sync to unbound 1.13.2

OK sthen

diff --git a/sbin/unwind/libunbound/config.h b/sbin/unwind/libunbound/config.h
index 8043b28..435139a 100644 (file)
--- a/sbin/unwind/libunbound/config.h
+++ b/sbin/unwind/libunbound/config.h
@@ -29,6 +29,9 @@
 /* Whether daemon is deprecated */
 /* #undef DEPRECATED_DAEMON */
 
+/* Deprecate RSA 1024 bit length, makes that an unsupported key */
+/* #undef DEPRECATE_RSA_1024 */
+
 /* Define this to enable kernel based UDP source port randomization. */
 #define DISABLE_EXPLICIT_PORT_RANDOMISATION 1
 
@@ -218,7 +221,7 @@
 #define HAVE_EVP_CLEANUP 1
 
 /* Define to 1 if you have the `EVP_DigestVerify' function. */
-/* #undef HAVE_EVP_DIGESTVERIFY */
+#define HAVE_EVP_DIGESTVERIFY 1
 
 /* Define to 1 if you have the `EVP_dss1' function. */
 #define HAVE_EVP_DSS1 1
@@ -427,6 +430,9 @@
 /* Define to 1 if you have the `OPENSSL_init_ssl' function. */
 #define HAVE_OPENSSL_INIT_SSL 1
 
+/* Define to 1 if you have the <openssl/param_build.h> header file. */
+/* #undef HAVE_OPENSSL_PARAM_BUILD_H */
+
 /* Define to 1 if you have the <openssl/rand.h> header file. */
 #define HAVE_OPENSSL_RAND_H 1
 
@@ -436,6 +442,9 @@
 /* Define to 1 if you have the <openssl/ssl.h> header file. */
 #define HAVE_OPENSSL_SSL_H 1
 
+/* Define to 1 if you have the `OSSL_PARAM_BLD_new' function. */
+/* #undef HAVE_OSSL_PARAM_BLD_NEW */
+
 /* Define if you have POSIX threads libraries and header files. */
 /* #undef HAVE_PTHREAD */
 
@@ -517,6 +526,9 @@
 /* Define if you have the SSL libraries installed. */
 #define HAVE_SSL /**/
 
+/* Define to 1 if you have the `SSL_CTX_set_alpn_protos' function. */
+#define HAVE_SSL_CTX_SET_ALPN_PROTOS 1
+
 /* Define to 1 if you have the `SSL_CTX_set_alpn_select_cb' function. */
 #define HAVE_SSL_CTX_SET_ALPN_SELECT_CB 1
 
@@ -530,8 +542,14 @@
    function. */
 /* #undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB */
 
+/* Define to 1 if you have the `SSL_get0_alpn_selected' function. */
+#define HAVE_SSL_GET0_ALPN_SELECTED 1
+
 /* Define to 1 if you have the `SSL_get0_peername' function. */
-/* #undef HAVE_SSL_GET0_PEERNAME */
+#define HAVE_SSL_GET0_PEERNAME 1
+
+/* Define to 1 if you have the `SSL_get1_peer_certificate' function. */
+/* #undef HAVE_SSL_GET1_PEER_CERTIFICATE */
 
 /* Define to 1 if you have the `SSL_set1_host' function. */
 #define HAVE_SSL_SET1_HOST 1
@@ -730,7 +748,7 @@
 #define PACKAGE_NAME "unbound"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "unbound 1.13.1"
+#define PACKAGE_STRING "unbound 1.13.2"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "unbound"
@@ -739,7 +757,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.13.1"
+#define PACKAGE_VERSION "1.13.2"
 
 /* default pidfile location */
 #define PIDFILE ""
@@ -762,7 +780,7 @@
 #define ROOT_CERT_FILE "/var/unbound/etc/icannbundle.pem"
 
 /* version number for resource files */
-#define RSRC_PACKAGE_VERSION 1,13,1,0
+#define RSRC_PACKAGE_VERSION 1,13,2,0
 
 /* Directory to chdir to */
 #define RUN_DIR "/var/unbound/etc"
@@ -848,6 +866,14 @@
 /* Define if you enable libevent */
 #define USE_LIBEVENT 1
 
+/* Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a
+   default outgoing port range. This is only for the libunbound on Linux and
+   does not affect unbound resolving daemon itself. This may severely limit
+   the number of available outgoing ports and thus decrease randomness. Define
+   this only when the target system restricts (e.g. some of SELinux enabled
+   distributions) the use of non-ephemeral ports. */
+/* #undef USE_LINUX_IP_LOCAL_PORT_RANGE */
+
 /* Define if you want to use internal select based events */
 /* #undef USE_MINI_EVENT */
 

diff --git a/sbin/unwind/libunbound/dnstap/dnstap.h b/sbin/unwind/libunbound/dnstap/dnstap.h
index 783b8c5..449fae7 100644 (file)
--- a/sbin/unwind/libunbound/dnstap/dnstap.h
+++ b/sbin/unwind/libunbound/dnstap/dnstap.h
@@ -123,12 +123,14 @@ dt_delete(struct dt_env *env);
  * Create and send a new dnstap "Message" event of type CLIENT_QUERY.
  * @param env: dnstap environment object.
  * @param qsock: address/port of client.
+ * @param rsock: local (service) address/port.
  * @param cptype: comm_udp or comm_tcp.
  * @param qmsg: query message.
  */
 void
 dt_msg_send_client_query(struct dt_env *env,
                         struct sockaddr_storage *qsock,
+                        struct sockaddr_storage *rsock,
                         enum comm_point_type cptype,
                         struct sldns_buffer *qmsg);
 
@@ -136,12 +138,14 @@ dt_msg_send_client_query(struct dt_env *env,
  * Create and send a new dnstap "Message" event of type CLIENT_RESPONSE.
  * @param env: dnstap environment object.
  * @param qsock: address/port of client.
+ * @param rsock: local (service) address/port.
  * @param cptype: comm_udp or comm_tcp.
  * @param rmsg: response message.
  */
 void
 dt_msg_send_client_response(struct dt_env *env,
                            struct sockaddr_storage *qsock,
+                           struct sockaddr_storage *rsock,
                            enum comm_point_type cptype,
                            struct sldns_buffer *rmsg);
 
@@ -150,7 +154,8 @@ dt_msg_send_client_response(struct dt_env *env,
  * FORWARDER_QUERY. The type used is dependent on the value of the RD bit
  * in the query header.
  * @param env: dnstap environment object.
- * @param rsock: address/port of server the query is being sent to.
+ * @param rsock: address/port of server (upstream) the query is being sent to.
+ * @param qsock: address/port of server (local) the query is being sent from.
  * @param cptype: comm_udp or comm_tcp.
  * @param zone: query zone.
  * @param zone_len: length of zone.
@@ -159,6 +164,7 @@ dt_msg_send_client_response(struct dt_env *env,
 void
 dt_msg_send_outside_query(struct dt_env *env,
                          struct sockaddr_storage *rsock,
+                         struct sockaddr_storage *qsock,
                          enum comm_point_type cptype,
                          uint8_t *zone, size_t zone_len,
                          struct sldns_buffer *qmsg);
@@ -168,7 +174,8 @@ dt_msg_send_outside_query(struct dt_env *env,
  * FORWARDER_RESPONSE. The type used is dependent on the value of the RD bit
  * in the query header.
  * @param env: dnstap environment object.
- * @param rsock: address/port of server the response was received from.
+ * @param rsock: address/port of server (upstream) the response was received from.
+ * @param qsock: address/port of server (local) the response was received to.
  * @param cptype: comm_udp or comm_tcp.
  * @param zone: query zone.
  * @param zone_len: length of zone.
@@ -181,6 +188,7 @@ dt_msg_send_outside_query(struct dt_env *env,
 void
 dt_msg_send_outside_response(struct dt_env *env,
                             struct sockaddr_storage *rsock,
+                            struct sockaddr_storage *qsock,
                             enum comm_point_type cptype,
                             uint8_t *zone, size_t zone_len,
                             uint8_t *qbuf, size_t qbuf_len,

diff --git a/sbin/unwind/libunbound/iterator/iter_scrub.c b/sbin/unwind/libunbound/iterator/iter_scrub.c
index aae934d..f093c1b 100644 (file)
--- a/sbin/unwind/libunbound/iterator/iter_scrub.c
+++ b/sbin/unwind/libunbound/iterator/iter_scrub.c
@@ -640,25 +640,37 @@ store_rrset(sldns_buffer* pkt, struct msg_parse* msg, struct module_env* env,
 
 /**
  * Check if right hand name in NSEC is within zone
+ * @param pkt: the packet buffer for decompression.
  * @param rrset: the NSEC rrset
  * @param zonename: the zone name.
  * @return true if BAD.
  */
-static int sanitize_nsec_is_overreach(struct rrset_parse* rrset, 
-       uint8_t* zonename)
+static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
+       struct rrset_parse* rrset, uint8_t* zonename)
 {
        struct rr_parse* rr;
        uint8_t* rhs;
        size_t len;
        log_assert(rrset->type == LDNS_RR_TYPE_NSEC);
        for(rr = rrset->rr_first; rr; rr = rr->next) {
+               size_t pos = sldns_buffer_position(pkt);
+               size_t rhspos;
                rhs = rr->ttl_data+4+2;
                len = sldns_read_uint16(rr->ttl_data+4);
-               if(!dname_valid(rhs, len)) {
-                       /* malformed domain name in rdata */
+               rhspos = rhs-sldns_buffer_begin(pkt);
+               sldns_buffer_set_position(pkt, rhspos);
+               if(pkt_dname_len(pkt) == 0) {
+                       /* malformed */
+                       sldns_buffer_set_position(pkt, pos);
                        return 1;
                }
-               if(!dname_subdomain_c(rhs, zonename)) {
+               if(sldns_buffer_position(pkt)-rhspos > len) {
+                       /* outside of rdata boundaries */
+                       sldns_buffer_set_position(pkt, pos);
+                       return 1;
+               }
+               sldns_buffer_set_position(pkt, pos);
+               if(!pkt_sub(pkt, rhs, zonename)) {
                        /* overreaching */
                        return 1;
                }
@@ -791,7 +803,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
                }
                /* check if right hand side of NSEC is within zone */
                if(rrset->type == LDNS_RR_TYPE_NSEC &&
-                       sanitize_nsec_is_overreach(rrset, zonename)) {
+                       sanitize_nsec_is_overreach(pkt, rrset, zonename)) {
                        remove_rrset("sanitize: removing overreaching NSEC "
                                "RRset:", pkt, msg, prev, &rrset);
                        continue;

diff --git a/sbin/unwind/libunbound/iterator/iter_utils.c b/sbin/unwind/libunbound/iterator/iter_utils.c
index 7bc67da..668f898 100644 (file)
--- a/sbin/unwind/libunbound/iterator/iter_utils.c
+++ b/sbin/unwind/libunbound/iterator/iter_utils.c
@@ -50,6 +50,7 @@
 #include "services/cache/infra.h"
 #include "services/cache/dns.h"
 #include "services/cache/rrset.h"
+#include "services/outside_network.h"
 #include "util/net_help.h"
 #include "util/module.h"
 #include "util/log.h"
@@ -439,6 +440,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
                prev = NULL;
                a = dp->result_list;
                for(i = 0; i < got_num; i++) {
+                       if(!a) break; /* robustness */
                        swap_to_front = 0;
                        if(a->addr.ss_family != AF_INET6 && attempt == -1) {
                                /* if we only have ip4 at low attempt count,
@@ -496,6 +498,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
                prev = NULL;
                a = dp->result_list;
                for(i = 0; i < got_num; i++) {
+                       if(!a) break; /* robustness */
                        swap_to_front = 0;
                        if(a->addr.ss_family != AF_INET && attempt == -1) {
                                /* if we only have ip6 at low attempt count,
@@ -1390,7 +1393,8 @@ int iter_dp_cangodown(struct query_info* qinfo, struct delegpt* dp)
 }
 
 int
-iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf)
+iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf,
+       uint8_t** retdpname, size_t* retdpnamelen)
 {
        struct iter_hints_stub *stub;
        struct delegpt *dp;
@@ -1419,6 +1423,10 @@ iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf)
                        dname_str(stub->dp->name, dpname);
                        verbose(VERB_ALGO, "stub for %s %s has no_cache", qname, dpname);
                }
+               if(retdpname) {
+                       *retdpname = stub->dp->name;
+                       *retdpnamelen = stub->dp->namelen;
+               }
                return (stub->dp->no_cache);
        }
 
@@ -1431,7 +1439,31 @@ iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf)
                        dname_str(dp->name, dpname);
                        verbose(VERB_ALGO, "forward for %s %s has no_cache", qname, dpname);
                }
+               if(retdpname) {
+                       *retdpname = dp->name;
+                       *retdpnamelen = dp->namelen;
+               }
                return (dp->no_cache);
        }
+       if(retdpname) {
+               *retdpname = NULL;
+               *retdpnamelen = 0;
+       }
        return 0;
 }
+
+void iterator_set_ip46_support(struct module_stack* mods,
+       struct module_env* env, struct outside_network* outnet)
+{
+       int m = modstack_find(mods, "iterator");
+       struct iter_env* ie = NULL;
+       if(m == -1)
+               return;
+       ie = (struct iter_env*)env->modinfo[m];
+       if(outnet->pending == NULL)
+               return; /* we are in testbound, no rbtree for UDP */
+       if(outnet->num_ip4 == 0)
+               ie->supports_ipv4 = 0;
+       if(outnet->num_ip6 == 0)
+               ie->supports_ipv6 = 0;
+}

diff --git a/sbin/unwind/libunbound/iterator/iter_utils.h b/sbin/unwind/libunbound/iterator/iter_utils.h
index f771930..509d292 100644 (file)
--- a/sbin/unwind/libunbound/iterator/iter_utils.h
+++ b/sbin/unwind/libunbound/iterator/iter_utils.h
@@ -59,6 +59,8 @@ struct reply_info;
 struct module_qstate;
 struct sock_list;
 struct ub_packed_rrset_key;
+struct module_stack;
+struct outside_network;
 
 /**
  * Process config options and set iterator module state.
@@ -130,7 +132,7 @@ struct dns_msg* dns_copy_msg(struct dns_msg* from, struct regional* regional);
  *     can be prefetch-updates.
  * @param region: to copy modified (cache is better) rrs back to.
  * @param flags: with BIT_CD for dns64 AAAA translated queries.
- * @return void, because we are not interested in alloc errors,
+ * return void, because we are not interested in alloc errors,
  *     the iterator and validator can operate on the results in their
  *     scratch space (the qstate.region) and are not dependent on the cache.
  *     It is useful to log the alloc failure (for the server operator),
@@ -380,9 +382,26 @@ int iter_dp_cangodown(struct query_info* qinfo, struct delegpt* dp);
  * Lookup if no_cache is set in stub or fwd.
  * @param qstate: query state with env with hints and fwds.
  * @param qinf: query name to lookup for.
+ * @param retdpname: returns NULL or the deepest enclosing name of fwd or stub.
+ *     This is the name under which the closest lookup is going to happen.
+ *     Used for NXDOMAIN checks, above that it is an nxdomain from a
+ *     different server and zone. You can pass NULL to not get it.
+ * @param retdpnamelen: returns the length of the dpname.
  * @return true if no_cache is set in stub or fwd.
  */
 int iter_stub_fwd_no_cache(struct module_qstate *qstate,
-       struct query_info *qinf);
+       struct query_info *qinf, uint8_t** retdpname, size_t* retdpnamelen);
+
+/**
+ * Set support for IP4 and IP6 depending on outgoing interfaces
+ * in the outside network.  If none, no support, so no use to lookup
+ * the AAAA and then attempt to use it if there is no outgoing-interface
+ * for it.
+ * @param mods: modstack to find iterator module in.
+ * @param env: module env, find iterator module (if one) in there.
+ * @param outnet: outside network structure.
+ */
+void iterator_set_ip46_support(struct module_stack* mods,
+       struct module_env* env, struct outside_network* outnet);
 
 #endif /* ITERATOR_ITER_UTILS_H */

diff --git a/sbin/unwind/libunbound/iterator/iterator.c b/sbin/unwind/libunbound/iterator/iterator.c
index 99d0201..f0105ad 100644 (file)
--- a/sbin/unwind/libunbound/iterator/iterator.c
+++ b/sbin/unwind/libunbound/iterator/iterator.c
@@ -585,6 +585,60 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
        return 1;
 }
 
+/** add response specific error information for log servfail */
+static void
+errinf_reply(struct module_qstate* qstate, struct iter_qstate* iq)
+{
+       if(qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail)
+               return;
+       if((qstate->reply && qstate->reply->addrlen != 0) ||
+               (iq->fail_reply && iq->fail_reply->addrlen != 0)) {
+               char from[256], frm[512];
+               if(qstate->reply && qstate->reply->addrlen != 0)
+                       addr_to_str(&qstate->reply->addr, qstate->reply->addrlen,
+                               from, sizeof(from));
+               else
+                       addr_to_str(&iq->fail_reply->addr, iq->fail_reply->addrlen,
+                               from, sizeof(from));
+               snprintf(frm, sizeof(frm), "from %s", from);
+               errinf(qstate, frm);
+       }
+       if(iq->scrub_failures || iq->parse_failures) {
+               if(iq->scrub_failures)
+                       errinf(qstate, "upstream response failed scrub");
+               if(iq->parse_failures)
+                       errinf(qstate, "could not parse upstream response");
+       } else if(iq->response == NULL && iq->timeout_count != 0) {
+               errinf(qstate, "upstream server timeout");
+       } else if(iq->response == NULL) {
+               errinf(qstate, "no server to query");
+               if(iq->dp) {
+                       if(iq->dp->target_list == NULL)
+                               errinf(qstate, "no addresses for nameservers");
+                       else    errinf(qstate, "nameserver addresses not usable");
+                       if(iq->dp->nslist == NULL)
+                               errinf(qstate, "have no nameserver names");
+                       if(iq->dp->bogus)
+                               errinf(qstate, "NS record was dnssec bogus");
+               }
+       }
+       if(iq->response && iq->response->rep) {
+               if(FLAGS_GET_RCODE(iq->response->rep->flags) != 0) {
+                       char rcode[256], rc[32];
+                       (void)sldns_wire2str_rcode_buf(
+                               FLAGS_GET_RCODE(iq->response->rep->flags),
+                               rc, sizeof(rc));
+                       snprintf(rcode, sizeof(rcode), "got %s", rc);
+                       errinf(qstate, rcode);
+               } else {
+                       /* rcode NOERROR */
+                       if(iq->response->rep->an_numrrsets == 0) {
+                               errinf(qstate, "nodata answer");
+                       }
+               }
+       }
+}
+
 /** see if last resort is possible - does config allow queries to parent */
 static int
 can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen,
@@ -1228,8 +1282,8 @@ static int
 processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
        struct iter_env* ie, int id)
 {
-       uint8_t* delname;
-       size_t delnamelen;
+       uint8_t* delname, *dpname=NULL;
+       size_t delnamelen, dpnamelen=0;
        struct dns_msg* msg = NULL;
 
        log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo);
@@ -1283,7 +1337,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
        /* This either results in a query restart (CNAME cache response), a
         * terminating response (ANSWER), or a cache miss (null). */
        
-       if (iter_stub_fwd_no_cache(qstate, &iq->qchase)) {
+       if (iter_stub_fwd_no_cache(qstate, &iq->qchase, &dpname, &dpnamelen)) {
                /* Asked to not query cache. */
                verbose(VERB_ALGO, "no-cache set, going to the network");
                qstate->no_cache_lookup = 1;
@@ -1298,7 +1352,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
                msg = dns_cache_lookup(qstate->env, iq->qchase.qname, 
                        iq->qchase.qname_len, iq->qchase.qtype, 
                        iq->qchase.qclass, qstate->query_flags,
-                       qstate->region, qstate->env->scratch, 0);
+                       qstate->region, qstate->env->scratch, 0, dpname,
+                       dpnamelen);
                if(!msg && qstate->env->neg_cache &&
                        iter_qname_indicates_dnssec(qstate->env, &iq->qchase)) {
                        /* lookup in negative cache; may result in
@@ -1921,6 +1976,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
                 * of a response. */
                errinf(qstate, "all the configured stub or forward servers failed,");
                errinf_dname(qstate, "at zone", iq->dp->name);
+               errinf_reply(qstate, iq);
                verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
                return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
        }
@@ -2067,6 +2123,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
 
        errinf(qstate, "all servers for this domain failed,");
        errinf_dname(qstate, "at zone", iq->dp->name);
+       errinf_reply(qstate, iq);
        verbose(VERB_QUERY, "out of query targets -- returning SERVFAIL");
        /* fail -- no more targets, no more hope of targets, no hope 
         * of a response. */
@@ -2288,7 +2345,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
                                iq->qinfo_out.qname, iq->qinfo_out.qname_len, 
                                iq->qinfo_out.qtype, iq->qinfo_out.qclass, 
                                qstate->query_flags, qstate->region, 
-                               qstate->env->scratch, 0);
+                               qstate->env->scratch, 0, iq->dp->name,
+                               iq->dp->namelen);
                        if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
                                LDNS_RCODE_NOERROR)
                                /* no need to send query if it is already 
@@ -2611,7 +2669,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
                (iq->dp->ssl_upstream || qstate->env->cfg->ssl_upstream),
                target->tls_auth_name, qstate);
        if(!outq) {
-               log_addr(VERB_DETAIL, "error sending query to auth server", 
+               log_addr(VERB_QUERY, "error sending query to auth server",
                        &target->addr, target->addrlen);
                if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok)
                    infra_ratelimit_dec(qstate->env->infra_cache, iq->dp->name,
@@ -2957,6 +3015,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
                        qstate->env->detach_subs));
                (*qstate->env->detach_subs)(qstate);
                iq->num_target_queries = 0;
+               iq->response = NULL;
+               iq->fail_reply = NULL;
                verbose(VERB_ALGO, "cleared outbound list for next round");
                return next_state(iq, QUERYTARGETS_STATE);
        } else if(type == RESPONSE_TYPE_CNAME) {
@@ -3720,6 +3780,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
        }
 
        /* parse message */
+       iq->fail_reply = qstate->reply;
        prs = (struct msg_parse*)regional_alloc(qstate->env->scratch, 
                sizeof(struct msg_parse));
        if(!prs) {
@@ -3733,12 +3794,15 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
        sldns_buffer_set_position(pkt, 0);
        if(parse_packet(pkt, prs, qstate->env->scratch) != LDNS_RCODE_NOERROR) {
                verbose(VERB_ALGO, "parse error on reply packet");
+               iq->parse_failures++;
                goto handle_it;
        }
        /* edns is not examined, but removed from message to help cache */
        if(parse_extract_edns(prs, &edns, qstate->env->scratch) !=
-               LDNS_RCODE_NOERROR)
+               LDNS_RCODE_NOERROR) {
+               iq->parse_failures++;
                goto handle_it;
+       }
 
        /* Copy the edns options we may got from the back end */
        if(edns.opt_list) {
@@ -3772,6 +3836,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
                        iq->num_current_queries--;
                        verbose(VERB_DETAIL, "Capsforid: scrub failed, starting fallback with no response");
                }
+               iq->scrub_failures++;
                goto handle_it;
        }
 

diff --git a/sbin/unwind/libunbound/iterator/iterator.h b/sbin/unwind/libunbound/iterator/iterator.h
index 342ac20..dc5e575 100644 (file)
--- a/sbin/unwind/libunbound/iterator/iterator.h
+++ b/sbin/unwind/libunbound/iterator/iterator.h
@@ -61,7 +61,7 @@ struct rbtree_type;
  * its subqueries */
 #define MAX_TARGET_NX          5
 /** max number of query restarts. Determines max number of CNAME chain. */
-#define MAX_RESTART_COUNT       8
+#define MAX_RESTART_COUNT      11
 /** max number of referrals. Makes sure resolver does not run away */
 #define MAX_REFERRAL_COUNT     130
 /** max number of queries-sent-out.  Make sure large NS set does not loop */
@@ -406,6 +406,12 @@ struct iter_qstate {
        int auth_zone_response;
        /** True if the auth_zones should not be consulted for the query */
        int auth_zone_avoid;
+       /** true if there have been scrubbing failures of reply packets */
+       int scrub_failures;
+       /** true if there have been parse failures of reply packets */
+       int parse_failures;
+       /** a failure printout address for last received answer */
+       struct comm_reply* fail_reply;
 };
 
 /**

diff --git a/sbin/unwind/libunbound/libunbound/context.c b/sbin/unwind/libunbound/libunbound/context.c
index cff2831..e589c6a 100644 (file)
--- a/sbin/unwind/libunbound/libunbound/context.c
+++ b/sbin/unwind/libunbound/libunbound/context.c
@@ -69,6 +69,7 @@ context_finalize(struct ub_ctx* ctx)
        } else {
                log_init(cfg->logfile, cfg->use_syslog, NULL);
        }
+       cfg_apply_local_port_policy(cfg, 65536);
        config_apply(cfg);
        if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env))
                return UB_INITFAIL;
@@ -78,7 +79,8 @@ context_finalize(struct ub_ctx* ctx)
                return UB_NOMEM;
        if(!local_zones_apply_cfg(ctx->local_zones, cfg))
                return UB_INITFAIL;
-       if(!auth_zones_apply_cfg(ctx->env->auth_zones, cfg, 1, &is_rpz))
+       if(!auth_zones_apply_cfg(ctx->env->auth_zones, cfg, 1, &is_rpz,
+               ctx->env, &ctx->mods))
                return UB_INITFAIL;
        if(!edns_strings_apply_cfg(ctx->env->edns_strings, cfg))
                return UB_INITFAIL;

diff --git a/sbin/unwind/libunbound/libunbound/libworker.c b/sbin/unwind/libunbound/libunbound/libworker.c
index 7f46df3..8a9ca94 100644 (file)
--- a/sbin/unwind/libunbound/libunbound/libworker.c
+++ b/sbin/unwind/libunbound/libunbound/libworker.c
@@ -241,7 +241,9 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
                ports, numports, cfg->unwanted_threshold,
                cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w,
                cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx,
-               cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect);
+               cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect,
+               cfg->max_reuse_tcp_queries, cfg->tcp_reuse_timeout,
+               cfg->tcp_auth_query_timeout);
        w->env->outnet = w->back;
        if(!w->is_bg || w->is_bg_thread) {
                lock_basic_unlock(&ctx->cfglock);
@@ -454,8 +456,15 @@ fill_res(struct ub_result* res, struct ub_packed_rrset_key* answer,
                if(rep->rrset_count != 0)
                        res->ttl = (int)rep->ttl;
                res->data = (char**)calloc(1, sizeof(char*));
+               if(!res->data)
+                       return 0; /* out of memory */
                res->len = (int*)calloc(1, sizeof(int));
-               return (res->data && res->len);
+               if(!res->len) {
+                       free(res->data);
+                       res->data = NULL;
+                       return 0; /* out of memory */
+               }
+               return 1;
        }
        data = (struct packed_rrset_data*)answer->entry.data;
        if(query_dname_compare(rq->qname, answer->rk.dname) != 0) {
@@ -463,15 +472,30 @@ fill_res(struct ub_result* res, struct ub_packed_rrset_key* answer,
                        return 0; /* out of memory */
        } else  res->canonname = NULL;
        res->data = (char**)calloc(data->count+1, sizeof(char*));
+       if(!res->data)
+               return 0; /* out of memory */
        res->len = (int*)calloc(data->count+1, sizeof(int));
-       if(!res->data || !res->len)
+       if(!res->len) {
+               free(res->data);
+               res->data = NULL;
                return 0; /* out of memory */
+       }
        for(i=0; i<data->count; i++) {
                /* remove rdlength from rdata */
                res->len[i] = (int)(data->rr_len[i] - 2);
                res->data[i] = memdup(data->rr_data[i]+2, (size_t)res->len[i]);
-               if(!res->data[i])
+               if(!res->data[i]) {
+                       size_t j;
+                       for(j=0; j<i; j++) {
+                               free(res->data[j]);
+                               res->data[j] = NULL;
+                       }
+                       free(res->data);
+                       res->data = NULL;
+                       free(res->len);
+                       res->len = NULL;
                        return 0; /* out of memory */
+               }
        }
        /* ttl for positive answers, from CNAME and answer RRs */
        if(data->count != 0) {
@@ -876,35 +900,6 @@ struct outbound_entry* libworker_send_query(struct query_info* qinfo,
        return e;
 }
 
-int 
-libworker_handle_reply(struct comm_point* c, void* arg, int error,
-        struct comm_reply* reply_info)
-{
-       struct module_qstate* q = (struct module_qstate*)arg;
-       struct libworker* lw = (struct libworker*)q->env->worker;
-       struct outbound_entry e;
-       e.qstate = q;
-       e.qsent = NULL;
-
-       if(error != 0) {
-               mesh_report_reply(lw->env->mesh, &e, reply_info, error);
-               return 0;
-       }
-       /* sanity check. */
-       if(!LDNS_QR_WIRE(sldns_buffer_begin(c->buffer))
-               || LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) !=
-                       LDNS_PACKET_QUERY
-               || LDNS_QDCOUNT(sldns_buffer_begin(c->buffer)) > 1) {
-               /* error becomes timeout for the module as if this reply
-                * never arrived. */
-               mesh_report_reply(lw->env->mesh, &e, reply_info, 
-                       NETEVENT_TIMEOUT);
-               return 0;
-       }
-       mesh_report_reply(lw->env->mesh, &e, reply_info, NETEVENT_NOERROR);
-       return 0;
-}
-
 int 
 libworker_handle_service_reply(struct comm_point* c, void* arg, int error,
         struct comm_reply* reply_info)
@@ -947,14 +942,6 @@ int worker_handle_request(struct comm_point* ATTR_UNUSED(c),
        return 0;
 }
 
-int worker_handle_reply(struct comm_point* ATTR_UNUSED(c), 
-       void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
-        struct comm_reply* ATTR_UNUSED(reply_info))
-{
-       log_assert(0);
-       return 0;
-}
-
 int worker_handle_service_reply(struct comm_point* ATTR_UNUSED(c), 
        void* ATTR_UNUSED(arg), int ATTR_UNUSED(error),
         struct comm_reply* ATTR_UNUSED(reply_info))

diff --git a/sbin/unwind/libunbound/libunbound/worker.h b/sbin/unwind/libunbound/libunbound/worker.h
index fe1d518..bf74738 100644 (file)
--- a/sbin/unwind/libunbound/libunbound/worker.h
+++ b/sbin/unwind/libunbound/libunbound/worker.h
@@ -75,10 +75,6 @@ struct outbound_entry* libworker_send_query(struct query_info* qinfo,
        size_t zonelen, int ssl_upstream, char* tls_auth_name,
        struct module_qstate* q);
 
-/** process incoming replies from the network */
-int libworker_handle_reply(struct comm_point* c, void* arg, int error,
-        struct comm_reply* reply_info);
-
 /** process incoming serviced query replies from the network */
 int libworker_handle_service_reply(struct comm_point* c, void* arg, int error,
         struct comm_reply* reply_info);
@@ -146,10 +142,6 @@ void worker_handle_control_cmd(struct tube* tube, uint8_t* msg, size_t len,
 int worker_handle_request(struct comm_point* c, void* arg, int error,
        struct comm_reply* repinfo);
 
-/** process incoming replies from the network */
-int worker_handle_reply(struct comm_point* c, void* arg, int error, 
-       struct comm_reply* reply_info);
-
 /** process incoming serviced query replies from the network */
 int worker_handle_service_reply(struct comm_point* c, void* arg, int error, 
        struct comm_reply* reply_info);

diff --git a/sbin/unwind/libunbound/respip/respip.c b/sbin/unwind/libunbound/respip/respip.c
index 8fe82cd..aae41f5 100644 (file)
--- a/sbin/unwind/libunbound/respip/respip.c
+++ b/sbin/unwind/libunbound/respip/respip.c
@@ -129,7 +129,7 @@ respip_sockaddr_delete(struct respip_set* set, struct resp_addr* node)
        struct resp_addr* prev;
        prev = (struct resp_addr*)rbtree_previous((struct rbnode_type*)node);   
        lock_rw_destroy(&node->lock);
-       rbtree_delete(&set->ip_tree, node);
+       (void)rbtree_delete(&set->ip_tree, node);
        /* no free'ing, all allocated in region */
        if(!prev)
                addr_tree_init_parents((rbtree_type*)set);

diff --git a/sbin/unwind/libunbound/services/authzone.c b/sbin/unwind/libunbound/services/authzone.c
index 2ef782c..e6e3a8c 100644 (file)
--- a/sbin/unwind/libunbound/services/authzone.c
+++ b/sbin/unwind/libunbound/services/authzone.c
@@ -67,7 +67,11 @@
 #include "sldns/parseutil.h"
 #include "sldns/keyraw.h"
 #include "validator/val_nsec3.h"
+#include "validator/val_nsec.h"
 #include "validator/val_secalgo.h"
+#include "validator/val_sigcrypt.h"
+#include "validator/val_anchor.h"
+#include "validator/val_utils.h"
 #include <ctype.h>
 
 /** bytes to use for NSEC3 hash buffer. 20 for sha1 */
@@ -1741,9 +1745,45 @@ int auth_zone_write_file(struct auth_zone* z, const char* fname)
        return 1;
 }
 
+/** offline verify for zonemd, while reading a zone file to immediately
+ * spot bad hashes in zonefile as they are read.
+ * Creates temp buffers, but uses anchors and validation environment
+ * from the module_env. */
+static void
+zonemd_offline_verify(struct auth_zone* z, struct module_env* env_for_val,
+       struct module_stack* mods)
+{
+       struct module_env env;
+       time_t now = 0;
+       if(!z->zonemd_check)
+               return;
+       env = *env_for_val;
+       env.scratch_buffer = sldns_buffer_new(env.cfg->msg_buffer_size);
+       if(!env.scratch_buffer) {
+               log_err("out of memory");
+               goto clean_exit;
+       }
+       env.scratch = regional_create();
+       if(!env.now) {
+               env.now = &now;
+               now = time(NULL);
+       }
+       if(!env.scratch) {
+               log_err("out of memory");
+               goto clean_exit;
+       }
+       auth_zone_verify_zonemd(z, &env, mods, NULL, 1, 0);
+
+clean_exit:
+       /* clean up and exit */
+       sldns_buffer_free(env.scratch_buffer);
+       regional_destroy(env.scratch);
+}
+
 /** read all auth zones from file (if they have) */
 static int
-auth_zones_read_zones(struct auth_zones* az, struct config_file* cfg)
+auth_zones_read_zones(struct auth_zones* az, struct config_file* cfg,
+       struct module_env* env, struct module_stack* mods)
 {
        struct auth_zone* z;
        lock_rw_wrlock(&az->lock);
@@ -1754,12 +1794,162 @@ auth_zones_read_zones(struct auth_zones* az, struct config_file* cfg)
                        lock_rw_unlock(&az->lock);
                        return 0;
                }
+               if(z->zonefile && z->zonefile[0]!=0 && env)
+                       zonemd_offline_verify(z, env, mods);
                lock_rw_unlock(&z->lock);
        }
        lock_rw_unlock(&az->lock);
        return 1;
 }
 
+/** fetch the content of a ZONEMD RR from the rdata */
+static int zonemd_fetch_parameters(struct auth_rrset* zonemd_rrset, size_t i,
+       uint32_t* serial, int* scheme, int* hashalgo, uint8_t** hash,
+       size_t* hashlen)
+{
+       size_t rr_len;
+       uint8_t* rdata;
+       if(i >= zonemd_rrset->data->count)
+               return 0;
+       rr_len = zonemd_rrset->data->rr_len[i];
+       if(rr_len < 2+4+1+1)
+               return 0; /* too short, for rdlen+serial+scheme+algo */
+       rdata = zonemd_rrset->data->rr_data[i];
+       *serial = sldns_read_uint32(rdata+2);
+       *scheme = rdata[6];
+       *hashalgo = rdata[7];
+       *hashlen = rr_len - 8;
+       if(*hashlen == 0)
+               *hash = NULL;
+       else    *hash = rdata+8;
+       return 1;
+}
+
+/**
+ * See if the ZONEMD scheme, hash occurs more than once.
+ * @param zonemd_rrset: the zonemd rrset to check with the RRs in it.
+ * @param index: index of the original, this is allowed to have that
+ *     scheme and hashalgo, but other RRs should not have it.
+ * @param scheme: the scheme to check for.
+ * @param hashalgo: the hash algorithm to check for.
+ * @return true if it occurs more than once.
+ */
+static int zonemd_is_duplicate_scheme_hash(struct auth_rrset* zonemd_rrset,
+       size_t index, int scheme, int hashalgo)
+{
+       size_t j;
+       for(j=0; j<zonemd_rrset->data->count; j++) {
+               uint32_t serial2 = 0;
+               int scheme2 = 0, hashalgo2 = 0;
+               uint8_t* hash2 = NULL;
+               size_t hashlen2 = 0;
+               if(index == j) {
+                       /* this is the original */
+                       continue;
+               }
+               if(!zonemd_fetch_parameters(zonemd_rrset, j, &serial2,
+                       &scheme2, &hashalgo2, &hash2, &hashlen2)) {
+                       /* malformed, skip it */
+                       continue;
+               }
+               if(scheme == scheme2 && hashalgo == hashalgo2) {
+                       /* duplicate scheme, hash */
+                       verbose(VERB_ALGO, "zonemd duplicate for scheme %d "
+                               "and hash %d", scheme, hashalgo);
+                       return 1;
+               }
+       }
+       return 0;
+}
+
+/**
+ * Check ZONEMDs if present for the auth zone.  Depending on config
+ * it can warn or fail on that.  Checks the hash of the ZONEMD.
+ * @param z: auth zone to check for.
+ *     caller must hold lock on zone.
+ * @param env: module env for temp buffers.
+ * @param reason: returned on failure.
+ * @return false on failure, true if hash checks out.
+ */
+static int auth_zone_zonemd_check_hash(struct auth_zone* z,
+       struct module_env* env, char** reason)
+{
+       /* loop over ZONEMDs and see which one is valid. if not print
+        * failure (depending on config) */
+       struct auth_data* apex;
+       struct auth_rrset* zonemd_rrset;
+       size_t i;
+       struct regional* region = NULL;
+       struct sldns_buffer* buf = NULL;
+       uint32_t soa_serial = 0;
+       region = env->scratch;
+       regional_free_all(region);
+       buf = env->scratch_buffer;
+       if(!auth_zone_get_serial(z, &soa_serial)) {
+               *reason = "zone has no SOA serial";
+               return 0;
+       }
+
+       apex = az_find_name(z, z->name, z->namelen);
+       if(!apex) {
+               *reason = "zone has no apex";
+               return 0;
+       }
+       zonemd_rrset = az_domain_rrset(apex, LDNS_RR_TYPE_ZONEMD);
+       if(!zonemd_rrset || zonemd_rrset->data->count==0) {
+               *reason = "zone has no ZONEMD";
+               return 0; /* no RRset or no RRs in rrset */
+       }
+
+       /* we have a ZONEMD, check if it is correct */
+       for(i=0; i<zonemd_rrset->data->count; i++) {
+               uint32_t serial = 0;
+               int scheme = 0, hashalgo = 0;
+               uint8_t* hash = NULL;
+               size_t hashlen = 0;
+               if(!zonemd_fetch_parameters(zonemd_rrset, i, &serial, &scheme,
+                       &hashalgo, &hash, &hashlen)) {
+                       /* malformed RR */
+                       *reason = "ZONEMD rdata malformed";
+                       continue;
+               }
+               /* check for duplicates */
+               if(zonemd_is_duplicate_scheme_hash(zonemd_rrset, i, scheme,
+                       hashalgo)) {
+                       /* duplicate hash of the same scheme,hash
+                        * is not allowed. */
+                       *reason = "ZONEMD RRSet contains more than one RR "
+                               "with the same scheme and hash algorithm";
+                       continue;
+               }
+               regional_free_all(region);
+               if(serial != soa_serial) {
+                       *reason = "ZONEMD serial is wrong";
+                       continue;
+               }
+               if(auth_zone_generate_zonemd_check(z, scheme, hashalgo,
+                       hash, hashlen, region, buf, reason)) {
+                       /* success */
+                       if(verbosity >= VERB_ALGO) {
+                               char zstr[255+1];
+                               dname_str(z->name, zstr);
+                               verbose(VERB_ALGO, "auth-zone %s ZONEMD hash is correct", zstr);
+                       }
+                       return 1;
+               }
+               /* try next one */
+       }
+       /* fail, we may have reason */
+       if(!*reason)
+               *reason = "no ZONEMD records found";
+       if(verbosity >= VERB_ALGO) {
+               char zstr[255+1];
+               dname_str(z->name, zstr);
+               verbose(VERB_ALGO, "auth-zone %s ZONEMD failed: %s", zstr, *reason);
+       }
+       return 0;
+}
+
 /** find serial number of zone or false if none */
 int
 auth_zone_get_serial(struct auth_zone* z, uint32_t* serial)
@@ -1779,7 +1969,7 @@ auth_zone_get_serial(struct auth_zone* z, uint32_t* serial)
 }
 
 /** Find auth_zone SOA and populate the values in xfr(soa values). */
-static int
+int
 xfr_find_soa(struct auth_zone* z, struct auth_xfer* xfr)
 {
        struct auth_data* apex;
@@ -1908,6 +2098,8 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
        z->for_downstream = c->for_downstream;
        z->for_upstream = c->for_upstream;
        z->fallback_enabled = c->fallback_enabled;
+       z->zonemd_check = c->zonemd_check;
+       z->zonemd_reject_absence = c->zonemd_reject_absence;
        if(c->isrpz && !z->rpz){
                if(!(z->rpz = rpz_create(c))){
                        fatal_exit("Could not setup RPZ zones");
@@ -2000,7 +2192,8 @@ az_delete_deleted_zones(struct auth_zones* az)
 }
 
 int auth_zones_apply_cfg(struct auth_zones* az, struct config_file* cfg,
-       int setup, int* is_rpz)
+       int setup, int* is_rpz, struct module_env* env,
+       struct module_stack* mods)
 {
        struct config_auth* p;
        az_setall_deleted(az);
@@ -2016,7 +2209,7 @@ int auth_zones_apply_cfg(struct auth_zones* az, struct config_file* cfg,
                }
        }
        az_delete_deleted_zones(az);
-       if(!auth_zones_read_zones(az, cfg))
+       if(!auth_zones_read_zones(az, cfg, env, mods))
                return 0;
        if(setup) {
                if(!auth_zones_setup_zones(az))
@@ -4959,6 +5152,9 @@ xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env)
                lock_rw_unlock(&z->lock);
                return;
        }
+#ifdef UB_ON_WINDOWS
+       (void)unlink(zfilename); /* windows does not replace file with rename() */
+#endif
        if(rename(tmpfile, zfilename) < 0) {
                log_err("could not rename(%s, %s): %s", tmpfile, zfilename,
                        strerror(errno));
@@ -4969,6 +5165,28 @@ xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env)
        lock_rw_unlock(&z->lock);
 }
 
+/** reacquire locks and structures. Starts with no locks, ends
+ * with xfr and z locks, if fail, no z lock */
+static int xfr_process_reacquire_locks(struct auth_xfer* xfr,
+       struct module_env* env, struct auth_zone** z)
+{
+       /* release xfr lock, then, while holding az->lock grab both
+        * z->lock and xfr->lock */
+       lock_rw_rdlock(&env->auth_zones->lock);
+       *z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen,
+               xfr->dclass);
+       if(!*z) {
+               lock_rw_unlock(&env->auth_zones->lock);
+               lock_basic_lock(&xfr->lock);
+               *z = NULL;
+               return 0;
+       }
+       lock_rw_wrlock(&(*z)->lock);
+       lock_basic_lock(&xfr->lock);
+       lock_rw_unlock(&env->auth_zones->lock);
+       return 1;
+}
+
 /** process chunk list and update zone in memory,
  * return false if it did not work */
 static int
@@ -4978,21 +5196,12 @@ xfr_process_chunk_list(struct auth_xfer* xfr, struct module_env* env,
        struct auth_zone* z;
 
        /* obtain locks and structures */
-       /* release xfr lock, then, while holding az->lock grab both
-        * z->lock and xfr->lock */
        lock_basic_unlock(&xfr->lock);
-       lock_rw_rdlock(&env->auth_zones->lock);
-       z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen,
-               xfr->dclass);
-       if(!z) {
-               lock_rw_unlock(&env->auth_zones->lock);
+       if(!xfr_process_reacquire_locks(xfr, env, &z)) {
                /* the zone is gone, ignore xfr results */
-               lock_basic_lock(&xfr->lock);
                return 0;
        }
-       lock_rw_wrlock(&z->lock);
-       lock_basic_lock(&xfr->lock);
-       lock_rw_unlock(&env->auth_zones->lock);
+       /* holding xfr and z locks */
 
        /* apply data */
        if(xfr->task_transfer->master->http) {
@@ -5027,6 +5236,35 @@ xfr_process_chunk_list(struct auth_xfer* xfr, struct module_env* env,
                        " (or malformed RR)", xfr->task_transfer->master->host);
                return 0;
        }
+
+       /* release xfr lock while verifying zonemd because it may have
+        * to spawn lookups in the state machines */
+       lock_basic_unlock(&xfr->lock);
+       /* holding z lock */
+       auth_zone_verify_zonemd(z, env, &env->mesh->mods, NULL, 0, 0);
+       if(z->zone_expired) {
+               char zname[256];
+               /* ZONEMD must have failed */
+               /* reacquire locks, so we hold xfr lock on exit of routine,
+                * and both xfr and z again after releasing xfr for potential
+                * state machine mesh callbacks */
+               lock_rw_unlock(&z->lock);
+               if(!xfr_process_reacquire_locks(xfr, env, &z))
+                       return 0;
+               dname_str(xfr->name, zname);
+               verbose(VERB_ALGO, "xfr from %s: ZONEMD failed for %s, transfer is failed", xfr->task_transfer->master->host, zname);
+               xfr->zone_expired = 1;
+               lock_rw_unlock(&z->lock);
+               return 0;
+       }
+       /* reacquire locks, so we hold xfr lock on exit of routine,
+        * and both xfr and z again after releasing xfr for potential
+        * state machine mesh callbacks */
+       lock_rw_unlock(&z->lock);
+       if(!xfr_process_reacquire_locks(xfr, env, &z))
+               return 0;
+       /* holding xfr and z locks */
+
        if(xfr->have_zone)
                xfr->lease_time = *env->now;
 
@@ -5188,7 +5426,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
                xfr->task_transfer->cp = outnet_comm_point_for_http(
                        env->outnet, auth_xfer_transfer_http_callback, xfr,
                        &addr, addrlen, -1, master->ssl, master->host,
-                       master->file);
+                       master->file, env->cfg);
                if(!xfr->task_transfer->cp) {
                        char zname[255+1], as[256];
                        dname_str(xfr->name, zname);
@@ -5210,7 +5448,7 @@ xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
        /* perform AXFR/IXFR */
        /* set the packet to be written */
        /* create new ID */
-       xfr->task_transfer->id = (uint16_t)(ub_random(env->rnd)&0xffff);
+       xfr->task_transfer->id = GET_RANDOM_ID(env->rnd);
        xfr_create_ixfr_packet(xfr, env->scratch_buffer,
                xfr->task_transfer->id, master);
 
@@ -6060,7 +6298,7 @@ xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
        /* create new ID for new probes, but not on timeout retries,
         * this means we'll accept replies to previous retries to same ip */
        if(timeout == AUTH_PROBE_TIMEOUT)
-               xfr->task_probe->id = (uint16_t)(ub_random(env->rnd)&0xffff);
+               xfr->task_probe->id = GET_RANDOM_ID(env->rnd);
        xfr_create_soa_probe_packet(xfr, env->scratch_buffer, 
                xfr->task_probe->id);
        /* we need to remove the cp if we have a different ip4/ip6 type now */
@@ -6933,12 +7171,14 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c,
        if(with_http)
          for(p = c->urls; p; p = p->next) {
                m = auth_master_new(&list);
+               if(!m) return 0;
                m->http = 1;
                if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl))
                        return 0;
        }
        for(p = c->masters; p; p = p->next) {
                m = auth_master_new(&list);
+               if(!m) return 0;
                m->ixfr = 1; /* this flag is not configurable */
                m->host = strdup(p->str);
                if(!m->host) {
@@ -6948,6 +7188,7 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c,
        }
        for(p = c->allow_notify; p; p = p->next) {
                m = auth_master_new(&list);
+               if(!m) return 0;
                m->allow_notify = 1;
                m->host = strdup(p->str);
                if(!m->host) {
@@ -6972,3 +7213,1131 @@ compare_serial(uint32_t a, uint32_t b)
                return 1;
        }
 }
+
+int zonemd_hashalgo_supported(int hashalgo)
+{
+       if(hashalgo == ZONEMD_ALGO_SHA384) return 1;
+       if(hashalgo == ZONEMD_ALGO_SHA512) return 1;
+       return 0;
+}
+
+int zonemd_scheme_supported(int scheme)
+{
+       if(scheme == ZONEMD_SCHEME_SIMPLE) return 1;
+       return 0;
+}
+
+/** initialize hash for hashing with zonemd hash algo */
+static struct secalgo_hash* zonemd_digest_init(int hashalgo, char** reason)
+{
+       struct secalgo_hash *h;
+       if(hashalgo == ZONEMD_ALGO_SHA384) {
+               /* sha384 */
+               h = secalgo_hash_create_sha384();
+               if(!h)
+                       *reason = "digest sha384 could not be created";
+               return h;
+       } else if(hashalgo == ZONEMD_ALGO_SHA512) {
+               /* sha512 */
+               h = secalgo_hash_create_sha512();
+               if(!h)
+                       *reason = "digest sha512 could not be created";
+               return h;
+       }
+       /* unknown hash algo */
+       *reason = "unsupported algorithm";
+       return NULL;
+}
+
+/** update the hash for zonemd */
+static int zonemd_digest_update(int hashalgo, struct secalgo_hash* h,
+       uint8_t* data, size_t len, char** reason)
+{
+       if(hashalgo == ZONEMD_ALGO_SHA384) {
+               if(!secalgo_hash_update(h, data, len)) {
+                       *reason = "digest sha384 failed";
+                       return 0;
+               }
+               return 1;
+       } else if(hashalgo == ZONEMD_ALGO_SHA512) {
+               if(!secalgo_hash_update(h, data, len)) {
+                       *reason = "digest sha512 failed";
+                       return 0;
+               }
+               return 1;
+       }
+       /* unknown hash algo */
+       *reason = "unsupported algorithm";
+       return 0;
+}
+
+/** finish the hash for zonemd */
+static int zonemd_digest_finish(int hashalgo, struct secalgo_hash* h,
+       uint8_t* result, size_t hashlen, size_t* resultlen, char** reason)
+{
+       if(hashalgo == ZONEMD_ALGO_SHA384) {
+               if(hashlen < 384/8) {
+                       *reason = "digest buffer too small for sha384";
+                       return 0;
+               }
+               if(!secalgo_hash_final(h, result, hashlen, resultlen)) {
+                       *reason = "digest sha384 finish failed";
+                       return 0;
+               }
+               return 1;
+       } else if(hashalgo == ZONEMD_ALGO_SHA512) {
+               if(hashlen < 512/8) {
+                       *reason = "digest buffer too small for sha512";
+                       return 0;
+               }
+               if(!secalgo_hash_final(h, result, hashlen, resultlen)) {
+                       *reason = "digest sha512 finish failed";
+                       return 0;
+               }
+               return 1;
+       }
+       /* unknown algo */
+       *reason = "unsupported algorithm";
+       return 0;
+}
+
+/** add rrsets from node to the list */
+static size_t authdata_rrsets_to_list(struct auth_rrset** array,
+       size_t arraysize, struct auth_rrset* first)
+{
+       struct auth_rrset* rrset = first;
+       size_t num = 0;
+       while(rrset) {
+               if(num >= arraysize)
+                       return num;
+               array[num] = rrset;
+               num++;
+               rrset = rrset->next;
+       }
+       return num;
+}
+
+/** compare rr list entries */
+static int rrlist_compare(const void* arg1, const void* arg2)
+{
+       struct auth_rrset* r1 = *(struct auth_rrset**)arg1;
+       struct auth_rrset* r2 = *(struct auth_rrset**)arg2;
+       uint16_t t1, t2;
+       if(r1 == NULL) t1 = LDNS_RR_TYPE_RRSIG;
+       else t1 = r1->type;
+       if(r2 == NULL) t2 = LDNS_RR_TYPE_RRSIG;
+       else t2 = r2->type;
+       if(t1 < t2)
+               return -1;
+       if(t1 > t2)
+               return 1;
+       return 0;
+}
+
+/** add type RRSIG to rr list if not one there already,
+ * this is to perform RRSIG collate processing at that point. */
+static void addrrsigtype_if_needed(struct auth_rrset** array,
+       size_t arraysize, size_t* rrnum, struct auth_data* node)
+{
+       if(az_domain_rrset(node, LDNS_RR_TYPE_RRSIG))
+               return; /* already one there */
+       if((*rrnum) >= arraysize)
+               return; /* array too small? */
+       array[*rrnum] = NULL; /* nothing there, but need entry in list */
+       (*rrnum)++;
+}
+
+/** collate the RRs in an RRset using the simple scheme */
+static int zonemd_simple_rrset(struct auth_zone* z, int hashalgo,
+       struct secalgo_hash* h, struct auth_data* node,
+       struct auth_rrset* rrset, struct regional* region,
+       struct sldns_buffer* buf, char** reason)
+{
+       /* canonicalize */
+       struct ub_packed_rrset_key key;
+       memset(&key, 0, sizeof(key));
+       key.entry.key = &key;
+       key.entry.data = rrset->data;
+       key.rk.dname = node->name;
+       key.rk.dname_len = node->namelen;
+       key.rk.type = htons(rrset->type);
+       key.rk.rrset_class = htons(z->dclass);
+       if(!rrset_canonicalize_to_buffer(region, buf, &key)) {
+               *reason = "out of memory";
+               return 0;
+       }
+       regional_free_all(region);
+
+       /* hash */
+       if(!zonemd_digest_update(hashalgo, h, sldns_buffer_begin(buf),
+               sldns_buffer_limit(buf), reason)) {
+               return 0;
+       }
+       return 1;
+}
+
+/** count number of RRSIGs in a domain name rrset list */
+static size_t zonemd_simple_count_rrsig(struct auth_rrset* rrset,
+       struct auth_rrset** rrlist, size_t rrnum,
+       struct auth_zone* z, struct auth_data* node)
+{
+       size_t i, count = 0;
+       if(rrset) {
+               size_t j;
+               for(j = 0; j<rrset->data->count; j++) {
+                       if(rrsig_rdata_get_type_covered(rrset->data->
+                               rr_data[j], rrset->data->rr_len[j]) ==
+                               LDNS_RR_TYPE_ZONEMD &&
+                               query_dname_compare(z->name, node->name)==0) {
+                               /* omit RRSIGs over type ZONEMD at apex */
+                               continue;
+                       }
+                       count++;
+               }
+       }
+       for(i=0; i<rrnum; i++) {
+               if(rrlist[i] && rrlist[i]->type == LDNS_RR_TYPE_ZONEMD &&
+                       query_dname_compare(z->name, node->name)==0) {
+                       /* omit RRSIGs over type ZONEMD at apex */
+                       continue;
+               }
+               count += (rrlist[i]?rrlist[i]->data->rrsig_count:0);
+       }
+       return count;
+}
+
+/** allocate sparse rrset data for the number of entries in tepm region */
+static int zonemd_simple_rrsig_allocs(struct regional* region,
+       struct packed_rrset_data* data, size_t count)
+{
+       data->rr_len = regional_alloc(region, sizeof(*data->rr_len) * count);
+       if(!data->rr_len) {
+               return 0;
+       }
+       data->rr_ttl = regional_alloc(region, sizeof(*data->rr_ttl) * count);
+       if(!data->rr_ttl) {
+               return 0;
+       }
+       data->rr_data = regional_alloc(region, sizeof(*data->rr_data) * count);
+       if(!data->rr_data) {
+               return 0;
+       }
+       return 1;
+}
+
+/** add the RRSIGs from the rrs in the domain into the data */
+static void add_rrlist_rrsigs_into_data(struct packed_rrset_data* data,
+       size_t* done, struct auth_rrset** rrlist, size_t rrnum,
+       struct auth_zone* z, struct auth_data* node)
+{
+       size_t i;
+       for(i=0; i<rrnum; i++) {
+               size_t j;
+               if(!rrlist[i])
+                       continue;
+               if(rrlist[i] && rrlist[i]->type == LDNS_RR_TYPE_ZONEMD &&
+                       query_dname_compare(z->name, node->name)==0) {
+                       /* omit RRSIGs over type ZONEMD at apex */
+                       continue;
+               }
+               for(j = 0; j<rrlist[i]->data->rrsig_count; j++) {
+                       data->rr_len[*done] = rrlist[i]->data->rr_len[rrlist[i]->data->count + j];
+                       data->rr_ttl[*done] = rrlist[i]->data->rr_ttl[rrlist[i]->data->count + j];
+                       /* reference the rdata in the rrset, no need to
+                        * copy it, it is no longer needed at the end of
+                        * the routine */
+                       data->rr_data[*done] = rrlist[i]->data->rr_data[rrlist[i]->data->count + j];
+                       (*done)++;
+               }
+       }
+}
+
+static void add_rrset_into_data(struct packed_rrset_data* data,
+       size_t* done, struct auth_rrset* rrset,
+       struct auth_zone* z, struct auth_data* node)
+{
+       if(rrset) {
+               size_t j;
+               for(j = 0; j<rrset->data->count; j++) {
+                       if(rrsig_rdata_get_type_covered(rrset->data->
+                               rr_data[j], rrset->data->rr_len[j]) ==
+                               LDNS_RR_TYPE_ZONEMD &&
+                               query_dname_compare(z->name, node->name)==0) {
+                               /* omit RRSIGs over type ZONEMD at apex */
+                               continue;
+                       }
+                       data->rr_len[*done] = rrset->data->rr_len[j];
+                       data->rr_ttl[*done] = rrset->data->rr_ttl[j];
+                       /* reference the rdata in the rrset, no need to
+                        * copy it, it is no longer need at the end of
+                        * the routine */
+                       data->rr_data[*done] = rrset->data->rr_data[j];
+                       (*done)++;
+               }
+       }
+}
+
+/** collate the RRSIGs using the simple scheme */
+static int zonemd_simple_rrsig(struct auth_zone* z, int hashalgo,
+       struct secalgo_hash* h, struct auth_data* node,
+       struct auth_rrset* rrset, struct auth_rrset** rrlist, size_t rrnum,
+       struct regional* region, struct sldns_buffer* buf, char** reason)
+{
+       /* the rrset pointer can be NULL, this means it is type RRSIG and
+        * there is no ordinary type RRSIG there.  The RRSIGs are stored
+        * with the RRsets in their data.
+        *
+        * The RRset pointer can be nonNULL. This happens if there is
+        * no RR that is covered by the RRSIG for the domain.  Then this
+        * RRSIG RR is stored in an rrset of type RRSIG. The other RRSIGs
+        * are stored in the rrset entries for the RRs in the rr list for
+        * the domain node.  We need to collate the rrset's data, if any, and
+        * the rrlist's rrsigs */
+       /* if this is the apex, omit RRSIGs that cover type ZONEMD */
+       /* build rrsig rrset */
+       size_t done = 0;
+       struct ub_packed_rrset_key key;
+       struct packed_rrset_data data;
+       memset(&key, 0, sizeof(key));
+       memset(&data, 0, sizeof(data));
+       key.entry.key = &key;
+       key.entry.data = &data;
+       key.rk.dname = node->name;
+       key.rk.dname_len = node->namelen;
+       key.rk.type = htons(LDNS_RR_TYPE_RRSIG);
+       key.rk.rrset_class = htons(z->dclass);
+       data.count = zonemd_simple_count_rrsig(rrset, rrlist, rrnum, z, node);
+       if(!zonemd_simple_rrsig_allocs(region, &data, data.count)) {
+               *reason = "out of memory";
+               regional_free_all(region);
+               return 0;
+       }
+       /* all the RRSIGs stored in the other rrsets for this domain node */
+       add_rrlist_rrsigs_into_data(&data, &done, rrlist, rrnum, z, node);
+       /* plus the RRSIGs stored in an rrset of type RRSIG for this node */
+       add_rrset_into_data(&data, &done, rrset, z, node);
+
+       /* canonicalize */
+       if(!rrset_canonicalize_to_buffer(region, buf, &key)) {
+               *reason = "out of memory";
+               regional_free_all(region);
+               return 0;
+       }
+       regional_free_all(region);
+
+       /* hash */
+       if(!zonemd_digest_update(hashalgo, h, sldns_buffer_begin(buf),
+               sldns_buffer_limit(buf), reason)) {
+               return 0;
+       }
+       return 1;
+}
+
+/** collate a domain's rrsets using the simple scheme */
+static int zonemd_simple_domain(struct auth_zone* z, int hashalgo,
+       struct secalgo_hash* h, struct auth_data* node,
+       struct regional* region, struct sldns_buffer* buf, char** reason)
+{
+       const size_t rrlistsize = 65536;
+       struct auth_rrset* rrlist[rrlistsize];
+       size_t i, rrnum = 0;
+       /* see if the domain is out of scope, the zone origin,
+        * that would be omitted */
+       if(!dname_subdomain_c(node->name, z->name))
+               return 1; /* continue */
+       /* loop over the rrsets in ascending order. */
+       rrnum = authdata_rrsets_to_list(rrlist, rrlistsize, node->rrsets);
+       addrrsigtype_if_needed(rrlist, rrlistsize, &rrnum, node);
+       qsort(rrlist, rrnum, sizeof(*rrlist), rrlist_compare);
+       for(i=0; i<rrnum; i++) {
+               if(rrlist[i] && rrlist[i]->type == LDNS_RR_TYPE_ZONEMD &&
+                       query_dname_compare(z->name, node->name) == 0) {
+                       /* omit type ZONEMD at apex */
+                       continue;
+               }
+               if(rrlist[i] == NULL || rrlist[i]->type ==
+                       LDNS_RR_TYPE_RRSIG) {
+                       if(!zonemd_simple_rrsig(z, hashalgo, h, node,
+                               rrlist[i], rrlist, rrnum, region, buf, reason))
+                               return 0;
+               } else if(!zonemd_simple_rrset(z, hashalgo, h, node,
+                       rrlist[i], region, buf, reason)) {
+                       return 0;
+               }
+       }
+       return 1;
+}
+
+/** collate the zone using the simple scheme */
+static int zonemd_simple_collate(struct auth_zone* z, int hashalgo,
+       struct secalgo_hash* h, struct regional* region,
+       struct sldns_buffer* buf, char** reason)
+{
+       /* our tree is sorted in canonical order, so we can just loop over
+        * the tree */
+       struct auth_data* n;
+       RBTREE_FOR(n, struct auth_data*, &z->data) {
+               if(!zonemd_simple_domain(z, hashalgo, h, n, region, buf,
+                       reason))
+                       return 0;
+       }
+       return 1;
+}
+
+int auth_zone_generate_zonemd_hash(struct auth_zone* z, int scheme,
+       int hashalgo, uint8_t* hash, size_t hashlen, size_t* resultlen,
+       struct regional* region, struct sldns_buffer* buf, char** reason)
+{
+       struct secalgo_hash* h = zonemd_digest_init(hashalgo, reason);
+       if(!h) {
+               if(!*reason)
+                       *reason = "digest init fail";
+               return 0;
+       }
+       if(scheme == ZONEMD_SCHEME_SIMPLE) {
+               if(!zonemd_simple_collate(z, hashalgo, h, region, buf, reason)) {
+                       if(!*reason) *reason = "scheme simple collate fail";
+                       secalgo_hash_delete(h);
+                       return 0;
+               }
+       }
+       if(!zonemd_digest_finish(hashalgo, h, hash, hashlen, resultlen,
+               reason)) {
+               secalgo_hash_delete(h);
+               *reason = "digest finish fail";
+               return 0;
+       }
+       secalgo_hash_delete(h);
+       return 1;
+}
+
+int auth_zone_generate_zonemd_check(struct auth_zone* z, int scheme,
+       int hashalgo, uint8_t* hash, size_t hashlen, struct regional* region,
+       struct sldns_buffer* buf, char** reason)
+{
+       uint8_t gen[512];
+       size_t genlen = 0;
+       if(!zonemd_hashalgo_supported(hashalgo)) {
+               *reason = "unsupported algorithm";
+               return 0;
+       }
+       if(!zonemd_scheme_supported(scheme)) {
+               *reason = "unsupported scheme";
+               return 0;
+       }
+       if(hashlen < 12) {
+               /* the ZONEMD draft requires digests to fail if too small */
+               *reason = "digest length too small, less than 12";
+               return 0;
+       }
+       /* generate digest */
+       if(!auth_zone_generate_zonemd_hash(z, scheme, hashalgo, gen,
+               sizeof(gen), &genlen, region, buf, reason)) {
+               /* reason filled in by zonemd hash routine */
+               return 0;
+       }
+       /* check digest length */
+       if(hashlen != genlen) {
+               *reason = "incorrect digest length";
+               if(verbosity >= VERB_ALGO) {
+                       verbose(VERB_ALGO, "zonemd scheme=%d hashalgo=%d",
+                               scheme, hashalgo);
+                       log_hex("ZONEMD should be  ", gen, genlen);
+                       log_hex("ZONEMD to check is", hash, hashlen);
+               }
+               return 0;
+       }
+       /* check digest */
+       if(memcmp(hash, gen, genlen) != 0) {
+               *reason = "incorrect digest";
+               if(verbosity >= VERB_ALGO) {
+                       verbose(VERB_ALGO, "zonemd scheme=%d hashalgo=%d",
+                               scheme, hashalgo);
+                       log_hex("ZONEMD should be  ", gen, genlen);
+                       log_hex("ZONEMD to check is", hash, hashlen);
+               }
+               return 0;
+       }
+       return 1;
+}
+
+/** log auth zone message with zone name in front. */
+static void auth_zone_log(uint8_t* name, enum verbosity_value level,
+       const char* format, ...) ATTR_FORMAT(printf, 3, 4);
+static void auth_zone_log(uint8_t* name, enum verbosity_value level,
+       const char* format, ...)
+{
+       va_list args;
+       va_start(args, format);
+       if(verbosity >= level) {
+               char str[255+1];
+               char msg[MAXSYSLOGMSGLEN];
+               dname_str(name, str);
+               vsnprintf(msg, sizeof(msg), format, args);
+               verbose(level, "auth zone %s %s", str, msg);
+       }
+       va_end(args);
+}
+
+/** ZONEMD, dnssec verify the rrset with the dnskey */
+static int zonemd_dnssec_verify_rrset(struct auth_zone* z,
+       struct module_env* env, struct module_stack* mods,
+       struct ub_packed_rrset_key* dnskey, struct auth_data* node,
+       struct auth_rrset* rrset, char** why_bogus)
+{
+       struct ub_packed_rrset_key pk;
+       enum sec_status sec;
+       struct val_env* ve;
+       int m;
+       m = modstack_find(mods, "validator");
+       if(m == -1) {
+               auth_zone_log(z->name, VERB_ALGO, "zonemd dnssec verify: have "
+                       "DNSKEY chain of trust, but no validator module");
+               return 0;
+       }
+       ve = (struct val_env*)env->modinfo[m];
+
+       memset(&pk, 0, sizeof(pk));
+       pk.entry.key = &pk;
+       pk.entry.data = rrset->data;
+       pk.rk.dname = node->name;
+       pk.rk.dname_len = node->namelen;
+       pk.rk.type = htons(rrset->type);
+       pk.rk.rrset_class = htons(z->dclass);
+       if(verbosity >= VERB_ALGO) {
+               char typestr[32];
+               typestr[0]=0;
+               sldns_wire2str_type_buf(rrset->type, typestr, sizeof(typestr));
+               auth_zone_log(z->name, VERB_ALGO,
+                       "zonemd: verify %s RRset with DNSKEY", typestr);
+       }
+       sec = dnskeyset_verify_rrset(env, ve, &pk, dnskey, NULL, why_bogus,
+               LDNS_SECTION_ANSWER, NULL);
+       if(sec == sec_status_secure) {
+               return 1;
+       }
+       if(why_bogus)
+               auth_zone_log(z->name, VERB_ALGO, "DNSSEC verify was bogus: %s", *why_bogus);
+       return 0;
+}
+
+/** check for nsec3, the RR with params equal, if bitmap has the type */
+static int nsec3_of_param_has_type(struct auth_rrset* nsec3, int algo,
+       size_t iter, uint8_t* salt, size_t saltlen, uint16_t rrtype)
+{
+       int i, count = (int)nsec3->data->count;
+       struct ub_packed_rrset_key pk;
+       memset(&pk, 0, sizeof(pk));
+       pk.entry.data = nsec3->data;
+       for(i=0; i<count; i++) {
+               int rralgo;
+               size_t rriter, rrsaltlen;
+               uint8_t* rrsalt;
+               if(!nsec3_get_params(&pk, i, &rralgo, &rriter, &rrsalt,
+                       &rrsaltlen))
+                       continue; /* no parameters, malformed */
+               if(rralgo != algo || rriter != iter || rrsaltlen != saltlen)
+                       continue; /* different parameters */
+               if(saltlen != 0) {
+                       if(rrsalt == NULL || salt == NULL)
+                               continue;
+                       if(memcmp(rrsalt, salt, saltlen) != 0)
+                               continue; /* different salt parameters */
+               }
+               if(nsec3_has_type(&pk, i, rrtype))
+                       return 1;
+       }
+       return 0;
+}
+
+/** Verify the absence of ZONEMD with DNSSEC by checking NSEC, NSEC3 type flag.
+ * return false on failure, reason contains description of failure. */
+static int zonemd_check_dnssec_absence(struct auth_zone* z,
+       struct module_env* env, struct module_stack* mods,
+       struct ub_packed_rrset_key* dnskey, struct auth_data* apex,
+       char** reason, char** why_bogus)
+{
+       struct auth_rrset* nsec = NULL;
+       if(!apex) {
+               *reason = "zone has no apex domain but ZONEMD missing";
+               return 0;
+       }
+       nsec = az_domain_rrset(apex, LDNS_RR_TYPE_NSEC);
+       if(nsec) {
+               struct ub_packed_rrset_key pk;
+               /* dnssec verify the NSEC */
+               if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex,
+                       nsec, why_bogus)) {
+                       *reason = "DNSSEC verify failed for NSEC RRset";
+                       return 0;
+               }
+               /* check type bitmap */
+               memset(&pk, 0, sizeof(pk));
+               pk.entry.data = nsec->data;
+               if(nsec_has_type(&pk, LDNS_RR_TYPE_ZONEMD)) {
+                       *reason = "DNSSEC NSEC bitmap says type ZONEMD exists";
+                       return 0;
+               }
+               auth_zone_log(z->name, VERB_ALGO, "zonemd DNSSEC NSEC verification of absence of ZONEMD secure");
+       } else {
+               /* NSEC3 perhaps ? */
+               int algo;
+               size_t iter, saltlen;
+               uint8_t* salt;
+               struct auth_rrset* nsec3param = az_domain_rrset(apex,
+                       LDNS_RR_TYPE_NSEC3PARAM);
+               struct auth_data* match;
+               struct auth_rrset* nsec3;
+               if(!nsec3param) {
+                       *reason = "zone has no NSEC information but ZONEMD missing";
+                       return 0;
+               }
+               if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen)) {
+                       *reason = "zone has no NSEC information but ZONEMD missing";
+                       return 0;
+               }
+               /* find the NSEC3 record */
+               match = az_nsec3_find_exact(z, z->name, z->namelen, algo,
+                       iter, salt, saltlen);
+               if(!match) {
+                       *reason = "zone has no NSEC3 domain for the apex but ZONEMD missing";
+                       return 0;
+               }
+               nsec3 = az_domain_rrset(match, LDNS_RR_TYPE_NSEC3);
+               if(!nsec3) {
+                       *reason = "zone has no NSEC3 RRset for the apex but ZONEMD missing";
+                       return 0;
+               }
+               /* dnssec verify the NSEC3 */
+               if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, match,
+                       nsec3, why_bogus)) {
+                       *reason = "DNSSEC verify failed for NSEC3 RRset";
+                       return 0;
+               }
+               /* check type bitmap */
+               if(nsec3_of_param_has_type(nsec3, algo, iter, salt, saltlen,
+                       LDNS_RR_TYPE_ZONEMD)) {
+                       *reason = "DNSSEC NSEC3 bitmap says type ZONEMD exists";
+                       return 0;
+               }
+               auth_zone_log(z->name, VERB_ALGO, "zonemd DNSSEC NSEC3 verification of absence of ZONEMD secure");
+       }
+
+       return 1;
+}
+
+/** Verify the SOA and ZONEMD DNSSEC signatures.
+ * return false on failure, reason contains description of failure. */
+static int zonemd_check_dnssec_soazonemd(struct auth_zone* z,
+       struct module_env* env, struct module_stack* mods,
+       struct ub_packed_rrset_key* dnskey, struct auth_data* apex,
+       struct auth_rrset* zonemd_rrset, char** reason, char** why_bogus)
+{
+       struct auth_rrset* soa;
+       if(!apex) {
+               *reason = "zone has no apex domain";
+               return 0;
+       }
+       soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
+       if(!soa) {
+               *reason = "zone has no SOA RRset";
+               return 0;
+       }
+       if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex, soa,
+               why_bogus)) {
+               *reason = "DNSSEC verify failed for SOA RRset";
+               return 0;
+       }
+       if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex,
+               zonemd_rrset, why_bogus)) {
+               *reason = "DNSSEC verify failed for ZONEMD RRset";
+               return 0;
+       }
+       auth_zone_log(z->name, VERB_ALGO, "zonemd DNSSEC verification of SOA and ZONEMD RRsets secure");
+       return 1;
+}
+
+/**
+ * Fail the ZONEMD verification.
+ * @param z: auth zone that fails.
+ * @param env: environment with config, to ignore failure or not.
+ * @param reason: failure string description.
+ * @param why_bogus: failure string for DNSSEC verification failure.
+ * @param result: strdup result in here if not NULL.
+ */
+static void auth_zone_zonemd_fail(struct auth_zone* z, struct module_env* env,
+       char* reason, char* why_bogus, char** result)
+{
+       char zstr[255+1];
+       /* if fail: log reason, and depending on config also take action
+        * and drop the zone, eg. it is gone from memory, set zone_expired */
+       dname_str(z->name, zstr);
+       if(!reason) reason = "verification failed";
+       if(result) {
+               if(why_bogus) {
+                       char res[1024];
+                       snprintf(res, sizeof(res), "%s: %s", reason,
+                               why_bogus);
+                       *result = strdup(res);
+               } else {
+                       *result = strdup(reason);
+               }
+               if(!*result) log_err("out of memory");
+       } else {
+               log_warn("auth zone %s: ZONEMD verification failed: %s", zstr, reason);
+       }
+
+       if(env->cfg->zonemd_permissive_mode) {
+               verbose(VERB_ALGO, "zonemd-permissive-mode enabled, "
+                       "not blocking zone %s", zstr);
+               return;
+       }
+
+       /* expired means the zone gives servfail and is not used by
+        * lookup if fallback_enabled*/
+       z->zone_expired = 1;
+}
+
+/**
+ * Verify the zonemd with DNSSEC and hash check, with given key.
+ * @param z: auth zone.
+ * @param env: environment with config and temp buffers.
+ * @param mods: module stack with validator env for verification.
+ * @param dnskey: dnskey that we can use, or NULL.  If nonnull, the key
+ *     has been verified and is the start of the chain of trust.
+ * @param is_insecure: if true, the dnskey is not used, the zone is insecure.
+ *     And dnssec is not used.  It is DNSSEC secure insecure or not under
+ *     a trust anchor.
+ * @param result: if not NULL result reason copied here.
+ */
+static void
+auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
+       struct module_stack* mods, struct ub_packed_rrset_key* dnskey,
+       int is_insecure, char** result)
+{
+       char* reason = NULL, *why_bogus = NULL;
+       struct auth_data* apex = NULL;
+       struct auth_rrset* zonemd_rrset = NULL;
+       int zonemd_absent = 0, zonemd_absence_dnssecok = 0;
+
+       /* see if ZONEMD is present or absent. */
+       apex = az_find_name(z, z->name, z->namelen);
+       if(!apex) {
+               zonemd_absent = 1;
+       } else {
+               zonemd_rrset = az_domain_rrset(apex, LDNS_RR_TYPE_ZONEMD);
+               if(!zonemd_rrset || zonemd_rrset->data->count==0) {
+                       zonemd_absent = 1;
+                       zonemd_rrset = NULL;
+               }
+       }
+
+       /* if no DNSSEC, done. */
+       /* if no ZONEMD, and DNSSEC, use DNSKEY to verify NSEC or NSEC3 for
+        * zone apex.  Check ZONEMD bit is turned off or else fail */
+       /* if ZONEMD, and DNSSEC, check DNSSEC signature on SOA and ZONEMD,
+        * or else fail */
+       if(!dnskey && !is_insecure) {
+               auth_zone_zonemd_fail(z, env, "DNSKEY missing", NULL, result);
+               return;
+       } else if(!zonemd_rrset && dnskey && !is_insecure) {
+               /* fetch, DNSSEC verify, and check NSEC/NSEC3 */
+               if(!zonemd_check_dnssec_absence(z, env, mods, dnskey, apex,
+                       &reason, &why_bogus)) {
+                       auth_zone_zonemd_fail(z, env, reason, why_bogus, result);
+                       return;
+               }
+               zonemd_absence_dnssecok = 1;
+       } else if(zonemd_rrset && dnskey && !is_insecure) {
+               /* check DNSSEC verify of SOA and ZONEMD */
+               if(!zonemd_check_dnssec_soazonemd(z, env, mods, dnskey, apex,
+                       zonemd_rrset, &reason, &why_bogus)) {
+                       auth_zone_zonemd_fail(z, env, reason, why_bogus, result);
+                       return;
+               }
+       }
+
+       if(zonemd_absent && z->zonemd_reject_absence) {
+               auth_zone_zonemd_fail(z, env, "ZONEMD absent and that is not allowed by config", NULL, result);
+               return;
+       }
+       if(zonemd_absent && zonemd_absence_dnssecok) {
+               auth_zone_log(z->name, VERB_ALGO, "DNSSEC verified nonexistence of ZONEMD");
+               if(result) {
+                       *result = strdup("DNSSEC verified nonexistence of ZONEMD");
+                       if(!*result) log_err("out of memory");
+               }
+               return;
+       }
+       if(zonemd_absent) {
+               auth_zone_log(z->name, VERB_ALGO, "no ZONEMD present");
+               if(result) {
+                       *result = strdup("no ZONEMD present");
+                       if(!*result) log_err("out of memory");
+               }
+               return;
+       }
+
+       /* check ZONEMD checksum and report or else fail. */
+       if(!auth_zone_zonemd_check_hash(z, env, &reason)) {
+               auth_zone_zonemd_fail(z, env, reason, NULL, result);
+               return;
+       }
+
+       /* success! log the success */
+       auth_zone_log(z->name, VERB_ALGO, "ZONEMD verification successful");
+       if(result) {
+               *result = strdup("ZONEMD verification successful");
+               if(!*result) log_err("out of memory");
+       }
+}
+
+/**
+ * verify the zone DNSKEY rrset from the trust anchor
+ * This is possible because the anchor is for the zone itself, and can
+ * thus apply straight to the zone DNSKEY set.
+ * @param z: the auth zone.
+ * @param env: environment with time and temp buffers.
+ * @param mods: module stack for validator environment for dnssec validation.
+ * @param anchor: trust anchor to use
+ * @param is_insecure: returned, true if the zone is securely insecure.
+ * @param why_bogus: if the routine fails, returns the failure reason.
+ * @param keystorage: where to store the ub_packed_rrset_key that is created
+ *     on success. A pointer to it is returned on success.
+ * @return the dnskey RRset, reference to zone data and keystorage, or
+ *     NULL on failure.
+ */
+static struct ub_packed_rrset_key*
+zonemd_get_dnskey_from_anchor(struct auth_zone* z, struct module_env* env,
+       struct module_stack* mods, struct trust_anchor* anchor,
+       int* is_insecure, char** why_bogus,
+       struct ub_packed_rrset_key* keystorage)
+{
+       struct auth_data* apex;
+       struct auth_rrset* dnskey_rrset;
+       enum sec_status sec;
+       struct val_env* ve;
+       int m;
+
+       apex = az_find_name(z, z->name, z->namelen);
+       if(!apex) {
+               *why_bogus = "have trust anchor, but zone has no apex domain for DNSKEY";
+               return 0;
+       }
+       dnskey_rrset = az_domain_rrset(apex, LDNS_RR_TYPE_DNSKEY);
+       if(!dnskey_rrset || dnskey_rrset->data->count==0) {
+               *why_bogus = "have trust anchor, but zone has no DNSKEY";
+               return 0;
+       }
+
+       m = modstack_find(mods, "validator");
+       if(m == -1) {
+               *why_bogus = "have trust anchor, but no validator module";
+               return 0;
+       }
+       ve = (struct val_env*)env->modinfo[m];
+
+       memset(keystorage, 0, sizeof(*keystorage));
+       keystorage->entry.key = keystorage;
+       keystorage->entry.data = dnskey_rrset->data;
+       keystorage->rk.dname = apex->name;
+       keystorage->rk.dname_len = apex->namelen;
+       keystorage->rk.type = htons(LDNS_RR_TYPE_DNSKEY);
+       keystorage->rk.rrset_class = htons(z->dclass);
+       auth_zone_log(z->name, VERB_QUERY,
+               "zonemd: verify DNSKEY RRset with trust anchor");
+       sec = val_verify_DNSKEY_with_TA(env, ve, keystorage, anchor->ds_rrset,
+               anchor->dnskey_rrset, NULL, why_bogus, NULL);
+       regional_free_all(env->scratch);
+       if(sec == sec_status_secure) {
+               /* success */
+               *is_insecure = 0;
+               return keystorage;
+       } else if(sec == sec_status_insecure) {
+               /* insecure */
+               *is_insecure = 1;
+       } else {
+               /* bogus */
+               *is_insecure = 0;
+               auth_zone_log(z->name, VERB_ALGO,
+                       "zonemd: verify DNSKEY RRset with trust anchor failed: %s", *why_bogus);
+       }
+       return NULL;
+}
+
+/** callback for ZONEMD lookup of DNSKEY */
+void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
+       enum sec_status sec, char* why_bogus, int ATTR_UNUSED(was_ratelimited))
+{
+       struct auth_zone* z = (struct auth_zone*)arg;
+       struct module_env* env;
+       char* reason = NULL;
+       struct ub_packed_rrset_key* dnskey = NULL;
+       int is_insecure = 0;
+
+       lock_rw_wrlock(&z->lock);
+       env = z->zonemd_callback_env;
+       /* release the env variable so another worker can pick up the
+        * ZONEMD verification task if it wants to */
+       z->zonemd_callback_env = NULL;
+       if(!env || env->outnet->want_to_quit || z->zone_deleted) {
+               lock_rw_unlock(&z->lock);
+               return; /* stop on quit */
+       }
+
+       /* process result */
+       if(sec == sec_status_bogus) {
+               reason = why_bogus;
+               if(!reason)
+                       reason = "lookup of DNSKEY was bogus";
+               auth_zone_log(z->name, VERB_ALGO,
+                       "zonemd lookup of DNSKEY was bogus: %s", reason);
+       } else if(rcode == LDNS_RCODE_NOERROR) {
+               uint16_t wanted_qtype = LDNS_RR_TYPE_DNSKEY;
+               struct regional* temp = env->scratch;
+               struct query_info rq;
+               struct reply_info* rep;
+               memset(&rq, 0, sizeof(rq));
+               rep = parse_reply_in_temp_region(buf, temp, &rq);
+               if(rep && rq.qtype == wanted_qtype &&
+                       query_dname_compare(z->name, rq.qname) == 0 &&
+                       FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
+                       /* parsed successfully */
+                       struct ub_packed_rrset_key* answer =
+                               reply_find_answer_rrset(&rq, rep);
+                       if(answer && sec == sec_status_secure) {
+                               dnskey = answer;
+                               auth_zone_log(z->name, VERB_ALGO,
+                                       "zonemd lookup of DNSKEY was secure");
+                       } else if(sec == sec_status_secure && !answer) {
+                               is_insecure = 1;
+                               auth_zone_log(z->name, VERB_ALGO,
+                                       "zonemd lookup of DNSKEY has no content, but is secure, treat as insecure");
+                       } else if(sec == sec_status_insecure) {
+                               is_insecure = 1;
+                               auth_zone_log(z->name, VERB_ALGO,
+                                       "zonemd lookup of DNSKEY was insecure");
+                       } else if(sec == sec_status_indeterminate) {
+                               is_insecure = 1;
+                               auth_zone_log(z->name, VERB_ALGO,
+                                       "zonemd lookup of DNSKEY was indeterminate, treat as insecure");
+                       } else {
+                               auth_zone_log(z->name, VERB_ALGO,
+                                       "zonemd lookup of DNSKEY has nodata");
+                               reason = "lookup of DNSKEY has nodata";
+                       }
+               } else if(rep && rq.qtype == wanted_qtype &&
+                       query_dname_compare(z->name, rq.qname) == 0 &&
+                       FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+                       sec == sec_status_secure) {
+                       /* secure nxdomain, so the zone is like some RPZ zone
+                        * that does not exist in the wider internet, with
+                        * a secure nxdomain answer outside of it. So we
+                        * treat the zonemd zone without a dnssec chain of
+                        * trust, as insecure. */
+                       is_insecure = 1;
+                       auth_zone_log(z->name, VERB_ALGO,
+                               "zonemd lookup of DNSKEY was secure NXDOMAIN, treat as insecure");
+               } else if(rep && rq.qtype == wanted_qtype &&
+                       query_dname_compare(z->name, rq.qname) == 0 &&
+                       FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+                       sec == sec_status_insecure) {
+                       is_insecure = 1;
+                       auth_zone_log(z->name, VERB_ALGO,
+                               "zonemd lookup of DNSKEY was insecure NXDOMAIN, treat as insecure");
+               } else if(rep && rq.qtype == wanted_qtype &&
+                       query_dname_compare(z->name, rq.qname) == 0 &&
+                       FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+                       sec == sec_status_indeterminate) {
+                       is_insecure = 1;
+                       auth_zone_log(z->name, VERB_ALGO,
+                               "zonemd lookup of DNSKEY was indeterminate NXDOMAIN, treat as insecure");
+               } else {
+                       auth_zone_log(z->name, VERB_ALGO,
+                               "zonemd lookup of DNSKEY has no answer");
+                       reason = "lookup of DNSKEY has no answer";
+               }
+       } else {
+               auth_zone_log(z->name, VERB_ALGO,
+                       "zonemd lookup of DNSKEY failed");
+               reason = "lookup of DNSKEY failed";
+       }
+
+       if(reason) {
+               auth_zone_zonemd_fail(z, env, reason, NULL, NULL);
+               lock_rw_unlock(&z->lock);
+               return;
+       }
+
+       auth_zone_verify_zonemd_with_key(z, env, &env->mesh->mods, dnskey,
+               is_insecure, NULL);
+       regional_free_all(env->scratch);
+       lock_rw_unlock(&z->lock);
+}
+
+/** lookup DNSKEY for ZONEMD verification */
+static int
+zonemd_lookup_dnskey(struct auth_zone* z, struct module_env* env)
+{
+       struct query_info qinfo;
+       uint16_t qflags = BIT_RD;
+       struct edns_data edns;
+       sldns_buffer* buf = env->scratch_buffer;
+
+       if(z->zonemd_callback_env) {
+               /* another worker is already working on the callback
+                * for the DNSKEY lookup for ZONEMD verification.
+                * We do not also have to do ZONEMD verification, let that
+                * worker do it */
+               auth_zone_log(z->name, VERB_ALGO,
+                       "zonemd needs lookup of DNSKEY and that already worked on by another worker");
+               return 1;
+       }
+
+       /* use mesh_new_callback to lookup the DNSKEY,
+        * and then wait for them to be looked up (in cache, or query) */
+       qinfo.qname_len = z->namelen;
+       qinfo.qname = z->name;
+       qinfo.qclass = z->dclass;
+       qinfo.qtype = LDNS_RR_TYPE_DNSKEY;
+       qinfo.local_alias = NULL;
+       if(verbosity >= VERB_ALGO) {
+               char buf1[512];
+               char buf2[LDNS_MAX_DOMAINLEN+1];
+               dname_str(z->name, buf2);
+               snprintf(buf1, sizeof(buf1), "auth zone %s: lookup DNSKEY "
+                       "for zonemd verification", buf2);
+               log_query_info(VERB_ALGO, buf1, &qinfo);
+       }
+       edns.edns_present = 1;
+       edns.ext_rcode = 0;
+       edns.edns_version = 0;
+       edns.bits = EDNS_DO;
+       edns.opt_list = NULL;
+       if(sldns_buffer_capacity(buf) < 65535)
+               edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
+       else    edns.udp_size = 65535;
+
+       /* store the worker-specific module env for the callback.
+        * We can then reference this when the callback executes */
+       z->zonemd_callback_env = env;
+       /* the callback can be called straight away */
+       lock_rw_unlock(&z->lock);
+       if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0,
+               &auth_zonemd_dnskey_lookup_callback, z)) {
+               lock_rw_wrlock(&z->lock);
+               log_err("out of memory lookup up dnskey for zonemd");
+               return 0;
+       }
+       lock_rw_wrlock(&z->lock);
+       return 1;
+}
+
+void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
+       struct module_stack* mods, char** result, int offline, int only_online)
+{
+       char* reason = NULL, *why_bogus = NULL;
+       struct trust_anchor* anchor = NULL;
+       struct ub_packed_rrset_key* dnskey = NULL;
+       struct ub_packed_rrset_key keystorage;
+       int is_insecure = 0;
+       /* verify the ZONEMD if present.
+        * If not present check if absence is allowed by DNSSEC */
+       if(!z->zonemd_check)
+               return;
+
+       /* if zone is under a trustanchor */
+       /* is it equal to trustanchor - get dnskey's verified */
+       /* else, find chain of trust by fetching DNSKEYs lookup for zone */
+       /* result if that, if insecure, means no DNSSEC for the ZONEMD,
+        * otherwise we have the zone DNSKEY for the DNSSEC verification. */
+       if(env->anchors)
+               anchor = anchors_lookup(env->anchors, z->name, z->namelen,
+                       z->dclass);
+       if(anchor && anchor->numDS == 0 && anchor->numDNSKEY == 0) {
+               /* domain-insecure trust anchor for unsigned zones */
+               lock_basic_unlock(&anchor->lock);
+               if(only_online)
+                       return;
+               dnskey = NULL;
+               is_insecure = 1;
+       } else if(anchor && query_dname_compare(z->name, anchor->name) == 0) {
+               if(only_online) {
+                       lock_basic_unlock(&anchor->lock);
+                       return;
+               }
+               /* equal to trustanchor, no need for online lookups */
+               dnskey = zonemd_get_dnskey_from_anchor(z, env, mods, anchor,
+                       &is_insecure, &why_bogus, &keystorage);
+               lock_basic_unlock(&anchor->lock);
+               if(!dnskey && !reason && !is_insecure) {
+                       reason = "verify DNSKEY RRset with trust anchor failed";
+               }
+       } else if(anchor) {
+               lock_basic_unlock(&anchor->lock);
+               /* perform online lookups */
+               if(offline)
+                       return;
+               /* setup online lookups, and wait for them */
+               if(zonemd_lookup_dnskey(z, env)) {
+                       /* wait for the lookup */
+                       return;
+               }
+               reason = "could not lookup DNSKEY for chain of trust";
+       } else {
+               /* the zone is not under a trust anchor */
+               if(only_online)
+                       return;
+               dnskey = NULL;
+               is_insecure = 1;
+       }
+
+       if(reason) {
+               auth_zone_zonemd_fail(z, env, reason, why_bogus, result);
+               return;
+       }
+
+       auth_zone_verify_zonemd_with_key(z, env, mods, dnskey, is_insecure,
+               result);
+       regional_free_all(env->scratch);
+}
+
+void auth_zones_pickup_zonemd_verify(struct auth_zones* az,
+       struct module_env* env)
+{
+       struct auth_zone key;
+       uint8_t savezname[255+1];
+       size_t savezname_len;
+       struct auth_zone* z;
+       key.node.key = &key;
+       lock_rw_rdlock(&az->lock);
+       RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
+               lock_rw_wrlock(&z->lock);
+               if(!z->zonemd_check) {
+                       lock_rw_unlock(&z->lock);
+                       continue;
+               }
+               key.dclass = z->dclass;
+               key.namelabs = z->namelabs;
+               if(z->namelen > sizeof(savezname)) {
+                       lock_rw_unlock(&z->lock);
+                       log_err("auth_zones_pickup_zonemd_verify: zone name too long");
+                       continue;
+               }
+               savezname_len = z->namelen;
+               memmove(savezname, z->name, z->namelen);
+               lock_rw_unlock(&az->lock);
+               auth_zone_verify_zonemd(z, env, &env->mesh->mods, NULL, 0, 1);
+               lock_rw_unlock(&z->lock);
+               lock_rw_rdlock(&az->lock);
+               /* find the zone we had before, it is not deleted,
+                * because we have a flag for that that is processed at
+                * apply_cfg time */
+               key.namelen = savezname_len;
+               key.name = savezname;
+               z = (struct auth_zone*)rbtree_search(&az->ztree, &key);
+               if(!z)
+                       break;
+       }
+       lock_rw_unlock(&az->lock);
+}

diff --git a/sbin/unwind/libunbound/services/authzone.h b/sbin/unwind/libunbound/services/authzone.h
index 3d94f30..ffe234d 100644 (file)
--- a/sbin/unwind/libunbound/services/authzone.h
+++ b/sbin/unwind/libunbound/services/authzone.h
@@ -132,8 +132,17 @@ struct auth_zone {
        /** for upstream: this zone answers queries that unbound intends to
         * send upstream. */
        int for_upstream;
+       /** check ZONEMD records */
+       int zonemd_check;
+       /** reject absence of ZONEMD records */
+       int zonemd_reject_absence;
        /** RPZ zones */
        struct rpz* rpz;
+       /** store the env (worker thread specific) for the zonemd callbacks
+        * from the mesh with the results of the lookup, if nonNULL, some
+        * worker has already picked up the zonemd verification task and
+        * this worker does not have to do it as well. */
+       struct module_env* zonemd_callback_env;
        /** zone has been deleted */
        int zone_deleted;
        /** deletelist pointer, unused normally except during delete */
@@ -474,10 +483,13 @@ struct auth_zones* auth_zones_create(void);
  * @param cfg: config to apply.
  * @param setup: if true, also sets up values in the auth zones structure
  * @param is_rpz: set to 1 if at least one RPZ zone is configured.
+ * @param env: environment for offline verification.
+ * @param mods: modules in environment.
  * @return false on failure.
  */
 int auth_zones_apply_cfg(struct auth_zones* az, struct config_file* cfg,
-       int setup, int* is_rpz);
+       int setup, int* is_rpz, struct module_env* env,
+       struct module_stack* mods);
 
 /** initial pick up of worker timeouts, ties events to worker event loop
  * @param az: auth zones structure
@@ -625,6 +637,9 @@ int auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg);
 /** find serial number of zone or false if none (no SOA record) */
 int auth_zone_get_serial(struct auth_zone* z, uint32_t* serial);
 
+/** Find auth_zone SOA and populate the values in xfr(soa values). */
+int xfr_find_soa(struct auth_zone* z, struct auth_xfer* xfr);
+
 /** compare auth_zones for sorted rbtree */
 int auth_zone_cmp(const void* z1, const void* z2);
 
@@ -685,4 +700,83 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode,
  */
 int compare_serial(uint32_t a, uint32_t b);
 
+/**
+ * Generate ZONEMD digest for the auth zone.
+ * @param z: the auth zone to digest.
+ *     omits zonemd at apex and its RRSIG from the digest.
+ * @param scheme: the collation scheme to use.  Numbers as defined for ZONEMD.
+ * @param hashalgo: the hash algo, from the registry defined for ZONEMD type.
+ * @param hash: the result buffer.
+ * @param buflen: size of the result buffer, must be large enough. or the
+ *     routine fails.
+ * @param resultlen: size of the hash in the result buffer of the result.
+ * @param region: temp region for allocs during canonicalisation.
+ * @param buf: temp buffer during canonicalisation.
+ * @param reason: failure reason, returns a string, NULL on success.
+ * @return false on failure.
+ */
+int auth_zone_generate_zonemd_hash(struct auth_zone* z, int scheme,
+       int hashalgo, uint8_t* hash, size_t buflen, size_t* resultlen,
+       struct regional* region, struct sldns_buffer* buf, char** reason);
+
+/** ZONEMD scheme definitions */
+#define ZONEMD_SCHEME_SIMPLE 1
+
+/** ZONEMD hash algorithm definition for SHA384 */
+#define ZONEMD_ALGO_SHA384 1
+/** ZONEMD hash algorithm definition for SHA512 */
+#define ZONEMD_ALGO_SHA512 2
+
+/** returns true if a zonemd hash algo is supported */
+int zonemd_hashalgo_supported(int hashalgo);
+/** returns true if a zonemd scheme is supported */
+int zonemd_scheme_supported(int scheme);
+
+/**
+ * Check ZONEMD digest for the auth zone.
+ * @param z: auth zone to digest.
+ * @param scheme: zonemd scheme.
+ * @param hashalgo: zonemd hash algorithm.
+ * @param hash: the hash to check.
+ * @param hashlen: length of hash buffer.
+ * @param region: temp region for allocs during canonicalisation.
+ * @param buf: temp buffer during canonicalisation.
+ * @param reason: string returned with failure reason.
+ * @return false on failure.
+ */
+int auth_zone_generate_zonemd_check(struct auth_zone* z, int scheme,
+       int hashalgo, uint8_t* hash, size_t hashlen, struct regional* region,
+       struct sldns_buffer* buf, char** reason);
+
+/**
+ * Perform ZONEMD checks and verification for the auth zone.
+ * This includes DNSSEC verification if applicable.
+ * @param z: auth zone to check.  Caller holds lock. wrlock.
+ * @param env: with temp region, buffer and config.
+ * @param mods: module stack for validator env.
+ * @param result: if not NULL, result string strdupped in here.
+ * @param offline: if true, there is no spawned lookup when online is needed.
+ *     Those zones are skipped for ZONEMD checking.
+ * @param only_online: if true, only for ZONEMD that need online lookup
+ *     of DNSKEY chain of trust are processed.
+ */
+void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
+       struct module_stack* mods, char** result, int offline,
+       int only_online);
+
+/** mesh callback for zonemd on lookup of dnskey */
+void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode,
+       struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
+       int was_ratelimited);
+
+/**
+ * Check the ZONEMD records that need online DNSSEC chain lookups,
+ * for them spawn the lookup process to get it checked out.
+ * Attaches the lookup process to the worker event base and mesh state.
+ * @param az: auth zones, every zones is checked.
+ * @param env: env of the worker where the task is attached.
+ */
+void auth_zones_pickup_zonemd_verify(struct auth_zones* az,
+       struct module_env* env);
+
 #endif /* SERVICES_AUTHZONE_H */

diff --git a/sbin/unwind/libunbound/services/cache/dns.c b/sbin/unwind/libunbound/services/cache/dns.c
index f3149b6..5b64fe4 100644 (file)
--- a/sbin/unwind/libunbound/services/cache/dns.c
+++ b/sbin/unwind/libunbound/services/cache/dns.c
@@ -801,7 +801,7 @@ struct dns_msg*
 dns_cache_lookup(struct module_env* env,
        uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
        uint16_t flags, struct regional* region, struct regional* scratch,
-       int no_partial)
+       int no_partial, uint8_t* dpname, size_t dpnamelen)
 {
        struct lruhash_entry* e;
        struct query_info k;
@@ -923,6 +923,9 @@ dns_cache_lookup(struct module_env* env,
         * the same.  We search upwards for NXDOMAINs. */
        if(env->cfg->harden_below_nxdomain) {
                while(!dname_is_root(k.qname)) {
+                       if(dpname && dpnamelen
+                               && !dname_subdomain_c(k.qname, dpname))
+                               break; /* no synth nxdomain above the stub */
                        dname_remove_label(&k.qname, &k.qname_len);
                        h = query_info_hash(&k, flags);
                        e = slabhash_lookup(env->msg_cache, h, &k, 0);

diff --git a/sbin/unwind/libunbound/services/cache/dns.h b/sbin/unwind/libunbound/services/cache/dns.h
index f1b77fb..bece837 100644 (file)
--- a/sbin/unwind/libunbound/services/cache/dns.h
+++ b/sbin/unwind/libunbound/services/cache/dns.h
@@ -164,6 +164,8 @@ struct dns_msg* tomsg(struct module_env* env, struct query_info* q,
  * @param scratch: where to allocate temporary data.
  * @param no_partial: if true, only complete messages and not a partial
  *     one (with only the start of the CNAME chain and not the rest).
+ * @param dpname: if not NULL, do not return NXDOMAIN above this name.
+ * @param dpnamelen: length of dpname.
  * @return new response message (alloced in region, rrsets do not have IDs).
  *     or NULL on error or if not found in cache.
  *     TTLs are made relative to the current time.
@@ -171,7 +173,7 @@ struct dns_msg* tomsg(struct module_env* env, struct query_info* q,
 struct dns_msg* dns_cache_lookup(struct module_env* env,
        uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
        uint16_t flags, struct regional* region, struct regional* scratch,
-       int no_partial);
+       int no_partial, uint8_t* dpname, size_t dpnamelen);
 
 /** 
  * find and add A and AAAA records for missing nameservers in delegpt 

diff --git a/sbin/unwind/libunbound/services/cache/infra.c b/sbin/unwind/libunbound/services/cache/infra.c
index 2d16bcd..518e696 100644 (file)
--- a/sbin/unwind/libunbound/services/cache/infra.c
+++ b/sbin/unwind/libunbound/services/cache/infra.c
@@ -236,6 +236,9 @@ infra_create(struct config_file* cfg)
                sizeof(struct infra_cache));
        size_t maxmem = cfg->infra_cache_numhosts * (sizeof(struct infra_key)+
                sizeof(struct infra_data)+INFRA_BYTES_NAME);
+       if(!infra) {
+               return NULL;
+       }
        infra->hosts = slabhash_create(cfg->infra_cache_slabs,
                INFRA_HOST_STARTSIZE, maxmem, &infra_sizefunc, &infra_compfunc,
                &infra_delkeyfunc, &infra_deldatafunc, NULL);

diff --git a/sbin/unwind/libunbound/services/listen_dnsport.c b/sbin/unwind/libunbound/services/listen_dnsport.c
index b790660..b43def5 100644 (file)
--- a/sbin/unwind/libunbound/services/listen_dnsport.c
+++ b/sbin/unwind/libunbound/services/listen_dnsport.c
@@ -133,6 +133,16 @@ verbose_print_addr(struct addrinfo *addr)
        }
 }
 
+void
+verbose_print_unbound_socket(struct unbound_socket* ub_sock)
+{
+       if(verbosity >= VERB_ALGO) {
+               log_info("listing of unbound_socket structure:");
+               verbose_print_addr(ub_sock->addr);
+               log_info("s is: %d, fam is: %s", ub_sock->s, ub_sock->fam == AF_INET?"AF_INET":"AF_INET6");
+       }
+}
+
 #ifdef HAVE_SYSTEMD
 static int
 systemd_get_activated(int family, int socktype, int listen,
@@ -442,6 +452,10 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
        if(err != NULL)
                log_warn("error setting IP DiffServ codepoint %d on UDP socket: %s", dscp, err);
        if(family == AF_INET6) {
+# if defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+               int omit6_set = 0;
+               int action;
+# endif
 # if defined(IPV6_V6ONLY)
                if(v6only) {
                        int val=(v6only==2)?0:1;
@@ -490,6 +504,39 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
                        return -1;
                }
 # endif /* IPv6 MTU */
+# if defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+#  if defined(IP_PMTUDISC_OMIT)
+               action = IP_PMTUDISC_OMIT;
+               if (setsockopt(s, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
+                       &action, (socklen_t)sizeof(action)) < 0) {
+
+                       if (errno != EINVAL) {
+                               log_err("setsockopt(..., IPV6_MTU_DISCOVER, IP_PMTUDISC_OMIT...) failed: %s",
+                                       strerror(errno));
+                               sock_close(s);
+                               *noproto = 0;
+                               *inuse = 0;
+                               return -1;
+                       }
+               }
+               else
+               {
+                   omit6_set = 1;
+               }
+#  endif
+               if (omit6_set == 0) {
+                       action = IP_PMTUDISC_DONT;
+                       if (setsockopt(s, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
+                               &action, (socklen_t)sizeof(action)) < 0) {
+                               log_err("setsockopt(..., IPV6_MTU_DISCOVER, IP_PMTUDISC_DONT...) failed: %s",
+                                       strerror(errno));
+                               sock_close(s);
+                               *noproto = 0;
+                               *inuse = 0;
+                               return -1;
+                       }
+               }
+# endif /* IPV6_MTU_DISCOVER */
        } else if(family == AF_INET) {
 #  if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
 /* linux 3.15 has IP_PMTUDISC_OMIT, Hannes Frederic Sowa made it so that
@@ -916,7 +963,7 @@ static int
 make_sock(int stype, const char* ifname, const char* port, 
        struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd,
        int* reuseport, int transparent, int tcp_mss, int nodelay, int freebind,
-       int use_systemd, int dscp)
+       int use_systemd, int dscp, struct unbound_socket* ub_sock)
 {
        struct addrinfo *res = NULL;
        int r, s, inuse, noproto;
@@ -958,7 +1005,11 @@ make_sock(int stype, const char* ifname, const char* port,
                        *noip6 = 1;
                }
        }
-       freeaddrinfo(res);
+
+       ub_sock->addr = res;
+       ub_sock->s = s;
+       ub_sock->fam = hints->ai_family;
+
        return s;
 }
 
@@ -967,7 +1018,7 @@ static int
 make_sock_port(int stype, const char* ifname, const char* port, 
        struct addrinfo *hints, int v6only, int* noip6, size_t rcv, size_t snd,
        int* reuseport, int transparent, int tcp_mss, int nodelay, int freebind,
-       int use_systemd, int dscp)
+       int use_systemd, int dscp, struct unbound_socket* ub_sock)
 {
        char* s = strchr(ifname, '@');
        if(s) {
@@ -990,11 +1041,11 @@ make_sock_port(int stype, const char* ifname, const char* port,
                p[strlen(s+1)]=0;
                return make_sock(stype, newif, p, hints, v6only, noip6, rcv,
                        snd, reuseport, transparent, tcp_mss, nodelay, freebind,
-                       use_systemd, dscp);
+                       use_systemd, dscp, ub_sock);
        }
        return make_sock(stype, ifname, port, hints, v6only, noip6, rcv, snd,
                reuseport, transparent, tcp_mss, nodelay, freebind, use_systemd,
-               dscp);
+               dscp, ub_sock);
 }
 
 /**
@@ -1002,10 +1053,11 @@ make_sock_port(int stype, const char* ifname, const char* port,
  * @param list: list head. changed.
  * @param s: fd.
  * @param ftype: if fd is UDP.
+ * @param ub_sock: socket with address.
  * @return false on failure. list in unchanged then.
  */
 static int
-port_insert(struct listen_port** list, int s, enum listen_type ftype)
+port_insert(struct listen_port** list, int s, enum listen_type ftype, struct unbound_socket* ub_sock)
 {
        struct listen_port* item = (struct listen_port*)malloc(
                sizeof(struct listen_port));
@@ -1014,6 +1066,7 @@ port_insert(struct listen_port** list, int s, enum listen_type ftype)
        item->next = *list;
        item->fd = s;
        item->ftype = ftype;
+       item->socket = ub_sock;
        *list = item;
        return 1;
 }
@@ -1043,7 +1096,7 @@ set_recvpktinfo(int s, int family)
                        return 0;
                }
 #           else
-               log_err("no IPV6_RECVPKTINFO and no IPV6_PKTINFO option, please "
+               log_err("no IPV6_RECVPKTINFO and IPV6_PKTINFO options, please "
                        "disable interface-automatic or do-ip6 in config");
                return 0;
 #           endif /* defined IPV6_RECVPKTINFO */
@@ -1093,18 +1146,6 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port,
        return 0;
 }
 
-/** see if interface is https, its port number == the https port number */
-static int
-if_is_https(const char* ifname, const char* port, int https_port)
-{
-       char* p = strchr(ifname, '@');
-       if(!p && atoi(port) == https_port)
-               return 1;
-       if(p && atoi(p+1) == https_port)
-               return 1;
-       return 0;
-}
-
 /**
  * Helper for ports_open. Creates one interface (or NULL for default).
  * @param ifname: The interface ip address.
@@ -1142,6 +1183,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
        int s, noip6=0;
        int is_https = if_is_https(ifname, port, https_port);
        int nodelay = is_https && http2_nodelay;
+       struct unbound_socket* ub_sock;
 #ifdef USE_DNSCRYPT
        int is_dnscrypt = ((strchr(ifname, '@') && 
                        atoi(strchr(ifname, '@')+1) == dnscrypt_port) ||
@@ -1153,10 +1195,16 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 
        if(!do_udp && !do_tcp)
                return 0;
+
        if(do_auto) {
+               ub_sock = calloc(1, sizeof(struct unbound_socket));
+               if(!ub_sock)
+                       return 0;
                if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, 
                        &noip6, rcv, snd, reuseport, transparent,
-                       tcp_mss, nodelay, freebind, use_systemd, dscp)) == -1) {
+                       tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) {
+                       freeaddrinfo(ub_sock->addr);
+                       free(ub_sock);
                        if(noip6) {
                                log_warn("IPv6 protocol not available");
                                return 1;
@@ -1166,18 +1214,27 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
                /* getting source addr packet info is highly non-portable */
                if(!set_recvpktinfo(s, hints->ai_family)) {
                        sock_close(s);
+                       freeaddrinfo(ub_sock->addr);
+                       free(ub_sock);
                        return 0;
                }
                if(!port_insert(list, s,
-                  is_dnscrypt?listen_type_udpancil_dnscrypt:listen_type_udpancil)) {
+                  is_dnscrypt?listen_type_udpancil_dnscrypt:listen_type_udpancil, ub_sock)) {
                        sock_close(s);
+                       freeaddrinfo(ub_sock->addr);
+                       free(ub_sock);
                        return 0;
                }
        } else if(do_udp) {
+               ub_sock = calloc(1, sizeof(struct unbound_socket));
+               if(!ub_sock)
+                       return 0;
                /* regular udp socket */
                if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, 
                        &noip6, rcv, snd, reuseport, transparent,
-                       tcp_mss, nodelay, freebind, use_systemd, dscp)) == -1) {
+                       tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) {
+                       freeaddrinfo(ub_sock->addr);
+                       free(ub_sock);
                        if(noip6) {
                                log_warn("IPv6 protocol not available");
                                return 1;
@@ -1185,8 +1242,10 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
                        return 0;
                }
                if(!port_insert(list, s,
-                  is_dnscrypt?listen_type_udp_dnscrypt:listen_type_udp)) {
+                  is_dnscrypt?listen_type_udp_dnscrypt:listen_type_udp, ub_sock)) {
                        sock_close(s);
+                       freeaddrinfo(ub_sock->addr);
+                       free(ub_sock);
                        return 0;
                }
        }
@@ -1194,6 +1253,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
                int is_ssl = if_is_ssl(ifname, port, ssl_port,
                        tls_additional_port);
                enum listen_type port_type;
+               ub_sock = calloc(1, sizeof(struct unbound_socket));
+               if(!ub_sock)
+                       return 0;
                if(is_ssl)
                        port_type = listen_type_ssl;
                else if(is_https)
@@ -1204,7 +1266,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
                        port_type = listen_type_tcp;
                if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, 
                        &noip6, 0, 0, reuseport, transparent, tcp_mss, nodelay,
-                       freebind, use_systemd, dscp)) == -1) {
+                       freebind, use_systemd, dscp, ub_sock)) == -1) {
+                       freeaddrinfo(ub_sock->addr);
+                       free(ub_sock);
                        if(noip6) {
                                /*log_warn("IPv6 protocol not available");*/
                                return 1;
@@ -1213,8 +1277,10 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
                }
                if(is_ssl)
                        verbose(VERB_ALGO, "setup TCP for SSL service");
-               if(!port_insert(list, s, port_type)) {
+               if(!port_insert(list, s, port_type, ub_sock)) {
                        sock_close(s);
+                       freeaddrinfo(ub_sock->addr);
+                       free(ub_sock);
                        return 0;
                }
        }
@@ -1280,14 +1346,14 @@ listen_create(struct comm_base* base, struct listen_port* ports,
                if(ports->ftype == listen_type_udp ||
                   ports->ftype == listen_type_udp_dnscrypt)
                        cp = comm_point_create_udp(base, ports->fd, 
-                               front->udp_buff, cb, cb_arg);
+                               front->udp_buff, cb, cb_arg, ports->socket);
                else if(ports->ftype == listen_type_tcp ||
                                ports->ftype == listen_type_tcp_dnscrypt)
                        cp = comm_point_create_tcp(base, ports->fd, 
                                tcp_accept_count, tcp_idle_timeout,
                                harden_large_queries, 0, NULL,
                                tcp_conn_limit, bufsize, front->udp_buff,
-                               ports->ftype, cb, cb_arg);
+                               ports->ftype, cb, cb_arg, ports->socket);
                else if(ports->ftype == listen_type_ssl ||
                        ports->ftype == listen_type_http) {
                        cp = comm_point_create_tcp(base, ports->fd, 
@@ -1295,7 +1361,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
                                harden_large_queries,
                                http_max_streams, http_endpoint,
                                tcp_conn_limit, bufsize, front->udp_buff,
-                               ports->ftype, cb, cb_arg);
+                               ports->ftype, cb, cb_arg, ports->socket);
                        if(http_notls && ports->ftype == listen_type_http)
                                cp->ssl = NULL;
                        else
@@ -1322,7 +1388,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
                } else if(ports->ftype == listen_type_udpancil ||
                                  ports->ftype == listen_type_udpancil_dnscrypt)
                        cp = comm_point_create_udp_ancil(base, ports->fd, 
-                               front->udp_buff, cb, cb_arg);
+                               front->udp_buff, cb, cb_arg, ports->socket);
                if(!cp) {
                        log_err("can't create commpoint");      
                        listen_delete(front);
@@ -1506,13 +1572,12 @@ resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addres
 }
 #endif /* HAVE_GETIFADDRS */
 
-int resolve_interface_names(struct config_file* cfg, char*** resif,
-       int* num_resif)
+int resolve_interface_names(char** ifs, int num_ifs,
+       struct config_strlist* list, char*** resif, int* num_resif)
 {
 #ifdef HAVE_GETIFADDRS
-       int i;
        struct ifaddrs *addrs = NULL;
-       if(cfg->num_ifs == 0) {
+       if(num_ifs == 0 && list == NULL) {
                *resif = NULL;
                *num_resif = 0;
                return 1;
@@ -1523,38 +1588,73 @@ int resolve_interface_names(struct config_file* cfg, char*** resif,
                freeifaddrs(addrs);
                return 0;
        }
-       for(i=0; i<cfg->num_ifs; i++) {
-               if(!resolve_ifa_name(addrs, cfg->ifs[i], resif, num_resif)) {
-                       freeifaddrs(addrs);
-                       config_del_strarray(*resif, *num_resif);
-                       *resif = NULL;
-                       *num_resif = 0;
-                       return 0;
+       if(ifs) {
+               int i;
+               for(i=0; i<num_ifs; i++) {
+                       if(!resolve_ifa_name(addrs, ifs[i], resif, num_resif)) {
+                               freeifaddrs(addrs);
+                               config_del_strarray(*resif, *num_resif);
+                               *resif = NULL;
+                               *num_resif = 0;
+                               return 0;
+                       }
                }
        }
+       if(list) {
+               struct config_strlist* p;
+               for(p = list; p; p = p->next) {
+                       if(!resolve_ifa_name(addrs, p->str, resif, num_resif)) {
+                               freeifaddrs(addrs);
+                               config_del_strarray(*resif, *num_resif);
+                               *resif = NULL;
+                               *num_resif = 0;
+                               return 0;
+                       }
+}
+       }
        freeifaddrs(addrs);
        return 1;
 #else
-       int i;
-       if(cfg->num_ifs == 0) {
+       struct config_strlist* p;
+       if(num_ifs == 0 && list == NULL) {
                *resif = NULL;
                *num_resif = 0;
                return 1;
        }
-       *num_resif = cfg->num_ifs;
+       *num_resif = num_ifs;
+       for(p = list; p; p = p->next) {
+               (*num_resif)++;
+       }
        *resif = calloc(*num_resif, sizeof(**resif));
        if(!*resif) {
                log_err("out of memory");
                return 0;
        }
-       for(i=0; i<*num_resif; i++) {
-               (*resif)[i] = strdup(cfg->ifs[i]);
-               if(!((*resif)[i])) {
-                       log_err("out of memory");
-                       config_del_strarray(*resif, *num_resif);
-                       *resif = NULL;
-                       *num_resif = 0;
-                       return 0;
+       if(ifs) {
+               int i;
+               for(i=0; i<num_ifs; i++) {
+                       (*resif)[i] = strdup(ifs[i]);
+                       if(!((*resif)[i])) {
+                               log_err("out of memory");
+                               config_del_strarray(*resif, *num_resif);
+                               *resif = NULL;
+                               *num_resif = 0;
+                               return 0;
+                       }
+               }
+       }
+       if(list) {
+               int idx = num_ifs;
+               for(p = list; p; p = p->next) {
+                       (*resif)[idx] = strdup(p->str);
+                       if(!((*resif)[idx])) {
+                               log_err("out of memory");
+                               config_del_strarray(*resif, *num_resif);
+                               *resif = NULL;
+                               *num_resif = 0;
+                               return 0;
+                       }
+                       idx++;
                }
        }
        return 1;
@@ -1656,6 +1756,7 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
                        }
                }
        }
+
        return list;
 }
 
@@ -1667,6 +1768,11 @@ void listening_ports_free(struct listen_port* list)
                if(list->fd != -1) {
                        sock_close(list->fd);
                }
+               /* rc_ports don't have ub_socket */
+               if(list->socket) {
+                       freeaddrinfo(list->socket->addr);
+                       free(list->socket);
+               }
                free(list);
                list = nx;
        }
@@ -2371,6 +2477,10 @@ static int http2_query_read_done(struct http2_session* h2_session,
                        "buffer already assigned to stream");
                return -1;
        }
+    
+    /* the c->buffer might be used by mesh_send_reply and no be cleard
+        * need to be cleared before use */
+       sldns_buffer_clear(h2_session->c->buffer);
        if(sldns_buffer_remaining(h2_session->c->buffer) <
                sldns_buffer_remaining(h2_stream->qbuffer)) {
                /* qbuffer will be free'd in frame close cb */
@@ -2572,18 +2682,45 @@ static int http2_buffer_uri_query(struct http2_session* h2_session,
                return 0;
        }
 
-       if(!(b64len = sldns_b64url_pton(
-               (char const *)start, length,
-               sldns_buffer_current(h2_stream->qbuffer),
-               expectb64len)) || b64len < 0) {
-               lock_basic_lock(&http2_query_buffer_count_lock);
-               http2_query_buffer_count -= expectb64len;
-               lock_basic_unlock(&http2_query_buffer_count_lock);
-               sldns_buffer_free(h2_stream->qbuffer);
-               h2_stream->qbuffer = NULL;
-               /* return without error, method can be an
-                * unknown POST */
-               return 1;
+       if(sldns_b64_contains_nonurl((char const*)start, length)) {
+               char buf[65536+4];
+               verbose(VERB_ALGO, "HTTP2 stream contains wrong b64 encoding");
+               /* copy to the scratch buffer temporarily to terminate the
+                * string with a zero */
+               if(length+1 > sizeof(buf)) {
+                       /* too long */
+                       lock_basic_lock(&http2_query_buffer_count_lock);
+                       http2_query_buffer_count -= expectb64len;
+                       lock_basic_unlock(&http2_query_buffer_count_lock);
+                       sldns_buffer_free(h2_stream->qbuffer);
+                       h2_stream->qbuffer = NULL;
+                       return 1;
+               }
+               memmove(buf, start, length);
+               buf[length] = 0;
+               if(!(b64len = sldns_b64_pton(buf, sldns_buffer_current(
+                       h2_stream->qbuffer), expectb64len)) || b64len < 0) {
+                       lock_basic_lock(&http2_query_buffer_count_lock);
+                       http2_query_buffer_count -= expectb64len;
+                       lock_basic_unlock(&http2_query_buffer_count_lock);
+                       sldns_buffer_free(h2_stream->qbuffer);
+                       h2_stream->qbuffer = NULL;
+                       return 1;
+               }
+       } else {
+               if(!(b64len = sldns_b64url_pton(
+                       (char const *)start, length,
+                       sldns_buffer_current(h2_stream->qbuffer),
+                       expectb64len)) || b64len < 0) {
+                       lock_basic_lock(&http2_query_buffer_count_lock);
+                       http2_query_buffer_count -= expectb64len;
+                       lock_basic_unlock(&http2_query_buffer_count_lock);
+                       sldns_buffer_free(h2_stream->qbuffer);
+                       h2_stream->qbuffer = NULL;
+                       /* return without error, method can be an
+                        * unknown POST */
+                       return 1;
+               }
        }
        sldns_buffer_skip(h2_stream->qbuffer, (size_t)b64len);
        return 1;

diff --git a/sbin/unwind/libunbound/services/listen_dnsport.h b/sbin/unwind/libunbound/services/listen_dnsport.h
index f438ff4..1e51be9 100644 (file)
--- a/sbin/unwind/libunbound/services/listen_dnsport.h
+++ b/sbin/unwind/libunbound/services/listen_dnsport.h
@@ -102,6 +102,18 @@ enum listen_type {
        listen_type_http
 };
 
+/*
+ * socket properties (just like NSD nsd_socket structure definition)
+ */
+struct unbound_socket {
+       /** socket-address structure */
+        struct addrinfo *       addr;
+       /** socket descriptor returned by socket() syscall */
+        int                     s;
+       /** address family (AF_INET/IF_INET6) */
+        int                     fam;
+};
+
 /**
  * Single linked list to store shared ports that have been 
  * opened for use by all threads.
@@ -113,6 +125,8 @@ struct listen_port {
        int fd;
        /** type of file descriptor, udp or tcp */
        enum listen_type ftype;
+       /** fill in unbpound_socket structure for every opened socket at Unbound startup */
+       struct unbound_socket* socket;
 };
 
 /**
@@ -136,16 +150,19 @@ struct listen_port* listening_ports_open(struct config_file* cfg,
  */
 void listening_ports_free(struct listen_port* list);
 
+struct config_strlist;
 /**
  * Resolve interface names in config and store result IP addresses
- * @param cfg: config
+ * @param ifs: array of interfaces.  The list of interface names, if not NULL.
+ * @param num_ifs: length of ifs array.
+ * @param list: if not NULL, this is used as the list of interface names.
  * @param resif: string array (malloced array of malloced strings) with
  *     result.  NULL if cfg has none.
  * @param num_resif: length of resif.  Zero if cfg has zero num_ifs.
  * @return 0 on failure.
  */
-int resolve_interface_names(struct config_file* cfg, char*** resif,
-       int* num_resif);
+int resolve_interface_names(char** ifs, int num_ifs,
+       struct config_strlist* list, char*** resif, int* num_resif);
 
 /**
  * Create commpoints with for this thread for the shared ports.
@@ -424,4 +441,9 @@ int http2_submit_dns_response(void* v);
 
 char* set_ip_dscp(int socket, int addrfamily, int ds);
 
+/** for debug and profiling purposes only
+ * @param ub_sock: the structure containing created socket info we want to print or log for
+ */
+void verbose_print_unbound_socket(struct unbound_socket* ub_sock);
+
 #endif /* LISTEN_DNSPORT_H */

diff --git a/sbin/unwind/libunbound/services/localzone.c b/sbin/unwind/libunbound/services/localzone.c
index fd2ff2b..54f55ab 100644 (file)
--- a/sbin/unwind/libunbound/services/localzone.c
+++ b/sbin/unwind/libunbound/services/localzone.c
@@ -745,9 +745,15 @@ static int
 lz_enter_zones(struct local_zones* zones, struct config_file* cfg)
 {
        struct config_str2list* p;
+#ifndef THREADS_DISABLED
        struct local_zone* z;
+#endif
        for(p = cfg->local_zones; p; p = p->next) {
-               if(!(z=lz_enter_zone(zones, p->str, p->str2, 
+               if(!(
+#ifndef THREADS_DISABLED
+                       z=
+#endif
+                       lz_enter_zone(zones, p->str, p->str2,
                        LDNS_RR_CLASS_IN)))
                        return 0;
                lock_rw_unlock(&z->lock);
@@ -1027,7 +1033,9 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg)
        }
        if(have_name) {
                uint8_t* n2;
+#ifndef THREADS_DISABLED
                struct local_zone* z;
+#endif
                /* allocate zone of smallest shared topdomain to contain em */
                n2 = nm;
                dname_remove_labels(&n2, &nmlen, nmlabs - match);
@@ -1039,7 +1047,11 @@ lz_setup_implicit(struct local_zones* zones, struct config_file* cfg)
                }
                log_nametypeclass(VERB_ALGO, "implicit transparent local-zone", 
                        n2, 0, dclass);
-               if(!(z=lz_enter_zone_dname(zones, n2, nmlen, match, 
+               if(!(
+#ifndef THREADS_DISABLED
+                       z=
+#endif
+                       lz_enter_zone_dname(zones, n2, nmlen, match,
                        local_zone_transparent, dclass))) {
                        return 0;
                }

diff --git a/sbin/unwind/libunbound/services/localzone.h b/sbin/unwind/libunbound/services/localzone.h
index 3da5c87..b52d81d 100644 (file)
--- a/sbin/unwind/libunbound/services/localzone.h
+++ b/sbin/unwind/libunbound/services/localzone.h
@@ -158,7 +158,7 @@ struct local_zone {
        rbtree_type data;
        /** if data contains zone apex SOA data, this is a ptr to it. */
        struct ub_packed_rrset_key* soa;
-       /** if data contains zone apex SOA data, this is a prt to an
+       /** if data contains zone apex SOA data, this is a ptr to an
         * artificial negative SOA rrset (TTL is the minimum of the TTL and the
         * SOA.MINIMUM). */
        struct ub_packed_rrset_key* soa_negative;

diff --git a/sbin/unwind/libunbound/services/mesh.c b/sbin/unwind/libunbound/services/mesh.c
index 91d23de..5679a8b 100644 (file)
--- a/sbin/unwind/libunbound/services/mesh.c
+++ b/sbin/unwind/libunbound/services/mesh.c
@@ -99,7 +99,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
 {
 #ifndef S_SPLINT_S
        size_t leftover;
-       if(d == 0) {
+       if(d <= 0) {
                avg->tv_sec = 0;
                avg->tv_usec = 0;
                return;
@@ -108,7 +108,13 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
        avg->tv_usec = sum->tv_usec / d;
        /* handle fraction from seconds divide */
        leftover = sum->tv_sec - avg->tv_sec*d;
-       avg->tv_usec += (leftover*1000000)/d;
+       if(leftover <= 0)
+               leftover = 0;
+       avg->tv_usec += (((long long)leftover)*((long long)1000000))/d;
+       if(avg->tv_sec < 0)
+               avg->tv_sec = 0;
+       if(avg->tv_usec < 0)
+               avg->tv_usec = 0;
 #endif
 }
 
@@ -433,7 +439,7 @@ mesh_serve_expired_init(struct mesh_state* mstate, int timeout)
        mstate->s.serve_expired_data->get_cached_answer =
                mstate->s.serve_expired_data->get_cached_answer?
                mstate->s.serve_expired_data->get_cached_answer:
-               mesh_serve_expired_lookup;
+               &mesh_serve_expired_lookup;
 
        /* In case this timer already popped, start it again */
        if(!mstate->s.serve_expired_data->timer) {
@@ -1813,8 +1819,7 @@ mesh_detect_cycle(struct module_qstate* qstate, struct query_info* qinfo,
 {
        struct mesh_area* mesh = qstate->env->mesh;
        struct mesh_state* dep_m = NULL;
-       if(!mesh_state_is_unique(qstate->mesh_info))
-               dep_m = mesh_area_find(mesh, NULL, qinfo, flags, prime, valrec);
+       dep_m = mesh_area_find(mesh, NULL, qinfo, flags, prime, valrec);
        return mesh_detect_cycle_found(qstate, dep_m);
 }
 
@@ -1941,7 +1946,7 @@ mesh_serve_expired_callback(void* arg)
        while(1) {
                fptr_ok(fptr_whitelist_serve_expired_lookup(
                        qstate->serve_expired_data->get_cached_answer));
-               msg = qstate->serve_expired_data->get_cached_answer(qstate,
+               msg = (*qstate->serve_expired_data->get_cached_answer)(qstate,
                        lookup_qinfo);
                if(!msg)
                        return;

diff --git a/sbin/unwind/libunbound/services/modstack.c b/sbin/unwind/libunbound/services/modstack.c
index a600549..da8e623 100644 (file)
--- a/sbin/unwind/libunbound/services/modstack.c
+++ b/sbin/unwind/libunbound/services/modstack.c
@@ -88,57 +88,56 @@ count_modules(const char* s)
         return num;
 }
 
-void 
+void
 modstack_init(struct module_stack* stack)
 {
        stack->num = 0;
        stack->mod = NULL;
 }
 
-int 
+int
 modstack_config(struct module_stack* stack, const char* module_conf)
 {
-        int i;
-        verbose(VERB_QUERY, "module config: \"%s\"", module_conf);
-        stack->num = count_modules(module_conf);
-        if(stack->num == 0) {
-                log_err("error: no modules specified");
-                return 0;
-        }
-        if(stack->num > MAX_MODULE) {
-                log_err("error: too many modules (%d max %d)",
-                        stack->num, MAX_MODULE);
-                return 0;
-        }
-        stack->mod = (struct module_func_block**)calloc((size_t)
-                stack->num, sizeof(struct module_func_block*));
-        if(!stack->mod) {
-                log_err("out of memory");
-                return 0;
-        }
-        for(i=0; i<stack->num; i++) {
-                stack->mod[i] = module_factory(&module_conf);
-                if(!stack->mod[i]) {
+       int i;
+       verbose(VERB_QUERY, "module config: \"%s\"", module_conf);
+       stack->num = count_modules(module_conf);
+       if(stack->num == 0) {
+               log_err("error: no modules specified");
+               return 0;
+       }
+       if(stack->num > MAX_MODULE) {
+               log_err("error: too many modules (%d max %d)",
+                       stack->num, MAX_MODULE);
+               return 0;
+       }
+       stack->mod = (struct module_func_block**)calloc((size_t)
+               stack->num, sizeof(struct module_func_block*));
+       if(!stack->mod) {
+               log_err("out of memory");
+               return 0;
+       }
+       for(i=0; i<stack->num; i++) {
+               stack->mod[i] = module_factory(&module_conf);
+               if(!stack->mod[i]) {
                        char md[256];
                        snprintf(md, sizeof(md), "%s", module_conf);
                        if(strchr(md, ' ')) *(strchr(md, ' ')) = 0;
                        if(strchr(md, '\t')) *(strchr(md, '\t')) = 0;
-                        log_err("Unknown value in module-config, module: '%s'."
+                       log_err("Unknown value in module-config, module: '%s'."
                                " This module is not present (not compiled in),"
-                               " See the list of linked modules with unbound -h",
-                                md);
-                        return 0;
-                }
-        }
-        return 1;
+                               " See the list of linked modules with unbound -V", md);
+                       return 0;
+               }
+       }
+       return 1;
 }
 
 /** The list of module names */
 const char**
 module_list_avail(void)
 {
-        /* these are the modules available */
-        static const char* names[] = {
+       /* these are the modules available */
+       static const char* names[] = {
                "dns64",
 #ifdef WITH_PYTHONMODULE
                "python",
@@ -156,7 +155,7 @@ module_list_avail(void)
                "subnetcache",
 #endif
 #ifdef USE_IPSET
-                "ipset",
+               "ipset",
 #endif
                "respip",
                "validator",

diff --git a/sbin/unwind/libunbound/services/outside_network.c b/sbin/unwind/libunbound/services/outside_network.c
index 6c6b42c..a3f982e 100644 (file)
--- a/sbin/unwind/libunbound/services/outside_network.c
+++ b/sbin/unwind/libunbound/services/outside_network.c
@@ -90,8 +90,8 @@ static int randomize_and_send_udp(struct pending* pend, sldns_buffer* packet,
 static void waiting_list_remove(struct outside_network* outnet,
        struct waiting_tcp* w);
 
-/** remove reused element from tree and lru list */
-static void reuse_tcp_remove_tree_list(struct outside_network* outnet,
+/** select a DNS ID for a TCP stream */
+static uint16_t tcp_select_id(struct outside_network* outnet,
        struct reuse_tcp* reuse);
 
 int 
@@ -198,15 +198,17 @@ waiting_tcp_delete(struct waiting_tcp* w)
  * Pick random outgoing-interface of that family, and bind it.
  * port set to 0 so OS picks a port number for us.
  * if it is the ANY address, do not bind.
+ * @param pend: pending tcp structure, for storing the local address choice.
  * @param w: tcp structure with destination address.
  * @param s: socket fd.
  * @return false on error, socket closed.
  */
 static int
-pick_outgoing_tcp(struct waiting_tcp* w, int s)
+pick_outgoing_tcp(struct pending_tcp* pend, struct waiting_tcp* w, int s)
 {
        struct port_if* pi = NULL;
        int num;
+       pend->pi = NULL;
 #ifdef INET6
        if(addr_is_ip6(&w->addr, w->addrlen))
                num = w->outnet->num_ip6;
@@ -226,6 +228,7 @@ pick_outgoing_tcp(struct waiting_tcp* w, int s)
 #endif
                pi = &w->outnet->ip4_ifs[ub_random_max(w->outnet->rnd, num)];
        log_assert(pi);
+       pend->pi = pi;
        if(addr_is_any(&pi->addr, pi->addrlen)) {
                /* binding to the ANY interface is for listening sockets */
                return 1;
@@ -235,7 +238,14 @@ pick_outgoing_tcp(struct waiting_tcp* w, int s)
                ((struct sockaddr_in6*)&pi->addr)->sin6_port = 0;
        else    ((struct sockaddr_in*)&pi->addr)->sin_port = 0;
        if(bind(s, (struct sockaddr*)&pi->addr, pi->addrlen) != 0) {
-               log_err("outgoing tcp: bind: %s", sock_strerror(errno));
+#ifndef USE_WINSOCK
+#ifdef EADDRNOTAVAIL
+               if(!(verbosity < 4 && errno == EADDRNOTAVAIL))
+#endif
+#else /* USE_WINSOCK */
+               if(!(verbosity < 4 && WSAGetLastError() == WSAEADDRNOTAVAIL))
+#endif
+                   log_err("outgoing tcp: bind: %s", sock_strerror(errno));
                sock_close(s);
                return 0;
        }
@@ -337,6 +347,8 @@ log_reuse_tcp(enum verbosity_value v, const char* msg, struct reuse_tcp* reuse)
        uint16_t port;
        char addrbuf[128];
        if(verbosity < v) return;
+       if(!reuse || !reuse->pending || !reuse->pending->c)
+               return;
        addr_to_str(&reuse->addr, reuse->addrlen, addrbuf, sizeof(addrbuf));
        port = ntohs(((struct sockaddr_in*)&reuse->addr)->sin_port);
        verbose(v, "%s %s#%u fd %d", msg, addrbuf, (unsigned)port,
@@ -356,6 +368,8 @@ static struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse)
                w->write_wait_next->write_wait_prev = NULL;
        else    reuse->write_wait_last = NULL;
        w->write_wait_queued = 0;
+       w->write_wait_next = NULL;
+       w->write_wait_prev = NULL;
        return w;
 }
 
@@ -363,6 +377,8 @@ static struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse)
 static void reuse_write_wait_remove(struct reuse_tcp* reuse,
        struct waiting_tcp* w)
 {
+       log_assert(w);
+       log_assert(w->write_wait_queued);
        if(!w)
                return;
        if(!w->write_wait_queued)
@@ -370,10 +386,16 @@ static void reuse_write_wait_remove(struct reuse_tcp* reuse,
        if(w->write_wait_prev)
                w->write_wait_prev->write_wait_next = w->write_wait_next;
        else    reuse->write_wait_first = w->write_wait_next;
+       log_assert(!w->write_wait_prev ||
+               w->write_wait_prev->write_wait_next != w->write_wait_prev);
        if(w->write_wait_next)
                w->write_wait_next->write_wait_prev = w->write_wait_prev;
        else    reuse->write_wait_last = w->write_wait_prev;
+       log_assert(!w->write_wait_next
+               || w->write_wait_next->write_wait_prev != w->write_wait_next);
        w->write_wait_queued = 0;
+       w->write_wait_next = NULL;
+       w->write_wait_prev = NULL;
 }
 
 /** push the element after the last on the writewait list */
@@ -384,6 +406,8 @@ static void reuse_write_wait_push_back(struct reuse_tcp* reuse,
        log_assert(!w->write_wait_queued);
        if(reuse->write_wait_last) {
                reuse->write_wait_last->write_wait_next = w;
+               log_assert(reuse->write_wait_last->write_wait_next !=
+                       reuse->write_wait_last);
                w->write_wait_prev = reuse->write_wait_last;
        } else {
                reuse->write_wait_first = w;
@@ -396,9 +420,18 @@ static void reuse_write_wait_push_back(struct reuse_tcp* reuse,
 void
 reuse_tree_by_id_insert(struct reuse_tcp* reuse, struct waiting_tcp* w)
 {
+#ifdef UNBOUND_DEBUG
+       rbnode_type* added;
+#endif
        log_assert(w->id_node.key == NULL);
        w->id_node.key = w;
+#ifdef UNBOUND_DEBUG
+       added =
+#else
+       (void)
+#endif
        rbtree_insert(&reuse->tree_by_id, &w->id_node);
+       log_assert(added);  /* should have been added */
 }
 
 /** find element in tree by id */
@@ -424,34 +457,45 @@ tree_by_id_get_id(rbnode_type* node)
 }
 
 /** insert into reuse tcp tree and LRU, false on failure (duplicate) */
-static int
+int
 reuse_tcp_insert(struct outside_network* outnet, struct pending_tcp* pend_tcp)
 {
        log_reuse_tcp(VERB_CLIENT, "reuse_tcp_insert", &pend_tcp->reuse);
        if(pend_tcp->reuse.item_on_lru_list) {
                if(!pend_tcp->reuse.node.key)
-                       log_err("internal error: reuse_tcp_insert: on lru list without key");
+                       log_err("internal error: reuse_tcp_insert: "
+                               "in lru list without key");
                return 1;
        }
        pend_tcp->reuse.node.key = &pend_tcp->reuse;
        pend_tcp->reuse.pending = pend_tcp;
        if(!rbtree_insert(&outnet->tcp_reuse, &pend_tcp->reuse.node)) {
-               /* this is a duplicate connection, close this one */
-               verbose(VERB_CLIENT, "reuse_tcp_insert: duplicate connection");
-               pend_tcp->reuse.node.key = NULL;
-               return 0;
+               /* We are not in the LRU list but we are already in the
+                * tcp_reuse tree, strange.
+                * Continue to add ourselves to the LRU list. */
+               log_err("internal error: reuse_tcp_insert: in lru list but "
+                       "not in the tree");
        }
        /* insert into LRU, first is newest */
        pend_tcp->reuse.lru_prev = NULL;
        if(outnet->tcp_reuse_first) {
                pend_tcp->reuse.lru_next = outnet->tcp_reuse_first;
+               log_assert(pend_tcp->reuse.lru_next != &pend_tcp->reuse);
                outnet->tcp_reuse_first->lru_prev = &pend_tcp->reuse;
+               log_assert(outnet->tcp_reuse_first->lru_prev !=
+                       outnet->tcp_reuse_first);
        } else {
                pend_tcp->reuse.lru_next = NULL;
                outnet->tcp_reuse_last = &pend_tcp->reuse;
        }
        outnet->tcp_reuse_first = &pend_tcp->reuse;
        pend_tcp->reuse.item_on_lru_list = 1;
+       log_assert((!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) ||
+               (outnet->tcp_reuse_first && outnet->tcp_reuse_last));
+       log_assert(outnet->tcp_reuse_first != outnet->tcp_reuse_first->lru_next &&
+               outnet->tcp_reuse_first != outnet->tcp_reuse_first->lru_prev);
+       log_assert(outnet->tcp_reuse_last != outnet->tcp_reuse_last->lru_next &&
+               outnet->tcp_reuse_last != outnet->tcp_reuse_last->lru_prev);
        return 1;
 }
 
@@ -511,7 +555,7 @@ reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr,
        while(result && result != RBTREE_NULL &&
                reuse_cmp_addrportssl(result->key, &key_p.reuse) == 0) {
                if(((struct reuse_tcp*)result)->tree_by_id.count <
-                       MAX_REUSE_TCP_QUERIES) {
+                       outnet->max_reuse_tcp_queries) {
                        /* same address, port, ssl-yes-or-no, and has
                         * space for another query */
                        return (struct reuse_tcp*)result;
@@ -567,7 +611,7 @@ outnet_tcp_take_into_use(struct waiting_tcp* w)
        if(s == -1)
                return 0;
 
-       if(!pick_outgoing_tcp(w, s))
+       if(!pick_outgoing_tcp(pend, w, s))
                return 0;
 
        fd_set_nonblock(s);
@@ -689,28 +733,65 @@ outnet_tcp_take_into_use(struct waiting_tcp* w)
 /** Touch the lru of a reuse_tcp element, it is in use.
  * This moves it to the front of the list, where it is not likely to
  * be closed.  Items at the back of the list are closed to make space. */
-static void
+void
 reuse_tcp_lru_touch(struct outside_network* outnet, struct reuse_tcp* reuse)
 {
        if(!reuse->item_on_lru_list) {
                log_err("internal error: we need to touch the lru_list but item not in list");
                return; /* not on the list, no lru to modify */
        }
+       log_assert(reuse->lru_prev ||
+               (!reuse->lru_prev && outnet->tcp_reuse_first == reuse));
        if(!reuse->lru_prev)
                return; /* already first in the list */
        /* remove at current position */
        /* since it is not first, there is a previous element */
        reuse->lru_prev->lru_next = reuse->lru_next;
+       log_assert(reuse->lru_prev->lru_next != reuse->lru_prev);
        if(reuse->lru_next)
                reuse->lru_next->lru_prev = reuse->lru_prev;
        else    outnet->tcp_reuse_last = reuse->lru_prev;
+       log_assert(!reuse->lru_next || reuse->lru_next->lru_prev != reuse->lru_next);
+       log_assert(outnet->tcp_reuse_last != outnet->tcp_reuse_last->lru_next &&
+               outnet->tcp_reuse_last != outnet->tcp_reuse_last->lru_prev);
        /* insert at the front */
        reuse->lru_prev = NULL;
        reuse->lru_next = outnet->tcp_reuse_first;
+       if(outnet->tcp_reuse_first) {
+               outnet->tcp_reuse_first->lru_prev = reuse;
+       }
+       log_assert(reuse->lru_next != reuse);
        /* since it is not first, it is not the only element and
         * lru_next is thus not NULL and thus reuse is now not the last in
         * the list, so outnet->tcp_reuse_last does not need to be modified */
        outnet->tcp_reuse_first = reuse;
+       log_assert(outnet->tcp_reuse_first != outnet->tcp_reuse_first->lru_next &&
+               outnet->tcp_reuse_first != outnet->tcp_reuse_first->lru_prev);
+       log_assert((!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) ||
+               (outnet->tcp_reuse_first && outnet->tcp_reuse_last));
+}
+
+/** Snip the last reuse_tcp element off of the LRU list */
+struct reuse_tcp*
+reuse_tcp_lru_snip(struct outside_network* outnet)
+{
+       struct reuse_tcp* reuse = outnet->tcp_reuse_last;
+       if(!reuse) return NULL;
+       /* snip off of LRU */
+       log_assert(reuse->lru_next == NULL);
+       if(reuse->lru_prev) {
+               outnet->tcp_reuse_last = reuse->lru_prev;
+               reuse->lru_prev->lru_next = NULL;
+       } else {
+               outnet->tcp_reuse_last = NULL;
+               outnet->tcp_reuse_first = NULL;
+       }
+       log_assert((!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) ||
+               (outnet->tcp_reuse_first && outnet->tcp_reuse_last));
+       reuse->item_on_lru_list = 0;
+       reuse->lru_next = NULL;
+       reuse->lru_prev = NULL;
+       return reuse;
 }
 
 /** call callback on waiting_tcp, if not NULL */
@@ -718,30 +799,89 @@ static void
 waiting_tcp_callback(struct waiting_tcp* w, struct comm_point* c, int error,
        struct comm_reply* reply_info)
 {
-       if(w->cb) {
+       if(w && w->cb) {
                fptr_ok(fptr_whitelist_pending_tcp(w->cb));
                (void)(*w->cb)(c, w->cb_arg, error, reply_info);
        }
 }
 
+/** add waiting_tcp element to the outnet tcp waiting list */
+static void
+outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w)
+{
+       struct timeval tv;
+       log_assert(!w->on_tcp_waiting_list);
+       if(w->on_tcp_waiting_list)
+               return;
+       w->next_waiting = NULL;
+       if(outnet->tcp_wait_last)
+               outnet->tcp_wait_last->next_waiting = w;
+       else    outnet->tcp_wait_first = w;
+       outnet->tcp_wait_last = w;
+       w->on_tcp_waiting_list = 1;
+#ifndef S_SPLINT_S
+       tv.tv_sec = w->timeout/1000;
+       tv.tv_usec = (w->timeout%1000)*1000;
+#endif
+       comm_timer_set(w->timer, &tv);
+}
+
+/** add waiting_tcp element as first to the outnet tcp waiting list */
+static void
+outnet_add_tcp_waiting_first(struct outside_network* outnet,
+       struct waiting_tcp* w, int reset_timer)
+{
+       struct timeval tv;
+       log_assert(!w->on_tcp_waiting_list);
+       if(w->on_tcp_waiting_list)
+               return;
+       w->next_waiting = outnet->tcp_wait_first;
+       if(!outnet->tcp_wait_last)
+               outnet->tcp_wait_last = w;
+       outnet->tcp_wait_first = w;
+       w->on_tcp_waiting_list = 1;
+       if(reset_timer) {
+#ifndef S_SPLINT_S
+               tv.tv_sec = w->timeout/1000;
+               tv.tv_usec = (w->timeout%1000)*1000;
+#endif
+               comm_timer_set(w->timer, &tv);
+       }
+       log_assert(
+               (!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) ||
+               (outnet->tcp_reuse_first && outnet->tcp_reuse_last));
+}
+
 /** see if buffers can be used to service TCP queries */
 static void
 use_free_buffer(struct outside_network* outnet)
 {
        struct waiting_tcp* w;
-       while(outnet->tcp_free && outnet->tcp_wait_first 
-               && !outnet->want_to_quit) {
+       while(outnet->tcp_wait_first && !outnet->want_to_quit) {
+#ifdef USE_DNSTAP
+               struct pending_tcp* pend_tcp = NULL;
+#endif
                struct reuse_tcp* reuse = NULL;
                w = outnet->tcp_wait_first;
+               log_assert(w->on_tcp_waiting_list);
                outnet->tcp_wait_first = w->next_waiting;
                if(outnet->tcp_wait_last == w)
                        outnet->tcp_wait_last = NULL;
+               log_assert(
+                       (!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) ||
+                       (outnet->tcp_reuse_first && outnet->tcp_reuse_last));
                w->on_tcp_waiting_list = 0;
                reuse = reuse_tcp_find(outnet, &w->addr, w->addrlen,
                        w->ssl_upstream);
+               /* re-select an ID when moving to a new TCP buffer */
+               w->id = tcp_select_id(outnet, reuse);
+               LDNS_ID_SET(w->pkt, w->id);
                if(reuse) {
                        log_reuse_tcp(VERB_CLIENT, "use free buffer for waiting tcp: "
                                "found reuse", reuse);
+#ifdef USE_DNSTAP
+                       pend_tcp = reuse->pending;
+#endif
                        reuse_tcp_lru_touch(outnet, reuse);
                        comm_timer_disable(w->timer);
                        w->next_waiting = (void*)reuse->pending;
@@ -758,7 +898,7 @@ use_free_buffer(struct outside_network* outnet)
                                        reuse->pending->c->fd, reuse->pending,
                                        w);
                        }
-               } else {
+               } else if(outnet->tcp_free) {
                        struct pending_tcp* pend = w->outnet->tcp_free;
                        rbtree_init(&pend->reuse.tree_by_id, reuse_id_cmp);
                        pend->reuse.pending = pend;
@@ -768,37 +908,47 @@ use_free_buffer(struct outside_network* outnet)
                                waiting_tcp_callback(w, NULL, NETEVENT_CLOSED,
                                        NULL);
                                waiting_tcp_delete(w);
+#ifdef USE_DNSTAP
+                               w = NULL;
+#endif
                        }
+#ifdef USE_DNSTAP
+                       pend_tcp = pend;
+#endif
+               } else {
+                       /* no reuse and no free buffer, put back at the start */
+                       outnet_add_tcp_waiting_first(outnet, w, 0);
+                       break;
+               }
+#ifdef USE_DNSTAP
+               if(outnet->dtenv && pend_tcp && w && w->sq &&
+                       (outnet->dtenv->log_resolver_query_messages ||
+                       outnet->dtenv->log_forwarder_query_messages)) {
+                       sldns_buffer tmp;
+                       sldns_buffer_init_frm_data(&tmp, w->pkt, w->pkt_len);
+                       dt_msg_send_outside_query(outnet->dtenv, &w->sq->addr,
+                               &pend_tcp->pi->addr, comm_tcp, w->sq->zone,
+                               w->sq->zonelen, &tmp);
                }
-       }
-}
-
-/** add waiting_tcp element to the outnet tcp waiting list */
-static void
-outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w)
-{
-       struct timeval tv;
-       if(w->on_tcp_waiting_list)
-               return;
-       w->next_waiting = NULL;
-       if(outnet->tcp_wait_last)
-               outnet->tcp_wait_last->next_waiting = w;
-       else    outnet->tcp_wait_first = w;
-       outnet->tcp_wait_last = w;
-       w->on_tcp_waiting_list = 1;
-#ifndef S_SPLINT_S
-       tv.tv_sec = w->timeout/1000;
-       tv.tv_usec = (w->timeout%1000)*1000;
 #endif
-       comm_timer_set(w->timer, &tv);
+       }
 }
 
 /** delete element from tree by id */
 static void
 reuse_tree_by_id_delete(struct reuse_tcp* reuse, struct waiting_tcp* w)
 {
+#ifdef UNBOUND_DEBUG
+       rbnode_type* rem;
+#endif
        log_assert(w->id_node.key != NULL);
+#ifdef UNBOUND_DEBUG
+       rem =
+#else
+       (void)
+#endif
        rbtree_delete(&reuse->tree_by_id, w);
+       log_assert(rem);  /* should have been there */
        w->id_node.key = NULL;
 }
 
@@ -857,15 +1007,24 @@ reuse_move_writewait_away(struct outside_network* outnet,
 }
 
 /** remove reused element from tree and lru list */
-static void
+void
 reuse_tcp_remove_tree_list(struct outside_network* outnet,
        struct reuse_tcp* reuse)
 {
        verbose(VERB_CLIENT, "reuse_tcp_remove_tree_list");
        if(reuse->node.key) {
                /* delete it from reuse tree */
-               (void)rbtree_delete(&outnet->tcp_reuse, reuse);
+               if(!rbtree_delete(&outnet->tcp_reuse, reuse)) {
+                       /* should not be possible, it should be there */
+                       char buf[256];
+                       addr_to_str(&reuse->addr, reuse->addrlen, buf,
+                               sizeof(buf));
+                       log_err("reuse tcp delete: node not present, internal error, %s ssl %d lru %d", buf, reuse->is_ssl, reuse->item_on_lru_list);
+               }
                reuse->node.key = NULL;
+               /* defend against loops on broken tree by zeroing the
+                * rbnode structure */
+               memset(&reuse->node, 0, sizeof(reuse->node));
        }
        /* delete from reuse list */
        if(reuse->item_on_lru_list) {
@@ -874,21 +1033,38 @@ reuse_tcp_remove_tree_list(struct outside_network* outnet,
                         * and thus have a pending pointer to the struct */
                        log_assert(reuse->lru_prev->pending);
                        reuse->lru_prev->lru_next = reuse->lru_next;
+                       log_assert(reuse->lru_prev->lru_next != reuse->lru_prev);
                } else {
                        log_assert(!reuse->lru_next || reuse->lru_next->pending);
                        outnet->tcp_reuse_first = reuse->lru_next;
+                       log_assert(!outnet->tcp_reuse_first ||
+                               (outnet->tcp_reuse_first !=
+                                outnet->tcp_reuse_first->lru_next &&
+                                outnet->tcp_reuse_first !=
+                                outnet->tcp_reuse_first->lru_prev));
                }
                if(reuse->lru_next) {
                        /* assert that members of the lru list are waiting
                         * and thus have a pending pointer to the struct */
                        log_assert(reuse->lru_next->pending);
                        reuse->lru_next->lru_prev = reuse->lru_prev;
+                       log_assert(reuse->lru_next->lru_prev != reuse->lru_next);
                } else {
                        log_assert(!reuse->lru_prev || reuse->lru_prev->pending);
                        outnet->tcp_reuse_last = reuse->lru_prev;
-               }
+                       log_assert(!outnet->tcp_reuse_last ||
+                               (outnet->tcp_reuse_last !=
+                                outnet->tcp_reuse_last->lru_next &&
+                                outnet->tcp_reuse_last !=
+                                outnet->tcp_reuse_last->lru_prev));
+               }
+               log_assert((!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) ||
+                       (outnet->tcp_reuse_first && outnet->tcp_reuse_last));
                reuse->item_on_lru_list = 0;
+               reuse->lru_next = NULL;
+               reuse->lru_prev = NULL;
        }
+       reuse->pending = NULL;
 }
 
 /** helper function that deletes an element from the tree of readwait
@@ -915,8 +1091,12 @@ decommission_pending_tcp(struct outside_network* outnet,
        struct pending_tcp* pend)
 {
        verbose(VERB_CLIENT, "decommission_pending_tcp");
-       pend->next_free = outnet->tcp_free;
-       outnet->tcp_free = pend;
+       /* A certain code path can lead here twice for the same pending_tcp
+        * creating a loop in the free pending_tcp list. */
+       if(outnet->tcp_free != pend) {
+               pend->next_free = outnet->tcp_free;
+               outnet->tcp_free = pend;
+       }
        if(pend->reuse.node.key) {
                /* needs unlink from the reuse tree to get deleted */
                reuse_tcp_remove_tree_list(outnet, &pend->reuse);
@@ -977,22 +1157,22 @@ static void reuse_cb_and_decommission(struct outside_network* outnet,
 
 /** set timeout on tcp fd and setup read event to catch incoming dns msgs */
 static void
-reuse_tcp_setup_timeout(struct pending_tcp* pend_tcp)
+reuse_tcp_setup_timeout(struct pending_tcp* pend_tcp, int tcp_reuse_timeout)
 {
        log_reuse_tcp(VERB_CLIENT, "reuse_tcp_setup_timeout", &pend_tcp->reuse);
-       comm_point_start_listening(pend_tcp->c, -1, REUSE_TIMEOUT);
+       comm_point_start_listening(pend_tcp->c, -1, tcp_reuse_timeout);
 }
 
 /** set timeout on tcp fd and setup read event to catch incoming dns msgs */
 static void
-reuse_tcp_setup_read_and_timeout(struct pending_tcp* pend_tcp)
+reuse_tcp_setup_read_and_timeout(struct pending_tcp* pend_tcp, int tcp_reuse_timeout)
 {
        log_reuse_tcp(VERB_CLIENT, "reuse_tcp_setup_readtimeout", &pend_tcp->reuse);
        sldns_buffer_clear(pend_tcp->c->buffer);
        pend_tcp->c->tcp_is_reading = 1;
        pend_tcp->c->tcp_byte_count = 0;
        comm_point_stop_listening(pend_tcp->c);
-       comm_point_start_listening(pend_tcp->c, -1, REUSE_TIMEOUT);
+       comm_point_start_listening(pend_tcp->c, -1, tcp_reuse_timeout);
 }
 
 int 
@@ -1002,6 +1182,7 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error,
        struct pending_tcp* pend = (struct pending_tcp*)arg;
        struct outside_network* outnet = pend->reuse.outnet;
        struct waiting_tcp* w = NULL;
+       log_assert(pend->reuse.item_on_lru_list && pend->reuse.node.key);
        verbose(VERB_ALGO, "outnettcp cb");
        if(error == NETEVENT_TIMEOUT) {
                if(pend->c->tcp_write_and_read) {
@@ -1048,7 +1229,7 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error,
                        pend->reuse.cp_more_write_again = 0;
                        pend->c->tcp_is_reading = 1;
                        comm_point_stop_listening(pend->c);
-                       reuse_tcp_setup_timeout(pend);
+                       reuse_tcp_setup_timeout(pend, outnet->tcp_reuse_timeout);
                }
                return 0;
        } else if(error != NETEVENT_NOERROR) {
@@ -1101,7 +1282,7 @@ outnet_tcp_cb(struct comm_point* c, void* arg, int error,
                 * and there could be more bytes to read on the input */
                if(pend->reuse.tree_by_id.count != 0)
                        pend->reuse.cp_more_read_again = 1;
-               reuse_tcp_setup_read_and_timeout(pend);
+               reuse_tcp_setup_read_and_timeout(pend, outnet->tcp_reuse_timeout);
                return 0;
        }
        verbose(VERB_CLIENT, "outnet_tcp_cb reuse after cb: decommission it");
@@ -1369,7 +1550,8 @@ outside_network_create(struct comm_base *base, size_t bufsize,
        int numavailports, size_t unwanted_threshold, int tcp_mss,
        void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
        void* sslctx, int delayclose, int tls_use_sni, struct dt_env* dtenv,
-       int udp_connect)
+       int udp_connect, int max_reuse_tcp_queries, int tcp_reuse_timeout,
+       int tcp_auth_query_timeout)
 {
        struct outside_network* outnet = (struct outside_network*)
                calloc(1, sizeof(struct outside_network));
@@ -1381,6 +1563,9 @@ outside_network_create(struct comm_base *base, size_t bufsize,
        comm_base_timept(base, &outnet->now_secs, &outnet->now_tv);
        outnet->base = base;
        outnet->num_tcp = num_tcp;
+       outnet->max_reuse_tcp_queries = max_reuse_tcp_queries;
+       outnet->tcp_reuse_timeout= tcp_reuse_timeout;
+       outnet->tcp_auth_query_timeout = tcp_auth_query_timeout;
        outnet->num_tcp_outgoing = 0;
        outnet->infra = infra;
        outnet->rnd = rnd;
@@ -1457,7 +1642,7 @@ outside_network_create(struct comm_base *base, size_t bufsize,
                        return NULL;
                }
                pc->cp = comm_point_create_udp(outnet->base, -1, 
-                       outnet->udp_buff, outnet_udp_cb, outnet);
+                       outnet->udp_buff, outnet_udp_cb, outnet, NULL);
                if(!pc->cp) {
                        log_err("malloc failed");
                        free(pc);
@@ -1609,22 +1794,19 @@ outside_network_delete(struct outside_network* outnet)
                size_t i;
                for(i=0; i<outnet->num_tcp; i++)
                        if(outnet->tcp_conns[i]) {
-                               if(outnet->tcp_conns[i]->query &&
-                                       !outnet->tcp_conns[i]->query->
-                                       on_tcp_waiting_list) {
+                               struct pending_tcp* pend;
+                               pend = outnet->tcp_conns[i];
+                               if(pend->reuse.item_on_lru_list) {
                                        /* delete waiting_tcp elements that
                                         * the tcp conn is working on */
-                                       struct pending_tcp* pend =
-                                               (struct pending_tcp*)outnet->
-                                               tcp_conns[i]->query->
-                                               next_waiting;
                                        decommission_pending_tcp(outnet, pend);
                                }
                                comm_point_delete(outnet->tcp_conns[i]->c);
-                               waiting_tcp_delete(outnet->tcp_conns[i]->query);
                                free(outnet->tcp_conns[i]);
+                               outnet->tcp_conns[i] = NULL;
                        }
                free(outnet->tcp_conns);
+               outnet->tcp_conns = NULL;
        }
        if(outnet->tcp_wait_first) {
                struct waiting_tcp* p = outnet->tcp_wait_first, *np;
@@ -1742,14 +1924,14 @@ select_id(struct outside_network* outnet, struct pending* pend,
        sldns_buffer* packet)
 {
        int id_tries = 0;
-       pend->id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff;
+       pend->id = GET_RANDOM_ID(outnet->rnd);
        LDNS_ID_SET(sldns_buffer_begin(packet), pend->id);
 
        /* insert in tree */
        pend->node.key = pend;
        while(!rbtree_insert(outnet->pending, &pend->node)) {
                /* change ID to avoid collision */
-               pend->id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff;
+               pend->id = GET_RANDOM_ID(outnet->rnd);
                LDNS_ID_SET(sldns_buffer_begin(packet), pend->id);
                id_tries++;
                if(id_tries == MAX_ID_RETRY) {
@@ -1779,6 +1961,7 @@ static int udp_connect_needs_log(int err)
 #  ifdef ENETDOWN
        case ENETDOWN:
 #  endif
+       case EPERM:
                if(verbosity >= VERB_ALGO)
                        return 1;
                return 0;
@@ -1931,11 +2114,21 @@ randomize_and_send_udp(struct pending* pend, sldns_buffer* packet, int timeout)
        comm_timer_set(pend->timer, &tv);
 
 #ifdef USE_DNSTAP
+       /*
+        * sending src (local service)/dst (upstream) addresses over DNSTAP
+        * There are no chances to get the src (local service) addr if unbound
+        * is not configured with specific outgoing IP-addresses. So we will
+        * pass 0.0.0.0 (::) to argument for
+        * dt_msg_send_outside_query()/dt_msg_send_outside_response() calls.
+        */
        if(outnet->dtenv &&
           (outnet->dtenv->log_resolver_query_messages ||
-           outnet->dtenv->log_forwarder_query_messages))
-               dt_msg_send_outside_query(outnet->dtenv, &pend->addr, comm_udp,
-               pend->sq->zone, pend->sq->zonelen, packet);
+               outnet->dtenv->log_forwarder_query_messages)) {
+                       log_addr(VERB_ALGO, "from local addr", &pend->pc->pif->addr, pend->pc->pif->addrlen);
+                       log_addr(VERB_ALGO, "request to upstream", &pend->addr, pend->addrlen);
+                       dt_msg_send_outside_query(outnet->dtenv, &pend->addr, &pend->pc->pif->addr, comm_udp,
+                               pend->sq->zone, pend->sq->zonelen, packet);
+       }
 #endif
        return 1;
 }
@@ -2011,24 +2204,20 @@ outnet_tcptimer(void* arg)
 static void
 reuse_tcp_close_oldest(struct outside_network* outnet)
 {
-       struct pending_tcp* pend;
+       struct reuse_tcp* reuse;
        verbose(VERB_CLIENT, "reuse_tcp_close_oldest");
-       if(!outnet->tcp_reuse_last) return;
-       pend = outnet->tcp_reuse_last->pending;
-
-       /* snip off of LRU */
-       log_assert(pend->reuse.lru_next == NULL);
-       if(pend->reuse.lru_prev) {
-               outnet->tcp_reuse_last = pend->reuse.lru_prev;
-               pend->reuse.lru_prev->lru_next = NULL;
-       } else {
-               outnet->tcp_reuse_last = NULL;
-               outnet->tcp_reuse_first = NULL;
-       }
-       pend->reuse.item_on_lru_list = 0;
-
+       reuse = reuse_tcp_lru_snip(outnet);
+       if(!reuse) return;
        /* free up */
-       reuse_cb_and_decommission(outnet, pend, NETEVENT_CLOSED);
+       reuse_cb_and_decommission(outnet, reuse->pending, NETEVENT_CLOSED);
+}
+
+static uint16_t
+tcp_select_id(struct outside_network* outnet, struct reuse_tcp* reuse)
+{
+       if(reuse)
+               return reuse_tcp_select_id(reuse, outnet);
+       return GET_RANDOM_ID(outnet->rnd);
 }
 
 /** find spare ID value for reuse tcp stream.  That is random and also does
@@ -2044,13 +2233,13 @@ reuse_tcp_select_id(struct reuse_tcp* reuse, struct outside_network* outnet)
 
        /* make really sure the tree is not empty */
        if(reuse->tree_by_id.count == 0) {
-               id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff;
+               id = GET_RANDOM_ID(outnet->rnd);
                return id;
        }
 
        /* try to find random empty spots by picking them */
        for(i = 0; i<try_random; i++) {
-               id = ((unsigned)ub_random(outnet->rnd)>>8) & 0xffff;
+               id = GET_RANDOM_ID(outnet->rnd);
                if(!reuse_tcp_by_id_find(reuse, id)) {
                        return id;
                }
@@ -2126,6 +2315,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
                reuse_tcp_lru_touch(sq->outnet, reuse);
        }
 
+       log_assert(!reuse || (reuse && pend));
        /* if !pend but we have reuse streams, close a reuse stream
         * to be able to open a new one to this target, no use waiting
         * to reuse a file descriptor while another query needs to use
@@ -2133,6 +2323,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
        if(!pend) {
                reuse_tcp_close_oldest(sq->outnet);
                pend = sq->outnet->tcp_free;
+               log_assert(!reuse || (pend == reuse->pending));
        }
 
        /* allocate space to store query */
@@ -2148,9 +2339,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
        w->pkt = (uint8_t*)w + sizeof(struct waiting_tcp);
        w->pkt_len = sldns_buffer_limit(packet);
        memmove(w->pkt, sldns_buffer_begin(packet), w->pkt_len);
-       if(reuse)
-               w->id = reuse_tcp_select_id(reuse, sq->outnet);
-       else    w->id = ((unsigned)ub_random(sq->outnet->rnd)>>8) & 0xffff;
+       w->id = tcp_select_id(sq->outnet, reuse);
        LDNS_ID_SET(w->pkt, w->id);
        memcpy(&w->addr, &sq->addr, sq->addrlen);
        w->addrlen = sq->addrlen;
@@ -2167,9 +2356,13 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
        w->write_wait_next = NULL;
        w->write_wait_queued = 0;
        w->error_count = 0;
+#ifdef USE_DNSTAP
+       w->sq = NULL;
+#endif
        if(pend) {
                /* we have a buffer available right now */
                if(reuse) {
+                       log_assert(reuse == &pend->reuse);
                        /* reuse existing fd, write query and continue */
                        /* store query in tree by id */
                        verbose(VERB_CLIENT, "pending_tcp_query: reuse, store");
@@ -2201,20 +2394,28 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
                                return NULL;
                        }
                }
+#ifdef USE_DNSTAP
+               if(sq->outnet->dtenv &&
+                  (sq->outnet->dtenv->log_resolver_query_messages ||
+                   sq->outnet->dtenv->log_forwarder_query_messages)) {
+                       /* use w->pkt, because it has the ID value */
+                       sldns_buffer tmp;
+                       sldns_buffer_init_frm_data(&tmp, w->pkt, w->pkt_len);
+                       dt_msg_send_outside_query(sq->outnet->dtenv, &sq->addr,
+                               &pend->pi->addr, comm_tcp, sq->zone,
+                               sq->zonelen, &tmp);
+               }
+#endif
        } else {
                /* queue up */
                /* waiting for a buffer on the outside network buffer wait
                 * list */
                verbose(VERB_CLIENT, "pending_tcp_query: queue to wait");
-               outnet_add_tcp_waiting(sq->outnet, w);
-       }
 #ifdef USE_DNSTAP
-       if(sq->outnet->dtenv &&
-          (sq->outnet->dtenv->log_resolver_query_messages ||
-           sq->outnet->dtenv->log_forwarder_query_messages))
-               dt_msg_send_outside_query(sq->outnet->dtenv, &sq->addr,
-                       comm_tcp, sq->zone, sq->zonelen, packet);
+               w->sq = sq;
 #endif
+               outnet_add_tcp_waiting(sq->outnet, w);
+       }
        return w;
 }
 
@@ -2348,6 +2549,9 @@ waiting_list_remove(struct outside_network* outnet, struct waiting_tcp* w)
                prev = p;
                p = p->next_waiting;
        }
+       /* waiting_list_remove is currently called only with items that are
+        * already in the waiting list. */
+       log_assert(0);
 }
 
 /** reuse tcp stream, remove serviced query from stream,
@@ -2386,7 +2590,7 @@ reuse_tcp_remove_serviced_keep(struct waiting_tcp* w,
                if(!reuse_tcp_insert(sq->outnet, pend_tcp)) {
                        return 0;
                }
-               reuse_tcp_setup_timeout(pend_tcp);
+               reuse_tcp_setup_timeout(pend_tcp, sq->outnet->tcp_reuse_timeout);
                return 1;
        }
        return 0;
@@ -2720,6 +2924,15 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
 {
        struct serviced_query* sq = (struct serviced_query*)arg;
        struct comm_reply r2;
+#ifdef USE_DNSTAP
+       struct waiting_tcp* w = (struct waiting_tcp*)sq->pending;
+       struct pending_tcp* pend_tcp = NULL;
+       struct port_if* pi = NULL;
+       if(!w->on_tcp_waiting_list && w->next_waiting) {
+               pend_tcp = (struct pending_tcp*)w->next_waiting;
+               pi = pend_tcp->pi;
+       }
+#endif
        sq->pending = NULL; /* removed after this callback */
        if(error != NETEVENT_NOERROR)
                log_addr(VERB_QUERY, "tcp error for address", 
@@ -2728,12 +2941,19 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
                infra_update_tcp_works(sq->outnet->infra, &sq->addr,
                        sq->addrlen, sq->zone, sq->zonelen);
 #ifdef USE_DNSTAP
-       if(error==NETEVENT_NOERROR && sq->outnet->dtenv &&
+       /*
+        * sending src (local service)/dst (upstream) addresses over DNSTAP
+        */
+       if(error==NETEVENT_NOERROR && pi && sq->outnet->dtenv &&
           (sq->outnet->dtenv->log_resolver_response_messages ||
-           sq->outnet->dtenv->log_forwarder_response_messages))
+           sq->outnet->dtenv->log_forwarder_response_messages)) {
+               log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen);
+               log_addr(VERB_ALGO, "to local addr", &pi->addr, pi->addrlen);
                dt_msg_send_outside_response(sq->outnet->dtenv, &sq->addr,
-               c->type, sq->zone, sq->zonelen, sq->qbuf, sq->qbuflen,
-               &sq->last_sent_time, sq->outnet->now_tv, c->buffer);
+                       &pi->addr, c->type, sq->zone, sq->zonelen, sq->qbuf,
+                       sq->qbuflen, &sq->last_sent_time, sq->outnet->now_tv,
+                       c->buffer);
+       }
 #endif
        if(error==NETEVENT_NOERROR && sq->status == serviced_query_TCP_EDNS &&
                (LDNS_RCODE_WIRE(sldns_buffer_begin(c->buffer)) == 
@@ -2804,7 +3024,7 @@ serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff)
                sq->status==serviced_query_TCP_EDNS?"EDNS":"");
        serviced_encode(sq, buff, sq->status == serviced_query_TCP_EDNS);
        sq->last_sent_time = *sq->outnet->now_tv;
-       sq->pending = pending_tcp_query(sq, buff, TCP_AUTH_QUERY_TIMEOUT,
+       sq->pending = pending_tcp_query(sq, buff, sq->outnet->tcp_auth_query_timeout,
                serviced_tcp_callback, sq);
        if(!sq->pending) {
                /* delete from tree so that a retry by above layer does not
@@ -2832,10 +3052,10 @@ serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff)
        sq->last_sent_time = *sq->outnet->now_tv;
        if(sq->tcp_upstream || sq->ssl_upstream) {
                timeout = rtt;
-               if(rtt >= UNKNOWN_SERVER_NICENESS && rtt < TCP_AUTH_QUERY_TIMEOUT)
-                       timeout = TCP_AUTH_QUERY_TIMEOUT;
+               if(rtt >= UNKNOWN_SERVER_NICENESS && rtt < sq->outnet->tcp_auth_query_timeout)
+                       timeout = sq->outnet->tcp_auth_query_timeout;
        } else {
-               timeout = TCP_AUTH_QUERY_TIMEOUT;
+               timeout = sq->outnet->tcp_auth_query_timeout;
        }
        sq->pending = pending_tcp_query(sq, buff, timeout,
                serviced_tcp_callback, sq);
@@ -2887,6 +3107,10 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
        struct serviced_query* sq = (struct serviced_query*)arg;
        struct outside_network* outnet = sq->outnet;
        struct timeval now = *sq->outnet->now_tv;
+#ifdef USE_DNSTAP
+       struct pending* p = (struct pending*)sq->pending;
+       struct port_if* pi = p->pc->pif;
+#endif
 
        sq->pending = NULL; /* removed after callback */
        if(error == NETEVENT_TIMEOUT) {
@@ -2924,12 +3148,18 @@ serviced_udp_callback(struct comm_point* c, void* arg, int error,
                return 0;
        }
 #ifdef USE_DNSTAP
+       /*
+        * sending src (local service)/dst (upstream) addresses over DNSTAP
+        */
        if(error == NETEVENT_NOERROR && outnet->dtenv &&
           (outnet->dtenv->log_resolver_response_messages ||
-           outnet->dtenv->log_forwarder_response_messages))
-               dt_msg_send_outside_response(outnet->dtenv, &sq->addr, c->type,
-               sq->zone, sq->zonelen, sq->qbuf, sq->qbuflen,
-               &sq->last_sent_time, sq->outnet->now_tv, c->buffer);
+           outnet->dtenv->log_forwarder_response_messages)) {
+               log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen);
+               log_addr(VERB_ALGO, "to local addr", &pi->addr, pi->addrlen);
+               dt_msg_send_outside_response(outnet->dtenv, &sq->addr, &pi->addr, c->type,
+                 sq->zone, sq->zonelen, sq->qbuf, sq->qbuflen,
+                 &sq->last_sent_time, sq->outnet->now_tv, c->buffer);
+       }
 #endif
        if( (sq->status == serviced_query_UDP_EDNS 
                ||sq->status == serviced_query_UDP_EDNS_FRAG)
@@ -3203,7 +3433,7 @@ outnet_comm_point_for_udp(struct outside_network* outnet,
                return NULL;
        }
        cp = comm_point_create_udp(outnet->base, fd, outnet->udp_buff,
-               cb, cb_arg);
+               cb, cb_arg, NULL);
        if(!cp) {
                log_err("malloc failure");
                close(fd);
@@ -3309,15 +3539,28 @@ outnet_comm_point_for_tcp(struct outside_network* outnet,
        return cp;
 }
 
+/** setup the User-Agent HTTP header based on http-user-agent configuration */
+static void
+setup_http_user_agent(sldns_buffer* buf, struct config_file* cfg)
+{
+       if(cfg->hide_http_user_agent) return;
+       if(cfg->http_user_agent==NULL || cfg->http_user_agent[0] == 0) {
+               sldns_buffer_printf(buf, "User-Agent: %s/%s\r\n", PACKAGE_NAME,
+                       PACKAGE_VERSION);
+       } else {
+               sldns_buffer_printf(buf, "User-Agent: %s\r\n", cfg->http_user_agent);
+       }
+}
+
 /** setup http request headers in buffer for sending query to destination */
 static int
-setup_http_request(sldns_buffer* buf, char* host, char* path)
+setup_http_request(sldns_buffer* buf, char* host, char* path,
+       struct config_file* cfg)
 {
        sldns_buffer_clear(buf);
        sldns_buffer_printf(buf, "GET /%s HTTP/1.1\r\n", path);
        sldns_buffer_printf(buf, "Host: %s\r\n", host);
-       sldns_buffer_printf(buf, "User-Agent: unbound/%s\r\n",
-               PACKAGE_VERSION);
+       setup_http_user_agent(buf, cfg);
        /* We do not really do multiple queries per connection,
         * but this header setting is also not needed.
         * sldns_buffer_printf(buf, "Connection: close\r\n") */
@@ -3333,7 +3576,7 @@ struct comm_point*
 outnet_comm_point_for_http(struct outside_network* outnet,
        comm_point_callback_type* cb, void* cb_arg,
        struct sockaddr_storage* to_addr, socklen_t to_addrlen, int timeout,
-       int ssl, char* host, char* path)
+       int ssl, char* host, char* path, struct config_file* cfg)
 {
        /* cp calls cb with err=NETEVENT_DONE when transfer is done */
        struct comm_point* cp;
@@ -3369,7 +3612,7 @@ outnet_comm_point_for_http(struct outside_network* outnet,
        comm_point_start_listening(cp, fd, timeout);
 
        /* setup http request in cp->buffer */
-       if(!setup_http_request(cp->buffer, host, path)) {
+       if(!setup_http_request(cp->buffer, host, path, cfg)) {
                log_err("error setting up http request");
                comm_point_delete(cp);
                return NULL;

diff --git a/sbin/unwind/libunbound/services/outside_network.h b/sbin/unwind/libunbound/services/outside_network.h
index fe287af..d0d532e 100644 (file)
--- a/sbin/unwind/libunbound/services/outside_network.h
+++ b/sbin/unwind/libunbound/services/outside_network.h
@@ -63,6 +63,7 @@ struct edns_option;
 struct module_env;
 struct module_qstate;
 struct query_info;
+struct config_file;
 
 /**
  * Send queries to outside servers and wait for answers from servers.
@@ -158,6 +159,12 @@ struct outside_network {
        size_t num_tcp;
        /** number of tcp communication points in use. */
        size_t num_tcp_outgoing;
+       /** max number of queries on a reuse connection */
+       size_t max_reuse_tcp_queries;
+       /** timeout for REUSE entries in milliseconds. */
+       int tcp_reuse_timeout;
+       /** timeout in milliseconds for TCP queries to auth servers. */
+       int tcp_auth_query_timeout;
        /**
         * tree of still-open and waiting tcp connections for reuse.
         * can be closed and reopened to get a new tcp connection.
@@ -295,11 +302,6 @@ struct reuse_tcp {
        struct outside_network* outnet;
 };
 
-/** max number of queries on a reuse connection */
-#define MAX_REUSE_TCP_QUERIES 200
-/** timeout for REUSE entries in milliseconds. */
-#define REUSE_TIMEOUT 60000
-
 /**
  * A query that has an answer pending for it.
  */
@@ -344,6 +346,8 @@ struct pending {
 struct pending_tcp {
        /** next in list of free tcp comm points, or NULL. */
        struct pending_tcp* next_free;
+       /** port for of the outgoing interface that is used */
+       struct port_if* pi;
        /** tcp comm point it was sent on (and reply must come back on). */
        struct comm_point* c;
        /** the query being serviced, NULL if the pending_tcp is unused. */
@@ -408,6 +412,10 @@ struct waiting_tcp {
        char* tls_auth_name;
        /** the packet was involved in an error, to stop looping errors */
        int error_count;
+#ifdef USE_DNSTAP
+       /** serviced query pointer for dnstap to get logging info, if nonNULL*/
+       struct serviced_query* sq;
+#endif
 };
 
 /**
@@ -534,6 +542,9 @@ struct serviced_query {
  * @param tls_use_sni: if SNI is used for TLS connections.
  * @param dtenv: environment to send dnstap events with (if enabled).
  * @param udp_connect: if the udp_connect option is enabled.
+ * @param max_reuse_tcp_queries: max number of queries on a reuse connection.
+ * @param tcp_reuse_timeout: timeout for REUSE entries in milliseconds.
+ * @param tcp_auth_query_timeout: timeout in milliseconds for TCP queries to auth servers.
  * @return: the new structure (with no pending answers) or NULL on error.
  */
 struct outside_network* outside_network_create(struct comm_base* base,
@@ -543,7 +554,8 @@ struct outside_network* outside_network_create(struct comm_base* base,
        int numavailports, size_t unwanted_threshold, int tcp_mss,
        void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
        void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv,
-       int udp_connect);
+       int udp_connect, int max_reuse_tcp_queries, int tcp_reuse_timeout,
+       int tcp_auth_query_timeout);
 
 /**
  * Delete outside_network structure.
@@ -670,12 +682,28 @@ struct waiting_tcp* reuse_tcp_by_id_find(struct reuse_tcp* reuse, uint16_t id);
 /** insert element in tree by id */
 void reuse_tree_by_id_insert(struct reuse_tcp* reuse, struct waiting_tcp* w);
 
+/** insert element in tcp_reuse tree and LRU list */
+int reuse_tcp_insert(struct outside_network* outnet,
+       struct pending_tcp* pend_tcp);
+
+/** touch the LRU of the element */
+void reuse_tcp_lru_touch(struct outside_network* outnet,
+       struct reuse_tcp* reuse);
+
+/** remove element from tree and LRU list */
+void reuse_tcp_remove_tree_list(struct outside_network* outnet,
+       struct reuse_tcp* reuse);
+
+/** snip the last reuse_tcp element off of the LRU list if any */
+struct reuse_tcp* reuse_tcp_lru_snip(struct outside_network* outnet);
+
 /** delete readwait waiting_tcp elements, deletes the elements in the list */
 void reuse_del_readwait(rbtree_type* tree_by_id);
 
 /** get TCP file descriptor for address, returns -1 on failure,
  * tcp_mss is 0 or maxseg size to set for TCP packets. */
-int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, int tcp_mss, int dscp);
+int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen,
+       int tcp_mss, int dscp);
 
 /**
  * Create udp commpoint suitable for sending packets to the destination.
@@ -729,12 +757,13 @@ struct comm_point* outnet_comm_point_for_tcp(struct outside_network* outnet,
  * @param ssl: set to true for https.
  * @param host: hostname to use for the destination. part of http request.
  * @param path: pathname to lookup, eg. name of the file on the destination.
+ * @param cfg: running configuration for User-Agent setup.
  * @return http_out commpoint, or NULL.
  */
 struct comm_point* outnet_comm_point_for_http(struct outside_network* outnet,
        comm_point_callback_type* cb, void* cb_arg,
        struct sockaddr_storage* to_addr, socklen_t to_addrlen, int timeout,
-       int ssl, char* host, char* path);
+       int ssl, char* host, char* path, struct config_file* cfg);
 
 /** connect tcp connection to addr, 0 on failure */
 int outnet_tcp_connect(int s, struct sockaddr_storage* addr, socklen_t addrlen);

diff --git a/sbin/unwind/libunbound/services/rpz.c b/sbin/unwind/libunbound/services/rpz.c
index 2b6b0ac..3a1ec00 100644 (file)
--- a/sbin/unwind/libunbound/services/rpz.c
+++ b/sbin/unwind/libunbound/services/rpz.c
@@ -162,6 +162,7 @@ rpz_rr_to_action(uint16_t rr_type, uint8_t* rdatawl, size_t rdatalen)
                case LDNS_RR_TYPE_RRSIG:
                case LDNS_RR_TYPE_NSEC:
                case LDNS_RR_TYPE_NSEC3:
+               case LDNS_RR_TYPE_NSEC3PARAM:
                        return RPZ_INVALID_ACTION;
                case LDNS_RR_TYPE_CNAME:
                        break;
@@ -479,8 +480,21 @@ rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
        int newzone = 0;
 
        if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION) {
-               verbose(VERB_ALGO, "RPZ: skipping unsupported action: %s",
-                       rpz_action_to_string(a));
+               char str[255+1];
+               if(rrtype == LDNS_RR_TYPE_SOA || rrtype == LDNS_RR_TYPE_NS ||
+                       rrtype == LDNS_RR_TYPE_DNAME ||
+                       rrtype == LDNS_RR_TYPE_DNSKEY ||
+                       rrtype == LDNS_RR_TYPE_RRSIG ||
+                       rrtype == LDNS_RR_TYPE_NSEC ||
+                       rrtype == LDNS_RR_TYPE_NSEC3PARAM ||
+                       rrtype == LDNS_RR_TYPE_NSEC3 ||
+                       rrtype == LDNS_RR_TYPE_DS) {
+                       free(dname);
+                       return; /* no need to log these types as unsupported */
+               }
+               dname_str(dname, str);
+               verbose(VERB_ALGO, "RPZ: qname trigger, %s skipping unsupported action: %s",
+                       str, rpz_action_to_string(a));
                free(dname);
                return;
        }
@@ -552,8 +566,10 @@ rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
 
        if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION ||
                respa == respip_invalid) {
-               verbose(VERB_ALGO, "RPZ: skipping unsupported action: %s",
-                       rpz_action_to_string(a));
+               char str[255+1];
+               dname_str(dname, str);
+               verbose(VERB_ALGO, "RPZ: respip trigger, %s skipping unsupported action: %s",
+                       str, rpz_action_to_string(a));
                return 0;
        }
 
@@ -702,7 +718,7 @@ rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass,
         * zone match, append '*' to that and do another lookup. */
 
        ce = dname_get_shared_topdomain(z->name, qname);
-       if(!ce /* should not happen */ || !*ce /* root */) {
+       if(!ce /* should not happen */) {
                lock_rw_unlock(&z->lock);
                if(zones_keep_lock) {
                        lock_rw_unlock(&r->local_zones->lock);

diff --git a/sbin/unwind/libunbound/sldns/keyraw.c b/sbin/unwind/libunbound/sldns/keyraw.c
index 2ec225b..b1e60d8 100644 (file)
--- a/sbin/unwind/libunbound/sldns/keyraw.c
+++ b/sbin/unwind/libunbound/sldns/keyraw.c
@@ -26,11 +26,15 @@
 #ifdef HAVE_OPENSSL_BN_H
 #include <openssl/bn.h>
 #endif
-#ifdef HAVE_OPENSSL_RSA_H
-#include <openssl/rsa.h>
-#endif
-#ifdef HAVE_OPENSSL_DSA_H
-#include <openssl/dsa.h>
+#ifdef HAVE_OPENSSL_PARAM_BUILD_H
+#  include <openssl/param_build.h>
+#else
+#  ifdef HAVE_OPENSSL_RSA_H
+#  include <openssl/rsa.h>
+#  endif
+#  ifdef HAVE_OPENSSL_DSA_H
+#  include <openssl/dsa.h>
+#  endif
 #endif
 #endif /* HAVE_SSL */
 
@@ -191,45 +195,59 @@ void sldns_key_EVP_unload_gost(void)
 }
 #endif /* USE_GOST */
 
-DSA *
-sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
+/* Retrieve params as BIGNUM from raw buffer */
+static int
+sldns_key_dsa_buf_bignum(unsigned char* key, size_t len, BIGNUM** p,
+       BIGNUM** q, BIGNUM** g, BIGNUM** y)
 {
        uint8_t T;
        uint16_t length;
        uint16_t offset;
-       DSA *dsa;
-       BIGNUM *Q; BIGNUM *P;
-       BIGNUM *G; BIGNUM *Y;
 
        if(len == 0)
-               return NULL;
+               return 0;
        T = (uint8_t)key[0];
        length = (64 + T * 8);
        offset = 1;
 
        if (T > 8) {
-               return NULL;
+               return 0;
        }
        if(len < (size_t)1 + SHA_DIGEST_LENGTH + 3*length)
-               return NULL;
+               return 0;
 
-       Q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
+       *q = BN_bin2bn(key+offset, SHA_DIGEST_LENGTH, NULL);
        offset += SHA_DIGEST_LENGTH;
 
-       P = BN_bin2bn(key+offset, (int)length, NULL);
+       *p = BN_bin2bn(key+offset, (int)length, NULL);
        offset += length;
 
-       G = BN_bin2bn(key+offset, (int)length, NULL);
+       *g = BN_bin2bn(key+offset, (int)length, NULL);
        offset += length;
 
-       Y = BN_bin2bn(key+offset, (int)length, NULL);
+       *y = BN_bin2bn(key+offset, (int)length, NULL);
+
+       if(!*q || !*p || !*g || !*y) {
+               BN_free(*q);
+               BN_free(*p);
+               BN_free(*g);
+               BN_free(*y);
+               return 0;
+       }
+       return 1;
+}
 
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
+DSA *
+sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
+{
+       DSA *dsa;
+       BIGNUM *Q=NULL, *P=NULL, *G=NULL, *Y=NULL;
+       if(!sldns_key_dsa_buf_bignum(key, len, &P, &Q, &G, &Y)) {
+               return NULL;
+       }
        /* create the key and set its properties */
-       if(!Q || !P || !G || !Y || !(dsa = DSA_new())) {
-               BN_free(Q);
-               BN_free(P);
-               BN_free(G);
-               BN_free(Y);
+       if(!(dsa = DSA_new())) {
                return NULL;
        }
 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
@@ -261,22 +279,111 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 
        return dsa;
 }
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
 
-RSA *
-sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
+EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len)
+{
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+       EVP_PKEY* evp_key = NULL;
+       EVP_PKEY_CTX* ctx;
+       BIGNUM *p=NULL, *q=NULL, *g=NULL, *y=NULL;
+       OSSL_PARAM_BLD* param_bld;
+       OSSL_PARAM* params = NULL;
+       if(!sldns_key_dsa_buf_bignum(key, len, &p, &q, &g, &y)) {
+               return NULL;
+       }
+
+       param_bld = OSSL_PARAM_BLD_new();
+       if(!param_bld) {
+               BN_free(p);
+               BN_free(q);
+               BN_free(g);
+               BN_free(y);
+               return NULL;
+       }
+       if(!OSSL_PARAM_BLD_push_BN(param_bld, "p", p) ||
+          !OSSL_PARAM_BLD_push_BN(param_bld, "g", g) ||
+          !OSSL_PARAM_BLD_push_BN(param_bld, "q", q) ||
+          !OSSL_PARAM_BLD_push_BN(param_bld, "pub", y)) {
+               OSSL_PARAM_BLD_free(param_bld);
+               BN_free(p);
+               BN_free(q);
+               BN_free(g);
+               BN_free(y);
+               return NULL;
+       }
+       params = OSSL_PARAM_BLD_to_param(param_bld);
+       OSSL_PARAM_BLD_free(param_bld);
+
+       ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+       if(!ctx) {
+               OSSL_PARAM_free(params);
+               BN_free(p);
+               BN_free(q);
+               BN_free(g);
+               BN_free(y);
+               return NULL;
+       }
+       if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+               EVP_PKEY_CTX_free(ctx);
+               OSSL_PARAM_free(params);
+               BN_free(p);
+               BN_free(q);
+               BN_free(g);
+               BN_free(y);
+               return NULL;
+       }
+       if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+               EVP_PKEY_CTX_free(ctx);
+               OSSL_PARAM_free(params);
+               BN_free(p);
+               BN_free(q);
+               BN_free(g);
+               BN_free(y);
+               return NULL;
+       }
+
+       EVP_PKEY_CTX_free(ctx);
+       OSSL_PARAM_free(params);
+       BN_free(p);
+       BN_free(q);
+       BN_free(g);
+       BN_free(y);
+       return evp_key;
+#else
+       DSA* dsa;
+       EVP_PKEY* evp_key = EVP_PKEY_new();
+       if(!evp_key) {
+               return NULL;
+       }
+       dsa = sldns_key_buf2dsa_raw(key, len);
+       if(!dsa) {
+               EVP_PKEY_free(evp_key);
+               return NULL;
+       }
+       if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) {
+               DSA_free(dsa);
+               EVP_PKEY_free(evp_key);
+               return NULL;
+       }
+       return evp_key;
+#endif
+}
+
+/* Retrieve params as BIGNUM from raw buffer, n is modulus, e is exponent */
+static int
+sldns_key_rsa_buf_bignum(unsigned char* key, size_t len, BIGNUM** n,
+       BIGNUM** e)
 {
        uint16_t offset;
        uint16_t exp;
        uint16_t int16;
-       RSA *rsa;
-       BIGNUM *modulus;
-       BIGNUM *exponent;
 
        if (len == 0)
-               return NULL;
+               return 0;
        if (key[0] == 0) {
                if(len < 3)
-                       return NULL;
+                       return 0;
                memmove(&int16, key+1, 2);
                exp = ntohs(int16);
                offset = 3;
@@ -287,23 +394,34 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 
        /* key length at least one */
        if(len < (size_t)offset + exp + 1)
-               return NULL;
+               return 0;
 
        /* Exponent */
-       exponent = BN_new();
-       if(!exponent) return NULL;
-       (void) BN_bin2bn(key+offset, (int)exp, exponent);
+       *e = BN_new();
+       if(!*e) return 0;
+       (void) BN_bin2bn(key+offset, (int)exp, *e);
        offset += exp;
 
        /* Modulus */
-       modulus = BN_new();
-       if(!modulus) {
-               BN_free(exponent);
-               return NULL;
+       *n = BN_new();
+       if(!*n) {
+               BN_free(*e);
+               return 0;
        }
        /* length of the buffer must match the key length! */
-       (void) BN_bin2bn(key+offset, (int)(len - offset), modulus);
+       (void) BN_bin2bn(key+offset, (int)(len - offset), *n);
+       return 1;
+}
 
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
+RSA *
+sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
+{
+       BIGNUM* modulus = NULL;
+       BIGNUM* exponent = NULL;
+       RSA *rsa;
+       if(!sldns_key_rsa_buf_bignum(key, len, &modulus, &exponent))
+               return NULL;
        rsa = RSA_new();
        if(!rsa) {
                BN_free(exponent);
@@ -327,6 +445,88 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 
        return rsa;
 }
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
+
+EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len)
+{
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+       EVP_PKEY* evp_key = NULL;
+       EVP_PKEY_CTX* ctx;
+       BIGNUM *n=NULL, *e=NULL;
+       OSSL_PARAM_BLD* param_bld;
+       OSSL_PARAM* params = NULL;
+
+       if(!sldns_key_rsa_buf_bignum(key, len, &n, &e)) {
+               return NULL;
+       }
+
+       param_bld = OSSL_PARAM_BLD_new();
+       if(!param_bld) {
+               BN_free(n);
+               BN_free(e);
+               return NULL;
+       }
+       if(!OSSL_PARAM_BLD_push_BN(param_bld, "n", n)) {
+               OSSL_PARAM_BLD_free(param_bld);
+               BN_free(n);
+               BN_free(e);
+               return NULL;
+       }
+       if(!OSSL_PARAM_BLD_push_BN(param_bld, "e", e)) {
+               OSSL_PARAM_BLD_free(param_bld);
+               BN_free(n);
+               BN_free(e);
+               return NULL;
+       }
+       params = OSSL_PARAM_BLD_to_param(param_bld);
+       OSSL_PARAM_BLD_free(param_bld);
+
+       ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+       if(!ctx) {
+               OSSL_PARAM_free(params);
+               BN_free(n);
+               BN_free(e);
+               return NULL;
+       }
+       if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+               EVP_PKEY_CTX_free(ctx);
+               OSSL_PARAM_free(params);
+               BN_free(n);
+               BN_free(e);
+               return NULL;
+       }
+       if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+               EVP_PKEY_CTX_free(ctx);
+               OSSL_PARAM_free(params);
+               BN_free(n);
+               BN_free(e);
+               return NULL;
+       }
+
+       EVP_PKEY_CTX_free(ctx);
+       OSSL_PARAM_free(params);
+       BN_free(n);
+       BN_free(e);
+       return evp_key;
+#else
+       RSA* rsa;
+       EVP_PKEY *evp_key = EVP_PKEY_new();
+       if(!evp_key) {
+               return NULL;
+       }
+       rsa = sldns_key_buf2rsa_raw(key, len);
+       if(!rsa) {
+               EVP_PKEY_free(evp_key);
+               return NULL;
+       }
+       if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
+               RSA_free(rsa);
+               EVP_PKEY_free(evp_key);
+               return NULL;
+       }
+       return evp_key;
+#endif
+}
 
 #ifdef USE_GOST
 EVP_PKEY*
@@ -357,6 +557,62 @@ sldns_gost2pkey_raw(unsigned char* key, size_t keylen)
 EVP_PKEY*
 sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
 {
+#ifdef HAVE_OSSL_PARAM_BLD_NEW
+       unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
+       EVP_PKEY *evp_key = NULL;
+       EVP_PKEY_CTX* ctx;
+       OSSL_PARAM_BLD* param_bld;
+       OSSL_PARAM* params = NULL;
+       char* group = NULL;
+
+       /* check length, which uncompressed must be 2 bignums */
+       if(algo == LDNS_ECDSAP256SHA256) {
+               if(keylen != 2*256/8) return NULL;
+               group = "prime256v1";
+       } else if(algo == LDNS_ECDSAP384SHA384) {
+               if(keylen != 2*384/8) return NULL;
+               group = "P-384";
+       } else {
+               return NULL;
+       }
+       if(keylen+1 > sizeof(buf)) { /* sanity check */
+               return NULL;
+       }
+       /* prepend the 0x04 for uncompressed format */
+       buf[0] = POINT_CONVERSION_UNCOMPRESSED;
+       memmove(buf+1, key, keylen);
+
+       param_bld = OSSL_PARAM_BLD_new();
+       if(!param_bld) {
+               return NULL;
+       }
+       if(!OSSL_PARAM_BLD_push_utf8_string(param_bld, "group", group, 0) ||
+          !OSSL_PARAM_BLD_push_octet_string(param_bld, "pub", buf, keylen+1)) {
+               OSSL_PARAM_BLD_free(param_bld);
+               return NULL;
+       }
+       params = OSSL_PARAM_BLD_to_param(param_bld);
+       OSSL_PARAM_BLD_free(param_bld);
+
+       ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
+       if(!ctx) {
+               OSSL_PARAM_free(params);
+               return NULL;
+       }
+       if(EVP_PKEY_fromdata_init(ctx) <= 0) {
+               EVP_PKEY_CTX_free(ctx);
+               OSSL_PARAM_free(params);
+               return NULL;
+       }
+       if(EVP_PKEY_fromdata(ctx, &evp_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
+               EVP_PKEY_CTX_free(ctx);
+               OSSL_PARAM_free(params);
+               return NULL;
+       }
+       EVP_PKEY_CTX_free(ctx);
+       OSSL_PARAM_free(params);
+       return evp_key;
+#else
        unsigned char buf[256+2]; /* sufficient for 2*384/8+1 */
         const unsigned char* pp = buf;
         EVP_PKEY *evp_key;
@@ -393,6 +649,7 @@ sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo)
                return NULL;
        }
         return evp_key;
+#endif /* HAVE_OSSL_PARAM_BLD_NEW */
 }
 #endif /* USE_ECDSA */
 

diff --git a/sbin/unwind/libunbound/sldns/keyraw.h b/sbin/unwind/libunbound/sldns/keyraw.h
index 989b02c..b1f1974 100644 (file)
--- a/sbin/unwind/libunbound/sldns/keyraw.h
+++ b/sbin/unwind/libunbound/sldns/keyraw.h
@@ -57,6 +57,7 @@ int sldns_key_EVP_load_gost_id(void);
 /** Release the engine reference held for the GOST engine. */
 void sldns_key_EVP_unload_gost(void);
 
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
 /**
  * Like sldns_key_buf2dsa, but uses raw buffer.
  * \param[in] key the uncompressed wireformat of the key.
@@ -64,6 +65,15 @@ void sldns_key_EVP_unload_gost(void);
  * \return a DSA * structure with the key material
  */
 DSA *sldns_key_buf2dsa_raw(unsigned char* key, size_t len);
+#endif
+
+/**
+ * Converts a holding buffer with DSA key material to EVP PKEY in openssl.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len);
 
 /**
  * Converts a holding buffer with key material to EVP PKEY in openssl.
@@ -84,6 +94,7 @@ EVP_PKEY* sldns_gost2pkey_raw(unsigned char* key, size_t keylen);
  */
 EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
 
+#ifndef HAVE_OSSL_PARAM_BLD_NEW
 /**
  * Like sldns_key_buf2rsa, but uses raw buffer.
  * \param[in] key the uncompressed wireformat of the key.
@@ -91,6 +102,15 @@ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
  * \return a RSA * structure with the key material
  */
 RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len);
+#endif
+
+/**
+ * Converts a holding buffer with RSA key material to EVP PKEY in openssl.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len);
 
 /**
  * Converts a holding buffer with key material to EVP PKEY in openssl.

diff --git a/sbin/unwind/libunbound/sldns/parse.c b/sbin/unwind/libunbound/sldns/parse.c
index f4de860..491c8f5 100644 (file)
--- a/sbin/unwind/libunbound/sldns/parse.c
+++ b/sbin/unwind/libunbound/sldns/parse.c
@@ -149,6 +149,9 @@ sldns_fget_token_l(FILE *f, char *token, const char *delim, size_t limit, int *l
                if (c != '\0' && c != '\n') {
                        *t++ = c;
                }
+               if (c == '\n' && line_nr) {
+                       *line_nr = *line_nr + 1;
+               }
                if (c == '\\' && prev_c == '\\')
                        prev_c = 0;
                else    prev_c = c;

diff --git a/sbin/unwind/libunbound/sldns/parse.h b/sbin/unwind/libunbound/sldns/parse.h
index 44236bf..fa8f51a 100644 (file)
--- a/sbin/unwind/libunbound/sldns/parse.h
+++ b/sbin/unwind/libunbound/sldns/parse.h
@@ -153,7 +153,6 @@ int sldns_bgetc(struct sldns_buffer *buffer);
  * the position to the first character that is not in *s.
  * \param[in] *buffer buffer to use
  * \param[in] *s characters to skip
- * \return void
  */
 void sldns_bskipcs(struct sldns_buffer *buffer, const char *s);
 
@@ -162,7 +161,6 @@ void sldns_bskipcs(struct sldns_buffer *buffer, const char *s);
  * the position to the first character that is not in *s.
  * \param[in] *fp file to use
  * \param[in] *s characters to skip
- * \return void
  */
 void sldns_fskipcs(FILE *fp, const char *s);
 
@@ -173,7 +171,6 @@ void sldns_fskipcs(FILE *fp, const char *s);
  * \param[in] *fp file to use
  * \param[in] *s characters to skip
  * \param[in] line_nr pointer to an integer containing the current line number (for debugging purposes)
- * \return void
  */
 void sldns_fskipcs_l(FILE *fp, const char *s, int *line_nr);
 

diff --git a/sbin/unwind/libunbound/sldns/parseutil.c b/sbin/unwind/libunbound/sldns/parseutil.c
index 9f289d3..ba71df5 100644 (file)
--- a/sbin/unwind/libunbound/sldns/parseutil.c
+++ b/sbin/unwind/libunbound/sldns/parseutil.c
@@ -790,3 +790,18 @@ int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
        }
        return sldns_b64_pton_base(src, srcsize, target, targsize, 1);
 }
+
+int sldns_b64_contains_nonurl(char const *src, size_t srcsize)
+{
+       const char* s = src;
+       while(*s && srcsize) {
+               char d = *s++;
+               srcsize--;
+               /* the '+' and the '/' and padding '=' is not allowed in b64
+                * url encoding */
+               if(d == '+' || d == '/' || d == '=') {
+                       return 1;
+               }
+       }
+       return 0;
+}

diff --git a/sbin/unwind/libunbound/sldns/parseutil.h b/sbin/unwind/libunbound/sldns/parseutil.h
index 7eb2331..74d7c72 100644 (file)
--- a/sbin/unwind/libunbound/sldns/parseutil.h
+++ b/sbin/unwind/libunbound/sldns/parseutil.h
@@ -102,6 +102,7 @@ size_t sldns_b64_pton_calculate_size(size_t srcsize);
 int sldns_b64_pton(char const *src, uint8_t *target, size_t targsize);
 int sldns_b64url_pton(char const *src, size_t srcsize, uint8_t *target,
        size_t targsize);
+int sldns_b64_contains_nonurl(char const *src, size_t srcsize);
 
 /**
  * calculates the size needed to store the result of b32_ntop

diff --git a/sbin/unwind/libunbound/sldns/rrdef.c b/sbin/unwind/libunbound/sldns/rrdef.c
index 0af015f..fe5c8e1 100644 (file)
--- a/sbin/unwind/libunbound/sldns/rrdef.c
+++ b/sbin/unwind/libunbound/sldns/rrdef.c
@@ -150,6 +150,12 @@ static const sldns_rdf_type type_openpgpkey_wireformat[] = {
 static const sldns_rdf_type type_csync_wireformat[] = {
        LDNS_RDF_TYPE_INT32, LDNS_RDF_TYPE_INT16, LDNS_RDF_TYPE_NSEC
 };
+static const sldns_rdf_type type_zonemd_wireformat[] = {
+       LDNS_RDF_TYPE_INT32, LDNS_RDF_TYPE_INT8, LDNS_RDF_TYPE_INT8, LDNS_RDF_TYPE_HEX
+};
+static const sldns_rdf_type type_svcb_wireformat[] = {
+       LDNS_RDF_TYPE_INT16, LDNS_RDF_TYPE_DNAME
+};
 /* nsec3 is some vars, followed by same type of data of nsec */
 static const sldns_rdf_type type_nsec3_wireformat[] = {
 /*     LDNS_RDF_TYPE_NSEC3_VARS, LDNS_RDF_TYPE_NSEC3_NEXT_OWNER, LDNS_RDF_TYPE_NSEC*/
@@ -372,9 +378,12 @@ static sldns_rr_descriptor rdata_field_descriptors[] = {
 {LDNS_RR_TYPE_OPENPGPKEY, "OPENPGPKEY", 1, 1, type_openpgpkey_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
        /* 62 */
        {LDNS_RR_TYPE_CSYNC, "CSYNC", 3, 3, type_csync_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
-{(enum sldns_enum_rr_type)0, "TYPE63", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
-{(enum sldns_enum_rr_type)0, "TYPE64", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
-{(enum sldns_enum_rr_type)0, "TYPE65", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+       /* 63 */
+       {LDNS_RR_TYPE_ZONEMD, "ZONEMD", 4, 4, type_zonemd_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
+       /* 64 */
+       {LDNS_RR_TYPE_SVCB, "SVCB", 2, 2, type_svcb_wireformat, LDNS_RDF_TYPE_SVCPARAM, LDNS_RR_NO_COMPRESS, 0 },
+       /* 65 */
+       {LDNS_RR_TYPE_HTTPS, "HTTPS", 2, 2, type_svcb_wireformat, LDNS_RDF_TYPE_SVCPARAM, LDNS_RR_NO_COMPRESS, 0 },
 {(enum sldns_enum_rr_type)0, "TYPE66", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
 {(enum sldns_enum_rr_type)0, "TYPE67", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
 {(enum sldns_enum_rr_type)0, "TYPE68", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },

diff --git a/sbin/unwind/libunbound/sldns/rrdef.h b/sbin/unwind/libunbound/sldns/rrdef.h
index e084f35..42d5de0 100644 (file)
--- a/sbin/unwind/libunbound/sldns/rrdef.h
+++ b/sbin/unwind/libunbound/sldns/rrdef.h
@@ -195,6 +195,9 @@ enum sldns_enum_rr_type
        LDNS_RR_TYPE_CDNSKEY = 60, /** RFC 7344 */
        LDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */
        LDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */
+       LDNS_RR_TYPE_ZONEMD = 63, /* draft-ietf-dnsop-dns-zone-digest-12 */
+    LDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */
+    LDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */
 
        LDNS_RR_TYPE_SPF = 99, /* RFC 4408 */
 
@@ -352,8 +355,13 @@ enum sldns_enum_rdf_type
        /** TSIG extended 16bit error value */
        LDNS_RDF_TYPE_TSIGERROR,
 
+       /* draft-ietf-dnsop-svcb-https-05:
+        * each SvcParam consisting of a SvcParamKey=SvcParamValue pair or
+        * a standalone SvcParamKey */
+       LDNS_RDF_TYPE_SVCPARAM,
+
         /* Aliases */
-        LDNS_RDF_TYPE_BITMAP = LDNS_RDF_TYPE_NSEC
+        LDNS_RDF_TYPE_BITMAP = LDNS_RDF_TYPE_NSEC,
 };
 typedef enum sldns_enum_rdf_type sldns_rdf_type;
 

diff --git a/sbin/unwind/libunbound/sldns/sbuffer.h b/sbin/unwind/libunbound/sldns/sbuffer.h
index 5dbe988..1b7fe37 100644 (file)
--- a/sbin/unwind/libunbound/sldns/sbuffer.h
+++ b/sbin/unwind/libunbound/sldns/sbuffer.h
@@ -202,7 +202,6 @@ INLINE void sldns_buffer_clear(sldns_buffer *buffer)
  * the position is set to 0.
  *
  * \param[in] buffer the buffer to flip
- * \return void
  */
 INLINE void sldns_buffer_flip(sldns_buffer *buffer)
 {
@@ -732,7 +731,6 @@ int sldns_buffer_printf(sldns_buffer *buffer, const char *format, ...)
 /**
  * frees the buffer.
  * \param[in] *buffer the buffer to be freed
- * \return void
  */
 void sldns_buffer_free(sldns_buffer *buffer);
 

diff --git a/sbin/unwind/libunbound/sldns/str2wire.c b/sbin/unwind/libunbound/sldns/str2wire.c
index 977cda2..fbd615c 100644 (file)
--- a/sbin/unwind/libunbound/sldns/str2wire.c
+++ b/sbin/unwind/libunbound/sldns/str2wire.c
@@ -29,7 +29,6 @@
 #define RET_ERR(e, off) ((int)((e)|((off)<<LDNS_WIREPARSE_SHIFT)))
 /** Move parse error but keep its ID */
 #define RET_ERR_SHIFT(e, move) RET_ERR(LDNS_WIREPARSE_ERROR(e), LDNS_WIREPARSE_OFFSET(e)+(move));
-#define LDNS_IP6ADDRLEN      (128/8)
 
 /*
  * No special care is taken, all dots are translated into
@@ -615,6 +614,122 @@ sldns_affix_token(sldns_buffer* strbuf, char* token, size_t* token_len,
        return 1;
 }
 
+static int sldns_str2wire_svcparam_key_cmp(const void *a, const void *b)
+{
+       return sldns_read_uint16(*(uint8_t**) a)
+            - sldns_read_uint16(*(uint8_t**) b);
+}
+
+/**
+ * Add constraints to the SVCB RRs which involve the whole set
+ */
+static int sldns_str2wire_check_svcbparams(uint8_t* rdata, uint16_t rdata_len)
+{
+       size_t   nparams = 0, i;
+       uint8_t  new_rdata[LDNS_MAX_RDFLEN];
+       uint8_t* new_rdata_ptr = new_rdata;
+       uint8_t* svcparams[MAX_NUMBER_OF_SVCPARAMS];
+       uint8_t* rdata_ptr = rdata;
+       uint16_t rdata_remaining = rdata_len;
+
+       /* find the SvcParams */
+       while (rdata_remaining) {
+               uint16_t svcbparam_len;
+
+               svcparams[nparams] = rdata_ptr;
+               if (rdata_remaining < 4)
+                       return LDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA;
+               svcbparam_len = sldns_read_uint16(rdata_ptr + 2);
+               rdata_remaining -= 4;
+               rdata_ptr += 4;
+
+               if (rdata_remaining < svcbparam_len)
+                       return LDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA;
+               rdata_remaining -= svcbparam_len;
+               rdata_ptr += svcbparam_len;
+
+               nparams += 1;
+               if (nparams >= MAX_NUMBER_OF_SVCPARAMS)
+                       return LDNS_WIREPARSE_ERR_SVCB_TOO_MANY_PARAMS;
+       }
+
+       /* In draft-ietf-dnsop-svcb-https-06 Section 7:
+        *
+        *     In wire format, the keys are represented by their numeric
+        *     values in network byte order, concatenated in ascending order.
+        */
+       qsort((void *)svcparams
+            ,nparams
+            ,sizeof(uint8_t*)
+            ,sldns_str2wire_svcparam_key_cmp);
+
+
+       /* The code below revolves around sematic errors in the SVCParam set.
+        * So long as we do not distinguish between running Unbound as a primary
+        * or as a secondary, we default to secondary behavior and we ignore the
+        * sematic errors. */
+
+#ifdef SVCB_SEMANTIC_ERRORS
+       {
+               uint8_t* mandatory = NULL;
+               /* In draft-ietf-dnsop-svcb-https-06 Section 7:
+                *
+                *     Keys (...) MUST NOT appear more than once.
+                *
+                * If they key has already been seen, we have a duplicate
+                */
+               for(i=0; i < nparams; i++) {
+                       uint16_t key = sldns_read_uint16(svcparams[i]);
+                       if(i + 1 < nparams && key == sldns_read_uint16(svcparams[i+1]))
+                               return LDNS_WIREPARSE_ERR_SVCB_DUPLICATE_KEYS;
+                       if(key == SVCB_KEY_MANDATORY)
+                               mandatory = svcparams[i];
+               }
+
+               /* 4. verify that all the SvcParamKeys in mandatory are present */
+               if(mandatory) {
+                       /* Divide by sizeof(uint16_t)*/
+                       uint16_t mandatory_nkeys = sldns_read_uint16(mandatory + 2) / sizeof(uint16_t);
+
+                       /* Guaranteed by sldns_str2wire_svcparam_key_value */
+                       assert(mandatory_nkeys > 0);
+
+                       for(i=0; i < mandatory_nkeys; i++) {
+                               uint16_t mandatory_key = sldns_read_uint16(
+                                       mandatory
+                                       + 2 * sizeof(uint16_t)
+                                       + i * sizeof(uint16_t));
+                               uint8_t found = 0;
+                               size_t j;
+
+                               for(j=0; j < nparams; j++) {
+                                       if(mandatory_key == sldns_read_uint16(svcparams[j])) {
+                                               found = 1;
+                                               break;
+                                       }
+                               }
+
+                               if(!found)
+                                       return LDNS_WIREPARSE_ERR_SVCB_MANDATORY_MISSING_PARAM;
+                       }
+               }
+       }
+#endif
+       /* Write rdata in correct order */
+       for (i = 0; i < nparams; i++) {
+               uint16_t svcparam_len = sldns_read_uint16(svcparams[i] + 2)
+                                     + 2 * sizeof(uint16_t);
+
+               if ((unsigned)(new_rdata_ptr - new_rdata) + svcparam_len > sizeof(new_rdata))
+                       return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+
+               memcpy(new_rdata_ptr, svcparams[i], svcparam_len);
+               new_rdata_ptr += svcparam_len;
+       }
+       memcpy(rdata, new_rdata, rdata_len);
+       return LDNS_WIREPARSE_ERR_OK;
+}
+
 /** parse rdata from string into rr buffer(-remainder after dname). */
 static int
 rrinternal_parse_rdata(sldns_buffer* strbuf, char* token, size_t token_len,
@@ -712,6 +827,42 @@ rrinternal_parse_rdata(sldns_buffer* strbuf, char* token, size_t token_len,
        /* write rdata length */
        sldns_write_uint16(rr+dname_len+8, (uint16_t)(rr_cur_len-dname_len-10));
        *rr_len = rr_cur_len;
+       /* SVCB/HTTPS handling  */
+       if (rr_type == LDNS_RR_TYPE_SVCB || rr_type == LDNS_RR_TYPE_HTTPS) {
+               size_t rdata_len = rr_cur_len - dname_len - 10;
+               uint8_t *rdata = rr+dname_len + 10;
+               
+               /* skip 1st rdata field SvcPriority (uint16_t) */
+               if (rdata_len < sizeof(uint16_t))
+                       return LDNS_WIREPARSE_ERR_OK;
+
+               rdata_len -= sizeof(uint16_t);
+               rdata += sizeof(uint16_t);
+
+               /* skip 2nd rdata field dname */
+               while (rdata_len && *rdata != 0) {
+                       uint8_t label_len;
+
+                       if (*rdata & 0xC0)
+                               return LDNS_WIREPARSE_ERR_OK;
+
+                       label_len = *rdata + 1;
+                       if (rdata_len < label_len)
+                               return LDNS_WIREPARSE_ERR_OK;
+
+                       rdata_len -= label_len;
+                       rdata += label_len;
+               }
+               /* The root label is one more character, so smaller
+                * than 1 + 1 means no Svcparam Keys */
+               if (rdata_len < 2 || *rdata != 0)
+                       return LDNS_WIREPARSE_ERR_OK;
+
+               rdata_len -= 1;
+               rdata += 1;
+               return sldns_str2wire_check_svcbparams(rdata, rdata_len);
+
+       }
        return LDNS_WIREPARSE_ERR_OK;
 }
 
@@ -929,11 +1080,533 @@ int sldns_fp2wire_rr_buf(FILE* in, uint8_t* rr, size_t* len, size_t* dname_len,
                        memmove(parse_state->prev_rr, rr, *dname_len);
                        parse_state->prev_rr_len = (*dname_len);
                }
+               if(r == LDNS_WIREPARSE_ERR_OK && parse_state) {
+                       parse_state->default_ttl = sldns_wirerr_get_ttl(
+                               rr, *len, *dname_len);
+               }
                return r;
        }
        return LDNS_WIREPARSE_ERR_OK;
 }
 
+static int
+sldns_str2wire_svcparam_key_lookup(const char *key, size_t key_len)
+{
+       char buf[64];
+       char *endptr;
+       unsigned long int key_value;
+
+       if (key_len >= 4  && key_len <= 8 && !strncmp(key, "key", 3)) {
+               memcpy(buf, key + 3, key_len - 3);
+               buf[key_len - 3] = 0;
+               key_value = strtoul(buf, &endptr, 10);
+
+               if (endptr > buf        /* digits seen */
+               && *endptr == 0         /* no non-digit chars after digits */
+               &&  key_value <= 65535) /* no overflow */
+                       return key_value;
+
+       } else switch (key_len) {
+       case sizeof("mandatory")-1:
+               if (!strncmp(key, "mandatory", sizeof("mandatory")-1))
+                       return SVCB_KEY_MANDATORY;
+               if (!strncmp(key, "echconfig", sizeof("echconfig")-1))
+                       return SVCB_KEY_ECH; /* allow "echconfig as well as "ech" */
+               break;
+
+       case sizeof("alpn")-1:
+               if (!strncmp(key, "alpn", sizeof("alpn")-1))
+                       return SVCB_KEY_ALPN;
+               if (!strncmp(key, "port", sizeof("port")-1))
+                       return SVCB_KEY_PORT;
+               break;
+
+       case sizeof("no-default-alpn")-1:
+               if (!strncmp( key  , "no-default-alpn"
+                           , sizeof("no-default-alpn")-1))
+                       return SVCB_KEY_NO_DEFAULT_ALPN;
+               break;
+
+       case sizeof("ipv4hint")-1:
+               if (!strncmp(key, "ipv4hint", sizeof("ipv4hint")-1))
+                       return SVCB_KEY_IPV4HINT;
+               if (!strncmp(key, "ipv6hint", sizeof("ipv6hint")-1))
+                       return SVCB_KEY_IPV6HINT;
+               break;
+
+       case sizeof("ech")-1:
+               if (!strncmp(key, "ech", sizeof("ech")-1))
+                       return SVCB_KEY_ECH;
+               break;
+
+       default:
+               break;
+       }
+
+       /* Although the returned value might be used by the caller,
+        * the parser has erred, so the zone will not be loaded.
+        */
+       return -1;
+}
+
+static int
+sldns_str2wire_svcparam_port(const char* val, uint8_t* rd, size_t* rd_len)
+{
+       unsigned long int port;
+       char *endptr;
+
+       if (*rd_len < 6)
+               return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+
+       port = strtoul(val, &endptr, 10);
+
+       if (endptr > val        /* digits seen */
+       && *endptr == 0         /* no non-digit chars after digits */
+       &&  port <= 65535) {    /* no overflow */
+
+               sldns_write_uint16(rd, SVCB_KEY_PORT);
+               sldns_write_uint16(rd + 2, sizeof(uint16_t));
+               sldns_write_uint16(rd + 4, port);
+               *rd_len = 6;
+
+               return LDNS_WIREPARSE_ERR_OK;
+       }
+
+       return LDNS_WIREPARSE_ERR_SVCB_PORT_VALUE_SYNTAX;
+}
+
+static int
+sldns_str2wire_svcbparam_ipv4hint(const char* val, uint8_t* rd, size_t* rd_len)
+{
+       size_t count;
+       char ip_str[INET_ADDRSTRLEN+1];
+       char *next_ip_str;
+       size_t i;
+
+       for (i = 0, count = 1; val[i]; i++) {
+               if (val[i] == ',')
+                       count += 1;
+               if (count > SVCB_MAX_COMMA_SEPARATED_VALUES) {
+                       return LDNS_WIREPARSE_ERR_SVCB_IPV4_TOO_MANY_ADDRESSES;
+               }
+       }
+
+       if (*rd_len < (LDNS_IP4ADDRLEN * count) + 4)
+               return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+
+       /* count is number of comma's in val + 1; so the actual number of IPv4
+        * addresses in val
+        */
+       sldns_write_uint16(rd, SVCB_KEY_IPV4HINT);
+       sldns_write_uint16(rd + 2, LDNS_IP4ADDRLEN * count);
+       *rd_len = 4;
+
+       while (count) {
+               if (!(next_ip_str = strchr(val, ','))) {
+                       if (inet_pton(AF_INET, val, rd + *rd_len) != 1)
+                               break;
+                       *rd_len += LDNS_IP4ADDRLEN;
+
+                       assert(count == 1);
+
+               } else if (next_ip_str - val >= (int)sizeof(ip_str))
+                       break;
+
+               else {
+                       memcpy(ip_str, val, next_ip_str - val);
+                       ip_str[next_ip_str - val] = 0;
+                       if (inet_pton(AF_INET, ip_str, rd + *rd_len) != 1) {
+                               break;
+                       }
+                       *rd_len += LDNS_IP4ADDRLEN;
+
+                       val = next_ip_str + 1;
+               }
+               count--;
+       }
+       if (count) /* verify that we parsed all values */
+               return LDNS_WIREPARSE_ERR_SYNTAX_IP4;
+
+       return LDNS_WIREPARSE_ERR_OK;
+}
+
+static int
+sldns_str2wire_svcbparam_ipv6hint(const char* val, uint8_t* rd, size_t* rd_len)
+{
+       size_t count;
+       char ip_str[INET6_ADDRSTRLEN+1];
+       char *next_ip_str;
+       size_t i;
+
+       for (i = 0, count = 1; val[i]; i++) {
+               if (val[i] == ',')
+                       count += 1;
+               if (count > SVCB_MAX_COMMA_SEPARATED_VALUES) {
+                       return LDNS_WIREPARSE_ERR_SVCB_IPV6_TOO_MANY_ADDRESSES;
+               }
+       }
+
+       if (*rd_len < (LDNS_IP6ADDRLEN * count) + 4)
+               return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+
+       /* count is number of comma's in val + 1; so the actual number of IPv6
+        * addresses in val
+        */
+       sldns_write_uint16(rd, SVCB_KEY_IPV6HINT);
+       sldns_write_uint16(rd + 2, LDNS_IP6ADDRLEN * count);
+       *rd_len = 4;
+
+       while (count) {
+               if (!(next_ip_str = strchr(val, ','))) {
+                       if (inet_pton(AF_INET6, val, rd + *rd_len) != 1)
+                               break;
+                       *rd_len += LDNS_IP6ADDRLEN;
+
+                       assert(count == 1);
+
+               } else if (next_ip_str - val >= (int)sizeof(ip_str))
+                       break;
+
+               else {
+                       memcpy(ip_str, val, next_ip_str - val);
+                       ip_str[next_ip_str - val] = 0;
+                       if (inet_pton(AF_INET6, ip_str, rd + *rd_len) != 1) {
+                               break;
+                       }
+                       *rd_len += LDNS_IP6ADDRLEN;
+
+                       val = next_ip_str + 1;
+               }
+               count--;
+       }
+       if (count) /* verify that we parsed all values */
+               return LDNS_WIREPARSE_ERR_SYNTAX_IP6;
+
+       return LDNS_WIREPARSE_ERR_OK;
+}
+
+/* compare function used for sorting uint16_t's */
+static int
+sldns_network_uint16_cmp(const void *a, const void *b)
+{
+       return ((int)sldns_read_uint16(a)) - ((int)sldns_read_uint16(b));
+}
+
+static int
+sldns_str2wire_svcbparam_mandatory(const char* val, uint8_t* rd, size_t* rd_len)
+{
+       size_t i, count, val_len;
+       char* next_key;
+
+       val_len = strlen(val);
+
+       for (i = 0, count = 1; val[i]; i++) {
+               if (val[i] == ',')
+                       count += 1;
+               if (count > SVCB_MAX_COMMA_SEPARATED_VALUES) {
+                       return LDNS_WIREPARSE_ERR_SVCB_MANDATORY_TOO_MANY_KEYS;
+               }
+       }
+       if (sizeof(uint16_t) * (count + 2) > *rd_len)
+               return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+
+       sldns_write_uint16(rd, SVCB_KEY_MANDATORY);
+       sldns_write_uint16(rd + 2, sizeof(uint16_t) * count);
+       *rd_len = 4;
+
+       while (1) {
+               int svcparamkey;
+
+               if (!(next_key = strchr(val, ','))) {
+                       svcparamkey = sldns_str2wire_svcparam_key_lookup(val, val_len);
+
+                       if (svcparamkey < 0) {
+                               return LDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY;
+                       }
+
+                       sldns_write_uint16(rd + *rd_len, svcparamkey);
+                       *rd_len += 2;
+                       break;
+               } else {
+                       svcparamkey = sldns_str2wire_svcparam_key_lookup(val, next_key - val);
+
+                       if (svcparamkey < 0) {
+                               return LDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY;
+                       }
+
+                       sldns_write_uint16(rd + *rd_len,
+                               svcparamkey);
+                       *rd_len += 2;
+               }
+
+               val_len -= next_key - val + 1;
+               val = next_key + 1; /* skip the comma */
+       }
+
+       /* In draft-ietf-dnsop-svcb-https-06 Section 7:
+        *
+        *    "In wire format, the keys are represented by their numeric
+        *     values in network byte order, concatenated in ascending order."
+        */
+       qsort((void *)(rd + 4), count, sizeof(uint16_t), sldns_network_uint16_cmp);
+
+       /* The code below revolves around sematic errors in the SVCParam set.
+        * So long as we do not distinguish between running Unbound as a primary
+        * or as a secondary, we default to secondary behavior and we ignore the
+        * semantic errors. */
+#ifdef SVCB_SEMANTIC_ERRORS
+       /* In draft-ietf-dnsop-svcb-https-06 Section 8
+        * automatically mandatory MUST NOT appear in its own value-list
+        */
+       if (sldns_read_uint16(rd + 4) == SVCB_KEY_MANDATORY)
+               return LDNS_WIREPARSE_ERR_SVCB_MANDATORY_IN_MANDATORY;
+
+       /* Guarantee key uniqueness. After the sort we only need to
+        * compare neighbouring keys */
+       if (count > 1) {
+               for (i = 0; i < count - 1; i++) {
+                       uint8_t* current_pos = (rd + 4 + (sizeof(uint16_t) * i));
+                       uint16_t key = sldns_read_uint16(current_pos);
+
+                       if (key == sldns_read_uint16(current_pos + 2)) {
+                               return LDNS_WIREPARSE_ERR_SVCB_MANDATORY_DUPLICATE_KEY;
+                       }
+               }
+       }
+#endif
+       return LDNS_WIREPARSE_ERR_OK;
+}
+
+static int
+sldns_str2wire_svcbparam_ech_value(const char* val, uint8_t* rd, size_t* rd_len)
+{
+       uint8_t buffer[LDNS_MAX_RDFLEN];
+       int wire_len;
+
+       /* single 0 represents empty buffer */
+       if(strcmp(val, "0") == 0) {
+               if (*rd_len < 4)
+                       return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+               sldns_write_uint16(rd, SVCB_KEY_ECH);
+               sldns_write_uint16(rd + 2, 0);
+
+               return LDNS_WIREPARSE_ERR_OK;
+       }
+
+       wire_len = sldns_b64_pton(val, buffer, LDNS_MAX_RDFLEN);
+
+       if (wire_len <= 0) {
+               return LDNS_WIREPARSE_ERR_SYNTAX_B64;
+       } else if ((unsigned)wire_len + 4 > *rd_len) {
+               return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+       } else {
+               sldns_write_uint16(rd, SVCB_KEY_ECH);
+               sldns_write_uint16(rd + 2, wire_len);
+               memcpy(rd + 4, buffer, wire_len);
+               *rd_len = 4 + wire_len;
+
+               return LDNS_WIREPARSE_ERR_OK;
+       }
+}
+
+static const char*
+sldns_str2wire_svcbparam_parse_next_unescaped_comma(const char *val)
+{
+       while (*val) {
+               /* Only return when the comma is not escaped*/
+               if (*val == '\\'){
+                       ++val;
+                       if (!*val)
+                               break;
+               } else if (*val == ',')
+                               return val;
+
+               val++;
+       }
+       return NULL;
+}
+
+/* The source is already properly unescaped, this double unescaping is purely to allow for
+ * comma's in comma seperated alpn lists.
+ * 
+ * In draft-ietf-dnsop-svcb-https-06 Section 7:
+ * To enable simpler parsing, this SvcParamValue MUST NOT contain escape sequences.
+ */
+static size_t
+sldns_str2wire_svcbparam_parse_copy_unescaped(uint8_t *dst,
+       const char *src, size_t len)
+{
+       uint8_t *orig_dst = dst;
+
+       while (len) {
+               if (*src == '\\') {
+                       src++;
+                       len--;
+                       if (!len)
+                               break;
+               }
+               *dst++ = *src++;
+               len--;
+       }
+       return (size_t)(dst - orig_dst);
+}
+
+static int
+sldns_str2wire_svcbparam_alpn_value(const char* val,
+       uint8_t* rd, size_t* rd_len)
+{
+       uint8_t     unescaped_dst[LDNS_MAX_RDFLEN];
+       uint8_t    *dst = unescaped_dst;
+       const char *next_str;
+       size_t      str_len;
+       size_t      dst_len;
+       size_t      val_len;
+       
+       val_len = strlen(val);
+
+       if (val_len > sizeof(unescaped_dst)) {
+               return LDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE;
+       }
+       while (val_len) {
+               size_t key_len;
+
+               str_len = (next_str = sldns_str2wire_svcbparam_parse_next_unescaped_comma(val))
+                       ? (size_t)(next_str - val) : val_len;
+
+               if (str_len > 255) {
+                       return LDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE;
+               }
+
+               key_len = sldns_str2wire_svcbparam_parse_copy_unescaped(dst + 1, val, str_len);
+               *dst++ = key_len;
+                dst  += key_len;
+
+               if (!next_str)
+                       break;
+
+               /* skip the comma in the next iteration */
+               val_len -= next_str - val + 1;
+               val = next_str + 1;
+       }
+       dst_len = dst - unescaped_dst;
+       if (*rd_len < 4 + dst_len)
+               return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+       sldns_write_uint16(rd, SVCB_KEY_ALPN);
+       sldns_write_uint16(rd + 2, dst_len);
+       memcpy(rd + 4, unescaped_dst, dst_len);
+       *rd_len = 4 + dst_len;
+       
+       return LDNS_WIREPARSE_ERR_OK;
+}
+
+static int
+sldns_str2wire_svcparam_value(const char *key, size_t key_len,
+       const char *val, uint8_t* rd, size_t* rd_len)
+{
+       size_t str_len;
+       int svcparamkey = sldns_str2wire_svcparam_key_lookup(key, key_len);
+
+       if (svcparamkey < 0) {
+               return LDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY;
+       }
+
+       /* key without value */
+       if (val == NULL) {
+               switch (svcparamkey) {
+#ifdef SVCB_SEMANTIC_ERRORS
+               case SVCB_KEY_MANDATORY:
+               case SVCB_KEY_ALPN:
+               case SVCB_KEY_PORT:
+               case SVCB_KEY_IPV4HINT:
+               case SVCB_KEY_IPV6HINT:
+                       return LDNS_WIREPARSE_ERR_SVCB_MISSING_PARAM;
+#endif
+               default:
+                       if (*rd_len < 4)
+                               return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+                       sldns_write_uint16(rd, svcparamkey);
+                       sldns_write_uint16(rd + 2, 0);
+                       *rd_len = 4;
+
+                       return LDNS_WIREPARSE_ERR_OK;
+               }
+       }
+
+       /* value is non-empty */
+       switch (svcparamkey) {
+       case SVCB_KEY_PORT:
+               return sldns_str2wire_svcparam_port(val, rd, rd_len);
+       case SVCB_KEY_IPV4HINT:
+               return sldns_str2wire_svcbparam_ipv4hint(val, rd, rd_len);
+       case SVCB_KEY_IPV6HINT:
+               return sldns_str2wire_svcbparam_ipv6hint(val, rd, rd_len);
+       case SVCB_KEY_MANDATORY:
+               return sldns_str2wire_svcbparam_mandatory(val, rd, rd_len);
+#ifdef SVCB_SEMANTIC_ERRORS
+       case SVCB_KEY_NO_DEFAULT_ALPN:
+               return LDNS_WIREPARSE_ERR_SVCB_NO_DEFAULT_ALPN_VALUE;
+#endif
+       case SVCB_KEY_ECH:
+               return sldns_str2wire_svcbparam_ech_value(val, rd, rd_len);
+       case SVCB_KEY_ALPN:
+               return sldns_str2wire_svcbparam_alpn_value(val, rd, rd_len);
+       default:
+               str_len = strlen(val);
+               if (*rd_len < 4 + str_len)
+                       return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL;
+               sldns_write_uint16(rd, svcparamkey);
+               sldns_write_uint16(rd + 2, str_len);
+               memcpy(rd + 4, val, str_len);
+               *rd_len = 4 + str_len;
+
+               return LDNS_WIREPARSE_ERR_OK;
+       }
+
+       return LDNS_WIREPARSE_ERR_GENERAL;
+}
+
+int sldns_str2wire_svcparam_buf(const char* str, uint8_t* rd, size_t* rd_len)
+{
+       const char* eq_pos;
+       char unescaped_val[LDNS_MAX_RDFLEN];
+       char* val_out = unescaped_val;
+       const char* val_in;
+
+       eq_pos = strchr(str, '=');
+
+       /* case: key=value */
+       if (eq_pos != NULL && eq_pos[1]) {
+               val_in = eq_pos + 1;
+               
+               /* unescape characters and "" blocks */
+               if (*val_in == '"') {
+                       val_in++;
+                       while (*val_in != '"'
+                       && (unsigned)(val_out - unescaped_val + 1) < sizeof(unescaped_val)
+                       && sldns_parse_char( (uint8_t*) val_out, &val_in)) {
+                               val_out++;
+                       }
+               } else {
+                       while ((unsigned)(val_out - unescaped_val + 1) < sizeof(unescaped_val)
+                       && sldns_parse_char( (uint8_t*) val_out, &val_in)) {
+                               val_out++;
+                       }
+               }
+               *val_out = 0;
+
+               return sldns_str2wire_svcparam_value(str, eq_pos - str, 
+                                                        unescaped_val[0] ? unescaped_val : NULL, rd, rd_len);
+       }
+       /* case: key= */
+       else if (eq_pos != NULL && !(eq_pos[1])) { 
+               return sldns_str2wire_svcparam_value(str, eq_pos - str, NULL, rd, rd_len);
+       }
+       /* case: key */
+       else {
+               return sldns_str2wire_svcparam_value(str, strlen(str), NULL, rd, rd_len);
+       }
+}
+
 int sldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
        sldns_rdf_type rdftype)
 {
@@ -1006,6 +1679,8 @@ int sldns_str2wire_rdf_buf(const char* str, uint8_t* rd, size_t* len,
                return sldns_str2wire_hip_buf(str, rd, len);
        case LDNS_RDF_TYPE_INT16_DATA:
                return sldns_str2wire_int16_data_buf(str, rd, len);
+       case LDNS_RDF_TYPE_SVCPARAM:
+               return sldns_str2wire_svcparam_buf(str, rd, len);
        case LDNS_RDF_TYPE_UNKNOWN:
        case LDNS_RDF_TYPE_SERVICE:
                return LDNS_WIREPARSE_ERR_NOT_IMPL;
@@ -1491,13 +2166,17 @@ static int
 loc_parse_cm(char* my_str, char** endstr, uint8_t* m, uint8_t* e)
 {
        uint32_t meters = 0, cm = 0, val;
+       char* cm_endstr;
        while (isblank((unsigned char)*my_str)) {
                my_str++;
        }
        meters = (uint32_t)strtol(my_str, &my_str, 10);
        if (*my_str == '.') {
                my_str++;
-               cm = (uint32_t)strtol(my_str, &my_str, 10);
+               cm = (uint32_t)strtol(my_str, &cm_endstr, 10);
+               if(cm_endstr == my_str + 1)
+                       cm *= 10;
+               my_str = cm_endstr;
        }
        if (meters >= 1) {
                *e = 2;

diff --git a/sbin/unwind/libunbound/sldns/str2wire.h b/sbin/unwind/libunbound/sldns/str2wire.h
index 70070e4..0c31649 100644 (file)
--- a/sbin/unwind/libunbound/sldns/str2wire.h
+++ b/sbin/unwind/libunbound/sldns/str2wire.h
@@ -23,10 +23,27 @@ extern "C" {
 #endif
 struct sldns_struct_lookup_table;
 
+#define LDNS_IP4ADDRLEN      (32/8)
+#define LDNS_IP6ADDRLEN      (128/8)
+
 /** buffer to read an RR, cannot be larger than 64K because of packet size */
 #define LDNS_RR_BUF_SIZE 65535 /* bytes */
 #define LDNS_DEFAULT_TTL       3600
 
+/* SVCB keys currently defined in draft-ietf-dnsop-svcb-https */
+#define SVCB_KEY_MANDATORY             0
+#define SVCB_KEY_ALPN                  1
+#define SVCB_KEY_NO_DEFAULT_ALPN       2
+#define SVCB_KEY_PORT                  3
+#define SVCB_KEY_IPV4HINT              4
+#define SVCB_KEY_ECH                   5
+#define SVCB_KEY_IPV6HINT              6
+#define SVCPARAMKEY_COUNT              7
+
+#define MAX_NUMBER_OF_SVCPARAMS        64
+
+#define SVCB_MAX_COMMA_SEPARATED_VALUES        1000
+
 /*
  * To convert class and type to string see
  * sldns_get_rr_class_by_name(str)
@@ -204,6 +221,20 @@ uint8_t* sldns_wirerr_get_rdatawl(uint8_t* rr, size_t len, size_t dname_len);
 #define LDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW 370
 #define LDNS_WIREPARSE_ERR_INCLUDE 371
 #define LDNS_WIREPARSE_ERR_PARENTHESIS 372
+#define LDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY 373
+#define LDNS_WIREPARSE_ERR_SVCB_MISSING_PARAM 374
+#define LDNS_WIREPARSE_ERR_SVCB_TOO_MANY_PARAMS 375
+#define LDNS_WIREPARSE_ERR_SVCB_DUPLICATE_KEYS 376
+#define LDNS_WIREPARSE_ERR_SVCB_MANDATORY_TOO_MANY_KEYS 377
+#define LDNS_WIREPARSE_ERR_SVCB_MANDATORY_MISSING_PARAM 378
+#define LDNS_WIREPARSE_ERR_SVCB_MANDATORY_DUPLICATE_KEY 379
+#define LDNS_WIREPARSE_ERR_SVCB_MANDATORY_IN_MANDATORY 380
+#define LDNS_WIREPARSE_ERR_SVCB_PORT_VALUE_SYNTAX 381
+#define LDNS_WIREPARSE_ERR_SVCB_IPV4_TOO_MANY_ADDRESSES 382
+#define LDNS_WIREPARSE_ERR_SVCB_IPV6_TOO_MANY_ADDRESSES 383
+#define LDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE 384
+#define LDNS_WIREPARSE_ERR_SVCB_NO_DEFAULT_ALPN_VALUE 385
+#define LDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA 386
 
 /**
  * Get reference to a constant string for the (parse) error.

diff --git a/sbin/unwind/libunbound/sldns/wire2str.c b/sbin/unwind/libunbound/sldns/wire2str.c
index d0d1632..6a177ec 100644 (file)
--- a/sbin/unwind/libunbound/sldns/wire2str.c
+++ b/sbin/unwind/libunbound/sldns/wire2str.c
@@ -149,6 +149,30 @@ static sldns_lookup_table sldns_wireparse_errors_data[] = {
        { LDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW, "Syntax error, integer overflow" },
        { LDNS_WIREPARSE_ERR_INCLUDE, "$INCLUDE directive was seen in the zone" },
        { LDNS_WIREPARSE_ERR_PARENTHESIS, "Parse error, parenthesis mismatch" },
+       { LDNS_WIREPARSE_ERR_SVCB_UNKNOWN_KEY, "Unknown SvcParamKey"},
+       { LDNS_WIREPARSE_ERR_SVCB_MISSING_PARAM, "SvcParam is missing a SvcParamValue"},
+       { LDNS_WIREPARSE_ERR_SVCB_DUPLICATE_KEYS, "Duplicate SVCB key found"},
+       { LDNS_WIREPARSE_ERR_SVCB_MANDATORY_TOO_MANY_KEYS, "Too many keys in mandatory" },
+       { LDNS_WIREPARSE_ERR_SVCB_TOO_MANY_PARAMS,
+               "Too many SvcParams. Unbound only allows 63 entries" },
+       { LDNS_WIREPARSE_ERR_SVCB_MANDATORY_MISSING_PARAM,
+               "Mandatory SvcParamKey is missing"},
+       { LDNS_WIREPARSE_ERR_SVCB_MANDATORY_DUPLICATE_KEY,
+               "Keys in SvcParam mandatory MUST be unique" },
+       { LDNS_WIREPARSE_ERR_SVCB_MANDATORY_IN_MANDATORY, 
+               "mandatory MUST not be included as mandatory parameter" },
+       { LDNS_WIREPARSE_ERR_SVCB_PORT_VALUE_SYNTAX,
+               "Could not parse port SvcParamValue" },
+       { LDNS_WIREPARSE_ERR_SVCB_IPV4_TOO_MANY_ADDRESSES,
+               "Too many IPv4 addresses in ipv4hint" },
+       { LDNS_WIREPARSE_ERR_SVCB_IPV6_TOO_MANY_ADDRESSES,
+               "Too many IPv6 addresses in ipv6hint" },
+       { LDNS_WIREPARSE_ERR_SVCB_ALPN_KEY_TOO_LARGE,
+               "Alpn strings need to be smaller than 255 chars"},
+       { LDNS_WIREPARSE_ERR_SVCB_NO_DEFAULT_ALPN_VALUE,
+               "No-default-alpn should not have a value" },
+       { LDNS_WIREPARSE_ERR_SVCPARAM_BROKEN_RDATA,
+               "General SVCParam error" },
        { 0, NULL }
 };
 sldns_lookup_table* sldns_wireparse_errors = sldns_wireparse_errors_data;
@@ -196,6 +220,12 @@ static sldns_lookup_table sldns_tsig_errors_data[] = {
 };
 sldns_lookup_table* sldns_tsig_errors = sldns_tsig_errors_data;
 
+/* draft-ietf-dnsop-svcb-https-06: 6. Initial SvcParamKeys */
+const char *svcparamkey_strs[] = {
+       "mandatory", "alpn", "no-default-alpn", "port",
+       "ipv4hint", "ech", "ipv6hint"
+};
+
 char* sldns_wire2str_pkt(uint8_t* data, size_t len)
 {
        size_t slen = (size_t)sldns_wire2str_pkt_buf(data, len, NULL, 0);
@@ -940,6 +970,253 @@ int sldns_wire2str_ttl_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen)
        return sldns_str_print(s, slen, "%u", (unsigned)ttl);
 }
 
+static int
+sldns_print_svcparamkey(char** s, size_t* slen, uint16_t svcparamkey)
+{
+       if (svcparamkey < SVCPARAMKEY_COUNT) {
+               return sldns_str_print(s, slen, "%s", svcparamkey_strs[svcparamkey]);
+       }
+       else {
+               return sldns_str_print(s, slen, "key%d", (int)svcparamkey);
+       }
+}
+
+static int sldns_wire2str_svcparam_port2str(char** s,
+       size_t* slen, uint16_t data_len, uint8_t* data)
+{
+       int w = 0;
+
+       if (data_len != 2)
+               return -1; /* wireformat error, a short is 2 bytes */
+       w = sldns_str_print(s, slen, "=%d", (int)sldns_read_uint16(data));
+
+       return w;
+}
+
+static int sldns_wire2str_svcparam_ipv4hint2str(char** s,
+       size_t* slen, uint16_t data_len, uint8_t* data)
+{
+       char ip_str[INET_ADDRSTRLEN + 1];
+
+       int w = 0;
+
+       assert(data_len > 0);
+
+       if ((data_len % LDNS_IP4ADDRLEN) == 0) {
+               if (inet_ntop(AF_INET, data, ip_str, sizeof(ip_str)) == NULL)
+                       return -1; /* wireformat error, incorrect size or inet family */
+
+               w += sldns_str_print(s, slen, "=%s", ip_str);
+               data += LDNS_IP4ADDRLEN;
+
+               while ((data_len -= LDNS_IP4ADDRLEN) > 0) {
+                       if (inet_ntop(AF_INET, data, ip_str, sizeof(ip_str)) == NULL)
+                               return -1; /* wireformat error, incorrect size or inet family */
+
+                       w += sldns_str_print(s, slen, ",%s", ip_str);
+                       data += LDNS_IP4ADDRLEN;
+               }
+       } else
+               return -1;
+
+       return w;
+}
+
+static int sldns_wire2str_svcparam_ipv6hint2str(char** s,
+       size_t* slen, uint16_t data_len, uint8_t* data)
+{
+       char ip_str[INET6_ADDRSTRLEN + 1];
+
+       int w = 0;
+
+       assert(data_len > 0);
+
+       if ((data_len % LDNS_IP6ADDRLEN) == 0) {
+               if (inet_ntop(AF_INET6, data, ip_str, sizeof(ip_str)) == NULL)
+                       return -1; /* wireformat error, incorrect size or inet family */
+
+               w += sldns_str_print(s, slen, "=%s", ip_str);
+               data += LDNS_IP6ADDRLEN;
+
+               while ((data_len -= LDNS_IP6ADDRLEN) > 0) {
+                       if (inet_ntop(AF_INET6, data, ip_str, sizeof(ip_str)) == NULL)
+                               return -1; /* wireformat error, incorrect size or inet family */
+
+                       w += sldns_str_print(s, slen, ",%s", ip_str);
+                       data += LDNS_IP6ADDRLEN;
+               }
+       } else
+               return -1;
+
+       return w;
+}
+
+static int sldns_wire2str_svcparam_mandatory2str(char** s,
+       size_t* slen, uint16_t data_len, uint8_t* data)
+{
+       int w = 0;
+
+       assert(data_len > 0);
+
+       if (data_len % sizeof(uint16_t))
+               return -1; // wireformat error, data_len must be multiple of shorts
+       w += sldns_str_print(s, slen, "=");
+       w += sldns_print_svcparamkey(s, slen, sldns_read_uint16(data));
+       data += 2;
+
+       while ((data_len -= sizeof(uint16_t))) {
+               w += sldns_str_print(s, slen, ",");
+               w += sldns_print_svcparamkey(s, slen, sldns_read_uint16(data));
+               data += 2;
+       }
+
+       return w;
+}
+
+static int sldns_wire2str_svcparam_alpn2str(char** s,
+       size_t* slen, uint16_t data_len, uint8_t* data)
+{
+       uint8_t *dp = (void *)data;
+       int w = 0;
+
+       assert(data_len > 0); /* Guaranteed by sldns_wire2str_svcparam_scan */
+
+       w += sldns_str_print(s, slen, "=\"");
+       while (data_len) {
+               /* alpn is list of length byte (str_len) followed by a string of that size */
+               uint8_t i, str_len = *dp++;
+
+               if (str_len > --data_len)
+                       return -1;
+
+               for (i = 0; i < str_len; i++) {
+                       if (dp[i] == '"' || dp[i] == '\\')
+                               w += sldns_str_print(s, slen, "\\\\\\%c", dp[i]);
+
+                       else if (dp[i] == ',')
+                               w += sldns_str_print(s, slen, "\\\\%c", dp[i]);
+
+                       else if (!isprint(dp[i]))
+                               w += sldns_str_print(s, slen, "\\%03u", (unsigned) dp[i]);
+
+                       else
+                               w += sldns_str_print(s, slen, "%c", dp[i]);
+               }
+               dp += str_len;
+               if ((data_len -= str_len))
+                       w += sldns_str_print(s, slen, "%s", ",");
+       }
+       w += sldns_str_print(s, slen, "\"");
+       
+       return w;
+}
+
+static int sldns_wire2str_svcparam_ech2str(char** s,
+       size_t* slen, uint16_t data_len, uint8_t* data)
+{
+       int size;
+       int w = 0;
+
+       assert(data_len > 0); /* Guaranteed by sldns_wire2str_svcparam_scan */
+
+       w += sldns_str_print(s, slen, "=\"");
+
+       if ((size = sldns_b64_ntop(data, data_len, *s, *slen)) < 0)
+               return -1;
+
+       (*s) += size;
+       (*slen) -= size;
+
+       w += sldns_str_print(s, slen, "\"");    
+
+       return w + size;
+}
+
+int sldns_wire2str_svcparam_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen)
+{
+       uint8_t ch;
+       uint16_t svcparamkey, data_len;
+       int written_chars = 0;
+       int r, i;
+
+       /* verify that we have enough data to read svcparamkey and data_len */
+       if(*dlen < 4)
+               return -1;
+
+       svcparamkey = sldns_read_uint16(*d);
+       data_len = sldns_read_uint16(*d+2);
+       *d    += 4;
+       *dlen -= 4;
+
+       /* verify that we have data_len data */
+       if (data_len > *dlen)
+               return -1; 
+
+       written_chars += sldns_print_svcparamkey(s, slen, svcparamkey);
+       if (!data_len) {
+
+               /* Some SvcParams MUST have values */
+               switch (svcparamkey) {
+               case SVCB_KEY_ALPN:
+               case SVCB_KEY_PORT:
+               case SVCB_KEY_IPV4HINT:
+               case SVCB_KEY_IPV6HINT:
+               case SVCB_KEY_MANDATORY:
+                       return -1;
+               default:
+                       return written_chars;
+               }
+       }
+
+       switch (svcparamkey) {
+       case SVCB_KEY_PORT:
+               r = sldns_wire2str_svcparam_port2str(s, slen, data_len, *d);
+               break;
+       case SVCB_KEY_IPV4HINT:
+               r = sldns_wire2str_svcparam_ipv4hint2str(s, slen, data_len, *d);
+               break;
+       case SVCB_KEY_IPV6HINT:
+               r = sldns_wire2str_svcparam_ipv6hint2str(s, slen, data_len, *d);
+               break;
+       case SVCB_KEY_MANDATORY:
+               r = sldns_wire2str_svcparam_mandatory2str(s, slen, data_len, *d);
+               break;
+       case SVCB_KEY_NO_DEFAULT_ALPN:
+               return -1;  /* wireformat error, should not have a value */
+       case SVCB_KEY_ALPN:
+               r = sldns_wire2str_svcparam_alpn2str(s, slen, data_len, *d);
+               break;
+       case SVCB_KEY_ECH:
+               r = sldns_wire2str_svcparam_ech2str(s, slen, data_len, *d);
+               break;
+       default:
+               r = sldns_str_print(s, slen, "=\"");
+
+               for (i = 0; i < data_len; i++) {
+                       ch = (*d)[i];
+
+                       if (ch == '"' || ch == '\\')
+                               r += sldns_str_print(s, slen, "\\%c", ch);
+
+                       else if (!isprint(ch))
+                               r += sldns_str_print(s, slen, "\\%03u", (unsigned) ch);
+
+                       else
+                               r += sldns_str_print(s, slen, "%c", ch);
+
+               }
+               r += sldns_str_print(s, slen, "\"");
+               break;
+       }
+       if (r <= 0)
+               return -1; /* wireformat error */
+       
+       written_chars += r;
+       *d    += data_len;
+       *dlen -= data_len;
+       return written_chars;
+}
+
 int sldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
        int rdftype, uint8_t* pkt, size_t pktlen, int* comprloop)
 {
@@ -1017,6 +1294,8 @@ int sldns_wire2str_rdf_scan(uint8_t** d, size_t* dlen, char** s, size_t* slen,
                return sldns_wire2str_tag_scan(d, dlen, s, slen);
        case LDNS_RDF_TYPE_LONG_STR:
                return sldns_wire2str_long_str_scan(d, dlen, s, slen);
+       case LDNS_RDF_TYPE_SVCPARAM:
+               return sldns_wire2str_svcparam_scan(d, dlen, s, slen);
        case LDNS_RDF_TYPE_TSIGERROR:
                return sldns_wire2str_tsigerror_scan(d, dlen, s, slen);
        }

diff --git a/sbin/unwind/libunbound/sldns/wire2str.h b/sbin/unwind/libunbound/sldns/wire2str.h
index 0167fe7..b1ad459 100644 (file)
--- a/sbin/unwind/libunbound/sldns/wire2str.h
+++ b/sbin/unwind/libunbound/sldns/wire2str.h
@@ -494,6 +494,18 @@ int sldns_wire2str_opcode_buf(int opcode, char* str, size_t len);
 int sldns_wire2str_dname_buf(uint8_t* dname, size_t dname_len, char* str,
        size_t len);
 
+/**
+ * Convert wire SVCB to a string with user buffer.
+ * @param d: the SVCB data in uncompressed wireformat.
+ * @param dlen: length of the SVCB data.
+ * @param s: the string to write to.
+ * @param slen: length of string.
+ * @return the number of characters for this element, excluding zerobyte.
+ *     Is larger or equal than str_len if output was truncated.
+ */
+int sldns_wire2str_svcparam_scan(uint8_t** d, size_t* dlen, char** s,
+       size_t* slen);
+
 /**
  * Scan wireformat rdf field to string, with user buffers.
  * It shifts the arguments to move along (see sldns_wire2str_pkt_scan).

diff --git a/sbin/unwind/libunbound/util/config_file.c b/sbin/unwind/libunbound/util/config_file.c
index 2fb8d0d..4725e7d 100644 (file)
--- a/sbin/unwind/libunbound/util/config_file.c
+++ b/sbin/unwind/libunbound/util/config_file.c
@@ -105,11 +105,14 @@ config_create(void)
        cfg->do_ip6 = 1;
        cfg->do_udp = 1;
        cfg->do_tcp = 1;
+       cfg->tcp_reuse_timeout = 60 * 1000; /* 60s in milisecs */
+       cfg->max_reuse_tcp_queries = 200;
        cfg->tcp_upstream = 0;
        cfg->udp_upstream_without_downstream = 0;
        cfg->tcp_mss = 0;
        cfg->outgoing_tcp_mss = 0;
        cfg->tcp_idle_timeout = 30 * 1000; /* 30s in millisecs */
+       cfg->tcp_auth_query_timeout = 3 * 1000; /* 3s in millisecs */
        cfg->do_tcp_keepalive = 0;
        cfg->tcp_keepalive_timeout = 120 * 1000; /* 120s in millisecs */
        cfg->ssl_service_key = NULL;
@@ -235,8 +238,10 @@ config_create(void)
        cfg->hide_identity = 0;
        cfg->hide_version = 0;
        cfg->hide_trustanchor = 0;
+       cfg->hide_http_user_agent = 0;
        cfg->identity = NULL;
        cfg->version = NULL;
+       cfg->http_user_agent = NULL;
        cfg->nsid_cfg_str = NULL;
        cfg->nsid = NULL;
        cfg->nsid_len = 0;
@@ -250,6 +255,7 @@ config_create(void)
        cfg->val_date_override = 0;
        cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */
        cfg->val_sig_skew_max = 86400; /* at most timezone settings trouble */
+       cfg->val_max_restart = 5;
        cfg->val_clean_additional = 1;
        cfg->val_log_level = 0;
        cfg->val_log_squelch = 0;
@@ -262,6 +268,7 @@ config_create(void)
        cfg->serve_expired_reply_ttl = 30;
        cfg->serve_expired_client_timeout = 0;
        cfg->serve_original_ttl = 0;
+       cfg->zonemd_permissive_mode = 0;
        cfg->add_holddown = 30*24*3600;
        cfg->del_holddown = 30*24*3600;
        cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
@@ -305,7 +312,7 @@ config_create(void)
        if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit;
 #endif
        if(!(cfg->val_nsec3_key_iterations = 
-               strdup("1024 150 2048 500 4096 2500"))) goto error_exit;
+               strdup("1024 150 2048 150 4096 150"))) goto error_exit;
 #if defined(DNSTAP_SOCKET_PATH)
        if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH)))
                goto error_exit;
@@ -516,7 +523,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
                udp_upstream_without_downstream)
        else S_NUMBER_NONZERO("tcp-mss:", tcp_mss)
        else S_NUMBER_NONZERO("outgoing-tcp-mss:", outgoing_tcp_mss)
+       else S_NUMBER_NONZERO("tcp-auth-query-timeout:", tcp_auth_query_timeout)
        else S_NUMBER_NONZERO("tcp-idle-timeout:", tcp_idle_timeout)
+       else S_NUMBER_NONZERO("max-reuse-tcp-queries:", max_reuse_tcp_queries)
+       else S_NUMBER_NONZERO("tcp-reuse-timeout:", tcp_reuse_timeout)
        else S_YNO("edns-tcp-keepalive:", do_tcp_keepalive)
        else S_NUMBER_NONZERO("edns-tcp-keepalive-timeout:", tcp_keepalive_timeout)
        else S_YNO("ssl-upstream:", ssl_upstream)
@@ -587,8 +597,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
        else S_YNO("hide-identity:", hide_identity)
        else S_YNO("hide-version:", hide_version)
        else S_YNO("hide-trustanchor:", hide_trustanchor)
+       else S_YNO("hide-http-user-agent:", hide_http_user_agent)
        else S_STR("identity:", identity)
        else S_STR("version:", version)
+       else S_STR("http-user-agent:", http_user_agent)
        else if(strcmp(opt, "nsid:") == 0) {
                free(cfg->nsid_cfg_str);
                if (!(cfg->nsid_cfg_str = strdup(val)))
@@ -649,6 +661,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
        else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout)
        else S_YNO("serve-original-ttl:", serve_original_ttl)
        else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations)
+       else S_YNO("zonemd-permissive-mode:", zonemd_permissive_mode)
        else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
        else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown)
        else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing)
@@ -756,12 +769,14 @@ int config_set_option(struct config_file* cfg, const char* opt,
 #endif
        else if(strcmp(opt, "define-tag:") ==0) {
                return config_add_tag(cfg, val);
-       /* val_sig_skew_min and max are copied into val_env during init,
-        * so this does not update val_env with set_option */
+       /* val_sig_skew_min, max and val_max_restart are copied into val_env
+        * during init so this does not update val_env with set_option */
        } else if(strcmp(opt, "val-sig-skew-min:") == 0)
        { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_min = (int32_t)atoi(val); }
        else if(strcmp(opt, "val-sig-skew-max:") == 0)
        { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_max = (int32_t)atoi(val); }
+       else if(strcmp(opt, "val-max-restart:") == 0)
+       { IS_NUMBER_OR_ZERO; cfg->val_max_restart = (int32_t)atoi(val); }
        else if (strcmp(opt, "outgoing-interface:") == 0) {
                char* d = strdup(val);
                char** oi = 
@@ -1005,7 +1020,10 @@ config_get_option(struct config_file* cfg, const char* opt,
        else O_YNO(opt, "udp-upstream-without-downstream", udp_upstream_without_downstream)
        else O_DEC(opt, "tcp-mss", tcp_mss)
        else O_DEC(opt, "outgoing-tcp-mss", outgoing_tcp_mss)
+       else O_DEC(opt, "tcp-auth-query-timeout", tcp_auth_query_timeout)
        else O_DEC(opt, "tcp-idle-timeout", tcp_idle_timeout)
+       else O_DEC(opt, "max-reuse-tcp-queries", max_reuse_tcp_queries)
+       else O_DEC(opt, "tcp-reuse-timeout", tcp_reuse_timeout)
        else O_YNO(opt, "edns-tcp-keepalive", do_tcp_keepalive)
        else O_DEC(opt, "edns-tcp-keepalive-timeout", tcp_keepalive_timeout)
        else O_YNO(opt, "ssl-upstream", ssl_upstream)
@@ -1041,8 +1059,10 @@ config_get_option(struct config_file* cfg, const char* opt,
        else O_YNO(opt, "hide-identity", hide_identity)
        else O_YNO(opt, "hide-version", hide_version)
        else O_YNO(opt, "hide-trustanchor", hide_trustanchor)
+       else O_YNO(opt, "hide-http-user-agent", hide_http_user_agent)
        else O_STR(opt, "identity", identity)
        else O_STR(opt, "version", version)
+       else O_STR(opt, "http-user-agent", http_user_agent)
        else O_STR(opt, "nsid", nsid_cfg_str)
        else O_STR(opt, "target-fetch-policy", target_fetch_policy)
        else O_YNO(opt, "harden-short-bufsize", harden_short_bufsize)
@@ -1070,6 +1090,7 @@ config_get_option(struct config_file* cfg, const char* opt,
        else O_DEC(opt, "serve-expired-client-timeout", serve_expired_client_timeout)
        else O_YNO(opt, "serve-original-ttl", serve_original_ttl)
        else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)
+       else O_YNO(opt, "zonemd-permissive-mode", zonemd_permissive_mode)
        else O_UNS(opt, "add-holddown", add_holddown)
        else O_UNS(opt, "del-holddown", del_holddown)
        else O_UNS(opt, "keep-missing", keep_missing)
@@ -1178,6 +1199,7 @@ config_get_option(struct config_file* cfg, const char* opt,
        else O_DEC(opt, "fast-server-permil", fast_server_permil)
        else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
        else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
+       else O_DEC(opt, "val-max-restart", val_max_restart)
        else O_YNO(opt, "qname-minimisation", qname_minimisation)
        else O_YNO(opt, "qname-minimisation-strict", qname_minimisation_strict)
        else O_IFC(opt, "define-tag", num_tags, tagname)
@@ -1516,6 +1538,7 @@ config_delete(struct config_file* cfg)
 #endif
        free(cfg->identity);
        free(cfg->version);
+       free(cfg->http_user_agent);
        free(cfg->nsid_cfg_str);
        free(cfg->nsid);
        free(cfg->module_conf);
@@ -1681,6 +1704,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail)
        return num;
 }
 
+void cfg_apply_local_port_policy(struct config_file* cfg, int num) {
+(void)cfg;
+(void)num;
+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
+       {
+               int i = 0;
+               FILE* range_fd;
+               if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) {
+                       int min_port = 0;
+                       int max_port = num - 1;
+                       if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) {
+                               for(i=0; i<min_port; i++) {
+                                       cfg->outgoing_avail_ports[i] = 0;
+                               }
+                               for(i=max_port+1; i<num; i++) {
+                                       cfg->outgoing_avail_ports[i] = 0;
+                               }
+                       } else {
+                               log_err("unexpected port range in %s",
+                                               LINUX_IP_LOCAL_PORT_RANGE_PATH);
+                       }
+                       fclose(range_fd);
+               } else {
+                       log_err("failed to read from file: %s (%s)",
+                                       LINUX_IP_LOCAL_PORT_RANGE_PATH,
+                                       strerror(errno));
+               }
+       }
+#endif
+}
+
 /** print error with file and line number */
 static void ub_c_error_va_list(const char *fmt, va_list args)
 {
@@ -2605,3 +2659,27 @@ int options_remote_is_address(struct config_file* cfg)
        return (cfg->control_ifs.first->str[0] != '/');
 }
 
+/** see if interface is https, its port number == the https port number */
+int
+if_is_https(const char* ifname, const char* port, int https_port)
+{
+       char* p = strchr(ifname, '@');
+       if(!p && atoi(port) == https_port)
+               return 1;
+       if(p && atoi(p+1) == https_port)
+               return 1;
+       return 0;
+}
+
+/** see if config contains https turned on */
+int cfg_has_https(struct config_file* cfg)
+{
+       int i;
+       char portbuf[32];
+       snprintf(portbuf, sizeof(portbuf), "%d", cfg->port);
+       for(i = 0; i<cfg->num_ifs; i++) {
+               if(if_is_https(cfg->ifs[i], portbuf, cfg->https_port))
+                       return 1;
+       }
+       return 0;
+}

diff --git a/sbin/unwind/libunbound/util/config_file.h b/sbin/unwind/libunbound/util/config_file.h
index 7cf27cc..aed6812 100644 (file)
--- a/sbin/unwind/libunbound/util/config_file.h
+++ b/sbin/unwind/libunbound/util/config_file.h
@@ -93,6 +93,12 @@ struct config_file {
        int do_udp;
        /** do tcp query support. */
        int do_tcp;
+       /** max number of queries on a reuse connection. */
+       size_t max_reuse_tcp_queries;
+       /** timeout for REUSE entries in milliseconds. */
+       int tcp_reuse_timeout;
+       /** timeout in milliseconds for TCP queries to auth servers. */
+       int tcp_auth_query_timeout;
        /** tcp upstream queries (no UDP upstream queries) */
        int tcp_upstream;
        /** udp upstream enabled when no UDP downstream is enabled (do_udp no)*/
@@ -334,10 +340,14 @@ struct config_file {
        int hide_version;
        /** do not report trustanchor (trustanchor.unbound) */
        int hide_trustanchor;
+       /** do not report the User-Agent HTTP header */
+       int hide_http_user_agent;
        /** identity, hostname is returned if "". */
        char* identity;
        /** version, package version returned if "". */
        char* version;
+       /** User-Agent for HTTP header */
+       char* http_user_agent;
        /** nsid */
        char *nsid_cfg_str;
        uint8_t *nsid;
@@ -367,6 +377,8 @@ struct config_file {
        int32_t val_sig_skew_min;
        /** the maximum for signature clock skew */
        int32_t val_sig_skew_max;
+       /** max number of query restarts, number of IPs to probe */
+       int32_t val_max_restart;
        /** this value sets the number of seconds before revalidating bogus */
        int bogus_ttl; 
        /** should validator clean additional section for secure msgs */
@@ -396,6 +408,8 @@ struct config_file {
        int serve_original_ttl;
        /** nsec3 maximum iterations per key size, string */
        char* val_nsec3_key_iterations;
+       /** if zonemd failures are permitted, only logged */
+       int zonemd_permissive_mode;
        /** autotrust add holddown time, in seconds */
        unsigned int add_holddown;
        /** autotrust del holddown time, in seconds */
@@ -727,6 +741,10 @@ struct config_auth {
        /** Always reply with this CNAME target if the cname override action is
         * used */
        char* rpz_cname;
+       /** Check ZONEMD records for this zone */
+       int zonemd_check;
+       /** Reject absence of ZONEMD records, zone must have one */
+       int zonemd_reject_absence;
 };
 
 /**
@@ -1172,6 +1190,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num);
  */
 int cfg_condense_ports(struct config_file* cfg, int** avail);
 
+/**
+ * Apply system specific port range policy.
+ * @param cfg: config file.
+ * @param num: size of the array (65536).
+ */
+void cfg_apply_local_port_policy(struct config_file* cfg, int num);
+
 /**
  * Scan ports available
  * @param avail: the array from cfg.
@@ -1301,5 +1326,19 @@ void w_config_adjust_directory(struct config_file* cfg);
 /** debug option for unit tests. */
 extern int fake_dsa, fake_sha1;
 
+/** see if interface is https, its port number == the https port number */
+int if_is_https(const char* ifname, const char* port, int https_port);
+
+/**
+ * Return true if the config contains settings that enable https.
+ * @param cfg: config information.
+ * @return true if https ports are used for server.
+ */
+int cfg_has_https(struct config_file* cfg);
+
+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
+#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range"
+#endif
+
 #endif /* UTIL_CONFIG_FILE_H */
 

diff --git a/sbin/unwind/libunbound/util/configlexer.c b/sbin/unwind/libunbound/util/configlexer.c
index 6b0f335..186860b 100644 (file)
--- a/sbin/unwind/libunbound/util/configlexer.c
+++ b/sbin/unwind/libunbound/util/configlexer.c
@@ -5,7 +5,7 @@
 
 #define  YY_INT_ALIGNED short int
 
-/*     $OpenBSD: configlexer.c,v 1.10 2021/03/16 18:38:05 florian Exp $        */
+/*     $OpenBSD: configlexer.c,v 1.11 2021/08/14 07:32:46 florian Exp $        */
 
 /* A lexical scanner generated by flex */
 
@@ -27,7 +27,7 @@
 
 /* end standard C headers. */
 
-/* $OpenBSD: configlexer.c,v 1.10 2021/03/16 18:38:05 florian Exp $ */
+/* $OpenBSD: configlexer.c,v 1.11 2021/08/14 07:32:46 florian Exp $ */
 
 /* flex integer type definitions */
 
@@ -368,8 +368,8 @@ static void yy_fatal_error (yyconst char msg[]  );
        *yy_cp = '\0'; \
        (yy_c_buf_p) = yy_cp;
 
-#define YY_NUM_RULES 343
-#define YY_END_OF_BUFFER 344
+#define YY_NUM_RULES 352
+#define YY_END_OF_BUFFER 353
 /* This struct is not used in this scanner,
    but its presence is necessary. */
 struct yy_trans_info
@@ -377,377 +377,391 @@ struct yy_trans_info
        flex_int32_t yy_verify;
        flex_int32_t yy_nxt;
        };
-static yyconst flex_int16_t yy_accept[3354] =
+static yyconst flex_int16_t yy_accept[3484] =
     {   0,
-        1,    1,  317,  317,  321,  321,  325,  325,  329,  329,
-        1,    1,  333,  333,  337,  337,  344,  341,    1,  315,
-      315,  342,    2,  342,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  317,  318,  318,  319,
-      342,  321,  322,  322,  323,  342,  328,  325,  326,  326,
-      327,  342,  329,  330,  330,  331,  342,  340,  316,    2,
-      320,  342,  340,  336,  333,  334,  334,  335,  342,  337,
-      338,  338,  339,  342,  341,    0,    1,    2,    2,    2,
-        2,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  317,
-        0,  321,    0,  328,    0,  325,  329,    0,  340,    0,
-        2,    2,  340,  336,    0,  333,  337,    0,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  340,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  125,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  134,
-      341,  341,  341,  341,  341,  341,  341,  340,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  109,  341,  314,  341,
-      341,  341,  341,  341,  341,  341,    8,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  126,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  139,  341,  340,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  307,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  340,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,   64,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      239,  341,   14,   15,  341,   19,   18,  341,  341,  223,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  132,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  221,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,    3,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      340,  341,  341,  341,  341,  341,  341,  341,  301,  341,
-      341,  300,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  324,
-      341,  341,  341,  341,  341,  341,  341,  341,   63,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,   67,  341,  270,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  308,  309,  341,  341,
-      341,  341,  341,  341,  341,   68,  341,  341,  133,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  129,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  210,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,   21,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  158,  341,  341,  340,  324,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      107,  341,  341,  341,  341,  341,  341,  341,  278,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  182,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  157,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  106,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-       32,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-       33,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,   65,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  131,  340,  341,  341,
-
-      341,  341,  341,  124,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,   66,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  243,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  183,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,   54,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  261,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,   58,  341,   59,
-      341,  341,  341,  341,  341,  110,  341,  111,  341,  341,
-      341,  341,  108,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  341,    7,  341,  340,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  232,  341,  341,  341,  341,  160,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  244,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,   45,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,   55,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  202,  341,  201,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,   16,   17,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,   69,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  209,  341,  341,  341,
-      341,  341,  341,  113,  341,  112,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  193,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  140,  340,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  101,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,   89,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  222,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,   94,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,   62,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  196,  197,  341,  341,  341,
-      272,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,    6,  341,  341,  341,  341,  341,  341,
-      291,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  276,  341,
-      341,  341,  341,  341,  341,  302,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,   42,  341,  341,
-      341,  341,   44,  341,  341,  341,   90,  341,  341,  341,
-
-      341,  341,   52,  341,  341,  341,  341,  341,  341,  341,
-      340,  341,  189,  341,  341,  341,  135,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  214,  341,  190,
-      341,  341,  341,  229,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,   53,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  137,  118,  341,  119,  341,
-      341,  341,  117,  341,  341,  341,  341,  341,  341,  341,
-      341,  155,  341,  341,   50,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  260,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  191,  341,  341,  341,  341,  341,  194,  341,  200,
-      341,  341,  341,  341,  341,  228,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  105,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  130,  341,  341,  341,  341,  341,  341,  341,   60,
-      341,  341,  341,   26,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,   20,  341,  341,  341,  341,  341,  341,
-       27,   36,  341,  165,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  340,  341,  341,
-      341,  341,  341,  341,   77,   79,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  280,
-      341,  341,  341,  341,  240,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  120,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  154,  341,   46,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  295,  341,  341,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      159,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  289,  341,  341,  341,  220,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  305,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  176,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  114,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  171,
-      341,  184,  341,  341,  341,  341,  340,  341,  143,  341,
-      341,  341,  341,  341,  100,  341,  341,  341,  341,  212,
-
-      341,  341,  341,  341,  341,  341,  230,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  252,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  136,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  175,
-      341,  341,  341,  341,  341,  341,   80,  341,   81,  341,
-      341,  341,  341,  341,   61,  298,  341,  341,  341,  341,
-      341,   88,  185,  341,  203,  341,  233,  341,  341,  195,
-      273,  341,  341,  341,  341,  341,   73,  341,  187,  341,
-      341,  341,  341,  341,    9,  341,  341,  341,  341,  341,
-
-      104,  341,  341,  341,  341,  265,  341,  341,  341,  341,
-      211,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  340,  341,  341,
-      341,  341,  174,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  161,  341,  279,  341,  341,  341,  341,
-      341,  251,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  224,  341,  341,  341,  341,  341,  271,
-
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      299,  341,  186,  341,  341,  341,  341,  341,  341,  341,
-       72,   74,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  103,  341,  341,  341,  341,  263,  341,  341,  341,
-      341,  275,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  216,   34,   28,   30,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,   35,  341,   29,
-       31,  341,  341,  341,  341,  341,  341,  341,  341,   99,
-
-      341,  341,  341,  341,  341,  341,  340,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  218,  215,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,   71,  341,
-      341,  341,  138,  341,  121,  341,  341,  341,  341,  341,
-      341,  341,  341,  156,   47,  341,  341,  341,  332,   13,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      293,  341,  296,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,   12,  341,  341,   22,  341,  341,  341,
-      341,  341,  269,  341,  341,  341,  341,  277,  341,  341,
-
-      341,   75,  341,  226,  341,  341,  341,  341,  341,  217,
-      341,  341,   70,  341,  341,  341,  341,   23,  341,   43,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  170,  169,  332,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  219,  213,  341,  231,  341,  341,
-      281,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,   82,  341,  341,  341,  341,  264,  341,
-      341,  341,  341,  199,  341,  341,  341,  341,  225,  341,
-
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      303,  304,  167,  341,  341,   76,  341,  341,  341,  341,
-      177,  341,  341,  341,  115,  116,  341,  341,  341,  341,
-      162,  341,  164,  341,  204,  341,  341,  341,  341,  168,
-      341,  341,  234,  341,  341,  341,  341,  341,  341,  341,
-      145,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  242,  341,  341,  341,  341,  341,  341,
-      341,  312,  341,   24,  341,  274,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-       86,  205,  341,  341,  262,  341,  297,  341,  198,  341,
-
-      341,  341,  341,   56,  341,  341,  341,  341,  341,  341,
-        4,  341,  341,  341,  341,  128,  144,  341,  341,  341,
-      181,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  237,   37,   38,  341,
-      341,  341,  341,  341,  341,  341,  282,  341,  341,  341,
-      341,  341,  341,  341,  250,  341,  341,  341,  341,  341,
-      341,  341,  341,  208,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,   85,  341,   57,  268,
-      341,  238,  341,  341,  341,  341,   11,  341,  341,  341,
-      341,  341,  341,  341,  341,  127,  341,  341,  341,  341,
-
-      206,   91,  341,   40,  341,  341,  341,  341,  341,  341,
-      341,  341,  173,  341,  341,  341,  341,  341,  147,  341,
-      341,  341,  341,  241,  341,  341,  341,  341,  341,  249,
-      341,  341,  341,  341,  141,  341,  341,  341,  122,  123,
-      341,  341,  341,   93,   97,   92,  341,  341,  341,  341,
-       83,  341,  341,  341,  341,  341,   10,  341,  341,  341,
-      341,  341,  266,  306,  341,  341,  341,  341,  311,   39,
-      341,  341,  341,  341,  341,  172,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,   98,
-
-       96,  341,   51,  341,  341,   84,  294,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  192,  341,  341,  341,
-      341,  341,  207,  341,  341,  341,  341,  341,  341,  341,
-      341,  163,   78,  341,  341,  341,  341,  341,  283,  341,
-      341,  341,  341,  341,  341,  341,  246,  341,  341,  245,
-      142,  341,  341,   95,   48,  341,  148,  149,  152,  153,
-      150,  151,   87,  292,  341,  341,  267,  341,  341,  341,
-      341,  166,  341,  341,  341,  341,  341,  236,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  179,  178,
-
-       41,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  290,  341,  341,  341,  341,  102,  341,
-      235,  341,  259,  287,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  313,  341,   49,    5,  341,
-      341,  227,  341,  341,  288,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  247,   25,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  248,  341,
-      341,  341,  146,  341,  341,  341,  341,  341,  341,  341,
-      341,  180,  341,  188,  341,  341,  341,  341,  341,  341,
-
-      341,  341,  341,  284,  341,  341,  341,  341,  341,  341,
-      341,  341,  341,  341,  341,  341,  341,  341,  341,  341,
-      341,  310,  341,  341,  255,  341,  341,  341,  341,  341,
-      285,  341,  341,  341,  341,  341,  341,  286,  341,  341,
-      341,  253,  341,  256,  257,  341,  341,  341,  341,  341,
-      254,  258,    0
+        1,    1,  326,  326,  330,  330,  334,  334,  338,  338,
+        1,    1,  342,  342,  346,  346,  353,  350,    1,  324,
+      324,  351,    2,  351,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  326,  327,  327,  328,
+      351,  330,  331,  331,  332,  351,  337,  334,  335,  335,
+      336,  351,  338,  339,  339,  340,  351,  349,  325,    2,
+      329,  351,  349,  345,  342,  343,  343,  344,  351,  346,
+      347,  347,  348,  351,  350,    0,    1,    2,    2,    2,
+        2,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  326,
+        0,  330,    0,  337,    0,  334,  338,    0,  349,    0,
+        2,    2,  349,  345,    0,  342,  346,    0,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  349,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  128,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  137,
+      350,  350,  350,  350,  350,  350,  350,  349,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  112,  350,  323,
+      350,  350,  350,  350,  350,  350,  350,    8,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  129,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  142,  350,  350,  349,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  316,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  349,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,   67,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  248,  350,   14,   15,  350,   19,   18,  350,
+      350,  232,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  135,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      230,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+        3,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  349,
+      350,  350,  350,  350,  350,  350,  350,  310,  350,  350,
+      309,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      333,  350,  350,  350,  350,  350,  350,  350,  350,   66,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,   70,  350,  279,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  317,  318,
+      350,  350,  350,  350,  350,  350,  350,   71,  350,  350,
+      136,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  132,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  219,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,   21,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  162,
+      350,  350,  350,  350,  350,  349,  333,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  110,  350,
+      350,  350,  350,  350,  350,  350,  287,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  188,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  161,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  109,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,   35,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,   36,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,   68,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      134,  350,  350,  350,  349,  350,  350,  350,  350,  350,
+      127,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,   69,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  252,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  189,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,   57,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  270,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,   61,  350,   62,
+
+      350,  350,  350,  350,  350,  113,  350,  114,  350,  350,
+      350,  350,  111,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,    7,  350,  350,  350,  350,
+      349,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  241,
+      350,  350,  350,  350,  165,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  253,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+       48,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+       58,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  211,  350,  210,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,   16,   17,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,   72,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  218,  350,  350,  350,  350,
+      350,  350,  116,  350,  115,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  202,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  143,
+      350,  350,  350,  349,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  104,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,   92,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      231,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,   97,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,   65,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  205,  206,  350,  350,  350,  281,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,    6,  350,  350,  350,  350,  350,  350,  300,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  285,  350,  350,  350,
+      350,  350,  350,  311,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,   45,  350,  350,
+      350,  350,   47,  350,  350,  350,   93,  350,  350,  350,
+      350,  350,   55,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  349,  350,  198,  350,  350,  350,
+      138,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  223,  350,  199,  350,  350,  350,  238,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,   56,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  140,
+      121,  350,  122,  350,  350,  350,  120,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  158,  350,  350,   53,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  269,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  200,  350,  350,
+      350,  350,  350,  203,  350,  209,  350,  350,  350,  350,
+      350,  350,  237,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  108,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  133,  350,
+      350,  350,  350,  350,  350,  350,   63,  350,  350,  350,
+       29,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,   20,  350,  350,  350,  350,  350,  350,   30,
+       39,  350,  170,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  196,  350,  350,
+      349,  350,  350,  350,  350,  350,  350,   80,   82,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  289,  350,  350,  350,  350,  249,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      123,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  157,  350,   49,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  304,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  164,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  298,
+
+      350,  350,  350,  229,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  314,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  182,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  117,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  177,  350,  190,
+      350,  350,  350,  350,  350,  350,  350,  349,  350,  146,
+      350,  350,  350,  350,  350,  103,  350,  350,  350,  350,
+      221,  350,  350,  350,  350,  350,  350,  239,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  261,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  139,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  181,  350,  350,  350,  350,  350,  350,   83,
+      350,   84,  350,  350,  350,  350,  350,   64,  307,  350,
+      350,  350,  350,  350,   91,  191,  350,  212,  350,  242,
+      350,  350,  204,  282,  350,  350,  350,  350,  350,  350,
+       76,  350,  193,  350,  350,  350,  350,  350,    9,  350,
+      350,  350,  350,  350,  107,  350,  350,  350,  350,  274,
+      350,  350,  350,  350,  220,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  349,  350,  350,  350,
+      350,  180,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  166,  350,  288,  350,  350,  350,  350,  350,
+      260,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  233,  350,  350,  350,  350,  350,  280,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  163,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  308,  350,  192,  350,  350,  350,  350,  350,  350,
+      350,  350,   75,   77,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  106,  350,  350,  350,  350,  272,  350,
+      350,  350,  350,  284,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  225,   37,   31,   33,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,   38,  350,   32,   34,  350,  350,  350,  350,  350,
+      350,  350,  350,  102,  350,  176,  350,  350,  350,  350,
+
+      350,  350,  350,  349,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  227,  224,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,   74,  350,  350,  350,  141,
+      350,  124,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  159,   50,  350,  350,  350,  341,   13,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  302,  350,
+      305,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,   12,  350,  350,   22,  350,  350,  350,  350,
+      350,  278,  350,  350,  350,  350,  286,  350,  350,  350,
+
+       78,  350,  235,  350,  350,  350,  350,  350,  226,  350,
+      350,   73,  350,  350,  350,  350,  350,   23,  350,  350,
+       46,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  175,  174,  350,  350,  341,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  228,  222,  350,
+      240,  350,  350,  290,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,   85,  350,  350,
+      350,  350,  273,  350,  350,  350,  350,  208,  350,  350,
+
+      350,  350,  350,  234,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  312,  313,  172,  350,  350,
+       79,  350,  350,  350,  350,  183,  350,  350,  350,  118,
+      119,  350,  350,  350,   25,  350,  350,  167,  350,  169,
+      350,  213,  350,  350,  350,  350,  173,  350,  350,  350,
+      350,  243,  350,  350,  350,  350,  350,  350,  350,  148,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  251,  350,  350,  350,  350,  350,  350,  350,
+      321,  350,   27,  350,  283,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+
+       89,  214,  350,  350,  271,  350,  306,  350,  207,  350,
+      350,  350,  350,  350,   59,  350,  350,  350,  350,  350,
+      350,    4,  350,  350,  350,  350,  131,  147,  350,  350,
+      350,  187,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      246,   40,   41,  350,  350,  350,  350,  350,  350,  350,
+      291,  350,  350,  350,  350,  350,  350,  350,  259,  350,
+      350,  350,  350,  350,  350,  350,  350,  217,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,   88,  350,   60,  277,  350,  247,  350,  350,  350,
+
+      350,  350,   11,  350,  350,  350,  350,  350,  350,  350,
+      350,  130,  350,  350,  350,  350,  215,   94,  350,  350,
+       43,  350,  350,  350,  350,  350,  350,  350,  350,  179,
+      350,  350,  350,  350,  350,  350,  350,  150,  350,  350,
+      350,  350,  250,  350,  350,  350,  350,  350,  258,  350,
+      350,  350,  350,  144,  350,  350,  350,  125,  126,  350,
+      350,  350,   96,  100,   95,  160,  350,  350,  350,  350,
+       86,  350,  350,  350,  350,  350,  350,   10,  350,  350,
+      350,  350,  350,  275,  315,  350,  350,  350,  350,  350,
+      320,   42,  350,  350,  350,  350,  350,  178,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  101,   99,  350,   54,  350,  350,   87,
+      303,  350,  350,  350,  350,   24,  350,  350,  350,  350,
+      350,  201,  350,  350,  350,  350,  350,  216,  350,  350,
+      350,  350,  350,  350,  350,  350,  197,  350,  350,  168,
+       81,  350,  350,  350,  350,  350,  292,  350,  350,  350,
+      350,  350,  350,  350,  255,  350,  350,  254,  145,  350,
+      350,   98,   51,  350,  151,  152,  155,  156,  153,  154,
+       90,  301,  350,  350,  276,  350,  350,  350,   26,  350,
+
+      171,  350,  350,  350,  350,  195,  350,  245,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  185,  184,
+       44,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  299,  350,  350,  350,  350,  105,  350,
+      244,  350,  268,  296,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  322,  350,   52,    5,  350,
+      350,  236,  350,  350,  297,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  256,   28,  350,  350,  350,  350,
+
+      350,  350,  350,  350,  350,  350,  350,  350,  257,  350,
+      350,  350,  149,  350,  350,  350,  350,  350,  350,  350,
+      350,  186,  350,  194,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  293,  350,  350,  350,  350,  350,  350,
+      350,  350,  350,  350,  350,  350,  350,  350,  350,  350,
+      350,  319,  350,  350,  264,  350,  350,  350,  350,  350,
+      294,  350,  350,  350,  350,  350,  350,  295,  350,  350,
+      350,  262,  350,  265,  266,  350,  350,  350,  350,  350,
+      263,  267,    0
     } ;
 
 static yyconst flex_int32_t yy_ec[256] =
@@ -790,17 +804,17 @@ static yyconst flex_int32_t yy_meta[41] =
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1
     } ;
 
-static yyconst flex_int16_t yy_base[3372] =
+static yyconst flex_int16_t yy_base[3502] =
     {   0,
         0,    0,   38,   41,   44,   46,   59,   65,   71,   77,
-       90,  112,   96,  118,  124,  136, 4327, 4282,   81, 6547,
-     6547, 6547,  129,   52,  130,   63,  131,  152,   70,  140,
+       90,  112,   96,  118,  124,  136, 5204, 5022,   81, 6793,
+     6793, 6793,  129,   52,  130,   63,  131,  152,   70,  140,
       149,  156,   57,   88,   76,  173,  175,   95,  197,  145,
-      185,  199,  208,  213,  178,  123, 4186, 6547, 6547, 6547,
-      107, 4109, 6547, 6547, 6547,  154, 4045, 3722, 6547, 6547,
-     6547,  245, 3578, 6547, 6547, 6547,  163, 3220, 6547,  249,
-     6547,  253,  148, 2696, 2594, 6547, 6547, 6547,  257, 2157,
-     6547, 6547, 6547,  233, 1707,  263,  201,    0,  267,    0,
+      185,  199,  208,  213,  178,  123, 4580, 6793, 6793, 6793,
+      107, 3835, 6793, 6793, 6793,  154, 3459, 3338, 6793, 6793,
+     6793,  245, 3159, 6793, 6793, 6793,  163, 2930, 6793,  249,
+     6793,  253,  148, 2502, 2483, 6793, 6793, 6793,  257, 2236,
+     6793, 6793, 6793,  233, 1695,  263,  201,    0,  267,    0,
         0,  165,  191,  221,  252,  205,  181,  265,   92,  261,
 
       216,  263,  271,  272,  210,  279,  274,  282,  278,  291,
@@ -808,8 +822,8 @@ static yyconst flex_int16_t yy_base[3372] =
       317,  311,  315,  319,  321,  331,  327,  332,  336,  322,
       339,  337,  346,  345,  347,  348,  353,  351,  357,  284,
       358,  359,  369,  360,  380,  365,  381,  379,  375,  366,
-      367,  389,  390,  394,  393,  395,  396,  403,  404, 1665,
-      419, 1172,  422,  924,  429,  854,  832,  433,  781,  437,
+      367,  389,  390,  394,  393,  395,  396,  403,  404, 1436,
+      419, 1297,  422, 1003,  429,  930,  888,  433,  775,  437,
       441,    0,  433,  705,  447,  479,  287,  452,  411,  445,
       426,  446,  447,  448,  449,  450,  451,  453,  452,  456,
       470,  234,  463,  473,  481,  479,  476,  483,  486,  487,
@@ -828,719 +842,749 @@ static yyconst flex_int16_t yy_base[3372] =
       697,  700,  708,  704,  713,  712,  721,  716,  722,  719,
       731,  732,  727,  717,  728,  729,  733,  736,  730,  740,
       738,  741,  745,  743,  750,  752,  760,  755,  756,  771,
-      763,  766,  762,  773,  774,  769,  775,  793,  798,  799,
-      786,  800,  801,  804,  803,  805,  807,  808,  809,  818,
-      811,  823,  815,  824,  825,  829,  836,  834, 6547,  831,
-      833,  847,  848,  849,  852,  765,  856,  858,  839,  868,
-      864,  861,  870,  892,  865,  878,  869,  871,  874, 6547,
-      887,  880,  916,  882,  889,  902,  903,  900,  904,  905,
-      917,  910,  933,  850,  914,  922,  943,  939,  925,  938,
-
-      940,  907,  941,  948,  949,  946,  951,  953,  960,  952,
-      957,  959,  971,  961,  970,  972,  965,  974,  980,  985,
-      987,  992,  975,  984,  995,  978,  990,  998, 1008, 1003,
-     1001, 1009, 1012, 1015, 1023, 1019, 1027, 1028, 1002, 1029,
-     1030, 1035, 1031, 1038, 1041, 1039, 1042, 1051, 1049, 1047,
-     1048, 1054, 1055, 1056, 1058, 1061, 1064, 1063, 1068, 1072,
-     1066, 1073, 1079, 1067, 1085, 1077, 6547, 1089, 6547, 1080,
-     1083, 1087, 1092, 1093, 1094, 1095, 6547, 1097, 1100, 1102,
-     1105, 1109, 1111, 1110, 1116, 1112, 1123, 1124, 1125, 1128,
-     1135, 1130, 1133, 1138, 1137, 1140, 1141, 1144, 1142, 1147,
-
-     1149, 1148, 1154, 1155, 1158, 1175, 6547, 1157, 1167, 1162,
-     1159, 1168, 1169, 1187, 1185, 1188, 1186, 1190, 1203, 1198,
-     1204, 1206, 1207, 1160, 1210, 1212, 1214, 1216, 1217, 1218,
-     1219, 1221, 1222, 1223, 1225, 1224, 1228, 6547, 1226, 1236,
-     1247, 1242, 1245, 1246, 1248, 1249, 1161, 1251, 1250, 1106,
-      517, 1253, 1257, 1258, 1259, 1272, 1267, 1270, 1268, 1269,
-     1275, 1274, 1276, 1278, 1287, 1283, 1289, 1291, 1299, 1298,
-     1301, 1308, 1310, 1303, 1305, 1311, 1307, 1306, 1313, 1315,
-     1322, 1316, 1319, 1326, 1329, 1328, 1331, 1335, 1320, 1336,
-     1333, 1341, 1342, 1343, 1344, 1351, 1350, 1346, 1358, 1353,
-
-     1356, 1354, 1352, 1373, 1374, 1363, 1365, 6547, 1381, 1367,
-     1382, 1383, 1384, 1388, 1390, 1386, 1392, 1393, 1394, 1396,
-     1397, 1399, 1403, 1404, 1405, 1406, 1408, 1419, 1416, 1411,
-     1427, 1426, 1428, 1418, 1430, 1432, 1431, 1440, 1438, 1441,
-     1439, 1445, 1446, 1453, 1448, 1449, 1454, 1463, 1456, 1455,
-     1460, 1458, 1466, 1469, 1468, 1483, 1472, 1480, 1488, 1489,
-     1479, 1491, 1481, 1492, 1496, 1497, 1498, 1499, 1501, 1508,
-     1503, 1510, 1505, 1509, 1511, 1506, 1522, 1512, 1523, 1526,
-     1530, 1513, 1528, 1531, 1533, 1536, 1537, 1538, 1539, 1541,
-     1545, 1543, 1549, 1548, 1550, 1554, 1560, 1561, 1563, 1564,
-
-     1567, 1568, 1571, 1570, 1573, 1581, 1572, 1582, 1584, 1585,
-     1587, 1588, 1592, 1591, 1598, 1595, 1601, 1603, 1605, 1604,
-     1607, 1611, 1614, 1616, 1608, 6547, 1615, 1628, 1623, 1626,
-     1624, 1627, 1629, 1637, 1632, 1635, 1633, 1638, 1639, 1664,
-     6547, 1641, 6547, 6547, 1644, 6547, 6547, 1645, 1649, 6547,
-     1662, 1648, 1658, 1646, 1670, 1677, 1679, 1667, 1675, 1660,
-     1687, 1691, 1694, 1696, 1682, 1697, 1688, 1702, 1708, 1653,
-     1704, 1705, 1711, 1721, 1716, 1724, 1718, 1726, 1727, 1729,
-     1732, 1736, 1738, 1740, 1739, 1743, 1744, 1745, 1747, 1746,
-     1749, 1752, 1755, 1756, 1753, 1758, 1759, 1774, 1772, 1761,
-
-     1779, 6547, 1775, 1782, 1789, 1785, 1792, 1784, 1788, 1791,
-     1764, 1796, 1793, 1797, 1798, 1800, 1802, 1805, 1804, 1809,
-     1810, 1806, 1812, 1822, 1813, 6547, 1817, 1818, 1824, 1825,
-     1828, 1831, 1833, 1829, 1835, 1836, 1839, 1847, 1849, 1840,
-     1842, 1844, 1851, 1854, 1856, 6547, 1862, 1858, 1863, 1865,
-     1866, 1868, 1869, 1871, 1874, 1873, 1876, 1877, 1878, 1879,
-     1886, 1883, 1885, 1890, 1891, 1895, 1900, 1902, 1904, 1906,
-     1908, 1910, 1911, 1912, 1913, 1915, 1916, 1924, 1927, 1923,
-     1928, 1925, 1920, 1944, 1947, 1929, 1931, 1942, 1943, 1945,
-     1951, 1955, 1953, 1946, 1957, 1965, 1958, 1961, 1963, 1967,
-
-     1974, 1969, 1971, 1976, 1979, 1980, 1982, 1983, 6547, 1985,
-     1989, 6547, 1986, 1988, 1990, 2012, 1991, 1993, 1995, 2005,
-     1994, 2014, 1998, 2006, 2022, 2016, 2032, 2025, 2024, 2035,
-     2029, 2037, 2036, 2040, 2041, 2043, 2046, 2047, 2053, 2049,
-     2063, 2067, 2066, 2073, 2075, 2050, 2058, 2062, 2081, 2071,
-     2074, 2070, 2076, 2085, 2091, 2090, 2078, 2093, 2094, 2099,
-     2103, 2104, 2102, 2105, 2106, 2108, 2111, 2116, 2117, 6547,
-     2124, 2125, 2119, 2127, 2121, 2135, 2131, 2130, 6547, 2133,
-     2139, 2140, 2147, 2143, 2144, 2145, 2146, 2151, 2153, 2155,
-     2159, 2160, 2158, 2154, 2176, 6547, 2161, 6547, 2172, 2162,
-
-     2174, 2175, 2178, 2179, 2180, 2183, 6547, 6547, 2187, 2181,
-     2197, 2201, 2191, 2184, 2202, 6547, 2203, 2210, 6547, 2207,
-     2213, 2206, 2205, 2212, 2214, 2217, 2218, 2227, 2222, 2229,
-     2224, 2226, 2234, 6547, 2235, 2236, 2240, 2241, 2237, 2243,
-     2244, 2250, 2247, 6547, 2254, 2251, 2256, 2264, 2266, 2261,
-     2263, 2268, 2272, 2269, 2274, 2275, 2276, 2277, 2284, 2286,
-     2283, 2289, 2291, 2298, 6547, 2282, 2285, 2303, 2299, 2302,
-     2306, 2307, 2308, 2309, 2310, 2311, 1996, 2312, 2318, 2319,
-     2320, 2327, 2329, 2322, 2325, 2333, 2324, 2334, 2335, 2342,
-     2340, 2341, 2344, 2345, 6547, 2346, 2352, 2349,  171, 2353,
-
-     2356, 2354, 2355, 2359, 2362, 2357, 2378, 2379, 2364, 2376,
-     2382, 2383, 2375, 2385, 2386, 2387, 2374, 2390, 2392, 2394,
-     6547, 2396, 2398, 2400, 2401, 2403, 2404, 2406, 6547, 2410,
-     2426, 2423, 2430, 2408, 2405, 2431, 2417, 2421, 2432, 2433,
-     2435, 2437, 2440, 2442, 2444, 2443, 6547, 2447, 2448, 2452,
-     2450, 2458, 2460, 2459, 2451, 2461, 2465, 2467, 2471, 2473,
-     2469, 2472, 2474, 2475, 2477, 2482, 2478, 2485, 2487, 2488,
-     2489, 2490, 2492, 2494, 2499, 2500, 6547, 2507, 2506, 2504,
-     2509, 2510, 2512, 2522, 2513, 2532, 2515, 2523, 2516, 2535,
-     2538, 2540, 2524, 2548, 2544, 2549, 2541, 2558, 2555, 2559,
-
-     2562, 2556, 2565, 2567, 2568, 2569, 2571, 2573, 2574, 2575,
-     2576, 2584, 2591, 2581, 2592, 2590, 2595, 2583, 2601, 2614,
-     2598, 6547, 2603, 2605, 2613, 2615, 2622, 2617, 2618, 2623,
-     2619, 2625, 2627, 2629, 2630, 2638, 2635, 2637, 2639, 2642,
-     2641, 2643, 2649, 2650, 2651, 2654, 2658, 2660, 2662, 2663,
-     6547, 2664, 2666, 2669, 2670, 2673, 2674, 2678, 2680, 2682,
-     2683, 2684, 2686, 2689, 2690, 2691, 2692, 2698, 2699, 2695,
-     6547, 2700, 2702, 2710, 2706, 2714, 2708, 2718, 2721, 2722,
-     2725, 2728, 2712, 2729, 2731, 2732, 6547, 2740, 2742, 2739,
-     2743, 2741, 2746, 2747, 2749, 2751, 6547, 2752, 2753, 2754,
-
-     2761, 2762, 2757, 6547, 2766, 2764, 2759, 2768, 2769, 2772,
-     2774, 2775, 2770, 2780, 2782, 2789, 2796, 2783, 2793, 6547,
-     2785, 2803, 2791, 2799, 2807, 2787, 2810, 2811, 2812, 2813,
-     2814, 2818, 6547, 2827, 2819, 2824, 2834, 2830, 2831, 2836,
-     2837, 2838, 2840, 2839, 2841, 2844, 6547, 2847, 2845, 2848,
-     2850, 2852, 2853, 2855, 2868, 2860, 2865, 2867, 2870, 2873,
-     2875, 2877, 2869, 2878, 2879, 2880, 2886, 2890, 2891, 2892,
-     2895, 2899, 2904, 2901, 2903, 2907, 2906, 2908, 2909, 2916,
-     2917, 2924, 2919, 2925, 6547, 2928, 2930, 2923, 2921, 2931,
-     2933, 2935, 2937, 2940, 2936, 2938, 2948, 2945, 2942, 2955,
-
-     2958, 2951, 2962, 2960, 2964, 2965, 2967, 2966, 2968, 2969,
-     2976, 2973, 2975, 2986, 2977, 2984, 2995, 2981, 2991, 2992,
-     2993, 2994, 2982, 2998, 3004, 2999, 2997, 3006, 3007, 3015,
-     3018, 3021, 3020, 3009, 3023, 3027, 3028, 6547, 3031, 3033,
-     3029, 3035, 3036, 3042, 3043, 3045, 3046, 3037, 3051, 3053,
-     3054, 3059, 3060, 3062, 3063, 3070, 3066, 6547, 3067, 6547,
-     3068, 3069, 3072, 3081, 3076, 6547, 3087, 6547, 3077, 3091,
-     3082, 3084, 6547, 3092, 3088, 3093, 3103, 3094, 3097, 3101,
-     3105, 3099, 3106, 3112, 3111, 3115, 3114, 3116, 3122, 3117,
-     3119, 3127, 3125, 3134, 3124, 3126, 3141, 3135, 3138, 3143,
-
-     3144, 3145, 6547, 3152, 3148, 3153, 3154, 3155, 3156, 3158,
-     3159, 3161, 3162, 3165, 3173, 3167, 3179, 3169, 3178, 3181,
-     3193, 3177, 3194, 6547, 3190, 3192, 3195, 3196, 6547, 3198,
-     3199, 3200, 3205, 3207, 3208, 3209, 3210, 3211, 3215, 3216,
-     3217, 3229, 3225, 3222, 3231, 6547, 3230, 3236, 3218, 3242,
-     3249, 3244, 3246, 3251, 3252, 3254, 3263, 3259, 3258, 3260,
-     3261, 3262, 3265, 3272, 3273, 3269, 3276, 3275, 3279, 3286,
-     3283, 3277, 3281, 3287, 3289, 3290, 3291, 3292, 3293, 3296,
-     3297, 3294, 6547, 3302, 3308, 3306, 3315, 3311, 3312, 3316,
-     3321, 3317, 6547, 3323, 3324, 3325, 3327, 3332, 3326, 3329,
-
-     3334, 3337, 3340, 3342, 3345, 3347, 3346, 6547, 3348, 6547,
-     3350, 3351, 3361, 3365, 3366, 3353, 3367, 3373, 3369, 3374,
-     3376, 3379, 3377, 3383, 3380, 3385, 3386, 3388, 3400, 3391,
-     3387, 3392, 3401, 3402, 3406, 3409, 3410, 3411, 6547, 6547,
-     3412, 3413, 3417, 3414, 3420, 3421, 3424, 3432, 3428, 3427,
-     3434, 3435, 3448, 6547, 3436, 3443, 3438, 3446, 3462, 3449,
-     3464, 3465, 3452, 3440, 3472, 3468, 6547, 3461, 3469, 3476,
-     3471, 3477, 3479, 6547, 3482, 6547, 3475, 3478, 3485, 3487,
-     3488, 3489, 3491, 3492, 3499, 3509, 3510, 3495, 3512, 3507,
-     3500, 3513, 3515, 3516, 3523, 3519, 3521, 3522, 6547, 3525,
-
-     3526, 3530, 3528, 3531, 3538, 3535, 3539, 6547, 3542, 3545,
-     3548, 3549, 3551, 3550, 3553, 3556, 3557, 3555, 3559, 6547,
-     3558, 3561, 3572, 3573, 3565, 3574, 3576, 3579, 3587, 6547,
-     3584, 3588, 3596, 3592, 3593, 3598, 3599, 3594, 3595, 3601,
-     3603, 3604, 3606, 3607, 3608, 3610, 3613, 3615, 3612, 3622,
-     3623, 3626, 3630, 3639, 3631, 6547, 3635, 3636, 3640, 3638,
-     3642, 3643, 3645, 3648, 3650, 3651, 3661, 3662, 3653, 3664,
-     3666, 3668, 3673, 3675, 6547, 3676, 3669, 3683, 3679, 3681,
-     3689, 3680, 3686, 3693, 3682, 3690, 3694, 3695, 3698, 3707,
-     3702, 3705, 3706, 3708, 3718, 3709, 6547, 3723, 3713, 3719,
-
-     3730, 3720, 3726, 3739, 3735, 3736, 3737, 3743, 3738, 3745,
-     3740, 3747, 3748, 3751, 3752, 6547, 6547, 3754, 3755, 3757,
-     6547, 3759, 3761, 3771, 3763, 3767, 3770, 3774, 3775, 3773,
-     3776, 3778, 3779, 6547, 3786, 3789, 3787, 3790, 3798, 3794,
-     6547, 3793, 3806, 3802, 3803, 3805, 3809, 3811, 3810, 3813,
-     3815, 3817, 3818, 3826, 3827, 3824, 3823, 3828, 6547, 3825,
-     3831, 3834, 3836, 3837, 3840, 6547, 3841, 3842, 3849, 3851,
-     3852, 3859, 3862, 3854, 3864, 3847, 3867, 3869, 3871, 3872,
-     3873, 3880, 3875, 3877, 3879, 3883, 3885, 6547, 3886, 3887,
-     3891, 3897, 6547, 3900, 3907, 3908, 6547, 3910, 3894, 3909,
-
-     3905, 3918, 6547, 3913, 3915, 3916, 3921, 3929, 3922, 3930,
-     3926, 3927, 6547, 3933, 3932, 3935, 6547, 3934, 3941, 3948,
-     3950, 3936, 3958, 3953, 3938, 3954, 3955, 6547, 3957, 6547,
-     3963, 3961, 3967, 6547, 3965, 3969, 3970, 3972, 3974, 3979,
-     3980, 3986, 3988, 3976, 3982, 3990, 3978, 3994, 3995, 3999,
-     3992, 4002, 4001, 4003, 6547, 4004, 4006, 4009, 4007, 4012,
-     4014, 4020, 4015, 4021, 4022, 6547, 6547, 4029, 6547, 4030,
-     4025, 4031, 6547, 4034, 4037, 4044, 4039, 4042, 4046, 4053,
-     4050, 6547, 4055, 4059, 6547, 4040, 4061, 4068, 4057, 4065,
-     4066, 4069, 4071, 4072, 4073, 4076, 4074, 4078, 4075, 4077,
-
-     4091, 6547, 4079, 4081, 4082, 4084, 4095, 4096, 4100, 4102,
-     4098, 6547, 4106, 4112, 4105, 4115, 4117, 6547, 4119, 6547,
-     4108, 4121, 4122, 4125, 4129, 6547, 4131, 4132, 4136, 4137,
-     4138, 4139, 4140, 4142, 4144, 4149, 4156, 4152, 4151, 4153,
-     4160, 4158, 6547, 4155, 4161, 4168, 4170, 4172, 4173, 4182,
-     4178, 4177, 4180, 4181, 4185, 4188, 4190, 4194, 4192, 4199,
-     4196, 6547, 4203, 4205, 4202, 4217, 4206, 4210, 4208, 6547,
-     4209, 4222, 4224, 6547, 4213, 4225, 4228, 4231, 4232, 4233,
-     4236, 4234, 4238, 6547, 4235, 4242, 4239, 4241, 4244, 4255,
-     6547, 6547, 4256, 6547, 4257, 4243, 4258, 4260, 4240, 4261,
-
-     4268, 4271, 4277, 4269, 4279, 4281, 4272, 4274, 4290, 4293,
-     4297, 4292, 4294, 4298, 6547, 6547, 4300, 4304, 4301, 4307,
-     4308, 4303, 4311, 4320, 4312, 4321, 4324, 4326, 4333, 6547,
-     4328, 4316, 4334, 4325, 6547, 4335, 4337, 4339, 4340, 4341,
-     4343, 4347, 4344, 4348, 4349, 4351, 4352, 4354, 4365, 4357,
-     4358, 4366, 4367, 4368, 4359, 4374, 4380, 6547, 4377, 4375,
-     4381, 4382, 4384, 4387, 4388, 4389, 4390, 6547, 4395, 6547,
-     4391, 4393, 4396, 4397, 4413, 4398, 4414, 4415, 4416, 4418,
-     4419, 4422, 4423, 4427, 4424, 4429, 4432, 4434, 4436, 4438,
-     4440, 6547, 4444, 4441, 4447, 4448, 4451, 4453, 4454, 4456,
-
-     4457, 4459, 4462, 4463, 4465, 4470, 4466, 4472, 4471, 4474,
-     6547, 4478, 4487, 4476, 4489, 4479, 4484, 4491, 4498, 4501,
-     4492, 4502, 4503, 6547, 4504, 4496, 4507, 6547, 4508, 4509,
-     4510, 4512, 4521, 4518, 4522, 4523, 4524, 6547, 4530, 4513,
-     4534, 4526, 4531, 4535, 4536, 4542, 4545, 4544, 4547, 6547,
-     4557, 4548, 4556, 4558, 4552, 4555, 4559, 4564, 4566, 6547,
-     4570, 4571, 4572, 4579, 4574, 4584, 4581, 4583, 4582, 4585,
-     4590, 4591, 4594, 4596, 4597, 4599, 4608, 4610, 4611, 6547,
-     4589, 6547, 4612, 4616, 4620, 4618, 4623, 4622, 6547, 4624,
-     4625, 4630, 4631, 4626, 6547, 4633, 4632, 4634, 4638, 6547,
-
-     4636, 4647, 4637, 4643, 4654, 4658, 6547, 4661, 4662, 4651,
-     4669, 4670, 4666, 4668, 4671, 4672, 4674, 4676, 4677, 4678,
-     4687, 4680, 4683, 6547, 4689, 4692, 4698, 4699, 4682, 4700,
-     4701, 4702, 4708, 4703, 6547, 4705, 4711, 4712, 4713, 4714,
-     4715, 4717, 4725, 4720, 4723, 4724, 4728, 4729, 4730, 6547,
-     4733, 4736, 4737, 4744, 4740, 4753, 6547, 4749, 6547, 4746,
-     4756, 4759, 4739, 4763, 6547, 6547, 4750, 4767, 4766, 4769,
-     4770, 6547, 6547, 4772, 6547, 4773, 6547, 4774, 4776, 6547,
-     6547, 4775, 4777, 4781, 4782, 4784, 6547, 4790, 6547, 4799,
-     4794, 4785, 4796, 4797, 6547, 4798, 4804, 4800, 4808, 4806,
-
-     6547, 4810, 4815, 4811, 4813, 6547, 4822, 4823, 4814, 4816,
-     6547, 4824, 4831, 4827, 4835, 4836, 4837, 4838, 4841, 4843,
-     4839, 4844, 4846, 4847, 4854, 4861, 4863, 4865, 4869, 4858,
-     4856, 4871, 4872, 4877, 4875, 4879, 4880, 4881, 4883, 4884,
-     4886, 4889, 4890, 4892, 4895, 4893, 4894, 4906, 4896, 4898,
-     4908, 4910, 4899, 4909, 4913, 4912, 4917, 4915, 4920, 4923,
-     4922, 4924, 6547, 4928, 4930, 4933, 4935, 4934, 4940, 4942,
-     4944, 4950, 4953, 6547, 4957, 6547, 4959, 4951, 4955, 4961,
-     4962, 6547, 4963, 4964, 4965, 4968, 4967, 4970, 4848, 4971,
-     4974, 4975, 4972, 6547, 4979, 4981, 4984, 4985, 4997, 6547,
-
-     4989, 5000, 4986, 5001, 5002, 5003, 5005, 5007, 5008, 5010,
-     5012, 5014, 5015, 5016, 5020, 5022, 5028, 5036, 5031, 5017,
-     5033, 5037, 5038, 5039, 5040, 5041, 5042, 5048, 5053, 5057,
-     6547, 5045, 6547, 5054, 5050, 5058, 5061, 5062, 5065, 5068,
-     6547, 6547, 5066, 5071, 5073, 5075, 5076, 5078, 5080, 5082,
-     5079, 6547, 5084, 5088, 5096, 5089, 6547, 5093, 5098, 5100,
-     5104, 6547, 5101, 5105, 5106, 5112, 5107, 5116, 5117, 5119,
-     5109, 5121, 5123, 5130, 6547, 6547, 6547, 6547, 5131, 5124,
-     5135, 5127, 5136, 5138, 5139, 5142, 5137, 6547, 5145, 6547,
-     6547, 5150, 5151, 5153, 5154, 5157, 5158, 5160, 5162, 6547,
-
-     5161, 5163, 5166, 5164, 5173, 5175, 5181, 5178, 5182, 5183,
-     5184, 5192, 5188, 5189, 5191, 5194, 5196, 5198, 6547, 6547,
-     5200, 5204, 5205, 5215, 5207, 5211, 5210, 5223, 5218, 5220,
-     5219, 5221, 5226, 5227, 5235, 5237, 5233, 5230, 6547, 5232,
-     5240, 5241, 6547, 5243, 6547, 5246, 5247, 5249, 5250, 5253,
-     5256, 5257, 5259, 6547, 6547, 5254, 5266, 5264, 6547, 6547,
-     5261, 5269, 5271, 5274, 5275, 5276, 5277, 5278, 5284, 5279,
-     6547, 5281, 6547, 5285, 5287, 5300, 5288, 5303, 5307, 5308,
-     5310, 5304, 5306, 6547, 5314, 5315, 6547, 5322, 5317, 5321,
-     5318, 5319, 6547, 5326, 5324, 5330, 5336, 6547, 5338, 5339,
-
-     5340, 6547, 5347, 6547, 5331, 5344, 5341, 5356, 5348, 6547,
-     5352, 5357, 6547, 5362, 5364, 5365, 5354, 6547, 5359, 6547,
-     5366, 5370, 5373, 5376, 5378, 5380, 5371, 5381, 5382, 5389,
-     5388, 5390, 6547, 6547,  135, 5398, 5385, 5391, 5395, 5400,
-     5407, 5402, 5405, 5404, 6547, 6547, 5412, 6547, 5410, 5413,
-     6547, 5414, 5419, 5420, 5423, 5424, 5425, 5426, 5428, 5431,
-     5433, 5434, 5435, 5432, 5436, 5454, 5456, 5438, 5459, 5460,
-     5462, 5464, 5466, 5452, 5469, 5470, 5471, 5472, 5473, 5475,
-     5476, 5478, 5479, 6547, 5482, 5484, 5486, 5487, 6547, 5494,
-     5488, 5501, 5491, 6547, 5503, 5504, 5506, 5507, 6547, 5508,
-
-     5510, 5514, 5511, 5512, 5517, 5519, 5530, 5522, 5523, 5521,
-     6547, 6547, 6547, 5533, 5537, 6547, 5540, 5527, 5542, 5543,
-     6547, 5545, 5546, 5547, 6547, 6547, 5548, 5549, 5550, 5557,
-     6547, 5552, 6547, 5553, 6547, 5560, 5563, 5571, 5566, 6547,
-     5576, 5578, 6547, 5584, 5586, 5588, 5580, 5577, 5590, 5591,
-     6547, 5562, 5593, 5594, 5601, 5592, 5595, 5602, 5603, 5604,
-     5611, 5606, 5613, 6547, 5614, 5615, 5616, 5624, 5617, 5554,
-     5619, 6547, 5626, 6547, 5628, 6547, 5629, 5630, 5633, 5632,
-     5635, 5638, 5639, 5640, 5648, 5644, 5650, 5652, 5655, 5656,
-     6547, 6547, 5659, 5661, 6547, 5662, 6547, 5664, 6547, 5665,
-
-     5666, 5669, 5667, 6547, 5671, 5673, 5677, 5680, 5676, 5679,
-     6547, 5687, 5689, 5690, 5692, 6547, 6547, 5684, 5700, 5696,
-     6547, 5695, 5706, 5708, 5702, 5711, 5712, 5715, 5713, 5720,
-     5697, 5719, 5718, 5726, 5729, 5727, 6547, 6547, 6547, 5734,
-     5721, 5742, 5740, 5744, 5743, 5735, 6547, 5745, 5749, 5751,
-     5752, 5760, 5755, 5758, 6547, 5762, 5759, 5761, 5763, 5765,
-     5766, 5767, 5769, 6547, 5780, 5782, 5770, 5784, 5787, 5789,
-     5791, 5794, 5795, 5796, 5803, 5799, 6547, 5801, 6547, 6547,
-     5802, 6547, 5805, 5806, 5807, 5809, 6547, 5812, 5813, 5814,
-     5816, 5815, 5817, 5819, 5824, 6547, 5831, 5820, 5832, 5836,
-
-     6547, 6547, 5838, 6547, 5843, 5844, 5834, 5852, 5845, 5847,
-     5854, 5856, 6547, 5850, 5858, 5859, 5860, 5862, 6547, 5863,
-     5865, 5866, 5867, 6547, 5873, 5869, 5875, 5874, 5876, 6547,
-     5877, 5879, 5889, 5896, 6547, 5880, 5894, 5890, 6547, 6547,
-     5905, 5907, 5898, 6547, 6547, 6547, 5909, 5910, 5911, 5913,
-     6547, 5917, 5921, 5925, 5929, 5920, 6547, 5928, 5931, 5935,
-     5914, 5936, 6547, 6547, 5937, 5938, 5939, 5942, 6547, 6547,
-     5943, 5945, 5947, 5946, 5948, 6547, 5949, 5953, 5959, 5965,
-     5970, 5956, 5961, 5972, 5979, 5980, 5975, 5976, 5977, 5982,
-     5983, 5985, 5990, 5992, 5993, 5995, 5997, 6001, 6002, 6547,
-
-     6547, 6006, 6547, 6009, 6003, 6547, 6547, 6011, 6014, 6018,
-     6020, 6022, 6024, 6026, 6028, 6015, 6547, 6029, 6031, 6033,
-     6032, 6034, 6547, 6036, 6040, 6035, 6043, 6037, 6045, 6047,
-     6052, 6547, 6547, 6048, 6057, 6053, 6058, 6063, 6547, 6061,
-     6071, 6068, 6067, 6069, 6073, 6070, 6547, 6074, 6075, 6547,
-     6547, 6083, 6077, 6547, 6547, 6076, 6547, 6547, 6547, 6547,
-     6547, 6547, 6547, 6547, 6085, 6093, 6547, 6094, 6098, 6100,
-     6104, 6547, 6078, 6105, 6106, 6089, 6108, 6547, 6095, 6112,
-     6111, 5292, 6113, 6119, 6117, 6115, 6121, 6124, 6125, 6126,
-     6127, 6131, 6132, 6133, 6142, 6145, 6129, 6146, 6547, 6547,
-
-     6547, 6138, 6135, 6157, 6153, 6159, 6160, 6164, 6166, 6148,
-     6168, 6169, 6170, 6171, 6173, 6174, 6183, 6178, 6179, 6180,
-     6182, 6184, 6187, 6547, 6194, 6190, 6195, 6197, 6547, 6200,
-     6547, 6199, 6547, 6547, 6202, 6206, 6203, 6208, 6216, 6218,
-     6209, 6213, 6219, 6220, 6222, 6547, 6229, 6547, 6547, 6224,
-     6230, 6547, 6232, 6231, 6547, 6233, 6234, 6236, 6241, 6243,
-     6240, 6237, 6244, 6248, 6547, 6547, 6251, 6252, 6257, 6261,
-     6258, 6268, 6264, 6267, 6269, 6273, 6266, 6281, 6547, 6280,
-     6277, 6284, 6547, 6286, 6287, 6288, 6289, 6291, 6298, 6293,
-     6294, 6547, 6296, 6547, 6300, 6302, 6304, 6301, 6303, 6305,
-
-     6315, 6319, 6313, 6547, 6317, 6327, 6321, 6329, 6331, 6333,
-     6334, 6323, 6336, 6339, 6345, 6349, 6346, 6350, 6337, 6354,
-     6351, 6547, 6361, 6352, 6547, 6358, 6362, 6355, 6364, 6365,
-     6547, 6369, 6372, 6373, 6375, 6378, 6379, 6547, 6381, 6385,
-     6382, 6547, 6388, 6547, 6547, 6390, 6387, 6394, 6397, 6399,
-     6547, 6547, 6547, 6427, 6434, 6441, 6448, 6455, 6462, 6469,
-       88, 6476, 6483, 6490, 6497, 6504, 6511, 6518, 6525, 6532,
-     6539
+      763,  766,  762,  774,  773,  765,  769,  794,  799,  782,
+      787,  800,  801,  804,  802,  803,  806,  808,  809,  814,
+      818,  819,  823,  807,  825,  827,  834,  829, 6793,  831,
+      838,  846,  839,  847,  850,  848,  854,  856,  836,  866,
+      864,  867,  876,  898,  849,  871,  868,  878,  881, 6793,
+      884,  882,  922,  890,  891,  908,  910,  859,  909,  911,
+      904,  912,  933,  906,  920,  915,  945,  942,  930,  943,
+
+      944,  946,  952,  954,  955,  953,  957,  958,  966,  861,
+      961,  970,  981,  962,  964,  968,  971,  974,  986,  983,
+      990,  991,  993,  995,  997,  996, 1001,  999, 1022, 1004,
+     1002, 1000, 1016, 1017, 1024, 1023, 1025, 1028, 1030, 1029,
+     1037, 1041, 1038, 1046, 1047, 1048, 1049, 1059, 1054, 1055,
+     1056, 1060, 1062, 1063, 1066, 1068, 1069, 1071, 1073, 1074,
+     1080, 1081, 1085, 1089, 1075, 1090, 1082, 6793, 1097, 6793,
+     1092, 1095, 1099, 1100, 1101, 1102, 1105, 6793, 1107, 1110,
+     1109, 1112, 1120, 1115, 1136, 1111, 1118, 1123, 1135, 1119,
+     1137, 1145, 1140, 1141, 1148, 1143, 1146, 1147, 1149, 1150,
+
+     1153, 1156, 1159, 1161, 1155, 1162, 1178, 6793, 1163, 1167,
+     1165, 1168, 1176, 1182, 1173, 1181, 1191, 1190, 1201, 1193,
+     1199, 1213, 1202, 1203, 1211, 1210, 1215, 1220, 1216, 1222,
+     1224, 1225, 1227, 1228, 1226, 1230, 1231, 1234, 1232, 1238,
+     1240, 6793, 1247, 1244, 1250, 1255, 1257, 1258, 1259, 1260,
+     1261, 1262, 1263, 1264, 1266,  517, 1271, 1282, 1289, 1272,
+     1291, 1275, 1290, 1286, 1288, 1265, 1292, 1296, 1294, 1307,
+     1298, 1309, 1314, 1322, 1318, 1320, 1327, 1329, 1304, 1324,
+     1299, 1326, 1330, 1332, 1334, 1333, 1335, 1341, 1339, 1348,
+     1344, 1346, 1345, 1347, 1351, 1353, 1355, 1356, 1357, 1359,
+
+     1366, 1361, 1373, 1369, 1371, 1372, 1368, 1387, 1376, 1379,
+     1391, 1392, 1389, 1390, 6793, 1399, 1398, 1401, 1402, 1408,
+     1409, 1410, 1400, 1411, 1414, 1417, 1418, 1419, 1425, 1422,
+     1426, 1420, 1427, 1433, 1432, 1440, 1446, 1435, 1450, 1451,
+     1453, 1437, 1449, 1456, 1457, 1465, 1462, 1466, 1468, 1464,
+     1469, 1478, 1470, 1473, 1475, 1485, 1481, 1482, 1487, 1484,
+     1496, 1498, 1490, 1507, 1499, 1509, 1516, 1502, 1488, 1517,
+     1506, 1518, 1512, 1521, 1522, 1523, 1526, 1533, 1528, 1529,
+     1534, 1535, 1536, 1537, 1531, 1544, 1547, 1545, 1548, 1551,
+     1552, 1553, 1557, 1560, 1555, 1561, 1566, 1567, 1568, 1570,
+
+     1558, 1578, 1588, 1569, 1580, 1582, 1581, 1589, 1590, 1591,
+     1596, 1597, 1598, 1600, 1601, 1608, 1611, 1602, 1605, 1614,
+     1615, 1617, 1618, 1627, 1619, 1628, 1632, 1633, 1634, 1622,
+     1635, 1638, 1640, 1641, 1645, 1646, 1648, 6793, 1652, 1660,
+     1653, 1658, 1655, 1656, 1661, 1669, 1664, 1668, 1665, 1666,
+     1670, 1692, 6793, 1674, 6793, 6793, 1676, 6793, 6793, 1677,
+     1678, 6793, 1682, 1687, 1699, 1698, 1705, 1707, 1709, 1685,
+     1710, 1680, 1719, 1725, 1716, 1717, 1718, 1723, 1730, 1721,
+     1731, 1728, 1738, 1742, 1740, 1746, 1749, 1754, 1756, 1758,
+     1750, 1761, 1767, 1764, 1770, 1772, 1775, 1760, 1776, 1778,
+
+     1779, 1780, 1782, 1781, 1784, 1787, 1790, 1791, 1793, 1786,
+     1794, 1805, 1803, 1796, 1813, 6793, 1809, 1821, 1806, 1823,
+     1819, 1826, 1827, 1822, 1810, 1832, 1834, 1829, 1835, 1836,
+     1838, 1839, 1840, 1842, 1844, 1846, 1850, 1848, 1860, 1849,
+     6793, 1862, 1863, 1851, 1859, 1865, 1866, 1873, 1867, 1852,
+     1870, 1876, 1886, 1882, 1884, 1887, 1888, 1890, 1891, 1892,
+     6793, 1894, 1901, 1898, 1902, 1904, 1893, 1908, 1905, 1910,
+     1911, 1912, 1917, 1915, 1918, 1922, 1923, 1924, 1926, 1929,
+     1934, 1931, 1938, 1941, 1948, 1942, 1944, 1949, 1950, 1951,
+     1953, 1954, 1955, 1957, 1962, 1966, 1965, 1969, 1967, 1968,
+
+     1978, 1986, 1971, 1982, 1983, 1984, 1985, 1990, 1993, 1998,
+     1994, 1996, 1999, 2008, 2000, 2005, 2007, 2010, 2013, 2023,
+     2009, 2026, 2018, 2011, 2021, 2027, 2028, 6793, 2034, 2035,
+     6793, 2037, 2036, 2038, 2060, 2039, 2042, 2051, 2044, 2045,
+     2048, 2053, 2061, 2057, 2064, 2073, 2074, 2077, 2080, 2079,
+     2082, 2086, 2085, 2088, 2089, 2092, 2095, 2093, 2100, 2107,
+     2109, 2055, 2113, 2117, 2112, 2114, 2118, 2137, 2115, 2116,
+     2125, 2119, 2122, 2124, 2120, 2126, 2130, 2135, 2140, 2132,
+     2147, 2150, 2146, 2149, 2152, 2153, 2160, 2162, 2165, 2164,
+     6793, 2172, 2170, 2174, 2175, 2176, 2183, 2181, 2179, 6793,
+
+     2182, 2185, 2187, 2196, 2188, 2192, 2195, 2199, 2201, 2202,
+     2204, 2205, 2208, 2206, 2207, 2226, 6793, 2209, 6793, 2213,
+     2210, 2218, 2221, 2228, 2229, 2231, 2232, 2233, 6793, 6793,
+     2234, 2235, 2248, 2251, 2241, 2243, 2252, 6793, 2253, 2260,
+     6793, 2262, 2261, 2256, 2255, 2257, 2267, 2268, 2271, 2278,
+     2274, 2282, 2277, 2279, 2283, 6793, 2287, 2280, 2288, 2291,
+     2289, 2295, 2298, 2302, 2299, 6793, 2300, 2308, 2309, 2316,
+     2313, 2314, 2317, 2318, 2319, 2322, 2325, 2326, 2327, 2328,
+     2337, 2338, 2329, 2342, 2339, 2343, 2351, 6793, 2349, 2350,
+     2336, 2358, 2355, 2362, 2357, 2363, 2353, 2359, 2364, 2370,
+
+     2365, 2369, 2375, 2377, 2379, 2386, 2387, 2382, 2383, 2385,
+     2390, 2391, 2392, 2394, 2399, 2396, 2401, 2400, 2402, 6793,
+     2403, 2407, 2408, 2413, 2415, 2411,  171, 2421, 2417, 2424,
+     2423, 2425, 2430, 2426, 2439, 2443, 2438, 2440, 2442, 2447,
+     2441, 2448, 2451, 2449, 2450, 2453, 2457, 2458, 6793, 2466,
+     2459, 2461, 2463, 2468, 2467, 2470, 6793, 2476, 2481, 2483,
+     2491, 2485, 2493, 2494, 2495, 2498, 2496, 2499, 2500, 2501,
+     2503, 2506, 2510, 2509, 6793, 2512, 2517, 2518, 2515, 2524,
+     2526, 2525, 2527, 2531, 2532, 2533, 2537, 2536, 2538, 2539,
+     2540, 2541, 2547, 2548, 2555, 2544, 2554, 2556, 2557, 2560,
+
+     2566, 2562, 2567, 2568, 2575, 2570, 6793, 2577, 2573, 2580,
+     2576, 2582, 2585, 2586, 2587, 2604, 2589, 2593, 2596, 2605,
+     2610, 2600, 2612, 2620, 2616, 2622, 2625, 2630, 2626, 2632,
+     2635, 2628, 2638, 2640, 2641, 2642, 2650, 2646, 2647, 2648,
+     2651, 2652, 2662, 2663, 2654, 2664, 2666, 2669, 2658, 2676,
+     2681, 2683, 6793, 2685, 2673, 2687, 2690, 2697, 2692, 2671,
+     2695, 2698, 2702, 2703, 2704, 2706, 2713, 2708, 2710, 2714,
+     2716, 2715, 2717, 2724, 2719, 2725, 2727, 2734, 2730, 2736,
+     2595, 6793, 2738, 2739, 2740, 2742, 2747, 2743, 2749, 2752,
+     2755, 2754, 2756, 2758, 2761, 2762, 2764, 2765, 2772, 2768,
+
+     2769, 2774, 2770, 6793, 2780, 2771, 2782, 2784, 2789, 2791,
+     2790, 2793, 2792, 2800, 2802, 2803, 2804, 2805, 2806, 6793,
+     2814, 2815, 2811, 2813, 2823, 2820, 2822, 2824, 2826, 2827,
+     6793, 2828, 2830, 2832, 2831, 2834, 2836, 2843, 2844, 2839,
+     6793, 2855, 2850, 2840, 2851, 2853, 2852, 2856, 2857, 2861,
+     2862, 2867, 2863, 2873, 2869, 2875, 6793, 2876, 2883, 2878,
+     2879, 2886, 2884, 2889, 2890, 2901, 2891, 2897, 2893, 6793,
+     2916, 2911, 2902, 2918, 2903, 2914, 2919, 2920, 2921, 2923,
+     2924, 2927, 2928, 6793, 2929, 2931, 2933, 2934, 2938, 2936,
+     2939, 2952, 2945, 2947, 2950, 2953, 2955, 2956, 2960, 2962,
+
+     2967, 2959, 2961, 2971, 2973, 2963, 2976, 2979, 2983, 2987,
+     2992, 2988, 2989, 2994, 2991, 2995, 2996, 2998, 3006, 3007,
+     3010, 3008, 3012, 6793, 3015, 3016, 3018, 3005, 3019, 3021,
+     3022, 3025, 3028, 3024, 3026, 3033, 3036, 3030, 3046, 3048,
+     3039, 3051, 3041, 3043, 3054, 3053, 3055, 3056, 3057, 3067,
+     3064, 3065, 3066, 3077, 3068, 3072, 3079, 3070, 3080, 3081,
+     3082, 3083, 3084, 3088, 3090, 3093, 3094, 3095, 3086, 3107,
+     3109, 3110, 3112, 3104, 3102, 3118, 3119, 6793, 3122, 3123,
+     3120, 3124, 3126, 3130, 3127, 3139, 3134, 3137, 3136, 3143,
+     3148, 3145, 3146, 3151, 3153, 3161, 3157, 6793, 3154, 6793,
+
+     3158, 3162, 3168, 3176, 3163, 6793, 3175, 6793, 3177, 3182,
+     3171, 3178, 6793, 3185, 3184, 3166, 3189, 3190, 3191, 3193,
+     3195, 3196, 3197, 3199, 3200, 3203, 3204, 3206, 3207, 3209,
+     3217, 3211, 3219, 3223, 3220, 3227, 3230, 3224, 3238, 3214,
+     3231, 3240, 3241, 3233, 3242, 6793, 3249, 3243, 3253, 3254,
+     3255, 3256, 3258, 3257, 3261, 3260, 3262, 3264, 3267, 3268,
+     3279, 3273, 3265, 3280, 3281, 3284, 3292, 3290, 3297, 6793,
+     3293, 3295, 3296, 3298, 6793, 3301, 3299, 3302, 3308, 3305,
+     3311, 3312, 3313, 3317, 3314, 3321, 3320, 3325, 3330, 3334,
+     3335, 6793, 3336, 3337, 3322, 3341, 3349, 3352, 3356, 3353,
+
+     3359, 3361, 3357, 3363, 3364, 3355, 3365, 3366, 3367, 3375,
+     3378, 3371, 3380, 3379, 3382, 3389, 3385, 3381, 3383, 3391,
+     3392, 3393, 3394, 3395, 3396, 3397, 3400, 3411, 3398, 3416,
+     6793, 3406, 3415, 3419, 3426, 3401, 3424, 3405, 3428, 3429,
+     6793, 3431, 3433, 3434, 3435, 3436, 3441, 3438, 3443, 3444,
+     3445, 3446, 3448, 3451, 3449, 6793, 3457, 6793, 3458, 3466,
+     3471, 3474, 3464, 3468, 3475, 3480, 3481, 3482, 3484, 3485,
+     3487, 3490, 3491, 3493, 3495, 3496, 3497, 3504, 3500, 3503,
+     3511, 3510, 3512, 3513, 3521, 3517, 3518, 6793, 6793, 3516,
+     3519, 3531, 3527, 3525, 3533, 3535, 3539, 3540, 3542, 3544,
+
+     3546, 3553, 6793, 3549, 3554, 3555, 3556, 3568, 3557, 3559,
+     3572, 3571, 3567, 3579, 3574, 6793, 3570, 3578, 3588, 3583,
+     3584, 3591, 6793, 3586, 6793, 3589, 3595, 3597, 3598, 3600,
+     3599, 3601, 3602, 3604, 3606, 3617, 3613, 3625, 3611, 3622,
+     3623, 3626, 3627, 3629, 3632, 3636, 3631, 3633, 3634, 6793,
+     3640, 3635, 3637, 3642, 3648, 3651, 3654, 3657, 3650, 6793,
+     3658, 3661, 3660, 3662, 3664, 3672, 3665, 3675, 3667, 3677,
+     3678, 3681, 3682, 3683, 6793, 3680, 3685, 3696, 3689, 3691,
+     3697, 3707, 3708, 3713, 6793, 3693, 3710, 3720, 3716, 3717,
+     3700, 3718, 3704, 3722, 3723, 3725, 3726, 3727, 3728, 3730,
+
+     3733, 3734, 3736, 3735, 3747, 3746, 3738, 3750, 3760, 3740,
+     6793, 3756, 3757, 3762, 3763, 3764, 3765, 3767, 3770, 3772,
+     3773, 3785, 3786, 3774, 3777, 3789, 3790, 3797, 3796, 6793,
+     3806, 3792, 3807, 3803, 3780, 3809, 3814, 3782, 3811, 3818,
+     3804, 3815, 3820, 3821, 3822, 3824, 3833, 3828, 3830, 3831,
+     3832, 3843, 3834, 6793, 3845, 3846, 3838, 3855, 3848, 3851,
+     3862, 3858, 3861, 3863, 3865, 3868, 3869, 3871, 3873, 3874,
+     3877, 3872, 6793, 6793, 3879, 3880, 3887, 6793, 3888, 3882,
+     3889, 3885, 3899, 3886, 3893, 3902, 3904, 3890, 3910, 3900,
+     3906, 6793, 3912, 3920, 3915, 3918, 3927, 3928, 6793, 3919,
+
+     3929, 3932, 3934, 3924, 3936, 3940, 3937, 3941, 3942, 3943,
+     3945, 3953, 3954, 3950, 3951, 3957, 6793, 3952, 3958, 3962,
+     3964, 3955, 3968, 6793, 3965, 3971, 3978, 3976, 3981, 3986,
+     3987, 3988, 3993, 3973, 3989, 3995, 3996, 3997, 3998, 4006,
+     4002, 4007, 4005, 4008, 4012, 4015, 4009, 6793, 4019, 4023,
+     4024, 4026, 6793, 4030, 4033, 4037, 6793, 4041, 4036, 4038,
+     4040, 4048, 6793, 4045, 4046, 4047, 4053, 4049, 4061, 4051,
+     4064, 4066, 4056, 4060, 4063, 4067, 6793, 4069, 4070, 4071,
+     6793, 4082, 4077, 4084, 4087, 4072, 4094, 4090, 4093, 4091,
+     4095, 6793, 4100, 6793, 4099, 4101, 4106, 6793, 4103, 4108,
+
+     4109, 4111, 4112, 4117, 4118, 4116, 4125, 4126, 4127, 4129,
+     4130, 4128, 4133, 4137, 4134, 4135, 4139, 4140, 6793, 4141,
+     4143, 4150, 4145, 4155, 4151, 4158, 4148, 4162, 4163, 6793,
+     6793, 4172, 6793, 4174, 4164, 4166, 6793, 4168, 4173, 4181,
+     4178, 4184, 4186, 4179, 4190, 4191, 6793, 4193, 4200, 6793,
+     4194, 4196, 4204, 4205, 4203, 4206, 4207, 4208, 4211, 4212,
+     4213, 4214, 4215, 4222, 4216, 4221, 4218, 6793, 4223, 4229,
+     4232, 4239, 4231, 4235, 4245, 4241, 4240, 6793, 4251, 4257,
+     4247, 4253, 4254, 6793, 4262, 6793, 4250, 4263, 4264, 4267,
+     4266, 4279, 6793, 4275, 4270, 4281, 4274, 4278, 4286, 4282,
+
+     4289, 4290, 4291, 4298, 4296, 4293, 4295, 4303, 4304, 6793,
+     4299, 4305, 4310, 4313, 4315, 4316, 4323, 4320, 4322, 4321,
+     4326, 4328, 4329, 4331, 4337, 4335, 4340, 4333, 6793, 4343,
+     4346, 4347, 4359, 4349, 4354, 4350, 6793, 4357, 4360, 4366,
+     6793, 4364, 4356, 4370, 4373, 4367, 4374, 4375, 4378, 4380,
+     4381, 4382, 6793, 4383, 4386, 4384, 4388, 4397, 4390, 6793,
+     6793, 4400, 6793, 4401, 4389, 4405, 4408, 4409, 4413, 4411,
+     4414, 4416, 4417, 4418, 4421, 4424, 4427, 6793, 4428, 4436,
+     4431, 4439, 4448, 4449, 4441, 4446, 4432, 6793, 6793, 4451,
+     4455, 4457, 4459, 4460, 4462, 4445, 4471, 4464, 4467, 4473,
+
+     4475, 4482, 6793, 4479, 4477, 4484, 4478, 6793, 4485, 4486,
+     4489, 4487, 4490, 4493, 4492, 4494, 4496, 4499, 4504, 4505,
+     4500, 4513, 4506, 4507, 4516, 4517, 4519, 4520, 4522, 4527,
+     6793, 4523, 4529, 4530, 4534, 4535, 4537, 4539, 4538, 4541,
+     4551, 6793, 4543, 6793, 4542, 4547, 4546, 4563, 4544, 4554,
+     4566, 4567, 4568, 4569, 4572, 4573, 4576, 4577, 4587, 4578,
+     4582, 4588, 4590, 4592, 4597, 4598, 6793, 4600, 4584, 4594,
+     4601, 4607, 4609, 4610, 4612, 4615, 4617, 4619, 4618, 4621,
+     4625, 4622, 4626, 4627, 4628, 4630, 6793, 4632, 4639, 4631,
+     4641, 4643, 4645, 4652, 4646, 4654, 4648, 4656, 4657, 6793,
+
+     4658, 4660, 4664, 6793, 4665, 4666, 4668, 4670, 4676, 4669,
+     4672, 4678, 4680, 6793, 4682, 4684, 4687, 4686, 4690, 4691,
+     4692, 4696, 4698, 4699, 4702, 6793, 4712, 4703, 4711, 4714,
+     4710, 4713, 4717, 4723, 4721, 6793, 4724, 4725, 4727, 4737,
+     4739, 4732, 4734, 4746, 4736, 4743, 4744, 4745, 4751, 4750,
+     4752, 4755, 4756, 4757, 4766, 4768, 4763, 6793, 4770, 6793,
+     4772, 4773, 4774, 4783, 4778, 4776, 4780, 4784, 4786, 6793,
+     4788, 4791, 4794, 4795, 4796, 6793, 4797, 4798, 4800, 4799,
+     6793, 4813, 4812, 4801, 4818, 4803, 4819, 6793, 4823, 4824,
+     4826, 4834, 4835, 4832, 4837, 4825, 4842, 4833, 4838, 4840,
+
+     4846, 4850, 4848, 4849, 6793, 4851, 4853, 4858, 4860, 4861,
+     4863, 4864, 4867, 4869, 4866, 6793, 4873, 4874, 4875, 4876,
+     4877, 4880, 4882, 4889, 4885, 4892, 4886, 4888, 4896, 4897,
+     4898, 4906, 6793, 4899, 4901, 4903, 4916, 4912, 4921, 6793,
+     4909, 6793, 4913, 4924, 4926, 4914, 4930, 6793, 6793, 4928,
+     4939, 4922, 4936, 4937, 6793, 6793, 4942, 6793, 4938, 6793,
+     4943, 4944, 6793, 6793, 4945, 4947, 4948, 4949, 4953, 4952,
+     6793, 4962, 6793, 4965, 4963, 4955, 4966, 4967, 6793, 4968,
+     4974, 4970, 4978, 4976, 6793, 4980, 4985, 4981, 4983, 6793,
+     4992, 4993, 4984, 4986, 6793, 4994, 5001, 4997, 5005, 5006,
+
+     5007, 5008, 5011, 5013, 5009, 5014, 5016, 5017, 5024, 5031,
+     5033, 5035, 5039, 5028, 5026, 5041, 5042, 5047, 5045, 5049,
+     5050, 5051, 5052, 5054, 5056, 5053, 5059, 5061, 5063, 5064,
+     5068, 5065, 5066, 5078, 5067, 5079, 5081, 5082, 5085, 5088,
+     5089, 5090, 5092, 5093, 5095, 5018, 5094, 5096, 5101, 5098,
+     5100, 6793, 5102, 5104, 5105, 5108, 5118, 5119, 5122, 5130,
+     5134, 5135, 6793, 5137, 6793, 5139, 5123, 5131, 5125, 5143,
+     6793, 5145, 5146, 5147, 5148, 5112, 5150, 5149, 5152, 5153,
+     5155, 5156, 6793, 5160, 5161, 5154, 5174, 5163, 6793, 5177,
+     5167, 5178, 5179, 5180, 5184, 5182, 5185, 5188, 5189, 5191,
+
+     5193, 5195, 5181, 5202, 5205, 6793, 5207, 5210, 5218, 5213,
+     5214, 5215, 5216, 5217, 5219, 5221, 5223, 5224, 5233, 5225,
+     5236, 6793, 5237, 6793, 5238, 5240, 5242, 5243, 5244, 5245,
+     5246, 5248, 6793, 6793, 5251, 5252, 5258, 5253, 5260, 5262,
+     5264, 5265, 5269, 6793, 5270, 5272, 5282, 5274, 6793, 5277,
+     5279, 5283, 5289, 6793, 5284, 5286, 5290, 5298, 5291, 5301,
+     5302, 5304, 5293, 5305, 5306, 5312, 6793, 6793, 6793, 6793,
+     5314, 5308, 5319, 5316, 5320, 5322, 5323, 5325, 5328, 5321,
+     5324, 6793, 5336, 6793, 6793, 5337, 5338, 5340, 5344, 5345,
+     5346, 5347, 5350, 6793, 5348, 6793, 5352, 5355, 5351, 5362,
+
+     5368, 5359, 5369, 5371, 5372, 5373, 5374, 5375, 5382, 5380,
+     5383, 5381, 5386, 5390, 5395, 6793, 6793, 5387, 5398, 5399,
+     5407, 5403, 5404, 5405, 5416, 5411, 5412, 5413, 5414, 5418,
+     5420, 5427, 5430, 5423, 5425, 6793, 5431, 5434, 5432, 6793,
+     5433, 6793, 5442, 5443, 5436, 5440, 5446, 5449, 5450, 5452,
+     5457, 6793, 6793, 5456, 5465, 5460, 6793, 6793, 5444, 5464,
+     5467, 5469, 5470, 5471, 5472, 5473, 5476, 5478, 6793, 5479,
+     6793, 5480, 5483, 5492, 5482, 5495, 5499, 5485, 5502, 5505,
+     5498, 5508, 6793, 5501, 5509, 6793, 5517, 5512, 5514, 5516,
+     5519, 6793, 5520, 5523, 5525, 5527, 6793, 5529, 5531, 5532,
+
+     6793, 5539, 6793, 5533, 5540, 5536, 5550, 5542, 6793, 5543,
+     5546, 6793, 5552, 5556, 5557, 5558, 5559, 6793, 5562, 5564,
+     6793, 5565, 5567, 5568, 5574, 5575, 5577, 5570, 5578, 5579,
+     5586, 5588, 5591, 6793, 6793, 5598, 5584,  135, 5600, 5581,
+     5597, 5601, 5602, 5609, 5605, 5606, 5612, 6793, 6793, 5613,
+     6793, 5607, 5616, 6793, 5614, 5620, 5624, 5626, 5622, 5628,
+     5629, 5631, 5633, 5634, 5647, 5637, 5635, 5652, 5642, 5662,
+     5638, 5664, 5665, 5667, 5669, 5671, 5659, 5673, 5674, 5653,
+     5676, 5677, 5680, 5681, 5683, 5684, 5685, 6793, 5688, 5696,
+     5697, 5689, 6793, 5702, 5691, 5709, 5706, 6793, 5713, 5710,
+
+     5714, 5715, 5716, 6793, 5703, 5718, 5722, 5720, 5727, 5728,
+     5640, 5736, 5731, 5732, 5733, 6793, 6793, 6793, 5738, 5748,
+     6793, 5750, 5740, 5734, 5742, 6793, 5752, 5753, 5745, 6793,
+     6793, 5755, 5756, 5758, 6793, 5763, 5770, 6793, 5765, 6793,
+     5766, 6793, 5768, 5769, 5771, 5775, 6793, 5776, 5778, 5779,
+     5785, 6793, 5795, 5797, 5799, 5792, 5782, 5788, 5800, 6793,
+     5809, 5806, 5808, 5815, 5804, 5812, 5810, 5816, 5817, 5825,
+     5818, 5827, 6793, 5828, 5829, 5833, 5836, 5820, 5830, 5840,
+     6793, 5841, 6793, 5847, 6793, 5844, 5849, 5848, 5842, 5850,
+     5853, 5856, 5854, 5858, 5867, 5860, 5863, 5865, 5871, 5873,
+
+     6793, 6793, 5875, 5877, 6793, 5879, 6793, 5883, 6793, 5880,
+     5885, 5884, 5886, 5888, 6793, 5895, 5887, 5890, 5903, 5898,
+     5904, 6793, 5905, 5908, 5909, 5911, 6793, 6793, 5912, 5919,
+     5915, 6793, 5914, 5917, 5925, 5918, 5926, 5930, 5927, 5931,
+     5934, 5941, 5937, 5939, 5942, 5944, 5945, 5947, 5952, 5957,
+     6793, 6793, 6793, 5953, 5948, 5967, 5964, 5966, 5976, 5959,
+     6793, 5973, 5972, 5974, 5975, 5986, 5981, 5983, 6793, 5984,
+     5985, 5987, 5988, 5990, 5991, 5992, 5993, 6793, 6005, 6007,
+     5995, 5997, 6009, 6016, 6018, 6020, 6022, 6013, 6023, 6030,
+     6027, 6793, 6029, 6793, 6793, 6025, 6793, 6031, 6033, 6035,
+
+     6034, 6036, 6793, 6039, 6040, 6041, 6043, 6042, 6050, 6046,
+     6048, 6793, 6058, 6051, 6061, 6063, 6793, 6793, 6064, 6070,
+     6793, 6073, 6074, 6067, 6082, 6065, 6075, 6087, 6084, 6793,
+     6088, 6090, 6078, 6091, 6094, 6093, 6096, 6793, 6100, 6097,
+     6101, 6103, 6793, 6104, 6109, 6110, 6112, 6113, 6793, 6114,
+     6106, 6130, 6115, 6793, 6117, 6129, 6131, 6793, 6793, 6135,
+     6139, 6136, 6793, 6793, 6793, 6793, 6142, 6143, 6145, 6147,
+     6793, 6150, 6154, 6158, 6160, 6165, 6153, 6793, 6161, 6167,
+     6169, 6170, 6171, 6793, 6793, 6172, 6173, 6174, 6178, 6175,
+     6793, 6793, 6180, 6182, 6183, 6181, 6184, 6793, 6186, 6191,
+
+     6198, 6194, 6200, 6207, 6209, 6202, 6210, 6211, 6219, 6222,
+     6212, 6214, 6221, 6225, 6226, 6224, 6228, 6238, 6233, 6235,
+     6241, 6236, 6244, 6793, 6793, 6246, 6793, 6248, 6250, 6793,
+     6793, 6253, 6255, 6257, 6261, 6793, 6263, 6265, 6267, 6269,
+     6258, 6793, 6270, 6272, 6273, 6274, 6275, 6793, 6277, 6278,
+     6281, 6283, 6287, 6289, 6290, 6293, 6793, 6288, 6305, 6793,
+     6793, 6294, 6296, 6285, 6306, 6302, 6793, 6310, 6314, 6309,
+     6316, 6315, 6317, 6322, 6793, 6318, 6319, 6793, 6793, 6325,
+     6326, 6793, 6793, 6327, 6793, 6793, 6793, 6793, 6793, 6793,
+     6793, 6793, 6331, 6330, 6793, 6332, 6340, 6343, 6793, 6347,
+
+     6793, 6337, 6348, 6350, 6344, 6793, 6349, 6793, 6351, 6355,
+     6356, 6365, 6358, 6368, 6359, 6352, 6362, 6370, 6375, 6376,
+     6378, 6377, 6379, 6381, 6383, 6393, 6385, 6390, 6793, 6793,
+     6793, 6382, 6394, 6398, 6399, 6404, 6406, 6410, 6412, 6401,
+     6413, 6415, 6416, 6417, 6419, 6423, 6430, 6425, 6428, 6426,
+     6435, 6427, 6437, 6793, 6442, 6443, 6429, 6446, 6793, 6449,
+     6793, 6432, 6793, 6793, 6452, 6453, 6455, 6456, 6465, 6466,
+     6457, 6461, 6462, 6467, 6469, 6793, 6477, 6793, 6793, 6470,
+     6473, 6793, 6478, 6479, 6793, 6480, 6482, 6484, 6485, 6486,
+     6488, 6489, 6490, 6497, 6793, 6793, 6501, 6502, 6504, 6506,
+
+     6508, 6515, 6510, 6512, 6514, 6522, 6516, 6524, 6793, 6526,
+     6528, 6530, 6793, 6532, 6531, 6534, 6537, 6538, 6545, 6540,
+     6542, 6793, 6543, 6793, 6547, 6549, 6548, 6551, 6552, 6554,
+     6562, 6560, 6564, 6793, 6566, 6568, 6572, 6573, 6575, 6578,
+     6579, 6580, 6582, 6584, 6585, 6594, 6588, 6590, 6596, 6598,
+     6600, 6793, 6602, 6604, 6793, 6605, 6606, 6607, 6608, 6612,
+     6793, 6617, 6609, 6614, 6620, 6625, 6622, 6793, 6631, 6635,
+     6632, 6793, 6636, 6793, 6793, 6637, 6638, 6640, 6644, 6646,
+     6793, 6793, 6793, 6673, 6680, 6687, 6694, 6701, 6708, 6715,
+       88, 6722, 6729, 6736, 6743, 6750, 6757, 6764, 6771, 6778,
+
+     6785
     } ;
 
-static yyconst flex_int16_t yy_def[3372] =
+static yyconst flex_int16_t yy_def[3502] =
     {   0,
-     3353,    1, 3354, 3354, 3355, 3355, 3356, 3356, 3357, 3357,
-     3358, 3358, 3359, 3359, 3360, 3360, 3353, 3361, 3353, 3353,
-     3353, 3353, 3362, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3363, 3353, 3353, 3353,
-     3363, 3364, 3353, 3353, 3353, 3364, 3365, 3353, 3353, 3353,
-     3353, 3365, 3366, 3353, 3353, 3353, 3366, 3367, 3353, 3368,
-     3353, 3367, 3367, 3369, 3353, 3353, 3353, 3353, 3369, 3370,
-     3353, 3353, 3353, 3370, 3361, 3361, 3353, 3371, 3362, 3371,
-     3362, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3363,
-     3363, 3364, 3364, 3365, 3365, 3353, 3366, 3366, 3367, 3367,
-     3368, 3368, 3367, 3369, 3369, 3353, 3370, 3370, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3367, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3367, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3367,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3367, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3361, 3353, 3353, 3361, 3353, 3353, 3361, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3367, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361,
-     3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3353, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3353, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3353, 3361, 3361, 3367, 3367, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3367, 3361, 3361,
-
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353, 3361, 3361,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3353, 3361, 3367, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3353, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3353, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3367, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3353, 3353, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361,
-     3361, 3361, 3353, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3367, 3361, 3353, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3353, 3353, 3361, 3353, 3361,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3353, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3353, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3353, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3367, 3361, 3361,
-     3361, 3361, 3361, 3361, 3353, 3353, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3353, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3353, 3361, 3361, 3361, 3361, 3367, 3361, 3353, 3361,
-     3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3353,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353, 3361,
-     3361, 3361, 3361, 3361, 3353, 3353, 3361, 3361, 3361, 3361,
-     3361, 3353, 3353, 3361, 3353, 3361, 3353, 3361, 3361, 3353,
-     3353, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353, 3361,
-     3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361,
-
-     3353, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3367, 3361, 3361,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3353, 3361, 3361, 3361, 3361,
-     3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3353,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3353, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3353, 3353, 3353, 3353, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353,
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3367, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361,
-     3361, 3361, 3353, 3361, 3353, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3353, 3361, 3361, 3361, 3353, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3353, 3361, 3361,
-
-     3361, 3353, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3353, 3361, 3353,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3353, 3353, 3367, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3353, 3353, 3361, 3353, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3353, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3353, 3361,
-
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3353, 3353, 3361, 3361, 3353, 3361, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3353, 3353, 3361, 3361, 3361, 3361,
-     3353, 3361, 3353, 3361, 3353, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3353, 3361, 3353, 3361, 3353, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3353, 3361, 3361, 3353, 3361, 3353, 3361, 3353, 3361,
-
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3353, 3353, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3353, 3353, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353, 3353,
-     3361, 3353, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361,
-
-     3353, 3353, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3353, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3353,
-     3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3353, 3353,
-     3361, 3361, 3361, 3353, 3353, 3353, 3361, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3353, 3353, 3361, 3361, 3361, 3361, 3353, 3353,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353,
-
-     3353, 3361, 3353, 3361, 3361, 3353, 3353, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3353, 3353, 3361, 3361, 3361, 3361, 3361, 3353, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361, 3353,
-     3353, 3361, 3361, 3353, 3353, 3361, 3353, 3353, 3353, 3353,
-     3353, 3353, 3353, 3353, 3361, 3361, 3353, 3361, 3361, 3361,
-     3361, 3353, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3353,
-
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3353, 3361,
-     3353, 3361, 3353, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3353, 3361, 3353, 3353, 3361,
-     3361, 3353, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3353, 3353, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361,
-     3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3353, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-
-     3361, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361, 3361,
-     3361, 3353, 3361, 3361, 3353, 3361, 3361, 3361, 3361, 3361,
-     3353, 3361, 3361, 3361, 3361, 3361, 3361, 3353, 3361, 3361,
-     3361, 3353, 3361, 3353, 3353, 3361, 3361, 3361, 3361, 3361,
-     3353, 3353,    0, 3353, 3353, 3353, 3353, 3353, 3353, 3353,
-     3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353,
-     3353
+     3483,    1, 3484, 3484, 3485, 3485, 3486, 3486, 3487, 3487,
+     3488, 3488, 3489, 3489, 3490, 3490, 3483, 3491, 3483, 3483,
+     3483, 3483, 3492, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3493, 3483, 3483, 3483,
+     3493, 3494, 3483, 3483, 3483, 3494, 3495, 3483, 3483, 3483,
+     3483, 3495, 3496, 3483, 3483, 3483, 3496, 3497, 3483, 3498,
+     3483, 3497, 3497, 3499, 3483, 3483, 3483, 3483, 3499, 3500,
+     3483, 3483, 3483, 3500, 3491, 3491, 3483, 3501, 3492, 3501,
+     3492, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3493,
+     3493, 3494, 3494, 3495, 3495, 3483, 3496, 3496, 3497, 3497,
+     3498, 3498, 3497, 3499, 3499, 3483, 3500, 3500, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3497, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3497, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3491, 3497, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3497, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3483, 3491, 3483, 3483, 3491, 3483, 3483, 3491,
+     3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3497,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3497, 3497, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3497, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483,
+
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483, 3491, 3491,
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491,
+     3497, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3483, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491,
+     3491, 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3491, 3491, 3491, 3497, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3483, 3483, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491,
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3483, 3491, 3491, 3491, 3483, 3491, 3491, 3491,
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3497, 3491, 3483, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3483, 3491, 3491, 3491, 3483, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3483, 3491, 3483, 3491, 3491, 3491, 3483, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491,
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3497, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3483, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3497, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3483, 3491,
+     3491, 3491, 3491, 3491, 3483, 3483, 3491, 3483, 3491, 3483,
+     3491, 3491, 3483, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491,
+     3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3483,
+     3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3497, 3491, 3491, 3491,
+     3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3483, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3483, 3491,
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3483, 3483, 3483, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3483, 3483, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3497, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3483, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3483,
+     3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3483, 3491, 3491, 3491, 3483, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3483, 3491, 3491, 3483, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491,
+
+     3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491,
+     3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3483, 3483, 3491, 3491, 3497, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3483, 3491,
+     3483, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3483, 3483, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3483,
+     3483, 3491, 3491, 3491, 3483, 3491, 3491, 3483, 3491, 3483,
+     3491, 3483, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491,
+     3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+
+     3483, 3483, 3491, 3491, 3483, 3491, 3483, 3491, 3483, 3491,
+     3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3491, 3491, 3491, 3483, 3483, 3491, 3491,
+     3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3483, 3483, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3483, 3483, 3491, 3483, 3491, 3491, 3491,
+
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3491, 3491, 3491, 3483, 3483, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491,
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3483, 3483, 3491,
+     3491, 3491, 3483, 3483, 3483, 3483, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3483, 3483, 3491, 3491, 3491, 3491, 3491,
+     3483, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3483, 3483, 3491, 3483, 3491, 3491, 3483,
+     3483, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3483,
+     3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3483, 3491, 3491, 3483, 3483, 3491,
+     3491, 3483, 3483, 3491, 3483, 3483, 3483, 3483, 3483, 3483,
+     3483, 3483, 3491, 3491, 3483, 3491, 3491, 3491, 3483, 3491,
+
+     3483, 3491, 3491, 3491, 3491, 3483, 3491, 3483, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3483,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3483, 3491,
+     3483, 3491, 3483, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483, 3483, 3491,
+     3491, 3483, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3483, 3483, 3491, 3491, 3491, 3491,
+
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491,
+     3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491,
+     3491, 3483, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491,
+     3483, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491,
+     3491, 3483, 3491, 3483, 3483, 3491, 3491, 3491, 3491, 3491,
+     3483, 3483,    0, 3483, 3483, 3483, 3483, 3483, 3483, 3483,
+     3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483,
+
+     3483
     } ;
 
-static yyconst flex_int16_t yy_nxt[6588] =
+static yyconst flex_int16_t yy_nxt[6834] =
     {   0,
        18,   19,   20,   21,   22,   23,   22,   18,   18,   18,
        18,   18,   22,   24,   25,   26,   27,   28,   29,   30,
@@ -1602,7 +1646,7 @@ static yyconst flex_int16_t yy_nxt[6588] =
       311,   86,   86,   86,   86,  307,   86,  318,   86,   86,
        86,  319,   86,  325,  312,  313,  315,  309,  314,  316,
        86,  320,   86,  329,  321,  328,  322,  330,  327,  326,
-      332,   86,   86,   86,  724,  334,   86,  338,  323,  331,
+      332,   86,   86,   86,  736,  334,   86,  338,  323,  331,
       324,   86,  335,   86,   86,  340,   86,  342,   86,  339,
       341,   86,  333,   86,   86,   86,  344,  336,   86,   86,
        86,  343,   86,   86,  346,   86,  348,   86,  345,   86,
@@ -1627,648 +1671,676 @@ static yyconst flex_int16_t yy_nxt[6588] =
       425,   86,  436,   86,   86,  434,   86,  438,   86,  441,
       431,  437,  433,   86,  430,   86,  443,  446,   86,   86,
       439,  447,  440,   86,  442,   86,   86,  445,   86,   86,
-      457,  448,   86,  444,   86,  455,   86,   86,   86,  458,
-      461,  459,  499,  449,  170,  462,  450,  456,  469,   86,
-
-      463,  451,  452,  453,  454,  466,   86,  460,  464,  465,
-      467,   86,   86,   86,   86,  468,   86,   86,   86,  477,
-       86,   86,   86,  479,   86,  475,  478,  476,   86,  472,
-      470,   86,  480,  471,  473,  474,   86,   86,   86,  481,
-      483,  482,   86,  487,   86,  168,   86,   86,  488,   86,
-      489,  492,   86,  505,  493,  166,  484,  486,  485,  490,
-       86,   86,   86,   86,  491,   86,  494,  495,  497,   86,
-      498,   86,  500,  496,   86,  506,  507,   86,   86,  508,
-      504,   86,   86,   86,   86,  501,  509,   86,  502,  546,
-      503,   86,  510,   86,  520,   86,  511,  522,  519,  523,
-
-       86,  524,   86,  525,  512,   86,  513,  527,  514,  537,
-      535,  536,  521,  170,  538,   86,   86,   86,   86,  526,
-       86,  515,  539,   86,  516,  556,  517,   86,  518,   86,
-       86,  528,  529,  542,  540,   86,  541,  165,   86,  543,
-      545,  530,  544,  531,  532,  533,   86,  547,  534,  548,
-      549,   86,   86,   86,   86,  558,   86,  551,  553,   86,
-      550,   86,   86,  559,   86,   86,   86,  563,  555,  557,
-       86,  554,   86,   86,   86,  552,  561,  566,   86,  560,
-      562,  567,  568,   86,   86,   86,  565,   86,   86,  573,
-      564,   86,  572,   86,  569,  574,  575,   86,   86,  570,
-
-       86,  571,  577,   86,  578,   86,  580,  581,   86,  584,
-      594,   86,  582,  576,   86,   86,   86,  585,  603,  579,
-      586,   86,   86,  595,  583,   86,  589,  596,   86,  597,
-      599,  587,   86,  588,  590,  591,   86,  598,  592,  593,
-       86,   86,   86,   86,   86,  602,  601,  604,   86,  606,
-      608,   86,   86,  600,   86,   86,  611,  607,  612,  609,
-       86,   86,   86,  605,   86,  610,  613,   86,   86,   86,
-      618,   86,  616,  617,   86,  614,   86,   86,  619,   86,
-       86,   86,  615,  620,  624,   86,   86,  627,  623,  625,
-       86,  626,   86,   86,  621,  622,   86,  628,   86,  630,
-
-       86,  629,   86,  632,  634,   86,   86,   86,   86,  635,
-       86,  637,  631,   86,  633,   86,  645,  647,   86,   86,
-      639,  723,   86,   86,   86,   86,  636,  638,  640,   86,
-      641,  642,  644,  646,  648,  643,   86,   86,   86,  649,
-      652,   86,  655,   86,  650,  658,   86,  651,   86,  657,
-       86,   86,  653,   86,   86,   86,  654,   86,  661,  664,
-       86,   86,   86,  656,  660,  665,  667,   86,   86,  659,
-       86,   86,   86,   86,   86,   86,  662,  666,  663,  681,
-       86,   86,   86,  668,  670,  163,  684,  669,   86,  671,
-      679,  682,  720,  698,  672,  680,  673,  683,   86,   86,
-
-       86,   86,  674,   86,  675,  685,  688,  676,  677,  686,
-      692,   86,  691,  687,  678,  689,   86,   86,  690,   86,
-       86,  693,  696,   86,  699,   86,  694,   86,  701,   86,
-       86,   86,   86,  695,   86,   86,   86,   86,   86,   86,
-      707,   86,  703,  697,  702,  708,  704,  711,  712,  170,
-      700,  705,  710,  713,  714,   86,  706,  709,   86,   86,
-       86,   86,   86,   86,   86,  727,   86,  715,  721,  726,
-       86,   86,   86,  716,  725,  718,  722,  719,  717,  729,
-       86,   86,   86,   86,  728,   86,  731,   86,   86,   86,
-      735,   86,  730,  734,  740,  732,   86,  733,  736,  741,
-
-       86,  743,   86,  744,   86,  737,  745,  739,  738,  742,
-      746,   86,   86,  747,   86,  748,   86,  749,   86,   86,
-       86,   86,  750,   86,   86,  754,   86,  753,   86,   86,
-      752,  757,   86,   86,  756,   86,  762,  751,  755,   86,
-      758,   86,   86,  761,   86,  763,   86,  766,   86,   86,
-      767,  760,  759,  765,   86,   86,   86,   86,  773,   86,
-      770,  768,  764,   86,   86,   86,   86,   86,  774,   86,
-      781,   86,  771,  775,  776,  769,   86,  772,   86,  777,
-       86,  783,  778,  779,  780,  782,   86,   86,  788,  789,
-      786,  784,  785,  787,   86,   86,   86,   86,  790,   86,
-
-      791,   86,  793,   86,  794,   86,   86,   86,  795,   86,
-       86,  802,   86,  798,  800,  796,   86,   86,   86,   86,
-      799,   86,  792,  797,   86,  803,  808,  810,  806,   86,
-      801,   86,   86,  807,  805,  809,  804,  811,  812,   86,
-       86,   86,  813,   86,   86,   86,  814,  819,  821,  815,
-      817,   86,   86,   86,   86,  822,  820,  816,   86,   86,
-      825,   86,   86,  818,  824,  826,   86,   86,   86,   86,
-      832,   86,  829,   86,  827,  828,   86,  834,  835,   86,
-      837,   86,   86,  823,  839,   86,  830,  831,  833,  838,
-      841,  836,   86,   86,   86,  845,   86,  842,  843,  840,
-
-      846,   86,   86,  847,   86,   86,  849,  851,  844,   86,
-       86,   86,   86,  850,   86,  857,   86,  848,   86,   86,
-      858,   86,   86,   86,   86,   86,   86,  852,  853,  854,
-      866,  855,  859,  860,  856,   86,   86,  861,  863,   86,
-      865,   86,  862,   86,   86,  869,   86,  864,  871,   86,
-       86,   86,   86,  867,   86,  868,   86,  880,   86,  878,
-      870,   86,   86,   86,  872,  873,  881,   86,  874,  875,
-      876,  877,  879,   86,   86,  882,   86,   86,  884,  886,
-       86,   86,  883,   86,   86,   86,   86,  885,  890,  891,
-      892,  893,  887,  889,   86,   86,  888,   86,   86,  894,
-
-       86,   86,  896,  895,   86,  170,  897,  902,   86,  899,
-      901,   86,  898,  900,   86,  903,   86,   86,   86,  909,
-       86,   86,  904,  905,   86,  910,  912,   86,   86,   86,
-      914,  906,  907,  911,  913,  916,   86,   86,  908,   86,
-       86,   86,   86,  918,  922,   86,   86,  915,   86,  919,
-       86,   86,   86,  923,   86,  924,  917,   86,   86,   86,
-      921,   86,   86,  942,  925,  920,   86,  937,  938,  935,
-      940,   86,  927,   86,  936,   86,  926,   86,  161,  928,
-       86,  939,  929,   86,  943,  965,  930,  941,   86,  931,
-       86,  944,   86,  948,  949,   86,  932,  933,  946,  934,
-
-       86,   86,  947,  945,   86,  950,  951,   86,  952,   86,
-       86,  953,  957,  959,  960,   86,  954,   86,   86,  962,
-       86,   86,  955,  956,   86,  961,  964,  968,  969,   86,
-      958,   86,  966,  970,   86,  963,  971,   86,  972,   86,
-       86,  975,   86,  967,  974,   86,  973,  976,  977,   86,
-      979,   86,   86,   86,  978,  980,   86,   86,   86,   86,
-       86,  983,   86,  987,  981,   86,   86,  986,   86,   86,
-      990,   86,   86,  996,   86,  982, 1007,   86,  984,  985,
-      988,  994,  989,  992,  991,   86,  997,   86,   86, 1000,
-      995,  998,   86,  999,  993,   86, 1001,   86,   86, 1003,
-
-     1004,   86,   86, 1002,   86,   86,   86, 1005, 1008,   86,
-       86,   86, 1006,   86, 1009,   86, 1011,   86,   86,   86,
-     1012, 1016,   86,   86, 1019,   86,   86, 1018, 1010, 1020,
-       86,   86, 1017, 1013, 1014,   86, 1015,   86,   86, 1022,
-     1023,   86,   86, 1025,   86, 1021,   86, 1027,   86,   86,
-     1026, 1028,   86,   86, 1033,   86, 1029,   86, 1031, 1034,
-       86, 1024,   86, 1035,   86, 1032, 1038,   86, 1036,   86,
-     1044,   86, 1041, 1030, 1037,   86,   86, 1043,   86,   86,
-     1042,   86,   86, 1046,   86, 1040,   86,   86, 1039,   86,
-       86,   86,   86, 1057, 1054, 1052,   86, 1045,   86,   86,
-
-     1047, 1048, 1049,   86,   86, 1058, 1050, 1051,   86, 1055,
-     1059, 1056, 1053,   86, 1062,   86, 1065,   86, 1061,   86,
-     1064,   86, 1060,   86,   86,   86,   86, 1063,   86,   86,
-     1067, 1074, 1069,   86, 1075, 1077,   86,   86,   86, 1066,
-       86,   86,   86, 1068,   86, 1070, 1082, 1072, 1071, 1073,
-     1076, 1080, 1078, 1079, 1081,   86,   86,   86,   86,   86,
-       86, 1086, 1089, 1083,   86, 1088,   86, 1084,   86, 1090,
-       86,   86, 1093, 1095,   86, 1085,   86, 1091,   86, 1087,
-       86, 1098,   86, 1092,   86, 1097, 1099,  170, 1101,   86,
-     1102, 1094,   86,   86, 1096,   86,   86, 1100,   86,   86,
-
-     1105,   86,   86,   86,   86, 1118,   86,   86,   86,   86,
-     1119,   86, 1109, 1104, 1103, 1106, 1108, 1121,   86,   86,
-     1278, 1110, 1107, 1120, 1111,   86, 1124,   86, 1112,   86,
-     1113, 1123, 1122, 1125, 1114,   86, 1115,   86,   86, 1128,
-     1126, 1116,   86, 1127, 1129,   86, 1117, 1130,   86,   86,
-       86, 1131, 1132,   86,   86, 1135,   86, 1134, 1138,   86,
-       86, 1137,   86,   86, 1133, 1136,   86, 1144, 1139, 1142,
-     1145,   86, 1143, 1141, 1146,   86,   86, 1140, 1147,   86,
-       86, 1148, 1149,   86,   86, 1150,   86,   86,   86,   86,
-     1151,   86, 1161, 1152,   86, 1153, 1160, 1162,   86, 1164,
-
-     1154, 1163, 1155,   86,   86, 1167,   86,   86, 1156, 1165,
-     1171, 1166,   86, 1157, 1158,   86,   86,   86,   86,   86,
-     1159,   86, 1172, 1177,   86, 1168, 1169, 1173, 1170,   86,
-       86, 1180,   86, 1178,   86, 1175, 1174,   86,   86, 1176,
-       86, 1181, 1185,   86,   86, 1183,   86, 1184,   86, 1186,
-     1179, 1182,   86,   86, 1191, 1188,   86,   86,   86,   86,
-       86, 1189, 1187, 1194,   86, 1192,   86,   86,   86, 1190,
-      178,   86,   86,   86,   86,   86, 1193, 1201, 1196, 1195,
-     1198, 1199, 1200, 1203, 1202,   86, 1197,   86,   86,   86,
-     1204,   86,   86,   86,   86, 1206,   86,   86, 1211, 1205,
-
-       86, 1212, 1208, 1214,   86, 1213, 1207, 1210, 1216, 1209,
-       86, 1215, 1218, 1217,   86,   86,   86, 1221,   86,   86,
-       86, 1223, 1222,   86, 1224,   86,   86,   86, 1219, 1225,
-       86,   86, 1220, 1226, 1232,   86, 1234,   86, 1227,   86,
-       86, 1228,   86, 1230, 1236, 1229, 1231,   86,   86,   86,
-       86, 1238, 1235,   86,   86, 1233,   86,   86, 1240, 1241,
-       86, 1237, 1244,   86,   86, 1243, 1242,   86, 1245,   86,
-     1239, 1250, 1246, 1247,   86, 1249,   86,   86, 1251,   86,
-     1248,   86,   86, 1252, 1254,   86, 1255,   86,   86,   86,
-       86, 1261, 1259, 1262, 1253,   86,   86,   86,   86,   86,
-
-     1256, 1263,   86, 1260,   86, 1266, 1257, 1264, 1258, 1265,
-     1269,   86,   86, 1267, 1271,   86,   86, 1270, 1268,   86,
-       86,   86,   86,   86,   86,   86, 1276, 1277, 1272, 1273,
-     1279,   86,   86,   86, 1283,   86, 1284,   86,   86, 1274,
-       86, 1275,   86, 1286, 1281, 1287,   86,   86,   86, 1280,
-     1285, 1291, 1282,   86,   86,   86, 1288,   86,   86,   86,
-     1290, 1289,  170, 1293, 1297,   86,   86,   86,   86,   86,
-       86, 1292,   86, 1302, 1304,   86, 1294,   86, 1296, 1301,
-     1299, 1303, 1298, 1295, 1300, 1306, 1307,   86,   86,   86,
-     1305,   86,   86, 1308, 1309,   86,   86, 1310,   86,   86,
-
-       86, 1311, 1312,   86, 1314,   86, 1316,   86, 1320,   86,
-     1317,   86, 1313,   86,   86, 1315,   86,   86,   86,   86,
-     1318,   86, 1324,   86, 1326, 1321, 1319, 1330, 1334, 1323,
-       86, 1322, 1335, 1327,   86, 1328,   86, 1325, 1329,   86,
-     1331, 1332, 1333,   86,   86,   86,   86, 1336,   86, 1337,
-       86, 1340, 1338,   86, 1339,   86,   86,   86, 1343, 1347,
-       86,   86, 1342,   86,   86,   86, 1348, 1341, 1345, 1344,
-     1349,   86,   86,   86,   86, 1346, 1351, 1352,   86, 1354,
-       86, 1353,   86, 1350,   86,   86,   86,   86,   86, 1355,
-       86,   86, 1357, 1359, 1360,   86, 1364, 1356,   86, 1358,
-
-       86,   86,   86,   86, 1361,   86, 1363,   86, 1362, 1368,
-     1365, 1366,   86,   86, 1376, 1371, 1369,   86, 1367,   86,
-       86, 1370,   86,   86, 1372,   86,   86, 1374,   86,   86,
-     1379, 1378, 1373, 1375, 1377,   86,   86,   86, 1383, 1384,
-     1382, 1381, 1388, 1380, 1385,   86, 1398, 1386,   86, 1389,
-     1387,   86, 1390,   86,   86, 1399, 1391,   86, 1400, 1392,
-     1393,   86,   86, 1402, 1394, 1403, 1397, 1401,   86,   86,
-     1395,   86,   86, 1404, 1396,   86, 1406, 1405,   86, 1408,
-       86,   86,   86, 1409,   86, 1410,   86,   86,   86,   86,
-     1407, 1418, 1415, 1413,   86,  176,   86,   86, 1419, 1420,
-
-     1412, 1411, 1416,   86,   86,   86, 1414, 1417,   86, 1421,
-     1428,   86, 1422, 1427,   86, 1429,   86, 1423,   86, 1424,
-     1433, 1425, 1432, 1426, 1430, 1431,   86,   86,   86, 1437,
-       86,   86,   86, 1434, 1438,   86,   86, 1436,   86, 1439,
-       86, 1441,   86,   86, 1435, 1447, 1442, 1443,   86, 1448,
-       86,   86,   86, 1440,   86,   86,   86, 1446, 1449, 1444,
-     1451, 1445,   86,   86,   86, 1453, 1450,   86, 1452, 1454,
-     1458,   86, 1457,   86, 1460,   86,   86,   86, 1461,   86,
-     1462, 1455,   86,   86, 1463, 1466,   86,   86, 1459, 1456,
-     1468,   86, 1465,   86, 1469,   86,   86,   86, 1473,   86,
-
-     1470, 1464,   86,   86,   86,   86, 1475, 1467,   86,  175,
-     1477,   86,   86,   86, 1479,   86, 1481, 1471, 1472,   86,
-     1478,   86, 1474,   86, 1476,   86, 1480,   86, 1483, 1486,
-     1482,   86, 1485, 1484,   86,   86, 1487, 1488,   86, 1490,
-     1489,   86,   86, 1492,   86,   86, 1491, 1496, 1493, 1497,
-     1499, 1494,   86,   86,   86,   86,   86, 1498, 1495,   86,
-       86, 1503,   86, 1500,   86,  170,   86,   86, 1508, 1509,
-       86, 1502,   86, 1511,   86,   86, 1510,   86, 1501,   86,
-     1505,   86,   86,   86, 1504,   86, 1506,   86,   86, 1519,
-     1507, 1512, 1514,   86, 1516,   86,   86, 1513,   86, 1517,
-
-       86, 1515,   86, 1520,   86, 1518,   86, 1523, 1524,   86,
-     1528, 1526,   86, 1522, 1533, 1529,   86, 1527, 1521, 1525,
-       86, 1531, 1530,   86,   86,   86,   86,   86, 1532, 1540,
-     1537,   86,   86, 1538, 1542, 1539, 1543,   86, 1534, 1535,
-       86, 1545, 1536,   86,   86, 1541, 1546,   86, 1544,   86,
-       86,   86,   86,   86,   86, 1550, 1551,   86,   86, 1554,
-       86,   86, 1547,   86, 1559,   86,   86, 1549,   86, 1560,
-     1548, 1552, 1553,   86, 1556, 1563, 1557, 1555,   86, 1558,
-       86,   86,   86,   86, 1561, 1564,   86, 1562,   86, 1571,
-       86,   86,   86,   86, 1566, 1570, 1572, 1565, 1567,   86,
-
-     1575, 1568, 1574,   86,   86,   86, 1580, 1569,   86, 1579,
-     1573, 1581,   86, 1577,   86, 1583,   86,   86, 1576,   86,
-       86,   86,   86, 1588, 1589, 1578, 1584, 1587, 1582,   86,
-       86, 1590,   86, 1591,   86, 1585,   86,   86,   86, 1592,
-     1593,   86, 1586,   86,   86, 1595,   86, 1594,   86,   86,
-       86,   86, 1596,   86, 1601,   86, 1597, 1600,   86, 1603,
-     1598,   86, 1607, 1599,   86, 1609, 1604, 1608,   86, 1602,
-     1610,   86, 1605,   86, 1606,   86, 1612,   86,   86,   86,
-       86,   86,   86, 1620, 1611, 1616,   86, 1615,   86,   86,
-       86, 1621, 1613, 1623,   86,   86, 1614,   86, 1617,   86,
-
-     1619, 1618, 1626, 1625,   86,   86,   86,   86,   86, 1624,
-       86,   86,   86, 1627, 1622, 1635, 1632,   86, 1634,   86,
-       86, 1631,   86, 1628, 1629, 1630, 1633, 1639,   86, 1636,
-     1640,   86, 1638,   86,   86, 1643,   86, 1642, 1637, 1641,
-       86,   86,   86, 1646,   86, 1644,   86, 1647,   86,   86,
-       86, 1650, 1656, 1645, 1654,   86,   86, 1651,   86,   86,
-     1648, 1655, 1649, 1658,   86, 1653,   86,   86, 1652, 1659,
-     1660, 1661,   86,   86, 1657,   86,   86, 1666, 1667,   86,
-       86,   86,   86,   86, 1664,   86, 1671, 1670, 1672,   86,
-       86, 1663, 1662, 1675,   86,   86, 1665,   86, 1668, 1674,
-
-       86,   86, 1669, 1676,   86,   86,   86,   86, 1679, 1673,
-       86, 1677,   86, 1678,   86, 1681,   86, 1682,   86,   86,
-     1688, 1680, 1683, 1686,   86,   86, 1687,   86,   86,   86,
-       86, 1684,   86, 1685, 1689,   86, 1694,   86,   86,   86,
-       86, 1700, 1690, 1691, 1695, 1697, 1699,   86,   86, 1693,
-     1696,   86, 1692, 1698,   86, 1702,   86,   86,   86, 1701,
-     1705,  170, 1704, 1707, 1708,   86,   86,   86,   86,   86,
-     1703,   86,   86, 1716,   86,   86, 1706, 1709,   86, 1717,
-       86, 1711,   86, 1714, 1710, 1720,   86, 1712, 1713, 1721,
-       86,   86,   86, 1724,   86, 1718, 1715, 1722, 1719, 1725,
-
-     1726, 1728, 1723,   86, 1730,   86,   86,   86,   86,   86,
-     1727,   86,   86,   86, 1735, 1732, 1733, 1729,   86, 1736,
-       86,   86,   86,   86,   86, 1741, 1740, 1731,   86,   86,
-       86,   86, 1748,  170, 1737,   86, 1734, 1739,   86, 1738,
-     1749, 1743,   86,   86,   86, 1745, 1742, 1750, 1746,   86,
-     1744, 1757, 1752, 1758, 1753,   86, 1754,   86, 1755,   86,
-     1747, 1756,   86, 1751,   86,   86, 1760,   86, 1761, 1759,
-     1762,   86,   86,   86,   86,   86,   86, 1763,   86, 1769,
-     1770, 1768,   86, 1772, 1764,   86,   86, 1771,   86,   86,
-       86, 1765,   86, 1766,   86, 1767,   86, 1774, 1775,   86,
-
-       86, 1776,   86,   86,   86,   86,   86,   86, 1777,   86,
-       86, 1773, 1786, 1785, 1778,   86, 1780, 1781, 1782,   86,
-     1779,   86, 1791, 1783,   86,   86, 1787, 1788,   86,   86,
-       86, 1784, 1790, 1789,   86, 1797,   86,   86,   86,   86,
-       86, 1793,   86, 1799, 1792,   86, 1801,   86, 1795, 1794,
-       86, 1796, 1800,   86, 1802,   86, 1803, 1798,   86,   86,
-       86,   86, 1806,   86,   86, 1808,   86, 1815, 1805, 1809,
-     1807, 1804, 1810, 1816,   86, 1811, 1812, 1817,   86,   86,
-       86, 1813,   86, 1820, 1819, 1821,   86,   86, 1814,   86,
-       86, 1818,   86,   86, 1824, 1822,   86, 1825,   86,   86,
-
-       86,   86, 1828, 1834,   86,   86, 1823, 1833, 1830, 1826,
-     1832, 1831, 1827,   86,   86,   86, 1840, 1829, 1836,   86,
-     1835, 1841,   86,   86,   86,   86,   86,   86, 1842, 1838,
-       86, 1846, 1837,   86,   86, 1839, 1843,   86, 1850, 1849,
-       86,   86, 1848, 1847, 1845,   86, 1854,   86,   86,   86,
-     1844,   86, 1851,   86, 1852, 1858,   86, 1853, 1855,   86,
-     1859,   86,   86, 1860, 1863,   86, 1857, 1869, 1856, 1864,
-     1868, 1861, 1867, 1862,   86,   86, 1866,   86,   86, 1870,
-     1865,   86,   86, 1874,   86,   86, 1878, 1871,   86,   86,
-       86,   86,   86, 1876, 1872,   86, 1873, 1875,   86, 1877,
-
-       86,   86,   86, 1879,   86,   86, 1882, 1880,   86, 1883,
-     1881, 1888,   86,   86, 1884, 1885, 1890, 1891, 1886, 1887,
-       86, 1892,   86,   86, 1893,   86,   86, 1897,   86,   86,
-     1899, 1895,   86, 1889,   86,   86,   86, 1903,   86,   86,
-     1894,   86, 1898,   86,   86, 1896, 1906, 1905,   86, 1907,
-     1901,   86,   86, 1902, 1900,  170, 1908, 1909,   86, 1904,
-     1913,   86,   86,   86,   86, 1917,   86, 1911,   86,   86,
-       86,   86,   86, 1912,   86, 1910, 1915, 1919,   86, 1924,
-     1920, 1914, 1916, 1918, 1921,   86,   86,   86, 1928,   86,
-     1922,  168,   86, 1927, 1923, 1929, 1926,   86, 1925, 1930,
-
-       86,   86, 1931, 1933, 1934,   86,   86,   86,   86,   86,
-     1932,   86,   86, 1936,   86, 1937,   86,   86, 1935,   86,
-       86,   86, 1942,   86, 1943,   86,   86, 1938,   86, 1944,
-     1939, 1947, 1940, 1945, 1941,   86,   86, 1948, 1946,   86,
-     1951, 1953, 1955,   86,   86, 1950, 1956, 1952,   86,   86,
-     1949,   86,   86,   86, 1954,   86,   86, 1962,   86, 1965,
-     1966,   86, 1967,   86,   86, 1957,   86, 1958, 1959, 1960,
-     1963, 1961, 1964, 1969,   86,   86, 1970,   86, 1973,   86,
-     1975,   86,   86, 1977, 1968, 1974,   86, 1971,   86,   86,
-     1979, 1976,   86,   86,   86,   86,   86, 1981, 1972,   86,
-
-     1978, 1982,   86,   86, 1984, 1985,   86,   86,   86, 1989,
-     1986,   86, 1988, 1983, 1991,   86, 1990, 1980,   86,   86,
-       86,   86,   86,  166, 1987, 1999,   86, 1992, 1993, 1994,
-     2001,   86,   86,   86, 1995, 2002,   86, 1997, 1996,   86,
-     2003, 1998, 2000,   86, 2006, 2005, 2008, 2004,   86,   86,
-       86,   86,   86,   86, 2007, 2012,   86, 2009,   86, 2014,
-       86,   86, 2017, 2018,   86,   86, 2020,   86,   86, 2010,
-       86, 2011,   86, 2015,   86, 2026,   86, 2013, 2025, 2022,
-       86, 2023, 2016,   86,   86, 2019,   86,   86,   86,   86,
-     2032,   86,   86, 2021, 2029, 2024, 2036, 2030, 2028,   86,
-
-       86, 2027,   86,   86, 2035, 2039,   86,   86, 2034, 2040,
-     2038,   86, 2031, 2042, 2043,   86,   86, 2033,   86,   86,
-     2037, 2044,   86,   86,   86, 2041,   86, 2045,   86, 2049,
-       86,   86, 2052, 2053, 2054, 2048,   86,   86,   86,   86,
-       86,   86, 2046, 2047,   86, 2057, 2050,   86, 2062,   86,
-       86, 2056, 2061,   86,   86,   86, 2051, 2055, 2059, 2066,
-       86, 2058,   86, 2067,   86,   86, 2060,   86, 2064, 2063,
-     2068, 2070,   86, 2065, 2069,   86, 2074,   86, 2072, 2071,
-       86, 2075,   86, 2073,   86,   86,   86, 2081,   86, 2078,
-       86, 2084,   86,   86, 2076, 2083,   86, 2085,   86,   86,
-
-       86, 2077, 2086, 2082,   86, 2079, 2080,   86, 2087, 2091,
-       86, 2088, 2092,   86, 2093, 2095, 2089, 2096,   86, 2094,
-       86,   86,   86,   86, 2090, 2100,   86, 2098,   86,   86,
-     2099,   86, 2102, 2097,   86,   86, 2105, 2107, 2101,  170,
-       86, 2103,   86,   86, 2108,   86,   86,   86,   86,   86,
-     2113,   86, 2109, 2112,   86, 2114, 2120, 2106, 2110, 2104,
-     2115,   86, 2116,   86, 2111, 2118,   86,   86,   86, 2117,
-       86,   86, 2119, 2121,   86, 2123,   86, 2122,   86, 2124,
-       86, 2126,   86,   86, 2130,   86, 2125,   86, 2129,   86,
-     2127,   86,   86,   86, 2128,   86, 2131, 2132, 2133,   86,
-
-     2135,   86, 2134,   86, 2137,   86, 2142,   86,   86, 2136,
-     2139, 2140,   86, 2141,   86,   86,   86,   86, 2147,   86,
-       86, 2138,   86, 2143, 2144,   86, 2152,   86,   86, 2148,
-     2146, 2150, 2145,   86,   86,   86, 2153, 2149,   86, 2156,
-     2151, 2158,   86,   86,   86, 2154, 2159,   86, 2157, 2155,
-       86, 2164,   86,   86, 2160,   86, 2166,   86,  165,   86,
-     2161, 2167, 2162,   86, 2163, 2168,   86, 2170,   86, 2165,
-       86, 2169,   86, 2171,   86, 2174, 2172, 2175,   86,   86,
-     2173,   86,   86, 2178,   86,   86,   86,   86,   86,   86,
-       86,   86,   86, 2179,   86,   86, 2192,   86, 2181, 2177,
-
-     2176, 2182, 2183, 2184,   86, 2186, 2180, 2191,   86,   86,
-     2187,   86, 2189,   86, 2185,   86, 2195, 2190,   86,   86,
-     2196,   86,  163, 2188, 2198,   86, 2193, 2199,   86, 2194,
-       86, 2197,   86, 2201,   86,   86, 2200, 2202,   86, 2204,
-     2207, 2203,   86, 2205,   86,   86, 2209, 2206, 2211,   86,
-       86,   86,   86,   86, 2214,   86, 2213,   86, 2215, 2210,
-     2216, 2208,   86, 2219,   86,   86,   86, 2223,   86,   86,
-     2220,   86, 2224,   86,   86, 2217, 2212, 2221, 2222, 2225,
-     2228,   86, 2218,   86, 2229,   86,   86, 2226, 2227, 2232,
-       86,   86, 2234,   86,   86,   86, 2233, 2238,   86,  161,
-
-     2230,   86, 2236,   86, 2240,   86, 2231,   86, 2241,   86,
-     2237, 2235,   86, 2239, 2242,   86,   86, 2243,   86,   86,
-     2247,   86,   86,   86, 2249, 2245,   86, 2244, 2246, 2250,
-       86, 2251, 2252, 2253, 2254,   86, 2248,   86,   86, 2257,
-     2255,   86, 2256, 2260,   86,   86,   86,   86,   86,   86,
-     2259,   86,   86,   86,   86,   86,   86,   86, 2258, 2269,
-     2266, 2264, 2270, 2261, 2262, 2263, 2265, 2267,   86,   86,
-       86,   86, 2268,   86,   86, 2272, 2274, 2271, 2278, 2275,
-     2280,   86,   86, 2279,   86,   86, 2276,  170, 2273, 2282,
-       86, 2277,   86, 2281,   86,   86, 2284, 2288, 2286, 2285,
-
-     2290, 2283, 2289,   86, 2291,   86,   86,   86, 2292, 2287,
-       86,   86, 2295,   86,   86, 2293,   86,   86, 2296, 2300,
-       86,   86, 2301, 2299,   86,   86, 3353, 2304, 2302,   86,
-     2305, 2294, 2297,   86,   86, 2306, 2307,   86,   86,   86,
-     2309,   86, 2303, 2298, 2308, 2310,   86,   86,   86, 2311,
-       86, 2312,   86,   86,   86, 2315,   86,   86, 2313, 2318,
-       86,   86,   86, 2324,   86,   86, 2322,   86, 2317, 2325,
-       86,   86,   86, 2314, 2319, 2316, 2320, 2321,   86,   86,
-       86,   86, 2326, 2327, 2323, 2333, 2332,   86,   86, 2329,
-       86, 2330, 2335,   86,   86,   86, 2328,   86, 2336, 2331,
-
-       86,   86,   86,   86,   86, 2334,   86, 2337,   86,   86,
-       86,   86, 2349, 2338, 2343, 2348, 2351, 2346, 2339, 2341,
-     2347, 2340, 2342, 2345, 2344, 2350,   86,   86,   86,   86,
-     2352,   86,   86, 2356, 2357,   86,   86,   86, 2358, 2359,
-       86, 2353,   86, 2354, 2355,   86, 2362,   86, 2365,   86,
-     2366,   86, 2360,   86,   86, 2361, 2363,   86, 2367, 2364,
-       86,   86, 2368, 2372,   86, 2373,   86,   86, 2375,   86,
-       86, 2377,   86, 2371, 2369,   86,   86, 2380,   86,   86,
-     2370, 2379, 2381,   86,   86,   86, 2374,   86, 2376,   86,
-     2378,   86,   86, 2382, 2383, 3353, 2386,   86, 2384, 2387,
-
-       86, 2389,   86, 2391,   86,   86, 2385, 2392, 2388,   86,
-     2390,   86, 2393, 2395,   86,   86,   86,   86, 2398, 2401,
-       86,   86,   86,   86, 2396,   86,   86, 2394, 2400, 2405,
-     2397,   86, 2399, 2406,   86,   86,   86,   86, 2404,   86,
-     2408, 2402, 2411,   86,   86, 2403, 2412,   86,   86,   86,
-     2407, 2409, 2410, 2414, 2413,   86, 2418,   86,   86, 2420,
-       86,   86, 2415, 2421, 2424,   86, 2416, 2419,   86,   86,
-       86,   86,   86, 2425, 2426, 2417, 2427,   86, 2422,   86,
-     2423, 2429, 2431,   86,   86,   86, 2436,   86, 2433, 2434,
-     2428, 2438,   86, 2430,   86,   86,   86,   86,   86, 2439,
-
-     2435, 2440,   86,   86,   86, 2432, 2443,   86, 2437,   86,
-       86, 2442,   86, 2444, 3353, 2449, 2445, 2450, 2446, 2447,
-     2441,   86, 2452,   86,   86,   86, 2448, 2455, 2451,   86,
-     2454,   86, 2456,   86, 2453,   86,  170,   86,   86,   86,
-     2457, 2458, 2463,   86,   86,   86,   86,   86, 2465,   86,
-       86,   86, 2470, 2461, 2462, 2459,   86, 2460, 2466, 2464,
-       86, 2467, 2468, 2469,   86, 2471, 2474,   86, 2473, 2478,
-     2472,   86, 2475, 2476,   86,   86, 2479, 2480, 2477,   86,
-     2482,   86,   86,   86,   86,   86, 2484,   86, 2481,   86,
-       86,   86, 2488,   86, 2489,   86,   86, 3353, 2483, 2485,
-
-       86, 2491,   86, 2486, 2496,   86, 2492, 2490, 2493, 2487,
-     2494,   86,   86,   86,   86,   86,   86, 2495,   86, 2499,
-     2500,   86, 2497, 2502,   86,   86,   86,   86,   86, 2501,
-       86, 2506, 2509,   86, 2498, 2508,   86,   86,   86, 2510,
-     2505,   86,   86,   86, 2503, 2504,   86, 2514, 2507,   86,
-       86, 2519,   86,   86, 2511, 2518, 2512,   86, 2516,   86,
-     2513, 2520,   86,   86, 2515, 2517,   86, 2528, 2521,   86,
-     2524, 2522,   86, 2523, 2529, 2525,   86, 2527, 2526,   86,
-       86, 2531,   86,   86, 2533,   86,   86,   86,   86,   86,
-       86, 2530, 2532, 2537,   86,   86, 2541,   86,   86, 2539,
-
-     2540, 2535, 2542,   86, 2534, 2536, 2543,   86, 2544,   86,
-       86,   86,   86,   86, 2545, 2547, 2538,   86, 2552,   86,
-     2549,   86, 2554,   86,   86, 2550,   86,   86,   86,   86,
-     2548, 2546, 2553, 2551, 2557,   86,   86,   86, 2561, 2558,
-       86, 2556, 2555, 2562,   86, 2563, 2559, 2560,   86,   86,
-       86,   86,   86, 2567,   86, 2566,   86,   86, 2565,   86,
-       86,   86, 2571, 2634, 2570, 3353, 2564,   86, 2568,   86,
-     2569,   86, 2574, 2575,   86, 2576,   86, 2577,   86, 2572,
-     2573, 2578,   86, 2579,   86,   86, 2582, 2580,   86, 2581,
-       86, 2583,   86,   86,   86, 2588,   86,   86, 2590,   86,
-
-     2584, 2591,   86,   86, 2585,   86,   86,   86,   86,   86,
-     2587,   86,   86, 2586, 2592, 2594, 2589, 2593, 2595,   86,
-     2600,   86,   86,   86, 2597,   86,   86, 2596,  170, 2598,
-       86, 2599, 2601,   86, 2608,   86,   86,   86, 2602, 2604,
-     2607,   86, 2603,   86, 2606, 2609,   86,   86,   86, 2605,
-     2610, 2615, 2611,   86, 3353,   86, 2619,   86, 2617, 2612,
-     2618, 2616, 2620,   86,   86, 2613,   86, 2621,   86, 2614,
-       86, 2622,   86, 2623,   86,   86,   86,   86,   86, 2625,
-       86,   86, 2624,   86,   86,   86, 2638,   86,   86, 2632,
-     2627, 2639,   86, 2626,   86, 2629, 2628,   86,   86,   86,
-
-     2630, 2631,   86, 2633, 2635, 2636, 2637, 2642, 2640, 2643,
-       86, 2644, 2645,   86,   86,   86,   86, 2646,   86, 2641,
-       86,   86, 2648,   86, 2654,   86, 2655,   86,   86,   86,
-       86, 2649, 2647,   86, 2659,   86, 2650, 2652, 2651, 2658,
-     2660,   86, 2653, 2661,   86, 2663,   86, 2657, 2656,   86,
-       86,   86,   86,   86,   86,   86, 2666, 2670,   86, 2669,
-     2671,   86, 2662,   86, 2665, 2664,   86,   86, 2672, 2673,
-       86,   86, 2667, 2668,   86,   86, 2675, 2674,   86,   86,
-     2679,   86, 2676, 2677,   86, 2684,   86, 2683,   86,   86,
-     2687,   86,   86,   86, 2678,   86, 2690,   86, 2680, 2682,
-
-     2681,   86,   86, 2685, 2688, 2692,   86, 2686, 2693,   86,
-     2689,   86, 2691,   86,   86, 2694, 2698,   86,   86,   86,
-       86, 2695,   86, 2701, 2702,   86, 2699, 2700, 2704,   86,
-       86, 2696,   86, 2697,   86, 2705,   86,   86, 2707, 2703,
-       86, 2706, 2710,   86,   86, 2711, 2708, 2713,   86,   86,
-       86,   86,   86, 2714, 2718,   86, 2709, 2720,   86, 2712,
-     2716, 2717, 2715,   86,   86, 2719,   86,   86, 2721, 2722,
-       86,   86, 2724,   86,   86,   86,   86,   86, 2725,   86,
-     2723, 2730, 2727, 2728, 2731, 2733,   86, 2734,   86, 2729,
-     2726,   86, 2732, 2735,  170,   86,   86,   86, 2736, 2740,
-
-     2737,   86,   86, 2742,   86,   86, 2741,   86, 2745,   86,
-     2746,   86, 2744,   86, 2738, 2739, 2748,   86,   86, 2743,
-       86, 2749, 2750,   86,   86, 2752, 2747, 2751,   86, 2753,
-     2755,   86,   86,   86,   86, 2756,   86, 2754, 2757,   86,
-       86, 2758, 2762,   86, 2763,   86,   86, 2760,   86, 2759,
-       86, 2764, 2766,   86,   86, 2765,   86, 2768, 2767,   86,
-       86, 2761,   86,   86, 2770, 2771,   86,   86, 2769,   86,
-       86, 2776,   86, 2779,   86, 2774, 2773,   86, 2775,   86,
-     2772, 2777,   86, 2780,   86, 2778, 2784,   86,   86,   86,
-       86,   86,   86, 2781,   86, 2785, 2789,   86,   86, 2787,
-
-       86,   86, 2782, 2783, 2793,   86, 2788, 3210, 2786, 2791,
-     2796, 2790, 2794,   86, 2797, 2798,   86,   86, 2792,   86,
-       86,   86, 2799,   86, 2801, 2800, 2795,   86,   86, 2804,
-       86,   86,   86, 2805,   86,   86, 2802,   86, 2806,   86,
-     2809, 2803, 2811,   86,   86, 2807, 3353, 2808, 2812,   86,
-     2813,   86,   86,   86,   86, 2810, 2814,   86, 2815, 2816,
-       86,   86, 2818, 2820, 2817,   86, 2819,   86, 2821,   86,
-       86, 2824,   86, 2822, 2825,   86, 2826,   86,   86,   86,
-     2828, 2827, 2831,   86,   86, 2823,   86, 2832, 2833,   86,
-     2829,   86, 2835,   86,   86,   86, 2839, 2836,   86, 2830,
-
-     2840,   86,   86,   86,   86, 2842, 2834, 2841,   86, 2838,
-     2843,   86, 2837,   86, 2848,   86, 2851,   86,   86, 2847,
-       86, 2844, 2850,   86, 2845,   86,   86,   86, 2846, 2854,
-     2852, 2853,   86,   86, 2857, 2856,   86,   86,   86,   86,
-     2849,   86, 2860, 2864,   86,   86,   86,   86,   86,   86,
-     2866,   86, 2855, 2858, 2859, 2863, 2861, 2870, 2867, 2862,
-     2865, 2871, 2868, 2873, 2869,   86, 2872,   86, 2874,   86,
-     2875, 2876,   86,   86, 2877,   86, 2878,   86, 2879,   86,
-     2880, 2881,   86,   86,   86,   86,   86, 2882,   86,   86,
-     2885,   86,   86, 2887, 2891,   86, 2892,   86, 2888,   86,
-
-       86,   86, 2893, 2883,   86, 2886, 2895,   86, 2896, 2898,
-     2884, 2889, 2890, 2897,   86, 2899,   86,   86, 2894,   86,
-       86,   86, 2904,   86,   86,   86, 2900,   86, 2901, 2902,
-       86, 2905,   86, 2906,   86,   86,   86, 2910, 2914, 2903,
-       86, 2908, 2911,   86, 2907, 2913,   86, 2909, 2912, 2916,
-       86, 2915, 2917,   86, 2918,   86,   86, 2921,   86,   86,
-       86,   86,   86,   86, 2927,   86,   86,   86, 2922, 2944,
-       86, 2925, 2923,   86, 2920,   86,   86, 2928, 2930,   86,
-     2919, 2931, 2961, 2926,   86, 2932, 2924, 2929, 2933,   86,
-       86,   86, 2935,   86, 2934, 2936, 2937,   86, 2938,   86,
-
-     2939,   86, 2940,   86,   86,   86,   86,   86,   86, 2943,
-     2941, 2945, 2946, 2947,   86,   86,   86,   86, 2953,   86,
-     2949, 2951, 2942, 2948,   86, 2955,   86,   86,   86,   86,
-       86, 2956,   86, 2957, 2958, 2952, 2950,   86, 2959,   86,
-     2964,   86,   86,   86, 2954,   86,   86, 2962,   86, 2960,
-     2967,   86,   86,   86, 2968, 2965, 2966,   86, 2972, 2963,
-     2971,   86, 2973,   86, 2969,   86, 2974, 2977,   86,   86,
-     2970, 2979,   86, 2980,   86,   86, 2982,   86,   86,   86,
-       86, 2975,   86, 2987,   86, 2986,   86, 2990, 2978,   86,
-       86, 2976,   86,   86, 2983, 2984, 2981,   86, 2985, 2989,
-
-       86, 2993,   86,   86, 2996,   86, 2988, 2998,   86,   86,
-       86, 2992, 2991,   86, 2999,   86, 2994, 2997, 3001,   86,
-     3002,   86, 2995, 3004,   86,   86,   86, 3009,   86, 3010,
-     3000,   86,   86,   86,   86, 3003, 3006, 3007, 3013,   86,
-       86, 3015,   86, 3005, 3011, 3014, 3008,   86,   86, 3018,
-     3021, 3012, 3019,   86, 3017,   86,   86,   86,   86, 3016,
-     3020, 3024,   86, 3023,   86,   86, 3022, 3027,   86, 3025,
-     3030,   86,   86,   86,   86,   86,   86, 3035,   86,   86,
-       86, 3353,   86,   86, 3026, 3028, 3029, 3031, 3041, 3034,
-     3032, 3038, 3039,   86, 3040,   86, 3037,   86, 3036, 3033,
-
-       86, 3044,   86, 3045,   86, 3043, 3046,   86,   86,   86,
-     3049, 3042,   86, 3051,   86,   86,   86, 3050,   86,   86,
-       86, 3047,   86, 3056, 3057,   86,   86,   86,   86,   86,
-       86, 3063,   86,   86, 3052, 3048, 3064,   86, 3065, 3062,
-     3053, 3054, 3055, 3060,   86,   86, 3059,   86, 3061,   86,
-     3069,   86, 3058, 3066, 3068, 3070,   86,   86,   86, 3073,
-       86, 3072, 3071,   86, 3067,   86, 3076,   86, 3075,   86,
-     3074,   86,   86,   86, 3077,   86,   86, 3080,   86,   86,
-       86, 3082,   86, 3078, 3083, 3081,   86,   86,   86,   86,
-       86, 3079,   86,   86, 3092, 3093, 3095, 3084, 3088, 3085,
-
-     3086, 3353,   86,   86, 3087, 3089, 3090,   86, 3091,   86,
-     3098,   86, 3094, 3097, 3096, 3102, 3099, 3100,   86, 3101,
-       86, 3103,   86,   86,   86, 3106,   86,   86, 3104, 3107,
-       86, 3108, 3109,   86,   86, 3110, 3111, 3114,   86, 3112,
-     3113,   86,   86, 3105,   86, 3118, 3115, 3117,   86,   86,
-       86,   86,   86, 3116, 3123,   86,   86, 3122,   86,   86,
-       86,   86,   86, 3119, 3126, 3125,   86, 3353, 3127,   86,
-     3120, 3121,   86, 3131,   86, 3130, 3128, 3132,   86, 3135,
-     3129, 3124, 3133,   86, 3134,   86, 3138, 3140,   86,   86,
-       86, 3139,   86,   86, 3136,   86,   86, 3137,   86, 3148,
-
-     3144, 3145, 3147,   86, 3142,   86,   86, 3150,   86, 3151,
-       86, 3143, 3149, 3141,   86,   86,   86, 3146, 3154,   86,
-     3153, 3155,   86, 3157,   86, 3156, 3158,   86,   86, 3152,
-     3159,   86, 3160,   86, 3161,   86, 3162,   86, 3163,   86,
-     3164,   86,   86, 3167,   86,   86,   86,   86,   86,   86,
-       86, 3166, 3172,   86, 3165, 3168,   86, 3169,   86, 3176,
-       86,   86, 3175, 3173, 3178,   86,   86, 3170, 3171, 3174,
-       86,   86, 3182, 3180,   86, 3177,   86, 3184, 3185, 3179,
-       86,   86,   86,   86,   86, 3187,   86,   86,   86,   86,
-       86,   86, 3181, 3191, 3183, 3186,   86, 3192,   86, 3190,
-
-     3193, 3188,   86, 3196, 3189, 3194,   86,   86,   86, 3197,
-     3199,   86, 3200,   86, 3202, 3195, 3201,   86,   86,   86,
-     3198,   86, 3205, 3204,   86,   86,   86, 3203,   86, 3209,
-       86, 3207,   86, 3212,   86, 3206, 3208,   86,   86,   86,
-       86, 3211,   86, 3213,   86,   86,   86, 3214,   86, 3219,
-     3221,   86, 3215, 3216, 3218,   86, 3220, 3224,   86,   86,
-     3223,   86, 3225, 3217, 3226, 3227,   86, 3222, 3228, 3229,
-       86, 3231,   86,   86, 3232, 3230, 3233,   86, 3234,   86,
-     3235,   86,   86,   86,   86, 3237,   86,   86, 3238, 3239,
-     3242,   86,   86,   86, 3246,   86,   86,   86, 3245, 3248,
-
-       86, 3236, 3241,   86, 3244, 3243, 3249,   86,   86, 3252,
-       86, 3240,   86,   86, 3255,   86,   86, 3247, 3250,   86,
-     3256,   86,   86, 3259, 3257, 3260,   86, 3251, 3253,   86,
-     3254,   86,   86,   86, 3265,   86, 3261,   86, 3264, 3262,
-     3258, 3266,   86,   86,   86,   86,   86,   86, 3270,   86,
-       86, 3263, 3272,   86,   86, 3277,   86,   86, 3267, 3269,
-     3279,   86, 3278, 3268,   86,   86, 3271, 3274, 3273, 3275,
-       86,   86, 3276, 3283,   86, 3285, 3284,   86, 3286,   86,
-       86,   86,   86, 3281, 3280, 3287,   86, 3288, 3291, 3282,
-       86, 3289, 3292,   86,   86, 3293, 3294,   86, 3290,   86,
-
-       86,   86,   86, 3295,   86, 3300,   86,   86, 3297,   86,
-     3303,   86, 3304,   86,   86,   86,   86,   86,   86, 3296,
-     3302, 3298, 3307, 3299, 3305, 3301,   86, 3306,   86, 3311,
-       86, 3310,   86, 3308,   86, 3309,   86, 3312, 3353, 3313,
-       86, 3315,   86, 3317,   86, 3318,   86,   86, 3322,   86,
-       86, 3319,   86, 3316, 3320, 3321, 3314, 3323,   86,   86,
-     3324, 3325,   86,   86,   86,   86, 3326,   86,   86, 3328,
-     3327,   86, 3329, 3331,   86,   86, 3333,   86,   86, 3337,
-     3334, 3338,   86, 3330, 3332,   86,   86, 3335,   86, 3341,
-     3342,   86,   86, 3344,   86,   86, 3336, 3345,   86, 3343,
-
-       86,   86, 3346,   86, 3339, 3340, 3347,   86, 3348, 3351,
-       86, 3352,   86, 3353, 3353, 3353, 3353, 3353, 3353, 3349,
-     3353, 3353, 3353, 3353, 3353, 3353, 3350,   47,   47,   47,
-       47,   47,   47,   47,   52,   52,   52,   52,   52,   52,
-       52,   57,   57,   57,   57,   57,   57,   57,   63,   63,
-       63,   63,   63,   63,   63,   68,   68,   68,   68,   68,
-       68,   68,   74,   74,   74,   74,   74,   74,   74,   80,
-       80,   80,   80,   80,   80,   80,   89,   89, 3353,   89,
-       89,   89,   89,  160,  160, 3353, 3353, 3353,  160,  160,
-      162,  162, 3353, 3353,  162, 3353,  162,  164, 3353, 3353,
-
-     3353, 3353, 3353,  164,  167,  167, 3353, 3353, 3353,  167,
-      167,  169, 3353, 3353, 3353, 3353, 3353,  169,  171,  171,
-     3353,  171,  171,  171,  171,  174, 3353, 3353, 3353, 3353,
-     3353,  174,  177,  177, 3353, 3353, 3353,  177,  177,   90,
-       90, 3353,   90,   90,   90,   90,   17, 3353, 3353, 3353,
-     3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353,
-     3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353,
-     3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353,
-     3353, 3353, 3353, 3353, 3353, 3353, 3353
+      457,  448,   86,  444,   86,  455,   86,   86,  170,  462,
+      458,  463,  459,  449,  464,   86,  450,  456,  469,  470,
+
+       86,  451,  452,  453,  454,  460,  467,   86,  461,  465,
+      466,  468,   86,   86,   86,   86,   86,   86,  478,   86,
+       86,   86,   86,  480,  476,  477,  479,   86,  481,  473,
+      471,   86,   86,  472,  474,  475,   86,  483,   86,  485,
+       86,  488,   86,  489,   86,  490,  482,   86,  484,   86,
+      506,   86,   86,  494,  491,  487,  493,  495,  486,   86,
+       86,   86,   86,   86,  492,  496,  498,   86,  499,   86,
+      501,  497,  170,  507,   86,  500,  508,   86,  505,   86,
+       86,   86,  522,  502,   86,  509,  503,  523,  504,   86,
+      510,   86,  511,  545,   86,   86,  525,   86,  512,  569,
+
+      528,  168,  513,   86,   86,  524,  526,  514,  527,  530,
+      515,   86,  516,  540,  517,  541,  529,   86,  539,   86,
+      542,   86,   86,   86,   86,   86,  548,  518,   86,  543,
+      519,  166,  520,   86,  521,   86,  544,  531,  532,  547,
+      550,  546,  553,   86,  549,  551,   86,  533,  534,  535,
+      536,  537,  554,  552,  538,   86,   86,   86,   86,   86,
+      556,  563,  555,  558,  561,   86,   86,   86,   86,  564,
+       86,   86,  560,  568,   86,   86,  559,   86,  557,   86,
+      562,   86,  566,   86,   86,  567,  565,   86,  571,  578,
+      570,  572,  573,  575,   86,  574,   86,  576,  577,   86,
+
+      582,  579,  580,   86,   86,  585,   86,  583,   86,   86,
+       86,  601,   86,   86,   86,   86,  165,   86,  603,  581,
+      591,  592,  584,  587,  602,  586,  588,  589,  590,   86,
+       86,  606,  593,  604,  594,   86,   86,   86,   86,  605,
+      595,   86,   86,   86,  608,  609,  610,  611,  596,  597,
+       86,   86,  598,  599,   86,  613,  600,  607,  615,   86,
+       86,   86,   86,  618,  614,  616,  619,   86,   86,   86,
+      612,  620,   86,   86,  617,   86,   86,  625,  623,   86,
+      624,   86,   86,  621,   86,  626,   86,   86,   86,  631,
+      622,  627,  632,   86,   86,   86,  630,  633,   86,  635,
+
+      629,  628,   86,   86,  638,   86,  634,  636,   86,  637,
+       86,  640,   86,   86,   86,   86,  642,  639,   86,  645,
+       86,  643,   86,   86,   86,   86,  641,  653,   86,  656,
+      647,   86,   86,   86,  644,  646,   86,  654,  648,  652,
+      649,  650,  651,  655,  658,  657,  661,  659,   86,   86,
+       86,  660,  663,   86,   86,  666,   86,  665,   86,   86,
+       86,   86,   86,   86,  669,  662,   86,  672,   86,   86,
+      668,  673,   86,  664,   86,   86,   86,  675,   86,  667,
+       86,   86,  670,  671,  674,  690,   86,  677,  678,   86,
+      676,   86,  679,  689,   86,   86,  687,  680,  694,  681,
+
+      692,  688,  693,   86,   86,  682,   86,  683,  691,  695,
+      684,  685,   86,  696,   86,   86,   86,  686,  697,  698,
+      702,  701,  699,   86,   86,  700,   86,  706,   86,   86,
+      704,  703,  705,   86,  709,   86,  711,   86,   86,   86,
+       86,   86,  715,   86,   86,   86,  707,   86,  708,  718,
+      713,   86,  712,   86,  710,  714,  719,   86,  716,  722,
+       86,  724,  726,  170,  720,  717,  721,  725,   86,  723,
+       86,   86,   86,   86,   86,   86,   86,   86,   86,   86,
+      733,  735,  727,  746,   86,   86,  728,  730,   86,  731,
+      734,  729,  737,  732,  738,   86,  739,  740,  741,   86,
+
+      742,   86,   86,   86,   86,   86,  743,   86,  747,   86,
+      163,   86,   86,  744,  752,  765,  745,   86,  748,  753,
+       86,  755,   86,  751,  754,  749,  756,   86,  750,  757,
+      758,   86,  759,   86,  760,   86,  761,   86,  763,   86,
+       86,  762,   86,   86,  766,   86,   86,   86,   86,  764,
+      769,  770,   86,  768,   86,  774,  773,   86,   86,   86,
+       86,   86,  767,  776,   86,  778,   86,  780,   86,   86,
+       86,  771,   86,  772,   86,  783,  777,  775,  779,   86,
+      787,   86,   86,  781,   86,   86,   86,  788,  790,   86,
+      782,  784,   86,  791,  786,  785,  792,  793,  789,  794,
+
+       86,  795,   86,   86,   86,   86,  802,  796,  797,  798,
+      799,   86,   86,   86,   86,   86,  800,  804,  801,  805,
+      803,   86,   86,   86,   86,  808,  807,   86,  809,  810,
+       86,   86,   86,   86,  812,   86,  814,  816,   86,   86,
+       86,  806,  811,  813,  817,   86,   86,  823,   86,  161,
+       86,  825,  815,   86,  819,  821,  820,  822,  818,   86,
+      826,  827,   86,   86,   86,  824,   86,  828,  830,   86,
+       86,  829,  834,  836,  832,   86,  831,   86,   86,   86,
+      835,   86,   86,   86,  837,  840,   86,  839,   86,  833,
+      841,   86,  847,  844,   86,   86,  842,   86,   86,  843,
+
+       86,   86,  838,   86,  849,  850,  854,  845,  846,   86,
+      852,   86,   86,  848,  856,   86,  862,  851,  853,   86,
+       86,  855,   86,  860,  857,   86,  863,  858,  861,   86,
+       86,   86,  864,  866,   86,   86,   86,  859,  865,   86,
+      872,   86,   86,  867,   86,  873,   86,   86,   86,   86,
+       86,  874,  868,  869,  881,  870,  879,   86,   86,  871,
+       86,   86,  875,  876,   86,   86,   86,  877,   86,  878,
+       86,   86,  880,   86,   86,  883,  884,  888,  882,   86,
+       86,   86,   86,   86,  885,  896,  889,  886,  895,  887,
+      890,   86,  897,   86,   86,   86,  899,  891,  892,  893,
+
+      894,   86,   86,   86,   86,  898,  901,  903,  902,   86,
+       86,   86,  900,   86,   86,   86,  908,  907,   86,  904,
+      909,   86,  906,  905,   86,  914,  911,   86,   86,  912,
+       86,   86,  170,  913,  919,   86,  915,  920,  910,  917,
+       86,   86,  916,  918,  921,   86,   86,   86,   86,  922,
+      925,   86,  928,   86,   86,  929,  924,  931,   86,   86,
+      923,   86,  926,  930,  932,   86,   86,  935,   86,   86,
+      933,   86,  927,   86,   86,  937,  941,   86,   86,   86,
+      938,   86,   86,   86,  934,  942,  936,   86,  943,   86,
+       86,   86,  940,   86,  939,   86,  944,  957,   86,  956,
+
+       86,  958,  954,  946,  945,   86,  955,  947,   86,  959,
+      948,   86,   86,  967,  949,  961,  965,  950,   86,  962,
+       86,  963,   86,   86,  951,  952,  968,  953,  960,   86,
+       86,   86,   86,  964,   86,  977,   86,  966,   86,  969,
+      970,   86,  971,   86,   86,  972,  984,  980,  982,  976,
+      973,   86,  978,   86,  979,   86,  974,  975,  981,   86,
+      986,  990,   86,   86,  983,  989,  991,   86,  987,   86,
+      985,   86,  993,   86,   86, 1001,  992,   86,  994,  995,
+       86,  996,  997,   86,  988,   86,  998, 1000,   86,   86,
+      999,   86,   86,   86,   86,   86, 1004,   86, 1008,   86,
+
+       86, 1002, 1007,   86,   86, 1011,   86,   86, 1017,   86,
+     1003, 1013, 1015, 1005, 1006, 1009,   86, 1010,   86,   86,
+     1018, 1016,   86,   86, 1012, 1019,   86, 1020, 1021, 1014,
+     1023, 1028,   86, 1025,   86,   86,   86, 1024, 1022,   86,
+       86, 1027,   86, 1026, 1029,   86, 1030,   86,   86,   86,
+     1031,   86,   86,   86, 1033,   86, 1038,   86, 1034,   86,
+     1041,   86,   86,   86,   86,   86, 1032, 1042, 1039, 1036,
+     1035, 1040,   86,   86, 1037,   86,   86, 1047,   86,   86,
+       86, 1043, 1049,   86, 1044, 1045,   86, 1048, 1046,   86,
+     1052, 1050, 1053, 1055, 1051,   86, 1057,   86, 1056,   86,
+
+       86,   86, 1054,   86,   86,   86,   86,   86, 1063, 1065,
+     1060,   86, 1058, 1066,   86,   86, 1064,   86,   86, 1059,
+     1068,   86, 1062,   86,   86,   86, 1070, 1061,   86, 1079,
+       86,   86, 1067, 1074, 1076,   86,   86,   86, 1069,   86,
+     1072, 1071,   86, 1073,   86, 1080, 1077,   86, 1075, 1081,
+     1078,   86, 1085, 1084,   86,   86, 1083,   86, 1082, 1087,
+     1088,   86,   86,   86,   86, 1086,   86,   86,   86, 1098,
+       86, 1091, 1093, 1099, 1089,   86, 1101, 1090,   86,   86,
+       86,   86,   86, 1092,   86, 1104, 1094, 1096, 1106, 1095,
+     1097,   86, 1100, 1105, 1102,   86,   86,   86,   86,   86,
+
+     1113, 1103, 1110,   86, 1112, 1114,   86,   86, 1108,   86,
+     1115,   86,   86,   86, 1107, 1118, 1109, 1120,   86, 1111,
+       86,   86,   86,   86,   86, 1117,   86, 1116, 1122, 1123,
+     1126,   86, 1130, 1119,   86, 1127,  170, 1128, 1121,   86,
+       86,   86, 1124, 1129, 1125, 1133, 1131,   86,   86,   86,
+       86,   86,   86, 1146, 1132,   86, 1149,   86,   86, 1147,
+     1134,   86, 1136, 1137,   86, 1151,   86, 1175,   86, 1138,
+       86, 1135, 1139,   86,   86, 1154, 1140,   86, 1141, 1148,
+     1156, 1152, 1142, 1150, 1143, 1157,   86,   86, 1153, 1144,
+       86, 1155,   86,   86, 1145,   86, 1158, 1160,   86,   86,
+
+     1163,   86,   86, 1166, 1159,   86,   86, 1162,   86, 1161,
+     1164, 1165, 1171,   86, 1173, 1167, 1174, 1170, 1172, 1169,
+       86, 1176,   86, 1168, 1177,   86,   86,   86,   86,   86,
+       86,   86,   86,   86, 1189,   86, 1192,   86,   86,   86,
+     1188, 1194, 1193,   86, 1191,   86, 1179, 1178,   86, 1180,
+       86, 1181, 1190,   86, 1200, 1195, 1182, 1196, 1183,   86,
+       86, 1199,   86,   86, 1184,   86,   86, 1197, 1201, 1185,
+     1186, 1202, 1198,   86, 1207,   86, 1187,   86,   86, 1210,
+     1203, 1204, 1208,   86, 1205,   86, 1211,   86,   86,   86,
+     1215, 1206,   86, 1213,   86,   86,   86, 1209,   86, 1216,
+
+       86,   86, 1214, 1221, 1218,   86, 1212, 1219,   86,   86,
+     1222, 1217,   86, 1224,   86,   86, 1220,   86,   86,   86,
+       86,   86,   86,   86, 1223, 1231,   86, 1229, 1226, 1228,
+     1230,   86, 1225, 1233,   86, 1227, 1237, 1232, 1234,   86,
+     1235,   86,   86, 1236,   86,   86,   86,   86,   86,  178,
+     1242, 1243, 1244, 1238,   86, 1239,   86, 1245, 1247, 1241,
+     1240,   86, 1246, 1248,   86,   86,   86, 1252,   86,   86,
+       86, 1249, 1253,   86,   86,   86, 1254, 1256, 1250, 1255,
+       86,   86, 1251, 1257,   86, 1263, 1259,   86, 1258, 1265,
+       86,   86,   86,   86, 1261,   86,   86, 1267, 1260, 1262,
+
+       86,   86,   86, 1269,   86, 1266, 1271, 1264,   86, 1272,
+     1268,   86,   86,   86, 1270,   86, 1275, 1274, 1273, 1278,
+     1276,   86,   86, 1281, 1277, 1282,   86,   86, 1280,   86,
+       86,   86,   86, 1286, 1285,   86, 1283, 1279,   86,   86,
+       86,   86,   86, 1290, 1292, 1293, 1296, 1294, 1284,   86,
+       86,   86,   86, 1287, 1291,   86,   86, 1288, 1298, 1289,
+     1295, 1297,   86,   86,   86, 1302,   86, 1299,   86, 1301,
+       86,   86,   86, 1303, 1304,   86,   86,   86,   86, 1305,
+     1309, 1300,   86,   86, 1307, 1306, 1310, 1312,   86, 1311,
+       86, 1308,   86, 1316, 1317,   86,   86, 1320,   86,   86,
+
+       86, 1319, 1314,   86,   86,   86, 1313,   86, 1325,   86,
+     1318, 1315,   86,   86,   86,   86,   86, 1323, 1322, 1331,
+       86,   86, 1321, 1327,  170, 1324,   86, 1326,   86, 1332,
+       86, 1333, 1328, 1334,   86, 1330,   86,   86,   86,   86,
+     1329, 1339, 1341,   86, 1335, 1337, 1343, 1340, 1336, 1338,
+     1344,   86,   86,   86,   86,   86,   86, 1347, 1346, 1342,
+       86,   86,   86,   86,   86, 1348,   86, 1345, 1349, 1351,
+       86,   86,   86, 1354,   86, 1350,   86, 1352, 1357,   86,
+       86,   86, 1353,   86,  176, 1355, 1358, 1361, 1363,   86,
+     1356, 1360, 1359, 1367,   86, 1368,   86, 1364,   86, 1365,
+
+     1362, 1369, 1366, 1370,   86, 1371,   86,   86,   86,   86,
+     1373,   86,   86,   86,   86,  175,   86, 1377, 1376,   86,
+     1372, 1380,   86,   86, 1384,   86, 1379, 1374,   86, 1375,
+       86,   86, 1378, 1381, 1382, 1385, 1386,   86,   86,   86,
+       86, 1383, 1388, 1389,   86,   86,   86, 1390, 1387,   86,
+       86,   86,   86,   86,   86, 1391, 1396,   86, 1394, 1392,
+       86,   86, 1403, 1397, 1393, 1395, 1401,   86,   86,   86,
+       86, 1398, 1400,   86, 1399,   86, 1402, 1404, 1406,   86,
+       86,   86, 1413,   86, 1415, 1407,   86, 1405,   86,   86,
+       86, 1409, 1408,   86, 1410,   86, 1412, 1418,   86,   86,
+
+       86, 1416,   86, 1414, 1421, 1411,   86, 1417,   86,   86,
+     1501, 1423, 1422,   86, 1420, 1419, 1424,   86,   86, 1428,
+     1426, 1425, 1427,   86, 1429,   86, 1436, 1438, 1430,   86,
+     1439, 1431, 1432,   86, 1437,   86, 1433, 1442,   86,   86,
+     1440,   86, 1434,   86, 1443,   86, 1435, 1441,   86, 1445,
+     1444,   86, 1447,   86,   86,   86, 1448, 1452, 1449,   86,
+       86,   86, 1446,   86,   86,   86, 1455,   86, 1453, 1458,
+     1459,   86, 1460, 1451, 1450,   86,   86,   86, 1456,   86,
+     1454, 1461,   86, 1457,   86, 1468,   86, 1467, 1462,   86,
+     1469, 1470, 1471, 1463,   86, 1464,   86, 1465,   86, 1466,
+
+       86, 1474, 1473,   86, 1477,   86, 1480, 1472,   86, 1478,
+       86,   86, 1476, 1481, 1479,   86,   86,   86, 1475,   86,
+     1487,   86, 1488,   86, 1483, 1482,   86,   86,   86,   86,
+       86, 1489,   86, 1486, 1491, 1484, 1485,   86,   86, 1493,
+       86, 1490, 1492,   86, 1494, 1497, 1498,   86, 1500,   86,
+     1495,   86,   86,   86, 1502,   86,   86, 1503, 1499, 1506,
+       86, 1508,   86, 1496, 1505,   86, 1509,   86,   86,   86,
+     1513,   86, 1504, 1510,   86,   86, 1507,   86,   86, 1518,
+     1516,   86,   86,   86,   86,   86, 1519,   86, 1511, 1521,
+     1512, 1520, 1515,   86, 1514,   86, 1523,   86, 1517, 1524,
+
+     1525, 1522,   86,   86,   86,   86,   86, 1527, 1529, 1530,
+     1531, 1526, 1528,   86, 1532,   86,   86,   86,   86,   86,
+     1533, 1538, 1539, 1535,   86, 1536,   86,   86,   86, 1540,
+     1542, 1541, 1537,   86, 1534,   86,   86,   86, 1546,   86,
+       86,   86, 1543,   86,  170,   86, 1548,   86, 1545,   86,
+     1554, 1555,   86,   86, 1544, 1550,   86,   86, 1556, 1551,
+     1547, 1549, 1557,   86,   86,   86,   86, 1552,   86,   86,
+       86, 1565, 1553, 1560,   86,   86,   86, 1558, 1562, 1563,
+       86, 1569,   86, 1559, 1561, 1570,   86, 1564,   86,   86,
+     1574,   86,   86, 1572, 1566, 1575,   86,   86, 1568,   86,
+
+     1567, 1577,   86,   86,   86, 1571,   86, 1578, 1573, 1576,
+       86, 1579, 1586, 1585,   86,   86,   86, 1580, 1581, 1583,
+     1587, 1582, 1584, 1588,   86, 1591, 1590,   86, 1589,   86,
+     1592,   86,   86,   86,   86, 1593,   86,   86, 1596, 1597,
+       86,   86,   86,  170,   86, 1600,   86,   86, 1605,   86,
+     1595,   86,   86, 1594, 1598, 1606, 1602, 1599,   86, 1609,
+       86, 1601, 1603,   86, 1604,   86,   86, 1607,   86,   86,
+     1610, 1608,   86,   86,   86,   86,   86, 1612, 1616, 1611,
+       86, 1613, 1617, 1614,   86, 1618,   86, 1622, 1615,   86,
+     1619, 1623,   86, 1621, 1627, 1620,   86, 1626, 1624, 1628,
+
+       86,   86,   86, 1630,   86,   86, 1631,   86,   86,   86,
+     1632,   86, 1625, 1636, 1637, 1629, 1635, 1638,   86,   86,
+       86,   86, 1639,   86, 1633,   86, 1640, 1641,   86,   86,
+     1634,   86,   86, 1642,   86,   86, 1644,   86,   86,   86,
+     1643,   86, 1649,   86, 1645, 1648,   86, 1651, 1646,   86,
+     1647, 1652,   86, 1655,   86, 1657,   86, 1650, 1656,   86,
+     1658,   86, 1654, 1653,   86, 1660,   86,   86,   86,   86,
+       86, 1664, 1659, 1661, 1668, 1662, 1663,   86,   86,   86,
+       86,   86, 1669,   86, 1672,   86, 1675, 1665, 1667, 1666,
+       86, 1674,   86,   86,   86,   86,   86,   86, 1670,   86,
+
+     1673,   86, 1676,   86, 1683, 1671,   86,   86,   86, 1684,
+     1680, 1687, 1677, 1678, 1679,   86, 1682,   86, 1681, 1688,
+       86, 1689,   86,   86, 1693,   86, 1685, 1686, 1690, 1691,
+     1692,   86,   86,   86, 1695,   86,   86,   86, 1696,   86,
+       86, 1699, 1703,   86, 1694, 1704, 1705,   86, 1700,   86,
+       86, 1697,   86, 1698, 1708, 1702,   86, 1701,   86,   86,
+     1709,   86, 1706, 1707,   86, 1710,   86,   86, 1715, 1716,
+       86,   86,  168, 1713,   86,   86,   86, 1712, 1711,   86,
+     1719,   86, 1720, 1721,   86, 1717, 1714, 1723,   86,   86,
+       86,   86, 1718, 1724, 1725,   86, 1722,   86,   86, 1730,
+
+     1726, 1728,   86,   86,   86, 1733,   86, 1727,   86,   86,
+       86, 1731,   86,   86, 1739, 1737,   86,   86, 1729,   86,
+       86, 1734,   86, 1732,   86, 1740, 1738,   86, 1736, 1735,
+       86, 1745,   86,   86, 1742, 1741,   86,   86, 1746, 1750,
+       86, 1748, 1744,   86,   86, 1743,   86, 1751, 1749, 1754,
+     1747,   86, 1753,   86,   86,   86,   86, 1752, 1757, 1761,
+     1759, 1760,   86, 1755, 1756, 1758,   86,   86,  170,   86,
+       86,   86, 1763,   86,   86,   86, 1771,   86,   86, 1762,
+       86,   86, 1772, 1777, 1764, 1766,   86, 1765, 1769, 1767,
+     1768, 1775,   86,   86,   86, 1776, 1779,   86, 1770, 1781,
+
+     1773, 1774, 1780,   86, 1783,   86,   86, 1785,   86,   86,
+       86,   86,   86, 1778,   86,   86, 1790, 1787,   86, 1788,
+     1784,   86, 1791, 1782,   86,   86,   86,   86, 1786, 1795,
+       86, 1796, 1792,   86,   86,   86, 1789, 1803,   86,  166,
+     1794, 1800, 1793,   86, 1801, 1797, 1798,   86,   86,   86,
+       86, 1805, 1804, 1799,   86, 1808, 1802, 1810, 1807, 1812,
+     1809, 1811,   86, 1813, 1817,   86,   86, 1806,   86,   86,
+       86, 1814,   86, 1815,   86, 1816,   86,   86,   86,   86,
+       86, 1818, 1824, 1823,   86, 1825, 1820, 1827,   86, 1826,
+     1819,   86,   86,   86,   86,   86,   86, 1821,   86, 1822,
+
+     1829, 1830,   86, 1831,   86,   86,   86,   86,   86,   86,
+       86,   86, 1832,   86,   86, 1828, 1833, 1841,   86,   86,
+     1836, 1837, 1838, 1834,   86, 1835, 1842, 1839,   86,   86,
+     1843, 1845,   86, 1848, 1849, 1840, 1844,   86, 1851,   86,
+     1846,   86,   86, 1854,   86, 1847,   86,   86,   86,   86,
+     1858,   86, 1856, 1850,   86, 1852,   86,   86,   86,   86,
+     1857,   86,   86, 1853,   86, 1860, 1855, 1863, 1865, 1859,
+       86,   86,  165, 1866, 1864, 1862, 1867,   86, 1868,   86,
+     1861,   86, 1872, 1873,   86, 1869, 1874,   86,   86, 1875,
+     1870, 1877, 1878,   86,   86,   86, 1871,   86,   86, 1876,
+
+       86, 1882, 1881,   86,   86, 1883,   86, 1879,   86,   86,
+       86, 1891, 1892,   86, 1880, 1886,   86,   86, 1888, 1890,
+     1885, 1889, 1884,   86,   86,   86,   86, 1887, 1898,   86,
+       86,   86,   86, 1899,   86, 1900, 1893, 1894,   86, 1896,
+       86, 1895, 1897, 1901,   86, 1904,   86, 1906,   86, 1908,
+     1903, 1907,   86,   86, 1902,   86, 1905,   86, 1912,   86,
+     1916, 1910,   86, 1909, 1911, 1917,   86,   86,   86,   86,
+       86, 1924,   86, 1913, 1921, 1922, 1918, 1915, 1914, 1925,
+       86,   86, 1919,   86,   86,   86, 1928,   86, 1923, 1926,
+     1920,   86,   86, 1929, 1927, 1932,   86,   86, 1936,   86,
+
+     1934,   86,   86, 1930,   86, 1931, 1935, 1937,   86, 1933,
+       86,   86,   86,   86,   86,   86, 1941,   86, 1940,   86,
+     1950, 1938, 1942, 1944,   86, 1943,   86, 1939, 1945, 1948,
+       86, 1946, 1951, 1947, 1953,   86,   86, 1952,   86,   86,
+       86, 1957,   86, 1959,   86,   86,   86,   86,   86,   86,
+       86, 1949, 1963,   86, 1965,   86, 1954, 1955, 1958, 1956,
+     1966,   86, 1961,   86,   86, 1962, 1960,   86, 1964, 1968,
+       86,   86, 1969,   86,   86,  170, 1974,   86,   86, 1970,
+       86, 1967, 1972, 1973, 1977,   86, 1971, 1975,   86, 1981,
+       86,   86, 1976,   86,   86,   86,   86, 1978,   86, 1980,
+
+     1979, 1983,   86, 1988,   86, 1982,   86, 1984, 1985,   86,
+       86, 1995, 1986,   86, 1989, 2000, 1991,   86, 1987, 1992,
+       86,   86, 1990,   86, 1993, 1994,   86, 1997, 1998,   86,
+       86,   86, 1996,   86, 2001,   86,   86, 2002,   86,   86,
+       86,   86, 1999,   86, 2006, 2007,   86,   86,   86,   86,
+     2008,   86, 2011,   86, 2004, 2009, 2005, 2003, 2012,   86,
+       86, 2010, 2019,   86, 2017, 2015, 2018, 2020, 2014,   86,
+       86, 2013, 2016,   86, 2021,   86,   86,   86,   86, 2026,
+       86, 2029, 2030,   86, 2031,   86,   86,   86, 2022, 2023,
+       86, 2024, 2027,   86, 2028,   86, 2025, 2033,   86,   86,
+
+     2034, 2037,   86,   86, 2039,   86, 2032, 2038, 2035,   86,
+       86, 2036, 2040, 2041, 2043, 2048,   86,   86, 2045,   86,
+       86, 2044,   86, 2042,   86, 2046, 2047,   86,   86, 2049,
+     2050,   86, 2051,   86,   86,   86, 2055,   86, 2053, 2054,
+     2057,   86, 2056,   86,   86,   86,   86,   86,  163, 2052,
+     2065,   86, 2067, 2058, 2059, 2060,   86, 2068,   86,   86,
+     2061,   86, 2063, 2062,   86, 2064, 2070, 2066,   86, 2074,
+     2071,   86, 2072, 2069,   86,   86,   86, 2078,   86, 2073,
+     2075,   86,   86, 2080,   86,   86,   86,   86, 2083, 2084,
+       86, 2086,   86,   86, 2076,   86, 2091, 2077,   86,   86,
+
+       86,   86,   86,   86, 2081, 2085,   86, 2079, 2082, 2088,
+     2089, 2093,   86,   86, 2092,   86, 2090,   86, 2087,   86,
+     2094, 2095, 2096,   86, 2099,   86, 2097, 2103,   86, 2098,
+     2102,   86,   86,   86, 2106, 2101, 2109,   86, 2105, 2100,
+       86,   86,   86, 2107, 2110,   86, 2112,   86, 2104,   86,
+       86, 2108, 2111,   86,   86,   86,   86, 2116,   86, 2119,
+     2120, 2121, 2115,   86,   86,   86,   86,   86,   86, 2113,
+       86,   86, 2114, 2117, 2124,   86, 2129,   86,   86, 2123,
+     2128,   86, 2118, 2122,   86, 2126,   86, 2130, 2133,   86,
+     2125,   86, 2134, 2127,   86, 2135, 2131, 2132, 2137,   86,
+
+       86,   86,   86, 2136, 2138, 2141,   86, 2142,   86,   86,
+       86,   86, 2139, 2148, 2145,   86, 2143, 2140,   86,   86,
+       86,   86,   86, 2151, 2153,   86, 2155, 2144,   86, 2154,
+     2146, 2147,   86, 2149, 2152, 2150,   86,   86, 2160,   86,
+     2162, 2156, 2161,   86, 2164, 2163,   86, 2157, 2165,   86,
+       86,   86, 2158,   86,   86, 2169, 2167, 2159,   86,   86,
+       86,   86,   86, 2171,   86, 2168,   86, 2173, 2175,   86,
+     2170, 2177, 2172,   86,   86, 2166,  170,   86, 2178,   86,
+       86, 2181,   86,   86,   86,   86, 2176, 2174, 2179, 2185,
+       86, 2187, 2182, 2180, 2183,   86, 2188,   86, 2186, 2189,
+
+       86, 2191, 2184,   86,   86, 2190,   86,   86,   86, 2192,
+     2194, 2193,   86,   86,   86, 2197,   86, 2195, 2196,   86,
+     2199,   86,   86, 2203,   86,   86, 2198, 2202, 2200,   86,
+       86,   86, 2207, 2201, 2204, 2205, 2206, 2208,   86,   86,
+       86,   86,   86,   86, 2215, 2213,   86,   86,   86, 2210,
+       86, 2214,   86,   86,   86, 2220,   86, 2217,   86, 2209,
+     2211,   86, 2212,   86,   86, 2216, 2221, 2219,   86, 2225,
+     2218,   86, 2223, 2226, 2222,   86,   86,   86, 2224,   86,
+     2229,   86, 2228, 2227, 2231,   86,   86,   86, 2237, 2230,
+     2232,   86,   86, 2233,   86, 2234, 2235,   86, 2239,   86,
+
+     2236, 2240, 2242,   86,   86, 2244,   86,   86, 2238,   86,
+     2241, 2248, 2243,   86, 2245, 2247,   86,   86,   86,   86,
+       86,   86, 2253, 2250,   86,   86,   86,   86,   86,   86,
+     2246,   86, 2249, 2254,   86,   86,   86, 2262, 2256, 2257,
+     2252, 2251,   86, 2258,   86,   86, 2255, 2259,   86, 2261,
+     2263, 2267,   86,   86,   86, 2260, 2264, 2266,   86, 2271,
+       86, 2270, 2268,   86,   86, 2265,   86,   86, 2269, 2273,
+       86, 2276, 2274, 2272, 2277,   86,   86,   86, 2275,   86,
+       86, 2279, 2282,   86, 2278, 2280, 2284,   86,   86, 2281,
+     2285,   86,   86, 2287,   86,   86, 2289, 2286, 2283,   86,
+
+     2291, 2290,   86,   86,   86, 2295,   86, 2292,   86,   86,
+     2299,   86,   86, 2288, 2296, 2300,   86,   86,   86, 2297,
+     2298, 2293, 2304,   86, 2294, 2301,   86, 2305,   86,   86,
+     2308, 2302, 2303,   86,   86,   86,   86, 2310, 2309,   86,
+     2314,   86,   86, 2306,   86, 2316,   86, 2312,   86, 2307,
+       86, 2317, 2311,   86, 2315, 2313,   86, 2318, 2319,   86,
+       86, 2323,   86,   86, 2320, 2321, 2325,   86, 2322,   86,
+       86, 2326,   86,   86, 2327, 2329, 2328,   86, 2331,   86,
+       86, 2324, 2330,   86, 2332, 2336,   86,   86,   86, 2334,
+     2333,   86, 2335,   86,   86,   86,   86,   86, 2337,   86,
+
+     2343,   86,   86,   86, 2339, 2338, 2347, 2341, 2344, 2342,
+       86, 2345, 2349,   86,   86, 2348, 2340, 2346,   86, 2350,
+     2352,   86,   86, 2358,   86, 2353,   86,   86, 2360,   86,
+       86,   86, 2351, 2354,   86, 2357, 2359,   86, 2363, 2355,
+       86,   86, 2364, 2367,  170,   86, 2369, 2356, 2361,   86,
+     2362, 2370,   86, 2365,   86, 2371, 2372, 2373,   86,   86,
+     2366,   86,   86, 2376,   86, 2375, 2368, 2374,   86, 2377,
+       86, 2381,   86,   86, 2382,   86, 2384,   86, 2385, 2380,
+       86, 2387, 2386, 2378,   86, 2388,   86, 2383,   86, 2390,
+       86,   86,   86, 2389, 2379,   86, 2391,   86,   86,   86,
+
+       86, 2393,   86,   86, 2396,   86,   86,   86, 2399,   86,
+     2392, 2394,   86,   86, 2403, 2398, 2405,   86,   86,   86,
+       86, 2401, 2406, 2395, 2400, 2397,   86, 2402, 2407,   86,
+       86, 2408,   86,   86, 2404,   86,   86, 2413, 2410, 2416,
+       86, 2411,   86,   86, 2417, 2409, 2414,   86,   86, 2412,
+       86,   86,   86, 2415,   86,   86,   86,   86, 2426,   86,
+       86, 2418, 2419, 2424,   86, 2430, 2433,   86, 2428, 2422,
+     2420, 2427, 2421, 2423, 2429, 2425,   86, 2432, 2431,   86,
+       86,   86,   86, 2435, 2434,   86,   86, 2439, 2440,   86,
+       86,   86, 2441,  161, 2436,   86, 2437,   86, 2438, 2442,
+
+       86,   86, 2445,   86, 2448,   86, 2443,   86, 2444, 2449,
+       86,   86, 2446,   86,   86, 2447, 2450, 2452, 2451, 2455,
+       86, 2456,   86,   86, 2458,   86, 2454, 2453,   86, 2460,
+       86,   86,   86, 2463,   86,   86, 2462, 2464,   86,   86,
+       86,   86, 2457,   86,   86,   86, 2459, 2461, 2466, 2465,
+     2470, 2471,   86, 2473,   86, 2468,   86, 2467,   86,   86,
+     2477,   86, 2469, 2472, 2475,   86, 2479,   86, 2476,   86,
+       86,   86, 2482,   86, 2474, 2478, 2485,   86,   86,   86,
+     2480,   86,   86,   86, 2481,   86, 2483, 2489, 2490,   86,
+     2492,   86, 2484,   86, 2495,   86, 2488,   86, 2486,   86,
+
+       86, 2491, 2487,   86,   86,   86, 2493, 2497, 2494,   86,
+     2502,   86,   86, 2498, 2504,   86,   86, 2496, 2505, 2508,
+     2503, 2499, 2500,   86,   86,   86,   86,   86, 2509, 2510,
+       86, 2501, 2511, 2506,   86, 2507,   86,   86,   86, 2513,
+       86, 2515, 2517, 2518, 2520,   86, 2521,   86, 2512,   86,
+       86, 2514,   86, 2524, 2525, 2519,   86,   86,   86,   86,
+     2516, 2526, 2523,   86,   86,   86, 2522, 2529,   86,   86,
+       86, 2528, 2530, 2535, 2531, 2536,   86, 2532, 2533,   86,
+     2537,   86, 2527,   86, 2534,   86,   86,   86, 2541,   86,
+     2542,   86, 2543,   86, 2546, 2540,   86,  170, 2545,   86,
+
+     2544,   86, 2547, 2538,   86, 2539, 2552,   86,   86,   86,
+       86,   86,   86,   86,   86, 2563,   86, 2550, 2554, 2548,
+     2551, 2549, 2555, 2553, 2558,   86,   86, 2556, 2557, 2559,
+     2560,   86,   86, 2564, 2561, 2565,   86,   86,   86,   86,
+     2566, 2568, 2569, 2562, 2567,   86,   86,   86,   86, 2571,
+       86,   86, 2572,   86, 2570,   86, 2573, 2578, 2574,   86,
+     2577,   86,   86,   86,   86, 2575,   86, 2580, 2581, 2582,
+     2583,   86, 2576,   86,   86, 2579,   86,   86, 2584,   86,
+       86, 2589,   86, 2585, 2588, 2586,   86,   86,   86,   86,
+       86, 2591, 2590,   86, 2595,   86, 2598, 2587,   86,   86,
+
+     2597,   86,   86, 2594, 2599,   86, 2600, 2592, 2593,   86,
+       86,   86,   86, 2596,   86, 2604,   86, 2601, 2606,   86,
+     2602, 2609,   86, 2610, 2607,   86,   86,   86, 2603,   86,
+     2608, 2613, 2605, 2611,   86,   86, 2612,   86, 2615,   86,
+     2614,   86, 2616,   86, 2618, 2619, 2620, 2621, 2622,   86,
+       86,   86,   86, 2617, 2624,   86,   86,   86,   86, 2623,
+       86,   86,   86, 2628, 2633,   86,   86, 2631,   86, 2625,
+     2626, 2632, 2635, 2627, 2634,   86,   86, 2636,   86,   86,
+       86,   86, 2630,   86, 2637, 2639, 2629,   86, 2644,   86,
+     2641,   86, 2646,   86,   86, 2642,   86,   86,   86,   86,
+
+     2640, 2638, 2645, 2643, 2649,   86,   86,   86, 2653, 2650,
+       86, 2648, 2647, 2654,   86, 2655, 2651, 2652,   86,   86,
+       86,   86,   86, 2659,   86, 2658,   86,   86, 2657,   86,
+       86,   86, 2663, 2703, 2662,   86, 2656,   86, 2660,   86,
+     2661,   86, 2666, 2667,   86, 2668,   86, 2669,   86, 2664,
+     2665, 2670,   86, 2671,   86,   86, 2674, 2672,   86, 2673,
+       86, 2675,   86,   86,   86,   86,   86,   86, 2682,   86,
+     2676, 2684,   86, 2685,   86, 2678,   86,   86,   86,   86,
+       86,   86, 2677, 2681, 2679, 2683, 2680, 2686, 2688, 2687,
+     2689,   86,   86, 2694,   86,   86, 2691, 2696,   86, 2690,
+
+     2692,   86,   86,   86, 2695,   86,   86,  170,   86,   86,
+     2705,   86, 2693,   86,   86,   86, 2699,   86,   86, 2704,
+     2701,   86, 2698, 2706, 2712,   86, 2707, 2697, 2708, 2700,
+     2702,   86,   86, 2709, 2729,   86,   86, 2714,   86, 2710,
+     2715, 2711, 2716,   86,   86, 2713, 2717,   86,   86, 2718,
+       86, 2719,   86, 2720, 2721, 2722,   86, 2723,   86,   86,
+       86,   86,   86,   86, 2731,   86,   86,   86,   86,   86,
+     2735, 2724, 2736,   86,   86, 2740,   86, 2726, 2725, 2742,
+       86, 2728, 2727, 2730, 2733, 2732, 2734,   86, 2737, 2738,
+       86,   86,   86,   86,   86,   86, 2739,   86,   86, 2741,
+
+     2745,   86,   86, 3483,   86, 2752,   86, 2753,   86, 2743,
+     2744, 2751, 2746, 2747, 2754,   86, 2748, 2749,   86, 2757,
+       86, 2750, 2758,   86, 2756, 2759,   86,   86,   86,   86,
+       86,   86,   86, 2755,   86, 2764,   86,   86,   86, 2768,
+     2770, 2767, 2761, 2763, 2760, 2769,   86, 2762, 2771,   86,
+       86,   86, 2765,   86, 2766,   86,   86,   86,   86,   86,
+     2773,   86, 2777, 2778,   86,   86,   86, 2775, 2782, 2772,
+     2783,   86, 2774,   86, 2786,   86, 2776,   86,   86, 2779,
+     2780, 2784,   86,   86, 2781,   86, 2789,   86, 2787, 2791,
+       86, 2785,   86, 2788, 2792,   86,   86,   86, 2790,   86,
+
+     2793, 2797,   86,   86,   86, 2794,   86, 2800, 2799, 2798,
+     2801,   86, 2795, 2803,   86,   86, 2796,   86,   86,   86,
+     2804,   86, 2806, 2802, 2809,   86, 2805,   86, 2810,   86,
+     2807, 2812,   86,   86,   86,   86,   86,   86,   86, 2808,
+     2818,   86, 2813, 2811, 2815, 2816, 2814, 2817, 2821,   86,
+       86,   86, 2820,   86, 2819, 2822, 2823,   86,   86,   86,
+       86,   86, 2825,   86,   86,   86, 2826, 2824,   86, 2828,
+     2831, 2829,   86, 2832, 2834,   86, 2830, 2836, 2827, 2833,
+     2835,   86,   86, 2838,  170,   86,   86,   86,   86, 2843,
+     3483, 2840, 2839,   86,   86,   86,   86, 2845, 2844,   86,
+
+       86, 2837, 2848,   86, 2847, 2841, 2842, 2849,   86, 2846,
+     2851,   86,   86, 2850, 2853, 2852,   86,   86,   86, 2854,
+       86, 2855, 2856, 2858,   86,   86,   86,   86, 2859,   86,
+     2860,   86, 2857,   86, 2865, 2861,   86, 2866,   86, 2863,
+       86, 2867, 2862,   86,   86,   86,   86,   86, 2871,   86,
+     2868, 2869, 2870,   86, 2864,   86,   86,   86, 2872,   86,
+     2873, 2874,   86,   86, 2879,   86, 2876, 2875, 2877,   86,
+       86, 2878, 2883,   86, 2880, 2881, 2885,   86,   86, 2884,
+       86, 2888,   86,   86,   86,   86,   86, 2882, 2893,   86,
+     2889,   86,   86,   86, 2891,   86,   86, 2886,   86, 2887,
+
+     2897, 2892, 2900, 2890, 2898,   86, 2901, 2895,   86, 2903,
+     2894,   86,   86, 2896,   86,   86, 2902, 2904,   86, 2905,
+     2899,   86,   86, 2907, 2909,   86, 2906,   86, 2910,   86,
+       86, 2911,   86,   86, 2914, 2908,   86, 2916,   86, 2917,
+       86, 2918,   86, 2912,   86,   86,   86, 2913, 2919,   86,
+     2920, 2921,   86,   86, 2915,   86,   86, 2925, 2923,   86,
+     2929, 2924, 2926,   86, 2930,   86, 2922, 2927, 2931,   86,
+       86,   86,   86, 2932, 2935,   86, 2928,   86,   86, 2938,
+       86,   86, 2939,   86, 2933, 2934, 2940,   86,   86, 2942,
+       86,   86,   86, 2946,   86, 2936, 2943,   86, 2937,   86,
+
+     2947,   86, 2950, 2941,   86, 2949, 2945, 2951, 2948, 2944,
+       86,   86, 2952,   86,   86,   86, 2957, 2953,   86,   86,
+       86, 2956,   86, 2959, 2960,   86,   86,   86, 2962,   86,
+     2954, 2961, 2963,   86, 2955,   86, 2965,   86, 2966,   86,
+     2969,   86,   86, 2958,   86, 2973,   86,   86,   86, 2980,
+       86,   86, 2964,   86, 2981,   86, 2967, 2968, 2972, 2970,
+       86, 2974, 2971, 2975, 2977,   86,   86, 2978, 3020, 2982,
+     2984, 2976,   86, 2979, 2983,   86, 2985,   86,   86, 2986,
+       86, 2987,   86, 2988,   86, 2989,   86,   86, 2990,   86,
+       86, 2991, 2993,   86,   86, 2995,   86,   86,   86, 2997,
+
+     3001,   86,   86, 2994,   86, 2998, 3483, 2992, 3002,   86,
+       86, 3006, 2996, 3003, 3005,   86,   86, 2999, 3000,   86,
+     3004, 3007,   86,   86, 3008, 3009,   86,   86,   86,   86,
+     3015,   86, 3010,   86, 3014,   86, 3011, 3012, 3013, 3016,
+       86,   86, 3017, 3021,   86,   86,   86,   86, 3022,   86,
+     3025,   86, 3019,   86, 3024,   86, 3026, 3023,   86, 3018,
+     3027,   86, 3028,   86, 3032,   86,   86, 3029,   86,   86,
+     3034,   86, 3030, 3031, 3036, 3033,   86, 3039,   86,   86,
+     3037,   86,   86,   86,   86, 3044, 3042, 3043,   86,   86,
+     3040,   86,   86, 3035, 3046,   86, 3038, 3045,   86, 3049,
+
+     3041,   86, 3050, 3483, 3047,   86, 3048, 3051,   86, 3052,
+       86, 3053,   86,   86, 3054, 3055, 3058,   86, 3057,   86,
+     3056,   86,   86,   86, 3059,   86, 3060, 3061,   86,   86,
+       86,   86, 3067,   86, 3065, 3062, 3483, 3063,   86, 3069,
+       86,   86,   86,   86, 3064, 3070,   86, 3071, 3066,   86,
+     3073, 3072, 3074,   86,   86,   86, 3068,   86, 3075, 3078,
+       86,   86,   86,   86, 3082, 3081,   86,   86, 3076,   86,
+     3079,   86, 3086,   86, 3077, 3080,   86, 3085,   86, 3083,
+       86, 3088, 3089, 3092,   86, 3084,   86, 3094,   86, 3095,
+       86, 3087,   86,   86, 3090, 3097,   86,   86,   86,   86,
+
+       86,   86, 3100,   86, 3091, 3093, 3102, 3103,   86, 3098,
+     3106,   86, 3105, 3096, 3099, 3101,   86,   86,   86, 3109,
+     3104,   86,   86, 3112,   86,   86, 3114,   86,   86, 3117,
+       86,   86,   86, 3115, 3107, 3110, 3108, 3118,   86,   86,
+       86, 3111, 3121,   86,   86, 3113, 3119,   86, 3126, 3116,
+       86, 3123,   86, 3124,   86,   86, 3130,   86,   86, 3120,
+       86,   86, 3122, 3132, 3128,   86,   86, 3125, 3133, 3127,
+       86, 3134,   86, 3131, 3137, 3129, 3138,   86, 3135,   86,
+       86, 3136, 3139, 3140, 3143,   86,   86,   86,   86,   86,
+     3141, 3142, 3144, 3146,   86, 3149,   86,   86,   86,   86,
+
+       86,   86, 3154,   86,   86,   86,   86, 3145,   86, 3150,
+       86, 3147, 3148, 3160, 3153, 3157, 3151, 3158,   86, 3159,
+       86, 3156,   86, 3155, 3161, 3152,   86, 3162, 3163,   86,
+     3164,   86, 3165,   86, 3166,   86,   86, 3169,   86, 3167,
+       86, 3171,   86,   86,   86, 3170,   86,   86,   86,   86,
+     3177, 3178,   86,   86,   86,   86,   86, 3172, 3184,   86,
+     3185,   86, 3168,   86,   86, 3186, 3173, 3175, 3174, 3176,
+     3181,   86, 3183, 3180,   86, 3182,   86,   86,   86, 3179,
+       86, 3189, 3191,   86, 3187, 3192,   86,   86,   86, 3195,
+     3196,   86, 3193, 3188, 3194,   86, 3197,   86, 3190, 3198,
+
+       86,   86, 3199,   86,   86, 3200,   86,   86, 3201,   86,
+       86, 3202, 3204,   86,   86, 3206,   86,   86, 3205,   86,
+     3483, 3207,   86,   86, 3203,   86,   86,   86,   86, 3208,
+       86, 3216, 3217, 3220, 3209, 3211, 3210, 3219, 3212, 3218,
+     3213, 3214,   86,   86,   86, 3222, 3215, 3224,   86,   86,
+     3221, 3225,   86, 3226, 3227,   86,   86, 3223,   86, 3230,
+       86, 3228, 3231,   86, 3232, 3233,   86,   86, 3234, 3235,
+     3239,   86, 3236,   86,   86, 3237, 3238, 3229,   86, 3240,
+       86, 3242,   86,   86,   86,   86,   86,   86,   86, 3241,
+     3248,   86, 3247,   86,   86,   86,   86,   86, 3244,   86,
+
+     3252, 3243, 3251, 3253,   86, 3245, 3246,   86, 3249, 3256,
+     3257,   86, 3254,   86, 3259,   86, 3258, 3255, 3250, 3260,
+       86, 3261,   86,   86,   86,   86, 3266,   86, 3263, 3268,
+     3262, 3267,   86, 3264,   86,   86, 3265,   86,   86,   86,
+     3275,   86, 3270, 3272, 3273, 3276,   86, 3278,   86,   86,
+     3269,   86, 3277, 3279,   86, 3271, 3274,   86, 3282,   86,
+     3283,   86, 3281,   86, 3280, 3285,   86, 3286,   86, 3287,
+       86,   86, 3284, 3288,   86, 3289,   86, 3290,   86, 3291,
+       86, 3292,   86,   86, 3295,   86,   86,   86,   86, 3299,
+       86,   86, 3294, 3301,   86, 3296,   86, 3293,   86, 3297,
+
+       86,   86,   86,   86, 3305, 3306,   86,   86, 3298,   86,
+     3300, 3302, 3310, 3303, 3304,   86, 3307, 3308,   86,   86,
+     3312, 3315,   86,   86, 3311, 3309, 3314,   86,   86,   86,
+       86,   86,   86, 3313, 3317,   86, 3316, 3321,   86,   86,
+       86, 3322, 3323,   86,   86,   86, 3327, 3318, 3319, 3326,
+       86, 3320, 3329,   86, 3324, 3330,   86,   86, 3328, 3331,
+       86,   86,   86,   86,   86,   86, 3325, 3334,   86,   86,
+     3333,   86,   86, 3332, 3339,   86, 3336, 3335,   86, 3338,
+     3340,   86, 3342,   86, 3344, 3343, 3341, 3337,   86,   86,
+       86,   86,   86, 3345,   86,   86,   86, 3351,   86, 3346,
+
+     3349, 3353, 3350,   86, 3348, 3354,   86,   86, 3356, 3357,
+     3359,   86,   86, 3347,   86, 3352, 3361,   86, 3355,   86,
+     3362, 3360, 3363,   86, 3364,   86,   86, 3358,   86,   86,
+       86, 3367,   86, 3365, 3368, 3369,   86, 3372,   86,   86,
+       86,   86,   86,   86, 3375,   86, 3366, 3376,   86, 3378,
+       86, 3371, 3373, 3374, 3379,   86,   86, 3370, 3382,   86,
+     3377, 3381,   86, 3384, 3385,   86,   86, 3386,   86,   86,
+       86, 3380, 3389, 3390,   86,   86, 3387, 3383,   86,   86,
+       86, 3395,   86,   86, 3391, 3394,   86, 3392, 3388, 3396,
+       86,   86,   86,   86, 3393,   86, 3400,   86,   86,   86,
+
+     3402,   86,   86,   86, 3397, 3399, 3398, 3407, 3408, 3409,
+       86, 3404, 3405, 3401,   86,   86, 3403,   86, 3413,   86,
+     3406,   86, 3415,   86, 3416,   86, 3414,   86,   86,   86,
+     3417, 3421, 3418, 3411, 3410,   86, 3412,   86, 3422,   86,
+     3419,   86, 3424,   86,   86,   86, 3423,   86, 3420, 3425,
+       86,   86, 3430,   86, 3427,   86,   86, 3433,   86, 3434,
+       86,   86,   86, 3426,   86,   86, 3437,   86, 3432, 3428,
+     3429, 3435, 3431,   86, 3436,   86, 3441,   86, 3442,   86,
+     3440,   86, 3445, 3438, 3439,   86,   86, 3447,   86, 3448,
+     3443,   86,   86,   86, 3452,   86, 3449,   86,   86, 3450,
+
+     3454,   86, 3453,   86, 3446, 3444, 3455,   86, 3456,   86,
+     3457,   86, 3451,   86, 3461,   86, 3459,   86,   86,   86,
+       86,   86,   86, 3463, 3464,   86, 3467,   86, 3458, 3468,
+       86, 3483, 3460,   86, 3471,   86, 3462, 3472,   86, 3465,
+     3466, 3469, 3473, 3474,   86,   86, 3470, 3475,   86,   86,
+       86,   86, 3476,   86, 3477, 3478, 3481,   86, 3482,   86,
+     3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483,
+     3479, 3483, 3480,   47,   47,   47,   47,   47,   47,   47,
+       52,   52,   52,   52,   52,   52,   52,   57,   57,   57,
+       57,   57,   57,   57,   63,   63,   63,   63,   63,   63,
+
+       63,   68,   68,   68,   68,   68,   68,   68,   74,   74,
+       74,   74,   74,   74,   74,   80,   80,   80,   80,   80,
+       80,   80,   89,   89, 3483,   89,   89,   89,   89,  160,
+      160, 3483, 3483, 3483,  160,  160,  162,  162, 3483, 3483,
+      162, 3483,  162,  164, 3483, 3483, 3483, 3483, 3483,  164,
+      167,  167, 3483, 3483, 3483,  167,  167,  169, 3483, 3483,
+     3483, 3483, 3483,  169,  171,  171, 3483,  171,  171,  171,
+      171,  174, 3483, 3483, 3483, 3483, 3483,  174,  177,  177,
+     3483, 3483, 3483,  177,  177,   90,   90, 3483,   90,   90,
+       90,   90,   17, 3483, 3483, 3483, 3483, 3483, 3483, 3483,
+
+     3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483,
+     3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483,
+     3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483,
+     3483, 3483, 3483
     } ;
 
-static yyconst flex_int16_t yy_chk[6588] =
+static yyconst flex_int16_t yy_chk[6834] =
     {   0,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
@@ -2278,18 +2350,18 @@ static yyconst flex_int16_t yy_chk[6588] =
         5,    3,    6,   24,    4,   24,   24,    5,   24,    6,
         7,    7,    7,    7,   24,    7,    8,    8,    8,    8,
        33,    8,    7,    9,    9,    9,   26,   26,    8,   10,
-       10,   10,   19,   29,    9,   33,   19,   29, 3361,   35,
+       10,   10,   19,   29,    9,   33,   19,   29, 3491,   35,
        10,   11,   11,   11,   11,   11,   11,   13,   13,   13,
 
        13,   34,   13,   11,   35,   99,   34,   29,   38,   13,
        51,   51,   11,   12,   12,   12,   12,   12,   12,   14,
        14,   14,   14,   99,   14,   12,   15,   15,   15,   38,
        23,   14,   23,   23,   12,   23,   46,   15,   16,   16,
-       16,   23,   23,   25,   27,   27,   25,   25, 2735,   16,
+       16,   23,   23,   25,   27,   27,   25,   25, 2838,   16,
        25,   46,   27,   30,   30,   25,   27,   56,   40,   27,
        56,   73,   31,   31,   25,   28,   67,   67,   30,   32,
        28,   31,   40,   32,   28,   73,   32,   28,   92,   28,
-       28,   92,   31,   32, 1099,   32,   36,   36,   37,   37,
+       28,   92,   31,   32, 1127,   32,   36,   36,   37,   37,
        28,   45,   45,   37,   97,   36,   45,   97,   41,   41,
 
        45,   36,   87,   41,   93,   36,   87,   37,   93,   37,
@@ -2328,9 +2400,9 @@ static yyconst flex_int16_t yy_chk[6588] =
       200,  201,  202,  197,  203,  204,  201,  202,  205,  197,
       197,  199,  196,  206,  205,  207,  203,  206,  208,  200,
       207,  209,  213,  210,  211,  204,  214,  213,  216,  217,
-      551,  214,  218,  216,  208,  209,  211,  205,  210,  211,
+      556,  214,  218,  216,  208,  209,  211,  205,  210,  211,
       215,  215,  220,  220,  215,  219,  215,  221,  218,  217,
-      222,  219,  223,  221,  551,  224,  222,  227,  215,  221,
+      222,  219,  223,  221,  556,  224,  222,  227,  215,  221,
       215,  224,  225,  227,  228,  229,  230,  231,  225,  228,
       230,  229,  223,  231,  232,  234,  233,  225,  235,  236,
       237,  232,  233,  238,  235,  239,  237,  240,  234,  241,
@@ -2354,646 +2426,674 @@ static yyconst flex_int16_t yy_chk[6588] =
       313,  315,  316,  319,  311,  312,  317,  317,  314,  318,
       308,  321,  318,  320,  322,  316,  324,  320,  323,  323,
       313,  319,  315,  325,  312,  326,  325,  327,  328,  329,
-      321,  328,  322,  327,  324,  333,  331,  326,  366,  332,
-      333,  329,  336,  325,  330,  331,  334,  335,  337,  334,
-      335,  334,  366,  330,  169,  336,  330,  332,  341,  341,
-
-      337,  330,  330,  330,  330,  339,  338,  334,  338,  338,
-      339,  339,  340,  342,  343,  340,  345,  344,  346,  347,
-      347,  348,  349,  349,  351,  345,  348,  346,  353,  343,
-      342,  350,  350,  342,  344,  344,  352,  354,  355,  351,
-      353,  352,  356,  357,  360,  167,  361,  358,  358,  357,
-      358,  361,  369,  369,  362,  166,  354,  356,  355,  358,
-      362,  363,  364,  394,  360,  365,  363,  364,  365,  367,
-      365,  368,  367,  364,  372,  370,  371,  371,  375,  372,
-      368,  370,  377,  373,  378,  367,  373,  379,  367,  394,
-      367,  376,  373,  382,  376,  384,  373,  377,  375,  378,
-
-      381,  379,  385,  381,  373,  374,  374,  382,  374,  386,
-      384,  385,  376,  388,  386,  386,  387,  389,  390,  381,
-      402,  374,  387,  392,  374,  402,  374,  395,  374,  383,
-      391,  383,  383,  390,  388,  396,  389,  164,  399,  391,
-      393,  383,  392,  383,  383,  383,  393,  395,  383,  396,
-      397,  400,  398,  401,  403,  404,  397,  398,  399,  406,
-      397,  404,  405,  405,  407,  410,  408,  409,  401,  403,
-      411,  400,  412,  409,  414,  398,  407,  412,  417,  406,
-      408,  413,  413,  415,  413,  416,  411,  418,  423,  418,
-      410,  426,  417,  419,  414,  419,  419,  424,  420,  415,
-
-      421,  416,  420,  427,  421,  422,  422,  423,  425,  426,
-      430,  428,  424,  419,  431,  439,  430,  427,  439,  421,
-      428,  429,  432,  431,  425,  433,  429,  432,  434,  433,
-      435,  428,  436,  428,  429,  429,  435,  434,  429,  429,
-      437,  438,  440,  441,  443,  438,  437,  440,  442,  442,
-      444,  444,  446,  436,  445,  447,  447,  443,  448,  445,
-      450,  451,  449,  441,  448,  446,  449,  452,  453,  454,
-      454,  455,  452,  453,  456,  450,  458,  457,  454,  461,
-      464,  459,  451,  455,  459,  460,  462,  462,  458,  460,
-      466,  461,  463,  470,  456,  457,  471,  463,  465,  465,
-
-      472,  464,  468,  468,  471,  473,  474,  475,  476,  472,
-      478,  474,  466,  479,  470,  480,  482,  484,  481,  550,
-      476,  550,  482,  484,  483,  486,  473,  475,  478,  485,
-      478,  479,  481,  483,  485,  480,  487,  488,  489,  486,
-      488,  490,  491,  492,  487,  494,  493,  487,  491,  493,
-      495,  494,  489,  496,  497,  499,  490,  498,  496,  499,
-      500,  502,  501,  492,  495,  500,  502,  503,  504,  494,
-      508,  505,  511,  524,  547,  510,  497,  501,  498,  510,
-      509,  512,  513,  503,  505,  162,  513,  504,  506,  506,
-      508,  511,  547,  524,  506,  509,  506,  512,  515,  517,
-
-      514,  516,  506,  518,  506,  514,  516,  506,  506,  514,
-      519,  520,  518,  515,  506,  517,  519,  521,  517,  522,
-      523,  519,  522,  525,  525,  526,  520,  527,  527,  528,
-      529,  530,  531,  521,  532,  533,  534,  536,  535,  539,
-      533,  537,  529,  523,  528,  534,  530,  537,  539,  540,
-      526,  531,  536,  540,  541,  542,  532,  535,  543,  544,
-      541,  545,  546,  549,  548,  554,  552,  542,  548,  553,
-      553,  554,  555,  543,  552,  545,  549,  546,  544,  556,
-      557,  559,  560,  558,  555,  556,  558,  562,  561,  563,
-      562,  564,  557,  561,  565,  559,  566,  560,  563,  565,
-
-      565,  567,  567,  568,  568,  563,  569,  564,  563,  566,
-      570,  570,  569,  571,  571,  572,  574,  573,  575,  578,
-      577,  572,  573,  573,  576,  577,  579,  576,  580,  582,
-      575,  580,  583,  589,  579,  581,  585,  574,  578,  584,
-      581,  586,  585,  584,  587,  586,  591,  589,  588,  590,
-      590,  583,  582,  588,  592,  593,  594,  595,  596,  598,
-      593,  591,  587,  597,  596,  603,  600,  602,  597,  601,
-      601,  599,  594,  598,  599,  592,  606,  595,  607,  599,
-      610,  603,  599,  599,  600,  602,  604,  605,  609,  610,
-      606,  604,  605,  607,  609,  611,  612,  613,  611,  616,
-
-      612,  614,  613,  615,  614,  617,  618,  619,  615,  620,
-      621,  622,  622,  618,  620,  616,  623,  624,  625,  626,
-      619,  627,  612,  617,  630,  623,  628,  630,  626,  629,
-      621,  634,  628,  627,  625,  629,  624,  631,  631,  632,
-      631,  633,  632,  635,  637,  636,  633,  638,  640,  634,
-      636,  639,  641,  638,  640,  641,  639,  635,  642,  643,
-      644,  645,  646,  637,  643,  644,  644,  647,  650,  649,
-      648,  652,  647,  651,  645,  646,  648,  650,  651,  653,
-      653,  655,  654,  642,  655,  657,  647,  647,  649,  654,
-      656,  652,  661,  658,  663,  659,  656,  657,  658,  655,
-
-      659,  659,  660,  660,  662,  664,  662,  664,  658,  665,
-      666,  667,  668,  663,  669,  670,  671,  661,  673,  676,
-      671,  670,  674,  672,  675,  678,  682,  665,  666,  667,
-      679,  668,  672,  673,  669,  677,  679,  674,  676,  680,
-      678,  683,  675,  681,  684,  682,  685,  677,  684,  686,
-      687,  688,  689,  680,  690,  681,  692,  692,  691,  690,
-      683,  694,  693,  695,  685,  686,  693,  696,  687,  688,
-      688,  689,  691,  697,  698,  694,  699,  700,  696,  698,
-      701,  702,  695,  704,  703,  707,  705,  697,  702,  703,
-      704,  705,  699,  701,  706,  708,  700,  709,  710,  706,
-
-      711,  712,  708,  707,  714,  713,  709,  714,  716,  711,
-      713,  715,  710,  712,  717,  715,  718,  720,  719,  721,
-      721,  725,  716,  717,  722,  722,  723,  723,  727,  724,
-      725,  718,  719,  722,  724,  728,  729,  731,  720,  730,
-      732,  728,  733,  730,  734,  735,  737,  727,  736,  731,
-      734,  738,  739,  735,  742,  736,  729,  745,  748,  754,
-      733,  752,  749,  754,  737,  732,  770,  748,  749,  742,
-      752,  753,  739,  760,  745,  751,  738,  740,  160,  740,
-      758,  751,  740,  755,  755,  770,  740,  753,  759,  740,
-      756,  756,  757,  760,  761,  765,  740,  740,  758,  740,
-
-      761,  767,  759,  757,  762,  762,  762,  763,  762,  764,
-      766,  762,  763,  765,  766,  768,  762,  771,  772,  768,
-       85,  769,  762,  762,  773,  767,  769,  773,  774,  775,
-      764,  777,  771,  774,  774,  768,  775,  776,  776,  778,
-      779,  779,  780,  772,  778,  781,  777,  780,  781,  782,
-      783,  783,  785,  784,  782,  784,  786,  787,  788,  790,
-      789,  787,  791,  791,  785,  792,  795,  790,  793,  794,
-      794,  796,  797,  800,  800,  786,  811,  811,  788,  789,
-      792,  798,  793,  796,  795,  799,  801,  798,  803,  804,
-      799,  801,  801,  803,  797,  804,  805,  808,  806,  807,
-
-      808,  809,  805,  806,  810,  807,  813,  809,  812,  812,
-      814,  815,  810,  816,  813,  817,  815,  819,  818,  822,
-      816,  820,  820,  821,  823,  823,  825,  822,  814,  824,
-      827,  828,  821,  817,  818,  824,  819,  829,  830,  827,
-      828,  831,  834,  830,  832,  825,  833,  832,  835,  836,
-      831,  833,  837,  840,  838,  841,  834,  842,  836,  838,
-      838,  829,  839,  839,  843,  837,  842,  844,  840,  845,
-      848,  848,  845,  835,  841,  847,  849,  847,  850,  851,
-      845,  852,  853,  850,  854,  844,  856,  855,  843,  857,
-      858,  859,  860,  861,  858,  856,  862,  849,  863,  861,
-
-      851,  852,  853,  864,  865,  862,  854,  855,  866,  859,
-      863,  860,  857,  867,  866,  868,  869,  869,  865,  870,
-      868,  871,  864,  872,  873,  874,  875,  867,  876,  877,
-      871,  878,  873,  883,  879,  881,  880,  878,  882,  870,
-      879,  881,  886,  872,  887,  874,  886,  876,  875,  877,
-      880,  884,  882,  883,  885,  888,  889,  884,  890,  894,
-      885,  889,  892,  887,  891,  891,  893,  888,  892,  893,
-      895,  897,  896,  898,  898,  888,  899,  894,  896,  890,
-      900,  901,  902,  895,  903,  900,  901,  901,  903,  904,
-      904,  897,  905,  906,  899,  907,  908,  902,  910,  913,
-
-      907,  914,  911,  915,  917,  917,  918,  921,  919, 1077,
-      918,  923,  913,  906,  905,  908,  911,  920,  920,  924,
-     1077,  914,  910,  919,  915,  916,  923,  922,  916,  926,
-      916,  922,  921,  924,  916,  925,  916,  929,  928,  927,
-      925,  916,  931,  926,  927,  927,  916,  928,  930,  933,
-      932,  929,  930,  934,  935,  932,  936,  931,  934,  937,
-      938,  933,  940,  946,  930,  932,  939,  940,  935,  938,
-      941,  947,  939,  937,  942,  948,  941,  936,  943,  943,
-      942,  944,  945,  952,  950,  946,  944,  951,  945,  953,
-      947,  957,  951,  948,  949,  949,  950,  952,  954,  954,
-
-      949,  953,  949,  956,  955,  957,  958,  959,  949,  955,
-      961,  956,  960,  949,  949,  963,  961,  962,  964,  965,
-      949,  966,  962,  967,  967,  958,  959,  963,  960,  968,
-      969,  971,  973,  968,  975,  965,  964,  971,  972,  966,
-      974,  972,  976,  978,  977,  974,  980,  975,  976,  977,
-      969,  973,  981,  982,  983,  980,  984,  985,  986,  987,
-      983,  981,  978,  986,  988,  984,  989,  994,  990,  982,
-       80,  993,  991,  992,  997, 1000,  985,  993,  988,  987,
-      990,  991,  992,  995,  994,  999,  989, 1001, 1002,  995,
-      997, 1003, 1004, 1005, 1010, 1000, 1006, 1014, 1005,  999,
-
-     1009, 1006, 1002, 1010, 1013, 1009, 1001, 1004, 1012, 1003,
-     1011, 1011, 1014, 1013, 1012, 1015, 1017, 1018, 1023, 1022,
-     1020, 1020, 1018, 1018, 1020, 1024, 1021, 1025, 1015, 1021,
-     1026, 1027, 1017, 1022, 1028, 1029, 1030, 1031, 1023, 1032,
-     1028, 1024, 1030, 1026, 1032, 1025, 1027, 1033, 1035, 1036,
-     1039, 1035, 1031, 1037, 1038, 1029, 1040, 1041, 1037, 1038,
-     1043, 1033, 1041, 1042, 1046, 1040, 1039, 1045, 1042, 1047,
-     1036, 1048, 1043, 1045, 1050, 1047, 1051, 1048, 1049, 1049,
-     1046, 1052, 1054, 1050, 1052, 1053, 1053, 1055, 1056, 1057,
-     1058, 1059, 1057, 1060, 1051, 1066, 1061, 1059, 1067, 1060,
-
-     1054, 1061, 1062, 1058, 1063, 1064, 1055, 1062, 1056, 1063,
-     1068, 1064, 1069, 1066, 1070, 1070, 1068, 1069, 1067, 1071,
-     1072, 1073, 1074, 1075, 1076, 1078, 1075, 1076, 1071, 1072,
-     1078, 1079, 1080, 1081, 1082, 1084, 1083, 1087, 1085, 1073,
-     1082, 1074, 1083, 1085, 1080, 1086, 1086, 1088, 1089, 1079,
-     1084, 1090, 1081, 1091, 1092, 1090, 1087, 1093, 1094, 1096,
-     1089, 1088, 1098, 1092, 1097, 1097, 1100, 1102, 1103, 1101,
-     1106, 1091, 1104, 1103, 1105, 1105, 1093, 1109, 1096, 1102,
-     1100, 1104, 1098, 1094, 1101, 1107, 1108, 1117, 1113, 1110,
-     1106, 1107, 1108, 1109, 1110, 1111, 1112, 1111, 1114, 1115,
-
-     1116, 1112, 1113, 1118, 1115, 1119, 1117, 1120, 1122, 1122,
-     1118, 1123, 1114, 1124, 1125, 1116, 1126, 1127, 1135, 1128,
-     1119, 1134, 1126, 1130, 1128, 1123, 1120, 1130, 1134, 1125,
-     1137, 1124, 1135, 1128, 1138, 1128, 1132, 1127, 1128, 1131,
-     1131, 1132, 1133, 1133, 1136, 1139, 1140, 1136, 1141, 1137,
-     1142, 1140, 1138, 1143, 1139, 1144, 1146, 1145, 1143, 1148,
-     1148, 1149, 1142, 1151, 1155, 1150, 1149, 1141, 1145, 1144,
-     1150, 1152, 1154, 1153, 1156, 1146, 1152, 1153, 1157, 1155,
-     1158, 1154, 1161, 1151, 1159, 1162, 1160, 1163, 1164, 1156,
-     1165, 1167, 1158, 1160, 1161, 1166, 1165, 1157, 1168, 1159,
-
-     1169, 1170, 1171, 1172, 1162, 1173, 1164, 1174, 1163, 1169,
-     1166, 1167, 1175, 1176, 1178, 1172, 1170, 1180, 1168, 1179,
-     1178, 1171, 1181, 1182, 1173, 1183, 1185, 1175, 1187, 1189,
-     1181, 1180, 1174, 1176, 1179, 1184, 1188, 1193, 1185, 1186,
-     1184, 1183, 1189, 1182, 1186, 1186, 1193, 1187, 1190, 1190,
-     1188, 1191, 1191, 1192, 1197, 1194, 1191, 1195, 1195, 1191,
-     1191, 1194, 1196, 1197, 1191, 1198, 1192, 1196, 1199, 1202,
-     1191, 1198, 1200, 1199, 1191, 1201, 1201, 1200, 1203, 1203,
-     1204, 1205, 1206, 1204, 1207, 1204, 1208, 1209, 1210, 1211,
-     1202, 1212, 1209, 1207, 1214,   75, 1218, 1212, 1213, 1214,
-
-     1206, 1205, 1210, 1216, 1213, 1215, 1208, 1211, 1217, 1215,
-     1218, 1221, 1216, 1217, 1219, 1219, 1223, 1216, 1224, 1216,
-     1223, 1216, 1221, 1216, 1220, 1220, 1225, 1220, 1226, 1227,
-     1228, 1229, 1231, 1224, 1227, 1227, 1230, 1226, 1232, 1228,
-     1233, 1230, 1234, 1235, 1225, 1236, 1231, 1232, 1237, 1237,
-     1238, 1236, 1239, 1229, 1241, 1240, 1242, 1235, 1238, 1233,
-     1240, 1234, 1243, 1244, 1245, 1242, 1239, 1246, 1241, 1243,
-     1247, 1247, 1246, 1248, 1249, 1249, 1250, 1252, 1250, 1253,
-     1252, 1244, 1254, 1255, 1253, 1256, 1256, 1257, 1248, 1245,
-     1258, 1258, 1255, 1259, 1259, 1260, 1261, 1262, 1263, 1263,
-
-     1260, 1254, 1264, 1265, 1266, 1267, 1265, 1257, 1270,   74,
-     1267, 1268, 1269, 1272, 1269, 1273, 1272, 1261, 1262, 1275,
-     1268, 1277, 1264, 1274, 1266, 1283, 1270, 1276, 1274, 1277,
-     1273, 1278, 1276, 1275, 1279, 1280, 1278, 1279, 1281, 1281,
-     1280, 1282, 1284, 1283, 1285, 1286, 1282, 1288, 1284, 1289,
-     1291, 1285, 1290, 1288, 1292, 1289, 1291, 1290, 1286, 1293,
-     1294, 1295, 1295, 1292, 1296, 1298, 1299, 1300, 1301, 1302,
-     1303, 1294, 1307, 1305, 1301, 1302, 1303, 1306, 1293, 1305,
-     1298, 1308, 1309, 1313, 1296, 1310, 1299, 1311, 1312, 1312,
-     1300, 1306, 1307, 1314, 1309, 1315, 1318, 1306, 1321, 1310,
-
-     1326, 1308, 1316, 1313, 1323, 1311, 1319, 1316, 1317, 1317,
-     1322, 1319, 1324, 1315, 1326, 1322, 1322, 1321, 1314, 1318,
-     1325, 1324, 1323, 1327, 1328, 1329, 1330, 1331, 1325, 1331,
-     1329, 1332, 1335, 1329, 1334, 1330, 1335, 1336, 1327, 1328,
-     1334, 1337, 1328, 1338, 1339, 1332, 1337, 1337, 1336, 1340,
-     1341, 1342, 1344, 1343, 1345, 1341, 1342, 1346, 1349, 1345,
-     1348, 1350, 1338, 1351, 1351, 1352, 1353, 1340, 1354, 1352,
-     1339, 1343, 1344, 1356, 1348, 1355, 1349, 1346, 1357, 1350,
-     1358, 1355, 1363, 1359, 1353, 1356, 1360, 1354, 1361, 1363,
-     1362, 1364, 1365, 1366, 1358, 1362, 1364, 1357, 1359, 1367,
-
-     1367, 1360, 1366, 1368, 1369, 1370, 1372, 1361, 1371, 1371,
-     1365, 1373, 1372, 1369, 1374, 1375, 1375, 1373, 1368, 1377,
-     1376, 1378, 1379, 1380, 1381, 1370, 1376, 1379, 1374, 1380,
-     1381, 1382, 1383, 1383, 1389, 1377, 1388, 1382, 1384, 1384,
-     1386, 1386, 1378, 1387, 1390, 1388, 1391, 1387, 1392, 1395,
-     1393, 1396, 1389, 1394, 1394, 1399, 1390, 1393, 1398, 1396,
-     1391, 1397, 1400, 1392, 1402, 1401, 1397, 1400, 1400, 1395,
-     1401, 1401, 1398, 1404, 1399, 1403, 1403, 1405, 1406, 1408,
-     1407, 1409, 1410, 1411, 1402, 1407, 1412, 1406, 1413, 1411,
-     1415, 1412, 1404, 1414, 1418, 1423, 1405, 1416, 1408, 1414,
-
-     1410, 1409, 1417, 1416, 1419, 1420, 1421, 1422, 1417, 1415,
-     1427, 1424, 1426, 1418, 1413, 1426, 1423, 1425, 1425, 1428,
-     1429, 1422, 1434, 1419, 1420, 1421, 1424, 1430, 1430, 1427,
-     1431, 1431, 1429, 1433, 1432, 1434, 1435, 1433, 1428, 1432,
-     1436, 1437, 1441, 1437, 1439, 1435, 1440, 1437, 1442, 1443,
-     1448, 1440, 1446, 1436, 1444, 1444, 1445, 1441, 1446, 1447,
-     1437, 1445, 1439, 1448, 1449, 1443, 1450, 1451, 1442, 1449,
-     1450, 1451, 1452, 1453, 1447, 1454, 1455, 1456, 1457, 1457,
-     1459, 1461, 1462, 1456, 1454, 1463, 1463, 1462, 1464, 1465,
-     1469, 1453, 1452, 1469, 1464, 1471, 1455, 1472, 1459, 1467,
-
-     1467, 1475, 1461, 1470, 1470, 1474, 1476, 1478, 1474, 1465,
-     1479, 1471, 1482, 1472, 1480, 1476, 1477, 1477, 1481, 1483,
-     1483, 1475, 1478, 1481, 1485, 1484, 1482, 1487, 1486, 1488,
-     1490, 1479, 1491, 1480, 1484, 1489, 1489, 1495, 1493, 1496,
-     1492, 1495, 1485, 1486, 1490, 1492, 1494, 1494, 1498, 1488,
-     1491, 1499, 1487, 1493, 1497, 1497, 1500, 1501, 1502, 1496,
-     1500, 1505, 1499, 1502, 1504, 1504, 1506, 1507, 1508, 1509,
-     1498, 1510, 1511, 1511, 1512, 1513, 1501, 1505, 1514, 1512,
-     1516, 1507, 1518, 1509, 1506, 1515, 1515, 1508, 1508, 1516,
-     1522, 1519, 1517, 1519, 1520, 1513, 1510, 1517, 1514, 1520,
-
-     1521, 1523, 1518, 1525, 1526, 1526, 1521, 1523, 1527, 1528,
-     1522, 1530, 1531, 1532, 1532, 1528, 1530, 1525, 1533, 1533,
-     1534, 1535, 1536, 1537, 1538, 1538, 1537, 1527, 1539, 1540,
-     1541, 1549, 1543,   68, 1534, 1544, 1531, 1536, 1543, 1535,
-     1544, 1540, 1542, 1547, 1545, 1542, 1539, 1545, 1542, 1548,
-     1541, 1552, 1547, 1553, 1548, 1550, 1549, 1552, 1550, 1553,
-     1542, 1551, 1551, 1545, 1554, 1555, 1555, 1556, 1556, 1554,
-     1557, 1559, 1558, 1560, 1561, 1562, 1557, 1558, 1563, 1564,
-     1565, 1563, 1566, 1567, 1559, 1564, 1565, 1566, 1568, 1567,
-     1572, 1560, 1569, 1561, 1573, 1562, 1571, 1569, 1570, 1570,
-
-     1574, 1571, 1575, 1576, 1577, 1578, 1579, 1582, 1572, 1580,
-     1581, 1568, 1581, 1580, 1573, 1584, 1575, 1576, 1577, 1586,
-     1574, 1585, 1587, 1578, 1588, 1589, 1582, 1584, 1587, 1590,
-     1592, 1579, 1586, 1585, 1591, 1594, 1594, 1595, 1596, 1599,
-     1597, 1589, 1600, 1596, 1588, 1598, 1598, 1601, 1591, 1590,
-     1602, 1592, 1597, 1603, 1599, 1604, 1600, 1595, 1605, 1607,
-     1606, 1609, 1603, 1611, 1612, 1605, 1616, 1612, 1602, 1606,
-     1604, 1601, 1606, 1613, 1613, 1607, 1609, 1614, 1614, 1615,
-     1617, 1609, 1619, 1617, 1616, 1618, 1618, 1620, 1611, 1621,
-     1623, 1615, 1622, 1625, 1621, 1619, 1624, 1622, 1626, 1627,
-
-     1631, 1628, 1625, 1630, 1630, 1632, 1620, 1629, 1627, 1623,
-     1628, 1627, 1624, 1629, 1633, 1634, 1636, 1626, 1632, 1635,
-     1631, 1636, 1636, 1637, 1638, 1641, 1642, 1644, 1637, 1634,
-     1643, 1643, 1633, 1645, 1646, 1635, 1638, 1647, 1647, 1646,
-     1650, 1649, 1645, 1644, 1642, 1648, 1649, 1651, 1652, 1655,
-     1641, 1657, 1647, 1664, 1648, 1653, 1656, 1648, 1650, 1658,
-     1653, 1653, 1660, 1655, 1658, 1663, 1652, 1664, 1651, 1659,
-     1663, 1656, 1662, 1657, 1668, 1659, 1661, 1661, 1662, 1665,
-     1660, 1666, 1669, 1670, 1671, 1665, 1673, 1666, 1677, 1670,
-     1672, 1678, 1673, 1672, 1668, 1675, 1669, 1671, 1679, 1672,
-
-     1680, 1681, 1682, 1675, 1683, 1684, 1679, 1677, 1688, 1680,
-     1678, 1685, 1685, 1691, 1681, 1682, 1686, 1687, 1683, 1684,
-     1690, 1688, 1686, 1687, 1689, 1689, 1692, 1693, 1693, 1694,
-     1695, 1691, 1696, 1685, 1697, 1698, 1695, 1700, 1700, 1701,
-     1690, 1703, 1694, 1702, 1704, 1692, 1703, 1702, 1706, 1704,
-     1697, 1705, 1707, 1698, 1696, 1709, 1705, 1706, 1710, 1701,
-     1711, 1711, 1712, 1714, 1713, 1715, 1715, 1709, 1718, 1716,
-     1717, 1721, 1719, 1710, 1722, 1707, 1713, 1717, 1725, 1723,
-     1718, 1712, 1714, 1716, 1719, 1723, 1724, 1726, 1727, 1727,
-     1721,   63, 1728, 1726, 1722, 1728, 1725, 1731, 1724, 1729,
-
-     1729, 1732, 1731, 1733, 1734, 1734, 1735, 1738, 1739, 1733,
-     1732, 1736, 1737, 1736, 1740, 1737, 1741, 1742, 1735, 1743,
-     1744, 1745, 1742, 1746, 1743, 1749, 1747, 1738, 1748, 1744,
-     1739, 1747, 1740, 1745, 1741, 1750, 1751, 1748, 1746, 1752,
-     1750, 1751, 1753, 1753, 1755, 1749, 1754, 1750, 1757, 1758,
-     1748, 1760, 1754, 1759, 1752, 1761, 1762, 1761, 1763, 1763,
-     1764, 1764, 1765, 1765, 1766, 1755, 1769, 1757, 1758, 1759,
-     1762, 1760, 1762, 1767, 1767, 1768, 1768, 1770, 1771, 1771,
-     1773, 1772, 1777, 1776, 1766, 1772, 1773, 1769, 1774, 1776,
-     1778, 1774, 1779, 1782, 1780, 1785, 1778, 1780, 1770, 1783,
-
-     1777, 1781, 1781, 1786, 1783, 1784, 1784, 1787, 1788, 1788,
-     1785, 1789, 1787, 1782, 1790, 1791, 1789, 1779, 1792, 1793,
-     1790, 1794, 1796,   58, 1786, 1795, 1799, 1791, 1791, 1791,
-     1798, 1795, 1800, 1802, 1791, 1798, 1798, 1793, 1792, 1803,
-     1799, 1794, 1796, 1801, 1802, 1801, 1804, 1800, 1805, 1806,
-     1807, 1809, 1804, 1811, 1803, 1808, 1808, 1805, 1810, 1810,
-     1812, 1813, 1813, 1814, 1814, 1815, 1818, 1818, 1819, 1806,
-     1820, 1807, 1822, 1811, 1823, 1825, 1825, 1809, 1824, 1820,
-     1826, 1822, 1812, 1827, 1824, 1815, 1830, 1828, 1829, 1831,
-     1831, 1832, 1833, 1819, 1828, 1823, 1836, 1829, 1827, 1835,
-
-     1837, 1826, 1836, 1838, 1835, 1839, 1842, 1840, 1833, 1840,
-     1838, 1839, 1830, 1843, 1844, 1844, 1845, 1832, 1846, 1843,
-     1837, 1845, 1847, 1849, 1848, 1842, 1850, 1846, 1851, 1850,
-     1852, 1853, 1853, 1854, 1855, 1849, 1857, 1856, 1860, 1854,
-     1855, 1858, 1847, 1848, 1861, 1858, 1851, 1862, 1863, 1863,
-     1864, 1857, 1862, 1865, 1867, 1868, 1852, 1856, 1860, 1868,
-     1876, 1858, 1869, 1869, 1870, 1871, 1861, 1874, 1865, 1864,
-     1870, 1872, 1872, 1867, 1871, 1873, 1875, 1875, 1874, 1873,
-     1877, 1876, 1878, 1874, 1879, 1880, 1881, 1882, 1883, 1879,
-     1884, 1885, 1885, 1882, 1877, 1884, 1886, 1886, 1887, 1889,
-
-     1890, 1878, 1887, 1883, 1891, 1880, 1881, 1899, 1889, 1892,
-     1892, 1890, 1894, 1894, 1895, 1896, 1890, 1898, 1901, 1895,
-     1895, 1896, 1900, 1898, 1891, 1902, 1904, 1900, 1905, 1906,
-     1901, 1902, 1905, 1899, 1907, 1909, 1908, 1910, 1904, 1911,
-     1912, 1906, 1908, 1910, 1911, 1915, 1914, 1918, 1916, 1922,
-     1918, 1925, 1912, 1916, 1919, 1919, 1925, 1909, 1914, 1907,
-     1920, 1920, 1921, 1921, 1915, 1923, 1924, 1926, 1927, 1922,
-     1929, 1923, 1924, 1926, 1932, 1929, 1931, 1927, 1935, 1931,
-     1933, 1933, 1936, 1937, 1938, 1938, 1932, 1939, 1937, 1944,
-     1935, 1947, 1940, 1941, 1936, 1945, 1939, 1940, 1941, 1942,
-
-     1943, 1943, 1942, 1946, 1945, 1951, 1950, 1948, 1949, 1944,
-     1947, 1948, 1950, 1949, 1953, 1952, 1954, 1956, 1956, 1957,
-     1959, 1946, 1958, 1951, 1952, 1960, 1960, 1961, 1963, 1956,
-     1954, 1958, 1953, 1962, 1964, 1965, 1961, 1957, 1971, 1964,
-     1959, 1968, 1968, 1970, 1972, 1962, 1970, 1974, 1965, 1963,
-     1975, 1976, 1977, 1986, 1971, 1978, 1978, 1976,   57, 1979,
-     1972, 1979, 1974, 1981, 1975, 1980, 1980, 1983, 1983, 1977,
-     1989, 1981, 1984, 1984, 1987, 1988, 1986, 1989, 1990, 1991,
-     1987, 1988, 1992, 1992, 1993, 1994, 1995, 1997, 1999, 1996,
-     2000, 1998, 2003, 1993, 2004, 2005, 2006, 2006, 1995, 1991,
-
-     1990, 1996, 1997, 1998, 2001, 2000, 1994, 2005, 2007, 2008,
-     2001, 2011, 2003, 2009, 1999, 2010, 2009, 2004, 2015, 2013,
-     2010, 2021,   52, 2001, 2013, 2014, 2007, 2014, 2016, 2008,
-     2017, 2011, 2019, 2016, 2022, 2023, 2015, 2017, 2024, 2021,
-     2024, 2019, 2025, 2022, 2027, 2028, 2027, 2023, 2029, 2029,
-     2030, 2031, 2032, 2033, 2032, 2034, 2031, 2035, 2033, 2028,
-     2034, 2025, 2036, 2037, 2039, 2038, 2040, 2041, 2044, 2037,
-     2038, 2042, 2041, 2041, 2045, 2035, 2030, 2039, 2040, 2042,
-     2046, 2046, 2036, 2047, 2047, 2048, 2049, 2044, 2045, 2050,
-     2052, 2051, 2052, 2053, 2054, 2050, 2051, 2055, 2055,   47,
-
-     2048, 2056, 2054, 2057, 2057, 2059, 2049, 2058, 2058, 2061,
-     2054, 2053, 2060, 2056, 2059, 2065, 2063, 2060, 2064, 2067,
-     2064, 2069, 2071, 2068, 2066, 2063, 2075, 2061, 2063, 2066,
-     2066, 2067, 2068, 2069, 2071, 2072, 2065, 2073, 2076, 2075,
-     2072, 2077, 2073, 2078, 2078, 2079, 2080, 2082, 2085, 2081,
-     2077, 2083, 2087, 2099, 2088, 2086, 2096, 2089, 2076, 2088,
-     2085, 2082, 2089, 2079, 2080, 2081, 2083, 2086, 2090, 2093,
-     2095, 2097, 2087, 2098, 2100, 2093, 2095, 2090, 2099, 2096,
-     2101, 2101, 2104, 2100, 2102, 2107, 2097, 2108, 2093, 2103,
-     2103, 2098, 2105, 2102, 2106,   18, 2105, 2109, 2107, 2106,
-
-     2110, 2104, 2109, 2109, 2111, 2112, 2110, 2113, 2112, 2108,
-     2111, 2114, 2117, 2117, 2119, 2113, 2122, 2118, 2118, 2120,
-     2120, 2121, 2121, 2119, 2123, 2125,   17, 2124, 2122, 2132,
-     2125, 2114, 2118, 2124, 2126, 2126, 2127, 2127, 2134, 2128,
-     2129, 2131, 2123, 2118, 2128, 2131, 2129, 2133, 2136, 2132,
-     2137, 2133, 2138, 2139, 2140, 2137, 2141, 2143, 2134, 2140,
-     2142, 2144, 2145, 2146, 2146, 2147, 2144, 2148, 2139, 2147,
-     2150, 2151, 2155, 2136, 2141, 2138, 2142, 2143, 2149, 2152,
-     2153, 2154, 2148, 2149, 2145, 2155, 2154, 2156, 2160, 2151,
-     2159, 2152, 2157, 2157, 2161, 2162, 2150, 2163, 2159, 2153,
-
-     2164, 2165, 2166, 2167, 2171, 2156, 2172, 2160, 2169, 2173,
-     2174, 2176, 2174, 2161, 2166, 2173, 2176, 2171, 2162, 2164,
-     2172, 2163, 2165, 2169, 2167, 2175, 2175, 2177, 2178, 2179,
-     2177, 2180, 2181, 2181, 2182, 2182, 2183, 2185, 2183, 2184,
-     2184, 2178, 2186, 2179, 2180, 2187, 2187, 2188, 2189, 2189,
-     2190, 2190, 2185, 2191, 2194, 2186, 2188, 2193, 2191, 2188,
-     2195, 2196, 2193, 2197, 2197, 2198, 2198, 2199, 2200, 2200,
-     2201, 2202, 2202, 2196, 2194, 2203, 2204, 2205, 2205, 2207,
-     2195, 2204, 2206, 2206, 2209, 2208, 2199, 2210, 2201, 2214,
-     2203, 2212, 2216, 2207, 2208,    0, 2212, 2217, 2209, 2213,
-
-     2213, 2215, 2215, 2217, 2218, 2221, 2210, 2218, 2214, 2226,
-     2216, 2219, 2219, 2220, 2220, 2222, 2223, 2225, 2223, 2227,
-     2227, 2229, 2230, 2231, 2221, 2232, 2240, 2219, 2226, 2232,
-     2222, 2234, 2225, 2233, 2233, 2235, 2236, 2237, 2231, 2242,
-     2235, 2229, 2239, 2239, 2243, 2230, 2240, 2241, 2244, 2245,
-     2234, 2236, 2237, 2242, 2241, 2246, 2246, 2248, 2247, 2248,
-     2249, 2252, 2243, 2249, 2251, 2255, 2244, 2247, 2256, 2253,
-     2251, 2254, 2257, 2252, 2253, 2245, 2254, 2258, 2249, 2259,
-     2249, 2256, 2258, 2261, 2262, 2263, 2264, 2265, 2261, 2262,
-     2255, 2266, 2264, 2257, 2267, 2269, 2268, 2266, 2270, 2267,
-
-     2263, 2268, 2281, 2271, 2272, 2259, 2271, 2273, 2265, 2274,
-     2275, 2270, 2276, 2272,    0, 2277, 2273, 2278, 2274, 2275,
-     2269, 2277, 2281, 2278, 2279, 2283, 2276, 2285, 2279, 2284,
-     2284, 2286, 2286, 2285, 2283, 2288, 2287, 2290, 2291, 2294,
-     2286, 2287, 2292, 2292, 2293, 2297, 2296, 2298, 2294, 2301,
-     2303, 2299, 2301, 2290, 2291, 2288, 2304, 2288, 2296, 2293,
-     2302, 2297, 2298, 2299, 2310, 2302, 2305, 2305, 2304, 2310,
-     2303, 2306, 2306, 2308, 2308, 2309, 2311, 2312, 2309, 2313,
-     2314, 2314, 2311, 2312, 2315, 2316, 2316, 2317, 2313, 2318,
-     2319, 2320, 2320, 2322, 2321, 2329, 2323,    0, 2315, 2317,
-
-     2321, 2323, 2325, 2318, 2329, 2326, 2325, 2322, 2326, 2319,
-     2327, 2327, 2328, 2330, 2331, 2332, 2334, 2328, 2336, 2332,
-     2333, 2333, 2330, 2336, 2337, 2338, 2339, 2340, 2341, 2334,
-     2342, 2340, 2343, 2344, 2331, 2342, 2345, 2346, 2343, 2344,
-     2339, 2347, 2348, 2349, 2337, 2338, 2351, 2348, 2341, 2352,
-     2353, 2354, 2363, 2355, 2345, 2353, 2346, 2354, 2351, 2360,
-     2347, 2355, 2358, 2367, 2349, 2352, 2356, 2367, 2356, 2361,
-     2361, 2358, 2362, 2360, 2368, 2362, 2364, 2364, 2363, 2369,
-     2368, 2370, 2370, 2371, 2374, 2374, 2376, 2378, 2382, 2379,
-     2383, 2369, 2371, 2382, 2384, 2385, 2386, 2386, 2392, 2384,
-
-     2385, 2378, 2388, 2388, 2376, 2379, 2390, 2391, 2391, 2393,
-     2394, 2396, 2390, 2398, 2392, 2394, 2383, 2397, 2400, 2400,
-     2397, 2399, 2403, 2402, 2404, 2398, 2405, 2409, 2403, 2410,
-     2396, 2393, 2402, 2399, 2407, 2407, 2408, 2412, 2412, 2408,
-     2414, 2405, 2404, 2413, 2413, 2414, 2409, 2410, 2415, 2416,
-     2417, 2418, 2421, 2418, 2419, 2417, 2420, 2422, 2416, 2423,
-     2424, 2489, 2422, 2489, 2421,    0, 2415, 2425, 2419, 2431,
-     2420, 2430, 2425, 2426, 2426, 2427, 2427, 2428, 2428, 2423,
-     2424, 2429, 2429, 2430, 2432, 2433, 2433, 2431, 2435, 2432,
-     2434, 2434, 2436, 2437, 2438, 2439, 2439, 2440, 2441, 2441,
-
-     2435, 2442, 2442, 2443, 2436, 2444, 2446, 2447, 2445, 2449,
-     2438, 2450, 2453, 2437, 2443, 2445, 2440, 2444, 2446, 2448,
-     2451, 2451, 2454, 2452, 2448, 2456, 2455, 2447, 2458, 2449,
-     2457, 2450, 2452, 2459, 2459, 2461, 2460, 2462, 2453, 2455,
-     2458, 2464, 2454, 2465, 2457, 2460, 2466, 2468, 2467, 2456,
-     2461, 2467, 2462, 2469,    0, 2470, 2471, 2471, 2469, 2464,
-     2470, 2468, 2472, 2472, 2478, 2465, 2473, 2473, 2479, 2466,
-     2475, 2475, 2477, 2477, 2480, 2481, 2483, 2484, 2485, 2479,
-     2487, 2486, 2478, 2488, 2490, 2493, 2493, 2491, 2492, 2487,
-     2481, 2495, 2495, 2480, 2496, 2484, 2483, 2497, 2498, 2503,
-
-     2485, 2486, 2501, 2488, 2490, 2491, 2492, 2498, 2496, 2499,
-     2499, 2501, 2502, 2502, 2504, 2505, 2506, 2503, 2507, 2497,
-     2508, 2509, 2505, 2510, 2511, 2511, 2512, 2512, 2513, 2514,
-     2520, 2506, 2504, 2515, 2516, 2516, 2507, 2509, 2508, 2515,
-     2517, 2517, 2510, 2518, 2519, 2520, 2521, 2514, 2513, 2518,
-     2522, 2523, 2524, 2525, 2526, 2527, 2523, 2527, 2532, 2526,
-     2528, 2528, 2519, 2535, 2522, 2521, 2529, 2534, 2529, 2530,
-     2530, 2536, 2524, 2525, 2537, 2538, 2534, 2532, 2539, 2543,
-     2538, 2540, 2535, 2536, 2544, 2545, 2545, 2544, 2546, 2547,
-     2548, 2548, 2551, 2549, 2537, 2550, 2551, 2553, 2539, 2543,
-
-     2540, 2554, 2556, 2546, 2549, 2554, 2558, 2547, 2555, 2555,
-     2550, 2559, 2553, 2560, 2563, 2556, 2561, 2561, 2564, 2565,
-     2567, 2558, 2571, 2565, 2566, 2566, 2563, 2564, 2568, 2568,
-     2569, 2559, 2570, 2560, 2572, 2569, 2573, 2580, 2571, 2567,
-     2582, 2570, 2574, 2574, 2579, 2579, 2572, 2581, 2581, 2583,
-     2587, 2584, 2585, 2582, 2586, 2586, 2573, 2589, 2589, 2580,
-     2584, 2585, 2583, 2592, 2593, 2587, 2594, 2595, 2592, 2593,
-     2596, 2597, 2595, 2598, 2601, 2599, 2602, 2604, 2596, 2603,
-     2594, 2602, 2598, 2599, 2603, 2605, 2605, 2606, 2606, 2601,
-     2597, 2608, 2604, 2607, 2607, 2609, 2610, 2611, 2608, 2612,
-
-     2609, 2613, 2614, 2614, 2615, 2612, 2613, 2616, 2617, 2617,
-     2618, 2618, 2616, 2621, 2610, 2611, 2622, 2622, 2623, 2615,
-     2625, 2623, 2624, 2627, 2626, 2625, 2621, 2624, 2624, 2626,
-     2628, 2629, 2631, 2630, 2632, 2629, 2628, 2627, 2630, 2633,
-     2634, 2631, 2635, 2638, 2636, 2640, 2637, 2633, 2635, 2632,
-     2636, 2637, 2640, 2641, 2642, 2638, 2644, 2642, 2641, 2646,
-     2647, 2634, 2648, 2649, 2646, 2647, 2650, 2656, 2644, 2651,
-     2652, 2652, 2653, 2657, 2661, 2650, 2649, 2658, 2651, 2657,
-     2648, 2653, 2662, 2658, 2663, 2656, 2664, 2664, 2665, 2666,
-     2667, 2668, 2670, 2661, 2672, 2665, 2669, 2669, 2674, 2667,
-
-     2675, 2677, 2662, 2663, 2675, 3182, 2668, 3182, 2666, 2672,
-     2678, 2670, 2676, 2676, 2679, 2680, 2678, 2682, 2674, 2683,
-     2679, 2680, 2681, 2681, 2683, 2682, 2677, 2685, 2686, 2688,
-     2689, 2691, 2692, 2689, 2690, 2688, 2685, 2695, 2690, 2694,
-     2694, 2686, 2696, 2696, 2705, 2691,    0, 2692, 2697, 2697,
-     2699, 2699, 2700, 2701, 2707, 2695, 2700, 2706, 2701, 2703,
-     2703, 2709, 2706, 2708, 2705, 2711, 2707, 2717, 2708, 2708,
-     2712, 2712, 2719, 2709, 2714, 2714, 2715, 2715, 2716, 2721,
-     2717, 2716, 2722, 2722, 2727, 2711, 2723, 2723, 2724, 2724,
-     2719, 2725, 2726, 2726, 2728, 2729, 2730, 2727, 2737, 2721,
-
-     2731, 2731, 2730, 2732, 2738, 2736, 2725, 2732, 2739, 2729,
-     2736, 2736, 2728, 2740, 2741, 2742, 2744, 2744, 2743, 2740,
-     2741, 2737, 2743, 2749, 2738, 2747, 2750, 2752, 2739, 2750,
-     2747, 2749, 2753, 2754, 2754, 2753, 2755, 2756, 2757, 2758,
-     2742, 2759, 2756, 2760, 2760, 2764, 2761, 2762, 2763, 2765,
-     2762, 2768, 2752, 2755, 2755, 2759, 2757, 2765, 2762, 2758,
-     2761, 2766, 2763, 2767, 2764, 2774, 2766, 2766, 2767, 2767,
-     2768, 2769, 2769, 2770, 2770, 2771, 2771, 2772, 2772, 2773,
-     2773, 2774, 2775, 2776, 2777, 2778, 2779, 2775, 2780, 2781,
-     2778, 2782, 2783, 2780, 2785, 2785, 2786, 2786, 2781, 2787,
-
-     2788, 2791, 2787, 2776, 2793, 2779, 2790, 2790, 2791, 2793,
-     2777, 2782, 2783, 2792, 2792, 2795, 2795, 2796, 2788, 2797,
-     2798, 2800, 2801, 2801, 2803, 2804, 2796, 2802, 2797, 2798,
-     2805, 2802, 2806, 2803, 2810, 2808, 2809, 2807, 2810, 2800,
-     2818, 2805, 2807, 2807, 2804, 2809, 2814, 2806, 2808, 2815,
-     2815, 2814, 2817, 2817, 2818, 2819, 2820, 2822, 2822, 2823,
-     2824, 2827, 2828, 2829, 2830, 2832, 2834, 2870, 2823, 2852,
-     2830, 2828, 2824, 2836, 2820, 2852, 2837, 2832, 2836, 2839,
-     2819, 2837, 2870, 2829, 2838, 2838, 2827, 2834, 2839, 2841,
-     2848, 2842, 2842, 2847, 2841, 2842, 2844, 2844, 2845, 2845,
-
-     2846, 2846, 2847, 2849, 2850, 2856, 2853, 2854, 2857, 2850,
-     2848, 2853, 2854, 2855, 2855, 2858, 2859, 2860, 2861, 2862,
-     2857, 2859, 2849, 2856, 2861, 2863, 2863, 2865, 2866, 2867,
-     2869, 2865, 2871, 2866, 2867, 2860, 2858, 2868, 2868, 2873,
-     2875, 2875, 2877, 2878, 2862, 2880, 2879, 2871, 2881, 2869,
-     2879, 2882, 2883, 2884, 2880, 2877, 2878, 2886, 2884, 2873,
-     2883, 2885, 2885, 2887, 2881, 2888, 2886, 2889, 2889, 2890,
-     2882, 2893, 2893, 2894, 2894, 2896, 2898, 2898, 2900, 2901,
-     2903, 2887, 2902, 2905, 2905, 2903, 2906, 2908, 2890, 2909,
-     2907, 2888, 2910, 2908, 2900, 2901, 2896, 2918, 2902, 2907,
-
-     2912, 2912, 2913, 2914, 2915, 2915, 2906, 2919, 2922, 2920,
-     2931, 2910, 2909, 2919, 2920, 2925, 2913, 2918, 2923, 2923,
-     2924, 2924, 2914, 2926, 2926, 2927, 2929, 2930, 2928, 2931,
-     2922, 2933, 2932, 2930, 2941, 2925, 2927, 2928, 2934, 2934,
-     2936, 2936, 2935, 2926, 2932, 2935, 2929, 2940, 2946, 2942,
-     2945, 2933, 2943, 2943, 2941, 2942, 2945, 2944, 2948, 2940,
-     2944, 2949, 2949, 2948, 2950, 2951, 2946, 2952, 2953, 2950,
-     2954, 2954, 2957, 2952, 2958, 2956, 2959, 2960, 2960, 2961,
-     2962,    0, 2963, 2967, 2951, 2953, 2953, 2956, 2967, 2959,
-     2957, 2963, 2965, 2965, 2966, 2966, 2962, 2968, 2961, 2958,
-
-     2969, 2970, 2970, 2971, 2971, 2969, 2972, 2972, 2973, 2974,
-     2975, 2968, 2976, 2978, 2978, 2981, 2975, 2976, 2983, 2984,
-     2985, 2973, 2986, 2986, 2988, 2988, 2989, 2990, 2992, 2991,
-     2993, 2994, 2994, 2998, 2981, 2974, 2995, 2995, 2997, 2993,
-     2983, 2984, 2985, 2991, 2997, 2999, 2990, 3007, 2992, 3000,
-     3003, 3003, 2989, 2998, 3000, 3005, 3005, 3006, 3009, 3008,
-     3010, 3007, 3006, 3014, 2999, 3008, 3011, 3011, 3010, 3012,
-     3009, 3015, 3016, 3017, 3012, 3018, 3020, 3016, 3021, 3022,
-     3023, 3018, 3026, 3014, 3020, 3017, 3025, 3028, 3027, 3029,
-     3031, 3015, 3032, 3036, 3029, 3031, 3033, 3021, 3026, 3022,
-
-     3023,    0, 3033, 3038, 3025, 3027, 3027, 3037, 3028, 3034,
-     3037, 3043, 3032, 3036, 3034, 3043, 3038, 3041, 3041, 3042,
-     3042, 3047, 3047, 3048, 3049, 3050, 3050, 3061, 3048, 3052,
-     3052, 3053, 3053, 3056, 3053, 3054, 3054, 3056, 3054, 3055,
-     3055, 3058, 3055, 3049, 3059, 3061, 3058, 3060, 3060, 3062,
-     3065, 3066, 3067, 3059, 3068, 3068, 3071, 3067, 3072, 3074,
-     3073, 3075, 3077, 3062, 3073, 3072, 3078,    0, 3074, 3082,
-     3065, 3066, 3079, 3079, 3083, 3078, 3075, 3080, 3080, 3083,
-     3077, 3071, 3081, 3081, 3082, 3084, 3085, 3086, 3087, 3088,
-     3089, 3085, 3085, 3086, 3084, 3090, 3091, 3084, 3092, 3094,
-
-     3090, 3091, 3093, 3093, 3088, 3094, 3095, 3096, 3096, 3097,
-     3097, 3089, 3095, 3087, 3098, 3099, 3105, 3092, 3102, 3102,
-     3099, 3104, 3104, 3108, 3108, 3105, 3109, 3109, 3116, 3098,
-     3110, 3110, 3111, 3111, 3112, 3112, 3113, 3113, 3114, 3114,
-     3115, 3115, 3118, 3119, 3119, 3121, 3120, 3122, 3126, 3124,
-     3128, 3118, 3125, 3125, 3116, 3120, 3127, 3121, 3129, 3129,
-     3130, 3134, 3128, 3126, 3131, 3131, 3136, 3122, 3124, 3127,
-     3135, 3137, 3137, 3135, 3140, 3130, 3138, 3140, 3141, 3134,
-     3143, 3142, 3144, 3146, 3141, 3143, 3145, 3148, 3149, 3156,
-     3153, 3173, 3136, 3148, 3138, 3142, 3152, 3149, 3165, 3146,
-
-     3152, 3144, 3176, 3165, 3145, 3153, 3166, 3168, 3179, 3166,
-     3169, 3169, 3170, 3170, 3173, 3156, 3171, 3171, 3174, 3175,
-     3168, 3177, 3176, 3175, 3181, 3180, 3183, 3174, 3186, 3181,
-     3185, 3179, 3184, 3184, 3187, 3177, 3180, 3188, 3189, 3190,
-     3191, 3183, 3197, 3185, 3192, 3193, 3194, 3186, 3203, 3191,
-     3193, 3202, 3187, 3188, 3190, 3195, 3192, 3196, 3196, 3198,
-     3195, 3210, 3197, 3189, 3198, 3202, 3205, 3194, 3203, 3204,
-     3204, 3206, 3206, 3207, 3207, 3205, 3208, 3208, 3209, 3209,
-     3210, 3211, 3212, 3213, 3214, 3212, 3215, 3216, 3213, 3214,
-     3217, 3218, 3219, 3220, 3221, 3221, 3217, 3222, 3220, 3223,
-
-     3223, 3211, 3216, 3226, 3219, 3218, 3225, 3225, 3227, 3228,
-     3228, 3215, 3232, 3230, 3235, 3235, 3237, 3222, 3226, 3236,
-     3236, 3238, 3241, 3239, 3237, 3240, 3242, 3227, 3230, 3239,
-     3232, 3240, 3243, 3244, 3245, 3245, 3241, 3250, 3244, 3242,
-     3238, 3247, 3247, 3251, 3254, 3253, 3256, 3257, 3254, 3258,
-     3262, 3243, 3257, 3261, 3259, 3262, 3260, 3263, 3250, 3253,
-     3264, 3264, 3263, 3251, 3267, 3268, 3256, 3259, 3258, 3260,
-     3269, 3271, 3261, 3270, 3270, 3272, 3271, 3273, 3273, 3277,
-     3274, 3272, 3275, 3268, 3267, 3274, 3276, 3275, 3278, 3269,
-     3281, 3276, 3280, 3280, 3278, 3281, 3282, 3282, 3277, 3284,
-
-     3285, 3286, 3287, 3284, 3288, 3289, 3290, 3291, 3286, 3293,
-     3293, 3289, 3295, 3295, 3298, 3296, 3299, 3297, 3300, 3285,
-     3291, 3287, 3297, 3288, 3296, 3290, 3303, 3296, 3301, 3301,
-     3305, 3300, 3302, 3298, 3307, 3299, 3312, 3302,    0, 3303,
-     3306, 3306, 3308, 3308, 3309, 3309, 3310, 3311, 3313, 3313,
-     3319, 3310, 3314, 3307, 3311, 3312, 3305, 3314, 3315, 3317,
-     3315, 3316, 3316, 3318, 3321, 3324, 3317, 3320, 3328, 3319,
-     3318, 3326, 3320, 3323, 3323, 3327, 3326, 3329, 3330, 3330,
-     3327, 3332, 3332, 3321, 3324, 3333, 3334, 3328, 3335, 3335,
-     3336, 3336, 3337, 3339, 3339, 3341, 3329, 3340, 3340, 3337,
-
-     3347, 3343, 3341, 3346, 3333, 3334, 3343, 3348, 3346, 3349,
-     3349, 3350, 3350,    0,    0,    0,    0,    0,    0, 3347,
-        0,    0,    0,    0,    0,    0, 3348, 3354, 3354, 3354,
-     3354, 3354, 3354, 3354, 3355, 3355, 3355, 3355, 3355, 3355,
-     3355, 3356, 3356, 3356, 3356, 3356, 3356, 3356, 3357, 3357,
-     3357, 3357, 3357, 3357, 3357, 3358, 3358, 3358, 3358, 3358,
-     3358, 3358, 3359, 3359, 3359, 3359, 3359, 3359, 3359, 3360,
-     3360, 3360, 3360, 3360, 3360, 3360, 3362, 3362,    0, 3362,
-     3362, 3362, 3362, 3363, 3363,    0,    0,    0, 3363, 3363,
-     3364, 3364,    0,    0, 3364,    0, 3364, 3365,    0,    0,
-
-        0,    0,    0, 3365, 3366, 3366,    0,    0,    0, 3366,
-     3366, 3367,    0,    0,    0,    0,    0, 3367, 3368, 3368,
-        0, 3368, 3368, 3368, 3368, 3369,    0,    0,    0,    0,
-        0, 3369, 3370, 3370,    0,    0,    0, 3370, 3370, 3371,
-     3371,    0, 3371, 3371, 3371, 3371, 3353, 3353, 3353, 3353,
-     3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353,
-     3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353,
-     3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353, 3353,
-     3353, 3353, 3353, 3353, 3353, 3353, 3353
+      321,  328,  322,  327,  324,  333,  331,  326,  336,  332,
+      333,  329,  337,  325,  330,  331,  335,  334,  169,  335,
+      334,  336,  334,  330,  337,  340,  330,  332,  340,  341,
+
+      341,  330,  330,  330,  330,  334,  339,  338,  334,  338,
+      338,  339,  339,  342,  343,  345,  346,  344,  347,  347,
+      354,  348,  349,  349,  345,  346,  348,  350,  350,  343,
+      342,  351,  352,  342,  344,  344,  353,  352,  355,  354,
+      356,  357,  358,  358,  360,  358,  351,  357,  353,  369,
+      369,  361,  363,  362,  358,  356,  361,  363,  355,  362,
+      364,  366,  375,  365,  360,  364,  365,  367,  365,  368,
+      367,  364,  388,  370,  410,  366,  371,  371,  368,  370,
+      372,  377,  375,  367,  376,  372,  367,  376,  367,  373,
+      373,  378,  373,  388,  379,  382,  377,  381,  373,  410,
+
+      381,  167,  373,  384,  385,  376,  378,  373,  379,  382,
+      373,  374,  374,  385,  374,  386,  381,  391,  384,  394,
+      386,  386,  389,  387,  390,  392,  391,  374,  396,  387,
+      374,  166,  374,  395,  374,  383,  387,  383,  383,  390,
+      393,  389,  396,  399,  392,  394,  393,  383,  383,  383,
+      383,  383,  397,  395,  383,  398,  400,  401,  397,  402,
+      398,  404,  397,  399,  402,  403,  406,  404,  405,  405,
+      407,  408,  401,  409,  411,  414,  400,  415,  398,  409,
+      403,  416,  407,  412,  417,  408,  406,  418,  412,  418,
+      411,  413,  413,  415,  413,  414,  420,  416,  417,  419,
+
+      420,  419,  419,  421,  422,  422,  423,  421,  424,  426,
+      425,  430,  428,  432,  427,  431,  164,  430,  432,  419,
+      428,  428,  421,  424,  431,  423,  425,  426,  427,  433,
+      434,  435,  428,  433,  428,  429,  436,  435,  437,  434,
+      429,  438,  440,  439,  437,  438,  439,  440,  429,  429,
+      441,  443,  429,  429,  442,  442,  429,  436,  444,  444,
+      445,  446,  447,  447,  443,  445,  448,  449,  450,  451,
+      441,  449,  448,  452,  446,  453,  454,  454,  452,  455,
+      453,  456,  457,  450,  458,  454,  459,  460,  465,  459,
+      451,  455,  460,  461,  462,  467,  458,  461,  463,  463,
+
+      457,  456,  464,  466,  466,  471,  462,  464,  472,  465,
+      469,  469,  473,  474,  475,  476,  472,  467,  477,  475,
+      479,  473,  481,  480,  486,  482,  471,  483,  484,  486,
+      477,  487,  490,  483,  474,  476,  488,  484,  479,  482,
+      479,  480,  481,  485,  488,  487,  490,  488,  489,  485,
+      491,  489,  492,  493,  494,  495,  496,  494,  492,  497,
+      498,  495,  499,  500,  497,  491,  501,  500,  505,  502,
+      496,  501,  503,  493,  504,  506,  509,  503,  511,  495,
+      510,  512,  498,  499,  502,  512,  515,  505,  506,  513,
+      504,  507,  507,  511,  516,  514,  509,  507,  516,  507,
+
+      514,  510,  515,  518,  517,  507,  520,  507,  513,  517,
+      507,  507,  521,  517,  519,  523,  524,  507,  518,  519,
+      522,  521,  520,  526,  525,  520,  522,  525,  527,  529,
+      523,  522,  524,  528,  528,  530,  530,  531,  532,  535,
+      533,  534,  534,  536,  537,  539,  526,  538,  527,  537,
+      532,  540,  531,  541,  529,  533,  538,  544,  535,  541,
+      543,  544,  546,  545,  539,  536,  540,  545,  546,  543,
+      547,  548,  549,  550,  551,  552,  553,  554,  566,  555,
+      553,  555,  547,  566,  557,  560,  548,  550,  562,  551,
+      554,  549,  557,  552,  558,  558,  559,  560,  561,  564,
+
+      562,  565,  559,  563,  561,  567,  563,  569,  567,  568,
+      162,  571,  581,  564,  570,  581,  565,  579,  568,  570,
+      570,  572,  572,  569,  571,  568,  573,  573,  568,  574,
+      575,  575,  576,  576,  577,  574,  578,  580,  579,  582,
+      577,  578,  578,  583,  582,  584,  586,  585,  587,  580,
+      585,  586,  589,  584,  588,  590,  589,  591,  593,  592,
+      594,  590,  583,  592,  595,  594,  596,  596,  597,  598,
+      599,  587,  600,  588,  602,  599,  593,  591,  595,  601,
+      603,  607,  604,  597,  605,  606,  603,  604,  606,  609,
+      598,  600,  610,  606,  602,  601,  606,  606,  605,  607,
+
+      608,  608,  613,  614,  611,  612,  616,  609,  610,  611,
+      612,  617,  616,  623,  618,  619,  613,  618,  614,  619,
+      617,  620,  621,  622,  624,  621,  620,  625,  622,  623,
+      626,  627,  628,  632,  625,  630,  627,  629,  629,  631,
+      633,  619,  624,  626,  630,  635,  634,  636,  638,  160,
+      642,  638,  628,  636,  632,  634,  633,  635,  631,  637,
+      639,  639,  643,  639,  640,  637,  641,  640,  642,  644,
+      645,  641,  646,  648,  644,  647,  643,  650,  646,  648,
+      647,  649,  651,  653,  649,  652,  654,  651,  655,  645,
+      652,  652,  656,  655,  657,  658,  653,  660,  656,  654,
+
+      659,  669,  650,  663,  658,  659,  663,  655,  655,  661,
+      661,  662,  665,  657,  664,  668,  668,  660,  662,  671,
+      664,  663,  666,  667,  665,  673,  669,  666,  667,  667,
+      670,  672,  670,  672,  674,  675,  676,  666,  671,  677,
+      678,  679,  680,  673,  685,  679,  678,  681,  682,  683,
+      684,  680,  674,  675,  687,  676,  685,  686,  688,  677,
+      687,  689,  681,  682,  690,  691,  692,  683,  695,  684,
+      693,  701,  686,  694,  696,  689,  690,  694,  688,  697,
+      698,  699,  704,  700,  691,  701,  695,  692,  700,  693,
+      696,  702,  702,  705,  707,  706,  704,  697,  698,  698,
+
+      699,  703,  708,  709,  710,  703,  706,  708,  707,  711,
+      712,  713,  705,  714,  715,  718,  713,  712,  719,  709,
+      714,  716,  711,  710,  717,  719,  716,  720,  721,  717,
+      722,  723,  725,  718,  724,  730,  720,  725,  715,  722,
+      724,  726,  721,  723,  726,  727,  728,  729,  731,  727,
+      730,  732,  733,  733,  734,  734,  729,  735,  735,  736,
+      728,  737,  731,  734,  736,  739,  741,  740,  743,  744,
+      737,  742,  732,  740,  745,  742,  746,  747,  749,  750,
+      743,  748,  746,  751,  739,  747,  741,  754,  748,  757,
+      760,  761,  745,  772,  744,  763,  749,  761,  770,  760,
+
+      764,  763,  754,  751,  750,  752,  757,  752,   85,  764,
+      752,  766,  765,  772,  752,  766,  770,  752,  767,  767,
+      768,  768,  769,  771,  752,  752,  773,  752,  765,  775,
+      776,  777,  773,  769,  780,  776,  778,  771,  774,  774,
+      774,  782,  774,  779,  781,  774,  782,  779,  781,  775,
+      774,  783,  777,  785,  778,  784,  774,  774,  780,  786,
+      784,  788,  787,  791,  781,  787,  788,  788,  785,  789,
+      783,  790,  790,  798,  792,  798,  789,  794,  791,  792,
+      793,  793,  794,  795,  786,  796,  795,  797,  797,  799,
+      796,  800,  801,  802,  804,  803,  801,  805,  805,  810,
+
+      806,  799,  804,  807,  808,  808,  809,  811,  814,  814,
+      800,  810,  812,  802,  803,  806,  813,  807,  812,  819,
+      815,  813,  817,  825,  809,  815,  815,  817,  818,  811,
+      820,  825,  821,  822,  818,  824,  820,  821,  819,  822,
+      823,  824,  828,  823,  826,  826,  827,  827,  829,  830,
+      828,  831,  832,  833,  830,  834,  835,  835,  831,  836,
+      838,  838,  840,  837,  844,  850,  829,  839,  836,  833,
+      832,  837,  845,  839,  834,  842,  843,  845,  846,  847,
+      849,  840,  847,  851,  842,  843,  848,  846,  844,  852,
+      850,  848,  851,  853,  849,  854,  854,  855,  853,  853,
+
+      856,  857,  852,  858,  859,  860,  867,  862,  860,  862,
+      857,  864,  855,  863,  863,  865,  860,  866,  869,  856,
+      865,  868,  859,  870,  871,  872,  867,  858,  874,  876,
+      873,  875,  864,  871,  873,  876,  877,  878,  866,  879,
+      869,  868,  880,  870,  882,  877,  874,  881,  872,  878,
+      875,  883,  882,  881,  884,  886,  880,  887,  879,  884,
+      885,  885,  888,  889,  890,  883,  891,  892,  893,  895,
+      894,  888,  890,  896,  886,  895,  898,  887,  897,  896,
+      899,  900,  898,  889,  903,  901,  891,  893,  903,  892,
+      894,  901,  897,  902,  899,  904,  905,  906,  907,  902,
+
+      909,  900,  906,  908,  908,  910,  909,  911,  905,  912,
+      911,  910,  913,  915,  904,  914,  905,  916,  916,  907,
+      917,  914,  921,  918,  924,  913,  919,  912,  918,  919,
+      920,  923,  923,  915,  925,  920,  920,  921,  917,  922,
+      926,  927,  919,  922,  919,  926,  924,  929,  930,  933,
+      932,  934,  936,  936,  925,  937,  939,  939,  940,  937,
+      927,  941,  930,  932,  938,  941,  942,  962,  962,  933,
+      944,  929,  934,  935,  943,  944,  935,  945,  935,  938,
+      946,  942,  935,  940,  935,  946,  946,  947,  943,  935,
+      948,  945,  950,  949,  935,  951,  947,  949,  953,  952,
+
+      951,  954,  955,  953,  948,  956,  958,  950,  957,  949,
+      951,  952,  958,  959,  960,  954,  961,  957,  959,  956,
+      960,  963,  961,  955,  964,  965,  963,  966,  969,  970,
+      964,  967,  972,  975,  970,  973,  973,  974,  971,  976,
+      969,  975,  974,  977,  972,  980,  966,  965,  978,  967,
+      968,  968,  971,  979,  981,  976,  968,  977,  968,  983,
+      981,  980,  984,  982,  968,  985,  986,  978,  982,  968,
+      968,  983,  979,  987,  988,  988,  968,  990,  989,  992,
+      984,  985,  989,  993,  986,  992,  993,  994,  995,  996,
+      997,  987,  999,  995,  998, 1001,  997,  990, 1002,  998,
+
+     1003, 1005,  996, 1004, 1001, 1006,  994, 1002, 1007, 1004,
+     1005,  999, 1008, 1007, 1009, 1010, 1003, 1011, 1012, 1014,
+     1015, 1013, 1018, 1021, 1006, 1014, 1020, 1012, 1009, 1011,
+     1013, 1022, 1008, 1016, 1023, 1010, 1022, 1015, 1018, 1016,
+     1020, 1024, 1025, 1021, 1026, 1027, 1028, 1031, 1032,   80,
+     1027, 1028, 1031, 1023, 1035, 1024, 1036, 1032, 1034, 1026,
+     1025, 1033, 1033, 1035, 1034, 1037, 1039, 1040, 1045, 1044,
+     1046, 1036, 1040, 1040, 1043, 1042, 1042, 1043, 1037, 1042,
+     1047, 1048, 1039, 1044, 1049, 1050, 1046, 1051, 1045, 1052,
+     1053, 1050, 1054, 1058, 1048, 1052, 1055, 1054, 1047, 1049,
+
+     1057, 1059, 1061, 1057, 1060, 1053, 1059, 1051, 1062, 1060,
+     1055, 1063, 1065, 1067, 1058, 1064, 1063, 1062, 1061, 1067,
+     1064, 1068, 1069, 1070, 1065, 1071, 1071, 1072, 1069, 1070,
+     1073, 1074, 1075, 1075, 1074, 1076, 1072, 1068, 1077, 1078,
+     1079, 1080, 1083, 1079, 1081, 1082, 1085, 1083, 1073, 1091,
+     1081, 1082, 1085, 1076, 1080, 1084, 1086, 1077, 1087, 1078,
+     1084, 1086, 1089, 1090, 1087, 1092, 1097, 1089, 1093, 1091,
+     1095, 1092, 1098, 1093, 1094, 1094, 1096, 1099, 1101, 1095,
+     1099, 1090, 1102, 1100, 1097, 1096, 1100, 1102, 1103, 1101,
+     1104, 1098, 1105, 1106, 1107, 1108, 1109, 1110, 1110, 1106,
+
+     1107, 1109, 1104, 1111, 1112, 1113, 1103, 1114, 1115, 1116,
+     1108, 1105, 1115, 1118, 1117, 1119, 1121, 1113, 1112, 1122,
+     1122, 1123, 1111, 1117, 1126, 1114, 1124, 1116, 1125, 1123,
+     1129, 1124, 1118, 1125, 1128, 1121, 1131, 1130, 1132, 1134,
+     1119, 1131, 1133, 1133, 1126, 1129, 1135, 1132, 1128, 1130,
+     1136, 1137, 1135, 1138, 1141, 1139, 1136, 1139, 1138, 1134,
+     1140, 1142, 1144, 1145, 1143, 1140, 1146, 1137, 1141, 1143,
+     1147, 1148, 1151, 1146, 1152, 1142, 1153, 1144, 1150, 1150,
+     1155, 1154, 1145, 1156,   75, 1147, 1151, 1154, 1156, 1158,
+     1148, 1153, 1152, 1158, 1159, 1159, 1160, 1156, 1162, 1156,
+
+     1155, 1160, 1156, 1161, 1161, 1162, 1163, 1164, 1165, 1167,
+     1164, 1166, 1168, 1169, 1170,   74, 1171, 1168, 1167, 1172,
+     1163, 1171, 1174, 1173, 1176, 1176, 1170, 1165, 1179, 1166,
+     1177, 1178, 1169, 1172, 1173, 1177, 1178, 1180, 1182, 1181,
+     1183, 1174, 1180, 1181, 1184, 1185, 1186, 1182, 1179, 1188,
+     1187, 1189, 1190, 1191, 1192, 1183, 1188, 1196, 1186, 1184,
+     1193, 1194, 1195, 1189, 1185, 1187, 1193, 1197, 1195, 1198,
+     1199, 1190, 1192, 1200, 1191, 1202, 1194, 1196, 1198, 1201,
+     1203, 1204, 1205, 1206, 1208, 1199, 1209, 1197, 1205, 1211,
+     1208, 1201, 1200, 1210, 1202, 1212, 1204, 1211, 1213, 1214,
+
+     1215, 1209, 1217, 1206, 1214, 1203, 1218, 1210, 1281, 1219,
+     1281, 1216, 1215, 1222, 1213, 1212, 1216, 1216, 1220, 1220,
+     1218, 1217, 1219, 1221, 1221, 1223, 1222, 1224, 1221, 1225,
+     1225, 1221, 1221, 1224, 1223, 1226, 1221, 1228, 1227, 1229,
+     1226, 1232, 1221, 1228, 1229, 1230, 1221, 1227, 1231, 1231,
+     1230, 1233, 1233, 1234, 1235, 1236, 1234, 1237, 1234, 1238,
+     1239, 1240, 1232, 1237, 1241, 1242, 1240, 1245, 1238, 1243,
+     1244, 1249, 1245, 1236, 1235, 1243, 1244, 1246, 1241, 1247,
+     1239, 1246, 1248, 1242, 1260, 1249, 1255, 1248, 1247, 1250,
+     1250, 1251, 1251, 1247, 1251, 1247, 1252, 1247, 1254, 1247,
+
+     1256, 1255, 1254, 1257, 1258, 1259, 1260, 1252, 1261, 1258,
+     1258, 1262, 1257, 1261, 1259, 1263, 1264, 1265, 1256, 1266,
+     1267, 1268, 1268, 1269, 1263, 1262, 1267, 1270, 1272, 1271,
+     1273, 1269, 1275, 1266, 1271, 1264, 1265, 1274, 1276, 1273,
+     1277, 1270, 1272, 1279, 1274, 1277, 1278, 1278, 1280, 1280,
+     1275, 1283, 1284, 1285, 1283, 1286, 1288, 1284, 1279, 1287,
+     1287, 1289, 1289, 1276, 1286, 1290, 1290, 1292, 1291, 1293,
+     1294, 1294, 1285, 1291, 1295, 1296, 1288, 1297, 1298, 1299,
+     1297, 1300, 1301, 1303, 1306, 1299, 1300, 1302, 1292, 1302,
+     1293, 1301, 1296, 1305, 1295, 1307, 1305, 1308, 1298, 1306,
+
+     1307, 1303, 1309, 1311, 1310, 1313, 1312, 1309, 1311, 1312,
+     1313, 1308, 1310, 1314, 1314, 1315, 1316, 1317, 1318, 1319,
+     1315, 1321, 1322, 1317, 1323, 1318, 1324, 1321, 1322, 1323,
+     1325, 1324, 1319, 1326, 1316, 1327, 1325, 1328, 1329, 1329,
+     1330, 1332, 1326, 1333, 1335, 1334, 1332, 1336, 1328, 1337,
+     1338, 1339, 1340, 1344, 1327, 1334, 1338, 1339, 1340, 1335,
+     1330, 1333, 1342, 1343, 1345, 1347, 1346, 1336, 1342, 1348,
+     1349, 1349, 1337, 1344, 1350, 1351, 1353, 1343, 1346, 1347,
+     1352, 1353, 1355, 1343, 1345, 1354, 1354, 1348, 1356, 1358,
+     1359, 1360, 1361, 1356, 1350, 1359, 1359, 1363, 1352, 1362,
+
+     1351, 1361, 1364, 1365, 1367, 1355, 1369, 1362, 1358, 1360,
+     1368, 1363, 1368, 1367, 1366, 1373, 1375, 1364, 1365, 1366,
+     1369, 1365, 1366, 1371, 1372, 1374, 1373, 1376, 1372, 1371,
+     1374, 1374, 1377, 1378, 1379, 1375, 1380, 1381, 1378, 1379,
+     1382, 1383, 1385,   68, 1386, 1382, 1387, 1388, 1388, 1390,
+     1377, 1389, 1391, 1376, 1380, 1389, 1385, 1381, 1393, 1392,
+     1394, 1383, 1386, 1395, 1387, 1392, 1396, 1390, 1397, 1398,
+     1393, 1391, 1402, 1399, 1403, 1400, 1406, 1395, 1399, 1394,
+     1401, 1396, 1400, 1397, 1404, 1401, 1405, 1405, 1398, 1407,
+     1402, 1406, 1408, 1404, 1410, 1403, 1409, 1409, 1407, 1411,
+
+     1410, 1412, 1413, 1413, 1415, 1411, 1414, 1414, 1416, 1417,
+     1415, 1418, 1408, 1419, 1420, 1412, 1418, 1421, 1428, 1419,
+     1420, 1422, 1422, 1421, 1416, 1423, 1423, 1425, 1425, 1426,
+     1417, 1427, 1429, 1426, 1430, 1431, 1428, 1434, 1432, 1435,
+     1427, 1433, 1433, 1438, 1429, 1432, 1436, 1435, 1430, 1437,
+     1431, 1436, 1441, 1439, 1443, 1440, 1444, 1434, 1439, 1439,
+     1440, 1440, 1438, 1437, 1442, 1442, 1446, 1445, 1447, 1448,
+     1449, 1446, 1441, 1443, 1450, 1444, 1445, 1451, 1452, 1453,
+     1450, 1455, 1451, 1458, 1454, 1456, 1457, 1447, 1449, 1448,
+     1454, 1456, 1457, 1459, 1460, 1461, 1462, 1463, 1452, 1469,
+
+     1455, 1464, 1458, 1465, 1465, 1453, 1466, 1467, 1468, 1466,
+     1462, 1469, 1459, 1460, 1461, 1475, 1464, 1474, 1463, 1470,
+     1470, 1471, 1471, 1472, 1475, 1473, 1467, 1468, 1472, 1473,
+     1474, 1476, 1477, 1481, 1477, 1479, 1480, 1482, 1477, 1483,
+     1485, 1480, 1484, 1484, 1476, 1485, 1486, 1487, 1481, 1489,
+     1488, 1477, 1486, 1479, 1489, 1483, 1490, 1482, 1492, 1493,
+     1490, 1491, 1487, 1488, 1494, 1491, 1495, 1499, 1496, 1497,
+     1497, 1501,   63, 1494, 1496, 1502, 1505, 1493, 1492, 1516,
+     1502, 1503, 1503, 1504, 1511, 1499, 1495, 1507, 1507, 1504,
+     1509, 1512, 1501, 1509, 1510, 1510, 1505, 1515, 1514, 1516,
+
+     1511, 1514, 1517, 1518, 1519, 1519, 1520, 1512, 1521, 1522,
+     1523, 1517, 1524, 1525, 1525, 1523, 1526, 1527, 1515, 1528,
+     1529, 1520, 1530, 1518, 1532, 1526, 1524, 1540, 1522, 1521,
+     1531, 1531, 1533, 1535, 1528, 1527, 1534, 1538, 1532, 1536,
+     1536, 1534, 1530, 1537, 1541, 1529, 1544, 1537, 1535, 1540,
+     1533, 1539, 1539, 1542, 1543, 1545, 1548, 1538, 1543, 1548,
+     1545, 1547, 1547, 1541, 1542, 1544, 1549, 1550, 1551, 1552,
+     1554, 1553, 1550, 1556, 1555, 1557, 1557, 1558, 1563, 1549,
+     1559, 1560, 1558, 1563, 1551, 1553, 1562, 1552, 1555, 1554,
+     1554, 1561, 1561, 1564, 1565, 1562, 1565, 1566, 1556, 1567,
+
+     1559, 1560, 1566, 1568, 1569, 1567, 1571, 1572, 1572, 1573,
+     1569, 1574, 1577, 1564, 1576, 1578, 1578, 1574, 1580, 1576,
+     1571, 1579, 1579, 1568, 1581, 1582, 1583, 1585, 1573, 1583,
+     1584, 1584, 1580, 1587, 1586, 1595, 1577, 1589, 1588,   58,
+     1582, 1588, 1581, 1589, 1588, 1585, 1586, 1590, 1591, 1593,
+     1594, 1591, 1590, 1587, 1596, 1594, 1588, 1596, 1593, 1598,
+     1595, 1597, 1597, 1599, 1603, 1598, 1600, 1591, 1606, 1599,
+     1603, 1600, 1601, 1601, 1602, 1602, 1604, 1605, 1607, 1608,
+     1609, 1604, 1610, 1609, 1612, 1611, 1606, 1613, 1610, 1612,
+     1605, 1611, 1614, 1613, 1618, 1615, 1619, 1607, 1617, 1608,
+
+     1615, 1616, 1616, 1617, 1620, 1621, 1622, 1623, 1624, 1625,
+     1626, 1629, 1618, 1627, 1636, 1614, 1619, 1627, 1638, 1632,
+     1622, 1623, 1624, 1620, 1628, 1621, 1628, 1625, 1633, 1630,
+     1629, 1632, 1634, 1635, 1636, 1626, 1630, 1637, 1638, 1635,
+     1633, 1639, 1640, 1642, 1642, 1634, 1643, 1644, 1645, 1646,
+     1646, 1648, 1644, 1637, 1647, 1639, 1649, 1650, 1651, 1652,
+     1645, 1653, 1655, 1640, 1654, 1648, 1643, 1651, 1653, 1647,
+     1657, 1659,   57, 1654, 1652, 1650, 1654, 1663, 1655, 1660,
+     1649, 1664, 1660, 1661, 1661, 1657, 1662, 1662, 1665, 1663,
+     1657, 1665, 1666, 1666, 1667, 1668, 1659, 1669, 1670, 1664,
+
+     1671, 1670, 1669, 1672, 1673, 1671, 1674, 1667, 1675, 1676,
+     1677, 1678, 1679, 1679, 1668, 1674, 1680, 1678, 1676, 1677,
+     1673, 1676, 1672, 1682, 1681, 1683, 1684, 1675, 1685, 1690,
+     1686, 1687, 1691, 1685, 1685, 1686, 1680, 1681, 1694, 1683,
+     1693, 1682, 1684, 1687, 1692, 1692, 1695, 1694, 1696, 1696,
+     1691, 1695, 1697, 1698, 1690, 1699, 1693, 1700, 1698, 1701,
+     1702, 1697, 1704, 1696, 1697, 1702, 1702, 1705, 1706, 1707,
+     1709, 1710, 1710, 1699, 1707, 1708, 1704, 1701, 1700, 1711,
+     1713, 1708, 1705, 1717, 1712, 1711, 1714, 1715, 1709, 1712,
+     1706, 1718, 1714, 1715, 1713, 1719, 1720, 1721, 1722, 1724,
+
+     1721, 1719, 1726, 1717, 1722, 1718, 1721, 1724, 1727, 1720,
+     1728, 1729, 1731, 1730, 1732, 1733, 1729, 1734, 1728, 1735,
+     1737, 1726, 1730, 1732, 1739, 1731, 1737, 1727, 1733, 1736,
+     1736, 1734, 1738, 1735, 1740, 1740, 1741, 1739, 1738, 1742,
+     1743, 1744, 1744, 1746, 1747, 1745, 1748, 1749, 1752, 1746,
+     1753, 1736, 1751, 1751, 1753, 1754, 1741, 1742, 1745, 1743,
+     1754, 1755, 1748, 1759, 1756, 1749, 1747, 1757, 1752, 1756,
+     1758, 1761, 1757, 1763, 1762, 1764, 1763, 1765, 1767, 1758,
+     1769, 1755, 1761, 1762, 1766, 1766, 1759, 1764, 1768, 1770,
+     1770, 1771, 1765, 1776, 1772, 1773, 1774, 1767, 1777, 1769,
+
+     1768, 1772, 1779, 1778, 1780, 1771, 1786, 1773, 1774, 1778,
+     1781, 1786, 1776, 1791, 1779, 1791, 1781, 1793, 1777, 1782,
+     1782, 1783, 1780, 1787, 1783, 1784, 1784, 1788, 1789, 1789,
+     1790, 1792, 1787, 1788, 1792, 1794, 1795, 1793, 1796, 1797,
+     1798, 1799, 1790, 1800, 1797, 1798, 1801, 1802, 1804, 1803,
+     1799, 1807, 1802, 1810, 1795, 1800, 1796, 1794, 1803, 1806,
+     1805, 1801, 1808, 1808, 1806, 1805, 1807, 1809, 1804, 1812,
+     1813, 1803, 1805, 1809, 1810, 1814, 1815, 1816, 1817, 1816,
+     1818, 1818, 1819, 1819, 1820, 1820, 1821, 1824, 1812, 1813,
+     1825, 1814, 1817, 1835, 1817, 1838, 1815, 1822, 1822, 1823,
+
+     1823, 1826, 1826, 1827, 1828, 1832, 1821, 1827, 1824, 1829,
+     1828, 1825, 1829, 1831, 1833, 1838, 1834, 1841, 1835, 1831,
+     1833, 1834, 1836, 1832, 1839, 1836, 1837, 1837, 1842, 1839,
+     1840, 1840, 1841, 1843, 1844, 1845, 1845, 1846, 1843, 1844,
+     1847, 1848, 1846, 1849, 1850, 1851, 1847, 1853,   52, 1842,
+     1852, 1857, 1855, 1848, 1848, 1848, 1852, 1855, 1855, 1856,
+     1848, 1859, 1850, 1849, 1860, 1851, 1857, 1853, 1858, 1861,
+     1858, 1862, 1859, 1856, 1863, 1861, 1864, 1865, 1865, 1860,
+     1862, 1866, 1867, 1867, 1868, 1872, 1869, 1870, 1870, 1871,
+     1871, 1875, 1875, 1876, 1863, 1880, 1881, 1864, 1882, 1884,
+
+     1877, 1879, 1881, 1888, 1868, 1872, 1885, 1866, 1869, 1877,
+     1879, 1883, 1883, 1890, 1882, 1886, 1880, 1887, 1876, 1891,
+     1884, 1885, 1886, 1889, 1889, 1893, 1887, 1894, 1895, 1888,
+     1893, 1896, 1900, 1894, 1897, 1891, 1901, 1904, 1896, 1890,
+     1897, 1898, 1901, 1898, 1902, 1902, 1904, 1903, 1895, 1905,
+     1907, 1900, 1903, 1906, 1908, 1909, 1910, 1908, 1911, 1911,
+     1912, 1913, 1907, 1914, 1915, 1918, 1912, 1913, 1922, 1905,
+     1916, 1919, 1906, 1909, 1916, 1920, 1921, 1921, 1925, 1915,
+     1920, 1923, 1910, 1914, 1926, 1918, 1934, 1922, 1926, 1928,
+     1916, 1927, 1927, 1919, 1929, 1928, 1923, 1925, 1930, 1930,
+
+     1931, 1932, 1935, 1929, 1931, 1933, 1933, 1934, 1936, 1937,
+     1938, 1939, 1932, 1940, 1937, 1941, 1935, 1932, 1943, 1940,
+     1942, 1944, 1947, 1943, 1945, 1945, 1947, 1936, 1946, 1946,
+     1938, 1939, 1949, 1941, 1944, 1942, 1950, 1951, 1952, 1952,
+     1955, 1949, 1954, 1954, 1956, 1955, 1955, 1950, 1958, 1959,
+     1956, 1960, 1950, 1961, 1958, 1962, 1960, 1951, 1964, 1965,
+     1966, 1962, 1968, 1965, 1970, 1961, 1967, 1967, 1969, 1973,
+     1964, 1971, 1966, 1974, 1969, 1959, 1975, 1971, 1972, 1972,
+     1976, 1975, 1978, 1979, 1980, 1986, 1970, 1968, 1973, 1980,
+     1983, 1983, 1976, 1974, 1978, 1982, 1984, 1984, 1982, 1985,
+
+     1985, 1987, 1979, 1988, 1990, 1986, 1989, 1987, 1991, 1988,
+     1990, 1989, 1995, 1993, 1996, 1995, 1999, 1991, 1993, 1997,
+     1997, 2000, 2001, 2002, 2002, 2003, 1996, 2001, 1999, 2006,
+     2004, 2005, 2006, 2000, 2003, 2004, 2005, 2007, 2007, 2008,
+     2009, 2012, 2010, 2011, 2014, 2012, 2013, 2015, 2016, 2009,
+     2014, 2013, 2017, 2018, 2020, 2020, 2021, 2016, 2023, 2008,
+     2010, 2027, 2011, 2022, 2025, 2015, 2020, 2018, 2024, 2024,
+     2017, 2026, 2022, 2025, 2021, 2028, 2029, 2035, 2023, 2036,
+     2028, 2038, 2027, 2026, 2032, 2032, 2039, 2034, 2040, 2029,
+     2034, 2041, 2044, 2035, 2040, 2036, 2038, 2042, 2042, 2043,
+
+     2039, 2043, 2045, 2045, 2046, 2048, 2048, 2051, 2041, 2052,
+     2044, 2053, 2046, 2049, 2049, 2052, 2055, 2053, 2054, 2056,
+     2057, 2058, 2058, 2055, 2059, 2060, 2061, 2062, 2063, 2065,
+     2051, 2067, 2054, 2059, 2066, 2064, 2069, 2067, 2061, 2062,
+     2057, 2056, 2070, 2063, 2073, 2071, 2060, 2064, 2074, 2066,
+     2067, 2072, 2072, 2077, 2076, 2065, 2069, 2071, 2075, 2076,
+     2081, 2075, 2073, 2087, 2079, 2070, 2082, 2083, 2074, 2079,
+     2080, 2082, 2080, 2077, 2083, 2085, 2088, 2089, 2081, 2091,
+     2090, 2087, 2090, 2095, 2085, 2088, 2092, 2097, 2094, 2089,
+     2094, 2098, 2092, 2096, 2096, 2100, 2098, 2095, 2091, 2099,
+
+     2100, 2099, 2101, 2102, 2103, 2104, 2106, 2101, 2107, 2105,
+     2108, 2104, 2111, 2097, 2105, 2108, 2108, 2109, 2112, 2106,
+     2107, 2102, 2113, 2113, 2103, 2109, 2114, 2114, 2115, 2116,
+     2117, 2111, 2112, 2118, 2120, 2119, 2117, 2119, 2118, 2121,
+     2122, 2122, 2123, 2115, 2124, 2124, 2128, 2121, 2126, 2116,
+     2125, 2125, 2120, 2127, 2123, 2121, 2130, 2126, 2127, 2131,
+     2132, 2131, 2134, 2136, 2128, 2130, 2133, 2135, 2130, 2143,
+     2138, 2133, 2133, 2139, 2134, 2136, 2135, 2142, 2139, 2140,
+     2146, 2132, 2138, 2144, 2140, 2145, 2145, 2147, 2148, 2143,
+     2142, 2149, 2144, 2150, 2151, 2152, 2154, 2156, 2146, 2155,
+
+     2152, 2157, 2165, 2159, 2148, 2147, 2157, 2150, 2154, 2151,
+     2158, 2155, 2159, 2162, 2164, 2158, 2149, 2156, 2166, 2162,
+     2164, 2167, 2168, 2170, 2170, 2165, 2169, 2171, 2172, 2172,
+     2173, 2174, 2162, 2166, 2175, 2169, 2171, 2176, 2175, 2167,
+     2177, 2179, 2176, 2180, 2181, 2187, 2182, 2168, 2173, 2180,
+     2174, 2182, 2182, 2177, 2185, 2183, 2184, 2185, 2196, 2186,
+     2179, 2183, 2184, 2190, 2190, 2187, 2181, 2186, 2191, 2191,
+     2192, 2193, 2193, 2194, 2194, 2195, 2196, 2198, 2197, 2192,
+     2199, 2199, 2198, 2191, 2197, 2200, 2200, 2195, 2201, 2202,
+     2205, 2207, 2204, 2201, 2191, 2202, 2204, 2206, 2209, 2210,
+
+     2212, 2206, 2211, 2213, 2210, 2215, 2214, 2216, 2213, 2217,
+     2205, 2207, 2218, 2221, 2217, 2212, 2219, 2219, 2220, 2223,
+     2224, 2215, 2220, 2209, 2214, 2211, 2222, 2216, 2221, 2225,
+     2226, 2222, 2227, 2228, 2218, 2229, 2232, 2227, 2224, 2230,
+     2230, 2225, 2233, 2234, 2232, 2223, 2228, 2235, 2236, 2226,
+     2237, 2239, 2238, 2229, 2240, 2245, 2243, 2249, 2241, 2247,
+     2246, 2233, 2234, 2239, 2241, 2247, 2250, 2250, 2245, 2237,
+     2235, 2243, 2236, 2238, 2246, 2240, 2248, 2249, 2248, 2251,
+     2252, 2253, 2254, 2252, 2251, 2255, 2256, 2256, 2257, 2257,
+     2258, 2260, 2258,   47, 2253, 2261, 2254, 2269, 2255, 2259,
+
+     2259, 2262, 2262, 2263, 2264, 2264, 2260, 2270, 2261, 2265,
+     2265, 2266, 2263, 2268, 2271, 2263, 2266, 2269, 2268, 2272,
+     2272, 2273, 2273, 2274, 2275, 2275, 2271, 2270, 2276, 2277,
+     2277, 2279, 2278, 2280, 2280, 2282, 2279, 2281, 2281, 2283,
+     2284, 2285, 2274, 2286, 2290, 2288, 2276, 2278, 2283, 2282,
+     2288, 2289, 2289, 2291, 2291, 2285, 2292, 2284, 2293, 2295,
+     2295, 2297, 2286, 2290, 2293, 2294, 2296, 2296, 2294, 2298,
+     2299, 2301, 2299, 2302, 2292, 2295, 2303, 2303, 2305, 2306,
+     2297, 2307, 2310, 2308, 2298, 2311, 2301, 2308, 2309, 2309,
+     2311, 2312, 2302, 2313, 2315, 2315, 2307, 2316, 2305, 2318,
+
+     2317, 2310, 2306, 2319, 2320, 2321, 2312, 2317, 2313, 2322,
+     2322, 2323, 2324, 2318, 2324, 2325, 2328, 2316, 2325, 2327,
+     2323, 2319, 2320, 2331, 2329, 2327, 2332, 2330, 2328, 2329,
+     2333, 2321, 2330, 2325, 2335, 2325, 2334, 2337, 2338, 2332,
+     2339, 2334, 2337, 2338, 2340, 2342, 2341, 2343, 2331, 2345,
+     2340, 2333, 2341, 2344, 2345, 2339, 2346, 2347, 2348, 2344,
+     2335, 2346, 2343, 2350, 2349, 2351, 2342, 2349, 2352, 2353,
+     2354, 2348, 2350, 2355, 2351, 2356, 2357, 2352, 2353, 2355,
+     2357, 2356, 2347, 2359, 2354, 2361, 2362, 2363, 2363, 2366,
+     2364, 2365, 2365, 2367, 2367, 2362, 2364, 2368, 2366, 2369,
+
+     2365, 2371, 2368, 2359, 2372, 2361, 2373, 2373, 2374, 2375,
+     2377, 2378, 2380, 2379, 2384, 2386, 2386, 2371, 2375, 2369,
+     2372, 2369, 2377, 2374, 2380, 2383, 2382, 2378, 2379, 2382,
+     2383, 2385, 2387, 2387, 2384, 2389, 2389, 2390, 2396, 2391,
+     2390, 2392, 2393, 2385, 2391, 2394, 2398, 2392, 2393, 2395,
+     2395, 2399, 2396, 2400, 2394, 2397, 2397, 2402, 2398, 2401,
+     2401, 2403, 2404, 2402, 2406, 2399, 2407, 2404, 2406, 2407,
+     2408, 2408, 2400, 2409, 2410, 2403, 2411, 2412, 2409, 2415,
+     2413, 2414, 2414, 2410, 2413, 2411, 2417, 2418, 2419, 2420,
+     2421, 2417, 2415, 2422, 2421, 2423, 2424, 2412, 2425, 2427,
+
+     2423, 2428, 2424, 2420, 2425, 2426, 2426, 2418, 2419, 2429,
+     2430, 2431, 2434, 2422, 2435, 2430, 2436, 2427, 2432, 2432,
+     2428, 2436, 2441, 2437, 2434, 2438, 2443, 2446, 2429, 2437,
+     2435, 2441, 2431, 2438, 2439, 2452, 2439, 2444, 2444, 2445,
+     2443, 2450, 2445, 2447, 2447, 2450, 2451, 2452, 2453, 2453,
+     2454, 2459, 2451, 2446, 2457, 2457, 2461, 2462, 2465, 2454,
+     2466, 2467, 2468, 2465, 2470, 2470, 2469, 2468, 2476, 2459,
+     2461, 2469, 2474, 2462, 2472, 2472, 2475, 2475, 2474, 2477,
+     2478, 2480, 2467, 2482, 2476, 2478, 2466, 2481, 2484, 2484,
+     2481, 2483, 2487, 2486, 2488, 2482, 2489, 2493, 2487, 2494,
+
+     2480, 2477, 2486, 2483, 2491, 2491, 2492, 2496, 2496, 2492,
+     2498, 2489, 2488, 2497, 2497, 2498, 2493, 2494, 2499, 2500,
+     2501, 2502, 2505, 2502, 2503, 2501, 2504, 2506, 2500, 2507,
+     2508, 2546, 2506, 2546, 2505,   18, 2499, 2509, 2503, 2515,
+     2504, 2514, 2509, 2510, 2510, 2511, 2511, 2512, 2512, 2507,
+     2508, 2513, 2513, 2514, 2516, 2517, 2517, 2515, 2519, 2516,
+     2518, 2518, 2520, 2521, 2522, 2523, 2526, 2524, 2525, 2525,
+     2519, 2527, 2527, 2528, 2528, 2521, 2529, 2530, 2532, 2533,
+     2535, 2531, 2520, 2524, 2522, 2526, 2523, 2529, 2531, 2530,
+     2532, 2534, 2536, 2537, 2537, 2538, 2534, 2539, 2539, 2533,
+
+     2535, 2540, 2541, 2542, 2538, 2543, 2544, 2547, 2545, 2548,
+     2548, 2550, 2536, 2551, 2549, 2553, 2542, 2554, 2555, 2547,
+     2544, 2556, 2541, 2549, 2556, 2576, 2550, 2540, 2551, 2543,
+     2545, 2557, 2558, 2553, 2576, 2559, 2567, 2558, 2569, 2554,
+     2559, 2555, 2560, 2560, 2568, 2557, 2561, 2561, 2562, 2562,
+     2564, 2564, 2566, 2566, 2567, 2568, 2570, 2569, 2572, 2573,
+     2574, 2575, 2578, 2577, 2578, 2579, 2580, 2586, 2581, 2582,
+     2582, 2570, 2584, 2584, 2585, 2588, 2588, 2573, 2572, 2591,
+     2591, 2575, 2574, 2577, 2580, 2579, 2581, 2587, 2585, 2586,
+     2590, 2592, 2593, 2594, 2603, 2596, 2587, 2595, 2597, 2590,
+
+     2594, 2598, 2599,   17, 2600, 2601, 2601, 2602, 2602, 2592,
+     2593, 2600, 2595, 2596, 2603, 2604, 2597, 2598, 2605, 2607,
+     2607, 2599, 2608, 2608, 2605, 2609, 2610, 2611, 2612, 2613,
+     2614, 2609, 2615, 2604, 2616, 2614, 2617, 2618, 2620, 2618,
+     2620, 2617, 2611, 2613, 2610, 2619, 2619, 2612, 2621, 2621,
+     2623, 2625, 2615, 2626, 2616, 2627, 2628, 2629, 2630, 2631,
+     2625, 2632, 2629, 2630, 2635, 2636, 2638, 2627, 2636, 2623,
+     2637, 2637, 2626, 2639, 2640, 2640, 2628, 2641, 2642, 2631,
+     2632, 2638, 2643, 2645, 2635, 2646, 2643, 2648, 2641, 2646,
+     2650, 2639, 2651, 2642, 2647, 2647, 2652, 2655, 2645, 2656,
+
+     2648, 2653, 2653, 2657, 2659, 2650, 2663, 2657, 2656, 2655,
+     2658, 2658, 2651, 2660, 2660, 2661, 2652, 2662, 2664, 2665,
+     2661, 2672, 2663, 2659, 2666, 2666, 2662, 2671, 2671, 2674,
+     2664, 2673, 2673, 2675, 2680, 2676, 2677, 2681, 2678, 2665,
+     2679, 2679, 2674, 2672, 2676, 2677, 2675, 2678, 2683, 2683,
+     2686, 2687, 2681, 2688, 2680, 2686, 2687, 2689, 2690, 2691,
+     2692, 2695, 2689, 2693, 2699, 2697, 2690, 2688, 2698, 2692,
+     2697, 2693, 2702, 2698, 2700, 2700, 2695, 2702, 2691, 2699,
+     2701, 2701, 2703, 2704, 2704, 2705, 2706, 2707, 2708, 2709,
+        0, 2706, 2705, 2710, 2712, 2709, 2711, 2711, 2710, 2713,
+
+     2718, 2703, 2714, 2714, 2713, 2707, 2708, 2715, 2715, 2712,
+     2719, 2719, 2720, 2718, 2721, 2720, 2722, 2723, 2724, 2721,
+     2721, 2722, 2723, 2725, 2726, 2727, 2728, 2729, 2726, 2725,
+     2727, 2730, 2724, 2731, 2732, 2728, 2734, 2733, 2735, 2730,
+     2732, 2734, 2729, 2733, 2737, 2739, 2741, 2738, 2739, 2745,
+     2735, 2737, 2738, 2746, 2731, 2743, 2744, 2759, 2741, 2747,
+     2743, 2744, 2748, 2749, 2749, 2750, 2746, 2745, 2747, 2754,
+     2751, 2748, 2755, 2756, 2750, 2751, 2759, 2760, 2755, 2756,
+     2761, 2762, 2762, 2763, 2764, 2765, 2766, 2754, 2767, 2767,
+     2763, 2768, 2770, 2772, 2765, 2775, 2773, 2760, 2778, 2761,
+
+     2773, 2766, 2776, 2764, 2774, 2774, 2777, 2770, 2776, 2779,
+     2768, 2781, 2777, 2772, 2784, 2779, 2778, 2780, 2780, 2781,
+     2775, 2782, 2785, 2784, 2787, 2788, 2782, 2789, 2788, 2790,
+     2787, 2789, 2791, 2793, 2793, 2785, 2794, 2795, 2795, 2796,
+     2796, 2798, 2798, 2790, 2799, 2800, 2804, 2791, 2799, 2806,
+     2800, 2802, 2802, 2805, 2794, 2808, 2810, 2807, 2805, 2811,
+     2811, 2806, 2807, 2807, 2813, 2813, 2804, 2808, 2814, 2814,
+     2815, 2816, 2817, 2815, 2819, 2819, 2810, 2820, 2822, 2823,
+     2823, 2824, 2824, 2828, 2816, 2817, 2825, 2825, 2826, 2827,
+     2827, 2829, 2830, 2831, 2840, 2820, 2828, 2837, 2822, 2831,
+
+     2832, 2832, 2837, 2826, 2833, 2836, 2830, 2839, 2833, 2829,
+     2841, 2836, 2839, 2839, 2842, 2843, 2844, 2840, 2845, 2846,
+     2852, 2843, 2844, 2846, 2847, 2847, 2850, 2855, 2852, 2853,
+     2841, 2850, 2853, 2856, 2842, 2859, 2856, 2857, 2857, 2858,
+     2859, 2860, 2861, 2845, 2862, 2863, 2863, 2864, 2867, 2869,
+     2866, 2871, 2855, 2911, 2869, 2869, 2858, 2858, 2862, 2860,
+     2865, 2864, 2861, 2865, 2866, 2868, 2880, 2867, 2911, 2870,
+     2871, 2865, 2877, 2868, 2870, 2870, 2872, 2872, 2873, 2873,
+     2874, 2874, 2875, 2875, 2876, 2876, 2878, 2879, 2877, 2881,
+     2882, 2878, 2880, 2883, 2884, 2882, 2885, 2886, 2887, 2884,
+
+     2889, 2889, 2892, 2881, 2895, 2885,    0, 2879, 2890, 2890,
+     2891, 2895, 2883, 2891, 2894, 2894, 2905, 2886, 2887, 2897,
+     2892, 2896, 2896, 2900, 2897, 2899, 2899, 2901, 2902, 2903,
+     2906, 2906, 2900, 2908, 2905, 2907, 2901, 2902, 2903, 2907,
+     2909, 2910, 2908, 2912, 2913, 2914, 2915, 2924, 2912, 2912,
+     2915, 2919, 2910, 2923, 2914, 2925, 2919, 2913, 2929, 2909,
+     2920, 2920, 2922, 2922, 2927, 2927, 2928, 2923, 2932, 2933,
+     2929, 2934, 2924, 2925, 2933, 2928, 2936, 2937, 2939, 2941,
+     2934, 2943, 2944, 2937, 2945, 2945, 2943, 2944, 2946, 2948,
+     2939, 2949, 2950, 2932, 2948, 2957, 2936, 2946, 2951, 2951,
+
+     2941, 2958, 2951,    0, 2949, 2956, 2950, 2953, 2953, 2954,
+     2954, 2955, 2955, 2959, 2956, 2957, 2961, 2965, 2959, 2962,
+     2958, 2963, 2961, 2967, 2962, 2966, 2963, 2964, 2964, 2968,
+     2969, 2971, 2970, 2978, 2968, 2965,    0, 2966, 2970, 2972,
+     2972, 2974, 2975, 2979, 2967, 2974, 2976, 2975, 2969, 2977,
+     2977, 2976, 2978, 2980, 2982, 2989, 2971, 2986, 2979, 2984,
+     2984, 2988, 2987, 2990, 2989, 2988, 2991, 2993, 2980, 2992,
+     2986, 2994, 2993, 2996, 2982, 2987, 2997, 2992, 2998, 2990,
+     2995, 2995, 2996, 2999, 2999, 2991, 3000, 3003, 3003, 3004,
+     3004, 2994, 3006, 3010, 2997, 3008, 3008, 3012, 3011, 3013,
+
+     3017, 3014, 3012, 3018, 2998, 3000, 3014, 3016, 3016, 3010,
+     3019, 3020, 3018, 3006, 3011, 3013, 3019, 3021, 3023, 3023,
+     3017, 3024, 3025, 3026, 3026, 3029, 3030, 3033, 3031, 3034,
+     3034, 3036, 3030, 3031, 3020, 3024, 3021, 3035, 3035, 3037,
+     3039, 3025, 3038, 3038, 3040, 3029, 3036, 3041, 3042, 3033,
+     3043, 3039, 3044, 3040, 3042, 3045, 3046, 3046, 3047, 3037,
+     3048, 3055, 3038, 3048, 3044, 3049, 3054, 3041, 3049, 3043,
+     3050, 3050, 3060, 3047, 3056, 3045, 3057, 3057, 3054, 3058,
+     3056, 3055, 3058, 3059, 3063, 3063, 3062, 3064, 3065, 3059,
+     3060, 3062, 3064, 3066, 3067, 3068, 3068, 3070, 3071, 3066,
+
+     3072, 3073, 3074, 3074, 3075, 3076, 3077, 3065, 3081, 3070,
+     3082, 3067, 3067, 3081, 3073, 3077, 3071, 3079, 3079, 3080,
+     3080, 3076, 3083, 3075, 3082, 3072, 3088, 3083, 3084, 3084,
+     3085, 3085, 3086, 3086, 3087, 3087, 3089, 3090, 3096, 3088,
+     3091, 3093, 3093, 3090, 3098, 3091, 3099, 3101, 3100, 3102,
+     3102, 3104, 3104, 3105, 3106, 3108, 3107, 3096, 3110, 3110,
+     3111, 3111, 3089, 3109, 3114, 3113, 3098, 3100, 3099, 3101,
+     3107, 3113, 3109, 3106, 3115, 3108, 3116, 3119, 3126, 3105,
+     3124, 3116, 3120, 3120, 3114, 3122, 3122, 3123, 3127, 3125,
+     3126, 3133, 3123, 3115, 3124, 3125, 3127, 3129, 3119, 3128,
+
+     3128, 3131, 3129, 3132, 3134, 3131, 3136, 3135, 3132, 3137,
+     3140, 3133, 3135, 3139, 3141, 3137, 3142, 3144, 3136, 3151,
+        0, 3139, 3145, 3146, 3134, 3147, 3148, 3150, 3153, 3140,
+     3155, 3148, 3150, 3153, 3141, 3144, 3142, 3152, 3145, 3151,
+     3146, 3146, 3156, 3152, 3157, 3156, 3147, 3160, 3160, 3162,
+     3155, 3161, 3161, 3162, 3167, 3167, 3168, 3157, 3169, 3170,
+     3170, 3168, 3172, 3172, 3173, 3173, 3177, 3173, 3174, 3174,
+     3177, 3174, 3175, 3175, 3179, 3176, 3176, 3169, 3176, 3179,
+     3180, 3181, 3181, 3182, 3183, 3186, 3187, 3188, 3190, 3180,
+     3189, 3189, 3188, 3193, 3196, 3194, 3195, 3197, 3183, 3199,
+
+     3195, 3182, 3194, 3196, 3200, 3186, 3187, 3202, 3190, 3200,
+     3201, 3201, 3197, 3203, 3203, 3206, 3202, 3199, 3193, 3204,
+     3204, 3205, 3205, 3207, 3208, 3211, 3209, 3212, 3207, 3210,
+     3206, 3209, 3209, 3208, 3213, 3210, 3208, 3216, 3214, 3215,
+     3217, 3217, 3212, 3214, 3215, 3218, 3219, 3220, 3220, 3222,
+     3211, 3218, 3219, 3221, 3221, 3213, 3216, 3223, 3226, 3226,
+     3228, 3228, 3223, 3229, 3222, 3232, 3232, 3233, 3233, 3234,
+     3234, 3241, 3229, 3235, 3235, 3237, 3237, 3238, 3238, 3239,
+     3239, 3240, 3240, 3243, 3244, 3244, 3245, 3246, 3247, 3249,
+     3249, 3250, 3243, 3251, 3251, 3245, 3252, 3241, 3264, 3246,
+
+     3253, 3258, 3254, 3255, 3255, 3256, 3256, 3262, 3247, 3263,
+     3250, 3252, 3263, 3253, 3254, 3266, 3258, 3259, 3259, 3265,
+     3265, 3269, 3270, 3268, 3264, 3262, 3268, 3269, 3272, 3271,
+     3273, 3276, 3277, 3266, 3271, 3274, 3270, 3276, 3280, 3281,
+     3284, 3277, 3280, 3294, 3293, 3296, 3294, 3272, 3273, 3293,
+     3302, 3274, 3297, 3297, 3281, 3298, 3298, 3305, 3296, 3300,
+     3300, 3303, 3307, 3304, 3309, 3316, 3284, 3304, 3310, 3311,
+     3303, 3313, 3315, 3302, 3311, 3317, 3307, 3305, 3312, 3310,
+     3312, 3314, 3314, 3318, 3316, 3315, 3313, 3309, 3319, 3320,
+     3322, 3321, 3323, 3317, 3324, 3332, 3325, 3323, 3327, 3318,
+
+     3321, 3325, 3322, 3328, 3320, 3326, 3326, 3333, 3328, 3332,
+     3334, 3334, 3335, 3319, 3340, 3324, 3336, 3336, 3327, 3337,
+     3337, 3335, 3338, 3338, 3339, 3339, 3341, 3333, 3342, 3343,
+     3344, 3342, 3345, 3340, 3343, 3344, 3346, 3347, 3348, 3350,
+     3352, 3349, 3357, 3347, 3350, 3362, 3341, 3351, 3351, 3353,
+     3353, 3346, 3348, 3349, 3355, 3355, 3356, 3345, 3358, 3358,
+     3352, 3357, 3360, 3362, 3365, 3365, 3366, 3366, 3367, 3368,
+     3371, 3356, 3369, 3370, 3372, 3373, 3367, 3360, 3369, 3370,
+     3374, 3375, 3375, 3380, 3371, 3374, 3381, 3372, 3368, 3377,
+     3377, 3383, 3384, 3386, 3373, 3387, 3384, 3388, 3389, 3390,
+
+     3387, 3391, 3392, 3393, 3380, 3383, 3381, 3392, 3393, 3394,
+     3394, 3389, 3390, 3386, 3397, 3398, 3388, 3399, 3400, 3400,
+     3391, 3401, 3402, 3403, 3403, 3404, 3401, 3405, 3402, 3407,
+     3404, 3408, 3405, 3398, 3397, 3406, 3399, 3408, 3410, 3410,
+     3406, 3411, 3412, 3412, 3415, 3414, 3411, 3416, 3407, 3414,
+     3417, 3418, 3419, 3420, 3416, 3421, 3423, 3423, 3419, 3425,
+     3425, 3427, 3426, 3415, 3428, 3429, 3427, 3430, 3421, 3417,
+     3418, 3426, 3420, 3432, 3426, 3431, 3431, 3433, 3432, 3435,
+     3430, 3436, 3436, 3428, 3429, 3437, 3438, 3438, 3439, 3439,
+     3433, 3440, 3441, 3442, 3443, 3443, 3440, 3444, 3445, 3441,
+
+     3445, 3447, 3444, 3448, 3437, 3435, 3446, 3446, 3447, 3449,
+     3448, 3450, 3442, 3451, 3453, 3453, 3450, 3454, 3456, 3457,
+     3458, 3459, 3463, 3456, 3457, 3460, 3460, 3464, 3449, 3462,
+     3462,    0, 3451, 3465, 3465, 3467, 3454, 3466, 3466, 3458,
+     3459, 3463, 3467, 3469, 3469, 3471, 3464, 3470, 3470, 3473,
+     3476, 3477, 3471, 3478, 3473, 3476, 3479, 3479, 3480, 3480,
+        0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+     3477,    0, 3478, 3484, 3484, 3484, 3484, 3484, 3484, 3484,
+     3485, 3485, 3485, 3485, 3485, 3485, 3485, 3486, 3486, 3486,
+     3486, 3486, 3486, 3486, 3487, 3487, 3487, 3487, 3487, 3487,
+
+     3487, 3488, 3488, 3488, 3488, 3488, 3488, 3488, 3489, 3489,
+     3489, 3489, 3489, 3489, 3489, 3490, 3490, 3490, 3490, 3490,
+     3490, 3490, 3492, 3492,    0, 3492, 3492, 3492, 3492, 3493,
+     3493,    0,    0,    0, 3493, 3493, 3494, 3494,    0,    0,
+     3494,    0, 3494, 3495,    0,    0,    0,    0,    0, 3495,
+     3496, 3496,    0,    0,    0, 3496, 3496, 3497,    0,    0,
+        0,    0,    0, 3497, 3498, 3498,    0, 3498, 3498, 3498,
+     3498, 3499,    0,    0,    0,    0,    0, 3499, 3500, 3500,
+        0,    0,    0, 3500, 3500, 3501, 3501,    0, 3501, 3501,
+     3501, 3501, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483,
+
+     3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483,
+     3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483,
+     3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483,
+     3483, 3483, 3483
     } ;
 
 static yy_state_type yy_last_accepting_state;
@@ -3208,7 +3308,7 @@ static void config_end_include(void)
 #define YY_NO_INPUT 1
 #endif
 
-#line 3210 "<stdout>"
+#line 3310 "<stdout>"
 
 #define INITIAL 0
 #define quotedstring 1
@@ -3426,7 +3526,7 @@ YY_DECL
        {
 #line 211 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 
-#line 3428 "<stdout>"
+#line 3528 "<stdout>"
 
        while ( 1 )             /* loops until end-of-file is reached */
                {
@@ -3459,13 +3559,13 @@ yy_match:
                        while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
                                {
                                yy_current_state = (int) yy_def[yy_current_state];
-                               if ( yy_current_state >= 3354 )
+                               if ( yy_current_state >= 3484 )
                                        yy_c = yy_meta[(unsigned int) yy_c];
                                }
                        yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
                        ++yy_cp;
                        }
-               while ( yy_base[yy_current_state] != 6547 );
+               while ( yy_base[yy_current_state] != 6793 );
 
 yy_find_action:
                yy_act = yy_accept[yy_current_state];
@@ -3610,82 +3710,82 @@ YY_RULE_SETUP
 case 24:
 YY_RULE_SETUP
 #line 238 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_EDNS_TCP_KEEPALIVE) }
+{ YDVAR(1, VAR_MAX_REUSE_TCP_QUERIES) }
        YY_BREAK
 case 25:
 YY_RULE_SETUP
 #line 239 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_EDNS_TCP_KEEPALIVE_TIMEOUT) }
+{ YDVAR(1, VAR_TCP_REUSE_TIMEOUT) }
        YY_BREAK
 case 26:
 YY_RULE_SETUP
 #line 240 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SSL_UPSTREAM) }
+{ YDVAR(1, VAR_TCP_AUTH_QUERY_TIMEOUT) }
        YY_BREAK
 case 27:
 YY_RULE_SETUP
 #line 241 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SSL_UPSTREAM) }
+{ YDVAR(1, VAR_EDNS_TCP_KEEPALIVE) }
        YY_BREAK
 case 28:
 YY_RULE_SETUP
 #line 242 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SSL_SERVICE_KEY) }
+{ YDVAR(1, VAR_EDNS_TCP_KEEPALIVE_TIMEOUT) }
        YY_BREAK
 case 29:
 YY_RULE_SETUP
 #line 243 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SSL_SERVICE_KEY) }
+{ YDVAR(1, VAR_SSL_UPSTREAM) }
        YY_BREAK
 case 30:
 YY_RULE_SETUP
 #line 244 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SSL_SERVICE_PEM) }
+{ YDVAR(1, VAR_SSL_UPSTREAM) }
        YY_BREAK
 case 31:
 YY_RULE_SETUP
 #line 245 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SSL_SERVICE_PEM) }
+{ YDVAR(1, VAR_SSL_SERVICE_KEY) }
        YY_BREAK
 case 32:
 YY_RULE_SETUP
 #line 246 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SSL_PORT) }
+{ YDVAR(1, VAR_SSL_SERVICE_KEY) }
        YY_BREAK
 case 33:
 YY_RULE_SETUP
 #line 247 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SSL_PORT) }
+{ YDVAR(1, VAR_SSL_SERVICE_PEM) }
        YY_BREAK
 case 34:
 YY_RULE_SETUP
 #line 248 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TLS_CERT_BUNDLE) }
+{ YDVAR(1, VAR_SSL_SERVICE_PEM) }
        YY_BREAK
 case 35:
 YY_RULE_SETUP
 #line 249 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TLS_CERT_BUNDLE) }
+{ YDVAR(1, VAR_SSL_PORT) }
        YY_BREAK
 case 36:
 YY_RULE_SETUP
 #line 250 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TLS_WIN_CERT) }
+{ YDVAR(1, VAR_SSL_PORT) }
        YY_BREAK
 case 37:
 YY_RULE_SETUP
 #line 251 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
+{ YDVAR(1, VAR_TLS_CERT_BUNDLE) }
        YY_BREAK
 case 38:
 YY_RULE_SETUP
 #line 252 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
+{ YDVAR(1, VAR_TLS_CERT_BUNDLE) }
        YY_BREAK
 case 39:
 YY_RULE_SETUP
 #line 253 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
+{ YDVAR(1, VAR_TLS_WIN_CERT) }
        YY_BREAK
 case 40:
 YY_RULE_SETUP
@@ -3695,1419 +3795,1464 @@ YY_RULE_SETUP
 case 41:
 YY_RULE_SETUP
 #line 255 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) }
+{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
        YY_BREAK
 case 42:
 YY_RULE_SETUP
 #line 256 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TLS_CIPHERS) }
+{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
        YY_BREAK
 case 43:
 YY_RULE_SETUP
 #line 257 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TLS_CIPHERSUITES) }
+{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
        YY_BREAK
 case 44:
 YY_RULE_SETUP
 #line 258 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TLS_USE_SNI) }
+{ YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) }
        YY_BREAK
 case 45:
 YY_RULE_SETUP
 #line 259 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HTTPS_PORT) }
+{ YDVAR(1, VAR_TLS_CIPHERS) }
        YY_BREAK
 case 46:
 YY_RULE_SETUP
 #line 260 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HTTP_ENDPOINT) }
+{ YDVAR(1, VAR_TLS_CIPHERSUITES) }
        YY_BREAK
 case 47:
 YY_RULE_SETUP
 #line 261 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HTTP_MAX_STREAMS) }
+{ YDVAR(1, VAR_TLS_USE_SNI) }
        YY_BREAK
 case 48:
 YY_RULE_SETUP
 #line 262 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HTTP_QUERY_BUFFER_SIZE) }
+{ YDVAR(1, VAR_HTTPS_PORT) }
        YY_BREAK
 case 49:
 YY_RULE_SETUP
 #line 263 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HTTP_RESPONSE_BUFFER_SIZE) }
+{ YDVAR(1, VAR_HTTP_ENDPOINT) }
        YY_BREAK
 case 50:
 YY_RULE_SETUP
 #line 264 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HTTP_NODELAY) }
+{ YDVAR(1, VAR_HTTP_MAX_STREAMS) }
        YY_BREAK
 case 51:
 YY_RULE_SETUP
 #line 265 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HTTP_NOTLS_DOWNSTREAM) }
+{ YDVAR(1, VAR_HTTP_QUERY_BUFFER_SIZE) }
        YY_BREAK
 case 52:
 YY_RULE_SETUP
 #line 266 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_USE_SYSTEMD) }
+{ YDVAR(1, VAR_HTTP_RESPONSE_BUFFER_SIZE) }
        YY_BREAK
 case 53:
 YY_RULE_SETUP
 #line 267 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DO_DAEMONIZE) }
+{ YDVAR(1, VAR_HTTP_NODELAY) }
        YY_BREAK
 case 54:
 YY_RULE_SETUP
 #line 268 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_INTERFACE) }
+{ YDVAR(1, VAR_HTTP_NOTLS_DOWNSTREAM) }
        YY_BREAK
 case 55:
 YY_RULE_SETUP
 #line 269 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_INTERFACE) }
+{ YDVAR(1, VAR_USE_SYSTEMD) }
        YY_BREAK
 case 56:
 YY_RULE_SETUP
 #line 270 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_OUTGOING_INTERFACE) }
+{ YDVAR(1, VAR_DO_DAEMONIZE) }
        YY_BREAK
 case 57:
 YY_RULE_SETUP
 #line 271 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_INTERFACE_AUTOMATIC) }
+{ YDVAR(1, VAR_INTERFACE) }
        YY_BREAK
 case 58:
 YY_RULE_SETUP
 #line 272 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SO_RCVBUF) }
+{ YDVAR(1, VAR_INTERFACE) }
        YY_BREAK
 case 59:
 YY_RULE_SETUP
 #line 273 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SO_SNDBUF) }
+{ YDVAR(1, VAR_OUTGOING_INTERFACE) }
        YY_BREAK
 case 60:
 YY_RULE_SETUP
 #line 274 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SO_REUSEPORT) }
+{ YDVAR(1, VAR_INTERFACE_AUTOMATIC) }
        YY_BREAK
 case 61:
 YY_RULE_SETUP
 #line 275 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IP_TRANSPARENT) }
+{ YDVAR(1, VAR_SO_RCVBUF) }
        YY_BREAK
 case 62:
 YY_RULE_SETUP
 #line 276 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IP_FREEBIND) }
+{ YDVAR(1, VAR_SO_SNDBUF) }
        YY_BREAK
 case 63:
 YY_RULE_SETUP
 #line 277 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IP_DSCP) }
+{ YDVAR(1, VAR_SO_REUSEPORT) }
        YY_BREAK
 case 64:
 YY_RULE_SETUP
 #line 278 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CHROOT) }
+{ YDVAR(1, VAR_IP_TRANSPARENT) }
        YY_BREAK
 case 65:
 YY_RULE_SETUP
 #line 279 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_USERNAME) }
+{ YDVAR(1, VAR_IP_FREEBIND) }
        YY_BREAK
 case 66:
 YY_RULE_SETUP
 #line 280 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DIRECTORY) }
+{ YDVAR(1, VAR_IP_DSCP) }
        YY_BREAK
 case 67:
 YY_RULE_SETUP
 #line 281 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_LOGFILE) }
+{ YDVAR(1, VAR_CHROOT) }
        YY_BREAK
 case 68:
 YY_RULE_SETUP
 #line 282 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_PIDFILE) }
+{ YDVAR(1, VAR_USERNAME) }
        YY_BREAK
 case 69:
 YY_RULE_SETUP
 #line 283 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_ROOT_HINTS) }
+{ YDVAR(1, VAR_DIRECTORY) }
        YY_BREAK
 case 70:
 YY_RULE_SETUP
 #line 284 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_STREAM_WAIT_SIZE) }
+{ YDVAR(1, VAR_LOGFILE) }
        YY_BREAK
 case 71:
 YY_RULE_SETUP
 #line 285 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_EDNS_BUFFER_SIZE) }
+{ YDVAR(1, VAR_PIDFILE) }
        YY_BREAK
 case 72:
 YY_RULE_SETUP
 #line 286 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MSG_BUFFER_SIZE) }
+{ YDVAR(1, VAR_ROOT_HINTS) }
        YY_BREAK
 case 73:
 YY_RULE_SETUP
 #line 287 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MSG_CACHE_SIZE) }
+{ YDVAR(1, VAR_STREAM_WAIT_SIZE) }
        YY_BREAK
 case 74:
 YY_RULE_SETUP
 #line 288 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MSG_CACHE_SLABS) }
+{ YDVAR(1, VAR_EDNS_BUFFER_SIZE) }
        YY_BREAK
 case 75:
 YY_RULE_SETUP
 #line 289 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_RRSET_CACHE_SIZE) }
+{ YDVAR(1, VAR_MSG_BUFFER_SIZE) }
        YY_BREAK
 case 76:
 YY_RULE_SETUP
 #line 290 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_RRSET_CACHE_SLABS) }
+{ YDVAR(1, VAR_MSG_CACHE_SIZE) }
        YY_BREAK
 case 77:
 YY_RULE_SETUP
 #line 291 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CACHE_MAX_TTL) }
+{ YDVAR(1, VAR_MSG_CACHE_SLABS) }
        YY_BREAK
 case 78:
 YY_RULE_SETUP
 #line 292 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CACHE_MAX_NEGATIVE_TTL) }
+{ YDVAR(1, VAR_RRSET_CACHE_SIZE) }
        YY_BREAK
 case 79:
 YY_RULE_SETUP
 #line 293 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CACHE_MIN_TTL) }
+{ YDVAR(1, VAR_RRSET_CACHE_SLABS) }
        YY_BREAK
 case 80:
 YY_RULE_SETUP
 #line 294 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_INFRA_HOST_TTL) }
+{ YDVAR(1, VAR_CACHE_MAX_TTL) }
        YY_BREAK
 case 81:
 YY_RULE_SETUP
 #line 295 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_INFRA_LAME_TTL) }
+{ YDVAR(1, VAR_CACHE_MAX_NEGATIVE_TTL) }
        YY_BREAK
 case 82:
 YY_RULE_SETUP
 #line 296 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_INFRA_CACHE_SLABS) }
+{ YDVAR(1, VAR_CACHE_MIN_TTL) }
        YY_BREAK
 case 83:
 YY_RULE_SETUP
 #line 297 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_INFRA_CACHE_NUMHOSTS) }
+{ YDVAR(1, VAR_INFRA_HOST_TTL) }
        YY_BREAK
 case 84:
 YY_RULE_SETUP
 #line 298 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_INFRA_CACHE_LAME_SIZE) }
+{ YDVAR(1, VAR_INFRA_LAME_TTL) }
        YY_BREAK
 case 85:
 YY_RULE_SETUP
 #line 299 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_INFRA_CACHE_MIN_RTT) }
+{ YDVAR(1, VAR_INFRA_CACHE_SLABS) }
        YY_BREAK
 case 86:
 YY_RULE_SETUP
 #line 300 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_INFRA_KEEP_PROBING) }
+{ YDVAR(1, VAR_INFRA_CACHE_NUMHOSTS) }
        YY_BREAK
 case 87:
 YY_RULE_SETUP
 #line 301 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) }
+{ YDVAR(1, VAR_INFRA_CACHE_LAME_SIZE) }
        YY_BREAK
 case 88:
 YY_RULE_SETUP
 #line 302 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_JOSTLE_TIMEOUT) }
+{ YDVAR(1, VAR_INFRA_CACHE_MIN_RTT) }
        YY_BREAK
 case 89:
 YY_RULE_SETUP
 #line 303 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DELAY_CLOSE) }
+{ YDVAR(1, VAR_INFRA_KEEP_PROBING) }
        YY_BREAK
 case 90:
 YY_RULE_SETUP
 #line 304 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_UDP_CONNECT) }
+{ YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) }
        YY_BREAK
 case 91:
 YY_RULE_SETUP
 #line 305 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TARGET_FETCH_POLICY) }
+{ YDVAR(1, VAR_JOSTLE_TIMEOUT) }
        YY_BREAK
 case 92:
 YY_RULE_SETUP
 #line 306 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) }
+{ YDVAR(1, VAR_DELAY_CLOSE) }
        YY_BREAK
 case 93:
 YY_RULE_SETUP
 #line 307 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HARDEN_LARGE_QUERIES) }
+{ YDVAR(1, VAR_UDP_CONNECT) }
        YY_BREAK
 case 94:
 YY_RULE_SETUP
 #line 308 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HARDEN_GLUE) }
+{ YDVAR(1, VAR_TARGET_FETCH_POLICY) }
        YY_BREAK
 case 95:
 YY_RULE_SETUP
 #line 309 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HARDEN_DNSSEC_STRIPPED) }
+{ YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) }
        YY_BREAK
 case 96:
 YY_RULE_SETUP
 #line 310 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HARDEN_BELOW_NXDOMAIN) }
+{ YDVAR(1, VAR_HARDEN_LARGE_QUERIES) }
        YY_BREAK
 case 97:
 YY_RULE_SETUP
 #line 311 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HARDEN_REFERRAL_PATH) }
+{ YDVAR(1, VAR_HARDEN_GLUE) }
        YY_BREAK
 case 98:
 YY_RULE_SETUP
 #line 312 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) }
+{ YDVAR(1, VAR_HARDEN_DNSSEC_STRIPPED) }
        YY_BREAK
 case 99:
 YY_RULE_SETUP
 #line 313 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
+{ YDVAR(1, VAR_HARDEN_BELOW_NXDOMAIN) }
        YY_BREAK
 case 100:
 YY_RULE_SETUP
 #line 314 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CAPS_WHITELIST) }
+{ YDVAR(1, VAR_HARDEN_REFERRAL_PATH) }
        YY_BREAK
 case 101:
 YY_RULE_SETUP
 #line 315 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CAPS_WHITELIST) }
+{ YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) }
        YY_BREAK
 case 102:
 YY_RULE_SETUP
 #line 316 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
+{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
        YY_BREAK
 case 103:
 YY_RULE_SETUP
 #line 317 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_PRIVATE_ADDRESS) }
+{ YDVAR(1, VAR_CAPS_WHITELIST) }
        YY_BREAK
 case 104:
 YY_RULE_SETUP
 #line 318 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_PRIVATE_DOMAIN) }
+{ YDVAR(1, VAR_CAPS_WHITELIST) }
        YY_BREAK
 case 105:
 YY_RULE_SETUP
 #line 319 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_PREFETCH_KEY) }
+{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }
        YY_BREAK
 case 106:
 YY_RULE_SETUP
 #line 320 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_PREFETCH) }
+{ YDVAR(1, VAR_PRIVATE_ADDRESS) }
        YY_BREAK
 case 107:
 YY_RULE_SETUP
 #line 321 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DENY_ANY) }
+{ YDVAR(1, VAR_PRIVATE_DOMAIN) }
        YY_BREAK
 case 108:
 YY_RULE_SETUP
 #line 322 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(0, VAR_STUB_ZONE) }
+{ YDVAR(1, VAR_PREFETCH_KEY) }
        YY_BREAK
 case 109:
 YY_RULE_SETUP
 #line 323 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_NAME) }
+{ YDVAR(1, VAR_PREFETCH) }
        YY_BREAK
 case 110:
 YY_RULE_SETUP
 #line 324 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_STUB_ADDR) }
+{ YDVAR(1, VAR_DENY_ANY) }
        YY_BREAK
 case 111:
 YY_RULE_SETUP
 #line 325 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_STUB_HOST) }
+{ YDVAR(0, VAR_STUB_ZONE) }
        YY_BREAK
 case 112:
 YY_RULE_SETUP
 #line 326 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_STUB_PRIME) }
+{ YDVAR(1, VAR_NAME) }
        YY_BREAK
 case 113:
 YY_RULE_SETUP
 #line 327 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_STUB_FIRST) }
+{ YDVAR(1, VAR_STUB_ADDR) }
        YY_BREAK
 case 114:
 YY_RULE_SETUP
 #line 328 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_STUB_NO_CACHE) }
+{ YDVAR(1, VAR_STUB_HOST) }
        YY_BREAK
 case 115:
 YY_RULE_SETUP
 #line 329 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_STUB_SSL_UPSTREAM) }
+{ YDVAR(1, VAR_STUB_PRIME) }
        YY_BREAK
 case 116:
 YY_RULE_SETUP
 #line 330 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_STUB_SSL_UPSTREAM) }
+{ YDVAR(1, VAR_STUB_FIRST) }
        YY_BREAK
 case 117:
 YY_RULE_SETUP
 #line 331 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(0, VAR_FORWARD_ZONE) }
+{ YDVAR(1, VAR_STUB_NO_CACHE) }
        YY_BREAK
 case 118:
 YY_RULE_SETUP
 #line 332 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FORWARD_ADDR) }
+{ YDVAR(1, VAR_STUB_SSL_UPSTREAM) }
        YY_BREAK
 case 119:
 YY_RULE_SETUP
 #line 333 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FORWARD_HOST) }
+{ YDVAR(1, VAR_STUB_SSL_UPSTREAM) }
        YY_BREAK
 case 120:
 YY_RULE_SETUP
 #line 334 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FORWARD_FIRST) }
+{ YDVAR(0, VAR_FORWARD_ZONE) }
        YY_BREAK
 case 121:
 YY_RULE_SETUP
 #line 335 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FORWARD_NO_CACHE) }
+{ YDVAR(1, VAR_FORWARD_ADDR) }
        YY_BREAK
 case 122:
 YY_RULE_SETUP
 #line 336 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) }
+{ YDVAR(1, VAR_FORWARD_HOST) }
        YY_BREAK
 case 123:
 YY_RULE_SETUP
 #line 337 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) }
+{ YDVAR(1, VAR_FORWARD_FIRST) }
        YY_BREAK
 case 124:
 YY_RULE_SETUP
 #line 338 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(0, VAR_AUTH_ZONE) }
+{ YDVAR(1, VAR_FORWARD_NO_CACHE) }
        YY_BREAK
 case 125:
 YY_RULE_SETUP
 #line 339 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(0, VAR_RPZ) }
+{ YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) }
        YY_BREAK
 case 126:
 YY_RULE_SETUP
 #line 340 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TAGS) }
+{ YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) }
        YY_BREAK
 case 127:
 YY_RULE_SETUP
 #line 341 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_RPZ_ACTION_OVERRIDE) }
+{ YDVAR(0, VAR_AUTH_ZONE) }
        YY_BREAK
 case 128:
 YY_RULE_SETUP
 #line 342 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_RPZ_CNAME_OVERRIDE) }
+{ YDVAR(0, VAR_RPZ) }
        YY_BREAK
 case 129:
 YY_RULE_SETUP
 #line 343 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_RPZ_LOG) }
+{ YDVAR(1, VAR_TAGS) }
        YY_BREAK
 case 130:
 YY_RULE_SETUP
 #line 344 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_RPZ_LOG_NAME) }
+{ YDVAR(1, VAR_RPZ_ACTION_OVERRIDE) }
        YY_BREAK
 case 131:
 YY_RULE_SETUP
 #line 345 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_ZONEFILE) }
+{ YDVAR(1, VAR_RPZ_CNAME_OVERRIDE) }
        YY_BREAK
 case 132:
 YY_RULE_SETUP
 #line 346 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MASTER) }
+{ YDVAR(1, VAR_RPZ_LOG) }
        YY_BREAK
 case 133:
 YY_RULE_SETUP
 #line 347 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MASTER) }
+{ YDVAR(1, VAR_RPZ_LOG_NAME) }
        YY_BREAK
 case 134:
 YY_RULE_SETUP
 #line 348 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_URL) }
+{ YDVAR(1, VAR_ZONEFILE) }
        YY_BREAK
 case 135:
 YY_RULE_SETUP
 #line 349 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_ALLOW_NOTIFY) }
+{ YDVAR(1, VAR_MASTER) }
        YY_BREAK
 case 136:
 YY_RULE_SETUP
 #line 350 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FOR_DOWNSTREAM) }
+{ YDVAR(1, VAR_MASTER) }
        YY_BREAK
 case 137:
 YY_RULE_SETUP
 #line 351 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FOR_UPSTREAM) }
+{ YDVAR(1, VAR_URL) }
        YY_BREAK
 case 138:
 YY_RULE_SETUP
 #line 352 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FALLBACK_ENABLED) }
+{ YDVAR(1, VAR_ALLOW_NOTIFY) }
        YY_BREAK
 case 139:
 YY_RULE_SETUP
 #line 353 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(0, VAR_VIEW) }
+{ YDVAR(1, VAR_FOR_DOWNSTREAM) }
        YY_BREAK
 case 140:
 YY_RULE_SETUP
 #line 354 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_VIEW_FIRST) }
+{ YDVAR(1, VAR_FOR_UPSTREAM) }
        YY_BREAK
 case 141:
 YY_RULE_SETUP
 #line 355 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) }
+{ YDVAR(1, VAR_FALLBACK_ENABLED) }
        YY_BREAK
 case 142:
 YY_RULE_SETUP
 #line 356 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) }
+{ YDVAR(0, VAR_VIEW) }
        YY_BREAK
 case 143:
 YY_RULE_SETUP
 #line 357 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(2, VAR_ACCESS_CONTROL) }
+{ YDVAR(1, VAR_VIEW_FIRST) }
        YY_BREAK
 case 144:
 YY_RULE_SETUP
 #line 358 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SEND_CLIENT_SUBNET) }
+{ YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) }
        YY_BREAK
 case 145:
 YY_RULE_SETUP
 #line 359 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CLIENT_SUBNET_ZONE) }
+{ YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) }
        YY_BREAK
 case 146:
 YY_RULE_SETUP
 #line 360 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) }
+{ YDVAR(2, VAR_ACCESS_CONTROL) }
        YY_BREAK
 case 147:
 YY_RULE_SETUP
 #line 361 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) }
+{ YDVAR(1, VAR_SEND_CLIENT_SUBNET) }
        YY_BREAK
 case 148:
 YY_RULE_SETUP
 #line 362 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) }
+{ YDVAR(1, VAR_CLIENT_SUBNET_ZONE) }
        YY_BREAK
 case 149:
 YY_RULE_SETUP
 #line 363 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV6) }
+{ YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) }
        YY_BREAK
 case 150:
 YY_RULE_SETUP
 #line 364 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV4) }
+{ YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) }
        YY_BREAK
 case 151:
 YY_RULE_SETUP
 #line 365 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV6) }
+{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) }
        YY_BREAK
 case 152:
 YY_RULE_SETUP
 #line 366 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV4) }
+{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV6) }
        YY_BREAK
 case 153:
 YY_RULE_SETUP
 #line 367 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV6) }
+{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV4) }
        YY_BREAK
 case 154:
 YY_RULE_SETUP
 #line 368 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HIDE_IDENTITY) }
+{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV6) }
        YY_BREAK
 case 155:
 YY_RULE_SETUP
 #line 369 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HIDE_VERSION) }
+{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV4) }
        YY_BREAK
 case 156:
 YY_RULE_SETUP
 #line 370 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_HIDE_TRUSTANCHOR) }
+{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV6) }
        YY_BREAK
 case 157:
 YY_RULE_SETUP
 #line 371 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IDENTITY) }
+{ YDVAR(1, VAR_HIDE_IDENTITY) }
        YY_BREAK
 case 158:
 YY_RULE_SETUP
 #line 372 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_VERSION) }
+{ YDVAR(1, VAR_HIDE_VERSION) }
        YY_BREAK
 case 159:
 YY_RULE_SETUP
 #line 373 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MODULE_CONF) }
+{ YDVAR(1, VAR_HIDE_TRUSTANCHOR) }
        YY_BREAK
 case 160:
 YY_RULE_SETUP
 #line 374 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DLV_ANCHOR) }
+{ YDVAR(1, VAR_HIDE_HTTP_USER_AGENT) }
        YY_BREAK
 case 161:
 YY_RULE_SETUP
 #line 375 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DLV_ANCHOR_FILE) }
+{ YDVAR(1, VAR_IDENTITY) }
        YY_BREAK
 case 162:
 YY_RULE_SETUP
 #line 376 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TRUST_ANCHOR_FILE) }
+{ YDVAR(1, VAR_VERSION) }
        YY_BREAK
 case 163:
 YY_RULE_SETUP
 #line 377 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) }
+{ YDVAR(1, VAR_HTTP_USER_AGENT) }
        YY_BREAK
 case 164:
 YY_RULE_SETUP
 #line 378 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TRUSTED_KEYS_FILE) }
+{ YDVAR(1, VAR_MODULE_CONF) }
        YY_BREAK
 case 165:
 YY_RULE_SETUP
 #line 379 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TRUST_ANCHOR) }
+{ YDVAR(1, VAR_DLV_ANCHOR) }
        YY_BREAK
 case 166:
 YY_RULE_SETUP
 #line 380 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_TRUST_ANCHOR_SIGNALING) }
+{ YDVAR(1, VAR_DLV_ANCHOR_FILE) }
        YY_BREAK
 case 167:
 YY_RULE_SETUP
 #line 381 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_ROOT_KEY_SENTINEL) }
+{ YDVAR(1, VAR_TRUST_ANCHOR_FILE) }
        YY_BREAK
 case 168:
 YY_RULE_SETUP
 #line 382 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
+{ YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) }
        YY_BREAK
 case 169:
 YY_RULE_SETUP
 #line 383 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
+{ YDVAR(1, VAR_TRUSTED_KEYS_FILE) }
        YY_BREAK
 case 170:
 YY_RULE_SETUP
 #line 384 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
+{ YDVAR(1, VAR_TRUST_ANCHOR) }
        YY_BREAK
 case 171:
 YY_RULE_SETUP
 #line 385 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_BOGUS_TTL) }
+{ YDVAR(1, VAR_TRUST_ANCHOR_SIGNALING) }
        YY_BREAK
 case 172:
 YY_RULE_SETUP
 #line 386 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
+{ YDVAR(1, VAR_ROOT_KEY_SENTINEL) }
        YY_BREAK
 case 173:
 YY_RULE_SETUP
 #line 387 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
+{ YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
        YY_BREAK
 case 174:
 YY_RULE_SETUP
 #line 388 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_AGGRESSIVE_NSEC) }
+{ YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
        YY_BREAK
 case 175:
 YY_RULE_SETUP
 #line 389 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IGNORE_CD_FLAG) }
+{ YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
        YY_BREAK
 case 176:
 YY_RULE_SETUP
 #line 390 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SERVE_EXPIRED) }
+{ YDVAR(1, VAR_VAL_MAX_RESTART) }
        YY_BREAK
 case 177:
 YY_RULE_SETUP
 #line 391 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SERVE_EXPIRED_TTL) }
+{ YDVAR(1, VAR_BOGUS_TTL) }
        YY_BREAK
 case 178:
 YY_RULE_SETUP
 #line 392 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) }
+{ YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
        YY_BREAK
 case 179:
 YY_RULE_SETUP
 #line 393 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SERVE_EXPIRED_REPLY_TTL) }
+{ YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
        YY_BREAK
 case 180:
 YY_RULE_SETUP
 #line 394 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SERVE_EXPIRED_CLIENT_TIMEOUT) }
+{ YDVAR(1, VAR_AGGRESSIVE_NSEC) }
        YY_BREAK
 case 181:
 YY_RULE_SETUP
 #line 395 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SERVE_ORIGINAL_TTL) }
+{ YDVAR(1, VAR_IGNORE_CD_FLAG) }
        YY_BREAK
 case 182:
 YY_RULE_SETUP
 #line 396 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FAKE_DSA) }
+{ YDVAR(1, VAR_SERVE_EXPIRED) }
        YY_BREAK
 case 183:
 YY_RULE_SETUP
 #line 397 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FAKE_SHA1) }
+{ YDVAR(1, VAR_SERVE_EXPIRED_TTL) }
        YY_BREAK
 case 184:
 YY_RULE_SETUP
 #line 398 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_VAL_LOG_LEVEL) }
+{ YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) }
        YY_BREAK
 case 185:
 YY_RULE_SETUP
 #line 399 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_KEY_CACHE_SIZE) }
+{ YDVAR(1, VAR_SERVE_EXPIRED_REPLY_TTL) }
        YY_BREAK
 case 186:
 YY_RULE_SETUP
 #line 400 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_KEY_CACHE_SLABS) }
+{ YDVAR(1, VAR_SERVE_EXPIRED_CLIENT_TIMEOUT) }
        YY_BREAK
 case 187:
 YY_RULE_SETUP
 #line 401 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_NEG_CACHE_SIZE) }
+{ YDVAR(1, VAR_SERVE_ORIGINAL_TTL) }
        YY_BREAK
 case 188:
 YY_RULE_SETUP
 #line 402 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ 
-                                 YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) }
+{ YDVAR(1, VAR_FAKE_DSA) }
        YY_BREAK
 case 189:
 YY_RULE_SETUP
-#line 404 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_ADD_HOLDDOWN) }
+#line 403 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_FAKE_SHA1) }
        YY_BREAK
 case 190:
 YY_RULE_SETUP
-#line 405 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DEL_HOLDDOWN) }
+#line 404 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_VAL_LOG_LEVEL) }
        YY_BREAK
 case 191:
 YY_RULE_SETUP
-#line 406 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_KEEP_MISSING) }
+#line 405 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_KEY_CACHE_SIZE) }
        YY_BREAK
 case 192:
 YY_RULE_SETUP
-#line 407 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) }
+#line 406 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_KEY_CACHE_SLABS) }
        YY_BREAK
 case 193:
 YY_RULE_SETUP
-#line 408 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_USE_SYSLOG) }
+#line 407 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_NEG_CACHE_SIZE) }
        YY_BREAK
 case 194:
 YY_RULE_SETUP
-#line 409 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_LOG_IDENTITY) }
+#line 408 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ 
+                                 YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) }
        YY_BREAK
 case 195:
 YY_RULE_SETUP
 #line 410 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_LOG_TIME_ASCII) }
+{ YDVAR(1, VAR_ZONEMD_PERMISSIVE_MODE) }
        YY_BREAK
 case 196:
 YY_RULE_SETUP
 #line 411 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_LOG_QUERIES) }
+{ YDVAR(1, VAR_ZONEMD_CHECK) }
        YY_BREAK
 case 197:
 YY_RULE_SETUP
 #line 412 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_LOG_REPLIES) }
+{ YDVAR(1, VAR_ZONEMD_REJECT_ABSENCE) }
        YY_BREAK
 case 198:
 YY_RULE_SETUP
 #line 413 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_LOG_TAG_QUERYREPLY) }
+{ YDVAR(1, VAR_ADD_HOLDDOWN) }
        YY_BREAK
 case 199:
 YY_RULE_SETUP
 #line 414 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_LOG_LOCAL_ACTIONS) }
+{ YDVAR(1, VAR_DEL_HOLDDOWN) }
        YY_BREAK
 case 200:
 YY_RULE_SETUP
 #line 415 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_LOG_SERVFAIL) }
+{ YDVAR(1, VAR_KEEP_MISSING) }
        YY_BREAK
 case 201:
 YY_RULE_SETUP
 #line 416 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(2, VAR_LOCAL_ZONE) }
+{ YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) }
        YY_BREAK
 case 202:
 YY_RULE_SETUP
 #line 417 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_LOCAL_DATA) }
+{ YDVAR(1, VAR_USE_SYSLOG) }
        YY_BREAK
 case 203:
 YY_RULE_SETUP
 #line 418 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_LOCAL_DATA_PTR) }
+{ YDVAR(1, VAR_LOG_IDENTITY) }
        YY_BREAK
 case 204:
 YY_RULE_SETUP
 #line 419 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_UNBLOCK_LAN_ZONES) }
+{ YDVAR(1, VAR_LOG_TIME_ASCII) }
        YY_BREAK
 case 205:
 YY_RULE_SETUP
 #line 420 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_INSECURE_LAN_ZONES) }
+{ YDVAR(1, VAR_LOG_QUERIES) }
        YY_BREAK
 case 206:
 YY_RULE_SETUP
 #line 421 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_STATISTICS_INTERVAL) }
+{ YDVAR(1, VAR_LOG_REPLIES) }
        YY_BREAK
 case 207:
 YY_RULE_SETUP
 #line 422 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
+{ YDVAR(1, VAR_LOG_TAG_QUERYREPLY) }
        YY_BREAK
 case 208:
 YY_RULE_SETUP
 #line 423 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_EXTENDED_STATISTICS) }
+{ YDVAR(1, VAR_LOG_LOCAL_ACTIONS) }
        YY_BREAK
 case 209:
 YY_RULE_SETUP
 #line 424 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SHM_ENABLE) }
+{ YDVAR(1, VAR_LOG_SERVFAIL) }
        YY_BREAK
 case 210:
 YY_RULE_SETUP
 #line 425 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SHM_KEY) }
+{ YDVAR(2, VAR_LOCAL_ZONE) }
        YY_BREAK
 case 211:
 YY_RULE_SETUP
 #line 426 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(0, VAR_REMOTE_CONTROL) }
+{ YDVAR(1, VAR_LOCAL_DATA) }
        YY_BREAK
 case 212:
 YY_RULE_SETUP
 #line 427 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CONTROL_ENABLE) }
+{ YDVAR(1, VAR_LOCAL_DATA_PTR) }
        YY_BREAK
 case 213:
 YY_RULE_SETUP
 #line 428 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CONTROL_INTERFACE) }
+{ YDVAR(1, VAR_UNBLOCK_LAN_ZONES) }
        YY_BREAK
 case 214:
 YY_RULE_SETUP
 #line 429 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CONTROL_PORT) }
+{ YDVAR(1, VAR_INSECURE_LAN_ZONES) }
        YY_BREAK
 case 215:
 YY_RULE_SETUP
 #line 430 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CONTROL_USE_CERT) }
+{ YDVAR(1, VAR_STATISTICS_INTERVAL) }
        YY_BREAK
 case 216:
 YY_RULE_SETUP
 #line 431 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SERVER_KEY_FILE) }
+{ YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
        YY_BREAK
 case 217:
 YY_RULE_SETUP
 #line 432 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_SERVER_CERT_FILE) }
+{ YDVAR(1, VAR_EXTENDED_STATISTICS) }
        YY_BREAK
 case 218:
 YY_RULE_SETUP
 #line 433 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CONTROL_KEY_FILE) }
+{ YDVAR(1, VAR_SHM_ENABLE) }
        YY_BREAK
 case 219:
 YY_RULE_SETUP
 #line 434 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CONTROL_CERT_FILE) }
+{ YDVAR(1, VAR_SHM_KEY) }
        YY_BREAK
 case 220:
 YY_RULE_SETUP
 #line 435 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_PYTHON_SCRIPT) }
+{ YDVAR(0, VAR_REMOTE_CONTROL) }
        YY_BREAK
 case 221:
 YY_RULE_SETUP
 #line 436 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(0, VAR_PYTHON) }
+{ YDVAR(1, VAR_CONTROL_ENABLE) }
        YY_BREAK
 case 222:
 YY_RULE_SETUP
 #line 437 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DYNLIB_FILE) }
+{ YDVAR(1, VAR_CONTROL_INTERFACE) }
        YY_BREAK
 case 223:
 YY_RULE_SETUP
 #line 438 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(0, VAR_DYNLIB) }
+{ YDVAR(1, VAR_CONTROL_PORT) }
        YY_BREAK
 case 224:
 YY_RULE_SETUP
 #line 439 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DOMAIN_INSECURE) }
+{ YDVAR(1, VAR_CONTROL_USE_CERT) }
        YY_BREAK
 case 225:
 YY_RULE_SETUP
 #line 440 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MINIMAL_RESPONSES) }
+{ YDVAR(1, VAR_SERVER_KEY_FILE) }
        YY_BREAK
 case 226:
 YY_RULE_SETUP
 #line 441 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_RRSET_ROUNDROBIN) }
+{ YDVAR(1, VAR_SERVER_CERT_FILE) }
        YY_BREAK
 case 227:
 YY_RULE_SETUP
 #line 442 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_UNKNOWN_SERVER_TIME_LIMIT) }
+{ YDVAR(1, VAR_CONTROL_KEY_FILE) }
        YY_BREAK
 case 228:
 YY_RULE_SETUP
 #line 443 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_MAX_UDP_SIZE) }
+{ YDVAR(1, VAR_CONTROL_CERT_FILE) }
        YY_BREAK
 case 229:
 YY_RULE_SETUP
 #line 444 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNS64_PREFIX) }
+{ YDVAR(1, VAR_PYTHON_SCRIPT) }
        YY_BREAK
 case 230:
 YY_RULE_SETUP
 #line 445 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNS64_SYNTHALL) }
+{ YDVAR(0, VAR_PYTHON) }
        YY_BREAK
 case 231:
 YY_RULE_SETUP
 #line 446 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNS64_IGNORE_AAAA) }
+{ YDVAR(1, VAR_DYNLIB_FILE) }
        YY_BREAK
 case 232:
 YY_RULE_SETUP
 #line 447 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DEFINE_TAG) }
+{ YDVAR(0, VAR_DYNLIB) }
        YY_BREAK
 case 233:
 YY_RULE_SETUP
 #line 448 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(2, VAR_LOCAL_ZONE_TAG) }
+{ YDVAR(1, VAR_DOMAIN_INSECURE) }
        YY_BREAK
 case 234:
 YY_RULE_SETUP
 #line 449 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(2, VAR_ACCESS_CONTROL_TAG) }
+{ YDVAR(1, VAR_MINIMAL_RESPONSES) }
        YY_BREAK
 case 235:
 YY_RULE_SETUP
 #line 450 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) }
+{ YDVAR(1, VAR_RRSET_ROUNDROBIN) }
        YY_BREAK
 case 236:
 YY_RULE_SETUP
 #line 451 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) }
+{ YDVAR(1, VAR_UNKNOWN_SERVER_TIME_LIMIT) }
        YY_BREAK
 case 237:
 YY_RULE_SETUP
 #line 452 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(2, VAR_ACCESS_CONTROL_VIEW) }
+{ YDVAR(1, VAR_MAX_UDP_SIZE) }
        YY_BREAK
 case 238:
 YY_RULE_SETUP
 #line 453 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) }
+{ YDVAR(1, VAR_DNS64_PREFIX) }
        YY_BREAK
 case 239:
 YY_RULE_SETUP
 #line 454 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(0, VAR_DNSTAP) }
+{ YDVAR(1, VAR_DNS64_SYNTHALL) }
        YY_BREAK
 case 240:
 YY_RULE_SETUP
 #line 455 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_ENABLE) }
+{ YDVAR(1, VAR_DNS64_IGNORE_AAAA) }
        YY_BREAK
 case 241:
 YY_RULE_SETUP
 #line 456 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_BIDIRECTIONAL) }
+{ YDVAR(1, VAR_DEFINE_TAG) }
        YY_BREAK
 case 242:
 YY_RULE_SETUP
 #line 457 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_SOCKET_PATH) }
+{ YDVAR(2, VAR_LOCAL_ZONE_TAG) }
        YY_BREAK
 case 243:
 YY_RULE_SETUP
 #line 458 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_IP) }
+{ YDVAR(2, VAR_ACCESS_CONTROL_TAG) }
        YY_BREAK
 case 244:
 YY_RULE_SETUP
 #line 459 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_TLS) }
+{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) }
        YY_BREAK
 case 245:
 YY_RULE_SETUP
 #line 460 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_TLS_SERVER_NAME) }
+{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) }
        YY_BREAK
 case 246:
 YY_RULE_SETUP
 #line 461 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_TLS_CERT_BUNDLE) }
+{ YDVAR(2, VAR_ACCESS_CONTROL_VIEW) }
        YY_BREAK
 case 247:
 YY_RULE_SETUP
 #line 462 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{
-               YDVAR(1, VAR_DNSTAP_TLS_CLIENT_KEY_FILE) }
+{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) }
        YY_BREAK
 case 248:
 YY_RULE_SETUP
-#line 464 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{
-               YDVAR(1, VAR_DNSTAP_TLS_CLIENT_CERT_FILE) }
+#line 463 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(0, VAR_DNSTAP) }
        YY_BREAK
 case 249:
 YY_RULE_SETUP
-#line 466 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_SEND_IDENTITY) }
+#line 464 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSTAP_ENABLE) }
        YY_BREAK
 case 250:
 YY_RULE_SETUP
-#line 467 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_SEND_VERSION) }
+#line 465 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSTAP_BIDIRECTIONAL) }
        YY_BREAK
 case 251:
 YY_RULE_SETUP
-#line 468 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_IDENTITY) }
+#line 466 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSTAP_SOCKET_PATH) }
        YY_BREAK
 case 252:
 YY_RULE_SETUP
-#line 469 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSTAP_VERSION) }
+#line 467 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSTAP_IP) }
        YY_BREAK
 case 253:
 YY_RULE_SETUP
-#line 470 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{
-               YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES) }
+#line 468 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSTAP_TLS) }
        YY_BREAK
 case 254:
 YY_RULE_SETUP
-#line 472 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{
-               YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES) }
+#line 469 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSTAP_TLS_SERVER_NAME) }
        YY_BREAK
 case 255:
 YY_RULE_SETUP
-#line 474 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{
-               YDVAR(1, VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES) }
+#line 470 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSTAP_TLS_CERT_BUNDLE) }
        YY_BREAK
 case 256:
 YY_RULE_SETUP
-#line 476 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 471 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
-               YDVAR(1, VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES) }
+               YDVAR(1, VAR_DNSTAP_TLS_CLIENT_KEY_FILE) }
        YY_BREAK
 case 257:
 YY_RULE_SETUP
-#line 478 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 473 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
-               YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
+               YDVAR(1, VAR_DNSTAP_TLS_CLIENT_CERT_FILE) }
        YY_BREAK
 case 258:
 YY_RULE_SETUP
-#line 480 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{
-               YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
+#line 475 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSTAP_SEND_IDENTITY) }
        YY_BREAK
 case 259:
 YY_RULE_SETUP
-#line 482 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
+#line 476 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSTAP_SEND_VERSION) }
        YY_BREAK
 case 260:
 YY_RULE_SETUP
-#line 483 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IP_RATELIMIT) }
+#line 477 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSTAP_IDENTITY) }
        YY_BREAK
 case 261:
 YY_RULE_SETUP
-#line 484 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_RATELIMIT) }
+#line 478 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSTAP_VERSION) }
        YY_BREAK
 case 262:
 YY_RULE_SETUP
-#line 485 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IP_RATELIMIT_SLABS) }
+#line 479 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{
+               YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES) }
        YY_BREAK
 case 263:
 YY_RULE_SETUP
-#line 486 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_RATELIMIT_SLABS) }
+#line 481 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{
+               YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES) }
        YY_BREAK
 case 264:
 YY_RULE_SETUP
-#line 487 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IP_RATELIMIT_SIZE) }
+#line 483 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{
+               YDVAR(1, VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES) }
        YY_BREAK
 case 265:
 YY_RULE_SETUP
-#line 488 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_RATELIMIT_SIZE) }
+#line 485 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{
+               YDVAR(1, VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES) }
        YY_BREAK
 case 266:
 YY_RULE_SETUP
-#line 489 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) }
+#line 487 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{
+               YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
        YY_BREAK
 case 267:
 YY_RULE_SETUP
-#line 490 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
+#line 489 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{
+               YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
        YY_BREAK
 case 268:
 YY_RULE_SETUP
 #line 491 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
+{ YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
        YY_BREAK
 case 269:
 YY_RULE_SETUP
 #line 492 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_RATELIMIT_FACTOR) }
+{ YDVAR(1, VAR_IP_RATELIMIT) }
        YY_BREAK
 case 270:
 YY_RULE_SETUP
 #line 493 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_LOW_RTT) }
+{ YDVAR(1, VAR_RATELIMIT) }
        YY_BREAK
 case 271:
 YY_RULE_SETUP
 #line 494 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FAST_SERVER_NUM) }
+{ YDVAR(1, VAR_IP_RATELIMIT_SLABS) }
        YY_BREAK
 case 272:
 YY_RULE_SETUP
 #line 495 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FAST_SERVER_PERMIL) }
+{ YDVAR(1, VAR_RATELIMIT_SLABS) }
        YY_BREAK
 case 273:
 YY_RULE_SETUP
 #line 496 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FAST_SERVER_PERMIL) }
+{ YDVAR(1, VAR_IP_RATELIMIT_SIZE) }
        YY_BREAK
 case 274:
 YY_RULE_SETUP
 #line 497 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_FAST_SERVER_PERMIL) }
+{ YDVAR(1, VAR_RATELIMIT_SIZE) }
        YY_BREAK
 case 275:
 YY_RULE_SETUP
 #line 498 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(2, VAR_RESPONSE_IP_TAG) }
+{ YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) }
        YY_BREAK
 case 276:
 YY_RULE_SETUP
 #line 499 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(2, VAR_RESPONSE_IP) }
+{ YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
        YY_BREAK
 case 277:
 YY_RULE_SETUP
 #line 500 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(2, VAR_RESPONSE_IP_DATA) }
+{ YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
        YY_BREAK
 case 278:
 YY_RULE_SETUP
 #line 501 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(0, VAR_DNSCRYPT) }
+{ YDVAR(1, VAR_RATELIMIT_FACTOR) }
        YY_BREAK
 case 279:
 YY_RULE_SETUP
 #line 502 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_ENABLE) }
+{ YDVAR(1, VAR_LOW_RTT) }
        YY_BREAK
 case 280:
 YY_RULE_SETUP
 #line 503 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_PORT) }
+{ YDVAR(1, VAR_FAST_SERVER_NUM) }
        YY_BREAK
 case 281:
 YY_RULE_SETUP
 #line 504 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_PROVIDER) }
+{ YDVAR(1, VAR_FAST_SERVER_PERMIL) }
        YY_BREAK
 case 282:
 YY_RULE_SETUP
 #line 505 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) }
+{ YDVAR(1, VAR_FAST_SERVER_PERMIL) }
        YY_BREAK
 case 283:
 YY_RULE_SETUP
 #line 506 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) }
+{ YDVAR(1, VAR_FAST_SERVER_PERMIL) }
        YY_BREAK
 case 284:
 YY_RULE_SETUP
 #line 507 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT_ROTATED) }
+{ YDVAR(2, VAR_RESPONSE_IP_TAG) }
        YY_BREAK
 case 285:
 YY_RULE_SETUP
 #line 508 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{
-               YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) }
+{ YDVAR(2, VAR_RESPONSE_IP) }
        YY_BREAK
 case 286:
 YY_RULE_SETUP
-#line 510 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{
-               YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) }
+#line 509 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(2, VAR_RESPONSE_IP_DATA) }
        YY_BREAK
 case 287:
 YY_RULE_SETUP
-#line 512 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SIZE) }
+#line 510 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(0, VAR_DNSCRYPT) }
        YY_BREAK
 case 288:
 YY_RULE_SETUP
-#line 513 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SLABS) }
+#line 511 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSCRYPT_ENABLE) }
        YY_BREAK
 case 289:
 YY_RULE_SETUP
-#line 514 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_PAD_RESPONSES) }
+#line 512 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSCRYPT_PORT) }
        YY_BREAK
 case 290:
 YY_RULE_SETUP
-#line 515 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_PAD_RESPONSES_BLOCK_SIZE) }
+#line 513 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSCRYPT_PROVIDER) }
        YY_BREAK
 case 291:
 YY_RULE_SETUP
-#line 516 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_PAD_QUERIES) }
+#line 514 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) }
        YY_BREAK
 case 292:
 YY_RULE_SETUP
-#line 517 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_PAD_QUERIES_BLOCK_SIZE) }
+#line 515 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) }
        YY_BREAK
 case 293:
 YY_RULE_SETUP
-#line 518 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IPSECMOD_ENABLED) }
+#line 516 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT_ROTATED) }
        YY_BREAK
 case 294:
 YY_RULE_SETUP
-#line 519 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
+#line 517 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{
+               YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) }
        YY_BREAK
 case 295:
 YY_RULE_SETUP
-#line 520 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IPSECMOD_HOOK) }
+#line 519 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{
+               YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) }
        YY_BREAK
 case 296:
 YY_RULE_SETUP
 #line 521 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IPSECMOD_MAX_TTL) }
+{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SIZE) }
        YY_BREAK
 case 297:
 YY_RULE_SETUP
 #line 522 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IPSECMOD_WHITELIST) }
+{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SLABS) }
        YY_BREAK
 case 298:
 YY_RULE_SETUP
 #line 523 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IPSECMOD_WHITELIST) }
+{ YDVAR(1, VAR_PAD_RESPONSES) }
        YY_BREAK
 case 299:
 YY_RULE_SETUP
 #line 524 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IPSECMOD_STRICT) }
+{ YDVAR(1, VAR_PAD_RESPONSES_BLOCK_SIZE) }
        YY_BREAK
 case 300:
 YY_RULE_SETUP
 #line 525 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(0, VAR_CACHEDB) }
+{ YDVAR(1, VAR_PAD_QUERIES) }
        YY_BREAK
 case 301:
 YY_RULE_SETUP
 #line 526 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CACHEDB_BACKEND) }
+{ YDVAR(1, VAR_PAD_QUERIES_BLOCK_SIZE) }
        YY_BREAK
 case 302:
 YY_RULE_SETUP
 #line 527 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CACHEDB_SECRETSEED) }
+{ YDVAR(1, VAR_IPSECMOD_ENABLED) }
        YY_BREAK
 case 303:
 YY_RULE_SETUP
 #line 528 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CACHEDB_REDISHOST) }
+{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
        YY_BREAK
 case 304:
 YY_RULE_SETUP
 #line 529 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CACHEDB_REDISPORT) }
+{ YDVAR(1, VAR_IPSECMOD_HOOK) }
        YY_BREAK
 case 305:
 YY_RULE_SETUP
 #line 530 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) }
+{ YDVAR(1, VAR_IPSECMOD_MAX_TTL) }
        YY_BREAK
 case 306:
 YY_RULE_SETUP
 #line 531 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_CACHEDB_REDISEXPIRERECORDS) }
+{ YDVAR(1, VAR_IPSECMOD_WHITELIST) }
        YY_BREAK
 case 307:
 YY_RULE_SETUP
 #line 532 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(0, VAR_IPSET) }
+{ YDVAR(1, VAR_IPSECMOD_WHITELIST) }
        YY_BREAK
 case 308:
 YY_RULE_SETUP
 #line 533 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IPSET_NAME_V4) }
+{ YDVAR(1, VAR_IPSECMOD_STRICT) }
        YY_BREAK
 case 309:
 YY_RULE_SETUP
 #line 534 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_IPSET_NAME_V6) }
+{ YDVAR(0, VAR_CACHEDB) }
        YY_BREAK
 case 310:
 YY_RULE_SETUP
 #line 535 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) }
+{ YDVAR(1, VAR_CACHEDB_BACKEND) }
        YY_BREAK
 case 311:
 YY_RULE_SETUP
 #line 536 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(2, VAR_TCP_CONNECTION_LIMIT) }
+{ YDVAR(1, VAR_CACHEDB_SECRETSEED) }
        YY_BREAK
 case 312:
 YY_RULE_SETUP
 #line 537 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(2, VAR_EDNS_CLIENT_STRING) }
+{ YDVAR(1, VAR_CACHEDB_REDISHOST) }
        YY_BREAK
 case 313:
 YY_RULE_SETUP
 #line 538 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) }
+{ YDVAR(1, VAR_CACHEDB_REDISPORT) }
        YY_BREAK
 case 314:
 YY_RULE_SETUP
 #line 539 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ YDVAR(1, VAR_NSID ) }
+{ YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) }
        YY_BREAK
 case 315:
-/* rule 315 can match eol */
 YY_RULE_SETUP
 #line 540 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
-{ LEXOUT(("NL\n")); cfg_parser->line++; }
+{ YDVAR(1, VAR_CACHEDB_REDISEXPIRERECORDS) }
        YY_BREAK
-/* Quoted strings. Strip leading and ending quotes */
 case 316:
 YY_RULE_SETUP
+#line 541 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(0, VAR_IPSET) }
+       YY_BREAK
+case 317:
+YY_RULE_SETUP
+#line 542 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_IPSET_NAME_V4) }
+       YY_BREAK
+case 318:
+YY_RULE_SETUP
 #line 543 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_IPSET_NAME_V6) }
+       YY_BREAK
+case 319:
+YY_RULE_SETUP
+#line 544 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) }
+       YY_BREAK
+case 320:
+YY_RULE_SETUP
+#line 545 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(2, VAR_TCP_CONNECTION_LIMIT) }
+       YY_BREAK
+case 321:
+YY_RULE_SETUP
+#line 546 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(2, VAR_EDNS_CLIENT_STRING) }
+       YY_BREAK
+case 322:
+YY_RULE_SETUP
+#line 547 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) }
+       YY_BREAK
+case 323:
+YY_RULE_SETUP
+#line 548 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ YDVAR(1, VAR_NSID ) }
+       YY_BREAK
+case 324:
+/* rule 324 can match eol */
+YY_RULE_SETUP
+#line 549 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+{ LEXOUT(("NL\n")); cfg_parser->line++; }
+       YY_BREAK
+/* Quoted strings. Strip leading and ending quotes */
+case 325:
+YY_RULE_SETUP
+#line 552 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { BEGIN(quotedstring); LEXOUT(("QS ")); }
        YY_BREAK
 case YY_STATE_EOF(quotedstring):
-#line 544 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 553 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
         yyerror("EOF inside quoted string");
        if(--num_args == 0) { BEGIN(INITIAL); }
        else                { BEGIN(val); }
 }
        YY_BREAK
-case 317:
+case 326:
 YY_RULE_SETUP
-#line 549 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 558 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { LEXOUT(("STR(%s) ", yytext)); yymore(); }
        YY_BREAK
-case 318:
-/* rule 318 can match eol */
+case 327:
+/* rule 327 can match eol */
 YY_RULE_SETUP
-#line 550 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 559 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { yyerror("newline inside quoted string, no end \""); 
                          cfg_parser->line++; BEGIN(INITIAL); }
        YY_BREAK
-case 319:
+case 328:
 YY_RULE_SETUP
-#line 552 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 561 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
         LEXOUT(("QE "));
        if(--num_args == 0) { BEGIN(INITIAL); }
@@ -5120,34 +5265,34 @@ YY_RULE_SETUP
 }
        YY_BREAK
 /* Single Quoted strings. Strip leading and ending quotes */
-case 320:
+case 329:
 YY_RULE_SETUP
-#line 564 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 573 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { BEGIN(singlequotedstr); LEXOUT(("SQS ")); }
        YY_BREAK
 case YY_STATE_EOF(singlequotedstr):
-#line 565 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 574 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
         yyerror("EOF inside quoted string");
        if(--num_args == 0) { BEGIN(INITIAL); }
        else                { BEGIN(val); }
 }
        YY_BREAK
-case 321:
+case 330:
 YY_RULE_SETUP
-#line 570 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 579 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { LEXOUT(("STR(%s) ", yytext)); yymore(); }
        YY_BREAK
-case 322:
-/* rule 322 can match eol */
+case 331:
+/* rule 331 can match eol */
 YY_RULE_SETUP
-#line 571 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 580 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { yyerror("newline inside quoted string, no end '"); 
                             cfg_parser->line++; BEGIN(INITIAL); }
        YY_BREAK
-case 323:
+case 332:
 YY_RULE_SETUP
-#line 573 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 582 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
         LEXOUT(("SQE "));
        if(--num_args == 0) { BEGIN(INITIAL); }
@@ -5160,38 +5305,38 @@ YY_RULE_SETUP
 }
        YY_BREAK
 /* include: directive */
-case 324:
+case 333:
 YY_RULE_SETUP
-#line 585 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 594 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { 
        LEXOUT(("v(%s) ", yytext)); inc_prev = YYSTATE; BEGIN(include); }
        YY_BREAK
 case YY_STATE_EOF(include):
-#line 587 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 596 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
         yyerror("EOF inside include directive");
         BEGIN(inc_prev);
 }
        YY_BREAK
-case 325:
+case 334:
 YY_RULE_SETUP
-#line 591 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 600 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { LEXOUT(("ISP ")); /* ignore */ }
        YY_BREAK
-case 326:
-/* rule 326 can match eol */
+case 335:
+/* rule 335 can match eol */
 YY_RULE_SETUP
-#line 592 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 601 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { LEXOUT(("NL\n")); cfg_parser->line++;}
        YY_BREAK
-case 327:
+case 336:
 YY_RULE_SETUP
-#line 593 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 602 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { LEXOUT(("IQS ")); BEGIN(include_quoted); }
        YY_BREAK
-case 328:
+case 337:
 YY_RULE_SETUP
-#line 594 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 603 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
        LEXOUT(("Iunquotedstr(%s) ", yytext));
        config_start_include_glob(yytext, 0);
@@ -5199,27 +5344,27 @@ YY_RULE_SETUP
 }
        YY_BREAK
 case YY_STATE_EOF(include_quoted):
-#line 599 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 608 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
         yyerror("EOF inside quoted string");
         BEGIN(inc_prev);
 }
        YY_BREAK
-case 329:
+case 338:
 YY_RULE_SETUP
-#line 603 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 612 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { LEXOUT(("ISTR(%s) ", yytext)); yymore(); }
        YY_BREAK
-case 330:
-/* rule 330 can match eol */
+case 339:
+/* rule 339 can match eol */
 YY_RULE_SETUP
-#line 604 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 613 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { yyerror("newline before \" in include name"); 
                                  cfg_parser->line++; BEGIN(inc_prev); }
        YY_BREAK
-case 331:
+case 340:
 YY_RULE_SETUP
-#line 606 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 615 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
        LEXOUT(("IQE "));
        yytext[yyleng - 1] = '\0';
@@ -5229,7 +5374,7 @@ YY_RULE_SETUP
        YY_BREAK
 case YY_STATE_EOF(INITIAL):
 case YY_STATE_EOF(val):
-#line 612 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 621 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
        LEXOUT(("LEXEOF "));
        yy_set_bol(1); /* Set beginning of line, so "^" rules match.  */
@@ -5244,39 +5389,39 @@ case YY_STATE_EOF(val):
 }
        YY_BREAK
 /* include-toplevel: directive */
-case 332:
+case 341:
 YY_RULE_SETUP
-#line 626 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 635 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
        LEXOUT(("v(%s) ", yytext)); inc_prev = YYSTATE; BEGIN(include_toplevel);
 }
        YY_BREAK
 case YY_STATE_EOF(include_toplevel):
-#line 629 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 638 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
        yyerror("EOF inside include_toplevel directive");
        BEGIN(inc_prev);
 }
        YY_BREAK
-case 333:
+case 342:
 YY_RULE_SETUP
-#line 633 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 642 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { LEXOUT(("ITSP ")); /* ignore */ }
        YY_BREAK
-case 334:
-/* rule 334 can match eol */
+case 343:
+/* rule 343 can match eol */
 YY_RULE_SETUP
-#line 634 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 643 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { LEXOUT(("NL\n")); cfg_parser->line++; }
        YY_BREAK
-case 335:
+case 344:
 YY_RULE_SETUP
-#line 635 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 644 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { LEXOUT(("ITQS ")); BEGIN(include_toplevel_quoted); }
        YY_BREAK
-case 336:
+case 345:
 YY_RULE_SETUP
-#line 636 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 645 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
        LEXOUT(("ITunquotedstr(%s) ", yytext));
        config_start_include_glob(yytext, 1);
@@ -5285,29 +5430,29 @@ YY_RULE_SETUP
 }
        YY_BREAK
 case YY_STATE_EOF(include_toplevel_quoted):
-#line 642 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 651 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
        yyerror("EOF inside quoted string");
        BEGIN(inc_prev);
 }
        YY_BREAK
-case 337:
+case 346:
 YY_RULE_SETUP
-#line 646 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 655 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { LEXOUT(("ITSTR(%s) ", yytext)); yymore(); }
        YY_BREAK
-case 338:
-/* rule 338 can match eol */
+case 347:
+/* rule 347 can match eol */
 YY_RULE_SETUP
-#line 647 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 656 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
        yyerror("newline before \" in include name");
        cfg_parser->line++; BEGIN(inc_prev);
 }
        YY_BREAK
-case 339:
+case 348:
 YY_RULE_SETUP
-#line 651 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 660 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
        LEXOUT(("ITQE "));
        yytext[yyleng - 1] = '\0';
@@ -5316,33 +5461,33 @@ YY_RULE_SETUP
        return (VAR_FORCE_TOPLEVEL);
 }
        YY_BREAK
-case 340:
+case 349:
 YY_RULE_SETUP
-#line 659 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 668 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 { LEXOUT(("unquotedstr(%s) ", yytext)); 
                        if(--num_args == 0) { BEGIN(INITIAL); }
                        yylval.str = strdup(yytext); return STRING_ARG; }
        YY_BREAK
-case 341:
+case 350:
 YY_RULE_SETUP
-#line 663 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 672 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
        ub_c_error_msg("unknown keyword '%s'", yytext);
        }
        YY_BREAK
-case 342:
+case 351:
 YY_RULE_SETUP
-#line 667 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 676 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 {
        ub_c_error_msg("stray '%s'", yytext);
        }
        YY_BREAK
-case 343:
+case 352:
 YY_RULE_SETUP
-#line 671 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 680 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 ECHO;
        YY_BREAK
-#line 5344 "<stdout>"
+#line 5489 "<stdout>"
 
        case YY_END_OF_BUFFER:
                {
@@ -5635,7 +5780,7 @@ static int yy_get_next_buffer (void)
                while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
                        {
                        yy_current_state = (int) yy_def[yy_current_state];
-                       if ( yy_current_state >= 3354 )
+                       if ( yy_current_state >= 3484 )
                                yy_c = yy_meta[(unsigned int) yy_c];
                        }
                yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
@@ -5663,11 +5808,11 @@ static int yy_get_next_buffer (void)
        while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
                {
                yy_current_state = (int) yy_def[yy_current_state];
-               if ( yy_current_state >= 3354 )
+               if ( yy_current_state >= 3484 )
                        yy_c = yy_meta[(unsigned int) yy_c];
                }
        yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
-       yy_is_jam = (yy_current_state == 3353);
+       yy_is_jam = (yy_current_state == 3483);
 
                return yy_is_jam ? 0 : yy_current_state;
 }
@@ -6300,7 +6445,7 @@ void yyfree (void * ptr )
 
 #define YYTABLES_NAME "yytables"
 
-#line 671 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
+#line 680 "/usr/src/usr.sbin/unbound/util/configlexer.lex"
 
 
 

diff --git a/sbin/unwind/libunbound/util/configlexer.lex b/sbin/unwind/libunbound/util/configlexer.lex
index bc4e92c..dbfc17d 100644 (file)
--- a/sbin/unwind/libunbound/util/configlexer.lex
+++ b/sbin/unwind/libunbound/util/configlexer.lex
@@ -235,6 +235,9 @@ tcp-upstream{COLON}         { YDVAR(1, VAR_TCP_UPSTREAM) }
 tcp-mss{COLON}                 { YDVAR(1, VAR_TCP_MSS) }
 outgoing-tcp-mss{COLON}                { YDVAR(1, VAR_OUTGOING_TCP_MSS) }
 tcp-idle-timeout{COLON}                { YDVAR(1, VAR_TCP_IDLE_TIMEOUT) }
+max-reuse-tcp-queries{COLON}   { YDVAR(1, VAR_MAX_REUSE_TCP_QUERIES) }
+tcp-reuse-timeout{COLON}       { YDVAR(1, VAR_TCP_REUSE_TIMEOUT) }
+tcp-auth-query-timeout{COLON}  { YDVAR(1, VAR_TCP_AUTH_QUERY_TIMEOUT) }
 edns-tcp-keepalive{COLON}      { YDVAR(1, VAR_EDNS_TCP_KEEPALIVE) }
 edns-tcp-keepalive-timeout{COLON} { YDVAR(1, VAR_EDNS_TCP_KEEPALIVE_TIMEOUT) }
 ssl-upstream{COLON}            { YDVAR(1, VAR_SSL_UPSTREAM) }
@@ -368,8 +371,10 @@ max-ecs-tree-size-ipv6{COLON}      { YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV6) }
 hide-identity{COLON}           { YDVAR(1, VAR_HIDE_IDENTITY) }
 hide-version{COLON}            { YDVAR(1, VAR_HIDE_VERSION) }
 hide-trustanchor{COLON}                { YDVAR(1, VAR_HIDE_TRUSTANCHOR) }
+hide-http-user-agent{COLON}            { YDVAR(1, VAR_HIDE_HTTP_USER_AGENT) }
 identity{COLON}                        { YDVAR(1, VAR_IDENTITY) }
 version{COLON}                 { YDVAR(1, VAR_VERSION) }
+http-user-agent{COLON}                 { YDVAR(1, VAR_HTTP_USER_AGENT) }
 module-config{COLON}           { YDVAR(1, VAR_MODULE_CONF) }
 dlv-anchor{COLON}              { YDVAR(1, VAR_DLV_ANCHOR) }
 dlv-anchor-file{COLON}         { YDVAR(1, VAR_DLV_ANCHOR_FILE) }
@@ -382,6 +387,7 @@ root-key-sentinel{COLON}    { YDVAR(1, VAR_ROOT_KEY_SENTINEL) }
 val-override-date{COLON}       { YDVAR(1, VAR_VAL_OVERRIDE_DATE) }
 val-sig-skew-min{COLON}                { YDVAR(1, VAR_VAL_SIG_SKEW_MIN) }
 val-sig-skew-max{COLON}                { YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
+val-max-restart{COLON}         { YDVAR(1, VAR_VAL_MAX_RESTART) }
 val-bogus-ttl{COLON}           { YDVAR(1, VAR_BOGUS_TTL) }
 val-clean-additional{COLON}    { YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
 val-permissive-mode{COLON}     { YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
@@ -401,6 +407,9 @@ key-cache-slabs{COLON}              { YDVAR(1, VAR_KEY_CACHE_SLABS) }
 neg-cache-size{COLON}          { YDVAR(1, VAR_NEG_CACHE_SIZE) }
 val-nsec3-keysize-iterations{COLON}    { 
                                  YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) }
+zonemd-permissive-mode{COLON}  { YDVAR(1, VAR_ZONEMD_PERMISSIVE_MODE) }
+zonemd-check{COLON}            { YDVAR(1, VAR_ZONEMD_CHECK) }
+zonemd-reject-absence{COLON}   { YDVAR(1, VAR_ZONEMD_REJECT_ABSENCE) }
 add-holddown{COLON}            { YDVAR(1, VAR_ADD_HOLDDOWN) }
 del-holddown{COLON}            { YDVAR(1, VAR_DEL_HOLDDOWN) }
 keep-missing{COLON}            { YDVAR(1, VAR_KEEP_MISSING) }

diff --git a/sbin/unwind/libunbound/util/configparser.h b/sbin/unwind/libunbound/util/configparser.h
index d9c4cbc..5760334 100644 (file)
--- a/sbin/unwind/libunbound/util/configparser.h
+++ b/sbin/unwind/libunbound/util/configparser.h
@@ -100,210 +100,219 @@
 #define VAR_CONTROL_KEY_FILE 356
 #define VAR_CONTROL_CERT_FILE 357
 #define VAR_CONTROL_USE_CERT 358
-#define VAR_EXTENDED_STATISTICS 359
-#define VAR_LOCAL_DATA_PTR 360
-#define VAR_JOSTLE_TIMEOUT 361
-#define VAR_STUB_PRIME 362
-#define VAR_UNWANTED_REPLY_THRESHOLD 363
-#define VAR_LOG_TIME_ASCII 364
-#define VAR_DOMAIN_INSECURE 365
-#define VAR_PYTHON 366
-#define VAR_PYTHON_SCRIPT 367
-#define VAR_VAL_SIG_SKEW_MIN 368
-#define VAR_VAL_SIG_SKEW_MAX 369
-#define VAR_CACHE_MIN_TTL 370
-#define VAR_VAL_LOG_LEVEL 371
-#define VAR_AUTO_TRUST_ANCHOR_FILE 372
-#define VAR_KEEP_MISSING 373
-#define VAR_ADD_HOLDDOWN 374
-#define VAR_DEL_HOLDDOWN 375
-#define VAR_SO_RCVBUF 376
-#define VAR_EDNS_BUFFER_SIZE 377
-#define VAR_PREFETCH 378
-#define VAR_PREFETCH_KEY 379
-#define VAR_SO_SNDBUF 380
-#define VAR_SO_REUSEPORT 381
-#define VAR_HARDEN_BELOW_NXDOMAIN 382
-#define VAR_IGNORE_CD_FLAG 383
-#define VAR_LOG_QUERIES 384
-#define VAR_LOG_REPLIES 385
-#define VAR_LOG_LOCAL_ACTIONS 386
-#define VAR_TCP_UPSTREAM 387
-#define VAR_SSL_UPSTREAM 388
-#define VAR_SSL_SERVICE_KEY 389
-#define VAR_SSL_SERVICE_PEM 390
-#define VAR_SSL_PORT 391
-#define VAR_FORWARD_FIRST 392
-#define VAR_STUB_SSL_UPSTREAM 393
-#define VAR_FORWARD_SSL_UPSTREAM 394
-#define VAR_TLS_CERT_BUNDLE 395
-#define VAR_HTTPS_PORT 396
-#define VAR_HTTP_ENDPOINT 397
-#define VAR_HTTP_MAX_STREAMS 398
-#define VAR_HTTP_QUERY_BUFFER_SIZE 399
-#define VAR_HTTP_RESPONSE_BUFFER_SIZE 400
-#define VAR_HTTP_NODELAY 401
-#define VAR_HTTP_NOTLS_DOWNSTREAM 402
-#define VAR_STUB_FIRST 403
-#define VAR_MINIMAL_RESPONSES 404
-#define VAR_RRSET_ROUNDROBIN 405
-#define VAR_MAX_UDP_SIZE 406
-#define VAR_DELAY_CLOSE 407
-#define VAR_UDP_CONNECT 408
-#define VAR_UNBLOCK_LAN_ZONES 409
-#define VAR_INSECURE_LAN_ZONES 410
-#define VAR_INFRA_CACHE_MIN_RTT 411
-#define VAR_INFRA_KEEP_PROBING 412
-#define VAR_DNS64_PREFIX 413
-#define VAR_DNS64_SYNTHALL 414
-#define VAR_DNS64_IGNORE_AAAA 415
-#define VAR_DNSTAP 416
-#define VAR_DNSTAP_ENABLE 417
-#define VAR_DNSTAP_SOCKET_PATH 418
-#define VAR_DNSTAP_IP 419
-#define VAR_DNSTAP_TLS 420
-#define VAR_DNSTAP_TLS_SERVER_NAME 421
-#define VAR_DNSTAP_TLS_CERT_BUNDLE 422
-#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 423
-#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 424
-#define VAR_DNSTAP_SEND_IDENTITY 425
-#define VAR_DNSTAP_SEND_VERSION 426
-#define VAR_DNSTAP_BIDIRECTIONAL 427
-#define VAR_DNSTAP_IDENTITY 428
-#define VAR_DNSTAP_VERSION 429
-#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 430
-#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 431
-#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 432
-#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 433
-#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 434
-#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 435
-#define VAR_RESPONSE_IP_TAG 436
-#define VAR_RESPONSE_IP 437
-#define VAR_RESPONSE_IP_DATA 438
-#define VAR_HARDEN_ALGO_DOWNGRADE 439
-#define VAR_IP_TRANSPARENT 440
-#define VAR_IP_DSCP 441
-#define VAR_DISABLE_DNSSEC_LAME_CHECK 442
-#define VAR_IP_RATELIMIT 443
-#define VAR_IP_RATELIMIT_SLABS 444
-#define VAR_IP_RATELIMIT_SIZE 445
-#define VAR_RATELIMIT 446
-#define VAR_RATELIMIT_SLABS 447
-#define VAR_RATELIMIT_SIZE 448
-#define VAR_RATELIMIT_FOR_DOMAIN 449
-#define VAR_RATELIMIT_BELOW_DOMAIN 450
-#define VAR_IP_RATELIMIT_FACTOR 451
-#define VAR_RATELIMIT_FACTOR 452
-#define VAR_SEND_CLIENT_SUBNET 453
-#define VAR_CLIENT_SUBNET_ZONE 454
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 455
-#define VAR_CLIENT_SUBNET_OPCODE 456
-#define VAR_MAX_CLIENT_SUBNET_IPV4 457
-#define VAR_MAX_CLIENT_SUBNET_IPV6 458
-#define VAR_MIN_CLIENT_SUBNET_IPV4 459
-#define VAR_MIN_CLIENT_SUBNET_IPV6 460
-#define VAR_MAX_ECS_TREE_SIZE_IPV4 461
-#define VAR_MAX_ECS_TREE_SIZE_IPV6 462
-#define VAR_CAPS_WHITELIST 463
-#define VAR_CACHE_MAX_NEGATIVE_TTL 464
-#define VAR_PERMIT_SMALL_HOLDDOWN 465
-#define VAR_QNAME_MINIMISATION 466
-#define VAR_QNAME_MINIMISATION_STRICT 467
-#define VAR_IP_FREEBIND 468
-#define VAR_DEFINE_TAG 469
-#define VAR_LOCAL_ZONE_TAG 470
-#define VAR_ACCESS_CONTROL_TAG 471
-#define VAR_LOCAL_ZONE_OVERRIDE 472
-#define VAR_ACCESS_CONTROL_TAG_ACTION 473
-#define VAR_ACCESS_CONTROL_TAG_DATA 474
-#define VAR_VIEW 475
-#define VAR_ACCESS_CONTROL_VIEW 476
-#define VAR_VIEW_FIRST 477
-#define VAR_SERVE_EXPIRED 478
-#define VAR_SERVE_EXPIRED_TTL 479
-#define VAR_SERVE_EXPIRED_TTL_RESET 480
-#define VAR_SERVE_EXPIRED_REPLY_TTL 481
-#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 482
-#define VAR_SERVE_ORIGINAL_TTL 483
-#define VAR_FAKE_DSA 484
-#define VAR_FAKE_SHA1 485
-#define VAR_LOG_IDENTITY 486
-#define VAR_HIDE_TRUSTANCHOR 487
-#define VAR_TRUST_ANCHOR_SIGNALING 488
-#define VAR_AGGRESSIVE_NSEC 489
-#define VAR_USE_SYSTEMD 490
-#define VAR_SHM_ENABLE 491
-#define VAR_SHM_KEY 492
-#define VAR_ROOT_KEY_SENTINEL 493
-#define VAR_DNSCRYPT 494
-#define VAR_DNSCRYPT_ENABLE 495
-#define VAR_DNSCRYPT_PORT 496
-#define VAR_DNSCRYPT_PROVIDER 497
-#define VAR_DNSCRYPT_SECRET_KEY 498
-#define VAR_DNSCRYPT_PROVIDER_CERT 499
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 500
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 501
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 502
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 503
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 504
-#define VAR_PAD_RESPONSES 505
-#define VAR_PAD_RESPONSES_BLOCK_SIZE 506
-#define VAR_PAD_QUERIES 507
-#define VAR_PAD_QUERIES_BLOCK_SIZE 508
-#define VAR_IPSECMOD_ENABLED 509
-#define VAR_IPSECMOD_HOOK 510
-#define VAR_IPSECMOD_IGNORE_BOGUS 511
-#define VAR_IPSECMOD_MAX_TTL 512
-#define VAR_IPSECMOD_WHITELIST 513
-#define VAR_IPSECMOD_STRICT 514
-#define VAR_CACHEDB 515
-#define VAR_CACHEDB_BACKEND 516
-#define VAR_CACHEDB_SECRETSEED 517
-#define VAR_CACHEDB_REDISHOST 518
-#define VAR_CACHEDB_REDISPORT 519
-#define VAR_CACHEDB_REDISTIMEOUT 520
-#define VAR_CACHEDB_REDISEXPIRERECORDS 521
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 522
-#define VAR_FOR_UPSTREAM 523
-#define VAR_AUTH_ZONE 524
-#define VAR_ZONEFILE 525
-#define VAR_MASTER 526
-#define VAR_URL 527
-#define VAR_FOR_DOWNSTREAM 528
-#define VAR_FALLBACK_ENABLED 529
-#define VAR_TLS_ADDITIONAL_PORT 530
-#define VAR_LOW_RTT 531
-#define VAR_LOW_RTT_PERMIL 532
-#define VAR_FAST_SERVER_PERMIL 533
-#define VAR_FAST_SERVER_NUM 534
-#define VAR_ALLOW_NOTIFY 535
-#define VAR_TLS_WIN_CERT 536
-#define VAR_TCP_CONNECTION_LIMIT 537
-#define VAR_FORWARD_NO_CACHE 538
-#define VAR_STUB_NO_CACHE 539
-#define VAR_LOG_SERVFAIL 540
-#define VAR_DENY_ANY 541
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 542
-#define VAR_LOG_TAG_QUERYREPLY 543
-#define VAR_STREAM_WAIT_SIZE 544
-#define VAR_TLS_CIPHERS 545
-#define VAR_TLS_CIPHERSUITES 546
-#define VAR_TLS_USE_SNI 547
-#define VAR_IPSET 548
-#define VAR_IPSET_NAME_V4 549
-#define VAR_IPSET_NAME_V6 550
-#define VAR_TLS_SESSION_TICKET_KEYS 551
-#define VAR_RPZ 552
-#define VAR_TAGS 553
-#define VAR_RPZ_ACTION_OVERRIDE 554
-#define VAR_RPZ_CNAME_OVERRIDE 555
-#define VAR_RPZ_LOG 556
-#define VAR_RPZ_LOG_NAME 557
-#define VAR_DYNLIB 558
-#define VAR_DYNLIB_FILE 559
-#define VAR_EDNS_CLIENT_STRING 560
-#define VAR_EDNS_CLIENT_STRING_OPCODE 561
-#define VAR_NSID 562
+#define VAR_TCP_REUSE_TIMEOUT 359
+#define VAR_MAX_REUSE_TCP_QUERIES 360
+#define VAR_EXTENDED_STATISTICS 361
+#define VAR_LOCAL_DATA_PTR 362
+#define VAR_JOSTLE_TIMEOUT 363
+#define VAR_STUB_PRIME 364
+#define VAR_UNWANTED_REPLY_THRESHOLD 365
+#define VAR_LOG_TIME_ASCII 366
+#define VAR_DOMAIN_INSECURE 367
+#define VAR_PYTHON 368
+#define VAR_PYTHON_SCRIPT 369
+#define VAR_VAL_SIG_SKEW_MIN 370
+#define VAR_VAL_SIG_SKEW_MAX 371
+#define VAR_VAL_MAX_RESTART 372
+#define VAR_CACHE_MIN_TTL 373
+#define VAR_VAL_LOG_LEVEL 374
+#define VAR_AUTO_TRUST_ANCHOR_FILE 375
+#define VAR_KEEP_MISSING 376
+#define VAR_ADD_HOLDDOWN 377
+#define VAR_DEL_HOLDDOWN 378
+#define VAR_SO_RCVBUF 379
+#define VAR_EDNS_BUFFER_SIZE 380
+#define VAR_PREFETCH 381
+#define VAR_PREFETCH_KEY 382
+#define VAR_SO_SNDBUF 383
+#define VAR_SO_REUSEPORT 384
+#define VAR_HARDEN_BELOW_NXDOMAIN 385
+#define VAR_IGNORE_CD_FLAG 386
+#define VAR_LOG_QUERIES 387
+#define VAR_LOG_REPLIES 388
+#define VAR_LOG_LOCAL_ACTIONS 389
+#define VAR_TCP_UPSTREAM 390
+#define VAR_SSL_UPSTREAM 391
+#define VAR_TCP_AUTH_QUERY_TIMEOUT 392
+#define VAR_SSL_SERVICE_KEY 393
+#define VAR_SSL_SERVICE_PEM 394
+#define VAR_SSL_PORT 395
+#define VAR_FORWARD_FIRST 396
+#define VAR_STUB_SSL_UPSTREAM 397
+#define VAR_FORWARD_SSL_UPSTREAM 398
+#define VAR_TLS_CERT_BUNDLE 399
+#define VAR_HTTPS_PORT 400
+#define VAR_HTTP_ENDPOINT 401
+#define VAR_HTTP_MAX_STREAMS 402
+#define VAR_HTTP_QUERY_BUFFER_SIZE 403
+#define VAR_HTTP_RESPONSE_BUFFER_SIZE 404
+#define VAR_HTTP_NODELAY 405
+#define VAR_HTTP_NOTLS_DOWNSTREAM 406
+#define VAR_STUB_FIRST 407
+#define VAR_MINIMAL_RESPONSES 408
+#define VAR_RRSET_ROUNDROBIN 409
+#define VAR_MAX_UDP_SIZE 410
+#define VAR_DELAY_CLOSE 411
+#define VAR_UDP_CONNECT 412
+#define VAR_UNBLOCK_LAN_ZONES 413
+#define VAR_INSECURE_LAN_ZONES 414
+#define VAR_INFRA_CACHE_MIN_RTT 415
+#define VAR_INFRA_KEEP_PROBING 416
+#define VAR_DNS64_PREFIX 417
+#define VAR_DNS64_SYNTHALL 418
+#define VAR_DNS64_IGNORE_AAAA 419
+#define VAR_DNSTAP 420
+#define VAR_DNSTAP_ENABLE 421
+#define VAR_DNSTAP_SOCKET_PATH 422
+#define VAR_DNSTAP_IP 423
+#define VAR_DNSTAP_TLS 424
+#define VAR_DNSTAP_TLS_SERVER_NAME 425
+#define VAR_DNSTAP_TLS_CERT_BUNDLE 426
+#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 427
+#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 428
+#define VAR_DNSTAP_SEND_IDENTITY 429
+#define VAR_DNSTAP_SEND_VERSION 430
+#define VAR_DNSTAP_BIDIRECTIONAL 431
+#define VAR_DNSTAP_IDENTITY 432
+#define VAR_DNSTAP_VERSION 433
+#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 434
+#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 435
+#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 436
+#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 437
+#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 438
+#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 439
+#define VAR_RESPONSE_IP_TAG 440
+#define VAR_RESPONSE_IP 441
+#define VAR_RESPONSE_IP_DATA 442
+#define VAR_HARDEN_ALGO_DOWNGRADE 443
+#define VAR_IP_TRANSPARENT 444
+#define VAR_IP_DSCP 445
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 446
+#define VAR_IP_RATELIMIT 447
+#define VAR_IP_RATELIMIT_SLABS 448
+#define VAR_IP_RATELIMIT_SIZE 449
+#define VAR_RATELIMIT 450
+#define VAR_RATELIMIT_SLABS 451
+#define VAR_RATELIMIT_SIZE 452
+#define VAR_RATELIMIT_FOR_DOMAIN 453
+#define VAR_RATELIMIT_BELOW_DOMAIN 454
+#define VAR_IP_RATELIMIT_FACTOR 455
+#define VAR_RATELIMIT_FACTOR 456
+#define VAR_SEND_CLIENT_SUBNET 457
+#define VAR_CLIENT_SUBNET_ZONE 458
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 459
+#define VAR_CLIENT_SUBNET_OPCODE 460
+#define VAR_MAX_CLIENT_SUBNET_IPV4 461
+#define VAR_MAX_CLIENT_SUBNET_IPV6 462
+#define VAR_MIN_CLIENT_SUBNET_IPV4 463
+#define VAR_MIN_CLIENT_SUBNET_IPV6 464
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 465
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 466
+#define VAR_CAPS_WHITELIST 467
+#define VAR_CACHE_MAX_NEGATIVE_TTL 468
+#define VAR_PERMIT_SMALL_HOLDDOWN 469
+#define VAR_QNAME_MINIMISATION 470
+#define VAR_QNAME_MINIMISATION_STRICT 471
+#define VAR_IP_FREEBIND 472
+#define VAR_DEFINE_TAG 473
+#define VAR_LOCAL_ZONE_TAG 474
+#define VAR_ACCESS_CONTROL_TAG 475
+#define VAR_LOCAL_ZONE_OVERRIDE 476
+#define VAR_ACCESS_CONTROL_TAG_ACTION 477
+#define VAR_ACCESS_CONTROL_TAG_DATA 478
+#define VAR_VIEW 479
+#define VAR_ACCESS_CONTROL_VIEW 480
+#define VAR_VIEW_FIRST 481
+#define VAR_SERVE_EXPIRED 482
+#define VAR_SERVE_EXPIRED_TTL 483
+#define VAR_SERVE_EXPIRED_TTL_RESET 484
+#define VAR_SERVE_EXPIRED_REPLY_TTL 485
+#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 486
+#define VAR_SERVE_ORIGINAL_TTL 487
+#define VAR_FAKE_DSA 488
+#define VAR_FAKE_SHA1 489
+#define VAR_LOG_IDENTITY 490
+#define VAR_HIDE_TRUSTANCHOR 491
+#define VAR_HIDE_HTTP_USER_AGENT 492
+#define VAR_HTTP_USER_AGENT 493
+#define VAR_TRUST_ANCHOR_SIGNALING 494
+#define VAR_AGGRESSIVE_NSEC 495
+#define VAR_USE_SYSTEMD 496
+#define VAR_SHM_ENABLE 497
+#define VAR_SHM_KEY 498
+#define VAR_ROOT_KEY_SENTINEL 499
+#define VAR_DNSCRYPT 500
+#define VAR_DNSCRYPT_ENABLE 501
+#define VAR_DNSCRYPT_PORT 502
+#define VAR_DNSCRYPT_PROVIDER 503
+#define VAR_DNSCRYPT_SECRET_KEY 504
+#define VAR_DNSCRYPT_PROVIDER_CERT 505
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 506
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 507
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 508
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 509
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 510
+#define VAR_PAD_RESPONSES 511
+#define VAR_PAD_RESPONSES_BLOCK_SIZE 512
+#define VAR_PAD_QUERIES 513
+#define VAR_PAD_QUERIES_BLOCK_SIZE 514
+#define VAR_IPSECMOD_ENABLED 515
+#define VAR_IPSECMOD_HOOK 516
+#define VAR_IPSECMOD_IGNORE_BOGUS 517
+#define VAR_IPSECMOD_MAX_TTL 518
+#define VAR_IPSECMOD_WHITELIST 519
+#define VAR_IPSECMOD_STRICT 520
+#define VAR_CACHEDB 521
+#define VAR_CACHEDB_BACKEND 522
+#define VAR_CACHEDB_SECRETSEED 523
+#define VAR_CACHEDB_REDISHOST 524
+#define VAR_CACHEDB_REDISPORT 525
+#define VAR_CACHEDB_REDISTIMEOUT 526
+#define VAR_CACHEDB_REDISEXPIRERECORDS 527
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 528
+#define VAR_FOR_UPSTREAM 529
+#define VAR_AUTH_ZONE 530
+#define VAR_ZONEFILE 531
+#define VAR_MASTER 532
+#define VAR_URL 533
+#define VAR_FOR_DOWNSTREAM 534
+#define VAR_FALLBACK_ENABLED 535
+#define VAR_TLS_ADDITIONAL_PORT 536
+#define VAR_LOW_RTT 537
+#define VAR_LOW_RTT_PERMIL 538
+#define VAR_FAST_SERVER_PERMIL 539
+#define VAR_FAST_SERVER_NUM 540
+#define VAR_ALLOW_NOTIFY 541
+#define VAR_TLS_WIN_CERT 542
+#define VAR_TCP_CONNECTION_LIMIT 543
+#define VAR_FORWARD_NO_CACHE 544
+#define VAR_STUB_NO_CACHE 545
+#define VAR_LOG_SERVFAIL 546
+#define VAR_DENY_ANY 547
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 548
+#define VAR_LOG_TAG_QUERYREPLY 549
+#define VAR_STREAM_WAIT_SIZE 550
+#define VAR_TLS_CIPHERS 551
+#define VAR_TLS_CIPHERSUITES 552
+#define VAR_TLS_USE_SNI 553
+#define VAR_IPSET 554
+#define VAR_IPSET_NAME_V4 555
+#define VAR_IPSET_NAME_V6 556
+#define VAR_TLS_SESSION_TICKET_KEYS 557
+#define VAR_RPZ 558
+#define VAR_TAGS 559
+#define VAR_RPZ_ACTION_OVERRIDE 560
+#define VAR_RPZ_CNAME_OVERRIDE 561
+#define VAR_RPZ_LOG 562
+#define VAR_RPZ_LOG_NAME 563
+#define VAR_DYNLIB 564
+#define VAR_DYNLIB_FILE 565
+#define VAR_EDNS_CLIENT_STRING 566
+#define VAR_EDNS_CLIENT_STRING_OPCODE 567
+#define VAR_NSID 568
+#define VAR_ZONEMD_PERMISSIVE_MODE 569
+#define VAR_ZONEMD_CHECK 570
+#define VAR_ZONEMD_REJECT_ABSENCE 571
 #ifndef YYSTYPE_DEFINED
 #define YYSTYPE_DEFINED
 typedef union {

diff --git a/sbin/unwind/libunbound/util/configparser.y b/sbin/unwind/libunbound/util/configparser.y
index 272a979..e22d48d 100644 (file)
--- a/sbin/unwind/libunbound/util/configparser.y
+++ b/sbin/unwind/libunbound/util/configparser.y
@@ -100,17 +100,18 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
 %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE
 %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE
-%token VAR_CONTROL_USE_CERT
+%token VAR_CONTROL_USE_CERT VAR_TCP_REUSE_TIMEOUT VAR_MAX_REUSE_TCP_QUERIES
 %token VAR_EXTENDED_STATISTICS VAR_LOCAL_DATA_PTR VAR_JOSTLE_TIMEOUT
 %token VAR_STUB_PRIME VAR_UNWANTED_REPLY_THRESHOLD VAR_LOG_TIME_ASCII
 %token VAR_DOMAIN_INSECURE VAR_PYTHON VAR_PYTHON_SCRIPT VAR_VAL_SIG_SKEW_MIN
-%token VAR_VAL_SIG_SKEW_MAX VAR_CACHE_MIN_TTL VAR_VAL_LOG_LEVEL
-%token VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING VAR_ADD_HOLDDOWN 
-%token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH
-%token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT VAR_HARDEN_BELOW_NXDOMAIN
-%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_LOG_REPLIES VAR_LOG_LOCAL_ACTIONS
-%token VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
-%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
+%token VAR_VAL_SIG_SKEW_MAX VAR_VAL_MAX_RESTART VAR_CACHE_MIN_TTL
+%token VAR_VAL_LOG_LEVEL VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING
+%token VAR_ADD_HOLDDOWN VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE
+%token VAR_PREFETCH VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_SO_REUSEPORT
+%token VAR_HARDEN_BELOW_NXDOMAIN VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES
+%token VAR_LOG_REPLIES VAR_LOG_LOCAL_ACTIONS VAR_TCP_UPSTREAM
+%token VAR_SSL_UPSTREAM VAR_TCP_AUTH_QUERY_TIMEOUT VAR_SSL_SERVICE_KEY
+%token VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
 %token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
 %token VAR_HTTPS_PORT VAR_HTTP_ENDPOINT VAR_HTTP_MAX_STREAMS
 %token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
@@ -153,6 +154,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_SERVE_EXPIRED_TTL_RESET VAR_SERVE_EXPIRED_REPLY_TTL
 %token VAR_SERVE_EXPIRED_CLIENT_TIMEOUT VAR_SERVE_ORIGINAL_TTL VAR_FAKE_DSA
 %token VAR_FAKE_SHA1 VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR
+%token VAR_HIDE_HTTP_USER_AGENT VAR_HTTP_USER_AGENT
 %token VAR_TRUST_ANCHOR_SIGNALING VAR_AGGRESSIVE_NSEC VAR_USE_SYSTEMD
 %token VAR_SHM_ENABLE VAR_SHM_KEY VAR_ROOT_KEY_SENTINEL
 %token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
@@ -182,6 +184,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME
 %token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING
 %token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID
+%token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -223,6 +226,7 @@ content_server: server_num_threads | server_verbosity | server_port |
        server_harden_short_bufsize | server_harden_large_queries |
        server_do_not_query_address | server_hide_identity |
        server_hide_version | server_identity | server_version |
+       server_hide_http_user_agent | server_http_user_agent |
        server_harden_glue | server_module_conf | server_trust_anchor_file |
        server_trust_anchor | server_val_override_date | server_bogus_ttl |
        server_val_clean_additional | server_val_permissive_mode |
@@ -242,8 +246,9 @@ content_server: server_num_threads | server_verbosity | server_port |
        server_local_data_ptr | server_jostle_timeout | 
        server_unwanted_reply_threshold | server_log_time_ascii | 
        server_domain_insecure | server_val_sig_skew_min | 
-       server_val_sig_skew_max | server_cache_min_ttl | server_val_log_level |
-       server_auto_trust_anchor_file | server_add_holddown | 
+       server_val_sig_skew_max | server_val_max_restart |
+       server_cache_min_ttl | server_val_log_level |
+       server_auto_trust_anchor_file | server_add_holddown |
        server_del_holddown | server_keep_missing | server_so_rcvbuf |
        server_edns_buffer_size | server_prefetch | server_prefetch_key |
        server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag |
@@ -299,7 +304,10 @@ content_server: server_num_threads | server_verbosity | server_port |
        server_stream_wait_size | server_tls_ciphers |
        server_tls_ciphersuites | server_tls_session_ticket_keys |
        server_tls_use_sni | server_edns_client_string |
-       server_edns_client_string_opcode | server_nsid
+       server_edns_client_string_opcode | server_nsid |
+       server_zonemd_permissive_mode | server_max_reuse_tcp_queries |
+       server_tcp_reuse_timeout | server_tcp_auth_query_timeout
+
        ;
 stubstart: VAR_STUB_ZONE
        {
@@ -366,6 +374,8 @@ authstart: VAR_AUTH_ZONE
                        s->for_downstream = 1;
                        s->for_upstream = 1;
                        s->fallback_enabled = 0;
+                       s->zonemd_check = 0;
+                       s->zonemd_reject_absence = 0;
                        s->isrpz = 0;
                } else 
                        yyerror("out of memory");
@@ -375,7 +385,7 @@ contents_auth: contents_auth content_auth
        | ;
 content_auth: auth_name | auth_zonefile | auth_master | auth_url |
        auth_for_downstream | auth_for_upstream | auth_fallback_enabled |
-       auth_allow_notify
+       auth_allow_notify | auth_zonemd_check | auth_zonemd_reject_absence
        ;
 
 rpz_tag: VAR_TAGS STRING_ARG
@@ -856,6 +866,39 @@ server_tcp_idle_timeout: VAR_TCP_IDLE_TIMEOUT STRING_ARG
                free($2);
        }
        ;
+server_max_reuse_tcp_queries: VAR_MAX_REUSE_TCP_QUERIES STRING_ARG
+       {
+               OUTYY(("P(server_max_reuse_tcp_queries:%s)\n", $2));
+               if(atoi($2) == 0 && strcmp($2, "0") != 0)
+                       yyerror("number expected");
+               else if (atoi($2) < 1)
+                       cfg_parser->cfg->max_reuse_tcp_queries = 0;
+               else cfg_parser->cfg->max_reuse_tcp_queries = atoi($2);
+               free($2);
+       }
+       ;
+server_tcp_reuse_timeout: VAR_TCP_REUSE_TIMEOUT STRING_ARG
+       {
+               OUTYY(("P(server_tcp_reuse_timeout:%s)\n", $2));
+               if(atoi($2) == 0 && strcmp($2, "0") != 0)
+                       yyerror("number expected");
+               else if (atoi($2) < 1)
+                       cfg_parser->cfg->tcp_reuse_timeout = 0;
+               else cfg_parser->cfg->tcp_reuse_timeout = atoi($2);
+               free($2);
+       }
+       ;
+server_tcp_auth_query_timeout: VAR_TCP_AUTH_QUERY_TIMEOUT STRING_ARG
+       {
+               OUTYY(("P(server_tcp_auth_query_timeout:%s)\n", $2));
+               if(atoi($2) == 0 && strcmp($2, "0") != 0)
+                       yyerror("number expected");
+               else if (atoi($2) < 1)
+                       cfg_parser->cfg->tcp_auth_query_timeout = 0;
+               else cfg_parser->cfg->tcp_auth_query_timeout = atoi($2);
+               free($2);
+       }
+       ;
 server_tcp_keepalive: VAR_EDNS_TCP_KEEPALIVE STRING_ARG
        {
                OUTYY(("P(server_tcp_keepalive:%s)\n", $2));
@@ -1296,6 +1339,15 @@ server_hide_trustanchor: VAR_HIDE_TRUSTANCHOR STRING_ARG
                free($2);
        }
        ;
+server_hide_http_user_agent: VAR_HIDE_HTTP_USER_AGENT STRING_ARG
+       {
+               OUTYY(("P(server_hide_user_agent:%s)\n", $2));
+               if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+                       yyerror("expected yes or no.");
+               else cfg_parser->cfg->hide_http_user_agent = (strcmp($2, "yes")==0);
+               free($2);
+       }
+       ;
 server_identity: VAR_IDENTITY STRING_ARG
        {
                OUTYY(("P(server_identity:%s)\n", $2));
@@ -1310,6 +1362,13 @@ server_version: VAR_VERSION STRING_ARG
                cfg_parser->cfg->version = $2;
        }
        ;
+server_http_user_agent: VAR_HTTP_USER_AGENT STRING_ARG
+       {
+               OUTYY(("P(server_http_user_agent:%s)\n", $2));
+               free(cfg_parser->cfg->http_user_agent);
+               cfg_parser->cfg->http_user_agent = $2;
+       }
+       ;
 server_nsid: VAR_NSID STRING_ARG
        {
                OUTYY(("P(server_nsid:%s)\n", $2));
@@ -1814,6 +1873,19 @@ server_val_sig_skew_max: VAR_VAL_SIG_SKEW_MAX STRING_ARG
                free($2);
        }
        ;
+server_val_max_restart: VAR_VAL_MAX_RESTART STRING_ARG
+       {
+               OUTYY(("P(server_val_max_restart:%s)\n", $2));
+               if(*$2 == '\0' || strcmp($2, "0") == 0) {
+                       cfg_parser->cfg->val_max_restart = 0;
+               } else {
+                       cfg_parser->cfg->val_max_restart = atoi($2);
+                       if(!cfg_parser->cfg->val_max_restart)
+                               yyerror("number expected");
+               }
+               free($2);
+       }
+       ;
 server_cache_max_ttl: VAR_CACHE_MAX_TTL STRING_ARG
        {
                OUTYY(("P(server_cache_max_ttl:%s)\n", $2));
@@ -1986,6 +2058,15 @@ server_val_nsec3_keysize_iterations: VAR_VAL_NSEC3_KEYSIZE_ITERATIONS STRING_ARG
                cfg_parser->cfg->val_nsec3_key_iterations = $2;
        }
        ;
+server_zonemd_permissive_mode: VAR_ZONEMD_PERMISSIVE_MODE STRING_ARG
+       {
+               OUTYY(("P(server_zonemd_permissive_mode:%s)\n", $2));
+               if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+                       yyerror("expected yes or no.");
+               else    cfg_parser->cfg->zonemd_permissive_mode = (strcmp($2, "yes")==0);
+               free($2);
+       }
+       ;
 server_add_holddown: VAR_ADD_HOLDDOWN STRING_ARG
        {
                OUTYY(("P(server_add_holddown:%s)\n", $2));
@@ -2741,6 +2822,26 @@ auth_allow_notify: VAR_ALLOW_NOTIFY STRING_ARG
                        yyerror("out of memory");
        }
        ;
+auth_zonemd_check: VAR_ZONEMD_CHECK STRING_ARG
+       {
+               OUTYY(("P(zonemd-check:%s)\n", $2));
+               if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+                       yyerror("expected yes or no.");
+               else cfg_parser->cfg->auths->zonemd_check =
+                       (strcmp($2, "yes")==0);
+               free($2);
+       }
+       ;
+auth_zonemd_reject_absence: VAR_ZONEMD_REJECT_ABSENCE STRING_ARG
+       {
+               OUTYY(("P(zonemd-reject-absence:%s)\n", $2));
+               if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+                       yyerror("expected yes or no.");
+               else cfg_parser->cfg->auths->zonemd_reject_absence =
+                       (strcmp($2, "yes")==0);
+               free($2);
+       }
+       ;
 auth_for_downstream: VAR_FOR_DOWNSTREAM STRING_ARG
        {
                OUTYY(("P(for-downstream:%s)\n", $2));
@@ -2791,13 +2892,20 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
                   && strcmp($3, "always_transparent")!=0
                   && strcmp($3, "always_refuse")!=0
                   && strcmp($3, "always_nxdomain")!=0
+                  && strcmp($3, "always_nodata")!=0
+                  && strcmp($3, "always_deny")!=0
+                  && strcmp($3, "always_null")!=0
                   && strcmp($3, "noview")!=0
-                  && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0) {
+                  && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0
+                  && strcmp($3, "inform_redirect") != 0
+                  && strcmp($3, "ipset") != 0) {
                        yyerror("local-zone type: expected static, deny, "
                                "refuse, redirect, transparent, "
                                "typetransparent, inform, inform_deny, "
-                               "always_transparent, always_refuse, "
-                               "always_nxdomain, noview or nodefault");
+                               "inform_redirect, always_transparent, "
+                               "always_refuse, always_nxdomain, "
+                               "always_nodata, always_deny, always_null, "
+                               "noview, nodefault or ipset");
                        free($2);
                        free($3);
                } else if(strcmp($3, "nodefault")==0) {

diff --git a/sbin/unwind/libunbound/util/data/dname.h b/sbin/unwind/libunbound/util/data/dname.h
index e37c118..cb0f673 100644 (file)
--- a/sbin/unwind/libunbound/util/data/dname.h
+++ b/sbin/unwind/libunbound/util/data/dname.h
@@ -261,7 +261,7 @@ int dname_is_root(uint8_t* dname);
  * Snip off first label from a dname, returning the parent zone.
  * @param dname: from what to strip off. uncompressed wireformat.
  * @param len: length, adjusted to become less.
- * @return stripped off, or "." if input was ".".
+ * return stripped off, or "." if input was ".".
  */
 void dname_remove_label(uint8_t** dname, size_t* len);
 
@@ -271,7 +271,7 @@ void dname_remove_label(uint8_t** dname, size_t* len);
  * @param len: length, adjusted to become less.
  * @param n: number of labels to strip off (from the left).
  *     if 0, nothing happens.
- * @return stripped off, or "." if input was ".".
+ * return stripped off, or "." if input was ".".
  */
 void dname_remove_labels(uint8_t** dname, size_t* len, int n);
 

diff --git a/sbin/unwind/libunbound/util/data/msgreply.c b/sbin/unwind/libunbound/util/data/msgreply.c
index 4830b34..00272fd 100644 (file)
--- a/sbin/unwind/libunbound/util/data/msgreply.c
+++ b/sbin/unwind/libunbound/util/data/msgreply.c
@@ -329,7 +329,10 @@ parse_create_rrset(sldns_buffer* pkt, struct rrset_parse* pset,
                return 0;
        /* copy & decompress */
        if(!parse_rr_copy(pkt, pset, *data)) {
-               if(!region) free(*data);
+               if(!region) {
+                       free(*data);
+                       *data = NULL;
+               }
                return 0;
        }
        return 1;
@@ -394,8 +397,13 @@ parse_copy_decompress_rrset(sldns_buffer* pkt, struct msg_parse* msg,
        pk->rk.type = htons(pset->type);
        pk->rk.rrset_class = pset->rrset_class;
        /** read data part. */
-       if(!parse_create_rrset(pkt, pset, &data, region))
+       if(!parse_create_rrset(pkt, pset, &data, region)) {
+               if(!region) {
+                       free(pk->rk.dname);
+                       pk->rk.dname = NULL;
+               }
                return 0;
+       }
        pk->entry.data = (void*)data;
        pk->entry.key = (void*)pk;
        pk->entry.hash = pset->hash;
@@ -825,9 +833,15 @@ log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* rep)
        /* not particularly fast but flexible, make wireformat and print */
        sldns_buffer* buf = sldns_buffer_new(65535);
        struct regional* region = regional_create();
-       if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0, 
+       if(!(buf && region)) {
+               log_err("%s: log_dns_msg: out of memory", str);
+               sldns_buffer_free(buf);
+               regional_destroy(region);
+               return;
+       }
+       if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0,
                region, 65535, 1, 0)) {
-               log_info("%s: log_dns_msg: out of memory", str);
+               log_err("%s: log_dns_msg: out of memory", str);
        } else {
                char* s = sldns_wire2str_pkt(sldns_buffer_begin(buf),
                        sldns_buffer_limit(buf));

diff --git a/sbin/unwind/libunbound/util/fptr_wlist.c b/sbin/unwind/libunbound/util/fptr_wlist.c
index a9e9d3a..de6dbd0 100644 (file)
--- a/sbin/unwind/libunbound/util/fptr_wlist.c
+++ b/sbin/unwind/libunbound/util/fptr_wlist.c
@@ -196,8 +196,6 @@ int
 fptr_whitelist_pending_udp(comm_point_callback_type *fptr)
 {
        if(fptr == &serviced_udp_callback) return 1;
-       else if(fptr == &worker_handle_reply) return 1;
-       else if(fptr == &libworker_handle_reply) return 1;
        return 0;
 }
 
@@ -205,8 +203,6 @@ int
 fptr_whitelist_pending_tcp(comm_point_callback_type *fptr)
 {
        if(fptr == &serviced_tcp_callback) return 1;
-       else if(fptr == &worker_handle_reply) return 1;
-       else if(fptr == &libworker_handle_reply) return 1;
        return 0;
 }
 
@@ -583,6 +579,7 @@ int fptr_whitelist_mesh_cb(mesh_cb_func_type fptr)
        else if(fptr == &probe_answer_cb) return 1;
        else if(fptr == &auth_xfer_probe_lookup_callback) return 1;
        else if(fptr == &auth_xfer_transfer_lookup_callback) return 1;
+       else if(fptr == &auth_zonemd_dnskey_lookup_callback) return 1;
        return 0;
 }
 

diff --git a/sbin/unwind/libunbound/util/iana_ports.inc b/sbin/unwind/libunbound/util/iana_ports.inc
index 875851e..b93af01 100644 (file)
--- a/sbin/unwind/libunbound/util/iana_ports.inc
+++ b/sbin/unwind/libunbound/util/iana_ports.inc
@@ -118,7 +118,6 @@
 140,
 141,
 142,
-143,
 144,
 145,
 146,
@@ -679,7 +678,6 @@
 990,
 991,
 992,
-993,
 995,
 996,
 997,
@@ -4246,6 +4244,7 @@
 5504,
 5505,
 5506,
+5540,
 5553,
 5554,
 5555,
@@ -4738,6 +4737,7 @@
 8006,
 8007,
 8008,
+8017,
 8019,
 8020,
 8021,
@@ -5378,6 +5378,7 @@
 30999,
 31016,
 31029,
+31337,
 31416,
 31457,
 31620,

diff --git a/sbin/unwind/libunbound/util/net_help.c b/sbin/unwind/libunbound/util/net_help.c
index 3b5527a..06bc1f5 100644 (file)
--- a/sbin/unwind/libunbound/util/net_help.c
+++ b/sbin/unwind/libunbound/util/net_help.c
@@ -887,7 +887,7 @@ log_cert(unsigned level, const char* str, void* cert)
 }
 #endif /* HAVE_SSL */
 
-#if defined(HAVE_SSL) && defined(HAVE_NGHTTP2)
+#if defined(HAVE_SSL) && defined(HAVE_NGHTTP2) && defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
 static int alpn_select_cb(SSL* ATTR_UNUSED(ssl), const unsigned char** out,
        unsigned char* outlen, const unsigned char* in, unsigned int inlen,
        void* ATTR_UNUSED(arg))
@@ -1609,5 +1609,4 @@ sock_close(int socket)
 {
        closesocket(socket);
 }
-
 #  endif /* USE_WINSOCK */

diff --git a/sbin/unwind/libunbound/util/net_help.h b/sbin/unwind/libunbound/util/net_help.h
index 45b607a..7983527 100644 (file)
--- a/sbin/unwind/libunbound/util/net_help.h
+++ b/sbin/unwind/libunbound/util/net_help.h
@@ -42,6 +42,7 @@
 #ifndef NET_HELP_H
 #define NET_HELP_H
 #include "util/log.h"
+#include "util/random.h"
 struct sock_list;
 struct regional;
 struct config_strlist;
@@ -76,8 +77,6 @@ struct config_strlist;
 
 /** timeout in milliseconds for UDP queries to auth servers. */
 #define UDP_AUTH_QUERY_TIMEOUT 3000
-/** timeout in milliseconds for TCP queries to auth servers. */
-#define TCP_AUTH_QUERY_TIMEOUT 3000
 /** Advertised version of EDNS capabilities */
 #define EDNS_ADVERTISED_VERSION         0
 /** Advertised size of EDNS capabilities */
@@ -94,6 +93,9 @@ extern uint16_t EDNS_ADVERTISED_SIZE;
 /** DNSKEY secure entry point, KSK flag */
 #define DNSKEY_BIT_SEP 0x0001
 
+/** return a random 16-bit number given a random source */
+#define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff)
+
 /** minimal responses when positive answer */
 extern int MINIMAL_RESPONSES;
 

diff --git a/sbin/unwind/libunbound/util/netevent.c b/sbin/unwind/libunbound/util/netevent.c
index a2c0e60..11c642a 100644 (file)
--- a/sbin/unwind/libunbound/util/netevent.c
+++ b/sbin/unwind/libunbound/util/netevent.c
@@ -51,6 +51,16 @@
 #include "dnstap/dnstap.h"
 #include "dnscrypt/dnscrypt.h"
 #include "services/listen_dnsport.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
 #ifdef HAVE_OPENSSL_SSL_H
 #include <openssl/ssl.h>
 #endif
@@ -152,7 +162,7 @@ struct internal_signal {
 static struct comm_point* comm_point_create_tcp_handler(
        struct comm_base *base, struct comm_point* parent, size_t bufsize,
        struct sldns_buffer* spoolbuf, comm_point_callback_type* callback,
-       void* callback_arg);
+       void* callback_arg, struct unbound_socket* socket);
 
 /* -------- End of local definitions -------- */
 
@@ -289,6 +299,7 @@ udp_send_errno_needs_log(struct sockaddr* addr, socklen_t addrlen)
 #  ifdef ENETDOWN
                case ENETDOWN:
 #  endif
+               case EPERM:
                        if(verbosity < VERB_ALGO)
                                return 0;
                default:
@@ -302,7 +313,7 @@ udp_send_errno_needs_log(struct sockaddr* addr, socklen_t addrlen)
                /* 'Cannot assign requested address' also when disconnected */
                || (errno == EADDRNOTAVAIL)
 #  endif
-               ) && verbosity < VERB_DETAIL)
+               ) && verbosity < VERB_ALGO)
                return 0;
 #  ifdef EADDRINUSE
        /* If SO_REUSEADDR is set, we could try to connect to the same server
@@ -408,7 +419,9 @@ static void p_ancil(const char* str, struct comm_reply* r)
                log_info("%s: unknown srctype %d", str, r->srctype);
                return;
        }
+
        if(r->srctype == 6) {
+#ifdef IPV6_PKTINFO
                char buf[1024];
                if(inet_ntop(AF_INET6, &r->pktinfo.v6info.ipi6_addr, 
                        buf, (socklen_t)sizeof(buf)) == 0) {
@@ -416,6 +429,7 @@ static void p_ancil(const char* str, struct comm_reply* r)
                }
                buf[sizeof(buf)-1]=0;
                log_info("%s: %s %d", str, buf, r->pktinfo.v6info.ipi6_ifindex);
+#endif
        } else if(r->srctype == 4) {
 #ifdef IP_PKTINFO
                char buf1[1024], buf2[1024];
@@ -1200,7 +1214,7 @@ ssl_handshake(struct comm_point* c)
        int r;
        if(c->ssl_shake_state == comm_ssl_shake_hs_read) {
                /* read condition satisfied back to writing */
-               comm_point_listen_for_rw(c, 1, 1);
+               comm_point_listen_for_rw(c, 0, 1);
                c->ssl_shake_state = comm_ssl_shake_none;
                return 1;
        }
@@ -1257,7 +1271,11 @@ ssl_handshake(struct comm_point* c)
        if((SSL_get_verify_mode(c->ssl)&SSL_VERIFY_PEER)) {
                /* verification */
                if(SSL_get_verify_result(c->ssl) == X509_V_OK) {
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+                       X509* x = SSL_get1_peer_certificate(c->ssl);
+#else
                        X509* x = SSL_get_peer_certificate(c->ssl);
+#endif
                        if(!x) {
                                log_addr(VERB_ALGO, "SSL connection failed: "
                                        "no certificate",
@@ -1283,7 +1301,11 @@ ssl_handshake(struct comm_point* c)
 #endif
                        X509_free(x);
                } else {
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+                       X509* x = SSL_get1_peer_certificate(c->ssl);
+#else
                        X509* x = SSL_get_peer_certificate(c->ssl);
+#endif
                        if(x) {
                                log_cert(VERB_ALGO, "peer certificate", x);
                                X509_free(x);
@@ -1300,6 +1322,7 @@ ssl_handshake(struct comm_point* c)
                        c->repinfo.addrlen);
        }
 
+#ifdef HAVE_SSL_GET0_ALPN_SELECTED
        /* check if http2 use is negotiated */
        if(c->type == comm_http && c->h2_session) {
                const unsigned char *alpn;
@@ -1311,13 +1334,14 @@ ssl_handshake(struct comm_point* c)
                        c->use_h2 = 1;
                }
        }
+#endif
 
        /* setup listen rw correctly */
        if(c->tcp_is_reading) {
                if(c->ssl_shake_state != comm_ssl_shake_read)
                        comm_point_listen_for_rw(c, 1, 0);
        } else {
-               comm_point_listen_for_rw(c, 1, 1);
+               comm_point_listen_for_rw(c, 0, 1);
        }
        c->ssl_shake_state = comm_ssl_shake_none;
        return 1;
@@ -1348,7 +1372,9 @@ ssl_handle_read(struct comm_point* c)
                                        return tcp_req_info_handle_read_close(c->tcp_req_info);
                                return 0; /* shutdown, closed */
                        } else if(want == SSL_ERROR_WANT_READ) {
+#ifdef USE_WINSOCK
                                ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ);
+#endif
                                return 1; /* read more later */
                        } else if(want == SSL_ERROR_WANT_WRITE) {
                                c->ssl_shake_state = comm_ssl_shake_hs_write;
@@ -1396,7 +1422,9 @@ ssl_handle_read(struct comm_point* c)
                                        return tcp_req_info_handle_read_close(c->tcp_req_info);
                                return 0; /* shutdown, closed */
                        } else if(want == SSL_ERROR_WANT_READ) {
+#ifdef USE_WINSOCK
                                ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ);
+#endif
                                return 1; /* read more later */
                        } else if(want == SSL_ERROR_WANT_WRITE) {
                                c->ssl_shake_state = comm_ssl_shake_hs_write;
@@ -1489,7 +1517,9 @@ ssl_handle_write(struct comm_point* c)
                                comm_point_listen_for_rw(c, 1, 0);
                                return 1; /* wait for read condition */
                        } else if(want == SSL_ERROR_WANT_WRITE) {
+#ifdef USE_WINSOCK
                                ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE);
+#endif
                                return 1; /* write more later */
                        } else if(want == SSL_ERROR_SYSCALL) {
 #ifdef EPIPE
@@ -1539,7 +1569,9 @@ ssl_handle_write(struct comm_point* c)
                        comm_point_listen_for_rw(c, 1, 0);
                        return 1; /* wait for read condition */
                } else if(want == SSL_ERROR_WANT_WRITE) {
+#ifdef USE_WINSOCK
                        ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE);
+#endif
                        return 1; /* write more later */
                } else if(want == SSL_ERROR_SYSCALL) {
 #ifdef EPIPE
@@ -1620,6 +1652,10 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok)
                        if(errno == ECONNRESET && verbosity < 2)
                                return 0; /* silence reset by peer */
 #endif
+#ifdef ECONNREFUSED
+                       if(errno == ECONNREFUSED && verbosity < 2)
+                               return 0; /* silence reset by peer */
+#endif
 #ifdef ENETUNREACH
                        if(errno == ENETUNREACH && verbosity < 2)
                                return 0; /* silence it */
@@ -1648,6 +1684,16 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok)
                        }
 #endif
 #else /* USE_WINSOCK */
+                       if(WSAGetLastError() == WSAECONNREFUSED && verbosity < 2)
+                               return 0;
+                       if(WSAGetLastError() == WSAEHOSTDOWN && verbosity < 2)
+                               return 0;
+                       if(WSAGetLastError() == WSAEHOSTUNREACH && verbosity < 2)
+                               return 0;
+                       if(WSAGetLastError() == WSAENETDOWN && verbosity < 2)
+                               return 0;
+                       if(WSAGetLastError() == WSAENETUNREACH && verbosity < 2)
+                               return 0;
                        if(WSAGetLastError() == WSAECONNRESET)
                                return 0;
                        if(WSAGetLastError() == WSAEINPROGRESS)
@@ -1681,7 +1727,8 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok)
                        (int)sldns_buffer_limit(c->buffer));
        }
 
-       log_assert(sldns_buffer_remaining(c->buffer) > 0);
+       if(sldns_buffer_remaining(c->buffer) == 0)
+               log_err("in comm_point_tcp_handle_read buffer_remaining is not > 0 as expected, continuing with (harmless) 0 length recv");
        r = recv(fd, (void*)sldns_buffer_current(c->buffer), 
                sldns_buffer_remaining(c->buffer), 0);
        if(r == 0) {
@@ -2197,6 +2244,8 @@ ssl_http_read_more(struct comm_point* c)
                log_crypto_err("could not SSL_read");
                return 0;
        }
+       verbose(VERB_ALGO, "ssl http read more skip to %d + %d",
+               (int)sldns_buffer_position(c->buffer), (int)r);
        sldns_buffer_skip(c->buffer, (ssize_t)r);
        return 1;
 #else
@@ -2233,6 +2282,8 @@ http_read_more(int fd, struct comm_point* c)
                        &c->repinfo.addr, c->repinfo.addrlen);
                return 0;
        }
+       verbose(VERB_ALGO, "http read more skip to %d + %d",
+               (int)sldns_buffer_position(c->buffer), (int)r);
        sldns_buffer_skip(c->buffer, r);
        return 1;
 }
@@ -2370,7 +2421,7 @@ http_process_chunk_header(struct comm_point* c)
        return 1;
 }
 
-/** handle nonchunked data segment */
+/** handle nonchunked data segment, 0=fail, 1=wait */
 static int
 http_nonchunk_segment(struct comm_point* c)
 {
@@ -2379,7 +2430,7 @@ http_nonchunk_segment(struct comm_point* c)
         * we are looking to read tcp_byte_count more data
         * and then the transfer is done. */
        size_t remainbufferlen;
-       size_t got_now = sldns_buffer_limit(c->buffer) - c->http_stored;
+       size_t got_now = sldns_buffer_limit(c->buffer);
        if(c->tcp_byte_count <= got_now) {
                /* done, this is the last data fragment */
                c->http_stored = 0;
@@ -2388,13 +2439,12 @@ http_nonchunk_segment(struct comm_point* c)
                (void)(*c->callback)(c, c->cb_arg, NETEVENT_DONE, NULL);
                return 1;
        }
-       c->tcp_byte_count -= got_now;
        /* if we have the buffer space,
         * read more data collected into the buffer */
        remainbufferlen = sldns_buffer_capacity(c->buffer) -
                sldns_buffer_limit(c->buffer);
-       if(remainbufferlen >= c->tcp_byte_count ||
-               remainbufferlen >= 2048) {
+       if(remainbufferlen+got_now >= c->tcp_byte_count ||
+               remainbufferlen >= (c->ssl?16384:2048)) {
                size_t total = sldns_buffer_limit(c->buffer);
                sldns_buffer_clear(c->buffer);
                sldns_buffer_set_position(c->buffer, total);
@@ -2404,6 +2454,7 @@ http_nonchunk_segment(struct comm_point* c)
        }
        /* call callback with this data amount, then
         * wait for more */
+       c->tcp_byte_count -= got_now;
        c->http_stored = 0;
        sldns_buffer_set_position(c->buffer, 0);
        fptr_ok(fptr_whitelist_comm_point(c->callback));
@@ -2762,6 +2813,11 @@ comm_point_http_handle_read(int fd, struct comm_point* c)
                        return 0;
        }
 
+       if(c->http_stored >= sldns_buffer_position(c->buffer)) {
+               /* read did not work but we wanted more data, there is
+                * no bytes to process now. */
+               return 1;
+       }
        sldns_buffer_flip(c->buffer);
        /* if we are partway in a segment of data, position us at the point
         * where we left off previously */
@@ -3184,7 +3240,7 @@ void comm_point_raw_handle_callback(int ATTR_UNUSED(fd),
 
 struct comm_point* 
 comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer,
-       comm_point_callback_type* callback, void* callback_arg)
+       comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket)
 {
        struct comm_point* c = (struct comm_point*)calloc(1,
                sizeof(struct comm_point));
@@ -3223,6 +3279,7 @@ comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer,
        c->inuse = 0;
        c->callback = callback;
        c->cb_arg = callback_arg;
+       c->socket = socket;
        evbits = UB_EV_READ | UB_EV_PERSIST;
        /* ub_event stuff */
        c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits,
@@ -3244,7 +3301,7 @@ comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer,
 struct comm_point* 
 comm_point_create_udp_ancil(struct comm_base *base, int fd, 
        sldns_buffer* buffer, 
-       comm_point_callback_type* callback, void* callback_arg)
+       comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket)
 {
        struct comm_point* c = (struct comm_point*)calloc(1,
                sizeof(struct comm_point));
@@ -3283,6 +3340,7 @@ comm_point_create_udp_ancil(struct comm_base *base, int fd,
 #endif
        c->callback = callback;
        c->cb_arg = callback_arg;
+       c->socket = socket;
        evbits = UB_EV_READ | UB_EV_PERSIST;
        /* ub_event stuff */
        c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits,
@@ -3305,7 +3363,7 @@ static struct comm_point*
 comm_point_create_tcp_handler(struct comm_base *base, 
        struct comm_point* parent, size_t bufsize,
        struct sldns_buffer* spoolbuf, comm_point_callback_type* callback,
-       void* callback_arg)
+       void* callback_arg, struct unbound_socket* socket)
 {
        struct comm_point* c = (struct comm_point*)calloc(1,
                sizeof(struct comm_point));
@@ -3361,6 +3419,7 @@ comm_point_create_tcp_handler(struct comm_base *base,
        c->repinfo.c = c;
        c->callback = callback;
        c->cb_arg = callback_arg;
+       c->socket = socket;
        if(spoolbuf) {
                c->tcp_req_info = tcp_req_info_create(spoolbuf);
                if(!c->tcp_req_info) {
@@ -3400,7 +3459,8 @@ static struct comm_point*
 comm_point_create_http_handler(struct comm_base *base, 
        struct comm_point* parent, size_t bufsize, int harden_large_queries,
        uint32_t http_max_streams, char* http_endpoint,
-       comm_point_callback_type* callback, void* callback_arg)
+       comm_point_callback_type* callback, void* callback_arg,
+       struct unbound_socket* socket)
 {
        struct comm_point* c = (struct comm_point*)calloc(1,
                sizeof(struct comm_point));
@@ -3454,6 +3514,7 @@ comm_point_create_http_handler(struct comm_base *base,
        c->repinfo.c = c;
        c->callback = callback;
        c->cb_arg = callback_arg;
+       c->socket = socket;
 
        c->http_min_version = http_version_2;
        c->http2_stream_max_qbuffer_size = bufsize;
@@ -3518,7 +3579,7 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num,
        uint32_t http_max_streams, char* http_endpoint,
        struct tcl_list* tcp_conn_limit, size_t bufsize,
        struct sldns_buffer* spoolbuf, enum listen_type port_type,
-       comm_point_callback_type* callback, void* callback_arg)
+       comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket)
 {
        struct comm_point* c = (struct comm_point*)calloc(1,
                sizeof(struct comm_point));
@@ -3568,6 +3629,7 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num,
 #endif
        c->callback = NULL;
        c->cb_arg = NULL;
+       c->socket = socket;
        evbits = UB_EV_READ | UB_EV_PERSIST;
        /* ub_event stuff */
        c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits,
@@ -3589,12 +3651,12 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num,
                        port_type == listen_type_ssl ||
                        port_type == listen_type_tcp_dnscrypt) {
                        c->tcp_handlers[i] = comm_point_create_tcp_handler(base,
-                               c, bufsize, spoolbuf, callback, callback_arg);
+                               c, bufsize, spoolbuf, callback, callback_arg, socket);
                } else if(port_type == listen_type_http) {
                        c->tcp_handlers[i] = comm_point_create_http_handler(
                                base, c, bufsize, harden_large_queries,
                                http_max_streams, http_endpoint,
-                               callback, callback_arg);
+                               callback, callback_arg, socket);
                }
                else {
                        log_err("could not create tcp handler, unknown listen "
@@ -3895,11 +3957,13 @@ comm_point_close(struct comm_point* c)
 
        /* close fd after removing from event lists, or epoll.. is messed up */
        if(c->fd != -1 && !c->do_not_close) {
+#ifdef USE_WINSOCK
                if(c->type == comm_tcp || c->type == comm_http) {
                        /* delete sticky events for the fd, it gets closed */
                        ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ);
                        ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_WRITE);
                }
+#endif
                verbose(VERB_ALGO, "close fd %d", c->fd);
                sock_close(c->fd);
        }
@@ -3970,20 +4034,26 @@ comm_point_send_reply(struct comm_reply *repinfo)
                        comm_point_send_udp_msg(repinfo->c, buffer,
                        (struct sockaddr*)&repinfo->addr, repinfo->addrlen, 0);
 #ifdef USE_DNSTAP
-               if(repinfo->c->dtenv != NULL &&
-                  repinfo->c->dtenv->log_client_response_messages)
-                       dt_msg_send_client_response(repinfo->c->dtenv,
-                       &repinfo->addr, repinfo->c->type, repinfo->c->buffer);
+               /*
+                * sending src (client)/dst (local service) addresses over DNSTAP from udp callback
+                */
+               if(repinfo->c->dtenv != NULL && repinfo->c->dtenv->log_client_response_messages) {
+                       log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
+                       log_addr(VERB_ALGO, "response to client", &repinfo->addr, repinfo->addrlen);
+                       dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->buffer);
+               }
 #endif
        } else {
 #ifdef USE_DNSTAP
-               if(repinfo->c->tcp_parent->dtenv != NULL &&
-                  repinfo->c->tcp_parent->dtenv->log_client_response_messages)
-                       dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv,
-                       &repinfo->addr, repinfo->c->type,
-                       ( repinfo->c->tcp_req_info
-                       ? repinfo->c->tcp_req_info->spool_buffer
-                       : repinfo->c->buffer ));
+               /*
+                * sending src (client)/dst (local service) addresses over DNSTAP from TCP callback
+                */
+               if(repinfo->c->tcp_parent->dtenv != NULL && repinfo->c->tcp_parent->dtenv->log_client_response_messages) {
+                       log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
+                       log_addr(VERB_ALGO, "response to client", &repinfo->addr, repinfo->addrlen);
+                       dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type,
+                               ( repinfo->c->tcp_req_info? repinfo->c->tcp_req_info->spool_buffer: repinfo->c->buffer ));
+               }
 #endif
                if(repinfo->c->tcp_req_info) {
                        tcp_req_info_send_reply(repinfo->c->tcp_req_info);

diff --git a/sbin/unwind/libunbound/util/netevent.h b/sbin/unwind/libunbound/util/netevent.h
index 4a2aa16..c79f99b 100644 (file)
--- a/sbin/unwind/libunbound/util/netevent.h
+++ b/sbin/unwind/libunbound/util/netevent.h
@@ -70,6 +70,7 @@ struct comm_point;
 struct comm_reply;
 struct tcl_list;
 struct ub_event_base;
+struct unbound_socket;
 
 struct mesh_state;
 struct mesh_area;
@@ -169,6 +170,8 @@ struct comm_point {
        /** if the event is added or not */
        int event_added;
 
+       struct unbound_socket* socket;
+
        /** file descriptor for communication point */
        int fd;
 
@@ -495,12 +498,13 @@ struct ub_event_base* comm_base_internal(struct comm_base* b);
  * @param buffer: shared buffer by UDP sockets from this thread.
  * @param callback: callback function pointer.
  * @param callback_arg: will be passed to your callback function.
+ * @param socket: and opened socket properties will be passed to your callback function.
  * @return: returns the allocated communication point. NULL on error.
  * Sets timeout to NULL. Turns off TCP options.
  */
 struct comm_point* comm_point_create_udp(struct comm_base* base,
        int fd, struct sldns_buffer* buffer, 
-       comm_point_callback_type* callback, void* callback_arg);
+       comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket);
 
 /**
  * Create an UDP with ancillary data comm point. Calls malloc.
@@ -511,12 +515,13 @@ struct comm_point* comm_point_create_udp(struct comm_base* base,
  * @param buffer: shared buffer by UDP sockets from this thread.
  * @param callback: callback function pointer.
  * @param callback_arg: will be passed to your callback function.
+ * @param socket: and opened socket properties will be passed to your callback function.
  * @return: returns the allocated communication point. NULL on error.
  * Sets timeout to NULL. Turns off TCP options.
  */
 struct comm_point* comm_point_create_udp_ancil(struct comm_base* base,
        int fd, struct sldns_buffer* buffer, 
-       comm_point_callback_type* callback, void* callback_arg);
+       comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket);
 
 /**
  * Create a TCP listener comm point. Calls malloc.
@@ -539,6 +544,7 @@ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base,
  *     to select handler type to use.
  * @param callback: callback function pointer for TCP handlers.
  * @param callback_arg: will be passed to your callback function.
+ * @param socket: and opened socket properties will be passed to your callback function.
  * @return: returns the TCP listener commpoint. You can find the
  *     TCP handlers in the array inside the listener commpoint.
  *     returns NULL on error.
@@ -550,7 +556,7 @@ struct comm_point* comm_point_create_tcp(struct comm_base* base,
        struct tcl_list* tcp_conn_limit,
        size_t bufsize, struct sldns_buffer* spoolbuf,
        enum listen_type port_type,
-       comm_point_callback_type* callback, void* callback_arg);
+       comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket);
 
 /**
  * Create an outgoing TCP commpoint. No file descriptor is opened, left at -1.

diff --git a/sbin/unwind/libunbound/util/shm_side/shm_main.c b/sbin/unwind/libunbound/util/shm_side/shm_main.c
index af8c5bc..51039ab 100644 (file)
--- a/sbin/unwind/libunbound/util/shm_side/shm_main.c
+++ b/sbin/unwind/libunbound/util/shm_side/shm_main.c
@@ -130,6 +130,7 @@ int shm_main_init(struct daemon* daemon)
 
                /* Just release memory unused */
                free(daemon->shm_info);
+               daemon->shm_info = NULL;
 
                return 0;
        }
@@ -143,6 +144,7 @@ int shm_main_init(struct daemon* daemon)
 
                /* Just release memory unused */
                free(daemon->shm_info);
+               daemon->shm_info = NULL;
 
                return 0;
        }
@@ -156,6 +158,7 @@ int shm_main_init(struct daemon* daemon)
 
                /* Just release memory unused */
                free(daemon->shm_info);
+               daemon->shm_info = NULL;
 
                return 0;
        }
@@ -170,6 +173,7 @@ int shm_main_init(struct daemon* daemon)
 
                /* Just release memory unused */
                free(daemon->shm_info);
+               daemon->shm_info = NULL;
 
                return 0;
        }
@@ -210,6 +214,8 @@ void shm_main_shutdown(struct daemon* daemon)
        if (daemon->shm_info->ptr_arr)
                shmdt(daemon->shm_info->ptr_arr);
 
+       free(daemon->shm_info);
+       daemon->shm_info = NULL;
 #else
        (void)daemon;
 #endif /* HAVE_SHMGET */

diff --git a/sbin/unwind/libunbound/util/storage/lookup3.c b/sbin/unwind/libunbound/util/storage/lookup3.c
index bb25eb4..c402662 100644 (file)
--- a/sbin/unwind/libunbound/util/storage/lookup3.c
+++ b/sbin/unwind/libunbound/util/storage/lookup3.c
@@ -53,21 +53,69 @@ on 1 byte), but shoehorning those bytes into integers efficiently is messy.
 #include "util/storage/lookup3.h"
 #include <stdio.h>      /* defines printf for tests */
 #include <time.h>       /* defines time_t for timings in the test */
-/*#include <stdint.h>     defines uint32_t etc  (from config.h) */
-#include <sys/param.h>  /* attempt to define endianness */
-#ifdef HAVE_SYS_TYPES_H
-# include <sys/types.h> /* attempt to define endianness (solaris) */
-#endif
-#if defined(linux) || defined(__OpenBSD__)
+
+/*
+ * If our build system provides endianness info, signalled by
+ * HAVE_TARGET_ENDIANNESS and the presence or absence of TARGET_IS_BIG_ENDIAN,
+ * use that. Otherwise try to work out the endianness.
+ */
+#if defined(HAVE_TARGET_ENDIANNESS)
+# if defined(TARGET_IS_BIG_ENDIAN)
+#  define HASH_LITTLE_ENDIAN 0
+#  define HASH_BIG_ENDIAN 1
+# else
+#  define HASH_LITTLE_ENDIAN 1
+#  define HASH_BIG_ENDIAN 0
+# endif
+#else
+# include <sys/param.h>  /* attempt to define endianness */
+# ifdef HAVE_SYS_TYPES_H
+#  include <sys/types.h> /* attempt to define endianness (solaris) */
+# endif
+# if defined(linux) || defined(__OpenBSD__)
 #  ifdef HAVE_ENDIAN_H
 #    include <endian.h>    /* attempt to define endianness */
 #  else
 #    include <machine/endian.h> /* on older OpenBSD */
 #  endif
-#endif
-#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
-#include <sys/endian.h> /* attempt to define endianness */
-#endif
+# endif
+# if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
+#  include <sys/endian.h> /* attempt to define endianness */
+# endif
+  /*
+   * My best guess at if you are big-endian or little-endian.  This may
+   * need adjustment.
+   */
+# if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
+      __BYTE_ORDER == __LITTLE_ENDIAN) || \
+     (defined(i386) || defined(__i386__) || defined(__i486__) || \
+      defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL) || defined(__x86))
+#  define HASH_LITTLE_ENDIAN 1
+#  define HASH_BIG_ENDIAN 0
+# elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \
+        __BYTE_ORDER == __BIG_ENDIAN) || \
+       (defined(sparc) || defined(__sparc) || defined(__sparc__) || defined(POWERPC) || defined(mc68000) || defined(sel))
+#  define HASH_LITTLE_ENDIAN 0
+#  define HASH_BIG_ENDIAN 1
+# elif defined(_MACHINE_ENDIAN_H_)
+  /* test for machine_endian_h protects failure if some are empty strings */
+#  if defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && _BYTE_ORDER == _BIG_ENDIAN
+#   define HASH_LITTLE_ENDIAN 0
+#   define HASH_BIG_ENDIAN 1
+#  endif
+#  if defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && _BYTE_ORDER == _LITTLE_ENDIAN
+#   define HASH_LITTLE_ENDIAN 1
+#   define HASH_BIG_ENDIAN 0
+#  endif /* _MACHINE_ENDIAN_H_ */
+# else
+#  define HASH_LITTLE_ENDIAN 0
+#  define HASH_BIG_ENDIAN 0
+# endif
+#endif /* defined(HAVE_TARGET_ENDIANNESS) */
+
+#define hashsize(n) ((uint32_t)1<<(n))
+#define hashmask(n) (hashsize(n)-1)
+#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
 
 /* random initial value */
 static uint32_t raninit = (uint32_t)0xdeadbeef;
@@ -78,40 +126,6 @@ hash_set_raninit(uint32_t v)
        raninit = v;
 }
 
-/*
- * My best guess at if you are big-endian or little-endian.  This may
- * need adjustment.
- */
-#if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
-     __BYTE_ORDER == __LITTLE_ENDIAN) || \
-    (defined(i386) || defined(__i386__) || defined(__i486__) || \
-     defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL) || defined(__x86))
-# define HASH_LITTLE_ENDIAN 1
-# define HASH_BIG_ENDIAN 0
-#elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \
-       __BYTE_ORDER == __BIG_ENDIAN) || \
-      (defined(sparc) || defined(__sparc) || defined(__sparc__) || defined(POWERPC) || defined(mc68000) || defined(sel))
-# define HASH_LITTLE_ENDIAN 0
-# define HASH_BIG_ENDIAN 1
-#elif defined(_MACHINE_ENDIAN_H_)
-/* test for machine_endian_h protects failure if some are empty strings */
-# if defined(_BYTE_ORDER) && defined(_BIG_ENDIAN) && _BYTE_ORDER == _BIG_ENDIAN
-#  define HASH_LITTLE_ENDIAN 0
-#  define HASH_BIG_ENDIAN 1
-# endif
-# if defined(_BYTE_ORDER) && defined(_LITTLE_ENDIAN) && _BYTE_ORDER == _LITTLE_ENDIAN
-#  define HASH_LITTLE_ENDIAN 1
-#  define HASH_BIG_ENDIAN 0
-# endif /* _MACHINE_ENDIAN_H_ */
-#else
-# define HASH_LITTLE_ENDIAN 0
-# define HASH_BIG_ENDIAN 0
-#endif
-
-#define hashsize(n) ((uint32_t)1<<(n))
-#define hashmask(n) (hashsize(n)-1)
-#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
-
 /*
 -------------------------------------------------------------------------------
 mix -- mix 3 32-bit values reversibly.

diff --git a/sbin/unwind/libunbound/util/ub_event_pluggable.c b/sbin/unwind/libunbound/util/ub_event_pluggable.c
index 235bba6..4280d4d 100644 (file)
--- a/sbin/unwind/libunbound/util/ub_event_pluggable.c
+++ b/sbin/unwind/libunbound/util/ub_event_pluggable.c
@@ -666,7 +666,8 @@ ub_winsock_tcp_wouldblock(struct ub_event* ev, int eventbits)
                fptr_ok(ev->vmt != &default_event_vmt ||
                        ev->vmt->winsock_tcp_wouldblock ==
                        my_winsock_tcp_wouldblock);
-               (*ev->vmt->winsock_tcp_wouldblock)(ev, eventbits);
+               if (ev->vmt->winsock_tcp_wouldblock)
+                       (*ev->vmt->winsock_tcp_wouldblock)(ev, eventbits);
        }
 }
 

diff --git a/sbin/unwind/libunbound/validator/autotrust.c b/sbin/unwind/libunbound/validator/autotrust.c
index 7ce07e0..9643a3d 100644 (file)
--- a/sbin/unwind/libunbound/validator/autotrust.c
+++ b/sbin/unwind/libunbound/validator/autotrust.c
@@ -1077,6 +1077,17 @@ trustanchor_state2str(autr_state_type s)
         return " UNKNOWN ";
 }
 
+/** ctime r for autotrust */
+static char* autr_ctime_r(time_t* t, char* s)
+{
+       ctime_r(t, s);
+#ifdef USE_WINSOCK
+       if(strlen(s) > 10 && s[7]==' ' && s[8]=='0')
+               s[8]=' '; /* fix error in windows ctime */
+#endif
+       return s;
+}
+
 /** print ID to file */
 static int
 print_id(FILE* out, char* fname, uint8_t* nm, size_t nmlen, uint16_t dclass)
@@ -1123,13 +1134,13 @@ autr_write_contents(FILE* out, char* fn, struct trust_anchor* tp)
        }
        if(fprintf(out, ";;last_queried: %u ;;%s", 
                (unsigned int)tp->autr->last_queried, 
-               ctime_r(&(tp->autr->last_queried), tmi)) < 0 ||
+               autr_ctime_r(&(tp->autr->last_queried), tmi)) < 0 ||
           fprintf(out, ";;last_success: %u ;;%s", 
                (unsigned int)tp->autr->last_success,
-               ctime_r(&(tp->autr->last_success), tmi)) < 0 ||
+               autr_ctime_r(&(tp->autr->last_success), tmi)) < 0 ||
           fprintf(out, ";;next_probe_time: %u ;;%s", 
                (unsigned int)tp->autr->next_probe_time,
-               ctime_r(&(tp->autr->next_probe_time), tmi)) < 0 ||
+               autr_ctime_r(&(tp->autr->next_probe_time), tmi)) < 0 ||
           fprintf(out, ";;query_failed: %d\n", (int)tp->autr->query_failed)<0
           || fprintf(out, ";;query_interval: %d\n", 
           (int)tp->autr->query_interval) < 0 ||
@@ -1160,7 +1171,7 @@ autr_write_contents(FILE* out, char* fn, struct trust_anchor* tp)
                        ";;lastchange=%u ;;%s", str, (int)ta->s, 
                        trustanchor_state2str(ta->s), (int)ta->pending_count,
                        (unsigned int)ta->last_change, 
-                       ctime_r(&(ta->last_change), tmi)) < 0) {
+                       autr_ctime_r(&(ta->last_change), tmi)) < 0) {
                   log_err("could not write to %s: %s", fn, strerror(errno));
                   free(str);
                   return 0;
@@ -1579,6 +1590,7 @@ key_matches_a_ds(struct module_env* env, struct val_env* ve,
        for(ds_idx=0; ds_idx<num; ds_idx++) {
                if(!ds_digest_algo_is_supported(ds_rrset, ds_idx) ||
                        !ds_key_algo_is_supported(ds_rrset, ds_idx) ||
+                       !dnskey_size_is_supported(dnskey_rrset, key_idx) ||
                        ds_get_digest_algo(ds_rrset, ds_idx) != d)
                        continue;
                if(ds_get_key_algo(ds_rrset, ds_idx)
@@ -1633,7 +1645,8 @@ update_events(struct module_env* env, struct val_env* ve,
                }
                /* is a key of this type supported?. Note rr_list and
                 * packed_rrset are in the same order. */
-               if(!dnskey_algo_is_supported(dnskey_rrset, i)) {
+               if(!dnskey_algo_is_supported(dnskey_rrset, i) ||
+                       !dnskey_size_is_supported(dnskey_rrset, i)) {
                        /* skip unknown algorithm key, it is useless to us */
                        log_nametypeclass(VERB_DETAIL, "trust point has "
                                "unsupported algorithm at", 
@@ -2262,7 +2275,7 @@ autr_debug_print_ta(struct autr_ta* ta)
                return;
        }
        if(str[0]) str[strlen(str)-1]=0; /* remove newline */
-       ctime_r(&ta->last_change, buf);
+       (void)autr_ctime_r(&ta->last_change, buf);
        if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */
        log_info("[%s] %s ;;state:%d ;;pending_count:%d%s%s last:%s",
                trustanchor_state2str(ta->s), str, ta->s, ta->pending_count,
@@ -2289,13 +2302,13 @@ autr_debug_print_tp(struct trust_anchor* tp)
                log_packed_rrset(NO_VERBOSE, "DNSKEY:", tp->dnskey_rrset);
        }
        log_info("file %s", tp->autr->file);
-       ctime_r(&tp->autr->last_queried, buf);
+       (void)autr_ctime_r(&tp->autr->last_queried, buf);
        if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */
        log_info("last_queried: %u %s", (unsigned)tp->autr->last_queried, buf);
-       ctime_r(&tp->autr->last_success, buf);
+       (void)autr_ctime_r(&tp->autr->last_success, buf);
        if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */
        log_info("last_success: %u %s", (unsigned)tp->autr->last_success, buf);
-       ctime_r(&tp->autr->next_probe_time, buf);
+       (void)autr_ctime_r(&tp->autr->next_probe_time, buf);
        if(buf[0]) buf[strlen(buf)-1]=0; /* remove newline */
        log_info("next_probe_time: %u %s", (unsigned)tp->autr->next_probe_time,
                buf);

diff --git a/sbin/unwind/libunbound/validator/val_anchor.c b/sbin/unwind/libunbound/validator/val_anchor.c
index 9b6574c..b1a54e1 100644 (file)
--- a/sbin/unwind/libunbound/validator/val_anchor.c
+++ b/sbin/unwind/libunbound/validator/val_anchor.c
@@ -971,7 +971,8 @@ anchors_dnskey_unsupported(struct trust_anchor* ta)
 {
        size_t i, num = 0;
        for(i=0; i<ta->numDNSKEY; i++) {
-               if(!dnskey_algo_is_supported(ta->dnskey_rrset, i))
+               if(!dnskey_algo_is_supported(ta->dnskey_rrset, i) ||
+                       !dnskey_size_is_supported(ta->dnskey_rrset, i))
                        num++;
        }
        return num;
@@ -1048,6 +1049,10 @@ anchors_apply_cfg(struct val_anchors* anchors, struct config_file* cfg)
        const char** zstr;
        char* nm;
        sldns_buffer* parsebuf = sldns_buffer_new(65535);
+       if(!parsebuf) {
+               log_err("malloc error in anchors_apply_cfg.");
+               return 0;
+       }
        if(cfg->insecure_lan_zones) {
                for(zstr = as112_zones; *zstr; zstr++) {
                        if(!anchor_insert_insecure(anchors, *zstr)) {

diff --git a/sbin/unwind/libunbound/validator/val_nsec.c b/sbin/unwind/libunbound/validator/val_nsec.c
index 032d2ae..a4e5b31 100644 (file)
--- a/sbin/unwind/libunbound/validator/val_nsec.c
+++ b/sbin/unwind/libunbound/validator/val_nsec.c
@@ -180,6 +180,7 @@ nsec_verify_rrset(struct module_env* env, struct val_env* ve,
 {
        struct packed_rrset_data* d = (struct packed_rrset_data*)
                nsec->entry.data;
+       if(!d) return 0;
        if(d->security == sec_status_secure)
                return 1;
        rrset_check_sec_status(env->rrset_cache, nsec, *env->now);

diff --git a/sbin/unwind/libunbound/validator/val_secalgo.c b/sbin/unwind/libunbound/validator/val_secalgo.c
index 15cccf0..7abf66f 100644 (file)
--- a/sbin/unwind/libunbound/validator/val_secalgo.c
+++ b/sbin/unwind/libunbound/validator/val_secalgo.c
@@ -141,6 +141,69 @@ secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
 #endif
 }
 
+/** hash structure for keeping track of running hashes */
+struct secalgo_hash {
+       /** the openssl message digest context */
+       EVP_MD_CTX* ctx;
+};
+
+/** create secalgo hash with hash type */
+static struct secalgo_hash* secalgo_hash_create_md(const EVP_MD* md)
+{
+       struct secalgo_hash* h;
+       if(!md)
+               return NULL;
+       h = calloc(1, sizeof(*h));
+       if(!h)
+               return NULL;
+       h->ctx = EVP_MD_CTX_create();
+       if(!h->ctx) {
+               free(h);
+               return NULL;
+       }
+       if(!EVP_DigestInit_ex(h->ctx, md, NULL)) {
+               EVP_MD_CTX_destroy(h->ctx);
+               free(h);
+               return NULL;
+       }
+       return h;
+}
+
+struct secalgo_hash* secalgo_hash_create_sha384(void)
+{
+       return secalgo_hash_create_md(EVP_sha384());
+}
+
+struct secalgo_hash* secalgo_hash_create_sha512(void)
+{
+       return secalgo_hash_create_md(EVP_sha512());
+}
+
+int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len)
+{
+       return EVP_DigestUpdate(hash->ctx, (unsigned char*)data,
+               (unsigned int)len);
+}
+
+int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
+        size_t maxlen, size_t* resultlen)
+{
+       if(EVP_MD_CTX_size(hash->ctx) > (int)maxlen) {
+               *resultlen = 0;
+               log_err("secalgo_hash_final: hash buffer too small");
+               return 0;
+       }
+       *resultlen = EVP_MD_CTX_size(hash->ctx);
+       return EVP_DigestFinal_ex(hash->ctx, result, NULL);
+}
+
+void secalgo_hash_delete(struct secalgo_hash* hash)
+{
+       if(!hash) return;
+       EVP_MD_CTX_destroy(hash->ctx);
+       free(hash);
+}
+
 /**
  * Return size of DS digest according to its hash algorithm.
  * @param algo: DS digest algo.
@@ -450,29 +513,13 @@ static int
 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type, 
        unsigned char* key, size_t keylen)
 {
-#if defined(USE_DSA) && defined(USE_SHA1)
-       DSA* dsa;
-#endif
-       RSA* rsa;
-
        switch(algo) {
 #if defined(USE_DSA) && defined(USE_SHA1)
                case LDNS_DSA:
                case LDNS_DSA_NSEC3:
-                       *evp_key = EVP_PKEY_new();
+                       *evp_key = sldns_key_dsa2pkey_raw(key, keylen);
                        if(!*evp_key) {
-                               log_err("verify: malloc failure in crypto");
-                               return 0;
-                       }
-                       dsa = sldns_key_buf2dsa_raw(key, keylen);
-                       if(!dsa) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "sldns_key_buf2dsa_raw failed");
-                               return 0;
-                       }
-                       if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "EVP_PKEY_assign_DSA failed");
+                               verbose(VERB_QUERY, "verify: sldns_key_dsa2pkey failed");
                                return 0;
                        }
 #ifdef HAVE_EVP_DSS1
@@ -495,20 +542,9 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
                case LDNS_RSASHA512:
 #endif
-                       *evp_key = EVP_PKEY_new();
+                       *evp_key = sldns_key_rsa2pkey_raw(key, keylen);
                        if(!*evp_key) {
-                               log_err("verify: malloc failure in crypto");
-                               return 0;
-                       }
-                       rsa = sldns_key_buf2rsa_raw(key, keylen);
-                       if(!rsa) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "sldns_key_buf2rsa_raw SHA failed");
-                               return 0;
-                       }
-                       if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "EVP_PKEY_assign_RSA SHA failed");
+                               verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey SHA failed");
                                return 0;
                        }
 
@@ -532,20 +568,9 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */
 
                case LDNS_RSAMD5:
-                       *evp_key = EVP_PKEY_new();
+                       *evp_key = sldns_key_rsa2pkey_raw(key, keylen);
                        if(!*evp_key) {
-                               log_err("verify: malloc failure in crypto");
-                               return 0;
-                       }
-                       rsa = sldns_key_buf2rsa_raw(key, keylen);
-                       if(!rsa) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "sldns_key_buf2rsa_raw MD5 failed");
-                               return 0;
-                       }
-                       if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
-                               verbose(VERB_QUERY, "verify: "
-                                       "EVP_PKEY_assign_RSA MD5 failed");
+                               verbose(VERB_QUERY, "verify: sldns_key_rsa2pkey MD5 failed");
                                return 0;
                        }
                        *digest_type = EVP_md5();
@@ -823,6 +848,64 @@ secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
        (void)HASH_HashBuf(HASH_AlgSHA256, res, buf, (unsigned long)len);
 }
 
+/** the secalgo hash structure */
+struct secalgo_hash {
+       /** hash context */
+       HASHContext* ctx;
+};
+
+/** create hash struct of type */
+static struct secalgo_hash* secalgo_hash_create_type(HASH_HashType tp)
+{
+       struct secalgo_hash* h = calloc(1, sizeof(*h));
+       if(!h)
+               return NULL;
+       h->ctx = HASH_Create(tp);
+       if(!h->ctx) {
+               free(h);
+               return NULL;
+       }
+       return h;
+}
+
+struct secalgo_hash* secalgo_hash_create_sha384(void)
+{
+       return secalgo_hash_create_type(HASH_AlgSHA384);
+}
+
+struct secalgo_hash* secalgo_hash_create_sha512(void)
+{
+       return secalgo_hash_create_type(HASH_AlgSHA512);
+}
+
+int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len)
+{
+       HASH_Update(hash->ctx, (unsigned char*)data, (unsigned int)len);
+       return 1;
+}
+
+int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
+        size_t maxlen, size_t* resultlen)
+{
+       unsigned int reslen = 0;
+       if(HASH_ResultLenContext(hash->ctx) > (unsigned int)maxlen) {
+               *resultlen = 0;
+               log_err("secalgo_hash_final: hash buffer too small");
+               return 0;
+       }
+       HASH_End(hash->ctx, (unsigned char*)result, &reslen,
+               (unsigned int)maxlen);
+       *resultlen = (size_t)reslen;
+       return 1;
+}
+
+void secalgo_hash_delete(struct secalgo_hash* hash)
+{
+       if(!hash) return;
+       HASH_Destroy(hash->ctx);
+       free(hash);
+}
+
 size_t
 ds_digest_size_supported(int algo)
 {
@@ -1451,6 +1534,82 @@ secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
        _digest_nettle(SHA256_DIGEST_SIZE, (uint8_t*)buf, len, res);
 }
 
+/** secalgo hash structure */
+struct secalgo_hash {
+       /** if it is 384 or 512 */
+       int active;
+       /** context for sha384 */
+       struct sha384_ctx ctx384;
+       /** context for sha512 */
+       struct sha512_ctx ctx512;
+};
+
+struct secalgo_hash* secalgo_hash_create_sha384(void)
+{
+       struct secalgo_hash* h = calloc(1, sizeof(*h));
+       if(!h)
+               return NULL;
+       h->active = 384;
+       sha384_init(&h->ctx384);
+       return h;
+}
+
+struct secalgo_hash* secalgo_hash_create_sha512(void)
+{
+       struct secalgo_hash* h = calloc(1, sizeof(*h));
+       if(!h)
+               return NULL;
+       h->active = 512;
+       sha512_init(&h->ctx512);
+       return h;
+}
+
+int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len)
+{
+       if(hash->active == 384) {
+               sha384_update(&hash->ctx384, len, data);
+       } else if(hash->active == 512) {
+               sha512_update(&hash->ctx512, len, data);
+       } else {
+               return 0;
+       }
+       return 1;
+}
+
+int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
+        size_t maxlen, size_t* resultlen)
+{
+       if(hash->active == 384) {
+               if(SHA384_DIGEST_SIZE > maxlen) {
+                       *resultlen = 0;
+                       log_err("secalgo_hash_final: hash buffer too small");
+                       return 0;
+               }
+               *resultlen = SHA384_DIGEST_SIZE;
+               sha384_digest(&hash->ctx384, SHA384_DIGEST_SIZE,
+                       (unsigned char*)result);
+       } else if(hash->active == 512) {
+               if(SHA512_DIGEST_SIZE > maxlen) {
+                       *resultlen = 0;
+                       log_err("secalgo_hash_final: hash buffer too small");
+                       return 0;
+               }
+               *resultlen = SHA512_DIGEST_SIZE;
+               sha512_digest(&hash->ctx512, SHA512_DIGEST_SIZE,
+                       (unsigned char*)result);
+       } else {
+               *resultlen = 0;
+               return 0;
+       }
+       return 1;
+}
+
+void secalgo_hash_delete(struct secalgo_hash* hash)
+{
+       if(!hash) return;
+       free(hash);
+}
+
 /**
  * Return size of DS digest according to its hash algorithm.
  * @param algo: DS digest algo.

diff --git a/sbin/unwind/libunbound/validator/val_secalgo.h b/sbin/unwind/libunbound/validator/val_secalgo.h
index 52aaeb9..8b6080d 100644 (file)
--- a/sbin/unwind/libunbound/validator/val_secalgo.h
+++ b/sbin/unwind/libunbound/validator/val_secalgo.h
@@ -43,6 +43,7 @@
 #ifndef VALIDATOR_VAL_SECALGO_H
 #define VALIDATOR_VAL_SECALGO_H
 struct sldns_buffer;
+struct secalgo_hash;
 
 /** Return size of nsec3 hash algorithm, 0 if not supported */
 size_t nsec3_hash_algo_size_supported(int id);
@@ -67,6 +68,48 @@ int secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
  */
 void secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res);
 
+/**
+ * Start a hash of type sha384. Allocates structure, then inits it,
+ * so that a series of updates can be performed, before the final result.
+ * @return hash structure.  NULL on malloc failure or no support.
+ */
+struct secalgo_hash* secalgo_hash_create_sha384(void);
+
+/**
+ * Start a hash of type sha512. Allocates structure, then inits it,
+ * so that a series of updates can be performed, before the final result.
+ * @return hash structure.  NULL on malloc failure or no support.
+ */
+struct secalgo_hash* secalgo_hash_create_sha512(void);
+
+/**
+ * Update a hash with more information to add to it.
+ * @param hash: the hash that is updated.
+ * @param data: data to add.
+ * @param len: length of data.
+ * @return false on failure.
+ */
+int secalgo_hash_update(struct secalgo_hash* hash, uint8_t* data, size_t len);
+
+/**
+ * Get the final result of the hash.
+ * @param hash: the hash that has had updates to it.
+ * @param result: where to store the result.
+ * @param maxlen: length of the result buffer, eg. size of the allocation.
+ *     If not large enough the routine fails.
+ * @param resultlen: the length of the result, returned to the caller.
+ *     How much of maxlen is used.
+ * @return false on failure.
+ */
+int secalgo_hash_final(struct secalgo_hash* hash, uint8_t* result,
+       size_t maxlen, size_t* resultlen);
+
+/**
+ * Delete the hash structure.
+ * @param hash: the hash to delete.
+ */
+void secalgo_hash_delete(struct secalgo_hash* hash);
+
 /**
  * Return size of DS digest according to its hash algorithm.
  * @param algo: DS digest algo.

diff --git a/sbin/unwind/libunbound/validator/val_sigcrypt.c b/sbin/unwind/libunbound/validator/val_sigcrypt.c
index de730f6..b15fba3 100644 (file)
--- a/sbin/unwind/libunbound/validator/val_sigcrypt.c
+++ b/sbin/unwind/libunbound/validator/val_sigcrypt.c
@@ -386,6 +386,49 @@ int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
                dnskey_idx));
 }
 
+int dnskey_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
+       size_t dnskey_idx)
+{
+#ifdef DEPRECATE_RSA_1024
+       uint8_t* rdata;
+       size_t len;
+       int alg = dnskey_get_algo(dnskey_rrset, dnskey_idx);
+       size_t keysize;
+
+       rrset_get_rdata(dnskey_rrset, dnskey_idx, &rdata, &len);
+       if(len < 2+4)
+               return 0;
+       keysize = sldns_rr_dnskey_key_size_raw(rdata+2+4, len-2-4, alg);
+
+       switch((sldns_algorithm)alg) {
+       case LDNS_RSAMD5:
+       case LDNS_RSASHA1:
+       case LDNS_RSASHA1_NSEC3:
+       case LDNS_RSASHA256:
+       case LDNS_RSASHA512:
+               /* reject RSA keys of 1024 bits and shorter */
+               if(keysize <= 1024)
+                       return 0;
+               break;
+       default:
+               break;
+       }
+#else
+       (void)dnskey_rrset; (void)dnskey_idx;
+#endif /* DEPRECATE_RSA_1024 */
+       return 1;
+}
+
+int dnskeyset_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset)
+{
+       size_t i, num = rrset_get_count(dnskey_rrset);
+       for(i=0; i<num; i++) {
+               if(!dnskey_size_is_supported(dnskey_rrset, i))
+                       return 0;
+       }
+       return 1;
+}
+
 void algo_needs_init_dnskey_add(struct algo_needs* n,
         struct ub_packed_rrset_key* dnskey, uint8_t* sigalg)
 {
@@ -1187,7 +1230,7 @@ rrset_canonical(struct regional* region, sldns_buffer* buf,
         * section, to prevent that a wildcard synthesized NSEC can be used in
         * the non-existence proves. */
        if(ntohs(k->rk.type) == LDNS_RR_TYPE_NSEC &&
-               section == LDNS_SECTION_AUTHORITY) {
+               section == LDNS_SECTION_AUTHORITY && qstate) {
                k->rk.dname = regional_alloc_init(qstate->region, can_owner,
                        can_owner_len);
                if(!k->rk.dname)
@@ -1199,6 +1242,59 @@ rrset_canonical(struct regional* region, sldns_buffer* buf,
        return 1;
 }
 
+int
+rrset_canonicalize_to_buffer(struct regional* region, sldns_buffer* buf,
+       struct ub_packed_rrset_key* k)
+{
+       struct rbtree_type* sortree = NULL;
+       struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data;
+       uint8_t* can_owner = NULL;
+       size_t can_owner_len = 0;
+       struct canon_rr* walk;
+       struct canon_rr* rrs;
+
+       sortree = (struct rbtree_type*)regional_alloc(region,
+               sizeof(rbtree_type));
+       if(!sortree)
+               return 0;
+       if(d->count > RR_COUNT_MAX)
+               return 0; /* integer overflow protection */
+       rrs = regional_alloc(region, sizeof(struct canon_rr)*d->count);
+       if(!rrs) {
+               return 0;
+       }
+       rbtree_init(sortree, &canonical_tree_compare);
+       canonical_sort(k, d, sortree, rrs);
+
+       sldns_buffer_clear(buf);
+       RBTREE_FOR(walk, struct canon_rr*, sortree) {
+               /* see if there is enough space left in the buffer */
+               if(sldns_buffer_remaining(buf) < can_owner_len + 2 + 2 + 4
+                       + d->rr_len[walk->rr_idx]) {
+                       log_err("verify: failed to canonicalize, "
+                               "rrset too big");
+                       return 0;
+               }
+               /* determine canonical owner name */
+               if(can_owner)
+                       sldns_buffer_write(buf, can_owner, can_owner_len);
+               else    {
+                       can_owner = sldns_buffer_current(buf);
+                       sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len);
+                       query_dname_tolower(can_owner);
+                       can_owner_len = k->rk.dname_len;
+               }
+               sldns_buffer_write(buf, &k->rk.type, 2);
+               sldns_buffer_write(buf, &k->rk.rrset_class, 2);
+               sldns_buffer_write_u32(buf, d->rr_ttl[walk->rr_idx]);
+               sldns_buffer_write(buf, d->rr_data[walk->rr_idx],
+                       d->rr_len[walk->rr_idx]);
+               canonicalize_rdata(buf, k, d->rr_len[walk->rr_idx]);
+       }
+       sldns_buffer_flip(buf);
+       return 1;
+}
+
 /** pretty print rrsig error with dates */
 static void
 sigdate_error(const char* str, int32_t expi, int32_t incep, int32_t now)

diff --git a/sbin/unwind/libunbound/validator/val_sigcrypt.h b/sbin/unwind/libunbound/validator/val_sigcrypt.h
index 755a1d6..bbb9578 100644 (file)
--- a/sbin/unwind/libunbound/validator/val_sigcrypt.h
+++ b/sbin/unwind/libunbound/validator/val_sigcrypt.h
@@ -180,6 +180,23 @@ uint16_t ds_get_keytag(struct ub_packed_rrset_key* ds_rrset, size_t ds_idx);
 int dnskey_algo_is_supported(struct ub_packed_rrset_key* dnskey_rrset, 
        size_t dnskey_idx);
 
+/**
+ * See if the DNSKEY size at that algorithm is supported.
+ * @param dnskey_rrset: DNSKEY rrset.
+ * @param dnskey_idx: index of RR in rrset.
+ * @return true if supported.
+ */
+int dnskey_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset,
+       size_t dnskey_idx);
+
+/**
+ * See if the DNSKEY size at that algorithm is supported for all the
+ * RRs in the DNSKEY RRset.
+ * @param dnskey_rrset: DNSKEY rrset.
+ * @return true if supported.
+ */
+int dnskeyset_size_is_supported(struct ub_packed_rrset_key* dnskey_rrset);
+
 /** 
  * See if DS digest algorithm is supported 
  * @param ds_rrset: DS rrset
@@ -334,4 +351,16 @@ int canonical_tree_compare(const void* k1, const void* k2);
 int rrset_canonical_equal(struct regional* region,
        struct ub_packed_rrset_key* k1, struct ub_packed_rrset_key* k2);
 
+/**
+ * Canonicalize an rrset into the buffer.  For an auth zone record, so
+ * this does not use a signature, or the RRSIG TTL or the wildcard label
+ * count from the RRSIG.
+ * @param region: temporary region.
+ * @param buf: the buffer to use.
+ * @param k: the rrset to insert.
+ * @return false on alloc error.
+ */
+int rrset_canonicalize_to_buffer(struct regional* region,
+       struct sldns_buffer* buf, struct ub_packed_rrset_key* k);
+
 #endif /* VALIDATOR_VAL_SIGCRYPT_H */

diff --git a/sbin/unwind/libunbound/validator/val_utils.c b/sbin/unwind/libunbound/validator/val_utils.c
index 2f36fcc..dd8d320 100644 (file)
--- a/sbin/unwind/libunbound/validator/val_utils.c
+++ b/sbin/unwind/libunbound/validator/val_utils.c
@@ -418,7 +418,7 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
        struct module_qstate* qstate)
 {
        enum sec_status sec = sec_status_bogus;
-       size_t i, num, numchecked = 0, numhashok = 0;
+       size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0;
        num = rrset_get_count(dnskey_rrset);
        for(i=0; i<num; i++) {
                /* Skip DNSKEYs that don't match the basic criteria. */
@@ -441,6 +441,11 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
                        continue;
                }
                numhashok++;
+               if(!dnskey_size_is_supported(dnskey_rrset, i)) {
+                       verbose(VERB_ALGO, "DS okay but that DNSKEY size is not supported");
+                       numsizesupp++;
+                       continue;
+               }
                verbose(VERB_ALGO, "DS match digest ok, trying signature");
 
                /* Otherwise, we have a match! Make sure that the DNSKEY 
@@ -452,6 +457,10 @@ verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve,
                }
                /* If it didn't validate with the DNSKEY, try the next one! */
        }
+       if(numsizesupp != 0) {
+               /* there is a working DS, but that DNSKEY is not supported */
+               return sec_status_insecure;
+       }
        if(numchecked == 0)
                algo_needs_reason(env, ds_get_key_algo(ds_rrset, ds_idx),
                        reason, "no keys have a DS");
@@ -519,17 +528,24 @@ val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve,
                        continue;
                }
 
+               sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
+                       ds_rrset, i, reason, qstate);
+               if(sec == sec_status_insecure)
+                       continue;
+
                /* Once we see a single DS with a known digestID and 
                 * algorithm, we cannot return INSECURE (with a 
                 * "null" KeyEntry). */
                has_useful_ds = 1;
 
-               sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, 
-                       ds_rrset, i, reason, qstate);
                if(sec == sec_status_secure) {
                        if(!sigalg || algo_needs_set_secure(&needs,
                                (uint8_t)ds_get_key_algo(ds_rrset, i))) {
                                verbose(VERB_ALGO, "DS matched DNSKEY.");
+                               if(!dnskeyset_size_is_supported(dnskey_rrset)) {
+                                       verbose(VERB_ALGO, "DS works, but dnskeyset contain keys that are unsupported, treat as insecure");
+                                       return sec_status_insecure;
+                               }
                                return sec_status_secure;
                        }
                } else if(sigalg && sec == sec_status_bogus) {
@@ -631,17 +647,24 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
                        ds_get_digest_algo(ta_ds, i) != digest_algo)
                        continue;
 
+               sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset,
+                       ta_ds, i, reason, qstate);
+               if(sec == sec_status_insecure)
+                       continue;
+
                /* Once we see a single DS with a known digestID and 
                 * algorithm, we cannot return INSECURE (with a 
                 * "null" KeyEntry). */
                has_useful_ta = 1;
 
-               sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, 
-                       ta_ds, i, reason, qstate);
                if(sec == sec_status_secure) {
                        if(!sigalg || algo_needs_set_secure(&needs,
                                (uint8_t)ds_get_key_algo(ta_ds, i))) {
                                verbose(VERB_ALGO, "DS matched DNSKEY.");
+                               if(!dnskeyset_size_is_supported(dnskey_rrset)) {
+                                       verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure");
+                                       return sec_status_insecure;
+                               }
                                return sec_status_secure;
                        }
                } else if(sigalg && sec == sec_status_bogus) {
@@ -658,6 +681,8 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
                /* Check to see if we can understand this DNSKEY */
                if(!dnskey_algo_is_supported(ta_dnskey, i))
                        continue;
+               if(!dnskey_size_is_supported(ta_dnskey, i))
+                       continue;
 
                /* we saw a useful TA */
                has_useful_ta = 1;
@@ -668,6 +693,10 @@ val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve,
                        if(!sigalg || algo_needs_set_secure(&needs,
                                (uint8_t)dnskey_get_algo(ta_dnskey, i))) {
                                verbose(VERB_ALGO, "anchor matched DNSKEY.");
+                               if(!dnskeyset_size_is_supported(dnskey_rrset)) {
+                                       verbose(VERB_ALGO, "trustanchor works, but dnskeyset contain keys that are unsupported, treat as insecure");
+                                       return sec_status_insecure;
+                               }
                                return sec_status_secure;
                        }
                } else if(sigalg && sec == sec_status_bogus) {

diff --git a/sbin/unwind/libunbound/validator/validator.c b/sbin/unwind/libunbound/validator/validator.c
index e12180b..d4d48d9 100644 (file)
--- a/sbin/unwind/libunbound/validator/validator.c
+++ b/sbin/unwind/libunbound/validator/validator.c
@@ -137,6 +137,7 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env,
        val_env->date_override = cfg->val_date_override;
        val_env->skew_min = cfg->val_sig_skew_min;
        val_env->skew_max = cfg->val_sig_skew_max;
+       val_env->max_restart = cfg->val_max_restart;
        c = cfg_count_numbers(cfg->val_nsec3_key_iterations);
        if(c < 1 || (c&1)) {
                log_err("validator: unparseable or odd nsec3 key "
@@ -1487,7 +1488,7 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
        enum val_classification subtype = val_classify_response(
                qstate->query_flags, &qstate->qinfo, &vq->qchase, 
                vq->orig_msg->rep, vq->rrset_skip);
-       if(vq->restart_count > VAL_MAX_RESTART_COUNT) {
+       if(vq->restart_count > ve->max_restart) {
                verbose(VERB_ALGO, "restart count exceeded");
                return val_error(qstate, id);
        }
@@ -1640,7 +1641,7 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
                        errinf(qstate, key_entry_get_reason(vq->key_entry));
                }
                /* no retries, stop bothering the authority until timeout */
-               vq->restart_count = VAL_MAX_RESTART_COUNT;
+               vq->restart_count = ve->max_restart;
                vq->chase_reply->security = sec_status_bogus;
                vq->state = VAL_FINISHED_STATE;
                return 1;
@@ -1848,7 +1849,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
                        LDNS_RR_TYPE_DNSKEY, vq->key_entry->key_class);
                vq->chase_reply->security = sec_status_bogus;
                errinf(qstate, "while building chain of trust");
-               if(vq->restart_count >= VAL_MAX_RESTART_COUNT)
+               if(vq->restart_count >= ve->max_restart)
                        key_cache_insert(ve->kcache, vq->key_entry, qstate);
                return 1;
        }
@@ -2064,7 +2065,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
         * endless bogus revalidation */
        if(vq->orig_msg->rep->security == sec_status_bogus) {
                /* see if we can try again to fetch data */
-               if(vq->restart_count < VAL_MAX_RESTART_COUNT) {
+               if(vq->restart_count < ve->max_restart) {
                        int restart_count = vq->restart_count+1;
                        verbose(VERB_ALGO, "validation failed, "
                                "blacklist and retry to fetch data");
@@ -2605,6 +2606,7 @@ process_ds_response(struct module_qstate* qstate, struct val_qstate* vq,
        int id, int rcode, struct dns_msg* msg, struct query_info* qinfo,
        struct sock_list* origin)
 {
+       struct val_env* ve = (struct val_env*)qstate->env->modinfo[id];
        struct key_entry_key* dske = NULL;
        uint8_t* olds = vq->empty_DS_name;
        vq->empty_DS_name = NULL;
@@ -2638,7 +2640,7 @@ process_ds_response(struct module_qstate* qstate, struct val_qstate* vq,
                vq->chain_blacklist = NULL; /* fresh blacklist for next part*/
                /* Keep the forState.state on FINDKEY. */
        } else if(key_entry_isbad(dske) 
-               && vq->restart_count < VAL_MAX_RESTART_COUNT) {
+               && vq->restart_count < ve->max_restart) {
                vq->empty_DS_name = olds;
                val_blacklist(&vq->chain_blacklist, qstate->region, origin, 1);
                qstate->errinf = NULL;
@@ -2691,7 +2693,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
                /* bad response */
                verbose(VERB_DETAIL, "Missing DNSKEY RRset in response to "
                        "DNSKEY query.");
-               if(vq->restart_count < VAL_MAX_RESTART_COUNT) {
+               if(vq->restart_count < ve->max_restart) {
                        val_blacklist(&vq->chain_blacklist, qstate->region,
                                origin, 1);
                        qstate->errinf = NULL;
@@ -2730,7 +2732,7 @@ process_dnskey_response(struct module_qstate* qstate, struct val_qstate* vq,
         * state. */
        if(!key_entry_isgood(vq->key_entry)) {
                if(key_entry_isbad(vq->key_entry)) {
-                       if(vq->restart_count < VAL_MAX_RESTART_COUNT) {
+                       if(vq->restart_count < ve->max_restart) {
                                val_blacklist(&vq->chain_blacklist, 
                                        qstate->region, origin, 1);
                                qstate->errinf = NULL;
@@ -2807,7 +2809,7 @@ process_prime_response(struct module_qstate* qstate, struct val_qstate* vq,
        lock_basic_unlock(&ta->lock);
        if(vq->key_entry) {
                if(key_entry_isbad(vq->key_entry) 
-                       && vq->restart_count < VAL_MAX_RESTART_COUNT) {
+                       && vq->restart_count < ve->max_restart) {
                        val_blacklist(&vq->chain_blacklist, qstate->region, 
                                origin, 1);
                        qstate->errinf = NULL;

diff --git a/sbin/unwind/libunbound/validator/validator.h b/sbin/unwind/libunbound/validator/validator.h
index 35da192..a928e10 100644 (file)
--- a/sbin/unwind/libunbound/validator/validator.h
+++ b/sbin/unwind/libunbound/validator/validator.h
@@ -64,9 +64,6 @@ struct config_strlist;
  */
 #define BOGUS_KEY_TTL  60 /* seconds */
 
-/** max number of query restarts, number of IPs to probe */
-#define VAL_MAX_RESTART_COUNT 5
-
 /** Root key sentinel is ta preamble */
 #define SENTINEL_IS            "root-key-sentinel-is-ta-"
 /** Root key sentinel is not ta preamble */
@@ -95,6 +92,9 @@ struct val_env {
        /** clock skew max for signatures */
        int32_t skew_max;
 
+       /** max number of query restarts, number of IPs to probe */
+       int32_t max_restart;
+
        /** TTL for bogus data; used instead of untrusted TTL from data.
         * Bogus data will not be verified more often than this interval. 
         * seconds. */