Message-ID: <538D2BE5.3070706@reser.org>
Date: Mon, 02 Jun 2014 18:59:01 -0700
From: Ben Reser
To: Subversion Development
Delivered-To: mailing list dev@subversion.apache.org
Subject: Improving gpg-agent support

Since 1.8 we've supported using gpg-agent to store passwords in memory.
http://subversion.apache.org/docs/release-notes/1.8.html#gpg-agent

Today I was getting asked about some odd behavior that a customer was seeing so I took some time to investigate. The behavior of this setup is very wonky and not what a user would expect.

When gpg-agent is set up, the first time you connect to a realm you'll be prompted by the Subversion client for the password. It'll then store in our auth cache that the password is stored in gpg-agent. However, the agent doesn't get this password from this action. The next time the user connects to this realm they are prompted by the pinentry program that is configured with gpg-agent to get the password. After that there is a confirmation prompt requiring they re-enter the password. Subsequent connections to the realm then use the password if it is still cached in gpg-agent. If the agent's cache has been cleared (timeout or other actions that would clear it) then the pinentry prompt (confirmation entry included) is repeated.

This seems like a very poor implementation from an end user perspective. None of the above behavior is documented in our release notes. So the average user is probably going to believe that things are not working properly.

There are of course some very good reasons for this behavior. gpg-agent and Subversion's auth system have somewhat contradictory designs.
gpg-agent takes on the responsibility of not just storing the password but also of the user interface for the user to input the password if it is not stored. Subversion on the other hand presumes that the cache systems are just dumb storage and that it has to handle the UI.

Subversion independently stores that it has a password cached in a given cache system (in a file under ~/.subversion/auth/svn.simple with the file being the MD5 hash of the realm). It only contacts that system for the cached password if the appropriate svn.simple entry is present.

With every other Subversion password caching mechanism Subversion would prompt you for your password the first time you connected to the realm and then if the password is correct it would store it in the appropriate cache and create the svn.simple entry. However, with gpg-agent it does not store the password with that first use, but does store the svn.simple entry causing subsequent requests to go to gpg-agent. Since gpg-agent does not have the password cached it then prompts the user.

Subversion currently tells gpg-agent when prompting the user for a password to confirm the password by asking the user to re-enter it. This choice appears to have been made because gpg-agent will cache a password without knowing for sure that the password is correct. If an incorrect password were to be cached then the user would have to take steps to clear the gpg-agent cache on their own (kill -HUP, gpg-connect-agent CLEAR_PASSPHRASE). Until they did so they would be prompted for the password by Subversion (since the cached password failed) on every single connection. Since the cached password in gpg-agent would be tried on every connection, the user may run into systems that lock them out as well.

The choice of a confirmation entry doesn't really seem very good in my opinion.
First, it only protects against typos; a user entering the wrong password (though entering the same password) twice will still experience the problem described above. Second, the default timeout for passwords in gpg-agent is 10 minutes. So now a user using this setup will have to enter their password twice every 10 minutes. The caching feature is a convenience feature, but having to enter the password twice seems not very convenient.

Fortunately there are some things we can do to resolve these issues.

First let's talk about the double prompt from pinentry. This is entirely unnecessary. Subversion's API provides two functions to retrieve credentials from the cache. A first credential function and a next credential function. The purpose being to allow multiple credentials to be stored for a realm and then walked until you find the ones that work. In practice we've never used this for passwords because there's no point in storing more than one credential for a password since only one will work. However, we can use this to allow us to drive gpg-agent as it intends. We do a GET_PASSPHRASE in first and then if we receive a next call we do a CLEAR_PASSPHRASE followed by a GET_PASSPHRASE with an error text telling the user the authentication failed (if we're being run in interactive mode).

I've attached a patch that implements this bit. But I haven't committed it because I'm not sure this is necessarily the best solution. I'm also abusing the parameters hash to avoid duplicating the svn_auth__simple_creds_cache_get() function.

The failure to cache on the first connection to the realm issue is a little bit harder to solve. There is actually a PRESET_PASSPHRASE call in gpg-agent's API. But it only works when gpg-agent is started with --allow-preset-passphrase. I think we should make the save function of the gpg-agent provider implement the PRESET_PASSPHRASE call.
We can document to users they will have a better experience if they provide the --allow-preset-passphrase option to gpg-agent when they start it. We can ignore errors if it doesn't.

There is another option and that is to use gpg-agent as a dumb store like we do other caches by combining PRESET_PASSPHRASE in the save function and GET_PASSPHRASE --no-ask in the first function. This would allow us to retain the behavior that the svn client asks for the password and thus not have to jump through hoops to support the cache system being responsible for the UI to request the password. Doing this of course would require that --allow-preset-passphrase be passed. So I think it'd probably be best to have a setting in our Subversion config that enables this mode but that then fails if --allow-preset-passphrase is not enabled on gpg-agent. This behavior would give the best experience to our users, but since it's intrusive on gpg-agent's configuration I don't think it should be default.

Because of these things I believe the patch should be applied and the later two things should be iterated on top of that.

Thoughts?

Commit message for the patch:
[[[
Make the gpg-agent pinentry not ask for confirmation of password entries and
make it re-prompt if the password is incorrect.

* subversion/libsvn_subr/gpg_agent.c:
  (ATTEMPT_PARAMETER): New macro.
  (send_options, get_cache_id): New functions with code taken out of
    password_get_gpg_agent() so it can be reused.
  (password_get_gpg_agent): Use send_options() and get_cache_id(), retrieve
    the attempt from the parameters and use it to determine if we should set
    an error message that will be displayed in pinentry.
  (simple_gpg_agent_first_creds): Set an iter_baton so we can limit the
    retries, put the iter_baton in the parameters so password_get_gpg_agent()
    can access it.
  (simple_gpg_agent_next_creds): New function, removes the cached password
    and prompts the user again.
  (gpg_agent_simple_provider): Add simple_gpg_agent_next_creds callback.
]]]

[Attachment: gpg-agent-no-password-confirm.patch]
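
The first/next credential flow proposed in the message above, modelled as an added Python example; it is not part of the original post or of Subversion's code. `FakeAgent`, `authenticate`, the prompt strings, the retry cap of 3, the MD5-of-realm cache id and the simplified `D`/`ERR` replies are assumptions made for the illustration.

```python
import hashlib

MAX_ATTEMPTS = 3  # assumption: retry cap picked for this example


def cache_id(realm):
    # Assumption: the agent cache key is the MD5 hex digest of the realm,
    # the same scheme the post describes for the svn.simple file name.
    return hashlib.md5(realm.encode("utf-8")).hexdigest()


def esc(text):
    # Arguments are blank-separated, so blanks inside one are sent as '+'.
    return text.replace(" ", "+")


def get_passphrase(cid, user, realm, attempt, interactive):
    # 'X' in the error slot means "no error text"; retries carry a notice.
    error = "X" if attempt == 1 else esc("Authentication failed")
    flags = "--data " + ("" if interactive else "--no-ask ")
    prompt = esc(f"Password for '{user}':")          # constructed prompt text
    desc = esc(f"Subversion password for {realm}")   # constructed description
    return f"GET_PASSPHRASE {flags}{cid} {error} {prompt} {desc}"


class FakeAgent:
    """Constructed stand-in for gpg-agent with simplified replies."""

    def __init__(self, typed):
        self.cache = {}            # cache_id -> passphrase
        self.typed = list(typed)   # what the user types into pinentry, in order
        self.log = []              # every request line received

    def handle(self, line):
        self.log.append(line)
        parts = line.split()
        cid = [p for p in parts[1:] if not p.startswith("--")][0]
        if parts[0] == "CLEAR_PASSPHRASE":
            self.cache.pop(cid, None)
            return "OK"
        if parts[0] == "GET_PASSPHRASE":
            if cid not in self.cache:
                if "--no-ask" in parts or not self.typed:
                    return "ERR no data"
                # The agent caches the entry before anyone has verified it.
                self.cache[cid] = self.typed.pop(0)
            return "D " + self.cache[cid]
        return "ERR unknown command"


def authenticate(agent, server_password, user, realm, interactive=True):
    """Drive the agent the way the post proposes; True if the server accepts."""
    cid = cache_id(realm)
    attempt = 1
    # first_credentials: plain GET_PASSPHRASE, no confirmation prompt.
    reply = agent.handle(get_passphrase(cid, user, realm, attempt, interactive))
    while reply.startswith("D ") and reply[2:] != server_password:
        # next_credentials: the server rejected what the agent returned.
        if not interactive:
            return False  # the user was never prompted, so keep the cache
        agent.handle(f"CLEAR_PASSPHRASE {cid}")  # evict the rejected entry
        attempt += 1
        if attempt > MAX_ATTEMPTS:
            return False  # stop with the rejected entry already evicted
        reply = agent.handle(get_passphrase(cid, user, realm, attempt, interactive))
    return reply.startswith("D ")


if __name__ == "__main__":
    realm = "<https://svn.example.org:443> Example Realm"  # constructed realm
    agent = FakeAgent(typed=["s3cret"])
    agent.cache[cache_id(realm)] = "stale"  # a wrong password is already cached
    print(authenticate(agent, "s3cret", "alice", realm))
    print("\n".join(agent.log))
```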