author | weijun |
Wed, 28 Oct 2009 15:32:30 +0800 | |
changeset 4168 | 1a8d21bb898c |
parent 3483 | a16fce1820ef |
child 5506 | 202f599c92aa |
permissions | -rw-r--r-- |
2 | 1 |
/* |
3483
a16fce1820ef
6821190: more InquireType values for ExtendedGSSContext
weijun
parents:
3315
diff
changeset
|
2 |
* Portions Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. Sun designates this |
|
8 |
* particular file as subject to the "Classpath" exception as provided |
|
9 |
* by Sun in the LICENSE file that accompanied this code. |
|
10 |
* |
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
21 |
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
|
22 |
* CA 95054 USA or visit www.sun.com if you need additional information or |
|
23 |
* have any questions. |
|
24 |
*/ |
|
25 |
||
26 |
/* |
|
27 |
* |
|
28 |
* (C) Copyright IBM Corp. 1999 All Rights Reserved. |
|
29 |
* Copyright 1997 The Open Group Research Institute. All rights reserved. |
|
30 |
*/ |
|
31 |
||
32 |
package sun.security.krb5; |
|
33 |
||
34 |
import sun.security.krb5.internal.*; |
|
35 |
import sun.security.krb5.internal.crypto.*; |
|
36 |
import sun.security.krb5.internal.rcache.*; |
|
37 |
import java.net.InetAddress; |
|
38 |
import sun.security.util.*; |
|
39 |
import java.io.IOException; |
|
40 |
||
41 |
/** |
|
42 |
* This class encapsulates a KRB-AP-REQ that a client sends to a |
|
43 |
* server for authentication. |
|
44 |
*/ |
|
45 |
public class KrbApReq { |
|
46 |
||
47 |
private byte[] obuf; |
|
48 |
private KerberosTime ctime; |
|
49 |
private int cusec; |
|
50 |
private Authenticator authenticator; |
|
51 |
private Credentials creds; |
|
52 |
private APReq apReqMessg; |
|
53 |
||
54 |
private static CacheTable table = new CacheTable(); |
|
55 |
private static boolean DEBUG = Krb5.DEBUG; |
|
56 |
||
57 |
// default is address-less tickets |
|
58 |
private boolean KDC_EMPTY_ADDRESSES_ALLOWED = true; |
|
59 |
||
60 |
/** |
|
61 |
* Contructs a AP-REQ message to send to the peer. |
|
62 |
* @param tgsCred the <code>Credentials</code> to be used to construct the |
|
63 |
* AP Request protocol message. |
|
64 |
* @param mutualRequired Whether mutual authentication is required |
|
65 |
* @param useSubkey Whether the subkey is to be used to protect this |
|
66 |
* specific application session. If this is not set then the |
|
67 |
* session key from the ticket will be used. |
|
68 |
* @throws KrbException for any Kerberos protocol specific error |
|
69 |
* @throws IOException for any IO related errors |
|
70 |
* (e.g. socket operations) |
|
71 |
*/ |
|
72 |
/* |
|
73 |
// Not Used |
|
74 |
public KrbApReq(Credentials tgsCred, |
|
75 |
boolean mutualRequired, |
|
76 |
boolean useSubKey, |
|
77 |
boolean useSeqNumber) throws Asn1Exception, |
|
78 |
KrbCryptoException, KrbException, IOException { |
|
79 |
||
80 |
this(tgsCred, mutualRequired, useSubKey, useSeqNumber, null); |
|
81 |
} |
|
82 |
*/ |
|
83 |
||
84 |
/** |
|
85 |
* Contructs a AP-REQ message to send to the peer. |
|
86 |
* @param tgsCred the <code>Credentials</code> to be used to construct the |
|
87 |
* AP Request protocol message. |
|
88 |
* @param mutualRequired Whether mutual authentication is required |
|
89 |
* @param useSubkey Whether the subkey is to be used to protect this |
|
90 |
* specific application session. If this is not set then the |
|
91 |
* session key from the ticket will be used. |
|
92 |
* @param checksum checksum of the the application data that accompanies |
|
93 |
* the KRB_AP_REQ. |
|
94 |
* @throws KrbException for any Kerberos protocol specific error |
|
95 |
* @throws IOException for any IO related errors |
|
96 |
* (e.g. socket operations) |
|
97 |
*/ |
|
98 |
// Used in InitSecContextToken |
|
99 |
public KrbApReq(Credentials tgsCred, |
|
100 |
boolean mutualRequired, |
|
101 |
boolean useSubKey, |
|
102 |
boolean useSeqNumber, |
|
103 |
Checksum cksum) throws Asn1Exception, |
|
104 |
KrbCryptoException, KrbException, IOException { |
|
105 |
||
106 |
APOptions apOptions = (mutualRequired? |
|
107 |
new APOptions(Krb5.AP_OPTS_MUTUAL_REQUIRED): |
|
108 |
new APOptions()); |
|
109 |
if (DEBUG) |
|
110 |
System.out.println(">>> KrbApReq: APOptions are " + apOptions); |
|
111 |
||
112 |
EncryptionKey subKey = (useSubKey? |
|
113 |
new EncryptionKey(tgsCred.getSessionKey()): |
|
114 |
null); |
|
115 |
||
116 |
SeqNumber seqNum = new LocalSeqNumber(); |
|
117 |
||
118 |
init(apOptions, |
|
119 |
tgsCred, |
|
120 |
cksum, |
|
121 |
subKey, |
|
122 |
seqNum, |
|
123 |
null, // AuthorizationData authzData |
|
124 |
KeyUsage.KU_AP_REQ_AUTHENTICATOR); |
|
125 |
||
126 |
} |
|
127 |
||
128 |
/** |
|
129 |
* Contructs a AP-REQ message from the bytes received from the |
|
130 |
* peer. |
|
131 |
* @param message The message received from the peer |
|
132 |
* @param keys <code>EncrtyptionKey</code>s to decrypt the message; |
|
133 |
* key selected will depend on etype used to encrypte data |
|
134 |
* @throws KrbException for any Kerberos protocol specific error |
|
135 |
* @throws IOException for any IO related errors |
|
136 |
* (e.g. socket operations) |
|
137 |
*/ |
|
138 |
// Used in InitSecContextToken (for AP_REQ and not TGS REQ) |
|
139 |
public KrbApReq(byte[] message, |
|
140 |
EncryptionKey[] keys, |
|
141 |
InetAddress initiator) |
|
142 |
throws KrbException, IOException { |
|
143 |
obuf = message; |
|
144 |
if (apReqMessg == null) |
|
145 |
decode(); |
|
146 |
authenticate(keys, initiator); |
|
147 |
} |
|
148 |
||
149 |
/** |
|
150 |
* Contructs a AP-REQ message from the bytes received from the |
|
151 |
* peer. |
|
152 |
* @param value The <code>DerValue</code> that contains the |
|
153 |
* DER enoded AP-REQ protocol message |
|
154 |
* @param keys <code>EncrtyptionKey</code>s to decrypt the message; |
|
155 |
* |
|
156 |
* @throws KrbException for any Kerberos protocol specific error |
|
157 |
* @throws IOException for any IO related errors |
|
158 |
* (e.g. socket operations) |
|
159 |
*/ |
|
160 |
/* |
|
161 |
public KrbApReq(DerValue value, EncryptionKey[] key, InetAddress initiator) |
|
162 |
throws KrbException, IOException { |
|
163 |
obuf = value.toByteArray(); |
|
164 |
if (apReqMessg == null) |
|
165 |
decode(value); |
|
166 |
authenticate(keys, initiator); |
|
167 |
} |
|
168 |
||
169 |
KrbApReq(APOptions options, |
|
170 |
Credentials tgs_creds, |
|
171 |
Checksum cksum, |
|
172 |
EncryptionKey subKey, |
|
173 |
SeqNumber seqNumber, |
|
174 |
AuthorizationData authorizationData) |
|
175 |
throws KrbException, IOException { |
|
176 |
init(options, tgs_creds, cksum, subKey, seqNumber, authorizationData); |
|
177 |
} |
|
178 |
*/ |
|
179 |
||
180 |
/** used by KrbTgsReq **/ |
|
181 |
KrbApReq(APOptions apOptions, |
|
182 |
Ticket ticket, |
|
183 |
EncryptionKey key, |
|
184 |
Realm crealm, |
|
185 |
PrincipalName cname, |
|
186 |
Checksum cksum, |
|
187 |
KerberosTime ctime, |
|
188 |
EncryptionKey subKey, |
|
189 |
SeqNumber seqNumber, |
|
190 |
AuthorizationData authorizationData) |
|
191 |
throws Asn1Exception, IOException, |
|
192 |
KdcErrException, KrbCryptoException { |
|
193 |
||
194 |
init(apOptions, ticket, key, crealm, cname, |
|
195 |
cksum, ctime, subKey, seqNumber, authorizationData, |
|
196 |
KeyUsage.KU_PA_TGS_REQ_AUTHENTICATOR); |
|
197 |
||
198 |
} |
|
199 |
||
200 |
private void init(APOptions options, |
|
201 |
Credentials tgs_creds, |
|
202 |
Checksum cksum, |
|
203 |
EncryptionKey subKey, |
|
204 |
SeqNumber seqNumber, |
|
205 |
AuthorizationData authorizationData, |
|
206 |
int usage) |
|
207 |
throws KrbException, IOException { |
|
208 |
||
209 |
ctime = new KerberosTime(KerberosTime.NOW); |
|
210 |
init(options, |
|
211 |
tgs_creds.ticket, |
|
212 |
tgs_creds.key, |
|
213 |
tgs_creds.client.getRealm(), |
|
214 |
tgs_creds.client, |
|
215 |
cksum, |
|
216 |
ctime, |
|
217 |
subKey, |
|
218 |
seqNumber, |
|
219 |
authorizationData, |
|
220 |
usage); |
|
221 |
} |
|
222 |
||
223 |
private void init(APOptions apOptions, |
|
224 |
Ticket ticket, |
|
225 |
EncryptionKey key, |
|
226 |
Realm crealm, |
|
227 |
PrincipalName cname, |
|
228 |
Checksum cksum, |
|
229 |
KerberosTime ctime, |
|
230 |
EncryptionKey subKey, |
|
231 |
SeqNumber seqNumber, |
|
232 |
AuthorizationData authorizationData, |
|
233 |
int usage) |
|
234 |
throws Asn1Exception, IOException, |
|
235 |
KdcErrException, KrbCryptoException { |
|
236 |
||
237 |
createMessage(apOptions, ticket, key, crealm, cname, |
|
238 |
cksum, ctime, subKey, seqNumber, authorizationData, |
|
239 |
usage); |
|
240 |
obuf = apReqMessg.asn1Encode(); |
|
241 |
} |
|
242 |
||
243 |
||
244 |
void decode() throws KrbException, IOException { |
|
245 |
DerValue encoding = new DerValue(obuf); |
|
246 |
decode(encoding); |
|
247 |
} |
|
248 |
||
249 |
void decode(DerValue encoding) throws KrbException, IOException { |
|
250 |
apReqMessg = null; |
|
251 |
try { |
|
252 |
apReqMessg = new APReq(encoding); |
|
253 |
} catch (Asn1Exception e) { |
|
254 |
apReqMessg = null; |
|
255 |
KRBError err = new KRBError(encoding); |
|
256 |
String errStr = err.getErrorString(); |
|
257 |
String eText; |
|
258 |
if (errStr.charAt(errStr.length() - 1) == 0) |
|
259 |
eText = errStr.substring(0, errStr.length() - 1); |
|
260 |
else |
|
261 |
eText = errStr; |
|
262 |
KrbException ke = new KrbException(err.getErrorCode(), eText); |
|
263 |
ke.initCause(e); |
|
264 |
throw ke; |
|
265 |
} |
|
266 |
} |
|
267 |
||
268 |
private void authenticate(EncryptionKey[] keys, InetAddress initiator) |
|
269 |
throws KrbException, IOException { |
|
270 |
int encPartKeyType = apReqMessg.ticket.encPart.getEType(); |
|
4168
1a8d21bb898c
6893158: AP_REQ check should use key version number
weijun
parents:
3483
diff
changeset
|
271 |
Integer kvno = apReqMessg.ticket.encPart.getKeyVersionNumber(); |
1a8d21bb898c
6893158: AP_REQ check should use key version number
weijun
parents:
3483
diff
changeset
|
272 |
EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, kvno, keys); |
2 | 273 |
|
274 |
if (dkey == null) { |
|
275 |
throw new KrbException(Krb5.API_INVALID_ARG, |
|
276 |
"Cannot find key of appropriate type to decrypt AP REP - " + |
|
277 |
EType.toString(encPartKeyType)); |
|
278 |
} |
|
279 |
||
280 |
byte[] bytes = apReqMessg.ticket.encPart.decrypt(dkey, |
|
281 |
KeyUsage.KU_TICKET); |
|
282 |
byte[] temp = apReqMessg.ticket.encPart.reset(bytes, true); |
|
283 |
EncTicketPart enc_ticketPart = new EncTicketPart(temp); |
|
284 |
||
285 |
checkPermittedEType(enc_ticketPart.key.getEType()); |
|
286 |
||
287 |
byte[] bytes2 = apReqMessg.authenticator.decrypt(enc_ticketPart.key, |
|
288 |
KeyUsage.KU_AP_REQ_AUTHENTICATOR); |
|
289 |
byte[] temp2 = apReqMessg.authenticator.reset(bytes2, true); |
|
290 |
authenticator = new Authenticator(temp2); |
|
291 |
ctime = authenticator.ctime; |
|
292 |
cusec = authenticator.cusec; |
|
293 |
authenticator.ctime.setMicroSeconds(authenticator.cusec); |
|
294 |
authenticator.cname.setRealm(authenticator.crealm); |
|
295 |
apReqMessg.ticket.sname.setRealm(apReqMessg.ticket.realm); |
|
296 |
enc_ticketPart.cname.setRealm(enc_ticketPart.crealm); |
|
297 |
||
298 |
if (!authenticator.cname.equals(enc_ticketPart.cname)) |
|
299 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_BADMATCH); |
|
300 |
||
301 |
KerberosTime currTime = new KerberosTime(KerberosTime.NOW); |
|
302 |
if (!authenticator.ctime.inClockSkew(currTime)) |
|
303 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW); |
|
304 |
||
305 |
// start to check if it is a replay attack. |
|
306 |
AuthTime time = |
|
307 |
new AuthTime(authenticator.ctime.getTime(), authenticator.cusec); |
|
308 |
String client = authenticator.cname.toString(); |
|
309 |
if (table.get(time, authenticator.cname.toString()) != null) { |
|
310 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT); |
|
311 |
} else { |
|
312 |
table.put(client, time, currTime.getTime()); |
|
313 |
} |
|
314 |
||
315 |
// check to use addresses in tickets |
|
316 |
if (Config.getInstance().useAddresses()) { |
|
317 |
KDC_EMPTY_ADDRESSES_ALLOWED = false; |
|
318 |
} |
|
319 |
||
320 |
// sender host address |
|
321 |
HostAddress sender = null; |
|
322 |
if (initiator != null) { |
|
323 |
sender = new HostAddress(initiator); |
|
324 |
} |
|
325 |
||
326 |
if (sender != null || !KDC_EMPTY_ADDRESSES_ALLOWED) { |
|
327 |
if (enc_ticketPart.caddr != null) { |
|
328 |
if (sender == null) |
|
329 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR); |
|
330 |
if (!enc_ticketPart.caddr.inList(sender)) |
|
331 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR); |
|
332 |
} |
|
333 |
} |
|
334 |
||
335 |
// XXX check for repeated authenticator |
|
336 |
// if found |
|
337 |
// throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT); |
|
338 |
// else |
|
339 |
// save authenticator to check for later |
|
340 |
||
341 |
KerberosTime now = new KerberosTime(KerberosTime.NOW); |
|
342 |
||
343 |
if ((enc_ticketPart.starttime != null && |
|
344 |
enc_ticketPart.starttime.greaterThanWRTClockSkew(now)) || |
|
345 |
enc_ticketPart.flags.get(Krb5.TKT_OPTS_INVALID)) |
|
346 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_TKT_NYV); |
|
347 |
||
348 |
// if the current time is later than end time by more |
|
349 |
// than the allowable clock skew, throws ticket expired exception. |
|
350 |
if (enc_ticketPart.endtime != null && |
|
351 |
now.greaterThanWRTClockSkew(enc_ticketPart.endtime)) { |
|
352 |
throw new KrbApErrException(Krb5.KRB_AP_ERR_TKT_EXPIRED); |
|
353 |
} |
|
354 |
||
355 |
creds = new Credentials( |
|
356 |
apReqMessg.ticket, |
|
357 |
authenticator.cname, |
|
358 |
apReqMessg.ticket.sname, |
|
359 |
enc_ticketPart.key, |
|
3483
a16fce1820ef
6821190: more InquireType values for ExtendedGSSContext
weijun
parents:
3315
diff
changeset
|
360 |
enc_ticketPart.flags, |
2 | 361 |
enc_ticketPart.authtime, |
362 |
enc_ticketPart.starttime, |
|
363 |
enc_ticketPart.endtime, |
|
364 |
enc_ticketPart.renewTill, |
|
3483
a16fce1820ef
6821190: more InquireType values for ExtendedGSSContext
weijun
parents:
3315
diff
changeset
|
365 |
enc_ticketPart.caddr, |
a16fce1820ef
6821190: more InquireType values for ExtendedGSSContext
weijun
parents:
3315
diff
changeset
|
366 |
enc_ticketPart.authorizationData); |
2 | 367 |
if (DEBUG) { |
368 |
System.out.println(">>> KrbApReq: authenticate succeed."); |
|
369 |
} |
|
370 |
} |
|
371 |
||
372 |
/** |
|
373 |
* Returns the credentials that are contained in the ticket that |
|
374 |
* is part of this this AP-REP. |
|
375 |
*/ |
|
376 |
public Credentials getCreds() { |
|
377 |
return creds; |
|
378 |
} |
|
379 |
||
380 |
KerberosTime getCtime() { |
|
381 |
if (ctime != null) |
|
382 |
return ctime; |
|
383 |
return authenticator.ctime; |
|
384 |
} |
|
385 |
||
386 |
int cusec() { |
|
387 |
return cusec; |
|
388 |
} |
|
389 |
||
390 |
APOptions getAPOptions() throws KrbException, IOException { |
|
391 |
if (apReqMessg == null) |
|
392 |
decode(); |
|
393 |
if (apReqMessg != null) |
|
394 |
return apReqMessg.apOptions; |
|
395 |
return null; |
|
396 |
} |
|
397 |
||
398 |
/** |
|
399 |
* Returns true if mutual authentication is required and hence an |
|
400 |
* AP-REP will need to be generated. |
|
401 |
* @throws KrbException |
|
402 |
* @throws IOException |
|
403 |
*/ |
|
404 |
public boolean getMutualAuthRequired() throws KrbException, IOException { |
|
405 |
if (apReqMessg == null) |
|
406 |
decode(); |
|
407 |
if (apReqMessg != null) |
|
408 |
return apReqMessg.apOptions.get(Krb5.AP_OPTS_MUTUAL_REQUIRED); |
|
409 |
return false; |
|
410 |
} |
|
411 |
||
412 |
boolean useSessionKey() throws KrbException, IOException { |
|
413 |
if (apReqMessg == null) |
|
414 |
decode(); |
|
415 |
if (apReqMessg != null) |
|
416 |
return apReqMessg.apOptions.get(Krb5.AP_OPTS_USE_SESSION_KEY); |
|
417 |
return false; |
|
418 |
} |
|
419 |
||
420 |
/** |
|
421 |
* Returns the optional subkey stored in the Authenticator for |
|
422 |
* this message. Returns null if none is stored. |
|
423 |
*/ |
|
424 |
public EncryptionKey getSubKey() { |
|
425 |
// XXX Can authenticator be null |
|
426 |
return authenticator.getSubKey(); |
|
427 |
} |
|
428 |
||
429 |
/** |
|
430 |
* Returns the optional sequence number stored in the |
|
431 |
* Authenticator for this message. Returns null if none is |
|
432 |
* stored. |
|
433 |
*/ |
|
434 |
public Integer getSeqNumber() { |
|
435 |
// XXX Can authenticator be null |
|
436 |
return authenticator.getSeqNumber(); |
|
437 |
} |
|
438 |
||
439 |
/** |
|
440 |
* Returns the optional Checksum stored in the |
|
441 |
* Authenticator for this message. Returns null if none is |
|
442 |
* stored. |
|
443 |
*/ |
|
444 |
public Checksum getChecksum() { |
|
445 |
return authenticator.getChecksum(); |
|
446 |
} |
|
447 |
||
448 |
/** |
|
449 |
* Returns the ASN.1 encoding that should be sent to the peer. |
|
450 |
*/ |
|
451 |
public byte[] getMessage() { |
|
452 |
return obuf; |
|
453 |
} |
|
454 |
||
455 |
/** |
|
456 |
* Returns the principal name of the client that generated this |
|
457 |
* message. |
|
458 |
*/ |
|
459 |
public PrincipalName getClient() { |
|
460 |
return creds.getClient(); |
|
461 |
} |
|
462 |
||
463 |
private void createMessage(APOptions apOptions, |
|
464 |
Ticket ticket, |
|
465 |
EncryptionKey key, |
|
466 |
Realm crealm, |
|
467 |
PrincipalName cname, |
|
468 |
Checksum cksum, |
|
469 |
KerberosTime ctime, |
|
470 |
EncryptionKey subKey, |
|
471 |
SeqNumber seqNumber, |
|
472 |
AuthorizationData authorizationData, |
|
473 |
int usage) |
|
474 |
throws Asn1Exception, IOException, |
|
475 |
KdcErrException, KrbCryptoException { |
|
476 |
||
477 |
Integer seqno = null; |
|
478 |
||
479 |
if (seqNumber != null) |
|
480 |
seqno = new Integer(seqNumber.current()); |
|
481 |
||
482 |
authenticator = |
|
483 |
new Authenticator(crealm, |
|
484 |
cname, |
|
485 |
cksum, |
|
486 |
ctime.getMicroSeconds(), |
|
487 |
ctime, |
|
488 |
subKey, |
|
489 |
seqno, |
|
490 |
authorizationData); |
|
491 |
||
492 |
byte[] temp = authenticator.asn1Encode(); |
|
493 |
||
494 |
EncryptedData encAuthenticator = |
|
495 |
new EncryptedData(key, temp, usage); |
|
496 |
||
497 |
apReqMessg = |
|
498 |
new APReq(apOptions, ticket, encAuthenticator); |
|
499 |
} |
|
500 |
||
501 |
// Check that key is one of the permitted types |
|
502 |
private static void checkPermittedEType(int target) throws KrbException { |
|
503 |
int[] etypes = EType.getDefaults("permitted_enctypes"); |
|
504 |
if (etypes == null) { |
|
505 |
throw new KrbException( |
|
506 |
"No supported encryption types listed in permitted_enctypes"); |
|
507 |
} |
|
508 |
if (!EType.isSupported(target, etypes)) { |
|
509 |
throw new KrbException(EType.toString(target) + |
|
510 |
" encryption type not in permitted_enctypes list"); |
|
511 |
} |
|
512 |
} |
|
513 |
} |