From c24629abf4490a59a60e0579ce0eb6d6fc5855d8 Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Thu, 24 Apr 2014 12:36:05 -0700
Subject: [PATCH] Add very basic ocsp stapling support.

This only allows access to the ocsp stapling response data. No verification or anything else at the moment.
---
 scripts/site/local.bro | 5 +++--
 src/analyzer/protocol/ssl/events.bif | 14 ++++++++++++++
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 15 +++++++++++++++
 src/analyzer/protocol/ssl/ssl-protocol.pac | 1 +
 .../.stdout | 1 +
 testing/btest/Traces/tls/ocsp-stapling.trace | Bin 0 -> 9427 bytes
 .../base/protocols/ssl/ocsp-stapling.test | 7 +++++++
 7 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
 create mode 100644 testing/btest/Traces/tls/ocsp-stapling.trace
 create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test

diff --git a/scripts/site/local.bro b/scripts/site/local.bro
index bb2cc73a53..afe1d9d4f2 100644
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@@ -81,5 +81,6 @@
 # Detect SHA1 sums in Team Cymru's Malware Hash Registry.
 @load frameworks/files/detect-MHR
 
-# Load heartbleed detection. Only superficially tested, might contain bugs.
-@load policy/protocols/ssl/heartbleed
+# Uncomment the following line to enable detection of the heartbleed attack. Enabling
+# this might impact performance a bit.
+# @load policy/protocols/ssl/heartbleed
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 5106552740..f32649403b 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
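Review bot: The local.bro hunk stops loading policy/protocols/ssl/heartbleed in the default site policy, which has nothing to do with the OCSP stapling support named in the subject and is not mentioned in the commit message. Sites that relied on the previous default will silently lose heartbleed detection after upgrading, so this deserves its own commit with a rationale, or at least an explicit sentence in the message and the release notes. The rewritten comment also drops the earlier caveat that the script is only superficially tested; if that still applies, carry it over, e.g. `# this might impact performance a bit and the script is only superficially tested.`.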
@@ -214,6 +214,8 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##
 ## c: The connection.
 ##
+## is_orig: True if event is raised for originator side of the connection.
+##
 ## length: length of the entire heartbeat message.
 ##
 ## heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response
@@ -236,9 +238,21 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ##
 ## c: The connection.
 ##
+## is_orig: True if event is raised for originator side of the connection.
+##
 ## length: length of the entire heartbeat message.
 ##
 ## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##              ssl_alert ssl_heartbeat
 event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
 
+## This event contains the OCSP response contained in a Certificate Status Request
+## message, when the client requested OCSP stapling and the server supports it. See
+## description in :rfc:`6066`
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## response: OCSP data.
+event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 66224bf45a..e9d29675c3 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -389,6 +389,17 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
+	function proc_certificate_status(rec : SSLRecord, status_type: uint8, response: bytestring) : bool
+		%{
+		if ( status_type == 1 ) // ocsp
+			{
+			BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
+				bro_analyzer()->Conn(), ${rec.is_orig},
+				new StringVal(response.length(), (const char*) response.data()));
+			}
+
+		return true;
+		%}
 };
 
 refine typeattr Alert += &let {
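Review bot: The documentation of the new `ssl_stapled_ocsp` event does not say what `response` holds: from the CertificateStatus record in ssl-protocol.pac it is the raw bytes following the status_type and length fields, and per the commit message nothing parses or verifies them, so a script author reading only this file may take it for a validated OCSP result. I would document the parameter as `## response: The raw OCSP response as sent by the server. It is not parsed or verified by the analyzer.` and add a sentence to the event description stating that the event is only raised for status_type 1 (OCSP) and that other status types are silently ignored, which is what proc_certificate_status in the ssl-analyzer.pac hunk on this same line does. The description also names the message a "Certificate Status Request message", whereas in RFC 6066 status_request is the client extension and the server's message is the CertificateStatus handshake message; the RFC reference is missing its terminating period as well.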
@@ -473,3 +484,7 @@ refine typeattr ApplicationLayerProtocolNegotiationExtension += &let {
 refine typeattr ServerNameExt += &let {
 	proc : bool = $context.connection.proc_server_name(rec, server_names);
 };
+
+refine typeattr CertificateStatus += &let {
+	proc : bool = $context.connection.proc_certificate_status(rec, status_type, response);
+};
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 857bd01f26..a8b9975eb5 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -341,6 +341,7 @@ type Certificate(rec: SSLRecord) = record {
 
 type CertificateStatus(rec: SSLRecord) = record {
 	status_type: uint8; # 1 = ocsp, everything else is undefined
+	length : uint24;
 	response: bytestring &restofdata;
 };
 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
new file mode 100644
index 0000000000..a8735f6d41
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
@@ -0,0 +1 @@
+F, 1995
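Review bot: The new `length : uint24;` field in CertificateStatus is parsed but never used to bound `response`, which stays `bytestring &restofdata`, so proc_certificate_status hands the script layer whatever bytes remain in the handshake message rather than the `length` octets the peer declared; the two differ whenever the message carries trailing data or the declared length is inconsistent with the record. Bounding the field with the declared length, e.g. `response: bytestring &length = to_int()(length);` (assuming the uint24 conversion helper used by the other length-prefixed records in this file is available here), keeps the delivered response consistent with the wire format and should let the parser flag a declared length that exceeds the message instead of passing the data through silently. The analyzer hunk in ssl-analyzer.pac that calls `response.length()` and the `F, 1995` baseline in the new .stdout would need re-checking against the trace after that change.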
diff --git a/testing/btest/Traces/tls/ocsp-stapling.trace b/testing/btest/Traces/tls/ocsp-stapling.trace new file mode 100644 index 0000000000000000000000000000000000000000..8b66f7288d11316bcea20d3ca91066cf167391c4 GIT binary patch literal 9427 zcmds72~-o=wyjD+2s0sJkTEFu6eLt2D5xl-fGD8IWP=hQK$I~FvrM5G1rZ0F70~WR z#i`Lo6g5ICsEDE<2!e_@gEFe^YpbXFV-hc0}zy5cvyG-4xyYIQ@+}it|Q#4fl zUWkEkknrE=C42F=cRnUh>h@wdIXiU3(dkeRZX8DxfsAbv4! zXUeeY>efr}#aU7NU!xD7#*B`pU4bABPUI|%#o}O?AWq5ZBck_km@)M8Qj*YeaE-Px z+_5*Txa+6t}JY;m4wEz!x<|5yc&gd$s6xMP#~Yo7w6C9 zYeFWFF_ZzN^JVxVkP-AVUye`UtMXMK1&G9#;$tCkK8Y{J*Wjx|hL8cY7uo~DWW|@} z;~;$~A2NqT`9!`bUy_f3L_omhAvs74B11%o0O27lG>QQht%f8Z92SBxkT^sKAkvT& zGz0WWLQ3FaaWIvl;BiqfP#%DY01y(`FBkwI1IYp~5EjrYg8B&pT`-Kg?-*MOdLse} z+T>7+JhI!4hC1xaq)<1{iaOAgBn#tCRgbw31j8DHm;v0U;sG|%DlF{m;cvdhH)gBr zfcW{^bx~KiDxX4L9>1E_@FveDENst9N&^A7*=%@E&q2G!ruDG>&)y*ntG8?8rT4DY z=x9qV=93|?Fksp!43;4Q5idi;ix9pA;o%=3Jdw)AvlJF2t8g z(?HbF8xkZ1;SI_fb_9n@abR+zLfIQ>ix88s2MpFQ*})u2s6Qow!=x~{lt3;wjI&T* zKPoDU8VOK20F~++8m!L_V^HS!&PC?ajFI{1U@S?09NjXA!QoI0Db~?kW{4ltkK)P* zV)-$+tk4jOv-1jyvyCOi(i~A&l%g5Z5CcO*@NX@+q@$MxhDIhvCTkHMEKVaKM7)G9 z9>&4E1&c8-RRK3E+l?(9{qW)E*fU*@?}HWN?`jM|J=sgcU28 zpC*UMqPImzV)GG%PBWw%8%=bhG$M&UKqQNp7$Zgo0t>)3VZtP`h&1|;C|Pth(=RwQ z#E+(gD4;!JWEmP|CCir`$_e%7Qrs9ZG<8H3y(3PR|JH9A$_@)(6 z=E5jq$c(~N=XjyD&0Vc8a z*8cP^$~#NhLuETkn%i8yv_Ep#H}|Z@x?a6ggOZDu9M;W*pGRMM5)d4Ej+xs0+N+Di z^7tWj z@Mn&vJeH2K{-< z8jc4k6(#Vz9Uo4&r=f^Xt)ovYO5Q^I)r`)&ygAUOCi50i-SFmXuo zYv5BgA};wUlHAUd7x*%S$)$#Yoe4b8MP14x2XjJL4C+Kj^C)2)E;U#fLg4^TM3`V4 z0O83o!dR0>O$rx}%nc0<;!J)@E;=}9N?!;wI)XFNGPyCEgp&)bRTNk|^@e~0)JQlC z0tt4dnhXq&;&51uNC84ey`YWLLv-;3@D_=Ph+^UKUl_cYcbYAn_R#_drec z&`;AtrvqeU?P?do4bt;v2TkN8v>#>u@*gw*4gvEIO=SM4Bq8(Pu9?XE+#mx4nNJ0? 
zA(6th!!T|G68O!j2%M%d(YR1wPS^zNfG5930KrUN2?K1x3G6zy!m)Xo?C)QDK>Xmf zhaux@>9&Plu^S3Y8g^=`yyvfU?3doqkg}^|aofU-?!&)zIG(pl%T{oU{=l>k*i-3T zsr2^vbzeYD>i@VleqFRZI1Fp6ypII&L z>Ubohn$|P>9^y3?7R8M6lGh{FU1n;V z>uvRv4`?*x&z^C7W3Nh=mDSd)>->@M^N%=NGGw-Qt;yH={2{gLRluxc>n^``T2S$( zfSSH&2h?#J!b=0W6i0ZtzOQmg)PaH*JeLi9aC1}D`wO*7le~r`-<-(v|9!b!h!}&d z3G|c(6p(^Oi6WG~F~z0mQI>_WDU1kiU?`gv3j`3A)6kHh7@9R=iH^mR77K?^glg#& z;STbpD?|8~h`+ zyX2a2A%pJccjxxa)9+r+;9O%ryl7o%z*{ znb;qssjg2ysdKDYw@77??5y>qGi`)y2XaeF^0RZ<&jP!(0_t4K>vHbquObiR1RfQ5~>OW1P}fLr*6a)?W5r4BXq<7j{`rUe~H`$!!^c+ z7a#@Hw0YzF=gjntU^A!EbC@r~P%pqpz@!v(c5U1YL~()!38jVrPgF7(4~~ICu>#}^ z#0_)>3mFxb#4!+*`B!qJevpJc@|!MYI?&`%9zQ2ZRwMGeB&-5G_oIjrCDK30B98B|1DVb)g%g9AY5M74MW@xu{=>xS0s$2sn1q zlo2J+0oaBpAQ?kTa|48KtVh$M8-oq-RgZu_X^1|eC%gt?ra3v7Q|0V?`A)pg{H?OB z>tYWg)^BO@8FR{zW;ls{1){aK=**S3ISt0eN$ko;#?+GE!awOAzG!nXm=!8Je|L7Z zEA?W<@#XtsAN29IKOv7~)uoiBv~Ev7Uc!vA8+JQ-rcO-bf~@?XV$wd(K8b5L`t9!N zE0&2gNXUDk^seG%%Uy?@=!+c(_#V3ax}8#5lI)xGbzw6zb(f#+4NUKUXO%O@EXpLr zmTgV*+Grx3hI!+^XFE;iaX|a8hq4c>s0$BWsQICszVuT_^WMQFE&a*sV?Bd&H+|T{ zEgS7r^y+4;J8pY1KgZwNg?ybxhjX={#BS)X=vAM>APXI{k_~*VXIcwXR_j| z!#b3x-=L2}$`>o}jP-ol1b2COU7X}u;d$RfM zg3Vn6O(lIFdQ4BXMdTUIP*XL##nqajx&0w|q(oF~(AgX({KsY)2>- zXlC=!q<|k4VV=fT-b=$k?YE}pD;kFOl5>eC>)6?^P|6#U7oB||z2Zls%Aw1D) zaTqG#iSohE3cT1@=8Ayj@kCF6uA^Xo{)93pRG57GKX|bJx9VV4hy~c4Kx-FGIobcH z4(4d->_l131Vsr@DPt?i7$7t{LN`E<_MjNH7U3Y_h#g4r$4&>Jh)Om&rF2#mqhTVO z?>c<_zWaM_>gGMTX;bK_HN+%n$_xd>@h)TGq?7grns6GWcP9kisFip7G_-V3&Us1v z+{P8r2}Md38=rr=-?1+(O|Ly&J>8vCuv;DK$k*%Y}YQ1+=qFrj;R%mVA_{-U< z#*KP+)P|@>j5fr)_^XL^Ohqlu$UP?5S3cij#PQZPIdRGDwuRyC3(Bd3_YbUa4R%O; zyiI<&0pgzJs1sfD2%F*Ox{S2woJH}AkX)^1#r5eQCmEx7t2v+VK2a;+i5P(5EEO~zAmDOe z1stlgx~biuSkBCquU+!-jpAeh|39CIp+#CcVn|!?Ez_if)YE7@)BKMe5dQbyK0qrd z^KS>tkCx}rHu=i|u5WpgfcZa7Wd4k30rM-txWM*_%>U!6?TJ@QUbt!2-ECJ|^3anP zr_{5|kD&0UWurp_dw%1~4D2!u^GEGx%OOfe)2KQrCcXE_IzMOfqkFq-uI2rKY|-DB z)FT^Eu|AuxvS_zqWPn_^;les`|B`#<%`OjYl+%lJ)N3`kS%ncAdA+vVFFMN`&!f!T 
zuUt`o*u(mjS&gNoU1tqWsSM|r5xIHzh=>JA>2cEBmSkP6KDUOEk_YEC$lRSXtgi1} zSMS}repGU2zgyC%=w6++y2R|Wu60_+Jg-^0eaUWLSN9^mx_-^FuyX1pq6*(x?oq?i zgiUR?hhJ&BZOeUJ`|-K){Br9a^LFAFmza?ztszV4KxnT?$J1)zk%J6;FZ+EZGr0uS zdI~Q22$EcgBp>{~4v9sQxBQcZNJ}SY#7C%y7!2Zy$SX|xK7s%tft5{#to=6*1q`CF zLVQ7uo=WkFp|F|$Og1ybmq`g?F?^_$Ag&)3{rF+BV7%^wkWg#2acC`HSZEbPB+yP7 zG+Px-0>`Ow9TUM}!1o(X^ezzxa-9B7;K%j*7b(EzZX2)q*CqXiG+*?G25)& z{o~H+n!VIqel_;qKA*~u9f1`|n}_RPEF@9Lo5P=X#*NyL=kW?R8sxO>xLFywzJGv2h?DOSH~$+BB3%8sl&|FX=owq)mDzbuvN*cYw;^vS*z90ykdzd1Q*NWIJq zeu@dF4KS&8o}_3iKk-XLr|UCCv%{?q*3oPEw z@#n6`H$Lw+p!~%<7Pw0FmkmF2MEbAK_^r@?)3$n-e3hf7xdjiRpSbiUu`n%Ga~rh0 zqz(_sdWLvkUX?RXVd&nrRd+1H7U=gW`5%k^(&KWEEwN~LRnNoC_RteOzRP|4fg1(s zthxdj-u|C+nk7>o#cE|1vSofHh+P*qE@$u3-DGkh_NvjZ%c|DrJi!f8JfK8 z5s`R0dq_T3;@VY-kiq3k`A7u+x9+feEGYOSpLs(12UV4<*uPg*$%qD375i^hm3|3ORauEL?7kl&?q~f7kpfMJc;JVK zk~V)2F=sxo@$7Vnq*`g{74QJsCVzg1S{5z+0iqHGO7|F30ZLZC9J*@s^Si$+1o<#< zMcGAEnGYCAY2!nk9xbz1G+&FS`I2L)`}+GWPu|tCXjOgH_4vl1ZODeekGh`HN`nsu ze2O*sacgtrR=3Z#4~%s=s;YiHdGHrW53@gJCz*><(=?hZ_x&={tXGQIcCeF-eh7on z36aeodvhhh+Rva%UB2Uey|F3#%gq&9dCH|^|EKmA zAU3o{2#Nann{+%&80lCR(72fcT z#xom_{=6q($4vJ8>&r~8Wjf{7Tcwo6u1-v;HQ_)DpIPTUYdXKs3^j)MVC*j{ET#(r z{bS>FK{y!iQJxbH!usXAurfgqTrB~jb2|)W12nWv32VZApC2HCu%-MZ_w*_L9}Dd*}aXc zDsO0v?pd%#d*PnP_*9)0iK(b<-SXJ+7j25`>24=c*9T@!a(y^(eRUEM#vThFcl`}Y z)?g-zSf%g{ams4x+tjCBZ8h*88~jzucQ4vtGg$2n6!C*17775aL)#QY4~J_%Kt%ob zwIB-Y6Clc?{u2{nUbUCL;vVF*qt)m5t&~;99h*Ky$0g*`0;8$-jvAuV4ufgYO)&jN waQ$Q2X}bgqAx^)LCI{R&;#6n5XQ0jwI5o-HY~bu}@b@9uqXXm4u16R1Uo6+Q(*OVf literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test new file mode 100644 index 0000000000..b50f04a92e --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test 
@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
+	{
+	print is_orig, |response|;
+	}