */ - /* See https://tools.ietf.org/html/rfc7714#section-8.3 */ - uint8_t tmp_xtn_hdr_key[MAX_SRTP_KEY_LEN]; - rtp_xtn_hdr_keylen = srtp_cipher_get_key_length(session_keys->rtp_xtn_hdr_cipher); - rtp_xtn_hdr_base_key_len = base_key_length(session_keys->rtp_xtn_hdr_cipher->type, - rtp_xtn_hdr_keylen); - rtp_xtn_hdr_salt_len = rtp_xtn_hdr_keylen - rtp_xtn_hdr_base_key_len; - if (rtp_xtn_hdr_salt_len > rtp_salt_len) { - switch (session_keys->rtp_cipher->type->id) { - case SRTP_AES_GCM_128: - case SRTP_AES_GCM_256: - /* The shorter GCM salt is padded to the required ICM salt length. */ - rtp_xtn_hdr_salt_len = rtp_salt_len; - break; - default: - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_bad_param; + if (session_keys->mki_id == NULL) { + return srtp_err_status_init_fail; } - } - memset(tmp_xtn_hdr_key, 0x0, MAX_SRTP_KEY_LEN); - memcpy(tmp_xtn_hdr_key, key, (rtp_xtn_hdr_base_key_len + rtp_xtn_hdr_salt_len)); - xtn_hdr_kdf = &tmp_kdf; + memcpy(session_keys->mki_id, master_key->mki_id, master_key->mki_size); + } else { + session_keys->mki_id = NULL; + } + + session_keys->mki_size = master_key->mki_size; + + rtp_keylen = srtp_cipher_get_key_length(session_keys->rtp_cipher); + rtcp_keylen = srtp_cipher_get_key_length(session_keys->rtcp_cipher); + rtp_base_key_len = + base_key_length(session_keys->rtp_cipher->type, rtp_keylen); + rtp_salt_len = rtp_keylen - rtp_base_key_len; + + if (rtp_keylen > kdf_keylen) { + kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ + } + + if (rtcp_keylen > kdf_keylen) { + kdf_keylen = 46; /* AES-CTR mode is always used for KDF */ + } + + debug_print(mod_srtp, "srtp key len: %d", rtp_keylen); + debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen); + debug_print(mod_srtp, "base key len: %d", rtp_base_key_len); + debug_print(mod_srtp, "kdf key len: %d", kdf_keylen); + debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len); - /* initialize KDF state */ + /* + * Make sure the key given to us is 'zero' appended. GCM + * mode uses a shorter master SALT (96 bits), but still relies on + * the legacy CTR mode KDF, which uses a 112 bit master SALT. + */ + memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN); + memcpy(tmp_key, key, (rtp_base_key_len + rtp_salt_len)); + +/* initialize KDF state */ #if defined(OPENSSL) && defined(OPENSSL_KDF) - stat = srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key, rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len); + stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, rtp_base_key_len, + rtp_salt_len); #else - stat = srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key, kdf_keylen); + stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, kdf_keylen); #endif - octet_string_set_to_zero(tmp_xtn_hdr_key, MAX_SRTP_KEY_LEN); - if (stat) { + if (stat) { /* zeroize temp buffer */ octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); return srtp_err_status_init_fail; - } - } else { - /* Reuse main KDF. */ - rtp_xtn_hdr_keylen = rtp_keylen; - rtp_xtn_hdr_base_key_len = rtp_base_key_len; - rtp_xtn_hdr_salt_len = rtp_salt_len; - xtn_hdr_kdf = &kdf; } - stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_encryption, - tmp_key, rtp_xtn_hdr_base_key_len); + /* generate encryption key */ + stat = srtp_kdf_generate(&kdf, label_rtp_encryption, tmp_key, + rtp_base_key_len); if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; } - debug_print(mod_srtp, "extensions cipher key: %s", - srtp_octet_string_hex_string(tmp_key, rtp_xtn_hdr_base_key_len)); + debug_print(mod_srtp, "cipher key: %s", + srtp_octet_string_hex_string(tmp_key, rtp_base_key_len)); /* * if the cipher in the srtp context uses a salt, then we need * to generate the salt value */ - if (rtp_xtn_hdr_salt_len > 0) { - debug_print(mod_srtp, "found rtp_xtn_hdr_salt_len > 0, generating salt", NULL); - - /* generate encryption salt, put after encryption key */ - stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_salt, - tmp_key + rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len); - if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } + if (rtp_salt_len > 0) { + debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL); + + /* generate encryption salt, put after encryption key */ + stat = srtp_kdf_generate(&kdf, label_rtp_salt, + tmp_key + rtp_base_key_len, rtp_salt_len); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + memcpy(session_keys->salt, tmp_key + rtp_base_key_len, + SRTP_AEAD_SALT_LEN); } - if (rtp_xtn_hdr_salt_len > 0) { - debug_print(mod_srtp, "extensions cipher salt: %s", - srtp_octet_string_hex_string(tmp_key + rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len)); + if (rtp_salt_len > 0) { + debug_print(mod_srtp, "cipher salt: %s", + srtp_octet_string_hex_string(tmp_key + rtp_base_key_len, + rtp_salt_len)); } - /* initialize extensions header cipher */ - stat = srtp_cipher_init(session_keys->rtp_xtn_hdr_cipher, tmp_key); + /* initialize cipher */ + stat = srtp_cipher_init(session_keys->rtp_cipher, tmp_key); if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } - - if (xtn_hdr_kdf != &kdf) { - /* release memory for custom header extension encryption kdf */ - stat = srtp_kdf_clear(xtn_hdr_kdf); - if (stat) { /* zeroize temp buffer */ octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); return srtp_err_status_init_fail; - } } - } - - /* generate authentication key */ - stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, - tmp_key, srtp_auth_get_key_length(session_keys->rtp_auth)); - if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } - debug_print(mod_srtp, "auth key: %s", - srtp_octet_string_hex_string(tmp_key, - srtp_auth_get_key_length(session_keys->rtp_auth))); - - /* initialize auth function */ - stat = srtp_auth_init(session_keys->rtp_auth, tmp_key); - if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } - - /* - * ...now initialize SRTCP keys - */ - - rtcp_base_key_len = base_key_length(session_keys->rtcp_cipher->type, rtcp_keylen); - rtcp_salt_len = rtcp_keylen - rtcp_base_key_len; - debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len); - - /* generate encryption key */ - stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, - tmp_key, rtcp_base_key_len); - if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } - - /* - * if the cipher in the srtp context uses a salt, then we need - * to generate the salt value - */ - if (rtcp_salt_len > 0) { - debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt", - NULL); - - /* generate encryption salt, put after encryption key */ - stat = srtp_kdf_generate(&kdf, label_rtcp_salt, - tmp_key + rtcp_base_key_len, rtcp_salt_len); - if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } - memcpy(session_keys->c_salt, tmp_key + rtcp_base_key_len, SRTP_AEAD_SALT_LEN); - } - debug_print(mod_srtp, "rtcp cipher key: %s", - srtp_octet_string_hex_string(tmp_key, rtcp_base_key_len)); - if (rtcp_salt_len > 0) { - debug_print(mod_srtp, "rtcp cipher salt: %s", - srtp_octet_string_hex_string(tmp_key + rtcp_base_key_len, rtcp_salt_len)); - } - - /* initialize cipher */ - stat = srtp_cipher_init(session_keys->rtcp_cipher, tmp_key); - if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } - - /* generate authentication key */ - stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, - tmp_key, srtp_auth_get_key_length(session_keys->rtcp_auth)); - if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } - - debug_print(mod_srtp, "rtcp auth key: %s", - srtp_octet_string_hex_string(tmp_key, - srtp_auth_get_key_length(session_keys->rtcp_auth))); - - /* initialize auth function */ - stat = srtp_auth_init(session_keys->rtcp_auth, tmp_key); - if (stat) { - /* zeroize temp buffer */ - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - return srtp_err_status_init_fail; - } - /* clear memory then return */ - stat = srtp_kdf_clear(&kdf); - octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); - if (stat) - return srtp_err_status_init_fail; + if (session_keys->rtp_xtn_hdr_cipher) { + /* generate extensions header encryption key */ + int rtp_xtn_hdr_keylen; + int rtp_xtn_hdr_base_key_len; + int rtp_xtn_hdr_salt_len; + srtp_kdf_t tmp_kdf; + srtp_kdf_t *xtn_hdr_kdf; + + if (session_keys->rtp_xtn_hdr_cipher->type != + session_keys->rtp_cipher->type) { + /* + * With GCM ciphers, the header extensions are still encrypted using + * the corresponding ICM cipher. + * See https://tools.ietf.org/html/rfc7714#section-8.3 + */ + uint8_t tmp_xtn_hdr_key[MAX_SRTP_KEY_LEN]; + rtp_xtn_hdr_keylen = + srtp_cipher_get_key_length(session_keys->rtp_xtn_hdr_cipher); + rtp_xtn_hdr_base_key_len = base_key_length( + session_keys->rtp_xtn_hdr_cipher->type, rtp_xtn_hdr_keylen); + rtp_xtn_hdr_salt_len = + rtp_xtn_hdr_keylen - rtp_xtn_hdr_base_key_len; + if (rtp_xtn_hdr_salt_len > rtp_salt_len) { + switch (session_keys->rtp_cipher->type->id) { + case SRTP_AES_GCM_128: + case SRTP_AES_GCM_256: + /* + * The shorter GCM salt is padded to the required ICM salt + * length. + */ + rtp_xtn_hdr_salt_len = rtp_salt_len; + break; + default: + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_bad_param; + } + } + memset(tmp_xtn_hdr_key, 0x0, MAX_SRTP_KEY_LEN); + memcpy(tmp_xtn_hdr_key, key, + (rtp_xtn_hdr_base_key_len + rtp_xtn_hdr_salt_len)); + xtn_hdr_kdf = &tmp_kdf; - return srtp_err_status_ok; -} +/* initialize KDF state */ +#if defined(OPENSSL) && defined(OPENSSL_KDF) + stat = + srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key, + rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len); +#else + stat = srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key, + kdf_keylen); +#endif + octet_string_set_to_zero(tmp_xtn_hdr_key, MAX_SRTP_KEY_LEN); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + } else { + /* Reuse main KDF. */ + rtp_xtn_hdr_keylen = rtp_keylen; + rtp_xtn_hdr_base_key_len = rtp_base_key_len; + rtp_xtn_hdr_salt_len = rtp_salt_len; + xtn_hdr_kdf = &kdf; + } -srtp_err_status_t -srtp_stream_init(srtp_stream_ctx_t *srtp, - const srtp_policy_t *p) { - srtp_err_status_t err; + stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_encryption, + tmp_key, rtp_xtn_hdr_base_key_len); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + debug_print( + mod_srtp, "extensions cipher key: %s", + srtp_octet_string_hex_string(tmp_key, rtp_xtn_hdr_base_key_len)); - debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)", - p->ssrc.value); + /* + * if the cipher in the srtp context uses a salt, then we need + * to generate the salt value + */ + if (rtp_xtn_hdr_salt_len > 0) { + debug_print(mod_srtp, + "found rtp_xtn_hdr_salt_len > 0, generating salt", + NULL); + + /* generate encryption salt, put after encryption key */ + stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_salt, + tmp_key + rtp_xtn_hdr_base_key_len, + rtp_xtn_hdr_salt_len); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + } + if (rtp_xtn_hdr_salt_len > 0) { + debug_print( + mod_srtp, "extensions cipher salt: %s", + srtp_octet_string_hex_string(tmp_key + rtp_xtn_hdr_base_key_len, + rtp_xtn_hdr_salt_len)); + } - /* initialize replay database */ - /* window size MUST be at least 64. MAY be larger. Values more than - * 2^15 aren't meaningful due to how extended sequence numbers are - * calculated. Let a window size of 0 imply the default value. */ + /* initialize extensions header cipher */ + stat = srtp_cipher_init(session_keys->rtp_xtn_hdr_cipher, tmp_key); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } - if (p->window_size != 0 && (p->window_size < 64 || p->window_size >= 0x8000)) - return srtp_err_status_bad_param; + if (xtn_hdr_kdf != &kdf) { + /* release memory for custom header extension encryption kdf */ + stat = srtp_kdf_clear(xtn_hdr_kdf); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + } + } - if (p->window_size != 0) - err = srtp_rdbx_init(&srtp->rtp_rdbx, p->window_size); - else - err = srtp_rdbx_init(&srtp->rtp_rdbx, 128); - if (err) return err; + /* generate authentication key */ + stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, tmp_key, + srtp_auth_get_key_length(session_keys->rtp_auth)); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + debug_print(mod_srtp, "auth key: %s", + srtp_octet_string_hex_string( + tmp_key, srtp_auth_get_key_length(session_keys->rtp_auth))); - /* set the SSRC value */ - srtp->ssrc = htonl(p->ssrc.value); + /* initialize auth function */ + stat = srtp_auth_init(session_keys->rtp_auth, tmp_key); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } - /* reset pending ROC */ - srtp->pending_roc = 0; + /* + * ...now initialize SRTCP keys + */ - /* set the security service flags */ - srtp->rtp_services = p->rtp.sec_serv; - srtp->rtcp_services = p->rtcp.sec_serv; + rtcp_base_key_len = + base_key_length(session_keys->rtcp_cipher->type, rtcp_keylen); + rtcp_salt_len = rtcp_keylen - rtcp_base_key_len; + debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len); - /* - * set direction to unknown - this flag gets checked in srtp_protect(), - * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and - * gets set appropriately if it is set to unknown. - */ - srtp->direction = dir_unknown; - - /* initialize SRTCP replay database */ - srtp_rdb_init(&srtp->rtcp_rdb); - - /* initialize allow_repeat_tx */ - /* guard against uninitialized memory: allow only 0 or 1 here */ - if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) { - srtp_rdbx_dealloc(&srtp->rtp_rdbx); - return srtp_err_status_bad_param; - } - srtp->allow_repeat_tx = p->allow_repeat_tx; - - /* DAM - no RTCP key limit at present */ - - /* initialize keys */ - err = srtp_stream_init_all_master_keys(srtp, p->key, p->keys, p->num_master_keys); - if (err) { - srtp_rdbx_dealloc(&srtp->rtp_rdbx); - return err; - } - - /* - * if EKT is in use, then initialize the EKT data associated with - * the stream - */ - err = srtp_ekt_stream_init_from_policy(srtp->ekt, p->ekt); - if (err) { - srtp_rdbx_dealloc(&srtp->rtp_rdbx); - return err; - } - - return srtp_err_status_ok; - } - - - /* - * srtp_event_reporter is an event handler function that merely - * reports the events that are reported by the callbacks - */ - - void - srtp_event_reporter(srtp_event_data_t *data) { - - srtp_err_report(srtp_err_level_warning, "srtp: in stream 0x%x: ", - data->ssrc); - - switch(data->event) { - case event_ssrc_collision: - srtp_err_report(srtp_err_level_warning, "\tSSRC collision\n"); - break; - case event_key_soft_limit: - srtp_err_report(srtp_err_level_warning, "\tkey usage soft limit reached\n"); - break; - case event_key_hard_limit: - srtp_err_report(srtp_err_level_warning, "\tkey usage hard limit reached\n"); - break; - case event_packet_index_limit: - srtp_err_report(srtp_err_level_warning, "\tpacket index limit reached\n"); - break; - default: - srtp_err_report(srtp_err_level_warning, "\tunknown event reported to handler\n"); - } - } - - /* - * srtp_event_handler is a global variable holding a pointer to the - * event handler function; this function is called for any unexpected - * event that needs to be handled out of the SRTP data path. see - * srtp_event_t in srtp.h for more info - * - * it is okay to set srtp_event_handler to NULL, but we set - * it to the srtp_event_reporter. - */ - - static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter; - - srtp_err_status_t - srtp_install_event_handler(srtp_event_handler_func_t func) { - - /* - * note that we accept NULL arguments intentionally - calling this - * function with a NULL arguments removes an event handler that's - * been previously installed - */ + /* generate encryption key */ + stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, tmp_key, + rtcp_base_key_len); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } - /* set global event handling function */ - srtp_event_handler = func; - return srtp_err_status_ok; - } + /* + * if the cipher in the srtp context uses a salt, then we need + * to generate the salt value + */ + if (rtcp_salt_len > 0) { + debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt", + NULL); + + /* generate encryption salt, put after encryption key */ + stat = srtp_kdf_generate(&kdf, label_rtcp_salt, + tmp_key + rtcp_base_key_len, rtcp_salt_len); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } + memcpy(session_keys->c_salt, tmp_key + rtcp_base_key_len, + SRTP_AEAD_SALT_LEN); + } + debug_print(mod_srtp, "rtcp cipher key: %s", + srtp_octet_string_hex_string(tmp_key, rtcp_base_key_len)); + if (rtcp_salt_len > 0) { + debug_print(mod_srtp, "rtcp cipher salt: %s", + srtp_octet_string_hex_string(tmp_key + rtcp_base_key_len, + rtcp_salt_len)); + } + /* initialize cipher */ + stat = srtp_cipher_init(session_keys->rtcp_cipher, tmp_key); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } -/* - * Check if the given extension header id is / should be encrypted. - * Returns 1 if yes, otherwise 0. - */ -static int -srtp_protect_extension_header(srtp_stream_ctx_t *stream, int id) { - int* enc_xtn_hdr = stream->enc_xtn_hdr; - int count = stream->enc_xtn_hdr_count; + /* generate authentication key */ + stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, tmp_key, + srtp_auth_get_key_length(session_keys->rtcp_auth)); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; + } - if (!enc_xtn_hdr || count <= 0) { - return 0; - } + debug_print( + mod_srtp, "rtcp auth key: %s", + srtp_octet_string_hex_string( + tmp_key, srtp_auth_get_key_length(session_keys->rtcp_auth))); - while (count > 0) { - if (*enc_xtn_hdr == id) { - return 1; + /* initialize auth function */ + stat = srtp_auth_init(session_keys->rtcp_auth, tmp_key); + if (stat) { + /* zeroize temp buffer */ + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + return srtp_err_status_init_fail; } - enc_xtn_hdr++; - count--; - } - return 0; + /* clear memory then return */ + stat = srtp_kdf_clear(&kdf); + octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN); + if (stat) + return srtp_err_status_init_fail; + + return srtp_err_status_ok; } +srtp_err_status_t srtp_stream_init(srtp_stream_ctx_t *srtp, + const srtp_policy_t *p) +{ + srtp_err_status_t err; + + debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)", p->ssrc.value); + + /* initialize replay database */ + /* + * window size MUST be at least 64. MAY be larger. Values more than + * 2^15 aren't meaningful due to how extended sequence numbers are + * calculated. + * Let a window size of 0 imply the default value. + */ + + if (p->window_size != 0 && + (p->window_size < 64 || p->window_size >= 0x8000)) + return srtp_err_status_bad_param; + + if (p->window_size != 0) + err = srtp_rdbx_init(&srtp->rtp_rdbx, p->window_size); + else + err = srtp_rdbx_init(&srtp->rtp_rdbx, 128); + if (err) + return err; + + /* set the SSRC value */ + srtp->ssrc = htonl(p->ssrc.value); + + /* reset pending ROC */ + srtp->pending_roc = 0; + + /* set the security service flags */ + srtp->rtp_services = p->rtp.sec_serv; + srtp->rtcp_services = p->rtcp.sec_serv; + + /* + * set direction to unknown - this flag gets checked in srtp_protect(), + * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and + * gets set appropriately if it is set to unknown. + */ + srtp->direction = dir_unknown; + + /* initialize SRTCP replay database */ + srtp_rdb_init(&srtp->rtcp_rdb); + + /* initialize allow_repeat_tx */ + /* guard against uninitialized memory: allow only 0 or 1 here */ + if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) { + srtp_rdbx_dealloc(&srtp->rtp_rdbx); + return srtp_err_status_bad_param; + } + srtp->allow_repeat_tx = p->allow_repeat_tx; + + /* DAM - no RTCP key limit at present */ + + /* initialize keys */ + err = srtp_stream_init_all_master_keys(srtp, p->key, p->keys, + p->num_master_keys); + if (err) { + srtp_rdbx_dealloc(&srtp->rtp_rdbx); + return err; + } + + /* + * if EKT is in use, then initialize the EKT data associated with + * the stream + */ + err = srtp_ekt_stream_init_from_policy(srtp->ekt, p->ekt); + if (err) { + srtp_rdbx_dealloc(&srtp->rtp_rdbx); + return err; + } + + return srtp_err_status_ok; +} /* - * extensions header encryption RFC 6904 + * srtp_event_reporter is an event handler function that merely + * reports the events that are reported by the callbacks */ -static srtp_err_status_t -srtp_process_header_encryption(srtp_stream_ctx_t *stream, - srtp_hdr_xtnd_t *xtn_hdr, - srtp_session_keys_t *session_keys) { - srtp_err_status_t status; - uint8_t keystream[257]; /* Maximum 2 bytes header + 255 bytes data. */ - int keystream_pos; - uint8_t* xtn_hdr_data = ((uint8_t *)xtn_hdr) + octets_in_rtp_extn_hdr; - uint8_t* xtn_hdr_end = xtn_hdr_data + (ntohs(xtn_hdr->length) * sizeof(uint32_t)); - - if (ntohs(xtn_hdr->profile_specific) == 0xbede) { - /* RFC 5285, section 4.2. One-Byte Header */ - while (xtn_hdr_data < xtn_hdr_end) { - uint8_t xid = (*xtn_hdr_data & 0xf0) >> 4; - unsigned int xlen = (*xtn_hdr_data & 0x0f) + 1; - uint32_t xlen_with_header = 1+xlen; - xtn_hdr_data++; - - if (xtn_hdr_data + xlen > xtn_hdr_end) - return srtp_err_status_parse_err; - if (xid == 15) { - /* found header 15, stop further processing. */ +void srtp_event_reporter(srtp_event_data_t *data) +{ + srtp_err_report(srtp_err_level_warning, "srtp: in stream 0x%x: ", + data->ssrc); + + switch (data->event) { + case event_ssrc_collision: + srtp_err_report(srtp_err_level_warning, "\tSSRC collision\n"); + break; + case event_key_soft_limit: + srtp_err_report(srtp_err_level_warning, + "\tkey usage soft limit reached\n"); + break; + case event_key_hard_limit: + srtp_err_report(srtp_err_level_warning, + "\tkey usage hard limit reached\n"); break; - } + case event_packet_index_limit: + srtp_err_report(srtp_err_level_warning, + "\tpacket index limit reached\n"); + break; + default: + srtp_err_report(srtp_err_level_warning, + "\tunknown event reported to handler\n"); + } +} - status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher, - keystream, &xlen_with_header); - if (status) - return srtp_err_status_cipher_fail; +/* + * srtp_event_handler is a global variable holding a pointer to the + * event handler function; this function is called for any unexpected + * event that needs to be handled out of the SRTP data path. see + * srtp_event_t in srtp.h for more info + * + * it is okay to set srtp_event_handler to NULL, but we set + * it to the srtp_event_reporter. + */ + +static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter; + +srtp_err_status_t srtp_install_event_handler(srtp_event_handler_func_t func) +{ + /* + * note that we accept NULL arguments intentionally - calling this + * function with a NULL arguments removes an event handler that's + * been previously installed + */ + + /* set global event handling function */ + srtp_event_handler = func; + return srtp_err_status_ok; +} + +/* + * Check if the given extension header id is / should be encrypted. + * Returns 1 if yes, otherwise 0. + */ +static int srtp_protect_extension_header(srtp_stream_ctx_t *stream, int id) +{ + int *enc_xtn_hdr = stream->enc_xtn_hdr; + int count = stream->enc_xtn_hdr_count; - if (srtp_protect_extension_header(stream, xid)) { - keystream_pos = 1; - while (xlen > 0) { - *xtn_hdr_data ^= keystream[keystream_pos++]; - xtn_hdr_data++; - xlen--; + if (!enc_xtn_hdr || count <= 0) { + return 0; + } + + while (count > 0) { + if (*enc_xtn_hdr == id) { + return 1; } - } else { - xtn_hdr_data += xlen; - } - - /* skip padding bytes. */ - while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) { - xtn_hdr_data++; - } - } - } else if ((ntohs(xtn_hdr->profile_specific) & 0x1fff) == 0x100) { - /* RFC 5285, section 4.3. Two-Byte Header */ - while (xtn_hdr_data + 1 < xtn_hdr_end) { - uint8_t xid = *xtn_hdr_data; - unsigned int xlen = *(xtn_hdr_data+1); - uint32_t xlen_with_header = 2+xlen; - xtn_hdr_data += 2; - - if (xtn_hdr_data + xlen > xtn_hdr_end) - return srtp_err_status_parse_err; - status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher, - keystream, &xlen_with_header); - if (status) - return srtp_err_status_cipher_fail; + enc_xtn_hdr++; + count--; + } + return 0; +} + +/* + * extensions header encryption RFC 6904 + */ +static srtp_err_status_t srtp_process_header_encryption( + srtp_stream_ctx_t *stream, + srtp_hdr_xtnd_t *xtn_hdr, + srtp_session_keys_t *session_keys) +{ + srtp_err_status_t status; + uint8_t keystream[257]; /* Maximum 2 bytes header + 255 bytes data. */ + int keystream_pos; + uint8_t *xtn_hdr_data = ((uint8_t *)xtn_hdr) + octets_in_rtp_extn_hdr; + uint8_t *xtn_hdr_end = + xtn_hdr_data + (ntohs(xtn_hdr->length) * sizeof(uint32_t)); + + if (ntohs(xtn_hdr->profile_specific) == 0xbede) { + /* RFC 5285, section 4.2. One-Byte Header */ + while (xtn_hdr_data < xtn_hdr_end) { + uint8_t xid = (*xtn_hdr_data & 0xf0) >> 4; + unsigned int xlen = (*xtn_hdr_data & 0x0f) + 1; + uint32_t xlen_with_header = 1 + xlen; + xtn_hdr_data++; + + if (xtn_hdr_data + xlen > xtn_hdr_end) + return srtp_err_status_parse_err; + + if (xid == 15) { + /* found header 15, stop further processing. */ + break; + } + + status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher, + keystream, &xlen_with_header); + if (status) + return srtp_err_status_cipher_fail; + + if (srtp_protect_extension_header(stream, xid)) { + keystream_pos = 1; + while (xlen > 0) { + *xtn_hdr_data ^= keystream[keystream_pos++]; + xtn_hdr_data++; + xlen--; + } + } else { + xtn_hdr_data += xlen; + } - if (xlen > 0 && srtp_protect_extension_header(stream, xid)) { - keystream_pos = 2; - while (xlen > 0) { - *xtn_hdr_data ^= keystream[keystream_pos++]; - xtn_hdr_data++; - xlen--; + /* skip padding bytes. */ + while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) { + xtn_hdr_data++; + } } - } else { - xtn_hdr_data += xlen; - } + } else if ((ntohs(xtn_hdr->profile_specific) & 0x1fff) == 0x100) { + /* RFC 5285, section 4.3. Two-Byte Header */ + while (xtn_hdr_data + 1 < xtn_hdr_end) { + uint8_t xid = *xtn_hdr_data; + unsigned int xlen = *(xtn_hdr_data + 1); + uint32_t xlen_with_header = 2 + xlen; + xtn_hdr_data += 2; + + if (xtn_hdr_data + xlen > xtn_hdr_end) + return srtp_err_status_parse_err; + + status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher, + keystream, &xlen_with_header); + if (status) + return srtp_err_status_cipher_fail; + + if (xlen > 0 && srtp_protect_extension_header(stream, xid)) { + keystream_pos = 2; + while (xlen > 0) { + *xtn_hdr_data ^= keystream[keystream_pos++]; + xtn_hdr_data++; + xlen--; + } + } else { + xtn_hdr_data += xlen; + } - /* skip padding bytes. */ - while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) { - xtn_hdr_data++; - } + /* skip padding bytes. */ + while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) { + xtn_hdr_data++; + } + } + } else { + /* unsupported extension header format. */ + return srtp_err_status_parse_err; } - } else { - /* unsupported extension header format. */ - return srtp_err_status_parse_err; - } - return srtp_err_status_ok; + return srtp_err_status_ok; } - /* * AEAD uses a new IV formation method. This function implements * section 8.1. (SRTP IV Formation for AES-GCM) of RFC7714. @@ -1464,7 +1483,7 @@ srtp_process_header_encryption(srtp_stream_ctx_t *stream, * +--+--+--+--+--+--+--+--+--+--+--+--+* * * Input: *session_keys - pointer to SRTP stream context session keys, - * used to retrieve the SALT + * used to retrieve the SALT * *iv - Pointer to receive the calculated IV * *seq - The ROC and SEQ value to use for the * IV calculation. @@ -1472,19 +1491,20 @@ srtp_process_header_encryption(srtp_stream_ctx_t *stream, * */ -static void srtp_calc_aead_iv(srtp_session_keys_t *session_keys, v128_t *iv, - srtp_xtd_seq_num_t *seq, srtp_hdr_t *hdr) +static void srtp_calc_aead_iv(srtp_session_keys_t *session_keys, + v128_t *iv, + srtp_xtd_seq_num_t *seq, + srtp_hdr_t *hdr) { - v128_t in; - v128_t salt; + v128_t in; + v128_t salt; #ifdef NO_64BIT_MATH - uint32_t local_roc = ((high32(*seq) << 16) | - (low32(*seq) >> 16)); - uint16_t local_seq = (uint16_t) (low32(*seq)); + uint32_t local_roc = ((high32(*seq) << 16) | (low32(*seq) >> 16)); + uint16_t local_seq = (uint16_t)(low32(*seq)); #else uint32_t local_roc = (uint32_t)(*seq >> 16); - uint16_t local_seq = (uint16_t) *seq; + uint16_t local_seq = (uint16_t)*seq; #endif memset(&in, 0, sizeof(v128_t)); @@ -1512,149 +1532,145 @@ static void srtp_calc_aead_iv(srtp_session_keys_t *session_keys, v128_t *iv, v128_xor(iv, &in, &salt); } +srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream, + uint8_t *hdr, + const unsigned int *pkt_octet_len, + unsigned int *mki_size) +{ + unsigned int base_mki_start_location = *pkt_octet_len; + unsigned int mki_start_location = 0; + unsigned int tag_len = 0; + unsigned int i = 0; + + // Determine the authentication tag size + if (stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_128 || + stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_256) { + tag_len = 0; + } else { + tag_len = srtp_auth_get_tag_length(stream->session_keys[0].rtp_auth); + } + + if (tag_len > base_mki_start_location) { + *mki_size = 0; + return NULL; + } + + base_mki_start_location -= tag_len; + + for (i = 0; i < stream->num_master_keys; i++) { + if (stream->session_keys[i].mki_size != 0 && + stream->session_keys[i].mki_size <= base_mki_start_location) { + *mki_size = stream->session_keys[i].mki_size; + mki_start_location = base_mki_start_location - *mki_size; + + if (memcmp(hdr + mki_start_location, stream->session_keys[i].mki_id, + *mki_size) == 0) { + return &stream->session_keys[i]; + } + } + } -srtp_session_keys_t* -srtp_get_session_keys(srtp_stream_ctx_t *stream, uint8_t* hdr, - const unsigned int* pkt_octet_len, - unsigned int* mki_size) { - unsigned int base_mki_start_location = *pkt_octet_len; - unsigned int mki_start_location = 0; - unsigned int tag_len = 0; - unsigned int i = 0; - - // Determine the authentication tag size - if (stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_128 || - stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_256) { - tag_len = 0; - } else { - tag_len = srtp_auth_get_tag_length(stream->session_keys[0].rtp_auth); - } - - if (tag_len > base_mki_start_location) { - *mki_size = 0; - return NULL; - } - - base_mki_start_location -= tag_len; - - for (i = 0; i < stream->num_master_keys; i++) { - if (stream->session_keys[i].mki_size != 0) { - *mki_size = stream->session_keys[i].mki_size; - mki_start_location = base_mki_start_location - *mki_size; - - if ( mki_start_location >= *mki_size && - memcmp(hdr + mki_start_location, stream->session_keys[i].mki_id, *mki_size) == 0 ) { - return &stream->session_keys[i]; - } - } - } - - *mki_size = 0; - return NULL; + *mki_size = 0; + return NULL; } -static srtp_err_status_t -srtp_estimate_index(srtp_rdbx_t *rdbx, - uint32_t roc, - srtp_xtd_seq_num_t *est, - srtp_sequence_number_t seq, - int *delta) +static srtp_err_status_t srtp_estimate_index(srtp_rdbx_t *rdbx, + uint32_t roc, + srtp_xtd_seq_num_t *est, + srtp_sequence_number_t seq, + int *delta) { #ifdef NO_64BIT_MATH - uint32_t internal_pkt_idx_reduced; - uint32_t external_pkt_idx_reduced; - uint32_t internal_roc; - uint32_t roc_difference; + uint32_t internal_pkt_idx_reduced; + uint32_t external_pkt_idx_reduced; + uint32_t internal_roc; + uint32_t roc_difference; #endif #ifdef NO_64BIT_MATH - *est = (srtp_xtd_seq_num_t)make64(roc >> 16, (roc << 16) | seq); - *delta = low32(est) - rdbx->index; + *est = (srtp_xtd_seq_num_t)make64(roc >> 16, (roc << 16) | seq); + *delta = low32(est) - rdbx->index; #else - *est = (srtp_xtd_seq_num_t)(((uint64_t)roc) << 16) | seq; - *delta = (int)(*est - rdbx->index); + *est = (srtp_xtd_seq_num_t)(((uint64_t)roc) << 16) | seq; + *delta = (int)(*est - rdbx->index); #endif - if (*est > rdbx->index) { + if (*est > rdbx->index) { #ifdef NO_64BIT_MATH - internal_roc = (uint32_t)(rdbx->index >> 16); - roc_difference = roc - internal_roc; - if (roc_difference > 1) { - *delta = 0; - return srtp_err_status_pkt_idx_adv; - } + internal_roc = (uint32_t)(rdbx->index >> 16); + roc_difference = roc - internal_roc; + if (roc_difference > 1) { + *delta = 0; + return srtp_err_status_pkt_idx_adv; + } - internal_pkt_idx_reduced = (uint32_t)(rdbx->index & 0xFFFF); - external_pkt_idx_reduced = (uint32_t)((roc_difference << 16) | seq); + internal_pkt_idx_reduced = (uint32_t)(rdbx->index & 0xFFFF); + external_pkt_idx_reduced = (uint32_t)((roc_difference << 16) | seq); - if (external_pkt_idx_reduced - internal_pkt_idx_reduced > - seq_num_median) { - *delta = 0; - return srtp_err_status_pkt_idx_adv; - } + if (external_pkt_idx_reduced - internal_pkt_idx_reduced > + seq_num_median) { + *delta = 0; + return srtp_err_status_pkt_idx_adv; + } #else - if (*est - rdbx->index > seq_num_median) { - *delta = 0; - return srtp_err_status_pkt_idx_adv; - } + if (*est - rdbx->index > seq_num_median) { + *delta = 0; + return srtp_err_status_pkt_idx_adv; + } #endif - } else if (*est < rdbx->index) { + } else if (*est < rdbx->index) { #ifdef NO_64BIT_MATH - internal_roc = (uint32_t)(rdbx->index >> 16); - roc_difference = internal_roc - roc; - if (roc_difference > 1) { - *delta = 0; - return srtp_err_status_pkt_idx_adv; - } + internal_roc = (uint32_t)(rdbx->index >> 16); + roc_difference = internal_roc - roc; + if (roc_difference > 1) { + *delta = 0; + return srtp_err_status_pkt_idx_adv; + } - internal_pkt_idx_reduced = - (uint32_t)((roc_difference << 16) | rdbx->index & 0xFFFF); - external_pkt_idx_reduced = (uint32_t)(seq); + internal_pkt_idx_reduced = + (uint32_t)((roc_difference << 16) | rdbx->index & 0xFFFF); + external_pkt_idx_reduced = (uint32_t)(seq); - if (internal_pkt_idx_reduced - external_pkt_idx_reduced > - seq_num_median) { - *delta = 0; - return srtp_err_status_pkt_idx_old; - } + if (internal_pkt_idx_reduced - external_pkt_idx_reduced > + seq_num_median) { + *delta = 0; + return srtp_err_status_pkt_idx_old; + } #else - if (rdbx->index - *est > seq_num_median) { - *delta = 0; - return srtp_err_status_pkt_idx_old; - } + if (rdbx->index - *est > seq_num_median) { + *delta = 0; + return srtp_err_status_pkt_idx_old; + } #endif - } + } - return srtp_err_status_ok; + return srtp_err_status_ok; } -static srtp_err_status_t -srtp_get_est_pkt_index(srtp_hdr_t *hdr, - srtp_stream_ctx_t *stream, - srtp_xtd_seq_num_t *est, - int *delta) +static srtp_err_status_t srtp_get_est_pkt_index(srtp_hdr_t *hdr, + srtp_stream_ctx_t *stream, + srtp_xtd_seq_num_t *est, + int *delta) { - srtp_err_status_t result = srtp_err_status_ok; - - if (stream->pending_roc) { - result = srtp_estimate_index(&stream->rtp_rdbx, - stream->pending_roc, - est, - ntohs(hdr->seq), - delta); - } else { - /* estimate packet index from seq. num. in header */ - *delta = srtp_rdbx_estimate_index(&stream->rtp_rdbx, - est, - ntohs(hdr->seq)); - } + srtp_err_status_t result = srtp_err_status_ok; + + if (stream->pending_roc) { + result = srtp_estimate_index(&stream->rtp_rdbx, stream->pending_roc, + est, ntohs(hdr->seq), delta); + } else { + /* estimate packet index from seq. num. in header */ + *delta = + srtp_rdbx_estimate_index(&stream->rtp_rdbx, est, ntohs(hdr->seq)); + } #ifdef NO_64BIT_MATH - debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(*est), low32(*est)); + debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(*est), + low32(*est)); #else - debug_print(mod_srtp, "estimated u_packet index: %016llx", *est); + debug_print(mod_srtp, "estimated u_packet index: %016llx", *est); #endif - return result; + return result; } /* @@ -1662,16 +1678,18 @@ srtp_get_est_pkt_index(srtp_hdr_t *hdr, * which currently supports AES-GCM encryption. All packets are * encrypted and authenticated. */ -static srtp_err_status_t -srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, - void *rtp_hdr, unsigned int *pkt_octet_len, - srtp_session_keys_t *session_keys, unsigned int use_mki) +static srtp_err_status_t srtp_protect_aead(srtp_ctx_t *ctx, + srtp_stream_ctx_t *stream, + void *rtp_hdr, + unsigned int *pkt_octet_len, + srtp_session_keys_t *session_keys, + unsigned int use_mki) { - srtp_hdr_t *hdr = (srtp_hdr_t*)rtp_hdr; - uint32_t *enc_start; /* pointer to start of encrypted portion */ - int enc_octet_len = 0; /* number of octets in encrypted portion */ - srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ - int delta; /* delta of local pkt idx and that in hdr */ + srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + int enc_octet_len = 0; /* number of octets in encrypted portion */ + srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ + int delta; /* delta of local pkt idx and that in hdr */ srtp_err_status_t status; uint32_t tag_len; v128_t iv; @@ -1708,17 +1726,18 @@ srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, * extension, if present; otherwise, it starts after the last csrc, * if any are present */ - enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc; - if (hdr->x == 1) { - xtn_hdr = (srtp_hdr_xtnd_t*)enc_start; - enc_start += (ntohs(xtn_hdr->length) + 1); - } - /* note: the passed size is without the auth tag */ - if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len)) - return srtp_err_status_parse_err; - enc_octet_len = (int)(*pkt_octet_len - - ((uint8_t*)enc_start - (uint8_t*)hdr)); - if (enc_octet_len < 0) return srtp_err_status_parse_err; + enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; + if (hdr->x == 1) { + xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; + enc_start += (ntohs(xtn_hdr->length) + 1); + } + /* note: the passed size is without the auth tag */ + if (!((uint8_t *)enc_start <= (uint8_t *)hdr + *pkt_octet_len)) + return srtp_err_status_parse_err; + enc_octet_len = + (int)(*pkt_octet_len - ((uint8_t *)enc_start - (uint8_t *)hdr)); + if (enc_octet_len < 0) + return srtp_err_status_parse_err; /* * estimate the packet index using the start of the replay window @@ -1727,16 +1746,16 @@ srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, delta = srtp_rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq)); status = srtp_rdbx_check(&stream->rtp_rdbx, delta); if (status) { - if (status != srtp_err_status_replay_fail || !stream->allow_repeat_tx) { - return status; /* we've been asked to reuse an index */ - } + if (status != srtp_err_status_replay_fail || !stream->allow_repeat_tx) { + return status; /* we've been asked to reuse an index */ + } } else { - srtp_rdbx_add_index(&stream->rtp_rdbx, delta); + srtp_rdbx_add_index(&stream->rtp_rdbx, delta); } #ifdef NO_64BIT_MATH - debug_print2(mod_srtp, "estimated packet index: %08x%08x", - high32(est), low32(est)); + debug_print2(mod_srtp, "estimated packet index: %08x%08x", high32(est), + low32(est)); #else debug_print(mod_srtp, "estimated packet index: %016llx", est); #endif @@ -1745,50 +1764,50 @@ srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, * AEAD uses a new IV formation method */ srtp_calc_aead_iv(session_keys, &iv, &est, hdr); - /* shift est, put into network byte order */ +/* shift est, put into network byte order */ #ifdef NO_64BIT_MATH - est = be64_to_cpu(make64((high32(est) << 16) | - (low32(est) >> 16), - low32(est) << 16)); + est = be64_to_cpu( + make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); #else est = be64_to_cpu(est << 16); #endif - status = srtp_cipher_set_iv(session_keys->rtp_cipher, - (uint8_t*)&iv, srtp_direction_encrypt); + status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, + srtp_direction_encrypt); if (!status && session_keys->rtp_xtn_hdr_cipher) { - iv.v32[0] = 0; - iv.v32[1] = hdr->ssrc; - iv.v64[1] = est; - status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, - (uint8_t*)&iv, srtp_direction_encrypt); + iv.v32[0] = 0; + iv.v32[1] = hdr->ssrc; + iv.v64[1] = est; + status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, + (uint8_t *)&iv, srtp_direction_encrypt); } if (status) { return srtp_err_status_cipher_fail; } if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { - /* - * extensions header encryption RFC 6904 - */ - status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); - if (status) { - return status; - } + /* + * extensions header encryption RFC 6904 + */ + status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); + if (status) { + return status; + } } /* - * Set the AAD over the RTP header + * Set the AAD over the RTP header */ aad_len = (uint8_t *)enc_start - (uint8_t *)hdr; - status = srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t*)hdr, aad_len); + status = + srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t *)hdr, aad_len); if (status) { - return ( srtp_err_status_cipher_fail); + return (srtp_err_status_cipher_fail); } /* Encrypt the payload */ - status = srtp_cipher_encrypt(session_keys->rtp_cipher, - (uint8_t*)enc_start, (unsigned int *)&enc_octet_len); + status = srtp_cipher_encrypt(session_keys->rtp_cipher, (uint8_t *)enc_start, + (unsigned int *)&enc_octet_len); if (status) { return srtp_err_status_cipher_fail; } @@ -1796,10 +1815,11 @@ srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, * If we're doing GCM, we need to get the tag * and append that to the output */ - status = srtp_cipher_get_tag(session_keys->rtp_cipher, - (uint8_t*)enc_start+enc_octet_len, &tag_len); + status = + srtp_cipher_get_tag(session_keys->rtp_cipher, + (uint8_t *)enc_start + enc_octet_len, &tag_len); if (status) { - return ( srtp_err_status_cipher_fail); + return (srtp_err_status_cipher_fail); } mki_location = (uint8_t *)hdr + *pkt_octet_len + tag_len; @@ -1814,7 +1834,6 @@ srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, return srtp_err_status_ok; } - /* * This function handles incoming SRTP packets while in AEAD mode, * which currently supports AES-GCM encryption. All packets are @@ -1822,13 +1841,17 @@ srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, * of the packet stream and is automatically checked by GCM * when decrypting the payload. */ -static srtp_err_status_t -srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta, - srtp_xtd_seq_num_t est, void *srtp_hdr, unsigned int *pkt_octet_len, - srtp_session_keys_t *session_keys, unsigned int mki_size) +static srtp_err_status_t srtp_unprotect_aead(srtp_ctx_t *ctx, + srtp_stream_ctx_t *stream, + int delta, + srtp_xtd_seq_num_t est, + void *srtp_hdr, + unsigned int *pkt_octet_len, + srtp_session_keys_t *session_keys, + unsigned int mki_size) { - srtp_hdr_t *hdr = (srtp_hdr_t*)srtp_hdr; - uint32_t *enc_start; /* pointer to start of encrypted portion */ + srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ v128_t iv; srtp_err_status_t status; @@ -1839,7 +1862,8 @@ srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta, debug_print(mod_srtp, "function srtp_unprotect_aead", NULL); #ifdef NO_64BIT_MATH - debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), low32(est)); + debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), + low32(est)); #else debug_print(mod_srtp, "estimated u_packet index: %016llx", est); #endif @@ -1848,21 +1872,22 @@ srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta, tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); /* - * AEAD uses a new IV formation method + * AEAD uses a new IV formation method */ srtp_calc_aead_iv(session_keys, &iv, &est, hdr); - status = srtp_cipher_set_iv(session_keys->rtp_cipher, - (uint8_t*)&iv, srtp_direction_decrypt); + status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, + srtp_direction_decrypt); if (!status && session_keys->rtp_xtn_hdr_cipher) { - iv.v32[0] = 0; - iv.v32[1] = hdr->ssrc; + iv.v32[0] = 0; + iv.v32[1] = hdr->ssrc; #ifdef NO_64BIT_MATH - iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), - low32(est) << 16)); + iv.v64[1] = be64_to_cpu( + make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); #else - iv.v64[1] = be64_to_cpu(est << 16); + iv.v64[1] = be64_to_cpu(est << 16); #endif - status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, (uint8_t*)&iv, srtp_direction_encrypt); + status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, + (uint8_t *)&iv, srtp_direction_encrypt); } if (status) { return srtp_err_status_cipher_fail; @@ -1874,25 +1899,26 @@ srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta, * extension, if present; otherwise, it starts after the last csrc, * if any are present */ - enc_start = (uint32_t*)hdr + uint32s_in_rtp_header + hdr->cc; + enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; if (hdr->x == 1) { - xtn_hdr = (srtp_hdr_xtnd_t*)enc_start; + xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; enc_start += (ntohs(xtn_hdr->length) + 1); } - if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len - mki_size))) + if (!((uint8_t *)enc_start <= + (uint8_t *)hdr + (*pkt_octet_len - tag_len - mki_size))) return srtp_err_status_parse_err; /* - * We pass the tag down to the cipher when doing GCM mode + * We pass the tag down to the cipher when doing GCM mode */ enc_octet_len = (unsigned int)(*pkt_octet_len - mki_size - - ((uint8_t*)enc_start - (uint8_t*)hdr)); + ((uint8_t *)enc_start - (uint8_t *)hdr)); /* * Sanity check the encrypted payload length against * the tag size. It must always be at least as large * as the tag length. */ - if (enc_octet_len < (unsigned int) tag_len) { + if (enc_octet_len < (unsigned int)tag_len) { return srtp_err_status_cipher_fail; } @@ -1918,27 +1944,28 @@ srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta, * Set the AAD for AES-GCM, which is the RTP header */ aad_len = (uint8_t *)enc_start - (uint8_t *)hdr; - status = srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t*)hdr, aad_len); + status = + srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t *)hdr, aad_len); if (status) { - return ( srtp_err_status_cipher_fail); + return (srtp_err_status_cipher_fail); } /* Decrypt the ciphertext. This also checks the auth tag based * on the AAD we just specified above */ - status = srtp_cipher_decrypt(session_keys->rtp_cipher, - (uint8_t*)enc_start, &enc_octet_len); + status = srtp_cipher_decrypt(session_keys->rtp_cipher, (uint8_t *)enc_start, + &enc_octet_len); if (status) { return status; } if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { - /* - * extensions header encryption RFC 6904 - */ - status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); - if (status) { - return status; - } + /* + * extensions header encryption RFC 6904 + */ + status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); + if (status) { + return status; + } } /* @@ -1974,7 +2001,8 @@ srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta, * stream, and some implementations will want to not return * failure here */ - status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); + status = + srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); if (status) { return status; } @@ -2002,724 +2030,730 @@ srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta, return srtp_err_status_ok; } +srtp_err_status_t srtp_protect(srtp_ctx_t *ctx, + void *rtp_hdr, + int *pkt_octet_len) +{ + return srtp_protect_mki(ctx, rtp_hdr, pkt_octet_len, 0, 0); +} - srtp_err_status_t - srtp_protect(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len) { - return srtp_protect_mki(ctx, rtp_hdr, pkt_octet_len, 0, 0); - } - -srtp_err_status_t -srtp_protect_mki(srtp_ctx_t *ctx, void *rtp_hdr, int *pkt_octet_len, - unsigned int use_mki, unsigned int mki_index ) { - srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; - uint32_t *enc_start; /* pointer to start of encrypted portion */ - uint32_t *auth_start; /* pointer to start of auth. portion */ - int enc_octet_len = 0; /* number of octets in encrypted portion */ - srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ - int delta; /* delta of local pkt idx and that in hdr */ - uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ - srtp_err_status_t status; - int tag_len; - srtp_stream_ctx_t *stream; - uint32_t prefix_len; - srtp_hdr_xtnd_t *xtn_hdr = NULL; - unsigned int mki_size = 0; - srtp_session_keys_t *session_keys = NULL; - uint8_t* mki_location = NULL; - int advance_packet_index = 0; - - debug_print(mod_srtp, "function srtp_protect", NULL); - - /* we assume the hdr is 32-bit aligned to start */ - - /* Verify RTP header */ - status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len); - if (status) - return status; - - /* check the packet length - it must at least contain a full header */ - if (*pkt_octet_len < octets_in_rtp_header) - return srtp_err_status_bad_param; +srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx, + void *rtp_hdr, + int *pkt_octet_len, + unsigned int use_mki, + unsigned int mki_index) +{ + srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + uint32_t *auth_start; /* pointer to start of auth. portion */ + int enc_octet_len = 0; /* number of octets in encrypted portion */ + srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ + int delta; /* delta of local pkt idx and that in hdr */ + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + srtp_err_status_t status; + int tag_len; + srtp_stream_ctx_t *stream; + uint32_t prefix_len; + srtp_hdr_xtnd_t *xtn_hdr = NULL; + unsigned int mki_size = 0; + srtp_session_keys_t *session_keys = NULL; + uint8_t *mki_location = NULL; + int advance_packet_index = 0; - /* - * look up ssrc in srtp_stream list, and process the packet with - * the appropriate stream. if we haven't seen this stream before, - * there's a template key for this srtp_session, and the cipher - * supports key-sharing, then we assume that a new stream using - * that key has just started up - */ - stream = srtp_get_stream(ctx, hdr->ssrc); - if (stream == NULL) { - if (ctx->stream_template != NULL) { - srtp_stream_ctx_t *new_stream; - - /* allocate and initialize a new stream */ - status = srtp_stream_clone(ctx->stream_template, - hdr->ssrc, &new_stream); - if (status) - return status; - - /* add new stream to the head of the stream_list */ - new_stream->next = ctx->stream_list; - ctx->stream_list = new_stream; - - /* set direction to outbound */ - new_stream->direction = dir_srtp_sender; - - /* set stream (the pointer used in this function) */ - stream = new_stream; - } else { - /* no template stream, so we return an error */ - return srtp_err_status_no_ctx; - } - } - - /* - * verify that stream is for sending traffic - this check will - * detect SSRC collisions, since a stream that appears in both - * srtp_protect() and srtp_unprotect() will fail this test in one of - * those functions. - */ + debug_print(mod_srtp, "function srtp_protect", NULL); - if (stream->direction != dir_srtp_sender) { - if (stream->direction == dir_unknown) { - stream->direction = dir_srtp_sender; - } else { - srtp_handle_event(ctx, stream, event_ssrc_collision); - } - } + /* we assume the hdr is 32-bit aligned to start */ - session_keys = srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index); + /* Verify RTP header */ + status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len); + if (status) + return status; - /* - * Check if this is an AEAD stream (GCM mode). If so, then dispatch - * the request to our AEAD handler. - */ - if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || - session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { - return srtp_protect_aead(ctx, stream, rtp_hdr, - (unsigned int*)pkt_octet_len, session_keys, - use_mki); - } - - /* - * update the key usage limit, and check it to make sure that we - * didn't just hit either the soft limit or the hard limit, and call - * the event handler if we hit either. - */ - switch(srtp_key_limit_update(session_keys->limit)) { - case srtp_key_event_normal: - break; - case srtp_key_event_soft_limit: - srtp_handle_event(ctx, stream, event_key_soft_limit); - break; - case srtp_key_event_hard_limit: - srtp_handle_event(ctx, stream, event_key_hard_limit); - return srtp_err_status_key_expired; - default: - break; - } - - /* get tag length from stream */ - tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); - - /* - * find starting point for encryption and length of data to be - * encrypted - the encrypted portion starts after the rtp header - * extension, if present; otherwise, it starts after the last csrc, - * if any are present - * - * if we're not providing confidentiality, set enc_start to NULL - */ - if (stream->rtp_services & sec_serv_conf) { - enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; - if (hdr->x == 1) { - xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; - enc_start += (ntohs(xtn_hdr->length) + 1); - } - /* note: the passed size is without the auth tag */ - if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len)) - return srtp_err_status_parse_err; - enc_octet_len = (int)(*pkt_octet_len - - ((uint8_t*)enc_start - (uint8_t*)hdr)); - if (enc_octet_len < 0) return srtp_err_status_parse_err; - } else { - enc_start = NULL; - } - - mki_location = (uint8_t *)hdr + *pkt_octet_len; - mki_size = srtp_inject_mki(mki_location, session_keys, use_mki); - - /* - * if we're providing authentication, set the auth_start and auth_tag - * pointers to the proper locations; otherwise, set auth_start to NULL - * to indicate that no authentication is needed - */ - if (stream->rtp_services & sec_serv_auth) { - auth_start = (uint32_t *)hdr; - auth_tag = (uint8_t *)hdr + *pkt_octet_len + mki_size; - } else { - auth_start = NULL; - auth_tag = NULL; - } - - /* - * estimate the packet index using the start of the replay window - * and the sequence number from the header - */ - status = srtp_get_est_pkt_index(hdr, - stream, - &est, - &delta); - - if (status && (status != srtp_err_status_pkt_idx_adv)) - return status; + /* check the packet length - it must at least contain a full header */ + if (*pkt_octet_len < octets_in_rtp_header) + return srtp_err_status_bad_param; - if (status == srtp_err_status_pkt_idx_adv) - advance_packet_index = 1; + /* + * look up ssrc in srtp_stream list, and process the packet with + * the appropriate stream. if we haven't seen this stream before, + * there's a template key for this srtp_session, and the cipher + * supports key-sharing, then we assume that a new stream using + * that key has just started up + */ + stream = srtp_get_stream(ctx, hdr->ssrc); + if (stream == NULL) { + if (ctx->stream_template != NULL) { + srtp_stream_ctx_t *new_stream; - if (advance_packet_index) { - srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, - (uint32_t)(est >> 16), - (uint16_t)(est & 0xFFFF)); - stream->pending_roc = 0; - srtp_rdbx_add_index(&stream->rtp_rdbx, 0); - } else { - status = srtp_rdbx_check(&stream->rtp_rdbx, delta); - if (status) { - if (status != srtp_err_status_replay_fail || !stream->allow_repeat_tx) - return status; /* we've been asked to reuse an index */ - } - srtp_rdbx_add_index(&stream->rtp_rdbx, delta); - } + /* allocate and initialize a new stream */ + status = + srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); + if (status) + return status; -#ifdef NO_64BIT_MATH - debug_print2(mod_srtp, "estimated packet index: %08x%08x", - high32(est),low32(est)); -#else - debug_print(mod_srtp, "estimated packet index: %016llx", est); -#endif + /* add new stream to the head of the stream_list */ + new_stream->next = ctx->stream_list; + ctx->stream_list = new_stream; - /* - * if we're using rindael counter mode, set nonce and seq - */ - if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 || - session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 || - session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) { - v128_t iv; + /* set direction to outbound */ + new_stream->direction = dir_srtp_sender; - iv.v32[0] = 0; - iv.v32[1] = hdr->ssrc; -#ifdef NO_64BIT_MATH - iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), - low32(est) << 16)); -#else - iv.v64[1] = be64_to_cpu(est << 16); -#endif - status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t*)&iv, srtp_direction_encrypt); - if (!status && session_keys->rtp_xtn_hdr_cipher) { - status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, (uint8_t*)&iv, srtp_direction_encrypt); - } - } else { - v128_t iv; - - /* otherwise, set the index to est */ -#ifdef NO_64BIT_MATH - iv.v32[0] = 0; - iv.v32[1] = 0; -#else - iv.v64[0] = 0; -#endif - iv.v64[1] = be64_to_cpu(est); - status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t*)&iv, srtp_direction_encrypt); - if (!status && session_keys->rtp_xtn_hdr_cipher) { - status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, (uint8_t*)&iv, srtp_direction_encrypt); - } - } - if (status) - return srtp_err_status_cipher_fail; - - /* shift est, put into network byte order */ -#ifdef NO_64BIT_MATH - est = be64_to_cpu(make64((high32(est) << 16) | - (low32(est) >> 16), - low32(est) << 16)); -#else - est = be64_to_cpu(est << 16); -#endif - - /* - * if we're authenticating using a universal hash, put the keystream - * prefix into the authentication tag - */ - if (auth_start) { - - prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth); - if (prefix_len) { - status = srtp_cipher_output(session_keys->rtp_cipher, auth_tag, &prefix_len); - if (status) - return srtp_err_status_cipher_fail; - debug_print(mod_srtp, "keystream prefix: %s", - srtp_octet_string_hex_string(auth_tag, prefix_len)); + /* set stream (the pointer used in this function) */ + stream = new_stream; + } else { + /* no template stream, so we return an error */ + return srtp_err_status_no_ctx; + } } - } - if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { /* - * extensions header encryption RFC 6904 + * verify that stream is for sending traffic - this check will + * detect SSRC collisions, since a stream that appears in both + * srtp_protect() and srtp_unprotect() will fail this test in one of + * those functions. */ - status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); - if (status) { - return status; - } - } - - /* if we're encrypting, exor keystream into the message */ - if (enc_start) { - status = srtp_cipher_encrypt(session_keys->rtp_cipher, - (uint8_t *)enc_start, (unsigned int *)&enc_octet_len); - if (status) - return srtp_err_status_cipher_fail; - } - - /* - * if we're authenticating, run authentication function and put result - * into the auth_tag - */ - if (auth_start) { - - /* initialize auth func context */ - status = srtp_auth_start(session_keys->rtp_auth); - if (status) return status; - - /* run auth func over packet */ - status = srtp_auth_update(session_keys->rtp_auth, - (uint8_t *)auth_start, *pkt_octet_len); - if (status) return status; - - /* run auth func over ROC, put result into auth_tag */ - debug_print(mod_srtp, "estimated packet index: %016llx", est); - status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4, auth_tag); - debug_print(mod_srtp, "srtp auth tag: %s", - srtp_octet_string_hex_string(auth_tag, tag_len)); - if (status) - return srtp_err_status_auth_fail; - - } - if (auth_tag) { - - /* increase the packet length by the length of the auth tag */ - *pkt_octet_len += tag_len; - } - - if (use_mki) { - /* increate the packet length by the mki size */ - *pkt_octet_len += mki_size; - } + if (stream->direction != dir_srtp_sender) { + if (stream->direction == dir_unknown) { + stream->direction = dir_srtp_sender; + } else { + srtp_handle_event(ctx, stream, event_ssrc_collision); + } + } - return srtp_err_status_ok; -} + session_keys = + srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index); + if (session_keys == NULL) + return srtp_err_status_bad_mki; -srtp_err_status_t -srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) { - return srtp_unprotect_mki(ctx, srtp_hdr, pkt_octet_len, 0); -} + /* + * Check if this is an AEAD stream (GCM mode). If so, then dispatch + * the request to our AEAD handler. + */ + if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || + session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { + return srtp_protect_aead(ctx, stream, rtp_hdr, + (unsigned int *)pkt_octet_len, session_keys, + use_mki); + } -srtp_err_status_t -srtp_unprotect_mki(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len, - unsigned int use_mki) { - srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; - uint32_t *enc_start; /* pointer to start of encrypted portion */ - uint32_t *auth_start; /* pointer to start of auth. portion */ - unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ - uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ - srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ - int delta; /* delta of local pkt idx and that in hdr */ - v128_t iv; - srtp_err_status_t status; - srtp_stream_ctx_t *stream; - uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; - uint32_t tag_len, prefix_len; - srtp_hdr_xtnd_t *xtn_hdr = NULL; - unsigned int mki_size = 0; - srtp_session_keys_t *session_keys = NULL; - int advance_packet_index = 0; - uint32_t roc_to_set = 0; - uint16_t seq_to_set = 0; - - debug_print(mod_srtp, "function srtp_unprotect", NULL); - - /* we assume the hdr is 32-bit aligned to start */ - - /* Verify RTP header */ - status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len); - if (status) - return status; + /* + * update the key usage limit, and check it to make sure that we + * didn't just hit either the soft limit or the hard limit, and call + * the event handler if we hit either. + */ + switch (srtp_key_limit_update(session_keys->limit)) { + case srtp_key_event_normal: + break; + case srtp_key_event_soft_limit: + srtp_handle_event(ctx, stream, event_key_soft_limit); + break; + case srtp_key_event_hard_limit: + srtp_handle_event(ctx, stream, event_key_hard_limit); + return srtp_err_status_key_expired; + default: + break; + } + + /* get tag length from stream */ + tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); + + /* + * find starting point for encryption and length of data to be + * encrypted - the encrypted portion starts after the rtp header + * extension, if present; otherwise, it starts after the last csrc, + * if any are present + * + * if we're not providing confidentiality, set enc_start to NULL + */ + if (stream->rtp_services & sec_serv_conf) { + enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; + if (hdr->x == 1) { + xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; + enc_start += (ntohs(xtn_hdr->length) + 1); + } + /* note: the passed size is without the auth tag */ + if (!((uint8_t *)enc_start <= (uint8_t *)hdr + *pkt_octet_len)) + return srtp_err_status_parse_err; + enc_octet_len = + (int)(*pkt_octet_len - ((uint8_t *)enc_start - (uint8_t *)hdr)); + if (enc_octet_len < 0) + return srtp_err_status_parse_err; + } else { + enc_start = NULL; + } + + mki_location = (uint8_t *)hdr + *pkt_octet_len; + mki_size = srtp_inject_mki(mki_location, session_keys, use_mki); + + /* + * if we're providing authentication, set the auth_start and auth_tag + * pointers to the proper locations; otherwise, set auth_start to NULL + * to indicate that no authentication is needed + */ + if (stream->rtp_services & sec_serv_auth) { + auth_start = (uint32_t *)hdr; + auth_tag = (uint8_t *)hdr + *pkt_octet_len + mki_size; + } else { + auth_start = NULL; + auth_tag = NULL; + } + + /* + * estimate the packet index using the start of the replay window + * and the sequence number from the header + */ + status = srtp_get_est_pkt_index(hdr, stream, &est, &delta); + + if (status && (status != srtp_err_status_pkt_idx_adv)) + return status; + + if (status == srtp_err_status_pkt_idx_adv) + advance_packet_index = 1; + + if (advance_packet_index) { + srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, (uint32_t)(est >> 16), + (uint16_t)(est & 0xFFFF)); + stream->pending_roc = 0; + srtp_rdbx_add_index(&stream->rtp_rdbx, 0); + } else { + status = srtp_rdbx_check(&stream->rtp_rdbx, delta); + if (status) { + if (status != srtp_err_status_replay_fail || + !stream->allow_repeat_tx) + return status; /* we've been asked to reuse an index */ + } + srtp_rdbx_add_index(&stream->rtp_rdbx, delta); + } - /* check the packet length - it must at least contain a full header */ - if (*pkt_octet_len < octets_in_rtp_header) - return srtp_err_status_bad_param; - - /* - * look up ssrc in srtp_stream list, and process the packet with - * the appropriate stream. if we haven't seen this stream before, - * there's only one key for this srtp_session, and the cipher - * supports key-sharing, then we assume that a new stream using - * that key has just started up - */ - stream = srtp_get_stream(ctx, hdr->ssrc); - if (stream == NULL) { - if (ctx->stream_template != NULL) { - stream = ctx->stream_template; - debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)", - ntohl(hdr->ssrc)); - - /* - * set estimated packet index to sequence number from header, - * and set delta equal to the same value - */ #ifdef NO_64BIT_MATH - est = (srtp_xtd_seq_num_t) make64(0,ntohs(hdr->seq)); - delta = low32(est); + debug_print2(mod_srtp, "estimated packet index: %08x%08x", high32(est), + low32(est)); #else - est = (srtp_xtd_seq_num_t) ntohs(hdr->seq); - delta = (int)est; + debug_print(mod_srtp, "estimated packet index: %016llx", est); #endif + + /* + * if we're using rindael counter mode, set nonce and seq + */ + if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 || + session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 || + session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) { + v128_t iv; + + iv.v32[0] = 0; + iv.v32[1] = hdr->ssrc; +#ifdef NO_64BIT_MATH + iv.v64[1] = be64_to_cpu( + make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); +#else + iv.v64[1] = be64_to_cpu(est << 16); +#endif + status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, + srtp_direction_encrypt); + if (!status && session_keys->rtp_xtn_hdr_cipher) { + status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, + (uint8_t *)&iv, srtp_direction_encrypt); + } } else { - - /* - * no stream corresponding to SSRC found, and we don't do - * key-sharing, so return an error - */ - return srtp_err_status_no_ctx; - } - } else { - status = srtp_get_est_pkt_index(hdr, - stream, - &est, - &delta); + v128_t iv; - if (status && (status != srtp_err_status_pkt_idx_adv)) - return status; +/* otherwise, set the index to est */ +#ifdef NO_64BIT_MATH + iv.v32[0] = 0; + iv.v32[1] = 0; +#else + iv.v64[0] = 0; +#endif + iv.v64[1] = be64_to_cpu(est); + status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, + srtp_direction_encrypt); + if (!status && session_keys->rtp_xtn_hdr_cipher) { + status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, + (uint8_t *)&iv, srtp_direction_encrypt); + } + } + if (status) + return srtp_err_status_cipher_fail; + +/* shift est, put into network byte order */ +#ifdef NO_64BIT_MATH + est = be64_to_cpu( + make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); +#else + est = be64_to_cpu(est << 16); +#endif - if (status == srtp_err_status_pkt_idx_adv) { - advance_packet_index = 1; - roc_to_set = (uint32_t)(est >> 16); - seq_to_set = (uint16_t)(est & 0xFFFF); + /* + * if we're authenticating using a universal hash, put the keystream + * prefix into the authentication tag + */ + if (auth_start) { + prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth); + if (prefix_len) { + status = srtp_cipher_output(session_keys->rtp_cipher, auth_tag, + &prefix_len); + if (status) + return srtp_err_status_cipher_fail; + debug_print(mod_srtp, "keystream prefix: %s", + srtp_octet_string_hex_string(auth_tag, prefix_len)); + } } - /* check replay database */ - if (!advance_packet_index) { - status = srtp_rdbx_check(&stream->rtp_rdbx, delta); - if (status) - return status; + if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { + /* + * extensions header encryption RFC 6904 + */ + status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); + if (status) { + return status; + } + } + + /* if we're encrypting, exor keystream into the message */ + if (enc_start) { + status = + srtp_cipher_encrypt(session_keys->rtp_cipher, (uint8_t *)enc_start, + (unsigned int *)&enc_octet_len); + if (status) + return srtp_err_status_cipher_fail; + } + + /* + * if we're authenticating, run authentication function and put result + * into the auth_tag + */ + if (auth_start) { + /* initialize auth func context */ + status = srtp_auth_start(session_keys->rtp_auth); + if (status) + return status; + + /* run auth func over packet */ + status = srtp_auth_update(session_keys->rtp_auth, (uint8_t *)auth_start, + *pkt_octet_len); + if (status) + return status; + + /* run auth func over ROC, put result into auth_tag */ + debug_print(mod_srtp, "estimated packet index: %016llx", est); + status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4, + auth_tag); + debug_print(mod_srtp, "srtp auth tag: %s", + srtp_octet_string_hex_string(auth_tag, tag_len)); + if (status) + return srtp_err_status_auth_fail; } - } + if (auth_tag) { + /* increase the packet length by the length of the auth tag */ + *pkt_octet_len += tag_len; + } + + if (use_mki) { + /* increate the packet length by the mki size */ + *pkt_octet_len += mki_size; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_unprotect(srtp_ctx_t *ctx, + void *srtp_hdr, + int *pkt_octet_len) +{ + return srtp_unprotect_mki(ctx, srtp_hdr, pkt_octet_len, 0); +} + +srtp_err_status_t srtp_unprotect_mki(srtp_ctx_t *ctx, + void *srtp_hdr, + int *pkt_octet_len, + unsigned int use_mki) +{ + srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + uint32_t *auth_start; /* pointer to start of auth. portion */ + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr */ + int delta; /* delta of local pkt idx and that in hdr */ + v128_t iv; + srtp_err_status_t status; + srtp_stream_ctx_t *stream; + uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; + uint32_t tag_len, prefix_len; + srtp_hdr_xtnd_t *xtn_hdr = NULL; + unsigned int mki_size = 0; + srtp_session_keys_t *session_keys = NULL; + int advance_packet_index = 0; + uint32_t roc_to_set = 0; + uint16_t seq_to_set = 0; + + debug_print(mod_srtp, "function srtp_unprotect", NULL); + + /* we assume the hdr is 32-bit aligned to start */ + + /* Verify RTP header */ + status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len); + if (status) + return status; + + /* check the packet length - it must at least contain a full header */ + if (*pkt_octet_len < octets_in_rtp_header) + return srtp_err_status_bad_param; + + /* + * look up ssrc in srtp_stream list, and process the packet with + * the appropriate stream. if we haven't seen this stream before, + * there's only one key for this srtp_session, and the cipher + * supports key-sharing, then we assume that a new stream using + * that key has just started up + */ + stream = srtp_get_stream(ctx, hdr->ssrc); + if (stream == NULL) { + if (ctx->stream_template != NULL) { + stream = ctx->stream_template; + debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)", + ntohl(hdr->ssrc)); + +/* + * set estimated packet index to sequence number from header, + * and set delta equal to the same value + */ #ifdef NO_64BIT_MATH - debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),low32(est)); + est = (srtp_xtd_seq_num_t)make64(0, ntohs(hdr->seq)); + delta = low32(est); #else - debug_print(mod_srtp, "estimated u_packet index: %016llx", est); + est = (srtp_xtd_seq_num_t)ntohs(hdr->seq); + delta = (int)est; #endif + } else { + /* + * no stream corresponding to SSRC found, and we don't do + * key-sharing, so return an error + */ + return srtp_err_status_no_ctx; + } + } else { + status = srtp_get_est_pkt_index(hdr, stream, &est, &delta); + + if (status && (status != srtp_err_status_pkt_idx_adv)) + return status; + + if (status == srtp_err_status_pkt_idx_adv) { + advance_packet_index = 1; + roc_to_set = (uint32_t)(est >> 16); + seq_to_set = (uint16_t)(est & 0xFFFF); + } + + /* check replay database */ + if (!advance_packet_index) { + status = srtp_rdbx_check(&stream->rtp_rdbx, delta); + if (status) + return status; + } + } - /* - * Determine if MKI is being used and what session keys should be used - */ - if (use_mki) { - session_keys = srtp_get_session_keys(stream, (uint8_t *)hdr, - (const unsigned int*)pkt_octet_len, - &mki_size); - - if (session_keys == NULL) - return srtp_err_status_bad_mki; - } else { - session_keys = &stream->session_keys[0]; - } - - /* - * Check if this is an AEAD stream (GCM mode). If so, then dispatch - * the request to our AEAD handler. - */ - if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || - session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { - return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr, - (unsigned int*)pkt_octet_len, session_keys, - mki_size); - } - - /* get tag length from stream */ - tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); - - /* - * set the cipher's IV properly, depending on whatever cipher we - * happen to be using - */ - if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 || - session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 || - session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) { - /* aes counter mode */ - iv.v32[0] = 0; - iv.v32[1] = hdr->ssrc; /* still in network order */ #ifdef NO_64BIT_MATH - iv.v64[1] = be64_to_cpu(make64((high32(est) << 16) | (low32(est) >> 16), - low32(est) << 16)); + debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est), + low32(est)); #else - iv.v64[1] = be64_to_cpu(est << 16); + debug_print(mod_srtp, "estimated u_packet index: %016llx", est); #endif - status = srtp_cipher_set_iv(session_keys->rtp_cipher, - (uint8_t*)&iv, srtp_direction_decrypt); - if (!status && session_keys->rtp_xtn_hdr_cipher) { - status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, - (uint8_t*)&iv, srtp_direction_decrypt); + + /* Determine if MKI is being used and what session keys should be used */ + if (use_mki) { + session_keys = srtp_get_session_keys( + stream, (uint8_t *)hdr, (const unsigned int *)pkt_octet_len, + &mki_size); + + if (session_keys == NULL) + return srtp_err_status_bad_mki; + } else { + session_keys = &stream->session_keys[0]; } - } else { - - /* no particular format - set the iv to the pakcet index */ + + /* + * Check if this is an AEAD stream (GCM mode). If so, then dispatch + * the request to our AEAD handler. + */ + if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || + session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { + return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr, + (unsigned int *)pkt_octet_len, session_keys, + mki_size); + } + + /* get tag length from stream */ + tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth); + + /* + * set the cipher's IV properly, depending on whatever cipher we + * happen to be using + */ + if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 || + session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 || + session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) { + /* aes counter mode */ + iv.v32[0] = 0; + iv.v32[1] = hdr->ssrc; /* still in network order */ #ifdef NO_64BIT_MATH - iv.v32[0] = 0; - iv.v32[1] = 0; + iv.v64[1] = be64_to_cpu( + make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); #else - iv.v64[0] = 0; + iv.v64[1] = be64_to_cpu(est << 16); #endif - iv.v64[1] = be64_to_cpu(est); - status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t*)&iv, srtp_direction_decrypt); - if (!status && session_keys->rtp_xtn_hdr_cipher) { - status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, (uint8_t*)&iv, srtp_direction_decrypt); + status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, + srtp_direction_decrypt); + if (!status && session_keys->rtp_xtn_hdr_cipher) { + status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, + (uint8_t *)&iv, srtp_direction_decrypt); + } + } else { +/* no particular format - set the iv to the pakcet index */ +#ifdef NO_64BIT_MATH + iv.v32[0] = 0; + iv.v32[1] = 0; +#else + iv.v64[0] = 0; +#endif + iv.v64[1] = be64_to_cpu(est); + status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv, + srtp_direction_decrypt); + if (!status && session_keys->rtp_xtn_hdr_cipher) { + status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher, + (uint8_t *)&iv, srtp_direction_decrypt); + } } - } - if (status) - return srtp_err_status_cipher_fail; + if (status) + return srtp_err_status_cipher_fail; - /* shift est, put into network byte order */ +/* shift est, put into network byte order */ #ifdef NO_64BIT_MATH - est = be64_to_cpu(make64((high32(est) << 16) | - (low32(est) >> 16), - low32(est) << 16)); + est = be64_to_cpu( + make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16)); #else - est = be64_to_cpu(est << 16); + est = be64_to_cpu(est << 16); #endif - /* - * find starting point for decryption and length of data to be - * decrypted - the encrypted portion starts after the rtp header - * extension, if present; otherwise, it starts after the last csrc, - * if any are present - * - * if we're not providing confidentiality, set enc_start to NULL - */ - if (stream->rtp_services & sec_serv_conf) { - enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; - if (hdr->x == 1) { - xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; - enc_start += (ntohs(xtn_hdr->length) + 1); - } - if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len - mki_size))) - return srtp_err_status_parse_err; - enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - mki_size - - ((uint8_t*)enc_start - (uint8_t*)hdr)); - } else { - enc_start = NULL; - } - - /* - * if we're providing authentication, set the auth_start and auth_tag - * pointers to the proper locations; otherwise, set auth_start to NULL - * to indicate that no authentication is needed - */ - if (stream->rtp_services & sec_serv_auth) { - auth_start = (uint32_t *)hdr; - auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len; - } else { - auth_start = NULL; - auth_tag = NULL; - } - - /* - * if we expect message authentication, run the authentication - * function and compare the result with the value of the auth_tag - */ - if (auth_start) { - - /* - * if we're using a universal hash, then we need to compute the - * keystream prefix for encrypting the universal hash output + /* + * find starting point for decryption and length of data to be + * decrypted - the encrypted portion starts after the rtp header + * extension, if present; otherwise, it starts after the last csrc, + * if any are present * - * if the keystream prefix length is zero, then we know that - * the authenticator isn't using a universal hash function - */ - if (session_keys->rtp_auth->prefix_len != 0) { - - prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth); - status = srtp_cipher_output(session_keys->rtp_cipher, tmp_tag, &prefix_len); - debug_print(mod_srtp, "keystream prefix: %s", - srtp_octet_string_hex_string(tmp_tag, prefix_len)); - if (status) - return srtp_err_status_cipher_fail; - } + * if we're not providing confidentiality, set enc_start to NULL + */ + if (stream->rtp_services & sec_serv_conf) { + enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc; + if (hdr->x == 1) { + xtn_hdr = (srtp_hdr_xtnd_t *)enc_start; + enc_start += (ntohs(xtn_hdr->length) + 1); + } + if (!((uint8_t *)enc_start <= + (uint8_t *)hdr + (*pkt_octet_len - tag_len - mki_size))) + return srtp_err_status_parse_err; + enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - mki_size - + ((uint8_t *)enc_start - (uint8_t *)hdr)); + } else { + enc_start = NULL; + } - /* initialize auth func context */ - status = srtp_auth_start(session_keys->rtp_auth); - if (status) return status; - - /* now compute auth function over packet */ - status = srtp_auth_update(session_keys->rtp_auth, (uint8_t *)auth_start, - *pkt_octet_len - tag_len - mki_size); - - /* run auth func over ROC, then write tmp tag */ - status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4, tmp_tag); - - debug_print(mod_srtp, "computed auth tag: %s", - srtp_octet_string_hex_string(tmp_tag, tag_len)); - debug_print(mod_srtp, "packet auth tag: %s", - srtp_octet_string_hex_string(auth_tag, tag_len)); - if (status) - return srtp_err_status_auth_fail; + /* + * if we're providing authentication, set the auth_start and auth_tag + * pointers to the proper locations; otherwise, set auth_start to NULL + * to indicate that no authentication is needed + */ + if (stream->rtp_services & sec_serv_auth) { + auth_start = (uint32_t *)hdr; + auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len; + } else { + auth_start = NULL; + auth_tag = NULL; + } - if (octet_string_is_eq(tmp_tag, auth_tag, tag_len)) - return srtp_err_status_auth_fail; - } - - /* - * update the key usage limit, and check it to make sure that we - * didn't just hit either the soft limit or the hard limit, and call - * the event handler if we hit either. - */ - switch(srtp_key_limit_update(session_keys->limit)) { - case srtp_key_event_normal: - break; - case srtp_key_event_soft_limit: - srtp_handle_event(ctx, stream, event_key_soft_limit); - break; - case srtp_key_event_hard_limit: - srtp_handle_event(ctx, stream, event_key_hard_limit); - return srtp_err_status_key_expired; - default: - break; - } - - if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { /* - * extensions header encryption RFC 6904 + * if we expect message authentication, run the authentication + * function and compare the result with the value of the auth_tag */ - status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); - if (status) { - return status; + if (auth_start) { + /* + * if we're using a universal hash, then we need to compute the + * keystream prefix for encrypting the universal hash output + * + * if the keystream prefix length is zero, then we know that + * the authenticator isn't using a universal hash function + */ + if (session_keys->rtp_auth->prefix_len != 0) { + prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth); + status = srtp_cipher_output(session_keys->rtp_cipher, tmp_tag, + &prefix_len); + debug_print(mod_srtp, "keystream prefix: %s", + srtp_octet_string_hex_string(tmp_tag, prefix_len)); + if (status) + return srtp_err_status_cipher_fail; + } + + /* initialize auth func context */ + status = srtp_auth_start(session_keys->rtp_auth); + if (status) + return status; + + /* now compute auth function over packet */ + status = srtp_auth_update(session_keys->rtp_auth, (uint8_t *)auth_start, + *pkt_octet_len - tag_len - mki_size); + + /* run auth func over ROC, then write tmp tag */ + status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4, + tmp_tag); + + debug_print(mod_srtp, "computed auth tag: %s", + srtp_octet_string_hex_string(tmp_tag, tag_len)); + debug_print(mod_srtp, "packet auth tag: %s", + srtp_octet_string_hex_string(auth_tag, tag_len)); + if (status) + return srtp_err_status_auth_fail; + + if (octet_string_is_eq(tmp_tag, auth_tag, tag_len)) + return srtp_err_status_auth_fail; } - } - /* if we're decrypting, add keystream into ciphertext */ - if (enc_start) { - status = srtp_cipher_decrypt(session_keys->rtp_cipher, - (uint8_t *)enc_start, &enc_octet_len); - if (status) - return srtp_err_status_cipher_fail; - } - - /* - * verify that stream is for received traffic - this check will - * detect SSRC collisions, since a stream that appears in both - * srtp_protect() and srtp_unprotect() will fail this test in one of - * those functions. - * - * we do this check *after* the authentication check, so that the - * latter check will catch any attempts to fool us into thinking - * that we've got a collision - */ - if (stream->direction != dir_srtp_receiver) { - if (stream->direction == dir_unknown) { - stream->direction = dir_srtp_receiver; - } else { - srtp_handle_event(ctx, stream, event_ssrc_collision); - } - } - - /* - * if the stream is a 'provisional' one, in which the template context - * is used, then we need to allocate a new stream at this point, since - * the authentication passed - */ - if (stream == ctx->stream_template) { - srtp_stream_ctx_t *new_stream; - - /* - * allocate and initialize a new stream - * - * note that we indicate failure if we can't allocate the new - * stream, and some implementations will want to not return - * failure here + /* + * update the key usage limit, and check it to make sure that we + * didn't just hit either the soft limit or the hard limit, and call + * the event handler if we hit either. */ - status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); - if (status) - return status; - - /* add new stream to the head of the stream_list */ - new_stream->next = ctx->stream_list; - ctx->stream_list = new_stream; - - /* set stream (the pointer used in this function) */ - stream = new_stream; - } - - /* - * the message authentication function passed, so add the packet - * index into the replay database - */ - if (advance_packet_index) { - srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, - roc_to_set, - seq_to_set); - stream->pending_roc = 0; - srtp_rdbx_add_index(&stream->rtp_rdbx, 0); - } else { - srtp_rdbx_add_index(&stream->rtp_rdbx, delta); - } + switch (srtp_key_limit_update(session_keys->limit)) { + case srtp_key_event_normal: + break; + case srtp_key_event_soft_limit: + srtp_handle_event(ctx, stream, event_key_soft_limit); + break; + case srtp_key_event_hard_limit: + srtp_handle_event(ctx, stream, event_key_hard_limit); + return srtp_err_status_key_expired; + default: + break; + } - /* decrease the packet length by the length of the auth tag */ - *pkt_octet_len -= tag_len; + if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) { + /* extensions header encryption RFC 6904 */ + status = srtp_process_header_encryption(stream, xtn_hdr, session_keys); + if (status) { + return status; + } + } - /* decrease the packet length by the mki size */ - *pkt_octet_len -= mki_size; + /* if we're decrypting, add keystream into ciphertext */ + if (enc_start) { + status = srtp_cipher_decrypt(session_keys->rtp_cipher, + (uint8_t *)enc_start, &enc_octet_len); + if (status) + return srtp_err_status_cipher_fail; + } - return srtp_err_status_ok; -} + /* + * verify that stream is for received traffic - this check will + * detect SSRC collisions, since a stream that appears in both + * srtp_protect() and srtp_unprotect() will fail this test in one of + * those functions. + * + * we do this check *after* the authentication check, so that the + * latter check will catch any attempts to fool us into thinking + * that we've got a collision + */ + if (stream->direction != dir_srtp_receiver) { + if (stream->direction == dir_unknown) { + stream->direction = dir_srtp_receiver; + } else { + srtp_handle_event(ctx, stream, event_ssrc_collision); + } + } -srtp_err_status_t -srtp_init() { - srtp_err_status_t status; + /* + * if the stream is a 'provisional' one, in which the template context + * is used, then we need to allocate a new stream at this point, since + * the authentication passed + */ + if (stream == ctx->stream_template) { + srtp_stream_ctx_t *new_stream; - /* initialize crypto kernel */ - status = srtp_crypto_kernel_init(); - if (status) - return status; + /* + * allocate and initialize a new stream + * + * note that we indicate failure if we can't allocate the new + * stream, and some implementations will want to not return + * failure here + */ + status = + srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); + if (status) + return status; - /* load srtp debug module into the kernel */ - status = srtp_crypto_kernel_load_debug_module(&mod_srtp); - if (status) - return status; + /* add new stream to the head of the stream_list */ + new_stream->next = ctx->stream_list; + ctx->stream_list = new_stream; + + /* set stream (the pointer used in this function) */ + stream = new_stream; + } + + /* + * the message authentication function passed, so add the packet + * index into the replay database + */ + if (advance_packet_index) { + srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, roc_to_set, seq_to_set); + stream->pending_roc = 0; + srtp_rdbx_add_index(&stream->rtp_rdbx, 0); + } else { + srtp_rdbx_add_index(&stream->rtp_rdbx, delta); + } + + /* decrease the packet length by the length of the auth tag */ + *pkt_octet_len -= tag_len; - return srtp_err_status_ok; + /* decrease the packet length by the mki size */ + *pkt_octet_len -= mki_size; + + return srtp_err_status_ok; } -srtp_err_status_t -srtp_shutdown() { - srtp_err_status_t status; +srtp_err_status_t srtp_init() +{ + srtp_err_status_t status; - /* shut down crypto kernel */ - status = srtp_crypto_kernel_shutdown(); - if (status) - return status; + /* initialize crypto kernel */ + status = srtp_crypto_kernel_init(); + if (status) + return status; - /* shutting down crypto kernel frees the srtp debug module as well */ + /* load srtp debug module into the kernel */ + status = srtp_crypto_kernel_load_debug_module(&mod_srtp); + if (status) + return status; - return srtp_err_status_ok; + return srtp_err_status_ok; } +srtp_err_status_t srtp_shutdown() +{ + srtp_err_status_t status; + + /* shut down crypto kernel */ + status = srtp_crypto_kernel_shutdown(); + if (status) + return status; + + /* shutting down crypto kernel frees the srtp debug module as well */ -/* + return srtp_err_status_ok; +} + +/* * The following code is under consideration for removal. See - * SRTP_MAX_TRAILER_LEN + * SRTP_MAX_TRAILER_LEN */ #if 0 @@ -2740,378 +2774,376 @@ srtp_get_trailer_length(const srtp_stream_t s) { * srtp_get_stream(ssrc) returns a pointer to the stream corresponding * to ssrc, or NULL if no stream exists for that ssrc * - * this is an internal function + * this is an internal function */ -srtp_stream_ctx_t * -srtp_get_stream(srtp_t srtp, uint32_t ssrc) { - srtp_stream_ctx_t *stream; - - /* walk down list until ssrc is found */ - stream = srtp->stream_list; - while (stream != NULL) { - if (stream->ssrc == ssrc) - return stream; - stream = stream->next; - } - - /* we haven't found our ssrc, so return a null */ - return NULL; +srtp_stream_ctx_t *srtp_get_stream(srtp_t srtp, uint32_t ssrc) +{ + srtp_stream_ctx_t *stream; + + /* walk down list until ssrc is found */ + stream = srtp->stream_list; + while (stream != NULL) { + if (stream->ssrc == ssrc) + return stream; + stream = stream->next; + } + + /* we haven't found our ssrc, so return a null */ + return NULL; } -srtp_err_status_t -srtp_dealloc(srtp_t session) { - srtp_stream_ctx_t *stream; - srtp_err_status_t status; - - /* - * we take a conservative deallocation strategy - if we encounter an - * error deallocating a stream, then we stop trying to deallocate - * memory and just return an error - */ - - /* walk list of streams, deallocating as we go */ - stream = session->stream_list; - while (stream != NULL) { - srtp_stream_t next = stream->next; - status = srtp_stream_dealloc(stream, session->stream_template); - if (status) - return status; - stream = next; - } - - /* deallocate stream template, if there is one */ - if (session->stream_template != NULL) { - status = srtp_stream_dealloc(session->stream_template, NULL); - if (status) - return status; - } +srtp_err_status_t srtp_dealloc(srtp_t session) +{ + srtp_stream_ctx_t *stream; + srtp_err_status_t status; + + /* + * we take a conservative deallocation strategy - if we encounter an + * error deallocating a stream, then we stop trying to deallocate + * memory and just return an error + */ + + /* walk list of streams, deallocating as we go */ + stream = session->stream_list; + while (stream != NULL) { + srtp_stream_t next = stream->next; + status = srtp_stream_dealloc(stream, session->stream_template); + if (status) + return status; + stream = next; + } + + /* deallocate stream template, if there is one */ + if (session->stream_template != NULL) { + status = srtp_stream_dealloc(session->stream_template, NULL); + if (status) + return status; + } + + /* deallocate session context */ + srtp_crypto_free(session); + + return srtp_err_status_ok; +} - /* deallocate session context */ - srtp_crypto_free(session); +srtp_err_status_t srtp_add_stream(srtp_t session, const srtp_policy_t *policy) +{ + srtp_err_status_t status; + srtp_stream_t tmp; + + /* sanity check arguments */ + if ((session == NULL) || (policy == NULL) || + (!srtp_validate_policy_master_keys(policy))) + return srtp_err_status_bad_param; + + /* allocate stream */ + status = srtp_stream_alloc(&tmp, policy); + if (status) { + return status; + } + + /* initialize stream */ + status = srtp_stream_init(tmp, policy); + if (status) { + srtp_stream_dealloc(tmp, NULL); + return status; + } + + /* + * set the head of the stream list or the template to point to the + * stream that we've just alloced and init'ed, depending on whether + * or not it has a wildcard SSRC value or not + * + * if the template stream has already been set, then the policy is + * inconsistent, so we return a bad_param error code + */ + switch (policy->ssrc.type) { + case (ssrc_any_outbound): + if (session->stream_template) { + srtp_stream_dealloc(tmp, NULL); + return srtp_err_status_bad_param; + } + session->stream_template = tmp; + session->stream_template->direction = dir_srtp_sender; + break; + case (ssrc_any_inbound): + if (session->stream_template) { + srtp_stream_dealloc(tmp, NULL); + return srtp_err_status_bad_param; + } + session->stream_template = tmp; + session->stream_template->direction = dir_srtp_receiver; + break; + case (ssrc_specific): + tmp->next = session->stream_list; + session->stream_list = tmp; + break; + case (ssrc_undefined): + default: + srtp_stream_dealloc(tmp, NULL); + return srtp_err_status_bad_param; + } - return srtp_err_status_ok; + return srtp_err_status_ok; } +srtp_err_status_t srtp_create(srtp_t *session, /* handle for session */ + const srtp_policy_t *policy) +{ /* SRTP policy (list) */ + srtp_err_status_t stat; + srtp_ctx_t *ctx; + + /* sanity check arguments */ + if (session == NULL) + return srtp_err_status_bad_param; -srtp_err_status_t -srtp_add_stream(srtp_t session, - const srtp_policy_t *policy) { - srtp_err_status_t status; - srtp_stream_t tmp; + /* allocate srtp context and set ctx_ptr */ + ctx = (srtp_ctx_t *)srtp_crypto_alloc(sizeof(srtp_ctx_t)); + if (ctx == NULL) + return srtp_err_status_alloc_fail; + *session = ctx; - /* sanity check arguments */ - if ((session == NULL) || (policy == NULL) || (!srtp_validate_policy_master_keys(policy))) - return srtp_err_status_bad_param; + /* + * loop over elements in the policy list, allocating and + * initializing a stream for each element + */ + ctx->stream_template = NULL; + ctx->stream_list = NULL; + ctx->user_data = NULL; + while (policy != NULL) { + stat = srtp_add_stream(ctx, policy); + if (stat) { + /* clean up everything */ + srtp_dealloc(*session); + *session = NULL; + return stat; + } - /* allocate stream */ - status = srtp_stream_alloc(&tmp, policy); - if (status) { - return status; - } - - /* initialize stream */ - status = srtp_stream_init(tmp, policy); - if (status) { - srtp_crypto_free(tmp); - return status; - } - - /* - * set the head of the stream list or the template to point to the - * stream that we've just alloced and init'ed, depending on whether - * or not it has a wildcard SSRC value or not - * - * if the template stream has already been set, then the policy is - * inconsistent, so we return a bad_param error code - */ - switch (policy->ssrc.type) { - case (ssrc_any_outbound): - if (session->stream_template) { - return srtp_err_status_bad_param; - } - session->stream_template = tmp; - session->stream_template->direction = dir_srtp_sender; - break; - case (ssrc_any_inbound): - if (session->stream_template) { - return srtp_err_status_bad_param; - } - session->stream_template = tmp; - session->stream_template->direction = dir_srtp_receiver; - break; - case (ssrc_specific): - tmp->next = session->stream_list; - session->stream_list = tmp; - break; - case (ssrc_undefined): - default: - srtp_crypto_free(tmp); - return srtp_err_status_bad_param; - } - - return srtp_err_status_ok; + /* set policy to next item in list */ + policy = policy->next; + } + + return srtp_err_status_ok; } +srtp_err_status_t srtp_remove_stream(srtp_t session, uint32_t ssrc) +{ + srtp_stream_ctx_t *stream, *last_stream; + srtp_err_status_t status; + + /* sanity check arguments */ + if (session == NULL) + return srtp_err_status_bad_param; + + /* find stream in list; complain if not found */ + last_stream = stream = session->stream_list; + while ((stream != NULL) && (ssrc != stream->ssrc)) { + last_stream = stream; + stream = stream->next; + } + if (stream == NULL) + return srtp_err_status_no_ctx; -srtp_err_status_t -srtp_create(srtp_t *session, /* handle for session */ - const srtp_policy_t *policy) { /* SRTP policy (list) */ - srtp_err_status_t stat; - srtp_ctx_t *ctx; - - /* sanity check arguments */ - if (session == NULL) - return srtp_err_status_bad_param; - - /* allocate srtp context and set ctx_ptr */ - ctx = (srtp_ctx_t *) srtp_crypto_alloc(sizeof(srtp_ctx_t)); - if (ctx == NULL) - return srtp_err_status_alloc_fail; - *session = ctx; - - /* - * loop over elements in the policy list, allocating and - * initializing a stream for each element - */ - ctx->stream_template = NULL; - ctx->stream_list = NULL; - ctx->user_data = NULL; - while (policy != NULL) { - - stat = srtp_add_stream(ctx, policy); - if (stat) { - /* clean up everything */ - srtp_dealloc(*session); - *session = NULL; - return stat; - } + /* remove stream from the list */ + if (last_stream == stream) + /* stream was first in list */ + session->stream_list = stream->next; + else + last_stream->next = stream->next; - /* set policy to next item in list */ - policy = policy->next; - } + /* deallocate the stream */ + status = srtp_stream_dealloc(stream, session->stream_template); + if (status) + return status; - return srtp_err_status_ok; + return srtp_err_status_ok; } +srtp_err_status_t srtp_update(srtp_t session, const srtp_policy_t *policy) +{ + srtp_err_status_t stat; -srtp_err_status_t -srtp_remove_stream(srtp_t session, uint32_t ssrc) { - srtp_stream_ctx_t *stream, *last_stream; - srtp_err_status_t status; - - /* sanity check arguments */ - if (session == NULL) - return srtp_err_status_bad_param; - - /* find stream in list; complain if not found */ - last_stream = stream = session->stream_list; - while ((stream != NULL) && (ssrc != stream->ssrc)) { - last_stream = stream; - stream = stream->next; - } - if (stream == NULL) - return srtp_err_status_no_ctx; - - /* remove stream from the list */ - if (last_stream == stream) - /* stream was first in list */ - session->stream_list = stream->next; - else - last_stream->next = stream->next; - - /* deallocate the stream */ - status = srtp_stream_dealloc(stream, session->stream_template); - if (status) - return status; + /* sanity check arguments */ + if ((session == NULL) || (policy == NULL) || + (!srtp_validate_policy_master_keys(policy))) { + return srtp_err_status_bad_param; + } + + while (policy != NULL) { + stat = srtp_update_stream(session, policy); + if (stat) { + return stat; + } - return srtp_err_status_ok; + /* set policy to next item in list */ + policy = policy->next; + } + return srtp_err_status_ok; } +static srtp_err_status_t update_template_streams(srtp_t session, + const srtp_policy_t *policy) +{ + srtp_err_status_t status; + srtp_stream_t new_stream_template; + srtp_stream_t new_stream_list = NULL; -srtp_err_status_t -srtp_update(srtp_t session, const srtp_policy_t *policy) { - srtp_err_status_t stat; + if (session->stream_template == NULL) { + return srtp_err_status_bad_param; + } - /* sanity check arguments */ - if ((session == NULL) || (policy == NULL) || (!srtp_validate_policy_master_keys(policy))) { - return srtp_err_status_bad_param; - } + /* allocate new template stream */ + status = srtp_stream_alloc(&new_stream_template, policy); + if (status) { + return status; + } - while (policy != NULL) { - stat = srtp_update_stream(session, policy); - if (stat) { - return stat; + /* initialize new template stream */ + status = srtp_stream_init(new_stream_template, policy); + if (status) { + srtp_crypto_free(new_stream_template); + return status; } - /* set policy to next item in list */ - policy = policy->next; - } - return srtp_err_status_ok; -} + /* for all old templated streams */ + for (;;) { + srtp_stream_t stream; + uint32_t ssrc; + srtp_xtd_seq_num_t old_index; + srtp_rdb_t old_rtcp_rdb; + + stream = session->stream_list; + while ((stream != NULL) && + (stream->session_keys[0].rtp_auth != + session->stream_template->session_keys[0].rtp_auth)) { + stream = stream->next; + } + if (stream == NULL) { + /* no more templated streams */ + break; + } + /* save old extendard seq */ + ssrc = stream->ssrc; + old_index = stream->rtp_rdbx.index; + old_rtcp_rdb = stream->rtcp_rdb; -static srtp_err_status_t -update_template_streams(srtp_t session, const srtp_policy_t *policy) { - srtp_err_status_t status; - srtp_stream_t new_stream_template; - srtp_stream_t new_stream_list = NULL; + /* remove stream */ + status = srtp_remove_stream(session, ssrc); + if (status) { + /* free new allocations */ + while (new_stream_list != NULL) { + srtp_stream_t next = new_stream_list->next; + srtp_stream_dealloc(new_stream_list, new_stream_template); + new_stream_list = next; + } + srtp_stream_dealloc(new_stream_template, NULL); + return status; + } - if (session->stream_template == NULL) { - return srtp_err_status_bad_param; - } + /* allocate and initialize a new stream */ + status = srtp_stream_clone(new_stream_template, ssrc, &stream); + if (status) { + /* free new allocations */ + while (new_stream_list != NULL) { + srtp_stream_t next = new_stream_list->next; + srtp_stream_dealloc(new_stream_list, new_stream_template); + new_stream_list = next; + } + srtp_stream_dealloc(new_stream_template, NULL); + return status; + } - /* allocate new template stream */ - status = srtp_stream_alloc(&new_stream_template, policy); - if (status) { - return status; - } + /* add new stream to the head of the new_stream_list */ + stream->next = new_stream_list; + new_stream_list = stream; - /* initialize new template stream */ - status = srtp_stream_init(new_stream_template, policy); - if (status) { - srtp_crypto_free(new_stream_template); + /* restore old extended seq */ + stream->rtp_rdbx.index = old_index; + stream->rtcp_rdb = old_rtcp_rdb; + } + /* dealloc old template */ + srtp_stream_dealloc(session->stream_template, NULL); + /* set new template */ + session->stream_template = new_stream_template; + /* add new list */ + if (new_stream_list) { + srtp_stream_t tail = new_stream_list; + while (tail->next) { + tail = tail->next; + } + tail->next = session->stream_list; + session->stream_list = new_stream_list; + } return status; - } +} - /* for all old templated streams */ - for (;;) { - srtp_stream_t stream; - uint32_t ssrc; +static srtp_err_status_t update_stream(srtp_t session, + const srtp_policy_t *policy) +{ + srtp_err_status_t status; srtp_xtd_seq_num_t old_index; srtp_rdb_t old_rtcp_rdb; + srtp_stream_t stream; - stream = session->stream_list; - while ((stream != NULL) && - (stream->session_keys[0].rtp_auth != - session->stream_template->session_keys[0].rtp_auth)) { - stream = stream->next; - } + stream = srtp_get_stream(session, htonl(policy->ssrc.value)); if (stream == NULL) { - /* no more templated streams */ - break; + return srtp_err_status_bad_param; } /* save old extendard seq */ - ssrc = stream->ssrc; old_index = stream->rtp_rdbx.index; old_rtcp_rdb = stream->rtcp_rdb; - /* remove stream */ - status = srtp_remove_stream(session, ssrc); + status = srtp_remove_stream(session, htonl(policy->ssrc.value)); if (status) { - /* free new allocations */ - while (new_stream_list != NULL) { - srtp_stream_t next = new_stream_list->next; - srtp_stream_dealloc(new_stream_list, new_stream_template); - new_stream_list = next; - } - srtp_stream_dealloc(new_stream_template, NULL); - return status; - } - - /* allocate and initialize a new stream */ - status = srtp_stream_clone(new_stream_template, ssrc, &stream); + return status; + } + + status = srtp_add_stream(session, policy); if (status) { - /* free new allocations */ - while (new_stream_list != NULL) { - srtp_stream_t next = new_stream_list->next; - srtp_stream_dealloc(new_stream_list, new_stream_template); - new_stream_list = next; - } - srtp_stream_dealloc(new_stream_template, NULL); - return status; + return status; } - /* add new stream to the head of the new_stream_list */ - stream->next = new_stream_list; - new_stream_list = stream; + stream = srtp_get_stream(session, htonl(policy->ssrc.value)); + if (stream == NULL) { + return srtp_err_status_fail; + } /* restore old extended seq */ stream->rtp_rdbx.index = old_index; stream->rtcp_rdb = old_rtcp_rdb; - } - /* dealloc old template */ - srtp_stream_dealloc(session->stream_template, NULL); - /* set new template */ - session->stream_template = new_stream_template; - /* add new list */ - if (new_stream_list) { - srtp_stream_t tail = new_stream_list; - while (tail->next) { - tail = tail->next; - } - tail->next = session->stream_list; - session->stream_list = new_stream_list; - } - return status; -} + return srtp_err_status_ok; +} -static srtp_err_status_t -update_stream(srtp_t session, const srtp_policy_t *policy) { - srtp_err_status_t status; - srtp_xtd_seq_num_t old_index; - srtp_rdb_t old_rtcp_rdb; - srtp_stream_t stream; - - stream = srtp_get_stream(session, htonl(policy->ssrc.value)); - if (stream == NULL) { - return srtp_err_status_bad_param; - } +srtp_err_status_t srtp_update_stream(srtp_t session, + const srtp_policy_t *policy) +{ + srtp_err_status_t status; - /* save old extendard seq */ - old_index = stream->rtp_rdbx.index; - old_rtcp_rdb = stream->rtcp_rdb; + /* sanity check arguments */ + if ((session == NULL) || (policy == NULL) || + (!srtp_validate_policy_master_keys(policy))) + return srtp_err_status_bad_param; - status = srtp_remove_stream(session, htonl(policy->ssrc.value)); - if (status) { - return status; - } + switch (policy->ssrc.type) { + case (ssrc_any_outbound): + case (ssrc_any_inbound): + status = update_template_streams(session, policy); + break; + case (ssrc_specific): + status = update_stream(session, policy); + break; + case (ssrc_undefined): + default: + return srtp_err_status_bad_param; + } - status = srtp_add_stream(session, policy); - if (status) { return status; - } - - stream = srtp_get_stream(session, htonl(policy->ssrc.value)); - if (stream == NULL) { - return srtp_err_status_fail; - } - - /* restore old extended seq */ - stream->rtp_rdbx.index = old_index; - stream->rtcp_rdb = old_rtcp_rdb; - - return srtp_err_status_ok; -} - - -srtp_err_status_t -srtp_update_stream(srtp_t session, const srtp_policy_t *policy) { - srtp_err_status_t status; - - /* sanity check arguments */ - if ((session == NULL) || (policy == NULL) || (!srtp_validate_policy_master_keys(policy))) - return srtp_err_status_bad_param; - - switch (policy->ssrc.type) { - case (ssrc_any_outbound): - case (ssrc_any_inbound): - status = update_template_streams(session, policy); - break; - case (ssrc_specific): - status = update_stream(session, policy); - break; - case (ssrc_undefined): - default: - return srtp_err_status_bad_param; - } - - return status; } - /* * The default policy - provides a convenient way for callers to use * the default security policy @@ -3121,283 +3153,264 @@ srtp_update_stream(srtp_t session, const srtp_policy_t *policy) { * */ -/* +/* * NOTE: cipher_key_len is really key len (128 bits) plus salt len * (112 bits) */ /* There are hard-coded 16's for base_key_len in the key generation code */ -void -srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p) { - - p->cipher_type = SRTP_AES_ICM_128; - p->cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */ - p->auth_type = SRTP_HMAC_SHA1; - p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ - p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ - p->sec_serv = sec_serv_conf_and_auth; - -} - -void -srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p) { - - p->cipher_type = SRTP_AES_ICM_128; - p->cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */ - p->auth_type = SRTP_HMAC_SHA1; - p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ - p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ - p->sec_serv = sec_serv_conf_and_auth; - +void srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_ICM_128; + p->cipher_key_len = + SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */ + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ + p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ + p->sec_serv = sec_serv_conf_and_auth; } -void -srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p) { - - /* - * corresponds to RFC 4568 - * - * note that this crypto policy is intended for SRTP, but not SRTCP - */ - - p->cipher_type = SRTP_AES_ICM_128; - p->cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */ - p->auth_type = SRTP_HMAC_SHA1; - p->auth_key_len = 20; /* 160 bit key */ - p->auth_tag_len = 4; /* 32 bit tag */ - p->sec_serv = sec_serv_conf_and_auth; - +void srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_ICM_128; + p->cipher_key_len = + SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */ + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ + p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ + p->sec_serv = sec_serv_conf_and_auth; } +void srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 4568 + * + * note that this crypto policy is intended for SRTP, but not SRTCP + */ -void -srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p) { - - /* - * corresponds to RFC 4568 - * - * note that this crypto policy is intended for SRTP, but not SRTCP - */ - - p->cipher_type = SRTP_AES_ICM_128; - p->cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */ - p->auth_type = SRTP_NULL_AUTH; - p->auth_key_len = 0; - p->auth_tag_len = 0; - p->sec_serv = sec_serv_conf; - + p->cipher_type = SRTP_AES_ICM_128; + p->cipher_key_len = + SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */ + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* 160 bit key */ + p->auth_tag_len = 4; /* 32 bit tag */ + p->sec_serv = sec_serv_conf_and_auth; } +void srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 4568 + * + * note that this crypto policy is intended for SRTP, but not SRTCP + */ -void -srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p) { - - /* - * corresponds to RFC 4568 - */ - - p->cipher_type = SRTP_NULL_CIPHER; - p->cipher_key_len = 0; - p->auth_type = SRTP_HMAC_SHA1; - p->auth_key_len = 20; - p->auth_tag_len = 10; - p->sec_serv = sec_serv_auth; - + p->cipher_type = SRTP_AES_ICM_128; + p->cipher_key_len = + SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */ + p->auth_type = SRTP_NULL_AUTH; + p->auth_key_len = 0; + p->auth_tag_len = 0; + p->sec_serv = sec_serv_conf; } -void -srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p) { - - /* - * Should only be used for testing - */ +void srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 4568 + */ - p->cipher_type = SRTP_NULL_CIPHER; - p->cipher_key_len = 0; - p->auth_type = SRTP_NULL_AUTH; - p->auth_key_len = 0; - p->auth_tag_len = 0; - p->sec_serv = sec_serv_none; - + p->cipher_type = SRTP_NULL_CIPHER; + p->cipher_key_len = 0; + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; + p->auth_tag_len = 10; + p->sec_serv = sec_serv_auth; } +void srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p) +{ + /* + * Should only be used for testing + */ -void -srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p) { - - /* - * corresponds to RFC 6188 - */ - - p->cipher_type = SRTP_AES_ICM_256; - p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; - p->auth_type = SRTP_HMAC_SHA1; - p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ - p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ - p->sec_serv = sec_serv_conf_and_auth; + p->cipher_type = SRTP_NULL_CIPHER; + p->cipher_key_len = 0; + p->auth_type = SRTP_NULL_AUTH; + p->auth_key_len = 0; + p->auth_tag_len = 0; + p->sec_serv = sec_serv_none; } +void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 6188 + */ -void -srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p) { + p->cipher_type = SRTP_AES_ICM_256; + p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ + p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ + p->sec_serv = sec_serv_conf_and_auth; +} - /* - * corresponds to RFC 6188 - * - * note that this crypto policy is intended for SRTP, but not SRTCP - */ +void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 6188 + * + * note that this crypto policy is intended for SRTP, but not SRTCP + */ - p->cipher_type = SRTP_AES_ICM_256; - p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; - p->auth_type = SRTP_HMAC_SHA1; - p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ - p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ - p->sec_serv = sec_serv_conf_and_auth; + p->cipher_type = SRTP_AES_ICM_256; + p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ + p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ + p->sec_serv = sec_serv_conf_and_auth; } /* * AES-256 with no authentication. */ -void -srtp_crypto_policy_set_aes_cm_256_null_auth (srtp_crypto_policy_t *p) +void srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t *p) { - p->cipher_type = SRTP_AES_ICM_256; - p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; - p->auth_type = SRTP_NULL_AUTH; - p->auth_key_len = 0; - p->auth_tag_len = 0; - p->sec_serv = sec_serv_conf; + p->cipher_type = SRTP_AES_ICM_256; + p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; + p->auth_key_len = 0; + p->auth_tag_len = 0; + p->sec_serv = sec_serv_conf; } #ifdef OPENSSL -void -srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p) { - - /* - * corresponds to RFC 6188 - */ - - p->cipher_type = SRTP_AES_ICM_192; - p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; - p->auth_type = SRTP_HMAC_SHA1; - p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ - p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ - p->sec_serv = sec_serv_conf_and_auth; -} - +void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 6188 + */ -void -srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p) { + p->cipher_type = SRTP_AES_ICM_192; + p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ + p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */ + p->sec_serv = sec_serv_conf_and_auth; +} - /* - * corresponds to RFC 6188 - * - * note that this crypto policy is intended for SRTP, but not SRTCP - */ +void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p) +{ + /* + * corresponds to RFC 6188 + * + * note that this crypto policy is intended for SRTP, but not SRTCP + */ - p->cipher_type = SRTP_AES_ICM_192; - p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; - p->auth_type = SRTP_HMAC_SHA1; - p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ - p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ - p->sec_serv = sec_serv_conf_and_auth; + p->cipher_type = SRTP_AES_ICM_192; + p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; + p->auth_type = SRTP_HMAC_SHA1; + p->auth_key_len = 20; /* default 160 bits per RFC 3711 */ + p->auth_tag_len = 4; /* default 80 bits per RFC 3711 */ + p->sec_serv = sec_serv_conf_and_auth; } /* * AES-192 with no authentication. */ -void -srtp_crypto_policy_set_aes_cm_192_null_auth (srtp_crypto_policy_t *p) +void srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t *p) { - p->cipher_type = SRTP_AES_ICM_192; - p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; - p->auth_type = SRTP_NULL_AUTH; - p->auth_key_len = 0; - p->auth_tag_len = 0; - p->sec_serv = sec_serv_conf; + p->cipher_type = SRTP_AES_ICM_192; + p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; + p->auth_key_len = 0; + p->auth_tag_len = 0; + p->sec_serv = sec_serv_conf; } /* - * AES-128 GCM mode with 8 octet auth tag. + * AES-128 GCM mode with 8 octet auth tag. */ -void -srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p) { - p->cipher_type = SRTP_AES_GCM_128; - p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; - p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ - p->auth_key_len = 0; - p->auth_tag_len = 8; /* 8 octet tag length */ - p->sec_serv = sec_serv_conf_and_auth; +void srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_GCM_128; + p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ + p->auth_key_len = 0; + p->auth_tag_len = 8; /* 8 octet tag length */ + p->sec_serv = sec_serv_conf_and_auth; } /* - * AES-256 GCM mode with 8 octet auth tag. + * AES-256 GCM mode with 8 octet auth tag. */ -void -srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p) { - p->cipher_type = SRTP_AES_GCM_256; - p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; - p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ - p->auth_key_len = 0; - p->auth_tag_len = 8; /* 8 octet tag length */ - p->sec_serv = sec_serv_conf_and_auth; +void srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_GCM_256; + p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ + p->auth_key_len = 0; + p->auth_tag_len = 8; /* 8 octet tag length */ + p->sec_serv = sec_serv_conf_and_auth; } /* - * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption. + * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption. */ -void -srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p) { - p->cipher_type = SRTP_AES_GCM_128; - p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; - p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ - p->auth_key_len = 0; - p->auth_tag_len = 8; /* 8 octet tag length */ - p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ +void srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_GCM_128; + p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ + p->auth_key_len = 0; + p->auth_tag_len = 8; /* 8 octet tag length */ + p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ } /* - * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption. + * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption. */ -void -srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p) { - p->cipher_type = SRTP_AES_GCM_256; - p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; - p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ - p->auth_key_len = 0; - p->auth_tag_len = 8; /* 8 octet tag length */ - p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ +void srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_GCM_256; + p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ + p->auth_key_len = 0; + p->auth_tag_len = 8; /* 8 octet tag length */ + p->sec_serv = sec_serv_auth; /* This only applies to RTCP */ } /* - * AES-128 GCM mode with 16 octet auth tag. + * AES-128 GCM mode with 16 octet auth tag. */ -void -srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p) { - p->cipher_type = SRTP_AES_GCM_128; - p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; - p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ - p->auth_key_len = 0; - p->auth_tag_len = 16; /* 16 octet tag length */ - p->sec_serv = sec_serv_conf_and_auth; +void srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_GCM_128; + p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ + p->auth_key_len = 0; + p->auth_tag_len = 16; /* 16 octet tag length */ + p->sec_serv = sec_serv_conf_and_auth; } /* - * AES-256 GCM mode with 16 octet auth tag. + * AES-256 GCM mode with 16 octet auth tag. */ -void -srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p) { - p->cipher_type = SRTP_AES_GCM_256; - p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; - p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ - p->auth_key_len = 0; - p->auth_tag_len = 16; /* 16 octet tag length */ - p->sec_serv = sec_serv_conf_and_auth; +void srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p) +{ + p->cipher_type = SRTP_AES_GCM_256; + p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT; + p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */ + p->auth_key_len = 0; + p->auth_tag_len = 16; /* 16 octet tag length */ + p->sec_serv = sec_serv_conf_and_auth; } #endif -/* +/* * secure rtcp functions */ @@ -3420,7 +3433,7 @@ srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p) { * +--+--+--+--+--+--+--+--+--+--+--+--+* * * Input: *session_keys - pointer to SRTP stream context session keys, - * used to retrieve the SALT + * used to retrieve the SALT * *iv - Pointer to recieve the calculated IV * seq_num - The SEQ value to use for the IV calculation. * *hdr - The RTP header, used to get the SSRC value @@ -3429,12 +3442,14 @@ srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p) { * if seq_num is invalid * */ -static srtp_err_status_t -srtp_calc_aead_iv_srtcp(srtp_session_keys_t *session_keys, v128_t *iv, - uint32_t seq_num, srtcp_hdr_t *hdr) +static srtp_err_status_t srtp_calc_aead_iv_srtcp( + srtp_session_keys_t *session_keys, + v128_t *iv, + uint32_t seq_num, + srtcp_hdr_t *hdr) { - v128_t in; - v128_t salt; + v128_t in; + v128_t salt; memset(&in, 0, sizeof(v128_t)); memset(&salt, 0, sizeof(v128_t)); @@ -3450,40 +3465,215 @@ srtp_calc_aead_iv_srtcp(srtp_session_keys_t *session_keys, v128_t *iv, if (seq_num & 0x80000000UL) { return srtp_err_status_bad_param; } - in.v32[2] = htonl(seq_num); - - debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in)); + in.v32[2] = htonl(seq_num); + + debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in)); + + /* + * Get the SALT value from the context + */ + memcpy(salt.v8, session_keys->c_salt, 12); + debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt)); + + /* + * Finally, apply the SALT to the input + */ + v128_xor(iv, &in, &salt); + + return srtp_err_status_ok; +} + +/* + * This code handles AEAD ciphers for outgoing RTCP. We currently support + * AES-GCM mode with 128 or 256 bit keys. + */ +static srtp_err_status_t srtp_protect_rtcp_aead( + srtp_t ctx, + srtp_stream_ctx_t *stream, + void *rtcp_hdr, + unsigned int *pkt_octet_len, + srtp_session_keys_t *session_keys, + unsigned int use_mki) +{ + srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + uint32_t *trailer; /* pointer to start of trailer */ + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + srtp_err_status_t status; + uint32_t tag_len; + uint32_t seq_num; + v128_t iv; + uint32_t tseq; + unsigned int mki_size = 0; + + /* get tag length from stream context */ + tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); + + /* + * set encryption start and encryption length - if we're not + * providing confidentiality, set enc_start to NULL + */ + enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; + enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; + + /* NOTE: hdr->length is not usable - it refers to only the first + * RTCP report in the compound packet! + */ + /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always + * multiples of 32-bits (RFC 3550 6.1) + */ + trailer = (uint32_t *)((char *)enc_start + enc_octet_len + tag_len); + + if (stream->rtcp_services & sec_serv_conf) { + *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ + } else { + enc_start = NULL; + enc_octet_len = 0; + /* 0 is network-order independant */ + *trailer = 0x00000000; /* set encrypt bit */ + } + + mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + tag_len + + sizeof(srtcp_trailer_t), + session_keys, use_mki); + + /* + * set the auth_tag pointer to the proper location, which is after + * the payload, but before the trailer + * (note that srtpc *always* provides authentication, unlike srtp) + */ + /* Note: This would need to change for optional mikey data */ + auth_tag = (uint8_t *)hdr + *pkt_octet_len; + + /* + * check sequence number for overruns, and copy it into the packet + * if its value isn't too big + */ + status = srtp_rdb_increment(&stream->rtcp_rdb); + if (status) { + return status; + } + seq_num = srtp_rdb_get_value(&stream->rtcp_rdb); + *trailer |= htonl(seq_num); + debug_print(mod_srtp, "srtcp index: %x", seq_num); + + /* + * Calculate and set the IV + */ + status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr); + if (status) { + return srtp_err_status_cipher_fail; + } + status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, + srtp_direction_encrypt); + if (status) { + return srtp_err_status_cipher_fail; + } + + /* + * Set the AAD for GCM mode + */ + if (enc_start) { + /* + * If payload encryption is enabled, then the AAD consist of + * the RTCP header and the seq# at the end of the packet + */ + status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr, + octets_in_rtcp_header); + if (status) { + return (srtp_err_status_cipher_fail); + } + } else { + /* + * Since payload encryption is not enabled, we must authenticate + * the entire packet as described in RFC 7714 (Section 9.3. Data + * Types in Unencrypted SRTCP Compound Packets) + */ + status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr, + *pkt_octet_len); + if (status) { + return (srtp_err_status_cipher_fail); + } + } + /* + * Process the sequence# as AAD + */ + tseq = *trailer; + status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)&tseq, + sizeof(srtcp_trailer_t)); + if (status) { + return (srtp_err_status_cipher_fail); + } + + /* if we're encrypting, exor keystream into the message */ + if (enc_start) { + status = srtp_cipher_encrypt(session_keys->rtcp_cipher, + (uint8_t *)enc_start, &enc_octet_len); + if (status) { + return srtp_err_status_cipher_fail; + } + /* + * Get the tag and append that to the output + */ + status = srtp_cipher_get_tag(session_keys->rtcp_cipher, + (uint8_t *)auth_tag, &tag_len); + if (status) { + return (srtp_err_status_cipher_fail); + } + enc_octet_len += tag_len; + } else { + /* + * Even though we're not encrypting the payload, we need + * to run the cipher to get the auth tag. + */ + unsigned int nolen = 0; + status = srtp_cipher_encrypt(session_keys->rtcp_cipher, NULL, &nolen); + if (status) { + return srtp_err_status_cipher_fail; + } + /* + * Get the tag and append that to the output + */ + status = srtp_cipher_get_tag(session_keys->rtcp_cipher, + (uint8_t *)auth_tag, &tag_len); + if (status) { + return (srtp_err_status_cipher_fail); + } + enc_octet_len += tag_len; + } - /* - * Get the SALT value from the context - */ - memcpy(salt.v8, session_keys->c_salt, 12); - debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt)); + /* increase the packet length by the length of the auth tag and seq_num*/ + *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); - /* - * Finally, apply the SALT to the input - */ - v128_xor(iv, &in, &salt); + /* increase the packet by the mki_size */ + *pkt_octet_len += mki_size; return srtp_err_status_ok; } /* - * This code handles AEAD ciphers for outgoing RTCP. We currently support - * AES-GCM mode with 128 or 256 bit keys. + * This function handles incoming SRTCP packets while in AEAD mode, + * which currently supports AES-GCM encryption. Note, the auth tag is + * at the end of the packet stream and is automatically checked by GCM + * when decrypting the payload. */ -static srtp_err_status_t -srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, - void *rtcp_hdr, unsigned int *pkt_octet_len, - srtp_session_keys_t *session_keys, unsigned int use_mki) +static srtp_err_status_t srtp_unprotect_rtcp_aead( + srtp_t ctx, + srtp_stream_ctx_t *stream, + void *srtcp_hdr, + unsigned int *pkt_octet_len, + srtp_session_keys_t *session_keys, + unsigned int use_mki) { - srtcp_hdr_t *hdr = (srtcp_hdr_t*)rtcp_hdr; - uint32_t *enc_start; /* pointer to start of encrypted portion */ - uint32_t *trailer; /* pointer to start of trailer */ + srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + uint32_t *trailer; /* pointer to start of trailer */ unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ - uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ srtp_err_status_t status; - uint32_t tag_len; + int tag_len; + unsigned int tmp_len; uint32_t seq_num; v128_t iv; uint32_t tseq; @@ -3492,50 +3682,49 @@ srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, /* get tag length from stream context */ tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); + if (use_mki) { + mki_size = session_keys->mki_size; + } + /* - * set encryption start and encryption length - if we're not - * providing confidentiality, set enc_start to NULL + * set encryption start, encryption length, and trailer */ - enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header; - enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; - - /* NOTE: hdr->length is not usable - it refers to only the first - RTCP report in the compound packet! */ - /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always - multiples of 32-bits (RFC 3550 6.1) */ - trailer = (uint32_t*)((char*)enc_start + enc_octet_len + tag_len); + /* index & E (encryption) bit follow normal data. hdr->len is the number of + * words (32-bit) in the normal packet minus 1 + */ + /* This should point trailer to the word past the end of the normal data. */ + /* This would need to be modified for optional mikey data */ + /* + * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always + * multiples of 32-bits (RFC 3550 6.1) + */ + trailer = (uint32_t *)((char *)hdr + *pkt_octet_len - + sizeof(srtcp_trailer_t) - mki_size); + /* + * We pass the tag down to the cipher when doing GCM mode + */ + enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + + sizeof(srtcp_trailer_t) + mki_size); + auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len - mki_size - + sizeof(srtcp_trailer_t); - if (stream->rtcp_services & sec_serv_conf) { - *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ + if (*((unsigned char *)trailer) & SRTCP_E_BYTE_BIT) { + enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; } else { - enc_start = NULL; enc_octet_len = 0; - /* 0 is network-order independant */ - *trailer = 0x00000000; /* set encrypt bit */ + enc_start = NULL; /* this indicates that there's no encryption */ } - mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + tag_len + sizeof(srtcp_trailer_t), - session_keys, use_mki); - - /* - * set the auth_tag pointer to the proper location, which is after - * the payload, but before the trailer - * (note that srtpc *always* provides authentication, unlike srtp) - */ - /* Note: This would need to change for optional mikey data */ - auth_tag = (uint8_t*)hdr + *pkt_octet_len; - /* - * check sequence number for overruns, and copy it into the packet - * if its value isn't too big + * check the sequence number for replays */ - status = srtp_rdb_increment(&stream->rtcp_rdb); + /* this is easier than dealing with bitfield access */ + seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK; + debug_print(mod_srtp, "srtcp index: %x", seq_num); + status = srtp_rdb_check(&stream->rtcp_rdb, seq_num); if (status) { return status; } - seq_num = srtp_rdb_get_value(&stream->rtcp_rdb); - *trailer |= htonl(seq_num); - debug_print(mod_srtp, "srtcp index: %x", seq_num); /* * Calculate and set the IV @@ -3544,8 +3733,8 @@ srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, if (status) { return srtp_err_status_cipher_fail; } - status = srtp_cipher_set_iv(session_keys->rtcp_cipher, - (uint8_t*)&iv, srtp_direction_encrypt); + status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, + srtp_direction_decrypt); if (status) { return srtp_err_status_cipher_fail; } @@ -3558,10 +3747,10 @@ srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, * If payload encryption is enabled, then the AAD consist of * the RTCP header and the seq# at the end of the packet */ - status = srtp_cipher_set_aad(session_keys->rtcp_cipher, - (uint8_t*)hdr, octets_in_rtcp_header); + status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr, + octets_in_rtcp_header); if (status) { - return ( srtp_err_status_cipher_fail); + return (srtp_err_status_cipher_fail); } } else { /* @@ -3569,59 +3758,322 @@ srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, * the entire packet as described in RFC 7714 (Section 9.3. Data * Types in Unencrypted SRTCP Compound Packets) */ - status = srtp_cipher_set_aad(session_keys->rtcp_cipher, - (uint8_t*)hdr, *pkt_octet_len); + status = srtp_cipher_set_aad( + session_keys->rtcp_cipher, (uint8_t *)hdr, + (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_t) - mki_size)); if (status) { - return ( srtp_err_status_cipher_fail); + return (srtp_err_status_cipher_fail); } } + /* * Process the sequence# as AAD */ tseq = *trailer; - status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t*)&tseq, + status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)&tseq, sizeof(srtcp_trailer_t)); if (status) { - return ( srtp_err_status_cipher_fail); + return (srtp_err_status_cipher_fail); } - /* if we're encrypting, exor keystream into the message */ + /* if we're decrypting, exor keystream into the message */ if (enc_start) { - status = srtp_cipher_encrypt(session_keys->rtcp_cipher, - (uint8_t*)enc_start, &enc_octet_len); + status = srtp_cipher_decrypt(session_keys->rtcp_cipher, + (uint8_t *)enc_start, &enc_octet_len); if (status) { - return srtp_err_status_cipher_fail; + return status; } + } else { /* - * Get the tag and append that to the output + * Still need to run the cipher to check the tag */ - status = srtp_cipher_get_tag(session_keys->rtcp_cipher, (uint8_t*)auth_tag, - &tag_len); + tmp_len = tag_len; + status = srtp_cipher_decrypt(session_keys->rtcp_cipher, + (uint8_t *)auth_tag, &tmp_len); if (status) { - return ( srtp_err_status_cipher_fail); + return status; } - enc_octet_len += tag_len; - } else { + } + + /* decrease the packet length by the length of the auth tag and seq_num*/ + *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t) + mki_size); + + /* + * verify that stream is for received traffic - this check will + * detect SSRC collisions, since a stream that appears in both + * srtp_protect() and srtp_unprotect() will fail this test in one of + * those functions. + * + * we do this check *after* the authentication check, so that the + * latter check will catch any attempts to fool us into thinking + * that we've got a collision + */ + if (stream->direction != dir_srtp_receiver) { + if (stream->direction == dir_unknown) { + stream->direction = dir_srtp_receiver; + } else { + srtp_handle_event(ctx, stream, event_ssrc_collision); + } + } + + /* + * if the stream is a 'provisional' one, in which the template context + * is used, then we need to allocate a new stream at this point, since + * the authentication passed + */ + if (stream == ctx->stream_template) { + srtp_stream_ctx_t *new_stream; + /* - * Even though we're not encrypting the payload, we need - * to run the cipher to get the auth tag. + * allocate and initialize a new stream + * + * note that we indicate failure if we can't allocate the new + * stream, and some implementations will want to not return + * failure here */ - unsigned int nolen = 0; - status = srtp_cipher_encrypt(session_keys->rtcp_cipher, NULL, &nolen); + status = + srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); if (status) { + return status; + } + + /* add new stream to the head of the stream_list */ + new_stream->next = ctx->stream_list; + ctx->stream_list = new_stream; + + /* set stream (the pointer used in this function) */ + stream = new_stream; + } + + /* we've passed the authentication check, so add seq_num to the rdb */ + srtp_rdb_add_index(&stream->rtcp_rdb, seq_num); + + return srtp_err_status_ok; +} + +srtp_err_status_t srtp_protect_rtcp(srtp_t ctx, + void *rtcp_hdr, + int *pkt_octet_len) +{ + return srtp_protect_rtcp_mki(ctx, rtcp_hdr, pkt_octet_len, 0, 0); +} + +srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx, + void *rtcp_hdr, + int *pkt_octet_len, + unsigned int use_mki, + unsigned int mki_index) +{ + srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + uint32_t *auth_start; /* pointer to start of auth. portion */ + uint32_t *trailer; /* pointer to start of trailer */ + unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + srtp_err_status_t status; + int tag_len; + srtp_stream_ctx_t *stream; + uint32_t prefix_len; + uint32_t seq_num; + unsigned int mki_size = 0; + srtp_session_keys_t *session_keys = NULL; + + /* we assume the hdr is 32-bit aligned to start */ + + /* check the packet length - it must at least contain a full header */ + if (*pkt_octet_len < octets_in_rtcp_header) + return srtp_err_status_bad_param; + + /* + * look up ssrc in srtp_stream list, and process the packet with + * the appropriate stream. if we haven't seen this stream before, + * there's only one key for this srtp_session, and the cipher + * supports key-sharing, then we assume that a new stream using + * that key has just started up + */ + stream = srtp_get_stream(ctx, hdr->ssrc); + if (stream == NULL) { + if (ctx->stream_template != NULL) { + srtp_stream_ctx_t *new_stream; + + /* allocate and initialize a new stream */ + status = + srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); + if (status) + return status; + + /* add new stream to the head of the stream_list */ + new_stream->next = ctx->stream_list; + ctx->stream_list = new_stream; + + /* set stream (the pointer used in this function) */ + stream = new_stream; + } else { + /* no template stream, so we return an error */ + return srtp_err_status_no_ctx; + } + } + + /* + * verify that stream is for sending traffic - this check will + * detect SSRC collisions, since a stream that appears in both + * srtp_protect() and srtp_unprotect() will fail this test in one of + * those functions. + */ + if (stream->direction != dir_srtp_sender) { + if (stream->direction == dir_unknown) { + stream->direction = dir_srtp_sender; + } else { + srtp_handle_event(ctx, stream, event_ssrc_collision); + } + } + + session_keys = + srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index); + + if (session_keys == NULL) + return srtp_err_status_bad_mki; + + /* + * Check if this is an AEAD stream (GCM mode). If so, then dispatch + * the request to our AEAD handler. + */ + if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || + session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { + return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr, + (unsigned int *)pkt_octet_len, + session_keys, use_mki); + } + + /* get tag length from stream context */ + tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); + + /* + * set encryption start and encryption length - if we're not + * providing confidentiality, set enc_start to NULL + */ + enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; + enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; + + /* all of the packet, except the header, gets encrypted */ + /* + * NOTE: hdr->length is not usable - it refers to only the first RTCP report + * in the compound packet! + */ + /* + * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always + * multiples of 32-bits (RFC 3550 6.1) + */ + trailer = (uint32_t *)((char *)enc_start + enc_octet_len); + + if (stream->rtcp_services & sec_serv_conf) { + *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ + } else { + enc_start = NULL; + enc_octet_len = 0; + /* 0 is network-order independant */ + *trailer = 0x00000000; /* set encrypt bit */ + } + + mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + + sizeof(srtcp_trailer_t), + session_keys, use_mki); + + /* + * set the auth_start and auth_tag pointers to the proper locations + * (note that srtpc *always* provides authentication, unlike srtp) + */ + /* Note: This would need to change for optional mikey data */ + auth_start = (uint32_t *)hdr; + auth_tag = + (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t) + mki_size; + + /* perform EKT processing if needed */ + srtp_ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len, + srtp_rdbx_get_packet_index(&stream->rtp_rdbx)); + + /* + * check sequence number for overruns, and copy it into the packet + * if its value isn't too big + */ + status = srtp_rdb_increment(&stream->rtcp_rdb); + if (status) + return status; + seq_num = srtp_rdb_get_value(&stream->rtcp_rdb); + *trailer |= htonl(seq_num); + debug_print(mod_srtp, "srtcp index: %x", seq_num); + + /* + * if we're using rindael counter mode, set nonce and seq + */ + if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 || + session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 || + session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) { + v128_t iv; + + iv.v32[0] = 0; + iv.v32[1] = hdr->ssrc; /* still in network order! */ + iv.v32[2] = htonl(seq_num >> 16); + iv.v32[3] = htonl(seq_num << 16); + status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, + srtp_direction_encrypt); + + } else { + v128_t iv; + + /* otherwise, just set the index to seq_num */ + iv.v32[0] = 0; + iv.v32[1] = 0; + iv.v32[2] = 0; + iv.v32[3] = htonl(seq_num); + status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, + srtp_direction_encrypt); + } + if (status) + return srtp_err_status_cipher_fail; + + /* + * if we're authenticating using a universal hash, put the keystream + * prefix into the authentication tag + */ + + /* if auth_start is non-null, then put keystream into tag */ + if (auth_start) { + /* put keystream prefix into auth_tag */ + prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth); + status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag, + &prefix_len); + + debug_print(mod_srtp, "keystream prefix: %s", + srtp_octet_string_hex_string(auth_tag, prefix_len)); + + if (status) + return srtp_err_status_cipher_fail; + } + + /* if we're encrypting, exor keystream into the message */ + if (enc_start) { + status = srtp_cipher_encrypt(session_keys->rtcp_cipher, + (uint8_t *)enc_start, &enc_octet_len); + if (status) return srtp_err_status_cipher_fail; - } - /* - * Get the tag and append that to the output - */ - status = srtp_cipher_get_tag(session_keys->rtcp_cipher, (uint8_t*)auth_tag, - &tag_len); - if (status) { - return ( srtp_err_status_cipher_fail); - } - enc_octet_len += tag_len; } + /* initialize auth func context */ + srtp_auth_start(session_keys->rtcp_auth); + + /* + * run auth func over packet (including trailer), and write the + * result at auth_tag + */ + status = + srtp_auth_compute(session_keys->rtcp_auth, (uint8_t *)auth_start, + (*pkt_octet_len) + sizeof(srtcp_trailer_t), auth_tag); + debug_print(mod_srtp, "srtcp auth tag: %s", + srtp_octet_string_hex_string(auth_tag, tag_len)); + if (status) + return srtp_err_status_auth_fail; + /* increase the packet length by the length of the auth tag and seq_num*/ *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); @@ -3631,64 +4083,186 @@ srtp_protect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, return srtp_err_status_ok; } -/* - * This function handles incoming SRTCP packets while in AEAD mode, - * which currently supports AES-GCM encryption. Note, the auth tag is - * at the end of the packet stream and is automatically checked by GCM - * when decrypting the payload. - */ -static srtp_err_status_t -srtp_unprotect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, - void *srtcp_hdr, unsigned int *pkt_octet_len, - srtp_session_keys_t *session_keys, unsigned int use_mki) +srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx, + void *srtcp_hdr, + int *pkt_octet_len) +{ + return srtp_unprotect_rtcp_mki(ctx, srtcp_hdr, pkt_octet_len, 0); +} + +srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx, + void *srtcp_hdr, + int *pkt_octet_len, + unsigned int use_mki) { - srtcp_hdr_t *hdr = (srtcp_hdr_t*)srtcp_hdr; - uint32_t *enc_start; /* pointer to start of encrypted portion */ - uint32_t *trailer; /* pointer to start of trailer */ + srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; + uint32_t *enc_start; /* pointer to start of encrypted portion */ + uint32_t *auth_start; /* pointer to start of auth. portion */ + uint32_t *trailer; /* pointer to start of trailer */ unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */ - uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ + uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; + uint8_t tag_copy[SRTP_MAX_TAG_LEN]; srtp_err_status_t status; + unsigned int auth_len; int tag_len; - unsigned int tmp_len; + srtp_stream_ctx_t *stream; + uint32_t prefix_len; uint32_t seq_num; - v128_t iv; - uint32_t tseq; + int e_bit_in_packet; /* whether the E-bit was found in the packet */ + int sec_serv_confidentiality; /* whether confidentiality was requested */ unsigned int mki_size = 0; + srtp_session_keys_t *session_keys = NULL; + + /* we assume the hdr is 32-bit aligned to start */ + + if (*pkt_octet_len < 0) + return srtp_err_status_bad_param; + + /* + * check that the length value is sane; we'll check again once we + * know the tag length, but we at least want to know that it is + * a positive value + */ + if ((unsigned int)(*pkt_octet_len) < + octets_in_rtcp_header + sizeof(srtcp_trailer_t)) + return srtp_err_status_bad_param; + + /* + * look up ssrc in srtp_stream list, and process the packet with + * the appropriate stream. if we haven't seen this stream before, + * there's only one key for this srtp_session, and the cipher + * supports key-sharing, then we assume that a new stream using + * that key has just started up + */ + stream = srtp_get_stream(ctx, hdr->ssrc); + if (stream == NULL) { + if (ctx->stream_template != NULL) { + stream = ctx->stream_template; + + /* + * check to see if stream_template has an EKT data structure, in + * which case we initialize the template using the EKT policy + * referenced by that data (which consists of decrypting the + * master key from the EKT field) + * + * this function initializes a *provisional* stream, and this + * stream should not be accepted until and unless the packet + * passes its authentication check + */ + if (stream->ekt != NULL) { + status = srtp_stream_init_from_ekt(stream, srtcp_hdr, + *pkt_octet_len); + if (status) + return status; + } + + debug_print(mod_srtp, + "srtcp using provisional stream (SSRC: 0x%08x)", + ntohl(hdr->ssrc)); + } else { + /* no template stream, so we return an error */ + return srtp_err_status_no_ctx; + } + } + + /* + * Determine if MKI is being used and what session keys should be used + */ + if (use_mki) { + session_keys = srtp_get_session_keys( + stream, (uint8_t *)hdr, (const unsigned int *)pkt_octet_len, + &mki_size); + + if (session_keys == NULL) + return srtp_err_status_bad_mki; + } else { + session_keys = &stream->session_keys[0]; + } /* get tag length from stream context */ tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); - if (use_mki) { - mki_size = session_keys->mki_size; + /* check the packet length - it must contain at least a full RTCP + header, an auth tag (if applicable), and the SRTCP encrypted flag + and 31-bit index value */ + if (*pkt_octet_len < (int)(octets_in_rtcp_header + tag_len + mki_size + + sizeof(srtcp_trailer_t))) { + return srtp_err_status_bad_param; + } + + /* + * Check if this is an AEAD stream (GCM mode). If so, then dispatch + * the request to our AEAD handler. + */ + if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || + session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { + return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr, + (unsigned int *)pkt_octet_len, + session_keys, mki_size); } + sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf || + stream->rtcp_services == sec_serv_conf_and_auth; + /* * set encryption start, encryption length, and trailer */ - /* index & E (encryption) bit follow normal data. hdr->len - is the number of words (32-bit) in the normal packet minus 1 */ - /* This should point trailer to the word past the end of the - normal data. */ - /* This would need to be modified for optional mikey data */ + enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + tag_len + + mki_size + sizeof(srtcp_trailer_t)); /* - * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always - * multiples of 32-bits (RFC 3550 6.1) + *index & E (encryption) bit follow normal data. hdr->len is the number of + * words (32-bit) in the normal packet minus 1 */ - trailer = (uint32_t*)((char*)hdr + *pkt_octet_len - sizeof(srtcp_trailer_t) - mki_size); + /* This should point trailer to the word past the end of the normal data. */ + /* This would need to be modified for optional mikey data */ /* - * We pass the tag down to the cipher when doing GCM mode + * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always + * multiples of 32-bits (RFC 3550 6.1) */ - enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + - sizeof(srtcp_trailer_t) + mki_size); - auth_tag = (uint8_t*)hdr + *pkt_octet_len - tag_len - mki_size - sizeof(srtcp_trailer_t); - - if (*((unsigned char*)trailer) & SRTCP_E_BYTE_BIT) { - enc_start = (uint32_t*)hdr + uint32s_in_rtcp_header; + trailer = (uint32_t *)((char *)hdr + *pkt_octet_len - + (tag_len + mki_size + sizeof(srtcp_trailer_t))); + e_bit_in_packet = + (*((unsigned char *)trailer) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT; + if (e_bit_in_packet != sec_serv_confidentiality) { + return srtp_err_status_cant_check; + } + if (sec_serv_confidentiality) { + enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; } else { enc_octet_len = 0; enc_start = NULL; /* this indicates that there's no encryption */ } + /* + * set the auth_start and auth_tag pointers to the proper locations + * (note that srtcp *always* uses authentication, unlike srtp) + */ + auth_start = (uint32_t *)hdr; + + /* + * The location of the auth tag in the packet needs to know MKI + * could be present. The data needed to calculate the Auth tag + * must not include the MKI + */ + auth_len = *pkt_octet_len - tag_len - mki_size; + auth_tag = (uint8_t *)hdr + auth_len + mki_size; + + /* + * if EKT is in use, then we make a copy of the tag from the packet, + * and then zeroize the location of the base tag + * + * we first re-position the auth_tag pointer so that it points to + * the base tag + */ + if (stream->ekt) { + auth_tag -= srtp_ekt_octets_after_base_tag(stream->ekt); + memcpy(tag_copy, auth_tag, tag_len); + octet_string_set_to_zero(auth_tag, tag_len); + auth_tag = tag_copy; + auth_len += tag_len; + } + /* * check the sequence number for replays */ @@ -3696,79 +4270,88 @@ srtp_unprotect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK; debug_print(mod_srtp, "srtcp index: %x", seq_num); status = srtp_rdb_check(&stream->rtcp_rdb, seq_num); - if (status) { + if (status) return status; - } /* - * Calculate and set the IV + * if we're using aes counter mode, set nonce and seq */ - status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr); - if (status) { - return srtp_err_status_cipher_fail; - } - status = srtp_cipher_set_iv(session_keys->rtcp_cipher, - (uint8_t*)&iv, srtp_direction_decrypt); - if (status) { - return srtp_err_status_cipher_fail; - } + if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 || + session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 || + session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) { + v128_t iv; + + iv.v32[0] = 0; + iv.v32[1] = hdr->ssrc; /* still in network order! */ + iv.v32[2] = htonl(seq_num >> 16); + iv.v32[3] = htonl(seq_num << 16); + status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, + srtp_direction_decrypt); - /* - * Set the AAD for GCM mode - */ - if (enc_start) { - /* - * If payload encryption is enabled, then the AAD consist of - * the RTCP header and the seq# at the end of the packet - */ - status = srtp_cipher_set_aad(session_keys->rtcp_cipher, - (uint8_t*)hdr, octets_in_rtcp_header); - if (status) { - return ( srtp_err_status_cipher_fail); - } } else { - /* - * Since payload encryption is not enabled, we must authenticate - * the entire packet as described in RFC 7714 (Section 9.3. Data - * Types in Unencrypted SRTCP Compound Packets) - */ - status = srtp_cipher_set_aad( - session_keys->rtcp_cipher, (uint8_t*)hdr, - (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_t) - mki_size)); - if (status) { - return ( srtp_err_status_cipher_fail); - } + v128_t iv; + + /* otherwise, just set the index to seq_num */ + iv.v32[0] = 0; + iv.v32[1] = 0; + iv.v32[2] = 0; + iv.v32[3] = htonl(seq_num); + status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv, + srtp_direction_decrypt); } + if (status) + return srtp_err_status_cipher_fail; + + /* initialize auth func context */ + srtp_auth_start(session_keys->rtcp_auth); + + /* run auth func over packet, put result into tmp_tag */ + status = srtp_auth_compute(session_keys->rtcp_auth, (uint8_t *)auth_start, + auth_len, tmp_tag); + debug_print(mod_srtp, "srtcp computed tag: %s", + srtp_octet_string_hex_string(tmp_tag, tag_len)); + if (status) + return srtp_err_status_auth_fail; + + /* compare the tag just computed with the one in the packet */ + debug_print(mod_srtp, "srtcp tag from packet: %s", + srtp_octet_string_hex_string(auth_tag, tag_len)); + if (octet_string_is_eq(tmp_tag, auth_tag, tag_len)) + return srtp_err_status_auth_fail; /* - * Process the sequence# as AAD + * if we're authenticating using a universal hash, put the keystream + * prefix into the authentication tag */ - tseq = *trailer; - status = srtp_cipher_set_aad(session_keys->rtcp_cipher, - (uint8_t*)&tseq, sizeof(srtcp_trailer_t)); - if (status) { - return ( srtp_err_status_cipher_fail); + prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth); + if (prefix_len) { + status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag, + &prefix_len); + debug_print(mod_srtp, "keystream prefix: %s", + srtp_octet_string_hex_string(auth_tag, prefix_len)); + if (status) + return srtp_err_status_cipher_fail; } /* if we're decrypting, exor keystream into the message */ if (enc_start) { - status = srtp_cipher_decrypt(session_keys->rtcp_cipher, (uint8_t*)enc_start, &enc_octet_len); - if (status) { - return status; - } - } else { - /* - * Still need to run the cipher to check the tag - */ - tmp_len = tag_len; - status = srtp_cipher_decrypt(session_keys->rtcp_cipher, (uint8_t*)auth_tag, &tmp_len); - if (status) { - return status; - } + status = srtp_cipher_decrypt(session_keys->rtcp_cipher, + (uint8_t *)enc_start, &enc_octet_len); + if (status) + return srtp_err_status_cipher_fail; } - /* decrease the packet length by the length of the auth tag and seq_num*/ - *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t) + mki_size); + /* decrease the packet length by the length of the auth tag and seq_num */ + *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t)); + + /* decrease the packet length by the length of the mki_size */ + *pkt_octet_len -= mki_size; + + /* + * if EKT is in effect, subtract the EKT data out of the packet + * length + */ + *pkt_octet_len -= srtp_ekt_octets_after_base_tag(stream->ekt); /* * verify that stream is for received traffic - this check will @@ -3803,10 +4386,10 @@ srtp_unprotect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, * stream, and some implementations will want to not return * failure here */ - status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); - if (status) { + status = + srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); + if (status) return status; - } /* add new stream to the head of the stream_list */ new_stream->next = ctx->stream_list; @@ -3822,754 +4405,236 @@ srtp_unprotect_rtcp_aead (srtp_t ctx, srtp_stream_ctx_t *stream, return srtp_err_status_ok; } -srtp_err_status_t -srtp_protect_rtcp(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len) { - return srtp_protect_rtcp_mki(ctx, rtcp_hdr, pkt_octet_len, 0, 0); -} - -srtp_err_status_t -srtp_protect_rtcp_mki(srtp_t ctx, void *rtcp_hdr, int *pkt_octet_len, - unsigned int use_mki, unsigned int mki_index) { - srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr; - uint32_t *enc_start; /* pointer to start of encrypted portion */ - uint32_t *auth_start; /* pointer to start of auth. portion */ - uint32_t *trailer; /* pointer to start of trailer */ - unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ - uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ - srtp_err_status_t status; - int tag_len; - srtp_stream_ctx_t *stream; - uint32_t prefix_len; - uint32_t seq_num; - unsigned int mki_size = 0; - srtp_session_keys_t *session_keys = NULL; - - /* we assume the hdr is 32-bit aligned to start */ - - /* check the packet length - it must at least contain a full header */ - if (*pkt_octet_len < octets_in_rtcp_header) - return srtp_err_status_bad_param; - - /* - * look up ssrc in srtp_stream list, and process the packet with - * the appropriate stream. if we haven't seen this stream before, - * there's only one key for this srtp_session, and the cipher - * supports key-sharing, then we assume that a new stream using - * that key has just started up - */ - stream = srtp_get_stream(ctx, hdr->ssrc); - if (stream == NULL) { - if (ctx->stream_template != NULL) { - srtp_stream_ctx_t *new_stream; - - /* allocate and initialize a new stream */ - status = srtp_stream_clone(ctx->stream_template, - hdr->ssrc, &new_stream); - if (status) - return status; - - /* add new stream to the head of the stream_list */ - new_stream->next = ctx->stream_list; - ctx->stream_list = new_stream; - - /* set stream (the pointer used in this function) */ - stream = new_stream; - } else { - /* no template stream, so we return an error */ - return srtp_err_status_no_ctx; - } - } - - /* - * verify that stream is for sending traffic - this check will - * detect SSRC collisions, since a stream that appears in both - * srtp_protect() and srtp_unprotect() will fail this test in one of - * those functions. - */ - if (stream->direction != dir_srtp_sender) { - if (stream->direction == dir_unknown) { - stream->direction = dir_srtp_sender; - } else { - srtp_handle_event(ctx, stream, event_ssrc_collision); - } - } - - session_keys = srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index); - - /* - * Check if this is an AEAD stream (GCM mode). If so, then dispatch - * the request to our AEAD handler. - */ - if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || - session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { - return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr, - (unsigned int*)pkt_octet_len, session_keys, - use_mki); - } - - /* get tag length from stream context */ - tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); - - /* - * set encryption start and encryption length - if we're not - * providing confidentiality, set enc_start to NULL - */ - enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; - enc_octet_len = *pkt_octet_len - octets_in_rtcp_header; - - /* all of the packet, except the header, gets encrypted */ - /* NOTE: hdr->length is not usable - it refers to only the first - RTCP report in the compound packet! */ - /* NOTE: trailer is 32-bit aligned because RTCP 'packets' are always - multiples of 32-bits (RFC 3550 6.1) */ - trailer = (uint32_t *) ((char *)enc_start + enc_octet_len); - - if (stream->rtcp_services & sec_serv_conf) { - *trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */ - } else { - enc_start = NULL; - enc_octet_len = 0; - /* 0 is network-order independant */ - *trailer = 0x00000000; /* set encrypt bit */ - } - - mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t), - session_keys, use_mki); - - /* - * set the auth_start and auth_tag pointers to the proper locations - * (note that srtpc *always* provides authentication, unlike srtp) - */ - /* Note: This would need to change for optional mikey data */ - auth_start = (uint32_t *)hdr; - auth_tag = (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t) + mki_size; - - /* perform EKT processing if needed */ - srtp_ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len, - srtp_rdbx_get_packet_index(&stream->rtp_rdbx)); - - /* - * check sequence number for overruns, and copy it into the packet - * if its value isn't too big - */ - status = srtp_rdb_increment(&stream->rtcp_rdb); - if (status) - return status; - seq_num = srtp_rdb_get_value(&stream->rtcp_rdb); - *trailer |= htonl(seq_num); - debug_print(mod_srtp, "srtcp index: %x", seq_num); - - /* - * if we're using rindael counter mode, set nonce and seq - */ - if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 || - session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 || - session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) { - v128_t iv; - - iv.v32[0] = 0; - iv.v32[1] = hdr->ssrc; /* still in network order! */ - iv.v32[2] = htonl(seq_num >> 16); - iv.v32[3] = htonl(seq_num << 16); - status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t*)&iv, - srtp_direction_encrypt); - - } else { - v128_t iv; - - /* otherwise, just set the index to seq_num */ - iv.v32[0] = 0; - iv.v32[1] = 0; - iv.v32[2] = 0; - iv.v32[3] = htonl(seq_num); - status = srtp_cipher_set_iv(session_keys->rtcp_cipher, - (uint8_t*)&iv, srtp_direction_encrypt); - } - if (status) - return srtp_err_status_cipher_fail; - - /* - * if we're authenticating using a universal hash, put the keystream - * prefix into the authentication tag - */ - - /* if auth_start is non-null, then put keystream into tag */ - if (auth_start) { - - /* put keystream prefix into auth_tag */ - prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth); - status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag, &prefix_len); - - debug_print(mod_srtp, "keystream prefix: %s", - srtp_octet_string_hex_string(auth_tag, prefix_len)); - - if (status) - return srtp_err_status_cipher_fail; - } - - /* if we're encrypting, exor keystream into the message */ - if (enc_start) { - status = srtp_cipher_encrypt(session_keys->rtcp_cipher, - (uint8_t *)enc_start, &enc_octet_len); - if (status) - return srtp_err_status_cipher_fail; - } - - /* initialize auth func context */ - srtp_auth_start(session_keys->rtcp_auth); - - /* - * run auth func over packet (including trailer), and write the - * result at auth_tag - */ - status = srtp_auth_compute(session_keys->rtcp_auth, - (uint8_t *)auth_start, - (*pkt_octet_len) + sizeof(srtcp_trailer_t), - auth_tag); - debug_print(mod_srtp, "srtcp auth tag: %s", - srtp_octet_string_hex_string(auth_tag, tag_len)); - if (status) - return srtp_err_status_auth_fail; - - /* increase the packet length by the length of the auth tag and seq_num*/ - *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t)); - - /* increase the packet by the mki_size */ - *pkt_octet_len += mki_size; - - return srtp_err_status_ok; -} - - -srtp_err_status_t -srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) { - return srtp_unprotect_rtcp_mki(ctx, srtcp_hdr, pkt_octet_len, 0); -} - -srtp_err_status_t -srtp_unprotect_rtcp_mki(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len, - unsigned int use_mki) { - srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr; - uint32_t *enc_start; /* pointer to start of encrypted portion */ - uint32_t *auth_start; /* pointer to start of auth. portion */ - uint32_t *trailer; /* pointer to start of trailer */ - unsigned int enc_octet_len = 0;/* number of octets in encrypted portion */ - uint8_t *auth_tag = NULL; /* location of auth_tag within packet */ - uint8_t tmp_tag[SRTP_MAX_TAG_LEN]; - uint8_t tag_copy[SRTP_MAX_TAG_LEN]; - srtp_err_status_t status; - unsigned int auth_len; - int tag_len; - srtp_stream_ctx_t *stream; - uint32_t prefix_len; - uint32_t seq_num; - int e_bit_in_packet; /* whether the E-bit was found in the packet */ - int sec_serv_confidentiality; /* whether confidentiality was requested */ - unsigned int mki_size = 0; - srtp_session_keys_t *session_keys = NULL; - - /* we assume the hdr is 32-bit aligned to start */ - - /* check that the length value is sane; we'll check again once we - know the tag length, but we at least want to know that it is - a positive value */ - if (*pkt_octet_len < octets_in_rtcp_header + sizeof(srtcp_trailer_t)) - return srtp_err_status_bad_param; - - /* - * look up ssrc in srtp_stream list, and process the packet with - * the appropriate stream. if we haven't seen this stream before, - * there's only one key for this srtp_session, and the cipher - * supports key-sharing, then we assume that a new stream using - * that key has just started up - */ - stream = srtp_get_stream(ctx, hdr->ssrc); - if (stream == NULL) { - if (ctx->stream_template != NULL) { - stream = ctx->stream_template; - - /* - * check to see if stream_template has an EKT data structure, in - * which case we initialize the template using the EKT policy - * referenced by that data (which consists of decrypting the - * master key from the EKT field) - * - * this function initializes a *provisional* stream, and this - * stream should not be accepted until and unless the packet - * passes its authentication check - */ - if (stream->ekt != NULL) { - status = srtp_stream_init_from_ekt(stream, srtcp_hdr, *pkt_octet_len); - if (status) - return status; - } - - debug_print(mod_srtp, "srtcp using provisional stream (SSRC: 0x%08x)", - ntohl(hdr->ssrc)); - } else { - /* no template stream, so we return an error */ - return srtp_err_status_no_ctx; - } - } - - /* - * Determine if MKI is being used and what session keys should be used - */ - if (use_mki) { - session_keys = srtp_get_session_keys(stream, (uint8_t *)hdr, - (const unsigned int*)pkt_octet_len, - &mki_size); - - if (session_keys == NULL) - return srtp_err_status_bad_mki; - } else { - session_keys = &stream->session_keys[0]; - } - - - /* get tag length from stream context */ - tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth); - - /* check the packet length - it must contain at least a full RTCP - header, an auth tag (if applicable), and the SRTCP encrypted flag - and 31-bit index value */ - if (*pkt_octet_len < (int) (octets_in_rtcp_header + tag_len + mki_size + sizeof(srtcp_trailer_t))) { - return srtp_err_status_bad_param; - } - - /* - * Check if this is an AEAD stream (GCM mode). If so, then dispatch - * the request to our AEAD handler. - */ - if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 || - session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) { - return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr, - (unsigned int*)pkt_octet_len, session_keys, - mki_size); - } - - sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf || - stream->rtcp_services == sec_serv_conf_and_auth; - - /* - * set encryption start, encryption length, and trailer - */ - enc_octet_len = *pkt_octet_len - - (octets_in_rtcp_header + tag_len + mki_size + sizeof(srtcp_trailer_t)); - /* index & E (encryption) bit follow normal data. hdr->len - is the number of words (32-bit) in the normal packet minus 1 */ - /* This should point trailer to the word past the end of the - normal data. */ - /* This would need to be modified for optional mikey data */ - /* - * NOTE: trailer is 32-bit aligned because RTCP 'packets' are always - * multiples of 32-bits (RFC 3550 6.1) - */ - trailer = (uint32_t *) ((char *) hdr + - *pkt_octet_len -(tag_len + mki_size + sizeof(srtcp_trailer_t))); - e_bit_in_packet = - (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT; - if (e_bit_in_packet != sec_serv_confidentiality) { - return srtp_err_status_cant_check; - } - if (sec_serv_confidentiality) { - enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header; - } else { - enc_octet_len = 0; - enc_start = NULL; /* this indicates that there's no encryption */ - } - - /* - * set the auth_start and auth_tag pointers to the proper locations - * (note that srtcp *always* uses authentication, unlike srtp) - */ - auth_start = (uint32_t *)hdr; - - /* - * The location of the auth tag in the packet needs to know MKI - * could be present. The data needed to calculate the Auth tag - * must not include the MKI - */ - auth_len = *pkt_octet_len - tag_len - mki_size; - auth_tag = (uint8_t *)hdr + auth_len + mki_size; - - /* - * if EKT is in use, then we make a copy of the tag from the packet, - * and then zeroize the location of the base tag - * - * we first re-position the auth_tag pointer so that it points to - * the base tag - */ - if (stream->ekt) { - auth_tag -= srtp_ekt_octets_after_base_tag(stream->ekt); - memcpy(tag_copy, auth_tag, tag_len); - octet_string_set_to_zero(auth_tag, tag_len); - auth_tag = tag_copy; - auth_len += tag_len; - } - - /* - * check the sequence number for replays - */ - /* this is easier than dealing with bitfield access */ - seq_num = ntohl(*trailer) & SRTCP_INDEX_MASK; - debug_print(mod_srtp, "srtcp index: %x", seq_num); - status = srtp_rdb_check(&stream->rtcp_rdb, seq_num); - if (status) - return status; - - /* - * if we're using aes counter mode, set nonce and seq - */ - if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 || - session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 || - session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) { - v128_t iv; - - iv.v32[0] = 0; - iv.v32[1] = hdr->ssrc; /* still in network order! */ - iv.v32[2] = htonl(seq_num >> 16); - iv.v32[3] = htonl(seq_num << 16); - status = srtp_cipher_set_iv(session_keys->rtcp_cipher, - (uint8_t*)&iv, srtp_direction_decrypt); - - } else { - v128_t iv; - - /* otherwise, just set the index to seq_num */ - iv.v32[0] = 0; - iv.v32[1] = 0; - iv.v32[2] = 0; - iv.v32[3] = htonl(seq_num); - status = srtp_cipher_set_iv(session_keys->rtcp_cipher, - (uint8_t*)&iv, srtp_direction_decrypt); - - } - if (status) - return srtp_err_status_cipher_fail; - - /* initialize auth func context */ - srtp_auth_start(session_keys->rtcp_auth); - - /* run auth func over packet, put result into tmp_tag */ - status = srtp_auth_compute(session_keys->rtcp_auth, (uint8_t *)auth_start, - auth_len, tmp_tag); - debug_print(mod_srtp, "srtcp computed tag: %s", - srtp_octet_string_hex_string(tmp_tag, tag_len)); - if (status) - return srtp_err_status_auth_fail; - - /* compare the tag just computed with the one in the packet */ - debug_print(mod_srtp, "srtcp tag from packet: %s", - srtp_octet_string_hex_string(auth_tag, tag_len)); - if (octet_string_is_eq(tmp_tag, auth_tag, tag_len)) - return srtp_err_status_auth_fail; - - /* - * if we're authenticating using a universal hash, put the keystream - * prefix into the authentication tag - */ - prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth); - if (prefix_len) { - status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag, &prefix_len); - debug_print(mod_srtp, "keystream prefix: %s", - srtp_octet_string_hex_string(auth_tag, prefix_len)); - if (status) - return srtp_err_status_cipher_fail; - } - - /* if we're decrypting, exor keystream into the message */ - if (enc_start) { - status = srtp_cipher_decrypt(session_keys->rtcp_cipher, (uint8_t *)enc_start, - &enc_octet_len); - if (status) - return srtp_err_status_cipher_fail; - } - - /* decrease the packet length by the length of the auth tag and seq_num */ - *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t)); - - /* decrease the packet length by the length of the mki_size */ - *pkt_octet_len -= mki_size; - - /* - * if EKT is in effect, subtract the EKT data out of the packet - * length - */ - *pkt_octet_len -= srtp_ekt_octets_after_base_tag(stream->ekt); - - /* - * verify that stream is for received traffic - this check will - * detect SSRC collisions, since a stream that appears in both - * srtp_protect() and srtp_unprotect() will fail this test in one of - * those functions. - * - * we do this check *after* the authentication check, so that the - * latter check will catch any attempts to fool us into thinking - * that we've got a collision - */ - if (stream->direction != dir_srtp_receiver) { - if (stream->direction == dir_unknown) { - stream->direction = dir_srtp_receiver; - } else { - srtp_handle_event(ctx, stream, event_ssrc_collision); - } - } - - /* - * if the stream is a 'provisional' one, in which the template context - * is used, then we need to allocate a new stream at this point, since - * the authentication passed - */ - if (stream == ctx->stream_template) { - srtp_stream_ctx_t *new_stream; - - /* - * allocate and initialize a new stream - * - * note that we indicate failure if we can't allocate the new - * stream, and some implementations will want to not return - * failure here - */ - status = srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream); - if (status) - return status; - - /* add new stream to the head of the stream_list */ - new_stream->next = ctx->stream_list; - ctx->stream_list = new_stream; - - /* set stream (the pointer used in this function) */ - stream = new_stream; - } - - /* we've passed the authentication check, so add seq_num to the rdb */ - srtp_rdb_add_index(&stream->rtcp_rdb, seq_num); - - - return srtp_err_status_ok; -} - - /* * user data within srtp_t context */ -void -srtp_set_user_data(srtp_t ctx, void *data) { - ctx->user_data = data; +void srtp_set_user_data(srtp_t ctx, void *data) +{ + ctx->user_data = data; } -void* -srtp_get_user_data(srtp_t ctx) { - return ctx->user_data; +void *srtp_get_user_data(srtp_t ctx) +{ + return ctx->user_data; } - /* - * dtls keying for srtp + * dtls keying for srtp */ -srtp_err_status_t -srtp_crypto_policy_set_from_profile_for_rtp(srtp_crypto_policy_t *policy, - srtp_profile_t profile) { - - /* set SRTP policy from the SRTP profile in the key set */ - switch(profile) { - case srtp_profile_aes128_cm_sha1_80: - srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); - break; - case srtp_profile_aes128_cm_sha1_32: - srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(policy); - break; - case srtp_profile_null_sha1_80: - srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy); - break; +srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtp( + srtp_crypto_policy_t *policy, + srtp_profile_t profile) +{ + /* set SRTP policy from the SRTP profile in the key set */ + switch (profile) { + case srtp_profile_aes128_cm_sha1_80: + srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); + break; + case srtp_profile_aes128_cm_sha1_32: + srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(policy); + break; + case srtp_profile_null_sha1_80: + srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy); + break; #if defined(OPENSSL) - case srtp_profile_aead_aes_128_gcm: - srtp_crypto_policy_set_aes_gcm_128_16_auth(policy); - break; - case srtp_profile_aead_aes_256_gcm: - srtp_crypto_policy_set_aes_gcm_256_16_auth(policy); - break; + case srtp_profile_aead_aes_128_gcm: + srtp_crypto_policy_set_aes_gcm_128_16_auth(policy); + break; + case srtp_profile_aead_aes_256_gcm: + srtp_crypto_policy_set_aes_gcm_256_16_auth(policy); + break; #endif /* the following profiles are not (yet) supported */ - case srtp_profile_null_sha1_32: - default: - return srtp_err_status_bad_param; - } + case srtp_profile_null_sha1_32: + default: + return srtp_err_status_bad_param; + } - return srtp_err_status_ok; + return srtp_err_status_ok; } -srtp_err_status_t -srtp_crypto_policy_set_from_profile_for_rtcp(srtp_crypto_policy_t *policy, - srtp_profile_t profile) { - - /* set SRTP policy from the SRTP profile in the key set */ - switch(profile) { - case srtp_profile_aes128_cm_sha1_80: - srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); - break; - case srtp_profile_aes128_cm_sha1_32: - /* We do not honor the 32-bit auth tag request since - * this is not compliant with RFC 3711 */ - srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); - break; - case srtp_profile_null_sha1_80: - srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy); - break; +srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtcp( + srtp_crypto_policy_t *policy, + srtp_profile_t profile) +{ + /* set SRTP policy from the SRTP profile in the key set */ + switch (profile) { + case srtp_profile_aes128_cm_sha1_80: + srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); + break; + case srtp_profile_aes128_cm_sha1_32: + /* We do not honor the 32-bit auth tag request since + * this is not compliant with RFC 3711 */ + srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy); + break; + case srtp_profile_null_sha1_80: + srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy); + break; #if defined(OPENSSL) - case srtp_profile_aead_aes_128_gcm: - srtp_crypto_policy_set_aes_gcm_128_16_auth(policy); - break; - case srtp_profile_aead_aes_256_gcm: - srtp_crypto_policy_set_aes_gcm_256_16_auth(policy); - break; + case srtp_profile_aead_aes_128_gcm: + srtp_crypto_policy_set_aes_gcm_128_16_auth(policy); + break; + case srtp_profile_aead_aes_256_gcm: + srtp_crypto_policy_set_aes_gcm_256_16_auth(policy); + break; #endif /* the following profiles are not (yet) supported */ - case srtp_profile_null_sha1_32: - default: - return srtp_err_status_bad_param; - } + case srtp_profile_null_sha1_32: + default: + return srtp_err_status_bad_param; + } - return srtp_err_status_ok; + return srtp_err_status_ok; } -void srtp_append_salt_to_key(uint8_t *key, unsigned int bytes_in_key, uint8_t *salt, unsigned int bytes_in_salt) { - memcpy(key + bytes_in_key, salt, bytes_in_salt); +void srtp_append_salt_to_key(uint8_t *key, + unsigned int bytes_in_key, + uint8_t *salt, + unsigned int bytes_in_salt) +{ + memcpy(key + bytes_in_key, salt, bytes_in_salt); } -unsigned int -srtp_profile_get_master_key_length(srtp_profile_t profile) { - - switch(profile) { - case srtp_profile_aes128_cm_sha1_80: - return SRTP_AES_128_KEY_LEN; - break; - case srtp_profile_aes128_cm_sha1_32: - return SRTP_AES_128_KEY_LEN; - break; - case srtp_profile_null_sha1_80: - return SRTP_AES_128_KEY_LEN; - break; - case srtp_profile_aead_aes_128_gcm: - return SRTP_AES_128_KEY_LEN; - break; - case srtp_profile_aead_aes_256_gcm: - return SRTP_AES_256_KEY_LEN; - break; +unsigned int srtp_profile_get_master_key_length(srtp_profile_t profile) +{ + switch (profile) { + case srtp_profile_aes128_cm_sha1_80: + return SRTP_AES_128_KEY_LEN; + break; + case srtp_profile_aes128_cm_sha1_32: + return SRTP_AES_128_KEY_LEN; + break; + case srtp_profile_null_sha1_80: + return SRTP_AES_128_KEY_LEN; + break; + case srtp_profile_aead_aes_128_gcm: + return SRTP_AES_128_KEY_LEN; + break; + case srtp_profile_aead_aes_256_gcm: + return SRTP_AES_256_KEY_LEN; + break; /* the following profiles are not (yet) supported */ - case srtp_profile_null_sha1_32: - default: - return 0; /* indicate error by returning a zero */ - } + case srtp_profile_null_sha1_32: + default: + return 0; /* indicate error by returning a zero */ + } } -unsigned int -srtp_profile_get_master_salt_length(srtp_profile_t profile) { - - switch(profile) { - case srtp_profile_aes128_cm_sha1_80: - return SRTP_SALT_LEN; - break; - case srtp_profile_aes128_cm_sha1_32: - return SRTP_SALT_LEN; - break; - case srtp_profile_null_sha1_80: - return SRTP_SALT_LEN; - break; - case srtp_profile_aead_aes_128_gcm: - return SRTP_AEAD_SALT_LEN; - break; - case srtp_profile_aead_aes_256_gcm: - return SRTP_AEAD_SALT_LEN; - break; +unsigned int srtp_profile_get_master_salt_length(srtp_profile_t profile) +{ + switch (profile) { + case srtp_profile_aes128_cm_sha1_80: + return SRTP_SALT_LEN; + break; + case srtp_profile_aes128_cm_sha1_32: + return SRTP_SALT_LEN; + break; + case srtp_profile_null_sha1_80: + return SRTP_SALT_LEN; + break; + case srtp_profile_aead_aes_128_gcm: + return SRTP_AEAD_SALT_LEN; + break; + case srtp_profile_aead_aes_256_gcm: + return SRTP_AEAD_SALT_LEN; + break; /* the following profiles are not (yet) supported */ - case srtp_profile_null_sha1_32: - default: - return 0; /* indicate error by returning a zero */ - } + case srtp_profile_null_sha1_32: + default: + return 0; /* indicate error by returning a zero */ + } } -srtp_err_status_t -srtp_get_protect_trailer_length(srtp_t session, - uint32_t use_mki, - uint32_t mki_index, - uint32_t *length) +srtp_err_status_t stream_get_protect_trailer_length(srtp_stream_ctx_t *stream, + uint32_t is_rtp, + uint32_t use_mki, + uint32_t mki_index, + uint32_t *length) { - srtp_stream_ctx_t *stream; - - if (session == NULL) - return srtp_err_status_bad_param; - *length = 0; - /* Try obtaining stream from stream_list */ - stream = session->stream_list; - - if (stream == NULL) { - /* Try obtaining the template stream */ - stream = session->stream_template; - } - - if (stream == NULL) { - return srtp_err_status_bad_param; - } + srtp_session_keys_t *session_key; if (use_mki) { - if (mki_index > stream->num_master_keys) - return srtp_err_status_bad_mki; + if (mki_index >= stream->num_master_keys) { + return srtp_err_status_bad_mki; + } + session_key = &stream->session_keys[mki_index]; - *length += stream->session_keys[mki_index].mki_size; - *length += srtp_auth_get_tag_length(stream->session_keys[mki_index].rtp_auth); + *length += session_key->mki_size; + + } else { + session_key = &stream->session_keys[0]; + } + if (is_rtp) { + *length += srtp_auth_get_tag_length(session_key->rtp_auth); } else { - *length += srtp_auth_get_tag_length(stream->session_keys[0].rtp_auth); + *length += srtp_auth_get_tag_length(session_key->rtcp_auth); + *length += sizeof(srtcp_trailer_t); } return srtp_err_status_ok; } -srtp_err_status_t -srtp_get_protect_rtcp_trailer_length(srtp_t session, - uint32_t use_mki, - uint32_t mki_index, - uint32_t *length) +srtp_err_status_t get_protect_trailer_length(srtp_t session, + uint32_t is_rtp, + uint32_t use_mki, + uint32_t mki_index, + uint32_t *length) { srtp_stream_ctx_t *stream; - if (session == NULL) - return srtp_err_status_bad_param; + if (session == NULL) { + return srtp_err_status_bad_param; + } - *length = 0; + if (session->stream_template == NULL && session->stream_list == NULL) { + return srtp_err_status_bad_param; + } - /* Try obtaining stream from stream_list */ - stream = session->stream_list; + *length = 0; - if (stream == NULL) { - /* Try obtaining the template stream */ - stream = session->stream_template; - } + stream = session->stream_template; - if (stream == NULL) { - return srtp_err_status_bad_param; + if (stream != NULL) { + stream_get_protect_trailer_length(stream, is_rtp, use_mki, mki_index, + length); } - if (use_mki) { - if (mki_index > stream->num_master_keys) - return srtp_err_status_bad_mki; + stream = session->stream_list; - *length += stream->session_keys[mki_index].mki_size; - *length += srtp_auth_get_tag_length(stream->session_keys[mki_index].rtcp_auth); - } else { - *length += srtp_auth_get_tag_length(stream->session_keys[0].rtcp_auth); + while (stream != NULL) { + uint32_t temp_length; + if (stream_get_protect_trailer_length(stream, is_rtp, use_mki, + mki_index, &temp_length) == + srtp_err_status_ok) { + if (temp_length > *length) { + *length = temp_length; + } + } + stream = stream->next; } - - *length += sizeof(srtcp_trailer_t); return srtp_err_status_ok; } +srtp_err_status_t srtp_get_protect_trailer_length(srtp_t session, + uint32_t use_mki, + uint32_t mki_index, + uint32_t *length) +{ + return get_protect_trailer_length(session, 1, use_mki, mki_index, length); +} + +srtp_err_status_t srtp_get_protect_rtcp_trailer_length(srtp_t session, + uint32_t use_mki, + uint32_t mki_index, + uint32_t *length) +{ + return get_protect_trailer_length(session, 0, use_mki, mki_index, length); +} /* * SRTP debug interface @@ -4591,26 +4656,34 @@ srtp_err_status_t srtp_list_debug_modules(void) */ static srtp_log_handler_func_t *srtp_log_handler = NULL; -static void * srtp_log_handler_data = NULL; +static void *srtp_log_handler_data = NULL; -void srtp_err_handler(srtp_err_reporting_level_t level, const char * msg) +void srtp_err_handler(srtp_err_reporting_level_t level, const char *msg) { if (srtp_log_handler) { srtp_log_level_t log_level = srtp_log_level_error; - switch(level) { - case srtp_err_level_error: log_level = srtp_log_level_error; break; - case srtp_err_level_warning: log_level = srtp_log_level_warning; break; - case srtp_err_level_info: log_level = srtp_log_level_info; break; - case srtp_err_level_debug: log_level = srtp_log_level_debug; break; + switch (level) { + case srtp_err_level_error: + log_level = srtp_log_level_error; + break; + case srtp_err_level_warning: + log_level = srtp_log_level_warning; + break; + case srtp_err_level_info: + log_level = srtp_log_level_info; + break; + case srtp_err_level_debug: + log_level = srtp_log_level_debug; + break; } srtp_log_handler(log_level, msg, srtp_log_handler_data); } } -srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func, void * data) +srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func, + void *data) { - /* * note that we accept NULL arguments intentionally - calling this * function with a NULL arguments removes a log handler that's @@ -4628,8 +4701,10 @@ srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func, void * return srtp_err_status_ok; } -srtp_err_status_t -srtp_set_stream_roc(srtp_t session, uint32_t ssrc, uint32_t roc) { +srtp_err_status_t srtp_set_stream_roc(srtp_t session, + uint32_t ssrc, + uint32_t roc) +{ srtp_stream_t stream; stream = srtp_get_stream(session, htonl(ssrc)); @@ -4641,8 +4716,10 @@ srtp_set_stream_roc(srtp_t session, uint32_t ssrc, uint32_t roc) { return srtp_err_status_ok; } -srtp_err_status_t -srtp_get_stream_roc(srtp_t session, uint32_t ssrc, uint32_t *roc) { +srtp_err_status_t srtp_get_stream_roc(srtp_t session, + uint32_t ssrc, + uint32_t *roc) +{ srtp_stream_t stream; stream = srtp_get_stream(session, htonl(ssrc)); diff --git a/libs/srtp/srtp2.vcxproj b/libs/srtp/srtp2.vcxproj index 2cae3ea7e3..a6ac642546 100644 --- a/libs/srtp/srtp2.vcxproj +++ b/libs/srtp/srtp2.vcxproj @@ -370,6 +370,7 @@ <ClInclude Include="crypto\include\alloc.h" /> <ClInclude Include="crypto\include\auth.h" /> <ClInclude Include="crypto\include\cipher.h" /> + <ClInclude Include="crypto\include\cipher_types.h" /> <ClInclude Include="crypto\include\config.h" /> <ClInclude Include="crypto\include\crypto.h" /> <ClInclude Include="crypto\include\cryptoalg.h" /> @@ -401,4 +402,4 @@ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <ImportGroup Label="ExtensionTargets"> </ImportGroup> -</Project> \ No newline at end of file +</Project> diff --git a/libs/srtp/srtp2.vcxproj.filters b/libs/srtp/srtp2.vcxproj.filters index 6daa0d9f23..24e040fb5b 100644 --- a/libs/srtp/srtp2.vcxproj.filters +++ b/libs/srtp/srtp2.vcxproj.filters @@ -107,6 +107,9 @@ <ClInclude Include="crypto\include\cipher.h"> <Filter>Header Files</Filter> </ClInclude> + <ClInclude Include="crypto\include\cipher_types.h"> + <Filter>Header Files</Filter> + </ClInclude> <ClInclude Include="crypto\include\config.h"> <Filter>Header Files</Filter> </ClInclude> @@ -183,4 +186,4 @@ <Filter>Source Files</Filter> </None> </ItemGroup> -</Project> \ No newline at end of file +</Project> diff --git a/libs/srtp/test/cutest.h b/libs/srtp/test/cutest.h index a94e144ab5..f46626d395 100644 --- a/libs/srtp/test/cutest.h +++ b/libs/srtp/test/cutest.h @@ -10,10 +10,10 @@ * the rights to use, copy, modify, merge, publish, distribute, sublicense, * and/or sell copies of the Software, and to permit persons to whom the * Software is furnished to do so, subject to the following conditions: - * + * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. - * + * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE @@ -26,7 +26,6 @@ #ifndef CUTEST_H__ #define CUTEST_H__ - /************************ *** Public interface *** ************************/ @@ -56,8 +55,7 @@ * * void test_func(void); */ -#define TEST_LIST const struct test__ test_list__[] - +#define TEST_LIST const struct test__ test_list__[] /* Macros for testing whether an unit test succeeds or fails. These macros * can be used arbitrarily in functions implementing the unit tests. @@ -78,9 +76,9 @@ * TEST_CHECK(ptr->member2 > 200); * } */ -#define TEST_CHECK_(cond,...) test_check__((cond), __FILE__, __LINE__, __VA_ARGS__) -#define TEST_CHECK(cond) test_check__((cond), __FILE__, __LINE__, "%s", #cond) - +#define TEST_CHECK_(cond, ...) \ + test_check__((cond), __FILE__, __LINE__, __VA_ARGS__) +#define TEST_CHECK(cond) test_check__((cond), __FILE__, __LINE__, "%s", #cond) /********************** *** Implementation *** @@ -94,47 +92,43 @@ #include <string.h> #if defined(unix) || defined(__unix__) || defined(__unix) || defined(__APPLE__) - #define CUTEST_UNIX__ 1 - #include <errno.h> - #include <unistd.h> - #include <sys/types.h> - #include <sys/wait.h> - #include <signal.h> +#define CUTEST_UNIX__ 1 +#include <errno.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/wait.h> +#include <signal.h> #endif #if defined(_WIN32) || defined(__WIN32__) || defined(__WINDOWS__) - #define CUTEST_WIN__ 1 - #include <windows.h> - #include <io.h> +#define CUTEST_WIN__ 1 +#include <windows.h> +#include <io.h> #endif #ifdef __cplusplus - #include <exception> +#include <exception> #endif - /* Note our global private identifiers end with '__' to mitigate risk of clash * with the unit tests implementation. */ - #ifdef __cplusplus - extern "C" { +extern "C" { #endif - struct test__ { - const char* name; + const char *name; void (*func)(void); }; extern const struct test__ test_list__[]; -int test_check__(int cond, const char* file, int line, const char* fmt, ...); - +int test_check__(int cond, const char *file, int line, const char *fmt, ...); #ifndef TEST_NO_MAIN -static char* test_argv0__ = NULL; +static char *test_argv0__ = NULL; static int test_count__ = 0; static int test_no_exec__ = 0; static int test_no_summary__ = 0; @@ -143,21 +137,20 @@ static int test_skip_mode__ = 0; static int test_stat_failed_units__ = 0; static int test_stat_run_units__ = 0; -static const struct test__* test_current_unit__ = NULL; +static const struct test__ *test_current_unit__ = NULL; static int test_current_already_logged__ = 0; static int test_verbose_level__ = 2; static int test_current_failures__ = 0; static int test_colorize__ = 0; -#define CUTEST_COLOR_DEFAULT__ 0 -#define CUTEST_COLOR_GREEN__ 1 -#define CUTEST_COLOR_RED__ 2 -#define CUTEST_COLOR_DEFAULT_INTENSIVE__ 3 -#define CUTEST_COLOR_GREEN_INTENSIVE__ 4 -#define CUTEST_COLOR_RED_INTENSIVE__ 5 +#define CUTEST_COLOR_DEFAULT__ 0 +#define CUTEST_COLOR_GREEN__ 1 +#define CUTEST_COLOR_RED__ 2 +#define CUTEST_COLOR_DEFAULT_INTENSIVE__ 3 +#define CUTEST_COLOR_GREEN_INTENSIVE__ 4 +#define CUTEST_COLOR_RED_INTENSIVE__ 5 -static size_t -test_print_in_color__(int color, const char* fmt, ...) +static size_t test_print_in_color__(int color, const char *fmt, ...) { va_list args; char buffer[256]; @@ -166,22 +159,34 @@ test_print_in_color__(int color, const char* fmt, ...) va_start(args, fmt); vsnprintf(buffer, sizeof(buffer), fmt, args); va_end(args); - buffer[sizeof(buffer)-1] = '\0'; + buffer[sizeof(buffer) - 1] = '\0'; - if(!test_colorize__) { + if (!test_colorize__) { return printf("%s", buffer); } #if defined CUTEST_UNIX__ { - const char* col_str; - switch(color) { - case CUTEST_COLOR_GREEN__: col_str = "\033[0;32m"; break; - case CUTEST_COLOR_RED__: col_str = "\033[0;31m"; break; - case CUTEST_COLOR_GREEN_INTENSIVE__: col_str = "\033[1;32m"; break; - case CUTEST_COLOR_RED_INTENSIVE__: col_str = "\033[1;30m"; break; - case CUTEST_COLOR_DEFAULT_INTENSIVE__: col_str = "\033[1m"; break; - default: col_str = "\033[0m"; break; + const char *col_str; + switch (color) { + case CUTEST_COLOR_GREEN__: + col_str = "\033[0;32m"; + break; + case CUTEST_COLOR_RED__: + col_str = "\033[0;31m"; + break; + case CUTEST_COLOR_GREEN_INTENSIVE__: + col_str = "\033[1;32m"; + break; + case CUTEST_COLOR_RED_INTENSIVE__: + col_str = "\033[1;30m"; + break; + case CUTEST_COLOR_DEFAULT_INTENSIVE__: + col_str = "\033[1m"; + break; + default: + col_str = "\033[0m"; + break; } printf("%s", col_str); n = printf("%s", buffer); @@ -197,15 +202,28 @@ test_print_in_color__(int color, const char* fmt, ...) h = GetStdHandle(STD_OUTPUT_HANDLE); GetConsoleScreenBufferInfo(h, &info); - switch(color) { - case CUTEST_COLOR_GREEN__: attr = FOREGROUND_GREEN; break; - case CUTEST_COLOR_RED__: attr = FOREGROUND_RED; break; - case CUTEST_COLOR_GREEN_INTENSIVE__: attr = FOREGROUND_GREEN | FOREGROUND_INTENSITY; break; - case CUTEST_COLOR_RED_INTENSIVE__: attr = FOREGROUND_RED | FOREGROUND_INTENSITY; break; - case CUTEST_COLOR_DEFAULT_INTENSIVE__: attr = FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_RED | FOREGROUND_INTENSITY; break; - default: attr = 0; break; + switch (color) { + case CUTEST_COLOR_GREEN__: + attr = FOREGROUND_GREEN; + break; + case CUTEST_COLOR_RED__: + attr = FOREGROUND_RED; + break; + case CUTEST_COLOR_GREEN_INTENSIVE__: + attr = FOREGROUND_GREEN | FOREGROUND_INTENSITY; + break; + case CUTEST_COLOR_RED_INTENSIVE__: + attr = FOREGROUND_RED | FOREGROUND_INTENSITY; + break; + case CUTEST_COLOR_DEFAULT_INTENSIVE__: + attr = FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_RED | + FOREGROUND_INTENSITY; + break; + default: + attr = 0; + break; } - if(attr != 0) + if (attr != 0) SetConsoleTextAttribute(h, attr); n = printf("%s", buffer); SetConsoleTextAttribute(h, info.wAttributes); @@ -217,19 +235,18 @@ test_print_in_color__(int color, const char* fmt, ...) #endif } -int -test_check__(int cond, const char* file, int line, const char* fmt, ...) +int test_check__(int cond, const char *file, int line, const char *fmt, ...) { const char *result_str; int result_color; int verbose_level; - if(cond) { + if (cond) { result_str = "ok"; result_color = CUTEST_COLOR_GREEN__; verbose_level = 3; } else { - if(!test_current_already_logged__ && test_current_unit__ != NULL) { + if (!test_current_already_logged__ && test_current_unit__ != NULL) { printf("[ "); test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, "FAILED"); printf(" ]\n"); @@ -241,13 +258,13 @@ test_check__(int cond, const char* file, int line, const char* fmt, ...) test_current_already_logged__++; } - if(test_verbose_level__ >= verbose_level) { + if (test_verbose_level__ >= verbose_level) { size_t n = 0; va_list args; printf(" "); - if(file != NULL) + if (file != NULL) n += printf("%s:%d: Check ", file, line); va_start(args, fmt); @@ -263,23 +280,21 @@ test_check__(int cond, const char* file, int line, const char* fmt, ...) return (cond != 0); } -static void -test_list_names__(void) +static void test_list_names__(void) { - const struct test__* test; + const struct test__ *test; printf("Unit tests:\n"); - for(test = &test_list__[0]; test->func != NULL; test++) + for (test = &test_list__[0]; test->func != NULL; test++) printf(" %s\n", test->name); } -static const struct test__* -test_by_name__(const char* name) +static const struct test__ *test_by_name__(const char *name) { - const struct test__* test; + const struct test__ *test; - for(test = &test_list__[0]; test->func != NULL; test++) { - if(strcmp(test->name, name) == 0) + for (test = &test_list__[0]; test->func != NULL; test++) { + if (strcmp(test->name, name) == 0) return test; } @@ -287,24 +302,25 @@ test_by_name__(const char* name) } /* Call directly the given test unit function. */ -static int -test_do_run__(const struct test__* test) +static int test_do_run__(const struct test__ *test) { test_current_unit__ = test; test_current_failures__ = 0; test_current_already_logged__ = 0; - if(test_verbose_level__ >= 3) { - test_print_in_color__(CUTEST_COLOR_DEFAULT_INTENSIVE__, "Test %s:\n", test->name); + if (test_verbose_level__ >= 3) { + test_print_in_color__(CUTEST_COLOR_DEFAULT_INTENSIVE__, "Test %s:\n", + test->name); test_current_already_logged__++; - } else if(test_verbose_level__ >= 1) { + } else if (test_verbose_level__ >= 1) { size_t n; char spaces[32]; - n = test_print_in_color__(CUTEST_COLOR_DEFAULT_INTENSIVE__, "Test %s... ", test->name); + n = test_print_in_color__(CUTEST_COLOR_DEFAULT_INTENSIVE__, + "Test %s... ", test->name); memset(spaces, ' ', sizeof(spaces)); - if(n < sizeof(spaces)) - printf("%.*s", (int) (sizeof(spaces) - n), spaces); + if (n < sizeof(spaces)) + printf("%.*s", (int)(sizeof(spaces) - n), spaces); } else { test_current_already_logged__ = 1; } @@ -320,24 +336,34 @@ test_do_run__(const struct test__* test) test->func(); #ifdef __cplusplus - } catch(std::exception& e) { - const char* what = e.what(); - if(what != NULL) + } catch (std::exception &e) { + const char *what = e.what(); + if (what != NULL) test_check__(0, NULL, 0, "Threw std::exception: %s", what); else test_check__(0, NULL, 0, "Threw std::exception"); - } catch(...) { + } catch (...) { test_check__(0, NULL, 0, "Threw an exception"); } #endif - if(test_verbose_level__ >= 3) { - switch(test_current_failures__) { - case 0: test_print_in_color__(CUTEST_COLOR_GREEN_INTENSIVE__, " All conditions have passed.\n\n"); break; - case 1: test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, " One condition has FAILED.\n\n"); break; - default: test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, " %d conditions have FAILED.\n\n", test_current_failures__); break; + if (test_verbose_level__ >= 3) { + switch (test_current_failures__) { + case 0: + test_print_in_color__(CUTEST_COLOR_GREEN_INTENSIVE__, + " All conditions have passed.\n\n"); + break; + case 1: + test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, + " One condition has FAILED.\n\n"); + break; + default: + test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, + " %d conditions have FAILED.\n\n", + test_current_failures__); + break; } - } else if(test_verbose_level__ >= 1 && test_current_failures__ == 0) { + } else if (test_verbose_level__ >= 1 && test_current_failures__ == 0) { printf("[ "); test_print_in_color__(CUTEST_COLOR_GREEN_INTENSIVE__, "OK"); printf(" ]\n"); @@ -351,21 +377,21 @@ test_do_run__(const struct test__* test) /* Called if anything goes bad in cutest, or if the unit test ends in other * way then by normal returning from its function (e.g. exception or some * abnormal child process termination). */ -static void -test_error__(const char* fmt, ...) +static void test_error__(const char *fmt, ...) { va_list args; - if(test_verbose_level__ == 0) + if (test_verbose_level__ == 0) return; - if(test_verbose_level__ <= 2 && !test_current_already_logged__ && test_current_unit__ != NULL) { + if (test_verbose_level__ <= 2 && !test_current_already_logged__ && + test_current_unit__ != NULL) { printf("[ "); test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, "FAILED"); printf(" ]\n"); } - if(test_verbose_level__ >= 2) { + if (test_verbose_level__ >= 2) { test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, " Error: "); va_start(args, fmt); vprintf(fmt, args); @@ -378,51 +404,73 @@ test_error__(const char* fmt, ...) /* Trigger the unit test. If possible (and not suppressed) it starts a child * process who calls test_do_run__(), otherwise it calls test_do_run__() * directly. */ -static void -test_run__(const struct test__* test) +static void test_run__(const struct test__ *test) { int failed = 1; test_current_unit__ = test; test_current_already_logged__ = 0; - if(!test_no_exec__) { - + if (!test_no_exec__) { #if defined(CUTEST_UNIX__) pid_t pid; int exit_code; pid = fork(); - if(pid == (pid_t)-1) { + if (pid == (pid_t)-1) { test_error__("Cannot fork. %s [%d]", strerror(errno), errno); failed = 1; - } else if(pid == 0) { + } else if (pid == 0) { /* Child: Do the test. */ failed = (test_do_run__(test) != 0); exit(failed ? 1 : 0); } else { /* Parent: Wait until child terminates and analyze its exit code. */ waitpid(pid, &exit_code, 0); - if(WIFEXITED(exit_code)) { - switch(WEXITSTATUS(exit_code)) { - case 0: failed = 0; break; /* test has passed. */ - case 1: /* noop */ break; /* "normal" failure. */ - default: test_error__("Unexpected exit code [%d]", WEXITSTATUS(exit_code)); + if (WIFEXITED(exit_code)) { + switch (WEXITSTATUS(exit_code)) { + case 0: + failed = 0; + break; /* test has passed. */ + case 1: /* noop */ + break; /* "normal" failure. */ + default: + test_error__("Unexpected exit code [%d]", + WEXITSTATUS(exit_code)); } - } else if(WIFSIGNALED(exit_code)) { + } else if (WIFSIGNALED(exit_code)) { char tmp[32]; - const char* signame; - switch(WTERMSIG(exit_code)) { - case SIGINT: signame = "SIGINT"; break; - case SIGHUP: signame = "SIGHUP"; break; - case SIGQUIT: signame = "SIGQUIT"; break; - case SIGABRT: signame = "SIGABRT"; break; - case SIGKILL: signame = "SIGKILL"; break; - case SIGSEGV: signame = "SIGSEGV"; break; - case SIGILL: signame = "SIGILL"; break; - case SIGTERM: signame = "SIGTERM"; break; - default: sprintf(tmp, "signal %d", WTERMSIG(exit_code)); signame = tmp; break; + const char *signame; + switch (WTERMSIG(exit_code)) { + case SIGINT: + signame = "SIGINT"; + break; + case SIGHUP: + signame = "SIGHUP"; + break; + case SIGQUIT: + signame = "SIGQUIT"; + break; + case SIGABRT: + signame = "SIGABRT"; + break; + case SIGKILL: + signame = "SIGKILL"; + break; + case SIGSEGV: + signame = "SIGSEGV"; + break; + case SIGILL: + signame = "SIGILL"; + break; + case SIGTERM: + signame = "SIGTERM"; + break; + default: + sprintf(tmp, "signal %d", WTERMSIG(exit_code)); + signame = tmp; + break; } test_error__("Test interrupted by %s", signame); } else { @@ -432,26 +480,28 @@ test_run__(const struct test__* test) #elif defined(CUTEST_WIN__) - char buffer[512] = {0}; - STARTUPINFOA startupInfo = {0}; + char buffer[512] = { 0 }; + STARTUPINFOA startupInfo = { 0 }; PROCESS_INFORMATION processInfo; DWORD exitCode; /* Windows has no fork(). So we propagate all info into the child * through a command line arguments. */ - _snprintf(buffer, sizeof(buffer)-1, - "%s --no-exec --no-summary --verbose=%d --color=%s -- \"%s\"", - test_argv0__, test_verbose_level__, - test_colorize__ ? "always" : "never", test->name); + _snprintf(buffer, sizeof(buffer) - 1, + "%s --no-exec --no-summary --verbose=%d --color=%s -- \"%s\"", + test_argv0__, test_verbose_level__, + test_colorize__ ? "always" : "never", test->name); startupInfo.cb = sizeof(STARTUPINFO); - if(CreateProcessA(NULL, buffer, NULL, NULL, FALSE, 0, NULL, NULL, &startupInfo, &processInfo)) { + if (CreateProcessA(NULL, buffer, NULL, NULL, FALSE, 0, NULL, NULL, + &startupInfo, &processInfo)) { WaitForSingleObject(processInfo.hProcess, INFINITE); GetExitCodeProcess(processInfo.hProcess, &exitCode); CloseHandle(processInfo.hThread); CloseHandle(processInfo.hProcess); failed = (exitCode != 0); } else { - test_error__("Cannot create unit test subprocess [%ld].", GetLastError()); + test_error__("Cannot create unit test subprocess [%ld].", + GetLastError()); failed = 1; } @@ -470,14 +520,13 @@ test_run__(const struct test__* test) test_current_unit__ = NULL; test_stat_run_units__++; - if(failed) + if (failed) test_stat_failed_units__++; } #if defined(CUTEST_WIN__) /* Callback for SEH events. */ -static LONG CALLBACK -test_exception_filter__(EXCEPTION_POINTERS *ptrs) +static LONG CALLBACK test_exception_filter__(EXCEPTION_POINTERS *ptrs) { test_error__("Unhandled SEH exception %08lx at %p.", ptrs->ExceptionRecord->ExceptionCode, @@ -488,35 +537,42 @@ test_exception_filter__(EXCEPTION_POINTERS *ptrs) } #endif -static void -test_help__(void) +static void test_help__(void) { printf("Usage: %s [options] [test...]\n", test_argv0__); - printf("Run the specified unit tests; or if the option '--skip' is used, run all\n"); - printf("tests in the suite but those listed. By default, if no tests are specified\n"); + printf("Run the specified unit tests; or if the option '--skip' is used, " + "run all\n"); + printf("tests in the suite but those listed. By default, if no tests are " + "specified\n"); printf("on the command line, all unit tests in the suite are run.\n"); printf("\n"); printf("Options:\n"); - printf(" -s, --skip Execute all unit tests but the listed ones\n"); - printf(" --no-exec Do not execute unit tests as child processes\n"); - printf(" --no-summary Suppress printing of test results summary\n"); + printf( + " -s, --skip Execute all unit tests but the listed ones\n"); + printf(" --no-exec Do not execute unit tests as child " + "processes\n"); + printf( + " --no-summary Suppress printing of test results summary\n"); printf(" -l, --list List unit tests in the suite and exit\n"); printf(" -v, --verbose Enable more verbose output\n"); printf(" --verbose=LEVEL Set verbose level to LEVEL:\n"); printf(" 0 ... Be silent\n"); - printf(" 1 ... Output one line per test (and summary)\n"); - printf(" 2 ... As 1 and failed conditions (this is default)\n"); - printf(" 3 ... As 1 and all conditions (and extended summary)\n"); - printf(" --color=WHEN Enable colorized output (WHEN is one of 'auto', 'always', 'never')\n"); + printf(" 1 ... Output one line per test (and " + "summary)\n"); + printf(" 2 ... As 1 and failed conditions (this " + "is default)\n"); + printf(" 3 ... As 1 and all conditions (and " + "extended summary)\n"); + printf(" --color=WHEN Enable colorized output (WHEN is one of " + "'auto', 'always', 'never')\n"); printf(" -h, --help Display this help and exit\n"); printf("\n"); test_list_names__(); } -int -main(int argc, char** argv) +int main(int argc, char **argv) { - const struct test__** tests = NULL; + const struct test__ **tests = NULL; int i, j, n = 0; int seen_double_dash = 0; @@ -531,42 +587,50 @@ main(int argc, char** argv) #endif /* Parse options */ - for(i = 1; i < argc; i++) { - if(seen_double_dash || argv[i][0] != '-') { - tests = (const struct test__**) realloc((void*)tests, (n+1) * sizeof(const struct test__*)); - if(tests == NULL) { + for (i = 1; i < argc; i++) { + if (seen_double_dash || argv[i][0] != '-') { + tests = (const struct test__ **)realloc( + (void *)tests, (n + 1) * sizeof(const struct test__ *)); + if (tests == NULL) { fprintf(stderr, "Out of memory.\n"); exit(2); } tests[n] = test_by_name__(argv[i]); - if(tests[n] == NULL) { - fprintf(stderr, "%s: Unrecognized unit test '%s'\n", argv[0], argv[i]); - fprintf(stderr, "Try '%s --list' for list of unit tests.\n", argv[0]); + if (tests[n] == NULL) { + fprintf(stderr, "%s: Unrecognized unit test '%s'\n", argv[0], + argv[i]); + fprintf(stderr, "Try '%s --list' for list of unit tests.\n", + argv[0]); exit(2); } n++; - } else if(strcmp(argv[i], "--") == 0) { + } else if (strcmp(argv[i], "--") == 0) { seen_double_dash = 1; - } else if(strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-h") == 0) { + } else if (strcmp(argv[i], "--help") == 0 || + strcmp(argv[i], "-h") == 0) { test_help__(); exit(0); - } else if(strcmp(argv[i], "--verbose") == 0 || strcmp(argv[i], "-v") == 0) { + } else if (strcmp(argv[i], "--verbose") == 0 || + strcmp(argv[i], "-v") == 0) { test_verbose_level__++; - } else if(strncmp(argv[i], "--verbose=", 10) == 0) { + } else if (strncmp(argv[i], "--verbose=", 10) == 0) { test_verbose_level__ = atoi(argv[i] + 10); - } else if(strcmp(argv[i], "--color=auto") == 0) { + } else if (strcmp(argv[i], "--color=auto") == 0) { /* noop (set from above) */ - } else if(strcmp(argv[i], "--color=always") == 0 || strcmp(argv[i], "--color") == 0) { + } else if (strcmp(argv[i], "--color=always") == 0 || + strcmp(argv[i], "--color") == 0) { test_colorize__ = 1; - } else if(strcmp(argv[i], "--color=never") == 0) { + } else if (strcmp(argv[i], "--color=never") == 0) { test_colorize__ = 0; - } else if(strcmp(argv[i], "--skip") == 0 || strcmp(argv[i], "-s") == 0) { + } else if (strcmp(argv[i], "--skip") == 0 || + strcmp(argv[i], "-s") == 0) { test_skip_mode__ = 1; - } else if(strcmp(argv[i], "--no-exec") == 0) { + } else if (strcmp(argv[i], "--no-exec") == 0) { test_no_exec__ = 1; - } else if(strcmp(argv[i], "--no-summary") == 0) { + } else if (strcmp(argv[i], "--no-summary") == 0) { test_no_summary__ = 1; - } else if(strcmp(argv[i], "--list") == 0 || strcmp(argv[i], "-l") == 0) { + } else if (strcmp(argv[i], "--list") == 0 || + strcmp(argv[i], "-l") == 0) { test_list_names__(); exit(0); } else { @@ -582,66 +646,68 @@ main(int argc, char** argv) /* Count all test units */ test_count__ = 0; - for(i = 0; test_list__[i].func != NULL; i++) + for (i = 0; test_list__[i].func != NULL; i++) test_count__++; /* Run the tests */ - if(n == 0) { + if (n == 0) { /* Run all tests */ - for(i = 0; test_list__[i].func != NULL; i++) + for (i = 0; test_list__[i].func != NULL; i++) test_run__(&test_list__[i]); - } else if(!test_skip_mode__) { + } else if (!test_skip_mode__) { /* Run the listed tests */ - for(i = 0; i < n; i++) + for (i = 0; i < n; i++) test_run__(tests[i]); } else { /* Run all tests except those listed */ - for(i = 0; test_list__[i].func != NULL; i++) { + for (i = 0; test_list__[i].func != NULL; i++) { int want_skip = 0; - for(j = 0; j < n; j++) { - if(tests[j] == &test_list__[i]) { + for (j = 0; j < n; j++) { + if (tests[j] == &test_list__[i]) { want_skip = 1; break; } } - if(!want_skip) + if (!want_skip) test_run__(&test_list__[i]); } } /* Write a summary */ - if(!test_no_summary__ && test_verbose_level__ >= 1) { + if (!test_no_summary__ && test_verbose_level__ >= 1) { test_print_in_color__(CUTEST_COLOR_DEFAULT_INTENSIVE__, "\nSummary:\n"); - if(test_verbose_level__ >= 3) { + if (test_verbose_level__ >= 3) { printf(" Count of all unit tests: %4d\n", test_count__); - printf(" Count of run unit tests: %4d\n", test_stat_run_units__); - printf(" Count of failed unit tests: %4d\n", test_stat_failed_units__); - printf(" Count of skipped unit tests: %4d\n", test_count__ - test_stat_run_units__); + printf(" Count of run unit tests: %4d\n", + test_stat_run_units__); + printf(" Count of failed unit tests: %4d\n", + test_stat_failed_units__); + printf(" Count of skipped unit tests: %4d\n", + test_count__ - test_stat_run_units__); } - if(test_stat_failed_units__ == 0) { + if (test_stat_failed_units__ == 0) { test_print_in_color__(CUTEST_COLOR_GREEN_INTENSIVE__, - " SUCCESS: All unit tests have passed.\n"); + " SUCCESS: All unit tests have passed.\n"); } else { - test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, - " FAILED: %d of %d unit tests have failed.\n", - test_stat_failed_units__, test_stat_run_units__); + test_print_in_color__( + CUTEST_COLOR_RED_INTENSIVE__, + " FAILED: %d of %d unit tests have failed.\n", + test_stat_failed_units__, test_stat_run_units__); } } - if(tests != NULL) - free((void*)tests); + if (tests != NULL) + free((void *)tests); return (test_stat_failed_units__ == 0) ? 0 : 1; } - -#endif /* #ifndef TEST_NO_MAIN */ +#endif /* #ifndef TEST_NO_MAIN */ #ifdef __cplusplus - } /* extern "C" */ +} /* extern "C" */ #endif - -#endif /* #ifndef CUTEST_H__ */ +#endif /* #ifndef CUTEST_H__ */ diff --git a/libs/srtp/test/dtls_srtp_driver.c b/libs/srtp/test/dtls_srtp_driver.c index ebf73f9fc5..4f4d0a39b3 100644 --- a/libs/srtp/test/dtls_srtp_driver.c +++ b/libs/srtp/test/dtls_srtp_driver.c @@ -7,26 +7,26 @@ * Cisco Systems, Inc. */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -46,171 +46,170 @@ #include "getopt_s.h" /* for local getopt() */ #include "srtp_priv.h" -srtp_err_status_t -test_dtls_srtp(void); +srtp_err_status_t test_dtls_srtp(void); -srtp_hdr_t * -srtp_create_test_packet(int pkt_octet_len, uint32_t ssrc); +srtp_hdr_t *srtp_create_test_packet(int pkt_octet_len, uint32_t ssrc); -void -usage(char *prog_name) { - printf("usage: %s [ -t ][ -c ][ -v ][-d <debug_module> ]* [ -l ]\n" - " -d <mod> turn on debugging module <mod>\n" - " -l list debugging modules\n", prog_name); - exit(1); +void usage(char *prog_name) +{ + printf("usage: %s [ -t ][ -c ][ -v ][-d <debug_module> ]* [ -l ]\n" + " -d <mod> turn on debugging module <mod>\n" + " -l list debugging modules\n", + prog_name); + exit(1); } -int -main(int argc, char *argv[]) { - unsigned do_list_mods = 0; - int q; - srtp_err_status_t err; +int main(int argc, char *argv[]) +{ + unsigned do_list_mods = 0; + int q; + srtp_err_status_t err; - printf("dtls_srtp_driver\n"); + printf("dtls_srtp_driver\n"); - /* initialize srtp library */ - err = srtp_init(); - if (err) { - printf("error: srtp init failed with error code %d\n", err); - exit(1); - } - - /* process input arguments */ - while (1) { - q = getopt_s(argc, argv, "ld:"); - if (q == -1) - break; - switch (q) { - case 'l': - do_list_mods = 1; - break; - case 'd': - err = srtp_crypto_kernel_set_debug_module(optarg_s, 1); - if (err) { - printf("error: set debug module (%s) failed\n", optarg_s); + /* initialize srtp library */ + err = srtp_init(); + if (err) { + printf("error: srtp init failed with error code %d\n", err); exit(1); - } - break; - default: - usage(argv[0]); - } - } - - if (do_list_mods) { - err = srtp_crypto_kernel_list_debug_modules(); + } + + /* process input arguments */ + while (1) { + q = getopt_s(argc, argv, "ld:"); + if (q == -1) + break; + switch (q) { + case 'l': + do_list_mods = 1; + break; + case 'd': + err = srtp_crypto_kernel_set_debug_module(optarg_s, 1); + if (err) { + printf("error: set debug module (%s) failed\n", optarg_s); + exit(1); + } + break; + default: + usage(argv[0]); + } + } + + if (do_list_mods) { + err = srtp_crypto_kernel_list_debug_modules(); + if (err) { + printf("error: list of debug modules failed\n"); + exit(1); + } + } + + printf("testing dtls_srtp..."); + err = test_dtls_srtp(); if (err) { - printf("error: list of debug modules failed\n"); - exit(1); + printf("\nerror (code %d)\n", err); + exit(1); } - } + printf("passed\n"); - printf("testing dtls_srtp..."); - err = test_dtls_srtp(); - if (err) { - printf("\nerror (code %d)\n", err); - exit(1); - } - printf("passed\n"); - - /* shut down srtp library */ - err = srtp_shutdown(); - if (err) { - printf("error: srtp shutdown failed with error code %d\n", err); - exit(1); - } + /* shut down srtp library */ + err = srtp_shutdown(); + if (err) { + printf("error: srtp shutdown failed with error code %d\n", err); + exit(1); + } - return 0; + return 0; } +srtp_err_status_t test_dtls_srtp(void) +{ + srtp_hdr_t *test_packet; + int test_packet_len = 80; + srtp_t s; + srtp_policy_t policy; + uint8_t key[SRTP_MAX_KEY_LEN]; + uint8_t salt[SRTP_MAX_KEY_LEN]; + unsigned int key_len, salt_len; + srtp_profile_t profile; + srtp_err_status_t err; -srtp_err_status_t -test_dtls_srtp(void) { - srtp_hdr_t *test_packet; - int test_packet_len = 80; - srtp_t s; - srtp_policy_t policy; - uint8_t key[SRTP_MAX_KEY_LEN]; - uint8_t salt[SRTP_MAX_KEY_LEN]; - unsigned int key_len, salt_len; - srtp_profile_t profile; - srtp_err_status_t err; - - memset(&policy, 0x0, sizeof(srtp_policy_t)); - - /* create a 'null' SRTP session */ - err = srtp_create(&s, NULL); - if (err) - return err; - - /* - * verify that packet-processing functions behave properly - we - * expect that these functions will return srtp_err_status_no_ctx - */ - test_packet = srtp_create_test_packet(80, 0xa5a5a5a5); - if (test_packet == NULL) - return srtp_err_status_alloc_fail; - err = srtp_protect(s, test_packet, &test_packet_len); - if (err != srtp_err_status_no_ctx) { - printf("wrong return value from srtp_protect() (got code %d)\n", - err); - return srtp_err_status_fail; - } - err = srtp_unprotect(s, test_packet, &test_packet_len); - if (err != srtp_err_status_no_ctx) { - printf("wrong return value from srtp_unprotect() (got code %d)\n", - err); - return srtp_err_status_fail; - } - err = srtp_protect_rtcp(s, test_packet, &test_packet_len); - if (err != srtp_err_status_no_ctx) { - printf("wrong return value from srtp_protect_rtcp() (got code %d)\n", - err); - return srtp_err_status_fail; - } - err = srtp_unprotect_rtcp(s, test_packet, &test_packet_len); - if (err != srtp_err_status_no_ctx) { - printf("wrong return value from srtp_unprotect_rtcp() (got code %d)\n", - err); - return srtp_err_status_fail; - } - - - /* - * set keys to known values for testing - */ - profile = srtp_profile_aes128_cm_sha1_80; - key_len = srtp_profile_get_master_key_length(profile); - salt_len = srtp_profile_get_master_salt_length(profile); - memset(key, 0xff, key_len); - memset(salt, 0xee, salt_len); - srtp_append_salt_to_key(key, key_len, salt, salt_len); - policy.key = key; - - /* initialize SRTP policy from profile */ - err = srtp_crypto_policy_set_from_profile_for_rtp(&policy.rtp, profile); - if (err) return err; - err = srtp_crypto_policy_set_from_profile_for_rtcp(&policy.rtcp, profile); - if (err) return err; - policy.ssrc.type = ssrc_any_inbound; - policy.ekt = NULL; - policy.window_size = 128; - policy.allow_repeat_tx = 0; - policy.next = NULL; - - err = srtp_add_stream(s, &policy); - if (err) - return err; - - err = srtp_dealloc(s); - if (err) - return err; - - free(test_packet); - - return srtp_err_status_ok; -} + memset(&policy, 0x0, sizeof(srtp_policy_t)); + /* create a 'null' SRTP session */ + err = srtp_create(&s, NULL); + if (err) + return err; + /* + * verify that packet-processing functions behave properly - we + * expect that these functions will return srtp_err_status_no_ctx + */ + test_packet = srtp_create_test_packet(80, 0xa5a5a5a5); + if (test_packet == NULL) + return srtp_err_status_alloc_fail; + + err = srtp_protect(s, test_packet, &test_packet_len); + if (err != srtp_err_status_no_ctx) { + printf("wrong return value from srtp_protect() (got code %d)\n", err); + return srtp_err_status_fail; + } + + err = srtp_unprotect(s, test_packet, &test_packet_len); + if (err != srtp_err_status_no_ctx) { + printf("wrong return value from srtp_unprotect() (got code %d)\n", err); + return srtp_err_status_fail; + } + + err = srtp_protect_rtcp(s, test_packet, &test_packet_len); + if (err != srtp_err_status_no_ctx) { + printf("wrong return value from srtp_protect_rtcp() (got code %d)\n", + err); + return srtp_err_status_fail; + } + + err = srtp_unprotect_rtcp(s, test_packet, &test_packet_len); + if (err != srtp_err_status_no_ctx) { + printf("wrong return value from srtp_unprotect_rtcp() (got code %d)\n", + err); + return srtp_err_status_fail; + } + + /* + * set keys to known values for testing + */ + profile = srtp_profile_aes128_cm_sha1_80; + key_len = srtp_profile_get_master_key_length(profile); + salt_len = srtp_profile_get_master_salt_length(profile); + memset(key, 0xff, key_len); + memset(salt, 0xee, salt_len); + srtp_append_salt_to_key(key, key_len, salt, salt_len); + policy.key = key; + + /* initialize SRTP policy from profile */ + err = srtp_crypto_policy_set_from_profile_for_rtp(&policy.rtp, profile); + if (err) + return err; + err = srtp_crypto_policy_set_from_profile_for_rtcp(&policy.rtcp, profile); + if (err) + return err; + policy.ssrc.type = ssrc_any_inbound; + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + + err = srtp_add_stream(s, &policy); + if (err) + return err; + + err = srtp_dealloc(s); + if (err) + return err; + + free(test_packet); + + return srtp_err_status_ok; +} /* * srtp_create_test_packet(len, ssrc) returns a pointer to a @@ -225,39 +224,38 @@ test_dtls_srtp(void) { * deallocated with the free() call once it is no longer needed. */ -srtp_hdr_t * -srtp_create_test_packet(int pkt_octet_len, uint32_t ssrc) { - int i; - uint8_t *buffer; - srtp_hdr_t *hdr; - int bytes_in_hdr = 12; - - /* allocate memory for test packet */ - hdr = malloc(pkt_octet_len + bytes_in_hdr - + SRTP_MAX_TRAILER_LEN + 4); - if (!hdr) - return NULL; - - hdr->version = 2; /* RTP version two */ - hdr->p = 0; /* no padding needed */ - hdr->x = 0; /* no header extension */ - hdr->cc = 0; /* no CSRCs */ - hdr->m = 0; /* marker bit */ - hdr->pt = 0xf; /* payload type */ - hdr->seq = htons(0x1234); /* sequence number */ - hdr->ts = htonl(0xdecafbad); /* timestamp */ - hdr->ssrc = htonl(ssrc); /* synch. source */ - - buffer = (uint8_t *)hdr; - buffer += bytes_in_hdr; - - /* set RTP data to 0xab */ - for (i=0; i < pkt_octet_len; i++) - *buffer++ = 0xab; - - /* set post-data value to 0xffff to enable overrun checking */ - for (i=0; i < SRTP_MAX_TRAILER_LEN+4; i++) - *buffer++ = 0xff; - - return hdr; +srtp_hdr_t *srtp_create_test_packet(int pkt_octet_len, uint32_t ssrc) +{ + int i; + uint8_t *buffer; + srtp_hdr_t *hdr; + int bytes_in_hdr = 12; + + /* allocate memory for test packet */ + hdr = malloc(pkt_octet_len + bytes_in_hdr + SRTP_MAX_TRAILER_LEN + 4); + if (!hdr) + return NULL; + + hdr->version = 2; /* RTP version two */ + hdr->p = 0; /* no padding needed */ + hdr->x = 0; /* no header extension */ + hdr->cc = 0; /* no CSRCs */ + hdr->m = 0; /* marker bit */ + hdr->pt = 0xf; /* payload type */ + hdr->seq = htons(0x1234); /* sequence number */ + hdr->ts = htonl(0xdecafbad); /* timestamp */ + hdr->ssrc = htonl(ssrc); /* synch. source */ + + buffer = (uint8_t *)hdr; + buffer += bytes_in_hdr; + + /* set RTP data to 0xab */ + for (i = 0; i < pkt_octet_len; i++) + *buffer++ = 0xab; + + /* set post-data value to 0xffff to enable overrun checking */ + for (i = 0; i < SRTP_MAX_TRAILER_LEN + 4; i++) + *buffer++ = 0xff; + + return hdr; } diff --git a/libs/srtp/test/getopt_s.c b/libs/srtp/test/getopt_s.c index 35e8871f9f..ab631878a4 100644 --- a/libs/srtp/test/getopt_s.c +++ b/libs/srtp/test/getopt_s.c @@ -3,30 +3,30 @@ * * a minimal implementation of the getopt() function, written so that * test applications that use that function can run on non-POSIX - * platforms + * platforms * */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -42,71 +42,67 @@ * */ -#include <stdlib.h> /* for NULL */ +#include <stdlib.h> /* for NULL */ int optind_s = 0; char *optarg_s; -#define GETOPT_FOUND_WITHOUT_ARGUMENT 2 -#define GETOPT_FOUND_WITH_ARGUMENT 1 -#define GETOPT_NOT_FOUND 0 +#define GETOPT_FOUND_WITHOUT_ARGUMENT 2 +#define GETOPT_FOUND_WITH_ARGUMENT 1 +#define GETOPT_NOT_FOUND 0 -static int -getopt_check_character(char c, const char *string) { - unsigned int max_string_len = 128; +static int getopt_check_character(char c, const char *string) +{ + unsigned int max_string_len = 128; - while (*string != 0) { - if (max_string_len == 0) { - return '?'; + while (*string != 0) { + if (max_string_len == 0) { + return '?'; + } + if (*string++ == c) { + if (*string == ':') { + return GETOPT_FOUND_WITH_ARGUMENT; + } else { + return GETOPT_FOUND_WITHOUT_ARGUMENT; + } + } } - if (*string++ == c) { - if (*string == ':') { - return GETOPT_FOUND_WITH_ARGUMENT; - } else { - return GETOPT_FOUND_WITHOUT_ARGUMENT; - } - } - } - return GETOPT_NOT_FOUND; + return GETOPT_NOT_FOUND; } -int -getopt_s(int argc, - char * const argv[], - const char *optstring) { - +int getopt_s(int argc, char *const argv[], const char *optstring) +{ + while (optind_s + 1 < argc) { + char *string; - while (optind_s + 1 < argc) { - char *string; - - /* move 'string' on to next argument */ - optind_s++; - string = argv[optind_s]; + /* move 'string' on to next argument */ + optind_s++; + string = argv[optind_s]; - if (string == NULL) - return '?'; /* NULL argument string */ + if (string == NULL) + return '?'; /* NULL argument string */ - if (string[0] != '-') - return -1; /* found an unexpected character */ + if (string[0] != '-') + return -1; /* found an unexpected character */ - switch(getopt_check_character(string[1], optstring)) { - case GETOPT_FOUND_WITH_ARGUMENT: - if (optind_s + 1 < argc) { - optind_s++; - optarg_s = argv[optind_s]; - return string[1]; - } else { - return '?'; /* argument missing */ - } - case GETOPT_FOUND_WITHOUT_ARGUMENT: - return string[1]; - case GETOPT_NOT_FOUND: - default: - return '?'; /* didn't find expected character */ - break; + switch (getopt_check_character(string[1], optstring)) { + case GETOPT_FOUND_WITH_ARGUMENT: + if (optind_s + 1 < argc) { + optind_s++; + optarg_s = argv[optind_s]; + return string[1]; + } else { + return '?'; /* argument missing */ + } + case GETOPT_FOUND_WITHOUT_ARGUMENT: + return string[1]; + case GETOPT_NOT_FOUND: + default: + return '?'; /* didn't find expected character */ + break; + } } - } - return -1; + return -1; } diff --git a/libs/srtp/test/rdbx_driver.c b/libs/srtp/test/rdbx_driver.c index 8ecbf9f49b..609ce9c8e4 100644 --- a/libs/srtp/test/rdbx_driver.c +++ b/libs/srtp/test/rdbx_driver.c @@ -6,28 +6,27 @@ * David A. McGrew * Cisco Systems, Inc. */ - /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -44,7 +43,7 @@ */ #ifdef HAVE_CONFIG_H - #include <config.h> +#include <config.h> #endif #include <stdio.h> /* for printf() */ @@ -58,89 +57,84 @@ #include "ut_sim.h" -srtp_err_status_t -test_replay_dbx(int num_trials, unsigned long ws); +srtp_err_status_t test_replay_dbx(int num_trials, unsigned long ws); -double -rdbx_check_adds_per_second(int num_trials, unsigned long ws); +double rdbx_check_adds_per_second(int num_trials, unsigned long ws); -void -usage(char *prog_name) { - printf("usage: %s [ -t | -v ]\n", prog_name); - exit(255); +void usage(char *prog_name) +{ + printf("usage: %s [ -t | -v ]\n", prog_name); + exit(255); } -int -main (int argc, char *argv[]) { - double rate; - srtp_err_status_t status; - int q; - unsigned do_timing_test = 0; - unsigned do_validation = 0; - - /* process input arguments */ - while (1) { - q = getopt_s(argc, argv, "tv"); - if (q == -1) - break; - switch (q) { - case 't': - do_timing_test = 1; - break; - case 'v': - do_validation = 1; - break; - default: - usage(argv[0]); - } - } - - printf("rdbx (replay database w/ extended range) test driver\n" - "David A. McGrew\n" - "Cisco Systems, Inc.\n"); - - if (!do_validation && !do_timing_test) - usage(argv[0]); - - if (do_validation) { - printf("testing srtp_rdbx_t (ws=128)...\n"); - - status = test_replay_dbx(1 << 12, 128); - if (status) { - printf("failed\n"); - exit(1); +int main(int argc, char *argv[]) +{ + double rate; + srtp_err_status_t status; + int q; + unsigned do_timing_test = 0; + unsigned do_validation = 0; + + /* process input arguments */ + while (1) { + q = getopt_s(argc, argv, "tv"); + if (q == -1) + break; + switch (q) { + case 't': + do_timing_test = 1; + break; + case 'v': + do_validation = 1; + break; + default: + usage(argv[0]); + } } - printf("passed\n"); - printf("testing srtp_rdbx_t (ws=1024)...\n"); + printf("rdbx (replay database w/ extended range) test driver\n" + "David A. McGrew\n" + "Cisco Systems, Inc.\n"); - status = test_replay_dbx(1 << 12, 1024); - if (status) { - printf("failed\n"); - exit(1); + if (!do_validation && !do_timing_test) + usage(argv[0]); + + if (do_validation) { + printf("testing srtp_rdbx_t (ws=128)...\n"); + + status = test_replay_dbx(1 << 12, 128); + if (status) { + printf("failed\n"); + exit(1); + } + printf("passed\n"); + + printf("testing srtp_rdbx_t (ws=1024)...\n"); + + status = test_replay_dbx(1 << 12, 1024); + if (status) { + printf("failed\n"); + exit(1); + } + printf("passed\n"); } - printf("passed\n"); - } - - if (do_timing_test) { - rate = rdbx_check_adds_per_second(1 << 18, 128); - printf("rdbx_check/replay_adds per second (ws=128): %e\n", rate); - rate = rdbx_check_adds_per_second(1 << 18, 1024); - printf("rdbx_check/replay_adds per second (ws=1024): %e\n", rate); - } - - return 0; -} -void -print_rdbx(srtp_rdbx_t *rdbx) { - char buf[2048]; - printf("rdbx: {%llu, %s}\n", - (unsigned long long)(rdbx->index), - bitvector_bit_string(&rdbx->bitmask, buf, sizeof(buf)) -); + if (do_timing_test) { + rate = rdbx_check_adds_per_second(1 << 18, 128); + printf("rdbx_check/replay_adds per second (ws=128): %e\n", rate); + rate = rdbx_check_adds_per_second(1 << 18, 1024); + printf("rdbx_check/replay_adds per second (ws=1024): %e\n", rate); + } + + return 0; } +void print_rdbx(srtp_rdbx_t *rdbx) +{ + char buf[2048]; + printf("rdbx: {%llu, %s}\n", (unsigned long long)(rdbx->index), + bitvector_bit_string(&rdbx->bitmask, buf, sizeof(buf))); +} /* * rdbx_check_add(rdbx, idx) checks a known-to-be-good idx against @@ -150,217 +144,214 @@ print_rdbx(srtp_rdbx_t *rdbx) { * */ -srtp_err_status_t -rdbx_check_add(srtp_rdbx_t *rdbx, uint32_t idx) { - int delta; - srtp_xtd_seq_num_t est; - - delta = srtp_index_guess(&rdbx->index, &est, idx); - - if (srtp_rdbx_check(rdbx, delta) != srtp_err_status_ok) { - printf("replay_check failed at index %u\n", idx); - return srtp_err_status_algo_fail; - } - - /* - * in practice, we'd authenticate the packet containing idx, using - * the estimated value est, at this point - */ - - if (srtp_rdbx_add_index(rdbx, delta) != srtp_err_status_ok) { - printf("rdbx_add_index failed at index %u\n", idx); - return srtp_err_status_algo_fail; - } - - return srtp_err_status_ok; +srtp_err_status_t rdbx_check_add(srtp_rdbx_t *rdbx, uint32_t idx) +{ + int delta; + srtp_xtd_seq_num_t est; + + delta = srtp_index_guess(&rdbx->index, &est, idx); + + if (srtp_rdbx_check(rdbx, delta) != srtp_err_status_ok) { + printf("replay_check failed at index %u\n", idx); + return srtp_err_status_algo_fail; + } + + /* + * in practice, we'd authenticate the packet containing idx, using + * the estimated value est, at this point + */ + + if (srtp_rdbx_add_index(rdbx, delta) != srtp_err_status_ok) { + printf("rdbx_add_index failed at index %u\n", idx); + return srtp_err_status_algo_fail; + } + + return srtp_err_status_ok; } /* * rdbx_check_expect_failure(srtp_rdbx_t *rdbx, uint32_t idx) - * + * * checks that a sequence number idx is in the replay database * and thus will be rejected */ -srtp_err_status_t -rdbx_check_expect_failure(srtp_rdbx_t *rdbx, uint32_t idx) { - int delta; - srtp_xtd_seq_num_t est; - srtp_err_status_t status; +srtp_err_status_t rdbx_check_expect_failure(srtp_rdbx_t *rdbx, uint32_t idx) +{ + int delta; + srtp_xtd_seq_num_t est; + srtp_err_status_t status; - delta = srtp_index_guess(&rdbx->index, &est, idx); + delta = srtp_index_guess(&rdbx->index, &est, idx); - status = srtp_rdbx_check(rdbx, delta); - if (status == srtp_err_status_ok) { - printf("delta: %d ", delta); - printf("replay_check failed at index %u (false positive)\n", idx); - return srtp_err_status_algo_fail; - } + status = srtp_rdbx_check(rdbx, delta); + if (status == srtp_err_status_ok) { + printf("delta: %d ", delta); + printf("replay_check failed at index %u (false positive)\n", idx); + return srtp_err_status_algo_fail; + } - return srtp_err_status_ok; + return srtp_err_status_ok; } -srtp_err_status_t -rdbx_check_add_unordered(srtp_rdbx_t *rdbx, uint32_t idx) { - int delta; - srtp_xtd_seq_num_t est; - srtp_err_status_t rstat; - - delta = srtp_index_guess(&rdbx->index, &est, idx); - - rstat = srtp_rdbx_check(rdbx, delta); - if ((rstat != srtp_err_status_ok) && (rstat != srtp_err_status_replay_old)) { - printf("replay_check_add_unordered failed at index %u\n", idx); - return srtp_err_status_algo_fail; - } - if (rstat == srtp_err_status_replay_old) { - return srtp_err_status_ok; - } - if (srtp_rdbx_add_index(rdbx, delta) != srtp_err_status_ok) { - printf("rdbx_add_index failed at index %u\n", idx); - return srtp_err_status_algo_fail; - } - - return srtp_err_status_ok; -} +srtp_err_status_t rdbx_check_add_unordered(srtp_rdbx_t *rdbx, uint32_t idx) +{ + int delta; + srtp_xtd_seq_num_t est; + srtp_err_status_t rstat; + + delta = srtp_index_guess(&rdbx->index, &est, idx); + + rstat = srtp_rdbx_check(rdbx, delta); + if ((rstat != srtp_err_status_ok) && + (rstat != srtp_err_status_replay_old)) { + printf("replay_check_add_unordered failed at index %u\n", idx); + return srtp_err_status_algo_fail; + } + if (rstat == srtp_err_status_replay_old) { + return srtp_err_status_ok; + } + if (srtp_rdbx_add_index(rdbx, delta) != srtp_err_status_ok) { + printf("rdbx_add_index failed at index %u\n", idx); + return srtp_err_status_algo_fail; + } -srtp_err_status_t -test_replay_dbx(int num_trials, unsigned long ws) { - srtp_rdbx_t rdbx; - uint32_t idx, ircvd; - ut_connection utc; - srtp_err_status_t status; - int num_fp_trials; - - status = srtp_rdbx_init(&rdbx, ws); - if (status) { - printf("replay_init failed with error code %d\n", status); - exit(1); - } - - /* - * test sequential insertion - */ - printf("\ttesting sequential insertion..."); - for (idx=0; (int) idx < num_trials; idx++) { - status = rdbx_check_add(&rdbx, idx); - if (status) - return status; - } - printf("passed\n"); - - /* - * test for false positives by checking all of the index - * values which we've just added - * - * note that we limit the number of trials here, since allowing the - * rollover counter to roll over would defeat this test - */ - num_fp_trials = num_trials % 0x10000; - if (num_fp_trials == 0) { - printf("warning: no false positive tests performed\n"); - } - printf("\ttesting for false positives..."); - for (idx=0; (int) idx < num_fp_trials; idx++) { - status = rdbx_check_expect_failure(&rdbx, idx); - if (status) - return status; - } - printf("passed\n"); - - /* re-initialize */ - srtp_rdbx_dealloc(&rdbx); - - if (srtp_rdbx_init(&rdbx, ws) != srtp_err_status_ok) { - printf("replay_init failed\n"); - return srtp_err_status_init_fail; - } - - /* - * test non-sequential insertion - * - * this test covers only fase negatives, since the values returned - * by ut_next_index(...) are distinct - */ - ut_init(&utc); - - printf("\ttesting non-sequential insertion..."); - for (idx=0; (int) idx < num_trials; idx++) { - ircvd = ut_next_index(&utc); - status = rdbx_check_add_unordered(&rdbx, ircvd); - if (status) - return status; - status = rdbx_check_expect_failure(&rdbx, ircvd); - if (status) - return status; - } - printf("passed\n"); - - /* re-initialize */ - srtp_rdbx_dealloc(&rdbx); - - if (srtp_rdbx_init(&rdbx, ws) != srtp_err_status_ok) { - printf("replay_init failed\n"); - return srtp_err_status_init_fail; - } - - /* - * test insertion with large gaps. - * check for false positives for each insertion. - */ - printf("\ttesting insertion with large gaps..."); - for (idx=0, ircvd=0; (int) idx < num_trials; idx++, ircvd += (1 << (rand() % 12))) { - status = rdbx_check_add(&rdbx, ircvd); - if (status) - return status; - status = rdbx_check_expect_failure(&rdbx, ircvd); - if (status) - return status; - } - printf("passed\n"); - - srtp_rdbx_dealloc(&rdbx); - - return srtp_err_status_ok; + return srtp_err_status_ok; } +srtp_err_status_t test_replay_dbx(int num_trials, unsigned long ws) +{ + srtp_rdbx_t rdbx; + uint32_t idx, ircvd; + ut_connection utc; + srtp_err_status_t status; + int num_fp_trials; + + status = srtp_rdbx_init(&rdbx, ws); + if (status) { + printf("replay_init failed with error code %d\n", status); + exit(1); + } + + /* + * test sequential insertion + */ + printf("\ttesting sequential insertion..."); + for (idx = 0; (int)idx < num_trials; idx++) { + status = rdbx_check_add(&rdbx, idx); + if (status) + return status; + } + printf("passed\n"); + + /* + * test for false positives by checking all of the index + * values which we've just added + * + * note that we limit the number of trials here, since allowing the + * rollover counter to roll over would defeat this test + */ + num_fp_trials = num_trials % 0x10000; + if (num_fp_trials == 0) { + printf("warning: no false positive tests performed\n"); + } + printf("\ttesting for false positives..."); + for (idx = 0; (int)idx < num_fp_trials; idx++) { + status = rdbx_check_expect_failure(&rdbx, idx); + if (status) + return status; + } + printf("passed\n"); + + /* re-initialize */ + srtp_rdbx_dealloc(&rdbx); + + if (srtp_rdbx_init(&rdbx, ws) != srtp_err_status_ok) { + printf("replay_init failed\n"); + return srtp_err_status_init_fail; + } + + /* + * test non-sequential insertion + * + * this test covers only fase negatives, since the values returned + * by ut_next_index(...) are distinct + */ + ut_init(&utc); + + printf("\ttesting non-sequential insertion..."); + for (idx = 0; (int)idx < num_trials; idx++) { + ircvd = ut_next_index(&utc); + status = rdbx_check_add_unordered(&rdbx, ircvd); + if (status) + return status; + status = rdbx_check_expect_failure(&rdbx, ircvd); + if (status) + return status; + } + printf("passed\n"); + + /* re-initialize */ + srtp_rdbx_dealloc(&rdbx); + + if (srtp_rdbx_init(&rdbx, ws) != srtp_err_status_ok) { + printf("replay_init failed\n"); + return srtp_err_status_init_fail; + } + + /* + * test insertion with large gaps. + * check for false positives for each insertion. + */ + printf("\ttesting insertion with large gaps..."); + for (idx = 0, ircvd = 0; (int)idx < num_trials; + idx++, ircvd += (1 << (rand() % 12))) { + status = rdbx_check_add(&rdbx, ircvd); + if (status) + return status; + status = rdbx_check_expect_failure(&rdbx, ircvd); + if (status) + return status; + } + printf("passed\n"); + srtp_rdbx_dealloc(&rdbx); -#include <time.h> /* for clock() */ -#include <stdlib.h> /* for random() */ - -double -rdbx_check_adds_per_second(int num_trials, unsigned long ws) { - uint32_t i; - int delta; - srtp_rdbx_t rdbx; - srtp_xtd_seq_num_t est; - clock_t timer; - int failures; /* count number of failures */ - - if (srtp_rdbx_init(&rdbx, ws) != srtp_err_status_ok) { - printf("replay_init failed\n"); - exit(1); - } - - failures = 0; - timer = clock(); - for(i=0; (int) i < num_trials; i++) { - - delta = srtp_index_guess(&rdbx.index, &est, i); - - if (srtp_rdbx_check(&rdbx, delta) != srtp_err_status_ok) - ++failures; - else - if (srtp_rdbx_add_index(&rdbx, delta) != srtp_err_status_ok) - ++failures; - } - timer = clock() - timer; - - printf("number of failures: %d \n", failures); - - srtp_rdbx_dealloc(&rdbx); - - return (double) CLOCKS_PER_SEC * num_trials / timer; + return srtp_err_status_ok; } +#include <time.h> /* for clock() */ +#include <stdlib.h> /* for random() */ + +double rdbx_check_adds_per_second(int num_trials, unsigned long ws) +{ + uint32_t i; + int delta; + srtp_rdbx_t rdbx; + srtp_xtd_seq_num_t est; + clock_t timer; + int failures; /* count number of failures */ + + if (srtp_rdbx_init(&rdbx, ws) != srtp_err_status_ok) { + printf("replay_init failed\n"); + exit(1); + } + + failures = 0; + timer = clock(); + for (i = 0; (int)i < num_trials; i++) { + delta = srtp_index_guess(&rdbx.index, &est, i); + + if (srtp_rdbx_check(&rdbx, delta) != srtp_err_status_ok) + ++failures; + else if (srtp_rdbx_add_index(&rdbx, delta) != srtp_err_status_ok) + ++failures; + } + timer = clock() - timer; + + printf("number of failures: %d \n", failures); + + srtp_rdbx_dealloc(&rdbx); + + return (double)CLOCKS_PER_SEC * num_trials / timer; +} diff --git a/libs/srtp/test/replay_driver.c b/libs/srtp/test/replay_driver.c index b964a4a03e..a88224684f 100644 --- a/libs/srtp/test/replay_driver.c +++ b/libs/srtp/test/replay_driver.c @@ -8,26 +8,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -44,7 +44,7 @@ */ #ifdef HAVE_CONFIG_H - #include <config.h> +#include <config.h> #endif #include <stdio.h> @@ -59,226 +59,225 @@ unsigned num_trials = 1 << 16; -srtp_err_status_t -test_rdb_db(void); - -double -rdb_check_adds_per_second(void); - -int -main (void) { - srtp_err_status_t err; - - printf("testing anti-replay database (srtp_rdb_t)...\n"); - err = test_rdb_db(); - if (err) { - printf("failed\n"); - exit(1); - } - printf("done\n"); - - printf("rdb_check/rdb_adds per second: %e\n", - rdb_check_adds_per_second()); - - return 0; -} +srtp_err_status_t test_rdb_db(void); +double rdb_check_adds_per_second(void); -void -print_rdb(srtp_rdb_t *rdb) { - printf("rdb: {%u, %s}\n", rdb->window_start, v128_bit_string(&rdb->bitmask)); -} +int main(void) +{ + srtp_err_status_t err; + + printf("testing anti-replay database (srtp_rdb_t)...\n"); + err = test_rdb_db(); + if (err) { + printf("failed\n"); + exit(1); + } + printf("done\n"); -srtp_err_status_t -rdb_check_add(srtp_rdb_t *rdb, uint32_t idx) { + printf("rdb_check/rdb_adds per second: %e\n", rdb_check_adds_per_second()); - if (srtp_rdb_check(rdb, idx) != srtp_err_status_ok) { - printf("rdb_check failed at index %u\n", idx); - return srtp_err_status_fail; - } - if (srtp_rdb_add_index(rdb, idx) != srtp_err_status_ok) { - printf("rdb_add_index failed at index %u\n", idx); - return srtp_err_status_fail; - } + return 0; +} - return srtp_err_status_ok; +void print_rdb(srtp_rdb_t *rdb) +{ + printf("rdb: {%u, %s}\n", rdb->window_start, + v128_bit_string(&rdb->bitmask)); } -srtp_err_status_t -rdb_check_expect_failure(srtp_rdb_t *rdb, uint32_t idx) { - srtp_err_status_t err; - - err = srtp_rdb_check(rdb, idx); - if ((err != srtp_err_status_replay_old) && (err != srtp_err_status_replay_fail)) { - printf("rdb_check failed at index %u (false positive)\n", idx); - return srtp_err_status_fail; - } - - return srtp_err_status_ok; +srtp_err_status_t rdb_check_add(srtp_rdb_t *rdb, uint32_t idx) +{ + if (srtp_rdb_check(rdb, idx) != srtp_err_status_ok) { + printf("rdb_check failed at index %u\n", idx); + return srtp_err_status_fail; + } + if (srtp_rdb_add_index(rdb, idx) != srtp_err_status_ok) { + printf("rdb_add_index failed at index %u\n", idx); + return srtp_err_status_fail; + } + + return srtp_err_status_ok; +} + +srtp_err_status_t rdb_check_expect_failure(srtp_rdb_t *rdb, uint32_t idx) +{ + srtp_err_status_t err; + + err = srtp_rdb_check(rdb, idx); + if ((err != srtp_err_status_replay_old) && + (err != srtp_err_status_replay_fail)) { + printf("rdb_check failed at index %u (false positive)\n", idx); + return srtp_err_status_fail; + } + + return srtp_err_status_ok; } -srtp_err_status_t -rdb_check_add_unordered(srtp_rdb_t *rdb, uint32_t idx) { - srtp_err_status_t rstat; - - /* printf("index: %u\n", idx); */ - rstat = srtp_rdb_check(rdb, idx); - if ((rstat != srtp_err_status_ok) && (rstat != srtp_err_status_replay_old)) { - printf("rdb_check_add_unordered failed at index %u\n", idx); - return rstat; - } - if (rstat == srtp_err_status_replay_old) { - return srtp_err_status_ok; - } - if (srtp_rdb_add_index(rdb, idx) != srtp_err_status_ok) { - printf("rdb_add_index failed at index %u\n", idx); - return srtp_err_status_fail; - } - - return srtp_err_status_ok; +srtp_err_status_t rdb_check_add_unordered(srtp_rdb_t *rdb, uint32_t idx) +{ + srtp_err_status_t rstat; + + /* printf("index: %u\n", idx); */ + rstat = srtp_rdb_check(rdb, idx); + if ((rstat != srtp_err_status_ok) && + (rstat != srtp_err_status_replay_old)) { + printf("rdb_check_add_unordered failed at index %u\n", idx); + return rstat; + } + if (rstat == srtp_err_status_replay_old) { + return srtp_err_status_ok; + } + if (srtp_rdb_add_index(rdb, idx) != srtp_err_status_ok) { + printf("rdb_add_index failed at index %u\n", idx); + return srtp_err_status_fail; + } + + return srtp_err_status_ok; } -srtp_err_status_t -test_rdb_db() { - srtp_rdb_t rdb; - uint32_t idx, ircvd; - ut_connection utc; - srtp_err_status_t err; - - if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { - printf("rdb_init failed\n"); - return srtp_err_status_init_fail; - } - - /* test sequential insertion */ - for (idx=0; idx < num_trials; idx++) { - err = rdb_check_add(&rdb, idx); - if (err) - return err; - } - - /* test for false positives */ - for (idx=0; idx < num_trials; idx++) { - err = rdb_check_expect_failure(&rdb, idx); - if (err) - return err; - } - - /* re-initialize */ - if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { - printf("rdb_init failed\n"); - return srtp_err_status_fail; - } - - /* test non-sequential insertion */ - ut_init(&utc); - - for (idx=0; idx < num_trials; idx++) { - ircvd = ut_next_index(&utc); - err = rdb_check_add_unordered(&rdb, ircvd); - if (err) - return err; - err = rdb_check_expect_failure(&rdb, ircvd); - if (err) - return err; - } - - /* re-initialize */ - if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { - printf("rdb_init failed\n"); - return srtp_err_status_fail; - } - - /* test insertion with large gaps */ - for (idx=0, ircvd=0; idx < num_trials; idx++, ircvd += (1 << (rand() % 10))) { - err = rdb_check_add(&rdb, ircvd); - if (err) - return err; - err = rdb_check_expect_failure(&rdb, ircvd); - if (err) - return err; - } - - /* re-initialize */ - if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { - printf("rdb_init failed\n"); - return srtp_err_status_fail; - } - - /* test loss of first 513 packets */ - for (idx=0; idx < num_trials; idx++) { - err = rdb_check_add(&rdb, idx + 513); - if (err) - return err; - } - - /* test for false positives */ - for (idx=0; idx < num_trials + 513; idx++) { - err = rdb_check_expect_failure(&rdb, idx); - if (err) - return err; - } - - /* test for key expired */ - if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { - printf("rdb_init failed\n"); - return srtp_err_status_fail; - } - rdb.window_start = 0x7ffffffe; - if (srtp_rdb_increment(&rdb) != srtp_err_status_ok) { - printf("srtp_rdb_increment of 0x7ffffffe failed\n"); - return srtp_err_status_fail; - } - if (srtp_rdb_get_value(&rdb) != 0x7fffffff) { - printf("rdb valiue was not 0x7fffffff\n"); - return srtp_err_status_fail; - } - if (srtp_rdb_increment(&rdb) != srtp_err_status_key_expired) { - printf("srtp_rdb_increment of 0x7fffffff did not return srtp_err_status_key_expired\n"); - return srtp_err_status_fail; - } - if (srtp_rdb_get_value(&rdb) != 0x7fffffff) { - printf("rdb valiue was not 0x7fffffff\n"); - return srtp_err_status_fail; - } - - - return srtp_err_status_ok; +srtp_err_status_t test_rdb_db() +{ + srtp_rdb_t rdb; + uint32_t idx, ircvd; + ut_connection utc; + srtp_err_status_t err; + + if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { + printf("rdb_init failed\n"); + return srtp_err_status_init_fail; + } + + /* test sequential insertion */ + for (idx = 0; idx < num_trials; idx++) { + err = rdb_check_add(&rdb, idx); + if (err) + return err; + } + + /* test for false positives */ + for (idx = 0; idx < num_trials; idx++) { + err = rdb_check_expect_failure(&rdb, idx); + if (err) + return err; + } + + /* re-initialize */ + if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { + printf("rdb_init failed\n"); + return srtp_err_status_fail; + } + + /* test non-sequential insertion */ + ut_init(&utc); + + for (idx = 0; idx < num_trials; idx++) { + ircvd = ut_next_index(&utc); + err = rdb_check_add_unordered(&rdb, ircvd); + if (err) + return err; + err = rdb_check_expect_failure(&rdb, ircvd); + if (err) + return err; + } + + /* re-initialize */ + if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { + printf("rdb_init failed\n"); + return srtp_err_status_fail; + } + + /* test insertion with large gaps */ + for (idx = 0, ircvd = 0; idx < num_trials; + idx++, ircvd += (1 << (rand() % 10))) { + err = rdb_check_add(&rdb, ircvd); + if (err) + return err; + err = rdb_check_expect_failure(&rdb, ircvd); + if (err) + return err; + } + + /* re-initialize */ + if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { + printf("rdb_init failed\n"); + return srtp_err_status_fail; + } + + /* test loss of first 513 packets */ + for (idx = 0; idx < num_trials; idx++) { + err = rdb_check_add(&rdb, idx + 513); + if (err) + return err; + } + + /* test for false positives */ + for (idx = 0; idx < num_trials + 513; idx++) { + err = rdb_check_expect_failure(&rdb, idx); + if (err) + return err; + } + + /* test for key expired */ + if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { + printf("rdb_init failed\n"); + return srtp_err_status_fail; + } + rdb.window_start = 0x7ffffffe; + if (srtp_rdb_increment(&rdb) != srtp_err_status_ok) { + printf("srtp_rdb_increment of 0x7ffffffe failed\n"); + return srtp_err_status_fail; + } + if (srtp_rdb_get_value(&rdb) != 0x7fffffff) { + printf("rdb valiue was not 0x7fffffff\n"); + return srtp_err_status_fail; + } + if (srtp_rdb_increment(&rdb) != srtp_err_status_key_expired) { + printf("srtp_rdb_increment of 0x7fffffff did not return " + "srtp_err_status_key_expired\n"); + return srtp_err_status_fail; + } + if (srtp_rdb_get_value(&rdb) != 0x7fffffff) { + printf("rdb valiue was not 0x7fffffff\n"); + return srtp_err_status_fail; + } + + return srtp_err_status_ok; } -#include <time.h> /* for clock() */ -#include <stdlib.h> /* for random() */ +#include <time.h> /* for clock() */ +#include <stdlib.h> /* for random() */ #define REPLAY_NUM_TRIALS 10000000 -double -rdb_check_adds_per_second(void) { - uint32_t i; - srtp_rdb_t rdb; - clock_t timer; - int failures = 0; /* count number of failures */ - - if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { - printf("rdb_init failed\n"); - exit(1); - } - - timer = clock(); - for(i=0; i < REPLAY_NUM_TRIALS; i+=3) { - if (srtp_rdb_check(&rdb, i+2) != srtp_err_status_ok) - ++failures; - if (srtp_rdb_add_index(&rdb, i+2) != srtp_err_status_ok) - ++failures; - if (srtp_rdb_check(&rdb, i+1) != srtp_err_status_ok) - ++failures; - if (srtp_rdb_add_index(&rdb, i+1) != srtp_err_status_ok) - ++failures; - if (srtp_rdb_check(&rdb, i) != srtp_err_status_ok) - ++failures; - if (srtp_rdb_add_index(&rdb, i) != srtp_err_status_ok) - ++failures; - } - timer = clock() - timer; - - return (double) CLOCKS_PER_SEC * REPLAY_NUM_TRIALS / timer; +double rdb_check_adds_per_second(void) +{ + uint32_t i; + srtp_rdb_t rdb; + clock_t timer; + int failures = 0; /* count number of failures */ + + if (srtp_rdb_init(&rdb) != srtp_err_status_ok) { + printf("rdb_init failed\n"); + exit(1); + } + + timer = clock(); + for (i = 0; i < REPLAY_NUM_TRIALS; i += 3) { + if (srtp_rdb_check(&rdb, i + 2) != srtp_err_status_ok) + ++failures; + if (srtp_rdb_add_index(&rdb, i + 2) != srtp_err_status_ok) + ++failures; + if (srtp_rdb_check(&rdb, i + 1) != srtp_err_status_ok) + ++failures; + if (srtp_rdb_add_index(&rdb, i + 1) != srtp_err_status_ok) + ++failures; + if (srtp_rdb_check(&rdb, i) != srtp_err_status_ok) + ++failures; + if (srtp_rdb_add_index(&rdb, i) != srtp_err_status_ok) + ++failures; + } + timer = clock() - timer; + + return (double)CLOCKS_PER_SEC * REPLAY_NUM_TRIALS / timer; } diff --git a/libs/srtp/test/roc_driver.c b/libs/srtp/test/roc_driver.c index c23113adc9..d61ba8ef24 100644 --- a/libs/srtp/test/roc_driver.c +++ b/libs/srtp/test/roc_driver.c @@ -8,26 +8,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -43,9 +43,8 @@ * */ - #ifdef HAVE_CONFIG_H - #include <config.h> +#include <config.h> #endif #include <stdio.h> @@ -55,121 +54,117 @@ * srtp_xtd_seq_num_t - this allows the functions to be exhaustively tested. */ #if ROC_NEEDS_TO_BE_TESTED -#define ROC_TEST +#define ROC_TEST #endif #include "rdbx.h" #include "ut_sim.h" -srtp_err_status_t -roc_test(int num_trials); - -int -main (void) { - srtp_err_status_t status; - - printf("rollover counter test driver\n" - "David A. McGrew\n" - "Cisco Systems, Inc.\n"); - - printf("testing index functions..."); - status = roc_test(1 << 18); - if (status) { - printf("failed\n"); - exit(status); - } - printf("passed\n"); - return 0; -} +srtp_err_status_t roc_test(int num_trials); + +int main(void) +{ + srtp_err_status_t status; + printf("rollover counter test driver\n" + "David A. McGrew\n" + "Cisco Systems, Inc.\n"); + + printf("testing index functions..."); + status = roc_test(1 << 18); + if (status) { + printf("failed\n"); + exit(status); + } + printf("passed\n"); + return 0; +} #define ROC_VERBOSE 0 -srtp_err_status_t -roc_test(int num_trials) { - srtp_xtd_seq_num_t local, est, ref; - ut_connection utc; - int i, num_bad_est = 0; - int delta; - uint32_t ircvd; - double failure_rate; - - srtp_index_init(&local); - srtp_index_init(&ref); - srtp_index_init(&est); - - printf("\n\ttesting sequential insertion..."); - for (i=0; i < 2048; i++) { - delta = srtp_index_guess(&local, &est, (uint16_t) ref); +srtp_err_status_t roc_test(int num_trials) +{ + srtp_xtd_seq_num_t local, est, ref; + ut_connection utc; + int i, num_bad_est = 0; + int delta; + uint32_t ircvd; + double failure_rate; + + srtp_index_init(&local); + srtp_index_init(&ref); + srtp_index_init(&est); + + printf("\n\ttesting sequential insertion..."); + for (i = 0; i < 2048; i++) { + delta = srtp_index_guess(&local, &est, (uint16_t)ref); #if ROC_VERBOSE - printf("%lld, %lld, %d\n", ref, est, i); + printf("%lld, %lld, %d\n", ref, est, i); #endif - if (ref != est) { + if (ref != est) { #if ROC_VERBOSE - printf(" *bad estimate*\n"); + printf(" *bad estimate*\n"); #endif - ++num_bad_est; + ++num_bad_est; + } + srtp_index_advance(&ref, 1); + } + failure_rate = (double)num_bad_est / num_trials; + if (failure_rate > 0.01) { + printf("error: failure rate too high (%d bad estimates in %d trials)\n", + num_bad_est, num_trials); + return srtp_err_status_algo_fail; } - srtp_index_advance(&ref, 1); - } - failure_rate = (double) num_bad_est / num_trials; - if (failure_rate > 0.01) { - printf("error: failure rate too high (%d bad estimates in %d trials)\n", - num_bad_est, num_trials); - return srtp_err_status_algo_fail; - } - printf("done\n"); - - - printf("\ttesting non-sequential insertion..."); - srtp_index_init(&local); - srtp_index_init(&ref); - srtp_index_init(&est); - ut_init(&utc); - - for (i=0; i < num_trials; i++) { - - /* get next seq num from unreliable transport simulator */ - ircvd = ut_next_index(&utc); - - /* set ref to value of ircvd */ - ref = ircvd; - - /* estimate index based on low bits of ircvd */ - delta = srtp_index_guess(&local, &est, (uint16_t) ref); + printf("done\n"); + + printf("\ttesting non-sequential insertion..."); + srtp_index_init(&local); + srtp_index_init(&ref); + srtp_index_init(&est); + ut_init(&utc); + + for (i = 0; i < num_trials; i++) { + /* get next seq num from unreliable transport simulator */ + ircvd = ut_next_index(&utc); + + /* set ref to value of ircvd */ + ref = ircvd; + + /* estimate index based on low bits of ircvd */ + delta = srtp_index_guess(&local, &est, (uint16_t)ref); #if ROC_VERBOSE - printf("ref: %lld, local: %lld, est: %lld, ircvd: %d, delta: %d\n", - ref, local, est, ircvd, delta); + printf("ref: %lld, local: %lld, est: %lld, ircvd: %d, delta: %d\n", ref, + local, est, ircvd, delta); #endif - - if (local + delta != est) { - printf(" *bad delta*: local %llu + delta %d != est %llu\n", - (unsigned long long)local, delta, (unsigned long long)est); - return srtp_err_status_algo_fail; - } - /* now update local srtp_xtd_seq_num_t as necessary */ - if (delta > 0) - srtp_index_advance(&local, delta); + if (local + delta != est) { + printf(" *bad delta*: local %llu + delta %d != est %llu\n", + (unsigned long long)local, delta, (unsigned long long)est); + return srtp_err_status_algo_fail; + } + + /* now update local srtp_xtd_seq_num_t as necessary */ + if (delta > 0) + srtp_index_advance(&local, delta); - if (ref != est) { + if (ref != est) { #if ROC_VERBOSE - printf(" *bad estimate*\n"); + printf(" *bad estimate*\n"); #endif - /* record failure event */ - ++num_bad_est; - - /* reset local value to correct value */ - local = ref; + /* record failure event */ + ++num_bad_est; + + /* reset local value to correct value */ + local = ref; + } } - } - failure_rate = (double) num_bad_est / num_trials; - if (failure_rate > 0.01) { - printf("error: failure rate too high (%d bad estimates in %d trials)\n", - num_bad_est, num_trials); - return srtp_err_status_algo_fail; - } - printf("done\n"); - - return srtp_err_status_ok; + failure_rate = (double)num_bad_est / num_trials; + if (failure_rate > 0.01) { + printf("error: failure rate too high (%d bad estimates in %d trials)\n", + num_bad_est, num_trials); + return srtp_err_status_algo_fail; + } + printf("done\n"); + + return srtp_err_status_ok; } diff --git a/libs/srtp/test/rtp.c b/libs/srtp/test/rtp.c index 74cb902179..f60a9b11b2 100644 --- a/libs/srtp/test/rtp.c +++ b/libs/srtp/test/rtp.c @@ -8,26 +8,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -50,178 +50,178 @@ #include <sys/types.h> #ifdef HAVE_SYS_SOCKET_H -# include <sys/socket.h> +#include <sys/socket.h> #endif -#define PRINT_DEBUG 0 /* set to 1 to print out debugging data */ -#define VERBOSE_DEBUG 0 /* set to 1 to print out more data */ - -int -rtp_sendto(rtp_sender_t sender, const void* msg, int len) { - int octets_sent; - srtp_err_status_t stat; - int pkt_len = len + RTP_HEADER_LEN; - - /* marshal data */ - strncpy(sender->message.body, msg, len); - - /* update header */ - sender->message.header.seq = ntohs(sender->message.header.seq) + 1; - sender->message.header.seq = htons(sender->message.header.seq); - sender->message.header.ts = ntohl(sender->message.header.ts) + 1; - sender->message.header.ts = htonl(sender->message.header.ts); - - /* apply srtp */ - stat = srtp_protect(sender->srtp_ctx, &sender->message.header, &pkt_len); - if (stat) { +#define PRINT_DEBUG 0 /* set to 1 to print out debugging data */ +#define VERBOSE_DEBUG 0 /* set to 1 to print out more data */ + +int rtp_sendto(rtp_sender_t sender, const void *msg, int len) +{ + int octets_sent; + srtp_err_status_t stat; + int pkt_len = len + RTP_HEADER_LEN; + + /* marshal data */ + strncpy(sender->message.body, msg, len); + + /* update header */ + sender->message.header.seq = ntohs(sender->message.header.seq) + 1; + sender->message.header.seq = htons(sender->message.header.seq); + sender->message.header.ts = ntohl(sender->message.header.ts) + 1; + sender->message.header.ts = htonl(sender->message.header.ts); + + /* apply srtp */ + stat = srtp_protect(sender->srtp_ctx, &sender->message.header, &pkt_len); + if (stat) { #if PRINT_DEBUG - fprintf(stderr, "error: srtp protection failed with code %d\n", stat); + fprintf(stderr, "error: srtp protection failed with code %d\n", stat); #endif - return -1; - } + return -1; + } #if VERBOSE_DEBUG - srtp_print_packet(&sender->message.header, pkt_len); + srtp_print_packet(&sender->message.header, pkt_len); #endif - octets_sent = sendto(sender->socket, (void*)&sender->message, - pkt_len, 0, (struct sockaddr *)&sender->addr, - sizeof (struct sockaddr_in)); + octets_sent = + sendto(sender->socket, (void *)&sender->message, pkt_len, 0, + (struct sockaddr *)&sender->addr, sizeof(struct sockaddr_in)); - if (octets_sent != pkt_len) { + if (octets_sent != pkt_len) { #if PRINT_DEBUG - fprintf(stderr, "error: couldn't send message %s", (char *)msg); - perror(""); + fprintf(stderr, "error: couldn't send message %s", (char *)msg); + perror(""); #endif - } + } - return octets_sent; + return octets_sent; } -int -rtp_recvfrom(rtp_receiver_t receiver, void *msg, int *len) { - int octets_recvd; - srtp_err_status_t stat; - - octets_recvd = recvfrom(receiver->socket, (void *)&receiver->message, - *len, 0, (struct sockaddr *) NULL, 0); - - if (octets_recvd == -1) { - *len = 0; - return -1; - } - - /* verify rtp header */ - if (receiver->message.header.version != 2) { - *len = 0; - return -1; - } +int rtp_recvfrom(rtp_receiver_t receiver, void *msg, int *len) +{ + int octets_recvd; + srtp_err_status_t stat; + + octets_recvd = recvfrom(receiver->socket, (void *)&receiver->message, *len, + 0, (struct sockaddr *)NULL, 0); + + if (octets_recvd == -1) { + *len = 0; + return -1; + } + + /* verify rtp header */ + if (receiver->message.header.version != 2) { + *len = 0; + return -1; + } #if PRINT_DEBUG - fprintf(stderr, "%d octets received from SSRC %u\n", - octets_recvd, receiver->message.header.ssrc); + fprintf(stderr, "%d octets received from SSRC %u\n", octets_recvd, + receiver->message.header.ssrc); #endif #if VERBOSE_DEBUG - srtp_print_packet(&receiver->message.header, octets_recvd); + srtp_print_packet(&receiver->message.header, octets_recvd); #endif - /* apply srtp */ - stat = srtp_unprotect(receiver->srtp_ctx, - &receiver->message.header, &octets_recvd); - if (stat) { - fprintf(stderr, - "error: srtp unprotection failed with code %d%s\n", stat, - stat == srtp_err_status_replay_fail ? " (replay check failed)" : - stat == srtp_err_status_auth_fail ? " (auth check failed)" : ""); - return -1; - } - strncpy(msg, receiver->message.body, octets_recvd); - - return octets_recvd; + /* apply srtp */ + stat = srtp_unprotect(receiver->srtp_ctx, &receiver->message.header, + &octets_recvd); + if (stat) { + fprintf(stderr, "error: srtp unprotection failed with code %d%s\n", + stat, + stat == srtp_err_status_replay_fail + ? " (replay check failed)" + : stat == srtp_err_status_auth_fail ? " (auth check failed)" + : ""); + return -1; + } + strncpy(msg, receiver->message.body, octets_recvd); + + return octets_recvd; } -int -rtp_sender_init(rtp_sender_t sender, - int sock, - struct sockaddr_in addr, - unsigned int ssrc) { - - /* set header values */ - sender->message.header.ssrc = htonl(ssrc); - sender->message.header.ts = 0; - sender->message.header.seq = (uint16_t) rand(); - sender->message.header.m = 0; - sender->message.header.pt = 0x1; - sender->message.header.version = 2; - sender->message.header.p = 0; - sender->message.header.x = 0; - sender->message.header.cc = 0; - - /* set other stuff */ - sender->socket = sock; - sender->addr = addr; - - return 0; +int rtp_sender_init(rtp_sender_t sender, + int sock, + struct sockaddr_in addr, + unsigned int ssrc) +{ + /* set header values */ + sender->message.header.ssrc = htonl(ssrc); + sender->message.header.ts = 0; + sender->message.header.seq = (uint16_t)rand(); + sender->message.header.m = 0; + sender->message.header.pt = 0x1; + sender->message.header.version = 2; + sender->message.header.p = 0; + sender->message.header.x = 0; + sender->message.header.cc = 0; + + /* set other stuff */ + sender->socket = sock; + sender->addr = addr; + + return 0; } -int -rtp_receiver_init(rtp_receiver_t rcvr, - int sock, - struct sockaddr_in addr, - unsigned int ssrc) { - - /* set header values */ - rcvr->message.header.ssrc = htonl(ssrc); - rcvr->message.header.ts = 0; - rcvr->message.header.seq = 0; - rcvr->message.header.m = 0; - rcvr->message.header.pt = 0x1; - rcvr->message.header.version = 2; - rcvr->message.header.p = 0; - rcvr->message.header.x = 0; - rcvr->message.header.cc = 0; - - /* set other stuff */ - rcvr->socket = sock; - rcvr->addr = addr; - - return 0; +int rtp_receiver_init(rtp_receiver_t rcvr, + int sock, + struct sockaddr_in addr, + unsigned int ssrc) +{ + /* set header values */ + rcvr->message.header.ssrc = htonl(ssrc); + rcvr->message.header.ts = 0; + rcvr->message.header.seq = 0; + rcvr->message.header.m = 0; + rcvr->message.header.pt = 0x1; + rcvr->message.header.version = 2; + rcvr->message.header.p = 0; + rcvr->message.header.x = 0; + rcvr->message.header.cc = 0; + + /* set other stuff */ + rcvr->socket = sock; + rcvr->addr = addr; + + return 0; } -int -rtp_sender_init_srtp(rtp_sender_t sender, const srtp_policy_t *policy) { - return srtp_create(&sender->srtp_ctx, policy); +int rtp_sender_init_srtp(rtp_sender_t sender, const srtp_policy_t *policy) +{ + return srtp_create(&sender->srtp_ctx, policy); } -int -rtp_sender_deinit_srtp(rtp_sender_t sender) { - return srtp_dealloc(sender->srtp_ctx); +int rtp_sender_deinit_srtp(rtp_sender_t sender) +{ + return srtp_dealloc(sender->srtp_ctx); } -int -rtp_receiver_init_srtp(rtp_receiver_t sender, const srtp_policy_t *policy) { - return srtp_create(&sender->srtp_ctx, policy); +int rtp_receiver_init_srtp(rtp_receiver_t sender, const srtp_policy_t *policy) +{ + return srtp_create(&sender->srtp_ctx, policy); } -int -rtp_receiver_deinit_srtp(rtp_receiver_t sender) { - return srtp_dealloc(sender->srtp_ctx); +int rtp_receiver_deinit_srtp(rtp_receiver_t sender) +{ + return srtp_dealloc(sender->srtp_ctx); } -rtp_sender_t -rtp_sender_alloc(void) { - return (rtp_sender_t)malloc(sizeof(rtp_sender_ctx_t)); +rtp_sender_t rtp_sender_alloc(void) +{ + return (rtp_sender_t)malloc(sizeof(rtp_sender_ctx_t)); } -void -rtp_sender_dealloc(rtp_sender_t rtp_ctx) { - free(rtp_ctx); +void rtp_sender_dealloc(rtp_sender_t rtp_ctx) +{ + free(rtp_ctx); } -rtp_receiver_t -rtp_receiver_alloc(void) { - return (rtp_receiver_t)malloc(sizeof(rtp_receiver_ctx_t)); +rtp_receiver_t rtp_receiver_alloc(void) +{ + return (rtp_receiver_t)malloc(sizeof(rtp_receiver_ctx_t)); } -void -rtp_receiver_dealloc(rtp_receiver_t rtp_ctx) { - free(rtp_ctx); +void rtp_receiver_dealloc(rtp_receiver_t rtp_ctx) +{ + free(rtp_ctx); } diff --git a/libs/srtp/test/rtp.h b/libs/srtp/test/rtp.h index d010508de3..37921a665c 100644 --- a/libs/srtp/test/rtp.h +++ b/libs/srtp/test/rtp.h @@ -1,6 +1,6 @@ /* * rtp.h - * + * * rtp interface for srtp reference implementation * * David A. McGrew @@ -15,26 +15,26 @@ */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -50,14 +50,13 @@ * */ - #ifndef SRTP_RTP_H #define SRTP_RTP_H #ifdef HAVE_NETINET_IN_H -# include <netinet/in.h> +#include <netinet/in.h> #elif defined HAVE_WINSOCK2_H -# include <winsock2.h> +#include <winsock2.h> #endif #include "srtp_priv.h" @@ -69,98 +68,85 @@ extern "C" { /* * RTP_HEADER_LEN indicates the size of an RTP header */ -#define RTP_HEADER_LEN 12 +#define RTP_HEADER_LEN 12 -/* +/* * RTP_MAX_BUF_LEN defines the largest RTP packet in the rtp.c implementation */ -#define RTP_MAX_BUF_LEN 16384 - +#define RTP_MAX_BUF_LEN 16384 typedef srtp_hdr_t rtp_hdr_t; typedef struct { - srtp_hdr_t header; - char body[RTP_MAX_BUF_LEN]; + srtp_hdr_t header; + char body[RTP_MAX_BUF_LEN]; } rtp_msg_t; typedef struct rtp_sender_ctx_t { - rtp_msg_t message; - int socket; - srtp_ctx_t *srtp_ctx; - struct sockaddr_in addr; /* reciever's address */ + rtp_msg_t message; + int socket; + srtp_ctx_t *srtp_ctx; + struct sockaddr_in addr; /* reciever's address */ } rtp_sender_ctx_t; typedef struct rtp_receiver_ctx_t { - rtp_msg_t message; - int socket; - srtp_ctx_t *srtp_ctx; - struct sockaddr_in addr; /* receiver's address */ + rtp_msg_t message; + int socket; + srtp_ctx_t *srtp_ctx; + struct sockaddr_in addr; /* receiver's address */ } rtp_receiver_ctx_t; - typedef struct rtp_sender_ctx_t *rtp_sender_t; typedef struct rtp_receiver_ctx_t *rtp_receiver_t; -int -rtp_sendto(rtp_sender_t sender, const void* msg, int len); +int rtp_sendto(rtp_sender_t sender, const void *msg, int len); -int -rtp_recvfrom(rtp_receiver_t receiver, void *msg, int *len); +int rtp_recvfrom(rtp_receiver_t receiver, void *msg, int *len); -int -rtp_receiver_init(rtp_receiver_t rcvr, int sock, - struct sockaddr_in addr, unsigned int ssrc); +int rtp_receiver_init(rtp_receiver_t rcvr, + int sock, + struct sockaddr_in addr, + unsigned int ssrc); -int -rtp_sender_init(rtp_sender_t sender, int sock, - struct sockaddr_in addr, unsigned int ssrc); +int rtp_sender_init(rtp_sender_t sender, + int sock, + struct sockaddr_in addr, + unsigned int ssrc); /* * srtp_sender_init(...) initializes an rtp_sender_t */ -int -srtp_sender_init(rtp_sender_t rtp_ctx, /* structure to be init'ed */ - struct sockaddr_in name, /* socket name */ - srtp_sec_serv_t security_services, /* sec. servs. to be used */ - unsigned char *input_key /* master key/salt in hex */ - ); - -int -srtp_receiver_init(rtp_receiver_t rtp_ctx, /* structure to be init'ed */ - struct sockaddr_in name, /* socket name */ - srtp_sec_serv_t security_services, /* sec. servs. to be used */ - unsigned char *input_key /* master key/salt in hex */ - ); - - -int -rtp_sender_init_srtp(rtp_sender_t sender, const srtp_policy_t *policy); +int srtp_sender_init( + rtp_sender_t rtp_ctx, /* structure to be init'ed */ + struct sockaddr_in name, /* socket name */ + srtp_sec_serv_t security_services, /* sec. servs. to be used */ + unsigned char *input_key /* master key/salt in hex */ + ); -int -rtp_sender_deinit_srtp(rtp_sender_t sender); +int srtp_receiver_init( + rtp_receiver_t rtp_ctx, /* structure to be init'ed */ + struct sockaddr_in name, /* socket name */ + srtp_sec_serv_t security_services, /* sec. servs. to be used */ + unsigned char *input_key /* master key/salt in hex */ + ); -int -rtp_receiver_init_srtp(rtp_receiver_t sender, const srtp_policy_t *policy); +int rtp_sender_init_srtp(rtp_sender_t sender, const srtp_policy_t *policy); -int -rtp_receiver_deinit_srtp(rtp_receiver_t sender); +int rtp_sender_deinit_srtp(rtp_sender_t sender); +int rtp_receiver_init_srtp(rtp_receiver_t sender, const srtp_policy_t *policy); -rtp_sender_t -rtp_sender_alloc(void); +int rtp_receiver_deinit_srtp(rtp_receiver_t sender); -void -rtp_sender_dealloc(rtp_sender_t rtp_ctx); +rtp_sender_t rtp_sender_alloc(void); -rtp_receiver_t -rtp_receiver_alloc(void); +void rtp_sender_dealloc(rtp_sender_t rtp_ctx); -void -rtp_receiver_dealloc(rtp_receiver_t rtp_ctx); +rtp_receiver_t rtp_receiver_alloc(void); +void rtp_receiver_dealloc(rtp_receiver_t rtp_ctx); #ifdef __cplusplus } diff --git a/libs/srtp/test/rtp_decoder.c b/libs/srtp/test/rtp_decoder.c index 94cd19e0ab..d718a2b3ad 100644 --- a/libs/srtp/test/rtp_decoder.c +++ b/libs/srtp/test/rtp_decoder.c @@ -4,14 +4,19 @@ * decoder structures and functions for SRTP pcap decoder * * Example: - * $ wget --no-check-certificate https://raw.githubusercontent.com/gteissier/srtp-decrypt/master/marseillaise-srtp.pcap - * $ ./test/rtp_decoder -a -t 10 -e 128 -b aSBrbm93IGFsbCB5b3VyIGxpdHRsZSBzZWNyZXRz \ - * < ~/marseillaise-srtp.pcap | text2pcap -t "%M:%S." -u 10000,10000 - - > ./marseillaise-rtp.pcap + * $ wget --no-check-certificate \ + * https://raw.githubusercontent.com/gteissier/srtp-decrypt/master/marseillaise-srtp.pcap + * $ ./test/rtp_decoder -a -t 10 -e 128 -b \ + * aSBrbm93IGFsbCB5b3VyIGxpdHRsZSBzZWNyZXRz \ + * < ~/marseillaise-srtp.pcap \ + * | text2pcap -t "%M:%S." -u 10000,10000 - - \ + * > ./marseillaise-rtp.pcap * * There is also a different way of setting up key size and tag size * based upon RFC 4568 crypto suite specification, i.e.: * - * $ ./test/rtp_decoder -s AES_CM_128_HMAC_SHA1_80 -b aSBrbm93IGFsbCB5b3VyIGxpdHRsZSBzZWNyZXRz ... + * $ ./test/rtp_decoder -s AES_CM_128_HMAC_SHA1_80 -b \ + * aSBrbm93IGFsbCB5b3VyIGxpdHRsZSBzZWNyZXRz ... * * Audio can be extracted using extractaudio utility from the RTPproxy * package: @@ -23,26 +28,26 @@ * Some structure and code from https://github.com/gteissier/srtp-decrypt */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -57,471 +62,506 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. * */ -#include "getopt_s.h" /* for local getopt() */ -#include <assert.h> /* for assert() */ +#include "getopt_s.h" /* for local getopt() */ +#include <assert.h> /* for assert() */ #include <pcap.h> #include "rtp_decoder.h" #include "util.h" -#define MAX_KEY_LEN 96 +#ifndef timersub +#define timersub(a, b, result) \ + do { \ + (result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \ + (result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \ + if ((result)->tv_usec < 0) { \ + --(result)->tv_sec; \ + (result)->tv_usec += 1000000; \ + } \ + } while (0) +#endif + +#define MAX_KEY_LEN 96 #define MAX_FILTER 256 struct srtp_crypto_suite { - const char *can_name; - int key_size; - int tag_size; + const char *can_name; + int key_size; + int tag_size; }; static struct srtp_crypto_suite srtp_crypto_suites[] = { - {.can_name = "AES_CM_128_HMAC_SHA1_32", .key_size = 128, .tag_size = 4}, + {.can_name = "AES_CM_128_HMAC_SHA1_32", .key_size = 128, .tag_size = 4 }, #if 0 {.can_name = "F8_128_HMAC_SHA1_32", .key_size = 128, .tag_size = 4}, #endif - {.can_name = "AES_CM_128_HMAC_SHA1_32", .key_size = 128, .tag_size = 4}, - {.can_name = "AES_CM_128_HMAC_SHA1_80", .key_size = 128, .tag_size = 10}, - {.can_name = NULL} + {.can_name = "AES_CM_128_HMAC_SHA1_32", .key_size = 128, .tag_size = 4 }, + {.can_name = "AES_CM_128_HMAC_SHA1_80", .key_size = 128, .tag_size = 10 }, + {.can_name = NULL } }; -int -main (int argc, char *argv[]) { - char errbuf[PCAP_ERRBUF_SIZE]; - bpf_u_int32 pcap_net = 0; - pcap_t *pcap_handle; +int main(int argc, char *argv[]) +{ + char errbuf[PCAP_ERRBUF_SIZE]; + bpf_u_int32 pcap_net = 0; + pcap_t *pcap_handle; #if BEW - struct sockaddr_in local; + struct sockaddr_in local; #endif - srtp_sec_serv_t sec_servs = sec_serv_none; - int c; - struct srtp_crypto_suite scs, *i_scsp; - scs.key_size = 128; - scs.tag_size = 8; - int gcm_on = 0; - char *input_key = NULL; - int b64_input = 0; - char key[MAX_KEY_LEN]; - struct bpf_program fp; - char filter_exp[MAX_FILTER] = ""; - rtp_decoder_t dec; - srtp_policy_t policy; - srtp_err_status_t status; - int len; - int expected_len; - int do_list_mods = 0; - - fprintf(stderr, "Using %s [0x%x]\n", srtp_get_version_string(), srtp_get_version()); - - /* initialize srtp library */ - status = srtp_init(); - if (status) { - fprintf(stderr, "error: srtp initialization failed with error code %d\n", status); - exit(1); - } - - /* check args */ - while (1) { - c = getopt_s(argc, argv, "b:k:gt:ae:ld:f:s:"); - if (c == -1) { - break; - } - switch (c) { - case 'b': - b64_input = 1; - /* fall thru */ - case 'k': - input_key = optarg_s; - break; - case 'e': - scs.key_size = atoi(optarg_s); - if (scs.key_size != 128 && scs.key_size != 256) { - fprintf(stderr, "error: encryption key size must be 128 or 256 (%d)\n", scs.key_size); - exit(1); - } - input_key = malloc(scs.key_size); - sec_servs |= sec_serv_conf; - break; - case 't': - scs.tag_size = atoi(optarg_s); - break; - case 'a': - sec_servs |= sec_serv_auth; - break; - case 'g': - gcm_on = 1; - sec_servs |= sec_serv_auth; - break; - case 'd': - status = srtp_crypto_kernel_set_debug_module(optarg_s, 1); - if (status) { - fprintf(stderr, "error: set debug module (%s) failed\n", optarg_s); - exit(1); - } - break; - case 'f': - if(strlen(optarg_s) > MAX_FILTER){ - fprintf(stderr, "error: filter bigger than %d characters\n", MAX_FILTER); + srtp_sec_serv_t sec_servs = sec_serv_none; + int c; + struct srtp_crypto_suite scs, *i_scsp; + scs.key_size = 128; + scs.tag_size = 8; + int gcm_on = 0; + char *input_key = NULL; + int b64_input = 0; + char key[MAX_KEY_LEN]; + struct bpf_program fp; + char filter_exp[MAX_FILTER] = ""; + rtp_decoder_t dec; + srtp_policy_t policy; + srtp_err_status_t status; + int len; + int expected_len; + int do_list_mods = 0; + + fprintf(stderr, "Using %s [0x%x]\n", srtp_get_version_string(), + srtp_get_version()); + + /* initialize srtp library */ + status = srtp_init(); + if (status) { + fprintf(stderr, + "error: srtp initialization failed with error code %d\n", + status); exit(1); - } - fprintf(stderr, "Setting filter as %s\n", optarg_s); - strcpy(filter_exp, optarg_s); - break; - case 'l': - do_list_mods = 1; - break; - case 's': - for (i_scsp = &srtp_crypto_suites[0]; i_scsp->can_name != NULL; i_scsp++) { - if (strcasecmp(i_scsp->can_name, optarg_s) == 0) { + } + + /* check args */ + while (1) { + c = getopt_s(argc, argv, "b:k:gt:ae:ld:f:s:"); + if (c == -1) { break; } - } - if (i_scsp->can_name == NULL) { - fprintf(stderr, "Unknown/unsupported crypto suite name %s\n", optarg_s); - exit(1); - } - scs = *i_scsp; - input_key = malloc(scs.key_size); - sec_servs |= sec_serv_conf | sec_serv_auth; - break; - default: - usage(argv[0]); + switch (c) { + case 'b': + b64_input = 1; + /* fall thru */ + case 'k': + input_key = optarg_s; + break; + case 'e': + scs.key_size = atoi(optarg_s); + if (scs.key_size != 128 && scs.key_size != 256) { + fprintf(stderr, + "error: encryption key size must be 128 or 256 (%d)\n", + scs.key_size); + exit(1); + } + input_key = malloc(scs.key_size); + sec_servs |= sec_serv_conf; + break; + case 't': + scs.tag_size = atoi(optarg_s); + break; + case 'a': + sec_servs |= sec_serv_auth; + break; + case 'g': + gcm_on = 1; + sec_servs |= sec_serv_auth; + break; + case 'd': + status = srtp_crypto_kernel_set_debug_module(optarg_s, 1); + if (status) { + fprintf(stderr, "error: set debug module (%s) failed\n", + optarg_s); + exit(1); + } + break; + case 'f': + if (strlen(optarg_s) > MAX_FILTER) { + fprintf(stderr, "error: filter bigger than %d characters\n", + MAX_FILTER); + exit(1); + } + fprintf(stderr, "Setting filter as %s\n", optarg_s); + strcpy(filter_exp, optarg_s); + break; + case 'l': + do_list_mods = 1; + break; + case 's': + for (i_scsp = &srtp_crypto_suites[0]; i_scsp->can_name != NULL; + i_scsp++) { + if (strcasecmp(i_scsp->can_name, optarg_s) == 0) { + break; + } + } + if (i_scsp->can_name == NULL) { + fprintf(stderr, "Unknown/unsupported crypto suite name %s\n", + optarg_s); + exit(1); + } + scs = *i_scsp; + input_key = malloc(scs.key_size); + sec_servs |= sec_serv_conf | sec_serv_auth; + break; + default: + usage(argv[0]); + } + } + + if (gcm_on && scs.tag_size != 8 && scs.tag_size != 16) { + fprintf(stderr, "error: GCM tag size must be 8 or 16 (%d)\n", + scs.tag_size); + // exit(1); } - } - if (gcm_on && scs.tag_size != 8 && scs.tag_size != 16) { - fprintf(stderr, "error: GCM tag size must be 8 or 16 (%d)\n", scs.tag_size); - //exit(1); - } + if (do_list_mods) { + status = srtp_crypto_kernel_list_debug_modules(); + if (status) { + fprintf(stderr, "error: list of debug modules failed\n"); + exit(1); + } + return 0; + } - if (do_list_mods) { - status = srtp_crypto_kernel_list_debug_modules(); - if (status) { - fprintf(stderr, "error: list of debug modules failed\n"); - exit(1); + if ((sec_servs && !input_key) || (!sec_servs && input_key)) { + /* + * a key must be provided if and only if security services have + * been requested + */ + if (input_key == NULL) { + fprintf(stderr, "key not provided\n"); + } + if (!sec_servs) { + fprintf(stderr, "no secservs\n"); + } + fprintf(stderr, "provided\n"); + usage(argv[0]); } - return 0; - } - - if ((sec_servs && !input_key) || (!sec_servs && input_key)) { - /* - * a key must be provided if and only if security services have - * been requested - */ - if(input_key == NULL){ - fprintf(stderr, "key not provided\n"); - } - if(!sec_servs){ - fprintf(stderr, "no secservs\n"); - } - fprintf(stderr, "provided\n"); - usage(argv[0]); - } - - - - /* report security services selected on the command line */ - fprintf(stderr, "security services: "); - if (sec_servs & sec_serv_conf) - fprintf(stderr, "confidentiality "); - if (sec_servs & sec_serv_auth) - fprintf(stderr, "message authentication"); - if (sec_servs == sec_serv_none) - fprintf(stderr, "none"); - fprintf(stderr, "\n"); - - /* set up the srtp policy and master key */ - if (sec_servs) { - /* - * create policy structure, using the default mechanisms but - * with only the security services requested on the command line, - * using the right SSRC value - */ - switch (sec_servs) { - case sec_serv_conf_and_auth: - if (gcm_on) { + + /* report security services selected on the command line */ + fprintf(stderr, "security services: "); + if (sec_servs & sec_serv_conf) + fprintf(stderr, "confidentiality "); + if (sec_servs & sec_serv_auth) + fprintf(stderr, "message authentication"); + if (sec_servs == sec_serv_none) + fprintf(stderr, "none"); + fprintf(stderr, "\n"); + + /* set up the srtp policy and master key */ + if (sec_servs) { + /* + * create policy structure, using the default mechanisms but + * with only the security services requested on the command line, + * using the right SSRC value + */ + switch (sec_servs) { + case sec_serv_conf_and_auth: + if (gcm_on) { #ifdef OPENSSL - switch (scs.key_size) { - case 128: - srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp); - srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp); - break; - case 256: - srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtp); - srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtcp); - break; - } + switch (scs.key_size) { + case 128: + srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtcp); + break; + } #else - fprintf(stderr, "error: GCM mode only supported when using the OpenSSL crypto engine.\n"); - return 0; + fprintf(stderr, "error: GCM mode only supported when using the " + "OpenSSL crypto engine.\n"); + return 0; #endif - } else { - switch (scs.key_size) { - case 128: - srtp_crypto_policy_set_rtp_default(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - break; - case 256: - srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - break; - } - } - break; - case sec_serv_conf: - if (gcm_on) { - fprintf(stderr, "error: GCM mode must always be used with auth enabled\n"); - return -1; - } else { - switch (scs.key_size) { - case 128: - srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - break; - case 256: - srtp_crypto_policy_set_aes_cm_256_null_auth(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - break; - } - } - break; - case sec_serv_auth: - if (gcm_on) { + } else { + switch (scs.key_size) { + case 128: + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + } + } + break; + case sec_serv_conf: + if (gcm_on) { + fprintf( + stderr, + "error: GCM mode must always be used with auth enabled\n"); + return -1; + } else { + switch (scs.key_size) { + case 128: + srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_cm_256_null_auth(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + } + } + break; + case sec_serv_auth: + if (gcm_on) { #ifdef OPENSSL - switch (scs.key_size) { - case 128: - srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&policy.rtp); - srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&policy.rtcp); - break; - case 256: - srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&policy.rtp); - srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&policy.rtcp); - break; - } + switch (scs.key_size) { + case 128: + srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_128_8_only_auth( + &policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_256_8_only_auth( + &policy.rtcp); + break; + } #else - printf("error: GCM mode only supported when using the OpenSSL crypto engine.\n"); - return 0; + printf("error: GCM mode only supported when using the OpenSSL " + "crypto engine.\n"); + return 0; #endif - } else { - srtp_crypto_policy_set_null_cipher_hmac_sha1_80(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - } - break; - default: - fprintf(stderr, "error: unknown security service requested\n"); - return -1; - } + } else { + srtp_crypto_policy_set_null_cipher_hmac_sha1_80(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + } + break; + default: + fprintf(stderr, "error: unknown security service requested\n"); + return -1; + } + + policy.key = (uint8_t *)key; + policy.ekt = NULL; + policy.next = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.rtp.sec_serv = sec_servs; + policy.rtcp.sec_serv = + sec_servs; // sec_serv_none; /* we don't do RTCP anyway */ + fprintf(stderr, "setting tag len %d\n", scs.tag_size); + policy.rtp.auth_tag_len = scs.tag_size; + + if (gcm_on && scs.tag_size != 8) { + fprintf(stderr, "setted tag len %d\n", scs.tag_size); + policy.rtp.auth_tag_len = scs.tag_size; + } + + /* + * read key from hexadecimal or base64 on command line into an octet + * string + */ + if (b64_input) { + int pad; + expected_len = policy.rtp.cipher_key_len * 4 / 3; + len = base64_string_to_octet_string(key, &pad, input_key, + expected_len); + if (pad != 0) { + fprintf(stderr, "error: padding in base64 unexpected\n"); + exit(1); + } + } else { + expected_len = policy.rtp.cipher_key_len * 2; + len = hex_string_to_octet_string(key, input_key, expected_len); + } + /* check that hex string is the right length */ + if (len < expected_len) { + fprintf(stderr, "error: too few digits in key/salt " + "(should be %d digits, found %d)\n", + expected_len, len); + exit(1); + } + if (strlen(input_key) > policy.rtp.cipher_key_len * 2) { + fprintf(stderr, "error: too many digits in key/salt " + "(should be %d hexadecimal digits, found %u)\n", + policy.rtp.cipher_key_len * 2, (unsigned)strlen(input_key)); + exit(1); + } - policy.key = (uint8_t *) key; - policy.ekt = NULL; - policy.next = NULL; - policy.window_size = 128; - policy.allow_repeat_tx = 0; - policy.rtp.sec_serv = sec_servs; - policy.rtcp.sec_serv = sec_servs; //sec_serv_none; /* we don't do RTCP anyway */ - fprintf(stderr, "setting tag len %d\n", scs.tag_size); - policy.rtp.auth_tag_len = scs.tag_size; - - if (gcm_on && scs.tag_size != 8) { - fprintf(stderr, "setted tag len %d\n", scs.tag_size); - policy.rtp.auth_tag_len = scs.tag_size; + fprintf(stderr, "set master key/salt to %s/", + octet_string_hex_string(key, 16)); + fprintf(stderr, "%s\n", octet_string_hex_string(key + 16, 14)); + + } else { + fprintf(stderr, + "error: neither encryption or authentication were selected"); + exit(1); } - /* - * read key from hexadecimal or base64 on command line into an octet string - */ - if (b64_input) { - int pad; - expected_len = policy.rtp.cipher_key_len*4/3; - len = base64_string_to_octet_string(key, &pad, input_key, expected_len); - if (pad != 0) { - fprintf(stderr, "error: padding in base64 unexpected\n"); + pcap_handle = pcap_open_offline("-", errbuf); + + if (!pcap_handle) { + fprintf(stderr, "libpcap failed to open file '%s'\n", errbuf); exit(1); - } - } else { - expected_len = policy.rtp.cipher_key_len*2; - len = hex_string_to_octet_string(key, input_key, expected_len); } - /* check that hex string is the right length */ - if (len < expected_len) { - fprintf(stderr, - "error: too few digits in key/salt " - "(should be %d digits, found %d)\n", - expected_len, len); - exit(1); + assert(pcap_handle != NULL); + if ((pcap_compile(pcap_handle, &fp, filter_exp, 1, pcap_net)) == -1) { + fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, + pcap_geterr(pcap_handle)); + return (2); } - if (strlen(input_key) > policy.rtp.cipher_key_len*2) { - fprintf(stderr, - "error: too many digits in key/salt " - "(should be %d hexadecimal digits, found %u)\n", - policy.rtp.cipher_key_len*2, (unsigned)strlen(input_key)); - exit(1); + if (pcap_setfilter(pcap_handle, &fp) == -1) { + fprintf(stderr, "couldn't install filter %s: %s\n", filter_exp, + pcap_geterr(pcap_handle)); + return (2); } + dec = rtp_decoder_alloc(); + if (dec == NULL) { + fprintf(stderr, "error: malloc() failed\n"); + exit(1); + } + fprintf(stderr, "Starting decoder\n"); + rtp_decoder_init(dec, policy); - fprintf(stderr, "set master key/salt to %s/", octet_string_hex_string(key, 16)); - fprintf(stderr, "%s\n", octet_string_hex_string(key+16, 14)); - - } else { - fprintf(stderr, "error: neither encryption or authentication were selected"); - exit(1); - } - - pcap_handle = pcap_open_offline("-", errbuf); - - if (!pcap_handle) { - fprintf(stderr, "libpcap failed to open file '%s'\n", errbuf); - exit(1); - } - assert(pcap_handle != NULL); - if ((pcap_compile(pcap_handle, &fp, filter_exp, 1, pcap_net)) == -1) { - fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp, - pcap_geterr(pcap_handle)); - return (2); - } - if (pcap_setfilter(pcap_handle, &fp) == -1) { - fprintf(stderr, "couldn't install filter %s: %s\n", filter_exp, - pcap_geterr(pcap_handle)); - return (2); - } - dec = rtp_decoder_alloc(); - if (dec == NULL) { - fprintf(stderr, "error: malloc() failed\n"); - exit(1); - } - fprintf(stderr, "Starting decoder\n"); - rtp_decoder_init(dec, policy); - - pcap_loop(pcap_handle, 0, rtp_decoder_handle_pkt, (u_char *)dec); - - rtp_decoder_deinit_srtp(dec); - rtp_decoder_dealloc(dec); - - status = srtp_shutdown(); - if (status) { - fprintf(stderr, "error: srtp shutdown failed with error code %d\n", status); - exit(1); - } + pcap_loop(pcap_handle, 0, rtp_decoder_handle_pkt, (u_char *)dec); - return 0; -} + rtp_decoder_deinit_srtp(dec); + rtp_decoder_dealloc(dec); + status = srtp_shutdown(); + if (status) { + fprintf(stderr, "error: srtp shutdown failed with error code %d\n", + status); + exit(1); + } -void -usage(char *string) { - - fprintf(stderr, "usage: %s [-d <debug>]* [[-k][-b] <key> [-a][-e]]\n" - "or %s -l\n" - "where -a use message authentication\n" - " -e <key size> use encryption (use 128 or 256 for key size)\n" - " -g Use AES-GCM mode (must be used with -e)\n" - " -t <tag size> Tag size to use (in GCM mode use 8 or 16)\n" - " -k <key> sets the srtp master key given in hexadecimal\n" - " -b <key> sets the srtp master key given in base64\n" - " -l list debug modules\n" - " -f \"<pcap filter>\" to filter only the desired SRTP packets\n" - " -d <debug> turn on debugging for module <debug>\n" - " -s \"<srtp-crypto-suite>\" to set both key and tag size based\n" - " on RFC4568-style crypto suite specification\n", - string, string); - exit(1); + return 0; +} +void usage(char *string) +{ + fprintf( + stderr, + "usage: %s [-d <debug>]* [[-k][-b] <key> [-a][-e]]\n" + "or %s -l\n" + "where -a use message authentication\n" + " -e <key size> use encryption (use 128 or 256 for key size)\n" + " -g Use AES-GCM mode (must be used with -e)\n" + " -t <tag size> Tag size to use (in GCM mode use 8 or 16)\n" + " -k <key> sets the srtp master key given in hexadecimal\n" + " -b <key> sets the srtp master key given in base64\n" + " -l list debug modules\n" + " -f \"<pcap filter>\" to filter only the desired SRTP packets\n" + " -d <debug> turn on debugging for module <debug>\n" + " -s \"<srtp-crypto-suite>\" to set both key and tag size based\n" + " on RFC4568-style crypto suite specification\n", + string, string); + exit(1); } -rtp_decoder_t -rtp_decoder_alloc(void) { - return (rtp_decoder_t)malloc(sizeof(rtp_decoder_ctx_t)); +rtp_decoder_t rtp_decoder_alloc(void) +{ + return (rtp_decoder_t)malloc(sizeof(rtp_decoder_ctx_t)); } -void -rtp_decoder_dealloc(rtp_decoder_t rtp_ctx) { - free(rtp_ctx); +void rtp_decoder_dealloc(rtp_decoder_t rtp_ctx) +{ + free(rtp_ctx); } -srtp_err_status_t -rtp_decoder_init_srtp(rtp_decoder_t decoder, unsigned int ssrc) { - decoder->policy.ssrc.value = htonl(ssrc); - return srtp_create(&decoder->srtp_ctx, &decoder->policy); +srtp_err_status_t rtp_decoder_init_srtp(rtp_decoder_t decoder, + unsigned int ssrc) +{ + decoder->policy.ssrc.value = htonl(ssrc); + return srtp_create(&decoder->srtp_ctx, &decoder->policy); } -int -rtp_decoder_deinit_srtp(rtp_decoder_t decoder) { - return srtp_dealloc(decoder->srtp_ctx); +int rtp_decoder_deinit_srtp(rtp_decoder_t decoder) +{ + return srtp_dealloc(decoder->srtp_ctx); } -int -rtp_decoder_init(rtp_decoder_t dcdr, srtp_policy_t policy) { - dcdr->rtp_offset = DEFAULT_RTP_OFFSET; - dcdr->srtp_ctx = NULL; - dcdr->start_tv.tv_usec = 0; - dcdr->start_tv.tv_sec = 0; - dcdr->frame_nr = -1; - dcdr->policy = policy; - dcdr->policy.ssrc.type = ssrc_specific; - return 0; +int rtp_decoder_init(rtp_decoder_t dcdr, srtp_policy_t policy) +{ + dcdr->rtp_offset = DEFAULT_RTP_OFFSET; + dcdr->srtp_ctx = NULL; + dcdr->start_tv.tv_usec = 0; + dcdr->start_tv.tv_sec = 0; + dcdr->frame_nr = -1; + dcdr->policy = policy; + dcdr->policy.ssrc.type = ssrc_specific; + return 0; } /* * decodes key as base64 */ -void hexdump(const void *ptr, size_t size) { - int i, j; - const unsigned char *cptr = ptr; +void hexdump(const void *ptr, size_t size) +{ + int i, j; + const unsigned char *cptr = ptr; - for (i = 0; i < size; i += 16) { - fprintf(stdout, "%04x ", i); - for (j = 0; j < 16 && i+j < size; j++) { - fprintf(stdout, "%02x ", cptr[i+j]); + for (i = 0; i < size; i += 16) { + fprintf(stdout, "%04x ", i); + for (j = 0; j < 16 && i + j < size; j++) { + fprintf(stdout, "%02x ", cptr[i + j]); + } + fprintf(stdout, "\n"); } - fprintf(stdout, "\n"); - } } -void -rtp_decoder_handle_pkt(u_char *arg, const struct pcap_pkthdr *hdr, - const u_char *bytes) { - rtp_decoder_t dcdr = (rtp_decoder_t)arg; - int pktsize; - struct timeval delta; - int octets_recvd; - srtp_err_status_t status; - dcdr->frame_nr++; - - if ((dcdr->start_tv.tv_sec == 0) && (dcdr->start_tv.tv_usec == 0)) { - dcdr->start_tv = hdr->ts; - } - - if (hdr->caplen < dcdr->rtp_offset) { - return; - } - const void *rtp_packet = bytes + dcdr->rtp_offset; - - memcpy((void *)&dcdr->message, rtp_packet, hdr->caplen - dcdr->rtp_offset); - pktsize = hdr->caplen - dcdr->rtp_offset; - octets_recvd = pktsize; - - if (octets_recvd == -1) { - return; - } - - /* verify rtp header */ - if (dcdr->message.header.version != 2) { - return; - } - if(dcdr->srtp_ctx == NULL) { - status = rtp_decoder_init_srtp(dcdr, dcdr->message.header.ssrc); +void rtp_decoder_handle_pkt(u_char *arg, + const struct pcap_pkthdr *hdr, + const u_char *bytes) +{ + rtp_decoder_t dcdr = (rtp_decoder_t)arg; + int pktsize; + struct timeval delta; + int octets_recvd; + srtp_err_status_t status; + dcdr->frame_nr++; + + if ((dcdr->start_tv.tv_sec == 0) && (dcdr->start_tv.tv_usec == 0)) { + dcdr->start_tv = hdr->ts; + } + + if (hdr->caplen < dcdr->rtp_offset) { + return; + } + const void *rtp_packet = bytes + dcdr->rtp_offset; + + memcpy((void *)&dcdr->message, rtp_packet, hdr->caplen - dcdr->rtp_offset); + pktsize = hdr->caplen - dcdr->rtp_offset; + octets_recvd = pktsize; + + if (octets_recvd == -1) { + return; + } + + /* verify rtp header */ + if (dcdr->message.header.version != 2) { + return; + } + if (dcdr->srtp_ctx == NULL) { + status = rtp_decoder_init_srtp(dcdr, dcdr->message.header.ssrc); + if (status) { + exit(1); + } + } + status = srtp_unprotect(dcdr->srtp_ctx, &dcdr->message, &octets_recvd); if (status) { - exit(1); + return; } - } - status = srtp_unprotect(dcdr->srtp_ctx, &dcdr->message, &octets_recvd); - if (status) { - return; - } - timersub(&hdr->ts, &dcdr->start_tv, &delta); - fprintf(stdout, "%02ld:%02ld.%06ld\n", delta.tv_sec/60, delta.tv_sec%60, (long)delta.tv_usec); - hexdump(&dcdr->message, octets_recvd); + timersub(&hdr->ts, &dcdr->start_tv, &delta); + fprintf(stdout, "%02ld:%02ld.%06ld\n", delta.tv_sec / 60, delta.tv_sec % 60, + (long)delta.tv_usec); + hexdump(&dcdr->message, octets_recvd); } -void rtp_print_error(srtp_err_status_t status, char *message) { +void rtp_print_error(srtp_err_status_t status, char *message) +{ + // clang-format off fprintf(stderr, "error: %s %d%s\n", message, status, status == srtp_err_status_replay_fail ? " (replay check failed)" : @@ -530,4 +570,5 @@ void rtp_print_error(srtp_err_status_t status, char *message) { status == srtp_err_status_cipher_fail ? " (cipher failed)" : status == srtp_err_status_key_expired ? " (key expired)" : status == srtp_err_status_auth_fail ? " (auth check failed)" : ""); + // clang-format on } diff --git a/libs/srtp/test/rtp_decoder.h b/libs/srtp/test/rtp_decoder.h index 604ff3efea..c8c31dd773 100644 --- a/libs/srtp/test/rtp_decoder.h +++ b/libs/srtp/test/rtp_decoder.h @@ -9,26 +9,26 @@ * */ /* - * + * * Copyright (c) 2001-2017 Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -44,7 +44,6 @@ * */ - #ifndef RTP_DECODER_H #define RTP_DECODER_H @@ -54,12 +53,12 @@ #define DEFAULT_RTP_OFFSET 42 typedef struct rtp_decoder_ctx_t { - srtp_policy_t policy; - srtp_ctx_t *srtp_ctx; - int rtp_offset; - struct timeval start_tv; - int frame_nr; - rtp_msg_t message; + srtp_policy_t policy; + srtp_ctx_t *srtp_ctx; + int rtp_offset; + struct timeval start_tv; + int frame_nr; + rtp_msg_t message; } rtp_decoder_ctx_t; typedef struct rtp_decoder_ctx_t *rtp_decoder_t; @@ -69,7 +68,7 @@ typedef struct rtp_decoder_ctx_t *rtp_decoder_t; */ void rtp_print_error(srtp_err_status_t status, char *message); -/* +/* * prints the output of a random buffer in hexadecimal */ void hexdump(const void *ptr, size_t size); @@ -85,10 +84,12 @@ void usage(char *prog_name); */ char *decode_sdes(char *in, char *out); -/* +/* * pcap handling */ -void rtp_decoder_handle_pkt(u_char *arg, const struct pcap_pkthdr *hdr, const u_char *bytes); +void rtp_decoder_handle_pkt(u_char *arg, + const struct pcap_pkthdr *hdr, + const u_char *bytes); rtp_decoder_t rtp_decoder_alloc(void); @@ -96,9 +97,9 @@ void rtp_decoder_dealloc(rtp_decoder_t rtp_ctx); int rtp_decoder_init(rtp_decoder_t dcdr, srtp_policy_t policy); -srtp_err_status_t rtp_decoder_init_srtp(rtp_decoder_t decoder, unsigned int ssrc); +srtp_err_status_t rtp_decoder_init_srtp(rtp_decoder_t decoder, + unsigned int ssrc); -int -rtp_decoder_deinit_srtp(rtp_decoder_t decoder); +int rtp_decoder_deinit_srtp(rtp_decoder_t decoder); #endif /* RTP_DECODER_H */ diff --git a/libs/srtp/test/rtpw.c b/libs/srtp/test/rtpw.c index 3b7ac6700b..6e7416c7f5 100644 --- a/libs/srtp/test/rtpw.c +++ b/libs/srtp/test/rtpw.c @@ -8,33 +8,33 @@ * * This app is a simple RTP application intended only for testing * libsrtp. It reads one word at a time from words.txt (or - * whatever file is specified as DICT_FILE), and sends one word out + * whatever file is specified as DICT_FILE or with -w), and sends one word out * each USEC_RATE microseconds. Secure RTP protections can be * applied. See the usage() function for more details. * */ /* - * + * * Copyright (c) 2001-2017, Cisco Systems, Inc. * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. - * + * * Neither the name of the Cisco Systems, Inc. nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS @@ -50,82 +50,76 @@ * */ - #ifdef HAVE_CONFIG_H - #include <config.h> +#include <config.h> #endif -#include "getopt_s.h" /* for local getopt() */ +#include "getopt_s.h" /* for local getopt() */ -#include <stdio.h> /* for printf, fprintf */ -#include <stdlib.h> /* for atoi() */ +#include <stdio.h> /* for printf, fprintf */ +#include <stdlib.h> /* for atoi() */ #include <errno.h> -#include <signal.h> /* for signal() */ +#include <signal.h> /* for signal() */ -#include <string.h> /* for strncpy() */ -#include <time.h> /* for usleep() */ +#include <string.h> /* for strncpy() */ +#include <time.h> /* for usleep() */ #ifdef HAVE_UNISTD_H -#include <unistd.h> /* for close() */ +#include <unistd.h> /* for close() */ #elif defined(_MSC_VER) -#include <io.h> /* for _close() */ +#include <io.h> /* for _close() */ #define close _close #endif #ifdef HAVE_SYS_SOCKET_H -# include <sys/socket.h> +#include <sys/socket.h> #endif #ifdef HAVE_NETINET_IN_H -# include <netinet/in.h> +#include <netinet/in.h> #elif defined HAVE_WINSOCK2_H -# include <winsock2.h> -# include <ws2tcpip.h> -# define RTPW_USE_WINSOCK2 1 +#include <winsock2.h> +#include <ws2tcpip.h> +#define RTPW_USE_WINSOCK2 1 #endif #ifdef HAVE_ARPA_INET_H -# include <arpa/inet.h> +#include <arpa/inet.h> #endif -#include "srtp.h" +#include "srtp.h" #include "rtp.h" #include "util.h" -#define DICT_FILE "words.txt" -#define USEC_RATE (5e5) -#define MAX_WORD_LEN 128 +#define DICT_FILE "words.txt" +#define USEC_RATE (5e5) +#define MAX_WORD_LEN 128 #define ADDR_IS_MULTICAST(a) IN_MULTICAST(htonl(a)) -#define MAX_KEY_LEN 96 - +#define MAX_KEY_LEN 96 #ifndef HAVE_USLEEP -# ifdef HAVE_WINDOWS_H -# define usleep(us) Sleep((us)/1000) -# else -# define usleep(us) sleep((us)/1000000) -# endif +#ifdef HAVE_WINDOWS_H +#define usleep(us) Sleep((us) / 1000) +#else +#define usleep(us) sleep((us) / 1000000) +#endif #endif - /* * the function usage() prints an error message describing how this * program should be called, then calls exit() */ -void -usage(char *prog_name); +void usage(char *prog_name); /* * leave_group(...) de-registers from a multicast group */ -void -leave_group(int sock, struct ip_mreq mreq, char *name); - +void leave_group(int sock, struct ip_mreq mreq, char *name); /* * setup_signal_handler() sets up a signal handler to trigger * cleanups after an interrupt */ -int setup_signal_handler(char* name); +int setup_signal_handler(char *name); /* * handle_signal(...) handles interrupt signal to trigger cleanups @@ -139,561 +133,568 @@ volatile int interrupted = 0; typedef enum { sender, receiver, unknown } program_type; -int -main (int argc, char *argv[]) { - char *dictfile = DICT_FILE; - FILE *dict; - char word[MAX_WORD_LEN]; - int sock, ret; - struct in_addr rcvr_addr; - struct sockaddr_in name; - struct ip_mreq mreq; +int main(int argc, char *argv[]) +{ + char *dictfile = DICT_FILE; + FILE *dict; + char word[MAX_WORD_LEN]; + int sock, ret; + struct in_addr rcvr_addr; + struct sockaddr_in name; + struct ip_mreq mreq; #if BEW - struct sockaddr_in local; -#endif - program_type prog_type = unknown; - srtp_sec_serv_t sec_servs = sec_serv_none; - unsigned char ttl = 5; - int c; - int key_size = 128; - int tag_size = 8; - int gcm_on = 0; - char *input_key = NULL; - int b64_input = 0; - char *address = NULL; - char key[MAX_KEY_LEN]; - unsigned short port = 0; - rtp_sender_t snd; - srtp_policy_t policy; - srtp_err_status_t status; - int len; - int expected_len; - int do_list_mods = 0; - uint32_t ssrc = 0xdeadbeef; /* ssrc value hardcoded for now */ + struct sockaddr_in local; +#endif + program_type prog_type = unknown; + srtp_sec_serv_t sec_servs = sec_serv_none; + unsigned char ttl = 5; + int c; + int key_size = 128; + int tag_size = 8; + int gcm_on = 0; + char *input_key = NULL; + int b64_input = 0; + char *address = NULL; + char key[MAX_KEY_LEN]; + unsigned short port = 0; + rtp_sender_t snd; + srtp_policy_t policy; + srtp_err_status_t status; + int len; + int expected_len; + int do_list_mods = 0; + uint32_t ssrc = 0xdeadbeef; /* ssrc value hardcoded for now */ #ifdef RTPW_USE_WINSOCK2 - WORD wVersionRequested = MAKEWORD(2, 0); - WSADATA wsaData; + WORD wVersionRequested = MAKEWORD(2, 0); + WSADATA wsaData; - ret = WSAStartup(wVersionRequested, &wsaData); - if (ret != 0) { - fprintf(stderr, "error: WSAStartup() failed: %d\n", ret); - exit(1); - } + ret = WSAStartup(wVersionRequested, &wsaData); + if (ret != 0) { + fprintf(stderr, "error: WSAStartup() failed: %d\n", ret); + exit(1); + } #endif - memset(&policy, 0x0, sizeof(srtp_policy_t)); + memset(&policy, 0x0, sizeof(srtp_policy_t)); - printf("Using %s [0x%x]\n", srtp_get_version_string(), srtp_get_version()); + printf("Using %s [0x%x]\n", srtp_get_version_string(), srtp_get_version()); - if (setup_signal_handler(argv[0]) != 0) { - exit(1); - } + if (setup_signal_handler(argv[0]) != 0) { + exit(1); + } - /* initialize srtp library */ - status = srtp_init(); - if (status) { - printf("error: srtp initialization failed with error code %d\n", status); - exit(1); - } + /* initialize srtp library */ + status = srtp_init(); + if (status) { + printf("error: srtp initialization failed with error code %d\n", + status); + exit(1); + } + + /* check args */ + while (1) { + c = getopt_s(argc, argv, "b:k:rsgt:ae:ld:w:"); + if (c == -1) { + break; + } + switch (c) { + case 'b': + b64_input = 1; + /* fall thru */ + case 'k': + input_key = optarg_s; + break; + case 'e': + key_size = atoi(optarg_s); + if (key_size != 128 && key_size != 256) { + printf("error: encryption key size must be 128 or 256 (%d)\n", + key_size); + exit(1); + } + sec_servs |= sec_serv_conf; + break; + case 't': + tag_size = atoi(optarg_s); + if (tag_size != 8 && tag_size != 16) { + printf("error: GCM tag size must be 8 or 16 (%d)\n", tag_size); + exit(1); + } + break; + case 'a': + sec_servs |= sec_serv_auth; + break; + case 'g': + gcm_on = 1; + sec_servs |= sec_serv_auth; + break; + case 'r': + prog_type = receiver; + break; + case 's': + prog_type = sender; + break; + case 'd': + status = srtp_set_debug_module(optarg_s, 1); + if (status) { + printf("error: set debug module (%s) failed\n", optarg_s); + exit(1); + } + break; + case 'l': + do_list_mods = 1; + break; + case 'w': + dictfile = optarg_s; + break; + default: + usage(argv[0]); + } + } - /* check args */ - while (1) { - c = getopt_s(argc, argv, "b:k:rsgt:ae:ld:"); - if (c == -1) { - break; + if (prog_type == unknown) { + if (do_list_mods) { + status = srtp_list_debug_modules(); + if (status) { + printf("error: list of debug modules failed\n"); + exit(1); + } + return 0; + } else { + printf("error: neither sender [-s] nor receiver [-r] specified\n"); + usage(argv[0]); + } } - switch (c) { - case 'b': - b64_input = 1; - /* fall thru */ - case 'k': - input_key = optarg_s; - break; - case 'e': - key_size = atoi(optarg_s); - if (key_size != 128 && key_size != 256) { - printf("error: encryption key size must be 128 or 256 (%d)\n", key_size); - exit(1); - } - sec_servs |= sec_serv_conf; - break; - case 't': - tag_size = atoi(optarg_s); - if (tag_size != 8 && tag_size != 16) { - printf("error: GCM tag size must be 8 or 16 (%d)\n", tag_size); - exit(1); - } - break; - case 'a': - sec_servs |= sec_serv_auth; - break; - case 'g': - gcm_on = 1; - sec_servs |= sec_serv_auth; - break; - case 'r': - prog_type = receiver; - break; - case 's': - prog_type = sender; - break; - case 'd': - status = srtp_set_debug_module(optarg_s, 1); - if (status) { - printf("error: set debug module (%s) failed\n", optarg_s); - exit(1); - } - break; - case 'l': - do_list_mods = 1; - break; - default: - usage(argv[0]); + + if ((sec_servs && !input_key) || (!sec_servs && input_key)) { + /* + * a key must be provided if and only if security services have + * been requested + */ + usage(argv[0]); } - } - - if (prog_type == unknown) { - if (do_list_mods) { - status = srtp_list_debug_modules(); - if (status) { - printf("error: list of debug modules failed\n"); - exit(1); - } - return 0; - } else { - printf("error: neither sender [-s] nor receiver [-r] specified\n"); - usage(argv[0]); + + if (argc != optind_s + 2) { + /* wrong number of arguments */ + usage(argv[0]); } - } - - if ((sec_servs && !input_key) || (!sec_servs && input_key)) { - /* - * a key must be provided if and only if security services have - * been requested - */ - usage(argv[0]); - } - - if (argc != optind_s + 2) { - /* wrong number of arguments */ - usage(argv[0]); - } - - /* get address from arg */ - address = argv[optind_s++]; - - /* get port from arg */ - port = atoi(argv[optind_s++]); - - /* set address */ + + /* get address from arg */ + address = argv[optind_s++]; + + /* get port from arg */ + port = atoi(argv[optind_s++]); + +/* set address */ #ifdef HAVE_INET_ATON - if (0 == inet_aton(address, &rcvr_addr)) { - fprintf(stderr, "%s: cannot parse IP v4 address %s\n", argv[0], address); - exit(1); - } - if (rcvr_addr.s_addr == INADDR_NONE) { - fprintf(stderr, "%s: address error", argv[0]); - exit(1); - } + if (0 == inet_aton(address, &rcvr_addr)) { + fprintf(stderr, "%s: cannot parse IP v4 address %s\n", argv[0], + address); + exit(1); + } + if (rcvr_addr.s_addr == INADDR_NONE) { + fprintf(stderr, "%s: address error", argv[0]); + exit(1); + } #else - rcvr_addr.s_addr = inet_addr(address); - if (0xffffffff == rcvr_addr.s_addr) { - fprintf(stderr, "%s: cannot parse IP v4 address %s\n", argv[0], address); - exit(1); - } + rcvr_addr.s_addr = inet_addr(address); + if (0xffffffff == rcvr_addr.s_addr) { + fprintf(stderr, "%s: cannot parse IP v4 address %s\n", argv[0], + address); + exit(1); + } #endif - /* open socket */ - sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); - if (sock < 0) { - int err; + /* open socket */ + sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); + if (sock < 0) { + int err; #ifdef RTPW_USE_WINSOCK2 - err = WSAGetLastError(); + err = WSAGetLastError(); #else - err = errno; + err = errno; #endif - fprintf(stderr, "%s: couldn't open socket: %d\n", argv[0], err); - exit(1); - } - - name.sin_addr = rcvr_addr; - name.sin_family = PF_INET; - name.sin_port = htons(port); - - if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) { - if (prog_type == sender) { - ret = setsockopt(sock, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, - sizeof(ttl)); - if (ret < 0) { - fprintf(stderr, "%s: Failed to set TTL for multicast group", argv[0]); - perror(""); - exit(1); - } + fprintf(stderr, "%s: couldn't open socket: %d\n", argv[0], err); + exit(1); } - mreq.imr_multiaddr.s_addr = rcvr_addr.s_addr; - mreq.imr_interface.s_addr = htonl(INADDR_ANY); - ret = setsockopt(sock, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void*)&mreq, - sizeof(mreq)); - if (ret < 0) { - fprintf(stderr, "%s: Failed to join multicast group", argv[0]); - perror(""); - exit(1); + name.sin_addr = rcvr_addr; + name.sin_family = PF_INET; + name.sin_port = htons(port); + + if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) { + if (prog_type == sender) { + ret = setsockopt(sock, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, + sizeof(ttl)); + if (ret < 0) { + fprintf(stderr, "%s: Failed to set TTL for multicast group", + argv[0]); + perror(""); + exit(1); + } + } + + mreq.imr_multiaddr.s_addr = rcvr_addr.s_addr; + mreq.imr_interface.s_addr = htonl(INADDR_ANY); + ret = setsockopt(sock, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void *)&mreq, + sizeof(mreq)); + if (ret < 0) { + fprintf(stderr, "%s: Failed to join multicast group", argv[0]); + perror(""); + exit(1); + } } - } - - /* report security services selected on the command line */ - printf("security services: "); - if (sec_servs & sec_serv_conf) - printf("confidentiality "); - if (sec_servs & sec_serv_auth) - printf("message authentication"); - if (sec_servs == sec_serv_none) - printf("none"); - printf("\n"); - - /* set up the srtp policy and master key */ - if (sec_servs) { - /* - * create policy structure, using the default mechanisms but - * with only the security services requested on the command line, - * using the right SSRC value - */ - switch (sec_servs) { - case sec_serv_conf_and_auth: - if (gcm_on) { + + /* report security services selected on the command line */ + printf("security services: "); + if (sec_servs & sec_serv_conf) + printf("confidentiality "); + if (sec_servs & sec_serv_auth) + printf("message authentication"); + if (sec_servs == sec_serv_none) + printf("none"); + printf("\n"); + + /* set up the srtp policy and master key */ + if (sec_servs) { + /* + * create policy structure, using the default mechanisms but + * with only the security services requested on the command line, + * using the right SSRC value + */ + switch (sec_servs) { + case sec_serv_conf_and_auth: + if (gcm_on) { #ifdef OPENSSL - switch (key_size) { - case 128: - srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp); - srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp); - break; - case 256: - srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtp); - srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtcp); - break; - } + switch (key_size) { + case 128: + srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtcp); + break; + } #else - printf("error: GCM mode only supported when using the OpenSSL crypto engine.\n"); - return 0; + printf("error: GCM mode only supported when using the OpenSSL " + "crypto engine.\n"); + return 0; #endif - } else { - switch (key_size) { - case 128: - srtp_crypto_policy_set_rtp_default(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - break; - case 256: - srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - break; - } - } - break; - case sec_serv_conf: - if (gcm_on) { - printf("error: GCM mode must always be used with auth enabled\n"); - return -1; - } else { - switch (key_size) { - case 128: - srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - break; - case 256: - srtp_crypto_policy_set_aes_cm_256_null_auth(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - break; - } - } - break; - case sec_serv_auth: - if (gcm_on) { + } else { + switch (key_size) { + case 128: + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + } + } + break; + case sec_serv_conf: + if (gcm_on) { + printf( + "error: GCM mode must always be used with auth enabled\n"); + return -1; + } else { + switch (key_size) { + case 128: + srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_cm_256_null_auth(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + break; + } + } + break; + case sec_serv_auth: + if (gcm_on) { #ifdef OPENSSL - switch (key_size) { - case 128: - srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&policy.rtp); - srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&policy.rtcp); - break; - case 256: - srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&policy.rtp); - srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&policy.rtcp); - break; - } + switch (key_size) { + case 128: + srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_128_8_only_auth( + &policy.rtcp); + break; + case 256: + srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&policy.rtp); + srtp_crypto_policy_set_aes_gcm_256_8_only_auth( + &policy.rtcp); + break; + } #else - printf("error: GCM mode only supported when using the OpenSSL crypto engine.\n"); - return 0; + printf("error: GCM mode only supported when using the OpenSSL " + "crypto engine.\n"); + return 0; #endif - } else { - srtp_crypto_policy_set_null_cipher_hmac_sha1_80(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - } - break; - default: - printf("error: unknown security service requested\n"); - return -1; - } - policy.ssrc.type = ssrc_specific; - policy.ssrc.value = ssrc; - policy.key = (uint8_t *)key; - policy.ekt = NULL; - policy.next = NULL; - policy.window_size = 128; - policy.allow_repeat_tx = 0; - policy.rtp.sec_serv = sec_servs; - policy.rtcp.sec_serv = sec_serv_none; /* we don't do RTCP anyway */ - - if (gcm_on && tag_size != 8) { - policy.rtp.auth_tag_len = tag_size; - } + } else { + srtp_crypto_policy_set_null_cipher_hmac_sha1_80(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + } + break; + default: + printf("error: unknown security service requested\n"); + return -1; + } + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = ssrc; + policy.key = (uint8_t *)key; + policy.ekt = NULL; + policy.next = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.rtp.sec_serv = sec_servs; + policy.rtcp.sec_serv = sec_serv_none; /* we don't do RTCP anyway */ + + if (gcm_on && tag_size != 8) { + policy.rtp.auth_tag_len = tag_size; + } - /* - * read key from hexadecimal or base64 on command line into an octet string - */ - if (b64_input) { - int pad; - expected_len = (policy.rtp.cipher_key_len*4)/3; - len = base64_string_to_octet_string(key, &pad, input_key, expected_len); - if (pad != 0) { - fprintf(stderr, "error: padding in base64 unexpected\n"); - exit(1); + /* + * read key from hexadecimal or base64 on command line into an octet + * string + */ + if (b64_input) { + int pad; + expected_len = (policy.rtp.cipher_key_len * 4) / 3; + len = base64_string_to_octet_string(key, &pad, input_key, + expected_len); + if (pad != 0) { + fprintf(stderr, "error: padding in base64 unexpected\n"); + exit(1); + } + } else { + expected_len = policy.rtp.cipher_key_len * 2; + len = hex_string_to_octet_string(key, input_key, expected_len); + } + /* check that hex string is the right length */ + if (len < expected_len) { + fprintf(stderr, "error: too few digits in key/salt " + "(should be %d digits, found %d)\n", + expected_len, len); + exit(1); + } + if ((int)strlen(input_key) > policy.rtp.cipher_key_len * 2) { + fprintf(stderr, "error: too many digits in key/salt " + "(should be %d hexadecimal digits, found %u)\n", + policy.rtp.cipher_key_len * 2, (unsigned)strlen(input_key)); + exit(1); } + + printf("set master key/salt to %s/", octet_string_hex_string(key, 16)); + printf("%s\n", octet_string_hex_string(key + 16, 14)); + } else { - expected_len = policy.rtp.cipher_key_len*2; - len = hex_string_to_octet_string(key, input_key, expected_len); - } - /* check that hex string is the right length */ - if (len < expected_len) { - fprintf(stderr, - "error: too few digits in key/salt " - "(should be %d digits, found %d)\n", - expected_len, len); - exit(1); - } - if ((int) strlen(input_key) > policy.rtp.cipher_key_len*2) { - fprintf(stderr, - "error: too many digits in key/salt " - "(should be %d hexadecimal digits, found %u)\n", - policy.rtp.cipher_key_len*2, (unsigned)strlen(input_key)); - exit(1); + /* + * we're not providing security services, so set the policy to the + * null policy + * + * Note that this policy does not conform to the SRTP + * specification, since RTCP authentication is required. However, + * the effect of this policy is to turn off SRTP, so that this + * application is now a vanilla-flavored RTP application. + */ + srtp_crypto_policy_set_null_cipher_hmac_null(&policy.rtp); + srtp_crypto_policy_set_null_cipher_hmac_null(&policy.rtcp); + policy.key = (uint8_t *)key; + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = ssrc; + policy.window_size = 0; + policy.allow_repeat_tx = 0; + policy.ekt = NULL; + policy.next = NULL; } - - printf("set master key/salt to %s/", octet_string_hex_string(key, 16)); - printf("%s\n", octet_string_hex_string(key+16, 14)); - - } else { - /* - * we're not providing security services, so set the policy to the - * null policy - * - * Note that this policy does not conform to the SRTP - * specification, since RTCP authentication is required. However, - * the effect of this policy is to turn off SRTP, so that this - * application is now a vanilla-flavored RTP application. - */ - srtp_crypto_policy_set_null_cipher_hmac_null(&policy.rtp); - srtp_crypto_policy_set_null_cipher_hmac_null(&policy.rtcp); - policy.key = (uint8_t *)key; - policy.ssrc.type = ssrc_specific; - policy.ssrc.value = ssrc; - policy.window_size = 0; - policy.allow_repeat_tx = 0; - policy.ekt = NULL; - policy.next = NULL; - } - - if (prog_type == sender) { + if (prog_type == sender) { #if BEW - /* bind to local socket (to match crypto policy, if need be) */ - memset(&local, 0, sizeof(struct sockaddr_in)); - local.sin_addr.s_addr = htonl(INADDR_ANY); - local.sin_port = htons(port); - ret = bind(sock, (struct sockaddr *) &local, sizeof(struct sockaddr_in)); - if (ret < 0) { - fprintf(stderr, "%s: bind failed\n", argv[0]); - perror(""); - exit(1); - } + /* bind to local socket (to match crypto policy, if need be) */ + memset(&local, 0, sizeof(struct sockaddr_in)); + local.sin_addr.s_addr = htonl(INADDR_ANY); + local.sin_port = htons(port); + ret = bind(sock, (struct sockaddr *)&local, sizeof(struct sockaddr_in)); + if (ret < 0) { + fprintf(stderr, "%s: bind failed\n", argv[0]); + perror(""); + exit(1); + } #endif /* BEW */ - /* initialize sender's rtp and srtp contexts */ - snd = rtp_sender_alloc(); - if (snd == NULL) { - fprintf(stderr, "error: malloc() failed\n"); - exit(1); - } - rtp_sender_init(snd, sock, name, ssrc); - status = rtp_sender_init_srtp(snd, &policy); - if (status) { - fprintf(stderr, - "error: srtp_create() failed with code %d\n", - status); - exit(1); - } - - /* open dictionary */ - dict = fopen (dictfile, "r"); - if (dict == NULL) { - fprintf(stderr, "%s: couldn't open file %s\n", argv[0], dictfile); - if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) { - leave_group(sock, mreq, argv[0]); - } - exit(1); - } - - /* read words from dictionary, then send them off */ - while (!interrupted && fgets(word, MAX_WORD_LEN, dict) != NULL) { - len = strlen(word) + 1; /* plus one for null */ - - if (len > MAX_WORD_LEN) - printf("error: word %s too large to send\n", word); - else { - rtp_sendto(snd, word, len); - printf("sending word: %s", word); - } - usleep(USEC_RATE); - } + /* initialize sender's rtp and srtp contexts */ + snd = rtp_sender_alloc(); + if (snd == NULL) { + fprintf(stderr, "error: malloc() failed\n"); + exit(1); + } + rtp_sender_init(snd, sock, name, ssrc); + status = rtp_sender_init_srtp(snd, &policy); + if (status) { + fprintf(stderr, "error: srtp_create() failed with code %d\n", + status); + exit(1); + } - rtp_sender_deinit_srtp(snd); - rtp_sender_dealloc(snd); - - fclose(dict); - } else { /* prog_type == receiver */ - rtp_receiver_t rcvr; - - if (bind(sock, (struct sockaddr *)&name, sizeof(name)) < 0) { - close(sock); - fprintf(stderr, "%s: socket bind error\n", argv[0]); - perror(NULL); - if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) { - leave_group(sock, mreq, argv[0]); - } - exit(1); - } + /* open dictionary */ + dict = fopen(dictfile, "r"); + if (dict == NULL) { + fprintf(stderr, "%s: couldn't open file %s\n", argv[0], dictfile); + if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) { + leave_group(sock, mreq, argv[0]); + } + exit(1); + } - rcvr = rtp_receiver_alloc(); - if (rcvr == NULL) { - fprintf(stderr, "error: malloc() failed\n"); - exit(1); - } - rtp_receiver_init(rcvr, sock, name, ssrc); - status = rtp_receiver_init_srtp(rcvr, &policy); - if (status) { - fprintf(stderr, - "error: srtp_create() failed with code %d\n", - status); - exit(1); - } + /* read words from dictionary, then send them off */ + while (!interrupted && fgets(word, MAX_WORD_LEN, dict) != NULL) { + len = strlen(word) + 1; /* plus one for null */ + + if (len > MAX_WORD_LEN) + printf("error: word %s too large to send\n", word); + else { + rtp_sendto(snd, word, len); + printf("sending word: %s", word); + } + usleep(USEC_RATE); + } + + rtp_sender_deinit_srtp(snd); + rtp_sender_dealloc(snd); + + fclose(dict); + } else { /* prog_type == receiver */ + rtp_receiver_t rcvr; + + if (bind(sock, (struct sockaddr *)&name, sizeof(name)) < 0) { + close(sock); + fprintf(stderr, "%s: socket bind error\n", argv[0]); + perror(NULL); + if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) { + leave_group(sock, mreq, argv[0]); + } + exit(1); + } - /* get next word and loop */ - while (!interrupted) { - len = MAX_WORD_LEN; - if (rtp_recvfrom(rcvr, word, &len) > -1) - printf("\tword: %s\n", word); + rcvr = rtp_receiver_alloc(); + if (rcvr == NULL) { + fprintf(stderr, "error: malloc() failed\n"); + exit(1); + } + rtp_receiver_init(rcvr, sock, name, ssrc); + status = rtp_receiver_init_srtp(rcvr, &policy); + if (status) { + fprintf(stderr, "error: srtp_create() failed with code %d\n", + status); + exit(1); + } + + /* get next word and loop */ + while (!interrupted) { + len = MAX_WORD_LEN; + if (rtp_recvfrom(rcvr, word, &len) > -1) + printf("\tword: %s\n", word); + } + + rtp_receiver_deinit_srtp(rcvr); + rtp_receiver_dealloc(rcvr); } - - rtp_receiver_deinit_srtp(rcvr); - rtp_receiver_dealloc(rcvr); - } - if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) { - leave_group(sock, mreq, argv[0]); - } + if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) { + leave_group(sock, mreq, argv[0]); + } #ifdef RTPW_USE_WINSOCK2 - ret = closesocket(sock); + ret = closesocket(sock); #else - ret = close(sock); + ret = close(sock); #endif - if (ret < 0) { - fprintf(stderr, "%s: Failed to close socket", argv[0]); - perror(""); - } - - status = srtp_shutdown(); - if (status) { - printf("error: srtp shutdown failed with error code %d\n", status); - exit(1); - } + if (ret < 0) { + fprintf(stderr, "%s: Failed to close socket", argv[0]); + perror(""); + } + + status = srtp_shutdown(); + if (status) { + printf("error: srtp shutdown failed with error code %d\n", status); + exit(1); + } #ifdef RTPW_USE_WINSOCK2 - WSACleanup(); + WSACleanup(); #endif - return 0; + return 0; } - -void -usage(char *string) { - - printf("usage: %s [-d <debug>]* [-k <key> [-a][-e]] " - "[-s | -r] dest_ip dest_port\n" - "or %s -l\n" - "where -a use message authentication\n" - " -e <key size> use encryption (use 128 or 256 for key size)\n" - " -g Use AES-GCM mode (must be used with -e)\n" - " -t <tag size> Tag size to use in GCM mode (use 8 or 16)\n" - " -k <key> sets the srtp master key given in hexadecimal\n" - " -b <key> sets the srtp master key given in base64\n" - " -s act as rtp sender\n" - " -r act as rtp receiver\n" - " -l list debug modules\n" - " -d <debug> turn on debugging for module <debug>\n", - string, string); - exit(1); - +void usage(char *string) +{ + printf("usage: %s [-d <debug>]* [-k <key> [-a][-e]] " + "[-s | -r] dest_ip dest_port\n" + "or %s -l\n" + "where -a use message authentication\n" + " -e <key size> use encryption (use 128 or 256 for key size)\n" + " -g Use AES-GCM mode (must be used with -e)\n" + " -t <tag size> Tag size to use in GCM mode (use 8 or 16)\n" + " -k <key> sets the srtp master key given in hexadecimal\n" + " -b <key> sets the srtp master key given in base64\n" + " -s act as rtp sender\n" + " -r act as rtp receiver\n" + " -l list debug modules\n" + " -d <debug> turn on debugging for module <debug>\n" + " -w <wordsfile> use <wordsfile> for input, rather than %s\n", + string, string, DICT_FILE); + exit(1); } +void leave_group(int sock, struct ip_mreq mreq, char *name) +{ + int ret; -void -leave_group(int sock, struct ip_mreq mreq, char *name) { - int ret; - - ret = setsockopt(sock, IPPROTO_IP, IP_DROP_MEMBERSHIP, (void*)&mreq, - sizeof(mreq)); - if (ret < 0) { - fprintf(stderr, "%s: Failed to leave multicast group", name); - perror(""); - } + ret = setsockopt(sock, IPPROTO_IP, IP_DROP_MEMBERSHIP, (void *)&mreq, + sizeof(mreq)); + if (ret < 0) { + fprintf(stderr, "%s: Failed to leave multicast group", name); + perror(""); + } } void handle_signal(int signum) { - interrupted = 1; - /* Reset handler explicitly, in case we don't have sigaction() (and signal() - has BSD semantics), or we don't have SA_RESETHAND */ - signal(signum, SIG_DFL); + interrupted = 1; + /* Reset handler explicitly, in case we don't have sigaction() (and signal() + has BSD semantics), or we don't have SA_RESETHAND */ + signal(signum, SIG_DFL); } -int setup_signal_handler(char* name) +int setup_signal_handler(char *name) { #if HAVE_SIGACTION - struct sigaction act; - memset(&act, 0, sizeof(act)); + struct sigaction act; + memset(&act, 0, sizeof(act)); - act.sa_handler = handle_signal; - sigemptyset(&act.sa_mask); + act.sa_handler = handle_signal; + sigemptyset(&act.sa_mask); #if defined(SA_RESETHAND) - act.sa_flags = SA_RESETHAND; + act.sa_flags = SA_RESETHAND; #else - act.sa_flags = 0; + act.sa_flags = 0; #endif - /* Note that we're not setting SA_RESTART; we want recvfrom to return - * EINTR when we signal the receiver. */ - - if (sigaction(SIGTERM, &act, NULL) != 0) { - fprintf(stderr, "%s: error setting up signal handler", name); - perror(""); - return -1; - } + /* Note that we're not setting SA_RESTART; we want recvfrom to return + * EINTR when we signal the receiver. */ + + if (sigaction(SIGTERM, &act, NULL) != 0) { + fprintf(stderr, "%s: error setting up signal handler", name); + perror(""); + return -1; + } #else - if (signal(SIGTERM, handle_signal) == SIG_ERR) { - fprintf(stderr, "%s: error setting up signal handler", name); - perror(""); - return -1; - } + if (signal(SIGTERM, handle_signal) == SIG_ERR) { + fprintf(stderr, "%s: error setting up signal handler", name); + perror(""); + return -1; + } #endif - return 0; + return 0; } diff --git a/libs/srtp/test/srtp_driver.c b/libs/srtp/test/srtp_driver.c index 56052a6321..4ea8fe5302 100644 --- a/libs/srtp/test/srtp_driver.c +++ b/libs/srtp/test/srtp_driver.c @@ -1,5 +1,3 @@ - - /* * srtp_driver.c * @@ -44,7 +42,6 @@ * */ - #include <string.h> /* for memcpy() */ #include <time.h> /* for clock() */ #include <stdlib.h> /* for malloc(), free() */ @@ -55,96 +52,73 @@ #include "util.h" #ifdef HAVE_NETINET_IN_H -# include <netinet/in.h> +#include <netinet/in.h> #elif defined HAVE_WINSOCK2_H -# include <winsock2.h> +#include <winsock2.h> #endif #define PRINT_REFERENCE_PACKET 1 -srtp_err_status_t -srtp_validate(void); +srtp_err_status_t srtp_validate(void); #ifdef OPENSSL -srtp_err_status_t -srtp_validate_gcm(void); +srtp_err_status_t srtp_validate_gcm(void); #endif -srtp_err_status_t -srtp_validate_encrypted_extensions_headers(void); +srtp_err_status_t srtp_validate_encrypted_extensions_headers(void); #ifdef OPENSSL -srtp_err_status_t -srtp_validate_encrypted_extensions_headers_gcm(void); +srtp_err_status_t srtp_validate_encrypted_extensions_headers_gcm(void); #endif -srtp_err_status_t -srtp_validate_aes_256(void); +srtp_err_status_t srtp_validate_aes_256(void); -srtp_err_status_t -srtp_create_big_policy(srtp_policy_t **list); +srtp_err_status_t srtp_create_big_policy(srtp_policy_t **list); -srtp_err_status_t -srtp_dealloc_big_policy(srtp_policy_t *list); +srtp_err_status_t srtp_dealloc_big_policy(srtp_policy_t *list); -srtp_err_status_t -srtp_test_empty_payload(void); +srtp_err_status_t srtp_test_empty_payload(void); #ifdef OPENSSL -srtp_err_status_t -srtp_test_empty_payload_gcm(void); +srtp_err_status_t srtp_test_empty_payload_gcm(void); #endif -srtp_err_status_t -srtp_test_remove_stream(void); +srtp_err_status_t srtp_test_remove_stream(void); -srtp_err_status_t -srtp_test_update(void); +srtp_err_status_t srtp_test_update(void); -srtp_err_status_t -srtp_test_protect_trailer_length(void); +srtp_err_status_t srtp_test_protect_trailer_length(void); -srtp_err_status_t -srtp_test_protect_rtcp_trailer_length(void); +srtp_err_status_t srtp_test_protect_rtcp_trailer_length(void); -srtp_err_status_t -srtp_test_get_roc(void); +srtp_err_status_t srtp_test_get_roc(void); -srtp_err_status_t -srtp_test_set_receiver_roc(void); +srtp_err_status_t srtp_test_set_receiver_roc(void); -srtp_err_status_t -srtp_test_set_sender_roc(void); +srtp_err_status_t srtp_test_set_sender_roc(void); -double -srtp_bits_per_second(int msg_len_octets, const srtp_policy_t *policy); +double srtp_bits_per_second(int msg_len_octets, const srtp_policy_t *policy); -double -srtp_rejections_per_second(int msg_len_octets, const srtp_policy_t *policy); +double srtp_rejections_per_second(int msg_len_octets, + const srtp_policy_t *policy); -void -srtp_do_timing(const srtp_policy_t *policy); +void srtp_do_timing(const srtp_policy_t *policy); -void -srtp_do_rejection_timing(const srtp_policy_t *policy); +void srtp_do_rejection_timing(const srtp_policy_t *policy); -srtp_err_status_t -srtp_test(const srtp_policy_t *policy, int extension_header, int mki_index); +srtp_err_status_t srtp_test(const srtp_policy_t *policy, + int extension_header, + int mki_index); -srtp_err_status_t -srtcp_test(const srtp_policy_t *policy, int mki_index); +srtp_err_status_t srtcp_test(const srtp_policy_t *policy, int mki_index); -srtp_err_status_t -srtp_session_print_policy(srtp_t srtp); +srtp_err_status_t srtp_session_print_policy(srtp_t srtp); -srtp_err_status_t -srtp_print_policy(const srtp_policy_t *policy); +srtp_err_status_t srtp_print_policy(const srtp_policy_t *policy); -char * -srtp_packet_to_string(srtp_hdr_t *hdr, int packet_len); +char *srtp_packet_to_string(srtp_hdr_t *hdr, int packet_len); -double -mips_estimate(int num_trials, int *ignore); +double mips_estimate(int num_trials, int *ignore); #define TEST_MKI_ID_SIZE 4 @@ -153,6 +127,7 @@ extern uint8_t test_key_2[46]; extern uint8_t test_mki_id[TEST_MKI_ID_SIZE]; extern uint8_t test_mki_id_2[TEST_MKI_ID_SIZE]; +// clang-format off srtp_master_key_t master_key_1 = { test_key, test_mki_id, @@ -169,9 +144,9 @@ srtp_master_key_t *test_keys[2] = { &master_key_1, &master_key_2 }; +// clang-format on -void -usage (char *prog_name) +void usage(char *prog_name) { printf("usage: %s [ -t ][ -c ][ -v ][ -o ][-d <debug_module> ]* [ -l ]\n" " -t run timing test\n" @@ -180,19 +155,27 @@ usage (char *prog_name) " -v run validation tests\n" " -o output logging to stdout\n" " -d <mod> turn on debugging module <mod>\n" - " -l list debugging modules\n", prog_name); + " -l list debugging modules\n", + prog_name); exit(1); } -void -log_handler (srtp_log_level_t level, const char * msg, void * data) +void log_handler(srtp_log_level_t level, const char *msg, void *data) { char level_char = '?'; - switch(level) { - case srtp_log_level_error: level_char = 'e'; break; - case srtp_log_level_warning: level_char = 'w'; break; - case srtp_log_level_info: level_char = 'i'; break; - case srtp_log_level_debug: level_char = 'd'; break; + switch (level) { + case srtp_log_level_error: + level_char = 'e'; + break; + case srtp_log_level_warning: + level_char = 'w'; + break; + case srtp_log_level_info: + level_char = 'i'; + break; + case srtp_log_level_debug: + level_char = 'd'; + break; } printf("SRTP-LOG [%c]: %s\n", level_char, msg); } @@ -204,7 +187,6 @@ log_handler (srtp_log_level_t level, const char * msg, void * data) extern const srtp_policy_t *policy_array[]; - /* the wildcard_policy is declared below; it has a wildcard ssrc */ extern const srtp_policy_t wildcard_policy; @@ -217,20 +199,19 @@ extern const srtp_policy_t wildcard_policy; */ srtp_debug_module_t mod_driver = { - 0, /* debugging is off by default */ - "driver" /* printable name for module */ + 0, /* debugging is off by default */ + "driver" /* printable name for module */ }; -int -main (int argc, char *argv[]) +int main(int argc, char *argv[]) { int q; - unsigned do_timing_test = 0; + unsigned do_timing_test = 0; unsigned do_rejection_test = 0; - unsigned do_codec_timing = 0; - unsigned do_validation = 0; - unsigned do_list_mods = 0; - unsigned do_log_stdout = 0; + unsigned do_codec_timing = 0; + unsigned do_validation = 0; + unsigned do_list_mods = 0; + unsigned do_log_stdout = 0; srtp_err_status_t status; /* @@ -255,7 +236,8 @@ main (int argc, char *argv[]) status = srtp_crypto_kernel_load_debug_module(&mod_driver); if (status) { printf("error: load of srtp_driver debug module failed " - "with error code %d\n", status); + "with error code %d\n", + status); exit(1); } @@ -296,8 +278,8 @@ main (int argc, char *argv[]) } } - if (!do_validation && !do_timing_test && !do_codec_timing - && !do_list_mods && !do_rejection_test) { + if (!do_validation && !do_timing_test && !do_codec_timing && + !do_list_mods && !do_rejection_test) { usage(argv[0]); } @@ -326,51 +308,56 @@ main (int argc, char *argv[]) printf("testing srtp_protect and srtp_unprotect\n"); if (srtp_test(*policy, 0, -1) == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } - printf("testing srtp_protect and srtp_unprotect with encrypted extensions headers\n"); + printf("testing srtp_protect and srtp_unprotect with encrypted " + "extensions headers\n"); if (srtp_test(*policy, 1, -1) == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } printf("testing srtp_protect_rtcp and srtp_unprotect_rtcp\n"); if (srtcp_test(*policy, -1) == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } - printf("testing srtp_protect_rtp and srtp_unprotect_rtp with MKI index set to 0\n"); + printf("testing srtp_protect_rtp and srtp_unprotect_rtp with MKI " + "index set to 0\n"); if (srtp_test(*policy, 0, 0) == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } - printf("testing srtp_protect_rtp and srtp_unprotect_rtp with MKI index set to 1\n"); + printf("testing srtp_protect_rtp and srtp_unprotect_rtp with MKI " + "index set to 1\n"); if (srtp_test(*policy, 0, 1) == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } - printf("testing srtp_protect_rtcp and srtp_unprotect_rtcp with MKI index set to 0\n"); + printf("testing srtp_protect_rtcp and srtp_unprotect_rtcp with MKI " + "index set to 0\n"); if (srtcp_test(*policy, 0) == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } - printf("testing srtp_protect_rtcp and srtp_unprotect_rtcp with MKI index set to 1\n"); + printf("testing srtp_protect_rtcp and srtp_unprotect_rtcp with MKI " + "index set to 1\n"); if (srtcp_test(*policy, 1) == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } @@ -386,14 +373,15 @@ main (int argc, char *argv[]) printf("testing srtp_protect and srtp_unprotect with big policy\n"); if (srtp_test(big_policy, 0, -1) == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } - printf("testing srtp_protect and srtp_unprotect with big policy and encrypted extensions headers\n"); + printf("testing srtp_protect and srtp_unprotect with big policy and " + "encrypted extensions headers\n"); if (srtp_test(big_policy, 1, -1) == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } @@ -408,7 +396,7 @@ main (int argc, char *argv[]) "wildcard ssrc policy\n"); if (srtp_test(&wildcard_policy, 0, -1) == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } @@ -416,7 +404,7 @@ main (int argc, char *argv[]) "wildcard ssrc policy and encrypted extensions headers\n"); if (srtp_test(&wildcard_policy, 1, -1) == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } @@ -429,7 +417,7 @@ main (int argc, char *argv[]) "reference packet\n"); if (srtp_validate() == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } @@ -439,7 +427,7 @@ main (int argc, char *argv[]) "reference packet using GCM\n"); if (srtp_validate_gcm() == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } @@ -457,9 +445,10 @@ main (int argc, char *argv[]) #ifdef OPENSSL printf("testing srtp_protect and srtp_unprotect against " "reference packet with encrypted extension headers (GCM)\n"); - if (srtp_validate_encrypted_extensions_headers_gcm() == srtp_err_status_ok) { + if (srtp_validate_encrypted_extensions_headers_gcm() == + srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } @@ -473,7 +462,7 @@ main (int argc, char *argv[]) "reference packet (AES-256)\n"); if (srtp_validate_aes_256() == srtp_err_status_ok) { printf("passed\n\n"); - } else{ + } else { printf("failed\n"); exit(1); } @@ -485,7 +474,7 @@ main (int argc, char *argv[]) "packet with empty payload\n"); if (srtp_test_empty_payload() == srtp_err_status_ok) { printf("passed\n"); - } else{ + } else { printf("failed\n"); exit(1); } @@ -494,7 +483,7 @@ main (int argc, char *argv[]) "packet with empty payload (GCM)\n"); if (srtp_test_empty_payload_gcm() == srtp_err_status_ok) { printf("passed\n"); - } else{ + } else { printf("failed\n"); exit(1); } @@ -506,7 +495,7 @@ main (int argc, char *argv[]) printf("testing srtp_remove_stream()..."); if (srtp_test_remove_stream() == srtp_err_status_ok) { printf("passed\n"); - } else{ + } else { printf("failed\n"); exit(1); } @@ -565,7 +554,6 @@ main (int argc, char *argv[]) printf("failed\n"); exit(1); } - } if (do_timing_test) { @@ -598,7 +586,7 @@ main (int argc, char *argv[]) memset(&policy, 0, sizeof(policy)); srtp_crypto_policy_set_rtp_default(&policy.rtp); srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - policy.ssrc.type = ssrc_specific; + policy.ssrc.type = ssrc_specific; policy.ssrc.value = 0xdecafbad; policy.key = test_key; policy.ekt = NULL; @@ -612,28 +600,28 @@ main (int argc, char *argv[]) printf("codec\t\tlength (octets)\t\tsrtp instructions/second\n"); printf("G.711\t\t%d\t\t\t%e\n", 80, (double)mips_value * (80 * 8) / - srtp_bits_per_second(80, &policy) / .01 ); + srtp_bits_per_second(80, &policy) / .01); printf("G.711\t\t%d\t\t\t%e\n", 160, (double)mips_value * (160 * 8) / - srtp_bits_per_second(160, &policy) / .02); + srtp_bits_per_second(160, &policy) / .02); printf("G.726-32\t%d\t\t\t%e\n", 40, (double)mips_value * (40 * 8) / - srtp_bits_per_second(40, &policy) / .01 ); + srtp_bits_per_second(40, &policy) / .01); printf("G.726-32\t%d\t\t\t%e\n", 80, (double)mips_value * (80 * 8) / - srtp_bits_per_second(80, &policy) / .02); + srtp_bits_per_second(80, &policy) / .02); printf("G.729\t\t%d\t\t\t%e\n", 10, (double)mips_value * (10 * 8) / - srtp_bits_per_second(10, &policy) / .01 ); + srtp_bits_per_second(10, &policy) / .01); printf("G.729\t\t%d\t\t\t%e\n", 20, (double)mips_value * (20 * 8) / - srtp_bits_per_second(20, &policy) / .02 ); + srtp_bits_per_second(20, &policy) / .02); printf("Wideband\t%d\t\t\t%e\n", 320, (double)mips_value * (320 * 8) / - srtp_bits_per_second(320, &policy) / .01 ); + srtp_bits_per_second(320, &policy) / .01); printf("Wideband\t%d\t\t\t%e\n", 640, (double)mips_value * (640 * 8) / - srtp_bits_per_second(640, &policy) / .02 ); + srtp_bits_per_second(640, &policy) / .02); } status = srtp_shutdown(); @@ -645,8 +633,6 @@ main (int argc, char *argv[]) return 0; } - - /* * srtp_create_test_packet(len, ssrc) returns a pointer to a * (malloced) example RTP packet whose data field has the length given @@ -660,8 +646,9 @@ main (int argc, char *argv[]) * deallocated with the free() call once it is no longer needed. */ -srtp_hdr_t * -srtp_create_test_packet (int pkt_octet_len, uint32_t ssrc) +srtp_hdr_t *srtp_create_test_packet(int pkt_octet_len, + uint32_t ssrc, + int *pkt_len) { int i; uint8_t *buffer; @@ -669,23 +656,23 @@ srtp_create_test_packet (int pkt_octet_len, uint32_t ssrc) int bytes_in_hdr = 12; /* allocate memory for test packet */ - hdr = (srtp_hdr_t*)malloc(pkt_octet_len + bytes_in_hdr - + SRTP_MAX_TRAILER_LEN + 4); + hdr = (srtp_hdr_t *)malloc(pkt_octet_len + bytes_in_hdr + + SRTP_MAX_TRAILER_LEN + 4); if (!hdr) { return NULL; } - hdr->version = 2; /* RTP version two */ - hdr->p = 0; /* no padding needed */ - hdr->x = 0; /* no header extension */ - hdr->cc = 0; /* no CSRCs */ - hdr->m = 0; /* marker bit */ - hdr->pt = 0xf; /* payload type */ - hdr->seq = htons(0x1234); /* sequence number */ - hdr->ts = htonl(0xdecafbad); /* timestamp */ - hdr->ssrc = htonl(ssrc); /* synch. source */ + hdr->version = 2; /* RTP version two */ + hdr->p = 0; /* no padding needed */ + hdr->x = 0; /* no header extension */ + hdr->cc = 0; /* no CSRCs */ + hdr->m = 0; /* marker bit */ + hdr->pt = 0xf; /* payload type */ + hdr->seq = htons(0x1234); /* sequence number */ + hdr->ts = htonl(0xdecafbad); /* timestamp */ + hdr->ssrc = htonl(ssrc); /* synch. source */ - buffer = (uint8_t*)hdr; + buffer = (uint8_t *)hdr; buffer += bytes_in_hdr; /* set RTP data to 0xab */ @@ -698,85 +685,91 @@ srtp_create_test_packet (int pkt_octet_len, uint32_t ssrc) *buffer++ = 0xff; } + *pkt_len = bytes_in_hdr + pkt_octet_len; + return hdr; } -static srtp_hdr_t * -srtp_create_test_packet_extended (int pkt_octet_len, uint32_t ssrc, uint16_t seq, uint32_t ts) +static srtp_hdr_t *srtp_create_test_packet_extended(int pkt_octet_len, + uint32_t ssrc, + uint16_t seq, + uint32_t ts, + int *pkt_len) { - srtp_hdr_t *hdr; + srtp_hdr_t *hdr; - hdr = srtp_create_test_packet(pkt_octet_len, ssrc); - if (hdr == NULL) - return hdr; + hdr = srtp_create_test_packet(pkt_octet_len, ssrc, pkt_len); + if (hdr == NULL) + return hdr; - hdr->seq = htons(seq); - hdr->ts = htonl(ts); - return hdr; + hdr->seq = htons(seq); + hdr->ts = htonl(ts); + return hdr; } -srtp_hdr_t * -srtp_create_test_packet_ext_hdr(int pkt_octet_len, uint32_t ssrc) { - int i; - uint8_t *buffer; - srtp_hdr_t *hdr; - int bytes_in_hdr = 12; - uint8_t extension_header[12] = { - /* one-byte header */ - 0xbe, 0xde, - /* size */ - 0x00, 0x02, - /* id 1, length 1 (i.e. 2 bytes) */ - 0x11, - /* payload */ - 0xca, - 0xfe, - /* padding */ - 0x00, - /* id 2, length 0 (i.e. 1 byte) */ - 0x20, - /* payload */ - 0xba, - /* padding */ - 0x00, - 0x00 - }; - - /* allocate memory for test packet */ - hdr = (srtp_hdr_t*) malloc(pkt_octet_len + bytes_in_hdr - + sizeof(extension_header) + SRTP_MAX_TRAILER_LEN + 4); - if (!hdr) - return NULL; - - hdr->version = 2; /* RTP version two */ - hdr->p = 0; /* no padding needed */ - hdr->x = 1; /* no header extension */ - hdr->cc = 0; /* no CSRCs */ - hdr->m = 0; /* marker bit */ - hdr->pt = 0xf; /* payload type */ - hdr->seq = htons(0x1234); /* sequence number */ - hdr->ts = htonl(0xdecafbad); /* timestamp */ - hdr->ssrc = htonl(ssrc); /* synch. source */ - - buffer = (uint8_t *)hdr; - buffer += bytes_in_hdr; - - memcpy(buffer, extension_header, sizeof(extension_header)); - buffer += sizeof(extension_header); - - /* set RTP data to 0xab */ - for (i=0; i < pkt_octet_len; i++) - *buffer++ = 0xab; - - /* set post-data value to 0xffff to enable overrun checking */ - for (i=0; i < SRTP_MAX_TRAILER_LEN+4; i++) - *buffer++ = 0xff; - - return hdr; +srtp_hdr_t *srtp_create_test_packet_ext_hdr(int pkt_octet_len, + uint32_t ssrc, + int *pkt_len) +{ + int i; + uint8_t *buffer; + srtp_hdr_t *hdr; + int bytes_in_hdr = 12; + uint8_t extension_header[12] = { /* one-byte header */ + 0xbe, 0xde, + /* size */ + 0x00, 0x02, + /* id 1, length 1 (i.e. 2 bytes) */ + 0x11, + /* payload */ + 0xca, 0xfe, + /* padding */ + 0x00, + /* id 2, length 0 (i.e. 1 byte) */ + 0x20, + /* payload */ + 0xba, + /* padding */ + 0x00, 0x00 + }; + + /* allocate memory for test packet */ + hdr = (srtp_hdr_t *)malloc(pkt_octet_len + bytes_in_hdr + + sizeof(extension_header) + SRTP_MAX_TRAILER_LEN + + 4); + if (!hdr) + return NULL; + + hdr->version = 2; /* RTP version two */ + hdr->p = 0; /* no padding needed */ + hdr->x = 1; /* no header extension */ + hdr->cc = 0; /* no CSRCs */ + hdr->m = 0; /* marker bit */ + hdr->pt = 0xf; /* payload type */ + hdr->seq = htons(0x1234); /* sequence number */ + hdr->ts = htonl(0xdecafbad); /* timestamp */ + hdr->ssrc = htonl(ssrc); /* synch. source */ + + buffer = (uint8_t *)hdr; + buffer += bytes_in_hdr; + + memcpy(buffer, extension_header, sizeof(extension_header)); + buffer += sizeof(extension_header); + + /* set RTP data to 0xab */ + for (i = 0; i < pkt_octet_len; i++) + *buffer++ = 0xab; + + /* set post-data value to 0xffff to enable overrun checking */ + for (i = 0; i < SRTP_MAX_TRAILER_LEN + 4; i++) + *buffer++ = 0xff; + + *pkt_len = bytes_in_hdr + sizeof(extension_header) + pkt_octet_len; + + return hdr; } -void -srtp_do_timing (const srtp_policy_t *policy) +void srtp_do_timing(const srtp_policy_t *policy) { int len; @@ -796,11 +789,9 @@ srtp_do_timing (const srtp_policy_t *policy) /* these extra linefeeds let gnuplot know that a dataset is done */ printf("\r\n\r\n"); - } -void -srtp_do_rejection_timing (const srtp_policy_t *policy) +void srtp_do_rejection_timing(const srtp_policy_t *policy) { int len; @@ -819,21 +810,18 @@ srtp_do_rejection_timing (const srtp_policy_t *policy) /* these extra linefeeds let gnuplot know that a dataset is done */ printf("\r\n\r\n"); - } - #define MAX_MSG_LEN 1024 -double -srtp_bits_per_second (int msg_len_octets, const srtp_policy_t *policy) +double srtp_bits_per_second(int msg_len_octets, const srtp_policy_t *policy) { srtp_t srtp; srtp_hdr_t *mesg; int i; clock_t timer; int num_trials = 100000; - int len; + int input_len, len; uint32_t ssrc; srtp_err_status_t status; @@ -858,15 +846,13 @@ srtp_bits_per_second (int msg_len_octets, const srtp_policy_t *policy) /* * create a test packet */ - mesg = srtp_create_test_packet(msg_len_octets, ssrc); + mesg = srtp_create_test_packet(msg_len_octets, ssrc, &input_len); if (mesg == NULL) { return 0.0; /* indicate failure by returning zero */ - } timer = clock(); for (i = 0; i < num_trials; i++) { - len = msg_len_octets + 12; /* add in rtp header length */ - + len = input_len; /* srtp protect message */ status = srtp_protect(srtp, mesg, &len); if (status) { @@ -876,7 +862,8 @@ srtp_bits_per_second (int msg_len_octets, const srtp_policy_t *policy) /* increment message number */ { - /* hack sequence to avoid problems with macros for htons/ntohs on some systems */ + /* hack sequence to avoid problems with macros for htons/ntohs on + * some systems */ short new_seq = ntohs(mesg->seq) + 1; mesg->seq = htons(new_seq); } @@ -891,12 +878,11 @@ srtp_bits_per_second (int msg_len_octets, const srtp_policy_t *policy) exit(1); } - return (double)(msg_len_octets) * 8 * - num_trials * CLOCKS_PER_SEC / timer; + return (double)(msg_len_octets)*8 * num_trials * CLOCKS_PER_SEC / timer; } -double -srtp_rejections_per_second (int msg_len_octets, const srtp_policy_t *policy) +double srtp_rejections_per_second(int msg_len_octets, + const srtp_policy_t *policy) { srtp_ctx_t *srtp; srtp_hdr_t *mesg; @@ -916,18 +902,16 @@ srtp_rejections_per_second (int msg_len_octets, const srtp_policy_t *policy) exit(1); } - mesg = srtp_create_test_packet(msg_len_octets, ssrc); + mesg = srtp_create_test_packet(msg_len_octets, ssrc, &len); if (mesg == NULL) { return 0.0; /* indicate failure by returning zero */ - } - len = msg_len_octets; - srtp_protect(srtp, (srtp_hdr_t*)mesg, &len); + srtp_protect(srtp, (srtp_hdr_t *)mesg, &len); timer = clock(); for (i = 0; i < num_trials; i++) { len = msg_len_octets; - srtp_unprotect(srtp, (srtp_hdr_t*)mesg, &len); + srtp_unprotect(srtp, (srtp_hdr_t *)mesg, &len); } timer = clock() - timer; @@ -942,56 +926,67 @@ srtp_rejections_per_second (int msg_len_octets, const srtp_policy_t *policy) return (double)num_trials * CLOCKS_PER_SEC / timer; } - -void -err_check (srtp_err_status_t s) +void err_check(srtp_err_status_t s) { if (s == srtp_err_status_ok) { return; - } else{ + } else { fprintf(stderr, "error: unexpected srtp failure (code %d)\n", s); } exit(1); } -srtp_err_status_t -srtp_test_call_protect(srtp_t srtp_sender, srtp_hdr_t *hdr, int *len, int mki_index) { +srtp_err_status_t srtp_test_call_protect(srtp_t srtp_sender, + srtp_hdr_t *hdr, + int *len, + int mki_index) +{ if (mki_index == -1) { - return srtp_protect(srtp_sender, hdr, len); + return srtp_protect(srtp_sender, hdr, len); } else { - return srtp_protect_mki(srtp_sender, hdr, len, 1, mki_index); + return srtp_protect_mki(srtp_sender, hdr, len, 1, mki_index); } } -srtp_err_status_t -srtp_test_call_protect_rtcp(srtp_t srtp_sender, srtp_hdr_t *hdr, int *len, int mki_index) { +srtp_err_status_t srtp_test_call_protect_rtcp(srtp_t srtp_sender, + srtp_hdr_t *hdr, + int *len, + int mki_index) +{ if (mki_index == -1) { - return srtp_protect_rtcp(srtp_sender, hdr, len); + return srtp_protect_rtcp(srtp_sender, hdr, len); } else { - return srtp_protect_rtcp_mki(srtp_sender, hdr, len, 1, mki_index); + return srtp_protect_rtcp_mki(srtp_sender, hdr, len, 1, mki_index); } } -srtp_err_status_t -srtp_test_call_unprotect(srtp_t srtp_sender, srtp_hdr_t *hdr, int *len, int use_mki) { +srtp_err_status_t srtp_test_call_unprotect(srtp_t srtp_sender, + srtp_hdr_t *hdr, + int *len, + int use_mki) +{ if (use_mki == -1) { - return srtp_unprotect(srtp_sender, hdr, len); + return srtp_unprotect(srtp_sender, hdr, len); } else { - return srtp_unprotect_mki(srtp_sender, hdr, len, use_mki); + return srtp_unprotect_mki(srtp_sender, hdr, len, use_mki); } } -srtp_err_status_t -srtp_test_call_unprotect_rtcp(srtp_t srtp_sender, srtp_hdr_t *hdr, int *len, int use_mki) { +srtp_err_status_t srtp_test_call_unprotect_rtcp(srtp_t srtp_sender, + srtp_hdr_t *hdr, + int *len, + int use_mki) +{ if (use_mki == -1) { - return srtp_unprotect_rtcp(srtp_sender, hdr, len); + return srtp_unprotect_rtcp(srtp_sender, hdr, len); } else { - return srtp_unprotect_rtcp_mki(srtp_sender, hdr, len, use_mki); + return srtp_unprotect_rtcp_mki(srtp_sender, hdr, len, use_mki); } } -srtp_err_status_t -srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) +srtp_err_status_t srtp_test(const srtp_policy_t *policy, + int extension_header, + int mki_index) { int i; srtp_t srtp_sender; @@ -1000,9 +995,9 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) srtp_hdr_t *hdr, *hdr2; uint8_t hdr_enc[64]; uint8_t *pkt_end; - int msg_len_octets, msg_len_enc; - int len; - int tag_length = policy->rtp.auth_tag_len; + int msg_len_octets, msg_len_enc, msg_len; + int len, len2; + uint32_t tag_length; uint32_t ssrc; srtp_policy_t *rcvr_policy; srtp_policy_t tmp_policy; @@ -1010,7 +1005,7 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) int use_mki = 0; if (mki_index >= 0) - use_mki = 1; + use_mki = 1; if (extension_header) { memcpy(&tmp_policy, policy, sizeof(srtp_policy_t)); @@ -1031,18 +1026,21 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) */ if (policy->ssrc.type != ssrc_specific) { ssrc = 0xdecafbad; - } else{ + } else { ssrc = policy->ssrc.value; } msg_len_octets = 28; if (extension_header) { - hdr = srtp_create_test_packet_ext_hdr(msg_len_octets, ssrc); - hdr2 = srtp_create_test_packet_ext_hdr(msg_len_octets, ssrc); + hdr = srtp_create_test_packet_ext_hdr(msg_len_octets, ssrc, &len); + hdr2 = srtp_create_test_packet_ext_hdr(msg_len_octets, ssrc, &len2); } else { - hdr = srtp_create_test_packet(msg_len_octets, ssrc); - hdr2 = srtp_create_test_packet(msg_len_octets, ssrc); + hdr = srtp_create_test_packet(msg_len_octets, ssrc, &len); + hdr2 = srtp_create_test_packet(msg_len_octets, ssrc, &len2); } + /* save original msg len */ + msg_len = len; + if (hdr == NULL) { free(hdr2); return srtp_err_status_alloc_fail; @@ -1052,18 +1050,12 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) return srtp_err_status_alloc_fail; } - /* set message length */ - len = msg_len_octets; - if (extension_header) { - len += 12; - } - debug_print(mod_driver, "before protection:\n%s", srtp_packet_to_string(hdr, len)); #if PRINT_REFERENCE_PACKET debug_print(mod_driver, "reference packet before protection:\n%s", - octet_string_hex_string((uint8_t*)hdr, len)); + octet_string_hex_string((uint8_t *)hdr, len)); #endif err_check(srtp_test_call_protect(srtp_sender, hdr, &len, mki_index)); @@ -1071,7 +1063,7 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) srtp_packet_to_string(hdr, len)); #if PRINT_REFERENCE_PACKET debug_print(mod_driver, "after protection:\n%s", - octet_string_hex_string((uint8_t*)hdr, len)); + octet_string_hex_string((uint8_t *)hdr, len)); #endif /* save protected message and length */ @@ -1085,16 +1077,14 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) * data following the packet is different, then we know that the * protect function is overwriting the end of the packet. */ - pkt_end = (uint8_t*)hdr + sizeof(srtp_hdr_t) - + msg_len_octets + tag_length; - if (extension_header) { - pkt_end += 12; - } + err_check(srtp_get_protect_trailer_length(srtp_sender, use_mki, mki_index, + &tag_length)); + pkt_end = (uint8_t *)hdr + msg_len + tag_length; for (i = 0; i < 4; i++) { if (pkt_end[i] != 0xff) { fprintf(stdout, "overwrite in srtp_protect() function " - "(expected %x, found %x in trailing octet %d)\n", - 0xff, ((uint8_t*)hdr)[i], i); + "(expected %x, found %x in trailing octet %d)\n", + 0xff, ((uint8_t *)hdr)[i], i); free(hdr); free(hdr2); return srtp_err_status_algo_fail; @@ -1114,7 +1104,7 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) printf("testing that ciphertext is distinct from plaintext..."); status = srtp_err_status_algo_fail; for (i = 12; i < msg_len_octets + 12; i++) { - if (((uint8_t*)hdr)[i] != ((uint8_t*)hdr2)[i]) { + if (((uint8_t *)hdr)[i] != ((uint8_t *)hdr2)[i]) { status = srtp_err_status_ok; } } @@ -1134,7 +1124,7 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) * we always copy the policy into the rcvr_policy, since otherwise * the compiler would fret about the constness of the policy */ - rcvr_policy = (srtp_policy_t*)malloc(sizeof(srtp_policy_t)); + rcvr_policy = (srtp_policy_t *)malloc(sizeof(srtp_policy_t)); if (rcvr_policy == NULL) { free(hdr); free(hdr2); @@ -1160,8 +1150,8 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) srtp_packet_to_string(hdr, len)); /* verify that the unprotected packet matches the origial one */ - for (i = 0; i < msg_len_octets; i++) { - if (((uint8_t*)hdr)[i] != ((uint8_t*)hdr2)[i]) { + for (i = 0; i < len; i++) { + if (((uint8_t *)hdr)[i] != ((uint8_t *)hdr2)[i]) { fprintf(stdout, "mismatch at octet %d\n", i); status = srtp_err_status_algo_fail; } @@ -1177,15 +1167,13 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) * if the policy includes authentication, then test for false positives */ if (policy->rtp.sec_serv & sec_serv_auth) { - char *data = ((char*)hdr) + 12; + char *data = ((char *)hdr) + (extension_header ? 24 : 12); printf("testing for false positives in replay check..."); - /* set message length */ - len = msg_len_enc; - /* unprotect a second time - should fail with a replay error */ - status = srtp_test_call_unprotect(srtp_rcvr, hdr, &len, use_mki); + status = + srtp_test_call_unprotect(srtp_rcvr, hdr, &msg_len_enc, use_mki); if (status != srtp_err_status_replay_fail) { printf("failed with error code %d\n", status); free(hdr); @@ -1201,17 +1189,11 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) /* increment sequence number in header */ hdr->seq++; - /* set message length */ - len = msg_len_octets; - if (extension_header) { - len += 12; - } - /* apply protection */ err_check(srtp_test_call_protect(srtp_sender, hdr, &len, mki_index)); /* flip bits in packet */ - data[extension_header ? 12 : 0] ^= 0xff; + data[0] ^= 0xff; /* unprotect, and check for authentication failure */ status = srtp_test_call_unprotect(srtp_rcvr, hdr, &len, use_mki); @@ -1224,7 +1206,6 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) } else { printf("passed\n"); } - } err_check(srtp_dealloc(srtp_sender)); @@ -1236,9 +1217,7 @@ srtp_test (const srtp_policy_t *policy, int extension_header, int mki_index) return srtp_err_status_ok; } - -srtp_err_status_t -srtcp_test (const srtp_policy_t *policy, int mki_index) +srtp_err_status_t srtcp_test(const srtp_policy_t *policy, int mki_index) { int i; srtp_t srtcp_sender; @@ -1247,9 +1226,9 @@ srtcp_test (const srtp_policy_t *policy, int mki_index) srtp_hdr_t *hdr, *hdr2; uint8_t hdr_enc[64]; uint8_t *pkt_end; - int msg_len_octets, msg_len_enc; - int len; - int tag_length = policy->rtp.auth_tag_len; + int msg_len_octets, msg_len_enc, msg_len; + int len, len2; + uint32_t tag_length; uint32_t ssrc; srtp_policy_t *rcvr_policy; int use_mki = 0; @@ -1269,30 +1248,29 @@ srtcp_test (const srtp_policy_t *policy, int mki_index) */ if (policy->ssrc.type != ssrc_specific) { ssrc = 0xdecafbad; - } else{ + } else { ssrc = policy->ssrc.value; } msg_len_octets = 28; - hdr = srtp_create_test_packet(msg_len_octets, ssrc); + hdr = srtp_create_test_packet(msg_len_octets, ssrc, &len); + /* save message len */ + msg_len = len; if (hdr == NULL) { return srtp_err_status_alloc_fail; } - hdr2 = srtp_create_test_packet(msg_len_octets, ssrc); + hdr2 = srtp_create_test_packet(msg_len_octets, ssrc, &len2); if (hdr2 == NULL) { free(hdr); return srtp_err_status_alloc_fail; } - /* set message length */ - len = msg_len_octets; - debug_print(mod_driver, "before protection:\n%s", srtp_packet_to_string(hdr, len)); #if PRINT_REFERENCE_PACKET debug_print(mod_driver, "reference packet before protection:\n%s", - octet_string_hex_string((uint8_t*)hdr, len)); + octet_string_hex_string((uint8_t *)hdr, len)); #endif err_check(srtp_test_call_protect_rtcp(srtcp_sender, hdr, &len, mki_index)); @@ -1300,7 +1278,7 @@ srtcp_test (const srtp_policy_t *policy, int mki_index) srtp_packet_to_string(hdr, len)); #if PRINT_REFERENCE_PACKET debug_print(mod_driver, "after protection:\n%s", - octet_string_hex_string((uint8_t*)hdr, len)); + octet_string_hex_string((uint8_t *)hdr, len)); #endif /* save protected message and length */ @@ -1314,13 +1292,14 @@ srtcp_test (const srtp_policy_t *policy, int mki_index) * data following the packet is different, then we know that the * protect function is overwriting the end of the packet. */ - pkt_end = (uint8_t*)hdr + sizeof(srtp_hdr_t) - + msg_len_octets + tag_length; + srtp_get_protect_rtcp_trailer_length(srtcp_sender, use_mki, mki_index, + &tag_length); + pkt_end = (uint8_t *)hdr + msg_len + tag_length; for (i = 0; i < 4; i++) { if (pkt_end[i] != 0xff) { fprintf(stdout, "overwrite in srtp_protect_rtcp() function " - "(expected %x, found %x in trailing octet %d)\n", - 0xff, ((uint8_t*)hdr)[i], i); + "(expected %x, found %x in trailing octet %d)\n", + 0xff, ((uint8_t *)hdr)[i], i); free(hdr); free(hdr2); return srtp_err_status_algo_fail; @@ -1336,11 +1315,11 @@ srtcp_test (const srtp_policy_t *policy, int mki_index) * reason, we skip this check if the plaintext is less than four * octets long. */ - if ((policy->rtp.sec_serv & sec_serv_conf) && (msg_len_octets >= 4)) { + if ((policy->rtcp.sec_serv & sec_serv_conf) && (msg_len_octets >= 4)) { printf("testing that ciphertext is distinct from plaintext..."); status = srtp_err_status_algo_fail; for (i = 12; i < msg_len_octets + 12; i++) { - if (((uint8_t*)hdr)[i] != ((uint8_t*)hdr2)[i]) { + if (((uint8_t *)hdr)[i] != ((uint8_t *)hdr2)[i]) { status = srtp_err_status_ok; } } @@ -1360,7 +1339,7 @@ srtcp_test (const srtp_policy_t *policy, int mki_index) * we always copy the policy into the rcvr_policy, since otherwise * the compiler would fret about the constness of the policy */ - rcvr_policy = (srtp_policy_t*)malloc(sizeof(srtp_policy_t)); + rcvr_policy = (srtp_policy_t *)malloc(sizeof(srtp_policy_t)); if (rcvr_policy == NULL) { return srtp_err_status_alloc_fail; } @@ -1377,8 +1356,8 @@ srtcp_test (const srtp_policy_t *policy, int mki_index) srtp_packet_to_string(hdr, len)); /* verify that the unprotected packet matches the origial one */ - for (i = 0; i < msg_len_octets; i++) { - if (((uint8_t*)hdr)[i] != ((uint8_t*)hdr2)[i]) { + for (i = 0; i < len; i++) { + if (((uint8_t *)hdr)[i] != ((uint8_t *)hdr2)[i]) { fprintf(stdout, "mismatch at octet %d\n", i); status = srtp_err_status_algo_fail; } @@ -1394,15 +1373,13 @@ srtcp_test (const srtp_policy_t *policy, int mki_index) * if the policy includes authentication, then test for false positives */ if (policy->rtp.sec_serv & sec_serv_auth) { - char *data = ((char*)hdr) + 12; + char *data = ((char *)hdr) + 12; printf("testing for false positives in replay check..."); - /* set message length */ - len = msg_len_enc; - /* unprotect a second time - should fail with a replay error */ - status = srtp_test_call_unprotect_rtcp(srtcp_rcvr, hdr, &len, use_mki); + status = srtp_test_call_unprotect_rtcp(srtcp_rcvr, hdr, &msg_len_enc, + use_mki); if (status != srtp_err_status_replay_fail) { printf("failed with error code %d\n", status); free(hdr); @@ -1418,11 +1395,9 @@ srtcp_test (const srtp_policy_t *policy, int mki_index) /* increment sequence number in header */ hdr->seq++; - /* set message length */ - len = msg_len_octets; - /* apply protection */ - err_check(srtp_test_call_protect_rtcp(srtcp_sender, hdr, &len, mki_index)); + err_check( + srtp_test_call_protect_rtcp(srtcp_sender, hdr, &len, mki_index)); /* flip bits in packet */ data[0] ^= 0xff; @@ -1438,7 +1413,6 @@ srtcp_test (const srtp_policy_t *policy, int mki_index) } else { printf("passed\n"); } - } err_check(srtp_dealloc(srtcp_sender)); @@ -1450,21 +1424,11 @@ srtcp_test (const srtp_policy_t *policy, int mki_index) return srtp_err_status_ok; } - -srtp_err_status_t -srtp_session_print_policy (srtp_t srtp) +srtp_err_status_t srtp_session_print_policy(srtp_t srtp) { - char *serv_descr[4] = { - "none", - "confidentiality", - "authentication", - "confidentiality and authentication" - }; - char *direction[3] = { - "unknown", - "outbound", - "inbound" - }; + char *serv_descr[4] = { "none", "confidentiality", "authentication", + "confidentiality and authentication" }; + char *direction[3] = { "unknown", "outbound", "inbound" }; srtp_stream_t stream; srtp_session_keys_t *session_keys = NULL; @@ -1498,7 +1462,7 @@ srtp_session_print_policy (srtp_t srtp) printf("# Encrypted extension headers: "); if (stream->enc_xtn_hdr && stream->enc_xtn_hdr_count > 0) { - int* enc_xtn_hdr = stream->enc_xtn_hdr; + int *enc_xtn_hdr = stream->enc_xtn_hdr; int count = stream->enc_xtn_hdr_count; while (count > 0) { printf("%d ", *enc_xtn_hdr); @@ -1528,8 +1492,7 @@ srtp_session_print_policy (srtp_t srtp) "# rtcp services: %s\r\n" "# window size: %lu\r\n" "# tx rtx allowed:%s\r\n", - stream->ssrc, - session_keys->rtp_cipher->type->description, + stream->ssrc, session_keys->rtp_cipher->type->description, session_keys->rtp_auth->type->description, serv_descr[stream->rtp_services], session_keys->rtcp_cipher->type->description, @@ -1540,7 +1503,7 @@ srtp_session_print_policy (srtp_t srtp) printf("# Encrypted extension headers: "); if (stream->enc_xtn_hdr && stream->enc_xtn_hdr_count > 0) { - int* enc_xtn_hdr = stream->enc_xtn_hdr; + int *enc_xtn_hdr = stream->enc_xtn_hdr; int count = stream->enc_xtn_hdr_count; while (count > 0) { printf("%d ", *enc_xtn_hdr); @@ -1558,8 +1521,7 @@ srtp_session_print_policy (srtp_t srtp) return srtp_err_status_ok; } -srtp_err_status_t -srtp_print_policy (const srtp_policy_t *policy) +srtp_err_status_t srtp_print_policy(const srtp_policy_t *policy) { srtp_err_status_t status; srtp_t session; @@ -1592,11 +1554,10 @@ srtp_print_policy (const srtp_policy_t *policy) char packet_string[MTU]; -char * -srtp_packet_to_string (srtp_hdr_t *hdr, int pkt_octet_len) +char *srtp_packet_to_string(srtp_hdr_t *hdr, int pkt_octet_len) { int octets_in_rtp_header = 12; - uint8_t *data = ((uint8_t*)hdr) + octets_in_rtp_header; + uint8_t *data = ((uint8_t *)hdr) + octets_in_rtp_header; int hex_len = pkt_octet_len - octets_in_rtp_header; /* sanity checking */ @@ -1605,29 +1566,20 @@ srtp_packet_to_string (srtp_hdr_t *hdr, int pkt_octet_len) } /* write packet into string */ - sprintf(packet_string, - "(s)rtp packet: {\n" - " version:\t%d\n" - " p:\t\t%d\n" - " x:\t\t%d\n" - " cc:\t\t%d\n" - " m:\t\t%d\n" - " pt:\t\t%x\n" - " seq:\t\t%x\n" - " ts:\t\t%x\n" - " ssrc:\t%x\n" - " data:\t%s\n" - "} (%d octets in total)\n", - hdr->version, - hdr->p, - hdr->x, - hdr->cc, - hdr->m, - hdr->pt, - hdr->seq, - hdr->ts, - hdr->ssrc, - octet_string_hex_string(data, hex_len), + sprintf(packet_string, "(s)rtp packet: {\n" + " version:\t%d\n" + " p:\t\t%d\n" + " x:\t\t%d\n" + " cc:\t\t%d\n" + " m:\t\t%d\n" + " pt:\t\t%x\n" + " seq:\t\t%x\n" + " ts:\t\t%x\n" + " ssrc:\t%x\n" + " data:\t%s\n" + "} (%d octets in total)\n", + hdr->version, hdr->p, hdr->x, hdr->cc, hdr->m, hdr->pt, hdr->seq, + hdr->ts, hdr->ssrc, octet_string_hex_string(data, hex_len), pkt_octet_len); return packet_string; @@ -1643,8 +1595,7 @@ srtp_packet_to_string (srtp_hdr_t *hdr, int pkt_octet_len) * optimize away the function */ -double -mips_estimate (int num_trials, int *ignore) +double mips_estimate(int num_trials, int *ignore) { clock_t t; volatile int i, sum; @@ -1656,23 +1607,21 @@ mips_estimate (int num_trials, int *ignore) } t = clock() - t; -/* printf("%d\n", sum); */ + /* printf("%d\n", sum); */ *ignore = sum; return (double)num_trials * CLOCKS_PER_SEC / t; } - /* * srtp_validate() verifies the correctness of libsrtp by comparing * some computed packets against some pre-computed reference values. * These packets were made with the default SRTP policy. */ - -srtp_err_status_t -srtp_validate () +srtp_err_status_t srtp_validate() { + // clang-format off uint8_t srtp_plaintext_ref[28] = { 0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad, 0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab, @@ -1712,6 +1661,8 @@ srtp_validate () 0x80, 0x00, 0x00, 0x01, 0x99, 0x3e, 0x08, 0xcd, 0x54, 0xd6, 0xc1, 0x23, 0x07, 0x98 }; + // clang-format on + srtp_t srtp_snd, srtp_recv; srtp_err_status_t status; int len; @@ -1724,7 +1675,7 @@ srtp_validate () memset(&policy, 0, sizeof(policy)); srtp_crypto_policy_set_rtp_default(&policy.rtp); srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - policy.ssrc.type = ssrc_specific; + policy.ssrc.type = ssrc_specific; policy.ssrc.value = 0xcafebabe; policy.key = test_key; policy.ekt = NULL; @@ -1826,9 +1777,9 @@ srtp_validate () * srtp_validate_gcm() verifies the correctness of libsrtp by comparing * an computed packet against the known ciphertext for the plaintext. */ -srtp_err_status_t -srtp_validate_gcm () +srtp_err_status_t srtp_validate_gcm() { + // clang-format off unsigned char test_key_gcm[28] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, @@ -1878,6 +1829,7 @@ srtp_validate_gcm () 0xea, 0x31, 0x12, 0x3b, 0xa8, 0x8c, 0xe6, 0x1e, 0x80, 0x00, 0x00, 0x01 }; + // clang-format on srtp_t srtp_snd, srtp_recv; srtp_err_status_t status; @@ -1891,9 +1843,9 @@ srtp_validate_gcm () memset(&policy, 0, sizeof(policy)); srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtp); srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtcp); - policy.ssrc.type = ssrc_specific; + policy.ssrc.type = ssrc_specific; policy.ssrc.value = 0xcafebabe; - policy.key = test_key_gcm; + policy.key = test_key_gcm; policy.ekt = NULL; policy.window_size = 128; policy.allow_repeat_tx = 0; @@ -1993,8 +1945,9 @@ srtp_validate_gcm () /* * Test vectors taken from RFC 6904, Appendix A */ -srtp_err_status_t -srtp_validate_encrypted_extensions_headers() { +srtp_err_status_t srtp_validate_encrypted_extensions_headers() +{ + // clang-format off unsigned char test_key_ext_headers[30] = { 0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0, 0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39, @@ -2032,11 +1985,13 @@ srtp_validate_encrypted_extensions_headers() { 0x5a, 0x46, 0xb3, 0xca, 0x35, 0xc5, 0x35, 0xa8, 0x91, 0xc7 }; + // clang-format on + srtp_t srtp_snd, srtp_recv; srtp_err_status_t status; int len; srtp_policy_t policy; - int headers[3] = {1, 3, 4}; + int headers[3] = { 1, 3, 4 }; /* * create a session with a single stream using the default srtp @@ -2045,7 +2000,7 @@ srtp_validate_encrypted_extensions_headers() { memset(&policy, 0, sizeof(policy)); srtp_crypto_policy_set_rtp_default(&policy.rtp); srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - policy.ssrc.type = ssrc_specific; + policy.ssrc.type = ssrc_specific; policy.ssrc.value = 0xcafebabe; policy.key = test_key_ext_headers; policy.ekt = NULL; @@ -2108,14 +2063,14 @@ srtp_validate_encrypted_extensions_headers() { return srtp_err_status_ok; } - #ifdef OPENSSL /* * Headers of test vectors taken from RFC 6904, Appendix A */ -srtp_err_status_t -srtp_validate_encrypted_extensions_headers_gcm() { +srtp_err_status_t srtp_validate_encrypted_extensions_headers_gcm() +{ + // clang-format off unsigned char test_key_ext_headers[30] = { 0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0, 0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39, @@ -2151,11 +2106,13 @@ srtp_validate_encrypted_extensions_headers_gcm() { 0x6c, 0xd3, 0xd2, 0x88, 0xb4, 0x9f, 0x6c, 0xa9, 0xf4, 0xb1, 0xb7, 0x59, 0x71, 0x9e, 0xb5, 0xbc }; + // clang-format on + srtp_t srtp_snd, srtp_recv; srtp_err_status_t status; int len; srtp_policy_t policy; - int headers[3] = {1, 3, 4}; + int headers[3] = { 1, 3, 4 }; /* * create a session with a single stream using the default srtp @@ -2164,7 +2121,7 @@ srtp_validate_encrypted_extensions_headers_gcm() { memset(&policy, 0, sizeof(policy)); srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp); srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp); - policy.ssrc.type = ssrc_specific; + policy.ssrc.type = ssrc_specific; policy.ssrc.value = 0xcafebabe; policy.key = test_key_ext_headers; policy.ekt = NULL; @@ -2234,10 +2191,9 @@ srtp_validate_encrypted_extensions_headers_gcm() { * These packets were made with the AES-CM-256/HMAC-SHA-1-80 policy. */ - -srtp_err_status_t -srtp_validate_aes_256 () +srtp_err_status_t srtp_validate_aes_256() { + // clang-format off unsigned char aes_256_test_key[46] = { 0xf0, 0xf0, 0x49, 0x14, 0xb5, 0x13, 0xf2, 0x76, 0x3a, 0x1b, 0x1f, 0xa1, 0x30, 0xf1, 0x0e, 0x29, @@ -2267,6 +2223,8 @@ srtp_validate_aes_256 () 0xb0, 0xb4, 0xb4, 0x0d, 0xa0, 0x8d, 0x9d, 0x9a, 0x5b, 0x3a, 0x55, 0xd8, 0x87, 0x3b }; + // clang-format on + srtp_t srtp_snd, srtp_recv; srtp_err_status_t status; int len; @@ -2279,7 +2237,7 @@ srtp_validate_aes_256 () memset(&policy, 0, sizeof(policy)); srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtp); srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtcp); - policy.ssrc.type = ssrc_specific; + policy.ssrc.type = ssrc_specific; policy.ssrc.value = 0xcafebabe; policy.key = aes_256_test_key; policy.ekt = NULL; @@ -2345,9 +2303,7 @@ srtp_validate_aes_256 () return srtp_err_status_ok; } - -srtp_err_status_t -srtp_create_big_policy (srtp_policy_t **list) +srtp_err_status_t srtp_create_big_policy(srtp_policy_t **list) { extern const srtp_policy_t *policy_array[]; srtp_policy_t *p, *tmp; @@ -2365,7 +2321,7 @@ srtp_create_big_policy (srtp_policy_t **list) */ tmp = NULL; while (policy_array[i] != NULL) { - p = (srtp_policy_t*)malloc(sizeof(srtp_policy_t)); + p = (srtp_policy_t *)malloc(sizeof(srtp_policy_t)); if (p == NULL) { return srtp_err_status_bad_param; } @@ -2381,8 +2337,7 @@ srtp_create_big_policy (srtp_policy_t **list) return srtp_err_status_ok; } -srtp_err_status_t -srtp_dealloc_big_policy (srtp_policy_t *list) +srtp_err_status_t srtp_dealloc_big_policy(srtp_policy_t *list) { srtp_policy_t *p, *next; @@ -2394,8 +2349,7 @@ srtp_dealloc_big_policy (srtp_policy_t *list) return srtp_err_status_ok; } -srtp_err_status_t -srtp_test_empty_payload() +srtp_err_status_t srtp_test_empty_payload() { srtp_t srtp_snd, srtp_recv; srtp_err_status_t status; @@ -2410,7 +2364,7 @@ srtp_test_empty_payload() memset(&policy, 0, sizeof(policy)); srtp_crypto_policy_set_rtp_default(&policy.rtp); srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - policy.ssrc.type = ssrc_specific; + policy.ssrc.type = ssrc_specific; policy.ssrc.value = 0xcafebabe; policy.key = test_key; policy.ekt = NULL; @@ -2423,12 +2377,11 @@ srtp_test_empty_payload() return status; } - mesg = srtp_create_test_packet(0, policy.ssrc.value); + mesg = srtp_create_test_packet(0, policy.ssrc.value, &len); if (mesg == NULL) { return srtp_err_status_fail; } - len = 12; /* only the header */ status = srtp_protect(srtp_snd, mesg, &len); if (status) { return status; @@ -2472,8 +2425,7 @@ srtp_test_empty_payload() } #ifdef OPENSSL -srtp_err_status_t -srtp_test_empty_payload_gcm() +srtp_err_status_t srtp_test_empty_payload_gcm() { srtp_t srtp_snd, srtp_recv; srtp_err_status_t status; @@ -2488,7 +2440,7 @@ srtp_test_empty_payload_gcm() memset(&policy, 0, sizeof(policy)); srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp); srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp); - policy.ssrc.type = ssrc_specific; + policy.ssrc.type = ssrc_specific; policy.ssrc.value = 0xcafebabe; policy.key = test_key; policy.ekt = NULL; @@ -2501,12 +2453,11 @@ srtp_test_empty_payload_gcm() return status; } - mesg = srtp_create_test_packet(0, policy.ssrc.value); + mesg = srtp_create_test_packet(0, policy.ssrc.value, &len); if (mesg == NULL) { return srtp_err_status_fail; } - len = 12; /* only the header */ status = srtp_protect(srtp_snd, mesg, &len); if (status) { return status; @@ -2548,10 +2499,9 @@ srtp_test_empty_payload_gcm() return srtp_err_status_ok; } -#endif // OPENSSL +#endif // OPENSSL -srtp_err_status_t -srtp_test_remove_stream () +srtp_err_status_t srtp_test_remove_stream() { srtp_err_status_t status; srtp_policy_t *policy_list, policy; @@ -2565,7 +2515,6 @@ srtp_test_remove_stream () */ extern srtp_stream_t srtp_get_stream(srtp_t srtp, uint32_t ssrc); - status = srtp_create_big_policy(&policy_list); if (status) { return status; @@ -2616,7 +2565,7 @@ srtp_test_remove_stream () memset(&policy, 0, sizeof(policy)); srtp_crypto_policy_set_rtp_default(&policy.rtp); srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - policy.ssrc.type = ssrc_specific; + policy.ssrc.type = ssrc_specific; policy.ssrc.value = 0xcafebabe; policy.key = test_key; policy.ekt = NULL; @@ -2647,7 +2596,7 @@ srtp_test_remove_stream () return srtp_err_status_ok; } - +// clang-format off unsigned char test_alt_key[46] = { 0xe5, 0x19, 0x6f, 0x01, 0x5e, 0xf1, 0x9b, 0xe1, 0xd7, 0x47, 0xa7, 0x27, 0x07, 0xd7, 0x47, 0x33, @@ -2656,6 +2605,7 @@ unsigned char test_alt_key[46] = { 0xc7, 0x15, 0xe2, 0xea, 0xfe, 0x55, 0x67, 0x96, 0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6 }; +// clang-format on /* * srtp_test_update() verifies updating/rekeying exsisting streams. @@ -2664,748 +2614,776 @@ unsigned char test_alt_key[46] = { * atempts to prove that srtp_update does not reset the ROC. */ -srtp_err_status_t -srtp_test_update() { - - srtp_err_status_t status; - uint32_t ssrc = 0x12121212; - int msg_len_octets = 32; - int protected_msg_len_octets; - srtp_hdr_t * msg; - srtp_t srtp_snd, srtp_recv; - srtp_policy_t policy; - - memset(&policy, 0, sizeof(policy)); - srtp_crypto_policy_set_rtp_default(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - policy.ekt = NULL; - policy.window_size = 128; - policy.allow_repeat_tx = 0; - policy.next = NULL; - policy.ssrc.type = ssrc_any_outbound; - policy.key = test_key; - - /* create a send and recive ctx with defualt profile and test_key */ - status = srtp_create(&srtp_recv, &policy); - if (status) - return status; - - policy.ssrc.type = ssrc_any_inbound; - status = srtp_create(&srtp_snd, &policy); - if (status) - return status; - - /* protect and unprotect two msg's that will cause the ROC to be equal to 1 */ - msg = srtp_create_test_packet(msg_len_octets, ssrc); - if (msg == NULL) - return srtp_err_status_alloc_fail; - msg->seq = htons(65535); - - protected_msg_len_octets = msg_len_octets; - status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets); - if (status) - return srtp_err_status_fail; - - status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); - if (status) - return status; - - free(msg); - - msg = srtp_create_test_packet(msg_len_octets, ssrc); - if (msg == NULL) - return srtp_err_status_alloc_fail; - msg->seq = htons(1); - - protected_msg_len_octets = msg_len_octets; - status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets); - if (status) - return srtp_err_status_fail; - - status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); - if (status) - return status; - - free(msg); - - /* update send ctx with same test_key t verify update works*/ - policy.ssrc.type = ssrc_any_outbound; - policy.key = test_key; - status = srtp_update(srtp_snd, &policy); - if (status) - return status; - - msg = srtp_create_test_packet(msg_len_octets, ssrc); - if (msg == NULL) - return srtp_err_status_alloc_fail; - msg->seq = htons(2); - - protected_msg_len_octets = msg_len_octets; - status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets); - if (status) - return srtp_err_status_fail; - - status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); - if (status) - return status; - - free(msg); - - - /* update send ctx to use test_alt_key */ - policy.ssrc.type = ssrc_any_outbound; - policy.key = test_alt_key; - status = srtp_update(srtp_snd, &policy); - if (status) - return status; - - /* create and protect msg with new key and ROC still equal to 1 */ - msg = srtp_create_test_packet(msg_len_octets, ssrc); - if (msg == NULL) - return srtp_err_status_alloc_fail; - msg->seq = htons(3); - - protected_msg_len_octets = msg_len_octets; - status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets); - if (status) - return srtp_err_status_fail; - - /* verify that recive ctx will fail to unprotect as it still uses test_key */ - status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); - if (status == srtp_err_status_ok) - return srtp_err_status_fail; - - /* create a new recvieve ctx with test_alt_key but since it is new it will have ROC equal to 1 - * and therefore should fail to unprotected */ - { - srtp_t srtp_recv_roc_0; - - policy.ssrc.type = ssrc_any_inbound; +srtp_err_status_t srtp_test_update() +{ + srtp_err_status_t status; + uint32_t ssrc = 0x12121212; + int msg_len_octets = 32; + int protected_msg_len_octets; + srtp_hdr_t *msg; + srtp_t srtp_snd, srtp_recv; + srtp_policy_t policy; + + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + policy.ssrc.type = ssrc_any_outbound; + policy.key = test_key; + + /* create a send and recive ctx with defualt profile and test_key */ + status = srtp_create(&srtp_recv, &policy); + if (status) + return status; + + policy.ssrc.type = ssrc_any_inbound; + status = srtp_create(&srtp_snd, &policy); + if (status) + return status; + + /* protect and unprotect two msg's that will cause the ROC to be equal to 1 + */ + msg = srtp_create_test_packet(msg_len_octets, ssrc, + &protected_msg_len_octets); + if (msg == NULL) + return srtp_err_status_alloc_fail; + msg->seq = htons(65535); + + status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets); + if (status) + return srtp_err_status_fail; + + status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); + if (status) + return status; + + free(msg); + + msg = srtp_create_test_packet(msg_len_octets, ssrc, + &protected_msg_len_octets); + if (msg == NULL) + return srtp_err_status_alloc_fail; + msg->seq = htons(1); + + status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets); + if (status) + return srtp_err_status_fail; + + status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); + if (status) + return status; + + free(msg); + + /* update send ctx with same test_key t verify update works*/ + policy.ssrc.type = ssrc_any_outbound; + policy.key = test_key; + status = srtp_update(srtp_snd, &policy); + if (status) + return status; + + msg = srtp_create_test_packet(msg_len_octets, ssrc, + &protected_msg_len_octets); + if (msg == NULL) + return srtp_err_status_alloc_fail; + msg->seq = htons(2); + + status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets); + if (status) + return srtp_err_status_fail; + + status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); + if (status) + return status; + + free(msg); + + /* update send ctx to use test_alt_key */ + policy.ssrc.type = ssrc_any_outbound; policy.key = test_alt_key; - status = srtp_create(&srtp_recv_roc_0, &policy); + status = srtp_update(srtp_snd, &policy); if (status) - return status; + return status; - status = srtp_unprotect(srtp_recv_roc_0, msg, &protected_msg_len_octets); - if (status == srtp_err_status_ok) - return srtp_err_status_fail; + /* create and protect msg with new key and ROC still equal to 1 */ + msg = srtp_create_test_packet(msg_len_octets, ssrc, + &protected_msg_len_octets); + if (msg == NULL) + return srtp_err_status_alloc_fail; + msg->seq = htons(3); - status = srtp_dealloc(srtp_recv_roc_0); + status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets); if (status) - return status; - } + return srtp_err_status_fail; - /* update recive ctx to use test_alt_key */ - policy.ssrc.type = ssrc_any_inbound; - policy.key = test_alt_key; - status = srtp_update(srtp_recv, &policy); - if (status) - return status; + /* verify that recive ctx will fail to unprotect as it still uses test_key + */ + status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); + if (status == srtp_err_status_ok) + return srtp_err_status_fail; + + /* create a new recvieve ctx with test_alt_key but since it is new it will + * have ROC equal to 1 + * and therefore should fail to unprotected */ + { + srtp_t srtp_recv_roc_0; + + policy.ssrc.type = ssrc_any_inbound; + policy.key = test_alt_key; + status = srtp_create(&srtp_recv_roc_0, &policy); + if (status) + return status; + + status = + srtp_unprotect(srtp_recv_roc_0, msg, &protected_msg_len_octets); + if (status == srtp_err_status_ok) + return srtp_err_status_fail; + + status = srtp_dealloc(srtp_recv_roc_0); + if (status) + return status; + } + + /* update recive ctx to use test_alt_key */ + policy.ssrc.type = ssrc_any_inbound; + policy.key = test_alt_key; + status = srtp_update(srtp_recv, &policy); + if (status) + return status; - /* verify that can still unprotect, therfore key is updated and ROC value is preserved */ - status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); - if (status) - return status; + /* verify that can still unprotect, therfore key is updated and ROC value is + * preserved */ + status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets); + if (status) + return status; - free(msg); + free(msg); - status = srtp_dealloc(srtp_snd); - if (status) - return status; + status = srtp_dealloc(srtp_snd); + if (status) + return status; - status = srtp_dealloc(srtp_recv); - if (status) - return status; + status = srtp_dealloc(srtp_recv); + if (status) + return status; - return srtp_err_status_ok; + return srtp_err_status_ok; } -srtp_err_status_t -srtp_test_setup_protect_trailer_streams(srtp_t *srtp_send, srtp_t *srtp_send_mki, - srtp_t *srtp_send_aes_gcm, srtp_t *srtp_send_aes_gcm_mki) { +srtp_err_status_t srtp_test_setup_protect_trailer_streams( + srtp_t *srtp_send, + srtp_t *srtp_send_mki, + srtp_t *srtp_send_aes_gcm, + srtp_t *srtp_send_aes_gcm_mki) +{ + srtp_err_status_t status; + srtp_policy_t policy; + srtp_policy_t policy_mki; - srtp_err_status_t status; - srtp_policy_t policy; - srtp_policy_t policy_mki; #ifdef OPENSSL - srtp_policy_t policy_aes_gcm; - srtp_policy_t policy_aes_gcm_mki; + srtp_policy_t policy_aes_gcm; + srtp_policy_t policy_aes_gcm_mki; #endif // OPENSSL - memset(&policy, 0, sizeof(policy)); - srtp_crypto_policy_set_rtp_default(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - policy.ekt = NULL; - policy.window_size = 128; - policy.allow_repeat_tx = 0; - policy.next = NULL; - policy.ssrc.type = ssrc_any_outbound; - policy.key = test_key; - - memset(&policy_mki, 0, sizeof(policy_mki)); - srtp_crypto_policy_set_rtp_default(&policy_mki.rtp); - srtp_crypto_policy_set_rtcp_default(&policy_mki.rtcp); - policy_mki.ekt = NULL; - policy_mki.window_size = 128; - policy_mki.allow_repeat_tx = 0; - policy_mki.next = NULL; - policy_mki.ssrc.type = ssrc_any_outbound; - policy_mki.key = NULL; - policy_mki.keys = test_keys; - policy_mki.num_master_keys = 2; + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + policy.ekt = NULL; + policy.window_size = 128; + policy.allow_repeat_tx = 0; + policy.next = NULL; + policy.ssrc.type = ssrc_any_outbound; + policy.key = test_key; -#ifdef OPENSSL - memset(&policy_aes_gcm, 0, sizeof(policy_aes_gcm)); - srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm.rtp); - srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm.rtcp); - policy_aes_gcm.ekt = NULL; - policy_aes_gcm.window_size = 128; - policy_aes_gcm.allow_repeat_tx = 0; - policy_aes_gcm.next = NULL; - policy_aes_gcm.ssrc.type = ssrc_any_outbound; - policy_aes_gcm.key = test_key; - - memset(&policy_aes_gcm_mki, 0, sizeof(policy_aes_gcm_mki)); - srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm_mki.rtp); - srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm_mki.rtcp); - policy_aes_gcm_mki.ekt = NULL; - policy_aes_gcm_mki.window_size = 128; - policy_aes_gcm_mki.allow_repeat_tx = 0; - policy_aes_gcm_mki.next = NULL; - policy_aes_gcm_mki.ssrc.type = ssrc_any_outbound; - policy_aes_gcm_mki.key = NULL; - policy_aes_gcm_mki.keys = test_keys; - policy_aes_gcm_mki.num_master_keys = 2; + memset(&policy_mki, 0, sizeof(policy_mki)); + srtp_crypto_policy_set_rtp_default(&policy_mki.rtp); + srtp_crypto_policy_set_rtcp_default(&policy_mki.rtcp); + policy_mki.ekt = NULL; + policy_mki.window_size = 128; + policy_mki.allow_repeat_tx = 0; + policy_mki.next = NULL; + policy_mki.ssrc.type = ssrc_any_outbound; + policy_mki.key = NULL; + policy_mki.keys = test_keys; + policy_mki.num_master_keys = 2; +#ifdef OPENSSL + memset(&policy_aes_gcm, 0, sizeof(policy_aes_gcm)); + srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm.rtp); + srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm.rtcp); + policy_aes_gcm.ekt = NULL; + policy_aes_gcm.window_size = 128; + policy_aes_gcm.allow_repeat_tx = 0; + policy_aes_gcm.next = NULL; + policy_aes_gcm.ssrc.type = ssrc_any_outbound; + policy_aes_gcm.key = test_key; + + memset(&policy_aes_gcm_mki, 0, sizeof(policy_aes_gcm_mki)); + srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm_mki.rtp); + srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm_mki.rtcp); + policy_aes_gcm_mki.ekt = NULL; + policy_aes_gcm_mki.window_size = 128; + policy_aes_gcm_mki.allow_repeat_tx = 0; + policy_aes_gcm_mki.next = NULL; + policy_aes_gcm_mki.ssrc.type = ssrc_any_outbound; + policy_aes_gcm_mki.key = NULL; + policy_aes_gcm_mki.keys = test_keys; + policy_aes_gcm_mki.num_master_keys = 2; #endif - /* create a send ctx with defualt profile and test_key */ - status = srtp_create(srtp_send, &policy); - if (status) - return status; + /* create a send ctx with defualt profile and test_key */ + status = srtp_create(srtp_send, &policy); + if (status) + return status; - status = srtp_create(srtp_send_mki, &policy_mki); - if (status) - return status; + status = srtp_create(srtp_send_mki, &policy_mki); + if (status) + return status; #ifdef OPENSSL - status = srtp_create(srtp_send_aes_gcm, &policy_aes_gcm); - if (status) - return status; + status = srtp_create(srtp_send_aes_gcm, &policy_aes_gcm); + if (status) + return status; - status = srtp_create(srtp_send_aes_gcm_mki, &policy_aes_gcm_mki); - if (status) - return status; -#endif //OPENSSL + status = srtp_create(srtp_send_aes_gcm_mki, &policy_aes_gcm_mki); + if (status) + return status; +#endif // OPENSSL - return srtp_err_status_ok; + return srtp_err_status_ok; } -srtp_err_status_t -srtp_test_protect_trailer_length() { - - srtp_t srtp_send; - srtp_t srtp_send_mki; - srtp_t srtp_send_aes_gcm; - srtp_t srtp_send_aes_gcm_mki; - uint32_t length = 0; - srtp_err_status_t status; +srtp_err_status_t srtp_test_protect_trailer_length() +{ + srtp_t srtp_send; + srtp_t srtp_send_mki; + srtp_t srtp_send_aes_gcm; + srtp_t srtp_send_aes_gcm_mki; + uint32_t length = 0; + srtp_err_status_t status; - srtp_test_setup_protect_trailer_streams(&srtp_send, &srtp_send_mki, - &srtp_send_aes_gcm, &srtp_send_aes_gcm_mki); + srtp_test_setup_protect_trailer_streams( + &srtp_send, &srtp_send_mki, &srtp_send_aes_gcm, &srtp_send_aes_gcm_mki); - status = srtp_get_protect_trailer_length(srtp_send, 0, 0, &length); - if (status) - return status; + status = srtp_get_protect_trailer_length(srtp_send, 0, 0, &length); + if (status) + return status; - /* TAG Length: 10 bytes */ - if (length != 10) - return srtp_err_status_fail; + /* TAG Length: 10 bytes */ + if (length != 10) + return srtp_err_status_fail; - status = srtp_get_protect_trailer_length(srtp_send_mki, 1, 1, &length); - if (status) - return status; + status = srtp_get_protect_trailer_length(srtp_send_mki, 1, 1, &length); + if (status) + return status; - /* TAG Length: 10 bytes + MKI length: 4 bytes*/ - if (length != 14) - return srtp_err_status_fail; + /* TAG Length: 10 bytes + MKI length: 4 bytes*/ + if (length != 14) + return srtp_err_status_fail; #ifdef OPENSSL - status = srtp_get_protect_trailer_length(srtp_send_aes_gcm, 0, 0, &length); - if (status) - return status; + status = srtp_get_protect_trailer_length(srtp_send_aes_gcm, 0, 0, &length); + if (status) + return status; - /* TAG Length: 16 bytes */ - if (length != 16) - return srtp_err_status_fail; + /* TAG Length: 16 bytes */ + if (length != 16) + return srtp_err_status_fail; + status = + srtp_get_protect_trailer_length(srtp_send_aes_gcm_mki, 1, 1, &length); + if (status) + return status; - status = srtp_get_protect_trailer_length(srtp_send_aes_gcm_mki, 1, 1, &length); - if (status) - return status; + /* TAG Length: 16 bytes + MKI length: 4 bytes*/ + if (length != 20) + return srtp_err_status_fail; +#endif // OPENSSL - /* TAG Length: 16 bytes + MKI length: 4 bytes*/ - if (length != 20) - return srtp_err_status_fail; + srtp_dealloc(srtp_send); + srtp_dealloc(srtp_send_mki); +#ifdef OPENSSL + srtp_dealloc(srtp_send_aes_gcm); + srtp_dealloc(srtp_send_aes_gcm_mki); +#endif -#endif //OPENSSL - return srtp_err_status_ok; + return srtp_err_status_ok; } -srtp_err_status_t -srtp_test_protect_rtcp_trailer_length() { - - srtp_t srtp_send; - srtp_t srtp_send_mki; - srtp_t srtp_send_aes_gcm; - srtp_t srtp_send_aes_gcm_mki; - uint32_t length = 0; - srtp_err_status_t status; +srtp_err_status_t srtp_test_protect_rtcp_trailer_length() +{ + srtp_t srtp_send; + srtp_t srtp_send_mki; + srtp_t srtp_send_aes_gcm; + srtp_t srtp_send_aes_gcm_mki; + uint32_t length = 0; + srtp_err_status_t status; - srtp_test_setup_protect_trailer_streams(&srtp_send, &srtp_send_mki, - &srtp_send_aes_gcm, &srtp_send_aes_gcm_mki); + srtp_test_setup_protect_trailer_streams( + &srtp_send, &srtp_send_mki, &srtp_send_aes_gcm, &srtp_send_aes_gcm_mki); - status = srtp_get_protect_rtcp_trailer_length(srtp_send, 0, 0, &length); - if (status) - return status; + status = srtp_get_protect_rtcp_trailer_length(srtp_send, 0, 0, &length); + if (status) + return status; - /* TAG Length: 10 bytes + SRTCP Trailer 4 bytes*/ - if (length != 14) - return srtp_err_status_fail; + /* TAG Length: 10 bytes + SRTCP Trailer 4 bytes*/ + if (length != 14) + return srtp_err_status_fail; - status = srtp_get_protect_rtcp_trailer_length(srtp_send_mki, 1, 1, &length); - if (status) - return status; + status = srtp_get_protect_rtcp_trailer_length(srtp_send_mki, 1, 1, &length); + if (status) + return status; - /* TAG Length: 10 bytes + SRTCP Trailer 4 bytes + MKI 4 bytes*/ - if (length != 18) - return srtp_err_status_fail; + /* TAG Length: 10 bytes + SRTCP Trailer 4 bytes + MKI 4 bytes*/ + if (length != 18) + return srtp_err_status_fail; #ifdef OPENSSL - status = srtp_get_protect_rtcp_trailer_length(srtp_send_aes_gcm, 0, 0, &length); - if (status) - return status; + status = + srtp_get_protect_rtcp_trailer_length(srtp_send_aes_gcm, 0, 0, &length); + if (status) + return status; - /* TAG Length: 16 bytes + SRTCP Trailer 4 bytes*/ - if (length != 20) - return srtp_err_status_fail; + /* TAG Length: 16 bytes + SRTCP Trailer 4 bytes*/ + if (length != 20) + return srtp_err_status_fail; + status = srtp_get_protect_rtcp_trailer_length(srtp_send_aes_gcm_mki, 1, 1, + &length); + if (status) + return status; - status = srtp_get_protect_rtcp_trailer_length(srtp_send_aes_gcm_mki, 1, 1, &length); - if (status) - return status; + /* TAG Length: 16 bytes + SRTCP Trailer 4 bytes + MKI 4 bytes*/ + if (length != 24) + return srtp_err_status_fail; +#endif // OPENSSL - /* TAG Length: 16 bytes + SRTCP Trailer 4 bytes + MKI 4 bytes*/ - if (length != 24) - return srtp_err_status_fail; + srtp_dealloc(srtp_send); + srtp_dealloc(srtp_send_mki); +#ifdef OPENSSL + srtp_dealloc(srtp_send_aes_gcm); + srtp_dealloc(srtp_send_aes_gcm_mki); +#endif -#endif //OPENSSL - return srtp_err_status_ok; + return srtp_err_status_ok; } -srtp_err_status_t -srtp_test_get_roc() { - srtp_err_status_t status; - srtp_policy_t policy; - srtp_t session; - srtp_hdr_t *pkt; - uint32_t i; - uint32_t roc; - uint32_t ts; - uint16_t seq; - - int msg_len_octets = 32; - int protected_msg_len_octets; - - memset(&policy, 0, sizeof(policy)); - srtp_crypto_policy_set_rtp_default(&policy.rtp); - srtp_crypto_policy_set_rtcp_default(&policy.rtcp); - policy.ssrc.type = ssrc_specific; - policy.ssrc.value = 0xcafebabe; - policy.key = test_key; - policy.window_size = 128; - - /* Create a sender session */ - status = srtp_create(&session, &policy); - if (status) { - return status; - } - - /* Set start sequence so we roll over */ - seq = 65535; - ts = 0; - - for (i = 0; i < 2; i++) { - pkt = srtp_create_test_packet_extended(msg_len_octets, policy.ssrc.value, seq, ts); - protected_msg_len_octets = msg_len_octets; - status = srtp_protect(session, pkt, &protected_msg_len_octets); - free(pkt); +srtp_err_status_t srtp_test_get_roc() +{ + srtp_err_status_t status; + srtp_policy_t policy; + srtp_t session; + srtp_hdr_t *pkt; + uint32_t i; + uint32_t roc; + uint32_t ts; + uint16_t seq; + + int msg_len_octets = 32; + int protected_msg_len_octets; + + memset(&policy, 0, sizeof(policy)); + srtp_crypto_policy_set_rtp_default(&policy.rtp); + srtp_crypto_policy_set_rtcp_default(&policy.rtcp); + policy.ssrc.type = ssrc_specific; + policy.ssrc.value = 0xcafebabe; + policy.key = test_key; + policy.window_size = 128; + + /* Create a sender session */ + status = srtp_create(&session, &policy); if (status) { - return status; + return status; } - status = srtp_get_stream_roc(session, policy.ssrc.value, &roc); + /* Set start sequence so we roll over */ + seq = 65535; + ts = 0; + + for (i = 0; i < 2; i++) { + pkt = srtp_create_test_packet_extended(msg_len_octets, + policy.ssrc.value, seq, ts, + &protected_msg_len_octets); + status = srtp_protect(session, pkt, &protected_msg_len_octets); + free(pkt); + if (status) { + return status; + } + + status = srtp_get_stream_roc(session, policy.ssrc.value, &roc); + if (status) { + return status; + } + + if (roc != i) { + return srtp_err_status_fail; + } + + seq++; + ts++; + } + + /* Cleanup */ + status = srtp_dealloc(session); + if (status) { + return status; + } + + return srtp_err_status_ok; +} + +static srtp_err_status_t test_set_receiver_roc(uint32_t packets, + uint32_t roc_to_set) +{ + srtp_err_status_t status; + + srtp_policy_t sender_policy; + srtp_t sender_session; + + srtp_policy_t receiver_policy; + srtp_t receiver_session; + + srtp_hdr_t *pkt_1; + unsigned char *recv_pkt_1; + + srtp_hdr_t *pkt_2; + unsigned char *recv_pkt_2; + + uint32_t i; + uint32_t ts; + uint16_t seq; + + int msg_len_octets = 32; + int protected_msg_len_octets_1; + int protected_msg_len_octets_2; + + /* Create sender */ + memset(&sender_policy, 0, sizeof(sender_policy)); + srtp_crypto_policy_set_rtp_default(&sender_policy.rtp); + srtp_crypto_policy_set_rtcp_default(&sender_policy.rtcp); + sender_policy.ssrc.type = ssrc_specific; + sender_policy.ssrc.value = 0xcafebabe; + sender_policy.key = test_key; + sender_policy.window_size = 128; + + status = srtp_create(&sender_session, &sender_policy); if (status) { - return status; + return status; } - if (roc != i) { - return srtp_err_status_fail; + /* Create and protect packets */ + seq = 0; + ts = 0; + for (i = 0; i < packets; i++) { + srtp_hdr_t *tmp_pkt; + int tmp_len; + + tmp_pkt = srtp_create_test_packet_extended( + msg_len_octets, sender_policy.ssrc.value, seq, ts, &tmp_len); + status = srtp_protect(sender_session, tmp_pkt, &tmp_len); + free(tmp_pkt); + if (status) { + return status; + } + seq++; + ts++; } + /* Create the first packet to decrypt and test for ROC change */ + pkt_1 = srtp_create_test_packet_extended(msg_len_octets, + sender_policy.ssrc.value, seq, ts, + &protected_msg_len_octets_1); + status = srtp_protect(sender_session, pkt_1, &protected_msg_len_octets_1); + if (status) { + return status; + } + + /* Create the second packet to decrypt and test for ROC change */ seq++; ts++; - } + pkt_2 = srtp_create_test_packet_extended(msg_len_octets, + sender_policy.ssrc.value, seq, ts, + &protected_msg_len_octets_2); + status = srtp_protect(sender_session, pkt_2, &protected_msg_len_octets_2); + if (status) { + return status; + } - /* Cleanup */ - status = srtp_dealloc(session); - if (status) { - return status; - } + /* Create the receiver */ + memset(&receiver_policy, 0, sizeof(receiver_policy)); + srtp_crypto_policy_set_rtp_default(&receiver_policy.rtp); + srtp_crypto_policy_set_rtcp_default(&receiver_policy.rtcp); + receiver_policy.ssrc.type = ssrc_specific; + receiver_policy.ssrc.value = sender_policy.ssrc.value; + receiver_policy.key = test_key; + receiver_policy.window_size = 128; + + status = srtp_create(&receiver_session, &receiver_policy); + if (status) { + return status; + } + + /* Make a copy of the first sent protected packet */ + recv_pkt_1 = malloc(protected_msg_len_octets_1); + if (recv_pkt_1 == NULL) { + return srtp_err_status_fail; + } + memcpy(recv_pkt_1, pkt_1, protected_msg_len_octets_1); + + /* Make a copy of the second sent protected packet */ + recv_pkt_2 = malloc(protected_msg_len_octets_2); + if (recv_pkt_2 == NULL) { + return srtp_err_status_fail; + } + memcpy(recv_pkt_2, pkt_2, protected_msg_len_octets_2); + + /* Set the ROC to the wanted value */ + status = srtp_set_stream_roc(receiver_session, receiver_policy.ssrc.value, + roc_to_set); + if (status) { + return status; + } - return srtp_err_status_ok; + /* Unprotect the first packet */ + status = srtp_unprotect(receiver_session, recv_pkt_1, + &protected_msg_len_octets_1); + if (status) { + return status; + } + + /* Unprotect the second packet */ + status = srtp_unprotect(receiver_session, recv_pkt_2, + &protected_msg_len_octets_2); + if (status) { + return status; + } + + /* Cleanup */ + status = srtp_dealloc(sender_session); + if (status) { + return status; + } + + status = srtp_dealloc(receiver_session); + if (status) { + return status; + } + + free(pkt_1); + free(recv_pkt_1); + free(pkt_2); + free(recv_pkt_2); + + return srtp_err_status_ok; } -static srtp_err_status_t -test_set_receiver_roc(uint32_t packets, uint32_t roc_to_set) +static srtp_err_status_t test_set_sender_roc(uint16_t seq, uint32_t roc_to_set) { - srtp_err_status_t status; + srtp_err_status_t status; + + srtp_policy_t sender_policy; + srtp_t sender_session; + + srtp_policy_t receiver_policy; + srtp_t receiver_session; - srtp_policy_t sender_policy; - srtp_t sender_session; + srtp_hdr_t *pkt; + unsigned char *recv_pkt; + + uint32_t ts; + + int msg_len_octets = 32; + int protected_msg_len_octets; + + /* Create sender */ + memset(&sender_policy, 0, sizeof(sender_policy)); + srtp_crypto_policy_set_rtp_default(&sender_policy.rtp); + srtp_crypto_policy_set_rtcp_default(&sender_policy.rtcp); + sender_policy.ssrc.type = ssrc_specific; + sender_policy.ssrc.value = 0xcafebabe; + sender_policy.key = test_key; + sender_policy.window_size = 128; + + status = srtp_create(&sender_session, &sender_policy); + if (status) { + return status; + } - srtp_policy_t receiver_policy; - srtp_t receiver_session; + /* Set the ROC before encrypting the first packet */ + status = srtp_set_stream_roc(sender_session, sender_policy.ssrc.value, + roc_to_set); + if (status != srtp_err_status_ok) { + return status; + } - srtp_hdr_t *pkt_1; - unsigned char *recv_pkt_1; + /* Create the packet to decrypt */ + ts = 0; + pkt = srtp_create_test_packet_extended(msg_len_octets, + sender_policy.ssrc.value, seq, ts, + &protected_msg_len_octets); + status = srtp_protect(sender_session, pkt, &protected_msg_len_octets); + if (status) { + return status; + } - srtp_hdr_t *pkt_2; - unsigned char *recv_pkt_2; + /* Create the receiver */ + memset(&receiver_policy, 0, sizeof(receiver_policy)); + srtp_crypto_policy_set_rtp_default(&receiver_policy.rtp); + srtp_crypto_policy_set_rtcp_default(&receiver_policy.rtcp); + receiver_policy.ssrc.type = ssrc_specific; + receiver_policy.ssrc.value = sender_policy.ssrc.value; + receiver_policy.key = test_key; + receiver_policy.window_size = 128; - uint32_t i; - uint32_t ts; - uint16_t seq; + status = srtp_create(&receiver_session, &receiver_policy); + if (status) { + return status; + } - int msg_len_octets = 32; - int protected_msg_len_octets_1; - int protected_msg_len_octets_2; + /* Make a copy of the sent protected packet */ + recv_pkt = malloc(protected_msg_len_octets); + if (recv_pkt == NULL) { + return srtp_err_status_fail; + } + memcpy(recv_pkt, pkt, protected_msg_len_octets); - /* Create sender */ - memset(&sender_policy, 0, sizeof(sender_policy)); - srtp_crypto_policy_set_rtp_default(&sender_policy.rtp); - srtp_crypto_policy_set_rtcp_default(&sender_policy.rtcp); - sender_policy.ssrc.type = ssrc_specific; - sender_policy.ssrc.value = 0xcafebabe; - sender_policy.key = test_key; - sender_policy.window_size = 128; + /* Set the ROC to the wanted value */ + status = srtp_set_stream_roc(receiver_session, receiver_policy.ssrc.value, + roc_to_set); + if (status) { + return status; + } - status = srtp_create(&sender_session, &sender_policy); - if (status) { - return status; - } + status = + srtp_unprotect(receiver_session, recv_pkt, &protected_msg_len_octets); + if (status) { + return status; + } - /* Create and protect packets */ - seq = 0; - ts = 0; - for (i = 0; i < packets; i++) { - srtp_hdr_t *tmp_pkt; - int tmp_len; + /* Cleanup */ + status = srtp_dealloc(sender_session); + if (status) { + return status; + } - tmp_pkt = srtp_create_test_packet_extended(msg_len_octets, sender_policy.ssrc.value, seq, ts); - tmp_len = msg_len_octets; - status = srtp_protect(sender_session, tmp_pkt, &tmp_len); - free(tmp_pkt); + status = srtp_dealloc(receiver_session); if (status) { - return status; + return status; } - seq++; - ts++; - } - - /* Create the first packet to decrypt and test for ROC change */ - pkt_1 = srtp_create_test_packet_extended(msg_len_octets, sender_policy.ssrc.value, seq, ts); - protected_msg_len_octets_1 = msg_len_octets; - status = srtp_protect(sender_session, pkt_1, &protected_msg_len_octets_1); - if (status) { - return status; - } - - /* Create the second packet to decrypt and test for ROC change */ - seq++; - ts++; - pkt_2 = srtp_create_test_packet_extended(msg_len_octets, sender_policy.ssrc.value, seq, ts); - protected_msg_len_octets_2 = msg_len_octets; - status = srtp_protect(sender_session, pkt_2, &protected_msg_len_octets_2); - if (status) { - return status; - } - - /* Create the receiver */ - memset(&receiver_policy, 0, sizeof(receiver_policy)); - srtp_crypto_policy_set_rtp_default(&receiver_policy.rtp); - srtp_crypto_policy_set_rtcp_default(&receiver_policy.rtcp); - receiver_policy.ssrc.type = ssrc_specific; - receiver_policy.ssrc.value = sender_policy.ssrc.value; - receiver_policy.key = test_key; - receiver_policy.window_size = 128; - - status = srtp_create(&receiver_session, &receiver_policy); - if (status) { - return status; - } - - /* Make a copy of the first sent protected packet */ - recv_pkt_1 = malloc(protected_msg_len_octets_1); - if (recv_pkt_1 == NULL) { - return srtp_err_status_fail; - } - memcpy(recv_pkt_1, pkt_1, protected_msg_len_octets_1); - - /* Make a copy of the second sent protected packet */ - recv_pkt_2 = malloc(protected_msg_len_octets_2); - if (recv_pkt_2 == NULL) { - return srtp_err_status_fail; - } - memcpy(recv_pkt_2, pkt_2, protected_msg_len_octets_2); - - /* Set the ROC to the wanted value */ - status = srtp_set_stream_roc(receiver_session, receiver_policy.ssrc.value, roc_to_set); - if (status) { - return status; - } - - /* Unprotect the first packet */ - status = srtp_unprotect(receiver_session, recv_pkt_1, &protected_msg_len_octets_1); - if (status) { - return status; - } - - /* Unprotect the second packet */ - status = srtp_unprotect(receiver_session, recv_pkt_2, &protected_msg_len_octets_2); - if (status) { - return status; - } - - /* Cleanup */ - status = srtp_dealloc(sender_session); - if (status) { - return status; - } - - status = srtp_dealloc(receiver_session); - if (status) { - return status; - } - - free(pkt_1); - free(recv_pkt_1); - free(pkt_2); - free(recv_pkt_2); - - return srtp_err_status_ok; + + free(pkt); + free(recv_pkt); + + return srtp_err_status_ok; } -static srtp_err_status_t -test_set_sender_roc(uint16_t seq, uint32_t roc_to_set) +srtp_err_status_t srtp_test_set_receiver_roc() { - srtp_err_status_t status; - - srtp_policy_t sender_policy; - srtp_t sender_session; - - srtp_policy_t receiver_policy; - srtp_t receiver_session; - - srtp_hdr_t *pkt; - unsigned char *recv_pkt; - - uint32_t ts; - - int msg_len_octets = 32; - int protected_msg_len_octets; - - /* Create sender */ - memset(&sender_policy, 0, sizeof(sender_policy)); - srtp_crypto_policy_set_rtp_default(&sender_policy.rtp); - srtp_crypto_policy_set_rtcp_default(&sender_policy.rtcp); - sender_policy.ssrc.type = ssrc_specific; - sender_policy.ssrc.value = 0xcafebabe; - sender_policy.key = test_key; - sender_policy.window_size = 128; - - status = srtp_create(&sender_session, &sender_policy); - if (status) { - return status; - } - - /* Set the ROC before encrypting the first packet */ - status = srtp_set_stream_roc(sender_session, sender_policy.ssrc.value, roc_to_set); - if (status != srtp_err_status_ok) { - return status; - } - - /* Create the packet to decrypt */ - ts = 0; - pkt = srtp_create_test_packet_extended(msg_len_octets, sender_policy.ssrc.value, seq, ts); - protected_msg_len_octets = msg_len_octets; - status = srtp_protect(sender_session, pkt, &protected_msg_len_octets); - if (status) { - return status; - } - - /* Create the receiver */ - memset(&receiver_policy, 0, sizeof(receiver_policy)); - srtp_crypto_policy_set_rtp_default(&receiver_policy.rtp); - srtp_crypto_policy_set_rtcp_default(&receiver_policy.rtcp); - receiver_policy.ssrc.type = ssrc_specific; - receiver_policy.ssrc.value = sender_policy.ssrc.value; - receiver_policy.key = test_key; - receiver_policy.window_size = 128; - - status = srtp_create(&receiver_session, &receiver_policy); - if (status) { - return status; - } - - /* Make a copy of the sent protected packet */ - recv_pkt = malloc(protected_msg_len_octets); - if (recv_pkt == NULL) { - return srtp_err_status_fail; - } - memcpy(recv_pkt, pkt, protected_msg_len_octets); - - /* Set the ROC to the wanted value */ - status = srtp_set_stream_roc(receiver_session, receiver_policy.ssrc.value, roc_to_set); - if (status) { - return status; - } - - status = srtp_unprotect(receiver_session, recv_pkt, &protected_msg_len_octets); - if (status) { - return status; - } - - /* Cleanup */ - status = srtp_dealloc(sender_session); - if (status) { - return status; - } - - status = srtp_dealloc(receiver_session); - if (status) { - return status; - } - - free(pkt); - free(recv_pkt); - - return srtp_err_status_ok; -} + int packets; + uint32_t roc; + srtp_err_status_t status; + + /* First test does not rollover */ + packets = 1; + roc = 0; + + status = test_set_receiver_roc(packets - 1, roc); + if (status) { + return status; + } + + status = test_set_receiver_roc(packets, roc); + if (status) { + return status; + } + + status = test_set_receiver_roc(packets + 1, roc); + if (status) { + return status; + } + + status = test_set_receiver_roc(packets + 60000, roc); + if (status) { + return status; + } + + /* Second test should rollover */ + packets = 65535; + roc = 0; + + status = test_set_receiver_roc(packets - 1, roc); + if (status) { + return status; + } + + status = test_set_receiver_roc(packets, roc); + if (status) { + return status; + } + + /* Now the rollover counter should be 1 */ + roc = 1; + status = test_set_receiver_roc(packets + 1, roc); + if (status) { + return status; + } + + status = test_set_receiver_roc(packets + 60000, roc); + if (status) { + return status; + } -srtp_err_status_t -srtp_test_set_receiver_roc() { - int packets; - uint32_t roc; - srtp_err_status_t status; - - /* First test does not rollover */ - packets = 1; - roc = 0; - - status = test_set_receiver_roc(packets - 1, roc); - if (status) { - return status; - } - - status = test_set_receiver_roc(packets, roc); - if (status) { - return status; - } - - status = test_set_receiver_roc(packets + 1, roc); - if (status) { - return status; - } - - status = test_set_receiver_roc(packets + 60000, roc); - if (status) { - return status; - } - - /* Second test should rollover */ - packets = 65535; - roc = 0; - - status = test_set_receiver_roc(packets - 1, roc); - if (status) { - return status; - } - - status = test_set_receiver_roc(packets, roc); - if (status) { - return status; - } - - /* Now the rollover counter should be 1 */ - roc = 1; - status = test_set_receiver_roc(packets + 1, roc); - if (status) { - return status; - } - - status = test_set_receiver_roc(packets + 60000, roc); - if (status) { - return status; - } - - return srtp_err_status_ok; + return srtp_err_status_ok; } -srtp_err_status_t -srtp_test_set_sender_roc() { - uint32_t roc; - uint16_t seq; - srtp_err_status_t status; - - seq = 43210; - roc = 0; - status = test_set_sender_roc(seq, roc); - if (status) { - return status; - } - - roc = 65535; - status = test_set_sender_roc(seq, roc); - if (status) { - return status; - } - - roc = 0xffff; - status = test_set_sender_roc(seq, roc); - if (status) { - return status; - } - - roc = 0xffff00; - status = test_set_sender_roc(seq, roc); - if (status) { - return status; - } - - roc = 0xfffffff0; - status = test_set_sender_roc(seq, roc); - if (status) { - return status; - } - - return srtp_err_status_ok; +srtp_err_status_t srtp_test_set_sender_roc() +{ + uint32_t roc; + uint16_t seq; + srtp_err_status_t status; + + seq = 43210; + roc = 0; + status = test_set_sender_roc(seq, roc); + if (status) { + return status; + } + + roc = 65535; + status = test_set_sender_roc(seq, roc); + if (status) { + return status; + } + + roc = 0xffff; + status = test_set_sender_roc(seq, roc); + if (status) { + return status; + } + + roc = 0xffff00; + status = test_set_sender_roc(seq, roc); + if (status) { + return status; + } + + roc = 0xfffffff0; + status = test_set_sender_roc(seq, roc); + if (status) { + return status; + } + + return srtp_err_status_ok; } /* * srtp policy definitions - these definitions are used above */ +// clang-format off unsigned char test_key[46] = { 0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0, 0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39, @@ -3431,241 +3409,253 @@ unsigned char test_mki_id[TEST_MKI_ID_SIZE] = { unsigned char test_mki_id_2[TEST_MKI_ID_SIZE] = { 0xf3, 0xa1, 0x46, 0x71 }; +// clang-format on const srtp_policy_t default_policy = { - { ssrc_any_outbound, 0 }, /* SSRC */ - { /* SRTP policy */ - SRTP_AES_ICM_128, /* cipher type */ + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_ICM_128, /* cipher type */ SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_HMAC_SHA1, /* authentication func type */ - 16, /* auth key length in octets */ - 10, /* auth tag length in octets */ - sec_serv_conf_and_auth /* security services flag */ + SRTP_HMAC_SHA1, /* authentication func type */ + 16, /* auth key length in octets */ + 10, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ }, - { /* SRTCP policy */ - SRTP_AES_ICM_128, /* cipher type */ + { + /* SRTCP policy */ + SRTP_AES_ICM_128, /* cipher type */ SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_HMAC_SHA1, /* authentication func type */ - 16, /* auth key length in octets */ - 10, /* auth tag length in octets */ - sec_serv_conf_and_auth /* security services flag */ + SRTP_HMAC_SHA1, /* authentication func type */ + 16, /* auth key length in octets */ + 10, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ }, NULL, (srtp_master_key_t **)test_keys, - 2, /* indicates the number of Master keys */ - NULL, /* indicates that EKT is not in use */ - 128, /* replay window size */ - 0, /* retransmission not allowed */ - NULL, /* no encrypted extension headers */ - 0, /* list of encrypted extension headers is empty */ + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ NULL }; const srtp_policy_t aes_only_policy = { { ssrc_any_outbound, 0 }, /* SSRC */ { - SRTP_AES_ICM_128, /* cipher type */ + SRTP_AES_ICM_128, /* cipher type */ SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_NULL_AUTH, /* authentication func type */ - 0, /* auth key length in octets */ - 0, /* auth tag length in octets */ - sec_serv_conf /* security services flag */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 0, /* auth tag length in octets */ + sec_serv_conf /* security services flag */ }, { - SRTP_AES_ICM_128, /* cipher type */ + SRTP_AES_ICM_128, /* cipher type */ SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_NULL_AUTH, /* authentication func type */ - 0, /* auth key length in octets */ - 0, /* auth tag length in octets */ - sec_serv_conf /* security services flag */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 0, /* auth tag length in octets */ + sec_serv_conf /* security services flag */ }, NULL, (srtp_master_key_t **)test_keys, - 2, /* indicates the number of Master keys */ - NULL, /* indicates that EKT is not in use */ - 128, /* replay window size */ - 0, /* retransmission not allowed */ - NULL, /* no encrypted extension headers */ - 0, /* list of encrypted extension headers is empty */ + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ NULL }; const srtp_policy_t hmac_only_policy = { - { ssrc_any_outbound, 0 }, /* SSRC */ + { ssrc_any_outbound, 0 }, /* SSRC */ { - SRTP_NULL_CIPHER, /* cipher type */ - 0, /* cipher key length in octets */ - SRTP_HMAC_SHA1, /* authentication func type */ - 20, /* auth key length in octets */ - 4, /* auth tag length in octets */ - sec_serv_auth /* security services flag */ + SRTP_NULL_CIPHER, /* cipher type */ + 0, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 4, /* auth tag length in octets */ + sec_serv_auth /* security services flag */ }, { - SRTP_NULL_CIPHER, /* cipher type */ - 0, /* cipher key length in octets */ - SRTP_HMAC_SHA1, /* authentication func type */ - 20, /* auth key length in octets */ - 4, /* auth tag length in octets */ - sec_serv_auth /* security services flag */ + SRTP_NULL_CIPHER, /* cipher type */ + 0, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 4, /* auth tag length in octets */ + sec_serv_auth /* security services flag */ }, NULL, (srtp_master_key_t **)test_keys, - 2, /* Number of Master keys associated with the policy */ - NULL, /* indicates that EKT is not in use */ - 128, /* replay window size */ - 0, /* retransmission not allowed */ - NULL, /* no encrypted extension headers */ - 0, /* list of encrypted extension headers is empty */ + 2, /* Number of Master keys associated with the policy */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ NULL }; #ifdef OPENSSL const srtp_policy_t aes128_gcm_8_policy = { - { ssrc_any_outbound, 0 }, /* SSRC */ - { /* SRTP policy */ - SRTP_AES_GCM_128, /* cipher type */ + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_GCM_128, /* cipher type */ SRTP_AES_GCM_128_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_NULL_AUTH, /* authentication func type */ + SRTP_NULL_AUTH, /* authentication func type */ 0, /* auth key length in octets */ 8, /* auth tag length in octets */ sec_serv_conf_and_auth /* security services flag */ }, - { /* SRTCP policy */ - SRTP_AES_GCM_128, /* cipher type */ + { + /* SRTCP policy */ + SRTP_AES_GCM_128, /* cipher type */ SRTP_AES_GCM_128_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_NULL_AUTH, /* authentication func type */ + SRTP_NULL_AUTH, /* authentication func type */ 0, /* auth key length in octets */ 8, /* auth tag length in octets */ sec_serv_conf_and_auth /* security services flag */ }, NULL, (srtp_master_key_t **)test_keys, - 2, /* indicates the number of Master keys */ - NULL, /* indicates that EKT is not in use */ - 128, /* replay window size */ - 0, /* retransmission not allowed */ - NULL, /* no encrypted extension headers */ - 0, /* list of encrypted extension headers is empty */ + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ NULL }; const srtp_policy_t aes128_gcm_8_cauth_policy = { - { ssrc_any_outbound, 0 }, /* SSRC */ - { /* SRTP policy */ - SRTP_AES_GCM_128, /* cipher type */ + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_GCM_128, /* cipher type */ SRTP_AES_GCM_128_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_NULL_AUTH, /* authentication func type */ + SRTP_NULL_AUTH, /* authentication func type */ 0, /* auth key length in octets */ 8, /* auth tag length in octets */ sec_serv_conf_and_auth /* security services flag */ }, - { /* SRTCP policy */ - SRTP_AES_GCM_128, /* cipher type */ + { + /* SRTCP policy */ + SRTP_AES_GCM_128, /* cipher type */ SRTP_AES_GCM_128_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_NULL_AUTH, /* authentication func type */ + SRTP_NULL_AUTH, /* authentication func type */ 0, /* auth key length in octets */ 8, /* auth tag length in octets */ sec_serv_auth /* security services flag */ }, NULL, (srtp_master_key_t **)test_keys, - 2, /* indicates the number of Master keys */ - NULL, /* indicates that EKT is not in use */ - 128, /* replay window size */ - 0, /* retransmission not allowed */ - NULL, /* no encrypted extension headers */ - 0, /* list of encrypted extension headers is empty */ + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ NULL }; const srtp_policy_t aes256_gcm_8_policy = { - { ssrc_any_outbound, 0 }, /* SSRC */ - { /* SRTP policy */ - SRTP_AES_GCM_256, /* cipher type */ + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_GCM_256, /* cipher type */ SRTP_AES_GCM_256_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_NULL_AUTH, /* authentication func type */ + SRTP_NULL_AUTH, /* authentication func type */ 0, /* auth key length in octets */ 8, /* auth tag length in octets */ sec_serv_conf_and_auth /* security services flag */ }, - { /* SRTCP policy */ - SRTP_AES_GCM_256, /* cipher type */ + { + /* SRTCP policy */ + SRTP_AES_GCM_256, /* cipher type */ SRTP_AES_GCM_256_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_NULL_AUTH, /* authentication func type */ + SRTP_NULL_AUTH, /* authentication func type */ 0, /* auth key length in octets */ 8, /* auth tag length in octets */ sec_serv_conf_and_auth /* security services flag */ }, NULL, (srtp_master_key_t **)test_keys, - 2, /* indicates the number of Master keys */ - NULL, /* indicates that EKT is not in use */ - 128, /* replay window size */ - 0, /* retransmission not allowed */ - NULL, /* no encrypted extension headers */ - 0, /* list of encrypted extension headers is empty */ + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ NULL }; const srtp_policy_t aes256_gcm_8_cauth_policy = { - { ssrc_any_outbound, 0 }, /* SSRC */ - { /* SRTP policy */ - SRTP_AES_GCM_256, /* cipher type */ + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_GCM_256, /* cipher type */ SRTP_AES_GCM_256_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_NULL_AUTH, /* authentication func type */ + SRTP_NULL_AUTH, /* authentication func type */ 0, /* auth key length in octets */ 8, /* auth tag length in octets */ sec_serv_conf_and_auth /* security services flag */ }, - { /* SRTCP policy */ - SRTP_AES_GCM_256, /* cipher type */ + { + /* SRTCP policy */ + SRTP_AES_GCM_256, /* cipher type */ SRTP_AES_GCM_256_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_NULL_AUTH, /* authentication func type */ + SRTP_NULL_AUTH, /* authentication func type */ 0, /* auth key length in octets */ 8, /* auth tag length in octets */ sec_serv_auth /* security services flag */ }, NULL, (srtp_master_key_t **)test_keys, - 2, /* indicates the number of Master keys */ - NULL, /* indicates that EKT is not in use */ - 128, /* replay window size */ - 0, /* retransmission not allowed */ - NULL, /* no encrypted extension headers */ - 0, /* list of encrypted extension headers is empty */ + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ NULL }; #endif const srtp_policy_t null_policy = { - { ssrc_any_outbound, 0 }, /* SSRC */ + { ssrc_any_outbound, 0 }, /* SSRC */ { - SRTP_NULL_CIPHER, /* cipher type */ - 0, /* cipher key length in octets */ - SRTP_NULL_AUTH, /* authentication func type */ - 0, /* auth key length in octets */ - 0, /* auth tag length in octets */ - sec_serv_none /* security services flag */ + SRTP_NULL_CIPHER, /* cipher type */ + 0, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 0, /* auth tag length in octets */ + sec_serv_none /* security services flag */ }, { - SRTP_NULL_CIPHER, /* cipher type */ - 0, /* cipher key length in octets */ - SRTP_NULL_AUTH, /* authentication func type */ - 0, /* auth key length in octets */ - 0, /* auth tag length in octets */ - sec_serv_none /* security services flag */ + SRTP_NULL_CIPHER, /* cipher type */ + 0, /* cipher key length in octets */ + SRTP_NULL_AUTH, /* authentication func type */ + 0, /* auth key length in octets */ + 0, /* auth tag length in octets */ + sec_serv_none /* security services flag */ }, NULL, (srtp_master_key_t **)test_keys, - 2, /* indicates the number of Master keys */ - NULL, /* indicates that EKT is not in use */ - 128, /* replay window size */ - 0, /* retransmission not allowed */ - NULL, /* no encrypted extension headers */ - 0, /* list of encrypted extension headers is empty */ + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ NULL }; +// clang-format off unsigned char test_256_key[46] = { 0xf0, 0xf0, 0x49, 0x14, 0xb5, 0x13, 0xf2, 0x76, 0x3a, 0x1b, 0x1f, 0xa1, 0x30, 0xf1, 0x0e, 0x29, @@ -3701,80 +3691,86 @@ srtp_master_key_t *test_256_keys[2] = { &master_key_1, &master_key_2 }; +// clang-format on const srtp_policy_t aes_256_hmac_policy = { - { ssrc_any_outbound, 0 }, /* SSRC */ - { /* SRTP policy */ + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ SRTP_AES_ICM_256, /* cipher type */ SRTP_AES_ICM_256_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_HMAC_SHA1, /* authentication func type */ - 20, /* auth key length in octets */ - 10, /* auth tag length in octets */ - sec_serv_conf_and_auth /* security services flag */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 10, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ }, - { /* SRTCP policy */ + { + /* SRTCP policy */ SRTP_AES_ICM_256, /* cipher type */ SRTP_AES_ICM_256_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_HMAC_SHA1, /* authentication func type */ - 20, /* auth key length in octets */ - 10, /* auth tag length in octets */ - sec_serv_conf_and_auth /* security services flag */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 10, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ }, NULL, (srtp_master_key_t **)test_256_keys, - 2, /* indicates the number of Master keys */ - NULL, /* indicates that EKT is not in use */ - 128, /* replay window size */ - 0, /* retransmission not allowed */ - NULL, /* no encrypted extension headers */ - 0, /* list of encrypted extension headers is empty */ + 2, /* indicates the number of Master keys */ + NULL, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ NULL }; +// clang-format off uint8_t ekt_test_key[16] = { 0x77, 0x26, 0x9d, 0xac, 0x16, 0xa3, 0x28, 0xca, 0x8e, 0xc9, 0x68, 0x4b, 0xcc, 0xc4, 0xd2, 0x1b }; +// clang-format on #include "ekt.h" +// clang-format off srtp_ekt_policy_ctx_t ekt_test_policy = { 0xa5a5, /* SPI */ SRTP_EKT_CIPHER_AES_128_ECB, ekt_test_key, NULL }; +// clang-format on const srtp_policy_t hmac_only_with_ekt_policy = { - { ssrc_any_outbound, 0 }, /* SSRC */ + { ssrc_any_outbound, 0 }, /* SSRC */ { - SRTP_NULL_CIPHER, /* cipher type */ - 0, /* cipher key length in octets */ - SRTP_HMAC_SHA1, /* authentication func type */ - 20, /* auth key length in octets */ - 4, /* auth tag length in octets */ - sec_serv_auth /* security services flag */ + SRTP_NULL_CIPHER, /* cipher type */ + 0, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 4, /* auth tag length in octets */ + sec_serv_auth /* security services flag */ }, { - SRTP_NULL_CIPHER, /* cipher type */ - 0, /* cipher key length in octets */ - SRTP_HMAC_SHA1, /* authentication func type */ - 20, /* auth key length in octets */ - 4, /* auth tag length in octets */ - sec_serv_auth /* security services flag */ + SRTP_NULL_CIPHER, /* cipher type */ + 0, /* cipher key length in octets */ + SRTP_HMAC_SHA1, /* authentication func type */ + 20, /* auth key length in octets */ + 4, /* auth tag length in octets */ + sec_serv_auth /* security services flag */ }, NULL, (srtp_master_key_t **)test_keys, - 2, /* indicates the number of Master keys */ - &ekt_test_policy, /* indicates that EKT is not in use */ - 128, /* replay window size */ - 0, /* retransmission not allowed */ - NULL, /* no encrypted extension headers */ - 0, /* list of encrypted extension headers is empty */ + 2, /* indicates the number of Master keys */ + &ekt_test_policy, /* indicates that EKT is not in use */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ NULL }; - /* * an array of pointers to the policies listed above * @@ -3785,8 +3781,8 @@ const srtp_policy_t hmac_only_with_ekt_policy = { * add to this list, you should do it at the end. */ -const srtp_policy_t * -policy_array[] = { +// clang-format off +const srtp_policy_t *policy_array[] = { &hmac_only_policy, &aes_only_policy, &default_policy, @@ -3801,32 +3797,35 @@ policy_array[] = { &hmac_only_with_ekt_policy, NULL }; +// clang-format on const srtp_policy_t wildcard_policy = { - { ssrc_any_outbound, 0 }, /* SSRC */ - { /* SRTP policy */ - SRTP_AES_ICM_128, /* cipher type */ + { ssrc_any_outbound, 0 }, /* SSRC */ + { + /* SRTP policy */ + SRTP_AES_ICM_128, /* cipher type */ SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_HMAC_SHA1, /* authentication func type */ - 16, /* auth key length in octets */ - 10, /* auth tag length in octets */ - sec_serv_conf_and_auth /* security services flag */ + SRTP_HMAC_SHA1, /* authentication func type */ + 16, /* auth key length in octets */ + 10, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ }, - { /* SRTCP policy */ - SRTP_AES_ICM_128, /* cipher type */ + { + /* SRTCP policy */ + SRTP_AES_ICM_128, /* cipher type */ SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */ - SRTP_HMAC_SHA1, /* authentication func type */ - 16, /* auth key length in octets */ - 10, /* auth tag length in octets */ - sec_serv_conf_and_auth /* security services flag */ + SRTP_HMAC_SHA1, /* authentication func type */ + 16, /* auth key length in octets */ + 10, /* auth tag length in octets */ + sec_serv_conf_and_auth /* security services flag */ }, test_key, NULL, 0, NULL, - 128, /* replay window size */ - 0, /* retransmission not allowed */ - NULL, /* no encrypted extension headers */ - 0, /* list of encrypted extension headers is empty */ + 128, /* replay window size */ + 0, /* retransmission not allowed */ + NULL, /* no encrypted extension headers */ + 0, /* list of encrypted extension headers is empty */ NULL }; diff --git a/libs/srtp/test/test_srtp.c b/libs/srtp/test/test_srtp.c index 22565573dc..cdc9b5d5b7 100644 --- a/libs/srtp/test/test_srtp.c +++ b/libs/srtp/test/test_srtp.c @@ -72,13 +72,13 @@ void srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number(void); * item is the test function. */ -TEST_LIST = {{"srtp_calc_aead_iv_srtcp_all_zero_input_yield_zero_output()", - srtp_calc_aead_iv_srtcp_all_zero_input_yield_zero_output}, - {"srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param()", - srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param}, - {"srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number()", - srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number}, - {NULL} /* End of tests */}; +TEST_LIST = { { "srtp_calc_aead_iv_srtcp_all_zero_input_yield_zero_output()", + srtp_calc_aead_iv_srtcp_all_zero_input_yield_zero_output }, + { "srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param()", + srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param }, + { "srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number()", + srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number }, + { NULL } /* End of tests */ }; /* * Implementation. @@ -146,9 +146,9 @@ void srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param() */ void srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number() { +#define SAMPLE_COUNT (3) // Preconditions // Test each significant bit high in each full byte. - #define SAMPLE_COUNT (3) srtp_session_keys_t session_keys; srtcp_hdr_t header; v128_t output_iv[SAMPLE_COUNT]; @@ -173,13 +173,13 @@ void srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number() size_t i = 0; for (i = 0; i < SAMPLE_COUNT; i++) { TEST_CHECK(srtp_calc_aead_iv_srtcp(&session_keys, &output_iv[i], - sequence_num[i], &header) - == srtp_err_status_ok); + sequence_num[i], + &header) == srtp_err_status_ok); } // Then all IVs are as expected for (i = 0; i < SAMPLE_COUNT; i++) { TEST_CHECK(memcmp(&final_iv[i], &output_iv[i], sizeof(v128_t)) == 0); } - #undef SAMPLE_COUNT +#undef SAMPLE_COUNT } diff --git a/libs/srtp/test/util.c b/libs/srtp/test/util.c index 752a6a4c7a..eb203f4c4a 100644 --- a/libs/srtp/test/util.c +++ b/libs/srtp/test/util.c @@ -49,38 +49,61 @@ char bit_string[MAX_PRINT_STRING_LEN]; -static inline int hex_char_to_nibble (uint8_t c) +static inline int hex_char_to_nibble(uint8_t c) { switch (c) { - case ('0'): return 0x0; - case ('1'): return 0x1; - case ('2'): return 0x2; - case ('3'): return 0x3; - case ('4'): return 0x4; - case ('5'): return 0x5; - case ('6'): return 0x6; - case ('7'): return 0x7; - case ('8'): return 0x8; - case ('9'): return 0x9; - case ('a'): return 0xa; - case ('A'): return 0xa; - case ('b'): return 0xb; - case ('B'): return 0xb; - case ('c'): return 0xc; - case ('C'): return 0xc; - case ('d'): return 0xd; - case ('D'): return 0xd; - case ('e'): return 0xe; - case ('E'): return 0xe; - case ('f'): return 0xf; - case ('F'): return 0xf; - default: return -1; /* this flags an error */ + case ('0'): + return 0x0; + case ('1'): + return 0x1; + case ('2'): + return 0x2; + case ('3'): + return 0x3; + case ('4'): + return 0x4; + case ('5'): + return 0x5; + case ('6'): + return 0x6; + case ('7'): + return 0x7; + case ('8'): + return 0x8; + case ('9'): + return 0x9; + case ('a'): + return 0xa; + case ('A'): + return 0xa; + case ('b'): + return 0xb; + case ('B'): + return 0xb; + case ('c'): + return 0xc; + case ('C'): + return 0xc; + case ('d'): + return 0xd; + case ('D'): + return 0xd; + case ('e'): + return 0xe; + case ('E'): + return 0xe; + case ('f'): + return 0xf; + case ('F'): + return 0xf; + default: + return -1; /* this flags an error */ } /* NOTREACHED */ return -1; /* this keeps compilers from complaining */ } -uint8_t nibble_to_hex_char (uint8_t nibble) +uint8_t nibble_to_hex_char(uint8_t nibble) { char buf[16] = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; @@ -92,7 +115,7 @@ uint8_t nibble_to_hex_char (uint8_t nibble) * hex_string_to_octet_string converts a hexadecimal string * of length 2 * len to a raw octet string of length len */ -int hex_string_to_octet_string (char *raw, char *hex, int len) +int hex_string_to_octet_string(char *raw, char *hex, int len) { uint8_t x; int tmp; @@ -118,9 +141,9 @@ int hex_string_to_octet_string (char *raw, char *hex, int len) return hex_len; } -char * octet_string_hex_string (const void *s, int length) +char *octet_string_hex_string(const void *s, int length) { - const uint8_t *str = (const uint8_t*)s; + const uint8_t *str = (const uint8_t *)s; int i; /* double length, since one octet takes two hex characters */ @@ -132,7 +155,7 @@ char * octet_string_hex_string (const void *s, int length) } for (i = 0; i < length; i += 2) { - bit_string[i] = nibble_to_hex_char(*str >> 4); + bit_string[i] = nibble_to_hex_char(*str >> 4); bit_string[i + 1] = nibble_to_hex_char(*str++ & 0xF); } bit_string[i] = 0; /* null terminate string */ @@ -142,9 +165,9 @@ char * octet_string_hex_string (const void *s, int length) static const char b64chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz0123456789+/"; -static int base64_block_to_octet_triple (char *out, char *in) +static int base64_block_to_octet_triple(char *out, char *in) { - unsigned char sextets[4] = {0}; + unsigned char sextets[4] = { 0 }; int j = 0; int i; @@ -152,7 +175,9 @@ static int base64_block_to_octet_triple (char *out, char *in) char *p = strchr(b64chars, in[i]); if (p != NULL) { sextets[i] = p - b64chars; - } else{ j++; } + } else { + j++; + } } out[0] = (sextets[0] << 2) | (sextets[1] >> 4); @@ -165,7 +190,7 @@ static int base64_block_to_octet_triple (char *out, char *in) return j; } -int base64_string_to_octet_string (char *out, int *pad, char *in, int len) +int base64_string_to_octet_string(char *out, int *pad, char *in, int len) { int k = 0; int i = 0; diff --git a/libs/srtp/test/util.h b/libs/srtp/test/util.h index db58c24661..d04b279b3a 100644 --- a/libs/srtp/test/util.h +++ b/libs/srtp/test/util.h @@ -47,7 +47,7 @@ #define MAX_PRINT_STRING_LEN 1024 int hex_string_to_octet_string(char *raw, char *hex, int len); -char * octet_string_hex_string(const void *s, int length); +char *octet_string_hex_string(const void *s, int length); int base64_string_to_octet_string(char *raw, int *pad, char *base64, int len); #endif diff --git a/w32/Library/FreeSwitchCore.2017.vcxproj b/w32/Library/FreeSwitchCore.2017.vcxproj index 6bd0c5d7af..ad130400aa 100644 --- a/w32/Library/FreeSwitchCore.2017.vcxproj +++ b/w32/Library/FreeSwitchCore.2017.vcxproj @@ -112,6 +112,7 @@ <ItemDefinitionGroup> <ClCompile> <AdditionalIncludeDirectories>..\..\libs\apr\include\arch\win32;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> + <PreprocessorDefinitions>HAVE_WINSOCK2_H;%(PreprocessorDefinitions)</PreprocessorDefinitions> </ClCompile> <PostBuildEvent> <Command>if not exist "$(OutDir)conf" xcopy "$(SolutionDir)conf\vanilla\*.*" "$(OutDir)conf\" /C /D /Y /S diff --git a/w32/openssl.props b/w32/openssl.props index 0d927cce7a..1e2040b7d6 100644 --- a/w32/openssl.props +++ b/w32/openssl.props @@ -68,7 +68,7 @@ <AdditionalIncludeDirectories>$(OpenSSLLibDir)\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> <AdditionalIncludeDirectories Condition="'$(Platform)'=='Win32'">$(OpenSSLLibDir)\include_x86;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> <AdditionalIncludeDirectories Condition="'$(Platform)'=='x64'">$(OpenSSLLibDir)\include_x64;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories> - <PreprocessorDefinitions>HAVE_OPENSSL;HAVE_OPENSSL_DTLS_SRTP;HAVE_OPENSSL_DTLS;%(PreprocessorDefinitions)</PreprocessorDefinitions> + <PreprocessorDefinitions>OPENSSL;HAVE_OPENSSL;HAVE_OPENSSL_DTLS_SRTP;HAVE_OPENSSL_DTLS;%(PreprocessorDefinitions)</PreprocessorDefinitions> </ClCompile> <Link> <AdditionalLibraryDirectories>$(OpenSSLLibDir)\binaries\$(Platform)\$(LibraryConfiguration)\;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories> -- 2.47.2