Commit caa84613 authored by Kolbjørn Barmen

Cleaned up and prepared for something that works

parent 6bfc632b
radsecproxy (1.6.5-1) unstable; urgency=medium
* New upstream release.
* Bump Standards-Version to 3.9.6.
* Verify upstream's GPG signatures; add debian/upstream/signing-key.asc and
modify debian/watch accordingly.
* Minor adjustment to the long description. (Closes: #542454)
* Add --retry to --stop to fix spurious restart issue. Thanks to Michael
Vogt for the fix. (Closes: #711313)
* Add build dependency on dh-autoreconf and autoreconf during build time, as
it helps when adding new architectures to the archive. (Closes: #727952,
#744500)
* Add systemd unit file, along with the corresponding dh-systemd
integration.
* Switch pid file from /var/run to /run on both init script & systemd unit.
* Rewrite debian/copyright to the machine-parseable format.
-- Faidon Liambotis <paravoid@debian.org> Wed, 22 Oct 2014 23:50:56 +0300
radsecproxy (1.6.2-1) unstable; urgency=high
* Urgency set to high for a security release.
* New upstream release, fixing two security issues:
- When verifying clients, don't consider config blocks with CA settings
('tls') which differ from the one used for verifying the certificate
chain (RADSECPROXY-43, CVE-2012-4523). Reported by Ralf Paffrath.
- Fix the issue with verification of clients when using multiple 'tls'
config blocks for DTLS too (RADSECPROXY-43, CVE-2012-4566). Reported by
Raphael Geissert.
* Drop most of debian/patches/fix_manpages, merged upstream.
-- Faidon Liambotis <paravoid@debian.org> Tue, 06 Nov 2012 12:56:27 +0200
radsecproxy (1.6-1) unstable; urgency=low
* New upstream release.
* Enable F-Ticks, a new upstream feature.
- Add build dependency on nettle-dev.
* Ship upstream's manpages.
- Add build dependency on docbook2x.
- Add debian/patches/fix_manpages to adapt the manpage to our filepaths.
* Ship the radsecproxy-hash binary, used to calculate hashed CSI values.
* Use unapply-patches & abort-on-upstream-changes local-options.
* Bump debhelper compat to 9, mainly to enable hardening flags.
* Bump Standards-Version to 3.9.3, no changes needed.
* Add NORDUnet A/S copyright notice to debian/copyright.
-- Faidon Liambotis <paravoid@debian.org> Mon, 28 May 2012 15:56:52 +0300
radsecproxy (1.5-1) unstable; urgency=low
* New upstream release.
-- Faidon Liambotis <paravoid@debian.org> Wed, 16 Nov 2011 20:49:19 +0200
radsecproxy (1.4.3-1) unstable; urgency=low
* New upstream release.
* Change upstream author to Linus Nordberg in debian/copyright.
* Switch to 3.0 (quilt) source package format.
* Bump debhelper compatibility level to 8.
* Update Standards-Version to 3.9.2, no changes needed.
-- Faidon Liambotis <paravoid@debian.org> Fri, 22 Jul 2011 20:04:47 +0300
radsecproxy (1.4-1) unstable; urgency=low
* New upstream release.
* Add $remote_fs and $syslog to init script's Required-Start and $named to
Should-Start.
* Ship naptr-eduroam.sh script along with the README in examples.
-- Faidon Liambotis <paravoid@debian.org> Sat, 12 Jun 2010 18:30:04 +0300
radsecproxy (1.3.1-1) unstable; urgency=low
* New upstream release.
* Bump Standards-Version to 3.8.2, no changed needed.
* Build-Depend on debhelper >= 7.0.50 because of the use of overrides in dh.
-- Faidon Liambotis <paravoid@debian.org> Wed, 05 Aug 2009 12:49:20 +0300
radsecproxy (1.3-1) unstable; urgency=low
* Initial release. (Closes: #532481)
-- Faidon Liambotis <paravoid@debian.org> Tue, 16 Jun 2009 05:13:48 +0300
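Review bot: The changelog still ends at the 1.6.5-1 entry signed by Faidon Liambotis, and nothing in that entry mentions the prepared radsecproxy.conf that debian/rules now installs, so the local packaging change is undocumented and a build from this tree carries the same version string as that release. Add a new top entry with a distinct local version suffix and a line describing the replaced config, so the rebuilt package can be told apart from an unmodified 1.6.5-1.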
Source: radsecproxy
Section: net
Priority: optional
Maintainer: Faidon Liambotis <paravoid@debian.org>
Build-Depends: debhelper (>= 9), dh-autoreconf, dh-systemd,
autotools-dev,
libssl-dev,
nettle-dev,
docbook2x
Standards-Version: 3.9.6
Homepage: http://software.uninett.no/radsecproxy/
Package: radsecproxy
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Provides: radius-server
Description: RADIUS protocol proxy supporting RadSec
radsecproxy is a generic RADIUS proxy that in addition to usual RADIUS UDP
transport also supports TLS (RadSec). It aims to be flexible while at the same
time small in size and memory footprint, efficient and easy to configure.
.
It can be useful as a proxy on site boundaries or in other complex RADIUS
routing topologies. It supports both IPv4 and IPv6.
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: radsecproxy
Source: http://software.uninett.no/radsecproxy/
Files: *
Copyright: 2006-2009 Stig Venaas <venaas@uninett.no>
2006-2010 UNINETT AS
2010-2012 NORDUnet A/S
License: GPL-2+ or BSD-3-clause
Comment: for this binary distribution, only the BSD applies, as it links against OpenSSL
Files: debian/*
Copyright: 2009-2014, Faidon Liambotis <paravoid@debian.org>
License: GPL-2+ or BSD-3-clause
License: GPL-2+
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License
along with this package; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
.
On Debian systems, the complete text of the GNU General
Public License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
License: BSD-3-clause
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with distribution.
* Neither the name of the UNINETT AS nor the names of its
contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
.
THIS SOFTWARE IS PROVIDED BY UNINETT AS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL UNINETT AS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
radsecproxy.conf-example
tools/*
#! /bin/sh
### BEGIN INIT INFO
# Provides: radsecproxy
# Required-Start: $remote_fs $syslog $network
# Required-Stop: $remote_fs $syslog
# Should-Start: $time $named
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: RADIUS proxy
# Description: RADIUS protocol proxy supporting RadSec
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/radsecproxy
NAME="radsecproxy"
DESC="RadSec proxy"
PIDFILE=/run/$NAME.pid
. /lib/lsb/init-functions
test -x $DAEMON || exit 0
DAEMON_OPTS="-i $PIDFILE"
case "$1" in
start)
if pidofproc -p $PIDFILE $DAEMON > /dev/null; then
log_failure_msg "Starting $DESC (already started)"
exit 0
fi
if ! $DAEMON -p $DAEMON_OPTS 2> /dev/null; then
log_failure_msg "Checking $DESC config syntax"
exit 1
fi
log_daemon_msg "Starting $DESC" "$NAME"
start-stop-daemon --start --quiet --pidfile $PIDFILE \
--exec $DAEMON -- $DAEMON_OPTS
log_end_msg $?
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
start-stop-daemon --stop --retry 5 --quiet --pidfile $PIDFILE \
--exec $DAEMON
case "$?" in
0) log_end_msg 0 ;;
1) log_progress_msg "(already stopped)"
log_end_msg 0 ;;
*) log_end_msg 1 ;;
esac
;;
force-reload|restart)
if ! $DAEMON -p $DAEMON_OPTS 2> /dev/null; then
log_failure_msg "Checking $DESC config syntax"
exit 1
fi
$0 stop
$0 start
;;
status)
status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
;;
*)
echo "Usage: ${0} {start|stop|restart|force-reload|status}" >&2
exit 1
;;
esac
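Review bot: In the start and force-reload|restart branches the syntax check runs as `$DAEMON -p $DAEMON_OPTS 2> /dev/null`, which discards the daemon's own error output, so a failed check reports only "Checking $DESC config syntax" with no reason. Let stderr through, or capture and log it, so a configuration error can be diagnosed from the service output. The start branch also reports an already running daemon with log_failure_msg and then exits 0; a success-style message would match the exit code.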
radsecproxy: possible-gpl-code-linked-with-openssl
radsecproxy.1
radsecproxy.conf.5
Description: Minor fixes to the manpages (paths)
Author: Faidon Liambotis <paravoid@debian.org>
Last-Update: 2012-11-06
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
@@ -23,7 +23,7 @@
When the proxy server starts, it will first check the command
line arguments, and then read the configuration file. Normally
radsecproxy will read the configuration file
- <filename>/usr/local/etc/radsecproxy.conf</filename>. The command line
+ <filename>/etc/radsecproxy.conf</filename>. The command line
<option>-c</option> option can be used to instead read an
alternate file (see
<citerefentry>
@@ -103,7 +103,7 @@ blocktype name {
shell globbing to specify multiple files, e.g.:
<blockquote>
<para>
- include /usr/local/etc/radsecproxy.conf.d/*.conf
+ include /etc/radsecproxy.conf.d/*.conf
</para>
</blockquote>
The files are sorted alphabetically. Included files are read in
patch-aa
patch-ab
patch-ac
patch-ad
# Master config file for radsecproxy
# First you may define any global options, these are:
#
# You can optionally specify addresses and ports to listen on
# Multiple statements can be used for multiple ports/addresses
#ListenUDP *:1814
#ListenUDP localhost
#ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812
#ListenTLS 10.10.10.10:2084
#ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
#ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084
# To specify a certain address/port for UDP/TLS requests you can use e.g.
#SourceUDP 127.0.0.1:33000
#SourceTCP *:33000
#SourceTLS *:33001
#SourceDTLS *:33001
# Optional log level. 3 is default, 1 is less, 5 is more
#LogLevel 3
# Optional LogDestination, else stderr used for logging
# Logging to file
#LogDestination file:///tmp/rp.log
# Or logging with Syslog. LOG_DAEMON used if facility not specified
# The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and
# LOG_LOCAL0, ..., LOG_LOCAL7
#LogDestination x-syslog:///
#LogDestination x-syslog:///log_local2
# For generating log entries conforming to the F-Ticks system, specify
# FTicksReporting with one of the following values.
# None -- Do not log in F-Ticks format. This is the default.
# Basic -- Do log in F-Ticks format but do not log VISINST.
# Full -- Do log in F-Ticks format and do log VISINST.
# Please note that in order to get F-Ticks logging for a given client,
# its matching client configuration block has to contain the
# fticksVISCOUNTRY option.
# You can optionally specify FTicksMAC in order to determine if and
# how Calling-Station-Id (users Ethernet MAC address) is being logged.
# Static -- Use a static string as a placeholder for
# Calling-Station-Id.
# Original -- Log Calling-Station-Id as-is.
# VendorHashed -- Keep first three segments as-is, hash the rest.
# VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. This
# is the default.
# FullyHashed -- Hash the entire string.
# FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key.
# In order to use FTicksMAC with one of VendorKeyHashed or
# FullyKeyHashed, specify a key with FTicksKey.
# FTicksKey <key>
# Default F-Ticks configuration:
#FTicksReporting None
#FTicksMAC Static
# You can optionally specify FTicksSyslogFacility to use a dedicated
# syslog facility for F-Ticks messages. This allows for easier filtering
# of F-Ticks messages.
# F-Ticks messages are always logged using the log level LOG_DEBUG.
# Note that specifying a file (using the file:/// prefix) is not supported.
#FTicksSyslogFacility log_local1
#FTicksSyslogFacility x-syslog:///log_local1
# There is an option for doing some simple loop prevention. Note that
# the LoopPrevention directive can be used in server blocks too,
# overriding what's set here in the basic settings.
#LoopPrevention on
# Add TTL attribute with value 20 if not present (prevents endless loops)
#AddTTL 20
# If we have TLS clients or servers we must define at least one tls block.
# You can name them whatever you like and then reference them by name when
# specifying clients or servers later. There are however three special names
# "default", "defaultclient" and "defaultserver". If no name is defined for
# a client, the "defaultclient" block will be used if it exists, if not the
# "default" will be used. For a server, "defaultserver" followed by "default"
# will be checked.
#
# The simplest configuration you can do is:
#tls default {
# You must specify at least one of CACertificateFile or CACertificatePath
# for TLS to work. We always verify peer certificate (client and server)
# CACertificateFile /etc/ssl/certs/ca-certificates.crt
# CACertificatePath /etc/ssl/certs
# You must specify the below for TLS, we always present our certificate
# CertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
# CertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# Optionally specify password if key is encrypted (not very secure)
# CertificateKeyPassword "follow the white rabbit"
#
# Optionally enable CRL checking
# CRLCheck on
# Optionally specify how long CAs and CRLs are cached, default forever
# CacheExpiry 3600
#
# Optionally require that peer certs have one of the specified policyOIDs
# policyoid 1.2.3 # this option can be used multiple times
# policyoid 1.3.4
#}
# If you want one cert for all clients and another for all servers, use
# defaultclient and defaultserver instead of default. If we wanted some
# particular server to use something else you could specify a block
# "tls myserver" and then reference that for that server. If you always
# name the tls block in the client/server config you don't need a default
# Now we configure clients, servers and realms. Note that these and
# also the lines above may be in any order, except that a realm
# can only be configured to use a server that is previously configured.
# A realm can be a literal domain name, * which matches all, or a
# regexp. A regexp is specified by the character prefix /
# For regexp we do case insensitive matching of the entire username string.
# The matching of realms is done in the order they are specified, using the
# first match found. Some examples are
# "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
# To treat local users separately you might try first specifying "@"
# and after that "*".
# Configure a rewrite block if you want to add/remove/modify attributes
# rewrite example {
# # Remove NAS-Port.
# removeAttribute 5
# # Remove vendor attribute 100.
# removeVendorAttribute 99:100
# # Called-Station-Id = "123456"
# addAttribute 30:123456
# # Vendor-99-Attr-101 = 0x0f
# addVendorAttribute 99:101:%0f
# # Change users @local to @example.com.
# modifyAttribute 1:/^(.*)@local$/\1@example.com/
# }
# An example client
#client [2001:db8::1] {
# # type can be one of tcp, udp, tls, dtls
# type udp
# # secret is optional for TLS/DTLS
# secret secret
# # Might do rewriting of incoming messages using rewrite block example
# rewriteIn example
# # Can also do rewriting of outgoing messages
# rewriteOut example
# # if also want to use this server for accounting, specify
# accountingServer 127.0.0.1
# # statusserver is optional, can be on or off. Off is default
# StatusServer on
#}
# Equivalent to example.com
#realm /@example\.com$ {
# server 2001:db8::1
#}
# One can define a realm without servers, the proxy will then reject
# and requests matching this. Optionally one can specify ReplyMessage
# attribute to be included in the reject message. One can also use
# AccountingResponse option to specify that the proxy should send such.
#realm /\.com$ {
#}
#
#realm /^anonymous$ {
# replymessage "No Access"
# AccountingResponse On
#}
# example config for localhost, rejecting all users
client 127.0.0.1 {
type udp
secret testing123
}
realm * {
replymessage "User unknown"
}
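Review bot: The only active client block ships `secret testing123`, a widely known example RADIUS shared secret, in the file that debian/rules installs as the live /etc/radsecproxy.conf. The exposure is narrow because the client is 127.0.0.1 and `realm *` only answers "User unknown", but this block is the obvious template to copy when real clients are added. Replace the value with an obvious placeholder and add a comment that each client needs its own random secret. The comment above the empty-realm example also reads "reject and requests" where "any requests" is meant.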
#!/usr/bin/make -f
#export DH_VERBOSE=1
%:
dh $@ --with autoreconf,systemd
override_dh_auto_configure:
dh_auto_configure -- --enable-fticks
override_dh_auto_install:
dh_auto_install
# remove useless/sparsely used binary
rm -f debian/radsecproxy/usr/bin/radsecproxy-conf
# while they don't need root, they're not really users' material
mv -n debian/radsecproxy/usr/bin/* debian/radsecproxy/usr/sbin/
rmdir --ignore-fail-on-non-empty debian/radsecproxy/usr/bin
# remove the example config with the wrong filename
# and install a prepared config that works by default
rm -f debian/radsecproxy/etc/radsecproxy.conf-example
cp debian/radsecproxy.conf debian/radsecproxy/etc/radsecproxy.conf
.PHONY: override_dh_auto_configure override_dh_auto_install
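Review bot: In override_dh_auto_install the config is installed with a plain `cp debian/radsecproxy.conf debian/radsecproxy/etc/radsecproxy.conf` and no explicit mode, although this file holds RADIUS shared secrets and may hold a CertificateKeyPassword. Set a restrictive mode explicitly (for example install -m 0640) and make sure dh_fixperms does not reset it, so the secrets are not world-readable by default. In the same target, `mv -n` silently skips any name that already exists in usr/sbin and `rmdir --ignore-fail-on-non-empty` then hides the leftover; failing the build in that case would be safer.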
[Unit]
Description=radsecproxy
ConditionPathExists=/etc/radsecproxy.conf
After=network.target
Documentation=man:radsecproxy(1)
[Service]
Type=forking
ExecStart=/usr/sbin/radsecproxy -i /run/radsecproxy.pid
PIDFile=/run/radsecproxy.pid
[Install]
WantedBy=multi-user.target
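Review bot: The [Service] section starts the proxy with no `User=` and no sandboxing directives, and unlike the init script it does not run the `-p` config check before starting. Consider an ExecStartPre step that runs the same `-p` check, plus hardening options such as NoNewPrivileges=yes and ProtectSystem=full, since this is a network-facing daemon that parses RADIUS packets from remote peers.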
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1