pkeyutl.c 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576
  1. /*
  2. * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "apps.h"
  10. #include "progs.h"
  11. #include <string.h>
  12. #include <openssl/err.h>
  13. #include <openssl/pem.h>
  14. #include <openssl/evp.h>
  15. #define KEY_NONE 0
  16. #define KEY_PRIVKEY 1
  17. #define KEY_PUBKEY 2
  18. #define KEY_CERT 3
  19. static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
  20. const char *keyfile, int keyform, int key_type,
  21. char *passinarg, int pkey_op, ENGINE *e,
  22. const int impl);
  23. static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
  24. ENGINE *e);
  25. static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
  26. unsigned char *out, size_t *poutlen,
  27. const unsigned char *in, size_t inlen);
  28. typedef enum OPTION_choice {
  29. OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
  30. OPT_ENGINE, OPT_ENGINE_IMPL, OPT_IN, OPT_OUT,
  31. OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN,
  32. OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
  33. OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
  34. OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF,
  35. OPT_KDFLEN, OPT_R_ENUM
  36. } OPTION_CHOICE;
  37. const OPTIONS pkeyutl_options[] = {
  38. {"help", OPT_HELP, '-', "Display this summary"},
  39. {"in", OPT_IN, '<', "Input file - default stdin"},
  40. {"out", OPT_OUT, '>', "Output file - default stdout"},
  41. {"pubin", OPT_PUBIN, '-', "Input is a public key"},
  42. {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
  43. {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"},
  44. {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
  45. {"sign", OPT_SIGN, '-', "Sign input data with private key"},
  46. {"verify", OPT_VERIFY, '-', "Verify with public key"},
  47. {"verifyrecover", OPT_VERIFYRECOVER, '-',
  48. "Verify with public key, recover original data"},
  49. {"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
  50. {"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
  51. {"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
  52. {"derive", OPT_DERIVE, '-', "Derive shared secret"},
  53. {"kdf", OPT_KDF, 's', "Use KDF algorithm"},
  54. {"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"},
  55. {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
  56. {"inkey", OPT_INKEY, 's', "Input private key file"},
  57. {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"},
  58. {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
  59. {"peerform", OPT_PEERFORM, 'E', "Peer key format - default PEM"},
  60. {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
  61. {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
  62. {"pkeyopt_passin", OPT_PKEYOPT_PASSIN, 's',
  63. "Public key option that is read as a passphrase argument opt:passphrase"},
  64. OPT_R_OPTIONS,
  65. #ifndef OPENSSL_NO_ENGINE
  66. {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
  67. {"engine_impl", OPT_ENGINE_IMPL, '-',
  68. "Also use engine given by -engine for crypto operations"},
  69. #endif
  70. {NULL}
  71. };
  72. int pkeyutl_main(int argc, char **argv)
  73. {
  74. BIO *in = NULL, *out = NULL;
  75. ENGINE *e = NULL;
  76. EVP_PKEY_CTX *ctx = NULL;
  77. char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL;
  78. char hexdump = 0, asn1parse = 0, rev = 0, *prog;
  79. unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
  80. OPTION_CHOICE o;
  81. int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform = FORMAT_PEM;
  82. int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
  83. int engine_impl = 0;
  84. int ret = 1, rv = -1;
  85. size_t buf_outlen;
  86. const char *inkey = NULL;
  87. const char *peerkey = NULL;
  88. const char *kdfalg = NULL;
  89. int kdflen = 0;
  90. STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
  91. STACK_OF(OPENSSL_STRING) *pkeyopts_passin = NULL;
  92. prog = opt_init(argc, argv, pkeyutl_options);
  93. while ((o = opt_next()) != OPT_EOF) {
  94. switch (o) {
  95. case OPT_EOF:
  96. case OPT_ERR:
  97. opthelp:
  98. BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
  99. goto end;
  100. case OPT_HELP:
  101. opt_help(pkeyutl_options);
  102. ret = 0;
  103. goto end;
  104. case OPT_IN:
  105. infile = opt_arg();
  106. break;
  107. case OPT_OUT:
  108. outfile = opt_arg();
  109. break;
  110. case OPT_SIGFILE:
  111. sigfile = opt_arg();
  112. break;
  113. case OPT_ENGINE_IMPL:
  114. engine_impl = 1;
  115. break;
  116. case OPT_INKEY:
  117. inkey = opt_arg();
  118. break;
  119. case OPT_PEERKEY:
  120. peerkey = opt_arg();
  121. break;
  122. case OPT_PASSIN:
  123. passinarg = opt_arg();
  124. break;
  125. case OPT_PEERFORM:
  126. if (!opt_format(opt_arg(), OPT_FMT_PDE, &peerform))
  127. goto opthelp;
  128. break;
  129. case OPT_KEYFORM:
  130. if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyform))
  131. goto opthelp;
  132. break;
  133. case OPT_R_CASES:
  134. if (!opt_rand(o))
  135. goto end;
  136. break;
  137. case OPT_ENGINE:
  138. e = setup_engine(opt_arg(), 0);
  139. break;
  140. case OPT_PUBIN:
  141. key_type = KEY_PUBKEY;
  142. break;
  143. case OPT_CERTIN:
  144. key_type = KEY_CERT;
  145. break;
  146. case OPT_ASN1PARSE:
  147. asn1parse = 1;
  148. break;
  149. case OPT_HEXDUMP:
  150. hexdump = 1;
  151. break;
  152. case OPT_SIGN:
  153. pkey_op = EVP_PKEY_OP_SIGN;
  154. break;
  155. case OPT_VERIFY:
  156. pkey_op = EVP_PKEY_OP_VERIFY;
  157. break;
  158. case OPT_VERIFYRECOVER:
  159. pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
  160. break;
  161. case OPT_ENCRYPT:
  162. pkey_op = EVP_PKEY_OP_ENCRYPT;
  163. break;
  164. case OPT_DECRYPT:
  165. pkey_op = EVP_PKEY_OP_DECRYPT;
  166. break;
  167. case OPT_DERIVE:
  168. pkey_op = EVP_PKEY_OP_DERIVE;
  169. break;
  170. case OPT_KDF:
  171. pkey_op = EVP_PKEY_OP_DERIVE;
  172. key_type = KEY_NONE;
  173. kdfalg = opt_arg();
  174. break;
  175. case OPT_KDFLEN:
  176. kdflen = atoi(opt_arg());
  177. break;
  178. case OPT_REV:
  179. rev = 1;
  180. break;
  181. case OPT_PKEYOPT:
  182. if ((pkeyopts == NULL &&
  183. (pkeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
  184. sk_OPENSSL_STRING_push(pkeyopts, opt_arg()) == 0) {
  185. BIO_puts(bio_err, "out of memory\n");
  186. goto end;
  187. }
  188. break;
  189. case OPT_PKEYOPT_PASSIN:
  190. if ((pkeyopts_passin == NULL &&
  191. (pkeyopts_passin = sk_OPENSSL_STRING_new_null()) == NULL) ||
  192. sk_OPENSSL_STRING_push(pkeyopts_passin, opt_arg()) == 0) {
  193. BIO_puts(bio_err, "out of memory\n");
  194. goto end;
  195. }
  196. break;
  197. }
  198. }
  199. argc = opt_num_rest();
  200. if (argc != 0)
  201. goto opthelp;
  202. if (kdfalg != NULL) {
  203. if (kdflen == 0) {
  204. BIO_printf(bio_err,
  205. "%s: no KDF length given (-kdflen parameter).\n", prog);
  206. goto opthelp;
  207. }
  208. } else if (inkey == NULL) {
  209. BIO_printf(bio_err,
  210. "%s: no private key given (-inkey parameter).\n", prog);
  211. goto opthelp;
  212. } else if (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE) {
  213. BIO_printf(bio_err,
  214. "%s: no peer key given (-peerkey parameter).\n", prog);
  215. goto opthelp;
  216. }
  217. ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
  218. passinarg, pkey_op, e, engine_impl);
  219. if (ctx == NULL) {
  220. BIO_printf(bio_err, "%s: Error initializing context\n", prog);
  221. ERR_print_errors(bio_err);
  222. goto end;
  223. }
  224. if (peerkey != NULL && !setup_peer(ctx, peerform, peerkey, e)) {
  225. BIO_printf(bio_err, "%s: Error setting up peer key\n", prog);
  226. ERR_print_errors(bio_err);
  227. goto end;
  228. }
  229. if (pkeyopts != NULL) {
  230. int num = sk_OPENSSL_STRING_num(pkeyopts);
  231. int i;
  232. for (i = 0; i < num; ++i) {
  233. const char *opt = sk_OPENSSL_STRING_value(pkeyopts, i);
  234. if (pkey_ctrl_string(ctx, opt) <= 0) {
  235. BIO_printf(bio_err, "%s: Can't set parameter \"%s\":\n",
  236. prog, opt);
  237. ERR_print_errors(bio_err);
  238. goto end;
  239. }
  240. }
  241. }
  242. if (pkeyopts_passin != NULL) {
  243. int num = sk_OPENSSL_STRING_num(pkeyopts_passin);
  244. int i;
  245. for (i = 0; i < num; i++) {
  246. char *opt = sk_OPENSSL_STRING_value(pkeyopts_passin, i);
  247. char *passin = strchr(opt, ':');
  248. char *passwd;
  249. if (passin == NULL) {
  250. /* Get password interactively */
  251. char passwd_buf[4096];
  252. BIO_snprintf(passwd_buf, sizeof(passwd_buf), "Enter %s: ", opt);
  253. EVP_read_pw_string(passwd_buf, sizeof(passwd_buf) - 1,
  254. passwd_buf, 0);
  255. passwd = OPENSSL_strdup(passwd_buf);
  256. if (passwd == NULL) {
  257. BIO_puts(bio_err, "out of memory\n");
  258. goto end;
  259. }
  260. } else {
  261. /* Get password as a passin argument: First split option name
  262. * and passphrase argument into two strings */
  263. *passin = 0;
  264. passin++;
  265. if (app_passwd(passin, NULL, &passwd, NULL) == 0) {
  266. BIO_printf(bio_err, "failed to get '%s'\n", opt);
  267. goto end;
  268. }
  269. }
  270. if (EVP_PKEY_CTX_ctrl_str(ctx, opt, passwd) <= 0) {
  271. BIO_printf(bio_err, "%s: Can't set parameter \"%s\":\n",
  272. prog, opt);
  273. goto end;
  274. }
  275. OPENSSL_free(passwd);
  276. }
  277. }
  278. if (sigfile != NULL && (pkey_op != EVP_PKEY_OP_VERIFY)) {
  279. BIO_printf(bio_err,
  280. "%s: Signature file specified for non verify\n", prog);
  281. goto end;
  282. }
  283. if (sigfile == NULL && (pkey_op == EVP_PKEY_OP_VERIFY)) {
  284. BIO_printf(bio_err,
  285. "%s: No signature file specified for verify\n", prog);
  286. goto end;
  287. }
  288. if (pkey_op != EVP_PKEY_OP_DERIVE) {
  289. in = bio_open_default(infile, 'r', FORMAT_BINARY);
  290. if (in == NULL)
  291. goto end;
  292. }
  293. out = bio_open_default(outfile, 'w', FORMAT_BINARY);
  294. if (out == NULL)
  295. goto end;
  296. if (sigfile != NULL) {
  297. BIO *sigbio = BIO_new_file(sigfile, "rb");
  298. if (sigbio == NULL) {
  299. BIO_printf(bio_err, "Can't open signature file %s\n", sigfile);
  300. goto end;
  301. }
  302. siglen = bio_to_mem(&sig, keysize * 10, sigbio);
  303. BIO_free(sigbio);
  304. if (siglen < 0) {
  305. BIO_printf(bio_err, "Error reading signature data\n");
  306. goto end;
  307. }
  308. }
  309. if (in != NULL) {
  310. /* Read the input data */
  311. buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
  312. if (buf_inlen < 0) {
  313. BIO_printf(bio_err, "Error reading input Data\n");
  314. goto end;
  315. }
  316. if (rev) {
  317. size_t i;
  318. unsigned char ctmp;
  319. size_t l = (size_t)buf_inlen;
  320. for (i = 0; i < l / 2; i++) {
  321. ctmp = buf_in[i];
  322. buf_in[i] = buf_in[l - 1 - i];
  323. buf_in[l - 1 - i] = ctmp;
  324. }
  325. }
  326. }
  327. /* Sanity check the input */
  328. if (buf_inlen > EVP_MAX_MD_SIZE
  329. && (pkey_op == EVP_PKEY_OP_SIGN
  330. || pkey_op == EVP_PKEY_OP_VERIFY
  331. || pkey_op == EVP_PKEY_OP_VERIFYRECOVER)) {
  332. BIO_printf(bio_err,
  333. "Error: The input data looks too long to be a hash\n");
  334. goto end;
  335. }
  336. if (pkey_op == EVP_PKEY_OP_VERIFY) {
  337. rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
  338. buf_in, (size_t)buf_inlen);
  339. if (rv == 1) {
  340. BIO_puts(out, "Signature Verified Successfully\n");
  341. ret = 0;
  342. } else {
  343. BIO_puts(out, "Signature Verification Failure\n");
  344. }
  345. goto end;
  346. }
  347. if (kdflen != 0) {
  348. buf_outlen = kdflen;
  349. rv = 1;
  350. } else {
  351. rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
  352. buf_in, (size_t)buf_inlen);
  353. }
  354. if (rv > 0 && buf_outlen != 0) {
  355. buf_out = app_malloc(buf_outlen, "buffer output");
  356. rv = do_keyop(ctx, pkey_op,
  357. buf_out, (size_t *)&buf_outlen,
  358. buf_in, (size_t)buf_inlen);
  359. }
  360. if (rv <= 0) {
  361. if (pkey_op != EVP_PKEY_OP_DERIVE) {
  362. BIO_puts(bio_err, "Public Key operation error\n");
  363. } else {
  364. BIO_puts(bio_err, "Key derivation failed\n");
  365. }
  366. ERR_print_errors(bio_err);
  367. goto end;
  368. }
  369. ret = 0;
  370. if (asn1parse) {
  371. if (!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1))
  372. ERR_print_errors(bio_err);
  373. } else if (hexdump) {
  374. BIO_dump(out, (char *)buf_out, buf_outlen);
  375. } else {
  376. BIO_write(out, buf_out, buf_outlen);
  377. }
  378. end:
  379. EVP_PKEY_CTX_free(ctx);
  380. release_engine(e);
  381. BIO_free(in);
  382. BIO_free_all(out);
  383. OPENSSL_free(buf_in);
  384. OPENSSL_free(buf_out);
  385. OPENSSL_free(sig);
  386. sk_OPENSSL_STRING_free(pkeyopts);
  387. sk_OPENSSL_STRING_free(pkeyopts_passin);
  388. return ret;
  389. }
  390. static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
  391. const char *keyfile, int keyform, int key_type,
  392. char *passinarg, int pkey_op, ENGINE *e,
  393. const int engine_impl)
  394. {
  395. EVP_PKEY *pkey = NULL;
  396. EVP_PKEY_CTX *ctx = NULL;
  397. ENGINE *impl = NULL;
  398. char *passin = NULL;
  399. int rv = -1;
  400. X509 *x;
  401. if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
  402. || (pkey_op == EVP_PKEY_OP_DERIVE))
  403. && (key_type != KEY_PRIVKEY && kdfalg == NULL)) {
  404. BIO_printf(bio_err, "A private key is needed for this operation\n");
  405. goto end;
  406. }
  407. if (!app_passwd(passinarg, NULL, &passin, NULL)) {
  408. BIO_printf(bio_err, "Error getting password\n");
  409. goto end;
  410. }
  411. switch (key_type) {
  412. case KEY_PRIVKEY:
  413. pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
  414. break;
  415. case KEY_PUBKEY:
  416. pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "Public Key");
  417. break;
  418. case KEY_CERT:
  419. x = load_cert(keyfile, keyform, "Certificate");
  420. if (x) {
  421. pkey = X509_get_pubkey(x);
  422. X509_free(x);
  423. }
  424. break;
  425. case KEY_NONE:
  426. break;
  427. }
  428. #ifndef OPENSSL_NO_ENGINE
  429. if (engine_impl)
  430. impl = e;
  431. #endif
  432. if (kdfalg != NULL) {
  433. int kdfnid = OBJ_sn2nid(kdfalg);
  434. if (kdfnid == NID_undef) {
  435. kdfnid = OBJ_ln2nid(kdfalg);
  436. if (kdfnid == NID_undef) {
  437. BIO_printf(bio_err, "The given KDF \"%s\" is unknown.\n",
  438. kdfalg);
  439. goto end;
  440. }
  441. }
  442. ctx = EVP_PKEY_CTX_new_id(kdfnid, impl);
  443. } else {
  444. if (pkey == NULL)
  445. goto end;
  446. *pkeysize = EVP_PKEY_size(pkey);
  447. ctx = EVP_PKEY_CTX_new(pkey, impl);
  448. EVP_PKEY_free(pkey);
  449. }
  450. if (ctx == NULL)
  451. goto end;
  452. switch (pkey_op) {
  453. case EVP_PKEY_OP_SIGN:
  454. rv = EVP_PKEY_sign_init(ctx);
  455. break;
  456. case EVP_PKEY_OP_VERIFY:
  457. rv = EVP_PKEY_verify_init(ctx);
  458. break;
  459. case EVP_PKEY_OP_VERIFYRECOVER:
  460. rv = EVP_PKEY_verify_recover_init(ctx);
  461. break;
  462. case EVP_PKEY_OP_ENCRYPT:
  463. rv = EVP_PKEY_encrypt_init(ctx);
  464. break;
  465. case EVP_PKEY_OP_DECRYPT:
  466. rv = EVP_PKEY_decrypt_init(ctx);
  467. break;
  468. case EVP_PKEY_OP_DERIVE:
  469. rv = EVP_PKEY_derive_init(ctx);
  470. break;
  471. }
  472. if (rv <= 0) {
  473. EVP_PKEY_CTX_free(ctx);
  474. ctx = NULL;
  475. }
  476. end:
  477. OPENSSL_free(passin);
  478. return ctx;
  479. }
  480. static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
  481. ENGINE *e)
  482. {
  483. EVP_PKEY *peer = NULL;
  484. ENGINE *engine = NULL;
  485. int ret;
  486. if (peerform == FORMAT_ENGINE)
  487. engine = e;
  488. peer = load_pubkey(file, peerform, 0, NULL, engine, "Peer Key");
  489. if (peer == NULL) {
  490. BIO_printf(bio_err, "Error reading peer key %s\n", file);
  491. ERR_print_errors(bio_err);
  492. return 0;
  493. }
  494. ret = EVP_PKEY_derive_set_peer(ctx, peer);
  495. EVP_PKEY_free(peer);
  496. if (ret <= 0)
  497. ERR_print_errors(bio_err);
  498. return ret;
  499. }
  500. static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
  501. unsigned char *out, size_t *poutlen,
  502. const unsigned char *in, size_t inlen)
  503. {
  504. int rv = 0;
  505. switch (pkey_op) {
  506. case EVP_PKEY_OP_VERIFYRECOVER:
  507. rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen);
  508. break;
  509. case EVP_PKEY_OP_SIGN:
  510. rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen);
  511. break;
  512. case EVP_PKEY_OP_ENCRYPT:
  513. rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen);
  514. break;
  515. case EVP_PKEY_OP_DECRYPT:
  516. rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen);
  517. break;
  518. case EVP_PKEY_OP_DERIVE:
  519. rv = EVP_PKEY_derive(ctx, out, poutlen);
  520. break;
  521. }
  522. return rv;
  523. }