diff options
Diffstat (limited to 'lib/dns/ssu.c')
-rw-r--r-- | lib/dns/ssu.c | 711 |
1 files changed, 711 insertions, 0 deletions
diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c new file mode 100644 index 0000000..71ded66 --- /dev/null +++ b/lib/dns/ssu.c @@ -0,0 +1,711 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/*! \file */ + +#include <config.h> + +#include <stdbool.h> + +#include <isc/magic.h> +#include <isc/mem.h> +#include <isc/netaddr.h> +#include <isc/result.h> +#include <isc/string.h> +#include <isc/util.h> + +#include <dns/dlz.h> +#include <dns/fixedname.h> +#include <dns/name.h> +#include <dns/ssu.h> + +#include <dst/gssapi.h> +#include <dst/dst.h> + +#define SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T') +#define VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC) + +#define SSURULEMAGIC ISC_MAGIC('S', 'S', 'U', 'R') +#define VALID_SSURULE(table) ISC_MAGIC_VALID(table, SSURULEMAGIC) + +struct dns_ssurule { + unsigned int magic; + bool grant; /*%< is this a grant or a deny? */ + unsigned int matchtype; /*%< which type of pattern match? */ + dns_name_t *identity; /*%< the identity to match */ + dns_name_t *name; /*%< the name being updated */ + unsigned int ntypes; /*%< number of data types covered */ + dns_rdatatype_t *types; /*%< the data types. Can include ANY, */ + /*%< defaults to all but SIG,SOA,NS if NULL */ + ISC_LINK(dns_ssurule_t) link; +}; + +struct dns_ssutable { + unsigned int magic; + isc_mem_t *mctx; + unsigned int references; + isc_mutex_t lock; + dns_dlzdb_t *dlzdatabase; + ISC_LIST(dns_ssurule_t) rules; +}; + +isc_result_t +dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) { + isc_result_t result; + dns_ssutable_t *table; + + REQUIRE(tablep != NULL && *tablep == NULL); + REQUIRE(mctx != NULL); + + table = isc_mem_get(mctx, sizeof(dns_ssutable_t)); + if (table == NULL) + return (ISC_R_NOMEMORY); + result = isc_mutex_init(&table->lock); + if (result != ISC_R_SUCCESS) { + isc_mem_put(mctx, table, sizeof(dns_ssutable_t)); + return (result); + } + table->references = 1; + table->mctx = NULL; + isc_mem_attach(mctx, &table->mctx); + ISC_LIST_INIT(table->rules); + table->magic = SSUTABLEMAGIC; + *tablep = table; + return (ISC_R_SUCCESS); +} + +static inline void +destroy(dns_ssutable_t *table) { + isc_mem_t *mctx; + + REQUIRE(VALID_SSUTABLE(table)); + + mctx = table->mctx; + while (!ISC_LIST_EMPTY(table->rules)) { + dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules); + if (rule->identity != NULL) { + dns_name_free(rule->identity, mctx); + isc_mem_put(mctx, rule->identity, sizeof(dns_name_t)); + } + if (rule->name != NULL) { + dns_name_free(rule->name, mctx); + isc_mem_put(mctx, rule->name, sizeof(dns_name_t)); + } + if (rule->types != NULL) + isc_mem_put(mctx, rule->types, + rule->ntypes * sizeof(dns_rdatatype_t)); + ISC_LIST_UNLINK(table->rules, rule, link); + rule->magic = 0; + isc_mem_put(mctx, rule, sizeof(dns_ssurule_t)); + } + DESTROYLOCK(&table->lock); + table->magic = 0; + isc_mem_putanddetach(&table->mctx, table, sizeof(dns_ssutable_t)); +} + +void +dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) { + REQUIRE(VALID_SSUTABLE(source)); + REQUIRE(targetp != NULL && *targetp == NULL); + + LOCK(&source->lock); + + INSIST(source->references > 0); + source->references++; + INSIST(source->references != 0); + + UNLOCK(&source->lock); + + *targetp = source; +} + +void +dns_ssutable_detach(dns_ssutable_t **tablep) { + dns_ssutable_t *table; + bool done = false; + + REQUIRE(tablep != NULL); + table = *tablep; + REQUIRE(VALID_SSUTABLE(table)); + + LOCK(&table->lock); + + INSIST(table->references > 0); + if (--table->references == 0) + done = true; + UNLOCK(&table->lock); + + *tablep = NULL; + + if (done) + destroy(table); +} + +isc_result_t +dns_ssutable_addrule(dns_ssutable_t *table, bool grant, + dns_name_t *identity, unsigned int matchtype, + dns_name_t *name, unsigned int ntypes, + dns_rdatatype_t *types) +{ + dns_ssurule_t *rule; + isc_mem_t *mctx; + isc_result_t result; + + REQUIRE(VALID_SSUTABLE(table)); + REQUIRE(dns_name_isabsolute(identity)); + REQUIRE(dns_name_isabsolute(name)); + REQUIRE(matchtype <= DNS_SSUMATCHTYPE_MAX); + if (matchtype == DNS_SSUMATCHTYPE_WILDCARD) + REQUIRE(dns_name_iswildcard(name)); + if (ntypes > 0) + REQUIRE(types != NULL); + + mctx = table->mctx; + rule = isc_mem_get(mctx, sizeof(dns_ssurule_t)); + if (rule == NULL) + return (ISC_R_NOMEMORY); + + rule->identity = NULL; + rule->name = NULL; + rule->types = NULL; + + rule->grant = grant; + + rule->identity = isc_mem_get(mctx, sizeof(dns_name_t)); + if (rule->identity == NULL) { + result = ISC_R_NOMEMORY; + goto failure; + } + dns_name_init(rule->identity, NULL); + result = dns_name_dup(identity, mctx, rule->identity); + if (result != ISC_R_SUCCESS) + goto failure; + + rule->name = isc_mem_get(mctx, sizeof(dns_name_t)); + if (rule->name == NULL) { + result = ISC_R_NOMEMORY; + goto failure; + } + dns_name_init(rule->name, NULL); + result = dns_name_dup(name, mctx, rule->name); + if (result != ISC_R_SUCCESS) + goto failure; + + rule->matchtype = matchtype; + + rule->ntypes = ntypes; + if (ntypes > 0) { + rule->types = isc_mem_get(mctx, + ntypes * sizeof(dns_rdatatype_t)); + if (rule->types == NULL) { + result = ISC_R_NOMEMORY; + goto failure; + } + memmove(rule->types, types, ntypes * sizeof(dns_rdatatype_t)); + } else + rule->types = NULL; + + rule->magic = SSURULEMAGIC; + ISC_LIST_INITANDAPPEND(table->rules, rule, link); + + return (ISC_R_SUCCESS); + + failure: + if (rule->identity != NULL) { + if (dns_name_dynamic(rule->identity)) + dns_name_free(rule->identity, mctx); + isc_mem_put(mctx, rule->identity, sizeof(dns_name_t)); + } + if (rule->name != NULL) { + if (dns_name_dynamic(rule->name)) + dns_name_free(rule->name, mctx); + isc_mem_put(mctx, rule->name, sizeof(dns_name_t)); + } + if (rule->types != NULL) + isc_mem_put(mctx, rule->types, + ntypes * sizeof(dns_rdatatype_t)); + isc_mem_put(mctx, rule, sizeof(dns_ssurule_t)); + + return (result); +} + +static inline bool +isusertype(dns_rdatatype_t type) { + return (type != dns_rdatatype_ns && + type != dns_rdatatype_soa && + type != dns_rdatatype_rrsig); +} + +static void +reverse_from_address(dns_name_t *tcpself, isc_netaddr_t *tcpaddr) { + char buf[16 * 4 + sizeof("IP6.ARPA.")]; + isc_result_t result; + unsigned char *ap; + isc_buffer_t b; + unsigned long l; + + switch (tcpaddr->family) { + case AF_INET: + l = ntohl(tcpaddr->type.in.s_addr); + result = isc_string_printf(buf, sizeof(buf), + "%lu.%lu.%lu.%lu.IN-ADDR.ARPA.", + (l >> 0) & 0xff, (l >> 8) & 0xff, + (l >> 16) & 0xff, (l >> 24) & 0xff); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + break; + case AF_INET6: + ap = tcpaddr->type.in6.s6_addr; + result = isc_string_printf(buf, sizeof(buf), + "%x.%x.%x.%x.%x.%x.%x.%x." + "%x.%x.%x.%x.%x.%x.%x.%x." + "%x.%x.%x.%x.%x.%x.%x.%x." + "%x.%x.%x.%x.%x.%x.%x.%x." + "IP6.ARPA.", + ap[15] & 0x0f, (ap[15] >> 4) & 0x0f, + ap[14] & 0x0f, (ap[14] >> 4) & 0x0f, + ap[13] & 0x0f, (ap[13] >> 4) & 0x0f, + ap[12] & 0x0f, (ap[12] >> 4) & 0x0f, + ap[11] & 0x0f, (ap[11] >> 4) & 0x0f, + ap[10] & 0x0f, (ap[10] >> 4) & 0x0f, + ap[9] & 0x0f, (ap[9] >> 4) & 0x0f, + ap[8] & 0x0f, (ap[8] >> 4) & 0x0f, + ap[7] & 0x0f, (ap[7] >> 4) & 0x0f, + ap[6] & 0x0f, (ap[6] >> 4) & 0x0f, + ap[5] & 0x0f, (ap[5] >> 4) & 0x0f, + ap[4] & 0x0f, (ap[4] >> 4) & 0x0f, + ap[3] & 0x0f, (ap[3] >> 4) & 0x0f, + ap[2] & 0x0f, (ap[2] >> 4) & 0x0f, + ap[1] & 0x0f, (ap[1] >> 4) & 0x0f, + ap[0] & 0x0f, (ap[0] >> 4) & 0x0f); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + break; + default: + INSIST(0); + } + isc_buffer_init(&b, buf, strlen(buf)); + isc_buffer_add(&b, strlen(buf)); + result = dns_name_fromtext(tcpself, &b, dns_rootname, 0, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); +} + +static void +stf_from_address(dns_name_t *stfself, isc_netaddr_t *tcpaddr) { + char buf[sizeof("X.X.X.X.Y.Y.Y.Y.2.0.0.2.IP6.ARPA.")]; + isc_result_t result; + unsigned char *ap; + isc_buffer_t b; + unsigned long l; + + switch(tcpaddr->family) { + case AF_INET: + l = ntohl(tcpaddr->type.in.s_addr); + result = isc_string_printf(buf, sizeof(buf), + "%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx" + "2.0.0.2.IP6.ARPA.", + l & 0xf, (l >> 4) & 0xf, + (l >> 8) & 0xf, (l >> 12) & 0xf, + (l >> 16) & 0xf, (l >> 20) & 0xf, + (l >> 24) & 0xf, (l >> 28) & 0xf); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + break; + case AF_INET6: + ap = tcpaddr->type.in6.s6_addr; + result = isc_string_printf(buf, sizeof(buf), + "%x.%x.%x.%x.%x.%x.%x.%x." + "%x.%x.%x.%x.IP6.ARPA.", + ap[5] & 0x0f, (ap[5] >> 4) & 0x0f, + ap[4] & 0x0f, (ap[4] >> 4) & 0x0f, + ap[3] & 0x0f, (ap[3] >> 4) & 0x0f, + ap[2] & 0x0f, (ap[2] >> 4) & 0x0f, + ap[1] & 0x0f, (ap[1] >> 4) & 0x0f, + ap[0] & 0x0f, (ap[0] >> 4) & 0x0f); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + break; + default: + INSIST(0); + } + isc_buffer_init(&b, buf, strlen(buf)); + isc_buffer_add(&b, strlen(buf)); + result = dns_name_fromtext(stfself, &b, dns_rootname, 0, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); +} + +bool +dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer, + dns_name_t *name, isc_netaddr_t *addr, + dns_rdatatype_t type, const dst_key_t *key) +{ + return (dns_ssutable_checkrules2 + (table, signer, name, addr, + addr == NULL ? false : true, + NULL, type, key)); +} + +bool +dns_ssutable_checkrules2(dns_ssutable_t *table, dns_name_t *signer, + dns_name_t *name, isc_netaddr_t *addr, + bool tcp, const dns_aclenv_t *env, + dns_rdatatype_t type, const dst_key_t *key) +{ + dns_ssurule_t *rule; + unsigned int i; + dns_fixedname_t fixed; + dns_name_t *wildcard; + dns_name_t *tcpself; + dns_name_t *stfself; + isc_result_t result; + int match; + + REQUIRE(VALID_SSUTABLE(table)); + REQUIRE(signer == NULL || dns_name_isabsolute(signer)); + REQUIRE(dns_name_isabsolute(name)); + REQUIRE(addr == NULL || env != NULL); + + if (signer == NULL && addr == NULL) + return (false); + + for (rule = ISC_LIST_HEAD(table->rules); + rule != NULL; + rule = ISC_LIST_NEXT(rule, link)) + { + switch (rule->matchtype) { + case DNS_SSUMATCHTYPE_NAME: + case DNS_SSUMATCHTYPE_LOCAL: + case DNS_SSUMATCHTYPE_SUBDOMAIN: + case DNS_SSUMATCHTYPE_WILDCARD: + case DNS_SSUMATCHTYPE_SELF: + case DNS_SSUMATCHTYPE_SELFSUB: + case DNS_SSUMATCHTYPE_SELFWILD: + if (signer == NULL) + continue; + if (dns_name_iswildcard(rule->identity)) { + if (!dns_name_matcheswildcard(signer, + rule->identity)) + continue; + } else { + if (!dns_name_equal(signer, rule->identity)) + continue; + } + break; + case dns_ssumatchtype_selfkrb5: + case dns_ssumatchtype_selfms: + case dns_ssumatchtype_selfsubkrb5: + case dns_ssumatchtype_selfsubms: + case dns_ssumatchtype_subdomainkrb5: + case dns_ssumatchtype_subdomainms: + if (signer == NULL) + continue; + break; + case DNS_SSUMATCHTYPE_TCPSELF: + case DNS_SSUMATCHTYPE_6TO4SELF: + if (!tcp || addr == NULL) + continue; + break; + } + + switch (rule->matchtype) { + case DNS_SSUMATCHTYPE_NAME: + if (!dns_name_equal(name, rule->name)) + continue; + break; + case DNS_SSUMATCHTYPE_SUBDOMAIN: + if (!dns_name_issubdomain(name, rule->name)) + continue; + break; + case DNS_SSUMATCHTYPE_LOCAL: + if (addr == NULL) { + continue; + } + if (!dns_name_issubdomain(name, rule->name)) { + continue; + } + dns_acl_match(addr, NULL, env->localhost, + NULL, &match, NULL); + if (match == 0) { + if (signer != NULL) { + isc_log_write(dns_lctx, + DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_SSU, + ISC_LOG_WARNING, + "update-policy local: " + "match on session " + "key not from " + "localhost"); + } + continue; + } + break; + case DNS_SSUMATCHTYPE_WILDCARD: + if (!dns_name_matcheswildcard(name, rule->name)) + continue; + break; + case DNS_SSUMATCHTYPE_SELF: + if (!dns_name_equal(signer, name)) + continue; + break; + case DNS_SSUMATCHTYPE_SELFSUB: + if (!dns_name_issubdomain(name, signer)) + continue; + break; + case DNS_SSUMATCHTYPE_SELFWILD: + wildcard = dns_fixedname_initname(&fixed); + result = dns_name_concatenate(dns_wildcardname, signer, + wildcard, NULL); + if (result != ISC_R_SUCCESS) + continue; + if (!dns_name_matcheswildcard(name, wildcard)) + continue; + break; + case dns_ssumatchtype_selfkrb5: + if (dst_gssapi_identitymatchesrealmkrb5(signer, name, + rule->identity, + false)) + { + break; + } + continue; + case dns_ssumatchtype_selfms: + if (dst_gssapi_identitymatchesrealmms(signer, name, + rule->identity, + false)) + { + break; + } + continue; + case dns_ssumatchtype_selfsubkrb5: + if (dst_gssapi_identitymatchesrealmkrb5(signer, name, + rule->identity, + true)) + { + break; + } + continue; + case dns_ssumatchtype_selfsubms: + if (dst_gssapi_identitymatchesrealmms(signer, name, + rule->identity, + true)) + break; + continue; + case dns_ssumatchtype_subdomainkrb5: + if (!dns_name_issubdomain(name, rule->name)) + continue; + if (dst_gssapi_identitymatchesrealmkrb5(signer, NULL, + rule->identity, + false)) + { + break; + } + continue; + case dns_ssumatchtype_subdomainms: + if (!dns_name_issubdomain(name, rule->name)) + continue; + if (dst_gssapi_identitymatchesrealmms(signer, NULL, + rule->identity, + false)) + { + break; + } + continue; + case DNS_SSUMATCHTYPE_TCPSELF: + tcpself = dns_fixedname_initname(&fixed); + reverse_from_address(tcpself, addr); + if (dns_name_iswildcard(rule->identity)) { + if (!dns_name_matcheswildcard(tcpself, + rule->identity)) + continue; + } else { + if (!dns_name_equal(tcpself, rule->identity)) + continue; + } + if (!dns_name_equal(tcpself, name)) + continue; + break; + case DNS_SSUMATCHTYPE_6TO4SELF: + stfself = dns_fixedname_initname(&fixed); + stf_from_address(stfself, addr); + if (dns_name_iswildcard(rule->identity)) { + if (!dns_name_matcheswildcard(stfself, + rule->identity)) + continue; + } else { + if (!dns_name_equal(stfself, rule->identity)) + continue; + } + if (!dns_name_equal(stfself, name)) + continue; + break; + case DNS_SSUMATCHTYPE_EXTERNAL: + if (!dns_ssu_external_match(rule->identity, signer, + name, addr, type, key, + table->mctx)) + continue; + break; + case DNS_SSUMATCHTYPE_DLZ: + if (!dns_dlz_ssumatch(table->dlzdatabase, signer, + name, addr, type, key)) + continue; + break; + } + + if (rule->ntypes == 0) { + /* + * If this is a DLZ rule, then the DLZ ssu + * checks will have already checked + * the type. + */ + if (rule->matchtype != DNS_SSUMATCHTYPE_DLZ && + !isusertype(type)) + continue; + } else { + for (i = 0; i < rule->ntypes; i++) { + if (rule->types[i] == dns_rdatatype_any || + rule->types[i] == type) + break; + } + if (i == rule->ntypes) + continue; + } + return (rule->grant); + } + + return (false); +} + +bool +dns_ssurule_isgrant(const dns_ssurule_t *rule) { + REQUIRE(VALID_SSURULE(rule)); + return (rule->grant); +} + +dns_name_t * +dns_ssurule_identity(const dns_ssurule_t *rule) { + REQUIRE(VALID_SSURULE(rule)); + return (rule->identity); +} + +unsigned int +dns_ssurule_matchtype(const dns_ssurule_t *rule) { + REQUIRE(VALID_SSURULE(rule)); + return (rule->matchtype); +} + +dns_name_t * +dns_ssurule_name(const dns_ssurule_t *rule) { + REQUIRE(VALID_SSURULE(rule)); + return (rule->name); +} + +unsigned int +dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types) { + REQUIRE(VALID_SSURULE(rule)); + REQUIRE(types != NULL && *types != NULL); + *types = rule->types; + return (rule->ntypes); +} + +isc_result_t +dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) { + REQUIRE(VALID_SSUTABLE(table)); + REQUIRE(rule != NULL && *rule == NULL); + *rule = ISC_LIST_HEAD(table->rules); + return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE); +} + +isc_result_t +dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) { + REQUIRE(VALID_SSURULE(rule)); + REQUIRE(nextrule != NULL && *nextrule == NULL); + *nextrule = ISC_LIST_NEXT(rule, link); + return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE); +} + +/* + * Create a specialised SSU table that points at an external DLZ database + */ +isc_result_t +dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep, + dns_dlzdb_t *dlzdatabase) +{ + isc_result_t result; + dns_ssurule_t *rule; + dns_ssutable_t *table = NULL; + + REQUIRE(tablep != NULL && *tablep == NULL); + + result = dns_ssutable_create(mctx, &table); + if (result != ISC_R_SUCCESS) + return (result); + + table->dlzdatabase = dlzdatabase; + + rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t)); + if (rule == NULL) { + dns_ssutable_detach(&table); + return (ISC_R_NOMEMORY); + } + + rule->identity = NULL; + rule->name = NULL; + rule->types = NULL; + rule->grant = true; + rule->matchtype = DNS_SSUMATCHTYPE_DLZ; + rule->ntypes = 0; + rule->types = NULL; + rule->magic = SSURULEMAGIC; + + ISC_LIST_INITANDAPPEND(table->rules, rule, link); + *tablep = table; + return (ISC_R_SUCCESS); +} + +isc_result_t +dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype) { + + REQUIRE(str != NULL); + REQUIRE(mtype != NULL); + + if (strcasecmp(str, "name") == 0) { + *mtype = dns_ssumatchtype_name; + } else if (strcasecmp(str, "subdomain") == 0) { + *mtype = dns_ssumatchtype_subdomain; + } else if (strcasecmp(str, "wildcard") == 0) { + *mtype = dns_ssumatchtype_wildcard; + } else if (strcasecmp(str, "self") == 0) { + *mtype = dns_ssumatchtype_self; + } else if (strcasecmp(str, "selfsub") == 0) { + *mtype = dns_ssumatchtype_selfsub; + } else if (strcasecmp(str, "selfwild") == 0) { + *mtype = dns_ssumatchtype_selfwild; + } else if (strcasecmp(str, "ms-self") == 0) { + *mtype = dns_ssumatchtype_selfms; + } else if (strcasecmp(str, "ms-selfsub") == 0) { + *mtype = dns_ssumatchtype_selfsubms; + } else if (strcasecmp(str, "krb5-self") == 0) { + *mtype = dns_ssumatchtype_selfkrb5; + } else if (strcasecmp(str, "krb5-selfsub") == 0) { + *mtype = dns_ssumatchtype_selfsubkrb5; + } else if (strcasecmp(str, "ms-subdomain") == 0) { + *mtype = dns_ssumatchtype_subdomainms; + } else if (strcasecmp(str, "krb5-subdomain") == 0) { + *mtype = dns_ssumatchtype_subdomainkrb5; + } else if (strcasecmp(str, "tcp-self") == 0) { + *mtype = dns_ssumatchtype_tcpself; + } else if (strcasecmp(str, "6to4-self") == 0) { + *mtype = dns_ssumatchtype_6to4self; + } else if (strcasecmp(str, "zonesub") == 0) { + *mtype = dns_ssumatchtype_subdomain; + } else if (strcasecmp(str, "external") == 0) { + *mtype = dns_ssumatchtype_external; + } else { + return (ISC_R_NOTFOUND); + } + return (ISC_R_SUCCESS); +} |