ldap: Support customer dialer for Kerberos connections

Author: rtpt-erikgeiser

compat/compat.go

@@ -0,0 +1,101 @@
+// Package compat holds compatibility functions for interoperability between
+// forks or different libraries for the same purpose.
+package compat
+
+import (
+	"github.com/jcmturner/gokrb5/v8/config"
+	"github.com/jcmturner/gokrb5/v8/credentials"
+	"github.com/jcmturner/gokrb5/v8/keytab"
+	gokrb5ForkConfig "github.com/oiweiwei/gokrb5.fork/v9/config"
+	gokrb5ForkCredentials "github.com/oiweiwei/gokrb5.fork/v9/credentials"
+	gokrb5ForkKeytab "github.com/oiweiwei/gokrb5.fork/v9/keytab"
+	gokrb5ForkTypes "github.com/oiweiwei/gokrb5.fork/v9/types"
+
+	"github.com/jcmturner/gokrb5/v8/types"
+)
+
+func Gokrb5ForkV9KerberosConfig(cfg *config.Config) *gokrb5ForkConfig.Config {
+	realms := make([]gokrb5ForkConfig.Realm, 0, len(cfg.Realms))
+
+	for _, realm := range cfg.Realms {
+		realms = append(realms, gokrb5ForkConfig.Realm(realm))
+	}
+
+	return &gokrb5ForkConfig.Config{
+		LibDefaults: gokrb5ForkConfig.LibDefaults(cfg.LibDefaults),
+		Realms:      realms,
+		DomainRealm: gokrb5ForkConfig.DomainRealm(cfg.DomainRealm),
+	}
+}
+
+func Gokrb5ForkV9CCache(ccache *credentials.CCache) *gokrb5ForkCredentials.CCache {
+	creds := make([]*gokrb5ForkCredentials.Credential, 0, len(ccache.Credentials))
+
+	for _, cred := range ccache.Credentials {
+		addrs := make([]gokrb5ForkTypes.HostAddress, 0, len(cred.Addresses))
+
+		for _, addr := range cred.Addresses {
+			addrs = append(addrs, gokrb5ForkTypes.HostAddress(addr))
+		}
+
+		adEntries := make([]gokrb5ForkTypes.AuthorizationDataEntry, 0, len(cred.AuthData))
+
+		for _, adEntry := range cred.AuthData {
+			adEntries = append(adEntries, gokrb5ForkTypes.AuthorizationDataEntry(adEntry))
+		}
+
+		creds = append(creds, &gokrb5ForkCredentials.Credential{
+			Client:       Gokrb5ForkV9Principal(cred.Client.Realm, cred.Client.PrincipalName),
+			Server:       Gokrb5ForkV9Principal(cred.Server.Realm, cred.Server.PrincipalName),
+			Key:          gokrb5ForkTypes.EncryptionKey(cred.Key),
+			AuthTime:     cred.AuthTime,
+			StartTime:    cred.StartTime,
+			EndTime:      cred.EndTime,
+			RenewTill:    cred.RenewTill,
+			IsSKey:       cred.IsSKey,
+			TicketFlags:  cred.TicketFlags,
+			Addresses:    addrs,
+			AuthData:     adEntries,
+			Ticket:       cred.Ticket,
+			SecondTicket: cred.SecondTicket,
+		})
+	}
+
+	return &gokrb5ForkCredentials.CCache{
+		Version:          ccache.Version,
+		DefaultPrincipal: Gokrb5ForkV9Principal(ccache.DefaultPrincipal.Realm, ccache.DefaultPrincipal.PrincipalName),
+		Credentials:      creds,
+		Path:             ccache.Path,
+	}
+}
+
+func Gokrb5ForkV9Principal(realm string, principalName types.PrincipalName) gokrb5ForkCredentials.Principal {
+	return gokrb5ForkCredentials.Principal{
+		Realm:         realm,
+		PrincipalName: gokrb5ForkTypes.PrincipalName(principalName),
+	}
+}
+
+func Gokrb5ForkV9Keytab(keytab *keytab.Keytab) *gokrb5ForkKeytab.Keytab {
+	entries := make([]gokrb5ForkKeytab.Entry, 0, len(keytab.Entries))
+
+	for _, entry := range keytab.Entries {
+		entries = append(entries, gokrb5ForkKeytab.Entry{
+			Principal: gokrb5ForkKeytab.Principal{
+				NumComponents: entry.Principal.NumComponents,
+				Realm:         entry.Principal.Realm,
+				Components:    entry.Principal.Components,
+				NameType:      entry.Principal.NameType,
+			},
+			Timestamp: entry.Timestamp,
+			KVNO8:     entry.KVNO8,
+			Key:       gokrb5ForkTypes.EncryptionKey(entry.Key),
+			KVNO:      entry.KVNO,
+		})
+	}
+
+	return &gokrb5ForkKeytab.Keytab{
+		Version: 2,
+		Entries: entries,
+	}
+}

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/jcmturner/gokrb5/v8 v8.4.4
 	github.com/oiweiwei/go-msrpc v1.2.1
 	github.com/oiweiwei/gokrb5.fork/v9 v9.0.2
-	github.com/spf13/pflag v1.0.5
+	github.com/spf13/pflag v1.0.6
 	github.com/vadimi/go-ntlm v1.2.1
 	software.sslmate.com/src/go-pkcs12 v0.5.0
 )
@@ -28,8 +28,8 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/oiweiwei/go-smb2.fork v1.0.0 // indirect
 	github.com/rs/zerolog v1.33.0 // indirect
-	golang.org/x/crypto v0.32.0 // indirect
-	golang.org/x/net v0.34.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/crypto v0.35.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
 )

go.sum

@@ -58,8 +58,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
 github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -79,8 +79,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
+golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -97,8 +97,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
-golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -119,8 +119,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -138,8 +138,9 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

ldapauth/gssapi.go

@@ -9,26 +9,29 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"net"
 	"strings"
 
+	"github.com/RedTeamPentesting/adauth/compat"
 	"github.com/RedTeamPentesting/adauth/pkinit"
-	"github.com/jcmturner/gokrb5/v8/client"
 	"github.com/jcmturner/gokrb5/v8/config"
-	"github.com/jcmturner/gokrb5/v8/iana/chksumtype"
-	"github.com/jcmturner/gokrb5/v8/iana/etypeID"
-	"github.com/jcmturner/gokrb5/v8/iana/flags"
-	"github.com/jcmturner/gokrb5/v8/iana/nametype"
-	"github.com/jcmturner/gokrb5/v8/krberror"
-	"github.com/jcmturner/gokrb5/v8/types"
 
-	krb5GSSAPI "github.com/jcmturner/gokrb5/v8/gssapi"
-	"github.com/jcmturner/gokrb5/v8/spnego"
+	"github.com/oiweiwei/gokrb5.fork/v9/client"
+	"github.com/oiweiwei/gokrb5.fork/v9/iana/chksumtype"
+	"github.com/oiweiwei/gokrb5.fork/v9/iana/etypeID"
+	"github.com/oiweiwei/gokrb5.fork/v9/iana/flags"
+	"github.com/oiweiwei/gokrb5.fork/v9/iana/nametype"
+	"github.com/oiweiwei/gokrb5.fork/v9/krberror"
+	"github.com/oiweiwei/gokrb5.fork/v9/types"
 
-	krb5Crypto "github.com/jcmturner/gokrb5/v8/crypto"
-	"github.com/jcmturner/gokrb5/v8/iana/keyusage"
-	"github.com/jcmturner/gokrb5/v8/messages"
+	krb5GSSAPI "github.com/oiweiwei/gokrb5.fork/v9/gssapi"
+	"github.com/oiweiwei/gokrb5.fork/v9/spnego"
 
-	"github.com/jcmturner/gokrb5/v8/credentials"
+	krb5Crypto "github.com/oiweiwei/gokrb5.fork/v9/crypto"
+	"github.com/oiweiwei/gokrb5.fork/v9/iana/keyusage"
+	"github.com/oiweiwei/gokrb5.fork/v9/messages"
+
+	"github.com/oiweiwei/gokrb5.fork/v9/credentials"
 )
 
 type gssapiClient struct {
@@ -42,21 +45,24 @@ type gssapiClient struct {
 }
 
 func newClientFromCCache(
-	username string, domain string, ccachePath string, krb5Conf *config.Config,
+	username string, domain string, ccachePath string, krb5Conf *config.Config, dialer Dialer,
 ) (*gssapiClient, error) {
 	ccache, err := credentials.LoadCCache(ccachePath)
 	if err != nil {
 		return nil, err
 	}
 
-	c, err := client.NewFromCCache(ccache, krb5Conf, client.DisablePAFXFAST(true))
-	if err != nil && strings.Contains(strings.ToLower(err.Error()), "tgt not found") {
-		// client.NewFromCCache only accepts ccaches that contain at least one
-		// TGT, however, we want to support ccaches that only contain a service
+	c, err := client.NewFromCCache(
+		ccache, compat.Gokrb5ForkV9KerberosConfig(krb5Conf),
+		client.DisablePAFXFAST(true), client.Dialer(dialer))
+	if err != nil && strings.Contains(strings.ToLower(err.Error()), "tgt") {
+		// client.NewFromCCache only accepts CCaches that contain at least one
+		// TGT, however, we want to support CCaches that only contain a service
 		// ticket. Therefore, we use a dummy client, and pull the service ticket
 		// from the ccache ourselves instead of asking the client.
 		return &gssapiClient{
-			Client: client.NewWithPassword(username, domain, "", krb5Conf, client.DisablePAFXFAST(true)),
+			Client: client.NewWithPassword(
+				username, domain, "", compat.Gokrb5ForkV9KerberosConfig(krb5Conf), client.DisablePAFXFAST(true)),
 			ccache: ccache,
 		}, nil
 	}
@@ -70,14 +76,21 @@ func newClientFromCCache(
 
 func newPKINITClient(
 	ctx context.Context, username string, domain string, cert *x509.Certificate, key *rsa.PrivateKey,
-	krb5Conf *config.Config, opts ...pkinit.Option,
+	krb5Conf *config.Config, dialer Dialer,
 ) (*gssapiClient, error) {
-	ccache, err := pkinit.Authenticate(ctx, username, domain, cert, key, krb5Conf, opts...)
+	ctxDialer, ok := dialer.(pkinit.ContextDialer)
+	if !ok {
+		ctxDialer = nopContextDialer(dialer.Dial)
+	}
+
+	ccache, err := pkinit.Authenticate(ctx, username, domain, cert, key, krb5Conf, pkinit.WithDialer(ctxDialer))
 	if err != nil {
 		return nil, fmt.Errorf("pkinit: %w", err)
 	}
 
-	c, err := client.NewFromCCache(ccache, krb5Conf, client.DisablePAFXFAST(true))
+	c, err := client.NewFromCCache(
+		compat.Gokrb5ForkV9CCache(ccache), compat.Gokrb5ForkV9KerberosConfig(krb5Conf),
+		client.DisablePAFXFAST(true), client.Dialer(dialer))
 	if err != nil {
 		return nil, fmt.Errorf("initialize Kerberos client from PKINIT ccache: %w", err)
 	}
@@ -364,3 +377,9 @@ func krb5TokenAuthenticator(
 
 	return auth, nil
 }
+
+type nopContextDialer func(string, string) (net.Conn, error)
+
+func (f nopContextDialer) DialContext(ctx context.Context, net string, addr string) (net.Conn, error) {
+	return f(net, addr)
+}

ldapauth/ldap.go

@@ -19,12 +19,13 @@ import (
 	"time"
 
 	"github.com/RedTeamPentesting/adauth"
+	"github.com/RedTeamPentesting/adauth/compat"
 	"github.com/RedTeamPentesting/adauth/othername"
 	"github.com/RedTeamPentesting/adauth/pkinit"
 	"software.sslmate.com/src/go-pkcs12"
 
 	"github.com/go-ldap/ldap/v3"
-	"github.com/jcmturner/gokrb5/v8/client"
+	"github.com/oiweiwei/gokrb5.fork/v9/client"
 	"github.com/spf13/pflag"
 )
 
@@ -57,11 +58,12 @@ type Options struct {
 	StartTLS bool
 	// DialOptions can be used to customize the connection. However
 	// ldap.DialWithTLSConfig will be ignored, because TLS setup is handled
-	// internally.
+	// internally. Note that setting a custom dialer with DialOptions only
+	// affects LDAP/LDAPS connections, not Kerberos connections. A custom dialer
+	// for Kerberos connections can be set with KerberosDialer.
 	DialOptions []ldap.DialOpt
-	// PKINITOptions can be used to modify the behavior of PKINIT when it is
-	// used.
-	PKINITOptions []pkinit.Option
+	// KerberosDialer is the dialer that is used to request Kerberos tickets.
+	KerberosDialer Dialer
 }
 
 // RegisterFlags registers LDAP specific flags to a pflag.FlagSet such as the
@@ -273,6 +275,10 @@ func kerberosClient(
 		return nil, fmt.Errorf("configure Kerberos: %w", err)
 	}
 
+	if opts.KerberosDialer == nil {
+		opts.KerberosDialer = &net.Dialer{Timeout: pkinit.DefaultKerberosRoundtripDeadline}
+	}
+
 	var (
 		authClient *gssapiClient
 		cert       *x509.Certificate
@@ -292,8 +298,9 @@ func kerberosClient(
 				creds.Username,
 				strings.ToUpper(creds.Domain),
 				creds.Password,
-				krbConf,
+				compat.Gokrb5ForkV9KerberosConfig(krbConf),
 				client.DisablePAFXFAST(true),
+				client.Dialer(opts.KerberosDialer),
 			),
 		}
 
@@ -310,9 +317,10 @@ func kerberosClient(
 			Client: client.NewWithKeytab(
 				creds.Username,
 				strings.ToUpper(creds.Domain),
-				keyTab,
-				krbConf,
+				compat.Gokrb5ForkV9Keytab(keyTab),
+				compat.Gokrb5ForkV9KerberosConfig(krbConf),
 				client.DisablePAFXFAST(true),
+				client.Dialer(opts.KerberosDialer),
 			),
 			BindCertificate: cert,
 		}
@@ -322,12 +330,12 @@ func kerberosClient(
 		opts.Debug("authenticating using GSSAPI bind (PKINIT)")
 
 		return newPKINITClient(ctx, creds.Username, strings.ToUpper(creds.Domain),
-			creds.ClientCert, creds.ClientCertKey, krbConf, opts.PKINITOptions...)
+			creds.ClientCert, creds.ClientCertKey, krbConf, opts.KerberosDialer)
 	case creds.CCache != "":
 		opts.Debug("authenticating using GSSAPI bind (ccache)")
 
 		authClient, err = newClientFromCCache(
-			creds.Username, strings.ToUpper(creds.Domain), creds.CCache, krbConf)
+			creds.Username, strings.ToUpper(creds.Domain), creds.CCache, krbConf, opts.KerberosDialer)
 		if err != nil {
 			return nil, fmt.Errorf("create GSSAPI client from CCACHE: %w", err)
 		}
@@ -489,3 +497,7 @@ func ChannelBindingHash(cert *x509.Certificate) []byte {
 
 	return hash
 }
+
+type Dialer interface {
+	Dial(net string, addr string) (net.Conn, error)
+}