diff -durP mailman-2.1.15/bin/update mailman-2.1.15-pgp-smime_2010-09-08/bin/update
--- mailman-2.1.15/bin/update	2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/bin/update	2010-09-08 14:41:10.000000000 +0200
@@ -198,6 +198,25 @@
                                '%(listname)s')
         return 1
 
+    # Check for new GPG options
+    def add_only_if_missing(attr, initval, l=mlist):
+        if not hasattr(l, attr):
+            print _("""Adding attribute %(attr)s to list.""")
+            setattr(l, attr, initval)
+
+    print _("""Checking and adding PGP and S/MIME properties.""")
+    # 1.2.5-gpg
+    add_only_if_missing('gpg_public_key', "")
+    add_only_if_missing('gpg_secret_key', "")
+    add_only_if_missing('gpg_passphrase', "")
+    add_only_if_missing('gpgkeys', {})
+    add_only_if_missing('gpgkeyids', {})
+    add_only_if_missing('sign_policy', mm_cfg.DEFAULT_SIGN_POLICY)
+    add_only_if_missing('encrypt_policy', mm_cfg.DEFAULT_ENCRYPT_POLICY)
+
+    mlist.Save()
+
+
     # Sanity check the invariant that every BYBOUNCE disabled member must have
     # bounce information.  Some earlier betas broke this.  BAW: we're
     # submerging below the MemberAdaptor interface, so skip this if we're not
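Review bot: The new `gpg_secret_key` and `gpg_passphrase` attributes are added and saved here with no comment saying that they are kept as ordinary list attributes, which presumably means unencrypted in whatever `mlist.Save()` writes for the list. I would add a comment above the `add_only_if_missing` calls such as `# gpg_secret_key and gpg_passphrase are stored in clear with the list state; the list data directory must not be readable by other users`. The `# 1.2.5-gpg` marker would also be clearer spelled out as the patch version that introduced these attributes, if that is what it means. The enclosing function starts and ends outside this hunk.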
diff -durP mailman-2.1.15/Mailman/Cgi/options.py mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Cgi/options.py
--- mailman-2.1.15/Mailman/Cgi/options.py	2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Cgi/options.py	2010-09-08 14:41:10.000000000 +0200
@@ -32,6 +32,8 @@
 from Mailman import i18n
 from Mailman.htmlformat import *
 from Mailman.Logging.Syslog import syslog
+from Mailman import GPGUtils
+from Mailman import SMIMEUtils
 
 SLASH = '/'
 SETLANGUAGE = -1
@@ -478,6 +482,51 @@
         print doc.Format()
         return
 
+    if cgidata.has_key('submitgpgkey'):
+        gpgkey = cgidata.getvalue('gpgkey')
+
+        # Check wether user tries to replace old key
+        # (One has to unsubscribe and subscribe, so that listmaster gets
+        # notification)
+        oldkeyids = mlist.getGPGKeyIDs(user)
+        if oldkeyids:
+            syslog('gpg','Disallowing replacing public key of user %s, list %s', user, mlist.real_name)
+            # display error, exit
+            doc.addError(_("""For security reasons, it is not allowed to change an
+            already set public key.  Either contact the list administrator or
+            unsubscribe and subscribe again."""))
+            print doc.Format()
+            return
+
+        # See if the user wants to change their gpg keys globally
+        mlists = [mlist]
+        if cgidata.getvalue('gpgkey-globally'):
+            mlists.extend(lists_of_member(mlist, user))
+        for gmlist in mlists:
+            set_gpgkey(gmlist, user, gpgkey)
+
+    if cgidata.has_key('submitsmimekey'):
+        smimekey = cgidata.getvalue('smimekey')
+
+        # check wether user tries to replace old key
+        sm = SMIMEUtils.SMIMEHelper(mlist)
+        keyfile = sm.getSMIMEMemberCertFile(user)
+        if keyfile <> None:
+            syslog('gpg','Disallowing replacing public key of user %s, list %s', user, mlist.real_name)
+            # display error, exit
+            doc.addError(_("""For security reasons, it is not allowed to change an
+            already set public key.  Either contact the list administrator or
+            unsubscribe and subscribe again."""))
+            print doc.Format()
+            return
+
+        # See if the user wants to change their keys globally
+        mlists = [mlist]
+        if cgidata.getvalue('smimekey-globally'):
+            mlists.extend(lists_of_member(mlist, user))
+        for gmlist in mlists:
+            set_smimekey(gmlist, user, smimekey)
+
     if cgidata.has_key('unsub'):
         # Was the confirming check box turned on?
         if not cgidata.getvalue('unsubconfirm'):
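Review bot: The replace-protection check only looks at the current list (`mlist.getGPGKeyIDs(user)`), but when `gpgkey-globally` is set the loop then calls `set_gpgkey` on every list returned by `lists_of_member`, so a key already set on one of those other lists is overwritten without the check or the log entry. The S/MIME branch has the same shape with `sm.getSMIMEMemberCertFile(user)` and `smimekey-globally`. The check should run per list inside the loop, e.g. `if gmlist.getGPGKeyIDs(user): continue` (with the same syslog line) before `set_gpgkey(gmlist, user, gpgkey)`, and the user should be told which lists were skipped. The enclosing function starts and ends outside this hunk.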
@@ -812,6 +861,26 @@
     replacements['<mm-fullname-box>'] = mlist.FormatBox(
         'fullname', value=fullname)
 
+    gpgkey = mlist.getGPGKey(user)
+    if gpgkey==None:
+        gpgkey=""
+    replacements['<mm-gpgkey-box>'] = (
+        '<textarea name="gpgkey" rows=10 cols=80>%s</textarea>' % gpgkey)
+    replacements['<mm-global-gpgkey-changes-button>'] = (
+        CheckBox('gpgkey-globally', 1, checked=0).Format())
+    replacements['<mm-change-gpgkey-button>'] = (
+       mlist.FormatButton('submitgpgkey', _('Submit GPG key')))
+
+    smimekey = mlist.getSMIMEKey(user)
+    if not smimekey:
+        smimekey=""
+    replacements['<mm-smimekey-box>'] = (
+        '<textarea name="smimekey" rows=10 cols=80>%s</textarea>' % smimekey)
+    replacements['<mm-global-smimekey-changes-button>'] = (
+        CheckBox('smimekey-globally', 1, checked=0).Format())
+    replacements['<mm-change-smimekey-button>'] = (
+       mlist.FormatButton('submitsmimekey', _('Submit S/MIME key')))
+
     # Create the topics radios.  BAW: what if the list admin deletes a topic,
     # but the user still wants to get that topic message?
     usertopics = mlist.getMemberTopics(user)
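Review bot: The stored key text is interpolated into the page unescaped in `'<textarea name="gpgkey" rows=10 cols=80>%s</textarea>' % gpgkey`, and the same happens for `smimekey` a few lines below. That text originates from the member's own form submission, so any markup that survives the import step would be emitted verbatim into the options page, which may also be viewed by others such as a list administrator. Escape it before substitution, e.g. `% Utils.websafe(gpgkey)` and `% Utils.websafe(smimekey)`, assuming `Utils` is imported in this module as elsewhere in Mailman. The enclosing function starts and ends outside this hunk.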
@@ -979,6 +1048,95 @@
 
 
 
+def set_gpgkey(mlist, user, key):
+    # This operation requires the list lock, so let's set up the signal
+    # handling so the list lock will get released when the user hits the
+    # browser stop button.
+    def sigterm_handler(signum, frame, mlist=mlist):
+        # Make sure the list gets unlocked...
+        mlist.Unlock()
+        # ...and ensure we exit, otherwise race conditions could cause us to
+        # enter MailList.Save() while we're in the unlocked state, and that
+        # could be bad!
+        sys.exit(0)
+
+    # Must own the list lock!
+    mlist.Lock()
+    try:
+        # Install the emergency shutdown signal handler
+        signal.signal(signal.SIGTERM, sigterm_handler)
+        # change the user's key.
+        gh = GPGUtils.GPGHelper(mlist)
+        if len(key)==0:
+            key=None
+        if key!=None:
+            # adjust the keyring on the filesystem
+            keyids=gh.importKey(key)
+            if keyids:
+                syslog('gpg','Key %s for user %s imported.',
+                    ",".join(keyids),user)
+            else:
+                syslog('gpg','Import of key for user %s failed',user)
+        else:
+            keyids=['nonexistent']
+            syslog('gpg','Removing keys from user %s',user)
+        if keyids:
+            oldkeyids = mlist.getGPGKeyIDs(user)
+            # adjust the in-memory copy of the list
+            mlist.setGPGKey(user, key, keyids)
+            # Remove old keys; check if oldkeyids and keyids overlap
+            if oldkeyids:
+                for i in keyids:
+                    try:
+                        oldkeyids.remove(i)
+                    except ValueError:
+                        pass
+                if len(oldkeyids)>0:
+                    syslog('gpg','Removing keys %s',",".join(oldkeyids))
+                    gh.removeKeys(oldkeyids)
+        mlist.Save()
+    finally:
+        mlist.Unlock()
+
+def set_smimekey(mlist, user, key):
+    # Like set_gpgkey, this operation requires the list lock, so let's set
+    # up the signal
+    # handling so the list lock will get released when the user hits the
+    # browser stop button.
+    def sigterm_handler(signum, frame, mlist=mlist):
+        # Make sure the list gets unlocked...
+        mlist.Unlock()
+        # ...and ensure we exit, otherwise race conditions could cause us to
+        # enter MailList.Save() while we're in the unlocked state, and that
+        # could be bad!
+        sys.exit(0)
+
+    # Must own the list lock!
+    mlist.Lock()
+    try:
+        # Install the emergency shutdown signal handler
+        signal.signal(signal.SIGTERM, sigterm_handler)
+        # change the user's key.
+        sm = SMIMEUtils.SMIMEHelper(mlist)
+        if len(key)==0:
+            key=None
+        if key!=None:
+            if sm.importKey(user, key):
+                syslog('gpg','Key %s for user %s imported', key, user)
+            else:
+                syslog('gpg','Import of key for user %s failed',user)
+        else:
+            # FIXME : should support removing a key here
+            pass
+
+        # Unlike the GPG case, we support just one S/MIME key per
+        # subscriber.  We don't have
+        # an in-memory view of the keys per list.  So we're done now.
+        mlist.Save()
+    finally:
+        mlist.Unlock()
+
+
 def global_options(mlist, user, globalopts):
     # Is there anything to do?
     for attr in dir(globalopts):
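Review bot: `set_smimekey` writes the whole submitted key to the log with `syslog('gpg','Key %s for user %s imported', key, user)`; `key` is member-supplied, multi-line text, so it bloats the log and lets a submitter place arbitrary lines in it. Log an identifier instead, e.g. `syslog('gpg','S/MIME key for user %s imported', user)`. Both `set_gpgkey` and `set_smimekey` also call `len(key)` before the `None` test, so a request that carries the submit button without the key field (where `cgidata.getvalue` returns `None`) raises `TypeError`; `if not key: key = None` covers both cases. Neither function reports a failed import back to its caller, so the options page cannot show an error; a return value would allow that.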
diff -durP mailman-2.1.15/Mailman/Defaults.py.in mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Defaults.py.in
--- mailman-2.1.15/Mailman/Defaults.py.in	2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Defaults.py.in	2010-09-08 14:41:10.000000000 +0200
@@ -245,11 +245,11 @@
 PUBLIC_ARCHIVE_URL = 'http://%(hostname)s/pipermail/%(listname)s'
 
 # Are archives on or off by default?
-DEFAULT_ARCHIVE = On
+DEFAULT_ARCHIVE = Off
 
 # Are archives public or private by default?
 # 0=public, 1=private
-DEFAULT_ARCHIVE_PRIVATE = 0
+DEFAULT_ARCHIVE_PRIVATE = 1
 
 # ARCHIVE_TO_MBOX
 #-1 - do not do any archiving
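Review bot: These default changes (`DEFAULT_ARCHIVE = Off`, `DEFAULT_ARCHIVE_PRIVATE = 1`, and `DEFAULT_PRIVATE_ROSTER = 2` in the last hunk of this file) are not explained anywhere in the patch and are independent of the PGP/S-MIME attributes it adds. A short comment next to each, for example `# Off by default: an archive would keep decrypted posts in clear on the server`, would tell a site administrator why the stock values were changed, if that is indeed the reason. It is also worth stating that they presumably only affect newly created lists, so existing lists keep their current archive and roster settings.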
@@ -391,6 +391,14 @@
 
 
 #####
+# GPG and S/MIME defaults
+#####
+
+DEFAULT_SIGN_POLICY = No
+DEFAULT_ENCRYPT_POLICY = No
+
+
+#####
 # Delivery defaults
 #####
 
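Review bot: `DEFAULT_SIGN_POLICY` and `DEFAULT_ENCRYPT_POLICY` are set to `No`, but the admin form in Mailman/Gui/Privacy.py presents both as a three-way choice (None / Voluntary / Mandatory), so a yes/no constant reads misleadingly here. I would write `DEFAULT_SIGN_POLICY = 0` and `DEFAULT_ENCRYPT_POLICY = 0` and add a comment in the style used elsewhere in this file, e.g. `# 0=none, 1=voluntary, 2=mandatory`.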
@@ -960,7 +968,7 @@
 # These format strings will be expanded w.r.t. the dictionary for the
 # mailing list instance.
 DEFAULT_SUBJECT_PREFIX  = "[%(real_name)s] "
-# DEFAULT_SUBJECT_PREFIX = "[%(real_name)s %%d]" # for numbering
+# DEFAULT_SUBJECT_PREFIX = "[%(real_name)s %%d] " # for numbering
 DEFAULT_MSG_HEADER = ""
 DEFAULT_MSG_FOOTER = """_______________________________________________
 %(real_name)s mailing list
@@ -1086,7 +1094,7 @@
 DEFAULT_UNSUBSCRIBE_POLICY = 0
 
 # Private_roster == 0: anyone can see, 1: members only, 2: admin only.
-DEFAULT_PRIVATE_ROSTER = 1
+DEFAULT_PRIVATE_ROSTER = 2
 
 # When exposing members, make them unrecognizable as email addrs, so
 # web-spiders can't pick up addrs for spam purposes.
diff -durP mailman-2.1.15/Mailman/GPGUtils.py mailman-2.1.15-pgp-smime_2010-09-08/Mailman/GPGUtils.py
--- mailman-2.1.15/Mailman/GPGUtils.py	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/GPGUtils.py	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,389 @@
+# Copyright (C) 2005 by Tilburg University, http://www.uvt.nl/.
+# Copyright (C) 2005 by Stefan Schlott
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+"""This is a interface to the GnuPGInterface library. It eases the
+creation of instances of the interface and handles deadlock problems
+using threads. Furthermore, in this way it should be possible to
+replace GnuPGInterface with a different one (if ever needed)."""
+
+
+import re
+import os
+import tempfile
+import threading
+
+from Mailman import Errors
+from Mailman.Logging.Syslog import syslog
+from Mailman import mm_cfg
+import GnuPGInterface
+
+
+class AsyncRead(threading.Thread):
+    def __init__(self,infile):
+        threading.Thread.__init__(self)
+        self.infile=infile
+        self.data=None
+    def run(self):
+        self.data = self.infile.read()
+        self.infile.close()
+
+class AsyncWrite(threading.Thread):
+    def __init__(self,outfile,data):
+        threading.Thread.__init__(self)
+        self.outfile=outfile
+        self.data=data
+    def run(self):
+        self.outfile.write(self.data)
+        self.outfile.close()
+
+
+class GPGHelper:
+    def __init__(self, mlist):
+        self.mlist = mlist
+        self.gpgdir="%s/%s/gpg" % (mm_cfg.LIST_DATA_DIR,mlist.internal_name())
+        self.pubkeyfile="%s/pubring.gpg" % self.gpgdir
+        self.seckeyfile="%s/secring.gpg" % self.gpgdir
+        self.trustdbfile="%s/trustdb.gpg" % self.gpgdir
+
+    def getGPGObject(self):
+        gpg = GnuPGInterface.GnuPG()
+        gpg.options.armor = 1
+        gpg.options.meta_interactive = 0
+        gpg.options.extra_args.append('--no-secmem-warning')
+        gpg.options.homedir = self.gpgdir
+        gpg.options.quiet = 0
+        return gpg
+    
+    def cleanListKeyring(self):
+        success = True
+        if not os.path.isdir(self.gpgdir):
+            try:
+                os.mkdir(self.gpgdir)
+                os.chmod(self.gpgdir,((7*8)+7)*8)
+            except IOError, (errno, strerror):
+                syslog('error','Could not create gpg dir: %s',strerror)
+                success = False
+        for fname in (self.pubkeyfile,self.seckeyfile,self.trustdbfile):
+            if os.path.exists(fname):
+                try:
+                    os.unlink(fname)
+                except:
+                    syslog('error','Unable to remove %s',fname)
+                    success = False
+        return success
+
+
+    def checkPerms(self):
+        success = True
+        if os.path.exists(self.gpgdir):
+            try:
+                os.chmod(self.gpgdir,((7*8)+7)*8)
+            except:
+                syslog('error','Unable to set mode on %s',self.gpgdir)
+                success = False
+            for fname in (self.pubkeyfile,self.seckeyfile,self.trustdbfile):
+                if os.path.exists(fname):
+                    try:
+                        os.chmod(fname,((6*8)+6)*8)
+                    except:
+                        syslog('error','Unable to set mode on %s',fname)
+                        success = False
+        return success
+
+
+    def importKey(self,key):
+        gpg = self.getGPGObject()
+        p = gpg.run(['--import'],create_fhs=['stdin','stdout','stderr'])
+        t_out = AsyncRead(p.handles['stdout'])
+        t_out.start()
+        t_err = AsyncRead(p.handles['stderr'])
+        t_err.start()
+        p.handles['stdin'].write(key)
+        p.handles['stdin'].close()
+        t_out.join()
+        t_err.join()
+        # Ignore date from t_out
+        result = t_err.data
+        try:
+            p.wait()
+        except IOError:
+            syslog('gpg','Error importing keys: %s' % result)
+            return None
+        self.checkPerms()
+        pre_key_ids= []
+        key_ids= []
+        for line in result.lower().splitlines():
+            g = re.search('key ([0-9a-f]+):',line)
+            if g!=None:
+                pre_key_ids.append('0x%s' % g.groups()[0])
+        for key in pre_key_ids:
+            p = gpg.run(['--list-keys',key],create_fhs=['stdin','stdout','stderr'])
+            t_out = AsyncRead(p.handles['stdout'])
+            t_out.start()
+            t_out.join()
+            result = t_out.data
+            try:
+                p.wait()
+            except IOError:
+                syslog('gpg','Error importing keys: %s' % result)
+                return None
+            for line in result.lower().splitlines():
+                g = re.search('[ps]ub +[0-9a-z]+/([0-9a-f]{8}) ',line)
+                if g!=None:
+                    key_ids.append('0x%s' % g.groups()[0])
+        return key_ids
+
+
+    def importAllSubscriberKeys(self):
+        gpg = self.getGPGObject()
+        p = gpg.run(['--import'],create_fhs=['stdin','stdout','stderr'])
+        t_out = AsyncRead(p.handles['stdout'])
+        t_out.start()
+        t_err = AsyncRead(p.handles['stderr'])
+        t_err.start()
+        for user in self.mlist.getMembers():
+            key = self.mlist.getGPGKey(user)
+            if key:
+                p.handles['stdin'].write(key)
+        p.handles['stdin'].close()
+        t_out.join()
+        t_err.join()
+        # Ignore date from t_out
+        result = t_err.data
+        try:
+            p.wait()
+        except IOError:
+            syslog('gpg','Error importing keys: %s' % result)
+            return None
+        self.checkPerms()
+        key_ids= []
+        for line in result.lower().splitlines():
+            g = re.search('key ([0-9a-f]+):',line)
+            if g!=None:
+                key_ids.append('0x%s' % g.groups()[0])
+        return key_ids
+
+
+    def removeKeys(self,keyids):
+        gpg = self.getGPGObject()
+        params = ['--batch','--yes','--delete-keys']
+        for i in keyids:
+            params.append(i)
+        p = gpg.run(params,create_fhs=['stdin','stdout','stderr'])
+        result = p.handles['stderr'].read()
+        p.handles['stderr'].close()
+        try:
+            p.wait()
+        except IOError:
+            syslog('gpg','Error removing keys: %s' % result)
+            return False
+        self.checkPerms()
+        return True
+
+
+    def getMailaddrs(self,keyid):
+        gpg = self.getGPGObject()
+        p = gpg.run(['--list-keys',keyid],create_fhs=['stdin','stdout','stderr'])
+        t_out = AsyncRead(p.handles['stdout'])
+        t_out.start()
+        t_out.join()
+        result = t_out.data
+        try:
+            p.wait()
+        except IOError:
+            syslog('gpg','Error listing keys: %s' % result)
+            return None
+        mailaddrs = []
+        for line in result.lower().splitlines():
+            # uid                  Joost van Baal (foo bar) <J.E.vanBaal@uvt.nl>
+            g = re.search('uid +[^<]+<([^>]+)>',line)
+            if g!=None:
+                mailaddrs.append(g.groups()[0])
+        return mailaddrs
+
+
+    def decryptMessage(self,msg):
+        gpg = self.getGPGObject()
+        plaintext = None
+        p = gpg.run(['--decrypt','--no-permission-warning'],
+            create_fhs=['stdin','stdout','stderr','status','passphrase'])
+        t_out = AsyncRead(p.handles['stdout'])
+        t_out.start()
+        t_err = AsyncRead(p.handles['stderr'])
+        t_err.start()
+        t_status = AsyncRead(p.handles['status'])
+        t_status.start()
+        p.handles['passphrase'].write(self.mlist.gpg_passphrase)
+        p.handles['passphrase'].close()
+        p.handles['stdin'].write(msg)
+        p.handles['stdin'].close()
+        t_out.join()
+        t_err.join()
+        t_status.join()
+        plaintext = t_out.data
+        status = t_status.data
+        result = t_err.data
+        try:
+            p.wait()
+        except IOError:
+            if (plaintext==None) or (len(plaintext)==0):
+                syslog('gpg',"Error decrypting message: %s",result)
+                return (None,None)
+            else:
+                syslog('gpg',"Return code non-zero, but plaintext received: %s",result)
+
+        # Check signature
+        key_ids = []
+        for line in status.splitlines():
+            # example status output:
+            #
+            #[GNUPG:] NEED_PASSPHRASE D044CC7F450B4EE8 5F76E17A88C6EDF6 16 0
+            #[GNUPG:] GOOD_PASSPHRASE
+            #[GNUPG:] BEGIN_DECRYPTION
+            #[GNUPG:] PLAINTEXT 62 1113571634 issue
+            #[GNUPG:] PLAINTEXT_LENGTH 1914
+            #[GNUPG:] SIG_ID H2clD0wU6w1QYPF38D7wAYzyy9s 2005-03-14 1110797362
+            #[GNUPG:] GOODSIG 5F76E17A88C6EDF6 Joost van Baal <j.e.vanbaal@uvt.nl>
+            #[GNUPG:] VALIDSIG 7177F40B051B57938A0BE2195F76E17A88C6EDF6 2005-03-14 1110797362 0 3 0 17 2 00 7177F40B051B57938A0BE2195F76E17A88C6EDF6
+            #[GNUPG:] TRUST_ULTIMATE
+            #
+            # we are using short keyid to pinpoint keys: last 8 hexbytes of long key id
+            g = re.search('^\[GNUPG:\] GOODSIG [0-9A-F]{8}([0-9A-F]{8}) ',line)
+            if g!=None:
+                key_ids.append('0x%s' % g.groups()[0].lower())
+
+        return (plaintext,key_ids)
+
+
+    def encryptMessage(self,msg,recipients):
+        gpg = self.getGPGObject()
+        params = ['--encrypt','--always-trust','--batch','--no-permission-warning']
+        for i in recipients:
+            params.append('-r')
+            params.append(i)
+        p = gpg.run(params, create_fhs=['stdin','stdout','stderr'])
+        t_out = AsyncRead(p.handles['stdout'])
+        t_out.start()
+        t_err = AsyncRead(p.handles['stderr'])
+        t_err.start()
+        p.handles['stdin'].write(msg)
+        p.handles['stdin'].close()
+        t_out.join()
+        t_err.join()
+        ciphertext = t_out.data
+        result = t_err.data
+        try:
+            p.wait()
+        except IOError:
+            syslog('gpg',"Error encrypting message: %s",result)
+            return None
+        return ciphertext
+
+
+    def encryptSignMessage(self,msg,recipients):
+        gpg = self.getGPGObject()
+        params = ['--encrypt','--sign','--always-trust','--batch','--no-permission-warning']
+        for i in recipients:
+            params.append('-r')
+            params.append(i)
+        p = gpg.run(params, create_fhs=['stdin','stdout','stderr','passphrase'])
+        t_out = AsyncRead(p.handles['stdout'])
+        t_out.start()
+        t_err = AsyncRead(p.handles['stderr'])
+        t_err.start()
+        p.handles['passphrase'].write(self.mlist.gpg_passphrase)
+        p.handles['passphrase'].close()
+        p.handles['stdin'].write(msg)
+        p.handles['stdin'].close()
+        t_out.join()
+        t_err.join()
+        ciphertext = t_out.data
+        result = t_err.data
+        try:
+            p.wait()
+        except IOError:
+            syslog('gpg',"Error encrypting message: %s",result)
+            return None
+        return ciphertext
+
+
+    def verifyMessage(self,msg,signature):
+        gpg = self.getGPGObject()
+
+        if signature:
+           # signature is not None but a non-empty string: we are dealing with
+           # a detached signature
+
+           # our gpg call will look something like
+           #  gpg --verify sigfile - < msg
+           # we'll need a tmpfile for signature
+
+           # mkstemp is available in python >= 2.3
+           # FIXME check errors
+           #
+           # fd is the file descriptor returned by os.open (NOT a python
+           # file object!) (python-Bugs-922922)
+           (fd, sigfilename) = tempfile.mkstemp('.GPGUtils')
+
+           os.write(fd, signature)
+           os.close(fd)
+           args = [sigfilename, '-']
+        else:
+           # signature == None in case complete signature
+           #  no args to gpg call, read from stdin
+           args = []
+
+        params = ['--verify','--always-trust','--batch','--no-permission-warning']
+        # specify stdout too: we don't want to clutter this proces's stdout
+        p = gpg.run(params, args=args, create_fhs=['stdin', 'stdout','stderr','status'])
+        # see gnupg/DETAILS in the gnupg package for info on status fd
+        t_out = AsyncRead(p.handles['stdout'])
+        t_out.start()
+        t_err = AsyncRead(p.handles['stderr'])
+        t_err.start()
+        t_status = AsyncRead(p.handles['status'])
+        t_status.start()
+        p.handles['stdin'].write(msg)
+        p.handles['stdin'].close()
+        t_out.join()
+        t_err.join()
+        t_status.join()
+        result = t_err.data
+        status = t_status.data
+        try:
+            p.wait()
+        except IOError:
+            syslog('gpg',"Error verifying message: %s",result)
+            return []
+
+        # clean up tmpfile
+        if sigfilename:
+            os.remove(sigfilename)  # FIXME check errors
+
+        key_ids = []
+        for line in status.splitlines():
+            # we are using short keyid to pinpoint keys: last 8 hexbytes of long key id
+            g = re.search('^\[GNUPG:\] GOODSIG [0-9A-F]{8}([0-9A-F]{8}) ',line)
+            if g!=None:
+                key_ids.append('0x%s' % g.groups()[0].lower())
+
+        if not key_ids:
+            syslog('gpg',"No good signature found on message: %s (%s)",status,result)
+        else:
+            syslog('gpg',"Valid signature from key(s) %s found on message",key_ids)
+        return key_ids
+
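Review bot: In `verifyMessage`, `sigfilename` is only assigned inside `if signature:`, so for an inline-signed message the later `if sigfilename:` raises `UnboundLocalError` instead of returning the key ids; and when `p.wait()` raises `IOError` the early `return []` leaves the temporary signature file behind. Set `sigfilename = None` before the `if signature:` and do the `os.remove(sigfilename)` in a `finally` around the gpg call. Separately, `verifyMessage` (which runs with `--always-trust`) and `decryptMessage` identify the signer by the last 8 hex digits of the `GOODSIG` key id; 32-bit key ids are not collision-resistant, so the full fingerprint from the `VALIDSIG` status line would be a sounder identifier, with `importKey` recording fingerprints to match. Also note that `checkPerms` sets the keyring directory to 0770 and the key files, including `secring.gpg`, to 0660, and that `os.mkdir` failures raise `OSError`, which the `except IOError` in `cleanListKeyring` does not catch.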
diff -durP mailman-2.1.15/Mailman/Gui/Privacy.py mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Gui/Privacy.py
--- mailman-2.1.15/Mailman/Gui/Privacy.py	2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Gui/Privacy.py	2010-09-08 14:41:10.000000000 +0200
@@ -18,11 +18,15 @@
 """MailList mixin class managing the privacy options."""
 
 import re
+import os
 
 from Mailman import mm_cfg
 from Mailman import Utils
 from Mailman.i18n import _
 from Mailman.Gui.GUIBase import GUIBase
+from Mailman.Logging.Syslog import syslog
+from Mailman import GPGUtils
+from Mailman import SMIMEUtils
 
 try:
     True, False
@@ -42,6 +46,7 @@
                     ('sender',      _('Sender&nbsp;filters')),
                     ('recipient',   _('Recipient&nbsp;filters')),
                     ('spam',        _('Spam&nbsp;filters')),
+                    ('pgpsmime',    _('PGP-S/MIME options')),
                     ]
         return None
 
@@ -423,6 +428,62 @@
              can be circumvented in a number of ways, e.g. by escaping or
              bracketing it.""")),
           ]
+        
+	pgpsmime_rtn = [
+            _("""This section allows you to configure the PGP and S/MIME
+              policies for this list."""),
+
+            ('sign_policy', mm_cfg.Radio,
+             (_('None'), _('Voluntary'), _('Mandatory')), 0,
+             _("""Signing policy"""),
+             _("""When set to none, the list does not check or add
+               signatures. When set to voluntary, signatures are
+               checked, and if an incoming message is signed, the outgoing
+               message will be signed as well, otherwise it will not be
+               signed. When set to mandatory, both incoming messages must
+               and outgoing messages will be signed.""")),
+            
+            ('encrypt_policy', mm_cfg.Radio,
+             (_('None'), _('Voluntary'), _('Mandatory')), 0,
+             _("""Encryption policy"""),
+             _("""When set to none, the list does not try to decrypt or
+               encrypt messages. When set to voluntary, encrypted messages
+               are decrypted, and if an incoming message was encrypted,
+               the outgoing message will be encrypted as well, otherwise
+               it will not be encrypted. When set to mandatory, both
+               incoming messages must and outgoing messages will be
+               encrypted.""")),
+            
+            ('gpg_public_key', mm_cfg.Text,
+             (10, WIDTH), 0,
+             _("""Public key for mailing list"""),
+
+             _("""Please export your list public key in ASCII-armored
+             format and paste it here. This can be done using the following
+             command:<br/>
+             <code>gpg --homedir <em>your_tmpdir</em> -a --export</code><br/>
+             It is recomended that you publish the list public key in the
+             list info, too.""")),
+
+            ('gpg_secret_key', mm_cfg.Text,
+             (10, WIDTH), 0,
+             _("""Secret key for mailing list"""),
+
+             _("""Please export your list secret key in ASCII-armored
+             format and paste it here. This can be done using the following
+             command:<br/>
+             <code>gpg --homedir <em>your_tmpdir</em>
+             -a --export-secret-key</code>""")),
+
+            ('gpg_passphrase', mm_cfg.String,
+             WIDTH, 0,
+             _("""Enter the passphrase for the secret key"""),
+
+             _("""Please enter the passphrase for the secret key.
+             Note that the passphrase will be stored in plain in the
+             server configuration, so don't use a passphrase which you
+             use for other, important keys.""")),
+          ]
 
         if subcat == 'sender':
             return sender_rtn
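Review bot: `gpg_secret_key` is declared as a plain `mm_cfg.Text` field and `gpg_passphrase` as `mm_cfg.String`, so both will presumably be rendered back into the admin page with their current values each time the section is opened, like any other option. For secrets I would rather have write-only fields (shown empty, changed only when a new value is submitted), or at least a comment above these two tuples saying that the values are echoed to the browser. Minor: the `pgpsmime_rtn = [` line is indented with a tab while the surrounding code uses spaces; it should use eight spaces to match. The enclosing method starts outside this hunk.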
@@ -430,6 +491,8 @@
             return recip_rtn
         elif subcat == 'spam':
             return spam_rtn
+        elif subcat == 'pgpsmime':
+            return pgpsmime_rtn
         else:
             return subscribing_rtn
 
@@ -539,3 +602,26 @@
             self._handleForm(mlist, category, subcat, cgidata, doc)
         # Everything else is dealt with by the base handler
         GUIBase.handleForm(self, mlist, category, subcat, cgidata, doc)
+        # GPG keys..
+        if subcat == 'pgpsmime':
+            syslog('gpg','New list keys uploaded')
+            gh = GPGUtils.GPGHelper(mlist)
+            gh.cleanListKeyring()
+            if mlist.gpg_secret_key!=None and len(mlist.gpg_secret_key)==0:
+                mlist.gpg_secret_key = None
+            if mlist.gpg_secret_key:
+                syslog('gpg','  Importing secret key...')
+                keyids = gh.importKey(mlist.gpg_secret_key)
+                if not keyids:
+                    mlist.gpg_secret_key = None
+            if mlist.gpg_public_key!=None and len(mlist.gpg_public_key)==0:
+                mlist.gpg_public_key = None
+            if mlist.gpg_public_key:
+                syslog('gpg','  Importing public key...')
+                keyids = gh.importKey(mlist.gpg_public_key)
+                if not keyids:
+                    mlist.gpg_public_key = None
+            syslog('gpg','  Importing subscriber public keys...')
+            keyids=gh.importAllSubscriberKeys()
+
+
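Review bot: `gh.cleanListKeyring()` deletes the list's keyring files on every submit of this section and its return value is ignored, and when `gh.importKey(...)` then fails the code just sets `mlist.gpg_secret_key` or `mlist.gpg_public_key` to `None`, so the administrator gets no message and the list is left without a usable key. Report both failures through the `doc` argument this method already receives, e.g. `doc.addError(_('The list secret key could not be imported.'))` after the `if not keyids:` test, and stop before importing if `cleanListKeyring()` returned false. The result of `gh.importAllSubscriberKeys()` is assigned to `keyids` and never used; it returns `None` on failure, which deserves a log line. The enclosing method starts outside this hunk.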
diff -durP mailman-2.1.15/Mailman/Handlers/GpgDecrypt.py mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Handlers/GpgDecrypt.py
--- mailman-2.1.15/Mailman/Handlers/GpgDecrypt.py	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Handlers/GpgDecrypt.py	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,183 @@
+# Copyright (C) 2005 by Stefan Schlott <stefan.schlott informatik.uni-ulm.de>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software 
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+"""Decrypt the incoming message using the list key
+
+"""
+
+from Mailman import Errors
+from Mailman.Logging.Syslog import syslog
+from Mailman import mm_cfg
+from Mailman import GPGUtils
+from Mailman import Utils
+from email.Parser import Parser
+from email.MIMEText import MIMEText
+
+
+def isAdministrativeMail(mlist, msg, msgdata):
+    result = False
+    if msgdata.get('torequest') or msgdata.get('toleave') \
+            or msgdata.get('tojoin') or msgdata.get('toconfirm'):
+        result = True
+    return result
+
+def enforceEncryptPolicy(mlist, msg, msgdata):
+    result = True
+    if msgdata.get('toowner') or msgdata.get('toleave') \
+            or msgdata.get('tojoin') or msgdata.get('toconfirm'):
+        result = False
+    if msgdata.get('torequest'):
+        # This could be more sophisticated:
+        # Parse message, enforce if commands containing passwords are used
+        # These would be: password, subscribe, unsubscribe, who
+        result = False
+    return result
+
+def process(mlist, msg, msgdata):   
+    #syslog('gpg','GPG decryption module called')
+    # Nothing to do when all encryption has been disabled.
+    if mlist.encrypt_policy == 0:
+        return
+
+    plaintext = None
+    ciphertext = None
+    sigid = None
+    sigmsg = None
+    is_pgpmime = False
+
+    # Check: Is inline pgp?
+    if msg.get_content_type()=='application/pgp' or msg.get_param('x-action')=='pgp-encrypted':
+        ciphertext = msg.get_payload()
+        is_pgpmime = False
+    # Check: Is pgp/mime?
+    if msg.get_content_type()=='multipart/encrypted' and msg.get_param('protocol')=='application/pgp-encrypted':
+        if msg.is_multipart():
+            for submsg in msg.get_payload():
+                if submsg.get_content_type()=='application/octet-stream':
+                    is_pgpmime = True
+                    ciphertext=submsg.get_payload()
+        else:
+            ciphertext = msg.get_payload()
+    # Some clients send text/plain messages containing PGP-encrypted data :-(
+    if not msg.is_multipart() and (ciphertext==None) and \
+            (len(msg.get_payload())>10):
+        firstline = msg.get_payload().splitlines()[0]
+        if firstline=='-----BEGIN PGP MESSAGE-----':
+            syslog('gpg','Encrypted message detected, although MIME type is %s',msg.get_content_type())
+            is_pgpmime = False
+            ciphertext = msg.get_payload()
+    # Ciphertext present? Decode
+    if ciphertext:
+        gh = GPGUtils.GPGHelper(mlist)
+        (plaintext,sigid) = gh.decryptMessage(ciphertext)
+        if plaintext is None:
+            syslog('gpg','Unable to decrypt GPG data')
+            raise Errors.RejectMessage, "Unable to decrypt mail!"
+    # Check decryption result
+    if plaintext:
+        # Good signature message
+        if (not isAdministrativeMail(mlist,msg,msgdata)):
+            if (not sigid is None):
+                sigmsg = 'Message had a good signature from sender'
+                if mlist.anonymous_list==0 or mlist.anonymous_list=='No':
+                    sigmsg += ' (key id %s)'%sigid
+            else:
+                sigmsg = 'Posting had no valid signature'
+        # Check transfer type
+        parser = Parser()
+        #syslog('gpg','Test: plaintext=%s',plaintext)
+        tmpmsg = parser.parsestr(plaintext)
+        #syslog('gpg','Test: plaintext is\n%s\n',plaintext)
+        #syslog('gpg','Test: Parsed inner message is\n%s\n',tmpmsg.as_string())
+        if msg.get_content_type()=='application/pgp':
+            msg.set_type("text/plain")
+        msg.del_param("x-action")
+        for i in ('Content-Type','Content-Disposition','Content-Transfer-Encoding'):
+            if tmpmsg.has_key(i):
+                if msg.has_key(i):
+                    msg.replace_header(i,tmpmsg.get(i))
+                else:
+                    msg.add_header(i,tmpmsg.get(i))
+        #syslog('gpg','Test: Sigline=%s',sigmsg)
+        if tmpmsg.is_multipart():
+            #syslog('gpg','Test: Multipart')
+            msg.set_payload(None)
+            for i in tmpmsg.get_payload():
+                msg.attach(i)
+            if not sigmsg is None:
+                sigfooter = MIMEText(sigmsg, 'plain', Utils.GetCharSet(mlist.preferred_language))
+                sigfooter['Content-Disposition'] = 'inline'
+                msg.attach(sigfooter)
+        else:
+            #syslog('gpg','Test: Not multipart')
+            tmppayload = tmpmsg.get_payload()
+            if not sigmsg is None:
+                if not tmppayload.endswith('\n'):
+                    tmppayload += '\n'
+                tmppayload += '-- \n%s\n' % sigmsg
+            msg.set_payload(tmppayload)
+        if not is_pgpmime:
+            mailclient = ''
+            if msg.has_key('User-Agent'):
+                mailclient = msg.get('User-Agent').lower()
+            # Content-Transfer-Encoding and charset are not standardized...
+            if mailclient.startswith('mutt'):
+                msg.set_param('charset','utf-8')
+                if msg.has_key('Content-Transfer-Encoding'):
+                    msg.replace_header('Content-Transfer-Encoding','utf-8')
+                else:
+                    msg.add_header('Content-Transfer-Encoding','utf-8')
+            else:
+                # Just a wild guess...
+                msg.set_param('charset','iso-8859-1')
+                if msg.has_key('Content-Transfer-Encoding'):
+                    msg.replace_header('Content-Transfer-Encoding','8bit')
+                else:
+                    msg.add_header('Content-Transfer-Encoding','8bit')
+
+        #syslog('gpg','Test: Message is now\n%s\n',msg.as_string())
+        # --- Old Code ---
+        #if is_pgpmime:
+        #    if tmpmsg.is_multipart():
+        #        msg.set_payload(None)
+        #        for i in tmpmsg.get_payload():
+        #            msg.attach(i)
+        #        if not sigid is None:
+        #            sigfooter = MIMEText(sigmsg, 'plain', Utils.GetCharSet(mlist.preferred_language))
+        #            sigfooter['Content-Disposition'] = 'inline'
+        #            msg.attach(sigfooter)
+        #    else:
+        #        tmppayload = tmpmsg.get_payload()
+        #        if not sigid is None:
+        #            tmppayload += '\n-- \n%s\n' % sigmsg
+        #        msg.set_payload(tmppayload)
+        #else:
+        #    # Set content header
+        #    #if msg.get_content_type()=='application/pgp':
+        #    #    msg.set_type("text/plain")
+        #    #msg.del_param("x-action")
+        #    # Whole decrypted text is content
+        #    tmppayload = tmpmsg.get_payload()
+        #    if not sigid is None:
+        #        tmppayload += '\n-- \n%s\n' % sigmsg
+        #    msg.set_payload(tmppayload)
+    elif mlist.encrypt_policy==2:
+        if enforceEncryptPolicy(mlist,msg,msgdata):
+            syslog('gpg','Throwing RejectMessage exception: Message has to be encrypted')
+            raise Errors.RejectMessage, "Message has to be encrypted!"
+        else:
+            syslog('gpg','Accepting unencrypted message')
+
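Review bot: The footer text 'Message had a good signature from sender' is chosen in `process` on `sigid` being non-None alone; nothing in this handler compares the signing key with the message's sender address, so the wording promises more than the visible code checks (what `gh.decryptMessage` validates is in GPGUtils, outside this hunk). Either word it neutrally, e.g. `sigmsg = 'Message had a good signature'`, or compare the key's addresses with `msg.get_senders()` before asserting it. The footer is also ordinary body text after `-- ` that any poster could write themselves, so it should not be presented to readers as proof. Separately, the mutt branch sets `Content-Transfer-Encoding` to `utf-8`, which is a charset and not a transfer encoding; `8bit`, as in the else branch, looks like what was meant. The commented-out 'Old Code' block at the end of `process` can be dropped.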
diff -durP mailman-2.1.15/Mailman/Handlers/Hold.py mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Handlers/Hold.py
--- mailman-2.1.15/Mailman/Handlers/Hold.py	2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Handlers/Hold.py	2010-09-08 14:41:10.000000000 +0200
@@ -61,6 +61,22 @@
     reason = _('Post by non-member to a members-only list')
     rejection = _('Non-members are not allowed to post messages to this list.')
 
+class NonGPGSignedPost(Errors.HoldMessage):
+    reason = _('Unsigned post to Secure list')
+    rejection = _('Only messages which are PGP signed with an approved key are allowed on this list.')
+
+class WrongGPGSignedPost(Errors.HoldMessage):
+    reason = _('Post to Secure list signed by unapproved key' )
+    rejection = _('Only messages which are PGP signed with an approved key are allowed on this list.  Upload your PGP public key.')
+
+class NonSMIMESignedPost(Errors.HoldMessage):
+    reason = _('Unsigned post to S/MIME Secure list')
+    rejection = _('Only messages which are S/MIME signed with a key, signed with the listkey are allowed on this list.')
+
+class WrongSMIMESignedPost(Errors.HoldMessage):
+    reason = _('Post to S/MIME Secure list signed by unapproved key' )
+    rejection = _('Only messages which are S/MIME signed with an approved key are allowed on this list.  Get your key signed by the listkey.')
+
 class NotExplicitlyAllowed(Errors.HoldMessage):
     reason = _('Posting to a restricted list by sender requires approval')
     rejection = _('This list is restricted; your message was not approved.')
@@ -283,7 +299,18 @@
             dmsg['Date'] = email.Utils.formatdate(localtime=True)
             dmsg['Message-ID'] = Utils.unique_message_id(mlist)
             nmsg.attach(text)
-            nmsg.attach(MIMEMessage(msg))
+
+            decrypted = msg.get('X-Mailman-SLS-decrypted', '').lower()
+            if decrypted == 'yes':
+                syslog('gpg',
+ 'forwarding only headers of message from %s to listmaster of %s to get approval since message was decrypted',
+ sender, listname)
+                msgtext = msg.as_string()
+                (header, body) = msgtext.split("\n\n", 1)
+                nmsg.attach(MIMEText(header))
+            else:
+                nmsg.attach(MIMEMessage(msg))
+
             nmsg.attach(MIMEMessage(dmsg))
             nmsg.send(mlist, **{'tomoderators': 1})
         finally:
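Review bot: The choice to forward only headers is keyed on the `X-Mailman-SLS-decrypted` header read from `msg`, and no visible hunk removes a copy of that header supplied by the incoming message, so the poster rather than the list can decide whether the moderator sees the body. Prefer the flags the Moderate handler records in `msgdata` (`msgdata.get('encrypted_gpg') or msgdata.get('encrypted_smime')`) if `msgdata` is in scope here (the enclosing function starts outside the hunk), or delete the header from incoming mail before decryption. `(header, body) = msgtext.split("\n\n", 1)` also raises ValueError when the text has no blank line, and `body` is unused; `header = msgtext.split("\n\n", 1)[0]` avoids both. The same code is added to `do_discard` in Moderate.py (hunk `@@ -183,7 +512,18 @@`).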
diff -durP mailman-2.1.15/Mailman/Handlers/Moderate.py mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Handlers/Moderate.py
--- mailman-2.1.15/Mailman/Handlers/Moderate.py	2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Handlers/Moderate.py	2010-09-08 14:41:10.000000000 +0200
@@ -1,3 +1,5 @@
+# Copyright (C) 2005 by Stefan Schlott <stefan.schlott informatik.uni-ulm.de>
+# Copyright (C) 2005 by Tilburg University, http://www.uvt.nl/.
 # Copyright (C) 2001-2011 by the Free Software Foundation, Inc.
 #
 # This program is free software; you can redistribute it and/or
@@ -15,14 +17,17 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
 # USA.
 
-"""Posting moderation filter.
+"""Posting moderation filter, if appropriate takes care of decrypting using list key
 """
 
 import re
+from email.Parser import Parser
 from email.MIMEMessage import MIMEMessage
 from email.MIMEText import MIMEText
 
 from Mailman import mm_cfg
+from Mailman import GPGUtils
+from Mailman import SMIMEUtils
 from Mailman import Utils
 from Mailman import Message
 from Mailman import Errors
@@ -33,6 +38,157 @@
 
 
 
+def enforceEncryptPolicy(mlist, msg, msgdata):
+    result = True
+    if msgdata.get('toowner') or msgdata.get('toleave') \
+            or msgdata.get('tojoin') or msgdata.get('toconfirm'):
+        result = False
+    if msgdata.get('torequest'):
+        # This could be more sophisticated:
+        # Parse message, enforce if commands containing passwords are used
+        # These would be: password, subscribe, unsubscribe, who
+        result = False
+    return result
+
+
+
+def decryptGpg(mlist, msg, msgdata):
+
+    """Returns (encrypted (bool), signed (bool), key_ids), msg is replaced with
+       decrypted msg"""
+
+    encrypted = False
+    signed = False
+    key_ids = []
+    plaintext = None
+    ciphertext = None
+    is_pgpmime = False
+
+    # Check: Is inline pgp?
+    if msg.get_content_type()=='application/pgp' or msg.get_param('x-action')=='pgp-encrypted':
+        ciphertext = msg.get_payload()
+        is_pgpmime = False
+    # Check: Is pgp/mime?
+    if msg.get_content_type()=='multipart/encrypted' and msg.get_param('protocol')=='application/pgp-encrypted':
+        if msg.is_multipart():
+            for submsg in msg.get_payload():
+                if submsg.get_content_type()=='application/octet-stream':
+                    is_pgpmime = True
+                    ciphertext = submsg.get_payload()
+        else:
+            ciphertext = msg.get_payload()
+    # Some clients send text/plain messages containing PGP-encrypted data :-(
+    if not msg.is_multipart() and (ciphertext==None) and \
+            (len(msg.get_payload())>10):
+        firstline = msg.get_payload().splitlines()[0]
+        if firstline=='-----BEGIN PGP MESSAGE-----':
+            syslog('gpg','Encrypted message detected, although MIME type is %s',msg.get_content_type())
+            is_pgpmime = False
+            ciphertext = msg.get_payload()
+    # Ciphertext present? Decode
+    if ciphertext:
+        gh = GPGUtils.GPGHelper(mlist)
+        (plaintext,key_ids) = gh.decryptMessage(ciphertext)
+        if plaintext is None:
+            syslog('gpg','Unable to decrypt GPG data')
+            raise Errors.RejectMessage, "Unable to decrypt mail!"
+        else:
+            encrypted = True
+
+    if key_ids:
+        signed = True
+
+    if not encrypted:
+        return (encrypted, signed, key_ids)
+
+    # Check decryption result
+
+    # Check transfer type
+    parser = Parser()
+    tmpmsg = parser.parsestr(plaintext)
+    if msg.get_content_type()=='application/pgp':
+        msg.set_type("text/plain")
+    msg.del_param("x-action")
+    for i in ('Content-Type','Content-Disposition','Content-Transfer-Encoding'):
+        if tmpmsg.has_key(i):
+            if msg.has_key(i):
+                msg.replace_header(i,tmpmsg.get(i))
+            else:
+                msg.add_header(i,tmpmsg.get(i))
+    if tmpmsg.is_multipart():
+        msg.set_payload(None)
+        for i in tmpmsg.get_payload():
+            msg.attach(i)
+    else:
+        tmppayload = tmpmsg.get_payload()
+        msg.set_payload(tmppayload)
+
+    if not is_pgpmime:
+        mailclient = ''
+        if msg.has_key('User-Agent'):
+            mailclient = msg.get('User-Agent').lower()
+        # Content-Transfer-Encoding and charset are not standardized...
+        if mailclient.startswith('mutt'):
+            msg.set_param('charset','utf-8')
+            if msg.has_key('Content-Transfer-Encoding'):
+                msg.replace_header('Content-Transfer-Encoding','utf-8')
+            else:
+                msg.add_header('Content-Transfer-Encoding','utf-8')
+        else:
+            # Just a wild guess...
+            msg.set_param('charset','iso-8859-1')
+            if msg.has_key('Content-Transfer-Encoding'):
+                msg.replace_header('Content-Transfer-Encoding','8bit')
+            else:
+                msg.add_header('Content-Transfer-Encoding','8bit')
+
+    if encrypted:
+        msg.add_header('X-Mailman-SLS-decrypted', 'Yes')
+
+    return (encrypted, signed, key_ids)
+
+
+def decryptSmime(mlist, msg, msgdata):
+    """Returns (encrypted (bool), signed (bool)), msg is replaced with
+       decrypted msg"""
+
+    # FIXME this implementation is _very_ crude.
+    # merge some stuff with decryptGpg
+
+    encrypted = False
+    signed = False
+    plaintext = None
+    ciphertext = None
+
+    if msg.get_content_type()=="application/x-pkcs7-mime":
+        sm = SMIMEUtils.SMIMEHelper(mlist)
+        ciphertext = msg.as_string()
+        (plaintext, signed) = sm.decryptMessage(ciphertext)
+    else:
+        # don't touch the message if it's no S/MIME
+        return (encrypted, signed)
+
+    parser = Parser()
+    tmpmsg = parser.parsestr(plaintext)
+
+    msg.del_param("x-action")
+
+    for i in ('Content-Type','Content-Disposition','Content-Transfer-Encoding'):
+        if tmpmsg.has_key(i):
+            if msg.has_key(i):
+                msg.replace_header(i,tmpmsg.get(i))
+            else:
+                msg.add_header(i,tmpmsg.get(i))
+
+    tmppayload = tmpmsg.get_payload()
+    msg.set_payload(tmppayload)
+
+    if encrypted:
+        msg.add_header('X-Mailman-SLS-decrypted', 'Yes')
+
+    return (encrypted, signed)
+
+
 class ModeratedMemberPost(Hold.ModeratedPost):
     # BAW: I wanted to use the reason below to differentiate between this
     # situation and normal ModeratedPost reasons.  Greg Ward and Stonewall
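Review bot: `decryptSmime` never sets `encrypted` to True, so it returns `(False, signed)` even after a successful decryption, its `if encrypted:` branch that adds `X-Mailman-SLS-decrypted` is dead, and `process` never records `encrypted_smime`. It also passes `plaintext` to `parser.parsestr` without the `None` check that `decryptGpg` has. After the `sm.decryptMessage(ciphertext)` call add `if plaintext is None: raise Errors.RejectMessage, "Unable to decrypt mail!"` and then `encrypted = True`; whether `SMIMEHelper.decryptMessage` returns None on failure is defined in SMIMEUtils, outside this hunk, so confirm that first. `application/x-pkcs7-mime` is also used for signed-only data, so `encrypted` should be set only when a decryption really took place. `enforceEncryptPolicy` in this hunk duplicates the one in GpgDecrypt.py and is not called by the Moderate.py code shown here.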
@@ -49,13 +205,186 @@
 def process(mlist, msg, msgdata):
     if msgdata.get('approved') or msgdata.get('fromusenet'):
         return
-    # First of all, is the poster a member or not?
+
+    # Deal with encrypted messages
+
+    encrypted_gpg = False
+    encrypted_smime = False
+    signed = False
+    key_ids = []
+    signedByMember = False
+    # To record with which properties we received this message.
+    # This will be important later when distributing it: we want
+    # to be able to support policies like "was incoming signed?
+    # then distribute signed."
+    msgdata['encrypted_gpg'] = False
+    msgdata['encrypted_smime'] = False
+    msgdata['signed_gpg'] = False
+    msgdata['signed_smime'] = False
+
+    # legal values are:
+    #    0 = "No"
+    #    1 = "Voluntary"
+    #    2 = "Mandatory"
+    if mlist.encrypt_policy!=0:
+        # if msg is encrypted, we should decrypt. Try both supported types.
+        (encrypted_gpg, signed, key_ids) = decryptGpg(mlist, msg, msgdata)
+        (encrypted_smime, signedByMember) = decryptSmime(mlist, msg, msgdata)
+        if encrypted_gpg:
+            msgdata['encrypted_gpg'] = True
+        if encrypted_smime:
+            msgdata['encrypted_smime'] = True
+
+        if mlist.encrypt_policy==2 and not encrypted_gpg and not encrypted_smime:
+            syslog('gpg','Throwing RejectMessage exception: Message has to be GPG encrypted')
+            raise Errors.RejectMessage, "Message has to be encrypted!"
+
+    if mlist.sign_policy!=0 and not signed:
+        # PGP signature matters, we have not checked while decrypting
+        gh = GPGUtils.GPGHelper(mlist)
+        payload = ''
+        signatures = []
+        if msg.get_content_type()=='multipart/signed' and msg.get_param('protocol')=='application/pgp-signature' and msg.is_multipart():
+            # handle detached signatures, these look like:
+            #
+            # Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="x0ZPnva+gsdVsg/k"
+            # Content-Disposition: inline
+            #
+            #
+            # --x0ZPnva+gsdVsg/k
+            # Content-Type: text/plain; charset=us-ascii
+            # Content-Disposition: inline
+            #
+            # hello
+            #
+            # --x0ZPnva+gsdVsg/k
+            # Content-Type: application/pgp-signature; name="signature.asc"
+            # Content-Description: Digital signature
+            # Content-Disposition: inline
+            #
+            # -----BEGIN PGP SIGNATURE-----
+            # Version: GnuPG v1.2.5 (GNU/Linux)
+            #
+            # iD8DBQFCQDTGPSnqOAwU/4wRAsoZAKDtN6Pn1dXjC/DAQhqOLHNI6VfNigCfaDPs
+            # FRJlhlGvyhkpx4soGR+CLxE=
+            # =AmS5
+            # -----END PGP SIGNATURE-----
+            #
+            # --x0ZPnva+gsdVsg/k--
+            #
+            # for verification, use payload INCLUDING MIME header:
+            #
+            # 'Content-Type: text/plain; charset=us-ascii
+            #  Content-Disposition: inline
+            #
+            #  hello
+            # '
+            # Thanks Wessel Dankers for hint.
+
+            for submsg in msg.get_payload():
+                if submsg.get_content_type()=='application/pgp-signature':
+                    signatures.append(submsg.get_payload())
+                else:
+                    if not payload:
+                        # yes, including headers
+                        payload = submsg.as_string()
+                    else:
+                        # we only deal with exactly one payload part and one or more signatures parts
+                        syslog('gpg','multipart/signed message with more than one body')
+                        do_discard(mlist, msg)
+        elif msg.get_content_type()=='text/plain' and not msg.is_multipart():
+             # handle inline signature; message looks like e.g.
+             #
+             # Content-Type: text/plain; charset=iso-8859-1
+             # Content-Disposition: inline
+             # Content-Transfer-Encoding: 8bit
+             # MIME-Version: 1.0
+             #
+             # -----BEGIN PGP SIGNED MESSAGE-----
+             # Hash: SHA1
+             #
+             # blah blah
+             #
+             # -----BEGIN PGP SIGNATURE-----
+             # Version: GnuPG v1.4.0 (GNU/Linux)
+             #
+             # iD8DBQFCPtWXW5ql+IAeqTIRAirPAK....
+             # -----END PGP SIGNATURE-----
+             signatures = [None]
+             payload = msg.get_payload()
+
+        for signature in signatures:
+             syslog('gpg', "gonna verify payload with signature '%s'", signature)
+             key_ids.extend(gh.verifyMessage(payload, signature))
+
+
+    if mlist.sign_policy!=0 and not signedByMember:
+        # S/MIME signature matters, we have not checked while decrypting
+        sm = SMIMEUtils.SMIMEHelper(mlist)
+        payload = ''
+        signature = ''
+
+        syslog('gpg', "gonna verify SMIME message")
+        signedByMember = sm.verifyMessage(msg)
+        # raise Errors.NotYetImplemented, "SMIMEUtils doesn't yet do verifyMessage"
+
+    # By now we know whether we have any valid signatures on the message.
+    if signedByMember:
+        msgdata['signed_smime'] = True
+    if key_ids:
+        msgdata['signed_gpg'] = True
+
+    if mlist.sign_policy!=0:
+        if not key_ids and not signedByMember and mlist.sign_policy==2:
+            syslog('gpg','No valid signatures on message')
+            do_discard(mlist, msg)
+
+        if key_ids:
+            gh = GPGUtils.GPGHelper(mlist)
+            senderMatchesKey = False
+            for key_id in key_ids:
+                key_addrs = gh.getMailaddrs(key_id)
+                for sender in msg.get_senders():
+                    for key_addr in key_addrs:
+                        if sender==key_addr:
+                            senderMatchesKey = True
+                            break
+            if not senderMatchesKey:
+                syslog('gpg','Message signed by key which does not match message sender address')
+                do_discard(mlist, msg)
+
+        for user in mlist.getMembers():
+            syslog('gpg','Checking signature: listmember %s',user)
+            for key_id in key_ids:
+                syslog('gpg','Checking signature: key_id %s',key_id)
+                try:
+                    ks=mlist.getGPGKeyIDs(user)
+                except:
+                    ks=None
+                if ks:
+                    for k in mlist.getGPGKeyIDs(user):
+                        syslog('gpg','Checking signature: keyid of listmember is %s',k)
+                        if k==key_id:
+                            signedByMember = True
+                            break
+
+    # done dealing with most of gpg stuff
+
+    # Is the poster a member or not?
     for sender in msg.get_senders():
         if mlist.isMember(sender):
             break
     else:
         sender = None
     if sender:
+        # If posts need to be PGP signed, process signature.
+        if mlist.sign_policy==2:
+            if signedByMember==True:
+                syslog('gpg','Message properly signed: distribute')
+                return
+            else:
+                do_discard(mlist, msg)
+
         # If the member's moderation flag is on, then perform the moderation
         # action.
         if mlist.getMemberOption(sender, mm_cfg.Moderate):
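Review bot: `signedByMember` is set in the `for user in mlist.getMembers()` loop when a signing key id is registered for any member, and `senderMatchesKey` compares the sender only with the addresses listed on the key (`gh.getMailaddrs`), which the key's owner chooses. Taken together the two checks do not establish that the key is the one registered for the member named as sender, which is what a mandatory sign policy needs. Look the key ids up for the sender instead, as sketched below; this assumes `mlist.getGPGKeyIDs` accepts the address form `msg.get_senders()` returns, which is defined outside this hunk. The bare `except:` around `getGPGKeyIDs` also hides every error, and the per-member `syslog` lines run for each message. `process` continues past the end of the hunk.

```python
        # … unchanged: senderMatchesKey check …
        # Accept a signature only from a key registered for a member who is
        # also named as sender of this message.
        for sender in msg.get_senders():
            if signedByMember or not mlist.isMember(sender):
                continue
            try:
                ks = mlist.getGPGKeyIDs(sender)
            except Exception:
                # narrow this to the error getGPGKeyIDs raises for unknown users
                ks = None
            for k in ks or ():
                if k in key_ids:
                    signedByMember = True
                    break
```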
@@ -183,7 +512,18 @@
             'The attached message has been automatically discarded.')),
                         _charset=Utils.GetCharSet(lang))
         nmsg.attach(text)
-        nmsg.attach(MIMEMessage(msg))
+
+        decrypted = msg.get('X-Mailman-SLS-decrypted', '').lower()
+        if decrypted == 'yes':
+            syslog('gpg',
+ 'forwarding only headers of message from %s to listmaster to notify discard since message was decrypted',
+ sender)
+            msgtext = msg.as_string()
+            (header, body) = msgtext.split("\n\n", 1)
+            nmsg.attach(MIMEText(header))
+        else:
+            nmsg.attach(MIMEMessage(msg))
+
         nmsg.send(mlist)
     # Discard this sucker
     raise Errors.DiscardMessage
diff -durP mailman-2.1.15/Mailman/Handlers/SMTPDirect.py mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Handlers/SMTPDirect.py
--- mailman-2.1.15/Mailman/Handlers/SMTPDirect.py	2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/Handlers/SMTPDirect.py	2010-09-08 14:41:10.000000000 +0200
@@ -1,5 +1,10 @@
+# This file is a moderately patched version of SMTPDirect.py which has:
+#
 # Copyright (C) 1998-2011 by the Free Software Foundation, Inc.
 #
+# GPG modifications:
+# Copyright (C) 2005 by Stefan Schlott
+#
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
@@ -15,7 +20,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
 # USA.
 
-"""Local SMTP direct drop-off.
+"""Local SMTP direct drop-off - after GPG encryption.
 
 This module delivers messages via SMTP to a locally specified daemon.  This
 should be compatible with any modern SMTP server.  It is expected that the MTA
@@ -38,10 +43,14 @@
 from Mailman.Handlers import Decorate
 from Mailman.Logging.Syslog import syslog
 from Mailman.SafeDict import MsgSafeDict
+from Mailman import GPGUtils
+from Mailman import SMIMEUtils
 
 import email
 from email.Utils import formataddr
 from email.Header import Header
+from email.Parser import HeaderParser
+from email.Message import Message
 from email.Charset import Charset
 
 DOT = '.'
@@ -95,6 +104,7 @@
 
 
 def process(mlist, msg, msgdata):
+    syslog('gpg','GPG SMTP module called')
     recips = msgdata.get('recips')
     if not recips:
         # Nobody to deliver to!
@@ -106,22 +116,10 @@
             envsender = mlist.GetBouncesEmail()
         else:
             envsender = Utils.get_site_email(extra='bounces')
-    # Time to split up the recipient list.  If we're personalizing or VERPing
-    # then each chunk will have exactly one recipient.  We'll then hand craft
-    # an envelope sender and stitch a message together in memory for each one
-    # separately.  If we're not VERPing, then we'll chunkify based on
-    # SMTP_MAX_RCPTS.  Note that most MTAs have a limit on the number of
-    # recipients they'll swallow in a single transaction.
-    deliveryfunc = None
-    if (not msgdata.has_key('personalize') or msgdata['personalize']) and (
-           msgdata.get('verp') or mlist.personalize):
-        chunks = [[recip] for recip in recips]
-        msgdata['personalize'] = 1
-        deliveryfunc = verpdeliver
-    elif mm_cfg.SMTP_MAX_RCPTS <= 0:
-        chunks = [recips]
-    else:
-        chunks = chunkify(recips, mm_cfg.SMTP_MAX_RCPTS)
+    # Encryption has to be done on per-mail basis. Chunking is not possible.
+    chunks = [[recip] for recip in recips]
+    msgdata['personalize'] = 1
+    deliveryfunc = verpdeliver
     # See if this is an unshunted message for which some were undelivered
     if msgdata.has_key('undelivered'):
         chunks = msgdata['undelivered']
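Review bot: The replacement makes every delivery per-recipient (`chunks = [[recip] for recip in recips]`, `msgdata['personalize'] = 1`, `deliveryfunc = verpdeliver`) for all lists, including those with `mlist.encrypt_policy == 0`, and drops the `SMTP_MAX_RCPTS` chunking and the explicit `personalize` opt-out that the removed lines honoured. Keep the removed branch as the `else:` and take the new path only under `if mlist.encrypt_policy != 0:`, or only when `msgdata.get('encrypted_gpg')` is set, which is the condition the encryption code in `verpdeliver` tests. The new comment should then say why chunking is skipped, e.g. `# Each recipient gets a copy encrypted to their own key, so one recipient per chunk.` `process` starts and ends outside the hunk.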
@@ -276,6 +274,13 @@
 
 
 
+def enforceEncryptPolicy(mlist, msg, msgdata):
+    if msgdata.get('tolist'):
+        return True
+    return False
+
+
+
 def verpdeliver(mlist, msg, msgdata, envsender, failures, conn):
     for recip in msgdata['recips']:
         # We now need to stitch together the message with its header and
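Review bot: This is the third function named `enforceEncryptPolicy` in the patch, and unlike the ones in GpgDecrypt.py and Moderate.py it is true only for `msgdata.get('tolist')` and never reads `mlist.encrypt_policy`, which is easy to misread at the call site. Add a docstring stating the rule, e.g. `"""Return True when copies of this message must not be sent unencrypted (list postings only)."""`, or give the function a name specific to outgoing mail. The body can be `return bool(msgdata.get('tolist'))`. `mlist` and `msg` are unused.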
@@ -340,6 +345,140 @@
         del msgcopy['x-mailman-copy']
         if msgdata.get('add-dup-header', {}).has_key(recip):
             msgcopy['X-Mailman-Copy'] = 'yes'
+        # GPG encryption
+        if 'encrypted_gpg' in msgdata and msgdata['encrypted_gpg'] and mlist.encrypt_policy!=0:
+            # Encryption is not forbidden in config
+            try:
+                keyids=mlist.getGPGKeyIDs(recip)
+            except:
+                keyids=None
+            if enforceEncryptPolicy(mlist,msg,msgdata) and keyids==None:
+                syslog('gpg','Encryption mandatory, but no keys found for %s: '\
+                        'Discarding message',recip)
+                failures[recip]=(550,'Encryption mandatory, but no keys found')
+                return
+            gh = GPGUtils.GPGHelper(mlist)
+            # Extract / generate plaintext
+            gpg_use_inlineformat = False # TODO: Create config setting
+            if not msgcopy.is_multipart() and gpg_use_inlineformat:
+                plaintext=msgcopy.get_payload()
+            else:
+                if not msgcopy.is_multipart():
+                    plaintext = 'Content-Type: %s\n' \
+                        'Content-Disposition: inline\n' \
+                        % msgcopy.get('Content-Type')
+                    if not msgcopy.get('Content-Transfer-Encoding') is None:
+                        plaintext += 'Content-Transfer-Encoding: %s\n' \
+                                % msgcopy.get('Content-Transfer-Encoding')
+                    plaintext += '\n%s' % msgcopy.get_payload()
+                else:
+                    hp = HeaderParser()
+                    tmp = msgcopy.as_string()
+                    tmpmsg = hp.parsestr(tmp)
+                    plaintext = 'Content-Type: %s\n' \
+                        'Content-Disposition: inline\n\n%s' \
+                        % (msgcopy.get('Content-Type'),tmpmsg.get_payload())
+            # Do encryption, report errors
+            ciphertext = None
+            if not keyids is None:
+                # Can encrypt.
+                # No signing policy, or voluntary and original wasn't signed: just encrypt
+                if mlist.sign_policy == 0 or \
+                    (mlist.sign_policy==1 and not msgdata['signed_gpg']):
+                    ciphertext = gh.encryptMessage(plaintext,keyids)
+                else:
+                    ciphertext = gh.encryptSignMessage(plaintext,keyids)
+                if ciphertext==None:
+                    # Must always encrypt, since if we arrived here encrypt_policy
+                    # is either Mantatory or (Voluntary and incoming msg was encrypted).
+                    syslog('gpg',"Can't encrypt message to %s: " \
+                            "Discarding message",keyids)
+                    failures[recip]=(550,'Unable to encrypt message')
+                    return
+            # Compile encrypted message
+            if not ciphertext is None:
+                if msgcopy.has_key('Content-Transfer-Encoding'):
+                    msgcopy.replace_header('Content-Transfer-Encoding','7bit')
+                else:
+                    msgcopy.add_header('Content-Transfer-Encoding','7bit')
+                if not msgcopy.is_multipart() and gpg_use_inlineformat:
+                    msgcopy.set_payload(ciphertext)
+                    msgcopy.set_param('x-action','pgp-encrypted')
+                else:
+                    msgcopy.replace_header('Content-Type','multipart/encrypted')
+                    msgcopy.set_param('protocol','application/pgp-encrypted')
+                    msgcopy.set_payload(None)
+                    submsg = Message()
+                    submsg.add_header('Content-Type','application/pgp-encrypted')
+                    submsg.set_payload('Version: 1\n')
+                    msgcopy.attach(submsg)
+                    submsg = Message()
+                    submsg.add_header('Content-Type','application/octet-stream; name="encrypted.asc"')
+                    submsg.add_header('Content-Disposition','inline; filename="encrypted.asc"')
+                    submsg.set_payload(ciphertext)
+                    msgcopy.attach(submsg)
+                syslog('gpg','Sending encrypted message to %s',recip)
+            else:
+                syslog('gpg','Sending unencrypted message to %s',recip)
+
+        if 'encrypted_smime' in msgdata and msgdata['encrypted_smime'] and mlist.encrypt_policy != 0:
+            # FIXME: this is as crude as can be
+            sm = SMIMEUtils.SMIMEHelper(mlist)
+            recipfile = sm.getSMIMEMemberCertFile(recip)
+
+            if not recipfile:
+                failures[recip]=(550,'No S/MIME key found')
+                return
+            else:
+                plaintext=msgcopy.get_payload()
+                if not msgcopy.is_multipart():
+                    plaintext = msgcopy.get_payload()
+                    syslog('gpg', "About to S/MIME encrypt plaintext from singlepart")
+                else:
+                    # message contains e.g. signature?
+                    # FIXME we fetch only the first attachment.  We search for
+                    # attachments only 2 levels deep.  That's suboptimal...
+                    # perhaps the PGP way (invoking
+                    # hp = HeaderParser()
+                    # ) is better.
+                    submsgs = msgcopy.get_payload()
+                    submsg = submsgs[0]
+                    if not submsg.is_multipart():
+                        plaintext = submsg.get_payload()
+                    else:
+                        subsubmsgs = submsg.get_payload()
+                        subsubmsg = subsubmsgs[0]
+                        plaintext = subsubmsg.get_payload()
+
+                    syslog('gpg', "About to S/MIME encrypt plaintext from multipart")
+
+                if mlist.sign_policy == 0 or \
+                    (mlist.sign_policy==1 and not msgdata['signed_smime']):
+                    ciphertext = sm.encryptMessage(plaintext,recipfile)
+                else:
+                    ciphertext = sm.encryptSignMessage(plaintext,recipfile)
+
+                # deal with both header and body-part of ciphertext
+                (header, body) = ciphertext.split("\n\n", 1)
+                for l in header.split("\n"):
+                    (k, v) = l.split(": ", 1)
+
+                    # behave sane with borken openssl like 0.9.7e (e.g. Debian's 0.9.7e-3sarge1)
+                    # openssl 0.9.8a-4a0.sarge.1 is known to work OK.
+                    # A borken openssl (and therefore sm.encryptMessage) returns
+                    #  Content-Type: application/x-pkcs7-mime; name="smime.p7m"
+                    # while we need a
+                    #  Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
+                    if v == 'application/x-pkcs7-mime; name="smime.p7m"':
+                        v = 'application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"'
+
+                    try:
+                        msgcopy.replace_header(k, v)
+                    except KeyError:
+                        msgcopy.add_header(k, v)
+
+                msgcopy.set_payload(body)
+
         # For the final delivery stage, we can just bulk deliver to a party of
         # one. ;)
         bulkdeliver(mlist, msgcopy, msgdata, envsender, failures, conn)
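Review bot: The S/MIME branch never checks the result of `sm.encryptMessage` / `sm.encryptSignMessage` before `(header, body) = ciphertext.split("\n\n", 1)`, so if openssl wrote nothing the unpack raises ValueError instead of recording a per-recipient failure the way the GPG branch does. A guard before the split, `if not ciphertext or "\n\n" not in ciphertext: failures[recip]=(550,'Unable to encrypt message'); return`, would keep the two paths consistent. In the GPG branch the bare `except:` around `mlist.getGPGKeyIDs(recip)` turns every error into "no key", and when `enforceEncryptPolicy` is false that path ends at 'Sending unencrypted message' for a message that arrived encrypted; catching only the expected not-a-member error would be safer. The `return` statements also leave the `for recip` loop, which starts outside this hunk, so any later recipient in the same chunk is skipped.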
diff -durP mailman-2.1.15/Mailman/MailList.py mailman-2.1.15-pgp-smime_2010-09-08/Mailman/MailList.py
--- mailman-2.1.15/Mailman/MailList.py	2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/MailList.py	2010-09-08 14:41:10.000000000 +0200
@@ -311,6 +312,8 @@
         self.language = {}
         self.usernames = {}
         self.passwords = {}
+        self.gpgkeys = {}
+        self.gpgkeyids = {}
         self.new_member_options = mm_cfg.DEFAULT_NEW_MEMBER_OPTIONS
 
         # This stuff is configurable
@@ -348,6 +351,13 @@
                 mm_cfg.DEFAULT_BOUNCE_MATCHING_HEADERS
         self.header_filter_rules = []
         self.anonymous_list = mm_cfg.DEFAULT_ANONYMOUS_LIST
+
+        self.sign_policy = mm_cfg.DEFAULT_SIGN_POLICY
+        self.encrypt_policy = mm_cfg.DEFAULT_ENCRYPT_POLICY
+        self.gpg_public_key = ''
+        self.gpg_secret_key = ''
+        self.gpg_passphrase = ''
+
         internalname = self.internal_name()
         self.real_name = internalname[0].upper() + internalname[1:]
         self.description = ''
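Review bot: `gpg_secret_key` and `gpg_passphrase` are added as ordinary list attributes next to `gpg_public_key`, so the private key and the passphrase protecting it are presumably persisted together with the rest of the list state and appear wherever that state is dumped or exported. Keeping the passphrase beside the key removes most of the protection the passphrase gives. At minimum a comment such as `# secret material: never expose via web UI, config dumps or logs` belongs above these assignments, and holding the passphrase outside the list object is worth considering. The enclosing method starts and ends outside this hunk.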
diff -durP mailman-2.1.15/Mailman/MemberAdaptor.py mailman-2.1.15-pgp-smime_2010-09-08/Mailman/MemberAdaptor.py
--- mailman-2.1.15/Mailman/MemberAdaptor.py	2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/MemberAdaptor.py	2010-09-08 14:41:10.000000000 +0200
@@ -219,6 +219,25 @@
         """
         raise NotImplementedError
 
+    def getGPGKey(self, member):
+        """Return the member's GPG key.
+
+        The key will be ASCII-armored (as it was uploaded).
+
+        If no key was uploaded, None is returned.
+        If a member is not a member of the list, raise NotAMemberError.
+        """
+        raise NotImplementedError
+
+    def getGPGKeyIDs(self, member):
+        """Return the member's GPG key ID(s).
+
+        The return value will contain an array of Strings.
+        If no key was uploaded, None is returned.
+        If a member is not a member of the list, raise NotAMemberError.
+        """
+        raise NotImplementedError
+
 
     #
     # The writeable interface
@@ -347,3 +366,14 @@
         and returned by getBounceInfo() without modification.
         """
         raise NotImplementedError
+
+    def setGPGKey(self, member, key, keyids):
+        """Set the member's GPG key.
+
+        The key should be ASCII-armored (as it was uploaded).
+
+        To erase a key, set key to None.
+        If a member is not a member of the list, raise NotAMemberError.
+        """
+        raise NotImplementedError
+
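Review bot: The `setGPGKey` docstring does not describe the `keyids` parameter, although implementations store it and `getGPGKeyIDs` returns it. I would add a line such as `keyids is the list of key ID strings belonging to key, as later returned by getGPGKeyIDs().` and state that `keyids` is ignored when `key` is None, which is what the OldStyleMemberships implementation in this patch does.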
diff -durP mailman-2.1.15/Mailman/OldStyleMemberships.py mailman-2.1.15-pgp-smime_2010-09-08/Mailman/OldStyleMemberships.py
--- mailman-2.1.15/Mailman/OldStyleMemberships.py	2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/OldStyleMemberships.py	2010-09-08 14:41:10.000000000 +0200
@@ -31,6 +31,7 @@
 from Mailman import Utils
 from Mailman import Errors
 from Mailman import MemberAdaptor
+from Mailman import SMIMEUtils
 
 ISREGULAR = 1
 ISDIGEST = 2
@@ -166,6 +167,24 @@
         self.__assertIsMember(member)
         return self.__mlist.bounce_info.get(member.lower())
 
+    def getGPGKey(self, member):
+        self.__assertIsMember(member)
+        return self.__mlist.gpgkeys.get(member.lower())
+
+    def getGPGKeyIDs(self, member):
+        self.__assertIsMember(member)
+        return self.__mlist.gpgkeyids.get(member.lower())
+
+    def getSMIMEKey(self, member):
+        self.__assertIsMember(member)
+        sm = SMIMEUtils.SMIMEHelper(self.__mlist)
+        recipfile = sm.getSMIMEMemberCertFile(member)
+        if recipfile:
+            f = file(recipfile)
+            return f.read()
+        else:
+            return None
+
     #
     # Write interface
     #
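Review bot: `getSMIMEKey` opens the certificate with `f = file(recipfile)` and returns `f.read()` without closing the handle, leaving the descriptor open until the object is collected. Reading inside `try: return f.read()` / `finally: f.close()` fixes that. The method is also not declared in MemberAdaptor next to `getGPGKey` and `getGPGKeyIDs`, so other adaptors have no contract for it; a stub there with a docstring saying it returns the PEM text or None would close that gap.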
@@ -368,3 +387,19 @@
                 del self.__mlist.delivery_status[member]
         else:
             self.__mlist.bounce_info[member] = info
+
+    def setGPGKey(self, member, key, keyids):
+        assert self.__mlist.Locked()
+        self.__assertIsMember(member)
+        member = member.lower()
+        if key!=None and len(key)==0:
+            key = None
+        if key is None:
+            if self.__mlist.gpgkeys.has_key(member):
+                del self.__mlist.gpgkeys[member]
+            if self.__mlist.gpgkeyids.has_key(member):
+                del self.__mlist.gpgkeyids[member]
+        else:
+            self.__mlist.gpgkeys[member] = key
+            self.__mlist.gpgkeyids[member] = keyids
+
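Review bot: `setGPGKey` stores `keyids` unchecked, so a non-empty `key` passed with `keyids` of `None` or `[]` leaves `gpgkeys` and `gpgkeyids` disagreeing. verpdeliver only tests `keyids==None`, so an empty list would still reach the encrypt call; what GPGHelper does with it is not visible here. Rejecting that combination up front, e.g. `if key is not None and not keyids: raise ValueError('key without key IDs')`, keeps the invariant in one place. The `key!=None and len(key)==0` test can also be written `if not key: key = None`.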
diff -durP mailman-2.1.15/Mailman/SMIMEUtils.py mailman-2.1.15-pgp-smime_2010-09-08/Mailman/SMIMEUtils.py
--- mailman-2.1.15/Mailman/SMIMEUtils.py	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/SMIMEUtils.py	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,322 @@
+# Copyright (C) 2005 Tilburg University, http://www.uvt.nl/.
+# Author: Joost van Baal
+# Inspired by Stefan Schlott's GPGUtils.py
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+"""This is a interface to the openssl command line tool, dealing with
+SMIME email messages."""
+
+# It should handle deadlock problems using threads.
+# It should be merged with GPGUtils.py and use the pyme GPGME interface.
+
+# It should implement
+#   key_ids = sm.verifyMessage(payload, signature)
+
+# import re
+import os
+# import tempfile
+# import threading
+import errno
+
+import tempfile
+
+from Mailman import Errors
+from Mailman.Logging.Syslog import syslog
+from Mailman import mm_cfg
+
+
+class SMIMEHelper:
+    def __init__(self, mlist):
+        self.mlist = mlist
+
+        # /var/lib/mailman/lists/test-secure/gpg is ~/.gnupg/ for list
+        # test-secure
+        # use /var/lib/mailman/lists/<listname>/smime/{key,cert}.pem
+
+        # FIXME die when these files are not present.  As of 2005-11-28, we behave
+        # very bad when these are missing...
+        #
+        # self.smimedir = "/home/joostvb/smime"
+        self.smimedir = "%s/%s/smime" % (mm_cfg.LIST_DATA_DIR,mlist.internal_name())
+        self.certfile = "%s/cert.pem" % self.smimedir
+        self.keyfile = "%s/key.pem" % self.smimedir
+        self.cafile = "%s/ca.pem" % self.smimedir
+
+    def _getSMIMEMemberCertFile(self, member):
+        return "%s/%s.cert.pem" % (self.smimedir, member.lower())
+
+    def getSMIMEMemberCertFile(self, member):
+        recipfile = self._getSMIMEMemberCertFile(member)
+
+        if not os.access(recipfile,os.F_OK):
+            syslog('gpg', "No Member SMIME Certfile '%s' found", recipfile)
+            return None
+
+        syslog('gpg', "Using Member SMIME Certfile '%s'", recipfile)
+        return recipfile
+
+    def importKey(self, member, key):
+        """beware! this routine does _not_ check wether member is a member of the list"""
+        recipfile = self._getSMIMEMemberCertFile(member)
+        try:
+            f = open(recipfile, 'w')
+            f.write(key)
+            f.close()
+            return True
+        except IOError:
+            syslog('gpg', "Troubles writing S/MIME key for '%s'", member)
+            return False
+
+    def decryptMessage(self,msg):
+        """Typical invokation: (plaintext,signed) =
+           sm.decryptMessage(ciphertext)
+           signed is a Bool"""
+
+        # cmd may be a sequence, in which case arguments will be passed
+        # directly to the program without shell intervention (as with
+        # os.spawnv()). If cmd is a string it will be passed to the shell (as
+        # with os.system()).
+
+        # we don't give a password
+        # decrypt doesn't need -certfile, doesn't use /etc/ssl/certs/
+        cmd = ("openssl", "smime" , "-decrypt", "-recip", self.certfile, "-inkey", self.keyfile)
+        #
+        # if we _want_ to fork an extra shell, run something like:
+        # cmd = "openssl smime -decrypt -recip %s -inkey %s" % (self.certfile, self.keyfile)
+        c_in, c_out, c_err = os.popen3(cmd)
+
+        # hrm, we might need to do threading stuff here, like in
+        # Mailman/GPGUtils.py
+        # for now, the order in which we read and close different file handles
+        # _does_ matter!  (does it?)
+
+        c_in.write(msg)
+        c_in.close()
+
+        out = c_out.read()
+        c_out.close()
+
+        err = c_err.read()
+        c_err.close()
+
+        # don't drag along children in zombie status
+        # FIXME check return status: actually do something with pid and status.
+        # see also Mailman/Utils.py
+        pid, status = os.waitpid(-1, os.WNOHANG)
+
+        syslog('gpg',"openssl decrypt stderr: '%s'",err)
+        # syslog('gpg',"openssl decrypt stdout: %s",out)
+
+        if out.startswith('Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";'):
+
+            cmd = ("openssl", "smime" , "-verify", "-CAfile", self.cafile)
+            c_in, c_out, c_err = os.popen3(cmd)
+            c_in.write(out)
+            c_in.flush()   # FIXME is this needed?
+            c_in.close()
+            err = c_err.read()
+            plaintext = c_out.read()
+            c_out.close()
+            c_err.close()
+
+            pid, status = os.waitpid(-1, os.WNOHANG)
+            syslog('gpg',"openssl verify stderr: '%s'",err)
+
+            if err.startswith('Verification successful'):
+                syslog('gpg',"Valid smime signature found on message")
+                return (plaintext,True)
+                # return (plaintext,key_ids)  FIXME: bool in key_ids?
+            else:
+                syslog('gpg',"No good smime signature found on message")
+                return (plaintext,False)
+        else:
+            syslog('gpg',"No good smime signature found on message: no x-pkcs7-signature MIME part in message")
+            return (out,False)
+
+    def encryptMessage(self,msg,recipfile):
+        """msg: string holding plaintext.  recipfile: .pem file holding
+           recipient certificate.  returns ciphertext with leading MIME
+           headers"""
+
+        # openssl smime -encrypt %a -outform DER -in %f %c
+        # %c One or more certificate IDs.
+
+        # openssl smime -encrypt -in in.txt -from steve@openssl.org \
+        #       -to someone@somewhere -subject "Encrypted message" \
+        #       -des3 user.pem -out mail.msg
+
+
+# beware : openssl smime -encrypt from 0.9.7e (like Debian's 0.9.7e-3sarge1) gives us
+#  Content-Type: application/x-pkcs7-mime; name="smime.p7m"
+# while we need a
+#  Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
+# .
+# openssl_0.9.8a-4a0.sarge.1 gives us this.
+
+# this works:
+#
+#  % openssl smime -encrypt ~/.smime/certificates/joostvb-test-banach.crt < /etc/motd.old > ~/tmp/c
+#  joostvb@banach:~% openssl smime -decrypt -recip ~/.smime/certificates/joostvb-test-banach.crt -inkey ~/.smime/keys/joostvb-test-banach.key  < ~/tmp/c
+
+        syslog('gpg',"running encryptMessage on '%s'", recipfile)
+
+        # cmd = ("openssl", "smime" , "-encrypt", recipfile)
+
+        # poor man's bfr(1)
+        (tmpfd, intmpfilename) = tempfile.mkstemp('.mailman')
+        os.write(tmpfd, msg)
+        os.close(tmpfd)
+
+        (tmpfd, outtmpfilename) = tempfile.mkstemp('.mailman')
+        os.close(tmpfd)
+
+        # "openssl -encrypt" reads and writes at same time.
+        # bfr(1) in Debian bfr package would help.
+        cmd = "openssl smime -encrypt -in %s %s > %s" % (intmpfilename, recipfile, outtmpfilename)
+
+        syslog('gpg',"encryptMessage: invoking openssl as '%s'", cmd)
+
+        c_in, c_out, c_err = os.popen3(cmd)
+
+        # import popen2
+        # c_out, c_in, c_err = popen2.popen3(cmd) # although this is what's suggested in 
+        # Python Library Reference - 6.9.2 Flow Control Issues, it doesn't do the trick
+
+        c_in.close()
+        err = c_err.read()
+        out = c_out.read()
+        c_out.close()
+        c_err.close()
+
+        # FIXME would (0, os.WNOHANG) be better?
+        pid, status = os.waitpid(-1, os.WNOHANG)
+
+        os.remove(intmpfilename)
+
+        tmp = file(outtmpfilename)
+        ciphertext = tmp.read()
+        tmp.close()
+        os.remove(outtmpfilename)
+
+        syslog('gpg',"openssl encrypt stderr: '%s'",err)
+        # syslog('gpg',"openssl encrypt stdout: %s",ciphertext)
+
+        return ciphertext
+
+
+    def encryptSignMessage(self,msg,recipfile):
+        """signs as current list"""
+
+        # Sign and encrypt mail:
+        # openssl smime -sign -in ml.txt -signer my.pem -text \
+        #       | openssl smime -encrypt -out mail.msg \
+        #       -from steve@openssl.org -to someone@somewhere \
+        #       -subject "Signed and Encrypted message" -des3 user.pem
+
+        # does something like
+        # openssl smime -sign -signer ~/.smime/certificates/joostvb+20051121.crt -inkey ~/.smime/keys/joostvb+20051121.key -text < /etc/motd.old | openssl smime -encrypt ~/.smime/certificates/joostvb+20051121.crt > ~/tmp/mail.signed+encrypt
+        # uses encryptMessage
+
+        syslog('gpg',"running encryptSignMessage on '%s'", recipfile)
+
+        (tmpfd, intmpfilename) = tempfile.mkstemp('.mailman')
+        os.write(tmpfd, msg)
+        os.close(tmpfd)
+
+        (tmpfd, outtmpfilename) = tempfile.mkstemp('.mailman')
+        os.close(tmpfd)
+
+        (tmpfd, errtmpfilename) = tempfile.mkstemp('.mailman')
+        os.close(tmpfd)
+
+        # cmd = ("openssl", "smime", "-sign", "-signer", crtfile, "-inkey", keyfile, "text", "-in", intmpfilename, "-out", outtmpfilename)
+        cmd = "openssl smime -sign -signer %s -inkey %s -text < %s > %s 2> %s" % \
+          (self.certfile, self.keyfile, intmpfilename, outtmpfilename, errtmpfilename)
+        # -sign NEEDS to read from stdin.  "-in" won't work.
+
+        syslog('gpg',"encryptSignMessage: invoking openssl as '%s'", cmd)
+
+        c_in, c_out, c_err = os.popen3(cmd)
+
+        c_in.close()
+        err = c_err.read()         # empty
+        out = c_out.read()         # empty
+        c_out.close()
+        c_err.close()
+
+        pid, status = os.waitpid(-1, os.WNOHANG)
+
+        os.remove(intmpfilename)
+
+        o = open(outtmpfilename)
+        signeddata = o.read()
+        o.close()
+        os.remove(outtmpfilename)
+
+        e = open(errtmpfilename)
+        err = e.read()
+        e.close()
+        syslog('gpg',"openssl smime -sign returned '%s'",err)
+        os.remove(errtmpfilename)
+
+        # syslog('gpg',"openssl smime -sign returned signed data '%s'", signeddata)
+
+        ciphertext = self.encryptMessage(signeddata, recipfile)
+        return ciphertext
+
+    # def verifyMessage(self,msg,signature):
+    def verifyMessage(self,msg):
+        if msg.is_multipart():
+            for submsg in msg.get_payload():
+                if submsg.get_content_type()=="application/x-pkcs7-signature":
+
+                    (tmpfd, intmpfilename) = tempfile.mkstemp('.mailman')
+                    os.write(tmpfd, msg.as_string())
+                    os.close(tmpfd)
+
+                    (tmpfd, outtmpfilename) = tempfile.mkstemp('.mailman')
+                    os.close(tmpfd)
+
+                    # specify cmd as a sequence: no shell needed
+                    # cmd = ("openssl", "smime", "-verify", "-CAfile", self.cafile)
+                    # cmd = "openssl smime -verify -CAfile self.cafile -out %s" % tmpfilename
+                    cmd = ("openssl", "smime", "-verify", "-CAfile", self.cafile, "-in", intmpfilename, "-out", outtmpfilename)
+
+                    c_in, c_out, c_err = os.popen3(cmd)
+
+                    c_in.close()
+                    err = c_err.read()
+                    out = c_out.read()  # empty
+                    c_out.close()
+                    c_err.close()
+
+                    pid, status = os.waitpid(-1, os.WNOHANG)
+                    syslog('gpg',"openssl returned '%s'",err)
+
+                    os.remove(intmpfilename)
+
+                    # holds a copy of payload
+                    os.remove(outtmpfilename)
+
+                    if err.startswith('Verification successful'):
+                        syslog('gpg',"Valid smime signature found on message")
+                        return True
+                    else:
+                        syslog('gpg',"Invalid smime signature found on message")
+
+        return False
+        # return key_ids
+
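Review bot: `encryptMessage` builds `cmd` as a string (`"openssl smime -encrypt -in %s %s > %s"`) and passes it to `os.popen3`, so `recipfile` is parsed by a shell; `_getSMIMEMemberCertFile` derives that path from the member address, and `importKey` opens the same unvalidated path for writing. Passing a sequence as `verifyMessage` already does, e.g. `cmd = ("openssl", "smime", "-encrypt", "-in", intmpfilename, "-out", outtmpfilename, recipfile)`, avoids the shell. `_getSMIMEMemberCertFile` should also reject an address containing `/` or a NUL byte before formatting the path. Every call uses `os.waitpid(-1, os.WNOHANG)` and discards the status, so success is judged from stderr text or not at all; checking the openssl child's exit status would make failures explicit.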
diff -durP mailman-2.1.15/Mailman/versions.py mailman-2.1.15-pgp-smime_2010-09-08/Mailman/versions.py
--- mailman-2.1.15/Mailman/versions.py	2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/Mailman/versions.py	2010-09-08 14:41:10.000000000 +0200
@@ -321,6 +321,14 @@
     def add_only_if_missing(attr, initval, l=l):
         if not hasattr(l, attr):
             setattr(l, attr, initval)
+    # 1.2.5-gpg
+    add_only_if_missing('sign_policy', mm_cfg.DEFAULT_SIGN_POLICY)
+    add_only_if_missing('gpg_post_encrypt', mm_cfg.DEFAULT_ENCRYPT_POLICY)
+    add_only_if_missing('gpg_public_key', "")
+    add_only_if_missing('gpg_secret_key', "")
+    add_only_if_missing('gpg_passphrase', "")
+    add_only_if_missing('gpgkeys', {})
+    add_only_if_missing('gpgkeyids', {})
     # 1.2 beta 1, baw 18-Feb-2000
     # Autoresponder mixin class attributes
     add_only_if_missing('autorespond_postings', 0)
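Review bot: The second added line registers `gpg_post_encrypt`, but the verpdeliver hunk earlier in this patch reads `mlist.encrypt_policy` and MailList.py initialises `self.encrypt_policy`, so a list upgraded through this path would still lack `encrypt_policy`. It should presumably read `add_only_if_missing('encrypt_policy', mm_cfg.DEFAULT_ENCRYPT_POLICY)`. The enclosing function starts and ends outside the hunk.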
diff -durP mailman-2.1.15/NEWS.PGP-SMIME mailman-2.1.15-pgp-smime_2010-09-08/NEWS.PGP-SMIME
--- mailman-2.1.15/NEWS.PGP-SMIME	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/NEWS.PGP-SMIME	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,449 @@
+ChangeLog for the Mailman Secure List Server Patch
+--------------------------------------------------
+
+2010-09-08 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * pgp-smime/report-2010-03.tex: added Sixth  Secure List Server project
+     report.
+   * Mailman/Defaults.py.in, Mailman/MailList.py, Mailman/versions.py,
+     Mailman/Gui/Privacy.py, Mailman/Handlers/GpgDecrypt.py,
+     Mailman/Handlers/Moderate.py, Mailman/Handlers/SMTPDirect.py, bin/update:
+     Apply patch contributed by Thijs Kinkhorst in Message-Id:
+     <201008160723.51729.thijs@kinkhorst.com>, Mon, 16 Aug 2010 07:23:47 +0200:
+     Unify gpg and smime sign and encrypt options into two.  There were two
+     sets of options, one for PGP and one for S/MIME.  Now there's one set of
+     options for encryption and signing that is independent of the protocols
+     used for them, as suggested by Guus Sliepen in his 2009 "Security Audit
+     of the Secure List Server, Part II".  Relevant quote: "
+
+       After reviewing the code, I believe that afterwards, the most important
+       task for the developers is to seriously reduce the number of
+       configuration options available to the list administrator. Options that
+       inherently compromise security, such as attachment scrubbing, archiving
+       and support for Usenet, should be permanently disabled and removed from
+       the list administrator pages.  The duplicate sets of options for PGP and
+       S/MIME, and the code duplication behind it, should be unified into two
+       options:
+
+        sign policy None, voluntary, mandatory.
+
+            When set to none, the list should not check or add signatures. When
+        set to voluntary, signatures should be checked, and if an incoming
+        message is signed, the outgoing message must be signed as well,
+        otherwise it should not be signed. When set to mandatory, both
+        incoming and outgoing messages must be signed.
+
+        encrypt policy None, voluntary, mandatory.
+
+            When set to none, the list should not try to decrypt or encrypt
+        messages.  When set to voluntary, encrypted messages should be
+        decrypted, and if an incoming message was encrypted, the outgoing
+        message must be encrypted as well, otherwise it should not be
+        encrypted. When set to mandatory, both incoming and outgoing messages
+        must be encrypted.
+
+       The reduction in options will make it easier for list administrators to
+       make the right choice, and will simplify code and remove many possibly
+       dangerous code paths. For list members, the semantics of these options
+       follow the principle of least surprise; signed messages in are signed
+       messages out, encrypted messages in are encrypted messages out. "
+
+2010-03-01 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * pgp-smime/report-2010-02.txt: added Fifth Secure List Server project
+     report.
+   * TODO.PGP-SMIME: updated
+   * doc/mailman-install/site-list.html, Mailman/Archiver/HyperArch.py,
+     Mailman/Archiver/HyperDatabase.py, Mailman/Archiver/pipermail.py,
+     Mailman/Cgi/Auth.py, Mailman/Cgi/admindb.py, Mailman/Cgi/confirm.py,
+     Mailman/Cgi/create.py, Mailman/Cgi/options.py, Mailman/Cgi/private.py,
+     Mailman/Defaults.py.in, Mailman/Handlers/Approve.py,
+     Mailman/Handlers/Replybot.py, Mailman/Handlers/Scrubber.py,
+     Mailman/ListAdmin.py, Mailman/MailList.py, Mailman/Version.py, NEWS,
+     bin/check_perms, bin/mailmanctl, bin/newlist, configure, configure.in,
+     contrib/mmdsr, doc/mailman-admin*, doc/mailman-install*,
+     doc/mailman-member*, messages/, misc/Makefile.in, templates/:
+     merged with upstream (for upcoming release 2.1.14) up until 2010-03-01 by
+     Mark Sapiro; see NEWS for details.  (We missed upstream release 2.1.13,
+     2009-12-22)
+
+2009-09-05 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * BUGS, NEWS, Mailman/Defaults.py.in, Mailman/ListAdmin.py,
+     Mailman/Mailbox.py, Mailman/Message.py, Mailman/Pending.py,
+     Mailman/SecurityManager.py, Mailman/Utils.py, Mailman/mm_cfg.py.dist.in,
+     Mailman/Archiver/pipermail.py, Mailman/Bouncers/AOL.py,
+     Mailman/Bouncers/BouncerAPI.py, Mailman/Bouncers/SimpleMatch.py,
+     Mailman/Cgi/admin.py, Mailman/Cgi/listinfo.py,
+     Mailman/Handlers/Cleanse.py, Mailman/Handlers/MimeDel.py,
+     Mailman/Handlers/SMTPDirect.py, Mailman/Handlers/Scrubber.py,
+     Mailman/Queue/CommandRunner.py, bin/newlist, bin/update,
+     contrib/check_perms_grsecurity.py, contrib/mmdsr, misc/Makefile.in,
+     templates/es/admlogin.html, tests/test_bounces.py,
+     tests/bounces/aol_01.txt, tests/bounces/simple_37.txt: merged with
+     upstream (for upcoming release 2.1.13) up until 2009-09-05 by
+     Mark Sapiro; see NEWS for details.
+
+2009-07-18 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * Mailman/Handlers/Moderate.py, Mailman/GPGUtils.py: patch supplied by Guus
+     Sliepen in private communication, Mon, 22 Jun 2009 22:50:26 +0200,
+     Message-ID: <20090622205026.GS6540@sliepen.org>. Deal sane with pgp signed
+     messages with more than 2 parts: regard one part as body and rest as
+     signatures.  If more than one body present, discard the message as
+     gibberish.
+   * pgp-smime/audit2/{audit2.tex,fourpartmime.txt,mailflow.dia}{,.asc}: Added
+     Security Audit of the Secure List Server Part II by Guus Sliepen
+
+2009-04-02 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * README.PGP-SMIME.html, Mailman/Gui/Privacy.py
+     improve description of {gpg,smime}_distrib_sign and
+     {gpg,smime}_{post,distrib}_encrypt
+   * pgp-smime/report-2009-01.tex,report-2009-03.tex: added Third and Fourth
+     Secure List Server bi-monthly project reports.
+   * Mailman/Archiver/HyperArch.py, Mailman/Bouncer.py,
+     Mailman/Bouncers/Qmail.py, Mailman/Bouncers/SimpleMatch.py,
+     Mailman/Cgi/admin.py, Mailman/Cgi/admindb.py, Mailman/Cgi/subscribe.py,
+     Mailman/Errors.py, Mailman/Gui/Privacy.py, Mailman/Gui/Topics.py,
+     Mailman/Handlers/Scrubber.py, Mailman/Utils.py, Mailman/Version.py,
+     doc/mailman-admin*, doc/mailman-install*, doc/mailman-member-es*,
+     doc/mailman-member*,
+     messages/*/LC_MESSAGES/mailman.po, messages/ja/doc/mailman-member.tex,
+     messages/mailman.pot, templates/*/headfoot.html,
+     bin/find_member, misc/sitelist.cfg, scripts/driver, tests/test_bounces.py;
+     New Files: contrib/README.courier_to_mailman,
+     contrib/README.redhat_fhs.patch, contrib/courier-to-mailman.py,
+     contrib/redhat_fhs.patch, tests/bounces/qmail_06.txt,
+     tests/bounces/simple_34.txt:
+     merged with upstream (for release >= 2.1.12) up until 2009-04-02 by
+     Mark Sapiro; see NEWS for details.
+   * 2.1.12 was released 2009-02-23.
+
+2009-01-02 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * Enforce confidentiality:
+     - Mailman/GPGUtils.py, Mailman/Handlers/Moderate.py: Emails with a valid
+       signature of a known subscriber are now accepted only if the address in
+       the From header matches one of the email addresses associated with the
+       key.  Since the original signature is removed before the mail is sent to
+       the other subscribers, this did allow one subscriber to impersonate
+       another subscriber or even an outsider.
+   * pgp-smime/mailman-pgp-smime-talk.tex: talk added (still empty).
+   * Mailman/Archiver/HyperArch.py, Mailman/Gui/Privacy.py,
+     Mailman/Defaults.py.in, NEWS, messages/*/LC_MESSAGES/mailman.po,
+     messages/mailman.pot: merged with upstream (for release > 2.1.11) up
+     until 2008-12-29 by Mark Sapiro.
+     - Corrected a typo in Mailman/Gui/Privacy.py. Bug #309757.
+     - Fixed an issue where in some circumstances HyperArch.py would translate
+       ' at ' into the wrong language ultimately throwing a UnicodeDecodeError
+       when the translation was decoded with a different character set.
+       Bug #308152.
+     - Lots of other changes, see NEWS.
+
+2008-12-14 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * Enforce confidentiality:
+     - Mailman/Handlers/{Hold.py,Moderate.py}: in case message was decrypted
+       and should be held or discarded, forward only headers to listmaster, not
+       decrypted content
+     - Mailman/GPGUtils.py, Mailman/Handlers/{Moderate.py,SMTPDirect.py}: make
+       sure we never write unencrypted payload of message to syslog.
+   * Better user interface:
+     - Mailman/Gui/Privacy.py: add more descriptions of various SLS options.
+       Setting {gpg,smime}_distrib_sign to Force has the same effect as
+       setting it to Yes.  Drop support for this bogus (and confusing) option
+       value.
+     - Mailman/Handlers/SMTPDirect.py: bugfix: do not inspect
+       {gpg,smime}_distrib_sign but {gpg,smime}_distrib_encrypt when deciding
+       to discard message which can't be encrypted before distributing.
+     - Mailman/Cgi/options.py: improve security: no longer allow a member to
+       change an already set public key using the password authenticated web UI.
+   * pgp-smime/report-2008-11.tex: added Second Secure List Server bi-monthly
+     project report.
+   * FAQ, NEWS, configure, configure.in, Mailman/Errors.py, Mailman/LockFile.py,
+     Mailman/MailList.py, Mailman/Pending.py, Mailman/SecurityManager.py,
+     Mailman/Utils.py, Mailman/Bouncers/Caiwireless.py,
+     Mailman/Bouncers/GroupWise.py, Mailman/Bouncers/Microsoft.py,
+     Mailman/Bouncers/Netscape.py, Mailman/Bouncers/Postfix.py,
+     Mailman/Cgi/admin.py, Mailman/Cgi/create.py, Mailman/Cgi/edithtml.py,
+     Mailman/Cgi/roster.py, Mailman/Handlers/Decorate.py,
+     Mailman/Handlers/Scrubber.py, Mailman/Handlers/Tagger.py,
+     Mailman/Queue/Switchboard.py, bin/change_pw, bin/export.py, bin/newlist,
+     bin/update, contrib/mmdsr, cron/gate_news, misc/Makefile.in,
+     misc/paths.py.in, tests/test_handlers.py, tests/test_message.py,
+     tests/test_security_mgr.py:
+     merged with upstream (for release > 2.1.11) up until Mon, 08 Dec 2008
+     12:11:40 +0100:
+     - Now Python >= 2.4 is required, and Python 2.6 is supported.
+     - Lot of other changes by Mark Sapiro e.a.
+     So, next to pgp-smime stuff, this patch includes work by
+     upstream for upcoming official Mailman release (2.1.12, likely).
+
+2008-11-16 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * Mailman/{Defaults.py.in,MailList.py,versions.py}, Mailman/Gui/Privacy.py,
+     Mailman/Handlers/{SMTPDirect.py,GpgDecrypt.py,Moderate.py},
+     README.PGP-SMIME.html, TODO.PGP-SMIME, bin/update,
+     pgp-smime/pgp-smime-testsuite.sh: WARNING! Incompatible change!  Names
+     of configuration variables have changed.
+
+      old name                     new name
+      --------                     --------
+      gpg_postings_allowed         gpg_post_encrypt
+      gpg_msg_distribution         gpg_distrib_encrypt
+      gpg_msg_sign                 gpg_distrib_sign
+
+      DEFAULT_GPG_POSTINGS_ALLOWED DEFAULT_GPG_POST_ENCRYPT
+      DEFAULT_GPG_MSG_DISTRIBUTION DEFAULT_GPG_DISTRIB_ENCRYPT
+      DEFAULT_GPG_MSG_SIGN         DEFAULT_GPG_DISTRIB_SIGN
+
+     (The name of gpg_post_sign and DEFAULT_GPG_POST_SIGN is not changed.)
+     This is done for consistency reasons: naming is now similar to the
+     smime_ variables.  If you're upgrading from a previous mailman-pgp-smime
+     version, you'll have to reconfigure all your lists.  The bin/update
+     script might help.  (If you're upgrading from non-pgp-smime Mailman, this
+     change has no impact on your system.)
+   * pgp-smime/{changeoption.py,pgp-smime-testsuite.sh}: implement test suite
+     as a shell script.  (changeoption.py is a yet unfinished attempt at
+     another implementation)
+   * Mailman/SMIMEUtils.py: fix bug: NameError: global name strerror is not
+     defined, found when uploading S/MIME member key using webui.
+   * README.PGP-SMIME.html: add link to directory pgp-smime/, holding reports;
+     updates to list of alternative secure list implementations, thanks to Lars
+     Kruse.
+   * TODO.PGP-SMIME: add detailed timeschedule, as published in project report.
+   * NEWS, Mailman/Handlers/AvoidDuplicates.py, bin/arch, bin/check_perms,
+     templates/ru/userpass.txt, Mailman/Handlers/Decorate.py: merged with
+     upstream (for release > 2.1.11) up until Sun, 16 Nov 2008 10:11:17 +0100:
+     Fixes for Launchpad bugs #280418, #284802 and #297795 and other changes by
+     Mark Sapiro.  So, next to pgp-smime stuff, this patch includes work by
+     upstream for upcoming official Mailman release (2.1.12, likely).
+
+2008-09-25 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * TODO.PGP-SMIME: added description of test suite.
+   * pgp-smime/pgp-smime-testsuite.sh: added (not yet completed) test suite
+     script.
+   * pgp-smime/audit.tex: added Security Audit of the Secure List Server part I
+     by Guus Sliepen.
+   * pgp-smime/report-2008-09.tex: added First Secure List Server bi-monthly
+     project report.
+   * merged with upstream (for release > 2.1.11) up until Sun 2008-09-21
+     12:12:52 -0700: noteworthy changes in Mailman/ListAdmin.py,
+     Mailman/Cgi/admin.py, Mailman/MTA/Postfix.py, cron/gate_news.  See NEWS.
+     So, next to pgp-smime stuff, this patch includes work by Mark Sapiro e.a.
+     for upcoming official Mailman release (2.1.12, likely).
+
+2008-07-26 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * The patch for Mailman/Handlers/SMTPDirect.py was missing from
+     some previous releases.  This made the patch totally unusable.
+     Restored it, using the copy from
+     mailman-2.1.9-ssls_2008-01-10.patch.gz.
+
+2008-07-03 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * 2.1.11 was released 2008-06-30.
+
+2008-06-28 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * Mailman/GPGUtils.py: Apply patch contributed by Tonnerre Lombard in
+
+      Date: Sat, 14 Jun 2008 23:32:40 +0200
+      To: ssls-dev /a/ ulm.ccc.de
+      Message-ID: <20080614233240.444cb283@silence.pas-un-geek-en-tant-que-tel.ch>
+      Subject: [Ssls-dev] Subkey support for ssls
+
+     "I modified the SSLS patch somewhat to add support for PGP subkeys. It
+     appears to work so far."
+
+     This might have fixed Bug #0069.
+
+2008-06-25 Joost van Baal <joostvb-mailman-pgp-smime.mdcc.cx>
+
+   * Renamed and updated:
+      NEWS.SSLS => NEWS.PGP-SMIME
+      README.SSLS.html => README.PGP-SMIME.html
+      TODO.SSLS => TODO.PGP-SMIME
+     - This code is no longer maintained using darcs at non-gnu.uvt.nl, but
+       using bzr at Launchpad.
+     - The project and code is renamed from SURFnet Secure List Server
+       (mailman-ssls) to Mailman Secure List Server (mailman-pgp-smime).
+     - The project now is sponsored by the NLnet foundation
+       (http://www.nlnet.nl/).
+   * TODO.PGP-SMIME: record current roadmap.
+
+2008-01-10 Mike Gerber
+
+   * The patch for 2.1.7 applies fine on 2.1.9.  Just a little repacked for
+     2.1.9.  The package works fine for me.  See
+
+      Date: Wed, 16 Jan 2008 00:39:40 +0100
+      From: Mike Gerber
+      To: ssls-dev /a/ ulm.ccc.de
+      Message-ID: <20080115233940.GA13244@nin.lan.rwsr-xr-x.de>
+      Subject: [Ssls-dev] ssls for mailman 2.1.9
+
+2006-01-30 Joost van Baal <joostvb.uvt.nl>
+
+   * Mailman/Cgi/options.py, Mailman/{Defaults.py.in,MailList.py},
+     Mailman/Gui/Privacy.py, Mailman/Handlers/{Hold.py,SMTPDirect.py},
+     bin/update: Updated to apply to upstream 2.1.7: merged 2.1.6 -> 2.1.7
+     changes.
+   * Mailman/Gui/Privacy.py: more hints on how to import PGP key using webgui.
+   * Mailman/Handlers/SMTPDirect.py: fix Content-Transfer-Encodings: be nice to
+     those who don't use us-ascii.  Thanks to Michael Feiri for this patch.
+   * TODO.SSLSL: bugs #0067, #0068, #0069 added.
+
+2006-01-09 Joost van Baal <joostvb.uvt.nl>
+
+   * Split TODO.SSLS and NEWS.SSLS off README.GPG; convert README.GPG to
+     README.SSLS.html.
+   * README.SSLS.html: This project has a new homepage; added more notes on how
+     to contribute patches.
+   * TODO.SSLS: Roadmap and long-term wishes added.
+   * Mailman/Handlers/GpgSMTPDirect.py: removed.  This stuff is now maintained
+     as a patch on SMTPDirect.py.
+   * Mailman/Defaults.py.in: no longer calls GpgSMTPDirect.py as
+     DELIVERY_MODULE, but uses patched SMTPDirect.py.
+   * Mailman/Handlers/GpgSMTPDirect.py: bugfixes; sanitize encrypted message's
+     MIME structure before distributing.  Don't sent out S/MIME mails with
+     bogus MIME structure.
+   * Mailman/Cgi/options.py: fix bug in uploading S/MIME key via webinterface.
+   * Mailman/SMIMEUtils: make verifyMessage more robust: no more broken pipe;
+     implemented encryptSignMessage
+   * Mailman/SMIMEUtils, Mailman/Handlers/GpgSMTPDirect.py: document issue with
+     openssl 0.9.7e (we have implemented a workaround for this issue).
+   * Mailman/SMIMEUtils: encryptSignMessage no longer strips off first bodyline.
+
+2005-11-21 Joost van Baal <joostvb.uvt.nl>
+
+   * Another extremely unstable bleeding edge known-broken release.
+   * Mailman/Gui/Privacy.py: add notes on new list properties, so that
+     config_list gets aware of these.
+   * Mailman/SMIMEUtils.py: now implements verifyMessage; honors per-list
+     ca.pem.  Work around I/O deadlocks while encrypting by using tempfile
+     module.  Thanks to Wessel Dankers for hint.  Of course, this should
+     get reimplemented using threads.
+   * Mailman/Handlers/Hold.py: added classes NonSMIMESignedPost and
+     WrongSMIMESignedPost.
+   * Mailman/Handlers/Moderate.py: deal with unsigned S/MIME posts which
+     should be have been signed, deal with signed+encrypted posts.
+   * Mailman/Cgi/options.py, Mailman/Gui/Privacy.py,
+     Mailman/{OldStyleMemberships.py,SMIMEUtils.py},
+     templates/en/options.html: added webgui for uploading subscriber
+     S/MIME keys; new routines SMIMEUtils.importKey() and
+     mlist.getSMIMEKey() added.
+   * Mailman/Handlers/GpgSMTPDirect.py: now creates sane S/MIME-encrypted
+     messages (no longer produces corrupt MIME)
+   * Added bunch of S/MIME-related things left to do to TODO-list in this
+     file.
+
+2005-10-28 Joost van Baal <joostvb.uvt.nl>
+
+   * Extremely unstable bleeding edge known-broken release.
+   * S/MIME stuff added:
+     - Mailman/MailList.py, Mailman/Defaults.py.in, bin/update: new list
+       properties:
+        self.smime_post_encrypt = mm_cfg.DEFAULT_SMIME_POST_ENCRYPT
+        self.smime_post_sign = mm_cfg.DEFAULT_SMIME_POST_SIGN
+        self.smime_distrib_encrypt = mm_cfg.DEFAULT_SMIME_DISTRIB_ENCRYPT
+        self.smime_distrib_sign = mm_cft.DEFAULT_SMIME_DISTRIB_SIGN
+     - Mailman/SMIMEUtils.py: added
+   * Fixed FSF snail mail address.
+   * Updated TODO-list, added note on copyright in this file.
+   * Numbered outstanding bugs in TODO-list.
+   * Advertised ssls-devel list in this file.
+   * Advertise version control access in this file.  Thanks Laurent Fousse and
+     Wessel Dankers for help in setting this up.
+
+2005-07-01  Joost van Baal <joostvb.uvt.nl>
+
+   * Mailman/Defaults.py.in, Mailman/Gui/Privacy.py, Mailman/Handlers/Hold.py,
+     Mailman/Handlers/Moderate.py, Mailman/MailList.py,
+     templates/en/options.html:
+     Updated to apply to upstream 2.1.6: merged 2.1.5 -> 2.1.6 changes.
+   * REAME.GPG: lots of (wishlist) bugs added, assigned priorities.  No longer
+     present this as a patch on Stefan Schlott's patch: adapted intro text.
+   * Mailman/GPGUtils.py: fix fatal bug: global name 'result' is not defined.
+     Triggered under some circumstances when decrypting fails.
+   * Mailman/GPGUtils.py, Mailman/Handlers/GpgSMTPDirect.py: fixed copyright
+     statements (taken from Stefan's mailman-2.1.5-gpg_2005-05-03.diff.gz)
+
+2005-04-21  Joost van Baal <joostvb.uvt.nl>
+
+   * Mailman/Handlers/Moderate.py: Force settings of
+     gpg_postings_allowed/gpg_post_sign were mixed: bugfix.
+   * Mailman/Defaults.py.in:  More strict defaults: No web archive:
+     (DEFAULT_ARCHIVE), if archive defined, not public
+     (DEFAULT_ARCHIVE_PRIVATE), don't archive in mbox format (ARCHIVE_TO_MBOX),
+     show list of subscribers to admin only (DEFAULT_PRIVATE_ROSTER).
+   * README.GPG: Stefan's todo list merged.
+
+2005-04-18  Joost van Baal <joostvb.uvt.nl>
+
+   * Mailman/MailList.py, Mailman/versions.py, bin/update: gpg_secret_key and
+     gpg_public_key are of type string, even if unset.  Otherwise, config_list
+     might choke: it tries to invoke splitlines() on these settings.
+   * Mailman/Handlers/Moderate.py: behave more sane on strange messages: code
+     robustness fix.
+   * Mailman/Handlers/GpgDecrypt.py, Mailman/Handlers/Moderate.py: GpgDecrypt
+     is merged with Moderate: we need to share data about valid signatures
+     among these things; adapting the Message type for passing this data is too
+     intrusive.
+   * Mailman/Handlers/Moderate.py: no longer adds valid-signature info to body.
+   * Mailman/mm_cfg.py.in: this file is no longer patched, all config patching
+     (i.e.  DELIVERY_MODULE = 'GpgSMTPDirect') is done in Defaults.py
+   * Mailman/GPGUtils.py: decryptMessage now uses more stable status fd
+     interface from gnupg.  Now returns _all_ key_ids of signers.
+
+2005-03-24  Joost van Baal <joostvb.uvt.nl>
+
+   * Mailman/GPGUtils.py, Mailman/Handlers/Moderate.py: more fixes in copyright
+     blurbs.
+   * README.GPG: warnings on gotcha's added.
+   * Mailman/Handlers/Moderate.py: fixed bug in code (TypeError) which would
+     show up if some members didn't supply their public key.
+
+2005-03-22  Joost van Baal <joostvb.uvt.nl>
+
+   * Updated this README.GPG file: more pointers.
+   * Mailman/GPGUtils.py: fixed verifyMessage (it was unusable.)
+   * Mailman/Handlers/Moderate.py: new verifyMessage interface: we now deal
+     with both inline signatures and detached signatures.
+
+2005-03-21  Joost van Baal <joostvb.uvt.nl>
+
+   * Mailman/Handlers/Moderate.py: fix bug in handling of gpg_post_sign (it
+     was unusable.)
+   * bin/update: add gpg_post_sign.
+   * Mailman/Handlers/GpgDecrypt.py: Fixed copyright blurb, after consulting
+     Stefan. (Mailman/GPGUtils.py will get fixed eventually.)
+
+2005-03-15  Joost van Baal <joostvb.uvt.nl>
+
+   * Mailman/Handlers/Moderate.py: fix syntax error and missing import. Oops.
+   * Mailman/GPGUtils.py: make sure verifyMessage returns a sequence, make
+     sure it's not waiting on stdin.   Add --no-permission-warning to gpg
+     options: typically, we have a group-writable GnuPG homedirectory since
+     both the webserver and the Mailman user interface with us.
+   * Mailman/versions.py: add gpg_post_sign to list attributes, in order to fix
+     AttributeError
+
+2005-03-14 17:01:10 +0100  Joost van Baal <joostvb.uvt.nl>
+
+   * Mailman/Defaults.py.in, Mailman/GPGUtils.py, Mailman/Gui/Privacy.py,
+     Mailman/Handlers/Hold.py, Mailman/Handlers/Moderate.py,
+     Mailman/MailList.py: first shot at adding signature-verification
+     support as a moderation criterium.
+
+2005-02-11  Stefan Schlott (mailman-2.1.5-gpg_2005-02-22.diff.gz)
+
+  - hide the key ID in the "good signature" info of the list server in
+    the case of "anonymous lists"
+  - change "Message had a good signature" into something more useful (if
+    detached signatures aren't possible) that's not so easy to spoof
+    (Thanks, Nicolas!)
+  - typo in the section about mailclients (Thanks, Sebastian!)
+
diff -durP mailman-2.1.15/pgp-smime/audit2/audit2.tex mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit2/audit2.tex
--- mailman-2.1.15/pgp-smime/audit2/audit2.tex	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit2/audit2.tex	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,699 @@
+%Copyright (C) 2009 Guus Sliepen <guus@sliepen.org>
+%This document is released under the GPLv2 or later.
+
+\documentclass[a4]{article}
+\usepackage{a4wide}
+\usepackage[colorlinks]{hyperref}
+\usepackage{url}
+\usepackage{graphicx}
+\usepackage{verbatim}
+
+\newcommand{\iquote}[1]{``\textit{#1}''}
+\newcommand{\file}[1]{\texttt{#1}}
+\newcommand{\var}[1]{\texttt{#1}}
+\newcommand{\val}[1]{\texttt{#1}}
+\newcommand{\tag}[1]{\texttt{#1}}
+\newcommand{\func}[1]{\texttt{#1()}}
+\newcommand{\hdr}[1]{\texttt{#1}}
+\newcommand{\cmd}[1]{\texttt{#1}}
+\newcommand{\handler}[1]{\texttt{#1}}
+\newcommand{\mime}[1]{\texttt{#1}}
+\newcommand{\page}[1]{\nolinkurl{#1}}
+\newcommand{\env}[1]{\texttt{\$#1}}
+\newcommand{\email}[1]{\href{mailto:#1}{\nolinkurl{<#1>}}}
+
+\title{Security Audit of the Secure List Server\\
+Part II}
+
+\author{Guus Sliepen \email{guus@sliepen.org}}
+
+\makeindex
+
+\begin{document}
+
+\maketitle
+
+\begin{abstract}
+The subject of this audit is Mailman 2.1.12 patched with the pgp-smime patch of 2009-04-02,
+and follows the progress since the previous audit.
+The changes in the list of known, open issues are reviewed.
+A test setup was created and the code and its behaviour were reviewed.
+A number of new issues were found in the Secure List Server (SLS).
+Most importantly, although the default settings are reasonably safe,
+if the administrator enables more list options
+there are many possibilities for decrypted messages to be bounced, forward or stored without being re-encrypted.
+The developers should reduce the number of options available to list administrators,
+and continue to work on strict integrity and confidentiality enforcement.
+\end{abstract}
+
+\setlength{\parindent}{0pt}
+\setlength{\parskip}{1.5ex}
+
+\section{Introduction}\label{sec:intro}
+
+\subsection{Subject of the security audit}\label{sec:subject}
+
+The subject of this security audit is the Secure List Server (SLS),
+which consists of the Mailman mailing list server
+augmented with the pgp+smime patch which allows Mailman to handle emails
+which are signed and/or encrypted with OpenPGP or S/MIME in a meaningful way.
+
+Part I of the audit covered a coarse code audit, and was focused more on usage aspects of SLS.
+After reviewing the TODO list and NEWS in section \ref{sec:todolist},
+the flow of mail through the SLS codebase and the issues found therein will be looked at in detail in section \ref{sec:audit}.
+In section \ref{sec:sha1} I will remark on the impliciations of the recent vulnerabilities found in the SHA-1 algorithm for SLS.
+In section \ref{sec:recommendations} I will give recommendations for future work on SLS.
+
+\subsection{Test setup}\label{sec:setup}
+
+To test the functionality and behaviour of SLS, the following test setup was created:
+\begin{itemize}
+\item Asus EeePC 901 with 2 GB RAM and 20 GB storage
+\item Debian unstable (last update on 2009-03-25)
+\item Mailman 2.1.12 patched with \file{mailman-2.1.12-pgp-smime\_2009-04-02.patch}
+\item Postfix 2.5.5-1.1 mail server
+\item Mutt 1.5.18-6 mail client
+\item Lighttpd 1.4.19-4 light-weight web server
+\item GnuPG 1.4.19-5
+\item OpenSSL 0.9.8g-15
+\item Python-GnuPGinterface 0.3.2-9
+\end{itemize}
+
+\section{Review of TODO list and NEWS since 2008-07-03}\label{sec:todolist}
+
+According to the \file{NEWS.PGP-SMIME} file, the following items have changed since the patch from 2008-07-03, which was reviewed in part I of the audit:
+
+\begin{itemize}
+\item A test suite has been added.
+
+At this moment, the test suite consists of a shell script that creates two sets of three mailing lists:
+one set for PGP and one for S/MIME, each set containing three lists with different security levels.
+It subscribes one member to each list, and can send a number of prepared messages to each list.
+
+There are no prepared messages included in SLS however, so one has to create them oneself.
+The test suite also does not check the result of sending the messages to the list.
+The test suite is still far from an automated tool for checking regressions.
+
+\item Names and description of security settings have been changed.
+
+Some previously confusing options for allowing or requiring encryption and/or signatures have been renamed
+to be more consistent, and the descriptions of those options in the web GUI have been clarified.
+This will reduce the chance of an administrator misconfiguring secure lists.
+
+The problem that there are two sets of options, one for PGP and one for S/MIME,
+remains.  Again, it would be better to have one set of options for encryption
+and signing that is independent of the protocols used for them.
+
+\item Members cannot change their public key once set.
+
+This prevents an attacker who can get the password, which is assumed to be much easier than getting the private key,
+to replace a subscriber's public key with its own.
+
+\item Bounces, moderator notifications and logs of encrypted emails no longer contain the decrypted bodies.
+
+Previously, a decrypted copy of an encrypted email was sent without re-encryption to moderators, or sent to the syslog,
+which could result in unintended information disclosure.
+SLS now only sends the headers of the original encrypted email in those cases.
+
+\item From address must now match one of the signature's uids.
+
+Since SLS strips the original signature from emails and adds its own,
+the other recipients can only determine the original sender by looking at the \hdr{From} header.
+SLS now rejects incoming emails whose From-address does not match an uid of the PGP key which signed the post.
+\end{itemize}
+
+The file \file{TODO.PGP-SMIME} has been updated, the following items have changed:
+
+\begin{enumerate}
+\item[0024]\iquote{If a post is properly signed, accept it, no matter whether the From-address is subscribed and no matter the sender moderation policy. However:
+Although that is possible and perhaps desirable,
+one should remember that only the body of an email is signed and/or encrypted, but not the headers.
+If a subscriber is allowed to change the From header at will,
+he can try to impersonate another person when sending an email to the list.
+It is best to restrict the contents of the From header to the email address(es) listed in the subscriber's public key.}
+
+SLS now indeed restricts the contents of the \hdr{From} header, so this item can be removed from the TODO list.
+
+\item[0050]\iquote{Make sure posts get encrypted and signed if needed.
+Perhaps it is best determine whether an incoming email as signed or encrypted,
+and mark this somewhere in its headers, such that the marking does not get
+removed while the email is being processed by SLS.  When sending outgoing
+emails, preferably right before the email is sent to the SMTP server, it should
+be verified that if the message is marked signed, the outgoing email is indeed
+signed. The same goes for encryption (and PGP).}
+
+SLS now adds a \hdr{X-Mailman-SLS-decrypted} header to emails that have been decrypted.
+It is however only used to strip the body from emails that are being bounced in plaintext to the list administrator.
+
+\item[0059]\iquote{Don't use openssl and GnuPGInterface, but pyme.
+KMail is said to use GPGME for S/MIME. Study its source.
+SMScrypto.py from \url{http://smallsister.org/git/SmallMail.git} implements
+crypto in python using pyme. Study its source.}
+
+Indeed, if there is an external library that can encrypt, decrypt, sign and verify emails,
+and it provides all the functionality that SLS needs,
+it is better to use that instead of keeping a (different) private implementation.
+
+Using pyme would remove the need for SLS to use temporary files and to manually start external programs such as \cmd{gpg} and \cmd{openssl}. This removes potential security problems from the SLS code.
+
+\end{enumerate}
+
+\section{Code audit, part II}\label{sec:audit}
+
+In this second part of the code audit, I have followed
+the lifetime of an email, as it is processed by SLS.
+I have done a line-by-line review of the points in the code where emails are decrypted and re-encrypted.
+First I will give an overview of the various subsystems of mailman and how email flows through them.
+Then I will look at the possible issues with the handling of decrypted, but not yet re-encrypted, emails by SLS.
+Finally I will describe my findings of the code dealing with decryption and encryption.
+
+\subsection{Mail flow}\label{sec:mailflow}
+
+When a mailing list is created with SLS,
+a list of email aliases is updated.
+This list of aliases can be read by the mail transfer agent (MTA),
+and tells the MTA what to do with emails for all the relevant mailing list addresses.
+The email aliases generated by SLS for the Postfix MTA look like this:
+
+\begin{verbatim}
+listname:             "|/var/lib/mailman/mail/mailman post listname"
+listname-admin:       "|/var/lib/mailman/mail/mailman admin listname"
+listname-bounces:     "|/var/lib/mailman/mail/mailman bounces listname"
+listname-confirm:     "|/var/lib/mailman/mail/mailman confirm listname"
+listname-join:        "|/var/lib/mailman/mail/mailman join listname"
+listname-leave:       "|/var/lib/mailman/mail/mailman leave listname"
+listname-owner:       "|/var/lib/mailman/mail/mailman owner listname"
+listname-request:     "|/var/lib/mailman/mail/mailman request listname"
+listname-subscribe:   "|/var/lib/mailman/mail/mailman subscribe listname"
+listname-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe listname"
+\end{verbatim}
+
+Where \verb|listname| is replaced with the name of the mailing list.
+These aliases instruct the MTA to pipe the emails it through the \file{/var/lib/mailman/mail/mailman} command.
+That command in turn is a simple wrapper that runs a Python script from \file{/var/lib/mailman/scripts/} with the same name as the first argument.
+So in effect, posts to the mailing list address without any suffix will be piped through \cmd{/var/lib/mailman/scripts/post listname}.
+
+In turn, these Python scripts themselves only put the messages in so-called switchboard queues.
+Messages posted to the mailing list address without a suffix will be put in the Incoming queue,
+which normally resides in \file{/var/lib/mailman/qfiles/in}.
+
+For each switchboard a \file{/var/lib/mailman/bin/qrunner} process is running.
+These processes are normally started at boot time by the \file{/etc/init.d/mailman} script.
+Each \cmd{qrunner} has a loop in which it dequeues messages from its switchboard.
+Each dequeued message is handled by the \func{\_dispose} function.
+For the Incoming queue, it is \func{IncomingRunner.\_dispose}.
+This function in turn puts the message in a message processing pipeline.
+
+The pipeline consists of a number of handler objects, each of which have a \func{process} function which deals with the email.
+Each handler can change the message before it is passed on to the next handler.
+A handler can also raise an exception, in which case the rest of the pipeline will be skipped and the message will
+be either discarded, rejected, or held.
+By default, the pipeline consists of the following handlers, in order of execution:
+
+\handler{SpamDetect},
+\handler{Approve},
+\handler{Replybot},
+\handler{Moderate},
+\handler{Hold},
+\handler{MimeDel},
+\handler{Scrubber},
+\handler{Emergency},
+\handler{Tagger},
+\handler{CalcRecips},
+\handler{AvoidDuplicates},
+\handler{Cleanse},
+\handler{CleanseDKIM},
+\handler{CookHeaders},
+\handler{ToDigest},
+\handler{ToArchive},
+\handler{ToUsenet},
+\handler{AfterDelivery},
+\handler{Acknowledge},
+\handler{ToOutgoing}.
+
+The pipeline will be described in more detail later.
+If no exception is raised by any of the handlers,
+then the last handler, \handler{ToOutgoing}, will enqueue the message in the Outgoing switchboard.
+The Outgoing queue is handled by \func{OutgoingRunner.\_dispose}.
+By default, it processes the message with just the \handler{SMTPDirect} handler.
+
+\begin{figure}
+\begin{center}
+\includegraphics[width=\textwidth]{mailflow}
+\end{center}
+\caption{\small Representation of the Incoming and Outgoing queues.
+Encryption and decryption happens in the orange boxes,
+red boxes process decrypted messages,
+red arrows signify decrypted messages being sent in plaintext.
+Several handlers in the Incoming queue leak plaintext to local storage or to the Internet.
+}
+\label{fig:mailflow}
+\end{figure}
+Decryption and encryption is taking place in the \handler{Moderate} and \handler{SMTPDirect} handlers respectively.
+This means that decrypted content is handled by all the handlers in-between,
+and SLS must take special care that decrypted content is not inadvertently leaked in these handlers.
+Even so, due to the flexibility of the pipeline architecture, an administrator or an add-on package can easily change existing handlers or insert new handlers.
+
+\subsubsection{Incoming message pipeline}\label{sec:incomingpipeline}
+
+\begin{description}
+\item[\tt SpamDetect]
+This handler uses regular expressions on the message header to classify a message as spam or not.
+It can either discard, reject or hold spam. It is configured using the \page{privacy/spam} page on the list admin site.
+
+\item[\tt Approve]
+This handler checks if the message is pre-approved or if the list admin has added an approval header.
+If so, the message tag `approved' is set.
+The message is otherwise unaltered and will always pass to the next handler.
+
+\item[\tt Replybot]
+This handler will send an automated reply in response to an incoming message.
+It is configured using the \page{autoreply} admin page.
+The incoming message itself is unaltered and will always pass to the next handler.
+
+\item[\tt Moderate]
+This handler originally only discarded, rejected, held, or allowed a message based on whether the sender was a list member or not,
+or if Mailman was explicitly configured to discard, reject, hold or allow messages from that sender.
+It was configured using the \page{privacy/sender} admin page.
+In SLS, message decryption and signature verification has been spliced into this handler.
+Decryption and verification is done first,
+then messages are rejected, held or approved depending on the state of the encryption and signature,
+as configured using the \page{privacy/gpg} and \page{privacy/smime} admin pages.
+After that the original moderation rules are applied.
+Note that if messages are held in this and later handlers, they have already been decrypted.
+
+A detailed description of the decryption and signature verification code is given in section \ref{sec:crypto}.
+
+\item[\tt Hold]
+Unless the message has already been tagged as `approved',
+this handler holds messages if they contain administrativia that were erroneously sent to the mailing list address,
+if it has too many recipients, if it contains suspicious headers or if it is too large,
+as configured using some of the options on the \page{general} admin page.
+
+\item[\tt MimeDel]
+This handler can remove MIME parts as configured on the \page{contentfilter} admin page,
+or can discard, reject or forward messages to the list owner if it contains forbidden parts.
+
+\item[\tt Scrubber]
+If configured so on the \page{nondigest} admin page,
+this handler ``scrubs'' attachments from messages and stores them in a web-accessible archive.
+The attachment is then replaced with a URL to the archived copy.
+
+\item[\tt Emergency]
+If the ``Emergency moderation of all list traffic'' option on the \page{general} admin page is set,
+this handler will hold all messages unless they have been approved.
+
+\item[\tt Tagger]
+This handler uses regular expressions to categorise messages into ``topic buckets'', as configured on the \page{topics} admin page.
+Messages are always passed unaltered, except for the possible addition of an \hdr{X-Topics} header if it matches any topics.
+
+\item[\tt CalcRecips]
+This handler determines which list members to forward this message to,
+based on their individual settings for delivery.
+
+\item[\tt AvoidDuplicates]
+This handler culls duplicates from the list determined in the \handler{CalcRecips} handler,
+if these recipients have configured duplicate message removal.
+
+\item[\tt Cleanse]
+This handler removes certain headers that should not occur in outgoing messages,
+such as approval passwords.
+If the list has been configured as anonymous on the \page{general} admin page,
+it will also remove the original \hdr{From}, \hdr{Reply-To}, \hdr{Sender} and \hdr{X-Originating-Mail} headers,
+and replace the first two with the mailing list address.
+
+\item[\tt CleanseDKIM]
+This handler removes DomainKeys headers.
+
+\item[\tt CookHeaders]
+This handler adds \hdr{X-BeenThere}, \hdr{X-Mailman-Version}, \hdr{Precedence}, \hdr{Reply-To}, \hdr{List-Id}
+and some other mailing list related headers to the message,
+and possibly changes the \hdr{Subject} header to add a list prefix.
+
+\item[\tt ToDigest]
+If the mailing list is configured to be digestible on the \page{digest} admin page,
+this appends the message to the list's \file{digest.mbox} file.
+If the digest file exceeds the size threshold, it creates a digest email and puts it in the Virgin queue,
+which in turn pipes it through the \handler{CookHeaders} and \handler{ToOutgoing} handlers.
+
+\item[\tt ToArchive]
+If the message is not a digest, does not contain a \hdr{X-No-Archive} or \hdr{X-Archive: no} header,
+and the mailing list is configured on the \page{archive} admin page to archive messages,
+this handler will put a copy of the message in the Archive queue,
+which in turn passes it to the archiver.
+
+\item[\tt ToUsenet]
+If the list had been configured on the \page{gateway} admin page to send copies to a Usenet group,
+this handler will put a copy of the message in the News queue,
+which in turn will forward the message via NNTP.
+
+\item[\tt AfterDelivery]
+This handler updates the statistics about the last post time and number of posts received on the list.
+
+\item[\tt Acknowledge]
+This handler sends an acknowledgement to the sender if he has configured so.
+
+\item[\tt ToOutgoing]
+This handler puts the message in the Outgoing queue.
+\end{description}
+
+There are many handlers which can, if the mailing list is configured to do so,
+hold, reject, forward or otherwise store decrypted messages without re-encrypting them first.
+Unless measures are taken to keep the confidentiality of previously encrypted messages,
+SLS must either drop the message in those situations, send back a rejection notification with just the original headers,
+or just permanently disable features that interfere with the confidentiality of messages.
+This is a list of issues in the Incoming pipeline that should be addressed:
+
+\begin{itemize}
+\item Decrypted messages being held in the \handler{Hold} handler.
+\item Rejected, held and forwarded messages in the \handler{MimeDel} handler.
+\item Decrypted, scrubbed attachments being made web-accessible in the \handler{Scrubber} handler.
+\item Messages being stored unencrypted for extensive periods and re-sent time-delayed in the \handler{ToDigest} handler.
+\item Messages being archived unencrypted in the \handler{ToArchive} handler.
+\item Messages being forwarded unencrypted to Usenet groups in the \handler{ToUsenet} handler.
+\end{itemize}
+
+As a safeguard, the functions \func{BounceMessage} and \func{HoldMessage}
+should check for the presence of the \hdr{X-Mailman-SLS-decrypted} header and
+prevent decrypted message bodies from being stored or sent.
+
+\subsubsection{Outgoing message pipeline}\label{sec:outgoingpipeline}
+
+\begin{description}
+\item[SMTPDirect]
+This handler sends a copy of the message to each of the recipients,
+possibly signed and/or encrypted
+as configured using the \page{privacy/gpg} and \page{privacy/smime} admin pages.
+
+A detailed description of the signature generation and encryption code is given in section \ref{sec:crypto}.
+\end{description}
+
+\subsection{Decryption and encryption}\label{sec:crypto}
+
+I will now describe the code dealing with the decryption, encryption and signature verification and generation in detail,
+pointing out issues where I found them.
+
+\subsubsection{\func{Moderate.process}}\label{sec:moderate}
+
+Incoming posts to lists are handled by \func{process} in \file{Moderate.py}.
+The variable \var{msg} contains the incoming message, and is modified in a number of places.
+First decryption of messages is tried:
+
+\begin{itemize}
+\item If the \var{gpg\_post\_encrypt} option is set, \func{decryptGpg} is called.
+  \begin{itemize}
+  \item If \var{gpg\_post\_encrypt} is set to \val{2},
+        and the message was not encrypted or if decryption failed,
+        the message is rejected.
+  \end{itemize}
+  Afterwards \var{msg} contains the decrypted message.
+
+\item If the \var{smime\_post\_encrypt} option is set, \func{decryptSmime} is called.
+  \begin{itemize}
+  \item If \var{smime\_post\_encrypt} is set to \val{2},
+        and the message was not encrypted or if decryption failed,
+        the message is rejected.
+  \end{itemize}
+  Afterwards \var{msg} contains the decrypted message.
+\end{itemize}
+
+The fact that there are different settings for PGP and S/MIME can lead to strange, inconsistent behaviour:
+\begin{itemize}
+\item \var{gpg\_post\_encrypt} = \var{smime\_post\_encrypt} = \val{1}:
+      Accepts mail that is S/MIME encrypted first and then PGP encrypted,
+      or mail that is either S/MIME or PGP encrypted,
+      but not mail that is first PGP encrypted and then S/MIME encrypted.
+\item \var{gpg\_post\_encrypt} = \var{smime\_post\_encrypt} = \val{2}:
+      Accepts mail that is S/MIME encrypted first and then PGP encrypted,
+      but rejects the reverse order and rejects mail that is either S/MIME or PGP encrypted.
+\end{itemize}
+There are only a few combinations of \var{gpg\_post\_encrypt} and \var{smime\_post\_encrypt} that make sense.
+As mentioned in part I of the audit, it would be better to have one option, \var{post\_encrypt},
+and allow PGP and/or S/MIME encrypted emails based on whether PGP and/or S/MIME keys have been set for the list.
+
+The decryption functions also check signatures if present, but only for encrypted+signed messages.
+The next part in the code handles messages that are only signed:
+
+\begin{itemize}
+\item If \var{gpg\_post\_sign} is set, but the variable \var{signed} is not set:
+  \begin{itemize}
+  \item If the message is of type \mime{multipart/signed},
+        the last MIME part with type \mime{application/pgp-signature}
+        is used as the signature, and the last MIME part with any other type is used as the payload.
+  \item Else, if the message is of type \mime{text/plain} and not multipart,
+        it is assumed that the message is inline PGP, and the entire message is used as the payload.
+  \item The \func{gh.verifyMessage} function is called.
+  \end{itemize}
+
+\item If \var{smime\_post\_sign} is set, but the variable \var{signedByMember} is not set:
+  \begin{itemize}
+  \item The \func{sm.verifyMessage} function is called.
+  \end{itemize}
+
+\item If \var{gpg\_post\_sign} is set:
+  \begin{itemize}
+  \item If the variable \var{key\_ids} is empty, hold or discard the message.
+  \item Else, check if any sender matches any uid of the key.
+     \begin{itemize}
+     \item If not, hold or discard the message.
+     \item Else, if the signature belongs to any of the keyids of any list member, set \var{signedByMember}.
+     \end{itemize}
+  \end{itemize}
+
+\item If \var{smime\_post\_sign} is set, but the variable \var{signedByMember} is still not set:
+  \begin{itemize}
+  \item Hold or discard the message.
+  \end{itemize}
+\end{itemize}
+
+Here also there are some issues:
+\begin{itemize}
+\item Just as with the \var{gpg\_post\_encrypt} and \var{smime\_post\_encrypt} options,
+there are many nonsensical combinations of \var{gpg\_post\_sign} and \var{smime\_post\_sign} possible.
+\item Although SLS now checks the sender against PGP key's uids,
+it only checks if \emph{any} of the senders match any uid.
+This allows a list member to send a signed email with himself plus other addresses in the \hdr{From} header.
+Since the original signature is stripped, other mailing list members cannot know which of the senders signed and sent the email.
+\item For S/MIME, there are still no checks if the sender is the same as the signer.
+For X.509 certificates, the \hdr{emailAddress} field in the subject DN could be used in the same way as the uid of a PGP key.
+Another option would be to check only the key(s) of the sender instead of checking the signature against all members' certificates in \func{sm.verifyMessage}.
+\item For \mime{multipart/signed} messages, it is assumed by SLS that the body consists of exactly two parts,
+but this assumption is not \emph{asserted}.
+\end{itemize}
+
+\begin{figure}
+\begin{center}
+\verbatiminput{fourpartmime.txt}
+\end{center}
+\caption{\small Layout of \mime{multipart/signed} message with four parts.
+In SLS, only the last two parts are verified.
+In Mutt, the first part and a ``Good signature'' message is shown.
+}
+\label{fig:fourpartmime}
+\end{figure}
+The last issue allows an attacker to reuse another member's post to send any message he wants.
+The variable \var{payload} is set to the last part that is not of type \mime{application/pgp-signature},
+and \var{signature} is set to the last part that is of that type.
+The function \func{gh.verifyMessage} is then called with these variables.
+This means that an attacker can construct a \mime{multipart/signed} message with four parts (see figure \ref{fig:fourpartmime}):
+the first two with his own message and signature, which can be made with any key.
+The last two parts are copied from a valid message previously sent to the list.
+SLS accepts such a message if the \hdr{From} header matches any uid of the key of the copied message's signature.
+
+Mutt, a widely used Mail User Agent (MUA),
+handlers \mime{multipart/signed} messages with more than two parts in a different way.
+It expects the first part to be the message body, and the other parts to be signatures.
+It will honour the \hdr{Content-Length} header though, and will only read that amount of bytes from the message,
+so it is possible to make it read only the first two parts.
+
+When given the attacker's four-part message,
+it will display the first part in-line, and will print a ``Good signature from'' message above it.
+If the other parts are not ignored due to the \hdr{Content-Length} header,
+it will display an additional ``Bad signature'' message for the second \hdr{application/pgp-signature} part.
+
+SLS must either discard those parts it does not check, or reject the whole message.
+
+\subsubsection{\func{Moderate.decryptGpg}}\label{sec:decryptgpg}
+
+The \func{decryptGpg} function tries to find the ciphertext to pass to the \func{gh.decryptMessage} function.
+If the message is of type \mime{multipart/encrypted},
+it assumes there is one part of type \mime{application/octet-stream} that contains the ciphertext.
+If there are more parts, it only uses the last of that specific type as the ciphertext,
+and will discard the other parts.
+
+Although there is no information leak here, it would be better to assert that the message only contains one part,
+and otherwise treat it as unencrypted at all, to prevent silent removal of MIME parts.
+
+\subsubsection{\func{SMTPDirect.verpdeliver}}\label{sec:smtpdirect}
+
+Outgoing messages are ultimately handled by \func{verpdeliver} in \file{SMTPDirect.py}.
+The following happens:
+
+\begin{itemize}
+\item If the \var{gpg\_distrib\_encrypt} option is set, try to encrypt the message for each recipient.
+  \begin{itemize}
+  \item Also sign the message if \var{gpg\_distrib\_sign} is set.
+  \item If no key is known for the recipient or encryption fails, and \var{gpg\_distrib\_encrypt} = \val{1}, send plaintext.
+  \item Else, discard the message.
+  \end{itemize}
+
+\item If the \var{smime\_distrib\_encrypt} option is set, try to encrypt the message for each recipient.
+  \begin{itemize}
+  \item Also sign the message if \var{smime\_distrib\_sign} is set.
+  \item If no key is known for the recipient or encryption fails, and \var{smime\_distrib\_encrypt} = \val{1}, send plaintext.
+  \item Else, discard the message.
+  \end{itemize}
+\end{itemize}
+
+The issues found here are:
+\begin{itemize}
+\item Again, there are possible but nonsensical combinations of \var{gpg\_distrib\_*} and \var{smime\_distrib\_*} options.
+\item The extraction of plaintext before it is passed to the encryption functions is different between the PGP and S/MIME cases.
+This should be unified.
+\item If \var{*\_distrib\_encrypt} = \val{1},
+SLS's behaviour allows one to send an unencrypted message to the list and have it distributed encrypted,
+or allows an encrypted message send to the list be distributed unencrypted,
+depending one whether subscribers have uploaded their public keys or not.
+It would be better to always distribute messages encrypted if they were posted encrypted,
+and unencrypted if they were posted unencrypted.
+To handle the case of a
+dissident\footnote{See \url{http://en.wikipedia.org/wiki/Debian_Free_Software_Guidelines\#debian-legal_tests_for_DFSG_compliance}
+for a description applied to software,
+but which equally applies to any kind of information a person would want to spread.}
+ who wants to ensure emails are always sent to him encrypted,
+a per-subscriber option, like \var{always\_encrypt}, could be added.
+\end{itemize}
+
+\subsubsection{\file{GPGUtils.py}}\label{sec:gpgutils}
+
+The following issues were found in \file{GPGUtils.py}:
+
+\begin{itemize}
+\item The function \func{checkPerms} is called three times,
+but the return value is never checked.
+\item In \func{getMailaddrs}, the regular expression used to extract the email address part from the uids is flawed.
+It matches the first string between angular brackets, however this means an uid like
+``\texttt{Mallory (<alice@example.org>) <mallory@example.com>}'' would yield the wrong address,
+allowing Mallory to use ``\texttt{Alice <alice@example.org>}'' in the \hdr{From} header.
+Of course, the list administrator should check all uids carefully anyway,
+since one can add any uid he wants to his key.
+\item In \func{decryptMessage}, the short key id from the \verb|GOODSIG| response is used.
+However, it would be better to use the long key id from the \verb|VALIDSIG| response,
+to reduce the chance of a hash collision which would allow an attacker to fake the signature of a list member.
+\item In \func{decryptMessage}, the \verb|SIG_ID| response should be checked:
+the date should not be too far in the past or future,
+and it should not match any previously found \verb|SIG_ID|.
+This would prevent replay attacks and time delay attacks.
+\item In \func{decryptMessage}, properly encrypted messages but which contain bad signatures are still accepted,
+even though \var{key\_ids} is left empty. It would be better to outright reject such questionable messages.
+\item There is a lot of code duplication between \func{encryptMessage} and \func{encryptSignMessage}.
+\item In \func{verifyMessage}, \verb|VALIDSIG| and \verb|SIG_ID| should be used as mentioned above.
+\end{itemize}
+
+\subsubsection{\file{SMIMEUtils.py}}\label{sec:smimeutils}
+
+The following issues were found in \file{SMIMEUtils.py}:
+
+\begin{itemize}
+\item In all cases, \file{openssl} is called without an absolute pathname.
+This allows an attacker who can create an arbitrary file in the \env{PATH} of the SLS process to insert a fake OpenSSL binary.
+\item In \func{decryptMessage},
+a encrypted+signed message that is decrypted properly but whose signature verification failed is accepted anyway,
+just as in the GPGUtils case. It would be better to reject such messages.
+\item In \func{decryptMessage}, if decryption failed an empty message is returned instead of \val{None}.
+\item Message signatures are checked against the list of all known certificates,
+but there is no information about which certificate signed the message.
+This makes it difficult to check signatures against \hdr{From} headers.
+\item In \func{encryptMessage}, both plaintext and ciphertext are stored in temporary files created with \func{mkstemp}.
+This allows an attacker who can read files from \file{/tmp} owned by the SLS process
+to acquire the plaintext of encrypted messages.
+It also allows plaintext to stay indefinitely on disk.
+Furthermore, according to the Python documentation,
+\iquote{there is thus no guarantee that the generated filename will have any nice properties,
+such as not requiring quoting when passed to external commands via \func{os.popen}}.
+It is better to use the \var{c\_in} handle to pipe the plaintext into \cmd{openssl},
+having the ciphertext on disk is not a risk.
+\item In \func{encryptSignMessage}, temporary files are used as in \func{encryptMessage}.
+It would be better to use the \var{c\_in} and \var{c\_out} handles to pipe plaintext into and out of \cmd{openssl},
+but if this does not work due to blocking of the pipes,
+then the \func{AsyncRead} and \func{AsyncWrite} functions from \file{GPGUtils.py} should be used.
+\item In \func{decryptMessage}, the \var{cmd} variable is a tuple of strings, in \func{encryptMessage} it is just a string.
+If there are spaces in any paths or in \var{recipfile},
+these will be interpreted as argument separators in \func{encryptMessage}.
+The tuple form should be used here as well.
+\item Nowhere is the \var{status} variable checked to see if the \cmd{openssl} command succeeded.
+\item There is code duplication between \func{decryptMessage} and \func{verifyMessage}.
+\end{itemize}
+
+\section{Weaknesses in SHA-1 and its impact on SLS}\label{sec:sha1}
+
+Recent advances in cryptography have led to the discovery of attacks against the SHA-1
+algorithm\footnote{\url{http://eprint.iacr.org/2009/259.pdf}}.
+The SHA-1 algorithm is used to derive fingerprints (and hence, keyids) from PGP keys,
+and is used to generate signatures made with those keys.
+Many X.509 certificates also specify the SHA-1 algorithm for creating signatures.
+The recently discovered attack reduces the complexity of breaking SHA-1 from $2^{79}$ to $2^{52}$ operations,
+and many believe that further research will result in even better attacks which will further reduce the complexity.
+Therefore, many cryptographers recommend moving away from SHA-1 to the SHA-2 suite of hash algorithms,
+and to SHA-3 in the future.
+At the moment, the free software community is still evaluating how to deal with the
+situation\footnote{\url{http://lwn.net/Articles/337091/}}.
+SLS is calling external programs to deal with keys and signatures,
+so there is little that will need to change.
+However, once migration to new keys and certificates which use stronger hash algorithms is common,
+SLS should disallow members to upload keys and certificates which specify the use deprecated algorithms,
+and should disallow emails with signatures that were created using deprecated algorithms.
+
+\section{Recommendations}\label{sec:recommendations}
+
+The lax checking of \mime{multipart/signed} messages should be fixed first,
+since it allows an attacker to pass his own message to the list if he can obtain a signed message from a list member.
+
+After reviewing the code, I believe that afterwards, the most important task for the developers is to
+seriously reduce the number of configuration options available to the list administrator.
+Options that inherently compromise security, such as attachment scrubbing, archiving and support for Usenet,
+should be permanently disabled and removed from the list administrator pages.
+The duplicate sets of options for PGP and S/MIME, and the code duplication behind it,
+should be unified into two options:
+\begin{description}
+\item[sign\_policy] None, voluntary, mandatory.
+
+When set to none, the list should not check or add signatures.
+When set to voluntary, signatures should be checked,
+and if an incoming message is signed, the outgoing message must be signed as well,
+otherwise it should not be signed.
+When set to mandatory, both incoming and outgoing messages must be signed.
+
+\item[encrypt\_policy] None, voluntary, mandatory.
+
+When set to none, the list should not try to decrypt or encrypt messages.
+When set to voluntary, encrypted messages should be decrypted,
+and if an incoming message was encrypted, the outgoing message must be encrypted as well,
+otherwise it should not be encrypted.
+When set to mandatory, both incoming and outgoing messages must be encrypted.
+\end{description}
+The reduction in options will make it easier for list administrators to make the right choice,
+and will simplify code and remove many possibly dangerous code paths.
+For list members, the semantics of these options follow the principle of least
+surprise\footnote{\url{http://en.wikipedia.org/wiki/Principle_of_least_surprise}};
+signed messages in are signed messages out, encrypted messages in are encrypted messages out.
+
+The next most important task is to continue developing the test suite as mentioned in part I of the audit.
+
+Then I would recommend fixing the processing of status and return codes from external \file{gpg} and \file{openssl} processes.
+An attacker might craft malformed PGP and S/MIME messages which could trigger unexpected behaviour if left unchecked.
+
+Also important, but for now I believe of lesser importance than the above,
+are the issues found with plaintext being stored on the host running SLS
+and possible attacks by local users on that host.
+
+\section{Conclusion}\label{sec:conclusion}
+
+The security of SLS has improved since the previous audit.
+However, a large number of options available to list administrators
+allow unsafe behaviour to be enabled.
+The developers should remove those options,
+and continue work on providing strict integrity and confidentiality enforcement.
+
+\end{document}
+
diff -durP mailman-2.1.15/pgp-smime/audit2/audit2.tex.asc mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit2/audit2.tex.asc
--- mailman-2.1.15/pgp-smime/audit2/audit2.tex.asc	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit2/audit2.tex.asc	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iEYEABECAAYFAko9NWMACgkQAxLow12M2nss9QCffnBZjbP4+gi49kU7hz23vLW/
+vacAoKMkOLH6SV6CrX5ZYYpoT/jVkf0X
+=SdK8
+-----END PGP SIGNATURE-----
diff -durP mailman-2.1.15/pgp-smime/audit2/fourpartmime.txt mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit2/fourpartmime.txt
--- mailman-2.1.15/pgp-smime/audit2/fourpartmime.txt	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit2/fourpartmime.txt	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,42 @@
+From: Alice <alice@example.org>
+To: list@example.org
+Mime-version: 1.0
+Content-Type: multipart/signed; micalg=pgp-sha1;
+        protocol="application/pgp-signature";
+	boundary="boundary"
+Content-Disposition: inline
+
+
+--boundary
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+Content-Transfer-Encoding: quoted-printable
+
+Mallory's message goes here.
+
+--boundary
+Content-Type: application/pgp-signature; name="signature.asc"
+Content-Description: Digital signature
+Content-Disposition: inline
+
+-----BEGIN PGP SIGNATURE-----
+Mallory's signature goes here.
+-----END PGP SIGNATURE-----
+
+--boundary
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+Content-Transfer-Encoding: quoted-printable
+
+Email copied from Alice, a list member, goes here.
+
+--boundary
+Content-Type: application/pgp-signature; name="signature.asc"
+Content-Description: Digital signature
+Content-Disposition: inline
+
+-----BEGIN PGP SIGNATURE-----
+Alice's signature goes here.
+-----END PGP SIGNATURE-----
+
+--boundary--
diff -durP mailman-2.1.15/pgp-smime/audit2/fourpartmime.txt.asc mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit2/fourpartmime.txt.asc
--- mailman-2.1.15/pgp-smime/audit2/fourpartmime.txt.asc	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit2/fourpartmime.txt.asc	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iEYEABECAAYFAko9NXQACgkQAxLow12M2nseIwCgivkd+aUsFc5+2daPA1zcVpnx
+UvMAn1jZxw5ESY+lMS+6JX5tAy02OObq
+=9Vg8
+-----END PGP SIGNATURE-----
Les fichiers binaires mailman-2.1.15/pgp-smime/audit2/mailflow.dia et mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit2/mailflow.dia sont différents.
diff -durP mailman-2.1.15/pgp-smime/audit2/mailflow.dia.asc mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit2/mailflow.dia.asc
--- mailman-2.1.15/pgp-smime/audit2/mailflow.dia.asc	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit2/mailflow.dia.asc	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iEYEABECAAYFAko9NW4ACgkQAxLow12M2ntHOACfcRn0EGI9EJWJYiqYLn0acn5Z
+fX8An0Z9qG5kl2ZI13l8txN9f2LfmHON
+=cdAe
+-----END PGP SIGNATURE-----
diff -durP mailman-2.1.15/pgp-smime/audit.tex mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit.tex
--- mailman-2.1.15/pgp-smime/audit.tex	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/audit.tex	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,390 @@
+%    Security Audit of the Secure List Server part I
+%
+%    Copyright (c) 2008 Guus Sliepen <guus@sliepen.org>
+%
+%    This program is free software; you can redistribute it and/or modify
+%    it under the terms of the GNU General Public License as published by
+%    the Free Software Foundation; either version 2 of the License, or
+%    (at your option) any later version.
+%
+%    This program is distributed in the hope that it will be useful,
+%    but WITHOUT ANY WARRANTY; without even the implied warranty of
+%    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+%    GNU General Public License for more details.
+%
+%    You should have received a copy of the GNU General Public License
+%    along with this program; if not, write to the Free Software
+%    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+%    USA.
+%
+\documentclass[a4]{article}
+\usepackage{a4wide}
+\usepackage{url}
+
+\title{Security Audit of the Secure List Server\\
+Part I}
+
+\author{Guus Sliepen \url{<guus@sliepen.org>}}
+
+\begin{document}
+
+\maketitle
+
+\begin{abstract}
+The subject of this audit is 
+Mailman 2.1.11-2 with the pgp-smime patch of 2008-07-03.
+The list of known, open issues was reviewed.
+The code provided in the patch was also reviewed.
+A test setup was created and the administration and usage of secure lists were reviewed.
+A number of issues were found with this version of the Secure List Server.
+Although the bare functionality of a secure list server is implemented,
+there is still some way to go before it can be called robust and fool-proof.
+The developers should work first on providing strict integrity and confidentiality enforcement.
+\end{abstract}
+
+\setlength{\parindent}{0pt}
+\setlength{\parskip}{1.5ex}
+
+\section{Introduction}
+
+\subsection{Subject of the security audit}
+
+The subject of this security audit is the Secure List Server (SLS),
+which consists of the Mailman mailing list server
+augmented with the pgp-smime patch which allows Mailman to handle emails
+which are signed and/or encrypted with OpenPGP or S/MIME in a meaningful way.
+
+Before looking at the cryptographic functionality offered by SLS,
+I will describe the basic functionality of a mailing list manager (hereafter called a list manager).
+A mailing list manager manages zero or more mailing lists (hereafter called a list).
+Each list can have zero or more subscribers.
+Both lists and subscribers are associated with email addresses.
+If a subscriber of a certain list sends an email to the list's address (herafter called posting),
+the list manager will forward a copy of that email to all the other subscribers.
+In some cases, a person not subscribed to a particular list (a non-subscriber),
+is allowed to post to that list, in other cases it is not allowed.
+The list manager generally allows people to subscribe themselves to the lists of their choice.
+A list manager can hold messages for moderation by a list moderator.
+A list manager can maintain archives of the emails sent to the list.
+
+The original Mailman is not aware of OpenPGP or S/MIME signatures or encryption,
+and will forward messages that are signed and/or encrypted verbatim,
+without checking signatures or performing decryption.
+The pgp-smime patch brings awareness of signatures and encryption to Mailman.
+If SLS knows the public keys of the subscribers for a list,
+it can verify the OpenPGP or S/MIME signatures on incoming emails,
+and reject emails without proper signatures, if so configured.
+If a list is associated with a given public/private keypair,
+SLS can optionally sign outgoing emails with the list key,
+allowing subscribers to verify that the emails they receive really were sent via the list manager.
+If a subscriber posts a message encrypted with the list's public key,
+SLS can decrypt the message and optionally re-encrypt it with the receivers'
+public keys before forwarding the message,
+allowing messages to be exchanged in confidentiality within the group of subscribers.
+
+It is important to realise that subscribers have certain expectations from secure lists,
+and that not all of those expectations can simply be met by throwing some cryptography at the list manager.
+The scope of this security audit therefore does not only include the use of the GNU Privacy Guard (GnuPG) and OpenSSL in the pgp-smime patch, but the whole functionality SLS offers to the list administrators and subscribers.
+
+\subsection{Test setup}
+
+To test the functionality and behaviour of SLS, the following test setup was created:
+\begin{itemize}
+\item Asus EeePC 701 with 2 GB RAM and 20 GB storage
+\item Debian unstable (last update on 2008-07-21)
+\item Mailman 2.1.11-2 patched with \verb|mailman-2.1.11-pgp-smime_2008-07-03.patch|
+\item Postfix 2.5.2-2 mail server
+\item Mutt 1.5.18-3 mail client
+\item Lighttpd 1.4.19-4 light-weight web server
+\item GnuPG 1.4.9-2
+\item OpenSSL 0.9.8g-11
+\item Python-GnuPGinterface 0.3.2-9
+\end{itemize}
+
+Prior to this setup, an almost identical one was used, except that \verb|mailman-2.1.11-pgp-smime_2008-06-25.patch| was used.
+That particular version of the patch lacked the ability to encrypt or sign outgoing messages,
+and would always send messages in plaintext, even on lists where encryption was mandatory.
+This gross oversight was fixed in the next patch,
+but could have been prevented by having a test suite
+that the developers can use to determine the correct functioning of SLS before new patches are released.
+
+%Users and admins expect sane behaviour, and want everything to work (unless
+%something is not possible at all)
+%- member expects error message when something isn't configured right
+%- messages signed by member should keep signature (if possible)
+%- messages encrypted to list should never be viewable by non-members
+%- messages encrypted should never be forwarded unencrypted
+%- archive should keep original messages (ie, those encrypted to the list
+%  server)
+%- handle encrypted but unsigned emails?
+%- do not allow stupid behaviour
+
+\section{Review of TODO list}
+
+SLS contains a list of open items in the file \verb|TODO.PGP-SMIME|.
+I have reviewed this list, and have the following remarks for some of the items:
+
+\begin{enumerate}
+\item[0006]\textit{Using the web roster, any subscriber can view any subscribers' preferences, including public key. And maybe even change.}
+\\
+The web roster should normally only be accessible by the list administrator, not by individual subscribers.
+
+\item[0009]\textit{Harden this thing: re-encrypt immediately after decrypting.}
+\\
+The best way to ensure confidential information is not leaked is indeed to keep the time the decrypted information is present to a minimum.
+Although normally memory that is freed by an application is discarded or reused for other purposes, it is possible that temporarily used memory is stored more permanently, outside the control of the application.
+If the list manager runs on a system with swap enabled, it is possible that parts of the memory are copied to disk, where it can remain indefinetely.
+This risk can be avoided by using the mlock() call to prevent memory from being swapped out to disk.
+The list manager should also immediately overwrite sensitive information with zeroes or random bits.
+The list manager should also avoid writing decrypted information to temporary files, as it is even harder to manage sensitive information on disk than in memory.
+
+\item[0012]\textit{When creating a list, make sure the listadmin password is not sent via plain email.}
+\\
+A chain is only as strong as its weakest link.
+For lists that require confidentiality, and hence only accepts and forwards encrypted emails,
+the management of that list should also go via an encrypted channel,
+either via encrypted emails from the list admin to the list manager,
+or via an SSL encrypted connection to the web interface of the list manager.
+It would also be better to use signed emails or client certificates than to use passwords.
+
+\item[0013] \textit{Perhaps we should suggest an empty passphrase for list keys in our interface.}
+\\
+Passphrases only improve the security of key material for human interaction.
+Perhaps it is better to {\em require} empty passphrases for list keys,
+so as not to give the false impression that a passphrase would enhance security.
+
+\item[0015]\textit{We should refuse to create an html list archive for secure lists.}
+\\
+It should be possible to create archives of secure lists while still preserving the intended integrity and/or confidentiality of the list.
+Lists that just require integrity can maintain an archive provided that the signature of archived emails is kept.
+Lists that require confidentiality can either store the incoming emails in the archive without decrypting them, and then re-encrypt them to another subscriber when they request old emails from the archive.
+Another option is to decrypt incoming emails, and store a copy in the archive that is encrypted to {\em all} current subscribers.
+Both options have their own advantages and disadvantages, perhaps this could be a configurable setting.
+
+\item[0024]\textit{If a post is properly signed, accept it, no matter wether the From-adress is subscribed and no matter the sender moderation policy.}
+\\
+Although that is possible and perhaps desirable,
+one should remember that only the body of an email is signed and/or encrypted, but not the headers.
+If a subscriber is allowed to change the From header at will,
+he can try to impersonate another person when sending an email to the list.
+It is best to restrict the contents of the From header to the email address(es) listed in the subscriber's public key.
+
+\item[0030]\textit{Deal with subscribers without public keys.}
+\\
+The best way to deal with this issue is not to allow someone to subscribe without providing a public key for lists that require one.
+For subscription via email, require that the subscription request is properly signed,
+and automatically store the public key along with other subscriber's details.
+For subscription via the web, require that the subscriber uploads his public key
+in the same form as the subscription request.
+In both cases, require that the subscriber's response to the verification email is also signed.
+
+\item[0031]\textit{When bouncing e-mail because list policy was violated [\dots] only bounce the headers, not the complete e-mail message.}
+\\
+Indeed, by allowing the body of an email to be included in the bounce, an attacker can send emails containing viruses or other unwanted payloads to a list, and can forge the From header so the bounce will be sent to a victim of choosing.
+This item was marked as difficult to implement, wishlist severity.
+I cannot believe it would be difficult to strip the body from an email,
+and preventing SLS from being used as a spam or virus redistributer should be high priority.
+
+\item[0033]\textit{All defaults should be strict.}
+\\
+Indeed, for SLS the defaults {\em must} be as strict as possible
+to prevent a list being accidentally less secure that intended.
+
+\item[0036]\textit{When re-encrypting a signed message, the original signature
+  gets lost: this makes it possible for one list member to pose as another list
+  member. In theory, it should be possible to keep the original signature after
+  decryption.}
+\\
+Indeed, since GnuPG has no option to decrypt a message without removing its signature,
+SLS currently cannot preserve the original signature, but rather adds its own when forwarding an email.
+One should ask (and perhaps sponsor) the GnuPG developers to implement this missing feature.
+In the mean time, one should not allow messages to be posted where the From header does not match one of the email addresses associated with the public key used to sign the email (see also item 0024 above).
+
+\item[0050]\textit{Make sure posts get encrypted and signed if needed.}
+\\
+Although this item was marked as being S/MIME specific, this statement also applies to GnuPG of course.
+Perhaps it is best determine whether an incoming email as signed or encrypted, and mark this somewhere in its headers, such that the marking does not get removed while the email is being processed by SLS.
+When sending outgoing emails, preferably right before the email is sent to the SMTP server,
+it should be verified that if the message is marked signed, the outgoing email is indeed signed.
+The same goes for encryption.
+
+\item[0060]\textit{emailf00f by Guus Sliepen deals with PGP. Study its source.}
+\\
+The most relevant feature in emailf00f for SLS is that by sending it a single signed email,
+it can setup an association between the public key and an identity,
+and automatically retrieves and stores the public key for further communication.
+See also the suggestions in item 0030.
+\end{enumerate}
+
+\section{Code audit}
+
+I have reviewed the PGP and S/MIME related source code files of the patched Mailman to some extent
+(a line-by-line analysis of the whole Mailman code base is not possible in the scope of this security audit).
+The patch makes an effort to put most PGP and S/MIME related functionality into their own Python classes, most notably in GPGUtils.py and SMIMEUtils.py.
+These classes are well structured, and contain clearly defined functions to process the various cryptography-related aspects of messages.
+However, the source code files that handle reception and sending of emails, most notably Handlers/Moderate.py and Handlers/SMTPDirect.py, contain all the glue logic for PGP and S/MIME handling interspersed with the original mail handling functions.
+In these files, the code is harder to read, and it is probable that (future) errors are more easily made.
+For the code quality it would be better if the GnuPG and S/MIME related functionality in these files were moved to their own files, and that this functionality would be called from the incoming and outgoing email handlers by callbacks.
+
+The following issues were found in the code:
+\begin{itemize}
+\item
+The GnuPGInterface library, by default, does not use a full path when calling the gpg binary.
+This can allow someone with access to environment or to a local bin directory to divert calls to gpg to a subverted binary.
+SLS should override the call variable of the GnuPG object with the full path to the gpg binary.
+
+\item
+SMIMEUtils.py calls openssl without a full path.
+See the above item.
+
+\item
+SMIMEUtils.py makes heavy use of temporary files.
+In particular, plaintext copies of messages are written to temporary files.
+Although the temporary files are removed directly after use,
+this allows some with read access to the temporary files to obtain copies of the plaintext.
+It also allows the plaintext to end up on a storage device,
+where it may stay indefinitely
+(removing a file normally does not actually remove the contents from disk).
+
+\item
+The logic of handling signatures and encryption is such
+that if both \texttt{gpg\_post\_sign} and \texttt{smime\_post\_sign} are set to Force,
+that only emails are accepted which have both an OpenPGP and an S/MIME signature at the same time.
+The same logic applies to \texttt{gpg\_posting\_allowed} and \texttt{smime\_post\_encrypt} for encryption, and for the other combinations of signing and encryption of outgoing messages.
+It is clearly not desirable behaviour.
+If a list administrator enables both OpenPGP and S/MIME,
+he means that people can use {\em either} OpenPGP {\em or} S/MIME.
+It also makes perfect sense to allow some subscribers of a list to use OpenPGP, and the others S/MIME, as it's not the technology that is used that is important, but rather just the integrity and confidentiality guarantees they provide.
+
+\item
+Poor error handling in GPGUtils.py. When calling gpg, only the statement
+\verb|p.wait()| is surrounded by a \verb|try..catch| block. However, when gpg is called
+with wrong arguments, it will terminate before accepting input from stdin,
+resulting in an unhandled Broken Pipe exception.
+\end{itemize}
+
+\section{Usage audit}
+
+SLS was set up from scratch together with a mail server (Postfix) and a web server (Lighttpd).
+A test list was created and subscribtions were made from various email addresses.
+Various settings for the test list have been tried and in each case plaintext, signed, encrypted and signed+encrypted emails have been sent to the test list, from both subscriber and non-subscriber addresses.
+The following issues were found:
+\begin{itemize}
+\item
+The list administrator interface is not very clear.
+For example, one of the options is:
+\textit{``Should messages be GPG signed? Yes means: hold for approval. (No, Yes, Force)''}.
+It is unclear from just this question what the difference between Yes and Force is.
+Will Force add a signature if there is none present, or twist the subscriber's arm until he does?
+If I answer Yes, does that mean that signed messaged are held for approval?
+It takes a while before one guesses the true meaning of the choices.
+It is better to rephrase the question to
+\textit{``Allow unsigned messages? (Yes, Hold, No)''}, or
+to elaborate the choices in the original question: \textit{``No, Yes (hold unsigned), Force (drop unsigned)''}.
+The sames goes for all the other three-choice option.
+
+\item
+OpenPGP and S/MIME are treated as two completely different things.
+One can configure a list to require OpenPGP signatures, but S/MIME encryption.
+This does not make much sense.
+It would be better if the options were made technology agnostic:
+\textit{``Require emails to be signed?''}, \textit{``Require emails to be encrypted?''}, etcetera,
+and to enable OpenPGP and/or S/MIME based on whether the relevant keys were provided.
+
+\item
+Although one can easily upload OpenPGP keys via the website,
+there is no way to upload an S/MIME list key.
+With the current patch, the list administrator somehow has to put the S/MIME list key
+in \verb|/var/lib/mailman| on server running SLS.
+
+\item
+SLS requires the list administrator to generate a public/private keypair and to upload both to the list manager.
+Uploading via unencrypted HTTP to the web interface severily compromises the secrecy of the private key.
+Although this problem can be solved by enforcing SSL for the web administration interface,
+it might be even better to allow the list manager to generate public/private keypairs for lists.
+This simplifies setting up new lists and obviates the need for the private key to be moved around.
+
+\item
+SLS does not allow minimum requirements set for key sizes, cipher and digest algorithms.
+Instead, the defaults of GnuPG and OpenSSL are used, which may be quite liberal.
+A list administrator might want to enforce stricter security to limit the chances of compromising communication on a secure list.
+
+\item
+Once someone is subscribed to the list (possibly only after getting permission from the list administrator),
+he can log in to the list manager web interface with just a password and change his settings.
+This also allows him to change his public key.
+Since a public key is a much stronger credential of someones identity than just an email address,
+and since it is much easier to guess a password than to crack a key,
+it should not be allowed to change the public key without explicit permission from the list administrator.
+
+\item
+Sending unencrypted emails to a list for which encryption is mandatory
+always results in an ``Encryption required'' email being sent to the email address mentioned in the From header of the original email.
+The complete original message is attached to the response.
+This allows an attacker to use SLS as an anonimising remailer for spam or viruses.
+
+\item
+If an encrypted message sent to a list is for some reason automatically discarded,
+the auto-discard notification is sent to the list administrator,
+but it contains an decrypted copy of the original message.
+This breaches the confidentiality of the original message.
+An encrypted message should either be forwarded encrypted or not at all.
+
+\item
+SLS does not check the serial number or timestamps of a signature.
+Therefore it is possible to resend old messages to the list, and
+an attacker who can get hold of one message sent to the list does not need to be able to decrypt it or alter its signature
+to cause a denial of service (DoS) attack by sending this same message to the list over and over again,
+causing SLS to forward the message to the other subscribers over and over again.
+
+\item
+Emails with a valid signature of a known subscriber are accepted regardless of whether
+the address in the From header matches one of the email addresses associated with the key.
+Since the original signature is removed before the mail is sent to the other subscribers,
+this allows one subscriber to impersonate another subscriber or even an outsider.
+
+\item
+SLS can be misused as a so-called oracle.
+It does not care about the contents of a message, but will happily decrypt and sign messages sent to it and forward them.
+A subscriber can get a signature with the list key on any message it wants, just by sending that message to the list.
+A subscriber can also resend to the list any old message that was sent encrypted to that list,
+and receive a copy that has been decrypted and re-encrypted for the subscriber.
+Care must be taken that a list key is unique and used only for that list,
+and that timestamps on signatures are verified to prevent new subscribers to be able to decrypt old emails sent to the list, if that is undesirable.
+\end{itemize}
+
+\section{Priority of security-related issues}
+
+Most important is to implement a test suite so the developers can check for regressions before publishing new versions of SLS.
+The administrators who install SLS will probably not check every aspect of SLS before upgrading their installation,
+so it would be best for the developers to prevent the situation from the patch of 2008-06-25 from happening again.
+The test suite does not necessarily have to be a fully automated set of scripts that perform various checks,
+it can be a checklist that a developer manually works through to check the functionality of SLS,
+as long as it works correctly.
+
+Second most important is to make sure that when a list is set up for integrity and/or confidentiality, these aspects are {\em always} enforced.
+This means that an encrypted message sent to a list {\em never} leaves SLS unencrypted.
+I also strongly recommend to try to keep the original signature of messages sent to a list,
+but in case of OpenPGP this might not be possible without support from the GnuPG developers.
+
+Third most important is the simplicity and consistency of the user interface.
+The harder it is for administrators or subscribers it is to understand certain settings,
+the more mistakes will be made.
+The more hoops one has to jump through to upload a key,
+the more mistakes will be made.
+Mistakes can cause SLS to be configured with lesser security than intended, and might inadvertently compromise communications.
+
+Then there are a number of issues dealing with aspects of SLS that are not as secure as OpenPGP and S/MIME are,
+like the rather simple password protected access to the list settings.
+Again, a chain is only as strong as its weakest link, so try to remove or strengthen any link weaker than the OpenPGP and S/MIME part.
+
+The source code revealed some possibly insecure uses of pathnames and temporary files,
+but these issues are less important if SLS is run on a reasonably secured server.
+
+\section{Conclusion}
+
+Although the bare functionality of a secure list server is implemented,
+there is still some way to go before SLS can be called robust and fool-proof.
+The developers should work first on providing strict integrity and confidentiality enforcement.
+
+\end{document}
diff -durP mailman-2.1.15/pgp-smime/changeoption.py mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/changeoption.py
--- mailman-2.1.15/pgp-smime/changeoption.py	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/changeoption.py	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,74 @@
+# Copyright (C) 2008 Joost van Baal joostvb-mailman-pgp-smime/a/mdcc.cx
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+# WARNING
+# This code was written to get used in pgp-smime-testsuite.sh, but
+# never made it.
+
+# list@bruhat:/% /opt/mailman/bin/withlist testlist
+# >>> mlist=m
+# >>> categories = mlist.GetConfigCategories()
+# >>> privacy=categories['privacy']
+# >>> print privacy
+
+import paths
+from Mailman import mm_cfg
+from Mailman import MailList
+
+# stolen from bin/configlist
+def getPropertyMap(mlist):
+    guibyprop = {}
+    categories = mlist.GetConfigCategories()
+    for category, (label, gui) in categories.items():
+        if not hasattr(gui, 'GetConfigInfo'):
+            continue
+        subcats = mlist.GetConfigSubCategories(category)
+        if subcats is None:
+            subcats = [(None, None)]
+        for subcat, sclabel in subcats:
+            for element in gui.GetConfigInfo(mlist, category, subcat):
+                if not isinstance(element, TupleType):
+                    continue
+                propname = element[0]
+                wtype = element[1]
+                guibyprop[propname] = (gui, wtype)
+    return guibyprop
+
+class FakeDoc:
+    # Fake the error reporting API for the htmlformat.Document class
+    def addError(self, s, tag=None, *args):
+        if tag:
+            print >> sys.stderr, tag
+        print >> sys.stderr, s % args
+
+    def set_language(self, val):
+        pass
+
+# value is 0, 1, 2
+def changeoption(mlist, option, value):
+    fakedoc = FakeDoc()
+
+    guibyprop = getPropertyMap(mlist)
+
+    missing = []
+    gui, wtype = guibyprop.get(k, (missing, missing))
+
+    gui._setValue(mlist, option, value, fakedoc)
+
+    mlist.Save()
+    mlist.Unlock()
+
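Review bot: `changeoption()` cannot run as written: it looks up `guibyprop.get(k, ...)` although `k` is never defined (the parameter is `option`), and the module uses `TupleType` in `getPropertyMap` and `sys.stderr` in `FakeDoc.addError` without importing `types` or `sys`. The `missing` sentinel is never checked, so an unknown option name would fail with an AttributeError on a list object instead of a clear error. `mlist.Unlock()` is also skipped when `_setValue` or `Save()` raises, which leaves the list locked. `wtype` is fetched but unused, so the value appears to be stored without type validation; this is worth comparing with the bin/config_list code the comment cites as its origin. The file's own header says it never made it into the test suite, so either fix it as sketched below or drop it from the patch.

```python
import sys
from types import TupleType

# ... unchanged: paths/Mailman imports, getPropertyMap, FakeDoc ...

def changeoption(mlist, option, value):
    fakedoc = FakeDoc()
    guibyprop = getPropertyMap(mlist)

    missing = []
    gui, wtype = guibyprop.get(option, (missing, missing))
    if gui is missing:
        # Fail loudly: a silently skipped policy change would invalidate the test.
        raise KeyError('unknown list option: %s' % option)

    try:
        gui._setValue(mlist, option, value, fakedoc)
        mlist.Save()
    finally:
        # Release the list lock even when setting or saving fails.
        mlist.Unlock()
```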
diff -durP mailman-2.1.15/pgp-smime/Makefile mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/Makefile
--- mailman-2.1.15/pgp-smime/Makefile	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/Makefile	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,2 @@
+%.pdf: %.tex
+	pdflatex $<
diff -durP mailman-2.1.15/pgp-smime/Makefile.docbook mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/Makefile.docbook
--- mailman-2.1.15/pgp-smime/Makefile.docbook	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/Makefile.docbook	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,24 @@
+# this Makefile needs caspar-20020313.tar.gz (or higher). caspar 20030716 makes
+# it look even better.  get it from http://mdcc.cx/caspar/ .
+
+# based upon http://non-gnu.uvt.nl/pub/uvt-unix-doc/packaging/Makefile
+
+#
+# usage:
+#  make typeset; make install
+#
+
+# force utf-8 support.  the environment-variable is needed: we've tested
+# that...
+JADE = SP_ENCODING="utf-8" jade -b utf-8
+# ps and pdf work fine with é and stuff
+
+# html typesetting will yield a utf-8-encoded html file.  the html source
+# will _not_ have a header stating so.  therefore, likely your webserver
+# needs to publish in utf-8 by default.
+
+# FIXME
+#  PRINT_DSL = print.dsl
+#  HTML_DSL = html.dsl
+include caspar/mk/docbook.mk
+
diff -durP mailman-2.1.15/pgp-smime/pgp-smime-testsuite.sh mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/pgp-smime-testsuite.sh
--- mailman-2.1.15/pgp-smime/pgp-smime-testsuite.sh	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/pgp-smime-testsuite.sh	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,178 @@
+#!/bin/sh
+
+# Copyright (C) 2008 Joost van Baal joostvb-mailman-pgp-smime/a/mdcc.cx
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+
+
+# Create 3 lists.  The test vanilla (named test-gpg-vanilla) list has settings:
+# 
+#  gpg_post_encrypt    No
+#  gpg_distrib_encrypt No
+#  gpg_post_sign       No
+#  gpg_distrib_sign    No
+# 
+# smime_-settings are the same.
+# 
+# The test-gpg-medium list has settings:
+# 
+#  gpg_post_encrypt    Yes
+#  gpg_distrib_encrypt Yes
+#  gpg_post_sign       Force
+#  gpg_distrib_sign    No
+# 
+# A similar list test-smime-medium should be created.
+# 
+# The test-gpg-secure list has settings:
+# 
+#  gpg_post_encrypt    Yes           (encrypt post to listkey)
+#  gpg_distrib_encrypt Force         (distribute encypted)
+#  gpg_post_sign       Force         (should posts be signed)
+#  gpg_distrib_sign    Yes           (distribute signed)
+#
+# A similar list test-smime-secure should be created.
+#
+
+# 
+# Conduct tests by posting various messages to various lists and make sure all
+# tests are passed.  Send as
+# 
+#  subscriber with uploaded key
+#  subscriber without uploaded key
+#  non-subscriber
+# 
+# .
+# 
+# plain to test-vanilla:     (plain)
+# signed to test-vanilla:    (signed)
+# encrypted to test-vanilla: (encrypted to same (unkown) key)
+# 
+# For both pgp and s/mime:
+# 
+# plain to test-medium:      (discard)
+# signed to test-medium:     (crypt)
+# encrypted to test-medium:  (crypt)
+# signed+encrypted to test-medium:
+# 
+# For both pgp and s/mime:
+# 
+# plain to test-secure:      (discard)
+# signed to test-secure:     (discard)
+# encrypted to test-secure:  (crypt)
+# signed+encrypted to test-secure:
+
+
+
+
+# TODO FIXME
+# some test messages are in
+# joostvb@bruhat:~/var/lib% mkdir -p mailman-pgp-smime/testmails
+
+# Example usage:
+#
+#  pgp-smime-testsuite.sh joostvb-mailman-pgp-smime-test@bruhat.mdcc.cx SeCrEt joostvb-testlist-member@bruhat.mdcc.cx
+#
+
+set -ex
+
+listadmin_addr="$1"
+admin_password="$2"
+member_addr="$3" # just one testmember, the same for all lists joostvb-testlist-member@bruhat.mdcc.cx
+
+tmpdir=`mktemp -d`
+trap 'rm -rf $tmpdir' EXIT
+
+for s in vanilla medium secure
+do
+    for e in gpg smime
+    do
+        l=test-$e-$s
+
+        if list_lists --bare | grep "^$l"
+        then
+            echo list $l already exists, skipping creation
+        else
+            # list@bruhat:/% /opt/mailman/bin/newlist
+            newlist --quiet $l $listadmin_addr $admin_password
+
+            mktemp -d
+
+            touch $tmpdir/$l.isnew
+        fi
+    done
+done
+
+
+{ cat <<EOT
+vanilla post_encrypt    0
+vanilla distrib_encrypt 0
+vanilla post_sign       0
+vanilla distrib_sign    0
+medium post_encrypt     1
+medium distrib_encrypt  1
+medium post_sign        2
+medium distrib_sign     0
+secure post_encrypt     1
+secure distrib_encrypt  2
+secure post_sign        2
+secure distrib_sign     1
+EOT
+} | while read s o v; do
+  for e in gpg smime
+  do
+        l=test-$e-$s
+
+        if test -f $tmpdir/$l.isnew
+        then
+            # we've just created this list, configure it
+
+            # use changeoption.py
+            # withlist -l -r changeoption.changeoption $l $o $v
+            # withlist -l -r changeoption $l $o $v
+
+            conffile=$tmpdir/$l.conf
+
+            config_list -o - $l >$conffile
+
+            option=${e}_${o}
+            grep -v ${option} $conffile >$conffile,new
+            echo "${option} = $v" >>$conffile,new
+
+            config_list -i $conffile,new $l
+
+        fi
+    done
+    # test-vanilla test-gpg-medium
+done
+
+# subscribe test user to lists
+for s in vanilla medium secure
+do
+    for e in gpg smime
+    do
+        l=test-$e-$s
+        echo $member_addr | add_members -r - $l
+        # this behaves sane if already a member
+    done
+done
+
+# test emails should be in the current directory
+for m in *.msg
+do
+     # -f sender   Set the envelope sender  address.
+     sendmail -oi -t < $m
+done
+
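Review bot: The list admin password taken from `$2` ends up in the trace output, because `set -ex` is still active when `newlist --quiet $l $listadmin_addr $admin_password` runs, so it lands in any captured stderr or CI log. I would wrap that call as `set +x; newlist --quiet "$l" "$listadmin_addr" "$admin_password"; set -x`, quoting the expansions so a password containing spaces or glob characters is passed intact. The password still appears as a process argument for the duration of the call, so the header comment should say to use a throwaway test password only. The bare `mktemp -d` two lines below the `newlist` call creates a second directory that the `EXIT` trap never removes; it looks like a leftover and can be dropped. The existence check `grep "^$l"` also matches any longer list name that shares the prefix, so `grep -x "$l"` would avoid skipping creation by mistake.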
diff -durP mailman-2.1.15/pgp-smime/report-2008-09.tex mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/report-2008-09.tex
--- mailman-2.1.15/pgp-smime/report-2008-09.tex	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/report-2008-09.tex	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,111 @@
+% $Id: report-2008-09.tex 3642 2008-09-25 07:55:43Z joostvb $
+% $URL: svn+ssh://nagy/data/vc/svn/trunk/doc/nlnet-mailman-pgp-smime/report-2008-09.tex $
+%
+% Copyright © 2008 Joost van Baal <info.ad1810.com>
+%
+
+\documentclass[a4]{article}
+\usepackage{a4wide}
+\usepackage{url}
+
+\title{First Secure List Server bi-monthly project report}
+
+\author{Joost van Baal \url{<joostvb.ad1810.com>}}
+
+\begin{document}
+
+\maketitle
+
+%\begin{abstract}
+%foo
+%\end{abstract}
+
+\setlength{\parindent}{0pt}
+\setlength{\parskip}{1.5ex}
+
+\section*{Introduction}
+
+As agreed upon in the June 13, 2008 document ``Memorandum of Understanding
+Secure List Server Project'', this report documents work done by the author for
+the Secure List Server project
+(\url{http://non-gnu.uvt.nl/mailman-pgp-smime/}), as funded by the NLnet
+Foundation.  It also lists the current plans for the project.
+
+\section{Completed tasks}
+
+Work on the project was started on 2008-06-24.  This was ahead of schedule:
+the start was planned for 2008-07-01.
+
+Here's a condensed overview of the progress made thus far.
+
+\begin{tabular}{lll}
+ Task                            & Planned  & Delivered   \\ \cline{1-3}
+ Announce the project            & 08-07-15 & 08-07-03    \\
+ Create a bzr repository         & 08-07-15 & 08-06-25    \\
+ Merge the latest patch update   & 08-08-01 & 08-06-25    \\
+ Port patch to latest release    & 08-08-01 & 08-07-26    \\
+ Discuss Auditor's report        & 08-08-15 & 08-08-09    \\
+ Publish first project report    & 08-09-01 & 08-08-31    \\
+\end{tabular}
+
+The project was announced in \url{Message-ID:
+<20080703145455.GQ12960@bruhat.mdcc.cx>}, posted Thu, 3 Jul 2008 on the Mailman
+Developers list
+(\url{http://www.mail-archive.com/mailman-developers%40python.org/msg11056.html})
+as well as on the PGP/SMIME Mailman devel list
+(\url{http://ulm.ccc.de/pipermail/ssls-dev/2008-July/000019.html}).
+
+The public Bazaar Revision Control repository is available from
+\url{https://code.launchpad.net/~joostvb/mailman/2.1-pgp-smime}.
+
+A patch for the latest Mailman release is available from
+\url{http://non-gnu.uvt.nl/pub/mailman/mailman-2.1.11-pgp-smime_2008-07-26.patch.gz}.
+
+Some extra time was spent on giving user support (using the PGP/SMIME Mailman
+devel list) and setting up a test system.
+
+\section{Planned tasks}
+
+\begin{tabular}{lll}
+ Task                            & Planned  \\ \cline{1-2}
+ Bug: Implement test suite       & 08-12-15 \\
+ Publish second project report   & 08-11-01 \\
+ Bug: Enforce confidentiality    & 08-12-15 \\
+ Bug: Better user interface      & 08-12-15 \\
+ Publish third project report    & 09-01-01 \\
+ Write and publish documentation & 09-01-15 \\
+ Create a package of SLS         & 09-03-01 \\
+ Publish fourth project report   & 09-03-01 \\
+ Disseminate results             & 09-03-01 \\
+ Try get SLS shipped w/ distros  & 09-03-01 \\
+ Act upon auditors final report  & 09-04-01 \\
+ Fifth and final project report  & 09-04-01 \\
+
+\end{tabular}
+
+The 3 Bug-tasks are the critical open bugs as found by Security Auditor Guus
+Sliepen and published in ``Security Audit of the Secure List Server, Part I'',
+August 1, 2008.  While fixing these bugs, the patch will be kept as
+non-intrusive and minimal as possible.
+
+The implementation of a test suite currently is in progress.
+
+The documentation will be written for users, for list admins, for site admins,
+as well as for developers.
+
+Both a Debian and an RPM package for SLS will get build and published.
+
+The dissemination of results will be done by announcing the achievements on
+relevant mailing lists, and by giving a presentation at e.g. the FOSDEM
+conference (will probably happen february 2009 in Brussels).
+
+In order to get SLS shipped with Free Software operating system distibutions,
+maintainers of Mailman packages for e.g. GNU/Linux distributions will get asked
+(and offered help) to include the patch.  The author will work with the Debian
+Mailman package maintainer to try to get the patched Mailman shipped with
+Debian and Ubuntu, as discussed in a private conversation with the maintainer,
+Tilburg, 2008-06-06.  The decision on wether or not to include this patch is
+under control of the package maintainer (not the patch author).
+
+\end{document}
+
diff -durP mailman-2.1.15/pgp-smime/report-2008-11.tex mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/report-2008-11.tex
--- mailman-2.1.15/pgp-smime/report-2008-11.tex	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/report-2008-11.tex	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,123 @@
+% $Id: report-2008-11.tex 3767 2008-11-01 18:05:18Z joostvb $
+% $URL: svn+ssh://nagy/data/vc/svn/trunk/doc/nlnet-mailman-pgp-smime/report-2008-11.tex $
+%
+% Copyright © 2008 Joost van Baal <info.ad1810.com>
+%
+
+\documentclass[a4]{article}
+\usepackage{a4wide}
+\usepackage{url}
+
+% \title{First Secure List Server bi-monthly project report\\September 1, 2008}
+\title{Second Secure List Server bi-monthly project report}
+% November 1, 2008
+
+\author{Joost van Baal \url{<joostvb@ad1810.com>}}
+
+\begin{document}
+
+\maketitle
+
+\setlength{\parindent}{0pt}
+\setlength{\parskip}{1.5ex}
+
+\section*{Introduction}
+
+As agreed upon in the June 13, 2008 document ``Memorandum of Understanding
+Secure List Server Project'', this report documents work done by the author for
+the Secure List Server project
+(\url{http://non-gnu.uvt.nl/mailman-pgp-smime/}), as funded by the NLnet
+Foundation.  It also lists the current plans for the project.
+
+This document is a follow-up to the First Secure List Server bi-monthly project
+report, as sent to Valer Mischenko on Aug 31, 2008.
+
+\section{Completed tasks}
+
+Here's a condensed overview of the progress made thus far.
+
+\begin{tabular}{lll}
+ Task                            & Planned  & Delivered   \\ \cline{1-3}
+ (Start project)                 & 08-07-01 & 08-06-24    \\
+ (Milestone 1)                   & 08-08-15 & 08-08-09    \\
+ Publish first project report    & 08-09-01 & 08-08-31    \\
+ Bug: Implement test suite       & 08-10-15 & 08-10-30    \\
+ Publish second project report   & 08-11-01 & 08-11-01    \\
+\end{tabular}
+
+See the first report for details on the tasks completed for Milestone 1.
+
+The test suite consists of two parts: first a simple script
+pgp-smime/pgp-smime-testsuite.sh, which was finished with bzr commit revno: 460
+on branch nick 2.1-pgp-smime.  See the Mailman pgp-smime bzr branch in
+Launchpad at \url{https://code.launchpad.net/~joostvb/mailman/2.1-pgp-smime}.
+The second part of the suite is a running SLS installation on the author's
+workstation, hosting several test lists with additional PGP and S/MIME key
+pairs.  Work on documenting the setup of such a system is currently in progress
+(to be completed with other documentation on 09-01-15).
+
+Some extra time was spent on releasing version 2008-09-25 of the patch,
+available from
+\url{http://non-gnu.uvt.nl/pub/mailman/mailman-2.1.11-pgp-smime_2008-09-25.patch.gz},
+announced in \url{Message-ID: <20080925084757.GK14261@bruhat.mdcc.cx>} on the
+GPG/SMIME mailman devel list at Thu, 25 Sep 2008.  Work on shipping a new
+release is currently in progress, it'll likely get shipped this month.
+
+Contacting Sabayon's Fabio Erculiani took some time (15 Oct 2008).  There has
+also been contact with Brenno de Winter (the Smallsister project, 13 Oct 2008).
+
+A minor status update on SLS has been posted to the Mailman Developers (28 Sep
+2008, \url{Message-ID: <20080928110912.GT11325@bruhat.mdcc.cx>}, archived at
+\url{http://www.mail-archive.com/mailman-developers%40python.org/msg11143.html}.
+
+Finally, I've acted upon helpful feedback from Lars Kruse about the SLS
+website.
+
+\section{Planned tasks}
+
+\begin{tabular}{lll}
+ Task                            & Planned  \\ \cline{1-2}
+ Bug: Enforce confidentiality    & 08-11-15 \\
+ Bug: Better user interface      & 08-12-15 \\
+ (Milestone 2)                   & 08-12-15 \\
+ Publish third project report    & 09-01-01 \\
+ Write and publish documentation & 09-01-15 \\
+ Create a package of SLS         & 09-03-01 \\
+ Publish fourth project report   & 09-03-01 \\
+ Disseminate results             & 09-03-01 \\
+ Try get SLS shipped w/ distros  & 09-03-01 \\
+ (Milestone 3)                   & 09-03-01 \\
+ Act upon auditors final report  & 09-04-01 \\
+ (Milestone 4)                   & 09-04-01 \\
+ Fifth and final project report  & 09-04-01 \\
+\end{tabular}
+
+The 2 open Bug-tasks are critical open bugs as found by Security Auditor
+Guus Sliepen and published in ``Security Audit of the Secure List Server, Part
+I'', August 1, 2008.  While fixing these bugs, the patch will be kept as
+non-intrusive and minimal as possible.
+
+Once these bugs are fixed, I'll contact Mailman developer Barry Warsaw and ask
+him to perform his review he has offered via the Mailman Developers list.
+
+The documentation will be written for users, for list admins, for site admins,
+as well as for developers.
+
+Both a Debian and an RPM package for SLS will get build and published.
+
+The dissemination of results will be done by announcing the achievements on
+relevant mailing lists, and by giving a presentation at e.g. the FOSDEM
+conference (will probably happen february 2009 in Brussels), and/or
+a meeting of CCC Ulm, and/or Chemnitz Linuxtage.
+
+In order to get SLS shipped with Free Software operating system distibutions,
+maintainers of Mailman packages for e.g. GNU/Linux distributions (and the
+Sabayon and Smallsister projects) will get asked (and offered help) to include
+the patch.  The author will work with the Debian Mailman package maintainer to
+try to get the patched Mailman shipped with Debian and Ubuntu, as discussed in
+a private conversation with the maintainer, Tilburg, 2008-06-06.  The decision
+on wether or not to include this patch is under control of the package
+maintainer (not the patch author).
+
+\end{document}
+
diff -durP mailman-2.1.15/pgp-smime/report-2009-01.tex mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/report-2009-01.tex
--- mailman-2.1.15/pgp-smime/report-2009-01.tex	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/report-2009-01.tex	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,213 @@
+% Copyright © 2008, 2009 Joost van Baal <info@ad1810.com>
+
+\documentclass[a4]{article}
+\usepackage{a4wide}
+\usepackage{url}
+
+\title{Third Secure List Server bi-monthly project report}
+
+\author{Joost van Baal \url{<joostvb@ad1810.com>}}
+
+\begin{document}
+
+\maketitle
+
+\setlength{\parindent}{0pt}
+\setlength{\parskip}{1.5ex}
+
+\section*{Introduction}
+
+As agreed upon in the June 13, 2008 document ``Memorandum of Understanding
+Secure List Server Project'', this report documents work done by the author for
+the Secure List Server project
+(\url{http://non-gnu.uvt.nl/mailman-pgp-smime/}), as funded by the NLnet
+Foundation.  It also lists the current plans for the project.
+
+This document is a follow-up to the Second Secure List Server bi-monthly
+project report, as sent to Valer Mischenko on November 1, 2008.
+
+\section{Completed tasks}
+
+Here's a condensed overview of the progress made thus far.
+
+\begin{tabular}{lll}
+ Task                            & Planned  & Delivered   \\ \cline{1-3}
+ (Start project)                 & 08-07-01 & 08-06-24    \\
+ (Milestone 1)                   & 08-08-15 & 08-08-09    \\
+ Publish first project report    & 08-09-01 & 08-08-31    \\
+ Bug: Implement test suite       & 08-10-15 & 08-10-30    \\
+ Publish second project report   & 08-11-01 & 08-11-01    \\
+ Bug: Enforce confidentiality    & 08-11-15 & 09-01-02    \\
+ Bug: Better user interface      & 08-12-15 & 09-01-02    \\
+ (Milestone 2)                   & 08-12-15 & 09-01-06    \\
+ Publish third project report    & 09-01-01 & 09-01-26    \\
+\end{tabular}
+
+See the first and second reports for details on the tasks completed for
+Milestone 1, as well as for details about the test suite.
+
+The 2 Bug-tasks (``Enforce confidentiality'' and ``Better user interface'') are
+found by Security Auditor Guus Sliepen and published in ``Security Audit of the
+Secure List Server, Part I'', August 1, 2008.
+
+About ``Enforce confidentiality'', Guus wrote (paraphrased):
+
+``If an encrypted message sent to a list is for some reason automatically
+discarded, the auto-discard notification is sent to the list administrator, but
+it contains an decrypted copy of the original message.  This breaches the
+confidentiality of the original message.  An encrypted message should either be
+forwarded encrypted or not at all.
+
+``Emails with a valid signature of a known subscriber are accepted regardless of
+whether the address in the From header matches one of the email addresses
+associated with the key.  Since the original signature is removed before the
+mail is sent to the other subscribers, this allows one subscriber to 
+impersonate another subscriber or even an outsider.
+
+``When a list is set up for integrity and/or confidentiality, these aspects
+should {\em always} be enforced.  This means that an encrypted message sent to
+a list {\em never} leaves SLS unencrypted.  It is also strongly recommended to
+try to keep the original signature of messages sent to a list, but in case of
+OpenPGP this might not be possible without support from the GnuPG developers.''
+
+About ``Better user interface'', Guus wrote (paraphrased):
+
+``The list administrator interface is not very clear. For example, one of the
+options is: "Should messages be GPG signed? Yes means: hold for approval. (No,
+Yes, Force)". It is unclear from just this question what the difference between
+Yes and Force is. Will Force add a signature if there is none present, or twist
+the subscriber's arm until he does? If I answer Yes, does that mean that signed
+messaged are held for approval? It takes a while before one guesses the true
+meaning of the choices. It is better to rephrase the question to "Allow
+unsigned messages? (Yes, Hold, No)", or to elaborate the choices in the
+original question: "No, Yes (hold unsigned), Force (drop unsigned)". The sames
+goes for all the other three-choice option.
+
+``Although one can easily upload OpenPGP keys via the website, there is no way to
+upload an S/MIME list key. With the current patch, the list administrator
+somehow has to put the S/MIME list key in /var/lib/mailman on server running
+SLS.
+
+``Once someone is subscribed to the list (possibly only after getting permission
+from the list administrator), he can log in to the list manager web interface
+with just a password and change his settings. This also allows him to change
+his public key. Since a public key is a much stronger credential of someones
+identity than just an email address, and since it is much easier to guess a
+password than to crack a key, it should not be allowed to change the public key
+without explicit permission from the list administrator.''
+
+Some extra time was spent on keeping our code in sync with upstream by merging
+it, by upgrading our test environment and by releasing versions 2008-11-16,
+2008-12-14 and 2009-01-02 of the patch, available from
+\url{http://non-gnu.uvt.nl/pub/mailman/}, announced on the GPG/SMIME mailman
+devel list at Sun, 16 Nov 2008 and later.
+
+Feedback has been given to Brad Borevitz and Hanno B\"{o}ck on the GPG/SMIME
+mailman devel list at Nov 3, 2008.
+
+Work on task ``Disseminate results'', scheduled for completion at 09-03-01, has
+been started:  A lightning talk request for fosdem has been submitted on
+08-11-06 and got accepted, see
+\url{http://fosdem.org/2009/schedule/events/secure_list_server}.  The fosdem
+conference (see \url{http://fosdem.org/}) will take place Saturday 7 and Sunday
+8 February 2009 in Brussels.
+
+Futhermore, a talk request for the Chaosseminar in Ulm has been submitted
+08-11-24.  The talk took place at 09-01-12, see
+\url{http://ulm.ccc.de/ChaosSeminar/2009/01_Mailman_PGP_SMIME}.  The talk has
+been recorded on video, the recordings will get published 2009-02.  About 17
+Free Software developers (featuring Stefan Schlott, the original SLS-patch
+author) attended the talk, which started at 20:00.  A lively discussion went on
+till 21:30.
+
+Work on task ``Write and publish documentation'', scheduled for completion at
+09-01-15, has been started: An article has been handed out to the Ulm talk
+audience, it's available from
+\url{http://non-gnu.uvt.nl/mailman-pgp-smime/pgp-smime/talk/}.
+
+The talk was announced as:
+
+``\textit{About the project}
+
+``The Secure List Server, mailman-pgp-smime, is an effort to add support for
+encryption and authentication to Mailman, the GNU mailing list software.  This
+enhancement enables groups of people to safely cooperate and communicate using
+email.  The patch includes support for both RFC 2633 (S/MIME) and RFC 2440
+(OpenPGP) email messages.
+
+``Work on this software was started by Stefan Schlott, in 2005 (or earlier).
+Development of the patch currently is made possible by the NLnet foundation.
+
+``A post to a secure list will be distributed only if the PGP (or S/MIME)
+signature on the post is from one of the list members.  For sending encrypted
+email, a list member encrypts to the public key of the list.  The post will be
+decrypted and re-encrypted to the public keys of all list members.
+
+``The software is GPLv2 licensed.  More information is available from
+\url{http://non-gnu.uvt.nl/mailman-pgp-smime}.
+
+``\textit{About the talk}
+
+``The talk will start with a very short overview of the history of Mailman and
+the mailman-pgp-smime project.  Some remarks will be made on how to install and
+configure the software, so that one can try it.  Currently supported features
+will be mentioned, as well as an overview of development plans.  One will learn
+how to contribute to the project; an overview of the revision control system
+used will be given.  Some remarks on the future of the patch will be made: will
+it be shipped with Mailman itself?
+
+``If you have used Mailman, both as a subscriber and as a list admin, and if
+you know what PGP and S/MIME are, you should definitely attend this talk.
+
+``The talk will be given in English.
+
+``\textit{About the speaker}
+
+Joost van Baal is a DJ since 1995.  Debian
+developer since 2000.  Working on Lire, LogReport's log analyzer, since 2000.
+Free software advocate since 2001. Hacking on Mailman since 2005.  Pugilist
+since 2007.  Owner of ad 1810 since 2008.  Joost works and lives in Eindhoven,
+The Netherlands. See \url{http://mdcc.cx/}.''
+
+
+\section{Planned tasks}
+
+As requested by Valer Mischenko on Tue, 18 Nov 2008, the planning has been
+adjusted. ``Try get SLS shipped w/ distros'' is postponed from 09-03-01;
+``Fifth and final project report'' and ``(Milestone 4)'' are postponed from
+09-04-01.  Current plans are:
+
+\begin{tabular}{lll}
+ Task                            & Planned  \\ \cline{1-2}
+ Write and publish documentation & 09-01-15 \\
+ Create a package of SLS         & 09-03-01 \\
+ Publish fourth project report   & 09-03-01 \\
+ Disseminate results             & 09-03-01 \\
+ (Milestone 3)                   & 09-03-01 \\
+ Act upon auditors final report  & 09-04-01 \\
+ Try get SLS shipped w/ distros  & 09-04-15 \\
+ Fifth and final project report  & 09-04-15 \\
+ (Milestone 4)                   & 09-04-15 \\
+\end{tabular}
+
+I'll also contact Mailman developer Barry Warsaw and ask him to perform his
+review he has offered via the Mailman Developers list.
+
+The documentation will be written for users, for list admins, for site admins,
+as well as for developers.
+
+Both a Debian and an RPM package for SLS will get build and published.
+
+Currently, Guus Sliepen is working on his final security audit report.
+
+In order to get SLS shipped with Free Software operating system distibutions,
+maintainers of Mailman packages for e.g. GNU/Linux distributions (and the
+Sabayon and Smallsister projects) will get asked (and offered help) to include
+the patch.  The author will work with the Debian Mailman package maintainer to
+try to get the patched Mailman shipped with Debian and Ubuntu, as discussed in
+a private conversation with the maintainer, Tilburg, 2008-06-06.  The decision
+on wether or not to include this patch is under control of the package
+maintainer (not the patch author).
+
+\end{document}
+
diff -durP mailman-2.1.15/pgp-smime/report-2009-03.tex mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/report-2009-03.tex
--- mailman-2.1.15/pgp-smime/report-2009-03.tex	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/report-2009-03.tex	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,130 @@
+% $Id: report-2009-03.tex 4103 2009-03-18 11:58:46Z joostvb $
+% $URL: svn+ssh://nagy/data/vc/svn/trunk/doc/nlnet-mailman-pgp-smime/report-2009-03.tex $
+%
+% Copyright © 2008, 2009 Joost van Baal <info@ad1810.com>
+%
+
+\documentclass[a4]{article}
+\usepackage{a4wide}
+\usepackage{url}
+
+% \title{First Secure List Server bi-monthly project report\\September 1, 2008}
+\title{Fourth Secure List Server bi-monthly project report}
+% Jan 1, 2009
+
+\author{Joost van Baal \url{<joostvb@ad1810.com>}}
+
+\begin{document}
+
+\maketitle
+
+\setlength{\parindent}{0pt}
+\setlength{\parskip}{1.5ex}
+
+\section*{Introduction}
+
+As agreed upon in the June 13, 2008 document ``Memorandum of Understanding
+Secure List Server Project'', this report documents work done by the author for
+the Secure List Server project
+(\url{http://non-gnu.uvt.nl/mailman-pgp-smime/}), as funded by the NLnet
+Foundation.  It also lists the current plans for the project.
+
+This document is a follow-up to the Third Secure List Server bi-monthly
+project report, as sent to Valer Mischenko on January 26, 2009.
+
+%downloads, list traffic, commits
+
+\section{Completed tasks}
+
+Here's a condensed overview of the progress made thus far.
+
+\begin{tabular}{lll}
+ Task                            & Planned  & Delivered   \\ \cline{1-3}
+ (Start project)                 & 08-07-01 & 08-06-24    \\
+ (Milestone 1)                   & 08-08-15 & 08-08-09    \\
+ (Milestone 2)                   & 08-12-15 & 09-01-06    \\
+ Publish third project report    & 09-01-01 & 09-01-26    \\
+ Write and publish documentation & 09-01-15 & 09-01-12    \\
+ Create a package of SLS         & 09-03-01 & in progress \\
+ Publish fourth project report   & 09-03-01 & 09-03-18    \\
+ Disseminate results             & 09-03-01 & 09-02-08    \\
+ (Milestone 3)                   & 09-03-01 & in progress \\
+\end{tabular}
+
+See the previous reports for details on the tasks completed for
+Milestones 1 and 2.
+
+Some documentation has been written and published.  The article ``Secure List
+Server: Mailman, PGP and S/MIME - Support for encryption and authentication for
+the GNU mailing list software'' from january 2009 is maintained using the SLS
+version control system, and available from
+\url{http://non-gnu.uvt.nl/mailman-pgp-smime/pgp-smime/talk/mailman-pgp-smime-talk.txt}.
+This article was printed on paper and handed out at the 2 presentations in Ulm
+and Brussels.  This documentation still needs to get integrated with the
+documentation which comes with Mailman itself.  The current documentation
+focusses on list and site admins; user oriented documentation still needs to be
+written.
+
+A lightning talk request for fosdem has been submitted on 08-11-06 and got
+accepted, see \url{http://fosdem.org/2009/schedule/events/secure_list_server}.
+The fosdem conference (see \url{http://fosdem.org/}) took place February 2009
+at ULB Campus Solbosch in Brussels.  The talk (
+http://fosdem.org/2009/node/164) took place on sunday February 8th, 10:20, and
+lasted for 15 minutes.  The talk has been recorded on video; see
+\url{http://ftp.heanet.ie/mirrors/fosdem-video/2009/lightningtalks/}.  (At
+fosdem, the author also organised the PGP KeySigning Party, see
+\url{http://fosdem.org/2009/keysigning}.)
+
+Futhermore, a talk request for the Chaosseminar in Ulm has been submitted
+08-11-24.  The talk took place at 09-01-12, see
+\url{http://ulm.ccc.de/ChaosSeminar/2009/01_Mailman_PGP_SMIME}.  The talk has
+been recorded on video; see
+\url{http://ftp.ccc.de/regional/ulm/chaosseminar/200901-mailman/}.  About 17
+Free Software developers (featuring Stefan Schlott, the original SLS-patch
+author) attended the talk, which started at 20:00.  A lively discussion went on
+till 21:30.  More information about this talk is in the Third Secure List
+Server report.
+
+All talk recordings are available from
+\url{http://non-gnu.uvt.nl/mailman-pgp-smime/pgp-smime/talk/} also.
+
+Some extra time was spent on keeping our code in sync with upstream by merging
+it.  Feedback has been given to users on the GPG/SMIME Mailman development
+list.
+
+(Also, a Debian package for the Small Sister client was build; available from
+\url{http://mdcc.cx/tmp/SmallMailClient/}.)
+
+
+\section{Planned tasks}
+
+Current plans are:
+
+\begin{tabular}{lll}
+ Task                            & Planned  \\ \cline{1-2}
+ Create a package of SLS         & 09-03-01 \\
+ (Milestone 3)                   & 09-03-01 \\
+ Act upon auditors final report  & 09-04-01 \\
+ Try get SLS shipped w/ distros  & 09-04-15 \\
+ Fifth and final project report  & 09-04-15 \\
+ (Milestone 4)                   & 09-04-15 \\
+\end{tabular}
+
+I'll also contact Mailman developer Barry Warsaw and ask him to perform his
+review he has offered via the Mailman Developers list.
+
+Both a Debian and an RPM package for SLS will get build and published.
+
+Currently, Guus Sliepen is working on his final security audit report.
+
+In order to get SLS shipped with Free Software operating system distibutions,
+maintainers of Mailman packages for e.g. GNU/Linux distributions (and the
+Sabayon and Smallsister projects) will get asked (and offered help) to include
+the patch.  The author will work with the Debian Mailman package maintainer to
+try to get the patched Mailman shipped with Debian and Ubuntu, as discussed in
+a private conversation with the maintainer, Tilburg, 2008-06-06.  The decision
+on wether or not to include this patch is under control of the package
+maintainer (not the patch author).
+
+\end{document}
+
diff -durP mailman-2.1.15/pgp-smime/report-2010-02.txt mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/report-2010-02.txt
--- mailman-2.1.15/pgp-smime/report-2010-02.txt	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/report-2010-02.txt	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,59 @@
+
+                  Fifth Secure List Server project report
+
+                    Joost van Baal <joostvb@ad1810.com>
+                           February 24th, 2010
+
+This report documents work done by the author for the Secure List Server
+project, as funded by the NLnet foundation.  It also lists the current plans
+for the project.  This document is a follow-up to the Fourth Secure List Server
+bi-monthly project report, which was published March 2009.
+
+Here's a condensed overview of the progress made thus far.
+
+ Task                                Planned   Delivered
+ (Start project)                     08-07-01  08-06-24
+ (Milestone 1)                       08-08-15  08-08-09
+ (Milestone 2)                       08-12-15  09-01-06
+
+ Publish third project report        09-01-01  09-01-26
+ Write and publish documentation     09-01-15  09-01-12
+ Publish fourth project report       09-03-01  09-03-18
+ Disseminate results                 09-03-01  09-02-08
+ Create a package of SLS             09-03-01  09-09-09
+ (Milestone 3)                       09-03-01  09-09-09
+
+Releases of the patch have been shipped on 09-04-02, 09-07-18 and 09-09-05 (all
+for upstream release 2.1.12).
+
+A Debian package for the patch has been shipped on 09-04-02
+(2.1.12-1+pgpsmime1) and 09-09-06 (2.1.12-2+pgpsmime1).
+
+An RPM package (for Fedora Core 11) for the patch was shipped on 09-09-09
+(2.1.12-4+pgpsmime1.fc11).
+
+The final audit report mentioned the lax checking of multipart/signed messages.
+This has been fixed.  Furthermore, it suggested to reduce the number of
+configuration options available to the list administrator.  I'll work on this.
+
+The current plan is:
+                                     Planned
+ Act upon auditors final report      10-03-18
+ Try get SLS shipped w/ distros      10-03-29
+ Fifth and final project report      10-03-29
+ (Milestone 4)                       10-03-29
+
+Originally, completion of Milestone 4 was planned for April 15, 2009.
+
+Next to the listed tasks, I'll port the patch to upstream mailman 2.1.13
+(released 09-12-22).  Furthermore, I'll update the RPM and .deb packages to
+this new upstream release.
+
+I'll contact Mailman developer Barry Warsaw and ask him to perform his review
+he has offered via the Mailman Developers list.
+
+I'll contact responsible parties and try to get SLS shipped with Debian, Ubuntu
+and an RPM-based distribution (like Fedora) as well as the Sabayon and
+Smallsister projects.
+
+
diff -durP mailman-2.1.15/pgp-smime/report-2010-03.tex mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/report-2010-03.tex
--- mailman-2.1.15/pgp-smime/report-2010-03.tex	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/report-2010-03.tex	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,146 @@
+% $Id: report-2009-03.tex 4103 2009-03-18 11:58:46Z joostvb $
+% $URL: svn+ssh://nagy/data/vc/svn/trunk/doc/nlnet-mailman-pgp-smime/report-2009-03.tex $
+%
+% Copyright © 2009, 2010 Joost van Baal <info@ad1810.com>
+%
+
+\documentclass[a4]{article}
+\usepackage{a4wide}
+\usepackage{url}
+
+% \title{First Secure List Server bi-monthly project report\\September 1, 2008}
+\title{Sixth Secure List Server project report}
+% Jan 1, 2009
+
+\author{Joost van Baal \url{<joostvb@ad1810.com>}}
+
+\begin{document}
+
+\maketitle
+
+\setlength{\parindent}{0pt}
+\setlength{\parskip}{1.5ex}
+
+\section*{Introduction}
+
+As agreed upon in the June 13, 2008 document ``Memorandum of Understanding
+Secure List Server Project'', this report documents work done by the author for
+the Secure List Server project
+(\url{http://non-gnu.uvt.nl/mailman-pgp-smime/}), as funded by the NLnet
+Foundation.  It also lists the current plans for the project.
+
+This document is a follow-up to the Fifth Secure List Server
+project report, as sent to Valer Mischenko on 24 February 2010.
+
+%downloads, list traffic, commits
+
+\section{Completed tasks}
+
+Here's a condensed overview of the progress made thus far.
+
+\begin{tabular}{lll}
+
+
+ Task                                Planned   Delivered
+ (Start project)                     08-07-01  08-06-24
+ (Milestone 1)                       08-08-15  08-08-09
+ (Milestone 2)                       08-12-15  09-01-06
+ (Milestone 3)                       09-03-01  09-09-09
+
+
+ Task                            & Planned  & Delivered   \\ \cline{1-3}
+ (Start project)                 & 08-07-01 & 08-06-24    \\
+ (Milestone 1)                   & 08-08-15 & 08-08-09    \\
+ (Milestone 2)                   & 08-12-15 & 09-01-06    \\
+ Publish third project report    & 09-01-01 & 09-01-26    \\
+ Write and publish documentation & 09-01-15 & 09-01-12    \\
+ Create a package of SLS         & 09-03-01 & in progress \\
+ Publish fourth project report   & 09-03-01 & 09-03-18    \\
+ Disseminate results             & 09-03-01 & 09-02-08    \\
+ (Milestone 3)                   & 09-03-01 & in progress \\
+\end{tabular}
+
+See the previous reports for details on the tasks completed for
+Milestones 1, 2 and 3.
+
+
+
+Some extra time was spent on keeping our code in sync with upstream by merging
+it.  Feedback has been given to users on the GPG/SMIME Mailman development
+list.
+
+
+\section{Planned tasks}
+
+Current plans are:
+
+merge datenritter patches!
+
+Date: Tue, 06 Oct 2009 13:34:37 +0200
+From: datenritter <lists datenritter.de>
+To: joostvb-mailman-developers
+Subject: Re: [Ssls-dev] missed a patch in last release
+Message-ID: <4ACB2B4D.5090604@datenritter.de>
+
+
+
+                                     Planned
+ Act upon auditors final report      10-03-18
+ Try get SLS shipped w/ distros      10-03-29
+ Fifth and final project report      10-03-29
+ (Milestone 4)                       10-03-29
+
+
+
+\begin{tabular}{lll}
+ Task                            & Planned  \\ \cline{1-2}
+ Create a package of SLS         & 09-03-01 \\
+ (Milestone 3)                   & 09-03-01 \\
+\end{tabular}
+
+The final audit report mentioned the lax checking of multipart/signed messages.
+This has been fixed.  Furthermore, it suggested to reduce the number of
+configuration options available to the list administrator.  I'll work on this.
+
+The current plan is:
+                                     Planned
+ Act upon auditors final report      10-03-18
+ Try get SLS shipped w/ distros      10-03-29
+ Fifth and final project report      10-03-29
+ (Milestone 4)                       10-03-29
+
+Originally, completion of Milestone 4 was planned for April 15, 2009.
+
+Next to the listed tasks, I'll port the patch to upstream mailman 2.1.13
+(released 09-12-22).  Furthermore, I'll update the RPM and .deb packages to
+this new upstream release.
+
+I'll contact Mailman developer Barry Warsaw and ask him to perform his review
+he has offered via the Mailman Developers list.
+
+--------------
+
+Message-ID: <PC1952010030220411002187fb4e6a4@msapiro>
+Date: Tue, 2 Mar 2010 20:41:10 -0800
+From: Mark Sapiro
+To: mailman-developers@python.org
+In-Reply-To: <4f6fd0b11003022002u34652a5bnb86decfa0102568b@mail.gmail.com>
+Subject: Re: [Mailman-Developers] Implementing a new feature, first steps
+
+>I am interested in implementing a new feature in Mailman
+
+>Of course, any code I write (and which you find useful) will go right back
+>upstream!
+
+Thank you. However, it won't go in 2.1.x, because that's bug fix only
+and it probably won't be applicable, at least directly, to MM 3.
+
+--------------
+
+I'll contact responsible parties and try to get SLS shipped with Debian, Ubuntu
+and an RPM-based distribution (like Fedora) as well as the Sabayon and
+Smallsister projects.
+
+
+\end{document}
+
diff -durP mailman-2.1.15/pgp-smime/talk/feedback.txt mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/feedback.txt
--- mailman-2.1.15/pgp-smime/talk/feedback.txt	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/feedback.txt	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,25 @@
+About 17 people attended, including Stefan Schlott and Michael Feiri.
+Talk + discussion from 20:00 till about 21:30.
+
+Feedback given by CCC-Ulm audience:
+
+Since signed S/MIME messages generally contain complete public key of
+sender, use first post of sender to a list to collect key of sender.
+No need for webui upload.  Generally, S/MIME users don't even know how
+to save their public key in a file.
+
+Generate list keypair on server; don't upload keypair of list via
+webui.  Get rid of passphrase box in webui: don't use a passphrase (or
+pinentry-stuff with gpg-agent, admin should give passphrase when
+mailserver software starts up.) Passphrase-box was added since some pgp
+libraries refuse to work with a passphrase-less key, in 2005.
+
+S/MIME signed and encrypted messages are encrypted first, signature is
+added to the encrypted stuff.  PGP messages are signed first, the
+signed sttuff is encrypted.  So, SLS could keep the signature on
+encrypted messages in the PGP-case.  This would make communication more
+like end-to-end secure communication; one would make the system less
+dependent on a trusted listserver.
+
+Video of lecture like will get uploaded at about early february.
+
diff -durP mailman-2.1.15/pgp-smime/talk/mailman-pgp-smime-talk.txt mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/mailman-pgp-smime-talk.txt
--- mailman-2.1.15/pgp-smime/talk/mailman-pgp-smime-talk.txt	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/mailman-pgp-smime-talk.txt	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,631 @@
+
+                  Secure List Server: Mailman, PGP and S/MIME
+
+   Support for encryption and authentication for the GNU mailing list software
+
+                                      by
+
+                                Joost van Baal
+
+                               Februari 6, 2009
+
+
+About this document
+===================
+
+This document is published on
+http://non-gnu.uvt.nl/mailman-pgp-smime/pgp-smime/talk/.
+
+Copyright and license
+---------------------
+Copyright © 2009 Joost van Baal, ad 1810 <joostvb-mailman-pgp-smime/a/mdcc.cx>
+
+This document is free; you can redistribute it and/or modify it under the terms
+of the GNU GPL, either version 3 or any later one, see
+http://www.gnu.org/copyleft/gpl.html .  There is NO WARRANTY.
+
+Revision control
+----------------
+Maintained at http://bazaar.launchpad.net/~joostvb/mailman/2.1-pgp-smime/files
+
+About the author
+----------------
+Joost van Baal is hacking on Mailman since 2005.  Debian developer since 2000.
+Working on Lire, LogReport's log analyzer, since 2000.  Free software advocate
+since 2001.  Pugilist since 2007 and active as a DJ since 1995.  Owner of ad
+1810 since 2008.  Joost works and lives in Eindhoven, The Netherlands.  See
+http://mdcc.cx/.
+
+
+Motto
+=====
+
+Users and other ``soft'' factors (economy, psychology, sociology) are the
+reasons why security often fails; not errors in logic or in the application of
+mathematics.                                --Adam Shostack and Andrew Stewart,
+                   ``The New School of Information Security'', Pearson USA 2008
+
+His dismissal notice stated that he was being removed from production on
+account of a situation of [...] thoughtfulness amid the general tempo of
+labour.  "If we all would start thinking, who would get the work done?"
+                                --Андрей Плато́нов, ``The Foundation Pit'', 1930
+(See also http://www.litencyc.com/php/sworks.php?rec=true&UID=14435)
+
+
+Introduction
+============
+
+The Secure List Server, mailman-pgp-smime, is an effort to add support for
+encryption and authentication to Mailman, enabling groups of people to safely
+cooperate and communicate using email.  The project currently is made possible
+by the NLnet foundation.
+
+This article will start with a very short overview of the history of Mailman and
+the mailman-pgp-smime project.  Some remarks will be made on how to install and
+configure the software, so that one can try it.  Currently supported features
+will be mentioned, as well as an overview of development plans.  One will learn
+how to contribute to the project; an overview of the revision control system
+used will be given.  Some remarks on the future of the patch will be made: will
+it be shipped with Mailman itself?
+
+The reader is assumed to have some knowledge of Mailman, e.g. by being
+subscribed to a Mailman managed list and by administrating such a list.
+Furthermore, some knowledge of PGP and/or S/MIME is assumed.
+
+
+GNU Mailman and other mailing list software
+===========================================
+
+GNU Mailman is mailing list management software. It allows you to create and
+manage electronic mail mailing lists. It provides a web front-end for easy
+administration, both for list owners and list members. It supports digests,
+archiving, spam protection, bounce detection, Usenet gateways, and many more
+features.  Mailman is licensed under the GNU GPL and is written in Python.
+Is is likely the most popular Open Source mailing list manager.
+
+Other popular mailing list managers are (names of packages available with
+Debian GNU/Linux):
+
+- sympa (written in Perl)
+- mlmmj (relatively new, styled after the ezmlm mailing list manager)
+- smartlist (based upon the procmail MDA)
+
+Other alternatives are:
+
+- minimalist (small and easy, no web ui)
+- enemies-of-carlotta (another ezmlm-like one, new)
+- ecartis (the free listserv)
+- courier-mlm (part of Courier mail framework)
+
+See http://popcon.debian.org/ for a comparison of the popularity of these
+packages withing Debian.
+
+See the pictures popcon.png, retreived from
+http://qa.debian.org/popcon-png.php?packages=minimalist+mailman+smartlist+sympa+courier-mlm+enemies-of-carlotta+ecartis+ezmlm-idx+mlmmj&show_installed=on
+, as well as the picture popcon-non-mailman.png.
+
+Popular mailing list managers not shipped with Debian are
+
+- ezmlm-idx (a fork of the original ezmlm)
+- phplist
+
+Other ones worth mentioning are:
+
+- listserv (not Open Source)
+- majordomo (popular in early 1990ies, development stalled since 2000, the
+   first popular mailing list software)
+
+Mailman development was started in the late 1990ies by John Viega.  The first
+release was in 1996.  Barry Warsaw, who joined late 1990ies, currently leads
+the development.  Mark Sapiro currently maintains the stable branches of the
+code; Tokio Kikuchi is another one of the main contributors.  In total about 20
+people have contributed substantially to the code.  (And in total about 200 get
+explicitly thanked for their contributions to the project.)
+
+
+Secure List Server
+==================
+
+The Secure List Server, mailman-pgp-smime, is an addition to Mailman, enabling
+groups of people to safely cooperate and communicate using email.  The patch
+includes support for both RFC 2633 (S/MIME) and RFC 2440 (OpenPGP) email
+messages.
+
+A post to a secure list will be distributed only if the PGP (or S/MIME)
+signature on the post is from one of the list members.  For sending encrypted
+email, a list member encrypts to the public key of the list.  The post will be
+decrypted and re-encrypted to the public keys of all list members.
+
+The mailman-pgp-smime project has its roots in work by Stefan Schlott, probably
+from 2004.  In 2005, this project was known as the SURFnet Secure List Server
+(mailman-ssls). SURFnet and Tilburg University made the project possible. Since
+2008, the project is known as Secure List Server (mailman-pgp-smime) and made
+possible by the NLnet foundation.
+
+
+Installing mailman-pgp-smime
+============================
+
+As of 2009-01, the mailman-pgp-smime software is offered as a patch only.
+(Shipping a Debian and RPM package is planned.)
+
+Patch and install
+-----------------
+For installation, one has to download
+both the original GNU Mailman source tarball as well as the mailman-pgp-smime
+patch.  Once that's done, apply the patch:
+
+% tar zxf mailman-2.1.11.tgz
+% cd mailman-2.1.11
+% zcat ../mailman-2.1.11-pgp-smime_2009-01-02.patch.gz | patch -p1
+
+Now that the Mailman software is patched, continue following the instructions
+in the GNU Mailman Installation Manual.  (Including something like:
+
+# aptitude install python-dev apache2
+
+# mkdir /opt/mailman
+# chgrp list /opt/mailman
+# chmod a+rx,g+ws /opt/mailman
+
+# su - list
+% ./confire --prefix=/opt/mailman --with-groupname=list --with-username=list
+% make
+% make install
+% /opt/mailman/bin/check_perms -f
+
+Configure webserver, MTA and Mailman
+------------------------------------
+Configure webserver.  This will include e.g.
+
+# echo 'ScriptAlias /mailman/ /opt/mailman/cgi-bin/' > /etc/apache2/conf.d/mailman
+
+Add FollowSymLinks to the Options-line for Directory
+"/usr/share/apache2/icons" in /etc/apache2/mods-enabled/alias.conf, and create
+symlinks from /usr/share/apache2/icons/ to the icons in /opt/mailman/icons/.
+
+Configure your MTA, see the GNU Mailman Installation Manual.
+
+Set up list "mailman":
+
+% /opt/mailman/bin/newlist mailman
+
+and configure it.  Set up cronjobs:
+
+# crontab -u list /opt/mailman/cron/crontab.in
+
+
+Debian and SLS specific stuff
+-----------------------------
+Adjust the cronjobs: strip the python-option "-S".
+
+% crontab -e
+
+For pgp-smime:
+
+# aptitude install python-gnupginterface
+
+Work around python path issues:
+
+% ln -s /var/lib/python-support/python2.5/GnuPGInterface.py \
+   /opt/mailman/GnuPGInterface.py
+
+Start Mailman
+-------------
+% /opt/mailman/bin/mailmanctl start
+
+
+Create a PGP-list
+-----------------
+After creating a normal list called test-gpg, and having subscribed to it, run
+
+$ gpg --gen-key
+$ gpg --armor --export DEADBEEF
+$ gpg --export-secret-keys --armor DEADBEEF
+
+Upload public and secret listkeys using
+https://your.web.server/mailman/admin/test-gpg/privacy/gpg
+
+Upload your member key using
+https://your.web.server/mailman/options/test-gpg/you@your.dom.ain
+
+
+Check results
+-------------
+You can peek at current settings running:
+
+% /opt/mailman/bin/config_list -o - test-gpg | grep \^gpg
+% GNUPGHOME=/opt/mailman/lists/test-gpg/gpg gpg --list-keys
+
+The PGP listkey is stored in /opt/mailman/lists/test-gpg/gpg/*.gpg (and in
+config.pck as well).
+
+If you'd like to quickly change some (gpg, smime) settings, run
+
+% config_list -o - testlist >/tmp/dump
+% vi /tmp/dump
+% config_list -i /tmp/dump testlist
+
+
+Create an S/MIME-list
+---------------------
+First create your own SSL CA:
+
+$ /usr/lib/ssl/misc/CA.pl -newca
+
+Create your member S/MIME keypair:
+
+$ openssl genrsa -out test-member.key 2048
+
+Create a Certificate Signing Request:
+
+$ cat <<EOT >test-member.cfg
+[ req ]
+default_bits            = 2048
+default_keyfile         = you-testlist-member.key
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+prompt                  = no
+
+[ req_distinguished_name ]
+C                       = NL
+O                       = Yoyodyne
+OU                      = Secure List Server project
+CN                      = Joe Random Hacker (testlist member)
+emailAddress            = you-testlist-member@your.dom.ain
+
+[ req_attributes ]
+EOT
+
+$ openssl req -new -newhdr -config test-member.cfg -key test-member.key \
+   -days 1000 -sha1 -verify -out newreq.pem
+
+Sign our member key with our CA:
+
+$ /usr/lib/ssl/misc/CA.pl -signreq
+
+Configure our emailclient (mutt) to work with this CA and keypair:
+
+$ smime_keys init
+$ smime_keys add_root ~/.smime/cacert.pem
+$ smime_keys add_chain ~/.smime/test-member.key ~/.smime/newcert.pem \
+   ~/.smime/cacert.pem
+
+Now create an S/MIME list called test-smime, and subscribe
+you-testlist-member@your.dom.ain to it.
+
+Create a keypair for the S/MIME list (use e.g.:
+
+[ req ]
+default_bits            = 2048
+default_keyfile         = key.pem
+distinguished_name      = req_distinguished_name
+attributes              = req_attributes
+prompt                  = no
+
+[ req_distinguished_name ]
+C                       = NL
+O                       = ad 1810
+CN                      = Testlist SMIME
+emailAddress            = test-smime@your.dom.ain
+
+[ req_attributes ]
+
+as list.cfg):
+
+% openssl genrsa -out key.pem 2048
+% openssl req -new -newhdr -config list.cfg -key key.pem -days 365 -sha1 \
+   -verify -out list.csr
+
+Sign this listkey.
+
+Store this key:
+
+% mkdir /opt/mailman/lists/test-smime/smime
+
+Make sure permissions and ownership are:
+
+drwxrwx--- 2 www-data list 138 okt 29 15:59 smime/
+
+Move (or copy) key.pem, cert.pem and ca.pem (and optionally list.cfg and
+list.csr) to this directory: install the signed certificate as smime/list.crt,
+and install the root CA certificate as smime/cert.pem.
+
+Make the lists' public key known to our emailclient:
+
+$ smime_keys add_cert cert.pem
+
+Upload the member .pem using
+https://your.web.server/mailman/options/test-smime/you-testlist-member@your.dom.ain .
+
+NB: for S/MIME lists, the listkey is not kept in config.pck; there's no
+interface (yet) for uploading the listkeypair via the webserver.
+
+
+What can you do with it?
+========================
+
+PGP and S/MIME offer Integrity and Authenticity (by signing messages) and
+Confidentiality (by encrypting messages).  These are nice features, also when
+working with Mailing lists.  However, traditionally achieving such
+functionality for lists means each subscriber would have to know and trust (or
+setup some trustpath to) each other subscriber.  This means lots of work, and
+requires quite some clue for each subscriber.
+
+The Secure List Server, mailman-pgp-smime, makes this easier.  When using this
+software, each subscriber (optionally) has a personal keypair, and (optionally)
+there's a public key for each list.  Managing trustpaths is fully delegated to
+the list administrator.
+
+SLS caters lots of different security requirements: for each list, there are
+more than 100 ways to configure it (2 * 3 * 3 * 3 * 2), using 8 configuration
+settings {gpg,smime}_{distrib,post}_{encrypt,sign}.  (For each list either all
+gpg_-settings should be set to No (such a list is called an S/MIME list) or all
+smime_-settings should be No (a PGP list).)
+
+We'll give some example use cases.  It's useful to realise the server works
+like this:
+
+            .-----.  --> subscriber
+ poster --> |     |  --> subscriber
+ poster --> | SLS |  --> subscriber
+            `-----'  --> subscriber
+
+Example: Mailman vanilla
+------------------------
+You can run the software without any PGP or S/MIME configuration.  This way,
+the software works just like stock Mailman.  Care has been taken in most
+circumstances the SLS-code even won't get executed.
+
+Example: SLS light: gpg_distrib_encrypt, subscriber keys
+--------------------------------------------------------
+Suppose you want to set up a list where some subscribers want some
+confidentiality: they want to receive posts while being protected from
+eavesdroppers within their own network.  Suppose these subscribers know how to
+decrypt messages encrypted to their personal PGP public key.  In such a setup,
+these subscribers should upload their public key.  The list will be a PGP-list,
+option gpg_distrib_encrypt will be set to Yes; all other gpg_ and
+smime_-options will be set to No.  No listkey is needed.
+
+
+Example: SLS as anti-spam tool: smime_post_sign, subscriber keys
+----------------------------------------------------------------
+Suppose you want to make sure no spam ever gets posted to your list.  (Allowing
+posting only for subscribers can get circumvented by spammers.)  Suppose the
+subscribers know how to sent an S/MIME signed message.  In such a setup, all
+subscribers should upload their public key.  The list will be an S/MIME-list,
+option smime_post_sign will be set to Force; all other gpg_ and smime_-options
+will be set to No.  No listkey is needed.
+
+(One could also choose to use the listkey as anti-spam measure; allowing only
+encrypted posts.  This way, subscribers don't need to fiddle with personal
+keys.  It'll likely take a while before spammers start running encryption
+software.  It would be possible though.)
+
+Example: SLS for dissidents: smime_post_encrypt, list key
+---------------------------------------------------------
+Suppose you want to set up a list where some people want some confidentiality:
+they want to be able to post while being protected (by S/MIME) from
+eavesdroppers within their own network.  (Like a "Chinese dissident" scenario,
+a non-member posting anonymously.)  This poster would need to have a copy of
+the lists S/MIME public key.  The list will be an S/MIME list, option
+smime_post_encrypt will be set to Yes; all other gpg_ and smime_-options will
+be set to No.  No subscriber keys are needed.
+
+Example: full SLS
+-----------------
+Suppose you want to set up a list where full integrity, authenticity and
+confidentiality is needed.  Suppose the audience knows how to use PGP.  In such
+a setup the list administrator should generate a PGP keypair for the list, and
+configure the list to use it.  Each subscriber should get a copy of the lists'
+public key and import it to their keyring.  Furthermore, all subscribers should
+upload their personal PGP public key.
+
+The lists settings will be:
+
+gpg_post_encrypt Force: only posts encrypted to the list key will get
+distributed.
+
+gpg_post_sign Force: only posts with a valid subscriber key will get
+distributed.
+
+gpg_distrib_encrypt Force: all posts will get encrypted to the subscribers key
+bfore being distributed.
+
+gpg_distrib_sign Yes: all posts will get signed with the listkey before being
+distributed.
+
+This way, the post is encrypted (so kept confidential) both when in transit
+from the poster to the server, as well as while in transit from the server to
+the various subscribers.  Integrity and authenticity are guaranteed also by
+keeping the message signed while on the network.
+
+Overview of settings
+--------------------
+- gpg_post_encrypt (No, Yes, Force): Are postings which are encrypted with the
+  GPG list key decrypted?  Are subcribers forced to encrypt their posts?
+  Such messages will get decrypted and (possibly) re-encrypted.  A header
+  "X-Mailman-SLS-decrypted: Yes" will get added to the messages.
+
+- gpg_distrib_encrypt (No, Yes, Force): Are posts encrypted to the subscribers
+  GPG public key before being distributed?  Is such encryption (and uploading
+  of a public key) mandatory?
+
+- gpg_post_sign (No, Yes, Force): Should posts be GPG signed with an
+  acknowledged subscriber key before being distributed? (Yes means: hold for
+  approval, Force means: discard unsigned messages.)
+
+- gpg_distrib_sign (No, Yes): Should the server sign messages before
+  distributing?
+
+
+Latest Changes
+==============
+
+We give a summary of the changes since the patch was published by Stefan
+Schlott (2005-02).
+
+Security was improved, thanks to suggestions made by Security Auditor Guus
+Sliepen:
+- No longer allow a member to change an already set public key using the
+  password authenticated web UI.
+- In case a message was decrypted and should be held or discarded, forward only
+  the headers to the listmaster, not the decrypted content.
+- Emails with a valid signature of a known subscriber are now accepted only if
+  the address in the From header matches one of the email addresses associated
+  with the key.  Since the original signature is removed before the mail is sent
+  to the other subscribers, this did allow one subscriber to impersonate another
+  subscriber or even an outsider.
+
+Thanks to Stefan Schlott, a mailinglist is available for discussing development
+of the patch.  The patch now is maintained using a public Version Control
+system (first darcs, now bzr at Launchpad).  Some documentation got added, in
+README.PGP-SMIME.html, TODO.PGP-SMIME and NEWS.PGP-SMIME.
+
+The patch got stepwise ported from upstream 2.1.5 to 2.1.11.
+
+Support for PGP subkeys got added (contributed by Tonnerre Lombard).  The patch
+now deals with both inline signatures and detached signatures.
+Signature-verification support (via new options {gpg,smime}_post_sign) as a
+moderation criterium got added.
+
+The patch now supports S/MIME (next to PGP).
+
+
+Development Plans
+=================
+
+NLnet agreed to support the following future work:
+
+ Write and publish documentation  2009-01-15
+ Create a package of SLS          2009-03-01
+ Disseminate results              2009-03-01
+ Act upon auditors final report   2009-04-01
+ Try get SLS shipped w/ distros   2009-04-15
+
+That is:
+
+1) Writing documentation for users, for list admins, for site admins, as well as
+for developers.
+
+2) Building and publishing both a Debian and an RPM package for SLS.
+
+3) Disseminate the results by giving presentations: at CCC Ulm, Mon January
+12th, and a lightning talk at Fosdem, Sun February 8th, 10h20, ULB Campus
+Solbosch, Brussels (http://fosdem.org/2009/node/164).
+
+Guus Sliepen has performed a security audit; results are online at
+http://non-gnu.uvt.nl/mailman-pgp-smime/pgp-smime/audit.pdf.  Guus is now
+performing a second and final audit, on the latest SLS release
+(mailman-2.1.11-pgp-smime_2009-01-02.patch.gz).
+
+Next to the 3 mentioned jobs, NLnet agreed to support:
+
+4) Act upon finding of Security Auditors final report.
+
+5) Try to get Secure List Server shipped with Free Software distributions.
+
+The last job consists of: Ask and help maintainers of Mailman packages for e.g.
+GNU/Linux distributions to include the patch.  Work with the Debian Mailman
+package maintainer to try to get the patched Mailman shipped with Debian and
+Ubuntu.  Next to Debian/Ubuntu, people within the Sabayon
+(http://www.sabayonlinux.org/) and Small Sister (http://smallsister.org/) [1]
+projects will get asked (and offered help) to include the patched Mailman
+system.  NB: The decision on wether or not to include this patch is under
+control of the package maintainer (not the patch author).
+
+
+Contributing to the project
+===========================
+
+If you'd like to contribute patches, check out the code using Bazaar:
+
+ $ bzr branch lp:~joostvb/mailman/2.1-pgp-smime
+ $ vi Mailman/GPGUtils.py
+ $ bzr commit -m 'fixed all bugs'
+ $ vi Mailman/Handlers/Moderate.py
+ $ bzr commit -m 'added the missing feature'
+ $ bzr send --output=/tmp/merge
+ $ mutt -a /tmp/merge -s '[patch] bugfix, feature' \
+    joostvb-mailman-pgp-smime/a/mdcc.cx </dev/null
+
+See https://code.launchpad.net/~joostvb/mailman/2.1-pgp-smime for instructions.
+A fancy webinterface to this version control system is available at Launchpad's
+Bazaar page.
+
+There is a (huge) TODO-list, at
+http://non-gnu.uvt.nl/mailman-pgp-smime/TODO.PGP-SMIME .
+
+
+The future
+==========
+
+Currently (2009-01-12) there are 3 Mailman branches: 2.1, 2.2 and 3.  Up to
+now, only for 2.1 there have been stable releases.  No fancy new stuff will be
+introduced in 2.1 or 2.2.  All exciting new development will take place in the
+3-branch.
+
+Latest news for 2.1 and 2.2:
+
+On Sunday January 11, Mark Sapiro released 2.1.12rc1: a bugfix and python 2.6
+compatibility release.
+
+On Jan 3, 2009, at 2:51 PM, Mark Sapiro wrote:
+> I expect to ship the final 2.1.12 release by the end of January.
+[...]
+> After January, my focus will be on Mailman 2.2.  I hope to be able to
+> release a 2.2 beta before the end of March, 2009.
+
+Latest news for 3:
+
+On Sat, 3 Jan 2009 Barry Warsaw wrote:
+> Released 3.0 alpha 2
+[...]
+> still an alpha snapshot and not suitable for production systems, functional
+> enough to create mailing lists, add and remove members, send email from and to
+> lists. [...]
+> The web interface is still not functional, so for now you have to interact
+> with Mailman via the command line.
+
+It is not known when a stable Mailman 3 will get released.  (As Free Software
+hackers say: that's up to _you_ !)
+
+I've requested NLnet to support the project on 4 Mar 2008.  At that time it
+seemed wisest to focus on patching 2.1.  I would like to port the patch to 2.2,
+once there's a stable 2.2 release.  However, I don't think the Mailman
+developers would like to ship a 2.2 including the patch.  I haven't yet
+investigated about the feasability of porting the patch to 3.  It for sure
+would be a very useful project!  (And it might be easy: being pluggable is one
+of the design decisions for Mailman 3.)
+
+
+Contact, questions
+==================
+
+If you're interested in helping with the work, you might like to subscribe to
+the developer list for SLS: ssls-dev /a/ ulm.ccc.de.  (Yes, that's sSls.
+Backwards compatibility :).  (Thanks a lot to Stefan Schlott for hosting this
+list.)
+
+If you'd like to contact the author directly, mail Joost van Baal on
+<joostvb-mailman-pgp-smime /a/ mdcc.cx>.  I'm on IRC too:
+joostvb@{OFTC,freenode}.
+
+
+Thanks
+======
+
+Jeroen Hoppenbrouwers ( http://hoppie.nl/ ) for helping translating the
+Platonov quote.  The Mailman community, for giving valuable feedback and making
+Mailman possible.  Guus Sliepen, for guarding the patch's security.  The NLnet
+foundation, for making the work on this patch possible.
+
+
+Notes
+=====
+
+[1]: The Small Sister Project aims to increase your privacy by delivering
+SmallMailServer and SmallMailClient, creating a privacy-friendly system where
+personal data is properly secured.  Using Tor and GnupG, it enables (optionally
+anonymous) e-mail without the burden of data retention and eavesdropping.
+
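Review bot: The quick-edit recipe under "Check results" writes the list configuration to the fixed path `/tmp/dump`. On a PGP list that dump presumably contains the `gpg_secret_key` and `gpg_passphrase` settings, since the text says the listkey is also kept in config.pck. Under a default umask the file would be readable by other local users, and the recipe never removes it. I would write it as `umask 077; f=$(mktemp); config_list -o "$f" testlist; vi "$f"; config_list -i "$f" testlist; rm -f "$f"`. Separately, both `openssl req` examples request a SHA-1 digest with `-sha1`; a guide that readers copy from should use `-sha256`.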
Les fichiers binaires mailman-2.1.15/pgp-smime/talk/mailman-pgp-smime-talk-ulm-2009-01-12.pdf et mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/mailman-pgp-smime-talk-ulm-2009-01-12.pdf sont différents.
diff -durP mailman-2.1.15/pgp-smime/talk/mailman-pgp-smime-talk-ulm-2009-01-12.ps mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/mailman-pgp-smime-talk-ulm-2009-01-12.ps
--- mailman-2.1.15/pgp-smime/talk/mailman-pgp-smime-talk-ulm-2009-01-12.ps	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/mailman-pgp-smime-talk-ulm-2009-01-12.ps	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,3177 @@
+%!PS-Adobe-3.0
+%%Title: stdin
+%%Creator: paps version 0.6.7 by Dov Grobgeld
+%%Pages: (atend)
+%%BoundingBox: 0 0 595 841
+%%BeginProlog
+%%Orientation: Portrait
+/papsdict 1 dict def
+papsdict begin
+
+/inch {72 mul} bind def
+/mm {1 inch 25.4 div mul} bind def
+
+% override setpagedevice if it is not defined
+/setpagedevice where {
+    pop % get rid of its dictionary
+    /setpagesize { 
+       3 dict begin
+         /pageheight exch def 
+         /pagewidth exch def
+         /orientation 0 def
+         % Exchange pagewidth and pageheight so that pagewidth is bigger
+         pagewidth pageheight gt {  
+             pagewidth
+             /pagewidth pageheight def
+             /pageheight exch def
+             /orientation 3 def
+         } if
+         2 dict
+         dup /PageSize [pagewidth pageheight] put
+         dup /Orientation orientation put
+         setpagedevice 
+       end
+    } def
+}
+{
+    /setpagesize { pop pop } def
+} ifelse
+/duplex {
+    statusdict /setduplexmode known 
+    { statusdict begin setduplexmode end } {pop} ifelse
+} def
+/tumble {
+    statusdict /settumble known
+   { statusdict begin settumble end } {pop} ifelse
+} def
+% Turn the page around
+/turnpage {
+  90 rotate
+  0 pageheight neg translate
+} def
+% User settings
+/pagewidth 595 def
+/pageheight 841 def
+pagewidth pageheight setpagesize
+/column_width 523 def
+/bodyheight 769 def
+/lmarg 36 def
+/ytop 805 def
+/do_separation_line true def
+/do_landscape false def
+/do_tumble true def
+/do_duplex true def
+% Procedures to translate position to first and second column
+/lw 20 def % whatever
+/setnumcolumns {
+    /numcolumns exch def
+    /firstcolumn { /xpos lmarg def /ypos ytop def} def
+    /nextcolumn { 
+      do_separation_line {
+          xpos column_width add gutter_width 2 div add % x start
+           ytop lw add moveto              % y start
+          0 bodyheight lw add neg rlineto 0 setlinewidth stroke
+      } if
+      /xpos xpos column_width add gutter_width add def 
+      /ypos ytop def
+    } def
+} def
+
+1 setnumcolumns
+/showline {
+    /y exch def
+    /s exch def
+    xpos y moveto 
+    column_width 0 rlineto stroke
+    xpos y moveto /Helvetica findfont 20 scalefont setfont s show
+} def
+/paps_bop {  % Beginning of page definitions
+    papsdict begin
+    gsave
+    do_landscape {turnpage} if 
+    % ps2pdf gets wrong orientation without this!
+    /Helvetica findfont setfont 100 100 moveto ( ) show
+    firstcolumn
+    end
+} def
+
+/paps_eop {  % End of page cleanups
+    grestore    
+} def
+%%BeginProlog
+/papsdict 1 dict def
+papsdict begin
+
+/conicto {
+    /to_y exch def
+    /to_x exch def
+    /conic_cntrl_y exch def
+    /conic_cntrl_x exch def
+    currentpoint
+    /p0_y exch def
+    /p0_x exch def
+    /p1_x p0_x conic_cntrl_x p0_x sub 2 3 div mul add def
+    /p1_y p0_y conic_cntrl_y p0_y sub 2 3 div mul add def
+    /p2_x p1_x to_x p0_x sub 1 3 div mul add def
+    /p2_y p1_y to_y p0_y sub 1 3 div mul add def
+    p1_x p1_y p2_x p2_y to_x to_y curveto
+} bind def
+/start_ol { gsave } bind def
+/end_ol { closepath fill grestore } bind def
+/draw_char { fontdict begin gsave 0.001000 dup scale last_x last_y translate load exec end grestore} def
+/goto_xy { fontdict begin /last_y exch def /last_x exch def end } def
+/goto_x { fontdict begin /last_x exch def end } def
+/fwd_x { fontdict begin /last_x exch last_x add def end } def
+/c /curveto load def
+/x /conicto load def
+/l /lineto load def
+/m /moveto load def
+end
+/paps_exec {
+  1 dict begin
+  /ps exch def
+  /len ps length def
+  /pos 0 def
+
+  % Loop over all the characters of the string
+  {
+    pos len eq {exit} if
+
+    % Get character at pos
+    /ch ps pos 1 getinterval def
+    
+    % check for +
+    (+) ch eq {
+      /pos 1 pos add def
+      /xp ps pos 8 getinterval cvi def
+      /yp ps pos 8 add 8 getinterval cvi def
+      /pos 16 pos add def
+      papsdict begin xp yp goto_xy end
+    } {
+      (*) ch eq {
+        /pos 1 pos add def
+        /xp ps pos 8 getinterval cvi def
+        /pos 8 pos add def
+        papsdict begin xp goto_x end
+      } { (>) ch eq {
+          /pos 1 pos add def
+          /xp ps pos 4 getinterval cvi def
+          /pos 4 pos add def
+          papsdict begin xp 2 mul fwd_x end
+        } { (-) ch eq {
+            /pos 1 pos add def
+            /xp ps pos 4 getinterval cvi def
+            /pos 4 pos add def
+            papsdict begin xp neg 2 mul fwd_x end
+          } {
+              % Must be a 3 char sym. Load and exec
+              /name ps pos 3 getinterval def
+              papsdict begin name draw_char end
+              /pos 3 pos add def
+            } ifelse
+          } ifelse
+        } ifelse
+    } ifelse
+  } loop
+  end
+} def
+/fontdict 1 dict def
+papsdict begin fontdict begin
+/BAA { start_ol
+4896 7056 m
+4896 6048 l
+4448 6333 3997 6478 x
+3547 6624 3089 6624 x
+2392 6624 1987 6300 x
+1584 5977 1584 5428 x
+1584 4946 1850 4693 x
+2118 4440 2848 4270 x
+3368 4153 l
+4392 3913 4860 3398 x
+5328 2884 5328 1996 x
+5328 954 4681 405 x
+4034 -144 2799 -144 x
+2283 -144 1764 -36 x
+1244 72 720 288 x
+720 1368 l
+1284 995 1788 821 x
+2292 648 2804 648 x
+3556 648 3973 985 x
+4392 1324 4392 1930 x
+4392 2482 4105 2774 x
+3818 3065 3108 3223 x
+2578 3345 l
+1564 3574 1105 4035 x
+648 4496 648 5274 x
+648 6246 1302 6831 x
+1957 7416 3042 7416 x
+3460 7416 3922 7326 x
+4385 7236 4896 7056 x
+6048 fwd_x
+end_ol
+ } def
+/CAA { start_ol
+5400 2970 m
+5400 2520 l
+1479 2520 l
+1479 2491 l
+1479 1611 1948 1129 x
+2417 648 3272 648 x
+3704 648 4176 790 x
+4648 933 5184 1224 x
+5184 360 l
+4672 108 4197 -18 x
+3722 -144 3279 -144 x
+2008 -144 1291 622 x
+576 1389 576 2736 x
+576 4048 1278 4831 x
+1981 5616 3151 5616 x
+4195 5616 4797 4906 x
+5400 4197 5400 2970 x
+4536 3240 m
+4515 4015 4153 4419 x
+3792 4824 3114 4824 x
+2450 4824 2020 4402 x
+1591 3981 1512 3235 x
+4536 3240 l
+6048 fwd_x
+end_ol
+ } def
+/DAA { start_ol
+5184 288 m
+4820 72 4435 -36 x
+4051 -144 3648 -144 x
+2373 -144 1654 619 x
+936 1383 936 2736 x
+936 4088 1654 4852 x
+2373 5616 3648 5616 x
+4045 5616 4423 5510 x
+4801 5404 5184 5184 x
+5184 4248 l
+4824 4552 4461 4687 x
+4099 4824 3641 4824 x
+2788 4824 2329 4282 x
+1872 3741 1872 2736 x
+1872 1735 2332 1191 x
+2793 648 3641 648 x
+4114 648 4488 788 x
+4863 929 5184 1224 x
+5184 288 l
+6048 fwd_x
+end_ol
+ } def
+/EAA { start_ol
+936 2080 m
+936 5472 l
+1800 5472 l
+1800 2080 l
+1800 1342 2068 994 x
+2337 648 2901 648 x
+3553 648 3900 1094 x
+4248 1542 4248 2378 x
+4248 5472 l
+5112 5472 l
+5112 0 l
+4248 0 l
+4248 829 l
+4006 349 3588 102 x
+3172 -144 2614 -144 x
+1765 -144 1350 408 x
+936 960 936 2080 x
+6048 fwd_x
+end_ol
+ } def
+/FAA { start_ol
+5688 4320 m
+5394 4583 5090 4703 x
+4788 4824 4424 4824 x
+3569 4824 3116 4279 x
+2664 3735 2664 2706 x
+2664 0 l
+1800 0 l
+1800 5472 l
+2664 5472 l
+2664 4388 l
+2892 4982 3367 5298 x
+3843 5616 4494 5616 x
+4833 5616 5125 5528 x
+5419 5441 5688 5256 x
+5688 4320 l
+6048 fwd_x
+end_ol
+ } def
+/GAA { start_ol
+1080 7272 m
+2088 7272 l
+2088 792 l
+5616 792 l
+5616 0 l
+1080 0 l
+1080 7272 l
+6048 fwd_x
+end_ol
+ } def
+/HAA { start_ol
+1296 5472 m
+3528 5472 l
+3528 720 l
+5328 720 l
+5328 0 l
+864 0 l
+864 720 l
+2664 720 l
+2664 4752 l
+1296 4752 l
+1296 5472 l
+2664 7632 m
+3528 7632 l
+3528 6480 l
+2664 6480 l
+2664 7632 l
+6048 fwd_x
+end_ol
+ } def
+/IAA { start_ol
+4752 5328 m
+4752 4464 l
+4362 4680 3967 4788 x
+3574 4896 3165 4896 x
+2550 4896 2246 4694 x
+1944 4494 1944 4083 x
+1944 3711 2176 3528 x
+2409 3344 3335 3171 x
+3710 3100 l
+4365 2972 4702 2588 x
+5040 2206 5040 1591 x
+5040 775 4467 315 x
+3895 -144 2877 -144 x
+2476 -144 2035 -72 x
+1594 0 1080 144 x
+1080 1080 l
+1585 828 2046 702 x
+2507 576 2919 576 x
+3519 576 3847 821 x
+4176 1067 4176 1509 x
+4176 2145 2936 2388 x
+2895 2398 l
+2545 2469 l
+1782 2621 1431 2982 x
+1080 3343 1080 3966 x
+1080 4756 1608 5186 x
+2138 5616 3119 5616 x
+3557 5616 3960 5544 x
+4363 5472 4752 5328 x
+6048 fwd_x
+end_ol
+ } def
+/JAA { start_ol
+2952 7056 m
+2952 5472 l
+4968 5472 l
+4968 4752 l
+2952 4752 l
+2952 1798 l
+2952 1195 3178 957 x
+3405 720 3970 720 x
+4968 720 l
+4968 0 l
+3882 0 l
+2896 0 2491 403 x
+2088 808 2088 1798 x
+2088 4752 l
+648 4752 l
+648 5472 l
+2088 5472 l
+2088 7056 l
+2952 7056 l
+6048 fwd_x
+end_ol
+ } def
+/KAA { start_ol
+504 5472 m
+1435 5472 l
+3021 879 l
+4612 5472 l
+5544 5472 l
+3602 0 l
+2445 0 l
+504 5472 l
+6048 fwd_x
+end_ol
+ } def
+/LAA { start_ol
+2376 5184 m
+3600 5184 l
+3600 3672 l
+2376 3672 l
+2376 5184 l
+2376 1512 m
+3600 1512 l
+3600 0 l
+2376 0 l
+2376 1512 l
+6048 fwd_x
+end_ol
+ } def
+/MAA { start_ol
+432 7272 m
+1719 7272 l
+3019 3570 l
+4329 7272 l
+5616 7272 l
+5616 0 l
+4752 0 l
+4752 6424 l
+3412 2592 l
+2641 2592 l
+1296 6424 l
+1296 0 l
+432 0 l
+432 7272 l
+6048 fwd_x
+end_ol
+ } def
+/NAA { start_ol
+3452 2736 m
+3145 2736 l
+2333 2736 1922 2457 x
+1512 2179 1512 1626 x
+1512 1128 1819 851 x
+2127 576 2671 576 x
+3438 576 3876 1095 x
+4315 1616 4320 2533 x
+4320 2736 l
+3452 2736 l
+5184 3116 m
+5184 0 l
+4320 0 l
+4320 778 l
+4027 304 3584 79 x
+3141 -144 2506 -144 x
+1659 -144 1153 327 x
+648 799 648 1591 x
+648 2507 1264 2981 x
+1881 3456 3074 3456 x
+4320 3456 l
+4320 3596 l
+4315 4241 3985 4532 x
+3656 4824 2934 4824 x
+2471 4824 1999 4695 x
+1527 4567 1080 4320 x
+1080 5184 l
+1576 5400 2030 5508 x
+2485 5616 2912 5616 x
+3588 5616 4068 5413 x
+4547 5212 4843 4809 x
+5028 4563 5106 4200 x
+5184 3839 5184 3116 x
+6048 fwd_x
+end_ol
+ } def
+/OAA { start_ol
+3096 1941 m
+3096 1335 3319 1027 x
+3543 720 3981 720 x
+5040 720 l
+5040 0 l
+3893 0 l
+3101 0 2666 506 x
+2232 1013 2232 1941 x
+2232 6912 l
+432 6912 l
+432 7632 l
+3096 7632 l
+3096 1941 l
+6048 fwd_x
+end_ol
+ } def
+/PAA { start_ol
+3246 4954 m
+3412 5292 3666 5454 x
+3920 5616 4279 5616 x
+4934 5616 5203 5108 x
+5472 4602 5472 3199 x
+5472 0 l
+4680 0 l
+4680 3160 l
+4680 4329 4548 4612 x
+4417 4896 4071 4896 x
+3675 4896 3529 4592 x
+3384 4289 3384 3160 x
+3384 0 l
+2592 0 l
+2592 3160 l
+2592 4343 2450 4619 x
+2308 4896 1941 4896 x
+1579 4896 1437 4592 x
+1296 4289 1296 3160 x
+1296 0 l
+504 0 l
+504 5472 l
+1296 5472 l
+1296 5036 l
+1456 5319 1697 5467 x
+1939 5616 2246 5616 x
+2617 5616 2864 5451 x
+3110 5287 3246 4954 x
+6048 fwd_x
+end_ol
+ } def
+/QAA { start_ol
+5112 3391 m
+5112 0 l
+4248 0 l
+4248 3391 l
+4248 4129 3981 4476 x
+3714 4824 3146 4824 x
+2498 4824 2148 4376 x
+1800 3929 1800 3093 x
+1800 0 l
+936 0 l
+936 5472 l
+1800 5472 l
+1800 4653 l
+2041 5126 2455 5370 x
+2869 5616 3435 5616 x
+4279 5616 4695 5063 x
+5112 4511 5112 3391 x
+6048 fwd_x
+end_ol
+ } def
+/RAA { start_ol
+2448 1512 m
+3672 1512 l
+3672 501 l
+2664 -1368 l
+1944 -1368 l
+2448 501 l
+2448 1512 l
+6048 fwd_x
+end_ol
+ } def
+/SAA { start_ol
+2016 6480 m
+2016 3672 l
+3157 3672 l
+3841 3672 4224 4042 x
+4608 4412 4608 5078 x
+4608 5744 4226 6112 x
+3846 6480 3157 6480 x
+2016 6480 l
+1008 7272 m
+3157 7272 l
+4367 7272 4991 6714 x
+5616 6156 5616 5078 x
+5616 3991 4993 3435 x
+4372 2880 3157 2880 x
+2016 2880 l
+2016 0 l
+1008 0 l
+1008 7272 l
+6048 fwd_x
+end_ol
+ } def
+/TAA { start_ol
+5400 589 m
+5004 227 4507 41 x
+4011 -144 3435 -144 x
+2047 -144 1275 849 x
+504 1842 504 3633 x
+504 5420 1291 6418 x
+2079 7416 3480 7416 x
+3944 7416 4367 7291 x
+4790 7166 5184 6912 x
+5184 5904 l
+4782 6274 4360 6448 x
+3938 6624 3467 6624 x
+2489 6624 2000 5877 x
+1512 5131 1512 3633 x
+1512 2111 1972 1379 x
+2432 648 3385 648 x
+3708 648 3951 724 x
+4194 802 4392 965 x
+4392 2952 l
+3312 2952 l
+3312 3744 l
+5400 3744 l
+5400 589 l
+6048 fwd_x
+end_ol
+ } def
+/UAA { start_ol
+4176 4756 m
+4176 7632 l
+5040 7632 l
+5040 0 l
+4176 0 l
+4176 715 l
+3951 295 3576 75 x
+3201 -144 2711 -144 x
+1716 -144 1146 626 x
+576 1398 576 2755 x
+576 4092 1148 4854 x
+1722 5616 2711 5616 x
+3206 5616 3583 5395 x
+3960 5176 4176 4756 x
+1512 2736 m
+1512 1702 1846 1174 x
+2181 648 2836 648 x
+3492 648 3834 1179 x
+4176 1711 4176 2736 x
+4176 3765 3834 4294 x
+3492 4824 2836 4824 x
+2181 4824 1846 4296 x
+1512 3769 1512 2736 x
+6048 fwd_x
+end_ol
+ } def
+/VAA { start_ol
+4320 7272 m
+5328 7272 l
+1512 -936 l
+504 -936 l
+4320 7272 l
+6048 fwd_x
+end_ol
+ } def
+/WAA { start_ol
+1008 7272 m
+5040 7272 l
+5040 6480 l
+3528 6480 l
+3528 792 l
+5040 792 l
+5040 0 l
+1008 0 l
+1008 792 l
+2520 792 l
+2520 6480 l
+1008 6480 l
+1008 7272 l
+6048 fwd_x
+end_ol
+ } def
+/XAA { start_ol
+1008 7272 m
+5328 7272 l
+5328 6480 l
+2016 6480 l
+2016 4320 l
+5184 4320 l
+5184 3528 l
+2016 3528 l
+2016 792 l
+5400 792 l
+5400 0 l
+1008 0 l
+1008 7272 l
+6048 fwd_x
+end_ol
+ } def
+/YAA { start_ol
+1800 715 m
+1800 -2088 l
+936 -2088 l
+936 5472 l
+1800 5472 l
+1800 4756 l
+2026 5176 2401 5395 x
+2777 5616 3268 5616 x
+4266 5616 4833 4846 x
+5400 4078 5400 2716 x
+5400 1379 4829 617 x
+4260 -144 3268 -144 x
+2767 -144 2391 75 x
+2016 295 1800 715 x
+4464 2736 m
+4464 3769 4131 4296 x
+3798 4824 3142 4824 x
+2480 4824 2139 4294 x
+1800 3765 1800 2736 x
+1800 1711 2139 1179 x
+2480 648 3142 648 x
+3798 648 4131 1174 x
+4464 1702 4464 2736 x
+6048 fwd_x
+end_ol
+ } def
+/ZAA { start_ol
+2985 4824 m
+2295 4824 1939 4296 x
+1584 3769 1584 2736 x
+1584 1706 1939 1176 x
+2295 648 2985 648 x
+3681 648 4036 1176 x
+4392 1706 4392 2736 x
+4392 3769 4036 4296 x
+3681 4824 2985 4824 x
+2985 5616 m
+4123 5616 4725 4875 x
+5328 4136 5328 2736 x
+5328 1329 4727 592 x
+4127 -144 2985 -144 x
+1848 -144 1247 592 x
+648 1329 648 2736 x
+648 4136 1247 4875 x
+1848 5616 2985 5616 x
+6048 fwd_x
+end_ol
+ } def
+/aAA { start_ol
+5184 7632 m
+5184 6912 l
+4168 6912 l
+3686 6912 3498 6706 x
+3312 6500 3312 5976 x
+3312 5472 l
+5184 5472 l
+5184 4752 l
+3312 4752 l
+3312 0 l
+2448 0 l
+2448 4752 l
+1008 4752 l
+1008 5472 l
+2448 5472 l
+2448 5869 l
+2448 6774 2850 7203 x
+3254 7632 4109 7632 x
+5184 7632 l
+6048 fwd_x
+end_ol
+ } def
+/bAA { start_ol
+4169 1737 m
+3943 1167 3595 238 x
+3109 -1046 2943 -1328 x
+2718 -1708 2379 -1897 x
+2040 -2088 1589 -2088 x
+864 -2088 l
+864 -1368 l
+1398 -1368 l
+1795 -1368 2020 -1136 x
+2246 -905 2595 57 x
+504 5472 l
+1427 5472 l
+3056 1192 l
+4659 5472 l
+5616 5472 l
+4169 1737 l
+6048 fwd_x
+end_ol
+ } def
+/cAA { start_ol
+5112 3391 m
+5112 0 l
+4248 0 l
+4248 3391 l
+4248 4129 3981 4476 x
+3714 4824 3146 4824 x
+2498 4824 2148 4376 x
+1800 3929 1800 3093 x
+1800 0 l
+936 0 l
+936 7632 l
+1800 7632 l
+1800 4653 l
+2041 5126 2455 5370 x
+2869 5616 3435 5616 x
+4279 5616 4695 5063 x
+5112 4511 5112 3391 x
+6048 fwd_x
+end_ol
+ } def
+/dAA { start_ol
+648 7272 m
+1886 7272 l
+4392 1285 l
+4392 7272 l
+5328 7272 l
+5328 0 l
+4089 0 l
+1584 5986 l
+1584 0 l
+648 0 l
+648 7272 l
+6048 fwd_x
+end_ol
+ } def
+/eAA { start_ol
+720 2784 m
+720 7272 l
+1728 7272 l
+1728 2335 l
+1728 1803 1757 1576 x
+1786 1350 1859 1228 x
+2014 940 2308 794 x
+2603 648 3021 648 x
+3444 648 3736 794 x
+4028 940 4188 1228 x
+4261 1351 4290 1575 x
+4320 1800 4320 2326 x
+4320 7272 l
+5328 7272 l
+5328 2784 l
+5328 1670 5187 1200 x
+5047 731 4703 425 x
+4379 138 3962 -2 x
+3544 -144 3024 -144 x
+2507 -144 2090 -2 x
+1672 138 1344 425 x
+1004 726 861 1206 x
+720 1685 720 2784 x
+6048 fwd_x
+end_ol
+ } def
+/fAA { start_ol
+4176 2740 m
+4176 3763 3843 4293 x
+3511 4824 2875 4824 x
+2211 4824 1861 4293 x
+1512 3763 1512 2740 x
+1512 1719 1864 1183 x
+2216 648 2885 648 x
+3511 648 3843 1185 x
+4176 1724 4176 2740 x
+5040 304 m
+5040 -873 4457 -1480 x
+3874 -2088 2743 -2088 x
+2371 -2088 1964 -2014 x
+1558 -1941 1152 -1800 x
+1152 -936 l
+1638 -1156 2034 -1262 x
+2431 -1368 2763 -1368 x
+3502 -1368 3838 -996 x
+4176 -626 4176 177 x
+4176 216 l
+4176 811 l
+3960 364 3587 146 x
+3216 -72 2682 -72 x
+1722 -72 1148 700 x
+576 1474 576 2769 x
+576 4069 1148 4842 x
+1722 5616 2682 5616 x
+3210 5616 3577 5397 x
+3945 5180 4176 4725 x
+4176 5472 l
+5040 5472 l
+5040 304 l
+6048 fwd_x
+end_ol
+ } def
+/gAA { start_ol
+0 5472 m
+893 5472 l
+1849 1054 l
+2633 3888 l
+3404 3888 l
+4198 1054 l
+5154 5472 l
+6048 5472 l
+4763 0 l
+3899 0 l
+3021 3010 l
+2148 0 l
+1284 0 l
+0 5472 l
+6048 fwd_x
+end_ol
+ } def
+/hAA { start_ol
+4464 2736 m
+4464 3769 4128 4296 x
+3794 4824 3139 4824 x
+2479 4824 2139 4294 x
+1800 3765 1800 2736 x
+1800 1711 2139 1179 x
+2479 648 3139 648 x
+3794 648 4128 1174 x
+4464 1702 4464 2736 x
+1800 4756 m
+2016 5171 2395 5393 x
+2774 5616 3273 5616 x
+4263 5616 4831 4854 x
+5400 4092 5400 2755 x
+5400 1398 4829 626 x
+4259 -144 3264 -144 x
+2774 -144 2399 75 x
+2025 295 1800 715 x
+1800 0 l
+936 0 l
+936 7632 l
+1800 7632 l
+1800 4756 l
+6048 fwd_x
+end_ol
+ } def
+/iAA { start_ol
+504 288 m
+504 1440 l
+940 1044 1406 846 x
+1872 648 2371 648 x
+3057 648 3328 1012 x
+3600 1378 3600 2373 x
+3600 6480 l
+1728 6480 l
+1728 7272 l
+4608 7272 l
+4608 2373 l
+4608 997 4096 426 x
+3585 -144 2388 -144 x
+1923 -144 1463 -38 x
+1003 67 504 288 x
+6048 fwd_x
+end_ol
+ } def
+/jAA { start_ol
+1800 3528 m
+1800 792 l
+2943 792 l
+3802 792 4169 1099 x
+4536 1407 4536 2112 x
+4536 2842 4150 3184 x
+3764 3528 2943 3528 x
+1800 3528 l
+1800 6480 m
+1800 4320 l
+2923 4320 l
+3621 4320 3934 4588 x
+4248 4857 4248 5457 x
+4248 5999 3939 6239 x
+3631 6480 2923 6480 x
+1800 6480 l
+792 7272 m
+2943 7272 l
+4053 7272 4654 6797 x
+5256 6322 5256 5454 x
+5256 4797 4934 4417 x
+4613 4038 3971 3943 x
+4707 3834 5125 3323 x
+5544 2812 5544 2023 x
+5544 1021 4889 510 x
+4235 0 2943 0 x
+792 0 l
+792 7272 l
+6048 fwd_x
+end_ol
+ } def
+/kAA { start_ol
+1368 792 m
+2880 792 l
+2880 6480 l
+1224 6120 l
+1224 6912 l
+2887 7272 l
+3888 7272 l
+3888 792 l
+5400 792 l
+5400 0 l
+1368 0 l
+1368 792 l
+6048 fwd_x
+end_ol
+ } def
+/lAA { start_ol
+1923 792 m
+5520 792 l
+5520 0 l
+720 0 l
+720 792 l
+1734 1765 2494 2511 x
+3253 3258 3541 3565 x
+4083 4168 4273 4540 x
+4464 4914 4464 5304 x
+4464 5922 4065 6273 x
+3667 6624 2974 6624 x
+2481 6624 1939 6445 x
+1398 6266 792 5904 x
+792 6912 l
+1336 7161 1863 7288 x
+2389 7416 2902 7416 x
+4060 7416 4765 6844 x
+5472 6273 5472 5344 x
+5472 4874 5238 4403 x
+5005 3931 4479 3362 x
+4186 3044 3627 2479 x
+3067 1915 1923 792 x
+6048 fwd_x
+end_ol
+ } def
+/mAA { start_ol
+2376 3669 m
+2376 3934 2562 4126 x
+2749 4320 3011 4320 x
+3283 4320 3477 4126 x
+3672 3934 3672 3669 x
+3672 3399 3479 3211 x
+3288 3024 3011 3024 x
+2740 3024 2558 3206 x
+2376 3389 2376 3669 x
+3021 6624 m
+2334 6624 1994 5884 x
+1656 5145 1656 3633 x
+1656 2126 1994 1387 x
+2334 648 3021 648 x
+3713 648 4052 1387 x
+4392 2126 4392 3633 x
+4392 5145 4052 5884 x
+3713 6624 3021 6624 x
+3021 7416 m
+4196 7416 4798 6458 x
+5400 5502 5400 3633 x
+5400 1769 4798 812 x
+4196 -144 3021 -144 x
+1847 -144 1247 812 x
+648 1769 648 3633 x
+648 5502 1247 6458 x
+1847 7416 3021 7416 x
+6048 fwd_x
+end_ol
+ } def
+/nAA { start_ol
+2973 3240 m
+3602 3240 3961 3688 x
+4320 4138 4320 4932 x
+4320 5725 3961 6174 x
+3602 6624 2973 6624 x
+2319 6624 1987 6195 x
+1656 5767 1656 4932 x
+1656 4090 1984 3665 x
+2314 3240 2973 3240 x
+1152 144 m
+1152 1080 l
+1469 869 1827 758 x
+2185 648 2574 648 x
+3542 648 4038 1364 x
+4536 2082 4536 3477 x
+4302 2980 3877 2713 x
+3454 2448 2905 2448 x
+1829 2448 1238 3098 x
+648 3748 648 4942 x
+648 6120 1244 6768 x
+1841 7416 2932 7416 x
+4210 7416 4804 6502 x
+5400 5590 5400 3633 x
+5400 1793 4678 824 x
+3958 -144 2587 -144 x
+2226 -144 1859 -69 x
+1494 4 1152 144 x
+6048 fwd_x
+end_ol
+ } def
+/oAA { start_ol
+3057 6401 m
+2012 2664 l
+4102 2664 l
+3057 6401 l
+2459 7272 m
+3660 7272 l
+5904 0 l
+4878 0 l
+4338 1872 l
+1771 1872 l
+1242 0 l
+216 0 l
+2459 7272 l
+6048 fwd_x
+end_ol
+ } def
+/pAA { start_ol
+432 2592 m
+5616 2592 l
+5616 1728 l
+432 1728 l
+432 2592 l
+432 4608 m
+5616 4608 l
+5616 3744 l
+432 3744 l
+432 4608 l
+6048 fwd_x
+end_ol
+ } def
+/qAA { start_ol
+216 7272 m
+5832 7272 l
+5832 6480 l
+3528 6480 l
+3528 0 l
+2520 0 l
+2520 6480 l
+216 6480 l
+216 7272 l
+6048 fwd_x
+end_ol
+ } def
+/rAA { start_ol
+1728 3168 m
+4248 3168 l
+4248 2376 l
+1728 2376 l
+1728 3168 l
+6048 fwd_x
+end_ol
+ } def
+/sAA { start_ol
+2376 1512 m
+3600 1512 l
+3600 0 l
+2376 0 l
+2376 1512 l
+6048 fwd_x
+end_ol
+ } def
+/tAA { start_ol
+1152 7632 m
+2016 7632 l
+2016 3200 l
+4435 5472 l
+5558 5472 l
+3349 3409 l
+5904 0 l
+4776 0 l
+2702 2823 l
+2016 2193 l
+2016 0 l
+1152 0 l
+1152 7632 l
+6048 fwd_x
+end_ol
+ } def
+/uAA { start_ol
+5184 288 m
+4810 72 4416 -36 x
+4023 -144 3580 -144 x
+2187 -144 1417 846 x
+648 1837 648 3633 x
+648 5420 1422 6418 x
+2197 7416 3580 7416 x
+4023 7416 4416 7308 x
+4810 7200 5184 6984 x
+5184 5976 l
+4822 6292 4407 6457 x
+3993 6624 3574 6624 x
+2612 6624 2134 5879 x
+1656 5135 1656 3633 x
+1656 2136 2134 1391 x
+2612 648 3574 648 x
+4002 648 4414 813 x
+4827 979 5184 1296 x
+5184 288 l
+6048 fwd_x
+end_ol
+ } def
+/vAA { start_ol
+4248 5184 m
+4248 4680 l
+3960 4790 3684 4843 x
+3409 4896 3121 4896 x
+2541 4896 2206 4545 x
+1872 4195 1872 3593 x
+1872 2972 2218 2638 x
+2566 2304 3210 2304 x
+3488 2304 3744 2356 x
+4000 2409 4248 2520 x
+4248 2016 l
+3991 1905 3710 1852 x
+3430 1800 3129 1800 x
+2243 1800 1733 2281 x
+1224 2764 1224 3593 x
+1224 4426 1735 4912 x
+2248 5400 3129 5400 x
+3430 5400 3710 5347 x
+3991 5294 4248 5184 x
+3024 6120 m
+2504 6120 2059 5938 x
+1616 5757 1248 5389 x
+882 5022 693 4570 x
+504 4119 504 3600 x
+504 3090 693 2641 x
+882 2192 1248 1824 x
+1622 1452 2065 1265 x
+2508 1080 3024 1080 x
+3543 1080 3987 1265 x
+4431 1452 4803 1824 x
+5176 2198 5359 2641 x
+5544 3084 5544 3600 x
+5544 4119 5357 4570 x
+5171 5022 4803 5389 x
+4435 5757 3991 5938 x
+3548 6120 3024 6120 x
+3021 6624 m
+3645 6624 4179 6403 x
+4713 6183 5154 5740 x
+5596 5294 5821 4754 x
+6048 4215 6048 3597 x
+6048 2984 5824 2449 x
+5601 1914 5154 1469 x
+4709 1022 4173 798 x
+3639 576 3021 576 x
+2408 576 1873 798 x
+1338 1022 893 1469 x
+446 1914 222 2449 x
+0 2984 0 3597 x
+0 4215 225 4754 x
+451 5294 893 5740 x
+1334 6183 1868 6403 x
+2403 6624 3021 6624 x
+6048 fwd_x
+end_ol
+ } def
+/wAA { start_ol
+3021 3456 m
+2368 3456 2011 3090 x
+1656 2724 1656 2056 x
+1656 1388 2016 1018 x
+2377 648 3021 648 x
+3679 648 4035 1013 x
+4392 1379 4392 2056 x
+4392 2720 4030 3088 x
+3670 3456 3021 3456 x
+2157 3874 m
+1514 4035 1153 4473 x
+792 4911 792 5530 x
+792 6397 1391 6906 x
+1991 7416 3021 7416 x
+4056 7416 4656 6906 x
+5256 6397 5256 5530 x
+5256 4911 4894 4473 x
+4533 4035 3890 3874 x
+4622 3713 5010 3224 x
+5400 2736 5400 1958 x
+5400 970 4768 412 x
+4137 -144 3021 -144 x
+1905 -144 1276 410 x
+648 965 648 1948 x
+648 2730 1036 3222 x
+1425 3713 2157 3874 x
+1800 5425 m
+1800 4852 2113 4549 x
+2427 4248 3021 4248 x
+3620 4248 3934 4549 x
+4248 4852 4248 5425 x
+4248 6010 3936 6316 x
+3624 6624 3021 6624 x
+2427 6624 2113 6314 x
+1800 6006 1800 5425 x
+6048 fwd_x
+end_ol
+ } def
+/xAA { start_ol
+5616 4727 m
+1446 3163 l
+5616 1614 l
+5616 720 l
+432 2763 l
+432 3573 l
+5616 5616 l
+5616 4727 l
+6048 fwd_x
+end_ol
+ } def
+/yAA { start_ol
+2952 -83 m
+2952 4752 l
+1368 4752 l
+1368 5472 l
+3816 5472 l
+3816 -83 l
+3816 -1046 3382 -1567 x
+2949 -2088 2152 -2088 x
+936 -2088 l
+936 -1296 l
+2053 -1296 l
+2502 -1296 2727 -992 x
+2952 -689 2952 -83 x
+2952 7632 m
+3816 7632 l
+3816 6480 l
+2952 6480 l
+2952 7632 l
+6048 fwd_x
+end_ol
+ } def
+/zAA { start_ol
+5400 5472 m
+3471 2853 l
+5616 0 l
+4579 0 l
+2985 2193 l
+1396 0 l
+360 0 l
+2504 2853 l
+576 5472 l
+1557 5472 l
+2985 3493 l
+4404 5472 l
+5400 5472 l
+6048 fwd_x
+end_ol
+ } def
+/ABA { start_ol
+432 4727 m
+432 5616 l
+5616 3573 l
+5616 2763 l
+432 720 l
+432 1614 l
+4601 3163 l
+432 4727 l
+6048 fwd_x
+end_ol
+ } def
+/BBA { start_ol
+2448 1512 m
+3672 1512 l
+3672 501 l
+2664 -1368 l
+1944 -1368 l
+2448 501 l
+2448 1512 l
+2376 5184 m
+3600 5184 l
+3600 3672 l
+2376 3672 l
+2376 5184 l
+6048 fwd_x
+end_ol
+ } def
+/CBA { start_ol
+3899 3928 m
+4627 3736 5013 3246 x
+5400 2757 5400 2025 x
+5400 1011 4701 433 x
+4002 -144 2766 -144 x
+2246 -144 1706 -51 x
+1167 40 648 216 x
+648 1224 l
+1162 933 1661 790 x
+2162 648 2656 648 x
+3494 648 3943 1023 x
+4392 1400 4392 2108 x
+4392 2760 3944 3144 x
+3497 3528 2733 3528 x
+1944 3528 l
+1944 4320 l
+2733 4320 l
+3447 4320 3847 4619 x
+4248 4919 4248 5455 x
+4248 6019 3876 6321 x
+3506 6624 2821 6624 x
+2367 6624 1881 6516 x
+1396 6408 864 6192 x
+864 7128 l
+1480 7272 1962 7344 x
+2443 7416 2815 7416 x
+3926 7416 4591 6886 x
+5256 6356 5256 5481 x
+5256 4885 4909 4488 x
+4563 4092 3899 3928 x
+6048 fwd_x
+end_ol
+ } def
+/DBA { start_ol
+4464 3633 m
+4464 5243 4126 5933 x
+3790 6624 3021 6624 x
+2257 6624 1920 5933 x
+1584 5243 1584 3633 x
+1584 2028 1920 1337 x
+2257 648 3021 648 x
+3790 648 4126 1335 x
+4464 2022 4464 3633 x
+5472 3633 m
+5472 1730 4866 793 x
+4261 -144 3021 -144 x
+1782 -144 1179 787 x
+576 1720 576 3633 x
+576 5541 1181 6478 x
+1786 7416 3021 7416 x
+4261 7416 4866 6478 x
+5472 5541 5472 3633 x
+6048 fwd_x
+end_ol
+ } def
+/EBA { start_ol
+0 7272 m
+966 7272 l
+1667 1363 l
+2502 5256 l
+3537 5256 l
+4380 1354 l
+5081 7272 l
+6048 7272 l
+4954 0 l
+4017 0 l
+3021 4304 l
+2030 0 l
+1093 0 l
+0 7272 l
+6048 fwd_x
+end_ol
+ } def
+/FBA { start_ol
+3782 3377 m
+4156 3281 4421 3015 x
+4686 2749 5080 1955 x
+6048 0 l
+5014 0 l
+4168 1806 l
+3786 2578 3480 2801 x
+3175 3024 2685 3024 x
+1728 3024 l
+1728 0 l
+720 0 l
+720 7272 l
+2784 7272 l
+3981 7272 4618 6723 x
+5256 6175 5256 5136 x
+5256 4405 4869 3943 x
+4483 3480 3782 3377 x
+1728 6480 m
+1728 3816 l
+2823 3816 l
+3543 3816 3895 4142 x
+4248 4469 4248 5143 x
+4248 5791 3873 6135 x
+3498 6480 2784 6480 x
+1728 6480 l
+6048 fwd_x
+end_ol
+ } def
+/GBA { start_ol
+144 7272 m
+1215 7272 l
+3026 4062 l
+4827 7272 l
+5904 7272 l
+3528 3263 l
+3528 0 l
+2520 0 l
+2520 3263 l
+144 7272 l
+6048 fwd_x
+end_ol
+ } def
+/HBA { start_ol
+1152 5472 m
+5112 5472 l
+5112 4650 l
+1980 720 l
+5112 720 l
+5112 0 l
+1008 0 l
+1008 828 l
+4167 4752 l
+1152 4752 l
+1152 5472 l
+6048 fwd_x
+end_ol
+ } def
+/IBA { start_ol
+5616 3816 m
+5616 2985 l
+5248 2707 4897 2577 x
+4547 2448 4159 2448 x
+3718 2448 3163 2688 x
+3055 2736 3001 2755 x
+2624 2910 2371 2966 x
+2119 3024 1868 3024 x
+1481 3024 1135 2884 x
+789 2745 432 2448 x
+432 3281 l
+814 3562 1172 3688 x
+1531 3816 1937 3816 x
+2197 3816 2442 3764 x
+2687 3712 3051 3567 x
+3109 3544 3213 3497 x
+3782 3240 4237 3240 x
+4581 3240 4916 3382 x
+5252 3525 5616 3816 x
+6048 fwd_x
+end_ol
+ } def
+/JBA { start_ol
+1008 7272 m
+4968 7272 l
+4968 6480 l
+2016 6480 l
+2016 4680 l
+2235 4754 2457 4789 x
+2678 4824 2902 4824 x
+4086 4824 4779 4153 x
+5472 3484 5472 2340 x
+5472 1185 4740 520 x
+4009 -144 2741 -144 x
+2130 -144 1625 -72 x
+1120 0 720 144 x
+720 1152 l
+1195 897 1677 772 x
+2160 648 2661 648 x
+3526 648 3994 1087 x
+4464 1528 4464 2340 x
+4464 3141 3973 3586 x
+3483 4032 2607 4032 x
+2182 4032 1778 3942 x
+1374 3852 1008 3672 x
+1008 7272 l
+6048 fwd_x
+end_ol
+ } def
+/KBA { start_ol
+2130 792 m
+3393 792 3892 1406 x
+4392 2021 4392 3628 x
+4392 5250 3894 5864 x
+3397 6480 2130 6480 x
+1656 6480 l
+1656 792 l
+2130 792 l
+2151 7272 m
+3819 7272 4609 6385 x
+5400 5499 5400 3629 x
+5400 1768 4609 884 x
+3819 0 2151 0 x
+648 0 l
+648 7272 l
+2151 7272 l
+6048 fwd_x
+end_ol
+ } def
+/LBA { start_ol
+3456 7272 m
+3456 4536 l
+2592 4536 l
+2592 7272 l
+3456 7272 l
+6048 fwd_x
+end_ol
+ } def
+/MBA { start_ol
+1152 7272 m
+5472 7272 l
+5472 6480 l
+2160 6480 l
+2160 4320 l
+5184 4320 l
+5184 3528 l
+2160 3528 l
+2160 0 l
+1152 0 l
+1152 7272 l
+6048 fwd_x
+end_ol
+ } def
+/NBA { start_ol
+648 7272 m
+5400 7272 l
+5400 6853 l
+2665 0 l
+1584 0 l
+4248 6480 l
+648 6480 l
+648 7272 l
+6048 fwd_x
+end_ol
+ } def
+/OBA { start_ol
+2350 7992 m
+3744 6120 l
+2980 6120 l
+1368 7992 l
+2350 7992 l
+6048 fwd_x
+end_ol
+ } def
+/PBA { start_ol
+4320 7632 m
+3667 6516 3345 5406 x
+3024 4298 3024 3172 x
+3024 2052 3345 940 x
+3667 -169 4320 -1296 x
+3534 -1296 l
+2804 -130 2445 973 x
+2088 2076 2088 3172 x
+2088 4264 2445 5370 x
+2804 6476 3534 7632 x
+4320 7632 l
+6048 fwd_x
+end_ol
+ } def
+/QBA { start_ol
+1728 7632 m
+2513 7632 l
+3243 6476 3601 5370 x
+3960 4264 3960 3172 x
+3960 2071 3601 965 x
+3243 -140 2513 -1296 x
+1728 -1296 l
+2380 -160 2702 950 x
+3024 2062 3024 3172 x
+3024 4288 2702 5400 x
+2380 6511 1728 7632 x
+6048 fwd_x
+end_ol
+ } def
+/RBA { start_ol
+648 7272 m
+1656 7272 l
+1656 4320 l
+4320 4320 l
+4320 7272 l
+5328 7272 l
+5328 0 l
+4320 0 l
+4320 3528 l
+1656 3528 l
+1656 0 l
+648 0 l
+648 7272 l
+6048 fwd_x
+end_ol
+ } def
+/SBA { start_ol
+2232 7632 m
+4248 7632 l
+4248 6912 l
+3096 6912 l
+3096 -576 l
+4248 -576 l
+4248 -1296 l
+2232 -1296 l
+2232 7632 l
+6048 fwd_x
+end_ol
+ } def
+/TBA { start_ol
+3744 7632 m
+3744 -1296 l
+1728 -1296 l
+1728 -576 l
+2880 -576 l
+2880 6912 l
+1728 6912 l
+1728 7632 l
+3744 7632 l
+6048 fwd_x
+end_ol
+ } def
+/UBA { start_ol
+4392 7272 m
+4392 4536 l
+3528 4536 l
+3528 7272 l
+4392 7272 l
+2520 7272 m
+2520 4536 l
+1656 4536 l
+1656 7272 l
+2520 7272 l
+6048 fwd_x
+end_ol
+ } def
+/VBA { start_ol
+3384 1944 m
+2376 1944 l
+2376 2703 l
+2376 3186 2538 3523 x
+2700 3862 3145 4266 x
+3555 4704 l
+3826 4991 3928 5205 x
+4032 5419 4032 5657 x
+4032 6089 3713 6356 x
+3396 6624 2868 6624 x
+2489 6624 2057 6460 x
+1626 6297 1152 5976 x
+1152 6912 l
+1611 7166 2076 7291 x
+2543 7416 3052 7416 x
+3960 7416 4500 6949 x
+5040 6482 5040 5699 x
+5040 5330 4872 5011 x
+4705 4693 4236 4245 x
+3826 3821 l
+3541 3496 3462 3289 x
+3384 3082 3384 2782 x
+3384 2550 l
+3384 1944 l
+2376 1224 m
+3384 1224 l
+3384 0 l
+2376 0 l
+2376 1224 l
+6048 fwd_x
+end_ol
+ } def
+/WBA { start_ol
+3057 6401 m
+2012 2664 l
+4102 2664 l
+3057 6401 l
+2459 7272 m
+3660 7272 l
+5904 0 l
+4878 0 l
+4338 1872 l
+1771 1872 l
+1242 0 l
+216 0 l
+2459 7272 l
+6048 fwd_x
+end_ol
+ } def
+/XBA { start_ol
+4248 2520 m
+1800 2520 l
+1800 0 l
+936 0 l
+936 5472 l
+1800 5472 l
+1800 3240 l
+4248 3240 l
+4248 5472 l
+5112 5472 l
+5112 0 l
+4248 0 l
+4248 2520 l
+6048 fwd_x
+end_ol
+ } def
+/YBA { start_ol
+4896 720 m
+5472 720 l
+5472 -1368 l
+4608 -1368 l
+4608 0 l
+1368 0 l
+1368 -1368 l
+504 -1368 l
+504 720 l
+816 720 l
+1074 720 1148 1831 x
+1224 2944 1224 3433 x
+1224 5472 l
+4896 5472 l
+4896 720 l
+4032 720 m
+4032 4752 l
+2088 4752 l
+2088 3424 l
+2088 2932 1990 1717 x
+1950 1010 1917 929 x
+1883 848 1883 784 x
+1883 720 2048 720 x
+4032 720 l
+6048 fwd_x
+end_ol
+ } def
+/ZBA { start_ol
+1800 715 m
+1800 -2088 l
+936 -2088 l
+936 5472 l
+1800 5472 l
+1800 4756 l
+2026 5176 2401 5395 x
+2777 5616 3268 5616 x
+4266 5616 4833 4846 x
+5400 4078 5400 2716 x
+5400 1379 4829 617 x
+4260 -144 3268 -144 x
+2767 -144 2391 75 x
+2016 295 1800 715 x
+4464 2736 m
+4464 3769 4131 4296 x
+3798 4824 3142 4824 x
+2480 4824 2139 4294 x
+1800 3765 1800 2736 x
+1800 1711 2139 1179 x
+2480 648 3142 648 x
+3798 648 4131 1174 x
+4464 1702 4464 2736 x
+6048 fwd_x
+end_ol
+ } def
+/aBA { start_ol
+5400 2970 m
+5400 2520 l
+1479 2520 l
+1479 2491 l
+1479 1611 1948 1129 x
+2417 648 3272 648 x
+3704 648 4176 790 x
+4648 933 5184 1224 x
+5184 360 l
+4672 108 4197 -18 x
+3722 -144 3279 -144 x
+2008 -144 1291 622 x
+576 1389 576 2736 x
+576 4048 1278 4831 x
+1981 5616 3151 5616 x
+4195 5616 4797 4906 x
+5400 4197 5400 2970 x
+4536 3240 m
+4515 4015 4153 4419 x
+3792 4824 3114 4824 x
+2450 4824 2020 4402 x
+1591 3981 1512 3235 x
+4536 3240 l
+6048 fwd_x
+end_ol
+ } def
+/bBA { start_ol
+1512 7992 m
+2088 7992 l
+2143 7627 2382 7449 x
+2622 7272 3057 7272 x
+3481 7272 3721 7449 x
+3962 7627 4032 7992 x
+4608 7992 l
+4554 7310 4163 6967 x
+3773 6624 3057 6624 x
+2346 6624 1956 6967 x
+1566 7310 1512 7992 x
+4248 3952 m
+1800 0 l
+936 0 l
+936 5472 l
+1800 5472 l
+1800 1519 l
+4248 5472 l
+5112 5472 l
+5112 0 l
+4248 0 l
+4248 3952 l
+6048 fwd_x
+end_ol
+ } def
+/cBA { start_ol
+648 7272 m
+5328 7272 l
+5328 0 l
+4320 0 l
+4320 6480 l
+1656 6480 l
+1656 0 l
+648 0 l
+648 7272 l
+6048 fwd_x
+end_ol
+ } def
+/dBA { start_ol
+1296 5472 m
+5112 5472 l
+5112 0 l
+4248 0 l
+4248 4752 l
+2160 4752 l
+2160 3551 l
+2160 2625 2094 1883 x
+2030 1141 1667 570 x
+1303 0 408 0 x
+144 0 l
+144 720 l
+316 720 l
+732 720 961 1009 x
+1192 1298 1244 1983 x
+1296 2669 1296 3522 x
+1296 5472 l
+6048 fwd_x
+end_ol
+ } def
+/eBA { start_ol
+3452 2736 m
+3145 2736 l
+2333 2736 1922 2457 x
+1512 2179 1512 1626 x
+1512 1128 1819 851 x
+2127 576 2671 576 x
+3438 576 3876 1095 x
+4315 1616 4320 2533 x
+4320 2736 l
+3452 2736 l
+5184 3116 m
+5184 0 l
+4320 0 l
+4320 778 l
+4027 304 3584 79 x
+3141 -144 2506 -144 x
+1659 -144 1153 327 x
+648 799 648 1591 x
+648 2507 1264 2981 x
+1881 3456 3074 3456 x
+4320 3456 l
+4320 3596 l
+4315 4241 3985 4532 x
+3656 4824 2934 4824 x
+2471 4824 1999 4695 x
+1527 4567 1080 4320 x
+1080 5184 l
+1576 5400 2030 5508 x
+2485 5616 2912 5616 x
+3588 5616 4068 5413 x
+4547 5212 4843 4809 x
+5028 4563 5106 4200 x
+5184 3839 5184 3116 x
+6048 fwd_x
+end_ol
+ } def
+/fBA { start_ol
+3528 4752 m
+3528 0 l
+2664 0 l
+2664 4752 l
+1152 4752 l
+1152 5472 l
+5040 5472 l
+5040 4752 l
+3528 4752 l
+6048 fwd_x
+end_ol
+ } def
+/gBA { start_ol
+2985 4824 m
+2295 4824 1939 4296 x
+1584 3769 1584 2736 x
+1584 1706 1939 1176 x
+2295 648 2985 648 x
+3681 648 4036 1176 x
+4392 1706 4392 2736 x
+4392 3769 4036 4296 x
+3681 4824 2985 4824 x
+2985 5616 m
+4123 5616 4725 4875 x
+5328 4136 5328 2736 x
+5328 1329 4727 592 x
+4127 -144 2985 -144 x
+1848 -144 1247 592 x
+648 1329 648 2736 x
+648 4136 1247 4875 x
+1848 5616 2985 5616 x
+6048 fwd_x
+end_ol
+ } def
+/hBA { start_ol
+3697 7992 m
+4680 7992 l
+3067 6120 l
+2304 6120 l
+3697 7992 l
+0 fwd_x
+end_ol
+ } def
+/iBA { start_ol
+1800 2520 m
+1800 720 l
+2986 720 l
+3458 720 3709 995 x
+3960 1272 3960 1667 x
+3960 2056 3748 2288 x
+3538 2520 3007 2520 x
+1800 2520 l
+1800 4752 m
+1800 3240 l
+2916 3240 l
+3332 3240 3538 3450 x
+3744 3661 3744 3993 x
+3744 4325 3538 4538 x
+3332 4752 2911 4752 x
+1800 4752 l
+936 5472 m
+2874 5472 l
+3703 5472 4191 5095 x
+4680 4718 4680 4170 x
+4680 3628 4447 3312 x
+4215 2997 3731 2928 x
+4381 2806 4638 2475 x
+4896 2143 4896 1571 x
+4896 820 4387 409 x
+3880 0 2943 0 x
+936 0 l
+936 5472 l
+6048 fwd_x
+end_ol
+ } def
+/jBA { start_ol
+2719 4462 m
+4711 1734 l
+4914 1973 5013 2338 x
+5112 2705 5112 3213 x
+5112 3368 5096 3710 x
+5090 3744 l
+5904 3744 l
+5904 3553 l
+5904 2768 5720 2175 x
+5537 1584 5166 1155 x
+5976 0 l
+4924 0 l
+4539 564 l
+4135 204 3682 30 x
+3229 -144 2713 -144 x
+1661 -144 974 517 x
+288 1180 288 2183 x
+288 2858 632 3434 x
+977 4010 1672 4502 x
+1407 4848 1279 5180 x
+1152 5513 1152 5855 x
+1152 6577 1634 6996 x
+2117 7416 2957 7416 x
+3272 7416 3589 7360 x
+3908 7305 4248 7200 x
+4248 6336 l
+3972 6483 3679 6553 x
+3387 6624 3065 6624 x
+2611 6624 2349 6409 x
+2088 6195 2088 5833 x
+2088 5555 2223 5251 x
+2359 4947 2719 4462 x
+2107 3954 m
+1662 3598 1443 3200 x
+1224 2803 1224 2354 x
+1224 1618 1695 1132 x
+2167 648 2899 648 x
+3097 648 3314 706 x
+3531 765 3739 877 x
+3866 950 3948 1006 x
+4032 1063 4107 1126 x
+2107 3954 l
+6048 fwd_x
+end_ol
+ } def
+/kBA { start_ol
+3528 6373 m
+1278 2520 l
+3528 2520 l
+3528 6373 l
+3404 7272 m
+4536 7272 l
+4536 2520 l
+5544 2520 l
+5544 1728 l
+4536 1728 l
+4536 0 l
+3528 0 l
+3528 1728 l
+504 1728 l
+504 2659 l
+3404 7272 l
+6048 fwd_x
+end_ol
+ } def
+/lBA { start_ol
+1584 2736 m
+1584 1702 1918 1174 x
+2252 648 2911 648 x
+3569 648 3908 1176 x
+4248 1706 4248 2736 x
+4248 3765 3908 4294 x
+3569 4824 2911 4824 x
+2252 4824 1918 4296 x
+1584 3769 1584 2736 x
+4248 725 m
+4027 306 3651 81 x
+3276 -144 2779 -144 x
+1792 -144 1219 617 x
+648 1379 648 2716 x
+648 4078 1217 4846 x
+1787 5616 2779 5616 x
+3270 5616 3646 5395 x
+4021 5176 4248 4756 x
+4248 5472 l
+5112 5472 l
+5112 -2088 l
+4248 -2088 l
+4248 725 l
+6048 fwd_x
+end_ol
+ } def
+/mBA { start_ol
+3384 5760 m
+3384 3600 l
+5544 3600 l
+5544 2736 l
+3384 2736 l
+3384 576 l
+2592 576 l
+2592 2736 l
+432 2736 l
+432 3600 l
+2592 3600 l
+2592 5760 l
+3384 5760 l
+6048 fwd_x
+end_ol
+ } def
+/nBA { start_ol
+6048 -1656 m
+6048 -2376 l
+0 -2376 l
+0 -1656 l
+6048 -1656 l
+6048 fwd_x
+end_ol
+ } def
+/oBA { start_ol
+3021 828 m
+4738 7272 l
+5760 7272 l
+3622 0 l
+2425 0 l
+288 7272 l
+1309 7272 l
+3021 828 l
+6048 fwd_x
+end_ol
+ } def
+/pBA { start_ol
+4896 7128 m
+4896 6192 l
+4578 6402 4221 6512 x
+3863 6624 3476 6624 x
+2508 6624 2010 5906 x
+1512 5189 1512 3794 x
+1750 4291 2173 4557 x
+2597 4824 3144 4824 x
+4219 4824 4809 4176 x
+5400 3528 5400 2340 x
+5400 1156 4800 506 x
+4200 -144 3115 -144 x
+1837 -144 1242 766 x
+648 1676 648 3633 x
+648 5478 1368 6447 x
+2089 7416 3454 7416 x
+3821 7416 4187 7341 x
+4554 7267 4896 7128 x
+3076 4032 m
+2449 4032 2088 3582 x
+1728 3133 1728 2340 x
+1728 1546 2088 1096 x
+2449 648 3076 648 x
+3729 648 4060 1075 x
+4392 1504 4392 2340 x
+4392 3181 4060 3606 x
+3729 4032 3076 4032 x
+6048 fwd_x
+end_ol
+ } def
+/qBA { start_ol
+648 7272 m
+1656 7272 l
+1656 4037 l
+4739 7272 l
+5897 7272 l
+3058 4300 l
+5980 0 l
+4788 0 l
+2408 3642 l
+1656 2844 l
+1656 0 l
+648 0 l
+648 7272 l
+6048 fwd_x
+end_ol
+ } def
+/rBA { start_ol
+3384 1545 m
+3384 1165 3641 906 x
+3899 648 4281 648 x
+4659 648 4921 909 x
+5184 1170 5184 1545 x
+5184 1921 4918 2184 x
+4654 2448 4281 2448 x
+3899 2448 3641 2189 x
+3384 1930 3384 1545 x
+2736 1545 m
+2736 2199 3181 2647 x
+3627 3096 4277 3096 x
+4586 3096 4864 2979 x
+5143 2863 5367 2640 x
+5590 2413 5710 2131 x
+5832 1850 5832 1545 x
+5832 901 5380 450 x
+4930 0 4277 0 x
+3618 0 3177 443 x
+2736 886 2736 1545 x
+565 2257 m
+398 2721 l
+5491 4785 l
+5685 4320 l
+565 2257 l
+792 5436 m
+792 5050 1047 4792 x
+1303 4536 1689 4536 x
+2065 4536 2328 4797 x
+2592 5059 2592 5436 x
+2592 5812 2328 6073 x
+2065 6336 1689 6336 x
+1314 6336 1053 6076 x
+792 5817 792 5436 x
+144 5433 m
+144 6087 589 6535 x
+1035 6984 1689 6984 x
+1999 6984 2282 6867 x
+2566 6751 2784 6532 x
+3002 6315 3120 6032 x
+3240 5748 3240 5433 x
+3240 4784 2788 4335 x
+2338 3888 1689 3888 x
+1035 3888 589 4333 x
+144 4779 144 5433 x
+6048 fwd_x
+end_ol
+ } def
+/sBA { start_ol
+3456 7632 m
+3456 -2376 l
+2592 -2376 l
+2592 7632 l
+3456 7632 l
+6048 fwd_x
+end_ol
+ } def
+/tBA { start_ol
+3322 7128 m
+2814 5112 l
+4008 5112 l
+4520 7128 l
+5298 7128 l
+4788 5112 l
+5976 5112 l
+5976 4392 l
+4606 4392 l
+4198 2736 l
+5415 2736 l
+5415 2016 l
+4008 2016 l
+3502 0 l
+2722 0 l
+3234 2016 l
+2036 2016 l
+1524 0 l
+750 0 l
+1256 2016 l
+0 2016 l
+0 2736 l
+1446 2736 l
+1855 4392 l
+560 4392 l
+560 5112 l
+2036 5112 l
+2542 7128 l
+3322 7128 l
+3828 4392 m
+2634 4392 l
+2225 2736 l
+3423 2736 l
+3828 4392 l
+6048 fwd_x
+end_ol
+ } def
+/uBA { start_ol
+1512 7272 m
+5328 -936 l
+4320 -936 l
+504 7272 l
+1512 7272 l
+6048 fwd_x
+end_ol
+ } def
+/vBA { start_ol
+3384 2819 m
+3384 720 l
+3958 734 4282 1014 x
+4608 1296 4608 1779 x
+4608 2228 4314 2477 x
+4021 2727 3384 2819 x
+2880 3759 m
+2880 5771 l
+2371 5752 2085 5478 x
+1800 5206 1800 4748 x
+1800 4330 2065 4086 x
+2332 3843 2880 3759 x
+3384 -1440 m
+2880 -1440 l
+2875 0 l
+2381 23 1895 131 x
+1409 239 936 432 x
+936 1296 l
+1419 1011 1910 859 x
+2400 707 2880 698 x
+2880 2918 l
+1912 3071 1424 3520 x
+936 3970 936 4711 x
+936 5486 1445 5949 x
+1956 6411 2880 6480 x
+2880 7632 l
+3384 7632 l
+3388 6480 l
+3773 6456 4165 6385 x
+4559 6314 4968 6192 x
+4968 5328 l
+4555 5526 4163 5634 x
+3773 5742 3384 5760 x
+3384 3660 l
+4403 3508 4937 3035 x
+5472 2562 5472 1810 x
+5472 1058 4894 555 x
+4318 52 3388 9 x
+3384 -1440 l
+6048 fwd_x
+end_ol
+ } def
+/wBA { start_ol
+5040 2666 m
+5040 3287 4746 3659 x
+4452 4032 3962 4032 x
+3471 4032 3175 3659 x
+2880 3287 2880 2666 x
+2880 2040 3175 1668 x
+3471 1296 3962 1296 x
+4452 1296 4746 1668 x
+5040 2040 5040 2666 x
+5760 648 m
+5040 648 l
+5040 1222 l
+4864 911 4552 743 x
+4242 576 3853 576 x
+3089 576 2588 1163 x
+2088 1751 2088 2664 x
+2088 3576 2588 4163 x
+3089 4752 3853 4752 x
+4233 4752 4550 4578 x
+4869 4406 5040 4106 x
+5040 4416 l
+5040 5185 4619 5652 x
+4198 6120 3504 6120 x
+2327 6120 1631 5184 x
+936 4248 936 2650 x
+936 1041 1725 88 x
+2516 -864 3829 -864 x
+4088 -864 4345 -811 x
+4604 -758 4878 -648 x
+5086 -1337 l
+4781 -1463 4483 -1523 x
+4185 -1584 3903 -1584 x
+2174 -1584 1158 -438 x
+144 706 144 2652 x
+144 4569 1060 5704 x
+1978 6840 3520 6840 x
+4540 6840 5150 6179 x
+5760 5519 5760 4406 x
+5760 648 l
+6048 fwd_x
+end_ol
+ } def
+/xBA { start_ol
+3457 7272 m
+5688 4536 l
+4817 4536 l
+3021 6476 l
+1230 4536 l
+360 4536 l
+2590 7272 l
+3457 7272 l
+6048 fwd_x
+end_ol
+ } def
+/yBA { start_ol
+5256 6066 m
+3485 5112 l
+5256 4153 l
+4973 3672 l
+3312 4669 l
+3312 2808 l
+2736 2808 l
+2736 4669 l
+1074 3672 l
+792 4153 l
+2562 5112 l
+792 6066 l
+1074 6552 l
+2736 5554 l
+2736 7416 l
+3312 7416 l
+3312 5554 l
+4973 6552 l
+5256 6066 l
+6048 fwd_x
+end_ol
+ } def
+/zBA { start_ol
+4896 -864 m
+4896 -1584 l
+4583 -1584 l
+3397 -1584 2994 -1221 x
+2592 -859 2592 221 x
+2592 1348 l
+2592 2092 2329 2378 x
+2068 2664 1383 2664 x
+1080 2664 l
+1080 3384 l
+1383 3384 l
+2073 3384 2332 3659 x
+2592 3936 2592 4662 x
+2592 5823 l
+2592 6909 2994 7270 x
+3397 7632 4583 7632 x
+4896 7632 l
+4896 6912 l
+4554 6912 l
+3871 6912 3663 6701 x
+3456 6491 3456 5803 x
+3456 4603 l
+3456 3837 3244 3489 x
+3034 3143 2523 3021 x
+3038 2890 3246 2543 x
+3456 2198 3456 1437 x
+3456 240 l
+3456 -448 3663 -655 x
+3871 -864 4554 -864 x
+4896 -864 l
+6048 fwd_x
+end_ol
+ } def
+/ACA { start_ol
+1080 -864 m
+1411 -864 l
+2100 -864 2309 -651 x
+2520 -439 2520 240 x
+2520 1437 l
+2520 2198 2731 2543 x
+2944 2890 3466 3021 x
+2948 3143 2733 3489 x
+2520 3837 2520 4603 x
+2520 5803 l
+2520 6485 2309 6698 x
+2100 6912 1411 6912 x
+1080 6912 l
+1080 7632 l
+1382 7632 l
+2577 7632 2980 7270 x
+3384 6909 3384 5823 x
+3384 4662 l
+3384 3936 3642 3659 x
+3902 3384 4585 3384 x
+4896 3384 l
+4896 2664 l
+4585 2664 l
+3902 2664 3642 2378 x
+3384 2092 3384 1348 x
+3384 221 l
+3384 -859 2980 -1221 x
+2577 -1584 1382 -1584 x
+1080 -1584 l
+1080 -864 l
+6048 fwd_x
+end_ol
+ } def
+/BCA { start_ol
+432 7272 m
+1487 7272 l
+3081 4529 l
+4704 7272 l
+5760 7272 l
+3586 3853 l
+5904 0 l
+4861 0 l
+3081 3132 l
+1141 0 l
+72 0 l
+2532 3853 l
+432 7272 l
+6048 fwd_x
+end_ol
+ } def
+/CCA { start_ol
+2520 7272 m
+3528 7272 l
+3528 4056 l
+3423 2304 l
+2624 2304 l
+2520 4056 l
+2520 7272 l
+2520 1224 m
+3528 1224 l
+3528 0 l
+2520 0 l
+2520 1224 l
+6048 fwd_x
+end_ol
+ } def
+end end
+%%EndPrologue
+%%EndPrologue
+%%Page: 1 1
+paps_bop
+()paps_exec
+(+  144864  781672BAACAADAAEAAFAACAA+  187200  781672GAAHAAIAAJAA+  217440  781672BAACAAFAAKAACAAFAALAA+  265824  781672MAANAAHAAOAAPAANAAQAARAA+  320256  781672SAATAASAA+  344448  781672NAAQAAUAA+  368640  781672BAAVAAMAAWAAMAAXAA)paps_exec
+()paps_exec
+(+   54144  758344BAAEAAYAAYAAZAAFAAJAA+  102528  758344aAAZAAFAA+  126720  758344CAAQAADAAFAAbAAYAAJAAHAAZAAQAA+  193248  758344NAAQAAUAA+  217440  758344NAAEAAJAAcAACAAQAAJAAHAADAANAAJAAHAAZAAQAA+  308160  758344aAAZAAFAA+  332352  758344JAAcAACAA+  356544  758344TAAdAAeAA+  380736  758344PAANAAHAAOAAHAAQAAfAA+  429120  758344OAAHAAIAAJAA+  459360  758344IAAZAAaAAJAAgAANAAFAACAA)paps_exec
+()paps_exec
+(+  265824  735016hAAbAA)paps_exec
+()paps_exec
+(+  229536  711688iAAZAAZAAIAAJAA+  265824  711688KAANAAQAA+  290016  711688jAANAANAAOAA)paps_exec
+()paps_exec
+(+  223488  688360iAANAAQAAEAANAAFAAHAA+  271872  688360kAAlAARAA+  296064  688360lAAmAAmAAnAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  653368oAAhAAZAAEAAJAA+   72288  653368JAAcAAHAAIAA+  102528  653368UAAZAADAAEAAPAACAAQAAJAA)paps_exec
+(+   36000  641704pAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  618376qAAcAAHAAIAA+   66240  618376UAAZAADAAEAAPAACAAQAAJAA+  120672  618376HAAIAA+  138816  618376YAAEAAhAAOAAHAAIAAcAACAAUAA+  199296  618376ZAAQAA)paps_exec
+(+   36000  606712cAAJAAJAAYAALAAVAAVAAQAAZAAQAArAAfAAQAAEAAsAAEAAKAAJAAsAAQAAOAAVAAPAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAAVAAYAAfAAYAArAAIAAPAAHAAPAACAAVAAJAANAAOAAtAAVAAsAA)paps_exec
+()paps_exec
+(+   36000  583384uAAZAAYAAbAAFAAHAAfAAcAAJAA+   96480  583384NAAQAAUAA+  120672  583384OAAHAADAACAAQAAIAACAA)paps_exec
+(+   36000  571720rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  560056uAAZAAYAAbAAFAAHAAfAAcAAJAA+   96480  560056vAA+  108576  560056lAAmAAmAAnAA+  138816  560056iAAZAAZAAIAAJAA+  175104  560056KAANAAQAA+  199296  560056jAANAANAAOAARAA+  235584  560056NAAUAA+  253728  560056kAAwAAkAAmAA+  283968  560056xAAyAAZAAZAAIAAJAAKAAhAArAAPAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAAVAANAAVAAPAAUAADAADAAsAADAAzAAABA)paps_exec
+()paps_exec
+(+   36000  536728qAAcAAHAAIAA+   66240  536728UAAZAADAAEAAPAACAAQAAJAA+  120672  536728HAAIAA+  138816  536728aAAFAACAACAABBA+  175104  536728bAAZAAEAA+  199296  536728DAANAAQAA+  223488  536728FAACAAUAAHAAIAAJAAFAAHAAhAAEAAJAACAA+  302112  536728HAAJAA+  320256  536728NAAQAAUAAVAAZAAFAA+  362592  536728PAAZAAUAAHAAaAAbAA+  404928  536728HAAJAA+  423072  536728EAAQAAUAACAAFAA+  459360  536728JAAcAACAA+  483552  536728JAACAAFAAPAAIAA)paps_exec
+(+   36000  525064ZAAaAA+   54144  525064JAAcAACAA+   78336  525064TAAdAAeAA+  102528  525064TAASAAGAARAA+  132768  525064CAAHAAJAAcAACAAFAA+  175104  525064KAACAAFAAIAAHAAZAAQAA+  223488  525064CBA+  235584  525064ZAAFAA+  253728  525064NAAQAAbAA+  277920  525064OAANAAJAACAAFAA+  314208  525064ZAAQAACAARAA+  344448  525064IAACAACAA)paps_exec
+(+   36000  513400cAAJAAJAAYAALAAVAAVAAgAAgAAgAAsAAfAAQAAEAAsAAZAAFAAfAAVAADAAZAAYAAbAAOAACAAaAAJAAVAAfAAYAAOAAsAAcAAJAAPAAOAA+  259776  513400sAA+  277920  513400qAAcAACAAFAACAA+  314208  513400HAAIAA+  332352  513400dAADBA+  350496  513400EBAoAAFBAFBAoAAdAAqAAGBAsAA)paps_exec
+()paps_exec
+(+   36000  490072FBACAAKAAHAAIAAHAAZAAQAA+   90432  490072DAAZAAQAAJAAFAAZAAOAA)paps_exec
+(+   36000  478408rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  466744MAANAAHAAQAAJAANAAHAAQAACAAUAA+  102528  466744NAAJAA+  120672  466744cAAJAAJAAYAALAAVAAVAAhAANAAHBANAANAAFAAsAAOAANAAEAAQAADAAcAAYAANAAUAAsAAQAACAAJAAVAAIBAyAAZAAZAAIAAJAAKAAhAAVAAPAANAAHAAOAAPAANAAQAAVAAlAAsAAkAArAAYAAfAAYAArAAIAAPAAHAAPAACAAVAAaAAHAAOAACAAIAA)paps_exec
+()paps_exec
+(+   36000  443416oAAhAAZAAEAAJAA+   72288  443416JAAcAACAA+   96480  443416NAAEAAJAAcAAZAAFAA)paps_exec
+(+   36000  431752rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  420088iAAZAAZAAIAAJAA+   72288  420088KAANAAQAA+   96480  420088jAANAANAAOAA+  126720  420088HAAIAA+  144864  420088cAANAADAAtAAHAAQAAfAA+  193248  420088ZAAQAA+  211392  420088MAANAAHAAOAAPAANAAQAA+  259776  420088IAAHAAQAADAACAA+  296064  420088lAAmAAmAAJBAsAA+  338400  420088KBACAAhAAHAANAAQAA+  380736  420088UAACAAKAACAAOAAZAAYAACAAFAA+  441216  420088IAAHAAQAADAACAA+  477504  420088lAAmAAmAAmAAsAA)paps_exec
+(+   36000  408424EBAZAAFAAtAAHAAQAAfAA+   84384  408424ZAAQAA+  102528  408424GAAHAAFAACAARAA+  138816  408424GAAZAAfAAFBACAAYAAZAAFAAJAALBAIAA+  211392  408424OAAZAAfAA+  235584  408424NAAQAANAAOAAbAAHBACAAFAARAA+  296064  408424IAAHAAQAADAACAA+  332352  408424lAAmAAmAAmAAsAA+  374688  408424MBAFAACAACAA+  404928  408424IAAZAAaAAJAAgAANAAFAACAA+  459360  408424NAAUAAKAAZAADAANAAJAACAA)paps_exec
+(+   36000  396760IAAHAAQAADAACAA+   72288  396760lAAmAAmAAkAAsAA+  114624  396760SAAEAAfAAHAAOAAHAAIAAJAA+  169056  396760IAAHAAQAADAACAA+  205344  396760lAAmAAmAANBA+  235584  396760NAAQAAUAA+  259776  396760NAADAAJAAHAAKAACAA+  302112  396760NAAIAA+  320256  396760NAA+  332352  396760KBAiAA+  350496  396760IAAHAAQAADAACAA+  386784  396760kAAnAAnAAJBAsAA+  429120  396760DBAgAAQAACAAFAA+  465408  396760ZAAaAA+  483552  396760NAAUAA)paps_exec
+(+   36000  385096kAAwAAkAAmAA+   66240  385096IAAHAAQAADAACAA+  102528  385096lAAmAAmAAwAAsAA+  144864  385096iAAZAAZAAIAAJAA+  181152  385096gAAZAAFAAtAAIAA+  217440  385096NAAQAAUAA+  241632  385096OAAHAAKAACAAIAA+  277920  385096HAAQAA+  296064  385096XAAHAAQAAUAAcAAZAAKAACAAQAARAA+  362592  385096qAAcAACAA+  386784  385096dAACAAJAAcAACAAFAAOAANAAQAAUAAIAAsAA+  471456  385096BAACAACAA)paps_exec
+(+   36000  373432cAAJAAJAAYAALAAVAAVAAPAAUAADAADAAsAADAAzAAVAAsAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  338440MAAZAAJAAJAAZAA)paps_exec
+(+   36000  326776pAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  303448eAAIAACAAFAAIAA+   72288  303448NAAQAAUAA+   96480  303448ZAAJAAcAACAAFAA+  132768  303448OBAOBAIAAZAAaAAJAALBALBA+  187200  303448aAANAADAAJAAZAAFAAIAA+  235584  303448PBACAADAAZAAQAAZAAPAAbAARAA+  296064  303448YAAIAAbAADAAcAAZAAOAAZAAfAAbAARAA+  368640  303448IAAZAADAAHAAZAAOAAZAAfAAbAAQBA+  435168  303448NAAFAACAA+  459360  303448JAAcAACAA)paps_exec
+(+   36000  291784FAACAANAAIAAZAAQAAIAA+   84384  291784gAAcAAbAA+  108576  291784IAACAADAAEAAFAAHAAJAAbAA+  163008  291784ZAAaAAJAACAAQAA+  199296  291784aAANAAHAAOAAIAABBA+  241632  291784QAAZAAJAA+  265824  291784CAAFAAFAAZAAFAAIAA+  308160  291784HAAQAA+  326304  291784OAAZAAfAAHAADAA+  362592  291784ZAAFAA+  380736  291784HAAQAA+  398880  291784JAAcAACAA+  423072  291784NAAYAAYAAOAAHAADAANAAJAAHAAZAAQAA+  495648  291784ZAAaAA)paps_exec
+(+   36000  280120PAANAAJAAcAACAAPAANAAJAAHAADAAIAAsAA+  302112  280120rAArAAoAAUAANAAPAA+  344448  280120BAAcAAZAAIAAJAANAADAAtAA+  398880  280120NAAQAAUAA+  423072  280120oAAQAAUAAFAACAAgAA+  465408  280120BAAJAACAAgAANAAFAAJAARAA)paps_exec
+(+  150912  268456OBAOBAqAAcAACAA+  187200  268456dAACAAgAA+  211392  268456BAADAAcAAZAAZAAOAA+  253728  268456ZAAaAA+  271872  268456WAAQAAaAAZAAFAAPAANAAJAAHAAZAAQAA+  344448  268456BAACAADAAEAAFAAHAAJAAbAALBALBARAA+  417024  268456SAACAANAAFAAIAAZAAQAA+  465408  268456eAABAAoAA+  489600  268456lAAmAAmAAwAA)paps_exec
+()paps_exec
+(+   36000  245128RBAHAAIAA+   60192  245128UAAHAAIAAPAAHAAIAAIAANAAOAA+  120672  245128QAAZAAJAAHAADAACAA+  163008  245128IAAJAANAAJAACAAUAA+  205344  245128JAAcAANAAJAA+  235584  245128cAACAA+  253728  245128gAANAAIAA+  277920  245128hAACAAHAAQAAfAA+  314208  245128FAACAAPAAZAAKAACAAUAA+  362592  245128aAAFAAZAAPAA+  392832  245128YAAFAAZAAUAAEAADAAJAAHAAZAAQAA+  459360  245128ZAAQAA)paps_exec
+(+   36000  233464NAADAADAAZAAEAAQAAJAA+   84384  233464ZAAaAA+  102528  233464NAA+  114624  233464IAAHAAJAAEAANAAJAAHAAZAAQAA+  175104  233464ZAAaAA+  193248  233464SBAsAAsAAsAATBA+  229536  233464JAAcAAZAAEAAfAAcAAJAAaAAEAAOAAQAACAAIAAIAA+  320256  233464NAAPAAHAAUAA+  350496  233464JAAcAACAA+  374688  233464fAACAAQAACAAFAANAAOAA+  423072  233464JAACAAPAAYAAZAA+  459360  233464ZAAaAA)paps_exec
+(+   36000  221800OAANAAhAAZAAEAAFAAsAA+   90432  221800UBAWAAaAA+  114624  221800gAACAA+  132768  221800NAAOAAOAA+  156960  221800gAAZAAEAAOAAUAA+  193248  221800IAAJAANAAFAAJAA+  229536  221800JAAcAAHAAQAAtAAHAAQAAfAARAA+  290016  221800gAAcAAZAA+  314208  221800gAAZAAEAAOAAUAA+  350496  221800fAACAAJAA+  374688  221800JAAcAACAA+  398880  221800gAAZAAFAAtAA+  429120  221800UAAZAAQAACAAVBAUBA)paps_exec
+(+  229536  210136rAArAAWBAXBAYBAZBAaBAbBA+  283968  210136cBAdBAeBAfBAgBAhBAXBAgBAiBARAA+  344448  210136OBAOBAqAAcAACAA+  380736  210136MBAZAAEAAQAAUAANAAJAAHAAZAAQAA+  447264  210136SAAHAAJAALBALBARAA+  489600  210136kAAnAACBAmAA)paps_exec
+(+   36000  198472PBABAACAACAA+   66240  198472NAAOAAIAAZAA+   96480  198472cAAJAAJAAYAALAAVAAVAAgAAgAAgAAsAAOAAHAAJAACAAQAADAAbAADAAsAADAAZAAPAAVAAYAAcAAYAAVAAIAAgAAZAAFAAtAAIAAsAAYAAcAAYAAVBAFAACAADAApAAJAAFAAEAACAAjBAeAAWAAKBApAAkAAkBAkBACBAJBAQBA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  163480WAAQAAJAAFAAZAAUAAEAADAAJAAHAAZAAQAA)paps_exec
+(+   36000  151816pAApAApAApAApAApAApAApAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  128488qAAcAACAA+   60192  128488BAACAADAAEAAFAACAA+  102528  128488GAAHAAIAAJAA+  132768  128488BAACAAFAAKAACAAFAARAA+  181152  128488PAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAARAA+  296064  128488HAAIAA+  314208  128488NAAQAA+  332352  128488CAAaAAaAAZAAFAAJAA+  374688  128488JAAZAA+  392832  128488NAAUAAUAA+  417024  128488IAAEAAYAAYAAZAAFAAJAA+  465408  128488aAAZAAFAA)paps_exec
+(+   36000  116824CAAQAADAAFAAbAAYAAJAAHAAZAAQAA+  102528  116824NAAQAAUAA+  126720  116824NAAEAAJAAcAACAAQAAJAAHAADAANAAJAAHAAZAAQAA+  217440  116824JAAZAA+  235584  116824MAANAAHAAOAAPAANAAQAARAA+  290016  116824CAAQAANAAhAAOAAHAAQAAfAA+  344448  116824fAAFAAZAAEAAYAAIAA+  386784  116824ZAAaAA+  404928  116824YAACAAZAAYAAOAACAA+  447264  116824JAAZAA+  465408  116824IAANAAaAACAAOAAbAA)paps_exec
+(+   36000  105160DAAZAAZAAYAACAAFAANAAJAACAA+   96480  105160NAAQAAUAA+  120672  105160DAAZAAPAAPAAEAAQAAHAADAANAAJAACAA+  193248  105160EAAIAAHAAQAAfAA+  229536  105160CAAPAANAAHAAOAAsAA+  277920  105160qAAcAACAA+  302112  105160YAAFAAZAAyAACAADAAJAA+  350496  105160DAAEAAFAAFAACAAQAAJAAOAAbAA+  410976  105160HAAIAA+  429120  105160PAANAAUAACAA+  459360  105160YAAZAAIAAIAAHAAhAAOAACAA)paps_exec
+(+   36000   93496hAAbAA+   54144   93496JAAcAACAA+   78336   93496dAAGAAQAACAAJAA+  114624   93496aAAZAAEAAQAAUAANAAJAAHAAZAAQAAsAA)paps_exec
+()paps_exec
+(+   36000   70168qAAcAAHAAIAA+   66240   70168NAAFAAJAAHAADAAOAACAA+  114624   70168gAAHAAOAAOAA+  144864   70168IAAJAANAAFAAJAA+  181152   70168gAAHAAJAAcAA+  211392   70168NAA+  223488   70168KAACAAFAAbAA+  253728   70168IAAcAAZAAFAAJAA+  290016   70168ZAAKAACAAFAAKAAHAACAAgAA+  344448   70168ZAAaAA+  362592   70168JAAcAACAA+  386784   70168cAAHAAIAAJAAZAAFAAbAA+  435168   70168ZAAaAA+  453312   70168MAANAAHAAOAAPAANAAQAA+  501696   70168NAAQAAUAA)paps_exec
+(+   36000   58504JAAcAACAA+   60192   58504PAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAA+  169056   58504YAAFAAZAAyAACAADAAJAAsAA+  229536   58504BAAZAAPAACAA+  259776   58504FAACAAPAANAAFAAtAAIAA+  308160   58504gAAHAAOAAOAA+  338400   58504hAACAA+  356544   58504PAANAAUAACAA+  386784   58504ZAAQAA+  404928   58504cAAZAAgAA+  429120   58504JAAZAA+  447264   58504HAAQAAIAAJAANAAOAAOAA+  495648   58504NAAQAAUAA)paps_exec
+(+   36000   46840DAAZAAQAAaAAHAAfAAEAAFAACAA+   96480   46840JAAcAACAA+  120672   46840IAAZAAaAAJAAgAANAAFAACAARAA+  181152   46840IAAZAA+  199296   46840JAAcAANAAJAA+  229536   46840ZAAQAACAA+  253728   46840DAANAAQAA+  277920   46840JAAFAAbAA+  302112   46840HAAJAAsAA+  332352   46840uAAEAAFAAFAACAAQAAJAAOAAbAA+  392832   46840IAAEAAYAAYAAZAAFAAJAACAAUAA+  453312   46840aAACAANAAJAAEAAFAACAAIAA)paps_exec
+paps_eop
+showpage
+%%Page: 2 2
+paps_bop
+(+   36000  793336gAAHAAOAAOAA+   66240  793336hAACAA+   84384  793336PAACAAQAAJAAHAAZAAQAACAAUAARAA+  150912  793336NAAIAA+  169056  793336gAACAAOAAOAA+  199296  793336NAAIAA+  217440  793336NAAQAA+  235584  793336ZAAKAACAAFAAKAAHAACAAgAA+  290016  793336ZAAaAA+  308160  793336UAACAAKAACAAOAAZAAYAAPAACAAQAAJAA+  380736  793336YAAOAANAAQAAIAAsAA+  429120  793336DBAQAACAA+  453312  793336gAAHAAOAAOAA+  483552  793336OAACAANAAFAAQAA)paps_exec
+(+   36000  781672cAAZAAgAA+   60192  781672JAAZAA+   78336  781672DAAZAAQAAJAAFAAHAAhAAEAAJAACAA+  144864  781672JAAZAA+  163008  781672JAAcAACAA+  187200  781672YAAFAAZAAyAACAADAAJAABBA+  241632  781672NAAQAA+  259776  781672ZAAKAACAAFAAKAAHAACAAgAA+  314208  781672ZAAaAA+  332352  781672JAAcAACAA+  356544  781672FAACAAKAAHAAIAAHAAZAAQAA+  410976  781672DAAZAAQAAJAAFAAZAAOAA+  459360  781672IAAbAAIAAJAACAAPAA)paps_exec
+(+   36000  770008EAAIAACAAUAA+   66240  770008gAAHAAOAAOAA+   96480  770008hAACAA+  114624  770008fAAHAAKAACAAQAAsAA+  163008  770008BAAZAAPAACAA+  193248  770008FAACAAPAANAAFAAtAAIAA+  241632  770008ZAAQAA+  259776  770008JAAcAACAA+  283968  770008aAAEAAJAAEAAFAACAA+  326304  770008ZAAaAA+  344448  770008JAAcAACAA+  368640  770008YAANAAJAADAAcAA+  404928  770008gAAHAAOAAOAA+  435168  770008hAACAA+  453312  770008PAANAAUAACAALAA+  489600  770008gAAHAAOAAOAA)paps_exec
+(+   36000  758344HAAJAA+   54144  758344hAACAA+   72288  758344IAAcAAHAAYAAYAACAAUAA+  120672  758344gAAHAAJAAcAA+  150912  758344MAANAAHAAOAAPAANAAQAA+  199296  758344HAAJAAIAACAAOAAaAAVBA)paps_exec
+()paps_exec
+(+   36000  735016qAAcAACAA+   60192  735016FAACAANAAUAACAAFAA+  102528  735016HAAIAA+  120672  735016NAAIAAIAAEAAPAACAAUAA+  169056  735016JAAZAA+  187200  735016cAANAAKAACAA+  217440  735016IAAZAAPAACAA+  247680  735016tAAQAAZAAgAAOAACAAUAAfAACAA+  308160  735016ZAAaAA+  326304  735016MAANAAHAAOAAPAANAAQAARAA+  380736  735016CAAsAAfAAsAA+  410976  735016hAAbAA+  429120  735016hAACAAHAAQAAfAA)paps_exec
+(+   36000  723352IAAEAAhAAIAADAAFAAHAAhAACAAUAA+  102528  723352JAAZAA+  120672  723352NAA+  132768  723352MAANAAHAAOAAPAANAAQAA+  181152  723352PAANAAQAANAAfAACAAUAA+  229536  723352OAAHAAIAAJAA+  259776  723352NAAQAAUAA+  283968  723352hAAbAA+  302112  723352NAAUAAPAAHAAQAAHAAIAAJAAFAANAAJAAHAAQAAfAA+  392832  723352IAAEAADAAcAA+  423072  723352NAA+  435168  723352OAAHAAIAAJAAsAA)paps_exec
+(+   36000  711688MBAEAAFAAJAAcAACAAFAAPAAZAAFAACAARAA+  114624  711688IAAZAAPAACAA+  144864  711688tAAQAAZAAgAAOAACAAUAAfAACAA+  205344  711688ZAAaAA+  223488  711688SAATAASAA+  247680  711688NAAQAAUAAVAAZAAFAA+  290016  711688BAAVAAMAAWAAMAAXAA+  332352  711688HAAIAA+  350496  711688NAAIAAIAAEAAPAACAAUAAsAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  676696TAAdAAeAA+   60192  676696MAANAAHAAOAAPAANAAQAA+  108576  676696NAAQAAUAA+  132768  676696ZAAJAAcAACAAFAA+  169056  676696PAANAAHAAOAAHAAQAAfAA+  217440  676696OAAHAAIAAJAA+  247680  676696IAAZAAaAAJAAgAANAAFAACAA)paps_exec
+(+   36000  665032pAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  641704TAAdAAeAA+   60192  641704MAANAAHAAOAAPAANAAQAA+  108576  641704HAAIAA+  126720  641704PAANAAHAAOAAHAAQAAfAA+  175104  641704OAAHAAIAAJAA+  205344  641704PAANAAQAANAAfAACAAPAACAAQAAJAA+  271872  641704IAAZAAaAAJAAgAANAAFAACAAsAA+  332352  641704WAAJAA+  350496  641704NAAOAAOAAZAAgAAIAA+  392832  641704bAAZAAEAA+  417024  641704JAAZAA+  435168  641704DAAFAACAANAAJAACAA+  477504  641704NAAQAAUAA)paps_exec
+(+   36000  630040PAANAAQAANAAfAACAA+   78336  630040CAAOAACAADAAJAAFAAZAAQAAHAADAA+  144864  630040PAANAAHAAOAA+  175104  630040PAANAAHAAOAAHAAQAAfAA+  223488  630040OAAHAAIAAJAAIAAsAA+  265824  630040WAAJAA+  283968  630040YAAFAAZAAKAAHAAUAACAAIAA+  338400  630040NAA+  350496  630040gAACAAhAA+  374688  630040aAAFAAZAAQAAJAArAACAAQAAUAA+  435168  630040aAAZAAFAA+  459360  630040CAANAAIAAbAA)paps_exec
+(+   36000  618376NAAUAAPAAHAAQAAHAAIAAJAAFAANAAJAAHAAZAAQAARAA+  132768  618376hAAZAAJAAcAA+  163008  618376aAAZAAFAA+  187200  618376OAAHAAIAAJAA+  217440  618376ZAAgAAQAACAAFAAIAA+  259776  618376NAAQAAUAA+  283968  618376OAAHAAIAAJAA+  314208  618376PAACAAPAAhAACAAFAAIAAsAA+  368640  618376WAAJAA+  386784  618376IAAEAAYAAYAAZAAFAAJAAIAA+  441216  618376UAAHAAfAACAAIAAJAAIAARAA)paps_exec
+(+   36000  606712NAAFAADAAcAAHAAKAAHAAQAAfAARAA+  102528  606712IAAYAANAAPAA+  132768  606712YAAFAAZAAJAACAADAAJAAHAAZAAQAARAA+  205344  606712hAAZAAEAAQAADAACAA+  247680  606712UAACAAJAACAADAAJAAHAAZAAQAARAA+  314208  606712eAAIAACAAQAACAAJAA+  356544  606712fAANAAJAACAAgAANAAbAAIAARAA+  417024  606712NAAQAAUAA+  441216  606712PAANAAQAAbAA+  471456  606712PAAZAAFAACAA)paps_exec
+(+   36000  595048aAACAANAAJAAEAAFAACAAIAAsAA+  102528  595048MAANAAHAAOAAPAANAAQAA+  150912  595048HAAIAA+  169056  595048OAAHAADAACAAQAAIAACAAUAA+  223488  595048EAAQAAUAACAAFAA+  259776  595048JAAcAACAA+  283968  595048TAAdAAeAA+  308160  595048TAASAAGAA+  332352  595048NAAQAAUAA+  356544  595048HAAIAA+  374688  595048gAAFAAHAAJAAJAACAAQAA+  423072  595048HAAQAA+  441216  595048SAAbAAJAAcAAZAAQAAsAA)paps_exec
+(+   36000  583384WAAIAA+   54144  583384HAAIAA+   72288  583384OAAHAAtAACAAOAAbAA+  114624  583384JAAcAACAA+  138816  583384PAAZAAIAAJAA+  169056  583384YAAZAAYAAEAAOAANAAFAA+  217440  583384DBAYAACAAQAA+  247680  583384BAAZAAEAAFAADAACAA+  290016  583384PAANAAHAAOAAHAAQAAfAA+  338400  583384OAAHAAIAAJAA+  368640  583384PAANAAQAANAAfAACAAFAAsAA)paps_exec
+()paps_exec
+(+   36000  560056DBAJAAcAACAAFAA+   72288  560056YAAZAAYAAEAAOAANAAFAA+  120672  560056PAANAAHAAOAAHAAQAAfAA+  169056  560056OAAHAAIAAJAA+  199296  560056PAANAAQAANAAfAACAAFAAIAA+  253728  560056NAAFAACAA+  277920  560056PBAQAANAAPAACAAIAA+  320256  560056ZAAaAA+  338400  560056YAANAADAAtAANAAfAACAAIAA+  392832  560056NAAKAANAAHAAOAANAAhAAOAACAA+  453312  560056gAAHAAJAAcAA)paps_exec
+(+   36000  548392KBACAAhAAHAANAAQAA+   78336  548392TAAdAAeAAVAAGAAHAAQAAEAAzAAQBALAA)paps_exec
+()paps_exec
+(+   36000  525064rAA+   48096  525064IAAbAAPAAYAANAA+   84384  525064PBAgAAFAAHAAJAAJAACAAQAA+  138816  525064HAAQAA+  156960  525064SAACAAFAAOAAQBA)paps_exec
+(+   36000  513400rAA+   48096  513400PAAOAAPAAPAAyAA+   84384  513400PBAFAACAAOAANAAJAAHAAKAACAAOAAbAA+  156960  513400QAACAAgAARAA+  187200  513400IAAJAAbAAOAACAAUAA+  229536  513400NAAaAAJAACAAFAA+  265824  513400JAAcAACAA+  290016  513400CAAHBAPAAOAAPAA+  326304  513400PAANAAHAAOAAHAAQAAfAA+  374688  513400OAAHAAIAAJAA+  404928  513400PAANAAQAANAAfAACAAFAAQBA)paps_exec
+(+   36000  501736rAA+   48096  501736IAAPAANAAFAAJAAOAAHAAIAAJAA+  108576  501736PBAhAANAAIAACAAUAA+  150912  501736EAAYAAZAAQAA+  181152  501736JAAcAACAA+  205344  501736YAAFAAZAADAAPAANAAHAAOAA+  259776  501736MAAKBAoAAQBA)paps_exec
+()paps_exec
+(+   36000  478408DBAJAAcAACAAFAA+   72288  478408NAAOAAJAACAAFAAQAANAAJAAHAAKAACAAIAA+  150912  478408NAAFAACAALAA)paps_exec
+()paps_exec
+(+   36000  455080rAA+   48096  455080PAAHAAQAAHAAPAANAAOAAHAAIAAJAA+  114624  455080PBAIAAPAANAAOAAOAA+  156960  455080NAAQAAUAA+  181152  455080CAANAAIAAbAARAA+  217440  455080QAAZAA+  235584  455080gAACAAhAA+  259776  455080EAAHAAQBA)paps_exec
+(+   36000  443416rAA+   48096  443416CAAQAACAAPAAHAACAAIAArAAZAAaAArAADAANAAFAAOAAZAAJAAJAANAA+  169056  443416PBANAAQAAZAAJAAcAACAAFAA+  223488  443416CAAHBAPAAOAAPAArAAOAAHAAtAACAA+  290016  443416ZAAQAACAARAA+  320256  443416QAACAAgAAQBA)paps_exec
+(+   36000  431752rAA+   48096  431752CAADAANAAFAAJAAHAAIAA+   96480  431752PBAJAAcAACAA+  126720  431752aAAFAACAACAA+  156960  431752OAAHAAIAAJAAIAACAAFAAKAAQBA)paps_exec
+(+   36000  420088rAA+   48096  420088DAAZAAEAAFAAHAACAAFAArAAPAAOAAPAA+  120672  420088PBAYAANAAFAAJAA+  156960  420088ZAAaAA+  175104  420088uAAZAAEAAFAAHAACAAFAA+  223488  420088PAANAAHAAOAA+  253728  420088aAAFAANAAPAACAAgAAZAAFAAtAAQBA)paps_exec
+()paps_exec
+(+   36000  396760BAACAACAA+   60192  396760cAAJAAJAAYAALAAVAAVAAYAAZAAYAADAAZAAQAAsAAUAACAAhAAHAANAAQAAsAAZAAFAAfAAVAA+  217440  396760aAAZAAFAA+  241632  396760NAA+  253728  396760DAAZAAPAAYAANAAFAAHAAIAAZAAQAA+  320256  396760ZAAaAA+  338400  396760JAAcAACAA+  362592  396760YAAZAAYAAEAAOAANAAFAAHAAJAAbAA+  429120  396760ZAAaAA+  447264  396760JAAcAACAAIAACAA)paps_exec
+(+   36000  385096YAANAADAAtAANAAfAACAAIAA+   90432  385096gAAHAAJAAcAAHAAQAAfAA+  138816  385096KBACAAhAAHAANAAQAAsAA)paps_exec
+()paps_exec
+(+   36000  361768BAACAACAA+   60192  361768JAAcAACAA+   84384  361768YAAHAADAAJAAEAAFAACAAIAA+  138816  361768YAAZAAYAADAAZAAQAAsAAYAAQAAfAARAA+  211392  361768FAACAAJAAFAACAAHAAKAACAAUAA+  271872  361768aAAFAAZAAPAA)paps_exec
+(+   36000  350104cAAJAAJAAYAALAAVAAVAAlBANAAsAAUAACAAhAAHAANAAQAAsAAZAAFAAfAAVAAYAAZAAYAADAAZAAQAArAAYAAQAAfAAsAAYAAcAAYAAVBAYAANAADAAtAANAAfAACAAIAApAAPAAHAAQAAHAAPAANAAOAAHAAIAAJAAmBAPAANAAHAAOAAPAANAAQAAmBAIAAPAANAAFAAJAAOAAHAAIAAJAAmBAIAAbAAPAAYAANAA)paps_exec
+(+   36000  338440mBADAAZAAEAAFAAHAACAAFAArAAPAAOAAPAAmBACAAQAACAAPAAHAACAAIAArAAZAAaAArAADAANAAFAAOAAZAAJAAJAANAAmBACAADAANAAFAAJAAHAAIAAmBACAAHBAPAAOAAPAArAAHAAUAAzAAmBAPAAOAAPAAPAAyAAjBAIAAcAAZAAgAAnBAHAAQAAIAAJAANAAOAAOAACAAUAApAAZAAQAA)paps_exec
+(+   36000  326776RAA+   48096  326776NAAIAA+   66240  326776gAACAAOAAOAA+   96480  326776NAAIAA+  114624  326776JAAcAACAA+  138816  326776YAAHAADAAJAAEAAFAACAA+  187200  326776YAAZAAYAADAAZAAQAArAAQAAZAAQAArAAPAANAAHAAOAAPAANAAQAAsAAYAAQAAfAAsAA)paps_exec
+()paps_exec
+(+   36000  303448SAAZAAYAAEAAOAANAAFAA+   84384  303448PAANAAHAAOAAHAAQAAfAA+  132768  303448OAAHAAIAAJAA+  163008  303448PAANAAQAANAAfAACAAFAAIAA+  217440  303448QAAZAAJAA+  241632  303448IAAcAAHAAYAAYAACAAUAA+  290016  303448gAAHAAJAAcAA+  320256  303448KBACAAhAAHAANAAQAA+  362592  303448NAAFAACAA)paps_exec
+()paps_exec
+(+   36000  280120rAA+   48096  280120CAAHBAPAAOAAPAArAAHAAUAAzAA+  108576  280120PBANAA+  126720  280120aAAZAAFAAtAA+  156960  280120ZAAaAA+  175104  280120JAAcAACAA+  199296  280120ZAAFAAHAAfAAHAAQAANAAOAA+  253728  280120CAAHBAPAAOAAPAAQBA)paps_exec
+(+   36000  268456rAA+   48096  268456YAAcAAYAAOAAHAAIAAJAA)paps_exec
+()paps_exec
+(+   36000  245128DBAJAAcAACAAFAA+   72288  245128ZAAQAACAAIAA+  102528  245128gAAZAAFAAJAAcAA+  138816  245128PAACAAQAAJAAHAAZAAQAAHAAQAAfAA+  205344  245128NAAFAACAALAA)paps_exec
+()paps_exec
+(+   36000  221800rAA+   48096  221800OAAHAAIAAJAAIAACAAFAAKAA+  102528  221800PBAQAAZAAJAA+  132768  221800DBAYAACAAQAA+  163008  221800BAAZAAEAAFAADAACAAQBA)paps_exec
+(+   36000  210136rAA+   48096  210136PAANAAyAAZAAFAAUAAZAAPAAZAA+  108576  210136PBAYAAZAAYAAEAAOAANAAFAA+  163008  210136HAAQAA+  181152  210136CAANAAFAAOAAbAA+  217440  210136kAAnAAnAAmAAHAACAAIAARAA+  271872  210136UAACAAKAACAAOAAZAAYAAPAACAAQAAJAA+  344448  210136IAAJAANAAOAAOAACAAUAA+  392832  210136IAAHAAQAADAACAA+  429120  210136lAAmAAmAAmAARAA+  465408  210136JAAcAACAA)paps_exec
+(+   54144  198472aAAHAAFAAIAAJAA+   90432  198472YAAZAAYAAEAAOAANAAFAA+  138816  198472PAANAAHAAOAAHAAQAAfAA+  187200  198472OAAHAAIAAJAA+  217440  198472IAAZAAaAAJAAgAANAAFAACAAQBA)paps_exec
+()paps_exec
+(+   36000  175144MAANAAHAAOAAPAANAAQAA+   84384  175144UAACAAKAACAAOAAZAAYAAPAACAAQAAJAA+  156960  175144gAANAAIAA+  181152  175144IAAJAANAAFAAJAACAAUAA+  229536  175144HAAQAA+  247680  175144JAAcAACAA+  271872  175144OAANAAJAACAA+  302112  175144kAAnAAnAAmAAHAACAAIAA+  350496  175144hAAbAA+  368640  175144iAAZAAcAAQAA+  398880  175144oBAHAACAAfAANAAsAA+  447264  175144qAAcAACAA+  471456  175144aAAHAAFAAIAAJAA)paps_exec
+(+   36000  163480FAACAAOAACAANAAIAACAA+   84384  163480gAANAAIAA+  108576  163480HAAQAA+  126720  163480kAAnAAnAApBAsAA+  169056  163480jAANAAFAAFAAbAA+  205344  163480EBANAAFAAIAANAAgAARAA+  253728  163480gAAcAAZAA+  277920  163480yAAZAAHAAQAACAAUAA+  320256  163480OAANAAJAACAA+  350496  163480kAAnAAnAAmAAHAACAAIAARAA+  404928  163480DAAEAAFAAFAACAAQAAJAAOAAbAA+  465408  163480OAACAANAAUAAIAA)paps_exec
+(+   36000  151816JAAcAACAA+   60192  151816UAACAAKAACAAOAAZAAYAAPAACAAQAAJAAsAA+  144864  151816MAANAAFAAtAA+  175104  151816BAANAAYAAHAAFAAZAA+  217440  151816DAAEAAFAAFAACAAQAAJAAOAAbAA+  277920  151816PAANAAHAAQAAJAANAAHAAQAAIAA+  338400  151816JAAcAACAA+  362592  151816IAAJAANAAhAAOAACAA+  404928  151816hAAFAANAAQAADAAcAACAAIAA+  459360  151816ZAAaAA+  477504  151816JAAcAACAA)paps_exec
+(+   36000  140152DAAZAAUAACAABBA+   72288  140152qAAZAAtAAHAAZAA+  108576  140152qBAHAAtAAEAADAAcAAHAA+  156960  140152HAAIAA+  175104  140152NAAQAAZAAJAAcAACAAFAA+  223488  140152ZAAQAACAA+  247680  140152ZAAaAA+  265824  140152JAAcAACAA+  290016  140152PAANAAHAAQAA+  320256  140152DAAZAAQAAJAAFAAHAAhAAEAAJAAZAAFAAIAAsAA+  410976  140152WAAQAA+  429120  140152JAAZAAJAANAAOAA+  465408  140152NAAhAAZAAEAAJAA+  501696  140152lAAmAA)paps_exec
+(+   36000  128488YAACAAZAAYAAOAACAA+   78336  128488cAANAAKAACAA+  108576  128488DAAZAAQAAJAAFAAHAAhAAEAAJAACAAUAA+  181152  128488IAAEAAhAAIAAJAANAAQAAJAAHAANAAOAAOAAbAA+  265824  128488JAAZAA+  283968  128488JAAcAACAA+  308160  128488DAAZAAUAACAAsAA+  350496  128488PBAoAAQAAUAA+  380736  128488HAAQAA+  398880  128488JAAZAAJAANAAOAA+  435168  128488NAAhAAZAAEAAJAA+  471456  128488lAAmAAmAA+  495648  128488fAACAAJAA)paps_exec
+(+   36000  116824CAAzAAYAAOAAHAADAAHAAJAAOAAbAA+  102528  116824JAAcAANAAQAAtAACAAUAA+  150912  116824aAAZAAFAA+  175104  116824JAAcAACAAHAAFAA+  211392  116824DAAZAAQAAJAAFAAHAAhAAEAAJAAHAAZAAQAAIAA+  296064  116824JAAZAA+  314208  116824JAAcAACAA+  338400  116824YAAFAAZAAyAACAADAAJAAsAAQBA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000   81832BAACAADAAEAAFAACAA+   78336   81832GAAHAAIAAJAA+  108576   81832BAACAAFAAKAACAAFAA)paps_exec
+(+   36000   70168pAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000   46840qAAcAACAA+   60192   46840BAACAADAAEAAFAACAA+  102528   46840GAAHAAIAAJAA+  132768   46840BAACAAFAAKAACAAFAARAA+  181152   46840PAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAARAA+  296064   46840HAAIAA+  314208   46840NAAQAA+  332352   46840NAAUAAUAAHAAJAAHAAZAAQAA+  386784   46840JAAZAA+  404928   46840MAANAAHAAOAAPAANAAQAARAA+  459360   46840CAAQAANAAhAAOAAHAAQAAfAA)paps_exec
+paps_eop
+showpage
+%%Page: 3 3
+paps_bop
+(+   36000  793336fAAFAAZAAEAAYAAIAA+   78336  793336ZAAaAA+   96480  793336YAACAAZAAYAAOAACAA+  138816  793336JAAZAA+  156960  793336IAANAAaAACAAOAAbAA+  199296  793336DAAZAAZAAYAACAAFAANAAJAACAA+  259776  793336NAAQAAUAA+  283968  793336DAAZAAPAAPAAEAAQAAHAADAANAAJAACAA+  356544  793336EAAIAAHAAQAAfAA+  392832  793336CAAPAANAAHAAOAAsAA+  441216  793336qAAcAACAA+  465408  793336YAANAAJAADAAcAA)paps_exec
+(+   36000  781672HAAQAADAAOAAEAAUAACAAIAA+   90432  781672IAAEAAYAAYAAZAAFAAJAA+  138816  781672aAAZAAFAA+  163008  781672hAAZAAJAAcAA+  193248  781672FBAMBAuAA+  217440  781672lAApBACBACBA+  247680  781672PBABAAVAAMAAWAAMAAXAAQBA+  302112  781672NAAQAAUAA+  326304  781672FBAMBAuAA+  350496  781672lAAkBAkBAmAA+  380736  781672PBADBAYAACAAQAASAATAASAAQBA+  441216  781672CAAPAANAAHAAOAA)paps_exec
+(+   36000  770008PAACAAIAAIAANAAfAACAAIAAsAA)paps_exec
+()paps_exec
+(+   36000  746680oAA+   48096  746680YAAZAAIAAJAA+   78336  746680JAAZAA+   96480  746680NAA+  108576  746680IAACAADAAEAAFAACAA+  150912  746680OAAHAAIAAJAA+  181152  746680gAAHAAOAAOAA+  211392  746680hAACAA+  229536  746680UAAHAAIAAJAAFAAHAAhAAEAAJAACAAUAA+  302112  746680ZAAQAAOAAbAA+  332352  746680HAAaAA+  350496  746680JAAcAACAA+  374688  746680SAATAASAA+  398880  746680PBAZAAFAA+  423072  746680BAAVAAMAAWAAMAAXAAQBA)paps_exec
+(+   36000  735016IAAHAAfAAQAANAAJAAEAAFAACAA+   96480  735016ZAAQAA+  114624  735016JAAcAACAA+  138816  735016YAAZAAIAAJAA+  169056  735016HAAIAA+  187200  735016aAAFAAZAAPAA+  217440  735016ZAAQAACAA+  241632  735016ZAAaAA+  259776  735016JAAcAACAA+  283968  735016OAAHAAIAAJAA+  314208  735016PAACAAPAAhAACAAFAAIAAsAA+  374688  735016MBAZAAFAA+  398880  735016IAACAAQAAUAAHAAQAAfAA+  447264  735016CAAQAADAAFAAbAAYAAJAACAAUAA)paps_exec
+(+   36000  723352CAAPAANAAHAAOAARAA+   78336  723352NAA+   90432  723352OAAHAAIAAJAA+  120672  723352PAACAAPAAhAACAAFAA+  163008  723352CAAQAADAAFAAbAAYAAJAAIAA+  217440  723352JAAZAA+  235584  723352JAAcAACAA+  259776  723352YAAEAAhAAOAAHAADAA+  302112  723352tAACAAbAA+  326304  723352ZAAaAA+  344448  723352JAAcAACAA+  368640  723352OAAHAAIAAJAAsAA+  410976  723352qAAcAACAA+  435168  723352YAAZAAIAAJAA+  465408  723352gAAHAAOAAOAA+  495648  723352hAACAA)paps_exec
+(+   36000  711688UAACAADAAFAAbAAYAAJAACAAUAA+   96480  711688NAAQAAUAA+  120672  711688FAACAArAACAAQAADAAFAAbAAYAAJAACAAUAA+  199296  711688JAAZAA+  217440  711688JAAcAACAA+  241632  711688YAAEAAhAAOAAHAADAA+  283968  711688tAACAAbAAIAA+  314208  711688ZAAaAA+  332352  711688NAAOAAOAA+  356544  711688OAAHAAIAAJAA+  386784  711688PAACAAPAAhAACAAFAAIAAsAA)paps_exec
+()paps_exec
+(+   36000  688360qAAcAACAA+   60192  688360PAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAA+  169056  688360YAAFAAZAAyAACAADAAJAA+  217440  688360cAANAAIAA+  241632  688360HAAJAAIAA+  265824  688360FAAZAAZAAJAAIAA+  302112  688360HAAQAA+  320256  688360gAAZAAFAAtAA+  350496  688360hAAbAA+  368640  688360BAAJAACAAaAANAAQAA+  410976  688360BAADAAcAAOAAZAAJAAJAARAA+  465408  688360YAAFAAZAAhAANAAhAAOAAbAA)paps_exec
+(+   36000  676696aAAFAAZAAPAA+   66240  676696lAAmAAmAAkBAsAA+  108576  676696WAAQAA+  126720  676696lAAmAAmAAJBARAA+  163008  676696JAAcAAHAAIAA+  193248  676696YAAFAAZAAyAACAADAAJAA+  241632  676696gAANAAIAA+  265824  676696tAAQAAZAAgAAQAA+  302112  676696NAAIAA+  320256  676696JAAcAACAA+  344448  676696BAAeAAFBAMBAQAACAAJAA+  392832  676696BAACAADAAEAAFAACAA+  435168  676696GAAHAAIAAJAA+  465408  676696BAACAAFAAKAACAAFAA)paps_exec
+(+   36000  665032PBAPAANAAHAAOAAPAANAAQAArAAIAAIAAOAAIAAQBAsAA+  132768  665032BAAeAAFBAMBAQAACAAJAA+  181152  665032NAAQAAUAA+  205344  665032qAAHAAOAAhAAEAAFAAfAA+  253728  665032eAAQAAHAAKAACAAFAAIAAHAAJAAbAA+  320256  665032PAANAAUAACAA+  350496  665032JAAcAACAA+  374688  665032YAAFAAZAAyAACAADAAJAA+  423072  665032YAAZAAIAAIAAHAAhAAOAACAAsAA+  483552  665032BAAHAAQAADAACAA)paps_exec
+(+   36000  653368lAAmAAmAAwAARAA+   72288  653368JAAcAACAA+   96480  653368YAAFAAZAAyAACAADAAJAA+  144864  653368HAAIAA+  163008  653368tAAQAAZAAgAAQAA+  199296  653368NAAIAA+  217440  653368BAACAADAAEAAFAACAA+  259776  653368GAAHAAIAAJAA+  290016  653368BAACAAFAAKAACAAFAA+  332352  653368PBAPAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAAQBA+  453312  653368NAAQAAUAA+  477504  653368PAANAAUAACAA)paps_exec
+(+   36000  641704YAAZAAIAAIAAHAAhAAOAACAA+   90432  641704hAAbAA+  108576  641704JAAcAACAA+  132768  641704dAAGAAQAACAAJAA+  169056  641704aAAZAAEAAQAAUAANAAJAAHAAZAAQAAsAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  606712WAAQAAIAAJAANAAOAAOAAHAAQAAfAA+  102528  606712PAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAA)paps_exec
+(+   36000  595048pAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  571720oAAIAA+   54144  571720ZAAaAA+   72288  571720lAAmAAmAAnAArAAmAAkAARAA+  126720  571720JAAcAACAA+  150912  571720PAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAA+  259776  571720IAAZAAaAAJAAgAANAAFAACAA+  314208  571720HAAIAA+  332352  571720ZAAaAAaAACAAFAACAAUAA+  380736  571720NAAIAA+  398880  571720NAA+  410976  571720YAANAAJAADAAcAA+  447264  571720ZAAQAAOAAbAAsAA)paps_exec
+(+   36000  560056PBABAAcAAHAAYAAYAAHAAQAAfAA+   96480  560056NAA+  108576  560056KBACAAhAAHAANAAQAA+  150912  560056NAAQAAUAA+  175104  560056FBASAAMAA+  199296  560056YAANAADAAtAANAAfAACAA+  247680  560056HAAIAA+  265824  560056YAAOAANAAQAAQAACAAUAAsAAQBA)paps_exec
+()paps_exec
+(+   36000  536728SAANAAJAADAAcAA+   72288  536728NAAQAAUAA+   96480  536728HAAQAAIAAJAANAAOAAOAA)paps_exec
+(+   36000  525064rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  513400MBAZAAFAA+   60192  513400HAAQAAIAAJAANAAOAAOAANAAJAAHAAZAAQAARAA+  144864  513400ZAAQAACAA+  169056  513400cAANAAIAA+  193248  513400JAAZAA+  211392  513400UAAZAAgAAQAAOAAZAANAAUAA)paps_exec
+(+   36000  501736hAAZAAJAAcAA+   66240  501736JAAcAACAA+   90432  501736ZAAFAAHAAfAAHAAQAANAAOAA+  144864  501736TAAdAAeAA+  169056  501736MAANAAHAAOAAPAANAAQAA+  217440  501736IAAZAAEAAFAADAACAA+  259776  501736JAANAAFAAhAANAAOAAOAA+  308160  501736NAAIAA+  326304  501736gAACAAOAAOAA+  356544  501736NAAIAA+  374688  501736JAAcAACAA+  398880  501736PAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAA)paps_exec
+(+   36000  490072YAANAAJAADAAcAAsAA+   84384  490072DBAQAADAACAA+  114624  490072JAAcAANAAJAALBAIAA+  156960  490072UAAZAAQAACAARAA+  193248  490072NAAYAAYAAOAAbAA+  229536  490072JAAcAACAA+  253728  490072YAANAAJAADAAcAALAA)paps_exec
+()paps_exec
+(+   36000  466744rBA+   48096  466744JAANAAFAA+   72288  466744HBAzAAaAA+   96480  466744PAANAAHAAOAAPAANAAQAArAAlAAsAAkAAsAAkAAkAAsAAJAAfAAHBA)paps_exec
+(+   36000  455080rBA+   48096  455080DAAUAA+   66240  455080PAANAAHAAOAAPAANAAQAArAAlAAsAAkAAsAAkAAkAA)paps_exec
+(+   36000  443416rBA+   48096  443416HBADAANAAJAA+   78336  443416sAAsAAVAAPAANAAHAAOAAPAANAAQAArAAlAAsAAkAAsAAkAAkAArAAYAAfAAYAArAAIAAPAAHAAPAACAAnBAlAAmAAmAAnAArAAmAAkAArAAmAAlAAsAAYAANAAJAADAAcAAsAAfAAHBA+  368640  443416sBA+  380736  443416YAANAAJAADAAcAA+  417024  443416rAAYAAkAA)paps_exec
+()paps_exec
+(+   36000  420088dAAZAAgAA+   60192  420088JAAcAANAAJAA+   90432  420088JAAcAACAA+  114624  420088MAANAAHAAOAAPAANAAQAA+  163008  420088IAAZAAaAAJAAgAANAAFAACAA+  217440  420088HAAIAA+  235584  420088YAANAAJAADAAcAACAAUAARAA+  290016  420088DAAZAAQAAJAAHAAQAAEAACAA+  344448  420088aAAZAAOAAOAAZAAgAAHAAQAAfAA+  404928  420088JAAcAACAA+  429120  420088HAAQAAIAAJAAFAAEAADAAJAAHAAZAAQAAIAA)paps_exec
+(+   36000  408424HAAQAA+   54144  408424JAAcAACAA+   78336  408424TAAdAAeAA+  102528  408424MAANAAHAAOAAPAANAAQAA+  150912  408424WAAQAAIAAJAANAAOAAOAANAAJAAHAAZAAQAA+  229536  408424MAANAAQAAEAANAAOAAsAA+  283968  408424PBAWAAQAADAAOAAEAAUAAHAAQAAfAA+  350496  408424IAAZAAPAACAAJAAcAAHAAQAAfAA+  410976  408424OAAHAAtAACAALAA)paps_exec
+()paps_exec
+(+   36000  385096tBA+   48096  385096NAAYAAJAAHAAJAAEAAUAACAA+  102528  385096HAAQAAIAAJAANAAOAAOAA+  150912  385096YAAbAAJAAcAAZAAQAArAAUAACAAKAA+  217440  385096NAAYAANAADAAcAACAAlAA)paps_exec
+()paps_exec
+(+   36000  361768tBA+   48096  361768PAAtAAUAAHAAFAA+   84384  361768VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAA)paps_exec
+(+   36000  350104tBA+   48096  350104DAAcAAfAAFAAYAA+   84384  350104OAAHAAIAAJAA+  114624  350104VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAA)paps_exec
+(+   36000  338440tBA+   48096  338440DAAcAAPAAZAAUAA+   84384  338440NAAmBAFAAzAARAAfAAmBAgAAIAA+  144864  338440VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAA)paps_exec
+()paps_exec
+(+   36000  315112tBA+   48096  315112IAAEAA+   66240  315112rAA+   78336  315112OAAHAAIAAJAA)paps_exec
+(+   36000  303448rBA+   48096  303448sAAVAADAAZAAQAAaAAHAAFAACAA+  108576  303448rAArAAYAAFAACAAaAAHAAzAApAAVAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAA+  241632  303448rAArAAgAAHAAJAAcAArAAfAAFAAZAAEAAYAAQAANAAPAACAApAAOAAHAAIAAJAA+  374688  303448rAArAAgAAHAAJAAcAArAAEAAIAACAAFAAQAANAAPAACAApAAOAAHAAIAAJAA)paps_exec
+(+   36000  291784rBA+   48096  291784PAANAAtAACAA)paps_exec
+(+   36000  280120rBA+   48096  280120PAANAAtAACAA+   78336  280120HAAQAAIAAJAANAAOAAOAA)paps_exec
+(+   36000  268456rBA+   48096  268456VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAAVAAhAAHAAQAAVAADAAcAACAADAAtAAnBAYAACAAFAAPAAIAA+  223488  268456rAAaAA)paps_exec
+()paps_exec
+(+   36000  245128uAAZAAQAAaAAHAAfAAEAAFAACAA+   96480  245128gAACAAhAAIAACAAFAAKAACAAFAARAA+  163008  245128MAAqAAoAA+  187200  245128NAAQAAUAA+  211392  245128MAANAAHAAOAAPAANAAQAA)paps_exec
+(+   36000  233464rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  221800uAAZAAQAAaAAHAAfAAEAAFAACAA+   96480  221800gAACAAhAAIAACAAFAAKAACAAFAAsAA+  169056  221800qAAcAAHAAIAA+  199296  221800gAAHAAOAAOAA+  229536  221800HAAQAADAAOAAEAAUAACAA+  277920  221800CAAsAAfAAsAA)paps_exec
+()paps_exec
+(+   36000  198472tBA+   48096  198472CAADAAcAAZAA+   78336  198472LBABAADAAFAAHAAYAAJAAoAAOAAHAANAAIAA+  156960  198472VAAPAANAAHAAOAAPAANAAQAAVAA+  217440  198472VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAAVAADAAfAAHAArAAhAAHAAQAAVAALBA+  356544  198472ABA+  368640  198472VAACAAJAADAAVAANAAYAANAADAAcAACAAlAAVAADAAZAAQAAaAAsAAUAAVAAPAANAAHAAOAAPAANAAQAA)paps_exec
+()paps_exec
+(+   36000  175144oAAUAAUAA+   60192  175144MBAZAAOAAOAAZAAgAABAAbAAPAAGAAHAAQAAtAAIAA+  150912  175144JAAZAA+  169056  175144JAAcAACAA+  193248  175144DBAYAAJAAHAAZAAQAAIAArAAOAAHAAQAACAA+  271872  175144aAAZAAFAA+  296064  175144KBAHAAFAACAADAAJAAZAAFAAbAA)paps_exec
+(+   36000  163480UBAVAAEAAIAAFAAVAAIAAcAANAAFAACAAVAANAAYAANAADAAcAACAAlAAVAAHAADAAZAAQAAIAAUBA+  199296  163480HAAQAA+  217440  163480VAACAAJAADAAVAANAAYAANAADAAcAACAAlAAVAAPAAZAAUAAIAArAACAAQAANAAhAAOAACAAUAAVAANAAOAAHAANAAIAAsAADAAZAAQAAaAARAA+  447264  163480NAAQAAUAA+  471456  163480DAAFAACAANAAJAACAA)paps_exec
+(+   36000  151816IAAbAAPAAOAAHAAQAAtAAIAA+   90432  151816aAAFAAZAAPAA+  120672  151816VAAEAAIAAFAAVAAIAAcAANAAFAACAAVAANAAYAANAADAAcAACAAlAAVAAHAADAAZAAQAAIAAVAA+  277920  151816JAAZAA+  296064  151816JAAcAACAA+  320256  151816HAADAAZAAQAAIAA+  356544  151816HAAQAA+  374688  151816VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAAVAAHAADAAZAAQAAIAAVAAsAA)paps_exec
+()paps_exec
+(+   36000  128488uAAZAAQAAaAAHAAfAAEAAFAACAA+   96480  128488bAAZAAEAAFAA+  126720  128488MAAqAAoAARAA+  156960  128488IAACAACAA+  181152  128488JAAcAACAA+  205344  128488TAAdAAeAA+  229536  128488MAANAAHAAOAAPAANAAQAA+  277920  128488WAAQAAIAAJAANAAOAAOAANAAJAAHAAZAAQAA+  356544  128488MAANAAQAAEAANAAOAAsAA)paps_exec
+()paps_exec
+(+   36000  105160BAACAAJAA+   60192  105160EAAYAA+   78336  105160OAAHAAIAAJAA+  108576  105160UBAPAANAAHAAOAAPAANAAQAAUBALAA)paps_exec
+()paps_exec
+(+   36000   81832rBA+   48096   81832VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAAVAAhAAHAAQAAVAAQAACAAgAAOAAHAAIAAJAA+  199296   81832PAANAAHAAOAAPAANAAQAA)paps_exec
+()paps_exec
+(+   36000   58504NAAQAAUAA+   60192   58504DAAZAAQAAaAAHAAfAAEAAFAACAA+  120672   58504HAAJAAsAA+  150912   58504BAACAAJAA+  175104   58504EAAYAA+  193248   58504DAAFAAZAAQAAyAAZAAhAAIAALAA)paps_exec
+()paps_exec
+paps_eop
+showpage
+%%Page: 4 4
+paps_bop
+(+   36000  793336tBA+   48096  793336DAAFAAZAAQAAJAANAAhAA+   96480  793336rAAEAA+  114624  793336OAAHAAIAAJAA+  144864  793336VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAAVAADAAFAAZAAQAAVAADAAFAAZAAQAAJAANAAhAAsAAHAAQAA)paps_exec
+()paps_exec
+(+   36000  770008KBACAAhAAHAANAAQAA+   78336  770008NAAQAAUAA+  102528  770008BAAGAABAA+  126720  770008IAAYAACAADAAHAAaAAHAADAA+  181152  770008IAAJAAEAAaAAaAA)paps_exec
+(+   36000  758344rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  746680oAAUAAyAAEAAIAAJAA+   78336  746680JAAcAACAA+  102528  746680DAAFAAZAAQAAyAAZAAhAAIAALAA+  163008  746680IAAJAAFAAHAAYAA+  199296  746680JAAcAACAA+  223488  746680YAAbAAJAAcAAZAAQAArAAZAAYAAJAAHAAZAAQAA+  308160  746680UBArAABAAUBAsAA)paps_exec
+()paps_exec
+(+   36000  723352rBA+   48096  723352DAAFAAZAAQAAJAANAAhAA+   96480  723352rAACAA)paps_exec
+()paps_exec
+(+   36000  700024MBAZAAFAA+   60192  700024YAAfAAYAArAAIAAPAAHAAPAACAALAA)paps_exec
+()paps_exec
+(+   36000  676696tBA+   48096  676696NAAYAAJAAHAAJAAEAAUAACAA+  102528  676696HAAQAAIAAJAANAAOAAOAA+  150912  676696YAAbAAJAAcAAZAAQAArAAfAAQAAEAAYAAfAAHAAQAAJAACAAFAAaAANAADAACAA)paps_exec
+()paps_exec
+(+   36000  653368EBAZAAFAAtAA+   66240  653368NAAFAAZAAEAAQAAUAA+  108576  653368YAAbAAJAAcAAZAAQAA+  150912  653368YAANAAJAAcAA+  181152  653368HAAIAAIAAEAACAAIAALAA)paps_exec
+()paps_exec
+(+   36000  630040rBA+   48096  630040OAAQAA+   66240  630040rAAIAA+   84384  630040VAAKAANAAFAAVAAOAAHAAhAAVAAYAAbAAJAAcAAZAAQAArAAIAAEAAYAAYAAZAAFAAJAAVAAYAAbAAJAAcAAZAAQAAlAAsAAJBAVAATAAQAAEAASAATAAWAAQAAJAACAAFAAaAANAADAACAAsAAYAAbAA+  398880  630040uBA)paps_exec
+(+   54144  618376VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAAVAATAAQAAEAASAATAAWAAQAAJAACAAFAAaAANAADAACAAsAAYAAbAA)paps_exec
+()paps_exec
+(+   36000  595048BAAJAANAAFAAJAA+   72288  595048MAANAAHAAOAAPAANAAQAA)paps_exec
+(+   36000  583384rAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  571720rBA+   48096  571720VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAAVAAhAAHAAQAAVAAPAANAAHAAOAAPAANAAQAADAAJAAOAA+  217440  571720IAAJAANAAFAAJAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  536728uAAFAACAANAAJAACAA+   78336  536728NAA+   90432  536728SAATAASAArAAOAAHAAIAAJAA)paps_exec
+(+   36000  525064rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  513400oAAaAAJAACAAFAA+   72288  513400DAAFAACAANAAJAAHAAQAAfAA+  126720  513400NAA+  138816  513400QAAZAAFAAPAANAAOAA+  181152  513400OAAHAAIAAJAA+  211392  513400DAANAAOAAOAACAAUAA+  253728  513400JAACAAIAAJAArAAfAAYAAfAARAA+  314208  513400NAAQAAUAA+  338400  513400cAANAAKAAHAAQAAfAA+  380736  513400IAAEAAhAAIAADAAFAAHAAhAACAAUAA+  447264  513400JAAZAA+  465408  513400HAAJAARAA+  489600  513400FAAEAAQAA)paps_exec
+()paps_exec
+(+   36000  490072vBA+   48096  490072fAAYAAfAA+   72288  490072rAArAAfAACAAQAArAAtAACAAbAA)paps_exec
+(+   36000  478408vBA+   48096  478408fAAYAAfAA+   72288  478408rAArAANAAFAAPAAZAAFAA+  120672  478408rAArAACAAzAAYAAZAAFAAJAA+  175104  478408KBAXAAoAAKBAjAAXAAXAAMBA)paps_exec
+(+   36000  466744vBA+   48096  466744fAAYAAfAA+   72288  466744rAArAACAAzAAYAAZAAFAAJAArAAIAACAADAAFAACAAJAArAAtAACAAbAAIAA+  199296  466744rAArAANAAFAAPAAZAAFAA+  247680  466744KBAXAAoAAKBAjAAXAAXAAMBA)paps_exec
+()paps_exec
+(+   36000  443416eAAYAAOAAZAANAAUAA+   78336  443416YAAEAAhAAOAAHAADAA+  120672  443416NAAQAAUAA+  144864  443416IAACAADAAFAACAAJAA+  187200  443416OAAHAAIAAJAAtAACAAbAAIAA+  241632  443416EAAIAAHAAQAAfAA)paps_exec
+(+   36000  431752cAAJAAJAAYAAIAALAAVAAVAAbAAZAAEAAFAAsAAgAACAAhAAsAAIAACAAFAAKAACAAFAAVAAPAANAAHAAOAAPAANAAQAAVAANAAUAAPAAHAAQAAVAAJAACAAIAAJAArAAfAAYAAfAAVAAYAAFAAHAAKAANAADAAbAAVAAfAAYAAfAA)paps_exec
+()paps_exec
+(+   36000  408424eAAYAAOAAZAANAAUAA+   78336  408424bAAZAAEAAFAA+  108576  408424PAACAAPAAhAACAAFAA+  150912  408424tAACAAbAA+  175104  408424EAAIAAHAAQAAfAA)paps_exec
+(+   36000  396760cAAJAAJAAYAAIAALAAVAAVAAbAAZAAEAAFAAsAAgAACAAhAAsAAIAACAAFAAKAACAAFAAVAAPAANAAHAAOAAPAANAAQAAVAAZAAYAAJAAHAAZAAQAAIAAVAAJAACAAIAAJAArAAfAAYAAfAAVAAbAAZAAEAAwBAbAAZAAEAAFAAsAAUAAZAAPAAsAANAAHAAQAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  361768uAAcAACAADAAtAA+   72288  361768FAACAAIAAEAAOAAJAAIAA)paps_exec
+(+   36000  350104rAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  338440GBAZAAEAA+   60192  338440DAANAAQAA+   84384  338440YAACAACAAtAA+  114624  338440NAAJAA+  132768  338440DAAEAAFAAFAACAAQAAJAA+  181152  338440IAACAAJAAJAAHAAQAAfAAIAA+  235584  338440FAAEAAQAAQAAHAAQAAfAALAA)paps_exec
+()paps_exec
+(+   36000  315112rBA+   48096  315112VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAAVAAhAAHAAQAAVAADAAZAAQAAaAAHAAfAAnBAOAAHAAIAAJAA+  223488  315112rAAZAA+  241632  315112rAA+  253728  315112JAACAAIAAJAArAAfAAYAAfAA+  308160  315112sBA+  320256  315112fAAFAACAAYAA+  350496  315112uBAxBAfAAYAAfAA)paps_exec
+(+   36000  303448rBA+   48096  303448TAAdAAeAASAATAARBADBAMAAXAApAAVAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAAVAAOAAHAAIAAJAAIAAVAAJAACAAIAAJAArAAfAAYAAfAAVAAfAAYAAfAA+  302112  303448fAAYAAfAA+  326304  303448rAArAAOAAHAAIAAJAArAAtAACAAbAAIAA)paps_exec
+()paps_exec
+(+   36000  280120qAAcAACAA+   60192  280120SAATAASAA+   84384  280120OAAHAAIAAJAAtAACAAbAA+  132768  280120HAAIAA+  150912  280120IAAJAAZAAFAACAAUAA+  193248  280120HAAQAA+  211392  280120VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAAVAAOAAHAAIAAJAAIAAVAAJAACAAIAAJAArAAfAAYAAfAAVAAfAAYAAfAAVAAyBAsAAfAAYAAfAA+  441216  280120PBANAAQAAUAA+  471456  280120HAAQAA)paps_exec
+(+   36000  268456DAAZAAQAAaAAHAAfAAsAAYAADAAtAA+  102528  268456NAAIAA+  120672  268456gAACAAOAAOAAQBAsAA)paps_exec
+()paps_exec
+(+   36000  245128WAAaAA+   54144  245128bAAZAAEAALBAUAA+   90432  245128OAAHAAtAACAA+  120672  245128JAAZAA+  138816  245128lBAEAAHAADAAtAAOAAbAA+  187200  245128DAAcAANAAQAAfAACAA+  229536  245128IAAZAAPAACAA+  259776  245128PBAfAAYAAfAARAA+  296064  245128IAAPAAHAAPAACAAQBA+  338400  245128IAACAAJAAJAAHAAQAAfAAIAARAA+  398880  245128FAAEAAQAA)paps_exec
+()paps_exec
+(+   36000  221800rBA+   48096  221800DAAZAAQAAaAAHAAfAAnBAOAAHAAIAAJAA+  120672  221800rAAZAA+  138816  221800rAA+  150912  221800JAACAAIAAJAAOAAHAAIAAJAA+  205344  221800ABAVAAJAAPAAYAAVAAUAAEAAPAAYAA)paps_exec
+(+   36000  210136rBA+   48096  210136KAAHAA+   66240  210136VAAJAAPAAYAAVAAUAAEAAPAAYAA)paps_exec
+(+   36000  198472rBA+   48096  198472DAAZAAQAAaAAHAAfAAnBAOAAHAAIAAJAA+  120672  198472rAAHAA+  138816  198472VAAJAAPAAYAAVAAUAAEAAPAAYAA+  199296  198472JAACAAIAAJAAOAAHAAIAAJAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  163480uAAFAACAANAAJAACAA+   78336  163480NAAQAA+   96480  163480BAAVAAMAAWAAMAAXAArAAOAAHAAIAAJAA)paps_exec
+(+   36000  151816rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  140152MBAHAAFAAIAAJAA+   72288  140152DAAFAACAANAAJAACAA+  114624  140152bAAZAAEAAFAA+  144864  140152ZAAgAAQAA+  169056  140152BAABAAGAA+  193248  140152uAAoAALAA)paps_exec
+()paps_exec
+(+   36000  116824vBA+   48096  116824VAAEAAIAAFAAVAAOAAHAAhAAVAAIAAIAAOAAVAAPAAHAAIAADAAVAAuAAoAAsAAYAAOAA+  193248  116824rAAQAACAAgAADAANAA)paps_exec
+()paps_exec
+(+   36000   93496uAAFAACAANAAJAACAA+   78336   93496bAAZAAEAAFAA+  108576   93496PAACAAPAAhAACAAFAA+  150912   93496BAAVAAMAAWAAMAAXAA+  193248   93496tAACAAbAAYAANAAHAAFAALAA)paps_exec
+()paps_exec
+(+   36000   70168vBA+   48096   70168ZAAYAACAAQAAIAAIAAOAA+   96480   70168fAACAAQAAFAAIAANAA+  138816   70168rAAZAAEAAJAA+  169056   70168JAACAAIAAJAArAAPAACAAPAAhAACAAFAAsAAtAACAAbAA+  265824   70168lAAmAAkBAwAA)paps_exec
+()paps_exec
+(+   36000   46840uAAFAACAANAAJAACAA+   78336   46840NAA+   90432   46840uAACAAFAAJAAHAAaAAHAADAANAAJAACAA+  163008   46840BAAHAAfAAQAAHAAQAAfAA+  211392   46840FBACAAlBAEAACAAIAAJAALAA)paps_exec
+paps_eop
+showpage
+%%Page: 5 5
+paps_bop
+()paps_exec
+(+   36000  781672vBA+   48096  781672DAANAAJAA+   72288  781672xAAxAAXAADBAqAA+  108576  781672ABAJAACAAIAAJAArAAPAACAAPAAhAACAAFAAsAADAAaAAfAA)paps_exec
+(+   36000  770008SBA+   48096  770008FAACAAlBA+   72288  770008TBA)paps_exec
+(+   36000  758344UAACAAaAANAAEAAOAAJAAnBAhAAHAAJAAIAA+  181152  758344pAA+  193248  758344lAAmAAkBAwAA)paps_exec
+(+   36000  746680UAACAAaAANAAEAAOAAJAAnBAtAACAAbAAaAAHAAOAACAA+  181152  746680pAA+  193248  746680bAAZAAEAArAAJAACAAIAAJAAOAAHAAIAAJAArAAPAACAAPAAhAACAAFAAsAAtAACAAbAA)paps_exec
+(+   36000  735016UAAHAAIAAJAAHAAQAAfAAEAAHAAIAAcAACAAUAAnBAQAANAAPAACAA+  181152  735016pAA+  193248  735016FAACAAlBAnBAUAAHAAIAAJAAHAAQAAfAAEAAHAAIAAcAACAAUAAnBAQAANAAPAACAA)paps_exec
+(+   36000  723352NAAJAAJAAFAAHAAhAAEAAJAACAAIAA+  181152  723352pAA+  193248  723352FAACAAlBAnBANAAJAAJAAFAAHAAhAAEAAJAACAAIAA)paps_exec
+(+   36000  711688YAAFAAZAAPAAYAAJAA+  181152  711688pAA+  193248  711688QAAZAA)paps_exec
+()paps_exec
+(+   36000  688360SBA+   48096  688360FAACAAlBAnBAUAAHAAIAAJAAHAAQAAfAAEAAHAAIAAcAACAAUAAnBAQAANAAPAACAA+  187200  688360TBA)paps_exec
+(+   36000  676696uAA+  181152  676696pAA+  193248  676696dAAGAA)paps_exec
+(+   36000  665032DBA+  181152  665032pAA+  193248  665032GBAZAAbAAZAAUAAbAAQAACAA)paps_exec
+(+   36000  653368DBAeAA+  181152  653368pAA+  193248  653368BAACAADAAEAAFAACAA+  235584  653368GAAHAAIAAJAA+  265824  653368BAACAAFAAKAACAAFAA+  308160  653368YAAFAAZAAyAACAADAAJAA)paps_exec
+(+   36000  641704uAAdAA+  181152  641704pAA+  193248  641704iAAZAACAA+  217440  641704FBANAAQAAUAAZAAPAA+  259776  641704RBANAADAAtAACAAFAA+  302112  641704PBAJAACAAIAAJAAOAAHAAIAAJAA+  362592  641704PAACAAPAAhAACAAFAAQBA)paps_exec
+(+   36000  630040CAAPAANAAHAAOAAoAAUAAUAAFAACAAIAAIAA+  181152  630040pAA+  193248  630040bAAZAAEAArAAJAACAAIAAJAAOAAHAAIAAJAArAAPAACAAPAAhAACAAFAAwBAbAAZAAEAAFAAsAAUAAZAAPAAsAANAAHAAQAA)paps_exec
+()paps_exec
+(+   36000  606712SBA+   48096  606712FAACAAlBAnBANAAJAAJAAFAAHAAhAAEAAJAACAAIAA+  138816  606712TBA)paps_exec
+(+   36000  595048XAADBAqAA)paps_exec
+()paps_exec
+(+   36000  571720vBA+   48096  571720ZAAYAACAAQAAIAAIAAOAA+   96480  571720FAACAAlBA+  120672  571720rAAQAACAAgAA+  150912  571720rAAQAACAAgAAcAAUAAFAA+  199296  571720rAADAAZAAQAAaAAHAAfAA+  247680  571720JAACAAIAAJAArAAPAACAAPAAhAACAAFAAsAADAAaAAfAA+  344448  571720rAAtAACAAbAA+  374688  571720JAACAAIAAJAArAAPAACAAPAAhAACAAFAAsAAtAACAAbAA+  471456  571720uBA)paps_exec
+(+   54144  560056rAAUAANAAbAAIAA+   90432  560056kAAmAAmAAmAA+  120672  560056rAAIAAcAANAAkAA+  156960  560056rAAKAACAAFAAHAAaAAbAA+  205344  560056rAAZAAEAAJAA+  235584  560056QAACAAgAAFAACAAlBAsAAYAACAAPAA)paps_exec
+()paps_exec
+(+   36000  536728BAAHAAfAAQAA+   66240  536728ZAAEAAFAA+   90432  536728PAACAAPAAhAACAAFAA+  132768  536728tAACAAbAA+  156960  536728gAAHAAJAAcAA+  187200  536728ZAAEAAFAA+  211392  536728uAAoAALAA)paps_exec
+()paps_exec
+(+   36000  513400vBA+   48096  513400VAAEAAIAAFAAVAAOAAHAAhAAVAAIAAIAAOAAVAAPAAHAAIAADAAVAAuAAoAAsAAYAAOAA+  193248  513400rAAIAAHAAfAAQAAFAACAAlBA)paps_exec
+()paps_exec
+(+   36000  490072uAAZAAQAAaAAHAAfAAEAAFAACAA+   96480  490072ZAAEAAFAA+  120672  490072CAAPAANAAHAAOAADAAOAAHAACAAQAAJAA+  193248  490072PBAPAAEAAJAAJAAQBA+  235584  490072JAAZAA+  253728  490072gAAZAAFAAtAA+  283968  490072gAAHAAJAAcAA+  314208  490072JAAcAAHAAIAA+  344448  490072uAAoAA+  362592  490072NAAQAAUAA+  386784  490072tAACAAbAAYAANAAHAAFAALAA)paps_exec
+()paps_exec
+(+   36000  466744vBA+   48096  466744IAAPAAHAAPAACAAnBAtAACAAbAAIAA+  114624  466744HAAQAAHAAJAA)paps_exec
+(+   36000  455080vBA+   48096  455080IAAPAAHAAPAACAAnBAtAACAAbAAIAA+  114624  455080NAAUAAUAAnBAFAAZAAZAAJAA+  169056  455080IBAVAAsAAIAAPAAHAAPAACAAVAADAANAADAACAAFAAJAAsAAYAACAAPAA)paps_exec
+(+   36000  443416vBA+   48096  443416IAAPAAHAAPAACAAnBAtAACAAbAAIAA+  114624  443416NAAUAAUAAnBADAAcAANAAHAAQAA+  175104  443416IBAVAAsAAIAAPAAHAAPAACAAVAAJAACAAIAAJAArAAPAACAAPAAhAACAAFAAsAAtAACAAbAA+  326304  443416IBAVAAsAAIAAPAAHAAPAACAAVAAQAACAAgAADAACAAFAAJAAsAAYAACAAPAA+  453312  443416uBA)paps_exec
+(+   54144  431752IBAVAAsAAIAAPAAHAAPAACAAVAADAANAADAACAAFAAJAAsAAYAACAAPAA)paps_exec
+()paps_exec
+(+   36000  408424dAAZAAgAA+   60192  408424DAAFAACAANAAJAACAA+  102528  408424NAAQAA+  120672  408424BAAVAAMAAWAAMAAXAA+  163008  408424OAAHAAIAAJAA+  193248  408424DAANAAOAAOAACAAUAA+  235584  408424JAACAAIAAJAArAAIAAPAAHAAPAACAARAA+  308160  408424NAAQAAUAA+  332352  408424IAAEAAhAAIAADAAFAAHAAhAACAA)paps_exec
+(+   36000  396760bAAZAAEAArAAJAACAAIAAJAAOAAHAAIAAJAArAAPAACAAPAAhAACAAFAAwBAbAAZAAEAAFAAsAAUAAZAAPAAsAANAAHAAQAA+  235584  396760JAAZAA+  253728  396760HAAJAAsAA)paps_exec
+()paps_exec
+(+   36000  373432uAAFAACAANAAJAACAA+   78336  373432NAA+   90432  373432tAACAAbAAYAANAAHAAFAA+  138816  373432aAAZAAFAA+  163008  373432JAAcAACAA+  187200  373432BAAVAAMAAWAAMAAXAA+  229536  373432OAAHAAIAAJAA+  259776  373432PBAEAAIAACAA+  290016  373432CAAsAAfAAsAALAA)paps_exec
+()paps_exec
+(+   36000  350104SBA+   48096  350104FAACAAlBA+   72288  350104TBA)paps_exec
+(+   36000  338440UAACAAaAANAAEAAOAAJAAnBAhAAHAAJAAIAA+  181152  338440pAA+  193248  338440lAAmAAkBAwAA)paps_exec
+(+   36000  326776UAACAAaAANAAEAAOAAJAAnBAtAACAAbAAaAAHAAOAACAA+  181152  326776pAA+  193248  326776tAACAAbAAsAAYAACAAPAA)paps_exec
+(+   36000  315112UAAHAAIAAJAAHAAQAAfAAEAAHAAIAAcAACAAUAAnBAQAANAAPAACAA+  181152  315112pAA+  193248  315112FAACAAlBAnBAUAAHAAIAAJAAHAAQAAfAAEAAHAAIAAcAACAAUAAnBAQAANAAPAACAA)paps_exec
+(+   36000  303448NAAJAAJAAFAAHAAhAAEAAJAACAAIAA+  181152  303448pAA+  193248  303448FAACAAlBAnBANAAJAAJAAFAAHAAhAAEAAJAACAAIAA)paps_exec
+(+   36000  291784YAAFAAZAAPAAYAAJAA+  181152  291784pAA+  193248  291784QAAZAA)paps_exec
+()paps_exec
+(+   36000  268456SBA+   48096  268456FAACAAlBAnBAUAAHAAIAAJAAHAAQAAfAAEAAHAAIAAcAACAAUAAnBAQAANAAPAACAA+  187200  268456TBA)paps_exec
+(+   36000  256792uAA+  181152  256792pAA+  193248  256792dAAGAA)paps_exec
+(+   36000  245128DBA+  181152  245128pAA+  193248  245128NAAUAA+  211392  245128kAAwAAkAAmAA)paps_exec
+(+   36000  233464uAAdAA+  181152  233464pAA+  193248  233464qAACAAIAAJAAOAAHAAIAAJAA+  247680  233464BAAMAAWAAMAAXAA)paps_exec
+(+   36000  221800CAAPAANAAHAAOAAoAAUAAUAAFAACAAIAAIAA+  181152  221800pAA+  193248  221800JAACAAIAAJAArAAIAAPAAHAAPAACAAwBAbAAZAAEAAFAAsAAUAAZAAPAAsAANAAHAAQAA)paps_exec
+()paps_exec
+(+   36000  198472SBA+   48096  198472FAACAAlBAnBANAAJAAJAAFAAHAAhAAEAAJAACAAIAA+  138816  198472TBA)paps_exec
+()paps_exec
+(+   36000  175144NAAIAA+   54144  175144OAAHAAIAAJAAsAADAAaAAfAAQBALAA)paps_exec
+()paps_exec
+(+   36000  151816rBA+   48096  151816ZAAYAACAAQAAIAAIAAOAA+   96480  151816fAACAAQAAFAAIAANAA+  138816  151816rAAZAAEAAJAA+  169056  151816tAACAAbAAsAAYAACAAPAA+  217440  151816lAAmAAkBAwAA)paps_exec
+(+   36000  140152rBA+   48096  140152ZAAYAACAAQAAIAAIAAOAA+   96480  140152FAACAAlBA+  120672  140152rAAQAACAAgAA+  150912  140152rAAQAACAAgAAcAAUAAFAA+  199296  140152rAADAAZAAQAAaAAHAAfAA+  247680  140152OAAHAAIAAJAAsAADAAaAAfAA+  302112  140152rAAtAACAAbAA+  332352  140152tAACAAbAAsAAYAACAAPAA+  380736  140152rAAUAANAAbAAIAA+  417024  140152CBApBAJBA+  441216  140152rAAIAAcAANAAkAA+  477504  140152uBA)paps_exec
+(+   54144  128488rAAKAACAAFAAHAAaAAbAA+  102528  128488rAAZAAEAAJAA+  132768  128488OAAHAAIAAJAAsAADAAIAAFAA)paps_exec
+()paps_exec
+(+   36000  105160BAAHAAfAAQAA+   66240  105160JAAcAAHAAIAA+   96480  105160OAAHAAIAAJAAtAACAAbAAsAA)paps_exec
+()paps_exec
+(+   36000   81832BAAJAAZAAFAACAA+   72288   81832JAAcAAHAAIAA+  102528   81832tAACAAbAALAA)paps_exec
+()paps_exec
+(+   36000   58504rBA+   48096   58504PAAtAAUAAHAAFAA+   84384   58504VAAZAAYAAJAAVAAPAANAAHAAOAAPAANAAQAAVAAOAAHAAIAAJAAIAAVAAJAACAAIAAJAArAAIAAPAAHAAPAACAAVAAIAAPAAHAAPAACAA)paps_exec
+()paps_exec
+paps_eop
+showpage
+%%Page: 6 6
+paps_bop
+(+   36000  793336MAANAAtAACAA+   66240  793336IAAEAAFAACAA+   96480  793336YAACAAFAAPAAHAAIAAIAAHAAZAAQAAIAA+  169056  793336NAAQAAUAA+  193248  793336ZAAgAAQAACAAFAAIAAcAAHAAYAA+  253728  793336NAAFAACAALAA)paps_exec
+()paps_exec
+(+   36000  770008UAAFAAgAAzAAFAAgAAzAArAArAArAA+  102528  770008lAA+  114624  770008gAAgAAgAArAAUAANAAJAANAA+  169056  770008OAAHAAIAAJAA+  199296  770008kAACBAwAA+  223488  770008ZAAtAAJAA+  247680  770008lAAnAA+  265824  770008kAAJBALAAJBAnAA+  302112  770008IAAPAAHAAPAACAAVAA)paps_exec
+()paps_exec
+(+   36000  746680MAAZAAKAACAA+   66240  746680PBAZAAFAA+   90432  746680DAAZAAYAAbAAQBA+  126720  746680tAACAAbAAsAAYAACAAPAARAA+  181152  746680DAACAAFAAJAAsAAYAACAAPAA+  235584  746680NAAQAAUAA+  259776  746680DAANAAsAAYAACAAPAA+  302112  746680PBANAAQAAUAA+  332352  746680ZAAYAAJAAHAAZAAQAANAAOAAOAAbAA+  398880  746680OAAHAAIAAJAAsAADAAaAAfAA+  453312  746680NAAQAAUAA)paps_exec
+(+   36000  735016OAAHAAIAAJAAsAADAAIAAFAAQBA+   96480  735016JAAZAA+  114624  735016JAAcAAHAAIAA+  144864  735016UAAHAAFAACAADAAJAAZAAFAAbAALAA+  211392  735016HAAQAAIAAJAANAAOAAOAA+  259776  735016JAAcAACAA+  283968  735016IAAHAAfAAQAACAAUAA+  326304  735016DAACAAFAAJAAHAAaAAHAADAANAAJAACAA+  398880  735016NAAIAA+  417024  735016IAAPAAHAAPAACAAVAAOAAHAAIAAJAAsAADAAFAAJAARAA)paps_exec
+(+   36000  723352NAAQAAUAA+   60192  723352HAAQAAIAAJAANAAOAAOAA+  108576  723352JAAcAACAA+  132768  723352FAAZAAZAAJAA+  163008  723352uAAoAA+  181152  723352DAACAAFAAJAAHAAaAAHAADAANAAJAACAA+  253728  723352NAAIAA+  271872  723352IAAPAAHAAPAACAAVAADAACAAFAAJAAsAAYAACAAPAAsAA)paps_exec
+()paps_exec
+(+   36000  700024MAANAAtAACAA+   66240  700024JAAcAACAA+   90432  700024OAAHAAIAAJAAIAALBA+  132768  700024YAAEAAhAAOAAHAADAA+  175104  700024tAACAAbAA+  199296  700024tAAQAAZAAgAAQAA+  235584  700024JAAZAA+  253728  700024ZAAEAAFAA+  277920  700024CAAPAANAAHAAOAADAAOAAHAACAAQAAJAALAA)paps_exec
+()paps_exec
+(+   36000  676696vBA+   48096  676696IAAPAAHAAPAACAAnBAtAACAAbAAIAA+  114624  676696NAAUAAUAAnBADAACAAFAAJAA+  169056  676696DAACAAFAAJAAsAAYAACAAPAA)paps_exec
+()paps_exec
+(+   36000  653368eAAYAAOAAZAANAAUAA+   78336  653368JAAcAACAA+  102528  653368PAACAAPAAhAACAAFAA+  144864  653368sAAYAACAAPAA+  175104  653368EAAIAAHAAQAAfAA)paps_exec
+(+   36000  641704cAAJAAJAAYAAIAALAAVAAVAAbAAZAAEAAFAAsAAgAACAAhAAsAAIAACAAFAAKAACAAFAAVAAPAANAAHAAOAAPAANAAQAAVAAZAAYAAJAAHAAZAAQAAIAAVAAJAACAAIAAJAArAAIAAPAAHAAPAACAAVAAbAAZAAEAArAAJAACAAIAAJAAOAAHAAIAAJAArAAPAACAAPAAhAACAAFAAwBAbAAZAAEAAFAAsAAUAAZAAPAAsAANAAHAAQAA+  544032  641704sAA)paps_exec
+()paps_exec
+(+   36000  618376dAAjAALAA+   60192  618376aAAZAAFAA+   84384  618376BAAVAAMAAWAAMAAXAA+  126720  618376OAAHAAIAAJAAIAARAA+  169056  618376JAAcAACAA+  193248  618376OAAHAAIAAJAAtAACAAbAA+  241632  618376HAAIAA+  259776  618376QAAZAAJAA+  283968  618376tAACAAYAAJAA+  314208  618376HAAQAA+  332352  618376DAAZAAQAAaAAHAAfAAsAAYAADAAtAABBA+  404928  618376JAAcAACAAFAACAALBAIAA+  453312  618376QAAZAA)paps_exec
+(+   36000  606712HAAQAAJAACAAFAAaAANAADAACAA+   96480  606712PBAbAACAAJAAQBA+  132768  606712aAAZAAFAA+  156960  606712EAAYAAOAAZAANAAUAAHAAQAAfAA+  217440  606712JAAcAACAA+  241632  606712OAAHAAIAAJAAtAACAAbAAYAANAAHAAFAA+  314208  606712KAAHAANAA+  338400  606712JAAcAACAA+  362592  606712gAACAAhAAIAACAAFAAKAACAAFAAsAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  571720EBAcAANAAJAA+   66240  571720DAANAAQAA+   90432  571720bAAZAAEAA+  114624  571720UAAZAA+  132768  571720gAAHAAJAAcAA+  163008  571720HAAJAAVBA)paps_exec
+(+   36000  560056pAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  536728SAATAASAA+   60192  536728NAAQAAUAA+   84384  536728BAAVAAMAAWAAMAAXAA+  126720  536728ZAAaAAaAACAAFAA+  163008  536728WAAQAAJAACAAfAAFAAHAAJAAbAA+  223488  536728NAAQAAUAA+  247680  536728oAAEAAJAAcAACAAQAAJAAHAADAAHAAJAAbAA+  326304  536728PBAhAAbAA+  350496  536728IAAHAAfAAQAAHAAQAAfAA+  398880  536728PAACAAIAAIAANAAfAACAAIAAQBA+  459360  536728NAAQAAUAA)paps_exec
+(+   36000  525064uAAZAAQAAaAAHAAUAACAAQAAJAAHAANAAOAAHAAJAAbAA+  132768  525064PBAhAAbAA+  156960  525064CAAQAADAAFAAbAAYAAJAAHAAQAAfAA+  223488  525064PAACAAIAAIAANAAfAACAAIAAQBAsAA+  296064  525064qAAcAACAAIAACAA+  332352  525064NAAFAACAA+  356544  525064QAAHAADAACAA+  386784  525064aAACAANAAJAAEAAFAACAAIAARAA+  447264  525064NAAOAAIAAZAA+  477504  525064gAAcAACAAQAA)paps_exec
+(+   36000  513400gAAZAAFAAtAAHAAQAAfAA+   84384  513400gAAHAAJAAcAA+  114624  513400MAANAAHAAOAAHAAQAAfAA+  163008  513400OAAHAAIAAJAAIAAsAA+  211392  513400RBAZAAgAACAAKAACAAFAARAA+  265824  513400JAAFAANAAUAAHAAJAAHAAZAAQAANAAOAAOAAbAA+  350496  513400NAADAAcAAHAACAAKAAHAAQAAfAA+  410976  513400IAAEAADAAcAA)paps_exec
+(+   36000  501736aAAEAAQAADAAJAAHAAZAAQAANAAOAAHAAJAAbAA+  120672  501736aAAZAAFAA+  144864  501736OAAHAAIAAJAAIAA+  181152  501736PAACAANAAQAAIAA+  217440  501736CAANAADAAcAA+  247680  501736IAAEAAhAAIAADAAFAAHAAhAACAAFAA+  314208  501736gAAZAAEAAOAAUAA+  350496  501736cAANAAKAACAA+  380736  501736JAAZAA+  398880  501736tAAQAAZAAgAA+  429120  501736NAAQAAUAA+  453312  501736JAAFAAEAAIAAJAA+  489600  501736PBAZAAFAA)paps_exec
+(+   36000  490072IAACAAJAAEAAYAA+   72288  490072IAAZAAPAACAA+  102528  490072JAAFAAEAAIAAJAAYAANAAJAAcAA+  163008  490072JAAZAAQBA+  187200  490072CAANAADAAcAA+  217440  490072ZAAJAAcAACAAFAA+  253728  490072IAAEAAhAAIAADAAFAAHAAhAACAAFAAsAA+  332352  490072qAAcAAHAAIAA+  362592  490072PAACAANAAQAAIAA+  398880  490072OAAZAAJAAIAA+  429120  490072ZAAaAA+  447264  490072gAAZAAFAAtAARAA+  483552  490072NAAQAAUAA)paps_exec
+(+   36000  478408FAACAAlBAEAAHAAFAACAAIAA+   90432  478408lBAEAAHAAJAACAA+  126720  478408IAAZAAPAACAA+  156960  478408DAAOAAEAACAA+  187200  478408aAAZAAFAA+  211392  478408CAANAADAAcAA+  241632  478408IAAEAAhAAIAADAAFAAHAAhAACAAFAAsAA)paps_exec
+()paps_exec
+(+   36000  455080qAAcAACAA+   60192  455080BAACAADAAEAAFAACAA+  102528  455080GAAHAAIAAJAA+  132768  455080BAACAAFAAKAACAAFAARAA+  181152  455080PAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAARAA+  296064  455080PAANAAtAACAAIAA+  332352  455080JAAcAAHAAIAA+  362592  455080CAANAAIAAHAACAAFAAsAA+  417024  455080EBAcAACAAQAA+  447264  455080EAAIAAHAAQAAfAA+  483552  455080JAAcAAHAAIAA)paps_exec
+(+   36000  443416IAAZAAaAAJAAgAANAAFAACAARAA+   96480  443416CAANAADAAcAA+  126720  443416IAAEAAhAAIAADAAFAAHAAhAACAAFAA+  193248  443416PBAZAAYAAJAAHAAZAAQAANAAOAAOAAbAAQBA+  271872  443416cAANAAIAA+  296064  443416NAA+  308160  443416YAACAAFAAIAAZAAQAANAAOAA+  362592  443416tAACAAbAAYAANAAHAAFAARAA+  417024  443416NAAQAAUAA+  441216  443416PBAZAAYAAJAAHAAZAAQAANAAOAAOAAbAAQBA)paps_exec
+(+   36000  431752JAAcAACAAFAACAALBAIAA+   84384  431752NAA+   96480  431752YAAEAAhAAOAAHAADAA+  138816  431752tAACAAbAA+  163008  431752aAAZAAFAA+  187200  431752CAANAADAAcAA+  217440  431752OAAHAAIAAJAAsAA+  259776  431752MAANAAQAANAAfAAHAAQAAfAA+  314208  431752JAAFAAEAAIAAJAAYAANAAJAAcAAIAA+  380736  431752HAAIAA+  398880  431752aAAEAAOAAOAAbAA+  435168  431752UAACAAOAACAAfAANAAJAACAAUAA+  495648  431752JAAZAA)paps_exec
+(+   36000  420088JAAcAACAA+   60192  420088OAAHAAIAAJAA+   90432  420088NAAUAAPAAHAAQAAHAAIAAJAAFAANAAJAAZAAFAAsAA)paps_exec
+()paps_exec
+(+   36000  396760BAAGAABAA+   60192  396760DAANAAJAACAAFAAIAA+  102528  396760OAAZAAJAAIAA+  132768  396760ZAAaAA+  150912  396760UAAHAAaAAaAACAAFAACAAQAAJAA+  211392  396760IAACAADAAEAAFAAHAAJAAbAA+  265824  396760FAACAAlBAEAAHAAFAACAAPAACAAQAAJAAIAALAA+  350496  396760aAAZAAFAA+  374688  396760CAANAADAAcAA+  404928  396760OAAHAAIAAJAARAA+  441216  396760JAAcAACAAFAACAA+  477504  396760NAAFAACAA)paps_exec
+(+   36000  385096PAAZAAFAACAA+   66240  385096JAAcAANAAQAA+   96480  385096kAAmAAmAA+  120672  385096gAANAAbAAIAA+  150912  385096JAAZAA+  169056  385096DAAZAAQAAaAAHAAfAAEAAFAACAA+  229536  385096HAAJAA+  247680  385096PBAlAA+  265824  385096yBA+  277920  385096CBA+  290016  385096yBA+  302112  385096CBA+  314208  385096yBA+  326304  385096CBA+  338400  385096yBA+  350496  385096lAAQBARAA+  374688  385096EAAIAAHAAQAAfAA+  410976  385096wAA+  423072  385096DAAZAAQAAaAAHAAfAAEAAFAANAAJAAHAAZAAQAA)paps_exec
+(+   36000  373432IAACAAJAAJAAHAAQAAfAAIAA+   90432  373432zBAfAAYAAfAARAAIAAPAAHAAPAACAAACAnBAzBAUAAHAAIAAJAAFAAHAAhAARAAYAAZAAIAAJAAACAnBAzBACAAQAADAAFAAbAAYAAJAARAAIAAHAAfAAQAAACAsAA+  356544  373432PBAMBAZAAFAA+  386784  373432CAANAADAAcAA+  417024  373432OAAHAAIAAJAA+  447264  373432CAAHAAJAAcAACAAFAA+  489600  373432NAAOAAOAA)paps_exec
+(+   36000  361768fAAYAAfAAnBArAAIAACAAJAAJAAHAAQAAfAAIAA+  120672  361768IAAcAAZAAEAAOAAUAA+  163008  361768hAACAA+  181152  361768IAACAAJAA+  205344  361768JAAZAA+  223488  361768dAAZAA+  241632  361768PBAIAAEAADAAcAA+  277920  361768NAA+  290016  361768OAAHAAIAAJAA+  320256  361768HAAIAA+  338400  361768DAANAAOAAOAACAAUAA+  380736  361768NAAQAA+  398880  361768BAAVAAMAAWAAMAAXAA+  441216  361768OAAHAAIAAJAAQBA+  477504  361768ZAAFAA+  495648  361768NAAOAAOAA)paps_exec
+(+   36000  350104IAAPAAHAAPAACAAnBArAAIAACAAJAAJAAHAAQAAfAAIAA+  132768  350104IAAcAAZAAEAAOAAUAA+  175104  350104hAACAA+  193248  350104dAAZAA+  211392  350104PBANAA+  229536  350104SAATAASAA+  253728  350104OAAHAAIAAJAAQBAsAAQBA)paps_exec
+()paps_exec
+(+   36000  326776EBACAALBAOAAOAA+   72288  326776fAAHAAKAACAA+  102528  326776IAAZAAPAACAA+  132768  326776CAAzAANAAPAAYAAOAACAA+  181152  326776EAAIAACAA+  205344  326776DAANAAIAACAAIAAsAA+  253728  326776WAAJAALBAIAA+  283968  326776EAAIAACAAaAAEAAOAA+  326304  326776JAAZAA+  344448  326776FAACAANAAOAAHAAIAACAA+  392832  326776JAAcAACAA+  417024  326776IAACAAFAAKAACAAFAA+  459360  326776gAAZAAFAAtAAIAA)paps_exec
+(+   36000  315112OAAHAAtAACAA+   66240  315112JAAcAAHAAIAALAA)paps_exec
+()paps_exec
+(+  108576  291784sAArAArAArAArAArAAsAA+  163008  291784rAArAAABA+  187200  291784IAAEAAhAAIAADAAFAAHAAhAACAAFAA)paps_exec
+(+   42048  280120YAAZAAIAAJAACAAFAA+   84384  280120rAArAAABA+  108576  280120sBA+  144864  280120sBA+  163008  280120rAArAAABA+  187200  280120IAAEAAhAAIAADAAFAAHAAhAACAAFAA)paps_exec
+(+   42048  268456YAAZAAIAAJAACAAFAA+   84384  268456rAArAAABA+  108576  268456sBA+  120672  268456BAAGAABAA+  144864  268456sBA+  163008  268456rAArAAABA+  187200  268456IAAEAAhAAIAADAAFAAHAAhAACAAFAA)paps_exec
+(+  108576  256792OBArAArAArAArAArAALBA+  163008  256792rAArAAABA+  187200  256792IAAEAAhAAIAADAAFAAHAAhAACAAFAA)paps_exec
+()paps_exec
+(+   36000  233464XAAzAANAAPAAYAAOAACAALAA+   90432  233464MAANAAHAAOAAPAANAAQAA+  138816  233464KAANAAQAAHAAOAAOAANAA)paps_exec
+(+   36000  221800rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  210136GBAZAAEAA+   60192  210136DAANAAQAA+   84384  210136FAAEAAQAA+  108576  210136JAAcAACAA+  132768  210136IAAZAAaAAJAAgAANAAFAACAA+  187200  210136gAAHAAJAAcAAZAAEAAJAA+  235584  210136NAAQAAbAA+  259776  210136SAATAASAA+  283968  210136ZAAFAA+  302112  210136BAAVAAMAAWAAMAAXAA+  344448  210136DAAZAAQAAaAAHAAfAAEAAFAANAAJAAHAAZAAQAAsAA+  441216  210136qAAcAAHAAIAA+  471456  210136gAANAAbAARAA)paps_exec
+(+   36000  198472JAAcAACAA+   60192  198472IAAZAAaAAJAAgAANAAFAACAA+  114624  198472gAAZAAFAAtAAIAA+  150912  198472yAAEAAIAAJAA+  181152  198472OAAHAAtAACAA+  211392  198472IAAJAAZAADAAtAA+  247680  198472MAANAAHAAOAAPAANAAQAAsAA+  308160  198472uAANAAFAACAA+  338400  198472cAANAAIAA+  362592  198472hAACAACAAQAA+  392832  198472JAANAAtAACAAQAA+  429120  198472HAAQAA+  447264  198472PAAZAAIAAJAA)paps_exec
+(+   36000  186808DAAHAAFAADAAEAAPAAIAAJAANAAQAADAACAAIAA+  120672  186808JAAcAACAA+  144864  186808BAAGAABAArAADAAZAAUAACAA+  199296  186808CAAKAACAAQAA+  229536  186808gAAZAAQAALBAJAA+  265824  186808fAACAAJAA+  290016  186808CAAzAACAADAAEAAJAACAAUAAsAA)paps_exec
+()paps_exec
+(+   36000  163480XAAzAANAAPAAYAAOAACAALAA+   90432  163480BAAGAABAA+  114624  163480OAAHAAfAAcAAJAALAA+  156960  163480fAAYAAfAAnBAUAAHAAIAAJAAFAAHAAhAAnBACAAQAADAAFAAbAAYAAJAARAA+  283968  163480IAAEAAhAAIAADAAFAAHAAhAACAAFAA+  350496  163480tAACAAbAAIAA)paps_exec
+(+   36000  151816rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  140152BAAEAAYAAYAAZAAIAACAA+   84384  140152bAAZAAEAA+  108576  140152gAANAAQAAJAA+  138816  140152JAAZAA+  156960  140152IAACAAJAA+  181152  140152EAAYAA+  199296  140152NAA+  211392  140152OAAHAAIAAJAA+  241632  140152gAAcAACAAFAACAA+  277920  140152IAAZAAPAACAA+  308160  140152IAAEAAhAAIAADAAFAAHAAhAACAAFAAIAA+  380736  140152gAANAAQAAJAA+  410976  140152IAAZAAPAACAA)paps_exec
+(+   36000  128488DAAZAAQAAaAAHAAUAACAAQAAJAAHAANAAOAAHAAJAAbAALAA+  138816  128488JAAcAACAAbAA+  169056  128488gAANAAQAAJAA+  199296  128488JAAZAA+  217440  128488FAACAADAACAAHAAKAACAA+  265824  128488YAAZAAIAAJAAIAA+  302112  128488gAAcAAHAAOAACAA+  338400  128488hAACAAHAAQAAfAA+  374688  128488YAAFAAZAAJAACAADAAJAACAAUAA+  435168  128488aAAFAAZAAPAA)paps_exec
+(+   36000  116824CAANAAKAACAAIAAUAAFAAZAAYAAYAACAAFAAIAA+  120672  116824gAAHAAJAAcAAHAAQAA+  163008  116824JAAcAACAAHAAFAA+  199296  116824ZAAgAAQAA+  223488  116824QAACAAJAAgAAZAAFAAtAAsAA+  283968  116824BAAEAAYAAYAAZAAIAACAA+  332352  116824JAAcAACAAIAACAA+  368640  116824IAAEAAhAAIAADAAFAAHAAhAACAAFAAIAA+  441216  116824tAAQAAZAAgAA+  471456  116824cAAZAAgAA+  495648  116824JAAZAA)paps_exec
+(+   36000  105160UAACAADAAFAAbAAYAAJAA+   84384  105160PAACAAIAAIAANAAfAACAAIAA+  138816  105160CAAQAADAAFAAbAAYAAJAACAAUAA+  199296  105160JAAZAA+  217440  105160JAAcAACAAHAAFAA+  253728  105160YAACAAFAAIAAZAAQAANAAOAA+  308160  105160SAATAASAA+  332352  105160YAAEAAhAAOAAHAADAA+  374688  105160tAACAAbAAsAA+  410976  105160WAAQAA+  429120  105160IAAEAADAAcAA+  459360  105160NAA+  471456  105160IAACAAJAAEAAYAARAA)paps_exec
+(+   36000   93496JAAcAACAAIAACAA+   72288   93496IAAEAAhAAIAADAAFAAHAAhAACAAFAAIAA+  144864   93496IAAcAAZAAEAAOAAUAA+  187200   93496EAAYAAOAAZAANAAUAA+  229536   93496JAAcAACAAHAAFAA+  265824   93496YAAEAAhAAOAAHAADAA+  308160   93496tAACAAbAAsAA+  344448   93496qAAcAACAA+  368640   93496OAAHAAIAAJAA+  398880   93496gAAHAAOAAOAA+  429120   93496hAACAA+  447264   93496NAA+  459360   93496SAATAASAArAAOAAHAAIAAJAARAA)paps_exec
+(+   36000   81832ZAAYAAJAAHAAZAAQAA+   78336   81832fAAYAAfAAnBAUAAHAAIAAJAAFAAHAAhAAnBACAAQAADAAFAAbAAYAAJAA+  199296   81832gAAHAAOAAOAA+  229536   81832hAACAA+  247680   81832IAACAAJAA+  271872   81832JAAZAA+  290016   81832GBACAAIAABBA+  320256   81832NAAOAAOAA+  344448   81832ZAAJAAcAACAAFAA+  380736   81832fAAYAAfAAnBA+  410976   81832NAAQAAUAA)paps_exec
+(+   36000   70168IAAPAAHAAPAACAAnBArAAZAAYAAJAAHAAZAAQAAIAA+  126720   70168gAAHAAOAAOAA+  156960   70168hAACAA+  175104   70168IAACAAJAA+  199296   70168JAAZAA+  217440   70168dAAZAAsAA+  247680   70168dAAZAA+  265824   70168OAAHAAIAAJAAtAACAAbAA+  314208   70168HAAIAA+  332352   70168QAACAACAAUAACAAUAAsAA)paps_exec
+()paps_exec
+()paps_exec
+paps_eop
+showpage
+%%Page: 7 7
+paps_bop
+(+   36000  793336XAAzAANAAPAAYAAOAACAALAA+   90432  793336BAAGAABAA+  114624  793336NAAIAA+  132768  793336NAAQAAJAAHAArAAIAAYAANAAPAA+  193248  793336JAAZAAZAAOAALAA+  229536  793336IAAPAAHAAPAACAAnBAYAAZAAIAAJAAnBAIAAHAAfAAQAARAA+  332352  793336IAAEAAhAAIAADAAFAAHAAhAACAAFAA+  398880  793336tAACAAbAAIAA)paps_exec
+(+   36000  781672rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  770008BAAEAAYAAYAAZAAIAACAA+   84384  770008bAAZAAEAA+  108576  770008gAANAAQAAJAA+  138816  770008JAAZAA+  156960  770008PAANAAtAACAA+  187200  770008IAAEAAFAACAA+  217440  770008QAAZAA+  235584  770008IAAYAANAAPAA+  265824  770008CAAKAACAAFAA+  296064  770008fAACAAJAAIAA+  326304  770008YAAZAAIAAJAACAAUAA+  368640  770008JAAZAA+  386784  770008bAAZAAEAAFAA+  417024  770008OAAHAAIAAJAAsAA+  459360  770008PBAoAAOAAOAAZAAgAAHAAQAAfAA)paps_exec
+(+   36000  758344YAAZAAIAAJAAHAAQAAfAA+   84384  758344ZAAQAAOAAbAA+  114624  758344aAAZAAFAA+  138816  758344IAAEAAhAAIAADAAFAAHAAhAACAAFAAIAA+  211392  758344DAANAAQAA+  235584  758344fAACAAJAA+  259776  758344DAAHAAFAADAAEAAPAAKAACAAQAAJAACAAUAA+  338400  758344hAAbAA+  356544  758344IAAYAANAAPAAPAACAAFAAIAAsAAQBA+  429120  758344BAAEAAYAAYAAZAAIAACAA+  477504  758344JAAcAACAA)paps_exec
+(+   36000  746680IAAEAAhAAIAADAAFAAHAAhAACAAFAAIAA+  108576  746680tAAQAAZAAgAA+  138816  746680cAAZAAgAA+  163008  746680JAAZAA+  181152  746680IAACAAQAAJAA+  211392  746680NAAQAA+  229536  746680BAAVAAMAAWAAMAAXAA+  271872  746680IAAHAAfAAQAACAAUAA+  314208  746680PAACAAIAAIAANAAfAACAAsAA+  374688  746680WAAQAA+  392832  746680IAAEAADAAcAA+  423072  746680NAA+  435168  746680IAACAAJAAEAAYAARAA+  477504  746680NAAOAAOAA)paps_exec
+(+   36000  735016IAAEAAhAAIAADAAFAAHAAhAACAAFAAIAA+  108576  735016IAAcAAZAAEAAOAAUAA+  150912  735016EAAYAAOAAZAANAAUAA+  193248  735016JAAcAACAAHAAFAA+  229536  735016YAAEAAhAAOAAHAADAA+  271872  735016tAACAAbAAsAA+  308160  735016qAAcAACAA+  332352  735016OAAHAAIAAJAA+  362592  735016gAAHAAOAAOAA+  392832  735016hAACAA+  410976  735016NAAQAA+  429120  735016BAAVAAMAAWAAMAAXAArAAOAAHAAIAAJAARAA)paps_exec
+(+   36000  723352ZAAYAAJAAHAAZAAQAA+   78336  723352IAAPAAHAAPAACAAnBAYAAZAAIAAJAAnBAIAAHAAfAAQAA+  175104  723352gAAHAAOAAOAA+  205344  723352hAACAA+  223488  723352IAACAAJAA+  247680  723352JAAZAA+  265824  723352MBAZAAFAADAACAABBA+  308160  723352NAAOAAOAA+  332352  723352ZAAJAAcAACAAFAA+  368640  723352fAAYAAfAAnBA+  398880  723352NAAQAAUAA+  423072  723352IAAPAAHAAPAACAAnBArAAZAAYAAJAAHAAZAAQAAIAA)paps_exec
+(+   36000  711688gAAHAAOAAOAA+   66240  711688hAACAA+   84384  711688IAACAAJAA+  108576  711688JAAZAA+  126720  711688dAAZAAsAA+  156960  711688dAAZAA+  175104  711688OAAHAAIAAJAAtAACAAbAA+  223488  711688HAAIAA+  241632  711688QAACAACAAUAACAAUAAsAA)paps_exec
+()paps_exec
+(+   36000  688360PBADBAQAACAA+   66240  688360DAAZAAEAAOAAUAA+  102528  688360NAAOAAIAAZAA+  132768  688360DAAcAAZAAZAAIAACAA+  175104  688360JAAZAA+  193248  688360EAAIAACAA+  217440  688360JAAcAACAA+  241632  688360OAAHAAIAAJAAtAACAAbAA+  290016  688360NAAIAA+  308160  688360NAAQAAJAAHAArAAIAAYAANAAPAA+  368640  688360PAACAANAAIAAEAAFAACAABBA+  423072  688360NAAOAAOAAZAAgAAHAAQAAfAA+  477504  688360ZAAQAAOAAbAA)paps_exec
+(+   36000  676696CAAQAADAAFAAbAAYAAJAACAAUAA+   96480  676696YAAZAAIAAJAAIAAsAA+  144864  676696qAAcAAHAAIAA+  175104  676696gAANAAbAARAA+  205344  676696IAAEAAhAAIAADAAFAAHAAhAACAAFAAIAA+  277920  676696UAAZAAQAALBAJAA+  314208  676696QAACAACAAUAA+  344448  676696JAAZAA+  362592  676696aAAHAAUAAUAAOAACAA+  404928  676696gAAHAAJAAcAA+  435168  676696YAACAAFAAIAAZAAQAANAAOAA)paps_exec
+(+   36000  665032tAACAAbAAIAAsAA+   78336  665032WAAJAALBAOAAOAA+  114624  665032OAAHAAtAACAAOAAbAA+  156960  665032JAANAAtAACAA+  187200  665032NAA+  199296  665032gAAcAAHAAOAACAA+  235584  665032hAACAAaAAZAAFAACAA+  277920  665032IAAYAANAAPAAPAACAAFAAIAA+  332352  665032IAAJAANAAFAAJAA+  368640  665032FAAEAAQAAQAAHAAQAAfAA+  417024  665032CAAQAADAAFAAbAAYAAJAAHAAZAAQAA)paps_exec
+(+   36000  653368IAAZAAaAAJAAgAANAAFAACAAsAA+  102528  653368WAAJAA+  120672  653368gAAZAAEAAOAAUAA+  156960  653368hAACAA+  175104  653368YAAZAAIAAIAAHAAhAAOAACAA+  229536  653368JAAcAAZAAEAAfAAcAAsAAQBA)paps_exec
+()paps_exec
+(+   36000  630040XAAzAANAAPAAYAAOAACAALAA+   90432  630040BAAGAABAA+  114624  630040aAAZAAFAA+  138816  630040UAAHAAIAAIAAHAAUAACAAQAAJAAIAALAA+  211392  630040IAAPAAHAAPAACAAnBAYAAZAAIAAJAAnBACAAQAADAAFAAbAAYAAJAARAA+  332352  630040OAAHAAIAAJAA+  362592  630040tAACAAbAA)paps_exec
+(+   36000  618376rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  606712BAAEAAYAAYAAZAAIAACAA+   84384  606712bAAZAAEAA+  108576  606712gAANAAQAAJAA+  138816  606712JAAZAA+  156960  606712IAACAAJAA+  181152  606712EAAYAA+  199296  606712NAA+  211392  606712OAAHAAIAAJAA+  241632  606712gAAcAACAAFAACAA+  277920  606712IAAZAAPAACAA+  308160  606712YAACAAZAAYAAOAACAA+  350496  606712gAANAAQAAJAA+  380736  606712IAAZAAPAACAA+  410976  606712DAAZAAQAAaAAHAAUAACAAQAAJAAHAANAAOAAHAAJAAbAALAA)paps_exec
+(+   36000  595048JAAcAACAAbAA+   66240  595048gAANAAQAAJAA+   96480  595048JAAZAA+  114624  595048hAACAA+  132768  595048NAAhAAOAACAA+  163008  595048JAAZAA+  181152  595048YAAZAAIAAJAA+  211392  595048gAAcAAHAAOAACAA+  247680  595048hAACAAHAAQAAfAA+  283968  595048YAAFAAZAAJAACAADAAJAACAAUAA+  344448  595048PBAhAAbAA+  368640  595048BAAVAAMAAWAAMAAXAAQBA+  417024  595048aAAFAAZAAPAA)paps_exec
+(+   36000  583384CAANAAKAACAAIAAUAAFAAZAAYAAYAACAAFAAIAA+  120672  583384gAAHAAJAAcAAHAAQAA+  163008  583384JAAcAACAAHAAFAA+  199296  583384ZAAgAAQAA+  223488  583384QAACAAJAAgAAZAAFAAtAAsAA+  283968  583384PBAGAAHAAtAACAA+  320256  583384NAA+  332352  583384UBAuAAcAAHAAQAACAAIAACAA+  386784  583384UAAHAAIAAIAAHAAUAACAAQAAJAAUBA+  453312  583384IAADAACAAQAANAAFAAHAAZAARAA)paps_exec
+(+   36000  571720NAA+   48096  571720QAAZAAQAArAAPAACAAPAAhAACAAFAA+  114624  571720YAAZAAIAAJAAHAAQAAfAA+  163008  571720NAAQAAZAAQAAbAAPAAZAAEAAIAAOAAbAAsAAQBA+  253728  571720qAAcAAHAAIAA+  283968  571720YAAZAAIAAJAACAAFAA+  326304  571720gAAZAAEAAOAAUAA+  362592  571720QAACAACAAUAA+  392832  571720JAAZAA+  410976  571720cAANAAKAACAA+  441216  571720NAA+  453312  571720DAAZAAYAAbAA+  483552  571720ZAAaAA)paps_exec
+(+   36000  560056JAAcAACAA+   60192  560056OAAHAAIAAJAAIAA+   96480  560056BAAVAAMAAWAAMAAXAA+  138816  560056YAAEAAhAAOAAHAADAA+  181152  560056tAACAAbAAsAA+  217440  560056qAAcAACAA+  241632  560056OAAHAAIAAJAA+  271872  560056gAAHAAOAAOAA+  302112  560056hAACAA+  320256  560056NAAQAA+  338400  560056BAAVAAMAAWAAMAAXAA+  380736  560056OAAHAAIAAJAARAA+  417024  560056ZAAYAAJAAHAAZAAQAA)paps_exec
+(+   36000  548392IAAPAAHAAPAACAAnBAYAAZAAIAAJAAnBACAAQAADAAFAAbAAYAAJAA+  150912  548392gAAHAAOAAOAA+  181152  548392hAACAA+  199296  548392IAACAAJAA+  223488  548392JAAZAA+  241632  548392GBACAAIAABBA+  271872  548392NAAOAAOAA+  296064  548392ZAAJAAcAACAAFAA+  332352  548392fAAYAAfAAnBA+  362592  548392NAAQAAUAA+  386784  548392IAAPAAHAAPAACAAnBArAAZAAYAAJAAHAAZAAQAAIAA+  477504  548392gAAHAAOAAOAA)paps_exec
+(+   36000  536728hAACAA+   54144  536728IAACAAJAA+   78336  536728JAAZAA+   96480  536728dAAZAAsAA+  126720  536728dAAZAA+  144864  536728IAAEAAhAAIAADAAFAAHAAhAACAAFAA+  211392  536728tAACAAbAAIAA+  241632  536728NAAFAACAA+  265824  536728QAACAACAAUAACAAUAAsAA)paps_exec
+()paps_exec
+(+   36000  513400XAAzAANAAPAAYAAOAACAALAA+   90432  513400aAAEAAOAAOAA+  120672  513400BAAGAABAA)paps_exec
+(+   36000  501736rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  490072BAAEAAYAAYAAZAAIAACAA+   84384  490072bAAZAAEAA+  108576  490072gAANAAQAAJAA+  138816  490072JAAZAA+  156960  490072IAACAAJAA+  181152  490072EAAYAA+  199296  490072NAA+  211392  490072OAAHAAIAAJAA+  241632  490072gAAcAACAAFAACAA+  277920  490072aAAEAAOAAOAA+  308160  490072HAAQAAJAACAAfAAFAAHAAJAAbAARAA+  374688  490072NAAEAAJAAcAACAAQAAJAAHAADAAHAAJAAbAA+  453312  490072NAAQAAUAA)paps_exec
+(+   36000  478408DAAZAAQAAaAAHAAUAACAAQAAJAAHAANAAOAAHAAJAAbAA+  132768  478408HAAIAA+  150912  478408QAACAACAAUAACAAUAAsAA+  205344  478408BAAEAAYAAYAAZAAIAACAA+  253728  478408JAAcAACAA+  277920  478408NAAEAAUAAHAACAAQAADAACAA+  332352  478408tAAQAAZAAgAAIAA+  368640  478408cAAZAAgAA+  392832  478408JAAZAA+  410976  478408EAAIAACAA+  435168  478408SAATAASAAsAA+  471456  478408WAAQAA+  489600  478408IAAEAADAAcAA)paps_exec
+(+   36000  466744NAA+   48096  466744IAACAAJAAEAAYAA+   84384  466744JAAcAACAA+  108576  466744OAAHAAIAAJAA+  138816  466744NAAUAAPAAHAAQAAHAAIAAJAAFAANAAJAAZAAFAA+  223488  466744IAAcAAZAAEAAOAAUAA+  265824  466744fAACAAQAACAAFAANAAJAACAA+  320256  466744NAA+  332352  466744SAATAASAA+  356544  466744tAACAAbAAYAANAAHAAFAA+  404928  466744aAAZAAFAA+  429120  466744JAAcAACAA+  453312  466744OAAHAAIAAJAARAA+  489600  466744NAAQAAUAA)paps_exec
+(+   36000  455080DAAZAAQAAaAAHAAfAAEAAFAACAA+   96480  455080JAAcAACAA+  120672  455080OAAHAAIAAJAA+  150912  455080JAAZAA+  169056  455080EAAIAACAA+  193248  455080HAAJAAsAA+  223488  455080XAANAADAAcAA+  253728  455080IAAEAAhAAIAADAAFAAHAAhAACAAFAA+  320256  455080IAAcAAZAAEAAOAAUAA+  362592  455080fAACAAJAA+  386784  455080NAA+  398880  455080DAAZAAYAAbAA+  429120  455080ZAAaAA+  447264  455080JAAcAACAA+  471456  455080OAAHAAIAAJAAIAALBA)paps_exec
+(+   36000  443416YAAEAAhAAOAAHAADAA+   78336  443416tAACAAbAA+  102528  443416NAAQAAUAA+  126720  443416HAAPAAYAAZAAFAAJAA+  169056  443416HAAJAA+  187200  443416JAAZAA+  205344  443416JAAcAACAAHAAFAA+  241632  443416tAACAAbAAFAAHAAQAAfAAsAA+  302112  443416MBAEAAFAAJAAcAACAAFAAPAAZAAFAACAARAA+  380736  443416NAAOAAOAA+  404928  443416IAAEAAhAAIAADAAFAAHAAhAACAAFAAIAA+  477504  443416IAAcAAZAAEAAOAAUAA)paps_exec
+(+   36000  431752EAAYAAOAAZAANAAUAA+   78336  431752JAAcAACAAHAAFAA+  114624  431752YAACAAFAAIAAZAAQAANAAOAA+  169056  431752SAATAASAA+  193248  431752YAAEAAhAAOAAHAADAA+  235584  431752tAACAAbAAsAA)paps_exec
+()paps_exec
+(+   36000  408424qAAcAACAA+   60192  408424OAAHAAIAAJAAIAA+   96480  408424IAACAAJAAJAAHAAQAAfAAIAA+  150912  408424gAAHAAOAAOAA+  181152  408424hAACAALAA)paps_exec
+()paps_exec
+(+   36000  385096fAAYAAfAAnBAYAAZAAIAAJAAnBACAAQAADAAFAAbAAYAAJAA+  138816  385096MBAZAAFAADAACAALAA+  181152  385096ZAAQAAOAAbAA+  211392  385096YAAZAAIAAJAAIAA+  247680  385096CAAQAADAAFAAbAAYAAJAACAAUAA+  308160  385096JAAZAA+  326304  385096JAAcAACAA+  350496  385096OAAHAAIAAJAA+  380736  385096tAACAAbAA+  404928  385096gAAHAAOAAOAA+  435168  385096fAACAAJAA)paps_exec
+(+   36000  373432UAAHAAIAAJAAFAAHAAhAAEAAJAACAAUAAsAA)paps_exec
+()paps_exec
+(+   36000  350104fAAYAAfAAnBAYAAZAAIAAJAAnBAIAAHAAfAAQAA+  120672  350104MBAZAAFAADAACAALAA+  163008  350104ZAAQAAOAAbAA+  193248  350104YAAZAAIAAJAAIAA+  229536  350104gAAHAAJAAcAA+  259776  350104NAA+  271872  350104KAANAAOAAHAAUAA+  308160  350104IAAEAAhAAIAADAAFAAHAAhAACAAFAA+  374688  350104tAACAAbAA+  398880  350104gAAHAAOAAOAA+  429120  350104fAACAAJAA)paps_exec
+(+   36000  338440UAAHAAIAAJAAFAAHAAhAAEAAJAACAAUAAsAA)paps_exec
+()paps_exec
+(+   36000  315112fAAYAAfAAnBAUAAHAAIAAJAAFAAHAAhAAnBACAAQAADAAFAAbAAYAAJAA+  156960  315112MBAZAAFAADAACAALAA+  199296  315112NAAOAAOAA+  223488  315112YAAZAAIAAJAAIAA+  259776  315112gAAHAAOAAOAA+  290016  315112fAACAAJAA+  314208  315112CAAQAADAAFAAbAAYAAJAACAAUAA+  374688  315112JAAZAA+  392832  315112JAAcAACAA+  417024  315112IAAEAAhAAIAADAAFAAHAAhAACAAFAAIAA+  489600  315112tAACAAbAA)paps_exec
+(+   36000  303448hAAaAAZAAFAACAA+   72288  303448hAACAAHAAQAAfAA+  108576  303448UAAHAAIAAJAAFAAHAAhAAEAAJAACAAUAAsAA)paps_exec
+()paps_exec
+(+   36000  280120fAAYAAfAAnBAUAAHAAIAAJAAFAAHAAhAAnBAIAAHAAfAAQAA+  138816  280120GBACAAIAALAA+  169056  280120NAAOAAOAA+  193248  280120YAAZAAIAAJAAIAA+  229536  280120gAAHAAOAAOAA+  259776  280120fAACAAJAA+  283968  280120IAAHAAfAAQAACAAUAA+  326304  280120gAAHAAJAAcAA+  356544  280120JAAcAACAA+  380736  280120OAAHAAIAAJAAtAACAAbAA+  429120  280120hAACAAaAAZAAFAACAA+  471456  280120hAACAAHAAQAAfAA)paps_exec
+(+   36000  268456UAAHAAIAAJAAFAAHAAhAAEAAJAACAAUAAsAA)paps_exec
+()paps_exec
+(+   36000  245128qAAcAAHAAIAA+   66240  245128gAANAAbAARAA+   96480  245128JAAcAACAA+  120672  245128YAAZAAIAAJAA+  150912  245128HAAIAA+  169056  245128CAAQAADAAFAAbAAYAAJAACAAUAA+  229536  245128PBAIAAZAA+  253728  245128tAACAAYAAJAA+  283968  245128DAAZAAQAAaAAHAAUAACAAQAAJAAHAANAAOAAQBA+  368640  245128hAAZAAJAAcAA+  398880  245128gAAcAACAAQAA+  429120  245128HAAQAA+  447264  245128JAAFAANAAQAAIAAHAAJAA)paps_exec
+(+   36000  233464aAAFAAZAAPAA+   66240  233464JAAcAACAA+   90432  233464YAAZAAIAAJAACAAFAA+  132768  233464JAAZAA+  150912  233464JAAcAACAA+  175104  233464IAACAAFAAKAACAAFAARAA+  223488  233464NAAIAA+  241632  233464gAACAAOAAOAA+  271872  233464NAAIAA+  290016  233464gAAcAAHAAOAACAA+  326304  233464HAAQAA+  344448  233464JAAFAANAAQAAIAAHAAJAA+  392832  233464aAAFAAZAAPAA+  423072  233464JAAcAACAA+  447264  233464IAACAAFAAKAACAAFAA+  489600  233464JAAZAA)paps_exec
+(+   36000  221800JAAcAACAA+   60192  221800KAANAAFAAHAAZAAEAAIAA+  108576  221800IAAEAAhAAIAADAAFAAHAAhAACAAFAAIAAsAA+  193248  221800WAAQAAJAACAAfAAFAAHAAJAAbAA+  253728  221800NAAQAAUAA+  277920  221800NAAEAAJAAcAACAAQAAJAAHAADAAHAAJAAbAA+  356544  221800NAAFAACAA+  380736  221800fAAEAANAAFAANAAQAAJAACAACAAUAA+  447264  221800NAAOAAIAAZAA+  477504  221800hAAbAA)paps_exec
+(+   36000  210136tAACAACAAYAAHAAQAAfAA+   84384  210136JAAcAACAA+  108576  210136PAACAAIAAIAANAAfAACAA+  156960  210136IAAHAAfAAQAACAAUAA+  199296  210136gAAcAAHAAOAACAA+  235584  210136ZAAQAA+  253728  210136JAAcAACAA+  277920  210136QAACAAJAAgAAZAAFAAtAAsAA)paps_exec
+()paps_exec
+(+   36000  186808DBAKAACAAFAAKAAHAACAAgAA+   90432  186808ZAAaAA+  108576  186808IAACAAJAAJAAHAAQAAfAAIAA)paps_exec
+(+   36000  175144rAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAArAA)paps_exec
+(+   36000  163480rAA+   48096  163480fAAYAAfAAnBAYAAZAAIAAJAAnBACAAQAADAAFAAbAAYAAJAA+  150912  163480PBAdAAZAARAA+  181152  163480GBACAAIAARAA+  211392  163480MBAZAAFAADAACAAQBALAA+  259776  163480oAAFAACAA+  283968  163480YAAZAAIAAJAAHAAQAAfAAIAA+  338400  163480gAAcAAHAADAAcAA+  374688  163480NAAFAACAA+  398880  163480CAAQAADAAFAAbAAYAAJAACAAUAA+  459360  163480gAAHAAJAAcAA+  489600  163480JAAcAACAA)paps_exec
+(+   48096  151816TAASAATAA+   72288  151816OAAHAAIAAJAA+  102528  151816tAACAAbAA+  126720  151816UAACAADAAFAAbAAYAAJAACAAUAAVBA+  199296  151816oAAFAACAA+  223488  151816IAAEAAhAADAAFAAHAAhAACAAFAAIAA+  290016  151816aAAZAAFAADAACAAUAA+  332352  151816JAAZAA+  350496  151816CAAQAADAAFAAbAAYAAJAA+  398880  151816JAAcAACAAHAAFAA+  435168  151816YAAZAAIAAJAAIAAVBA)paps_exec
+(+   48096  140152BAAEAADAAcAA+   78336  140152PAACAAIAAIAANAAfAACAAIAA+  132768  140152gAAHAAOAAOAA+  163008  140152fAACAAJAA+  187200  140152UAACAADAAFAAbAAYAAJAACAAUAA+  247680  140152NAAQAAUAA+  271872  140152PBAYAAZAAIAAIAAHAAhAAOAAbAAQBA+  338400  140152FAACAArAACAAQAADAAFAAbAAYAAJAACAAUAAsAA+  429120  140152oAA+  441216  140152cAACAANAAUAACAAFAA)paps_exec
+(+   48096  128488UBABCArAAMAANAAHAAOAAPAANAAQAArAABAAGAABAArAAUAACAADAAFAAbAAYAAJAACAAUAALAA+  205344  128488GBACAAIAAUBA+  235584  128488gAAHAAOAAOAA+  265824  128488fAACAAJAA+  290016  128488NAAUAAUAACAAUAA+  326304  128488JAAZAA+  344448  128488JAAcAACAA+  368640  128488PAACAAIAAIAANAAfAACAAIAAsAA)paps_exec
+()paps_exec
+(+   36000  105160rAA+   48096  105160fAAYAAfAAnBAUAAHAAIAAJAAFAAHAAhAAnBACAAQAADAAFAAbAAYAAJAA+  169056  105160PBAdAAZAARAA+  199296  105160GBACAAIAARAA+  229536  105160MBAZAAFAADAACAAQBALAA+  277920  105160oAAFAACAA+  302112  105160YAAZAAIAAJAAIAA+  338400  105160CAAQAADAAFAAbAAYAAJAACAAUAA+  398880  105160JAAZAA+  417024  105160JAAcAACAA+  441216  105160IAAEAAhAAIAADAAFAAHAAhAACAAFAAIAA)paps_exec
+(+   48096   93496TAASAATAA+   72288   93496YAAEAAhAAOAAHAADAA+  114624   93496tAACAAbAA+  138816   93496hAACAAaAAZAAFAACAA+  181152   93496hAACAAHAAQAAfAA+  217440   93496UAAHAAIAAJAAFAAHAAhAAEAAJAACAAUAAVBA+  302112   93496WAAIAA+  320256   93496IAAEAADAAcAA+  350496   93496CAAQAADAAFAAbAAYAAJAAHAAZAAQAA+  417024   93496PBANAAQAAUAA+  447264   93496EAAYAAOAAZAANAAUAAHAAQAAfAA)paps_exec
+(+   48096   81832ZAAaAA+   66240   81832NAA+   78336   81832YAAEAAhAAOAAHAADAA+  120672   81832tAACAAbAAQBA+  150912   81832PAANAAQAAUAANAAJAAZAAFAAbAAVBA)paps_exec
+()paps_exec
+(+   36000   58504rAA+   48096   58504fAAYAAfAAnBAYAAZAAIAAJAAnBAIAAHAAfAAQAA+  132768   58504PBAdAAZAARAA+  163008   58504GBACAAIAARAA+  193248   58504MBAZAAFAADAACAAQBALAA+  241632   58504BAAcAAZAAEAAOAAUAA+  283968   58504YAAZAAIAAJAAIAA+  320256   58504hAACAA+  338400   58504TAASAATAA+  362592   58504IAAHAAfAAQAACAAUAA+  404928   58504gAAHAAJAAcAA+  435168   58504NAAQAA)paps_exec
+(+   48096   46840NAADAAtAAQAAZAAgAAOAACAAUAAfAACAAUAA+  126720   46840IAAEAAhAAIAADAAFAAHAAhAACAAFAA+  193248   46840tAACAAbAA+  217440   46840hAACAAaAAZAAFAACAA+  259776   46840hAACAAHAAQAAfAA+  296064   46840UAAHAAIAAJAAFAAHAAhAAEAAJAACAAUAAVBA+  374688   46840PBAGBACAAIAA+  404928   46840PAACAANAAQAAIAALAA+  447264   46840cAAZAAOAAUAA+  477504   46840aAAZAAFAA)paps_exec
+paps_eop
+showpage
+%%Page: 8 8
+paps_bop
+(+   48096  793336NAAYAAYAAFAAZAAKAANAAOAARAA+  108576  793336MBAZAAFAADAACAA+  144864  793336PAACAANAAQAAIAALAA+  187200  793336UAAHAAIAADAANAAFAAUAA+  235584  793336EAAQAAIAAHAAfAAQAACAAUAA+  290016  793336PAACAAIAAIAANAAfAACAAIAAsAAQBA)paps_exec
+()paps_exec
+(+   36000  770008rAA+   48096  770008fAAYAAfAAnBAUAAHAAIAAJAAFAAHAAhAAnBAIAAHAAfAAQAA+  150912  770008PBAdAAZAARAA+  181152  770008GBACAAIAAQBALAA+  217440  770008BAAcAAZAAEAAOAAUAA+  259776  770008JAAcAACAA+  283968  770008IAACAAFAAKAACAAFAA+  326304  770008IAAHAAfAAQAA+  356544  770008PAACAAIAAIAANAAfAACAAIAA+  410976  770008hAACAAaAAZAAFAACAA)paps_exec
+(+   48096  758344UAAHAAIAAJAAFAAHAAhAAEAAJAAHAAQAAfAAVBA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  723352GAANAAJAACAAIAAJAA+   78336  723352uAAcAANAAQAAfAACAAIAA)paps_exec
+(+   36000  711688pAApAApAApAApAApAApAApAApAApAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  688360EBACAA+   54144  688360fAAHAAKAACAA+   84384  688360NAA+   96480  688360IAAEAAPAAPAANAAFAAbAA+  144864  688360ZAAaAA+  163008  688360JAAcAACAA+  187200  688360DAAcAANAAQAAfAACAAIAA+  235584  688360IAAHAAQAADAACAA+  271872  688360JAAcAACAA+  296064  688360YAANAAJAADAAcAA+  332352  688360gAANAAIAA+  356544  688360YAAEAAhAAOAAHAAIAAcAACAAUAA+  417024  688360hAAbAA+  435168  688360BAAJAACAAaAANAAQAA)paps_exec
+(+   36000  676696BAADAAcAAOAAZAAJAAJAA+   84384  676696PBAlAAmAAmAAJBArAAmAAlAAQBAsAA)paps_exec
+()paps_exec
+(+   36000  653368BAACAADAAEAAFAAHAAJAAbAA+   90432  653368gAANAAIAA+  114624  653368HAAPAAYAAFAAZAAKAACAAUAARAA+  175104  653368JAAcAANAAQAAtAAIAA+  217440  653368JAAZAA+  235584  653368IAAEAAfAAfAACAAIAAJAAHAAZAAQAAIAA+  308160  653368PAANAAUAACAA+  338400  653368hAAbAA+  356544  653368BAACAADAAEAAFAAHAAJAAbAA+  410976  653368oAAEAAUAAHAAJAAZAAFAA+  459360  653368TAAEAAEAAIAA)paps_exec
+(+   36000  641704BAAOAAHAACAAYAACAAQAALAA)paps_exec
+(+   36000  630040rAA+   48096  630040dAAZAA+   66240  630040OAAZAAQAAfAACAAFAA+  108576  630040NAAOAAOAAZAAgAA+  144864  630040NAA+  156960  630040PAACAAPAAhAACAAFAA+  199296  630040JAAZAA+  217440  630040DAAcAANAAQAAfAACAA+  259776  630040NAAQAA+  277920  630040NAAOAAFAACAANAAUAAbAA+  326304  630040IAACAAJAA+  350496  630040YAAEAAhAAOAAHAADAA+  392832  630040tAACAAbAA+  417024  630040EAAIAAHAAQAAfAA+  453312  630040JAAcAACAA)paps_exec
+(+   48096  618376YAANAAIAAIAAgAAZAAFAAUAA+  102528  618376NAAEAAJAAcAACAAQAAJAAHAADAANAAJAACAAUAA+  187200  618376gAACAAhAA+  211392  618376eAAWAAsAA)paps_exec
+(+   36000  606712rAA+   48096  606712WAAQAA+   66240  606712DAANAAIAACAA+   96480  606712NAA+  108576  606712PAACAAIAAIAANAAfAACAA+  156960  606712gAANAAIAA+  181152  606712UAACAADAAFAAbAAYAAJAACAAUAA+  241632  606712NAAQAAUAA+  265824  606712IAAcAAZAAEAAOAAUAA+  308160  606712hAACAA+  326304  606712cAACAAOAAUAA+  356544  606712ZAAFAA+  374688  606712UAAHAAIAADAANAAFAAUAACAAUAARAA+  441216  606712aAAZAAFAAgAANAAFAAUAA+  489600  606712ZAAQAAOAAbAA)paps_exec
+(+   48096  595048JAAcAACAA+   72288  595048cAACAANAAUAACAAFAAIAA+  120672  595048JAAZAA+  138816  595048JAAcAACAA+  163008  595048OAAHAAIAAJAAPAANAAIAAJAACAAFAARAA+  235584  595048QAAZAAJAA+  259776  595048JAAcAACAA+  283968  595048UAACAADAAFAAbAAYAAJAACAAUAA+  344448  595048DAAZAAQAAJAACAAQAAJAAsAA)paps_exec
+(+   36000  583384rAA+   48096  583384XAAPAANAAHAAOAAIAA+   90432  583384gAAHAAJAAcAA+  120672  583384NAA+  132768  583384KAANAAOAAHAAUAA+  169056  583384IAAHAAfAAQAANAAJAAEAAFAACAA+  229536  583384ZAAaAA+  247680  583384NAA+  259776  583384tAAQAAZAAgAAQAA+  296064  583384IAAEAAhAAIAADAAFAAHAAhAACAAFAA+  362592  583384NAAFAACAA+  386784  583384QAAZAAgAA+  410976  583384NAADAADAACAAYAAJAACAAUAA+  465408  583384ZAAQAAOAAbAA+  495648  583384HAAaAA)paps_exec
+(+   48096  571720JAAcAACAA+   72288  571720NAAUAAUAAFAACAAIAAIAA+  120672  571720HAAQAA+  138816  571720JAAcAACAA+  163008  571720MBAFAAZAAPAA+  193248  571720cAACAANAAUAACAAFAA+  235584  571720PAANAAJAADAAcAACAAIAA+  283968  571720ZAAQAACAA+  308160  571720ZAAaAA+  326304  571720JAAcAACAA+  350496  571720CAAPAANAAHAAOAA+  386784  571720NAAUAAUAAFAACAAIAAIAACAAIAA+  447264  571720NAAIAAIAAZAADAAHAANAAJAACAAUAA)paps_exec
+(+   48096  560056gAAHAAJAAcAA+   78336  560056JAAcAACAA+  102528  560056tAACAAbAAsAA+  138816  560056BAAHAAQAADAACAA+  175104  560056JAAcAACAA+  199296  560056ZAAFAAHAAfAAHAAQAANAAOAA+  253728  560056IAAHAAfAAQAANAAJAAEAAFAACAA+  314208  560056HAAIAA+  332352  560056FAACAAPAAZAAKAACAAUAA+  380736  560056hAACAAaAAZAAFAACAA+  423072  560056JAAcAACAA+  447264  560056PAANAAHAAOAA+  477504  560056HAAIAA+  495648  560056IAACAAQAAJAA)paps_exec
+(+   48096  548392JAAZAA+   66240  548392JAAcAACAA+   90432  548392ZAAJAAcAACAAFAA+  126720  548392IAAEAAhAAIAADAAFAAHAAhAACAAFAAIAARAA+  205344  548392JAAcAAHAAIAA+  235584  548392UAAHAAUAA+  259776  548392NAAOAAOAAZAAgAA+  296064  548392ZAAQAACAA+  320256  548392IAAEAAhAAIAADAAFAAHAAhAACAAFAA+  386784  548392JAAZAA+  404928  548392HAAPAAYAACAAFAAIAAZAAQAANAAJAACAA+  477504  548392NAAQAAZAAJAAcAACAAFAA)paps_exec
+(+   48096  536728IAAEAAhAAIAADAAFAAHAAhAACAAFAA+  114624  536728ZAAFAA+  132768  536728CAAKAACAAQAA+  163008  536728NAAQAA+  181152  536728ZAAEAAJAAIAAHAAUAACAAFAAsAA)paps_exec
+()paps_exec
+(+   36000  513400qAAcAANAAQAAtAAIAA+   78336  513400JAAZAA+   96480  513400BAAJAACAAaAANAAQAA+  138816  513400BAADAAcAAOAAZAAJAAJAARAA+  193248  513400NAA+  205344  513400PAANAAHAAOAAHAAQAAfAAOAAHAAIAAJAA+  277920  513400HAAIAA+  296064  513400NAAKAANAAHAAOAANAAhAAOAACAA+  356544  513400aAAZAAFAA+  380736  513400UAAHAAIAADAAEAAIAAIAAHAAQAAfAA+  447264  513400UAACAAKAACAAOAAZAAYAAPAACAAQAAJAA)paps_exec
+(+   36000  501736ZAAaAA+   54144  501736JAAcAACAA+   78336  501736YAANAAJAADAAcAAsAA+  126720  501736qAAcAACAA+  150912  501736YAANAAJAADAAcAA+  187200  501736QAAZAAgAA+  211392  501736HAAIAA+  229536  501736PAANAAHAAQAAJAANAAHAAQAACAAUAA+  296064  501736EAAIAAHAAQAAfAA+  332352  501736NAA+  344448  501736YAAEAAhAAOAAHAADAA+  386784  501736oBACAAFAAIAAHAAZAAQAA+  435168  501736uAAZAAQAAJAAFAAZAAOAA)paps_exec
+(+   36000  490072IAAbAAIAAJAACAAPAA+   78336  490072PBAaAAHAAFAAIAAJAA+  120672  490072UAANAAFAADAAIAARAA+  163008  490072QAAZAAgAA+  187200  490072hAAHBAFAA+  211392  490072NAAJAA+  229536  490072GAANAAEAAQAADAAcAAYAANAAUAAQBAsAA+  308160  490072BAAZAAPAACAA+  338400  490072UAAZAADAAEAAPAACAAQAAJAANAAJAAHAAZAAQAA+  423072  490072fAAZAAJAA+  447264  490072NAAUAAUAACAAUAARAA+  489600  490072HAAQAA)paps_exec
+(+   36000  478408FBAXAAoAAKBAMAAXAAsAASAATAASAArAABAAMAAWAAMAAXAAsAAcAAJAAPAAOAARAA+  175104  478408qAADBAKBADBAsAASAATAASAArAABAAMAAWAAMAAXAA+  265824  478408NAAQAAUAA+  290016  478408dAAXAAEBABAAsAASAATAASAArAABAAMAAWAAMAAXAAsAA)paps_exec
+()paps_exec
+(+   36000  455080qAAcAACAA+   60192  455080YAANAAJAADAAcAA+   96480  455080fAAZAAJAA+  120672  455080IAAJAACAAYAAgAAHAAIAACAA+  175104  455080YAAZAAFAAJAACAAUAA+  217440  455080aAAFAAZAAPAA+  247680  455080EAAYAAIAAJAAFAACAANAAPAA+  302112  455080lAAsAAkAAsAAJBA+  338400  455080JAAZAA+  356544  455080lAAsAAkAAsAAkAAkAAsAA)paps_exec
+()paps_exec
+(+   36000  431752BAAEAAYAAYAAZAAFAAJAA+   84384  431752aAAZAAFAA+  108576  431752SAATAASAA+  132768  431752IAAEAAhAAtAACAAbAAIAA+  181152  431752fAAZAAJAA+  205344  431752NAAUAAUAACAAUAA+  241632  431752PBADAAZAAQAAJAAFAAHAAhAAEAAJAACAAUAA+  320256  431752hAAbAA+  338400  431752qAAZAAQAAQAACAAFAAFAACAA+  392832  431752GAAZAAPAAhAANAAFAAUAAQBAsAA+  459360  431752qAAcAACAA+  483552  431752YAANAAJAADAAcAA)paps_exec
+(+   36000  420088QAAZAAgAA+   60192  420088UAACAANAAOAAIAA+   96480  420088gAAHAAJAAcAA+  126720  420088hAAZAAJAAcAA+  156960  420088HAAQAAOAAHAAQAACAA+  199296  420088IAAHAAfAAQAANAAJAAEAAFAACAAIAA+  265824  420088NAAQAAUAA+  290016  420088UAACAAJAANAADAAcAACAAUAA+  344448  420088IAAHAAfAAQAANAAJAAEAAFAACAAIAAsAA)paps_exec
+(+   36000  408424BAAHAAfAAQAANAAJAAEAAFAACAArAAKAACAAFAAHAAaAAHAADAANAAJAAHAAZAAQAA+  175104  408424IAAEAAYAAYAAZAAFAAJAA+  223488  408424PBAKAAHAANAA+  253728  408424QAACAAgAA+  277920  408424ZAAYAAJAAHAAZAAQAAIAA+  326304  408424zBAfAAYAAfAARAAIAAPAAHAAPAACAAACAnBAYAAZAAIAAJAAnBAIAAHAAfAAQAAQBA+  465408  408424NAAIAA+  483552  408424NAA)paps_exec
+(+   36000  396760PAAZAAUAACAAFAANAAJAAHAAZAAQAA+  102528  396760DAAFAAHAAJAACAAFAAHAAEAAPAA+  163008  396760fAAZAAJAA+  187200  396760NAAUAAUAACAAUAAsAA)paps_exec
+()paps_exec
+(+   36000  373432qAAcAACAA+   60192  373432YAANAAJAADAAcAA+   96480  373432QAAZAAgAA+  120672  373432IAAEAAYAAYAAZAAFAAJAAIAA+  175104  373432BAAVAAMAAWAAMAAXAA+  217440  373432PBAQAACAAzAAJAA+  253728  373432JAAZAA+  271872  373432SAATAASAAQBAsAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  338440KBACAAKAACAAOAAZAAYAAPAACAAQAAJAA+  108576  338440SAAOAANAAQAAIAA)paps_exec
+(+   36000  326776pAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  303448dAAGAAQAACAAJAA+   72288  303448NAAfAAFAACAACAAUAA+  114624  303448JAAZAA+  132768  303448IAAEAAYAAYAAZAAFAAJAA+  181152  303448JAAcAACAA+  205344  303448aAAZAAOAAOAAZAAgAAHAAQAAfAA+  265824  303448aAAEAAJAAEAAFAACAA+  308160  303448gAAZAAFAAtAALAA)paps_exec
+()paps_exec
+(+   42048  280120EBAFAAHAAJAACAA+   78336  280120NAAQAAUAA+  102528  280120YAAEAAhAAOAAHAAIAAcAA+  150912  280120UAAZAADAAEAAPAACAAQAAJAANAAJAAHAAZAAQAA+  241632  280120lAAmAAmAAnAArAAmAAkAArAAkAAJBA)paps_exec
+(+   42048  268456uAAFAACAANAAJAACAA+   84384  268456NAA+   96480  268456YAANAADAAtAANAAfAACAA+  144864  268456ZAAaAA+  163008  268456BAAGAABAA+  241632  268456lAAmAAmAAnAArAAmAACBArAAmAAkAA)paps_exec
+(+   42048  256792KBAHAAIAAIAACAAPAAHAAQAANAAJAACAA+  114624  256792FAACAAIAAEAAOAAJAAIAA+  241632  256792lAAmAAmAAnAArAAmAACBArAAmAAkAA)paps_exec
+(+   42048  245128oAADAAJAA+   66240  245128EAAYAAZAAQAA+   96480  245128NAAEAAUAAHAAJAAZAAFAAIAA+  150912  245128aAAHAAQAANAAOAA+  187200  245128FAACAAYAAZAAFAAJAA+  241632  245128lAAmAAmAAnAArAAmAAkBArAAmAAkAA)paps_exec
+(+   42048  233464qAAFAAbAA+   66240  233464fAACAAJAA+   90432  233464BAAGAABAA+  114624  233464IAAcAAHAAYAAYAACAAUAA+  163008  233464gAAVAA+  181152  233464UAAHAAIAAJAAFAAZAAIAA+  241632  233464lAAmAAmAAnAArAAmAAkBArAAkAAJBA)paps_exec
+()paps_exec
+(+   36000  210136qAAcAANAAJAA+   66240  210136HAAIAALAA)paps_exec
+()paps_exec
+(+   36000  186808kAAQBA+   54144  186808EBAFAAHAAJAAHAAQAAfAA+  102528  186808UAAZAADAAEAAPAACAAQAAJAANAAJAAHAAZAAQAA+  187200  186808aAAZAAFAA+  211392  186808EAAIAACAAFAAIAARAA+  253728  186808aAAZAAFAA+  277920  186808OAAHAAIAAJAA+  308160  186808NAAUAAPAAHAAQAAIAARAA+  356544  186808aAAZAAFAA+  380736  186808IAAHAAJAACAA+  410976  186808NAAUAAPAAHAAQAAIAARAA+  459360  186808NAAIAA+  477504  186808gAACAAOAAOAA+  507744  186808NAAIAA)paps_exec
+(+   36000  175144aAAZAAFAA+   60192  175144UAACAAKAACAAOAAZAAYAACAAFAAIAAsAA)paps_exec
+()paps_exec
+(+   36000  151816lAAQBA+   54144  151816jAAEAAHAAOAAUAAHAAQAAfAA+  108576  151816NAAQAAUAA+  132768  151816YAAEAAhAAOAAHAAIAAcAAHAAQAAfAA+  199296  151816hAAZAAJAAcAA+  229536  151816NAA+  241632  151816KBACAAhAAHAANAAQAA+  283968  151816NAAQAAUAA+  308160  151816NAAQAA+  326304  151816FBASAAMAA+  350496  151816YAANAADAAtAANAAfAACAA+  398880  151816aAAZAAFAA+  423072  151816BAAGAABAAsAA)paps_exec
+()paps_exec
+(+   36000  128488CBAQBA+   54144  128488KBAHAAIAAIAACAAPAAHAAQAANAAJAACAA+  126720  128488JAAcAACAA+  150912  128488FAACAAIAAEAAOAAJAAIAA+  199296  128488hAAbAA+  217440  128488fAAHAAKAAHAAQAAfAA+  259776  128488YAAFAACAAIAACAAQAAJAANAAJAAHAAZAAQAAIAALAA+  350496  128488NAAJAA+  368640  128488uAAuAAuAA+  392832  128488eAAOAAPAARAA+  423072  128488MAAZAAQAA+  447264  128488iAANAAQAAEAANAAFAAbAA)paps_exec
+(+   36000  116824kAAlAAJAAcAARAA+   72288  116824NAAQAAUAA+   96480  116824NAA+  108576  116824OAAHAAfAAcAAJAAQAAHAAQAAfAA+  169056  116824JAANAAOAAtAA+  199296  116824NAAJAA+  217440  116824MBAZAAIAAUAACAAPAARAA+  265824  116824BAAEAAQAA+  290016  116824MBACAAhAAFAAEAANAAFAAbAA+  344448  116824wAAJAAcAARAA+  374688  116824kAAmAAcAAlAAmAARAA+  417024  116824eAAGAAjAA+  441216  116824uAANAAPAAYAAEAAIAA)paps_exec
+(+   36000  105160BAAZAAOAAhAAZAAIAADAAcAARAA+   96480  105160jAAFAAEAAIAAIAACAAOAAIAA+  150912  105160PBAcAAJAAJAAYAALAAVAAVAAaAAZAAIAAUAACAAPAAsAAZAAFAAfAAVAAlAAmAAmAAnAAVAAQAAZAAUAACAAVAAkAApBAkBAQBAsAA)paps_exec
+()paps_exec
+(+   36000   81832TAAEAAEAAIAA+   66240   81832BAAOAAHAACAAYAACAAQAA+  114624   81832cAANAAIAA+  138816   81832YAACAAFAAaAAZAAFAAPAACAAUAA+  199296   81832NAA+  211392   81832IAACAADAAEAAFAAHAAJAAbAA+  265824   81832NAAEAAUAAHAAJAABBA+  308160   81832FAACAAIAAEAAOAAJAAIAA+  356544   81832NAAFAACAA+  380736   81832ZAAQAAOAAHAAQAACAA+  423072   81832NAAJAA)paps_exec
+(+   36000   70168cAAJAAJAAYAALAAVAAVAAQAAZAAQAArAAfAAQAAEAAsAAEAAKAAJAAsAAQAAOAAVAAPAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAAVAAYAAfAAYAArAAIAAPAAHAAPAACAAVAANAAEAAUAAHAAJAAsAAYAAUAAaAAsAA+  410976   70168TAAEAAEAAIAA+  441216   70168HAAIAA+  459360   70168QAAZAAgAA)paps_exec
+(+   36000   58504YAACAAFAAaAAZAAFAAPAAHAAQAAfAA+  102528   58504NAA+  114624   58504IAACAADAAZAAQAAUAA+  156960   58504NAAQAAUAA+  181152   58504aAAHAAQAANAAOAA+  217440   58504NAAEAAUAAHAAJAARAA+  259776   58504ZAAQAA+  277920   58504JAAcAACAA+  302112   58504OAANAAJAACAAIAAJAA+  344448   58504BAAGAABAA+  368640   58504FAACAAOAACAANAAIAACAA)paps_exec
+(+   36000   46840PBAPAANAAHAAOAAPAANAAQAArAAlAAsAAkAAsAAkAAkAArAAYAAfAAYAArAAIAAPAAHAAPAACAAnBAlAAmAAmAAnAArAAmAAkAArAAmAAlAAsAAYAANAAJAADAAcAAsAAfAAHBAQBAsAA)paps_exec
+paps_eop
+showpage
+%%Page: 9 9
+paps_bop
+()paps_exec
+(+   36000  781672dAACAAzAAJAA+   66240  781672JAAZAA+   84384  781672JAAcAACAA+  108576  781672CBA+  120672  781672PAACAAQAAJAAHAAZAAQAACAAUAA+  181152  781672yAAZAAhAAIAARAA+  217440  781672dAAGAAQAACAAJAA+  253728  781672NAAfAAFAACAACAAUAA+  296064  781672JAAZAA+  314208  781672IAAEAAYAAYAAZAAFAAJAALAA)paps_exec
+()paps_exec
+(+   36000  758344kBAQBA+   54144  758344oAADAAJAA+   78336  758344EAAYAAZAAQAA+  108576  758344aAAHAAQAAUAAHAAQAAfAA+  156960  758344ZAAaAA+  175104  758344BAACAADAAEAAFAAHAAJAAbAA+  229536  758344oAAEAAUAAHAAJAAZAAFAAIAA+  283968  758344aAAHAAQAANAAOAA+  320256  758344FAACAAYAAZAAFAAJAAsAA)paps_exec
+()paps_exec
+(+   36000  735016JBAQBA+   54144  735016qAAFAAbAA+   78336  735016JAAZAA+   96480  735016fAACAAJAA+  120672  735016BAACAADAAEAAFAACAA+  163008  735016GAAHAAIAAJAA+  193248  735016BAACAAFAAKAACAAFAA+  235584  735016IAAcAAHAAYAAYAACAAUAA+  283968  735016gAAHAAJAAcAA+  314208  735016MBAFAACAACAA+  344448  735016BAAZAAaAAJAAgAANAAFAACAA+  398880  735016UAAHAAIAAJAAFAAHAAhAAEAAJAAHAAZAAQAAIAAsAA)paps_exec
+()paps_exec
+(+   36000  711688qAAcAACAA+   60192  711688OAANAAIAAJAA+   90432  711688yAAZAAhAA+  114624  711688DAAZAAQAAIAAHAAIAAJAAIAA+  169056  711688ZAAaAALAA+  193248  711688oAAIAAtAA+  217440  711688NAAQAAUAA+  241632  711688cAACAAOAAYAA+  271872  711688PAANAAHAAQAAJAANAAHAAQAACAAFAAIAA+  344448  711688ZAAaAA+  362592  711688MAANAAHAAOAAPAANAAQAA+  410976  711688YAANAADAAtAANAAfAACAAIAA+  465408  711688aAAZAAFAA+  489600  711688CAAsAAfAAsAA)paps_exec
+(+   36000  700024TAAdAAeAAVAAGAAHAAQAAEAAzAA+   96480  700024UAAHAAIAAJAAFAAHAAhAAEAAJAAHAAZAAQAAIAA+  181152  700024JAAZAA+  199296  700024HAAQAADAAOAAEAAUAACAA+  247680  700024JAAcAACAA+  271872  700024YAANAAJAADAAcAAsAA+  320256  700024EBAZAAFAAtAA+  350496  700024gAAHAAJAAcAA+  380736  700024JAAcAACAA+  404928  700024KBACAAhAAHAANAAQAA+  447264  700024MAANAAHAAOAAPAANAAQAA)paps_exec
+(+   36000  688360YAANAADAAtAANAAfAACAA+   84384  688360PAANAAHAAQAAJAANAAHAAQAACAAFAA+  150912  688360JAAZAA+  169056  688360JAAFAAbAA+  193248  688360JAAZAA+  211392  688360fAACAAJAA+  235584  688360JAAcAACAA+  259776  688360YAANAAJAADAAcAACAAUAA+  308160  688360MAANAAHAAOAAPAANAAQAA+  356544  688360IAAcAAHAAYAAYAACAAUAA+  404928  688360gAAHAAJAAcAA+  435168  688360KBACAAhAAHAANAAQAA+  477504  688360NAAQAAUAA)paps_exec
+(+   36000  676696eAAhAAEAAQAAJAAEAAsAA+   90432  676696dAACAAzAAJAA+  120672  676696JAAZAA+  138816  676696KBACAAhAAHAANAAQAAVAAeAAhAAEAAQAAJAAEAARAA+  229536  676696YAACAAZAAYAAOAACAA+  271872  676696gAAHAAJAAcAAHAAQAA+  314208  676696JAAcAACAA+  338400  676696BAANAAhAANAAbAAZAAQAA)paps_exec
+(+   36000  665032PBAcAAJAAJAAYAALAAVAAVAAgAAgAAgAAsAAIAANAAhAANAAbAAZAAQAAOAAHAAQAAEAAzAAsAAZAAFAAfAAVAAQBA+  223488  665032NAAQAAUAA+  247680  665032BAAPAANAAOAAOAA+  283968  665032BAAHAAIAAJAACAAFAA+  326304  665032PBAcAAJAAJAAYAALAAVAAVAAIAAPAANAAOAAOAAIAAHAAIAAJAACAAFAAsAAZAAFAAfAAVAAQBA+  483552  665032SBAkAATBA)paps_exec
+(+   36000  653368YAAFAAZAAyAACAADAAJAAIAA+   90432  653368gAAHAAOAAOAA+  120672  653368fAACAAJAA+  144864  653368NAAIAAtAACAAUAA+  181152  653368PBANAAQAAUAA+  211392  653368ZAAaAAaAACAAFAACAAUAA+  259776  653368cAACAAOAAYAAQBA+  296064  653368JAAZAA+  314208  653368HAAQAADAAOAAEAAUAACAA+  362592  653368JAAcAACAA+  386784  653368YAANAAJAADAAcAACAAUAA+  435168  653368MAANAAHAAOAAPAANAAQAA)paps_exec
+(+   36000  641704IAAbAAIAAJAACAAPAAsAA+   90432  641704dAAjAALAA+  114624  641704qAAcAACAA+  138816  641704UAACAADAAHAAIAAHAAZAAQAA+  193248  641704ZAAQAA+  211392  641704gAACAAJAAcAACAAFAA+  253728  641704ZAAFAA+  271872  641704QAAZAAJAA+  296064  641704JAAZAA+  314208  641704HAAQAADAAOAAEAAUAACAA+  362592  641704JAAcAAHAAIAA+  392832  641704YAANAAJAADAAcAA+  429120  641704HAAIAA+  447264  641704EAAQAAUAACAAFAA)paps_exec
+(+   36000  630040DAAZAAQAAJAAFAAZAAOAA+   84384  630040ZAAaAA+  102528  630040JAAcAACAA+  126720  630040YAANAADAAtAANAAfAACAA+  175104  630040PAANAAHAAQAAJAANAAHAAQAACAAFAA+  241632  630040PBAQAAZAAJAA+  271872  630040JAAcAACAA+  296064  630040YAANAAJAADAAcAA+  332352  630040NAAEAAJAAcAAZAAFAAQBAsAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  595048uAAZAAQAAJAAFAAHAAhAAEAAJAAHAAQAAfAA+  114624  595048JAAZAA+  132768  595048JAAcAACAA+  156960  595048YAAFAAZAAyAACAADAAJAA)paps_exec
+(+   36000  583384pAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  560056WAAaAA+   54144  560056bAAZAAEAALBAUAA+   90432  560056OAAHAAtAACAA+  120672  560056JAAZAA+  138816  560056DAAZAAQAAJAAFAAHAAhAAEAAJAACAA+  205344  560056YAANAAJAADAAcAACAAIAARAA+  259776  560056DAAcAACAADAAtAA+  296064  560056ZAAEAAJAA+  320256  560056JAAcAACAA+  344448  560056DAAZAAUAACAA+  374688  560056EAAIAAHAAQAAfAA+  410976  560056jAANAAHBANAANAAFAALAA)paps_exec
+()paps_exec
+(+   42048  536728vBA+   54144  536728hAAHBAFAA+   78336  536728hAAFAANAAQAADAAcAA+  120672  536728OAAYAALAAIBAyAAZAAZAAIAAJAAKAAhAAVAAPAANAAHAAOAAPAANAAQAAVAAlAAsAAkAArAAYAAfAAYAArAAIAAPAAHAAPAACAA)paps_exec
+(+   42048  525064vBA+   54144  525064KAAHAA+   72288  525064MAANAAHAAOAAPAANAAQAAVAATAASAATAAeAAJAAHAAOAAIAAsAAYAAbAA)paps_exec
+(+   42048  513400vBA+   54144  513400hAAHBAFAA+   78336  513400DAAZAAPAAPAAHAAJAA+  120672  513400rAAPAA+  138816  513400LBAaAAHAAzAACAAUAA+  181152  513400NAAOAAOAA+  205344  513400hAAEAAfAAIAALBA)paps_exec
+(+   42048  501736vBA+   54144  501736KAAHAA+   72288  501736MAANAAHAAOAAPAANAAQAAVAARBANAAQAAUAAOAACAAFAAIAAVAAMAAZAAUAACAAFAANAAJAACAAsAAYAAbAA)paps_exec
+(+   42048  490072vBA+   54144  490072hAAHBAFAA+   78336  490072DAAZAAPAAPAAHAAJAA+  120672  490072rAAPAA+  138816  490072LBANAAUAAUAACAAUAA+  181152  490072JAAcAACAA+  205344  490072PAAHAAIAAIAAHAAQAAfAA+  253728  490072aAACAANAAJAAEAAFAACAALBA)paps_exec
+(+   42048  478408vBA+   54144  478408hAAHBAFAA+   78336  478408IAACAAQAAUAA+  108576  478408rAArAAZAAEAAJAAYAAEAAJAApAAVAAJAAPAAYAAVAAPAACAAFAAfAACAA)paps_exec
+(+   42048  466744vBA+   54144  466744PAAEAAJAAJAA+   84384  466744rAANAA+  102528  466744VAAJAAPAAYAAVAAPAACAAFAAfAACAA+  169056  466744rAAIAA+  187200  466744LBASBAYAANAAJAADAAcAATBA+  241632  466744hAAEAAfAAaAAHAAzAARAA+  290016  466744aAACAANAAJAAEAAFAACAALBA+  344448  466744uBA)paps_exec
+(+   60192  455080yAAZAAZAAIAAJAAKAAhAArAAPAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAAVAANAAVAAPAAUAADAADAAsAADAAzAA+  277920  455080xAAVAAUAACAAKAAVAAQAAEAAOAAOAA)paps_exec
+()paps_exec
+(+   36000  431752BAACAACAA+   60192  431752cAAJAAJAAYAAIAALAAVAAVAADAAZAAUAACAAsAAOAANAAEAAQAADAAcAAYAANAAUAAsAAQAACAAJAAVAAIBAyAAZAAZAAIAAJAAKAAhAAVAAPAANAAHAAOAAPAANAAQAAVAAlAAsAAkAArAAYAAfAAYAArAAIAAPAAHAAPAACAA+  410976  431752aAAZAAFAA+  435168  431752HAAQAAIAAJAAFAAEAADAAJAAHAAZAAQAAIAAsAA)paps_exec
+(+   36000  420088oAA+   48096  420088aAANAAQAADAAbAA+   84384  420088gAACAAhAAHAAQAAJAACAAFAAaAANAADAACAA+  163008  420088JAAZAA+  181152  420088JAAcAAHAAIAA+  211392  420088KAACAAFAAIAAHAAZAAQAA+  259776  420088DAAZAAQAAJAAFAAZAAOAA+  308160  420088IAAbAAIAAJAACAAPAA+  350496  420088HAAIAA+  368640  420088NAAKAANAAHAAOAANAAhAAOAACAA+  429120  420088NAAJAA+  447264  420088GAANAAEAAQAADAAcAAYAANAAUAALBAIAA)paps_exec
+(+   36000  408424jAANAAHBANAANAAFAA+   78336  408424YAANAAfAACAAsAA)paps_exec
+()paps_exec
+(+   36000  385096qAAcAACAAFAACAA+   72288  385096HAAIAA+   90432  385096NAA+  102528  385096PBAcAAEAAfAACAAQBA+  144864  385096qAADBAKBADBArAAOAAHAAIAAJAARAA+  211392  385096NAAJAA)paps_exec
+(+   36000  373432cAAJAAJAAYAALAAVAAVAAQAAZAAQAArAAfAAQAAEAAsAAEAAKAAJAAsAAQAAOAAVAAPAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAAVAAqAADBAKBADBAsAASAATAASAArAABAAMAAWAAMAAXAA+  368640  373432sAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  338440qAAcAACAA+   60192  338440aAAEAAJAAEAAFAACAA)paps_exec
+(+   36000  326776pAApAApAApAApAApAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  303448uAAEAAFAAFAACAAQAAJAAOAAbAA+   96480  303448PBAlAAmAAmAAnAArAAmAAkAArAAkAAlAAQBA+  175104  303448JAAcAACAAFAACAA+  211392  303448NAAFAACAA+  235584  303448CBA+  247680  303448MAANAAHAAOAAPAANAAQAA+  296064  303448hAAFAANAAQAADAAcAACAAIAALAA+  356544  303448lAAsAAkAARAA+  386784  303448lAAsAAlAA+  410976  303448NAAQAAUAA+  435168  303448CBAsAA+  459360  303448eAAYAA+  477504  303448JAAZAA)paps_exec
+(+   36000  291784QAAZAAgAARAA+   66240  291784ZAAQAAOAAbAA+   96480  291784aAAZAAFAA+  120672  291784lAAsAAkAA+  144864  291784JAAcAACAAFAACAA+  181152  291784cAANAAKAACAA+  211392  291784hAACAACAAQAA+  241632  291784IAAJAANAAhAAOAACAA+  283968  291784FAACAAOAACAANAAIAACAAIAAsAA+  350496  291784dAAZAA+  368640  291784aAANAAQAADAAbAA+  404928  291784QAACAAgAA+  429120  291784IAAJAAEAAaAAaAA+  465408  291784gAAHAAOAAOAA+  495648  291784hAACAA)paps_exec
+(+   36000  280120HAAQAAJAAFAAZAAUAAEAADAACAAUAA+  102528  280120HAAQAA+  120672  280120lAAsAAkAA+  144864  280120ZAAFAA+  163008  280120lAAsAAlAAsAA+  199296  280120oAAOAAOAA+  223488  280120CAAzAADAAHAAJAAHAAQAAfAA+  277920  280120QAACAAgAA+  302112  280120UAACAAKAACAAOAAZAAYAAPAACAAQAAJAA+  374688  280120gAAHAAOAAOAA+  404928  280120JAANAAtAACAA+  435168  280120YAAOAANAADAACAA+  471456  280120HAAQAA+  489600  280120JAAcAACAA)paps_exec
+(+   36000  268456CBArAAhAAFAANAAQAADAAcAAsAA)paps_exec
+()paps_exec
+(+   36000  245128GAANAAJAACAAIAAJAA+   78336  245128QAACAAgAAIAA+  108576  245128aAAZAAFAA+  132768  245128lAAsAAkAA+  156960  245128NAAQAAUAA+  181152  245128lAAsAAlAALAA)paps_exec
+()paps_exec
+(+   36000  221800DBAQAA+   54144  221800BAAEAAQAAUAANAAbAA+   96480  221800iAANAAQAAEAANAAFAAbAA+  144864  221800kAAkAARAA+  169056  221800MAANAAFAAtAA+  199296  221800BAANAAYAAHAAFAAZAA+  241632  221800FAACAAOAACAANAAIAACAAUAA+  296064  221800lAAsAAkAAsAAkAAlAAFAADAAkAALAA+  362592  221800NAA+  374688  221800hAAEAAfAAaAAHAAzAA+  417024  221800NAAQAAUAA+  441216  221800YAAbAAJAAcAAZAAQAA+  483552  221800lAAsAApBA)paps_exec
+(+   36000  210136DAAZAAPAAYAANAAJAAHAAhAAHAAOAAHAAJAAbAA+  120672  210136FAACAAOAACAANAAIAACAAsAA)paps_exec
+()paps_exec
+(+   36000  186808DBAQAA+   54144  186808iAANAAQAA+   78336  186808CBARAA+   96480  186808lAAmAAmAAnAARAA+  132768  186808NAAJAA+  150912  186808lAALAAJBAkAA+  181152  186808SAAMAARAA+  205344  186808MAANAAFAAtAA+  235584  186808BAANAAYAAHAAFAAZAA+  277920  186808gAAFAAZAAJAACAALAA)paps_exec
+(+   36000  175144ABA+   48096  175144WAA+   60192  175144CAAzAAYAACAADAAJAA+  102528  175144JAAZAA+  120672  175144IAAcAAHAAYAA+  150912  175144JAAcAACAA+  175104  175144aAAHAAQAANAAOAA+  211392  175144lAAsAAkAAsAAkAAlAA+  253728  175144FAACAAOAACAANAAIAACAA+  302112  175144hAAbAA+  320256  175144JAAcAACAA+  344448  175144CAAQAAUAA+  368640  175144ZAAaAA+  386784  175144iAANAAQAAEAANAAFAAbAAsAA)paps_exec
+(+   36000  163480SBAsAAsAAsAATBA)paps_exec
+(+   36000  151816ABA+   48096  151816oAAaAAJAACAAFAA+   84384  151816iAANAAQAAEAANAAFAAbAARAA+  138816  151816PAAbAA+  156960  151816aAAZAADAAEAAIAA+  193248  151816gAAHAAOAAOAA+  223488  151816hAACAA+  241632  151816ZAAQAA+  259776  151816MAANAAHAAOAAPAANAAQAA+  308160  151816lAAsAAlAAsAA+  344448  151816WAA+  356544  151816cAAZAAYAACAA+  386784  151816JAAZAA+  404928  151816hAACAA+  423072  151816NAAhAAOAACAA+  453312  151816JAAZAA)paps_exec
+(+   36000  140152ABA+   48096  140152FAACAAOAACAANAAIAACAA+   96480  140152NAA+  108576  140152lAAsAAlAA+  132768  140152hAACAAJAANAA+  163008  140152hAACAAaAAZAAFAACAA+  205344  140152JAAcAACAA+  229536  140152CAAQAAUAA+  253728  140152ZAAaAA+  271872  140152MAANAAFAADAAcAARAA+  314208  140152lAAmAAmAAnAAsAA)paps_exec
+()paps_exec
+(+   36000  116824GAANAAJAACAAIAAJAA+   78336  116824QAACAAgAAIAA+  108576  116824aAAZAAFAA+  132768  116824CBALAA)paps_exec
+()paps_exec
+(+   36000   93496DBAQAA+   54144   93496BAANAAJAARAA+   84384   93496CBA+   96480   93496iAANAAQAA+  120672   93496lAAmAAmAAnAA+  150912   93496jAANAAFAAFAAbAA+  187200   93496EBANAAFAAIAANAAgAA+  229536   93496gAAFAAZAAJAACAALAA)paps_exec
+(+   36000   81832ABA+   48096   81832FBACAAOAACAANAAIAACAAUAA+  102528   81832CBAsAAmAA+  126720   81832NAAOAAYAAcAANAA+  163008   81832lAA)paps_exec
+(+   36000   70168SBAsAAsAAsAATBA)paps_exec
+(+   36000   58504ABA+   48096   58504IAAJAAHAAOAAOAA+   84384   58504NAAQAA+  102528   58504NAAOAAYAAcAANAA+  138816   58504IAAQAANAAYAAIAAcAAZAAJAA+  193248   58504NAAQAAUAA+  217440   58504QAAZAAJAA+  241632   58504IAAEAAHAAJAANAAhAAOAACAA+  296064   58504aAAZAAFAA+  320256   58504YAAFAAZAAUAAEAADAAJAAHAAZAAQAA+  386784   58504IAAbAAIAAJAACAAPAAIAARAA+  441216   58504aAAEAAQAADAAJAAHAAZAAQAANAAOAA)paps_exec
+(+   36000   46840ABA+   48096   46840CAAQAAZAAEAAfAAcAA+   90432   46840JAAZAA+  108576   46840DAAFAACAANAAJAACAA+  150912   46840PAANAAHAAOAAHAAQAAfAA+  199296   46840OAAHAAIAAJAAIAARAA+  241632   46840NAAUAAUAA+  265824   46840NAAQAAUAA+  290016   46840FAACAAPAAZAAKAACAA+  332352   46840PAACAAPAAhAACAAFAAIAARAA+  386784   46840IAACAAQAAUAA+  417024   46840CAAPAANAAHAAOAA+  453312   46840aAAFAAZAAPAA+  483552   46840NAAQAAUAA+  507744   46840JAAZAA)paps_exec
+paps_eop
+showpage
+%%Page: 10 10
+paps_bop
+(+   36000  793336ABA+   48096  793336OAAHAAIAAJAAIAAsAA+   90432  793336SBAsAAsAAsAATBA)paps_exec
+(+   36000  781672ABA+   48096  781672qAAcAACAA+   72288  781672gAACAAhAA+   96480  781672HAAQAAJAACAAFAAaAANAADAACAA+  156960  781672HAAIAA+  175104  781672IAAJAAHAAOAAOAA+  211392  781672QAAZAAJAA+  235584  781672aAAEAAQAADAAJAAHAAZAAQAANAAOAARAA+  308160  781672IAAZAA+  326304  781672aAAZAAFAA+  350496  781672QAAZAAgAA+  374688  781672bAAZAAEAA+  398880  781672cAANAAKAACAA+  429120  781672JAAZAA+  447264  781672HAAQAAJAACAAFAANAADAAJAA)paps_exec
+(+   36000  770008ABA+   48096  770008gAAHAAJAAcAA+   78336  770008MAANAAHAAOAAPAANAAQAA+  126720  770008KAAHAANAA+  150912  770008JAAcAACAA+  175104  770008DAAZAAPAAPAANAAQAAUAA+  223488  770008OAAHAAQAACAAsAA)paps_exec
+()paps_exec
+(+   36000  746680WAAJAA+   54144  746680HAAIAA+   72288  746680QAAZAAJAA+   96480  746680tAAQAAZAAgAAQAA+  132768  746680gAAcAACAAQAA+  163008  746680NAA+  175104  746680IAAJAANAAhAAOAACAA+  217440  746680MAANAAHAAOAAPAANAAQAA+  265824  746680CBA+  277920  746680gAAHAAOAAOAA+  308160  746680fAACAAJAA+  332352  746680FAACAAOAACAANAAIAACAAUAAsAA+  398880  746680PBAoAAIAA+  423072  746680MBAFAACAACAA+  453312  746680BAAZAAaAAJAAgAANAAFAACAA)paps_exec
+(+   36000  735016cAANAADAAtAACAAFAAIAA+   84384  735016IAANAAbAALAA+  114624  735016JAAcAANAAJAALBAIAA+  156960  735016EAAYAA+  175104  735016JAAZAA+  193248  735016nBAbAAZAAEAAnBA+  229536  735016CCAQBA)paps_exec
+()paps_exec
+(+   36000  711688WAALBAKAACAA+   66240  711688FAACAAlBAEAACAAIAAJAACAAUAA+  126720  711688IAAEAAYAAYAAZAAFAAJAA+  175104  711688aAAZAAFAA+  199296  711688JAAcAACAA+  223488  711688YAAFAAZAAyAACAADAAJAA+  271872  711688ZAAQAA+  290016  711688kBA+  302112  711688MAANAAFAA+  326304  711688lAAmAAmAAwAAsAA+  368640  711688oAAJAA+  386784  711688JAAcAANAAJAA+  417024  711688JAAHAAPAACAA+  447264  711688HAAJAA+  465408  711688IAACAACAAPAACAAUAA)paps_exec
+(+   36000  700024gAAHAAIAACAAIAAJAA+   78336  700024JAAZAA+   96480  700024aAAZAADAAEAAIAA+  132768  700024ZAAQAA+  150912  700024YAANAAJAADAAcAAHAAQAAfAA+  205344  700024lAAsAAkAAsAA+  241632  700024WAA+  253728  700024gAAZAAEAAOAAUAA+  290016  700024OAAHAAtAACAA+  320256  700024JAAZAA+  338400  700024YAAZAAFAAJAA+  368640  700024JAAcAACAA+  392832  700024YAANAAJAADAAcAA+  429120  700024JAAZAA+  447264  700024lAAsAAlAARAA+  477504  700024ZAAQAADAACAA)paps_exec
+(+   36000  688360JAAcAACAAFAACAALBAIAA+   84384  688360NAA+   96480  688360IAAJAANAAhAAOAACAA+  138816  688360lAAsAAlAA+  163008  688360FAACAAOAACAANAAIAACAAsAA+  223488  688360RBAZAAgAACAAKAACAAFAARAA+  277920  688360WAA+  290016  688360UAAZAAQAALBAJAA+  326304  688360JAAcAAHAAQAAtAA+  362592  688360JAAcAACAA+  386784  688360MAANAAHAAOAAPAANAAQAA+  435168  688360UAACAAKAACAAOAAZAAYAACAAFAAIAA)paps_exec
+(+   36000  676696gAAZAAEAAOAAUAA+   72288  676696OAAHAAtAACAA+  102528  676696JAAZAA+  120672  676696IAAcAAHAAYAA+  150912  676696NAA+  163008  676696lAAsAAlAA+  187200  676696HAAQAADAAOAAEAAUAAHAAQAAfAA+  247680  676696JAAcAACAA+  271872  676696YAANAAJAADAAcAAsAA+  320256  676696WAA+  332352  676696cAANAAKAACAAQAALBAJAA+  380736  676696bAACAAJAA+  404928  676696HAAQAAKAACAAIAAJAAHAAfAANAAJAACAAUAA+  483552  676696NAAhAAZAAEAAJAA)paps_exec
+(+   36000  665032JAAcAACAA+   60192  665032aAACAANAAIAANAAhAAHAAOAAHAAJAAbAA+  132768  665032ZAAaAA+  150912  665032YAAZAAFAAJAAHAAQAAfAA+  199296  665032JAAcAACAA+  223488  665032YAANAAJAADAAcAA+  259776  665032JAAZAA+  277920  665032CBAsAA+  302112  665032WAAJAA+  320256  665032aAAZAAFAA+  344448  665032IAAEAAFAACAA+  374688  665032gAAZAAEAAOAAUAA+  410976  665032hAACAA+  429120  665032NAA+  441216  665032KAACAAFAAbAA+  471456  665032EAAIAACAAaAAEAAOAA)paps_exec
+(+   36000  653368YAAFAAZAAyAACAADAAJAACCA+   96480  653368PBAoAAQAAUAA+  126720  653368HAAJAA+  144864  653368PAAHAAfAAcAAJAA+  181152  653368hAACAA+  199296  653368CAANAAIAAbAALAA+  235584  653368hAACAAHAAQAAfAA+  271872  653368YAAOAAEAAfAAfAANAAhAAOAACAA+  332352  653368HAAIAA+  350496  653368ZAAQAACAA+  374688  653368ZAAaAA+  392832  653368JAAcAACAA+  417024  653368UAACAAIAAHAAfAAQAA+  459360  653368UAACAADAAHAAIAAHAAZAAQAAIAA)paps_exec
+(+   36000  641704aAAZAAFAA+   60192  641704MAANAAHAAOAAPAANAAQAA+  108576  641704CBAsAAQBA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  606712uAAZAAQAAJAANAADAAJAARAA+   90432  606712lBAEAACAAIAAJAAHAAZAAQAAIAA)paps_exec
+(+   36000  595048pAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  571720WAAaAA+   54144  571720bAAZAAEAALBAFAACAA+   96480  571720HAAQAAJAACAAFAACAAIAAJAACAAUAA+  163008  571720HAAQAA+  181152  571720cAACAAOAAYAAHAAQAAfAA+  229536  571720gAAHAAJAAcAA+  259776  571720JAAcAACAA+  283968  571720gAAZAAFAAtAARAA+  320256  571720bAAZAAEAA+  344448  571720PAAHAAfAAcAAJAA+  380736  571720OAAHAAtAACAA+  410976  571720JAAZAA+  429120  571720IAAEAAhAAIAADAAFAAHAAhAACAA+  489600  571720JAAZAA)paps_exec
+(+   36000  560056JAAcAACAA+   60192  560056UAACAAKAACAAOAAZAAYAACAAFAA+  120672  560056OAAHAAIAAJAA+  150912  560056aAAZAAFAA+  175104  560056BAAGAABAALAA+  205344  560056IAAIAAOAAIAArAAUAACAAKAA+  259776  560056VAANAAVAA+  283968  560056EAAOAAPAAsAADAADAADAAsAAUAACAAsAA+  362592  560056PBAGBACAAIAARAA+  398880  560056JAAcAANAAJAALBAIAA+  441216  560056IAABAAOAAIAAsAA)paps_exec
+(+   36000  548392jAANAADAAtAAgAANAAFAAUAAIAA+   96480  548392DAAZAAPAAYAANAAJAAHAAhAAHAAOAAHAAJAAbAA+  181152  548392LAAQBAsAA+  211392  548392PBAqAAcAANAAQAAtAAIAA+  259776  548392NAA+  271872  548392OAAZAAJAA+  296064  548392JAAZAA+  314208  548392BAAJAACAAaAANAAQAA+  356544  548392BAADAAcAAOAAZAAJAAJAA+  404928  548392aAAZAAFAA+  429120  548392cAAZAAIAAJAAHAAQAAfAA+  477504  548392JAAcAAHAAIAA)paps_exec
+(+   36000  536728OAAHAAIAAJAAsAAQBA)paps_exec
+()paps_exec
+(+   36000  513400WAAaAA+   54144  513400bAAZAAEAALBAUAA+   90432  513400OAAHAAtAACAA+  120672  513400JAAZAA+  138816  513400DAAZAAQAAJAANAADAAJAA+  187200  513400JAAcAACAA+  211392  513400NAAEAAJAAcAAZAAFAA+  253728  513400UAAHAAFAACAADAAJAAOAAbAARAA+  314208  513400PAANAAHAAOAA+  344448  513400iAAZAAZAAIAAJAA+  380736  513400KAANAAQAA+  404928  513400jAANAANAAOAA+  435168  513400ZAAQAA)paps_exec
+(+   36000  501736xAAyAAZAAZAAIAAJAAKAAhAArAAPAANAAHAAOAAPAANAAQAArAAYAAfAAYAArAAIAAPAAHAAPAACAA+  199296  501736VAANAAVAA+  223488  501736PAAUAADAADAAsAADAAzAAABAsAA+  290016  501736WAALBAPAA+  314208  501736ZAAQAA+  332352  501736WAAFBAuAA+  356544  501736JAAZAAZAALAA)paps_exec
+(+   36000  490072yAAZAAZAAIAAJAAKAAhAAwBAzBADBAMBAqAAuAARAAaAAFAACAACAAQAAZAAUAACAAACAsAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  455080qAAcAANAAQAAtAAIAA)paps_exec
+(+   36000  443416pAApAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  420088iAACAAFAAZAACAAQAA+   78336  420088RBAZAAYAAYAACAAQAAhAAFAAZAAEAAgAACAAFAAIAA+  169056  420088PBA+  181152  420088cAAJAAJAAYAALAAVAAVAAcAAZAAYAAYAAHAACAAsAAQAAOAAVAA+  290016  420088QBA+  302112  420088aAAZAAFAA+  326304  420088cAACAAOAAYAAHAAQAAfAA+  374688  420088JAAFAANAAQAAIAAOAANAAJAAHAAQAAfAA+  447264  420088JAAcAACAA)paps_exec
+(+   36000  408424SAAOAANAAJAAZAAQAAZAAKAA+   90432  408424lBAEAAZAAJAACAAsAA+  138816  408424qAAcAACAA+  163008  408424MAANAAHAAOAAPAANAAQAA+  211392  408424DAAZAAPAAPAAEAAQAAHAAJAAbAARAA+  277920  408424aAAZAAFAA+  302112  408424fAAHAAKAAHAAQAAfAA+  344448  408424KAANAAOAAEAANAAhAAOAACAA+  398880  408424aAACAACAAUAAhAANAADAAtAA+  453312  408424NAAQAAUAA+  477504  408424PAANAAtAAHAAQAAfAA)paps_exec
+(+   36000  396760MAANAAHAAOAAPAANAAQAA+   84384  396760YAAZAAIAAIAAHAAhAAOAACAAsAA+  150912  396760TAAEAAEAAIAA+  181152  396760BAAOAAHAACAAYAACAAQAARAA+  235584  396760aAAZAAFAA+  259776  396760fAAEAANAAFAAUAAHAAQAAfAA+  314208  396760JAAcAACAA+  338400  396760YAANAAJAADAAcAALBAIAA+  386784  396760IAACAADAAEAAFAAHAAJAAbAAsAA+  453312  396760qAAcAACAA+  477504  396760dAAGAAQAACAAJAA)paps_exec
+(+   36000  385096aAAZAAEAAQAAUAANAAJAAHAAZAAQAARAA+  108576  385096aAAZAAFAA+  132768  385096PAANAAtAAHAAQAAfAA+  175104  385096JAAcAACAA+  199296  385096gAAZAAFAAtAA+  229536  385096ZAAQAA+  247680  385096JAAcAAHAAIAA+  277920  385096YAANAAJAADAAcAA+  314208  385096YAAZAAIAAIAAHAAhAAOAACAAsAA)paps_exec
+()paps_exec
+()paps_exec
+(+   36000  350104dAAZAAJAACAAIAA)paps_exec
+(+   36000  338440pAApAApAApAApAA)paps_exec
+()paps_exec
+(+   36000  315112SBAkAATBALAA+   66240  315112qAAcAACAA+   90432  315112BAAPAANAAOAAOAA+  126720  315112BAAHAAIAAJAACAAFAA+  169056  315112SAAFAAZAAyAACAADAAJAA+  217440  315112NAAHAAPAAIAA+  247680  315112JAAZAA+  265824  315112HAAQAADAAFAACAANAAIAACAA+  320256  315112bAAZAAEAAFAA+  350496  315112YAAFAAHAAKAANAADAAbAA+  398880  315112hAAbAA+  417024  315112UAACAAOAAHAAKAACAAFAAHAAQAAfAA)paps_exec
+(+   36000  303448BAAPAANAAOAAOAAMAANAAHAAOAABAACAAFAAKAACAAFAA+  132768  303448NAAQAAUAA+  156960  303448BAAPAANAAOAAOAAMAANAAHAAOAAuAAOAAHAACAAQAAJAARAA+  259776  303448DAAFAACAANAAJAAHAAQAAfAA+  314208  303448NAA+  326304  303448YAAFAAHAAKAANAADAAbAArAAaAAFAAHAACAAQAAUAAOAAbAA+  429120  303448IAAbAAIAAJAACAAPAA+  471456  303448gAAcAACAAFAACAA)paps_exec
+(+   36000  291784YAACAAFAAIAAZAAQAANAAOAA+   90432  291784UAANAAJAANAA+  120672  291784HAAIAA+  138816  291784YAAFAAZAAYAACAAFAAOAAbAA+  193248  291784IAACAADAAEAAFAACAAUAAsAA+  253728  291784eAAIAAHAAQAAfAA+  290016  291784qAAZAAFAA+  314208  291784NAAQAAUAA+  338400  291784TAAQAAEAAYAATAARAA+  380736  291784HAAJAA+  398880  291784CAAQAANAAhAAOAACAAIAA+  447264  291784PBAZAAYAAJAAHAAZAAQAANAAOAAOAAbAA)paps_exec
+(+   36000  280120NAAQAAZAAQAAbAAPAAZAAEAAIAAQBA+  102528  280120CAArAAPAANAAHAAOAA+  144864  280120gAAHAAJAAcAAZAAEAAJAA+  193248  280120JAAcAACAA+  217440  280120hAAEAAFAAUAACAAQAA+  259776  280120ZAAaAA+  277920  280120UAANAAJAANAA+  308160  280120FAACAAJAACAAQAAJAAHAAZAAQAA+  368640  280120NAAQAAUAA+  392832  280120CAANAAKAACAAIAAUAAFAAZAAYAAYAAHAAQAAfAAsAA)paps_exec
+()paps_exec
+paps_eop
+showpage
+%%Pages: 10
+%%Trailer
+%%EOF
diff -durP mailman-2.1.15/pgp-smime/talk/Makefile mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/Makefile
--- mailman-2.1.15/pgp-smime/talk/Makefile	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/Makefile	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,12 @@
+# joostvb@bruhat:~/bz.../2.1-pgp-smime/pgp-smime% a2ps -o mailman-pgp-smime-talk.ps mailman-pgp-smime-talk.txt 
+
+mailman-pgp-smime-talk.ps: mailman-pgp-smime-talk.txt
+	paps --font='Monospace 10' < $< > $@
+
+%.pdf: %.ps
+	ps2pdf $< $@
+
+install:
+	scp mailman* freitag:/srv/www/non-gnu.uvt.nl/mailman-pgp-smime/pgp-smime/talk/
+
+.PHONY: install
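Review bot: The `install` recipe uploads with the glob `mailman*`, so whatever in this directory matches that prefix at the time is copied to the web root, not only the talk files. Naming the files explicitly keeps the published set predictable, e.g. `scp mailman-pgp-smime-talk.txt mailman-pgp-smime-talk.ps freitag:/srv/www/non-gnu.uvt.nl/mailman-pgp-smime/pgp-smime/talk/`. The target also has no prerequisites, so it can publish a stale or missing PostScript file; `install: mailman-pgp-smime-talk.ps` would force a rebuild first. The first-line comment records an `a2ps` shell invocation while the rule runs `paps`, so it would be clearer as `# Typeset the talk notes with paps; ps2pdf converts the result to PDF.`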
Les fichiers binaires mailman-2.1.15/pgp-smime/talk/membership-configuration.png et mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/membership-configuration.png sont différents.
Les fichiers binaires mailman-2.1.15/pgp-smime/talk/popcon-non-mailman.png et mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/popcon-non-mailman.png sont différents.
Les fichiers binaires mailman-2.1.15/pgp-smime/talk/popcon.png et mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/popcon.png sont différents.
Les fichiers binaires mailman-2.1.15/pgp-smime/talk/privacy-options-gpg.png et mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/privacy-options-gpg.png sont différents.
Les fichiers binaires mailman-2.1.15/pgp-smime/talk/privacy-options.png et mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/privacy-options.png sont différents.
Les fichiers binaires mailman-2.1.15/pgp-smime/talk/privacy-options-smime.png et mailman-2.1.15-pgp-smime_2010-09-08/pgp-smime/talk/privacy-options-smime.png sont différents.
diff -durP mailman-2.1.15/README.PGP-SMIME.html mailman-2.1.15-pgp-smime_2010-09-08/README.PGP-SMIME.html
--- mailman-2.1.15/README.PGP-SMIME.html	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/README.PGP-SMIME.html	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,270 @@
+<?xml version="1.0"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
+   <title>The Secure List Server: an OpenPGP and S/MIME aware Mailman</title>
+        </head><body>
+<h1>The Secure List Server: an OpenPGP and S/MIME aware Mailman</h1>
+<hr/>
+
+<p>This patch is an effort to include OpenPGP and S/MIME support in Mailman, as
+part of the Secure List Server project.  The project is made possible by <a
+href="http://www.nlnet.nl/">NLnet</a>.</p>
+
+<p>The Secure List Server project's home is at <a
+href="http://non-gnu.uvt.nl/mailman-pgp-smime/">
+http://non-gnu.uvt.nl/mailman-pgp-smime/</a>.  Sources are available from <a
+href="http://non-gnu.uvt.nl/pub/mailman/">http://non-gnu.uvt.nl/pub/mailman/</a>.</p>
+
+<p>New versions of this patch will be announced on the <a
+href="http://mail.python.org/mailman/listinfo/mailman-developers">Mailman
+developers list</a></p>
+
+<p>This is Mailman <a
+href="https://sourceforge.net/tracker/index.php?func=detail&amp;aid=1167696&amp;group_id=103&amp;atid=300103">patch
+#1167696</a>.</p>
+
+<p>Beware!  This code is not mature, and not yet suitable for production use.
+Inspect the code to find out if it's good enough for you.</p>
+
+
+<h2>Specs</h2>
+
+<p>This patch handles both RFC 2633 (S/MIME) and RFC 2440 (OpenPGP) email
+messages.</p>
+
+<p>A post will be distributed only if the PGP (or S/MIME) signature on the post
+is from one of the list members.</p>
+
+<p>For sending encrypted email, a list member encrypts to the public key of the
+list.  The post will be decrypted and re-encrypted to the public keys of all
+list members.</p>
+
+<p>In order to achieve this, each list has a public and private key.  (These
+private keys can optionally be protected by passphrases.) Furthermore, new list
+settings are defined:</p>
+
+<ul>
+ <li>gpg_post_encrypt: Are postings which are encrypted with the GPG list key
+  decrypted?  Are subcribers forced to encrypt their posts?</li>
+ <li>gpg_distrib_encrypt: Are posts encrypted to the subscribers GPG public key
+  before being distributed?  Is such encryption (and uploading of a public
+  key) mandatory?</li>
+ <li>gpg_post_sign: Should posts be GPG signed with an acknowledged subscriber
+  key before being distributed?</li>
+ <li>gpg_distrib_sign: Should the server sign messages with the list key
+  before distributing?</li>
+</ul>
+
+<p>Similar settings are defined for S/MIME.</p>
+
+<p>Finally, each subscriber can upload her PGP and S/MIME public key using the
+webinterface.</p>
+
+
+<h2>Installation</h2>
+
+<p>Additional requirements: gpg binary in path of qrunner, GnuPGInterface
+python library from <a
+href="http://py-gnupg.sourceforge.net/">http://py-gnupg.sourceforge.net/</a>
+and (for now) openssl.</p>
+
+
+<h3>upgrading from earlier and/or unpatched versions</h3>
+
+<p>PGP and S/MIME support needs to store additional information for the mailing
+lists, thus new variables were introduced. Have a look at bin/update and search
+for "GPG" and "smime".</p>
+
+<p>The automatic upgrade procedure occuring on a change of the version number
+is implemented yet untested.  You can either modify the version number in
+Version.py to trigger the automatic patch, or run bin/update --force (worked
+for me, but I won't give any guarantees).</p>
+
+<h3>fresh installs</h3>
+
+<p>If you're installing on a Debian(-based) hosts, you can "apt-get install"
+the patched package from</p>
+
+<pre>
+deb http://non-gnu.uvt.nl/debian sarge mailman
+</pre>
+
+<p>If you're on another platform, you can apply <a
+href="http://non-gnu.uvt.nl/pub/mailman/">the patch</a> to a pristine official
+mailman tarball, and install using the official installation instructions.</p>
+
+<h3>setting up lists</h3>
+
+<p>Create a list. Go to the admin menu.  Open "Privacy options", select "GPG
+options" and "S/MIME options". Make the settings appropriate for your list
+(yes, there is some help text!).  Create a keypair for your list.  Make sure
+the list-posting-address is in one of the keys identities.  Publish the public
+key for your list, e.g. on the list info page.  Ask all subscribers to upload
+their public key.  A good idea is to set up the web interface to only run over
+https.</p>
+
+<p>Very likely, you'd prefer "Confirm and approve" as subscribe_policy (Privacy
+Options; Subscribtion Rules).</p>
+
+<p>Very likely, you'd prefer "No" for archive (Archiving Options): no effort
+was made to do something "sane" w.r.t. the archiving of encrypted posts.  Just
+don't archive.</p>
+
+<p>Subscribers who do not upload their public keys will miss posts.  Errors
+show up in <code>/var/log/mailman/smtp-failure</code>:</p>
+
+<pre>Mar 24 15:29:28 2005 (5267) delivery to joe@example.com failed with
+  code 550: Encryption forced, but no keys found</pre>
+
+<p>Tell your subscribers where to upload their keys: list Info Page,
+Subscribers section. Visit "Subscriber List", choose your address, list
+membership configuration, "Your GPG key for postings".</p>
+
+<p>Distribute the list public key to your subscribers, e.g. by posting it to
+the list after they've subscribed, or by pasting it in "[General Options],
+info" in the list admin webinterface.</p>
+
+<h3>l10n</h3>
+
+<p>I only updated the english html template for the user preferences;
+that means that users using a different language setting will be unable
+to upload their public key. Either allow English only, or make the
+patches to other language templates (and send the diff to me).</p>
+
+<h3>lost emails</h3>
+
+<p>Users <em>won't get warnings</em> when mails are not delivered to them due
+to the encryption send policy. Failures to send due to a missing public key
+will be treated like bounces.</p>
+
+
+<h2>Hacking</h2>
+
+<p>If you're interested in helping with the work, you might like to subscribe
+to the developer list for a GPG/SMIME-enhanced mailman <a
+href="https://ulm.ccc.de/cgi-bin/mailman/listinfo/ssls-dev/">ssls-dev /a/
+ulm.ccc.de</a>.  (Thanks a lot to <a href="http://stefan.ploing.de/">Stefan
+Schlott</a> for hosting this list.)  If you'd like to contact the author
+directly, mail Joost van Baal on &lt;joostvb-mailman-pgp-smime /a/ mdcc.cx&gt;.</p>
+
+<p>If you'd like to contribute patches, check out the code using <a
+href="http://bazaar-vcs.org/">Bazaar</a>: See <a
+href="https://code.launchpad.net/~joostvb/mailman/2.1-pgp-smime">https://code.launchpad.net/~joostvb/mailman/2.1-pgp-smime</a>
+for instructions.</p>
+
+<p>A fancy webinterface to this version control system is available at <a
+href="http://bazaar.launchpad.net/~joostvb/mailman/2.1-pgp-smime/files">Launchpad's
+Bazaar page</a>.</p>
+
+<!--
+<p>If you'd like your changes to get imported in
+<code>http://non-gnu.uvt.nl/repos/mailman-ssls</code>, so that your stuff will
+get incorporated in the pgp-smime patch, you have some options:</p>
+
+<ul>
+ <li>Publish your patches using darcs: set up a repository, readable by Joost
+van Baal (the current maintainer of the repository on
+<code>non-gnu.uvt.nl</code>).  Mail the ssls-devel list once you have some
+interesting stuff, ready for importing: Joost will run <code>darcs
+pull</code>;</li>
+ <li>Sent patches by email, using darcs (run <code>darcs record</code> and
+<code>darcs send</code>, so that your patch is ready for
+<code>darcs apply</code>) or using traditional unified diff
+format;</li>
+ <li>Commit to the repository on <code>non-gnu.uvt.nl</code> directly.  You
+can get write access either after asking and getting granted access, or after
+being invited and accepting access.</li>
+</ul>
+
+<p>Please split contributions and patches in small bits: one patch for each
+functional change please.  This helps people who'd like to apply just a subset
+of your patches.</p> -->
+
+
+<h2>History, credits, copyright</h2>
+
+<p>This patch is based upon <a
+href="http://medien.informatik.uni-ulm.de/~stefan/gpg-mailman.html">prior work
+by Stefan Schlott</a> in mailman-2.1.5-gpg_2005-02-22.diff.gz.  Copyright on
+the code is held by Stefan Schlott (stuff from
+mailman-2.1.5-gpg_2005-02-22.diff.gz) and <a href="http://www.uvt.nl/">Tilburg
+University</a> (stuff written by Joost van Baal), see the individual files for
+details.  Some contributions are from <a href="http://www.feiri.de/">Michael
+Feiri</a>.</p>
+
+<p>Biggest lumps of changes by Joost van Baal are in Mailman/GPGUtils.py
+(function verifyMessage added) and in Mailman/Handlers/Moderate.py (code which
+deals with gpg_post_sign added).  These are likely nontrivial so
+copyright-able.  Check with a specialist if you'd like to know for sure.
+Likely, Mailman upstream wants a copyright assignment to FSF before patch gets
+included.</p>
+
+<p>In 2005, this project was known as the SURFnet Secure List Server
+(mailman-ssls).  <a href="http://www.surfnet.nl/">SURFnet</a> and <a
+href="http://www.uvt.nl/">Tilburg University</a> made the project possible.
+Since 2008, the project is made possible by <a
+href="http://www.nlnet.nl/">NLnet</a>.</p>
+
+<h2>See also</h2>
+
+<p>There are some alternative approaches on building a general re-encrypting
+secure list server (e.g. by integrating PGP and/or S/MIME with Mailman):</p>
+
+<ul>
+
+ <li><a href="https://sourceforge.net/projects/mmreencrypt/">mmreencrypt</a>,
+dating from 2000-10.</li>
+
+ <li>mailman.patch.645297.tar.gz, Mailman <a
+href="http://sourceforge.net/tracker/index.php?func=detail&amp;aid=645297&amp;group_id=103&amp;atid=300103">patch
+#645297</a> by <a href="http://www.apache-ssl.org/ben.html">Ben Laurie</a>,
+dating from 2002-11.</li>
+
+ <li>secure-list-10-212.patch.gz, the NAH6 secure list patch, <a
+href="http://sourceforge.net/tracker/index.php?func=detail&amp;aid=646989&amp;group_id=103&amp;atid=300103">patch
+#646989</a>, dating from 2002-12</li>
+
+ <li><a href="http://www.sympa.org/">Sympa</a> is a mailing list manager with
+support for S/MIME, no PGP.</li>
+
+ <li><a href="http://www.synacklabs.net/projects/crypt-ml/">gpg-ezmlm</a>
+enhances the ezmlm mailing list manager with PGP.  Latest release 2005-04
+(first release 2002-05).  No S/MIME.  Since 2008-10, a webinterface (for both
+ezmlm and gpg-ezmlm) is supplied by Lars Kruse's <a
+href="https://systemausfall.org/toolforge/ezmlm-web">ezmlm-web</a> v3.3.</li>
+
+ <li><a href="http://shibboleth.sourceforge.net/">Shibboleth</a> is a mailing
+list manager optimized for privacy and security.  No significant work after
+2001: project seems abandoned.  Support for PGP, not S/MIME.</li>
+
+ <li><a href="http://freshmeat.net/projects/gpg-aliases/">gpgmailalias</a> is not a
+mailing list system, but a semi-static list of aliases with PGP support.
+Probably no support for S/MIME.  Was active in 2004-09.  The tarball
+seems no longer published.</li>
+
+ <li><a href="http://codecoop.org/projects/firma/">firma</a> is a "gnupg
+mailing list manager", written in bash.  As of 2008-10, the last code update in
+the revision control system happened 2008-01.</li>
+
+ <li><a href="http://freshmeat.net/projects/parlement/">Parlement</a> is a general
+purpose direct democracy framework, with likely some limited support for
+PGP-enabled mailing lists.  Not S/MIME.</li>
+
+ <li><a href="https://sourceforge.net/projects/mmreencrypt/">MMReencrypt</a>,
+another Mailman patch. No longer maintained (reported Mar 2008).</li>
+
+ <li><a href="http://codecoop.org/projects/schleuder/">Schleuder</a>, a
+standalone 'crypto mailinglist'.  Still maintained (according to their
+versioning system), but last release (as of Mar 2008) dates back to 2006.</li>
+
+</ul>
+
+
+<h2>ChangeLog, BUGS, Roadmap and Reports</h2>
+
+<p>See <a href="NEWS.PGP-SMIME">NEWS.PGP-SMIME</a> for user visible (and some
+other) changes.  See <a href="TODO.PGP-SMIME">TODO.PGP-SMIME</a> for known bugs
+and plans for improvement. See the <a href="pgp-smime">pgp-smime directory</a>
+for some extra project documents (Security Audit reports, project reports).</p>
+
+</body></html>
diff -durP mailman-2.1.15/templates/en/options.html mailman-2.1.15-pgp-smime_2010-09-08/templates/en/options.html
--- mailman-2.1.15/templates/en/options.html	2009-12-22 19:00:43.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/templates/en/options.html	2010-09-08 14:41:10.000000000 +0200
@@ -144,6 +144,38 @@
 
 <p>
 <TABLE WIDTH="100%" BORDER="0" CELLSPACING="0" CELLPADDING="5">
+    <TR><TD COLSPAN=2 WIDTH="100%" BGCOLOR="#FFF0D0"><FONT COLOR="#000000">
+        <B>Your GPG key for postings to the <MM-List-Name> list</B>
+        </FONT></TD></TR>
+
+    <tr valign="TOP"><td>
+	<a name=gpgkey>
+	<MM-GPGKey-Box>
+    </td></tr>
+    <tr><td>
+	<MM-Change-GPGKey-Button>
+        <mm-global-gpgkey-changes-button>Change globally.
+    </td></tr>
+</TABLE>
+
+<p>
+<TABLE WIDTH="100%" BORDER="0" CELLSPACING="0" CELLPADDING="5">
+    <TR><TD COLSPAN=2 WIDTH="100%" BGCOLOR="#FFF0D0"><FONT COLOR="#000000">
+        <B>Your S/MIME key for postings to the <MM-List-Name> list</B>
+        </FONT></TD></TR>
+
+    <tr valign="TOP"><td>
+	<a name=gpgkey>
+	<MM-SMIMEKey-Box>
+    </td></tr>
+    <tr><td>
+	<MM-Change-SMIMEKey-Button>
+        <mm-global-smimekey-changes-button>Change globally.
+    </td></tr>
+</TABLE>
+
+<p>
+<TABLE WIDTH="100%" BORDER="0" CELLSPACING="0" CELLPADDING="5">
     <TR><TD WIDTH="100%" BGCOLOR="#FFF0D0"><FONT COLOR="#000000">
         <B>Your <MM-List-Name> Subscription Options</B>
         </FONT></TD></TR>
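Review bot: The new S/MIME table reuses `<a name=gpgkey>` from the GPG table just above it, so the page ends up with two anchors of the same name and a `#gpgkey` fragment link can only reach the first one. The second anchor should get its own name, `<a name="smimekey"></a>`, and whatever code builds links to this section would need to use it (that code is outside this hunk). Both anchors are also left unclosed and unquoted; closing them as `<a name="gpgkey"></a>` keeps the key box and button that follow out of the anchor element.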
diff -durP mailman-2.1.15/TODO.PGP-SMIME mailman-2.1.15-pgp-smime_2010-09-08/TODO.PGP-SMIME
--- mailman-2.1.15/TODO.PGP-SMIME	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.15-pgp-smime_2010-09-08/TODO.PGP-SMIME	2010-09-08 14:41:10.000000000 +0200
@@ -0,0 +1,422 @@
+TODO file for the Mailman Secure List Server Patch
+==================================================
+
+This file lists a roadmap, bugs and wishes.  A description of a test-suite
+is included.
+
+Goals
+-----
+
+The Secure List Server project has 5 main targets:
+
+ 1) Make sure the patch applies cleanly to latest stable Mailman
+     release
+ 2) Perform a security audit on the mailman-ssls codebase, and fix
+     found issues
+ 3) Make the patch non-intrusive and minimal
+ 4) Write and publish documentation
+ 5) Disseminate results
+
+details:
+
+2) Security Audit
+See also bugs #0009 #0012 #0013 #0030 #0033.  Optional fix critical bugs as
+listed on http://non-gnu.uvt.nl/mailman-pgp-smime/TODO.SSLS
+
+3) Make patch non-intrusive and minimal
+Default Mailman behavious should be the same as unpatched Mailman.
+Use one library for all crypto-operations, e.g. GPGME.
+See also bug #0015.
+
+4) Documentation
+Documentation is needed for:
+ - endusers (list subscribers: html helpfiles in webfrontend)
+ - list admins (html helpfiles in webfrontend)
+ - site admins (TeX documentation in tarball)
+ - developers (python docstrings in code)
+See also: #0011 #0012 #0020 #0034
+
+5) Disseminate
+ - Create a Debian and an RPM package of patched Mailman.
+
+See the project reports in the pgp-smime directory (online at
+http://non-gnu.uvt.nl/mailman-pgp-smime/pgp-smime/) for details.
+
+
+Bugs and Wishes
+---------------
+
+This is a detailed list of known bugs and of current wishes/tasks.
+
+- Do more testing.
+
+work  /severity  work is: easy, normal, difficult.
+                 severity is: wishlist, normal, critical.
+
+#0001 normal/crit   Fatal error:
+ shamir:/var/log/mailman/error
+ Apr 26 13:22:11 2005 (23365) Uncaught runner exception: [Errno 32] Broken pipe
+ Apr 26 13:22:11 2005 (23365) Traceback (most recent call last):
+  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 111, in _oneloop
+    self._onefile(msg, msgdata)
+  File "/usr/lib/mailman/Mailman/Queue/Runner.py", line 167, in _onefile
+    keepqueued = self._dispose(mlist, msg, msgdata)
+  File "/usr/lib/mailman/Mailman/Queue/OutgoingRunner.py", line 73, in _dispose
+    self._func(mlist, msg, msgdata)
+  File "/usr/lib/mailman/Mailman/Handlers/GpgSMTPDirect.py", line 146, in process
+    deliveryfunc(mlist, msg, msgdata, envsender, refused, conn)
+  File "/usr/lib/mailman/Mailman/Handlers/GpgSMTPDirect.py", line 378, in verpdeliver
+    ciphertext = gh.encryptSignMessage(plaintext,keyids)
+  File "/var/lib/mailman/Mailman/GPGUtils.py", line 281, in encryptSignMessage
+    p.handles['stdin'].close()
+ IOError: [Errno 32] Broken pipe
+ Apr 26 13:22:11 2005 (23365) SHUNTING: 1114514530.3134+8c6726072985dc472532b1f538236a4365743440
+  .
+  Probably occurs when private key for list is missing, and:
+   gpg_postings-allowed: Yes
+   gpg_distrib_encrypt: Yes
+   gpg_post_sign: Yes
+   gpg_distrib_sign: Yes
+#0002 normal/crit   The "change global" toggle in the subscribers
+  upload-your-public-key webgui box is broken:
+   joostvb@shamir:~% gpg --homedir /var/lib/mailman/lists/ssls-private/gpg
+     --fingerprint
+  doesn't show the key.  See also #0066.
+#0003 easy  /normal Prepare translations for the 'upload pgp key' web thingie.
+  Especially Dutch is needed.  Users who have a non-english preferred language
+  won't see this option now.
+#0005 normal/wish   Bounce messages to posters ("Message has to be encrypted!")
+  have same subject as post.  That's better be: "Subject: Message rejected
+  (was: foo)".
+#0006 ?     /?      Using the web roster, any subscriber can view any
+  subscribers' preferences, including public key.  And maybe even change.  Can
+  it?
+#0007 easy  /normal Under some circumstances, uploading a bogus public
+  subscriber key leads to posts being silently discarded (even the admin does
+  not get a notification) if list has gpg_distrib_encrypt Force.
+#0008 easy  /crit   Remove all debug code: currently, it sends way to much
+  stuff to syslog.
+#0009 diffic/?      Harden this thing: re-encrypt immediately after decrypting.
+  This patch (re)encrypts _just_ before sending.
+#0011 normal/normal Merge more of my own docs (doc/secure-list-patch.pod,
+  doc/mutt.txt, doc/smime.pod) with this patch.
+#0012 easy  /crit   Fix documentation: when creating a list, make sure the
+  listadmin password is _not_ sent via plain email: Someone stealing the list
+  admin password has access to the list private key.  Therefore, create the list
+  using the CLI, and transport password manually via secure channel.
+#0013 easy  /normal Perhaps we should suggest an empty passphrase for list
+  keys in our interface: The passphrase is stored in clear-text anyway.
+  Perhaps even just remove the passphare textbox in the webgui. gpg warns when
+  creating such a key: "You need a Passphrase to protect your secret key.
+  [...] You don't want a passphrase - this is probably a *bad* idea!  I will
+  do it anyway.  You can change your passphrase at any time, using this program
+  with the option "--edit-key"."
+#0014 ?     /normal Passphrase as supplied to webinterface cannot contain
+  stuff which needs html-escaping.  Workaround: use [:alphanum:] only.
+#0015 diffic/normal We should refuse to create an html list archive for secure
+  lists.  (Currently, the default for new lists is changed by this patch from
+  do-archive to don't-archive.)
+#0016 normal/wish   Perhaps we should enable fetching public keys from
+  subscribers from OpenPGP keyservers.  Pasting huge public keys can be a pita.
+#0017 ?     /crit   It seems we need a symlink
+    /usr/lib/mailman/Mailman/GnuPGInterface.py ->
+             /usr/lib/site-python/GnuPGInterface.py
+  We might have to hack paths.py to fix this.
+#0018 normal/?      It'd be nice if commandline interfaces and email interfaces
+  could be used for configuring (some of the) gpg stuff too, e.g. for uploading
+  public keys.
+#0019 ?     /crit   Member public keys should be importable from a
+  database; therefore write CLI's.
+#0020 easy  /crit   Add ^L-thingies and other stuff from Mailman coders
+  styleguide to this patch.
+#0021 diffic/?      Add extra configuration toggle: some users might want to
+  post signed, but receive unencrypted posts unencrypted.  Currently, this is
+  not possible.
+#0022 easy  /crit   (Perhaps a problem in the Debian package only: )
+  /var/log/mailman/gpg is not rotated.
+#0023 ?     /wish   If a list has:
+   gpg_post_encrypt Yes           (encrypt post to listkey)
+   gpg_distrib_encrypt Force         (distribute encypted)
+   gpg_post_sign        Force         (should posts be signed)
+   gpg_distrib_sign         Yes           (distribute signed)
+  and someone is subcribed without having uploaded her public key, then
+  this person receives posts mangled: content-type header says us-ascii,
+  while body is quoted-printable.
+#0024 diffic/?      If a post is properly signed, accept it, no matter wether
+  the From-adress is subscribed and no matter the sender moderation policy.
+  However: Although this is possible and perhaps desirable, one should
+  remember that only the body of an email is signed and/or encrypted, but
+  not the headers.  If a subscriber is allowed to change the From header at
+  will, he can try to impersonate another person when sending an email to the
+  list.  It is best to restrict the contents of the From header to the email
+  address(es) listed in the subscriber's public key.
+#0025 ?     /?      Problems with umlauts aka inline-pgp-trouble - seems to be
+  fixed, but requires additional testing
+#0026 ?     /wish   Inline PGP-mail with attachments - undefined results. Some
+  mailers can produce this. :-(
+#0027 ?     /?      Deal with both inline (aka traditional) pgp signed/encrypted
+  posts as well as pgpg/mime; test this.
+#0028 diffic/wish   If the "force" policy is in effect: reject plaintext control
+  e-mails that contain a command with a password - currently all unsigned
+  control e-mails are accepted without question because subscribe requests are
+  handled over this channel as well
+#0029 diffic/wish   If the "force" policy is in effect: "fuzzy checking", that
+  is, if only part of the e-mail is encrypted (with cleartext underneath the PGP
+  block).  Is there a need for this?
+#0030 diffic/crit   Deal with subscribers without public keys: Notification
+  e-mail to those who haven't uploaded a key; and/or: make a (CLI) interface
+  to check for subscibers without keys, to be used by site- or list-admin.
+  Under some circumstances, these subscribers receive all mail in clear-text,
+  even the encrypted ones. (The best way to deal with this issue is not to
+  allow someone to subscribe without providing a public key for lists that
+  require one.  For subscription via email, require that the subscription
+  request is properly signed, and automatically store the public key along
+  with other subscriber's details.  For subscription via the web, require
+  that the subscriber uploads his public key in the same form as the
+  subscription request.  In both cases, require that the subscriber's
+  response to the verification email is also signed.)
+#0031 ?     /normal  When bouncing e-mail because list policy was violated
+  (e.g., someone sent unencrypted e-mail to mailman even though
+  encryption-policy="force"): only bounce the headers, not the complete e-mail
+  message.  By allowing the body of an email to be included in the bounce, an
+  attacker can send emails containing viruses or other unwanted payloads to a
+  list, and can forge the From header so the bounce will be sent to a victim
+  of choosing.
+#0032 diffic/wish   Fix the way mails are sent out over SMTP: do chunking for
+  encrypted e-mail too. see also
+  http://mail.python.org/pipermail/mailman-developers/2005-February/017910.html
+  .
+#0033 ?     /crit   All defaults should be strict: lists not visible on
+  listinfo page,
+  no roster, only listadmin can add members.  Perhaps it's best to add
+  this to install manual: system-admin, you should hack mm_cfg.py!
+#0034 normal/crit   Write proper documentation for listadmins and subscribers.
+  Ideally distribute this in a patch to the official Mailman docs.  We'd possibly
+  need to fix upstream Makefile for this: how is documentation being typesetted
+  before being distributed?  Should we include patches for both .tex and .ps in
+  our patch?  Or hack installation instructions and recommend running "make doc"
+  manually?  See thread:
+   Date: Wed, 4 Jan 2006 16:57:33 +0100
+   From: Joost van Baal
+   To: Maiman Developers
+   Subject: preferred documentation format, sources for documentation in admin/www
+   Message-ID: <20060104155733.GA29152@banach.uvt.nl>
+#0035 diff  /crit   Try to make this patch clean (i.e.: default behaviour for
+  non-ssls lists should be the same; minimize the amount of ssls code executed
+  for such lists), in order to get it into upstream Mailman (or the Mailman
+  Debian package).
+#0036 diff  /wish   When re-encrypting a signed message, the original signature
+  gets lost: this makes it possible for one list member to pose as another list
+  member.  In theory, it should be possible to keep the original signature after
+  decryption.  (Since GnuPG has no option to decrypt a message without removing
+  its signature, SLS currently cannot preserve the original signature, but rather
+  adds its own when forwarding an email.  One should ask (and perhaps sponsor)
+  the GnuPG developers to implement this missing feature.  In the mean time,
+  one should not allow messages to be posted where the From header does not
+  match one of the email addresses associated with the public key used to sign
+  the email (see also item 0024 above).)
+#0037 normal/wish   Merge stuff from Stefan's 2005-05-03 patch in this patch.
+#0038 normal/normal Create a commit list for the darcs repository and announce
+  it.  See the thread following
+   Date: Fri, 12 Aug 2005 11:26:30 +0200
+   From: Joost van Baal <j.e.vanbaal@uvt.nl>
+   To: SURFnet Secure List Server Development List <ssls-devel@securelist.surfnet.nl>
+   Message-ID: <20050812092630.GA16126@banach.uvt.nl>
+   Subject: [Ssls-devel] current status and plans of Mailman SSLS: S/MIME and
+    other stuff
+  .  Possibly we can use the RSS feed from the darcs webinterface for this.
+#0039 easy/normal   Bounce message: "Unsigned post to Secure list" is
+  misleading, and should be rephrased to "Post to Secure List not signed
+  with registered subscriber PGP key".
+
+#0040               Tag work and severity of all bugs listed below.
+
+#0041 (smime) Check if trouble with "broken pipe" problem is really fixed now.
+  use 2 tmpfiles for each popen3-call in SMIMEUtils.py, to be sure no
+  deadlocking will occur.  ideas: use os.system, not popen3.  Clean up code.
+
+#0042 (smime) Check signing and signing-and-encrypting.
+  + sending signed as j.e.vanbaal+20051121@uvt.nl to
+    test-smime@securelist.surfnet.nl: OK (recheck!)
+    sending bare as j.e.vanbaal+20051121@uvt.nl to
+    test-smime@securelist.surfnet.nl: OK (recheck!)
+
+#0043 (smime) In the webgui, add an interface to upload a list-key (or one to
+ create one).
+
+#0044 (smime) Clean up comments in Mailman/SMIMEUtils.py
+
+#0045 Check all FIXME's and TODO's in all files.
+
+#0046 Value tests are crap, for both gpg and smime.  Very often " =='1' " is
+  written where " == 1 " should have been written.  Very often tests for 'Force'
+ ' and 'No' are done.  Just test for int.s.
+
+#0047 Use os.path.join , not "/".
+
+#0048 (smime) Clean up and make more robust: decryptSmime(mlist, msg, msgdata) in
+Mailman/Handlers/Moderate.py
+
+#0049 (smime) In Mailman/SMIMEUtils.py, implement
+encryptSignMessage(self,msg,recipients)
+
+#0050 (smime) make sure posts get encrypted and signed if needed
+  Perhaps it is best determine whether an incoming email as signed or encrypted,
+  and mark this somewhere in its headers, such that the marking does not get
+  removed while the email is being processed by SLS.  When sending outgoing
+  emails, preferably right before the email is sent to the SMTP server, it should
+  be verified that if the message is marked signed, the outgoing email is indeed
+  signed.  The same goes for encryption (and PGP).
+
+#0051 (smime) reimplement specifying recipient for encrypting, check
+Handlers/GpgSMTPDirect.py: having one .pem-file for each member is suboptimal,
+but that's how it's done in sympa-5.1: use email adress in filename!
+
+#0052 for both GPG and S/MIME: the list never sends out a list-key-signed message which
+  is not encrypted, no matter the list-privacy-settings.  It should!
+
+#0053 (smime) Make sure SMIMEUtils.py behaves sane when smime/*pem is lacking.
+
+#0054 (smime) Deal with
+
+ From: Werner Koch
+ To: Joost van Baal
+ Cc: GnuPG Users
+ Subject: Re: handling S/MIME messages with gpgsm
+ Date: Mon, 24 Oct 2005 09:13:51 +0200
+ Message-ID: <8764rnbd5c.fsf@wheatstone.g10code.de>
+
+  Find out how to make
+   gpgsm --verify signed.CMS signed.body
+  succeed: how to create signed.CMS and signed.body for an S/MIME
+  detached-signed message?
+
+#0055 Deal with stuff in thread
+
+   Date: Fri, 12 Aug 2005 11:26:30 +0200
+   From: Joost van Baal
+   To: SURFnet Secure List Server Development List
+   Message-ID: <20050812092630.GA16126@banach.uvt.nl>
+
+#0056 shamir's gpgsm and gnupg-agent is from gnupg2 (1.9.18-0.1); 9.19 is
+  available.  Upgrade shamir from stuff at non-gnu.
+  Install 1.9.19 stuff from http://non-gnu.uvt.nl/debian/scratch/ on shamir.
+
+#0057 Ask Stefan Schlott to acknowledge the added comment with a link to
+  http://non-gnu.uvt.nl/mailman-ssls on
+  http://medien.informatik.uni-ulm.de/~stefan/linux/gpg-mailman .
+
+#0058 The sympa ( http://www.sympa.org/, GPL ) mailing list manager calls the
+  openssl binary from within Perl.  Check out the smime_* functions in
+  sympa-4.1.5/src/tools.pl.  (Or use the 5.1 sources)
+
+#0059 Don't use openssl and GnuPGInterface, but pyme.
+  KMail is said to use GPGME for S/MIME.  Study its source.
+  SMScrypto.py from http://smallsister.org/git/SmallMail.git implements
+  crypto in python using pyme.  Study (steal?) its source.
+
+#0060 emailf00f by Guus Sliepen deals with PGP.  Study its source.
+
+#0061 (smime) study RFC 2630 [CMS] and RFC 2315 [PKCS7]
+
+#0062 (smime) _robustly_ identify incoming S/MIME posts:
+
+   RFC 3851 3.9.  Identifying an S/MIME Message
+
+   MIME type:   application/pkcs7-mime
+   parameters:  any
+   file suffix: any
+
+   MIME type:   multipart/signed
+   parameters:  protocol="application/pkcs7-signature"
+   file suffix: any
+
+   MIME type:   application/octet-stream
+   parameters:  any
+   file suffix: p7m, p7s, p7c, p7z
+
+#0063 (smime) Integrate all other useful private notes in
+  <20050913155839.GQ8055@banach.uvt.nl>.
+
+#0064 (smime) Finish our small test scripts:
+  + Document genkey.py, so that our action is reproducable.
+  + Document decrypt.py, so that our action is reproducable.
+  + Write a script like descrypt.py which performs verification.
+  + Tidy up section "importing a secret key".  Find out wether we can do this
+    without using CA.pl.  Tidy up the description in scratch/simple.py .
+  + adjust documentation of scripts in scratch/ (simple.py) to no longer
+    use precooked keys from gpgme1.0_1.0.3/tests/gpgsm/.
+  + Send our hacked example scripts to pyme upstream.
+  + Merge decrypt.py and simple.py in mailman-smime.py.
+
+#0065 (smime) In GpgSMTPDirect.py we fetch only the first attachment when
+ dealing with S/MIME.  We search for attachments only 2 levels deep.  That's
+ suboptimal...
+
+#0066 It seems to be impossible to remove (or change) a public
+  key for a subscriber.  Even after unsubscribing, the key seems to be kept.
+  Currently, one needs to do something like
+   # GNUPGHOME=/var/lib/mailman/lists/test-secure/gpg gpg --delete-key 88C6EDF6
+  Under some circumstances (member is subscribed, key was purged later),
+  uploading a public key using the webgui fails.  One might have to do:
+   # GNUPGHOME=/var/lib/mailman/lists/test-secure/gpg gpg --import < /tmp/a
+  It seems the list gets confused about the keyid belonging to the subscriber.
+  See also #0002.
+  .
+  When fixing this, be sure to get rid of the gpgkeyids and gpgkeys properties
+  of a MailList object.  Store all this stuff in _one_ dictionary, keyed by
+  member-email-adresses.  Be sure to adjust the unsubscribtion hook: currently,
+  the dictionaries are not cleaned after unsubscription.
+
+#0067 If permissions on pubring.gpg are borked, Mailman gets hit by a Broken
+  pipe, and messages get shunted.
+
+#0068 We are vulnerable for replay attacks.  Likely it's useful to protect against
+  those: likely our subscribers will silently assume we're not vulnerable.
+
+ Fri 13 13:48 < guus> joostvb: heeft SSLS al replay protection?
+ Fri 13 13:58 < joostvb> guus: is OpenPGP kwetsbaar voor replay-attacks?
+ Fri 13 13:58 < Fruit> alleen als je de datum niet controleert
+ Fri 13 13:59 < guus> joostvb: ja, maar S/MIME ook voor zover ik weet.
+ Fri 13 13:59 < guus> Je moet controleren dat niet twee keer hetzelfde mailtje 
+                      verwerkt wordt.
+ Fri 13 13:59 < joostvb> hrm, ik schat zo in dat SSLS niet kwetsbaarderder is 
+                         voor die aanvallen dan OpenPGP en S/MIME
+ Fri 13 13:59 < guus> OpenPGP en S/MIME zijn protocollen, SSLS is een listserver.
+ Fri 13 14:00 < joostvb> guus: hrm, mensen kunnen toch een oude post bouncen 
+                         naar een lijst
+ Fri 13 14:00 < joostvb> guus: ik weet eigenlijk niet wat dan het beste is
+ Fri 13 14:01 < guus> Met OpenPGP is het iig zo dat er een uniek nummertje in 
+                      elke signature zit.
+ Fri 13 14:01 < joostvb> hm hm hm
+ Fri 13 14:01 < guus> Dus je moet die nummertjes onthouden.
+ Fri 13 14:01 < joostvb> misschien dat er inderdaad wel iets in zit ja, en dat 
+                         je zo'n bounce wilt weigeren
+ Fri 13 14:01 < guus> Zeg, een dag ofzo. En als je mailtjes krijgt wiens 
+                      signature ouder is dan een dag, dan moet je die sowieso 
+                      bouncen.
+
+  Thanks Guus Sliepen for bug report.
+
+#0069 We choke on keys with subkeys for signing.  E.g, when uploading a key
+
+ pub   4096R/0B86B067 2005-10-12
+       Key fingerprint = B8FA C2E2 5047 5B8C E940  A919 5793 0DAB 0B86 B067
+ uid                  Joost E. van Baal (Nederland, 1970)
+ uid                  Joost van Baal <J.E.vanBaal/a/uvt.nl>
+ sub   4096R/24525E9E 2005-10-12 [expires: 2008-10-11]
+ sub   4096R/43FF7C14 2005-10-12 [expires: 2008-10-11]
+
+  it is stored as 0x0b86b067.  However, when verifying the signature on a post,
+  0x24525e9e is found.  The test wether the signature is from a member fails on this.
+
+  This might have been fixed in revno: 433, timestamp: Thu 2008-06-26 23:26:02 +0200
+
+
+Test Suite
+----------
+
+Before shipping a new release, test it.  Obviously.
+
+FIXME: finish the script for this: pgp-smime/pgp-smime-testsuite.sh
+
