From nobody Sun Apr 28 21:37:47 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as
 permitted sender) client-ip=208.118.235.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Authentication-Results: mx.zohomail.com;
	spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted
 sender)  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by
 mx.zohomail.com
	with SMTPS id 1516900813361533.2275254242293;
 Thu, 25 Jan 2018 09:20:13 -0800 (PST)
Received: from localhost ([::1]:52525 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
	id 1eelC7-0000ES-Ex
	for importer@patchew.org; Thu, 25 Jan 2018 12:20:11 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:58516)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <berrange@redhat.com>) id 1eel1w-0000VW-S6
	for qemu-devel@nongnu.org; Thu, 25 Jan 2018 12:09:45 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <berrange@redhat.com>) id 1eel1s-00014Q-M9
	for qemu-devel@nongnu.org; Thu, 25 Jan 2018 12:09:40 -0500
Received: from mx1.redhat.com ([209.132.183.28]:47108)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <berrange@redhat.com>) id 1eel1s-00014E-DF
	for qemu-devel@nongnu.org; Thu, 25 Jan 2018 12:09:36 -0500
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
	[10.5.11.11])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id A88DDD5538
	for <qemu-devel@nongnu.org>; Thu, 25 Jan 2018 17:09:35 +0000 (UTC)
Received: from t460.redhat.com (unknown [10.33.36.65])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 4123C600D1;
	Thu, 25 Jan 2018 17:09:34 +0000 (UTC)
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
To: qemu-devel@nongnu.org
Date: Thu, 25 Jan 2018 17:09:30 +0000
Message-Id: <20180125170930.20009-1-berrange@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
	(mx1.redhat.com [10.5.110.38]);
	Thu, 25 Jan 2018 17:09:35 +0000 (UTC)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
	[fuzzy]
X-Received-From: 209.132.183.28
Subject: [Qemu-devel] [PATCH v2] docs: update information for TLS
 certificate management
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

From: "Daniel P. Berrange" <berrange@redhat.com>

The current docs for TLS assume only VNC is using TLS. Some of the informat=
ion
is also outdated (ie lacking subject alt name info for certs). Rewrite it to
more accurately reflect the current situation.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
---

Changed in v2:

 - Much content editting  / fixes (Eric)

 qemu-doc.texi | 364 +++++++++++++++++++++++++++++++++++++++++++-----------=
----
 1 file changed, 273 insertions(+), 91 deletions(-)

diff --git a/qemu-doc.texi b/qemu-doc.texi
index 3e9eb819a6..8ef7754f80 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -140,6 +140,7 @@ accelerator is required to use more than one host CPU f=
or emulation.
 * direct_linux_boot::  Direct Linux Boot
 * pcsys_usb::          USB emulation
 * vnc_security::       VNC security
+* network_tls::        TLS setup for network services
 * gdb_usage::          GDB usage
 * pcsys_os_specific::  Target OS specific information
 @end menu
@@ -1160,25 +1161,104 @@ with the aforementioned TLS + x509 options:
 qemu-system-i386 [...OPTIONS...] -vnc :1,tls,x509,sasl -monitor stdio
 @end example
=20
+@node vnc_setup_sasl
+
+@subsection Configuring SASL mechanisms
+
+The following documentation assumes use of the Cyrus SASL implementation o=
n a
+Linux host, but the principals should apply to any other SASL implementati=
on
+or host. When SASL is enabled, the mechanism configuration will be loaded =
from
+system default SASL service config /etc/sasl2/qemu.conf. If running QEMU a=
s an
+unprivileged user, an environment variable SASL_CONF_PATH can be used to m=
ake
+behaviour suddenly changedit search alternate locations for the service co=
nfig.
+
+If the TLS option is enabled for VNC, then it will provide session encrypt=
ion,
+otherwise the SASL mechanism will have to provide encryption. In the latter
+case the list of possible plugins that can be used is drastically reduced.=
 In
+fact only the GSSAPI SASL mechanism provides an acceptable level of securi=
ty
+by modern standards. Previous versions of QEMU referred to the DIGEST-MD5
+mechanism, however, it has multiple serious flaws described in detail in
+RFC 6331 and thus should never be used any more. The SCRAM-SHA-1 mechanism
+provides a simple username/password auth facility similar to DIGEST-MD5, b=
ut
+does not support session encryption, so can only be used in combination wi=
th
+TLS.
+
+When not using TLS the recommended configuration is
+
+@example
+mech_list: gssapi
+keytab: /etc/qemu/krb5.tab
+@end example
+
+This says to use the 'GSSAPI' mechanism with the Kerberos v5 protocol, with
+the server principal stored in /etc/qemu/krb5.tab. For this to work the
+administrator of your KDC must generate a Kerberos principal for the serve=
r,
+with a name of 'qemu/somehost.example.com@@EXAMPLE.COM' replacing
+'somehost.example.com' with the fully qualified host name of the machine
+running QEMU, and 'EXAMPLE.COM' with the Kerberos Realm.
+
+When using TLS, if username+password authentication is desired, then a
+reasonable configuration is
+
+@example
+mech_list: scram-sha-1
+sasldb_path: /etc/qemu/passwd.db
+@end example
+
+The saslpasswd2 program can be used to populate the passwd.db file with
+accounts.
+
+Other SASL configurations will be left as an exercise for the reader. Note=
 that
+all mechanisms except GSSAPI, should be combined with use of TLS to ensure=
 a
+secure data channel.
=20
-@node vnc_generate_cert
-@subsection Generating certificates for VNC
=20
-The GNU TLS packages provides a command called @code{certtool} which can
-be used to generate certificates and keys in PEM format. At a minimum it
-is necessary to setup a certificate authority, and issue certificates to
-each server. If using certificates for authentication, then each client
-will also need to be issued a certificate. The recommendation is for the
-server to keep its certificates in either @code{/etc/pki/qemu} or for
-unprivileged users in @code{$HOME/.pki/qemu}.
+@node network_tls
+@section TLS setup for network services
+
+Almost all network services in QEMU have the ability to use TLS for
+session data encryption, along with x509 certificates for simple
+client authentication. What follows is a description of how to
+generate certificates suitable for usage with QEMU, and applies to
+the VNC server, character devices with the TCP backend, NBD server
+and client, and migration sever and client.
+
+At a high level, QEMU requires certificates and private keys to be
+provided in PEM format. Aside from the core fields, the certificates
+should include various extension data sets, including v3 basic
+constraints data, key purpose, key usage and subject alt name.
+
+The GNUTLS package includes a command called @code{certtool} which can
+be used to easily generate certificates and keys in the required format
+with expected data present. Alternatively a certificate management
+service may be used.
+
+At a minimum it is necessary to setup a certificate authority, and
+issue certificates to each server. If using x509 certificates for
+authentication, then each client will also need to be issued a
+certificate.
+
+Assuming that the QEMU network services will only ever be exposed to
+clients on a private intranet, there is no need to use a commercial
+certificate authority to create certificates. A self-signed CA is
+sufficient, and in fact likely to be more secure since it removes
+the ability of malicious 3rd parties to trick the CA into mis-issuing
+certs for impersonating your services. The only likely exception
+where a commercial CA might be desirable is if enabling the VNC
+websockets server and exposing it directly to remote browser clients.
+In such a case it might be useful to use a commercial CA to avoid
+needing to install custom CA certs in the web browsers.
+
+The recommendation is for the server to keep its certificates in either
+@code{/etc/pki/qemu} or for unprivileged users in @code{$HOME/.pki/qemu}.
=20
 @menu
-* vnc_generate_ca::
-* vnc_generate_server::
-* vnc_generate_client::
+* network_generate_ca::
+* network_generate_server::
+* network_generate_client::
 @end menu
-@node vnc_generate_ca
-@subsubsection Setup the Certificate Authority
+@node network_generate_ca
+@subsection Setup the Certificate Authority
=20
 This step only needs to be performed once per organization / organizational
 unit. First the CA needs a private key. This key must be kept VERY secret
@@ -1189,11 +1269,10 @@ issued with it is lost.
 # certtool --generate-privkey > ca-key.pem
 @end example
=20
-A CA needs to have a public certificate. For simplicity it can be a self-s=
igned
-certificate, or one issue by a commercial certificate issuing authority. To
-generate a self-signed certificate requires one core piece of information,=
 the
-name of the organization.
-
+To generate a self-signed certificate requires one core piece of informati=
on,
+the name of the organization. A template file @code{ca.info} should be
+populated with the desired data to avoid having to deal with interactive
+prompts from certtool:
 @example
 # cat > ca.info <<EOF
 cn =3D Name of your organization
@@ -1206,123 +1285,226 @@ EOF
            --outfile ca-cert.pem
 @end example
=20
-The @code{ca-cert.pem} file should be copied to all servers and clients wi=
shing to utilize
-TLS support in the VNC server. The @code{ca-key.pem} must not be disclosed=
/copied at all.
+The @code{ca} keyword in the template sets the v3 basic constraints extens=
ion
+to indicate this certificate is for a CA, while @code{cert_signing_key} se=
ts
+the key usage extension to indicate this will be used for signing other ke=
ys.
+The generated @code{ca-cert.pem} file should be copied to all servers and
+clients wishing to utilize TLS support in the VNC server. The @code{ca-key=
.pem}
+must not be disclosed/copied anywhere except the host responsible for issu=
ing
+certificates.
=20
-@node vnc_generate_server
-@subsubsection Issuing server certificates
+@node tls_generate_server
+@subsection Issuing server certificates
=20
 Each server (or host) needs to be issued with a key and certificate. When =
connecting
 the certificate is sent to the client which validates it against the CA ce=
rtificate.
-The core piece of information for a server certificate is the hostname. Th=
is should
-be the fully qualified hostname that the client will connect with, since t=
he client
-will typically also verify the hostname in the certificate. On the host ho=
lding the
-secure CA private key:
-
-@example
-# cat > server.info <<EOF
+The core pieces of information for a server certificate are the hostnames =
and/or IP
+addresses that will be used by clients when connecting. The hostname / IP =
address
+that the client specifies when connecting will be validated against the ho=
stname(s)
+and IP address(es) recorded in the server certificate, and if no match is =
found
+the client will close the connection.
+
+Thus it is recommended that the server certificate include both the fully =
qualified
+and unqualified hostnames. If the server will have permanently assigned IP=
 address(es),
+and clients are likely to use them when connecting, they may also be inclu=
ded in the
+certificate. Both IPv4 and IPv6 addresses are supported. Historically cert=
ificates
+only included 1 hostname in the @code{CN} field, however, usage of this fi=
eld for
+validation is now deprecated. Instead modern TLS clients will validate aga=
inst the
+Subject Alt Name extension data, which allows for multiple entries. In the=
 future
+usage of the @code{CN} field may be discontinued entirely, so providing SAN
+extension data is strongly recommended.
+
+On the host holding the CA, create template files containing the informati=
on
+for each server, and use it to issue server certificates.
+
+@example
+# cat > server-hostNNN.info <<EOF
 organization =3D Name  of your organization
-cn =3D server.foo.example.com
+cn =3D hostNNN.foo.example.com
+dns_name =3D hostNNN
+dns_name =3D hostNNN.foo.example.com
+ip_address =3D 10.0.1.87
+ip_address =3D 192.8.0.92
+ip_address =3D 2620:0:cafe::87
+ip_address =3D 2001:24::92
 tls_www_server
 encryption_key
 signing_key
 EOF
-# certtool --generate-privkey > server-key.pem
+# certtool --generate-privkey > server-hostNNN-key.pem
 # certtool --generate-certificate \
            --load-ca-certificate ca-cert.pem \
            --load-ca-privkey ca-key.pem \
-           --load-privkey server-key.pem \
-           --template server.info \
-           --outfile server-cert.pem
+           --load-privkey server-hostNNN-key.pem \
+           --template server-hostNNN.info \
+           --outfile server-hostNNN-cert.pem
 @end example
=20
-The @code{server-key.pem} and @code{server-cert.pem} files should now be s=
ecurely copied
-to the server for which they were generated. The @code{server-key.pem} is =
security
-sensitive and should be kept protected with file mode 0600 to prevent disc=
losure.
+The @code{dns_name} and @code{ip_address} fields in the template are setti=
ng
+the subject alt name extension data. The @code{tls_www_server} keyword is =
the
+key purpose extension to indicate this certificate is intended for usage in
+a web server. Although QEMU network services are not in fact HTTP servers
+(except for VNC websockets), setting this key purpose is still recommended.
+The @code{encryption_key} and @code{signing_key} keyword is the key usage
+extension to indicate this certificate is intended for usage in the data
+session.
=20
-@node vnc_generate_client
-@subsubsection Issuing client certificates
+The @code{server-hostNNN-key.pem} and @code{server-hostNNN-cert.pem} files
+should now be securely copied to the server for which they were generated,
+and renamed to @code{server-key.pem} and @code{server-cert.pem} when added
+to the @code{/etc/pki/qemu} directory on the target host. The @code{server=
-key.pem}
+file is security sensitive and should be kept protected with file mode 0600
+to prevent disclosure.
+
+@node tls_generate_client
+@subsection Issuing client certificates
+
+The QEMU x509 TLS credential setup defaults to enabling client verification
+using certificates, providing a simple authentication mechanism. If this
+default is used, each client also needs to be issued a certificate. The cl=
ient
+certificate contains enough metadata to uniquely identify the client with =
the
+scope of the certificate authority. The client certificate would typically
+include fields for organization, state, city, building, etc.
+
+Once again on the host holding the CA, create template files containing the
+information for each client, and use it to issue client certificates.
=20
-If the QEMU VNC server is to use the @code{x509verify} option to validate =
client
-certificates as its authentication mechanism, each client also needs to be=
 issued
-a certificate. The client certificate contains enough metadata to uniquely=
 identify
-the client, typically organization, state, city, building, etc. On the hos=
t holding
-the secure CA private key:
=20
 @example
-# cat > client.info <<EOF
+# cat > client-hostNNN.info <<EOF
+country =3D GB
+state =3D London
+locality =3D City Of London
+organization =3D Name of your organization
+cn =3D hostNNN.foo.example.com
+tls_www_client
+encryption_key
+signing_key
+EOF
+# certtool --generate-privkey > client-hostNNN-key.pem
+# certtool --generate-certificate \
+           --load-ca-certificate ca-cert.pem \
+           --load-ca-privkey ca-key.pem \
+           --load-privkey client-hostNNN-key.pem \
+           --template client-hostNNN.info \
+           --outfile client-hostNNN-cert.pem
+@end example
+
+The subject alt name extension data is not required for clients, so the
+the @code{dns_name} and @code{ip_address} fields are not included.
+The @code{tls_www_client} keyword is the key purpose extension to indicate
+this certificate is intended for usage in a web client. Although QEMU
+network clients are not in fact HTTP clients, setting this key purpose is
+still recommended. The @code{encryption_key} and @code{signing_key} keyword
+is the key usage extension to indicate this certificate is intended for
+usage in the data session.
+
+The @code{client-hostNNN-key.pem} and @code{client-hostNNN-cert.pem} files
+should now be securely copied to the client for which they were generated,
+and renamed to @code{client-key.pem} and @code{client-cert.pem} when added
+to the @code{/etc/pki/qemu} directory on the target host. The @code{client=
-key.pem}
+file is security sensitive and should be kept protected with file mode 0600
+to prevent disclosure.
+
+If a single host is going to be using TLS in both a client and server
+role, it is possible to create a single certificate to cover both roles.
+This would be quite common for the migration and NBD services, where a
+QEMU process will be started by accepting a TLS protected incoming migrati=
on,
+and later itself be migrated out to another host. To generate a single
+certificate, simply include the template data from both the client and ser=
ver
+instructions in one.
+
+@example
+# cat > both-hostNNN.info <<EOF
 country =3D GB
 state =3D London
-locality =3D London
+locality =3D City Of London
 organization =3D Name of your organization
-cn =3D client.foo.example.com
+cn =3D hostNNN.foo.example.com
+dns_name =3D hostNNN
+dns_name =3D hostNNN.foo.example.com
+ip_address =3D 10.0.1.87
+ip_address =3D 192.8.0.92
+ip_address =3D 2620:0:cafe::87
+ip_address =3D 2001:24::92
+tls_www_server
 tls_www_client
 encryption_key
 signing_key
 EOF
-# certtool --generate-privkey > client-key.pem
+# certtool --generate-privkey > both-hostNNN-key.pem
 # certtool --generate-certificate \
            --load-ca-certificate ca-cert.pem \
            --load-ca-privkey ca-key.pem \
-           --load-privkey client-key.pem \
-           --template client.info \
-           --outfile client-cert.pem
+           --load-privkey both-hostNNN-key.pem \
+           --template both-hostNNN.info \
+           --outfile both-hostNNN-cert.pem
 @end example
=20
-The @code{client-key.pem} and @code{client-cert.pem} files should now be s=
ecurely
-copied to the client for which they were generated.
+When copying the PEM files to the target host, save them twice,
+once as @code{server-cert.pem} and @code{server-key.pem}, and
+again as @code{client-cert.pem} and @code{client-key.pem}.
=20
+@node tls_creds_setup
+@subsection TLS x509 credential configuration
=20
-@node vnc_setup_sasl
+QEMU has a standard mechanism for loading x509 credentials that will be
+used for network services and clients. It requires specifying the
+@code{tls-creds-x509} class name to the @code{-object} command line
+argument for the system emulators. This also works for the helper tools
+like @code{qemu-nbd} and @code{qemu-img}, but is named @code{--object}.
+Each set of credentials loaded should be given a unique string identifier
+via the @code{id} parameter. A single set of TLS credentials can be used
+for multiple network backends, so VNC, migration, NBD, character devices
+can all share the same credentials. Note, however, that credentials for
+use in a client endpoint must be loaded separately from those used in
+a server endpoint.
=20
-@subsection Configuring SASL mechanisms
+When specifying the object, the @code{dir} parameters specifies which
+directory contains the credential files. This directory is expected to
+contain files with the names mentioned previously, @code{ca-cert.pem},
+@code{server-key.pem}, @code{server-cert.pem}, @code{client-key.pem}
+and @code{client-cert.pem} as appropriate. It is also possible to
+include a set of pre-generated diffie-hellman parameters in a file
+@code{dh-params.pem}, which can be created using the
+@code{certtool --generate-dh-params} command. If omitted, QEMU will
+dynamically generate DH parameters when loading the credentials.
=20
-The following documentation assumes use of the Cyrus SASL implementation o=
n a
-Linux host, but the principals should apply to any other SASL impl. When S=
ASL
-is enabled, the mechanism configuration will be loaded from system default
-SASL service config /etc/sasl2/qemu.conf. If running QEMU as an
-unprivileged user, an environment variable SASL_CONF_PATH can be used
-to make it search alternate locations for the service config.
+The @code{endpoint} parameter indicates whether the credentials will
+be used for a network client or server, and determines which PEM
+files are loaded.
=20
-If the TLS option is enabled for VNC, then it will provide session encrypt=
ion,
-otherwise the SASL mechanism will have to provide encryption. In the latter
-case the list of possible plugins that can be used is drastically reduced.=
 In
-fact only the GSSAPI SASL mechanism provides an acceptable level of securi=
ty
-by modern standards. Previous versions of QEMU referred to the DIGEST-MD5
-mechanism, however, it has multiple serious flaws described in detail in
-RFC 6331 and thus should never be used any more. The SCRAM-SHA-1 mechanism
-provides a simple username/password auth facility similar to DIGEST-MD5, b=
ut
-does not support session encryption, so can only be used in combination wi=
th
-TLS.
+The @code{verify} parameter determines whether x509 certificate
+validation should be performed. This defaults to enabled, meaning
+clients will always validate the server hostname against the
+certificate subject alt name fields and/or CN field. It also
+means that servers will request that clients provide a certificate
+and validate them. Verification should never be turned off for
+client endpoints, however, it may be turned off for server endpoints
+if an alternative mechanism is used to authenticate clients. For
+example, the VNC server can use SASL to authenticate clients
+instead.
=20
-When not using TLS the recommended configuration is
+To load server credentials with client certificate validation
+enabled
=20
 @example
-mech_list: gssapi
-keytab: /etc/qemu/krb5.tab
+$QEMU -object tls-creds-x509,id=3Dtls0,dir=3D/etc/pki/qemu,endpoint=3Dserv=
er
 @end example
=20
-This says to use the 'GSSAPI' mechanism with the Kerberos v5 protocol, with
-the server principal stored in /etc/qemu/krb5.tab. For this to work the
-administrator of your KDC must generate a Kerberos principal for the serve=
r,
-with a name of 'qemu/somehost.example.com@@EXAMPLE.COM' replacing
-'somehost.example.com' with the fully qualified host name of the machine
-running QEMU, and 'EXAMPLE.COM' with the Kerberos Realm.
-
-When using TLS, if username+password authentication is desired, then a
-reasonable configuration is
+while to load client credentials use
=20
 @example
-mech_list: scram-sha-1
-sasldb_path: /etc/qemu/passwd.db
+$QEMU -object tls-creds-x509,id=3Dtls0,dir=3D/etc/pki/qemu,endpoint=3Dclie=
nt
 @end example
=20
-The saslpasswd2 program can be used to populate the passwd.db file with
-accounts.
+Network services which support TLS will all have a @code{tls-creds}
+parameter which expects the ID of the tls credentials object. For
+example with VNC:
=20
-Other SASL configurations will be left as an exercise for the reader. Note=
 that
-all mechanisms except GSSAPI, should be combined with use of TLS to ensure=
 a
-secure data channel.
+@example
+$QEMU -vnc 0.0.0.0:0,tls-creds=3Dtls0
+@end example
=20
 @node gdb_usage
 @section GDB usage
--=20
2.14.3