diff options
834 files changed, 68518 insertions, 1838 deletions
diff --git a/contrib/pw-am.sh b/contrib/pw-am.sh index 8987eee8eb..d9d1187b0b 100755 --- a/contrib/pw-am.sh +++ b/contrib/pw-am.sh @@ -9,7 +9,7 @@ for patchnumber in $@; do - wget -nv http://patches.openembedded.org/patch/$patchnumber/mbox/ -O pw-am-$patchnumber.patch + wget -nv http://patchwork.yoctoproject.org/patch/$patchnumber/mbox/ -O pw-am-$patchnumber.patch git am -s pw-am-$patchnumber.patch rm pw-am-$patchnumber.patch done diff --git a/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb b/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb index d9864ac3e8..e4a0f95692 100644 --- a/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb +++ b/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb @@ -11,7 +11,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://fsck.c;md5=3859dc73da97909ff1d0125e88a27e02" DEPENDS = "zlib" -SRC_URI = "git://github.com/prasad-joshi/logfsprogs.git \ +SRC_URI = "git://github.com/prasad-joshi/logfsprogs.git;branch=master;protocol=https \ file://0001-Add-LDFLAGS-to-linker-cmdline.patch \ file://0001-btree-Avoid-conflicts-with-libc-namespace-about-setk.patch \ file://0001-include-sys-sysmacros.h-for-major-minor-definition.patch \ diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb index 6f5cb6cee9..efb331d7b2 100644 --- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb +++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb @@ -10,8 +10,7 @@ SRC_URI = "http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \ file://0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch \ " S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}" -SRC_URI[md5sum] = "d97474ae1954f772c6d2fa386a6f462c" -SRC_URI[sha256sum] = "3e5a021d7b761261836dcb305370af299793eedbded731df3d6943802e1262d5" +SRC_URI[sha256sum] = "f20e36ee68074b845e3629e6bced4706ad053804cbaf062fbae60738f854170c" UPSTREAM_CHECK_URI = "https://www.tuxera.com/community/open-source-ntfs-3g/" UPSTREAM_CHECK_REGEX = "ntfs-3g_ntfsprogs-(?P<pver>\d+(\.\d+)+)\.tgz" @@ -50,3 +49,5 @@ do_install_append() { # Satisfy the -dev runtime dependency ALLOW_EMPTY_${PN} = "1" + +CVE_PRODUCT = "tuxera:ntfs-3g" diff --git a/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb b/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb index 414084449f..9e546e8a39 100644 --- a/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb +++ b/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=628b867016631792781a8735a04760e5 \ DEPENDS = "fuse virtual/libusb0" # v3.2p3 SRCREV = "3744375dfaa350e31c9b360eb1e1a517bbeb5c47" -SRC_URI = "git://github.com/owfs/owfs \ +SRC_URI = "git://github.com/owfs/owfs;branch=master;protocol=https \ file://0001-Add-build-rule-for-README.patch \ file://owhttpd \ file://owserver \ diff --git a/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb b/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb index bf9c34dc97..9b776e9dc7 100644 --- a/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb +++ b/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb @@ -6,7 +6,7 @@ LICENSE = "GPLv2" DEPENDS = "glib-2.0 fuse3" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://github.com/libfuse/sshfs" +SRC_URI = "git://github.com/libfuse/sshfs;branch=master;protocol=https" SRCREV = "a7e1038203c856cc7e052d439d1da49fe131339f" S = "${WORKDIR}/git" diff --git a/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb b/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb index 3dd5c82ee5..13273f7bc8 100644 --- a/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb +++ b/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://src/unionfs.c;beginline=3;endline=8;md5=30fa8de70fd8a file://LICENSE;md5=7e5a37fce17307066eec6b23546da3b3 \ " -SRC_URI = "git://github.com/rpodgorny/${BPN}.git;branch=master \ +SRC_URI = "git://github.com/rpodgorny/${BPN}.git;branch=master;protocol=https \ file://0001-support-cross-compiling.patch \ " SRCREV = "8d732962423c3ca5be1f14b7ec139ff464e10a51" diff --git a/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb b/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb index 24b17fc93b..dc9132a82e 100644 --- a/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb +++ b/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb @@ -22,6 +22,8 @@ UPSTREAM_CHECK_REGEX = "fuse\-(?P<pver>3(\.\d+)+).tar.xz" inherit meson pkgconfig +CVE_PRODUCT = "fuse_project:fuse" + DEPENDS = "udev" PACKAGES =+ "fuse3-utils" diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb index 95e870691c..4ec1213519 100644 --- a/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb +++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb @@ -19,9 +19,16 @@ SRC_URI = "https://github.com/libfuse/libfuse/releases/download/${BP}/${BP}.tar. SRC_URI[md5sum] = "8000410aadc9231fd48495f7642f3312" SRC_URI[sha256sum] = "d0e69d5d608cc22ff4843791ad097f554dd32540ddc9bed7638cc6fea7c1b4b5" +# CVE-2019-14860 is a REDHAT specific issue and was addressed for REDHAT Fuse products on Red Hat Fuse 7.4.1 and Red Hat Fuse 7.5.0. +# REDHAT has also released the fix and updated their security advisories after significant releases. +CVE_PRODUCT = "fuse" +CVE_CHECK_WHITELIST += "CVE-2019-14860" + UPSTREAM_CHECK_URI = "https://github.com/libfuse/libfuse/releases" UPSTREAM_CHECK_REGEX = "fuse\-(?P<pver>2(\.\d+)+).tar.gz" +CVE_PRODUCT = "fuse_project:fuse" + inherit autotools pkgconfig update-rc.d systemd INITSCRIPT_NAME = "fuse" diff --git a/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb b/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb index 98bd478f32..2c5a9e16b3 100644 --- a/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb +++ b/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb @@ -9,7 +9,7 @@ DEPENDS = "util-linux" # v1.13.0 SRCREV = "284f77f0075a16a2ad1f3b0fb89b7f64a1bc755d" -SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git \ +SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git;branch=master \ file://0001-f2fs-tools-Use-srcdir-prefix-to-denote-include-path.patch \ " S = "${WORKDIR}/git" diff --git a/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb b/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb index c72671739d..c90a7ecc2b 100644 --- a/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb +++ b/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb @@ -7,7 +7,7 @@ HOMEPAGE = "https://github.com/Gregwar/fatcat" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=57fbbfebd0dd1d6ff21b8cecb552a03f" -SRC_URI = "git://github.com/Gregwar/fatcat.git \ +SRC_URI = "git://github.com/Gregwar/fatcat.git;branch=master;protocol=https \ file://0001-Use-unistd.h-not-argp.h-for-all-POSIX-systems.patch \ " diff --git a/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb b/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb index 88d495b685..c258a128ee 100644 --- a/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb +++ b/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb @@ -3,7 +3,7 @@ SECTION = "console/tools" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" -SRC_URI = "git://salsa.debian.org/parted-team/fatresize.git;protocol=https" +SRC_URI = "git://salsa.debian.org/parted-team/fatresize.git;protocol=https;branch=master" SRCREV = "3f80afc76ad82d4a1b852a6c8dea24cd9f5e7a24" PV = "1.0.2-11" diff --git a/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb b/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb index 23583650b8..ed003ee7be 100644 --- a/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb +++ b/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb @@ -8,7 +8,7 @@ BRANCH ?= "dev" SRCREV = "a3cf93b66f4606a46354cf884d24aa966661f848" -SRC_URI = "git://github.com/westerndigitalcorporation/ufs-utils.git;protocol=git;branch=${BRANCH} \ +SRC_URI = "git://github.com/westerndigitalcorporation/ufs-utils.git;protocol=https;branch=${BRANCH} \ file://0001-Replace-u_intXX_t-with-kernel-typedefs.patch \ " diff --git a/meta-gnome/recipes-gnome/gdm/gdm_3.34.1.bb b/meta-gnome/recipes-gnome/gdm/gdm_3.34.1.bb index a47bf6fcf8..b10efbedc5 100644 --- a/meta-gnome/recipes-gnome/gdm/gdm_3.34.1.bb +++ b/meta-gnome/recipes-gnome/gdm/gdm_3.34.1.bb @@ -10,7 +10,7 @@ DEPENDS = " \ libpam \ " -REQUIRED_DISTRO_FEATURES = "x11 systemd pam" +REQUIRED_DISTRO_FEATURES = "x11 systemd pam polkit" inherit gnomebase gsettings gobject-introspection gettext systemd useradd upstream-version-is-even features_check diff --git a/meta-gnome/recipes-gnome/gedit/gedit_3.34.1.bb b/meta-gnome/recipes-gnome/gedit/gedit_3.34.1.bb index 850ba4df98..d6c8957dc1 100644 --- a/meta-gnome/recipes-gnome/gedit/gedit_3.34.1.bb +++ b/meta-gnome/recipes-gnome/gedit/gedit_3.34.1.bb @@ -19,7 +19,7 @@ DEPENDS = " \ gtksourceview4 \ " -inherit gnomebase gsettings itstool gnome-help gobject-introspection gtk-doc vala gettext features_check upstream-version-is-even mime-xdg +inherit gnomebase gsettings itstool gnome-help gobject-introspection gtk-doc vala gettext features_check upstream-version-is-even mime-xdg python3targetconfig REQUIRED_DISTRO_FEATURES = "x11" diff --git a/meta-gnome/recipes-gnome/gvfs/gvfs_1.42.2.bb b/meta-gnome/recipes-gnome/gvfs/gvfs_1.42.2.bb index f04246f168..4f5784f26d 100644 --- a/meta-gnome/recipes-gnome/gvfs/gvfs_1.42.2.bb +++ b/meta-gnome/recipes-gnome/gvfs/gvfs_1.42.2.bb @@ -62,7 +62,7 @@ PACKAGECONFIG[samba] = "-Dsmb=true, -Dsmb=false, samba" PACKAGECONFIG[systemd] = "-Dsystemduserunitdir=${systemd_user_unitdir} -Dtmpfilesdir=${libdir}/tmpfiles.d, -Dsystemduserunitdir=no -Dtmpfilesdir=no, systemd" # needs meta-filesystems -PACKAGECONFIG[fuse] = "-Dfuse=true, -Dfuse=false, fuse" +PACKAGECONFIG[fuse] = "-Dfuse=true, -Dfuse=false, fuse3" # libcdio-paranoia recipe doesn't exist yet PACKAGECONFIG[cdda] = "-Dcdda=true, -Dcdda=false, libcdio-paranoia" diff --git a/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb b/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb index 90e5533015..7564275668 100644 --- a/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb +++ b/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb @@ -6,7 +6,7 @@ DEPENDS = "glib-2.0 gtk+3 gdk-pixbuf clutter-1.0 clutter-gtk-1.0 libsoup-2.4" inherit meson gobject-introspection SRCREV = "145e417f32e507b63c21ad4e915b808a6174099e" -SRC_URI = "git://github.com/gnome/libchamplain.git" +SRC_URI = "git://github.com/gnome/libchamplain.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-gnome/recipes-gnome/tracker/tracker-miners_2.3.3.bb b/meta-gnome/recipes-gnome/tracker/tracker-miners_2.3.3.bb index e2ced395c1..aa6492de4c 100644 --- a/meta-gnome/recipes-gnome/tracker/tracker-miners_2.3.3.bb +++ b/meta-gnome/recipes-gnome/tracker/tracker-miners_2.3.3.bb @@ -24,7 +24,7 @@ REQUIRED_DISTRO_FEATURES = "gobject-introspection-data" UNKNOWN_CONFIGURE_WHITELIST_append = " introspection" PACKAGECONFIG ??= " \ - ffmpeg \ + ${@bb.utils.contains("LICENSE_FLAGS_WHITELIST", "commercial", "ffmpeg", "", d)} \ flac \ gexiv2 \ gstreamer \ diff --git a/meta-gnome/recipes-kernel/sysprof/sysprof_3.34.1.bb b/meta-gnome/recipes-kernel/sysprof/sysprof_3.34.1.bb index ad69ab68c3..cee4ed497e 100644 --- a/meta-gnome/recipes-kernel/sysprof/sysprof_3.34.1.bb +++ b/meta-gnome/recipes-kernel/sysprof/sysprof_3.34.1.bb @@ -16,7 +16,9 @@ SRC_URI += "file://0001-sysprof-Define-NT_GNU_BUILD_ID-if-undefined.patch \ file://0001-libsysprof-ui-Rename-environ-to-sys_environ.patch \ " -PACKAGECONFIG ?= "sysprofd libsysprof ${@bb.utils.contains_any('DISTRO_FEATURES', '${GTK3DISTROFEATURES}', 'gtk', '', d)}" +PACKAGECONFIG ?= "${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'sysprofd', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'polkit', 'libsysprof', '', d)} \ + ${@bb.utils.contains_any('DISTRO_FEATURES', '${GTK3DISTROFEATURES}', 'gtk', '', d)}" PACKAGECONFIG[gtk] = "-Denable_gtk=true,-Denable_gtk=false,gtk+3 libdazzle" PACKAGECONFIG[sysprofd] = "-Dwith_sysprofd=bundled,-Dwith_sysprofd=none,polkit" PACKAGECONFIG[libsysprof] = "-Dlibsysprof=true,-Dlibsysprof=false,polkit" diff --git a/meta-gnome/recipes-support/ibus/ibus.inc b/meta-gnome/recipes-support/ibus/ibus.inc index 1bbeb2c481..2e03f7c6a7 100644 --- a/meta-gnome/recipes-support/ibus/ibus.inc +++ b/meta-gnome/recipes-support/ibus/ibus.inc @@ -10,7 +10,7 @@ PV = "1.5.22" DEPENDS = "unicode-ucd" SRC_URI = " \ - git://github.com/ibus/ibus.git \ + git://github.com/ibus/ibus.git;branch=main;protocol=https \ file://0001-Do-not-try-to-start-dbus-we-do-not-have-dbus-lauch.patch \ " SRCREV = "e3262f08b9e3efc57808700823b0622ec03a1b5f" diff --git a/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb b/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb index d567d00d3f..fb4c816729 100644 --- a/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb +++ b/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb @@ -13,7 +13,7 @@ B = "${S}" SRCREV = "736ccef40d39603b8111c8a3a0bca0319bbafdc0" PV = "3.0+git${SRCPV}" -SRC_URI = "git://github.com/engla/keybinder.git;branch=keybinder-3.0 \ +SRC_URI = "git://github.com/engla/keybinder.git;branch=keybinder-3.0;protocol=https \ " RDEPENDS_${PN} = "gtk+" diff --git a/meta-gnome/recipes-support/libhandy/libhandy_git.bb b/meta-gnome/recipes-support/libhandy/libhandy_git.bb index 8c6159f998..6d63ddb86a 100644 --- a/meta-gnome/recipes-support/libhandy/libhandy_git.bb +++ b/meta-gnome/recipes-support/libhandy/libhandy_git.bb @@ -2,7 +2,7 @@ SUMMARY = "A library full of GTK+ widgets for mobile phones" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" -SRC_URI = "git://source.puri.sm/Librem5/${BPN}.git;protocol=https" +SRC_URI = "git://source.puri.sm/Librem5/${BPN}.git;protocol=https;branch=master" SRCREV = "ef7c4bf75ae239495141ada83d2fbaf034315563" S = "${WORKDIR}/git" PV = "0.0.12" diff --git a/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb b/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb index 96dd880b6a..837807ccf9 100644 --- a/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb +++ b/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2750797da77c1d784e7626b3f7d7ff3e" DEPENDS_class-target = "${BPN}-native" SRC_URI = "\ - git://github.com/snowballstem/snowball.git \ + git://github.com/snowballstem/snowball.git;branch=master;protocol=https \ file://0001-Build-so-lib.patch \ file://0002-snowball-stemwords-do-link-with-LDFLAGS-set-by-build.patch \ " diff --git a/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb b/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb index 6fb3b82ef1..5db78b7cf7 100644 --- a/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb +++ b/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb @@ -9,6 +9,6 @@ DEPENDS = " \ inherit autotools pkgconfig -SRC_URI = "git://github.com/linuxwacom/libwacom.git" +SRC_URI = "git://github.com/linuxwacom/libwacom.git;branch=master;protocol=https" SRCREV = "87cc710e21a6220e267dd08936bbec2932aa3658" S = "${WORKDIR}/git" diff --git a/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb b/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb index ed3dece3f6..ee05045320 100644 --- a/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb +++ b/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb @@ -5,7 +5,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" PV = "0.6+git${SRCPV}" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/kexecboot/kexecboot.git" +SRC_URI = "git://github.com/kexecboot/kexecboot.git;branch=master;protocol=https" SRC_URI_append_libc-klibc = " file://0001-kexecboot-Use-new-reboot-API-with-klibc.patch " SRCREV = "5a5e04be206140059f42ac786d424da1afaa04b6" diff --git a/meta-initramfs/recipes-devtools/dracut/dracut_git.bb b/meta-initramfs/recipes-devtools/dracut/dracut_git.bb index 13cf5f6ded..dd22b196fa 100644 --- a/meta-initramfs/recipes-devtools/dracut/dracut_git.bb +++ b/meta-initramfs/recipes-devtools/dracut/dracut_git.bb @@ -10,7 +10,7 @@ PV = "049" # v048 tag SRCREV = "225e4b94cbdb702cf512490dcd2ad9ca5f5b22c1" -SRC_URI = "git://git.kernel.org/pub/scm/boot/dracut/dracut.git;protocol=http \ +SRC_URI = "git://git.kernel.org/pub/scm/boot/dracut/dracut.git;protocol=http;branch=master \ file://0001-util.h-include-sys-reg.h-when-libc-glibc.patch \ file://0001-dracut.sh-improve-udevdir.patch \ file://0001-set-viriable-_drv-not-local.patch \ diff --git a/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb b/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb index 7403cf64f7..c890165b6a 100644 --- a/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb +++ b/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb @@ -14,7 +14,7 @@ DEPENDS_append_libc-musl = " libexecinfo" S = "${WORKDIR}/git" SRCREV = "79c5cfa02c567efdc5bb18cdd584789e2e35aa23" -SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https; \ +SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https;branch=master \ file://grubby-rename-grub2-editenv-to-grub-editenv.patch \ file://run-ptest \ file://0001-Add-another-variable-LIBS-to-provides-libraries-from.patch \ diff --git a/meta-initramfs/recipes-devtools/grubby/grubby_git.bb b/meta-initramfs/recipes-devtools/grubby/grubby_git.bb index 7248147a5c..9d3d7b55cc 100644 --- a/meta-initramfs/recipes-devtools/grubby/grubby_git.bb +++ b/meta-initramfs/recipes-devtools/grubby/grubby_git.bb @@ -14,7 +14,7 @@ DEPENDS_append_libc-musl = " libexecinfo" S = "${WORKDIR}/git" SRCREV = "a1d2ae93408c3408e672d7eba4550fdf27fb0201" -SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https; \ +SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https;branch=main \ file://grubby-rename-grub2-editenv-to-grub-editenv.patch \ file://run-ptest \ file://0001-Add-another-variable-LIBS-to-provides-libraries-from.patch \ diff --git a/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb b/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb index 0475cbeaee..fe5898a903 100644 --- a/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb +++ b/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \ inherit autotools pkgconfig klibc SRCREV = "64f61a9dc71b158c7084006cbce4ea23886f0b47" -SRC_URI = "git://git.infradead.org/mtd-utils.git \ +SRC_URI = "git://git.infradead.org/mtd-utils.git;branch=master \ file://0001-libmissing.h-fix-klibc-build-when-using-glibc-toolch.patch \ file://0002-Instead-of-doing-preprocessor-magic-just-output-off_.patch \ file://0003-Makefile.am-only-build-ubi-utils.patch \ @@ -18,7 +18,7 @@ SRC_URI = "git://git.infradead.org/mtd-utils.git \ file://0005-common.h-replace-getline-with-fgets.patch \ " -S = "${WORKDIR}/git/" +S = "${WORKDIR}/git" EXTRA_OECONF += "--disable-tests --without-jffs --without-ubifs" diff --git a/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb b/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb index 7ad55d8b8c..143ac6f433 100644 --- a/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb +++ b/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb @@ -12,7 +12,7 @@ DEPENDS = "zlib xz" inherit klibc autotools -SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git" +SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git;branch=master" SRCREV = "5750980cdbbc33ef75bfba6660295b932376ce15" BUILD_PATCHES = "file://0001-force-static-build.patch \ diff --git a/meta-multimedia/README b/meta-multimedia/README index 1c08f9d9ff..96910a94de 100644 --- a/meta-multimedia/README +++ b/meta-multimedia/README @@ -14,6 +14,6 @@ Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-mult When sending single patches, please use something like: 'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-multimedia][dunfell][PATCH -You are encouraged to fork the mirror on github https://github.com/openembedded/meta-oe/ to share your patches, this is preferred for patch sets consisting of more than one patch. Other services like gitorious, repo.or.cz or self hosted setups are of course accepted as well, 'git fetch <remote>' works the same on all of them. We recommend github because it is free, easy to use, has been proven to be reliable and has a really good web GUI. +You are encouraged to fork the mirror on github https://github.com/openembedded/meta-openembedded to share your patches, this is preferred for patch sets consisting of more than one patch. Other services like GitLab, repo.or.cz or self hosted setups are of course accepted as well, 'git fetch <remote>' works the same on all of them. We recommend github because it is free, easy to use, has been proven to be reliable and has a really good web GUI. dunfell maintainer: Armin Kuster <akuster808@gmail.com> diff --git a/meta-multimedia/recipes-connectivity/gupnp/gssdp_1.2.2.bb b/meta-multimedia/recipes-connectivity/gupnp/gssdp_1.2.3.bb index ddaddd2094..7d82c3e2e6 100644 --- a/meta-multimedia/recipes-connectivity/gupnp/gssdp_1.2.2.bb +++ b/meta-multimedia/recipes-connectivity/gupnp/gssdp_1.2.3.bb @@ -5,8 +5,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7" DEPENDS = "glib-2.0 libsoup-2.4" SRC_URI = "${GNOME_MIRROR}/${BPN}/1.2/${BPN}-${PV}.tar.xz" -SRC_URI[md5sum] = "f00a470ebcba96f34def8f83ac5891ed" -SRC_URI[sha256sum] = "cabb9e3b456b8354a55e23eb0207545d974643cda6d623523470ebbc4188b0a4" +SRC_URI[md5sum] = "ef3295a965c06ce0f683522391fbb910" +SRC_URI[sha256sum] = "a263dcb6730e3b3dc4bbbff80cf3fab4cd364021981d419db6dd5a8e148aa7e8" GTKDOC_MESON_OPTION = 'gtk_doc' diff --git a/meta-multimedia/recipes-connectivity/gupnp/gupnp_1.2.2.bb b/meta-multimedia/recipes-connectivity/gupnp/gupnp_1.2.4.bb index e603497161..c7b330fa00 100644 --- a/meta-multimedia/recipes-connectivity/gupnp/gupnp_1.2.2.bb +++ b/meta-multimedia/recipes-connectivity/gupnp/gupnp_1.2.4.bb @@ -1,8 +1,8 @@ require gupnp.inc SRC_URI = "${GNOME_MIRROR}/${BPN}/1.2/${BPN}-${PV}.tar.xz" -SRC_URI[md5sum] = "2ade3d29c624ad98d70113e6e93908a5" -SRC_URI[sha256sum] = "9a80bd953e5c8772ad26b72f8da01cbe7241a113edd6084903f413ce751c9989" +SRC_URI[md5sum] = "7c9c7cd80e36d9fb1e5b0267571fc17d" +SRC_URI[sha256sum] = "f7a0307ea51f5e44d1b832f493dd9045444a3a4e211ef85dfd9aa5dd6eaea7d1" LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7 \ file://libgupnp/gupnp.h;beginline=1;endline=20;md5=d78a69d9b6e63ee2dc72e7b674d97520" diff --git a/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch b/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch new file mode 100644 index 0000000000..695a2c94f0 --- /dev/null +++ b/meta-multimedia/recipes-connectivity/libupnp/files/CVE-2020-13848.patch @@ -0,0 +1,75 @@ +From c805c1de1141cb22f74c0d94dd5664bda37398e0 Mon Sep 17 00:00:00 2001 +From: Marcelo Roberto Jimenez <marcelo.jimenez@gmail.com> +Date: Thu, 4 Jun 2020 12:03:03 -0300 +Subject: [PATCH] Fixes #177: NULL pointer dereference in + FindServiceControlURLPath + +Also fixes its dual bug in FindServiceEventURLPath. + +Reference: +https://nvd.nist.gov/vuln/detail/CVE-2020-13848 + +Upstream-Status: Accepted [https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0] +CVE: CVE-2020-13848 +Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com> + +--- + ChangeLog | 6 ++++++ + upnp/src/genlib/service_table/service_table.c | 16 ++++++++++------ + 2 files changed, 16 insertions(+), 6 deletions(-) +diff --git a/ChangeLog b/ChangeLog +index 4a956fc..265d268 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -2,6 +2,12 @@ + Version 1.8.4 + ******************************************************************************* + ++2020-06-04 Patrik Lantz pjlantz(at)github ++ ++ Fixes #177 ++ ++ NULL pointer dereference in FindServiceControlURLPath ++ + 2017-11-17 Marcelo Jimenez <mroberto(at)users.sourceforge.net> + + GitHub #57 - 1.8.3 broke ABI without changing SONAME +diff --git a/upnp/src/genlib/service_table/service_table.c b/upnp/src/genlib/service_table/service_table.c +index 98c2c0f..f3ee4e5 100644 +--- a/upnp/src/genlib/service_table/service_table.c ++++ b/upnp/src/genlib/service_table/service_table.c +@@ -300,12 +300,11 @@ FindServiceEventURLPath( service_table * table, + uri_type parsed_url; + uri_type parsed_url_in; + +- if( ( table ) +- && +- ( parse_uri( eventURLPath, +- strlen( eventURLPath ), +- &parsed_url_in ) == HTTP_SUCCESS ) ) { +- ++ if (!table || !eventURLPath) { ++ return NULL; ++ } ++ if (parse_uri(eventURLPath, strlen(eventURLPath), &parsed_url_in) == ++ HTTP_SUCCESS) { + finger = table->serviceList; + while( finger ) { + if( finger->eventURL ) +@@ -352,11 +351,11 @@ FindServiceControlURLPath( service_table * table, + uri_type parsed_url; + uri_type parsed_url_in; + +- if( ( table ) +- && +- ( parse_uri +- ( controlURLPath, strlen( controlURLPath ), +- &parsed_url_in ) == HTTP_SUCCESS ) ) { ++ if (!table || !controlURLPath) { ++ return NULL; ++ } ++ if (parse_uri(controlURLPath, strlen(controlURLPath), &parsed_url_in) == ++ HTTP_SUCCESS) { + finger = table->serviceList; + while( finger ) { + if( finger->controlURL ) diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb index 339c07cd96..ef473c4896 100644 --- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb +++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb @@ -12,7 +12,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=394a0f17b97f33426275571e15920434" PV = "1.8.4+git${SRCPV}" # release-1.8.4 SRCREV = "d5a01fc9895daae98a0c5a8c7d3afce46add529d" -SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https" +SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https;branch=master \ + file://CVE-2020-13848.patch" S="${WORKDIR}/git" diff --git a/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb b/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb index 20faef047e..32e74f08c3 100644 --- a/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb +++ b/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb @@ -8,7 +8,7 @@ DEPENDS = "avahi cmake-native dvb-apps libdvbcsa libpcre2 openssl uriparser zlib LICENSE = "GPLv3+" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=9cae5acac2e9ee2fc3aec01ac88ce5db" -SRC_URI = "git://github.com/tvheadend/tvheadend.git \ +SRC_URI = "git://github.com/tvheadend/tvheadend.git;branch=master;protocol=https \ file://0001-adjust-for-64bit-time_t.patch \ file://0001-allocate-space-for-buf-on-heap.patch \ " diff --git a/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb b/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb index 1a51abc360..343b9d7915 100644 --- a/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb +++ b/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb @@ -4,7 +4,7 @@ LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c" SRCREV = "b93deed1a231dd6dd7e39b9fe7d2abe05aa00158" -SRC_URI = "git://github.com/foo86/dcadec.git;protocol=https \ +SRC_URI = "git://github.com/foo86/dcadec.git;protocol=https;branch=master \ file://0001-define-BASELIB-make-variable.patch \ " diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb index f23bc6ca81..c89156dcf8 100644 --- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb +++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ DEPENDS = "glib-2.0 dbus dleyna-core" -SRC_URI = "git://github.com/01org/${BPN}.git" +SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https" SRCREV = "de913c35e5c936e2d40ddbd276ee902cd802bd3a" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb index 8939cd36e2..647532d9fa 100644 --- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb +++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb @@ -13,7 +13,7 @@ DEPENDS = "glib-2.0 gupnp" PV .= "+git${SRCPV}" -SRC_URI = "git://github.com/01org/${BPN}.git" +SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https" SRCREV = "1c6853f5bc697dc0a8774fd70dbc915c4dbe7c5b" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb index 642f21bd53..4b53763440 100644 --- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb +++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ DEPENDS = "glib-2.0 gssdp gupnp gupnp-av gupnp-dlna libsoup-2.4 dleyna-core" RDEPENDS_${PN} = "dleyna-connector-dbus" -SRC_URI = "git://github.com/01org/${BPN}.git \ +SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https \ file://0001-add-gupnp-1.2-API-support.patch \ " SRCREV = "50fd1ec9d51328e7dea98874129dc8d6fe3ea1dd" diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb index e31b7aea2a..5fa3e2373a 100644 --- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb +++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb @@ -12,7 +12,7 @@ DEPENDS = "glib-2.0 gssdp gupnp gupnp-av gupnp-dlna libsoup-2.4 libxml2 dleyna-c RDEPENDS_${PN} = "dleyna-connector-dbus" PV .= "+git${SRCPV}" -SRC_URI = "git://github.com/01org/${BPN}.git" +SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https" SRCREV = "eb895ae82715e9889a948ffa810c0f828b4f4c76" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb b/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb index d7911681c7..c499119c6f 100644 --- a/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb +++ b/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb @@ -11,7 +11,7 @@ LICENSE = "Fraunhofer_FDK_AAC_Codec_Library_for_Android" LICENSE_FLAGS = "commercial" LIC_FILES_CHKSUM = "file://NOTICE;md5=5985e1e12f4afa710d64ed7bfd291875" -SRC_URI = "git://github.com/mstorsjo/fdk-aac.git;protocol=git;branch=master" +SRC_URI = "git://github.com/mstorsjo/fdk-aac.git;protocol=https;branch=master" SRCREV = "d387d3b6ed79ff9a82c60440bdd86e6e5e324bec" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc index fcc9df8c30..ee3e38cd93 100644 --- a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc +++ b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc @@ -4,7 +4,7 @@ SECTION = "libs/multimedia" LICENSE = "LGPL-2.1" LIC_FILES_CHKSUM = "file://LICENSE;md5=fc178bcd425090939a8b634d1d6a9594" -SRC_URI = "git://github.com/FluidSynth/fluidsynth.git" +SRC_URI = "git://github.com/FluidSynth/fluidsynth.git;branch=master;protocol=https" SRCREV = "19a20eb8526465fdf940b740b13462d71e190a1a" S = "${WORKDIR}/git" PV = "2.1.3" diff --git a/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb b/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb index c96e4c52e9..2f9ceffab7 100644 --- a/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb +++ b/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb @@ -3,7 +3,7 @@ Description = "Gerbera - An UPnP media server" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=25cdec9afe3f1f26212ead6bd2f7fac8" -SRC_URI = "git://github.com/v00d00/gerbera.git;protocol=https \ +SRC_URI = "git://github.com/v00d00/gerbera.git;protocol=https;branch=master \ " PV = "1.3.2" diff --git a/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb b/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb index d047caef5f..19d43a4b74 100644 --- a/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb +++ b/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb @@ -14,10 +14,10 @@ PV = "0.6.1" SRCREV_base = "c41a05cc9e2310c2f73eda4b4f0b4477bf4479c5" SRCREV_common = "88e512ca7197a45c4114f7fa993108f23245bf50" - +SRCREV_FORMAT = "base_common" SRC_URI = " \ git://github.com/RidgeRun/gst-shark.git;protocol=https;branch=${SRCBRANCH};name=base \ - git://gitlab.freedesktop.org/gstreamer/common.git;protocol=https;destsuffix=git/common;name=common; \ + git://gitlab.freedesktop.org/gstreamer/common.git;protocol=https;destsuffix=git/common;name=common;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb index 3f8fe2f360..e16fd25962 100644 --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "\ " SRC_URI = " \ - git://linuxtv.org/libcamera.git;protocol=git \ + git://linuxtv.org/libcamera.git;protocol=git;branch=master \ " SRCREV = "a8be6e94e79f602d543a15afd44ef60e378b138f" diff --git a/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb b/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb index 7f042c382f..4cf8e2effc 100644 --- a/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb +++ b/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" SRCREV = "bc6c0b164a87ce05e9925785cc6fb3f54c02b026" -SRC_URI = "git://code.videolan.org/videolan/libdvbcsa.git;protocol=https \ +SRC_URI = "git://code.videolan.org/videolan/libdvbcsa.git;protocol=https;branch=master \ file://libdvbcsa.pc \ " diff --git a/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb b/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb index f060f1e80d..cb42d943fc 100644 --- a/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb +++ b/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://alpha.cpp;beginline=3;endline=22;md5=6665e479f71feb92 PV = "1.10+git${SRCPV}" SRCREV = "52e7d93c5947f72380521116c05d97c528863ba8" -SRC_URI = "git://github.com/OpenELEC/libsquish.git;protocol=https" +SRC_URI = "git://github.com/OpenELEC/libsquish.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb b/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb index b313b110cc..4631b037be 100644 --- a/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb +++ b/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb @@ -20,7 +20,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=416ef1ca5167707fe381d7be33664a33" DEPENDS = "curl-native icu" SRCREV = "67e43bf0fa56008276b878ec3790aa5f32eb2a16" -SRC_URI = "git://github.com/MycroftAI/mimic.git" +SRC_URI = "git://github.com/MycroftAI/mimic.git;branch=master;protocol=https" inherit autotools diff --git a/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb b/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb index ca9d94a19c..253f995d88 100644 --- a/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb +++ b/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb @@ -8,7 +8,7 @@ DEPENDS = "expat libxml2 libxml2-native neon neon-native" PV = "5.1.0+git${SRCPV}" SRCREV = "44c05779dd996035758f5ec426766aeedce29cc3" -SRC_URI = "git://github.com/metabrainz/libmusicbrainz.git \ +SRC_URI = "git://github.com/metabrainz/libmusicbrainz.git;branch=master;protocol=https \ file://allow-libdir-override.patch " S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb b/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb index 235e63e481..84b7baab23 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb @@ -6,7 +6,7 @@ HOMEPAGE = "https://www.musicpd.org/libs/libmpdclient/" inherit meson SRC_URI = " \ - git://github.com/MusicPlayerDaemon/libmpdclient \ + git://github.com/MusicPlayerDaemon/libmpdclient;branch=master;protocol=https \ " SRCREV = "4e8d990eb5239566ee948f1cd79b7248e008620a" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb b/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb index 41abe7108a..b4fce35df7 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb @@ -10,7 +10,7 @@ DEPENDS += " \ " SRC_URI = " \ - git://github.com/MusicPlayerDaemon/mpc \ + git://github.com/MusicPlayerDaemon/mpc;branch=master;protocol=https \ " SRCREV = "59875acdf34e5f0eac0c11453c49daef54f78413" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb b/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb index 133ee6e792..3f20515993 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb @@ -17,7 +17,7 @@ DEPENDS += " \ " SRC_URI = " \ - git://github.com/MusicPlayerDaemon/MPD;branch=v0.20.x \ + git://github.com/MusicPlayerDaemon/MPD;branch=v0.20.x;protocol=https \ file://mpd.conf.in \ file://0001-StringBuffer-Include-cstddef-for-size_t.patch \ file://0002-Include-stdexcept-for-runtime_error.patch \ diff --git a/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb b/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb index 0c99c7c698..c92a4421a3 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb @@ -31,7 +31,7 @@ PACKAGECONFIG[outputs_screen] = "-Doutputs_screen=true,-Doutputs_screen=false" PACKAGECONFIG[chat_screen] = "-Dchat_screen=true,-Dchat_screen=false" SRC_URI = " \ - git://github.com/MusicPlayerDaemon/ncmpc \ + git://github.com/MusicPlayerDaemon/ncmpc;branch=master;protocol=https \ " SRCREV = "79cf9905355f25bc5cc6d5a05d2846d75342f554" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb b/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb index 62d1ad7f74..e71cb87014 100644 --- a/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb +++ b/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb @@ -7,7 +7,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=79aa497b11564d1d419ee889e7b498f6" SRCREV = "913f29d3d550637934f9abf43a097eb2c30d76fc" -SRC_URI = "git://github.com/MycroftAI/mycroft-core.git;branch=master \ +SRC_URI = "git://github.com/MycroftAI/mycroft-core.git;branch=master;protocol=https \ file://0001-Remove-python-venv.patch \ file://0002-dev_setup.sh-Remove-the-git-dependency.patch \ file://0003-dev_setup.sh-Remove-the-TERM-dependency.patch \ diff --git a/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb b/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb index a9cdfac8a9..5787f22036 100644 --- a/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb +++ b/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb @@ -7,7 +7,7 @@ inherit cmake pkgconfig # openal-soft-1.19.1 SRCREV = "6761218e51699f46bf25c377e65b3e9ea5e434b9" -SRC_URI = "git://github.com/kcat/openal-soft \ +SRC_URI = "git://github.com/kcat/openal-soft;branch=master;protocol=https \ file://0001-Use-BUILD_CC-to-compile-native-tools.patch \ file://0002-makehrtf-Disable-Wstringop-truncation.patch \ " diff --git a/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb b/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb index 5f78be4f51..53ee2a82fb 100644 --- a/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb +++ b/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb @@ -9,7 +9,7 @@ DEPENDS = "gnutls zlib" SRCREV = "fa8646daeb19dfd12c181f7d19de708d623704c0" SRC_URI = " \ - git://git.ffmpeg.org/rtmpdump \ + git://git.ffmpeg.org/rtmpdump;branch=master \ file://fix-racing-build-issue.patch" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb b/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb index 70eb6e4be7..47f7af46bd 100644 --- a/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb +++ b/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb @@ -3,7 +3,7 @@ LICENSE = "CC-BY-3.0" # http://www.bigbuckbunny.org/index.php/about/ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/CC-BY-3.0;md5=dfa02b5755629022e267f10b9c0a2ab7" -SRC_URI = "http://themazzone.com/big_buck_bunny_1080p_surround.avi" +SRC_URI = "http://www.peach.themazzone.com/big_buck_bunny_1080p_surround.avi" SRC_URI[md5sum] = "223991c8b33564eb77988a4c13c1c76a" SRC_URI[sha256sum] = "69fe2cfe7154a6e752688e3a0d7d6b07b1605bbaf75b56f6470dc7b4c20c06ea" diff --git a/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb b/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb index 062096892e..68cf8795a6 100644 --- a/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb +++ b/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb @@ -7,7 +7,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://NOTICE;md5=dbdefe400d894b510a9de14813181d0b" SRCREV = "8449529c7e50f432091539ba7b438e79b04059b5" -SRC_URI = "git://github.com/tinyalsa/tinyalsa \ +SRC_URI = "git://github.com/tinyalsa/tinyalsa;branch=master;protocol=https \ file://0001-Use-CMAKE_INSTALL_-path-instead-of-hardcoding-bin-li.patch \ " PV = "1.1.1+git${SRCPV}" diff --git a/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb b/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb index 6abf6080bd..f8ab1bf680 100644 --- a/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb +++ b/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=db1b7a668b2a6f47b2af88fb008ad555 \ file://os.h;beginline=3;endline=14;md5=5c0af5e1bedef3ce8178c89f48cd6f1f" DEPENDS = "libogg" -SRC_URI = "git://gitlab.xiph.org/xiph/tremor.git;protocol=https \ +SRC_URI = "git://gitlab.xiph.org/xiph/tremor.git;protocol=https;branch=master \ file://obsolete_automake_macros.patch;striplevel=0 \ file://tremor-arm-thumb2.patch \ " diff --git a/meta-multimedia/recipes-support/crossguid/crossguid.bb b/meta-multimedia/recipes-support/crossguid/crossguid.bb index 228b8b6540..f2d6e7a241 100644 --- a/meta-multimedia/recipes-support/crossguid/crossguid.bb +++ b/meta-multimedia/recipes-support/crossguid/crossguid.bb @@ -10,7 +10,7 @@ DEPENDS += "util-linux" PV = "0.0+git${SRCPV}" SRCREV = "b56957ac453575e91ca1b63a80c0077c2b0d011a" -SRC_URI = "git://github.com/graeme-hill/crossguid;protocol=https" +SRC_URI = "git://github.com/graeme-hill/crossguid;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb b/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb index feffa9fe19..50c69a9a08 100644 --- a/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb +++ b/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb @@ -9,7 +9,7 @@ DEPENDS = "gstreamer1.0" S = "${WORKDIR}/git" SRCREV = "3b862e52e5c53ad1023dc6808effa4cb75572c4b" -SRC_URI = "git://github.com/kirushyk/gst-instruments.git;protocol=https;" +SRC_URI = "git://github.com/kirushyk/gst-instruments.git;protocol=https;branch=master" FILES_${PN}-staticdev += "${libdir}/gstreamer-1.0/*a" FILES_${PN} += "${libdir}/*" diff --git a/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb b/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb index d4a62bd92d..4cb85f8151 100644 --- a/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb +++ b/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb @@ -2,7 +2,7 @@ SUMMARY = "a SocketCAN over Ethernet tunnel" HOMEPAGE = "https://github.com/mguentner/cannelloni" LICENSE = "GPLv2" -SRC_URI = "git://github.com/mguentner/cannelloni.git;protocol=https \ +SRC_URI = "git://github.com/mguentner/cannelloni.git;protocol=https;branch=master \ file://0001-Use-GNUInstallDirs-instead-of-hard-coding-paths.patch \ file://0002-include-missing-stdexcept-for-runtime_error.patch \ " diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb index 2820f9fa6d..e9c2056180 100644 --- a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb +++ b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=50bd1d7f135b50d7e218996ba28d0d88" SRCREV = "4b440a339979852d5a51fb11a822952712231c23" PV = "1.12+git${SRCPV}" -SRC_URI = "git://github.com/civetweb/civetweb.git \ +SRC_URI = "git://github.com/civetweb/civetweb.git;branch=master;protocol=https \ file://0001-Unittest-Link-librt-and-libm-using-l-option.patch \ " diff --git a/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb b/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb index 90051a319a..f856655904 100644 --- a/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb +++ b/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=7236695bb6d4461c105d685a8b61c4e3" SRCREV = "c4b0ed52e751da7823dd9a36e91f93a6310e5525" -SRC_URI = "git://github.com/tomaszmrugalski/dibbler \ +SRC_URI = "git://github.com/tomaszmrugalski/dibbler;branch=master;protocol=https \ file://dibbler_fix_getSize_crash.patch \ file://0001-linux-port-Rename-pthread_mutex_t-variable-lock.patch \ " diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb index 2c39c4c443..1ea0cb16d3 100644 --- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb +++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb @@ -13,7 +13,7 @@ LICENSE = "GPLv2 & LGPLv2+" LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a" DEPENDS = "openssl-native openssl libidn libtool libpcap libtalloc" -SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0; \ +SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0;protocol=https \ file://freeradius \ file://volatiles.58_radiusd \ file://freeradius-enble-user-in-conf.patch \ diff --git a/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb b/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb index 5b27cfe155..c1a8146119 100644 --- a/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb +++ b/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=0036c1b155f4e999f3e0a373490b5db9" -SRC_URI = "git://github.com/dugsong/libdnet.git;nobranch=1" +SRC_URI = "git://github.com/dugsong/libdnet.git;nobranch=1;protocol=https" SRCREV = "12fca29a6d4e99d1b923d6820887fe7b24226904" UPSTREAM_CHECK_GITTAGREGEX = "libdnet-(?P<pver>\d+(\.\d+)+)" diff --git a/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb b/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb index 8444f0b739..66a7aaa6b2 100644 --- a/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb +++ b/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=587b3fd7fd291e418ff4d2b8f3904755" SECTION = "libs/networking" -SRC_URI = "git://github.com/nanomsg/nanomsg.git;protocol=https" +SRC_URI = "git://github.com/nanomsg/nanomsg.git;protocol=https;branch=master" SRCREV = "1749fd7b039165a91b8d556b4df18e3e632ad830" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb b/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb index 77be27ffaa..6d035f4039 100644 --- a/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb +++ b/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb @@ -8,7 +8,7 @@ SECTION = "libs/networking" SRCREV = "53ae1a5ab37fdfc9ad5c236df3eaf4dd63f0fee9" -SRC_URI = "git://github.com/nanomsg/nng.git;branch=v1.2.x" +SRC_URI = "git://github.com/nanomsg/nng.git;branch=v1.2.x;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb b/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb index 9f123c70fb..d91fc752e2 100644 --- a/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb +++ b/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb @@ -15,7 +15,7 @@ SRCREV = "5d22e9d22c4a3724d27b80b0cd9b898ae8f59d2b" PV = "0.98+git${SRCPV}" SRC_URI = " \ - git://github.com/CanonicalLtd/netplan.git \ + git://github.com/CanonicalLtd/netplan.git;branch=master;protocol=https \ " DEPENDS = "glib-2.0 libyaml ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb index 33a2b7c0ce..a28372dd1f 100644 --- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb +++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb @@ -33,11 +33,12 @@ SRC_URI_append_libc-musl = " \ file://musl/0003-Fix-build-with-musl-for-n-dhcp4.patch \ file://musl/0004-Fix-build-with-musl-systemd-specific.patch \ " -SRC_URI[sha256sum] = "2b29ccc1531ba7ebba95a97f40c22b963838e8b6833745efe8e6fb71fd8fca77" +SRC_URI[sha256sum] = "377aa053752eaa304b72c9906f9efcd9fbd5f7f6cb4cd4ad72425a68982cffc6" S = "${WORKDIR}/NetworkManager-${PV}" EXTRA_OECONF = " \ + --disable-firewalld-zone \ --disable-ifcfg-rh \ --disable-more-warnings \ --with-iptables=${sbindir}/iptables \ diff --git a/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb b/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb index 597c1920cf..144afb4843 100644 --- a/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb +++ b/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb @@ -3,7 +3,7 @@ LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING.LGPL;md5=243b725d71bb5df4a1e5920b344b86ad" SRC_URI = " \ - git://git.infradead.org/users/dwmw2/openconnect.git \ + git://git.infradead.org/users/dwmw2/openconnect.git;branch=master \ file://0001-trojans-tncc-wrapper.py-convert-to-python3.patch \ " SRCREV = "ea73851969ae7a6ea54fdd2d2b8c94776af24b2a" diff --git a/meta-networking/recipes-connectivity/relayd/relayd_git.bb b/meta-networking/recipes-connectivity/relayd/relayd_git.bb index e3134e41fc..a75b43e062 100644 --- a/meta-networking/recipes-connectivity/relayd/relayd_git.bb +++ b/meta-networking/recipes-connectivity/relayd/relayd_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://main.c;endline=17;md5=86aad799085683e0a2e1c2684a20bab DEPENDS = "libubox" -SRC_URI = "git://git.openwrt.org/project/relayd.git \ +SRC_URI = "git://git.openwrt.org/project/relayd.git;branch=master \ file://0001-rtnl_flush-Error-on-failed-write.patch \ " diff --git a/meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch b/meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch deleted file mode 100644 index e724c04bcd..0000000000 --- a/meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch +++ /dev/null @@ -1,59 +0,0 @@ -From f9d9ba6cd06aca053c747c399ba700db80b1623c Mon Sep 17 00:00:00 2001 -From: Martin Schwenke <martin@meltin.net> -Date: Tue, 9 Jun 2020 11:52:50 +1000 -Subject: [PATCH 1/3] util: Simplify input validation - -It appears that snprintf(3) is being used for input validation. -However, this seems like overkill because it causes szPath to be -copied an extra time. The mostly likely protections being sought -here, according to https://cwe.mitre.org/data/definitions/20.html, -look to be DoS attacks involving CPU and memory usage. A simpler -check that uses strnlen(3) can mitigate against both of these and is -simpler. - -Signed-off-by: Martin Schwenke <martin@meltin.net> -Reviewed-by: Volker Lendecke <vl@samba.org> -Reviewed-by: Bjoern Jacke <bjacke@samba.org> -(cherry picked from commit 922bce2668994dd2a5988c17060f977e9bb0c229) - -Upstream-Status:Backport -[https://gitlab.com/samba-team/samba/-/commit/f9d9ba6cd06aca053c747c399ba700db80b1623c] - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - lib/util/util_paths.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c -index c0ee5c32c30..dec91772d9e 100644 ---- a/lib/util/util_paths.c -+++ b/lib/util/util_paths.c -@@ -69,21 +69,20 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx) - struct passwd pwd = {0}; - struct passwd *pwdbuf = NULL; - char buf[NSS_BUFLEN_PASSWD] = {0}; -+ size_t len; - int rc; - - rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf); - if (rc != 0 || pwdbuf == NULL ) { -- int len_written; - const char *szPath = getenv("HOME"); - if (szPath == NULL) { - return NULL; - } -- len_written = snprintf(buf, sizeof(buf), "%s", szPath); -- if (len_written >= sizeof(buf) || len_written < 0) { -- /* Output was truncated or an error. */ -+ len = strnlen(szPath, PATH_MAX); -+ if (len >= PATH_MAX) { - return NULL; - } -- return talloc_strdup(mem_ctx, buf); -+ return talloc_strdup(mem_ctx, szPath); - } - - return talloc_strdup(mem_ctx, pwd.pw_dir); --- -2.17.1 - diff --git a/meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch b/meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch deleted file mode 100644 index dcd79044ae..0000000000 --- a/meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 57bd719af1f138f44f71b2078995452582da0da6 Mon Sep 17 00:00:00 2001 -From: Martin Schwenke <martin@meltin.net> -Date: Fri, 5 Jun 2020 21:52:23 +1000 -Subject: [PATCH 2/3] util: Fix build on FreeBSD by avoiding NSS_BUFLEN_PASSWD - -NSS_BUFLEN_PASSWD is not defined on FreeBSD. Use -sysconf(_SC_GETPW_R_SIZE_MAX) instead, as per POSIX. - -Use a dynamically allocated buffer instead of trying to cram all of -the logic into the declarations. This will come in useful later -anyway. - -Signed-off-by: Martin Schwenke <martin@meltin.net> -Reviewed-by: Volker Lendecke <vl@samba.org> -Reviewed-by: Bjoern Jacke <bjacke@samba.org> -(cherry picked from commit 847208cd8ac68c4c7d1dae63767820db1c69292b) - -Upstream-Status:Backport -[https://gitlab.com/samba-team/samba/-/commit/57bd719af1f138f44f71b2078995452582da0da6] - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - lib/util/util_paths.c | 27 ++++++++++++++++++++++----- - 1 file changed, 22 insertions(+), 5 deletions(-) - -diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c -index dec91772d9e..9bc6df37e5d 100644 ---- a/lib/util/util_paths.c -+++ b/lib/util/util_paths.c -@@ -68,24 +68,41 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx) - { - struct passwd pwd = {0}; - struct passwd *pwdbuf = NULL; -- char buf[NSS_BUFLEN_PASSWD] = {0}; -+ char *buf = NULL; -+ char *out = NULL; -+ long int initlen; - size_t len; - int rc; - -- rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf); -+ initlen = sysconf(_SC_GETPW_R_SIZE_MAX); -+ if (initlen == -1) { -+ len = 1024; -+ } else { -+ len = (size_t)initlen; -+ } -+ buf = talloc_size(mem_ctx, len); -+ if (buf == NULL) { -+ return NULL; -+ } -+ -+ rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf); - if (rc != 0 || pwdbuf == NULL ) { - const char *szPath = getenv("HOME"); - if (szPath == NULL) { -- return NULL; -+ goto done; - } - len = strnlen(szPath, PATH_MAX); - if (len >= PATH_MAX) { - return NULL; - } -- return talloc_strdup(mem_ctx, szPath); -+ out = talloc_strdup(mem_ctx, szPath); -+ goto done; - } - -- return talloc_strdup(mem_ctx, pwd.pw_dir); -+ out = talloc_strdup(mem_ctx, pwd.pw_dir); -+done: -+ TALLOC_FREE(buf); -+ return out; - } - - char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d) --- -2.17.1 - diff --git a/meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch b/meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch deleted file mode 100644 index 53a3f67814..0000000000 --- a/meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 016e08ca07f86af9e0131a908a2df116bcb9a48e Mon Sep 17 00:00:00 2001 -From: Martin Schwenke <martin@meltin.net> -Date: Fri, 5 Jun 2020 22:05:42 +1000 -Subject: [PATCH 3/3] util: Reallocate larger buffer if getpwuid_r() returns - ERANGE - -Signed-off-by: Martin Schwenke <martin@meltin.net> -Reviewed-by: Volker Lendecke <vl@samba.org> -Reviewed-by: Bjoern Jacke <bjacke@samba.org> - -Autobuild-User(master): Martin Schwenke <martins@samba.org> -Autobuild-Date(master): Tue Jun 9 21:07:24 UTC 2020 on sn-devel-184 - -(cherry picked from commit ddac6b2eb4adaec8fc5e25ca07387d2b9417764c) - -Upstream-Status:Backport -[https://gitlab.com/samba-team/samba/-/commit/016e08ca07f86af9e0131a908a2df116bcb9a48e] - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - lib/util/util_paths.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c -index 9bc6df37e5d..72cc0aab8de 100644 ---- a/lib/util/util_paths.c -+++ b/lib/util/util_paths.c -@@ -86,6 +86,19 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx) - } - - rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf); -+ while (rc == ERANGE) { -+ size_t newlen = 2 * len; -+ if (newlen < len) { -+ /* Overflow */ -+ goto done; -+ } -+ len = newlen; -+ buf = talloc_realloc_size(mem_ctx, buf, len); -+ if (buf == NULL) { -+ goto done; -+ } -+ rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf); -+ } - if (rc != 0 || pwdbuf == NULL ) { - const char *szPath = getenv("HOME"); - if (szPath == NULL) { --- -2.17.1 - diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch new file mode 100644 index 0000000000..ff1225db07 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch @@ -0,0 +1,142 @@ +From ccf53dfdcd39f3526dbc2f20e1245674155380ff Mon Sep 17 00:00:00 2001 +From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> +Date: Fri, 11 Dec 2020 11:32:44 +0900 +Subject: [PATCH] s4: torture: Add smb2.notify.handle-permissions test. + +s3: smbd: Ensure change notifies can't get set unless the + directory handle is open for SEC_DIR_LIST. + +CVE-2020-14318 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 + +Signed-off-by: Jeremy Allison <jra@samba.org> + +Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> +--- + source3/smbd/notify.c | 8 ++++ + source4/torture/smb2/notify.c | 82 ++++++++++++++++++++++++++++++++++- + 2 files changed, 89 insertions(+), 1 deletion(-) + +diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c +index 44c0b09..d23c03b 100644 +--- a/source3/smbd/notify.c ++++ b/source3/smbd/notify.c +@@ -283,6 +283,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32_t filter, + char fullpath[len+1]; + NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED; + ++ /* ++ * Setting a changenotify needs READ/LIST access ++ * on the directory handle. ++ */ ++ if (!(fsp->access_mask & SEC_DIR_LIST)) { ++ return NT_STATUS_ACCESS_DENIED; ++ } ++ + if (fsp->notify != NULL) { + DEBUG(1, ("change_notify_create: fsp->notify != NULL, " + "fname = %s\n", fsp->fsp_name->base_name)); +diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c +index ebb4f8a..a5c9b94 100644 +--- a/source4/torture/smb2/notify.c ++++ b/source4/torture/smb2/notify.c +@@ -2569,6 +2569,83 @@ done: + return ok; + } + ++/* ++ Test asking for a change notify on a handle without permissions. ++*/ ++ ++#define BASEDIR_HPERM BASEDIR "_HPERM" ++ ++static bool torture_smb2_notify_handle_permissions( ++ struct torture_context *torture, ++ struct smb2_tree *tree) ++{ ++ bool ret = true; ++ NTSTATUS status; ++ union smb_notify notify; ++ union smb_open io; ++ struct smb2_handle h1 = {{0}}; ++ struct smb2_request *req; ++ ++ smb2_deltree(tree, BASEDIR_HPERM); ++ smb2_util_rmdir(tree, BASEDIR_HPERM); ++ ++ torture_comment(torture, ++ "TESTING CHANGE NOTIFY " ++ "ON A HANDLE WITHOUT PERMISSIONS\n"); ++ ++ /* ++ get a handle on the directory ++ */ ++ ZERO_STRUCT(io.smb2); ++ io.generic.level = RAW_OPEN_SMB2; ++ io.smb2.in.create_flags = 0; ++ io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE; ++ io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; ++ io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL; ++ io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ | ++ NTCREATEX_SHARE_ACCESS_WRITE; ++ io.smb2.in.alloc_size = 0; ++ io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE; ++ io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS; ++ io.smb2.in.security_flags = 0; ++ io.smb2.in.fname = BASEDIR_HPERM; ++ ++ status = smb2_create(tree, torture, &io.smb2); ++ CHECK_STATUS(status, NT_STATUS_OK); ++ h1 = io.smb2.out.file.handle; ++ ++ /* ask for a change notify, ++ on file or directory name changes */ ++ ZERO_STRUCT(notify.smb2); ++ notify.smb2.level = RAW_NOTIFY_SMB2; ++ notify.smb2.in.buffer_size = 1000; ++ notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME; ++ notify.smb2.in.file.handle = h1; ++ notify.smb2.in.recursive = true; ++ ++ req = smb2_notify_send(tree, ¬ify.smb2); ++ torture_assert_goto(torture, ++ req != NULL, ++ ret, ++ done, ++ "smb2_notify_send failed\n"); ++ ++ /* ++ * Cancel it, we don't really want to wait. ++ */ ++ smb2_cancel(req); ++ status = smb2_notify_recv(req, torture, ¬ify.smb2); ++ /* Handle h1 doesn't have permissions for ChangeNotify. */ ++ CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); ++ ++done: ++ if (!smb2_util_handle_empty(h1)) { ++ smb2_util_close(tree, h1); ++ } ++ smb2_deltree(tree, BASEDIR_HPERM); ++ return ret; ++} ++ + /* + basic testing of SMB2 change notify + */ +@@ -2602,7 +2679,10 @@ struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx) + torture_smb2_notify_rmdir3); + torture_suite_add_2smb2_test(suite, "rmdir4", + torture_smb2_notify_rmdir4); +- ++ torture_suite_add_1smb2_test(suite, ++ "handle-permissions", ++ torture_smb2_notify_handle_permissions); ++ + suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests"); + + return suite; +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch new file mode 100644 index 0000000000..3341b80a38 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch @@ -0,0 +1,112 @@ +From ff17443fe761eda864d13957bec45f5bac478fe3 Mon Sep 17 00:00:00 2001 +From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> +Date: Fri, 11 Dec 2020 14:34:31 +0900 +Subject: [PATCH] CVE-2020-14383: s4/dns: Ensure variable initialization with + NULL. do not crash when additional data not found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Found by Francis Brosnan Blázquez <francis@aspl.es>. +Based on patches from Francis Brosnan Blázquez <francis@aspl.es> +and Jeremy Allison <jra@samba.org> + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 + +Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> +Reviewed-by: Jeremy Allison <jra@samba.org> + +Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> +Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184 + +(based on commit df98e7db04c901259dd089e20cd557bdbdeaf379) +(based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e + +Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> +--- + .../rpc_server/dnsserver/dcerpc_dnsserver.c | 31 ++++++++++--------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c +index 910de9a1..618c7096 100644 +--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c ++++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c +@@ -1754,15 +1754,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, + TALLOC_CTX *tmp_ctx; + char *name; + const char * const attrs[] = { "name", "dnsRecord", NULL }; +- struct ldb_result *res; +- struct DNS_RPC_RECORDS_ARRAY *recs; ++ struct ldb_result *res = NULL; ++ struct DNS_RPC_RECORDS_ARRAY *recs = NULL; + char **add_names = NULL; +- char *rname; ++ char *rname = NULL; + const char *preference_name = NULL; + int add_count = 0; + int i, ret, len; + WERROR status; +- struct dns_tree *tree, *base, *node; ++ struct dns_tree *tree = NULL; ++ struct dns_tree *base = NULL; ++ struct dns_tree *node = NULL; + + tmp_ctx = talloc_new(mem_ctx); + W_ERROR_HAVE_NO_MEMORY(tmp_ctx); +@@ -1845,15 +1847,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, + } + } + +- talloc_free(res); +- talloc_free(tree); +- talloc_free(name); ++ TALLOC_FREE(res); ++ TALLOC_FREE(tree); ++ TALLOC_FREE(name); + + /* Add any additional records */ + if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) { + for (i=0; i<add_count; i++) { +- struct dnsserver_zone *z2; +- ++ struct dnsserver_zone *z2 = NULL; ++ struct ldb_message *msg = NULL; + /* Search all the available zones for additional name */ + for (z2 = dsstate->zones; z2; z2 = z2->next) { + char *encoded_name; +@@ -1865,14 +1867,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, + LDB_SCOPE_ONELEVEL, attrs, + "(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))", + encoded_name); +- talloc_free(name); ++ TALLOC_FREE(name); + if (ret != LDB_SUCCESS) { + continue; + } + if (res->count == 1) { ++ msg = res->msgs[0]; + break; + } else { +- talloc_free(res); ++ TALLOC_FREE(res); + continue; + } + } +@@ -1885,10 +1888,10 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, + } + status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A, + select_flag, rname, +- res->msgs[0], 0, recs, ++ msg, 0, recs, + NULL, NULL); +- talloc_free(rname); +- talloc_free(res); ++ TALLOC_FREE(rname); ++ TALLOC_FREE(res); + } + } + +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch new file mode 100644 index 0000000000..0d1cbe5ad4 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch @@ -0,0 +1,93 @@ +From 3f62a590b02bf4c888a995017e2575d3b2ec6ac9 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett <abartlet@samba.org> +Date: Tue, 12 Sep 2023 18:59:44 +1200 +Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by + default + +The rpcecho server is useful in development and testing, but should never +have been allowed into production, as it includes the facility to +do a blocking sleep() in the single-threaded rpc worker. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 + +Signed-off-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://www.samba.org/samba/ftp/patches/security/samba-4.17.12-security-2023-10-10.patch] +CVE: CVE-2023-42669 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +- + lib/param/loadparm.c | 2 +- + selftest/target/Samba4.pm | 2 +- + source3/param/loadparm.c | 2 +- + source4/rpc_server/wscript_build | 3 ++- + 5 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +index 8a217cc..c6642b7 100644 +--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml ++++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +@@ -6,6 +6,6 @@ + <para>Specifies which DCE/RPC endpoint servers should be run.</para> + </description> + +-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value> ++<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value> + <value type="example">rpcecho</value> + </samba:parameter> +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 4c3dfff..db4ae5e 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2653,7 +2653,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default"); + lpcfg_do_global_parameter(lp_ctx, "max connections", "0"); + +- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); ++ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); + lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"); + lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true"); + /* the winbind method for domain controllers is for both RODC +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index a7a6c4c..ffa4b95 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -773,7 +773,7 @@ sub provision_raw_step1($$) + wins support = yes + server role = $ctx->{server_role} + server services = +echo $services +- dcerpc endpoint servers = +winreg +srvsvc ++ dcerpc endpoint servers = +winreg +srvsvc +rpcecho + notify:inotify = false + ldb:nosync = true + ldap server require strong auth = yes +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 0db44e9..b052d42 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -877,7 +877,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + + Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL); + +- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); ++ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); + + Globals.tls_enabled = true; + Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE; +diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build +index 510335a..a95e070 100644 +--- a/source4/rpc_server/wscript_build ++++ b/source4/rpc_server/wscript_build +@@ -36,7 +36,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho', + source='echo/rpc_echo.c', + subsystem='dcerpc_server', + init_function='dcerpc_server_rpcecho_init', +- deps='ndr-standard events' ++ deps='ndr-standard events', ++ enabled=bld.CONFIG_GET('ENABLE_SELFTEST') + ) + + +-- +2.25.1 + diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.17.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb index 3ae5afbe95..3b8da2b1cb 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.10.17.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb @@ -28,9 +28,9 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \ file://0002-util_sec.c-Move-__thread-variable-to-global-scope.patch \ file://0001-Add-options-to-configure-the-use-of-libbsd.patch \ file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \ - file://0001-util-Simplify-input-validation.patch \ - file://0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch \ - file://0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch \ + file://CVE-2020-14318.patch \ + file://CVE-2020-14383.patch \ + file://CVE-2023-42669.patch \ " SRC_URI_append_libc-musl = " \ file://samba-pam.patch \ @@ -39,12 +39,16 @@ SRC_URI_append_libc-musl = " \ file://0001-samba-fix-musl-lib-without-innetgr.patch \ " -SRC_URI[md5sum] = "f69cac9ba5035ee60257520a209a0a83" -SRC_URI[sha256sum] = "03dc9758e7bfa2faf7cdeb45b4d40997e2ee16a41e71996aa666bc069e70ba3e" +SRC_URI[md5sum] = "f006a3d1876113e4a049015969d20fe6" +SRC_URI[sha256sum] = "7dcfc2aaaac565b959068788e6a43fc79ce2a03e7d523f5843f7a9fddffc7c2c" UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.10(\.\d+)+).tar.gz" inherit systemd waf-samba cpan-base perlnative update-rc.d + +# CVE-2011-2411 is valnerble only on HP NonStop Servers. +CVE_CHECK_WHITELIST += "CVE-2011-2411" + # remove default added RDEPENDS on perl RDEPENDS_${PN}_remove = "perl" diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0006-check-requirements-get-error.patch b/meta-networking/recipes-connectivity/ufw/ufw/0006-check-requirements-get-error.patch new file mode 100644 index 0000000000..9c268599ff --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0006-check-requirements-get-error.patch @@ -0,0 +1,36 @@ + * check-requirements now gives iptables output on failure. Patch thanks to + S. Nizio. + +Written by Jamie Strandboge <jamie@canonical.com> + +The patch was imported from git://git.launchpad.net/ufw +commit id 9a6d8beb4cb1d1646c7d2a19e4aea9898f4571bb + +Removed ChangeLog patch due to backport status of this patch. + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +--- check-requirements.orig 2012-12-03 16:37:20.214274095 +0100 ++++ ufw-0.33/tests/check-requirements 2012-12-03 16:40:16.298728133 +0100 +@@ -29,14 +29,19 @@ + runtime="yes" + shift 1 + fi +- if $@ >/dev/null 2>&1 ; then ++ local output ret=0 ++ # make sure to always return success below because of set -e ++ output=$( "$@" 2>&1 ) || ret=$? ++ if [ $ret -eq 0 ]; then + echo pass + else + if [ "$runtime" = "yes" ]; then + echo "FAIL (no runtime support)" ++ echo "error was: $output" + error_runtime="yes" + else + echo FAIL ++ echo "error was: $output" + error="yes" + fi + fi diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0007-use-conntrack-instead-of-state-module.patch b/meta-networking/recipes-connectivity/ufw/ufw/0007-use-conntrack-instead-of-state-module.patch new file mode 100644 index 0000000000..7a97773de0 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0007-use-conntrack-instead-of-state-module.patch @@ -0,0 +1,14903 @@ +use conntrack instead of state module. Patch based on work by S. Nizio. + +https://bugs.launchpad.net/ufw/+bug/1065297 + +The patch was imported from git://git.launchpad.net/ufw +commit id 2a24ab2c46a1370d230d380a7b794ac3f8296799 + +Removed ChangeLog patch due to backport status of this patch. + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +diff --git a/README b/README +index 0cc2b2f..fead7c0 100644 +--- a/README ++++ b/README +@@ -24,13 +24,14 @@ Linux kernel configured with the following modules (not exhaustive): + limit + multiport + recent +- state +- +-* python2.5 is no longer supported +-** Systems with iptables below 1.4 will not have IPv6 application rule support. +- ufw will give a warning when users try to use this functionality, but ufw +- will otherwise work fine. ufw is known to work with iptables 1.3.8 in this +- degraded mode. ++ conntrack*** ++ ++* python2.5 is no longer supported ++** Systems with iptables below 1.4 will not have IPv6 application rule ++ support. ufw will give a warning when users try to use this functionality, ++ but ufw will otherwise work fine. ufw is known to work with iptables 1.3.8 ++ in this degraded mode. ++*** As of 0.34, the 'conntrack' modules is used instead of 'state' + + ufw has been widely tested on Linux 2.6.24 and higher kernels. You may also + use the check-requirements script in the tests/ directory to see if your +diff --git a/conf/before.rules b/conf/before.rules +index bc11f36..9917b87 100644 +--- a/conf/before.rules ++++ b/conf/before.rules +@@ -22,12 +22,12 @@ + -A ufw-before-output -o lo -j ACCEPT + + # quickly process packets for which we already have a connection +--A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT +--A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT ++-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ++-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # drop INVALID packets (logs these in loglevel medium and higher) +--A ufw-before-input -m state --state INVALID -j ufw-logging-deny +--A ufw-before-input -m state --state INVALID -j DROP ++-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny ++-A ufw-before-input -m conntrack --ctstate INVALID -j DROP + + # ok icmp codes + -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT +diff --git a/conf/before6.rules b/conf/before6.rules +index fb1a8f1..8b7e4ff 100644 +--- a/conf/before6.rules ++++ b/conf/before6.rules +@@ -34,16 +34,16 @@ + -A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT + + # quickly process packets for which we already have a connection +--A ufw6-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT +--A ufw6-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT ++-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT ++-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + + # for multicast ping replies from link-local addresses (these don't have an + # associated connection and would otherwise be marked INVALID) + -A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT + + # drop INVALID packets (logs these in loglevel medium and higher) +--A ufw6-before-input -m state --state INVALID -j ufw6-logging-deny +--A ufw6-before-input -m state --state INVALID -j DROP ++-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny ++-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP + + # ok icmp codes + -A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT +diff --git a/doc/ufw-framework.8 b/doc/ufw-framework.8 +index d9e3d5a..76403d6 100644 +--- a/doc/ufw-framework.8 ++++ b/doc/ufw-framework.8 +@@ -167,9 +167,9 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have: + net.ipv4.ip_forward=1 + .TP + Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules: +- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\ +- \-j ACCEPT +- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\ ++ \-A ufw\-before\-forward \-m conntrack \\ ++ \-\-ctstate RELATED,ESTABLISHED \-j ACCEPT ++ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\ + \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT + .TP + Add to the end of #CONFIG_PREFIX#/ufw/before.rules, after the *filter section: +@@ -209,13 +209,13 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to have: + net.ipv4.ip_forward=1 + .TP + Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules: +- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\ +- \-j ACCEPT ++ \-A ufw\-before\-forward \-m conntrack \\ ++ \-\-ctstate RELATED,ESTABLISHED \-j ACCEPT + +- \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m state \\ +- \-\-state NEW \-j ACCEPT ++ \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \\ ++ \-m conntrack \-\-ctstate NEW \-j ACCEPT + +- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\ ++ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\ + \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT + + \-A ufw\-before\-forward \-o eth0 \-d 10.0.0.0/8 \-j REJECT +diff --git a/locales/po/ufw.pot b/locales/po/ufw.pot +index fc56838..dc4b8e9 100644 +--- a/locales/po/ufw.pot ++++ b/locales/po/ufw.pot +@@ -8,7 +8,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: \n" +-"POT-Creation-Date: 2012-08-12 10:55-0500\n" ++"POT-Creation-Date: 2012-12-03 14:33-0600\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" + "Language-Team: LANGUAGE <LL@li.org>\n" +@@ -21,7 +21,7 @@ msgstr "" + msgid ": Need at least python 2.6)\n" + msgstr "" + +-#: src/ufw:109 src/frontend.py:575 src/frontend.py:877 ++#: src/ufw:109 src/frontend.py:577 src/frontend.py:879 + msgid "Aborted" + msgstr "" + +@@ -103,7 +103,7 @@ msgstr "" + msgid "New profiles:" + msgstr "" + +-#: src/backend_iptables.py:88 src/backend.py:322 ++#: src/backend_iptables.py:88 src/backend.py:339 + #, python-format + msgid "Unsupported policy '%s'" + msgstr "" +@@ -130,44 +130,44 @@ msgstr "" + msgid "Checking raw ip6tables\n" + msgstr "" + +-#: src/backend_iptables.py:250 ++#: src/backend_iptables.py:253 + msgid "Checking iptables\n" + msgstr "" + +-#: src/backend_iptables.py:252 ++#: src/backend_iptables.py:255 + msgid "Checking ip6tables\n" + msgstr "" + +-#: src/backend_iptables.py:255 src/backend_iptables.py:495 ++#: src/backend_iptables.py:258 src/backend_iptables.py:501 + msgid "problem running" + msgstr "" + +-#: src/backend_iptables.py:261 ++#: src/backend_iptables.py:264 + msgid "Status: inactive" + msgstr "" + +-#: src/backend_iptables.py:397 ++#: src/backend_iptables.py:400 + msgid "To" + msgstr "" + +-#: src/backend_iptables.py:398 ++#: src/backend_iptables.py:401 + msgid "From" + msgstr "" + +-#: src/backend_iptables.py:399 ++#: src/backend_iptables.py:402 + msgid "Action" + msgstr "" + +-#: src/backend_iptables.py:415 ++#: src/backend_iptables.py:418 + msgid "\n" + msgstr "" + +-#: src/backend_iptables.py:423 ++#: src/backend_iptables.py:426 + #, python-format + msgid "Default: %(in)s (incoming), %(out)s (outgoing)" + msgstr "" + +-#: src/backend_iptables.py:427 ++#: src/backend_iptables.py:430 + #, python-format + msgid "" + "Status: active\n" +@@ -176,174 +176,174 @@ msgid "" + "%(app)s%(status)s" + msgstr "" + +-#: src/backend_iptables.py:431 ++#: src/backend_iptables.py:434 + #, python-format + msgid "Status: active%s" + msgstr "" + +-#: src/backend_iptables.py:436 src/backend_iptables.py:446 ++#: src/backend_iptables.py:439 src/backend_iptables.py:449 + msgid "running ufw-init" + msgstr "" + +-#: src/backend_iptables.py:440 src/backend_iptables.py:450 ++#: src/backend_iptables.py:443 src/backend_iptables.py:453 + #, python-format + msgid "" + "problem running ufw-init\n" + "%s" + msgstr "" + +-#: src/backend_iptables.py:459 ++#: src/backend_iptables.py:462 + msgid "Could not set LOGLEVEL" + msgstr "" + +-#: src/backend_iptables.py:465 ++#: src/backend_iptables.py:468 + msgid "Could not load logging rules" + msgstr "" + +-#: src/backend_iptables.py:617 src/backend.py:229 ++#: src/backend_iptables.py:623 src/backend.py:246 + #, python-format + msgid "Couldn't open '%s' for reading" + msgstr "" + +-#: src/backend_iptables.py:626 ++#: src/backend_iptables.py:632 + #, python-format + msgid "Skipping malformed tuple (bad length): %s" + msgstr "" + +-#: src/backend_iptables.py:657 ++#: src/backend_iptables.py:663 + #, python-format + msgid "Skipping malformed tuple: %s" + msgstr "" + +-#: src/backend_iptables.py:679 src/backend.py:260 ++#: src/backend_iptables.py:685 src/backend.py:277 + #, python-format + msgid "'%s' is not writable" + msgstr "" + +-#: src/backend_iptables.py:837 ++#: src/backend_iptables.py:850 + msgid "Adding IPv6 rule failed: IPv6 not enabled" + msgstr "" + +-#: src/backend_iptables.py:841 ++#: src/backend_iptables.py:854 + #, python-format + msgid "Skipping unsupported IPv6 '%s' rule" + msgstr "" + +-#: src/backend_iptables.py:845 ++#: src/backend_iptables.py:858 + #, python-format + msgid "Skipping unsupported IPv4 '%s' rule" + msgstr "" + +-#: src/backend_iptables.py:848 ++#: src/backend_iptables.py:861 + msgid "Must specify 'tcp' or 'udp' with multiple ports" + msgstr "" + +-#: src/backend_iptables.py:860 ++#: src/backend_iptables.py:873 + msgid "Skipping IPv6 application rule. Need at least iptables 1.4" + msgstr "" + +-#: src/backend_iptables.py:865 ++#: src/backend_iptables.py:878 + #, python-format + msgid "Invalid position '%d'" + msgstr "" + +-#: src/backend_iptables.py:869 ++#: src/backend_iptables.py:882 + msgid "Cannot specify insert and delete" + msgstr "" + +-#: src/backend_iptables.py:872 ++#: src/backend_iptables.py:885 + #, python-format + msgid "Cannot insert rule at position '%d'" + msgstr "" + +-#: src/backend_iptables.py:930 ++#: src/backend_iptables.py:943 + msgid "Skipping inserting existing rule" + msgstr "" + +-#: src/backend_iptables.py:941 src/frontend.py:386 ++#: src/backend_iptables.py:954 src/frontend.py:388 + msgid "Could not delete non-existent rule" + msgstr "" + +-#: src/backend_iptables.py:946 ++#: src/backend_iptables.py:959 + msgid "Skipping adding existing rule" + msgstr "" + +-#: src/backend_iptables.py:962 ++#: src/backend_iptables.py:975 + msgid "Couldn't update rules file" + msgstr "" + +-#: src/backend_iptables.py:967 ++#: src/backend_iptables.py:980 + msgid "Rules updated" + msgstr "" + +-#: src/backend_iptables.py:969 ++#: src/backend_iptables.py:982 + msgid "Rules updated (v6)" + msgstr "" + +-#: src/backend_iptables.py:977 ++#: src/backend_iptables.py:990 + msgid "Rule inserted" + msgstr "" + +-#: src/backend_iptables.py:979 ++#: src/backend_iptables.py:992 + msgid "Rule updated" + msgstr "" + +-#: src/backend_iptables.py:989 ++#: src/backend_iptables.py:1002 + msgid " (skipped reloading firewall)" + msgstr "" + +-#: src/backend_iptables.py:992 ++#: src/backend_iptables.py:1005 + msgid "Rule deleted" + msgstr "" + +-#: src/backend_iptables.py:995 ++#: src/backend_iptables.py:1008 + msgid "Rule added" + msgstr "" + +-#: src/backend_iptables.py:1010 src/backend_iptables.py:1098 ++#: src/backend_iptables.py:1023 src/backend_iptables.py:1114 + msgid "Could not update running firewall" + msgstr "" + +-#: src/backend_iptables.py:1065 ++#: src/backend_iptables.py:1078 + #, python-format + msgid "Could not perform '%s'" + msgstr "" + +-#: src/backend_iptables.py:1089 ++#: src/backend_iptables.py:1105 + msgid "Couldn't update rules file for logging" + msgstr "" + +-#: src/backend_iptables.py:1147 src/backend.py:578 ++#: src/backend_iptables.py:1163 src/backend.py:595 + #, python-format + msgid "Invalid log level '%s'" + msgstr "" + +-#: src/backend_iptables.py:1244 ++#: src/backend_iptables.py:1260 + #, python-format + msgid "Could not find '%s'. Aborting" + msgstr "" + +-#: src/backend_iptables.py:1256 ++#: src/backend_iptables.py:1272 + #, python-format + msgid "'%s' already exists. Aborting" + msgstr "" + +-#: src/backend_iptables.py:1262 ++#: src/backend_iptables.py:1278 + #, python-format + msgid "Backing up '%(old)s' to '%(new)s'\n" + msgstr "" + +-#: src/backend_iptables.py:1278 src/backend.py:185 ++#: src/backend_iptables.py:1294 src/backend.py:202 + #, python-format + msgid "Couldn't stat '%s'" + msgstr "" + +-#: src/backend_iptables.py:1283 ++#: src/backend_iptables.py:1299 + #, python-format + msgid "WARN: '%s' is world writable" + msgstr "" + +-#: src/backend_iptables.py:1285 ++#: src/backend_iptables.py:1301 + #, python-format + msgid "WARN: '%s' is world readable" + msgstr "" +@@ -352,102 +352,102 @@ msgstr "" + msgid "Couldn't determine iptables version" + msgstr "" + +-#: src/backend.py:138 ++#: src/backend.py:155 + msgid "Checks disabled" + msgstr "" + +-#: src/backend.py:144 ++#: src/backend.py:161 + msgid "ERROR: this script should not be SUID" + msgstr "" + +-#: src/backend.py:147 ++#: src/backend.py:164 + msgid "ERROR: this script should not be SGID" + msgstr "" + +-#: src/backend.py:152 ++#: src/backend.py:169 + msgid "You need to be root to run this script" + msgstr "" + +-#: src/backend.py:162 ++#: src/backend.py:179 + #, python-format + msgid "'%s' does not exist" + msgstr "" + +-#: src/backend.py:191 ++#: src/backend.py:208 + #, python-format + msgid "uid is %(uid)s but '%(path)s' is owned by %(st_uid)s" + msgstr "" + +-#: src/backend.py:198 ++#: src/backend.py:215 + #, python-format + msgid "%s is world writable!" + msgstr "" + +-#: src/backend.py:202 ++#: src/backend.py:219 + #, python-format + msgid "%s is group writable!" + msgstr "" + +-#: src/backend.py:218 ++#: src/backend.py:235 + #, python-format + msgid "'%(f)s' file '%(name)s' does not exist" + msgstr "" + +-#: src/backend.py:243 ++#: src/backend.py:260 + #, python-format + msgid "Missing policy for '%s'" + msgstr "" + +-#: src/backend.py:247 ++#: src/backend.py:264 + #, python-format + msgid "Invalid policy '%(policy)s' for '%(chain)s'" + msgstr "" + +-#: src/backend.py:254 ++#: src/backend.py:271 + msgid "Invalid option" + msgstr "" + +-#: src/backend.py:325 ++#: src/backend.py:342 + #, python-format + msgid "Default application policy changed to '%s'" + msgstr "" + +-#: src/backend.py:407 ++#: src/backend.py:424 + msgid "No rules found for application profile" + msgstr "" + +-#: src/backend.py:466 ++#: src/backend.py:483 + #, python-format + msgid "Rules updated for profile '%s'" + msgstr "" + +-#: src/backend.py:472 ++#: src/backend.py:489 + msgid "Couldn't update application rules" + msgstr "" + +-#: src/backend.py:494 ++#: src/backend.py:511 + #, python-format + msgid "Found multiple matches for '%s'. Please use exact profile name" + msgstr "" + +-#: src/backend.py:496 ++#: src/backend.py:513 + #, python-format + msgid "Could not find a profile matching '%s'" + msgstr "" + +-#: src/backend.py:562 ++#: src/backend.py:579 + msgid "Logging: " + msgstr "" + +-#: src/backend.py:566 ++#: src/backend.py:583 + msgid "unknown" + msgstr "" + +-#: src/backend.py:596 ++#: src/backend.py:613 + msgid "Logging disabled" + msgstr "" + +-#: src/backend.py:598 ++#: src/backend.py:615 + msgid "Logging enabled" + msgstr "" + +@@ -526,6 +526,7 @@ msgid "" + " %(limit)-31s add limit %(rule)s\n" + " %(delete)-31s delete %(urule)s\n" + " %(insert)-31s insert %(urule)s at %(number)s\n" ++" %(reload)-31s reload firewall\n" + " %(reset)-31s reset firewall\n" + " %(status)-31s show firewall status\n" + " %(statusnum)-31s show firewall status as numbered list of %(rules)s\n" +@@ -540,87 +541,87 @@ msgid "" + " %(appdefault)-31s set default application policy\n" + msgstr "" + +-#: src/frontend.py:160 ++#: src/frontend.py:162 + msgid "n" + msgstr "" + +-#: src/frontend.py:161 ++#: src/frontend.py:163 + msgid "y" + msgstr "" + +-#: src/frontend.py:162 ++#: src/frontend.py:164 + msgid "yes" + msgstr "" + +-#: src/frontend.py:207 ++#: src/frontend.py:209 + msgid "Firewall is active and enabled on system startup" + msgstr "" + +-#: src/frontend.py:214 ++#: src/frontend.py:216 + msgid "Firewall stopped and disabled on system startup" + msgstr "" + +-#: src/frontend.py:265 ++#: src/frontend.py:267 + msgid "Could not get listening status" + msgstr "" + +-#: src/frontend.py:326 ++#: src/frontend.py:328 + msgid "Added user rules (see 'ufw status' for running firewall):" + msgstr "" + +-#: src/frontend.py:329 ++#: src/frontend.py:331 + msgid "" + "\n" + "(None)" + msgstr "" + +-#: src/frontend.py:381 src/frontend.py:479 src/frontend.py:489 ++#: src/frontend.py:383 src/frontend.py:481 src/frontend.py:491 + #, python-format + msgid "Invalid IP version '%s'" + msgstr "" + +-#: src/frontend.py:412 ++#: src/frontend.py:414 + msgid "Invalid position '" + msgstr "" + +-#: src/frontend.py:486 ++#: src/frontend.py:488 + msgid "IPv6 support not enabled" + msgstr "" + +-#: src/frontend.py:497 ++#: src/frontend.py:499 + msgid "Rule changed after normalization" + msgstr "" + +-#: src/frontend.py:521 ++#: src/frontend.py:523 + #, python-format + msgid "Could not back out rule '%s'" + msgstr "" + +-#: src/frontend.py:525 ++#: src/frontend.py:527 + msgid "" + "\n" + "Error applying application rules." + msgstr "" + +-#: src/frontend.py:527 ++#: src/frontend.py:529 + msgid " Some rules could not be unapplied." + msgstr "" + +-#: src/frontend.py:529 ++#: src/frontend.py:531 + msgid " Attempted rules successfully unapplied." + msgstr "" + +-#: src/frontend.py:540 ++#: src/frontend.py:542 + #, python-format + msgid "Could not find rule '%s'" + msgstr "" + +-#: src/frontend.py:545 src/frontend.py:550 ++#: src/frontend.py:547 src/frontend.py:552 + #, python-format + msgid "Could not find rule '%d'" + msgstr "" + +-#: src/frontend.py:562 ++#: src/frontend.py:564 + #, python-format + msgid "" + "Deleting:\n" +@@ -628,93 +629,93 @@ msgid "" + "Proceed with operation (%(yes)s|%(no)s)? " + msgstr "" + +-#: src/frontend.py:593 ++#: src/frontend.py:595 + msgid "Unsupported default policy" + msgstr "" + +-#: src/frontend.py:622 src/frontend.py:767 ++#: src/frontend.py:624 src/frontend.py:769 + msgid "Firewall reloaded" + msgstr "" + +-#: src/frontend.py:624 ++#: src/frontend.py:626 + msgid "Firewall not enabled (skipping reload)" + msgstr "" + +-#: src/frontend.py:641 src/frontend.py:655 src/frontend.py:692 ++#: src/frontend.py:643 src/frontend.py:657 src/frontend.py:694 + msgid "Invalid profile name" + msgstr "" + +-#: src/frontend.py:660 src/frontend.py:842 ++#: src/frontend.py:662 src/frontend.py:844 + #, python-format + msgid "Unsupported action '%s'" + msgstr "" + +-#: src/frontend.py:679 ++#: src/frontend.py:681 + msgid "Available applications:" + msgstr "" + +-#: src/frontend.py:700 ++#: src/frontend.py:702 + #, python-format + msgid "Could not find profile '%s'" + msgstr "" + +-#: src/frontend.py:705 ++#: src/frontend.py:707 + msgid "Invalid profile" + msgstr "" + +-#: src/frontend.py:708 ++#: src/frontend.py:710 + #, python-format + msgid "Profile: %s\n" + msgstr "" + +-#: src/frontend.py:709 ++#: src/frontend.py:711 + #, python-format + msgid "Title: %s\n" + msgstr "" + +-#: src/frontend.py:712 ++#: src/frontend.py:714 + #, python-format + msgid "" + "Description: %s\n" + "\n" + msgstr "" + +-#: src/frontend.py:718 ++#: src/frontend.py:720 + msgid "Ports:" + msgstr "" + +-#: src/frontend.py:720 ++#: src/frontend.py:722 + msgid "Port:" + msgstr "" + +-#: src/frontend.py:769 ++#: src/frontend.py:771 + msgid "Skipped reloading firewall" + msgstr "" + +-#: src/frontend.py:779 ++#: src/frontend.py:781 + msgid "Cannot specify 'all' with '--add-new'" + msgstr "" + +-#: src/frontend.py:794 ++#: src/frontend.py:796 + #, python-format + msgid "Unknown policy '%s'" + msgstr "" + +-#: src/frontend.py:851 ++#: src/frontend.py:853 + #, python-format + msgid "" + "Command may disrupt existing ssh connections. Proceed with operation " + "(%(yes)s|%(no)s)? " + msgstr "" + +-#: src/frontend.py:864 ++#: src/frontend.py:866 + #, python-format + msgid "" + "Resetting all rules to installed defaults. Proceed with operation (%(yes)s|" + "%(no)s)? " + msgstr "" + +-#: src/frontend.py:868 ++#: src/frontend.py:870 + #, python-format + msgid "" + "Resetting all rules to installed defaults. This may disrupt existing ssh " +diff --git a/setup.py b/setup.py +index 6fb3751..1685401 100644 +--- a/setup.py ++++ b/setup.py +@@ -35,7 +35,7 @@ import sys + import shutil + import subprocess + +-ufw_version = '0.33' ++ufw_version = '0.34' + + def cmd(command): + '''Try to execute the given command.''' +diff --git a/src/backend_iptables.py b/src/backend_iptables.py +index 76d8515..478e35c 100644 +--- a/src/backend_iptables.py ++++ b/src/backend_iptables.py +@@ -564,7 +564,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + lstr = '%s -j LOG --log-prefix "[UFW %s] "' % (limit_args, \ + policy) + if not pat_logall.search(s): +- lstr = '-m state --state NEW ' + lstr ++ lstr = '-m conntrack --ctstate NEW ' + lstr + snippets[i] = pat_log.sub(r'\1-j \2\4', s) + snippets.insert(i, pat_log.sub(r'\1-j ' + prefix + \ + '-user-logging-' + suffix, s)) +@@ -580,9 +580,9 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + pat_limit = re.compile(r' -j LIMIT') + for i, s in enumerate(snippets): + if pat_limit.search(s): +- tmp1 = pat_limit.sub(' -m state --state NEW -m recent --set', \ ++ tmp1 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent --set', \ + s) +- tmp2 = pat_limit.sub(' -m state --state NEW -m recent' + \ ++ tmp2 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent' + \ + ' --update --seconds 30 --hitcount 6' + \ + ' -j ' + prefix + '-user-limit', s) + tmp3 = pat_limit.sub(' -j ' + prefix + '-user-limit-accept', s) +@@ -1212,12 +1212,12 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + prefix = "[UFW BLOCK] " + if self.loglevels[level] < self.loglevels["medium"]: + # only log INVALID in medium and higher +- rules_t.append([c, ['-I', c, '-m', 'state', \ +- '--state', 'INVALID', \ ++ rules_t.append([c, ['-I', c, '-m', 'conntrack', \ ++ '--ctstate', 'INVALID', \ + '-j', 'RETURN'] + largs, '']) + else: +- rules_t.append([c, ['-A', c, '-m', 'state', \ +- '--state', 'INVALID', \ ++ rules_t.append([c, ['-A', c, '-m', 'conntrack', \ ++ '--ctstate', 'INVALID', \ + '-j', 'LOG', \ + '--log-prefix', \ + "[UFW AUDIT INVALID] "] + \ +@@ -1236,7 +1236,7 @@ class UFWBackendIptables(ufw.backend.UFWBackend): + + # loglevel medium logs all new packets with limit + if self.loglevels[level] < self.loglevels["high"]: +- largs = ['-m', 'state', '--state', 'NEW'] + limit_args ++ largs = ['-m', 'conntrack', '--ctstate', 'NEW'] + limit_args + + prefix = "[UFW AUDIT] " + for c in self.chains['before']: +diff --git a/src/ufw-init-functions b/src/ufw-init-functions +index f4783e7..c5e0319 100755 +--- a/src/ufw-init-functions ++++ b/src/ufw-init-functions +@@ -251,15 +251,15 @@ ufw_start() { + # add tracking policy + if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then + printf "*filter\n"\ +-"-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT\n"\ +-"-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-input -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\ + "COMMIT\n" | $exe-restore -n || error="yes" + fi + + if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then + printf "*filter\n"\ +-"-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT\n"\ +-"-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\ ++"-A ufw${type}-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\ + "COMMIT\n" | $exe-restore -n || error="yes" + fi + +diff --git a/src/util.py b/src/util.py +index fe9cd5c..bf0a6f6 100644 +--- a/src/util.py ++++ b/src/util.py +@@ -737,12 +737,12 @@ def get_netfilter_capabilities(exe="/sbin/iptables"): + # the stuff we know isn't supported everywhere but we want to support. + + # recent-set +- if test_cap(exe, chain, ['-m', 'state', '--state', 'NEW', \ ++ if test_cap(exe, chain, ['-m', 'conntrack', '--ctstate', 'NEW', \ + '-m', 'recent', '--set']): + caps.append('recent-set') + + # recent-update +- if test_cap(exe, chain, ['-m', 'state', '--state', 'NEW', \ ++ if test_cap(exe, chain, ['-m', 'conntrack', '--ctstate', 'NEW', \ + '-m', 'recent', '--update', \ + '--seconds', '30', \ + '--hitcount', '6']): +diff --git a/tests/bugs/rules/result b/tests/bugs/rules/result +index af2879a..396ff4c 100644 +--- a/tests/bugs/rules/result ++++ b/tests/bugs/rules/result +@@ -28,7 +28,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -73,7 +73,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/check-requirements b/tests/check-requirements +index 613a3c8..ffbe9fc 100755 +--- a/tests/check-requirements ++++ b/tests/check-requirements +@@ -172,24 +172,24 @@ for i in "" 6; do + done + + echo -n "hashlimit: " +- runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT ++ runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m conntrack --ctstate NEW -j ACCEPT + + echo -n "limit: " + runcmd $exe -A $c -m limit --limit 3/min --limit-burst 10 -j ACCEPT + + for j in NEW RELATED ESTABLISHED INVALID; do + echo -n "state ($j): " +- runcmd $exe -A $c -m state --state $j ++ runcmd $exe -A $c -m conntrack --ctstate $j + done + + echo -n "state (new, recent set): " +- runcmd runtime $exe -A $c -m state --state NEW -m recent --set ++ runcmd runtime $exe -A $c -m conntrack --ctstate NEW -m recent --set + + echo -n "state (new, recent update): " +- runcmd runtime $exe -A $c -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT ++ runcmd runtime $exe -A $c -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT + + echo -n "state (new, limit): " +- runcmd $exe -A $c -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT ++ runcmd $exe -A $c -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT + + echo -n "interface (input): " + runcmd $exe -A $c -i eth0 -j ACCEPT +diff --git a/tests/good/apps/result b/tests/good/apps/result +index c6988b0..8b477c2 100644 +--- a/tests/good/apps/result ++++ b/tests/good/apps/result +@@ -717,7 +717,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -760,7 +760,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -803,7 +803,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -847,7 +847,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -890,7 +890,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -931,7 +931,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -974,7 +974,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1017,7 +1017,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1060,7 +1060,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1103,7 +1103,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1146,7 +1146,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1189,7 +1189,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1232,7 +1232,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1276,7 +1276,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1319,7 +1319,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1360,7 +1360,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1403,7 +1403,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1446,7 +1446,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1489,7 +1489,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1532,7 +1532,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1568,8 +1568,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -1577,7 +1577,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1613,8 +1613,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 443 0.0.0.0/0 any 0.0.0.0/0 Apache%20Secure - in +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' + -A ufw-user-input -p tcp --dport 443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Secure' + + ### END RULES ### +@@ -1622,7 +1622,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1658,8 +1658,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 0.0.0.0/0 any 0.0.0.0/0 Apache%20Full - in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full' + + ### END RULES ### +@@ -1667,7 +1667,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1703,11 +1703,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 53 0.0.0.0/0 any 0.0.0.0/0 Bind9 - in +--A ufw-user-input -p tcp --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p tcp --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p udp --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' + + ### END RULES ### +@@ -1715,7 +1715,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1751,8 +1751,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1760,7 +1760,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1791,13 +1791,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1805,7 +1805,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1841,8 +1841,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 0.0.0.0/0 any 0.0.0.0/0 OpenNTPD - in +--A ufw-user-input -p udp --dport 123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp --dport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp --dport 123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -1850,7 +1850,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1886,8 +1886,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 1234,5678 0.0.0.0/0 any 0.0.0.0/0 Multi%20TCP - in +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --dports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20TCP' + + ### END RULES ### +@@ -1895,7 +1895,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1931,8 +1931,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 1234,5678 0.0.0.0/0 any 0.0.0.0/0 Multi%20UDP - in +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --dports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20UDP' + + ### END RULES ### +@@ -1940,7 +1940,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1976,8 +1976,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 8080:8089 0.0.0.0/0 any 0.0.0.0/0 Custom%20Web%20App2 - in +--A ufw-user-input -p tcp -m multiport --dports 8080:8089 -m state --state NEW -m recent --set -m comment --comment 'dapp_Custom%20Web%20App2' +--A ufw-user-input -p tcp -m multiport --dports 8080:8089 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Custom%20Web%20App2' ++-A ufw-user-input -p tcp -m multiport --dports 8080:8089 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Custom%20Web%20App2' ++-A ufw-user-input -p tcp -m multiport --dports 8080:8089 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Custom%20Web%20App2' + -A ufw-user-input -p tcp -m multiport --dports 8080:8089 -j ufw-user-limit-accept -m comment --comment 'dapp_Custom%20Web%20App2' + + ### END RULES ### +@@ -1985,7 +1985,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2029,7 +2029,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2072,7 +2072,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2115,7 +2115,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2159,7 +2159,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2202,7 +2202,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2243,7 +2243,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2286,7 +2286,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2329,7 +2329,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2372,7 +2372,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2415,7 +2415,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2458,7 +2458,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2501,7 +2501,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2545,7 +2545,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2588,7 +2588,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2629,7 +2629,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2672,7 +2672,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2715,7 +2715,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2758,7 +2758,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2801,7 +2801,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2844,7 +2844,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2887,7 +2887,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2931,7 +2931,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2974,7 +2974,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3015,7 +3015,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3058,7 +3058,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3101,7 +3101,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3144,7 +3144,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3187,7 +3187,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3230,7 +3230,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3273,7 +3273,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3317,7 +3317,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3360,7 +3360,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3401,7 +3401,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3444,7 +3444,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3487,7 +3487,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3530,7 +3530,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3573,7 +3573,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3616,7 +3616,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3659,7 +3659,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3700,7 +3700,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3743,7 +3743,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3784,7 +3784,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3827,7 +3827,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3870,7 +3870,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3913,7 +3913,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3956,7 +3956,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3997,7 +3997,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4040,7 +4040,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4081,7 +4081,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4124,7 +4124,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4167,7 +4167,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4208,7 +4208,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4251,7 +4251,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4294,7 +4294,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4337,7 +4337,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4378,7 +4378,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4421,7 +4421,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4462,7 +4462,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4505,7 +4505,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4548,7 +4548,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4591,7 +4591,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4634,7 +4634,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4675,7 +4675,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4718,7 +4718,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4759,7 +4759,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4802,7 +4802,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4845,7 +4845,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4886,7 +4886,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4929,7 +4929,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4972,7 +4972,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5015,7 +5015,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5059,7 +5059,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5102,7 +5102,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5143,7 +5143,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5186,7 +5186,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5229,7 +5229,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5272,7 +5272,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5315,7 +5315,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5358,7 +5358,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5401,7 +5401,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5445,7 +5445,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5488,7 +5488,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5529,7 +5529,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5572,7 +5572,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5615,7 +5615,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5658,7 +5658,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5701,7 +5701,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5744,7 +5744,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5787,7 +5787,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5831,7 +5831,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5874,7 +5874,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5915,7 +5915,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5958,7 +5958,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6001,7 +6001,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6044,7 +6044,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6087,7 +6087,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6130,7 +6130,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6173,7 +6173,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6217,7 +6217,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6260,7 +6260,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6301,7 +6301,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6344,7 +6344,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6387,7 +6387,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6430,7 +6430,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6473,7 +6473,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6516,7 +6516,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6559,7 +6559,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6600,7 +6600,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6643,7 +6643,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6684,7 +6684,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6727,7 +6727,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6770,7 +6770,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6813,7 +6813,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6856,7 +6856,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6897,7 +6897,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6940,7 +6940,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6981,7 +6981,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7024,7 +7024,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7067,7 +7067,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7108,7 +7108,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7151,7 +7151,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7194,7 +7194,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7237,7 +7237,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7278,7 +7278,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7321,7 +7321,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7362,7 +7362,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7405,7 +7405,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7448,7 +7448,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7491,7 +7491,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7534,7 +7534,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7575,7 +7575,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7618,7 +7618,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7659,7 +7659,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7702,7 +7702,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7745,7 +7745,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7786,7 +7786,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7822,8 +7822,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 192.168.0.0/16 any 0.0.0.0/0 Apache - in +--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -7831,7 +7831,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7867,8 +7867,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 443 192.168.0.0/16 any 0.0.0.0/0 Apache%20Secure - in +--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' +--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' + -A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Secure' + + ### END RULES ### +@@ -7876,7 +7876,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7912,8 +7912,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 192.168.0.0/16 any 0.0.0.0/0 Apache%20Full - in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full' + + ### END RULES ### +@@ -7921,7 +7921,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7957,11 +7957,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 53 192.168.0.0/16 any 0.0.0.0/0 Bind9 - in +--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p tcp -d 192.168.0.0/16 --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p udp -d 192.168.0.0/16 --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' + + ### END RULES ### +@@ -7969,7 +7969,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8005,8 +8005,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.0/16 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -8014,7 +8014,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8045,13 +8045,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.0/16 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 192.168.0.0/16 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -8059,7 +8059,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8095,8 +8095,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 192.168.0.0/16 any 0.0.0.0/0 OpenNTPD - in +--A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp -d 192.168.0.0/16 --dport 123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -8104,7 +8104,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8140,8 +8140,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 1234,5678 192.168.0.0/16 any 0.0.0.0/0 Multi%20TCP - in +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20TCP' + + ### END RULES ### +@@ -8149,7 +8149,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8185,8 +8185,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 1234,5678 192.168.0.0/16 any 0.0.0.0/0 Multi%20UDP - in +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --dports 1234,5678 -d 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20UDP' + + ### END RULES ### +@@ -8194,7 +8194,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8230,8 +8230,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -8239,7 +8239,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8275,8 +8275,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 443 0.0.0.0/0 any 0.0.0.0/0 Apache%20Secure - in +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Secure' ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Secure' + -A ufw-user-input -p tcp --dport 443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Secure' + + ### END RULES ### +@@ -8284,7 +8284,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8320,8 +8320,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 0.0.0.0/0 any 0.0.0.0/0 Apache%20Full - in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full' + + ### END RULES ### +@@ -8329,7 +8329,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8365,11 +8365,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 53 0.0.0.0/0 any 0.0.0.0/0 Bind9 - in +--A ufw-user-input -p tcp --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p tcp --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p tcp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p tcp --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp --dport 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9' +--A ufw-user-input -p udp --dport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp --dport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9' ++-A ufw-user-input -p udp --dport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9' + -A ufw-user-input -p udp --dport 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9' + + ### END RULES ### +@@ -8377,7 +8377,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8413,8 +8413,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -8422,7 +8422,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8453,13 +8453,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -8467,7 +8467,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8503,8 +8503,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 0.0.0.0/0 any 0.0.0.0/0 OpenNTPD - in +--A ufw-user-input -p udp --dport 123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp --dport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp --dport 123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -8512,7 +8512,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8548,8 +8548,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 1234,5678 0.0.0.0/0 any 0.0.0.0/0 Multi%20TCP - in +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --dports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20TCP' + + ### END RULES ### +@@ -8557,7 +8557,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8593,8 +8593,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 1234,5678 0.0.0.0/0 any 0.0.0.0/0 Multi%20UDP - in +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --dports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --dports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --dports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'dapp_Multi%20UDP' + + ### END RULES ### +@@ -8602,7 +8602,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8638,8 +8638,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80 192.168.0.0/16 - Apache in +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache' +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' + -A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 80 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache' + + ### END RULES ### +@@ -8647,7 +8647,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8683,8 +8683,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 443 192.168.0.0/16 - Apache%20Secure in +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache%20Secure' +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Secure' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache%20Secure' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Secure' + -A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 443 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache%20Secure' + + ### END RULES ### +@@ -8692,7 +8692,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8728,8 +8728,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80,443 192.168.0.0/16 - Apache%20Full in +--A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --sports 80,443 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache%20Full' + + ### END RULES ### +@@ -8737,7 +8737,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8773,11 +8773,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 53 192.168.0.0/16 - Bind9 in +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -m state --state NEW -m recent --set -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' + -A ufw-user-input -p tcp -s 192.168.0.0/16 --sport 53 -j ufw-user-limit-accept -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -m state --state NEW -m recent --set -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' + -A ufw-user-input -p udp -s 192.168.0.0/16 --sport 53 -j ufw-user-limit-accept -m comment --comment 'sapp_Bind9' + + ### END RULES ### +@@ -8785,7 +8785,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8821,8 +8821,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 137,138 192.168.0.0/16 - Samba in +--A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -8830,7 +8830,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8861,13 +8861,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 137,138 192.168.0.0/16 - Samba in +--A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --sports 137,138 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp any 0.0.0.0/0 139,445 192.168.0.0/16 - Samba in +--A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p tcp -m multiport --sports 139,445 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -8875,7 +8875,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8911,8 +8911,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 123 192.168.0.0/16 - OpenNTPD in +--A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -m state --state NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' +--A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' + -A ufw-user-input -p udp -s 192.168.0.0/16 --sport 123 -j ufw-user-limit-accept -m comment --comment 'sapp_OpenNTPD' + + ### END RULES ### +@@ -8920,7 +8920,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8956,8 +8956,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 1234,5678 192.168.0.0/16 - Multi%20TCP in +--A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Multi%20TCP' + + ### END RULES ### +@@ -8965,7 +8965,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9001,8 +9001,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 1234,5678 192.168.0.0/16 - Multi%20UDP in +--A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m state --state NEW -m recent --set -m comment --comment 'sapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --sports 1234,5678 -s 192.168.0.0/16 -j ufw-user-limit-accept -m comment --comment 'sapp_Multi%20UDP' + + ### END RULES ### +@@ -9010,7 +9010,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9046,8 +9046,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80 0.0.0.0/0 - Apache in +--A ufw-user-input -p tcp --sport 80 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache' +--A ufw-user-input -p tcp --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp --sport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' + -A ufw-user-input -p tcp --sport 80 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache' + + ### END RULES ### +@@ -9055,7 +9055,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9091,8 +9091,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 443 0.0.0.0/0 - Apache%20Secure in +--A ufw-user-input -p tcp --sport 443 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache%20Secure' +--A ufw-user-input -p tcp --sport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Secure' ++-A ufw-user-input -p tcp --sport 443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache%20Secure' ++-A ufw-user-input -p tcp --sport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Secure' + -A ufw-user-input -p tcp --sport 443 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache%20Secure' + + ### END RULES ### +@@ -9100,7 +9100,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9136,8 +9136,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80,443 0.0.0.0/0 - Apache%20Full in +--A ufw-user-input -p tcp -m multiport --sports 80,443 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --sports 80,443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --sports 80,443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --sports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --sports 80,443 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache%20Full' + + ### END RULES ### +@@ -9145,7 +9145,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9181,11 +9181,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 53 0.0.0.0/0 - Bind9 in +--A ufw-user-input -p tcp --sport 53 -m state --state NEW -m recent --set -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p tcp --sport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p tcp --sport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p tcp --sport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' + -A ufw-user-input -p tcp --sport 53 -j ufw-user-limit-accept -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p udp --sport 53 -m state --state NEW -m recent --set -m comment --comment 'sapp_Bind9' +--A ufw-user-input -p udp --sport 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p udp --sport 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Bind9' ++-A ufw-user-input -p udp --sport 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Bind9' + -A ufw-user-input -p udp --sport 53 -j ufw-user-limit-accept -m comment --comment 'sapp_Bind9' + + ### END RULES ### +@@ -9193,7 +9193,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9229,8 +9229,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +--A ufw-user-input -p udp -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -9238,7 +9238,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9269,13 +9269,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +--A ufw-user-input -p udp -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp any 0.0.0.0/0 139,445 0.0.0.0/0 - Samba in +--A ufw-user-input -p tcp -m multiport --sports 139,445 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p tcp -m multiport --sports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p tcp -m multiport --sports 139,445 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -9283,7 +9283,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9319,8 +9319,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 123 0.0.0.0/0 - OpenNTPD in +--A ufw-user-input -p udp --sport 123 -m state --state NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' +--A ufw-user-input -p udp --sport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp --sport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp --sport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' + -A ufw-user-input -p udp --sport 123 -j ufw-user-limit-accept -m comment --comment 'sapp_OpenNTPD' + + ### END RULES ### +@@ -9328,7 +9328,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9364,8 +9364,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 1234,5678 0.0.0.0/0 - Multi%20TCP in +--A ufw-user-input -p tcp -m multiport --sports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'sapp_Multi%20TCP' +--A ufw-user-input -p tcp -m multiport --sports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --sports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Multi%20TCP' ++-A ufw-user-input -p tcp -m multiport --sports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20TCP' + -A ufw-user-input -p tcp -m multiport --sports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'sapp_Multi%20TCP' + + ### END RULES ### +@@ -9373,7 +9373,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9409,8 +9409,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 1234,5678 0.0.0.0/0 - Multi%20UDP in +--A ufw-user-input -p udp -m multiport --sports 1234,5678 -m state --state NEW -m recent --set -m comment --comment 'sapp_Multi%20UDP' +--A ufw-user-input -p udp -m multiport --sports 1234,5678 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --sports 1234,5678 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Multi%20UDP' ++-A ufw-user-input -p udp -m multiport --sports 1234,5678 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Multi%20UDP' + -A ufw-user-input -p udp -m multiport --sports 1234,5678 -j ufw-user-limit-accept -m comment --comment 'sapp_Multi%20UDP' + + ### END RULES ### +@@ -9418,7 +9418,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9454,8 +9454,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 8080 192.168.0.2 80 192.168.0.1 - Apache in +--A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache' +--A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' + -A ufw-user-input -p tcp -d 192.168.0.2 --dport 8080 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache' + + ### END RULES ### +@@ -9463,7 +9463,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9499,8 +9499,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 10123 192.168.0.2 123 192.168.0.1 - OpenNTPD in +--A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -m state --state NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' +--A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' + -A ufw-user-input -p udp -d 192.168.0.2 --dport 10123 -s 192.168.0.1 --sport 123 -j ufw-user-limit-accept -m comment --comment 'sapp_OpenNTPD' + + ### END RULES ### +@@ -9508,7 +9508,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9544,8 +9544,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 53 192.168.0.2 137,138 192.168.0.1 Bind9 Samba in +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### END RULES ### +@@ -9553,7 +9553,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9584,13 +9584,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 53 192.168.0.2 137,138 192.168.0.1 Bind9 Samba in +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### tuple ### limit tcp 53 192.168.0.2 139,445 192.168.0.1 Bind9 Samba in +--A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### END RULES ### +@@ -9598,7 +9598,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9634,8 +9634,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 22 192.168.0.2 137,138 192.168.0.1 - Samba in +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -9643,7 +9643,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9674,13 +9674,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 22 192.168.0.2 137,138 192.168.0.1 - Samba in +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp 22 192.168.0.2 139,445 192.168.0.1 - Samba in +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -9688,7 +9688,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9724,8 +9724,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 192.168.0.2 80 192.168.0.1 Apache%20Full Apache in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full,sapp_Apache' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full,sapp_Apache' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full,sapp_Apache' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full,sapp_Apache' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -d 192.168.0.2 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full,sapp_Apache' + + ### END RULES ### +@@ -9733,7 +9733,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9769,8 +9769,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 192.168.0.1 8080 192.168.0.2 Apache - in +--A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 80 -s 192.168.0.2 --sport 8080 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -9778,7 +9778,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9814,8 +9814,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 192.168.0.1 10123 192.168.0.2 OpenNTPD - in +--A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp -d 192.168.0.1 --dport 123 -s 192.168.0.2 --sport 10123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -9823,7 +9823,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9859,8 +9859,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 53 192.168.0.2 Samba Bind9 in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### END RULES ### +@@ -9868,7 +9868,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9899,13 +9899,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 53 192.168.0.2 Samba Bind9 in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### tuple ### limit tcp 139,445 192.168.0.1 53 192.168.0.2 Samba Bind9 in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### END RULES ### +@@ -9913,7 +9913,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9949,8 +9949,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 22 192.168.0.2 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -9958,7 +9958,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9989,13 +9989,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 22 192.168.0.2 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 192.168.0.1 22 192.168.0.2 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -10003,7 +10003,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10039,8 +10039,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 192.168.0.1 80,443 192.168.0.2 Apache Apache%20Full in +--A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache,sapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache,sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache,sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache,sapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -d 192.168.0.1 -s 192.168.0.2 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache,sapp_Apache%20Full' + + ### END RULES ### +@@ -10048,7 +10048,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10084,8 +10084,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -10093,7 +10093,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10124,13 +10124,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 192.168.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### limit tcp 139,445 192.168.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 192.168.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -10138,7 +10138,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10174,8 +10174,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 8080 0.0.0.0/0 80 0.0.0.0/0 - Apache in +--A ufw-user-input -p tcp --dport 8080 --sport 80 -m state --state NEW -m recent --set -m comment --comment 'sapp_Apache' +--A ufw-user-input -p tcp --dport 8080 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp --dport 8080 --sport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Apache' ++-A ufw-user-input -p tcp --dport 8080 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Apache' + -A ufw-user-input -p tcp --dport 8080 --sport 80 -j ufw-user-limit-accept -m comment --comment 'sapp_Apache' + + ### END RULES ### +@@ -10183,7 +10183,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10219,8 +10219,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 10123 0.0.0.0/0 123 0.0.0.0/0 - OpenNTPD in +--A ufw-user-input -p udp --dport 10123 --sport 123 -m state --state NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' +--A ufw-user-input -p udp --dport 10123 --sport 123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 10123 --sport 123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 10123 --sport 123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_OpenNTPD' + -A ufw-user-input -p udp --dport 10123 --sport 123 -j ufw-user-limit-accept -m comment --comment 'sapp_OpenNTPD' + + ### END RULES ### +@@ -10228,7 +10228,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10264,8 +10264,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 53 0.0.0.0/0 137,138 0.0.0.0/0 Bind9 Samba in +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### END RULES ### +@@ -10273,7 +10273,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10304,13 +10304,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 53 0.0.0.0/0 137,138 0.0.0.0/0 Bind9 Samba in +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 53 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### tuple ### limit tcp 53 0.0.0.0/0 139,445 0.0.0.0/0 Bind9 Samba in +--A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Bind9,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Bind9,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 53 -m multiport --sports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Bind9,sapp_Samba' + + ### END RULES ### +@@ -10318,7 +10318,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10354,8 +10354,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 22 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -10363,7 +10363,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10394,13 +10394,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 22 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 22 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp 22 0.0.0.0/0 139,445 0.0.0.0/0 - Samba in +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 139,445 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### END RULES ### +@@ -10408,7 +10408,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10444,8 +10444,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80,443 0.0.0.0/0 80 0.0.0.0/0 Apache%20Full Apache in +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache%20Full,sapp_Apache' +--A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full,sapp_Apache' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache%20Full,sapp_Apache' ++-A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache%20Full,sapp_Apache' + -A ufw-user-input -p tcp -m multiport --dports 80,443 -m multiport --sports 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache%20Full,sapp_Apache' + + ### END RULES ### +@@ -10453,7 +10453,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10489,8 +10489,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 0.0.0.0/0 8080 0.0.0.0/0 Apache - in +--A ufw-user-input -p tcp --dport 80 --sport 8080 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 --sport 8080 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 --sport 8080 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 --sport 8080 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 --sport 8080 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### END RULES ### +@@ -10498,7 +10498,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10534,8 +10534,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 123 0.0.0.0/0 10123 0.0.0.0/0 OpenNTPD - in +--A ufw-user-input -p udp --dport 123 --sport 10123 -m state --state NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' +--A ufw-user-input -p udp --dport 123 --sport 10123 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 --sport 10123 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_OpenNTPD' ++-A ufw-user-input -p udp --dport 123 --sport 10123 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_OpenNTPD' + -A ufw-user-input -p udp --dport 123 --sport 10123 -j ufw-user-limit-accept -m comment --comment 'dapp_OpenNTPD' + + ### END RULES ### +@@ -10543,7 +10543,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10579,8 +10579,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 53 0.0.0.0/0 Samba Bind9 in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### END RULES ### +@@ -10588,7 +10588,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10619,13 +10619,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 53 0.0.0.0/0 Samba Bind9 in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 53 0.0.0.0/0 Samba Bind9 in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Bind9' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Bind9' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 53 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Bind9' + + ### END RULES ### +@@ -10633,7 +10633,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10669,8 +10669,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 22 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -10678,7 +10678,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10709,13 +10709,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 22 0.0.0.0/0 Samba - in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 22 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 22 0.0.0.0/0 Samba - in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 22 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -10723,7 +10723,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10759,8 +10759,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 80 0.0.0.0/0 80,443 0.0.0.0/0 Apache Apache%20Full in +--A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache,sapp_Apache%20Full' +--A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache,sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache,sapp_Apache%20Full' ++-A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache,sapp_Apache%20Full' + -A ufw-user-input -p tcp -m multiport --dports 80 -m multiport --sports 80,443 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache,sapp_Apache%20Full' + + ### END RULES ### +@@ -10768,7 +10768,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10804,8 +10804,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 137,138 0.0.0.0/0 Samba Samba in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -10813,7 +10813,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10844,13 +10844,13 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 0.0.0.0/0 137,138 0.0.0.0/0 Samba Samba in +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 139,445 0.0.0.0/0 Samba Samba in +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -10858,7 +10858,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10902,7 +10902,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10945,7 +10945,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10994,7 +10994,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11042,7 +11042,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11083,7 +11083,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11140,7 +11140,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11181,7 +11181,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11252,7 +11252,7 @@ TESTING INSERT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11299,7 +11299,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11389,7 +11389,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11445,7 +11445,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11508,7 +11508,7 @@ TESTING APPLICATION INTEGRATION (interfaces) + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11552,7 +11552,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11614,7 +11614,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11658,7 +11658,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11698,33 +11698,33 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 any 0.0.0.0/0 Samba - in_eth0 +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 192.168.0.1 any 0.0.0.0/0 Samba - in_eth0 +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit udp any 0.0.0.0/0 137,138 10.0.0.1 - Samba in_eth0 +--A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -i eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp any 0.0.0.0/0 139,445 10.0.0.1 - Samba in_eth0 +--A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-input -i eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 10.0.0.1 Samba - in_eth0 +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 10.0.0.1 Samba - in_eth0 +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -11732,7 +11732,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11776,7 +11776,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11838,7 +11838,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11882,7 +11882,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11942,7 +11942,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11986,7 +11986,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12048,7 +12048,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12092,7 +12092,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12154,7 +12154,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12198,7 +12198,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12238,33 +12238,33 @@ COMMIT + ### RULES ### + + ### tuple ### limit udp 137,138 192.168.0.1 any 0.0.0.0/0 Samba - out_eth0 +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 192.168.0.1 any 0.0.0.0/0 Samba - out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit udp any 0.0.0.0/0 137,138 10.0.0.1 - Samba out_eth0 +--A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --sports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit tcp any 0.0.0.0/0 139,445 10.0.0.1 - Samba out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'sapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'sapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'sapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --sports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'sapp_Samba' + + ### tuple ### limit udp 137,138 0.0.0.0/0 any 10.0.0.1 Samba - out_eth0 +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 10.0.0.1 Samba - out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -12272,7 +12272,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12316,7 +12316,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12378,7 +12378,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12422,7 +12422,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12482,7 +12482,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12526,7 +12526,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/good/logging/result b/tests/good/logging/result +index 6714e12..4b23f9a 100644 +--- a/tests/good/logging/result ++++ b/tests/good/logging/result +@@ -102,69 +102,69 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log tcp 25 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 25 -j ACCEPT + + ### tuple ### allow_log udp 69 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p udp --dport 69 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 69 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 69 -j ACCEPT + + ### tuple ### allow_log any 443 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 443 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 443 -j ACCEPT + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-logging-input -p tcp --dport 80 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 80 -j ACCEPT -m comment --comment 'dapp_Apache' + + ### tuple ### allow_log tcp 25 10.0.0.1 25 192.168.0.1 in +--A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ACCEPT + + ### tuple ### allow_log udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ACCEPT -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### allow_log tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ACCEPT -m comment --comment 'dapp_Samba,sapp_Samba' +@@ -175,12 +175,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -245,12 +245,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -383,12 +383,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -453,12 +453,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -518,69 +518,69 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j DROP +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log tcp 25 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 25 -j DROP + + ### tuple ### deny_log udp 69 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p udp --dport 69 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 69 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 69 -j DROP + + ### tuple ### deny_log any 443 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 443 -j DROP +--A ufw-user-logging-input -p udp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 443 -j DROP + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-logging-input -p tcp --dport 80 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 80 -j DROP -m comment --comment 'dapp_Apache' + + ### tuple ### deny_log tcp 25 10.0.0.1 25 192.168.0.1 in +--A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j DROP + + ### tuple ### deny_log udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j DROP -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### deny_log tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j DROP -m comment --comment 'dapp_Samba,sapp_Samba' +@@ -591,12 +591,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -661,12 +661,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -799,12 +799,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -869,12 +869,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -934,95 +934,95 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log tcp 25 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 25 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 69 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p udp --dport 69 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 69 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 69 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 69 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 69 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 69 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 69 -j ufw-user-limit-accept + + ### tuple ### limit_log any 443 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 443 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 443 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 443 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 443 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-logging-input -p tcp --dport 80 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### tuple ### limit_log tcp 25 10.0.0.1 25 192.168.0.1 in +--A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### limit_log tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -1031,12 +1031,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1101,12 +1101,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1169,92 +1169,92 @@ contents of user*.rules: + -A ufw-user-logging-input -p tcp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log-all tcp 25 0.0.0.0/0 any 0.0.0.0/0 in + -A ufw-user-logging-input -p tcp --dport 25 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 25 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 69 0.0.0.0/0 any 0.0.0.0/0 in + -A ufw-user-logging-input -p udp --dport 69 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 69 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 69 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 69 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 69 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 69 -j ufw-user-limit-accept + + ### tuple ### limit_log-all any 443 0.0.0.0/0 any 0.0.0.0/0 in + -A ufw-user-logging-input -p tcp --dport 443 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 443 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 443 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 443 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 443 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 443 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 443 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 443 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in + -A ufw-user-logging-input -p tcp --dport 80 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set -m comment --comment 'dapp_Apache' +--A ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Apache' ++-A ufw-user-input -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Apache' + -A ufw-user-input -p tcp --dport 80 -j ufw-user-limit-accept -m comment --comment 'dapp_Apache' + + ### tuple ### limit_log-all tcp 25 10.0.0.1 25 192.168.0.1 in + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba,sapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba,sapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba,sapp_Samba' + + ### END RULES ### +@@ -1263,12 +1263,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1333,12 +1333,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1398,69 +1398,69 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### reject_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log tcp 25 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 25 -j RETURN + -A ufw-user-input -p tcp --dport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 25 -j REJECT --reject-with tcp-reset + + ### tuple ### reject_log udp 69 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p udp --dport 69 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 69 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 69 -j RETURN + -A ufw-user-input -p udp --dport 69 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 69 -j REJECT + + ### tuple ### reject_log any 443 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 443 -j RETURN + -A ufw-user-input -p tcp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 443 -j REJECT --reject-with tcp-reset +--A ufw-user-logging-input -p udp --dport 443 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 443 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 443 -j RETURN + -A ufw-user-input -p udp --dport 443 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 443 -j REJECT + + ### tuple ### reject_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 80 0.0.0.0/0 any 0.0.0.0/0 Apache - in +--A ufw-user-logging-input -p tcp --dport 80 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 80 -j RETURN + -A ufw-user-input -p tcp --dport 80 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 80 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Apache' + + ### tuple ### reject_log tcp 25 10.0.0.1 25 192.168.0.1 in +--A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j RETURN + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j ufw-user-logging-input + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 25 -j REJECT --reject-with tcp-reset + + ### tuple ### reject_log udp 137,138 10.0.0.1 137,138 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -m multiport --sports 137,138 -d 10.0.0.1 -s 192.168.0.1 -j REJECT -m comment --comment 'dapp_Samba,sapp_Samba' + + ### tuple ### reject_log tcp 139,445 10.0.0.1 139,445 192.168.0.1 Samba Samba in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -m multiport --sports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba,sapp_Samba' +@@ -1471,12 +1471,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1541,12 +1541,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1679,12 +1679,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1749,12 +1749,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1797,13 +1797,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1820,12 +1820,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1867,19 +1867,19 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log-all tcp 23 10.0.0.1 any 192.168.0.1 in +@@ -1894,12 +1894,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -1946,12 +1946,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -2006,13 +2006,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -A ufw-user-input -i eth0 -j ufw-user-logging-input + -A ufw-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 in_eth0 +--A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -A ufw-user-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j ufw-user-logging-input + -A ufw-user-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j ACCEPT +@@ -2024,13 +2024,13 @@ contents of user*.rules: + -A ufw-user-input -i eth0 -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j DROP + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -A ufw-user-output -o eth0 -j ufw-user-logging-output + -A ufw-user-output -o eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 out_eth0 +--A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -A ufw-user-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j ufw-user-logging-output + -A ufw-user-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j ACCEPT +@@ -2047,12 +2047,12 @@ contents of user*.rules: + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -2163,7 +2163,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2211,12 +2211,12 @@ WARN: Checks disabled + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 +--I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m state --state NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 ++-I ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] " -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### + + ### RATE LIMITING ### +@@ -2262,7 +2262,7 @@ WARN: Checks disabled + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " + -I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " -m limit --limit 3/min --limit-burst 10 +@@ -2313,7 +2313,7 @@ WARN: Checks disabled + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " + -I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " +@@ -2364,7 +2364,7 @@ WARN: Checks disabled + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " +--A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " ++-A ufw-logging-deny -m conntrack --ctstate INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] " + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " + -I ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] " +diff --git a/tests/good/rules/result b/tests/good/rules/result +index 7c1570a..e4b918c 100644 +--- a/tests/good/rules/result ++++ b/tests/good/rules/result +@@ -29,7 +29,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -72,7 +72,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -115,7 +115,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -158,7 +158,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -201,7 +201,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -244,7 +244,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -284,7 +284,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -320,8 +320,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 22 -j ufw-user-limit-accept + + ### END RULES ### +@@ -329,7 +329,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -373,7 +373,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -416,7 +416,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -459,7 +459,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -502,7 +502,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -545,7 +545,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -588,7 +588,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -631,7 +631,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -676,7 +676,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -719,7 +719,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -763,7 +763,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -806,7 +806,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -849,7 +849,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -889,7 +889,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -929,7 +929,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -969,7 +969,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1012,7 +1012,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1052,7 +1052,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1095,7 +1095,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1135,7 +1135,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1178,7 +1178,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1218,7 +1218,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1261,7 +1261,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1301,7 +1301,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1345,7 +1345,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1385,7 +1385,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1428,7 +1428,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1468,7 +1468,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1511,7 +1511,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1551,7 +1551,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1595,7 +1595,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1635,7 +1635,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1678,7 +1678,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1718,7 +1718,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1761,7 +1761,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1801,7 +1801,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1845,7 +1845,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1885,7 +1885,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1929,7 +1929,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1969,7 +1969,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2013,7 +2013,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2053,7 +2053,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2097,7 +2097,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2137,7 +2137,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2181,7 +2181,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2221,7 +2221,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2264,7 +2264,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2304,7 +2304,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2347,7 +2347,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2387,7 +2387,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2430,7 +2430,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2470,7 +2470,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2513,7 +2513,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2553,7 +2553,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2596,7 +2596,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2636,7 +2636,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2679,7 +2679,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2719,7 +2719,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2762,7 +2762,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2802,7 +2802,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2845,7 +2845,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2885,7 +2885,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2928,7 +2928,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2968,7 +2968,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3011,7 +3011,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3051,7 +3051,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3094,7 +3094,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3134,7 +3134,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3177,7 +3177,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3217,7 +3217,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3260,7 +3260,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3300,7 +3300,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3344,7 +3344,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3384,7 +3384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3428,7 +3428,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3468,7 +3468,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3512,7 +3512,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3552,7 +3552,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3596,7 +3596,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3636,7 +3636,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3680,7 +3680,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3720,7 +3720,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3763,7 +3763,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3803,7 +3803,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3846,7 +3846,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3886,7 +3886,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3929,7 +3929,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3969,7 +3969,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4012,7 +4012,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4052,7 +4052,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4095,7 +4095,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4135,7 +4135,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4178,7 +4178,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4218,7 +4218,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4261,7 +4261,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4301,7 +4301,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4344,7 +4344,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4384,7 +4384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4427,7 +4427,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4467,7 +4467,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4510,7 +4510,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4550,7 +4550,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4586,8 +4586,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 any 192.168.0.1 in +--A ufw-user-input -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4595,7 +4595,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4635,7 +4635,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4671,8 +4671,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -d 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -d 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -d 10.0.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4680,7 +4680,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4720,7 +4720,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4756,8 +4756,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4765,7 +4765,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4805,7 +4805,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4841,11 +4841,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4853,7 +4853,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4893,7 +4893,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4929,11 +4929,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept + + ### END RULES ### +@@ -4941,7 +4941,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4981,7 +4981,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5017,11 +5017,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5029,7 +5029,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5069,7 +5069,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5105,11 +5105,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5117,7 +5117,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5157,7 +5157,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5193,11 +5193,11 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit any 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5205,7 +5205,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5245,7 +5245,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5281,8 +5281,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5290,7 +5290,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5330,7 +5330,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5366,8 +5366,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5375,7 +5375,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5415,7 +5415,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5451,8 +5451,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5460,7 +5460,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5500,7 +5500,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5536,8 +5536,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5545,7 +5545,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5585,7 +5585,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5621,8 +5621,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5630,7 +5630,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5670,7 +5670,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5706,8 +5706,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5715,7 +5715,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5755,7 +5755,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5791,8 +5791,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5800,7 +5800,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5840,7 +5840,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5876,8 +5876,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5885,7 +5885,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5925,7 +5925,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5961,8 +5961,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5970,7 +5970,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6010,7 +6010,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6046,8 +6046,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -6055,7 +6055,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6095,7 +6095,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6139,7 +6139,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6179,7 +6179,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6222,7 +6222,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6262,7 +6262,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6305,7 +6305,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6345,7 +6345,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6388,7 +6388,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6428,7 +6428,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6471,7 +6471,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6511,7 +6511,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6554,7 +6554,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6594,7 +6594,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6637,7 +6637,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6677,7 +6677,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6720,7 +6720,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6760,7 +6760,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6803,7 +6803,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6843,7 +6843,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6886,7 +6886,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6926,7 +6926,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6970,7 +6970,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7010,7 +7010,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7054,7 +7054,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7094,7 +7094,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7138,7 +7138,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7178,7 +7178,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7221,7 +7221,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7261,7 +7261,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7304,7 +7304,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7344,7 +7344,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7387,7 +7387,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7427,7 +7427,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7470,7 +7470,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7510,7 +7510,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7553,7 +7553,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7593,7 +7593,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7636,7 +7636,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7676,7 +7676,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7719,7 +7719,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7759,7 +7759,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7802,7 +7802,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7842,7 +7842,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7885,7 +7885,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7925,7 +7925,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7968,7 +7968,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8008,7 +8008,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8051,7 +8051,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8091,7 +8091,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8134,7 +8134,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8174,7 +8174,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8217,7 +8217,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8257,7 +8257,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8300,7 +8300,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8340,7 +8340,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8383,7 +8383,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8423,7 +8423,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8466,7 +8466,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8506,7 +8506,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8550,7 +8550,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8594,7 +8594,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8637,7 +8637,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8680,7 +8680,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8724,7 +8724,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8767,7 +8767,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8810,7 +8810,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8854,7 +8854,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8898,7 +8898,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8941,7 +8941,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -8984,7 +8984,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9027,7 +9027,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9070,7 +9070,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9113,7 +9113,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9156,7 +9156,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9199,7 +9199,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9242,7 +9242,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9285,7 +9285,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9328,7 +9328,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9371,7 +9371,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9414,7 +9414,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9457,7 +9457,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9500,7 +9500,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9543,7 +9543,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9586,7 +9586,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9629,7 +9629,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9672,7 +9672,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9715,7 +9715,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9758,7 +9758,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9801,7 +9801,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9844,7 +9844,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9887,7 +9887,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9930,7 +9930,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -9973,7 +9973,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10016,7 +10016,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10059,7 +10059,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10102,7 +10102,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10145,7 +10145,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10188,7 +10188,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10231,7 +10231,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10274,7 +10274,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10317,7 +10317,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10360,7 +10360,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10403,7 +10403,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10446,7 +10446,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10489,7 +10489,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10532,7 +10532,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10575,7 +10575,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10618,7 +10618,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10661,7 +10661,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10704,7 +10704,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10747,7 +10747,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10790,7 +10790,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10833,7 +10833,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10876,7 +10876,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10919,7 +10919,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -10962,7 +10962,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11005,7 +11005,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11048,7 +11048,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11091,7 +11091,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11134,7 +11134,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11177,7 +11177,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11220,7 +11220,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11263,7 +11263,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11306,7 +11306,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11349,7 +11349,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11392,7 +11392,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11435,7 +11435,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11478,7 +11478,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11521,7 +11521,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11564,7 +11564,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11607,7 +11607,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11650,7 +11650,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11693,7 +11693,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11736,7 +11736,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11779,7 +11779,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11815,8 +11815,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 34,35 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 34,35 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 34,35 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 34,35 -j ufw-user-limit-accept + + ### END RULES ### +@@ -11824,7 +11824,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11860,8 +11860,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 34,35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 34,35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -11869,7 +11869,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11905,8 +11905,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -11914,7 +11914,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11950,8 +11950,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -j ufw-user-limit-accept + + ### END RULES ### +@@ -11959,7 +11959,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -11995,8 +11995,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 1,9 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 1,9 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 1,9 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 1,9 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 1,9 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 1,9 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12004,7 +12004,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12040,8 +12040,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 34,35 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 34,35 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 34,35 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 34,35 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12049,7 +12049,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12085,8 +12085,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 34,35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 34,35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 34,35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 34,35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12094,7 +12094,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12130,8 +12130,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12139,7 +12139,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12175,8 +12175,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12184,7 +12184,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12220,8 +12220,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 1,9 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 1,9 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 1,9 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 1,9 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 1,9 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 1,9 -j ufw-user-limit-accept + + ### END RULES ### +@@ -12229,7 +12229,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12273,7 +12273,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12317,7 +12317,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12357,7 +12357,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12400,7 +12400,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12440,7 +12440,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12484,7 +12484,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12527,7 +12527,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12570,7 +12570,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12613,7 +12613,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12656,7 +12656,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12706,11 +12706,11 @@ Insert + ### RULES ### + + ### tuple ### allow_log any 9998 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 9998 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 9998 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 9998 -j RETURN + -A ufw-user-input -p tcp --dport 9998 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 9998 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 9998 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 9998 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 9998 -j RETURN + -A ufw-user-input -p udp --dport 9998 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 9998 -j ACCEPT +@@ -12735,7 +12735,7 @@ Insert + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12785,7 +12785,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12908,7 +12908,7 @@ Interfaces + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -12982,7 +12982,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13100,7 +13100,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13174,7 +13174,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13244,83 +13244,83 @@ COMMIT + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-input -i eth0 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -j ufw-user-limit-accept + + ### tuple ### limit any 22 192.168.0.1 any 0.0.0.0/0 in_eth0 +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept + + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit any any 192.168.0.1 any 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -d 192.168.0.1 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit any 22 192.168.0.1 any 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit any any 192.168.0.1 80 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit tcp 22 192.168.0.1 any 0.0.0.0/0 in_eth0 +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept + + ### tuple ### limit tcp any 0.0.0.0/0 80 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit tcp any 192.168.0.1 any 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit udp 22 192.168.0.1 any 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit udp any 192.168.0.1 80 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit udp 22 192.168.0.1 80 10.0.0.1 in_eth0 +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -i eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -13328,7 +13328,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13402,7 +13402,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13520,7 +13520,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13594,7 +13594,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13638,7 +13638,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13676,7 +13676,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13794,7 +13794,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13868,7 +13868,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -13986,7 +13986,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14060,7 +14060,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14130,83 +14130,83 @@ COMMIT + ### RULES ### + + ### tuple ### limit any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-output -o eth0 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -j ufw-user-limit-accept + + ### tuple ### limit any 22 192.168.0.1 any 0.0.0.0/0 out_eth0 +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept + + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit any any 192.168.0.1 any 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -d 192.168.0.1 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit any 22 192.168.0.1 any 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit any any 192.168.0.1 80 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit tcp 22 192.168.0.1 any 0.0.0.0/0 out_eth0 +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 --dport 22 -j ufw-user-limit-accept + + ### tuple ### limit tcp any 0.0.0.0/0 80 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit tcp any 192.168.0.1 any 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p tcp -d 192.168.0.1 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit udp 22 192.168.0.1 any 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j ufw-user-limit-accept + + ### tuple ### limit udp any 192.168.0.1 80 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### tuple ### limit udp 22 192.168.0.1 80 10.0.0.1 out_eth0 +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-output -o eth0 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -j ufw-user-limit-accept + + ### END RULES ### +@@ -14214,7 +14214,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14288,7 +14288,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14406,7 +14406,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14480,7 +14480,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14524,7 +14524,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14562,7 +14562,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14603,7 +14603,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14646,7 +14646,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14690,7 +14690,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14733,7 +14733,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14776,7 +14776,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -14819,7 +14819,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/ipv6/logging/result b/tests/ipv6/logging/result +index dd9c077..afd72dd 100644 +--- a/tests/ipv6/logging/result ++++ b/tests/ipv6/logging/result +@@ -26,23 +26,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -52,7 +52,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -81,23 +81,23 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j ACCEPT +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -107,7 +107,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -143,7 +143,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -176,7 +176,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -209,7 +209,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -238,7 +238,7 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ACCEPT +@@ -248,7 +248,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -281,7 +281,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -314,7 +314,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -372,7 +372,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -427,7 +427,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -463,7 +463,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -496,7 +496,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -529,7 +529,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -568,7 +568,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -601,7 +601,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -634,7 +634,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -666,23 +666,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j DROP +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -692,7 +692,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -721,23 +721,23 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j DROP +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -747,7 +747,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -783,7 +783,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -816,7 +816,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -849,7 +849,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -878,7 +878,7 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP +@@ -888,7 +888,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -921,7 +921,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -954,7 +954,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1012,7 +1012,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1067,7 +1067,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1103,7 +1103,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1136,7 +1136,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1169,7 +1169,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1208,7 +1208,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1241,7 +1241,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1274,7 +1274,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1306,33 +1306,33 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1340,7 +1340,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1373,7 +1373,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1409,7 +1409,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1442,7 +1442,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1475,7 +1475,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1508,7 +1508,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1541,7 +1541,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1574,7 +1574,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1609,30 +1609,30 @@ contents of user*.rules: + -A ufw-user-logging-input -p tcp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1640,7 +1640,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1673,7 +1673,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1709,7 +1709,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1742,7 +1742,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1775,7 +1775,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1808,7 +1808,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1841,7 +1841,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1874,7 +1874,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1906,23 +1906,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### reject_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' +@@ -1932,7 +1932,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1961,23 +1961,23 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' +@@ -1987,7 +1987,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2023,7 +2023,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2056,7 +2056,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2089,7 +2089,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2118,7 +2118,7 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j REJECT --reject-with tcp-reset +@@ -2128,7 +2128,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2161,7 +2161,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2194,7 +2194,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2252,7 +2252,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2307,7 +2307,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2343,7 +2343,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2376,7 +2376,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2409,7 +2409,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2448,7 +2448,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2481,7 +2481,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2514,7 +2514,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2547,13 +2547,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -2563,7 +2563,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2592,13 +2592,13 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -2614,7 +2614,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2646,13 +2646,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -2662,7 +2662,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2691,13 +2691,13 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -2713,7 +2713,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2749,7 +2749,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2782,7 +2782,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2827,13 +2827,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -A ufw-user-input -i eth0 -j ufw-user-logging-input + -A ufw-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -A ufw-user-output -o eth0 -j ufw-user-logging-output + -A ufw-user-output -o eth0 -j ACCEPT +@@ -2843,7 +2843,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2872,13 +2872,13 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any any ::/0 any ::/0 in_eth0 +--A ufw6-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -j RETURN + -A ufw6-user-input -i eth0 -j ufw6-user-logging-input + -A ufw6-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in_eth0 +--A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ACCEPT +@@ -2890,13 +2890,13 @@ COMMIT + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP + + ### tuple ### allow_log any any ::/0 any ::/0 out_eth0 +--A ufw6-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -j RETURN + -A ufw6-user-output -o eth0 -j ufw6-user-logging-output + -A ufw6-user-output -o eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 out_eth0 +--A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j RETURN + -A ufw6-user-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ufw6-user-logging-output + -A ufw6-user-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ACCEPT +@@ -2912,7 +2912,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/ipv6/logging/result.1.3 b/tests/ipv6/logging/result.1.3 +index 5b0c26d..036b49e 100644 +--- a/tests/ipv6/logging/result.1.3 ++++ b/tests/ipv6/logging/result.1.3 +@@ -15,23 +15,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -48,11 +48,11 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j ACCEPT +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j ACCEPT +@@ -111,7 +111,7 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ACCEPT +@@ -303,23 +303,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j DROP +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -336,11 +336,11 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j DROP +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j DROP +@@ -399,7 +399,7 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP +@@ -591,33 +591,33 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -730,30 +730,30 @@ contents of user*.rules: + -A ufw-user-logging-input -p tcp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -863,23 +863,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### reject_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' +@@ -896,11 +896,11 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j REJECT +@@ -959,7 +959,7 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j REJECT --reject-with tcp-reset +@@ -1152,13 +1152,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1198,13 +1198,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -1285,13 +1285,13 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -A ufw-user-input -i eth0 -j ufw-user-logging-input + -A ufw-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -A ufw-user-output -o eth0 -j ufw-user-logging-output + -A ufw-user-output -o eth0 -j ACCEPT +@@ -1308,13 +1308,13 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any any ::/0 any ::/0 in_eth0 +--A ufw6-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -j RETURN + -A ufw6-user-input -i eth0 -j ufw6-user-logging-input + -A ufw6-user-input -i eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in_eth0 +--A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ACCEPT +@@ -1326,13 +1326,13 @@ COMMIT + -A ufw6-user-input -i eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP + + ### tuple ### allow_log any any ::/0 any ::/0 out_eth0 +--A ufw6-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -j RETURN + -A ufw6-user-output -o eth0 -j ufw6-user-logging-output + -A ufw6-user-output -o eth0 -j ACCEPT + + ### tuple ### allow_log tcp 24 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 out_eth0 +--A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j RETURN + -A ufw6-user-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ufw6-user-logging-output + -A ufw6-user-output -o eth0 -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 24 -s 2001:db8::/32 -j ACCEPT +diff --git a/tests/ipv6/rules6/result b/tests/ipv6/rules6/result +index 4e6a197..4fd299c 100644 +--- a/tests/ipv6/rules6/result ++++ b/tests/ipv6/rules6/result +@@ -26,7 +26,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -62,7 +62,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -94,7 +94,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -129,7 +129,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -161,7 +161,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -196,7 +196,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -228,7 +228,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -264,7 +264,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -296,7 +296,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -332,7 +332,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -364,7 +364,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -400,7 +400,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -432,7 +432,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -468,7 +468,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -500,7 +500,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -536,7 +536,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -568,7 +568,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -603,7 +603,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -635,7 +635,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -670,7 +670,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -702,7 +702,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -737,7 +737,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -769,7 +769,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -804,7 +804,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -836,7 +836,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -871,7 +871,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -903,7 +903,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -938,7 +938,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -970,7 +970,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1005,7 +1005,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1037,7 +1037,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1072,7 +1072,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1104,7 +1104,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1139,7 +1139,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1171,7 +1171,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1206,7 +1206,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1238,7 +1238,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1273,7 +1273,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1305,7 +1305,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1340,7 +1340,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1372,7 +1372,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1408,7 +1408,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1440,7 +1440,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1475,7 +1475,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1507,7 +1507,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1542,7 +1542,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1574,7 +1574,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1609,7 +1609,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1641,7 +1641,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1677,7 +1677,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1709,7 +1709,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1745,7 +1745,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1777,7 +1777,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1813,7 +1813,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1845,7 +1845,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1881,7 +1881,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1913,7 +1913,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1949,7 +1949,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1981,7 +1981,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2016,7 +2016,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2048,7 +2048,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2083,7 +2083,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2115,7 +2115,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2150,7 +2150,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2182,7 +2182,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2217,7 +2217,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2249,7 +2249,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2284,7 +2284,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2316,7 +2316,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2351,7 +2351,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2383,7 +2383,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2418,7 +2418,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2450,7 +2450,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2485,7 +2485,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2517,7 +2517,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2552,7 +2552,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2584,7 +2584,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2619,7 +2619,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2651,7 +2651,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2686,7 +2686,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2718,7 +2718,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2753,7 +2753,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2785,7 +2785,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2821,7 +2821,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2853,7 +2853,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3099,7 +3099,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3134,7 +3134,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3169,7 +3169,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3204,7 +3204,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3239,7 +3239,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3274,7 +3274,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3309,7 +3309,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3345,7 +3345,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3380,7 +3380,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3415,7 +3415,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3450,7 +3450,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3485,7 +3485,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3520,7 +3520,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3555,7 +3555,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3590,7 +3590,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3625,7 +3625,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3660,7 +3660,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3695,7 +3695,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3730,7 +3730,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3765,7 +3765,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3800,7 +3800,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3835,7 +3835,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3870,7 +3870,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3905,7 +3905,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3940,7 +3940,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3975,7 +3975,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4010,7 +4010,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4045,7 +4045,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4080,7 +4080,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4115,7 +4115,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4150,7 +4150,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4187,7 +4187,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4223,7 +4223,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4261,7 +4261,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4297,7 +4297,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4335,7 +4335,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4371,7 +4371,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4409,7 +4409,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4445,7 +4445,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4483,7 +4483,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4519,7 +4519,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4557,7 +4557,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4593,7 +4593,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4631,7 +4631,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4667,7 +4667,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4705,7 +4705,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4741,7 +4741,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4779,7 +4779,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4815,7 +4815,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4853,7 +4853,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4889,7 +4889,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4927,7 +4927,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4963,7 +4963,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5001,7 +5001,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5037,7 +5037,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5075,7 +5075,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5111,7 +5111,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5149,7 +5149,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5185,7 +5185,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5223,7 +5223,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5259,7 +5259,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5297,7 +5297,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5333,7 +5333,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5371,7 +5371,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5407,7 +5407,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5445,7 +5445,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5481,7 +5481,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5519,7 +5519,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5555,7 +5555,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5593,7 +5593,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5629,7 +5629,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5667,7 +5667,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5703,7 +5703,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5741,7 +5741,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5777,7 +5777,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5815,7 +5815,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5851,7 +5851,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5889,7 +5889,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5925,7 +5925,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5999,7 +5999,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6034,7 +6034,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6069,7 +6069,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6104,7 +6104,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/ipv6/rules64/result b/tests/ipv6/rules64/result +index 8703253..cc2d397 100644 +--- a/tests/ipv6/rules64/result ++++ b/tests/ipv6/rules64/result +@@ -29,7 +29,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -66,7 +66,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -104,7 +104,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -140,7 +140,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -178,7 +178,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -214,7 +214,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -252,7 +252,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -288,7 +288,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -326,7 +326,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -367,7 +367,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -404,7 +404,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -440,7 +440,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -475,7 +475,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -508,7 +508,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -539,8 +539,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 22 -j ufw-user-limit-accept + + ### END RULES ### +@@ -548,7 +548,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -593,7 +593,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -630,7 +630,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -668,7 +668,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -704,7 +704,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -742,7 +742,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -785,7 +785,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -828,7 +828,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -871,7 +871,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -914,7 +914,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -958,7 +958,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -994,7 +994,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1029,7 +1029,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1062,7 +1062,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1100,7 +1100,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1136,7 +1136,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1171,7 +1171,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1204,7 +1204,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1242,7 +1242,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1278,7 +1278,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1313,7 +1313,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1346,7 +1346,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1384,7 +1384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1420,7 +1420,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1455,7 +1455,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1488,7 +1488,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1527,7 +1527,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1564,7 +1564,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1599,7 +1599,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1632,7 +1632,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1670,7 +1670,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1706,7 +1706,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1741,7 +1741,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1774,7 +1774,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1812,7 +1812,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1848,7 +1848,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1883,7 +1883,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1916,7 +1916,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1955,7 +1955,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1991,7 +1991,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2026,7 +2026,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2059,7 +2059,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2097,7 +2097,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2133,7 +2133,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2168,7 +2168,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2201,7 +2201,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2240,7 +2240,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2277,7 +2277,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2312,7 +2312,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2345,7 +2345,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2384,7 +2384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2428,7 +2428,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2471,7 +2471,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2514,7 +2514,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2558,7 +2558,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2601,7 +2601,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2644,7 +2644,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2685,7 +2685,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2720,7 +2720,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2755,7 +2755,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2790,7 +2790,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2825,7 +2825,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2860,7 +2860,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2895,7 +2895,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3472,7 +3472,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3515,7 +3515,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3558,7 +3558,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3601,7 +3601,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3644,7 +3644,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3687,7 +3687,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3728,7 +3728,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3763,7 +3763,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3798,7 +3798,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3833,7 +3833,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3868,7 +3868,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3903,7 +3903,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3940,7 +3940,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -3976,7 +3976,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4014,7 +4014,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4050,7 +4050,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4088,7 +4088,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4124,7 +4124,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4162,7 +4162,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4198,7 +4198,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4236,7 +4236,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4272,7 +4272,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4310,7 +4310,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4346,7 +4346,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4384,7 +4384,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4420,7 +4420,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4458,7 +4458,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4494,7 +4494,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4532,7 +4532,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4568,7 +4568,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4606,7 +4606,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4642,7 +4642,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4680,7 +4680,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4716,7 +4716,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4754,7 +4754,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4790,7 +4790,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4828,7 +4828,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4864,7 +4864,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4902,7 +4902,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4938,7 +4938,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -4976,7 +4976,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5012,7 +5012,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5050,7 +5050,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5086,7 +5086,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5117,8 +5117,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 34,35 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 34,35 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 34,35 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 34,35 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5126,7 +5126,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5163,8 +5163,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 34,35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 34,35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5172,7 +5172,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5209,8 +5209,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5218,7 +5218,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5255,8 +5255,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit tcp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -m multiport --dports 15:19,21,22,23 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5264,7 +5264,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5301,8 +5301,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 34,35 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 34,35 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 34,35 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 34,35 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 34,35 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5310,7 +5310,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5347,8 +5347,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 34,35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 34,35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 34,35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 34,35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 34,35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5356,7 +5356,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5393,8 +5393,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 35:39 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 35:39 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 35:39 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 35:39 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 35:39 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5402,7 +5402,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5439,8 +5439,8 @@ WARN: Checks disabled + ### RULES ### + + ### tuple ### limit udp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -j ufw-user-limit-accept + + ### END RULES ### +@@ -5448,7 +5448,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5493,7 +5493,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5529,7 +5529,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5568,7 +5568,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5604,7 +5604,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5639,7 +5639,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5672,7 +5672,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5710,7 +5710,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5750,7 +5750,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5794,7 +5794,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5831,7 +5831,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5869,7 +5869,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5905,7 +5905,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5943,7 +5943,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -5979,7 +5979,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6017,7 +6017,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6053,7 +6053,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6091,7 +6091,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6127,7 +6127,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6164,7 +6164,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6199,7 +6199,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6234,7 +6234,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6295,7 +6295,7 @@ ipv4 rule in ipv4 section + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6336,7 +6336,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6380,7 +6380,7 @@ ipv6 rule in ipv6 section + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6425,7 +6425,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6487,7 +6487,7 @@ ipv4 rule in ipv6 section + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6532,7 +6532,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6572,11 +6572,11 @@ COMMIT + -A ufw-user-input -p udp -d 127.0.0.1 --dport 23 -j ACCEPT + + ### tuple ### allow_log any 8888 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 8888 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 8888 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 8888 -j RETURN + -A ufw-user-input -p tcp --dport 8888 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 8888 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 8888 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 8888 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 8888 -j RETURN + -A ufw-user-input -p udp --dport 8888 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 8888 -j ACCEPT +@@ -6586,7 +6586,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6619,11 +6619,11 @@ COMMIT + -A ufw6-user-input -p udp -d ::1 --dport 24 -j ACCEPT + + ### tuple ### allow_log any 8888 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 8888 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp --dport 8888 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp --dport 8888 -j RETURN + -A ufw6-user-input -p tcp --dport 8888 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 8888 -j ACCEPT +--A ufw6-user-logging-input -p udp --dport 8888 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp --dport 8888 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp --dport 8888 -j RETURN + -A ufw6-user-input -p udp --dport 8888 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 8888 -j ACCEPT +@@ -6637,7 +6637,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6681,7 +6681,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6714,7 +6714,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6768,7 +6768,7 @@ Interfaces + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6810,7 +6810,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6854,7 +6854,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6887,7 +6887,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6940,7 +6940,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -6982,7 +6982,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7026,7 +7026,7 @@ COMMIT + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7059,7 +7059,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7094,7 +7094,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7137,7 +7137,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7180,7 +7180,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7223,7 +7223,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7264,7 +7264,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7299,7 +7299,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7334,7 +7334,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7369,7 +7369,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7406,7 +7406,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7442,7 +7442,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7480,7 +7480,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -7516,7 +7516,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/root/bugs/result b/tests/root/bugs/result +index e7ee4da..34bee1a 100644 +--- a/tests/root/bugs/result ++++ b/tests/root/bugs/result +@@ -34,7 +34,7 @@ WARN: Checks disabled + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/root/live/result b/tests/root/live/result +index 78148f4..7b183c5 100644 +--- a/tests/root/live/result ++++ b/tests/root/live/result +@@ -145,8 +145,8 @@ Anywhere ALLOW 192.168.0.0/16 + -A ufw-user-input -p udp -d 1.2.3.4 --dport 5469 -s 1.2.3.5 --sport 5469 -j ACCEPT + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + ### tuple ### allow any 53 ::/0 any ::/0 in + -A ufw6-user-input -p tcp --dport 53 -j ACCEPT + -A ufw6-user-input -p udp --dport 53 -j ACCEPT +@@ -368,8 +368,8 @@ Anywhere ALLOW 192.168.0.0/16 + -A ufw-user-input -p udp -d 1.2.3.4 --dport 5469 -s 1.2.3.5 --sport 5469 -j ACCEPT + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + TESTING ARGS (delete allow/deny to/from) + 48: delete allow 53 + WARN: Checks disabled +@@ -1057,8 +1057,8 @@ Status: active + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT +@@ -1072,8 +1072,8 @@ Status: active + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in_eth2 + -A ufw-user-input -i eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1082,11 +1082,11 @@ Status: active + -A ufw-user-input -i eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -- + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 in_eth0 +--A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -- + ### tuple ### deny_log-all tcp 25 10.0.0.1 any 192.168.0.1 in_eth0 +@@ -1109,7 +1109,7 @@ Status: active + -A ufw6-user-input -i eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any ::/0 any ::/0 in_eth0 +--A ufw6-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -i eth0 -j RETURN + -- + ### tuple ### allow udp 137,138 ::/0 any ::/0 Samba - in_eth0 +@@ -1312,8 +1312,8 @@ Status: active + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT +@@ -1327,8 +1327,8 @@ Status: active + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - out_eth2 + -A ufw-user-output -o eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1337,11 +1337,11 @@ Status: active + -A ufw-user-output -o eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -- + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 out_eth0 +--A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -- + ### tuple ### deny_log-all tcp 25 10.0.0.1 any 192.168.0.1 out_eth0 +@@ -1364,7 +1364,7 @@ Status: active + -A ufw6-user-output -o eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any ::/0 any ::/0 out_eth0 +--A ufw6-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-output -o eth0 -j RETURN + -- + ### tuple ### allow udp 137,138 ::/0 any ::/0 Samba - out_eth0 +@@ -1556,8 +1556,8 @@ Status: active + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT +@@ -1571,8 +1571,8 @@ Status: active + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in_eth2 + -A ufw-user-input -i eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1581,11 +1581,11 @@ Status: active + -A ufw-user-input -i eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 in_eth0 +--A ufw-user-logging-input -i eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -j RETURN + -- + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 in_eth0 +--A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -i eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -- + ### tuple ### deny_log-all tcp 25 10.0.0.1 any 192.168.0.1 in_eth0 +@@ -1777,8 +1777,8 @@ Status: active + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT +@@ -1792,8 +1792,8 @@ Status: active + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- + ### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - out_eth2 + -A ufw-user-output -o eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1802,11 +1802,11 @@ Status: active + -A ufw-user-output -o eth2 -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log any any 0.0.0.0/0 any 0.0.0.0/0 out_eth0 +--A ufw-user-logging-output -o eth0 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -j RETURN + -- + ### tuple ### allow_log tcp 24 10.0.0.1 any 192.168.0.1 out_eth0 +--A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-output -o eth0 -p tcp -d 10.0.0.1 --dport 24 -s 192.168.0.1 -j RETURN + -- + ### tuple ### deny_log-all tcp 25 10.0.0.1 any 192.168.0.1 out_eth0 +diff --git a/tests/root/live_apps/result b/tests/root/live_apps/result +index c0aa6e2..cb97ffb 100644 +--- a/tests/root/live_apps/result ++++ b/tests/root/live_apps/result +@@ -1235,7 +1235,7 @@ Rule inserted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1318,7 +1318,7 @@ Rule deleted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1444,7 +1444,7 @@ Rule inserted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1543,7 +1543,7 @@ Rule deleted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1647,7 +1647,7 @@ Rule inserted (v6) + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1696,7 +1696,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1755,7 +1755,7 @@ Rule deleted (v6) + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1788,7 +1788,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1889,7 +1889,7 @@ Rule inserted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1932,7 +1932,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2005,7 +2005,7 @@ Rule deleted + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2038,7 +2038,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -2173,23 +2173,23 @@ Samba on eth0 LIMIT 10.0.0.1 + + + ### tuple ### limit udp 137,138 192.168.0.1 any 0.0.0.0/0 Samba - in_eth0 +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit tcp 139,445 192.168.0.1 any 0.0.0.0/0 Samba - in_eth0 +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit udp 137,138 0.0.0.0/0 any 10.0.0.1 Samba - in_eth0 +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 10.0.0.1 Samba - in_eth0 +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -i eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + 225: delete limit in on eth0 to 192.168.0.1 app Samba + WARN: Checks disabled +@@ -2447,23 +2447,23 @@ Samba LIMIT OUT 10.0.0.1 on eth0 + + + ### tuple ### limit udp 137,138 192.168.0.1 any 0.0.0.0/0 Samba - out_eth0 +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit tcp 139,445 192.168.0.1 any 0.0.0.0/0 Samba - out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -d 192.168.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit udp 137,138 0.0.0.0/0 any 10.0.0.1 Samba - out_eth0 +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p udp -m multiport --dports 137,138 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + -- + ### tuple ### limit tcp 139,445 0.0.0.0/0 any 10.0.0.1 Samba - out_eth0 +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-output -o eth0 -p tcp -m multiport --dports 139,445 -s 10.0.0.1 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + 259: delete limit out on eth0 to 192.168.0.1 app Samba + WARN: Checks disabled +diff --git a/tests/root/logging/result b/tests/root/logging/result +index bbcc434..583ec46 100644 +--- a/tests/root/logging/result ++++ b/tests/root/logging/result +@@ -35,23 +35,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### allow_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j ACCEPT +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -61,7 +61,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -90,29 +90,29 @@ COMMIT + ### RULES ### + + ### tuple ### allow_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j ACCEPT +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j ACCEPT + + ### tuple ### allow_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + + ### tuple ### allow_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ACCEPT +@@ -122,7 +122,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -167,7 +167,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -200,7 +200,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -261,7 +261,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -322,7 +322,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -367,7 +367,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -400,7 +400,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -435,23 +435,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### deny_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j DROP +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' +@@ -461,7 +461,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -490,29 +490,29 @@ COMMIT + ### RULES ### + + ### tuple ### deny_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j DROP +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j DROP + + ### tuple ### deny_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j DROP -m comment --comment 'dapp_Samba' + + ### tuple ### deny_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j DROP +@@ -522,7 +522,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -567,7 +567,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -600,7 +600,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -661,7 +661,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -722,7 +722,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -767,7 +767,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -800,7 +800,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -835,33 +835,33 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### limit_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -869,7 +869,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -902,7 +902,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -947,7 +947,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -980,7 +980,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1018,30 +1018,30 @@ contents of user*.rules: + -A ufw-user-logging-input -p tcp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp --dport 23 -j ufw-user-limit-accept + -A ufw-user-logging-input -p udp --dport 23 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p udp --dport 23 -j ufw-user-limit-accept + + ### tuple ### limit_log-all udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p udp -m multiport --dports 137,138 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### tuple ### limit_log-all tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW LIMIT] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --set -m comment --comment 'dapp_Samba' +--A ufw-user-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --set -m comment --comment 'dapp_Samba' ++-A ufw-user-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit -m comment --comment 'dapp_Samba' + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-limit-accept -m comment --comment 'dapp_Samba' + + ### END RULES ### +@@ -1049,7 +1049,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1082,7 +1082,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1127,7 +1127,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1160,7 +1160,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1195,23 +1195,23 @@ contents of user*.rules: + ### RULES ### + + ### tuple ### reject_log any 23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw-user-input -p tcp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp --dport 23 -j RETURN + -A ufw-user-input -p udp --dport 23 -j ufw-user-logging-input + -A ufw-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw-user-input -p udp -m multiport --dports 137,138 -j ufw-user-logging-input + -A ufw-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in +--A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ufw-user-logging-input + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' +@@ -1221,7 +1221,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1250,29 +1250,29 @@ COMMIT + ### RULES ### + + ### tuple ### reject_log any 23 ::/0 any ::/0 in +--A ufw6-user-logging-input -p tcp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp --dport 23 -j RETURN + -A ufw6-user-input -p tcp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp --dport 23 -j REJECT --reject-with tcp-reset +--A ufw6-user-logging-input -p udp --dport 23 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp --dport 23 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp --dport 23 -j RETURN + -A ufw6-user-input -p udp --dport 23 -j ufw6-user-logging-input + -A ufw6-user-input -p udp --dport 23 -j REJECT + + ### tuple ### reject_log udp 137,138 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p udp -m multiport --dports 137,138 -j RETURN + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j ufw6-user-logging-input + -A ufw6-user-input -p udp -m multiport --dports 137,138 -j REJECT -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 139,445 ::/0 any ::/0 Samba - in +--A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -m multiport --dports 139,445 -j RETURN + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j REJECT --reject-with tcp-reset -m comment --comment 'dapp_Samba' + + ### tuple ### reject_log tcp 25 2001:db8:3:4:5:6:7:8 any 2001:db8::/32 in +--A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " ++-A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " + -A ufw6-user-logging-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j RETURN + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j ufw6-user-logging-input + -A ufw6-user-input -p tcp -d 2001:db8:3:4:5:6:7:8 --dport 25 -s 2001:db8::/32 -j REJECT --reject-with tcp-reset +@@ -1282,7 +1282,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1327,7 +1327,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1360,7 +1360,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1421,7 +1421,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1482,7 +1482,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1527,7 +1527,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1560,7 +1560,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1590,7 +1590,7 @@ contents of user*.rules: + ### LOGGING ### + -A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +@@ -1623,7 +1623,7 @@ COMMIT + ### LOGGING ### + -A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 +--I ufw6-logging-deny -m state --state INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 ++-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10 + -A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10 + ### END LOGGING ### +diff --git a/tests/root/valid/result b/tests/root/valid/result +index 3a493da..320a728 100644 +--- a/tests/root/valid/result ++++ b/tests/root/valid/result +@@ -234,8 +234,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 27: deny 53 + WARN: Checks disabled + Rules updated +@@ -255,8 +255,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 28: allow 80/tcp + WARN: Checks disabled + Rules updated +@@ -276,8 +276,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 29: allow from 10.0.0.0/8 + WARN: Checks disabled + Rules updated +@@ -297,8 +297,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -322,8 +322,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -350,8 +350,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -381,8 +381,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -415,8 +415,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -452,8 +452,8 @@ Rules updated + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -1173,8 +1173,8 @@ Rules updated + + + ### tuple ### limit any any 0.0.0.0/0 any 192.168.0.1 in +--A ufw-user-input -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -1189,8 +1189,8 @@ Rules updated + + + ### tuple ### limit any any 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -d 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -d 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -d 10.0.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -1205,8 +1205,8 @@ Rules updated + + + ### tuple ### limit any any 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -d 10.0.0.1 -s 192.168.0.1 -j ufw-user-limit-accept + + ### END RULES ### +@@ -1221,11 +1221,11 @@ Rules updated + + + ### tuple ### limit any any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 151: delete limit from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +@@ -1237,11 +1237,11 @@ Rules updated + + + ### tuple ### limit any 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 153: delete limit to 10.0.0.1 port 25 + WARN: Checks disabled + Rules updated +@@ -1253,11 +1253,11 @@ Rules updated + + + ### tuple ### limit any any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 155: delete limit to 10.0.0.1 from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +@@ -1269,11 +1269,11 @@ Rules updated + + + ### tuple ### limit any 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 157: delete limit to 10.0.0.1 port 25 from 192.168.0.1 + WARN: Checks disabled + Rules updated +@@ -1285,11 +1285,11 @@ Rules updated + + + ### tuple ### limit any 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -j ufw-user-limit-accept +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 159: delete limit to 10.0.0.1 port 25 from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +@@ -1301,8 +1301,8 @@ Rules updated + + + ### tuple ### limit udp any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 161: delete limit from 192.168.0.1 port 80 proto udp + WARN: Checks disabled + Rules updated +@@ -1314,8 +1314,8 @@ Rules updated + + + ### tuple ### limit udp 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 163: delete limit to 10.0.0.1 port 25 proto udp + WARN: Checks disabled + Rules updated +@@ -1327,8 +1327,8 @@ Rules updated + + + ### tuple ### limit udp any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 165: delete limit to 10.0.0.1 from 192.168.0.1 port 80 proto udp + WARN: Checks disabled + Rules updated +@@ -1340,8 +1340,8 @@ Rules updated + + + ### tuple ### limit udp 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 167: delete limit to 10.0.0.1 port 25 proto udp from 192.168.0.1 + WARN: Checks disabled + Rules updated +@@ -1353,8 +1353,8 @@ Rules updated + + + ### tuple ### limit udp 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 169: delete limit to 10.0.0.1 port 25 proto udp from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +@@ -1366,8 +1366,8 @@ Rules updated + + + ### tuple ### limit tcp any 0.0.0.0/0 80 192.168.0.1 in +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 171: delete limit from 192.168.0.1 port 80 proto tcp + WARN: Checks disabled + Rules updated +@@ -1379,8 +1379,8 @@ Rules updated + + + ### tuple ### limit tcp 25 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 173: delete limit to 10.0.0.1 port 25 proto tcp + WARN: Checks disabled + Rules updated +@@ -1392,8 +1392,8 @@ Rules updated + + + ### tuple ### limit tcp any 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 175: delete limit to 10.0.0.1 from 192.168.0.1 port 80 proto tcp + WARN: Checks disabled + Rules updated +@@ -1405,8 +1405,8 @@ Rules updated + + + ### tuple ### limit tcp 25 10.0.0.1 any 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 177: delete limit to 10.0.0.1 port 25 proto tcp from 192.168.0.1 + WARN: Checks disabled + Rules updated +@@ -1418,8 +1418,8 @@ Rules updated + + + ### tuple ### limit tcp 25 10.0.0.1 80 192.168.0.1 in +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp -d 10.0.0.1 --dport 25 -s 192.168.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 179: delete limit to 10.0.0.1 port 25 proto tcp from 192.168.0.1 port 80 + WARN: Checks disabled + Rules updated +diff --git a/tests/root/valid6/result b/tests/root/valid6/result +index dc76378..74fcd86 100644 +--- a/tests/root/valid6/result ++++ b/tests/root/valid6/result +@@ -1670,8 +1670,8 @@ Rules updated + + + ### tuple ### limit ah any 10.0.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p ah -d 10.0.0.1 -m state --state NEW -m recent --set +--A ufw-user-input -p ah -d 10.0.0.1 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p ah -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p ah -d 10.0.0.1 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 249: delete limit to 10.0.0.1 proto ah + WARN: Checks disabled + Rules updated +diff --git a/tests/root_kern/limit6/result b/tests/root_kern/limit6/result +index 008d993..7a3a1ad 100644 +--- a/tests/root_kern/limit6/result ++++ b/tests/root_kern/limit6/result +@@ -40,27 +40,27 @@ Anywhere (v6) LIMIT 24/udp + + + ### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### limit udp any 0.0.0.0/0 24 0.0.0.0/0 in +--A ufw-user-input -p udp --sport 24 -m state --state NEW -m recent --set +--A ufw-user-input -p udp --sport 24 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -p udp --sport 24 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p udp --sport 24 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### limit any 23 0.0.0.0/0 any 0.0.0.0/0 in_eth1 +--A ufw-user-input -i eth1 -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++-A ufw-user-input -i eth1 -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + ### tuple ### limit tcp 22 ::/0 any ::/0 in +--A ufw6-user-input -p tcp --dport 22 -m state --state NEW -m recent --set +--A ufw6-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit ++-A ufw6-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set ++-A ufw6-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit + -- + ### tuple ### limit udp any ::/0 24 ::/0 in +--A ufw6-user-input -p udp --sport 24 -m state --state NEW -m recent --set +--A ufw6-user-input -p udp --sport 24 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit ++-A ufw6-user-input -p udp --sport 24 -m conntrack --ctstate NEW -m recent --set ++-A ufw6-user-input -p udp --sport 24 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit + -- + ### tuple ### limit any 23 ::/0 any ::/0 in_eth1 +--A ufw6-user-input -i eth1 -p tcp --dport 23 -m state --state NEW -m recent --set +--A ufw6-user-input -i eth1 -p tcp --dport 23 -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit ++-A ufw6-user-input -i eth1 -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --set ++-A ufw6-user-input -i eth1 -p tcp --dport 23 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw6-user-limit + TESTING ARGS (delete allow/deny to/from) + 6: delete limit 22/tcp + WARN: Checks disabled diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0008-support-.-setup.py-build-LP-819600.patch b/meta-networking/recipes-connectivity/ufw/ufw/0008-support-.-setup.py-build-LP-819600.patch new file mode 100644 index 0000000000..4184e33f41 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0008-support-.-setup.py-build-LP-819600.patch @@ -0,0 +1,93 @@ +support ./setup.py build (LP: #819600) + +Written by Jamie Strandboge <jamie@canonical.com> + +The patch was imported from git://git.launchpad.net/ufw +commit id 10dc74cdc0948e4038d2921e7428cbf2896df98c + +Removed ChangeLog patch due to backport status of this patch. +Modified for statement to match the one in 0.33 setup.py + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +diff --git a/setup.py b/setup.py +index 730c568..4e1ec9a 100644 +--- a/setup.py ++++ b/setup.py +@@ -64,37 +64,44 @@ class Install(_install, object): + real_sharedir = os.path.join(real_prefix, 'share', 'ufw') + + # Update the modules' paths +- for file in [ 'common.py', 'util.py' ]: +- print("Updating " + file) +- subprocess.call(["sed", +- "-i", +- "s%#CONFIG_PREFIX#%" + real_confdir + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i", +- "s%#STATE_PREFIX#%" + real_statedir + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i", +- "s%#PREFIX#%" + real_prefix + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i", +- "s%#IPTABLES_DIR#%" + iptables_dir + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i", +- "s%#SHARE_DIR#%" + real_sharedir + "%g", +- os.path.join('staging', file)]) +- +- subprocess.call(["sed", +- "-i.jjm", +- "s%/sbin/iptables%" + iptables_exe + "%g", +- os.path.join('staging', file)]) ++ for fn in [ 'common.py', 'util.py' ]: ++ # 'staging' is used with just 'install' but build_lib is used when ++ # using 'build'. We could probably override 'def build()' but this ++ # at least works ++ for d in [os.path.join(self.build_lib, "ufw"), 'staging']: ++ f = os.path.join(d, fn) ++ if not os.path.exists(f): ++ continue ++ print("Updating " + f) ++ subprocess.call(["sed", ++ "-i", ++ "s%#CONFIG_PREFIX#%" + real_confdir + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i", ++ "s%#STATE_PREFIX#%" + real_statedir + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i", ++ "s%#PREFIX#%" + real_prefix + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i", ++ "s%#IPTABLES_DIR#%" + iptables_dir + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i", ++ "s%#SHARE_DIR#%" + real_sharedir + "%g", ++ f]) ++ ++ subprocess.call(["sed", ++ "-i.jjm", ++ "s%/sbin/iptables%" + iptables_exe + "%g", ++ f]) + + # Now byte-compile everything + super(Install, self).run() diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0009-adjust-runtime-tests-to-use-daytime-port.patch b/meta-networking/recipes-connectivity/ufw/ufw/0009-adjust-runtime-tests-to-use-daytime-port.patch new file mode 100644 index 0000000000..5f9e68df82 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0009-adjust-runtime-tests-to-use-daytime-port.patch @@ -0,0 +1,2895 @@ +adjust runtime tests to use daytime/port 13 instead of ssh/port 22 everywhere + +and adjust to use daytime/port 13 instead of http/port 80 and https/port 443 in +good/logging and ipv6/bad_args6 (Closes: 849628) + +Patch from git://git.launchpad.net/ufw +Commit f1ecc2475f8612f1ea87bd43a088d39009145dd8 + +Written by Jamie Strandboge <jamie@ubuntu.com> + +Removed code not present (tests/live_route). +Omitted result output that did not seem to change. + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +diff --git a/tests/root/bugs/result b/tests/root/bugs/result +index 34bee1a..d1fab59 100644 +--- a/tests/root/bugs/result ++++ b/tests/root/bugs/result +@@ -94,7 +94,7 @@ Could not delete non-existent rule + + + iptables -L -n: +-ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* 'dapp_Apache' */ ++ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* 'dapp_Apache' */ + + Chain ufw-user-limit (0 references) + 10: delete allow Apache +@@ -254,7 +254,7 @@ WARN: Checks disabled + Status: active + + +-37: delete allow 22 ++37: delete allow 13 + WARN: Checks disabled + Could not delete non-existent rule + Could not delete non-existent rule (v6) +@@ -266,7 +266,7 @@ Could not delete non-existent rule + Could not delete non-existent rule (v6) + + +-39: delete allow to 127.0.0.1 port 22 ++39: delete allow to 127.0.0.1 port 13 + WARN: Checks disabled + Could not delete non-existent rule + +@@ -276,7 +276,7 @@ WARN: Checks disabled + Could not delete non-existent rule + + +-41: delete allow to ::1 port 22 ++41: delete allow to ::1 port 13 + WARN: Checks disabled + Could not delete non-existent rule (v6) + +diff --git a/tests/root/bugs/runtest.sh b/tests/root/bugs/runtest.sh +index 0c4db9b..4bd68d7 100755 +--- a/tests/root/bugs/runtest.sh ++++ b/tests/root/bugs/runtest.sh +@@ -93,11 +93,11 @@ sed -i "s/IPV6=.*/IPV6=yes/" $TESTPATH/etc/default/ufw + do_cmd "0" nostats disable + do_cmd "0" nostats enable + do_cmd "0" status +-do_cmd "0" delete allow 22 ++do_cmd "0" delete allow 13 + do_cmd "0" delete allow Apache +-do_cmd "0" delete allow to 127.0.0.1 port 22 ++do_cmd "0" delete allow to 127.0.0.1 port 13 + do_cmd "0" delete allow to 127.0.0.1 app Apache +-do_cmd "0" delete allow to ::1 port 22 ++do_cmd "0" delete allow to ::1 port 13 + do_cmd "0" delete allow to ::1 app Apache + do_cmd "0" status + +diff --git a/tests/root/live/result b/tests/root/live/result +index 7b183c5..e862327 100644 +--- a/tests/root/live/result ++++ b/tests/root/live/result +@@ -71,7 +71,7 @@ WARN: Checks disabled + Rule added + + +-14: limit 22/tcp ++14: limit 13/tcp + WARN: Checks disabled + Rule added + Skipping unsupported IPv6 'limit' rule +@@ -103,7 +103,7 @@ Anywhere ALLOW 172.16.0.0/12 + Anywhere ALLOW 192.168.0.0/16 + 514/udp DENY 1.2.3.4 + 1.2.3.4 5469/udp ALLOW 1.2.3.5 5469/udp +-22/tcp LIMIT Anywhere ++13/tcp LIMIT Anywhere + 53 ALLOW Anywhere (v6) + 23/tcp ALLOW Anywhere (v6) + 25/tcp ALLOW Anywhere (v6) +@@ -144,9 +144,9 @@ Anywhere ALLOW 192.168.0.0/16 + ### tuple ### allow udp 5469 1.2.3.4 5469 1.2.3.5 in + -A ufw-user-input -p udp -d 1.2.3.4 --dport 5469 -s 1.2.3.5 --sport 5469 -j ACCEPT + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + ### tuple ### allow any 53 ::/0 any ::/0 in + -A ufw6-user-input -p tcp --dport 53 -j ACCEPT + -A ufw6-user-input -p udp --dport 53 -j ACCEPT +@@ -221,7 +221,7 @@ WARN: Checks disabled + Rule deleted + + +-28: delete limit 22/tcp ++28: delete limit 13/tcp + WARN: Checks disabled + Rule deleted + Skipping unsupported IPv6 'limit' rule +@@ -311,7 +311,7 @@ WARN: Checks disabled + Rule added + + +-46: limit 22/tcp ++46: limit 13/tcp + WARN: Checks disabled + Rule added + +@@ -332,7 +332,7 @@ Anywhere ALLOW 172.16.0.0/12 + Anywhere ALLOW 192.168.0.0/16 + 514/udp DENY 1.2.3.4 + 1.2.3.4 5469/udp ALLOW 1.2.3.5 5469/udp +-22/tcp LIMIT Anywhere ++13/tcp LIMIT Anywhere + + + +@@ -367,9 +367,9 @@ Anywhere ALLOW 192.168.0.0/16 + ### tuple ### allow udp 5469 1.2.3.4 5469 1.2.3.5 in + -A ufw-user-input -p udp -d 1.2.3.4 --dport 5469 -s 1.2.3.5 --sport 5469 -j ACCEPT + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + TESTING ARGS (delete allow/deny to/from) + 48: delete allow 53 + WARN: Checks disabled +@@ -421,7 +421,7 @@ WARN: Checks disabled + Rule deleted + + +-58: delete limit 22/tcp ++58: delete limit 13/tcp + WARN: Checks disabled + Rule deleted + +@@ -667,7 +667,7 @@ WARN: Checks disabled + Rule added + + +-99: limit 22/tcp ++99: limit 13/tcp + WARN: Checks disabled + Rule added + Skipping unsupported IPv6 'limit' rule +@@ -699,7 +699,7 @@ Status: active + [ 8] Anywhere ALLOW IN 192.168.0.0/16 + [ 9] 514/udp DENY IN 1.2.3.4 + [10] 1.2.3.4 5469/udp ALLOW IN 1.2.3.5 5469/udp +-[11] 22/tcp LIMIT IN Anywhere ++[11] 13/tcp LIMIT IN Anywhere + [12] 53 ALLOW IN Anywhere (v6) + [13] 23/tcp ALLOW IN Anywhere (v6) + [14] 25/tcp ALLOW IN Anywhere (v6) +@@ -763,7 +763,7 @@ WARN: Checks disabled + Rule deleted + + +-113: delete limit 22/tcp ++113: delete limit 13/tcp + WARN: Checks disabled + Rule deleted + Skipping unsupported IPv6 'limit' rule +@@ -841,7 +841,7 @@ WARN: Checks disabled + Rule added + + +-129: limit 22/tcp ++129: limit 13/tcp + WARN: Checks disabled + Rule added + +@@ -862,7 +862,7 @@ Status: active + [ 8] Anywhere ALLOW IN 192.168.0.0/16 + [ 9] 514/udp DENY IN 1.2.3.4 + [10] 1.2.3.4 5469/udp ALLOW IN 1.2.3.5 5469/udp +-[11] 22/tcp LIMIT IN Anywhere ++[11] 13/tcp LIMIT IN Anywhere + + + +@@ -916,7 +916,7 @@ WARN: Checks disabled + Rule deleted + + +-141: delete limit 22/tcp ++141: delete limit 13/tcp + WARN: Checks disabled + Rule deleted + +@@ -943,7 +943,7 @@ Rule added (v6) + 146: deny in on eth1:1 + + +-147: reject in on eth1 to 192.168.0.1 port 22 ++147: reject in on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule added + +@@ -958,7 +958,7 @@ WARN: Checks disabled + Rule added + + +-150: deny in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++150: deny in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule added + +@@ -968,7 +968,7 @@ WARN: Checks disabled + Rule added + + +-152: limit in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++152: limit in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule added + +@@ -1002,12 +1002,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere on eth1 ALLOW IN Anywhere +-[ 2] 192.168.0.1 22 on eth1 REJECT IN Anywhere ++[ 2] 192.168.0.1 13 on eth1 REJECT IN Anywhere + [ 3] Anywhere on eth1 LIMIT IN 10.0.0.1 80 + [ 4] 192.168.0.1 on eth1 ALLOW IN 10.0.0.1 +-[ 5] 192.168.0.1 22 on eth1 DENY IN 10.0.0.1 ++[ 5] 192.168.0.1 13 on eth1 DENY IN 10.0.0.1 + [ 6] 192.168.0.1 on eth1 REJECT IN 10.0.0.1 80 +-[ 7] 192.168.0.1 22 on eth1 LIMIT IN 10.0.0.1 80 ++[ 7] 192.168.0.1 13 on eth1 LIMIT IN 10.0.0.1 80 + [ 8] Anywhere on eth0 ALLOW IN Anywhere (log) + [ 9] 10.0.0.1 24/tcp on eth0 ALLOW IN 192.168.0.1 (log) + [10] 10.0.0.1 25/tcp on eth0 DENY IN 192.168.0.1 (log-all) +@@ -1031,12 +1031,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere on eth1 ALLOW IN Anywhere +-[ 2] 192.168.0.1 22 on eth1 REJECT IN Anywhere ++[ 2] 192.168.0.1 13 on eth1 REJECT IN Anywhere + [ 3] Anywhere on eth1 LIMIT IN 10.0.0.1 80 + [ 4] 192.168.0.1 on eth1 ALLOW IN 10.0.0.1 +-[ 5] 192.168.0.1 22 on eth1 DENY IN 10.0.0.1 ++[ 5] 192.168.0.1 13 on eth1 DENY IN 10.0.0.1 + [ 6] 192.168.0.1 on eth1 REJECT IN 10.0.0.1 80 +-[ 7] 192.168.0.1 22 on eth1 LIMIT IN 10.0.0.1 80 ++[ 7] 192.168.0.1 13 on eth1 LIMIT IN 10.0.0.1 80 + [ 8] Samba on eth2 ALLOW IN Anywhere + [ 9] Anywhere on eth0 ALLOW IN Anywhere (log) + [10] 10.0.0.1 24/tcp on eth0 ALLOW IN 192.168.0.1 (log) +@@ -1052,9 +1052,9 @@ Status: active + ### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 in_eth1 + -A ufw-user-input -i eth1 -j ACCEPT + +-### tuple ### reject any 22 192.168.0.1 any 0.0.0.0/0 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -j REJECT --reject-with tcp-reset +--A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT ++### tuple ### reject any 13 192.168.0.1 any 0.0.0.0/0 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -j REJECT --reject-with tcp-reset ++-A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 13 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +@@ -1063,17 +1063,17 @@ Status: active + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT + +-### tuple ### deny any 22 192.168.0.1 any 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP +--A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP ++### tuple ### deny any 13 192.168.0.1 any 10.0.0.1 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP ++-A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP + -- + ### tuple ### reject any any 192.168.0.1 80 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT --reject-with tcp-reset + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- +-### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit any 13 192.168.0.1 80 10.0.0.1 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in_eth2 + -A ufw-user-input -i eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1124,7 +1124,7 @@ Rule deleted + Rule deleted (v6) + + +-161: delete reject in on eth1 to 192.168.0.1 port 22 ++161: delete reject in on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1139,7 +1139,7 @@ WARN: Checks disabled + Rule deleted + + +-164: delete deny in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++164: delete deny in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule deleted + +@@ -1149,7 +1149,7 @@ WARN: Checks disabled + Rule deleted + + +-166: delete limit in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++166: delete limit in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule deleted + +@@ -1198,7 +1198,7 @@ Rule added (v6) + 175: deny out on eth1:1 + + +-176: reject out on eth1 to 192.168.0.1 port 22 ++176: reject out on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule added + +@@ -1213,7 +1213,7 @@ WARN: Checks disabled + Rule added + + +-179: deny out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++179: deny out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule added + +@@ -1223,7 +1223,7 @@ WARN: Checks disabled + Rule added + + +-181: limit out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++181: limit out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule added + +@@ -1257,12 +1257,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere ALLOW OUT Anywhere on eth1 (out) +-[ 2] 192.168.0.1 22 REJECT OUT Anywhere on eth1 (out) ++[ 2] 192.168.0.1 13 REJECT OUT Anywhere on eth1 (out) + [ 3] Anywhere LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 4] 192.168.0.1 ALLOW OUT 10.0.0.1 on eth1 (out) +-[ 5] 192.168.0.1 22 DENY OUT 10.0.0.1 on eth1 (out) ++[ 5] 192.168.0.1 13 DENY OUT 10.0.0.1 on eth1 (out) + [ 6] 192.168.0.1 REJECT OUT 10.0.0.1 80 on eth1 (out) +-[ 7] 192.168.0.1 22 LIMIT OUT 10.0.0.1 80 on eth1 (out) ++[ 7] 192.168.0.1 13 LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 8] Anywhere ALLOW OUT Anywhere on eth0 (log, out) + [ 9] 10.0.0.1 24/tcp ALLOW OUT 192.168.0.1 on eth0 (log, out) + [10] 10.0.0.1 25/tcp DENY OUT 192.168.0.1 on eth0 (log-all, out) +@@ -1286,12 +1286,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere ALLOW OUT Anywhere on eth1 (out) +-[ 2] 192.168.0.1 22 REJECT OUT Anywhere on eth1 (out) ++[ 2] 192.168.0.1 13 REJECT OUT Anywhere on eth1 (out) + [ 3] Anywhere LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 4] 192.168.0.1 ALLOW OUT 10.0.0.1 on eth1 (out) +-[ 5] 192.168.0.1 22 DENY OUT 10.0.0.1 on eth1 (out) ++[ 5] 192.168.0.1 13 DENY OUT 10.0.0.1 on eth1 (out) + [ 6] 192.168.0.1 REJECT OUT 10.0.0.1 80 on eth1 (out) +-[ 7] 192.168.0.1 22 LIMIT OUT 10.0.0.1 80 on eth1 (out) ++[ 7] 192.168.0.1 13 LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 8] Samba ALLOW OUT Anywhere on eth2 (out) + [ 9] Anywhere ALLOW OUT Anywhere on eth0 (log, out) + [10] 10.0.0.1 24/tcp ALLOW OUT 192.168.0.1 on eth0 (log, out) +@@ -1307,9 +1307,9 @@ Status: active + ### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 out_eth1 + -A ufw-user-output -o eth1 -j ACCEPT + +-### tuple ### reject any 22 192.168.0.1 any 0.0.0.0/0 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -j REJECT --reject-with tcp-reset +--A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT ++### tuple ### reject any 13 192.168.0.1 any 0.0.0.0/0 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -j REJECT --reject-with tcp-reset ++-A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 13 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +@@ -1318,17 +1318,17 @@ Status: active + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT + +-### tuple ### deny any 22 192.168.0.1 any 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP +--A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP ++### tuple ### deny any 13 192.168.0.1 any 10.0.0.1 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP ++-A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP + -- + ### tuple ### reject any any 192.168.0.1 80 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT --reject-with tcp-reset + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- +-### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit any 13 192.168.0.1 80 10.0.0.1 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - out_eth2 + -A ufw-user-output -o eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1379,7 +1379,7 @@ Rule deleted + Rule deleted (v6) + + +-190: delete reject out on eth1 to 192.168.0.1 port 22 ++190: delete reject out on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1394,7 +1394,7 @@ WARN: Checks disabled + Rule deleted + + +-193: delete deny out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++193: delete deny out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule deleted + +@@ -1404,7 +1404,7 @@ WARN: Checks disabled + Rule deleted + + +-195: delete limit out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++195: delete limit out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule deleted + +@@ -1452,7 +1452,7 @@ Rule added + 204: deny in on eth1:1 + + +-205: reject in on eth1 to 192.168.0.1 port 22 ++205: reject in on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule added + +@@ -1467,7 +1467,7 @@ WARN: Checks disabled + Rule added + + +-208: deny in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++208: deny in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule added + +@@ -1477,7 +1477,7 @@ WARN: Checks disabled + Rule added + + +-210: limit in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++210: limit in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule added + +@@ -1509,12 +1509,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere on eth1 ALLOW IN Anywhere +-[ 2] 192.168.0.1 22 on eth1 REJECT IN Anywhere ++[ 2] 192.168.0.1 13 on eth1 REJECT IN Anywhere + [ 3] Anywhere on eth1 LIMIT IN 10.0.0.1 80 + [ 4] 192.168.0.1 on eth1 ALLOW IN 10.0.0.1 +-[ 5] 192.168.0.1 22 on eth1 DENY IN 10.0.0.1 ++[ 5] 192.168.0.1 13 on eth1 DENY IN 10.0.0.1 + [ 6] 192.168.0.1 on eth1 REJECT IN 10.0.0.1 80 +-[ 7] 192.168.0.1 22 on eth1 LIMIT IN 10.0.0.1 80 ++[ 7] 192.168.0.1 13 on eth1 LIMIT IN 10.0.0.1 80 + [ 8] Anywhere on eth0 ALLOW IN Anywhere (log) + [ 9] 10.0.0.1 24/tcp on eth0 ALLOW IN 192.168.0.1 (log) + [10] 10.0.0.1 25/tcp on eth0 DENY IN 192.168.0.1 (log-all) +@@ -1534,12 +1534,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere on eth1 ALLOW IN Anywhere +-[ 2] 192.168.0.1 22 on eth1 REJECT IN Anywhere ++[ 2] 192.168.0.1 13 on eth1 REJECT IN Anywhere + [ 3] Anywhere on eth1 LIMIT IN 10.0.0.1 80 + [ 4] 192.168.0.1 on eth1 ALLOW IN 10.0.0.1 +-[ 5] 192.168.0.1 22 on eth1 DENY IN 10.0.0.1 ++[ 5] 192.168.0.1 13 on eth1 DENY IN 10.0.0.1 + [ 6] 192.168.0.1 on eth1 REJECT IN 10.0.0.1 80 +-[ 7] 192.168.0.1 22 on eth1 LIMIT IN 10.0.0.1 80 ++[ 7] 192.168.0.1 13 on eth1 LIMIT IN 10.0.0.1 80 + [ 8] Samba on eth2 ALLOW IN Anywhere + [ 9] Anywhere on eth0 ALLOW IN Anywhere (log) + [10] 10.0.0.1 24/tcp on eth0 ALLOW IN 192.168.0.1 (log) +@@ -1551,9 +1551,9 @@ Status: active + ### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 in_eth1 + -A ufw-user-input -i eth1 -j ACCEPT + +-### tuple ### reject any 22 192.168.0.1 any 0.0.0.0/0 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -j REJECT --reject-with tcp-reset +--A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT ++### tuple ### reject any 13 192.168.0.1 any 0.0.0.0/0 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -j REJECT --reject-with tcp-reset ++-A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 13 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +@@ -1562,17 +1562,17 @@ Status: active + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT + +-### tuple ### deny any 22 192.168.0.1 any 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP +--A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP ++### tuple ### deny any 13 192.168.0.1 any 10.0.0.1 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP ++-A ufw-user-input -i eth1 -p udp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP + -- + ### tuple ### reject any any 192.168.0.1 80 10.0.0.1 in_eth1 + -A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT --reject-with tcp-reset + -A ufw-user-input -i eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- +-### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 in_eth1 +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit any 13 192.168.0.1 80 10.0.0.1 in_eth1 ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -i eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - in_eth2 + -A ufw-user-input -i eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1603,7 +1603,7 @@ WARN: Checks disabled + Rule deleted + + +-219: delete reject in on eth1 to 192.168.0.1 port 22 ++219: delete reject in on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1618,7 +1618,7 @@ WARN: Checks disabled + Rule deleted + + +-222: delete deny in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++222: delete deny in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule deleted + +@@ -1628,7 +1628,7 @@ WARN: Checks disabled + Rule deleted + + +-224: delete limit in on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++224: delete limit in on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule deleted + +@@ -1673,7 +1673,7 @@ Rule added + 233: deny out on eth1:1 + + +-234: reject out on eth1 to 192.168.0.1 port 22 ++234: reject out on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule added + +@@ -1688,7 +1688,7 @@ WARN: Checks disabled + Rule added + + +-237: deny out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++237: deny out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule added + +@@ -1698,7 +1698,7 @@ WARN: Checks disabled + Rule added + + +-239: limit out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++239: limit out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule added + +@@ -1730,12 +1730,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere ALLOW OUT Anywhere on eth1 (out) +-[ 2] 192.168.0.1 22 REJECT OUT Anywhere on eth1 (out) ++[ 2] 192.168.0.1 13 REJECT OUT Anywhere on eth1 (out) + [ 3] Anywhere LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 4] 192.168.0.1 ALLOW OUT 10.0.0.1 on eth1 (out) +-[ 5] 192.168.0.1 22 DENY OUT 10.0.0.1 on eth1 (out) ++[ 5] 192.168.0.1 13 DENY OUT 10.0.0.1 on eth1 (out) + [ 6] 192.168.0.1 REJECT OUT 10.0.0.1 80 on eth1 (out) +-[ 7] 192.168.0.1 22 LIMIT OUT 10.0.0.1 80 on eth1 (out) ++[ 7] 192.168.0.1 13 LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 8] Anywhere ALLOW OUT Anywhere on eth0 (log, out) + [ 9] 10.0.0.1 24/tcp ALLOW OUT 192.168.0.1 on eth0 (log, out) + [10] 10.0.0.1 25/tcp DENY OUT 192.168.0.1 on eth0 (log-all, out) +@@ -1755,12 +1755,12 @@ Status: active + To Action From + -- ------ ---- + [ 1] Anywhere ALLOW OUT Anywhere on eth1 (out) +-[ 2] 192.168.0.1 22 REJECT OUT Anywhere on eth1 (out) ++[ 2] 192.168.0.1 13 REJECT OUT Anywhere on eth1 (out) + [ 3] Anywhere LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 4] 192.168.0.1 ALLOW OUT 10.0.0.1 on eth1 (out) +-[ 5] 192.168.0.1 22 DENY OUT 10.0.0.1 on eth1 (out) ++[ 5] 192.168.0.1 13 DENY OUT 10.0.0.1 on eth1 (out) + [ 6] 192.168.0.1 REJECT OUT 10.0.0.1 80 on eth1 (out) +-[ 7] 192.168.0.1 22 LIMIT OUT 10.0.0.1 80 on eth1 (out) ++[ 7] 192.168.0.1 13 LIMIT OUT 10.0.0.1 80 on eth1 (out) + [ 8] Samba ALLOW OUT Anywhere on eth2 (out) + [ 9] Anywhere ALLOW OUT Anywhere on eth0 (log, out) + [10] 10.0.0.1 24/tcp ALLOW OUT 192.168.0.1 on eth0 (log, out) +@@ -1772,9 +1772,9 @@ Status: active + ### tuple ### allow any any 0.0.0.0/0 any 0.0.0.0/0 out_eth1 + -A ufw-user-output -o eth1 -j ACCEPT + +-### tuple ### reject any 22 192.168.0.1 any 0.0.0.0/0 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -j REJECT --reject-with tcp-reset +--A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -j REJECT ++### tuple ### reject any 13 192.168.0.1 any 0.0.0.0/0 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -j REJECT --reject-with tcp-reset ++-A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 13 -j REJECT + -- + ### tuple ### limit any any 0.0.0.0/0 80 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -p tcp -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +@@ -1783,17 +1783,17 @@ Status: active + ### tuple ### allow any any 192.168.0.1 any 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -d 192.168.0.1 -s 10.0.0.1 -j ACCEPT + +-### tuple ### deny any 22 192.168.0.1 any 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP +--A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 22 -s 10.0.0.1 -j DROP ++### tuple ### deny any 13 192.168.0.1 any 10.0.0.1 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP ++-A ufw-user-output -o eth1 -p udp -d 192.168.0.1 --dport 13 -s 10.0.0.1 -j DROP + -- + ### tuple ### reject any any 192.168.0.1 80 10.0.0.1 out_eth1 + -A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT --reject-with tcp-reset + -A ufw-user-output -o eth1 -p udp -d 192.168.0.1 -s 10.0.0.1 --sport 80 -j REJECT + -- +-### tuple ### limit any 22 192.168.0.1 80 10.0.0.1 out_eth1 +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 22 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit any 13 192.168.0.1 80 10.0.0.1 out_eth1 ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-output -o eth1 -p tcp -d 192.168.0.1 --dport 13 -s 10.0.0.1 --sport 80 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba - out_eth2 + -A ufw-user-output -o eth2 -p udp -m multiport --dports 137,138 -j ACCEPT -m comment --comment 'dapp_Samba' +@@ -1824,7 +1824,7 @@ WARN: Checks disabled + Rule deleted + + +-248: delete reject out on eth1 to 192.168.0.1 port 22 ++248: delete reject out on eth1 to 192.168.0.1 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1839,7 +1839,7 @@ WARN: Checks disabled + Rule deleted + + +-251: delete deny out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++251: delete deny out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + WARN: Checks disabled + Rule deleted + +@@ -1849,7 +1849,7 @@ WARN: Checks disabled + Rule deleted + + +-253: delete limit out on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++253: delete limit out on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + WARN: Checks disabled + Rule deleted + +@@ -2591,7 +2591,7 @@ Verify secondary chains + 494: disable + + +-495: allow 22/tcp ++495: allow 13/tcp + + + 496: enable +@@ -2675,7 +2675,7 @@ Verify secondary chains + 522: enable + + +-523: delete allow 22/tcp ++523: delete allow 13/tcp + + + Reset test +@@ -3033,7 +3033,7 @@ Setting IPV6 to yes + 588: enable + + +-589: limit 22/tcp ++589: limit 13/tcp + + + 590: allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp +@@ -3045,12 +3045,12 @@ Setting IPV6 to yes + 592: show added + WARN: Checks disabled + Added user rules (see 'ufw status' for running firewall): +-ufw limit 22/tcp ++ufw limit 13/tcp + ufw deny Samba + ufw allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp + + +-593: delete limit 22/tcp ++593: delete limit 13/tcp + + + 594: delete allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp +@@ -3072,7 +3072,7 @@ Setting IPV6 to no + 598: enable + + +-599: limit 22/tcp ++599: limit 13/tcp + + + 600: deny Samba +@@ -3081,11 +3081,11 @@ Setting IPV6 to no + 601: show added + WARN: Checks disabled + Added user rules (see 'ufw status' for running firewall): +-ufw limit 22/tcp ++ufw limit 13/tcp + ufw deny Samba + + +-602: delete limit 22/tcp ++602: delete limit 13/tcp + + + 603: delete deny Samba +diff --git a/tests/root/live/runtest.sh b/tests/root/live/runtest.sh +index 3dd4e35..228e3e6 100755 +--- a/tests/root/live/runtest.sh ++++ b/tests/root/live/runtest.sh +@@ -43,7 +43,7 @@ do + do_cmd "0" allow from 192.168.0.0/16 + do_cmd "0" deny proto udp from 1.2.3.4 to any port 514 + do_cmd "0" allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 +- do_cmd "0" limit 22/tcp ++ do_cmd "0" limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" deny proto tcp from 2001:db8::/32 to any port 25 + do_cmd "0" deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8 +@@ -63,7 +63,7 @@ do + do_cmd "0" delete allow from 192.168.0.0/16 + do_cmd "0" delete deny proto udp from 1.2.3.4 to any port 514 + do_cmd "0" delete allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 +- do_cmd "0" delete limit 22/tcp ++ do_cmd "0" delete limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" delete deny proto tcp from 2001:db8::/32 to any port 25 + do_cmd "0" delete deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8 +@@ -132,7 +132,7 @@ do + do_cmd "0" allow from 192.168.0.0/16 + do_cmd "0" deny proto udp from 1.2.3.4 to any port 514 + do_cmd "0" allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 +- do_cmd "0" limit 22/tcp ++ do_cmd "0" limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" deny proto tcp from 2001:db8::/32 to any port 25 + do_cmd "0" deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8 +@@ -149,7 +149,7 @@ do + do_cmd "0" delete allow from 192.168.0.0/16 + do_cmd "0" delete deny proto udp from 1.2.3.4 to any port 514 + do_cmd "0" delete allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469 +- do_cmd "0" delete limit 22/tcp ++ do_cmd "0" delete limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" delete deny proto tcp from 2001:db8::/32 to any port 25 + do_cmd "0" delete deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8 +@@ -168,12 +168,12 @@ do + + do_cmd "0" allow $i on eth1 + do_cmd "1" null deny $i on eth1:1 +- do_cmd "0" reject $i on eth1 to 192.168.0.1 port 22 ++ do_cmd "0" reject $i on eth1 to 192.168.0.1 port 13 + do_cmd "0" limit $i on eth1 from 10.0.0.1 port 80 + do_cmd "0" allow $i on eth1 to 192.168.0.1 from 10.0.0.1 +- do_cmd "0" deny $i on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++ do_cmd "0" deny $i on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + do_cmd "0" reject $i on eth1 to 192.168.0.1 from 10.0.0.1 port 80 +- do_cmd "0" limit $i on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++ do_cmd "0" limit $i on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + + do_cmd "0" allow $i on eth0 log + do_cmd "0" allow $i on eth0 log from 192.168.0.1 to 10.0.0.1 port 24 proto tcp +@@ -189,12 +189,12 @@ do + + # delete what we added + do_cmd "0" delete allow $i on eth1 +- do_cmd "0" delete reject $i on eth1 to 192.168.0.1 port 22 ++ do_cmd "0" delete reject $i on eth1 to 192.168.0.1 port 13 + do_cmd "0" delete limit $i on eth1 from 10.0.0.1 port 80 + do_cmd "0" delete allow $i on eth1 to 192.168.0.1 from 10.0.0.1 +- do_cmd "0" delete deny $i on eth1 to 192.168.0.1 port 22 from 10.0.0.1 ++ do_cmd "0" delete deny $i on eth1 to 192.168.0.1 port 13 from 10.0.0.1 + do_cmd "0" delete reject $i on eth1 to 192.168.0.1 from 10.0.0.1 port 80 +- do_cmd "0" delete limit $i on eth1 to 192.168.0.1 port 22 from 10.0.0.1 port 80 ++ do_cmd "0" delete limit $i on eth1 to 192.168.0.1 port 13 from 10.0.0.1 port 80 + + do_cmd "0" delete allow $i on eth0 log + do_cmd "0" delete allow $i on eth0 log from 192.168.0.1 to 10.0.0.1 port 24 proto tcp +@@ -312,7 +312,7 @@ do_cmd "0" nostats disable + echo "'Resource temporarily unavailable' test" >> $TESTTMP/result + do_cmd "0" nostats disable + $TESTSTATE/ufw-init flush-all >/dev/null +-do_cmd "0" nostats allow 22/tcp ++do_cmd "0" nostats allow 13/tcp + do_cmd "0" nostats enable + $TESTSTATE/ufw-init stop >/dev/null + for i in `seq 1 25`; do +@@ -327,7 +327,7 @@ for i in `seq 1 25`; do + let count=count+1 + done + do_cmd "0" nostats enable +-do_cmd "0" nostats delete allow 22/tcp ++do_cmd "0" nostats delete allow 13/tcp + + echo "Reset test" >> $TESTTMP/result + do_cmd "0" nostats enable +@@ -445,13 +445,13 @@ do + sed -i "s/IPV6=.*/IPV6=$ipv6/" $TESTPATH/etc/default/ufw + do_cmd "0" nostats disable + do_cmd "0" nostats enable +- do_cmd "0" nostats limit 22/tcp ++ do_cmd "0" nostats limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" nostats allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp + fi + do_cmd "0" nostats deny Samba + do_cmd "0" show added +- do_cmd "0" nostats delete limit 22/tcp ++ do_cmd "0" nostats delete limit 13/tcp + if [ "$ipv6" = "yes" ]; then + do_cmd "0" nostats delete allow in on eth0 to 2001::211:aaaa:bbbb:d54c port 123 proto tcp + fi +diff --git a/tests/root/live_apps/result b/tests/root/live_apps/result +index cb97ffb..1d9338e 100644 +--- a/tests/root/live_apps/result ++++ b/tests/root/live_apps/result +@@ -31,7 +31,7 @@ Rule added + Rule added (v6) + + +-6: allow to any app Samba from any port 22 ++6: allow to any app Samba from any port 13 + WARN: Checks disabled + Rule added + Rule added (v6) +@@ -58,7 +58,7 @@ WARN: Checks disabled + Rule added (v6) + + +-11: allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 22 ++11: allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 13 + WARN: Checks disabled + Rule added (v6) + +@@ -78,18 +78,18 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + Apache (v6) ALLOW Anywhere (v6) + Samba (v6) ALLOW Anywhere (v6) + Anywhere (v6) ALLOW Samba (v6) + Samba (v6) ALLOW Bind9 (v6) +-Samba (v6) ALLOW 22 ++Samba (v6) ALLOW 13 + Apache (v6) ALLOW 88 + 2001:db8::/32 Samba ALLOW Anywhere (v6) + Anywhere (v6) ALLOW 2001:db8::/32 Samba + 2001:db8::/32 Samba ALLOW 2001:db8::/32 Bind9 +-2001:db8::/32 Samba ALLOW 2001:db8::/32 22 ++2001:db8::/32 Samba ALLOW 2001:db8::/32 13 + 2001:db8::/32 Apache ALLOW 2001:db8::/32 88 + + +@@ -110,8 +110,8 @@ Anywhere ALLOW IN 137,138/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 137,138/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-137,138/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++137,138/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 80/tcp (Apache) ALLOW IN 88/tcp + 80/tcp (Apache (v6)) ALLOW IN Anywhere (v6) + 137,138/udp (Samba (v6)) ALLOW IN Anywhere (v6) +@@ -120,8 +120,8 @@ Anywhere (v6) ALLOW IN 137,138/udp (Samba (v6)) + Anywhere (v6) ALLOW IN 139,445/tcp (Samba (v6)) + 137,138/udp (Samba (v6)) ALLOW IN 53/udp (Bind9 (v6)) + 139,445/tcp (Samba (v6)) ALLOW IN 53/tcp (Bind9 (v6)) +-137,138/udp (Samba (v6)) ALLOW IN 22/udp +-139,445/tcp (Samba (v6)) ALLOW IN 22/tcp ++137,138/udp (Samba (v6)) ALLOW IN 13/udp ++139,445/tcp (Samba (v6)) ALLOW IN 13/tcp + 80/tcp (Apache (v6)) ALLOW IN 88/tcp + 2001:db8::/32 137,138/udp (Samba) ALLOW IN Anywhere (v6) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN Anywhere (v6) +@@ -129,8 +129,8 @@ Anywhere (v6) ALLOW IN 2001:db8::/32 137,138/udp (Samba) + Anywhere (v6) ALLOW IN 2001:db8::/32 139,445/tcp (Samba) + 2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 53/udp (Bind9) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 53/tcp (Bind9) +-2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 22/udp +-2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 22/tcp ++2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 13/udp ++2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 13/tcp + 2001:db8::/32 80/tcp (Apache) ALLOW IN 2001:db8::/32 88/tcp + + +@@ -159,7 +159,7 @@ Rule deleted + Rule deleted (v6) + + +-19: delete allow to any app Samba from any port 22 ++19: delete allow to any app Samba from any port 13 + WARN: Checks disabled + Rule deleted + Rule deleted (v6) +@@ -186,7 +186,7 @@ WARN: Checks disabled + Rule deleted (v6) + + +-24: delete allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 22 ++24: delete allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 13 + WARN: Checks disabled + Rule deleted (v6) + +@@ -228,7 +228,7 @@ WARN: Checks disabled + Rule added + + +-33: allow to any app Samba from any port 22 ++33: allow to any app Samba from any port 13 + WARN: Checks disabled + Rule added + +@@ -253,7 +253,7 @@ WARN: Checks disabled + Rule added + + +-38: allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 22 ++38: allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 13 + WARN: Checks disabled + Rule added + +@@ -273,12 +273,12 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + 192.168.2.0/24 Samba ALLOW Anywhere + Anywhere ALLOW 192.168.2.0/24 Samba + 192.168.2.0/24 Samba ALLOW 192.168.2.0/24 Bind9 +-192.168.2.0/24 Samba ALLOW 192.168.2.0/24 22 ++192.168.2.0/24 Samba ALLOW 192.168.2.0/24 13 + 192.168.2.0/24 Apache ALLOW 192.168.2.0/24 88 + + +@@ -299,8 +299,8 @@ Anywhere ALLOW IN 137,138/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 137,138/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-137,138/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++137,138/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 80/tcp (Apache) ALLOW IN 88/tcp + 192.168.2.0/24 137,138/udp (Samba) ALLOW IN Anywhere + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN Anywhere +@@ -308,8 +308,8 @@ Anywhere ALLOW IN 192.168.2.0/24 137,138/udp (Samba) + Anywhere ALLOW IN 192.168.2.0/24 139,445/tcp (Samba) + 192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 53/udp (Bind9) + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 53/tcp (Bind9) +-192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 22/udp +-192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 22/tcp ++192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 13/udp ++192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 13/tcp + 192.168.2.0/24 80/tcp (Apache) ALLOW IN 192.168.2.0/24 88/tcp + + +@@ -334,7 +334,7 @@ WARN: Checks disabled + Rule deleted + + +-46: delete allow to any app Samba from any port 22 ++46: delete allow to any app Samba from any port 13 + WARN: Checks disabled + Rule deleted + +@@ -359,7 +359,7 @@ WARN: Checks disabled + Rule deleted + + +-51: delete allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 22 ++51: delete allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 13 + WARN: Checks disabled + Rule deleted + +@@ -406,7 +406,7 @@ Rule added + Rule added (v6) + + +-60: allow to any app Samba from any port 22 ++60: allow to any app Samba from any port 13 + WARN: Checks disabled + Rule added + Rule added (v6) +@@ -433,7 +433,7 @@ WARN: Checks disabled + Rule added (v6) + + +-65: allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 22 ++65: allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 13 + WARN: Checks disabled + Rule added (v6) + +@@ -453,18 +453,18 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + Apache (v6) ALLOW Anywhere (v6) + Samba (v6) ALLOW Anywhere (v6) + Anywhere (v6) ALLOW Samba (v6) + Samba (v6) ALLOW Bind9 (v6) +-Samba (v6) ALLOW 22 ++Samba (v6) ALLOW 13 + Apache (v6) ALLOW 88 + 2001:db8::/32 Samba ALLOW Anywhere (v6) + Anywhere (v6) ALLOW 2001:db8::/32 Samba + 2001:db8::/32 Samba ALLOW 2001:db8::/32 Bind9 +-2001:db8::/32 Samba ALLOW 2001:db8::/32 22 ++2001:db8::/32 Samba ALLOW 2001:db8::/32 13 + 2001:db8::/32 Apache ALLOW 2001:db8::/32 88 + + +@@ -485,8 +485,8 @@ Anywhere ALLOW IN 137,138/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 137,138/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-137,138/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++137,138/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 80/tcp (Apache) ALLOW IN 88/tcp + 80/tcp (Apache (v6)) ALLOW IN Anywhere (v6) + 137,138/udp (Samba (v6)) ALLOW IN Anywhere (v6) +@@ -495,8 +495,8 @@ Anywhere (v6) ALLOW IN 137,138/udp (Samba (v6)) + Anywhere (v6) ALLOW IN 139,445/tcp (Samba (v6)) + 137,138/udp (Samba (v6)) ALLOW IN 53/udp (Bind9 (v6)) + 139,445/tcp (Samba (v6)) ALLOW IN 53/tcp (Bind9 (v6)) +-137,138/udp (Samba (v6)) ALLOW IN 22/udp +-139,445/tcp (Samba (v6)) ALLOW IN 22/tcp ++137,138/udp (Samba (v6)) ALLOW IN 13/udp ++139,445/tcp (Samba (v6)) ALLOW IN 13/tcp + 80/tcp (Apache (v6)) ALLOW IN 88/tcp + 2001:db8::/32 137,138/udp (Samba) ALLOW IN Anywhere (v6) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN Anywhere (v6) +@@ -504,8 +504,8 @@ Anywhere (v6) ALLOW IN 2001:db8::/32 137,138/udp (Samba) + Anywhere (v6) ALLOW IN 2001:db8::/32 139,445/tcp (Samba) + 2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 53/udp (Bind9) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 53/tcp (Bind9) +-2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 22/udp +-2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 22/tcp ++2001:db8::/32 137,138/udp (Samba) ALLOW IN 2001:db8::/32 13/udp ++2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 13/tcp + 2001:db8::/32 80/tcp (Apache) ALLOW IN 2001:db8::/32 88/tcp + + +@@ -532,18 +532,18 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + Apache (v6) ALLOW Anywhere (v6) + Samba (v6) ALLOW Anywhere (v6) + Anywhere (v6) ALLOW Samba (v6) + Samba (v6) ALLOW Bind9 (v6) +-Samba (v6) ALLOW 22 ++Samba (v6) ALLOW 13 + Apache (v6) ALLOW 88 + 2001:db8::/32 Samba ALLOW Anywhere (v6) + Anywhere (v6) ALLOW 2001:db8::/32 Samba + 2001:db8::/32 Samba ALLOW 2001:db8::/32 Bind9 +-2001:db8::/32 Samba ALLOW 2001:db8::/32 22 ++2001:db8::/32 Samba ALLOW 2001:db8::/32 13 + 2001:db8::/32 Apache ALLOW 2001:db8::/32 88 + + +@@ -564,8 +564,8 @@ Anywhere ALLOW IN 138,9999/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 138,9999/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-138,9999/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++138,9999/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 8888/tcp (Apache) ALLOW IN 88/tcp + 8888/tcp (Apache (v6)) ALLOW IN Anywhere (v6) + 138,9999/udp (Samba (v6)) ALLOW IN Anywhere (v6) +@@ -574,8 +574,8 @@ Anywhere (v6) ALLOW IN 138,9999/udp (Samba (v6)) + Anywhere (v6) ALLOW IN 139,445/tcp (Samba (v6)) + 138,9999/udp (Samba (v6)) ALLOW IN 53/udp (Bind9 (v6)) + 139,445/tcp (Samba (v6)) ALLOW IN 53/tcp (Bind9 (v6)) +-138,9999/udp (Samba (v6)) ALLOW IN 22/udp +-139,445/tcp (Samba (v6)) ALLOW IN 22/tcp ++138,9999/udp (Samba (v6)) ALLOW IN 13/udp ++139,445/tcp (Samba (v6)) ALLOW IN 13/tcp + 8888/tcp (Apache (v6)) ALLOW IN 88/tcp + 2001:db8::/32 138,9999/udp (Samba) ALLOW IN Anywhere (v6) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN Anywhere (v6) +@@ -583,8 +583,8 @@ Anywhere (v6) ALLOW IN 2001:db8::/32 138,9999/udp (Samba) + Anywhere (v6) ALLOW IN 2001:db8::/32 139,445/tcp (Samba) + 2001:db8::/32 138,9999/udp (Samba) ALLOW IN 2001:db8::/32 53/udp (Bind9) + 2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 53/tcp (Bind9) +-2001:db8::/32 138,9999/udp (Samba) ALLOW IN 2001:db8::/32 22/udp +-2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 22/tcp ++2001:db8::/32 138,9999/udp (Samba) ALLOW IN 2001:db8::/32 13/udp ++2001:db8::/32 139,445/tcp (Samba) ALLOW IN 2001:db8::/32 13/tcp + 2001:db8::/32 8888/tcp (Apache) ALLOW IN 2001:db8::/32 88/tcp + + +@@ -613,7 +613,7 @@ Rule deleted + Rule deleted (v6) + + +-77: delete allow to any app Samba from any port 22 ++77: delete allow to any app Samba from any port 13 + WARN: Checks disabled + Rule deleted + Rule deleted (v6) +@@ -640,7 +640,7 @@ WARN: Checks disabled + Rule deleted (v6) + + +-82: delete allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 22 ++82: delete allow to 2001:db8::/32 app Samba from 2001:db8::/32 port 13 + WARN: Checks disabled + Rule deleted (v6) + +@@ -682,7 +682,7 @@ WARN: Checks disabled + Rule added + + +-91: allow to any app Samba from any port 22 ++91: allow to any app Samba from any port 13 + WARN: Checks disabled + Rule added + +@@ -707,7 +707,7 @@ WARN: Checks disabled + Rule added + + +-96: allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 22 ++96: allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 13 + WARN: Checks disabled + Rule added + +@@ -727,12 +727,12 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + 192.168.2.0/24 Samba ALLOW Anywhere + Anywhere ALLOW 192.168.2.0/24 Samba + 192.168.2.0/24 Samba ALLOW 192.168.2.0/24 Bind9 +-192.168.2.0/24 Samba ALLOW 192.168.2.0/24 22 ++192.168.2.0/24 Samba ALLOW 192.168.2.0/24 13 + 192.168.2.0/24 Apache ALLOW 192.168.2.0/24 88 + + +@@ -753,8 +753,8 @@ Anywhere ALLOW IN 137,138/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 137,138/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-137,138/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++137,138/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 80/tcp (Apache) ALLOW IN 88/tcp + 192.168.2.0/24 137,138/udp (Samba) ALLOW IN Anywhere + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN Anywhere +@@ -762,8 +762,8 @@ Anywhere ALLOW IN 192.168.2.0/24 137,138/udp (Samba) + Anywhere ALLOW IN 192.168.2.0/24 139,445/tcp (Samba) + 192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 53/udp (Bind9) + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 53/tcp (Bind9) +-192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 22/udp +-192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 22/tcp ++192.168.2.0/24 137,138/udp (Samba) ALLOW IN 192.168.2.0/24 13/udp ++192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 13/tcp + 192.168.2.0/24 80/tcp (Apache) ALLOW IN 192.168.2.0/24 88/tcp + + +@@ -790,12 +790,12 @@ Apache ALLOW Anywhere + Samba ALLOW Anywhere + Anywhere ALLOW Samba + Samba ALLOW Bind9 +-Samba ALLOW 22 ++Samba ALLOW 13 + Apache ALLOW 88 + 192.168.2.0/24 Samba ALLOW Anywhere + Anywhere ALLOW 192.168.2.0/24 Samba + 192.168.2.0/24 Samba ALLOW 192.168.2.0/24 Bind9 +-192.168.2.0/24 Samba ALLOW 192.168.2.0/24 22 ++192.168.2.0/24 Samba ALLOW 192.168.2.0/24 13 + 192.168.2.0/24 Apache ALLOW 192.168.2.0/24 88 + + +@@ -816,8 +816,8 @@ Anywhere ALLOW IN 138,9999/udp (Samba) + Anywhere ALLOW IN 139,445/tcp (Samba) + 138,9999/udp (Samba) ALLOW IN 53/udp (Bind9) + 139,445/tcp (Samba) ALLOW IN 53/tcp (Bind9) +-138,9999/udp (Samba) ALLOW IN 22/udp +-139,445/tcp (Samba) ALLOW IN 22/tcp ++138,9999/udp (Samba) ALLOW IN 13/udp ++139,445/tcp (Samba) ALLOW IN 13/tcp + 8888/tcp (Apache) ALLOW IN 88/tcp + 192.168.2.0/24 138,9999/udp (Samba) ALLOW IN Anywhere + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN Anywhere +@@ -825,8 +825,8 @@ Anywhere ALLOW IN 192.168.2.0/24 138,9999/udp (Samba) + Anywhere ALLOW IN 192.168.2.0/24 139,445/tcp (Samba) + 192.168.2.0/24 138,9999/udp (Samba) ALLOW IN 192.168.2.0/24 53/udp (Bind9) + 192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 53/tcp (Bind9) +-192.168.2.0/24 138,9999/udp (Samba) ALLOW IN 192.168.2.0/24 22/udp +-192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 22/tcp ++192.168.2.0/24 138,9999/udp (Samba) ALLOW IN 192.168.2.0/24 13/udp ++192.168.2.0/24 139,445/tcp (Samba) ALLOW IN 192.168.2.0/24 13/tcp + 192.168.2.0/24 8888/tcp (Apache) ALLOW IN 192.168.2.0/24 88/tcp + + +@@ -851,7 +851,7 @@ WARN: Checks disabled + Rule deleted + + +-108: delete allow to any app Samba from any port 22 ++108: delete allow to any app Samba from any port 13 + WARN: Checks disabled + Rule deleted + +@@ -876,7 +876,7 @@ WARN: Checks disabled + Rule deleted + + +-113: delete allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 22 ++113: delete allow to 192.168.2.0/24 app Samba from 192.168.2.0/24 port 13 + WARN: Checks disabled + Rule deleted + +@@ -1356,7 +1356,7 @@ WARN: Checks disabled + Rule added + + +-164: allow 22 ++164: allow 13 + WARN: Checks disabled + Rule added + +@@ -1435,9 +1435,9 @@ Rule inserted + ### tuple ### allow tcp 139,445 10.0.0.1 any 192.168.0.1 Samba - in + -A ufw-user-input -p tcp -m multiport --dports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT +--A ufw-user-input -p udp --dport 22 -j ACCEPT ++### tuple ### allow any 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 -j ACCEPT + + ### END RULES ### + +@@ -1488,7 +1488,7 @@ WARN: Checks disabled + Rule deleted + + +-173: delete allow 22 ++173: delete allow 13 + WARN: Checks disabled + Rule deleted + +@@ -1799,7 +1799,7 @@ Rule added + Rule added (v6) + + +-192: allow 22 ++192: allow 13 + WARN: Checks disabled + Rule added + Rule added (v6) +@@ -1880,9 +1880,9 @@ Rule inserted + ### tuple ### allow tcp 139,445 10.0.0.1 any 192.168.0.1 Samba - in + -A ufw-user-input -p tcp -m multiport --dports 139,445 -d 10.0.0.1 -s 192.168.0.1 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT +--A ufw-user-input -p udp --dport 22 -j ACCEPT ++### tuple ### allow any 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 -j ACCEPT + + ### END RULES ### + +@@ -1923,9 +1923,9 @@ COMMIT + ### tuple ### allow tcp 139,445 ::/0 any ::/0 Samba - in + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow any 22 ::/0 any ::/0 in +--A ufw6-user-input -p tcp --dport 22 -j ACCEPT +--A ufw6-user-input -p udp --dport 22 -j ACCEPT ++### tuple ### allow any 13 ::/0 any ::/0 in ++-A ufw6-user-input -p tcp --dport 13 -j ACCEPT ++-A ufw6-user-input -p udp --dport 13 -j ACCEPT + + ### END RULES ### + +@@ -1949,7 +1949,7 @@ Rule deleted + Rule deleted (v6) + + +-201: delete allow 22 ++201: delete allow 13 + WARN: Checks disabled + Rule deleted + Rule deleted (v6) +@@ -2606,7 +2606,7 @@ Setting IPV6 to yes + 278: allow Samba + + +-279: allow 22/tcp ++279: allow 13/tcp + + + ### tuple ### allow udp any 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +@@ -2621,8 +2621,8 @@ Setting IPV6 to yes + ### tuple ### allow tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT + + ### tuple ### allow udp any ::/0 137,138 ::/0 - Samba in + -A ufw6-user-input -p udp -m multiport --sports 137,138 -j ACCEPT -m comment --comment 'sapp_Samba' +@@ -2636,8 +2636,8 @@ Setting IPV6 to yes + ### tuple ### allow tcp 139,445 ::/0 any ::/0 Samba - in + -A ufw6-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow tcp 22 ::/0 any ::/0 in +--A ufw6-user-input -p tcp --dport 22 -j ACCEPT ++### tuple ### allow tcp 13 ::/0 any ::/0 in ++-A ufw6-user-input -p tcp --dport 13 -j ACCEPT + + 280: --force delete 6 + +@@ -2706,7 +2706,7 @@ Setting IPV6 to no + 289: allow Samba + + +-290: allow 22/tcp ++290: allow 13/tcp + + + ### tuple ### allow udp any 0.0.0.0/0 137,138 0.0.0.0/0 - Samba in +@@ -2721,8 +2721,8 @@ Setting IPV6 to no + ### tuple ### allow tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba - in + -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT -m comment --comment 'dapp_Samba' + +-### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT + + 291: --force delete 3 + +diff --git a/tests/root/live_apps/runtest.sh b/tests/root/live_apps/runtest.sh +index 04bbde3..5feb86c 100755 +--- a/tests/root/live_apps/runtest.sh ++++ b/tests/root/live_apps/runtest.sh +@@ -51,7 +51,7 @@ do + do_cmd "0" allow to $loc app Samba + do_cmd "0" allow from $loc app Samba + do_cmd "0" allow to $loc app Samba from $loc app Bind9 +- do_cmd "0" allow to $loc app Samba from $loc port 22 ++ do_cmd "0" allow to $loc app Samba from $loc port 13 + do_cmd "0" allow to $loc app Apache from $loc port 88 + done + do_cmd "0" status +@@ -78,7 +78,7 @@ do + do_cmd "0" delete allow to $loc app Samba + do_cmd "0" delete allow from $loc app Samba + do_cmd "0" delete allow to $loc app Samba from $loc app Bind9 +- do_cmd "0" delete allow to $loc app Samba from $loc port 22 ++ do_cmd "0" delete allow to $loc app Samba from $loc port 13 + do_cmd "0" delete allow to $loc app Apache from $loc port 88 + done + do_cmd "0" status +@@ -188,7 +188,7 @@ for ipv6 in no yes ; do + cat $TESTSTATE/user6.rules >> $TESTTMP/result + + do_cmd "0" allow Samba +- do_cmd "0" allow 22 ++ do_cmd "0" allow 13 + do_cmd "0" insert 2 allow from any to any app Samba + do_cmd "0" insert 2 allow from 192.168.0.1 to 10.0.0.1 app Samba + do_cmd "0" insert 2 allow from 192.168.0.1 to any app Samba +@@ -209,7 +209,7 @@ for ipv6 in no yes ; do + } + + do_cmd "0" delete allow Samba +- do_cmd "0" delete allow 22 ++ do_cmd "0" delete allow 13 + do_cmd "0" delete allow from any to any app Samba + do_cmd "0" delete allow from 192.168.0.1 to 10.0.0.1 app Samba + do_cmd "0" delete allow from 192.168.0.1 to any app Samba +@@ -258,7 +258,7 @@ do + + do_cmd "0" nostats allow from any app Samba + do_cmd "0" nostats allow Samba +- do_cmd "0" nostats allow 22/tcp ++ do_cmd "0" nostats allow 13/tcp + + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + if [ "$ipv6" = "yes" ]; then +@@ -267,16 +267,16 @@ do + + if [ "$ipv6" = "yes" ]; then + do_cmd "0" null --force delete 6 +- grep -v -q "^### tuple ### allow any 22 " $TESTSTATE/user6.rules || { +- echo "Failed: Found port '22' in user6.rules" >> $TESTTMP/result ++ grep -v -q "^### tuple ### allow any 13 " $TESTSTATE/user6.rules || { ++ echo "Failed: Found port '13' in user6.rules" >> $TESTTMP/result + exit 1 + } + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + fi + + do_cmd "0" null --force delete 3 +- grep -v -q "^### tuple ### allow any 22 " $TESTSTATE/user.rules || { +- echo "Failed: Found port '22' in user.rules" >> $TESTTMP/result ++ grep -v -q "^### tuple ### allow any 13 " $TESTSTATE/user.rules || { ++ echo "Failed: Found port '13' in user.rules" >> $TESTTMP/result + exit 1 + } + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +diff --git a/tests/root/valid/result b/tests/root/valid/result +index 320a728..752b6f2 100644 +--- a/tests/root/valid/result ++++ b/tests/root/valid/result +@@ -215,7 +215,7 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-26: limit 22/tcp ++26: limit 13/tcp + WARN: Checks disabled + Rules updated + +@@ -233,9 +233,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 27: deny 53 + WARN: Checks disabled + Rules updated +@@ -254,9 +254,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 28: allow 80/tcp + WARN: Checks disabled + Rules updated +@@ -275,9 +275,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + 29: allow from 10.0.0.0/8 + WARN: Checks disabled + Rules updated +@@ -296,9 +296,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -321,9 +321,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -349,9 +349,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -380,9 +380,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -414,9 +414,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -451,9 +451,9 @@ Rules updated + ### tuple ### deny tcp 25 192.168.0.1 any 10.0.0.0/8 in + -A ufw-user-input -p tcp -d 192.168.0.1 --dport 25 -s 10.0.0.0/8 -j DROP + +-### tuple ### limit tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set +--A ufw-user-input -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit ++### tuple ### limit tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --set ++-A ufw-user-input -p tcp --dport 13 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ufw-user-limit + -- + ### tuple ### allow any any 0.0.0.0/0 any 10.0.0.0/8 in + -A ufw-user-input -s 10.0.0.0/8 -j ACCEPT +@@ -483,7 +483,7 @@ WARN: Checks disabled + Rules updated + + +-37: delete limit 22/tcp ++37: delete limit 13/tcp + WARN: Checks disabled + Rules updated + +@@ -659,41 +659,41 @@ WARN: Checks disabled + Rules updated + + +-66: allow ssh ++66: allow daytime + WARN: Checks disabled + Rules updated + + +-### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT +--A ufw-user-input -p udp --dport 22 -j ACCEPT +-67: delete allow ssh ++### tuple ### allow any 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 -j ACCEPT ++67: delete allow daytime + WARN: Checks disabled + Rules updated + + +-68: allow ssh/tcp ++68: allow daytime/tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 -j ACCEPT + +-69: delete allow ssh/tcp ++69: delete allow daytime/tcp + WARN: Checks disabled + Rules updated + + +-70: allow ssh/udp ++70: allow daytime/udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 22 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 22 -j ACCEPT ++### tuple ### allow udp 13 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 13 -j ACCEPT + +-71: delete allow ssh/udp ++71: delete allow daytime/udp + WARN: Checks disabled + Rules updated + +@@ -1679,28 +1679,28 @@ WARN: Checks disabled + Rules updated + + +-219: allow to any port smtp from any port ssh ++219: allow to any port smtp from any port daytime + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 25 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 25 --sport 22 -j ACCEPT ++### tuple ### allow tcp 25 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 25 --sport 13 -j ACCEPT + +-220: delete allow to any port smtp from any port ssh ++220: delete allow to any port smtp from any port daytime + WARN: Checks disabled + Rules updated + + +-221: allow to any port ssh from any port smtp ++221: allow to any port daytime from any port smtp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 0.0.0.0/0 25 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 --sport 25 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 25 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 --sport 25 -j ACCEPT + +-222: delete allow to any port ssh from any port smtp ++222: delete allow to any port daytime from any port smtp + WARN: Checks disabled + Rules updated + +@@ -1744,28 +1744,28 @@ WARN: Checks disabled + Rules updated + + +-229: allow to any port tftp from any port ssh ++229: allow to any port tftp from any port daytime + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 69 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 69 --sport 22 -j ACCEPT ++### tuple ### allow udp 69 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 69 --sport 13 -j ACCEPT + +-230: delete allow to any port tftp from any port ssh ++230: delete allow to any port tftp from any port daytime + WARN: Checks disabled + Rules updated + + +-231: allow to any port ssh from any port tftp ++231: allow to any port daytime from any port tftp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 22 0.0.0.0/0 69 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 22 --sport 69 -j ACCEPT ++### tuple ### allow udp 13 0.0.0.0/0 69 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 13 --sport 69 -j ACCEPT + +-232: delete allow to any port ssh from any port tftp ++232: delete allow to any port daytime from any port tftp + WARN: Checks disabled + Rules updated + +@@ -1796,41 +1796,41 @@ WARN: Checks disabled + Rules updated + + +-237: allow to any port ssh from any port 23 ++237: allow to any port daytime from any port 23 + WARN: Checks disabled + Rules updated + + +-### tuple ### allow any 22 0.0.0.0/0 23 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 --sport 23 -j ACCEPT +--A ufw-user-input -p udp --dport 22 --sport 23 -j ACCEPT +-238: delete allow to any port ssh from any port 23 ++### tuple ### allow any 13 0.0.0.0/0 23 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 --sport 23 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 --sport 23 -j ACCEPT ++238: delete allow to any port daytime from any port 23 + WARN: Checks disabled + Rules updated + + +-239: allow to any port 23 from any port ssh ++239: allow to any port 23 from any port daytime + WARN: Checks disabled + Rules updated + + +-### tuple ### allow any 23 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 23 --sport 22 -j ACCEPT +--A ufw-user-input -p udp --dport 23 --sport 22 -j ACCEPT +-240: delete allow to any port 23 from any port ssh ++### tuple ### allow any 23 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 23 --sport 13 -j ACCEPT ++-A ufw-user-input -p udp --dport 23 --sport 13 -j ACCEPT ++240: delete allow to any port 23 from any port daytime + WARN: Checks disabled + Rules updated + + +-241: allow to any port ssh from any port domain ++241: allow to any port daytime from any port domain + WARN: Checks disabled + Rules updated + + +-### tuple ### allow any 22 0.0.0.0/0 53 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 --sport 53 -j ACCEPT +--A ufw-user-input -p udp --dport 22 --sport 53 -j ACCEPT +-242: delete allow to any port ssh from any port domain ++### tuple ### allow any 13 0.0.0.0/0 53 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 --sport 53 -j ACCEPT ++-A ufw-user-input -p udp --dport 13 --sport 53 -j ACCEPT ++242: delete allow to any port daytime from any port domain + WARN: Checks disabled + Rules updated + +@@ -1848,28 +1848,28 @@ WARN: Checks disabled + Rules updated + + +-245: allow to any port smtp from any port ssh proto tcp ++245: allow to any port smtp from any port daytime proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 25 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 25 --sport 22 -j ACCEPT ++### tuple ### allow tcp 25 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 25 --sport 13 -j ACCEPT + +-246: delete allow to any port smtp from any port ssh proto tcp ++246: delete allow to any port smtp from any port daytime proto tcp + WARN: Checks disabled + Rules updated + + +-247: allow to any port ssh from any port smtp proto tcp ++247: allow to any port daytime from any port smtp proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 0.0.0.0/0 25 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 --sport 25 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 25 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 --sport 25 -j ACCEPT + +-248: delete allow to any port ssh from any port smtp proto tcp ++248: delete allow to any port daytime from any port smtp proto tcp + WARN: Checks disabled + Rules updated + +@@ -1913,28 +1913,28 @@ WARN: Checks disabled + Rules updated + + +-255: allow to any port tftp from any port ssh proto udp ++255: allow to any port tftp from any port daytime proto udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 69 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 69 --sport 22 -j ACCEPT ++### tuple ### allow udp 69 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 69 --sport 13 -j ACCEPT + +-256: delete allow to any port tftp from any port ssh proto udp ++256: delete allow to any port tftp from any port daytime proto udp + WARN: Checks disabled + Rules updated + + +-257: allow to any port ssh from any port tftp proto udp ++257: allow to any port daytime from any port tftp proto udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 22 0.0.0.0/0 69 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 22 --sport 69 -j ACCEPT ++### tuple ### allow udp 13 0.0.0.0/0 69 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 13 --sport 69 -j ACCEPT + +-258: delete allow to any port ssh from any port tftp proto udp ++258: delete allow to any port daytime from any port tftp proto udp + WARN: Checks disabled + Rules updated + +@@ -1965,80 +1965,80 @@ WARN: Checks disabled + Rules updated + + +-263: allow to any port ssh from any port 23 proto tcp ++263: allow to any port daytime from any port 23 proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 0.0.0.0/0 23 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 --sport 23 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 23 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 --sport 23 -j ACCEPT + +-264: delete allow to any port ssh from any port 23 proto tcp ++264: delete allow to any port daytime from any port 23 proto tcp + WARN: Checks disabled + Rules updated + + +-265: allow to any port 23 from any port ssh proto tcp ++265: allow to any port 23 from any port daytime proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 23 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 23 --sport 22 -j ACCEPT ++### tuple ### allow tcp 23 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 23 --sport 13 -j ACCEPT + +-266: delete allow to any port 23 from any port ssh proto tcp ++266: delete allow to any port 23 from any port daytime proto tcp + WARN: Checks disabled + Rules updated + + +-267: allow to any port ssh from any port domain proto tcp ++267: allow to any port daytime from any port domain proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 0.0.0.0/0 53 0.0.0.0/0 in +--A ufw-user-input -p tcp --dport 22 --sport 53 -j ACCEPT ++### tuple ### allow tcp 13 0.0.0.0/0 53 0.0.0.0/0 in ++-A ufw-user-input -p tcp --dport 13 --sport 53 -j ACCEPT + +-268: delete allow to any port ssh from any port domain proto tcp ++268: delete allow to any port daytime from any port domain proto tcp + WARN: Checks disabled + Rules updated + + +-269: allow to any port ssh from any port 23 proto udp ++269: allow to any port daytime from any port 23 proto udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 22 0.0.0.0/0 23 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 22 --sport 23 -j ACCEPT ++### tuple ### allow udp 13 0.0.0.0/0 23 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 13 --sport 23 -j ACCEPT + +-270: delete allow to any port ssh from any port 23 proto udp ++270: delete allow to any port daytime from any port 23 proto udp + WARN: Checks disabled + Rules updated + + +-271: allow to any port 23 from any port ssh proto udp ++271: allow to any port 23 from any port daytime proto udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 23 0.0.0.0/0 22 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 23 --sport 22 -j ACCEPT ++### tuple ### allow udp 23 0.0.0.0/0 13 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 23 --sport 13 -j ACCEPT + +-272: delete allow to any port 23 from any port ssh proto udp ++272: delete allow to any port 23 from any port daytime proto udp + WARN: Checks disabled + Rules updated + + +-273: allow to any port ssh from any port domain proto udp ++273: allow to any port daytime from any port domain proto udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 22 0.0.0.0/0 53 0.0.0.0/0 in +--A ufw-user-input -p udp --dport 22 --sport 53 -j ACCEPT ++### tuple ### allow udp 13 0.0.0.0/0 53 0.0.0.0/0 in ++-A ufw-user-input -p udp --dport 13 --sport 53 -j ACCEPT + +-274: delete allow to any port ssh from any port domain proto udp ++274: delete allow to any port daytime from any port domain proto udp + WARN: Checks disabled + Rules updated + +@@ -2196,41 +2196,41 @@ WARN: Checks disabled + Rules updated + + +-297: allow to 192.168.0.1 port 80:83,22 proto tcp ++297: allow to 192.168.0.1 port 80:83,13 proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22,80:83 192.168.0.1 any 0.0.0.0/0 in +--A ufw-user-input -p tcp -m multiport --dports 22,80:83 -d 192.168.0.1 -j ACCEPT ++### tuple ### allow tcp 13,80:83 192.168.0.1 any 0.0.0.0/0 in ++-A ufw-user-input -p tcp -m multiport --dports 13,80:83 -d 192.168.0.1 -j ACCEPT + +-298: delete allow to 192.168.0.1 port 80:83,22 proto tcp ++298: delete allow to 192.168.0.1 port 80:83,13 proto tcp + WARN: Checks disabled + Rules updated + + +-299: allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 22 proto tcp ++299: allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 13 proto tcp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow tcp 22 192.168.0.2 35:39 192.168.0.1 in +--A ufw-user-input -p tcp -m multiport --dports 22 -m multiport --sports 35:39 -d 192.168.0.2 -s 192.168.0.1 -j ACCEPT ++### tuple ### allow tcp 13 192.168.0.2 35:39 192.168.0.1 in ++-A ufw-user-input -p tcp -m multiport --dports 13 -m multiport --sports 35:39 -d 192.168.0.2 -s 192.168.0.1 -j ACCEPT + +-300: delete allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 22 proto tcp ++300: delete allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 13 proto tcp + WARN: Checks disabled + Rules updated + + +-301: allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++301: allow to any port 23,21,15:19,13 from any port 24:26 proto udp + WARN: Checks disabled + Rules updated + + +-### tuple ### allow udp 15:19,21,22,23 0.0.0.0/0 24:26 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m multiport --sports 24:26 -j ACCEPT ++### tuple ### allow udp 13,15:19,21,23 0.0.0.0/0 24:26 0.0.0.0/0 in ++-A ufw-user-input -p udp -m multiport --dports 13,15:19,21,23 -m multiport --sports 24:26 -j ACCEPT + +-302: delete allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++302: delete allow to any port 23,21,15:19,13 from any port 24:26 proto udp + WARN: Checks disabled + Rules updated + +@@ -2274,15 +2274,15 @@ WARN: Checks disabled + Rules updated + + +-309: deny 23,21,15:19,22/udp ++309: deny 23,21,15:19,13/udp + WARN: Checks disabled + Rules updated + + +-### tuple ### deny udp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -j DROP ++### tuple ### deny udp 13,15:19,21,23 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p udp -m multiport --dports 13,15:19,21,23 -j DROP + +-310: delete deny 23,21,15:19,22/udp ++310: delete deny 23,21,15:19,13/udp + WARN: Checks disabled + Rules updated + +diff --git a/tests/root/valid/runtest.sh b/tests/root/valid/runtest.sh +index aa03d99..feeacba 100755 +--- a/tests/root/valid/runtest.sh ++++ b/tests/root/valid/runtest.sh +@@ -76,7 +76,7 @@ do_cmd "0" deny to any port 80 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" deny from 10.0.0.0/8 to 192.168.0.1 port 25 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" limit 22/tcp ++do_cmd "0" limit 13/tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" deny 53 + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +@@ -97,7 +97,7 @@ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + + do_cmd "0" delete allow 25/tcp + do_cmd "0" delete deny from 10.0.0.0/8 to 192.168.0.1 port 25 proto tcp +-do_cmd "0" delete limit 22/tcp ++do_cmd "0" delete limit 13/tcp + do_cmd "0" delete deny 53 + do_cmd "0" delete allow 80/tcp + do_cmd "0" delete allow from 10.0.0.0/8 +@@ -160,19 +160,19 @@ grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow tftp/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + +-do_cmd "0" allow ssh ++do_cmd "0" allow daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow ssh ++do_cmd "0" delete allow daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + +-do_cmd "0" allow ssh/tcp ++do_cmd "0" allow daytime/tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow ssh/tcp ++do_cmd "0" delete allow daytime/tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + +-do_cmd "0" allow ssh/udp ++do_cmd "0" allow daytime/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow ssh/udp ++do_cmd "0" delete allow daytime/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + + +@@ -250,13 +250,13 @@ do_cmd "0" allow to any port smtp from any port smtp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port smtp from any port smtp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port smtp from any port ssh ++do_cmd "0" allow to any port smtp from any port daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port smtp from any port ssh ++do_cmd "0" delete allow to any port smtp from any port daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port smtp ++do_cmd "0" allow to any port daytime from any port smtp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port smtp ++do_cmd "0" delete allow to any port daytime from any port smtp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" allow to any port smtp from any port 23 + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +@@ -270,13 +270,13 @@ do_cmd "0" allow to any port tftp from any port tftp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port tftp from any port tftp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port tftp from any port ssh ++do_cmd "0" allow to any port tftp from any port daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port tftp from any port ssh ++do_cmd "0" delete allow to any port tftp from any port daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port tftp ++do_cmd "0" allow to any port daytime from any port tftp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port tftp ++do_cmd "0" delete allow to any port daytime from any port tftp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" allow to any port tftp from any port 23 + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +@@ -286,30 +286,30 @@ do_cmd "0" allow to any port 23 from any port tftp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port 23 from any port tftp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 ++do_cmd "0" allow to any port daytime from any port 23 + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 ++do_cmd "0" delete allow to any port daytime from any port 23 + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh ++do_cmd "0" allow to any port 23 from any port daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh ++do_cmd "0" delete allow to any port 23 from any port daytime + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain ++do_cmd "0" allow to any port daytime from any port domain + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain ++do_cmd "0" delete allow to any port daytime from any port domain + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + + do_cmd "0" allow to any port smtp from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port smtp from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port smtp from any port ssh proto tcp ++do_cmd "0" allow to any port smtp from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port smtp from any port ssh proto tcp ++do_cmd "0" delete allow to any port smtp from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port smtp proto tcp ++do_cmd "0" allow to any port daytime from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port smtp proto tcp ++do_cmd "0" delete allow to any port daytime from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" allow to any port smtp from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +@@ -323,13 +323,13 @@ do_cmd "0" allow to any port tftp from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port tftp from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port tftp from any port ssh proto udp ++do_cmd "0" allow to any port tftp from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port tftp from any port ssh proto udp ++do_cmd "0" delete allow to any port tftp from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port tftp proto udp ++do_cmd "0" allow to any port daytime from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port tftp proto udp ++do_cmd "0" delete allow to any port daytime from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" allow to any port tftp from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +@@ -339,29 +339,29 @@ do_cmd "0" allow to any port 23 from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port 23 from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 proto tcp ++do_cmd "0" allow to any port daytime from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 proto tcp ++do_cmd "0" delete allow to any port daytime from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh proto tcp ++do_cmd "0" allow to any port 23 from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh proto tcp ++do_cmd "0" delete allow to any port 23 from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain proto tcp ++do_cmd "0" allow to any port daytime from any port domain proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain proto tcp ++do_cmd "0" delete allow to any port daytime from any port domain proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 proto udp ++do_cmd "0" allow to any port daytime from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 proto udp ++do_cmd "0" delete allow to any port daytime from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh proto udp ++do_cmd "0" allow to any port 23 from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh proto udp ++do_cmd "0" delete allow to any port 23 from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain proto udp ++do_cmd "0" allow to any port daytime from any port domain proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain proto udp ++do_cmd "0" delete allow to any port daytime from any port domain proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + + echo "TESTING NETMASK" >> $TESTTMP/result +@@ -413,17 +413,17 @@ do_cmd "0" allow to 192.168.0.1 port 80:83 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete allow to 192.168.0.1 port 80:83 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to 192.168.0.1 port 80:83,22 proto tcp ++do_cmd "0" allow to 192.168.0.1 port 80:83,13 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to 192.168.0.1 port 80:83,22 proto tcp ++do_cmd "0" delete allow to 192.168.0.1 port 80:83,13 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 22 proto tcp ++do_cmd "0" allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 13 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 22 proto tcp ++do_cmd "0" delete allow from 192.168.0.1 port 35:39 to 192.168.0.2 port 13 proto tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++do_cmd "0" allow to any port 23,21,15:19,13 from any port 24:26 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++do_cmd "0" delete allow to any port 23,21,15:19,13 from any port 24:26 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" allow 34,35/tcp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +@@ -437,9 +437,9 @@ do_cmd "0" deny 35:39/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + do_cmd "0" delete deny 35:39/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" deny 23,21,15:19,22/udp ++do_cmd "0" deny 23,21,15:19,13/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result +-do_cmd "0" delete deny 23,21,15:19,22/udp ++do_cmd "0" delete deny 23,21,15:19,13/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + + cleanup +diff --git a/tests/root/valid6/result b/tests/root/valid6/result +index 74fcd86..f568a2f 100644 +--- a/tests/root/valid6/result ++++ b/tests/root/valid6/result +@@ -1049,31 +1049,31 @@ Rules updated + Rules updated (v6) + + +-164: allow to any port smtp from any port ssh ++164: allow to any port smtp from any port daytime + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 25 ::/0 22 ::/0 in +--A ufw6-user-input -p tcp --dport 25 --sport 22 -j ACCEPT ++### tuple ### allow tcp 25 ::/0 13 ::/0 in ++-A ufw6-user-input -p tcp --dport 25 --sport 13 -j ACCEPT + +-165: delete allow to any port smtp from any port ssh ++165: delete allow to any port smtp from any port daytime + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-166: allow to any port ssh from any port smtp ++166: allow to any port daytime from any port smtp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 22 ::/0 25 ::/0 in +--A ufw6-user-input -p tcp --dport 22 --sport 25 -j ACCEPT ++### tuple ### allow tcp 13 ::/0 25 ::/0 in ++-A ufw6-user-input -p tcp --dport 13 --sport 25 -j ACCEPT + +-167: delete allow to any port ssh from any port smtp ++167: delete allow to any port daytime from any port smtp + WARN: Checks disabled + Rules updated + Rules updated (v6) +@@ -1124,31 +1124,31 @@ Rules updated + Rules updated (v6) + + +-174: allow to any port tftp from any port ssh ++174: allow to any port tftp from any port daytime + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 69 ::/0 22 ::/0 in +--A ufw6-user-input -p udp --dport 69 --sport 22 -j ACCEPT ++### tuple ### allow udp 69 ::/0 13 ::/0 in ++-A ufw6-user-input -p udp --dport 69 --sport 13 -j ACCEPT + +-175: delete allow to any port tftp from any port ssh ++175: delete allow to any port tftp from any port daytime + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-176: allow to any port ssh from any port tftp ++176: allow to any port daytime from any port tftp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 22 ::/0 69 ::/0 in +--A ufw6-user-input -p udp --dport 22 --sport 69 -j ACCEPT ++### tuple ### allow udp 13 ::/0 69 ::/0 in ++-A ufw6-user-input -p udp --dport 13 --sport 69 -j ACCEPT + +-177: delete allow to any port ssh from any port tftp ++177: delete allow to any port daytime from any port tftp + WARN: Checks disabled + Rules updated + Rules updated (v6) +@@ -1184,46 +1184,46 @@ Rules updated + Rules updated (v6) + + +-182: allow to any port ssh from any port 23 ++182: allow to any port daytime from any port 23 + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow any 22 ::/0 23 ::/0 in +--A ufw6-user-input -p tcp --dport 22 --sport 23 -j ACCEPT +--A ufw6-user-input -p udp --dport 22 --sport 23 -j ACCEPT +-183: delete allow to any port ssh from any port 23 ++### tuple ### allow any 13 ::/0 23 ::/0 in ++-A ufw6-user-input -p tcp --dport 13 --sport 23 -j ACCEPT ++-A ufw6-user-input -p udp --dport 13 --sport 23 -j ACCEPT ++183: delete allow to any port daytime from any port 23 + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-184: allow to any port 23 from any port ssh ++184: allow to any port 23 from any port daytime + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow any 23 ::/0 22 ::/0 in +--A ufw6-user-input -p tcp --dport 23 --sport 22 -j ACCEPT +--A ufw6-user-input -p udp --dport 23 --sport 22 -j ACCEPT +-185: delete allow to any port 23 from any port ssh ++### tuple ### allow any 23 ::/0 13 ::/0 in ++-A ufw6-user-input -p tcp --dport 23 --sport 13 -j ACCEPT ++-A ufw6-user-input -p udp --dport 23 --sport 13 -j ACCEPT ++185: delete allow to any port 23 from any port daytime + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-186: allow to any port ssh from any port domain ++186: allow to any port daytime from any port domain + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow any 22 ::/0 53 ::/0 in +--A ufw6-user-input -p tcp --dport 22 --sport 53 -j ACCEPT +--A ufw6-user-input -p udp --dport 22 --sport 53 -j ACCEPT +-187: delete allow to any port ssh from any port domain ++### tuple ### allow any 13 ::/0 53 ::/0 in ++-A ufw6-user-input -p tcp --dport 13 --sport 53 -j ACCEPT ++-A ufw6-user-input -p udp --dport 13 --sport 53 -j ACCEPT ++187: delete allow to any port daytime from any port domain + WARN: Checks disabled + Rules updated + Rules updated (v6) +@@ -1244,31 +1244,31 @@ Rules updated + Rules updated (v6) + + +-190: allow to any port smtp from any port ssh proto tcp ++190: allow to any port smtp from any port daytime proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 25 ::/0 22 ::/0 in +--A ufw6-user-input -p tcp --dport 25 --sport 22 -j ACCEPT ++### tuple ### allow tcp 25 ::/0 13 ::/0 in ++-A ufw6-user-input -p tcp --dport 25 --sport 13 -j ACCEPT + +-191: delete allow to any port smtp from any port ssh proto tcp ++191: delete allow to any port smtp from any port daytime proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-192: allow to any port ssh from any port smtp proto tcp ++192: allow to any port daytime from any port smtp proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 22 ::/0 25 ::/0 in +--A ufw6-user-input -p tcp --dport 22 --sport 25 -j ACCEPT ++### tuple ### allow tcp 13 ::/0 25 ::/0 in ++-A ufw6-user-input -p tcp --dport 13 --sport 25 -j ACCEPT + +-193: delete allow to any port ssh from any port smtp proto tcp ++193: delete allow to any port daytime from any port smtp proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) +@@ -1319,31 +1319,31 @@ Rules updated + Rules updated (v6) + + +-200: allow to any port tftp from any port ssh proto udp ++200: allow to any port tftp from any port daytime proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 69 ::/0 22 ::/0 in +--A ufw6-user-input -p udp --dport 69 --sport 22 -j ACCEPT ++### tuple ### allow udp 69 ::/0 13 ::/0 in ++-A ufw6-user-input -p udp --dport 69 --sport 13 -j ACCEPT + +-201: delete allow to any port tftp from any port ssh proto udp ++201: delete allow to any port tftp from any port daytime proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-202: allow to any port ssh from any port tftp proto udp ++202: allow to any port daytime from any port tftp proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 22 ::/0 69 ::/0 in +--A ufw6-user-input -p udp --dport 22 --sport 69 -j ACCEPT ++### tuple ### allow udp 13 ::/0 69 ::/0 in ++-A ufw6-user-input -p udp --dport 13 --sport 69 -j ACCEPT + +-203: delete allow to any port ssh from any port tftp proto udp ++203: delete allow to any port daytime from any port tftp proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) +@@ -1379,91 +1379,91 @@ Rules updated + Rules updated (v6) + + +-208: allow to any port ssh from any port 23 proto tcp ++208: allow to any port daytime from any port 23 proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 22 ::/0 23 ::/0 in +--A ufw6-user-input -p tcp --dport 22 --sport 23 -j ACCEPT ++### tuple ### allow tcp 13 ::/0 23 ::/0 in ++-A ufw6-user-input -p tcp --dport 13 --sport 23 -j ACCEPT + +-209: delete allow to any port ssh from any port 23 proto tcp ++209: delete allow to any port daytime from any port 23 proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-210: allow to any port 23 from any port ssh proto tcp ++210: allow to any port 23 from any port daytime proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 23 ::/0 22 ::/0 in +--A ufw6-user-input -p tcp --dport 23 --sport 22 -j ACCEPT ++### tuple ### allow tcp 23 ::/0 13 ::/0 in ++-A ufw6-user-input -p tcp --dport 23 --sport 13 -j ACCEPT + +-211: delete allow to any port 23 from any port ssh proto tcp ++211: delete allow to any port 23 from any port daytime proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-212: allow to any port ssh from any port domain proto tcp ++212: allow to any port daytime from any port domain proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow tcp 22 ::/0 53 ::/0 in +--A ufw6-user-input -p tcp --dport 22 --sport 53 -j ACCEPT ++### tuple ### allow tcp 13 ::/0 53 ::/0 in ++-A ufw6-user-input -p tcp --dport 13 --sport 53 -j ACCEPT + +-213: delete allow to any port ssh from any port domain proto tcp ++213: delete allow to any port daytime from any port domain proto tcp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-214: allow to any port ssh from any port 23 proto udp ++214: allow to any port daytime from any port 23 proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 22 ::/0 23 ::/0 in +--A ufw6-user-input -p udp --dport 22 --sport 23 -j ACCEPT ++### tuple ### allow udp 13 ::/0 23 ::/0 in ++-A ufw6-user-input -p udp --dport 13 --sport 23 -j ACCEPT + +-215: delete allow to any port ssh from any port 23 proto udp ++215: delete allow to any port daytime from any port 23 proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-216: allow to any port 23 from any port ssh proto udp ++216: allow to any port 23 from any port daytime proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 23 ::/0 22 ::/0 in +--A ufw6-user-input -p udp --dport 23 --sport 22 -j ACCEPT ++### tuple ### allow udp 23 ::/0 13 ::/0 in ++-A ufw6-user-input -p udp --dport 23 --sport 13 -j ACCEPT + +-217: delete allow to any port 23 from any port ssh proto udp ++217: delete allow to any port 23 from any port daytime proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-218: allow to any port ssh from any port domain proto udp ++218: allow to any port daytime from any port domain proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 22 ::/0 53 ::/0 in +--A ufw6-user-input -p udp --dport 22 --sport 53 -j ACCEPT ++### tuple ### allow udp 13 ::/0 53 ::/0 in ++-A ufw6-user-input -p udp --dport 13 --sport 53 -j ACCEPT + +-219: delete allow to any port ssh from any port domain proto udp ++219: delete allow to any port daytime from any port domain proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) +@@ -1575,63 +1575,63 @@ WARN: Checks disabled + Rules updated (v6) + + +-236: allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,22 proto tcp ++236: allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,13 proto tcp + WARN: Checks disabled + Rules updated (v6) + + +-### tuple ### allow tcp 22,80:83 2001:db8:85a3:8d3:1319:8a2e:370:7341 any ::/0 in +--A ufw6-user-input -p tcp -m multiport --dports 22,80:83 -d 2001:db8:85a3:8d3:1319:8a2e:370:7341 -j ACCEPT ++### tuple ### allow tcp 13,80:83 2001:db8:85a3:8d3:1319:8a2e:370:7341 any ::/0 in ++-A ufw6-user-input -p tcp -m multiport --dports 13,80:83 -d 2001:db8:85a3:8d3:1319:8a2e:370:7341 -j ACCEPT + +-237: delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,22 proto tcp ++237: delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,13 proto tcp + WARN: Checks disabled + Rules updated (v6) + + +-238: allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 22 proto tcp ++238: allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 13 proto tcp + WARN: Checks disabled + Rules updated (v6) + + +-### tuple ### allow tcp 22 2001:db8:85a3:8d3:1319:8a2e:370:7342 35:39 2001:db8:85a3:8d3:1319:8a2e:370:7341 in +--A ufw6-user-input -p tcp -m multiport --dports 22 -m multiport --sports 35:39 -d 2001:db8:85a3:8d3:1319:8a2e:370:7342 -s 2001:db8:85a3:8d3:1319:8a2e:370:7341 -j ACCEPT ++### tuple ### allow tcp 13 2001:db8:85a3:8d3:1319:8a2e:370:7342 35:39 2001:db8:85a3:8d3:1319:8a2e:370:7341 in ++-A ufw6-user-input -p tcp -m multiport --dports 13 -m multiport --sports 35:39 -d 2001:db8:85a3:8d3:1319:8a2e:370:7342 -s 2001:db8:85a3:8d3:1319:8a2e:370:7341 -j ACCEPT + +-239: delete allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 22 proto tcp ++239: delete allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 13 proto tcp + WARN: Checks disabled + Rules updated (v6) + + +-240: allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++240: allow to any port 23,21,15:19,13 from any port 24:26 proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 15:19,21,22,23 0.0.0.0/0 24:26 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -m multiport --sports 24:26 -j ACCEPT ++### tuple ### allow udp 13,15:19,21,23 0.0.0.0/0 24:26 0.0.0.0/0 in ++-A ufw-user-input -p udp -m multiport --dports 13,15:19,21,23 -m multiport --sports 24:26 -j ACCEPT + +-### tuple ### allow udp 15:19,21,22,23 ::/0 24:26 ::/0 in +--A ufw6-user-input -p udp -m multiport --dports 15:19,21,22,23 -m multiport --sports 24:26 -j ACCEPT ++### tuple ### allow udp 13,15:19,21,23 ::/0 24:26 ::/0 in ++-A ufw6-user-input -p udp -m multiport --dports 13,15:19,21,23 -m multiport --sports 24:26 -j ACCEPT + +-241: delete allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++241: delete allow to any port 23,21,15:19,13 from any port 24:26 proto udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-242: allow 23,21,15:19,22/udp ++242: allow 23,21,15:19,13/udp + WARN: Checks disabled + Rules updated + Rules updated (v6) + + +-### tuple ### allow udp 15:19,21,22,23 0.0.0.0/0 any 0.0.0.0/0 in +--A ufw-user-input -p udp -m multiport --dports 15:19,21,22,23 -j ACCEPT ++### tuple ### allow udp 13,15:19,21,23 0.0.0.0/0 any 0.0.0.0/0 in ++-A ufw-user-input -p udp -m multiport --dports 13,15:19,21,23 -j ACCEPT + +-### tuple ### allow udp 15:19,21,22,23 ::/0 any ::/0 in +--A ufw6-user-input -p udp -m multiport --dports 15:19,21,22,23 -j ACCEPT ++### tuple ### allow udp 13,15:19,21,23 ::/0 any ::/0 in ++-A ufw6-user-input -p udp -m multiport --dports 13,15:19,21,23 -j ACCEPT + +-243: delete allow 23,21,15:19,22/udp ++243: delete allow 23,21,15:19,13/udp + WARN: Checks disabled + Rules updated + Rules updated (v6) +diff --git a/tests/root/valid6/runtest.sh b/tests/root/valid6/runtest.sh +index 1695dd1..d08e6f3 100755 +--- a/tests/root/valid6/runtest.sh ++++ b/tests/root/valid6/runtest.sh +@@ -154,13 +154,13 @@ do_cmd "0" allow to any port smtp from any port smtp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port smtp from any port smtp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port smtp from any port ssh ++do_cmd "0" allow to any port smtp from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port smtp from any port ssh ++do_cmd "0" delete allow to any port smtp from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port smtp ++do_cmd "0" allow to any port daytime from any port smtp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port smtp ++do_cmd "0" delete allow to any port daytime from any port smtp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" allow to any port smtp from any port 23 + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +@@ -174,13 +174,13 @@ do_cmd "0" allow to any port tftp from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port tftp from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port tftp from any port ssh ++do_cmd "0" allow to any port tftp from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port tftp from any port ssh ++do_cmd "0" delete allow to any port tftp from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port tftp ++do_cmd "0" allow to any port daytime from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port tftp ++do_cmd "0" delete allow to any port daytime from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" allow to any port tftp from any port 23 + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +@@ -190,30 +190,30 @@ do_cmd "0" allow to any port 23 from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port 23 from any port tftp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 ++do_cmd "0" allow to any port daytime from any port 23 + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 ++do_cmd "0" delete allow to any port daytime from any port 23 + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh ++do_cmd "0" allow to any port 23 from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh ++do_cmd "0" delete allow to any port 23 from any port daytime + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain ++do_cmd "0" allow to any port daytime from any port domain + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain ++do_cmd "0" delete allow to any port daytime from any port domain + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + + do_cmd "0" allow to any port smtp from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port smtp from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port smtp from any port ssh proto tcp ++do_cmd "0" allow to any port smtp from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port smtp from any port ssh proto tcp ++do_cmd "0" delete allow to any port smtp from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port smtp proto tcp ++do_cmd "0" allow to any port daytime from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port smtp proto tcp ++do_cmd "0" delete allow to any port daytime from any port smtp proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" allow to any port smtp from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +@@ -227,13 +227,13 @@ do_cmd "0" allow to any port tftp from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port tftp from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port tftp from any port ssh proto udp ++do_cmd "0" allow to any port tftp from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port tftp from any port ssh proto udp ++do_cmd "0" delete allow to any port tftp from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port tftp proto udp ++do_cmd "0" allow to any port daytime from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port tftp proto udp ++do_cmd "0" delete allow to any port daytime from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" allow to any port tftp from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +@@ -243,29 +243,29 @@ do_cmd "0" allow to any port 23 from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to any port 23 from any port tftp proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 proto tcp ++do_cmd "0" allow to any port daytime from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 proto tcp ++do_cmd "0" delete allow to any port daytime from any port 23 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh proto tcp ++do_cmd "0" allow to any port 23 from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh proto tcp ++do_cmd "0" delete allow to any port 23 from any port daytime proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain proto tcp ++do_cmd "0" allow to any port daytime from any port domain proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain proto tcp ++do_cmd "0" delete allow to any port daytime from any port domain proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port 23 proto udp ++do_cmd "0" allow to any port daytime from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port 23 proto udp ++do_cmd "0" delete allow to any port daytime from any port 23 proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23 from any port ssh proto udp ++do_cmd "0" allow to any port 23 from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23 from any port ssh proto udp ++do_cmd "0" delete allow to any port 23 from any port daytime proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port ssh from any port domain proto udp ++do_cmd "0" allow to any port daytime from any port domain proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port ssh from any port domain proto udp ++do_cmd "0" delete allow to any port daytime from any port domain proto udp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + + echo "TESTING NETMASK" >> $TESTTMP/result +@@ -303,24 +303,24 @@ do_cmd "0" allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + do_cmd "0" delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,22 proto tcp ++do_cmd "0" allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,13 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,22 proto tcp ++do_cmd "0" delete allow to 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 80:83,13 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 22 proto tcp ++do_cmd "0" allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 13 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 22 proto tcp ++do_cmd "0" delete allow from 2001:db8:85a3:8d3:1319:8a2e:370:7341 port 35:39 to 2001:db8:85a3:8d3:1319:8a2e:370:7342 port 13 proto tcp + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++do_cmd "0" allow to any port 23,21,15:19,13 from any port 24:26 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow to any port 23,21,15:19,22 from any port 24:26 proto udp ++do_cmd "0" delete allow to any port 23,21,15:19,13 from any port 24:26 proto udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" allow 23,21,15:19,22/udp ++do_cmd "0" allow 23,21,15:19,13/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result +-do_cmd "0" delete allow 23,21,15:19,22/udp ++do_cmd "0" delete allow 23,21,15:19,13/udp + grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result + grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result + diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch b/meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch new file mode 100644 index 0000000000..f9c387a451 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch @@ -0,0 +1,106 @@ +empty our IPT_MODULES and update documentation + +empty out IPT_MODULES and update documentation regarding modern use of +connection tracking modules. + +Patch from git://git.launchpad.net/ufw +Commit aefb842b73726c245157096fb8992c3e82833147 + +Written by Jamie Strandboge <jamie@ubuntu.com> + +Merged patch so they applied to 0.33 with missing code. Unit tests are not +in this version. + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + + +diff --git a/conf/ufw.defaults b/conf/ufw.defaults +index 330ad88..b3eba8f 100644 +--- a/conf/ufw.defaults ++++ b/conf/ufw.defaults +@@ -34,12 +34,13 @@ MANAGE_BUILTINS=no + # only enable if using iptables backend + IPT_SYSCTL=#CONFIG_PREFIX#/ufw/sysctl.conf + +-# Extra connection tracking modules to load. Complete list can be found in +-# net/netfilter/Kconfig of your kernel source. Some common modules: ++# Extra connection tracking modules to load. IPT_MODULES should typically be ++# empty for new installations and modules added only as needed. See ++# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can ++# be found in net/netfilter/Kconfig of your kernel source. Some common modules: + # nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support + # nf_conntrack_netbios_ns: NetBIOS (samba) client support + # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT + # nf_conntrack_ftp, nf_nat_ftp: active FTP support + # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side) +-IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns" +- ++IPT_MODULES="" + +diff --git a/doc/ufw-framework.8 b/doc/ufw-framework.8 +index eef28e1..97dc8c5 100644 +--- a/doc/ufw-framework.8 ++++ b/doc/ufw-framework.8 +@@ -115,5 +115,10 @@ IPT_MODULES in #CONFIG_PREFIX#/default/ufw. Some popular modules to load are: + nf_conntrack_tftp + nf_nat_tftp ++.PP ++Unconditional loading of connection tracking modules (nf_conntrack_*) in this ++manner is deprecated. \fBufw\fR continues to support the functionality but new ++configuration should only contain the specific modules required for the site. ++For more information, see CONNECTION HELPERS. + + .SH "KERNEL PARAMETERS" + .PP +@@ 240,5 +245,50 @@ Add the necessary \fBufw\fR rules: + # ufw allow in on eth1 from 10.0.0.100 to any port 22 proto tcp + ++.SH "CONNECTION HELPERS" ++.PP ++Various protocols require the use of netfilter connection tracking helpers to ++group related packets into RELATED flows to make rulesets clearer and more ++precise. For example, with a couple of kernel modules and a couple of rules, a ++ruleset could simply allow a connection to FTP port 21, then the kernel would ++examine the traffic and mark the other FTP data packets as RELATED to the ++initial connection. ++.PP ++When the helpers were first introduced, one could only configure the modules as ++part of module load (eg, if your FTP server listened on a different port than ++21, you'd have to load the nf_conntrack_ftp module specifying the correct ++port). Over time it was understood that unconditionally using connection ++helpers could lead to abuse, in part because some protocols allow user ++specified data that would allow traversing the firewall in undesired ways. As ++of kernel 4.7, automatic conntrack helper assignment (ie, handling packets for ++a given port and all IP addresses) is disabled (the old behavior can be ++restored by setting net/netfilter/nf_conntrack_helper=1 in ++#CONFIG_PREFIX#/ufw/sysctl.conf). Firewalls should now instead use the CT ++target to associate traffic with a particular helper and then set RELATED rules ++to use the helper. This allows sites to tailor the use of helpers and help ++avoid abuse. ++.PP ++In general, to use helpers securely, the following needs to happen: ++.IP 1. ++net/netfilter/nf_conntrack_helper should be set to 0 (default) ++.IP 2. ++create a rule for the start of a connection (eg for FTP, port 21) ++.IP 3. ++create a helper rule to associate the helper with this connection ++.IP 4. ++create a helper rule to associate a RELATED flow with this connection ++.IP 5. ++if needed, add the corresponding nf_conntrack_* module to IPT_MODULES ++.IP 6. ++optionally add the corresponding nf_nat_* module to IPT_MODULES ++.PP ++In general it is desirable to make connection helper rules as specific as ++possible and ensure anti\-spoofing is correctly setup for your site to avoid ++security issues in your ruleset. For more information, see ANTI\-SPOOFING, ++above, and <https://home.regit.org/netfilter-en/secure-use-of-helpers/>. ++.PP ++Currently helper rules must be managed in via the RULES FILES. A future version ++of \fBufw\fR will introduce syntax for working with helper rules. ++ + .SH SEE ALSO + .PP + \fBufw\fR(8), \fBiptables\fR(8), \fBip6tables\fR(8), \fBiptables\-restore\fR(8), \fBip6tables\-restore\fR(8), \fBsysctl\fR(8), \fBsysctl.conf\fR(5) diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0011-tests-check-requirements--simplify-and-support-python-3.8.patch b/meta-networking/recipes-connectivity/ufw/ufw/0011-tests-check-requirements--simplify-and-support-python-3.8.patch new file mode 100644 index 0000000000..ea48c83b84 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0011-tests-check-requirements--simplify-and-support-python-3.8.patch @@ -0,0 +1,33 @@ +tests/check-requirements: simplify and support python 3.8 + +Written by: Jamie Strandboge <jamie@ubuntu.com> + +The patch was imported from git://git.launchpad.net/ufw +commit id e30f8bc2aeb317d152e74a270a8e1336de06cee6 + +Upstream-Status: Backport + +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + +diff --git a/tests/check-requirements b/tests/check-requirements +index e873703..82fab08 100755 +--- a/tests/check-requirements ++++ b/tests/check-requirements +@@ -45,7 +45,7 @@ runcmd() { + # check python + found_python="no" + echo -n "Has python: " +-for exe in python2.7 python2.6 python2.5 python3.2 python; do ++for exe in python3 python2 python; do + if ! which $exe >/dev/null 2>&1; then + continue + fi +@@ -54,7 +54,7 @@ for exe in python2.7 python2.6 python2.5 python3.2 python; do + echo "pass (binary: $exe, version: $v, py2)" + found_python="yes" + break +- elif echo "$v" | grep -q "^3.[2]"; then ++ elif echo "$v" | grep -q "^3.[2-8]"; then + echo "pass (binary: $exe, version: $v, py3)" + found_python="yes" + break diff --git a/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch b/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch new file mode 100644 index 0000000000..e1fcf0ca56 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/Add-code-to-detect-openembedded-python-interpreter.patch @@ -0,0 +1,33 @@ +Add code to detect openembedded python interpreter + +OE does not use /usr/bin/env as part of the interpreter, Instead, it's a +full path in sys.executable. + +Upstream-Status: Inappropriate (Embedded) +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> +--- + setup.py | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/setup.py b/setup.py +index 75c1105..3f9a5e0 100644 +--- a/setup.py ++++ b/setup.py +@@ -128,6 +128,14 @@ class Install(_install, object): + "-i.jjm", + "1s%^#.*python.*%#! " + sys.executable + "%g", + 'staging/ufw']) ++ elif '/python' in sys.executable and \ ++ os.path.basename(sys.executable) in ['python', 'python3']: ++ print("Detected full path " + sys.executable + ". substituting " + os.path.basename(sys.executable)) ++ subprocess.call(["sed", ++ "-i.jjm", ++ "1s%python$%" ++ + os.path.basename(sys.executable) + "%g", ++ 'staging/ufw']) + + self.copy_file('staging/ufw', script) + self.copy_file('doc/ufw.8', manpage) +-- +2.7.4 + diff --git a/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb b/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb index 42fc262589..856270cd5c 100644 --- a/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb +++ b/meta-networking/recipes-connectivity/ufw/ufw_0.33.bb @@ -16,6 +16,13 @@ SRC_URI = " \ file://0003-fix-typeerror-on-error.patch \ file://0004-lp1039729.patch \ file://0005-lp1191197.patch \ + file://0006-check-requirements-get-error.patch \ + file://0007-use-conntrack-instead-of-state-module.patch \ + file://0008-support-.-setup.py-build-LP-819600.patch \ + file://0009-adjust-runtime-tests-to-use-daytime-port.patch \ + file://0010-empty-out-IPT_MODULES-and-update-documentation.patch \ + file://0011-tests-check-requirements--simplify-and-support-python-3.8.patch \ + file://Add-code-to-detect-openembedded-python-interpreter.patch \ " UPSTREAM_CHECK_URI = "https://launchpad.net/ufw" @@ -25,6 +32,17 @@ SRC_URI[sha256sum] = "5f85a8084ad3539b547bec097286948233188c971f498890316dec170b inherit setuptools3 features_check +do_install_append() { + install -d ${D}${datadir}/${PN}/test + cp -R --no-dereference --preserve=mode,links -v ${S}/* ${D}${datadir}/${PN}/test +} +PACKAGES =+ "${PN}-test" +RDEPENDS_${PN}-test += "bash" +FILES_${PN}-test += "${datadir}/${PN}/test" + +# To test, install ufw-test package. You can enter /usr/share/ufw/test and run as root: +# PYTHONPATH=tests/testarea/lib/python ./run_tests.sh -s -i python3 root + RDEPENDS_${PN} = " \ iptables \ python3 \ @@ -33,14 +51,35 @@ RDEPENDS_${PN} = " \ RRECOMMENDS_${PN} = " \ kernel-module-ipv6 \ - kernel-module-nf-conntrack-ipv6 \ + kernel-module-ipt-reject \ + kernel-module-iptable-mangle \ + kernel-module-iptable-raw \ + kernel-module-ip6table-raw \ + kernel-module-ip6t-reject \ + kernel-module-ip6t-rt \ + kernel-module-ip6table-mangle \ + kernel-module-nf-conntrack \ kernel-module-nf-log-common \ + kernel-module-nf-conntrack-broadcast \ + kernel-module-nf-conntrack-ftp \ + kernel-module-nf-conntrack-netbios-ns \ + kernel-module-nf-log-ipv4 \ + kernel-module-nf-log-ipv6 \ kernel-module-nf-log-ipv4 \ kernel-module-nf-log-ipv6 \ - kernel-module-nf-addrtype \ - kernel-module-nf-limit \ - kernel-module-nf-log \ - kernel-module-nf-recent \ + kernel-module-nf-nat-ftp \ + kernel-module-xt-addrtype \ + kernel-module-xt-comment \ + kernel-module-xt-conntrack \ + kernel-module-xt-hashlimit \ + kernel-module-xt-hl \ + kernel-module-xt-multiport \ + kernel-module-xt-ratetest \ + kernel-module-xt-socket \ + kernel-module-xt-tcpudp \ + kernel-module-xt-limit \ + kernel-module-xt-log \ + kernel-module-xt-recent \ " # Certain items are explicitly put under /lib, not base_libdir when installed. diff --git a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb index 54e855a099..5d968f1476 100644 --- a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb +++ b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb @@ -9,7 +9,7 @@ DEPENDS += "libgcrypt" PV .= "r550-2jnpr1" SRCREV = "b1243d29e0c00312ead038b04a2cf5e2fa31d740" -SRC_URI = "git://github.com/ndpgroup/vpnc \ +SRC_URI = "git://github.com/ndpgroup/vpnc;branch=master;protocol=https \ file://long-help \ file://default.conf \ file://0001-search-for-log-help-in-build-dir.patch \ diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb index db7b0d486b..b9c545e155 100644 --- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb +++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" PROVIDES += "cyassl" RPROVIDES_${PN} = "cyassl" -SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https" +SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master" SRCREV = "e116c89a58af750421d82ece13f80516d2bde02e" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch new file mode 100644 index 0000000000..88794aa7ab --- /dev/null +++ b/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch @@ -0,0 +1,111 @@ +From d255bf90834fb45be52decf9bc0b4fb46c90f205 Mon Sep 17 00:00:00 2001 +From: Martin Dummer <md11@users.sourceforge.net> +Date: Sun, 12 Sep 2021 22:52:26 +0200 +Subject: [PATCH] fix buffer overflow in atftpd + +Andreas B. Mundt <andi@debian.org> reports: + +I've found a problem in atftpd that might be relevant for security. +The daemon can be crashed by any client sending a crafted combination +of TFTP options to the server. As TFTP is usually only used in the LAN, +it's probably not too dramatic. + +Observations and how to reproduce the issue +=========================================== + +Install bullseye packages and prepare tftp-root: + sudo apt install atftp atftpd + mkdir tmp + touch tmp/file.txt + +Run server: + /usr/sbin/atftpd --user=$(id -un) --group=$(id -gn) --daemon --no-fork --trace \ + --logfile=/dev/stdout --verbose=7 --port 2000 tmp + +Fetch file from client: + /usr/bin/atftp -g --trace --option "blksize 8" \ + --remote-file file.txt -l /dev/null 127.0.0.1 2000 + +Crash server by adding another option to the tiny blksize: + /usr/bin/atftp -g --trace --option "blksize 8" --option "timeout 3" \ + --remote-file file.txt -l /dev/null 127.0.0.1 2000 + +Analysis +======== + +The reason for the crash is a buffer overflow. The size of the buffer keeping the data +to be sent with every segment is calculated by adding 4 bytes to the blksize (for opcode +and block number). However, the same buffer is used for the OACK, which for a blksize=8 +overflows as soon as another option is set. + +Signed-off-by: Martin Dummer <md11@users.sourceforge.net> + +CVE: CVE-2021-41054 +Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/d255bf90834fb45be52decf9bc0b4fb46c90f205.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + tftpd_file.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/tftpd_file.c b/tftpd_file.c +index ff40e8d..37a0906 100644 +--- a/tftpd_file.c ++++ b/tftpd_file.c +@@ -168,11 +168,24 @@ int tftpd_receive_file(struct thread_data *data) + logger(LOG_DEBUG, "timeout option -> %d", timeout); + } + +- /* blksize options */ ++ /* ++ * blksize option, must be the last option evaluated, ++ * because data->data_buffer_size may be modified here, ++ * and may be smaller than the buffer containing options ++ */ + if ((result = opt_get_blksize(data->tftp_options)) > -1) + { +- if ((result < 8) || (result > 65464)) ++ /* ++ * If we receive more options, we have to make sure our buffer for ++ * the OACK is not too small. Use the string representation of ++ * the options here for simplicity, which puts us on the save side. ++ * FIXME: Use independent buffers for OACK and data. ++ */ ++ opt_options_to_string(data->tftp_options, string, MAXLEN); ++ if ((result < strlen(string)-2) || (result > 65464)) + { ++ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.", ++ string, strlen(string)-2); + tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size); + if (data->trace) + logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG, +@@ -531,11 +544,24 @@ int tftpd_send_file(struct thread_data *data) + logger(LOG_INFO, "timeout option -> %d", timeout); + } + +- /* blksize options */ ++ /* ++ * blksize option, must be the last option evaluated, ++ * because data->data_buffer_size may be modified here, ++ * and may be smaller than the buffer containing options ++ */ + if ((result = opt_get_blksize(data->tftp_options)) > -1) + { +- if ((result < 8) || (result > 65464)) ++ /* ++ * If we receive more options, we have to make sure our buffer for ++ * the OACK is not too small. Use the string representation of ++ * the options here for simplicity, which puts us on the save side. ++ * FIXME: Use independent buffers for OACK and data. ++ */ ++ opt_options_to_string(data->tftp_options, string, MAXLEN); ++ if ((result < strlen(string)-2) || (result > 65464)) + { ++ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.", ++ string, strlen(string)-2); + tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size); + if (data->trace) + logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG, +-- +2.17.1 + diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch new file mode 100644 index 0000000000..310728aaca --- /dev/null +++ b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch @@ -0,0 +1,48 @@ +From 9cf799c40738722001552618518279e9f0ef62e5 Mon Sep 17 00:00:00 2001 +From: Simon Rettberg <simon.rettberg@rz.uni-freiburg.de> +Date: Wed, 10 Jan 2018 17:01:20 +0100 +Subject: [PATCH] options.c: Proper fix for the read-past-end-of-array + +This properly fixes what commit:b3e36dd tried to do. + +CVE: CVE-2021-46671 +Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/9cf799c40738722001552618518279e9f0ef62e5.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + options.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/options.c b/options.c +index ee419c6..c716994 100644 +--- a/options.c ++++ b/options.c +@@ -43,6 +43,12 @@ int opt_parse_request(char *data, int data_size, struct tftp_opt *options) + struct tftphdr *tftp_data = (struct tftphdr *)data; + size_t size = data_size - sizeof(tftp_data->th_opcode); + ++ /* sanity check - requests always end in a null byte, ++ * check to prevent argz_next from reading past the end of ++ * data, as it doesn't do bounds checks */ ++ if (data_size == 0 || data[data_size-1] != '\0') ++ return ERR; ++ + /* read filename */ + entry = argz_next(tftp_data->th_stuff, size, entry); + if (!entry) +@@ -79,6 +85,12 @@ int opt_parse_options(char *data, int data_size, struct tftp_opt *options) + struct tftphdr *tftp_data = (struct tftphdr *)data; + size_t size = data_size - sizeof(tftp_data->th_opcode); + ++ /* sanity check - options always end in a null byte, ++ * check to prevent argz_next from reading past the end of ++ * data, as it doesn't do bounds checks */ ++ if (data_size == 0 || data[data_size-1] != '\0') ++ return ERR; ++ + while ((entry = argz_next(tftp_data->th_stuff, size, entry))) + { + tmp = entry; +-- +2.17.1 + diff --git a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb index ff9084dbf6..32b776e578 100644 --- a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb +++ b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb @@ -6,9 +6,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=94d55d512a9ba36caa9b7df079bae19f" SRCREV = "52b71f0831dcbde508bd3a961d84abb80a62480f" -SRC_URI = "git://git.code.sf.net/p/atftp/code \ +SRC_URI = "git://git.code.sf.net/p/atftp/code;branch=master \ file://atftpd.init \ file://atftpd.service \ + file://0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch \ + file://0001-fix-buffer-overflow-in-atftpd.patch \ " SRC_URI_append_libc-musl = " file://0001-argz.h-fix-musl-compile-add-missing-defines.patch \ file://0002-tftp.h-tftpd.h-fix-musl-compile-missing-include.patch \ diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch new file mode 100644 index 0000000000..0ddea03c69 --- /dev/null +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch @@ -0,0 +1,83 @@ +From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 15 Jun 2022 10:44:50 +0530 +Subject: [PATCH] CVE-2022-24407 + +Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc] +CVE: CVE-2022-24407 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + plugins/sql.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/plugins/sql.c b/plugins/sql.c +index 95f5f707..5d20759b 100644 +--- a/plugins/sql.c ++++ b/plugins/sql.c +@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context, + char *statement = NULL; + char *escap_userid = NULL; + char *escap_realm = NULL; ++ char *escap_passwd = NULL; + const char *cmd; + + sql_settings_t *settings; +@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context, + "Unable to begin transaction\n"); + } + for (cur = to_store; ret == SASL_OK && cur->name; cur++) { ++ /* Free the buffer, current content is from previous loop. */ ++ if (escap_passwd) { ++ sparams->utils->free(escap_passwd); ++ escap_passwd = NULL; ++ } + + if (cur->name[0] == '*') { + continue; +@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context, + } + sparams->utils->free(statement); + ++ if (cur->values[0]) { ++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1); ++ if (!escap_passwd) { ++ ret = SASL_NOMEM; ++ break; ++ } ++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]); ++ } ++ + /* create a statement that we will use */ + statement = sql_create_statement(cmd, cur->name, escap_userid, + escap_realm, +- cur->values && cur->values[0] ? +- cur->values[0] : SQL_NULL_VALUE, ++ escap_passwd ? ++ escap_passwd : SQL_NULL_VALUE, + sparams->utils); ++ if (!statement) { ++ ret = SASL_NOMEM; ++ break; ++ } + + { + char *log_statement = + sql_create_statement(cmd, cur->name, + escap_userid, + escap_realm, +- cur->values && cur->values[0] ? ++ escap_passwd ? + "<omitted>" : SQL_NULL_VALUE, + sparams->utils); + sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG, +@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context, + done: + if (escap_userid) sparams->utils->free(escap_userid); + if (escap_realm) sparams->utils->free(escap_realm); ++ if (escap_passwd) sparams->utils->free(escap_passwd); + if (conn) settings->sql_engine->sql_close(conn); + if (userid) sparams->utils->free(userid); + if (realm) sparams->utils->free(realm); +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb index d55dc4ab7e..3e7056d67d 100644 --- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3f55e0974e3d6db00ca6f57f2d206396" SRCREV = "e41cfb986c1b1935770de554872247453fdbb079" -SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https \ +SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \ file://avoid-to-call-AC_TRY_RUN.patch \ file://Fix-hardcoded-libdir.patch \ file://debian_patches_0014_avoid_pic_overwrite.diff \ @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https \ file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \ file://0001-makeinit.sh-fix-parallel-build-issue.patch \ file://CVE-2019-19906.patch \ + file://CVE-2022-24407.patch \ " UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives" @@ -96,3 +97,6 @@ FILES_${PN}-dbg += "${libdir}/sasl2/.debug" FILES_${PN}-staticdev += "${libdir}/sasl2/*.a" INSANE_SKIP_${PN} += "dev-so" + +# CVE-2020-8032 affects only openSUSE +CVE_CHECK_WHITELIST += "CVE-2020-8032" diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Makefile-Do-not-set-Werror.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Makefile-Do-not-set-Werror.patch new file mode 100644 index 0000000000..d5e0deb899 --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0001-Makefile-Do-not-set-Werror.patch @@ -0,0 +1,31 @@ +From 31d88f46bfc67de2659991674253a5d5dfb92afc Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Wed, 12 Aug 2020 12:00:29 -0700 +Subject: [PATCH] Makefile: Do not set -Werror + +clang finds more warnings which causes build to fail, disable treating +warning as errors + +Upstream-Status: Inappropriate [OE-Specific] + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + usr/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/usr/Makefile b/usr/Makefile +index 21bb154..0018605 100644 +--- a/usr/Makefile ++++ b/usr/Makefile +@@ -35,7 +35,7 @@ endif + PKG_CONFIG = /usr/bin/pkg-config + + CFLAGS ?= -O2 -g +-WARNFLAGS ?= -Wall -Wextra -Werror -Wstrict-prototypes -fno-common ++WARNFLAGS ?= -Wall -Wextra -Wstrict-prototypes -fno-common + CFLAGS += $(WARNFLAGS) -I../include -I. -D_GNU_SOURCE \ + -I$(TOPDIR)/libopeniscsiusr + CFLAGS += $(shell $(PKG_CONFIG) --cflags libkmod) +-- +2.28.0 + diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.0.bb b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb index 97b5563574..7cf8cfa94c 100644 --- a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.0.bb +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb @@ -12,9 +12,10 @@ DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d) LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRCREV ?= "549f8987be49583bb06b117a364bea3a8fc5250c" +SRCREV ?= "34e3ffb194f6fa3028c0eb2ff57e7db2d1026771" -SRC_URI = "git://github.com/open-iscsi/open-iscsi \ +SRC_URI = "git://github.com/open-iscsi/open-iscsi;branch=master;protocol=https \ + file://0001-Makefile-Do-not-set-Werror.patch \ file://initd.debian \ file://99_iscsi-initiator-utils \ file://iscsi-initiator \ @@ -23,9 +24,6 @@ SRC_URI = "git://github.com/open-iscsi/open-iscsi \ file://set_initiatorname \ " S = "${WORKDIR}/git" -B = "${WORKDIR}/build" - -PV .= "+git${SRCPV}" inherit update-rc.d systemd autotools pkgconfig @@ -34,7 +32,7 @@ EXTRA_OECONF = " \ --host=${BUILD_SYS} \ " -EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', '--without-systemd', d)}" +EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', '--without-systemd NO_SYSTEMD=1', d)}" EXTRA_OEMAKE = ' \ OS="${TARGET_SYS}" \ @@ -43,7 +41,6 @@ EXTRA_OEMAKE = ' \ MANDIR="${mandir}" \ OPTFLAGS="-DNO_SYSTEMD ${CFLAGS}" \ PKG_CONFIG="${STAGING_BINDIR_NATIVE}/pkg-config" \ - NO_SYSTEMD=1 \ ' diff --git a/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb b/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb index 6b73506c2a..d5296f6a96 100644 --- a/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb +++ b/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb @@ -12,9 +12,10 @@ inherit features_check systemd RDEPENDS_${PN} = "python3-pygobject python3-dbus" REQUIRED_DISTRO_FEATURES = "systemd" -SRC_URI = "https://gitlab.com/craftyguy/networkd-dispatcher/-/archive/${PV}/networkd-dispatcher-${PV}.tar.bz2" -SRC_URI[md5sum] = "304d7dcc21331ea295e207f8493cb8d8" -SRC_URI[sha256sum] = "21f84c3646a043329dc64787e4e58dfce592b2559b0e3069af82c469805660c2" +SRCREV = "333ef1ed1d7c7c17264fcf7629e5c2f78ab4112c" +SRC_URI = "git://gitlab.com/craftyguy/networkd-dispatcher;protocol=https;branch=master" + +S = "${WORKDIR}/git" SYSTEMD_PACKAGES = "${PN}" SYSTEMD_SERVICE_${PN} = "networkd-dispatcher.service" diff --git a/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch b/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch new file mode 100644 index 0000000000..b6ec8c70df --- /dev/null +++ b/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch @@ -0,0 +1,46 @@ +From 1f25dae3f38548bad32c5a3ebee4c07938d8c1b8 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Thu, 30 Dec 2021 10:35:57 +0800 +Subject: [PATCH] fix build with glibc 2.34 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The closefrom() function which is introduced in glibc 2.34 conflicts +with the one provided by postfix. + +Fixes: +| In file included from attr_clnt.c:88: +| /usr/include/unistd.h:363:13: error: conflicting types for ‘closefrom’; have ‘void(int)’ +| 363 | extern void closefrom (int __lowfd) __THROW; +| | ^~~~~~~~~ +| In file included from attr_clnt.c:87: +| ./sys_defs.h:1506:12: note: previous declaration of ‘closefrom’ with type ‘int(int)’ +| 1506 | extern int closefrom(int); +| | ^~~~~~~~~ + +Upstream-Status: Backport +[https://github.com/vdukhovni/postfix/commit/3d966d3bd5f95b2c918aefb864549fa9f0442e24] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + src/util/sys_defs.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h +index 39daa16..5de5855 100644 +--- a/src/util/sys_defs.h ++++ b/src/util/sys_defs.h +@@ -827,6 +827,9 @@ extern int initgroups(const char *, int); + #define HAVE_POSIX_GETPW_R + #endif + #endif ++#if HAVE_GLIBC_API_VERSION_SUPPORT(2, 34) ++#define HAS_CLOSEFROM ++#endif + + #endif + +-- +2.17.1 + diff --git a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb b/meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb index db5b41bfbd..2612e12be4 100644 --- a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb +++ b/meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb @@ -13,6 +13,7 @@ SRC_URI += "ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-${P file://postfix-install.patch \ file://icu-config.patch \ file://0001-makedefs-add-lnsl-and-lresolv-to-SYSLIBS-by-default.patch \ + file://0001-fix-build-with-glibc-2.34.patch \ " -SRC_URI[sha256sum] = "18555183ae8b52a9e76067799279c86f9f2770cdef3836deb8462ee0a0855dec" -UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.3(\.\d+)+).tar.gz" +SRC_URI[sha256sum] = "5f71658546d9b65863249dec3a189d084ea0596e23dc4613c579ad3ae75b10d2" +UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.4(\.\d+)+).tar.gz" diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch new file mode 100644 index 0000000000..712d5db07d --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch @@ -0,0 +1,51 @@ +From ed31fe2cbd5b8b1148b467f84f7acea66fa43bb8 Mon Sep 17 00:00:00 2001 +From: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com> +Date: Tue, 3 Aug 2021 21:53:28 +0200 +Subject: [PATCH] CVE-2021-46854 + +mod_radius: copy _only_ the password + +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/10a227b4d50e0a2cd2faf87926f58d865da44e43] +CVE: CVE-2021-46854 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + contrib/mod_radius.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/contrib/mod_radius.c b/contrib/mod_radius.c +index b56cdfe..f234dd5 100644 +--- a/contrib/mod_radius.c ++++ b/contrib/mod_radius.c +@@ -2319,21 +2319,26 @@ static void radius_add_passwd(radius_packet_t *packet, unsigned char type, + + pwlen = strlen((const char *) passwd); + ++ /* Clear the buffers. */ ++ memset(pwhash, '\0', sizeof(pwhash)); ++ + if (pwlen == 0) { + pwlen = RADIUS_PASSWD_LEN; + + } if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) { ++ /* pwlen is not a multiple of RADIUS_PASSWD_LEN, need to prepare a proper buffer */ ++ memcpy(pwhash, passwd, pwlen); + + /* Round up the length. */ + pwlen += (RADIUS_PASSWD_LEN - 1); + + /* Truncate the length, as necessary. */ + pwlen &= ~(RADIUS_PASSWD_LEN - 1); ++ } else { ++ /* pwlen is a multiple of RADIUS_PASSWD_LEN, we can just use it. */ ++ memcpy(pwhash, passwd, pwlen); + } + +- /* Clear the buffers. */ +- memset(pwhash, '\0', sizeof(pwhash)); +- memcpy(pwhash, passwd, pwlen); + + /* Find the password attribute. */ + attrib = radius_get_attrib(packet, RADIUS_PASSWORD); +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch new file mode 100644 index 0000000000..12f6948075 --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2023-51713.patch @@ -0,0 +1,278 @@ +From 97bbe68363ccf2de0c07f67170ec64a8b4d62592 Mon Sep 17 00:00:00 2001 +From: TJ Saunders <tj@castaglia.org> +Date: Sun, 6 Aug 2023 13:16:26 -0700 +Subject: [PATCH] Issue #1683: Avoid an edge case when handling unexpectedly + formatted input text from client, caused by quote/backslash semantics, by + skipping those semantics. + +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592] +CVE: CVE-2023-51713 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + include/str.h | 3 ++- + src/main.c | 35 +++++++++++++++++++++++++++++----- + src/str.c | 22 +++++++++++++--------- + tests/api/str.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++- + 4 files changed, 94 insertions(+), 16 deletions(-) + +diff --git a/include/str.h b/include/str.h +index 316a32a..049a1b2 100644 +--- a/include/str.h ++++ b/include/str.h +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server daemon +- * Copyright (c) 2008-2017 The ProFTPD Project team ++ * Copyright (c) 2008-2023 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -121,6 +121,7 @@ const char *pr_gid2str(pool *, gid_t); + #define PR_STR_FL_PRESERVE_COMMENTS 0x0001 + #define PR_STR_FL_PRESERVE_WHITESPACE 0x0002 + #define PR_STR_FL_IGNORE_CASE 0x0004 ++#define PR_STR_FL_IGNORE_QUOTES 0x0008 + + char *pr_str_get_token(char **, char *); + char *pr_str_get_token2(char **, char *, size_t *); +diff --git a/src/main.c b/src/main.c +index 1ead27f..01b1ef8 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -787,8 +787,24 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + return NULL; + } + ++ /* By default, pr_str_get_word will handle quotes and backslashes for ++ * escaping characters. This can produce words which are shorter, use ++ * fewer bytes than the corresponding input buffer. ++ * ++ * In this particular situation, we use the length of this initial word ++ * for determining the length of the remaining buffer bytes, assumed to ++ * contain the FTP command arguments. If this initial word is thus ++ * unexpectedly "shorter", due to nonconformant FTP text, it can lead ++ * the subsequent buffer scan, looking for CRNUL sequencees, to access ++ * unexpected memory addresses (Issue #1683). ++ * ++ * Thus for this particular situation, we tell the function to ignore/skip ++ * such quote/backslash semantics, and treat them as any other character ++ * using the IGNORE_QUOTES flag. ++ */ ++ + ptr = buf; +- wrd = pr_str_get_word(&ptr, str_flags); ++ wrd = pr_str_get_word(&ptr, str_flags|PR_STR_FL_IGNORE_QUOTES); + if (wrd == NULL) { + /* Nothing there...bail out. */ + pr_trace_msg("ctrl", 5, "command '%s' is empty, ignoring", buf); +@@ -796,6 +812,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + return NULL; + } + ++ /* Note that this first word is the FTP command. This is why we make ++ * use of the ptr buffer, which advances through the input buffer as ++ * we read words from the buffer. ++ */ ++ + subpool = make_sub_pool(p); + pr_pool_tag(subpool, "make_ftp_cmd pool"); + cmd = pcalloc(subpool, sizeof(cmd_rec)); +@@ -822,6 +843,7 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + arg_len = buflen - strlen(wrd); + arg = pcalloc(cmd->pool, arg_len + 1); + ++ /* Remember that ptr here is advanced past the first word. */ + for (i = 0, j = 0; i < arg_len; i++) { + pr_signals_handle(); + if (i > 1 && +@@ -830,15 +852,13 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + + /* Strip out the NUL by simply not copying it into the new buffer. */ + have_crnul = TRUE; +- ++ + } else { + arg[j++] = ptr[i]; + } + } + +- cmd->arg = arg; +- +- if (have_crnul) { ++ if (have_crnul == TRUE) { + char *dup_arg; + + /* Now make a copy of the stripped argument; this is what we need to +@@ -848,6 +868,11 @@ static cmd_rec *make_ftp_cmd(pool *p, char *buf, size_t buflen, int flags) { + ptr = dup_arg; + } + ++ cmd->arg = arg; ++ ++ /* Now we can read the remamining words, as command arguments, from the ++ * input buffer. ++ */ + while ((wrd = pr_str_get_word(&ptr, str_flags)) != NULL) { + pr_signals_handle(); + *((char **) push_array(tarr)) = pstrdup(cmd->pool, wrd); +diff --git a/src/str.c b/src/str.c +index eeed096..04188ce 100644 +--- a/src/str.c ++++ b/src/str.c +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server daemon +- * Copyright (c) 2008-2017 The ProFTPD Project team ++ * Copyright (c) 2008-2023 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -1209,7 +1209,7 @@ int pr_str_get_nbytes(const char *str, const char *units, off_t *nbytes) { + + char *pr_str_get_word(char **cp, int flags) { + char *res, *dst; +- char quote_mode = 0; ++ int quote_mode = FALSE; + + if (cp == NULL || + !*cp || +@@ -1238,24 +1238,28 @@ char *pr_str_get_word(char **cp, int flags) { + } + } + +- if (**cp == '\"') { +- quote_mode++; +- (*cp)++; ++ if (!(flags & PR_STR_FL_IGNORE_QUOTES)) { ++ if (**cp == '\"') { ++ quote_mode = TRUE; ++ (*cp)++; ++ } + } + + while (**cp && (quote_mode ? (**cp != '\"') : !PR_ISSPACE(**cp))) { + pr_signals_handle(); + +- if (**cp == '\\' && quote_mode) { +- ++ if (**cp == '\\' && ++ quote_mode == TRUE) { + /* Escaped char */ + if (*((*cp)+1)) { +- *dst = *(++(*cp)); ++ *dst++ = *(++(*cp)); ++ (*cp)++; ++ continue; + } + } + + *dst++ = **cp; +- ++(*cp); ++ (*cp)++; + } + + if (**cp) { +diff --git a/tests/api/str.c b/tests/api/str.c +index 7c6e110..77fda8f 100644 +--- a/tests/api/str.c ++++ b/tests/api/str.c +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server testsuite +- * Copyright (c) 2008-2017 The ProFTPD Project team ++ * Copyright (c) 2008-2023 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -695,19 +695,23 @@ END_TEST + START_TEST (get_word_test) { + char *ok, *res, *str; + ++ mark_point(); + res = pr_str_get_word(NULL, 0); + fail_unless(res == NULL, "Failed to handle null arguments"); + fail_unless(errno == EINVAL, "Failed to set errno to EINVAL"); + ++ mark_point(); + str = NULL; + res = pr_str_get_word(&str, 0); + fail_unless(res == NULL, "Failed to handle null str argument"); + fail_unless(errno == EINVAL, "Failed to set errno to EINVAL"); + ++ mark_point(); + str = pstrdup(p, " "); + res = pr_str_get_word(&str, 0); + fail_unless(res == NULL, "Failed to handle whitespace argument"); + ++ mark_point(); + str = pstrdup(p, " foo"); + res = pr_str_get_word(&str, PR_STR_FL_PRESERVE_WHITESPACE); + fail_unless(res != NULL, "Failed to handle whitespace argument: %s", +@@ -723,6 +727,7 @@ START_TEST (get_word_test) { + ok = "foo"; + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); + ++ mark_point(); + str = pstrdup(p, " # foo"); + res = pr_str_get_word(&str, 0); + fail_unless(res == NULL, "Failed to handle commented argument"); +@@ -742,6 +747,8 @@ START_TEST (get_word_test) { + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); + + /* Test multiple embedded quotes. */ ++ ++ mark_point(); + str = pstrdup(p, "foo \"bar baz\" qux \"quz norf\""); + res = pr_str_get_word(&str, 0); + fail_unless(res != NULL, "Failed to handle quoted argument: %s", +@@ -770,6 +777,47 @@ START_TEST (get_word_test) { + + ok = "quz norf"; + fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ ++ /* Test embedded quotes with backslashes (Issue #1683). */ ++ mark_point(); ++ ++ str = pstrdup(p, "\"\\\\SYST\""); ++ res = pr_str_get_word(&str, 0); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ ++ ok = "\\SYST"; ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ mark_point(); ++ str = pstrdup(p, "\"\"\\\\SYST"); ++ res = pr_str_get_word(&str, 0); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ ++ /* Note that pr_str_get_word() is intended to be called multiple times ++ * on an advancing buffer, effectively tokenizing the buffer. This is ++ * why the function does NOT decrement its quote mode. ++ */ ++ ok = ""; ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ /* Now do the same tests with the IGNORE_QUOTES flag */ ++ mark_point(); ++ ++ str = ok = pstrdup(p, "\"\\\\SYST\""); ++ res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); ++ ++ mark_point(); ++ str = ok = pstrdup(p, "\"\"\\\\SYST"); ++ res = pr_str_get_word(&str, PR_STR_FL_IGNORE_QUOTES); ++ fail_unless(res != NULL, "Failed to handle quoted argument: %s", ++ strerror(errno)); ++ fail_unless(strcmp(res, ok) == 0, "Expected '%s', got '%s'", ok, res); + } + END_TEST + +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb index 1e4697a633..aa1f9e4ef9 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb @@ -12,6 +12,8 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \ file://contrib.patch \ file://build_fixup.patch \ file://proftpd.service \ + file://CVE-2021-46854.patch \ + file://CVE-2023-51713.patch \ " SRC_URI[md5sum] = "13270911c42aac842435f18205546a1b" SRC_URI[sha256sum] = "91ef74b143495d5ff97c4d4770c6804072a8c8eb1ad1ecc8cc541b40e152ecaf" diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46728.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46728.patch new file mode 100644 index 0000000000..b11721041e --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46728.patch @@ -0,0 +1,608 @@ +Partial backport of: + +From 6ea12e8fb590ac6959e9356a81aa3370576568c3 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov <rousskov@measurement-factory.com> +Date: Tue, 26 Jul 2022 15:05:54 +0000 +Subject: [PATCH] Remove support for Gopher protocol (#1092) + +Gopher code quality remains too low for production use in most +environments. The code is a persistent source of vulnerabilities and +fixing it requires significant effort. We should not be spending scarce +Project resources on improving that code, especially given the lack of +strong demand for Gopher support. + +With this change, Gopher requests will be handled like any other request +with an unknown (to Squid) protocol. For example, HTTP requests with +Gopher URI scheme result in ERR_UNSUP_REQ. + +Default Squid configuration still considers TCP port 70 "safe". The +corresponding Safe_ports ACL rule has not been removed for consistency +sake: We consider WAIS port safe even though Squid refuses to forward +WAIS requests: + + acl Safe_ports port 70 # gopher + acl Safe_ports port 210 # wais + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-46728.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3] +CVE: CVE-2023-46728 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + doc/Programming-Guide/Groups.dox | 5 - + doc/debug-sections.txt | 1 - + doc/manuals/de.po | 2 +- + doc/manuals/en.po | 2 +- + doc/manuals/en_AU.po | 2 +- + doc/manuals/es.po | 2 +- + doc/manuals/fr.po | 2 +- + doc/manuals/it.po | 2 +- + errors/af.po | 6 +- + errors/az.po | 6 +- + errors/bg.po | 6 +- + errors/ca.po | 6 +- + errors/cs.po | 6 +- + errors/da.po | 6 +- + errors/de.po | 6 +- + errors/el.po | 4 +- + errors/en.po | 6 +- + errors/errorpage.css | 2 +- + errors/es-mx.po | 3 +- + errors/es.po | 4 +- + errors/et.po | 6 +- + errors/fi.po | 7 +- + errors/fr.po | 6 +- + errors/he.po | 6 +- + errors/hu.po | 6 +- + errors/hy.po | 6 +- + errors/it.po | 4 +- + errors/ja.po | 6 +- + errors/ko.po | 6 +- + errors/lt.po | 6 +- + errors/lv.po | 6 +- + errors/nl.po | 6 +- + errors/pl.po | 6 +- + errors/pt-br.po | 6 +- + errors/pt.po | 6 +- + errors/ro.po | 4 +- + errors/ru.po | 6 +- + errors/sk.po | 6 +- + errors/sl.po | 6 +- + errors/sr-latn.po | 4 +- + errors/sv.po | 6 +- + errors/templates/ERR_UNSUP_REQ | 2 +- + errors/tr.po | 6 +- + errors/uk.po | 6 +- + errors/vi.po | 4 +- + errors/zh-hans.po | 6 +- + errors/zh-hant.po | 7 +- + src/FwdState.cc | 5 - + src/HttpRequest.cc | 6 - + src/IoStats.h | 2 +- + src/Makefile.am | 8 - + src/adaptation/ecap/Host.cc | 1 - + src/adaptation/ecap/MessageRep.cc | 2 - + src/anyp/ProtocolType.h | 1 - + src/anyp/Uri.cc | 1 - + src/anyp/UriScheme.cc | 3 - + src/cf.data.pre | 5 +- + src/client_side_request.cc | 4 - + src/error/forward.h | 2 +- + src/gopher.cc | 993 ----------------------- + src/gopher.h | 29 - + src/http/Message.h | 1 - + src/mgr/IoAction.cc | 3 - + src/mgr/IoAction.h | 2 - + src/squid.8.in | 2 +- + src/stat.cc | 19 - + src/tests/Stub.am | 1 - + src/tests/stub_gopher.cc | 17 - + test-suite/squidconf/regressions-3.4.0.1 | 1 - + 69 files changed, 88 insertions(+), 1251 deletions(-) + delete mode 100644 src/gopher.cc + delete mode 100644 src/gopher.h + delete mode 100644 src/tests/stub_gopher.cc + +--- a/src/FwdState.cc ++++ b/src/FwdState.cc +@@ -28,7 +28,6 @@ + #include "fde.h" + #include "FwdState.h" + #include "globals.h" +-#include "gopher.h" + #include "hier_code.h" + #include "http.h" + #include "http/Stream.h" +@@ -1004,10 +1003,6 @@ FwdState::dispatch() + httpStart(this); + break; + +- case AnyP::PROTO_GOPHER: +- gopherStart(this); +- break; +- + case AnyP::PROTO_FTP: + if (request->flags.ftpNative) + Ftp::StartRelay(this); +--- a/src/HttpRequest.cc ++++ b/src/HttpRequest.cc +@@ -18,7 +18,6 @@ + #include "Downloader.h" + #include "err_detail_type.h" + #include "globals.h" +-#include "gopher.h" + #include "http.h" + #include "http/one/RequestParser.h" + #include "http/Stream.h" +@@ -556,11 +555,6 @@ HttpRequest::maybeCacheable() + return false; + break; + +- case AnyP::PROTO_GOPHER: +- if (!gopherCachable(this)) +- return false; +- break; +- + case AnyP::PROTO_CACHE_OBJECT: + return false; + +--- a/src/IoStats.h ++++ b/src/IoStats.h +@@ -22,7 +22,7 @@ public: + int writes; + int write_hist[histSize]; + } +- Http, Ftp, Gopher; ++ Http, Ftp; + }; + + #endif /* SQUID_IOSTATS_H_ */ +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -306,8 +306,6 @@ squid_SOURCES = \ + FwdState.h \ + Generic.h \ + globals.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + helper.h \ + hier_code.h \ +@@ -1259,8 +1257,6 @@ tests_testCacheManager_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + hier_code.h \ + helper.cc \ + $(HTCPSOURCE) \ +@@ -1678,8 +1674,6 @@ tests_testEvent_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -1914,8 +1908,6 @@ tests_testEventLoop_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -2145,8 +2137,6 @@ tests_test_http_range_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -2461,8 +2451,6 @@ tests_testHttpRequest_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -3307,8 +3295,6 @@ tests_testURL_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +--- a/src/adaptation/ecap/Host.cc ++++ b/src/adaptation/ecap/Host.cc +@@ -49,7 +49,6 @@ Adaptation::Ecap::Host::Host() + libecap::protocolHttp.assignHostId(AnyP::PROTO_HTTP); + libecap::protocolHttps.assignHostId(AnyP::PROTO_HTTPS); + libecap::protocolFtp.assignHostId(AnyP::PROTO_FTP); +- libecap::protocolGopher.assignHostId(AnyP::PROTO_GOPHER); + libecap::protocolWais.assignHostId(AnyP::PROTO_WAIS); + libecap::protocolUrn.assignHostId(AnyP::PROTO_URN); + libecap::protocolWhois.assignHostId(AnyP::PROTO_WHOIS); +--- a/src/adaptation/ecap/MessageRep.cc ++++ b/src/adaptation/ecap/MessageRep.cc +@@ -140,8 +140,6 @@ Adaptation::Ecap::FirstLineRep::protocol + return libecap::protocolHttps; + case AnyP::PROTO_FTP: + return libecap::protocolFtp; +- case AnyP::PROTO_GOPHER: +- return libecap::protocolGopher; + case AnyP::PROTO_WAIS: + return libecap::protocolWais; + case AnyP::PROTO_WHOIS: +--- a/src/anyp/ProtocolType.h ++++ b/src/anyp/ProtocolType.h +@@ -27,7 +27,6 @@ typedef enum { + PROTO_HTTPS, + PROTO_COAP, + PROTO_COAPS, +- PROTO_GOPHER, + PROTO_WAIS, + PROTO_CACHE_OBJECT, + PROTO_ICP, +--- a/src/anyp/Uri.cc ++++ b/src/anyp/Uri.cc +@@ -852,8 +852,6 @@ urlCheckRequest(const HttpRequest * r) + if (r->method == Http::METHOD_PUT) + rc = 1; + +- case AnyP::PROTO_GOPHER: +- + case AnyP::PROTO_WAIS: + + case AnyP::PROTO_WHOIS: +--- a/src/anyp/UriScheme.cc ++++ b/src/anyp/UriScheme.cc +@@ -87,9 +87,6 @@ AnyP::UriScheme::defaultPort() const + // Assuming IANA policy of allocating same port for base and TLS protocol versions will occur. + return 5683; + +- case AnyP::PROTO_GOPHER: +- return 70; +- + case AnyP::PROTO_WAIS: + return 210; + +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -33,7 +33,6 @@ + #include "fd.h" + #include "fde.h" + #include "format/Token.h" +-#include "gopher.h" + #include "helper.h" + #include "helper/Reply.h" + #include "http.h" +@@ -965,9 +964,6 @@ clientHierarchical(ClientHttpRequest * h + if (request->url.getScheme() == AnyP::PROTO_HTTP) + return method.respMaybeCacheable(); + +- if (request->url.getScheme() == AnyP::PROTO_GOPHER) +- return gopherCachable(request); +- + if (request->url.getScheme() == AnyP::PROTO_CACHE_OBJECT) + return 0; + +--- a/src/err_type.h ++++ b/src/err_type.h +@@ -65,7 +65,7 @@ typedef enum { + ERR_GATEWAY_FAILURE, + + /* Special Cases */ +- ERR_DIR_LISTING, /* Display of remote directory (FTP, Gopher) */ ++ ERR_DIR_LISTING, /* Display of remote directory (FTP) */ + ERR_SQUID_SIGNATURE, /* not really an error */ + ERR_SHUTTING_DOWN, + ERR_PROTOCOL_UNKNOWN, +--- a/src/HttpMsg.h ++++ b/src/HttpMsg.h +@@ -38,7 +38,6 @@ public: + srcFtp = 1 << (16 + 1), ///< ftp_port or FTP server + srcIcap = 1 << (16 + 2), ///< traditional ICAP service without encryption + srcEcap = 1 << (16 + 3), ///< eCAP service that uses insecure libraries/daemons +- srcGopher = 1 << (16 + 14), ///< Gopher server + srcWhois = 1 << (16 + 15), ///< Whois server + srcUnsafe = 0xFFFF0000, ///< Unsafe sources mask + srcSafe = 0x0000FFFF ///< Safe sources mask +--- a/src/mgr/IoAction.cc ++++ b/src/mgr/IoAction.cc +@@ -35,9 +35,6 @@ Mgr::IoActionData::operator += (const Io + ftp_reads += stats.ftp_reads; + for (int i = 0; i < IoStats::histSize; ++i) + ftp_read_hist[i] += stats.ftp_read_hist[i]; +- gopher_reads += stats.gopher_reads; +- for (int i = 0; i < IoStats::histSize; ++i) +- gopher_read_hist[i] += stats.gopher_read_hist[i]; + + return *this; + } +--- a/src/mgr/IoAction.h ++++ b/src/mgr/IoAction.h +@@ -27,10 +27,8 @@ public: + public: + double http_reads; + double ftp_reads; +- double gopher_reads; + double http_read_hist[IoStats::histSize]; + double ftp_read_hist[IoStats::histSize]; +- double gopher_read_hist[IoStats::histSize]; + }; + + /// implement aggregated 'io' action +--- a/src/stat.cc ++++ b/src/stat.cc +@@ -206,12 +206,6 @@ GetIoStats(Mgr::IoActionData& stats) + for (i = 0; i < IoStats::histSize; ++i) { + stats.ftp_read_hist[i] = IOStats.Ftp.read_hist[i]; + } +- +- stats.gopher_reads = IOStats.Gopher.reads; +- +- for (i = 0; i < IoStats::histSize; ++i) { +- stats.gopher_read_hist[i] = IOStats.Gopher.read_hist[i]; +- } + } + + void +@@ -245,19 +239,6 @@ DumpIoStats(Mgr::IoActionData& stats, St + } + + storeAppendPrintf(sentry, "\n"); +- storeAppendPrintf(sentry, "Gopher I/O\n"); +- storeAppendPrintf(sentry, "number of reads: %.0f\n", stats.gopher_reads); +- storeAppendPrintf(sentry, "Read Histogram:\n"); +- +- for (i = 0; i < IoStats::histSize; ++i) { +- storeAppendPrintf(sentry, "%5d-%5d: %9.0f %2.0f%%\n", +- i ? (1 << (i - 1)) + 1 : 1, +- 1 << i, +- stats.gopher_read_hist[i], +- Math::doublePercent(stats.gopher_read_hist[i], stats.gopher_reads)); +- } +- +- storeAppendPrintf(sentry, "\n"); + } + + static const char * +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -263,7 +263,7 @@ am__squid_SOURCES_DIST = AclRegs.cc Auth + ExternalACL.h ExternalACLEntry.cc ExternalACLEntry.h \ + FadingCounter.h FadingCounter.cc fatal.h fatal.cc fd.h fd.cc \ + fde.cc fde.h FileMap.h filemap.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h Generic.h globals.h gopher.h gopher.cc \ ++ FwdState.cc FwdState.h Generic.h globals.h \ + helper.cc helper.h hier_code.h HierarchyLogEntry.h htcp.cc \ + htcp.h http.cc http.h HttpHeaderFieldStat.h HttpHdrCc.h \ + HttpHdrCc.cc HttpHdrCc.cci HttpHdrRange.cc HttpHdrSc.cc \ +@@ -352,7 +352,7 @@ am_squid_OBJECTS = $(am__objects_1) Acce + EventLoop.$(OBJEXT) external_acl.$(OBJEXT) \ + ExternalACLEntry.$(OBJEXT) FadingCounter.$(OBJEXT) \ + fatal.$(OBJEXT) fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpHdrCc.$(OBJEXT) HttpHdrRange.$(OBJEXT) HttpHdrSc.$(OBJEXT) \ + HttpHdrScTarget.$(OBJEXT) HttpHdrContRange.$(OBJEXT) \ +@@ -539,7 +539,7 @@ am__tests_testCacheManager_SOURCES_DIST + tests/stub_ETag.cc event.cc external_acl.cc \ + ExternalACLEntry.cc fatal.h tests/stub_fatal.cc fd.h fd.cc \ + fde.cc FileMap.h filemap.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h gopher.h gopher.cc hier_code.h \ ++ FwdState.cc FwdState.h hier_code.h \ + helper.cc htcp.cc htcp.h http.cc HttpBody.h HttpBody.cc \ + HttpHeader.h HttpHeader.cc HttpHeaderFieldInfo.h \ + HttpHeaderTools.h HttpHeaderTools.cc HttpHeaderFieldStat.h \ +@@ -594,7 +594,7 @@ am_tests_testCacheManager_OBJECTS = Acce + event.$(OBJEXT) external_acl.$(OBJEXT) \ + ExternalACLEntry.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) HttpHeader.$(OBJEXT) \ + HttpHeaderTools.$(OBJEXT) HttpHdrCc.$(OBJEXT) \ +@@ -838,7 +838,7 @@ am__tests_testEvent_SOURCES_DIST = Acces + EventLoop.h EventLoop.cc external_acl.cc ExternalACLEntry.cc \ + FadingCounter.cc fatal.h tests/stub_fatal.cc fd.h fd.cc fde.cc \ + FileMap.h filemap.cc fqdncache.h fqdncache.cc FwdState.cc \ +- FwdState.h gopher.h gopher.cc helper.cc hier_code.h htcp.cc \ ++ FwdState.h helper.cc hier_code.h htcp.cc \ + htcp.h http.cc HttpBody.h HttpBody.cc \ + tests/stub_HttpControlMsg.cc HttpHeader.h HttpHeader.cc \ + HttpHeaderFieldInfo.h HttpHeaderTools.h HttpHeaderTools.cc \ +@@ -891,7 +891,7 @@ am_tests_testEvent_OBJECTS = AccessLogEn + external_acl.$(OBJEXT) ExternalACLEntry.$(OBJEXT) \ + FadingCounter.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHeader.$(OBJEXT) HttpHeaderTools.$(OBJEXT) \ +@@ -975,8 +975,8 @@ am__tests_testEventLoop_SOURCES_DIST = A + tests/stub_ETag.cc EventLoop.h EventLoop.cc event.cc \ + external_acl.cc ExternalACLEntry.cc FadingCounter.cc fatal.h \ + tests/stub_fatal.cc fd.h fd.cc fde.cc FileMap.h filemap.cc \ +- fqdncache.h fqdncache.cc FwdState.cc FwdState.h gopher.h \ +- gopher.cc helper.cc hier_code.h htcp.cc htcp.h http.cc \ ++ fqdncache.h fqdncache.cc FwdState.cc FwdState.h \ ++ helper.cc hier_code.h htcp.cc htcp.h http.cc \ + HttpBody.h HttpBody.cc tests/stub_HttpControlMsg.cc \ + HttpHeader.h HttpHeader.cc HttpHeaderFieldInfo.h \ + HttpHeaderTools.h HttpHeaderTools.cc HttpHeaderFieldStat.h \ +@@ -1029,7 +1029,7 @@ am_tests_testEventLoop_OBJECTS = AccessL + external_acl.$(OBJEXT) ExternalACLEntry.$(OBJEXT) \ + FadingCounter.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHeader.$(OBJEXT) HttpHeaderTools.$(OBJEXT) \ +@@ -1187,7 +1187,7 @@ am__tests_testHttpRequest_SOURCES_DIST = + fs_io.cc dlink.h dlink.cc dns_internal.cc errorpage.cc \ + tests/stub_ETag.cc external_acl.cc ExternalACLEntry.cc fatal.h \ + tests/stub_fatal.cc fd.h fd.cc fde.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h gopher.h gopher.cc helper.cc \ ++ FwdState.cc FwdState.h helper.cc \ + hier_code.h htcp.cc htcp.h http.cc HttpBody.h HttpBody.cc \ + tests/stub_HttpControlMsg.cc HttpHeader.h HttpHeader.cc \ + HttpHeaderFieldInfo.h HttpHeaderTools.h HttpHeaderTools.cc \ +@@ -1243,7 +1243,7 @@ am_tests_testHttpRequest_OBJECTS = Acces + $(am__objects_4) errorpage.$(OBJEXT) tests/stub_ETag.$(OBJEXT) \ + external_acl.$(OBJEXT) ExternalACLEntry.$(OBJEXT) \ + tests/stub_fatal.$(OBJEXT) fd.$(OBJEXT) fde.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHeader.$(OBJEXT) HttpHeaderTools.$(OBJEXT) \ +@@ -1670,8 +1670,8 @@ am__tests_testURL_SOURCES_DIST = AccessL + fs_io.cc dlink.h dlink.cc dns_internal.cc errorpage.cc ETag.cc \ + event.cc external_acl.cc ExternalACLEntry.cc fatal.h \ + tests/stub_fatal.cc fd.h fd.cc fde.cc FileMap.h filemap.cc \ +- fqdncache.h fqdncache.cc FwdState.cc FwdState.h gopher.h \ +- gopher.cc helper.cc hier_code.h htcp.cc htcp.h http.cc \ ++ fqdncache.h fqdncache.cc FwdState.cc FwdState.h \ ++ helper.cc hier_code.h htcp.cc htcp.h http.cc \ + HttpBody.h HttpBody.cc tests/stub_HttpControlMsg.cc \ + HttpHeaderFieldStat.h HttpHdrCc.h HttpHdrCc.cc HttpHdrCc.cci \ + HttpHdrContRange.cc HttpHdrRange.cc HttpHdrSc.cc \ +@@ -1725,7 +1725,7 @@ am_tests_testURL_OBJECTS = AccessLogEntr + event.$(OBJEXT) external_acl.$(OBJEXT) \ + ExternalACLEntry.$(OBJEXT) tests/stub_fatal.$(OBJEXT) \ + fd.$(OBJEXT) fde.$(OBJEXT) filemap.$(OBJEXT) \ +- fqdncache.$(OBJEXT) FwdState.$(OBJEXT) gopher.$(OBJEXT) \ ++ fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ + helper.$(OBJEXT) $(am__objects_5) http.$(OBJEXT) \ + HttpBody.$(OBJEXT) tests/stub_HttpControlMsg.$(OBJEXT) \ + HttpHdrCc.$(OBJEXT) HttpHdrContRange.$(OBJEXT) \ +@@ -1925,8 +1925,8 @@ am__tests_test_http_range_SOURCES_DIST = + dns_internal.cc errorpage.cc tests/stub_ETag.cc event.cc \ + FadingCounter.cc fatal.h tests/stub_libauth.cc \ + tests/stub_fatal.cc fd.h fd.cc fde.cc FileMap.h filemap.cc \ +- fqdncache.h fqdncache.cc FwdState.cc FwdState.h gopher.h \ +- gopher.cc helper.cc hier_code.h htcp.cc htcp.h http.cc \ ++ fqdncache.h fqdncache.cc FwdState.cc FwdState.h \ ++ helper.cc hier_code.h htcp.cc htcp.h http.cc \ + HttpBody.h HttpBody.cc tests/stub_HttpControlMsg.cc \ + HttpHeaderFieldStat.h HttpHdrCc.h HttpHdrCc.cc HttpHdrCc.cci \ + HttpHdrContRange.cc HttpHdrRange.cc HttpHdrSc.cc \ +@@ -1979,7 +1979,7 @@ am_tests_test_http_range_OBJECTS = Acces + FadingCounter.$(OBJEXT) tests/stub_libauth.$(OBJEXT) \ + tests/stub_fatal.$(OBJEXT) fd.$(OBJEXT) fde.$(OBJEXT) \ + filemap.$(OBJEXT) fqdncache.$(OBJEXT) FwdState.$(OBJEXT) \ +- gopher.$(OBJEXT) helper.$(OBJEXT) $(am__objects_5) \ ++ helper.$(OBJEXT) $(am__objects_5) \ + http.$(OBJEXT) HttpBody.$(OBJEXT) \ + tests/stub_HttpControlMsg.$(OBJEXT) HttpHdrCc.$(OBJEXT) \ + HttpHdrContRange.$(OBJEXT) HttpHdrRange.$(OBJEXT) \ +@@ -2131,7 +2131,7 @@ am__depfiles_remade = ./$(DEPDIR)/Access + ./$(DEPDIR)/external_acl.Po ./$(DEPDIR)/fatal.Po \ + ./$(DEPDIR)/fd.Po ./$(DEPDIR)/fde.Po ./$(DEPDIR)/filemap.Po \ + ./$(DEPDIR)/fqdncache.Po ./$(DEPDIR)/fs_io.Po \ +- ./$(DEPDIR)/globals.Po ./$(DEPDIR)/gopher.Po \ ++ ./$(DEPDIR)/globals.Po \ + ./$(DEPDIR)/helper.Po ./$(DEPDIR)/hier_code.Po \ + ./$(DEPDIR)/htcp.Po ./$(DEPDIR)/http.Po \ + ./$(DEPDIR)/icp_opcode.Po ./$(DEPDIR)/icp_v2.Po \ +@@ -3043,7 +3043,7 @@ squid_SOURCES = $(ACL_REGISTRATION_SOURC + ExternalACL.h ExternalACLEntry.cc ExternalACLEntry.h \ + FadingCounter.h FadingCounter.cc fatal.h fatal.cc fd.h fd.cc \ + fde.cc fde.h FileMap.h filemap.cc fqdncache.h fqdncache.cc \ +- FwdState.cc FwdState.h Generic.h globals.h gopher.h gopher.cc \ ++ FwdState.cc FwdState.h Generic.h globals.h \ + helper.cc helper.h hier_code.h HierarchyLogEntry.h \ + $(HTCPSOURCE) http.cc http.h HttpHeaderFieldStat.h HttpHdrCc.h \ + HttpHdrCc.cc HttpHdrCc.cci HttpHdrRange.cc HttpHdrSc.cc \ +@@ -3708,8 +3708,6 @@ tests_testCacheManager_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + hier_code.h \ + helper.cc \ + $(HTCPSOURCE) \ +@@ -4134,8 +4132,6 @@ tests_testEvent_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -4371,8 +4367,6 @@ tests_testEventLoop_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -4604,8 +4598,6 @@ tests_test_http_range_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -4924,8 +4916,6 @@ tests_testHttpRequest_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -5777,8 +5767,6 @@ tests_testURL_SOURCES = \ + fqdncache.cc \ + FwdState.cc \ + FwdState.h \ +- gopher.h \ +- gopher.cc \ + helper.cc \ + hier_code.h \ + $(HTCPSOURCE) \ +@@ -6823,7 +6811,6 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fqdncache.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fs_io.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/globals.Po@am__quote@ # am--include-marker +-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gopher.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/helper.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hier_code.Po@am__quote@ # am--include-marker + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/htcp.Po@am__quote@ # am--include-marker +@@ -7804,7 +7791,6 @@ distclean: distclean-recursive + -rm -f ./$(DEPDIR)/fqdncache.Po + -rm -f ./$(DEPDIR)/fs_io.Po + -rm -f ./$(DEPDIR)/globals.Po +- -rm -f ./$(DEPDIR)/gopher.Po + -rm -f ./$(DEPDIR)/helper.Po + -rm -f ./$(DEPDIR)/hier_code.Po + -rm -f ./$(DEPDIR)/htcp.Po +@@ -8129,7 +8115,6 @@ maintainer-clean: maintainer-clean-recur + -rm -f ./$(DEPDIR)/fqdncache.Po + -rm -f ./$(DEPDIR)/fs_io.Po + -rm -f ./$(DEPDIR)/globals.Po +- -rm -f ./$(DEPDIR)/gopher.Po + -rm -f ./$(DEPDIR)/helper.Po + -rm -f ./$(DEPDIR)/hier_code.Po + -rm -f ./$(DEPDIR)/htcp.Po diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46846-pre1.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846-pre1.patch new file mode 100644 index 0000000000..5b4e370d49 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846-pre1.patch @@ -0,0 +1,1154 @@ +Backport of: + +From 417da4006cf5c97d44e74431b816fc58fec9e270 Mon Sep 17 00:00:00 2001 +From: Eduard Bagdasaryan <eduard.bagdasaryan@measurement-factory.com> +Date: Mon, 18 Mar 2019 17:48:21 +0000 +Subject: [PATCH] Fix incremental parsing of chunked quoted extensions (#310) + +Before this change, incremental parsing of quoted chunked extensions +was broken for two reasons: + +* Http::One::Parser::skipLineTerminator() unexpectedly threw after + partially received quoted chunk extension value. + +* When Http::One::Tokenizer was unable to parse a quoted extension, + it incorrectly restored the input buffer to the beginning of the + extension value (instead of the extension itself), thus making + further incremental parsing iterations impossible. + +IMO, the reason for this problem was that Http::One::Tokenizer::qdText() +could not distinguish two cases (returning false in both): + +* the end of the quoted string not yet reached + +* an input error, e.g., wrong/unexpected character + +A possible approach could be to improve Http::One::Tokenizer, making it +aware about "needs more data" state. However, to be acceptable, +these improvements should be done in the base Parser::Tokenizer +class instead. These changes seem to be non-trivial and could be +done separately and later. + +Another approach, used here, is to simplify the complex and error-prone +chunked extensions parsing algorithm, fixing incremental parsing bugs +and still parse incrementally in almost all cases. The performance +regression could be expected only in relatively rare cases of partially +received or malformed extensions. + +Also: +* fixed parsing of partial use-original-body extension values +* do not treat an invalid use-original-body as an unknown extension +* optimization: parse use-original-body extension only in ICAP context + (i.e., where it is expected) +* improvement: added a new API to TeChunkedParser to specify known + chunked extensions list + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-46846-pre1.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/417da4006cf5c97d44e74431b816fc58fec9e270] +CVE: CVE-2023-46846 #Dependency Patch1 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/adaptation/icap/ModXact.cc | 21 ++++- + src/adaptation/icap/ModXact.h | 20 +++++ + src/http/one/Parser.cc | 35 ++++---- + src/http/one/Parser.h | 10 ++- + src/http/one/RequestParser.cc | 16 ++-- + src/http/one/RequestParser.h | 8 +- + src/http/one/ResponseParser.cc | 17 ++-- + src/http/one/ResponseParser.h | 2 +- + src/http/one/TeChunkedParser.cc | 139 ++++++++++++++++++-------------- + src/http/one/TeChunkedParser.h | 41 ++++++++-- + src/http/one/Tokenizer.cc | 104 ++++++++++++------------ + src/http/one/Tokenizer.h | 89 ++++++++------------ + src/http/one/forward.h | 3 + + src/parser/BinaryTokenizer.h | 3 +- + src/parser/Makefile.am | 1 + + src/parser/Tokenizer.cc | 40 +++++++++ + src/parser/Tokenizer.h | 13 +++ + src/parser/forward.h | 22 +++++ + 18 files changed, 364 insertions(+), 220 deletions(-) + create mode 100644 src/parser/forward.h + +--- a/src/adaptation/icap/ModXact.cc ++++ b/src/adaptation/icap/ModXact.cc +@@ -25,12 +25,13 @@ + #include "comm.h" + #include "comm/Connection.h" + #include "err_detail_type.h" +-#include "http/one/TeChunkedParser.h" + #include "HttpHeaderTools.h" + #include "HttpMsg.h" + #include "HttpReply.h" + #include "HttpRequest.h" + #include "MasterXaction.h" ++#include "parser/Tokenizer.h" ++#include "sbuf/Stream.h" + #include "SquidTime.h" + + // flow and terminology: +@@ -44,6 +45,8 @@ CBDATA_NAMESPACED_CLASS_INIT(Adaptation: + + static const size_t TheBackupLimit = BodyPipe::MaxCapacity; + ++const SBuf Adaptation::Icap::ChunkExtensionValueParser::UseOriginalBodyName("use-original-body"); ++ + Adaptation::Icap::ModXact::State::State() + { + memset(this, 0, sizeof(*this)); +@@ -1108,6 +1111,7 @@ void Adaptation::Icap::ModXact::decideOn + state.parsing = State::psBody; + replyHttpBodySize = 0; + bodyParser = new Http1::TeChunkedParser; ++ bodyParser->parseExtensionValuesWith(&extensionParser); + makeAdaptedBodyPipe("adapted response from the ICAP server"); + Must(state.sending == State::sendingAdapted); + } else { +@@ -1142,9 +1146,8 @@ void Adaptation::Icap::ModXact::parseBod + } + + if (parsed) { +- if (state.readyForUob && bodyParser->useOriginBody >= 0) { +- prepPartialBodyEchoing( +- static_cast<uint64_t>(bodyParser->useOriginBody)); ++ if (state.readyForUob && extensionParser.sawUseOriginalBody()) { ++ prepPartialBodyEchoing(extensionParser.useOriginalBody()); + stopParsing(); + return; + } +@@ -2014,3 +2017,14 @@ void Adaptation::Icap::ModXactLauncher:: + } + } + ++void ++Adaptation::Icap::ChunkExtensionValueParser::parse(Tokenizer &tok, const SBuf &extName) ++{ ++ if (extName == UseOriginalBodyName) { ++ useOriginalBody_ = tok.udec64("use-original-body"); ++ assert(useOriginalBody_ >= 0); ++ } else { ++ Ignore(tok, extName); ++ } ++} ++ +--- a/src/adaptation/icap/ModXact.h ++++ b/src/adaptation/icap/ModXact.h +@@ -15,6 +15,7 @@ + #include "adaptation/icap/Xaction.h" + #include "BodyPipe.h" + #include "http/one/forward.h" ++#include "http/one/TeChunkedParser.h" + + /* + * ICAPModXact implements ICAP REQMOD and RESPMOD transaction using +@@ -105,6 +106,23 @@ private: + enum State { stDisabled, stWriting, stIeof, stDone } theState; + }; + ++/// handles ICAP-specific chunk extensions supported by Squid ++class ChunkExtensionValueParser: public Http1::ChunkExtensionValueParser ++{ ++public: ++ /* Http1::ChunkExtensionValueParser API */ ++ virtual void parse(Tokenizer &tok, const SBuf &extName) override; ++ ++ bool sawUseOriginalBody() const { return useOriginalBody_ >= 0; } ++ uint64_t useOriginalBody() const { assert(sawUseOriginalBody()); return static_cast<uint64_t>(useOriginalBody_); } ++ ++private: ++ static const SBuf UseOriginalBodyName; ++ ++ /// the value of the parsed use-original-body chunk extension (or -1) ++ int64_t useOriginalBody_ = -1; ++}; ++ + class ModXact: public Xaction, public BodyProducer, public BodyConsumer + { + CBDATA_CLASS(ModXact); +@@ -270,6 +288,8 @@ private: + + int adaptHistoryId; ///< adaptation history slot reservation + ++ ChunkExtensionValueParser extensionParser; ++ + class State + { + +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -7,10 +7,11 @@ + */ + + #include "squid.h" ++#include "base/CharacterSet.h" + #include "Debug.h" + #include "http/one/Parser.h" +-#include "http/one/Tokenizer.h" + #include "mime_header.h" ++#include "parser/Tokenizer.h" + #include "SquidConfig.h" + + /// RFC 7230 section 2.6 - 7 magic octets +@@ -61,20 +62,19 @@ Http::One::Parser::DelimiterCharacters() + RelaxedDelimiterCharacters() : CharacterSet::SP; + } + +-bool +-Http::One::Parser::skipLineTerminator(Http1::Tokenizer &tok) const ++void ++Http::One::Parser::skipLineTerminator(Tokenizer &tok) const + { + if (tok.skip(Http1::CrLf())) +- return true; ++ return; + + if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF)) +- return true; ++ return; + + if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r')) +- return false; // need more data ++ throw InsufficientInput(); + + throw TexcHere("garbage instead of CRLF line terminator"); +- return false; // unreachable, but make naive compilers happy + } + + /// all characters except the LF line terminator +@@ -102,7 +102,7 @@ LineCharacters() + void + Http::One::Parser::cleanMimePrefix() + { +- Http1::Tokenizer tok(mimeHeaderBlock_); ++ Tokenizer tok(mimeHeaderBlock_); + while (tok.skipOne(RelaxedDelimiterCharacters())) { + (void)tok.skipAll(LineCharacters()); // optional line content + // LF terminator is required. +@@ -137,7 +137,7 @@ Http::One::Parser::cleanMimePrefix() + void + Http::One::Parser::unfoldMime() + { +- Http1::Tokenizer tok(mimeHeaderBlock_); ++ Tokenizer tok(mimeHeaderBlock_); + const auto szLimit = mimeHeaderBlock_.length(); + mimeHeaderBlock_.clear(); + // prevent the mime sender being able to make append() realloc/grow multiple times. +@@ -228,7 +228,7 @@ Http::One::Parser::getHostHeaderField() + debugs(25, 5, "looking for " << name); + + // while we can find more LF in the SBuf +- Http1::Tokenizer tok(mimeHeaderBlock_); ++ Tokenizer tok(mimeHeaderBlock_); + SBuf p; + + while (tok.prefix(p, LineCharacters())) { +@@ -250,7 +250,7 @@ Http::One::Parser::getHostHeaderField() + p.consume(namelen + 1); + + // TODO: optimize SBuf::trim to take CharacterSet directly +- Http1::Tokenizer t(p); ++ Tokenizer t(p); + t.skipAll(CharacterSet::WSP); + p = t.remaining(); + +@@ -278,10 +278,15 @@ Http::One::ErrorLevel() + } + + // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule +-bool +-Http::One::ParseBws(Tokenizer &tok) ++void ++Http::One::ParseBws(Parser::Tokenizer &tok) + { +- if (const auto count = tok.skipAll(Parser::WhitespaceCharacters())) { ++ const auto count = tok.skipAll(Parser::WhitespaceCharacters()); ++ ++ if (tok.atEnd()) ++ throw InsufficientInput(); // even if count is positive ++ ++ if (count) { + // Generating BWS is a MUST-level violation so warn about it as needed. + debugs(33, ErrorLevel(), "found " << count << " BWS octets"); + // RFC 7230 says we MUST parse BWS, so we fall through even if +@@ -289,6 +294,6 @@ Http::One::ParseBws(Tokenizer &tok) + } + // else we successfully "parsed" an empty BWS sequence + +- return true; ++ // success: no more BWS characters expected + } + +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -12,6 +12,7 @@ + #include "anyp/ProtocolVersion.h" + #include "http/one/forward.h" + #include "http/StatusCode.h" ++#include "parser/forward.h" + #include "sbuf/SBuf.h" + + namespace Http { +@@ -40,6 +41,7 @@ class Parser : public RefCountable + { + public: + typedef SBuf::size_type size_type; ++ typedef ::Parser::Tokenizer Tokenizer; + + Parser() : parseStatusCode(Http::scNone), parsingStage_(HTTP_PARSE_NONE), hackExpectsMime_(false) {} + virtual ~Parser() {} +@@ -118,11 +120,11 @@ protected: + * detect and skip the CRLF or (if tolerant) LF line terminator + * consume from the tokenizer. + * +- * throws if non-terminator is detected. ++ * \throws exception on bad or InsuffientInput. + * \retval true only if line terminator found. + * \retval false incomplete or missing line terminator, need more data. + */ +- bool skipLineTerminator(Http1::Tokenizer &tok) const; ++ void skipLineTerminator(Tokenizer &) const; + + /** + * Scan to find the mime headers block for current message. +@@ -159,8 +161,8 @@ private: + }; + + /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) +-/// \returns true (always; unlike all the skip*() functions) +-bool ParseBws(Tokenizer &tok); ++/// \throws InsufficientInput when the end of BWS cannot be confirmed ++void ParseBws(Parser::Tokenizer &); + + /// the right debugs() level for logging HTTP violation messages + int ErrorLevel(); +--- a/src/http/one/RequestParser.cc ++++ b/src/http/one/RequestParser.cc +@@ -9,8 +9,8 @@ + #include "squid.h" + #include "Debug.h" + #include "http/one/RequestParser.h" +-#include "http/one/Tokenizer.h" + #include "http/ProtocolVersion.h" ++#include "parser/Tokenizer.h" + #include "profiler/Profiler.h" + #include "SquidConfig.h" + +@@ -64,7 +64,7 @@ Http::One::RequestParser::skipGarbageLin + * RFC 7230 section 2.6, 3.1 and 3.5 + */ + bool +-Http::One::RequestParser::parseMethodField(Http1::Tokenizer &tok) ++Http::One::RequestParser::parseMethodField(Tokenizer &tok) + { + // method field is a sequence of TCHAR. + // Limit to 32 characters to prevent overly long sequences of non-HTTP +@@ -145,7 +145,7 @@ Http::One::RequestParser::RequestTargetC + } + + bool +-Http::One::RequestParser::parseUriField(Http1::Tokenizer &tok) ++Http::One::RequestParser::parseUriField(Tokenizer &tok) + { + /* Arbitrary 64KB URI upper length limit. + * +@@ -178,7 +178,7 @@ Http::One::RequestParser::parseUriField( + } + + bool +-Http::One::RequestParser::parseHttpVersionField(Http1::Tokenizer &tok) ++Http::One::RequestParser::parseHttpVersionField(Tokenizer &tok) + { + static const SBuf http1p0("HTTP/1.0"); + static const SBuf http1p1("HTTP/1.1"); +@@ -253,7 +253,7 @@ Http::One::RequestParser::skipDelimiter( + + /// Parse CRs at the end of request-line, just before the terminating LF. + bool +-Http::One::RequestParser::skipTrailingCrs(Http1::Tokenizer &tok) ++Http::One::RequestParser::skipTrailingCrs(Tokenizer &tok) + { + if (Config.onoff.relaxed_header_parser) { + (void)tok.skipAllTrailing(CharacterSet::CR); // optional; multiple OK +@@ -289,12 +289,12 @@ Http::One::RequestParser::parseRequestFi + // Earlier, skipGarbageLines() took care of any leading LFs (if allowed). + // Now, the request line has to end at the first LF. + static const CharacterSet lineChars = CharacterSet::LF.complement("notLF"); +- ::Parser::Tokenizer lineTok(buf_); ++ Tokenizer lineTok(buf_); + if (!lineTok.prefix(line, lineChars) || !lineTok.skip('\n')) { + if (buf_.length() >= Config.maxRequestHeaderSize) { + /* who should we blame for our failure to parse this line? */ + +- Http1::Tokenizer methodTok(buf_); ++ Tokenizer methodTok(buf_); + if (!parseMethodField(methodTok)) + return -1; // blame a bad method (or its delimiter) + +@@ -308,7 +308,7 @@ Http::One::RequestParser::parseRequestFi + return 0; + } + +- Http1::Tokenizer tok(line); ++ Tokenizer tok(line); + + if (!parseMethodField(tok)) + return -1; +--- a/src/http/one/RequestParser.h ++++ b/src/http/one/RequestParser.h +@@ -54,11 +54,11 @@ private: + bool doParse(const SBuf &aBuf); + + /* all these return false and set parseStatusCode on parsing failures */ +- bool parseMethodField(Http1::Tokenizer &); +- bool parseUriField(Http1::Tokenizer &); +- bool parseHttpVersionField(Http1::Tokenizer &); ++ bool parseMethodField(Tokenizer &); ++ bool parseUriField(Tokenizer &); ++ bool parseHttpVersionField(Tokenizer &); + bool skipDelimiter(const size_t count, const char *where); +- bool skipTrailingCrs(Http1::Tokenizer &tok); ++ bool skipTrailingCrs(Tokenizer &tok); + + bool http0() const {return !msgProtocol_.major;} + static const CharacterSet &RequestTargetCharacters(); +--- a/src/http/one/ResponseParser.cc ++++ b/src/http/one/ResponseParser.cc +@@ -9,8 +9,8 @@ + #include "squid.h" + #include "Debug.h" + #include "http/one/ResponseParser.h" +-#include "http/one/Tokenizer.h" + #include "http/ProtocolVersion.h" ++#include "parser/Tokenizer.h" + #include "profiler/Profiler.h" + #include "SquidConfig.h" + +@@ -47,7 +47,7 @@ Http::One::ResponseParser::firstLineSize + // NP: we found the protocol version and consumed it already. + // just need the status code and reason phrase + int +-Http::One::ResponseParser::parseResponseStatusAndReason(Http1::Tokenizer &tok, const CharacterSet &WspDelim) ++Http::One::ResponseParser::parseResponseStatusAndReason(Tokenizer &tok, const CharacterSet &WspDelim) + { + if (!completedStatus_) { + debugs(74, 9, "seek status-code in: " << tok.remaining().substr(0,10) << "..."); +@@ -87,14 +87,13 @@ Http::One::ResponseParser::parseResponse + static const CharacterSet phraseChars = CharacterSet::WSP + CharacterSet::VCHAR + CharacterSet::OBSTEXT; + (void)tok.prefix(reasonPhrase_, phraseChars); // optional, no error if missing + try { +- if (skipLineTerminator(tok)) { +- debugs(74, DBG_DATA, "parse remaining buf={length=" << tok.remaining().length() << ", data='" << tok.remaining() << "'}"); +- buf_ = tok.remaining(); // resume checkpoint +- return 1; +- } ++ skipLineTerminator(tok); ++ buf_ = tok.remaining(); // resume checkpoint ++ debugs(74, DBG_DATA, Raw("leftovers", buf_.rawContent(), buf_.length())); ++ return 1; ++ } catch (const InsufficientInput &) { + reasonPhrase_.clear(); + return 0; // need more to be sure we have it all +- + } catch (const std::exception &ex) { + debugs(74, 6, "invalid status-line: " << ex.what()); + } +@@ -119,7 +118,7 @@ Http::One::ResponseParser::parseResponse + int + Http::One::ResponseParser::parseResponseFirstLine() + { +- Http1::Tokenizer tok(buf_); ++ Tokenizer tok(buf_); + + const CharacterSet &WspDelim = DelimiterCharacters(); + +--- a/src/http/one/ResponseParser.h ++++ b/src/http/one/ResponseParser.h +@@ -43,7 +43,7 @@ public: + + private: + int parseResponseFirstLine(); +- int parseResponseStatusAndReason(Http1::Tokenizer&, const CharacterSet &); ++ int parseResponseStatusAndReason(Tokenizer&, const CharacterSet &); + + /// magic prefix for identifying ICY response messages + static const SBuf IcyMagic; +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -13,10 +13,13 @@ + #include "http/one/Tokenizer.h" + #include "http/ProtocolVersion.h" + #include "MemBuf.h" ++#include "parser/Tokenizer.h" + #include "Parsing.h" ++#include "sbuf/Stream.h" + #include "SquidConfig.h" + +-Http::One::TeChunkedParser::TeChunkedParser() ++Http::One::TeChunkedParser::TeChunkedParser(): ++ customExtensionValueParser(nullptr) + { + // chunked encoding only exists in HTTP/1.1 + Http1::Parser::msgProtocol_ = Http::ProtocolVersion(1,1); +@@ -31,7 +34,11 @@ Http::One::TeChunkedParser::clear() + buf_.clear(); + theChunkSize = theLeftBodySize = 0; + theOut = NULL; +- useOriginBody = -1; ++ // XXX: We do not reset customExtensionValueParser here. Based on the ++ // clear() API description, we must, but it makes little sense and could ++ // break method callers if they appear because some of them may forget to ++ // reset customExtensionValueParser. TODO: Remove Http1::Parser as our ++ // parent class and this unnecessary method with it. + } + + bool +@@ -49,14 +56,14 @@ Http::One::TeChunkedParser::parse(const + if (parsingStage_ == Http1::HTTP_PARSE_NONE) + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; + +- Http1::Tokenizer tok(buf_); ++ Tokenizer tok(buf_); + + // loop for as many chunks as we can + // use do-while instead of while so that we can incrementally + // restart in the middle of a chunk/frame + do { + +- if (parsingStage_ == Http1::HTTP_PARSE_CHUNK_EXT && !parseChunkExtension(tok, theChunkSize)) ++ if (parsingStage_ == Http1::HTTP_PARSE_CHUNK_EXT && !parseChunkMetadataSuffix(tok)) + return false; + + if (parsingStage_ == Http1::HTTP_PARSE_CHUNK && !parseChunkBody(tok)) +@@ -80,7 +87,7 @@ Http::One::TeChunkedParser::needsMoreSpa + + /// RFC 7230 section 4.1 chunk-size + bool +-Http::One::TeChunkedParser::parseChunkSize(Http1::Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkSize(Tokenizer &tok) + { + Must(theChunkSize <= 0); // Should(), really + +@@ -104,66 +111,75 @@ Http::One::TeChunkedParser::parseChunkSi + return false; // should not be reachable + } + +-/** +- * Parses chunk metadata suffix, looking for interesting extensions and/or +- * getting to the line terminator. RFC 7230 section 4.1.1 and its Errata #4667: +- * +- * chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) +- * chunk-ext-name = token +- * chunk-ext-val = token / quoted-string +- * +- * ICAP 'use-original-body=N' extension is supported. +- */ +-bool +-Http::One::TeChunkedParser::parseChunkExtension(Http1::Tokenizer &tok, bool skipKnown) +-{ +- SBuf ext; +- SBuf value; +- while ( +- ParseBws(tok) && // Bug 4492: IBM_HTTP_Server sends SP after chunk-size +- tok.skip(';') && +- ParseBws(tok) && // Bug 4492: ICAP servers send SP before chunk-ext-name +- tok.prefix(ext, CharacterSet::TCHAR)) { // chunk-ext-name +- +- // whole value part is optional. if no '=' expect next chunk-ext +- if (ParseBws(tok) && tok.skip('=') && ParseBws(tok)) { +- +- if (!skipKnown) { +- if (ext.cmp("use-original-body",17) == 0 && tok.int64(useOriginBody, 10)) { +- debugs(94, 3, "Found chunk extension " << ext << "=" << useOriginBody); +- buf_ = tok.remaining(); // parse checkpoint +- continue; +- } +- } +- +- debugs(94, 5, "skipping unknown chunk extension " << ext); +- +- // unknown might have a value token or quoted-string +- if (tok.quotedStringOrToken(value) && !tok.atEnd()) { +- buf_ = tok.remaining(); // parse checkpoint +- continue; +- } +- +- // otherwise need more data OR corrupt syntax +- break; +- } +- +- if (!tok.atEnd()) +- buf_ = tok.remaining(); // parse checkpoint (unless there might be more token name) +- } +- +- if (skipLineTerminator(tok)) { +- buf_ = tok.remaining(); // checkpoint +- // non-0 chunk means data, 0-size means optional Trailer follows ++/// Parses "[chunk-ext] CRLF" from RFC 7230 section 4.1.1: ++/// chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF ++/// last-chunk = 1*"0" [ chunk-ext ] CRLF ++bool ++Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) ++{ ++ // Code becomes much simpler when incremental parsing functions throw on ++ // bad or insufficient input, like in the code below. TODO: Expand up. ++ try { ++ parseChunkExtensions(tok); // a possibly empty chunk-ext list ++ skipLineTerminator(tok); ++ buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; + return true; ++ } catch (const InsufficientInput &) { ++ tok.reset(buf_); // backtrack to the last commit point ++ return false; + } ++ // other exceptions bubble up to kill message parsing ++} ++ ++/// Parses the chunk-ext list (RFC 7230 section 4.1.1 and its Errata #4667): ++/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) ++void ++Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok) ++{ ++ do { ++ ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size + +- return false; ++ if (!tok.skip(';')) ++ return; // reached the end of extensions (if any) ++ ++ parseOneChunkExtension(tok); ++ buf_ = tok.remaining(); // got one extension ++ } while (true); ++} ++ ++void ++Http::One::ChunkExtensionValueParser::Ignore(Tokenizer &tok, const SBuf &extName) ++{ ++ const auto ignoredValue = tokenOrQuotedString(tok); ++ debugs(94, 5, extName << " with value " << ignoredValue); ++} ++ ++/// Parses a single chunk-ext list element: ++/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) ++void ++Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok) ++{ ++ ParseBws(tok); // Bug 4492: ICAP servers send SP before chunk-ext-name ++ ++ const auto extName = tok.prefix("chunk-ext-name", CharacterSet::TCHAR); ++ ++ ParseBws(tok); ++ ++ if (!tok.skip('=')) ++ return; // parsed a valueless chunk-ext ++ ++ ParseBws(tok); ++ ++ // optimization: the only currently supported extension needs last-chunk ++ if (!theChunkSize && customExtensionValueParser) ++ customExtensionValueParser->parse(tok, extName); ++ else ++ ChunkExtensionValueParser::Ignore(tok, extName); + } + + bool +-Http::One::TeChunkedParser::parseChunkBody(Http1::Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkBody(Tokenizer &tok) + { + if (theLeftBodySize > 0) { + buf_ = tok.remaining(); // sync buffers before buf_ use +@@ -188,17 +204,20 @@ Http::One::TeChunkedParser::parseChunkBo + } + + bool +-Http::One::TeChunkedParser::parseChunkEnd(Http1::Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkEnd(Tokenizer &tok) + { + Must(theLeftBodySize == 0); // Should(), really + +- if (skipLineTerminator(tok)) { ++ try { ++ skipLineTerminator(tok); + buf_ = tok.remaining(); // parse checkpoint + theChunkSize = 0; // done with the current chunk + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; + return true; + } +- +- return false; ++ catch (const InsufficientInput &) { ++ return false; ++ } ++ // other exceptions bubble up to kill message parsing + } + +--- a/src/http/one/TeChunkedParser.h ++++ b/src/http/one/TeChunkedParser.h +@@ -18,6 +18,26 @@ namespace Http + namespace One + { + ++using ::Parser::InsufficientInput; ++ ++// TODO: Move this class into http/one/ChunkExtensionValueParser.* ++/// A customizable parser of a single chunk extension value (chunk-ext-val). ++/// From RFC 7230 section 4.1.1 and its Errata #4667: ++/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) ++/// chunk-ext-name = token ++/// chunk-ext-val = token / quoted-string ++class ChunkExtensionValueParser ++{ ++public: ++ typedef ::Parser::Tokenizer Tokenizer; ++ ++ /// extracts and ignores the value of a named extension ++ static void Ignore(Tokenizer &tok, const SBuf &extName); ++ ++ /// extracts and then interprets (or ignores) the extension value ++ virtual void parse(Tokenizer &tok, const SBuf &extName) = 0; ++}; ++ + /** + * An incremental parser for chunked transfer coding + * defined in RFC 7230 section 4.1. +@@ -25,7 +45,7 @@ namespace One + * + * The parser shovels content bytes from the raw + * input buffer into the content output buffer, both caller-supplied. +- * Ignores chunk extensions except for ICAP's ieof. ++ * Chunk extensions like use-original-body are handled via parseExtensionValuesWith(). + * Trailers are available via mimeHeader() if wanted. + */ + class TeChunkedParser : public Http1::Parser +@@ -37,6 +57,10 @@ public: + /// set the buffer to be used to store decoded chunk data + void setPayloadBuffer(MemBuf *parsedContent) {theOut = parsedContent;} + ++ /// Instead of ignoring all chunk extension values, give the supplied ++ /// parser a chance to handle them. Only applied to last-chunk (for now). ++ void parseExtensionValuesWith(ChunkExtensionValueParser *parser) { customExtensionValueParser = parser; } ++ + bool needsMoreSpace() const; + + /* Http1::Parser API */ +@@ -45,17 +69,20 @@ public: + virtual Parser::size_type firstLineSize() const {return 0;} // has no meaning with multiple chunks + + private: +- bool parseChunkSize(Http1::Tokenizer &tok); +- bool parseChunkExtension(Http1::Tokenizer &tok, bool skipKnown); +- bool parseChunkBody(Http1::Tokenizer &tok); +- bool parseChunkEnd(Http1::Tokenizer &tok); ++ bool parseChunkSize(Tokenizer &tok); ++ bool parseChunkMetadataSuffix(Tokenizer &); ++ void parseChunkExtensions(Tokenizer &); ++ void parseOneChunkExtension(Tokenizer &); ++ bool parseChunkBody(Tokenizer &tok); ++ bool parseChunkEnd(Tokenizer &tok); + + MemBuf *theOut; + uint64_t theChunkSize; + uint64_t theLeftBodySize; + +-public: +- int64_t useOriginBody; ++ /// An optional plugin for parsing and interpreting custom chunk-ext-val. ++ /// This "visitor" object is owned by our creator. ++ ChunkExtensionValueParser *customExtensionValueParser; + }; + + } // namespace One +--- a/src/http/one/Tokenizer.cc ++++ b/src/http/one/Tokenizer.cc +@@ -8,35 +8,18 @@ + + #include "squid.h" + #include "Debug.h" ++#include "http/one/Parser.h" + #include "http/one/Tokenizer.h" ++#include "parser/Tokenizer.h" ++#include "sbuf/Stream.h" + +-bool +-Http::One::Tokenizer::quotedString(SBuf &returnedToken, const bool http1p0) ++/// Extracts quoted-string after the caller removes the initial '"'. ++/// \param http1p0 whether to prohibit \-escaped characters in quoted strings ++/// \throws InsufficientInput when input can be a token _prefix_ ++/// \returns extracted quoted string (without quotes and with chars unescaped) ++static SBuf ++parseQuotedStringSuffix(Parser::Tokenizer &tok, const bool http1p0) + { +- checkpoint(); +- +- if (!skip('"')) +- return false; +- +- return qdText(returnedToken, http1p0); +-} +- +-bool +-Http::One::Tokenizer::quotedStringOrToken(SBuf &returnedToken, const bool http1p0) +-{ +- checkpoint(); +- +- if (!skip('"')) +- return prefix(returnedToken, CharacterSet::TCHAR); +- +- return qdText(returnedToken, http1p0); +-} +- +-bool +-Http::One::Tokenizer::qdText(SBuf &returnedToken, const bool http1p0) +-{ +- // the initial DQUOTE has been skipped by the caller +- + /* + * RFC 1945 - defines qdtext: + * inclusive of LWS (which includes CR and LF) +@@ -61,12 +44,17 @@ Http::One::Tokenizer::qdText(SBuf &retur + // best we can do is a conditional reference since http1p0 value may change per-client + const CharacterSet &tokenChars = (http1p0 ? qdtext1p0 : qdtext1p1); + +- for (;;) { +- SBuf::size_type prefixLen = buf().findFirstNotOf(tokenChars); +- returnedToken.append(consume(prefixLen)); ++ SBuf parsedToken; ++ ++ while (!tok.atEnd()) { ++ SBuf qdText; ++ if (tok.prefix(qdText, tokenChars)) ++ parsedToken.append(qdText); ++ ++ if (!http1p0 && tok.skip('\\')) { // HTTP/1.1 allows quoted-pair, HTTP/1.0 does not ++ if (tok.atEnd()) ++ break; + +- // HTTP/1.1 allows quoted-pair, HTTP/1.0 does not +- if (!http1p0 && skip('\\')) { + /* RFC 7230 section 3.2.6 + * + * The backslash octet ("\") can be used as a single-octet quoting +@@ -78,32 +66,42 @@ Http::One::Tokenizer::qdText(SBuf &retur + */ + static const CharacterSet qPairChars = CharacterSet::HTAB + CharacterSet::SP + CharacterSet::VCHAR + CharacterSet::OBSTEXT; + SBuf escaped; +- if (!prefix(escaped, qPairChars, 1)) { +- returnedToken.clear(); +- restoreLastCheckpoint(); +- return false; +- } +- returnedToken.append(escaped); ++ if (!tok.prefix(escaped, qPairChars, 1)) ++ throw TexcHere("invalid escaped character in quoted-pair"); ++ ++ parsedToken.append(escaped); + continue; ++ } + +- } else if (skip('"')) { +- break; // done ++ if (tok.skip('"')) ++ return parsedToken; // may be empty + +- } else if (atEnd()) { +- // need more data +- returnedToken.clear(); +- restoreLastCheckpoint(); +- return false; +- } ++ if (tok.atEnd()) ++ break; + +- // else, we have an error +- debugs(24, 8, "invalid bytes for set " << tokenChars.name); +- returnedToken.clear(); +- restoreLastCheckpoint(); +- return false; ++ throw TexcHere(ToSBuf("invalid bytes for set ", tokenChars.name)); + } + +- // found the whole string +- return true; ++ throw Http::One::InsufficientInput(); ++} ++ ++SBuf ++Http::One::tokenOrQuotedString(Parser::Tokenizer &tok, const bool http1p0) ++{ ++ if (tok.skip('"')) ++ return parseQuotedStringSuffix(tok, http1p0); ++ ++ if (tok.atEnd()) ++ throw InsufficientInput(); ++ ++ SBuf parsedToken; ++ if (!tok.prefix(parsedToken, CharacterSet::TCHAR)) ++ throw TexcHere("invalid input while expecting an HTTP token"); ++ ++ if (tok.atEnd()) ++ throw InsufficientInput(); ++ ++ // got the complete token ++ return parsedToken; + } + +--- a/src/http/one/Tokenizer.h ++++ b/src/http/one/Tokenizer.h +@@ -9,68 +9,47 @@ + #ifndef SQUID_SRC_HTTP_ONE_TOKENIZER_H + #define SQUID_SRC_HTTP_ONE_TOKENIZER_H + +-#include "parser/Tokenizer.h" ++#include "parser/forward.h" ++#include "sbuf/forward.h" + + namespace Http { + namespace One { + + /** +- * Lexical processor extended to tokenize HTTP/1.x syntax. ++ * Extracts either an HTTP/1 token or quoted-string while dealing with ++ * possibly incomplete input typical for incremental text parsers. ++ * Unescapes escaped characters in HTTP/1.1 quoted strings. + * +- * \see ::Parser::Tokenizer for more detail ++ * \param http1p0 whether to prohibit \-escaped characters in quoted strings ++ * \throws InsufficientInput as appropriate, including on unterminated tokens ++ * \returns extracted token or quoted string (without quotes) ++ * ++ * Governed by: ++ * - RFC 1945 section 2.1 ++ * " ++ * A string of text is parsed as a single word if it is quoted using ++ * double-quote marks. ++ * ++ * quoted-string = ( <"> *(qdtext) <"> ) ++ * ++ * qdtext = <any CHAR except <"> and CTLs, ++ * but including LWS> ++ * ++ * Single-character quoting using the backslash ("\") character is not ++ * permitted in HTTP/1.0. ++ * " ++ * ++ * - RFC 7230 section 3.2.6 ++ * " ++ * A string of text is parsed as a single value if it is quoted using ++ * double-quote marks. ++ * ++ * quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE ++ * qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text ++ * obs-text = %x80-FF ++ * " + */ +-class Tokenizer : public ::Parser::Tokenizer +-{ +-public: +- Tokenizer(SBuf &s) : ::Parser::Tokenizer(s), savedStats_(0) {} +- +- /** +- * Attempt to parse a quoted-string lexical construct. +- * +- * Governed by: +- * - RFC 1945 section 2.1 +- * " +- * A string of text is parsed as a single word if it is quoted using +- * double-quote marks. +- * +- * quoted-string = ( <"> *(qdtext) <"> ) +- * +- * qdtext = <any CHAR except <"> and CTLs, +- * but including LWS> +- * +- * Single-character quoting using the backslash ("\") character is not +- * permitted in HTTP/1.0. +- * " +- * +- * - RFC 7230 section 3.2.6 +- * " +- * A string of text is parsed as a single value if it is quoted using +- * double-quote marks. +- * +- * quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE +- * qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text +- * obs-text = %x80-FF +- * " +- * +- * \param escaped HTTP/1.0 does not permit \-escaped characters +- */ +- bool quotedString(SBuf &value, const bool http1p0 = false); +- +- /** +- * Attempt to parse a (token / quoted-string ) lexical construct. +- */ +- bool quotedStringOrToken(SBuf &value, const bool http1p0 = false); +- +-private: +- /// parse the internal component of a quote-string, and terminal DQUOTE +- bool qdText(SBuf &value, const bool http1p0); +- +- void checkpoint() { savedCheckpoint_ = buf(); savedStats_ = parsedSize(); } +- void restoreLastCheckpoint() { undoParse(savedCheckpoint_, savedStats_); } +- +- SBuf savedCheckpoint_; +- SBuf::size_type savedStats_; +-}; ++SBuf tokenOrQuotedString(Parser::Tokenizer &tok, const bool http1p0 = false); + + } // namespace One + } // namespace Http +--- a/src/http/one/forward.h ++++ b/src/http/one/forward.h +@@ -10,6 +10,7 @@ + #define SQUID_SRC_HTTP_ONE_FORWARD_H + + #include "base/RefCount.h" ++#include "parser/forward.h" + #include "sbuf/forward.h" + + namespace Http { +@@ -31,6 +32,8 @@ typedef RefCount<Http::One::ResponsePars + /// CRLF textual representation + const SBuf &CrLf(); + ++using ::Parser::InsufficientInput; ++ + } // namespace One + } // namespace Http + +--- a/src/parser/BinaryTokenizer.h ++++ b/src/parser/BinaryTokenizer.h +@@ -9,6 +9,7 @@ + #ifndef SQUID_SRC_PARSER_BINARYTOKENIZER_H + #define SQUID_SRC_PARSER_BINARYTOKENIZER_H + ++#include "parser/forward.h" + #include "sbuf/SBuf.h" + + namespace Parser +@@ -44,7 +45,7 @@ public: + class BinaryTokenizer + { + public: +- class InsufficientInput {}; // thrown when a method runs out of data ++ typedef ::Parser::InsufficientInput InsufficientInput; + typedef uint64_t size_type; // enough for the largest supported offset + + BinaryTokenizer(); +--- a/src/parser/Makefile.am ++++ b/src/parser/Makefile.am +@@ -13,6 +13,7 @@ noinst_LTLIBRARIES = libparser.la + libparser_la_SOURCES = \ + BinaryTokenizer.h \ + BinaryTokenizer.cc \ ++ forward.h \ + Tokenizer.h \ + Tokenizer.cc + +--- a/src/parser/Tokenizer.cc ++++ b/src/parser/Tokenizer.cc +@@ -10,7 +10,9 @@ + + #include "squid.h" + #include "Debug.h" ++#include "parser/forward.h" + #include "parser/Tokenizer.h" ++#include "sbuf/Stream.h" + + #include <cerrno> + #if HAVE_CTYPE_H +@@ -96,6 +98,23 @@ Parser::Tokenizer::prefix(SBuf &returned + return true; + } + ++SBuf ++Parser::Tokenizer::prefix(const char *description, const CharacterSet &tokenChars, const SBuf::size_type limit) ++{ ++ if (atEnd()) ++ throw InsufficientInput(); ++ ++ SBuf result; ++ ++ if (!prefix(result, tokenChars, limit)) ++ throw TexcHere(ToSBuf("cannot parse ", description)); ++ ++ if (atEnd()) ++ throw InsufficientInput(); ++ ++ return result; ++} ++ + bool + Parser::Tokenizer::suffix(SBuf &returnedToken, const CharacterSet &tokenChars, const SBuf::size_type limit) + { +@@ -283,3 +302,24 @@ Parser::Tokenizer::int64(int64_t & resul + return success(s - range.rawContent()); + } + ++int64_t ++Parser::Tokenizer::udec64(const char *description, const SBuf::size_type limit) ++{ ++ if (atEnd()) ++ throw InsufficientInput(); ++ ++ int64_t result = 0; ++ ++ // Since we only support unsigned decimals, a parsing failure with a ++ // non-empty input always implies invalid/malformed input (or a buggy ++ // limit=0 caller). TODO: Support signed and non-decimal integers by ++ // refactoring int64() to detect insufficient input. ++ if (!int64(result, 10, false, limit)) ++ throw TexcHere(ToSBuf("cannot parse ", description)); ++ ++ if (atEnd()) ++ throw InsufficientInput(); // more digits may be coming ++ ++ return result; ++} ++ +--- a/src/parser/Tokenizer.h ++++ b/src/parser/Tokenizer.h +@@ -143,6 +143,19 @@ public: + */ + bool int64(int64_t &result, int base = 0, bool allowSign = true, SBuf::size_type limit = SBuf::npos); + ++ /* ++ * The methods below mimic their counterparts documented above, but they ++ * throw on errors, including InsufficientInput. The field description ++ * parameter is used for error reporting and debugging. ++ */ ++ ++ /// prefix() wrapper but throws InsufficientInput if input contains ++ /// nothing but the prefix (i.e. if the prefix is not "terminated") ++ SBuf prefix(const char *description, const CharacterSet &tokenChars, SBuf::size_type limit = SBuf::npos); ++ ++ /// int64() wrapper but limited to unsigned decimal integers (for now) ++ int64_t udec64(const char *description, SBuf::size_type limit = SBuf::npos); ++ + protected: + SBuf consume(const SBuf::size_type n); + SBuf::size_type success(const SBuf::size_type n); +--- /dev/null ++++ b/src/parser/forward.h +@@ -0,0 +1,22 @@ ++/* ++ * Copyright (C) 1996-2019 The Squid Software Foundation and contributors ++ * ++ * Squid software is distributed under GPLv2+ license and includes ++ * contributions from numerous individuals and organizations. ++ * Please see the COPYING and CONTRIBUTORS files for details. ++ */ ++ ++#ifndef SQUID_PARSER_FORWARD_H ++#define SQUID_PARSER_FORWARD_H ++ ++namespace Parser { ++class Tokenizer; ++class BinaryTokenizer; ++ ++// TODO: Move this declaration (to parser/Elements.h) if we need more like it. ++/// thrown by modern "incremental" parsers when they need more data ++class InsufficientInput {}; ++} // namespace Parser ++ ++#endif /* SQUID_PARSER_FORWARD_H */ ++ diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46846.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846.patch new file mode 100644 index 0000000000..a6d0965e7a --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46846.patch @@ -0,0 +1,169 @@ +From 05f6af2f4c85cc99323cfff6149c3d74af661b6d Mon Sep 17 00:00:00 2001 +From: Amos Jeffries <yadij@users.noreply.github.com> +Date: Fri, 13 Oct 2023 08:44:16 +0000 +Subject: [PATCH] RFC 9112: Improve HTTP chunked encoding compliance (#1498) + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-46846.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/05f6af2f4c85cc99323cfff6149c3d74af661b6d] +CVE: CVE-2023-46846 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/http/one/Parser.cc | 8 +------- + src/http/one/Parser.h | 4 +--- + src/http/one/TeChunkedParser.cc | 23 ++++++++++++++++++----- + src/parser/Tokenizer.cc | 12 ++++++++++++ + src/parser/Tokenizer.h | 7 +++++++ + 5 files changed, 39 insertions(+), 15 deletions(-) + +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -65,16 +65,10 @@ Http::One::Parser::DelimiterCharacters() + void + Http::One::Parser::skipLineTerminator(Tokenizer &tok) const + { +- if (tok.skip(Http1::CrLf())) +- return; +- + if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF)) + return; + +- if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r')) +- throw InsufficientInput(); +- +- throw TexcHere("garbage instead of CRLF line terminator"); ++ tok.skipRequired("line-terminating CRLF", Http1::CrLf()); + } + + /// all characters except the LF line terminator +--- a/src/http/one/Parser.h ++++ b/src/http/one/Parser.h +@@ -120,9 +120,7 @@ protected: + * detect and skip the CRLF or (if tolerant) LF line terminator + * consume from the tokenizer. + * +- * \throws exception on bad or InsuffientInput. +- * \retval true only if line terminator found. +- * \retval false incomplete or missing line terminator, need more data. ++ * \throws exception on bad or InsufficientInput + */ + void skipLineTerminator(Tokenizer &) const; + +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -91,6 +91,11 @@ Http::One::TeChunkedParser::parseChunkSi + { + Must(theChunkSize <= 0); // Should(), really + ++ static const SBuf bannedHexPrefixLower("0x"); ++ static const SBuf bannedHexPrefixUpper("0X"); ++ if (tok.skip(bannedHexPrefixLower) || tok.skip(bannedHexPrefixUpper)) ++ throw TextException("chunk starts with 0x", Here()); ++ + int64_t size = -1; + if (tok.int64(size, 16, false) && !tok.atEnd()) { + if (size < 0) +@@ -121,7 +126,7 @@ Http::One::TeChunkedParser::parseChunkMe + // bad or insufficient input, like in the code below. TODO: Expand up. + try { + parseChunkExtensions(tok); // a possibly empty chunk-ext list +- skipLineTerminator(tok); ++ tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); + buf_ = tok.remaining(); + parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; + return true; +@@ -132,12 +137,14 @@ Http::One::TeChunkedParser::parseChunkMe + // other exceptions bubble up to kill message parsing + } + +-/// Parses the chunk-ext list (RFC 7230 section 4.1.1 and its Errata #4667): ++/// Parses the chunk-ext list (RFC 9112 section 7.1.1: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) + void +-Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok) ++Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) + { + do { ++ auto tok = callerTok; ++ + ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size + + if (!tok.skip(';')) +@@ -145,6 +152,7 @@ Http::One::TeChunkedParser::parseChunkEx + + parseOneChunkExtension(tok); + buf_ = tok.remaining(); // got one extension ++ callerTok = tok; + } while (true); + } + +@@ -158,11 +166,14 @@ Http::One::ChunkExtensionValueParser::Ig + /// Parses a single chunk-ext list element: + /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) + void +-Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok) ++Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &callerTok) + { ++ auto tok = callerTok; ++ + ParseBws(tok); // Bug 4492: ICAP servers send SP before chunk-ext-name + + const auto extName = tok.prefix("chunk-ext-name", CharacterSet::TCHAR); ++ callerTok = tok; // in case we determine that this is a valueless chunk-ext + + ParseBws(tok); + +@@ -176,6 +187,8 @@ Http::One::TeChunkedParser::parseOneChun + customExtensionValueParser->parse(tok, extName); + else + ChunkExtensionValueParser::Ignore(tok, extName); ++ ++ callerTok = tok; + } + + bool +@@ -209,7 +222,7 @@ Http::One::TeChunkedParser::parseChunkEn + Must(theLeftBodySize == 0); // Should(), really + + try { +- skipLineTerminator(tok); ++ tok.skipRequired("chunk CRLF", Http1::CrLf()); + buf_ = tok.remaining(); // parse checkpoint + theChunkSize = 0; // done with the current chunk + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; +--- a/src/parser/Tokenizer.cc ++++ b/src/parser/Tokenizer.cc +@@ -147,6 +147,18 @@ Parser::Tokenizer::skipAll(const Charact + return success(prefixLen); + } + ++void ++Parser::Tokenizer::skipRequired(const char *description, const SBuf &tokenToSkip) ++{ ++ if (skip(tokenToSkip) || tokenToSkip.isEmpty()) ++ return; ++ ++ if (tokenToSkip.startsWith(buf_)) ++ throw InsufficientInput(); ++ ++ throw TextException(ToSBuf("cannot skip ", description), Here()); ++} ++ + bool + Parser::Tokenizer::skipOne(const CharacterSet &chars) + { +--- a/src/parser/Tokenizer.h ++++ b/src/parser/Tokenizer.h +@@ -115,6 +115,13 @@ public: + */ + SBuf::size_type skipAll(const CharacterSet &discardables); + ++ /** skips a given character sequence (string); ++ * does nothing if the sequence is empty ++ * ++ * \throws exception on mismatching prefix or InsufficientInput ++ */ ++ void skipRequired(const char *description, const SBuf &tokenToSkip); ++ + /** Removes a single trailing character from the set. + * + * \return whether a character was removed diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch new file mode 100644 index 0000000000..d9f29569d1 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch @@ -0,0 +1,47 @@ +From 052cf082b0faaef4eaaa4e94119d7a1437aac4a3 Mon Sep 17 00:00:00 2001 +From: squidadm <squidadm@users.noreply.github.com> +Date: Wed, 18 Oct 2023 04:50:56 +1300 +Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization + (#1517) + +The bug was discovered and detailed by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html +where it was filed as "Stack Buffer Overflow in Digest Authentication". + +--------- + +Co-authored-by: Alex Bason <nonsleepr@gmail.com> +Co-authored-by: Amos Jeffries <yadij@users.noreply.github.com> + +Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/052cf082b0faaef4eaaa4e94119d7a1437aac4a3] +CVE: CVE-2023-46847 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/auth/digest/Config.cc | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc +index 2d25fee..4c206e1 100644 +--- a/src/auth/digest/Config.cc ++++ b/src/auth/digest/Config.cc +@@ -862,11 +862,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm) + break; + + case DIGEST_NC: +- if (value.size() != 8) { ++ if (value.size() == 8) { ++ // for historical reasons, the nc value MUST be exactly 8 bytes ++ static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size"); ++ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1); ++ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'"); ++ } else { + debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'"); ++ digest_request->nc[0] = 0; + } +- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1); +- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'"); + break; + + case DIGEST_CNONCE: +-- +2.40.1 diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch new file mode 100644 index 0000000000..d3cc549f98 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch @@ -0,0 +1,35 @@ +From 77b3fb4df0f126784d5fd4967c28ed40eb8d521b Mon Sep 17 00:00:00 2001 +From: Alex Rousskov <rousskov@measurement-factory.com> +Date: Wed, 25 Oct 2023 19:41:45 +0000 +Subject: [PATCH] RFC 1123: Fix date parsing (#1538) + +The bug was discovered and detailed by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html +where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time +Handling". + +Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b] +CVE: CVE-2023-49285 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/rfc1123.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/lib/rfc1123.c b/lib/rfc1123.c +index e5bf9a4d705..cb484cc002b 100644 +--- a/lib/rfc1123.c ++++ b/lib/rfc1123.c +@@ -50,7 +50,13 @@ make_month(const char *s) + char month[3]; + + month[0] = xtoupper(*s); ++ if (!month[0]) ++ return -1; // protects *(s + 1) below ++ + month[1] = xtolower(*(s + 1)); ++ if (!month[1]) ++ return -1; // protects *(s + 2) below ++ + month[2] = xtolower(*(s + 2)); + + for (i = 0; i < 12; i++) diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch new file mode 100644 index 0000000000..8e0bdf387c --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch @@ -0,0 +1,87 @@ +From 6014c6648a2a54a4ecb7f952ea1163e0798f9264 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov <rousskov@measurement-factory.com> +Date: Fri, 27 Oct 2023 21:27:20 +0000 +Subject: [PATCH] Exit without asserting when helper process startup fails + (#1543) + +... to dup() after fork() and before execvp(). + +Assertions are for handling program logic errors. Helper initialization +code already handled system call errors correctly (i.e. by exiting the +newly created helper process with an error), except for a couple of +assert()s that could be triggered by dup(2) failures. + +This bug was discovered and detailed by Joshua Rogers at +https://megamansec.github.io/Squid-Security-Audit/ipc-assert.html +where it was filed as 'Assertion in Squid "Helper" Process Creator'. + +Origin: http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch + +Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264] +CVE: CVE-2023-49286 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/ipc.cc | 33 +++++++++++++++++++++++++++------ + 1 file changed, 27 insertions(+), 6 deletions(-) + +--- a/src/ipc.cc ++++ b/src/ipc.cc +@@ -20,6 +20,12 @@ + #include "SquidIpc.h" + #include "tools.h" + ++#include <cstdlib> ++ ++#if HAVE_UNISTD_H ++#include <unistd.h> ++#endif ++ + static const char *hello_string = "hi there\n"; + #ifndef HELLO_BUF_SZ + #define HELLO_BUF_SZ 32 +@@ -365,6 +371,22 @@ + } + + PutEnvironment(); ++ ++ // A dup(2) wrapper that reports and exits the process on errors. The ++ // exiting logic is only suitable for this child process context. ++ const auto dupOrExit = [prog,name](const int oldFd) { ++ const auto newFd = dup(oldFd); ++ if (newFd < 0) { ++ const auto savedErrno = errno; ++ debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name); ++ debugs(54, DBG_CRITICAL, "helper (CHILD) PID: " << getpid()); ++ debugs(54, DBG_CRITICAL, "helper program name: " << prog); ++ debugs(54, DBG_CRITICAL, "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno)); ++ _exit(1); ++ } ++ return newFd; ++ }; ++ + /* + * This double-dup stuff avoids problems when one of + * crfd, cwfd, or debug_log are in the rage 0-2. +@@ -372,17 +394,16 @@ + + do { + /* First make sure 0-2 is occupied by something. Gets cleaned up later */ +- x = dup(crfd); +- assert(x > -1); +- } while (x < 3 && x > -1); ++ x = dupOrExit(crfd); ++ } while (x < 3); + + close(x); + +- t1 = dup(crfd); ++ t1 = dupOrExit(crfd); + +- t2 = dup(cwfd); ++ t2 = dupOrExit(cwfd); + +- t3 = dup(fileno(debug_log)); ++ t3 = dupOrExit(fileno(debug_log)); + + assert(t1 > 2 && t2 > 2 && t3 > 2); + diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch new file mode 100644 index 0000000000..51c895e0ef --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch @@ -0,0 +1,62 @@ +From: Markus Koschany <apo@debian.org> +Date: Tue, 26 Dec 2023 19:58:12 +0100 +Subject: CVE-2023-50269 + +Bug-Debian: https://bugs.debian.org/1058721 +Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-50269.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa +Upstream commit https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d] +CVE: CVE-2023-50269 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/ClientRequestContext.h | 4 ++++ + src/client_side_request.cc | 17 +++++++++++++++-- + 2 files changed, 19 insertions(+), 2 deletions(-) + +--- a/src/ClientRequestContext.h ++++ b/src/ClientRequestContext.h +@@ -81,6 +81,10 @@ + #endif + ErrorState *error; ///< saved error page for centralized/delayed processing + bool readNextRequest; ///< whether Squid should read after error handling ++ ++#if FOLLOW_X_FORWARDED_FOR ++ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far ++#endif + }; + + #endif /* SQUID_CLIENTREQUESTCONTEXT_H */ +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -78,6 +78,11 @@ + static const char *const crlf = "\r\n"; + + #if FOLLOW_X_FORWARDED_FOR ++ ++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX) ++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64 ++#endif ++ + static void clientFollowXForwardedForCheck(allow_t answer, void *data); + #endif /* FOLLOW_X_FORWARDED_FOR */ + +@@ -485,8 +490,16 @@ + /* override the default src_addr tested if we have to go deeper than one level into XFF */ + Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr; + } +- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); +- return; ++ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) { ++ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); ++ return; ++ } ++ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name; ++ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses"); ++ debugs(28, DBG_CRITICAL, "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber); ++ debugs(28, DBG_CRITICAL, "last/accepted address: " << request->indirect_client_addr); ++ debugs(28, DBG_CRITICAL, "ignored trailing addresses: " << request->x_forwarded_for_iterator); ++ // fall through to resume clientAccessCheck() processing + } + } + diff --git a/meta-networking/recipes-daemons/squid/squid_4.9.bb b/meta-networking/recipes-daemons/squid/squid_4.9.bb index 19949acd84..09c0a2cd7c 100644 --- a/meta-networking/recipes-daemons/squid/squid_4.9.bb +++ b/meta-networking/recipes-daemons/squid/squid_4.9.bb @@ -24,6 +24,13 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2 file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch \ file://0001-tools.cc-fixed-unused-result-warning.patch \ file://0001-splay.cc-fix-bind-is-not-a-member-of-std.patch \ + file://CVE-2023-46847.patch \ + file://CVE-2023-46728.patch \ + file://CVE-2023-46846-pre1.patch \ + file://CVE-2023-46846.patch \ + file://CVE-2023-49285.patch \ + file://CVE-2023-49286.patch \ + file://CVE-2023-50269.patch \ " SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch" diff --git a/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb b/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb index 115353fec7..071002c5e7 100644 --- a/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb +++ b/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb @@ -5,7 +5,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://gpl_license.txt;md5=11c7b65c4a4acb9d5175f7e9bf99c403" SRCREV = "39276d14b659684c4c0612725ab83ea841c6ef99" -SRC_URI = "git://github.com/arno-iptables-firewall/aif" +SRC_URI = "git://github.com/arno-iptables-firewall/aif;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch b/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch new file mode 100644 index 0000000000..21d4cfd822 --- /dev/null +++ b/meta-networking/recipes-filter/ebtables/ebtables-2.0.10-4/ebtables_optimizations.patch @@ -0,0 +1,19 @@ +ebtables: use optimizations from bitbake + +Enables building with O2 or Os to create smaller binaries. + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> + +--- a/Makefile 2021-04-16 12:43:40.475431286 +0000 ++++ b/Makefile 2021-04-16 12:45:23.654597711 +0000 +@@ -18,7 +18,7 @@ SYSCONFIGDIR:=/etc/sysconfig + DESTDIR:= + + CFLAGS:=-Wall -Wunused -Werror +-CFLAGS_SH_LIB:=-fPIC -O3 ++CFLAGS_SH_LIB:=-fPIC + CC:=gcc + + ifeq ($(shell uname -m),sparc64) diff --git a/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb b/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb index 276784009f..8b6dcea439 100644 --- a/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb +++ b/meta-networking/recipes-filter/ebtables/ebtables_2.0.10-4.bb @@ -31,6 +31,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/ebtables/ebtables-v${PV}.tar.gz \ file://0007-extensions-Use-stdint-types.patch \ file://0008-ethernetdb.h-Remove-C-specific-compiler-hint-macro-_.patch \ file://0009-ebtables-Allow-RETURN-target-rules-in-user-defined-c.patch \ + file://ebtables_optimizations.patch \ " SRC_URI_append_libc-musl = " file://0010-Adjust-header-include-sequence.patch" diff --git a/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb b/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb index 2f627d458e..994825cb7e 100644 --- a/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb +++ b/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb @@ -8,7 +8,7 @@ DEPENDS = "libnfnetlink libmnl" SRCREV = "ba196a97e810746e5660fe3f57c87c0ed0f2b324" PV .= "+git${SRCPV}" -SRC_URI = "git://git.netfilter.org/libnetfilter_log" +SRC_URI = "git://git.netfilter.org/libnetfilter_log;branch=master" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb b/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb index 896cfdfaa4..1bbab6f3cb 100644 --- a/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb +++ b/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb @@ -8,7 +8,7 @@ DEPENDS = "libnfnetlink libmnl" SRCREV = "601abd1c71ccdf90753cf294c120ad43fb25dc54" -SRC_URI = "git://git.netfilter.org/libnetfilter_queue \ +SRC_URI = "git://git.netfilter.org/libnetfilter_queue;branch=master \ file://0001-libnetfilter-queue-Declare-the-define-visivility-attribute-together.patch \ " diff --git a/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb b/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb index 4ff00bf873..fee9967ebd 100644 --- a/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb +++ b/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb @@ -5,7 +5,7 @@ SECTION = "libs" DEPENDS = "libmnl" SRCREV = "eedafeb6db330b8adff1b7cdd3dac325f9144195" -SRC_URI = "git://git.netfilter.org/libnftnl \ +SRC_URI = "git://git.netfilter.org/libnftnl;branch=master \ file://0001-avoid-naming-local-function-as-one-of-printf-family.patch \ " diff --git a/meta-networking/recipes-irc/znc/znc_1.7.5.bb b/meta-networking/recipes-irc/znc/znc_1.7.5.bb index a3d4b7cc55..d7467ff4a6 100644 --- a/meta-networking/recipes-irc/znc/znc_1.7.5.bb +++ b/meta-networking/recipes-irc/znc/znc_1.7.5.bb @@ -5,8 +5,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" DEPENDS = "openssl zlib icu" -SRC_URI = "git://github.com/znc/znc.git;name=znc \ - git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket \ +SRC_URI = "git://github.com/znc/znc.git;name=znc;branch=master;protocol=https \ + git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket;branch=master;protocol=https \ " SRCREV_znc = "c7f72f8bc800115ac985e7e13eace78031cb1b50" SRCREV_Csocket = "e8d9e0bb248c521c2c7fa01e1c6a116d929c41b4" diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb deleted file mode 100644 index 73199592c8..0000000000 --- a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb +++ /dev/null @@ -1,35 +0,0 @@ -require wireguard.inc - -SRCREV = "43f57dac7b8305024f83addc533c9eede6509129" - -SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat" - -inherit module kernel-module-split - -DEPENDS = "virtual/kernel libmnl" - -# This module requires Linux 3.10 higher and several networking related -# configuration options. For exact kernel requirements visit: -# https://www.wireguard.io/install/#kernel-requirements - -EXTRA_OEMAKE_append = " \ - KERNELDIR=${STAGING_KERNEL_DIR} \ - " - -MAKE_TARGETS = "module" - -RRECOMMENDS_${PN} = "kernel-module-xt-hashlimit" -MODULE_NAME = "wireguard" - -# Kernel module packages MUST begin with 'kernel-module-', otherwise -# multilib image generation can fail. -# -# The following line is only necessary if the recipe name does not begin -# with kernel-module-. -PKG_${PN} = "kernel-module-${MODULE_NAME}" - -module_do_install() { - install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME} - install -m 0644 ${MODULE_NAME}.ko \ - ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko -} diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb new file mode 100644 index 0000000000..df2db15349 --- /dev/null +++ b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb @@ -0,0 +1,23 @@ +require wireguard.inc + +SRCREV = "18fbcd68a35a892527345dc5679d0b2d860ee004" + +SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat;protocol=https;branch=master" + +inherit module kernel-module-split + +DEPENDS = "virtual/kernel libmnl" + +# This module requires Linux 3.10 higher and several networking related +# configuration options. For exact kernel requirements visit: +# https://www.wireguard.io/install/#kernel-requirements + +EXTRA_OEMAKE_append = " \ + KERNELDIR=${STAGING_KERNEL_DIR} \ + " + +MAKE_TARGETS = "module" +MODULES_INSTALL_TARGET = "module-install" + +RRECOMMENDS_${PN} = "kernel-module-xt-hashlimit" +MODULE_NAME = "wireguard" diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb index f698b9a9af..b63ef88182 100644 --- a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb +++ b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb @@ -1,7 +1,7 @@ require wireguard.inc -SRCREV = "a8063adc8ae9b4fc9848500e93f94bee8ad2e585" -SRC_URI = "git://git.zx2c4.com/wireguard-tools" +SRCREV = "3ba6527130c502144e7388b900138bca6260f4e8" +SRC_URI = "git://git.zx2c4.com/wireguard-tools;branch=master" inherit bash-completion systemd pkgconfig @@ -9,7 +9,7 @@ DEPENDS += "wireguard-module libmnl" do_install () { oe_runmake DESTDIR="${D}" PREFIX="${prefix}" SYSCONFDIR="${sysconfdir}" \ - SYSTEMDUNITDIR="${systemd_unitdir}" \ + SYSTEMDUNITDIR="${systemd_system_unitdir}" \ WITH_SYSTEMDUNITS=${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'yes', '', d)} \ WITH_BASHCOMPLETION=yes \ WITH_WGQUICK=yes \ diff --git a/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb b/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb index 6dd15ad9fc..fdcd906516 100644 --- a/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb +++ b/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb @@ -12,7 +12,7 @@ SECTION = "net" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENCE;md5=411a48ac3c2e9e0911b8dd9aed26f754" -SRC_URI = "git://github.com/jech/babeld.git;protocol=git" +SRC_URI = "git://github.com/jech/babeld.git;protocol=https;branch=master" SRCREV = "0835d5d894ea016ab7b81562466cade2c51a12d4" UPSTREAM_CHECK_GITTAGREGEX = "babeld-(?P<pver>\d+(\.\d+)+)" diff --git a/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb b/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb index 0f8dc92df3..ce31233264 100644 --- a/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb +++ b/meta-networking/recipes-protocols/mdns/mdns_878.270.2.bb @@ -26,6 +26,19 @@ SRC_URI = "https://opensource.apple.com/tarballs/mDNSResponder/mDNSResponder-${P SRC_URI[md5sum] = "4e139a8e1133349006b0436291c9e29b" SRC_URI[sha256sum] = "2cef0ee9900504c5277fb81de0a28e6c0835fe482ebecf1067c6864f5c4eda74" +# CVE-2007-0613 is not applicable as it only affects Apple products +# i.e. ichat,mdnsresponder, instant message framework and MacOS. +# Also, https://www.exploit-db.com/exploits/3230 shows the part of code +# affected by CVE-2007-0613 which is not preset in upstream source code. +# Hence, CVE-2007-0613 does not affect other Yocto implementations and +# is not reported for other distros can be marked whitelisted. +# Links: +# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 +# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 +# https://security-tracker.debian.org/tracker/CVE-2007-0613 +# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 +CVE_CHECK_WHITELIST += "CVE-2007-0613" + PARALLEL_MAKE = "" S = "${WORKDIR}/mDNSResponder-${PV}/mDNSPosix" diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch new file mode 100644 index 0000000000..4e537c8859 --- /dev/null +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch @@ -0,0 +1,116 @@ +From 4589352dac3ae111c7621298cf231742209efd9b Mon Sep 17 00:00:00 2001 +From: Bill Fenner <fenner@gmail.com> +Date: Fri, 25 Nov 2022 08:41:24 -0800 +Subject: [PATCH ] snmp_agent: disallow SET with NULL varbind + +Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57] +CVE: CVE-2022-44792 & CVE-2022-44793 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + agent/snmp_agent.c | 32 +++++++++++++++++++ + apps/snmpset.c | 1 + + .../default/T0142snmpv2csetnull_simple | 31 ++++++++++++++++++ + 3 files changed, 64 insertions(+) + create mode 100644 testing/fulltests/default/T0142snmpv2csetnull_simple + +diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c +index 26653f4..eba5b4e 100644 +--- a/agent/snmp_agent.c ++++ b/agent/snmp_agent.c +@@ -3708,12 +3708,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status) + return 1; + } + ++static int ++check_set_pdu_for_null_varbind(netsnmp_agent_session *asp) ++{ ++ int i; ++ netsnmp_variable_list *v = NULL; ++ ++ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) { ++ if (v->type == ASN_NULL) { ++ /* ++ * Protect SET implementations that do not protect themselves ++ * against wrong type. ++ */ ++ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i)); ++ asp->index = i; ++ return SNMP_ERR_WRONGTYPE; ++ } ++ } ++ return SNMP_ERR_NOERROR; ++} ++ + int + handle_pdu(netsnmp_agent_session *asp) + { + int status, inclusives = 0; + netsnmp_variable_list *v = NULL; + ++#ifndef NETSNMP_NO_WRITE_SUPPORT ++ /* ++ * Check for ASN_NULL in SET request ++ */ ++ if (asp->pdu->command == SNMP_MSG_SET) { ++ status = check_set_pdu_for_null_varbind(asp); ++ if (status != SNMP_ERR_NOERROR) { ++ return status; ++ } ++ } ++#endif /* NETSNMP_NO_WRITE_SUPPORT */ ++ + /* + * for illegal requests, mark all nodes as ASN_NULL + */ +diff --git a/apps/snmpset.c b/apps/snmpset.c +index a2374bc..cd01b9a 100644 +--- a/apps/snmpset.c ++++ b/apps/snmpset.c +@@ -182,6 +182,7 @@ main(int argc, char *argv[]) + case 'x': + case 'd': + case 'b': ++ case 'n': /* undocumented */ + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case 'I': + case 'U': +diff --git a/testing/fulltests/default/T0142snmpv2csetnull_simple b/testing/fulltests/default/T0142snmpv2csetnull_simple +new file mode 100644 +index 0000000..0f1b8f3 +--- /dev/null ++++ b/testing/fulltests/default/T0142snmpv2csetnull_simple +@@ -0,0 +1,31 @@ ++#!/bin/sh ++ ++. ../support/simple_eval_tools.sh ++ ++HEADER SNMPv2c set of system.sysContact.0 with NULL varbind ++ ++SKIPIF NETSNMP_DISABLE_SET_SUPPORT ++SKIPIF NETSNMP_NO_WRITE_SUPPORT ++SKIPIF NETSNMP_DISABLE_SNMPV2C ++SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE ++ ++# ++# Begin test ++# ++ ++# standard V2C configuration: testcomunnity ++snmp_write_access='all' ++. ./Sv2cconfig ++STARTAGENT ++ ++CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0" ++ ++CHECK ".1.3.6.1.2.1.1.4.0 = STRING:" ++ ++CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x" ++ ++CHECK "Reason: wrongType" ++ ++STOPAGENT ++ ++FINISHED +-- +2.25.1 + diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb index 6b4b6ce8ed..79f2c1d89d 100644 --- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb @@ -35,6 +35,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \ file://CVE-2020-15861-0004.patch \ file://CVE-2020-15861-0005.patch \ file://CVE-2020-15862.patch \ + file://CVE-2022-44792-CVE-2022-44793.patch \ " SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a" SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf" diff --git a/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-networking/recipes-protocols/openflow/openflow.inc index cccbfa19a6..c425b48e19 100644 --- a/meta-networking/recipes-protocols/openflow/openflow.inc +++ b/meta-networking/recipes-protocols/openflow/openflow.inc @@ -11,7 +11,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=e870c934e2c3d6ccf085fd7cf0a1e2e2" -SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git" +SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git;branch=master" DEPENDS = "virtual/libc" @@ -35,3 +35,7 @@ do_install_append() { # Remove /var/run as it is created on startup rm -rf ${D}${localstatedir}/run } + +# This CVE is not for this product but cve-check assumes it is +# because two CPE collides when checking the NVD database +CVE_CHECK_WHITELIST = "CVE-2018-1078" diff --git a/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch new file mode 100644 index 0000000000..bdb48a3993 --- /dev/null +++ b/meta-networking/recipes-protocols/quagga/files/CVE-2021-44038.patch @@ -0,0 +1,117 @@ +From b2484f4df6414a6b3dd68b4069b79279c746cc27 Mon Sep 17 00:00:00 2001 +From: Marius Tomaschewski <mt@suse.com> +Date: Fri Nov 11 09:07:22 UTC 2022 +Subject: [PATCH] quagga: unsafe chown/chmod operations may lead to privileges escalation + +Reference: https://bugzilla.suse.com/show_bug.cgi?id=1191890 + +Patch taken from https://build.opensuse.org/package/view_file/network/quagga/remove-chown-chmod.service.patch + +CVE: CVE-2021-44038 +Signed-off-by: Marius Tomaschewski <mt@suse.com> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + redhat/bgpd.service | 2 -- + redhat/isisd.service | 2 -- + redhat/ospf6d.service | 2 -- + redhat/ospfd.service | 2 -- + redhat/ripd.service | 2 -- + redhat/ripngd.service | 2 -- + redhat/zebra.service | 3 --- + 7 files changed, 15 deletions(-) + +diff --git a/redhat/bgpd.service b/redhat/bgpd.service +index a50bfff..6f46a97 100644 +--- a/redhat/bgpd.service ++++ b/redhat/bgpd.service +@@ -10,8 +10,6 @@ Documentation=man:bgpd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/bgpd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/bgpd.conf + ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf + Restart=on-abort + +diff --git a/redhat/isisd.service b/redhat/isisd.service +index 93663aa..c1464c0 100644 +--- a/redhat/isisd.service ++++ b/redhat/isisd.service +@@ -10,8 +10,6 @@ Documentation=man:isisd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/isisd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/isisd.conf + ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf + Restart=on-abort + +diff --git a/redhat/ospf6d.service b/redhat/ospf6d.service +index 3c1c978..d493429 100644 +--- a/redhat/ospf6d.service ++++ b/redhat/ospf6d.service +@@ -10,8 +10,6 @@ Documentation=man:ospf6d + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospf6d.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospf6d.conf + ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf + Restart=on-abort + +diff --git a/redhat/ospfd.service b/redhat/ospfd.service +index 0084b6c..6c84580 100644 +--- a/redhat/ospfd.service ++++ b/redhat/ospfd.service +@@ -10,8 +10,6 @@ Documentation=man:ospfd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospfd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospfd.conf + ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf + Restart=on-abort + +diff --git a/redhat/ripd.service b/redhat/ripd.service +index 103b5a9..be0f75c 100644 +--- a/redhat/ripd.service ++++ b/redhat/ripd.service +@@ -10,8 +10,6 @@ Documentation=man:ripd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripd.conf + ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf + Restart=on-abort + +diff --git a/redhat/ripngd.service b/redhat/ripngd.service +index 6fe6ba8..23447da 100644 +--- a/redhat/ripngd.service ++++ b/redhat/ripngd.service +@@ -10,8 +10,6 @@ Documentation=man:ripngd + [Service] + Type=forking + EnvironmentFile=/etc/sysconfig/quagga +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripngd.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripngd.conf + ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf + Restart=on-abort + +diff --git a/redhat/zebra.service b/redhat/zebra.service +index fa5a004..e3cf0ab 100644 +--- a/redhat/zebra.service ++++ b/redhat/zebra.service +@@ -10,9 +10,6 @@ Documentation=man:zebra + Type=forking + EnvironmentFile=-/etc/sysconfig/quagga + ExecStartPre=/sbin/ip route flush proto zebra +-ExecStartPre=-/bin/chmod -f 640 /etc/quagga/vtysh.conf /etc/quagga/zebra.conf +-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /run/quagga /etc/quagga/zebra.conf +-ExecStartPre=-/bin/chown -f ${QUAGGA_USER}${VTY_GROUP:+":$VTY_GROUP"} quaggavty /etc/quagga/vtysh.conf + ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf + Restart=on-abort + +-- +2.25.1 + diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc index 134a33d478..5ef3843b15 100644 --- a/meta-networking/recipes-protocols/quagga/quagga.inc +++ b/meta-networking/recipes-protocols/quagga/quagga.inc @@ -34,8 +34,8 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quagga/quagga-${PV}.tar.gz; \ file://ripd.service \ file://ripngd.service \ file://zebra.service \ + file://CVE-2021-44038.patch \ " - PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" PACKAGECONFIG[cap] = "--enable-capabilities,--disable-capabilities,libcap" PACKAGECONFIG[pam] = "--with-libpam, --without-libpam, libpam" diff --git a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb index 4f8e4d4282..dcfa7406d2 100644 --- a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb +++ b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb @@ -23,3 +23,5 @@ PACKAGECONFIG[inet] = "--enable-inet,--disable-inet," PACKAGECONFIG[inet6] = "--enable-inet6,--disable-inet6," EXTRA_OECONF += "--disable-debug" + +CVE_VERSION = "0.9.3.0" diff --git a/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb b/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb index b02e183db7..181698d778 100644 --- a/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb +++ b/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb @@ -8,7 +8,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://github.com/xelerance/xl2tpd.git" +SRC_URI = "git://github.com/xelerance/xl2tpd.git;branch=master;protocol=https" SRCREV = "ba619c79c4790c78c033df0abde4a9a5de744a08" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/arptables/arptables_git.bb b/meta-networking/recipes-support/arptables/arptables_git.bb index c02a19944d..b59dc4ca1b 100644 --- a/meta-networking/recipes-support/arptables/arptables_git.bb +++ b/meta-networking/recipes-support/arptables/arptables_git.bb @@ -6,7 +6,7 @@ SRCREV = "efae8949e31f8b2eb6290f377a28384cecaf105a" PV = "0.0.5+git${SRCPV}" SRC_URI = " \ - git://git.netfilter.org/arptables \ + git://git.netfilter.org/arptables;branch=master \ file://0001-Use-ARPCFLAGS-for-package-specific-compiler-flags.patch \ file://arptables-arpt-get-target-fix.patch \ file://arptables.service \ diff --git a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb index 1c87c48bfa..4b195ededa 100644 --- a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb +++ b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f9d20a453221a1b7e32ae84694da2c37" SRCREV = "42c1aefc303fdf891fbb099ea51f00dca83ab606" SRC_URI = "\ - git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git \ + git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git;branch=main \ file://kernel-headers.patch \ file://0005-build-don-t-ignore-CFLAGS-from-environment.patch \ file://0006-libbridge-Modifying-the-AR-to-cross-toolchain.patch \ diff --git a/meta-networking/recipes-support/celt051/celt051_git.bb b/meta-networking/recipes-support/celt051/celt051_git.bb index 12b9124f74..c3e4cbbe6d 100644 --- a/meta-networking/recipes-support/celt051/celt051_git.bb +++ b/meta-networking/recipes-support/celt051/celt051_git.bb @@ -16,7 +16,7 @@ PV = "0.5.1.3+git${SRCPV}" SRCREV = "5555aae843f57241d005e330b9cb65602d56db0f" -SRC_URI = "git://git.xiph.org/celt.git;branch=compat-v0.5.1;protocol=https \ +SRC_URI = "git://gitlab.xiph.org/xiph/celt.git;branch=compat-v0.5.1;protocol=https \ file://0001-configure.ac-make-tools-support-optional.patch \ file://0001-tests-Include-entcode.c-into-test-sources-to-provide.patch \ " diff --git a/meta-networking/recipes-support/chrony/chrony/CVE-2020-14367.patch b/meta-networking/recipes-support/chrony/chrony/CVE-2020-14367.patch new file mode 100644 index 0000000000..79df1007e0 --- /dev/null +++ b/meta-networking/recipes-support/chrony/chrony/CVE-2020-14367.patch @@ -0,0 +1,204 @@ +From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar <mlichvar@redhat.com> +Date: Thu, 6 Aug 2020 09:31:11 +0200 +Subject: main: create new file when writing pidfile + +When writing the pidfile, open the file with the O_CREAT|O_EXCL flags +to avoid following a symlink and writing the PID to an unexpected file, +when chronyd still has the root privileges. + +The Linux open(2) man page warns about O_EXCL not working as expected on +NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on +a distributed filesystem like NFS is not generally expected, but if +there is a reason to do that, these old kernel and NFS versions are not +considered to be supported for saving files by chronyd. + +This is a minimal backport specific to this issue of the following +commits: +- commit 2fc8edacb810 ("use PATH_MAX") +- commit f4c6a00b2a11 ("logging: call exit() in LOG_Message()") +- commit 7a4c396bba8f ("util: add functions for common file operations") +- commit e18903a6b563 ("switch to new util file functions") + +Reported-by: Matthias Gerstner <mgerstner@suse.de> + +Upstream-Status: Backport [https://git.tuxfamily.org/chrony/chrony.git/commit/?id=f00fed20092b6a42283f29c6ee1f58244d74b545] +CVE: CVE-2020-14367 +Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com> + +diff --git a/logging.c b/logging.c +index d2296e0..fd7f900 100644 +--- a/logging.c ++++ b/logging.c +@@ -171,6 +171,7 @@ void LOG_Message(LOG_Severity severity, + system_log = 0; + log_message(1, severity, buf); + } ++ exit(1); + break; + default: + assert(0); +diff --git a/main.c b/main.c +index 6ccf32e..8edb2e1 100644 +--- a/main.c ++++ b/main.c +@@ -281,13 +281,9 @@ write_pidfile(void) + if (!pidfile[0]) + return; + +- out = fopen(pidfile, "w"); +- if (!out) { +- LOG_FATAL("Could not open %s : %s", pidfile, strerror(errno)); +- } else { +- fprintf(out, "%d\n", (int)getpid()); +- fclose(out); +- } ++ out = UTI_OpenFile(NULL, pidfile, NULL, 'W', 0644); ++ fprintf(out, "%d\n", (int)getpid()); ++ fclose(out); + } + + /* ================================================== */ +diff --git a/sysincl.h b/sysincl.h +index 296c5e6..873a3bd 100644 +--- a/sysincl.h ++++ b/sysincl.h +@@ -37,6 +37,7 @@ + #include <glob.h> + #include <grp.h> + #include <inttypes.h> ++#include <limits.h> + #include <math.h> + #include <netinet/in.h> + #include <pwd.h> +diff --git a/util.c b/util.c +index e7e3442..83b3b20 100644 +--- a/util.c ++++ b/util.c +@@ -1179,6 +1179,101 @@ UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid) + + /* ================================================== */ + ++static int ++join_path(const char *basedir, const char *name, const char *suffix, ++ char *buffer, size_t length, LOG_Severity severity) ++{ ++ const char *sep; ++ ++ if (!basedir) { ++ basedir = ""; ++ sep = ""; ++ } else { ++ sep = "/"; ++ } ++ ++ if (!suffix) ++ suffix = ""; ++ ++ if (snprintf(buffer, length, "%s%s%s%s", basedir, sep, name, suffix) >= length) { ++ LOG(severity, "File path %s%s%s%s too long", basedir, sep, name, suffix); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* ================================================== */ ++ ++FILE * ++UTI_OpenFile(const char *basedir, const char *name, const char *suffix, ++ char mode, mode_t perm) ++{ ++ const char *file_mode; ++ char path[PATH_MAX]; ++ LOG_Severity severity; ++ int fd, flags; ++ FILE *file; ++ ++ severity = mode >= 'A' && mode <= 'Z' ? LOGS_FATAL : LOGS_ERR; ++ ++ if (!join_path(basedir, name, suffix, path, sizeof (path), severity)) ++ return NULL; ++ ++ switch (mode) { ++ case 'r': ++ case 'R': ++ flags = O_RDONLY; ++ file_mode = "r"; ++ if (severity != LOGS_FATAL) ++ severity = LOGS_DEBUG; ++ break; ++ case 'w': ++ case 'W': ++ flags = O_WRONLY | O_CREAT | O_EXCL; ++ file_mode = "w"; ++ break; ++ case 'a': ++ case 'A': ++ flags = O_WRONLY | O_CREAT | O_APPEND; ++ file_mode = "a"; ++ break; ++ default: ++ assert(0); ++ return NULL; ++ } ++ ++try_again: ++ fd = open(path, flags, perm); ++ if (fd < 0) { ++ if (errno == EEXIST) { ++ if (unlink(path) < 0) { ++ LOG(severity, "Could not remove %s : %s", path, strerror(errno)); ++ return NULL; ++ } ++ DEBUG_LOG("Removed %s", path); ++ goto try_again; ++ } ++ LOG(severity, "Could not open %s : %s", path, strerror(errno)); ++ return NULL; ++ } ++ ++ UTI_FdSetCloexec(fd); ++ ++ file = fdopen(fd, file_mode); ++ if (!file) { ++ LOG(severity, "Could not open %s : %s", path, strerror(errno)); ++ close(fd); ++ return NULL; ++ } ++ ++ DEBUG_LOG("Opened %s fd=%d mode=%c", path, fd, mode); ++ ++ return file; ++} ++ ++/* ================================================== */ ++ + void + UTI_DropRoot(uid_t uid, gid_t gid) + { +diff --git a/util.h b/util.h +index e3d6767..a2481cc 100644 +--- a/util.h ++++ b/util.h +@@ -176,6 +176,17 @@ extern int UTI_CreateDirAndParents(const char *path, mode_t mode, uid_t uid, gid + permissions and its uid/gid must match the specified values. */ + extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid); + ++/* Open a file. The full path of the file is constructed from the basedir ++ (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). ++ Created files have specified permissions (umasked). Returns NULL on error. ++ The following modes are supported (if the mode is an uppercase character, ++ errors are fatal): ++ r/R - open an existing file for reading ++ w/W - open a new file for writing (remove existing file) ++ a/A - open an existing file for appending (create if does not exist) */ ++extern FILE *UTI_OpenFile(const char *basedir, const char *name, const char *suffix, ++ char mode, mode_t perm); ++ + /* Set process user/group IDs and drop supplementary groups */ + extern void UTI_DropRoot(uid_t uid, gid_t gid); + +-- +cgit v0.10.2 + diff --git a/meta-networking/recipes-support/chrony/chrony_3.5.bb b/meta-networking/recipes-support/chrony/chrony_3.5.bb index 7c6356d264..182ce13ccf 100644 --- a/meta-networking/recipes-support/chrony/chrony_3.5.bb +++ b/meta-networking/recipes-support/chrony/chrony_3.5.bb @@ -34,6 +34,7 @@ SRC_URI = "https://download.tuxfamily.org/chrony/chrony-${PV}.tar.gz \ file://chrony.conf \ file://chronyd \ file://arm_eabi.patch \ + file://CVE-2020-14367.patch \ " SRC_URI_append_libc-musl = " \ diff --git a/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb b/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb index 8d82ee4546..e76481cc1b 100644 --- a/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb +++ b/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" PV = "6.10" SRCREV = "5ff5fc2ecc10353fd39ad508db5c2828fd2d8d9a" -SRC_URI = "git://git.samba.org/cifs-utils.git" +SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master" S = "${WORKDIR}/git" DEPENDS += "libtalloc" diff --git a/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb b/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb index 799cf8611c..3da651c478 100644 --- a/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb +++ b/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=fd0c9adf285a69aa3b4faf34384e1029" DEPENDS = "curl" DEPENDS_class-native = "curl-native" -SRC_URI = "git://github.com/jpbarrette/curlpp.git" +SRC_URI = "git://github.com/jpbarrette/curlpp.git;branch=master;protocol=https" SRCREV = "592552a165cc569dac7674cb7fc9de3dc829906f" diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch new file mode 100644 index 0000000000..360931a83b --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch @@ -0,0 +1,1040 @@ +From 74d4fcd756a85bc1823232ea74334f7ccfb9d5d2 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Mon, 15 Mar 2021 21:59:51 +0000 +Subject: [PATCH] Use random source ports where possible if source + addresses/interfaces in use. + +CVE-2021-3448 applies. + +It's possible to specify the source address or interface to be +used when contacting upstream nameservers: server=8.8.8.8@1.2.3.4 +or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of +these have, until now, used a single socket, bound to a fixed +port. This was originally done to allow an error (non-existent +interface, or non-local address) to be detected at start-up. This +means that any upstream servers specified in such a way don't use +random source ports, and are more susceptible to cache-poisoning +attacks. + +We now use random ports where possible, even when the +source is specified, so server=8.8.8.8@1.2.3.4 or +server=8.8.8.8@eth0 will use random source +ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will +use the explicitly configured port, and should only be done with +understanding of the security implications. +Note that this change changes non-existing interface, or non-local +source address errors from fatal to run-time. The error will be +logged and communiction with the server not possible. + +Upstream-Status: Backport +CVE: CVE-2021-3448 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + CHANGELOG | 22 +++ + man/dnsmasq.8 | 4 +- + src/dnsmasq.c | 31 ++-- + src/dnsmasq.h | 26 ++-- + src/forward.c | 392 ++++++++++++++++++++++++++++++-------------------- + src/loop.c | 20 +-- + src/network.c | 110 +++++--------- + src/option.c | 3 +- + src/tftp.c | 6 +- + src/util.c | 2 +- + 10 files changed, 344 insertions(+), 272 deletions(-) + +Index: dnsmasq-2.81/man/dnsmasq.8 +=================================================================== +--- dnsmasq-2.81.orig/man/dnsmasq.8 ++++ dnsmasq-2.81/man/dnsmasq.8 +@@ -489,7 +489,7 @@ source address specified but the port ma + part of the source address. Forcing queries to an interface is not + implemented on all platforms supported by dnsmasq. + .TP +-.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<source-ip>|<interface>[#<port>]] ++.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<interface>][@<source-ip>[#<port>]] + This is functionally the same as + .B --server, + but provides some syntactic sugar to make specifying address-to-name queries easier. For example +Index: dnsmasq-2.81/src/dnsmasq.c +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.c ++++ dnsmasq-2.81/src/dnsmasq.c +@@ -1668,6 +1668,7 @@ static int set_dns_listeners(time_t now) + { + struct serverfd *serverfdp; + struct listener *listener; ++ struct randfd_list *rfl; + int wait = 0, i; + + #ifdef HAVE_TFTP +@@ -1688,11 +1689,14 @@ static int set_dns_listeners(time_t now) + for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next) + poll_listen(serverfdp->fd, POLLIN); + +- if (daemon->port != 0 && !daemon->osport) +- for (i = 0; i < RANDOM_SOCKS; i++) +- if (daemon->randomsocks[i].refcount != 0) +- poll_listen(daemon->randomsocks[i].fd, POLLIN); +- ++ for (i = 0; i < RANDOM_SOCKS; i++) ++ if (daemon->randomsocks[i].refcount != 0) ++ poll_listen(daemon->randomsocks[i].fd, POLLIN); ++ ++ /* Check overflow random sockets too. */ ++ for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next) ++ poll_listen(rfl->rfd->fd, POLLIN); ++ + for (listener = daemon->listeners; listener; listener = listener->next) + { + /* only listen for queries if we have resources */ +@@ -1729,18 +1733,23 @@ static void check_dns_listeners(time_t n + { + struct serverfd *serverfdp; + struct listener *listener; ++ struct randfd_list *rfl; + int i; + int pipefd[2]; + + for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next) + if (poll_check(serverfdp->fd, POLLIN)) +- reply_query(serverfdp->fd, serverfdp->source_addr.sa.sa_family, now); ++ reply_query(serverfdp->fd, now); + +- if (daemon->port != 0 && !daemon->osport) +- for (i = 0; i < RANDOM_SOCKS; i++) +- if (daemon->randomsocks[i].refcount != 0 && +- poll_check(daemon->randomsocks[i].fd, POLLIN)) +- reply_query(daemon->randomsocks[i].fd, daemon->randomsocks[i].family, now); ++ for (i = 0; i < RANDOM_SOCKS; i++) ++ if (daemon->randomsocks[i].refcount != 0 && ++ poll_check(daemon->randomsocks[i].fd, POLLIN)) ++ reply_query(daemon->randomsocks[i].fd, now); ++ ++ /* Check overflow random sockets too. */ ++ for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next) ++ if (poll_check(rfl->rfd->fd, POLLIN)) ++ reply_query(rfl->rfd->fd, now); + + /* Races. The child process can die before we read all of the data from the + pipe, or vice versa. Therefore send tcp_pids to zero when we wait() the +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -542,13 +542,20 @@ struct serverfd { + }; + + struct randfd { ++ struct server *serv; + int fd; +- unsigned short refcount, family; ++ unsigned short refcount; /* refcount == 0xffff means overflow record. */ + }; +- ++ ++struct randfd_list { ++ struct randfd *rfd; ++ struct randfd_list *next; ++}; ++ + struct server { + union mysockaddr addr, source_addr; + char interface[IF_NAMESIZE+1]; ++ unsigned int ifindex; /* corresponding to interface, above */ + struct serverfd *sfd; + char *domain; /* set if this server only handles a domain. */ + int flags, tcpfd, edns_pktsz; +@@ -669,8 +676,7 @@ struct frec { + struct frec_src *next; + } frec_src; + struct server *sentto; /* NULL means free */ +- struct randfd *rfd4; +- struct randfd *rfd6; ++ struct randfd_list *rfds; + unsigned short new_id; + int fd, forwardall, flags; + time_t time; +@@ -1100,11 +1106,12 @@ extern struct daemon { + int forwardcount; + struct server *srv_save; /* Used for resend on DoD */ + size_t packet_len; /* " " */ +- struct randfd *rfd_save; /* " " */ ++ int fd_save; /* " " */ + pid_t tcp_pids[MAX_PROCS]; + int tcp_pipes[MAX_PROCS]; + int pipe_to_parent; + struct randfd randomsocks[RANDOM_SOCKS]; ++ struct randfd_list *rfl_spare, *rfl_poll; + int v6pktinfo; + struct addrlist *interface_addrs; /* list of all addresses/prefix lengths associated with all local interfaces */ + int log_id, log_display_id; /* ids of transactions for logging */ +@@ -1275,7 +1282,7 @@ void safe_strncpy(char *dest, const char + void safe_pipe(int *fd, int read_noblock); + void *whine_malloc(size_t size); + int sa_len(union mysockaddr *addr); +-int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2); ++int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2); + int hostname_isequal(const char *a, const char *b); + int hostname_issubdomain(char *a, char *b); + time_t dnsmasq_time(void); +@@ -1326,7 +1333,7 @@ char *parse_server(char *arg, union myso + int option_read_dynfile(char *file, int flags); + + /* forward.c */ +-void reply_query(int fd, int family, time_t now); ++void reply_query(int fd, time_t now); + void receive_query(struct listener *listen, time_t now); + unsigned char *tcp_request(int confd, time_t now, + union mysockaddr *local_addr, struct in_addr netmask, int auth_dns); +@@ -1336,13 +1343,12 @@ int send_from(int fd, int nowild, char * + union mysockaddr *to, union all_addr *source, + unsigned int iface); + void resend_query(void); +-struct randfd *allocate_rfd(int family); +-void free_rfd(struct randfd *rfd); ++int allocate_rfd(struct randfd_list **fdlp, struct server *serv); ++void free_rfds(struct randfd_list **fdlp); + + /* network.c */ + int indextoname(int fd, int index, char *name); + int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp); +-int random_sock(int family); + void pre_allocate_sfds(void); + int reload_servers(char *fname); + void mark_servers(int flag); +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -16,7 +16,7 @@ + + #include "dnsmasq.h" + +-static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash); ++static struct frec *lookup_frec(unsigned short id, int fd, void *hash); + static struct frec *lookup_frec_by_sender(unsigned short id, + union mysockaddr *addr, + void *hash); +@@ -307,26 +307,18 @@ static int forward_query(int udpfd, unio + if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign) + PUTSHORT(SAFE_PKTSZ, pheader); + +- if (forward->sentto->addr.sa.sa_family == AF_INET) +- log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); +- else +- log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); +- +- +- if (forward->sentto->sfd) +- fd = forward->sentto->sfd->fd; +- else ++ if ((fd = allocate_rfd(&forward->rfds, forward->sentto)) != -1) + { +- if (forward->sentto->addr.sa.sa_family == AF_INET6) +- fd = forward->rfd6->fd; ++ if (forward->sentto->addr.sa.sa_family == AF_INET) ++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); + else +- fd = forward->rfd4->fd; ++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); ++ ++ while (retry_send(sendto(fd, (char *)header, plen, 0, ++ &forward->sentto->addr.sa, ++ sa_len(&forward->sentto->addr)))); + } + +- while (retry_send(sendto(fd, (char *)header, plen, 0, +- &forward->sentto->addr.sa, +- sa_len(&forward->sentto->addr)))); +- + return 1; + } + #endif +@@ -501,49 +493,28 @@ static int forward_query(int udpfd, unio + + while (1) + { ++ int fd; ++ + /* only send to servers dealing with our domain. + domain may be NULL, in which case server->domain + must be NULL also. */ + + if (type == (start->flags & SERV_TYPE) && + (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) && +- !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) ++ !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) && ++ ((fd = allocate_rfd(&forward->rfds, start)) != -1)) + { +- int fd; +- +- /* find server socket to use, may need to get random one. */ +- if (start->sfd) +- fd = start->sfd->fd; +- else +- { +- if (start->addr.sa.sa_family == AF_INET6) +- { +- if (!forward->rfd6 && +- !(forward->rfd6 = allocate_rfd(AF_INET6))) +- break; +- daemon->rfd_save = forward->rfd6; +- fd = forward->rfd6->fd; +- } +- else +- { +- if (!forward->rfd4 && +- !(forward->rfd4 = allocate_rfd(AF_INET))) +- break; +- daemon->rfd_save = forward->rfd4; +- fd = forward->rfd4->fd; +- } + + #ifdef HAVE_CONNTRACK +- /* Copy connection mark of incoming query to outgoing connection. */ +- if (option_bool(OPT_CONNTRACK)) +- { +- unsigned int mark; +- if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark)) +- setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); +- } +-#endif ++ /* Copy connection mark of incoming query to outgoing connection. */ ++ if (option_bool(OPT_CONNTRACK)) ++ { ++ unsigned int mark; ++ if (get_incoming_mark(&forward->frec_src.source, &forward->frec_src.dest, 0, &mark)) ++ setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); + } +- ++#endif ++ + #ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER)) + { +@@ -574,6 +545,7 @@ static int forward_query(int udpfd, unio + /* Keep info in case we want to re-send this packet */ + daemon->srv_save = start; + daemon->packet_len = plen; ++ daemon->fd_save = fd; + + if (!gotname) + strcpy(daemon->namebuff, "query"); +@@ -590,7 +562,7 @@ static int forward_query(int udpfd, unio + break; + forward->forwardall++; + } +- } ++ } + + if (!(start = start->next)) + start = daemon->servers; +@@ -805,7 +777,7 @@ static size_t process_reply(struct dns_h + } + + /* sets new last_server */ +-void reply_query(int fd, int family, time_t now) ++void reply_query(int fd, time_t now) + { + /* packet from peer server, extract data for cache, and send to + original requester */ +@@ -820,9 +792,9 @@ void reply_query(int fd, int family, tim + + /* packet buffer overwritten */ + daemon->srv_save = NULL; +- ++ + /* Determine the address of the server replying so that we can mark that as good */ +- if ((serveraddr.sa.sa_family = family) == AF_INET6) ++ if (serveraddr.sa.sa_family == AF_INET6) + serveraddr.in6.sin6_flowinfo = 0; + + header = (struct dns_header *)daemon->packet; +@@ -845,7 +817,7 @@ void reply_query(int fd, int family, tim + + hash = hash_questions(header, n, daemon->namebuff); + +- if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash))) ++ if (!(forward = lookup_frec(ntohs(header->id), fd, hash))) + return; + + #ifdef HAVE_DUMPFILE +@@ -900,25 +872,8 @@ void reply_query(int fd, int family, tim + } + + +- if (start->sfd) +- fd = start->sfd->fd; +- else +- { +- if (start->addr.sa.sa_family == AF_INET6) +- { +- /* may have changed family */ +- if (!forward->rfd6) +- forward->rfd6 = allocate_rfd(AF_INET6); +- fd = forward->rfd6->fd; +- } +- else +- { +- /* may have changed family */ +- if (!forward->rfd4) +- forward->rfd4 = allocate_rfd(AF_INET); +- fd = forward->rfd4->fd; +- } +- } ++ if ((fd = allocate_rfd(&forward->rfds, start)) == -1) ++ return; + + #ifdef HAVE_DUMPFILE + dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)plen, NULL, &start->addr); +@@ -1126,8 +1081,7 @@ void reply_query(int fd, int family, tim + } + + new->sentto = server; +- new->rfd4 = NULL; +- new->rfd6 = NULL; ++ new->rfds = NULL; + new->frec_src.next = NULL; + new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA); + new->forwardall = 0; +@@ -1166,24 +1120,7 @@ void reply_query(int fd, int family, tim + /* Don't resend this. */ + daemon->srv_save = NULL; + +- if (server->sfd) +- fd = server->sfd->fd; +- else +- { +- fd = -1; +- if (server->addr.sa.sa_family == AF_INET6) +- { +- if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6))) +- fd = new->rfd6->fd; +- } +- else +- { +- if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET))) +- fd = new->rfd4->fd; +- } +- } +- +- if (fd != -1) ++ if ((fd = allocate_rfd(&new->rfds, server)) != -1) + { + #ifdef HAVE_CONNTRACK + /* Copy connection mark of incoming query to outgoing connection. */ +@@ -1344,7 +1281,7 @@ void receive_query(struct listener *list + + /* packet buffer overwritten */ + daemon->srv_save = NULL; +- ++ + dst_addr_4.s_addr = dst_addr.addr4.s_addr = 0; + netmask.s_addr = 0; + +@@ -2207,9 +2144,8 @@ static struct frec *allocate_frec(time_t + f->next = daemon->frec_list; + f->time = now; + f->sentto = NULL; +- f->rfd4 = NULL; ++ f->rfds = NULL; + f->flags = 0; +- f->rfd6 = NULL; + #ifdef HAVE_DNSSEC + f->dependent = NULL; + f->blocking_query = NULL; +@@ -2221,46 +2157,192 @@ static struct frec *allocate_frec(time_t + return f; + } + +-struct randfd *allocate_rfd(int family) ++/* return a UDP socket bound to a random port, have to cope with straying into ++ occupied port nos and reserved ones. */ ++static int random_sock(struct server *s) ++{ ++ int fd; ++ ++ if ((fd = socket(s->source_addr.sa.sa_family, SOCK_DGRAM, 0)) != -1) ++ { ++ if (local_bind(fd, &s->source_addr, s->interface, s->ifindex, 0)) ++ return fd; ++ ++ if (s->interface[0] == 0) ++ (void)prettyprint_addr(&s->source_addr, daemon->namebuff); ++ else ++ strcpy(daemon->namebuff, s->interface); ++ ++ my_syslog(LOG_ERR, _("failed to bind server socket to %s: %s"), ++ daemon->namebuff, strerror(errno)); ++ close(fd); ++ } ++ ++ return -1; ++} ++ ++/* compare source addresses and interface, serv2 can be null. */ ++static int server_isequal(const struct server *serv1, ++ const struct server *serv2) ++{ ++ return (serv2 && ++ serv2->ifindex == serv1->ifindex && ++ sockaddr_isequal(&serv2->source_addr, &serv1->source_addr) && ++ strncmp(serv2->interface, serv1->interface, IF_NAMESIZE) == 0); ++} ++ ++/* fdlp points to chain of randomfds already in use by transaction. ++ If there's already a suitable one, return it, else allocate a ++ new one and add it to the list. ++ ++ Not leaking any resources in the face of allocation failures ++ is rather convoluted here. ++ ++ Note that rfd->serv may be NULL, when a server goes away. ++*/ ++int allocate_rfd(struct randfd_list **fdlp, struct server *serv) + { + static int finger = 0; +- int i; ++ int i, j = 0; ++ struct randfd_list *rfl; ++ struct randfd *rfd = NULL; ++ int fd = 0; ++ ++ /* If server has a pre-allocated fd, use that. */ ++ if (serv->sfd) ++ return serv->sfd->fd; ++ ++ /* existing suitable random port socket linked to this transaction? */ ++ for (rfl = *fdlp; rfl; rfl = rfl->next) ++ if (server_isequal(serv, rfl->rfd->serv)) ++ return rfl->rfd->fd; ++ ++ /* No. need new link. */ ++ if ((rfl = daemon->rfl_spare)) ++ daemon->rfl_spare = rfl->next; ++ else if (!(rfl = whine_malloc(sizeof(struct randfd_list)))) ++ return -1; + + /* limit the number of sockets we have open to avoid starvation of + (eg) TFTP. Once we have a reasonable number, randomness should be OK */ +- + for (i = 0; i < RANDOM_SOCKS; i++) + if (daemon->randomsocks[i].refcount == 0) + { +- if ((daemon->randomsocks[i].fd = random_sock(family)) == -1) +- break; +- +- daemon->randomsocks[i].refcount = 1; +- daemon->randomsocks[i].family = family; +- return &daemon->randomsocks[i]; ++ if ((fd = random_sock(serv)) != -1) ++ { ++ rfd = &daemon->randomsocks[i]; ++ rfd->serv = serv; ++ rfd->fd = fd; ++ rfd->refcount = 1; ++ } ++ break; + } + + /* No free ones or cannot get new socket, grab an existing one */ +- for (i = 0; i < RANDOM_SOCKS; i++) ++ if (!rfd) ++ for (j = 0; j < RANDOM_SOCKS; j++) ++ { ++ i = (j + finger) % RANDOM_SOCKS; ++ if (daemon->randomsocks[i].refcount != 0 && ++ server_isequal(serv, daemon->randomsocks[i].serv) && ++ daemon->randomsocks[i].refcount != 0xfffe) ++ { ++ finger = i + 1; ++ rfd = &daemon->randomsocks[i]; ++ rfd->refcount++; ++ break; ++ } ++ } ++ ++ if (j == RANDOM_SOCKS) + { +- int j = (i+finger) % RANDOM_SOCKS; +- if (daemon->randomsocks[j].refcount != 0 && +- daemon->randomsocks[j].family == family && +- daemon->randomsocks[j].refcount != 0xffff) ++ struct randfd_list *rfl_poll; ++ ++ /* there are no free slots, and non with the same parameters we can piggy-back on. ++ We're going to have to allocate a new temporary record, distinguished by ++ refcount == 0xffff. This will exist in the frec randfd list, never be shared, ++ and be freed when no longer in use. It will also be held on ++ the daemon->rfl_poll list so the poll system can find it. */ ++ ++ if ((rfl_poll = daemon->rfl_spare)) ++ daemon->rfl_spare = rfl_poll->next; ++ else ++ rfl_poll = whine_malloc(sizeof(struct randfd_list)); ++ ++ if (!rfl_poll || ++ !(rfd = whine_malloc(sizeof(struct randfd))) || ++ (fd = random_sock(serv)) == -1) + { +- finger = j; +- daemon->randomsocks[j].refcount++; +- return &daemon->randomsocks[j]; ++ ++ /* Don't leak anything we may already have */ ++ rfl->next = daemon->rfl_spare; ++ daemon->rfl_spare = rfl; ++ ++ if (rfl_poll) ++ { ++ rfl_poll->next = daemon->rfl_spare; ++ daemon->rfl_spare = rfl_poll; ++ } ++ ++ if (rfd) ++ free(rfd); ++ ++ return -1; /* doom */ + } ++ ++ /* Note rfd->serv not set here, since it's not reused */ ++ rfd->fd = fd; ++ rfd->refcount = 0xffff; /* marker for temp record */ ++ ++ rfl_poll->rfd = rfd; ++ rfl_poll->next = daemon->rfl_poll; ++ daemon->rfl_poll = rfl_poll; + } + +- return NULL; /* doom */ ++ rfl->rfd = rfd; ++ rfl->next = *fdlp; ++ *fdlp = rfl; ++ ++ return rfl->rfd->fd; + } + +-void free_rfd(struct randfd *rfd) ++void free_rfds(struct randfd_list **fdlp) + { +- if (rfd && --(rfd->refcount) == 0) +- close(rfd->fd); ++ struct randfd_list *tmp, *rfl, *poll, *next, **up; ++ ++ for (rfl = *fdlp; rfl; rfl = tmp) ++ { ++ if (rfl->rfd->refcount == 0xffff || --(rfl->rfd->refcount) == 0) ++ close(rfl->rfd->fd); ++ ++ /* temporary overflow record */ ++ if (rfl->rfd->refcount == 0xffff) ++ { ++ free(rfl->rfd); ++ ++ /* go through the link of all these by steam to delete. ++ This list is expected to be almost always empty. */ ++ for (poll = daemon->rfl_poll, up = &daemon->rfl_poll; poll; poll = next) ++ { ++ next = poll->next; ++ ++ if (poll->rfd == rfl->rfd) ++ { ++ *up = poll->next; ++ poll->next = daemon->rfl_spare; ++ daemon->rfl_spare = poll; ++ } ++ else ++ up = &poll->next; ++ } ++ } ++ ++ tmp = rfl->next; ++ rfl->next = daemon->rfl_spare; ++ daemon->rfl_spare = rfl; ++ } ++ ++ *fdlp = NULL; + } + + static void free_frec(struct frec *f) +@@ -2276,12 +2358,9 @@ static void free_frec(struct frec *f) + } + + f->frec_src.next = NULL; +- free_rfd(f->rfd4); +- f->rfd4 = NULL; ++ free_rfds(&f->rfds); + f->sentto = NULL; + f->flags = 0; +- free_rfd(f->rfd6); +- f->rfd6 = NULL; + + #ifdef HAVE_DNSSEC + if (f->stash) +@@ -2389,26 +2468,39 @@ struct frec *get_new_frec(time_t now, in + } + + /* crc is all-ones if not known. */ +-static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash) ++static struct frec *lookup_frec(unsigned short id, int fd, void *hash) + { + struct frec *f; ++ struct server *s; ++ int type; ++ struct randfd_list *fdl; + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->new_id == id && + (memcmp(hash, f->hash, HASH_SIZE) == 0)) + { + /* sent from random port */ +- if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd) ++ for (fdl = f->rfds; fdl; fdl = fdl->next) ++ if (fdl->rfd->fd == fd) + return f; ++ } + +- if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd) +- return f; ++ /* Sent to upstream from socket associated with a server. ++ Note we have to iterate over all the possible servers, since they may ++ have different bound sockets. */ ++ type = f->sentto->flags & SERV_TYPE; ++ s = f->sentto; ++ do { ++ if ((type == (s->flags & SERV_TYPE)) && ++ (type != SERV_HAS_DOMAIN || ++ (s->domain && hostname_isequal(f->sentto->domain, s->domain))) && ++ !(s->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) && ++ s->sfd && s->sfd->fd == fd) ++ return f; ++ ++ s = s->next ? s->next : daemon->servers; ++ } while (s != f->sentto); + +- /* sent to upstream from bound socket. */ +- if (f->sentto->sfd && f->sentto->sfd->fd == fd) +- return f; +- } +- + return NULL; + } + +@@ -2454,30 +2546,26 @@ static struct frec *lookup_frec_by_query + void resend_query() + { + if (daemon->srv_save) +- { +- int fd; +- +- if (daemon->srv_save->sfd) +- fd = daemon->srv_save->sfd->fd; +- else if (daemon->rfd_save && daemon->rfd_save->refcount != 0) +- fd = daemon->rfd_save->fd; +- else +- return; +- +- while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0, +- &daemon->srv_save->addr.sa, +- sa_len(&daemon->srv_save->addr)))); +- } ++ while(retry_send(sendto(daemon->fd_save, daemon->packet, daemon->packet_len, 0, ++ &daemon->srv_save->addr.sa, ++ sa_len(&daemon->srv_save->addr)))); + } + + /* A server record is going away, remove references to it */ + void server_gone(struct server *server) + { + struct frec *f; ++ int i; + + for (f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->sentto == server) + free_frec(f); ++ ++ /* If any random socket refers to this server, NULL the reference. ++ No more references to the socket will be created in the future. */ ++ for (i = 0; i < RANDOM_SOCKS; i++) ++ if (daemon->randomsocks[i].refcount != 0 && daemon->randomsocks[i].serv == server) ++ daemon->randomsocks[i].serv = NULL; + + if (daemon->last_server == server) + daemon->last_server = NULL; +Index: dnsmasq-2.81/src/loop.c +=================================================================== +--- dnsmasq-2.81.orig/src/loop.c ++++ dnsmasq-2.81/src/loop.c +@@ -22,6 +22,7 @@ static ssize_t loop_make_probe(u32 uid); + void loop_send_probes() + { + struct server *serv; ++ struct randfd_list *rfds = NULL; + + if (!option_bool(OPT_LOOP_DETECT)) + return; +@@ -34,22 +35,15 @@ void loop_send_probes() + { + ssize_t len = loop_make_probe(serv->uid); + int fd; +- struct randfd *rfd = NULL; + +- if (serv->sfd) +- fd = serv->sfd->fd; +- else +- { +- if (!(rfd = allocate_rfd(serv->addr.sa.sa_family))) +- continue; +- fd = rfd->fd; +- } ++ if ((fd = allocate_rfd(&rfds, serv)) == -1) ++ continue; + + while (retry_send(sendto(fd, daemon->packet, len, 0, + &serv->addr.sa, sa_len(&serv->addr)))); +- +- free_rfd(rfd); + } ++ ++ free_rfds(&rfds); + } + + static ssize_t loop_make_probe(u32 uid) +Index: dnsmasq-2.81/src/network.c +=================================================================== +--- dnsmasq-2.81.orig/src/network.c ++++ dnsmasq-2.81/src/network.c +@@ -545,6 +545,7 @@ int enumerate_interfaces(int reset) + #ifdef HAVE_AUTH + struct auth_zone *zone; + #endif ++ struct server *serv; + + /* Do this max once per select cycle - also inhibits netlink socket use + in TCP child processes. */ +@@ -562,7 +563,21 @@ int enumerate_interfaces(int reset) + + if ((param.fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1) + return 0; +- ++ ++ /* iface indexes can change when interfaces are created/destroyed. ++ We use them in the main forwarding control path, when the path ++ to a server is specified by an interface, so cache them. ++ Update the cache here. */ ++ for (serv = daemon->servers; serv; serv = serv->next) ++ if (strlen(serv->interface) != 0) ++ { ++ struct ifreq ifr; ++ ++ safe_strncpy(ifr.ifr_name, serv->interface, IF_NAMESIZE); ++ if (ioctl(param.fd, SIOCGIFINDEX, &ifr) != -1) ++ serv->ifindex = ifr.ifr_ifindex; ++ } ++ + /* Mark interfaces for garbage collection */ + for (iface = daemon->interfaces; iface; iface = iface->next) + iface->found = 0; +@@ -658,7 +673,7 @@ int enumerate_interfaces(int reset) + + errno = errsave; + spare = param.spare; +- ++ + return ret; + } + +@@ -798,10 +813,10 @@ int tcp_interface(int fd, int af) + /* use mshdr so that the CMSDG_* macros are available */ + msg.msg_control = daemon->packet; + msg.msg_controllen = len = daemon->packet_buff_sz; +- ++ + /* we overwrote the buffer... */ + daemon->srv_save = NULL; +- ++ + if (af == AF_INET) + { + if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) != -1 && +@@ -1102,59 +1117,6 @@ void join_multicast(int dienow) + } + #endif + +-/* return a UDP socket bound to a random port, have to cope with straying into +- occupied port nos and reserved ones. */ +-int random_sock(int family) +-{ +- int fd; +- +- if ((fd = socket(family, SOCK_DGRAM, 0)) != -1) +- { +- union mysockaddr addr; +- unsigned int ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1; +- int tries = ports_avail < 30 ? 3 * ports_avail : 100; +- +- memset(&addr, 0, sizeof(addr)); +- addr.sa.sa_family = family; +- +- /* don't loop forever if all ports in use. */ +- +- if (fix_fd(fd)) +- while(tries--) +- { +- unsigned short port = htons(daemon->min_port + (rand16() % ((unsigned short)ports_avail))); +- +- if (family == AF_INET) +- { +- addr.in.sin_addr.s_addr = INADDR_ANY; +- addr.in.sin_port = port; +-#ifdef HAVE_SOCKADDR_SA_LEN +- addr.in.sin_len = sizeof(struct sockaddr_in); +-#endif +- } +- else +- { +- addr.in6.sin6_addr = in6addr_any; +- addr.in6.sin6_port = port; +-#ifdef HAVE_SOCKADDR_SA_LEN +- addr.in6.sin6_len = sizeof(struct sockaddr_in6); +-#endif +- } +- +- if (bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == 0) +- return fd; +- +- if (errno != EADDRINUSE && errno != EACCES) +- break; +- } +- +- close(fd); +- } +- +- return -1; +-} +- +- + int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp) + { + union mysockaddr addr_copy = *addr; +@@ -1199,38 +1161,33 @@ int local_bind(int fd, union mysockaddr + return 1; + } + +-static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname) ++static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname, unsigned int ifindex) + { + struct serverfd *sfd; +- unsigned int ifindex = 0; + int errsave; + int opt = 1; + + /* when using random ports, servers which would otherwise use +- the INADDR_ANY/port0 socket have sfd set to NULL */ +- if (!daemon->osport && intname[0] == 0) ++ the INADDR_ANY/port0 socket have sfd set to NULL, this is ++ anything without an explictly set source port. */ ++ if (!daemon->osport) + { + errno = 0; + + if (addr->sa.sa_family == AF_INET && +- addr->in.sin_addr.s_addr == INADDR_ANY && + addr->in.sin_port == htons(0)) + return NULL; + + if (addr->sa.sa_family == AF_INET6 && +- memcmp(&addr->in6.sin6_addr, &in6addr_any, sizeof(in6addr_any)) == 0 && + addr->in6.sin6_port == htons(0)) + return NULL; + } + +- if (intname && strlen(intname) != 0) +- ifindex = if_nametoindex(intname); /* index == 0 when not binding to an interface */ +- + /* may have a suitable one already */ + for (sfd = daemon->sfds; sfd; sfd = sfd->next ) +- if (sockaddr_isequal(&sfd->source_addr, addr) && +- strcmp(intname, sfd->interface) == 0 && +- ifindex == sfd->ifindex) ++ if (ifindex == sfd->ifindex && ++ sockaddr_isequal(&sfd->source_addr, addr) && ++ strcmp(intname, sfd->interface) == 0) + return sfd; + + /* need to make a new one. */ +@@ -1281,7 +1238,7 @@ void pre_allocate_sfds(void) + #ifdef HAVE_SOCKADDR_SA_LEN + addr.in.sin_len = sizeof(struct sockaddr_in); + #endif +- if ((sfd = allocate_sfd(&addr, ""))) ++ if ((sfd = allocate_sfd(&addr, "", 0))) + sfd->preallocated = 1; + + memset(&addr, 0, sizeof(addr)); +@@ -1291,13 +1248,13 @@ void pre_allocate_sfds(void) + #ifdef HAVE_SOCKADDR_SA_LEN + addr.in6.sin6_len = sizeof(struct sockaddr_in6); + #endif +- if ((sfd = allocate_sfd(&addr, ""))) ++ if ((sfd = allocate_sfd(&addr, "", 0))) + sfd->preallocated = 1; + } + + for (srv = daemon->servers; srv; srv = srv->next) + if (!(srv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)) && +- !allocate_sfd(&srv->source_addr, srv->interface) && ++ !allocate_sfd(&srv->source_addr, srv->interface, srv->ifindex) && + errno != 0 && + option_bool(OPT_NOWILD)) + { +@@ -1506,7 +1463,7 @@ void check_servers(void) + + /* Do we need a socket set? */ + if (!serv->sfd && +- !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface)) && ++ !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface, serv->ifindex)) && + errno != 0) + { + my_syslog(LOG_WARNING, +Index: dnsmasq-2.81/src/option.c +=================================================================== +--- dnsmasq-2.81.orig/src/option.c ++++ dnsmasq-2.81/src/option.c +@@ -810,7 +810,8 @@ char *parse_server(char *arg, union myso + if (interface_opt) + { + #if defined(SO_BINDTODEVICE) +- safe_strncpy(interface, interface_opt, IF_NAMESIZE); ++ safe_strncpy(interface, source, IF_NAMESIZE); ++ source = interface_opt; + #else + return _("interface binding not supported"); + #endif +Index: dnsmasq-2.81/src/tftp.c +=================================================================== +--- dnsmasq-2.81.orig/src/tftp.c ++++ dnsmasq-2.81/src/tftp.c +@@ -601,7 +601,7 @@ void check_tftp_listeners(time_t now) + + /* we overwrote the buffer... */ + daemon->srv_save = NULL; +- ++ + if ((len = get_block(daemon->packet, transfer)) == -1) + { + len = tftp_err_oops(daemon->packet, transfer->file->filename); +Index: dnsmasq-2.81/src/util.c +=================================================================== +--- dnsmasq-2.81.orig/src/util.c ++++ dnsmasq-2.81/src/util.c +@@ -316,7 +316,7 @@ void *whine_malloc(size_t size) + return ret; + } + +-int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2) ++int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2) + { + if (s1->sa.sa_family == s2->sa.sa_family) + { diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch new file mode 100644 index 0000000000..b2ef22c06f --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch @@ -0,0 +1,188 @@ +From 70df9f9104c8f0661966298b58caf794b99e26e1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Thu, 22 Sep 2022 17:39:21 +0530 +Subject: [PATCH] CVE-2022-0934 + +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39] +CVE: CVE-2022-0934 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + CHANGELOG | 2 ++ + src/rfc3315.c | 48 +++++++++++++++++++++++++++--------------------- + 2 files changed, 29 insertions(+), 21 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 60b08d0..d1d7e41 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -88,6 +88,8 @@ version 2.81 + + Add --script-on-renewal option. + ++ Fix write-after-free error in DHCPv6 server code. ++ CVE-2022-0934 refers. + + version 2.80 + Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method +diff --git a/src/rfc3315.c b/src/rfc3315.c +index b3f0a0a..eef1360 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -33,9 +33,9 @@ struct state { + unsigned int mac_len, mac_type; + }; + +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now); +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now); ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now); + static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts); + static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string); + static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string); +@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if + } + + /* This cost me blood to write, it will probably cost you blood to understand - srk. */ +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now) + { + void *end = inbuff + sz; + void *opts = inbuff + 34; +- int msg_type = *((unsigned char *)inbuff); ++ int msg_type = *inbuff; + unsigned char *outmsgtypep; + void *opt; + struct dhcp_vendor *vendor; +@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + return 1; + } + +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now) ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now) + { + void *opt; +- int i, o, o1, start_opts; ++ int i, o, o1, start_opts, start_msg; + struct dhcp_opt *opt_cfg; + struct dhcp_netid *tagif; + struct dhcp_config *config = NULL; + struct dhcp_netid known_id, iface_id, v6_id; +- unsigned char *outmsgtypep; ++ unsigned char outmsgtype; + struct dhcp_vendor *vendor; + struct dhcp_context *context_tmp; + struct dhcp_mac *mac_opt; +@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + v6_id.next = state->tags; + state->tags = &v6_id; + +- /* copy over transaction-id, and save pointer to message type */ +- if (!(outmsgtypep = put_opt6(inbuff, 4))) ++ start_msg = save_counter(-1); ++ /* copy over transaction-id */ ++ if (!put_opt6(inbuff, 4)) + return 0; + start_opts = save_counter(-1); +- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; +- ++ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16; ++ + /* We're going to be linking tags from all context we use. + mark them as unused so we don't link one twice and break the list */ + for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current) +@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) + + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6USEMULTI); + put_opt6_string("Use multicast"); +@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *solicit_tags; + struct dhcp_context *c; + +- *outmsgtypep = DHCP6ADVERTISE; ++ outmsgtype = DHCP6ADVERTISE; + + if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + o = new_opt6(OPTION6_RAPID_COMMIT); + end_opt6(o); +@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int start = save_counter(-1); + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + + log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL); +@@ -921,7 +922,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RENEW: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPRENEW", NULL, NULL); + +@@ -1033,7 +1034,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int good_addr = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPCONFIRM", NULL, NULL); + +@@ -1097,7 +1098,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname); + if (ignore) + return 0; +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + tagif = add_options(state, 1); + break; + } +@@ -1106,7 +1107,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RELEASE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPRELEASE", NULL, NULL); + +@@ -1171,7 +1172,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6DECLINE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPDECLINE", NULL, NULL); + +@@ -1251,7 +1252,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + } + + } +- ++ ++ /* Fill in the message type. Note that we store the offset, ++ not a direct pointer, since the packet memory may have been ++ reallocated. */ ++ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype; ++ + log_tags(tagif, state->xid); + log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1)); + +-- +2.25.1 + diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch new file mode 100644 index 0000000000..dd3bd27408 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2023-28450.patch @@ -0,0 +1,63 @@ +From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Tue, 7 Mar 2023 22:07:46 +0000 +Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232. + +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5] +CVE: CVE-2023-28450 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + CHANGELOG | 8 ++++++++ + man/dnsmasq.8 | 3 ++- + src/config.h | 2 +- + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index d1d7e41..7a560d3 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -91,6 +91,14 @@ version 2.81 + Fix write-after-free error in DHCPv6 server code. + CVE-2022-0934 refers. + ++ Set the default maximum DNS UDP packet sice to 1232. This ++ has been the recommended value since 2020 because it's the ++ largest value that avoid fragmentation, and fragmentation ++ is just not reliable on the modern internet, especially ++ for IPv6. It's still possible to override this with ++ --edns-packet-max for special circumstances. ++ ++ + version 2.80 + Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method + for the initial patch and motivation. +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index f2803f9..3cca4bc 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -168,7 +168,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP. + .TP + .B \-P, --edns-packet-max=<size> + Specify the largest EDNS.0 UDP packet which is supported by the DNS +-forwarder. Defaults to 4096, which is the RFC5625-recommended size. ++forwarder. Defaults to 1232, which is the recommended size following the ++DNS flag day in 2020. Only increase if you know what you are doing. + .TP + .B \-Q, --query-port=<query_port> + Send outbound DNS queries from, and listen for their replies on, the +diff --git a/src/config.h b/src/config.h +index 54f6f48..29ac3e7 100644 +--- a/src/config.h ++++ b/src/config.h +@@ -19,7 +19,7 @@ + #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */ + #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */ + #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */ +-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */ ++#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */ + #define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */ + #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */ + #define DNSSEC_WORK 50 /* Max number of queries to validate one question */ +-- +2.18.2 + diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb index 92415386c2..f2b8feac56 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb @@ -4,5 +4,13 @@ SRC_URI[dnsmasq-2.81.md5sum] = "e43808177a773014b5892ccba238f7a8" SRC_URI[dnsmasq-2.81.sha256sum] = "3c28c68c6c2967c3a96e9b432c0c046a5df17a426d3a43cffe9e693cf05804d0" SRC_URI += "\ file://lua.patch \ + file://CVE-2020-25681.patch \ + file://CVE-2020-25684.patch \ + file://CVE-2020-25685-1.patch \ + file://CVE-2020-25685-2.patch \ + file://CVE-2020-25686-1.patch \ + file://CVE-2020-25686-2.patch \ + file://CVE-2021-3448.patch \ + file://CVE-2022-0934.patch \ + file://CVE-2023-28450.patch \ " - diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch new file mode 100644 index 0000000000..6756157700 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25681.patch @@ -0,0 +1,370 @@ +From 4e96a4be685c9e4445f6ee79ad0b36b9119b502a Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Wed, 11 Nov 2020 23:25:04 +0000 +Subject: [PATCH] Fix remote buffer overflow CERT VU#434904 + +The problem is in the sort_rrset() function and allows a remote +attacker to overwrite memory. Any dnsmasq instance with DNSSEC +enabled is vulnerable. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + CHANGELOG | 7 +- + src/dnssec.c | 273 ++++++++++++++++++++++++++++----------------------- + 2 files changed, 158 insertions(+), 122 deletions(-) + +CVE: CVE-2020-25681 +CVE: CVE-2020-25682 +CVE: CVE-2020-25683 +CVE: CVE-2020-25687 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=4e96a4be685c9e4445f6ee79ad0b36b9119b502a] +Comment: Refreshed first two hunks + +Index: dnsmasq-2.81/src/dnssec.c +=================================================================== +--- dnsmasq-2.81.orig/src/dnssec.c ++++ dnsmasq-2.81/src/dnssec.c +@@ -223,138 +223,144 @@ static int check_date_range(unsigned lon + && serial_compare_32(curtime, date_end) == SERIAL_LT; + } + +-/* Return bytes of canonicalised rdata, when the return value is zero, the remaining +- data, pointed to by *p, should be used raw. */ +-static int get_rdata(struct dns_header *header, size_t plen, unsigned char *end, char *buff, int bufflen, +- unsigned char **p, u16 **desc) ++/* Return bytes of canonicalised rrdata one by one. ++ Init state->ip with the RR, and state->end with the end of same. ++ Init state->op to NULL. ++ Init state->desc to RR descriptor. ++ Init state->buff with a MAXDNAME * 2 buffer. ++ ++ After each call which returns 1, state->op points to the next byte of data. ++ On returning 0, the end has been reached. ++*/ ++struct rdata_state { ++ u16 *desc; ++ size_t c; ++ unsigned char *end, *ip, *op; ++ char *buff; ++}; ++ ++static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state *state) + { +- int d = **desc; ++ int d; + +- /* No more data needs mangling */ +- if (d == (u16)-1) ++ if (state->op && state->c != 1) + { +- /* If there's more data than we have space for, just return what fits, +- we'll get called again for more chunks */ +- if (end - *p > bufflen) +- { +- memcpy(buff, *p, bufflen); +- *p += bufflen; +- return bufflen; +- } +- +- return 0; ++ state->op++; ++ state->c--; ++ return 1; + } +- +- (*desc)++; +- +- if (d == 0 && extract_name(header, plen, p, buff, 1, 0)) +- /* domain-name, canonicalise */ +- return to_wire(buff); +- else +- { +- /* plain data preceding a domain-name, don't run off the end of the data */ +- if ((end - *p) < d) +- d = end - *p; +- +- if (d != 0) ++ ++ while (1) ++ { ++ d = *(state->desc); ++ if (d == (u16)-1) + { +- memcpy(buff, *p, d); +- *p += d; ++ /* all the bytes to the end. */ ++ if ((state->c = state->end - state->ip) != 0) ++ { ++ state->op = state->ip; ++ state->ip = state->end;; ++ } ++ else ++ return 0; ++ } ++ else ++ { ++ state->desc++; ++ ++ if (d == (u16)0) ++ { ++ /* domain-name, canonicalise */ ++ int len; ++ ++ if (!extract_name(header, plen, &state->ip, state->buff, 1, 0) || ++ (len = to_wire(state->buff)) == 0) ++ continue; ++ ++ state->c = len; ++ state->op = (unsigned char *)state->buff; ++ } ++ else ++ { ++ /* plain data preceding a domain-name, don't run off the end of the data */ ++ if ((state->end - state->ip) < d) ++ d = state->end - state->ip; ++ ++ if (d == 0) ++ continue; ++ ++ state->op = state->ip; ++ state->c = d; ++ state->ip += d; ++ } + } + +- return d; ++ return 1; + } + } + +-/* Bubble sort the RRset into the canonical order. +- Note that the byte-streams from two RRs may get unsynced: consider +- RRs which have two domain-names at the start and then other data. +- The domain-names may have different lengths in each RR, but sort equal +- +- ------------ +- |abcde|fghi| +- ------------ +- |abcd|efghi| +- ------------ +- +- leaving the following bytes as deciding the order. Hence the nasty left1 and left2 variables. +-*/ ++/* Bubble sort the RRset into the canonical order. */ + + static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx, + unsigned char **rrset, char *buff1, char *buff2) + { +- int swap, quit, i, j; ++ int swap, i, j; + + do + { + for (swap = 0, i = 0; i < rrsetidx-1; i++) + { +- int rdlen1, rdlen2, left1, left2, len1, len2, len, rc; +- u16 *dp1, *dp2; +- unsigned char *end1, *end2; ++ int rdlen1, rdlen2; ++ struct rdata_state state1, state2; ++ + /* Note that these have been determined to be OK previously, + so we don't need to check for NULL return here. */ +- unsigned char *p1 = skip_name(rrset[i], header, plen, 10); +- unsigned char *p2 = skip_name(rrset[i+1], header, plen, 10); +- +- p1 += 8; /* skip class, type, ttl */ +- GETSHORT(rdlen1, p1); +- end1 = p1 + rdlen1; +- +- p2 += 8; /* skip class, type, ttl */ +- GETSHORT(rdlen2, p2); +- end2 = p2 + rdlen2; +- +- dp1 = dp2 = rr_desc; +- +- for (quit = 0, left1 = 0, left2 = 0, len1 = 0, len2 = 0; !quit;) ++ state1.ip = skip_name(rrset[i], header, plen, 10); ++ state2.ip = skip_name(rrset[i+1], header, plen, 10); ++ state1.op = state2.op = NULL; ++ state1.buff = buff1; ++ state2.buff = buff2; ++ state1.desc = state2.desc = rr_desc; ++ ++ state1.ip += 8; /* skip class, type, ttl */ ++ GETSHORT(rdlen1, state1.ip); ++ if (!CHECK_LEN(header, state1.ip, plen, rdlen1)) ++ return rrsetidx; /* short packet */ ++ state1.end = state1.ip + rdlen1; ++ state2.ip += 8; /* skip class, type, ttl */ ++ GETSHORT(rdlen2, state2.ip); ++ if (!CHECK_LEN(header, state2.ip, plen, rdlen2)) ++ return rrsetidx; /* short packet */ ++ state2.end = state2.ip + rdlen2; ++ ++ while (1) + { +- if (left1 != 0) +- memmove(buff1, buff1 + len1 - left1, left1); +- +- if ((len1 = get_rdata(header, plen, end1, buff1 + left1, (MAXDNAME * 2) - left1, &p1, &dp1)) == 0) +- { +- quit = 1; +- len1 = end1 - p1; +- memcpy(buff1 + left1, p1, len1); ++ int ok1, ok2; ++ ok1 = get_rdata(header, plen, &state1); ++ ok2 = get_rdata(header, plen, &state2); ++ ++ if (!ok1 && !ok2) ++ { ++ /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */ ++ for (j = i+1; j < rrsetidx-1; j++) ++ rrset[j] = rrset[j+1]; ++ rrsetidx--; ++ i--; ++ break; + } +- len1 += left1; +- +- if (left2 != 0) +- memmove(buff2, buff2 + len2 - left2, left2); +- +- if ((len2 = get_rdata(header, plen, end2, buff2 + left2, (MAXDNAME *2) - left2, &p2, &dp2)) == 0) +- { +- quit = 1; +- len2 = end2 - p2; +- memcpy(buff2 + left2, p2, len2); +- } +- len2 += left2; +- +- if (len1 > len2) +- left1 = len1 - len2, left2 = 0, len = len2; +- else +- left2 = len2 - len1, left1 = 0, len = len1; +- +- rc = (len == 0) ? 0 : memcmp(buff1, buff2, len); +- +- if (rc > 0 || (rc == 0 && quit && len1 > len2)) ++ else if (ok1 && (!ok2 || *state1.op > *state2.op)) + { + unsigned char *tmp = rrset[i+1]; + rrset[i+1] = rrset[i]; + rrset[i] = tmp; +- swap = quit = 1; +- } +- else if (rc == 0 && quit && len1 == len2) +- { +- /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */ +- for (j = i+1; j < rrsetidx-1; j++) +- rrset[j] = rrset[j+1]; +- rrsetidx--; +- i--; ++ swap = 1; ++ break; + } +- else if (rc < 0) +- quit = 1; ++ else if (ok2 && (!ok1 || *state2.op > *state1.op)) ++ break; ++ ++ /* arrive here when bytes are equal, go round the loop again ++ and compare the next ones. */ + } + } + } while (swap); +@@ -569,12 +575,15 @@ static int validate_rrset(time_t now, st + wire_len = to_wire(keyname); + hash->update(ctx, (unsigned int)wire_len, (unsigned char*)keyname); + from_wire(keyname); ++ ++#define RRBUFLEN 300 /* Most RRs are smaller than this. */ + + for (i = 0; i < rrsetidx; ++i) + { +- int seg; +- unsigned char *end, *cp; +- u16 len, *dp; ++ int j; ++ struct rdata_state state; ++ u16 len; ++ unsigned char rrbuf[RRBUFLEN]; + + p = rrset[i]; + +@@ -586,12 +595,11 @@ static int validate_rrset(time_t now, st + /* if more labels than in RRsig name, hash *.<no labels in rrsig labels field> 4035 5.3.2 */ + if (labels < name_labels) + { +- int k; +- for (k = name_labels - labels; k != 0; k--) ++ for (j = name_labels - labels; j != 0; j--) + { + while (*name_start != '.' && *name_start != 0) + name_start++; +- if (k != 1 && *name_start == '.') ++ if (j != 1 && *name_start == '.') + name_start++; + } + +@@ -612,24 +620,44 @@ static int validate_rrset(time_t now, st + if (!CHECK_LEN(header, p, plen, rdlen)) + return STAT_BOGUS; + +- end = p + rdlen; +- +- /* canonicalise rdata and calculate length of same, use name buffer as workspace. +- Note that name buffer is twice MAXDNAME long in DNSSEC mode. */ +- cp = p; +- dp = rr_desc; +- for (len = 0; (seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp)) != 0; len += seg); +- len += end - cp; +- len = htons(len); ++ /* canonicalise rdata and calculate length of same, use ++ name buffer as workspace for get_rdata. */ ++ state.ip = p; ++ state.op = NULL; ++ state.desc = rr_desc; ++ state.buff = name; ++ state.end = p + rdlen; ++ ++ for (j = 0; get_rdata(header, plen, &state); j++) ++ if (j < RRBUFLEN) ++ rrbuf[j] = *state.op; ++ ++ len = htons((u16)j); + hash->update(ctx, 2, (unsigned char *)&len); ++ ++ /* If the RR is shorter than RRBUFLEN (most of them, in practice) ++ then we can just digest it now. If it exceeds RRBUFLEN we have to ++ go back to the start and do it in chunks. */ ++ if (j >= RRBUFLEN) ++ { ++ state.ip = p; ++ state.op = NULL; ++ state.desc = rr_desc; ++ ++ for (j = 0; get_rdata(header, plen, &state); j++) ++ { ++ rrbuf[j] = *state.op; ++ ++ if (j == RRBUFLEN - 1) ++ { ++ hash->update(ctx, RRBUFLEN, rrbuf); ++ j = -1; ++ } ++ } ++ } + +- /* Now canonicalise again and digest. */ +- cp = p; +- dp = rr_desc; +- while ((seg = get_rdata(header, plen, end, name, MAXDNAME * 2, &cp, &dp))) +- hash->update(ctx, seg, (unsigned char *)name); +- if (cp != end) +- hash->update(ctx, end - cp, cp); ++ if (j != 0) ++ hash->update(ctx, j, rrbuf); + } + + hash->digest(ctx, hash->digest_size, digest); diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch new file mode 100644 index 0000000000..f7ff4b27cc --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25684.patch @@ -0,0 +1,98 @@ +From 257ac0c5f7732cbc6aa96fdd3b06602234593aca Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Thu, 12 Nov 2020 18:49:23 +0000 +Subject: [PATCH] Check destination of DNS UDP query replies. + +At any time, dnsmasq will have a set of sockets open, bound to +random ports, on which it sends queries to upstream nameservers. +This patch fixes the existing problem that a reply for ANY in-flight +query would be accepted via ANY open port, which increases the +chances of an attacker flooding answers "in the blind" in an +attempt to poison the DNS cache. CERT VU#434904 refers. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + CHANGELOG | 6 +++++- + src/forward.c | 37 ++++++++++++++++++++++++++++--------- + 2 files changed, 33 insertions(+), 10 deletions(-) + +CVE: CVE-2020-25684 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=257ac0c5f7732cbc6aa96fdd3b06602234593aca] +Comment: No change in any hunk + +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -16,7 +16,7 @@ + + #include "dnsmasq.h" + +-static struct frec *lookup_frec(unsigned short id, void *hash); ++static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash); + static struct frec *lookup_frec_by_sender(unsigned short id, + union mysockaddr *addr, + void *hash); +@@ -805,7 +805,7 @@ void reply_query(int fd, int family, tim + crc = questions_crc(header, n, daemon->namebuff); + #endif + +- if (!(forward = lookup_frec(ntohs(header->id), hash))) ++ if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash))) + return; + + #ifdef HAVE_DUMPFILE +@@ -2338,14 +2338,25 @@ struct frec *get_new_frec(time_t now, in + } + + /* crc is all-ones if not known. */ +-static struct frec *lookup_frec(unsigned short id, void *hash) ++static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash) + { + struct frec *f; + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->new_id == id && + (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0)) +- return f; ++ { ++ /* sent from random port */ ++ if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd) ++ return f; ++ ++ if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd) ++ return f; ++ ++ /* sent to upstream from bound socket. */ ++ if (f->sentto->sfd && f->sentto->sfd->fd == fd) ++ return f; ++ } + + return NULL; + } +@@ -2406,12 +2417,20 @@ void server_gone(struct server *server) + static unsigned short get_id(void) + { + unsigned short ret = 0; ++ struct frec *f; + +- do +- ret = rand16(); +- while (lookup_frec(ret, NULL)); +- +- return ret; ++ while (1) ++ { ++ ret = rand16(); ++ ++ /* ensure id is unique. */ ++ for (f = daemon->frec_list; f; f = f->next) ++ if (f->sentto && f->new_id == ret) ++ break; ++ ++ if (!f) ++ return ret; ++ } + } + + diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch new file mode 100644 index 0000000000..5eb582c671 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-1.patch @@ -0,0 +1,587 @@ +From 2d765867c597db18be9d876c9c17e2c0fe1953cd Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Thu, 12 Nov 2020 22:06:07 +0000 +Subject: [PATCH] Use SHA-256 to provide security against DNS cache poisoning. + +Use the SHA-256 hash function to verify that DNS answers +received are for the questions originally asked. This replaces +the slightly insecure SHA-1 (when compiled with DNSSEC) or +the very insecure CRC32 (otherwise). Refer: CERT VU#434904. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + CHANGELOG | 5 + + Makefile | 3 +- + bld/Android.mk | 2 +- + src/dnsmasq.h | 11 +- + src/dnssec.c | 31 ----- + src/forward.c | 43 ++----- + src/hash_questions.c | 281 +++++++++++++++++++++++++++++++++++++++++++ + src/rfc1035.c | 49 -------- + 8 files changed, 301 insertions(+), 124 deletions(-) + create mode 100644 src/hash_questions.c + +CVE: CVE-2020-25685 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b] +Comment: No change in any hunk + +Index: dnsmasq-2.81/Makefile +=================================================================== +--- dnsmasq-2.81.orig/Makefile ++++ dnsmasq-2.81/Makefile +@@ -77,7 +77,8 @@ objs = cache.o rfc1035.o util.o option.o + helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ +- poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o metrics.o ++ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o ubus.o \ ++ metrics.o hash_questions.o + + hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ + dns-protocol.h radv-protocol.h ip6addr.h metrics.h +Index: dnsmasq-2.81/bld/Android.mk +=================================================================== +--- dnsmasq-2.81.orig/bld/Android.mk ++++ dnsmasq-2.81/bld/Android.mk +@@ -11,7 +11,7 @@ LOCAL_SRC_FILES := bpf.c cache.c dbus.c + radv.c slaac.c auth.c ipset.c domain.c \ + dnssec.c dnssec-openssl.c blockdata.c tables.c \ + loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \ +- crypto.c dump.c ubus.c ++ crypto.c dump.c ubus.c metrics.c hash_questions.c + + LOCAL_MODULE := dnsmasq + +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -654,11 +654,7 @@ struct hostsfile { + #define FREC_TEST_PKTSZ 256 + #define FREC_HAS_EXTRADATA 512 + +-#ifdef HAVE_DNSSEC +-#define HASH_SIZE 20 /* SHA-1 digest size */ +-#else +-#define HASH_SIZE sizeof(int) +-#endif ++#define HASH_SIZE 32 /* SHA-256 digest size */ + + struct frec { + union mysockaddr source; +@@ -1218,7 +1214,6 @@ int check_for_bogus_wildcard(struct dns_ + struct bogus_addr *baddr, time_t now); + int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr); + int check_for_local_domain(char *name, time_t now); +-unsigned int questions_crc(struct dns_header *header, size_t plen, char *name); + size_t resize_packet(struct dns_header *header, size_t plen, + unsigned char *pheader, size_t hlen); + int add_resource_record(struct dns_header *header, char *limit, int *truncp, +@@ -1243,9 +1238,11 @@ int dnssec_validate_reply(time_t now, st + int check_unsigned, int *neganswer, int *nons, int *nsec_ttl); + int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen); + size_t filter_rrsigs(struct dns_header *header, size_t plen); +-unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name); + int setup_timestamp(void); + ++/* hash_questions.c */ ++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name); ++ + /* crypto.c */ + const struct nettle_hash *hash_find(char *name); + int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char **digestp); +Index: dnsmasq-2.81/src/dnssec.c +=================================================================== +--- dnsmasq-2.81.orig/src/dnssec.c ++++ dnsmasq-2.81/src/dnssec.c +@@ -2084,35 +2084,4 @@ size_t dnssec_generate_query(struct dns_ + return ret; + } + +-unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name) +-{ +- int q; +- unsigned int len; +- unsigned char *p = (unsigned char *)(header+1); +- const struct nettle_hash *hash; +- void *ctx; +- unsigned char *digest; +- +- if (!(hash = hash_find("sha1")) || !hash_init(hash, &ctx, &digest)) +- return NULL; +- +- for (q = ntohs(header->qdcount); q != 0; q--) +- { +- if (!extract_name(header, plen, &p, name, 1, 4)) +- break; /* bad packet */ +- +- len = to_wire(name); +- hash->update(ctx, len, (unsigned char *)name); +- /* CRC the class and type as well */ +- hash->update(ctx, 4, p); +- +- p += 4; +- if (!CHECK_LEN(header, p, plen, 0)) +- break; /* bad packet */ +- } +- +- hash->digest(ctx, hash->digest_size, digest); +- return digest; +-} +- + #endif /* HAVE_DNSSEC */ +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -256,19 +256,16 @@ static int forward_query(int udpfd, unio + union all_addr *addrp = NULL; + unsigned int flags = 0; + struct server *start = NULL; +-#ifdef HAVE_DNSSEC + void *hash = hash_questions(header, plen, daemon->namebuff); ++#ifdef HAVE_DNSSEC + int do_dnssec = 0; +-#else +- unsigned int crc = questions_crc(header, plen, daemon->namebuff); +- void *hash = &crc; + #endif + unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL); + unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL); + (void)do_bit; + + /* may be no servers available. */ +- if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash)))) ++ if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))) + { + /* If we didn't get an answer advertising a maximal packet in EDNS, + fall back to 1280, which should work everywhere on IPv6. +@@ -769,9 +766,6 @@ void reply_query(int fd, int family, tim + size_t nn; + struct server *server; + void *hash; +-#ifndef HAVE_DNSSEC +- unsigned int crc; +-#endif + + /* packet buffer overwritten */ + daemon->srv_save = NULL; +@@ -798,12 +792,7 @@ void reply_query(int fd, int family, tim + if (difftime(now, server->pktsz_reduced) > UDP_TEST_TIME) + server->edns_pktsz = daemon->edns_pktsz; + +-#ifdef HAVE_DNSSEC + hash = hash_questions(header, n, daemon->namebuff); +-#else +- hash = &crc; +- crc = questions_crc(header, n, daemon->namebuff); +-#endif + + if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash))) + return; +@@ -1115,8 +1104,7 @@ void reply_query(int fd, int family, tim + log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, daemon->keyname, (union all_addr *)&(server->addr.in6.sin6_addr), + querystr("dnssec-query", querytype)); + +- if ((hash = hash_questions(header, nn, daemon->namebuff))) +- memcpy(new->hash, hash, HASH_SIZE); ++ memcpy(new->hash, hash_questions(header, nn, daemon->namebuff), HASH_SIZE); + new->new_id = get_id(); + header->id = htons(new->new_id); + /* Save query for retransmission */ +@@ -1969,15 +1957,9 @@ unsigned char *tcp_request(int confd, ti + if (!flags && last_server) + { + struct server *firstsendto = NULL; +-#ifdef HAVE_DNSSEC +- unsigned char *newhash, hash[HASH_SIZE]; +- if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff))) +- memcpy(hash, newhash, HASH_SIZE); +- else +- memset(hash, 0, HASH_SIZE); +-#else +- unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff); +-#endif ++ unsigned char hash[HASH_SIZE]; ++ memcpy(hash, hash_questions(header, (unsigned int)size, daemon->namebuff), HASH_SIZE); ++ + /* Loop round available servers until we succeed in connecting to one. + Note that this code subtly ensures that consecutive queries on this connection + which can go to the same server, do so. */ +@@ -2116,20 +2098,11 @@ unsigned char *tcp_request(int confd, ti + /* If the crc of the question section doesn't match the crc we sent, then + someone might be attempting to insert bogus values into the cache by + sending replies containing questions and bogus answers. */ +-#ifdef HAVE_DNSSEC +- newhash = hash_questions(header, (unsigned int)m, daemon->namebuff); +- if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0) ++ if (memcmp(hash, hash_questions(header, (unsigned int)m, daemon->namebuff), HASH_SIZE) != 0) + { + m = 0; + break; + } +-#else +- if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff)) +- { +- m = 0; +- break; +- } +-#endif + + m = process_reply(header, now, last_server, (unsigned int)m, + option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer, +@@ -2344,7 +2317,7 @@ static struct frec *lookup_frec(unsigned + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->new_id == id && +- (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0)) ++ (memcmp(hash, f->hash, HASH_SIZE) == 0)) + { + /* sent from random port */ + if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd) +Index: dnsmasq-2.81/src/hash_questions.c +=================================================================== +--- /dev/null ++++ dnsmasq-2.81/src/hash_questions.c +@@ -0,0 +1,281 @@ ++/* Copyright (c) 2012-2020 Simon Kelley ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; version 2 dated June, 1991, or ++ (at your option) version 3 dated 29 June, 2007. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see <http://www.gnu.org/licenses/>. ++*/ ++ ++ ++/* Hash the question section. This is used to safely detect query ++ retransmission and to detect answers to questions we didn't ask, which ++ might be poisoning attacks. Note that we decode the name rather ++ than CRC the raw bytes, since replies might be compressed differently. ++ We ignore case in the names for the same reason. ++ ++ The hash used is SHA-256. If we're building with DNSSEC support, ++ we use the Nettle cypto library. If not, we prefer not to ++ add a dependency on Nettle, and use a stand-alone implementaion. ++*/ ++ ++#include "dnsmasq.h" ++ ++#ifdef HAVE_DNSSEC ++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) ++{ ++ int q; ++ unsigned char *p = (unsigned char *)(header+1); ++ const struct nettle_hash *hash; ++ void *ctx; ++ unsigned char *digest; ++ ++ if (!(hash = hash_find("sha256")) || !hash_init(hash, &ctx, &digest)) ++ { ++ /* don't think this can ever happen. */ ++ static unsigned char dummy[HASH_SIZE]; ++ static int warned = 0; ++ ++ if (warned) ++ my_syslog(LOG_ERR, _("Failed to create SHA-256 hash object")); ++ warned = 1; ++ ++ return dummy; ++ } ++ ++ for (q = ntohs(header->qdcount); q != 0; q--) ++ { ++ char *cp, c; ++ ++ if (!extract_name(header, plen, &p, name, 1, 4)) ++ break; /* bad packet */ ++ ++ for (cp = name; (c = *cp); cp++) ++ if (c >= 'A' && c <= 'Z') ++ *cp += 'a' - 'A'; ++ ++ hash->update(ctx, cp - name, (unsigned char *)name); ++ /* CRC the class and type as well */ ++ hash->update(ctx, 4, p); ++ ++ p += 4; ++ if (!CHECK_LEN(header, p, plen, 0)) ++ break; /* bad packet */ ++ } ++ ++ hash->digest(ctx, hash->digest_size, digest); ++ return digest; ++} ++ ++#else /* HAVE_DNSSEC */ ++ ++#define SHA256_BLOCK_SIZE 32 // SHA256 outputs a 32 byte digest ++typedef unsigned char BYTE; // 8-bit byte ++typedef unsigned int WORD; // 32-bit word, change to "long" for 16-bit machines ++ ++typedef struct { ++ BYTE data[64]; ++ WORD datalen; ++ unsigned long long bitlen; ++ WORD state[8]; ++} SHA256_CTX; ++ ++static void sha256_init(SHA256_CTX *ctx); ++static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len); ++static void sha256_final(SHA256_CTX *ctx, BYTE hash[]); ++ ++ ++unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) ++{ ++ int q; ++ unsigned char *p = (unsigned char *)(header+1); ++ SHA256_CTX ctx; ++ static BYTE digest[SHA256_BLOCK_SIZE]; ++ ++ sha256_init(&ctx); ++ ++ for (q = ntohs(header->qdcount); q != 0; q--) ++ { ++ char *cp, c; ++ ++ if (!extract_name(header, plen, &p, name, 1, 4)) ++ break; /* bad packet */ ++ ++ for (cp = name; (c = *cp); cp++) ++ if (c >= 'A' && c <= 'Z') ++ *cp += 'a' - 'A'; ++ ++ sha256_update(&ctx, (BYTE *)name, cp - name); ++ /* CRC the class and type as well */ ++ sha256_update(&ctx, (BYTE *)p, 4); ++ ++ p += 4; ++ if (!CHECK_LEN(header, p, plen, 0)) ++ break; /* bad packet */ ++ } ++ ++ sha256_final(&ctx, digest); ++ return (unsigned char *)digest; ++} ++ ++/* Code from here onwards comes from https://github.com/B-Con/crypto-algorithms ++ and was written by Brad Conte (brad@bradconte.com), to whom all credit is given. ++ ++ This code is in the public domain, and the copyright notice at the head of this ++ file does not apply to it. ++*/ ++ ++ ++/****************************** MACROS ******************************/ ++#define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b)))) ++#define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b)))) ++ ++#define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z))) ++#define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) ++#define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22)) ++#define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25)) ++#define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3)) ++#define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10)) ++ ++/**************************** VARIABLES *****************************/ ++static const WORD k[64] = { ++ 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5, ++ 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174, ++ 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da, ++ 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967, ++ 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85, ++ 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070, ++ 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3, ++ 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 ++}; ++ ++/*********************** FUNCTION DEFINITIONS ***********************/ ++static void sha256_transform(SHA256_CTX *ctx, const BYTE data[]) ++{ ++ WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64]; ++ ++ for (i = 0, j = 0; i < 16; ++i, j += 4) ++ m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]); ++ for ( ; i < 64; ++i) ++ m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16]; ++ ++ a = ctx->state[0]; ++ b = ctx->state[1]; ++ c = ctx->state[2]; ++ d = ctx->state[3]; ++ e = ctx->state[4]; ++ f = ctx->state[5]; ++ g = ctx->state[6]; ++ h = ctx->state[7]; ++ ++ for (i = 0; i < 64; ++i) ++ { ++ t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i]; ++ t2 = EP0(a) + MAJ(a,b,c); ++ h = g; ++ g = f; ++ f = e; ++ e = d + t1; ++ d = c; ++ c = b; ++ b = a; ++ a = t1 + t2; ++ } ++ ++ ctx->state[0] += a; ++ ctx->state[1] += b; ++ ctx->state[2] += c; ++ ctx->state[3] += d; ++ ctx->state[4] += e; ++ ctx->state[5] += f; ++ ctx->state[6] += g; ++ ctx->state[7] += h; ++} ++ ++static void sha256_init(SHA256_CTX *ctx) ++{ ++ ctx->datalen = 0; ++ ctx->bitlen = 0; ++ ctx->state[0] = 0x6a09e667; ++ ctx->state[1] = 0xbb67ae85; ++ ctx->state[2] = 0x3c6ef372; ++ ctx->state[3] = 0xa54ff53a; ++ ctx->state[4] = 0x510e527f; ++ ctx->state[5] = 0x9b05688c; ++ ctx->state[6] = 0x1f83d9ab; ++ ctx->state[7] = 0x5be0cd19; ++} ++ ++static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len) ++{ ++ WORD i; ++ ++ for (i = 0; i < len; ++i) ++ { ++ ctx->data[ctx->datalen] = data[i]; ++ ctx->datalen++; ++ if (ctx->datalen == 64) { ++ sha256_transform(ctx, ctx->data); ++ ctx->bitlen += 512; ++ ctx->datalen = 0; ++ } ++ } ++} ++ ++static void sha256_final(SHA256_CTX *ctx, BYTE hash[]) ++{ ++ WORD i; ++ ++ i = ctx->datalen; ++ ++ // Pad whatever data is left in the buffer. ++ if (ctx->datalen < 56) ++ { ++ ctx->data[i++] = 0x80; ++ while (i < 56) ++ ctx->data[i++] = 0x00; ++ } ++ else ++ { ++ ctx->data[i++] = 0x80; ++ while (i < 64) ++ ctx->data[i++] = 0x00; ++ sha256_transform(ctx, ctx->data); ++ memset(ctx->data, 0, 56); ++ } ++ ++ // Append to the padding the total message's length in bits and transform. ++ ctx->bitlen += ctx->datalen * 8; ++ ctx->data[63] = ctx->bitlen; ++ ctx->data[62] = ctx->bitlen >> 8; ++ ctx->data[61] = ctx->bitlen >> 16; ++ ctx->data[60] = ctx->bitlen >> 24; ++ ctx->data[59] = ctx->bitlen >> 32; ++ ctx->data[58] = ctx->bitlen >> 40; ++ ctx->data[57] = ctx->bitlen >> 48; ++ ctx->data[56] = ctx->bitlen >> 56; ++ sha256_transform(ctx, ctx->data); ++ ++ // Since this implementation uses little endian byte ordering and SHA uses big endian, ++ // reverse all the bytes when copying the final state to the output hash. ++ for (i = 0; i < 4; ++i) ++ { ++ hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 4] = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 8] = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff; ++ hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff; ++ } ++} ++ ++#endif +Index: dnsmasq-2.81/src/rfc1035.c +=================================================================== +--- dnsmasq-2.81.orig/src/rfc1035.c ++++ dnsmasq-2.81/src/rfc1035.c +@@ -333,55 +333,6 @@ unsigned char *skip_section(unsigned cha + return ansp; + } + +-/* CRC the question section. This is used to safely detect query +- retransmission and to detect answers to questions we didn't ask, which +- might be poisoning attacks. Note that we decode the name rather +- than CRC the raw bytes, since replies might be compressed differently. +- We ignore case in the names for the same reason. Return all-ones +- if there is not question section. */ +-#ifndef HAVE_DNSSEC +-unsigned int questions_crc(struct dns_header *header, size_t plen, char *name) +-{ +- int q; +- unsigned int crc = 0xffffffff; +- unsigned char *p1, *p = (unsigned char *)(header+1); +- +- for (q = ntohs(header->qdcount); q != 0; q--) +- { +- if (!extract_name(header, plen, &p, name, 1, 4)) +- return crc; /* bad packet */ +- +- for (p1 = (unsigned char *)name; *p1; p1++) +- { +- int i = 8; +- char c = *p1; +- +- if (c >= 'A' && c <= 'Z') +- c += 'a' - 'A'; +- +- crc ^= c << 24; +- while (i--) +- crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1; +- } +- +- /* CRC the class and type as well */ +- for (p1 = p; p1 < p+4; p1++) +- { +- int i = 8; +- crc ^= *p1 << 24; +- while (i--) +- crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1; +- } +- +- p += 4; +- if (!CHECK_LEN(header, p, plen, 0)) +- return crc; /* bad packet */ +- } +- +- return crc; +-} +-#endif +- + size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen) + { + unsigned char *ansp = skip_questions(header, plen); diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch new file mode 100644 index 0000000000..302c42ccca --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25685-2.patch @@ -0,0 +1,175 @@ +From 2024f9729713fd657d65e64c2e4e471baa0a3e5b Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> +Date: Wed, 25 Nov 2020 17:18:55 +0100 +Subject: [PATCH] Support hash function from nettle (only) + +Unlike COPTS=-DHAVE_DNSSEC, allow usage of just sha256 function from +nettle, but keep DNSSEC disabled at build time. Skips use of internal +hash implementation without support for validation built-in. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + Makefile | 8 +++++--- + bld/pkg-wrapper | 41 ++++++++++++++++++++++------------------- + src/config.h | 8 ++++++++ + src/crypto.c | 7 +++++++ + src/dnsmasq.h | 2 +- + src/hash_questions.c | 2 +- + 6 files changed, 44 insertions(+), 24 deletions(-) + +CVE: CVE-2020-25685 +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=2024f9729713fd657d65e64c2e4e471baa0a3e5b] +Comment: Refreshed a hunk from pkg-wrapper and second hunk from Makefile + +Index: dnsmasq-2.81/Makefile +=================================================================== +--- dnsmasq-2.81.orig/Makefile ++++ dnsmasq-2.81/Makefile +@@ -53,7 +53,7 @@ top?=$(CURDIR) + + dbus_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` + dbus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` +-ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy -lubox -lubus` ++ubus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_UBUS "" --copy '-lubox -lubus'` + idn_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn` + idn_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn` + idn2_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2` +@@ -62,8 +62,10 @@ ct_cflags = `echo $(COPTS) | $(top)/ + ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack` + lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua` + lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua` +-nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed` +-nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed` ++nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags 'nettle hogweed' \ ++ HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle` ++nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs 'nettle hogweed' \ ++ HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle` + gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp` + sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi` + version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"' +Index: dnsmasq-2.81/bld/pkg-wrapper +=================================================================== +--- dnsmasq-2.81.orig/bld/pkg-wrapper ++++ dnsmasq-2.81/bld/pkg-wrapper +@@ -1,35 +1,37 @@ + #!/bin/sh + +-search=$1 +-shift +-pkg=$1 +-shift +-op=$1 +-shift +- + in=`cat` + +-if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \ +- echo $in | grep $search >/dev/null 2>&1; then ++search() ++{ ++ grep "^\#[[:space:]]*define[[:space:]]*$1" config.h >/dev/null 2>&1 || \ ++ echo $in | grep $1 >/dev/null 2>&1 ++} ++ ++while [ "$#" -gt 0 ]; do ++ search=$1 ++ pkg=$2 ++ op=$3 ++ lib=$4 ++ shift 4 ++if search "$search"; then ++ + # Nasty, nasty, in --copy, arg 2 (if non-empty) is another config to search for, used with NO_GMP + if [ $op = "--copy" ]; then + if [ -z "$pkg" ]; then +- pkg="$*" +- elif grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \ +- echo $in | grep $pkg >/dev/null 2>&1; then ++ pkg="$lib" ++ elif search "$pkg"; then + pkg="" + else +- pkg="$*" ++ pkg="$lib" + fi +- elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \ +- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then +- pkg=`$pkg --static $op $*` ++ elif search "${search}_STATIC"; then ++ pkg=`$pkg --static $op $lib` + else +- pkg=`$pkg $op $*` ++ pkg=`$pkg $op $lib` + fi + +- if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \ +- echo $in | grep ${search}_STATIC >/dev/null 2>&1; then ++ if search "${search}_STATIC"; then + if [ $op = "--libs" ] || [ $op = "--copy" ]; then + echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic" + else +@@ -40,3 +42,4 @@ if grep "^\#[[:space:]]*define[[:space:] + fi + fi + ++done +Index: dnsmasq-2.81/src/config.h +=================================================================== +--- dnsmasq-2.81.orig/src/config.h ++++ dnsmasq-2.81/src/config.h +@@ -118,6 +118,9 @@ HAVE_AUTH + define this to include the facility to act as an authoritative DNS + server for one or more zones. + ++HAVE_NETTLEHASH ++ include just hash function from nettle, but no DNSSEC. ++ + HAVE_DNSSEC + include DNSSEC validator. + +@@ -185,6 +188,7 @@ RESOLVFILE + /* #define HAVE_IDN */ + /* #define HAVE_LIBIDN2 */ + /* #define HAVE_CONNTRACK */ ++/* #define HAVE_NETTLEHASH */ + /* #define HAVE_DNSSEC */ + + +@@ -418,6 +422,10 @@ static char *compile_opts = + "no-" + #endif + "auth " ++#if !defined(HAVE_NETTLEHASH) && !defined(HAVE_DNSSEC) ++"no-" ++#endif ++"nettlehash " + #ifndef HAVE_DNSSEC + "no-" + #endif +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -161,6 +161,9 @@ extern int capget(cap_user_header_t head + # include <nettle/nettle-meta.h> + #endif + ++#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH) ++# include <nettle/nettle-meta.h> ++#endif + /* daemon is function in the C library.... */ + #define daemon dnsmasq_daemon + +Index: dnsmasq-2.81/src/hash_questions.c +=================================================================== +--- dnsmasq-2.81.orig/src/hash_questions.c ++++ dnsmasq-2.81/src/hash_questions.c +@@ -28,7 +28,7 @@ + + #include "dnsmasq.h" + +-#ifdef HAVE_DNSSEC ++#if defined(HAVE_DNSSEC) || defined(HAVE_NETTLEHASH) + unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name) + { + int q; diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch new file mode 100644 index 0000000000..fd9d0a9b16 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-1.patch @@ -0,0 +1,332 @@ +From 15b60ddf935a531269bb8c68198de012a4967156 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Wed, 18 Nov 2020 18:34:55 +0000 +Subject: [PATCH] Handle multiple identical near simultaneous DNS queries + better. + +Previously, such queries would all be forwarded +independently. This is, in theory, inefficent but in practise +not a problem, _except_ that is means that an answer for any +of the forwarded queries will be accepted and cached. +An attacker can send a query multiple times, and for each repeat, +another {port, ID} becomes capable of accepting the answer he is +sending in the blind, to random IDs and ports. The chance of a +succesful attack is therefore multiplied by the number of repeats +of the query. The new behaviour detects repeated queries and +merely stores the clients sending repeats so that when the +first query completes, the answer can be sent to all the +clients who asked. Refer: CERT VU#434904. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + CHANGELOG | 16 +++++- + src/dnsmasq.h | 19 ++++--- + src/forward.c | 142 ++++++++++++++++++++++++++++++++++++++++++-------- + 3 files changed, 147 insertions(+), 30 deletions(-) + +CVE: CVE-2020-25686 +Upstream-Status: Backport [http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=15b60ddf935a531269bb8c68198de012a4967156] +Comment: No change in any hunk + +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -655,19 +655,24 @@ struct hostsfile { + #define FREC_DO_QUESTION 64 + #define FREC_ADDED_PHEADER 128 + #define FREC_TEST_PKTSZ 256 +-#define FREC_HAS_EXTRADATA 512 ++#define FREC_HAS_EXTRADATA 512 ++#define FREC_HAS_PHEADER 1024 + + #define HASH_SIZE 32 /* SHA-256 digest size */ + + struct frec { +- union mysockaddr source; +- union all_addr dest; ++ struct frec_src { ++ union mysockaddr source; ++ union all_addr dest; ++ unsigned int iface, log_id; ++ unsigned short orig_id; ++ struct frec_src *next; ++ } frec_src; + struct server *sentto; /* NULL means free */ + struct randfd *rfd4; + struct randfd *rfd6; +- unsigned int iface; +- unsigned short orig_id, new_id; +- int log_id, fd, forwardall, flags; ++ unsigned short new_id; ++ int fd, forwardall, flags; + time_t time; + unsigned char *hash[HASH_SIZE]; + #ifdef HAVE_DNSSEC +@@ -1085,6 +1090,8 @@ extern struct daemon { + int back_to_the_future; + #endif + struct frec *frec_list; ++ struct frec_src *free_frec_src; ++ int frec_src_count; + struct serverfd *sfds; + struct irec *interfaces; + struct listener *listeners; +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -20,6 +20,8 @@ static struct frec *lookup_frec(unsigned + static struct frec *lookup_frec_by_sender(unsigned short id, + union mysockaddr *addr, + void *hash); ++static struct frec *lookup_frec_by_query(void *hash, unsigned int flags); ++ + static unsigned short get_id(void); + static void free_frec(struct frec *f); + +@@ -255,6 +257,7 @@ static int forward_query(int udpfd, unio + int type = SERV_DO_DNSSEC, norebind = 0; + union all_addr *addrp = NULL; + unsigned int flags = 0; ++ unsigned int fwd_flags = 0; + struct server *start = NULL; + void *hash = hash_questions(header, plen, daemon->namebuff); + #ifdef HAVE_DNSSEC +@@ -263,7 +266,18 @@ static int forward_query(int udpfd, unio + unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL); + unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL); + (void)do_bit; +- ++ ++ if (header->hb4 & HB4_CD) ++ fwd_flags |= FREC_CHECKING_DISABLED; ++ if (ad_reqd) ++ fwd_flags |= FREC_AD_QUESTION; ++ if (oph) ++ fwd_flags |= FREC_HAS_PHEADER; ++#ifdef HAVE_DNSSEC ++ if (do_bit) ++ fwd_flags |= FREC_DO_QUESTION; ++#endif ++ + /* may be no servers available. */ + if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))) + { +@@ -336,6 +350,39 @@ static int forward_query(int udpfd, unio + } + else + { ++ /* Query from new source, but the same query may be in progress ++ from another source. If so, just add this client to the ++ list that will get the reply. ++ ++ Note that is the EDNS client subnet option is in use, we can't do this, ++ as the clients (and therefore query EDNS options) will be different ++ for each query. The EDNS subnet code has checks to avoid ++ attacks in this case. */ ++ if (!option_bool(OPT_CLIENT_SUBNET) && (forward = lookup_frec_by_query(hash, fwd_flags))) ++ { ++ /* Note whine_malloc() zeros memory. */ ++ if (!daemon->free_frec_src && ++ daemon->frec_src_count < daemon->ftabsize && ++ (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src)))) ++ daemon->frec_src_count++; ++ ++ /* If we've been spammed with many duplicates, just drop the query. */ ++ if (daemon->free_frec_src) ++ { ++ struct frec_src *new = daemon->free_frec_src; ++ daemon->free_frec_src = new->next; ++ new->next = forward->frec_src.next; ++ forward->frec_src.next = new; ++ new->orig_id = ntohs(header->id); ++ new->source = *udpaddr; ++ new->dest = *dst_addr; ++ new->log_id = daemon->log_id; ++ new->iface = dst_iface; ++ } ++ ++ return 1; ++ } ++ + if (gotname) + flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind); + +@@ -343,22 +390,22 @@ static int forward_query(int udpfd, unio + do_dnssec = type & SERV_DO_DNSSEC; + #endif + type &= ~SERV_DO_DNSSEC; +- ++ + if (daemon->servers && !flags) + forward = get_new_frec(now, NULL, NULL); + /* table full - flags == 0, return REFUSED */ + + if (forward) + { +- forward->source = *udpaddr; +- forward->dest = *dst_addr; +- forward->iface = dst_iface; +- forward->orig_id = ntohs(header->id); ++ forward->frec_src.source = *udpaddr; ++ forward->frec_src.orig_id = ntohs(header->id); ++ forward->frec_src.dest = *dst_addr; ++ forward->frec_src.iface = dst_iface; + forward->new_id = get_id(); + forward->fd = udpfd; + memcpy(forward->hash, hash, HASH_SIZE); + forward->forwardall = 0; +- forward->flags = 0; ++ forward->flags = fwd_flags; + if (norebind) + forward->flags |= FREC_NOREBIND; + if (header->hb4 & HB4_CD) +@@ -413,9 +460,9 @@ static int forward_query(int udpfd, unio + unsigned char *pheader; + + /* If a query is retried, use the log_id for the retry when logging the answer. */ +- forward->log_id = daemon->log_id; ++ forward->frec_src.log_id = daemon->log_id; + +- plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->source, now, &subnet); ++ plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->frec_src.source, now, &subnet); + + if (subnet) + forward->flags |= FREC_HAS_SUBNET; +@@ -552,7 +599,7 @@ static int forward_query(int udpfd, unio + return 1; + + /* could not send on, prepare to return */ +- header->id = htons(forward->orig_id); ++ header->id = htons(forward->frec_src.orig_id); + free_frec(forward); /* cancel */ + } + +@@ -804,8 +851,8 @@ void reply_query(int fd, int family, tim + + /* log_query gets called indirectly all over the place, so + pass these in global variables - sorry. */ +- daemon->log_display_id = forward->log_id; +- daemon->log_source_addr = &forward->source; ++ daemon->log_display_id = forward->frec_src.log_id; ++ daemon->log_source_addr = &forward->frec_src.source; + + if (daemon->ignore_addr && RCODE(header) == NOERROR && + check_for_ignored_address(header, n, daemon->ignore_addr)) +@@ -1077,6 +1124,7 @@ void reply_query(int fd, int family, tim + new->sentto = server; + new->rfd4 = NULL; + new->rfd6 = NULL; ++ new->frec_src.next = NULL; + new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA); + new->forwardall = 0; + +@@ -1212,9 +1260,11 @@ void reply_query(int fd, int family, tim + + if ((nn = process_reply(header, now, forward->sentto, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer, + forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION, +- forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source))) ++ forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->frec_src.source))) + { +- header->id = htons(forward->orig_id); ++ struct frec_src *src; ++ ++ header->id = htons(forward->frec_src.orig_id); + header->hb4 |= HB4_RA; /* recursion if available */ + #ifdef HAVE_DNSSEC + /* We added an EDNSO header for the purpose of getting DNSSEC RRs, and set the value of the UDP payload size +@@ -1230,13 +1280,26 @@ void reply_query(int fd, int family, tim + } + #endif + ++ for (src = &forward->frec_src; src; src = src->next) ++ { ++ header->id = htons(src->orig_id); ++ + #ifdef HAVE_DUMPFILE +- dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &forward->source); ++ dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &src->source); + #endif +- +- send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, +- &forward->source, &forward->dest, forward->iface); ++ ++ send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, ++ &src->source, &src->dest, src->iface); ++ ++ if (option_bool(OPT_EXTRALOG) && src != &forward->frec_src) ++ { ++ daemon->log_display_id = src->log_id; ++ daemon->log_source_addr = &src->source; ++ log_query(F_UPSTREAM, "query", NULL, "duplicate"); ++ } ++ } + } ++ + free_frec(forward); /* cancel */ + } + } +@@ -2198,6 +2261,17 @@ void free_rfd(struct randfd *rfd) + + static void free_frec(struct frec *f) + { ++ struct frec_src *src, *tmp; ++ ++ /* add back to freelist of not the record builtin to every frec. */ ++ for (src = f->frec_src.next; src; src = tmp) ++ { ++ tmp = src->next; ++ src->next = daemon->free_frec_src; ++ daemon->free_frec_src = src; ++ } ++ ++ f->frec_src.next = NULL; + free_rfd(f->rfd4); + f->rfd4 = NULL; + f->sentto = NULL; +@@ -2339,17 +2413,39 @@ static struct frec *lookup_frec_by_sende + void *hash) + { + struct frec *f; ++ struct frec_src *src; ++ ++ for (f = daemon->frec_list; f; f = f->next) ++ if (f->sentto && ++ !(f->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) && ++ memcmp(hash, f->hash, HASH_SIZE) == 0) ++ for (src = &f->frec_src; src; src = src->next) ++ if (src->orig_id == id && ++ sockaddr_isequal(&src->source, addr)) ++ return f; ++ ++ return NULL; ++} ++ ++static struct frec *lookup_frec_by_query(void *hash, unsigned int flags) ++{ ++ struct frec *f; ++ ++ /* FREC_DNSKEY and FREC_DS_QUERY are never set in flags, so the test below ++ ensures that no frec created for internal DNSSEC query can be returned here. */ ++ ++#define FLAGMASK (FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION \ ++ | FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY) + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && +- f->orig_id == id && +- memcmp(hash, f->hash, HASH_SIZE) == 0 && +- sockaddr_isequal(&f->source, addr)) ++ (f->flags & FLAGMASK) == flags && ++ memcmp(hash, f->hash, HASH_SIZE) == 0) + return f; +- ++ + return NULL; + } +- ++ + /* Send query packet again, if we can. */ + void resend_query() + { diff --git a/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch new file mode 100644 index 0000000000..a6ffd37260 --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/files/CVE-2020-25686-2.patch @@ -0,0 +1,63 @@ +From 6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Fri, 4 Dec 2020 18:35:11 +0000 +Subject: [PATCH] Small cleanups in frec_src datastucture handling. + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> +--- + src/forward.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +CVE: CVE-2020-25686 +Upstream-Status: Backport [http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914] +Comment: No change in any hunk + +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -364,7 +364,10 @@ static int forward_query(int udpfd, unio + if (!daemon->free_frec_src && + daemon->frec_src_count < daemon->ftabsize && + (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src)))) +- daemon->frec_src_count++; ++ { ++ daemon->frec_src_count++; ++ daemon->free_frec_src->next = NULL; ++ } + + /* If we've been spammed with many duplicates, just drop the query. */ + if (daemon->free_frec_src) +@@ -401,6 +404,7 @@ static int forward_query(int udpfd, unio + forward->frec_src.orig_id = ntohs(header->id); + forward->frec_src.dest = *dst_addr; + forward->frec_src.iface = dst_iface; ++ forward->frec_src.next = NULL; + forward->new_id = get_id(); + forward->fd = udpfd; + memcpy(forward->hash, hash, HASH_SIZE); +@@ -2261,16 +2265,16 @@ void free_rfd(struct randfd *rfd) + + static void free_frec(struct frec *f) + { +- struct frec_src *src, *tmp; +- +- /* add back to freelist of not the record builtin to every frec. */ +- for (src = f->frec_src.next; src; src = tmp) ++ struct frec_src *last; ++ ++ /* add back to freelist if not the record builtin to every frec. */ ++ for (last = f->frec_src.next; last && last->next; last = last->next) ; ++ if (last) + { +- tmp = src->next; +- src->next = daemon->free_frec_src; +- daemon->free_frec_src = src; ++ last->next = daemon->free_frec_src; ++ daemon->free_frec_src = f->frec_src.next; + } +- ++ + f->frec_src.next = NULL; + free_rfd(f->rfd4); + f->rfd4 = NULL; diff --git a/meta-networking/recipes-support/dnsmasq/files/dnsmasq-resolvconf.service b/meta-networking/recipes-support/dnsmasq/files/dnsmasq-resolvconf.service index 2980f7def6..ef2f3f7e41 100644 --- a/meta-networking/recipes-support/dnsmasq/files/dnsmasq-resolvconf.service +++ b/meta-networking/recipes-support/dnsmasq/files/dnsmasq-resolvconf.service @@ -8,7 +8,7 @@ PIDFile=/run/dnsmasq.pid ExecStartPre=/usr/bin/dnsmasq --test ExecStart=/usr/bin/dnsmasq -x /run/dnsmasq.pid -7 /etc/dnsmasq.d --local-service ExecStartPost=/usr/bin/dnsmasq-resolvconf-helper start -ExecStopPre=/usr/bin/dnsmasq-resolvconf-helper stop +ExecStop=/usr/bin/dnsmasq-resolvconf-helper stop ExecStop=/bin/kill $MAINPID ExecReload=/bin/kill -HUP $MAINPID diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch new file mode 100644 index 0000000000..5580cd409f --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch @@ -0,0 +1,30 @@ +From bd9d2fe7da833f0e4705a8280efc56930371806b Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@open-xchange.com> +Date: Wed, 6 May 2020 13:40:36 +0300 +Subject: [PATCH 1/3] auth: mech-rpa - Fail on zero len buffer + +--- + src/auth/mech-rpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12674 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c +index 08298ebdd6..2de8705b4f 100644 +--- a/src/auth/mech-rpa.c ++++ b/src/auth/mech-rpa.c +@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data, + return 0; + + len = *p++; +- if (p + len > end) ++ if (p + len > end || len == 0) + return 0; + + *buffer = p_malloc(pool, len); +-- +2.11.0 diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch index f86235076e..3f87714dcc 100644 --- a/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch @@ -13,11 +13,11 @@ Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com> configure.ac | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) -diff --git a/configure.ac b/configure.ac -index 3b32614..94ec002 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -519,13 +519,10 @@ have_ioloop=no +Index: dovecot-2.2.36.4/configure.ac +=================================================================== +--- dovecot-2.2.36.4.orig/configure.ac ++++ dovecot-2.2.36.4/configure.ac +@@ -490,13 +490,10 @@ have_ioloop=no if test "$ioloop" = "best" || test "$ioloop" = "epoll"; then AC_CACHE_CHECK([whether we can use epoll],i_cv_epoll_works,[ @@ -34,7 +34,7 @@ index 3b32614..94ec002 100644 ], [ i_cv_epoll_works=yes ], [ -@@ -653,7 +650,7 @@ fi +@@ -596,7 +593,7 @@ fi dnl * Old glibcs have broken posix_fallocate(). Make sure not to use it. dnl * It may also be broken in AIX. AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[ @@ -43,7 +43,7 @@ index 3b32614..94ec002 100644 #define _XOPEN_SOURCE 600 #include <stdio.h> #include <stdlib.h> -@@ -662,7 +659,7 @@ AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[ +@@ -605,7 +602,7 @@ AC_CACHE_CHECK([whether posix_fallocate( #if defined(__GLIBC__) && (__GLIBC__ < 2 || __GLIBC_MINOR__ < 7) possibly broken posix_fallocate #endif @@ -52,7 +52,7 @@ index 3b32614..94ec002 100644 int fd = creat("conftest.temp", 0600); int ret; if (fd == -1) { -@@ -671,8 +668,6 @@ AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[ +@@ -614,8 +611,6 @@ AC_CACHE_CHECK([whether posix_fallocate( } ret = posix_fallocate(fd, 1024, 1024) < 0 ? 1 : 0; unlink("conftest.temp"); @@ -61,6 +61,3 @@ index 3b32614..94ec002 100644 ], [ i_cv_posix_fallocate_works=yes ], [ --- -1.8.4.2 - diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch index 65ae9bf910..3170ae8658 100644 --- a/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch @@ -18,11 +18,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> src/doveadm/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/src/doveadm/Makefile.am b/src/doveadm/Makefile.am -index c644646..6ae9144 100644 ---- a/src/doveadm/Makefile.am -+++ b/src/doveadm/Makefile.am -@@ -180,8 +180,8 @@ test_libs = \ +Index: dovecot-2.2.36.4/src/doveadm/Makefile.am +=================================================================== +--- dovecot-2.2.36.4.orig/src/doveadm/Makefile.am ++++ dovecot-2.2.36.4/src/doveadm/Makefile.am +@@ -182,8 +182,8 @@ test_libs = \ ../lib/liblib.la test_deps = $(noinst_LTLIBRARIES) $(test_libs) @@ -33,6 +33,3 @@ index c644646..6ae9144 100644 test_doveadm_util_DEPENDENCIES = $(test_deps) check: check-am check-test --- -2.14.2 - diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch new file mode 100644 index 0000000000..583f71ca58 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch @@ -0,0 +1,76 @@ +From 667d353b0f217372e8cc43ea4fe13466689c7ed0 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 11:33:31 +0300 +Subject: [PATCH 01/13] lib-mail: message-parser - Add a message_part_finish() + helper function + +--- + src/lib-mail/message-parser.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index b1de1950a..aaa8dd8b7 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -195,6 +195,13 @@ message_part_append(pool_t pool, struct message_part *parent) + return part; + } + ++static void message_part_finish(struct message_parser_ctx *ctx) ++{ ++ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); ++ message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size); ++ ctx->part = ctx->part->parent; ++} ++ + static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + { + struct message_boundary *b; +@@ -312,19 +319,16 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + struct message_boundary *boundary, + struct message_block *block_r, bool first_line) + { +- struct message_part *part; + size_t line_size; + + i_assert(ctx->last_boundary == NULL); + + /* get back to parent MIME part, summing the child MIME part sizes + into parent's body sizes */ +- for (part = ctx->part; part != boundary->part; part = part->parent) { +- message_size_add(&part->parent->body_size, &part->body_size); +- message_size_add(&part->parent->body_size, &part->header_size); ++ while (ctx->part != boundary->part) { ++ message_part_finish(ctx); ++ i_assert(ctx->part != NULL); + } +- i_assert(part != NULL); +- ctx->part = part; + + if (boundary->epilogue_found) { + /* this boundary isn't needed anymore */ +@@ -1132,13 +1136,8 @@ int message_parser_parse_next_block(struct message_parser_ctx *ctx, + i_assert(ctx->input->eof || ctx->input->closed || + ctx->input->stream_errno != 0 || + ctx->broken_reason != NULL); +- while (ctx->part->parent != NULL) { +- message_size_add(&ctx->part->parent->body_size, +- &ctx->part->body_size); +- message_size_add(&ctx->part->parent->body_size, +- &ctx->part->header_size); +- ctx->part = ctx->part->parent; +- } ++ while (ctx->part->parent != NULL) ++ message_part_finish(ctx); + } + + if (block_r->size == 0) { +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch new file mode 100644 index 0000000000..9f24320ebf --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch @@ -0,0 +1,71 @@ +From de0da7bc8df55521db8fa787f88e293618c96386 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 11:34:22 +0300 +Subject: [PATCH 02/13] lib-mail: message-parser - Change message_part_append() + to do all work internally + +--- + src/lib-mail/message-parser.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index aaa8dd8b7..2edf3e7a6 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -167,16 +167,17 @@ static int message_parser_read_more(struct message_parser_ctx *ctx, + return 1; + } + +-static struct message_part * +-message_part_append(pool_t pool, struct message_part *parent) ++static void ++message_part_append(struct message_parser_ctx *ctx) + { ++ struct message_part *parent = ctx->part; + struct message_part *p, *part, **list; + + i_assert(parent != NULL); + i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART | + MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0); + +- part = p_new(pool, struct message_part, 1); ++ part = p_new(ctx->part_pool, struct message_part, 1); + part->parent = parent; + for (p = parent; p != NULL; p = p->parent) + p->children_count++; +@@ -192,7 +193,7 @@ message_part_append(pool_t pool, struct message_part *parent) + list = &(*list)->next; + + *list = part; +- return part; ++ ctx->part = part; + } + + static void message_part_finish(struct message_parser_ctx *ctx) +@@ -220,7 +221,7 @@ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + static int parse_next_body_message_rfc822_init(struct message_parser_ctx *ctx, + struct message_block *block_r) + { +- ctx->part = message_part_append(ctx->part_pool, ctx->part); ++ message_part_append(ctx); + return parse_next_header_init(ctx, block_r); + } + +@@ -270,7 +271,7 @@ boundary_line_find(struct message_parser_ctx *ctx, + static int parse_next_mime_header_init(struct message_parser_ctx *ctx, + struct message_block *block_r) + { +- ctx->part = message_part_append(ctx->part_pool, ctx->part); ++ message_part_append(ctx); + ctx->part->flags |= MESSAGE_PART_FLAG_IS_MIME; + + return parse_next_header_init(ctx, block_r); +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch new file mode 100644 index 0000000000..81aead8aad --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch @@ -0,0 +1,37 @@ +Backport of: + +From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@open-xchange.com> +Date: Mon, 18 May 2020 12:33:39 +0300 +Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses + +Add missing check for buffer length. + +If this is not checked, it is possible to send message which +causes read past buffer bug. + +Broken in c7480644202e5451fbed448508ea29a25cffc99c +--- + src/lib-ntlm/ntlm-message.c | 5 +++++ + 1 file changed, 5 insertions(+) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12673 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +--- a/src/lib-ntlm/ntlm-message.c ++++ b/src/lib-ntlm/ntlm-message.c +@@ -184,6 +184,11 @@ static int ntlmssp_check_buffer(const st + if (length == 0 && space == 0) + return 1; + ++ if (length > data_size) { ++ *error = "buffer length out of bounds"; ++ return 0; ++ } ++ + if (offset >= data_size) { + *error = "buffer offset out of bounds"; + return 0; diff --git a/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch b/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch new file mode 100644 index 0000000000..e530902350 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch @@ -0,0 +1,49 @@ +From a9800b436fcf1f9633c2b136a9c5cb7a486a8a52 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 11:36:48 +0300 +Subject: [PATCH 03/13] lib-mail: message-parser - Optimize updating + children_count + +--- + src/lib-mail/message-parser.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 2edf3e7a6..05768a058 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -171,7 +171,7 @@ static void + message_part_append(struct message_parser_ctx *ctx) + { + struct message_part *parent = ctx->part; +- struct message_part *p, *part, **list; ++ struct message_part *part, **list; + + i_assert(parent != NULL); + i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART | +@@ -179,8 +179,6 @@ message_part_append(struct message_parser_ctx *ctx) + + part = p_new(ctx->part_pool, struct message_part, 1); + part->parent = parent; +- for (p = parent; p != NULL; p = p->parent) +- p->children_count++; + + /* set child position */ + part->physical_pos = +@@ -200,6 +198,7 @@ static void message_part_finish(struct message_parser_ctx *ctx) + { + message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); + message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size); ++ ctx->part->parent->children_count += 1 + ctx->part->children_count; + ctx->part = ctx->part->parent; + } + +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch b/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch new file mode 100644 index 0000000000..ba6667fa99 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch @@ -0,0 +1,90 @@ +From 99ee7596712cf0ea0a288b712bc898ecb2b35f9b Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 12:00:38 +0300 +Subject: [PATCH 04/13] lib-mail: message-parser - Optimize appending new part + to linked list + +--- + src/lib-mail/message-parser.c | 28 ++++++++++++++++++++++------ + 1 file changed, 22 insertions(+), 6 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +Index: dovecot-2.2.36.4/src/lib-mail/message-parser.c +=================================================================== +--- dovecot-2.2.36.4.orig/src/lib-mail/message-parser.c ++++ dovecot-2.2.36.4/src/lib-mail/message-parser.c +@@ -1,7 +1,7 @@ + /* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */ + + #include "lib.h" +-#include "buffer.h" ++#include "array.h" + #include "str.h" + #include "istream.h" + #include "rfc822-parser.h" +@@ -34,6 +34,9 @@ struct message_parser_ctx { + const char *last_boundary; + struct message_boundary *boundaries; + ++ struct message_part **next_part; ++ ARRAY(struct message_part **) next_part_stack; ++ + size_t skip; + char last_chr; + unsigned int want_count; +@@ -171,7 +174,7 @@ static void + message_part_append(struct message_parser_ctx *ctx) + { + struct message_part *parent = ctx->part; +- struct message_part *part, **list; ++ struct message_part *part; + + i_assert(parent != NULL); + i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART | +@@ -186,16 +189,27 @@ message_part_append(struct message_parse + parent->body_size.physical_size + + parent->header_size.physical_size; + +- list = &part->parent->children; +- while (*list != NULL) +- list = &(*list)->next; ++ /* add to parent's linked list */ ++ *ctx->next_part = part; ++ /* update the parent's end-of-linked-list pointer */ ++ struct message_part **next_part = &part->next; ++ array_append(&ctx->next_part_stack, &next_part, 1); ++ /* This part is now the new parent for the next message_part_append() ++ call. Its linked list begins with the children pointer. */ ++ ctx->next_part = &part->children; + +- *list = part; + ctx->part = part; + } + + static void message_part_finish(struct message_parser_ctx *ctx) + { ++ struct message_part **const *parent_next_partp; ++ unsigned int count = array_count(&ctx->next_part_stack); ++ ++ parent_next_partp = array_idx(&ctx->next_part_stack, count-1); ++ array_delete(&ctx->next_part_stack, count-1, 1); ++ ctx->next_part = *parent_next_partp; ++ + message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); + message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size); + ctx->part->parent->children_count += 1 + ctx->part->children_count; +@@ -1062,7 +1076,9 @@ message_parser_init(pool_t part_pool, st + ctx = message_parser_init_int(input, hdr_flags, flags); + ctx->part_pool = part_pool; + ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1); ++ ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; ++ p_array_init(&ctx->next_part_stack, ctx->parser_pool, 4); + return ctx; + } + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch b/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch new file mode 100644 index 0000000000..4e63509b45 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch @@ -0,0 +1,45 @@ +From e39c95b248917eb2b596ca55a957f3cbc7fd406f Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 12:10:07 +0300 +Subject: [PATCH 05/13] lib-mail: message-parser - Minor code cleanup to + finding the end of boundary line + +--- + src/lib-mail/message-parser.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index ff4e09e5a..6c6a680b5 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -260,17 +260,16 @@ boundary_line_find(struct message_parser_ctx *ctx, + } + + /* need to find the end of line */ +- if (memchr(data + 2, '\n', size - 2) == NULL && +- size < BOUNDARY_END_MAX_LEN && ++ data += 2; ++ size -= 2; ++ if (memchr(data, '\n', size) == NULL && ++ size+2 < BOUNDARY_END_MAX_LEN && + !ctx->input->eof && !full) { + /* no LF found */ + ctx->want_count = BOUNDARY_END_MAX_LEN; + return 0; + } + +- data += 2; +- size -= 2; +- + *boundary_r = boundary_find(ctx->boundaries, data, size); + if (*boundary_r == NULL) + return -1; +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch b/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch new file mode 100644 index 0000000000..1012d7983e --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch @@ -0,0 +1,163 @@ +From aed125484a346b4893c1a169088c39fe7ced01f3 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 12:53:12 +0300 +Subject: [PATCH 06/13] lib-mail: message-parser - Truncate excessively long + MIME boundaries + +RFC 2046 requires that the boundaries are a maximum of 70 characters +(excluding the "--" prefix and suffix). We allow 80 characters for a bit of +extra safety. Anything longer than that is truncated and treated the same +as if it was just 80 characters. +--- + src/lib-mail/message-parser.c | 7 ++- + src/lib-mail/test-message-parser.c | 95 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 100 insertions(+), 2 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 6c6a680b5..92f541b02 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -10,7 +10,8 @@ + + /* RFC-2046 requires boundaries are max. 70 chars + "--" prefix + "--" suffix. + We'll add a bit more just in case. */ +-#define BOUNDARY_END_MAX_LEN (70 + 2 + 2 + 10) ++#define BOUNDARY_STRING_MAX_LEN (70 + 10) ++#define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2) + + struct message_boundary { + struct message_boundary *next; +@@ -526,8 +527,10 @@ static void parse_content_type(struct message_parser_ctx *ctx, + rfc2231_parse(&parser, &results); + for (; *results != NULL; results += 2) { + if (strcasecmp(results[0], "boundary") == 0) { ++ /* truncate excessively long boundaries */ + ctx->last_boundary = +- p_strdup(ctx->parser_pool, results[1]); ++ p_strndup(ctx->parser_pool, results[1], ++ BOUNDARY_STRING_MAX_LEN); + break; + } + } +diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c +index 1f1aa1437..94aa3eb7c 100644 +--- a/src/lib-mail/test-message-parser.c ++++ b/src/lib-mail/test-message-parser.c +@@ -642,6 +642,100 @@ static void test_message_parser_no_eoh(void) + test_end(); + } + ++static void test_message_parser_long_mime_boundary(void) ++{ ++ /* Close the boundaries in wrong reverse order. But because all ++ boundaries are actually truncated to the same size (..890) it ++ works the same as if all of them were duplicate boundaries. */ ++static const char input_msg[] = ++"Content-Type: multipart/mixed; boundary=\"1234567890123456789012345678901234567890123456789012345678901234567890123456789012\"\n" ++"\n" ++"--1234567890123456789012345678901234567890123456789012345678901234567890123456789012\n" ++"Content-Type: multipart/mixed; boundary=\"123456789012345678901234567890123456789012345678901234567890123456789012345678901\"\n" ++"\n" ++"--123456789012345678901234567890123456789012345678901234567890123456789012345678901\n" ++"Content-Type: multipart/mixed; boundary=\"12345678901234567890123456789012345678901234567890123456789012345678901234567890\"\n" ++"\n" ++"--12345678901234567890123456789012345678901234567890123456789012345678901234567890\n" ++"Content-Type: text/plain\n" ++"\n" ++"1\n" ++"--1234567890123456789012345678901234567890123456789012345678901234567890123456789012\n" ++"Content-Type: text/plain\n" ++"\n" ++"22\n" ++"--123456789012345678901234567890123456789012345678901234567890123456789012345678901\n" ++"Content-Type: text/plain\n" ++"\n" ++"333\n" ++"--12345678901234567890123456789012345678901234567890123456789012345678901234567890\n" ++"Content-Type: text/plain\n" ++"\n" ++"4444\n"; ++ struct message_parser_ctx *parser; ++ struct istream *input; ++ struct message_part *parts, *part; ++ struct message_block block; ++ pool_t pool; ++ int ret; ++ ++ test_begin("message parser long mime boundary"); ++ pool = pool_alloconly_create("message parser", 10240); ++ input = test_istream_create(input_msg); ++ ++ parser = message_parser_init(pool, input, 0, 0); ++ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ; ++ test_assert(ret < 0); ++ message_parser_deinit(&parser, &parts); ++ ++ part = parts; ++ test_assert(part->children_count == 6); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 126); ++ test_assert(part->header_size.virtual_size == 126+2); ++ test_assert(part->body_size.lines == 22); ++ test_assert(part->body_size.physical_size == 871); ++ test_assert(part->body_size.virtual_size == 871+22); ++ ++ part = parts->children; ++ test_assert(part->children_count == 5); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 125); ++ test_assert(part->header_size.virtual_size == 125+2); ++ test_assert(part->body_size.lines == 19); ++ test_assert(part->body_size.physical_size == 661); ++ test_assert(part->body_size.virtual_size == 661+19); ++ ++ part = parts->children->children; ++ test_assert(part->children_count == 4); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 124); ++ test_assert(part->header_size.virtual_size == 124+2); ++ test_assert(part->body_size.lines == 16); ++ test_assert(part->body_size.physical_size == 453); ++ test_assert(part->body_size.virtual_size == 453+16); ++ ++ part = parts->children->children->children; ++ for (unsigned int i = 1; i <= 3; i++, part = part->next) { ++ test_assert(part->children_count == 0); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_TEXT | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 26); ++ test_assert(part->header_size.virtual_size == 26+2); ++ test_assert(part->body_size.lines == 0); ++ test_assert(part->body_size.physical_size == i); ++ test_assert(part->body_size.virtual_size == i); ++ } ++ ++ test_parsed_parts(input, parts); ++ i_stream_unref(&input); ++ pool_unref(&pool); ++ test_end(); ++} ++ + int main(void) + { + static void (*test_functions[])(void) = { +@@ -654,6 +748,7 @@ int main(void) + test_message_parser_garbage_suffix_mime_boundary, + test_message_parser_continuing_mime_boundary, + test_message_parser_continuing_truncated_mime_boundary, ++ test_message_parser_long_mime_boundary, + test_message_parser_no_eoh, + NULL + }; +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch b/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch new file mode 100644 index 0000000000..eeb6c96f1a --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch @@ -0,0 +1,72 @@ +From 5f8de52fec3191a1aa68a399ee2068485737dc4f Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 13:06:02 +0300 +Subject: [PATCH 07/13] lib-mail: message-parser - Optimize boundary lookups + when exact boundary is found + +When an exact boundary is found, there's no need to continue looking for +more boundaries. +--- + src/lib-mail/message-parser.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 92f541b02..c2934c761 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -80,8 +80,14 @@ boundary_find(struct message_boundary *boundaries, + while (boundaries != NULL) { + if (boundaries->len <= len && + memcmp(boundaries->boundary, data, boundaries->len) == 0 && +- (best == NULL || best->len < boundaries->len)) ++ (best == NULL || best->len < boundaries->len)) { + best = boundaries; ++ if (best->len == len) { ++ /* This is exactly the wanted boundary. There ++ can't be a better one. */ ++ break; ++ } ++ } + + boundaries = boundaries->next; + } +@@ -263,15 +269,27 @@ boundary_line_find(struct message_parser_ctx *ctx, + /* need to find the end of line */ + data += 2; + size -= 2; +- if (memchr(data, '\n', size) == NULL && ++ const unsigned char *lf_pos = memchr(data, '\n', size); ++ if (lf_pos == NULL && + size+2 < BOUNDARY_END_MAX_LEN && + !ctx->input->eof && !full) { + /* no LF found */ + ctx->want_count = BOUNDARY_END_MAX_LEN; + return 0; + } +- +- *boundary_r = boundary_find(ctx->boundaries, data, size); ++ size_t find_size = size; ++ ++ if (lf_pos != NULL) { ++ find_size = lf_pos - data; ++ if (find_size > 0 && data[find_size-1] == '\r') ++ find_size--; ++ if (find_size > 2 && data[find_size-1] == '-' && ++ data[find_size-2] == '-') ++ find_size -= 2; ++ } else if (find_size > BOUNDARY_END_MAX_LEN) ++ find_size = BOUNDARY_END_MAX_LEN; ++ ++ *boundary_r = boundary_find(ctx->boundaries, data, find_size); + if (*boundary_r == NULL) + return -1; + +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch new file mode 100644 index 0000000000..4af070a879 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch @@ -0,0 +1,50 @@ +From 929396767d831bedbdec6392aaa835b045332fd3 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 14:53:27 +0300 +Subject: [PATCH 08/13] lib-mail: message-parser - Add boundary_remove_until() + helper function + +--- + src/lib-mail/message-parser.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index c2934c761..028f74159 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -223,6 +223,13 @@ static void message_part_finish(struct message_parser_ctx *ctx) + ctx->part = ctx->part->parent; + } + ++static void ++boundary_remove_until(struct message_parser_ctx *ctx, ++ struct message_boundary *boundary) ++{ ++ ctx->boundaries = boundary; ++} ++ + static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + { + struct message_boundary *b; +@@ -364,10 +371,10 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + + if (boundary->epilogue_found) { + /* this boundary isn't needed anymore */ +- ctx->boundaries = boundary->next; ++ boundary_remove_until(ctx, boundary->next); + } else { + /* forget about the boundaries we possibly skipped */ +- ctx->boundaries = boundary; ++ boundary_remove_until(ctx, boundary); + } + + /* the boundary itself should already be in buffer. add that. */ +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch b/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch new file mode 100644 index 0000000000..aade7dc2b3 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch @@ -0,0 +1,169 @@ +From d53d83214b1d635446a8cf8ff9438cc530133d62 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 15:00:57 +0300 +Subject: [PATCH 09/13] lib-mail: message-parser - Don't use memory pool for + parser + +This reduces memory usage when parsing many MIME parts where boundaries are +being added and removed constantly. +--- + src/lib-mail/message-parser.c | 48 ++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 16 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 028f74159..8970d8e0e 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -17,14 +17,14 @@ struct message_boundary { + struct message_boundary *next; + + struct message_part *part; +- const char *boundary; ++ char *boundary; + size_t len; + + unsigned int epilogue_found:1; + }; + + struct message_parser_ctx { +- pool_t parser_pool, part_pool; ++ pool_t part_pool; + struct istream *input; + struct message_part *parts, *part; + const char *broken_reason; +@@ -32,7 +32,7 @@ struct message_parser_ctx { + enum message_header_parser_flags hdr_flags; + enum message_parser_flags flags; + +- const char *last_boundary; ++ char *last_boundary; + struct message_boundary *boundaries; + + struct message_part **next_part; +@@ -223,10 +223,24 @@ static void message_part_finish(struct message_parser_ctx *ctx) + ctx->part = ctx->part->parent; + } + ++static void message_boundary_free(struct message_boundary *b) ++{ ++ i_free(b->boundary); ++ i_free(b); ++} ++ + static void + boundary_remove_until(struct message_parser_ctx *ctx, + struct message_boundary *boundary) + { ++ while (ctx->boundaries != boundary) { ++ struct message_boundary *cur = ctx->boundaries; ++ ++ i_assert(cur != NULL); ++ ctx->boundaries = cur->next; ++ message_boundary_free(cur); ++ ++ } + ctx->boundaries = boundary; + } + +@@ -234,15 +248,14 @@ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + { + struct message_boundary *b; + +- b = p_new(ctx->parser_pool, struct message_boundary, 1); ++ b = i_new(struct message_boundary, 1); + b->part = ctx->part; + b->boundary = ctx->last_boundary; ++ ctx->last_boundary = NULL; + b->len = strlen(b->boundary); + + b->next = ctx->boundaries; + ctx->boundaries = b; +- +- ctx->last_boundary = NULL; + } + + static int parse_next_body_message_rfc822_init(struct message_parser_ctx *ctx, +@@ -359,6 +372,8 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + struct message_block *block_r, bool first_line) + { + size_t line_size; ++ size_t boundary_len = boundary->len; ++ bool boundary_epilogue_found = boundary->epilogue_found; + + i_assert(ctx->last_boundary == NULL); + +@@ -391,7 +406,7 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + i_assert(block_r->data[0] == '\n'); + line_size = 1; + } +- line_size += 2 + boundary->len + (boundary->epilogue_found ? 2 : 0); ++ line_size += 2 + boundary_len + (boundary_epilogue_found ? 2 : 0); + i_assert(block_r->size >= ctx->skip + line_size); + block_r->size = line_size; + parse_body_add_block(ctx, block_r); +@@ -553,9 +568,9 @@ static void parse_content_type(struct message_parser_ctx *ctx, + for (; *results != NULL; results += 2) { + if (strcasecmp(results[0], "boundary") == 0) { + /* truncate excessively long boundaries */ ++ i_free(ctx->last_boundary); + ctx->last_boundary = +- p_strndup(ctx->parser_pool, results[1], +- BOUNDARY_STRING_MAX_LEN); ++ i_strndup(results[1], BOUNDARY_STRING_MAX_LEN); + break; + } + } +@@ -678,7 +693,7 @@ static int parse_next_header(struct message_parser_ctx *ctx, + i_assert(!ctx->multipart); + part->flags = 0; + } +- ctx->last_boundary = NULL; ++ i_free(ctx->last_boundary); + + if (!ctx->part_seen_content_type || + (part->flags & MESSAGE_PART_FLAG_IS_MIME) == 0) { +@@ -1081,11 +1096,8 @@ message_parser_init_int(struct istream *input, + enum message_parser_flags flags) + { + struct message_parser_ctx *ctx; +- pool_t pool; + +- pool = pool_alloconly_create("Message Parser", 1024); +- ctx = p_new(pool, struct message_parser_ctx, 1); +- ctx->parser_pool = pool; ++ ctx = i_new(struct message_parser_ctx, 1); + ctx->hdr_flags = hdr_flags; + ctx->flags = flags; + ctx->input = input; +@@ -1105,7 +1117,7 @@ message_parser_init(pool_t part_pool, struct istream *input, + ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1); + ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; +- p_array_init(&ctx->next_part_stack, ctx->parser_pool, 4); ++ i_array_init(&ctx->next_part_stack, 4); + return ctx; + } + +@@ -1146,8 +1158,12 @@ int message_parser_deinit_from_parts(struct message_parser_ctx **_ctx, + + if (ctx->hdr_parser_ctx != NULL) + message_parse_header_deinit(&ctx->hdr_parser_ctx); ++ boundary_remove_until(ctx, NULL); + i_stream_unref(&ctx->input); +- pool_unref(&ctx->parser_pool); ++ if (array_is_created(&ctx->next_part_stack)) ++ array_free(&ctx->next_part_stack); ++ i_free(ctx->last_boundary); ++ i_free(ctx); + i_assert(ret < 0 || *parts_r != NULL); + return ret; + } +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch b/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch new file mode 100644 index 0000000000..ae52544665 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch @@ -0,0 +1,188 @@ +From df9e0d358ef86e3342525dcdefcf79dc2d749a30 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 16:59:40 +0300 +Subject: [PATCH 10/13] lib-mail: message-parser - Support limiting max number + of nested MIME parts + +The default is to allow 100 nested MIME parts. When the limit is reached, +the innermost MIME part's body contains all the rest of the inner bodies +until a parent MIME part is reached. +--- + src/lib-mail/message-parser.c | 43 +++++++++++++++++++++++++++++++------- + src/lib-mail/test-message-parser.c | 31 +++++++++++++++++++++++++++ + 2 files changed, 67 insertions(+), 7 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 8970d8e0e..721615f76 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -13,6 +13,8 @@ + #define BOUNDARY_STRING_MAX_LEN (70 + 10) + #define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2) + ++#define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100 ++ + struct message_boundary { + struct message_boundary *next; + +@@ -28,9 +30,11 @@ struct message_parser_ctx { + struct istream *input; + struct message_part *parts, *part; + const char *broken_reason; ++ unsigned int nested_parts_count; + + enum message_header_parser_flags hdr_flags; + enum message_parser_flags flags; ++ unsigned int max_nested_mime_parts; + + char *last_boundary; + struct message_boundary *boundaries; +@@ -206,6 +210,8 @@ message_part_append(struct message_parser_ctx *ctx) + ctx->next_part = &part->children; + + ctx->part = part; ++ ctx->nested_parts_count++; ++ i_assert(ctx->nested_parts_count < ctx->max_nested_mime_parts); + } + + static void message_part_finish(struct message_parser_ctx *ctx) +@@ -213,8 +219,12 @@ static void message_part_finish(struct message_parser_ctx *ctx) + struct message_part **const *parent_next_partp; + unsigned int count = array_count(&ctx->next_part_stack); + ++ i_assert(ctx->nested_parts_count > 0); ++ ctx->nested_parts_count--; ++ + parent_next_partp = array_idx(&ctx->next_part_stack, count-1); + array_delete(&ctx->next_part_stack, count-1, 1); ++ + ctx->next_part = *parent_next_partp; + + message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); +@@ -592,6 +602,11 @@ static bool block_is_at_eoh(const struct message_block *block) + return FALSE; + } + ++static bool parse_too_many_nested_mime_parts(struct message_parser_ctx *ctx) ++{ ++ return ctx->nested_parts_count > ctx->max_nested_mime_parts; ++} ++ + #define MUTEX_FLAGS \ + (MESSAGE_PART_FLAG_MESSAGE_RFC822 | MESSAGE_PART_FLAG_MULTIPART) + +@@ -616,8 +631,12 @@ static int parse_next_header(struct message_parser_ctx *ctx, + "\n--boundary" belongs to us or to a previous boundary. + this is a problem if the boundary prefixes are identical, + because MIME requires only the prefix to match. */ +- parse_next_body_multipart_init(ctx); +- ctx->multipart = TRUE; ++ if (!parse_too_many_nested_mime_parts(ctx)) { ++ parse_next_body_multipart_init(ctx); ++ ctx->multipart = TRUE; ++ } else { ++ part->flags &= ~MESSAGE_PART_FLAG_MULTIPART; ++ } + } + + /* before parsing the header see if we can find a --boundary from here. +@@ -721,12 +740,16 @@ static int parse_next_header(struct message_parser_ctx *ctx, + i_assert(ctx->last_boundary == NULL); + ctx->multipart = FALSE; + ctx->parse_next_block = parse_next_body_to_boundary; +- } else if (part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) ++ } else if ((part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) != 0 && ++ !parse_too_many_nested_mime_parts(ctx)) { + ctx->parse_next_block = parse_next_body_message_rfc822_init; +- else if (ctx->boundaries != NULL) +- ctx->parse_next_block = parse_next_body_to_boundary; +- else +- ctx->parse_next_block = parse_next_body_to_eof; ++ } else { ++ part->flags &= ~MESSAGE_PART_FLAG_MESSAGE_RFC822; ++ if (ctx->boundaries != NULL) ++ ctx->parse_next_block = parse_next_body_to_boundary; ++ else ++ ctx->parse_next_block = parse_next_body_to_eof; ++ } + + ctx->want_count = 1; + +@@ -1100,6 +1123,8 @@ message_parser_init_int(struct istream *input, + ctx = i_new(struct message_parser_ctx, 1); + ctx->hdr_flags = hdr_flags; + ctx->flags = flags; ++ ctx->max_nested_mime_parts = ++ MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS; + ctx->input = input; + i_stream_ref(input); + return ctx; +@@ -1159,6 +1184,10 @@ int message_parser_deinit_from_parts(struct message_parser_ctx **_ctx, + if (ctx->hdr_parser_ctx != NULL) + message_parse_header_deinit(&ctx->hdr_parser_ctx); + boundary_remove_until(ctx, NULL); ++ /* caller might have stopped the parsing early */ ++ i_assert(ctx->nested_parts_count == 0 || ++ i_stream_have_bytes_left(ctx->input)); ++ + i_stream_unref(&ctx->input); + if (array_is_created(&ctx->next_part_stack)) + array_free(&ctx->next_part_stack); +diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c +index 94aa3eb7c..481d05942 100644 +--- a/src/lib-mail/test-message-parser.c ++++ b/src/lib-mail/test-message-parser.c +@@ -166,6 +166,36 @@ static void test_message_parser_small_blocks(void) + test_end(); + } + ++static void test_message_parser_stop_early(void) ++{ ++ struct message_parser_ctx *parser; ++ struct istream *input; ++ struct message_part *parts; ++ struct message_block block; ++ unsigned int i; ++ pool_t pool; ++ int ret; ++ ++ test_begin("message parser stop early"); ++ pool = pool_alloconly_create("message parser", 10240); ++ input = test_istream_create(test_msg); ++ ++ test_istream_set_allow_eof(input, FALSE); ++ for (i = 1; i <= TEST_MSG_LEN+1; i++) { ++ i_stream_seek(input, 0); ++ test_istream_set_size(input, i); ++ parser = message_parser_init(pool, input, 0, 0); ++ while ((ret = message_parser_parse_next_block(parser, ++ &block)) > 0) ; ++ test_assert(ret == 0); ++ message_parser_deinit(&parser, &parts); ++ } ++ ++ i_stream_unref(&input); ++ pool_unref(&pool); ++ test_end(); ++} ++ + static void test_message_parser_truncated_mime_headers(void) + { + static const char input_msg[] = +@@ -740,6 +770,7 @@ int main(void) + { + static void (*test_functions[])(void) = { + test_message_parser_small_blocks, ++ test_message_parser_stop_early, + test_message_parser_truncated_mime_headers, + test_message_parser_truncated_mime_headers2, + test_message_parser_truncated_mime_headers3, +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch b/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch new file mode 100644 index 0000000000..52848bf3a7 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch @@ -0,0 +1,87 @@ +From d7bba401dd234802bcdb55ff27dfb99bffdab804 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 17:09:33 +0300 +Subject: [PATCH 11/13] lib-mail: message-parser - Support limiting max number + of MIME parts + +The default is to allow 10000 MIME parts. When it's reached, no more +MIME boundary lines will be recognized, so the rest of the mail belongs +to the last added MIME part. +--- + src/lib-mail/message-parser.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 721615f76..646307802 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -14,6 +14,7 @@ + #define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2) + + #define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100 ++#define MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS 10000 + + struct message_boundary { + struct message_boundary *next; +@@ -31,10 +32,12 @@ struct message_parser_ctx { + struct message_part *parts, *part; + const char *broken_reason; + unsigned int nested_parts_count; ++ unsigned int total_parts_count; + + enum message_header_parser_flags hdr_flags; + enum message_parser_flags flags; + unsigned int max_nested_mime_parts; ++ unsigned int max_total_mime_parts; + + char *last_boundary; + struct message_boundary *boundaries; +@@ -211,7 +214,9 @@ message_part_append(struct message_parser_ctx *ctx) + + ctx->part = part; + ctx->nested_parts_count++; ++ ctx->total_parts_count++; + i_assert(ctx->nested_parts_count < ctx->max_nested_mime_parts); ++ i_assert(ctx->total_parts_count <= ctx->max_total_mime_parts); + } + + static void message_part_finish(struct message_parser_ctx *ctx) +@@ -296,6 +301,12 @@ boundary_line_find(struct message_parser_ctx *ctx, + return -1; + } + ++ if (ctx->total_parts_count >= ctx->max_total_mime_parts) { ++ /* can't add any more MIME parts. just stop trying to find ++ more boundaries. */ ++ return -1; ++ } ++ + /* need to find the end of line */ + data += 2; + size -= 2; +@@ -1125,6 +1136,8 @@ message_parser_init_int(struct istream *input, + ctx->flags = flags; + ctx->max_nested_mime_parts = + MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS; ++ ctx->max_total_mime_parts = ++ MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS; + ctx->input = input; + i_stream_ref(input); + return ctx; +@@ -1142,6 +1155,7 @@ message_parser_init(pool_t part_pool, struct istream *input, + ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1); + ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; ++ ctx->total_parts_count = 1; + i_array_init(&ctx->next_part_stack, 4); + return ctx; + } +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch b/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch new file mode 100644 index 0000000000..a81177d2ba --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch @@ -0,0 +1,133 @@ +From 0c9d56b41b992a868f299e05677a67c4d0495523 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 2 Jul 2020 17:31:19 +0300 +Subject: [PATCH 12/13] lib-mail: Fix handling trailing "--" in MIME boundaries + +Broken by 5b8ec27fae941d06516c30476dcf4820c6d200ab +--- + src/lib-mail/message-parser.c | 14 ++++++++---- + src/lib-mail/test-message-parser.c | 46 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 56 insertions(+), 4 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 646307802..175d4b488 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -75,7 +75,7 @@ static int preparsed_parse_next_header_init(struct message_parser_ctx *ctx, + + static struct message_boundary * + boundary_find(struct message_boundary *boundaries, +- const unsigned char *data, size_t len) ++ const unsigned char *data, size_t len, bool trailing_dashes) + { + struct message_boundary *best = NULL; + +@@ -89,7 +89,11 @@ boundary_find(struct message_boundary *boundaries, + memcmp(boundaries->boundary, data, boundaries->len) == 0 && + (best == NULL || best->len < boundaries->len)) { + best = boundaries; +- if (best->len == len) { ++ /* If we see "foo--", it could either mean that there ++ is a boundary named "foo" that ends now or there's ++ a boundary "foo--" which continues. */ ++ if (best->len == len || ++ (best->len == len-2 && trailing_dashes)) { + /* This is exactly the wanted boundary. There + can't be a better one. */ + break; +@@ -319,6 +323,7 @@ boundary_line_find(struct message_parser_ctx *ctx, + return 0; + } + size_t find_size = size; ++ bool trailing_dashes = FALSE; + + if (lf_pos != NULL) { + find_size = lf_pos - data; +@@ -326,11 +331,12 @@ boundary_line_find(struct message_parser_ctx *ctx, + find_size--; + if (find_size > 2 && data[find_size-1] == '-' && + data[find_size-2] == '-') +- find_size -= 2; ++ trailing_dashes = TRUE; + } else if (find_size > BOUNDARY_END_MAX_LEN) + find_size = BOUNDARY_END_MAX_LEN; + +- *boundary_r = boundary_find(ctx->boundaries, data, find_size); ++ *boundary_r = boundary_find(ctx->boundaries, data, find_size, ++ trailing_dashes); + if (*boundary_r == NULL) + return -1; + +diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c +index 481d05942..113454ea0 100644 +--- a/src/lib-mail/test-message-parser.c ++++ b/src/lib-mail/test-message-parser.c +@@ -510,6 +510,51 @@ static const char input_msg[] = + test_end(); + } + ++static void test_message_parser_trailing_dashes(void) ++{ ++static const char input_msg[] = ++"Content-Type: multipart/mixed; boundary=\"a--\"\n" ++"\n" ++"--a--\n" ++"Content-Type: multipart/mixed; boundary=\"a----\"\n" ++"\n" ++"--a----\n" ++"Content-Type: text/plain\n" ++"\n" ++"body\n" ++"--a------\n" ++"Content-Type: text/html\n" ++"\n" ++"body2\n" ++"--a----"; ++ struct message_parser_ctx *parser; ++ struct istream *input; ++ struct message_part *parts; ++ struct message_block block; ++ pool_t pool; ++ int ret; ++ ++ test_begin("message parser trailing dashes"); ++ pool = pool_alloconly_create("message parser", 10240); ++ input = test_istream_create(input_msg); ++ ++ parser = message_parser_init(pool, input, 0, 0); ++ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ; ++ test_assert(ret < 0); ++ message_parser_deinit(&parser, &parts); ++ ++ test_assert(parts->children_count == 2); ++ test_assert(parts->children->next == NULL); ++ test_assert(parts->children->children_count == 1); ++ test_assert(parts->children->children->next == NULL); ++ test_assert(parts->children->children->children_count == 0); ++ ++ test_parsed_parts(input, parts); ++ i_stream_unref(&input); ++ pool_unref(&pool); ++ test_end(); ++} ++ + static void test_message_parser_continuing_mime_boundary(void) + { + static const char input_msg[] = +@@ -777,6 +822,7 @@ int main(void) + test_message_parser_empty_multipart, + test_message_parser_duplicate_mime_boundary, + test_message_parser_garbage_suffix_mime_boundary, ++ test_message_parser_trailing_dashes, + test_message_parser_continuing_mime_boundary, + test_message_parser_continuing_truncated_mime_boundary, + test_message_parser_long_mime_boundary, +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch b/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch new file mode 100644 index 0000000000..97068345fb --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch @@ -0,0 +1,32 @@ +From f77a2b6c3ffe2ea96f4a4b05ec38dc9d53266ecb Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Wed, 27 May 2020 11:35:55 +0300 +Subject: [PATCH 13/13] lib-mail: Fix parse_too_many_nested_mime_parts() + +This was originally correct, until it was "optimized" wrong and got merged. +--- + src/lib-mail/message-parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 175d4b488..5b11772ff 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -621,7 +621,7 @@ static bool block_is_at_eoh(const struct message_block *block) + + static bool parse_too_many_nested_mime_parts(struct message_parser_ctx *ctx) + { +- return ctx->nested_parts_count > ctx->max_nested_mime_parts; ++ return ctx->nested_parts_count+1 >= ctx->max_nested_mime_parts; + } + + #define MUTEX_FLAGS \ +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch b/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch new file mode 100644 index 0000000000..44f6564f89 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch @@ -0,0 +1,27 @@ +From 1a6ff0beebf0ab0c71081eaff1d5d7fd26015a94 Mon Sep 17 00:00:00 2001 +From: Josef 'Jeff' Sipek <jeff.sipek@dovecot.fi> +Date: Tue, 19 Sep 2017 13:26:57 +0300 +Subject: [PATCH] lib: buffer_free(NULL) should be a no-op + +--- + src/lib/buffer.c | 3 +++ + 1 file changed, 3 insertions(+) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +--- a/src/lib/buffer.c ++++ b/src/lib/buffer.c +@@ -148,6 +148,9 @@ void buffer_free(buffer_t **_buf) + { + struct real_buffer *buf = (struct real_buffer *)*_buf; + ++ if (buf == NULL) ++ return; ++ + *_buf = NULL; + if (buf->alloced) + p_free(buf->pool, buf->w_buffer); diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb index 0f7fad2b24..29905196b6 100644 --- a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb +++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb @@ -10,6 +10,22 @@ SRC_URI = "http://dovecot.org/releases/2.2/dovecot-${PV}.tar.gz \ file://dovecot.service \ file://dovecot.socket \ file://0001-doveadm-Fix-parallel-build.patch \ + file://0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch \ + file://0002-lib-mail-message-parser-Change-message_part_append-t.patch \ + file://0003-lib-mail-message-parser-Optimize-updating-children_c.patch \ + file://0004-lib-mail-message-parser-Optimize-appending-new-part-.patch \ + file://0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch \ + file://0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch \ + file://0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch \ + file://0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch \ + file://0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch \ + file://0010-lib-mail-message-parser-Support-limiting-max-number-.patch \ + file://0011-lib-mail-message-parser-Support-limiting-max-number-.patch \ + file://0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch \ + file://0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch \ + file://buffer_free_fix.patch \ + file://0002-lib-ntlm-Check-buffer-length-on-responses.patch \ + file://0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch \ " SRC_URI[md5sum] = "66c4d71858b214afee5b390ee602dee2" @@ -67,3 +83,6 @@ FILES_${PN} += "${libdir}/dovecot/*plugin.so \ FILES_${PN}-staticdev += "${libdir}/dovecot/*/*.a" FILES_${PN}-dev += "${libdir}/dovecot/libdovecot*.so" FILES_${PN}-dbg += "${libdir}/dovecot/*/.debug" + +# CVE-2016-4983 affects only postinstall script on specific distribution +CVE_CHECK_WHITELIST += "CVE-2016-4983" diff --git a/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb b/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb index 5dabdd51d0..cad2fa7d71 100644 --- a/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb +++ b/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb @@ -8,13 +8,14 @@ SECTION = "admin" LICENSE = "GPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=5574c6965ae5f583e55880e397fbb018" -SRC_URI = "git://github.com/LINBIT/drbd-utils;name=drbd-utils \ - git://github.com/LINBIT/drbd-headers;name=drbd-headers;destsuffix=git/drbd-headers \ +SRC_URI = "git://github.com/LINBIT/drbd-utils;name=drbd-utils;branch=master;protocol=https \ + git://github.com/LINBIT/drbd-headers;name=drbd-headers;destsuffix=git/drbd-headers;branch=master;protocol=https \ ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','file://0001-drbd-utils-support-usrmerge.patch','',d)} \ " # v9.12.0 SRCREV_drbd-utils = "91629a4cce49ca0d4f917fe0bffa25cfe8db3052" SRCREV_drbd-headers = "233006b4d26cf319638be0ef6d16ec7dee287b66" +SRCREV_FORMAT = "drbd-utils_drbd-headers" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb b/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb index ed5c3a9799..8301c65bfa 100644 --- a/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb +++ b/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e4f3ea6e9b28af88dc0321190a1f8250" S = "${WORKDIR}/git" SRCREV = "4cdfdc38eca237c19c22a8b90490446ce6d970fa" -SRC_URI = "git://github.com/maxmind/geoip-api-perl.git;protocol=https; \ +SRC_URI = "git://github.com/maxmind/geoip-api-perl.git;protocol=https;branch=master \ file://run-ptest \ " diff --git a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb index 4271c2e155..0efcbec1fc 100644 --- a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb +++ b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb @@ -10,7 +10,7 @@ SECTION = "libdevel" GEOIP_DATABASE_VERSION = "20181205" -SRC_URI = "git://github.com/maxmind/geoip-api-c.git \ +SRC_URI = "git://github.com/maxmind/geoip-api-c.git;branch=main;protocol=https \ http://sources.openembedded.org/GeoIP.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIP-dat; \ http://sources.openembedded.org/GeoIPv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIPv6-dat; \ http://sources.openembedded.org/GeoLiteCity.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCity-dat; \ diff --git a/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb b/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb index 125b59e760..9c15490dcb 100644 --- a/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb +++ b/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb @@ -9,7 +9,7 @@ inherit manpages MAN_PKG = "${PN}" SRCREV = "42bfbb9beb924672ca86b86e9679ac3d6b87d992" -SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https" +SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb b/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb index ad0ec27001..59e540a710 100644 --- a/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb +++ b/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" S = "${WORKDIR}/git" SRCREV = "c3ee70c878b9c5833a77a1f339f1ca4dc6f225c5" SRC_URI = "\ - git://github.com/nmav/ipcalc.git;protocol=https; \ + git://github.com/nmav/ipcalc.git;protocol=https;branch=master \ file://0001-Makefile-pass-extra-linker-flags.patch \ " diff --git a/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb b/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb index 3cabc4ff8d..7a229c7b1e 100644 --- a/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb +++ b/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb @@ -14,7 +14,7 @@ PV .= "+git${SRCPV}" LK_REL = "1.0.18" SRC_URI = " \ - git://github.com/sctp/lksctp-tools.git \ + git://github.com/sctp/lksctp-tools.git;branch=master;protocol=https \ file://0001-withsctp-use-PACKAGE_VERSION-in-withsctp.h.patch \ file://0001-configure.ac-add-CURRENT-REVISION-and-AGE-for-libsct.patch \ file://0001-build-fix-netinet-sctp.h-not-to-be-installed.patch \ diff --git a/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb b/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb index 5917cfb3e1..e073561655 100644 --- a/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb +++ b/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" DEPENDS = "flex-native bison-native libnl python" PV = "0.3.1+git${SRCPV}" -SRC_URI = "git://github.com/linux-wpan/lowpan-tools \ +SRC_URI = "git://github.com/linux-wpan/lowpan-tools;branch=master;protocol=https \ file://no-help2man.patch \ file://0001-Fix-build-errors-with-clang.patch \ file://0001-addrdb-coord-config-parse.y-add-missing-time.h-inclu.patch \ diff --git a/meta-networking/recipes-support/mtr/mtr_0.93.bb b/meta-networking/recipes-support/mtr/mtr_0.93.bb index dd150700a9..4db7f7bbf8 100644 --- a/meta-networking/recipes-support/mtr/mtr_0.93.bb +++ b/meta-networking/recipes-support/mtr/mtr_0.93.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://ui/mtr.c;beginline=5;endline=16;md5=00a894a39d53726a27386534d1c4e468" SRCREV = "304349bad86229aedbc62c07d5e98a8292967991" -SRC_URI = "git://github.com/traviscross/mtr" +SRC_URI = "git://github.com/traviscross/mtr;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_git.bb b/meta-networking/recipes-support/nbdkit/nbdkit_git.bb index a63e49ec55..0876c6f354 100644 --- a/meta-networking/recipes-support/nbdkit/nbdkit_git.bb +++ b/meta-networking/recipes-support/nbdkit/nbdkit_git.bb @@ -9,7 +9,7 @@ HOMEPAGE = "https://github.com/libguestfs/nbdkit" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=4332a97808994cf2133a65b6c6f33eaf" -SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https \ +SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \ file://0001-server-Fix-build-when-printf-is-a-macro.patch \ " diff --git a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb b/meta-networking/recipes-support/ndisc6/ndisc6_git.bb index 5f866052c6..d359b620b8 100644 --- a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb +++ b/meta-networking/recipes-support/ndisc6/ndisc6_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" PV = "1.0.4+git${SRCPV}" SRCREV = "4c794b5512d23c649def1f94a684225dcbb6ac3e" -SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http \ +SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http;branch=master \ file://0001-replace-VLAIS-with-malloc-free-pair.patch \ file://0002-Do-not-undef-_GNU_SOURCE.patch \ file://0001-autogen-Do-not-symlink-gettext.h-from-build-host.patch \ diff --git a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb index 14d743f820..1e113de519 100644 --- a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb +++ b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb @@ -16,6 +16,8 @@ SRC_URI[sha256sum] = "b55af0bbdf5acc02d1eb6ab18da2acd77a400bafd074489003f3df0967 inherit autotools +CVE_PRODUCT = "netcat_project:netcat" + do_install_append() { install -d ${D}${bindir} mv ${D}${bindir}/nc ${D}${bindir}/nc.${BPN} diff --git a/meta-networking/recipes-support/netcf/netcf_0.2.8.bb b/meta-networking/recipes-support/netcf/netcf_0.2.8.bb index a180571f2d..af617ce922 100644 --- a/meta-networking/recipes-support/netcf/netcf_0.2.8.bb +++ b/meta-networking/recipes-support/netcf/netcf_0.2.8.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fb919cc88dbe06ec0b0bd50e001ccf1f" SRCREV = "2c5d4255857531bc09d91dcd02e86545f29004d4" PV .= "+git${SRCPV}" -SRC_URI = "git://pagure.io/netcf.git;protocol=https \ +SRC_URI = "git://pagure.io/netcf.git;protocol=https;branch=master \ " UPSTREAM_CHECK_GITTAGREGEX = "release-(?P<pver>(\d+(\.\d+)+))" diff --git a/meta-networking/recipes-support/netperf/netperf_git.bb b/meta-networking/recipes-support/netperf/netperf_git.bb index d48f3aeabd..f6ea211f7a 100644 --- a/meta-networking/recipes-support/netperf/netperf_git.bb +++ b/meta-networking/recipes-support/netperf/netperf_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a0ab17253e7a3f318da85382c7d5d5d6" PV = "2.7.0+git${SRCPV}" -SRC_URI = "git://github.com/HewlettPackard/netperf.git \ +SRC_URI = "git://github.com/HewlettPackard/netperf.git;branch=master;protocol=https \ file://cpu_set.patch \ file://vfork.patch \ file://init \ diff --git a/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch new file mode 100644 index 0000000000..ca181bb4b2 --- /dev/null +++ b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-1.patch @@ -0,0 +1,31 @@ +From f8da73bd042f810f34d19f9eae02b46d870af394 Mon Sep 17 00:00:00 2001 +From: James M Snell <jasnell@gmail.com> +Date: Sun, 19 Apr 2020 09:12:24 -0700 +Subject: [PATCH] Earlier check for settings flood + +CVE: CVE-2020-11080 +Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394.patch] +Comment: No hunk refreshed +Affects-version: < v1.41.0 +Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com> +--- + lib/nghttp2_session.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: nghttp2-1.40.0/lib/nghttp2_session.c +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_session.c ++++ nghttp2-1.40.0/lib/nghttp2_session.c +@@ -5678,6 +5678,12 @@ ssize_t nghttp2_session_mem_recv(nghttp2 + break; + } + ++ /* Check the settings flood counter early to be safe */ ++ if (session->obq_flood_counter_ >= session->max_outbound_ack && ++ !(iframe->frame.hd.flags & NGHTTP2_FLAG_ACK)) { ++ return NGHTTP2_ERR_FLOODED; ++ } ++ + iframe->state = NGHTTP2_IB_READ_SETTINGS; + + if (iframe->payloadleft) { diff --git a/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch new file mode 100644 index 0000000000..d3c57e9a80 --- /dev/null +++ b/meta-networking/recipes-support/nghttp2/nghttp2/CVE-2020-11080-2.patch @@ -0,0 +1,308 @@ +From 336a98feb0d56b9ac54e12736b18785c27f75090 Mon Sep 17 00:00:00 2001 +From: James M Snell <jasnell@gmail.com> +Date: Fri, 17 Apr 2020 16:53:51 -0700 +Subject: [PATCH] Implement max settings option + +CVE: CVE-2020-11080 +Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090.patch] +Comment: No hunks refreshed +Affects-version: < v1.41.0 +Signed-off-by: Rahul Taya <Rahul.Taya@kpit.com> +--- + doc/CMakeLists.txt | 1 + + doc/Makefile.am | 1 + + lib/includes/nghttp2/nghttp2.h | 23 +++++++++++++ + lib/nghttp2_helper.c | 2 ++ + lib/nghttp2_option.c | 5 +++ + lib/nghttp2_option.h | 5 +++ + lib/nghttp2_session.c | 21 ++++++++++++ + lib/nghttp2_session.h | 2 ++ + tests/main.c | 2 ++ + tests/nghttp2_session_test.c | 61 ++++++++++++++++++++++++++++++++++ + tests/nghttp2_session_test.h | 1 + + 11 files changed, 124 insertions(+) + +Index: nghttp2-1.40.0/doc/CMakeLists.txt +=================================================================== +--- nghttp2-1.40.0.orig/doc/CMakeLists.txt ++++ nghttp2-1.40.0/doc/CMakeLists.txt +@@ -42,6 +42,7 @@ set(APIDOCS + nghttp2_option_set_no_recv_client_magic.rst + nghttp2_option_set_peer_max_concurrent_streams.rst + nghttp2_option_set_user_recv_extension_type.rst ++ nghttp2_option_set_max_settings.rst + nghttp2_pack_settings_payload.rst + nghttp2_priority_spec_check_default.rst + nghttp2_priority_spec_default_init.rst +Index: nghttp2-1.40.0/lib/includes/nghttp2/nghttp2.h +=================================================================== +--- nghttp2-1.40.0.orig/lib/includes/nghttp2/nghttp2.h ++++ nghttp2-1.40.0/lib/includes/nghttp2/nghttp2.h +@@ -229,6 +229,13 @@ typedef struct { + #define NGHTTP2_CLIENT_MAGIC_LEN 24 + + /** ++ * @macro ++ * ++ * The default max number of settings per SETTINGS frame ++ */ ++#define NGHTTP2_DEFAULT_MAX_SETTINGS 32 ++ ++/** + * @enum + * + * Error codes used in this library. The code range is [-999, -500], +@@ -399,6 +406,11 @@ typedef enum { + */ + NGHTTP2_ERR_SETTINGS_EXPECTED = -536, + /** ++ * When a local endpoint receives too many settings entries ++ * in a single SETTINGS frame. ++ */ ++ NGHTTP2_ERR_TOO_MANY_SETTINGS = -537, ++ /** + * The errors < :enum:`NGHTTP2_ERR_FATAL` mean that the library is + * under unexpected condition and processing was terminated (e.g., + * out of memory). If application receives this error code, it must +@@ -2661,6 +2673,17 @@ NGHTTP2_EXTERN void nghttp2_option_set_m + + /** + * @function ++ * ++ * This function sets the maximum number of SETTINGS entries per ++ * SETTINGS frame that will be accepted. If more than those entries ++ * are received, the peer is considered to be misbehaving and session ++ * will be closed. The default value is 32. ++ */ ++NGHTTP2_EXTERN void nghttp2_option_set_max_settings(nghttp2_option *option, ++ size_t val); ++ ++/** ++ * @function + * + * Initializes |*session_ptr| for client use. The all members of + * |callbacks| are copied to |*session_ptr|. Therefore |*session_ptr| +Index: nghttp2-1.40.0/lib/nghttp2_helper.c +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_helper.c ++++ nghttp2-1.40.0/lib/nghttp2_helper.c +@@ -334,6 +334,8 @@ const char *nghttp2_strerror(int error_c + case NGHTTP2_ERR_FLOODED: + return "Flooding was detected in this HTTP/2 session, and it must be " + "closed"; ++ case NGHTTP2_ERR_TOO_MANY_SETTINGS: ++ return "SETTINGS frame contained more than the maximum allowed entries"; + default: + return "Unknown error code"; + } +Index: nghttp2-1.40.0/lib/nghttp2_option.c +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_option.c ++++ nghttp2-1.40.0/lib/nghttp2_option.c +@@ -121,3 +121,8 @@ void nghttp2_option_set_max_outbound_ack + option->opt_set_mask |= NGHTTP2_OPT_MAX_OUTBOUND_ACK; + option->max_outbound_ack = val; + } ++ ++void nghttp2_option_set_max_settings(nghttp2_option *option, size_t val) { ++ option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS; ++ option->max_settings = val; ++} +Index: nghttp2-1.40.0/lib/nghttp2_option.h +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_option.h ++++ nghttp2-1.40.0/lib/nghttp2_option.h +@@ -67,6 +67,7 @@ typedef enum { + NGHTTP2_OPT_MAX_DEFLATE_DYNAMIC_TABLE_SIZE = 1 << 9, + NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10, + NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11, ++ NGHTTP2_OPT_MAX_SETTINGS = 1 << 12, + } nghttp2_option_flag; + + /** +@@ -86,6 +87,10 @@ struct nghttp2_option { + */ + size_t max_outbound_ack; + /** ++ * NGHTTP2_OPT_MAX_SETTINGS ++ */ ++ size_t max_settings; ++ /** + * Bitwise OR of nghttp2_option_flag to determine that which fields + * are specified. + */ +Index: nghttp2-1.40.0/lib/nghttp2_session.c +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_session.c ++++ nghttp2-1.40.0/lib/nghttp2_session.c +@@ -458,6 +458,7 @@ static int session_new(nghttp2_session * + + (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; + (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; ++ (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS; + + if (option) { + if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && +@@ -521,6 +522,11 @@ static int session_new(nghttp2_session * + if (option->opt_set_mask & NGHTTP2_OPT_MAX_OUTBOUND_ACK) { + (*session_ptr)->max_outbound_ack = option->max_outbound_ack; + } ++ ++ if ((option->opt_set_mask & NGHTTP2_OPT_MAX_SETTINGS) && ++ option->max_settings) { ++ (*session_ptr)->max_settings = option->max_settings; ++ } + } + + rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, +@@ -5694,6 +5700,16 @@ ssize_t nghttp2_session_mem_recv(nghttp2 + iframe->max_niv = + iframe->frame.hd.length / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH + 1; + ++ if (iframe->max_niv - 1 > session->max_settings) { ++ rv = nghttp2_session_terminate_session_with_reason( ++ session, NGHTTP2_ENHANCE_YOUR_CALM, ++ "SETTINGS: too many setting entries"); ++ if (nghttp2_is_fatal(rv)) { ++ return rv; ++ } ++ return (ssize_t)inlen; ++ } ++ + iframe->iv = nghttp2_mem_malloc(mem, sizeof(nghttp2_settings_entry) * + iframe->max_niv); + +@@ -7460,6 +7476,11 @@ static int nghttp2_session_upgrade_inter + if (settings_payloadlen % NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH) { + return NGHTTP2_ERR_INVALID_ARGUMENT; + } ++ /* SETTINGS frame contains too many settings */ ++ if (settings_payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH ++ > session->max_settings) { ++ return NGHTTP2_ERR_TOO_MANY_SETTINGS; ++ } + rv = nghttp2_frame_unpack_settings_payload2(&iv, &niv, settings_payload, + settings_payloadlen, mem); + if (rv != 0) { +Index: nghttp2-1.40.0/lib/nghttp2_session.h +=================================================================== +--- nghttp2-1.40.0.orig/lib/nghttp2_session.h ++++ nghttp2-1.40.0/lib/nghttp2_session.h +@@ -267,6 +267,8 @@ struct nghttp2_session { + /* The maximum length of header block to send. Calculated by the + same way as nghttp2_hd_deflate_bound() does. */ + size_t max_send_header_block_length; ++ /* The maximum number of settings accepted per SETTINGS frame. */ ++ size_t max_settings; + /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */ + uint32_t next_stream_id; + /* The last stream ID this session initiated. For client session, +Index: nghttp2-1.40.0/tests/main.c +=================================================================== +--- nghttp2-1.40.0.orig/tests/main.c ++++ nghttp2-1.40.0/tests/main.c +@@ -315,6 +315,8 @@ int main() { + test_nghttp2_session_set_local_window_size) || + !CU_add_test(pSuite, "session_cancel_from_before_frame_send", + test_nghttp2_session_cancel_from_before_frame_send) || ++ !CU_add_test(pSuite, "session_too_many_settings", ++ test_nghttp2_session_too_many_settings) || + !CU_add_test(pSuite, "session_removed_closed_stream", + test_nghttp2_session_removed_closed_stream) || + !CU_add_test(pSuite, "session_pause_data", +Index: nghttp2-1.40.0/tests/nghttp2_session_test.c +=================================================================== +--- nghttp2-1.40.0.orig/tests/nghttp2_session_test.c ++++ nghttp2-1.40.0/tests/nghttp2_session_test.c +@@ -10558,6 +10558,67 @@ void test_nghttp2_session_cancel_from_be + nghttp2_session_del(session); + } + ++void test_nghttp2_session_too_many_settings(void) { ++ nghttp2_session *session; ++ nghttp2_option *option; ++ nghttp2_session_callbacks callbacks; ++ nghttp2_frame frame; ++ nghttp2_bufs bufs; ++ nghttp2_buf *buf; ++ ssize_t rv; ++ my_user_data ud; ++ nghttp2_settings_entry iv[3]; ++ nghttp2_mem *mem; ++ nghttp2_outbound_item *item; ++ ++ mem = nghttp2_mem_default(); ++ frame_pack_bufs_init(&bufs); ++ ++ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks)); ++ callbacks.on_frame_recv_callback = on_frame_recv_callback; ++ callbacks.send_callback = null_send_callback; ++ ++ nghttp2_option_new(&option); ++ nghttp2_option_set_max_settings(option, 1); ++ ++ nghttp2_session_client_new2(&session, &callbacks, &ud, option); ++ ++ CU_ASSERT(1 == session->max_settings); ++ ++ nghttp2_option_del(option); ++ ++ iv[0].settings_id = NGHTTP2_SETTINGS_HEADER_TABLE_SIZE; ++ iv[0].value = 3000; ++ ++ iv[1].settings_id = NGHTTP2_SETTINGS_INITIAL_WINDOW_SIZE; ++ iv[1].value = 16384; ++ ++ nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, dup_iv(iv, 2), ++ 2); ++ ++ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings); ++ ++ CU_ASSERT(0 == rv); ++ CU_ASSERT(nghttp2_bufs_len(&bufs) > 0); ++ ++ nghttp2_frame_settings_free(&frame.settings, mem); ++ ++ buf = &bufs.head->buf; ++ assert(nghttp2_bufs_len(&bufs) == nghttp2_buf_len(buf)); ++ ++ ud.frame_recv_cb_called = 0; ++ ++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)); ++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv); ++ ++ item = nghttp2_session_get_next_ob_item(session); ++ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type); ++ ++ nghttp2_bufs_reset(&bufs); ++ nghttp2_bufs_free(&bufs); ++ nghttp2_session_del(session); ++} ++ + static void + prepare_session_removed_closed_stream(nghttp2_session *session, + nghttp2_hd_deflater *deflater) { +Index: nghttp2-1.40.0/tests/nghttp2_session_test.h +=================================================================== +--- nghttp2-1.40.0.orig/tests/nghttp2_session_test.h ++++ nghttp2-1.40.0/tests/nghttp2_session_test.h +@@ -156,6 +156,7 @@ void test_nghttp2_session_repeated_prior + void test_nghttp2_session_repeated_priority_submission(void); + void test_nghttp2_session_set_local_window_size(void); + void test_nghttp2_session_cancel_from_before_frame_send(void); ++void test_nghttp2_session_too_many_settings(void); + void test_nghttp2_session_removed_closed_stream(void); + void test_nghttp2_session_pause_data(void); + void test_nghttp2_session_no_closed_streams(void); +Index: nghttp2-1.40.0/doc/Makefile.am +=================================================================== +--- nghttp2-1.40.0.orig/doc/Makefile.am ++++ nghttp2-1.40.0/doc/Makefile.am +@@ -69,6 +69,7 @@ APIDOCS= \ + nghttp2_option_set_peer_max_concurrent_streams.rst \ + nghttp2_option_set_user_recv_extension_type.rst \ + nghttp2_option_set_max_outbound_ack.rst \ ++ nghttp2_option_set_max_settings.rst \ + nghttp2_pack_settings_payload.rst \ + nghttp2_priority_spec_check_default.rst \ + nghttp2_priority_spec_default_init.rst \ diff --git a/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb b/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb index 9ed8c56420..b497058ca6 100644 --- a/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb +++ b/meta-networking/recipes-support/nghttp2/nghttp2_1.40.0.bb @@ -10,6 +10,8 @@ UPSTREAM_CHECK_URI = "https://github.com/nghttp2/nghttp2/releases" SRC_URI = "\ https://github.com/nghttp2/nghttp2/releases/download/v${PV}/nghttp2-${PV}.tar.xz \ file://0001-fetch-ocsp-response-use-python3.patch \ + file://CVE-2020-11080-1.patch \ + file://CVE-2020-11080-2.patch \ " SRC_URI[md5sum] = "8d1a6b96760254e4dd142d7176e8fb7c" SRC_URI[sha256sum] = "09fc43d428ff237138733c737b29fb1a7e49d49de06d2edbed3bc4cdcee69073" diff --git a/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb b/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb index bb401666c6..0c67f67d70 100644 --- a/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb +++ b/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb @@ -14,7 +14,7 @@ and ypdomainname. \ # v4.2.3 SRCREV = "1bfda29c342a81b97cb1995ffd9e8da5de63e7ab" -SRC_URI = "git://github.com/thkukuk/yp-tools \ +SRC_URI = "git://github.com/thkukuk/yp-tools;branch=master;protocol=https \ file://domainname.service \ " diff --git a/meta-networking/recipes-support/ntimed/ntimed_git.bb b/meta-networking/recipes-support/ntimed/ntimed_git.bb index a749b16593..43ed1abe38 100644 --- a/meta-networking/recipes-support/ntimed/ntimed_git.bb +++ b/meta-networking/recipes-support/ntimed/ntimed_git.bb @@ -8,7 +8,7 @@ SECTION = "net" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://main.c;beginline=2;endline=24;md5=89db8e76f2951f3fad167e7aa9718a44" -SRC_URI = "git://github.com/bsdphk/Ntimed \ +SRC_URI = "git://github.com/bsdphk/Ntimed;branch=master;protocol=https \ file://use-ldflags.patch" PV = "0.0+git${SRCPV}" diff --git a/meta-networking/recipes-support/ntp/ntp/CVE-2023-2655x.patch b/meta-networking/recipes-support/ntp/ntp/CVE-2023-2655x.patch new file mode 100644 index 0000000000..734c6f197b --- /dev/null +++ b/meta-networking/recipes-support/ntp/ntp/CVE-2023-2655x.patch @@ -0,0 +1,340 @@ +ntp: backport patch for 5 CVEs CVE-2023-26551/2/3/4/5 + +Upstream-Status: Backport [https://archive.ntp.org/ntp4/ntp-4.2/ntp-4.2.8p15-3806-3807.patch] +CVE: CVE-2023-26551 +CVE: CVE-2023-26552 +CVE: CVE-2023-26553 +CVE: CVE-2023-26554 +CVE: CVE-2023-26555 + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + include/ntp_fp.h | 4 +- + libntp/mstolfp.c | 108 +++++++++++++++------------------------ + ntpd/refclock_palisade.c | 50 +++++++++++++++--- + tests/libntp/strtolfp.c | 33 +++++++----- + 4 files changed, 104 insertions(+), 91 deletions(-) + +diff --git a/include/ntp_fp.h b/include/ntp_fp.h +index afd1f82..fe6e390 100644 +--- a/include/ntp_fp.h ++++ b/include/ntp_fp.h +@@ -195,9 +195,9 @@ typedef u_int32 u_fp; + do { \ + int32 add_f = (int32)(f); \ + if (add_f >= 0) \ +- M_ADD((r_i), (r_f), 0, (uint32)( add_f)); \ ++ M_ADD((r_i), (r_f), 0, (u_int32)( add_f)); \ + else \ +- M_SUB((r_i), (r_f), 0, (uint32)(-add_f)); \ ++ M_SUB((r_i), (r_f), 0, (u_int32)(-add_f)); \ + } while(0) + + #define M_ISNEG(v_i) /* v < 0 */ \ +diff --git a/libntp/mstolfp.c b/libntp/mstolfp.c +index 3dfc4ef..a906d76 100644 +--- a/libntp/mstolfp.c ++++ b/libntp/mstolfp.c +@@ -14,86 +14,58 @@ mstolfp( + l_fp *lfp + ) + { +- register const char *cp; +- register char *bp; +- register const char *cpdec; +- char buf[100]; ++ int ch, neg = 0; ++ u_int32 q, r; + + /* + * We understand numbers of the form: + * + * [spaces][-|+][digits][.][digits][spaces|\n|\0] + * +- * This is one enormous hack. Since I didn't feel like +- * rewriting the decoding routine for milliseconds, what +- * is essentially done here is to make a copy of the string +- * with the decimal moved over three places so the seconds +- * decoding routine can be used. ++ * This is kinda hack. We use 'atolfp' to do the basic parsing ++ * (after some initial checks) and then divide the result by ++ * 1000. The original implementation avoided that by ++ * hacking up the input string to move the decimal point, but ++ * that needed string manipulations prone to buffer overruns. ++ * To avoid that trouble we do the conversion first and adjust ++ * the result. + */ +- bp = buf; +- cp = str; +- while (isspace((unsigned char)*cp)) +- cp++; + +- if (*cp == '-' || *cp == '+') { +- *bp++ = *cp++; +- } +- +- if (*cp != '.' && !isdigit((unsigned char)*cp)) +- return 0; +- ++ while (isspace(ch = *(const unsigned char*)str)) ++ ++str; + +- /* +- * Search forward for the decimal point or the end of the string. +- */ +- cpdec = cp; +- while (isdigit((unsigned char)*cpdec)) +- cpdec++; +- +- /* +- * Found something. If we have more than three digits copy the +- * excess over, else insert a leading 0. +- */ +- if ((cpdec - cp) > 3) { +- do { +- *bp++ = (char)*cp++; +- } while ((cpdec - cp) > 3); +- } else { +- *bp++ = '0'; ++ switch (ch) { ++ case '-': neg = TRUE; ++ case '+': ++str; ++ default : break; + } + +- /* +- * Stick the decimal in. If we've got less than three digits in +- * front of the millisecond decimal we insert the appropriate number +- * of zeros. +- */ +- *bp++ = '.'; +- if ((cpdec - cp) < 3) { +- size_t i = 3 - (cpdec - cp); +- do { +- *bp++ = '0'; +- } while (--i > 0); +- } ++ if (!isdigit(ch = *(const unsigned char*)str) && (ch != '.')) ++ return 0; ++ if (!atolfp(str, lfp)) ++ return 0; + +- /* +- * Copy the remainder up to the millisecond decimal. If cpdec +- * is pointing at a decimal point, copy in the trailing number too. ++ /* now do a chained/overlapping division by 1000 to get from ++ * seconds to msec. 1000 is small enough to go with temporary ++ * 32bit accus for Q and R. + */ +- while (cp < cpdec) +- *bp++ = (char)*cp++; +- +- if (*cp == '.') { +- cp++; +- while (isdigit((unsigned char)*cp)) +- *bp++ = (char)*cp++; +- } +- *bp = '\0'; ++ q = lfp->l_ui / 1000u; ++ r = lfp->l_ui - (q * 1000u); ++ lfp->l_ui = q; + +- /* +- * Check to make sure the string is properly terminated. If +- * so, give the buffer to the decoding routine. +- */ +- if (*cp != '\0' && !isspace((unsigned char)*cp)) +- return 0; +- return atolfp(buf, lfp); ++ r = (r << 16) | (lfp->l_uf >> 16); ++ q = r / 1000u; ++ r = ((r - q * 1000) << 16) | (lfp->l_uf & 0x0FFFFu); ++ lfp->l_uf = q << 16; ++ q = r / 1000; ++ lfp->l_uf |= q; ++ r -= q * 1000u; ++ ++ /* fix sign */ ++ if (neg) ++ L_NEG(lfp); ++ /* round */ ++ if (r >= 500) ++ L_ADDF(lfp, (neg ? -1 : 1)); ++ return 1; + } +diff --git a/ntpd/refclock_palisade.c b/ntpd/refclock_palisade.c +index cb68255..15c21d8 100644 +--- a/ntpd/refclock_palisade.c ++++ b/ntpd/refclock_palisade.c +@@ -1225,9 +1225,9 @@ palisade_poll ( + return; /* using synchronous packet input */ + + if(up->type == CLK_PRAECIS) { +- if(write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) ++ if (write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) { + msyslog(LOG_ERR, "Palisade(%d) write: %m:",unit); +- else { ++ } else { + praecis_msg = 1; + return; + } +@@ -1249,20 +1249,53 @@ praecis_parse ( + + pp = peer->procptr; + +- memcpy(buf+p,rbufp->recv_space.X_recv_buffer, rbufp->recv_length); ++ if (p + rbufp->recv_length >= sizeof buf) { ++ struct palisade_unit *up; ++ up = pp->unitptr; ++ ++ /* ++ * We COULD see if there is a \r\n in the incoming ++ * buffer before it overflows, and then process the ++ * current line. ++ * ++ * Similarly, if we already have a hunk of data that ++ * we're now flushing, that will cause the line of ++ * data we're in the process of collecting to be garbage. ++ * ++ * Since we now check for this overflow and log when it ++ * happens, we're now in a better place to easily see ++ * what's going on and perhaps better choices can be made. ++ */ ++ ++ /* Do we need to log the size of the overflow? */ ++ msyslog(LOG_ERR, "Palisade(%d) praecis_parse(): input buffer overflow", ++ up->unit); ++ ++ p = 0; ++ praecis_msg = 0; ++ ++ refclock_report(peer, CEVNT_BADREPLY); ++ ++ return; ++ } ++ ++ memcpy(buf+p, rbufp->recv_buffer, rbufp->recv_length); + p += rbufp->recv_length; + +- if(buf[p-2] == '\r' && buf[p-1] == '\n') { ++ if ( p >= 2 ++ && buf[p-2] == '\r' ++ && buf[p-1] == '\n') { + buf[p-2] = '\0'; + record_clock_stats(&peer->srcadr, buf); + + p = 0; + praecis_msg = 0; + +- if (HW_poll(pp) < 0) ++ if (HW_poll(pp) < 0) { + refclock_report(peer, CEVNT_FAULT); +- ++ } + } ++ return; + } + + static void +@@ -1407,7 +1440,10 @@ HW_poll ( + + /* Edge trigger */ + if (up->type == CLK_ACUTIME) +- write (pp->io.fd, "", 1); ++ if (write (pp->io.fd, "", 1) != 1) ++ msyslog(LOG_WARNING, ++ "Palisade(%d) HW_poll: failed to send trigger: %m", ++ up->unit); + + if (ioctl(pp->io.fd, TIOCMSET, &x) < 0) { + #ifdef DEBUG +diff --git a/tests/libntp/strtolfp.c b/tests/libntp/strtolfp.c +index 6855d9b..9090159 100644 +--- a/tests/libntp/strtolfp.c ++++ b/tests/libntp/strtolfp.c +@@ -26,6 +26,13 @@ setUp(void) + return; + } + ++static const char* fmtLFP(const l_fp *e, const l_fp *a) ++{ ++ static char buf[100]; ++ snprintf(buf, sizeof(buf), "e=$%08x.%08x, a=$%08x.%08x", ++ e->l_ui, e->l_uf, a->l_ui, a->l_uf); ++ return buf; ++} + + void test_PositiveInteger(void) { + const char *str = "500"; +@@ -37,8 +44,8 @@ void test_PositiveInteger(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_NegativeInteger(void) { +@@ -54,8 +61,8 @@ void test_NegativeInteger(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_PositiveFraction(void) { +@@ -68,8 +75,8 @@ void test_PositiveFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_NegativeFraction(void) { +@@ -85,8 +92,8 @@ void test_NegativeFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_PositiveMsFraction(void) { +@@ -100,9 +107,8 @@ void test_PositiveMsFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); +- ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_NegativeMsFraction(void) { +@@ -118,9 +124,8 @@ void test_NegativeMsFraction(void) { + TEST_ASSERT_TRUE(atolfp(str, &actual)); + TEST_ASSERT_TRUE(mstolfp(str_ms, &actual_ms)); + +- TEST_ASSERT_TRUE(IsEqual(expected, actual)); +- TEST_ASSERT_TRUE(IsEqual(expected, actual_ms)); +- ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual), fmtLFP(&expected, &actual)); ++ TEST_ASSERT_TRUE_MESSAGE(IsEqual(expected, actual_ms), fmtLFP(&expected, &actual_ms)); + } + + void test_InvalidChars(void) { +-- +2.25.1 + diff --git a/meta-networking/recipes-support/ntp/ntp/ntpdate b/meta-networking/recipes-support/ntp/ntp/ntpdate index 17b64d1335..be3bacfcd1 100755 --- a/meta-networking/recipes-support/ntp/ntp/ntpdate +++ b/meta-networking/recipes-support/ntp/ntp/ntpdate @@ -52,3 +52,8 @@ if [ -x /usr/bin/lockfile-create ] ; then fi ) & + +# wait for all subprocesses to finish +# this is required when using systemd service as ntpd will start before ntpdate finishes +# and results in a bind error (port 123) +wait diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb index 7e168825e0..1a223db6fa 100644 --- a/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb +++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p15.bb @@ -22,8 +22,8 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g file://sntp.service \ file://sntp \ file://ntpd.list \ + file://CVE-2023-2655x.patch \ " - SRC_URI[sha256sum] = "f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19" inherit autotools update-rc.d useradd systemd pkgconfig @@ -61,6 +61,14 @@ PACKAGECONFIG[debug] = "--enable-debugging,--disable-debugging" PACKAGECONFIG[mdns] = "ac_cv_header_dns_sd_h=yes,ac_cv_header_dns_sd_h=no,mdns" PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," +do_configure_append() { + # tests are generated but also checked-in to source control + # when CVE-2023-2655x.patch changes timestamp of test source file, Makefile detects it and tries to regenerate it + # however it fails because of missing ruby interpretter; adding ruby-native as dependency fixes it + # since the regenerated file is identical to the one from source control, touch the generated file instead of adding heavy dependency + touch ${S}/tests/libntp/run-strtolfp.c +} + do_install_append() { install -d ${D}${sysconfdir}/init.d install -m 644 ${WORKDIR}/ntp.conf ${D}${sysconfdir} diff --git a/meta-networking/recipes-support/open-isns/open-isns_0.99.bb b/meta-networking/recipes-support/open-isns/open-isns_0.99.bb index a03b92f5fe..1bf7c48e09 100644 --- a/meta-networking/recipes-support/open-isns/open-isns_0.99.bb +++ b/meta-networking/recipes-support/open-isns/open-isns_0.99.bb @@ -13,7 +13,7 @@ SECTION = "net" DEPENDS = "openssl" -SRC_URI = "git://github.com/open-iscsi/open-isns" +SRC_URI = "git://github.com/open-iscsi/open-isns;branch=master;protocol=https" SRCREV = "cfdbcff867ee580a71bc9c18c3a38a6057df0150" diff --git a/meta-networking/recipes-support/openipmi/openipmi_2.0.29.bb b/meta-networking/recipes-support/openipmi/openipmi_2.0.29.bb index 85634a70eb..6918485870 100644 --- a/meta-networking/recipes-support/openipmi/openipmi_2.0.29.bb +++ b/meta-networking/recipes-support/openipmi/openipmi_2.0.29.bb @@ -38,7 +38,7 @@ S = "${WORKDIR}/OpenIPMI-${PV}" SRC_URI[md5sum] = "46b452e95d69c92e4172b3673ed88d52" SRC_URI[sha256sum] = "2244124579afb14e569f34393e9ac61e658a28b6ffa8e5c0d2c1c12a8ce695cd" -inherit autotools-brokensep pkgconfig python3native perlnative update-rc.d systemd cpan-base +inherit autotools-brokensep pkgconfig python3native perlnative update-rc.d systemd cpan-base python3targetconfig EXTRA_OECONF = "--disable-static \ --with-perl='${STAGING_BINDIR_NATIVE}/perl-native/perl' \ diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb b/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb index 529e3912bb..55e66036b7 100644 --- a/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb +++ b/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb @@ -14,8 +14,11 @@ SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" -SRC_URI[md5sum] = "52863fa9b98e5a3d7f8bec1d5785a2ba" -SRC_URI[sha256sum] = "46b268ef88e67ca6de2e9f19943eb9e5ac8544e55f5c1f3af677298d03e64b6e" +SRC_URI[md5sum] = "e83d430947fb7c9ad1a174987317d1dc" +SRC_URI[sha256sum] = "66952d9c95490e5875f04c9f8fa313b5e816d1b7b4d6cda3fb2ff749ad405dee" + +# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. +CVE_CHECK_WHITELIST += "CVE-2020-7224 CVE-2020-27569" SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" SYSTEMD_AUTO_ENABLE = "disable" diff --git a/meta-networking/recipes-support/phytool/phytool.bb b/meta-networking/recipes-support/phytool/phytool.bb index 29499d6d7a..7fde88c447 100644 --- a/meta-networking/recipes-support/phytool/phytool.bb +++ b/meta-networking/recipes-support/phytool/phytool.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0" PV = "2+git${SRCPV}" SRCREV = "8882328c08ba2efb13c049812098f1d0cb8adf0c" -SRC_URI = "git://github.com/wkz/phytool.git" +SRC_URI = "git://github.com/wkz/phytool.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb b/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb index 15fd7ff663..5cb4e67c28 100644 --- a/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb +++ b/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb @@ -6,7 +6,7 @@ DEPENDS = "libnl" RDEPENDS_${PN} = "bash perl" BRANCH = "stable-v${@d.getVar('PV').split('.')[0]}" -SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=${BRANCH} \ +SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=${BRANCH};protocol=https \ file://0001-Remove-man-files-which-cant-be-built.patch \ " SRCREV = "f12c953f0864691eacc9fcc4cda489b92ffd5a85" diff --git a/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb b/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb index 0b63f79aca..d8a1f6140f 100644 --- a/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb +++ b/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb @@ -6,7 +6,7 @@ LICENSE = "GPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" SRCREV = "a8e5847e5f7e411be424f9b52a6cdf9d2ed4aeb5" -SRC_URI = "git://github.com/troglobit/smcroute.git;branch=master;protocol=git" +SRC_URI = "git://github.com/troglobit/smcroute.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/spice/spice-protocol_git.bb b/meta-networking/recipes-support/spice/spice-protocol_git.bb index 1d56bea17c..ca683bf220 100644 --- a/meta-networking/recipes-support/spice/spice-protocol_git.bb +++ b/meta-networking/recipes-support/spice/spice-protocol_git.bb @@ -18,7 +18,7 @@ PV = "0.14.1+git${SRCPV}" SRCREV = "e0ec178a72aa33e307ee5ac02b63bf336da921a5" SRC_URI = " \ - git://anongit.freedesktop.org/spice/spice-protocol \ + git://anongit.freedesktop.org/spice/spice-protocol;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/spice/spice_git.bb b/meta-networking/recipes-support/spice/spice_git.bb index 9d3a0e6cb5..3d47f5a54a 100644 --- a/meta-networking/recipes-support/spice/spice_git.bb +++ b/meta-networking/recipes-support/spice/spice_git.bb @@ -21,8 +21,8 @@ SRCREV_spice-common = "4fc4c2db36c7f07b906e9a326a9d3dc0ae6a2671" SRCREV_FORMAT = "spice_spice-common" SRC_URI = " \ - git://anongit.freedesktop.org/spice/spice;name=spice \ - git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/subprojects/spice-common;name=spice-common \ + git://anongit.freedesktop.org/spice/spice;name=spice;branch=master \ + git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/subprojects/spice-common;name=spice-common;branch=master \ file://0001-Convert-pthread_t-to-be-numeric.patch \ file://0001-Fix-compile-errors-on-Linux-32bit-system.patch \ " diff --git a/meta-networking/recipes-support/spice/usbredir_0.8.0.bb b/meta-networking/recipes-support/spice/usbredir_0.8.0.bb index 9ee43be1ea..f07fb3b50c 100644 --- a/meta-networking/recipes-support/spice/usbredir_0.8.0.bb +++ b/meta-networking/recipes-support/spice/usbredir_0.8.0.bb @@ -10,7 +10,7 @@ DEPENDS = "libusb1" SRCREV = "07b98b8e71f620dfdd57e92ddef6b677b259a092" SRC_URI = " \ - git://anongit.freedesktop.org/spice/usbredir \ + git://anongit.freedesktop.org/spice/usbredir;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch new file mode 100644 index 0000000000..b7118ba1fb --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch @@ -0,0 +1,62 @@ +From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 28 Sep 2021 17:52:08 +0200 +Subject: [PATCH] Reject RSASSA-PSS params with negative salt length + +The `salt_len` member in the struct is of type `ssize_t` because we use +negative values for special automatic salt lengths when generating +signatures. + +Not checking this could lead to an integer overflow. The value is assigned +to the `len` field of a chunk (`size_t`), which is further used in +calculations to check the padding structure and (if that is passed by a +matching crafted signature value) eventually a memcpy() that will result +in a segmentation fault. + +Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params") +Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification") +Fixes: CVE-2021-41990 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41990] +CVE: CVE-2021-41990 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- + src/libstrongswan/credentials/keys/signature_params.c | 6 +++++- + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c +index d89bd2c96bb5..837de8443d43 100644 +--- a/src/libstrongswan/credentials/keys/signature_params.c ++++ b/src/libstrongswan/credentials/keys/signature_params.c +@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params) + case RSASSA_PSS_PARAMS_SALT_LEN: + if (object.len) + { +- params->salt_len = (size_t)asn1_parse_integer_uint64(object); ++ params->salt_len = (ssize_t)asn1_parse_integer_uint64(object); ++ if (params->salt_len < 0) ++ { ++ goto end; ++ } + } + break; + case RSASSA_PSS_PARAMS_TRAILER: +diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +index f9bd1d314dec..3a775090883e 100644 +--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c ++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this, + int i; + bool success = FALSE; + +- if (!params) ++ if (!params || params->salt_len < 0) + { + return FALSE; + } +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch new file mode 100644 index 0000000000..2d898fa5cf --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch @@ -0,0 +1,41 @@ +From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 28 Sep 2021 19:38:22 +0200 +Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change + +random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually +equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added +directly to that offset before applying`% CACHE_SIZE` to get an index into +the cache array. If the random value was very high, this resulted in an +integer overflow and a negative index value and, therefore, an out-of-bounds +access of the array and in turn dereferencing invalid pointers when trying +to acquire the read lock. This most likely results in a segmentation fault. + +Fixes: 764e8b2211ce ("reimplemented certificate cache") +Fixes: CVE-2021-41991 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41991] +CVE: CVE-2021-41991 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- + src/libstrongswan/credentials/sets/cert_cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c +index f1579c60a9bc..ceebb3843725 100644 +--- a/src/libstrongswan/credentials/sets/cert_cache.c ++++ b/src/libstrongswan/credentials/sets/cert_cache.c +@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this, + for (try = 0; try < REPLACE_TRIES; try++) + { + /* replace a random relation */ +- offset = random(); ++ offset = random() % CACHE_SIZE; + for (i = 0; i < CACHE_SIZE; i++) + { + rel = &this->relations[(i + offset) % CACHE_SIZE]; +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch new file mode 100644 index 0000000000..97aa6a0efc --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch @@ -0,0 +1,156 @@ +From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Dec 2021 10:51:35 +0100 +Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails + +Without this, the authentication succeeded if the server sent an early +EAP-Success message for mutual, key-generating EAP methods like EAP-TLS, +which may be used in EAP-only scenarios but would complete without server +or client authentication. For clients configured for such EAP-only +scenarios, a rogue server could capture traffic after the tunnel is +established or even access hosts behind the client. For non-mutual EAP +methods, public key server authentication has been enforced for a while. + +A server previously could also crash a client by sending an EAP-Success +immediately without initiating an actual EAP method. + +Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK") +Fixes: CVE-2021-45079 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-45079/strongswan-5.5.0-5.9.4_eap_success.patch] +CVE: CVE-2021-45079 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +- + src/libcharon/plugins/eap_md5/eap_md5.c | 2 +- + src/libcharon/plugins/eap_radius/eap_radius.c | 4 ++- + src/libcharon/sa/eap/eap_method.h | 8 ++++- + .../ikev2/authenticators/eap_authenticator.c | 32 ++++++++++++++++--- + 5 files changed, 40 insertions(+), 8 deletions(-) + +diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c +index 95ba090b79ce..cffb6222c2f8 100644 +--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c ++++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c +@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_t, + METHOD(eap_method_t, get_msk, status_t, + private_eap_gtc_t *this, chunk_t *msk) + { +- return FAILED; ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, get_identifier, uint8_t, +diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c +index ab5f7ff6a823..3a92ad7c0a04 100644 +--- a/src/libcharon/plugins/eap_md5/eap_md5.c ++++ b/src/libcharon/plugins/eap_md5/eap_md5.c +@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_t, + METHOD(eap_method_t, get_msk, status_t, + private_eap_md5_t *this, chunk_t *msk) + { +- return FAILED; ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, is_mutual, bool, +diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c +index 2dc7a423e702..5336dead13d9 100644 +--- a/src/libcharon/plugins/eap_radius/eap_radius.c ++++ b/src/libcharon/plugins/eap_radius/eap_radius.c +@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t, + *out = msk; + return SUCCESS; + } +- return FAILED; ++ /* we assume the selected method did not establish an MSK, if it failed ++ * to establish one, process() would have failed */ ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, get_identifier, uint8_t, +diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h +index 0b5218dfec15..33564831f86e 100644 +--- a/src/libcharon/sa/eap/eap_method.h ++++ b/src/libcharon/sa/eap/eap_method.h +@@ -114,10 +114,16 @@ struct eap_method_t { + * Not all EAP methods establish a shared secret. For implementations of + * the EAP-Identity method, get_msk() returns the received identity. + * ++ * @note Returning NOT_SUPPORTED is important for implementations of EAP ++ * methods that don't establish an MSK. In particular as client because ++ * key-generating EAP methods MUST fail to process EAP-Success messages if ++ * no MSK is established. ++ * + * @param msk chunk receiving internal stored MSK + * @return +- * - SUCCESS, or ++ * - SUCCESS, if MSK is established + * - FAILED, if MSK not established (yet) ++ * - NOT_SUPPORTED, for non-MSK-establishing methods + */ + status_t (*get_msk) (eap_method_t *this, chunk_t *msk); + +diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +index e1e6cd7ee6f3..87548fc471a6 100644 +--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c ++++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + this->method->destroy(this->method); + return server_initiate_eap(this, FALSE); + } +- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) ++ switch (this->method->get_msk(this->method, &this->msk)) + { +- this->msk = chunk_clone(this->msk); ++ case SUCCESS: ++ this->msk = chunk_clone(this->msk); ++ break; ++ case NOT_SUPPORTED: ++ break; ++ case FAILED: ++ default: ++ DBG1(DBG_IKE, "failed to establish MSK"); ++ goto failure; + } + if (vendor) + { +@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); + case FAILED: + default: ++failure: + /* type might have changed for virtual methods */ + type = this->method->get_type(this->method, &vendor); + if (vendor) +@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client, status_t, + uint32_t vendor; + auth_cfg_t *cfg; + +- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) ++ if (!this->method) + { +- this->msk = chunk_clone(this->msk); ++ DBG1(DBG_IKE, "received unexpected %N", ++ eap_code_names, eap_payload->get_code(eap_payload)); ++ return FAILED; ++ } ++ switch (this->method->get_msk(this->method, &this->msk)) ++ { ++ case SUCCESS: ++ this->msk = chunk_clone(this->msk); ++ break; ++ case NOT_SUPPORTED: ++ break; ++ case FAILED: ++ default: ++ DBG1(DBG_IKE, "received %N but failed to establish MSK", ++ eap_code_names, eap_payload->get_code(eap_payload)); ++ return FAILED; + } + type = this->method->get_type(this->method, &vendor); + if (vendor) +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch new file mode 100644 index 0000000000..66e5047125 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch @@ -0,0 +1,210 @@ +From 66d3b2e0e596a6eac1ebcd15c83a8d9368fe7b34 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 22 Jul 2022 15:37:43 +0200 +Subject: [PATCH] credential-manager: Do online revocation checks only after + basic trust chain validation + +This avoids querying URLs of potentially untrusted certificates, e.g. if +an attacker sends a specially crafted end-entity and intermediate CA +certificate with a CDP that points to a server that completes the +TCP handshake but then does not send any further data, which will block +the fetcher thread (depending on the plugin) for as long as the default +timeout for TCP. Doing that multiple times will block all worker threads, +leading to a DoS attack. + +The logging during the certificate verification obviously changes. The +following example shows the output of `pki --verify` for the current +strongswan.org certificate: + +new: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + reached self-signed root ca with a path length of 1 +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... + using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good +certificate trusted, lifetimes valid, certificate not revoked + +old: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... + using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good + reached self-signed root ca with a path length of 1 +certificate trusted, lifetimes valid, certificate not revoked + +Note that this also fixes an issue with the previous dual-use of the +`trusted` flag. It not only indicated whether the chain is trusted but +also whether the current issuer is the root anchor (the corresponding +flag in the `cert_validator_t` interface is called `anchor`). This was +a problem when building multi-level trust chains for pre-trusted +end-entity certificates (i.e. where `trusted` is TRUE from the start). +This caused the main loop to get aborted after the first intermediate CA +certificate and the mentioned `anchor` flag wasn't correct in any calls +to `cert_validator_t` implementations. + +Fixes: CVE-2022-40617 + +CVE: CVE-2022-40617 +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2022-40617/strongswan-5.1.0-5.9.7_cert_online_validate.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + .../credentials/credential_manager.c | 54 +++++++++++++++---- + 1 file changed, 45 insertions(+), 9 deletions(-) + +diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c +index e93b5943a3a7..798785544e41 100644 +--- a/src/libstrongswan/credentials/credential_manager.c ++++ b/src/libstrongswan/credentials/credential_manager.c +@@ -556,7 +556,7 @@ static void cache_queue(private_credential_manager_t *this) + */ + static bool check_lifetime(private_credential_manager_t *this, + certificate_t *cert, char *label, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + time_t not_before, not_after; + cert_validator_t *validator; +@@ -571,7 +571,7 @@ static bool check_lifetime(private_credential_manager_t *this, + continue; + } + status = validator->check_lifetime(validator, cert, +- pathlen, trusted, auth); ++ pathlen, anchor, auth); + if (status != NEED_MORE) + { + break; +@@ -604,13 +604,13 @@ static bool check_lifetime(private_credential_manager_t *this, + */ + static bool check_certificate(private_credential_manager_t *this, + certificate_t *subject, certificate_t *issuer, bool online, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + cert_validator_t *validator; + enumerator_t *enumerator; + + if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) || +- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth)) ++ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth)) + { + return FALSE; + } +@@ -623,7 +623,7 @@ static bool check_certificate(private_credential_manager_t *this, + continue; + } + if (!validator->validate(validator, subject, issuer, +- online, pathlen, trusted, auth)) ++ online, pathlen, anchor, auth)) + { + enumerator->destroy(enumerator); + return FALSE; +@@ -726,6 +726,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth_cfg_t *auth; + signature_params_t *scheme; + int pathlen; ++ bool is_anchor = FALSE; + + auth = auth_cfg_create(); + get_key_strength(subject, auth); +@@ -743,7 +744,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); + DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", + issuer->get_subject(issuer)); +- trusted = TRUE; ++ trusted = is_anchor = TRUE; + } + else + { +@@ -778,11 +779,18 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, " issuer is \"%Y\"", + current->get_issuer(current)); + call_hook(this, CRED_HOOK_NO_ISSUER, current); ++ if (trusted) ++ { ++ DBG1(DBG_CFG, " reached end of incomplete trust chain for " ++ "trusted certificate \"%Y\"", ++ subject->get_subject(subject)); ++ } + break; + } + } +- if (!check_certificate(this, current, issuer, online, +- pathlen, trusted, auth)) ++ /* don't do online verification here */ ++ if (!check_certificate(this, current, issuer, FALSE, ++ pathlen, is_anchor, auth)) + { + trusted = FALSE; + issuer->destroy(issuer); +@@ -794,7 +802,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + } + current->destroy(current); + current = issuer; +- if (trusted) ++ if (is_anchor) + { + DBG1(DBG_CFG, " reached self-signed root ca with a " + "path length of %d", pathlen); +@@ -807,6 +815,34 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN); + call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject); + } ++ else if (trusted && online) ++ { ++ enumerator_t *enumerator; ++ auth_rule_t rule; ++ ++ /* do online revocation checks after basic validation of the chain */ ++ pathlen = 0; ++ current = subject; ++ enumerator = auth->create_enumerator(auth); ++ while (enumerator->enumerate(enumerator, &rule, &issuer)) ++ { ++ if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT) ++ { ++ if (!check_certificate(this, current, issuer, TRUE, pathlen++, ++ rule == AUTH_RULE_CA_CERT, auth)) ++ { ++ trusted = FALSE; ++ break; ++ } ++ else if (rule == AUTH_RULE_CA_CERT) ++ { ++ break; ++ } ++ current = issuer; ++ } ++ } ++ enumerator->destroy(enumerator); ++ } + if (trusted) + { + result->merge(result, auth, FALSE); +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch new file mode 100644 index 0000000000..c0de1f1588 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2023-41913.patch @@ -0,0 +1,46 @@ +From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 11 Jul 2023 12:12:25 +0200 +Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer + overflow + +Seems this was forgotten in the referenced commit and actually could lead +to a buffer overflow. Since charon-tkm is untrusted this isn't that +much of an issue but could at least be easily exploited for a DoS attack +as DH public values are set when handling IKE_SA_INIT requests. + +Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends") +Fixes: CVE-2023-41913 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.3.0-5.9.6_charon_tkm_dh_len.patch] +CVE: CVE-2023-41913 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +index 2b2d103d03e9..6999ad360d7e 100644 +--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c ++++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool, + return TRUE; + } + +- + METHOD(diffie_hellman_t, set_other_public_value, bool, + private_tkm_diffie_hellman_t *this, chunk_t value) + { + dh_pubvalue_type othervalue; ++ ++ if (!key_exchange_verify_pubkey(this->group, value) || ++ value.len > sizeof(othervalue.data)) ++ { ++ return FALSE; ++ } + othervalue.size = value.len; + memcpy(&othervalue.data, value.ptr, value.len); + +-- +2.34.1 + diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb index 8a8809243a..9f676d0b18 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb @@ -11,6 +11,11 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://fix-funtion-parameter.patch \ file://0001-memory.h-Include-stdint.h-for-uintptr_t.patch \ file://0001-Remove-obsolete-setting-regarding-the-Standard-Outpu.patch \ + file://CVE-2021-41990.patch \ + file://CVE-2021-41991.patch \ + file://CVE-2021-45079.patch \ + file://CVE-2022-40617.patch \ + file://CVE-2023-41913.patch \ " SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29" diff --git a/meta-networking/recipes-support/stunnel/stunnel_5.56.bb b/meta-networking/recipes-support/stunnel/stunnel_5.57.bb index 3411e5d0c7..8f6de571f3 100644 --- a/meta-networking/recipes-support/stunnel/stunnel_5.56.bb +++ b/meta-networking/recipes-support/stunnel/stunnel_5.57.bb @@ -6,7 +6,7 @@ SECTION = "net" # a combined work based on stunnel. Thus, the terms and conditions of the GNU # General Public License cover the whole combination. LICENSE = "GPLv2" -LIC_FILES_CHKSUM = "file://COPYING.md;md5=d6d635d290ba1705821254a0278f1ef7" +LIC_FILES_CHKSUM = "file://COPYING.md;md5=6bae28875b3b599f8f621f4335b17955" DEPENDS = "autoconf-archive libnsl2 openssl" @@ -14,8 +14,7 @@ SRC_URI = "ftp://ftp.stunnel.org/stunnel/archive/5.x/${BP}.tar.gz \ file://fix-openssl-no-des.patch \ " -SRC_URI[md5sum] = "01b0ca9e071f582ff803a85d5ed72166" -SRC_URI[sha256sum] = "7384bfb356b9a89ddfee70b5ca494d187605bb516b4fff597e167f97e2236b22" +SRC_URI[sha256sum] = "af5ab973dde11807c38735b87bdd87563a47d2fa1c72a07929fcfce80a600fe1" inherit autotools diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch new file mode 100644 index 0000000000..84d4716f38 --- /dev/null +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch @@ -0,0 +1,71 @@ +From 32027e199368dad9508965aae8cd8de5b6ab5231 Mon Sep 17 00:00:00 2001 +From: Guy Harris <guy@alum.mit.edu> +Date: Sat, 18 Apr 2020 14:04:59 -0700 +Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer. + +The buffer should be big enough to hold the captured data, but it +doesn't need to be big enough to hold the entire on-the-network packet, +if we haven't captured all of it. + +(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334) + +CVE: CVE-2020-8037 +Upstream-Status: Backport +Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com> + +--- + print-ppp.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/print-ppp.c b/print-ppp.c +index 89176172..33fb0341 100644 +--- a/print-ppp.c ++++ b/print-ppp.c +@@ -1367,19 +1367,29 @@ trunc: + return 0; + } + ++/* ++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes. ++ * The length argument is the on-the-wire length, not the captured ++ * length; we can only un-escape the captured part. ++ */ + static void + ppp_hdlc(netdissect_options *ndo, + const u_char *p, int length) + { ++ u_int caplen = ndo->ndo_snapend - p; + u_char *b, *t, c; + const u_char *s; +- int i, proto; ++ u_int i; ++ int proto; + const void *se; + ++ if (caplen == 0) ++ return; ++ + if (length <= 0) + return; + +- b = (u_char *)malloc(length); ++ b = (u_char *)malloc(caplen); + if (b == NULL) + return; + +@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo, + * Do this so that we dont overwrite the original packet + * contents. + */ +- for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) { ++ for (s = p, t = b, i = caplen; i != 0; i--) { + c = *s++; + if (c == 0x7d) { +- if (i <= 1 || !ND_TTEST(*s)) ++ if (i <= 1) + break; + i--; + c = *s++ ^ 0x20; +-- +2.17.1 + diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch new file mode 100644 index 0000000000..5f5c68ccd6 --- /dev/null +++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch @@ -0,0 +1,111 @@ +From 8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Wed, 30 Sep 2020 11:37:30 -0700 +Subject: [PATCH] Handle very large -f files by rejecting them. + +_read(), on Windows, has a 32-bit size argument and a 32-bit return +value, so reject -f files that have more than 2^31-1 characters. + +Add some #defines so that, on Windows, we use _fstati64 to get the size +of that file, to handle large files. + +Don't assume that our definition for ssize_t is the same size as size_t; +by the time we want to print the return value of the read, we know it'll +fit into an int, so just cast it to int and print it with %d. + +(cherry picked from commit faf8fb70af3a013e5d662b8283dec742fd6b1a77) + +CVE: CVE-2022-25308 +Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86] + +Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com> + +--- + netdissect-stdinc.h | 16 +++++++++++++++- + tcpdump.c | 15 ++++++++++++--- + 2 files changed, 27 insertions(+), 4 deletions(-) + +diff --git a/netdissect-stdinc.h b/netdissect-stdinc.h +index 8282c5846..9941c2a16 100644 +--- a/netdissect-stdinc.h ++++ b/netdissect-stdinc.h +@@ -149,10 +149,17 @@ + #ifdef _MSC_VER + #define stat _stat + #define open _open +-#define fstat _fstat + #define read _read + #define close _close + #define O_RDONLY _O_RDONLY ++ ++/* ++ * We define our_fstat64 as _fstati64, and define our_statb as ++ * struct _stati64, so we get 64-bit file sizes. ++ */ ++#define our_fstat _fstati64 ++#define our_statb struct _stati64 ++ + #endif /* _MSC_VER */ + + /* +@@ -211,6 +218,13 @@ typedef char* caddr_t; + + #include <arpa/inet.h> + ++/* ++ * We should have large file support enabled, if it's available, ++ * so just use fstat as our_fstat and struct stat as our_statb. ++ */ ++#define our_fstat fstat ++#define our_statb struct stat ++ + #endif /* _WIN32 */ + + #ifndef HAVE___ATTRIBUTE__ +diff --git a/tcpdump.c b/tcpdump.c +index 043bda1d7..8f27ba2a4 100644 +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -108,6 +108,7 @@ The Regents of the University of California. All rights reserved.\n"; + #endif /* HAVE_CAP_NG_H */ + #endif /* HAVE_LIBCAP_NG */ + ++#include "netdissect-stdinc.h" + #include "netdissect.h" + #include "interface.h" + #include "addrtoname.h" +@@ -861,15 +862,22 @@ read_infile(char *fname) + { + register int i, fd, cc; + register char *cp; +- struct stat buf; ++ our_statb buf; + + fd = open(fname, O_RDONLY|O_BINARY); + if (fd < 0) + error("can't open %s: %s", fname, pcap_strerror(errno)); + +- if (fstat(fd, &buf) < 0) ++ if (our_fstat(fd, &buf) < 0) + error("can't stat %s: %s", fname, pcap_strerror(errno)); + ++ /* ++ * Reject files whose size doesn't fit into an int; a filter ++ * *that* large will probably be too big. ++ */ ++ if (buf.st_size > INT_MAX) ++ error("%s is too large", fname); ++ + cp = malloc((u_int)buf.st_size + 1); + if (cp == NULL) + error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1, +@@ -878,7 +886,8 @@ read_infile(char *fname) + if (cc < 0) + error("read %s: %s", fname, pcap_strerror(errno)); + if (cc != buf.st_size) +- error("short read %s (%d != %d)", fname, cc, (int)buf.st_size); ++ error("short read %s (%d != %d)", fname, (int) cc, ++ (int)buf.st_size); + + close(fd); + /* replace "# comment" with spaces */ diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb index 94543dd1da..66bf217751 100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb @@ -17,6 +17,8 @@ SRC_URI = " \ file://avoid-absolute-path-when-searching-for-libdlpi.patch \ file://add-ptest.patch \ file://run-ptest \ + file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \ + file://CVE-2018-16301.patch \ " SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae" @@ -49,3 +51,8 @@ do_install_append() { do_compile_ptest() { oe_runmake buildtest-TESTS } + +#https://nvd.nist.gov/vuln/detail/CVE-2020-8036 +#Introduce in 4.9 by 246ca110 Autosar SOME/IP protocol support +#which does not exist in 4.9.3 +CVE_CHECK_WHITELIST += "CVE-2020-8036" diff --git a/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch b/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch new file mode 100644 index 0000000000..3ca9a831f4 --- /dev/null +++ b/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch @@ -0,0 +1,37 @@ +From d3110859064b15408dbca1294dc7e31c2208504d Mon Sep 17 00:00:00 2001 +From: Gabriel Ganne <gabriel.ganne@gmail.com> +Date: Mon, 3 Aug 2020 08:26:38 +0200 +Subject: [PATCH] fix heap-buffer-overflow when DLT_JUNIPER_ETHER + +The test logic on datalen was inverted. + +Processing truncated packats should now raise a warning like the +following: + Warning: <pcap> was captured using a snaplen of 4 bytes. This may mean you have truncated packets. + +Fixes #616 #617 + +CVE: CVE-2020-24265 +CVE: CVE-2020-24266 +Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/d3110859064b15408dbca1294dc7e31c2208504d] + +Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com> +Signed-off-by: Akash Hadke <akash.hadke@kpit.com> +Signed-off-by: Akash Hadke <hadkeakash4@gmail.com> +--- + src/common/get.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/common/get.c b/src/common/get.c +index f9ee92d3..0517bf0a 100644 +--- a/src/common/get.c ++++ b/src/common/get.c +@@ -178,7 +178,7 @@ get_l2len(const u_char *pktdata, const int datalen, const int datalink) + break; + + case DLT_JUNIPER_ETHER: +- if (datalen >= 5) { ++ if (datalen < 5) { + l2_len = -1; + break; + } diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb index 39be950ad4..557d323311 100644 --- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb +++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb @@ -6,7 +6,8 @@ SECTION = "net" LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=890b830b22fd632e9ffd996df20338f8" -SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz" +SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz \ + file://CVE-2020-24265-and-CVE-2020-24266.patch" SRC_URI[md5sum] = "53b52bf64f0b6b9443428e657b37bc6b" SRC_URI[sha256sum] = "ed2402caa9434ff5c74b2e7b31178c73e7c7c5c4ea1e1d0e2e39a7dc46958fde" diff --git a/meta-networking/recipes-support/traceroute/traceroute_2.1.0.bb b/meta-networking/recipes-support/traceroute/traceroute_2.1.3.bb index 19bbf03f1d..c1ad203bc0 100644 --- a/meta-networking/recipes-support/traceroute/traceroute_2.1.0.bb +++ b/meta-networking/recipes-support/traceroute/traceroute_2.1.3.bb @@ -19,8 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/traceroute/traceroute/${BP}/${BP}.tar.gz \ file://filter-out-the-patches-from-subdirs.patch \ " -SRC_URI[md5sum] = "84d329d67abc3fb83fc8cb12aeaddaba" -SRC_URI[sha256sum] = "3669d22a34d3f38ed50caba18cd525ba55c5c00d5465f2d20d7472e5d81603b6" +SRC_URI[sha256sum] = "05ebc7aba28a9100f9bbae54ceecbf75c82ccf46bdfce8b5d64806459a7e0412" EXTRA_OEMAKE = "VPATH=${STAGING_LIBDIR}" diff --git a/meta-networking/recipes-support/unbound/unbound_1.9.4.bb b/meta-networking/recipes-support/unbound/unbound_1.9.4.bb index 6200214acb..f4b3c28ae4 100644 --- a/meta-networking/recipes-support/unbound/unbound_1.9.4.bb +++ b/meta-networking/recipes-support/unbound/unbound_1.9.4.bb @@ -9,7 +9,7 @@ SECTION = "net" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=5308494bc0590c0cb036afd781d78f06" -SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master \ +SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master;protocol=https \ file://0001-contrib-add-yocto-compatible-startup-scripts.patch \ " SRCREV="b60c4a472c856f0a98120b7259e991b3a6507eb5" diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch new file mode 100644 index 0000000000..1fc4a5fe38 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-0585-CVE-2023-2879.patch @@ -0,0 +1,93 @@ +From 5a7a80e139396c07d45e70d63c6d3974c50ae5e8 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sat, 13 May 2023 21:45:16 -0400 +Subject: GDSDB: Make sure our offset advances. + +add_uint_string() returns the next offset to use, not the number +of bytes consumed. So to consume all the bytes and make sure the +offset advances, return the entire reported tvb length, not the +number of bytes remaining. + +Fixup 8d3c2177793e900cfc7cfaac776a2807e4ea289f + +Fixes #19068 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/8d3c2177793e900cfc7cfaac776a2807e4ea289f && https://gitlab.com/wireshark/wireshark/-/commit/118815ca7c9f82c1f83f8f64d9e0e54673f31677] +CVE: CVE-2022-0585 & CVE-2023-2879 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-gdsdb.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-gdsdb.c b/epan/dissectors/packet-gdsdb.c +index 95fed7e..950d68f 100644 +--- a/epan/dissectors/packet-gdsdb.c ++++ b/epan/dissectors/packet-gdsdb.c +@@ -15,6 +15,7 @@ + #include "config.h" + + #include <epan/packet.h> ++#include <epan/expert.h> + + void proto_register_gdsdb(void); + void proto_reg_handoff_gdsdb(void); +@@ -182,6 +183,8 @@ static int hf_gdsdb_cursor_type = -1; + static int hf_gdsdb_sqlresponse_messages = -1; + #endif + ++static expert_field ei_gdsdb_invalid_length = EI_INIT; ++ + enum + { + op_void = 0, +@@ -474,7 +477,12 @@ static int add_uint_string(proto_tree *tree, int hf_string, tvbuff_t *tvb, int o + offset, 4, ENC_ASCII|ENC_BIG_ENDIAN); + length = dword_align(tvb_get_ntohl(tvb, offset))+4; + proto_item_set_len(ti, length); +- return offset + length; ++ int ret_offset = offset + length; ++ if (length < 4 || ret_offset < offset) { ++ expert_add_info_format(NULL, ti, &ei_gdsdb_invalid_length, "Invalid length: %d", length); ++ return tvb_reported_length(tvb); ++ } ++ return ret_offset; + } + + static int add_byte_array(proto_tree *tree, int hf_len, int hf_byte, tvbuff_t *tvb, int offset) +@@ -1407,7 +1415,12 @@ dissect_gdsdb(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U + offset, 4, ENC_BIG_ENDIAN); + + /* opcode < op_max */ ++ int old_offset = offset; + offset = gdsdb_handle_opcode[opcode](tvb, pinfo, gdsdb_tree, offset+4); ++ if (offset <= old_offset) { ++ expert_add_info(NULL, ti, &ei_gdsdb_invalid_length); ++ return tvb_reported_length_remaining(tvb, old_offset); ++ } + if (offset < 0) + { + /* But at this moment we don't know how much we will need */ +@@ -2022,12 +2035,20 @@ proto_register_gdsdb(void) + &ett_gdsdb_connect_pref + }; + ++/* Expert info */ ++ static ei_register_info ei[] = { ++ { &ei_gdsdb_invalid_length, { "gdsdb.invalid_length", PI_MALFORMED, PI_ERROR, ++ "Invalid length", EXPFILL }}, ++ }; ++ + proto_gdsdb = proto_register_protocol( + "Firebird SQL Database Remote Protocol", + "FB/IB GDS DB", "gdsdb"); + + proto_register_field_array(proto_gdsdb, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); ++ expert_module_t *expert_gdsdb = expert_register_protocol(proto_gdsdb); ++ expert_register_field_array(expert_gdsdb, ei, array_length(ei)); + } + + void +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch new file mode 100644 index 0000000000..938b7cf772 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2022-4345.patch @@ -0,0 +1,52 @@ +From 39db474f80af87449ce0f034522dccc80ed4153f Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 1 Dec 2022 20:46:15 -0500 +Subject: [PATCH] openflow_v6: Prevent infinite loops in too short ofp_stats + +The ofp_stats struct length field includes the fixed 4 bytes. +If the length is smaller than that, report the length error +and break out. In particular, a value of zero can cause +infinite loops if this isn't done. + + +(cherry picked from commit 13823bb1059cf70f401892ba1b1eaa2400cdf3db) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/39db474f80af87449ce0f034522dccc80ed4153f] +CVE: CVE-2022-4345 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + epan/dissectors/packet-openflow_v6.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-openflow_v6.c b/epan/dissectors/packet-openflow_v6.c +index f3bd0ef..96a3233 100644 +--- a/epan/dissectors/packet-openflow_v6.c ++++ b/epan/dissectors/packet-openflow_v6.c +@@ -1118,17 +1118,23 @@ dissect_openflow_v6_oxs(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, + static int + dissect_openflow_stats_v6(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset, guint16 length _U_) + { ++ proto_item *ti; + guint32 stats_length; + int oxs_end; + guint32 padding; + + proto_tree_add_item(tree, hf_openflow_v6_stats_reserved, tvb, offset, 2, ENC_NA); + +- proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length); ++ ti = proto_tree_add_item_ret_uint(tree, hf_openflow_v6_stats_length, tvb, offset+2, 2, ENC_BIG_ENDIAN, &stats_length); + + oxs_end = offset + stats_length; + offset+=4; + ++ if (stats_length < 4) { ++ expert_add_info(pinfo, ti, &ei_openflow_v6_length_too_short); ++ return offset; ++ } ++ + while (offset < oxs_end) { + offset = dissect_openflow_v6_oxs(tvb, pinfo, tree, offset, oxs_end - offset); + } +-- +2.40.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0667-pre1.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667-pre1.patch new file mode 100644 index 0000000000..e6fc158c3a --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667-pre1.patch @@ -0,0 +1,153 @@ +From 35418a73f7c9cefebe392b1ea0f012fccaf89801 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Wed, 19 Aug 2020 23:58:20 -0700 +Subject: [PATCH] Add format_text_string(), which gets the length with + strlen(). + +format_text(alloc, string, strlen(string)) is a common idiom; provide +format_text_string(), which does the strlen(string) for you. (Any +string used in a %s to set the text of a protocol tree item, if it was +directly extracted from the packet, should be run through a format_text +routine, to ensure that it's valid UTF-8 and that control characters are +handled correctly.) + +Update comments while we're at it. + +Change-Id: Ia8549efa1c96510ffce97178ed4ff7be4b02eb6e +Reviewed-on: https://code.wireshark.org/review/38202 +Petri-Dish: Guy Harris <gharris@sonic.net> +Tested-by: Petri Dish Buildbot +Reviewed-by: Guy Harris <gharris@sonic.net> + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/35418a73f7c9cefebe392b1ea0f012fccaf89801] +Comment: to backport fix for CVE-2023-0667, add function format_text_string(). +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/strutil.c | 33 ++++++++++++++++++++++++++++---- + epan/strutil.h | 51 ++++++++++++++++++++++++++++++++++++++++++++++---- + 2 files changed, 76 insertions(+), 8 deletions(-) + +diff --git a/epan/strutil.c b/epan/strutil.c +index 347a173..bc3b19e 100644 +--- a/epan/strutil.c ++++ b/epan/strutil.c +@@ -193,10 +193,11 @@ get_token_len(const guchar *linep, const guchar *lineend, + #define UNPOOP 0x1F4A9 + + /* +- * Given a string, expected to be in UTF-8 but possibly containing +- * invalid sequences (as it may have come from packet data), generate +- * a valid UTF-8 string from it, allocated with the specified wmem +- * allocator, that: ++ * Given a wmem scope, a not-necessarily-null-terminated string, ++ * expected to be in UTF-8 but possibly containing invalid sequences ++ * (as it may have come from packet data), and the length of the string, ++ * generate a valid UTF-8 string from it, allocated in the specified ++ * wmem scope, that: + * + * shows printable Unicode characters as themselves; + * +@@ -493,6 +494,30 @@ format_text(wmem_allocator_t* allocator, const guchar *string, size_t len) + return fmtbuf; + } + ++/** Given a wmem scope and a null-terminated string, expected to be in ++ * UTF-8 but possibly containing invalid sequences (as it may have come ++ * from packet data), and the length of the string, generate a valid ++ * UTF-8 string from it, allocated in the specified wmem scope, that: ++ * ++ * shows printable Unicode characters as themselves; ++ * ++ * shows non-printable ASCII characters as C-style escapes (octal ++ * if not one of the standard ones such as LF -> '\n'); ++ * ++ * shows non-printable Unicode-but-not-ASCII characters as ++ * their universal character names; ++ * ++ * shows illegal UTF-8 sequences as a sequence of bytes represented ++ * as C-style hex escapes; ++ * ++ * and return a pointer to it. ++ */ ++gchar * ++format_text_string(wmem_allocator_t* allocator, const guchar *string) ++{ ++ return format_text(allocator, string, strlen(string)); ++} ++ + /* + * Given a string, generate a string from it that shows non-printable + * characters as C-style escapes except a whitespace character +diff --git a/epan/strutil.h b/epan/strutil.h +index 2046cb0..705beb5 100644 +--- a/epan/strutil.h ++++ b/epan/strutil.h +@@ -46,18 +46,61 @@ WS_DLL_PUBLIC + int get_token_len(const guchar *linep, const guchar *lineend, + const guchar **next_token); + +-/** Given a string, generate a string from it that shows non-printable +- * characters as C-style escapes, and return a pointer to it. ++/** Given a wmem scope, a not-necessarily-null-terminated string, ++ * expected to be in UTF-8 but possibly containing invalid sequences ++ * (as it may have come from packet data), and the length of the string, ++ * generate a valid UTF-8 string from it, allocated in the specified ++ * wmem scope, that: ++ * ++ * shows printable Unicode characters as themselves; ++ * ++ * shows non-printable ASCII characters as C-style escapes (octal ++ * if not one of the standard ones such as LF -> '\n'); ++ * ++ * shows non-printable Unicode-but-not-ASCII characters as ++ * their universal character names; ++ * ++ * shows illegal UTF-8 sequences as a sequence of bytes represented ++ * as C-style hex escapes; ++ * ++ * and return a pointer to it. + * + * @param allocator The wmem scope +- * @param line A pointer to the input string ++ * @param string A pointer to the input string + * @param len The length of the input string + * @return A pointer to the formatted string + * + * @see tvb_format_text() + */ + WS_DLL_PUBLIC +-gchar* format_text(wmem_allocator_t* allocator, const guchar *line, size_t len); ++gchar* format_text(wmem_allocator_t* allocator, const guchar *string, size_t len); ++ ++/** Given a wmem scope and a null-terminated string, expected to be in ++ * UTF-8 but possibly containing invalid sequences (as it may have come ++ * from packet data), and the length of the string, generate a valid ++ * UTF-8 string from it, allocated in the specified wmem scope, that: ++ * ++ * shows printable Unicode characters as themselves; ++ * ++ * shows non-printable ASCII characters as C-style escapes (octal ++ * if not one of the standard ones such as LF -> '\n'); ++ * ++ * shows non-printable Unicode-but-not-ASCII characters as ++ * their universal character names; ++ * ++ * shows illegal UTF-8 sequences as a sequence of bytes represented ++ * as C-style hex escapes; ++ * ++ * and return a pointer to it. ++ * ++ * @param allocator The wmem scope ++ * @param string A pointer to the input string ++ * @return A pointer to the formatted string ++ * ++ * @see tvb_format_text() ++ */ ++WS_DLL_PUBLIC ++gchar* format_text_string(wmem_allocator_t* allocator, const guchar *string); + + /** + * Given a string, generate a string from it that shows non-printable +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch new file mode 100644 index 0000000000..3fc5296073 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0667.patch @@ -0,0 +1,66 @@ +From 85fbca8adb09ea8e1af635db3d92727fbfa1e28a Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 18 May 2023 18:06:36 -0400 +Subject: [PATCH] MS-MMS: Use format_text_string() + +The length of a string transcoded from UTF-16 to UTF-8 can be +shorter (or longer) than the original length in bytes in the packet. +Use the new string length, not the original length. + +Use format_text_string, which is a convenience function that +calls strlen. + +Fix #19086 + +(cherry picked from commit 1c45a899f83fa88e60ab69936bea3c4754e7808b) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/85fbca8adb09ea8e1af635db3d92727fbfa1e28a] +CVE: CVE-2023-0667 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-ms-mms.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/epan/dissectors/packet-ms-mms.c b/epan/dissectors/packet-ms-mms.c +index db1d2cc..3d5c7ee 100644 +--- a/epan/dissectors/packet-ms-mms.c ++++ b/epan/dissectors/packet-ms-mms.c +@@ -739,7 +739,7 @@ static void dissect_client_transport_info(tvbuff_t *tvb, packet_info *pinfo, pro + transport_info, "Transport: (%s)", transport_info); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (guchar*)transport_info, length_remaining - 20)); ++ format_text_string(pinfo->pool, (const guchar*)transport_info)); + + + /* Try to extract details from this string */ +@@ -836,7 +836,7 @@ static void dissect_server_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *t + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_version); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (version='%s')", +- format_text(wmem_packet_scope(), (const guchar*)server_version, strlen(server_version))); ++ format_text_string(pinfo->pool, (const guchar*)server_version)); + } + offset += (server_version_length*2); + +@@ -890,7 +890,7 @@ static void dissect_client_player_info(tvbuff_t *tvb, packet_info *pinfo, proto_ + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &player_info); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (const guchar*)player_info, strlen(player_info))); ++ format_text_string(pinfo->pool, (const guchar*)player_info)); + } + + /* Dissect info about where client wants to start playing from */ +@@ -965,7 +965,7 @@ static void dissect_request_server_file(tvbuff_t *tvb, packet_info *pinfo, proto + ENC_UTF_16|ENC_LITTLE_ENDIAN, wmem_packet_scope(), &server_file); + + col_append_fstr(pinfo->cinfo, COL_INFO, " (%s)", +- format_text(wmem_packet_scope(), (const guchar*)server_file, strlen(server_file))); ++ format_text_string(pinfo->pool, (const guchar*)server_file)); + } + + /* Dissect media details from server */ +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch new file mode 100644 index 0000000000..42f8108301 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-0668.patch @@ -0,0 +1,33 @@ +From c4f37d77b29ec6a9754795d0efb6f68d633728d9 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sat, 20 May 2023 23:08:08 -0400 +Subject: [PATCH] synphasor: Use val_to_str_const + +Don't use a value from packet data to directly index a value_string, +particularly when the value string doesn't cover all possible values. + +Fix #19087 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/c4f37d77b29ec6a9754795d0efb6f68d633728d9] +CVE: CVE-2023-0668 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-synphasor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/epan/dissectors/packet-synphasor.c b/epan/dissectors/packet-synphasor.c +index 2d2f4ad..47120f5 100644 +--- a/epan/dissectors/packet-synphasor.c ++++ b/epan/dissectors/packet-synphasor.c +@@ -1130,7 +1130,7 @@ static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint c + + data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4, + ett_conf_phflags, NULL, "Phasor Data flags: %s", +- conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr); ++ val_to_str_const(tvb_get_guint8(tvb, offset + 2), conf_phasor_type, "Unknown")); + + /* first and second bytes - phasor modification flags*/ + phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags, +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-1992.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-1992.patch new file mode 100644 index 0000000000..2fbef6bae0 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-1992.patch @@ -0,0 +1,62 @@ +From 3c8be14c827f1587da3c2b3bb0d9c04faff57413 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sun, 19 Mar 2023 15:16:39 -0400 +Subject: [PATCH] RPCoRDMA: Frame end cleanup for global write offsets + +Add a frame end routine for a global which is assigned to packet +scoped memory. It really should be made proto data, but is used +in a function in the header (that doesn't take the packet info +struct as an argument) and this fix needs to be made in stable +branches. + +Fix #18852 +--- +Upstream-Status: Backport from [https://gitlab.com/colin.mcinnes/wireshark/-/commit/3c8be14c827f1587da3c2b3bb0d9c04faff57413] +CVE: CVE-2023-1992 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + epan/dissectors/packet-rpcrdma.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/epan/dissectors/packet-rpcrdma.c b/epan/dissectors/packet-rpcrdma.c +index 680187b2653..3f250f0ea1c 100644 +--- a/epan/dissectors/packet-rpcrdma.c ++++ b/epan/dissectors/packet-rpcrdma.c +@@ -24,6 +24,7 @@ + #include <epan/addr_resolv.h> + + #include "packet-rpcrdma.h" ++#include "packet-frame.h" + #include "packet-infiniband.h" + #include "packet-iwarp-ddp-rdmap.h" + +@@ -285,6 +286,18 @@ void rpcrdma_insert_offset(gint offset) + wmem_array_append_one(gp_rdma_write_offsets, offset); + } + ++/* ++ * Reset the array of write offsets at the end of the frame. These ++ * are packet scoped, so they don't need to be freed, but we want ++ * to ensure that the global doesn't point to no longer allocated ++ * memory in a later packet. ++ */ ++static void ++reset_write_offsets(void) ++{ ++ gp_rdma_write_offsets = NULL; ++} ++ + /* Get conversation state, it is created if it does not exist */ + static rdma_conv_info_t *get_rdma_conv_info(packet_info *pinfo) + { +@@ -1600,6 +1613,7 @@ dissect_rpcrdma(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data + if (write_size > 0 && !pinfo->fd->visited) { + /* Initialize array of write chunk offsets */ + gp_rdma_write_offsets = wmem_array_new(wmem_packet_scope(), sizeof(gint)); ++ register_frame_end_routine(pinfo, reset_write_offsets); + TRY { + /* + * Call the upper layer dissector to get a list of offsets +-- +GitLab + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch new file mode 100644 index 0000000000..a6370f91cf --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2855.patch @@ -0,0 +1,117 @@ +From 0181fafb2134a177328443a60b5e29c4ee1041cb Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Tue, 16 May 2023 12:05:07 -0700 +Subject: [PATCH] candump: check for a too-long frame length. + +If the frame length is longer than the maximum, report an error in the +file. + +Fixes #19062, preventing the overflow on a buffer on the stack (assuming +your compiler doesn't call a bounds-checknig version of memcpy() if the +size of the target space is known). + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/0181fafb2134a177328443a60b5e29c4ee1041cb] +CVE: CVE-2023-2855 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/candump.c | 47 ++++++++++++++++++++++++++++++++++------------- + 1 file changed, 34 insertions(+), 13 deletions(-) + +diff --git a/wiretap/candump.c b/wiretap/candump.c +index 3eb17dd..954b509 100644 +--- a/wiretap/candump.c ++++ b/wiretap/candump.c +@@ -26,8 +26,9 @@ static gboolean candump_seek_read(wtap *wth, gint64 seek_off, + wtap_rec *rec, Buffer *buf, + int *err, gchar **err_info); + +-static void +-candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) ++static gboolean ++candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg, int *err, ++ gchar **err_info) + { + static const char *can_proto_name = "can-hostendian"; + static const char *canfd_proto_name = "canfd"; +@@ -57,9 +58,20 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + + if (msg->is_fd) + { +- canfd_frame_t canfd_frame; ++ canfd_frame_t canfd_frame = {0}; ++ ++ /* ++ * There's a maximum of CANFD_MAX_DLEN bytes in a CAN-FD frame. ++ */ ++ if (msg->data.length > CANFD_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN FD packet, bigger than maximum of %u", ++ msg->data.length, CANFD_MAX_DLEN); ++ } ++ return FALSE; ++ } + +- memset(&canfd_frame, 0, sizeof(canfd_frame)); + canfd_frame.can_id = msg->id; + canfd_frame.flags = msg->flags; + canfd_frame.len = msg->data.length; +@@ -69,10 +81,21 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + } + else + { +- can_frame_t can_frame; ++ can_frame_t can_frame = {0}; ++ ++ /* ++ * There's a maximum of CAN_MAX_DLEN bytes in a CAN frame. ++ */ ++ if (msg->data.length > CAN_MAX_DLEN) { ++ *err = WTAP_ERR_BAD_FILE; ++ if (err_info != NULL) { ++ *err_info = g_strdup_printf("candump: File has %u-byte CAN packet, bigger than maximum of %u", ++ msg->data.length, CAN_MAX_DLEN); ++ } ++ return FALSE; ++ } + +- memset(&can_frame, 0, sizeof(can_frame)); +- can_frame.can_id = msg->id; ++ can_frame.can_id = msg->id; + can_frame.can_dlc = msg->data.length; + memcpy(can_frame.data, msg->data.data, msg->data.length); + +@@ -86,6 +109,8 @@ candump_write_packet(wtap_rec *rec, Buffer *buf, const msg_t *msg) + + rec->rec_header.packet_header.caplen = packet_length; + rec->rec_header.packet_header.len = packet_length; ++ ++ return TRUE; + } + + static gboolean +@@ -193,9 +218,7 @@ candump_read(wtap *wth, wtap_rec *rec, Buffer *buf, int *err, gchar **err_info, + ws_debug_printf("%s: Stopped at offset %" PRIi64 "\n", G_STRFUNC, file_tell(wth->fh)); + #endif + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + static gboolean +@@ -219,9 +242,7 @@ candump_seek_read(wtap *wth , gint64 seek_off, wtap_rec *rec, + if (!candump_parse(wth->random_fh, &msg, NULL, err, err_info)) + return FALSE; + +- candump_write_packet(rec, buf, &msg); +- +- return TRUE; ++ return candump_write_packet(rec, buf, &msg, err, err_info); + } + + /* +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch new file mode 100644 index 0000000000..1fb75353b4 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2856.patch @@ -0,0 +1,68 @@ +From db5135826de3a5fdb3618225c2ff02f4207012ca Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Thu, 18 May 2023 15:03:23 -0700 +Subject: [PATCH] vms: fix the search for the packet length field. + +The packet length field is of the form + + Total Length = DDD = ^xXXX + +where "DDD" is the length in decimal and "XXX" is the length in +hexadecimal. + +Search for "length ". not just "Length", as we skip past "Length ", not +just "Length", so if we assume we found "Length " but only found +"Length", we'd skip past the end of the string. + +While we're at it, fail if we don't find a length field, rather than +just blithely acting as if the packet length were zero. + +Fixes #19083. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/db5135826de3a5fdb3618225c2ff02f4207012ca] +CVE: CVE-2023-2856 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/vms.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/wiretap/vms.c b/wiretap/vms.c +index 84e3def..fa77689 100644 +--- a/wiretap/vms.c ++++ b/wiretap/vms.c +@@ -310,6 +310,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + { + char line[VMS_LINE_LENGTH + 1]; + int num_items_scanned; ++ gboolean have_pkt_len = FALSE; + guint32 pkt_len = 0; + int pktnum; + int csec = 101; +@@ -366,7 +367,7 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + return FALSE; + } + } +- if ( (! pkt_len) && (p = strstr(line, "Length"))) { ++ if ( (! have_pkt_len) && (p = strstr(line, "Length "))) { + p += sizeof("Length "); + while (*p && ! g_ascii_isdigit(*p)) + p++; +@@ -382,9 +383,15 @@ parse_vms_packet(FILE_T fh, wtap_rec *rec, Buffer *buf, int *err, gchar **err_in + *err_info = g_strdup_printf("vms: Length field '%s' not valid", p); + return FALSE; + } ++ have_pkt_len = TRUE; + break; + } + } while (! isdumpline(line)); ++ if (! have_pkt_len) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup_printf("vms: Length field not found"); ++ return FALSE; ++ } + if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; return an error, +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch new file mode 100644 index 0000000000..150b4609bb --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2858.patch @@ -0,0 +1,94 @@ +From cb190d6839ddcd4596b0205844f45553f1e77105 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Fri, 19 May 2023 16:29:45 -0700 +Subject: [PATCH] netscaler: add more checks to make sure the record is within + the page. + +Whie we're at it, restructure some other checks to test-before-casting - +it's OK to test afterwards, but testing before makes it follow the +pattern used elsewhere. + +Fixes #19081. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/cb190d6839ddcd4596b0205844f45553f1e77105] +CVE: CVE-2023-2858 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/netscaler.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/wiretap/netscaler.c b/wiretap/netscaler.c +index 93da9a2..f835dfa 100644 +--- a/wiretap/netscaler.c ++++ b/wiretap/netscaler.c +@@ -1082,13 +1082,13 @@ static gboolean nstrace_set_start_time(wtap *wth, int *err, gchar **err_info) + + #define PACKET_DESCRIBE(rec,buf,FULLPART,fullpart,ver,type,HEADERVER) \ + do {\ +- nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace_buflen - nstrace_buf_offset) < sizeof *type) {\ ++ if ((nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_pktrace##fullpart##_v##ver##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + return FALSE;\ + }\ ++ nspr_pktrace##fullpart##_v##ver##_t *type = (nspr_pktrace##fullpart##_v##ver##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Check sanity of record size */\ + if (pletoh16(&type->nsprRecordSize) < sizeof *type) {\ + *err = WTAP_ERR_BAD_FILE;\ +@@ -1153,6 +1153,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_ABSTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1166,6 +1168,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + case NSPR_RELTIME_V10: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1183,6 +1187,8 @@ static gboolean nstrace_read_v10(wtap *wth, wtap_rec *rec, Buffer *buf, + + default: + { ++ if (!nstrace_ensure_buflen(nstrace, nstrace_buf_offset, sizeof(nspr_pktracefull_v10_t), err, err_info)) ++ return FALSE; + nspr_pktracefull_v10_t *fp = (nspr_pktracefull_v10_t *) &nstrace_buf[nstrace_buf_offset]; + if (pletoh16(&fp->nsprRecordSize) == 0) { + *err = WTAP_ERR_BAD_FILE; +@@ -1466,14 +1472,14 @@ static gboolean nstrace_read_v20(wtap *wth, wtap_rec *rec, Buffer *buf, + + #define PACKET_DESCRIBE(rec,buf,FULLPART,ver,enumprefix,type,structname,HEADERVER)\ + do {\ +- nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + /* Make sure the record header is entirely contained in the page */\ +- if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof *fp) {\ ++ if ((nstrace->nstrace_buflen - nstrace_buf_offset) < sizeof(nspr_##structname##_t)) {\ + *err = WTAP_ERR_BAD_FILE;\ + *err_info = g_strdup("nstrace: record header crosses page boundary");\ + g_free(nstrace_tmpbuff);\ + return FALSE;\ + }\ ++ nspr_##structname##_t *fp = (nspr_##structname##_t *) &nstrace_buf[nstrace_buf_offset];\ + (rec)->rec_type = REC_TYPE_PACKET;\ + TIMEDEFV##ver((rec),fp,type);\ + FULLPART##SIZEDEFV##ver((rec),fp,ver);\ +@@ -1580,7 +1586,6 @@ static gboolean nstrace_read_v30(wtap *wth, wtap_rec *rec, Buffer *buf, + g_free(nstrace_tmpbuff); + return FALSE; + } +- + hdp = (nspr_hd_v20_t *) &nstrace_buf[nstrace_buf_offset]; + if (nspr_getv20recordsize(hdp) == 0) { + *err = WTAP_ERR_BAD_FILE; +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2906.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2906.patch new file mode 100644 index 0000000000..3a81a3c714 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2906.patch @@ -0,0 +1,38 @@ +From 44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d Mon Sep 17 00:00:00 2001 +From: Jaap Keuter <jaap.keuter@xs4all.nl> +Date: Thu, 27 Jul 2023 20:21:19 +0200 +Subject: [PATCH] CP2179: Handle timetag info response without records + +Fixes #19229 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/44dc70cc5aadca91cb8ba3710c59c3651b7b0d4d] +CVE: CVE-2023-2906 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-cp2179.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/epan/dissectors/packet-cp2179.c b/epan/dissectors/packet-cp2179.c +index 142cac3..9fc9a47 100644 +--- a/epan/dissectors/packet-cp2179.c ++++ b/epan/dissectors/packet-cp2179.c +@@ -721,11 +721,14 @@ dissect_response_frame(tvbuff_t *tvb, proto_tree *tree, packet_info *pinfo, int + proto_tree_add_item(cp2179_proto_tree, hf_cp2179_timetag_numsets, tvb, offset, 1, ENC_LITTLE_ENDIAN); + + num_records = tvb_get_guint8(tvb, offset) & 0x7F; ++ offset += 1; ++ ++ if (num_records == 0 || numberofcharacters <= 1) ++ break; ++ + recordsize = (numberofcharacters-1) / num_records; + num_values = (recordsize-6) / 2; /* Determine how many 16-bit analog values are present in each event record */ + +- offset += 1; +- + for (x = 0; x < num_records; x++) + { + cp2179_event_tree = proto_tree_add_subtree_format(cp2179_proto_tree, tvb, offset, recordsize, ett_cp2179_event, NULL, "Event Record # %d", x+1); +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch new file mode 100644 index 0000000000..82098271ec --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-2952.patch @@ -0,0 +1,97 @@ +From ce87eac0325581b600b3093fcd75080df14ccfda Mon Sep 17 00:00:00 2001 +From: Gerald Combs <gerald@wireshark.org> +Date: Tue, 23 May 2023 13:52:03 -0700 +Subject: [PATCH] XRA: Fix an infinite loop + +C compilers don't care what size a value was on the wire. Use +naturally-sized ints, including in dissect_message_channel_mb where we +would otherwise overflow and loop infinitely. + +Fixes #19100 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/e18d0e369729b0fff5f76f41cbae67e97c2e52e5] +CVE: CVE-2023-2952 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-xra.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/epan/dissectors/packet-xra.c b/epan/dissectors/packet-xra.c +index f59d899..6c1445f 100644 +--- a/epan/dissectors/packet-xra.c ++++ b/epan/dissectors/packet-xra.c +@@ -478,7 +478,7 @@ dissect_xra_tlv_cw_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_cw_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_cw_info_tree = proto_item_add_subtree (it, ett_xra_tlv_cw_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -533,7 +533,7 @@ dissect_xra_tlv_ms_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, guint + it = proto_tree_add_item (tree, hf_xra_tlv_ms_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_ms_info_tree = proto_item_add_subtree (it, ett_xra_tlv_ms_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -567,7 +567,7 @@ dissect_xra_tlv_burst_info(tvbuff_t * tvb, proto_tree * tree, void* data _U_, gu + it = proto_tree_add_item (tree, hf_xra_tlv_burst_info, tvb, 0, tlv_length, ENC_NA); + xra_tlv_burst_info_tree = proto_item_add_subtree (it, ett_xra_tlv_burst_info); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + while (tlv_index < tlv_length) { + guint8 type = tvb_get_guint8 (tvb, tlv_index); + ++tlv_index; +@@ -607,7 +607,7 @@ dissect_xra_tlv(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* da + it = proto_tree_add_item (tree, hf_xra_tlv, tvb, 0, tlv_length, ENC_NA); + xra_tlv_tree = proto_item_add_subtree (it, ett_xra_tlv); + +- guint32 tlv_index =0; ++ unsigned tlv_index = 0; + tvbuff_t *xra_tlv_cw_info_tvb, *xra_tlv_ms_info_tvb, *xra_tlv_burst_info_tvb; + + while (tlv_index < tlv_length) { +@@ -751,7 +751,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + if(packet_start_pointer_field_present) { + proto_tree_add_item_ret_uint (tree, hf_plc_mb_mc_psp, tvb, 1, 2, FALSE, &packet_start_pointer); + +- guint16 docsis_start = 3 + packet_start_pointer; ++ unsigned docsis_start = 3 + packet_start_pointer; + while (docsis_start + 6 < remaining_length) { + /*DOCSIS header in packet*/ + guint8 fc = tvb_get_guint8(tvb,docsis_start + 0); +@@ -760,7 +760,7 @@ dissect_message_channel_mb(tvbuff_t * tvb, packet_info * pinfo, proto_tree* tree + docsis_start += 1; + continue; + } +- guint16 docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); ++ unsigned docsis_length = 256*tvb_get_guint8(tvb,docsis_start + 2) + tvb_get_guint8(tvb,docsis_start + 3); + if (docsis_start + 6 + docsis_length <= remaining_length) { + /*DOCSIS packet included in packet*/ + tvbuff_t *docsis_tvb; +@@ -830,7 +830,7 @@ dissect_ncp_message_block(tvbuff_t * tvb, proto_tree * tree) { + static int + dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _U_) { + +- guint16 offset = 0; ++ int offset = 0; + proto_tree *plc_tree; + proto_item *plc_item; + tvbuff_t *mb_tvb; +@@ -890,7 +890,7 @@ dissect_plc(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree, void* data _ + + static int + dissect_ncp(tvbuff_t * tvb, proto_tree * tree, void* data _U_) { +- guint16 offset = 0; ++ int offset = 0; + proto_tree *ncp_tree; + proto_item *ncp_item; + tvbuff_t *ncp_mb_tvb; +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch new file mode 100644 index 0000000000..5e92bd8a28 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-3649.patch @@ -0,0 +1,231 @@ +From 75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Sat, 24 Jun 2023 00:34:50 -0400 +Subject: [PATCH] iscsi: Check bounds when extracting TargetAddress + +Use tvb_ functions that do bounds checking when parsing the +TargetAddress string, instead of incrementing a pointer to an +extracted char* and sometimes accidentally overrunning the +string. + +While we're there, go ahead and add support for IPv6 addresses. + +Fix #19164 + +(backported from commit 94349bbdaeb384b12d554dd65e7be7ceb0e93d21) + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/75e0ffcb42f3816e5f2fdef12f3c9ae906130b0c] +CVE: CVE-2023-3649 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-iscsi.c | 146 +++++++++++++++++---------------- + 1 file changed, 75 insertions(+), 71 deletions(-) + +diff --git a/epan/dissectors/packet-iscsi.c b/epan/dissectors/packet-iscsi.c +index 8a80f49..08f44a8 100644 +--- a/epan/dissectors/packet-iscsi.c ++++ b/epan/dissectors/packet-iscsi.c +@@ -20,8 +20,6 @@ + + #include "config.h" + +-#include <stdio.h> +- + #include <epan/packet.h> + #include <epan/prefs.h> + #include <epan/conversation.h> +@@ -29,6 +27,7 @@ + #include "packet-scsi.h" + #include <epan/crc32-tvb.h> + #include <wsutil/crc32.h> ++#include <wsutil/inet_addr.h> + #include <wsutil/strtoi.h> + + void proto_register_iscsi(void); +@@ -512,70 +511,81 @@ typedef struct _iscsi_conv_data { + dissector for the address/port that TargetAddress points to. + (it starts to be common to use redirectors to point to non-3260 ports) + */ ++static address null_address = ADDRESS_INIT_NONE; ++ + static void +-iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, char *val, guint offset) ++iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, guint offset) + { +- address *addr = NULL; ++ address addr = ADDRESS_INIT_NONE; + guint16 port; +- char *value = wmem_strdup(wmem_packet_scope(), val); +- char *p = NULL, *pgt = NULL; +- +- if (value[0] == '[') { +- /* this looks like an ipv6 address */ +- p = strchr(value, ']'); +- if (p != NULL) { +- *p = 0; +- p += 2; /* skip past "]:" */ +- +- pgt = strchr(p, ','); +- if (pgt != NULL) { +- *pgt++ = 0; +- } ++ int colon_offset; ++ int end_offset; ++ char *ip_str, *port_str; ++ ++ colon_offset = tvb_find_guint8(tvb, offset, -1, ':'); ++ if (colon_offset == -1) { ++ /* RFC 7143 13.8 TargetAddress "If the TCP port is not specified, ++ * it is assumed to be the IANA-assigned default port for iSCSI", ++ * so nothing to do here. ++ */ ++ return; ++ } + +- /* can't handle ipv6 yet */ ++ /* We found a colon, so there's at least one byte and this won't fail. */ ++ if (tvb_get_guint8(tvb, offset) == '[') { ++ offset++; ++ /* could be an ipv6 address */ ++ end_offset = tvb_find_guint8(tvb, offset, -1, ']'); ++ if (end_offset == -1) { ++ return; + } +- } else { +- /* This is either a ipv4 address or a dns name */ +- int i0,i1,i2,i3; +- if (sscanf(value, "%d.%d.%d.%d", &i0,&i1,&i2,&i3) == 4) { +- /* looks like a ipv4 address */ +- p = strchr(value, ':'); +- if (p != NULL) { +- char *addr_data; +- +- *p++ = 0; +- +- pgt = strchr(p, ','); +- if (pgt != NULL) { +- *pgt++ = 0; +- } + +- addr_data = (char *) wmem_alloc(wmem_packet_scope(), 4); +- addr_data[0] = i0; +- addr_data[1] = i1; +- addr_data[2] = i2; +- addr_data[3] = i3; +- +- addr = wmem_new(wmem_packet_scope(), address); +- addr->type = AT_IPv4; +- addr->len = 4; +- addr->data = addr_data; ++ /* look for the colon before the port, if any */ ++ colon_offset = tvb_find_guint8(tvb, end_offset, -1, ':'); ++ if (colon_offset == -1) { ++ return; ++ } + +- if (!ws_strtou16(p, NULL, &port)) { +- proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid, +- tvb, offset + (guint)strlen(value), (guint)strlen(p), "Invalid port: %s", p); +- } +- } ++ ws_in6_addr *ip6_addr = wmem_new(pinfo->pool, ws_in6_addr); ++ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, end_offset - offset, ENC_ASCII); ++ if (ws_inet_pton6(ip_str, ip6_addr)) { ++ /* looks like a ipv6 address */ ++ set_address(&addr, AT_IPv6, sizeof(ws_in6_addr), ip6_addr); ++ } + ++ } else { ++ /* This is either a ipv4 address or a dns name */ ++ ip_str = tvb_get_string_enc(pinfo->pool, tvb, offset, colon_offset - offset, ENC_ASCII); ++ ws_in4_addr *ip4_addr = wmem_new(pinfo->pool, ws_in4_addr); ++ if (ws_inet_pton4(ip_str, ip4_addr)) { ++ /* looks like a ipv4 address */ ++ set_address(&addr, AT_IPv4, 4, ip4_addr); + } ++ /* else a DNS host name; we could, theoretically, try to use ++ * name resolution information in the capture to lookup the address. ++ */ + } + ++ /* Extract the port */ ++ end_offset = tvb_find_guint8(tvb, colon_offset, -1, ','); ++ int port_len; ++ if (end_offset == -1) { ++ port_len = tvb_reported_length_remaining(tvb, colon_offset + 1); ++ } else { ++ port_len = end_offset - (colon_offset + 1); ++ } ++ port_str = tvb_get_string_enc(pinfo->pool, tvb, colon_offset + 1, port_len, ENC_ASCII); ++ if (!ws_strtou16(port_str, NULL, &port)) { ++ proto_tree_add_expert_format(tree, pinfo, &ei_iscsi_keyvalue_invalid, ++ tvb, colon_offset + 1, port_len, "Invalid port: %s", port_str); ++ return; ++ } + + /* attach a conversation dissector to this address/port tuple */ +- if (addr && !pinfo->fd->visited) { ++ if (!addresses_equal(&addr, &null_address) && !pinfo->fd->visited) { + conversation_t *conv; + +- conv = conversation_new(pinfo->num, addr, addr, ENDPOINT_TCP, port, port, NO_ADDR2|NO_PORT2); ++ conv = conversation_new(pinfo->num, &addr, &null_address, ENDPOINT_TCP, port, 0, NO_ADDR2|NO_PORT2); + if (conv == NULL) { + return; + } +@@ -587,30 +597,24 @@ iscsi_dissect_TargetAddress(packet_info *pinfo, tvbuff_t* tvb, proto_tree *tree, + static gint + addTextKeys(packet_info *pinfo, proto_tree *tt, tvbuff_t *tvb, gint offset, guint32 text_len) { + const gint limit = offset + text_len; ++ tvbuff_t *keyvalue_tvb; ++ int len, value_offset; + + while(offset < limit) { +- char *key = NULL, *value = NULL; +- gint len = tvb_strnlen(tvb, offset, limit - offset); +- +- if(len == -1) { +- len = limit - offset; +- } else { +- len = len + 1; +- } +- +- key = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, len, ENC_ASCII); +- if (key == NULL) { +- break; +- } +- value = strchr(key, '='); +- if (value == NULL) { ++ /* RFC 7143 6.1 Text Format: "Every key=value pair, including the ++ * last or only pair in a LTDS, MUST be followed by one null (0x00) ++ * delimiter. ++ */ ++ proto_tree_add_item_ret_length(tt, hf_iscsi_KeyValue, tvb, offset, -1, ENC_ASCII, &len); ++ keyvalue_tvb = tvb_new_subset_length(tvb, offset, len); ++ value_offset = tvb_find_guint8(keyvalue_tvb, 0, len, '='); ++ if (value_offset == -1) { + break; + } +- *value++ = 0; ++ value_offset++; + +- proto_tree_add_item(tt, hf_iscsi_KeyValue, tvb, offset, len, ENC_ASCII|ENC_NA); +- if (!strcmp(key, "TargetAddress")) { +- iscsi_dissect_TargetAddress(pinfo, tvb, tt, value, offset + (guint)strlen("TargetAddress") + 2); ++ if (tvb_strneql(keyvalue_tvb, 0, "TargetAddress=", strlen("TargetAddress=")) == 0) { ++ iscsi_dissect_TargetAddress(pinfo, keyvalue_tvb, tt, value_offset); + } + + offset += len; +@@ -2941,7 +2945,7 @@ proto_register_iscsi(void) + }, + { &hf_iscsi_KeyValue, + { "KeyValue", "iscsi.keyvalue", +- FT_STRING, BASE_NONE, NULL, 0, ++ FT_STRINGZ, BASE_NONE, NULL, 0, + "Key/value pair", HFILL } + }, + { &hf_iscsi_Text_F, +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch new file mode 100644 index 0000000000..fbbdf0cfc3 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-4511.patch @@ -0,0 +1,81 @@ +From ef9c79ae81b00a63aa8638076ec81dc9482972e9 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 10 Aug 2023 05:29:09 -0400 +Subject: [PATCH] btsdp: Keep offset advancing + +hf_data_element_value is a FT_NONE, so we can add the item with +the expected length and get_hfi_length() will adjust the length +without throwing an exception. There's no need to add it with +zero length and call proto_item_set_len. Also, don't increment +the offset by 0 instead of the real length when there isn't +enough data in the packet, as that can lead to failing to advance +the offset. + +When dissecting a sequence type (sequence or alternative) and +recursing into the sequence member, instead of using the main +packet tvb directly, create a subset using the indicated length +of the sequence. That will properly throw an exception if a +contained item is larger than the containing sequence, instead of +dissecting the same bytes as several different items (inside +the sequence recursively, as well in the outer loop.) + +Fix #19258 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/ef9c79ae81b00a63aa8638076ec81dc9482972e9] +CVE: CVE-2023-4511 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + epan/dissectors/packet-btsdp.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/epan/dissectors/packet-btsdp.c b/epan/dissectors/packet-btsdp.c +index 529bb71..f18d531 100644 +--- a/epan/dissectors/packet-btsdp.c ++++ b/epan/dissectors/packet-btsdp.c +@@ -1925,13 +1925,11 @@ dissect_data_element(proto_tree *tree, proto_tree **next_tree, + offset += len - length; + } + +- pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, 0, ENC_NA); ++ pitem = proto_tree_add_item(ptree, hf_data_element_value, tvb, offset, length, ENC_NA); + if (length > tvb_reported_length_remaining(tvb, offset)) { + expert_add_info(pinfo, pitem, &ei_data_element_value_large); +- length = 0; +- } +- proto_item_set_len(pitem, length); +- if (length == 0) ++ proto_item_append_text(pitem, ": MISSING"); ++ } else if (length == 0) + proto_item_append_text(pitem, ": MISSING"); + + if (next_tree) *next_tree = proto_item_add_subtree(pitem, ett_btsdp_data_element_value); +@@ -3523,6 +3521,8 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, + gint bytes_to_go = size; + gint first = 1; + wmem_strbuf_t *substr; ++ tvbuff_t *next_tvb = tvb_new_subset_length(tvb, offset, size); ++ gint next_offset = 0; + + ti = proto_tree_add_item(next_tree, (type == 6) ? hf_data_element_value_sequence : hf_data_element_value_alternative, + tvb, offset, size, ENC_NA); +@@ -3537,14 +3537,15 @@ dissect_sdp_type(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, + first = 0; + } + +- size = dissect_sdp_type(st, pinfo, tvb, offset, attribute, service_uuid, ++ size = dissect_sdp_type(st, pinfo, next_tvb, next_offset, ++ attribute, service_uuid, + service_did_vendor_id, service_did_vendor_id_source, + service_hdp_data_exchange_specification, service_info, &substr); + if (size < 1) { + break; + } + wmem_strbuf_append_printf(info_buf, "%s ", wmem_strbuf_get_str(substr)); +- offset += size ; ++ next_offset += size; + bytes_to_go -= size; + } + +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2023-6175.patch b/meta-networking/recipes-support/wireshark/files/CVE-2023-6175.patch new file mode 100644 index 0000000000..a08610f8d2 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2023-6175.patch @@ -0,0 +1,246 @@ +From 2d59b26d3b554960c777003c431add89d018b0a6 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Tue, 17 Oct 2023 22:08:42 -0700 +Subject: [PATCH] netscreen: do bounds checking for each byte of packet data. + +Make sure each byte we add to the packet data from the file fits in the +buffer, rather than stuffing bytes into the buffer and checking +afterwards. + +This prevents a buffer overflow. + +Fixes #19404, which was filed as part of Trend Micro's Zero Day +Initiative as ZDI-CAN-22164. + +While we're at it, expand a comment and make error messages give some +more detail. + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/3be1c99180a6fc48c34ae4bfc79bfd840b29ae3e] +CVE: CVE-2023-6175 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + wiretap/netscreen.c | 125 +++++++++++++++++++++++++++++++++----------- + 1 file changed, 94 insertions(+), 31 deletions(-) + +diff --git a/wiretap/netscreen.c b/wiretap/netscreen.c +index 9ad825f..ffcb689 100644 +--- a/wiretap/netscreen.c ++++ b/wiretap/netscreen.c +@@ -59,7 +59,12 @@ static gboolean netscreen_seek_read(wtap *wth, gint64 seek_off, + static gboolean parse_netscreen_packet(FILE_T fh, wtap_rec *rec, + Buffer* buf, char *line, int *err, gchar **err_info); + static int parse_single_hex_dump_line(char* rec, guint8 *buf, +- guint byte_offset); ++ guint byte_offset, guint pkt_len); ++ ++/* Error returns from parse_single_hex_dump_line() */ ++#define PARSE_LINE_INVALID_CHARACTER -1 ++#define PARSE_LINE_NO_BYTES_SEEN -2 ++#define PARSE_LINE_TOO_MANY_BYTES_SEEN -3 + + /* Returns TRUE if the line appears to be a line with protocol info. + Otherwise it returns FALSE. */ +@@ -241,13 +246,40 @@ netscreen_seek_read(wtap *wth, gint64 seek_off, wtap_rec *rec, Buffer *buf, + 2c 21 b6 d3 20 60 0c 8c 35 98 88 cf 20 91 0e a9 ,!...`..5....... + 1d 0b .. + ++ * The first line of a packet is in the form ++ ++<secs>.<dsecs>: <iface>({i,o}) len=<length>:<llinfo>> + ++ * where: ++ * ++ * <secs> and <dsecs> are a time stamp in seconds and deciseconds, ++ * giving the time since the firewall was booted; ++ * ++ * <iface> is the name of the interface on which the packet was ++ * received or on which it was transmitted; ++ * ++ * {i,o} is i for a received packet and o for a transmitted packet; ++ * ++ * <length> is the length of the packet on the network; ++ * ++ * <llinfo>, at least for Ethernet, appears to be a source MAC ++ * address, folowed by "->", folowed by a destination MAC ++ * address, followed by a sequence of Ethertypes, each ++ * preceded by a "/" (multiple Ethertypes if there are VLAN ++ * tags and the like), possibly followed by ", tag <tag>". ++ * ++ * Following that may be some "info lines", each of which is indented ++ * by 14 spaces, giving a dissection of the payload after the ++ * link-layer header. ++ * ++ * Following that is a hex/ASCII dump of the contents of the ++ * packet, with 16 octets per line. + */ + static gboolean + parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf, + char *line, int *err, gchar **err_info) + { +- int pkt_len; ++ guint pkt_len; + int sec; + int dsec; + char cap_int[NETSCREEN_MAX_INT_NAME_LENGTH]; +@@ -266,17 +298,12 @@ parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf, + memset(cap_int, 0, sizeof(cap_int)); + memset(cap_dst, 0, sizeof(cap_dst)); + +- if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9d:%12s->%12s/", ++ if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9u:%12s->%12s/", + &sec, &dsec, cap_int, direction, &pkt_len, cap_src, cap_dst) < 5) { + *err = WTAP_ERR_BAD_FILE; + *err_info = g_strdup("netscreen: Can't parse packet-header"); + return -1; + } +- if (pkt_len < 0) { +- *err = WTAP_ERR_BAD_FILE; +- *err_info = g_strdup("netscreen: packet header has a negative packet length"); +- return FALSE; +- } + if (pkt_len > WTAP_MAX_PACKET_SIZE_STANDARD) { + /* + * Probably a corrupt capture file; don't blow up trying +@@ -323,44 +350,71 @@ parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf, + break; + } + +- n = parse_single_hex_dump_line(p, pd, offset); ++ n = parse_single_hex_dump_line(p, pd, offset, pkt_len); + +- /* the smallest packet has a length of 6 bytes, if +- * the first hex-data is less then check whether +- * it is a info-line and act accordingly ++ /* ++ * The smallest packet has a length of 6 bytes. ++ * If the first line either gets an error when ++ * parsed as hex data, or has fewer than 6 ++ * bytes of hex data, check whether it's an ++ * info line by see if it has at least ++ * NETSCREEN_SPACES_ON_INFO_LINE spaces at the ++ * beginning. ++ * ++ * If it does, count this line and, if we have, ++ * so far, skipped no more than NETSCREEN_MAX_INFOLINES ++ * lines, skip this line. + */ + if (offset == 0 && n < 6) { + if (info_line(line)) { ++ /* Info line */ + if (++i <= NETSCREEN_MAX_INFOLINES) { ++ /* Skip this line */ + continue; + } + } else { +- *err = WTAP_ERR_BAD_FILE; +- *err_info = g_strdup("netscreen: cannot parse hex-data"); +- return FALSE; ++ if (n >= 0) { ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup("netscreen: first line of packet data has only %d hex bytes, < 6"); ++ return FALSE; ++ } ++ /* Otherwise, fall through to report error */ + } + } + + /* If there is no more data and the line was not empty, + * then there must be an error in the file + */ +- if (n == -1) { +- *err = WTAP_ERR_BAD_FILE; +- *err_info = g_strdup("netscreen: cannot parse hex-data"); ++ if (n < 0) { ++ switch (n) { ++ ++ case PARSE_LINE_INVALID_CHARACTER: ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup("netscreen: invalid character in hex data"); ++ break; ++ ++ case PARSE_LINE_NO_BYTES_SEEN: ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup("netscreen: no hex bytes seen in hex data"); ++ break; ++ ++ case PARSE_LINE_TOO_MANY_BYTES_SEEN: ++ *err = WTAP_ERR_BAD_FILE; ++ *err_info = g_strdup("netscreen: number of hex bytes seen in hex data is greater than the packet length"); ++ break; ++ ++ default: ++ *err = WTAP_ERR_INTERNAL; ++ *err_info = g_strdup_printf("netscreen: unknown error %d from parse_single_hex_dump_line()", n); ++ break; ++ } ++ + return FALSE; + } + + /* Adjust the offset to the data that was just added to the buffer */ + offset += n; + +- /* If there was more hex-data than was announced in the len=x +- * header, then then there must be an error in the file +- */ +- if (offset > pkt_len) { +- *err = WTAP_ERR_BAD_FILE; +- *err_info = g_strdup("netscreen: too much hex-data"); +- return FALSE; +- } + } + + /* +@@ -400,7 +454,7 @@ parse_netscreen_packet(FILE_T fh, wtap_rec *rec, Buffer* buf, + * + * Returns number of bytes successfully read, -1 if bad. */ + static int +-parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset) ++parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset, guint pkt_len) + { + int num_items_scanned; + guint8 character; +@@ -419,7 +473,7 @@ parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset) + /* Nothing more to parse */ + break; + } else +- return -1; /* not a hex digit, space before ASCII dump, or EOL */ ++ return PARSE_LINE_INVALID_CHARACTER; /* not a hex digit, space before ASCII dump, or EOL */ + byte <<= 4; + character = *rec++ & 0xFF; + if (character >= '0' && character <= '9') +@@ -429,7 +483,16 @@ parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset) + else if (character >= 'a' && character <= 'f') + byte += character - 'a' + 0xa; + else +- return -1; /* not a hex digit */ ++ return PARSE_LINE_INVALID_CHARACTER; /* not a hex digit */ ++ ++ /* If there was more hex-data than was announced in the len=x ++ * header, then there must be an error in the file; quit ++ * now, as adding this byte will overflow the buffer. ++ */ ++ if (byte_offset + num_items_scanned >= pkt_len) { ++ return PARSE_LINE_TOO_MANY_BYTES_SEEN; ++ } ++ + buf[byte_offset + num_items_scanned] = byte; + character = *rec++ & 0xFF; + if (character == '\0' || character == '\r' || character == '\n') { +@@ -437,11 +500,11 @@ parse_single_hex_dump_line(char* rec, guint8 *buf, guint byte_offset) + break; + } else if (character != ' ') { + /* not space before ASCII dump */ +- return -1; ++ return PARSE_LINE_INVALID_CHARACTER; + } + } + if (num_items_scanned == 0) +- return -1; ++ return PARSE_LINE_NO_BYTES_SEEN; + + return num_items_scanned; + } +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-0208.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-0208.patch new file mode 100644 index 0000000000..c4dfb6c37d --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2024-0208.patch @@ -0,0 +1,42 @@ +From a8586fde3a6512466afb2a660538ef3fe712076b Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Thu, 23 Nov 2023 13:47:51 -0500 +Subject: [PATCH] gvcp: Don't try to add a NULL string to a column + +This was caught as an invalid argument by g_strlcpy before 4.2, +but it was never a good idea. + +Fix #19496 + +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/a8586fde3a6512466afb2a660538ef3fe712076b] +CVE: CVE-2024-0208 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + epan/dissectors/packet-gvcp.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/epan/dissectors/packet-gvcp.c b/epan/dissectors/packet-gvcp.c +index 2de4552..b94ddea 100644 +--- a/epan/dissectors/packet-gvcp.c ++++ b/epan/dissectors/packet-gvcp.c +@@ -2222,15 +2222,12 @@ static void dissect_readreg_ack(proto_tree *gvcp_telegram_tree, tvbuff_t *tvb, p + if (addr_list_size > 0) + { + address_string = get_register_name_from_address(*((guint32*)wmem_array_index(gvcp_trans->addr_list, 0)), gvcp_info, &is_custom_register); ++ col_append_str(pinfo->cinfo, COL_INFO, address_string); + } + + if (num_registers) + { +- col_append_fstr(pinfo->cinfo, COL_INFO, "%s Value=0x%08X", address_string, tvb_get_ntohl(tvb, offset)); +- } +- else +- { +- col_append_str(pinfo->cinfo, COL_INFO, address_string); ++ col_append_sep_fstr(pinfo->cinfo, COL_INFO, " ", "Value=0x%08X", tvb_get_ntohl(tvb, offset)); + } + } + } +-- +2.25.1 + diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch b/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch new file mode 100644 index 0000000000..347943d422 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/CVE-2024-2955.patch @@ -0,0 +1,52 @@ +From 6fd3af5e999c71df67c2cdcefb96d0dc4afa5341 Mon Sep 17 00:00:00 2001 +From: John Thacker <johnthacker@gmail.com> +Date: Wed, 6 Mar 2024 20:40:42 -0500 +Subject: [PATCH] t38: Allocate forced defragmented memory in correct scope + +Fragment data can't be allocated in pinfo->pool scope, as it +outlives the frame. Set it to be freed when the associated tvb +is freed, as done in the main reassemble.c code. + +Fix #19695 + +CVE: CVE-2024-2955 +Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/6fd3af5e999c71df67c2cdcefb96d0dc4afa5341] +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + epan/dissectors/asn1/t38/packet-t38-template.c | 3 ++- + epan/dissectors/packet-t38.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/epan/dissectors/asn1/t38/packet-t38-template.c b/epan/dissectors/asn1/t38/packet-t38-template.c +index 7b856626865..526b313d054 100644 +--- a/epan/dissectors/asn1/t38/packet-t38-template.c ++++ b/epan/dissectors/asn1/t38/packet-t38-template.c +@@ -325,8 +325,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id) + last_fd=fd_i; + } + +- data = (guint8 *) wmem_alloc(pinfo->pool, size); ++ data = (guint8 *) g_malloc(size); + fd_head->tvb_data = tvb_new_real_data(data, size, size); ++ tvb_set_free_cb(fd_head->tvb_data, g_free); + fd_head->len = size; /* record size for caller */ + + /* add all data fragments */ +diff --git a/epan/dissectors/packet-t38.c b/epan/dissectors/packet-t38.c +index ca95ae8b64e..5083c936c5a 100644 +--- a/epan/dissectors/packet-t38.c ++++ b/epan/dissectors/packet-t38.c +@@ -355,8 +355,9 @@ force_reassemble_seq(reassembly_table *table, packet_info *pinfo, guint32 id) + last_fd=fd_i; + } + +- data = (guint8 *) wmem_alloc(pinfo->pool, size); ++ data = (guint8 *) g_malloc(size); + fd_head->tvb_data = tvb_new_real_data(data, size, size); ++ tvb_set_free_cb(fd_head->tvb_data, g_free); + fd_head->len = size; /* record size for caller */ + + /* add all data fragments */ +-- +GitLab + diff --git a/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch b/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch new file mode 100644 index 0000000000..54438dd870 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch @@ -0,0 +1,22 @@ +Fix update to build for alt arch machine. + +Commit 9ca6e39c7ee26570e29dc87332ffb0f6c1d0e4a4 changed the UseLemon to use +the target lemon built by the target wireshark. Revert to use the one built by +wireshark-native. + +Upstream-Status: Inappropriate [configuration] +Signed-off: Armin Kuster <akuster@mvista.com> + +Index: wireshark-3.2.18/cmake/modules/UseLemon.cmake +=================================================================== +--- wireshark-3.2.18.orig/cmake/modules/UseLemon.cmake ++++ wireshark-3.2.18/cmake/modules/UseLemon.cmake +@@ -13,7 +13,7 @@ MACRO(ADD_LEMON_FILES _source _generated + # These files are generated as side-effect + ${_out}.h + ${_out}.out +- COMMAND $<TARGET_FILE:lemon> ++ COMMAND lemon + -T${_lemonpardir}/lempar.c + -d. + ${_in} diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.5.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb index a6c09d47ba..4e48d5294c 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.5.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb @@ -8,11 +8,28 @@ DEPENDS = "pcre expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bi DEPENDS_append_class-target = " wireshark-native chrpath-replacement-native " -SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz" - +SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz \ + file://fix_lemon_path.patch \ + file://CVE-2023-2855.patch \ + file://CVE-2023-2856.patch \ + file://CVE-2023-2858.patch \ + file://CVE-2023-2952.patch \ + file://CVE-2023-0667-pre1.patch \ + file://CVE-2023-0667.patch \ + file://CVE-2023-0668.patch \ + file://CVE-2023-2906.patch \ + file://CVE-2023-3649.patch \ + file://CVE-2022-0585-CVE-2023-2879.patch \ + file://CVE-2022-4345.patch \ + file://CVE-2024-0208.patch \ + file://CVE-2023-1992.patch \ + file://CVE-2023-4511.patch \ + file://CVE-2024-2955.patch \ + file://CVE-2023-6175.patch \ + " UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" -SRC_URI[sha256sum] = "bd89052a5766cce08b1090df49628567e48cdd24bbaa47667c851bac6aaac940" +SRC_URI[sha256sum] = "bbe75d909b052fcd67a850f149f0d5b1e2531026fc2413946b48570293306887" PE = "1" diff --git a/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb b/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb index bab75fee3f..6b83cbd522 100644 --- a/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb +++ b/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4cfd939b1d7e6aba9fcefb7f6e2fd45d" DEPENDS = "libnl" -SRC_URI = "git://github.com/linux-wpan/wpan-tools" +SRC_URI = "git://github.com/linux-wpan/wpan-tools;branch=master;protocol=https" SRCREV = "a316ca2caa746d60817400e5bf646c2820f09273" S = "${WORKDIR}/git" diff --git a/meta-oe/README b/meta-oe/README index 10583aef27..972c830356 100644 --- a/meta-oe/README +++ b/meta-oe/README @@ -14,15 +14,18 @@ e.g. on archlinux based distributions install prerequisites like below pacman -S lib32-gcc-libs lib32-glibc +Ubuntu +sudo apt-get install gcc-multilib + Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-oe][dunfell]' in the subject' When sending single patches, please use something like: 'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-oe][dunfell][PATCH' -You are encouraged to fork the mirror on GitHub https://github.com/openembedded/openembedded-core +You are encouraged to fork the mirror on GitHub https://github.com/openembedded/meta-openembedded to share your patches, this is preferred for patch sets consisting of more than one patch. -Other services like gitorious, repo.or.cz or self-hosted setups are of course accepted as well, +Other services like GitLab, repo.or.cz or self-hosted setups are of course accepted as well, 'git fetch <remote>' works the same on all of them. We recommend GitHub because it is free, easy to use, has been proven to be reliable and has a really good web GUI. diff --git a/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb b/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb index de4fa16426..75a206c6b8 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" inherit setuptools3 -SRC_URI = "git://github.com/sivel/speedtest-cli.git" +SRC_URI = "git://github.com/sivel/speedtest-cli.git;branch=master;protocol=https" SRCREV = "c58ad3367bf27f4b4a4d5b1bca29ebd574731c5d" S = "${WORKDIR}/git" diff --git a/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb b/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb index 065243ccfe..604d989ed9 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb @@ -21,8 +21,8 @@ SRCREV_inih = "4b10c654051a86556dfdb634c891b6c3224c4109" SRCREV_FORMAT = "rwmem_inih" SRC_URI = " \ - git://github.com/tomba/rwmem.git;protocol=https;name=rwmem \ - git://github.com/benhoyt/inih.git;protocol=https;name=inih;nobranch=1;destsuffix=git/ext/inih \ + git://github.com/tomba/rwmem.git;protocol=https;name=rwmem;branch=master \ + git://github.com/benhoyt/inih.git;protocol=https;name=inih;branch=master;destsuffix=git/ext/inih \ " S = "${WORKDIR}/git" diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb index 58841ef319..cc15a8de31 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb @@ -14,7 +14,7 @@ inherit scons dos2unix siteinfo python3native PV = "4.2.2" #v4.2.2 SRCREV = "a0bbbff6ada159e19298d37946ac8dc4b497eadf" -SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.2 \ +SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.2;protocol=https \ file://0001-Tell-scons-to-use-build-settings-from-environment-va.patch \ file://0001-Use-long-long-instead-of-int64_t.patch \ file://0001-Use-__GLIBC__-to-control-use-of-gnu_get_libc_version.patch \ @@ -56,6 +56,8 @@ EXTRA_OESCONS = "--prefix=${D}${prefix} \ LINKFLAGS='${LDFLAGS}' \ CXXFLAGS='${CXXFLAGS}' \ TARGET_ARCH=${TARGET_ARCH} \ + MONGO_VERSION=${PV} \ + OBJCOPY=${OBJCOPY} \ --ssl \ --disable-warnings-as-errors \ --use-system-zlib \ diff --git a/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb index 275b984e47..f0a0c67975 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=18810669f13b87348459e611d31ab760 \ PV = "0.5.9+git${SRCPV}" SRCREV = "3a3d622d9bb74c44fa67bc20573751a207514134" -SRC_URI = "git://github.com/lcdproc/lcdproc \ +SRC_URI = "git://github.com/lcdproc/lcdproc;branch=master;protocol=https \ file://0001-Fix-parallel-build-fix-port-internal-make-dependenci.patch \ file://0002-Include-limits.h-for-PATH_MAX-definition.patch \ file://0003-Fix-non-x86-platforms-on-musl.patch \ diff --git a/meta-oe/dynamic-layers/meta-python/recipes-support/smem/smem_1.5.bb b/meta-oe/dynamic-layers/meta-python/recipes-support/smem/smem_1.5.bb index 90db9c3f3e..fa1bad021c 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-support/smem/smem_1.5.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-support/smem/smem_1.5.bb @@ -39,5 +39,3 @@ RRECOMMENDS_${PN} = "python3-matplotlib python3-numpy" PACKAGE_BEFORE_PN = "smemcap" FILES_smemcap = "${bindir}/smemcap" - -BBCLASSEXTEND = "native" diff --git a/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb b/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb index b21212a430..de2341da4c 100644 --- a/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb +++ b/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb @@ -9,7 +9,7 @@ SRCREV = "ad7e646700d14b81413297bda02fb7fe96613c3f" PV = "1.0+git${SRCPV}" -SRC_URI = "git://github.com/ssvb/cpuburn-arm.git \ +SRC_URI = "git://github.com/ssvb/cpuburn-arm.git;branch=master;protocol=https \ file://0001-cpuburn-a8.S-Remove-.func-.endfunc.patch \ file://0002-burn.S-Add.patch \ file://0003-burn.S-Remove-.func-.endfunc.patch \ diff --git a/meta-oe/recipes-benchmark/fio/fio_3.17.bb b/meta-oe/recipes-benchmark/fio/fio_3.17.bb index 759d1087c0..bb3243a5cc 100644 --- a/meta-oe/recipes-benchmark/fio/fio_3.17.bb +++ b/meta-oe/recipes-benchmark/fio/fio_3.17.bb @@ -23,7 +23,7 @@ PACKAGECONFIG ??= "${PACKAGECONFIG_NUMA}" PACKAGECONFIG[numa] = ",--disable-numa,numactl" SRCREV = "08ce9dc20b8a4e55db7af6d869ddfa49b4a02d03" -SRC_URI = "git://git.kernel.dk/fio.git \ +SRC_URI = "git://git.kernel.dk/fio.git;branch=master \ file://0001-update-the-interpreter-paths.patch \ file://python3_shebangs.patch \ " diff --git a/meta-oe/recipes-benchmark/glmark2/files/0001-waflib-fix-compatibility-with-python-3.11.patch b/meta-oe/recipes-benchmark/glmark2/files/0001-waflib-fix-compatibility-with-python-3.11.patch new file mode 100644 index 0000000000..c56fa64e58 --- /dev/null +++ b/meta-oe/recipes-benchmark/glmark2/files/0001-waflib-fix-compatibility-with-python-3.11.patch @@ -0,0 +1,76 @@ +From b85ba8c3ff3fb9ae708576ccef03434d2ef73054 Mon Sep 17 00:00:00 2001 +From: Martin Jansa <Martin.Jansa@gmail.com> +Date: Tue, 14 Jun 2022 09:54:18 +0000 +Subject: [PATCH] waflib: fix compatibility with python-3.11 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* https://docs.python.org/3.11/whatsnew/3.11.html#changes-in-the-python-api + + open(), io.open(), codecs.open() and fileinput.FileInput no longer + accept 'U' (“universal newlineâ€) in the file mode. This flag was + deprecated since Python 3.3. In Python 3, the “universal newline†is + used by default when a file is open in text mode. The newline parameter + of open() controls how universal newlines works. (Contributed by Victor + Stinner in bpo-37330.) + +* fixes: +Waf: The wscript in '/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git' is unreadable +Traceback (most recent call last): + File "/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git/waflib/Scripting.py", line 104, in waf_entry_point + set_main_module(os.path.normpath(os.path.join(Context.run_dir,Context.WSCRIPT_FILE))) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git/waflib/Scripting.py", line 135, in set_main_module + Context.g_module=Context.load_module(file_path) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git/waflib/Context.py", line 343, in load_module + code=Utils.readf(path,m='rU',encoding=encoding) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/OE/build/luneos-langdale/webos-ports/tmp-glibc/work/core2-64-webos-linux/glmark2/2021.12-r0/git/waflib/Utils.py", line 117, in readf + f=open(fname,m) + ^^^^^^^^^^^^^ +ValueError: invalid mode: 'rUb' + +Upstream-Status: Submitted [https://github.com/glmark2/glmark2/pull/178] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + waflib/ConfigSet.py | 2 +- + waflib/Context.py | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/waflib/ConfigSet.py b/waflib/ConfigSet.py +index 16142a2..87de4ad 100644 +--- a/waflib/ConfigSet.py ++++ b/waflib/ConfigSet.py +@@ -140,7 +140,7 @@ class ConfigSet(object): + Utils.writef(filename,''.join(buf)) + def load(self,filename): + tbl=self.table +- code=Utils.readf(filename,m='rU') ++ code=Utils.readf(filename,m='r') + for m in re_imp.finditer(code): + g=m.group + tbl[g(2)]=eval(g(3)) +diff --git a/waflib/Context.py b/waflib/Context.py +index 8f2cbfb..f3e35ae 100644 +--- a/waflib/Context.py ++++ b/waflib/Context.py +@@ -109,7 +109,7 @@ class Context(ctx): + cache[node]=True + self.pre_recurse(node) + try: +- function_code=node.read('rU',encoding) ++ function_code=node.read('r',encoding) + exec(compile(function_code,node.abspath(),'exec'),self.exec_dict) + finally: + self.post_recurse(node) +@@ -340,7 +340,7 @@ def load_module(path,encoding=None): + pass + module=imp.new_module(WSCRIPT_FILE) + try: +- code=Utils.readf(path,m='rU',encoding=encoding) ++ code=Utils.readf(path,encoding=encoding) + except EnvironmentError: + raise Errors.WafError('Could not read the file %r'%path) + module_dir=os.path.dirname(path) diff --git a/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb b/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb index 6d20bbdaf1..2b2ff53c7e 100644 --- a/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb +++ b/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb @@ -14,10 +14,11 @@ PV = "20191226+${SRCPV}" COMPATIBLE_HOST_rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '.*-linux*', 'null', d)}" -SRC_URI = "git://github.com/glmark2/glmark2.git;protocol=https \ - file://python3.patch" +SRC_URI = "git://github.com/glmark2/glmark2.git;protocol=https;branch=master \ + file://python3.patch \ + file://0001-waflib-fix-compatibility-with-python-3.11.patch \ + " SRCREV = "72dabc5d72b49c6d45badeb8a941ba4d829b0bd6" - S = "${WORKDIR}/git" inherit waf pkgconfig features_check diff --git a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb index 4a520e3be5..86e5fef530 100644 --- a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb +++ b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb @@ -19,3 +19,5 @@ EXTRA_OECONF = "--exec-prefix=${STAGING_DIR_HOST}${layout_exec_prefix}" PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}" PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," + +CVE_PRODUCT = "iperf_project:iperf" diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch new file mode 100644 index 0000000000..450cdde1f8 --- /dev/null +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch @@ -0,0 +1,46 @@ +From 0ef151550d96cc4460f98832df84b4a1e87c65e9 Mon Sep 17 00:00:00 2001 +From: "Bruce A. Mah" <bmah@es.net> +Date: Fri, 7 Jul 2023 11:35:02 -0700 +Subject: [PATCH] Fix memory allocation hazard (#1542). (#1543) + +Reported by: @someusername123 on GitHub +--- + src/iperf_api.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/iperf_api.c b/src/iperf_api.c +index f2d4162..a95e024 100644 +--- a/src/iperf_api.c ++++ b/src/iperf_api.c +@@ -2670,6 +2670,7 @@ static cJSON * + JSON_read(int fd) + { + uint32_t hsize, nsize; ++ size_t strsize; + char *str; + cJSON *json = NULL; + int rc; +@@ -2682,7 +2683,9 @@ JSON_read(int fd) + if (Nread(fd, (char*) &nsize, sizeof(nsize), Ptcp) >= 0) { + hsize = ntohl(nsize); + /* Allocate a buffer to hold the JSON */ +- str = (char *) calloc(sizeof(char), hsize+1); /* +1 for trailing null */ ++ strsize = hsize + 1; /* +1 for trailing NULL */ ++ if (strsize) { ++ str = (char *) calloc(sizeof(char), strsize); + if (str != NULL) { + rc = Nread(fd, str, hsize, Ptcp); + if (rc >= 0) { +@@ -2701,6 +2704,10 @@ JSON_read(int fd) + } + } + free(str); ++ } ++ else { ++ printf("WARNING: Data length overflow\n"); ++ } + } + return json; + } +-- +2.25.1 diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb index 98d2faabfd..19be5d94c0 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb @@ -13,8 +13,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9088fe7ffdccd042f7645f1012d7f70" DEPENDS = "openssl" -SRC_URI = "git://github.com/esnet/iperf.git \ +SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ file://0002-Remove-pg-from-profile_CFLAGS.patch \ + file://0001-Fix-memory-allocation-hazard-1542-.-1543.patch \ " SRCREV = "dfcea9f6a09ead01089a3c9d20c7032f2c0af2c1" @@ -28,3 +29,5 @@ PACKAGECONFIG[lksctp] = "ac_cv_header_netinet_sctp_h=yes,ac_cv_header_netinet_sc CFLAGS += "-D_GNU_SOURCE" EXTRA_OECONF = "--with-openssl=${RECIPE_SYSROOT}${prefix}" + +CVE_PRODUCT = "iperf_project:iperf" diff --git a/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb b/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb index e813894316..60286c3249 100644 --- a/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb +++ b/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=9a825c63897c53f487ef900598c31527" SRCREV = "b6b2ce5f9f87a09b14499cb00c600c601f022634" PV = "20110206+git${SRCPV}" -SRC_URI = "git://git.musl-libc.org/libc-bench \ +SRC_URI = "git://git.musl-libc.org/libc-bench;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb b/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb index 4768d7b63a..d6c35d0b3a 100644 --- a/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb +++ b/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb @@ -12,7 +12,7 @@ PE = "1" SRCREV = "e6499ff92b4a7dcffbd131d1f5d24933e48c3f20" SRC_URI = " \ - git://github.com/libhugetlbfs/libhugetlbfs.git;protocol=https \ + git://github.com/libhugetlbfs/libhugetlbfs.git;protocol=https;branch=master \ file://skip-checking-LIB32-and-LIB64-if-they-point-to-the-s.patch \ file://libhugetlbfs-avoid-search-host-library-path-for-cros.patch \ file://tests-Makefile-install-static-4G-edge-testcases.patch \ diff --git a/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb b/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb index a2966e99dd..d30ea5a01b 100644 --- a/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb +++ b/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=55ea9d559f985fb4834317d8ed6b9e58" SRCREV = "fb72e5e5f0879231f38e0e826a98a6ca2d1ca38e" -SRC_URI = "git://github.com/stressapptest/stressapptest \ +SRC_URI = "git://github.com/stressapptest/stressapptest;branch=master;protocol=https \ file://libcplusplus-compat.patch \ file://read_sysfs_for_cachesize.patch \ " diff --git a/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb b/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb index 2ce10f9c44..9c20d68ef2 100644 --- a/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb +++ b/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://main.c;endline=22;md5=879b9bbb60851454885b5fa47eb6b34 PV = "0.4.0+git${SRCPV}" SRCREV = "a2cf6d7e382e3aea1eb39173174d9fa28cad15f3" -SRC_URI = "git://github.com/ssvb/tinymembench.git \ +SRC_URI = "git://github.com/ssvb/tinymembench.git;branch=master;protocol=https \ file://0001-asm-Delete-.func-.endfunc-directives.patch \ " diff --git a/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb b/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb index 88fcc0200f..589d62717c 100644 --- a/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb +++ b/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" SRCREV = "a2f0c39d5f21596bb9f5223e895c0ff210b265d0" # SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/cpufreq/cpufrequtils.git -SRC_URI = "git://github.com/emagii/cpufrequtils.git \ +SRC_URI = "git://github.com/emagii/cpufrequtils.git;branch=master;protocol=https \ file://0001-dont-unset-cflags.patch \ " diff --git a/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb b/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb index b89fe6771c..e42adc6dc0 100644 --- a/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb +++ b/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb @@ -11,7 +11,7 @@ PV = "0.18+git${SRCPV}" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/grondo/edac-utils \ +SRC_URI = "git://github.com/grondo/edac-utils;branch=master;protocol=https \ file://make-init-script-be-able-to-automatically-load-EDAC-.patch \ file://add-restart-to-initscript.patch \ file://edac.service \ diff --git a/meta-oe/recipes-bsp/ledmon/ledmon_git.bb b/meta-oe/recipes-bsp/ledmon/ledmon_git.bb index f9ae9aad9a..1a9cb18c5c 100644 --- a/meta-oe/recipes-bsp/ledmon/ledmon_git.bb +++ b/meta-oe/recipes-bsp/ledmon/ledmon_git.bb @@ -16,7 +16,7 @@ inherit autotools systemd SYSTEMD_SERVICE_${PN} = "ledmon.service" # 0.93 -SRC_URI = "git://github.com/intel/ledmon;branch=master \ +SRC_URI = "git://github.com/intel/ledmon;branch=master;protocol=https \ file://0002-include-sys-select.h-and-sys-types.h.patch \ file://0001-Don-t-build-with-Werror-to-fix-compile-error.patch \ " diff --git a/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb b/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb index 890db55bcc..37a98a0996 100644 --- a/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb +++ b/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb @@ -10,7 +10,7 @@ DEPENDS = " \ virtual/libiconv \ " -SRC_URI = "git://github.com/lm-sensors/lm-sensors.git;protocol=https \ +SRC_URI = "git://github.com/lm-sensors/lm-sensors.git;protocol=https;branch=master \ file://fancontrol.init \ file://sensord.init \ " @@ -95,7 +95,7 @@ RDEPENDS_${PN} += " \ ${PN}-sensorsdetect \ ${PN}-sensorsconfconvert \ ${PN}-pwmconfig \ - ${PN}-isatools \ + ${@bb.utils.contains('MACHINE_FEATURES', 'x86', '${PN}-isatools', '', d)} \ " # libsensors packages diff --git a/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb b/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb index 4f4bb2dfab..9344c17dce 100644 --- a/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb +++ b/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8264535c0c4e9c6c335635c4026a8022" DEPENDS = "util-linux" PV .= "+git${SRCPV}" -SRC_URI = "git://github.com/linux-nvme/nvme-cli.git \ +SRC_URI = "git://github.com/linux-nvme/nvme-cli.git;branch=master;protocol=https \ file://0001-fix-musl-compilation.patch \ " SRCREV = "1d84d6ae0c7d7ceff5a73fe174dde8b0005f6108" diff --git a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb index 6b4decce51..64595d59c1 100644 --- a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb +++ b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb @@ -9,7 +9,7 @@ DEPENDS += "glib-2.0-native" PV = "0.2+git${SRCPV}" -SRC_URI = "git://github.com/labapart/gattlib.git \ +SRC_URI = "git://github.com/labapart/gattlib.git;branch=master;protocol=https \ file://dbus-avoid-strange-chars-from-the-build-dir.patch \ file://0001-cmake-Use-GNUInstallDirs.patch \ " @@ -28,5 +28,5 @@ EXTRA_OECMAKE += "-DGATTLIB_BUILD_DOCS=OFF" inherit pkgconfig cmake -FILES_${PN} = "${libdir}/* ${includedir}/*" -FILES_${PN}-dev = "${includedir}/*" +FILES_${PN} = "${libdir}/*" +FILES_${PN}-dev = "${includedir}/* ${libdir}/pkgconfig" diff --git a/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb b/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb index 8c97662df5..bee757d5a6 100644 --- a/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb +++ b/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=a0fd36908af843bcee10cb6dfc47fa67 \ SRCREV = "95ec1ab31ee97411fc37156d12061adcf0331598" PV = "1.5.3+git${SRCPV}" -SRC_URI = "git://github.com/cminyard/gensio;protocol=https \ +SRC_URI = "git://github.com/cminyard/gensio;protocol=https;branch=master \ file://0001-filter-Rename-some-variables-to-tr_stdxxx.patch \ " diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch new file mode 100644 index 0000000000..1bedb4f753 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-Prepare-for-CVE-2021-30004.patch.patch @@ -0,0 +1,45 @@ +From 14fab0772db19297c82dd1b8612c9335369dce41 Mon Sep 17 00:00:00 2001 +From: Alexander Vickberg <wickbergster@gmail.com> +Date: Mon, 17 May 2021 17:54:13 +0200 +Subject: [PATCH] Prepare for CVE-2021-30004.patch + +Without this building fails for CONFIG_TLS=internal + +Signed-off-by: Alexander Vickberg <wickbergster@gmail.com> +--- + src/tls/asn1.h | 6 ++++++ + src/utils/includes.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/src/tls/asn1.h b/src/tls/asn1.h +index 6bd7df5..77b94ef 100644 +--- a/src/tls/asn1.h ++++ b/src/tls/asn1.h +@@ -66,6 +66,12 @@ void asn1_oid_to_str(const struct asn1_oid *oid, char *buf, size_t len); + unsigned long asn1_bit_string_to_long(const u8 *buf, size_t len); + int asn1_oid_equal(const struct asn1_oid *a, const struct asn1_oid *b); + ++static inline bool asn1_is_null(const struct asn1_hdr *hdr) ++{ ++ return hdr->class == ASN1_CLASS_UNIVERSAL && ++ hdr->tag == ASN1_TAG_NULL; ++} ++ + extern struct asn1_oid asn1_sha1_oid; + extern struct asn1_oid asn1_sha256_oid; + +diff --git a/src/utils/includes.h b/src/utils/includes.h +index 75513fc..741fc9c 100644 +--- a/src/utils/includes.h ++++ b/src/utils/includes.h +@@ -18,6 +18,7 @@ + + #include <stdlib.h> + #include <stddef.h> ++#include <stdbool.h> + #include <stdio.h> + #include <stdarg.h> + #include <string.h> +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch new file mode 100644 index 0000000000..9214615d12 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2019-5061.patch @@ -0,0 +1,854 @@ +From 018edec9b2bd3db20605117c32ff79c1e625c432 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Wed, 11 Sep 2019 12:34:28 +0300 +Subject: [PATCH] Remove IAPP functionality from hostapd + +IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been +maintained nor is there any expectation of the withdrawn trial-use +recommended practice to be maintained in the future. Furthermore, +implementation of IAPP in hostapd was not complete, i.e., only parts of +the recommended practice were included. The main item of some real use +long time ago was the Layer 2 Update frame to update bridges when a STA +roams within an ESS, but that functionality has, in practice, been moved +to kernel drivers to provide better integration with the networking +stack. + +CVE: CVE-2019-5061 + +Upstream-Status: Backport + +Signed-off-by: Jouni Malinen <j@w1.fi> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + hostapd/Android.mk | 5 - + hostapd/Makefile | 5 - + hostapd/android.config | 3 - + hostapd/config_file.c | 3 +- + hostapd/defconfig | 3 - + hostapd/hostapd.conf | 6 - + hostapd/main.c | 3 - + src/ap/Makefile | 2 - + src/ap/ap_config.h | 4 - + src/ap/hostapd.c | 14 - + src/ap/hostapd.h | 2 - + src/ap/iapp.c | 542 ---------------------- + src/ap/iapp.h | 39 -- + src/utils/wpa_debug.h | 1 - + 14 files changed, 1 insertion(+), 633 deletions(-) + delete mode 100644 src/ap/iapp.c + delete mode 100644 src/ap/iapp.h + +diff --git a/hostapd/Android.mk b/hostapd/Android.mk +index 3183323ef..a87ac8144 100644 +--- a/hostapd/Android.mk ++++ b/hostapd/Android.mk +@@ -205,11 +205,6 @@ endif + + L_CFLAGS += -DCONFIG_CTRL_IFACE -DCONFIG_CTRL_IFACE_UNIX + +-ifdef CONFIG_IAPP +-L_CFLAGS += -DCONFIG_IAPP +-OBJS += src/ap/iapp.c +-endif +- + ifdef CONFIG_RSN_PREAUTH + L_CFLAGS += -DCONFIG_RSN_PREAUTH + CONFIG_L2_PACKET=y +diff --git a/hostapd/Makefile b/hostapd/Makefile +index f7f4c785b..42bb9e4c8 100644 +--- a/hostapd/Makefile ++++ b/hostapd/Makefile +@@ -248,11 +248,6 @@ ifndef CONFIG_NO_CTRL_IFACE + CFLAGS += -DCONFIG_CTRL_IFACE + endif + +-ifdef CONFIG_IAPP +-CFLAGS += -DCONFIG_IAPP +-OBJS += ../src/ap/iapp.o +-endif +- + ifdef CONFIG_RSN_PREAUTH + CFLAGS += -DCONFIG_RSN_PREAUTH + CONFIG_L2_PACKET=y +diff --git a/hostapd/android.config b/hostapd/android.config +index efe252332..e2e6c7821 100644 +--- a/hostapd/android.config ++++ b/hostapd/android.config +@@ -38,9 +38,6 @@ CONFIG_DRIVER_NL80211_QCA=y + # Driver interface for no driver (e.g., RADIUS server only) + #CONFIG_DRIVER_NONE=y + +-# IEEE 802.11F/IAPP +-#CONFIG_IAPP=y +- + # WPA2/IEEE 802.11i RSN pre-authentication + #CONFIG_RSN_PREAUTH=y + +diff --git a/hostapd/config_file.c b/hostapd/config_file.c +index 680f17ee0..0d340d252 100644 +--- a/hostapd/config_file.c ++++ b/hostapd/config_file.c +@@ -2712,8 +2712,7 @@ static int hostapd_config_fill(struct hostapd_config *conf, + bss->eapol_key_index_workaround = atoi(pos); + #ifdef CONFIG_IAPP + } else if (os_strcmp(buf, "iapp_interface") == 0) { +- bss->ieee802_11f = 1; +- os_strlcpy(bss->iapp_iface, pos, sizeof(bss->iapp_iface)); ++ wpa_printf(MSG_INFO, "DEPRECATED: iapp_interface not used"); + #endif /* CONFIG_IAPP */ + } else if (os_strcmp(buf, "own_ip_addr") == 0) { + if (hostapd_parse_ip_addr(pos, &bss->own_ip_addr)) { +diff --git a/hostapd/defconfig b/hostapd/defconfig +index b1fb56c3b..1a3d9f9ba 100644 +--- a/hostapd/defconfig ++++ b/hostapd/defconfig +@@ -44,9 +44,6 @@ CONFIG_LIBNL32=y + # Driver interface for no driver (e.g., RADIUS server only) + #CONFIG_DRIVER_NONE=y + +-# IEEE 802.11F/IAPP +-CONFIG_IAPP=y +- + # WPA2/IEEE 802.11i RSN pre-authentication + CONFIG_RSN_PREAUTH=y + +diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf +index 6c96a760a..a3c698480 100644 +--- a/hostapd/hostapd.conf ++++ b/hostapd/hostapd.conf +@@ -41,7 +41,6 @@ interface=wlan0 + # bit 2 (4) = RADIUS + # bit 3 (8) = WPA + # bit 4 (16) = driver interface +-# bit 5 (32) = IAPP + # bit 6 (64) = MLME + # + # Levels (minimum value for logged events): +@@ -1243,11 +1242,6 @@ eap_server=0 + # Whether to enable ERP on the EAP server. + #eap_server_erp=1 + +-##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) ####################### +- +-# Interface to be used for IAPP broadcast packets +-#iapp_interface=eth0 +- + + ##### RADIUS client configuration ############################################# + # for IEEE 802.1X with external Authentication Server, IEEE 802.11 +diff --git a/hostapd/main.c b/hostapd/main.c +index 08896ffe2..8bfe24281 100644 +--- a/hostapd/main.c ++++ b/hostapd/main.c +@@ -81,9 +81,6 @@ static void hostapd_logger_cb(void *ctx, const u8 *addr, unsigned int module, + case HOSTAPD_MODULE_DRIVER: + module_str = "DRIVER"; + break; +- case HOSTAPD_MODULE_IAPP: +- module_str = "IAPP"; +- break; + case HOSTAPD_MODULE_MLME: + module_str = "MLME"; + break; +diff --git a/src/ap/Makefile b/src/ap/Makefile +index bd3f33b77..54e48a0dd 100644 +--- a/src/ap/Makefile ++++ b/src/ap/Makefile +@@ -18,7 +18,6 @@ CFLAGS += -DCONFIG_IEEE80211R_AP + CFLAGS += -DCONFIG_WPS + CFLAGS += -DCONFIG_PROXYARP + CFLAGS += -DCONFIG_IPV6 +-CFLAGS += -DCONFIG_IAPP + CFLAGS += -DCONFIG_AIRTIME_POLICY + + LIB_OBJS= \ +@@ -41,7 +40,6 @@ LIB_OBJS= \ + hostapd.o \ + hs20.o \ + hw_features.o \ +- iapp.o \ + ieee802_11_auth.o \ + ieee802_11.o \ + ieee802_11_ht.o \ +diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h +index e219160b0..17eb0682b 100644 +--- a/src/ap/ap_config.h ++++ b/src/ap/ap_config.h +@@ -325,10 +325,6 @@ struct hostapd_bss_config { + int erp_send_reauth_start; + char *erp_domain; + +- int ieee802_11f; /* use IEEE 802.11f (IAPP) */ +- char iapp_iface[IFNAMSIZ + 1]; /* interface used with IAPP broadcast +- * frames */ +- + enum macaddr_acl { + ACCEPT_UNLESS_DENIED = 0, + DENY_UNLESS_ACCEPTED = 1, +diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c +index ef988b634..bf7b1f89e 100644 +--- a/src/ap/hostapd.c ++++ b/src/ap/hostapd.c +@@ -28,7 +28,6 @@ + #include "accounting.h" + #include "ap_list.h" + #include "beacon.h" +-#include "iapp.h" + #include "ieee802_1x.h" + #include "ieee802_11_auth.h" + #include "vlan_init.h" +@@ -361,8 +360,6 @@ static void hostapd_free_hapd_data(struct hostapd_data *hapd) + hapd->beacon_set_done = 0; + + wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface); +- iapp_deinit(hapd->iapp); +- hapd->iapp = NULL; + accounting_deinit(hapd); + hostapd_deinit_wpa(hapd); + vlan_deinit(hapd); +@@ -1296,13 +1293,6 @@ static int hostapd_setup_bss(struct hostapd_data *hapd, int first) + return -1; + } + +- if (conf->ieee802_11f && +- (hapd->iapp = iapp_init(hapd, conf->iapp_iface)) == NULL) { +- wpa_printf(MSG_ERROR, "IEEE 802.11F (IAPP) initialization " +- "failed."); +- return -1; +- } +- + #ifdef CONFIG_INTERWORKING + if (gas_serv_init(hapd)) { + wpa_printf(MSG_ERROR, "GAS server initialization failed"); +@@ -3056,10 +3046,6 @@ void hostapd_new_assoc_sta(struct hostapd_data *hapd, struct sta_info *sta, + hostapd_prune_associations(hapd, sta->addr); + ap_sta_clear_disconnect_timeouts(hapd, sta); + +- /* IEEE 802.11F (IAPP) */ +- if (hapd->conf->ieee802_11f) +- iapp_new_station(hapd->iapp, sta); +- + #ifdef CONFIG_P2P + if (sta->p2p_ie == NULL && !sta->no_p2p_set) { + sta->no_p2p_set = 1; +diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h +index 5b859b8a9..2358d1664 100644 +--- a/src/ap/hostapd.h ++++ b/src/ap/hostapd.h +@@ -179,8 +179,6 @@ struct hostapd_data { + u64 acct_session_id; + struct radius_das_data *radius_das; + +- struct iapp_data *iapp; +- + struct hostapd_cached_radius_acl *acl_cache; + struct hostapd_acl_query_data *acl_queries; + +diff --git a/src/ap/iapp.c b/src/ap/iapp.c +deleted file mode 100644 +index 2556da30c..000000000 +--- a/src/ap/iapp.c ++++ /dev/null +@@ -1,542 +0,0 @@ +-/* +- * hostapd / IEEE 802.11F-2003 Inter-Access Point Protocol (IAPP) +- * Copyright (c) 2002-2007, Jouni Malinen <j@w1.fi> +- * +- * This software may be distributed under the terms of the BSD license. +- * See README for more details. +- * +- * Note: IEEE 802.11F-2003 was a experimental use specification. It has expired +- * and IEEE has withdrawn it. In other words, it is likely better to look at +- * using some other mechanism for AP-to-AP communication than extending the +- * implementation here. +- */ +- +-/* TODO: +- * Level 1: no administrative or security support +- * (e.g., static BSSID to IP address mapping in each AP) +- * Level 2: support for dynamic mapping of BSSID to IP address +- * Level 3: support for encryption and authentication of IAPP messages +- * - add support for MOVE-notify and MOVE-response (this requires support for +- * finding out IP address for previous AP using RADIUS) +- * - add support for Send- and ACK-Security-Block to speedup IEEE 802.1X during +- * reassociation to another AP +- * - implement counters etc. for IAPP MIB +- * - verify endianness of fields in IAPP messages; are they big-endian as +- * used here? +- * - RADIUS connection for AP registration and BSSID to IP address mapping +- * - TCP connection for IAPP MOVE, CACHE +- * - broadcast ESP for IAPP ADD-notify +- * - ESP for IAPP MOVE messages +- * - security block sending/processing +- * - IEEE 802.11 context transfer +- */ +- +-#include "utils/includes.h" +-#include <net/if.h> +-#include <sys/ioctl.h> +-#include <netpacket/packet.h> +- +-#include "utils/common.h" +-#include "utils/eloop.h" +-#include "common/ieee802_11_defs.h" +-#include "hostapd.h" +-#include "ap_config.h" +-#include "ieee802_11.h" +-#include "sta_info.h" +-#include "iapp.h" +- +- +-#define IAPP_MULTICAST "224.0.1.178" +-#define IAPP_UDP_PORT 3517 +-#define IAPP_TCP_PORT 3517 +- +-struct iapp_hdr { +- u8 version; +- u8 command; +- be16 identifier; +- be16 length; +- /* followed by length-6 octets of data */ +-} __attribute__ ((packed)); +- +-#define IAPP_VERSION 0 +- +-enum IAPP_COMMAND { +- IAPP_CMD_ADD_notify = 0, +- IAPP_CMD_MOVE_notify = 1, +- IAPP_CMD_MOVE_response = 2, +- IAPP_CMD_Send_Security_Block = 3, +- IAPP_CMD_ACK_Security_Block = 4, +- IAPP_CMD_CACHE_notify = 5, +- IAPP_CMD_CACHE_response = 6, +-}; +- +- +-/* ADD-notify - multicast UDP on the local LAN */ +-struct iapp_add_notify { +- u8 addr_len; /* ETH_ALEN */ +- u8 reserved; +- u8 mac_addr[ETH_ALEN]; +- be16 seq_num; +-} __attribute__ ((packed)); +- +- +-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */ +-struct iapp_layer2_update { +- u8 da[ETH_ALEN]; /* broadcast */ +- u8 sa[ETH_ALEN]; /* STA addr */ +- be16 len; /* 6 */ +- u8 dsap; /* null DSAP address */ +- u8 ssap; /* null SSAP address, CR=Response */ +- u8 control; +- u8 xid_info[3]; +-} __attribute__ ((packed)); +- +- +-/* MOVE-notify - unicast TCP */ +-struct iapp_move_notify { +- u8 addr_len; /* ETH_ALEN */ +- u8 reserved; +- u8 mac_addr[ETH_ALEN]; +- u16 seq_num; +- u16 ctx_block_len; +- /* followed by ctx_block_len bytes */ +-} __attribute__ ((packed)); +- +- +-/* MOVE-response - unicast TCP */ +-struct iapp_move_response { +- u8 addr_len; /* ETH_ALEN */ +- u8 status; +- u8 mac_addr[ETH_ALEN]; +- u16 seq_num; +- u16 ctx_block_len; +- /* followed by ctx_block_len bytes */ +-} __attribute__ ((packed)); +- +-enum { +- IAPP_MOVE_SUCCESSFUL = 0, +- IAPP_MOVE_DENIED = 1, +- IAPP_MOVE_STALE_MOVE = 2, +-}; +- +- +-/* CACHE-notify */ +-struct iapp_cache_notify { +- u8 addr_len; /* ETH_ALEN */ +- u8 reserved; +- u8 mac_addr[ETH_ALEN]; +- u16 seq_num; +- u8 current_ap[ETH_ALEN]; +- u16 ctx_block_len; +- /* ctx_block_len bytes of context block followed by 16-bit context +- * timeout */ +-} __attribute__ ((packed)); +- +- +-/* CACHE-response - unicast TCP */ +-struct iapp_cache_response { +- u8 addr_len; /* ETH_ALEN */ +- u8 status; +- u8 mac_addr[ETH_ALEN]; +- u16 seq_num; +-} __attribute__ ((packed)); +- +-enum { +- IAPP_CACHE_SUCCESSFUL = 0, +- IAPP_CACHE_STALE_CACHE = 1, +-}; +- +- +-/* Send-Security-Block - unicast TCP */ +-struct iapp_send_security_block { +- u8 iv[8]; +- u16 sec_block_len; +- /* followed by sec_block_len bytes of security block */ +-} __attribute__ ((packed)); +- +- +-/* ACK-Security-Block - unicast TCP */ +-struct iapp_ack_security_block { +- u8 iv[8]; +- u8 new_ap_ack_authenticator[48]; +-} __attribute__ ((packed)); +- +- +-struct iapp_data { +- struct hostapd_data *hapd; +- u16 identifier; /* next IAPP identifier */ +- struct in_addr own, multicast; +- int udp_sock; +- int packet_sock; +-}; +- +- +-static void iapp_send_add(struct iapp_data *iapp, u8 *mac_addr, u16 seq_num) +-{ +- char buf[128]; +- struct iapp_hdr *hdr; +- struct iapp_add_notify *add; +- struct sockaddr_in addr; +- +- /* Send IAPP ADD-notify to remove possible association from other APs +- */ +- +- hdr = (struct iapp_hdr *) buf; +- hdr->version = IAPP_VERSION; +- hdr->command = IAPP_CMD_ADD_notify; +- hdr->identifier = host_to_be16(iapp->identifier++); +- hdr->length = host_to_be16(sizeof(*hdr) + sizeof(*add)); +- +- add = (struct iapp_add_notify *) (hdr + 1); +- add->addr_len = ETH_ALEN; +- add->reserved = 0; +- os_memcpy(add->mac_addr, mac_addr, ETH_ALEN); +- +- add->seq_num = host_to_be16(seq_num); +- +- os_memset(&addr, 0, sizeof(addr)); +- addr.sin_family = AF_INET; +- addr.sin_addr.s_addr = iapp->multicast.s_addr; +- addr.sin_port = htons(IAPP_UDP_PORT); +- if (sendto(iapp->udp_sock, buf, (char *) (add + 1) - buf, 0, +- (struct sockaddr *) &addr, sizeof(addr)) < 0) +- wpa_printf(MSG_INFO, "sendto[IAPP-ADD]: %s", strerror(errno)); +-} +- +- +-static void iapp_send_layer2_update(struct iapp_data *iapp, u8 *addr) +-{ +- struct iapp_layer2_update msg; +- +- /* Send Level 2 Update Frame to update forwarding tables in layer 2 +- * bridge devices */ +- +- /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID) +- * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */ +- +- os_memset(msg.da, 0xff, ETH_ALEN); +- os_memcpy(msg.sa, addr, ETH_ALEN); +- msg.len = host_to_be16(6); +- msg.dsap = 0; /* NULL DSAP address */ +- msg.ssap = 0x01; /* NULL SSAP address, CR Bit: Response */ +- msg.control = 0xaf; /* XID response lsb.1111F101. +- * F=0 (no poll command; unsolicited frame) */ +- msg.xid_info[0] = 0x81; /* XID format identifier */ +- msg.xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */ +- msg.xid_info[2] = 1 << 1; /* XID sender's receive window size (RW) +- * FIX: what is correct RW with 802.11? */ +- +- if (send(iapp->packet_sock, &msg, sizeof(msg), 0) < 0) +- wpa_printf(MSG_INFO, "send[L2 Update]: %s", strerror(errno)); +-} +- +- +-/** +- * iapp_new_station - IAPP processing for a new STA +- * @iapp: IAPP data +- * @sta: The associated station +- */ +-void iapp_new_station(struct iapp_data *iapp, struct sta_info *sta) +-{ +- u16 seq = 0; /* TODO */ +- +- if (iapp == NULL) +- return; +- +- /* IAPP-ADD.request(MAC Address, Sequence Number, Timeout) */ +- hostapd_logger(iapp->hapd, sta->addr, HOSTAPD_MODULE_IAPP, +- HOSTAPD_LEVEL_DEBUG, "IAPP-ADD.request(seq=%d)", seq); +- iapp_send_layer2_update(iapp, sta->addr); +- iapp_send_add(iapp, sta->addr, seq); +- +- /* TODO: If this was reassociation: +- * IAPP-MOVE.request(MAC Address, Sequence Number, Old AP, +- * Context Block, Timeout) +- * TODO: Send IAPP-MOVE to the old AP; Map Old AP BSSID to +- * IP address */ +-} +- +- +-static void iapp_process_add_notify(struct iapp_data *iapp, +- struct sockaddr_in *from, +- struct iapp_hdr *hdr, int len) +-{ +- struct iapp_add_notify *add = (struct iapp_add_notify *) (hdr + 1); +- struct sta_info *sta; +- +- if (len != sizeof(*add)) { +- wpa_printf(MSG_INFO, "Invalid IAPP-ADD packet length %d (expected %lu)", +- len, (unsigned long) sizeof(*add)); +- return; +- } +- +- sta = ap_get_sta(iapp->hapd, add->mac_addr); +- +- /* IAPP-ADD.indication(MAC Address, Sequence Number) */ +- hostapd_logger(iapp->hapd, add->mac_addr, HOSTAPD_MODULE_IAPP, +- HOSTAPD_LEVEL_INFO, +- "Received IAPP ADD-notify (seq# %d) from %s:%d%s", +- be_to_host16(add->seq_num), +- inet_ntoa(from->sin_addr), ntohs(from->sin_port), +- sta ? "" : " (STA not found)"); +- +- if (!sta) +- return; +- +- /* TODO: could use seq_num to try to determine whether last association +- * to this AP is newer than the one advertised in IAPP-ADD. Although, +- * this is not really a reliable verification. */ +- +- hostapd_logger(iapp->hapd, add->mac_addr, HOSTAPD_MODULE_IAPP, +- HOSTAPD_LEVEL_DEBUG, +- "Removing STA due to IAPP ADD-notify"); +- ap_sta_disconnect(iapp->hapd, sta, NULL, 0); +-} +- +- +-/** +- * iapp_receive_udp - Process IAPP UDP frames +- * @sock: File descriptor for the socket +- * @eloop_ctx: IAPP data (struct iapp_data *) +- * @sock_ctx: Not used +- */ +-static void iapp_receive_udp(int sock, void *eloop_ctx, void *sock_ctx) +-{ +- struct iapp_data *iapp = eloop_ctx; +- int len, hlen; +- unsigned char buf[128]; +- struct sockaddr_in from; +- socklen_t fromlen; +- struct iapp_hdr *hdr; +- +- /* Handle incoming IAPP frames (over UDP/IP) */ +- +- fromlen = sizeof(from); +- len = recvfrom(iapp->udp_sock, buf, sizeof(buf), 0, +- (struct sockaddr *) &from, &fromlen); +- if (len < 0) { +- wpa_printf(MSG_INFO, "iapp_receive_udp - recvfrom: %s", +- strerror(errno)); +- return; +- } +- +- if (from.sin_addr.s_addr == iapp->own.s_addr) +- return; /* ignore own IAPP messages */ +- +- hostapd_logger(iapp->hapd, NULL, HOSTAPD_MODULE_IAPP, +- HOSTAPD_LEVEL_DEBUG, +- "Received %d byte IAPP frame from %s%s\n", +- len, inet_ntoa(from.sin_addr), +- len < (int) sizeof(*hdr) ? " (too short)" : ""); +- +- if (len < (int) sizeof(*hdr)) +- return; +- +- hdr = (struct iapp_hdr *) buf; +- hlen = be_to_host16(hdr->length); +- hostapd_logger(iapp->hapd, NULL, HOSTAPD_MODULE_IAPP, +- HOSTAPD_LEVEL_DEBUG, +- "RX: version=%d command=%d id=%d len=%d\n", +- hdr->version, hdr->command, +- be_to_host16(hdr->identifier), hlen); +- if (hdr->version != IAPP_VERSION) { +- wpa_printf(MSG_INFO, "Dropping IAPP frame with unknown version %d", +- hdr->version); +- return; +- } +- if (hlen > len) { +- wpa_printf(MSG_INFO, "Underflow IAPP frame (hlen=%d len=%d)", +- hlen, len); +- return; +- } +- if (hlen < len) { +- wpa_printf(MSG_INFO, "Ignoring %d extra bytes from IAPP frame", +- len - hlen); +- len = hlen; +- } +- +- switch (hdr->command) { +- case IAPP_CMD_ADD_notify: +- iapp_process_add_notify(iapp, &from, hdr, len - sizeof(*hdr)); +- break; +- case IAPP_CMD_MOVE_notify: +- /* TODO: MOVE is using TCP; so move this to TCP handler once it +- * is implemented.. */ +- /* IAPP-MOVE.indication(MAC Address, New BSSID, +- * Sequence Number, AP Address, Context Block) */ +- /* TODO: process */ +- break; +- default: +- wpa_printf(MSG_INFO, "Unknown IAPP command %d", hdr->command); +- break; +- } +-} +- +- +-struct iapp_data * iapp_init(struct hostapd_data *hapd, const char *iface) +-{ +- struct ifreq ifr; +- struct sockaddr_ll addr; +- int ifindex; +- struct sockaddr_in *paddr, uaddr; +- struct iapp_data *iapp; +- struct ip_mreqn mreq; +- int reuseaddr = 1; +- +- iapp = os_zalloc(sizeof(*iapp)); +- if (iapp == NULL) +- return NULL; +- iapp->hapd = hapd; +- iapp->udp_sock = iapp->packet_sock = -1; +- +- /* TODO: +- * open socket for sending and receiving IAPP frames over TCP +- */ +- +- iapp->udp_sock = socket(PF_INET, SOCK_DGRAM, 0); +- if (iapp->udp_sock < 0) { +- wpa_printf(MSG_INFO, "iapp_init - socket[PF_INET,SOCK_DGRAM]: %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- +- os_memset(&ifr, 0, sizeof(ifr)); +- os_strlcpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name)); +- if (ioctl(iapp->udp_sock, SIOCGIFINDEX, &ifr) != 0) { +- wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFINDEX): %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- ifindex = ifr.ifr_ifindex; +- +- if (ioctl(iapp->udp_sock, SIOCGIFADDR, &ifr) != 0) { +- wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFADDR): %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- paddr = (struct sockaddr_in *) &ifr.ifr_addr; +- if (paddr->sin_family != AF_INET) { +- wpa_printf(MSG_INFO, "IAPP: Invalid address family %i (SIOCGIFADDR)", +- paddr->sin_family); +- iapp_deinit(iapp); +- return NULL; +- } +- iapp->own.s_addr = paddr->sin_addr.s_addr; +- +- if (ioctl(iapp->udp_sock, SIOCGIFBRDADDR, &ifr) != 0) { +- wpa_printf(MSG_INFO, "iapp_init - ioctl(SIOCGIFBRDADDR): %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- paddr = (struct sockaddr_in *) &ifr.ifr_addr; +- if (paddr->sin_family != AF_INET) { +- wpa_printf(MSG_INFO, "Invalid address family %i (SIOCGIFBRDADDR)", +- paddr->sin_family); +- iapp_deinit(iapp); +- return NULL; +- } +- inet_aton(IAPP_MULTICAST, &iapp->multicast); +- +- os_memset(&uaddr, 0, sizeof(uaddr)); +- uaddr.sin_family = AF_INET; +- uaddr.sin_port = htons(IAPP_UDP_PORT); +- +- if (setsockopt(iapp->udp_sock, SOL_SOCKET, SO_REUSEADDR, &reuseaddr, +- sizeof(reuseaddr)) < 0) { +- wpa_printf(MSG_INFO, +- "iapp_init - setsockopt[UDP,SO_REUSEADDR]: %s", +- strerror(errno)); +- /* +- * Ignore this and try to continue. This is fine for single +- * BSS cases, but may fail if multiple BSSes enable IAPP. +- */ +- } +- +- if (bind(iapp->udp_sock, (struct sockaddr *) &uaddr, +- sizeof(uaddr)) < 0) { +- wpa_printf(MSG_INFO, "iapp_init - bind[UDP]: %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- +- os_memset(&mreq, 0, sizeof(mreq)); +- mreq.imr_multiaddr = iapp->multicast; +- mreq.imr_address.s_addr = INADDR_ANY; +- mreq.imr_ifindex = 0; +- if (setsockopt(iapp->udp_sock, SOL_IP, IP_ADD_MEMBERSHIP, &mreq, +- sizeof(mreq)) < 0) { +- wpa_printf(MSG_INFO, "iapp_init - setsockopt[UDP,IP_ADD_MEMBERSHIP]: %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- +- iapp->packet_sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); +- if (iapp->packet_sock < 0) { +- wpa_printf(MSG_INFO, "iapp_init - socket[PF_PACKET,SOCK_RAW]: %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- +- os_memset(&addr, 0, sizeof(addr)); +- addr.sll_family = AF_PACKET; +- addr.sll_ifindex = ifindex; +- if (bind(iapp->packet_sock, (struct sockaddr *) &addr, +- sizeof(addr)) < 0) { +- wpa_printf(MSG_INFO, "iapp_init - bind[PACKET]: %s", +- strerror(errno)); +- iapp_deinit(iapp); +- return NULL; +- } +- +- if (eloop_register_read_sock(iapp->udp_sock, iapp_receive_udp, +- iapp, NULL)) { +- wpa_printf(MSG_INFO, "Could not register read socket for IAPP"); +- iapp_deinit(iapp); +- return NULL; +- } +- +- wpa_printf(MSG_INFO, "IEEE 802.11F (IAPP) using interface %s", iface); +- +- /* TODO: For levels 2 and 3: send RADIUS Initiate-Request, receive +- * RADIUS Initiate-Accept or Initiate-Reject. IAPP port should actually +- * be openned only after receiving Initiate-Accept. If Initiate-Reject +- * is received, IAPP is not started. */ +- +- return iapp; +-} +- +- +-void iapp_deinit(struct iapp_data *iapp) +-{ +- struct ip_mreqn mreq; +- +- if (iapp == NULL) +- return; +- +- if (iapp->udp_sock >= 0) { +- os_memset(&mreq, 0, sizeof(mreq)); +- mreq.imr_multiaddr = iapp->multicast; +- mreq.imr_address.s_addr = INADDR_ANY; +- mreq.imr_ifindex = 0; +- if (setsockopt(iapp->udp_sock, SOL_IP, IP_DROP_MEMBERSHIP, +- &mreq, sizeof(mreq)) < 0) { +- wpa_printf(MSG_INFO, "iapp_deinit - setsockopt[UDP,IP_DEL_MEMBERSHIP]: %s", +- strerror(errno)); +- } +- +- eloop_unregister_read_sock(iapp->udp_sock); +- close(iapp->udp_sock); +- } +- if (iapp->packet_sock >= 0) { +- eloop_unregister_read_sock(iapp->packet_sock); +- close(iapp->packet_sock); +- } +- os_free(iapp); +-} +diff --git a/src/ap/iapp.h b/src/ap/iapp.h +deleted file mode 100644 +index c22118342..000000000 +--- a/src/ap/iapp.h ++++ /dev/null +@@ -1,39 +0,0 @@ +-/* +- * hostapd / IEEE 802.11F-2003 Inter-Access Point Protocol (IAPP) +- * Copyright (c) 2002-2005, Jouni Malinen <j@w1.fi> +- * +- * This software may be distributed under the terms of the BSD license. +- * See README for more details. +- */ +- +-#ifndef IAPP_H +-#define IAPP_H +- +-struct iapp_data; +- +-#ifdef CONFIG_IAPP +- +-void iapp_new_station(struct iapp_data *iapp, struct sta_info *sta); +-struct iapp_data * iapp_init(struct hostapd_data *hapd, const char *iface); +-void iapp_deinit(struct iapp_data *iapp); +- +-#else /* CONFIG_IAPP */ +- +-static inline void iapp_new_station(struct iapp_data *iapp, +- struct sta_info *sta) +-{ +-} +- +-static inline struct iapp_data * iapp_init(struct hostapd_data *hapd, +- const char *iface) +-{ +- return NULL; +-} +- +-static inline void iapp_deinit(struct iapp_data *iapp) +-{ +-} +- +-#endif /* CONFIG_IAPP */ +- +-#endif /* IAPP_H */ +diff --git a/src/utils/wpa_debug.h b/src/utils/wpa_debug.h +index 1fe0b7db7..c94c4391f 100644 +--- a/src/utils/wpa_debug.h ++++ b/src/utils/wpa_debug.h +@@ -305,7 +305,6 @@ void hostapd_logger_register_cb(hostapd_logger_cb_func func); + #define HOSTAPD_MODULE_RADIUS 0x00000004 + #define HOSTAPD_MODULE_WPA 0x00000008 + #define HOSTAPD_MODULE_DRIVER 0x00000010 +-#define HOSTAPD_MODULE_IAPP 0x00000020 + #define HOSTAPD_MODULE_MLME 0x00000040 + + enum hostapd_logger_level { +-- +2.17.1 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch new file mode 100644 index 0000000000..54c405b539 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-0326.patch @@ -0,0 +1,43 @@ +From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Mon, 9 Nov 2020 11:43:12 +0200 +Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group + client + +Parsing and copying of WPS secondary device types list was verifying +that the contents is not too long for the internal maximum in the case +of WPS messages, but similar validation was missing from the case of P2P +group information which encodes this information in a different +attribute. This could result in writing beyond the memory area assigned +for these entries and corrupting memory within an instance of struct +p2p_device. This could result in invalid operations and unexpected +behavior when trying to free pointers from that corrupted memory. + +CVE: CVE-2021-0326 + +Upstream-Status: Backport + +Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269 +Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers") +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + src/p2p/p2p.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c +index 74b7b52ae..5cbfc217f 100644 +--- a/src/p2p/p2p.c ++++ b/src/p2p/p2p.c +@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev, + dev->info.config_methods = cli->config_methods; + os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8); + dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types; ++ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN) ++ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN; + os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types, + dev->info.wps_sec_dev_type_list_len); + } +-- +2.17.1 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch new file mode 100644 index 0000000000..fedff76b18 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-27803.patch @@ -0,0 +1,54 @@ +From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Tue, 8 Dec 2020 23:52:50 +0200 +Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request + +p2p_add_device() may remove the oldest entry if there is no room in the +peer table for a new peer. This would result in any pointer to that +removed entry becoming stale. A corner case with an invalid PD Request +frame could result in such a case ending up using (read+write) freed +memory. This could only by triggered when the peer table has reached its +maximum size and the PD Request frame is received from the P2P Device +Address of the oldest remaining entry and the frame has incorrect P2P +Device Address in the payload. + +Fix this by fetching the dev pointer again after having called +p2p_add_device() so that the stale pointer cannot be used. + +CVE: CVE-2021-27803 + +Upstream-Status: Backport + +Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> +--- + src/p2p/p2p_pd.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c +index 3994ec03f..05fd59349 100644 +--- a/src/p2p/p2p_pd.c ++++ b/src/p2p/p2p_pd.c +@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, + goto out; + } + ++ dev = p2p_get_device(p2p, sa); + if (!dev) { +- dev = p2p_get_device(p2p, sa); +- if (!dev) { +- p2p_dbg(p2p, +- "Provision Discovery device not found " +- MACSTR, MAC2STR(sa)); +- goto out; +- } ++ p2p_dbg(p2p, ++ "Provision Discovery device not found " ++ MACSTR, MAC2STR(sa)); ++ goto out; + } + } else if (msg.wfd_subelems) { + wpabuf_free(dev->info.wfd_subelems); +-- +2.17.1 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch new file mode 100644 index 0000000000..e2540fc26b --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2021-30004.patch @@ -0,0 +1,123 @@ +From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sat, 13 Mar 2021 18:19:31 +0200 +Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters + +The supported hash algorithms do not use AlgorithmIdentifier parameters. +However, there are implementations that include NULL parameters in +addition to ones that omit the parameters. Previous implementation did +not check the parameters value at all which supported both these cases, +but did not reject any other unexpected information. + +Use strict validation of digest algorithm parameters and reject any +unexpected value when validating a signature. This is needed to prevent +potential forging attacks. + +Signed-off-by: Jouni Malinen <j@w1.fi> + +Upstream-Status: Backport +CVE: CVE-2021-30004 + +Reference to upstream patch: +[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15] + +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + src/tls/pkcs1.c | 21 +++++++++++++++++++++ + src/tls/x509v3.c | 20 ++++++++++++++++++++ + 2 files changed, 41 insertions(+) + +diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c +index 141ac50..e09db07 100644 +--- a/src/tls/pkcs1.c ++++ b/src/tls/pkcs1.c +@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo", ++ hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "PKCS #1: Unexpected digest algorithm parameters"); ++ os_free(decrypted); ++ return -1; ++ } + + if (!asn1_oid_equal(&oid, hash_alg)) { + char txt[100], txt2[100]; +diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c +index 1bd5aa0..bf2289f 100644 +--- a/src/tls/x509v3.c ++++ b/src/tls/x509v3.c +@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "X509: Unexpected digest algorithm parameters"); ++ os_free(data); ++ return -1; ++ } + + if (x509_sha1_oid(&oid)) { + if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) { +-- +2.17.1 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb index 68dc123702..a9780bc6db 100644 --- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb +++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.9.bb @@ -11,7 +11,12 @@ SRC_URI = " \ file://defconfig \ file://init \ file://hostapd.service \ + file://0001-Prepare-for-CVE-2021-30004.patch.patch \ file://CVE-2019-16275.patch \ + file://CVE-2019-5061.patch \ + file://CVE-2021-0326.patch \ + file://CVE-2021-27803.patch \ + file://CVE-2021-30004.patch \ " SRC_URI[md5sum] = "f188fc53a495fe7af3b6d77d3c31dee8" diff --git a/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb b/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb index 25500e6501..1606f10cf9 100644 --- a/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb +++ b/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fb504b67c50331fc78734fed90fb0e09" DEPENDS = "ell" -SRC_URI = "git://git.kernel.org/pub/scm/network/wireless/iwd.git" +SRC_URI = "git://git.kernel.org/pub/scm/network/wireless/iwd.git;branch=master" SRCREV = "aa3dc1b95348dea177e9d8c2c3063b29e20fe2e9" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch new file mode 100644 index 0000000000..fe871cecb3 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch @@ -0,0 +1,121 @@ +From fc98f520caefff2e5ee9a0026fdf5109944b3562 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 7 Jul 2021 11:47:44 +1200 +Subject: [PATCH] Fix KDC null deref on bad encrypted challenge + +The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check +to avoid further processing if the armor key is NULL. However, this +check is bypassed by a call to k5memdup0() which overwrites retval +with 0 if the allocation succeeds. If the armor key is NULL, a call +to krb5_c_fx_cf2_simple() will then dereference it, resulting in a +crash. Add a check before the k5memdup0() call to avoid overwriting +retval. + +CVE-2021-36222: + +In MIT krb5 releases 1.16 and later, an unauthenticated attacker can +cause a null dereference in the KDC by sending a request containing a +PA-ENCRYPTED-CHALLENGE padata element without using FAST. + +[ghudson@mit.edu: trimmed patch; added test case; edited commit +message] + +ticket: 9007 (new) +tags: pullup +target_version: 1.19-next +target_version: 1.18-next + +CVE: CVE-2021-36222 + +Upstream-Status: Backport +[https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + kdc/kdc_preauth_ec.c | 3 ++- + tests/Makefile.in | 1 + + tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++ + 3 files changed, 49 insertions(+), 1 deletion(-) + create mode 100644 src/tests/t_cve-2021-36222.py + +diff --git a/kdc/kdc_preauth_ec.c b/kdc/kdc_preauth_ec.c +index 7e636b3f9..43a9902cc 100644 +--- a/kdc/kdc_preauth_ec.c ++++ b/kdc/kdc_preauth_ec.c +@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, + } + + /* Check for a configured FAST ec auth indicator. */ +- realmstr = k5memdup0(realm.data, realm.length, &retval); ++ if (retval == 0) ++ realmstr = k5memdup0(realm.data, realm.length, &retval); + if (realmstr != NULL) + retval = profile_get_string(context->profile, KRB5_CONF_REALMS, + realmstr, +diff --git a/tests/Makefile.in b/tests/Makefile.in +index fc6fcc0c3..1a1938306 100644 +--- a/tests/Makefile.in ++++ b/tests/Makefile.in +@@ -166,6 +166,7 @@ check-pytests: unlockiter s4u2self + $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS) ++ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS) + $(RM) au.log + $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \ +diff --git a/tests/t_cve-2021-36222.py b/tests/t_cve-2021-36222.py +new file mode 100644 +index 000000000..57e04993b +--- /dev/null ++++ b/tests/t_cve-2021-36222.py +@@ -0,0 +1,46 @@ ++import socket ++from k5test import * ++ ++realm = K5Realm() ++ ++# CVE-2021-36222 KDC null dereference on encrypted challenge preauth ++# without FAST ++ ++s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) ++a = (hostname, realm.portbase) ++ ++m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE ++ 'A103' '0201' '05' # [1] pvno = 5 ++ 'A203' '0201' '0A' # [2] msg-type = 10 ++ 'A30E' '300C' # [3] padata = SEQUENCE OF ++ '300A' # SEQUENCE ++ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE ++ 'A202' '0400' # [2] padata-value = "" ++ 'A48180' '307E' # [4] req-body = SEQUENCE ++ 'A007' '0305' '0000000000' # [0] kdc-options = 0 ++ 'A120' '301E' # [1] cname = SEQUENCE ++ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL ++ 'A117' '3015' # [1] name-string = SEQUENCE-OF ++ '1B06' '6B7262746774' # krbtgt ++ '1B0B' '4B5242544553542E434F4D' ++ # KRBTEST.COM ++ 'A20D' '1B0B' '4B5242544553542E434F4D' ++ # [2] realm = KRBTEST.COM ++ 'A320' '301E' # [3] sname = SEQUENCE ++ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL ++ 'A117' '3015' # [1] name-string = SEQUENCE-OF ++ '1B06' '6B7262746774' # krbtgt ++ '1B0B' '4B5242544553542E434F4D' ++ # KRBTEST.COM ++ 'A511' '180F' '31393934303631303036303331375A' ++ # [5] till = 19940610060317Z ++ 'A703' '0201' '00' # [7] nonce = 0 ++ 'A808' '3006' # [8] etype = SEQUENCE OF ++ '020112' '020111') # aes256-cts aes128-cts ++ ++s.sendto(bytes.fromhex(m), a) ++ ++# Make sure kinit still works. ++realm.kinit(realm.user_princ, password('user')) ++ ++success('CVE-2021-36222 regression test') +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch new file mode 100644 index 0000000000..6d04bf8980 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2022-42898.patch @@ -0,0 +1,110 @@ +From 4e661f0085ec5f969c76c0896a34322c6c432de4 Mon Sep 17 00:00:00 2001 +From: Greg Hudson <ghudson@mit.edu> +Date: Mon, 17 Oct 2022 20:25:11 -0400 +Subject: [PATCH] Fix integer overflows in PAC parsing + +In krb5_parse_pac(), check for buffer counts large enough to threaten +integer overflow in the header length and memory length calculations. +Avoid potential integer overflows when checking the length of each +buffer. Credit to OSS-Fuzz for discovering one of the issues. + +CVE-2022-42898: + +In MIT krb5 releases 1.8 and later, an authenticated attacker may be +able to cause a KDC or kadmind process to crash by reading beyond the +bounds of allocated memory, creating a denial of service. A +privileged attacker may similarly be able to cause a Kerberos or GSS +application service to crash. On 32-bit platforms, an attacker can +also cause insufficient memory to be allocated for the result, +potentially leading to remote code execution in a KDC, kadmind, or GSS +or Kerberos application server process. An attacker with the +privileges of a cross-realm KDC may be able to extract secrets from a +KDC process's memory by having them copied into the PAC of a new +ticket. + +(cherry picked from commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583) + +ticket: 9074 +version_fixed: 1.19.4 + +Upstream-Status: Backport [https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4] +CVE: CVE-2022-42898 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lib/krb5/krb/pac.c | 9 +++++++-- + src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++ + 2 files changed, 25 insertions(+), 2 deletions(-) + +diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c +index cc74f37..70428a1 100644 +--- a/src/lib/krb5/krb/pac.c ++++ b/src/lib/krb5/krb/pac.c +@@ -27,6 +27,8 @@ + #include "k5-int.h" + #include "authdata.h" + ++#define MAX_BUFFERS 4096 ++ + /* draft-brezak-win2k-krb-authz-00 */ + + /* +@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context, + if (version != 0) + return EINVAL; + ++ if (cbuffers < 1 || cbuffers > MAX_BUFFERS) ++ return ERANGE; ++ + header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH); + if (len < header_len) + return ERANGE; +@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context, + krb5_pac_free(context, pac); + return EINVAL; + } +- if (buffer->Offset < header_len || +- buffer->Offset + buffer->cbBufferSize > len) { ++ if (buffer->Offset < header_len || buffer->Offset > len || ++ buffer->cbBufferSize > len - buffer->Offset) { + krb5_pac_free(context, pac); + return ERANGE; + } +diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c +index 7b756a2..2353e9f 100644 +--- a/src/lib/krb5/krb/t_pac.c ++++ b/src/lib/krb5/krb/t_pac.c +@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = { + 0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00 + }; + ++static const unsigned char fuzz1[] = { ++ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, ++ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5 ++}; ++ ++static const unsigned char fuzz2[] = { ++ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, ++ 0x20, 0x20 ++}; ++ + static const char *s4u_principal = "w2k8u@ACME.COM"; + static const char *s4u_enterprise = "w2k8u@abc@ACME.COM"; + +@@ -646,6 +656,14 @@ main(int argc, char **argv) + krb5_free_principal(context, sep); + } + ++ /* Check problematic PACs found by fuzzing. */ ++ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac); ++ if (!ret) ++ err(context, ret, "krb5_pac_parse should have failed"); ++ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac); ++ if (!ret) ++ err(context, ret, "krb5_pac_parse should have failed"); ++ + /* + * Test empty free + */ +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb index 6164c82480..ebcfbc524c 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.17.1.bb @@ -30,6 +30,8 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ file://etc/default/krb5-admin-server \ file://krb5-kdc.service \ file://krb5-admin-server.service \ + file://CVE-2021-36222.patch \ + file://CVE-2022-42898.patch;striplevel=2 \ " SRC_URI[md5sum] = "417d654c72526ac51466e7fe84608878" SRC_URI[sha256sum] = "3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181" diff --git a/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb b/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb index 908b98d8c5..b1a9ed7ec6 100644 --- a/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb +++ b/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb @@ -12,7 +12,7 @@ DEPENDS = "libplist usbmuxd libusbmuxd libtasn1 gnutls libgcrypt" SRCREV = "fb71aeef10488ed7b0e60a1c8a553193301428c0" PV = "1.2.0+git${SRCPV}" SRC_URI = "\ - git://github.com/libimobiledevice/libimobiledevice;protocol=https \ + git://github.com/libimobiledevice/libimobiledevice;protocol=https;branch=master \ file://configure-fix-largefile.patch \ " diff --git a/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb b/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb index 07a7a1d239..2537963dda 100644 --- a/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb +++ b/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://libndp.org/" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" -SRC_URI = "git://github.com/jpirko/libndp \ +SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \ " # tag for v1.6 SRCREV = "96674e7d4f4d569c2c961e865cc16152dfab5f09" diff --git a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb index 3ee69554b6..b4094dd6f3 100644 --- a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb +++ b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" DEPENDS = "zlib libsigc++-2.0 openssl cppunit" -SRC_URI = "git://github.com/rakshasa/libtorrent \ +SRC_URI = "git://github.com/rakshasa/libtorrent;branch=master;protocol=https \ file://don-t-run-code-while-configuring-package.patch \ " SRCREV = "756f70010779927dc0691e1e722ed433d5d295e1" diff --git a/meta-oe/recipes-connectivity/libuv/libuv/CVE-2020-8252.patch b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2020-8252.patch new file mode 100644 index 0000000000..dd99b44873 --- /dev/null +++ b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2020-8252.patch @@ -0,0 +1,41 @@ +From 0e6e8620496dff0eb285589ef1e37a7f407f3ddd Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis <info@bnoordhuis.nl> +Date: Mon, 24 Aug 2020 11:42:27 +0200 +Subject: [PATCH] unix: don't use _POSIX_PATH_MAX + +Libuv was using _POSIX_PATH_MAX wrong. Bug introduced in commit b56d279b +("unix: do not require PATH_MAX to be defined") from September 2018. + +_POSIX_PATH_MAX is the minimum max path size guaranteed by POSIX, not +the actual max path size of the system libuv runs on. _POSIX_PATH_MAX +is always 256, the real max is often much bigger. + +This commit fixes buffer overruns when processing very long paths in +uv_fs_readlink() and uv_fs_realpath() because libuv was not allocating +enough memory to store the result. + +Fixes: https://github.com/libuv/libuv/issues/2965 +PR-URL: https://github.com/libuv/libuv/pull/2966 + +Upstream-Status: Backport [https://github.com/libuv/libuv/commit/0e6e8620496dff0eb285589ef1e37a7f407f3ddd] +CVE: CVE-2020-8252 +Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com> +--- + src/unix/internal.h | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/unix/internal.h b/src/unix/internal.h +index 30711673e0..9d3c2297f8 100644 +--- a/src/unix/internal.h ++++ b/src/unix/internal.h +@@ -62,9 +62,7 @@ + # include <AvailabilityMacros.h> + #endif + +-#if defined(_POSIX_PATH_MAX) +-# define UV__PATH_MAX _POSIX_PATH_MAX +-#elif defined(PATH_MAX) ++#if defined(PATH_MAX) + # define UV__PATH_MAX PATH_MAX + #else + # define UV__PATH_MAX 8192 diff --git a/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-1.patch b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-1.patch new file mode 100644 index 0000000000..426388c3bf --- /dev/null +++ b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-1.patch @@ -0,0 +1,32 @@ +From 40dad53252e82eb4ee6e0c000e0c9ab15c7af312 Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis <info@bnoordhuis.nl> +Date: Thu, 18 Jan 2024 14:51:40 +0100 +Subject: [PATCH] fix: always zero-terminate idna output + +CVE: CVE-2024-24806 +Upstream commit: 0f2d7e784a256b54b2385043438848047bc2a629 + +Fixes: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6 +--- + src/idna.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/idna.c b/src/idna.c +index 13ffac6b..874f1caf 100644 +--- a/src/idna.c ++++ b/src/idna.c +@@ -284,8 +284,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) { + return rc; + } + +- if (d < de) +- *d++ = '\0'; ++ if (d >= de) ++ return UV_EINVAL; + ++ *d++ = '\0'; + return d - ds; /* Number of bytes written. */ + } +-- +2.43.0 + diff --git a/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-2.patch b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-2.patch new file mode 100644 index 0000000000..f231cf96b9 --- /dev/null +++ b/meta-oe/recipes-connectivity/libuv/libuv/CVE-2024-24806-2.patch @@ -0,0 +1,30 @@ +From 6b8bce71f3ea435fcb286d49df1204c23ef3ea01 Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis <info@bnoordhuis.nl> +Date: Thu, 18 Jan 2024 14:52:38 +0100 +Subject: [PATCH] fix: reject zero-length idna inputs + +CVE: CVE-2024-24806 +Upstream commit: 3530bcc30350d4a6ccf35d2f7b33e23292b9de70 + +Fixes: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6 +--- + src/idna.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/idna.c b/src/idna.c +index 874f1caf..97edf06c 100644 +--- a/src/idna.c ++++ b/src/idna.c +@@ -254,6 +254,9 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) { + char* ds; + int rc; + ++ if (s == se) ++ return UV_EINVAL; ++ + ds = d; + + for (si = s; si < se; /* empty */) { +-- +2.43.0 + diff --git a/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb b/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb index deeaa2b15c..da99b41fdd 100644 --- a/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb +++ b/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb @@ -5,7 +5,10 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=a68902a430e32200263d182d44924d47" SRCREV = "533b738838ad8407032e14b6772b29ef9af63cfa" -SRC_URI = "git://github.com/libuv/libuv;branch=v1.x" +SRC_URI = "git://github.com/libuv/libuv;branch=v1.x;protocol=https \ + file://CVE-2020-8252.patch \ + file://CVE-2024-24806-1.patch \ + file://CVE-2024-24806-2.patch" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp/0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch b/meta-oe/recipes-connectivity/linuxptp/linuxptp/0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch new file mode 100644 index 0000000000..83bdae858f --- /dev/null +++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp/0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch @@ -0,0 +1,42 @@ +From dfd38cb29c0768692f886d3ab9158bd2b3132582 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Tue, 22 Nov 2022 15:20:48 +0800 +Subject: [PATCH] makefile: use conditional assignment for KBUILD_OUTPUT + +Refer [1],from make 4.4, all variables that are marked as export will +also be passed to the shell started by the shell function. use "=" will +make KBUILD_OUTPUT always empty for shell function, use "?=" to make +"export KBUILD_OUTPUT" in enrironment can work. + +[snip of 4.4 NEWS] +* WARNING: Backward-incompatibility! + Previously makefile variables marked as export were not exported to commands + started by the $(shell ...) function. Now, all exported variables are + exported to $(shell ...). +[snip] + +[1] https://git.savannah.gnu.org/cgit/make.git/tree/NEWS?h=4.4&id=ed493f6c9116cc217b99c2cfa6a95f15803235a2#n74 + +Upstream-Status: Backport [d3dd51ba611802d7cbb28631cb943cb882fa4aac] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/makefile b/makefile +index 529d8a0..3db60fa 100644 +--- a/makefile ++++ b/makefile +@@ -15,7 +15,7 @@ + # with this program; if not, write to the Free Software Foundation, Inc., + # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +-KBUILD_OUTPUT = ++KBUILD_OUTPUT ?= + + DEBUG = + CC ?= $(CROSS_COMPILE)gcc +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp/Use-cross-cpp-in-incdefs.patch b/meta-oe/recipes-connectivity/linuxptp/linuxptp/Use-cross-cpp-in-incdefs.patch new file mode 100644 index 0000000000..876088649e --- /dev/null +++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp/Use-cross-cpp-in-incdefs.patch @@ -0,0 +1,26 @@ +From 8a4cad5e2f2cbb6a34bdc6e877fe499502b8c4c8 Mon Sep 17 00:00:00 2001 +From: Marcel Ziswiler <marcel.ziswiler@toradex.com> +Date: Fri, 23 Dec 2016 18:12:29 +0100 +Subject: [PATCH] linuxptp: Use cross cpp in incdefs + +Use cross cpp incdefs.sh shell script since we are doing cross compiling +we need to ensure we use correct setttings from toolchain + +Upstream-Status: Inappropriate [OE-Specific] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + + makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/incdefs.sh ++++ b/incdefs.sh +@@ -27,7 +27,7 @@ user_flags() + printf " -D_GNU_SOURCE" + + # Get list of directories searched for header files. +- dirs=$(echo "" | ${CROSS_COMPILE}cpp -Wp,-v 2>&1 >/dev/null | grep ^" /") ++ dirs=$(${CPP} -Wp,-v -xc /dev/null 2>&1 >/dev/null | grep ^" /") + + # Look for clock_adjtime(). + for d in $dirs; do diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp/no-incdefs-using-host-headers.patch b/meta-oe/recipes-connectivity/linuxptp/linuxptp/no-incdefs-using-host-headers.patch deleted file mode 100644 index 02dbb23465..0000000000 --- a/meta-oe/recipes-connectivity/linuxptp/linuxptp/no-incdefs-using-host-headers.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 8a4cad5e2f2cbb6a34bdc6e877fe499502b8c4c8 Mon Sep 17 00:00:00 2001 -From: Marcel Ziswiler <marcel.ziswiler@toradex.com> -Date: Fri, 23 Dec 2016 18:12:29 +0100 -Subject: [PATCH] linuxptp: no incdefs using host headers - -Avoid using host headers via incdefs.sh shell script. - -Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com> ---- - - makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/makefile b/makefile -index 8cdbd15..85174b8 100644 ---- a/makefile -+++ b/makefile -@@ -33,7 +33,7 @@ OBJECTS = $(OBJ) hwstamp_ctl.o phc2sys.o phc_ctl.o pmc.o pmc_common.o \ - SRC = $(OBJECTS:.o=.c) - DEPEND = $(OBJECTS:.o=.d) - srcdir := $(dir $(lastword $(MAKEFILE_LIST))) --incdefs := $(shell $(srcdir)/incdefs.sh) -+#incdefs := $(shell $(srcdir)/incdefs.sh) - version := $(shell $(srcdir)/version.sh $(srcdir)) - VPATH = $(srcdir) - --- -2.9.3 - diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb b/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb index 930c6673dc..b848575e13 100644 --- a/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb +++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb @@ -2,17 +2,18 @@ DESCRIPTION = "Precision Time Protocol (PTP) according to IEEE standard 1588 for LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v${PV}/linuxptp-${PV}.tgz \ +SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v2.0/linuxptp-${PV}.tgz \ file://build-Allow-CC-and-prefix-to-be-overriden.patch \ - file://no-incdefs-using-host-headers.patch \ + file://Use-cross-cpp-in-incdefs.patch \ file://time_t_maybe_long_long.patch \ + file://0001-makefile-use-conditional-assignment-for-KBUILD_OUTPU.patch \ " -SRC_URI[md5sum] = "d8bb7374943bb747db7786ac26f17f11" -SRC_URI[sha256sum] = "0a24d9401e87d4af023d201e234d91127d82c350daad93432106284aa9459c7d" +SRC_URI[sha256sum] = "6f4669db1733747427217a9e74c8b5ca25c4245947463e9cdb860ec8f5ec797a" -EXTRA_OEMAKE = "ARCH=${TARGET_ARCH} \ - EXTRA_CFLAGS='-D_GNU_SOURCE -DHAVE_CLOCK_ADJTIME -DHAVE_POSIX_SPAWN -DHAVE_ONESTEP_SYNC ${CFLAGS}'" +EXTRA_OEMAKE = "ARCH=${TARGET_ARCH} EXTRA_CFLAGS='${CFLAGS}'" + +export KBUILD_OUTPUT="${RECIPE_SYSROOT}" do_install () { install -d ${D}/${bindir} diff --git a/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb b/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb index 3a1222e89e..d070111e95 100644 --- a/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb +++ b/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = " \ file://about.html;md5=e5662cbb5f8fd5c9faac526e4077898e \ " -SRC_URI = "git://github.com/eclipse/paho.mqtt.c;protocol=http \ +SRC_URI = "git://github.com/eclipse/paho.mqtt.c;protocol=http;branch=master;protocol=https \ file://0001-Fix-bug-of-free-with-musl.patch" SRCREV = "3148fe2d5f4b87e16266dfe559c0764e16ca0546" diff --git a/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb b/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb index 2ef6b187e9..bbc311ee1e 100644 --- a/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb +++ b/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/alanxz/rabbitmq-c" LIC_FILES_CHKSUM = "file://LICENSE-MIT;md5=6b7424f9db80cfb11fdd5c980b583f53" LICENSE = "MIT" -SRC_URI = "git://github.com/alanxz/rabbitmq-c.git" +SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https" # v0.10.0-master SRCREV = "ffe918a5fcef72038a88054dca3c56762b1953d4" diff --git a/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb b/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb index 331f978f86..41fb1ec826 100644 --- a/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb +++ b/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" DEPENDS = "libsigc++-2.0 curl cppunit libtorrent ncurses" -SRC_URI = "git://github.com/rakshasa/rtorrent \ +SRC_URI = "git://github.com/rakshasa/rtorrent;branch=master;protocol=https \ file://don-t-run-code-while-configuring-package.patch \ " # v0.9.8 diff --git a/meta-oe/recipes-connectivity/ser2net/ser2net_4.1.8.bb b/meta-oe/recipes-connectivity/ser2net/ser2net_4.1.8.bb index 4a91fa4f4d..ae93ff561c 100644 --- a/meta-oe/recipes-connectivity/ser2net/ser2net_4.1.8.bb +++ b/meta-oe/recipes-connectivity/ser2net/ser2net_4.1.8.bb @@ -14,5 +14,3 @@ SRC_URI[sha256sum] = "cffb5147021202b064eb0a9389d0db63d1bb2dcde5a896f7785f97b1b5 UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/ser2net/files/ser2net" inherit autotools pkgconfig - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb b/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb index 2b05c61a0d..4d4e841f62 100644 --- a/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb +++ b/meta-oe/recipes-connectivity/telepathy/telepathy-glib_0.24.1.bb @@ -12,7 +12,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e413d83db6ee8f2c8e6055719096a48e" inherit autotools pkgconfig gettext gobject-introspection vala -EXTRA_OECONF = "--enable-vala-bindings" +# Respect GI_DATA_ENABLED value when enabling vala-bindings: +# configure: error: GObject-Introspection must be enabled for Vala bindings +EXTRA_OECONF = "${@bb.utils.contains('GI_DATA_ENABLED', 'True', '--enable-vala-bindings', '--disable-vala-bindings', d)}" FILES_${PN} += "${datadir}/telepathy \ ${datadir}/dbus-1" diff --git a/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb b/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb index 7284234326..7993e608db 100644 --- a/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb +++ b/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb @@ -10,7 +10,7 @@ inherit autotools pkgconfig gitpkgv systemd PKGV = "${GITPKGVTAG}" SRCREV = "ee85938c21043ef5f7cd4dfbc7677f385814d4d8" -SRC_URI = "git://github.com/libimobiledevice/usbmuxd;protocol=https" +SRC_URI = "git://github.com/libimobiledevice/usbmuxd;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb b/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb index 99cfb32051..dd2b4392c2 100644 --- a/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb +++ b/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb @@ -9,7 +9,7 @@ SECTION = "test" S = "${WORKDIR}/git" SRCREV = "f7a8d7ef7d1a831c1bb47de21fa083536ea2f3a9" -SRC_URI = "git://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT.git \ +SRC_URI = "git://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT.git;branch=master;protocol=https \ file://0001-Use-toolchain-from-environment-variables.patch \ file://0002-Add-missing-include-removes-unnedded-stuff-and-add-n.patch \ file://0003-fix-path-to-usr-sbin-for-script-and-make-script-for-.patch \ diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch new file mode 100644 index 0000000000..2eec4bf327 --- /dev/null +++ b/meta-oe/recipes-connectivity/zabbix/zabbix/CVE-2020-15803.patch @@ -0,0 +1,36 @@ +From 4943334fd9bf7dffd49f9e86251ad40b3efe2135 Mon Sep 17 00:00:00 2001 +From: Wang Mingyu <wangmy@cn.fujitsu.com> +Date: Fri, 11 Dec 2020 17:02:20 +0900 +Subject: [PATCH] Fix bug for CVE-2020-15803 + +Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com> +--- + frontends/php/include/classes/html/CIFrame.php | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/frontends/php/include/classes/html/CIFrame.php b/frontends/php/include/classes/html/CIFrame.php +index 32220cd..70f2ab5 100644 +--- a/frontends/php/include/classes/html/CIFrame.php ++++ b/frontends/php/include/classes/html/CIFrame.php +@@ -29,6 +29,7 @@ class CIFrame extends CTag { + $this->setHeight($height); + $this->setScrolling($scrolling); + $this->setId($id); ++ $this->setSandbox(); + } + + public function setSrc($value = null) { +@@ -69,4 +70,10 @@ class CIFrame extends CTag { + $this->setAttribute('scrolling', $value); + return $this; + } ++ ++ private function setSandbox() { ++ if (ZBX_IFRAME_SANDBOX !== false) { ++ $this->setAttribute('sandbox', ZBX_IFRAME_SANDBOX); ++ } ++ } + } +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/zabbix/zabbix_4.4.6.bb b/meta-oe/recipes-connectivity/zabbix/zabbix_4.4.6.bb index 0e0ddd5779..98a31879c4 100644 --- a/meta-oe/recipes-connectivity/zabbix/zabbix_4.4.6.bb +++ b/meta-oe/recipes-connectivity/zabbix/zabbix_4.4.6.bb @@ -26,6 +26,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}" SRC_URI = "http://jaist.dl.sourceforge.net/project/zabbix/ZABBIX%20Latest%20Stable/${PV}/${BPN}-${PV}.tar.gz \ file://0001-Fix-configure.ac.patch \ file://zabbix-agent.service \ + file://CVE-2020-15803.patch \ " SRC_URI[md5sum] = "e666539220be93b1af38e40f5fbb1f79" diff --git a/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb b/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb index 0b66970a9d..2a435897d3 100644 --- a/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb +++ b/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb @@ -7,7 +7,7 @@ DEPENDS = "zeromq" SRCREV = "8d5c9a88988dcbebb72939ca0939d432230ffde1" PV = "4.6.0" -SRC_URI = "git://github.com/zeromq/cppzmq.git" +SRC_URI = "git://github.com/zeromq/cppzmq.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/zeromq/czmq_4.2.0.bb b/meta-oe/recipes-connectivity/zeromq/czmq_4.2.0.bb index 7c9a33e8c1..75d534ea66 100644 --- a/meta-oe/recipes-connectivity/zeromq/czmq_4.2.0.bb +++ b/meta-oe/recipes-connectivity/zeromq/czmq_4.2.0.bb @@ -27,6 +27,3 @@ PACKAGECONFIG[lz4] = ",-DCMAKE_DISABLE_FIND_PACKAGE_lz4=TRUE,lz4" PACKAGECONFIG[uuid] = ",-DCMAKE_DISABLE_FIND_PACKAGE_uuid=TRUE,util-linux" PACKAGECONFIG[curl] = ",-DCMAKE_DISABLE_FIND_PACKAGE_libcurl=TRUE,curl" PACKAGECONFIG[systemd] = ",-DCMAKE_DISABLE_FIND_PACKAGE_systemd=TRUE,systemd" - -BBCLASSEXTEND = "nativesdk" - diff --git a/meta-oe/recipes-connectivity/zeromq/files/0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch b/meta-oe/recipes-connectivity/zeromq/files/0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch index eb3dee4d31..31f6529225 100644 --- a/meta-oe/recipes-connectivity/zeromq/files/0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch +++ b/meta-oe/recipes-connectivity/zeromq/files/0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch @@ -19,8 +19,8 @@ Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> --- a/CMakeLists.txt +++ b/CMakeLists.txt -@@ -1210,7 +1210,7 @@ - target_link_libraries(libzmq ${OPTIONAL_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT}) +@@ -1440,7 +1440,7 @@ if(BUILD_SHARED) + endif() if(SODIUM_FOUND) - target_link_libraries(libzmq ${SODIUM_LIBRARIES}) @@ -28,8 +28,8 @@ Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> # On Solaris, libsodium depends on libssp if(${CMAKE_SYSTEM_NAME} MATCHES "SunOS") target_link_libraries(libzmq ssp) -@@ -1240,7 +1240,7 @@ - target_link_libraries(libzmq-static ${OPTIONAL_LIBRARIES} ${CMAKE_THREAD_LIBS_INIT}) +@@ -1485,7 +1485,7 @@ if(BUILD_STATIC) + endif() if(SODIUM_FOUND) - target_link_libraries(libzmq-static ${SODIUM_LIBRARIES}) diff --git a/meta-oe/recipes-connectivity/zeromq/zeromq_4.3.2.bb b/meta-oe/recipes-connectivity/zeromq/zeromq_4.3.4.bb index 02a4c04fd7..4381f2d6d6 100644 --- a/meta-oe/recipes-connectivity/zeromq/zeromq_4.3.2.bb +++ b/meta-oe/recipes-connectivity/zeromq/zeromq_4.3.4.bb @@ -10,8 +10,8 @@ SRC_URI = "http://github.com/zeromq/libzmq/releases/download/v${PV}/zeromq-${PV} file://0001-CMakeLists-txt-Avoid-host-specific-path-to-libsodium.patch \ file://run-ptest \ " -SRC_URI[md5sum] = "2047e917c2cc93505e2579bcba67a573" -SRC_URI[sha256sum] = "ebd7b5c830d6428956b67a0454a7f8cbed1de74b3b01e5c33c5378e22740f763" +SRC_URI[md5sum] = "c897d4005a3f0b8276b00b7921412379" +SRC_URI[sha256sum] = "c593001a89f5a85dd2ddf564805deb860e02471171b3f204944857336295c3e5" UPSTREAM_CHECK_URI = "https://github.com/${BPN}/libzmq/releases" diff --git a/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch b/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch index 2c4ca057f2..1c2fc3813f 100644 --- a/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch +++ b/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch @@ -21,7 +21,7 @@ index 009e4fd..f3f0d80 100644 if (!dbus_conn) - return; -+ DBUS_HANDLER_RESULT_NOT_YET_HANDLED; ++ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; if (verbose) g_print ("New message from server: type='%d' path='%s' iface='%s'" diff --git a/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb b/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb index 42cd032c22..f40b48836a 100644 --- a/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb +++ b/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb @@ -6,7 +6,7 @@ SRCREV = "1226a0a1374628ff191f6d8a56000be5e53e7608" PV = "0.0.0+gitr${SRCPV}" PR = "r1.59" -SRC_URI = "git://github.com/alban/dbus-daemon-proxy \ +SRC_URI = "git://github.com/alban/dbus-daemon-proxy;branch=master;protocol=https \ file://0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-core/emlog/emlog.inc b/meta-oe/recipes-core/emlog/emlog.inc index 9a0f9ba928..fb3cd3f712 100644 --- a/meta-oe/recipes-core/emlog/emlog.inc +++ b/meta-oe/recipes-core/emlog/emlog.inc @@ -3,9 +3,9 @@ most recent (and only the most recent) output from a process" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" -SRC_URI = "git://github.com/nicupavel/emlog.git;protocol=http" +SRC_URI = "git://github.com/nicupavel/emlog.git;protocol=http;branch=master;protocol=https" SRCREV = "aee53e8dee862f35291242ba41b0ca88010f6c71" - +PV = "0.70+git${SRCPV}" S = "${WORKDIR}/git" EXTRA_OEMAKE += " \ diff --git a/meta-oe/recipes-core/emlog/emlog_git.bb b/meta-oe/recipes-core/emlog/emlog_git.bb index 387dd67123..a503ab82b8 100644 --- a/meta-oe/recipes-core/emlog/emlog_git.bb +++ b/meta-oe/recipes-core/emlog/emlog_git.bb @@ -24,3 +24,16 @@ do_install() { } RRECOMMENDS_${PN} += "kernel-module-emlog" + +# The NVD database doesn't have a CPE for this product, +# the name of this product is exactly the same as github.com/emlog/emlog +# but it's not related in any way. The following CVEs are from that project +# so they can be safely ignored +CVE_CHECK_WHITELIST += "\ + CVE-2019-16868 \ + CVE-2019-17073 \ + CVE-2021-44584 \ + CVE-2022-1526 \ + CVE-2022-3968 \ + CVE-2023-43291 \ +" diff --git a/meta-oe/recipes-core/glfw/glfw_3.3.bb b/meta-oe/recipes-core/glfw/glfw_3.3.bb index 0fcf716c8e..c920cbd507 100644 --- a/meta-oe/recipes-core/glfw/glfw_3.3.bb +++ b/meta-oe/recipes-core/glfw/glfw_3.3.bb @@ -12,7 +12,7 @@ inherit pkgconfig cmake features_check PV .= "+git${SRCPV}" SRCREV = "781fbbadb0bccc749058177b1385c82da9ace880" -SRC_URI = "git://github.com/glfw/glfw.git" +SRC_URI = "git://github.com/glfw/glfw.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-core/libnfc/libnfc_git.bb b/meta-oe/recipes-core/libnfc/libnfc_git.bb index 2851ecf9fe..65586247a2 100644 --- a/meta-oe/recipes-core/libnfc/libnfc_git.bb +++ b/meta-oe/recipes-core/libnfc/libnfc_git.bb @@ -11,7 +11,7 @@ PV = "1.7.1+git${SRCPV}" S = "${WORKDIR}/git" SRCREV = "2d4543673e9b76c02679ca8b89259659f1afd932" -SRC_URI = "git://github.com/nfc-tools/libnfc.git \ +SRC_URI = "git://github.com/nfc-tools/libnfc.git;branch=master;protocol=https \ file://0001-usbbus-Include-stdint.h-for-uintX_t.patch \ " diff --git a/meta-oe/recipes-core/mdbus2/mdbus2_git.bb b/meta-oe/recipes-core/mdbus2/mdbus2_git.bb index 82f2cf8c94..fa98e1cb46 100644 --- a/meta-oe/recipes-core/mdbus2/mdbus2_git.bb +++ b/meta-oe/recipes-core/mdbus2/mdbus2_git.bb @@ -6,7 +6,7 @@ DEPENDS = "readline" PV = "2.3.3+git${SRCPV}" -SRC_URI = "git://github.com/freesmartphone/mdbus.git;protocol=http" +SRC_URI = "git://github.com/freesmartphone/mdbus.git;protocol=http;branch=master;protocol=https" SRCREV = "28202692d0b441000f4ddb8f347f72d1355021aa" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-core/ndctl/ndctl_v67.bb b/meta-oe/recipes-core/ndctl/ndctl_v67.bb index da0c6563a7..19d96414d3 100644 --- a/meta-oe/recipes-core/ndctl/ndctl_v67.bb +++ b/meta-oe/recipes-core/ndctl/ndctl_v67.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e66651809cac5da60c8b80e9e4e79e08" inherit autotools-brokensep pkgconfig bash-completion systemd SRCREV = "637bb424dc317a044c722a671355ef9df0e0d30f" -SRC_URI = "git://github.com/pmem/ndctl.git" +SRC_URI = "git://github.com/pmem/ndctl.git;branch=master;protocol=https" DEPENDS = "kmod udev json-c keyutils" diff --git a/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb b/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb index dec1bea566..1d86f48aee 100644 --- a/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb +++ b/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb @@ -6,7 +6,7 @@ SECTION = "base" S = "${WORKDIR}/git" SRCREV = "40c5d226c7c0706f0176884e9b94b3886679c983" -SRC_URI = "git://github.com/KhronosGroup/OpenCL-Headers.git" +SRC_URI = "git://github.com/KhronosGroup/OpenCL-Headers.git;branch=main;protocol=https" do_configure[noexec] = "1" do_compile[noexec] = "1" diff --git a/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb b/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb index 7c49c8d552..de355d29d6 100644 --- a/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb +++ b/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb @@ -8,7 +8,7 @@ inherit pkgconfig cmake S = "${WORKDIR}/git" SRCREV = "b342ff7b7f70a4b3f2cfc53215af8fa20adc3d86" -SRC_URI = "git://github.com/KhronosGroup/OpenCL-ICD-Loader.git" +SRC_URI = "git://github.com/KhronosGroup/OpenCL-ICD-Loader.git;branch=main;protocol=https" do_install () { install -d ${D}${bindir} diff --git a/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb b/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb index 8358e933d7..505d4efc1a 100644 --- a/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb +++ b/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb @@ -8,17 +8,21 @@ PACKAGES = ' \ packagegroup-meta-oe \ packagegroup-meta-oe-benchmarks \ packagegroup-meta-oe-connectivity \ + packagegroup-meta-oe-connectivity-python2 \ packagegroup-meta-oe-core \ packagegroup-meta-oe-crypto \ packagegroup-meta-oe-bsp \ packagegroup-meta-oe-dbs \ + packagegroup-meta-oe-dbs-python2 \ packagegroup-meta-oe-devtools \ packagegroup-meta-oe-extended \ + packagegroup-meta-oe-extended-python2 \ packagegroup-meta-oe-kernel \ packagegroup-meta-oe-multimedia \ packagegroup-meta-oe-navigation \ packagegroup-meta-oe-security \ packagegroup-meta-oe-support \ + packagegroup-meta-oe-support-python2 \ packagegroup-meta-oe-test \ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-meta-oe-gnome", "", d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-meta-oe-graphics", "", d)} \ @@ -28,17 +32,21 @@ PACKAGES = ' \ RDEPENDS_packagegroup-meta-oe = "\ packagegroup-meta-oe-benchmarks \ packagegroup-meta-oe-connectivity \ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "packagegroup-meta-oe-connectivity-python2", "", d)} \ packagegroup-meta-oe-core \ packagegroup-meta-oe-crypto \ packagegroup-meta-oe-bsp \ packagegroup-meta-oe-dbs \ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "packagegroup-meta-oe-dbs-python2", "", d)} \ packagegroup-meta-oe-devtools \ packagegroup-meta-oe-extended \ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "packagegroup-meta-oe-extended-python2", "", d)} \ packagegroup-meta-oe-kernel \ packagegroup-meta-oe-multimedia \ packagegroup-meta-oe-navigation \ packagegroup-meta-oe-security \ packagegroup-meta-oe-support \ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "packagegroup-meta-oe-support-python2", "", d)} \ packagegroup-meta-oe-test \ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-meta-oe-gnome", "", d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-meta-oe-graphics", "", d)} \ @@ -70,10 +78,13 @@ RDEPENDS_packagegroup-meta-oe-connectivity ="\ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "obex-data-server", "", d)} \ libmikmod \ obexftp openobex libnet \ - ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "telepathy-idle", "", d)} \ " RDEPENDS_packagegroup-meta-oe-connectivity_append_libc-glibc = " wvstreams wvdial" +RDEPENDS_packagegroup-meta-oe-connectivity-python2 = "\ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "telepathy-idle", "", d)} \ +" + # dracut needs dracut RDEPENDS_packagegroup-meta-oe-core ="\ dbus-daemon-proxy libdbus-c++ \ @@ -103,24 +114,26 @@ RDEPENDS_packagegroup-meta-oe-dbs ="\ leveldb libdbi mariadb mariadb-native \ postgresql psqlodbc rocksdb soci \ sqlite \ - ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "mysql-python", "", d)} \ " +RDEPENDS_packagegroup-meta-oe-dbs-python2 ="\ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "mysql-python", "", d)} \ +" + RDEPENDS_packagegroup-meta-oe-devtools ="\ android-tools android-tools-conf bootchart breakpad \ capnproto cgdb cscope ctags \ debootstrap dmalloc flatbuffers \ - giflib grpc icon-slicer iptraf-ng jq jsoncpp jsonrpc json-spirit \ + giflib grpc guider icon-slicer iptraf-ng jq jsoncpp jsonrpc json-spirit \ kconfig-frontends lemon libedit libgee libsombok3 \ libubox log4cplus lshw ltrace lua mcpp memstat mercurial \ - mpich msgpack-c nlohmann-json openocd pax-utils \ + mpich msgpack-c nlohmann-json nodejs openocd pax-utils \ ipc-run libdbd-mysql-perl libdbi-perl libio-pty-perl php \ protobuf protobuf-c \ rapidjson serialcheck sip3 tclap uftrace uw-imap valijson \ xmlrpc-c yajl yasm \ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "geany geany-plugins glade tk", "", d)} \ - ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "nodejs", "", d)} \ - " +" RDEPENDS_packagegroup-meta-oe-devtools_remove_armv5 = "uftrace nodejs" RDEPENDS_packagegroup-meta-oe-devtools_remove_mipsarch = "uftrace lshw" @@ -155,8 +168,7 @@ RDEPENDS_packagegroup-meta-oe-extended ="\ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-ssh-agent-auth openwsman sblim-sfcb ", "", d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "polkit", "polkit polkit-group-rule-datetime ", "", d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "polkit", "polkit-group-rule-network ", "", d)} \ - ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "openlmi-tools", "", d)} \ - " +" RDEPENDS_packagegroup-meta-oe-extended_remove_mipsarch = "upm mraa tiptop" RDEPENDS_packagegroup-meta-oe-extended_remove_powerpc = "upm mraa" RDEPENDS_packagegroup-meta-oe-extended_remove_powerpc64 = "upm mraa" @@ -164,6 +176,10 @@ RDEPENDS_packagegroup-meta-oe-extended_remove_powerpc64le = "upm mraa" RDEPENDS_packagegroup-meta-oe-extended_remove_riscv64 = "upm mraa tiptop" RDEPENDS_packagegroup-meta-oe-extended_remove_riscv32 = "upm mraa tiptop" +RDEPENDS_packagegroup-meta-oe-extended-python2 ="\ + ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "openlmi-tools", "", d)} \ +" + RDEPENDS_packagegroup-meta-oe-gnome ="\ atkmm gnome-common gnome-doc-utils-stub gtkmm \ gtkmm3 pyxdg vte9 \ @@ -270,8 +286,11 @@ RDEPENDS_packagegroup-meta-oe-support ="\ procmail \ ${@bb.utils.contains("DISTRO_FEATURES", "polkit", "udisks2 upower", "", d)} \ ${NE10} \ +" + +RDEPENDS_packagegroup-meta-oe-support-python2 ="\ ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "lio-utils", "", d)} \ - " +" RDEPENDS_packagegroup-meta-oe-support_remove_arm ="numactl" RDEPENDS_packagegroup-meta-oe-support_remove_mipsarch = "gperftools" diff --git a/meta-oe/recipes-core/safec/safec_3.5.1.bb b/meta-oe/recipes-core/safec/safec_3.5.1.bb index 91d8fc65a0..29158094a1 100644 --- a/meta-oe/recipes-core/safec/safec_3.5.1.bb +++ b/meta-oe/recipes-core/safec/safec_3.5.1.bb @@ -9,7 +9,7 @@ inherit autotools pkgconfig S = "${WORKDIR}/git" # v08112019 SRCREV = "ad76c7b1dbd0403b0c9decf54164fcce271c590f" -SRC_URI = "git://github.com/rurban/safeclib.git \ +SRC_URI = "git://github.com/rurban/safeclib.git;branch=master;protocol=https \ " COMPATIBLE_HOST = '(x86_64|i.86|powerpc|powerpc64|arm|aarch64|mips).*-linux' diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch new file mode 100644 index 0000000000..89cb593e60 --- /dev/null +++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch @@ -0,0 +1,96 @@ +From b073e1c2b9a8138da83300f598b9a56fc9762b4b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stanislav=20Angelovi=C4=8D?= <angelovic.s@gmail.com> +Date: Mon, 16 Nov 2020 17:05:36 +0100 +Subject: [PATCH] Try to first find googletest in the system before downloading + it (#125) + +Upstream-Status: Backport [d6fdaca] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> + +--- + tests/CMakeLists.txt | 62 ++++++++++++++++++++++++++++---------------- + 1 file changed, 40 insertions(+), 22 deletions(-) + +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index 97f7c1a..7ecc327 100644 +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -2,26 +2,44 @@ + # DOWNLOAD AND BUILD OF GOOGLETEST + #------------------------------- + +-include(FetchContent) +- +-message("Fetching googletest...") +-FetchContent_Declare(googletest +- GIT_REPOSITORY https://github.com/google/googletest.git +- GIT_TAG master +- GIT_SHALLOW 1 +- UPDATE_COMMAND "") +- +-#FetchContent_MakeAvailable(googletest) # Not available in CMake 3.13 :-( Let's do it manually: +-FetchContent_GetProperties(googletest) +-if(NOT googletest_POPULATED) +- FetchContent_Populate(googletest) +- set(gtest_force_shared_crt ON CACHE INTERNAL "" FORCE) +- set(BUILD_GMOCK ON CACHE INTERNAL "" FORCE) +- set(INSTALL_GTEST OFF CACHE INTERNAL "" FORCE) +- set(BUILD_SHARED_LIBS_BAK ${BUILD_SHARED_LIBS}) +- set(BUILD_SHARED_LIBS OFF) +- add_subdirectory(${googletest_SOURCE_DIR} ${googletest_BINARY_DIR}) +- set(BUILD_SHARED_LIBS ${BUILD_SHARED_LIBS_BAK}) ++set(GOOGLETEST_VERSION 1.10.0 CACHE STRING "Version of gmock to use") ++set(GOOGLETEST_GIT_REPO "https://github.com/google/googletest.git" CACHE STRING "A git repo to clone and build googletest from if gmock is not found in the system") ++ ++find_package(GTest ${GOOGLETEST_VERSION} CONFIG) ++if (NOT TARGET GTest::gmock) ++ # Try pkg-config if GTest was not found through CMake config ++ find_package(PkgConfig) ++ if (PkgConfig_FOUND) ++ pkg_check_modules(GMock IMPORTED_TARGET GLOBAL gmock>=${GOOGLETEST_VERSION}) ++ if(TARGET PkgConfig::GMock) ++ add_library(GTest::gmock ALIAS PkgConfig::GMock) ++ endif() ++ endif() ++ # GTest was not found in the system, build it on our own ++ if (NOT TARGET GTest::gmock) ++ include(FetchContent) ++ ++ message("Fetching googletest...") ++ FetchContent_Declare(googletest ++ GIT_REPOSITORY ${GOOGLETEST_GIT_REPO} ++ GIT_TAG release-${GOOGLETEST_VERSION} ++ GIT_SHALLOW 1 ++ UPDATE_COMMAND "") ++ ++ #FetchContent_MakeAvailable(googletest) # Not available in CMake 3.13 :-( Let's do it manually: ++ FetchContent_GetProperties(googletest) ++ if(NOT googletest_POPULATED) ++ FetchContent_Populate(googletest) ++ set(gtest_force_shared_crt ON CACHE INTERNAL "" FORCE) ++ set(BUILD_GMOCK ON CACHE INTERNAL "" FORCE) ++ set(INSTALL_GTEST OFF CACHE INTERNAL "" FORCE) ++ set(BUILD_SHARED_LIBS_BAK ${BUILD_SHARED_LIBS}) ++ set(BUILD_SHARED_LIBS OFF) ++ add_subdirectory(${googletest_SOURCE_DIR} ${googletest_BINARY_DIR}) ++ set(BUILD_SHARED_LIBS ${BUILD_SHARED_LIBS_BAK}) ++ add_library(GTest::gmock ALIAS gmock) ++ endif() ++ endif() + endif() + + #------------------------------- +@@ -87,11 +105,11 @@ include_directories(${CMAKE_CURRENT_SOURCE_DIR}) + + add_executable(sdbus-c++-unit-tests ${UNITTESTS_SRCS}) + target_compile_definitions(sdbus-c++-unit-tests PRIVATE LIBSYSTEMD_VERSION=${LIBSYSTEMD_VERSION}) +-target_link_libraries(sdbus-c++-unit-tests sdbus-c++-objlib gmock gmock_main) ++target_link_libraries(sdbus-c++-unit-tests sdbus-c++-objlib GTest::gmock) + + add_executable(sdbus-c++-integration-tests ${INTEGRATIONTESTS_SRCS}) + target_compile_definitions(sdbus-c++-integration-tests PRIVATE LIBSYSTEMD_VERSION=${LIBSYSTEMD_VERSION}) +-target_link_libraries(sdbus-c++-integration-tests sdbus-c++ gmock gmock_main) ++target_link_libraries(sdbus-c++-integration-tests sdbus-c++ GTest::gmock) + + # Manual performance and stress tests + option(ENABLE_PERF_TESTS "Build and install manual performance tests (default OFF)" OFF) diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb index c8e81a4123..f0e928d0da 100644 --- a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb +++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb @@ -12,7 +12,7 @@ DEPENDS += "gperf-native gettext-native util-linux libcap" SRCREV = "efb536d0cbe2e58f80e501d19999928c75e08f6a" SRCBRANCH = "v243-stable" -SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=git;branch=${SRCBRANCH}" +SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=https;branch=${SRCBRANCH}" SRC_URI += "file://static-libsystemd-pkgconfig.patch" diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb b/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb index c4d63fd272..a94fb8deff 100644 --- a/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb +++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb @@ -12,13 +12,16 @@ PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'with-exte ${@bb.utils.contains('PTEST_ENABLED', '1', 'with-tests', '', d)}" PACKAGECONFIG[with-builtin-libsystemd] = ",,sdbus-c++-libsystemd,libcap" PACKAGECONFIG[with-external-libsystemd] = ",,systemd,libsystemd" -PACKAGECONFIG[with-tests] = "-DBUILD_TESTS=ON -DTESTS_INSTALL_PATH=${libdir}/${BPN}/tests,-DBUILD_TESTS=OFF" +PACKAGECONFIG[with-tests] = "-DBUILD_TESTS=ON -DTESTS_INSTALL_PATH=${libdir}/${BPN}/tests,-DBUILD_TESTS=OFF,googletest gmock" DEPENDS += "expat" SRCREV = "3a4f343fb924650e7639660efa5f143961162044" -SRC_URI = "git://github.com/Kistler-Group/sdbus-cpp.git;protocol=https;branch=master" -SRC_URI += "file://run-ptest" + +SRC_URI = "git://github.com/Kistler-Group/sdbus-cpp.git;protocol=https;branch=master \ + file://0001-Try-to-first-find-googletest-in-the-system-before-do.patch \ + file://run-ptest \ +" EXTRA_OECMAKE = "-DBUILD_CODE_GEN=ON \ -DBUILD_DOC=ON \ diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb index b9668eb099..d303f27ebb 100644 --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb @@ -21,8 +21,8 @@ RDEPENDS_${PN} = " \ " SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz" -SRC_URI[md5sum] = "6e4ffb6d35a73f7539a5d0c1354654cd" -SRC_URI[sha256sum] = "a89e13dff0798fd0280e801d5f0cc8cfdb2aa5b1929bec1b7322e13d3eca95fb" +SRC_URI[md5sum] = "9c5952cebb836ee783b0b76c5380a964" +SRC_URI[sha256sum] = "61835132a5986217af17b8943013aa3fe6d47bdc1a07386343526765e2ce27a9" inherit autotools gettext pkgconfig @@ -54,7 +54,7 @@ PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup" PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt" PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup" PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux" -PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev" +PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules" PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto" # gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't # recognized. diff --git a/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb b/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb index 4e217a351d..ad5355ea64 100644 --- a/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb +++ b/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb @@ -9,7 +9,7 @@ S = "${WORKDIR}/git" SRCREV = "5649050d201856bf06c8738b5d2aa1710c86ac2f" PV = "1.1.5" SRC_URI = " \ - git://github.com/smuellerDD/libkcapi.git \ + git://github.com/smuellerDD/libkcapi.git;branch=master;protocol=https \ file://0001-kcapi-kdf-Move-code-to-fix.patch \ file://0001-Use-__builtin_bswap32-on-Clang-if-supported.patch \ " diff --git a/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb b/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb index 9b6e7ccbe2..321aa4fdc1 100644 --- a/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb +++ b/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb @@ -15,7 +15,7 @@ LIC_FILES_CHKSUM = " \ file://COPYING.GPL;md5=8a71d0475d08eee76d8b6d0c6dbec543 \ file://COPYING.BSD;md5=66b7a37c3c10483c1fd86007726104d7 \ " -SRC_URI = "git://github.com/OpenSC/${BPN}.git" +SRC_URI = "git://github.com/OpenSC/${BPN}.git;branch=master;protocol=https" S = "${WORKDIR}/git" # v1.26 diff --git a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb index b597ef1ea8..48f2fd8ac1 100644 --- a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb +++ b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb @@ -4,7 +4,7 @@ HOMEPAGE = "https://github.com/google/leveldb" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=92d1b128950b11ba8495b64938fc164d" -SRC_URI = "git://github.com/google/${BPN}.git \ +SRC_URI = "git://github.com/google/${BPN}.git;branch=main;protocol=https \ file://run-ptest" SRCREV = "78b39d68c15ba020c0d60a3906fb66dbf1697595" diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.12.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.28.bb index e1a038dfa3..e1a038dfa3 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.12.bb +++ b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.28.bb diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc index 95f5acba1f..e4eb48492a 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb.inc +++ b/meta-oe/recipes-dbs/mysql/mariadb.inc @@ -15,14 +15,11 @@ SRC_URI = "https://downloads.mariadb.org/interstitial/${BP}/source/${BP}.tar.gz file://support-files-CMakeLists.txt-fix-do_populate_sysroot.patch \ file://sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \ file://0001-disable-ucontext-on-musl.patch \ - file://c11_atomics.patch \ - file://clang_version_header_conflict.patch \ file://fix-arm-atomic.patch \ - file://0001-Fix-build-breakage-from-lock_guard-error-6161.patch \ - file://0001-Fix-library-LZ4-lookup.patch \ + file://CVE-2022-47015.patch \ " -SRC_URI[md5sum] = "97d7c0f508c04a31c138fdb24e95dbc4" -SRC_URI[sha256sum] = "fef1e1d38aa253dd8a51006bd15aad184912fce31c446bb69434fcde735aa208" + +SRC_URI[sha256sum] = "003fd23f3c6ee516176e1b62b0b43cdb6cdd3dcd4e30f855c1c5ab2baaf5a86c" UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases" @@ -169,8 +166,12 @@ do_install() { mv ${D}${datadir}/doc/README ${D}${datadir}/doc/${PN}/ fi if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then - mv ${D}/lib/security ${D}/${libdir} - rmdir --ignore-fail-on-non-empty ${D}/lib + pam_so=$(find ${D} -name pam_user_map.so) + if [ x"${pam_so}" != x ]; then + pam_dir=$(dirname ${pam_so}) + mv ${pam_dir} ${D}/${libdir} + rmdir --ignore-fail-on-non-empty ${pam_dir%security} + fi fi } diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch deleted file mode 100644 index 87c70617a1..0000000000 --- a/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-build-breakage-from-lock_guard-error-6161.patch +++ /dev/null @@ -1,32 +0,0 @@ -Subject: [PATCH] Fix build breakage from lock_guard error (#6161) - -Summary: -This change fixes a source issue that caused compile time error which -breaks build for many fbcode services in that setup. The size() member -function of channel is a const member, so member variables accessed -within it are implicitly const as well. This caused error when clang -fails to resolve to a constructor that takes std::mutex because the -suitable constructor got rejected due to loss of constness for its -argument. The fix is to add mutable modifier to the lock_ member of -channel. - -Pull Request resolved: https://github.com/facebook/rocksdb/pull/6161 - -Differential Revision: D18967685 - -Pulled By: maysamyabandeh - -Upstream-Status: Backport - -fbshipit-source-id:698b6a5153c3c92eeacb842c467aa28cc350d432 ---- a/storage/rocksdb/rocksdb/util/channel.h -+++ b/storage/rocksdb/rocksdb/util/channel.h -@@ -60,7 +60,7 @@ class channel { - - private: - std::condition_variable cv_; -- std::mutex lock_; -+ mutable std::mutex lock_; - std::queue<T> buffer_; - bool eof_; - }; diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-library-LZ4-lookup.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-library-LZ4-lookup.patch index 574dfd317a..4b90d280ac 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-library-LZ4-lookup.patch +++ b/meta-oe/recipes-dbs/mysql/mariadb/0001-Fix-library-LZ4-lookup.patch @@ -8,15 +8,15 @@ Signed-off-by: Sumit Garg <sumit.garg@linaro.org> cmake/FindLZ4.cmake | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) -diff --git a/cmake/FindLZ4.cmake b/cmake/FindLZ4.cmake -index e97dd63e2b0..2f4694e727c 100644 ---- a/cmake/FindLZ4.cmake -+++ b/cmake/FindLZ4.cmake -@@ -1,5 +1,10 @@ --find_path(LZ4_INCLUDE_DIR NAMES lz4.h) --find_library(LZ4_LIBRARY NAMES lz4) +Index: mariadb-10.4.17/cmake/FindLZ4.cmake +=================================================================== +--- mariadb-10.4.17.orig/cmake/FindLZ4.cmake ++++ mariadb-10.4.17/cmake/FindLZ4.cmake +@@ -1,5 +1,11 @@ + find_path(LZ4_INCLUDE_DIR NAMES lz4.h) +-find_library(LZ4_LIBRARIES NAMES lz4) +find_path(LZ4_INCLUDE_DIR -+ NAMES lz4.h ++ NAMES lz4.h + NO_DEFAULT_PATH NO_CMAKE_FIND_ROOT_PATH) + +find_library(LZ4_LIBRARY @@ -25,6 +25,3 @@ index e97dd63e2b0..2f4694e727c 100644 include(FindPackageHandleStandardArgs) FIND_PACKAGE_HANDLE_STANDARD_ARGS( --- -2.17.1 - diff --git a/meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch new file mode 100644 index 0000000000..0ddcdc028c --- /dev/null +++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2022-47015.patch @@ -0,0 +1,269 @@ +From be0a46b3d52b58956fd0d47d040b9f4514406954 Mon Sep 17 00:00:00 2001 +From: Nayuta Yanagisawa <nayuta.yanagisawa@hey.com> +Date: Tue, 27 Sep 2022 15:22:57 +0900 +Subject: [PATCH] MDEV-29644 a potential bug of null pointer dereference in + spider_db_mbase::print_warnings() + +Upstream-Status: Backport [https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954] +CVE: CVE-2022-47015 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + .../spider/bugfix/r/mdev_29644.result | 44 ++++++++++ + .../mysql-test/spider/bugfix/t/mdev_29644.cnf | 3 + + .../spider/bugfix/t/mdev_29644.test | 58 ++++++++++++ + storage/spider/spd_db_mysql.cc | 88 ++++++++----------- + storage/spider/spd_db_mysql.h | 4 +- + 5 files changed, 141 insertions(+), 56 deletions(-) + create mode 100644 spider/mysql-test/spider/bugfix/r/mdev_29644.result + create mode 100644 spider/mysql-test/spider/bugfix/t/mdev_29644.cnf + create mode 100644 spider/mysql-test/spider/bugfix/t/mdev_29644.test + +diff --git a/spider/mysql-test/spider/bugfix/r/mdev_29644.result b/spider/mysql-test/spider/bugfix/r/mdev_29644.result +new file mode 100644 +index 00000000..eb725602 +--- /dev/null ++++ b/spider/mysql-test/spider/bugfix/r/mdev_29644.result +@@ -0,0 +1,44 @@ ++# ++# MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings() ++# ++for master_1 ++for child2 ++child2_1 ++child2_2 ++child2_3 ++for child3 ++connection child2_1; ++CREATE DATABASE auto_test_remote; ++USE auto_test_remote; ++CREATE TABLE tbl_a ( ++a CHAR(5) ++) ENGINE=InnoDB DEFAULT CHARSET=utf8; ++set @orig_sql_mode=@@global.sql_mode; ++SET GLOBAL sql_mode=''; ++connection master_1; ++CREATE DATABASE auto_test_local; ++USE auto_test_local; ++CREATE TABLE tbl_a ( ++a CHAR(255) ++) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a", srv "s_2_1"'; ++SET @orig_sql_mode=@@global.sql_mode; ++SET GLOBAL sql_mode=''; ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++NOT FOUND /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err ++SET @orig_log_result_errors=@@global.spider_log_result_errors; ++SET GLOBAL spider_log_result_errors=4; ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++FOUND 1 /\[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*/ in mysqld.1.1.err ++connection master_1; ++SET GLOBAL spider_log_result_errors=@orig_log_result_errors; ++SET GLOBAL sql_mode=@orig_sql_mode; ++DROP DATABASE IF EXISTS auto_test_local; ++connection child2_1; ++SET GLOBAL sql_mode=@orig_sql_mode; ++DROP DATABASE IF EXISTS auto_test_remote; ++for master_1 ++for child2 ++child2_1 ++child2_2 ++child2_3 ++for child3 +diff --git a/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf b/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf +new file mode 100644 +index 00000000..05dfd8a0 +--- /dev/null ++++ b/spider/mysql-test/spider/bugfix/t/mdev_29644.cnf +@@ -0,0 +1,3 @@ ++!include include/default_mysqld.cnf ++!include ../my_1_1.cnf ++!include ../my_2_1.cnf +diff --git a/spider/mysql-test/spider/bugfix/t/mdev_29644.test b/spider/mysql-test/spider/bugfix/t/mdev_29644.test +new file mode 100644 +index 00000000..4ebdf317 +--- /dev/null ++++ b/spider/mysql-test/spider/bugfix/t/mdev_29644.test +@@ -0,0 +1,58 @@ ++--echo # ++--echo # MDEV-29644 a potential bug of null pointer dereference in spider_db_mbase::print_warnings() ++--echo # ++ ++# The test case below does not cause the potential null pointer dereference. ++# It is just for checking spider_db_mbase::fetch_and_print_warnings() works. ++ ++--disable_query_log ++--disable_result_log ++--source ../../t/test_init.inc ++--enable_result_log ++--enable_query_log ++ ++--connection child2_1 ++CREATE DATABASE auto_test_remote; ++USE auto_test_remote; ++eval CREATE TABLE tbl_a ( ++ a CHAR(5) ++) $CHILD2_1_ENGINE $CHILD2_1_CHARSET; ++set @orig_sql_mode=@@global.sql_mode; ++SET GLOBAL sql_mode=''; ++ ++--connection master_1 ++CREATE DATABASE auto_test_local; ++USE auto_test_local; ++eval CREATE TABLE tbl_a ( ++ a CHAR(255) ++) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a", srv "s_2_1"'; ++ ++SET @orig_sql_mode=@@global.sql_mode; ++SET GLOBAL sql_mode=''; ++ ++let SEARCH_FILE= $MYSQLTEST_VARDIR/log/mysqld.1.1.err; ++let SEARCH_PATTERN= \[WARN SPIDER RESULT\].* Warning 1265 Data truncated for column 'a' at row 1.*; ++ ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++--source include/search_pattern_in_file.inc # should not find ++ ++SET @orig_log_result_errors=@@global.spider_log_result_errors; ++SET GLOBAL spider_log_result_errors=4; ++ ++INSERT INTO tbl_a VALUES ("this will be truncated"); ++--source include/search_pattern_in_file.inc # should find ++ ++--connection master_1 ++SET GLOBAL spider_log_result_errors=@orig_log_result_errors; ++SET GLOBAL sql_mode=@orig_sql_mode; ++DROP DATABASE IF EXISTS auto_test_local; ++ ++--connection child2_1 ++SET GLOBAL sql_mode=@orig_sql_mode; ++DROP DATABASE IF EXISTS auto_test_remote; ++ ++--disable_query_log ++--disable_result_log ++--source ../t/test_deinit.inc ++--enable_query_log ++--enable_result_log +diff --git a/storage/spider/spd_db_mysql.cc b/storage/spider/spd_db_mysql.cc +index 85f910aa..7d6bd599 100644 +--- a/storage/spider/spd_db_mysql.cc ++++ b/storage/spider/spd_db_mysql.cc +@@ -2197,7 +2197,7 @@ int spider_db_mbase::exec_query( + db_conn->affected_rows, db_conn->insert_id, + db_conn->server_status, db_conn->warning_count); + if (spider_param_log_result_errors() >= 3) +- print_warnings(l_time); ++ fetch_and_print_warnings(l_time); + } else if (log_result_errors >= 4) + { + time_t cur_time = (time_t) time((time_t*) 0); +@@ -2279,61 +2279,43 @@ bool spider_db_mbase::is_xa_nota_error( + DBUG_RETURN(xa_nota); + } + +-void spider_db_mbase::print_warnings( +- struct tm *l_time +-) { +- DBUG_ENTER("spider_db_mbase::print_warnings"); +- DBUG_PRINT("info",("spider this=%p", this)); +- if (db_conn->status == MYSQL_STATUS_READY) ++void spider_db_mbase::fetch_and_print_warnings(struct tm *l_time) ++{ ++ DBUG_ENTER("spider_db_mbase::fetch_and_print_warnings"); ++ ++ if (spider_param_dry_access() || db_conn->status != MYSQL_STATUS_READY || ++ db_conn->server_status & SERVER_MORE_RESULTS_EXISTS) ++ DBUG_VOID_RETURN; ++ ++ if (mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR, ++ SPIDER_SQL_SHOW_WARNINGS_LEN)) ++ DBUG_VOID_RETURN; ++ ++ MYSQL_RES *res= mysql_store_result(db_conn); ++ if (!res) ++ DBUG_VOID_RETURN; ++ ++ uint num_fields= mysql_num_fields(res); ++ if (num_fields != 3) + { +-#if MYSQL_VERSION_ID < 50500 +- if (!(db_conn->last_used_con->server_status & SERVER_MORE_RESULTS_EXISTS)) +-#else +- if (!(db_conn->server_status & SERVER_MORE_RESULTS_EXISTS)) +-#endif +- { +- if ( +- spider_param_dry_access() || +- !mysql_real_query(db_conn, SPIDER_SQL_SHOW_WARNINGS_STR, +- SPIDER_SQL_SHOW_WARNINGS_LEN) +- ) { +- MYSQL_RES *res = NULL; +- MYSQL_ROW row = NULL; +- uint num_fields; +- if ( +- spider_param_dry_access() || +- !(res = mysql_store_result(db_conn)) || +- !(row = mysql_fetch_row(res)) +- ) { +- if (mysql_errno(db_conn)) +- { +- if (res) +- mysql_free_result(res); +- DBUG_VOID_RETURN; +- } +- /* no record is ok */ +- } +- num_fields = mysql_num_fields(res); +- if (num_fields != 3) +- { +- mysql_free_result(res); +- DBUG_VOID_RETURN; +- } +- while (row) +- { +- fprintf(stderr, "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] " +- "from [%s] %ld to %ld: %s %s %s\n", ++ mysql_free_result(res); ++ DBUG_VOID_RETURN; ++ } ++ ++ MYSQL_ROW row= mysql_fetch_row(res); ++ while (row) ++ { ++ fprintf(stderr, ++ "%04d%02d%02d %02d:%02d:%02d [WARN SPIDER RESULT] from [%s] %ld " ++ "to %ld: %s %s %s\n", + l_time->tm_year + 1900, l_time->tm_mon + 1, l_time->tm_mday, +- l_time->tm_hour, l_time->tm_min, l_time->tm_sec, +- conn->tgt_host, (ulong) db_conn->thread_id, +- (ulong) current_thd->thread_id, row[0], row[1], row[2]); +- row = mysql_fetch_row(res); +- } +- if (res) +- mysql_free_result(res); +- } +- } ++ l_time->tm_hour, l_time->tm_min, l_time->tm_sec, conn->tgt_host, ++ (ulong) db_conn->thread_id, (ulong) current_thd->thread_id, row[0], ++ row[1], row[2]); ++ row= mysql_fetch_row(res); + } ++ mysql_free_result(res); ++ + DBUG_VOID_RETURN; + } + +diff --git a/storage/spider/spd_db_mysql.h b/storage/spider/spd_db_mysql.h +index 626bb4d5..82c7c0ec 100644 +--- a/storage/spider/spd_db_mysql.h ++++ b/storage/spider/spd_db_mysql.h +@@ -439,9 +439,7 @@ class spider_db_mbase: public spider_db_conn + bool is_xa_nota_error( + int error_num + ); +- void print_warnings( +- struct tm *l_time +- ); ++ void fetch_and_print_warnings(struct tm *l_time); + spider_db_result *store_result( + spider_db_result_buffer **spider_res_buf, + st_spider_db_request_key *request_key, +-- +2.25.1 diff --git a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch b/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch deleted file mode 100644 index 169986130c..0000000000 --- a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch +++ /dev/null @@ -1,67 +0,0 @@ -Author: VicenÈ›iu Ciorbaru <vicentiu@mariadb.org> -Date: Fri Dec 21 19:14:04 2018 +0200 - - Link with libatomic to enable C11 atomics support - - Some architectures (mips) require libatomic to support proper - atomic operations. Check first if support is available without - linking, otherwise use the library. - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> - ---- a/configure.cmake -+++ b/configure.cmake -@@ -926,7 +926,25 @@ int main() - long long int *ptr= &var; - return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST); - }" --HAVE_GCC_C11_ATOMICS) -+HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC) -+IF (HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC) -+ SET(HAVE_GCC_C11_ATOMICS True) -+ELSE() -+ SET(OLD_CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES}) -+ LIST(APPEND CMAKE_REQUIRED_LIBRARIES "atomic") -+ CHECK_CXX_SOURCE_COMPILES(" -+ int main() -+ { -+ long long int var= 1; -+ long long int *ptr= &var; -+ return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST); -+ }" -+ HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) -+ IF(HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) -+ SET(HAVE_GCC_C11_ATOMICS True) -+ ENDIF() -+ SET(CMAKE_REQUIRED_LIBRARIES ${OLD_CMAKE_REQUIRED_LIBRARIES}) -+ENDIF() - - IF(WITH_VALGRIND) - SET(HAVE_valgrind 1) ---- a/mysys/CMakeLists.txt -+++ b/mysys/CMakeLists.txt -@@ -78,6 +78,10 @@ TARGET_LINK_LIBRARIES(mysys dbug strings - ${LIBNSL} ${LIBM} ${LIBRT} ${LIBDL} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY}) - DTRACE_INSTRUMENT(mysys) - -+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) -+ TARGET_LINK_LIBRARIES(mysys atomic) -+ENDIF() -+ - IF(HAVE_BFD_H) - TARGET_LINK_LIBRARIES(mysys bfd) - ENDIF(HAVE_BFD_H) ---- a/sql/CMakeLists.txt -+++ b/sql/CMakeLists.txt -@@ -178,6 +178,10 @@ ELSE() - SET(MYSQLD_SOURCE main.cc ${DTRACE_PROBES_ALL}) - ENDIF() - -+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC) -+ TARGET_LINK_LIBRARIES(sql atomic) -+ENDIF() -+ - - IF(MSVC AND NOT WITHOUT_DYNAMIC_PLUGINS) - diff --git a/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch b/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch deleted file mode 100644 index c77a869441..0000000000 --- a/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch +++ /dev/null @@ -1,32 +0,0 @@ -libc++ also has a file called version and this file and how cflags are specified -it ends up including this file and resulting in compile errors - -fixes errors like -storage/mroonga/version:1:1: error: expected unqualified-id -7.07 -^ - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> - ---- a/storage/mroonga/CMakeLists.txt -+++ b/storage/mroonga/CMakeLists.txt -@@ -80,7 +80,7 @@ else() - set(MRN_SOURCE_DIR ${CMAKE_SOURCE_DIR}) - endif() - --file(READ ${MRN_SOURCE_DIR}/version MRN_VERSION) -+file(READ ${MRN_SOURCE_DIR}/ver MRN_VERSION) - file(READ ${MRN_SOURCE_DIR}/version_major MRN_VERSION_MAJOR) - file(READ ${MRN_SOURCE_DIR}/version_minor MRN_VERSION_MINOR) - file(READ ${MRN_SOURCE_DIR}/version_micro MRN_VERSION_MICRO) ---- /dev/null -+++ b/storage/mroonga/ver -@@ -0,0 +1 @@ -+7.07 -\ No newline at end of file ---- a/storage/mroonga/version -+++ /dev/null -@@ -1 +0,0 @@ --7.07 -\ No newline at end of file diff --git a/meta-oe/recipes-dbs/mysql/mariadb/configure.cmake-fix-valgrind.patch b/meta-oe/recipes-dbs/mysql/mariadb/configure.cmake-fix-valgrind.patch index ac94279585..162b1e295b 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb/configure.cmake-fix-valgrind.patch +++ b/meta-oe/recipes-dbs/mysql/mariadb/configure.cmake-fix-valgrind.patch @@ -21,11 +21,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com> configure.cmake | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) -diff --git a/configure.cmake b/configure.cmake -index 3cfc4b31..d017b3b3 100644 ---- a/configure.cmake -+++ b/configure.cmake -@@ -930,10 +930,9 @@ HAVE_GCC_C11_ATOMICS) +Index: mariadb-10.4.17/configure.cmake +=================================================================== +--- mariadb-10.4.17.orig/configure.cmake ++++ mariadb-10.4.17/configure.cmake +@@ -867,10 +867,9 @@ HAVE_GCC_C11_ATOMICS) IF(WITH_VALGRIND) SET(HAVE_valgrind 1) diff --git a/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch b/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch index 9149ee21f2..5fc94835ea 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch +++ b/meta-oe/recipes-dbs/mysql/mariadb/fix-a-building-failure.patch @@ -14,11 +14,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com> CMakeLists.txt | 5 ----- 1 file changed, 5 deletions(-) -diff --git a/CMakeLists.txt b/CMakeLists.txt -index fc30750..4f9110e 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -347,11 +347,6 @@ CHECK_PCRE() +Index: mariadb-10.4.17/CMakeLists.txt +=================================================================== +--- mariadb-10.4.17.orig/CMakeLists.txt ++++ mariadb-10.4.17/CMakeLists.txt +@@ -376,11 +376,6 @@ CHECK_PCRE() CHECK_SYSTEMD() @@ -30,6 +30,3 @@ index fc30750..4f9110e 100644 # # Setup maintainer mode options. Platform checks are # not run with the warning options as to not perturb fragile checks --- -2.17.1 - diff --git a/meta-oe/recipes-dbs/mysql/mariadb/fix-arm-atomic.patch b/meta-oe/recipes-dbs/mysql/mariadb/fix-arm-atomic.patch index 05b0cf8ff7..db72709439 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb/fix-arm-atomic.patch +++ b/meta-oe/recipes-dbs/mysql/mariadb/fix-arm-atomic.patch @@ -15,11 +15,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com> storage/rocksdb/build_rocksdb.cmake | 3 +++ 1 file changed, 3 insertions(+) -diff --git a/storage/rocksdb/build_rocksdb.cmake b/storage/rocksdb/build_rocksdb.cmake -index d7895b0..3bcd52a 100644 ---- a/storage/rocksdb/build_rocksdb.cmake -+++ b/storage/rocksdb/build_rocksdb.cmake -@@ -470,6 +470,9 @@ list(APPEND SOURCES ${CMAKE_CURRENT_BINARY_DIR}/build_version.cc) +Index: mariadb-10.4.17/storage/rocksdb/build_rocksdb.cmake +=================================================================== +--- mariadb-10.4.17.orig/storage/rocksdb/build_rocksdb.cmake ++++ mariadb-10.4.17/storage/rocksdb/build_rocksdb.cmake +@@ -498,6 +498,9 @@ list(APPEND SOURCES ${CMAKE_CURRENT_BINA ADD_CONVENIENCE_LIBRARY(rocksdblib ${SOURCES}) target_link_libraries(rocksdblib ${THIRDPARTY_LIBS} ${SYSTEM_LIBS}) @@ -29,6 +29,3 @@ index d7895b0..3bcd52a 100644 IF(CMAKE_CXX_COMPILER_ID MATCHES "GNU" OR CMAKE_CXX_COMPILER_ID MATCHES "Clang") set_target_properties(rocksdblib PROPERTIES COMPILE_FLAGS "-fPIC -fno-builtin-memcmp -Wno-error") endif() --- -2.7.4 - diff --git a/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch b/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch index afc1be47b5..16cd584da9 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch +++ b/meta-oe/recipes-dbs/mysql/mariadb/sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch @@ -15,11 +15,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com> sql/CMakeLists.txt | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) -diff --git a/sql/CMakeLists.txt b/sql/CMakeLists.txt -index c6910f46..bf51f4cb 100644 ---- a/sql/CMakeLists.txt -+++ b/sql/CMakeLists.txt -@@ -50,11 +50,16 @@ ${WSREP_INCLUDES} +Index: mariadb-10.4.17/sql/CMakeLists.txt +=================================================================== +--- mariadb-10.4.17.orig/sql/CMakeLists.txt ++++ mariadb-10.4.17/sql/CMakeLists.txt +@@ -55,11 +55,16 @@ ${CMAKE_BINARY_DIR}/sql @@ -41,7 +41,7 @@ index c6910f46..bf51f4cb 100644 ADD_DEFINITIONS(-DMYSQL_SERVER -DHAVE_EVENT_SCHEDULER) -@@ -370,11 +375,16 @@ IF(NOT CMAKE_CROSSCOMPILING) +@@ -364,11 +369,16 @@ IF(NOT CMAKE_CROSSCOMPILING) ADD_EXECUTABLE(gen_lex_hash gen_lex_hash.cc) ENDIF() diff --git a/meta-oe/recipes-dbs/mysql/mariadb/support-files-CMakeLists.txt-fix-do_populate_sysroot.patch b/meta-oe/recipes-dbs/mysql/mariadb/support-files-CMakeLists.txt-fix-do_populate_sysroot.patch index 4f9a4e9b0e..937d13da31 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb/support-files-CMakeLists.txt-fix-do_populate_sysroot.patch +++ b/meta-oe/recipes-dbs/mysql/mariadb/support-files-CMakeLists.txt-fix-do_populate_sysroot.patch @@ -15,11 +15,11 @@ Signed-off-by: Mingli Yu <mingli.yu@windriver.com> support-files/CMakeLists.txt | 7 ------- 1 file changed, 7 deletions(-) -diff --git a/support-files/CMakeLists.txt b/support-files/CMakeLists.txt -index b5767432..56733de1 100644 ---- a/support-files/CMakeLists.txt -+++ b/support-files/CMakeLists.txt -@@ -165,12 +165,5 @@ IF(UNIX) +Index: mariadb-10.4.17/support-files/CMakeLists.txt +=================================================================== +--- mariadb-10.4.17.orig/support-files/CMakeLists.txt ++++ mariadb-10.4.17/support-files/CMakeLists.txt +@@ -192,12 +192,5 @@ IF(UNIX) INSTALL(FILES rpm/enable_encryption.preset DESTINATION ${INSTALL_SYSCONF2DIR} COMPONENT IniFiles) ENDIF() diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.4.12.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.4.28.bb index c0b53379d9..c0b53379d9 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb_10.4.12.bb +++ b/meta-oe/recipes-dbs/mysql/mariadb_10.4.28.bb diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch index 865ad3287b..e5fb85170b 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch @@ -9,11 +9,11 @@ extending the existing aarch64 macro works. src/include/storage/s_lock.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/src/include/storage/s_lock.h b/src/include/storage/s_lock.h -index 3fe29ce..7cd578f 100644 ---- a/src/include/storage/s_lock.h -+++ b/src/include/storage/s_lock.h -@@ -316,11 +316,12 @@ tas(volatile slock_t *lock) +Index: postgresql-12.16/src/include/storage/s_lock.h +=================================================================== +--- postgresql-12.16.orig/src/include/storage/s_lock.h ++++ postgresql-12.16/src/include/storage/s_lock.h +@@ -317,11 +317,12 @@ tas(volatile slock_t *lock) /* * On ARM and ARM64, we use __sync_lock_test_and_set(int *, int) if available. @@ -27,7 +27,7 @@ index 3fe29ce..7cd578f 100644 #ifdef HAVE_GCC__SYNC_INT32_TAS #define HAS_TEST_AND_SET -@@ -337,7 +338,7 @@ tas(volatile slock_t *lock) +@@ -338,7 +339,7 @@ tas(volatile slock_t *lock) #define S_UNLOCK(lock) __sync_lock_release(lock) #endif /* HAVE_GCC__SYNC_INT32_TAS */ @@ -36,6 +36,3 @@ index 3fe29ce..7cd578f 100644 /* S/390 and S/390x Linux (32- and 64-bit zSeries) */ --- -2.9.3 - diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch index 32b7f42845..70c813adf5 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch @@ -19,11 +19,11 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> src/common/Makefile | 4 ---- 1 file changed, 4 deletions(-) -diff --git a/src/common/Makefile b/src/common/Makefile -index 1fc2c66..5e6c457 100644 ---- a/src/common/Makefile -+++ b/src/common/Makefile -@@ -27,10 +27,6 @@ include $(top_builddir)/src/Makefile.global +Index: postgresql-12.16/src/common/Makefile +=================================================================== +--- postgresql-12.16.orig/src/common/Makefile ++++ postgresql-12.16/src/common/Makefile +@@ -31,10 +31,6 @@ include $(top_builddir)/src/Makefile.glo # don't include subdirectory-path-dependent -I and -L switches STD_CPPFLAGS := $(filter-out -I$(top_srcdir)/src/include -I$(top_builddir)/src/include,$(CPPFLAGS)) STD_LDFLAGS := $(filter-out -L$(top_builddir)/src/common -L$(top_builddir)/src/port,$(LDFLAGS)) @@ -34,6 +34,3 @@ index 1fc2c66..5e6c457 100644 override CPPFLAGS += -DVAL_CFLAGS_SL="\"$(CFLAGS_SL)\"" override CPPFLAGS += -DVAL_LDFLAGS="\"$(STD_LDFLAGS)\"" override CPPFLAGS += -DVAL_LDFLAGS_EX="\"$(LDFLAGS_EX)\"" --- -2.7.4 - diff --git a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch index 22b62d9ded..eb6226b179 100644 --- a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch +++ b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch @@ -19,11 +19,11 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com> configure.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/configure.in b/configure.in -index b98b9bb..8584677 100644 ---- a/configure.in -+++ b/configure.in -@@ -2211,7 +2211,7 @@ Use --without-tcl to disable building PL/Tcl.]) +Index: postgresql-12.16/configure.in +=================================================================== +--- postgresql-12.16.orig/configure.in ++++ postgresql-12.16/configure.in +@@ -2357,7 +2357,7 @@ Use --without-tcl to disable building PL fi # check for <perl.h> @@ -32,6 +32,3 @@ index b98b9bb..8584677 100644 ac_save_CPPFLAGS=$CPPFLAGS CPPFLAGS="$CPPFLAGS $perl_includespec" AC_CHECK_HEADER(perl.h, [], [AC_MSG_ERROR([header file <perl.h> is required for Perl])], --- -2.7.4 - diff --git a/meta-oe/recipes-dbs/postgresql/postgresql.inc b/meta-oe/recipes-dbs/postgresql/postgresql.inc index 5b5bfb0886..2294a3de42 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql.inc +++ b/meta-oe/recipes-dbs/postgresql/postgresql.inc @@ -36,7 +36,7 @@ LEAD_SONAME = "libpq.so" # LDFLAGS for shared libraries export LDFLAGS_SL = "${LDFLAGS}" -inherit autotools pkgconfig perlnative python3native useradd update-rc.d systemd gettext cpan-base +inherit autotools pkgconfig perlnative python3native python3targetconfig useradd update-rc.d systemd gettext cpan-base CFLAGS += "-I${STAGING_INCDIR}/${PYTHON_DIR} -I${STAGING_INCDIR}/tcl8.6" diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.4.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.18.bb index 6ea9acc000..44074a233c 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_12.4.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.18.bb @@ -1,6 +1,6 @@ require postgresql.inc -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fc4ce21960f0c561460d750bc270d11f" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=89afbb2d7716371015101c2b2cb4297a" SRC_URI += "\ file://not-check-libperl.patch \ @@ -8,4 +8,4 @@ SRC_URI += "\ file://0001-Improve-reproducibility.patch \ " -SRC_URI[sha256sum] = "bee93fbe2c32f59419cb162bcc0145c58da9a8644ee154a30b9a5ce47de606cc" +SRC_URI[sha256sum] = "4f9919725d941ce9868e07fe1ed1d3a86748599b483386547583928b74c3918a" diff --git a/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb b/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb index b9038df81d..f971319915 100644 --- a/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb +++ b/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb @@ -10,7 +10,7 @@ SRCREV = "551a110918493a19d11243f53408b97485de1411" SRCBRANCH = "6.6.fb" PV = "6.6.4" -SRC_URI = "git://github.com/facebook/${BPN}.git;branch=${SRCBRANCH} \ +SRC_URI = "git://github.com/facebook/${BPN}.git;branch=${SRCBRANCH};protocol=https \ file://0001-db-write_thread.cc-Initialize-state.patch \ file://0001-cmake-Add-check-for-atomic-support.patch \ " diff --git a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb index e874e4a5ea..87f9c23ebf 100644 --- a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb +++ b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=df52c6edb7adc22e533b2bacc3bd3915" PV = "20190808+git${SRCPV}" SRCREV = "aa844899c937bde5d2b24f276b59997e5b668bde" BRANCH = "lts_2019_08_08" -SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH} \ +SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH};protocol=https \ file://0001-Remove-maes-option-from-cross-compilation.patch \ file://0002-Add-forgotten-ABSL_HAVE_VDSO_SUPPORT-conditional.patch \ file://0003-Add-fPIC-option.patch \ diff --git a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb index fb6125e2a5..ef440471bf 100644 --- a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb +++ b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb @@ -19,6 +19,7 @@ SRCREV_libhardware = "be55eb1f4d840c82ffaf7c47460df17ff5bc4d9b" SRCREV_libselinux = "07e9e1339ad1ba608acfba9dce2d0f474b252feb" SRCREV_build = "16e987def3d7d8f7d30805eb95cef69e52a87dbc" +SRCREV_FORMAT = "core_extras_libhardware_libselinux_build" SRC_URI = " \ git://${ANDROID_MIRROR}/platform/system/core;name=core;protocol=https;nobranch=1;destsuffix=git/system/core \ git://${ANDROID_MIRROR}/platform/system/extras;name=extras;protocol=https;nobranch=1;destsuffix=git/system/extras \ diff --git a/meta-oe/recipes-devtools/bootchart/bootchart_git.bb b/meta-oe/recipes-devtools/bootchart/bootchart_git.bb index 2b75eaac9d..79754050d0 100644 --- a/meta-oe/recipes-devtools/bootchart/bootchart_git.bb +++ b/meta-oe/recipes-devtools/bootchart/bootchart_git.bb @@ -8,7 +8,7 @@ PV = "1.17" PR = "r1" PE = "1" -SRC_URI = "git://gitorious.org/meego-developer-tools/bootchart.git;protocol=https \ +SRC_URI = "git://gitorious.org/meego-developer-tools/bootchart.git;protocol=https;branch=master \ file://0001-svg-add-rudimentary-support-for-ARM-cpuinfo.patch \ file://0002-svg-open-etc-os-release-and-use-PRETTY_NAME-for-the-.patch \ " diff --git a/meta-oe/recipes-devtools/breakpad/breakpad_git.bb b/meta-oe/recipes-devtools/breakpad/breakpad_git.bb index daf262ed66..1e474225a2 100644 --- a/meta-oe/recipes-devtools/breakpad/breakpad_git.bb +++ b/meta-oe/recipes-devtools/breakpad/breakpad_git.bb @@ -26,11 +26,11 @@ SRCREV_protobuf = "cb6dd4ef5f82e41e06179dcd57d3b1d9246ad6ac" SRCREV_lss = "8048ece6c16c91acfe0d36d1d3cc0890ab6e945c" SRCREV_gyp = "324dd166b7c0b39d513026fa52d6280ac6d56770" -SRC_URI = "git://github.com/google/breakpad;name=breakpad \ - git://github.com/google/googletest.git;destsuffix=git/src/testing/gtest;name=gtest \ - git://github.com/google/protobuf.git;destsuffix=git/src/third_party/protobuf/protobuf;name=protobuf \ - git://chromium.googlesource.com/linux-syscall-support;protocol=https;destsuffix=git/src/third_party/lss;name=lss \ - git://chromium.googlesource.com/external/gyp;protocol=https;destsuffix=git/src/tools/gyp;name=gyp \ +SRC_URI = "git://github.com/google/breakpad;name=breakpad;branch=main;protocol=https \ + git://github.com/google/googletest.git;destsuffix=git/src/testing/gtest;name=gtest;branch=main;protocol=https \ + git://github.com/google/protobuf.git;destsuffix=git/src/third_party/protobuf/protobuf;name=protobuf;branch=main;protocol=https \ + git://chromium.googlesource.com/linux-syscall-support;protocol=https;destsuffix=git/src/third_party/lss;name=lss;branch=main \ + git://chromium.googlesource.com/external/gyp;protocol=https;destsuffix=git/src/tools/gyp;name=gyp;branch=master \ file://0001-include-sys-reg.h-to-get-__WORDSIZE-on-musl-libc.patch \ file://0003-Fix-conflict-between-musl-libc-dirent.h-and-lss.patch \ file://0001-Turn-off-sign-compare-for-musl-libc.patch \ diff --git a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb index c6bab5ec2b..fa1751e566 100644 --- a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb +++ b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb @@ -5,7 +5,9 @@ SECTION = "console/tools" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://../LICENSE;md5=a05663ae6cca874123bf667a60dca8c9" -SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV}" +SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https \ + file://CVE-2022-46149.patch \ +" SRCREV = "3f44c6db0f0f6c0cab0633f15f15d0a2acd01d19" S = "${WORKDIR}/git/c++" diff --git a/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch new file mode 100644 index 0000000000..b6b1fa6514 --- /dev/null +++ b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch @@ -0,0 +1,49 @@ +From 25d34c67863fd960af34fc4f82a7ca3362ee74b9 Mon Sep 17 00:00:00 2001 +From: Kenton Varda <kenton@cloudflare.com> +Date: Wed, 23 Nov 2022 12:02:29 -0600 +Subject: [PATCH] Apply data offset for list-of-pointers at access time rather + than ListReader creation time. + +Baking this offset into `ptr` reduced ops needed at access time but made the interpretation of `ptr` inconsistent depending on what type of list was expected. + +CVE: CVE-2022-46149 +Upstream-Status: Backport [https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +--- + c++/src/capnp/layout.c++ | 4 ---- + c++/src/capnp/layout.h | 6 +++++- + 2 files changed, 5 insertions(+), 5 deletions(-) + +Index: c++/src/capnp/layout.c++ +=================================================================== +--- c++.orig/src/capnp/layout.c++ ++++ c++/src/capnp/layout.c++ +@@ -2322,10 +2322,6 @@ struct WireHelpers { + break; + + case ElementSize::POINTER: +- // We expected a list of pointers but got a list of structs. Assuming the first field +- // in the struct is the pointer we were looking for, we want to munge the pointer to +- // point at the first element's pointer section. +- ptr += tag->structRef.dataSize.get(); + KJ_REQUIRE(tag->structRef.ptrCount.get() > ZERO * POINTERS, + "Expected a pointer list, but got a list of data-only structs.") { + goto useDefault; +Index: c++/src/capnp/layout.h +=================================================================== +--- c++.orig/src/capnp/layout.h ++++ c++/src/capnp/layout.h +@@ -1235,8 +1235,12 @@ inline Void ListReader::getDataElement<V + } + + inline PointerReader ListReader::getPointerElement(ElementCount index) const { ++ // If the list elements have data sections we need to skip those. Note that for pointers to be ++ // present at all (which already must be true if we get here), then `structDataSize` must be a ++ // whole number of words, so we don't have to worry about unaligned reads here. ++ auto offset = structDataSize / BITS_PER_BYTE; + return PointerReader(segment, capTable, reinterpret_cast<const WirePointer*>( +- ptr + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit); ++ ptr + offset + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit); + } + + // ------------------------------------------------------------------- diff --git a/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb b/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb index e6174821ff..7af05acf9a 100644 --- a/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb +++ b/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb @@ -5,7 +5,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=218947f77e8cb8e2fa02918dc41c50d0" -SRC_URI = "git://github.com/DaveGamble/cJSON.git" +SRC_URI = "git://github.com/DaveGamble/cJSON.git;branch=master;protocol=https" SRCREV = "39853e5148dad8dc5d32ea2b00943cf4a0c6f120" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb b/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb index 8c6cf7db20..996314a758 100644 --- a/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb +++ b/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb @@ -10,7 +10,7 @@ SECTION = "base" PV = "0.5.1+git${SRCPV}" SRCREV = "f97d3da5c375ac2fc5a9173cdd36cb828915a2e1" LIC_FILES_CHKSUM = "file://LICENSE;md5=a0b24c1a8f9ad516a297d055b0294231" -SRC_URI = "git://github.com/concurrencykit/ck.git \ +SRC_URI = "git://github.com/concurrencykit/ck.git;branch=master;protocol=https \ file://cross.patch \ " diff --git a/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb b/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb index 406494ebbc..d1b7134b83 100644 --- a/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb +++ b/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb @@ -3,11 +3,11 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://github.com/ubinux/dnf-plugin-tui.git;branch=master " +SRC_URI = "git://github.com/ubinux/dnf-plugin-tui.git;branch=master;protocol=https" SRCREV = "c5416adeb210154dc4ccc4c3e1c5297d83ebd41e" PV = "1.1" -SRC_URI_append_class-target = "file://oe-remote.repo.sample" +SRC_URI_append_class-target = " file://oe-remote.repo.sample" inherit distutils3-base diff --git a/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb b/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb index c31cef63cf..c4f3594f36 100644 --- a/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb +++ b/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb @@ -12,7 +12,10 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" SRCREV = "6df40a2471737b27271bdd9b900ab5f3aec746c7" -SRC_URI = "git://github.com/google/flatbuffers.git" +SRC_URI = "git://github.com/google/flatbuffers.git;branch=master;protocol=https" + +# affects only flatbuffers rust crate +CVE_CHECK_WHITELIST += "CVE-2020-35864" # Make sure C++11 is used, required for example for GCC 4.9 CXXFLAGS += "-std=c++11 -fPIC" @@ -21,12 +24,17 @@ BUILD_CXXFLAGS += "-std=c++11 -fPIC" # BUILD_TYPE=Release is required, otherwise flatc is not installed EXTRA_OECMAKE += "\ -DCMAKE_BUILD_TYPE=Release \ - -DFLATBUFFERS_BUILD_TESTS=OFF \ + -DFLATBUFFERS_BUILD_TESTS=OFF \ -DFLATBUFFERS_BUILD_SHAREDLIB=ON \ " inherit cmake +rm_flatc_cmaketarget_for_target() { + rm -f "${SYSROOT_DESTDIR}/${libdir}/cmake/flatbuffers/FlatcTargets.cmake" +} +SYSROOT_PREPROCESS_FUNCS:class-target += "rm_flatc_cmaketarget_for_target" + S = "${WORKDIR}/git" FILES_${PN}-compiler = "${bindir}" diff --git a/meta-oe/recipes-devtools/giflib/files/CVE-2019-15133.patch b/meta-oe/recipes-devtools/giflib/files/CVE-2019-15133.patch new file mode 100644 index 0000000000..9957be82f3 --- /dev/null +++ b/meta-oe/recipes-devtools/giflib/files/CVE-2019-15133.patch @@ -0,0 +1,23 @@ +From 799eb6a3af8a3dd81e2429bf11a72a57e541f908 Mon Sep 17 00:00:00 2001 +From: "Eric S. Raymond" <esr@thyrsus.com> +Date: Sun, 17 Mar 2019 12:37:21 -0400 +Subject: [PATCH] Address SF bug #119: MemorySanitizer: FPE on unknown address + +--- + dgif_lib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Upstream-status: Backport [https://sourceforge.net/p/giflib/code/ci/799eb6a3af8a3dd81e2429bf11a72a57e541f908/] +CVE: CVE-2019-15133 + +--- a/lib/dgif_lib.c 2021-01-13 19:28:18.923493586 +0100 ++++ b/lib/dgif_lib.c 2021-01-13 19:28:55.245863085 +0100 +@@ -1099,7 +1099,7 @@ DGifSlurp(GifFileType *GifFile) + + sp = &GifFile->SavedImages[GifFile->ImageCount - 1]; + /* Allocate memory for the image */ +- if (sp->ImageDesc.Width < 0 && sp->ImageDesc.Height < 0 && ++ if (sp->ImageDesc.Width <= 0 && sp->ImageDesc.Height <= 0 && + sp->ImageDesc.Width > (INT_MAX / sp->ImageDesc.Height)) { + return GIF_ERROR; + } diff --git a/meta-oe/recipes-devtools/giflib/giflib_5.1.4.bb b/meta-oe/recipes-devtools/giflib/giflib_5.1.4.bb index 21fa352cdc..1871bab46e 100644 --- a/meta-oe/recipes-devtools/giflib/giflib_5.1.4.bb +++ b/meta-oe/recipes-devtools/giflib/giflib_5.1.4.bb @@ -3,7 +3,12 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=ae11c61b04b2917be39b11f78d71519a" -SRC_URI = "${SOURCEFORGE_MIRROR}/giflib/${BP}.tar.bz2" +SRC_URI = " \ + ${SOURCEFORGE_MIRROR}/giflib/${BP}.tar.bz2 \ + file://CVE-2019-15133.patch \ +" + +CVE_PRODUCT = "giflib_project:giflib" inherit autotools diff --git a/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb b/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb index 752562eb33..8a055412f2 100644 --- a/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb +++ b/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb @@ -15,9 +15,10 @@ SRCREV_grpc = "2de2e8dd8921e1f7d043e01faf7fe8a291fbb072" SRCREV_upb = "9effcbcb27f0a665f9f345030188c0b291e32482" BRANCH = "v1.24.x" SRC_URI = "git://github.com/grpc/grpc.git;protocol=https;name=grpc;branch=${BRANCH} \ - git://github.com/protocolbuffers/upb;name=upb;destsuffix=git/third_party/upb \ + git://github.com/protocolbuffers/upb;name=upb;destsuffix=git/third_party/upb;branch=main;protocol=https \ file://0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch \ " +SRCREV_FORMAT = "grpc_upb" SRC_URI_append_class-target = " file://0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch \ " SRC_URI_append_class-nativesdk = " file://0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch" @@ -62,6 +63,6 @@ do_configure_prepend_toolchain-clang_x86() { BBCLASSEXTEND = "native nativesdk" -SYSROOT_DIRS_BLACKLIST_append_class-target = "${baselib}/cmake/grpc" +SYSROOT_DIRS_BLACKLIST_append_class-target = " ${baselib}/cmake/grpc" FILES_${PN}-dev += "${bindir}" diff --git a/meta-oe/recipes-devtools/guider/guider_3.9.6.bb b/meta-oe/recipes-devtools/guider/guider_3.9.6.bb deleted file mode 100644 index f059002161..0000000000 --- a/meta-oe/recipes-devtools/guider/guider_3.9.6.bb +++ /dev/null @@ -1,39 +0,0 @@ -SUMMARY = "runtime performance analyzer" -HOMEPAGE = "https://github.com/iipeace/guider" -BUGTRACKER = "https://github.com/iipeace/guider/issues" -AUTHOR = "Peace Lee <ipeace5@gmail.com>" - -LICENSE = "GPLv2+" -LIC_FILES_CHKSUM = "file://LICENSE;md5=2c1c00f9d3ed9e24fa69b932b7e7aff2" - -PV = "3.9.6+git${SRCPV}" -PR = "r0" - -SRC_URI = "git://github.com/iipeace/${BPN}" -#SRCREV = "${AUTOREV}" -SRCREV = "fef25c41efb9bde0614ea477d0b90bd9565ae0b4" - -S = "${WORKDIR}/git" -R = "${RECIPE_SYSROOT}" - -inherit ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "distutils", "", d)} - -GUIDER_OBJ = "guider.pyc" -GUIDER_SCRIPT = "guider" - -do_install() { - python ${S}/setup.py install - - install -d ${D}${bindir} - install -v -m 0755 ${STAGING_BINDIR_NATIVE}/${GUIDER_SCRIPT} ${D}${bindir}/${GUIDER_SCRIPT} - - install -d ${D}${datadir}/${BPN} - install -v -m 0755 ${STAGING_LIBDIR_NATIVE}/python${PYTHON_BASEVERSION}/site-packages/${BPN}/${GUIDER_OBJ} ${D}${datadir}/${BPN}/${GUIDER_OBJ} -} - -RDEPENDS_${PN} = "python-ctypes python-shell \ - python-json python-subprocess" -python() { - if 'meta-python2' not in d.getVar('BBFILE_COLLECTIONS').split(): - raise bb.parse.SkipRecipe('Requires meta-python2 to be present.') -} diff --git a/meta-oe/recipes-devtools/guider/guider_3.9.7.bb b/meta-oe/recipes-devtools/guider/guider_3.9.7.bb new file mode 100644 index 0000000000..cc81443d5d --- /dev/null +++ b/meta-oe/recipes-devtools/guider/guider_3.9.7.bb @@ -0,0 +1,19 @@ +SUMMARY = "runtime performance analyzer" +HOMEPAGE = "https://github.com/iipeace/guider" +BUGTRACKER = "https://github.com/iipeace/guider/issues" +AUTHOR = "Peace Lee <ipeace5@gmail.com>" + +LICENSE = "GPLv2+" +LIC_FILES_CHKSUM = "file://LICENSE;md5=2c1c00f9d3ed9e24fa69b932b7e7aff2" + +PV = "3.9.7+git${SRCPV}" + +SRC_URI = "git://github.com/iipeace/${BPN};branch=master;protocol=https" +SRCREV = "459b5189a46023fc98e19888b196bdc2674022fd" + +S = "${WORKDIR}/git" + +inherit setuptools3 + +RDEPENDS_${PN} = "python3 python3-core \ + python3-ctypes python3-shell python3-json" diff --git a/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch b/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch new file mode 100644 index 0000000000..784f175eea --- /dev/null +++ b/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch @@ -0,0 +1,52 @@ +From 2d5a94aeeab01f0448b5a0bb8d4a9a23a5b790d5 Mon Sep 17 00:00:00 2001 +From: Andrew Childs <lorne@cons.org.nz> +Date: Sat, 28 Dec 2019 16:04:24 +0900 +Subject: [PATCH] json_writer: fix inverted sense in isAnyCharRequiredQuoting + (#1120) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This bug is only affects platforms where `char` is unsigned. + +When char is a signed type, values >= 0x80 are also considered < 0, +and hence require escaping due to the < ' ' condition. + +When char is an unsigned type, values >= 0x80 match none of the +conditions and are considered safe to emit without escaping. + +This shows up as a test failure: + +* Detail of EscapeSequenceTest/writeEscapeSequence test failure: +/build/source/src/test_lib_json/main.cpp(3370): expected == result + Expected: '["\"","\\","\b","\f","\n","\r","\t","\u0278","\ud852\udf62"] + ' + Actual : '["\"","\\","\b","\f","\n","\r","\t","ɸ","ð¤¢"] + ' +Upstream-Status: Backport [https://github.com/open-source-parsers/jsoncpp/commit/f11611c8785082ead760494cba06196f14a06dcb] + +Signed-off-by: Viktor Rosendahl <Viktor.Rosendahl@bmw.de> + +--- + src/lib_json/json_writer.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/lib_json/json_writer.cpp b/src/lib_json/json_writer.cpp +index 519ce23..b68a638 100644 +--- a/src/lib_json/json_writer.cpp ++++ b/src/lib_json/json_writer.cpp +@@ -178,8 +178,9 @@ static bool isAnyCharRequiredQuoting(char const* s, size_t n) { + + char const* const end = s + n; + for (char const* cur = s; cur < end; ++cur) { +- if (*cur == '\\' || *cur == '\"' || *cur < ' ' || +- static_cast<unsigned char>(*cur) < 0x80) ++ if (*cur == '\\' || *cur == '\"' || ++ static_cast<unsigned char>(*cur) < ' ' || ++ static_cast<unsigned char>(*cur) >= 0x80) + return true; + } + return false; +-- +2.17.1 + diff --git a/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb b/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb index 8a5db3da3c..ae4b4c9840 100644 --- a/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb +++ b/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb @@ -14,7 +14,10 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=fa2a23dd1dc6c139f35105379d76df2b" SRCREV = "d2e6a971f4544c55b8e3b25cf96db266971b778f" -SRC_URI = "git://github.com/open-source-parsers/jsoncpp" +SRC_URI = "\ + git://github.com/open-source-parsers/jsoncpp;branch=master;protocol=https \ + file://0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch \ + " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb b/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb index ca9675ed64..e9672ea4dd 100644 --- a/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb +++ b/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb @@ -9,7 +9,7 @@ SECTION = "libs" DEPENDS = "curl jsoncpp libmicrohttpd hiredis" -SRC_URI = "git://github.com/cinemast/libjson-rpc-cpp" +SRC_URI = "git://github.com/cinemast/libjson-rpc-cpp;branch=master;protocol=https" SRCREV = "c696f6932113b81cd20cd4a34fdb1808e773f23e" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb b/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb index 62d4df5e09..72f06ae44f 100644 --- a/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb +++ b/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb @@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=930f8aa500a47c7dab0f8efb5a1c9a40" DEPENDS = "libgfortran" SRCREV = "6acc99d5f39130be7cec00fb835606042101a970" -SRC_URI = "git://github.com/Reference-LAPACK/lapack.git;protocol=https" +SRC_URI = "git://github.com/Reference-LAPACK/lapack.git;protocol=https;branch=master" S = "${WORKDIR}/git" EXTRA_OECMAKE = " -DBUILD_SHARED_LIBS=ON " diff --git a/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb b/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb index b83e86a488..2dc3776e81 100644 --- a/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb +++ b/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb @@ -7,7 +7,7 @@ Cluster segmentation described in Annex #29 (UAX #29)." LICENSE = "Artistic-1.0 | GPLv1+" LIC_FILES_CHKSUM = "file://COPYING;md5=5b122a36d0f6dc55279a0ebc69f3c60b" -SRC_URI = "git://github.com/hatukanezumi/sombok.git;protocol=https \ +SRC_URI = "git://github.com/hatukanezumi/sombok.git;protocol=https;branch=master \ file://0001-configure.ac-fix-cross-compiling-issue.patch \ " diff --git a/meta-oe/recipes-devtools/libubox/libubox_git.bb b/meta-oe/recipes-devtools/libubox/libubox_git.bb index 7dbefa1152..18f26b009b 100644 --- a/meta-oe/recipes-devtools/libubox/libubox_git.bb +++ b/meta-oe/recipes-devtools/libubox/libubox_git.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "\ " SRC_URI = "\ - git://git.openwrt.org/project/libubox.git \ + git://git.openwrt.org/project/libubox.git;branch=master \ file://0001-version-libraries.patch \ file://fix-libdir.patch \ file://0001-blobmsg-fix-array-out-of-bounds-GCC-10-warning.patch \ diff --git a/meta-oe/recipes-devtools/ltrace/ltrace_git.bb b/meta-oe/recipes-devtools/ltrace/ltrace_git.bb index 5710943d74..339841acf3 100644 --- a/meta-oe/recipes-devtools/ltrace/ltrace_git.bb +++ b/meta-oe/recipes-devtools/ltrace/ltrace_git.bb @@ -14,7 +14,7 @@ PV = "7.91+git${SRCPV}" SRCREV = "c22d359433b333937ee3d803450dc41998115685" DEPENDS = "elfutils" -SRC_URI = "git://github.com/sparkleholic/ltrace.git;branch=master;protocol=http \ +SRC_URI = "git://github.com/sparkleholic/ltrace.git;branch=master;protocol=http;protocol=https \ file://configure-allow-to-disable-selinux-support.patch \ file://0001-replace-readdir_r-with-readdir.patch \ file://0001-Use-correct-enum-type.patch \ diff --git a/meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch b/meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch new file mode 100644 index 0000000000..a302874d76 --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch @@ -0,0 +1,90 @@ +From 1e6df25ac28dcd89f0324177bb55019422404b44 Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> +Date: Thu, 3 Sep 2020 15:32:17 +0800 +Subject: [PATCH] Fixed bug: barriers cannot be active during sweep + +Barriers cannot be active during sweep, even in generational mode. +(Although gen. mode is not incremental, it can hit a barrier when +deleting a thread and closing its upvalues.) The colors of objects are +being changed during sweep and, therefore, cannot be trusted. + +Upstream-Status: Backport [https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110] +CVE: CVE-2020-24371 + +[Adjust code KGC_INC -> KGC_NORMAL, refer 69371c4b84becac09c445aae01d005b49658ef82] +Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> +--- + src/lgc.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/src/lgc.c b/src/lgc.c +index 973c269..7af23d5 100644 +--- a/src/lgc.c ++++ b/src/lgc.c +@@ -142,10 +142,17 @@ static int iscleared (global_State *g, const TValue *o) { + + + /* +-** barrier that moves collector forward, that is, mark the white object +-** being pointed by a black object. (If in sweep phase, clear the black +-** object to white [sweep it] to avoid other barrier calls for this +-** same object.) ++** Barrier that moves collector forward, that is, marks the white object ++** 'v' being pointed by the black object 'o'. In the generational ++** mode, 'v' must also become old, if 'o' is old; however, it cannot ++** be changed directly to OLD, because it may still point to non-old ++** objects. So, it is marked as OLD0. In the next cycle it will become ++** OLD1, and in the next it will finally become OLD (regular old). By ++** then, any object it points to will also be old. If called in the ++** incremental sweep phase, it clears the black object to white (sweep ++** it) to avoid other barrier calls for this same object. (That cannot ++** be done is generational mode, as its sweep does not distinguish ++** whites from deads.) + */ + void luaC_barrier_ (lua_State *L, GCObject *o, GCObject *v) { + global_State *g = G(L); +@@ -154,7 +161,8 @@ void luaC_barrier_ (lua_State *L, GCObject *o, GCObject *v) { + reallymarkobject(g, v); /* restore invariant */ + else { /* sweep phase */ + lua_assert(issweepphase(g)); +- makewhite(g, o); /* mark main obj. as white to avoid other barriers */ ++ if (g->gckind == KGC_NORMAL) /* incremental mode? */ ++ makewhite(g, o); /* mark 'o' as white to avoid other barriers */ + } + } + +@@ -299,10 +307,15 @@ static void markbeingfnz (global_State *g) { + + + /* +-** Mark all values stored in marked open upvalues from non-marked threads. +-** (Values from marked threads were already marked when traversing the +-** thread.) Remove from the list threads that no longer have upvalues and +-** not-marked threads. ++** For each non-marked thread, simulates a barrier between each open ++** upvalue and its value. (If the thread is collected, the value will be ++** assigned to the upvalue, but then it can be too late for the barrier ++** to act. The "barrier" does not need to check colors: A non-marked ++** thread must be young; upvalues cannot be older than their threads; so ++** any visited upvalue must be young too.) Also removes the thread from ++** the list, as it was already visited. Removes also threads with no ++** upvalues, as they have nothing to be checked. (If the thread gets an ++** upvalue later, it will be linked in the list again.) + */ + static void remarkupvals (global_State *g) { + lua_State *thread; +@@ -313,9 +326,11 @@ static void remarkupvals (global_State *g) { + p = &thread->twups; /* keep marked thread with upvalues in the list */ + else { /* thread is not marked or without upvalues */ + UpVal *uv; ++ lua_assert(!isold(thread) || thread->openupval == NULL); + *p = thread->twups; /* remove thread from the list */ + thread->twups = thread; /* mark that it is out of list */ + for (uv = thread->openupval; uv != NULL; uv = uv->u.open.next) { ++ lua_assert(getage(uv) <= getage(thread)); + if (uv->u.open.touched) { + markvalue(g, uv->v); /* remark upvalue's value */ + uv->u.open.touched = 0; +-- +1.9.1 + diff --git a/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch new file mode 100644 index 0000000000..606c9ea98c --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch @@ -0,0 +1,73 @@ +From a38684e4cb4e1439e5f2f7370724496d5b363b32 Mon Sep 17 00:00:00 2001 +From: Steve Sakoman <steve@sakoman.com> +Date: Mon, 18 Apr 2022 09:04:08 -1000 +Subject: [PATCH] lua: fix CVE-2022-28805 + +singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup +call, leading to a heap-based buffer over-read that might affect a system that +compiles untrusted Lua code. + +https://nvd.nist.gov/vuln/detail/CVE-2022-28805 + +(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e) + +Signed-off-by: Sana Kazi <sana.kazi@kpit.com> +Signed-off-by: Steve Sakoman <steve@sakoman.com> +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354) +Signed-off-by: Omkar Patil <omkar.patil@kpit.com> +--- + .../lua/lua/CVE-2022-28805.patch | 28 +++++++++++++++++++ + meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 + + 2 files changed, 29 insertions(+) + create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch + +diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch +new file mode 100644 +index 000000000..0a21d1ce7 +--- /dev/null ++++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch +@@ -0,0 +1,28 @@ ++From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 ++From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> ++Date: Tue, 15 Feb 2022 12:28:46 -0300 ++Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const> ++ ++CVE: CVE-2022-28805 ++ ++Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa] ++ ++Signed-off-by: Sana Kazi <sana.kazi@kpit.com> ++Signed-off-by: Steve Sakoman <steve@sakoman.com> ++--- ++ src/lparser.c | 1 + ++ 1 files changed, 1 insertions(+) ++ ++diff --git a/src/lparser.c b/src/lparser.c ++index 3abe3d751..a5cd55257 100644 ++--- a/src/lparser.c +++++ b/src/lparser.c ++@@ -300,6 +300,7 @@ ++ expdesc key; ++ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ ++ lua_assert(var->k != VVOID); /* this one must exist */ +++ luaK_exp2anyregup(fs, var); /* but could be a constant */ ++ codestring(ls, &key, varname); /* key is variable name */ ++ luaK_indexed(fs, var, &key); /* env[varname] */ ++ } ++ +diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +index 342ed1b54..0137cc3c5 100644 +--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb ++++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ + file://CVE-2020-15888.patch \ + file://CVE-2020-15945.patch \ + file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \ ++ file://CVE-2022-28805.patch \ + " + + # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release. +-- +2.17.1 + diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch new file mode 100644 index 0000000000..89ce491487 --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch @@ -0,0 +1,167 @@ +From d8d344365945a534f700c82c5dd26f704f89fef3 Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> +Date: Wed, 5 Aug 2020 16:59:58 +0800 +Subject: [PATCH] Fixed bug: invalid 'oldpc' when returning to a function + +The field 'L->oldpc' is not always updated when control returns to a +function; an invalid value can seg. fault when computing 'changedline'. +(One example is an error in a finalizer; control can return to +'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to +fix all possible corner cases, it seems safer to be resilient to invalid +values for 'oldpc'. Valid but wrong values at most cause an extra call +to a line hook. + +CVE: CVE-2020-15945 + +[Adjust the code to be applicable to the tree] + +Upstream-Status: Backport [https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3] + +Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> +Signed-off-by: Joe Slater <joe.slater@@windriver.com> + +--- + src/ldebug.c | 30 +++++++++++++++--------------- + src/ldebug.h | 4 ++++ + src/ldo.c | 2 +- + src/lstate.c | 1 + + src/lstate.h | 2 +- + 5 files changed, 22 insertions(+), 17 deletions(-) + +diff --git a/src/ldebug.c b/src/ldebug.c +index 239affb..832b16c 100644 +--- a/src/ldebug.c ++++ b/src/ldebug.c +@@ -34,9 +34,8 @@ + #define noLuaClosure(f) ((f) == NULL || (f)->c.tt == LUA_TCCL) + + +-/* Active Lua function (given call info) */ +-#define ci_func(ci) (clLvalue((ci)->func)) +- ++/* inverse of 'pcRel' */ ++#define invpcRel(pc, p) ((p)->code + (pc) + 1) + + static const char *funcnamefromcode (lua_State *L, CallInfo *ci, + const char **name); +@@ -71,20 +70,18 @@ static void swapextra (lua_State *L) { + + /* + ** This function can be called asynchronously (e.g. during a signal). +-** Fields 'oldpc', 'basehookcount', and 'hookcount' (set by +-** 'resethookcount') are for debug only, and it is no problem if they +-** get arbitrary values (causes at most one wrong hook call). 'hookmask' +-** is an atomic value. We assume that pointers are atomic too (e.g., gcc +-** ensures that for all platforms where it runs). Moreover, 'hook' is +-** always checked before being called (see 'luaD_hook'). ++** Fields 'basehookcount' and 'hookcount' (set by 'resethookcount') ++** are for debug only, and it is no problem if they get arbitrary ++** values (causes at most one wrong hook call). 'hookmask' is an atomic ++** value. We assume that pointers are atomic too (e.g., gcc ensures that ++** for all platforms where it runs). Moreover, 'hook' is always checked ++** before being called (see 'luaD_hook'). + */ + LUA_API void lua_sethook (lua_State *L, lua_Hook func, int mask, int count) { + if (func == NULL || mask == 0) { /* turn off hooks? */ + mask = 0; + func = NULL; + } +- if (isLua(L->ci)) +- L->oldpc = L->ci->u.l.savedpc; + L->hook = func; + L->basehookcount = count; + resethookcount(L); +@@ -665,7 +662,10 @@ l_noret luaG_runerror (lua_State *L, const char *fmt, ...) { + void luaG_traceexec (lua_State *L) { + CallInfo *ci = L->ci; + lu_byte mask = L->hookmask; ++ const Proto *p = ci_func(ci)->p; + int counthook = (--L->hookcount == 0 && (mask & LUA_MASKCOUNT)); ++ /* 'L->oldpc' may be invalid; reset it in this case */ ++ int oldpc = (L->oldpc < p->sizecode) ? L->oldpc : 0; + if (counthook) + resethookcount(L); /* reset count */ + else if (!(mask & LUA_MASKLINE)) +@@ -677,15 +677,15 @@ void luaG_traceexec (lua_State *L) { + if (counthook) + luaD_hook(L, LUA_HOOKCOUNT, -1); /* call count hook */ + if (mask & LUA_MASKLINE) { +- Proto *p = ci_func(ci)->p; + int npc = pcRel(ci->u.l.savedpc, p); + int newline = getfuncline(p, npc); + if (npc == 0 || /* call linehook when enter a new function, */ +- ci->u.l.savedpc <= L->oldpc || /* when jump back (loop), or when */ +- newline != getfuncline(p, pcRel(L->oldpc, p))) /* enter a new line */ ++ ci->u.l.savedpc <= invpcRel(oldpc, p) || /* when jump back (loop), or when */ ++ newline != getfuncline(p, oldpc)) /* enter a new line */ + luaD_hook(L, LUA_HOOKLINE, newline); /* call line hook */ ++ ++ L->oldpc = npc; /* 'pc' of last call to line hook */ + } +- L->oldpc = ci->u.l.savedpc; + if (L->status == LUA_YIELD) { /* did hook yield? */ + if (counthook) + L->hookcount = 1; /* undo decrement to zero */ +diff --git a/src/ldebug.h b/src/ldebug.h +index 0e31546..c224cc4 100644 +--- a/src/ldebug.h ++++ b/src/ldebug.h +@@ -13,6 +13,10 @@ + + #define pcRel(pc, p) (cast(int, (pc) - (p)->code) - 1) + ++/* Active Lua function (given call info) */ ++#define ci_func(ci) (clLvalue((ci)->func)) ++ ++ + #define getfuncline(f,pc) (((f)->lineinfo) ? (f)->lineinfo[pc] : -1) + + #define resethookcount(L) (L->hookcount = L->basehookcount) +diff --git a/src/ldo.c b/src/ldo.c +index 90b695f..f66ac1a 100644 +--- a/src/ldo.c ++++ b/src/ldo.c +@@ -382,7 +382,7 @@ int luaD_poscall (lua_State *L, CallInfo *ci, StkId firstResult, int nres) { + luaD_hook(L, LUA_HOOKRET, -1); + firstResult = restorestack(L, fr); + } +- L->oldpc = ci->previous->u.l.savedpc; /* 'oldpc' for caller function */ ++ L->oldpc = pcRel(ci->u.l.savedpc, ci_func(ci)->p); /* 'oldpc' for caller function */ + } + res = ci->func; /* res == final position of 1st result */ + L->ci = ci->previous; /* back to caller */ +diff --git a/src/lstate.c b/src/lstate.c +index 9194ac3..3573e36 100644 +--- a/src/lstate.c ++++ b/src/lstate.c +@@ -236,6 +236,7 @@ static void preinit_thread (lua_State *L, global_State *g) { + L->nny = 1; + L->status = LUA_OK; + L->errfunc = 0; ++ L->oldpc = 0; + } + + +diff --git a/src/lstate.h b/src/lstate.h +index a469466..d75eadf 100644 +--- a/src/lstate.h ++++ b/src/lstate.h +@@ -164,7 +164,6 @@ struct lua_State { + StkId top; /* first free slot in the stack */ + global_State *l_G; + CallInfo *ci; /* call info for current function */ +- const Instruction *oldpc; /* last pc traced */ + StkId stack_last; /* last free slot in the stack */ + StkId stack; /* stack base */ + UpVal *openupval; /* list of open upvalues in this stack */ +@@ -174,6 +173,7 @@ struct lua_State { + CallInfo base_ci; /* CallInfo for first level (C calling Lua) */ + volatile lua_Hook hook; + ptrdiff_t errfunc; /* current error handling function (stack index) */ ++ int oldpc; /* last pc traced */ + int stacksize; + int basehookcount; + int hookcount; +-- +2.13.3 + diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch new file mode 100644 index 0000000000..0a21d1ce77 --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch @@ -0,0 +1,28 @@ +From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> +Date: Tue, 15 Feb 2022 12:28:46 -0300 +Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const> + +CVE: CVE-2022-28805 + +Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa] + +Signed-off-by: Sana Kazi <sana.kazi@kpit.com> +Signed-off-by: Steve Sakoman <steve@sakoman.com> +--- + src/lparser.c | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/src/lparser.c b/src/lparser.c +index 3abe3d751..a5cd55257 100644 +--- a/src/lparser.c ++++ b/src/lparser.c +@@ -300,6 +300,7 @@ + expdesc key; + singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ + lua_assert(var->k != VVOID); /* this one must exist */ ++ luaK_exp2anyregup(fs, var); /* but could be a constant */ + codestring(ls, &key, varname); /* key is variable name */ + luaK_indexed(fs, var, &key); /* env[varname] */ + } + diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb index d3461b06de..d46d402aa3 100644 --- a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb +++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb @@ -1,13 +1,16 @@ DESCRIPTION = "Lua is a powerful light-weight programming language designed \ for extending applications." LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://doc/readme.html;beginline=318;endline=352;md5=60aa5cfdbd40086501778d9b6ebf29ee" +LIC_FILES_CHKSUM = "file://doc/readme.html;beginline=318;endline=352;md5=f43d8ee6bc4df18ef8b276439cc4a153" HOMEPAGE = "http://www.lua.org/" SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ file://lua.pc.in \ file://0001-Allow-building-lua-without-readline-on-Linux.patch \ file://CVE-2020-15888.patch \ + file://CVE-2020-15945.patch \ + file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \ + file://CVE-2022-28805.patch \ " # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release. @@ -18,8 +21,8 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', \ file://run-ptest \ ', '', d)}" -SRC_URI[tarballsrc.md5sum] = "4f4b4f323fd3514a68e0ab3da8ce3455" -SRC_URI[tarballsrc.sha256sum] = "0c2eed3f960446e1a3e4b9a1ca2f3ff893b6ce41942cf54d5dd59ab4b3b058ac" +SRC_URI[tarballsrc.md5sum] = "83f23dbd5230140a3770d5f54076948d" +SRC_URI[tarballsrc.sha256sum] = "fc5fd69bb8736323f026672b1b7235da613d7177e72558893a0bdcd320466d60" SRC_URI[tarballtest.md5sum] = "b14fe3748c1cb2d74e3acd1943629ba3" SRC_URI[tarballtest.sha256sum] = "b80771238271c72565e5a1183292ef31bd7166414cd0d43a8eb79845fa7f599f" @@ -29,7 +32,7 @@ PACKAGECONFIG ??= "readline" PACKAGECONFIG[readline] = ",,readline" UCLIBC_PATCHES += "file://uclibc-pthread.patch" -SRC_URI_append_libc-uclibc = "${UCLIBC_PATCHES}" +SRC_URI_append_libc-uclibc = " ${UCLIBC_PATCHES}" TARGET_CC_ARCH += " -fPIC ${LDFLAGS}" EXTRA_OEMAKE = "'CC=${CC} -fPIC' 'MYCFLAGS=${CFLAGS} -fPIC' MYLDFLAGS='${LDFLAGS}'" diff --git a/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb b/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb index 1bee9fe0b9..83f6aa0f42 100644 --- a/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb +++ b/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7dd2aad04bb7ca212e69127ba8d58f9f" DEPENDS += "lua-native lua" -SRC_URI = "git://github.com/luaposix/luaposix.git;branch=release \ +SRC_URI = "git://github.com/luaposix/luaposix.git;branch=release;protocol=https \ file://0001-fix-avoid-race-condition-between-test-and-mkdir.patch \ " SRCREV = "8e4902ed81c922ed8f76a7ed85be1eaa3fd7e66d" diff --git a/meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch b/meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch new file mode 100644 index 0000000000..a0c6584ecb --- /dev/null +++ b/meta-oe/recipes-devtools/mcpp/files/CVE-2019-14274.patch @@ -0,0 +1,34 @@ +From ea453aca2742be6ac43ba4ce0da6f938a7e5a5d8 Mon Sep 17 00:00:00 2001 +From: He Liu <liulonnie@gmail.com> +Date: Tue, 4 Feb 2014 11:00:40 -0800 +Subject: [PATCH] line comment bug + +--- + src/support.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/support.c b/src/support.c +index c57eaef..e3357e4 100644 +--- a/src/support.c ++++ b/src/support.c +@@ -188,7 +188,7 @@ static char * append_to_buffer( + size_t length + ) + { +- if (mem_buf_p->bytes_avail < length) { /* Need to allocate more memory */ ++ if (mem_buf_p->bytes_avail < length + 1) { /* Need to allocate more memory */ + size_t size = MAX( BUF_INCR_SIZE, length); + + if (mem_buf_p->buffer == NULL) { /* 1st append */ +@@ -1722,6 +1722,8 @@ com_start: + sp -= 2; + while (*sp != '\n') /* Until end of line */ + mcpp_fputc( *sp++, OUT); ++ mcpp_fputc('\n', OUT); ++ wrong_line = TRUE; + } + goto end_line; + default: /* Not a comment */ +-- +2.25.1 + diff --git a/meta-oe/recipes-devtools/mcpp/files/ice-mcpp.patch b/meta-oe/recipes-devtools/mcpp/files/ice-mcpp.patch index 8103cf0920..1df3ae55bc 100644 --- a/meta-oe/recipes-devtools/mcpp/files/ice-mcpp.patch +++ b/meta-oe/recipes-devtools/mcpp/files/ice-mcpp.patch @@ -114,37 +114,6 @@ diff -r -c -N ../mcpp-2.7.2-old/src/main.c ./src/main.c } int mcpp_lib_main -diff -r -c -N ../mcpp-2.7.2-old/src/support.c ./src/support.c -*** ../mcpp-2.7.2-old/src/support.c Tue Jun 10 06:02:33 2008 ---- ./src/support.c Fri May 14 12:40:56 2010 -*************** -*** 188,194 **** - size_t length - ) - { -! if (mem_buf_p->bytes_avail < length) { /* Need to allocate more memory */ - size_t size = MAX( BUF_INCR_SIZE, length); - - if (mem_buf_p->buffer == NULL) { /* 1st append */ ---- 188,194 ---- - size_t length - ) - { -! if (mem_buf_p->bytes_avail < length + 1) { /* Need to allocate more memory */ - size_t size = MAX( BUF_INCR_SIZE, length); - - if (mem_buf_p->buffer == NULL) { /* 1st append */ -*************** -*** 1722,1727 **** ---- 1722,1729 ---- - sp -= 2; - while (*sp != '\n') /* Until end of line */ - mcpp_fputc( *sp++, OUT); -+ mcpp_fputc( '\n', OUT); -+ wrong_line = TRUE; - } - goto end_line; - default: /* Not a comment */ diff -r -c -N ../mcpp-2.7.2-old/src/system.c ./src/system.c *** ../mcpp-2.7.2-old/src/system.c 2008-11-26 10:53:51.000000000 +0100 --- ./src/system.c 2011-02-21 16:18:05.678058106 +0100 diff --git a/meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb b/meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb index b5ca495663..f8125f72d9 100644 --- a/meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb +++ b/meta-oe/recipes-devtools/mcpp/mcpp_2.7.2.bb @@ -4,7 +4,8 @@ LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=5ca370b75ec890321888a00cea9bc1d5" SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \ - file://ice-mcpp.patch " + file://ice-mcpp.patch \ + file://CVE-2019-14274.patch" SRC_URI[md5sum] = "512de48c87ab023a69250edc7a0c7b05" SRC_URI[sha256sum] = "3b9b4421888519876c4fc68ade324a3bbd81ceeb7092ecdbbc2055099fcb8864" diff --git a/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb b/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb index d410dc6e0a..90b55ad2df 100644 --- a/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb +++ b/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://NOTICE;md5=7a858c074723608e08614061dc044352 \ PV .= "+git${SRCPV}" -SRC_URI = "git://github.com/msgpack/msgpack-c \ +SRC_URI = "git://github.com/msgpack/msgpack-c;branch=master;protocol=https \ " # cpp-3.2.1 SRCREV = "8085ab8721090a447cf98bb802d1406ad7afe420" diff --git a/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb b/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb index 21d110aeea..9de6f8c99d 100644 --- a/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb +++ b/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f" DEPENDS = "protobuf-native" -SRC_URI = "git://github.com/nanopb/nanopb.git" +SRC_URI = "git://github.com/nanopb/nanopb.git;branch=master;protocol=https" SRCREV = "70f0de9877b1ce12abc0229d5df84db6349fcbfc" S = "${WORKDIR}/git" @@ -25,6 +25,6 @@ RDEPENDS_${PN} += "\ protobuf-compiler \ " -BBCLASSEXTEND = "native nativesdk" +BBCLASSEXTEND = "nativesdk" PNBLACKLIST[nanopb] = "Needs forward porting to use python3" diff --git a/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb b/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb index a97eb53c1d..62fdecf6ff 100644 --- a/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb +++ b/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.MIT;md5=b67209a1e36b682a8226de19d265b1e0" -SRC_URI = "git://github.com/nlohmann/fifo_map.git" +SRC_URI = "git://github.com/nlohmann/fifo_map.git;branch=master;protocol=https" PV = "1.0.0+git${SRCPV}" diff --git a/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb b/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb index 5766194d26..a7ba46c8d1 100644 --- a/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb +++ b/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.MIT;md5=f5f7c71504da070bcf4f090205ce1080" -SRC_URI = "git://github.com/nlohmann/json.git;nobranch=1 \ +SRC_URI = "git://github.com/nlohmann/json.git;branch=develop;protocol=https \ file://0001-Templatize-basic_json-ctor-from-json_ref.patch \ file://0001-typo-fix.patch \ " diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch new file mode 100644 index 0000000000..c719c9c3b0 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch @@ -0,0 +1,22 @@ +From 7d94bfe53beeb2d25eb5f2ff6b1d509df7e6ab80 Mon Sep 17 00:00:00 2001 +From: Zuzana Svetlikova <zsvetlik@redhat.com> +Date: Thu, 27 Apr 2017 14:25:42 +0200 +Subject: [PATCH] Disable running gyp on shared deps + +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 93d63110..79caaec2 100644 +--- a/Makefile ++++ b/Makefile +@@ -138,7 +138,7 @@ with-code-cache test-code-cache: + $(warning '$@' target is a noop) + + out/Makefile: config.gypi common.gypi node.gyp \ +- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \ ++ deps/llhttp/llhttp.gyp \ + tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ + tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp + $(PYTHON) tools/gyp_node.py -f make diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch new file mode 100644 index 0000000000..a23f1c243e --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch @@ -0,0 +1,53 @@ +From be8d3cd6eab4b8f9849133060abb1aba4400276b Mon Sep 17 00:00:00 2001 +From: Amy Huang <akhuang@google.com> +Date: Thu, 23 Apr 2020 11:25:53 -0700 +Subject: [PATCH] Remove use of register r7 because llvm now issues an error + when "r7" is used (starting in commit d85b3877) + +Bug: chromium:1073270 +Change-Id: I7ec8112f170b98d2edaf92bc9341e738f8de07a3 +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2163435 +Reviewed-by: Nico Weber <thakis@chromium.org> +Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> +Commit-Queue: Nico Weber <thakis@chromium.org> +Cr-Commit-Position: refs/heads/master@{#67371} +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- +Upstream-Status: Backport [https://chromium.googlesource.com/v8/v8/+/00604cd2806b5d26bef592dd19989a234bd07a4b%5E%21/] + deps/v8/src/codegen/arm/cpu-arm.cc | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/deps/v8/src/codegen/arm/cpu-arm.cc b/deps/v8/src/codegen/arm/cpu-arm.cc +index 868f360..654d68f 100644 +--- a/deps/v8/src/codegen/arm/cpu-arm.cc ++++ b/deps/v8/src/codegen/arm/cpu-arm.cc +@@ -30,18 +30,6 @@ V8_NOINLINE void CpuFeatures::FlushICache(void* start, size_t size) { + register uint32_t end asm("r1") = beg + size; + register uint32_t flg asm("r2") = 0; + +-#ifdef __clang__ +- // This variant of the asm avoids a constant pool entry, which can be +- // problematic when LTO'ing. It is also slightly shorter. +- register uint32_t scno asm("r7") = __ARM_NR_cacheflush; +- +- asm volatile("svc 0\n" +- : +- : "r"(beg), "r"(end), "r"(flg), "r"(scno) +- : "memory"); +-#else +- // Use a different variant of the asm with GCC because some versions doesn't +- // support r7 as an asm input. + asm volatile( + // This assembly works for both ARM and Thumb targets. + +@@ -59,7 +47,6 @@ V8_NOINLINE void CpuFeatures::FlushICache(void* start, size_t size) { + : "r"(beg), "r"(end), "r"(flg), [scno] "i"(__ARM_NR_cacheflush) + : "memory"); + #endif +-#endif + #endif // !USE_SIMULATOR + } + +-- +2.29.2 + diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch deleted file mode 100644 index 13edf229b3..0000000000 --- a/meta-oe/recipes-devtools/nodejs/nodejs/0001-build-allow-passing-multiple-libs-to-pkg_config.patch +++ /dev/null @@ -1,41 +0,0 @@ -From fdaa0e3bef93c5c72a7258b5f1e30718e7d81f9b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net> -Date: Mon, 2 Mar 2020 12:17:09 +0000 -Subject: [PATCH 1/2] build: allow passing multiple libs to pkg_config -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Sometimes it's necessary to pass multiple library names to pkg-config, -e.g. the brotli shared libraries can be pulled in with - pkg-config libbrotlienc libbrotlidec - -Update the code to handle both, strings (as used so far), and lists -of strings. - -Signed-off-by: André Draszik <git@andred.net> ---- -Upstream-Status: Submitted [https://github.com/nodejs/node/pull/32046] - configure.py | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/configure.py b/configure.py -index beb08df088..e3f78f2fed 100755 ---- a/configure.py -+++ b/configure.py -@@ -680,7 +680,11 @@ def pkg_config(pkg): - retval = () - for flag in ['--libs-only-l', '--cflags-only-I', - '--libs-only-L', '--modversion']: -- args += [flag, pkg] -+ args += [flag] -+ if isinstance(pkg, list): -+ args += pkg -+ else: -+ args += [pkg] - try: - proc = subprocess.Popen(shlex.split(pkg_config) + args, - stdout=subprocess.PIPE) --- -2.25.0 - diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch new file mode 100644 index 0000000000..8c5f75112d --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch @@ -0,0 +1,40 @@ +From e1d838089cd461d9efcf4d29d9f18f65994d2d6b Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Sun, 3 Oct 2021 22:48:39 +0200 +Subject: [PATCH] jinja/tests.py: add py 3.10 fix + +Upstream-Status: Pending +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + deps/v8/third_party/jinja2/tests.py | 2 +- + tools/inspector_protocol/jinja2/tests.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/deps/v8/third_party/jinja2/tests.py b/deps/v8/third_party/jinja2/tests.py +index 0adc3d4..b14f85f 100644 +--- a/deps/v8/third_party/jinja2/tests.py ++++ b/deps/v8/third_party/jinja2/tests.py +@@ -10,7 +10,7 @@ + """ + import operator + import re +-from collections import Mapping ++from collections.abc import Mapping + from jinja2.runtime import Undefined + from jinja2._compat import text_type, string_types, integer_types + import decimal +diff --git a/tools/inspector_protocol/jinja2/tests.py b/tools/inspector_protocol/jinja2/tests.py +index 0adc3d4..b14f85f 100644 +--- a/tools/inspector_protocol/jinja2/tests.py ++++ b/tools/inspector_protocol/jinja2/tests.py +@@ -10,7 +10,7 @@ + """ + import operator + import re +-from collections import Mapping ++from collections.abc import Mapping + from jinja2.runtime import Undefined + from jinja2._compat import text_type, string_types, integer_types + import decimal +-- +2.20.1 diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch new file mode 100644 index 0000000000..ee287bf94a --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch @@ -0,0 +1,27 @@ +From 0976af0f3b328436ea44a74a406f311adb2ab211 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Tue, 15 Jun 2021 19:01:31 -0700 +Subject: [PATCH] ppc64: Do not use -mminimal-toc with clang + +clang does not support this option + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + common.gypi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common.gypi b/common.gypi +index ee91fb1d..049c8f8c 100644 +--- a/common.gypi ++++ b/common.gypi +@@ -413,7 +413,7 @@ + 'ldflags': [ '-m32' ], + }], + [ 'target_arch=="ppc64" and OS!="aix"', { +- 'cflags': [ '-m64', '-mminimal-toc' ], ++ 'cflags': [ '-m64' ], + 'ldflags': [ '-m64' ], + }], + [ 'target_arch=="s390x"', { +-- +2.32.0 diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch new file mode 100644 index 0000000000..c6fc2dcd76 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch @@ -0,0 +1,62 @@ +From 6c3ac20477a4bac643088f24df3c042e627fafa9 Mon Sep 17 00:00:00 2001 +From: Guillaume Burel <guillaume.burel@stormshield.eu> +Date: Fri, 3 Jan 2020 11:25:54 +0100 +Subject: [PATCH] Using native binaries + +--- + node.gyp | 4 ++-- + tools/v8_gypfiles/v8.gyp | 11 ++++------- + 2 files changed, 6 insertions(+), 9 deletions(-) + +--- a/node.gyp ++++ b/node.gyp +@@ -487,6 +487,7 @@ + 'action_name': 'run_mkcodecache', + 'process_outputs_as_sources': 1, + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(mkcodecache_exec)', + ], + 'outputs': [ +@@ -512,6 +513,7 @@ + 'action_name': 'node_mksnapshot', + 'process_outputs_as_sources': 1, + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(node_mksnapshot_exec)', + ], + 'outputs': [ +--- a/tools/v8_gypfiles/v8.gyp ++++ b/tools/v8_gypfiles/v8.gyp +@@ -220,6 +220,7 @@ + { + 'action_name': 'run_torque_action', + 'inputs': [ # Order matters. ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)torque<(EXECUTABLE_SUFFIX)', + '<@(torque_files)', + ], +@@ -351,6 +352,7 @@ + { + 'action_name': 'generate_bytecode_builtins_list_action', + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)bytecode_builtins_list_generator<(EXECUTABLE_SUFFIX)', + ], + 'outputs': [ +@@ -533,6 +535,7 @@ + ], + }, + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(mksnapshot_exec)', + ], + 'outputs': [ +@@ -1448,6 +1451,7 @@ + { + 'action_name': 'run_gen-regexp-special-case_action', + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)gen-regexp-special-case<(EXECUTABLE_SUFFIX)', + ], + 'outputs': [ diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch deleted file mode 100644 index fc038f3aae..0000000000 --- a/meta-oe/recipes-devtools/nodejs/nodejs/0002-build-allow-use-of-system-installed-brotli.patch +++ /dev/null @@ -1,66 +0,0 @@ -From f0f927feee8cb1fb173835d5c3f6beb6bf7d5e54 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net> -Date: Mon, 2 Mar 2020 12:17:35 +0000 -Subject: [PATCH 2/2] build: allow use of system-installed brotli -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -brotli is available as a shared library since 2016, so it makes sense -to allow its use as a system-installed version. - -Some of the infrastructure was in place already (node.gyp and -node.gypi), but some bits in the configure script here were missing. - -Add them, keeping the default as before, to use the bundled version. - -Refs: https://github.com/google/brotli/pull/421 -Signed-off-by: André Draszik <git@andred.net> ---- -Upstream-Status: Submitted [https://github.com/nodejs/node/pull/32046] - configure.py | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/configure.py b/configure.py -index e3f78f2fed..0190e31b41 100755 ---- a/configure.py -+++ b/configure.py -@@ -301,6 +301,27 @@ shared_optgroup.add_option('--shared-zlib-libpath', - dest='shared_zlib_libpath', - help='a directory to search for the shared zlib DLL') - -+shared_optgroup.add_option('--shared-brotli', -+ action='store_true', -+ dest='shared_brotli', -+ help='link to a shared brotli DLL instead of static linking') -+ -+shared_optgroup.add_option('--shared-brotli-includes', -+ action='store', -+ dest='shared_brotli_includes', -+ help='directory containing brotli header files') -+ -+shared_optgroup.add_option('--shared-brotli-libname', -+ action='store', -+ dest='shared_brotli_libname', -+ default='brotlidec,brotlienc', -+ help='alternative lib name to link to [default: %default]') -+ -+shared_optgroup.add_option('--shared-brotli-libpath', -+ action='store', -+ dest='shared_brotli_libpath', -+ help='a directory to search for the shared brotli DLL') -+ - shared_optgroup.add_option('--shared-cares', - action='store_true', - dest='shared_cares', -@@ -1692,6 +1713,7 @@ configure_napi(output) - configure_library('zlib', output) - configure_library('http_parser', output) - configure_library('libuv', output) -+configure_library('brotli', output, pkgname=['libbrotlidec', 'libbrotlienc']) - configure_library('cares', output, pkgname='libcares') - configure_library('nghttp2', output, pkgname='libnghttp2') - configure_v8(output) --- -2.25.0 - diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch new file mode 100644 index 0000000000..3c4b2317d8 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch @@ -0,0 +1,84 @@ +From 5b22fac923d1ca3e9fefb97f5a171124a88f5e22 Mon Sep 17 00:00:00 2001 +From: Elliott Sales de Andrade <quantum.analyst@gmail.com> +Date: Tue, 19 Mar 2019 23:22:40 -0400 +Subject: [PATCH] Install both binaries and use libdir. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This allows us to build with a shared library for other users while +still providing the normal executable. + +Taken from - https://src.fedoraproject.org/rpms/nodejs/raw/rawhide/f/0002-Install-both-binaries-and-use-libdir.patch + +Upstream-Status: Pending + +Signed-off-by: Elliott Sales de Andrade <quantum.analyst@gmail.com> +Signed-off-by: Andreas Müller <schnitzeltony@gmail.com> +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + configure.py | 7 +++++++ + tools/install.py | 21 +++++++++------------ + 2 files changed, 16 insertions(+), 12 deletions(-) + +diff --git a/configure.py b/configure.py +index e6f7e4db..6cf5c45d 100755 +--- a/configure.py ++++ b/configure.py +@@ -626,6 +626,12 @@ parser.add_option('--shared', + help='compile shared library for embedding node in another project. ' + + '(This mode is not officially supported for regular applications)') + ++parser.add_option('--libdir', ++ action='store', ++ dest='libdir', ++ default='lib', ++ help='a directory to install the shared library into') ++ + parser.add_option('--without-v8-platform', + action='store_true', + dest='without_v8_platform', +@@ -1202,6 +1208,7 @@ def configure_node(o): + o['variables']['node_no_browser_globals'] = b(options.no_browser_globals) + + o['variables']['node_shared'] = b(options.shared) ++ o['variables']['libdir'] = options.libdir + node_module_version = getmoduleversion.get_version() + + if options.dest_os == 'android': +diff --git a/tools/install.py b/tools/install.py +index 729b416f..9bfc6234 100755 +--- a/tools/install.py ++++ b/tools/install.py +@@ -121,22 +121,19 @@ def subdir_files(path, dest, action): + + def files(action): + is_windows = sys.platform == 'win32' +- output_file = 'node' + output_prefix = 'out/Release/' ++ output_libprefix = output_prefix + +- if 'false' == variables.get('node_shared'): +- if is_windows: +- output_file += '.exe' ++ if is_windows: ++ output_bin = 'node.exe' ++ output_lib = 'node.dll' + else: +- if is_windows: +- output_file += '.dll' +- else: +- output_file = 'lib' + output_file + '.' + variables.get('shlib_suffix') ++ output_bin = 'node' ++ output_lib = 'libnode.' + variables.get('shlib_suffix') + +- if 'false' == variables.get('node_shared'): +- action([output_prefix + output_file], 'bin/' + output_file) +- else: +- action([output_prefix + output_file], 'lib/' + output_file) ++ action([output_prefix + output_bin], 'bin/' + output_bin) ++ if 'true' == variables.get('node_shared'): ++ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib) + + if 'true' == variables.get('node_use_dtrace'): + action(['out/Release/node.d'], 'lib/dtrace/node.d') diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir.patch index 599f742b2f..92386fa779 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir.patch +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir.patch @@ -20,11 +20,9 @@ Signed-off-by: Andreas Müller <schnitzeltony@gmail.com> tools/install.py | 31 ++++++++++++++----------------- 2 files changed, 21 insertions(+), 17 deletions(-) -diff --git a/configure.py b/configure.py -index 20cce214db..e2d78a2a51 100755 --- a/configure.py +++ b/configure.py -@@ -559,6 +559,12 @@ parser.add_option('--shared', +@@ -602,6 +602,12 @@ parser.add_option('--shared', help='compile shared library for embedding node in another project. ' + '(This mode is not officially supported for regular applications)') @@ -37,16 +35,14 @@ index 20cce214db..e2d78a2a51 100755 parser.add_option('--without-v8-platform', action='store_true', dest='without_v8_platform', -@@ -1103,6 +1109,7 @@ def configure_node(o): - if o['variables']['want_separate_host_toolset'] == 0: - o['variables']['node_code_cache'] = 'yes' # For testing +@@ -1168,6 +1174,7 @@ def configure_node(o): + o['variables']['node_no_browser_globals'] = b(options.no_browser_globals) + o['variables']['node_shared'] = b(options.shared) + o['variables']['libdir'] = options.libdir node_module_version = getmoduleversion.get_version() - if sys.platform == 'darwin': -diff --git a/tools/install.py b/tools/install.py -index 655802980a..fe4723bf15 100755 + if options.dest_os == 'android': --- a/tools/install.py +++ b/tools/install.py @@ -121,26 +121,23 @@ def subdir_files(path, dest, action): @@ -72,24 +68,20 @@ index 655802980a..fe4723bf15 100755 - # in its source - see the _InstallableTargetInstallPath function. - if sys.platform != 'darwin': - output_prefix += 'lib.target/' -- -- if 'false' == variables.get('node_shared'): -- action([output_prefix + output_file], 'bin/' + output_file) -- else: -- action([output_prefix + output_file], 'lib/' + output_file) + output_bin = 'node' + output_lib = 'libnode.' + variables.get('shlib_suffix') + # GYP will output to lib.target except on OS X, this is hardcoded + # in its source - see the _InstallableTargetInstallPath function. + if sys.platform != 'darwin': + output_libprefix += 'lib.target/' -+ + +- if 'false' == variables.get('node_shared'): +- action([output_prefix + output_file], 'bin/' + output_file) +- else: +- action([output_prefix + output_file], 'lib/' + output_file) + action([output_prefix + output_bin], 'bin/' + output_bin) + if 'true' == variables.get('node_shared'): + action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib) if 'true' == variables.get('node_use_dtrace'): action(['out/Release/node.d'], 'lib/dtrace/node.d') --- -2.20.1 - diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-32212.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-32212.patch new file mode 100644 index 0000000000..f7b4b61f47 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-32212.patch @@ -0,0 +1,133 @@ +commit 48c5aa5cab718d04473fa2761d532657c84b8131 +Author: Tobias Nießen <tniessen@tnie.de> +Date: Fri May 27 21:18:49 2022 +0000 + + src: fix IPv4 validation in inspector_socket + + Co-authored-by: RafaelGSS <rafael.nunu@hotmail.com> + PR-URL: https://github.com/nodejs-private/node-private/pull/320 + Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/325 + Reviewed-By: Matteo Collina <matteo.collina@gmail.com> + Reviewed-By: RafaelGSS <rafael.nunu@hotmail.com> + CVE-ID: CVE-2022-32212 + +CVE: CVE-2022-32212 +Upstream-Status: Backport [https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-32212.patch] +Comment: No hunks refreshed +Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> + +Index: nodejs-12.22.12~dfsg/src/inspector_socket.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/inspector_socket.cc ++++ nodejs-12.22.12~dfsg/src/inspector_socket.cc +@@ -168,14 +168,22 @@ static std::string TrimPort(const std::s + static bool IsIPAddress(const std::string& host) { + if (host.length() >= 4 && host.front() == '[' && host.back() == ']') + return true; +- int quads = 0; ++ uint_fast16_t accum = 0; ++ uint_fast8_t quads = 0; ++ bool empty = true; ++ auto endOctet = [&accum, &quads, &empty](bool final = false) { ++ return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) && ++ (empty = true) && !(accum = 0); ++ }; + for (char c : host) { +- if (c == '.') +- quads++; +- else if (!isdigit(c)) ++ if (isdigit(c)) { ++ if ((accum = (accum * 10) + (c - '0')) > 0xff) return false; ++ empty = false; ++ } else if (c != '.' || !endOctet()) { + return false; ++ } + } +- return quads == 3; ++ return endOctet(true); + } + + // Constants for hybi-10 frame format. +Index: nodejs-12.22.12~dfsg/test/cctest/test_inspector_socket.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/test/cctest/test_inspector_socket.cc ++++ nodejs-12.22.12~dfsg/test/cctest/test_inspector_socket.cc +@@ -851,4 +851,78 @@ TEST_F(InspectorSocketTest, HostCheckedF + expect_failure_no_delegate(UPGRADE_REQUEST); + } + ++TEST_F(InspectorSocketTest, HostIPChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 10.0.2.555:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostNegativeIPChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 10.0.-23.255:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpOctetOutOfIntRangeChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = ++ "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.0.4294967296:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpOctetFarOutOfIntRangeChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = ++ "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.0.18446744073709552000:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpEmptyOctetStartChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: .0.0.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpEmptyOctetMidChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 127..0.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpEmptyOctetEndChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.0.:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpTooFewOctetsChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpTooManyOctetsChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 127.0.0.0.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ + } // anonymous namespace diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-35255.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-35255.patch new file mode 100644 index 0000000000..e9c2e7404a --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-35255.patch @@ -0,0 +1,237 @@ +Origin: https://github.com/nodejs/node/commit/0c2a5723beff39d1f62daec96b5389da3d427e79 +Reviewed-by: Aron Xu <aron@debian.org> +Last-Update: 2022-01-05 +Comment: + Although WebCrypto is not implemented in 12.x series, this fix is introducing + enhancment to the crypto setup of V8:EntropySource(). + +commit 0c2a5723beff39d1f62daec96b5389da3d427e79 +Author: Ben Noordhuis <info@bnoordhuis.nl> +Date: Sun Sep 11 10:48:34 2022 +0200 + + crypto: fix weak randomness in WebCrypto keygen + + Commit dae283d96f from August 2020 introduced a call to EntropySource() + in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There + are two problems with that: + + 1. It does not check the return value, it assumes EntropySource() always + succeeds, but it can (and sometimes will) fail. + + 2. The random data returned byEntropySource() may not be + cryptographically strong and therefore not suitable as keying + material. + + An example is a freshly booted system or a system without /dev/random or + getrandom(2). + + EntropySource() calls out to openssl's RAND_poll() and RAND_bytes() in a + best-effort attempt to obtain random data. OpenSSL has a built-in CSPRNG + but that can fail to initialize, in which case it's possible either: + + 1. No random data gets written to the output buffer, i.e., the output is + unmodified, or + + 2. Weak random data is written. It's theoretically possible for the + output to be fully predictable because the CSPRNG starts from a + predictable state. + + Replace EntropySource() and CheckEntropy() with new function CSPRNG() + that enforces checking of the return value. Abort on startup when the + entropy pool fails to initialize because that makes it too easy to + compromise the security of the process. + + Refs: https://hackerone.com/bugs?report_id=1690000 + Refs: https://github.com/nodejs/node/pull/35093 + + Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> + Reviewed-By: Tobias Nießen <tniessen@tnie.de> + PR-URL: #346 + Backport-PR-URL: #351 + CVE-ID: CVE-2022-35255 + +CVE: CVE-2022-35255 +Upstream-Status: Backport [https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-35255.patch] +Comment: No hunks refreshed +Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> + +Index: nodejs-12.22.12~dfsg/node.gyp +=================================================================== +--- nodejs-12.22.12~dfsg.orig/node.gyp ++++ nodejs-12.22.12~dfsg/node.gyp +@@ -743,6 +743,8 @@ + 'openssl_default_cipher_list%': '', + }, + ++ 'cflags': ['-Werror=unused-result'], ++ + 'defines': [ + 'NODE_ARCH="<(target_arch)"', + 'NODE_PLATFORM="<(OS)"', +Index: nodejs-12.22.12~dfsg/src/node_crypto.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/node_crypto.cc ++++ nodejs-12.22.12~dfsg/src/node_crypto.cc +@@ -386,48 +386,14 @@ void ThrowCryptoError(Environment* env, + env->isolate()->ThrowException(exception); + } + ++MUST_USE_RESULT CSPRNGResult CSPRNG(void* buffer, size_t length) { ++ do { ++ if (1 == RAND_status()) ++ if (1 == RAND_bytes(static_cast<unsigned char*>(buffer), length)) ++ return {true}; ++ } while (1 == RAND_poll()); + +-// Ensure that OpenSSL has enough entropy (at least 256 bits) for its PRNG. +-// The entropy pool starts out empty and needs to fill up before the PRNG +-// can be used securely. Once the pool is filled, it never dries up again; +-// its contents is stirred and reused when necessary. +-// +-// OpenSSL normally fills the pool automatically but not when someone starts +-// generating random numbers before the pool is full: in that case OpenSSL +-// keeps lowering the entropy estimate to thwart attackers trying to guess +-// the initial state of the PRNG. +-// +-// When that happens, we will have to wait until enough entropy is available. +-// That should normally never take longer than a few milliseconds. +-// +-// OpenSSL draws from /dev/random and /dev/urandom. While /dev/random may +-// block pending "true" randomness, /dev/urandom is a CSPRNG that doesn't +-// block under normal circumstances. +-// +-// The only time when /dev/urandom may conceivably block is right after boot, +-// when the whole system is still low on entropy. That's not something we can +-// do anything about. +-inline void CheckEntropy() { +- for (;;) { +- int status = RAND_status(); +- CHECK_GE(status, 0); // Cannot fail. +- if (status != 0) +- break; +- +- // Give up, RAND_poll() not supported. +- if (RAND_poll() == 0) +- break; +- } +-} +- +- +-bool EntropySource(unsigned char* buffer, size_t length) { +- // Ensure that OpenSSL's PRNG is properly seeded. +- CheckEntropy(); +- // RAND_bytes() can return 0 to indicate that the entropy data is not truly +- // random. That's okay, it's still better than V8's stock source of entropy, +- // which is /dev/urandom on UNIX platforms and the current time on Windows. +- return RAND_bytes(buffer, length) != -1; ++ return {false}; + } + + void SecureContext::Initialize(Environment* env, Local<Object> target) { +@@ -649,9 +615,9 @@ void SecureContext::Init(const FunctionC + // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was + // exposed in the public API. To retain compatibility, install a callback + // which restores the old algorithm. +- if (RAND_bytes(sc->ticket_key_name_, sizeof(sc->ticket_key_name_)) <= 0 || +- RAND_bytes(sc->ticket_key_hmac_, sizeof(sc->ticket_key_hmac_)) <= 0 || +- RAND_bytes(sc->ticket_key_aes_, sizeof(sc->ticket_key_aes_)) <= 0) { ++ if (CSPRNG(sc->ticket_key_name_, sizeof(sc->ticket_key_name_)).is_err() || ++ CSPRNG(sc->ticket_key_hmac_, sizeof(sc->ticket_key_hmac_)).is_err() || ++ CSPRNG(sc->ticket_key_aes_, sizeof(sc->ticket_key_aes_)).is_err()) { + return env->ThrowError("Error generating ticket keys"); + } + SSL_CTX_set_tlsext_ticket_key_cb(sc->ctx_.get(), TicketCompatibilityCallback); +@@ -1643,7 +1609,7 @@ int SecureContext::TicketCompatibilityCa + + if (enc) { + memcpy(name, sc->ticket_key_name_, sizeof(sc->ticket_key_name_)); +- if (RAND_bytes(iv, 16) <= 0 || ++ if (CSPRNG(iv, 16).is_err() || + EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), nullptr, + sc->ticket_key_aes_, iv) <= 0 || + HMAC_Init_ex(hctx, sc->ticket_key_hmac_, sizeof(sc->ticket_key_hmac_), +@@ -5867,8 +5833,7 @@ struct RandomBytesJob : public CryptoJob + : CryptoJob(env), rc(Nothing<int>()) {} + + inline void DoThreadPoolWork() override { +- CheckEntropy(); // Ensure that OpenSSL's PRNG is properly seeded. +- rc = Just(RAND_bytes(data, size)); ++ rc = Just(int(CSPRNG(data, size).is_ok())); + if (0 == rc.FromJust()) errors.Capture(); + } + +@@ -6318,8 +6283,8 @@ class GenerateKeyPairJob : public Crypto + } + + inline bool GenerateKey() { +- // Make sure that the CSPRNG is properly seeded so the results are secure. +- CheckEntropy(); ++ // Make sure that the CSPRNG is properly seeded. ++ CHECK(CSPRNG(nullptr, 0).is_ok()); + + // Create the key generation context. + EVPKeyCtxPointer ctx = config_->Setup(); +Index: nodejs-12.22.12~dfsg/src/node_crypto.h +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/node_crypto.h ++++ nodejs-12.22.12~dfsg/src/node_crypto.h +@@ -840,7 +840,19 @@ class ECDH final : public BaseObject { + const EC_GROUP* group_; + }; + +-bool EntropySource(unsigned char* buffer, size_t length); ++struct CSPRNGResult { ++ const bool ok; ++ MUST_USE_RESULT bool is_ok() const { return ok; } ++ MUST_USE_RESULT bool is_err() const { return !ok; } ++}; ++ ++// Either succeeds with exactly |length| bytes of cryptographically ++// strong pseudo-random data, or fails. This function may block. ++// Don't assume anything about the contents of |buffer| on error. ++// As a special case, |length == 0| can be used to check if the CSPRNG ++// is properly seeded without consuming entropy. ++MUST_USE_RESULT CSPRNGResult CSPRNG(void* buffer, size_t length); ++ + #ifndef OPENSSL_NO_ENGINE + void SetEngine(const v8::FunctionCallbackInfo<v8::Value>& args); + #endif // !OPENSSL_NO_ENGINE +Index: nodejs-12.22.12~dfsg/src/inspector_io.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/inspector_io.cc ++++ nodejs-12.22.12~dfsg/src/inspector_io.cc +@@ -46,8 +46,7 @@ std::string ScriptPath(uv_loop_t* loop, + // Used ver 4 - with numbers + std::string GenerateID() { + uint16_t buffer[8]; +- CHECK(crypto::EntropySource(reinterpret_cast<unsigned char*>(buffer), +- sizeof(buffer))); ++ CHECK(crypto::CSPRNG(buffer, sizeof(buffer)).is_ok()); + + char uuid[256]; + snprintf(uuid, sizeof(uuid), "%04x%04x-%04x-%04x-%04x-%04x%04x%04x", +Index: nodejs-12.22.12~dfsg/src/node.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/node.cc ++++ nodejs-12.22.12~dfsg/src/node.cc +@@ -969,9 +969,17 @@ InitializationResult InitializeOncePerPr + // the random source is properly initialized first. + OPENSSL_init(); + #endif // NODE_FIPS_MODE +- // V8 on Windows doesn't have a good source of entropy. Seed it from +- // OpenSSL's pool. +- V8::SetEntropySource(crypto::EntropySource); ++ // Ensure CSPRNG is properly seeded. ++ CHECK(crypto::CSPRNG(nullptr, 0).is_ok()); ++ ++ V8::SetEntropySource([](unsigned char* buffer, size_t length) { ++ // V8 falls back to very weak entropy when this function fails ++ // and /dev/urandom isn't available. That wouldn't be so bad if ++ // the entropy was only used for Math.random() but it's also used for ++ // hash table and address space layout randomization. Better to abort. ++ CHECK(crypto::CSPRNG(buffer, length).is_ok()); ++ return true; ++ }); + #endif // HAVE_OPENSSL + + per_process::v8_platform.Initialize( diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-43548.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-43548.patch new file mode 100644 index 0000000000..54da1fba99 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2022-43548.patch @@ -0,0 +1,214 @@ +commit 2b433af094fb79cf80f086038b7f36342cb6826f +Author: Tobias Nießen <tniessen@tnie.de> +Date: Sun Sep 25 12:34:05 2022 +0000 + + inspector: harden IP address validation again + + Use inet_pton() to parse IP addresses, which restricts IP addresses + to a small number of well-defined formats. In particular, octal and + hexadecimal number formats are not allowed, and neither are leading + zeros. Also explicitly reject 0.0.0.0/8 and ::/128 as non-routable. + + Refs: https://hackerone.com/reports/1710652 + CVE-ID: CVE-2022-43548 + PR-URL: https://github.com/nodejs-private/node-private/pull/354 + Reviewed-by: Michael Dawson <midawson@redhat.com> + Reviewed-by: Rafael Gonzaga <rafael.nunu@hotmail.com> + Reviewed-by: Rich Trott <rtrott@gmail.com> + +CVE: CVE-2022-43548 +Upstream-Status: Backport [https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-2022-43548.patch] +Comment: No hunks refreshed +Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> + +Index: nodejs-12.22.12~dfsg/src/inspector_socket.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/src/inspector_socket.cc ++++ nodejs-12.22.12~dfsg/src/inspector_socket.cc +@@ -10,6 +10,7 @@ + + #include "openssl/sha.h" // Sha-1 hash + ++#include <algorithm> + #include <cstring> + #include <map> + +@@ -166,25 +167,71 @@ static std::string TrimPort(const std::s + } + + static bool IsIPAddress(const std::string& host) { +- if (host.length() >= 4 && host.front() == '[' && host.back() == ']') ++ // TODO(tniessen): add CVEs to the following bullet points ++ // To avoid DNS rebinding attacks, we are aware of the following requirements: ++ // * the host name must be an IP address, ++ // * the IP address must be routable, and ++ // * the IP address must be formatted unambiguously. ++ ++ // The logic below assumes that the string is null-terminated, so ensure that ++ // we did not somehow end up with null characters within the string. ++ if (host.find('\0') != std::string::npos) return false; ++ ++ // All IPv6 addresses must be enclosed in square brackets, and anything ++ // enclosed in square brackets must be an IPv6 address. ++ if (host.length() >= 4 && host.front() == '[' && host.back() == ']') { ++ // INET6_ADDRSTRLEN is the maximum length of the dual format (including the ++ // terminating null character), which is the longest possible representation ++ // of an IPv6 address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:ddd.ddd.ddd.ddd ++ if (host.length() - 2 >= INET6_ADDRSTRLEN) return false; ++ ++ // Annoyingly, libuv's implementation of inet_pton() deviates from other ++ // implementations of the function in that it allows '%' in IPv6 addresses. ++ if (host.find('%') != std::string::npos) return false; ++ ++ // Parse the IPv6 address to ensure it is syntactically valid. ++ char ipv6_str[INET6_ADDRSTRLEN]; ++ std::copy(host.begin() + 1, host.end() - 1, ipv6_str); ++ ipv6_str[host.length()] = '\0'; ++ unsigned char ipv6[sizeof(struct in6_addr)]; ++ if (uv_inet_pton(AF_INET6, ipv6_str, ipv6) != 0) return false; ++ ++ // The only non-routable IPv6 address is ::/128. It should not be necessary ++ // to explicitly reject it because it will still be enclosed in square ++ // brackets and not even macOS should make DNS requests in that case, but ++ // history has taught us that we cannot be careful enough. ++ // Note that RFC 4291 defines both "IPv4-Compatible IPv6 Addresses" and ++ // "IPv4-Mapped IPv6 Addresses", which means that there are IPv6 addresses ++ // (other than ::/128) that represent non-routable IPv4 addresses. However, ++ // this translation assumes that the host is interpreted as an IPv6 address ++ // in the first place, at which point DNS rebinding should not be an issue. ++ if (std::all_of(ipv6, ipv6 + sizeof(ipv6), [](auto b) { return b == 0; })) { ++ return false; ++ } ++ ++ // It is a syntactically valid and routable IPv6 address enclosed in square ++ // brackets. No client should be able to misinterpret this. + return true; +- uint_fast16_t accum = 0; +- uint_fast8_t quads = 0; +- bool empty = true; +- auto endOctet = [&accum, &quads, &empty](bool final = false) { +- return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) && +- (empty = true) && !(accum = 0); +- }; +- for (char c : host) { +- if (isdigit(c)) { +- if ((accum = (accum * 10) + (c - '0')) > 0xff) return false; +- empty = false; +- } else if (c != '.' || !endOctet()) { +- return false; +- } +- } +- return endOctet(true); +-} ++ } ++ ++ // Anything not enclosed in square brackets must be an IPv4 address. It is ++ // important here that inet_pton() accepts only the so-called dotted-decimal ++ // notation, which is a strict subset of the so-called numbers-and-dots ++ // notation that is allowed by inet_aton() and inet_addr(). This subset does ++ // not allow hexadecimal or octal number formats. ++ unsigned char ipv4[sizeof(struct in_addr)]; ++ if (uv_inet_pton(AF_INET, host.c_str(), ipv4) != 0) return false; ++ ++ // The only strictly non-routable IPv4 address is 0.0.0.0, and macOS will make ++ // DNS requests for this IP address, so we need to explicitly reject it. In ++ // fact, we can safely reject all of 0.0.0.0/8 (see Section 3.2 of RFC 791 and ++ // Section 3.2.1.3 of RFC 1122). ++ // Note that inet_pton() stores the IPv4 address in network byte order. ++ if (ipv4[0] == 0) return false; ++ ++ // It is a routable IPv4 address in dotted-decimal notation. ++ return true; ++ } + + // Constants for hybi-10 frame format. + +Index: nodejs-12.22.12~dfsg/test/cctest/test_inspector_socket.cc +=================================================================== +--- nodejs-12.22.12~dfsg.orig/test/cctest/test_inspector_socket.cc ++++ nodejs-12.22.12~dfsg/test/cctest/test_inspector_socket.cc +@@ -925,4 +925,84 @@ TEST_F(InspectorSocketTest, HostIpTooMan + expect_handshake_failure(); + } + ++TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetStartChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 08.1.1.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetMidChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 1.09.1.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpInvalidOctalOctetEndChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 1.1.1.009:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpLeadingZeroStartChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 01.1.1.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpLeadingZeroMidChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 1.1.001.1:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIpLeadingZeroEndChecked) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: 1.1.1.01:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIPv6NonRoutable) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: [::]:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIPv6NonRoutableDual) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: [::0.0.0.0]:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIPv4InSquareBrackets) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: [127.0.0.1]:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ ++TEST_F(InspectorSocketTest, HostIPv6InvalidAbbreviation) { ++ const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n" ++ "Host: [:::1]:9229\r\n\r\n"; ++ send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(), ++ INVALID_HOST_IP_REQUEST.length()); ++ expect_handshake_failure(); ++} ++ + } // anonymous namespace diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-llhttp.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-llhttp.patch new file mode 100644 index 0000000000..790cf92d2e --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-llhttp.patch @@ -0,0 +1,4348 @@ +Reviewed-by: Aron Xu <aron@debian.org> +Last-Update: 2023-01-05 +Comment: + This patch updates the embeded copy of llhttp from version 2.1.4 to 2.1.6, + which is upstream's actual fix for CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, + CVE-2022-35256. + Test cases are ported to use mustCall() to replace the later introduced + mustSucceed(), to avoid pulling in too many dependent new test codes. +References: + * https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd + * https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 + +CVE: CVE-2022-32213 CVE-2022-32214 CVE-2022-32215 CVE-2022-35256 +Upstream-Status: Backport [https://sources.debian.org/src/nodejs/12.22.12~dfsg-1~deb11u3/debian/patches/cve-llhttp.patch] +Comment: No hunks refreshed +Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> + +--- nodejs-12.22.12~dfsg/deps/llhttp/include/llhttp.h ++++ nodejs-12.22.12~dfsg/deps/llhttp/include/llhttp.h +@@ -3,7 +3,7 @@ + + #define LLHTTP_VERSION_MAJOR 2 + #define LLHTTP_VERSION_MINOR 1 +-#define LLHTTP_VERSION_PATCH 4 ++#define LLHTTP_VERSION_PATCH 6 + + #ifndef LLHTTP_STRICT_MODE + # define LLHTTP_STRICT_MODE 0 +@@ -58,6 +58,7 @@ + HPE_OK = 0, + HPE_INTERNAL = 1, + HPE_STRICT = 2, ++ HPE_CR_EXPECTED = 25, + HPE_LF_EXPECTED = 3, + HPE_UNEXPECTED_CONTENT_LENGTH = 4, + HPE_CLOSED_CONNECTION = 5, +@@ -78,7 +79,7 @@ + HPE_CB_CHUNK_COMPLETE = 20, + HPE_PAUSED = 21, + HPE_PAUSED_UPGRADE = 22, +- HPE_USER = 23 ++ HPE_USER = 24 + }; + typedef enum llhttp_errno llhttp_errno_t; + +@@ -153,6 +154,7 @@ + XX(0, OK, OK) \ + XX(1, INTERNAL, INTERNAL) \ + XX(2, STRICT, STRICT) \ ++ XX(25, CR_EXPECTED, CR_EXPECTED) \ + XX(3, LF_EXPECTED, LF_EXPECTED) \ + XX(4, UNEXPECTED_CONTENT_LENGTH, UNEXPECTED_CONTENT_LENGTH) \ + XX(5, CLOSED_CONNECTION, CLOSED_CONNECTION) \ +@@ -173,7 +175,7 @@ + XX(20, CB_CHUNK_COMPLETE, CB_CHUNK_COMPLETE) \ + XX(21, PAUSED, PAUSED) \ + XX(22, PAUSED_UPGRADE, PAUSED_UPGRADE) \ +- XX(23, USER, USER) \ ++ XX(24, USER, USER) \ + + + #define HTTP_METHOD_MAP(XX) \ +--- nodejs-12.22.12~dfsg/deps/llhttp/src/llhttp.c ++++ nodejs-12.22.12~dfsg/deps/llhttp/src/llhttp.c +@@ -325,6 +325,7 @@ + s_n_llhttp__internal__n_header_value_lws, + s_n_llhttp__internal__n_header_value_almost_done, + s_n_llhttp__internal__n_header_value_lenient, ++ s_n_llhttp__internal__n_error_25, + s_n_llhttp__internal__n_header_value_otherwise, + s_n_llhttp__internal__n_header_value_connection_token, + s_n_llhttp__internal__n_header_value_connection_ws, +@@ -332,14 +333,16 @@ + s_n_llhttp__internal__n_header_value_connection_2, + s_n_llhttp__internal__n_header_value_connection_3, + s_n_llhttp__internal__n_header_value_connection, +- s_n_llhttp__internal__n_error_26, + s_n_llhttp__internal__n_error_27, ++ s_n_llhttp__internal__n_error_28, + s_n_llhttp__internal__n_header_value_content_length_ws, + s_n_llhttp__internal__n_header_value_content_length, +- s_n_llhttp__internal__n_header_value_te_chunked_last, ++ s_n_llhttp__internal__n_error_30, ++ s_n_llhttp__internal__n_error_29, + s_n_llhttp__internal__n_header_value_te_token_ows, + s_n_llhttp__internal__n_header_value, + s_n_llhttp__internal__n_header_value_te_token, ++ s_n_llhttp__internal__n_header_value_te_chunked_last, + s_n_llhttp__internal__n_header_value_te_chunked, + s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1, + s_n_llhttp__internal__n_header_value_discard_ws, +@@ -734,7 +737,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_2( ++int llhttp__internal__c_update_header_state_3( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -742,7 +745,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_4( ++int llhttp__internal__c_update_header_state_1( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -750,7 +753,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_5( ++int llhttp__internal__c_update_header_state_6( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -758,7 +761,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_6( ++int llhttp__internal__c_update_header_state_7( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -766,7 +769,7 @@ + return 0; + } + +-int llhttp__internal__c_test_flags_6( ++int llhttp__internal__c_test_flags_7( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -807,6 +810,13 @@ + return 0; + } + ++int llhttp__internal__c_test_flags_8( ++ llhttp__internal_t* state, ++ const unsigned char* p, ++ const unsigned char* endp) { ++ return (state->flags & 8) == 8; ++} ++ + int llhttp__internal__c_or_flags_16( + llhttp__internal_t* state, + const unsigned char* p, +@@ -823,7 +833,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_7( ++int llhttp__internal__c_update_header_state_8( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -831,7 +841,7 @@ + return 0; + } + +-int llhttp__internal__c_or_flags_17( ++int llhttp__internal__c_or_flags_18( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -1554,7 +1564,7 @@ + goto s_n_llhttp__internal__n_header_value_discard_lws; + } + default: { +- goto s_n_llhttp__internal__n_error_22; ++ goto s_n_llhttp__internal__n_error_23; + } + } + /* UNREACHABLE */; +@@ -1567,13 +1577,13 @@ + } + switch (*p) { + case 9: { +- goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_3; + } + case ' ': { +- goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_3; + } + default: { +- goto s_n_llhttp__internal__n_invoke_load_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_4; + } + } + /* UNREACHABLE */; +@@ -1590,7 +1600,7 @@ + goto s_n_llhttp__internal__n_header_value_lws; + } + default: { +- goto s_n_llhttp__internal__n_error_23; ++ goto s_n_llhttp__internal__n_error_24; + } + } + /* UNREACHABLE */; +@@ -1603,10 +1613,10 @@ + } + switch (*p) { + case 10: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3; + } + case 13: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4; + } + default: { + p++; +@@ -1616,20 +1626,27 @@ + /* UNREACHABLE */; + abort(); + } ++ case s_n_llhttp__internal__n_error_25: ++ s_n_llhttp__internal__n_error_25: { ++ state->error = 0xa; ++ state->reason = "Invalid header value char"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } + case s_n_llhttp__internal__n_header_value_otherwise: + s_n_llhttp__internal__n_header_value_otherwise: { + if (p == endp) { + return s_n_llhttp__internal__n_header_value_otherwise; + } + switch (*p) { +- case 10: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; +- } + case 13: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; + } + default: { +- goto s_n_llhttp__internal__n_invoke_test_flags_5; ++ goto s_n_llhttp__internal__n_invoke_test_flags_6; + } + } + /* UNREACHABLE */; +@@ -1692,10 +1709,10 @@ + } + case ',': { + p++; +- goto s_n_llhttp__internal__n_invoke_load_header_state_4; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_5; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_4; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_5; + } + } + /* UNREACHABLE */; +@@ -1713,7 +1730,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_2; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_3; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_1; +@@ -1737,7 +1754,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_5; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_6; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_2; +@@ -1761,7 +1778,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_6; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_7; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_3; +@@ -1806,8 +1823,8 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_error_26: +- s_n_llhttp__internal__n_error_26: { ++ case s_n_llhttp__internal__n_error_27: ++ s_n_llhttp__internal__n_error_27: { + state->error = 0xb; + state->reason = "Content-Length overflow"; + state->error_pos = (const char*) p; +@@ -1816,8 +1833,8 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_error_27: +- s_n_llhttp__internal__n_error_27: { ++ case s_n_llhttp__internal__n_error_28: ++ s_n_llhttp__internal__n_error_28: { + state->error = 0xb; + state->reason = "Invalid character in Content-Length"; + state->error_pos = (const char*) p; +@@ -1843,7 +1860,7 @@ + goto s_n_llhttp__internal__n_header_value_content_length_ws; + } + default: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_6; + } + } + /* UNREACHABLE */; +@@ -1912,26 +1929,23 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_header_value_te_chunked_last: +- s_n_llhttp__internal__n_header_value_te_chunked_last: { +- if (p == endp) { +- return s_n_llhttp__internal__n_header_value_te_chunked_last; +- } +- switch (*p) { +- case 10: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_7; +- } +- case 13: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_7; +- } +- case ' ': { +- p++; +- goto s_n_llhttp__internal__n_header_value_te_chunked_last; +- } +- default: { +- goto s_n_llhttp__internal__n_header_value_te_chunked; +- } +- } ++ case s_n_llhttp__internal__n_error_30: ++ s_n_llhttp__internal__n_error_30: { ++ state->error = 0xf; ++ state->reason = "Invalid `Transfer-Encoding` header value"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_error_29: ++ s_n_llhttp__internal__n_error_29: { ++ state->error = 0xf; ++ state->reason = "Invalid `Transfer-Encoding` header value"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; + /* UNREACHABLE */; + abort(); + } +@@ -2048,8 +2062,34 @@ + goto s_n_llhttp__internal__n_header_value_te_token_ows; + } + default: { ++ goto s_n_llhttp__internal__n_invoke_update_header_state_9; ++ } ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_header_value_te_chunked_last: ++ s_n_llhttp__internal__n_header_value_te_chunked_last: { ++ if (p == endp) { ++ return s_n_llhttp__internal__n_header_value_te_chunked_last; ++ } ++ switch (*p) { ++ case 10: { ++ goto s_n_llhttp__internal__n_invoke_update_header_state_8; ++ } ++ case 13: { + goto s_n_llhttp__internal__n_invoke_update_header_state_8; + } ++ case ' ': { ++ p++; ++ goto s_n_llhttp__internal__n_header_value_te_chunked_last; ++ } ++ case ',': { ++ goto s_n_llhttp__internal__n_invoke_load_type_1; ++ } ++ default: { ++ goto s_n_llhttp__internal__n_header_value_te_token; ++ } + } + /* UNREACHABLE */; + abort(); +@@ -2101,7 +2141,7 @@ + } + case 10: { + p++; +- goto s_n_llhttp__internal__n_header_value_discard_lws; ++ goto s_n_llhttp__internal__n_invoke_test_flags_5; + } + case 13: { + p++; +@@ -2128,7 +2168,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_header_field_2; + } + default: { +- goto s_n_llhttp__internal__n_error_28; ++ goto s_n_llhttp__internal__n_error_31; + } + } + /* UNREACHABLE */; +@@ -2218,7 +2258,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_header_field_1; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_9; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_10; + } + } + /* UNREACHABLE */; +@@ -2243,7 +2283,7 @@ + return s_n_llhttp__internal__n_header_field_3; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2268,7 +2308,7 @@ + return s_n_llhttp__internal__n_header_field_4; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2289,7 +2329,7 @@ + goto s_n_llhttp__internal__n_header_field_4; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2313,7 +2353,7 @@ + return s_n_llhttp__internal__n_header_field_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2338,7 +2378,7 @@ + return s_n_llhttp__internal__n_header_field_5; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2363,7 +2403,7 @@ + return s_n_llhttp__internal__n_header_field_6; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2388,7 +2428,7 @@ + return s_n_llhttp__internal__n_header_field_7; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2417,7 +2457,7 @@ + goto s_n_llhttp__internal__n_header_field_7; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -2508,7 +2548,7 @@ + goto s_n_llhttp__internal__n_url_to_http_09; + } + default: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -2533,7 +2573,7 @@ + goto s_n_llhttp__internal__n_url_skip_lf_to_http09_1; + } + default: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -2550,7 +2590,7 @@ + goto s_n_llhttp__internal__n_header_field_start; + } + default: { +- goto s_n_llhttp__internal__n_error_30; ++ goto s_n_llhttp__internal__n_error_33; + } + } + /* UNREACHABLE */; +@@ -2571,7 +2611,7 @@ + goto s_n_llhttp__internal__n_req_http_end_1; + } + default: { +- goto s_n_llhttp__internal__n_error_30; ++ goto s_n_llhttp__internal__n_error_33; + } + } + /* UNREACHABLE */; +@@ -2634,7 +2674,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_31; ++ goto s_n_llhttp__internal__n_error_34; + } + } + /* UNREACHABLE */; +@@ -2651,7 +2691,7 @@ + goto s_n_llhttp__internal__n_req_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_32; ++ goto s_n_llhttp__internal__n_error_35; + } + } + /* UNREACHABLE */; +@@ -2714,7 +2754,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_major; + } + default: { +- goto s_n_llhttp__internal__n_error_33; ++ goto s_n_llhttp__internal__n_error_36; + } + } + /* UNREACHABLE */; +@@ -2738,7 +2778,7 @@ + return s_n_llhttp__internal__n_req_http_start_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_35; ++ goto s_n_llhttp__internal__n_error_38; + } + } + /* UNREACHABLE */; +@@ -2762,7 +2802,7 @@ + return s_n_llhttp__internal__n_req_http_start_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_35; ++ goto s_n_llhttp__internal__n_error_38; + } + } + /* UNREACHABLE */; +@@ -2787,7 +2827,7 @@ + goto s_n_llhttp__internal__n_req_http_start_2; + } + default: { +- goto s_n_llhttp__internal__n_error_35; ++ goto s_n_llhttp__internal__n_error_38; + } + } + /* UNREACHABLE */; +@@ -2878,7 +2918,7 @@ + goto s_n_llhttp__internal__n_url_fragment; + } + default: { +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + } + /* UNREACHABLE */; +@@ -2939,7 +2979,7 @@ + goto s_n_llhttp__internal__n_span_end_stub_query_3; + } + default: { +- goto s_n_llhttp__internal__n_error_37; ++ goto s_n_llhttp__internal__n_error_40; + } + } + /* UNREACHABLE */; +@@ -2977,7 +3017,7 @@ + goto s_n_llhttp__internal__n_url_query; + } + default: { +- goto s_n_llhttp__internal__n_error_38; ++ goto s_n_llhttp__internal__n_error_41; + } + } + /* UNREACHABLE */; +@@ -3102,10 +3142,10 @@ + } + case 8: { + p++; +- goto s_n_llhttp__internal__n_error_39; ++ goto s_n_llhttp__internal__n_error_42; + } + default: { +- goto s_n_llhttp__internal__n_error_40; ++ goto s_n_llhttp__internal__n_error_43; + } + } + /* UNREACHABLE */; +@@ -3164,7 +3204,7 @@ + goto s_n_llhttp__internal__n_url_server_with_at; + } + default: { +- goto s_n_llhttp__internal__n_error_41; ++ goto s_n_llhttp__internal__n_error_44; + } + } + /* UNREACHABLE */; +@@ -3181,7 +3221,7 @@ + goto s_n_llhttp__internal__n_url_server; + } + default: { +- goto s_n_llhttp__internal__n_error_43; ++ goto s_n_llhttp__internal__n_error_46; + } + } + /* UNREACHABLE */; +@@ -3199,7 +3239,7 @@ + } + case 10: { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case 12: { + p++; +@@ -3207,18 +3247,18 @@ + } + case 13: { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case ' ': { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case '/': { + p++; + goto s_n_llhttp__internal__n_url_schema_delim_1; + } + default: { +- goto s_n_llhttp__internal__n_error_43; ++ goto s_n_llhttp__internal__n_error_46; + } + } + /* UNREACHABLE */; +@@ -3264,7 +3304,7 @@ + } + case 2: { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case 3: { + goto s_n_llhttp__internal__n_span_end_stub_schema; +@@ -3274,7 +3314,7 @@ + goto s_n_llhttp__internal__n_url_schema; + } + default: { +- goto s_n_llhttp__internal__n_error_44; ++ goto s_n_llhttp__internal__n_error_47; + } + } + /* UNREACHABLE */; +@@ -3310,7 +3350,7 @@ + } + case 2: { + p++; +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + case 3: { + goto s_n_llhttp__internal__n_span_start_stub_path_2; +@@ -3319,7 +3359,7 @@ + goto s_n_llhttp__internal__n_url_schema; + } + default: { +- goto s_n_llhttp__internal__n_error_45; ++ goto s_n_llhttp__internal__n_error_48; + } + } + /* UNREACHABLE */; +@@ -3417,7 +3457,7 @@ + goto s_n_llhttp__internal__n_req_spaces_before_url; + } + default: { +- goto s_n_llhttp__internal__n_error_46; ++ goto s_n_llhttp__internal__n_error_49; + } + } + /* UNREACHABLE */; +@@ -3442,7 +3482,7 @@ + return s_n_llhttp__internal__n_start_req_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3467,7 +3507,7 @@ + return s_n_llhttp__internal__n_start_req_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3492,7 +3532,7 @@ + return s_n_llhttp__internal__n_start_req_4; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3517,7 +3557,7 @@ + return s_n_llhttp__internal__n_start_req_6; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3535,7 +3575,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3556,7 +3596,7 @@ + goto s_n_llhttp__internal__n_start_req_7; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3577,7 +3617,7 @@ + goto s_n_llhttp__internal__n_start_req_5; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3602,7 +3642,7 @@ + return s_n_llhttp__internal__n_start_req_8; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3627,7 +3667,7 @@ + return s_n_llhttp__internal__n_start_req_9; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3652,7 +3692,7 @@ + return s_n_llhttp__internal__n_start_req_10; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3677,7 +3717,7 @@ + return s_n_llhttp__internal__n_start_req_12; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3702,7 +3742,7 @@ + return s_n_llhttp__internal__n_start_req_13; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3723,7 +3763,7 @@ + goto s_n_llhttp__internal__n_start_req_13; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3748,7 +3788,7 @@ + return s_n_llhttp__internal__n_start_req_15; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3773,7 +3813,7 @@ + return s_n_llhttp__internal__n_start_req_16; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3798,7 +3838,7 @@ + return s_n_llhttp__internal__n_start_req_18; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3823,7 +3863,7 @@ + return s_n_llhttp__internal__n_start_req_20; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3841,7 +3881,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3862,7 +3902,7 @@ + goto s_n_llhttp__internal__n_start_req_21; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3883,7 +3923,7 @@ + goto s_n_llhttp__internal__n_start_req_19; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3908,7 +3948,7 @@ + return s_n_llhttp__internal__n_start_req_22; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3937,7 +3977,7 @@ + goto s_n_llhttp__internal__n_start_req_22; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3962,7 +4002,7 @@ + return s_n_llhttp__internal__n_start_req_23; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -3987,7 +4027,7 @@ + return s_n_llhttp__internal__n_start_req_24; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4012,7 +4052,7 @@ + return s_n_llhttp__internal__n_start_req_26; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4037,7 +4077,7 @@ + return s_n_llhttp__internal__n_start_req_27; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4062,7 +4102,7 @@ + return s_n_llhttp__internal__n_start_req_31; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4087,7 +4127,7 @@ + return s_n_llhttp__internal__n_start_req_32; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4108,7 +4148,7 @@ + goto s_n_llhttp__internal__n_start_req_32; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4125,7 +4165,7 @@ + goto s_n_llhttp__internal__n_start_req_30; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4147,7 +4187,7 @@ + goto s_n_llhttp__internal__n_start_req_29; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4172,7 +4212,7 @@ + return s_n_llhttp__internal__n_start_req_34; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4194,7 +4234,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4223,7 +4263,7 @@ + goto s_n_llhttp__internal__n_start_req_33; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4248,7 +4288,7 @@ + return s_n_llhttp__internal__n_start_req_37; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4273,7 +4313,7 @@ + return s_n_llhttp__internal__n_start_req_38; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4294,7 +4334,7 @@ + goto s_n_llhttp__internal__n_start_req_38; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4311,7 +4351,7 @@ + goto s_n_llhttp__internal__n_start_req_36; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4336,7 +4376,7 @@ + return s_n_llhttp__internal__n_start_req_40; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4361,7 +4401,7 @@ + return s_n_llhttp__internal__n_start_req_41; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4386,7 +4426,7 @@ + return s_n_llhttp__internal__n_start_req_42; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4411,7 +4451,7 @@ + goto s_n_llhttp__internal__n_start_req_42; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4436,7 +4476,7 @@ + return s_n_llhttp__internal__n_start_req_43; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4461,7 +4501,7 @@ + return s_n_llhttp__internal__n_start_req_46; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4486,7 +4526,7 @@ + return s_n_llhttp__internal__n_start_req_48; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4511,7 +4551,7 @@ + return s_n_llhttp__internal__n_start_req_49; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4532,7 +4572,7 @@ + goto s_n_llhttp__internal__n_start_req_49; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4557,7 +4597,7 @@ + return s_n_llhttp__internal__n_start_req_50; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4582,7 +4622,7 @@ + goto s_n_llhttp__internal__n_start_req_50; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4599,7 +4639,7 @@ + goto s_n_llhttp__internal__n_start_req_45; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4672,7 +4712,7 @@ + goto s_n_llhttp__internal__n_start_req_44; + } + default: { +- goto s_n_llhttp__internal__n_error_55; ++ goto s_n_llhttp__internal__n_error_58; + } + } + /* UNREACHABLE */; +@@ -4689,7 +4729,7 @@ + goto s_n_llhttp__internal__n_header_field_start; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -4764,7 +4804,7 @@ + goto s_n_llhttp__internal__n_res_status_start; + } + default: { +- goto s_n_llhttp__internal__n_error_49; ++ goto s_n_llhttp__internal__n_error_52; + } + } + /* UNREACHABLE */; +@@ -4844,7 +4884,7 @@ + goto s_n_llhttp__internal__n_invoke_update_status_code; + } + default: { +- goto s_n_llhttp__internal__n_error_50; ++ goto s_n_llhttp__internal__n_error_53; + } + } + /* UNREACHABLE */; +@@ -4907,7 +4947,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_minor_1; + } + default: { +- goto s_n_llhttp__internal__n_error_51; ++ goto s_n_llhttp__internal__n_error_54; + } + } + /* UNREACHABLE */; +@@ -4924,7 +4964,7 @@ + goto s_n_llhttp__internal__n_res_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_52; ++ goto s_n_llhttp__internal__n_error_55; + } + } + /* UNREACHABLE */; +@@ -4987,7 +5027,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_major_1; + } + default: { +- goto s_n_llhttp__internal__n_error_53; ++ goto s_n_llhttp__internal__n_error_56; + } + } + /* UNREACHABLE */; +@@ -5011,7 +5051,7 @@ + return s_n_llhttp__internal__n_start_res; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_56; ++ goto s_n_llhttp__internal__n_error_59; + } + } + /* UNREACHABLE */; +@@ -5036,7 +5076,7 @@ + return s_n_llhttp__internal__n_req_or_res_method_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_54; ++ goto s_n_llhttp__internal__n_error_57; + } + } + /* UNREACHABLE */; +@@ -5060,7 +5100,7 @@ + return s_n_llhttp__internal__n_req_or_res_method_3; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_54; ++ goto s_n_llhttp__internal__n_error_57; + } + } + /* UNREACHABLE */; +@@ -5081,7 +5121,7 @@ + goto s_n_llhttp__internal__n_req_or_res_method_3; + } + default: { +- goto s_n_llhttp__internal__n_error_54; ++ goto s_n_llhttp__internal__n_error_57; + } + } + /* UNREACHABLE */; +@@ -5098,7 +5138,7 @@ + goto s_n_llhttp__internal__n_req_or_res_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_54; ++ goto s_n_llhttp__internal__n_error_57; + } + } + /* UNREACHABLE */; +@@ -5167,7 +5207,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_42: { ++ s_n_llhttp__internal__n_error_45: { + state->error = 0x7; + state->reason = "Invalid characters in url"; + state->error_pos = (const char*) p; +@@ -5655,7 +5695,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_21: { ++ s_n_llhttp__internal__n_error_22: { + state->error = 0xb; + state->reason = "Empty Content-Length"; + state->error_pos = (const char*) p; +@@ -5740,14 +5780,33 @@ + s_n_llhttp__internal__n_invoke_load_header_state: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 2: +- goto s_n_llhttp__internal__n_error_21; ++ goto s_n_llhttp__internal__n_error_22; + default: + goto s_n_llhttp__internal__n_invoke_load_header_state_1; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_22: { ++ s_n_llhttp__internal__n_error_21: { ++ state->error = 0xa; ++ state->reason = "Invalid header value char"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_5: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_header_value_discard_lws; ++ default: ++ goto s_n_llhttp__internal__n_error_21; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_error_23: { + state->error = 0x2; + state->reason = "Expected LF after CR"; + state->error_pos = (const char*) p; +@@ -5757,6 +5816,24 @@ + abort(); + } + s_n_llhttp__internal__n_invoke_update_header_state_1: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_header_state_3: { ++ switch (llhttp__internal__c_load_header_state(state, p, endp)) { ++ case 8: ++ goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ default: ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_2: { + switch (llhttp__internal__c_update_header_state(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_start; +@@ -5767,7 +5844,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_7: { + switch (llhttp__internal__c_or_flags_3(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -5775,7 +5852,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_8: { + switch (llhttp__internal__c_or_flags_4(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -5783,7 +5860,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_9: { + switch (llhttp__internal__c_or_flags_5(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -5796,7 +5873,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_load_header_state_3: { ++ s_n_llhttp__internal__n_invoke_load_header_state_4: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 5: + goto s_n_llhttp__internal__n_invoke_or_flags_7; +@@ -5812,7 +5889,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_23: { ++ s_n_llhttp__internal__n_error_24: { + state->error = 0x3; + state->reason = "Missing expected LF after header value"; + state->error_pos = (const char*) p; +@@ -5830,6 +5907,24 @@ + err = llhttp__on_header_value(state, start, p); + if (err != 0) { + state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_header_value_almost_done; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; + state->error_pos = (const char*) p; + state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; + return s_error; +@@ -5838,7 +5933,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4: { + const unsigned char* start; + int err; + +@@ -5856,7 +5951,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2: { + const unsigned char* start; + int err; + +@@ -5865,35 +5960,25 @@ + err = llhttp__on_header_value(state, start, p); + if (err != 0) { + state->error = err; +- state->error_pos = (const char*) (p + 1); +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_25; + return s_error; + } +- p++; +- goto s_n_llhttp__internal__n_header_value_almost_done; +- /* UNREACHABLE */; +- abort(); +- } +- s_n_llhttp__internal__n_error_24: { +- state->error = 0xa; +- state->reason = "Invalid header value char"; +- state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_error; +- return s_error; ++ goto s_n_llhttp__internal__n_error_25; + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_test_flags_5: { ++ s_n_llhttp__internal__n_invoke_test_flags_6: { + switch (llhttp__internal__c_test_flags_2(state, p, endp)) { + case 1: + goto s_n_llhttp__internal__n_header_value_lenient; + default: +- goto s_n_llhttp__internal__n_error_24; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_3: { ++ s_n_llhttp__internal__n_invoke_update_header_state_4: { + switch (llhttp__internal__c_update_header_state(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection; +@@ -5904,7 +5989,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_11: { + switch (llhttp__internal__c_or_flags_3(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -5912,7 +5997,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_12: { + switch (llhttp__internal__c_or_flags_4(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -5920,7 +6005,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_13: { + switch (llhttp__internal__c_or_flags_5(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -5933,7 +6018,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_load_header_state_4: { ++ s_n_llhttp__internal__n_invoke_load_header_state_5: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 5: + goto s_n_llhttp__internal__n_invoke_or_flags_11; +@@ -5949,39 +6034,39 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_4: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_5: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_token; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_2: { +- switch (llhttp__internal__c_update_header_state_2(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_3: { ++ switch (llhttp__internal__c_update_header_state_3(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_5: { +- switch (llhttp__internal__c_update_header_state_5(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_6: { ++ switch (llhttp__internal__c_update_header_state_6(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_6: { +- switch (llhttp__internal__c_update_header_state_6(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_7: { ++ switch (llhttp__internal__c_update_header_state_7(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5: { + const unsigned char* start; + int err; + +@@ -5991,17 +6076,17 @@ + if (err != 0) { + state->error = err; + state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_26; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_27; + return s_error; + } +- goto s_n_llhttp__internal__n_error_26; ++ goto s_n_llhttp__internal__n_error_27; + /* UNREACHABLE */; + abort(); + } + s_n_llhttp__internal__n_invoke_mul_add_content_length_1: { + switch (llhttp__internal__c_mul_add_content_length_1(state, p, endp, match)) { + case 1: +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5; + default: + goto s_n_llhttp__internal__n_header_value_content_length; + } +@@ -6016,7 +6101,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_6: { + const unsigned char* start; + int err; + +@@ -6026,14 +6111,14 @@ + if (err != 0) { + state->error = err; + state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_27; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_28; + return s_error; + } +- goto s_n_llhttp__internal__n_error_27; ++ goto s_n_llhttp__internal__n_error_28; + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_25: { ++ s_n_llhttp__internal__n_error_26: { + state->error = 0x4; + state->reason = "Duplicate Content-Length"; + state->error_pos = (const char*) p; +@@ -6042,26 +6127,82 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_test_flags_6: { +- switch (llhttp__internal__c_test_flags_6(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_test_flags_7: { ++ switch (llhttp__internal__c_test_flags_7(state, p, endp)) { + case 0: + goto s_n_llhttp__internal__n_header_value_content_length; + default: +- goto s_n_llhttp__internal__n_error_25; ++ goto s_n_llhttp__internal__n_error_26; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_7: { +- switch (llhttp__internal__c_update_header_state_7(state, p, endp)) { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_8: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_30; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_error_30; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_8: { ++ switch (llhttp__internal__c_update_header_state_8(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_otherwise; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_8: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_7: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_29; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_error_29; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_9: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 0: ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_7; ++ default: ++ goto s_n_llhttp__internal__n_header_value_te_chunked; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_type_1: { ++ switch (llhttp__internal__c_load_type(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_test_flags_9; ++ default: ++ goto s_n_llhttp__internal__n_header_value_te_chunked; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_9: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value; + } +@@ -6076,6 +6217,34 @@ + /* UNREACHABLE */; + abort(); + } ++ s_n_llhttp__internal__n_invoke_or_flags_17: { ++ switch (llhttp__internal__c_or_flags_16(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_invoke_and_flags; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_10: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 0: ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_8; ++ default: ++ goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_type_2: { ++ switch (llhttp__internal__c_load_type(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_test_flags_10; ++ default: ++ goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } + s_n_llhttp__internal__n_invoke_or_flags_16: { + switch (llhttp__internal__c_or_flags_16(state, p, endp)) { + default: +@@ -6084,10 +6253,20 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_or_flags_17: { +- switch (llhttp__internal__c_or_flags_17(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_test_flags_8: { ++ switch (llhttp__internal__c_test_flags_8(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_load_type_2; + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_8; ++ goto s_n_llhttp__internal__n_invoke_or_flags_16; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_or_flags_18: { ++ switch (llhttp__internal__c_or_flags_18(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_invoke_update_header_state_9; + } + /* UNREACHABLE */; + abort(); +@@ -6097,11 +6276,11 @@ + case 1: + goto s_n_llhttp__internal__n_header_value_connection; + case 2: +- goto s_n_llhttp__internal__n_invoke_test_flags_6; ++ goto s_n_llhttp__internal__n_invoke_test_flags_7; + case 3: +- goto s_n_llhttp__internal__n_invoke_or_flags_16; ++ goto s_n_llhttp__internal__n_invoke_test_flags_8; + case 4: +- goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ goto s_n_llhttp__internal__n_invoke_or_flags_18; + default: + goto s_n_llhttp__internal__n_header_value; + } +@@ -6144,7 +6323,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_28: { ++ s_n_llhttp__internal__n_error_31: { + state->error = 0xa; + state->reason = "Invalid header token"; + state->error_pos = (const char*) p; +@@ -6153,8 +6332,8 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_9: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_10: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_general; + } +@@ -6169,8 +6348,8 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_10: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_11: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_general; + } +@@ -6210,7 +6389,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_29: { ++ s_n_llhttp__internal__n_error_32: { + state->error = 0x7; + state->reason = "Expected CRLF"; + state->error_pos = (const char*) p; +@@ -6236,7 +6415,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_30: { ++ s_n_llhttp__internal__n_error_33: { + state->error = 0x9; + state->reason = "Expected CRLF after version"; + state->error_pos = (const char*) p; +@@ -6253,7 +6432,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_31: { ++ s_n_llhttp__internal__n_error_34: { + state->error = 0x9; + state->reason = "Invalid minor version"; + state->error_pos = (const char*) p; +@@ -6262,7 +6441,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_32: { ++ s_n_llhttp__internal__n_error_35: { + state->error = 0x9; + state->reason = "Expected dot"; + state->error_pos = (const char*) p; +@@ -6279,7 +6458,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_33: { ++ s_n_llhttp__internal__n_error_36: { + state->error = 0x9; + state->reason = "Invalid major version"; + state->error_pos = (const char*) p; +@@ -6288,7 +6467,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_35: { ++ s_n_llhttp__internal__n_error_38: { + state->error = 0x8; + state->reason = "Expected HTTP/"; + state->error_pos = (const char*) p; +@@ -6297,7 +6476,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_34: { ++ s_n_llhttp__internal__n_error_37: { + state->error = 0x8; + state->reason = "Expected SOURCE method for ICE/x.x request"; + state->error_pos = (const char*) p; +@@ -6309,7 +6488,7 @@ + s_n_llhttp__internal__n_invoke_is_equal_method_1: { + switch (llhttp__internal__c_is_equal_method_1(state, p, endp)) { + case 0: +- goto s_n_llhttp__internal__n_error_34; ++ goto s_n_llhttp__internal__n_error_37; + default: + goto s_n_llhttp__internal__n_req_http_major; + } +@@ -6384,7 +6563,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_36: { ++ s_n_llhttp__internal__n_error_39: { + state->error = 0x7; + state->reason = "Invalid char in url fragment start"; + state->error_pos = (const char*) p; +@@ -6444,7 +6623,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_37: { ++ s_n_llhttp__internal__n_error_40: { + state->error = 0x7; + state->reason = "Invalid char in url query"; + state->error_pos = (const char*) p; +@@ -6453,7 +6632,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_38: { ++ s_n_llhttp__internal__n_error_41: { + state->error = 0x7; + state->reason = "Invalid char in url path"; + state->error_pos = (const char*) p; +@@ -6564,7 +6743,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_39: { ++ s_n_llhttp__internal__n_error_42: { + state->error = 0x7; + state->reason = "Double @ in url"; + state->error_pos = (const char*) p; +@@ -6573,7 +6752,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_40: { ++ s_n_llhttp__internal__n_error_43: { + state->error = 0x7; + state->reason = "Unexpected char in url server"; + state->error_pos = (const char*) p; +@@ -6582,7 +6761,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_41: { ++ s_n_llhttp__internal__n_error_44: { + state->error = 0x7; + state->reason = "Unexpected char in url server"; + state->error_pos = (const char*) p; +@@ -6591,7 +6770,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_43: { ++ s_n_llhttp__internal__n_error_46: { + state->error = 0x7; + state->reason = "Unexpected char in url schema"; + state->error_pos = (const char*) p; +@@ -6600,7 +6779,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_44: { ++ s_n_llhttp__internal__n_error_47: { + state->error = 0x7; + state->reason = "Unexpected char in url schema"; + state->error_pos = (const char*) p; +@@ -6609,7 +6788,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_45: { ++ s_n_llhttp__internal__n_error_48: { + state->error = 0x7; + state->reason = "Unexpected start char in url"; + state->error_pos = (const char*) p; +@@ -6628,7 +6807,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_46: { ++ s_n_llhttp__internal__n_error_49: { + state->error = 0x6; + state->reason = "Expected space after method"; + state->error_pos = (const char*) p; +@@ -6645,7 +6824,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_55: { ++ s_n_llhttp__internal__n_error_58: { + state->error = 0x6; + state->reason = "Invalid method encountered"; + state->error_pos = (const char*) p; +@@ -6654,7 +6833,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_47: { ++ s_n_llhttp__internal__n_error_50: { + state->error = 0xd; + state->reason = "Response overflow"; + state->error_pos = (const char*) p; +@@ -6666,14 +6845,14 @@ + s_n_llhttp__internal__n_invoke_mul_add_status_code: { + switch (llhttp__internal__c_mul_add_status_code(state, p, endp, match)) { + case 1: +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + default: + goto s_n_llhttp__internal__n_res_status_code; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_48: { ++ s_n_llhttp__internal__n_error_51: { + state->error = 0x2; + state->reason = "Expected LF after CR"; + state->error_pos = (const char*) p; +@@ -6718,7 +6897,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_49: { ++ s_n_llhttp__internal__n_error_52: { + state->error = 0xd; + state->reason = "Invalid response status"; + state->error_pos = (const char*) p; +@@ -6735,7 +6914,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_50: { ++ s_n_llhttp__internal__n_error_53: { + state->error = 0x9; + state->reason = "Expected space after version"; + state->error_pos = (const char*) p; +@@ -6752,7 +6931,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_51: { ++ s_n_llhttp__internal__n_error_54: { + state->error = 0x9; + state->reason = "Invalid minor version"; + state->error_pos = (const char*) p; +@@ -6761,7 +6940,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_52: { ++ s_n_llhttp__internal__n_error_55: { + state->error = 0x9; + state->reason = "Expected dot"; + state->error_pos = (const char*) p; +@@ -6778,7 +6957,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_53: { ++ s_n_llhttp__internal__n_error_56: { + state->error = 0x9; + state->reason = "Invalid major version"; + state->error_pos = (const char*) p; +@@ -6787,7 +6966,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_56: { ++ s_n_llhttp__internal__n_error_59: { + state->error = 0x8; + state->reason = "Expected HTTP/"; + state->error_pos = (const char*) p; +@@ -6812,7 +6991,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_54: { ++ s_n_llhttp__internal__n_error_57: { + state->error = 0x8; + state->reason = "Invalid word encountered"; + state->error_pos = (const char*) p; +@@ -7244,6 +7423,7 @@ + s_n_llhttp__internal__n_header_value_lws, + s_n_llhttp__internal__n_header_value_almost_done, + s_n_llhttp__internal__n_header_value_lenient, ++ s_n_llhttp__internal__n_error_19, + s_n_llhttp__internal__n_header_value_otherwise, + s_n_llhttp__internal__n_header_value_connection_token, + s_n_llhttp__internal__n_header_value_connection_ws, +@@ -7251,14 +7431,16 @@ + s_n_llhttp__internal__n_header_value_connection_2, + s_n_llhttp__internal__n_header_value_connection_3, + s_n_llhttp__internal__n_header_value_connection, +- s_n_llhttp__internal__n_error_20, + s_n_llhttp__internal__n_error_21, ++ s_n_llhttp__internal__n_error_22, + s_n_llhttp__internal__n_header_value_content_length_ws, + s_n_llhttp__internal__n_header_value_content_length, +- s_n_llhttp__internal__n_header_value_te_chunked_last, ++ s_n_llhttp__internal__n_error_24, ++ s_n_llhttp__internal__n_error_23, + s_n_llhttp__internal__n_header_value_te_token_ows, + s_n_llhttp__internal__n_header_value, + s_n_llhttp__internal__n_header_value_te_token, ++ s_n_llhttp__internal__n_header_value_te_chunked_last, + s_n_llhttp__internal__n_header_value_te_chunked, + s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1, + s_n_llhttp__internal__n_header_value_discard_ws, +@@ -7648,7 +7830,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_2( ++int llhttp__internal__c_update_header_state_3( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7656,7 +7838,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_4( ++int llhttp__internal__c_update_header_state_1( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7664,7 +7846,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_5( ++int llhttp__internal__c_update_header_state_6( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7672,7 +7854,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_6( ++int llhttp__internal__c_update_header_state_7( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7680,7 +7862,7 @@ + return 0; + } + +-int llhttp__internal__c_test_flags_6( ++int llhttp__internal__c_test_flags_7( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7721,6 +7903,13 @@ + return 0; + } + ++int llhttp__internal__c_test_flags_8( ++ llhttp__internal_t* state, ++ const unsigned char* p, ++ const unsigned char* endp) { ++ return (state->flags & 8) == 8; ++} ++ + int llhttp__internal__c_or_flags_16( + llhttp__internal_t* state, + const unsigned char* p, +@@ -7737,7 +7926,7 @@ + return 0; + } + +-int llhttp__internal__c_update_header_state_7( ++int llhttp__internal__c_update_header_state_8( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -7745,7 +7934,7 @@ + return 0; + } + +-int llhttp__internal__c_or_flags_17( ++int llhttp__internal__c_or_flags_18( + llhttp__internal_t* state, + const unsigned char* p, + const unsigned char* endp) { +@@ -8432,13 +8621,13 @@ + } + switch (*p) { + case 9: { +- goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_3; + } + case ' ': { +- goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_3; + } + default: { +- goto s_n_llhttp__internal__n_invoke_load_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_4; + } + } + /* UNREACHABLE */; +@@ -8455,7 +8644,7 @@ + goto s_n_llhttp__internal__n_header_value_lws; + } + default: { +- goto s_n_llhttp__internal__n_error_17; ++ goto s_n_llhttp__internal__n_error_18; + } + } + /* UNREACHABLE */; +@@ -8468,10 +8657,10 @@ + } + switch (*p) { + case 10: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3; + } + case 13: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4; + } + default: { + p++; +@@ -8481,20 +8670,27 @@ + /* UNREACHABLE */; + abort(); + } ++ case s_n_llhttp__internal__n_error_19: ++ s_n_llhttp__internal__n_error_19: { ++ state->error = 0xa; ++ state->reason = "Invalid header value char"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } + case s_n_llhttp__internal__n_header_value_otherwise: + s_n_llhttp__internal__n_header_value_otherwise: { + if (p == endp) { + return s_n_llhttp__internal__n_header_value_otherwise; + } + switch (*p) { +- case 10: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; +- } + case 13: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_1; + } + default: { +- goto s_n_llhttp__internal__n_invoke_test_flags_5; ++ goto s_n_llhttp__internal__n_invoke_test_flags_6; + } + } + /* UNREACHABLE */; +@@ -8557,10 +8753,10 @@ + } + case ',': { + p++; +- goto s_n_llhttp__internal__n_invoke_load_header_state_4; ++ goto s_n_llhttp__internal__n_invoke_load_header_state_5; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_4; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_5; + } + } + /* UNREACHABLE */; +@@ -8578,7 +8774,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_2; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_3; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_1; +@@ -8602,7 +8798,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_5; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_6; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_2; +@@ -8626,7 +8822,7 @@ + switch (match_seq.status) { + case kMatchComplete: { + p++; +- goto s_n_llhttp__internal__n_invoke_update_header_state_6; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_7; + } + case kMatchPause: { + return s_n_llhttp__internal__n_header_value_connection_3; +@@ -8671,8 +8867,8 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_error_20: +- s_n_llhttp__internal__n_error_20: { ++ case s_n_llhttp__internal__n_error_21: ++ s_n_llhttp__internal__n_error_21: { + state->error = 0xb; + state->reason = "Content-Length overflow"; + state->error_pos = (const char*) p; +@@ -8681,8 +8877,8 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_error_21: +- s_n_llhttp__internal__n_error_21: { ++ case s_n_llhttp__internal__n_error_22: ++ s_n_llhttp__internal__n_error_22: { + state->error = 0xb; + state->reason = "Invalid character in Content-Length"; + state->error_pos = (const char*) p; +@@ -8708,7 +8904,7 @@ + goto s_n_llhttp__internal__n_header_value_content_length_ws; + } + default: { +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_6; + } + } + /* UNREACHABLE */; +@@ -8777,26 +8973,23 @@ + /* UNREACHABLE */; + abort(); + } +- case s_n_llhttp__internal__n_header_value_te_chunked_last: +- s_n_llhttp__internal__n_header_value_te_chunked_last: { +- if (p == endp) { +- return s_n_llhttp__internal__n_header_value_te_chunked_last; +- } +- switch (*p) { +- case 10: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_7; +- } +- case 13: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_7; +- } +- case ' ': { +- p++; +- goto s_n_llhttp__internal__n_header_value_te_chunked_last; +- } +- default: { +- goto s_n_llhttp__internal__n_header_value_te_chunked; +- } +- } ++ case s_n_llhttp__internal__n_error_24: ++ s_n_llhttp__internal__n_error_24: { ++ state->error = 0xf; ++ state->reason = "Invalid `Transfer-Encoding` header value"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_error_23: ++ s_n_llhttp__internal__n_error_23: { ++ state->error = 0xf; ++ state->reason = "Invalid `Transfer-Encoding` header value"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; + /* UNREACHABLE */; + abort(); + } +@@ -8913,8 +9106,34 @@ + goto s_n_llhttp__internal__n_header_value_te_token_ows; + } + default: { ++ goto s_n_llhttp__internal__n_invoke_update_header_state_9; ++ } ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ case s_n_llhttp__internal__n_header_value_te_chunked_last: ++ s_n_llhttp__internal__n_header_value_te_chunked_last: { ++ if (p == endp) { ++ return s_n_llhttp__internal__n_header_value_te_chunked_last; ++ } ++ switch (*p) { ++ case 10: { + goto s_n_llhttp__internal__n_invoke_update_header_state_8; + } ++ case 13: { ++ goto s_n_llhttp__internal__n_invoke_update_header_state_8; ++ } ++ case ' ': { ++ p++; ++ goto s_n_llhttp__internal__n_header_value_te_chunked_last; ++ } ++ case ',': { ++ goto s_n_llhttp__internal__n_invoke_load_type_1; ++ } ++ default: { ++ goto s_n_llhttp__internal__n_header_value_te_token; ++ } + } + /* UNREACHABLE */; + abort(); +@@ -8966,7 +9185,7 @@ + } + case 10: { + p++; +- goto s_n_llhttp__internal__n_header_value_discard_lws; ++ goto s_n_llhttp__internal__n_invoke_test_flags_5; + } + case 13: { + p++; +@@ -8993,7 +9212,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_header_field_2; + } + default: { +- goto s_n_llhttp__internal__n_error_22; ++ goto s_n_llhttp__internal__n_error_25; + } + } + /* UNREACHABLE */; +@@ -9083,7 +9302,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_header_field_1; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_9; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_10; + } + } + /* UNREACHABLE */; +@@ -9108,7 +9327,7 @@ + return s_n_llhttp__internal__n_header_field_3; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9133,7 +9352,7 @@ + return s_n_llhttp__internal__n_header_field_4; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9154,7 +9373,7 @@ + goto s_n_llhttp__internal__n_header_field_4; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9178,7 +9397,7 @@ + return s_n_llhttp__internal__n_header_field_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9203,7 +9422,7 @@ + return s_n_llhttp__internal__n_header_field_5; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9228,7 +9447,7 @@ + return s_n_llhttp__internal__n_header_field_6; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9253,7 +9472,7 @@ + return s_n_llhttp__internal__n_header_field_7; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9282,7 +9501,7 @@ + goto s_n_llhttp__internal__n_header_field_7; + } + default: { +- goto s_n_llhttp__internal__n_invoke_update_header_state_10; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_11; + } + } + /* UNREACHABLE */; +@@ -9347,7 +9566,7 @@ + return s_n_llhttp__internal__n_url_skip_lf_to_http09; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_23; ++ goto s_n_llhttp__internal__n_error_26; + } + } + /* UNREACHABLE */; +@@ -9364,7 +9583,7 @@ + goto s_n_llhttp__internal__n_header_field_start; + } + default: { +- goto s_n_llhttp__internal__n_error_24; ++ goto s_n_llhttp__internal__n_error_27; + } + } + /* UNREACHABLE */; +@@ -9385,7 +9604,7 @@ + goto s_n_llhttp__internal__n_req_http_end_1; + } + default: { +- goto s_n_llhttp__internal__n_error_24; ++ goto s_n_llhttp__internal__n_error_27; + } + } + /* UNREACHABLE */; +@@ -9448,7 +9667,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_25; ++ goto s_n_llhttp__internal__n_error_28; + } + } + /* UNREACHABLE */; +@@ -9465,7 +9684,7 @@ + goto s_n_llhttp__internal__n_req_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_26; ++ goto s_n_llhttp__internal__n_error_29; + } + } + /* UNREACHABLE */; +@@ -9528,7 +9747,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_major; + } + default: { +- goto s_n_llhttp__internal__n_error_27; ++ goto s_n_llhttp__internal__n_error_30; + } + } + /* UNREACHABLE */; +@@ -9552,7 +9771,7 @@ + return s_n_llhttp__internal__n_req_http_start_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -9576,7 +9795,7 @@ + return s_n_llhttp__internal__n_req_http_start_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -9601,7 +9820,7 @@ + goto s_n_llhttp__internal__n_req_http_start_2; + } + default: { +- goto s_n_llhttp__internal__n_error_29; ++ goto s_n_llhttp__internal__n_error_32; + } + } + /* UNREACHABLE */; +@@ -9655,7 +9874,7 @@ + goto s_n_llhttp__internal__n_span_end_llhttp__on_url_8; + } + default: { +- goto s_n_llhttp__internal__n_error_30; ++ goto s_n_llhttp__internal__n_error_33; + } + } + /* UNREACHABLE */; +@@ -9712,7 +9931,7 @@ + goto s_n_llhttp__internal__n_span_end_stub_query_3; + } + default: { +- goto s_n_llhttp__internal__n_error_31; ++ goto s_n_llhttp__internal__n_error_34; + } + } + /* UNREACHABLE */; +@@ -9742,7 +9961,7 @@ + goto s_n_llhttp__internal__n_url_query; + } + default: { +- goto s_n_llhttp__internal__n_error_32; ++ goto s_n_llhttp__internal__n_error_35; + } + } + /* UNREACHABLE */; +@@ -9883,10 +10102,10 @@ + } + case 7: { + p++; +- goto s_n_llhttp__internal__n_error_33; ++ goto s_n_llhttp__internal__n_error_36; + } + default: { +- goto s_n_llhttp__internal__n_error_34; ++ goto s_n_llhttp__internal__n_error_37; + } + } + /* UNREACHABLE */; +@@ -9941,7 +10160,7 @@ + goto s_n_llhttp__internal__n_url_server_with_at; + } + default: { +- goto s_n_llhttp__internal__n_error_35; ++ goto s_n_llhttp__internal__n_error_38; + } + } + /* UNREACHABLE */; +@@ -9958,7 +10177,7 @@ + goto s_n_llhttp__internal__n_url_server; + } + default: { +- goto s_n_llhttp__internal__n_error_37; ++ goto s_n_llhttp__internal__n_error_40; + } + } + /* UNREACHABLE */; +@@ -9972,22 +10191,22 @@ + switch (*p) { + case 10: { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case 13: { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case ' ': { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case '/': { + p++; + goto s_n_llhttp__internal__n_url_schema_delim_1; + } + default: { +- goto s_n_llhttp__internal__n_error_37; ++ goto s_n_llhttp__internal__n_error_40; + } + } + /* UNREACHABLE */; +@@ -10029,7 +10248,7 @@ + switch (lookup_table[(uint8_t) *p]) { + case 1: { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case 2: { + goto s_n_llhttp__internal__n_span_end_stub_schema; +@@ -10039,7 +10258,7 @@ + goto s_n_llhttp__internal__n_url_schema; + } + default: { +- goto s_n_llhttp__internal__n_error_38; ++ goto s_n_llhttp__internal__n_error_41; + } + } + /* UNREACHABLE */; +@@ -10071,7 +10290,7 @@ + switch (lookup_table[(uint8_t) *p]) { + case 1: { + p++; +- goto s_n_llhttp__internal__n_error_36; ++ goto s_n_llhttp__internal__n_error_39; + } + case 2: { + goto s_n_llhttp__internal__n_span_start_stub_path_2; +@@ -10080,7 +10299,7 @@ + goto s_n_llhttp__internal__n_url_schema; + } + default: { +- goto s_n_llhttp__internal__n_error_39; ++ goto s_n_llhttp__internal__n_error_42; + } + } + /* UNREACHABLE */; +@@ -10136,7 +10355,7 @@ + goto s_n_llhttp__internal__n_req_spaces_before_url; + } + default: { +- goto s_n_llhttp__internal__n_error_40; ++ goto s_n_llhttp__internal__n_error_43; + } + } + /* UNREACHABLE */; +@@ -10161,7 +10380,7 @@ + return s_n_llhttp__internal__n_start_req_1; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10186,7 +10405,7 @@ + return s_n_llhttp__internal__n_start_req_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10211,7 +10430,7 @@ + return s_n_llhttp__internal__n_start_req_4; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10236,7 +10455,7 @@ + return s_n_llhttp__internal__n_start_req_6; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10254,7 +10473,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10275,7 +10494,7 @@ + goto s_n_llhttp__internal__n_start_req_7; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10296,7 +10515,7 @@ + goto s_n_llhttp__internal__n_start_req_5; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10321,7 +10540,7 @@ + return s_n_llhttp__internal__n_start_req_8; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10346,7 +10565,7 @@ + return s_n_llhttp__internal__n_start_req_9; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10371,7 +10590,7 @@ + return s_n_llhttp__internal__n_start_req_10; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10396,7 +10615,7 @@ + return s_n_llhttp__internal__n_start_req_12; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10421,7 +10640,7 @@ + return s_n_llhttp__internal__n_start_req_13; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10442,7 +10661,7 @@ + goto s_n_llhttp__internal__n_start_req_13; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10467,7 +10686,7 @@ + return s_n_llhttp__internal__n_start_req_15; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10492,7 +10711,7 @@ + return s_n_llhttp__internal__n_start_req_16; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10517,7 +10736,7 @@ + return s_n_llhttp__internal__n_start_req_18; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10542,7 +10761,7 @@ + return s_n_llhttp__internal__n_start_req_20; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10560,7 +10779,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10581,7 +10800,7 @@ + goto s_n_llhttp__internal__n_start_req_21; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10602,7 +10821,7 @@ + goto s_n_llhttp__internal__n_start_req_19; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10627,7 +10846,7 @@ + return s_n_llhttp__internal__n_start_req_22; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10656,7 +10875,7 @@ + goto s_n_llhttp__internal__n_start_req_22; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10681,7 +10900,7 @@ + return s_n_llhttp__internal__n_start_req_23; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10706,7 +10925,7 @@ + return s_n_llhttp__internal__n_start_req_24; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10731,7 +10950,7 @@ + return s_n_llhttp__internal__n_start_req_26; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10756,7 +10975,7 @@ + return s_n_llhttp__internal__n_start_req_27; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10781,7 +11000,7 @@ + return s_n_llhttp__internal__n_start_req_31; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10806,7 +11025,7 @@ + return s_n_llhttp__internal__n_start_req_32; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10827,7 +11046,7 @@ + goto s_n_llhttp__internal__n_start_req_32; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10844,7 +11063,7 @@ + goto s_n_llhttp__internal__n_start_req_30; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10866,7 +11085,7 @@ + goto s_n_llhttp__internal__n_start_req_29; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10891,7 +11110,7 @@ + return s_n_llhttp__internal__n_start_req_34; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10913,7 +11132,7 @@ + goto s_n_llhttp__internal__n_invoke_store_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10942,7 +11161,7 @@ + goto s_n_llhttp__internal__n_start_req_33; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10967,7 +11186,7 @@ + return s_n_llhttp__internal__n_start_req_37; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -10992,7 +11211,7 @@ + return s_n_llhttp__internal__n_start_req_38; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11013,7 +11232,7 @@ + goto s_n_llhttp__internal__n_start_req_38; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11030,7 +11249,7 @@ + goto s_n_llhttp__internal__n_start_req_36; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11055,7 +11274,7 @@ + return s_n_llhttp__internal__n_start_req_40; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11080,7 +11299,7 @@ + return s_n_llhttp__internal__n_start_req_41; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11105,7 +11324,7 @@ + return s_n_llhttp__internal__n_start_req_42; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11130,7 +11349,7 @@ + goto s_n_llhttp__internal__n_start_req_42; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11155,7 +11374,7 @@ + return s_n_llhttp__internal__n_start_req_43; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11180,7 +11399,7 @@ + return s_n_llhttp__internal__n_start_req_46; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11205,7 +11424,7 @@ + return s_n_llhttp__internal__n_start_req_48; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11230,7 +11449,7 @@ + return s_n_llhttp__internal__n_start_req_49; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11251,7 +11470,7 @@ + goto s_n_llhttp__internal__n_start_req_49; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11276,7 +11495,7 @@ + return s_n_llhttp__internal__n_start_req_50; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11301,7 +11520,7 @@ + goto s_n_llhttp__internal__n_start_req_50; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11318,7 +11537,7 @@ + goto s_n_llhttp__internal__n_start_req_45; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11391,7 +11610,7 @@ + goto s_n_llhttp__internal__n_start_req_44; + } + default: { +- goto s_n_llhttp__internal__n_error_48; ++ goto s_n_llhttp__internal__n_error_51; + } + } + /* UNREACHABLE */; +@@ -11476,7 +11695,7 @@ + goto s_n_llhttp__internal__n_res_status_start; + } + default: { +- goto s_n_llhttp__internal__n_error_42; ++ goto s_n_llhttp__internal__n_error_45; + } + } + /* UNREACHABLE */; +@@ -11556,7 +11775,7 @@ + goto s_n_llhttp__internal__n_invoke_update_status_code; + } + default: { +- goto s_n_llhttp__internal__n_error_43; ++ goto s_n_llhttp__internal__n_error_46; + } + } + /* UNREACHABLE */; +@@ -11619,7 +11838,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_minor_1; + } + default: { +- goto s_n_llhttp__internal__n_error_44; ++ goto s_n_llhttp__internal__n_error_47; + } + } + /* UNREACHABLE */; +@@ -11636,7 +11855,7 @@ + goto s_n_llhttp__internal__n_res_http_minor; + } + default: { +- goto s_n_llhttp__internal__n_error_45; ++ goto s_n_llhttp__internal__n_error_48; + } + } + /* UNREACHABLE */; +@@ -11699,7 +11918,7 @@ + goto s_n_llhttp__internal__n_invoke_store_http_major_1; + } + default: { +- goto s_n_llhttp__internal__n_error_46; ++ goto s_n_llhttp__internal__n_error_49; + } + } + /* UNREACHABLE */; +@@ -11723,7 +11942,7 @@ + return s_n_llhttp__internal__n_start_res; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_49; ++ goto s_n_llhttp__internal__n_error_52; + } + } + /* UNREACHABLE */; +@@ -11748,7 +11967,7 @@ + return s_n_llhttp__internal__n_req_or_res_method_2; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + } + } + /* UNREACHABLE */; +@@ -11772,7 +11991,7 @@ + return s_n_llhttp__internal__n_req_or_res_method_3; + } + case kMatchMismatch: { +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + } + } + /* UNREACHABLE */; +@@ -11793,7 +12012,7 @@ + goto s_n_llhttp__internal__n_req_or_res_method_3; + } + default: { +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + } + } + /* UNREACHABLE */; +@@ -11810,7 +12029,7 @@ + goto s_n_llhttp__internal__n_req_or_res_method_1; + } + default: { +- goto s_n_llhttp__internal__n_error_47; ++ goto s_n_llhttp__internal__n_error_50; + } + } + /* UNREACHABLE */; +@@ -11870,7 +12089,7 @@ + /* UNREACHABLE */ + abort(); + } +- s_n_llhttp__internal__n_error_36: { ++ s_n_llhttp__internal__n_error_39: { + state->error = 0x7; + state->reason = "Invalid characters in url"; + state->error_pos = (const char*) p; +@@ -12314,7 +12533,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_16: { ++ s_n_llhttp__internal__n_error_17: { + state->error = 0xb; + state->reason = "Empty Content-Length"; + state->error_pos = (const char*) p; +@@ -12399,14 +12618,51 @@ + s_n_llhttp__internal__n_invoke_load_header_state: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 2: +- goto s_n_llhttp__internal__n_error_16; ++ goto s_n_llhttp__internal__n_error_17; + default: + goto s_n_llhttp__internal__n_invoke_load_header_state_1; + } + /* UNREACHABLE */; + abort(); + } ++ s_n_llhttp__internal__n_error_16: { ++ state->error = 0xa; ++ state->reason = "Invalid header value char"; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_error; ++ return s_error; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_5: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_header_value_discard_lws; ++ default: ++ goto s_n_llhttp__internal__n_error_16; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } + s_n_llhttp__internal__n_invoke_update_header_state_1: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_header_state_3: { ++ switch (llhttp__internal__c_load_header_state(state, p, endp)) { ++ case 8: ++ goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ default: ++ goto s_n_llhttp__internal__n_span_start_llhttp__on_header_value_1; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_2: { + switch (llhttp__internal__c_update_header_state(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_start; +@@ -12417,7 +12673,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_7: { + switch (llhttp__internal__c_or_flags_3(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -12425,7 +12681,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_8: { + switch (llhttp__internal__c_or_flags_4(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -12433,7 +12689,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_9: { + switch (llhttp__internal__c_or_flags_5(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_1; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_2; + } + /* UNREACHABLE */; + abort(); +@@ -12446,7 +12702,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_load_header_state_3: { ++ s_n_llhttp__internal__n_invoke_load_header_state_4: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 5: + goto s_n_llhttp__internal__n_invoke_or_flags_7; +@@ -12462,7 +12718,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_17: { ++ s_n_llhttp__internal__n_error_18: { + state->error = 0x3; + state->reason = "Missing expected LF after header value"; + state->error_pos = (const char*) p; +@@ -12480,6 +12736,24 @@ + err = llhttp__on_header_value(state, start, p); + if (err != 0) { + state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_header_value_almost_done; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; + state->error_pos = (const char*) p; + state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; + return s_error; +@@ -12488,7 +12762,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4: { + const unsigned char* start; + int err; + +@@ -12506,7 +12780,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_3: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2: { + const unsigned char* start; + int err; + +@@ -12515,35 +12789,25 @@ + err = llhttp__on_header_value(state, start, p); + if (err != 0) { + state->error = err; +- state->error_pos = (const char*) (p + 1); +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_header_value_almost_done; ++ state->error_pos = (const char*) p; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_19; + return s_error; + } +- p++; +- goto s_n_llhttp__internal__n_header_value_almost_done; ++ goto s_n_llhttp__internal__n_error_19; + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_18: { +- state->error = 0xa; +- state->reason = "Invalid header value char"; +- state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_error; +- return s_error; +- /* UNREACHABLE */; +- abort(); +- } +- s_n_llhttp__internal__n_invoke_test_flags_5: { ++ s_n_llhttp__internal__n_invoke_test_flags_6: { + switch (llhttp__internal__c_test_flags_2(state, p, endp)) { + case 1: + goto s_n_llhttp__internal__n_header_value_lenient; + default: +- goto s_n_llhttp__internal__n_error_18; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_2; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_3: { ++ s_n_llhttp__internal__n_invoke_update_header_state_4: { + switch (llhttp__internal__c_update_header_state(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection; +@@ -12554,7 +12818,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_11: { + switch (llhttp__internal__c_or_flags_3(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -12562,7 +12826,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_12: { + switch (llhttp__internal__c_or_flags_4(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -12570,7 +12834,7 @@ + s_n_llhttp__internal__n_invoke_or_flags_13: { + switch (llhttp__internal__c_or_flags_5(state, p, endp)) { + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_3; ++ goto s_n_llhttp__internal__n_invoke_update_header_state_4; + } + /* UNREACHABLE */; + abort(); +@@ -12583,7 +12847,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_load_header_state_4: { ++ s_n_llhttp__internal__n_invoke_load_header_state_5: { + switch (llhttp__internal__c_load_header_state(state, p, endp)) { + case 5: + goto s_n_llhttp__internal__n_invoke_or_flags_11; +@@ -12599,39 +12863,39 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_4: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_5: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_token; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_2: { +- switch (llhttp__internal__c_update_header_state_2(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_3: { ++ switch (llhttp__internal__c_update_header_state_3(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_5: { +- switch (llhttp__internal__c_update_header_state_5(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_6: { ++ switch (llhttp__internal__c_update_header_state_6(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_6: { +- switch (llhttp__internal__c_update_header_state_6(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_7: { ++ switch (llhttp__internal__c_update_header_state_7(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_connection_ws; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5: { + const unsigned char* start; + int err; + +@@ -12641,17 +12905,17 @@ + if (err != 0) { + state->error = err; + state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_20; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_21; + return s_error; + } +- goto s_n_llhttp__internal__n_error_20; ++ goto s_n_llhttp__internal__n_error_21; + /* UNREACHABLE */; + abort(); + } + s_n_llhttp__internal__n_invoke_mul_add_content_length_1: { + switch (llhttp__internal__c_mul_add_content_length_1(state, p, endp, match)) { + case 1: +- goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_4; ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5; + default: + goto s_n_llhttp__internal__n_header_value_content_length; + } +@@ -12666,7 +12930,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_span_end_llhttp__on_header_value_5: { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_6: { + const unsigned char* start; + int err; + +@@ -12676,14 +12940,14 @@ + if (err != 0) { + state->error = err; + state->error_pos = (const char*) p; +- state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_21; ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_22; + return s_error; + } +- goto s_n_llhttp__internal__n_error_21; ++ goto s_n_llhttp__internal__n_error_22; + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_19: { ++ s_n_llhttp__internal__n_error_20: { + state->error = 0x4; + state->reason = "Duplicate Content-Length"; + state->error_pos = (const char*) p; +@@ -12692,26 +12956,82 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_test_flags_6: { +- switch (llhttp__internal__c_test_flags_6(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_test_flags_7: { ++ switch (llhttp__internal__c_test_flags_7(state, p, endp)) { + case 0: + goto s_n_llhttp__internal__n_header_value_content_length; + default: +- goto s_n_llhttp__internal__n_error_19; ++ goto s_n_llhttp__internal__n_error_20; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_7: { +- switch (llhttp__internal__c_update_header_state_7(state, p, endp)) { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_8: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_24; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_error_24; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_8: { ++ switch (llhttp__internal__c_update_header_state_8(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value_otherwise; + } + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_8: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_span_end_llhttp__on_header_value_7: { ++ const unsigned char* start; ++ int err; ++ ++ start = state->_span_pos0; ++ state->_span_pos0 = NULL; ++ err = llhttp__on_header_value(state, start, p); ++ if (err != 0) { ++ state->error = err; ++ state->error_pos = (const char*) (p + 1); ++ state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_error_23; ++ return s_error; ++ } ++ p++; ++ goto s_n_llhttp__internal__n_error_23; ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_9: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 0: ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_7; ++ default: ++ goto s_n_llhttp__internal__n_header_value_te_chunked; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_type_1: { ++ switch (llhttp__internal__c_load_type(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_test_flags_9; ++ default: ++ goto s_n_llhttp__internal__n_header_value_te_chunked; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_update_header_state_9: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_value; + } +@@ -12726,6 +13046,34 @@ + /* UNREACHABLE */; + abort(); + } ++ s_n_llhttp__internal__n_invoke_or_flags_17: { ++ switch (llhttp__internal__c_or_flags_16(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_invoke_and_flags; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_test_flags_10: { ++ switch (llhttp__internal__c_test_flags_2(state, p, endp)) { ++ case 0: ++ goto s_n_llhttp__internal__n_span_end_llhttp__on_header_value_8; ++ default: ++ goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_load_type_2: { ++ switch (llhttp__internal__c_load_type(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_test_flags_10; ++ default: ++ goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } + s_n_llhttp__internal__n_invoke_or_flags_16: { + switch (llhttp__internal__c_or_flags_16(state, p, endp)) { + default: +@@ -12734,10 +13082,20 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_or_flags_17: { +- switch (llhttp__internal__c_or_flags_17(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_test_flags_8: { ++ switch (llhttp__internal__c_test_flags_8(state, p, endp)) { ++ case 1: ++ goto s_n_llhttp__internal__n_invoke_load_type_2; + default: +- goto s_n_llhttp__internal__n_invoke_update_header_state_8; ++ goto s_n_llhttp__internal__n_invoke_or_flags_16; ++ } ++ /* UNREACHABLE */; ++ abort(); ++ } ++ s_n_llhttp__internal__n_invoke_or_flags_18: { ++ switch (llhttp__internal__c_or_flags_18(state, p, endp)) { ++ default: ++ goto s_n_llhttp__internal__n_invoke_update_header_state_9; + } + /* UNREACHABLE */; + abort(); +@@ -12747,11 +13105,11 @@ + case 1: + goto s_n_llhttp__internal__n_header_value_connection; + case 2: +- goto s_n_llhttp__internal__n_invoke_test_flags_6; ++ goto s_n_llhttp__internal__n_invoke_test_flags_7; + case 3: +- goto s_n_llhttp__internal__n_invoke_or_flags_16; ++ goto s_n_llhttp__internal__n_invoke_test_flags_8; + case 4: +- goto s_n_llhttp__internal__n_invoke_or_flags_17; ++ goto s_n_llhttp__internal__n_invoke_or_flags_18; + default: + goto s_n_llhttp__internal__n_header_value; + } +@@ -12794,7 +13152,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_22: { ++ s_n_llhttp__internal__n_error_25: { + state->error = 0xa; + state->reason = "Invalid header token"; + state->error_pos = (const char*) p; +@@ -12803,8 +13161,8 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_9: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_10: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_general; + } +@@ -12819,8 +13177,8 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_invoke_update_header_state_10: { +- switch (llhttp__internal__c_update_header_state_4(state, p, endp)) { ++ s_n_llhttp__internal__n_invoke_update_header_state_11: { ++ switch (llhttp__internal__c_update_header_state_1(state, p, endp)) { + default: + goto s_n_llhttp__internal__n_header_field_general; + } +@@ -12860,7 +13218,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_23: { ++ s_n_llhttp__internal__n_error_26: { + state->error = 0x7; + state->reason = "Expected CRLF"; + state->error_pos = (const char*) p; +@@ -12886,7 +13244,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_24: { ++ s_n_llhttp__internal__n_error_27: { + state->error = 0x9; + state->reason = "Expected CRLF after version"; + state->error_pos = (const char*) p; +@@ -12903,7 +13261,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_25: { ++ s_n_llhttp__internal__n_error_28: { + state->error = 0x9; + state->reason = "Invalid minor version"; + state->error_pos = (const char*) p; +@@ -12912,7 +13270,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_26: { ++ s_n_llhttp__internal__n_error_29: { + state->error = 0x9; + state->reason = "Expected dot"; + state->error_pos = (const char*) p; +@@ -12929,7 +13287,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_27: { ++ s_n_llhttp__internal__n_error_30: { + state->error = 0x9; + state->reason = "Invalid major version"; + state->error_pos = (const char*) p; +@@ -12938,7 +13296,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_29: { ++ s_n_llhttp__internal__n_error_32: { + state->error = 0x8; + state->reason = "Expected HTTP/"; + state->error_pos = (const char*) p; +@@ -12947,7 +13305,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_28: { ++ s_n_llhttp__internal__n_error_31: { + state->error = 0x8; + state->reason = "Expected SOURCE method for ICE/x.x request"; + state->error_pos = (const char*) p; +@@ -12959,7 +13317,7 @@ + s_n_llhttp__internal__n_invoke_is_equal_method_1: { + switch (llhttp__internal__c_is_equal_method_1(state, p, endp)) { + case 0: +- goto s_n_llhttp__internal__n_error_28; ++ goto s_n_llhttp__internal__n_error_31; + default: + goto s_n_llhttp__internal__n_req_http_major; + } +@@ -13034,7 +13392,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_30: { ++ s_n_llhttp__internal__n_error_33: { + state->error = 0x7; + state->reason = "Invalid char in url fragment start"; + state->error_pos = (const char*) p; +@@ -13094,7 +13452,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_31: { ++ s_n_llhttp__internal__n_error_34: { + state->error = 0x7; + state->reason = "Invalid char in url query"; + state->error_pos = (const char*) p; +@@ -13103,7 +13461,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_32: { ++ s_n_llhttp__internal__n_error_35: { + state->error = 0x7; + state->reason = "Invalid char in url path"; + state->error_pos = (const char*) p; +@@ -13214,7 +13572,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_33: { ++ s_n_llhttp__internal__n_error_36: { + state->error = 0x7; + state->reason = "Double @ in url"; + state->error_pos = (const char*) p; +@@ -13223,7 +13581,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_34: { ++ s_n_llhttp__internal__n_error_37: { + state->error = 0x7; + state->reason = "Unexpected char in url server"; + state->error_pos = (const char*) p; +@@ -13232,7 +13590,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_35: { ++ s_n_llhttp__internal__n_error_38: { + state->error = 0x7; + state->reason = "Unexpected char in url server"; + state->error_pos = (const char*) p; +@@ -13241,7 +13599,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_37: { ++ s_n_llhttp__internal__n_error_40: { + state->error = 0x7; + state->reason = "Unexpected char in url schema"; + state->error_pos = (const char*) p; +@@ -13250,7 +13608,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_38: { ++ s_n_llhttp__internal__n_error_41: { + state->error = 0x7; + state->reason = "Unexpected char in url schema"; + state->error_pos = (const char*) p; +@@ -13259,7 +13617,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_39: { ++ s_n_llhttp__internal__n_error_42: { + state->error = 0x7; + state->reason = "Unexpected start char in url"; + state->error_pos = (const char*) p; +@@ -13278,7 +13636,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_40: { ++ s_n_llhttp__internal__n_error_43: { + state->error = 0x6; + state->reason = "Expected space after method"; + state->error_pos = (const char*) p; +@@ -13295,7 +13653,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_48: { ++ s_n_llhttp__internal__n_error_51: { + state->error = 0x6; + state->reason = "Invalid method encountered"; + state->error_pos = (const char*) p; +@@ -13304,7 +13662,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_41: { ++ s_n_llhttp__internal__n_error_44: { + state->error = 0xd; + state->reason = "Response overflow"; + state->error_pos = (const char*) p; +@@ -13316,7 +13674,7 @@ + s_n_llhttp__internal__n_invoke_mul_add_status_code: { + switch (llhttp__internal__c_mul_add_status_code(state, p, endp, match)) { + case 1: +- goto s_n_llhttp__internal__n_error_41; ++ goto s_n_llhttp__internal__n_error_44; + default: + goto s_n_llhttp__internal__n_res_status_code; + } +@@ -13359,7 +13717,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_42: { ++ s_n_llhttp__internal__n_error_45: { + state->error = 0xd; + state->reason = "Invalid response status"; + state->error_pos = (const char*) p; +@@ -13376,7 +13734,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_43: { ++ s_n_llhttp__internal__n_error_46: { + state->error = 0x9; + state->reason = "Expected space after version"; + state->error_pos = (const char*) p; +@@ -13393,7 +13751,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_44: { ++ s_n_llhttp__internal__n_error_47: { + state->error = 0x9; + state->reason = "Invalid minor version"; + state->error_pos = (const char*) p; +@@ -13402,7 +13760,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_45: { ++ s_n_llhttp__internal__n_error_48: { + state->error = 0x9; + state->reason = "Expected dot"; + state->error_pos = (const char*) p; +@@ -13419,7 +13777,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_46: { ++ s_n_llhttp__internal__n_error_49: { + state->error = 0x9; + state->reason = "Invalid major version"; + state->error_pos = (const char*) p; +@@ -13428,7 +13786,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_49: { ++ s_n_llhttp__internal__n_error_52: { + state->error = 0x8; + state->reason = "Expected HTTP/"; + state->error_pos = (const char*) p; +@@ -13453,7 +13811,7 @@ + /* UNREACHABLE */; + abort(); + } +- s_n_llhttp__internal__n_error_47: { ++ s_n_llhttp__internal__n_error_50: { + state->error = 0x8; + state->reason = "Invalid word encountered"; + state->error_pos = (const char*) p; +--- nodejs-12.22.12~dfsg/test/parallel/test-http-invalid-te.js ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-invalid-te.js +@@ -13,7 +13,7 @@ Content-Type: text/plain; charset=utf-8 + Host: hacker.exploit.com + Connection: keep-alive + Content-Length: 10 +-Transfer-Encoding: chunked, eee ++Transfer-Encoding: eee, chunked + + HELLOWORLDPOST / HTTP/1.1 + Content-Type: text/plain; charset=utf-8 +--- nodejs-12.22.12~dfsg/test/parallel/test-http-missing-header-separator-cr.js ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-missing-header-separator-cr.js +@@ -0,0 +1,83 @@ ++'use strict'; ++ ++const common = require('../common'); ++const assert = require('assert'); ++ ++const http = require('http'); ++const net = require('net'); ++ ++function serverHandler(server, msg) { ++ const client = net.connect(server.address().port, 'localhost'); ++ ++ let response = ''; ++ ++ client.on('data', common.mustCall((chunk) => { ++ response += chunk.toString('utf-8'); ++ })); ++ ++ client.setEncoding('utf8'); ++ client.on('error', common.mustNotCall()); ++ client.on('end', common.mustCall(() => { ++ assert.strictEqual( ++ response, ++ 'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n' ++ ); ++ server.close(); ++ })); ++ client.write(msg); ++ client.resume(); ++} ++ ++{ ++ const msg = [ ++ 'GET / HTTP/1.1', ++ 'Host: localhost', ++ 'Dummy: x\nContent-Length: 23', ++ '', ++ 'GET / HTTP/1.1', ++ 'Dummy: GET /admin HTTP/1.1', ++ 'Host: localhost', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustNotCall()); ++ ++ server.listen(0, common.mustCall(serverHandler.bind(null, server, msg))); ++} ++ ++{ ++ const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: localhost', ++ 'x:x\nTransfer-Encoding: chunked', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustNotCall()); ++ ++ server.listen(0, common.mustCall(serverHandler.bind(null, server, msg))); ++} ++ ++{ ++ const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: localhost', ++ 'x:\nTransfer-Encoding: chunked', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustNotCall()); ++ ++ server.listen(0, common.mustCall(serverHandler.bind(null, server, msg))); ++} +--- /dev/null ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-transfer-encoding-repeated-chunked.js +@@ -0,0 +1,51 @@ ++'use strict'; ++ ++const common = require('../common'); ++const assert = require('assert'); ++ ++const http = require('http'); ++const net = require('net'); ++ ++const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: 127.0.0.1', ++ 'Transfer-Encoding: chunkedchunked', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++].join('\r\n'); ++ ++const server = http.createServer(common.mustCall((req, res) => { ++ // Verify that no data is received ++ ++ req.on('data', common.mustNotCall()); ++ ++ req.on('end', common.mustNotCall(() => { ++ res.writeHead(200, { 'Content-Type': 'text/plain' }); ++ res.end(); ++ })); ++}, 1)); ++ ++server.listen(0, common.mustCall(() => { ++ const client = net.connect(server.address().port, 'localhost'); ++ ++ let response = ''; ++ ++ client.on('data', common.mustCall((chunk) => { ++ response += chunk.toString('utf-8'); ++ })); ++ ++ client.setEncoding('utf8'); ++ client.on('error', common.mustNotCall()); ++ client.on('end', common.mustCall(() => { ++ assert.strictEqual( ++ response, ++ 'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n' ++ ); ++ server.close(); ++ })); ++ client.write(msg); ++ client.resume(); ++})); +--- nodejs-12.22.12~dfsg/test/parallel/test-http-transfer-encoding-smuggling.js ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-transfer-encoding-smuggling.js +@@ -1,46 +1,89 @@ + 'use strict'; + + const common = require('../common'); +- + const assert = require('assert'); ++ + const http = require('http'); + const net = require('net'); + +-const msg = [ +- 'POST / HTTP/1.1', +- 'Host: 127.0.0.1', +- 'Transfer-Encoding: chunked', +- 'Transfer-Encoding: chunked-false', +- 'Connection: upgrade', +- '', +- '1', +- 'A', +- '0', +- '', +- 'GET /flag HTTP/1.1', +- 'Host: 127.0.0.1', +- '', +- '', +-].join('\r\n'); +- +-// Verify that the server is called only once even with a smuggled request. +- +-const server = http.createServer(common.mustCall((req, res) => { +- res.end(); +-}, 1)); +- +-function send(next) { +- const client = net.connect(server.address().port, 'localhost'); +- client.setEncoding('utf8'); +- client.on('error', common.mustNotCall()); +- client.on('end', next); +- client.write(msg); +- client.resume(); ++{ ++ const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: 127.0.0.1', ++ 'Transfer-Encoding: chunked', ++ 'Transfer-Encoding: chunked-false', ++ 'Connection: upgrade', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++ 'GET /flag HTTP/1.1', ++ 'Host: 127.0.0.1', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustNotCall((req, res) => { ++ res.end(); ++ }, 1)); ++ ++ server.listen(0, common.mustCall(() => { ++ const client = net.connect(server.address().port, 'localhost'); ++ ++ let response = ''; ++ ++ // Verify that the server listener is never called ++ ++ client.on('data', common.mustCall((chunk) => { ++ response += chunk.toString('utf-8'); ++ })); ++ ++ client.setEncoding('utf8'); ++ client.on('error', common.mustNotCall()); ++ client.on('end', common.mustCall(() => { ++ assert.strictEqual( ++ response, ++ 'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n' ++ ); ++ server.close(); ++ })); ++ client.write(msg); ++ client.resume(); ++ })); + } + +-server.listen(0, common.mustCall((err) => { +- assert.ifError(err); +- send(common.mustCall(() => { +- server.close(); ++{ ++ const msg = [ ++ 'POST / HTTP/1.1', ++ 'Host: 127.0.0.1', ++ 'Transfer-Encoding: chunked', ++ ' , chunked-false', ++ 'Connection: upgrade', ++ '', ++ '1', ++ 'A', ++ '0', ++ '', ++ 'GET /flag HTTP/1.1', ++ 'Host: 127.0.0.1', ++ '', ++ '', ++ ].join('\r\n'); ++ ++ const server = http.createServer(common.mustCall((request, response) => { ++ assert.notStrictEqual(request.url, '/admin'); ++ response.end('hello world'); ++ }), 1); ++ ++ server.listen(0, common.mustCall(() => { ++ const client = net.connect(server.address().port, 'localhost'); ++ ++ client.on('end', common.mustCall(function() { ++ server.close(); ++ })); ++ ++ client.write(msg); ++ client.resume(); + })); +-})); ++} +--- nodejs-12.22.12~dfsg/test/parallel/test-http-header-overflow.js ++++ nodejs-12.22.12~dfsg/test/parallel/test-http-header-overflow.js +@@ -1,3 +1,5 @@ ++// Flags: --expose-internals ++ + 'use strict'; + const { expectsError, mustCall } = require('../common'); + const assert = require('assert'); +@@ -8,7 +10,7 @@ const CRLF = '\r\n'; + const DUMMY_HEADER_NAME = 'Cookie: '; + const DUMMY_HEADER_VALUE = 'a'.repeat( + // Plus one is to make it 1 byte too big +- maxHeaderSize - DUMMY_HEADER_NAME.length - (2 * CRLF.length) + 1 ++ maxHeaderSize - DUMMY_HEADER_NAME.length + 2 + ); + const PAYLOAD_GET = 'GET /blah HTTP/1.1'; + const PAYLOAD = PAYLOAD_GET + CRLF + +@@ -21,7 +23,7 @@ server.on('connection', mustCall((socket + name: 'Error', + message: 'Parse Error: Header overflow', + code: 'HPE_HEADER_OVERFLOW', +- bytesParsed: maxHeaderSize + PAYLOAD_GET.length, ++ bytesParsed: maxHeaderSize + PAYLOAD_GET.length + (CRLF.length * 2) + 1, + rawPacket: Buffer.from(PAYLOAD) + })); + })); diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/gcc13.patch b/meta-oe/recipes-devtools/nodejs/nodejs/gcc13.patch new file mode 100644 index 0000000000..dd21af6b3a --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/gcc13.patch @@ -0,0 +1,63 @@ +From 576aed71db7b40c90b44c623580629792a606928 Mon Sep 17 00:00:00 2001 +From: Jiawen Geng <technicalcute@gmail.com> +Date: Fri, 14 Oct 2022 09:54:33 +0800 +Subject: [PATCH] deps: V8: cherry-pick c2792e58035f +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Original commit message: + + [base] Fix build with gcc-13 + + See https://gcc.gnu.org/gcc-13/porting_to.html#header-dep-changes. + + Also see Gentoo Linux bug report: https://bugs.gentoo.org/865981 + + Change-Id: I421f396b02ba37e12ee70048ee33e034f8113566 + Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3934140 + Reviewed-by: Clemens Backes <clemensb@chromium.org> + Reviewed-by: Simon Zund <szuend@chromium.org> + Commit-Queue: Clemens Backes <clemensb@chromium.org> + Cr-Commit-Position: refs/heads/main@{#83587} + +Refs: https://github.com/v8/v8/commit/c2792e58035fcbaa16d0cb70998852fbeb5df4cc +PR-URL: https://github.com/nodejs/node/pull/44961 +Fixes: https://github.com/nodejs/node/issues/43642 +Reviewed-By: Michael Zasso <targos@protonmail.com> +Reviewed-By: Richard Lau <rlau@redhat.com> +Reviewed-By: Luigi Pinca <luigipinca@gmail.com> +Reviewed-By: Colin Ihrig <cjihrig@gmail.com> + +Upstream-Status: Backport [https://github.com/nodejs/node/commit/0be1c5728173ea9ac42843058e26b6268568acf0] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + deps/v8/AUTHORS | 1 + + deps/v8/src/base/logging.h | 1 + + deps/v8/src/inspector/v8-string-conversions.h | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/deps/v8/src/base/logging.h b/deps/v8/src/base/logging.h +index 08db24a9..38be165f 100644 +--- a/deps/v8/src/base/logging.h ++++ b/deps/v8/src/base/logging.h +@@ -5,6 +5,7 @@ + #ifndef V8_BASE_LOGGING_H_ + #define V8_BASE_LOGGING_H_ + ++#include <cstdint> + #include <cstring> + #include <sstream> + #include <string> +diff --git a/deps/v8/src/inspector/v8-string-conversions.h b/deps/v8/src/inspector/v8-string-conversions.h +index c1d69c18..eb33c681 100644 +--- a/deps/v8/src/inspector/v8-string-conversions.h ++++ b/deps/v8/src/inspector/v8-string-conversions.h +@@ -5,6 +5,7 @@ + #ifndef V8_INSPECTOR_V8_STRING_CONVERSIONS_H_ + #define V8_INSPECTOR_V8_STRING_CONVERSIONS_H_ + ++#include <cstdint> + #include <string> + + // Conversion routines between UT8 and UTF16, used by string-16.{h,cc}. You may diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch new file mode 100644 index 0000000000..cdf6bc8e23 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch @@ -0,0 +1,21 @@ +Link mksnapshot with libatomic on x86 + +Clang-12 on x86 emits atomic builtins + +Fixes +| module-compiler.cc:(.text._ZN2v88internal4wasm12_GLOBAL__N_123ExecuteCompilationUnitsERKSt10shared_ptrINS2_22BackgroundCompileTokenEEPNS0_8CountersEiNS2_19CompileBaselineOnlyE+0x558): un +defined reference to `__atomic_load' + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- a/tools/v8_gypfiles/v8.gyp ++++ b/tools/v8_gypfiles/v8.gyp +@@ -1336,6 +1336,7 @@ + { + 'target_name': 'mksnapshot', + 'type': 'executable', ++ 'libraries': [ '-latomic' ], + 'dependencies': [ + 'v8_base_without_compiler', + 'v8_compiler_for_mksnapshot', diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch b/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch new file mode 100644 index 0000000000..21a2281231 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch @@ -0,0 +1,32 @@ +Description: mksnapshot uses too much memory on 32-bit mipsel +Author: Jérémy Lal <kapouer@melix.org> +Last-Update: 2020-06-03 +Forwarded: https://bugs.chromium.org/p/v8/issues/detail?id=10586 + +This ensures that we reserve 500M instead of 2G range for codegen +ensures that qemu-mips can allocate such large ranges + +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- a/deps/v8/src/common/globals.h ++++ b/deps/v8/src/common/globals.h +@@ -224,7 +224,7 @@ constexpr size_t kMinimumCodeRangeSize = + constexpr size_t kMinExpectedOSPageSize = 64 * KB; // OS page on PPC Linux + #elif V8_TARGET_ARCH_MIPS + constexpr bool kPlatformRequiresCodeRange = false; +-constexpr size_t kMaximalCodeRangeSize = 2048LL * MB; ++constexpr size_t kMaximalCodeRangeSize = 512 * MB; + constexpr size_t kMinimumCodeRangeSize = 0 * MB; + constexpr size_t kMinExpectedOSPageSize = 4 * KB; // OS page. + #else +--- a/deps/v8/src/codegen/mips/constants-mips.h ++++ b/deps/v8/src/codegen/mips/constants-mips.h +@@ -140,7 +140,7 @@ const uint32_t kLeastSignificantByteInIn + namespace v8 { + namespace internal { + +-constexpr size_t kMaxPCRelativeCodeRangeInMB = 4096; ++constexpr size_t kMaxPCRelativeCodeRangeInMB = 1024; + + // ----------------------------------------------------------------------------- + // Registers and FPURegisters. diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/python-3.11-invalid-mode-rU.patch b/meta-oe/recipes-devtools/nodejs/nodejs/python-3.11-invalid-mode-rU.patch new file mode 100644 index 0000000000..588ffc1eee --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/python-3.11-invalid-mode-rU.patch @@ -0,0 +1,46 @@ +From e4d6f2e4091a4c7b6f3281be0e281b32ee6e5a33 Mon Sep 17 00:00:00 2001 +From: Christian Clauss <cclauss@me.com> +Date: Thu, 26 Nov 2020 12:39:11 +0100 +Subject: [PATCH] Fix ValueError: invalid mode: 'rU' while trying to load + binding.gyp + +Fixes nodejs/node-gyp#2219 +File mode `U` is deprecated in Python 3 https://docs.python.org/3/library/functions.html#open +https://github.com/asottile/pyupgrade#redundant-open-modes + +Upstream-Status: Backport [https://github.com/nodejs/gyp-next/commit/3f8cb33ea4d191df41f4fb7a1dfbd302507f7260] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py | 2 +- + tools/gyp/pylib/gyp/input.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py b/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py +index d174280..2f34bc0 100644 +--- a/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py ++++ b/deps/npm/node_modules/node-gyp/gyp/pylib/gyp/input.py +@@ -226,7 +226,7 @@ def LoadOneBuildFile(build_file_path, data, aux_data, includes, + # Open the build file for read ('r') with universal-newlines mode ('U') + # to make sure platform specific newlines ('\r\n' or '\r') are converted to '\n' + # which otherwise will fail eval() +- if sys.platform == 'zos': ++ if PY3 or sys.platform == 'zos': + # On z/OS, universal-newlines mode treats the file as an ascii file. But since + # node-gyp produces ebcdic files, do not use that mode. + build_file_contents = open(build_file_path, 'r').read() +diff --git a/tools/gyp/pylib/gyp/input.py b/tools/gyp/pylib/gyp/input.py +index 1f40abb..fd12e78 100644 +--- a/tools/gyp/pylib/gyp/input.py ++++ b/tools/gyp/pylib/gyp/input.py +@@ -226,7 +226,7 @@ def LoadOneBuildFile(build_file_path, data, aux_data, includes, + # Open the build file for read ('r') with universal-newlines mode ('U') + # to make sure platform specific newlines ('\r\n' or '\r') are converted to '\n' + # which otherwise will fail eval() +- if sys.platform == 'zos': ++ if PY3 or sys.platform == 'zos': + # On z/OS, universal-newlines mode treats the file as an ascii file. But since + # node-gyp produces ebcdic files, do not use that mode. + build_file_contents = open(build_file_path, 'r').read() +-- +2.38.1 + diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb index d468fb3ffa..f004671a6e 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_12.14.1.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb @@ -1,7 +1,7 @@ DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" HOMEPAGE = "http://nodejs.org" LICENSE = "MIT & BSD & Artistic-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=be4d5107c64dc3d7c57e3797e1a0674b" +LIC_FILES_CHKSUM = "file://LICENSE;md5=93997aa7a45ba0f25f9c61aaab153ab8" DEPENDS = "openssl" DEPENDS_append_class-target = " nodejs-native" @@ -20,19 +20,24 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ file://0003-Install-both-binaries-and-use-libdir.patch \ file://0004-v8-don-t-override-ARM-CFLAGS.patch \ file://big-endian.patch \ - file://0001-build-allow-passing-multiple-libs-to-pkg_config.patch \ - file://0002-build-allow-use-of-system-installed-brotli.patch \ file://mips-warnings.patch \ + file://0001-Remove-use-of-register-r7-because-llvm-now-issues-an.patch \ + file://CVE-2022-32212.patch \ + file://CVE-2022-35255.patch \ + file://CVE-2022-43548.patch \ + file://CVE-llhttp.patch \ + file://python-3.11-invalid-mode-rU.patch \ + file://gcc13.patch \ " SRC_URI_append_class-target = " \ file://0002-Using-native-binaries.patch \ " - -SRC_URI[md5sum] = "1c78a75f5c95321f533ecccca695e814" -SRC_URI[sha256sum] = "877b4b842318b0e09bc754faf7343f2f097f0fc4f88ab9ae57cf9944e88e7adb" +SRC_URI[sha256sum] = "bc42b7f8495b9bfc7f7850dd180bb02a5bdf139cc232b8c6f02a6967e20714f2" S = "${WORKDIR}/node-v${PV}" +CVE_PRODUCT += "node.js" + # v8 errors out if you have set CCACHE CCACHE = "" @@ -54,7 +59,8 @@ ARCHFLAGS_arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '- GYP_DEFINES_append_mipsel = " mips_arch_variant='r1' " ARCHFLAGS ?= "" -PACKAGECONFIG ??= "ares brotli icu libuv zlib" +PACKAGECONFIG ??= "ares brotli icu zlib" + PACKAGECONFIG[ares] = "--shared-cares,,c-ares" PACKAGECONFIG[brotli] = "--shared-brotli,,brotli" PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu" diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb b/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb new file mode 100644 index 0000000000..b64a57f941 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb @@ -0,0 +1,211 @@ +DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" +HOMEPAGE = "http://nodejs.org" +LICENSE = "MIT & BSD & Artistic-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=6768abdfc4dae4fde59d6b4df96930f3" + +DEFAULT_PREFERENCE = "-1" + +DEPENDS = "openssl" +DEPENDS:append:class-target = " qemu-native" +DEPENDS:append:class-native = " c-ares-native" + +inherit pkgconfig python3native qemu + +COMPATIBLE_MACHINE:armv4 = "(!.*armv4).*" +COMPATIBLE_MACHINE:armv5 = "(!.*armv5).*" +COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*" + +COMPATIBLE_HOST:riscv64 = "null" +COMPATIBLE_HOST:riscv32 = "null" + +SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ + file://0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch \ + file://0003-Install-both-binaries-and-use-libdir-nodejs14.patch \ + file://0004-v8-don-t-override-ARM-CFLAGS.patch \ + file://big-endian.patch \ + file://mips-warnings.patch \ + file://mips-less-memory-nodejs14.patch \ + file://0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch \ + file://CVE-2022-32212.patch \ + file://CVE-2022-35255.patch \ + file://CVE-2022-43548.patch \ + file://gcc13.patch \ + " +SRC_URI:append:class-target = " \ + file://0002-Using-native-binaries-nodejs14.patch \ + " +SRC_URI:append:toolchain-clang:x86 = " \ + file://libatomic-nodejs14.patch \ + " +SRC_URI:append:toolchain-clang:powerpc64le = " \ + file://0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch \ + " +SRC_URI[sha256sum] = "3fa1d71adddfab2f5e3e41874b4eddbdf92b65cade4a43922fb1e437afcf89ed" + +S = "${WORKDIR}/node-v${PV}" + +CVE_PRODUCT += "node.js" + +# v8 errors out if you have set CCACHE +CCACHE = "" + +def map_nodejs_arch(a, d): + import re + + if re.match('i.86$', a): return 'ia32' + elif re.match('x86_64$', a): return 'x64' + elif re.match('aarch64$', a): return 'arm64' + elif re.match('(powerpc64|powerpc64le|ppc64le)$', a): return 'ppc64' + elif re.match('powerpc$', a): return 'ppc' + return a + +ARCHFLAGS:arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '--with-arm-float-abi=hard', '--with-arm-float-abi=softfp', d)} \ + ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-arm-fpu=neon', \ + bb.utils.contains('TUNE_FEATURES', 'vfpv3d16', '--with-arm-fpu=vfpv3-d16', \ + bb.utils.contains('TUNE_FEATURES', 'vfpv3', '--with-arm-fpu=vfpv3', \ + '--with-arm-fpu=vfp', d), d), d)}" +GYP_DEFINES:append:mipsel = " mips_arch_variant='r1' " +ARCHFLAGS ?= "" + +PACKAGECONFIG ??= "brotli icu zlib" + +PACKAGECONFIG[ares] = "--shared-cares,,c-ares" +PACKAGECONFIG[brotli] = "--shared-brotli,,brotli" +PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu" +PACKAGECONFIG[libuv] = "--shared-libuv,,libuv" +PACKAGECONFIG[nghttp2] = "--shared-nghttp2,,nghttp2" +PACKAGECONFIG[shared] = "--shared" +PACKAGECONFIG[zlib] = "--shared-zlib,,zlib" + +# We don't want to cross-compile during target compile, +# and we need to use the right flags during host compile, +# too. +EXTRA_OEMAKE = "\ + CC.host='${CC}' \ + CFLAGS.host='${CPPFLAGS} ${CFLAGS}' \ + CXX.host='${CXX}' \ + CXXFLAGS.host='${CPPFLAGS} ${CXXFLAGS}' \ + LDFLAGS.host='${LDFLAGS}' \ + AR.host='${AR}' \ + \ + builddir_name=./ \ +" + +python do_unpack() { + import shutil + + bb.build.exec_func('base_do_unpack', d) + + if 'ares' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/cares', True) + if 'brotli' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/brotli', True) + if 'libuv' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/uv', True) + if 'nghttp2' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/nghttp2', True) + if 'zlib' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/zlib', True) +} + +# V8's JIT infrastructure requires binaries such as mksnapshot and +# mkpeephole to be run in the host during the build. However, these +# binaries must have the same bit-width as the target (e.g. a x86_64 +# host targeting ARMv6 needs to produce a 32-bit binary). Instead of +# depending on a third Yocto toolchain, we just build those binaries +# for the target and run them on the host with QEMU. +python do_create_v8_qemu_wrapper () { + """Creates a small wrapper that invokes QEMU to run some target V8 binaries + on the host.""" + qemu_libdirs = [d.expand('${STAGING_DIR_HOST}${libdir}'), + d.expand('${STAGING_DIR_HOST}${base_libdir}')] + qemu_cmd = qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST', True), + qemu_libdirs) + wrapper_path = d.expand('${B}/v8-qemu-wrapper.sh') + with open(wrapper_path, 'w') as wrapper_file: + wrapper_file.write("""#!/bin/sh + +# This file has been generated automatically. +# It invokes QEMU to run binaries built for the target in the host during the +# build process. + +%s "$@" +""" % qemu_cmd) + os.chmod(wrapper_path, 0o755) +} + +do_create_v8_qemu_wrapper[dirs] = "${B}" +addtask create_v8_qemu_wrapper after do_configure before do_compile + +# Work around compatibility issues with gcc-13 on host +BUILD_CXXFLAGS += "-fpermissive" + +LDFLAGS:append:x86 = " -latomic" + +# Node is way too cool to use proper autotools, so we install two wrappers to forcefully inject proper arch cflags to workaround gypi +do_configure () { + export LD="${CXX}" + GYP_DEFINES="${GYP_DEFINES}" export GYP_DEFINES + # $TARGET_ARCH settings don't match --dest-cpu settings + python3 configure.py --prefix=${prefix} --cross-compiling \ + --without-dtrace \ + --without-etw \ + --dest-cpu="${@map_nodejs_arch(d.getVar('TARGET_ARCH'), d)}" \ + --dest-os=linux \ + --libdir=${D}${libdir} \ + ${ARCHFLAGS} \ + ${PACKAGECONFIG_CONFARGS} +} + +do_compile () { + export LD="${CXX}" + install -Dm 0755 ${B}/v8-qemu-wrapper.sh ${B}/out/Release/v8-qemu-wrapper.sh + oe_runmake BUILDTYPE=Release +} + +do_install () { + oe_runmake install DESTDIR=${D} + + # wasn't updated since 2009 and is the only thing requiring python2 in runtime + # ERROR: nodejs-12.14.1-r0 do_package_qa: QA Issue: /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples contained in package nodejs-npm requires /usr/bin/python, but no providers found in RDEPENDS:nodejs-npm? [file-rdeps] + rm -f ${D}${exec_prefix}/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples +} + +do_install:append:class-native() { + # use node from PATH instead of absolute path to sysroot + # node-v0.10.25/tools/install.py is using: + # shebang = os.path.join(node_prefix, 'bin/node') + # update_shebang(link_path, shebang) + # and node_prefix can be very long path to bindir in native sysroot and + # when it exceeds 128 character shebang limit it's stripped to incorrect path + # and npm fails to execute like in this case with 133 characters show in log.do_install: + # updating shebang of /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/work/x86_64-linux/nodejs-native/0.10.15-r0/image/home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/npm to /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/node + # /usr/bin/npm is symlink to /usr/lib/node_modules/npm/bin/npm-cli.js + # use sed on npm-cli.js because otherwise symlink is replaced with normal file and + # npm-cli.js continues to use old shebang + sed "1s^.*^#\!/usr/bin/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js + + # Install the native binaries to provide it within sysroot for the target compilation + install -d ${D}${bindir} + install -m 0755 ${S}/out/Release/torque ${D}${bindir}/torque + install -m 0755 ${S}/out/Release/bytecode_builtins_list_generator ${D}${bindir}/bytecode_builtins_list_generator + if ${@bb.utils.contains('PACKAGECONFIG','icu','true','false',d)}; then + install -m 0755 ${S}/out/Release/gen-regexp-special-case ${D}${bindir}/gen-regexp-special-case + fi + install -m 0755 ${S}/out/Release/mkcodecache ${D}${bindir}/mkcodecache + install -m 0755 ${S}/out/Release/node_mksnapshot ${D}${bindir}/node_mksnapshot +} + +do_install:append:class-target() { + sed "1s^.*^#\!${bindir}/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js +} + +PACKAGES =+ "${PN}-npm" +FILES:${PN}-npm = "${exec_prefix}/lib/node_modules ${bindir}/npm ${bindir}/npx" +RDEPENDS:${PN}-npm = "bash python3-core python3-shell python3-datetime \ + python3-misc python3-multiprocessing" + +PACKAGES =+ "${PN}-systemtap" +FILES:${PN}-systemtap = "${datadir}/systemtap" + +BBCLASSEXTEND = "native" diff --git a/meta-oe/recipes-devtools/openocd/openocd_git.bb b/meta-oe/recipes-devtools/openocd/openocd_git.bb index e95f1cfa54..9ff23d17af 100644 --- a/meta-oe/recipes-devtools/openocd/openocd_git.bb +++ b/meta-oe/recipes-devtools/openocd/openocd_git.bb @@ -5,10 +5,10 @@ DEPENDS = "libusb-compat libftdi" RDEPENDS_${PN} = "libusb1" SRC_URI = " \ - git://repo.or.cz/openocd.git;protocol=http;name=openocd \ - git://repo.or.cz/r/git2cl.git;protocol=http;destsuffix=tools/git2cl;name=git2cl \ - git://repo.or.cz/r/jimtcl.git;protocol=http;destsuffix=git/jimtcl;name=jimtcl \ - git://repo.or.cz/r/libjaylink.git;protocol=http;destsuffix=git/src/jtag/drivers/libjaylink;name=libjaylink \ + git://repo.or.cz/openocd.git;protocol=http;name=openocd;branch=master \ + git://repo.or.cz/r/git2cl.git;protocol=http;destsuffix=tools/git2cl;name=git2cl;branch=master \ + git://repo.or.cz/r/jimtcl.git;protocol=http;destsuffix=git/jimtcl;name=jimtcl;branch=master \ + git://repo.or.cz/r/libjaylink.git;protocol=http;destsuffix=git/src/jtag/drivers/libjaylink;name=libjaylink;branch=master \ file://0001-Do-not-include-syscrtl.h-with-glibc.patch \ " diff --git a/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb b/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb index 107d5a8b72..84f6c3ce24 100644 --- a/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb +++ b/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=b234ee4d69f5fce4486a80fdaf4a4263" COMPATIBLE_HOST = "(x86_64|aarch64|arm)" SRCREV = "09724edb1783a98da2b7ae53c5aaa87493aabc9b" -SRC_URI = "git://github.com/billfarrow/pcimem.git " +SRC_URI = "git://github.com/billfarrow/pcimem.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb b/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb index c812ae1374..03812e901b 100644 --- a/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb +++ b/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb @@ -9,7 +9,7 @@ LICENSE = "Artistic-1.0 | GPL-1.0+" LIC_FILES_CHKSUM = "file://LICENSE;md5=0ebd37caf53781e8b7223e6b99b63f4e" DEPENDS = "perl" -SRC_URI = "git://github.com/toddr/IPC-Run.git" +SRC_URI = "git://github.com/toddr/IPC-Run.git;branch=master;protocol=https" SRCREV = "0b409702490729eeb97ae65f5b94d949ec083134" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb b/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb index 049dc665dd..760c0ad0a5 100644 --- a/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb +++ b/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb @@ -15,7 +15,7 @@ DEPENDS += "libdev-checklib-perl-native libdbi-perl-native libmysqlclient" LIC_FILES_CHKSUM = "file://LICENSE;md5=d0a06964340e5c0cde88b7af611f755c" SRCREV = "9b5b70ea372f49fe9bc9e592dae3870596d1e3d6" -SRC_URI = "git://github.com/perl5-dbi/DBD-mysql.git;protocol=https" +SRC_URI = "git://github.com/perl5-dbi/DBD-mysql.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch b/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch new file mode 100644 index 0000000000..b41bbe0a50 --- /dev/null +++ b/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch @@ -0,0 +1,56 @@ +Backport patch to fix CVE-2014-10402. + +CVE: CVE-2014-10402 +Upstream-Status: Backport [https://github.com/rehsack/dbi/commit/19d0fb1] + +Ref: +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972180#12 + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + + +From 19d0fb169eed475e1c053e99036b8668625cfa94 Mon Sep 17 00:00:00 2001 +From: Jens Rehsack <sno@netbsd.org> +Date: Tue, 6 Oct 2020 10:22:17 +0200 +Subject: [PATCH] lib/DBD/File.pm: fix CVE-2014-10401 + +Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and +figure out that DBI->parse_dsn is the wrong helper to parse our attributes in +DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes +parse_dsn to bailout. + +Parsing on our own similar to parse_dsn shows the way out. + +Signed-off-by: Jens Rehsack <sno@netbsd.org> +--- + lib/DBD/File.pm | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm +index fb14e9a..f55076f 100644 +--- a/lib/DBD/File.pm ++++ b/lib/DBD/File.pm +@@ -109,7 +109,11 @@ sub connect + # We do not (yet) care about conflicting attributes here + # my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" }); + # will test here that both test and text should exist +- if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) { ++ # ++ # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter. ++ if ($dbname) { ++ my @attrs = split /;/ => $dbname; ++ my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs }; + if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) { + my $msg = "No such directory '$attr_hash->{f_dir}"; + $drh->set_err (2, $msg); +@@ -120,7 +124,6 @@ sub connect + if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) { + my $msg = "No such directory '$attr->{f_dir}"; + $drh->set_err (2, $msg); +- $attr->{RaiseError} and croak $msg; + return; + } + +-- +2.17.1 + diff --git a/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb b/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb index 75fad46bfd..c8abae628f 100644 --- a/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb +++ b/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb @@ -9,7 +9,9 @@ SECTION = "libs" LICENSE = "Artistic-1.0 | GPL-1.0+" LIC_FILES_CHKSUM = "file://LICENSE;md5=10982c7148e0a012c0fd80534522f5c5" -SRC_URI = "http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-${PV}.tar.gz" +SRC_URI = "http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-${PV}.tar.gz \ + file://CVE-2014-10402.patch \ + " SRC_URI[md5sum] = "352f80b1e23769c116082a90905d7398" SRC_URI[sha256sum] = "8a2b993db560a2c373c174ee976a51027dd780ec766ae17620c20393d2e836fa" diff --git a/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb b/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb index 4e5a8a6ff2..29bc99e141 100644 --- a/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb +++ b/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://README;beginline=1171;endline=1176;md5=3be2cb8159d094 DEPENDS += "perl" -SRC_URI = "git://github.com/makamaka/JSON.git;protocol=https" +SRC_URI = "git://github.com/makamaka/JSON.git;protocol=https;branch=master" SRCREV = "42a6324df654e92419512cee80c0b49155d9e56d" diff --git a/meta-oe/recipes-devtools/php/php/CVE-2022-4900.patch b/meta-oe/recipes-devtools/php/php/CVE-2022-4900.patch new file mode 100644 index 0000000000..4bfd94c9fd --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2022-4900.patch @@ -0,0 +1,48 @@ +From 789a37f14405e2d1a05a76c9fb4ed2d49d4580d5 Mon Sep 17 00:00:00 2001 +From: guoyiyuan <yguoaz@gmail.com> +Date: Wed, 13 Jul 2022 20:55:51 +0800 +Subject: [PATCH] Prevent potential buffer overflow for large value of + php_cli_server_workers_max + +Fixes #8989. +Closes #9000 + +Upstream-Status: Backport [https://github.com/php/php-src/commit/789a37f14405e2d1a05a76c9fb4ed2d49d4580d5] +CVE: CVE-2022-4900 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + sapi/cli/php_cli_server.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c +index c3097861..48f8309d 100644 +--- a/sapi/cli/php_cli_server.c ++++ b/sapi/cli/php_cli_server.c +@@ -517,13 +517,8 @@ static int sapi_cli_server_startup(sapi_module_struct *sapi_module) /* {{{ */ + if (php_cli_server_workers_max > 1) { + zend_long php_cli_server_worker; + +- php_cli_server_workers = calloc( +- php_cli_server_workers_max, sizeof(pid_t)); +- if (!php_cli_server_workers) { +- php_cli_server_workers_max = 1; +- +- return SUCCESS; +- } ++ php_cli_server_workers = pecalloc( ++ php_cli_server_workers_max, sizeof(pid_t), 1); + + php_cli_server_master = getpid(); + +@@ -2361,7 +2356,7 @@ static void php_cli_server_dtor(php_cli_server *server) /* {{{ */ + !WIFSIGNALED(php_cli_server_worker_status)); + } + +- free(php_cli_server_workers); ++ pefree(php_cli_server_workers, 1); + } + #endif + } /* }}} */ +-- +2.25.1 + diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch new file mode 100644 index 0000000000..db9e41796c --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-1.patch @@ -0,0 +1,87 @@ +From ac4254ad764c70cb1f05c9270d8d12689fc3aeb6 Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Sun, 16 Apr 2023 15:05:03 +0200 +Subject: [PATCH] Fix missing randomness check and insufficient random bytes + for SOAP HTTP Digest +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If php_random_bytes_throw fails, the nonce will be uninitialized, but +still sent to the server. The client nonce is intended to protect +against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1], +and bullet point 2 below. + +Tim pointed out that even though it's the MD5 of the nonce that gets sent, +enumerating 31 bits is trivial. So we have still a stack information leak +of 31 bits. + +Furthermore, Tim found the following issues: +* The small size of cnonce might cause the server to erroneously reject + a request due to a repeated (cnonce, nc) pair. As per the birthday + problem 31 bits of randomness will return a duplication with 50% + chance after less than 55000 requests and nc always starts counting at 1. +* The cnonce is intended to protect the client and password against a + malicious server that returns a constant server nonce where the server + precomputed a rainbow table between passwords and correct client response. + As storage is fairly cheap, a server could precompute the client responses + for (a subset of) client nonces and still have a chance of reversing the + client response with the same probability as the cnonce duplication. + + Precomputing the rainbow table for all 2^31 cnonces increases the rainbow + table size by factor 2 billion, which is infeasible. But precomputing it + for 2^14 cnonces only increases the table size by factor 16k and the server + would still have a 10% chance of successfully reversing a password with a + single client request. + +This patch fixes the issues by increasing the nonce size, and checking +the return value of php_random_bytes_throw(). In the process we also get +rid of the MD5 hashing of the nonce. + +[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616 + +Co-authored-by: Tim Düsterhus <timwolla@php.net> + +Upstream-Status: Backport [https://github.com/php/php-src/commit/ac4254ad764c70cb1f05c9270d8d12689fc3aeb6] +CVE: CVE-2023-3247 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + ext/soap/php_http.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c +index 1da286ad875f..e796dba9619a 100644 +--- a/ext/soap/php_http.c ++++ b/ext/soap/php_http.c +@@ -664,18 +664,23 @@ int make_http_soap_request(zval *this_ptr, + if ((digest = zend_hash_str_find(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest")-1)) != NULL) { + if (Z_TYPE_P(digest) == IS_ARRAY) { + char HA1[33], HA2[33], response[33], cnonce[33], nc[9]; +- zend_long nonce; ++ unsigned char nonce[16]; + PHP_MD5_CTX md5ctx; + unsigned char hash[16]; + +- php_random_bytes_throw(&nonce, sizeof(nonce)); +- nonce &= 0x7fffffff; ++ if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) { ++ ZEND_ASSERT(EG(exception)); ++ php_stream_close(stream); ++ convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr)); ++ convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr)); ++ convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr)); ++ smart_str_free(&soap_headers_z); ++ smart_str_free(&soap_headers); ++ return FALSE; ++ } + +- PHP_MD5Init(&md5ctx); +- snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, nonce); +- PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce)); +- PHP_MD5Final(hash, &md5ctx); +- make_digest(cnonce, hash); ++ php_hash_bin2hex(cnonce, nonce, sizeof(nonce)); ++ cnonce[32] = 0; + + if ((tmp = zend_hash_str_find(Z_ARRVAL_P(digest), "nc", sizeof("nc")-1)) != NULL && + Z_TYPE_P(tmp) == IS_LONG) { diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch new file mode 100644 index 0000000000..80c1961aa1 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3247-2.patch @@ -0,0 +1,29 @@ +From 32c7c433ac1983c4497349051681a4f361d3d33e Mon Sep 17 00:00:00 2001 +From: Pierrick Charron <pierrick@php.net> +Date: Tue, 6 Jun 2023 18:49:32 -0400 +Subject: [PATCH] Fix wrong backporting of previous soap patch + +Upstream-Status: Backport [https://github.com/php/php-src/commit/32c7c433ac1983c4497349051681a4f361d3d33e] +CVE: CVE-2023-3247 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + ext/soap/php_http.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c +index 77ed21d4f0f4..37250a6bdcd1 100644 +--- a/ext/soap/php_http.c ++++ b/ext/soap/php_http.c +@@ -672,9 +672,9 @@ int make_http_soap_request(zval *this_ptr, + if (UNEXPECTED(php_random_bytes_throw(&nonce, sizeof(nonce)) != SUCCESS)) { + ZEND_ASSERT(EG(exception)); + php_stream_close(stream); +- convert_to_null(Z_CLIENT_HTTPURL_P(this_ptr)); +- convert_to_null(Z_CLIENT_HTTPSOCKET_P(this_ptr)); +- convert_to_null(Z_CLIENT_USE_PROXY_P(this_ptr)); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpurl", sizeof("httpurl")-1); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "httpsocket", sizeof("httpsocket")-1); ++ zend_hash_str_del(Z_OBJPROP_P(this_ptr), "_use_proxy", sizeof("_use_proxy")-1); + smart_str_free(&soap_headers_z); + smart_str_free(&soap_headers); + return FALSE; diff --git a/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch new file mode 100644 index 0000000000..953b5258e1 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2023-3824.patch @@ -0,0 +1,91 @@ +From 80316123f3e9dcce8ac419bd9dd43546e2ccb5ef Mon Sep 17 00:00:00 2001 +From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> +Date: Mon, 10 Jul 2023 13:25:34 +0200 +Subject: [PATCH] Fix buffer mismanagement in phar_dir_read() + +Fixes GHSA-jqcx-ccgc-xwhv. + +Upstream-Status: Backport from [https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef] +CVE: CVE-2023-3824 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + ext/phar/dirstream.c | 15 ++++++++------ + ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt | 27 +++++++++++++++++++++++++ + 2 files changed, 36 insertions(+), 6 deletions(-) + create mode 100644 ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt + +diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c +index 4710703c..490b1452 100644 +--- a/ext/phar/dirstream.c ++++ b/ext/phar/dirstream.c +@@ -91,25 +91,28 @@ static int phar_dir_seek(php_stream *stream, zend_off_t offset, int whence, zend + */ + static ssize_t phar_dir_read(php_stream *stream, char *buf, size_t count) /* {{{ */ + { +- size_t to_read; + HashTable *data = (HashTable *)stream->abstract; + zend_string *str_key; + zend_ulong unused; + ++ if (count != sizeof(php_stream_dirent)) { ++ return -1; ++ } ++ + if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(data, &str_key, &unused)) { + return 0; + } + + zend_hash_move_forward(data); +- to_read = MIN(ZSTR_LEN(str_key), count); + +- if (to_read == 0 || count < ZSTR_LEN(str_key)) { ++ php_stream_dirent *dirent = (php_stream_dirent *) buf; ++ ++ if (sizeof(dirent->d_name) <= ZSTR_LEN(str_key)) { + return 0; + } + +- memset(buf, 0, sizeof(php_stream_dirent)); +- memcpy(((php_stream_dirent *) buf)->d_name, ZSTR_VAL(str_key), to_read); +- ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0'; ++ memset(dirent, 0, sizeof(php_stream_dirent)); ++ PHP_STRLCPY(dirent->d_name, ZSTR_VAL(str_key), sizeof(dirent->d_name), ZSTR_LEN(str_key)); + + return sizeof(php_stream_dirent); + } +diff --git a/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt +new file mode 100644 +index 00000000..4e12f05f +--- /dev/null ++++ b/ext/phar/tests/GHSA-jqcx-ccgc-xwhv.phpt +@@ -0,0 +1,27 @@ ++--TEST-- ++GHSA-jqcx-ccgc-xwhv (Buffer overflow and overread in phar_dir_read()) ++--SKIPIF-- ++<?php if (!extension_loaded("phar")) die("skip"); ?> ++--INI-- ++phar.readonly=0 ++--FILE-- ++<?php ++$phar = new Phar(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar'); ++$phar->startBuffering(); ++$phar->addFromString(str_repeat('A', PHP_MAXPATHLEN - 1), 'This is the content of file 1.'); ++$phar->addFromString(str_repeat('B', PHP_MAXPATHLEN - 1).'C', 'This is the content of file 2.'); ++$phar->stopBuffering(); ++ ++$handle = opendir('phar://' . __DIR__ . '/GHSA-jqcx-ccgc-xwhv.phar'); ++var_dump(strlen(readdir($handle))); ++// Must not be a string of length PHP_MAXPATHLEN+1 ++var_dump(readdir($handle)); ++closedir($handle); ++?> ++--CLEAN-- ++<?php ++unlink(__DIR__. '/GHSA-jqcx-ccgc-xwhv.phar'); ++?> ++--EXPECTF-- ++int(%d) ++bool(false) +-- +2.24.4 + diff --git a/meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch b/meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch index 21050f7605..a4804d1849 100755..100644 --- a/meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch +++ b/meta-oe/recipes-devtools/php/php/debian-php-fixheader.patch @@ -1,31 +1,32 @@ -php: remove host specific info from header file +From 1234a8ef7c5ab88e24bc5908f0ccfd55af21aa39 Mon Sep 17 00:00:00 2001 +From: Leon Anavi <leon.anavi@konsulko.com> +Date: Mon, 31 Aug 2020 16:03:27 +0300 +Subject: [PATCH] php: remove host specific info from header file +Based on: https://sources.debian.org/data/main/p/php7.3/7.3.6-1/debian/patches/ 0036-php-5.4.9-fixheader.patch Upstream-Status: Inappropriate [not author] Signed-off-by: Joe Slater <joe.slater@windriver.com> - ---- -From: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org> -Date: Sat, 2 May 2015 10:26:56 +0200 -Subject: php-5.4.9-fixheader - -Make generated php_config.h constant across rebuilds. +Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index 433d7e6..41893d7 100644 +index 2a474ba36d..6d22a21630 100644 --- a/configure.ac +++ b/configure.ac -@@ -1357,7 +1357,7 @@ PHP_BUILD_DATE=`date -u +%Y-%m-%d` +@@ -1323,7 +1323,7 @@ PHP_BUILD_DATE=`date -u +%Y-%m-%d` fi AC_DEFINE_UNQUOTED(PHP_BUILD_DATE,"$PHP_BUILD_DATE",[PHP build date]) --PHP_UNAME=`uname -a | xargs` -+PHP_UNAME=`uname | xargs` +-UNAME=`uname -a | xargs` ++UNAME=`uname | xargs` + PHP_UNAME=${PHP_UNAME:-$UNAME} AC_DEFINE_UNQUOTED(PHP_UNAME,"$PHP_UNAME",[uname -a output]) PHP_OS=`uname | xargs` - AC_DEFINE_UNQUOTED(PHP_OS,"$PHP_OS",[uname output]) +-- +2.17.1 + diff --git a/meta-oe/recipes-devtools/php/php_7.4.4.bb b/meta-oe/recipes-devtools/php/php_7.4.33.bb index 1d93902e72..74606e4883 100644 --- a/meta-oe/recipes-devtools/php/php_7.4.4.bb +++ b/meta-oe/recipes-devtools/php/php_7.4.33.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://www.php.net" SECTION = "console/network" LICENSE = "PHP-3.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=7e571b888d585b31f9ef5edcc647fa30" +LIC_FILES_CHKSUM = "file://LICENSE;md5=99532e0f6620bc9bca34f12fadaee33c" BBCLASSEXTEND = "native" DEPENDS = "zlib bzip2 libxml2 virtual/libiconv php-native lemon-native" @@ -16,6 +16,8 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \ file://debian-php-fixheader.patch \ file://0001-configure.ac-don-t-include-build-libtool.m4.patch \ file://0001-php.m4-don-t-unset-cache-variables.patch \ + file://CVE-2023-3824.patch \ + file://CVE-2022-4900.patch \ " SRC_URI_append_class-target = " \ @@ -30,10 +32,13 @@ SRC_URI_append_class-target = " \ file://phar-makefile.patch \ file://0001-opcache-config.m4-enable-opcache.patch \ file://xfail_two_bug_tests.patch \ + file://CVE-2023-3247-1.patch \ + file://CVE-2023-3247-2.patch \ " + S = "${WORKDIR}/php-${PV}" -SRC_URI[md5sum] = "262c258a3b8b5699fcca89a64e58758c" -SRC_URI[sha256sum] = "308e8f4182ec8a2767b0b1b8e1e7c69fb149b37cfb98ee4a37475e082fa9829f" +SRC_URI[sha256sum] = "4e8117458fe5a475bf203128726b71bcbba61c42ad463dffadee5667a198a98a" + inherit autotools pkgconfig python3native gettext @@ -153,7 +158,6 @@ do_install_prepend_class-target() { # fixme do_install_append_class-target() { install -d ${D}${sysconfdir}/ - rm -rf ${D}/${TMPDIR} rm -rf ${D}/.registry rm -rf ${D}/.channels rm -rf ${D}/.[a-z]* @@ -177,14 +181,6 @@ do_install_append_class-target() { ${D}${systemd_unitdir}/system/php-fpm.service fi - TMP=`dirname ${D}/${TMPDIR}` - while test ${TMP} != ${D}; do - if [ -d ${TMP} ]; then - rmdir ${TMP} - fi - TMP=`dirname ${TMP}`; - done - if ${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/apache2/modules.d install -d ${D}${sysconfdir}/php/apache2-php${PHP_MAJOR_VERSION} @@ -210,7 +206,7 @@ php_sysroot_preprocess () { MODPHP_PACKAGE = "${@bb.utils.contains('PACKAGECONFIG', 'apache2', '${PN}-modphp', '', d)}" -PACKAGES = "${PN}-dbg ${PN}-cli ${PN}-cgi ${PN}-fpm ${PN}-fpm-apache2 ${PN}-pear ${PN}-phar ${MODPHP_PACKAGE} ${PN}-dev ${PN}-staticdev ${PN}-doc ${PN}-opcache ${PN}" +PACKAGES = "${PN}-dbg ${PN}-cli ${PN}-phpdbg ${PN}-cgi ${PN}-fpm ${PN}-fpm-apache2 ${PN}-pear ${PN}-phar ${MODPHP_PACKAGE} ${PN}-dev ${PN}-staticdev ${PN}-doc ${PN}-opcache ${PN}" RDEPENDS_${PN} += "libgcc" RDEPENDS_${PN}-pear = "${PN}" @@ -219,6 +215,8 @@ RDEPENDS_${PN}-cli = "${PN}" RDEPENDS_${PN}-modphp = "${PN} apache2" RDEPENDS_${PN}-opcache = "${PN}" +ALLOW_EMPTY_${PN} = "1" + INITSCRIPT_PACKAGES = "${PN}-fpm" inherit update-rc.d @@ -226,6 +224,7 @@ FILES_${PN}-dbg =+ "${bindir}/.debug \ ${libexecdir}/apache2/modules/.debug" FILES_${PN}-doc += "${PHP_LIBDIR}/php/doc" FILES_${PN}-cli = "${bindir}/php" +FILES_${PN}-phpdbg = "${bindir}/phpdbg" FILES_${PN}-phar = "${bindir}/phar*" FILES_${PN}-cgi = "${bindir}/php-cgi" FILES_${PN}-fpm = "${sbindir}/php-fpm ${sysconfdir}/php-fpm.conf ${datadir}/fpm ${sysconfdir}/init.d/php-fpm ${systemd_unitdir}/system/php-fpm.service ${sysconfdir}/php-fpm.d/www.conf.default" diff --git a/meta-oe/recipes-devtools/ply/ply_git.bb b/meta-oe/recipes-devtools/ply/ply_git.bb index 7d693b36da..bf789488d7 100644 --- a/meta-oe/recipes-devtools/ply/ply_git.bb +++ b/meta-oe/recipes-devtools/ply/ply_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS += "bison-native" -SRC_URI = "git://github.com/iovisor/ply" +SRC_URI = "git://github.com/iovisor/ply;branch=master;protocol=https" SRCREV = "aa5b9ac31307ec1acece818be334ef801c802a12" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/pmtools/pmtools_git.bb b/meta-oe/recipes-devtools/pmtools/pmtools_git.bb index 9afcbbb7f5..f605d2c90d 100644 --- a/meta-oe/recipes-devtools/pmtools/pmtools_git.bb +++ b/meta-oe/recipes-devtools/pmtools/pmtools_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3" PV = "20130209+git${SRCPV}" -SRC_URI = "git://github.com/anyc/pmtools.git \ +SRC_URI = "git://github.com/anyc/pmtools.git;branch=master;protocol=https \ file://pmtools-switch-to-dynamic-buffer-for-huge-ACPI-table.patch \ " SRCREV = "3ebe0e54c54061b4c627236cbe35d820de2e1168" diff --git a/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb b/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb index ed8773443e..7bc1f23e70 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb @@ -14,7 +14,7 @@ DEPENDS = "protobuf-native protobuf" SRCREV = "f20a3fa131c275a0e795d99a28f94b4dbbb5af26" -SRC_URI = "git://github.com/protobuf-c/protobuf-c.git \ +SRC_URI = "git://github.com/protobuf-c/protobuf-c.git;branch=master;protocol=https \ file://0001-avoid-race-condition.patch \ " diff --git a/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch new file mode 100644 index 0000000000..bb9594e968 --- /dev/null +++ b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch @@ -0,0 +1,73 @@ +From f5ce0700d80c776186b0fb0414ef20966a3a6a03 Mon Sep 17 00:00:00 2001 +From: "Sana.Kazi" <Sana.Kazi@kpit.com> +Date: Wed, 23 Feb 2022 15:50:16 +0530 +Subject: [PATCH] protobuf: Fix CVE-2021-22570 + +CVE: CVE-2021-22570 +Upstream-Status: Backport [https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch] +Comment: Removed first and second hunk +Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> + +--- + src/google/protobuf/descriptor.cc | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc +index 6835a3cde..1514ae531 100644 +--- a/src/google/protobuf/descriptor.cc ++++ b/src/google/protobuf/descriptor.cc +@@ -2603,6 +2603,8 @@ void Descriptor::DebugString(int depth, std::string* contents, + const Descriptor::ReservedRange* range = reserved_range(i); + if (range->end == range->start + 1) { + strings::SubstituteAndAppend(contents, "$0, ", range->start); ++ } else if (range->end > FieldDescriptor::kMaxNumber) { ++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); + } else { + strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, + range->end - 1); +@@ -2815,6 +2817,8 @@ void EnumDescriptor::DebugString( + const EnumDescriptor::ReservedRange* range = reserved_range(i); + if (range->end == range->start) { + strings::SubstituteAndAppend(contents, "$0, ", range->start); ++ } else if (range->end == INT_MAX) { ++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); + } else { + strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, + range->end); +@@ -4002,6 +4006,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, + // Use its file as the parent instead. + if (parent == nullptr) parent = file_; + ++ if (full_name.find('\0') != std::string::npos) { ++ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + full_name + "\" contains null character."); ++ return false; ++ } + if (tables_->AddSymbol(full_name, symbol)) { + if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) { + // This is only possible if there was already an error adding something of +@@ -4041,6 +4050,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, + void DescriptorBuilder::AddPackage(const std::string& name, + const Message& proto, + const FileDescriptor* file) { ++ if (name.find('\0') != std::string::npos) { ++ AddError(name, proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + name + "\" contains null character."); ++ return; ++ } + if (tables_->AddSymbol(name, Symbol(file))) { + // Success. Also add parent package, if any. + std::string::size_type dot_pos = name.find_last_of('.'); +@@ -4354,6 +4368,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl( + } + result->pool_ = pool_; + ++ if (result->name().find('\0') != std::string::npos) { ++ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + result->name() + "\" contains null character."); ++ return nullptr; ++ } ++ + // Add to tables. + if (!tables_->AddFile(result)) { + AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER, diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb index 4d6c5b2557..55d56ff08e 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb @@ -12,11 +12,12 @@ DEPENDS_append_class-target = " protobuf-native" SRCREV = "d0bfd5221182da1a7cc280f3337b5e41a89539cf" -SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x \ +SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x;protocol=https \ file://run-ptest \ file://0001-protobuf-fix-configure-error.patch \ file://0001-Makefile.am-include-descriptor.cc-when-building-libp.patch \ file://0001-examples-Makefile-respect-CXX-LDFLAGS-variables-fix-.patch \ + file://CVE-2021-22570.patch \ " S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python-cython.inc b/meta-oe/recipes-devtools/python/python-cython.inc index 3260e92bac..3260e92bac 100644 --- a/meta-python/recipes-devtools/python/python-cython.inc +++ b/meta-oe/recipes-devtools/python/python-cython.inc diff --git a/meta-python/recipes-devtools/python/python3-cython_0.29.14.bb b/meta-oe/recipes-devtools/python/python3-cython_0.29.14.bb index 2ce6bdbd68..2ce6bdbd68 100644 --- a/meta-python/recipes-devtools/python/python3-cython_0.29.14.bb +++ b/meta-oe/recipes-devtools/python/python3-cython_0.29.14.bb diff --git a/meta-python/recipes-devtools/python/python3-pyparsing_2.4.6.bb b/meta-oe/recipes-devtools/python/python3-pyparsing_2.4.6.bb index a6ec1cb9c3..a6ec1cb9c3 100644 --- a/meta-python/recipes-devtools/python/python3-pyparsing_2.4.6.bb +++ b/meta-oe/recipes-devtools/python/python3-pyparsing_2.4.6.bb diff --git a/meta-python/recipes-devtools/python/python3-pyyaml_5.3.1.bb b/meta-oe/recipes-devtools/python/python3-pyyaml_5.3.1.bb index 8cf9093041..8cf9093041 100644 --- a/meta-python/recipes-devtools/python/python3-pyyaml_5.3.1.bb +++ b/meta-oe/recipes-devtools/python/python3-pyyaml_5.3.1.bb diff --git a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb index e3ed9c6a17..bc90bffe5e 100644 --- a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb +++ b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb @@ -4,10 +4,9 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://license.txt;md5=ba04aa8f65de1396a7e59d1d746c2125" -SRC_URI = "git://github.com/miloyip/rapidjson.git;nobranch=1 \ - file://0001-CMake-remove-hardcoded-CMAKECONFIG_INSTALL_DIR-path.patch" +SRC_URI = "git://github.com/miloyip/rapidjson.git;branch=master;protocol=https" -SRCREV = "6a905f9311f82d306da77bd963ec5aa5da07da9c" +SRCREV = "0ccdbf364c577803e2a751f5aededce935314313" PV = "1.1.0+git${SRCPV}" diff --git a/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb b/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb index cd5e0a4e5c..20cad69b53 100644 --- a/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb +++ b/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://git.breakpoint.cc/cgit/bigeasy/serialcheck.git/" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://git.breakpoint.cc/bigeasy/serialcheck.git \ +SRC_URI = "git://git.breakpoint.cc/bigeasy/serialcheck.git;branch=master \ file://0001-Add-option-to-enable-internal-loopback.patch \ file://0002-Restore-original-loopback-config.patch \ file://0001-Makefile-Change-order-of-link-flags.patch \ diff --git a/meta-oe/recipes-devtools/sip/sip3_4.19.19.bb b/meta-oe/recipes-devtools/sip/sip3_4.19.19.bb deleted file mode 100644 index 010fa30fe3..0000000000 --- a/meta-oe/recipes-devtools/sip/sip3_4.19.19.bb +++ /dev/null @@ -1,11 +0,0 @@ -require sip.inc - -DEPENDS = "python3" - -inherit python3-dir python3native - -PACKAGES += "python3-sip3" - -FILES_python3-sip3 = "${libdir}/${PYTHON_DIR}/site-packages/" -FILES_${PN}-dbg += "${libdir}/${PYTHON_DIR}/site-packages/.debug" - diff --git a/meta-oe/recipes-devtools/sip/sip.inc b/meta-oe/recipes-devtools/sip/sip3_4.19.23.bb index d8e32a7687..320755b844 100644 --- a/meta-oe/recipes-devtools/sip/sip.inc +++ b/meta-oe/recipes-devtools/sip/sip3_4.19.23.bb @@ -1,16 +1,22 @@ SUMMARY = "SIP is a C++/Python Wrapper Generator" -HOMEPAGE = "http://www.riverbankcomputing.co.uk/sip" +HOMEPAGE = "https://riverbankcomputing.com/software/sip/" SECTION = "devel" LICENSE = "GPLv2+" LIC_FILES_CHKSUM = "file://LICENSE-GPL2;md5=e91355d8a6f8bd8f7c699d62863c7303" SRC_URI = "https://www.riverbankcomputing.com/static/Downloads/sip/${PV}/sip-${PV}.tar.gz \ " -SRC_URI[md5sum] = "98111479309dc472410f26080d6d4a88" -SRC_URI[sha256sum] = "5436b61a78f48c7e8078e93a6b59453ad33780f80c644e5f3af39f94be1ede44" +SRC_URI[md5sum] = "70adc0c9734e2d9dcd241d3f931dfc74" +SRC_URI[sha256sum] = "22ca9bcec5388114e40d4aafd7ccd0c4fe072297b628d0c5cdfa2f010c0bc7e7" + +inherit python3-dir python3native S = "${WORKDIR}/sip-${PV}" +DEPENDS = "python3" + +PACKAGES += "python3-sip3" + BBCLASSEXTEND = "native" do_configure_prepend_class-target() { @@ -22,6 +28,7 @@ do_configure_prepend_class-target() { echo "sip_sip_dir = ${D}/${datadir}/sip" >> sip.cfg ${PYTHON} configure.py --configuration sip.cfg --sip-module PyQt5.sip --sysroot ${STAGING_DIR_HOST} CC="${CC}" CXX="${CXX}" LINK="${CXX}" STRIP="" LINK_SHLIB="${CXX}" CFLAGS="${CFLAGS}" CXXFLAGS="${CXXFLAGS}" LFLAGS="${LDFLAGS}" } + do_configure_prepend_class-native() { echo "py_platform = linux" > sip.cfg echo "py_inc_dir = ${includedir}/python%(py_major).%(py_minor)${PYTHON_ABI}" >> sip.cfg @@ -31,6 +38,10 @@ do_configure_prepend_class-native() { echo "sip_sip_dir = ${D}/${datadir}/sip" >> sip.cfg ${PYTHON} configure.py --configuration sip.cfg --sip-module PyQt5.sip --sysroot=${STAGING_DIR_NATIVE} } + do_install() { oe_runmake install } + +FILES_python3-sip3 = "${libdir}/${PYTHON_DIR}/site-packages/" +FILES_${PN}-dbg += "${libdir}/${PYTHON_DIR}/site-packages/.debug" diff --git a/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb b/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb index 4a27e4b2a5..9d07405560 100644 --- a/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb +++ b/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb @@ -8,7 +8,7 @@ inherit cmake DEPENDS += "sqlite3" SRCREV = "e8a9e9416f421303f4b8970caab26dadf8bae98b" -SRC_URI = "git://github.com/fnc12/sqlite_orm;protocol=https" +SRC_URI = "git://github.com/fnc12/sqlite_orm;protocol=https;branch=master" S = "${WORKDIR}/git" EXTRA_OECMAKE += "-DSqliteOrm_BuildTests=OFF" diff --git a/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb b/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb index 46a9408031..3280dba49b 100644 --- a/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb +++ b/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb @@ -4,7 +4,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=0ca8b9c5c5445cfa7af7e78fd27e60ed" SRCREV = "75f440bcac1276c847f5351e14216f6e91def44d" -SRC_URI = "git://git.code.sf.net/p/tclap/code \ +SRC_URI = "git://git.code.sf.net/p/tclap/code;branch=master \ file://Makefile.am-disable-docs.patch \ " diff --git a/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb b/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb index c33fa048cf..a78eecfea3 100644 --- a/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb +++ b/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb @@ -12,7 +12,7 @@ inherit autotools # v0.9.4 SRCREV = "d648bbffedef529220896283fb59e35531c13804" -SRC_URI = "git://github.com/namhyung/${BPN} \ +SRC_URI = "git://github.com/namhyung/${BPN};branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/valijson/valijson_git.bb b/meta-oe/recipes-devtools/valijson/valijson_git.bb index c3254d16e7..5cff40752a 100644 --- a/meta-oe/recipes-devtools/valijson/valijson_git.bb +++ b/meta-oe/recipes-devtools/valijson/valijson_git.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/tristanpenman/valijson" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=015106c62262b2383f6c72063f0998f2" -SRC_URI = "git://github.com/tristanpenman/valijson.git" +SRC_URI = "git://github.com/tristanpenman/valijson.git;branch=master;protocol=https" PV = "0.1+git${SRCPV}" SRCREV = "c2f22fddf599d04dc33fcd7ed257c698a05345d9" diff --git a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb index 6c31b69817..34df701260 100644 --- a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb +++ b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb @@ -5,7 +5,7 @@ HOMEPAGE = "http://xmlrpc-c.sourceforge.net/" LICENSE = "BSD & MIT" LIC_FILES_CHKSUM = "file://doc/COPYING;md5=aefbf81ba0750f02176b6f86752ea951" -SRC_URI = "git://github.com/mirror/xmlrpc-c.git \ +SRC_URI = "git://github.com/mirror/xmlrpc-c.git;branch=master;protocol=https \ file://0001-test-cpp-server_abyss-Fix-build-with-clang-libc.patch \ file://0002-fix-formatting-issues.patch \ " diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch new file mode 100644 index 0000000000..169784d427 --- /dev/null +++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2023-33460.patch @@ -0,0 +1,29 @@ +From 23a122eddaa28165a6c219000adcc31ff9a8a698 Mon Sep 17 00:00:00 2001 +From: "zhang.jiujiu" <282627424@qq.com> +Date: Tue, 7 Dec 2021 22:37:02 +0800 +Subject: [PATCH] fix memory leaks + +Upstream-Status: Backport [https://github.com/openEuler-BaseService/yajl/commit/23a122eddaa28165a6c219000adcc31ff9a8a698] +CVE: CVE-2023-33460 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/yajl_tree.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/yajl_tree.c b/src/yajl_tree.c +index 3d357a3..a71167e 100644 +--- a/src/yajl_tree.c ++++ b/src/yajl_tree.c +@@ -445,6 +445,9 @@ yajl_val yajl_tree_parse (const char *input, + YA_FREE(&(handle->alloc), internal_err_str); + } + yajl_free (handle); ++ //If the requested memory is not released in time, it will cause memory leakage ++ if(ctx.root) ++ yajl_tree_free(ctx.root); + return NULL; + } + +-- +2.25.1 + diff --git a/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb b/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb index e112a5e30f..186f2c8ed0 100644 --- a/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb +++ b/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=da2e9aa80962d54e7c726f232a2bd1e8" # Use 1.0.12 tag SRCREV = "17b1790fb9c8abbb3c0f7e083864a6a014191d56" -SRC_URI = "git://github.com/lloyd/yajl;nobranch=1" +SRC_URI = "git://github.com/lloyd/yajl;nobranch=1;protocol=https" inherit cmake lib_package diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb index d9a5821cbb..697f54d9fb 100644 --- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb +++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb @@ -8,7 +8,9 @@ HOMEPAGE = "http://lloyd.github.com/yajl/" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d" -SRC_URI = "git://github.com/lloyd/yajl" +SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \ + file://CVE-2023-33460.patch \ + " SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-oe/recipes-devtools/yasm/yasm_git.bb index 53856263f7..6aae29ad8c 100644 --- a/meta-oe/recipes-devtools/yasm/yasm_git.bb +++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb @@ -9,7 +9,7 @@ DEPENDS += "flex-native bison-native xmlto-native" PV = "1.3.0+git${SRCPV}" # v1.3.0 SRCREV = "ba463d3c26c0ece2e797b8d6381b161633b5971a" -SRC_URI = "git://github.com/yasm/yasm.git" +SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch new file mode 100644 index 0000000000..c21794d147 --- /dev/null +++ b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch @@ -0,0 +1,44 @@ +From 95ab3786ce0f16e08e41f7bf216969a37dc86cad Mon Sep 17 00:00:00 2001 +From: Jan Kraemer <jan@spectrejan.de> +Date: Thu, 7 Oct 2021 12:48:04 +0200 +Subject: [PATCH] brotli: fix CVE-2020-8927 + +[No upstream tracking] -- + +This fixes a potential overflow when input chunk is >2GiB in +BrotliGetAvailableBits by capping the returned value to 2^30 + +Fixed in brotli version 1.0.8 +https://github.com/google/brotli as of commit id +223d80cfbec8fd346e32906c732c8ede21f0cea6 + +Patch taken from Debian Buster: 1.0.7-2+deb10u1 +http://deb.debian.org/debian/pool/main/b/brotli/brotli_1.0.7-2+deb10u1.dsc +https://security-tracker.debian.org/tracker/CVE-2020-8927 + + +Upstream-Status: Backported +CVE: CVE-2020-8927 + +Signed-off-by: Jan Kraemer <jan@spectrejan.de> +--- + c/dec/bit_reader.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/c/dec/bit_reader.h b/c/dec/bit_reader.h +index c06e914..0d20312 100644 +--- a/c/dec/bit_reader.h ++++ b/c/dec/bit_reader.h +@@ -87,8 +87,11 @@ static BROTLI_INLINE uint32_t BrotliGetAvailableBits( + } + + /* Returns amount of unread bytes the bit reader still has buffered from the +- BrotliInput, including whole bytes in br->val_. */ ++ BrotliInput, including whole bytes in br->val_. Result is capped with ++ maximal ring-buffer size (larger number won't be utilized anyway). */ + static BROTLI_INLINE size_t BrotliGetRemainingBytes(BrotliBitReader* br) { ++ static const size_t kCap = (size_t)1 << 30; ++ if (br->avail_in > kCap) return kCap; + return br->avail_in + (BrotliGetAvailableBits(br) >> 3); + } + diff --git a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb index 70dbcaffb1..77fef778a4 100644 --- a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb +++ b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb @@ -6,7 +6,9 @@ BUGTRACKER = "https://github.com/google/brotli/issues" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=941ee9cd1609382f946352712a319b4b" -SRC_URI = "git://github.com/google/brotli.git" +SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https \ + file://0001-brotli-fix-CVE-2020-8927.patch \ + " # tag 1.0.7 SRCREV= "d6d98957ca8ccb1ef45922e978bb10efca0ea541" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb b/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb index 6c71d534be..388feb703b 100644 --- a/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb +++ b/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b19ee058d2d5f69af45da98051d91064" SECTION = "Development/Libraries" DEPENDS = "swig-native python3 sblim-cmpi-devel" -SRC_URI = "git://github.com/kkaempf/cmpi-bindings.git;protocol=http \ +SRC_URI = "git://github.com/kkaempf/cmpi-bindings.git;protocol=http;branch=master;protocol=https \ file://cmpi-bindings-0.4.17-no-ruby-perl.patch \ file://cmpi-bindings-0.4.17-sblim-sigsegv.patch \ file://cmpi-bindings-0.9.5-python-lib-dir.patch \ diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/204.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/204.patch deleted file mode 100644 index f0fc0bcb2c..0000000000 --- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/204.patch +++ /dev/null @@ -1,148 +0,0 @@ -Upstream-Status: Submitted [https://github.com/GENIVI/dlt-daemon/pull/204] -From 92830aff6e91041f574753d78da758c62981d9a4 Mon Sep 17 00:00:00 2001 -From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> -Date: Sat, 25 Jan 2020 09:08:07 +0100 -Subject: [PATCH 1/3] dlt_user.h: fix build when musl is the libc - implementation, by adding a missing include for pthread_t reference: - -see https://errors.yoctoproject.org/Errors/Details/308000/ for details - -Thanks Khem Raj <raj.khem@gmail.com> for the report - -Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> -Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> ---- - include/dlt/dlt_user.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/include/dlt/dlt_user.h b/include/dlt/dlt_user.h -index 69cb854..766d349 100644 ---- a/include/dlt/dlt_user.h -+++ b/include/dlt/dlt_user.h -@@ -74,6 +74,7 @@ - \{ - */ - # include <mqueue.h> -+# include <pthread.h> - - # if !defined (__WIN32__) - # include <semaphore.h> - -From 5f67aba02c12b7446e63ccc86285c13bc5c7a432 Mon Sep 17 00:00:00 2001 -From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> -Date: Sat, 25 Jan 2020 09:16:14 +0100 -Subject: [PATCH 2/3] dlt-test-init-free: fix build failure with strict - compiler flags, due to uint being undefined. This is actually an "int" type, - looking at the test implementation - -Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> -Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> ---- - src/tests/dlt-test-init-free.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tests/dlt-test-init-free.c b/src/tests/dlt-test-init-free.c -index 96b5245..35b8803 100644 ---- a/src/tests/dlt-test-init-free.c -+++ b/src/tests/dlt-test-init-free.c -@@ -32,7 +32,7 @@ - - void exec(const char *cmd, char *buffer, size_t length); - void printMemoryUsage(); --char *occupyMemory(uint size); -+char *occupyMemory(int size); - void do_example_test(); - void do_dlt_test(); - -@@ -131,7 +131,7 @@ void printMemoryUsage() - printf("%s", result); - } - --char *occupyMemory(uint size) -+char *occupyMemory(int size) - { - char *buf = (char *)malloc(size * sizeof(char)); - - -From c790d61fad382e5d3e648ee99904087eb9bc4a77 Mon Sep 17 00:00:00 2001 -From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> -Date: Sat, 25 Jan 2020 09:20:48 +0100 -Subject: [PATCH 3/3] sys/poll.h: deprecate old sys/poll.h include header, now - glibc/musl wants poll.h being included directly. This fixes a build failure - on musl systems with strict c hardening flags - -Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> -Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> ---- - src/console/logstorage/dlt-logstorage-ctrl.c | 2 +- - src/daemon/dlt_daemon_event_handler.c | 2 +- - src/daemon/dlt_daemon_event_handler.h | 2 +- - src/daemon/dlt_daemon_event_handler_types.h | 2 +- - src/lib/dlt_user.c | 2 +- - 5 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/console/logstorage/dlt-logstorage-ctrl.c b/src/console/logstorage/dlt-logstorage-ctrl.c -index 525c137..6614f44 100644 ---- a/src/console/logstorage/dlt-logstorage-ctrl.c -+++ b/src/console/logstorage/dlt-logstorage-ctrl.c -@@ -61,7 +61,7 @@ - #include <string.h> - #include <getopt.h> - --#include <sys/poll.h> -+#include <poll.h> - - #if defined(__linux__) - # include "sd-daemon.h" -diff --git a/src/daemon/dlt_daemon_event_handler.c b/src/daemon/dlt_daemon_event_handler.c -index 1611f7b..0d463da 100644 ---- a/src/daemon/dlt_daemon_event_handler.c -+++ b/src/daemon/dlt_daemon_event_handler.c -@@ -30,7 +30,7 @@ - #include <string.h> - #include <errno.h> - --#include <sys/poll.h> -+#include <poll.h> - #include <syslog.h> - - #include "dlt_common.h" -diff --git a/src/daemon/dlt_daemon_event_handler.h b/src/daemon/dlt_daemon_event_handler.h -index eb96101..bd550d3 100644 ---- a/src/daemon/dlt_daemon_event_handler.h -+++ b/src/daemon/dlt_daemon_event_handler.h -@@ -25,7 +25,7 @@ - * \file dlt_daemon_event_handler.h - */ - --#include <sys/poll.h> -+#include <poll.h> - - #include "dlt_daemon_connection_types.h" - #include "dlt_daemon_event_handler_types.h" -diff --git a/src/daemon/dlt_daemon_event_handler_types.h b/src/daemon/dlt_daemon_event_handler_types.h -index 370e503..0b16d08 100644 ---- a/src/daemon/dlt_daemon_event_handler_types.h -+++ b/src/daemon/dlt_daemon_event_handler_types.h -@@ -25,7 +25,7 @@ - * \file dlt_daemon_event_handler_types.h - */ - --#include <sys/poll.h> -+#include <poll.h> - - #include "dlt_daemon_connection_types.h" - -#diff --git a/src/lib/dlt_user.c b/src/lib/dlt_user.c -#index ffa9b09..511f991 100644 -#--- a/src/lib/dlt_user.c -#+++ b/src/lib/dlt_user.c -#@@ -43,7 +43,7 @@ -# #include <errno.h> -# -# #include <sys/uio.h> /* writev() */ -#-#include <sys/poll.h> -#+#include <poll.h> -# -# #include <limits.h> -# #ifdef linux diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/317.patch b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/317.patch new file mode 100644 index 0000000000..fe40334b65 --- /dev/null +++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon/317.patch @@ -0,0 +1,43 @@ +Origin: https://github.com/GENIVI/dlt-daemon/pull/317 +From 55d31216823841a1547fe261cdf8e3b1002d5f94 Mon Sep 17 00:00:00 2001 +From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> +Date: Thu, 1 Jul 2021 12:58:20 +0200 +Subject: [PATCH] dlt-control-common.c: Fix build failure due to out-of-bound + write -Werror=stringop-truncation + +cd /build/dlt-daemon-2.18.7/obj-x86_64-linux-gnu/src/console/logstorage && /usr/bin/cc -DCONFIGURATION_FILES_DIR=\"/etc\" -DDLT_DAEMON_USE_FIFO_IPC -DDLT_LIB_USE_FIFO_IPC -DDLT_NETWORK_TRACE_ENABLE -DDLT_SYSTEMD_ENABLE -DDLT_SYSTEMD_JOURNAL_ENABLE -DDLT_UNIT_TESTS -DDLT_USER_IPC_PATH=\"/tmp\" -DDLT_USE_IPv6 -DEXTENDED_FILTERING -D_GNU_SOURCE -I/build/dlt-daemon-2.18.7 -I/build/dlt-daemon-2.18.7/obj-x86_64-linux-gnu/include/dlt -I/build/dlt-daemon-2.18.7/include/dlt -I/build/dlt-daemon-2.18.7/src/shared -I/build/dlt-daemon-2.18.7/src/core_dump_handler -I/build/dlt-daemon-2.18.7/src/offlinelogstorage -I/build/dlt-daemon-2.18.7/src/lib -I/build/dlt-daemon-2.18.7/src/daemon -I/build/dlt-daemon-2.18.7/src/console -I/build/dlt-daemon-2.18.7/src/gateway -I/build/dlt-daemon-2.18.7/systemd/3rdparty -g -O2 -ffile-prefix-map=/build/dlt-daemon-2.18.7=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Werror -std=gnu99 -Wall -Wextra -Wno-variadic-macros -Wno-strict-aliasing -o CMakeFiles/dlt-logstorage-ctrl.dir/__/dlt-control-common.c.o -c /build/dlt-daemon-2.18.7/src/console/dlt-control-common.c +make[3]: Leaving directory '/build/dlt-daemon-2.18.7/obj-x86_64-linux-gnu' +In file included from /usr/include/string.h:495, + from /build/dlt-daemon-2.18.7/src/console/dlt-control-common.c:56: +In function 'strncpy', + inlined from 'dlt_json_filter_load' at /build/dlt-daemon-2.18.7/src/console/dlt-control-common.c:716:13: +/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 4 equals destination size [-Werror=stringop-truncation] + 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In function 'strncpy', + inlined from 'dlt_json_filter_load' at /build/dlt-daemon-2.18.7/src/console/dlt-control-common.c:721:13: +/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 4 equals destination size [-Werror=stringop-truncation] + 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it> +Signed-off-by: Gianfranco Costamagna <locutusofborg@debian.org> +--- + src/console/dlt-control-common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/console/dlt-control-common.c b/src/console/dlt-control-common.c +index 8a9d29f0..f58d8268 100644 +--- a/src/console/dlt-control-common.c ++++ b/src/console/dlt-control-common.c +@@ -671,8 +671,8 @@ DltReturnValue dlt_json_filter_load(DltFilter *filter, const char *filename, int + struct json_object *j_payload_max; + enum json_tokener_error jerr; + +- char app_id[DLT_ID_SIZE] = ""; +- char context_id[DLT_ID_SIZE] = ""; ++ char app_id[DLT_ID_SIZE + 1] = ""; ++ char context_id[DLT_ID_SIZE + 1] = ""; + int32_t log_level = 0; + int32_t payload_max = INT32_MAX; + int32_t payload_min = 0; diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb index 35c638bc78..2a045f5790 100644 --- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.4.bb +++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb @@ -12,14 +12,14 @@ SECTION = "console/utils" LICENSE = "MPLv2" LIC_FILES_CHKSUM = "file://LICENSE;md5=8184208060df880fe3137b93eb88aeea" -DEPENDS = "zlib gzip-native" +DEPENDS = "zlib gzip-native json-c" -SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https \ +SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https;branch=master \ file://0002-Don-t-execute-processes-as-a-specific-user.patch \ file://0004-Modify-systemd-config-directory.patch \ - file://204.patch \ + file://317.patch \ " -SRCREV = "14ea971be7e808b9c5099c7f404ed3cf341873c4" +SRCREV = "24d197214bfdcec7430d31b42e5c87df27287aaf" S = "${WORKDIR}/git" @@ -41,12 +41,13 @@ PACKAGECONFIG[dlt-console] = "-DWITH_DLT_CONSOLE=ON,-DWITH_DLT_CONSOLE=OFF,,dlt- inherit autotools gettext cmake systemd -EXTRA_OECMAKE += "-DSYSTEMD_UNITDIR=${systemd_system_unitdir}" +EXTRA_OECMAKE += "-DWITH_EXTENDED_FILTERING=ON -DSYSTEMD_UNITDIR=${systemd_system_unitdir}" PACKAGES += "${PN}-systemd" SYSTEMD_PACKAGES = "${PN} ${PN}-systemd" SYSTEMD_SERVICE_${PN} = " ${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'dlt.service', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'dlt-system', 'dlt-system.service', '', d)}" + ${@bb.utils.contains('PACKAGECONFIG', 'dlt-system', 'dlt-system.service', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'dlt-dbus', 'dlt-dbus.service', '', d)}" SYSTEMD_AUTO_ENABLE_${PN} = "enable" SYSTEMD_SERVICE_${PN}-systemd = " \ ${@bb.utils.contains('PACKAGECONFIG', 'dlt-adaptor', 'dlt-adaptor-udp.service', '', d)} \ diff --git a/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb b/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb index aa55ebf84d..162f5aa339 100644 --- a/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb +++ b/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb @@ -18,7 +18,7 @@ SRCREV = "3dd23e3280f213bacefdf5fcb04857bf52e90917" PV = "0.6.2+git${SRCPV}" SRC_URI = "\ - git://github.com/docopt/docopt.cpp.git;protocol=https \ + git://github.com/docopt/docopt.cpp.git;protocol=https;branch=master \ file://0001-Set-library-VERSION-and-SOVERSION.patch \ " diff --git a/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb b/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb index 09eab9dcd0..eb00092c7b 100644 --- a/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb +++ b/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb @@ -4,7 +4,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=5940d39995ea6857d01b8227109c2e9c" SRCREV = "b1e978e486114797347deefcc03ab12629a13cc3" -SRC_URI = "git://github.com/Yelp/dumb-init" +SRC_URI = "git://github.com/Yelp/dumb-init;branch=master;protocol=https" S = "${WORKDIR}/git" EXTRA_OEMAKE = "CC='${CC}' CFLAGS='${CFLAGS} ${LDFLAGS}'" diff --git a/meta-oe/recipes-extended/figlet/figlet_git.bb b/meta-oe/recipes-extended/figlet/figlet_git.bb index 4611646b9b..61b050aac6 100644 --- a/meta-oe/recipes-extended/figlet/figlet_git.bb +++ b/meta-oe/recipes-extended/figlet/figlet_git.bb @@ -4,7 +4,7 @@ HOMEPAGE = "http://www.figlet.org/" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=1688bcd97b27704f1afcac7336409857" -SRC_URI = "git://github.com/cmatsuoka/figlet.git \ +SRC_URI = "git://github.com/cmatsuoka/figlet.git;branch=master;protocol=https \ file://0001-build-add-autotools-support-to-allow-easy-cross-comp.patch" SRCREV = "5bbcd7383a8c3a531299b216b0c734e1495c6db3" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb index 926d8851d2..b2c41756e5 100644 --- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb +++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb @@ -32,7 +32,7 @@ BBCLASSEXTEND = "native" DEPENDS_class-native = "readline-native" PACKAGECONFIG_class-native = "" -SRC_URI_append_class-native = "file://0001-reduce-build-to-conversion-tools-for-native-build.patch" +SRC_URI_append_class-native = " file://0001-reduce-build-to-conversion-tools-for-native-build.patch" do_install_class-native() { install -d ${D}${bindir} diff --git a/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb b/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb index 50326ea2f4..19b0d8dbd7 100644 --- a/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb +++ b/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM="file://COPYING;md5=d32239bcb673463ab874e80d47fae504" # v1.9.9 SRCREV = "1283a65c541c4a83e152024a63faf7b267b9b1cd" -SRC_URI = "git://github.com/jirka-h/haveged.git \ +SRC_URI = "git://github.com/jirka-h/haveged.git;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb b/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb index 050b7da3d7..c0d1b1b8bb 100644 --- a/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb +++ b/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb @@ -6,7 +6,7 @@ DEPENDS = "ncurses" LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3" -SRC_URI = "git://github.com/pixel/hexedit.git \ +SRC_URI = "git://github.com/pixel/hexedit.git;branch=master;protocol=https \ " SRCREV = "800e4b2e6280531a84fd23ee0b48e16baeb90878" diff --git a/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb b/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb index 29f8de8d2f..cee1f342bd 100644 --- a/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb +++ b/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb @@ -6,7 +6,7 @@ DEPENDS = "redis" LIC_FILES_CHKSUM = "file://COPYING;md5=d84d659a35c666d23233e54503aaea51" SRCREV = "685030652cd98c5414ce554ff5b356dfe8437870" -SRC_URI = "git://github.com/redis/hiredis;protocol=git \ +SRC_URI = "git://github.com/redis/hiredis;protocol=https;branch=master \ file://0001-Makefile-remove-hardcoding-of-CC.patch" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/hplip/hplip_3.19.12.bb b/meta-oe/recipes-extended/hplip/hplip_3.19.12.bb index 883a6ffe95..457a974534 100644 --- a/meta-oe/recipes-extended/hplip/hplip_3.19.12.bb +++ b/meta-oe/recipes-extended/hplip/hplip_3.19.12.bb @@ -39,8 +39,8 @@ EXTRA_OECONF += "\ --enable-foomatic-drv-install \ --disable-foomatic-ppd-install \ --disable-foomatic-rip-hplip-install \ - --with-cupsbackenddir=${libdir}/cups/backend \ - --with-cupsfilterdir=${libdir}/cups/filter \ + --with-cupsbackenddir=${libexecdir}/cups/backend \ + --with-cupsfilterdir=${libexecdir}/cups/filter \ " EXTRA_OEMAKE = "rulessystemdir=${systemd_unitdir}/system/" @@ -52,7 +52,7 @@ do_install_append() { sed -i -e "s|/usr/bin/python|/usr/bin/env python3|g" ${D}${datadir}/hplip/*.py } -PACKAGES += "${PN}-ppd ${PN}-cups ${PN}-backend ${PN}-filter ${PN}-hal" +PACKAGE_BEFORE_PN += "${PN}-ppd ${PN}-cups ${PN}-backend ${PN}-filter ${PN}-hal" RDEPENDS_${PN} += " \ python3\ @@ -70,15 +70,15 @@ RDEPENDS_${PN}-filter += "perl" # need to snag the debug file or OE will fail on backend package FILES_${PN}-dbg += "\ - ${libdir}/cups/backend/.debug \ + ${libexecdir}/cups/backend/.debug \ ${PYTHON_SITEPACKAGES_DIR}/.debug \ - ${libdir}/cups/filter/.debug " + ${libexecdir}/cups/filter/.debug " FILES_${PN}-dev += "${PYTHON_SITEPACKAGES_DIR}/*.la" FILES_${PN}-ppd = "${datadir}/ppd" FILES_${PN}-cups = "${datadir}/cups" -FILES_${PN}-backend = "${libdir}/cups/backend" -FILES_${PN}-filter = "${libdir}/cups/filter" +FILES_${PN}-backend = "${libexecdir}/cups/backend" +FILES_${PN}-filter = "${libexecdir}/cups/filter" FILES_${PN}-hal = "${datadir}/hal" FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}/*.so" diff --git a/meta-oe/recipes-extended/iotop/iotop_0.6.bb b/meta-oe/recipes-extended/iotop/iotop_0.6.bb index 3a597218db..19af46cb16 100644 --- a/meta-oe/recipes-extended/iotop/iotop_0.6.bb +++ b/meta-oe/recipes-extended/iotop/iotop_0.6.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4325afd396febcb659c36b49533135d4" PV .= "+git${SRCPV}" SRCREV = "1bfb3bc70febb1ffb95146b6dcd65257228099a3" -SRC_URI = "git://repo.or.cz/iotop.git" +SRC_URI = "git://repo.or.cz/iotop.git;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb b/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb index b7899a11b6..2f4724a336 100644 --- a/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb +++ b/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb @@ -7,7 +7,7 @@ RDEPENDS_${BPN} = "openssl curl" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" -SRC_URI = "git://github.com/rhinstaller/isomd5sum.git;branch=master \ +SRC_URI = "git://github.com/rhinstaller/isomd5sum.git;branch=master;protocol=https \ file://0001-tweak-install-prefix.patch \ file://0002-fix-parallel-error.patch \ " diff --git a/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb b/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb index d6e56ea768..7beea9f1e7 100644 --- a/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb +++ b/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb @@ -11,4 +11,7 @@ SRC_URI[sha256sum] = "f4f377da17b10201a60c1108613e78ee15df6b12016b116b6de42209f4 inherit autotools pkgconfig +# upstream considers it isn't a real bug https://github.com/akheron/jansson/issues/548 +CVE_CHECK_WHITELIST = "CVE-2020-36325 " + BBCLASSEXTEND = "native" diff --git a/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb b/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb index 50dd74b685..ba1fece05c 100644 --- a/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb +++ b/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=892f569a555ba9c07a568a7c0c4fa63a" PV = "2.3.5+git${SRCPV}" -SRC_URI = "git://github.com/snarlistic/jpnevulator.git;protocol=http" +SRC_URI = "git://github.com/snarlistic/jpnevulator.git;protocol=http;branch=master;protocol=https" SRCREV = "c2d857091c0dfed05139ac07ea9b0f36ad259638" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb b/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb index e6d5663f85..977aabf040 100644 --- a/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb +++ b/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f673270bfc350d9ce1efc8724c6c1873" DEPENDS_append_class-target = " swig-native sblim-cmpi-devel python3" DEPENDS_append_class-native = " cmpi-bindings-native" -SRC_URI = "git://github.com/rnovacek/konkretcmpi.git \ +SRC_URI = "git://github.com/rnovacek/konkretcmpi.git;branch=master;protocol=https \ file://0001-CMakeLists.txt-fix-lib64-can-not-be-shiped-in-64bit-.patch \ file://0001-drop-including-rpath-cmake-module.patch \ " diff --git a/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb b/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb index 99cdee5bba..c1023e625e 100644 --- a/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb +++ b/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c07cb499d259452f324bb90c3067d85c" inherit autotools gobject-introspection -SRC_URI = "git://github.com/storaged-project/libblockdev;branch=2.x-branch" +SRC_URI = "git://github.com/storaged-project/libblockdev;branch=2.x-branch;protocol=https" SRCREV = "f5a4ba8bb298f8cbc435707d0b19b4b2ff836a8e" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libcec/libcec_git.bb b/meta-oe/recipes-extended/libcec/libcec_git.bb index 39ceb489e2..07320e42bd 100644 --- a/meta-oe/recipes-extended/libcec/libcec_git.bb +++ b/meta-oe/recipes-extended/libcec/libcec_git.bb @@ -12,7 +12,7 @@ DEPENDS_append_rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '' PV = "5.0.0" SRCREV = "43bc27fe7be491149e6f57d14110e02abdac2f24" -SRC_URI = "git://github.com/Pulse-Eight/libcec.git;branch=release \ +SRC_URI = "git://github.com/Pulse-Eight/libcec.git;branch=release;protocol=https \ file://0001-CheckPlatformSupport.cmake-Do-not-hardcode-lib-path.patch \ file://0001-Enhance-reproducibility.patch \ " diff --git a/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb b/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb index b7c1958eef..e763a701e5 100644 --- a/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb +++ b/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb @@ -11,7 +11,7 @@ inherit autotools pkgconfig PV = "0.6.0" SRCREV = "1195abc2f4acc7b10175d570ec73549d0938c83e" -SRC_URI = "git://github.com/libdivecomputer/libdivecomputer.git;protocol=https \ +SRC_URI = "git://github.com/libdivecomputer/libdivecomputer.git;protocol=https;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb b/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb index 36659e752d..0906e9a645 100644 --- a/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb +++ b/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb @@ -6,10 +6,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ebb5c50ab7cab4baeffba14977030c07 \ DEPENDS = "libxml2 glib-2.0 swig python3" -inherit autotools pkgconfig python3native +inherit autotools pkgconfig python3native python3targetconfig SRCREV = "3df02d4d0e9008771e8622fdc10de8333b3f0d85" -SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https \ +SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb b/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb index 36fc5c858c..5901057840 100644 --- a/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb +++ b/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb @@ -7,9 +7,10 @@ DEPENDS = "udev libusb1 libplist" inherit autotools pkgconfig gitpkgv PKGV = "${GITPKGVTAG}" +PV = "1.0.10+git${SRCPV}" SRCREV = "78df9be5fc8222ed53846cb553de9b5d24c85c6c" -SRC_URI = "git://github.com/libimobiledevice/libusbmuxd;protocol=https" +SRC_URI = "git://github.com/libimobiledevice/libusbmuxd;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb b/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb index 7fc5997983..bbfee1ff7a 100644 --- a/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb +++ b/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=84dcc94da3adb52b53ae4fa38fe49e5d" inherit cmake pkgconfig -SRC_URI = "git://github.com/Jacajack/liblightmodbus.git;protocol=https \ +SRC_URI = "git://github.com/Jacajack/liblightmodbus.git;protocol=https;branch=master \ file://0001-cmake-Use-GNUInstallDirs-instead-of-hardcoding-lib-p.patch \ " SRCREV = "59d2b405f95701e5b04326589786dbb43ce49e81" diff --git a/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch b/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch new file mode 100644 index 0000000000..2aec818574 --- /dev/null +++ b/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch @@ -0,0 +1,38 @@ +From 790ff6dad16b70e68804a2d53ad54db40412e889 Mon Sep 17 00:00:00 2001 +From: Michael Heimpold <mhei@heimpold.de> +Date: Sat, 8 Jan 2022 20:00:50 +0100 +Subject: [PATCH] modbus_reply: fix copy & paste error in sanity check (fixes + #614) + +[ Upstream commit b4ef4c17d618eba0adccc4c7d9e9a1ef809fc9b6 ] + +While handling MODBUS_FC_WRITE_AND_READ_REGISTERS, both address offsets +must be checked, i.e. the read and the write address must be within the +mapping range. + +At the moment, only the read address was considered, it looks like a +simple copy and paste error, so let's fix it. + +CVE: CVE-2022-0367 + +Signed-off-by: Michael Heimpold <mhei@heimpold.de> +--- + src/modbus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/modbus.c b/src/modbus.c +index 68a28a3..c871152 100644 +--- a/src/modbus.c ++++ b/src/modbus.c +@@ -961,7 +961,7 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, + nb_write, nb, MODBUS_MAX_WR_WRITE_REGISTERS, MODBUS_MAX_WR_READ_REGISTERS); + } else if (mapping_address < 0 || + (mapping_address + nb) > mb_mapping->nb_registers || +- mapping_address < 0 || ++ mapping_address_write < 0 || + (mapping_address_write + nb_write) > mb_mapping->nb_registers) { + rsp_length = response_exception( + ctx, &sft, MODBUS_EXCEPTION_ILLEGAL_DATA_ADDRESS, rsp, FALSE, +-- +2.39.1 + diff --git a/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb b/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb index 075487ae90..5c59312760 100644 --- a/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb +++ b/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb @@ -2,7 +2,10 @@ require libmodbus.inc SRC_URI += "file://f1eb4bc7ccb09cd8d19ab641ee37637f8c34d16d.patch \ file://Fix-float-endianness-issue-on-big-endian-arch.patch \ - file://Fix-typo.patch" + file://Fix-typo.patch \ + file://CVE-2022-0367.patch \ + " + SRC_URI[md5sum] = "15c84c1f7fb49502b3efaaa668cfd25e" SRC_URI[sha256sum] = "d7d9fa94a16edb094e5fdf5d87ae17a0dc3f3e3d687fead81835d9572cf87c16" diff --git a/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb b/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb index c9d259b1a0..29c35caf54 100644 --- a/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb +++ b/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb @@ -17,7 +17,7 @@ PV = "1.3+git${SRCPV}" SRCREV = "116219e215858f4af9370171d3ead63baca8fdb4" -SRC_URI = "git://github.com/thkukuk/libnss_nisplus \ +SRC_URI = "git://github.com/thkukuk/libnss_nisplus;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb b/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb index cd4019666d..dbe03fedef 100644 --- a/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb +++ b/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb @@ -11,7 +11,7 @@ inherit autotools pkgconfig # v1.0.5 SRCREV = "d08dbcf08b0da418bce9b5427dfd89522916322a" -SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=version_1 \ +SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=version_1;protocol=https \ file://0001-build-fix-configure-script-neglecting-re-enable-out-.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb b/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb index 4276c49173..24784f77a0 100644 --- a/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb +++ b/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb @@ -11,7 +11,7 @@ DEPENDS = "xmlrpc-c xmlrpc-c-native intltool-native \ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" -SRC_URI = "git://github.com/abrt/libreport.git;protocol=https" +SRC_URI = "git://github.com/abrt/libreport.git;protocol=https;branch=master" SRC_URI += "file://0001-Makefile.am-remove-doc-and-apidoc.patch \ file://0002-configure.ac-remove-prog-test-of-xmlto-and-asciidoc.patch \ file://0003-without-build-plugins.patch \ diff --git a/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb b/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb index a081cb17a8..27fe0e2c40 100644 --- a/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb +++ b/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb @@ -31,4 +31,4 @@ FILES_statgrab-dbg = "${bindir}/.debug/statgrab" FILES_saidar = "${bindir}/saidar" FILES_saidar-dbg = "${bindir}/.debug/saidar" FILES_${PN}-mrtg = "${bindir}/statgrab-make-mrtg-config ${bindir}/statgrab-make-mrtg-index" -RDEPENDS_${PN}-mrtg_append = "perl statgrab" +RDEPENDS_${PN}-mrtg_append = " perl statgrab" diff --git a/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb b/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb index dd34c180a3..0278e55f3e 100644 --- a/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb +++ b/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb @@ -3,7 +3,7 @@ SECTION = "base" LICENSE = "GPL-2.0" LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" -SRC_URI = "git://git.code.sf.net/p/libuio/code \ +SRC_URI = "git://git.code.sf.net/p/libuio/code;branch=master \ file://replace_inline_with_static-inline.patch \ file://0001-include-fcntl.h-for-O_RDWR-define.patch \ " diff --git a/meta-oe/recipes-extended/md5deep/md5deep_git.bb b/meta-oe/recipes-extended/md5deep/md5deep_git.bb index e8c6864c1f..cc31323c3f 100644 --- a/meta-oe/recipes-extended/md5deep/md5deep_git.bb +++ b/meta-oe/recipes-extended/md5deep/md5deep_git.bb @@ -9,7 +9,7 @@ PV = "4.4+git${SRCPV}" SRCREV = "877613493ff44807888ce1928129574be393cbb0" -SRC_URI = "git://github.com/jessek/hashdeep.git \ +SRC_URI = "git://github.com/jessek/hashdeep.git;branch=master;protocol=https \ file://wrong-variable-expansion.patch \ file://0001-Fix-literal-and-identifier-spacing-as-dictated-by-C-.patch \ " diff --git a/meta-oe/recipes-extended/mraa/mraa_git.bb b/meta-oe/recipes-extended/mraa/mraa_git.bb index 0b40dcb71b..540ef6e12a 100644 --- a/meta-oe/recipes-extended/mraa/mraa_git.bb +++ b/meta-oe/recipes-extended/mraa/mraa_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=91e7de50a8d3cf01057f318d72460acd" SRCREV = "e15ce6fbc76148ba8835adc92196b0d0a3f245e7" PV = "2.1.0+git${SRCPV}" -SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http \ +SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http;branch=master;protocol=https \ file://0001-cmake-Use-a-regular-expression-to-match-x86-architec.patch \ " diff --git a/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb b/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb index 9d5a2307e7..e96c977453 100644 --- a/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb +++ b/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb @@ -17,7 +17,7 @@ REQUIRED_DISTRO_FEATURES = "pam" SRCREV = "d8eba6cb6682b59d84ca1da67a523520b879ade6" -SRC_URI = "git://github.com/Openwsman/openwsman.git \ +SRC_URI = "git://github.com/Openwsman/openwsman.git;branch=main;protocol=https \ file://libssl-is-required-if-eventint-supported.patch \ file://openwsmand.service \ file://0001-lock.c-Define-PTHREAD_MUTEX_RECURSIVE_NP-if-undefine.patch \ diff --git a/meta-oe/recipes-extended/ostree/ostree_2020.3.bb b/meta-oe/recipes-extended/ostree/ostree_2020.3.bb index 43021c5342..5b0171d8c8 100644 --- a/meta-oe/recipes-extended/ostree/ostree_2020.3.bb +++ b/meta-oe/recipes-extended/ostree/ostree_2020.3.bb @@ -22,7 +22,7 @@ DEPENDS = " \ PREMIRRORS = "" SRC_URI = " \ - gitsm://github.com/ostreedev/ostree \ + gitsm://github.com/ostreedev/ostree;branch=main;protocol=https \ file://run-ptest \ " SRCREV = "6ed48234ba579ff73eb128af237212b0a00f2057" @@ -176,12 +176,12 @@ RDEPENDS_${PN}-ptest += " \ util-linux \ xz \ ${PN}-trivial-httpd \ - ${@bb.utils.contains('BBFILE_COLLECTIONS', 'meta-python', 'python3-pyyaml', '', d)} \ + python3-pyyaml \ ${@bb.utils.contains('PACKAGECONFIG', 'gjs', 'gjs', '', d)} \ " RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils glibc-localedata-en-us" -RRECOMMENDS_${PN} += "kernel-module-overlay" +RRECOMMENDS_${PN}_append_class-target = " kernel-module-overlay" SYSTEMD_SERVICE_${PN} = "ostree-remount.service ostree-finalize-staged.path" SYSTEMD_SERVICE_${PN}-switchroot = "ostree-prepare-root.service" diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch new file mode 100644 index 0000000000..98e186cbf0 --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch @@ -0,0 +1,27 @@ +p7zip: Update CVE-2016-9296 patch URL. +From: Robert Luberda <robert@debian.org> +Date: Sat, 19 Nov 2016 08:48:08 +0100 +Subject: Fix nullptr dereference (CVE-2016-9296) + +Patch taken from https://sourceforge.net/p/p7zip/bugs/185/ +This patch file taken from Debian's patch set for p7zip + +Upstream-Status: Backport [https://sourceforge.net/p/p7zip/bugs/185/] +CVE: CVE-2016-9296 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +Index: p7zip_16.02/CPP/7zip/Archive/7z/7zIn.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Archive/7z/7zIn.cpp ++++ p7zip_16.02/CPP/7zip/Archive/7z/7zIn.cpp +@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS + if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i]) + ThrowIncorrect(); + } +- HeadersSize += folders.PackPositions[folders.NumPackStreams]; ++ if (folders.PackPositions) ++ HeadersSize += folders.PackPositions[folders.NumPackStreams]; + return S_OK; + } + diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch new file mode 100644 index 0000000000..b6deb5d3a7 --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch @@ -0,0 +1,226 @@ +From: Robert Luberda <robert@debian.org> +Date: Sun, 28 Jan 2018 23:47:40 +0100 +Subject: CVE-2018-5996 + +Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by +applying a few changes from 7Zip 18.00-beta. + +Bug-Debian: https://bugs.debian.org/#888314 + +Upstream-Status: Backport [https://sources.debian.org/data/non-free/p/p7zip-rar/16.02-3/debian/patches/06-CVE-2018-5996.patch] +CVE: CVE-2018-5996 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + CPP/7zip/Compress/Rar1Decoder.cpp | 13 +++++++++---- + CPP/7zip/Compress/Rar1Decoder.h | 1 + + CPP/7zip/Compress/Rar2Decoder.cpp | 10 +++++++++- + CPP/7zip/Compress/Rar2Decoder.h | 1 + + CPP/7zip/Compress/Rar3Decoder.cpp | 23 ++++++++++++++++++++--- + CPP/7zip/Compress/Rar3Decoder.h | 2 ++ + 6 files changed, 42 insertions(+), 8 deletions(-) + +Index: p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar1Decoder.cpp ++++ p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.cpp +@@ -29,7 +29,7 @@ public: + }; + */ + +-CDecoder::CDecoder(): m_IsSolid(false) { } ++CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { } + + void CDecoder::InitStructures() + { +@@ -406,9 +406,14 @@ HRESULT CDecoder::CodeReal(ISequentialIn + InitData(); + if (!m_IsSolid) + { ++ _errorMode = false; + InitStructures(); + InitHuff(); + } ++ ++ if (_errorMode) ++ return S_FALSE; ++ + if (m_UnpackSize > 0) + { + GetFlagsBuf(); +@@ -477,9 +482,9 @@ STDMETHODIMP CDecoder::Code(ISequentialI + const UInt64 *inSize, const UInt64 *outSize, ICompressProgressInfo *progress) + { + try { return CodeReal(inStream, outStream, inSize, outSize, progress); } +- catch(const CInBufferException &e) { return e.ErrorCode; } +- catch(const CLzOutWindowException &e) { return e.ErrorCode; } +- catch(...) { return S_FALSE; } ++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(const CLzOutWindowException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(...) { _errorMode = true; return S_FALSE; } + } + + STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size) +Index: p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.h +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar1Decoder.h ++++ p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.h +@@ -39,6 +39,7 @@ public: + + Int64 m_UnpackSize; + bool m_IsSolid; ++ bool _errorMode; + + UInt32 ReadBits(int numBits); + HRESULT CopyBlock(UInt32 distance, UInt32 len); +Index: p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar2Decoder.cpp ++++ p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.cpp +@@ -80,7 +80,8 @@ static const UInt32 kHistorySize = 1 << + static const UInt32 kWindowReservSize = (1 << 22) + 256; + + CDecoder::CDecoder(): +- m_IsSolid(false) ++ m_IsSolid(false), ++ m_TablesOK(false) + { + } + +@@ -100,6 +101,8 @@ UInt32 CDecoder::ReadBits(unsigned numBi + + bool CDecoder::ReadTables(void) + { ++ m_TablesOK = false; ++ + Byte levelLevels[kLevelTableSize]; + Byte newLevels[kMaxTableSize]; + m_AudioMode = (ReadBits(1) == 1); +@@ -170,6 +173,8 @@ bool CDecoder::ReadTables(void) + } + + memcpy(m_LastLevels, newLevels, kMaxTableSize); ++ m_TablesOK = true; ++ + return true; + } + +@@ -344,6 +349,9 @@ HRESULT CDecoder::CodeReal(ISequentialIn + return S_FALSE; + } + ++ if (!m_TablesOK) ++ return S_FALSE; ++ + UInt64 startPos = m_OutWindowStream.GetProcessedSize(); + while (pos < unPackSize) + { +Index: p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.h +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar2Decoder.h ++++ p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.h +@@ -139,6 +139,7 @@ class CDecoder : + + UInt64 m_PackSize; + bool m_IsSolid; ++ bool m_TablesOK; + + void InitStructures(); + UInt32 ReadBits(unsigned numBits); +Index: p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar3Decoder.cpp ++++ p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.cpp +@@ -92,7 +92,8 @@ CDecoder::CDecoder(): + _writtenFileSize(0), + _vmData(0), + _vmCode(0), +- m_IsSolid(false) ++ m_IsSolid(false), ++ _errorMode(false) + { + Ppmd7_Construct(&_ppmd); + } +@@ -545,6 +546,9 @@ HRESULT CDecoder::ReadTables(bool &keepD + return InitPPM(); + } + ++ TablesRead = false; ++ TablesOK = false; ++ + _lzMode = true; + PrevAlignBits = 0; + PrevAlignCount = 0; +@@ -606,6 +610,9 @@ HRESULT CDecoder::ReadTables(bool &keepD + } + } + } ++ if (InputEofError()) ++ return S_FALSE; ++ + TablesRead = true; + + // original code has check here: +@@ -623,6 +630,9 @@ HRESULT CDecoder::ReadTables(bool &keepD + RIF(m_LenDecoder.Build(&newLevels[kMainTableSize + kDistTableSize + kAlignTableSize])); + + memcpy(m_LastLevels, newLevels, kTablesSizesSum); ++ ++ TablesOK = true; ++ + return S_OK; + } + +@@ -824,7 +834,12 @@ HRESULT CDecoder::CodeReal(ICompressProg + PpmEscChar = 2; + PpmError = true; + InitFilters(); ++ _errorMode = false; + } ++ ++ if (_errorMode) ++ return S_FALSE; ++ + if (!m_IsSolid || !TablesRead) + { + bool keepDecompressing; +@@ -838,6 +853,8 @@ HRESULT CDecoder::CodeReal(ICompressProg + bool keepDecompressing; + if (_lzMode) + { ++ if (!TablesOK) ++ return S_FALSE; + RINOK(DecodeLZ(keepDecompressing)) + } + else +@@ -901,8 +918,8 @@ STDMETHODIMP CDecoder::Code(ISequentialI + _unpackSize = outSize ? *outSize : (UInt64)(Int64)-1; + return CodeReal(progress); + } +- catch(const CInBufferException &e) { return e.ErrorCode; } +- catch(...) { return S_FALSE; } ++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(...) { _errorMode = true; return S_FALSE; } + // CNewException is possible here. But probably CNewException is caused + // by error in data stream. + } +Index: p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.h +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar3Decoder.h ++++ p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.h +@@ -192,6 +192,7 @@ class CDecoder: + UInt32 _lastFilter; + + bool m_IsSolid; ++ bool _errorMode; + + bool _lzMode; + bool _unsupportedFilter; +@@ -200,6 +201,7 @@ class CDecoder: + UInt32 PrevAlignCount; + + bool TablesRead; ++ bool TablesOK; + + CPpmd7 _ppmd; + int PpmEscChar; diff --git a/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch b/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch new file mode 100644 index 0000000000..dcde83e8a4 --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch @@ -0,0 +1,27 @@ +fixes the below error + +| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp: In member function 'virtual LONG NArchive::NWim::CHandler::GetArchiveProperty(PROPID, PROPVARIANT*)': +| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:308:11: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17 +| 308 | numMethods++; +| | ^~~~~~~~~~ +| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:318:9: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17 +| 318 | numMethods++; + + +use unsigned instead of bool +Signed-off-by: Nisha Parrakat <Nisha.Parrakat@kpit.com> + +Upstream-Status: Pending +Index: p7zip_16.02/CPP/7zip/Archive/Wim/WimHandler.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Archive/Wim/WimHandler.cpp ++++ p7zip_16.02/CPP/7zip/Archive/Wim/WimHandler.cpp +@@ -298,7 +298,7 @@ STDMETHODIMP CHandler::GetArchivePropert + + AString res; + +- bool numMethods = 0; ++ unsigned numMethods = 0; + for (unsigned i = 0; i < ARRAY_SIZE(k_Methods); i++) + { + if (methodMask & ((UInt32)1 << i)) diff --git a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb index 13479a90fe..79677c6487 100644 --- a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb +++ b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb @@ -9,6 +9,9 @@ SRC_URI = "http://downloads.sourceforge.net/p7zip/p7zip/${PV}/p7zip_${PV}_src_al file://do_not_override_compiler_and_do_not_strip.patch \ file://CVE-2017-17969.patch \ file://0001-Fix-narrowing-errors-Wc-11-narrowing.patch \ + file://change_numMethods_from_bool_to_unsigned.patch \ + file://CVE-2018-5996.patch \ + file://CVE-2016-9296.patch \ " SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf" @@ -16,10 +19,26 @@ SRC_URI[sha256sum] = "5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6 S = "${WORKDIR}/${BPN}_${PV}" +do_compile_append() { + oe_runmake 7z +} +FILES_${PN} += "${libdir}/* ${bindir}/7z" + +FILES_SOLIBSDEV = "" +INSANE_SKIP_${PN} += "dev-so" + do_install() { install -d ${D}${bindir} - install -m 0755 ${S}/bin/* ${D}${bindir} + install -d ${D}${bindir}/Codecs + install -d ${D}${libdir} + install -d ${D}${libdir}/Codecs + install -m 0755 ${S}/bin/7za ${D}${bindir} ln -s 7za ${D}${bindir}/7z + install -m 0755 ${S}/bin/Codecs/* ${D}${libdir}/Codecs/ + install -m 0755 ${S}/bin/7z.so ${D}${libdir}/lib7z.so } -BBCLASSEXTEND = "native" +RPROVIDES_${PN} += "lib7z.so()(64bit) 7z lib7z.so" +RPROVIDES_${PN}-dev += "lib7z.so()(64bit) 7z lib7z.so" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-extended/p8platform/p8platform_git.bb b/meta-oe/recipes-extended/p8platform/p8platform_git.bb index 0690d4ba3c..2e52caeffa 100644 --- a/meta-oe/recipes-extended/p8platform/p8platform_git.bb +++ b/meta-oe/recipes-extended/p8platform/p8platform_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://src/os.h;md5=752555fa94e82005d45fd201fee5bd33" PV = "2.1.0.1" -SRC_URI = "git://github.com/Pulse-Eight/platform.git \ +SRC_URI = "git://github.com/Pulse-Eight/platform.git;branch=master;protocol=https \ file://0001-Make-resulting-cmake-config-relocatable.patch" SRCREV = "2d90f98620e25f47702c9e848380c0d93f29462b" diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb index 9838e75ef5..5c2af44c73 100644 --- a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb @@ -11,7 +11,7 @@ REQUIRED_DISTRO_FEATURES = "pam" SRCREV = "e2145df09469bf84878e4729b4ecd814efb797d1" -SRC_URI = "git://github.com/PADL/pam_ccreds" +SRC_URI = "git://github.com/PADL/pam_ccreds;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb b/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb index 626b22fe48..5022300ba3 100644 --- a/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb +++ b/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb @@ -11,7 +11,7 @@ inherit features_check REQUIRED_DISTRO_FEATURES = "pam" SRCREV = "84d7b260f1ae6857ae36e014c9a5968e8aa1cbe8" -SRC_URI = "git://github.com/rmbreak/pam_ldapdb \ +SRC_URI = "git://github.com/rmbreak/pam_ldapdb;branch=master;protocol=https \ file://0001-include-stdexcept-for-std-invalid_argument.patch \ " diff --git a/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb b/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb index f5066da0d8..5c56a16f41 100644 --- a/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb +++ b/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb @@ -11,7 +11,7 @@ DEPENDS_append_libc-musl = " fts" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/pmem/pmdk.git \ +SRC_URI = "git://github.com/pmem/pmdk.git;branch=master;protocol=https \ file://0001-jemalloc-jemalloc.cfg-Specify-the-host-when-building.patch \ file://0002-Makefile-Don-t-install-the-docs.patch \ file://0001-os_posix-Use-__FreeBSD__-to-control-secure_getenv-de.patch \ diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch new file mode 100644 index 0000000000..cab1c83c09 --- /dev/null +++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch @@ -0,0 +1,74 @@ +From ed8b418f1341cf7fc576f6b17de5c6dd4017e034 Mon Sep 17 00:00:00 2001 +From: "Jeremy A. Puhlman" <jpuhlman@mvista.com> +Date: Thu, 27 Jan 2022 00:01:27 +0000 +Subject: [PATCH] CVE-2021-4034: Local privilege escalation in pkexec due to + incorrect handling of argument vector + +Upstream-Status: Backport https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 +CVE: CVE-2021-4034 + +Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> +--- + src/programs/pkcheck.c | 6 ++++++ + src/programs/pkexec.c | 21 ++++++++++++++++++++- + 2 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c +index f1bb4e1..aff4f60 100644 +--- a/src/programs/pkcheck.c ++++ b/src/programs/pkcheck.c +@@ -363,6 +363,12 @@ main (int argc, char *argv[]) + local_agent_handle = NULL; + ret = 126; + ++ if (argc < 1) ++ { ++ help(); ++ exit(1); ++ } ++ + /* Disable remote file access from GIO. */ + setenv ("GIO_USE_VFS", "local", 1); + +diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c +index 7698c5c..3ff4c58 100644 +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -488,6 +488,17 @@ main (int argc, char *argv[]) + pid_t pid_of_caller; + gpointer local_agent_handle; + ++ ++ /* ++ * If 'pkexec' is called wrong, just show help and bail out. ++ */ ++ if (argc<1) ++ { ++ clearenv(); ++ usage(argc, argv); ++ exit(1); ++ } ++ + ret = 127; + authority = NULL; + subject = NULL; +@@ -636,7 +647,15 @@ main (int argc, char *argv[]) + goto out; + } + g_free (path); +- argv[n] = path = s; ++ path = s; ++ ++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated. ++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination ++ */ ++ if (argv[n] != NULL) ++ { ++ argv[n] = path; ++ } + } + if (access (path, F_OK) != 0) + { +-- +2.26.2 + diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch new file mode 100644 index 0000000000..37e0d6063c --- /dev/null +++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch @@ -0,0 +1,87 @@ +From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001 +From: Jan Rybar <jrybar@redhat.com> +Date: Mon, 21 Feb 2022 08:29:05 +0000 +Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix + +Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/41cb093f554da8772362654a128a84dd8a5542a7.patch] +CVE: CVE-2021-4115 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++---- + 1 file changed, 34 insertions(+), 4 deletions(-) + +diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c +index 8ed1363..2fbf5f1 100644 +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -62,6 +62,10 @@ enum + PROP_NAME, + }; + ++ ++guint8 dbus_call_respond_fails; // has to be global because of callback ++ ++ + static void subject_iface_init (PolkitSubjectIface *subject_iface); + + G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT, +@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src, + if (!v) + { + data->caught_error = TRUE; ++ dbus_call_respond_fails += 1; + } + else + { +@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + tmp_context = g_main_context_new (); + g_main_context_push_thread_default (tmp_context); + ++ dbus_call_respond_fails = 0; ++ + /* Do two async calls as it's basically as fast as one sync call. + */ + g_dbus_connection_call (connection, +@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + on_retrieved_unix_uid_pid, + &data); + +- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) +- g_main_context_iteration (tmp_context, TRUE); ++ while (TRUE) ++ { ++ /* If one dbus call returns error, we must wait until the other call ++ * calls _call_finish(), otherwise fd leak is possible. ++ * Resolves: GHSL-2021-077 ++ */ + +- if (data.caught_error) +- goto out; ++ if ( (dbus_call_respond_fails > 1) ) ++ { ++ // we got two faults, we can leave ++ goto out; ++ } ++ ++ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid))) ++ { ++ // we got one fault and the other call finally finished, we can leave ++ goto out; ++ } ++ ++ if ( !(data.retrieved_uid && data.retrieved_pid) ) ++ { ++ g_main_context_iteration (tmp_context, TRUE); ++ } ++ else ++ { ++ break; ++ } ++ } + + if (out_uid) + *out_uid = data.uid; +-- +GitLab + diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch new file mode 100644 index 0000000000..76308ffdb9 --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch @@ -0,0 +1,33 @@ +From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001 +From: Jan Rybar <jrybar@redhat.com> +Date: Wed, 2 Jun 2021 15:43:38 +0200 +Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit + +initial values returned if error caught + +CVE: CVE-2021-3560 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + src/polkit/polkitsystembusname.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c +index 8daa12c..8ed1363 100644 +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) + g_main_context_iteration (tmp_context, TRUE); + ++ if (data.caught_error) ++ goto out; ++ + if (out_uid) + *out_uid = data.uid; + if (out_pid) +-- +2.29.2 + diff --git a/meta-oe/recipes-extended/polkit/polkit_0.116.bb b/meta-oe/recipes-extended/polkit/polkit_0.116.bb index ad1973b136..dd8e208616 100644 --- a/meta-oe/recipes-extended/polkit/polkit_0.116.bb +++ b/meta-oe/recipes-extended/polkit/polkit_0.116.bb @@ -25,6 +25,9 @@ PAM_SRC_URI = "file://polkit-1_pam.patch" SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ file://0003-make-netgroup-support-optional.patch \ + file://CVE-2021-3560.patch \ + file://CVE-2021-4034.patch \ + file://CVE-2021-4115.patch \ " SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a" SRC_URI[sha256sum] = "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1" diff --git a/meta-oe/recipes-extended/redis/redis_5.0.9.bb b/meta-oe/recipes-extended/redis/redis_5.0.14.bb index d04293369a..3d849ec8c3 100644 --- a/meta-oe/recipes-extended/redis/redis_5.0.9.bb +++ b/meta-oe/recipes-extended/redis/redis_5.0.14.bb @@ -17,8 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://GNU_SOURCE.patch \ " -SRC_URI[md5sum] = "c94523c9f4ee662027ddf90575d0e058" -SRC_URI[sha256sum] = "53d0ae164cd33536c3d4b720ae9a128ea6166ebf04ff1add3b85f1242090cb85" +SRC_URI[sha256sum] = "3ea5024766d983249e80d4aa9457c897a9f079957d0fb1f35682df233f997f32" inherit autotools-brokensep update-rc.d systemd useradd diff --git a/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb b/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb index 5662e63474..914b12e7ca 100644 --- a/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb +++ b/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb @@ -10,7 +10,7 @@ SRCREV = "56a83f4f52e6745cd4352f9ee008be3183a6dedf" PV = "1.7.2" SRC_URI = "\ - git://github.com/oetiker/rrdtool-1.x.git;branch=master;protocol=http; \ + git://github.com/oetiker/rrdtool-1.x.git;branch=master;protocol=http;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb b/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb index b84dde3d37..3b63971e5d 100644 --- a/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb +++ b/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a958bb07122368f3e1d9b2efe07d231f" DEPENDS = "" -SRC_URI = "git://github.com/rsyslog/libfastjson.git;protocol=https \ +SRC_URI = "git://github.com/rsyslog/libfastjson.git;protocol=https;branch=master \ file://0001-fix-jump-misses-init-gcc-8-warning.patch" SRCREV = "4758b1caf69ada911ef79e1d80793fe489b98dff" diff --git a/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb b/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb index a4663148cd..9da9d7c96c 100644 --- a/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb +++ b/meta-oe/recipes-extended/rsyslog/librelp_1.5.0.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1fb9c10ed9fd6826757615455ca893a9" DEPENDS = "gmp nettle libidn zlib gnutls openssl" -SRC_URI = "git://github.com/rsyslog/librelp.git;protocol=https \ +SRC_URI = "git://github.com/rsyslog/librelp.git;protocol=https;branch=master \ " SRCREV = "0beb2258e12e4131dc31e261078ea53d18f787d7" diff --git a/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb b/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb index ffd46da0af..e720d3e5c8 100644 --- a/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb +++ b/meta-oe/recipes-extended/sanlock/sanlock_3.8.0.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://../README.license;md5=60487bf0bf429d6b5aa72b6d37a0eb2 PV .= "+git${SRCPV}" -SRC_URI = "git://pagure.io/sanlock.git;protocol=http \ +SRC_URI = "git://pagure.io/sanlock.git;protocol=http;branch=master \ file://0001-sanlock-Replace-cp-a-with-cp-R-no-dereference-preser.patch;patchdir=../ \ " SRCREV = "cff348800722f7dadf030ffe7494c2df714996e3" diff --git a/meta-oe/recipes-extended/sedutil/sedutil_git.bb b/meta-oe/recipes-extended/sedutil/sedutil_git.bb index 765618433b..03446c324d 100644 --- a/meta-oe/recipes-extended/sedutil/sedutil_git.bb +++ b/meta-oe/recipes-extended/sedutil/sedutil_git.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://Common/LICENSE.txt;md5=d32239bcb673463ab874e80d47fae5 BASEPV = "1.15.1" PV = "${BASEPV}+git${SRCPV}" SRCREV = "358cc758948be788284d5faba46ccf4cc1813796" -SRC_URI = "git://github.com/Drive-Trust-Alliance/sedutil.git \ +SRC_URI = "git://github.com/Drive-Trust-Alliance/sedutil.git;branch=master;protocol=https \ file://0001-Fix-build-on-big-endian-architectures.patch \ " diff --git a/meta-oe/recipes-extended/socketcan/can-isotp_git.bb b/meta-oe/recipes-extended/socketcan/can-isotp_git.bb index e40e1cd263..7d016bc963 100644 --- a/meta-oe/recipes-extended/socketcan/can-isotp_git.bb +++ b/meta-oe/recipes-extended/socketcan/can-isotp_git.bb @@ -3,7 +3,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=72d977d697c3c05830fdff00a7448931" SRCREV = "b31bce98d65f894aad6427bcf6f3f7822e261a59" PV = "1.0+git${SRCPV}" -SRC_URI = "git://github.com/hartkopp/can-isotp.git;protocol=https" +SRC_URI = "git://github.com/hartkopp/can-isotp.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/socketcan/can-utils_git.bb b/meta-oe/recipes-extended/socketcan/can-utils_git.bb index 519368817f..92b38030fe 100644 --- a/meta-oe/recipes-extended/socketcan/can-utils_git.bb +++ b/meta-oe/recipes-extended/socketcan/can-utils_git.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://include/linux/can.h;endline=44;md5=a9e1169c6c9a114a61 DEPENDS = "libsocketcan" -SRC_URI = "git://github.com/linux-can/${BPN}.git;protocol=git" +SRC_URI = "git://github.com/linux-can/${BPN}.git;protocol=https;branch=master" SRCREV = "da65fdfe0d1986625ee00af0b56ae17ec132e700" diff --git a/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb b/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb index e1508af857..56466a6cd2 100644 --- a/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb +++ b/meta-oe/recipes-extended/socketcan/canutils_4.0.6.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" DEPENDS = "libsocketcan" SRCREV = "299dff7f5322bf0348dcdd60071958ebedf5f09d" -SRC_URI = "git://git.pengutronix.de/git/tools/canutils.git;protocol=git \ +SRC_URI = "git://git.pengutronix.de/git/tools/canutils.git;protocol=git;branch=master \ file://0001-canutils-candump-Add-error-frame-s-handling.patch \ " diff --git a/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb b/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb index 0debe47e03..6a44cff93d 100644 --- a/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb +++ b/meta-oe/recipes-extended/socketcan/libsocketcan_0.0.11.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://src/libsocketcan.c;beginline=3;endline=17;md5=97e38ad SRCREV = "0ff01ae7e4d271a7b81241e7a7026bfcea0add3f" -SRC_URI = "git://git.pengutronix.de/git/tools/libsocketcan.git;protocol=git" +SRC_URI = "git://git.pengutronix.de/git/tools/libsocketcan.git;protocol=git;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/sysdig/sysdig_git.bb b/meta-oe/recipes-extended/sysdig/sysdig_git.bb index 04a022af4f..b06340f82f 100644 --- a/meta-oe/recipes-extended/sysdig/sysdig_git.bb +++ b/meta-oe/recipes-extended/sysdig/sysdig_git.bb @@ -15,10 +15,10 @@ JIT_mipsarchn64 = "" JIT_riscv64 = "" JIT_riscv32 = "" -DEPENDS += "lua${JIT} zlib c-ares grpc-native grpc curl ncurses jsoncpp tbb jq openssl elfutils protobuf protobuf-native jq-native" +DEPENDS += "libb64 lua${JIT} zlib c-ares grpc-native grpc curl ncurses jsoncpp tbb jq openssl elfutils protobuf protobuf-native jq-native" RDEPENDS_${PN} = "bash" -SRC_URI = "git://github.com/draios/sysdig.git;branch=dev \ +SRC_URI = "git://github.com/draios/sysdig.git;branch=dev;protocol=https \ file://0001-fix-build-with-LuaJIT-2.1-betas.patch \ file://0001-Fix-build-with-musl-backtrace-APIs-are-glibc-specifi.patch \ file://fix-uint64-const.patch \ @@ -32,7 +32,6 @@ S = "${WORKDIR}/git" EXTRA_OECMAKE = "\ -DBUILD_DRIVER=OFF \ -DUSE_BUNDLED_DEPS=OFF \ - -DUSE_BUNDLED_B64=ON \ -DCREATE_TEST_TARGETS=OFF \ -DDIR_ETC=${sysconfdir} \ -DLUA_INCLUDE_DIR=${STAGING_INCDIR}/luajit-2.1 \ diff --git a/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb b/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb index 637770af24..c9d9fb5729 100644 --- a/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb +++ b/meta-oe/recipes-extended/tipcutils/tipcutils_git.bb @@ -2,7 +2,7 @@ SUMMARY = "Transparent Inter-Process Communication protocol" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://tipclog/tipc.h;endline=35;md5=985b6ea8735818511d276c1b466cce98" -SRC_URI = "git://git.code.sf.net/p/tipc/tipcutils \ +SRC_URI = "git://git.code.sf.net/p/tipc/tipcutils;branch=master \ file://0001-include-sys-select.h-for-FD_-definitions.patch \ file://0002-replace-non-standard-uint-with-unsigned-int.patch \ file://0001-multicast_blast-tipcc-Fix-struct-type-for-TIPC_GROUP.patch \ diff --git a/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb b/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb index 38ce4f5571..c62cef36d3 100644 --- a/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb +++ b/meta-oe/recipes-extended/triggerhappy/triggerhappy_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" # matches debian/0.5.0-1 tag SRCREV = "44a173195986d0d853316cb02a58785ded66c12b" PV = "0.5.0+git${SRCPV}" -SRC_URI = "git://github.com/wertarbyte/${BPN}.git;branch=debian" +SRC_URI = "git://github.com/wertarbyte/${BPN}.git;branch=debian;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb b/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb index ed19d1e41a..de1fc3a1fe 100644 --- a/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb +++ b/meta-oe/recipes-extended/uml-utilities/uml-utilities_20040406.bb @@ -16,12 +16,11 @@ PR = "r1" S = "${WORKDIR}/tools" do_compile() { - oe_runmake + oe_runmake LIB_DIR=${libdir}/uml } do_install() { oe_runmake install DESTDIR=${D} } -FILES_${PN} += "${exec_prefix}${nonarch_base_libdir}" -FILES_${PN}-dbg += "${exec_prefix}${nonarch_base_libdir}/uml/.debug" +FILES_${PN} += "${libdir}/uml" diff --git a/meta-oe/recipes-extended/upm/upm_git.bb b/meta-oe/recipes-extended/upm/upm_git.bb index 6a7611f382..7643d13e25 100644 --- a/meta-oe/recipes-extended/upm/upm_git.bb +++ b/meta-oe/recipes-extended/upm/upm_git.bb @@ -10,7 +10,7 @@ DEPENDS = "libjpeg-turbo mraa" SRCREV = "5cf20df96c6b35c19d5b871ba4e319e96b4df72d" PV = "2.0.0+git${SRCPV}" -SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http \ +SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http;branch=master;protocol=https \ file://0001-CMakeLists.txt-Use-SWIG_SUPPORT_FILES-to-find-the-li.patch \ file://0001-Use-stdint-types.patch \ file://0001-initialize-local-variables-before-use.patch \ diff --git a/meta-oe/recipes-extended/wipe/wipe_0.24.bb b/meta-oe/recipes-extended/wipe/wipe_0.24.bb index 831d514a4e..3ccc5afd5c 100644 --- a/meta-oe/recipes-extended/wipe/wipe_0.24.bb +++ b/meta-oe/recipes-extended/wipe/wipe_0.24.bb @@ -9,7 +9,7 @@ HOMEPAGE = "http://lambda-diode.com/software/wipe/" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://GPL;md5=0636e73ff0215e8d672dc4c32c317bb3" -SRC_URI = "git://github.com/berke/wipe.git;branch=master \ +SRC_URI = "git://github.com/berke/wipe.git;branch=master;protocol=https \ file://support-cross-compile-for-linux.patch \ file://makefile-add-ldflags.patch \ " diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb b/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb index 06337b79c7..8f766ac877 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets_git.bb @@ -21,7 +21,7 @@ DEPENDS += " \ tiff \ " -SRC_URI = "git://github.com/wxWidgets/wxWidgets.git" +SRC_URI = "git://github.com/wxWidgets/wxWidgets.git;branch=master;protocol=https" PV = "3.1.3" SRCREV= "8a40d23b27ed1c80b5a2ca9f7e8461df4fbc1a31" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb b/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb index b94664c33c..eddf1ed960 100644 --- a/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb +++ b/meta-oe/recipes-extended/zlog/zlog_1.2.14.bb @@ -4,7 +4,7 @@ LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" SRCREV = "8fc78c3c65cb705953a2f3f9a813c3ef3c8b2270" -SRC_URI = "git://github.com/HardySimpson/zlog" +SRC_URI = "git://github.com/HardySimpson/zlog;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/zram/zram/zram-swap-init b/meta-oe/recipes-extended/zram/zram/zram-swap-init index 0643dbca23..ccc3aafe3a 100755 --- a/meta-oe/recipes-extended/zram/zram/zram-swap-init +++ b/meta-oe/recipes-extended/zram/zram/zram-swap-init @@ -14,7 +14,7 @@ fi ZRAM_SIZE_PERCENT=100 ZRAM_ALGORITHM=lz4 -[ -f /etc/default/zram ] && ./etc/default/zram || true +[ -f /etc/default/zram ] && . /etc/default/zram || true memtotal=$(grep MemTotal /proc/meminfo | awk ' { print $2 } ') memzram=$(($memtotal*${ZRAM_SIZE_PERCENT}/100)) diff --git a/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb b/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb index cd0b471e17..0c564c0d1c 100644 --- a/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb +++ b/meta-oe/recipes-extended/zstd/zstd_1.4.5.bb @@ -9,7 +9,7 @@ LICENSE = "BSD-3-Clause & GPLv2" LIC_FILES_CHKSUM = "file://LICENSE;md5=c7f0b161edbe52f5f345a3d1311d0b32 \ file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0" -SRC_URI = "git://github.com/facebook/zstd.git;nobranch=1 \ +SRC_URI = "git://github.com/facebook/zstd.git;branch=dev;protocol=https \ file://0001-Fix-legacy-build-after-2103.patch \ " diff --git a/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb b/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb index a957c1d673..6fa31c58ff 100644 --- a/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb +++ b/meta-oe/recipes-gnome/pyxdg/pyxdg_0.26.bb @@ -5,7 +5,7 @@ LICENSE = "LGPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=f30a9716ef3762e3467a2f62bf790f0a" SRCREV = "7db14dcf4c4305c3859a2d9fcf9f5da2db328330" -SRC_URI = "git://anongit.freedesktop.org/xdg/pyxdg" +SRC_URI = "git://anongit.freedesktop.org/xdg/pyxdg;branch=master" inherit distutils3 diff --git a/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb b/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb index 32f0815921..2d13f26a3d 100644 --- a/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb +++ b/meta-oe/recipes-graphics/dietsplash/dietsplash_git.bb @@ -8,7 +8,7 @@ PV = "0.3" PR = "r1" SRCREV = "ef2e1a390e768e21e6a6268977580ee129a96633" -SRC_URI = "git://github.com/lucasdemarchi/dietsplash.git \ +SRC_URI = "git://github.com/lucasdemarchi/dietsplash.git;branch=master;protocol=https \ file://0001-configure.ac-Do-not-demand-linker-hash-style.patch \ " diff --git a/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb b/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb index 007385101c..24f8e44d89 100644 --- a/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb +++ b/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb @@ -3,7 +3,7 @@ LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://LICENSE;md5=d32239bcb673463ab874e80d47fae504 \ " -SRC_URI = "git://github.com/manatools/dnfdragora.git \ +SRC_URI = "git://github.com/manatools/dnfdragora.git;branch=master;protocol=https \ file://0001-disable-build-manpages.patch \ file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \ file://0001-To-fix-error-when-do_package.patch \ diff --git a/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb b/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb index e3dff91915..8036d5f7a9 100644 --- a/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb +++ b/meta-oe/recipes-graphics/fbgrab/fbgrab_1.3.3.bb @@ -4,7 +4,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=ea5bed2f60d357618ca161ad539f7c0a" SECTION = "console/utils" DEPENDS = "libpng zlib" -SRC_URI = "git://github.com/GunnarMonell/fbgrab.git;protocol=https" +SRC_URI = "git://github.com/GunnarMonell/fbgrab.git;protocol=https;branch=master" SRCREV = "b179e2a42b8a5d72516b9c8d91713c9025cf6044" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb index 1863f95f0f..8f65da2c1f 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb @@ -15,7 +15,7 @@ REQUIRED_DISTRO_FEATURES_append_class-target = " x11" # tag 20190801 SRCREV = "ac635b818e38ddb8e7e2e1057330a32b4e25476e" -SRC_URI = "git://github.com/${BPN}/${BPN}.git \ +SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \ file://0001-include-sys-select-on-non-glibc-platforms.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb b/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb index 51f5a4eca1..d405cb8775 100644 --- a/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb +++ b/meta-oe/recipes-graphics/fvwm/fvwm_2.6.9.bb @@ -32,7 +32,7 @@ DEPENDS = " \ " SRC_URI = " \ - git://github.com/fvwmorg/fvwm.git;protocol=https \ + git://github.com/fvwmorg/fvwm.git;protocol=https;branch=master \ file://0001-Fix-compilation-for-disabled-gnome.patch \ " @@ -82,12 +82,17 @@ do_install_append() { install -d -m 0755 ${D}/${datadir}/fvwm touch ${D}/${datadir}/fvwm/ConfigFvwmDefaults + sed -i -e 's:${STAGING_BINDIR_NATIVE}/perl-native/perl:${USRBINPATH}/env perl:g' ${D}${bindir}/fvwm-* + sed -i -e 's:${STAGING_BINDIR_NATIVE}/perl-native/perl:${USRBINPATH}/env perl:g' ${D}${libexecdir}/fvwm/*/Fvwm* + sed -i -e 's:${STAGING_BINDIR_NATIVE}/python3-native/python3:${USRBINPATH}/env python3:g' ${D}${bindir}/fvwm-menu-desktop } # the only needed packages (note: locale packages are automatically generated # as well) PACKAGES = " \ ${PN} \ + ${PN}-extra \ + ${PN}-doc \ ${PN}-dbg \ " @@ -98,12 +103,20 @@ FILES_${PN} = " \ ${datadir}/fvwm/ConfigFvwmDefaults \ " +FILES_${PN}-extra = " \ + ${bindir} \ + ${libexecdir} \ + ${sysconfdir}/xdg/fvwm \ +" +FILES_${PN}-doc = " \ + ${mandir} \ + ${datadir}/fvwm \ +" + RDEPENDS_${PN} = " \ xuser-account \ " - -# by default a lot of stuff is installed and it's not easy to control what to -# install, so install everything, but skip the check -INSANE_SKIP_${PN} = " \ - installed-vs-shipped \ +RDEPENDS_${PN}-extra += "\ + perl \ + python3-core \ " diff --git a/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb b/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb index e2f4dbebc5..b44f06c555 100644 --- a/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb +++ b/meta-oe/recipes-graphics/glm/glm_0.9.9.6.bb @@ -9,7 +9,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://copying.txt;md5=4a735e33f271f57404fda17e80085411" SRC_URI = " \ - git://github.com/g-truc/glm;branch=master \ + git://github.com/g-truc/glm;branch=master;protocol=https \ file://0001-Fix-Wimplicit-int-float-conversion-warnings-with-cla.patch \ file://glmConfig.cmake.in \ file://glmConfigVersion.cmake.in \ diff --git a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.25.bb b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.25.bb index 8daf737a5e..fe7657f54c 100644 --- a/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.25.bb +++ b/meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.25.bb @@ -29,6 +29,12 @@ do_configure_append() { cp ${STAGING_DATADIR_NATIVE}/gettext/po/Makefile.in.in ${S}/libgphoto2_port/po/ cd ${S}/libgphoto2_port/ autoreconf -Wcross --verbose --install --force ${EXTRA_AUTORECONF} $acpaths + + # remove WORKDIR information from config to improve reproducibility + # libgphoto2_port recheck config will set the WORKDIR info again, so dont do that + sed -i 's/'$(echo ${WORKDIR} | sed 's_/_\\/_g')'/../g' ${B}/config.h + sed -i 's/'$(echo ${WORKDIR} | sed 's_/_\\/_g')'/../g' ${B}/libgphoto2_port/config.status + sed -i '/config\.status/ s/\-\-recheck//' ${B}/libgphoto2_port/Makefile cd ${S} } diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb index 12ecb99091..72e2f5cc7a 100644 --- a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb +++ b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb @@ -19,13 +19,12 @@ DEPENDS_append_class-target = " ${BPN}-native" inherit autotools-brokensep pkgconfig gettext -# The source tarball suggested at -# https://graphviz.gitlab.io/_pages/Download/Download_source.html has no -# version in its name. So once graphviz is updgraded, only first time users will -# get checksum errors. Fedora people seem to expect same so they use a versioned -# source - see https://src.fedoraproject.org/cgit/rpms/graphviz.git/tree/graphviz.spec - -SRC_URI = "https://gitlab.com/graphviz/graphviz/-/archive/stable_release_${PV}/graphviz-stable_release_${PV}.tar.gz \ +# it was already moved from github.com/ellson/graphviz to https://gitlab.com/graphviz/graphviz/ +# but the later doesn't have stable_release_2.40.1 tag (anymore?), but it has corresponding commit: +# https://github.com/ellson/MOTHBALLED-graphviz/releases/tag/stable_release_2.40.1 +# https://gitlab.com/graphviz/graphviz/-/commit/67cd2e5121379a38e0801cc05cce5033f8a2a609 +SRCREV = "67cd2e5121379a38e0801cc05cce5033f8a2a609" +SRC_URI = "git://gitlab.com/${BPN}/${BPN}.git;branch=master \ file://0001-plugin-pango-Include-freetype-headers-explicitly.patch \ " # Use native mkdefs @@ -33,10 +32,7 @@ SRC_URI_append_class-target = "\ file://0001-Use-native-mkdefs.patch \ file://0001-Set-use_tcl-to-be-empty-string-if-tcl-is-disabled.patch \ " -SRC_URI[md5sum] = "2acf30ca8e6cc8b001b0334db65fd072" -SRC_URI[sha256sum] = "e6c3f8dbfde1c4523055403927bef29f97f9fc12715c1042b5dcf648a2c1c62a" - -S = "${WORKDIR}/${BPN}-stable_release_${PV}" +S = "${WORKDIR}/git" EXTRA_OECONF_class-target = "\ --with-expatincludedir=${STAGING_INCDIR} \ @@ -59,6 +55,17 @@ do_install_append_class-native() { install -m755 ${B}/lib/gvpr/mkdefs ${D}${bindir} } +# create /usr/lib/graphviz/config6 +graphviz_sstate_postinst() { + mkdir -p ${SYSROOT_DESTDIR}${bindir} + dest=${SYSROOT_DESTDIR}${bindir}/postinst-${PN} + echo '#!/bin/sh' > $dest + echo '' >> $dest + echo 'dot -c' >> $dest + chmod 0755 $dest +} +SYSROOT_PREPROCESS_FUNCS_append_class-native = " graphviz_sstate_postinst" + PACKAGES =+ "${PN}-python ${PN}-perl ${PN}-demo" FILES_${PN}-python += "${libdir}/python*/site-packages/ ${libdir}/graphviz/python/" diff --git a/meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb b/meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb index 1d5a29438a..977c0961bc 100644 --- a/meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb +++ b/meta-oe/recipes-graphics/jasper/jasper_2.0.16.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/mdadams/jasper" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb" -SRC_URI = "git://github.com/mdadams/jasper.git;protocol=https" +SRC_URI = "git://github.com/mdadams/jasper.git;protocol=https;branch=master" SRCREV = "9aef6d91a82a8a6aecb575cbee57f74470603cc2" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch new file mode 100644 index 0000000000..2db67966cf --- /dev/null +++ b/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-13616.patch @@ -0,0 +1,27 @@ +From 97fefd050976bbbfca9608499f6a7d9fb86e70db Mon Sep 17 00:00:00 2001 +From: Sam Lantinga <slouken@libsdl.org> +Date: Tue, 30 Jul 2019 11:00:00 -0700 +Subject: [PATCH] Fixed bug 4538 - validate image size when loading BMP files +--- + src/video/SDL_bmp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c +index 8eadc5f..5b5e12c 100644 +--- a/src/video/SDL_bmp.c ++++ b/src/video/SDL_bmp.c +@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) + (void) biYPelsPerMeter; + (void) biClrImportant; + ++ if (biWidth <= 0 || biHeight == 0) { ++ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight); ++ was_error = SDL_TRUE; ++ goto done; ++ } + if (biHeight < 0) { + topDown = SDL_TRUE; + biHeight = -biHeight; +-- +2.25.1 + diff --git a/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb b/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb index aa246f9995..8f1960d8ad 100644 --- a/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb +++ b/meta-oe/recipes-graphics/libsdl/libsdl2-mixer_2.0.4.bb @@ -14,7 +14,7 @@ S = "${WORKDIR}/SDL2_mixer-${PV}" inherit autotools-brokensep pkgconfig EXTRA_AUTORECONF += "--include=acinclude" -EXTRA_OECONF = "--disable-music-mp3 --enable-music-ogg --enable-music-ogg-tremor LIBS=-L${STAGING_LIBDIR}" +EXTRA_OECONF = "--disable-music-mp3 --enable-music-ogg --disable-music-ogg-shared LIBS=-L${STAGING_LIBDIR}" PACKAGECONFIG[mad] = "--enable-music-mp3-mad-gpl,--disable-music-mp3-mad-gpl,libmad" diff --git a/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb b/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb index 7a01908322..d91a1856b4 100644 --- a/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb +++ b/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb @@ -27,6 +27,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL-${PV}.tar.gz \ file://CVE-2019-7637.patch \ file://CVE-2019-7638.patch \ file://CVE-2019-7576.patch \ + file://CVE-2019-13616.patch \ " UPSTREAM_CHECK_REGEX = "SDL-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb index dfdf82458c..7f622c2793 100644 --- a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb +++ b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.12.bb @@ -44,7 +44,7 @@ FILES_libvncclient = "${libdir}/libvncclient.*" inherit cmake -SRC_URI = "git://github.com/LibVNC/libvncserver" +SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https" SRCREV = "1354f7f1bb6962dab209eddb9d6aac1f03408110" PV .= "+git${SRCPV}" diff --git a/meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb b/meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb index 1a376a4697..8fda4b5fb0 100644 --- a/meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb +++ b/meta-oe/recipes-graphics/libyui/libyui-ncurses_2.52.0.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING.lgpl-3;md5=e6a600fd5e1d9cbde2d983680233ad02 \ file://COPYING.lgpl-2.1;md5=4fbd65380cdd255951079008b364516c \ " -SRC_URI = "git://github.com/libyui/libyui-ncurses.git \ +SRC_URI = "git://github.com/libyui/libyui-ncurses.git;branch=master;protocol=https \ file://0003-Simplify-ncurses-finding-module.patch \ " diff --git a/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb b/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb index 7c6f4c13d2..72a86955e1 100644 --- a/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb +++ b/meta-oe/recipes-graphics/libyui/libyui_3.6.0.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING.gpl-3;md5=d32239bcb673463ab874e80d47fae504 \ file://COPYING.lgpl-3;md5=e6a600fd5e1d9cbde2d983680233ad02 \ " -SRC_URI = "git://github.com/libyui/libyui.git \ +SRC_URI = "git://github.com/libyui/libyui-old.git;branch=master;protocol=https \ file://0001-Fix-build-with-clang.patch \ file://0001-Use-relative-install-paths-for-CMake.patch \ " diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch new file mode 100644 index 0000000000..98988e686e --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-1.patch @@ -0,0 +1,72 @@ +From 21399f6b7d318fcdf4406d5e88723c4922202aa3 Mon Sep 17 00:00:00 2001 +From: Young Xiao <YangX92@hotmail.com> +Date: Sat, 16 Mar 2019 19:57:27 +0800 +Subject: [PATCH] convertbmp: detect invalid file dimensions early + +width/length dimensions read from bmp headers are not necessarily +valid. For instance they may have been maliciously set to very large +values with the intention to cause DoS (large memory allocation, stack +overflow). In these cases we want to detect the invalid size as early +as possible. + +This commit introduces a counter which verifies that the number of +written bytes corresponds to the advertized width/length. + +See commit 8ee335227bbc for details. + +Signed-off-by: Young Xiao <YangX92@hotmail.com> + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2019-12973 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/bin/jp2/convertbmp.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index 0af52f816..ec34f535b 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -622,13 +622,13 @@ static OPJ_BOOL bmp_read_rle8_data(FILE* IN, OPJ_UINT8* pData, + static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + OPJ_UINT32 stride, OPJ_UINT32 width, OPJ_UINT32 height) + { +- OPJ_UINT32 x, y; ++ OPJ_UINT32 x, y, written; + OPJ_UINT8 *pix; + const OPJ_UINT8 *beyond; + + beyond = pData + stride * height; + pix = pData; +- x = y = 0U; ++ x = y = written = 0U; + while (y < height) { + int c = getc(IN); + if (c == EOF) { +@@ -642,6 +642,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); ++ written++; + } + } else { /* absolute mode */ + c = getc(IN); +@@ -671,6 +672,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + c1 = (OPJ_UINT8)getc(IN); + } + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); ++ written++; + } + if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ + getc(IN); +@@ -678,6 +680,10 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + } + } + } /* while(y < height) */ ++ if (written != width * height) { ++ fprintf(stderr, "warning, image's actual size does not match advertized one\n"); ++ return OPJ_FALSE; ++ } + return OPJ_TRUE; + } + diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch new file mode 100644 index 0000000000..2177bfdbdb --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2019-12973-2.patch @@ -0,0 +1,86 @@ +From 3aef207f90e937d4931daf6d411e092f76d82e66 Mon Sep 17 00:00:00 2001 +From: Young Xiao <YangX92@hotmail.com> +Date: Sat, 16 Mar 2019 20:09:59 +0800 +Subject: [PATCH] bmp_read_rle4_data(): avoid potential infinite loop + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2019-12973 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/bin/jp2/convertbmp.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c +index ec34f535b..2fc4e9bc4 100644 +--- a/src/bin/jp2/convertbmp.c ++++ b/src/bin/jp2/convertbmp.c +@@ -632,12 +632,18 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + while (y < height) { + int c = getc(IN); + if (c == EOF) { +- break; ++ return OPJ_FALSE; + } + + if (c) { /* encoded mode */ +- int j; +- OPJ_UINT8 c1 = (OPJ_UINT8)getc(IN); ++ int j, c1_int; ++ OPJ_UINT8 c1; ++ ++ c1_int = getc(IN); ++ if (c1_int == EOF) { ++ return OPJ_FALSE; ++ } ++ c1 = (OPJ_UINT8)c1_int; + + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { +@@ -647,7 +653,7 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + } else { /* absolute mode */ + c = getc(IN); + if (c == EOF) { +- break; ++ return OPJ_FALSE; + } + + if (c == 0x00) { /* EOL */ +@@ -658,8 +664,14 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + break; + } else if (c == 0x02) { /* MOVE by dxdy */ + c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + x += (OPJ_UINT32)c; + c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + y += (OPJ_UINT32)c; + pix = pData + y * stride + x; + } else { /* 03 .. 255 : absolute mode */ +@@ -669,13 +681,21 @@ static OPJ_BOOL bmp_read_rle4_data(FILE* IN, OPJ_UINT8* pData, + for (j = 0; (j < c) && (x < width) && + ((OPJ_SIZE_T)pix < (OPJ_SIZE_T)beyond); j++, x++, pix++) { + if ((j & 1) == 0) { +- c1 = (OPJ_UINT8)getc(IN); ++ int c1_int; ++ c1_int = getc(IN); ++ if (c1_int == EOF) { ++ return OPJ_FALSE; ++ } ++ c1 = (OPJ_UINT8)c1_int; + } + *pix = (OPJ_UINT8)((j & 1) ? (c1 & 0x0fU) : ((c1 >> 4) & 0x0fU)); + written++; + } + if (((c & 3) == 1) || ((c & 3) == 2)) { /* skip padding byte */ +- getc(IN); ++ c = getc(IN); ++ if (c == EOF) { ++ return OPJ_FALSE; ++ } + } + } + } diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch new file mode 100644 index 0000000000..f22e153b52 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-15389.patch @@ -0,0 +1,43 @@ +From e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sun, 28 Jun 2020 14:19:59 +0200 +Subject: [PATCH] opj_decompress: fix double-free on input directory with mix + of valid and invalid images (CVE-2020-15389) + +Fixes #1261 + +Credits to @Ruia-ruia for reporting and analysis. + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-15389 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/bin/jp2/opj_decompress.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c +index 7eeb0952f..2634907f0 100644 +--- a/src/bin/jp2/opj_decompress.c ++++ b/src/bin/jp2/opj_decompress.c +@@ -1316,10 +1316,6 @@ static opj_image_t* upsample_image_components(opj_image_t* original) + int main(int argc, char **argv) + { + opj_decompress_parameters parameters; /* decompression parameters */ +- opj_image_t* image = NULL; +- opj_stream_t *l_stream = NULL; /* Stream */ +- opj_codec_t* l_codec = NULL; /* Handle to a decompressor */ +- opj_codestream_index_t* cstr_index = NULL; + + OPJ_INT32 num_images, imageno; + img_fol_t img_fol; +@@ -1393,6 +1389,10 @@ int main(int argc, char **argv) + + /*Decoding image one by one*/ + for (imageno = 0; imageno < num_images ; imageno++) { ++ opj_image_t* image = NULL; ++ opj_stream_t *l_stream = NULL; /* Stream */ ++ opj_codec_t* l_codec = NULL; /* Handle to a decompressor */ ++ opj_codestream_index_t* cstr_index = NULL; + + if (!parameters.quiet) { + fprintf(stderr, "\n"); diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch new file mode 100644 index 0000000000..da06db6db7 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-1.patch @@ -0,0 +1,29 @@ +From eaa098b59b346cb88e4d10d505061f669d7134fc Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 23 Nov 2020 13:49:05 +0100 +Subject: [PATCH] Encoder: grow buffer size in + opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in + opj_mqc_flush (fixes #1283) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27814 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/tcd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1235,9 +1235,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + + /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */ + /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ ++ /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ ++ /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch new file mode 100644 index 0000000000..9c5894c720 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-2.patch @@ -0,0 +1,27 @@ +From 15cf3d95814dc931ca0ecb132f81cb152e051bae Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 23 Nov 2020 18:14:02 +0100 +Subject: [PATCH] Encoder: grow again buffer size in + opj_tcd_code_block_enc_allocate_data() (fixes #1283) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27814 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/tcd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1237,9 +1237,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */ + /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ + /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ ++ /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 26 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ l_data_size = 28 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch new file mode 100644 index 0000000000..1eb030af46 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-3.patch @@ -0,0 +1,30 @@ +From 649298dcf84b2f20cfe458d887c1591db47372a6 Mon Sep 17 00:00:00 2001 +From: yuan <zodf0055980@gmail.com> +Date: Wed, 25 Nov 2020 20:41:39 +0800 +Subject: [PATCH] Encoder: grow again buffer size in + opj_tcd_code_block_enc_allocate_data() (fixes #1283) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27814 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/tcd.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1238,10 +1238,12 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + /* and +7 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 3) */ + /* and +26 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 7) */ + /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */ ++ /* and +33 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4) */ ++ /* and +63 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -IMF 2K) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 28 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * +- (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); ++ l_data_size = 63 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { + if (p_code_block->data) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch new file mode 100644 index 0000000000..1c267c313b --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27814-4.patch @@ -0,0 +1,27 @@ +From 4ce7d285a55d29b79880d0566d4b010fe1907aa9 Mon Sep 17 00:00:00 2001 +From: yuan <zodf0055980@gmail.com> +Date: Fri, 4 Dec 2020 19:00:22 +0800 +Subject: [PATCH] Encoder: grow again buffer size in + opj_tcd_code_block_enc_allocate_data() (fixes #1283) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27814 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/tcd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/src/lib/openjp2/tcd.c ++++ b/src/lib/openjp2/tcd.c +@@ -1240,9 +1240,10 @@ static OPJ_BOOL opj_tcd_code_block_enc_a + /* and +28 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 44) */ + /* and +33 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4) */ + /* and +63 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -IMF 2K) */ ++ /* and +74 for https://github.com/uclouvain/openjpeg/issues/1283 (-M 4 -n 8 -s 7,7 -I) */ + /* TODO: is there a theoretical upper-bound for the compressed code */ + /* block size ? */ +- l_data_size = 63 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * ++ l_data_size = 74 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) * + (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32)); + + if (l_data_size > p_code_block->data_size) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch new file mode 100644 index 0000000000..e4373d0d32 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27823.patch @@ -0,0 +1,29 @@ +From b2072402b7e14d22bba6fb8cde2a1e9996e9a919 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 30 Nov 2020 22:31:51 +0100 +Subject: [PATCH] pngtoimage(): fix wrong computation of x1,y1 if -d option is + used, that would result in a heap buffer overflow (fixes #1284) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27823 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/bin/jp2/convertpng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/bin/jp2/convertpng.c b/src/bin/jp2/convertpng.c +index 328c91beb..00f596e27 100644 +--- a/src/bin/jp2/convertpng.c ++++ b/src/bin/jp2/convertpng.c +@@ -223,9 +223,9 @@ opj_image_t *pngtoimage(const char *read_idf, opj_cparameters_t * params) + image->x0 = (OPJ_UINT32)params->image_offset_x0; + image->y0 = (OPJ_UINT32)params->image_offset_y0; + image->x1 = (OPJ_UINT32)(image->x0 + (width - 1) * (OPJ_UINT32) +- params->subsampling_dx + 1 + image->x0); ++ params->subsampling_dx + 1); + image->y1 = (OPJ_UINT32)(image->y0 + (height - 1) * (OPJ_UINT32) +- params->subsampling_dy + 1 + image->y0); ++ params->subsampling_dy + 1); + + row32s = (OPJ_INT32 *)malloc((size_t)width * nr_comp * sizeof(OPJ_INT32)); + if (row32s == NULL) { diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch new file mode 100644 index 0000000000..5f3deb4dda --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27824.patch @@ -0,0 +1,24 @@ +From 6daf5f3e1ec6eff03b7982889874a3de6617db8d Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Mon, 30 Nov 2020 22:37:07 +0100 +Subject: [PATCH] Encoder: avoid global buffer overflow on irreversible + conversion when too many decomposition levels are specified (fixes #1286) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27824 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/dwt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/lib/openjp2/dwt.c ++++ b/src/lib/openjp2/dwt.c +@@ -1293,7 +1293,7 @@ void opj_dwt_calc_explicit_stepsizes(opj + if (tccp->qntsty == J2K_CCP_QNTSTY_NOQNT) { + stepsize = 1.0; + } else { +- OPJ_FLOAT64 norm = opj_dwt_norms_real[orient][level]; ++ OPJ_FLOAT64 norm = opj_dwt_getnorm_real(level, orient); + stepsize = (1 << (gain)) / norm; + } + opj_dwt_encode_stepsize((OPJ_INT32) floor(stepsize * 8192.0), diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch new file mode 100644 index 0000000000..db6d12dc2c --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27841.patch @@ -0,0 +1,238 @@ +From 00383e162ae2f8fc951f5745bf1011771acb8dce Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Wed, 2 Dec 2020 14:02:17 +0100 +Subject: [PATCH] pi.c: avoid out of bounds access with POC (refs + https://github.com/uclouvain/openjpeg/issues/1293#issuecomment-737122836) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27841 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/pi.c | 49 +++++++++++++++++++++++++++++--------------- + src/lib/openjp2/pi.h | 10 +++++++-- + src/lib/openjp2/t2.c | 4 ++-- + 3 files changed, 42 insertions(+), 21 deletions(-) + +--- a/src/lib/openjp2/pi.c ++++ b/src/lib/openjp2/pi.c +@@ -192,10 +192,12 @@ static void opj_get_all_encoding_paramet + * @param p_image the image used to initialize the packet iterator (in fact only the number of components is relevant. + * @param p_cp the coding parameters. + * @param tileno the index of the tile from which creating the packet iterator. ++ * @param manager Event manager + */ + static opj_pi_iterator_t * opj_pi_create(const opj_image_t *p_image, + const opj_cp_t *p_cp, +- OPJ_UINT32 tileno); ++ OPJ_UINT32 tileno, ++ opj_event_mgr_t* manager); + /** + * FIXME DOC + */ +@@ -230,12 +232,6 @@ static OPJ_BOOL opj_pi_check_next_level( + ========================================================== + */ + +-static void opj_pi_emit_error(opj_pi_iterator_t * pi, const char* msg) +-{ +- (void)pi; +- (void)msg; +-} +- + static OPJ_BOOL opj_pi_next_lrcp(opj_pi_iterator_t * pi) + { + opj_pi_comp_t *comp = NULL; +@@ -272,7 +268,7 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_ + /* include should be resized when a POC arises, or */ + /* the POC should be rejected */ + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -318,7 +314,7 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -449,7 +445,7 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -473,6 +469,13 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_pcrl(): invalid compno0/compno1"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + goto LABEL_SKIP; +@@ -580,7 +583,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -604,6 +607,13 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_cprl(): invalid compno0/compno1"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + goto LABEL_SKIP; +@@ -708,7 +718,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + index = pi->layno * pi->step_l + pi->resno * pi->step_r + pi->compno * + pi->step_c + pi->precno * pi->step_p; + if (index >= pi->include_size) { +- opj_pi_emit_error(pi, "Invalid access to pi->include"); ++ opj_event_msg(pi->manager, EVT_ERROR, "Invalid access to pi->include"); + return OPJ_FALSE; + } + if (!pi->include[index]) { +@@ -981,7 +991,8 @@ static void opj_get_all_encoding_paramet + + static opj_pi_iterator_t * opj_pi_create(const opj_image_t *image, + const opj_cp_t *cp, +- OPJ_UINT32 tileno) ++ OPJ_UINT32 tileno, ++ opj_event_mgr_t* manager) + { + /* loop*/ + OPJ_UINT32 pino, compno; +@@ -1015,6 +1026,8 @@ static opj_pi_iterator_t * opj_pi_create + l_current_pi = l_pi; + for (pino = 0; pino < l_poc_bound ; ++pino) { + ++ l_current_pi->manager = manager; ++ + l_current_pi->comps = (opj_pi_comp_t*) opj_calloc(image->numcomps, + sizeof(opj_pi_comp_t)); + if (! l_current_pi->comps) { +@@ -1352,7 +1365,8 @@ static OPJ_BOOL opj_pi_check_next_level( + */ + opj_pi_iterator_t *opj_pi_create_decode(opj_image_t *p_image, + opj_cp_t *p_cp, +- OPJ_UINT32 p_tile_no) ++ OPJ_UINT32 p_tile_no, ++ opj_event_mgr_t* manager) + { + OPJ_UINT32 numcomps = p_image->numcomps; + +@@ -1407,7 +1421,7 @@ opj_pi_iterator_t *opj_pi_create_decode( + } + + /* memory allocation for pi */ +- l_pi = opj_pi_create(p_image, p_cp, p_tile_no); ++ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager); + if (!l_pi) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); +@@ -1552,7 +1566,8 @@ opj_pi_iterator_t *opj_pi_create_decode( + opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image, + opj_cp_t *p_cp, + OPJ_UINT32 p_tile_no, +- J2K_T2_MODE p_t2_mode) ++ J2K_T2_MODE p_t2_mode, ++ opj_event_mgr_t* manager) + { + OPJ_UINT32 numcomps = p_image->numcomps; + +@@ -1606,7 +1621,7 @@ opj_pi_iterator_t *opj_pi_initialise_enc + } + + /* memory allocation for pi*/ +- l_pi = opj_pi_create(p_image, p_cp, p_tile_no); ++ l_pi = opj_pi_create(p_image, p_cp, p_tile_no, manager); + if (!l_pi) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); +--- a/src/lib/openjp2/pi.h ++++ b/src/lib/openjp2/pi.h +@@ -107,6 +107,8 @@ typedef struct opj_pi_iterator { + OPJ_INT32 x, y; + /** FIXME DOC*/ + OPJ_UINT32 dx, dy; ++ /** event manager */ ++ opj_event_mgr_t* manager; + } opj_pi_iterator_t; + + /** @name Exported functions */ +@@ -119,13 +121,15 @@ typedef struct opj_pi_iterator { + * @param cp the coding parameters. + * @param tileno index of the tile being encoded. + * @param t2_mode the type of pass for generating the packet iterator ++ * @param manager Event manager + * + * @return a list of packet iterator that points to the first packet of the tile (not true). + */ + opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *image, + opj_cp_t *cp, + OPJ_UINT32 tileno, +- J2K_T2_MODE t2_mode); ++ J2K_T2_MODE t2_mode, ++ opj_event_mgr_t* manager); + + /** + * Updates the encoding parameters of the codec. +@@ -161,12 +165,14 @@ Create a packet iterator for Decoder + @param image Raw image for which the packets will be listed + @param cp Coding parameters + @param tileno Number that identifies the tile for which to list the packets ++@param manager Event manager + @return Returns a packet iterator that points to the first packet of the tile + @see opj_pi_destroy + */ + opj_pi_iterator_t *opj_pi_create_decode(opj_image_t * image, + opj_cp_t * cp, +- OPJ_UINT32 tileno); ++ OPJ_UINT32 tileno, ++ opj_event_mgr_t* manager); + /** + * Destroys a packet iterator array. + * +--- a/src/lib/openjp2/t2.c ++++ b/src/lib/openjp2/t2.c +@@ -244,7 +244,7 @@ OPJ_BOOL opj_t2_encode_packets(opj_t2_t* + l_image->numcomps : 1; + OPJ_UINT32 l_nb_pocs = l_tcp->numpocs + 1; + +- l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode); ++ l_pi = opj_pi_initialise_encode(l_image, l_cp, p_tile_no, p_t2_mode, p_manager); + if (!l_pi) { + return OPJ_FALSE; + } +@@ -405,7 +405,7 @@ OPJ_BOOL opj_t2_decode_packets(opj_tcd_t + #endif + + /* create a packet iterator */ +- l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no); ++ l_pi = opj_pi_create_decode(l_image, l_cp, p_tile_no, p_manager); + if (!l_pi) { + return OPJ_FALSE; + } diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch new file mode 100644 index 0000000000..6984aa8602 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27842.patch @@ -0,0 +1,31 @@ +From fbd30b064f8f9607d500437b6fedc41431fd6cdc Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 1 Dec 2020 19:51:35 +0100 +Subject: [PATCH] opj_t2_encode_packet(): avoid out of bound access of #1294, + but likely not the proper fix + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27842 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/t2.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/src/lib/openjp2/t2.c ++++ b/src/lib/openjp2/t2.c +@@ -711,6 +711,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ + continue; + } + ++ /* Avoid out of bounds access of https://github.com/uclouvain/openjpeg/issues/1294 */ ++ /* but likely not a proper fix. */ ++ if (precno >= res->pw * res->ph) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "opj_t2_encode_packet(): accessing precno=%u >= %u\n", ++ precno, res->pw * res->ph); ++ return OPJ_FALSE; ++ } ++ + prc = &band->precincts[precno]; + opj_tgt_reset(prc->incltree); + opj_tgt_reset(prc->imsbtree); diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch new file mode 100644 index 0000000000..53c86ea5e4 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27843.patch @@ -0,0 +1,31 @@ +From 38d661a3897052c7ff0b39b30c29cb067e130121 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Wed, 2 Dec 2020 13:13:26 +0100 +Subject: [PATCH] opj_t2_encode_packet(): avoid out of bound access of #1297, + but likely not the proper fix + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27843 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/t2.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/src/lib/openjp2/t2.c ++++ b/src/lib/openjp2/t2.c +@@ -787,6 +787,15 @@ static OPJ_BOOL opj_t2_encode_packet(OPJ + continue; + } + ++ /* Avoid out of bounds access of https://github.com/uclouvain/openjpeg/issues/1297 */ ++ /* but likely not a proper fix. */ ++ if (precno >= res->pw * res->ph) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "opj_t2_encode_packet(): accessing precno=%u >= %u\n", ++ precno, res->pw * res->ph); ++ return OPJ_FALSE; ++ } ++ + prc = &band->precincts[precno]; + l_nb_blocks = prc->cw * prc->ch; + cblk = prc->cblks.enc; diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch new file mode 100644 index 0000000000..a1aa49a217 --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2020-27845.patch @@ -0,0 +1,74 @@ +From 8f5aff1dff510a964d3901d0fba281abec98ab63 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Fri, 4 Dec 2020 20:45:25 +0100 +Subject: [PATCH] pi.c: avoid out of bounds access with POC (fixes #1302) + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/openjpeg2/2.3.1-1ubuntu4.20.04.1/openjpeg2_2.3.1-1ubuntu4.20.04.1.debian.tar.xz] +CVE: CVE-2020-27845 +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + src/lib/openjp2/pi.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +--- a/src/lib/openjp2/pi.c ++++ b/src/lib/openjp2/pi.c +@@ -238,6 +238,13 @@ static OPJ_BOOL opj_pi_next_lrcp(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_lrcp(): invalid compno0/compno1\n"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + res = &comp->resolutions[pi->resno]; +@@ -291,6 +298,13 @@ static OPJ_BOOL opj_pi_next_rlcp(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_rlcp(): invalid compno0/compno1\n"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + comp = &pi->comps[pi->compno]; + res = &comp->resolutions[pi->resno]; +@@ -337,6 +351,13 @@ static OPJ_BOOL opj_pi_next_rpcl(opj_pi_ + opj_pi_resolution_t *res = NULL; + OPJ_UINT32 index = 0; + ++ if (pi->poc.compno0 >= pi->numcomps || ++ pi->poc.compno1 >= pi->numcomps + 1) { ++ opj_event_msg(pi->manager, EVT_ERROR, ++ "opj_pi_next_rpcl(): invalid compno0/compno1\n"); ++ return OPJ_FALSE; ++ } ++ + if (!pi->first) { + goto LABEL_SKIP; + } else { +@@ -472,7 +493,7 @@ static OPJ_BOOL opj_pi_next_pcrl(opj_pi_ + if (pi->poc.compno0 >= pi->numcomps || + pi->poc.compno1 >= pi->numcomps + 1) { + opj_event_msg(pi->manager, EVT_ERROR, +- "opj_pi_next_pcrl(): invalid compno0/compno1"); ++ "opj_pi_next_pcrl(): invalid compno0/compno1\n"); + return OPJ_FALSE; + } + +@@ -610,7 +631,7 @@ static OPJ_BOOL opj_pi_next_cprl(opj_pi_ + if (pi->poc.compno0 >= pi->numcomps || + pi->poc.compno1 >= pi->numcomps + 1) { + opj_event_msg(pi->manager, EVT_ERROR, +- "opj_pi_next_cprl(): invalid compno0/compno1"); ++ "opj_pi_next_cprl(): invalid compno0/compno1\n"); + return OPJ_FALSE; + } + diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb index 42011efa97..9cf513f3f7 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb @@ -6,10 +6,23 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c648878b4840d7babaade1303e7f108c" DEPENDS = "libpng tiff lcms zlib" SRC_URI = " \ - git://github.com/uclouvain/openjpeg.git \ + git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \ file://0002-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \ + file://CVE-2019-12973-1.patch \ + file://CVE-2019-12973-2.patch \ file://CVE-2020-6851.patch \ file://CVE-2020-8112.patch \ + file://CVE-2020-15389.patch \ + file://CVE-2020-27814-1.patch \ + file://CVE-2020-27814-2.patch \ + file://CVE-2020-27814-3.patch \ + file://CVE-2020-27814-4.patch \ + file://CVE-2020-27823.patch \ + file://CVE-2020-27824.patch \ + file://CVE-2020-27841.patch \ + file://CVE-2020-27842.patch \ + file://CVE-2020-27843.patch \ + file://CVE-2020-27845.patch \ " SRCREV = "57096325457f96d8cd07bd3af04fe81d7a2ba788" S = "${WORKDIR}/git" @@ -20,3 +33,17 @@ inherit cmake EXTRA_OECMAKE += "-DOPENJPEG_INSTALL_LIB_DIR=${@d.getVar('baselib').replace('/', '')}" FILES_${PN} += "${libdir}/openjpeg*" + +# This flaw is introduced by +# https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5 +# but the contents of this patch is not present in openjpeg_2.3.1 +# Hence, it can be whitelisted. +# https://security-tracker.debian.org/tracker/CVE-2020-27844 + +CVE_CHECK_WHITELIST += "CVE-2020-27844" + +# The CVE description clearly states that j2k_read_ppm_v3 function in openjpeg +# is affected due to CVE-2015-1239 but in openjpeg_2.3.1 this function is not present. +# Hence, CVE-2015-1239 does not affect openjpeg_2.3.1 + +CVE_CHECK_WHITELIST += "CVE-2015-1239" diff --git a/meta-oe/recipes-graphics/qrencode/qrencode_git.bb b/meta-oe/recipes-graphics/qrencode/qrencode_git.bb index 108c339bf5..3ef4f59597 100644 --- a/meta-oe/recipes-graphics/qrencode/qrencode_git.bb +++ b/meta-oe/recipes-graphics/qrencode/qrencode_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2d5025d4aa3495befef8f17206a5b0a1" PV = "4.0.1+git${SRCPV}" SRCREV = "7c83deb8f562ae6013fea4c3e65278df93f98fb7" -SRC_URI = "git://github.com/fukuchi/libqrencode.git" +SRC_URI = "git://github.com/fukuchi/libqrencode.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb b/meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb index 6ea632d064..b20e06a454 100644 --- a/meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb +++ b/meta-oe/recipes-graphics/renderdoc/renderdoc_1.7.bb @@ -5,7 +5,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=df7ea9e196efc7014c124747a0ef9772" SRCREV = "a56af589d94dc851809fd5344d0ae441da70c1f2" -SRC_URI = "git://github.com/baldurk/${BPN}.git;protocol=http;branch=v1.x \ +SRC_URI = "git://github.com/baldurk/${BPN}.git;protocol=http;branch=v1.x;protocol=https \ file://0001-renderdoc-use-xxd-instead-of-cross-compiling-shim-bi.patch \ file://0001-Remove-glslang-pool_allocator-setAllocator.patch \ " diff --git a/meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb b/meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb index b787972da6..bf0a5947b0 100644 --- a/meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb +++ b/meta-oe/recipes-graphics/spir/spirv-shader-generator_git.bb @@ -6,7 +6,7 @@ SECTION = "graphics" S = "${WORKDIR}/git" SRCREV = "ed16b3e69985feaf565efbecea70a1cc2fca2a58" -SRC_URI = "git://github.com/KhronosGroup/SPIRV-Cross.git \ +SRC_URI = "git://github.com/KhronosGroup/SPIRV-Cross.git;branch=master;protocol=https \ file://0001-Add-install-PHONY-target-in-Makefile.patch \ " diff --git a/meta-oe/recipes-graphics/spir/spirv-tools_git.bb b/meta-oe/recipes-graphics/spir/spirv-tools_git.bb index 8e8388e8d4..362a250725 100644 --- a/meta-oe/recipes-graphics/spir/spirv-tools_git.bb +++ b/meta-oe/recipes-graphics/spir/spirv-tools_git.bb @@ -8,11 +8,11 @@ SECTION = "graphics" S = "${WORKDIR}/git" DEST_DIR = "${S}/external" -SRC_URI = "git://github.com/KhronosGroup/SPIRV-Tools.git;name=spirv-tools \ - git://github.com/KhronosGroup/SPIRV-Headers.git;name=spirv-headers;destsuffix=${DEST_DIR}/spirv-headers \ - git://github.com/google/effcee.git;name=effcee;destsuffix=${DEST_DIR}/effcee \ - git://github.com/google/re2.git;name=re2;destsuffix=${DEST_DIR}/re2 \ - git://github.com/google/googletest.git;name=googletest;destsuffix=${DEST_DIR}/googletest \ +SRC_URI = "git://github.com/KhronosGroup/SPIRV-Tools.git;name=spirv-tools;branch=main;protocol=https \ + git://github.com/KhronosGroup/SPIRV-Headers.git;name=spirv-headers;destsuffix=${DEST_DIR}/spirv-headers;branch=main;protocol=https \ + git://github.com/google/effcee.git;name=effcee;destsuffix=${DEST_DIR}/effcee;branch=main;protocol=https \ + git://github.com/google/re2.git;name=re2;destsuffix=${DEST_DIR}/re2;branch=main;protocol=https \ + git://github.com/google/googletest.git;name=googletest;destsuffix=${DEST_DIR}/googletest;branch=main;protocol=https \ file://0001-Respect-CMAKE_INSTALL_LIBDIR-in-installed-CMake-file.patch \ file://0001-Avoid-pessimizing-std-move-3124.patch \ " @@ -21,6 +21,7 @@ SRCREV_spirv-headers = "af64a9e826bf5bb5fcd2434dd71be1e41e922563" SRCREV_effcee = "cd25ec17e9382f99a895b9ef53ff3c277464d07d" SRCREV_re2 = "5bd613749fd530b576b890283bfb6bc6ea6246cb" SRCREV_googletest = "f2fb48c3b3d79a75a88a99fba6576b25d42ec528" +SRCREV_FORMAT = "spirv-ttols_spirv-headers_effcee_re2_googletest" inherit cmake python3native diff --git a/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb b/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb index 75c2bc00e2..9fe61ae9c1 100644 --- a/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb +++ b/meta-oe/recipes-graphics/tesseract/tesseract-lang_4.0.0.bb @@ -4,7 +4,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://COPYING;md5=9648bd7af63bd3cc4f5ac046d12c49e4" SRCREV = "590567f20dc044f6948a8e2c61afc714c360ad0e" -SRC_URI = "git://github.com/tesseract-ocr/tessdata.git" +SRC_URI = "git://github.com/tesseract-ocr/tessdata.git;branch=main;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/tesseract/tesseract_git.bb b/meta-oe/recipes-graphics/tesseract/tesseract_git.bb index 89d09a0f55..70c98372b3 100644 --- a/meta-oe/recipes-graphics/tesseract/tesseract_git.bb +++ b/meta-oe/recipes-graphics/tesseract/tesseract_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7ea4f9a43aba9d3c849fe5c203a0ed40" BRANCH = "3.05" PV = "${BRANCH}.01+git${SRCPV}" SRCREV = "215866151e774972c9502282111b998d7a053562" -SRC_URI = "git://github.com/${BPN}-ocr/${BPN}.git;branch=${BRANCH}" +SRC_URI = "git://github.com/${BPN}-ocr/${BPN}.git;branch=${BRANCH};protocol=https" S = "${WORKDIR}/git" DEPENDS = "leptonica" diff --git a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb index f97c2b2d6c..de2d059061 100644 --- a/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb +++ b/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://www.tigervnc.com/" LICENSE = "GPLv2+" SECTION = "x11/utils" DEPENDS = "xserver-xorg gnutls jpeg libxtst gettext-native fltk" -RDEPENDS_${PN} = "coreutils hicolor-icon-theme perl" +RDEPENDS_${PN} = "coreutils hicolor-icon-theme perl xkbcomp" LIC_FILES_CHKSUM = "file://LICENCE.TXT;md5=75b02c2872421380bbd47781d2bd75d3" @@ -17,7 +17,7 @@ B = "${S}" SRCREV = "4739493b635372bd40a34640a719f79fa90e4dba" -SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.10-branch \ +SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.10-branch;protocol=https \ file://0002-do-not-build-tests-sub-directory.patch \ file://0003-add-missing-dynamic-library-to-FLTK_LIBRARIES.patch \ file://0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \ diff --git a/meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb b/meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb index 8dba7ee6fa..16ac65b1be 100644 --- a/meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb +++ b/meta-oe/recipes-graphics/ttf-fonts/ttf-droid_git.bb @@ -8,7 +8,7 @@ SRCREV = "21e6e2de1f0062f949fcc52d0b4559dfa3246e0e" PV = "0.1+gitr${SRCPV}" PR = "r3" -SRC_URI = "git://github.com/android/platform_frameworks_base.git;branch=master" +SRC_URI = "git://github.com/android/platform_frameworks_base.git;branch=master;protocol=https" S = "${WORKDIR}/git/data/fonts" diff --git a/meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb b/meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb index 0af0e91d68..7dde4cc661 100644 --- a/meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb +++ b/meta-oe/recipes-graphics/ttf-fonts/ttf-lohit_2.bb @@ -8,7 +8,7 @@ LICENSE = "OFL-1.1" LIC_FILES_CHKSUM = "file://OFL.txt;md5=7dfa0a236dc535ad2d2548e6170c4402" SRCREV = "d678f1b1807ea5602586279e90b5db6d62ed475e" -SRC_URI = "git://github.com/pravins/lohit.git;branch=master" +SRC_URI = "git://github.com/pravins/lohit.git;branch=master;protocol=https" DEPENDS = "fontforge-native" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb b/meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb index e74f7a7f67..1a2f6cb4d2 100644 --- a/meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb +++ b/meta-oe/recipes-graphics/ttf-fonts/ttf-noto-emoji_20190815.bb @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/googlefonts/noto-emoji" LICENSE = "OFL-1.1" LIC_FILES_CHKSUM = "file://fonts/LICENSE;md5=55719faa0112708e946b820b24b14097" -SRC_URI = "git://github.com/googlefonts/noto-emoji;protocol=https" +SRC_URI = "git://github.com/googlefonts/noto-emoji;protocol=https;branch=master" SRCREV = "833a43d03246a9325e748a2d783006454d76ff66" PACKAGES = "${PN}-color ${PN}-regular" diff --git a/meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb b/meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb index 7e22038f24..427882d32b 100644 --- a/meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb +++ b/meta-oe/recipes-graphics/unclutter-xfixes/unclutter-xfixes_1.5.bb @@ -5,7 +5,7 @@ AUTHOR = "Ingo Bürk" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=b25d2c4cca175f44120d1b8e67cb358d" -SRC_URI = "git://github.com/Airblader/unclutter-xfixes.git \ +SRC_URI = "git://github.com/Airblader/unclutter-xfixes.git;branch=master;protocol=https \ file://0001-build-use-autotools.patch" SRCREV = "10fd337bb77e4e93c3380f630a0555372778a948" diff --git a/meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb b/meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb index 240949f55c..dd8f41aa5d 100644 --- a/meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb +++ b/meta-oe/recipes-graphics/vdpau/libvdpau_1.3.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=83af8811a28727a13f04132cc33b7f58" DEPENDS = "virtual/libx11 libxext xorgproto" SRCREV = "f57a9904c43ef5d726320c77baa91d0c38361ed4" -SRC_URI = "git://anongit.freedesktop.org/vdpau/libvdpau" +SRC_URI = "git://anongit.freedesktop.org/vdpau/libvdpau;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb b/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb index e3a1914fef..fe725879d0 100644 --- a/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb +++ b/meta-oe/recipes-graphics/x11vnc/x11vnc_0.9.16.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://src/x11vnc.h;endline=31;md5=e871a2ad004776794b616822dcab6314" SRCREV = "4ca006fed80410bd9b061a1519bd5d9366bb0bc8" -SRC_URI = "git://github.com/LibVNC/x11vnc \ +SRC_URI = "git://github.com/LibVNC/x11vnc;branch=master;protocol=https \ file://starting-fix.patch \ file://0001-misc-Makefile.am-don-t-install-Xdummy-when-configure.patch \ file://0001-Fix-build-on-32bit-arches-with-64bit-time_t.patch \ diff --git a/meta-oe/recipes-graphics/xorg-app/xgamma_1.0.6.bb b/meta-oe/recipes-graphics/xorg-app/xgamma_1.0.6.bb index 4949616ddc..df5979a094 100644 --- a/meta-oe/recipes-graphics/xorg-app/xgamma_1.0.6.bb +++ b/meta-oe/recipes-graphics/xorg-app/xgamma_1.0.6.bb @@ -9,7 +9,5 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ac9801b8423fd7a7699ccbd45cf134d8" DEPENDS += "libxxf86vm" -BBCLASSEXTEND = "native" - SRC_URI[md5sum] = "90b4305157c2b966d5180e2ee61262be" SRC_URI[sha256sum] = "0ef1c35b5c18b1b22317f455c8df13c0a471a8efad63c89c98ae3ce8c2b222d3" diff --git a/meta-oe/recipes-graphics/xorg-app/xkbutils_1.0.4.bb b/meta-oe/recipes-graphics/xorg-app/xkbutils_1.0.4.bb index 6a05e98e32..d394b33de2 100644 --- a/meta-oe/recipes-graphics/xorg-app/xkbutils_1.0.4.bb +++ b/meta-oe/recipes-graphics/xorg-app/xkbutils_1.0.4.bb @@ -13,7 +13,5 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=64322fab5239f5c8d97cf6e0e14f1c62" DEPENDS += "libxaw libxkbfile" -BBCLASSEXTEND = "native" - SRC_URI[md5sum] = "502b14843f610af977dffc6cbf2102d5" SRC_URI[sha256sum] = "d2a18ab90275e8bca028773c44264d2266dab70853db4321bdbc18da75148130" diff --git a/meta-oe/recipes-graphics/xorg-app/xsetroot_1.1.2.bb b/meta-oe/recipes-graphics/xorg-app/xsetroot_1.1.2.bb index 30a1e089e3..a9a8acf05c 100644 --- a/meta-oe/recipes-graphics/xorg-app/xsetroot_1.1.2.bb +++ b/meta-oe/recipes-graphics/xorg-app/xsetroot_1.1.2.bb @@ -8,7 +8,6 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=6ea29dbee22324787c061f039e0529de" DEPENDS += "xbitmaps libxcursor" -BBCLASSEXTEND = "native" SRC_URI[md5sum] = "5fe769c8777a6e873ed1305e4ce2c353" SRC_URI[sha256sum] = "10c442ba23591fb5470cea477a0aa5f679371f4f879c8387a1d9d05637ae417c" diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch new file mode 100644 index 0000000000..937b2176aa --- /dev/null +++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch @@ -0,0 +1,68 @@ +Description: Fix for CVE-2021-27135 from xterm 366 + Correct upper-limit for selection buffer, accounting for + combining characters (report by Tavis Ormandy). + +Upstream-Status: Backport +https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff +CVE: CVE-2021-27135 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + button.c | 29 +++++++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +Index: xterm-353/button.c +=================================================================== +--- xterm-353.orig/button.c ++++ xterm-353/button.c +@@ -3928,6 +3928,7 @@ SaltTextAway(XtermWidget xw, + int i; + int eol; + int need = 0; ++ size_t have = 0; + Char *line; + Char *lp; + CELL first = *cellc; +@@ -3962,7 +3963,11 @@ SaltTextAway(XtermWidget xw, + + /* UTF-8 may require more space */ + if_OPT_WIDE_CHARS(screen, { +- need *= 4; ++ if (need > 0) { ++ if (screen->max_combining > 0) ++ need += screen->max_combining; ++ need *= 6; ++ } + }); + + /* now get some memory to save it in */ +@@ -4000,10 +4005,26 @@ SaltTextAway(XtermWidget xw, + } + *lp = '\0'; /* make sure we have end marked */ + +- TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line), +- visibleChars(line, (unsigned) (lp - line)))); ++ have = (size_t) (lp - line); ++ /* ++ * Scanning the buffer twice is unnecessary. Discard unwanted memory if ++ * the estimate is too-far off. ++ */ ++ if ((have * 2) < (size_t) need) { ++ Char *next; ++ scp->data_limit = have + 1; ++ next = realloc(line, scp->data_limit); ++ if (next == NULL) { ++ free(line); ++ scp->data_length = 0; ++ scp->data_limit = 0; ++ } ++ scp->data_buffer = next; ++ } ++ scp->data_length = have; + +- scp->data_length = (size_t) (lp - line); ++ TRACE(("Salted TEXT:%u:%s\n", (unsigned) have, ++ visibleChars(scp->data_buffer, (unsigned) have))); + } + + #if OPT_PASTE64 diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch new file mode 100644 index 0000000000..b7a5f297a5 --- /dev/null +++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch @@ -0,0 +1,84 @@ +From 85666286473f2fbb2d4731d4e175f00d7a76e21f Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Tue, 21 Jun 2022 10:53:01 +0530 +Subject: [PATCH] CVE-2022-24130 + +Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d] +CVE: CVE-2022-24130 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f + Check for out-of-bounds condition while drawing sixels, and quit that + operation (report by Nick Black, CVE-2022-24130). +Bug-Debian: https://bugs.debian.org/1004689 + +--- + graphics_sixel.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/graphics_sixel.c b/graphics_sixel.c +index 00ba3ef..6a82295 100644 +--- a/graphics_sixel.c ++++ b/graphics_sixel.c +@@ -141,7 +141,7 @@ init_sixel_background(Graphic *graphic, SixelContext const *context) + graphic->color_registers_used[context->background] = 1; + } + +-static void ++static Boolean + set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + { + const int mh = graphic->max_height; +@@ -162,7 +162,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + ((color != COLOR_HOLE) + ? (unsigned) graphic->color_registers[color].b : 0U))); + for (pix = 0; pix < 6; pix++) { +- if (context->col < mw && context->row + pix < mh) { ++ if (context->col >= 0 && ++ context->col < mw && ++ context->row + pix >= 0 && ++ context->row + pix < mh) { + if (sixel & (1 << pix)) { + if (context->col + 1 > graphic->actual_width) { + graphic->actual_width = context->col + 1; +@@ -175,8 +178,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel) + } + } else { + TRACE(("sixel pixel %d out of bounds\n", pix)); ++ return False; + } + } ++ return True; + } + + static void +@@ -451,7 +456,10 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string) + init_sixel_background(graphic, &context); + graphic->valid = 1; + } +- set_sixel(graphic, &context, sixel); ++ if (!set_sixel(graphic, &context, sixel)) { ++ context.col = 0; ++ break; ++ } + context.col++; + } else if (ch == '$') { /* DECGCR */ + /* ignore DECCRNLM in sixel mode */ +@@ -529,8 +537,12 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string) + graphic->valid = 1; + } + for (i = 0; i < Pcount; i++) { +- set_sixel(graphic, &context, sixel); +- context.col++; ++ if (set_sixel(graphic, &context, sixel)) { ++ context.col++; ++ } else { ++ context.col = 0; ++ break; ++ } + } + } else if (ch == '#') { /* DECGCI */ + ANSI color_params; +-- +2.25.1 + diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch new file mode 100644 index 0000000000..e63169a209 --- /dev/null +++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-45063.patch @@ -0,0 +1,776 @@ +From 787636674918873a091e7a4ef5977263ba982322 Mon Sep 17 00:00:00 2001 +From: "Thomas E. Dickey" <dickey@invisible-island.net> +Date: Sun, 23 Oct 2022 22:59:52 +0000 +Subject: [PATCH] snapshot of project "xterm", label xterm-374c + +Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/787636674918873a091e7a4ef5977263ba982322] +CVE: CVE-2022-45063 + +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + button.c | 16 +-- + charproc.c | 9 +- + doublechr.c | 4 +- + fontutils.c | 266 ++++++++++++++++++++++++++----------------------- + fontutils.h | 4 +- + misc.c | 7 +- + screen.c | 2 +- + xterm.h | 2 +- + xterm.log.html | 6 ++ + 9 files changed, 164 insertions(+), 152 deletions(-) + +diff --git a/button.c b/button.c +index 66a6181..e05ca50 100644 +--- a/button.c ++++ b/button.c +@@ -1619,14 +1619,9 @@ static void + UnmapSelections(XtermWidget xw) + { + TScreen *screen = TScreenOf(xw); +- Cardinal n; + +- if (screen->mappedSelect) { +- for (n = 0; screen->mappedSelect[n] != 0; ++n) +- free((void *) screen->mappedSelect[n]); +- free(screen->mappedSelect); +- screen->mappedSelect = 0; +- } ++ free(screen->mappedSelect); ++ screen->mappedSelect = 0; + } + + /* +@@ -1662,14 +1657,11 @@ MapSelections(XtermWidget xw, String *params, Cardinal num_params) + if ((result = TypeMallocN(String, num_params + 1)) != 0) { + result[num_params] = 0; + for (j = 0; j < num_params; ++j) { +- result[j] = x_strdup((isSELECT(params[j]) ++ result[j] = (String) (isSELECT(params[j]) + ? mapTo +- : params[j])); ++ : params[j]); + if (result[j] == 0) { + UnmapSelections(xw); +- while (j != 0) { +- free((void *) result[--j]); +- } + free(result); + result = 0; + break; +diff --git a/charproc.c b/charproc.c +index 55f0108..b07de4c 100644 +--- a/charproc.c ++++ b/charproc.c +@@ -12548,7 +12548,6 @@ DoSetSelectedFont(Widget w, + Bell(xw, XkbBI_MinorError, 0); + } else { + Boolean failed = False; +- int oldFont = TScreenOf(xw)->menu_font_number; + char *save = TScreenOf(xw)->SelectFontName(); + char *val; + char *test; +@@ -12593,10 +12592,6 @@ DoSetSelectedFont(Widget w, + failed = True; + } + if (failed) { +- (void) xtermLoadFont(xw, +- xtermFontName(TScreenOf(xw)->MenuFontName(oldFont)), +- True, +- oldFont); + Bell(xw, XkbBI_MinorError, 0); + } + free(used); +@@ -12605,7 +12600,7 @@ DoSetSelectedFont(Widget w, + } + } + +-void ++Bool + FindFontSelection(XtermWidget xw, const char *atom_name, Bool justprobe) + { + TScreen *screen = TScreenOf(xw); +@@ -12645,7 +12640,7 @@ FindFontSelection(XtermWidget xw, const char *atom_name, Bool justprobe) + DoSetSelectedFont, NULL, + XtLastTimestampProcessed(XtDisplay(xw))); + } +- return; ++ return (screen->SelectFontName() != NULL) ? True : False; + } + + Bool +diff --git a/doublechr.c b/doublechr.c +index a60f5bd..f7b6bae 100644 +--- a/doublechr.c ++++ b/doublechr.c +@@ -294,7 +294,7 @@ xterm_DoubleGC(XTermDraw * params, GC old_gc, int *inxp) + temp.flags = (params->attr_flags & BOLD); + temp.warn = fwResource; + +- if (!xtermOpenFont(params->xw, name, &temp, False)) { ++ if (!xtermOpenFont(params->xw, name, &temp, NULL, False)) { + XTermDraw local = *params; + char *nname; + +@@ -303,7 +303,7 @@ xterm_DoubleGC(XTermDraw * params, GC old_gc, int *inxp) + nname = xtermSpecialFont(&local); + if (nname != 0) { + found = (Boolean) xtermOpenFont(params->xw, nname, &temp, +- False); ++ NULL, False); + free(nname); + } + } else { +diff --git a/fontutils.c b/fontutils.c +index 4b0ef85..d9bfaf8 100644 +--- a/fontutils.c ++++ b/fontutils.c +@@ -92,9 +92,9 @@ + } + + #define FREE_FNAME(field) \ +- if (fonts == 0 || myfonts.field != fonts->field) { \ +- FREE_STRING(myfonts.field); \ +- myfonts.field = 0; \ ++ if (fonts == 0 || new_fnames.field != fonts->field) { \ ++ FREE_STRING(new_fnames.field); \ ++ new_fnames.field = 0; \ + } + + /* +@@ -573,7 +573,7 @@ open_italic_font(XtermWidget xw, int n, FontNameProperties *fp, XTermFonts * dat + if ((name = italic_font_name(fp, slant[pass])) != 0) { + TRACE(("open_italic_font %s %s\n", + whichFontEnum((VTFontEnum) n), name)); +- if (xtermOpenFont(xw, name, data, False)) { ++ if (xtermOpenFont(xw, name, data, NULL, False)) { + result = (data->fs != 0); + #if OPT_REPORT_FONTS + if (resource.reportFonts) { +@@ -1006,13 +1006,14 @@ cannotFont(XtermWidget xw, const char *who, const char *tag, const char *name) + } + + /* +- * Open the given font and verify that it is non-empty. Return a null on ++ * Open the given font and verify that it is non-empty. Return false on + * failure. + */ + Bool + xtermOpenFont(XtermWidget xw, + const char *name, + XTermFonts * result, ++ XTermFonts * current, + Bool force) + { + Bool code = False; +@@ -1020,7 +1021,12 @@ xtermOpenFont(XtermWidget xw, + + TRACE(("xtermOpenFont %d:%d '%s'\n", + result->warn, xw->misc.fontWarnings, NonNull(name))); ++ + if (!IsEmpty(name)) { ++ Bool existing = (current != NULL ++ && current->fs != NULL ++ && current->fn != NULL); ++ + if ((result->fs = XLoadQueryFont(screen->display, name)) != 0) { + code = True; + if (EmptyFont(result->fs)) { +@@ -1039,9 +1045,13 @@ xtermOpenFont(XtermWidget xw, + } else { + TRACE(("xtermOpenFont: cannot load font '%s'\n", name)); + } +- if (force) { ++ if (existing) { ++ TRACE(("...continue using font '%s'\n", current->fn)); ++ result->fn = x_strdup(current->fn); ++ result->fs = current->fs; ++ } else if (force) { + NoFontWarning(result); +- code = xtermOpenFont(xw, DEFFONT, result, True); ++ code = xtermOpenFont(xw, DEFFONT, result, NULL, True); + } + } + } +@@ -1289,6 +1299,7 @@ static Bool + loadNormFP(XtermWidget xw, + char **nameOutP, + XTermFonts * infoOut, ++ XTermFonts * current, + int fontnum) + { + Bool status = True; +@@ -1298,7 +1309,7 @@ loadNormFP(XtermWidget xw, + if (!xtermOpenFont(xw, + *nameOutP, + infoOut, +- (fontnum == fontMenu_default))) { ++ current, (fontnum == fontMenu_default))) { + /* + * If we are opening the default font, and it happens to be missing, + * force that to the compiled-in default font, e.g., "fixed". If we +@@ -1333,10 +1344,10 @@ loadBoldFP(XtermWidget xw, + if (fp != 0) { + NoFontWarning(infoOut); + *nameOutP = bold_font_name(fp, fp->average_width); +- if (!xtermOpenFont(xw, *nameOutP, infoOut, False)) { ++ if (!xtermOpenFont(xw, *nameOutP, infoOut, NULL, False)) { + free(*nameOutP); + *nameOutP = bold_font_name(fp, -1); +- xtermOpenFont(xw, *nameOutP, infoOut, False); ++ xtermOpenFont(xw, *nameOutP, infoOut, NULL, False); + } + TRACE(("...derived bold '%s'\n", NonNull(*nameOutP))); + } +@@ -1354,7 +1365,7 @@ loadBoldFP(XtermWidget xw, + TRACE(("...did not get a matching bold font\n")); + } + free(normal); +- } else if (!xtermOpenFont(xw, *nameOutP, infoOut, False)) { ++ } else if (!xtermOpenFont(xw, *nameOutP, infoOut, NULL, False)) { + xtermCopyFontInfo(infoOut, infoRef); + TRACE(("...cannot load bold font '%s'\n", NonNull(*nameOutP))); + } else { +@@ -1408,7 +1419,7 @@ loadWideFP(XtermWidget xw, + } + + if (check_fontname(*nameOutP)) { +- if (xtermOpenFont(xw, *nameOutP, infoOut, False) ++ if (xtermOpenFont(xw, *nameOutP, infoOut, NULL, False) + && is_derived_font_name(*nameOutP) + && EmptyFont(infoOut->fs)) { + xtermCloseFont2(xw, infoOut - fWide, fWide); +@@ -1452,7 +1463,7 @@ loadWBoldFP(XtermWidget xw, + + if (check_fontname(*nameOutP)) { + +- if (xtermOpenFont(xw, *nameOutP, infoOut, False) ++ if (xtermOpenFont(xw, *nameOutP, infoOut, NULL, False) + && is_derived_font_name(*nameOutP) + && !compatibleWideCounts(wideInfoRef->fs, infoOut->fs)) { + xtermCloseFont2(xw, infoOut - fWBold, fWBold); +@@ -1505,6 +1516,10 @@ loadWBoldFP(XtermWidget xw, + } + #endif + ++/* ++ * Load a given bitmap font, along with the bold/wide variants. ++ * Returns nonzero on success. ++ */ + int + xtermLoadFont(XtermWidget xw, + const VTFontNames * fonts, +@@ -1514,33 +1529,37 @@ xtermLoadFont(XtermWidget xw, + TScreen *screen = TScreenOf(xw); + VTwin *win = WhichVWin(screen); + +- VTFontNames myfonts; +- XTermFonts fnts[fMAX]; ++ VTFontNames new_fnames; ++ XTermFonts new_fonts[fMAX]; ++ XTermFonts old_fonts[fMAX]; + char *tmpname = NULL; + Boolean proportional = False; ++ Boolean recovered; ++ int code = 0; + +- memset(&myfonts, 0, sizeof(myfonts)); +- memset(fnts, 0, sizeof(fnts)); ++ memset(&new_fnames, 0, sizeof(new_fnames)); ++ memset(new_fonts, 0, sizeof(new_fonts)); ++ memcpy(&old_fonts, screen->fnts, sizeof(old_fonts)); + + if (fonts != 0) +- myfonts = *fonts; +- if (!check_fontname(myfonts.f_n)) +- return 0; ++ new_fnames = *fonts; ++ if (!check_fontname(new_fnames.f_n)) ++ return code; + + if (fontnum == fontMenu_fontescape +- && myfonts.f_n != screen->MenuFontName(fontnum)) { +- if ((tmpname = x_strdup(myfonts.f_n)) == 0) +- return 0; ++ && new_fnames.f_n != screen->MenuFontName(fontnum)) { ++ if ((tmpname = x_strdup(new_fnames.f_n)) == 0) ++ return code; + } + +- TRACE(("Begin Cgs - xtermLoadFont(%s)\n", myfonts.f_n)); ++ TRACE(("Begin Cgs - xtermLoadFont(%s)\n", new_fnames.f_n)); + releaseWindowGCs(xw, win); + + #define DbgResource(name, field, index) \ + TRACE(("xtermLoadFont #%d "name" %s%s\n", \ + fontnum, \ +- (fnts[index].warn == fwResource) ? "*" : " ", \ +- NonNull(myfonts.field))) ++ (new_fonts[index].warn == fwResource) ? "*" : " ", \ ++ NonNull(new_fnames.field))) + DbgResource("normal", f_n, fNorm); + DbgResource("bold ", f_b, fBold); + #if OPT_WIDE_CHARS +@@ -1549,16 +1568,17 @@ xtermLoadFont(XtermWidget xw, + #endif + + if (!loadNormFP(xw, +- &myfonts.f_n, +- &fnts[fNorm], ++ &new_fnames.f_n, ++ &new_fonts[fNorm], ++ &old_fonts[fNorm], + fontnum)) + goto bad; + + if (!loadBoldFP(xw, +- &myfonts.f_b, +- &fnts[fBold], +- myfonts.f_n, +- &fnts[fNorm], ++ &new_fnames.f_b, ++ &new_fonts[fBold], ++ new_fnames.f_n, ++ &new_fonts[fNorm], + fontnum)) + goto bad; + +@@ -1570,20 +1590,20 @@ xtermLoadFont(XtermWidget xw, + if_OPT_WIDE_CHARS(screen, { + + if (!loadWideFP(xw, +- &myfonts.f_w, +- &fnts[fWide], +- myfonts.f_n, +- &fnts[fNorm], ++ &new_fnames.f_w, ++ &new_fonts[fWide], ++ new_fnames.f_n, ++ &new_fonts[fNorm], + fontnum)) + goto bad; + + if (!loadWBoldFP(xw, +- &myfonts.f_wb, +- &fnts[fWBold], +- myfonts.f_w, +- &fnts[fWide], +- myfonts.f_b, +- &fnts[fBold], ++ &new_fnames.f_wb, ++ &new_fonts[fWBold], ++ new_fnames.f_w, ++ &new_fonts[fWide], ++ new_fnames.f_b, ++ &new_fonts[fBold], + fontnum)) + goto bad; + +@@ -1593,30 +1613,30 @@ xtermLoadFont(XtermWidget xw, + * Normal/bold fonts should be the same width. Also, the min/max + * values should be the same. + */ +- if (fnts[fNorm].fs != 0 +- && fnts[fBold].fs != 0 +- && (!is_fixed_font(fnts[fNorm].fs) +- || !is_fixed_font(fnts[fBold].fs) +- || differing_widths(fnts[fNorm].fs, fnts[fBold].fs))) { ++ if (new_fonts[fNorm].fs != 0 ++ && new_fonts[fBold].fs != 0 ++ && (!is_fixed_font(new_fonts[fNorm].fs) ++ || !is_fixed_font(new_fonts[fBold].fs) ++ || differing_widths(new_fonts[fNorm].fs, new_fonts[fBold].fs))) { + TRACE(("Proportional font! normal %d/%d, bold %d/%d\n", +- fnts[fNorm].fs->min_bounds.width, +- fnts[fNorm].fs->max_bounds.width, +- fnts[fBold].fs->min_bounds.width, +- fnts[fBold].fs->max_bounds.width)); ++ new_fonts[fNorm].fs->min_bounds.width, ++ new_fonts[fNorm].fs->max_bounds.width, ++ new_fonts[fBold].fs->min_bounds.width, ++ new_fonts[fBold].fs->max_bounds.width)); + proportional = True; + } + + if_OPT_WIDE_CHARS(screen, { +- if (fnts[fWide].fs != 0 +- && fnts[fWBold].fs != 0 +- && (!is_fixed_font(fnts[fWide].fs) +- || !is_fixed_font(fnts[fWBold].fs) +- || differing_widths(fnts[fWide].fs, fnts[fWBold].fs))) { ++ if (new_fonts[fWide].fs != 0 ++ && new_fonts[fWBold].fs != 0 ++ && (!is_fixed_font(new_fonts[fWide].fs) ++ || !is_fixed_font(new_fonts[fWBold].fs) ++ || differing_widths(new_fonts[fWide].fs, new_fonts[fWBold].fs))) { + TRACE(("Proportional font! wide %d/%d, wide bold %d/%d\n", +- fnts[fWide].fs->min_bounds.width, +- fnts[fWide].fs->max_bounds.width, +- fnts[fWBold].fs->min_bounds.width, +- fnts[fWBold].fs->max_bounds.width)); ++ new_fonts[fWide].fs->min_bounds.width, ++ new_fonts[fWide].fs->max_bounds.width, ++ new_fonts[fWBold].fs->min_bounds.width, ++ new_fonts[fWBold].fs->max_bounds.width)); + proportional = True; + } + }); +@@ -1635,13 +1655,13 @@ xtermLoadFont(XtermWidget xw, + screen->ifnts_ok = False; + #endif + +- xtermCopyFontInfo(GetNormalFont(screen, fNorm), &fnts[fNorm]); +- xtermCopyFontInfo(GetNormalFont(screen, fBold), &fnts[fBold]); ++ xtermCopyFontInfo(GetNormalFont(screen, fNorm), &new_fonts[fNorm]); ++ xtermCopyFontInfo(GetNormalFont(screen, fBold), &new_fonts[fBold]); + #if OPT_WIDE_CHARS +- xtermCopyFontInfo(GetNormalFont(screen, fWide), &fnts[fWide]); +- if (fnts[fWBold].fs == NULL) +- xtermCopyFontInfo(GetNormalFont(screen, fWide), &fnts[fWide]); +- xtermCopyFontInfo(GetNormalFont(screen, fWBold), &fnts[fWBold]); ++ xtermCopyFontInfo(GetNormalFont(screen, fWide), &new_fonts[fWide]); ++ if (new_fonts[fWBold].fs == NULL) ++ xtermCopyFontInfo(GetNormalFont(screen, fWide), &new_fonts[fWide]); ++ xtermCopyFontInfo(GetNormalFont(screen, fWBold), &new_fonts[fWBold]); + #endif + + xtermUpdateFontGCs(xw, getNormalFont); +@@ -1672,7 +1692,7 @@ xtermLoadFont(XtermWidget xw, + unsigned ch; + + #if OPT_TRACE +-#define TRACE_MISS(index) show_font_misses(#index, &fnts[index]) ++#define TRACE_MISS(index) show_font_misses(#index, &new_fonts[index]) + TRACE_MISS(fNorm); + TRACE_MISS(fBold); + #if OPT_WIDE_CHARS +@@ -1689,8 +1709,8 @@ xtermLoadFont(XtermWidget xw, + if ((n != UCS_REPL) + && (n != ch) + && (screen->fnt_boxes & 2)) { +- if (xtermMissingChar(n, &fnts[fNorm]) || +- xtermMissingChar(n, &fnts[fBold])) { ++ if (xtermMissingChar(n, &new_fonts[fNorm]) || ++ xtermMissingChar(n, &new_fonts[fBold])) { + UIntClr(screen->fnt_boxes, 2); + TRACE(("missing graphics character #%d, U+%04X\n", + ch, n)); +@@ -1702,12 +1722,12 @@ xtermLoadFont(XtermWidget xw, + #endif + + for (ch = 1; ch < 32; ch++) { +- if (xtermMissingChar(ch, &fnts[fNorm])) { ++ if (xtermMissingChar(ch, &new_fonts[fNorm])) { + TRACE(("missing normal char #%d\n", ch)); + UIntClr(screen->fnt_boxes, 1); + break; + } +- if (xtermMissingChar(ch, &fnts[fBold])) { ++ if (xtermMissingChar(ch, &new_fonts[fBold])) { + TRACE(("missing bold char #%d\n", ch)); + UIntClr(screen->fnt_boxes, 1); + break; +@@ -1724,8 +1744,8 @@ xtermLoadFont(XtermWidget xw, + screen->enbolden = screen->bold_mode; + } else { + screen->enbolden = screen->bold_mode +- && ((fnts[fNorm].fs == fnts[fBold].fs) +- || same_font_name(myfonts.f_n, myfonts.f_b)); ++ && ((new_fonts[fNorm].fs == new_fonts[fBold].fs) ++ || same_font_name(new_fnames.f_n, new_fnames.f_b)); + } + TRACE(("Will %suse 1-pixel offset/overstrike to simulate bold\n", + screen->enbolden ? "" : "not ")); +@@ -1741,7 +1761,7 @@ xtermLoadFont(XtermWidget xw, + update_font_escape(); + } + #if OPT_SHIFT_FONTS +- screen->menu_font_sizes[fontnum] = FontSize(fnts[fNorm].fs); ++ screen->menu_font_sizes[fontnum] = FontSize(new_fonts[fNorm].fs); + #endif + } + set_cursor_gcs(xw); +@@ -1756,20 +1776,21 @@ xtermLoadFont(XtermWidget xw, + FREE_FNAME(f_w); + FREE_FNAME(f_wb); + #endif +- if (fnts[fNorm].fn == fnts[fBold].fn) { +- free(fnts[fNorm].fn); ++ if (new_fonts[fNorm].fn == new_fonts[fBold].fn) { ++ free(new_fonts[fNorm].fn); + } else { +- free(fnts[fNorm].fn); +- free(fnts[fBold].fn); ++ free(new_fonts[fNorm].fn); ++ free(new_fonts[fBold].fn); + } + #if OPT_WIDE_CHARS +- free(fnts[fWide].fn); +- free(fnts[fWBold].fn); ++ free(new_fonts[fWide].fn); ++ free(new_fonts[fWBold].fn); + #endif + xtermSetWinSize(xw); + return 1; + + bad: ++ recovered = False; + if (tmpname) + free(tmpname); + +@@ -1780,15 +1801,15 @@ xtermLoadFont(XtermWidget xw, + SetItemSensitivity(fontMenuEntries[fontnum].widget, True); + #endif + Bell(xw, XkbBI_MinorError, 0); +- myfonts.f_n = screen->MenuFontName(old_fontnum); +- return xtermLoadFont(xw, &myfonts, doresize, old_fontnum); +- } else if (x_strcasecmp(myfonts.f_n, DEFFONT)) { +- int code; +- +- myfonts.f_n = x_strdup(DEFFONT); +- TRACE(("...recovering for TrueType fonts\n")); +- code = xtermLoadFont(xw, &myfonts, doresize, fontnum); +- if (code) { ++ new_fnames.f_n = screen->MenuFontName(old_fontnum); ++ if (xtermLoadFont(xw, &new_fnames, doresize, old_fontnum)) ++ recovered = True; ++ } else if (x_strcasecmp(new_fnames.f_n, DEFFONT) ++ && x_strcasecmp(new_fnames.f_n, old_fonts[fNorm].fn)) { ++ new_fnames.f_n = x_strdup(old_fonts[fNorm].fn); ++ TRACE(("...recovering from failed font-load\n")); ++ if (xtermLoadFont(xw, &new_fnames, doresize, fontnum)) { ++ recovered = True; + if (fontnum != fontMenu_fontsel) { + SetItemSensitivity(fontMenuEntries[fontnum].widget, + UsingRenderFont(xw)); +@@ -1797,15 +1818,15 @@ xtermLoadFont(XtermWidget xw, + FontHeight(screen), + FontWidth(screen))); + } +- return code; + } + #endif +- +- releaseWindowGCs(xw, win); +- +- xtermCloseFonts(xw, fnts); +- TRACE(("Fail Cgs - xtermLoadFont\n")); +- return 0; ++ if (!recovered) { ++ releaseWindowGCs(xw, win); ++ xtermCloseFonts(xw, new_fonts); ++ TRACE(("Fail Cgs - xtermLoadFont\n")); ++ code = 0; ++ } ++ return code; + } + + #if OPT_WIDE_ATTRS +@@ -1853,7 +1874,7 @@ xtermLoadItalics(XtermWidget xw) + } else { + xtermOpenFont(xw, + getNormalFont(screen, n)->fn, +- data, False); ++ data, NULL, False); + } + } + } +@@ -4317,7 +4338,7 @@ lookupOneFontSize(XtermWidget xw, int fontnum) + + memset(&fnt, 0, sizeof(fnt)); + screen->menu_font_sizes[fontnum] = -1; +- if (xtermOpenFont(xw, screen->MenuFontName(fontnum), &fnt, True)) { ++ if (xtermOpenFont(xw, screen->MenuFontName(fontnum), &fnt, NULL, True)) { + if (fontnum <= fontMenu_lastBuiltin + || strcmp(fnt.fn, DEFFONT)) { + screen->menu_font_sizes[fontnum] = FontSize(fnt.fs); +@@ -4722,13 +4743,14 @@ HandleSetFont(Widget w GCC_UNUSED, + } + } + +-void ++Bool + SetVTFont(XtermWidget xw, + int which, + Bool doresize, + const VTFontNames * fonts) + { + TScreen *screen = TScreenOf(xw); ++ Bool result = False; + + TRACE(("SetVTFont(which=%d, f_n=%s, f_b=%s)\n", which, + (fonts && fonts->f_n) ? fonts->f_n : "<null>", +@@ -4737,34 +4759,31 @@ SetVTFont(XtermWidget xw, + if (IsIcon(screen)) { + Bell(xw, XkbBI_MinorError, 0); + } else if (which >= 0 && which < NMENUFONTS) { +- VTFontNames myfonts; ++ VTFontNames new_fnames; + +- memset(&myfonts, 0, sizeof(myfonts)); ++ memset(&new_fnames, 0, sizeof(new_fnames)); + if (fonts != 0) +- myfonts = *fonts; ++ new_fnames = *fonts; + + if (which == fontMenu_fontsel) { /* go get the selection */ +- FindFontSelection(xw, myfonts.f_n, False); ++ result = FindFontSelection(xw, new_fnames.f_n, False); + } else { +- int oldFont = screen->menu_font_number; +- + #define USE_CACHED(field, name) \ +- if (myfonts.field == 0) { \ +- myfonts.field = x_strdup(screen->menu_font_names[which][name]); \ +- TRACE(("set myfonts." #field " from menu_font_names[%d][" #name "] %s\n", \ +- which, NonNull(myfonts.field))); \ ++ if (new_fnames.field == NULL) { \ ++ new_fnames.field = x_strdup(screen->menu_font_names[which][name]); \ ++ TRACE(("set new_fnames." #field " from menu_font_names[%d][" #name "] %s\n", \ ++ which, NonNull(new_fnames.field))); \ + } else { \ +- TRACE(("set myfonts." #field " reused\n")); \ ++ TRACE(("set new_fnames." #field " reused\n")); \ + } + #define SAVE_FNAME(field, name) \ +- if (myfonts.field != 0) { \ +- if (screen->menu_font_names[which][name] == 0 \ +- || strcmp(screen->menu_font_names[which][name], myfonts.field)) { \ +- TRACE(("updating menu_font_names[%d][" #name "] to %s\n", \ +- which, myfonts.field)); \ +- FREE_STRING(screen->menu_font_names[which][name]); \ +- screen->menu_font_names[which][name] = x_strdup(myfonts.field); \ +- } \ ++ if (new_fnames.field != NULL \ ++ && (screen->menu_font_names[which][name] == NULL \ ++ || strcmp(screen->menu_font_names[which][name], new_fnames.field))) { \ ++ TRACE(("updating menu_font_names[%d][" #name "] to \"%s\"\n", \ ++ which, new_fnames.field)); \ ++ FREE_STRING(screen->menu_font_names[which][name]); \ ++ screen->menu_font_names[which][name] = x_strdup(new_fnames.field); \ + } + + USE_CACHED(f_n, fNorm); +@@ -4774,7 +4793,7 @@ SetVTFont(XtermWidget xw, + USE_CACHED(f_wb, fWBold); + #endif + if (xtermLoadFont(xw, +- &myfonts, ++ &new_fnames, + doresize, which)) { + /* + * If successful, save the data so that a subsequent query via +@@ -4786,10 +4805,8 @@ SetVTFont(XtermWidget xw, + SAVE_FNAME(f_w, fWide); + SAVE_FNAME(f_wb, fWBold); + #endif ++ result = True; + } else { +- (void) xtermLoadFont(xw, +- xtermFontName(screen->MenuFontName(oldFont)), +- doresize, oldFont); + Bell(xw, XkbBI_MinorError, 0); + } + FREE_FNAME(f_n); +@@ -4802,7 +4819,8 @@ SetVTFont(XtermWidget xw, + } else { + Bell(xw, XkbBI_MinorError, 0); + } +- return; ++ TRACE(("...SetVTFont: %d\n", result)); ++ return result; + } + + #if OPT_RENDERFONT +diff --git a/fontutils.h b/fontutils.h +index 9d530c5..ceaf44a 100644 +--- a/fontutils.h ++++ b/fontutils.h +@@ -37,7 +37,7 @@ + /* *INDENT-OFF* */ + + extern Bool xtermLoadDefaultFonts (XtermWidget /* xw */); +-extern Bool xtermOpenFont (XtermWidget /* xw */, const char */* name */, XTermFonts * /* result */, Bool /* force */); ++extern Bool xtermOpenFont (XtermWidget /* xw */, const char */* name */, XTermFonts * /* result */, XTermFonts * /* current */, Bool /* force */); + extern XTermFonts * getDoubleFont (TScreen * /* screen */, int /* which */); + extern XTermFonts * getItalicFont (TScreen * /* screen */, int /* which */); + extern XTermFonts * getNormalFont (TScreen * /* screen */, int /* which */); +@@ -50,7 +50,7 @@ extern int lookupRelativeFontSize (XtermWidget /* xw */, int /* old */, int /* r + extern int xtermGetFont (const char * /* param */); + extern int xtermLoadFont (XtermWidget /* xw */, const VTFontNames */* fonts */, Bool /* doresize */, int /* fontnum */); + extern void HandleSetFont PROTO_XT_ACTIONS_ARGS; +-extern void SetVTFont (XtermWidget /* xw */, int /* i */, Bool /* doresize */, const VTFontNames */* fonts */); ++extern Bool SetVTFont (XtermWidget /* xw */, int /* i */, Bool /* doresize */, const VTFontNames */* fonts */); + extern void allocFontList (XtermWidget /* xw */, const char * /* name */, XtermFontNames * /* target */, VTFontEnum /* which */, const char * /* source */, Bool /* ttf */); + extern void copyFontList (char *** /* targetp */, char ** /* source */); + extern void initFontLists (XtermWidget /* xw */); +diff --git a/misc.c b/misc.c +index cc323f8..6c5e938 100644 +--- a/misc.c ++++ b/misc.c +@@ -3787,9 +3787,9 @@ ChangeFontRequest(XtermWidget xw, String buf) + { + memset(&fonts, 0, sizeof(fonts)); + fonts.f_n = name; +- SetVTFont(xw, num, True, &fonts); +- if (num == screen->menu_font_number && +- num != fontMenu_fontescape) { ++ if (SetVTFont(xw, num, True, &fonts) ++ && num == screen->menu_font_number ++ && num != fontMenu_fontescape) { + screen->EscapeFontName() = x_strdup(name); + } + } +@@ -6237,7 +6237,6 @@ xtermSetenv(const char *var, const char *value) + + found = envindex; + environ[found + 1] = NULL; +- environ = environ; + } + + environ[found] = TextAlloc(1 + len + strlen(value)); +diff --git a/screen.c b/screen.c +index 690e3e2..f84254f 100644 +--- a/screen.c ++++ b/screen.c +@@ -1497,7 +1497,7 @@ ScrnRefresh(XtermWidget xw, + screen->topline, toprow, leftcol, + nrows, ncols, + force ? " force" : "")); +- ++ (void) recurse; + ++recurse; + + if (screen->cursorp.col >= leftcol +diff --git a/xterm.h b/xterm.h +index ec70e43..aa71f96 100644 +--- a/xterm.h ++++ b/xterm.h +@@ -967,7 +967,7 @@ extern Bool CheckBufPtrs (TScreen * /* screen */); + extern Bool set_cursor_gcs (XtermWidget /* xw */); + extern char * vt100ResourceToString (XtermWidget /* xw */, const char * /* name */); + extern int VTInit (XtermWidget /* xw */); +-extern void FindFontSelection (XtermWidget /* xw */, const char * /* atom_name */, Bool /* justprobe */); ++extern Bool FindFontSelection (XtermWidget /* xw */, const char * /* atom_name */, Bool /* justprobe */); + extern void HideCursor (void); + extern void RestartBlinking(XtermWidget /* xw */); + extern void ShowCursor (void); +diff --git a/xterm.log.html b/xterm.log.html +index 47d590b..e27dc31 100644 +--- a/xterm.log.html ++++ b/xterm.log.html +@@ -991,6 +991,12 @@ + 2020/02/01</a></h1> + + <ul> ++ <li>improve error-recovery when setting a bitmap font for the ++ VT100 window, e.g., in case <em>OSC 50</em> failed, ++ restoring the most recent valid font so that a subsequent ++ <em>OSC 50</em> reports this correctly (report by David ++ Leadbeater).</li> ++ + <li>amend change in <a href="#xterm_352">patch #352</a> for + button-events to fix a case where some followup events were not + processed soon enough (report/patch by Jimmy Aguilar +-- +2.24.4 + diff --git a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb index 6de704d0b7..4e2b0c9d53 100644 --- a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb +++ b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb @@ -1,18 +1,23 @@ require recipes-graphics/xorg-app/xorg-app-common.inc SUMMARY = "xterm is the standard terminal emulator for the X Window System" -DEPENDS = "libxaw xorgproto libxext libxau libxinerama libxpm ncurses" +DEPENDS = "libxaw xorgproto libxext libxau libxinerama libxpm ncurses desktop-file-utils-native" LIC_FILES_CHKSUM = "file://xterm.h;beginline=3;endline=31;md5=996b1ce0584c0747b17b57654cc81e8e" SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \ file://0001-Add-configure-time-check-for-setsid.patch \ + file://CVE-2021-27135.patch \ + file://CVE-2022-24130.patch \ + file://CVE-2022-45063.patch \ " - SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f" SRC_URI[sha256sum] = "e521d3ee9def61f5d5c911afc74dd5c3a56ce147c7071c74023ea24cac9bb768" PACKAGECONFIG ?= "" PACKAGECONFIG[xft] = "--enable-freetype,--disable-freetype,libxft fontconfig freetype-native" +# Let xterm install .desktop files +inherit mime-xdg + EXTRA_OECONF = " --x-includes=${STAGING_INCDIR} \ --x-libraries=${STAGING_LIBDIR} \ FREETYPE_CONFIG=${STAGING_BINDIR_CROSS}/freetype-config \ @@ -30,7 +35,16 @@ do_configure() { oe_runconf } +do_install_append() { + oe_runmake install-desktop DESTDIR="${D}" DESKTOP_FLAGS="--dir=${D}${DESKTOPDIR}" +} + +RPROVIDES_${PN} = "virtual/x-terminal-emulator" + # busybox can supply resize too inherit update-alternatives -ALTERNATIVE_${PN} = "resize" +ALTERNATIVE_${PN} = "resize x-terminal-emulator" +ALTERNATIVE_TARGET[x-terminal-emulator] = "${bindir}/xterm" +# rxvt-unicode defaults to priority 10. Let's be one point lower to let it override xterm. +ALTERNATIVE_PRIORITY[x-terminal-emulator] = "9" diff --git a/meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb b/meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb index b436ef1e4a..3d60ed1310 100644 --- a/meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb +++ b/meta-oe/recipes-graphics/xorg-driver/xf86-video-armsoc_1.4.1.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=10ce5de3b111315ea652a5f74ec0c602" DEPENDS += "virtual/libx11 libdrm xorgproto" SRCREV = "8bbdb2ae3bb8ef649999a8da33ddbe11a04763b8" -SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-armsoc" +SRC_URI = "git://anongit.freedesktop.org/xorg/driver/xf86-video-armsoc;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/yad/yad_6.0.bb b/meta-oe/recipes-graphics/yad/yad_6.0.bb index 3760a37d31..92a5c284b3 100644 --- a/meta-oe/recipes-graphics/yad/yad_6.0.bb +++ b/meta-oe/recipes-graphics/yad/yad_6.0.bb @@ -5,7 +5,7 @@ AUTHOR = "Victor Ananjevsky" LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" -SRC_URI = "git://github.com/v1cont/yad.git" +SRC_URI = "git://github.com/v1cont/yad.git;branch=master;protocol=https" SRCREV = "a5b1a7a3867bc7dffbbc539f586f301687b6ec02" inherit autotools gsettings features_check diff --git a/meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb b/meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb index 2eb19206d3..57232f8d5f 100644 --- a/meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb +++ b/meta-oe/recipes-kernel/agent-proxy/agent-proxy_1.97.bb @@ -10,7 +10,7 @@ EXTRA_OEMAKE = "'CC=${CC}'" SRCREV = "468fe4c31e6c62c9bbb328b06ba71eaf7be0b76a" -SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kgdb/agent-proxy.git;protocol=git \ +SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kgdb/agent-proxy.git;protocol=git;branch=master \ file://0001-Makefile-Add-LDFLAGS-variable.patch \ " diff --git a/meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb b/meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb index 8c474ecdc4..b6fbccfbf5 100644 --- a/meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb +++ b/meta-oe/recipes-kernel/broadcom-bt-firmware/broadcom-bt-firmware_git.bb @@ -9,7 +9,7 @@ LICENSE = "Firmware-Broadcom-WIDCOMM" NO_GENERIC_LICENSE[Firmware-Broadcom-WIDCOMM] = "LICENSE.broadcom_bcm20702" LIC_FILES_CHKSUM = "file://LICENSE.broadcom_bcm20702;md5=c0d5ea0502b00df74173d0f8a48b619d" -SRC_URI = "git://github.com/winterheart/broadcom-bt-firmware.git" +SRC_URI = "git://github.com/winterheart/broadcom-bt-firmware.git;branch=master;protocol=https" SRCREV = "c0bd928b8ae5754b6077c99afe6ef5c949a58f32" PE = "1" PV = "0.0+git${SRCPV}" diff --git a/meta-oe/recipes-kernel/crash/crash_7.2.8.bb b/meta-oe/recipes-kernel/crash/crash_7.2.8.bb index 834c92cc46..5dd2c0aa0d 100644 --- a/meta-oe/recipes-kernel/crash/crash_7.2.8.bb +++ b/meta-oe/recipes-kernel/crash/crash_7.2.8.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING3;md5=d32239bcb673463ab874e80d47fae504" DEPENDS = "zlib readline coreutils-native ncurses-native" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/crash-utility/${BPN}.git \ +SRC_URI = "git://github.com/crash-utility/${BPN}.git;branch=master;protocol=https \ ${GNU_MIRROR}/gdb/gdb-7.6.tar.gz;name=gdb;subdir=git \ file://7001force_define_architecture.patch \ file://7003cross_ranlib.patch \ diff --git a/meta-oe/recipes-kernel/kpatch/kpatch.inc b/meta-oe/recipes-kernel/kpatch/kpatch.inc index 1f70f72054..685be7d40c 100644 --- a/meta-oe/recipes-kernel/kpatch/kpatch.inc +++ b/meta-oe/recipes-kernel/kpatch/kpatch.inc @@ -3,7 +3,7 @@ DESCRIPTION = "kpatch is a Linux dynamic kernel patching infrastructure which al LICENSE = "GPLv2 & LGPLv2" DEPENDS = "elfutils bash" -SRC_URI = "git://github.com/dynup/kpatch.git;protocol=https \ +SRC_URI = "git://github.com/dynup/kpatch.git;protocol=https;branch=master \ file://0001-kpatch-build-add-cross-compilation-support.patch \ file://0002-kpatch-build-allow-overriding-of-distro-name.patch \ " diff --git a/meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb b/meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb index d381c83ae8..8188ae599d 100644 --- a/meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb +++ b/meta-oe/recipes-kernel/minicoredumper/minicoredumper_2.0.1.bb @@ -13,7 +13,7 @@ SRCREV = "16a0d44f1725eaa93096eaa0e086f42ef4c2712c" PR .= "+git${SRCPV}" -SRC_URI = "git://github.com/diamon/minicoredumper;protocol=https \ +SRC_URI = "git://github.com/diamon/minicoredumper;protocol=https;branch=master \ file://minicoredumper.service \ file://minicoredumper.init \ " diff --git a/meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb b/meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb index a1378866ad..78d9c36c92 100644 --- a/meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb +++ b/meta-oe/recipes-kernel/pm-graph/pm-graph_5.5.bb @@ -6,7 +6,7 @@ LICENSE = "GPL-2" LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e" SRCREV = "cf59527dc24fdd2f314ae4dcaeb3d68a117988f6" -SRC_URI = "git://github.com/intel/pm-graph.git \ +SRC_URI = "git://github.com/intel/pm-graph.git;branch=master;protocol=https \ file://0001-Makefile-fix-multilib-build-failure.patch \ file://0001-sleepgraph.py-use-python3.patch \ " diff --git a/meta-oe/recipes-multimedia/jack/a2jmidid_9.bb b/meta-oe/recipes-multimedia/jack/a2jmidid_9.bb index 5fffe77c2d..e33a3f2574 100644 --- a/meta-oe/recipes-multimedia/jack/a2jmidid_9.bb +++ b/meta-oe/recipes-multimedia/jack/a2jmidid_9.bb @@ -11,7 +11,7 @@ DEPENDS_append_libc-musl = " libexecinfo" SRCREV = "de37569c926c5886768f892c019e3f0468615038" SRC_URI = " \ - git://github.com/linuxaudio/a2jmidid;protocol=https \ + git://github.com/linuxaudio/a2jmidid;protocol=https;branch=master \ file://riscv_ucontext.patch \ " diff --git a/meta-oe/recipes-multimedia/jack/jack_1.19.14.bb b/meta-oe/recipes-multimedia/jack/jack_1.19.14.bb index e954341ffe..dbf4c1ae74 100644 --- a/meta-oe/recipes-multimedia/jack/jack_1.19.14.bb +++ b/meta-oe/recipes-multimedia/jack/jack_1.19.14.bb @@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = " \ DEPENDS = "libsamplerate0 libsndfile1 readline" -SRC_URI = "git://github.com/jackaudio/jack2.git \ +SRC_URI = "git://github.com/jackaudio/jack2.git;branch=master;protocol=https \ file://0001-example-clients-Use-c-compiler-for-jack_simdtests.patch \ " SRCREV = "b54a09bf7ef760d81fdb8544ad10e45575394624" diff --git a/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb b/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb index 3454a5c270..f6c64212fe 100644 --- a/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb +++ b/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a42532a0684420bdb15556c3cdd49a75" DEPENDS = "enca fontconfig freetype libpng fribidi" -SRC_URI = "git://github.com/libass/libass.git" +SRC_URI = "git://github.com/libass/libass.git;branch=master;protocol=https" SRCREV = "73284b676b12b47e17af2ef1b430527299e10c17" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb b/meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb index f7b0f30fb9..13979ae9b9 100644 --- a/meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb +++ b/meta-oe/recipes-multimedia/mplayer/mpv_0.32.0.bb @@ -17,8 +17,10 @@ LICENSE_FLAGS = "commercial" SRCREV_mpv = "70b991749df389bcc0a4e145b5687233a03b4ed7" SRC_URI = " \ - git://github.com/mpv-player/mpv;name=mpv \ + git://github.com/mpv-player/mpv;name=mpv;branch=master;protocol=https \ + https://waf.io/waf-2.0.20;name=waf;subdir=git \ " +SRC_URI[waf.sha256sum] = "bf971e98edc2414968a262c6aa6b88541a26c3cd248689c89f4c57370955ee7f" S = "${WORKDIR}/git" @@ -101,14 +103,10 @@ EXTRA_OECONF = " \ ${PACKAGECONFIG_CONFARGS} \ " -do_patch[postfuncs] += "get_waf" - -get_waf() { - cd ${S} - ./bootstrap.py - sed -i -e 's|/usr/bin/env python|/usr/bin/env python3|g' ${S}/waf - cd - +link_waf() { + ln -s waf-2.0.20 ${S}/waf } +do_unpack[postfuncs] += "link_waf" FILES_${PN} += " \ ${datadir}/icons \ diff --git a/meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb b/meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb index bcb3015f8b..f6cefd8107 100644 --- a/meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb +++ b/meta-oe/recipes-multimedia/pipewire/pipewire-0.2_git.bb @@ -11,7 +11,7 @@ DEPENDS = "alsa-lib dbus udev" SRCREV = "14c11c0fe4d366bad4cfecdee97b6652ff9ed63d" PV = "0.2.7" -SRC_URI = "git://github.com/PipeWire/pipewire" +SRC_URI = "git://github.com/PipeWire/pipewire;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-multimedia/pipewire/pipewire_git.bb b/meta-oe/recipes-multimedia/pipewire/pipewire_git.bb index 1a415c13c3..c55432d3bd 100644 --- a/meta-oe/recipes-multimedia/pipewire/pipewire_git.bb +++ b/meta-oe/recipes-multimedia/pipewire/pipewire_git.bb @@ -11,7 +11,7 @@ DEPENDS = "alsa-lib dbus udev" SRCREV = "74a1632f0720886d5b3b6c23ee8fcd6c03ca7aac" PV = "0.3.1" -SRC_URI = "git://github.com/PipeWire/pipewire" +SRC_URI = "git://github.com/PipeWire/pipewire;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb b/meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb index a192d1a3bb..98542ffe61 100644 --- a/meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb +++ b/meta-oe/recipes-multimedia/v4l2apps/yavta_git.bb @@ -2,7 +2,7 @@ SUMMARY = "Yet Another V4L2 Test Application" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING.GPL;md5=751419260aa954499f7abaabaa882bbe" -SRC_URI = "git://git.ideasonboard.org/yavta.git \ +SRC_URI = "git://git.ideasonboard.org/yavta.git;branch=master \ file://0001-Add-stdout-mode-to-allow-streaming-over-the-network-.patch" SRCREV = "7e9f28bedc1ed3205fb5164f686aea96f27a0de2" diff --git a/meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb b/meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb index 4a98ec17dd..d607bbebe8 100644 --- a/meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb +++ b/meta-oe/recipes-multimedia/webm/libvpx_1.8.2.bb @@ -8,7 +8,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=d5b04755015be901744a78cc30d390d4" SRCREV = "7ec7a33a081aeeb53fed1a8d87e4cbd189152527" -SRC_URI += "git://chromium.googlesource.com/webm/libvpx;protocol=https \ +SRC_URI += "git://chromium.googlesource.com/webm/libvpx;protocol=https;branch=master \ file://libvpx-configure-support-blank-prefix.patch \ " diff --git a/meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb b/meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb index b46445a2ba..e57e7a7209 100644 --- a/meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb +++ b/meta-oe/recipes-navigation/geoclue/geoclue_2.5.3.bb @@ -31,7 +31,7 @@ PACKAGECONFIG ??= "3g modem-gps cdma nmea lib" PACKAGECONFIG[3g] = "-D3g-source=true,-D3g-source=false,modemmanager" PACKAGECONFIG[modem-gps] = "-Dmodem-gps-source=true,-Dmodem-gps-source=false,modemmanager" PACKAGECONFIG[cdma] = "-Dcdma-source=true,-Dcdma-source=false,modemmanager" -PACKAGECONFIG[nmea] = "-Dnmea-source=true,-Dnmea-source=false,avahi" +PACKAGECONFIG[nmea] = "-Dnmea-source=true,-Dnmea-source=false,avahi,avahi-daemon" PACKAGECONFIG[lib] = "-Dlibgeoclue=true,-Dlibgeoclue=false,gobject-introspection" GTKDOC_MESON_OPTION = "gtk-doc" diff --git a/meta-oe/recipes-navigation/gpsd/gpsd_3.19.bb b/meta-oe/recipes-navigation/gpsd/gpsd_3.19.bb index f74ebda5f1..05fbed6227 100644 --- a/meta-oe/recipes-navigation/gpsd/gpsd_3.19.bb +++ b/meta-oe/recipes-navigation/gpsd/gpsd_3.19.bb @@ -23,6 +23,8 @@ SYSTEMD_OESCONS = "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'f export STAGING_INCDIR export STAGING_LIBDIR +CLEANBROKEN = "1" + PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez', '', d)} usb" PACKAGECONFIG[bluez] = "bluez='true',bluez='false',bluez5" PACKAGECONFIG[qt] = "qt='yes' qt_versioned=5,qt='no',qtbase" diff --git a/meta-oe/recipes-printing/cups/cups-filters.inc b/meta-oe/recipes-printing/cups/cups-filters.inc index 589bb90e6e..ff1b9ec875 100644 --- a/meta-oe/recipes-printing/cups/cups-filters.inc +++ b/meta-oe/recipes-printing/cups/cups-filters.inc @@ -7,7 +7,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=516215fd57564996d70327db19b368ff" SECTION = "console/utils" DEPENDS = "cups glib-2.0 glib-2.0-native dbus dbus-glib lcms ghostscript poppler qpdf libpng" -DEPENDS_class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-native gettext-native libpng-native" SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz" @@ -23,13 +22,6 @@ EXTRA_OECONF += " --enable-ghostscript --disable-ldap \ --with-rcdir=no \ --without-php" -EXTRA_OECONF_class-native += " --with-pdftops=pdftops \ - --disable-avahi --disable-ghostscript \ - --disable-ldap \ - --with-png --without-jpeg --without-tiff" - -BBCLASSEXTEND = "native" - PACKAGECONFIG[jpeg] = "--with-jpeg,--without-jpeg,jpeg" PACKAGECONFIG[png] = "--with-png,--without-png,libpng" PACKAGECONFIG[tiff] = "--with-tiff,--without-tiff,tiff" diff --git a/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb b/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb index 0a8c2e4834..879dbe5cae 100644 --- a/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb +++ b/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb @@ -31,6 +31,9 @@ EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \ LIBDIR=${libdir} \ USRLIBDIR=${libdir} \ INCLUDEDIR=${includedir} \ + ETCDIR=${sysconfdir} \ + SHAREDIR=${datadir}/keyutils \ + MANDIR=${datadir}/man \ BUILDFOR=${SITEINFO_BITS}-bit \ NO_GLIBC_KEYERR=1 \ " @@ -40,18 +43,6 @@ do_install () { oe_runmake DESTDIR=${D} install } -do_install_append_class-nativesdk() { - install -d ${D}${datadir} - src_dir="${D}${target_datadir}" - mv $src_dir/* ${D}${datadir} - par_dir=`dirname $src_dir` - rmdir $src_dir $par_dir - - install -d ${D}${sysconfdir} - mv ${D}/etc/* ${D}${sysconfdir}/ - rmdir ${D}/etc -} - do_install_ptest () { cp -r ${S}/tests ${D}${PTEST_PATH}/ sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh diff --git a/meta-oe/recipes-security/softhsm/softhsm_git.bb b/meta-oe/recipes-security/softhsm/softhsm_git.bb index 3236cb9a60..4ceda3d4b8 100644 --- a/meta-oe/recipes-security/softhsm/softhsm_git.bb +++ b/meta-oe/recipes-security/softhsm/softhsm_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210" DEPENDS = "openssl" PV = "2.5.0" -SRC_URI = "git://github.com/opendnssec/SoftHSMv2.git;branch=master" +SRC_URI = "git://github.com/opendnssec/SoftHSMv2.git;branch=master;protocol=https" SRCREV = "369df0383d101bc8952692c2a368ac8bc887d1b4" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb b/meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb index 4ea6c8a295..8df94d91e2 100644 --- a/meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb +++ b/meta-oe/recipes-support/ace-cloud-editor/ace-cloud-editor_git.bb @@ -4,7 +4,7 @@ SUMMARY = "Ace is a code editor written in JavaScript. This repository has only LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=794d11c5219c59c9efa2487c2b4066b2" -SRC_URI = "git://github.com/ajaxorg/ace-builds.git;protocol=https" +SRC_URI = "git://github.com/ajaxorg/ace-builds.git;protocol=https;branch=master" PV = "02.07.17+git${SRCPV}" SRCREV = "812e2c56aed246931a667f16c28b096e34597016" diff --git a/meta-oe/recipes-support/anthy/anthy_9100h.bb b/meta-oe/recipes-support/anthy/anthy_9100h.bb index a65d324eae..b464c00003 100644 --- a/meta-oe/recipes-support/anthy/anthy_9100h.bb +++ b/meta-oe/recipes-support/anthy/anthy_9100h.bb @@ -10,8 +10,8 @@ SRC_URI = "http://osdn.dl.sourceforge.jp/anthy/37536/anthy-9100h.tar.gz \ file://2ch_t.patch \ " -SRC_URI_append_class-target = "file://target-helpers.patch" -SRC_URI_append_class-native = "file://native-helpers.patch" +SRC_URI_append_class-target = " file://target-helpers.patch" +SRC_URI_append_class-native = " file://native-helpers.patch" SRC_URI[md5sum] = "1f558ff7ed296787b55bb1c6cf131108" SRC_URI[sha256sum] = "d256f075f018b4a3cb0d165ed6151fda4ba7db1621727e0eb54569b6e2275547" diff --git a/meta-oe/recipes-support/avro/avro-c_1.9.2.bb b/meta-oe/recipes-support/avro/avro-c_1.9.2.bb index 0642179fb3..e85f341f1f 100644 --- a/meta-oe/recipes-support/avro/avro-c_1.9.2.bb +++ b/meta-oe/recipes-support/avro/avro-c_1.9.2.bb @@ -9,7 +9,7 @@ DEPENDS = "jansson zlib xz" BRANCH = "branch-1.9" SRCREV = "bf20128ca6138a830b2ea13e0490f3df6b035639" -SRC_URI = "git://github.com/apache/avro;branch=${BRANCH} \ +SRC_URI = "git://github.com/apache/avro;branch=${BRANCH};protocol=https \ file://0001-cmake-Use-GNUInstallDirs-instead-of-hard-coded-paths.patch;patchdir=../../ \ " diff --git a/meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb b/meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb index 407de21385..d7d0b9c154 100644 --- a/meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb +++ b/meta-oe/recipes-support/bdwgc/bdwgc_8.0.4.bb @@ -24,7 +24,7 @@ LIC_FILES_CHKSUM = "file://README.QUICK;md5=81b447d779e278628c843aef92f088fa" DEPENDS = "libatomic-ops" SRCREV = "d3dede3ce4462cd82a15f161af797ca51654546a" -SRC_URI = "git://github.com/ivmai/bdwgc.git;branch=release-8_0" +SRC_URI = "git://github.com/ivmai/bdwgc.git;branch=release-8_0;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch b/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch deleted file mode 100644 index 8f15f8424c..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch +++ /dev/null @@ -1,27 +0,0 @@ -From f2f1e134bf5d9d0789942848e03006af8d926cf8 Mon Sep 17 00:00:00 2001 -From: Wang Mingyu <wangmy@cn.fujitsu.com> -Date: Tue, 17 Mar 2020 12:53:35 +0800 -Subject: [PATCH] fix configure error : mv libcares.pc.cmakein to - libcares.pc.cmake - -Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com> ---- - CMakeLists.txt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 3a5878d..c2e5740 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -563,7 +563,7 @@ IF (CARES_STATIC) - ENDIF() - - # Write ares_config.h configuration file. This is used only for the build. --CONFIGURE_FILE (libcares.pc.cmakein ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) -+CONFIGURE_FILE (libcares.pc.cmake ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) - - - --- -2.17.1 - diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch new file mode 100644 index 0000000000..fb0aee372f --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2022-4904.patch @@ -0,0 +1,67 @@ +From 9903253c347f9e0bffd285ae3829aef251cc852d Mon Sep 17 00:00:00 2001 +From: hopper-vul <118949689+hopper-vul@users.noreply.github.com> +Date: Wed, 18 Jan 2023 22:14:26 +0800 +Subject: [PATCH] Add str len check in config_sortlist to avoid stack overflow + (#497) + +In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse +the input str and initialize a sortlist configuration. + +However, ares_set_sortlist has not any checks about the validity of the input str. +It is very easy to create an arbitrary length stack overflow with the unchecked +`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` +statements in the config_sortlist call, which could potentially cause severe +security impact in practical programs. + +This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the +potential stack overflows. + +fixes #496 + +Fix By: @hopper-vul + +CVE: CVE-2022-4904 +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/lib/ares_init.c | 4 ++++ + test/ares-test-init.cc | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c +index 51668a5c..3f9cec65 100644 +--- a/src/lib/ares_init.c ++++ b/src/lib/ares_init.c +@@ -1913,6 +1913,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + q = str; + while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 16) ++ return ARES_EBADSTR; + memcpy(ipbuf, str, q-str); + ipbuf[q-str] = '\0'; + /* Find the prefix */ +@@ -1921,6 +1923,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str2 = q+1; + while (*q && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 32) ++ return ARES_EBADSTR; + memcpy(ipbufpfx, str, q-str); + ipbufpfx[q-str] = '\0'; + str = str2; +diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc +index 63c6a228..ee845181 100644 +--- a/test/ares-test-init.cc ++++ b/test/ares-test-init.cc +@@ -275,6 +275,8 @@ TEST_F(DefaultChannelTest, SetAddresses) { + + TEST_F(DefaultChannelTest, SetSortlistFailures) { + EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123")); + } diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31130.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31130.patch new file mode 100644 index 0000000000..603d2687d5 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31130.patch @@ -0,0 +1,329 @@ +From f22cc01039b6473b736d3bf438f56a2654cdf2b2 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 22 May 2023 06:51:34 -0400 +Subject: [PATCH] Merge pull request from GHSA-x6mf-cxr9-8q6v + +* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares. +* Always use our own IP conversion functions now, do not delegate to OS + so we can have consistency in testing and fuzzing. +* Removed bogus test cases that never should have passed. +* Add new test case for crash bug found. + +Fix By: Brad House (@bradh352) + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2] +CVE: CVE-2023-31130 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lib/inet_net_pton.c | 155 ++++++++++++++++++++----------------- + test/ares-test-internal.cc | 7 +- + 2 files changed, 86 insertions(+), 76 deletions(-) + +diff --git a/src/lib/inet_net_pton.c b/src/lib/inet_net_pton.c +index 840de506..fc50425b 100644 +--- a/src/lib/inet_net_pton.c ++++ b/src/lib/inet_net_pton.c +@@ -1,19 +1,20 @@ + + /* +- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (c) 2012 by Gilles Chehade <gilles@openbsd.org> + * Copyright (c) 1996,1999 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * +- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES +- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR +- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT +- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS ++ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE ++ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL ++ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR ++ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ++ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS ++ * SOFTWARE. + */ + + #include "ares_setup.h" +@@ -35,9 +36,6 @@ + + const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }; + +- +-#ifndef HAVE_INET_NET_PTON +- + /* + * static int + * inet_net_pton_ipv4(src, dst, size) +@@ -60,7 +58,7 @@ const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0, + * Paul Vixie (ISC), June 1996 + */ + static int +-inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size) ++ares_inet_net_pton_ipv4(const char *src, unsigned char *dst, size_t size) + { + static const char xdigits[] = "0123456789abcdef"; + static const char digits[] = "0123456789"; +@@ -261,19 +259,14 @@ getv4(const char *src, unsigned char *dst, int *bitsp) + } + + static int +-inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) ++ares_inet_pton6(const char *src, unsigned char *dst) + { + static const char xdigits_l[] = "0123456789abcdef", +- xdigits_u[] = "0123456789ABCDEF"; ++ xdigits_u[] = "0123456789ABCDEF"; + unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp; + const char *xdigits, *curtok; +- int ch, saw_xdigit; ++ int ch, saw_xdigit, count_xdigit; + unsigned int val; +- int digits; +- int bits; +- size_t bytes; +- int words; +- int ipv4; + + memset((tp = tmp), '\0', NS_IN6ADDRSZ); + endp = tp + NS_IN6ADDRSZ; +@@ -283,22 +276,22 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) + if (*++src != ':') + goto enoent; + curtok = src; +- saw_xdigit = 0; ++ saw_xdigit = count_xdigit = 0; + val = 0; +- digits = 0; +- bits = -1; +- ipv4 = 0; + while ((ch = *src++) != '\0') { + const char *pch; + + if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL) + pch = strchr((xdigits = xdigits_u), ch); + if (pch != NULL) { ++ if (count_xdigit >= 4) ++ goto enoent; + val <<= 4; +- val |= aresx_sztoui(pch - xdigits); +- if (++digits > 4) ++ val |= (pch - xdigits); ++ if (val > 0xffff) + goto enoent; + saw_xdigit = 1; ++ count_xdigit++; + continue; + } + if (ch == ':') { +@@ -308,78 +301,107 @@ inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) + goto enoent; + colonp = tp; + continue; +- } else if (*src == '\0') ++ } else if (*src == '\0') { + goto enoent; ++ } + if (tp + NS_INT16SZ > endp) +- return (0); +- *tp++ = (unsigned char)((val >> 8) & 0xff); +- *tp++ = (unsigned char)(val & 0xff); ++ goto enoent; ++ *tp++ = (unsigned char) (val >> 8) & 0xff; ++ *tp++ = (unsigned char) val & 0xff; + saw_xdigit = 0; +- digits = 0; ++ count_xdigit = 0; + val = 0; + continue; + } + if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) && +- getv4(curtok, tp, &bits) > 0) { +- tp += NS_INADDRSZ; ++ ares_inet_net_pton_ipv4(curtok, tp, INADDRSZ) > 0) { ++ tp += INADDRSZ; + saw_xdigit = 0; +- ipv4 = 1; ++ count_xdigit = 0; + break; /* '\0' was seen by inet_pton4(). */ + } +- if (ch == '/' && getbits(src, &bits) > 0) +- break; + goto enoent; + } + if (saw_xdigit) { + if (tp + NS_INT16SZ > endp) + goto enoent; +- *tp++ = (unsigned char)((val >> 8) & 0xff); +- *tp++ = (unsigned char)(val & 0xff); ++ *tp++ = (unsigned char) (val >> 8) & 0xff; ++ *tp++ = (unsigned char) val & 0xff; + } +- if (bits == -1) +- bits = 128; +- +- words = (bits + 15) / 16; +- if (words < 2) +- words = 2; +- if (ipv4) +- words = 8; +- endp = tmp + 2 * words; +- + if (colonp != NULL) { + /* + * Since some memmove()'s erroneously fail to handle + * overlapping regions, we'll do the shift by hand. + */ +- const ares_ssize_t n = tp - colonp; +- ares_ssize_t i; ++ const int n = tp - colonp; ++ int i; + + if (tp == endp) + goto enoent; + for (i = 1; i <= n; i++) { +- *(endp - i) = *(colonp + n - i); +- *(colonp + n - i) = 0; ++ endp[- i] = colonp[n - i]; ++ colonp[n - i] = 0; + } + tp = endp; + } + if (tp != endp) + goto enoent; + +- bytes = (bits + 7) / 8; +- if (bytes > size) +- goto emsgsize; +- memcpy(dst, tmp, bytes); +- return (bits); ++ memcpy(dst, tmp, NS_IN6ADDRSZ); ++ return (1); + +- enoent: ++enoent: + SET_ERRNO(ENOENT); + return (-1); + +- emsgsize: ++emsgsize: + SET_ERRNO(EMSGSIZE); + return (-1); + } + ++static int ++ares_inet_net_pton_ipv6(const char *src, unsigned char *dst, size_t size) ++{ ++ struct ares_in6_addr in6; ++ int ret; ++ int bits; ++ size_t bytes; ++ char buf[INET6_ADDRSTRLEN + sizeof("/128")]; ++ char *sep; ++ const char *errstr; ++ ++ if (strlen(src) >= sizeof buf) { ++ SET_ERRNO(EMSGSIZE); ++ return (-1); ++ } ++ strncpy(buf, src, sizeof buf); ++ ++ sep = strchr(buf, '/'); ++ if (sep != NULL) ++ *sep++ = '\0'; ++ ++ ret = ares_inet_pton6(buf, (unsigned char *)&in6); ++ if (ret != 1) ++ return (-1); ++ ++ if (sep == NULL) ++ bits = 128; ++ else { ++ if (!getbits(sep, &bits)) { ++ SET_ERRNO(ENOENT); ++ return (-1); ++ } ++ } ++ ++ bytes = (bits + 7) / 8; ++ if (bytes > size) { ++ SET_ERRNO(EMSGSIZE); ++ return (-1); ++ } ++ memcpy(dst, &in6, bytes); ++ return (bits); ++} ++ + /* + * int + * inet_net_pton(af, src, dst, size) +@@ -403,18 +425,15 @@ ares_inet_net_pton(int af, const char *src, void *dst, size_t size) + { + switch (af) { + case AF_INET: +- return (inet_net_pton_ipv4(src, dst, size)); ++ return (ares_inet_net_pton_ipv4(src, dst, size)); + case AF_INET6: +- return (inet_net_pton_ipv6(src, dst, size)); ++ return (ares_inet_net_pton_ipv6(src, dst, size)); + default: + SET_ERRNO(EAFNOSUPPORT); + return (-1); + } + } + +-#endif /* HAVE_INET_NET_PTON */ +- +-#ifndef HAVE_INET_PTON + int ares_inet_pton(int af, const char *src, void *dst) + { + int result; +@@ -434,11 +453,3 @@ int ares_inet_pton(int af, const char *src, void *dst) + return 0; + return (result > -1 ? 1 : -1); + } +-#else /* HAVE_INET_PTON */ +-int ares_inet_pton(int af, const char *src, void *dst) +-{ +- /* just relay this to the underlying function */ +- return inet_pton(af, src, dst); +-} +- +-#endif +diff --git a/test/ares-test-internal.cc b/test/ares-test-internal.cc +index 96d4edec..161f0a5c 100644 +--- a/test/ares-test-internal.cc ++++ b/test/ares-test-internal.cc +@@ -81,6 +81,7 @@ TEST_F(LibraryTest, InetPtoN) { + EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "12:34::ff/0", &a6, sizeof(a6))); + EXPECT_EQ(16 * 8, ares_inet_net_pton(AF_INET6, "12:34::ffff:0.2", &a6, sizeof(a6))); + EXPECT_EQ(16 * 8, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234", &a6, sizeof(a6))); ++ EXPECT_EQ(2, ares_inet_net_pton(AF_INET6, "0::00:00:00/2", &a6, sizeof(a6))); + + // Various malformed versions + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET, "", &a4, sizeof(a4))); +@@ -118,11 +119,9 @@ TEST_F(LibraryTest, InetPtoN) { + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, ":1234:1234:1234:1234:1234:1234:1234:1234", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, ":1234:1234:1234:1234:1234:1234:1234:1234:", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678", &a6, sizeof(a6))); +- // TODO(drysdale): check whether the next two tests should give -1. +- EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678", &a6, sizeof(a6))); +- EXPECT_EQ(0, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678:5678", &a6, sizeof(a6))); ++ EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678", &a6, sizeof(a6))); ++ EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "1234:1234:1234:1234:1234:1234:1234:1234:5678:5678:5678", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:257.2.3.4", &a6, sizeof(a6))); +- EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:002.2.3.4", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.4.5.6", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.4.5", &a6, sizeof(a6))); + EXPECT_EQ(-1, ares_inet_net_pton(AF_INET6, "12:34::ffff:1.2.3.z", &a6, sizeof(a6))); +-- +2.25.1 + diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31147.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31147.patch new file mode 100644 index 0000000000..ba17721a58 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-31147.patch @@ -0,0 +1,717 @@ +From 823df3b989e59465d17b0a2eb1239a5fc048b4e5 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 22 May 2023 06:51:06 -0400 +Subject: [PATCH] Merge pull request from GHSA-8r8p-23f3-64c2 + +* segment random number generation into own file + +* abstract random code to make it more modular so we can have multiple backends + +* rand: add support for arc4random_buf() and also direct CARES_RANDOM_FILE reading + +* autotools: fix detection of arc4random_buf + +* rework initial rc4 seed for PRNG as last fallback + +* rc4: more proper implementation, simplified for clarity + +* clarifications + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/823df3b989e59465d17b0a2eb1239a5fc048b4e5] +CVE: CVE-2023-31147 + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + CMakeLists.txt | 2 + + configure.ac | 1 + + m4/cares-functions.m4 | 85 +++++++++++ + src/lib/Makefile.inc | 1 + + src/lib/ares_config.h.cmake | 3 + + src/lib/ares_destroy.c | 3 + + src/lib/ares_init.c | 82 ++--------- + src/lib/ares_private.h | 19 ++- + src/lib/ares_query.c | 36 +---- + src/lib/ares_rand.c | 274 ++++++++++++++++++++++++++++++++++++ + 10 files changed, 387 insertions(+), 119 deletions(-) + create mode 100644 src/lib/ares_rand.c + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 194485a3..1fb9af55 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -386,6 +386,8 @@ CHECK_SYMBOL_EXISTS (strncasecmp "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNCAS + CHECK_SYMBOL_EXISTS (strncmpi "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNCMPI) + CHECK_SYMBOL_EXISTS (strnicmp "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_STRNICMP) + CHECK_SYMBOL_EXISTS (writev "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_WRITEV) ++CHECK_SYMBOL_EXISTS (arc4random_buf "${CMAKE_EXTRA_INCLUDE_FILES}" HAVE_ARC4RANDOM_BUF) ++ + + # On Android, the system headers may define __system_property_get(), but excluded + # from libc. We need to perform a link test instead of a header/symbol test. +diff --git a/configure.ac b/configure.ac +index 1d0fb5ce..9a763696 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -683,6 +683,7 @@ CARES_CHECK_FUNC_STRNCASECMP + CARES_CHECK_FUNC_STRNCMPI + CARES_CHECK_FUNC_STRNICMP + CARES_CHECK_FUNC_WRITEV ++CARES_CHECK_FUNC_ARC4RANDOM_BUF + + + dnl check for AF_INET6 +diff --git a/m4/cares-functions.m4 b/m4/cares-functions.m4 +index 0f3992c7..d4f4f994 100644 +--- a/m4/cares-functions.m4 ++++ b/m4/cares-functions.m4 +@@ -3753,3 +3753,88 @@ AC_DEFUN([CARES_CHECK_FUNC_WRITEV], [ + ac_cv_func_writev="no" + fi + ]) ++ ++dnl CARES_CHECK_FUNC_ARC4RANDOM_BUF ++dnl ------------------------------------------------- ++dnl Verify if arc4random_buf is available, prototyped, and ++dnl can be compiled. If all of these are true, and ++dnl usage has not been previously disallowed with ++dnl shell variable cares_disallow_arc4random_buf, then ++dnl HAVE_ARC4RANDOM_BUF will be defined. ++ ++AC_DEFUN([CARES_CHECK_FUNC_ARC4RANDOM_BUF], [ ++ AC_REQUIRE([CARES_INCLUDES_STDLIB])dnl ++ # ++ tst_links_arc4random_buf="unknown" ++ tst_proto_arc4random_buf="unknown" ++ tst_compi_arc4random_buf="unknown" ++ tst_allow_arc4random_buf="unknown" ++ # ++ AC_MSG_CHECKING([if arc4random_buf can be linked]) ++ AC_LINK_IFELSE([ ++ AC_LANG_FUNC_LINK_TRY([arc4random_buf]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_links_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_links_arc4random_buf="no" ++ ]) ++ # ++ if test "$tst_links_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf is prototyped]) ++ AC_EGREP_CPP([arc4random_buf],[ ++ $cares_includes_stdlib ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_proto_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_proto_arc4random_buf="no" ++ ]) ++ fi ++ # ++ if test "$tst_proto_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf is compilable]) ++ AC_COMPILE_IFELSE([ ++ AC_LANG_PROGRAM([[ ++ $cares_includes_stdlib ++ ]],[[ ++ arc4random_buf(NULL, 0); ++ return 1; ++ ]]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ tst_compi_arc4random_buf="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_compi_arc4random_buf="no" ++ ]) ++ fi ++ # ++ if test "$tst_compi_arc4random_buf" = "yes"; then ++ AC_MSG_CHECKING([if arc4random_buf usage allowed]) ++ if test "x$cares_disallow_arc4random_buf" != "xyes"; then ++ AC_MSG_RESULT([yes]) ++ tst_allow_arc4random_buf="yes" ++ else ++ AC_MSG_RESULT([no]) ++ tst_allow_arc4random_buf="no" ++ fi ++ fi ++ # ++ AC_MSG_CHECKING([if arc4random_buf might be used]) ++ if test "$tst_links_arc4random_buf" = "yes" && ++ test "$tst_proto_arc4random_buf" = "yes" && ++ test "$tst_compi_arc4random_buf" = "yes" && ++ test "$tst_allow_arc4random_buf" = "yes"; then ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE_UNQUOTED(HAVE_ARC4RANDOM_BUF, 1, ++ [Define to 1 if you have the arc4random_buf function.]) ++ ac_cv_func_arc4random_buf="yes" ++ else ++ AC_MSG_RESULT([no]) ++ ac_cv_func_arc4random_buf="no" ++ fi ++]) ++ +diff --git a/src/lib/Makefile.inc b/src/lib/Makefile.inc +index a3b060c2..72a7673c 100644 +--- a/src/lib/Makefile.inc ++++ b/src/lib/Makefile.inc +@@ -45,6 +45,7 @@ CSOURCES = ares__addrinfo2hostent.c \ + ares_platform.c \ + ares_process.c \ + ares_query.c \ ++ ares_rand.c \ + ares_search.c \ + ares_send.c \ + ares_strcasecmp.c \ +diff --git a/src/lib/ares_config.h.cmake b/src/lib/ares_config.h.cmake +index fddb7853..798820a3 100644 +--- a/src/lib/ares_config.h.cmake ++++ b/src/lib/ares_config.h.cmake +@@ -346,6 +346,9 @@ + /* Define to 1 if you need the memory.h header file even with stdlib.h */ + #cmakedefine NEED_MEMORY_H + ++/* Define if have arc4random_buf() */ ++#cmakedefine HAVE_ARC4RANDOM_BUF ++ + /* a suitable file/device to read random data from */ + #cmakedefine CARES_RANDOM_FILE "@CARES_RANDOM_FILE@" + +diff --git a/src/lib/ares_destroy.c b/src/lib/ares_destroy.c +index fed2009a..0447af4c 100644 +--- a/src/lib/ares_destroy.c ++++ b/src/lib/ares_destroy.c +@@ -90,6 +90,9 @@ void ares_destroy(ares_channel channel) + if (channel->resolvconf_path) + ares_free(channel->resolvconf_path); + ++ if (channel->rand_state) ++ ares__destroy_rand_state(channel->rand_state); ++ + ares_free(channel); + } + +diff --git a/src/lib/ares_init.c b/src/lib/ares_init.c +index de5d86c9..2607ed6f 100644 +--- a/src/lib/ares_init.c ++++ b/src/lib/ares_init.c +@@ -72,7 +72,6 @@ static int config_nameserver(struct server_state **servers, int *nservers, + static int set_search(ares_channel channel, const char *str); + static int set_options(ares_channel channel, const char *str); + static const char *try_option(const char *p, const char *q, const char *opt); +-static int init_id_key(rc4_key* key,int key_data_len); + + static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str); +@@ -149,6 +148,7 @@ int ares_init_options(ares_channel *channelptr, struct ares_options *options, + channel->sock_funcs = NULL; + channel->sock_func_cb_data = NULL; + channel->resolvconf_path = NULL; ++ channel->rand_state = NULL; + + channel->last_server = 0; + channel->last_timeout_processed = (time_t)now.tv_sec; +@@ -202,9 +202,13 @@ int ares_init_options(ares_channel *channelptr, struct ares_options *options, + /* Generate random key */ + + if (status == ARES_SUCCESS) { +- status = init_id_key(&channel->id_key, ARES_ID_KEY_LEN); ++ channel->rand_state = ares__init_rand_state(); ++ if (channel->rand_state == NULL) { ++ status = ARES_ENOMEM; ++ } ++ + if (status == ARES_SUCCESS) +- channel->next_id = ares__generate_new_id(&channel->id_key); ++ channel->next_id = ares__generate_new_id(channel->rand_state); + else + DEBUGF(fprintf(stderr, "Error: init_id_key failed: %s\n", + ares_strerror(status))); +@@ -224,6 +228,8 @@ done: + ares_free(channel->lookups); + if(channel->resolvconf_path) + ares_free(channel->resolvconf_path); ++ if (channel->rand_state) ++ ares__destroy_rand_state(channel->rand_state); + ares_free(channel); + return status; + } +@@ -2495,76 +2501,6 @@ static int sortlist_alloc(struct apattern **sortlist, int *nsort, + return 1; + } + +-/* initialize an rc4 key. If possible a cryptographically secure random key +- is generated using a suitable function (for example win32's RtlGenRandom as +- described in +- http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx +- otherwise the code defaults to cross-platform albeit less secure mechanism +- using rand +-*/ +-static void randomize_key(unsigned char* key,int key_data_len) +-{ +- int randomized = 0; +- int counter=0; +-#ifdef WIN32 +- BOOLEAN res; +- if (ares_fpSystemFunction036) +- { +- res = (*ares_fpSystemFunction036) (key, key_data_len); +- if (res) +- randomized = 1; +- } +-#else /* !WIN32 */ +-#ifdef CARES_RANDOM_FILE +- FILE *f = fopen(CARES_RANDOM_FILE, "rb"); +- if(f) { +- setvbuf(f, NULL, _IONBF, 0); +- counter = aresx_uztosi(fread(key, 1, key_data_len, f)); +- fclose(f); +- } +-#endif +-#endif /* WIN32 */ +- +- if (!randomized) { +- for (;counter<key_data_len;counter++) +- key[counter]=(unsigned char)(rand() % 256); /* LCOV_EXCL_LINE */ +- } +-} +- +-static int init_id_key(rc4_key* key,int key_data_len) +-{ +- unsigned char index1; +- unsigned char index2; +- unsigned char* state; +- short counter; +- unsigned char *key_data_ptr = 0; +- +- key_data_ptr = ares_malloc(key_data_len); +- if (!key_data_ptr) +- return ARES_ENOMEM; +- memset(key_data_ptr, 0, key_data_len); +- +- state = &key->state[0]; +- for(counter = 0; counter < 256; counter++) +- /* unnecessary AND but it keeps some compilers happier */ +- state[counter] = (unsigned char)(counter & 0xff); +- randomize_key(key->state,key_data_len); +- key->x = 0; +- key->y = 0; +- index1 = 0; +- index2 = 0; +- for(counter = 0; counter < 256; counter++) +- { +- index2 = (unsigned char)((key_data_ptr[index1] + state[counter] + +- index2) % 256); +- ARES_SWAP_BYTE(&state[counter], &state[index2]); +- +- index1 = (unsigned char)((index1 + 1) % key_data_len); +- } +- ares_free(key_data_ptr); +- return ARES_SUCCESS; +-} +- + void ares_set_local_ip4(ares_channel channel, unsigned int local_ip) + { + channel->local_ip4 = local_ip; +diff --git a/src/lib/ares_private.h b/src/lib/ares_private.h +index 60d69e08..518b5c33 100644 +--- a/src/lib/ares_private.h ++++ b/src/lib/ares_private.h +@@ -101,8 +101,6 @@ W32_FUNC const char *_w32_GetHostsFile (void); + + #endif + +-#define ARES_ID_KEY_LEN 31 +- + #include "ares_ipv6.h" + #include "ares_llist.h" + +@@ -262,12 +260,8 @@ struct apattern { + unsigned short type; + }; + +-typedef struct rc4_key +-{ +- unsigned char state[256]; +- unsigned char x; +- unsigned char y; +-} rc4_key; ++struct ares_rand_state; ++typedef struct ares_rand_state ares_rand_state; + + struct ares_channeldata { + /* Configuration data */ +@@ -302,8 +296,8 @@ struct ares_channeldata { + + /* ID to use for next query */ + unsigned short next_id; +- /* key to use when generating new ids */ +- rc4_key id_key; ++ /* random state to use when generating new ids */ ++ ares_rand_state *rand_state; + + /* Generation number to use for the next TCP socket open/close */ + int tcp_connection_generation; +@@ -359,7 +353,10 @@ void ares__close_sockets(ares_channel channel, struct server_state *server); + int ares__get_hostent(FILE *fp, int family, struct hostent **host); + int ares__read_line(FILE *fp, char **buf, size_t *bufsize); + void ares__free_query(struct query *query); +-unsigned short ares__generate_new_id(rc4_key* key); ++ ++ares_rand_state *ares__init_rand_state(void); ++void ares__destroy_rand_state(ares_rand_state *state); ++unsigned short ares__generate_new_id(ares_rand_state *state); + struct timeval ares__tvnow(void); + int ares__expand_name_validated(const unsigned char *encoded, + const unsigned char *abuf, +diff --git a/src/lib/ares_query.c b/src/lib/ares_query.c +index 508274db..42323bec 100644 +--- a/src/lib/ares_query.c ++++ b/src/lib/ares_query.c +@@ -33,32 +33,6 @@ struct qquery { + + static void qcallback(void *arg, int status, int timeouts, unsigned char *abuf, int alen); + +-static void rc4(rc4_key* key, unsigned char *buffer_ptr, int buffer_len) +-{ +- unsigned char x; +- unsigned char y; +- unsigned char* state; +- unsigned char xorIndex; +- int counter; +- +- x = key->x; +- y = key->y; +- +- state = &key->state[0]; +- for(counter = 0; counter < buffer_len; counter ++) +- { +- x = (unsigned char)((x + 1) % 256); +- y = (unsigned char)((state[x] + y) % 256); +- ARES_SWAP_BYTE(&state[x], &state[y]); +- +- xorIndex = (unsigned char)((state[x] + state[y]) % 256); +- +- buffer_ptr[counter] = (unsigned char)(buffer_ptr[counter]^state[xorIndex]); +- } +- key->x = x; +- key->y = y; +-} +- + static struct query* find_query_by_id(ares_channel channel, unsigned short id) + { + unsigned short qid; +@@ -78,7 +52,6 @@ static struct query* find_query_by_id(ares_channel channel, unsigned short id) + return NULL; + } + +- + /* a unique query id is generated using an rc4 key. Since the id may already + be used by a running query (as infrequent as it may be), a lookup is + performed per id generation. In practice this search should happen only +@@ -89,19 +62,12 @@ static unsigned short generate_unique_id(ares_channel channel) + unsigned short id; + + do { +- id = ares__generate_new_id(&channel->id_key); ++ id = ares__generate_new_id(channel->rand_state); + } while (find_query_by_id(channel, id)); + + return (unsigned short)id; + } + +-unsigned short ares__generate_new_id(rc4_key* key) +-{ +- unsigned short r=0; +- rc4(key, (unsigned char *)&r, sizeof(r)); +- return r; +-} +- + void ares_query(ares_channel channel, const char *name, int dnsclass, + int type, ares_callback callback, void *arg) + { +diff --git a/src/lib/ares_rand.c b/src/lib/ares_rand.c +new file mode 100644 +index 00000000..a564bc23 +--- /dev/null ++++ b/src/lib/ares_rand.c +@@ -0,0 +1,274 @@ ++/* Copyright 1998 by the Massachusetts Institute of Technology. ++ * Copyright (C) 2007-2013 by Daniel Stenberg ++ * ++ * Permission to use, copy, modify, and distribute this ++ * software and its documentation for any purpose and without ++ * fee is hereby granted, provided that the above copyright ++ * notice appear in all copies and that both that copyright ++ * notice and this permission notice appear in supporting ++ * documentation, and that the name of M.I.T. not be used in ++ * advertising or publicity pertaining to distribution of the ++ * software without specific, written prior permission. ++ * M.I.T. makes no representations about the suitability of ++ * this software for any purpose. It is provided "as is" ++ * without express or implied warranty. ++ */ ++ ++#include "ares_setup.h" ++#include "ares.h" ++#include "ares_private.h" ++#include "ares_nowarn.h" ++#include <stdlib.h> ++ ++typedef enum { ++ ARES_RAND_OS = 1, /* OS-provided such as RtlGenRandom or arc4random */ ++ ARES_RAND_FILE = 2, /* OS file-backed random number generator */ ++ ARES_RAND_RC4 = 3 /* Internal RC4 based PRNG */ ++} ares_rand_backend; ++ ++typedef struct ares_rand_rc4 ++{ ++ unsigned char S[256]; ++ size_t i; ++ size_t j; ++} ares_rand_rc4; ++ ++struct ares_rand_state ++{ ++ ares_rand_backend type; ++ union { ++ FILE *rand_file; ++ ares_rand_rc4 rc4; ++ } state; ++}; ++ ++ ++/* Define RtlGenRandom = SystemFunction036. This is in advapi32.dll. There is ++ * no need to dynamically load this, other software used widely does not. ++ * http://blogs.msdn.com/michael_howard/archive/2005/01/14/353379.aspx ++ * https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-rtlgenrandom ++ */ ++#ifdef _WIN32 ++BOOLEAN WINAPI SystemFunction036(PVOID RandomBuffer, ULONG RandomBufferLength); ++# ifndef RtlGenRandom ++# define RtlGenRandom(a,b) SystemFunction036(a,b) ++# endif ++#endif ++ ++ ++#define ARES_RC4_KEY_LEN 32 /* 256 bits */ ++ ++static unsigned int ares_u32_from_ptr(void *addr) ++{ ++ if (sizeof(void *) == 8) { ++ return (unsigned int)((((size_t)addr >> 32) & 0xFFFFFFFF) | ((size_t)addr & 0xFFFFFFFF)); ++ } ++ return (unsigned int)((size_t)addr & 0xFFFFFFFF); ++} ++ ++ ++/* initialize an rc4 key as the last possible fallback. */ ++static void ares_rc4_generate_key(ares_rand_rc4 *rc4_state, unsigned char *key, size_t key_len) ++{ ++ size_t i; ++ size_t len = 0; ++ unsigned int data; ++ struct timeval tv; ++ ++ if (key_len != ARES_RC4_KEY_LEN) ++ return; ++ ++ /* Randomness is hard to come by. Maybe the system randomizes heap and stack addresses. ++ * Maybe the current timestamp give us some randomness. ++ * Use rc4_state (heap), &i (stack), and ares__tvnow() ++ */ ++ data = ares_u32_from_ptr(rc4_state); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ data = ares_u32_from_ptr(&i); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ tv = ares__tvnow(); ++ data = (unsigned int)((tv.tv_sec | tv.tv_usec) & 0xFFFFFFFF); ++ memcpy(key + len, &data, sizeof(data)); ++ len += sizeof(data); ++ ++ srand(ares_u32_from_ptr(rc4_state) | ares_u32_from_ptr(&i) | (unsigned int)((tv.tv_sec | tv.tv_usec) & 0xFFFFFFFF)); ++ ++ for (i=len; i<key_len; i++) { ++ key[i]=(unsigned char)(rand() % 256); /* LCOV_EXCL_LINE */ ++ } ++} ++ ++ ++static void ares_rc4_init(ares_rand_rc4 *rc4_state) ++{ ++ unsigned char key[ARES_RC4_KEY_LEN]; ++ size_t i; ++ size_t j; ++ ++ ares_rc4_generate_key(rc4_state, key, sizeof(key)); ++ ++ for (i = 0; i < sizeof(rc4_state->S); i++) { ++ rc4_state->S[i] = i & 0xFF; ++ } ++ ++ for(i = 0, j = 0; i < 256; i++) { ++ j = (j + rc4_state->S[i] + key[i % sizeof(key)]) % 256; ++ ARES_SWAP_BYTE(&rc4_state->S[i], &rc4_state->S[j]); ++ } ++ ++ rc4_state->i = 0; ++ rc4_state->j = 0; ++} ++ ++/* Just outputs the key schedule, no need to XOR with any data since we have none */ ++static void ares_rc4_prng(ares_rand_rc4 *rc4_state, unsigned char *buf, int len) ++{ ++ unsigned char *S = rc4_state->S; ++ size_t i = rc4_state->i; ++ size_t j = rc4_state->j; ++ size_t cnt; ++ ++ for (cnt=0; cnt<len; cnt++) { ++ i = (i + 1) % 256; ++ j = (j + S[i]) % 256; ++ ++ ARES_SWAP_BYTE(&S[i], &S[j]); ++ buf[cnt] = S[(S[i] + S[j]) % 256]; ++ } ++ ++ rc4_state->i = i; ++ rc4_state->j = j; ++} ++ ++ ++static int ares__init_rand_engine(ares_rand_state *state) ++{ ++ memset(state, 0, sizeof(*state)); ++ ++#if defined(HAVE_ARC4RANDOM_BUF) || defined(_WIN32) ++ state->type = ARES_RAND_OS; ++ return 1; ++#elif defined(CARES_RANDOM_FILE) ++ state->type = ARES_RAND_FILE; ++ state->state.rand_file = fopen(CARES_RANDOM_FILE, "rb"); ++ if (state->state.rand_file) { ++ setvbuf(state->state.rand_file, NULL, _IONBF, 0); ++ return 1; ++ } ++ /* Fall-Thru on failure to RC4 */ ++#endif ++ ++ state->type = ARES_RAND_RC4; ++ ares_rc4_init(&state->state.rc4); ++ ++ /* Currently cannot fail */ ++ return 1; ++} ++ ++ ++ares_rand_state *ares__init_rand_state() ++{ ++ ares_rand_state *state = NULL; ++ ++ state = ares_malloc(sizeof(*state)); ++ if (!state) ++ return NULL; ++ ++ if (!ares__init_rand_engine(state)) { ++ ares_free(state); ++ return NULL; ++ } ++ ++ return state; ++} ++ ++ ++static void ares__clear_rand_state(ares_rand_state *state) ++{ ++ if (!state) ++ return; ++ ++ switch (state->type) { ++ case ARES_RAND_OS: ++ break; ++ case ARES_RAND_FILE: ++ fclose(state->state.rand_file); ++ break; ++ case ARES_RAND_RC4: ++ break; ++ } ++} ++ ++ ++static void ares__reinit_rand(ares_rand_state *state) ++{ ++ ares__clear_rand_state(state); ++ ares__init_rand_engine(state); ++} ++ ++ ++void ares__destroy_rand_state(ares_rand_state *state) ++{ ++ if (!state) ++ return; ++ ++ ares__clear_rand_state(state); ++ ares_free(state); ++} ++ ++ ++static void ares__rand_bytes(ares_rand_state *state, unsigned char *buf, size_t len) ++{ ++ ++ while (1) { ++ size_t rv; ++ size_t bytes_read = 0; ++ ++ switch (state->type) { ++ case ARES_RAND_OS: ++#ifdef _WIN32 ++ RtlGenRandom(buf, len); ++ return; ++#elif defined(HAVE_ARC4RANDOM_BUF) ++ arc4random_buf(buf, len); ++ return; ++#else ++ /* Shouldn't be possible to be here */ ++ break; ++#endif ++ ++ case ARES_RAND_FILE: ++ while (1) { ++ size_t rv = fread(buf + bytes_read, 1, len - bytes_read, state->state.rand_file); ++ if (rv == 0) ++ break; /* critical error, will reinit rand state */ ++ ++ bytes_read += rv; ++ if (bytes_read == len) ++ return; ++ } ++ break; ++ ++ case ARES_RAND_RC4: ++ ares_rc4_prng(&state->state.rc4, buf, len); ++ return; ++ } ++ ++ /* If we didn't return before we got here, that means we had a critical rand ++ * failure and need to reinitialized */ ++ ares__reinit_rand(state); ++ } ++} ++ ++unsigned short ares__generate_new_id(ares_rand_state *state) ++{ ++ unsigned short r=0; ++ ++ ares__rand_bytes(state, (unsigned char *)&r, sizeof(r)); ++ return r; ++} ++ +-- +2.25.1 + diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch new file mode 100644 index 0000000000..63192d3c81 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch @@ -0,0 +1,84 @@ +From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 22 May 2023 06:51:49 -0400 +Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc + +Link: https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1 + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae] +CVE: CVE-2023-32067 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/lib/ares_process.c | 41 +++++++++++++++++++++++++---------------- + 1 file changed, 25 insertions(+), 16 deletions(-) + +diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c +index bf0cde464..6cac0a99f 100644 +--- a/src/lib/ares_process.c ++++ b/src/lib/ares_process.c +@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, + { + struct server_state *server; + int i; +- ares_ssize_t count; ++ ares_ssize_t read_len; + unsigned char buf[MAXENDSSZ + 1]; + #ifdef HAVE_RECVFROM + ares_socklen_t fromlen; +@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds, + /* To reduce event loop overhead, read and process as many + * packets as we can. */ + do { +- if (server->udp_socket == ARES_SOCKET_BAD) +- count = 0; +- +- else { +- if (server->addr.family == AF_INET) ++ if (server->udp_socket == ARES_SOCKET_BAD) { ++ read_len = -1; ++ } else { ++ if (server->addr.family == AF_INET) { + fromlen = sizeof(from.sa4); +- else ++ } else { + fromlen = sizeof(from.sa6); +- count = socket_recvfrom(channel, server->udp_socket, (void *)buf, +- sizeof(buf), 0, &from.sa, &fromlen); ++ } ++ read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf, ++ sizeof(buf), 0, &from.sa, &fromlen); + } + +- if (count == -1 && try_again(SOCKERRNO)) ++ if (read_len == 0) { ++ /* UDP is connectionless, so result code of 0 is a 0-length UDP ++ * packet, and not an indication the connection is closed like on ++ * tcp */ + continue; +- else if (count <= 0) ++ } else if (read_len < 0) { ++ if (try_again(SOCKERRNO)) ++ continue; ++ + handle_error(channel, i, now); ++ + #ifdef HAVE_RECVFROM +- else if (!same_address(&from.sa, &server->addr)) ++ } else if (!same_address(&from.sa, &server->addr)) { + /* The address the response comes from does not match the address we + * sent the request to. Someone may be attempting to perform a cache + * poisoning attack. */ +- break; ++ continue; + #endif +- else +- process_answer(channel, buf, (int)count, i, 0, now); +- } while (count > 0); ++ ++ } else { ++ process_answer(channel, buf, (int)read_len, i, 0, now); ++ } ++ } while (read_len >= 0); + } + } + diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch new file mode 100644 index 0000000000..2887634289 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2024-25629.patch @@ -0,0 +1,32 @@ +From: a804c04ddc8245fc8adf0e92368709639125e183 Mon Sep 17 00:00:00 2001 +From: Brad House <brad@brad-house.com> +Date: Mon, 11 Mar 2024 14:29:39 +0000 +Subject: [PATCH] Merge pull request from GHSA-mg26-v6qh-x48q + +CVE: CVE-2024-25629 +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183] +Signed-off-by: Ashish Sharma <asharma@mvista.com> +--- + src/lib/ares__read_line.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c +index c62ad2a..d6625a3 100644 +--- a/src/lib/ares__read_line.c ++++ b/src/lib/ares__read_line.c +@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize) + if (!fgets(*buf + offset, bytestoread, fp)) + return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF; + len = offset + strlen(*buf + offset); ++ ++ /* Probably means there was an embedded NULL as the first character in ++ * the line, throw away line */ ++ if (len == 0) { ++ offset = 0; ++ continue; ++ } ++ + if ((*buf)[len - 1] == '\n') + { + (*buf)[len - 1] = 0; +-- diff --git a/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch b/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch deleted file mode 100644 index 0eb7e4bbb3..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares/cmake-install-libcares.pc.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 12414304245cce6ef0e8b9547949be5109845353 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Tue, 24 Jul 2018 13:33:33 +0800 -Subject: [PATCH] cmake: Install libcares.pc - -Prepare and install libcares.pc file during cmake build, so libraries -using pkg-config to find libcares will not fail. - -Signed-off-by: Alexey Firago <alexey_firago@mentor.com> - -update to 1.14.0, fix patch warning - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - CMakeLists.txt | 28 +++++++++++++++++++++++----- - 1 file changed, 23 insertions(+), 5 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index fd123e1..3a5878d 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -214,22 +214,25 @@ ADD_DEFINITIONS(${SYSFLAGS}) - - - # Tell C-Ares about libraries to depend on -+# Also pass these libraries to pkg-config file -+SET(CARES_PRIVATE_LIBS_LIST) - IF (HAVE_LIBRESOLV) -- LIST (APPEND CARES_DEPENDENT_LIBS resolv) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lresolv") - ENDIF () - IF (HAVE_LIBNSL) -- LIST (APPEND CARES_DEPENDENT_LIBS nsl) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lnsl") - ENDIF () - IF (HAVE_LIBSOCKET) -- LIST (APPEND CARES_DEPENDENT_LIBS socket) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lsocket") - ENDIF () - IF (HAVE_LIBRT) -- LIST (APPEND CARES_DEPENDENT_LIBS rt) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lrt") - ENDIF () - IF (WIN32) -- LIST (APPEND CARES_DEPENDENT_LIBS ws2_32 Advapi32) -+ LIST (APPEND CARES_PRIVATE_LIBS_LIST "-lws2_32") - ENDIF () - -+string (REPLACE ";" " " CARES_PRIVATE_LIBS "${CARES_PRIVATE_LIBS_LIST}") - - # When checking for symbols, we need to make sure we set the proper - # headers, libraries, and definitions for the detection to work properly -@@ -554,6 +557,15 @@ CONFIGURE_FILE (ares_build.h.cmake ${PROJECT_BINARY_DIR}/ares_build.h) - # Write ares_config.h configuration file. This is used only for the build. - CONFIGURE_FILE (ares_config.h.cmake ${PROJECT_BINARY_DIR}/ares_config.h) - -+# Pass required CFLAGS to pkg-config in case of static library -+IF (CARES_STATIC) -+ SET (CPPFLAG_CARES_STATICLIB "-DCARES_STATICLIB") -+ENDIF() -+ -+# Write ares_config.h configuration file. This is used only for the build. -+CONFIGURE_FILE (libcares.pc.cmakein ${PROJECT_BINARY_DIR}/libcares.pc @ONLY) -+ -+ - - # TRANSFORM_MAKEFILE_INC - # -@@ -728,6 +740,12 @@ IF (CARES_INSTALL) - INSTALL (FILES "${CMAKE_CURRENT_BINARY_DIR}/libcares.pc" COMPONENT Devel DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig") - ENDIF () - -+# pkg-config file -+IF (CARES_INSTALL) -+ SET (PKGCONFIG_INSTALL_DIR "${CMAKE_INSTALL_LIBDIR}/pkgconfig") -+ INSTALL (FILES "${CMAKE_CURRENT_BINARY_DIR}/libcares.pc" DESTINATION ${PKGCONFIG_INSTALL_DIR}) -+ENDIF () -+ - # Legacy chain-building variables (provided for compatibility with old code). - # Don't use these, external code should be updated to refer to the aliases directly (e.g., Cares::cares). - SET (CARES_FOUND 1 CACHE INTERNAL "CARES LIBRARY FOUND") --- -2.17.1 - diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.0.bb b/meta-oe/recipes-support/c-ares/c-ares_1.16.0.bb deleted file mode 100644 index e235b9b954..0000000000 --- a/meta-oe/recipes-support/c-ares/c-ares_1.16.0.bb +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright (c) 2012-2014 LG Electronics, Inc. -SUMMARY = "c-ares is a C library that resolves names asynchronously." -HOMEPAGE = "http://daniel.haxx.se/projects/c-ares/" -SECTION = "libs" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006" - -PV = "1.16.0+gitr${SRCPV}" - -SRC_URI = "\ - git://github.com/c-ares/c-ares.git \ - file://cmake-install-libcares.pc.patch \ - file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \ -" -SRCREV = "077a587dccbe2f0d8a1987fbd3525333705c2249" - -UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)" - -S = "${WORKDIR}/git" - -inherit cmake pkgconfig - -PACKAGES =+ "${PN}-utils" - -FILES_${PN}-utils = "${bindir}" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb new file mode 100644 index 0000000000..b5936e1ad0 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb @@ -0,0 +1,31 @@ +# Copyright (c) 2012-2014 LG Electronics, Inc. +SUMMARY = "c-ares is a C library that resolves names asynchronously." +HOMEPAGE = "http://daniel.haxx.se/projects/c-ares/" +SECTION = "libs" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006" + +SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \ + file://CVE-2022-4904.patch \ + file://CVE-2023-31130.patch \ + file://CVE-2023-31147.patch \ + file://CVE-2023-32067.patch \ + file://CVE-2024-25629.patch \ + " +SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed" + +UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)" + +S = "${WORKDIR}/git" + +inherit cmake pkgconfig + +PACKAGES =+ "${PN}-utils" + +FILES_${PN}-utils = "${bindir}" + +BBCLASSEXTEND = "native nativesdk" + +# this vulneribility applies only when cross-compiling using autotools +# yocto cross-compiles via cmake which is also listed as official workaround +CVE_CHECK_WHITELIST += "CVE-2023-31124" diff --git a/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb b/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb index ac463038aa..e0e50366d4 100644 --- a/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb +++ b/meta-oe/recipes-support/ceres-solver/ceres-solver_1.14.0.bb @@ -6,13 +6,21 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=35e00f0c4c96a0820a03e0b31e6416be" DEPENDS = "libeigen glog" -SRC_URI = "git://github.com/ceres-solver/ceres-solver.git" +SRC_URI = "git://github.com/ceres-solver/ceres-solver.git;branch=master;protocol=https" SRCREV = "facb199f3eda902360f9e1d5271372b7e54febe1" S = "${WORKDIR}/git" inherit cmake +do_configure_prepend() { + # otherwise https://github.com/ceres-solver/ceres-solver/blob/0b748597889f460764f6c980a00c6f502caa3875/cmake/AddGerritCommitHook.cmake#L68 + # will try to fetch https://ceres-solver-review.googlesource.com/tools/hooks/commit-msg durind do_configure + # which sometimes gets stuck (as there is no TIMEOUT set in DOWNLOAD) + # and we really don't need Gerrit's Change-Id tags when just building this + touch ${S}/.git/hooks/commit-msg +} + # We don't want path to eigen3 in ceres-solver RSS to be # used by components which use CeresConfig.cmake from their # own RSS diff --git a/meta-oe/recipes-support/cli11/cli11_1.8.0.bb b/meta-oe/recipes-support/cli11/cli11_1.8.0.bb index dd129cbec9..a49eab72fd 100644 --- a/meta-oe/recipes-support/cli11/cli11_1.8.0.bb +++ b/meta-oe/recipes-support/cli11/cli11_1.8.0.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b73927b18d5c6cd8d2ed28a6ad539733" SRCREV = "13becaddb657eacd090537719a669d66d393b8b2" PV .= "+git${SRCPV}" -SRC_URI += "gitsm://github.com/CLIUtils/CLI11 \ +SRC_URI += "gitsm://github.com/CLIUtils/CLI11;branch=main;protocol=https \ file://0001-Add-CLANG_TIDY-check.patch \ file://0001-Use-GNUInstallDirs-instead-of-hard-coded-path.patch \ " diff --git a/meta-oe/recipes-support/cmark/cmark_git.bb b/meta-oe/recipes-support/cmark/cmark_git.bb index f74a39b500..4f07beb317 100644 --- a/meta-oe/recipes-support/cmark/cmark_git.bb +++ b/meta-oe/recipes-support/cmark/cmark_git.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/commonmark/cmark" LICENSE = "BSD-2-Clause & MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=81f9cae6293cc0345a9144b78152ab62" -SRC_URI = "git://github.com/commonmark/cmark.git" +SRC_URI = "git://github.com/commonmark/cmark.git;branch=master;protocol=https" SRCREV = "8daa6b1495124f0b67e6034130e12d7be83e38bd" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/daemonize/daemonize_git.bb b/meta-oe/recipes-support/daemonize/daemonize_git.bb index c76632781a..f46dec59fc 100644 --- a/meta-oe/recipes-support/daemonize/daemonize_git.bb +++ b/meta-oe/recipes-support/daemonize/daemonize_git.bb @@ -7,7 +7,7 @@ PV = "1.7.8" inherit autotools SRCREV = "18869a797dab12bf1c917ba3b4782fef484c407c" -SRC_URI = "git://github.com/bmc/daemonize.git \ +SRC_URI = "git://github.com/bmc/daemonize.git;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb b/meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb index 9fcc278d35..cac2b4fd61 100644 --- a/meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb +++ b/meta-oe/recipes-support/digitemp/digitemp_3.7.2.bb @@ -4,7 +4,7 @@ DEPENDS = "libusb1" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=44fee82a1d2ed0676cf35478283e0aa0" -SRC_URI = "git://github.com/bcl/digitemp" +SRC_URI = "git://github.com/bcl/digitemp;branch=master;protocol=https" SRCREV = "a162e63aad35358aab325388f3d5e88121606419" diff --git a/meta-oe/recipes-support/dstat/dstat_0.7.4.bb b/meta-oe/recipes-support/dstat/dstat_0.7.4.bb index 74af54ca53..18c3cdf82c 100644 --- a/meta-oe/recipes-support/dstat/dstat_0.7.4.bb +++ b/meta-oe/recipes-support/dstat/dstat_0.7.4.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS += "asciidoc-native xmlto-native" -SRC_URI = "git://github.com/dagwieers/dstat.git \ +SRC_URI = "git://github.com/dagwieers/dstat.git;branch=master;protocol=https \ file://0001-change-dstat-to-python3.patch \ " @@ -21,4 +21,4 @@ do_install() { oe_runmake 'DESTDIR=${D}' install } -RDEPENDS_${PN} += "python3-core python3-misc python3-resource python3-shell python3-unixadmin" +RDEPENDS_${PN} += "python3-core python3-misc python3-resource python3-shell python3-six python3-unixadmin" diff --git a/meta-oe/recipes-support/enca/enca_1.9.bb b/meta-oe/recipes-support/enca/enca_1.9.bb index bf19843b2f..b0ba3aedef 100644 --- a/meta-oe/recipes-support/enca/enca_1.9.bb +++ b/meta-oe/recipes-support/enca/enca_1.9.bb @@ -1,21 +1,20 @@ SUMMARY = "Enca is an Extremely Naive Charset Analyser" SECTION = "libs" -HOMEPAGE = "http://trific.ath.cx/software/enca/" +HOMEPAGE = "https://cihar.com/software/enca/" DEPENDS += "gettext-native" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=24b9569831c46d4818450b55282476b4" -SRC_URI = "http://www.sourcefiles.org/Networking/Tools/Miscellanenous/enca-${PV}.tar.bz2 \ +SRC_URI = "https://dl.cihar.com/enca/enca-${PV}.tar.gz \ file://configure-hack.patch \ file://dont-run-tests.patch \ file://configure-remove-dumbness.patch \ file://makefile-remove-tools.patch \ file://libenca-003-iconv.patch " -SRC_URI[md5sum] = "b3581e28d68d452286fb0bfe58bed3b3" -SRC_URI[sha256sum] = "02acfef2b24a9c842612da49338138311f909f1cd33933520c07b8b26c410f4d" +SRC_URI[sha256sum] = "75a38ed23bac37cc12166cc5edc8335c3af862adc202f84823d3aef3e2208e47" inherit autotools diff --git a/meta-oe/recipes-support/epeg/epeg_git.bb b/meta-oe/recipes-support/epeg/epeg_git.bb index 8ca574014b..bdffe4ba78 100644 --- a/meta-oe/recipes-support/epeg/epeg_git.bb +++ b/meta-oe/recipes-support/epeg/epeg_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e7732a9290ea1e4b034fdc15cf49968d \ file://COPYING-PLAIN;md5=f59cacc08235a546b0c34a5422133035" DEPENDS = "jpeg libexif" -SRC_URI = "git://github.com/mattes/epeg.git" +SRC_URI = "git://github.com/mattes/epeg.git;branch=master;protocol=https" SRCREV = "9a175cd67eaa61fe45413d8da82da72936567047" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch new file mode 100644 index 0000000000..e5d069487c --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29457.patch @@ -0,0 +1,26 @@ +From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001 +From: Pydera <pydera@mailbox.org> +Date: Thu, 8 Apr 2021 17:36:16 +0200 +Subject: [PATCH] Fix out of buffer access in #1529 + +--- + src/jp2image.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 88ab9b2d6..12025f966 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m) + #endif + box.length = (uint32_t) (io_->size() - io_->tell() + 8); + } +- if (box.length == 1) ++ if (box.length < 8) + { +- // FIXME. Special case. the real box size is given in another place. ++ // box is broken, so there is nothing we can do here ++ throw Error(kerCorruptedMetadata); + } + + // Read whole box : Box header + Box data (not fixed size - can be null). diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch new file mode 100644 index 0000000000..285f6fe4ce --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch @@ -0,0 +1,37 @@ +From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse <kevinbackhouse@github.com> +Date: Fri, 9 Apr 2021 13:37:48 +0100 +Subject: [PATCH] Fix integer overflow. +--- + src/crwimage_int.cpp | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp +index aefaf22..2e3e507 100644 +--- a/src/crwimage_int.cpp ++++ b/src/crwimage_int.cpp +@@ -559,7 +559,7 @@ namespace Exiv2 { + void CiffComponent::setValue(DataBuf buf) + { + if (isAllocated_) { +- delete pData_; ++ delete[] pData_; + pData_ = 0; + size_ = 0; + } +@@ -1167,7 +1167,11 @@ namespace Exiv2 { + pCrwMapping->crwDir_); + if (edX != edEnd || edY != edEnd || edO != edEnd) { + uint32_t size = 28; +- if (cc && cc->size() > size) size = cc->size(); ++ if (cc) { ++ if (cc->size() < size) ++ throw Error(kerCorruptedMetadata); ++ size = cc->size(); ++ } + DataBuf buf(size); + std::memset(buf.pData_, 0x0, buf.size_); + if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8); +-- +2.25.1 + diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch new file mode 100644 index 0000000000..5ab64a7d3e --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29463.patch @@ -0,0 +1,120 @@ +From 783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse <kevinbackhouse@github.com> +Date: Mon, 19 Apr 2021 18:06:00 +0100 +Subject: [PATCH] Improve bound checking in WebPImage::doWriteMetadata() + +--- + src/webpimage.cpp | 41 ++++++++++++++++++++++++++++++----------- + 1 file changed, 30 insertions(+), 11 deletions(-) + +diff --git a/src/webpimage.cpp b/src/webpimage.cpp +index 4ddec544c..fee110bca 100644 +--- a/src/webpimage.cpp ++++ b/src/webpimage.cpp +@@ -145,7 +145,7 @@ namespace Exiv2 { + DataBuf chunkId(WEBP_TAG_SIZE+1); + chunkId.pData_ [WEBP_TAG_SIZE] = '\0'; + +- io_->read(data, WEBP_TAG_SIZE * 3); ++ readOrThrow(*io_, data, WEBP_TAG_SIZE * 3, Exiv2::kerCorruptedMetadata); + uint64_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian); + + /* Set up header */ +@@ -185,13 +185,20 @@ namespace Exiv2 { + case we have any exif or xmp data, also check + for any chunks with alpha frame/layer set */ + while ( !io_->eof() && (uint64_t) io_->tell() < filesize) { +- io_->read(chunkId.pData_, WEBP_TAG_SIZE); +- io_->read(size_buff, WEBP_TAG_SIZE); +- long size = Exiv2::getULong(size_buff, littleEndian); ++ readOrThrow(*io_, chunkId.pData_, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata); ++ readOrThrow(*io_, size_buff, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata); ++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian); ++ ++ // Check that `size_u32` is safe to cast to `long`. ++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()), ++ Exiv2::kerCorruptedMetadata); ++ const long size = static_cast<long>(size_u32); + DataBuf payload(size); +- io_->read(payload.pData_, payload.size_); +- byte c; +- if ( payload.size_ % 2 ) io_->read(&c,1); ++ readOrThrow(*io_, payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata); ++ if ( payload.size_ % 2 ) { ++ byte c; ++ readOrThrow(*io_, &c, 1, Exiv2::kerCorruptedMetadata); ++ } + + /* Chunk with information about features + used in the file. */ +@@ -199,6 +206,7 @@ namespace Exiv2 { + has_vp8x = true; + } + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X) && !has_size) { ++ enforce(size >= 10, Exiv2::kerCorruptedMetadata); + has_size = true; + byte size_buf[WEBP_TAG_SIZE]; + +@@ -227,6 +235,7 @@ namespace Exiv2 { + } + #endif + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8) && !has_size) { ++ enforce(size >= 10, Exiv2::kerCorruptedMetadata); + has_size = true; + byte size_buf[2]; + +@@ -244,11 +253,13 @@ namespace Exiv2 { + + /* Chunk with with lossless image data. */ + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_alpha) { ++ enforce(size >= 5, Exiv2::kerCorruptedMetadata); + if ((payload.pData_[4] & WEBP_VP8X_ALPHA_BIT) == WEBP_VP8X_ALPHA_BIT) { + has_alpha = true; + } + } + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_size) { ++ enforce(size >= 5, Exiv2::kerCorruptedMetadata); + has_size = true; + byte size_buf_w[2]; + byte size_buf_h[3]; +@@ -276,11 +287,13 @@ namespace Exiv2 { + + /* Chunk with animation frame. */ + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_alpha) { ++ enforce(size >= 6, Exiv2::kerCorruptedMetadata); + if ((payload.pData_[5] & 0x2) == 0x2) { + has_alpha = true; + } + } + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_size) { ++ enforce(size >= 12, Exiv2::kerCorruptedMetadata); + has_size = true; + byte size_buf[WEBP_TAG_SIZE]; + +@@ -309,16 +322,22 @@ namespace Exiv2 { + + io_->seek(12, BasicIo::beg); + while ( !io_->eof() && (uint64_t) io_->tell() < filesize) { +- io_->read(chunkId.pData_, 4); +- io_->read(size_buff, 4); ++ readOrThrow(*io_, chunkId.pData_, 4, Exiv2::kerCorruptedMetadata); ++ readOrThrow(*io_, size_buff, 4, Exiv2::kerCorruptedMetadata); ++ ++ const uint32_t size_u32 = Exiv2::getULong(size_buff, littleEndian); + +- long size = Exiv2::getULong(size_buff, littleEndian); ++ // Check that `size_u32` is safe to cast to `long`. ++ enforce(size_u32 <= static_cast<size_t>(std::numeric_limits<unsigned int>::max()), ++ Exiv2::kerCorruptedMetadata); ++ const long size = static_cast<long>(size_u32); + + DataBuf payload(size); +- io_->read(payload.pData_, size); ++ readOrThrow(*io_, payload.pData_, size, Exiv2::kerCorruptedMetadata); + if ( io_->tell() % 2 ) io_->seek(+1,BasicIo::cur); // skip pad + + if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X)) { ++ enforce(size >= 1, Exiv2::kerCorruptedMetadata); + if (has_icc){ + payload.pData_[0] |= WEBP_VP8X_ICC_BIT; + } else { diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch new file mode 100644 index 0000000000..f0c482450c --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch @@ -0,0 +1,72 @@ +From 61734d8842cb9cc59437463e3bac54d6231d9487 Mon Sep 17 00:00:00 2001 +From: Wang Mingyu <wangmy@fujitsu.com> +Date: Tue, 18 May 2021 10:52:54 +0900 +Subject: [PATCH] modify + +Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> +--- + src/jp2image.cpp | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 52723a4..0ac4f50 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -643,11 +643,11 @@ static void boxes_check(size_t b,size_t m) + void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf) + { + DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space +- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? +- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? ++ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? ++ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? + Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_; +- int32_t length = getLong((byte*)&pBox->length, bigEndian); +- int32_t count = sizeof (Jp2BoxHeader); ++ uint32_t length = getLong((byte*)&pBox->length, bigEndian); ++ uint32_t count = sizeof (Jp2BoxHeader); + char* p = (char*) boxBuf.pData_; + bool bWroteColor = false ; + +@@ -664,6 +664,7 @@ static void boxes_check(size_t b,size_t m) + #ifdef EXIV2_DEBUG_MESSAGES + std::cout << "Jp2Image::encodeJp2Header subbox: "<< toAscii(subBox.type) << " length = " << subBox.length << std::endl; + #endif ++ enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata); + count += subBox.length; + newBox.type = subBox.type; + } else { +@@ -672,12 +673,13 @@ static void boxes_check(size_t b,size_t m) + count = length; + } + +- int32_t newlen = subBox.length; ++ uint32_t newlen = subBox.length; + if ( newBox.type == kJp2BoxTypeColorHeader ) { + bWroteColor = true ; + if ( ! iccProfileDefined() ) { + const char* pad = "\x01\x00\x00\x00\x00\x00\x10\x00\x00\x05\x1cuuid"; + uint32_t psize = 15; ++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata); + ul2Data((byte*)&newBox.length,psize ,bigEndian); + ul2Data((byte*)&newBox.type ,newBox.type,bigEndian); + ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox)); +@@ -686,6 +688,7 @@ static void boxes_check(size_t b,size_t m) + } else { + const char* pad = "\0x02\x00\x00"; + uint32_t psize = 3; ++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata); + ul2Data((byte*)&newBox.length,psize+iccProfile_.size_,bigEndian); + ul2Data((byte*)&newBox.type,newBox.type,bigEndian); + ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox) ); +@@ -694,6 +697,7 @@ static void boxes_check(size_t b,size_t m) + newlen = psize + iccProfile_.size_; + } + } else { ++ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata); + ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length); + } + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch new file mode 100644 index 0000000000..eedf9d79aa --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch @@ -0,0 +1,32 @@ +From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse <kevinbackhouse@github.com> +Date: Wed, 21 Apr 2021 12:06:04 +0100 +Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header +--- + src/jp2image.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index b424225..349a9f0 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m) + DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space + long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? + long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? ++ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata); + Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_; + uint32_t length = getLong((byte*)&pBox->length, bigEndian); ++ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata); + uint32_t count = sizeof (Jp2BoxHeader); + char* p = (char*) boxBuf.pData_; + bool bWroteColor = false ; + + while ( count < length || !bWroteColor ) { ++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata); + Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ; + + // copy data. pointer could be into a memory mapped file which we will decode! +-- +2.25.1 + diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch new file mode 100644 index 0000000000..4afedf8e59 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29473.patch @@ -0,0 +1,21 @@ +From e6a0982f7cd9282052b6e3485a458d60629ffa0b Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse <kevinbackhouse@github.com> +Date: Fri, 23 Apr 2021 11:44:44 +0100 +Subject: [PATCH] Add bounds check in Jp2Image::doWriteMetadata(). + +--- + src/jp2image.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index 1694fed27..ca8c9ddbb 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -908,6 +908,7 @@ static void boxes_check(size_t b,size_t m) + + case kJp2BoxTypeUuid: + { ++ enforce(boxBuf.size_ >= 24, Exiv2::kerCorruptedMetadata); + if(memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16) == 0) + { + #ifdef EXIV2_DEBUG_MESSAGES diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch new file mode 100644 index 0000000000..e7c5e1b656 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-3482.patch @@ -0,0 +1,54 @@ +From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001 +From: Robin Mills <robin@clanmills.com> +Date: Mon, 5 Apr 2021 20:33:25 +0100 +Subject: [PATCH] fix_1522_jp2image_exif_asan + +--- + src/jp2image.cpp | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index eb31cea4a..88ab9b2d6 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -28,6 +28,7 @@ + #include "image.hpp" + #include "image_int.hpp" + #include "basicio.hpp" ++#include "enforce.hpp" + #include "error.hpp" + #include "futils.hpp" + #include "types.hpp" +@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m) + if (io_->error()) throw Error(kerFailedToReadImageData); + if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed); + +- if (rawData.size_ > 0) ++ if (rawData.size_ > 8) // "II*\0long" + { + // Find the position of Exif header in bytes array. + long pos = ( (rawData.pData_[0] == rawData.pData_[1]) +@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m) + position = io_->tell(); + box.length = getLong((byte*)&box.length, bigEndian); + box.type = getLong((byte*)&box.type, bigEndian); ++ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata); + + if (bPrint) { + out << Internal::stringFormat("%8ld | %8ld | ", (size_t)(position - sizeof(box)), +@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m) + throw Error(kerInputDataReadFailed); + + if (bPrint) { +- out << Internal::binaryToString(makeSlice(rawData, 0, 40)); ++ out << Internal::binaryToString( ++ makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_)); + out.flush(); + } + lf(out, bLF); + +- if (bIsExif && bRecursive && rawData.size_ > 0) { ++ if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long" + if ((rawData.pData_[0] == rawData.pData_[1]) && + (rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) { + BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_)); diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index ed1e8de5c2..d5d9e62ff2 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb @@ -9,7 +9,14 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994 # Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either inherit dos2unix -SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch" +SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \ + file://CVE-2021-29457.patch \ + file://CVE-2021-29458.patch \ + file://CVE-2021-29463.patch \ + file://CVE-2021-29464.patch \ + file://CVE-2021-29470.patch \ + file://CVE-2021-29473.patch \ + file://CVE-2021-3482.patch" S = "${WORKDIR}/${BPN}-${PV}-Source" diff --git a/meta-oe/recipes-support/fmt/fmt_6.2.0.bb b/meta-oe/recipes-support/fmt/fmt_6.2.0.bb index 05dc94a990..1a05f0d547 100644 --- a/meta-oe/recipes-support/fmt/fmt_6.2.0.bb +++ b/meta-oe/recipes-support/fmt/fmt_6.2.0.bb @@ -4,7 +4,7 @@ HOMEPAGE = "https://fmt.dev" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=af88d758f75f3c5c48a967501f24384b" -SRC_URI += "git://github.com/fmtlib/fmt" +SRC_URI += "git://github.com/fmtlib/fmt;branch=master;protocol=https" SRCREV = "9bdd1596cef1b57b9556f8bef32dc4a32322ef3e" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/freerdp/freerdp_git.bb b/meta-oe/recipes-support/freerdp/freerdp_git.bb index 7cafbb7993..309acfbffc 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_git.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_git.bb @@ -16,7 +16,7 @@ PKGV = "${GITPKGVTAG}" # 2.0.0 release SRCREV = "5ab2bed8749747b8e4b2ed431fd102bc726be684" -SRC_URI = "git://github.com/FreeRDP/FreeRDP.git \ +SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \ file://winpr-makecert-Build-with-install-RPATH.patch \ " @@ -40,7 +40,7 @@ PACKAGECONFIG ??= " \ X11_DEPS = "virtual/libx11 libxinerama libxext libxcursor libxv libxi libxrender libxfixes libxdamage libxrandr libxkbfile" PACKAGECONFIG[x11] = "-DWITH_X11=ON -DWITH_XINERAMA=ON -DWITH_XEXT=ON -DWITH_XCURSOR=ON -DWITH_XV=ON -DWITH_XI=ON -DWITH_XRENDER=ON -DWITH_XFIXES=ON -DWITH_XDAMAGE=ON -DWITH_XRANDR=ON -DWITH_XKBFILE=ON,-DWITH_X11=OFF,${X11_DEPS}" -PACKAGECONFIG[wayland] = "-DWITH_WAYLAND=ON,-DWITH_WAYLAND=OFF,wayland wayland-native" +PACKAGECONFIG[wayland] = "-DWITH_WAYLAND=ON,-DWITH_WAYLAND=OFF,wayland wayland-native libxkbcommon" PACKAGECONFIG[directfb] = "-DWITH_DIRECTFB=ON,-DWITH_DIRECTFB=OFF,directfb" PACKAGECONFIG[pam] = "-DWITH_PAM=ON,-DWITH_PAM=OFF,libpam" PACKAGECONFIG[pulseaudio] = "-DWITH_PULSEAUDIO=ON,-DWITH_PULSEAUDIO=OFF,pulseaudio" diff --git a/meta-oe/recipes-support/function2/function2_4.0.0.bb b/meta-oe/recipes-support/function2/function2_4.0.0.bb index 556a25aa14..07aa669375 100644 --- a/meta-oe/recipes-support/function2/function2_4.0.0.bb +++ b/meta-oe/recipes-support/function2/function2_4.0.0.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=e4224ccaecb14d942c71d31bef20d78c" SRCREV = "d2acdb6c3c7612a6133cd03464ef941161258f4e" PV .= "+git${SRCPV}" -SRC_URI += "gitsm://github.com/Naios/function2" +SRC_URI += "gitsm://github.com/Naios/function2;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/gd/gd_2.3.0.bb b/meta-oe/recipes-support/gd/gd_2.3.0.bb index eec8a05ae8..8adb7db4d1 100644 --- a/meta-oe/recipes-support/gd/gd_2.3.0.bb +++ b/meta-oe/recipes-support/gd/gd_2.3.0.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=8e5bc8627b9494741c905d65238c66b7" DEPENDS = "freetype libpng jpeg zlib tiff" -SRC_URI = "git://github.com/libgd/libgd.git;branch=master \ +SRC_URI = "git://github.com/libgd/libgd.git;branch=master;protocol=https \ " SRCREV = "b079fa06223c3ab862c8f0eea58a968727971988" diff --git a/meta-oe/recipes-support/gflags/gflags_2.2.2.bb b/meta-oe/recipes-support/gflags/gflags_2.2.2.bb index 6eea0c00ec..4379c2d9e1 100644 --- a/meta-oe/recipes-support/gflags/gflags_2.2.2.bb +++ b/meta-oe/recipes-support/gflags/gflags_2.2.2.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/gflags/gflags" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING.txt;md5=c80d1a3b623f72bb85a4c75b556551df" -SRC_URI = "git://github.com/gflags/gflags.git" +SRC_URI = "git://github.com/gflags/gflags.git;branch=master;protocol=https" SRCREV = "e171aa2d15ed9eb17054558e0b3a6a413bb01067" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/glog/glog_0.3.5.bb b/meta-oe/recipes-support/glog/glog_0.3.5.bb index 9a8332836b..55ca838cd7 100644 --- a/meta-oe/recipes-support/glog/glog_0.3.5.bb +++ b/meta-oe/recipes-support/glog/glog_0.3.5.bb @@ -7,7 +7,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=dc9db360e0bbd4e46672f3fd91dd6c4b" SRC_URI = " \ - git://github.com/google/glog.git;nobranch=1 \ + git://github.com/google/glog.git;nobranch=1;protocol=https \ file://0001-Rework-CMake-glog-VERSION-management.patch \ file://0002-Find-Libunwind-during-configure.patch \ file://0003-installation-path-fix.patch \ @@ -25,3 +25,10 @@ PACKAGECONFIG_remove_riscv32 = "unwind" PACKAGECONFIG[unwind] = "-DWITH_UNWIND=ON,-DWITH_UNWIND=OFF,libunwind,libunwind" PACKAGECONFIG[shared] = "-DBUILD_SHARED_LIBS=ON,-DBUILD_SHARED_LIBS=OFF,," + +do_configure_append() { + # remove WORKDIR info to improve reproducibility + if [ -f "${B}/config.h" ] ; then + sed -i 's/'$(echo ${WORKDIR} | sed 's_/_\\/_g')'/../g' ${B}/config.h + fi +} diff --git a/meta-oe/recipes-support/gnulib/gnulib_2018-03-07.03.bb b/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb index 146747eee1..ac46b5676c 100644 --- a/meta-oe/recipes-support/gnulib/gnulib_2018-03-07.03.bb +++ b/meta-oe/recipes-support/gnulib/gnulib_2018-12-18.bb @@ -13,7 +13,7 @@ LICENSE = "LGPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=56a22a6e5bcce45e2c8ac184f81412b5" SRCREV = "0d6e3307bbdb8df4d56043d5f373eeeffe4cbef3" -SRC_URI = "git://git.sv.gnu.org/gnulib.git \ +SRC_URI = "git://git.sv.gnu.org/gnulib.git;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb b/meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb index b7b7839313..1a1f7db5cf 100644 --- a/meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb +++ b/meta-oe/recipes-support/gperftools/gperftools_2.7.90.bb @@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=762732742c73dc6c7fbe8632f06c059a" SRCREV = "db7aa547abb5abdd558587a15502584cbc825438" -SRC_URI = "git://github.com/gperftools/gperftools \ +SRC_URI = "git://github.com/gperftools/gperftools;branch=master;protocol=https \ file://0001-Support-Atomic-ops-on-clang.patch \ file://0001-fix-build-with-musl-libc.patch \ file://0001-disbale-heap-checkers-and-debug-allocator-on-musl.patch \ diff --git a/meta-oe/recipes-support/gpm/gpm_git.bb b/meta-oe/recipes-support/gpm/gpm_git.bb index 3800d147f9..6bf071d89e 100644 --- a/meta-oe/recipes-support/gpm/gpm_git.bb +++ b/meta-oe/recipes-support/gpm/gpm_git.bb @@ -13,7 +13,7 @@ SRCREV = "1fd19417b8a4dd9945347e98dfa97e4cfd798d77" DEPENDS = "ncurses bison-native" -SRC_URI = "git://github.com/telmich/gpm;protocol=git \ +SRC_URI = "git://github.com/telmich/gpm;protocol=https;branch=master \ file://init \ file://gpm.service.in \ file://0001-Use-sigemptyset-API-instead-of-__sigemptyset.patch \ diff --git a/meta-oe/recipes-support/hidapi/hidapi_git.bb b/meta-oe/recipes-support/hidapi/hidapi_git.bb index a34797ff51..1cc3acac2c 100644 --- a/meta-oe/recipes-support/hidapi/hidapi_git.bb +++ b/meta-oe/recipes-support/hidapi/hidapi_git.bb @@ -8,7 +8,7 @@ DEPENDS = "libusb udev" PV = "0.7.99+0.8.0-rc1+git${SRCPV}" SRCREV = "d17db57b9d4354752e0af42f5f33007a42ef2906" -SRC_URI = "git://github.com/signal11/hidapi.git" +SRC_URI = "git://github.com/signal11/hidapi.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb b/meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb index 3da67d1e3a..2e902ca4cb 100644 --- a/meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb +++ b/meta-oe/recipes-support/hunspell/hunspell-dictionaries.bb @@ -135,7 +135,7 @@ RDEPENDS_${PN} = "hunspell" PV = "0.0.0+git${SRCPV}" SRCREV = "820a65e539e34a3a8c2a855d2450b84745c624ee" -SRC_URI = "git://github.com/wooorm/dictionaries.git" +SRC_URI = "git://github.com/wooorm/dictionaries.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb b/meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb index c2fb4fa05b..63d68ea06b 100644 --- a/meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb +++ b/meta-oe/recipes-support/hunspell/hunspell_1.7.0.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = " \ " SRCREV = "4ddd8ed5ca6484b930b111aec50c2750a6119a0f" -SRC_URI = "git://github.com/${BPN}/${BPN}.git" +SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/hwdata/hwdata_git.bb b/meta-oe/recipes-support/hwdata/hwdata_git.bb index 5f3e3f686a..1d0c640003 100644 --- a/meta-oe/recipes-support/hwdata/hwdata_git.bb +++ b/meta-oe/recipes-support/hwdata/hwdata_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=1556547711e8246992b999edd9445a57" PV = "0.333" SRCREV = "2de52be0d00015fa6cde70bb845fa9b86cf6f420" -SRC_URI = "git://github.com/vcrhonek/${BPN}.git" +SRC_URI = "git://github.com/vcrhonek/${BPN}.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/iksemel/iksemel_1.5.bb b/meta-oe/recipes-support/iksemel/iksemel_1.5.bb index 986984d1ff..ac23630d01 100644 --- a/meta-oe/recipes-support/iksemel/iksemel_1.5.bb +++ b/meta-oe/recipes-support/iksemel/iksemel_1.5.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499" SRCREV = "978b733462e41efd5db72bc9974cb3b0d1d5f6fa" PV = "1.5+git${SRCPV}" -SRC_URI = "git://github.com/meduketto/iksemel.git;protocol=https \ +SRC_URI = "git://github.com/meduketto/iksemel.git;protocol=https;branch=master \ file://fix-configure-option-parsing.patch \ file://avoid-obsolete-gnutls-apis.patch" diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb index 3f7d06e261..21f51ff155 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.0.9.bb @@ -10,7 +10,7 @@ DEPENDS = "lcms bzip2 jpeg libpng tiff zlib fftw freetype libtool" BASE_PV := "${PV}" PV .= "_13" -SRC_URI = "git://github.com/ImageMagick/ImageMagick.git " +SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=https" SRCREV = "15b935d64f613b5a0fc9d3fead5c6ec1b0e3908f" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/inih/libinih_git.bb b/meta-oe/recipes-support/inih/libinih_git.bb index 227e2a7b7c..4c3c8f0fa7 100644 --- a/meta-oe/recipes-support/inih/libinih_git.bb +++ b/meta-oe/recipes-support/inih/libinih_git.bb @@ -9,7 +9,7 @@ PR = "r3" # The github repository provides a cmake and pkg-config integration SRCREV = "c858aff8c31fa63ef4d1e0176c10e5928cde9a23" -SRC_URI = "git://github.com/OSSystems/inih.git \ +SRC_URI = "git://github.com/OSSystems/inih.git;branch=master;protocol=https \ " UPSTREAM_CHECK_COMMITS = "1" diff --git a/meta-oe/recipes-support/iniparser/iniparser_4.1.bb b/meta-oe/recipes-support/iniparser/iniparser_4.1.bb index f4b553a578..f3593fb5ff 100644 --- a/meta-oe/recipes-support/iniparser/iniparser_4.1.bb +++ b/meta-oe/recipes-support/iniparser/iniparser_4.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e02baf71c76e0650e667d7da133379ac" DEPENDS = "doxygen-native" -SRC_URI = "git://github.com/ndevilla/iniparser.git;protocol=https \ +SRC_URI = "git://github.com/ndevilla/iniparser.git;protocol=https;branch=master \ file://Add-CMake-support.patch" # tag 4.1 diff --git a/meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb b/meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb index f42abeb2ba..1d84bfd498 100644 --- a/meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb +++ b/meta-oe/recipes-support/inotify-tools/inotify-tools_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ac6c26e52aea428ee7f56dc2c56424c6" SRCREV = "cfa93aa19f81d85b63cd64da30c7499890d4c07d" PV = "3.20.2.2" -SRC_URI = "git://github.com/rvoicilas/${BPN} \ +SRC_URI = "git://github.com/rvoicilas/${BPN};branch=master;protocol=https \ file://0001-Makefile.am-add-build-rule-for-README.patch \ " diff --git a/meta-oe/recipes-support/lcov/lcov_1.14.bb b/meta-oe/recipes-support/lcov/lcov_1.14.bb index 0cc8b31b3f..5e8fb938cf 100755 --- a/meta-oe/recipes-support/lcov/lcov_1.14.bb +++ b/meta-oe/recipes-support/lcov/lcov_1.14.bb @@ -59,7 +59,7 @@ SRC_URI[md5sum] = "0220d01753469f83921f8f41ae5054c1" SRC_URI[sha256sum] = "14995699187440e0ae4da57fe3a64adc0a3c5cf14feab971f8db38fb7d8f071a" do_install() { - oe_runmake install PREFIX=${D}${prefix} CFG_DIR=${D}${sysconfdir} + oe_runmake install PREFIX=${D}${prefix} CFG_DIR=${D}${sysconfdir} LCOV_PERL_PATH="/usr/bin/env perl" } BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb b/meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb index 4cfb732932..d084a3b9b1 100644 --- a/meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb +++ b/meta-oe/recipes-support/libatasmart/libatasmart_0.19.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://LGPL;md5=2d5025d4aa3495befef8f17206a5b0a1" DEPENDS = "udev" SRCREV = "de6258940960443038b4c1651dfda3620075e870" -SRC_URI = "git://git.0pointer.de/libatasmart.git \ +SRC_URI = "git://git.0pointer.de/libatasmart.git;branch=master \ file://0001-Makefile.am-add-CFLAGS-and-LDFLAGS-definiton.patch \ " diff --git a/meta-oe/recipes-support/libb64/libb64/0001-example-Do-not-run-the-tests.patch b/meta-oe/recipes-support/libb64/libb64/0001-example-Do-not-run-the-tests.patch new file mode 100644 index 0000000000..ea3ddfb64b --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0001-example-Do-not-run-the-tests.patch @@ -0,0 +1,27 @@ +From 68f66d1583be670eb8d5f3f38dbd5dd1d63b733c Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 21:41:04 -0700 +Subject: [PATCH] example: Do not run the tests + +Upstream-Status: Inappropritate [Cross-compile specific] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + examples/Makefile | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/examples/Makefile b/examples/Makefile +index d9667a5..554b346 100644 +--- a/examples/Makefile ++++ b/examples/Makefile +@@ -33,11 +33,8 @@ depend: $(SOURCES) + makedepend -f- $(CFLAGS) $(SOURCES) 2> /dev/null 1> depend + + test-c-example1: c-example1 +- ./c-example1 + + test-c-example2: c-example2 +- ./c-example2 loremgibson.txt encoded.txt decoded.txt +- diff -q loremgibson.txt decoded.txt + + test: test-c-example1 test-c-example2 + diff --git a/meta-oe/recipes-support/libb64/libb64/0002-use-BUFSIZ-as-buffer-size.patch b/meta-oe/recipes-support/libb64/libb64/0002-use-BUFSIZ-as-buffer-size.patch new file mode 100644 index 0000000000..10ec8e14a8 --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0002-use-BUFSIZ-as-buffer-size.patch @@ -0,0 +1,57 @@ +From ee03e265804a07a0da5028b86960031bd7ab86b2 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:01:13 -0700 +Subject: [PATCH] use BUFSIZ as buffer size + +Author: Jakub Wilk <jwilk@debian.org> +Bug: http://sourceforge.net/tracker/?func=detail&atid=785907&aid=3591336&group_id=152942 + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + include/b64/decode.h | 3 ++- + include/b64/encode.h | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/b64/decode.h b/include/b64/decode.h +index 12b16ea..e9019f3 100644 +--- a/include/b64/decode.h ++++ b/include/b64/decode.h +@@ -8,6 +8,7 @@ For details, see http://sourceforge.net/projects/libb64 + #ifndef BASE64_DECODE_H + #define BASE64_DECODE_H + ++#include <cstdio> + #include <iostream> + + namespace base64 +@@ -22,7 +23,7 @@ namespace base64 + base64_decodestate _state; + int _buffersize; + +- decoder(int buffersize_in = BUFFERSIZE) ++ decoder(int buffersize_in = BUFSIZ) + : _buffersize(buffersize_in) + {} + +diff --git a/include/b64/encode.h b/include/b64/encode.h +index 5d807d9..e7a7035 100644 +--- a/include/b64/encode.h ++++ b/include/b64/encode.h +@@ -8,6 +8,7 @@ For details, see http://sourceforge.net/projects/libb64 + #ifndef BASE64_ENCODE_H + #define BASE64_ENCODE_H + ++#include <cstdio> + #include <iostream> + + namespace base64 +@@ -22,7 +23,7 @@ namespace base64 + base64_encodestate _state; + int _buffersize; + +- encoder(int buffersize_in = BUFFERSIZE) ++ encoder(int buffersize_in = BUFSIZ) + : _buffersize(buffersize_in) + {} + diff --git a/meta-oe/recipes-support/libb64/libb64/0003-fix-integer-overflows.patch b/meta-oe/recipes-support/libb64/libb64/0003-fix-integer-overflows.patch new file mode 100644 index 0000000000..8854bb6af4 --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0003-fix-integer-overflows.patch @@ -0,0 +1,77 @@ +From 7b30fbc3d47dfaf38d8ce8b8949a69d2984dac76 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:06:03 -0700 +Subject: [PATCH] fix integer overflows + +Author: Jakub Wilk <jwilk@debian.org> +Bug: http://sourceforge.net/tracker/?func=detail&aid=3591129&group_id=152942&atid=785907 + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/cdecode.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/src/cdecode.c b/src/cdecode.c +index a6c0a42..4e47e9f 100644 +--- a/src/cdecode.c ++++ b/src/cdecode.c +@@ -9,10 +9,11 @@ For details, see http://sourceforge.net/projects/libb64 + + int base64_decode_value(char value_in) + { +- static const char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; ++ static const signed char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; + static const char decoding_size = sizeof(decoding); ++ if (value_in < 43) return -1; + value_in -= 43; +- if (value_in < 0 || value_in >= decoding_size) return -1; ++ if (value_in > decoding_size) return -1; + return decoding[(int)value_in]; + } + +@@ -26,7 +27,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + { + const char* codechar = code_in; + char* plainchar = plaintext_out; +- char fragment; ++ int fragment; + + *plainchar = state_in->plainchar; + +@@ -42,7 +43,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar = (fragment & 0x03f) << 2; + case step_b: +@@ -53,7 +54,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar++ |= (fragment & 0x030) >> 4; + *plainchar = (fragment & 0x00f) << 4; +@@ -65,7 +66,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar++ |= (fragment & 0x03c) >> 2; + *plainchar = (fragment & 0x003) << 6; +@@ -77,7 +78,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar++ |= (fragment & 0x03f); + } diff --git a/meta-oe/recipes-support/libb64/libb64/0004-Fix-off-by-one-error.patch b/meta-oe/recipes-support/libb64/libb64/0004-Fix-off-by-one-error.patch new file mode 100644 index 0000000000..e19dbad08d --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0004-Fix-off-by-one-error.patch @@ -0,0 +1,26 @@ +From 8144fd9e02bd5ccd1e080297b19a1e9eb4d3ff96 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:07:15 -0700 +Subject: [PATCH] Fix off by one error + +Launchpad bug #1501176 reported by William McCall on 2015-09-30 + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/cdecode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cdecode.c b/src/cdecode.c +index 4e47e9f..45da4e1 100644 +--- a/src/cdecode.c ++++ b/src/cdecode.c +@@ -13,7 +13,7 @@ int base64_decode_value(char value_in) + static const char decoding_size = sizeof(decoding); + if (value_in < 43) return -1; + value_in -= 43; +- if (value_in > decoding_size) return -1; ++ if (value_in >= decoding_size) return -1; + return decoding[(int)value_in]; + } + diff --git a/meta-oe/recipes-support/libb64/libb64/0005-make-overriding-CFLAGS-possible.patch b/meta-oe/recipes-support/libb64/libb64/0005-make-overriding-CFLAGS-possible.patch new file mode 100644 index 0000000000..e93015ee48 --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0005-make-overriding-CFLAGS-possible.patch @@ -0,0 +1,40 @@ +From a7914d5ffee6ffdfb3f2b8ebcc22c8367d078301 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:08:43 -0700 +Subject: [PATCH] make overriding CFLAGS possible + +Author: Jakub Wilk <jwilk@debian.org> + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + base64/Makefile | 2 +- + src/Makefile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/base64/Makefile b/base64/Makefile +index 30a2c5c..783a248 100644 +--- a/base64/Makefile ++++ b/base64/Makefile +@@ -3,7 +3,7 @@ BINARIES = base64 + # Build flags (uncomment one) + ############################# + # Release build flags +-CFLAGS += -O3 ++CFLAGS ?= -O3 + ############################# + # Debug build flags + #CFLAGS += -g +diff --git a/src/Makefile b/src/Makefile +index 28b2382..48801fc 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -3,7 +3,7 @@ LIBRARIES = libb64.a + # Build flags (uncomment one) + ############################# + # Release build flags +-CFLAGS += -O3 ++CFLAGS ?= -O3 + ############################# + # Debug build flags + #CFLAGS += -g diff --git a/meta-oe/recipes-support/libb64/libb64/0006-do-not-export-the-CHARS_PER_LINE-variable.patch b/meta-oe/recipes-support/libb64/libb64/0006-do-not-export-the-CHARS_PER_LINE-variable.patch new file mode 100644 index 0000000000..9ba08c87ee --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0006-do-not-export-the-CHARS_PER_LINE-variable.patch @@ -0,0 +1,27 @@ +From a1b9bb4af819ed389675f16e4a521efeda4cc3f3 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:10:48 -0700 +Subject: [PATCH] do not export the CHARS_PER_LINE variable + +The library exports a variable named "CHARS_PER_LINE". This is a generic name that could conflict with a name in user's code. +Please either rename the variable or make it static. + +Upstream-Status: Submitted [http://sourceforge.net/tracker/?func=detail&aid=3591420&group_id=152942&atid=785907] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/cencode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cencode.c b/src/cencode.c +index 03ba5b6..3df62a8 100644 +--- a/src/cencode.c ++++ b/src/cencode.c +@@ -7,7 +7,7 @@ For details, see http://sourceforge.net/projects/libb64 + + #include <b64/cencode.h> + +-const int CHARS_PER_LINE = 72; ++static const int CHARS_PER_LINE = 72; + + void base64_init_encodestate(base64_encodestate* state_in) + { diff --git a/meta-oe/recipes-support/libb64/libb64/0007-initialize-encoder-decoder-state-in-the-constructors.patch b/meta-oe/recipes-support/libb64/libb64/0007-initialize-encoder-decoder-state-in-the-constructors.patch new file mode 100644 index 0000000000..fdf8339bed --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64/0007-initialize-encoder-decoder-state-in-the-constructors.patch @@ -0,0 +1,44 @@ +From c1ba44d83cc7d9d756cfb063717852eae9d03328 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 27 Mar 2021 22:12:41 -0700 +Subject: [PATCH] initialize encoder/decoder state in the constructors + +Author: Jakub Wilk <jwilk@debian.org> + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + include/b64/decode.h | 4 +++- + include/b64/encode.h | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/include/b64/decode.h b/include/b64/decode.h +index e9019f3..aefb7bc 100644 +--- a/include/b64/decode.h ++++ b/include/b64/decode.h +@@ -25,7 +25,9 @@ namespace base64 + + decoder(int buffersize_in = BUFSIZ) + : _buffersize(buffersize_in) +- {} ++ { ++ base64_init_decodestate(&_state); ++ } + + int decode(char value_in) + { +diff --git a/include/b64/encode.h b/include/b64/encode.h +index e7a7035..33848b3 100644 +--- a/include/b64/encode.h ++++ b/include/b64/encode.h +@@ -25,7 +25,9 @@ namespace base64 + + encoder(int buffersize_in = BUFSIZ) + : _buffersize(buffersize_in) +- {} ++ { ++ base64_init_encodestate(&_state); ++ } + + int encode(char value_in) + { diff --git a/meta-oe/recipes-support/libb64/libb64_1.2.1.bb b/meta-oe/recipes-support/libb64/libb64_1.2.1.bb new file mode 100644 index 0000000000..64a34fece7 --- /dev/null +++ b/meta-oe/recipes-support/libb64/libb64_1.2.1.bb @@ -0,0 +1,39 @@ +SUMMARY = "Base64 Encoding/Decoding Routines" +DESCRIPTION = "base64 encoding/decoding library - runtime library \ +libb64 is a library of ANSI C routines for fast encoding/decoding data into \ +and from a base64-encoded format" +HOMEPAGE = "http://libb64.sourceforge.net/" +LICENSE = "PD" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ce551aad762074c7ab618a0e07a8dca3" + +SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}/${BP}.zip \ + file://0001-example-Do-not-run-the-tests.patch \ + file://0002-use-BUFSIZ-as-buffer-size.patch \ + file://0003-fix-integer-overflows.patch \ + file://0004-Fix-off-by-one-error.patch \ + file://0005-make-overriding-CFLAGS-possible.patch \ + file://0006-do-not-export-the-CHARS_PER_LINE-variable.patch \ + file://0007-initialize-encoder-decoder-state-in-the-constructors.patch \ + " +SRC_URI[sha256sum] = "20106f0ba95cfd9c35a13c71206643e3fb3e46512df3e2efb2fdbf87116314b2" + +PARALLEL_MAKE = "" + +CFLAGS += "-fPIC" + +do_configure () { + : +} + +do_compile () { + oe_runmake + ${CC} ${LDFLAGS} ${CFLAGS} -shared -Wl,-soname,${BPN}.so.0 src/*.o -o src/${BPN}.so.0 +} + +do_install () { + install -d ${D}${includedir}/b64 + install -Dm 0644 ${B}/src/libb64.a ${D}${libdir}/libb64.a + install -Dm 0644 ${B}/src/libb64.so.0 ${D}${libdir}/libb64.so.0 + ln -s libb64.so.0 ${D}${libdir}/libb64.so + install -Dm 0644 ${S}/include/b64/*.h ${D}${includedir}/b64/ +} diff --git a/meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb b/meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb index a954499c69..527de93e40 100644 --- a/meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb +++ b/meta-oe/recipes-support/libbytesize/libbytesize_2.2.bb @@ -10,7 +10,7 @@ S = "${WORKDIR}/git" B = "${S}" SRCREV = "e64e752a28a4a41b0a43cba3bedf9571c22af807" -SRC_URI = "git://github.com/rhinstaller/libbytesize;branch=master" +SRC_URI = "git://github.com/rhinstaller/libbytesize;branch=master;protocol=https" inherit gettext autotools python3native diff --git a/meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb b/meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb index 6fc5881c59..ac6aedfd50 100644 --- a/meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb +++ b/meta-oe/recipes-support/libcereal/libcereal_1.3.0.bb @@ -7,7 +7,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=e612690af2f575dfd02e2e91443cea23" SRCREV = "02eace19a99ce3cd564ca4e379753d69af08c2c8" -SRC_URI = "git://github.com/USCiLab/cereal.git" +SRC_URI = "git://github.com/USCiLab/cereal.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb b/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb index 74b5e21e23..c6878577ef 100644 --- a/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb +++ b/meta-oe/recipes-support/libcyusbserial/libcyusbserial_git.bb @@ -8,7 +8,7 @@ DEPENDS = "libusb udev" PV = "1.0.0+git${SRCPV}" SRCREV = "655e2d544183d094f0e2d119c7e0c6206a0ddb3f" -SRC_URI = "git://github.com/cyrozap/${BPN}.git" +SRC_URI = "git://github.com/cyrozap/${BPN}.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb b/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb index f638848d15..6ce318d0b5 100644 --- a/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb +++ b/meta-oe/recipes-support/libeigen/libeigen_3.3.7.bb @@ -4,11 +4,11 @@ HOMEPAGE = "http://eigen.tuxfamily.org/" LICENSE = "MPL-2.0" LIC_FILES_CHKSUM = "file://COPYING.MPL2;md5=815ca599c9df247a0c7f619bab123dad" -SRC_URI = "https://bitbucket.org/eigen/eigen/get/${PV}.tar.bz2;downloadfilename=${BP}.tar.bz2" -SRC_URI[md5sum] = "05b1f7511c93980c385ebe11bd3c93fa" -SRC_URI[sha256sum] = "9f13cf90dedbe3e52a19f43000d71fdf72e986beb9a5436dddcd61ff9d77a3ce" +SRC_URI = "git://gitlab.com/libeigen/eigen.git;protocol=http;nobranch=1" -S = "${WORKDIR}/eigen-eigen-323c052e1731" +SRCREV = "21ae2afd4edaa1b69782c67a54182d34efe43f9c" + +S = "${WORKDIR}/git" inherit cmake diff --git a/meta-oe/recipes-support/libfann/libfann_git.bb b/meta-oe/recipes-support/libfann/libfann_git.bb index eae24461dc..5ab484d8a5 100644 --- a/meta-oe/recipes-support/libfann/libfann_git.bb +++ b/meta-oe/recipes-support/libfann/libfann_git.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=f14599a2f089f6ff8c97e2baa4e3d575" inherit cmake SRCREV ?= "7ec1fc7e5bd734f1d3c89b095e630e83c86b9be1" -SRC_URI = "git://github.com/libfann/fann.git;branch=master \ +SRC_URI = "git://github.com/libfann/fann.git;branch=master;protocol=https \ " PV = "2.2.0+git${SRCPV}" diff --git a/meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb b/meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb index 9b9c191049..c971491b1c 100644 --- a/meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb +++ b/meta-oe/recipes-support/libgit2/libgit2_0.28.4.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3f2cd5d3cccd71d62066ba619614592b" DEPENDS = "curl openssl zlib libssh2 libgcrypt" -SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v0.28" +SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v0.28;protocol=https" SRCREV = "106a5f27586504ea371528191f0ea3aac2ad432b" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libgusb/libgusb_git.bb b/meta-oe/recipes-support/libgusb/libgusb_git.bb index e3c0bdd15e..a26c234652 100644 --- a/meta-oe/recipes-support/libgusb/libgusb_git.bb +++ b/meta-oe/recipes-support/libgusb/libgusb_git.bb @@ -6,7 +6,7 @@ DEPENDS = "glib-2.0 libusb" inherit meson gobject-introspection gtk-doc gettext vala -SRC_URI = "git://github.com/hughsie/libgusb.git" +SRC_URI = "git://github.com/hughsie/libgusb.git;branch=master;protocol=https" SRCREV = "636efc0624aa2a88174220fcabc9764c13d7febf" PV = "0.3.0+git${SRCPV}" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libharu/libharu_2.3.0.bb b/meta-oe/recipes-support/libharu/libharu_2.3.0.bb index 2d1a37c421..86b5ba540f 100644 --- a/meta-oe/recipes-support/libharu/libharu_2.3.0.bb +++ b/meta-oe/recipes-support/libharu/libharu_2.3.0.bb @@ -6,7 +6,7 @@ DESCRIPTION = "libHaru is a library for generating PDF files. \ LICENSE = "Zlib" LIC_FILES_CHKSUM = "file://README;md5=3ee6bc1f64d9cc7907f44840c8e50cb1" -SRC_URI = "git://github.com/libharu/libharu.git;branch=2_3 \ +SRC_URI = "git://github.com/libharu/libharu.git;branch=2_3;protocol=https \ file://libharu-RELEASE_2_3_0_cmake.patch \ " diff --git a/meta-oe/recipes-support/libiio/libiio_git.bb b/meta-oe/recipes-support/libiio/libiio_git.bb index f83d9c9225..8fbe474485 100644 --- a/meta-oe/recipes-support/libiio/libiio_git.bb +++ b/meta-oe/recipes-support/libiio/libiio_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING.txt;md5=7c13b3376cea0ce68d2d2da0a1b3a72c" SRCREV = "5f5af2e417129ad8f4e05fc5c1b730f0694dca12" PV = "0.19+git${SRCPV}" -SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https" +SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https;branch=main" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch new file mode 100644 index 0000000000..ff792d4daa --- /dev/null +++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd/CVE-2021-3466.patch @@ -0,0 +1,158 @@ +From 86d9a61be6395220714b1a50d5144e65668961f6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ernst=20Sj=C3=B6strand?= <ernst.sjostrand@verisure.com> +Date: Tue, 21 Dec 2021 11:05:22 +0000 +Subject: [PATCH] Fix buffer overflow in url parser and add test + +Reference: +https://git.gnunet.org/libmicrohttpd.git/commit/?id=a110ae6276660bee3caab30e9ff3f12f85cf3241 + +Upstream-Status: Backport +CVE: CVE-2021-3466 + +Signed-off-by: Ernst Sjöstrand <ernst.sjostrand@verisure.com> +--- + src/microhttpd/postprocessor.c | 18 ++++++-- + src/microhttpd/test_postprocessor.c | 66 +++++++++++++++++++++++++++++ + 2 files changed, 80 insertions(+), 4 deletions(-) + +diff --git a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c +index b7f6b10..ebd1686 100644 +--- a/src/microhttpd/postprocessor.c ++++ b/src/microhttpd/postprocessor.c +@@ -137,8 +137,7 @@ struct MHD_PostProcessor + void *cls; + + /** +- * Encoding as given by the headers of the +- * connection. ++ * Encoding as given by the headers of the connection. + */ + const char *encoding; + +@@ -586,7 +585,7 @@ post_process_urlencoded (struct MHD_PostProcessor *pp, + pp->state = PP_Error; + break; + case PP_Callback: +- if ( (pp->buffer_pos + (end_key - start_key) > ++ if ( (pp->buffer_pos + (end_key - start_key) >= + pp->buffer_size) || + (pp->buffer_pos + (end_key - start_key) < + pp->buffer_pos) ) +@@ -636,6 +635,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp, + { + if (NULL == end_key) + end_key = &post_data[poff]; ++ if (pp->buffer_pos + (end_key - start_key) >= pp->buffer_size) ++ { ++ pp->state = PP_Error; ++ return MHD_NO; ++ } + memcpy (&kbuf[pp->buffer_pos], + start_key, + end_key - start_key); +@@ -663,6 +667,11 @@ post_process_urlencoded (struct MHD_PostProcessor *pp, + last_escape); + pp->must_ikvi = false; + } ++ if (PP_Error == pp->state) ++ { ++ /* State in error, returning failure */ ++ return MHD_NO; ++ } + return MHD_YES; + } + +@@ -1424,7 +1433,8 @@ MHD_destroy_post_processor (struct MHD_PostProcessor *pp) + the post-processing may have been interrupted + at any stage */ + if ( (pp->xbuf_pos > 0) || +- (pp->state != PP_Done) ) ++ ( (pp->state != PP_Done) && ++ (pp->state != PP_Init) ) ) + ret = MHD_NO; + else + ret = MHD_YES; +diff --git a/src/microhttpd/test_postprocessor.c b/src/microhttpd/test_postprocessor.c +index 2c37565..cba486d 100644 +--- a/src/microhttpd/test_postprocessor.c ++++ b/src/microhttpd/test_postprocessor.c +@@ -451,6 +451,71 @@ test_empty_value (void) + } + + ++static enum MHD_Result ++value_checker2 (void *cls, ++ enum MHD_ValueKind kind, ++ const char *key, ++ const char *filename, ++ const char *content_type, ++ const char *transfer_encoding, ++ const char *data, ++ uint64_t off, ++ size_t size) ++{ ++ return MHD_YES; ++} ++ ++ ++static int ++test_overflow () ++{ ++ struct MHD_Connection connection; ++ struct MHD_HTTP_Header header; ++ struct MHD_PostProcessor *pp; ++ size_t i; ++ size_t j; ++ size_t delta; ++ char *buf; ++ ++ memset (&connection, 0, sizeof (struct MHD_Connection)); ++ memset (&header, 0, sizeof (struct MHD_HTTP_Header)); ++ connection.headers_received = &header; ++ header.header = MHD_HTTP_HEADER_CONTENT_TYPE; ++ header.value = MHD_HTTP_POST_ENCODING_FORM_URLENCODED; ++ header.header_size = strlen (header.header); ++ header.value_size = strlen (header.value); ++ header.kind = MHD_HEADER_KIND; ++ for (i = 128; i < 1024 * 1024; i += 1024) ++ { ++ pp = MHD_create_post_processor (&connection, ++ 1024, ++ &value_checker2, ++ NULL); ++ buf = malloc (i); ++ if (NULL == buf) ++ return 1; ++ memset (buf, 'A', i); ++ buf[i / 2] = '='; ++ delta = 1 + (MHD_random_ () % (i - 1)); ++ j = 0; ++ while (j < i) ++ { ++ if (j + delta > i) ++ delta = i - j; ++ if (MHD_NO == ++ MHD_post_process (pp, ++ &buf[j], ++ delta)) ++ break; ++ j += delta; ++ } ++ free (buf); ++ MHD_destroy_post_processor (pp); ++ } ++ return 0; ++} ++ ++ + int + main (int argc, char *const *argv) + { +@@ -463,6 +528,7 @@ main (int argc, char *const *argv) + errorCount += test_multipart (); + errorCount += test_nested_multipart (); + errorCount += test_empty_value (); ++ errorCount += test_overflow (); + if (errorCount != 0) + fprintf (stderr, "Error (code: %u)\n", errorCount); + return errorCount != 0; /* 0 == pass */ diff --git a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb index 94976d2e98..9d5e85e1ad 100644 --- a/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb +++ b/meta-oe/recipes-support/libmicrohttpd/libmicrohttpd_0.9.70.bb @@ -7,7 +7,8 @@ SECTION = "net" DEPENDS = "file" SRC_URI = "${GNU_MIRROR}/libmicrohttpd/${BPN}-${PV}.tar.gz \ -" + file://CVE-2021-3466.patch \ + " SRC_URI[md5sum] = "dcd6045ecb4ea18c120afedccbd1da74" SRC_URI[sha256sum] = "90d0a3d396f96f9bc41eb0f7e8187796049285fabef82604acd4879590977307" diff --git a/meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb b/meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb index 590c4ebc28..fc0b1ee495 100644 --- a/meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb +++ b/meta-oe/recipes-support/libmimetic/libmimetic_0.9.8.bb @@ -10,7 +10,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=b49da7df0ca479ef01ff7f2d799eabee" SRCREV = "50486af99b4f9b35522d7b3de40b6ce107505279" -SRC_URI += "git://github.com/LadislavSopko/mimetic/ \ +SRC_URI += "git://github.com/LadislavSopko/mimetic/;branch=master;protocol=https \ file://0001-libmimetic-Removing-test-directory-from-the-Makefile.patch \ file://0001-mimetic-Check-for-MMAP_FAILED-return-from-mmap.patch \ " diff --git a/meta-oe/recipes-support/libmxml/libmxml_3.1.bb b/meta-oe/recipes-support/libmxml/libmxml_3.1.bb index 4e77d6cc02..fd3369d8df 100644 --- a/meta-oe/recipes-support/libmxml/libmxml_3.1.bb +++ b/meta-oe/recipes-support/libmxml/libmxml_3.1.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327" HOMEPAGE = "https://www.msweet.org/mxml/" BUGTRACKER = "https://github.com/michaelrsweet/mxml/issues" -SRC_URI = "git://github.com/michaelrsweet/mxml.git" +SRC_URI = "git://github.com/michaelrsweet/mxml.git;branch=master;protocol=https" SRCREV = "e483e5fd8a33386fd46967681521bdd2da2b548f" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libp11/libp11_0.4.10.bb b/meta-oe/recipes-support/libp11/libp11_0.4.10.bb index 7fe0640d94..142002a262 100644 --- a/meta-oe/recipes-support/libp11/libp11_0.4.10.bb +++ b/meta-oe/recipes-support/libp11/libp11_0.4.10.bb @@ -9,7 +9,7 @@ LICENSE = "LGPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=fad9b3332be894bab9bc501572864b29" DEPENDS = "libtool openssl" -SRC_URI = "git://github.com/OpenSC/libp11.git" +SRC_URI = "git://github.com/OpenSC/libp11.git;branch=master;protocol=https" SRCREV = "973d31f3f58d5549ddd8b1f822ce8f72186f9d68" UPSTREAM_CHECK_GITTAGREGEX = "libp11-(?P<pver>\d+(\.\d+)+)" diff --git a/meta-oe/recipes-support/librsync/librsync_2.3.1.bb b/meta-oe/recipes-support/librsync/librsync_2.3.1.bb index 004c93d0f9..fddece8d1f 100644 --- a/meta-oe/recipes-support/librsync/librsync_2.3.1.bb +++ b/meta-oe/recipes-support/librsync/librsync_2.3.1.bb @@ -4,7 +4,7 @@ AUTHOR = "Martin Pool, Andrew Tridgell, Donovan Baarda, Adam Schubert" LICENSE = "LGPLv2.1+" LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499" -SRC_URI = "git://github.com/librsync/librsync.git" +SRC_URI = "git://github.com/librsync/librsync.git;branch=master;protocol=https" SRCREV = "27f738650c20fef1285f11d85a34e5094a71c06f" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb b/meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb index 8b773aefa5..f6fc0e36b6 100644 --- a/meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb +++ b/meta-oe/recipes-support/libsoc/libsoc_0.8.2.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=e0bfebea12a718922225ba987b2126a5" inherit autotools pkgconfig python3-dir SRCREV = "fd1ad6e7823fa76d8db0d3c5884faffa8ffddafb" -SRC_URI = "git://github.com/jackmitch/libsoc.git" +SRC_URI = "git://github.com/jackmitch/libsoc.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch new file mode 100644 index 0000000000..2944a44622 --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch @@ -0,0 +1,40 @@ +From 533d881b0f4b24c72b35ecc97fa35d295d063e53 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 3 Jun 2020 10:04:09 +0200 +Subject: [PATCH] sftpserver: Add missing NULL check for ssh_buffer_new() + +Thanks to Ramin Farajpour Cami for spotting this. + +Fixes T232 + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/533d881b0f4b24c72b35ecc97fa35d295d063e53] +CVE: CVE-2020-16135 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/sftpserver.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/sftpserver.c b/src/sftpserver.c +index 5a2110e58..b639a2ce3 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) { + + /* take a copy of the whole packet */ + msg->complete_message = ssh_buffer_new(); ++ if (msg->complete_message == NULL) { ++ ssh_set_error_oom(session); ++ sftp_client_message_free(msg); ++ return NULL; ++ } ++ + ssh_buffer_add_data(msg->complete_message, + ssh_buffer_get(payload), + ssh_buffer_get_len(payload)); +-- +GitLab + diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch new file mode 100644 index 0000000000..3c4ff0c614 --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch @@ -0,0 +1,42 @@ +From 2782cb0495b7450bd8fe43ce4af886b66fea6c40 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 3 Jun 2020 10:05:51 +0200 +Subject: [PATCH] sftpserver: Add missing return check for + ssh_buffer_add_data() + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/2782cb0495b7450bd8fe43ce4af886b66fea6c40] +CVE: CVE-2020-16135 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/sftpserver.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/sftpserver.c b/src/sftpserver.c +index b639a2ce3..9117f155f 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) { + return NULL; + } + +- ssh_buffer_add_data(msg->complete_message, +- ssh_buffer_get(payload), +- ssh_buffer_get_len(payload)); ++ rc = ssh_buffer_add_data(msg->complete_message, ++ ssh_buffer_get(payload), ++ ssh_buffer_get_len(payload)); ++ if (rc < 0) { ++ ssh_set_error_oom(session); ++ sftp_client_message_free(msg); ++ return NULL; ++ } + + ssh_buffer_get_u32(payload, &msg->id); + +-- +GitLab + diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch new file mode 100644 index 0000000000..03a8ac156a --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch @@ -0,0 +1,70 @@ +From 10b3ebbe61a7031a3dae97f05834442220447181 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 3 Jun 2020 10:10:11 +0200 +Subject: [PATCH] buffer: Reformat ssh_buffer_add_data() + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/10b3ebbe61a7031a3dae97f05834442220447181] +CVE: CVE-2020-16135 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/buffer.c | 35 ++++++++++++++++++----------------- + 1 file changed, 18 insertions(+), 17 deletions(-) + +diff --git a/src/buffer.c b/src/buffer.c +index a2e6246af..476bc1358 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer) + */ + int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) + { +- buffer_verify(buffer); ++ buffer_verify(buffer); + +- if (data == NULL) { +- return -1; +- } ++ if (data == NULL) { ++ return -1; ++ } + +- if (buffer->used + len < len) { +- return -1; +- } ++ if (buffer->used + len < len) { ++ return -1; ++ } + +- if (buffer->allocated < (buffer->used + len)) { +- if(buffer->pos > 0) +- buffer_shift(buffer); +- if (realloc_buffer(buffer, buffer->used + len) < 0) { +- return -1; ++ if (buffer->allocated < (buffer->used + len)) { ++ if (buffer->pos > 0) { ++ buffer_shift(buffer); ++ } ++ if (realloc_buffer(buffer, buffer->used + len) < 0) { ++ return -1; ++ } + } +- } + +- memcpy(buffer->data+buffer->used, data, len); +- buffer->used+=len; +- buffer_verify(buffer); +- return 0; ++ memcpy(buffer->data + buffer->used, data, len); ++ buffer->used += len; ++ buffer_verify(buffer); ++ return 0; + } + + /** +-- +GitLab + diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch new file mode 100644 index 0000000000..8e9a4c3f5c --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch @@ -0,0 +1,34 @@ +From 245ad744b5ab0582fef7cf3905a717b791d7e08b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 3 Jun 2020 10:11:21 +0200 +Subject: [PATCH] buffer: Add NULL check for 'buffer' argument + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/245ad744b5ab0582fef7cf3905a717b791d7e08b] +CVE: CVE-2020-16135 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/buffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/buffer.c b/src/buffer.c +index 476bc1358..ce12f491a 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer) + */ + int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) + { ++ if (buffer == NULL) { ++ return -1; ++ } ++ + buffer_verify(buffer); + + if (data == NULL) { +-- +GitLab + diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb index 39ed8a8fbb..0fb07a0eb7 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb @@ -6,7 +6,13 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0" DEPENDS = "zlib openssl libgcrypt" -SRC_URI = "git://git.libssh.org/projects/libssh.git;branch=stable-0.8" +SRC_URI = "git://git.libssh.org/projects/libssh.git;branch=stable-0.8 \ + file://CVE-2020-16135-1.patch \ + file://CVE-2020-16135-2.patch \ + file://CVE-2020-16135-3.patch \ + file://CVE-2020-16135-4.patch \ + " + SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/libssh2/files/CVE-2020-22218.patch b/meta-oe/recipes-support/libssh2/files/CVE-2020-22218.patch new file mode 100644 index 0000000000..49dbde737f --- /dev/null +++ b/meta-oe/recipes-support/libssh2/files/CVE-2020-22218.patch @@ -0,0 +1,39 @@ +From 642eec48ff3adfdb7a9e562b6d7fc865d1733f45 Mon Sep 17 00:00:00 2001 +From: lutianxiong <lutianxiong@huawei.com> +Date: Fri, 29 May 2020 01:25:40 +0800 +Subject: [PATCH] transport.c: fix use-of-uninitialized-value (#476) + +file:transport.c + +notes: +return error if malloc(0) + +credit: +lutianxiong + +Bug: https://github.com/libssh2/libssh2/pull/476 +Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/642eec48ff3adfdb7a9e562b6d7fc865d1733f45 +& +https://github.com/libssh2/libssh2/commit/0b44e558f311671f6e6d14c559bc1c9bda59b8df] +CVE: CVE-2020-22218 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/transport.c b/src/transport.c +index 45e445c..35e7df3 100644 +--- a/src/transport.c ++++ b/src/transport.c +@@ -465,7 +465,7 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session) + * or less (including length, padding length, payload, + * padding, and MAC.)." + */ +- if(total_num > LIBSSH2_PACKET_MAXPAYLOAD) { ++ if(total_num > LIBSSH2_PACKET_MAXPAYLOAD || total_num == 0) { + return LIBSSH2_ERROR_OUT_OF_BOUNDARY; + } + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb b/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb index c1f337a440..e11e663769 100644 --- a/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb +++ b/meta-oe/recipes-support/libssh2/libssh2_1.9.0.bb @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c5cf34fc0acb44b082ef50ef5e4354ca" SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \ file://CVE-2019-17498.patch \ + file://CVE-2020-22218.patch \ " SRC_URI[md5sum] = "1beefafe8963982adc84b408b2959927" SRC_URI[sha256sum] = "d5fb8bd563305fd1074dda90bd053fb2d29fc4bce048d182f96eaa466dfadafd" diff --git a/meta-oe/recipes-support/libteam/libteam_1.30.bb b/meta-oe/recipes-support/libteam/libteam_1.30.bb index 9cd02b0c09..d04660ca10 100644 --- a/meta-oe/recipes-support/libteam/libteam_1.30.bb +++ b/meta-oe/recipes-support/libteam/libteam_1.30.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" DEPENDS = "libnl libdaemon jansson" -SRC_URI = "git://github.com/jpirko/libteam \ +SRC_URI = "git://github.com/jpirko/libteam;branch=master;protocol=https \ file://0001-include-sys-select.h-for-fd_set-definition.patch \ file://0002-teamd-Re-adjust-include-header-order.patch \ file://0001-team_basic_test.py-disable-RedHat-specific-test.patch \ diff --git a/meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb b/meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb index a2491cf9e6..2a33284b8a 100644 --- a/meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb +++ b/meta-oe/recipes-support/libtinyxml2/libtinyxml2_8.0.0.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "Zlib" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=135624eef03e1f1101b9ba9ac9b5fffd" -SRC_URI = "git://github.com/leethomason/tinyxml2.git" +SRC_URI = "git://github.com/leethomason/tinyxml2.git;branch=master;protocol=https" SRCREV = "bf15233ad88390461f6ab0dbcf046cce643c5fcb" diff --git a/meta-oe/recipes-support/libusbg/libusbg_git.bb b/meta-oe/recipes-support/libusbg/libusbg_git.bb index 97d60a6a8a..6edac56fef 100644 --- a/meta-oe/recipes-support/libusbg/libusbg_git.bb +++ b/meta-oe/recipes-support/libusbg/libusbg_git.bb @@ -8,7 +8,7 @@ inherit autotools PV = "0.1.0" SRCREV = "a826d136e0e8fa53815f1ba05893e6dd74208c15" -SRC_URI = "git://github.com/libusbg/libusbg.git \ +SRC_URI = "git://github.com/libusbg/libusbg.git;branch=master;protocol=https \ file://0001-Fix-out-of-tree-builds.patch \ " diff --git a/meta-oe/recipes-support/libusbgx/libusbgx_git.bb b/meta-oe/recipes-support/libusbgx/libusbgx_git.bb index d73ca61060..b88941d6e3 100644 --- a/meta-oe/recipes-support/libusbgx/libusbgx_git.bb +++ b/meta-oe/recipes-support/libusbgx/libusbgx_git.bb @@ -11,7 +11,7 @@ PV = "0.2.0+git${SRCPV}" SRCREV = "45c14ef4d5d7ced0fbf984208de44ced6d5ed898" SRCBRANCH = "master" SRC_URI = " \ - git://github.com/libusbgx/libusbgx.git;branch=${SRCBRANCH} \ + git://github.com/libusbgx/libusbgx.git;branch=${SRCBRANCH};protocol=https \ file://gadget-start \ file://usbgx.initd \ file://usbgx.service \ diff --git a/meta-oe/recipes-support/libutempter/libutempter.bb b/meta-oe/recipes-support/libutempter/libutempter.bb index b8a700b7b7..d259f166d1 100644 --- a/meta-oe/recipes-support/libutempter/libutempter.bb +++ b/meta-oe/recipes-support/libutempter/libutempter.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2d5025d4aa3495befef8f17206a5b0a1" SRCREV = "3ef74fff310f09e2601e241b9f042cd39d591018" PV = "1.1.6-alt2+git${SRCPV}" -SRC_URI = "git://git.altlinux.org/people/ldv/packages/libutempter.git \ +SRC_URI = "git://git.altlinux.org/people/ldv/packages/libutempter.git;branch=master \ file://0001-Fix-macro-error.patch \ file://0002-Proper-macro-path-generation.patch \ file://libutempter-remove-glibc-assumption.patch \ diff --git a/meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb b/meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb index 0fb4a6e516..aab81461a4 100644 --- a/meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb +++ b/meta-oe/recipes-support/lio-utils/lio-utils_4.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://debian/copyright;md5=c3ea231a32635cbb5debedf3e88aa3df PV = "4.1+git${SRCPV}" -SRC_URI = "git://github.com/Datera/lio-utils.git \ +SRC_URI = "git://github.com/Datera/lio-utils.git;branch=master;protocol=https \ file://0001-Makefiles-Respect-environment-variables-and-add-LDFL.patch \ " SRCREV = "0ac9091c1ff7a52d5435a4f4449e82637142e06e" diff --git a/meta-oe/recipes-support/lvm2/lvm2.inc b/meta-oe/recipes-support/lvm2/lvm2.inc index 01c9df45c1..d0fb33d118 100644 --- a/meta-oe/recipes-support/lvm2/lvm2.inc +++ b/meta-oe/recipes-support/lvm2/lvm2.inc @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12713b4d9386533feeb07d6e4831765a \ DEPENDS += "libaio" -SRC_URI = "git://sourceware.org/git/lvm2.git \ +SRC_URI = "git://sourceware.org/git/lvm2.git;branch=master \ file://lvm.conf \ file://0001-implement-libc-specific-reopen_stream.patch \ file://0002-Guard-use-of-mallinfo-with-__GLIBC__.patch \ @@ -19,12 +19,11 @@ SRC_URI = "git://sourceware.org/git/lvm2.git \ SRCREV = "b9391b1b9f0b73303fa21f8f92574d17ce4c2b02" S = "${WORKDIR}/git" -inherit autotools-brokensep pkgconfig systemd license +inherit autotools-brokensep pkgconfig systemd LVM2_PACKAGECONFIG = "dmeventd" LVM2_PACKAGECONFIG_append_class-target = " \ ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \ - ${@incompatible_license_contains('GPLv3', '', 'thin-provisioning-tools', d)} \ " # odirect is always enabled because there currently is a bug in @@ -37,6 +36,7 @@ PACKAGECONFIG[dmeventd] = "--enable-dmeventd,--disable-dmeventd" PACKAGECONFIG[odirect] = "--enable-o_direct,--disable-o_direct" PACKAGECONFIG[readline] = "--enable-readline,--disable-readline,readline" PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" +# NOTE: Add thin-provisioning-tools only if your distro policy allows GPL-3.0 license PACKAGECONFIG[thin-provisioning-tools] = "--with-thin=internal,--with-thin=none,,thin-provisioning-tools" # Unset user/group to unbreak install. @@ -53,4 +53,3 @@ EXTRA_OECONF = "--with-user= \ --with-thin-repair=${sbindir}/thin_repair \ --with-thin-restore=${sbindir}/thin_restore \ " - diff --git a/meta-oe/recipes-support/mcelog/mce-inject_git.bb b/meta-oe/recipes-support/mcelog/mce-inject_git.bb index cc33cbaf28..8241bd2342 100644 --- a/meta-oe/recipes-support/mcelog/mce-inject_git.bb +++ b/meta-oe/recipes-support/mcelog/mce-inject_git.bb @@ -4,7 +4,7 @@ software level into a running Linux kernel. This is intended for \ validation of the kernel machine check handler." SECTION = "System Environment/Base" -SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-inject.git" +SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-inject.git;branch=master" SRCREV = "4cbe46321b4a81365ff3aafafe63967264dbfec5" diff --git a/meta-oe/recipes-support/mcelog/mce-test_git.bb b/meta-oe/recipes-support/mcelog/mce-test_git.bb index 35fb944702..f245515216 100644 --- a/meta-oe/recipes-support/mcelog/mce-test_git.bb +++ b/meta-oe/recipes-support/mcelog/mce-test_git.bb @@ -10,7 +10,7 @@ containment and recovery, ACPI/APEI support etc." LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3" -SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-test.git;protocol=git \ +SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mce-test.git;protocol=git;branch=master \ file://makefile-remove-ldflags.patch \ file://0001-gcov_merge.py-scov_merge.py-switch-to-python3.patch \ " diff --git a/meta-oe/recipes-support/mcelog/mcelog_168.bb b/meta-oe/recipes-support/mcelog/mcelog_168.bb index e2ef6ea589..c464132176 100644 --- a/meta-oe/recipes-support/mcelog/mcelog_168.bb +++ b/meta-oe/recipes-support/mcelog/mcelog_168.bb @@ -5,7 +5,7 @@ and should run on all Linux systems that need error handling." HOMEPAGE = "http://mcelog.org/" SECTION = "System Environment/Base" -SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mcelog.git;protocol=http; \ +SRC_URI = "git://git.kernel.org/pub/scm/utils/cpu/mce/mcelog.git;protocol=http;branch=master \ file://run-ptest \ " diff --git a/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch new file mode 100644 index 0000000000..d06ef44f68 --- /dev/null +++ b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch @@ -0,0 +1,154 @@ +From cb57b930fa690ab79b3904846634681685e3470f Mon Sep 17 00:00:00 2001 +From: Martin Wilck <mwilck@suse.com> +Date: Thu, 1 Sep 2022 19:21:30 +0200 +Subject: [PATCH] multipath-tools: use /run instead of /dev/shm + +/dev/shm may have unsafe permissions. Use /run instead. +Use systemd's tmpfiles.d mechanism to create /run/multipath +early during boot. + +For backward compatibilty, make the runtime directory configurable +via the "runtimedir" make variable. + +Signed-off-by: Martin Wilck <mwilck@suse.com> +Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com> + +CVE: CVE-2022-41973 +Upstream-Status: Backport [https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + .gitignore | 2 ++ + Makefile.inc | 7 ++++++- + libmultipath/defaults.h | 3 +-- + multipath/Makefile | 11 ++++++++--- + multipath/{multipath.rules => multipath.rules.in} | 4 ++-- + multipath/tmpfiles.conf.in | 1 + + 6 files changed, 20 insertions(+), 8 deletions(-) + rename multipath/{multipath.rules => multipath.rules.in} (95%) + create mode 100644 multipath/tmpfiles.conf.in + +diff --git a/.gitignore b/.gitignore +index 9926756b..f90b0350 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -8,6 +8,8 @@ + *.d + kpartx/kpartx + multipath/multipath ++multipath/multipath.rules ++multipath/tmpfiles.conf + multipathd/multipathd + mpathpersist/mpathpersist + .nfs* +diff --git a/Makefile.inc b/Makefile.inc +index 4eb08eed..648f91b4 100644 +--- a/Makefile.inc ++++ b/Makefile.inc +@@ -44,6 +44,7 @@ exec_prefix = $(prefix) + usr_prefix = $(prefix) + bindir = $(exec_prefix)/usr/sbin + libudevdir = $(prefix)/$(SYSTEMDPATH)/udev ++tmpfilesdir = $(prefix)/$(SYSTEMDPATH)/tmpfiles.d + udevrulesdir = $(libudevdir)/rules.d + multipathdir = $(TOPDIR)/libmultipath + man8dir = $(prefix)/usr/share/man/man8 +@@ -60,6 +61,7 @@ libdmmpdir = $(TOPDIR)/libdmmp + nvmedir = $(TOPDIR)/libmultipath/nvme + includedir = $(prefix)/usr/include + pkgconfdir = $(usrlibdir)/pkgconfig ++runtimedir := /$(RUN) + + GZIP = gzip -9 -c + RM = rm -f +@@ -95,7 +97,10 @@ OPTFLAGS += -Wextra -Wstrict-prototypes -Wformat=2 -Werror=implicit-int \ + -Wno-unused-parameter -Werror=cast-qual \ + -Werror=discarded-qualifiers + +-CPPFLAGS := -Wp,-D_FORTIFY_SOURCE=2 ++CPPFLAGS := $(FORTIFY_OPT) \ ++ -DBIN_DIR=\"$(bindir)\" -DMULTIPATH_DIR=\"$(plugindir)\" -DRUN_DIR=\"${RUN}\" \ ++ -DRUNTIME_DIR=\"$(runtimedir)\" \ ++ -DCONFIG_DIR=\"$(configdir)\" -DEXTRAVERSION=\"$(EXTRAVERSION)\" -MMD -MP + CFLAGS := $(OPTFLAGS) -DBIN_DIR=\"$(bindir)\" -DLIB_STRING=\"${LIB}\" -DRUN_DIR=\"${RUN}\" \ + -MMD -MP $(CFLAGS) + BIN_CFLAGS = -fPIE -DPIE +diff --git a/libmultipath/defaults.h b/libmultipath/defaults.h +index c2164c16..908e0ca3 100644 +--- a/libmultipath/defaults.h ++++ b/libmultipath/defaults.h +@@ -64,8 +64,7 @@ + #define DEFAULT_WWIDS_FILE "/etc/multipath/wwids" + #define DEFAULT_PRKEYS_FILE "/etc/multipath/prkeys" + #define DEFAULT_CONFIG_DIR "/etc/multipath/conf.d" +-#define MULTIPATH_SHM_BASE "/dev/shm/multipath/" +- ++#define MULTIPATH_SHM_BASE RUNTIME_DIR "/multipath/" + + static inline char *set_default(char *str) + { +diff --git a/multipath/Makefile b/multipath/Makefile +index e720c7f6..28976546 100644 +--- a/multipath/Makefile ++++ b/multipath/Makefile +@@ -12,7 +12,7 @@ EXEC = multipath + + OBJS = main.o + +-all: $(EXEC) ++all: $(EXEC) multipath.rules tmpfiles.conf + + $(EXEC): $(OBJS) $(multipathdir)/libmultipath.so $(mpathcmddir)/libmpathcmd.so + $(CC) $(CFLAGS) $(OBJS) -o $(EXEC) $(LDFLAGS) $(LIBDEPS) +@@ -26,7 +26,9 @@ install: + $(INSTALL_PROGRAM) -m 755 mpathconf $(DESTDIR)$(bindir)/ + $(INSTALL_PROGRAM) -d $(DESTDIR)$(udevrulesdir) + $(INSTALL_PROGRAM) -m 644 11-dm-mpath.rules $(DESTDIR)$(udevrulesdir) +- $(INSTALL_PROGRAM) -m 644 $(EXEC).rules $(DESTDIR)$(libudevdir)/rules.d/62-multipath.rules ++ $(INSTALL_PROGRAM) -m 644 multipath.rules $(DESTDIR)$(udevrulesdir)/56-multipath.rules ++ $(INSTALL_PROGRAM) -d $(DESTDIR)$(tmpfilesdir) ++ $(INSTALL_PROGRAM) -m 644 tmpfiles.conf $(DESTDIR)$(tmpfilesdir)/multipath.conf + $(INSTALL_PROGRAM) -d $(DESTDIR)$(man8dir) + $(INSTALL_PROGRAM) -m 644 $(EXEC).8.gz $(DESTDIR)$(man8dir) + $(INSTALL_PROGRAM) -d $(DESTDIR)$(man5dir) +@@ -43,9 +45,12 @@ uninstall: + $(RM) $(DESTDIR)$(man8dir)/mpathconf.8.gz + + clean: dep_clean +- $(RM) core *.o $(EXEC) *.gz ++ $(RM) core *.o $(EXEC) multipath.rules tmpfiles.conf + + include $(wildcard $(OBJS:.o=.d)) + + dep_clean: + $(RM) $(OBJS:.o=.d) ++ ++%: %.in ++ sed 's,@RUNTIME_DIR@,$(runtimedir),' $< >$@ +diff --git a/multipath/multipath.rules b/multipath/multipath.rules.in +similarity index 95% +rename from multipath/multipath.rules +rename to multipath/multipath.rules.in +index 0486bf70..5fb499e6 100644 +--- a/multipath/multipath.rules ++++ b/multipath/multipath.rules.in +@@ -1,8 +1,8 @@ + # Set DM_MULTIPATH_DEVICE_PATH if the device should be handled by multipath + SUBSYSTEM!="block", GOTO="end_mpath" + KERNEL!="sd*|dasd*|nvme*", GOTO="end_mpath" +-ACTION=="remove", TEST=="/dev/shm/multipath/find_multipaths/$major:$minor", \ +- RUN+="/usr/bin/rm -f /dev/shm/multipath/find_multipaths/$major:$minor" ++ACTION=="remove", TEST=="@RUNTIME_DIR@/multipath/find_multipaths/$major:$minor", \ ++ RUN+="/usr/bin/rm -f @RUNTIME_DIR@/multipath/find_multipaths/$major:$minor" + ACTION!="add|change", GOTO="end_mpath" + + IMPORT{cmdline}="nompath" +diff --git a/multipath/tmpfiles.conf.in b/multipath/tmpfiles.conf.in +new file mode 100644 +index 00000000..21be438a +--- /dev/null ++++ b/multipath/tmpfiles.conf.in +@@ -0,0 +1 @@ ++d @RUNTIME_DIR@/multipath 0700 root root - +-- +2.25.1 + diff --git a/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41974.patch b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41974.patch new file mode 100644 index 0000000000..dcc2cd49ef --- /dev/null +++ b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41974.patch @@ -0,0 +1,162 @@ +From 0168696f95b5c610c3861ced8ef98accd1a83b91 Mon Sep 17 00:00:00 2001 +From: Benjamin Marzinski <bmarzins@redhat.com> +Date: Tue, 27 Sep 2022 12:36:37 +0200 +Subject: [PATCH] multipathd: ignore duplicated multipathd command keys + +multipath adds rather than or-s the values of command keys. Fix this. +Also, return an invalid fingerprint if a key is used more than once. + +References: +https://nvd.nist.gov/vuln/detail/CVE-2022-41974 +https://github.com/opensvc/multipath-tools/issues/59 + +Upstream-Status: Backport [https://github.com/openSUSE/multipath-tools/commit/fbbf280a0e26026c19879d938ebb2a8200b6357c] +CVE: CVE-2022-41974 + +Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + multipathd/cli.c | 8 ++-- + multipathd/main.c | 104 +++++++++++++++++++++++----------------------- + 2 files changed, 57 insertions(+), 55 deletions(-) + +diff --git a/multipathd/cli.c b/multipathd/cli.c +index 800c0fbe..0a266761 100644 +--- a/multipathd/cli.c ++++ b/multipathd/cli.c +@@ -336,9 +336,11 @@ fingerprint(vector vec) + if (!vec) + return 0; + +- vector_foreach_slot(vec, kw, i) +- fp += kw->code; +- ++ vector_foreach_slot(vec, kw, i) { ++ if (fp & kw->code) ++ return (uint64_t)-1; ++ fp |= kw->code; ++ } + return fp; + } + +diff --git a/multipathd/main.c b/multipathd/main.c +index 8baf9abe..975287d2 100644 +--- a/multipathd/main.c ++++ b/multipathd/main.c +@@ -1522,61 +1522,61 @@ uxlsnrloop (void * ap) + /* Tell main thread that thread has started */ + post_config_state(DAEMON_CONFIGURE); + +- set_handler_callback(LIST+PATHS, cli_list_paths); +- set_handler_callback(LIST+PATHS+FMT, cli_list_paths_fmt); +- set_handler_callback(LIST+PATHS+RAW+FMT, cli_list_paths_raw); +- set_handler_callback(LIST+PATH, cli_list_path); +- set_handler_callback(LIST+MAPS, cli_list_maps); +- set_handler_callback(LIST+STATUS, cli_list_status); +- set_unlocked_handler_callback(LIST+DAEMON, cli_list_daemon); +- set_handler_callback(LIST+MAPS+STATUS, cli_list_maps_status); +- set_handler_callback(LIST+MAPS+STATS, cli_list_maps_stats); +- set_handler_callback(LIST+MAPS+FMT, cli_list_maps_fmt); +- set_handler_callback(LIST+MAPS+RAW+FMT, cli_list_maps_raw); +- set_handler_callback(LIST+MAPS+TOPOLOGY, cli_list_maps_topology); +- set_handler_callback(LIST+TOPOLOGY, cli_list_maps_topology); +- set_handler_callback(LIST+MAPS+JSON, cli_list_maps_json); +- set_handler_callback(LIST+MAP+TOPOLOGY, cli_list_map_topology); +- set_handler_callback(LIST+MAP+FMT, cli_list_map_fmt); +- set_handler_callback(LIST+MAP+RAW+FMT, cli_list_map_fmt); +- set_handler_callback(LIST+MAP+JSON, cli_list_map_json); +- set_handler_callback(LIST+CONFIG+LOCAL, cli_list_config_local); +- set_handler_callback(LIST+CONFIG, cli_list_config); +- set_handler_callback(LIST+BLACKLIST, cli_list_blacklist); +- set_handler_callback(LIST+DEVICES, cli_list_devices); +- set_handler_callback(LIST+WILDCARDS, cli_list_wildcards); +- set_handler_callback(RESET+MAPS+STATS, cli_reset_maps_stats); +- set_handler_callback(RESET+MAP+STATS, cli_reset_map_stats); +- set_handler_callback(ADD+PATH, cli_add_path); +- set_handler_callback(DEL+PATH, cli_del_path); +- set_handler_callback(ADD+MAP, cli_add_map); +- set_handler_callback(DEL+MAP, cli_del_map); +- set_handler_callback(SWITCH+MAP+GROUP, cli_switch_group); ++ set_handler_callback(LIST|PATHS, cli_list_paths); ++ set_handler_callback(LIST|PATHS|FMT, cli_list_paths_fmt); ++ set_handler_callback(LIST|PATHS|RAW|FMT, cli_list_paths_raw); ++ set_handler_callback(LIST|PATH, cli_list_path); ++ set_handler_callback(LIST|MAPS, cli_list_maps); ++ set_handler_callback(LIST|STATUS, cli_list_status); ++ set_unlocked_handler_callback(LIST|DAEMON, cli_list_daemon); ++ set_handler_callback(LIST|MAPS|STATUS, cli_list_maps_status); ++ set_handler_callback(LIST|MAPS|STATS, cli_list_maps_stats); ++ set_handler_callback(LIST|MAPS|FMT, cli_list_maps_fmt); ++ set_handler_callback(LIST|MAPS|RAW|FMT, cli_list_maps_raw); ++ set_handler_callback(LIST|MAPS|TOPOLOGY, cli_list_maps_topology); ++ set_handler_callback(LIST|TOPOLOGY, cli_list_maps_topology); ++ set_handler_callback(LIST|MAPS|JSON, cli_list_maps_json); ++ set_handler_callback(LIST|MAP|TOPOLOGY, cli_list_map_topology); ++ set_handler_callback(LIST|MAP|FMT, cli_list_map_fmt); ++ set_handler_callback(LIST|MAP|RAW|FMT, cli_list_map_fmt); ++ set_handler_callback(LIST|MAP|JSON, cli_list_map_json); ++ set_handler_callback(LIST|CONFIG|LOCAL, cli_list_config_local); ++ set_handler_callback(LIST|CONFIG, cli_list_config); ++ set_handler_callback(LIST|BLACKLIST, cli_list_blacklist); ++ set_handler_callback(LIST|DEVICES, cli_list_devices); ++ set_handler_callback(LIST|WILDCARDS, cli_list_wildcards); ++ set_handler_callback(RESET|MAPS|STATS, cli_reset_maps_stats); ++ set_handler_callback(RESET|MAP|STATS, cli_reset_map_stats); ++ set_handler_callback(ADD|PATH, cli_add_path); ++ set_handler_callback(DEL|PATH, cli_del_path); ++ set_handler_callback(ADD|MAP, cli_add_map); ++ set_handler_callback(DEL|MAP, cli_del_map); ++ set_handler_callback(SWITCH|MAP|GROUP, cli_switch_group); + set_unlocked_handler_callback(RECONFIGURE, cli_reconfigure); +- set_handler_callback(SUSPEND+MAP, cli_suspend); +- set_handler_callback(RESUME+MAP, cli_resume); +- set_handler_callback(RESIZE+MAP, cli_resize); +- set_handler_callback(RELOAD+MAP, cli_reload); +- set_handler_callback(RESET+MAP, cli_reassign); +- set_handler_callback(REINSTATE+PATH, cli_reinstate); +- set_handler_callback(FAIL+PATH, cli_fail); +- set_handler_callback(DISABLEQ+MAP, cli_disable_queueing); +- set_handler_callback(RESTOREQ+MAP, cli_restore_queueing); +- set_handler_callback(DISABLEQ+MAPS, cli_disable_all_queueing); +- set_handler_callback(RESTOREQ+MAPS, cli_restore_all_queueing); ++ set_handler_callback(SUSPEND|MAP, cli_suspend); ++ set_handler_callback(RESUME|MAP, cli_resume); ++ set_handler_callback(RESIZE|MAP, cli_resize); ++ set_handler_callback(RELOAD|MAP, cli_reload); ++ set_handler_callback(RESET|MAP, cli_reassign); ++ set_handler_callback(REINSTATE|PATH, cli_reinstate); ++ set_handler_callback(FAIL|PATH, cli_fail); ++ set_handler_callback(DISABLEQ|MAP, cli_disable_queueing); ++ set_handler_callback(RESTOREQ|MAP, cli_restore_queueing); ++ set_handler_callback(DISABLEQ|MAPS, cli_disable_all_queueing); ++ set_handler_callback(RESTOREQ|MAPS, cli_restore_all_queueing); + set_unlocked_handler_callback(QUIT, cli_quit); + set_unlocked_handler_callback(SHUTDOWN, cli_shutdown); +- set_handler_callback(GETPRSTATUS+MAP, cli_getprstatus); +- set_handler_callback(SETPRSTATUS+MAP, cli_setprstatus); +- set_handler_callback(UNSETPRSTATUS+MAP, cli_unsetprstatus); +- set_handler_callback(FORCEQ+DAEMON, cli_force_no_daemon_q); +- set_handler_callback(RESTOREQ+DAEMON, cli_restore_no_daemon_q); +- set_handler_callback(GETPRKEY+MAP, cli_getprkey); +- set_handler_callback(SETPRKEY+MAP+KEY, cli_setprkey); +- set_handler_callback(UNSETPRKEY+MAP, cli_unsetprkey); +- set_handler_callback(SETMARGINAL+PATH, cli_set_marginal); +- set_handler_callback(UNSETMARGINAL+PATH, cli_unset_marginal); +- set_handler_callback(UNSETMARGINAL+MAP, cli_unset_all_marginal); ++ set_handler_callback(GETPRSTATUS|MAP, cli_getprstatus); ++ set_handler_callback(SETPRSTATUS|MAP, cli_setprstatus); ++ set_handler_callback(UNSETPRSTATUS|MAP, cli_unsetprstatus); ++ set_handler_callback(FORCEQ|DAEMON, cli_force_no_daemon_q); ++ set_handler_callback(RESTOREQ|DAEMON, cli_restore_no_daemon_q); ++ set_handler_callback(GETPRKEY|MAP, cli_getprkey); ++ set_handler_callback(SETPRKEY|MAP|KEY, cli_setprkey); ++ set_handler_callback(UNSETPRKEY|MAP, cli_unsetprkey); ++ set_handler_callback(SETMARGINAL|PATH, cli_set_marginal); ++ set_handler_callback(UNSETMARGINAL|PATH, cli_unset_marginal); ++ set_handler_callback(UNSETMARGINAL|MAP, cli_unset_all_marginal); + + umask(077); + uxsock_listen(&uxsock_trigger, ux_sock, ap); +-- +2.25.1 + diff --git a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb index 8b0c89338f..e14e494366 100644 --- a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb +++ b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb @@ -29,7 +29,7 @@ DEPENDS = "libdevmapper \ LICENSE = "GPLv2" -SRC_URI = "git://git.opensvc.com/multipath-tools/.git;protocol=http \ +SRC_URI = "git://github.com/opensvc/multipath-tools.git;protocol=http;branch=master \ file://multipathd.oe \ file://multipath.conf.example \ file://0021-RH-fixup-udev-rules-for-redhat.patch \ @@ -45,6 +45,8 @@ SRC_URI = "git://git.opensvc.com/multipath-tools/.git;protocol=http \ file://0031-Always-use-devmapper-for-kpartx.patch \ file://0001-fix-bug-of-do_compile-and-do_install.patch \ file://0001-add-explicit-dependency-on-libraries.patch \ + file://CVE-2022-41973.patch \ + file://CVE-2022-41974.patch \ " LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2" @@ -117,3 +119,6 @@ FILES_kpartx = "${base_sbindir}/kpartx \ RDEPENDS_${PN} += "kpartx" PARALLEL_MAKE = "" + +FILES:${PN}-libs += "usr/lib/*.so.*" +FILES:${PN}-libs += "usr/lib/tmpfiles.d/*" diff --git a/meta-oe/recipes-support/ne10/ne10_1.2.1.bb b/meta-oe/recipes-support/ne10/ne10_1.2.1.bb index f37ccde1cb..6cb53212a4 100644 --- a/meta-oe/recipes-support/ne10/ne10_1.2.1.bb +++ b/meta-oe/recipes-support/ne10/ne10_1.2.1.bb @@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=e7fe20c9be97be5579e3ab5d92d3a218" SECTION = "libs" -SRC_URI = "git://github.com/projectNe10/Ne10.git \ +SRC_URI = "git://github.com/projectNe10/Ne10.git;branch=master;protocol=https \ file://0001-CMakeLists.txt-Remove-mthumb-interwork.patch \ file://0001-Dont-specify-march-explicitly.patch \ " diff --git a/meta-oe/recipes-support/neon/neon/run-ptest b/meta-oe/recipes-support/neon/neon/run-ptest new file mode 100644 index 0000000000..602084a52c --- /dev/null +++ b/meta-oe/recipes-support/neon/neon/run-ptest @@ -0,0 +1,25 @@ +#!/bin/sh + +set -eux + +rm -f debug.log child.log + +ulimit -c unlimited +ulimit -t 120 + +cd test +echo foobar > foobar.txt + +BASIC_TESTS="auth basic redirect request session socket string-tests \ + stubs uri-tests util-tests" +DAV_TESTS="acl3744 lock oldacl props xml xmlreq" +for t in $BASIC_TESTS $DAV_TESTS +do + echo "Running $t..." + if "./$t" + then + echo "PASS:$t" + else + echo "FAIL:$t" + fi +done diff --git a/meta-oe/recipes-support/neon/neon_0.30.2.bb b/meta-oe/recipes-support/neon/neon_0.30.2.bb index 00b79f6330..7feec41d62 100644 --- a/meta-oe/recipes-support/neon/neon_0.30.2.bb +++ b/meta-oe/recipes-support/neon/neon_0.30.2.bb @@ -7,12 +7,13 @@ LIC_FILES_CHKSUM = "file://src/COPYING.LIB;md5=f30a9716ef3762e3467a2f62bf790f0a SRC_URI = "${DEBIAN_MIRROR}/main/n/neon27/neon27_${PV}.orig.tar.gz \ file://pkgconfig.patch \ + file://run-ptest \ " SRC_URI[md5sum] = "e28d77bf14032d7f5046b3930704ef41" SRC_URI[sha256sum] = "db0bd8cdec329b48f53a6f00199c92d5ba40b0f015b153718d1b15d3d967fbca" -inherit autotools binconfig-disabled lib_package pkgconfig +inherit autotools binconfig-disabled lib_package pkgconfig ptest # Enable gnutls or openssl, not both PACKAGECONFIG ?= "expat gnutls libproxy webdav zlib" @@ -33,6 +34,18 @@ do_compile_append() { oe_runmake -C test } +do_install_ptest(){ + BASIC_TESTS="auth basic redirect request session socket string-tests \ + stubs uri-tests util-tests" + DAV_TESTS="acl3744 lock oldacl props xml xmlreq" + mkdir "${D}${PTEST_PATH}/test" + for i in ${BASIC_TESTS} ${DAV_TESTS} + do + install -m 0755 "${B}/test/${i}" \ + "${D}${PTEST_PATH}/test" + done +} + BINCONFIG = "${bindir}/neon-config" BBCLASSEXTEND = "native" diff --git a/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch b/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch new file mode 100644 index 0000000000..b935d9eec5 --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch @@ -0,0 +1,46 @@ +From 4e7e332b25a2794f381323518e52d8d95273b69e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?= <fkrenzel@redhat.com> +Date: Mon, 30 Jan 2023 12:59:20 +0000 +Subject: [PATCH] Bug 1812671 - build failure while implicitly casting + SECStatus to PRUInt32. r=nss-reviewers,mt + +Author of the patch: Bob Relyea <rrelyea@redhat.com> + +Differential Revision: https://phabricator.services.mozilla.com/D167983 + +--HG-- +extra : moz-landing-system : lando +--- + lib/ssl/ssl3exthandle.c | 2 +- + lib/ssl/sslsnce.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c +index b5ae62f39..7134447bf 100644 +--- a/lib/ssl/ssl3exthandle.c ++++ b/lib/ssl/ssl3exthandle.c +@@ -201,7 +201,7 @@ ssl3_FreeSniNameArray(TLSExtensionData *xtnData) + * Clients sends a filled in session ticket if one is available, and otherwise + * sends an empty ticket. Servers always send empty tickets. + */ +-PRInt32 ++SECStatus + ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData, + sslBuffer *buf, PRBool *added) + { +diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c +index 56edafa1f..49f041c97 100644 +--- a/lib/ssl/sslsnce.c ++++ b/lib/ssl/sslsnce.c +@@ -1820,7 +1820,7 @@ ssl_GetSelfEncryptKeyPair(SECKEYPublicKey **pubKey, + return SECSuccess; + } + +-static PRBool ++static SECStatus + ssl_GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName, + PK11SymKey **aesKey, PK11SymKey **macKey); + +-- +2.40.1 + diff --git a/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch b/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch new file mode 100644 index 0000000000..dc7e172aae --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch @@ -0,0 +1,75 @@ +From cbf5a2bce75ca2c2fd3e247796b9892f5298584e Mon Sep 17 00:00:00 2001 +From: "John M. Schanck" <jschanck@mozilla.com> +Date: Thu, 13 Apr 2023 17:43:46 +0000 +Subject: [PATCH] Bug 1826650 - cmd/ecperf: fix dangling pointer warning on gcc + 13. r=djackson + +Differential Revision: https://phabricator.services.mozilla.com/D174822 + +--HG-- +extra : moz-landing-system : lando +--- + cmd/ecperf/ecperf.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/cmd/ecperf/ecperf.c b/cmd/ecperf/ecperf.c +index 705d68f35..a07004d8e 100644 +--- a/cmd/ecperf/ecperf.c ++++ b/cmd/ecperf/ecperf.c +@@ -53,6 +53,7 @@ PKCS11Thread(void *data) + SECItem sig; + CK_SESSION_HANDLE session; + CK_RV crv; ++ void *tmp = NULL; + + threadData->status = SECSuccess; + threadData->count = 0; +@@ -68,6 +69,7 @@ PKCS11Thread(void *data) + if (threadData->isSign) { + sig.data = sigData; + sig.len = sizeof(sigData); ++ tmp = threadData->p2; + threadData->p2 = (void *)&sig; + } + +@@ -79,6 +81,10 @@ PKCS11Thread(void *data) + } + threadData->count++; + } ++ ++ if (threadData->isSign) { ++ threadData->p2 = tmp; ++ } + return; + } + +@@ -89,6 +95,7 @@ genericThread(void *data) + int iters = threadData->iters; + unsigned char sigData[256]; + SECItem sig; ++ void *tmp = NULL; + + threadData->status = SECSuccess; + threadData->count = 0; +@@ -96,6 +103,7 @@ genericThread(void *data) + if (threadData->isSign) { + sig.data = sigData; + sig.len = sizeof(sigData); ++ tmp = threadData->p2; + threadData->p2 = (void *)&sig; + } + +@@ -107,6 +115,10 @@ genericThread(void *data) + } + threadData->count++; + } ++ ++ if (threadData->isSign) { ++ threadData->p2 = tmp; ++ } + return; + } + +-- +2.40.1 + diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch new file mode 100644 index 0000000000..e67926fe50 --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2020-12401.patch @@ -0,0 +1,52 @@ +# HG changeset patch +# User Billy Brumley <bbrumley@gmail.com> +# Date 1595283525 0 +# Node ID aeb2e583ee957a699d949009c7ba37af76515c20 +# Parent ca207655b4b7cb1d3a5e438c1fb9b90d45596da6 +Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche + +Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding. + +Timing attack countermeasures are now applied more generally deeper in +the call stack. + +Differential Revision: https://phabricator.services.mozilla.com/D82011 + + +Upstream-Status: Backport + +CVE: CVE-2020-1240 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: nss-3.51.1/nss/lib/freebl/ec.c +=================================================================== +--- nss-3.51.1.orig/nss/lib/freebl/ec.c ++++ nss-3.51.1/nss/lib/freebl/ec.c +@@ -724,27 +724,6 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k + } + + /* +- ** We do not want timing information to leak the length of k, +- ** so we compute k*G using an equivalent scalar of fixed +- ** bit-length. +- ** Fix based on patch for ECDSA timing attack in the paper +- ** by Billy Bob Brumley and Nicola Tuveri at +- ** http://eprint.iacr.org/2011/232 +- ** +- ** How do we convert k to a value of a fixed bit-length? +- ** k starts off as an integer satisfying 0 <= k < n. Hence, +- ** n <= k+n < 2n, which means k+n has either the same number +- ** of bits as n or one more bit than n. If k+n has the same +- ** number of bits as n, the second addition ensures that the +- ** final value has exactly one more bit than n. Thus, we +- ** always end up with a value that exactly one more bit than n. +- */ +- CHECK_MPI_OK(mp_add(&k, &n, &k)); +- if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) { +- CHECK_MPI_OK(mp_add(&k, &n, &k)); +- } +- +- /* + ** ANSI X9.62, Section 5.3.2, Step 2 + ** + ** Compute kG diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-12403_1.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-12403_1.patch new file mode 100644 index 0000000000..a229a2d20f --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2020-12403_1.patch @@ -0,0 +1,65 @@ +From 9ff9d3925d31ab265a965ab1d16d76c496ddb5c8 Mon Sep 17 00:00:00 2001 +From: Benjamin Beurdouche <bbeurdouche@mozilla.com> +Date: Sat, 18 Jul 2020 00:13:38 +0000 +Subject: [PATCH] Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by + PKCS11. r=jcj,kjacobs,rrelyea + +Differential Revision: https://phabricator.services.mozilla.com/D74801 + +--HG-- +extra : moz-landing-system : lando +--- + nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc | 11 +++++++++-- + nss/lib/freebl/chacha20poly1305.c | 2 +- + 2 files changed, 10 insertions(+), 3 deletions(-) + +CVE: CVE-2020-12403 +Upstream-Status: Backport [https://github.com/nss-dev/nss/commit/9ff9d3925d31ab265a965ab1d16d76c496ddb5c8] +Comment: Refreshed path for whole patchset +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +diff --git a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc +index 41f9da71d6..3ea17678d9 100644 +--- a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc ++++ b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc +@@ -45,7 +45,7 @@ class Pkcs11ChaCha20Poly1305Test + SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params), + sizeof(aead_params)}; + +- // Encrypt with bad parameters. ++ // Encrypt with bad parameters (TagLen is too long). + unsigned int encrypted_len = 0; + std::vector<uint8_t> encrypted(data_len + aead_params.ulTagLen); + aead_params.ulTagLen = 158072; +@@ -54,9 +54,16 @@ class Pkcs11ChaCha20Poly1305Test + &encrypted_len, encrypted.size(), data, data_len); + EXPECT_EQ(SECFailure, rv); + EXPECT_EQ(0U, encrypted_len); +- aead_params.ulTagLen = 16; ++ ++ // Encrypt with bad parameters (TagLen is too short). ++ aead_params.ulTagLen = 2; ++ rv = PK11_Encrypt(key.get(), kMech, ¶ms, encrypted.data(), ++ &encrypted_len, encrypted.size(), data, data_len); ++ EXPECT_EQ(SECFailure, rv); ++ EXPECT_EQ(0U, encrypted_len); + + // Encrypt. ++ aead_params.ulTagLen = 16; + rv = PK11_Encrypt(key.get(), kMech, ¶ms, encrypted.data(), + &encrypted_len, encrypted.size(), data, data_len); + +diff --git a/nss/lib/freebl/chacha20poly1305.c b/nss/lib/freebl/chacha20poly1305.c +index 970c6436da..5c294a9eaf 100644 +--- a/nss/lib/freebl/chacha20poly1305.c ++++ b/nss/lib/freebl/chacha20poly1305.c +@@ -81,7 +81,7 @@ ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx, + PORT_SetError(SEC_ERROR_BAD_KEY); + return SECFailure; + } +- if (tagLen == 0 || tagLen > 16) { ++ if (tagLen != 16) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; + } + diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-12403_2.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-12403_2.patch new file mode 100644 index 0000000000..7b093d0cda --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2020-12403_2.patch @@ -0,0 +1,80 @@ +From 06b2b1c50bd4eaa7f65d858e5e3f44f678cb3c45 Mon Sep 17 00:00:00 2001 +From: Benjamin Beurdouche <bbeurdouche@mozilla.com> +Date: Sat, 18 Jul 2020 00:13:14 +0000 +Subject: [PATCH] Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. + r=kjacobs,rrelyea + +Depends on D74801 + +Differential Revision: https://phabricator.services.mozilla.com/D83994 + +--HG-- +extra : moz-landing-system : lando +--- + nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc | 49 +++++++++++++++++++++ + nss/lib/softoken/pkcs11c.c | 1 + + 2 files changed, 50 insertions(+) + +CVE: CVE-2020-12403 +Upstream-Status: Backport [https://github.com/nss-dev/nss/commit/06b2b1c50bd4eaa7f65d858e5e3f44f678cb3c45] +Comment: Refreshed path for whole patchset and removed change for pkcs11c.c +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +diff --git a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc +index 38982fd885..700750cc90 100644 +--- a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc ++++ b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc +@@ -77,4 +77,53 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) { + NSS_ShutdownContext(globalctx); + } + ++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) { ++ PK11SlotInfo* slot; ++ PK11SymKey* key; ++ PK11Context* ctx; ++ ++ NSSInitContext* globalctx = ++ NSS_InitContext("", "", "", "", NULL, ++ NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | ++ NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT); ++ ++ const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR; ++ ++ slot = PK11_GetInternalSlot(); ++ ASSERT_TRUE(slot); ++ ++ // Use arbitrary bytes for the ChaCha20 key and IV ++ uint8_t key_bytes[32]; ++ for (size_t i = 0; i < 32; i++) { ++ key_bytes[i] = i; ++ } ++ SECItem keyItem = {siBuffer, key_bytes, 32}; ++ ++ uint8_t iv_bytes[16]; ++ for (size_t i = 0; i < 16; i++) { ++ key_bytes[i] = i; ++ } ++ SECItem ivItem = {siBuffer, iv_bytes, 16}; ++ ++ SECItem* param = PK11_ParamFromIV(cipher, &ivItem); ++ ++ key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT, ++ &keyItem, NULL); ++ ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param); ++ ASSERT_TRUE(key); ++ ASSERT_TRUE(ctx); ++ ++ uint8_t outbuf[128]; ++ // This is supposed to fail for Chacha20. This is because the underlying ++ // PK11_CipherOp operation is calling the C_EncryptUpdate function for ++ // which multi-part is disabled for ChaCha20 in counter mode. ++ ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure); ++ ++ PK11_FreeSymKey(key); ++ PK11_FreeSlot(slot); ++ SECITEM_FreeItem(param, PR_TRUE); ++ PK11_DestroyContext(ctx, PR_TRUE); ++ NSS_ShutdownContext(globalctx); ++} ++ + } // namespace nss_test diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch new file mode 100644 index 0000000000..f30d4d32cd --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2020-25648.patch @@ -0,0 +1,163 @@ +# HG changeset patch +# User Daiki Ueno <dueno@redhat.com> +# Date 1602524521 0 +# Node ID 57bbefa793232586d27cee83e74411171e128361 +# Parent 6e3bc17f05086854ffd2b06f7fae9371f7a0c174 +Bug 1641480, TLS 1.3: tighten CCS handling in compatibility mode, r=mt + +This makes the server reject CCS when the client doesn't indicate the +use of the middlebox compatibility mode with a non-empty +ClientHello.legacy_session_id, or it sends multiple CCS in a row. + +Differential Revision: https://phabricator.services.mozilla.com/D79994 + +Upstream-Status: Backport +CVE: CVE-2020-25648 +Reference to upstream patch: https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361 +Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com> + +diff --color -Naur nss-3.51.1_old/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc nss-3.51.1/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc +--- nss-3.51.1_old/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc 2022-12-08 16:05:47.447142660 +0100 ++++ nss-3.51.1/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc 2022-12-08 16:12:32.645932052 +0100 +@@ -348,6 +348,85 @@ + client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT); + } + ++// The server rejects a ChangeCipherSpec if the client advertises an ++// empty session ID. ++TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS ++ ++ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ server_->Handshake(); // Consume ClientHello and CCS ++ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The server rejects multiple ChangeCipherSpec even if the client ++// indicates compatibility mode with non-empty session ID. ++TEST_F(Tls13CompatTest, ChangeCipherSpecAfterClientHelloTwice) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ EnableCompatMode(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ // Send CCS twice in a row ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ ++ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ server_->Handshake(); // Consume ClientHello and CCS. ++ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The client rejects a ChangeCipherSpec if it advertises an empty ++// session ID. ++TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ ++ // To replace Finished with a CCS below ++ auto filter = MakeTlsFilter<TlsHandshakeDropper>(server_); ++ filter->SetHandshakeTypes({kTlsHandshakeFinished}); ++ filter->EnableDecryption(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ server_->Handshake(); // Consume ClientHello, and ++ // send ServerHello..CertificateVerify ++ // Send CCS ++ server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ client_->Handshake(); // Consume ClientHello and CCS ++ client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ ++// The client rejects multiple ChangeCipherSpec in a row even if the ++// client indicates compatibility mode with non-empty session ID. ++TEST_F(Tls13CompatTest, ChangeCipherSpecAfterServerHelloTwice) { ++ EnsureTlsSetup(); ++ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); ++ EnableCompatMode(); ++ ++ // To replace Finished with a CCS below ++ auto filter = MakeTlsFilter<TlsHandshakeDropper>(server_); ++ filter->SetHandshakeTypes({kTlsHandshakeFinished}); ++ filter->EnableDecryption(); ++ ++ StartConnect(); ++ client_->Handshake(); // Send ClientHello ++ server_->Handshake(); // Consume ClientHello, and ++ // send ServerHello..CertificateVerify ++ // the ServerHello is followed by CCS ++ // Send another CCS ++ server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); ++ client_->ExpectSendAlert(kTlsAlertUnexpectedMessage); ++ client_->Handshake(); // Consume ClientHello and CCS ++ client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); ++} ++ + // If we negotiate 1.2, we abort. + TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHello12) { + EnsureTlsSetup(); +diff --color -Naur nss-3.51.1_old/nss/lib/ssl/ssl3con.c nss-3.51.1/nss/lib/ssl/ssl3con.c +--- nss-3.51.1_old/nss/lib/ssl/ssl3con.c 2022-12-08 16:05:47.471142833 +0100 ++++ nss-3.51.1/nss/lib/ssl/ssl3con.c 2022-12-08 16:12:42.037994262 +0100 +@@ -6711,7 +6711,11 @@ + + /* TLS 1.3: We sent a session ID. The server's should match. */ + if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) { +- return sidMatch; ++ if (sidMatch) { ++ ss->ssl3.hs.allowCcs = PR_TRUE; ++ return PR_TRUE; ++ } ++ return PR_FALSE; + } + + /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */ +@@ -8730,6 +8734,7 @@ + errCode = PORT_GetError(); + goto alert_loser; + } ++ ss->ssl3.hs.allowCcs = PR_TRUE; + } + + /* TLS 1.3 requires that compression include only null. */ +@@ -13058,8 +13063,15 @@ + ss->ssl3.hs.ws != idle_handshake && + cText->buf->len == 1 && + cText->buf->buf[0] == change_cipher_spec_choice) { +- /* Ignore the CCS. */ +- return SECSuccess; ++ if (ss->ssl3.hs.allowCcs) { ++ /* Ignore the first CCS. */ ++ ss->ssl3.hs.allowCcs = PR_FALSE; ++ return SECSuccess; ++ } ++ ++ /* Compatibility mode is not negotiated. */ ++ alert = unexpected_message; ++ PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER); + } + + if (IS_DTLS(ss) || +diff --color -Naur nss-3.51.1_old/nss/lib/ssl/sslimpl.h nss-3.51.1/nss/lib/ssl/sslimpl.h +--- nss-3.51.1_old/nss/lib/ssl/sslimpl.h 2022-12-08 16:05:47.471142833 +0100 ++++ nss-3.51.1/nss/lib/ssl/sslimpl.h 2022-12-08 16:12:45.106014567 +0100 +@@ -711,6 +711,10 @@ + * or received. */ + PRBool receivedCcs; /* A server received ChangeCipherSpec + * before the handshake started. */ ++ PRBool allowCcs; /* A server allows ChangeCipherSpec ++ * as the middlebox compatibility mode ++ * is explicitly indicarted by ++ * legacy_session_id in TLS 1.3 ClientHello. */ + PRBool clientCertRequested; /* True if CertificateRequest received. */ + ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def + * we use for TLS 1.3 */ diff --git a/meta-oe/recipes-support/nss/nss/CVE-2020-6829_12400.patch b/meta-oe/recipes-support/nss/nss/CVE-2020-6829_12400.patch new file mode 100644 index 0000000000..5fb9f773a6 --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2020-6829_12400.patch @@ -0,0 +1,19789 @@ + +# HG changeset patch +# User Billy Brumley <bbrumley@gmail.com> +# Date 1594909956 0 +# Node ID e55ab3145546ae3cf1333b43956a974675d2d25c +# Parent 688d2a7257586ba8ca7febe46e6ae43c4c1fe04e +Bug 1631583 - ECC: constant time P-384 r=bbeurdouche,rrelyea + +This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: + +[ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic. + +Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi> +Co-authored-by: Jesús-Javier Chi-DomÃnguez <jesus.chidominguez@tuni.fi> + +Differential Revision: https://phabricator.services.mozilla.com/D79267 + +Upstream-Status: Backport +https://hg.mozilla.org/projects/nss/raw-rev/e55ab3145546ae3cf1333b43956a974675d2d25c +CVE: CVE-2020-6829 +CVE: CVE-2020-12400 +Signed-off-by Armin Kuster <akuster@mvista.com> + +diff --git a/nss/lib/freebl/ecl/ecl-priv.h b/nss/lib/freebl/ecl/ecl-priv.h +--- a/nss/lib/freebl/ecl/ecl-priv.h ++++ b/nss/lib/freebl/ecl/ecl-priv.h +@@ -240,11 +240,12 @@ mp_err ec_group_set_gfp256(ECGroup *grou + mp_err ec_group_set_gfp384(ECGroup *group, ECCurveName); + mp_err ec_group_set_gfp521(ECGroup *group, ECCurveName); + mp_err ec_group_set_gf2m163(ECGroup *group, ECCurveName name); + mp_err ec_group_set_gf2m193(ECGroup *group, ECCurveName name); + mp_err ec_group_set_gf2m233(ECGroup *group, ECCurveName name); + + /* Optimized point multiplication */ + mp_err ec_group_set_gfp256_32(ECGroup *group, ECCurveName name); ++mp_err ec_group_set_secp384r1(ECGroup *group, ECCurveName name); + + SECStatus ec_Curve25519_mul(PRUint8 *q, const PRUint8 *s, const PRUint8 *p); + #endif /* __ecl_priv_h_ */ +diff --git a/lib/freebl/ecl/ecl.c b/lib/freebl/ecl/ecl.c +--- a/nss/lib/freebl/ecl/ecl.c ++++ b/nss/lib/freebl/ecl/ecl.c +@@ -159,16 +159,26 @@ construct_ecgroup(const ECCurveName name + &order, cofactor); + if (group == NULL) { + res = MP_UNDEF; + goto CLEANUP; + } + MP_CHECKOK(ec_group_set_gfp256(group, name)); + MP_CHECKOK(ec_group_set_gfp256_32(group, name)); + break; ++ case ECCurve_SECG_PRIME_384R1: ++ group = ++ ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, ++ &order, cofactor); ++ if (group == NULL) { ++ res = MP_UNDEF; ++ goto CLEANUP; ++ } ++ MP_CHECKOK(ec_group_set_secp384r1(group, name)); ++ break; + case ECCurve_SECG_PRIME_521R1: + group = + ECGroup_consGFp(&irr, &curvea, &curveb, &genx, &geny, + &order, cofactor); + if (group == NULL) { + res = MP_UNDEF; + goto CLEANUP; + } +diff --git a/lib/freebl/ecl/ecp_secp384r1.c b/lib/freebl/ecl/ecp_secp384r1.c +new file mode 100644 +--- /dev/null ++++ b/nss/lib/freebl/ecl/ecp_secp384r1.c +@@ -0,0 +1,19668 @@ ++/* Autogenerated: ECCKiila https://gitlab.com/nisec/ecckiila */ ++/*- ++ * MIT License ++ * ++ * Copyright (c) 2020 Luis Rivera-Zamarripa, Jesús-Javier Chi-DomÃnguez, Billy Bob Brumley ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in all ++ * copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++#if defined(__SIZEOF_INT128__) && !defined(PEDANTIC) ++ ++#include <stdint.h> ++#include <string.h> ++#define LIMB_BITS 64 ++#define LIMB_CNT 6 ++/* Field elements */ ++typedef uint64_t fe_t[LIMB_CNT]; ++typedef uint64_t limb_t; ++ ++#define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) ++#define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) ++ ++/* Projective points */ ++typedef struct { ++ fe_t X; ++ fe_t Y; ++ fe_t Z; ++} pt_prj_t; ++ ++/* Affine points */ ++typedef struct { ++ fe_t X; ++ fe_t Y; ++} pt_aff_t; ++ ++/* BEGIN verbatim fiat code https://github.com/mit-plv/fiat-crypto */ ++/*- ++ * MIT License ++ * ++ * Copyright (c) 2020 the fiat-crypto authors (see the AUTHORS file) ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++/* Autogenerated: word_by_word_montgomery --static secp384r1 64 '2^384 - 2^128 - 2^96 + 2^32 - 1' */ ++/* curve description: secp384r1 */ ++/* machine_wordsize = 64 (from "64") */ ++/* requested operations: (all) */ ++/* m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") */ ++/* */ ++/* NOTE: In addition to the bounds specified above each function, all */ ++/* functions synthesized for this Montgomery arithmetic require the */ ++/* input to be strictly less than the prime modulus (m), and also */ ++/* require the input to be in the unique saturated representation. */ ++/* All functions also ensure that these two properties are true of */ ++/* return values. */ ++/* */ ++/* Computed values: */ ++/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) */ ++/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ ++ ++#include <stdint.h> ++typedef unsigned char fiat_secp384r1_uint1; ++typedef signed char fiat_secp384r1_int1; ++typedef signed __int128 fiat_secp384r1_int128; ++typedef unsigned __int128 fiat_secp384r1_uint128; ++ ++#if (-1 & 3) != 3 ++#error "This code only works on a two's complement system" ++#endif ++ ++/* ++ * The function fiat_secp384r1_addcarryx_u64 is an addition with carry. ++ * Postconditions: ++ * out1 = (arg1 + arg2 + arg3) mod 2^64 ++ * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [0x0 ~> 0xffffffffffffffff] ++ * arg3: [0x0 ~> 0xffffffffffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffffffffffff] ++ * out2: [0x0 ~> 0x1] ++ */ ++static void ++fiat_secp384r1_addcarryx_u64(uint64_t *out1, ++ fiat_secp384r1_uint1 *out2, ++ fiat_secp384r1_uint1 arg1, ++ uint64_t arg2, uint64_t arg3) ++{ ++ fiat_secp384r1_uint128 x1; ++ uint64_t x2; ++ fiat_secp384r1_uint1 x3; ++ x1 = ((arg1 + (fiat_secp384r1_uint128)arg2) + arg3); ++ x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); ++ x3 = (fiat_secp384r1_uint1)(x1 >> 64); ++ *out1 = x2; ++ *out2 = x3; ++} ++ ++/* ++ * The function fiat_secp384r1_subborrowx_u64 is a subtraction with borrow. ++ * Postconditions: ++ * out1 = (-arg1 + arg2 + -arg3) mod 2^64 ++ * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [0x0 ~> 0xffffffffffffffff] ++ * arg3: [0x0 ~> 0xffffffffffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffffffffffff] ++ * out2: [0x0 ~> 0x1] ++ */ ++static void ++fiat_secp384r1_subborrowx_u64(uint64_t *out1, ++ fiat_secp384r1_uint1 *out2, ++ fiat_secp384r1_uint1 arg1, ++ uint64_t arg2, uint64_t arg3) ++{ ++ fiat_secp384r1_int128 x1; ++ fiat_secp384r1_int1 x2; ++ uint64_t x3; ++ x1 = ((arg2 - (fiat_secp384r1_int128)arg1) - arg3); ++ x2 = (fiat_secp384r1_int1)(x1 >> 64); ++ x3 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); ++ *out1 = x3; ++ *out2 = (fiat_secp384r1_uint1)(0x0 - x2); ++} ++ ++/* ++ * The function fiat_secp384r1_mulx_u64 is a multiplication, returning the full double-width result. ++ * Postconditions: ++ * out1 = (arg1 * arg2) mod 2^64 ++ * out2 = ⌊arg1 * arg2 / 2^64⌋ ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0xffffffffffffffff] ++ * arg2: [0x0 ~> 0xffffffffffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffffffffffff] ++ * out2: [0x0 ~> 0xffffffffffffffff] ++ */ ++static void ++fiat_secp384r1_mulx_u64(uint64_t *out1, uint64_t *out2, ++ uint64_t arg1, uint64_t arg2) ++{ ++ fiat_secp384r1_uint128 x1; ++ uint64_t x2; ++ uint64_t x3; ++ x1 = ((fiat_secp384r1_uint128)arg1 * arg2); ++ x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); ++ x3 = (uint64_t)(x1 >> 64); ++ *out1 = x2; ++ *out2 = x3; ++} ++ ++/* ++ * The function fiat_secp384r1_cmovznz_u64 is a single-word conditional move. ++ * Postconditions: ++ * out1 = (if arg1 = 0 then arg2 else arg3) ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [0x0 ~> 0xffffffffffffffff] ++ * arg3: [0x0 ~> 0xffffffffffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffffffffffff] ++ */ ++static void ++fiat_secp384r1_cmovznz_u64(uint64_t *out1, ++ fiat_secp384r1_uint1 arg1, uint64_t arg2, ++ uint64_t arg3) ++{ ++ fiat_secp384r1_uint1 x1; ++ uint64_t x2; ++ uint64_t x3; ++ x1 = (!(!arg1)); ++ x2 = ((fiat_secp384r1_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); ++ x3 = ((x2 & arg3) | ((~x2) & arg2)); ++ *out1 = x3; ++} ++ ++/* ++ * The function fiat_secp384r1_mul multiplies two field elements in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * 0 ≤ eval arg2 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_mul(uint64_t out1[6], const uint64_t arg1[6], ++ const uint64_t arg2[6]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ uint64_t x7; ++ uint64_t x8; ++ uint64_t x9; ++ uint64_t x10; ++ uint64_t x11; ++ uint64_t x12; ++ uint64_t x13; ++ uint64_t x14; ++ uint64_t x15; ++ uint64_t x16; ++ uint64_t x17; ++ uint64_t x18; ++ uint64_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint64_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint64_t x23; ++ fiat_secp384r1_uint1 x24; ++ uint64_t x25; ++ fiat_secp384r1_uint1 x26; ++ uint64_t x27; ++ fiat_secp384r1_uint1 x28; ++ uint64_t x29; ++ uint64_t x30; ++ uint64_t x31; ++ uint64_t x32; ++ uint64_t x33; ++ uint64_t x34; ++ uint64_t x35; ++ uint64_t x36; ++ uint64_t x37; ++ uint64_t x38; ++ uint64_t x39; ++ uint64_t x40; ++ uint64_t x41; ++ uint64_t x42; ++ uint64_t x43; ++ uint64_t x44; ++ fiat_secp384r1_uint1 x45; ++ uint64_t x46; ++ fiat_secp384r1_uint1 x47; ++ uint64_t x48; ++ fiat_secp384r1_uint1 x49; ++ uint64_t x50; ++ fiat_secp384r1_uint1 x51; ++ uint64_t x52; ++ fiat_secp384r1_uint1 x53; ++ uint64_t x54; ++ uint64_t x55; ++ fiat_secp384r1_uint1 x56; ++ uint64_t x57; ++ fiat_secp384r1_uint1 x58; ++ uint64_t x59; ++ fiat_secp384r1_uint1 x60; ++ uint64_t x61; ++ fiat_secp384r1_uint1 x62; ++ uint64_t x63; ++ fiat_secp384r1_uint1 x64; ++ uint64_t x65; ++ fiat_secp384r1_uint1 x66; ++ uint64_t x67; ++ fiat_secp384r1_uint1 x68; ++ uint64_t x69; ++ uint64_t x70; ++ uint64_t x71; ++ uint64_t x72; ++ uint64_t x73; ++ uint64_t x74; ++ uint64_t x75; ++ uint64_t x76; ++ uint64_t x77; ++ uint64_t x78; ++ uint64_t x79; ++ uint64_t x80; ++ uint64_t x81; ++ fiat_secp384r1_uint1 x82; ++ uint64_t x83; ++ fiat_secp384r1_uint1 x84; ++ uint64_t x85; ++ fiat_secp384r1_uint1 x86; ++ uint64_t x87; ++ fiat_secp384r1_uint1 x88; ++ uint64_t x89; ++ fiat_secp384r1_uint1 x90; ++ uint64_t x91; ++ uint64_t x92; ++ fiat_secp384r1_uint1 x93; ++ uint64_t x94; ++ fiat_secp384r1_uint1 x95; ++ uint64_t x96; ++ fiat_secp384r1_uint1 x97; ++ uint64_t x98; ++ fiat_secp384r1_uint1 x99; ++ uint64_t x100; ++ fiat_secp384r1_uint1 x101; ++ uint64_t x102; ++ fiat_secp384r1_uint1 x103; ++ uint64_t x104; ++ fiat_secp384r1_uint1 x105; ++ uint64_t x106; ++ uint64_t x107; ++ uint64_t x108; ++ uint64_t x109; ++ uint64_t x110; ++ uint64_t x111; ++ uint64_t x112; ++ uint64_t x113; ++ uint64_t x114; ++ uint64_t x115; ++ uint64_t x116; ++ uint64_t x117; ++ uint64_t x118; ++ uint64_t x119; ++ uint64_t x120; ++ fiat_secp384r1_uint1 x121; ++ uint64_t x122; ++ fiat_secp384r1_uint1 x123; ++ uint64_t x124; ++ fiat_secp384r1_uint1 x125; ++ uint64_t x126; ++ fiat_secp384r1_uint1 x127; ++ uint64_t x128; ++ fiat_secp384r1_uint1 x129; ++ uint64_t x130; ++ uint64_t x131; ++ fiat_secp384r1_uint1 x132; ++ uint64_t x133; ++ fiat_secp384r1_uint1 x134; ++ uint64_t x135; ++ fiat_secp384r1_uint1 x136; ++ uint64_t x137; ++ fiat_secp384r1_uint1 x138; ++ uint64_t x139; ++ fiat_secp384r1_uint1 x140; ++ uint64_t x141; ++ fiat_secp384r1_uint1 x142; ++ uint64_t x143; ++ fiat_secp384r1_uint1 x144; ++ uint64_t x145; ++ uint64_t x146; ++ uint64_t x147; ++ uint64_t x148; ++ uint64_t x149; ++ uint64_t x150; ++ uint64_t x151; ++ uint64_t x152; ++ uint64_t x153; ++ uint64_t x154; ++ uint64_t x155; ++ uint64_t x156; ++ uint64_t x157; ++ uint64_t x158; ++ fiat_secp384r1_uint1 x159; ++ uint64_t x160; ++ fiat_secp384r1_uint1 x161; ++ uint64_t x162; ++ fiat_secp384r1_uint1 x163; ++ uint64_t x164; ++ fiat_secp384r1_uint1 x165; ++ uint64_t x166; ++ fiat_secp384r1_uint1 x167; ++ uint64_t x168; ++ uint64_t x169; ++ fiat_secp384r1_uint1 x170; ++ uint64_t x171; ++ fiat_secp384r1_uint1 x172; ++ uint64_t x173; ++ fiat_secp384r1_uint1 x174; ++ uint64_t x175; ++ fiat_secp384r1_uint1 x176; ++ uint64_t x177; ++ fiat_secp384r1_uint1 x178; ++ uint64_t x179; ++ fiat_secp384r1_uint1 x180; ++ uint64_t x181; ++ fiat_secp384r1_uint1 x182; ++ uint64_t x183; ++ uint64_t x184; ++ uint64_t x185; ++ uint64_t x186; ++ uint64_t x187; ++ uint64_t x188; ++ uint64_t x189; ++ uint64_t x190; ++ uint64_t x191; ++ uint64_t x192; ++ uint64_t x193; ++ uint64_t x194; ++ uint64_t x195; ++ uint64_t x196; ++ uint64_t x197; ++ fiat_secp384r1_uint1 x198; ++ uint64_t x199; ++ fiat_secp384r1_uint1 x200; ++ uint64_t x201; ++ fiat_secp384r1_uint1 x202; ++ uint64_t x203; ++ fiat_secp384r1_uint1 x204; ++ uint64_t x205; ++ fiat_secp384r1_uint1 x206; ++ uint64_t x207; ++ uint64_t x208; ++ fiat_secp384r1_uint1 x209; ++ uint64_t x210; ++ fiat_secp384r1_uint1 x211; ++ uint64_t x212; ++ fiat_secp384r1_uint1 x213; ++ uint64_t x214; ++ fiat_secp384r1_uint1 x215; ++ uint64_t x216; ++ fiat_secp384r1_uint1 x217; ++ uint64_t x218; ++ fiat_secp384r1_uint1 x219; ++ uint64_t x220; ++ fiat_secp384r1_uint1 x221; ++ uint64_t x222; ++ uint64_t x223; ++ uint64_t x224; ++ uint64_t x225; ++ uint64_t x226; ++ uint64_t x227; ++ uint64_t x228; ++ uint64_t x229; ++ uint64_t x230; ++ uint64_t x231; ++ uint64_t x232; ++ uint64_t x233; ++ uint64_t x234; ++ uint64_t x235; ++ fiat_secp384r1_uint1 x236; ++ uint64_t x237; ++ fiat_secp384r1_uint1 x238; ++ uint64_t x239; ++ fiat_secp384r1_uint1 x240; ++ uint64_t x241; ++ fiat_secp384r1_uint1 x242; ++ uint64_t x243; ++ fiat_secp384r1_uint1 x244; ++ uint64_t x245; ++ uint64_t x246; ++ fiat_secp384r1_uint1 x247; ++ uint64_t x248; ++ fiat_secp384r1_uint1 x249; ++ uint64_t x250; ++ fiat_secp384r1_uint1 x251; ++ uint64_t x252; ++ fiat_secp384r1_uint1 x253; ++ uint64_t x254; ++ fiat_secp384r1_uint1 x255; ++ uint64_t x256; ++ fiat_secp384r1_uint1 x257; ++ uint64_t x258; ++ fiat_secp384r1_uint1 x259; ++ uint64_t x260; ++ uint64_t x261; ++ uint64_t x262; ++ uint64_t x263; ++ uint64_t x264; ++ uint64_t x265; ++ uint64_t x266; ++ uint64_t x267; ++ uint64_t x268; ++ uint64_t x269; ++ uint64_t x270; ++ uint64_t x271; ++ uint64_t x272; ++ uint64_t x273; ++ uint64_t x274; ++ fiat_secp384r1_uint1 x275; ++ uint64_t x276; ++ fiat_secp384r1_uint1 x277; ++ uint64_t x278; ++ fiat_secp384r1_uint1 x279; ++ uint64_t x280; ++ fiat_secp384r1_uint1 x281; ++ uint64_t x282; ++ fiat_secp384r1_uint1 x283; ++ uint64_t x284; ++ uint64_t x285; ++ fiat_secp384r1_uint1 x286; ++ uint64_t x287; ++ fiat_secp384r1_uint1 x288; ++ uint64_t x289; ++ fiat_secp384r1_uint1 x290; ++ uint64_t x291; ++ fiat_secp384r1_uint1 x292; ++ uint64_t x293; ++ fiat_secp384r1_uint1 x294; ++ uint64_t x295; ++ fiat_secp384r1_uint1 x296; ++ uint64_t x297; ++ fiat_secp384r1_uint1 x298; ++ uint64_t x299; ++ uint64_t x300; ++ uint64_t x301; ++ uint64_t x302; ++ uint64_t x303; ++ uint64_t x304; ++ uint64_t x305; ++ uint64_t x306; ++ uint64_t x307; ++ uint64_t x308; ++ uint64_t x309; ++ uint64_t x310; ++ uint64_t x311; ++ uint64_t x312; ++ fiat_secp384r1_uint1 x313; ++ uint64_t x314; ++ fiat_secp384r1_uint1 x315; ++ uint64_t x316; ++ fiat_secp384r1_uint1 x317; ++ uint64_t x318; ++ fiat_secp384r1_uint1 x319; ++ uint64_t x320; ++ fiat_secp384r1_uint1 x321; ++ uint64_t x322; ++ uint64_t x323; ++ fiat_secp384r1_uint1 x324; ++ uint64_t x325; ++ fiat_secp384r1_uint1 x326; ++ uint64_t x327; ++ fiat_secp384r1_uint1 x328; ++ uint64_t x329; ++ fiat_secp384r1_uint1 x330; ++ uint64_t x331; ++ fiat_secp384r1_uint1 x332; ++ uint64_t x333; ++ fiat_secp384r1_uint1 x334; ++ uint64_t x335; ++ fiat_secp384r1_uint1 x336; ++ uint64_t x337; ++ uint64_t x338; ++ uint64_t x339; ++ uint64_t x340; ++ uint64_t x341; ++ uint64_t x342; ++ uint64_t x343; ++ uint64_t x344; ++ uint64_t x345; ++ uint64_t x346; ++ uint64_t x347; ++ uint64_t x348; ++ uint64_t x349; ++ uint64_t x350; ++ uint64_t x351; ++ fiat_secp384r1_uint1 x352; ++ uint64_t x353; ++ fiat_secp384r1_uint1 x354; ++ uint64_t x355; ++ fiat_secp384r1_uint1 x356; ++ uint64_t x357; ++ fiat_secp384r1_uint1 x358; ++ uint64_t x359; ++ fiat_secp384r1_uint1 x360; ++ uint64_t x361; ++ uint64_t x362; ++ fiat_secp384r1_uint1 x363; ++ uint64_t x364; ++ fiat_secp384r1_uint1 x365; ++ uint64_t x366; ++ fiat_secp384r1_uint1 x367; ++ uint64_t x368; ++ fiat_secp384r1_uint1 x369; ++ uint64_t x370; ++ fiat_secp384r1_uint1 x371; ++ uint64_t x372; ++ fiat_secp384r1_uint1 x373; ++ uint64_t x374; ++ fiat_secp384r1_uint1 x375; ++ uint64_t x376; ++ uint64_t x377; ++ uint64_t x378; ++ uint64_t x379; ++ uint64_t x380; ++ uint64_t x381; ++ uint64_t x382; ++ uint64_t x383; ++ uint64_t x384; ++ uint64_t x385; ++ uint64_t x386; ++ uint64_t x387; ++ uint64_t x388; ++ uint64_t x389; ++ fiat_secp384r1_uint1 x390; ++ uint64_t x391; ++ fiat_secp384r1_uint1 x392; ++ uint64_t x393; ++ fiat_secp384r1_uint1 x394; ++ uint64_t x395; ++ fiat_secp384r1_uint1 x396; ++ uint64_t x397; ++ fiat_secp384r1_uint1 x398; ++ uint64_t x399; ++ uint64_t x400; ++ fiat_secp384r1_uint1 x401; ++ uint64_t x402; ++ fiat_secp384r1_uint1 x403; ++ uint64_t x404; ++ fiat_secp384r1_uint1 x405; ++ uint64_t x406; ++ fiat_secp384r1_uint1 x407; ++ uint64_t x408; ++ fiat_secp384r1_uint1 x409; ++ uint64_t x410; ++ fiat_secp384r1_uint1 x411; ++ uint64_t x412; ++ fiat_secp384r1_uint1 x413; ++ uint64_t x414; ++ uint64_t x415; ++ uint64_t x416; ++ uint64_t x417; ++ uint64_t x418; ++ uint64_t x419; ++ uint64_t x420; ++ uint64_t x421; ++ uint64_t x422; ++ uint64_t x423; ++ uint64_t x424; ++ uint64_t x425; ++ uint64_t x426; ++ uint64_t x427; ++ uint64_t x428; ++ fiat_secp384r1_uint1 x429; ++ uint64_t x430; ++ fiat_secp384r1_uint1 x431; ++ uint64_t x432; ++ fiat_secp384r1_uint1 x433; ++ uint64_t x434; ++ fiat_secp384r1_uint1 x435; ++ uint64_t x436; ++ fiat_secp384r1_uint1 x437; ++ uint64_t x438; ++ uint64_t x439; ++ fiat_secp384r1_uint1 x440; ++ uint64_t x441; ++ fiat_secp384r1_uint1 x442; ++ uint64_t x443; ++ fiat_secp384r1_uint1 x444; ++ uint64_t x445; ++ fiat_secp384r1_uint1 x446; ++ uint64_t x447; ++ fiat_secp384r1_uint1 x448; ++ uint64_t x449; ++ fiat_secp384r1_uint1 x450; ++ uint64_t x451; ++ fiat_secp384r1_uint1 x452; ++ uint64_t x453; ++ uint64_t x454; ++ fiat_secp384r1_uint1 x455; ++ uint64_t x456; ++ fiat_secp384r1_uint1 x457; ++ uint64_t x458; ++ fiat_secp384r1_uint1 x459; ++ uint64_t x460; ++ fiat_secp384r1_uint1 x461; ++ uint64_t x462; ++ fiat_secp384r1_uint1 x463; ++ uint64_t x464; ++ fiat_secp384r1_uint1 x465; ++ uint64_t x466; ++ fiat_secp384r1_uint1 x467; ++ uint64_t x468; ++ uint64_t x469; ++ uint64_t x470; ++ uint64_t x471; ++ uint64_t x472; ++ uint64_t x473; ++ x1 = (arg1[1]); ++ x2 = (arg1[2]); ++ x3 = (arg1[3]); ++ x4 = (arg1[4]); ++ x5 = (arg1[5]); ++ x6 = (arg1[0]); ++ fiat_secp384r1_mulx_u64(&x7, &x8, x6, (arg2[5])); ++ fiat_secp384r1_mulx_u64(&x9, &x10, x6, (arg2[4])); ++ fiat_secp384r1_mulx_u64(&x11, &x12, x6, (arg2[3])); ++ fiat_secp384r1_mulx_u64(&x13, &x14, x6, (arg2[2])); ++ fiat_secp384r1_mulx_u64(&x15, &x16, x6, (arg2[1])); ++ fiat_secp384r1_mulx_u64(&x17, &x18, x6, (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x19, &x20, 0x0, x18, x15); ++ fiat_secp384r1_addcarryx_u64(&x21, &x22, x20, x16, x13); ++ fiat_secp384r1_addcarryx_u64(&x23, &x24, x22, x14, x11); ++ fiat_secp384r1_addcarryx_u64(&x25, &x26, x24, x12, x9); ++ fiat_secp384r1_addcarryx_u64(&x27, &x28, x26, x10, x7); ++ x29 = (x28 + x8); ++ fiat_secp384r1_mulx_u64(&x30, &x31, x17, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x32, &x33, x30, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x34, &x35, x30, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x36, &x37, x30, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x38, &x39, x30, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x40, &x41, x30, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x42, &x43, x30, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x44, &x45, 0x0, x43, x40); ++ fiat_secp384r1_addcarryx_u64(&x46, &x47, x45, x41, x38); ++ fiat_secp384r1_addcarryx_u64(&x48, &x49, x47, x39, x36); ++ fiat_secp384r1_addcarryx_u64(&x50, &x51, x49, x37, x34); ++ fiat_secp384r1_addcarryx_u64(&x52, &x53, x51, x35, x32); ++ x54 = (x53 + x33); ++ fiat_secp384r1_addcarryx_u64(&x55, &x56, 0x0, x17, x42); ++ fiat_secp384r1_addcarryx_u64(&x57, &x58, x56, x19, x44); ++ fiat_secp384r1_addcarryx_u64(&x59, &x60, x58, x21, x46); ++ fiat_secp384r1_addcarryx_u64(&x61, &x62, x60, x23, x48); ++ fiat_secp384r1_addcarryx_u64(&x63, &x64, x62, x25, x50); ++ fiat_secp384r1_addcarryx_u64(&x65, &x66, x64, x27, x52); ++ fiat_secp384r1_addcarryx_u64(&x67, &x68, x66, x29, x54); ++ fiat_secp384r1_mulx_u64(&x69, &x70, x1, (arg2[5])); ++ fiat_secp384r1_mulx_u64(&x71, &x72, x1, (arg2[4])); ++ fiat_secp384r1_mulx_u64(&x73, &x74, x1, (arg2[3])); ++ fiat_secp384r1_mulx_u64(&x75, &x76, x1, (arg2[2])); ++ fiat_secp384r1_mulx_u64(&x77, &x78, x1, (arg2[1])); ++ fiat_secp384r1_mulx_u64(&x79, &x80, x1, (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x81, &x82, 0x0, x80, x77); ++ fiat_secp384r1_addcarryx_u64(&x83, &x84, x82, x78, x75); ++ fiat_secp384r1_addcarryx_u64(&x85, &x86, x84, x76, x73); ++ fiat_secp384r1_addcarryx_u64(&x87, &x88, x86, x74, x71); ++ fiat_secp384r1_addcarryx_u64(&x89, &x90, x88, x72, x69); ++ x91 = (x90 + x70); ++ fiat_secp384r1_addcarryx_u64(&x92, &x93, 0x0, x57, x79); ++ fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x59, x81); ++ fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x61, x83); ++ fiat_secp384r1_addcarryx_u64(&x98, &x99, x97, x63, x85); ++ fiat_secp384r1_addcarryx_u64(&x100, &x101, x99, x65, x87); ++ fiat_secp384r1_addcarryx_u64(&x102, &x103, x101, x67, x89); ++ fiat_secp384r1_addcarryx_u64(&x104, &x105, x103, x68, x91); ++ fiat_secp384r1_mulx_u64(&x106, &x107, x92, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x108, &x109, x106, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x110, &x111, x106, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x112, &x113, x106, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x114, &x115, x106, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x116, &x117, x106, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x118, &x119, x106, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x120, &x121, 0x0, x119, x116); ++ fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x117, x114); ++ fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x115, x112); ++ fiat_secp384r1_addcarryx_u64(&x126, &x127, x125, x113, x110); ++ fiat_secp384r1_addcarryx_u64(&x128, &x129, x127, x111, x108); ++ x130 = (x129 + x109); ++ fiat_secp384r1_addcarryx_u64(&x131, &x132, 0x0, x92, x118); ++ fiat_secp384r1_addcarryx_u64(&x133, &x134, x132, x94, x120); ++ fiat_secp384r1_addcarryx_u64(&x135, &x136, x134, x96, x122); ++ fiat_secp384r1_addcarryx_u64(&x137, &x138, x136, x98, x124); ++ fiat_secp384r1_addcarryx_u64(&x139, &x140, x138, x100, x126); ++ fiat_secp384r1_addcarryx_u64(&x141, &x142, x140, x102, x128); ++ fiat_secp384r1_addcarryx_u64(&x143, &x144, x142, x104, x130); ++ x145 = ((uint64_t)x144 + x105); ++ fiat_secp384r1_mulx_u64(&x146, &x147, x2, (arg2[5])); ++ fiat_secp384r1_mulx_u64(&x148, &x149, x2, (arg2[4])); ++ fiat_secp384r1_mulx_u64(&x150, &x151, x2, (arg2[3])); ++ fiat_secp384r1_mulx_u64(&x152, &x153, x2, (arg2[2])); ++ fiat_secp384r1_mulx_u64(&x154, &x155, x2, (arg2[1])); ++ fiat_secp384r1_mulx_u64(&x156, &x157, x2, (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x158, &x159, 0x0, x157, x154); ++ fiat_secp384r1_addcarryx_u64(&x160, &x161, x159, x155, x152); ++ fiat_secp384r1_addcarryx_u64(&x162, &x163, x161, x153, x150); ++ fiat_secp384r1_addcarryx_u64(&x164, &x165, x163, x151, x148); ++ fiat_secp384r1_addcarryx_u64(&x166, &x167, x165, x149, x146); ++ x168 = (x167 + x147); ++ fiat_secp384r1_addcarryx_u64(&x169, &x170, 0x0, x133, x156); ++ fiat_secp384r1_addcarryx_u64(&x171, &x172, x170, x135, x158); ++ fiat_secp384r1_addcarryx_u64(&x173, &x174, x172, x137, x160); ++ fiat_secp384r1_addcarryx_u64(&x175, &x176, x174, x139, x162); ++ fiat_secp384r1_addcarryx_u64(&x177, &x178, x176, x141, x164); ++ fiat_secp384r1_addcarryx_u64(&x179, &x180, x178, x143, x166); ++ fiat_secp384r1_addcarryx_u64(&x181, &x182, x180, x145, x168); ++ fiat_secp384r1_mulx_u64(&x183, &x184, x169, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x185, &x186, x183, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x187, &x188, x183, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x189, &x190, x183, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x191, &x192, x183, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x193, &x194, x183, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x195, &x196, x183, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x197, &x198, 0x0, x196, x193); ++ fiat_secp384r1_addcarryx_u64(&x199, &x200, x198, x194, x191); ++ fiat_secp384r1_addcarryx_u64(&x201, &x202, x200, x192, x189); ++ fiat_secp384r1_addcarryx_u64(&x203, &x204, x202, x190, x187); ++ fiat_secp384r1_addcarryx_u64(&x205, &x206, x204, x188, x185); ++ x207 = (x206 + x186); ++ fiat_secp384r1_addcarryx_u64(&x208, &x209, 0x0, x169, x195); ++ fiat_secp384r1_addcarryx_u64(&x210, &x211, x209, x171, x197); ++ fiat_secp384r1_addcarryx_u64(&x212, &x213, x211, x173, x199); ++ fiat_secp384r1_addcarryx_u64(&x214, &x215, x213, x175, x201); ++ fiat_secp384r1_addcarryx_u64(&x216, &x217, x215, x177, x203); ++ fiat_secp384r1_addcarryx_u64(&x218, &x219, x217, x179, x205); ++ fiat_secp384r1_addcarryx_u64(&x220, &x221, x219, x181, x207); ++ x222 = ((uint64_t)x221 + x182); ++ fiat_secp384r1_mulx_u64(&x223, &x224, x3, (arg2[5])); ++ fiat_secp384r1_mulx_u64(&x225, &x226, x3, (arg2[4])); ++ fiat_secp384r1_mulx_u64(&x227, &x228, x3, (arg2[3])); ++ fiat_secp384r1_mulx_u64(&x229, &x230, x3, (arg2[2])); ++ fiat_secp384r1_mulx_u64(&x231, &x232, x3, (arg2[1])); ++ fiat_secp384r1_mulx_u64(&x233, &x234, x3, (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x235, &x236, 0x0, x234, x231); ++ fiat_secp384r1_addcarryx_u64(&x237, &x238, x236, x232, x229); ++ fiat_secp384r1_addcarryx_u64(&x239, &x240, x238, x230, x227); ++ fiat_secp384r1_addcarryx_u64(&x241, &x242, x240, x228, x225); ++ fiat_secp384r1_addcarryx_u64(&x243, &x244, x242, x226, x223); ++ x245 = (x244 + x224); ++ fiat_secp384r1_addcarryx_u64(&x246, &x247, 0x0, x210, x233); ++ fiat_secp384r1_addcarryx_u64(&x248, &x249, x247, x212, x235); ++ fiat_secp384r1_addcarryx_u64(&x250, &x251, x249, x214, x237); ++ fiat_secp384r1_addcarryx_u64(&x252, &x253, x251, x216, x239); ++ fiat_secp384r1_addcarryx_u64(&x254, &x255, x253, x218, x241); ++ fiat_secp384r1_addcarryx_u64(&x256, &x257, x255, x220, x243); ++ fiat_secp384r1_addcarryx_u64(&x258, &x259, x257, x222, x245); ++ fiat_secp384r1_mulx_u64(&x260, &x261, x246, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x262, &x263, x260, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x264, &x265, x260, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x266, &x267, x260, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x268, &x269, x260, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x270, &x271, x260, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x272, &x273, x260, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x274, &x275, 0x0, x273, x270); ++ fiat_secp384r1_addcarryx_u64(&x276, &x277, x275, x271, x268); ++ fiat_secp384r1_addcarryx_u64(&x278, &x279, x277, x269, x266); ++ fiat_secp384r1_addcarryx_u64(&x280, &x281, x279, x267, x264); ++ fiat_secp384r1_addcarryx_u64(&x282, &x283, x281, x265, x262); ++ x284 = (x283 + x263); ++ fiat_secp384r1_addcarryx_u64(&x285, &x286, 0x0, x246, x272); ++ fiat_secp384r1_addcarryx_u64(&x287, &x288, x286, x248, x274); ++ fiat_secp384r1_addcarryx_u64(&x289, &x290, x288, x250, x276); ++ fiat_secp384r1_addcarryx_u64(&x291, &x292, x290, x252, x278); ++ fiat_secp384r1_addcarryx_u64(&x293, &x294, x292, x254, x280); ++ fiat_secp384r1_addcarryx_u64(&x295, &x296, x294, x256, x282); ++ fiat_secp384r1_addcarryx_u64(&x297, &x298, x296, x258, x284); ++ x299 = ((uint64_t)x298 + x259); ++ fiat_secp384r1_mulx_u64(&x300, &x301, x4, (arg2[5])); ++ fiat_secp384r1_mulx_u64(&x302, &x303, x4, (arg2[4])); ++ fiat_secp384r1_mulx_u64(&x304, &x305, x4, (arg2[3])); ++ fiat_secp384r1_mulx_u64(&x306, &x307, x4, (arg2[2])); ++ fiat_secp384r1_mulx_u64(&x308, &x309, x4, (arg2[1])); ++ fiat_secp384r1_mulx_u64(&x310, &x311, x4, (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x312, &x313, 0x0, x311, x308); ++ fiat_secp384r1_addcarryx_u64(&x314, &x315, x313, x309, x306); ++ fiat_secp384r1_addcarryx_u64(&x316, &x317, x315, x307, x304); ++ fiat_secp384r1_addcarryx_u64(&x318, &x319, x317, x305, x302); ++ fiat_secp384r1_addcarryx_u64(&x320, &x321, x319, x303, x300); ++ x322 = (x321 + x301); ++ fiat_secp384r1_addcarryx_u64(&x323, &x324, 0x0, x287, x310); ++ fiat_secp384r1_addcarryx_u64(&x325, &x326, x324, x289, x312); ++ fiat_secp384r1_addcarryx_u64(&x327, &x328, x326, x291, x314); ++ fiat_secp384r1_addcarryx_u64(&x329, &x330, x328, x293, x316); ++ fiat_secp384r1_addcarryx_u64(&x331, &x332, x330, x295, x318); ++ fiat_secp384r1_addcarryx_u64(&x333, &x334, x332, x297, x320); ++ fiat_secp384r1_addcarryx_u64(&x335, &x336, x334, x299, x322); ++ fiat_secp384r1_mulx_u64(&x337, &x338, x323, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x339, &x340, x337, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x341, &x342, x337, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x343, &x344, x337, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x345, &x346, x337, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x347, &x348, x337, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x349, &x350, x337, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x351, &x352, 0x0, x350, x347); ++ fiat_secp384r1_addcarryx_u64(&x353, &x354, x352, x348, x345); ++ fiat_secp384r1_addcarryx_u64(&x355, &x356, x354, x346, x343); ++ fiat_secp384r1_addcarryx_u64(&x357, &x358, x356, x344, x341); ++ fiat_secp384r1_addcarryx_u64(&x359, &x360, x358, x342, x339); ++ x361 = (x360 + x340); ++ fiat_secp384r1_addcarryx_u64(&x362, &x363, 0x0, x323, x349); ++ fiat_secp384r1_addcarryx_u64(&x364, &x365, x363, x325, x351); ++ fiat_secp384r1_addcarryx_u64(&x366, &x367, x365, x327, x353); ++ fiat_secp384r1_addcarryx_u64(&x368, &x369, x367, x329, x355); ++ fiat_secp384r1_addcarryx_u64(&x370, &x371, x369, x331, x357); ++ fiat_secp384r1_addcarryx_u64(&x372, &x373, x371, x333, x359); ++ fiat_secp384r1_addcarryx_u64(&x374, &x375, x373, x335, x361); ++ x376 = ((uint64_t)x375 + x336); ++ fiat_secp384r1_mulx_u64(&x377, &x378, x5, (arg2[5])); ++ fiat_secp384r1_mulx_u64(&x379, &x380, x5, (arg2[4])); ++ fiat_secp384r1_mulx_u64(&x381, &x382, x5, (arg2[3])); ++ fiat_secp384r1_mulx_u64(&x383, &x384, x5, (arg2[2])); ++ fiat_secp384r1_mulx_u64(&x385, &x386, x5, (arg2[1])); ++ fiat_secp384r1_mulx_u64(&x387, &x388, x5, (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x389, &x390, 0x0, x388, x385); ++ fiat_secp384r1_addcarryx_u64(&x391, &x392, x390, x386, x383); ++ fiat_secp384r1_addcarryx_u64(&x393, &x394, x392, x384, x381); ++ fiat_secp384r1_addcarryx_u64(&x395, &x396, x394, x382, x379); ++ fiat_secp384r1_addcarryx_u64(&x397, &x398, x396, x380, x377); ++ x399 = (x398 + x378); ++ fiat_secp384r1_addcarryx_u64(&x400, &x401, 0x0, x364, x387); ++ fiat_secp384r1_addcarryx_u64(&x402, &x403, x401, x366, x389); ++ fiat_secp384r1_addcarryx_u64(&x404, &x405, x403, x368, x391); ++ fiat_secp384r1_addcarryx_u64(&x406, &x407, x405, x370, x393); ++ fiat_secp384r1_addcarryx_u64(&x408, &x409, x407, x372, x395); ++ fiat_secp384r1_addcarryx_u64(&x410, &x411, x409, x374, x397); ++ fiat_secp384r1_addcarryx_u64(&x412, &x413, x411, x376, x399); ++ fiat_secp384r1_mulx_u64(&x414, &x415, x400, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x416, &x417, x414, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x418, &x419, x414, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x420, &x421, x414, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x422, &x423, x414, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x424, &x425, x414, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x426, &x427, x414, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x428, &x429, 0x0, x427, x424); ++ fiat_secp384r1_addcarryx_u64(&x430, &x431, x429, x425, x422); ++ fiat_secp384r1_addcarryx_u64(&x432, &x433, x431, x423, x420); ++ fiat_secp384r1_addcarryx_u64(&x434, &x435, x433, x421, x418); ++ fiat_secp384r1_addcarryx_u64(&x436, &x437, x435, x419, x416); ++ x438 = (x437 + x417); ++ fiat_secp384r1_addcarryx_u64(&x439, &x440, 0x0, x400, x426); ++ fiat_secp384r1_addcarryx_u64(&x441, &x442, x440, x402, x428); ++ fiat_secp384r1_addcarryx_u64(&x443, &x444, x442, x404, x430); ++ fiat_secp384r1_addcarryx_u64(&x445, &x446, x444, x406, x432); ++ fiat_secp384r1_addcarryx_u64(&x447, &x448, x446, x408, x434); ++ fiat_secp384r1_addcarryx_u64(&x449, &x450, x448, x410, x436); ++ fiat_secp384r1_addcarryx_u64(&x451, &x452, x450, x412, x438); ++ x453 = ((uint64_t)x452 + x413); ++ fiat_secp384r1_subborrowx_u64(&x454, &x455, 0x0, x441, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x456, &x457, x455, x443, ++ UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_subborrowx_u64(&x458, &x459, x457, x445, ++ UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_subborrowx_u64(&x460, &x461, x459, x447, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x462, &x463, x461, x449, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x464, &x465, x463, x451, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x466, &x467, x465, x453, 0x0); ++ fiat_secp384r1_cmovznz_u64(&x468, x467, x454, x441); ++ fiat_secp384r1_cmovznz_u64(&x469, x467, x456, x443); ++ fiat_secp384r1_cmovznz_u64(&x470, x467, x458, x445); ++ fiat_secp384r1_cmovznz_u64(&x471, x467, x460, x447); ++ fiat_secp384r1_cmovznz_u64(&x472, x467, x462, x449); ++ fiat_secp384r1_cmovznz_u64(&x473, x467, x464, x451); ++ out1[0] = x468; ++ out1[1] = x469; ++ out1[2] = x470; ++ out1[3] = x471; ++ out1[4] = x472; ++ out1[5] = x473; ++} ++ ++/* ++ * The function fiat_secp384r1_square squares a field element in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_square(uint64_t out1[6], const uint64_t arg1[6]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ uint64_t x7; ++ uint64_t x8; ++ uint64_t x9; ++ uint64_t x10; ++ uint64_t x11; ++ uint64_t x12; ++ uint64_t x13; ++ uint64_t x14; ++ uint64_t x15; ++ uint64_t x16; ++ uint64_t x17; ++ uint64_t x18; ++ uint64_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint64_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint64_t x23; ++ fiat_secp384r1_uint1 x24; ++ uint64_t x25; ++ fiat_secp384r1_uint1 x26; ++ uint64_t x27; ++ fiat_secp384r1_uint1 x28; ++ uint64_t x29; ++ uint64_t x30; ++ uint64_t x31; ++ uint64_t x32; ++ uint64_t x33; ++ uint64_t x34; ++ uint64_t x35; ++ uint64_t x36; ++ uint64_t x37; ++ uint64_t x38; ++ uint64_t x39; ++ uint64_t x40; ++ uint64_t x41; ++ uint64_t x42; ++ uint64_t x43; ++ uint64_t x44; ++ fiat_secp384r1_uint1 x45; ++ uint64_t x46; ++ fiat_secp384r1_uint1 x47; ++ uint64_t x48; ++ fiat_secp384r1_uint1 x49; ++ uint64_t x50; ++ fiat_secp384r1_uint1 x51; ++ uint64_t x52; ++ fiat_secp384r1_uint1 x53; ++ uint64_t x54; ++ uint64_t x55; ++ fiat_secp384r1_uint1 x56; ++ uint64_t x57; ++ fiat_secp384r1_uint1 x58; ++ uint64_t x59; ++ fiat_secp384r1_uint1 x60; ++ uint64_t x61; ++ fiat_secp384r1_uint1 x62; ++ uint64_t x63; ++ fiat_secp384r1_uint1 x64; ++ uint64_t x65; ++ fiat_secp384r1_uint1 x66; ++ uint64_t x67; ++ fiat_secp384r1_uint1 x68; ++ uint64_t x69; ++ uint64_t x70; ++ uint64_t x71; ++ uint64_t x72; ++ uint64_t x73; ++ uint64_t x74; ++ uint64_t x75; ++ uint64_t x76; ++ uint64_t x77; ++ uint64_t x78; ++ uint64_t x79; ++ uint64_t x80; ++ uint64_t x81; ++ fiat_secp384r1_uint1 x82; ++ uint64_t x83; ++ fiat_secp384r1_uint1 x84; ++ uint64_t x85; ++ fiat_secp384r1_uint1 x86; ++ uint64_t x87; ++ fiat_secp384r1_uint1 x88; ++ uint64_t x89; ++ fiat_secp384r1_uint1 x90; ++ uint64_t x91; ++ uint64_t x92; ++ fiat_secp384r1_uint1 x93; ++ uint64_t x94; ++ fiat_secp384r1_uint1 x95; ++ uint64_t x96; ++ fiat_secp384r1_uint1 x97; ++ uint64_t x98; ++ fiat_secp384r1_uint1 x99; ++ uint64_t x100; ++ fiat_secp384r1_uint1 x101; ++ uint64_t x102; ++ fiat_secp384r1_uint1 x103; ++ uint64_t x104; ++ fiat_secp384r1_uint1 x105; ++ uint64_t x106; ++ uint64_t x107; ++ uint64_t x108; ++ uint64_t x109; ++ uint64_t x110; ++ uint64_t x111; ++ uint64_t x112; ++ uint64_t x113; ++ uint64_t x114; ++ uint64_t x115; ++ uint64_t x116; ++ uint64_t x117; ++ uint64_t x118; ++ uint64_t x119; ++ uint64_t x120; ++ fiat_secp384r1_uint1 x121; ++ uint64_t x122; ++ fiat_secp384r1_uint1 x123; ++ uint64_t x124; ++ fiat_secp384r1_uint1 x125; ++ uint64_t x126; ++ fiat_secp384r1_uint1 x127; ++ uint64_t x128; ++ fiat_secp384r1_uint1 x129; ++ uint64_t x130; ++ uint64_t x131; ++ fiat_secp384r1_uint1 x132; ++ uint64_t x133; ++ fiat_secp384r1_uint1 x134; ++ uint64_t x135; ++ fiat_secp384r1_uint1 x136; ++ uint64_t x137; ++ fiat_secp384r1_uint1 x138; ++ uint64_t x139; ++ fiat_secp384r1_uint1 x140; ++ uint64_t x141; ++ fiat_secp384r1_uint1 x142; ++ uint64_t x143; ++ fiat_secp384r1_uint1 x144; ++ uint64_t x145; ++ uint64_t x146; ++ uint64_t x147; ++ uint64_t x148; ++ uint64_t x149; ++ uint64_t x150; ++ uint64_t x151; ++ uint64_t x152; ++ uint64_t x153; ++ uint64_t x154; ++ uint64_t x155; ++ uint64_t x156; ++ uint64_t x157; ++ uint64_t x158; ++ fiat_secp384r1_uint1 x159; ++ uint64_t x160; ++ fiat_secp384r1_uint1 x161; ++ uint64_t x162; ++ fiat_secp384r1_uint1 x163; ++ uint64_t x164; ++ fiat_secp384r1_uint1 x165; ++ uint64_t x166; ++ fiat_secp384r1_uint1 x167; ++ uint64_t x168; ++ uint64_t x169; ++ fiat_secp384r1_uint1 x170; ++ uint64_t x171; ++ fiat_secp384r1_uint1 x172; ++ uint64_t x173; ++ fiat_secp384r1_uint1 x174; ++ uint64_t x175; ++ fiat_secp384r1_uint1 x176; ++ uint64_t x177; ++ fiat_secp384r1_uint1 x178; ++ uint64_t x179; ++ fiat_secp384r1_uint1 x180; ++ uint64_t x181; ++ fiat_secp384r1_uint1 x182; ++ uint64_t x183; ++ uint64_t x184; ++ uint64_t x185; ++ uint64_t x186; ++ uint64_t x187; ++ uint64_t x188; ++ uint64_t x189; ++ uint64_t x190; ++ uint64_t x191; ++ uint64_t x192; ++ uint64_t x193; ++ uint64_t x194; ++ uint64_t x195; ++ uint64_t x196; ++ uint64_t x197; ++ fiat_secp384r1_uint1 x198; ++ uint64_t x199; ++ fiat_secp384r1_uint1 x200; ++ uint64_t x201; ++ fiat_secp384r1_uint1 x202; ++ uint64_t x203; ++ fiat_secp384r1_uint1 x204; ++ uint64_t x205; ++ fiat_secp384r1_uint1 x206; ++ uint64_t x207; ++ uint64_t x208; ++ fiat_secp384r1_uint1 x209; ++ uint64_t x210; ++ fiat_secp384r1_uint1 x211; ++ uint64_t x212; ++ fiat_secp384r1_uint1 x213; ++ uint64_t x214; ++ fiat_secp384r1_uint1 x215; ++ uint64_t x216; ++ fiat_secp384r1_uint1 x217; ++ uint64_t x218; ++ fiat_secp384r1_uint1 x219; ++ uint64_t x220; ++ fiat_secp384r1_uint1 x221; ++ uint64_t x222; ++ uint64_t x223; ++ uint64_t x224; ++ uint64_t x225; ++ uint64_t x226; ++ uint64_t x227; ++ uint64_t x228; ++ uint64_t x229; ++ uint64_t x230; ++ uint64_t x231; ++ uint64_t x232; ++ uint64_t x233; ++ uint64_t x234; ++ uint64_t x235; ++ fiat_secp384r1_uint1 x236; ++ uint64_t x237; ++ fiat_secp384r1_uint1 x238; ++ uint64_t x239; ++ fiat_secp384r1_uint1 x240; ++ uint64_t x241; ++ fiat_secp384r1_uint1 x242; ++ uint64_t x243; ++ fiat_secp384r1_uint1 x244; ++ uint64_t x245; ++ uint64_t x246; ++ fiat_secp384r1_uint1 x247; ++ uint64_t x248; ++ fiat_secp384r1_uint1 x249; ++ uint64_t x250; ++ fiat_secp384r1_uint1 x251; ++ uint64_t x252; ++ fiat_secp384r1_uint1 x253; ++ uint64_t x254; ++ fiat_secp384r1_uint1 x255; ++ uint64_t x256; ++ fiat_secp384r1_uint1 x257; ++ uint64_t x258; ++ fiat_secp384r1_uint1 x259; ++ uint64_t x260; ++ uint64_t x261; ++ uint64_t x262; ++ uint64_t x263; ++ uint64_t x264; ++ uint64_t x265; ++ uint64_t x266; ++ uint64_t x267; ++ uint64_t x268; ++ uint64_t x269; ++ uint64_t x270; ++ uint64_t x271; ++ uint64_t x272; ++ uint64_t x273; ++ uint64_t x274; ++ fiat_secp384r1_uint1 x275; ++ uint64_t x276; ++ fiat_secp384r1_uint1 x277; ++ uint64_t x278; ++ fiat_secp384r1_uint1 x279; ++ uint64_t x280; ++ fiat_secp384r1_uint1 x281; ++ uint64_t x282; ++ fiat_secp384r1_uint1 x283; ++ uint64_t x284; ++ uint64_t x285; ++ fiat_secp384r1_uint1 x286; ++ uint64_t x287; ++ fiat_secp384r1_uint1 x288; ++ uint64_t x289; ++ fiat_secp384r1_uint1 x290; ++ uint64_t x291; ++ fiat_secp384r1_uint1 x292; ++ uint64_t x293; ++ fiat_secp384r1_uint1 x294; ++ uint64_t x295; ++ fiat_secp384r1_uint1 x296; ++ uint64_t x297; ++ fiat_secp384r1_uint1 x298; ++ uint64_t x299; ++ uint64_t x300; ++ uint64_t x301; ++ uint64_t x302; ++ uint64_t x303; ++ uint64_t x304; ++ uint64_t x305; ++ uint64_t x306; ++ uint64_t x307; ++ uint64_t x308; ++ uint64_t x309; ++ uint64_t x310; ++ uint64_t x311; ++ uint64_t x312; ++ fiat_secp384r1_uint1 x313; ++ uint64_t x314; ++ fiat_secp384r1_uint1 x315; ++ uint64_t x316; ++ fiat_secp384r1_uint1 x317; ++ uint64_t x318; ++ fiat_secp384r1_uint1 x319; ++ uint64_t x320; ++ fiat_secp384r1_uint1 x321; ++ uint64_t x322; ++ uint64_t x323; ++ fiat_secp384r1_uint1 x324; ++ uint64_t x325; ++ fiat_secp384r1_uint1 x326; ++ uint64_t x327; ++ fiat_secp384r1_uint1 x328; ++ uint64_t x329; ++ fiat_secp384r1_uint1 x330; ++ uint64_t x331; ++ fiat_secp384r1_uint1 x332; ++ uint64_t x333; ++ fiat_secp384r1_uint1 x334; ++ uint64_t x335; ++ fiat_secp384r1_uint1 x336; ++ uint64_t x337; ++ uint64_t x338; ++ uint64_t x339; ++ uint64_t x340; ++ uint64_t x341; ++ uint64_t x342; ++ uint64_t x343; ++ uint64_t x344; ++ uint64_t x345; ++ uint64_t x346; ++ uint64_t x347; ++ uint64_t x348; ++ uint64_t x349; ++ uint64_t x350; ++ uint64_t x351; ++ fiat_secp384r1_uint1 x352; ++ uint64_t x353; ++ fiat_secp384r1_uint1 x354; ++ uint64_t x355; ++ fiat_secp384r1_uint1 x356; ++ uint64_t x357; ++ fiat_secp384r1_uint1 x358; ++ uint64_t x359; ++ fiat_secp384r1_uint1 x360; ++ uint64_t x361; ++ uint64_t x362; ++ fiat_secp384r1_uint1 x363; ++ uint64_t x364; ++ fiat_secp384r1_uint1 x365; ++ uint64_t x366; ++ fiat_secp384r1_uint1 x367; ++ uint64_t x368; ++ fiat_secp384r1_uint1 x369; ++ uint64_t x370; ++ fiat_secp384r1_uint1 x371; ++ uint64_t x372; ++ fiat_secp384r1_uint1 x373; ++ uint64_t x374; ++ fiat_secp384r1_uint1 x375; ++ uint64_t x376; ++ uint64_t x377; ++ uint64_t x378; ++ uint64_t x379; ++ uint64_t x380; ++ uint64_t x381; ++ uint64_t x382; ++ uint64_t x383; ++ uint64_t x384; ++ uint64_t x385; ++ uint64_t x386; ++ uint64_t x387; ++ uint64_t x388; ++ uint64_t x389; ++ fiat_secp384r1_uint1 x390; ++ uint64_t x391; ++ fiat_secp384r1_uint1 x392; ++ uint64_t x393; ++ fiat_secp384r1_uint1 x394; ++ uint64_t x395; ++ fiat_secp384r1_uint1 x396; ++ uint64_t x397; ++ fiat_secp384r1_uint1 x398; ++ uint64_t x399; ++ uint64_t x400; ++ fiat_secp384r1_uint1 x401; ++ uint64_t x402; ++ fiat_secp384r1_uint1 x403; ++ uint64_t x404; ++ fiat_secp384r1_uint1 x405; ++ uint64_t x406; ++ fiat_secp384r1_uint1 x407; ++ uint64_t x408; ++ fiat_secp384r1_uint1 x409; ++ uint64_t x410; ++ fiat_secp384r1_uint1 x411; ++ uint64_t x412; ++ fiat_secp384r1_uint1 x413; ++ uint64_t x414; ++ uint64_t x415; ++ uint64_t x416; ++ uint64_t x417; ++ uint64_t x418; ++ uint64_t x419; ++ uint64_t x420; ++ uint64_t x421; ++ uint64_t x422; ++ uint64_t x423; ++ uint64_t x424; ++ uint64_t x425; ++ uint64_t x426; ++ uint64_t x427; ++ uint64_t x428; ++ fiat_secp384r1_uint1 x429; ++ uint64_t x430; ++ fiat_secp384r1_uint1 x431; ++ uint64_t x432; ++ fiat_secp384r1_uint1 x433; ++ uint64_t x434; ++ fiat_secp384r1_uint1 x435; ++ uint64_t x436; ++ fiat_secp384r1_uint1 x437; ++ uint64_t x438; ++ uint64_t x439; ++ fiat_secp384r1_uint1 x440; ++ uint64_t x441; ++ fiat_secp384r1_uint1 x442; ++ uint64_t x443; ++ fiat_secp384r1_uint1 x444; ++ uint64_t x445; ++ fiat_secp384r1_uint1 x446; ++ uint64_t x447; ++ fiat_secp384r1_uint1 x448; ++ uint64_t x449; ++ fiat_secp384r1_uint1 x450; ++ uint64_t x451; ++ fiat_secp384r1_uint1 x452; ++ uint64_t x453; ++ uint64_t x454; ++ fiat_secp384r1_uint1 x455; ++ uint64_t x456; ++ fiat_secp384r1_uint1 x457; ++ uint64_t x458; ++ fiat_secp384r1_uint1 x459; ++ uint64_t x460; ++ fiat_secp384r1_uint1 x461; ++ uint64_t x462; ++ fiat_secp384r1_uint1 x463; ++ uint64_t x464; ++ fiat_secp384r1_uint1 x465; ++ uint64_t x466; ++ fiat_secp384r1_uint1 x467; ++ uint64_t x468; ++ uint64_t x469; ++ uint64_t x470; ++ uint64_t x471; ++ uint64_t x472; ++ uint64_t x473; ++ x1 = (arg1[1]); ++ x2 = (arg1[2]); ++ x3 = (arg1[3]); ++ x4 = (arg1[4]); ++ x5 = (arg1[5]); ++ x6 = (arg1[0]); ++ fiat_secp384r1_mulx_u64(&x7, &x8, x6, (arg1[5])); ++ fiat_secp384r1_mulx_u64(&x9, &x10, x6, (arg1[4])); ++ fiat_secp384r1_mulx_u64(&x11, &x12, x6, (arg1[3])); ++ fiat_secp384r1_mulx_u64(&x13, &x14, x6, (arg1[2])); ++ fiat_secp384r1_mulx_u64(&x15, &x16, x6, (arg1[1])); ++ fiat_secp384r1_mulx_u64(&x17, &x18, x6, (arg1[0])); ++ fiat_secp384r1_addcarryx_u64(&x19, &x20, 0x0, x18, x15); ++ fiat_secp384r1_addcarryx_u64(&x21, &x22, x20, x16, x13); ++ fiat_secp384r1_addcarryx_u64(&x23, &x24, x22, x14, x11); ++ fiat_secp384r1_addcarryx_u64(&x25, &x26, x24, x12, x9); ++ fiat_secp384r1_addcarryx_u64(&x27, &x28, x26, x10, x7); ++ x29 = (x28 + x8); ++ fiat_secp384r1_mulx_u64(&x30, &x31, x17, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x32, &x33, x30, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x34, &x35, x30, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x36, &x37, x30, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x38, &x39, x30, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x40, &x41, x30, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x42, &x43, x30, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x44, &x45, 0x0, x43, x40); ++ fiat_secp384r1_addcarryx_u64(&x46, &x47, x45, x41, x38); ++ fiat_secp384r1_addcarryx_u64(&x48, &x49, x47, x39, x36); ++ fiat_secp384r1_addcarryx_u64(&x50, &x51, x49, x37, x34); ++ fiat_secp384r1_addcarryx_u64(&x52, &x53, x51, x35, x32); ++ x54 = (x53 + x33); ++ fiat_secp384r1_addcarryx_u64(&x55, &x56, 0x0, x17, x42); ++ fiat_secp384r1_addcarryx_u64(&x57, &x58, x56, x19, x44); ++ fiat_secp384r1_addcarryx_u64(&x59, &x60, x58, x21, x46); ++ fiat_secp384r1_addcarryx_u64(&x61, &x62, x60, x23, x48); ++ fiat_secp384r1_addcarryx_u64(&x63, &x64, x62, x25, x50); ++ fiat_secp384r1_addcarryx_u64(&x65, &x66, x64, x27, x52); ++ fiat_secp384r1_addcarryx_u64(&x67, &x68, x66, x29, x54); ++ fiat_secp384r1_mulx_u64(&x69, &x70, x1, (arg1[5])); ++ fiat_secp384r1_mulx_u64(&x71, &x72, x1, (arg1[4])); ++ fiat_secp384r1_mulx_u64(&x73, &x74, x1, (arg1[3])); ++ fiat_secp384r1_mulx_u64(&x75, &x76, x1, (arg1[2])); ++ fiat_secp384r1_mulx_u64(&x77, &x78, x1, (arg1[1])); ++ fiat_secp384r1_mulx_u64(&x79, &x80, x1, (arg1[0])); ++ fiat_secp384r1_addcarryx_u64(&x81, &x82, 0x0, x80, x77); ++ fiat_secp384r1_addcarryx_u64(&x83, &x84, x82, x78, x75); ++ fiat_secp384r1_addcarryx_u64(&x85, &x86, x84, x76, x73); ++ fiat_secp384r1_addcarryx_u64(&x87, &x88, x86, x74, x71); ++ fiat_secp384r1_addcarryx_u64(&x89, &x90, x88, x72, x69); ++ x91 = (x90 + x70); ++ fiat_secp384r1_addcarryx_u64(&x92, &x93, 0x0, x57, x79); ++ fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x59, x81); ++ fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x61, x83); ++ fiat_secp384r1_addcarryx_u64(&x98, &x99, x97, x63, x85); ++ fiat_secp384r1_addcarryx_u64(&x100, &x101, x99, x65, x87); ++ fiat_secp384r1_addcarryx_u64(&x102, &x103, x101, x67, x89); ++ fiat_secp384r1_addcarryx_u64(&x104, &x105, x103, x68, x91); ++ fiat_secp384r1_mulx_u64(&x106, &x107, x92, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x108, &x109, x106, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x110, &x111, x106, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x112, &x113, x106, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x114, &x115, x106, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x116, &x117, x106, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x118, &x119, x106, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x120, &x121, 0x0, x119, x116); ++ fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x117, x114); ++ fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x115, x112); ++ fiat_secp384r1_addcarryx_u64(&x126, &x127, x125, x113, x110); ++ fiat_secp384r1_addcarryx_u64(&x128, &x129, x127, x111, x108); ++ x130 = (x129 + x109); ++ fiat_secp384r1_addcarryx_u64(&x131, &x132, 0x0, x92, x118); ++ fiat_secp384r1_addcarryx_u64(&x133, &x134, x132, x94, x120); ++ fiat_secp384r1_addcarryx_u64(&x135, &x136, x134, x96, x122); ++ fiat_secp384r1_addcarryx_u64(&x137, &x138, x136, x98, x124); ++ fiat_secp384r1_addcarryx_u64(&x139, &x140, x138, x100, x126); ++ fiat_secp384r1_addcarryx_u64(&x141, &x142, x140, x102, x128); ++ fiat_secp384r1_addcarryx_u64(&x143, &x144, x142, x104, x130); ++ x145 = ((uint64_t)x144 + x105); ++ fiat_secp384r1_mulx_u64(&x146, &x147, x2, (arg1[5])); ++ fiat_secp384r1_mulx_u64(&x148, &x149, x2, (arg1[4])); ++ fiat_secp384r1_mulx_u64(&x150, &x151, x2, (arg1[3])); ++ fiat_secp384r1_mulx_u64(&x152, &x153, x2, (arg1[2])); ++ fiat_secp384r1_mulx_u64(&x154, &x155, x2, (arg1[1])); ++ fiat_secp384r1_mulx_u64(&x156, &x157, x2, (arg1[0])); ++ fiat_secp384r1_addcarryx_u64(&x158, &x159, 0x0, x157, x154); ++ fiat_secp384r1_addcarryx_u64(&x160, &x161, x159, x155, x152); ++ fiat_secp384r1_addcarryx_u64(&x162, &x163, x161, x153, x150); ++ fiat_secp384r1_addcarryx_u64(&x164, &x165, x163, x151, x148); ++ fiat_secp384r1_addcarryx_u64(&x166, &x167, x165, x149, x146); ++ x168 = (x167 + x147); ++ fiat_secp384r1_addcarryx_u64(&x169, &x170, 0x0, x133, x156); ++ fiat_secp384r1_addcarryx_u64(&x171, &x172, x170, x135, x158); ++ fiat_secp384r1_addcarryx_u64(&x173, &x174, x172, x137, x160); ++ fiat_secp384r1_addcarryx_u64(&x175, &x176, x174, x139, x162); ++ fiat_secp384r1_addcarryx_u64(&x177, &x178, x176, x141, x164); ++ fiat_secp384r1_addcarryx_u64(&x179, &x180, x178, x143, x166); ++ fiat_secp384r1_addcarryx_u64(&x181, &x182, x180, x145, x168); ++ fiat_secp384r1_mulx_u64(&x183, &x184, x169, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x185, &x186, x183, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x187, &x188, x183, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x189, &x190, x183, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x191, &x192, x183, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x193, &x194, x183, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x195, &x196, x183, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x197, &x198, 0x0, x196, x193); ++ fiat_secp384r1_addcarryx_u64(&x199, &x200, x198, x194, x191); ++ fiat_secp384r1_addcarryx_u64(&x201, &x202, x200, x192, x189); ++ fiat_secp384r1_addcarryx_u64(&x203, &x204, x202, x190, x187); ++ fiat_secp384r1_addcarryx_u64(&x205, &x206, x204, x188, x185); ++ x207 = (x206 + x186); ++ fiat_secp384r1_addcarryx_u64(&x208, &x209, 0x0, x169, x195); ++ fiat_secp384r1_addcarryx_u64(&x210, &x211, x209, x171, x197); ++ fiat_secp384r1_addcarryx_u64(&x212, &x213, x211, x173, x199); ++ fiat_secp384r1_addcarryx_u64(&x214, &x215, x213, x175, x201); ++ fiat_secp384r1_addcarryx_u64(&x216, &x217, x215, x177, x203); ++ fiat_secp384r1_addcarryx_u64(&x218, &x219, x217, x179, x205); ++ fiat_secp384r1_addcarryx_u64(&x220, &x221, x219, x181, x207); ++ x222 = ((uint64_t)x221 + x182); ++ fiat_secp384r1_mulx_u64(&x223, &x224, x3, (arg1[5])); ++ fiat_secp384r1_mulx_u64(&x225, &x226, x3, (arg1[4])); ++ fiat_secp384r1_mulx_u64(&x227, &x228, x3, (arg1[3])); ++ fiat_secp384r1_mulx_u64(&x229, &x230, x3, (arg1[2])); ++ fiat_secp384r1_mulx_u64(&x231, &x232, x3, (arg1[1])); ++ fiat_secp384r1_mulx_u64(&x233, &x234, x3, (arg1[0])); ++ fiat_secp384r1_addcarryx_u64(&x235, &x236, 0x0, x234, x231); ++ fiat_secp384r1_addcarryx_u64(&x237, &x238, x236, x232, x229); ++ fiat_secp384r1_addcarryx_u64(&x239, &x240, x238, x230, x227); ++ fiat_secp384r1_addcarryx_u64(&x241, &x242, x240, x228, x225); ++ fiat_secp384r1_addcarryx_u64(&x243, &x244, x242, x226, x223); ++ x245 = (x244 + x224); ++ fiat_secp384r1_addcarryx_u64(&x246, &x247, 0x0, x210, x233); ++ fiat_secp384r1_addcarryx_u64(&x248, &x249, x247, x212, x235); ++ fiat_secp384r1_addcarryx_u64(&x250, &x251, x249, x214, x237); ++ fiat_secp384r1_addcarryx_u64(&x252, &x253, x251, x216, x239); ++ fiat_secp384r1_addcarryx_u64(&x254, &x255, x253, x218, x241); ++ fiat_secp384r1_addcarryx_u64(&x256, &x257, x255, x220, x243); ++ fiat_secp384r1_addcarryx_u64(&x258, &x259, x257, x222, x245); ++ fiat_secp384r1_mulx_u64(&x260, &x261, x246, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x262, &x263, x260, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x264, &x265, x260, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x266, &x267, x260, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x268, &x269, x260, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x270, &x271, x260, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x272, &x273, x260, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x274, &x275, 0x0, x273, x270); ++ fiat_secp384r1_addcarryx_u64(&x276, &x277, x275, x271, x268); ++ fiat_secp384r1_addcarryx_u64(&x278, &x279, x277, x269, x266); ++ fiat_secp384r1_addcarryx_u64(&x280, &x281, x279, x267, x264); ++ fiat_secp384r1_addcarryx_u64(&x282, &x283, x281, x265, x262); ++ x284 = (x283 + x263); ++ fiat_secp384r1_addcarryx_u64(&x285, &x286, 0x0, x246, x272); ++ fiat_secp384r1_addcarryx_u64(&x287, &x288, x286, x248, x274); ++ fiat_secp384r1_addcarryx_u64(&x289, &x290, x288, x250, x276); ++ fiat_secp384r1_addcarryx_u64(&x291, &x292, x290, x252, x278); ++ fiat_secp384r1_addcarryx_u64(&x293, &x294, x292, x254, x280); ++ fiat_secp384r1_addcarryx_u64(&x295, &x296, x294, x256, x282); ++ fiat_secp384r1_addcarryx_u64(&x297, &x298, x296, x258, x284); ++ x299 = ((uint64_t)x298 + x259); ++ fiat_secp384r1_mulx_u64(&x300, &x301, x4, (arg1[5])); ++ fiat_secp384r1_mulx_u64(&x302, &x303, x4, (arg1[4])); ++ fiat_secp384r1_mulx_u64(&x304, &x305, x4, (arg1[3])); ++ fiat_secp384r1_mulx_u64(&x306, &x307, x4, (arg1[2])); ++ fiat_secp384r1_mulx_u64(&x308, &x309, x4, (arg1[1])); ++ fiat_secp384r1_mulx_u64(&x310, &x311, x4, (arg1[0])); ++ fiat_secp384r1_addcarryx_u64(&x312, &x313, 0x0, x311, x308); ++ fiat_secp384r1_addcarryx_u64(&x314, &x315, x313, x309, x306); ++ fiat_secp384r1_addcarryx_u64(&x316, &x317, x315, x307, x304); ++ fiat_secp384r1_addcarryx_u64(&x318, &x319, x317, x305, x302); ++ fiat_secp384r1_addcarryx_u64(&x320, &x321, x319, x303, x300); ++ x322 = (x321 + x301); ++ fiat_secp384r1_addcarryx_u64(&x323, &x324, 0x0, x287, x310); ++ fiat_secp384r1_addcarryx_u64(&x325, &x326, x324, x289, x312); ++ fiat_secp384r1_addcarryx_u64(&x327, &x328, x326, x291, x314); ++ fiat_secp384r1_addcarryx_u64(&x329, &x330, x328, x293, x316); ++ fiat_secp384r1_addcarryx_u64(&x331, &x332, x330, x295, x318); ++ fiat_secp384r1_addcarryx_u64(&x333, &x334, x332, x297, x320); ++ fiat_secp384r1_addcarryx_u64(&x335, &x336, x334, x299, x322); ++ fiat_secp384r1_mulx_u64(&x337, &x338, x323, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x339, &x340, x337, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x341, &x342, x337, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x343, &x344, x337, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x345, &x346, x337, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x347, &x348, x337, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x349, &x350, x337, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x351, &x352, 0x0, x350, x347); ++ fiat_secp384r1_addcarryx_u64(&x353, &x354, x352, x348, x345); ++ fiat_secp384r1_addcarryx_u64(&x355, &x356, x354, x346, x343); ++ fiat_secp384r1_addcarryx_u64(&x357, &x358, x356, x344, x341); ++ fiat_secp384r1_addcarryx_u64(&x359, &x360, x358, x342, x339); ++ x361 = (x360 + x340); ++ fiat_secp384r1_addcarryx_u64(&x362, &x363, 0x0, x323, x349); ++ fiat_secp384r1_addcarryx_u64(&x364, &x365, x363, x325, x351); ++ fiat_secp384r1_addcarryx_u64(&x366, &x367, x365, x327, x353); ++ fiat_secp384r1_addcarryx_u64(&x368, &x369, x367, x329, x355); ++ fiat_secp384r1_addcarryx_u64(&x370, &x371, x369, x331, x357); ++ fiat_secp384r1_addcarryx_u64(&x372, &x373, x371, x333, x359); ++ fiat_secp384r1_addcarryx_u64(&x374, &x375, x373, x335, x361); ++ x376 = ((uint64_t)x375 + x336); ++ fiat_secp384r1_mulx_u64(&x377, &x378, x5, (arg1[5])); ++ fiat_secp384r1_mulx_u64(&x379, &x380, x5, (arg1[4])); ++ fiat_secp384r1_mulx_u64(&x381, &x382, x5, (arg1[3])); ++ fiat_secp384r1_mulx_u64(&x383, &x384, x5, (arg1[2])); ++ fiat_secp384r1_mulx_u64(&x385, &x386, x5, (arg1[1])); ++ fiat_secp384r1_mulx_u64(&x387, &x388, x5, (arg1[0])); ++ fiat_secp384r1_addcarryx_u64(&x389, &x390, 0x0, x388, x385); ++ fiat_secp384r1_addcarryx_u64(&x391, &x392, x390, x386, x383); ++ fiat_secp384r1_addcarryx_u64(&x393, &x394, x392, x384, x381); ++ fiat_secp384r1_addcarryx_u64(&x395, &x396, x394, x382, x379); ++ fiat_secp384r1_addcarryx_u64(&x397, &x398, x396, x380, x377); ++ x399 = (x398 + x378); ++ fiat_secp384r1_addcarryx_u64(&x400, &x401, 0x0, x364, x387); ++ fiat_secp384r1_addcarryx_u64(&x402, &x403, x401, x366, x389); ++ fiat_secp384r1_addcarryx_u64(&x404, &x405, x403, x368, x391); ++ fiat_secp384r1_addcarryx_u64(&x406, &x407, x405, x370, x393); ++ fiat_secp384r1_addcarryx_u64(&x408, &x409, x407, x372, x395); ++ fiat_secp384r1_addcarryx_u64(&x410, &x411, x409, x374, x397); ++ fiat_secp384r1_addcarryx_u64(&x412, &x413, x411, x376, x399); ++ fiat_secp384r1_mulx_u64(&x414, &x415, x400, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x416, &x417, x414, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x418, &x419, x414, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x420, &x421, x414, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x422, &x423, x414, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x424, &x425, x414, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x426, &x427, x414, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x428, &x429, 0x0, x427, x424); ++ fiat_secp384r1_addcarryx_u64(&x430, &x431, x429, x425, x422); ++ fiat_secp384r1_addcarryx_u64(&x432, &x433, x431, x423, x420); ++ fiat_secp384r1_addcarryx_u64(&x434, &x435, x433, x421, x418); ++ fiat_secp384r1_addcarryx_u64(&x436, &x437, x435, x419, x416); ++ x438 = (x437 + x417); ++ fiat_secp384r1_addcarryx_u64(&x439, &x440, 0x0, x400, x426); ++ fiat_secp384r1_addcarryx_u64(&x441, &x442, x440, x402, x428); ++ fiat_secp384r1_addcarryx_u64(&x443, &x444, x442, x404, x430); ++ fiat_secp384r1_addcarryx_u64(&x445, &x446, x444, x406, x432); ++ fiat_secp384r1_addcarryx_u64(&x447, &x448, x446, x408, x434); ++ fiat_secp384r1_addcarryx_u64(&x449, &x450, x448, x410, x436); ++ fiat_secp384r1_addcarryx_u64(&x451, &x452, x450, x412, x438); ++ x453 = ((uint64_t)x452 + x413); ++ fiat_secp384r1_subborrowx_u64(&x454, &x455, 0x0, x441, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x456, &x457, x455, x443, ++ UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_subborrowx_u64(&x458, &x459, x457, x445, ++ UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_subborrowx_u64(&x460, &x461, x459, x447, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x462, &x463, x461, x449, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x464, &x465, x463, x451, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x466, &x467, x465, x453, 0x0); ++ fiat_secp384r1_cmovznz_u64(&x468, x467, x454, x441); ++ fiat_secp384r1_cmovznz_u64(&x469, x467, x456, x443); ++ fiat_secp384r1_cmovznz_u64(&x470, x467, x458, x445); ++ fiat_secp384r1_cmovznz_u64(&x471, x467, x460, x447); ++ fiat_secp384r1_cmovznz_u64(&x472, x467, x462, x449); ++ fiat_secp384r1_cmovznz_u64(&x473, x467, x464, x451); ++ out1[0] = x468; ++ out1[1] = x469; ++ out1[2] = x470; ++ out1[3] = x471; ++ out1[4] = x472; ++ out1[5] = x473; ++} ++ ++/* ++ * The function fiat_secp384r1_add adds two field elements in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * 0 ≤ eval arg2 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_add(uint64_t out1[6], const uint64_t arg1[6], ++ const uint64_t arg2[6]) ++{ ++ uint64_t x1; ++ fiat_secp384r1_uint1 x2; ++ uint64_t x3; ++ fiat_secp384r1_uint1 x4; ++ uint64_t x5; ++ fiat_secp384r1_uint1 x6; ++ uint64_t x7; ++ fiat_secp384r1_uint1 x8; ++ uint64_t x9; ++ fiat_secp384r1_uint1 x10; ++ uint64_t x11; ++ fiat_secp384r1_uint1 x12; ++ uint64_t x13; ++ fiat_secp384r1_uint1 x14; ++ uint64_t x15; ++ fiat_secp384r1_uint1 x16; ++ uint64_t x17; ++ fiat_secp384r1_uint1 x18; ++ uint64_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint64_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint64_t x23; ++ fiat_secp384r1_uint1 x24; ++ uint64_t x25; ++ fiat_secp384r1_uint1 x26; ++ uint64_t x27; ++ uint64_t x28; ++ uint64_t x29; ++ uint64_t x30; ++ uint64_t x31; ++ uint64_t x32; ++ fiat_secp384r1_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); ++ fiat_secp384r1_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); ++ fiat_secp384r1_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); ++ fiat_secp384r1_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); ++ fiat_secp384r1_addcarryx_u64(&x9, &x10, x8, (arg1[4]), (arg2[4])); ++ fiat_secp384r1_addcarryx_u64(&x11, &x12, x10, (arg1[5]), (arg2[5])); ++ fiat_secp384r1_subborrowx_u64(&x13, &x14, 0x0, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x15, &x16, x14, x3, ++ UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_subborrowx_u64(&x17, &x18, x16, x5, ++ UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_subborrowx_u64(&x19, &x20, x18, x7, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x21, &x22, x20, x9, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x23, &x24, x22, x11, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x25, &x26, x24, x12, 0x0); ++ fiat_secp384r1_cmovznz_u64(&x27, x26, x13, x1); ++ fiat_secp384r1_cmovznz_u64(&x28, x26, x15, x3); ++ fiat_secp384r1_cmovznz_u64(&x29, x26, x17, x5); ++ fiat_secp384r1_cmovznz_u64(&x30, x26, x19, x7); ++ fiat_secp384r1_cmovznz_u64(&x31, x26, x21, x9); ++ fiat_secp384r1_cmovznz_u64(&x32, x26, x23, x11); ++ out1[0] = x27; ++ out1[1] = x28; ++ out1[2] = x29; ++ out1[3] = x30; ++ out1[4] = x31; ++ out1[5] = x32; ++} ++ ++/* ++ * The function fiat_secp384r1_sub subtracts two field elements in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * 0 ≤ eval arg2 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_sub(uint64_t out1[6], const uint64_t arg1[6], ++ const uint64_t arg2[6]) ++{ ++ uint64_t x1; ++ fiat_secp384r1_uint1 x2; ++ uint64_t x3; ++ fiat_secp384r1_uint1 x4; ++ uint64_t x5; ++ fiat_secp384r1_uint1 x6; ++ uint64_t x7; ++ fiat_secp384r1_uint1 x8; ++ uint64_t x9; ++ fiat_secp384r1_uint1 x10; ++ uint64_t x11; ++ fiat_secp384r1_uint1 x12; ++ uint64_t x13; ++ uint64_t x14; ++ fiat_secp384r1_uint1 x15; ++ uint64_t x16; ++ fiat_secp384r1_uint1 x17; ++ uint64_t x18; ++ fiat_secp384r1_uint1 x19; ++ uint64_t x20; ++ fiat_secp384r1_uint1 x21; ++ uint64_t x22; ++ fiat_secp384r1_uint1 x23; ++ uint64_t x24; ++ fiat_secp384r1_uint1 x25; ++ fiat_secp384r1_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); ++ fiat_secp384r1_subborrowx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); ++ fiat_secp384r1_subborrowx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); ++ fiat_secp384r1_subborrowx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); ++ fiat_secp384r1_subborrowx_u64(&x9, &x10, x8, (arg1[4]), (arg2[4])); ++ fiat_secp384r1_subborrowx_u64(&x11, &x12, x10, (arg1[5]), (arg2[5])); ++ fiat_secp384r1_cmovznz_u64(&x13, x12, 0x0, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x14, &x15, 0x0, x1, ++ (x13 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u64(&x16, &x17, x15, x3, ++ (x13 & UINT64_C(0xffffffff00000000))); ++ fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, x5, ++ (x13 & UINT64_C(0xfffffffffffffffe))); ++ fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, x7, ++ (x13 & UINT64_C(0xffffffffffffffff))); ++ fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, x9, ++ (x13 & UINT64_C(0xffffffffffffffff))); ++ fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, x11, ++ (x13 & UINT64_C(0xffffffffffffffff))); ++ out1[0] = x14; ++ out1[1] = x16; ++ out1[2] = x18; ++ out1[3] = x20; ++ out1[4] = x22; ++ out1[5] = x24; ++} ++ ++/* ++ * The function fiat_secp384r1_opp negates a field element in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_opp(uint64_t out1[6], const uint64_t arg1[6]) ++{ ++ uint64_t x1; ++ fiat_secp384r1_uint1 x2; ++ uint64_t x3; ++ fiat_secp384r1_uint1 x4; ++ uint64_t x5; ++ fiat_secp384r1_uint1 x6; ++ uint64_t x7; ++ fiat_secp384r1_uint1 x8; ++ uint64_t x9; ++ fiat_secp384r1_uint1 x10; ++ uint64_t x11; ++ fiat_secp384r1_uint1 x12; ++ uint64_t x13; ++ uint64_t x14; ++ fiat_secp384r1_uint1 x15; ++ uint64_t x16; ++ fiat_secp384r1_uint1 x17; ++ uint64_t x18; ++ fiat_secp384r1_uint1 x19; ++ uint64_t x20; ++ fiat_secp384r1_uint1 x21; ++ uint64_t x22; ++ fiat_secp384r1_uint1 x23; ++ uint64_t x24; ++ fiat_secp384r1_uint1 x25; ++ fiat_secp384r1_subborrowx_u64(&x1, &x2, 0x0, 0x0, (arg1[0])); ++ fiat_secp384r1_subborrowx_u64(&x3, &x4, x2, 0x0, (arg1[1])); ++ fiat_secp384r1_subborrowx_u64(&x5, &x6, x4, 0x0, (arg1[2])); ++ fiat_secp384r1_subborrowx_u64(&x7, &x8, x6, 0x0, (arg1[3])); ++ fiat_secp384r1_subborrowx_u64(&x9, &x10, x8, 0x0, (arg1[4])); ++ fiat_secp384r1_subborrowx_u64(&x11, &x12, x10, 0x0, (arg1[5])); ++ fiat_secp384r1_cmovznz_u64(&x13, x12, 0x0, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x14, &x15, 0x0, x1, ++ (x13 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u64(&x16, &x17, x15, x3, ++ (x13 & UINT64_C(0xffffffff00000000))); ++ fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, x5, ++ (x13 & UINT64_C(0xfffffffffffffffe))); ++ fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, x7, ++ (x13 & UINT64_C(0xffffffffffffffff))); ++ fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, x9, ++ (x13 & UINT64_C(0xffffffffffffffff))); ++ fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, x11, ++ (x13 & UINT64_C(0xffffffffffffffff))); ++ out1[0] = x14; ++ out1[1] = x16; ++ out1[2] = x18; ++ out1[3] = x20; ++ out1[4] = x22; ++ out1[5] = x24; ++} ++ ++/* ++ * The function fiat_secp384r1_from_montgomery translates a field element out of the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval out1 mod m = (eval arg1 * ((2^64)â»Â¹ mod m)^6) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_from_montgomery(uint64_t out1[6], ++ const uint64_t arg1[6]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ uint64_t x7; ++ uint64_t x8; ++ uint64_t x9; ++ uint64_t x10; ++ uint64_t x11; ++ uint64_t x12; ++ uint64_t x13; ++ uint64_t x14; ++ uint64_t x15; ++ uint64_t x16; ++ fiat_secp384r1_uint1 x17; ++ uint64_t x18; ++ fiat_secp384r1_uint1 x19; ++ uint64_t x20; ++ fiat_secp384r1_uint1 x21; ++ uint64_t x22; ++ fiat_secp384r1_uint1 x23; ++ uint64_t x24; ++ fiat_secp384r1_uint1 x25; ++ uint64_t x26; ++ fiat_secp384r1_uint1 x27; ++ uint64_t x28; ++ fiat_secp384r1_uint1 x29; ++ uint64_t x30; ++ fiat_secp384r1_uint1 x31; ++ uint64_t x32; ++ fiat_secp384r1_uint1 x33; ++ uint64_t x34; ++ fiat_secp384r1_uint1 x35; ++ uint64_t x36; ++ fiat_secp384r1_uint1 x37; ++ uint64_t x38; ++ fiat_secp384r1_uint1 x39; ++ uint64_t x40; ++ fiat_secp384r1_uint1 x41; ++ uint64_t x42; ++ fiat_secp384r1_uint1 x43; ++ uint64_t x44; ++ fiat_secp384r1_uint1 x45; ++ uint64_t x46; ++ fiat_secp384r1_uint1 x47; ++ uint64_t x48; ++ fiat_secp384r1_uint1 x49; ++ uint64_t x50; ++ fiat_secp384r1_uint1 x51; ++ uint64_t x52; ++ uint64_t x53; ++ uint64_t x54; ++ uint64_t x55; ++ uint64_t x56; ++ uint64_t x57; ++ uint64_t x58; ++ uint64_t x59; ++ uint64_t x60; ++ uint64_t x61; ++ uint64_t x62; ++ uint64_t x63; ++ uint64_t x64; ++ uint64_t x65; ++ uint64_t x66; ++ fiat_secp384r1_uint1 x67; ++ uint64_t x68; ++ fiat_secp384r1_uint1 x69; ++ uint64_t x70; ++ fiat_secp384r1_uint1 x71; ++ uint64_t x72; ++ fiat_secp384r1_uint1 x73; ++ uint64_t x74; ++ fiat_secp384r1_uint1 x75; ++ uint64_t x76; ++ fiat_secp384r1_uint1 x77; ++ uint64_t x78; ++ fiat_secp384r1_uint1 x79; ++ uint64_t x80; ++ fiat_secp384r1_uint1 x81; ++ uint64_t x82; ++ fiat_secp384r1_uint1 x83; ++ uint64_t x84; ++ fiat_secp384r1_uint1 x85; ++ uint64_t x86; ++ fiat_secp384r1_uint1 x87; ++ uint64_t x88; ++ fiat_secp384r1_uint1 x89; ++ uint64_t x90; ++ fiat_secp384r1_uint1 x91; ++ uint64_t x92; ++ fiat_secp384r1_uint1 x93; ++ uint64_t x94; ++ fiat_secp384r1_uint1 x95; ++ uint64_t x96; ++ fiat_secp384r1_uint1 x97; ++ uint64_t x98; ++ fiat_secp384r1_uint1 x99; ++ uint64_t x100; ++ fiat_secp384r1_uint1 x101; ++ uint64_t x102; ++ uint64_t x103; ++ uint64_t x104; ++ uint64_t x105; ++ uint64_t x106; ++ uint64_t x107; ++ uint64_t x108; ++ uint64_t x109; ++ uint64_t x110; ++ uint64_t x111; ++ uint64_t x112; ++ uint64_t x113; ++ uint64_t x114; ++ uint64_t x115; ++ uint64_t x116; ++ fiat_secp384r1_uint1 x117; ++ uint64_t x118; ++ fiat_secp384r1_uint1 x119; ++ uint64_t x120; ++ fiat_secp384r1_uint1 x121; ++ uint64_t x122; ++ fiat_secp384r1_uint1 x123; ++ uint64_t x124; ++ fiat_secp384r1_uint1 x125; ++ uint64_t x126; ++ fiat_secp384r1_uint1 x127; ++ uint64_t x128; ++ fiat_secp384r1_uint1 x129; ++ uint64_t x130; ++ fiat_secp384r1_uint1 x131; ++ uint64_t x132; ++ fiat_secp384r1_uint1 x133; ++ uint64_t x134; ++ fiat_secp384r1_uint1 x135; ++ uint64_t x136; ++ fiat_secp384r1_uint1 x137; ++ uint64_t x138; ++ fiat_secp384r1_uint1 x139; ++ uint64_t x140; ++ fiat_secp384r1_uint1 x141; ++ uint64_t x142; ++ fiat_secp384r1_uint1 x143; ++ uint64_t x144; ++ fiat_secp384r1_uint1 x145; ++ uint64_t x146; ++ fiat_secp384r1_uint1 x147; ++ uint64_t x148; ++ fiat_secp384r1_uint1 x149; ++ uint64_t x150; ++ fiat_secp384r1_uint1 x151; ++ uint64_t x152; ++ uint64_t x153; ++ uint64_t x154; ++ uint64_t x155; ++ uint64_t x156; ++ uint64_t x157; ++ uint64_t x158; ++ uint64_t x159; ++ uint64_t x160; ++ uint64_t x161; ++ uint64_t x162; ++ uint64_t x163; ++ uint64_t x164; ++ uint64_t x165; ++ uint64_t x166; ++ fiat_secp384r1_uint1 x167; ++ uint64_t x168; ++ fiat_secp384r1_uint1 x169; ++ uint64_t x170; ++ fiat_secp384r1_uint1 x171; ++ uint64_t x172; ++ fiat_secp384r1_uint1 x173; ++ uint64_t x174; ++ fiat_secp384r1_uint1 x175; ++ uint64_t x176; ++ fiat_secp384r1_uint1 x177; ++ uint64_t x178; ++ fiat_secp384r1_uint1 x179; ++ uint64_t x180; ++ fiat_secp384r1_uint1 x181; ++ uint64_t x182; ++ fiat_secp384r1_uint1 x183; ++ uint64_t x184; ++ fiat_secp384r1_uint1 x185; ++ uint64_t x186; ++ fiat_secp384r1_uint1 x187; ++ uint64_t x188; ++ fiat_secp384r1_uint1 x189; ++ uint64_t x190; ++ fiat_secp384r1_uint1 x191; ++ uint64_t x192; ++ fiat_secp384r1_uint1 x193; ++ uint64_t x194; ++ fiat_secp384r1_uint1 x195; ++ uint64_t x196; ++ fiat_secp384r1_uint1 x197; ++ uint64_t x198; ++ fiat_secp384r1_uint1 x199; ++ uint64_t x200; ++ fiat_secp384r1_uint1 x201; ++ uint64_t x202; ++ uint64_t x203; ++ uint64_t x204; ++ uint64_t x205; ++ uint64_t x206; ++ uint64_t x207; ++ uint64_t x208; ++ uint64_t x209; ++ uint64_t x210; ++ uint64_t x211; ++ uint64_t x212; ++ uint64_t x213; ++ uint64_t x214; ++ uint64_t x215; ++ uint64_t x216; ++ fiat_secp384r1_uint1 x217; ++ uint64_t x218; ++ fiat_secp384r1_uint1 x219; ++ uint64_t x220; ++ fiat_secp384r1_uint1 x221; ++ uint64_t x222; ++ fiat_secp384r1_uint1 x223; ++ uint64_t x224; ++ fiat_secp384r1_uint1 x225; ++ uint64_t x226; ++ fiat_secp384r1_uint1 x227; ++ uint64_t x228; ++ fiat_secp384r1_uint1 x229; ++ uint64_t x230; ++ fiat_secp384r1_uint1 x231; ++ uint64_t x232; ++ fiat_secp384r1_uint1 x233; ++ uint64_t x234; ++ fiat_secp384r1_uint1 x235; ++ uint64_t x236; ++ fiat_secp384r1_uint1 x237; ++ uint64_t x238; ++ fiat_secp384r1_uint1 x239; ++ uint64_t x240; ++ fiat_secp384r1_uint1 x241; ++ uint64_t x242; ++ fiat_secp384r1_uint1 x243; ++ uint64_t x244; ++ fiat_secp384r1_uint1 x245; ++ uint64_t x246; ++ fiat_secp384r1_uint1 x247; ++ uint64_t x248; ++ fiat_secp384r1_uint1 x249; ++ uint64_t x250; ++ fiat_secp384r1_uint1 x251; ++ uint64_t x252; ++ uint64_t x253; ++ uint64_t x254; ++ uint64_t x255; ++ uint64_t x256; ++ uint64_t x257; ++ uint64_t x258; ++ uint64_t x259; ++ uint64_t x260; ++ uint64_t x261; ++ uint64_t x262; ++ uint64_t x263; ++ uint64_t x264; ++ uint64_t x265; ++ uint64_t x266; ++ fiat_secp384r1_uint1 x267; ++ uint64_t x268; ++ fiat_secp384r1_uint1 x269; ++ uint64_t x270; ++ fiat_secp384r1_uint1 x271; ++ uint64_t x272; ++ fiat_secp384r1_uint1 x273; ++ uint64_t x274; ++ fiat_secp384r1_uint1 x275; ++ uint64_t x276; ++ fiat_secp384r1_uint1 x277; ++ uint64_t x278; ++ fiat_secp384r1_uint1 x279; ++ uint64_t x280; ++ fiat_secp384r1_uint1 x281; ++ uint64_t x282; ++ fiat_secp384r1_uint1 x283; ++ uint64_t x284; ++ fiat_secp384r1_uint1 x285; ++ uint64_t x286; ++ fiat_secp384r1_uint1 x287; ++ uint64_t x288; ++ fiat_secp384r1_uint1 x289; ++ uint64_t x290; ++ fiat_secp384r1_uint1 x291; ++ uint64_t x292; ++ fiat_secp384r1_uint1 x293; ++ uint64_t x294; ++ fiat_secp384r1_uint1 x295; ++ uint64_t x296; ++ fiat_secp384r1_uint1 x297; ++ uint64_t x298; ++ fiat_secp384r1_uint1 x299; ++ uint64_t x300; ++ fiat_secp384r1_uint1 x301; ++ uint64_t x302; ++ fiat_secp384r1_uint1 x303; ++ uint64_t x304; ++ uint64_t x305; ++ uint64_t x306; ++ uint64_t x307; ++ uint64_t x308; ++ uint64_t x309; ++ x1 = (arg1[0]); ++ fiat_secp384r1_mulx_u64(&x2, &x3, x1, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x4, &x5, x2, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x6, &x7, x2, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x8, &x9, x2, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x10, &x11, x2, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x12, &x13, x2, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x14, &x15, x2, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x16, &x17, 0x0, x15, x12); ++ fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, x13, x10); ++ fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, x11, x8); ++ fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, x9, x6); ++ fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, x7, x4); ++ fiat_secp384r1_addcarryx_u64(&x26, &x27, 0x0, x1, x14); ++ fiat_secp384r1_addcarryx_u64(&x28, &x29, x27, 0x0, x16); ++ fiat_secp384r1_addcarryx_u64(&x30, &x31, x29, 0x0, x18); ++ fiat_secp384r1_addcarryx_u64(&x32, &x33, x31, 0x0, x20); ++ fiat_secp384r1_addcarryx_u64(&x34, &x35, x33, 0x0, x22); ++ fiat_secp384r1_addcarryx_u64(&x36, &x37, x35, 0x0, x24); ++ fiat_secp384r1_addcarryx_u64(&x38, &x39, x37, 0x0, (x25 + x5)); ++ fiat_secp384r1_addcarryx_u64(&x40, &x41, 0x0, x28, (arg1[1])); ++ fiat_secp384r1_addcarryx_u64(&x42, &x43, x41, x30, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x44, &x45, x43, x32, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x46, &x47, x45, x34, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x48, &x49, x47, x36, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x50, &x51, x49, x38, 0x0); ++ fiat_secp384r1_mulx_u64(&x52, &x53, x40, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x54, &x55, x52, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x56, &x57, x52, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x58, &x59, x52, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x60, &x61, x52, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x62, &x63, x52, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x64, &x65, x52, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x66, &x67, 0x0, x65, x62); ++ fiat_secp384r1_addcarryx_u64(&x68, &x69, x67, x63, x60); ++ fiat_secp384r1_addcarryx_u64(&x70, &x71, x69, x61, x58); ++ fiat_secp384r1_addcarryx_u64(&x72, &x73, x71, x59, x56); ++ fiat_secp384r1_addcarryx_u64(&x74, &x75, x73, x57, x54); ++ fiat_secp384r1_addcarryx_u64(&x76, &x77, 0x0, x40, x64); ++ fiat_secp384r1_addcarryx_u64(&x78, &x79, x77, x42, x66); ++ fiat_secp384r1_addcarryx_u64(&x80, &x81, x79, x44, x68); ++ fiat_secp384r1_addcarryx_u64(&x82, &x83, x81, x46, x70); ++ fiat_secp384r1_addcarryx_u64(&x84, &x85, x83, x48, x72); ++ fiat_secp384r1_addcarryx_u64(&x86, &x87, x85, x50, x74); ++ fiat_secp384r1_addcarryx_u64(&x88, &x89, x87, ((uint64_t)x51 + x39), ++ (x75 + x55)); ++ fiat_secp384r1_addcarryx_u64(&x90, &x91, 0x0, x78, (arg1[2])); ++ fiat_secp384r1_addcarryx_u64(&x92, &x93, x91, x80, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x82, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x84, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x98, &x99, x97, x86, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x100, &x101, x99, x88, 0x0); ++ fiat_secp384r1_mulx_u64(&x102, &x103, x90, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x104, &x105, x102, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x106, &x107, x102, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x108, &x109, x102, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x110, &x111, x102, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x112, &x113, x102, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x114, &x115, x102, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x116, &x117, 0x0, x115, x112); ++ fiat_secp384r1_addcarryx_u64(&x118, &x119, x117, x113, x110); ++ fiat_secp384r1_addcarryx_u64(&x120, &x121, x119, x111, x108); ++ fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x109, x106); ++ fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x107, x104); ++ fiat_secp384r1_addcarryx_u64(&x126, &x127, 0x0, x90, x114); ++ fiat_secp384r1_addcarryx_u64(&x128, &x129, x127, x92, x116); ++ fiat_secp384r1_addcarryx_u64(&x130, &x131, x129, x94, x118); ++ fiat_secp384r1_addcarryx_u64(&x132, &x133, x131, x96, x120); ++ fiat_secp384r1_addcarryx_u64(&x134, &x135, x133, x98, x122); ++ fiat_secp384r1_addcarryx_u64(&x136, &x137, x135, x100, x124); ++ fiat_secp384r1_addcarryx_u64(&x138, &x139, x137, ((uint64_t)x101 + x89), ++ (x125 + x105)); ++ fiat_secp384r1_addcarryx_u64(&x140, &x141, 0x0, x128, (arg1[3])); ++ fiat_secp384r1_addcarryx_u64(&x142, &x143, x141, x130, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x144, &x145, x143, x132, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x146, &x147, x145, x134, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x148, &x149, x147, x136, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x150, &x151, x149, x138, 0x0); ++ fiat_secp384r1_mulx_u64(&x152, &x153, x140, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x154, &x155, x152, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x156, &x157, x152, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x158, &x159, x152, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x160, &x161, x152, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x162, &x163, x152, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x164, &x165, x152, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x166, &x167, 0x0, x165, x162); ++ fiat_secp384r1_addcarryx_u64(&x168, &x169, x167, x163, x160); ++ fiat_secp384r1_addcarryx_u64(&x170, &x171, x169, x161, x158); ++ fiat_secp384r1_addcarryx_u64(&x172, &x173, x171, x159, x156); ++ fiat_secp384r1_addcarryx_u64(&x174, &x175, x173, x157, x154); ++ fiat_secp384r1_addcarryx_u64(&x176, &x177, 0x0, x140, x164); ++ fiat_secp384r1_addcarryx_u64(&x178, &x179, x177, x142, x166); ++ fiat_secp384r1_addcarryx_u64(&x180, &x181, x179, x144, x168); ++ fiat_secp384r1_addcarryx_u64(&x182, &x183, x181, x146, x170); ++ fiat_secp384r1_addcarryx_u64(&x184, &x185, x183, x148, x172); ++ fiat_secp384r1_addcarryx_u64(&x186, &x187, x185, x150, x174); ++ fiat_secp384r1_addcarryx_u64(&x188, &x189, x187, ((uint64_t)x151 + x139), ++ (x175 + x155)); ++ fiat_secp384r1_addcarryx_u64(&x190, &x191, 0x0, x178, (arg1[4])); ++ fiat_secp384r1_addcarryx_u64(&x192, &x193, x191, x180, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x194, &x195, x193, x182, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x196, &x197, x195, x184, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x198, &x199, x197, x186, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x200, &x201, x199, x188, 0x0); ++ fiat_secp384r1_mulx_u64(&x202, &x203, x190, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x204, &x205, x202, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x206, &x207, x202, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x208, &x209, x202, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x210, &x211, x202, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x212, &x213, x202, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x214, &x215, x202, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x216, &x217, 0x0, x215, x212); ++ fiat_secp384r1_addcarryx_u64(&x218, &x219, x217, x213, x210); ++ fiat_secp384r1_addcarryx_u64(&x220, &x221, x219, x211, x208); ++ fiat_secp384r1_addcarryx_u64(&x222, &x223, x221, x209, x206); ++ fiat_secp384r1_addcarryx_u64(&x224, &x225, x223, x207, x204); ++ fiat_secp384r1_addcarryx_u64(&x226, &x227, 0x0, x190, x214); ++ fiat_secp384r1_addcarryx_u64(&x228, &x229, x227, x192, x216); ++ fiat_secp384r1_addcarryx_u64(&x230, &x231, x229, x194, x218); ++ fiat_secp384r1_addcarryx_u64(&x232, &x233, x231, x196, x220); ++ fiat_secp384r1_addcarryx_u64(&x234, &x235, x233, x198, x222); ++ fiat_secp384r1_addcarryx_u64(&x236, &x237, x235, x200, x224); ++ fiat_secp384r1_addcarryx_u64(&x238, &x239, x237, ((uint64_t)x201 + x189), ++ (x225 + x205)); ++ fiat_secp384r1_addcarryx_u64(&x240, &x241, 0x0, x228, (arg1[5])); ++ fiat_secp384r1_addcarryx_u64(&x242, &x243, x241, x230, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x244, &x245, x243, x232, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x246, &x247, x245, x234, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x248, &x249, x247, x236, 0x0); ++ fiat_secp384r1_addcarryx_u64(&x250, &x251, x249, x238, 0x0); ++ fiat_secp384r1_mulx_u64(&x252, &x253, x240, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x254, &x255, x252, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x256, &x257, x252, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x258, &x259, x252, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x260, &x261, x252, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x262, &x263, x252, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x264, &x265, x252, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x266, &x267, 0x0, x265, x262); ++ fiat_secp384r1_addcarryx_u64(&x268, &x269, x267, x263, x260); ++ fiat_secp384r1_addcarryx_u64(&x270, &x271, x269, x261, x258); ++ fiat_secp384r1_addcarryx_u64(&x272, &x273, x271, x259, x256); ++ fiat_secp384r1_addcarryx_u64(&x274, &x275, x273, x257, x254); ++ fiat_secp384r1_addcarryx_u64(&x276, &x277, 0x0, x240, x264); ++ fiat_secp384r1_addcarryx_u64(&x278, &x279, x277, x242, x266); ++ fiat_secp384r1_addcarryx_u64(&x280, &x281, x279, x244, x268); ++ fiat_secp384r1_addcarryx_u64(&x282, &x283, x281, x246, x270); ++ fiat_secp384r1_addcarryx_u64(&x284, &x285, x283, x248, x272); ++ fiat_secp384r1_addcarryx_u64(&x286, &x287, x285, x250, x274); ++ fiat_secp384r1_addcarryx_u64(&x288, &x289, x287, ((uint64_t)x251 + x239), ++ (x275 + x255)); ++ fiat_secp384r1_subborrowx_u64(&x290, &x291, 0x0, x278, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x292, &x293, x291, x280, ++ UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_subborrowx_u64(&x294, &x295, x293, x282, ++ UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_subborrowx_u64(&x296, &x297, x295, x284, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x298, &x299, x297, x286, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x300, &x301, x299, x288, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x302, &x303, x301, x289, 0x0); ++ fiat_secp384r1_cmovznz_u64(&x304, x303, x290, x278); ++ fiat_secp384r1_cmovznz_u64(&x305, x303, x292, x280); ++ fiat_secp384r1_cmovznz_u64(&x306, x303, x294, x282); ++ fiat_secp384r1_cmovznz_u64(&x307, x303, x296, x284); ++ fiat_secp384r1_cmovznz_u64(&x308, x303, x298, x286); ++ fiat_secp384r1_cmovznz_u64(&x309, x303, x300, x288); ++ out1[0] = x304; ++ out1[1] = x305; ++ out1[2] = x306; ++ out1[3] = x307; ++ out1[4] = x308; ++ out1[5] = x309; ++} ++ ++/* ++ * The function fiat_secp384r1_to_montgomery translates a field element into the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = eval arg1 mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_to_montgomery(uint64_t out1[6], ++ const uint64_t arg1[6]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ uint64_t x7; ++ uint64_t x8; ++ uint64_t x9; ++ uint64_t x10; ++ uint64_t x11; ++ uint64_t x12; ++ uint64_t x13; ++ uint64_t x14; ++ uint64_t x15; ++ fiat_secp384r1_uint1 x16; ++ uint64_t x17; ++ fiat_secp384r1_uint1 x18; ++ uint64_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint64_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint64_t x23; ++ uint64_t x24; ++ uint64_t x25; ++ uint64_t x26; ++ uint64_t x27; ++ uint64_t x28; ++ uint64_t x29; ++ uint64_t x30; ++ uint64_t x31; ++ uint64_t x32; ++ uint64_t x33; ++ uint64_t x34; ++ uint64_t x35; ++ uint64_t x36; ++ uint64_t x37; ++ fiat_secp384r1_uint1 x38; ++ uint64_t x39; ++ fiat_secp384r1_uint1 x40; ++ uint64_t x41; ++ fiat_secp384r1_uint1 x42; ++ uint64_t x43; ++ fiat_secp384r1_uint1 x44; ++ uint64_t x45; ++ fiat_secp384r1_uint1 x46; ++ uint64_t x47; ++ fiat_secp384r1_uint1 x48; ++ uint64_t x49; ++ fiat_secp384r1_uint1 x50; ++ uint64_t x51; ++ fiat_secp384r1_uint1 x52; ++ uint64_t x53; ++ fiat_secp384r1_uint1 x54; ++ uint64_t x55; ++ fiat_secp384r1_uint1 x56; ++ uint64_t x57; ++ fiat_secp384r1_uint1 x58; ++ uint64_t x59; ++ fiat_secp384r1_uint1 x60; ++ uint64_t x61; ++ uint64_t x62; ++ uint64_t x63; ++ uint64_t x64; ++ uint64_t x65; ++ uint64_t x66; ++ uint64_t x67; ++ uint64_t x68; ++ uint64_t x69; ++ fiat_secp384r1_uint1 x70; ++ uint64_t x71; ++ fiat_secp384r1_uint1 x72; ++ uint64_t x73; ++ fiat_secp384r1_uint1 x74; ++ uint64_t x75; ++ fiat_secp384r1_uint1 x76; ++ uint64_t x77; ++ fiat_secp384r1_uint1 x78; ++ uint64_t x79; ++ fiat_secp384r1_uint1 x80; ++ uint64_t x81; ++ fiat_secp384r1_uint1 x82; ++ uint64_t x83; ++ fiat_secp384r1_uint1 x84; ++ uint64_t x85; ++ fiat_secp384r1_uint1 x86; ++ uint64_t x87; ++ fiat_secp384r1_uint1 x88; ++ uint64_t x89; ++ uint64_t x90; ++ uint64_t x91; ++ uint64_t x92; ++ uint64_t x93; ++ uint64_t x94; ++ uint64_t x95; ++ uint64_t x96; ++ uint64_t x97; ++ uint64_t x98; ++ uint64_t x99; ++ uint64_t x100; ++ uint64_t x101; ++ uint64_t x102; ++ uint64_t x103; ++ fiat_secp384r1_uint1 x104; ++ uint64_t x105; ++ fiat_secp384r1_uint1 x106; ++ uint64_t x107; ++ fiat_secp384r1_uint1 x108; ++ uint64_t x109; ++ fiat_secp384r1_uint1 x110; ++ uint64_t x111; ++ fiat_secp384r1_uint1 x112; ++ uint64_t x113; ++ fiat_secp384r1_uint1 x114; ++ uint64_t x115; ++ fiat_secp384r1_uint1 x116; ++ uint64_t x117; ++ fiat_secp384r1_uint1 x118; ++ uint64_t x119; ++ fiat_secp384r1_uint1 x120; ++ uint64_t x121; ++ fiat_secp384r1_uint1 x122; ++ uint64_t x123; ++ fiat_secp384r1_uint1 x124; ++ uint64_t x125; ++ fiat_secp384r1_uint1 x126; ++ uint64_t x127; ++ uint64_t x128; ++ uint64_t x129; ++ uint64_t x130; ++ uint64_t x131; ++ uint64_t x132; ++ uint64_t x133; ++ uint64_t x134; ++ uint64_t x135; ++ fiat_secp384r1_uint1 x136; ++ uint64_t x137; ++ fiat_secp384r1_uint1 x138; ++ uint64_t x139; ++ fiat_secp384r1_uint1 x140; ++ uint64_t x141; ++ fiat_secp384r1_uint1 x142; ++ uint64_t x143; ++ fiat_secp384r1_uint1 x144; ++ uint64_t x145; ++ fiat_secp384r1_uint1 x146; ++ uint64_t x147; ++ fiat_secp384r1_uint1 x148; ++ uint64_t x149; ++ fiat_secp384r1_uint1 x150; ++ uint64_t x151; ++ fiat_secp384r1_uint1 x152; ++ uint64_t x153; ++ fiat_secp384r1_uint1 x154; ++ uint64_t x155; ++ uint64_t x156; ++ uint64_t x157; ++ uint64_t x158; ++ uint64_t x159; ++ uint64_t x160; ++ uint64_t x161; ++ uint64_t x162; ++ uint64_t x163; ++ uint64_t x164; ++ uint64_t x165; ++ uint64_t x166; ++ uint64_t x167; ++ uint64_t x168; ++ uint64_t x169; ++ fiat_secp384r1_uint1 x170; ++ uint64_t x171; ++ fiat_secp384r1_uint1 x172; ++ uint64_t x173; ++ fiat_secp384r1_uint1 x174; ++ uint64_t x175; ++ fiat_secp384r1_uint1 x176; ++ uint64_t x177; ++ fiat_secp384r1_uint1 x178; ++ uint64_t x179; ++ fiat_secp384r1_uint1 x180; ++ uint64_t x181; ++ fiat_secp384r1_uint1 x182; ++ uint64_t x183; ++ fiat_secp384r1_uint1 x184; ++ uint64_t x185; ++ fiat_secp384r1_uint1 x186; ++ uint64_t x187; ++ fiat_secp384r1_uint1 x188; ++ uint64_t x189; ++ fiat_secp384r1_uint1 x190; ++ uint64_t x191; ++ fiat_secp384r1_uint1 x192; ++ uint64_t x193; ++ uint64_t x194; ++ uint64_t x195; ++ uint64_t x196; ++ uint64_t x197; ++ uint64_t x198; ++ uint64_t x199; ++ uint64_t x200; ++ uint64_t x201; ++ fiat_secp384r1_uint1 x202; ++ uint64_t x203; ++ fiat_secp384r1_uint1 x204; ++ uint64_t x205; ++ fiat_secp384r1_uint1 x206; ++ uint64_t x207; ++ fiat_secp384r1_uint1 x208; ++ uint64_t x209; ++ fiat_secp384r1_uint1 x210; ++ uint64_t x211; ++ fiat_secp384r1_uint1 x212; ++ uint64_t x213; ++ fiat_secp384r1_uint1 x214; ++ uint64_t x215; ++ fiat_secp384r1_uint1 x216; ++ uint64_t x217; ++ fiat_secp384r1_uint1 x218; ++ uint64_t x219; ++ fiat_secp384r1_uint1 x220; ++ uint64_t x221; ++ uint64_t x222; ++ uint64_t x223; ++ uint64_t x224; ++ uint64_t x225; ++ uint64_t x226; ++ uint64_t x227; ++ uint64_t x228; ++ uint64_t x229; ++ uint64_t x230; ++ uint64_t x231; ++ uint64_t x232; ++ uint64_t x233; ++ uint64_t x234; ++ uint64_t x235; ++ fiat_secp384r1_uint1 x236; ++ uint64_t x237; ++ fiat_secp384r1_uint1 x238; ++ uint64_t x239; ++ fiat_secp384r1_uint1 x240; ++ uint64_t x241; ++ fiat_secp384r1_uint1 x242; ++ uint64_t x243; ++ fiat_secp384r1_uint1 x244; ++ uint64_t x245; ++ fiat_secp384r1_uint1 x246; ++ uint64_t x247; ++ fiat_secp384r1_uint1 x248; ++ uint64_t x249; ++ fiat_secp384r1_uint1 x250; ++ uint64_t x251; ++ fiat_secp384r1_uint1 x252; ++ uint64_t x253; ++ fiat_secp384r1_uint1 x254; ++ uint64_t x255; ++ fiat_secp384r1_uint1 x256; ++ uint64_t x257; ++ fiat_secp384r1_uint1 x258; ++ uint64_t x259; ++ uint64_t x260; ++ uint64_t x261; ++ uint64_t x262; ++ uint64_t x263; ++ uint64_t x264; ++ uint64_t x265; ++ uint64_t x266; ++ uint64_t x267; ++ fiat_secp384r1_uint1 x268; ++ uint64_t x269; ++ fiat_secp384r1_uint1 x270; ++ uint64_t x271; ++ fiat_secp384r1_uint1 x272; ++ uint64_t x273; ++ fiat_secp384r1_uint1 x274; ++ uint64_t x275; ++ fiat_secp384r1_uint1 x276; ++ uint64_t x277; ++ fiat_secp384r1_uint1 x278; ++ uint64_t x279; ++ fiat_secp384r1_uint1 x280; ++ uint64_t x281; ++ fiat_secp384r1_uint1 x282; ++ uint64_t x283; ++ fiat_secp384r1_uint1 x284; ++ uint64_t x285; ++ fiat_secp384r1_uint1 x286; ++ uint64_t x287; ++ uint64_t x288; ++ uint64_t x289; ++ uint64_t x290; ++ uint64_t x291; ++ uint64_t x292; ++ uint64_t x293; ++ uint64_t x294; ++ uint64_t x295; ++ uint64_t x296; ++ uint64_t x297; ++ uint64_t x298; ++ uint64_t x299; ++ uint64_t x300; ++ uint64_t x301; ++ fiat_secp384r1_uint1 x302; ++ uint64_t x303; ++ fiat_secp384r1_uint1 x304; ++ uint64_t x305; ++ fiat_secp384r1_uint1 x306; ++ uint64_t x307; ++ fiat_secp384r1_uint1 x308; ++ uint64_t x309; ++ fiat_secp384r1_uint1 x310; ++ uint64_t x311; ++ fiat_secp384r1_uint1 x312; ++ uint64_t x313; ++ fiat_secp384r1_uint1 x314; ++ uint64_t x315; ++ fiat_secp384r1_uint1 x316; ++ uint64_t x317; ++ fiat_secp384r1_uint1 x318; ++ uint64_t x319; ++ fiat_secp384r1_uint1 x320; ++ uint64_t x321; ++ fiat_secp384r1_uint1 x322; ++ uint64_t x323; ++ fiat_secp384r1_uint1 x324; ++ uint64_t x325; ++ uint64_t x326; ++ uint64_t x327; ++ uint64_t x328; ++ uint64_t x329; ++ uint64_t x330; ++ uint64_t x331; ++ uint64_t x332; ++ uint64_t x333; ++ fiat_secp384r1_uint1 x334; ++ uint64_t x335; ++ fiat_secp384r1_uint1 x336; ++ uint64_t x337; ++ fiat_secp384r1_uint1 x338; ++ uint64_t x339; ++ fiat_secp384r1_uint1 x340; ++ uint64_t x341; ++ fiat_secp384r1_uint1 x342; ++ uint64_t x343; ++ fiat_secp384r1_uint1 x344; ++ uint64_t x345; ++ fiat_secp384r1_uint1 x346; ++ uint64_t x347; ++ fiat_secp384r1_uint1 x348; ++ uint64_t x349; ++ fiat_secp384r1_uint1 x350; ++ uint64_t x351; ++ fiat_secp384r1_uint1 x352; ++ uint64_t x353; ++ uint64_t x354; ++ uint64_t x355; ++ uint64_t x356; ++ uint64_t x357; ++ uint64_t x358; ++ uint64_t x359; ++ uint64_t x360; ++ uint64_t x361; ++ uint64_t x362; ++ uint64_t x363; ++ uint64_t x364; ++ uint64_t x365; ++ uint64_t x366; ++ uint64_t x367; ++ fiat_secp384r1_uint1 x368; ++ uint64_t x369; ++ fiat_secp384r1_uint1 x370; ++ uint64_t x371; ++ fiat_secp384r1_uint1 x372; ++ uint64_t x373; ++ fiat_secp384r1_uint1 x374; ++ uint64_t x375; ++ fiat_secp384r1_uint1 x376; ++ uint64_t x377; ++ fiat_secp384r1_uint1 x378; ++ uint64_t x379; ++ fiat_secp384r1_uint1 x380; ++ uint64_t x381; ++ fiat_secp384r1_uint1 x382; ++ uint64_t x383; ++ fiat_secp384r1_uint1 x384; ++ uint64_t x385; ++ fiat_secp384r1_uint1 x386; ++ uint64_t x387; ++ fiat_secp384r1_uint1 x388; ++ uint64_t x389; ++ fiat_secp384r1_uint1 x390; ++ uint64_t x391; ++ fiat_secp384r1_uint1 x392; ++ uint64_t x393; ++ fiat_secp384r1_uint1 x394; ++ uint64_t x395; ++ fiat_secp384r1_uint1 x396; ++ uint64_t x397; ++ fiat_secp384r1_uint1 x398; ++ uint64_t x399; ++ fiat_secp384r1_uint1 x400; ++ uint64_t x401; ++ fiat_secp384r1_uint1 x402; ++ uint64_t x403; ++ fiat_secp384r1_uint1 x404; ++ uint64_t x405; ++ uint64_t x406; ++ uint64_t x407; ++ uint64_t x408; ++ uint64_t x409; ++ uint64_t x410; ++ x1 = (arg1[1]); ++ x2 = (arg1[2]); ++ x3 = (arg1[3]); ++ x4 = (arg1[4]); ++ x5 = (arg1[5]); ++ x6 = (arg1[0]); ++ fiat_secp384r1_mulx_u64(&x7, &x8, x6, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x9, &x10, x6, UINT64_C(0xfffffffe00000000)); ++ fiat_secp384r1_mulx_u64(&x11, &x12, x6, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x13, &x14, x6, UINT64_C(0xfffffffe00000001)); ++ fiat_secp384r1_addcarryx_u64(&x15, &x16, 0x0, x14, x11); ++ fiat_secp384r1_addcarryx_u64(&x17, &x18, x16, x12, x9); ++ fiat_secp384r1_addcarryx_u64(&x19, &x20, x18, x10, x7); ++ fiat_secp384r1_addcarryx_u64(&x21, &x22, x20, x8, x6); ++ fiat_secp384r1_mulx_u64(&x23, &x24, x13, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x25, &x26, x23, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x27, &x28, x23, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x29, &x30, x23, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x31, &x32, x23, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x33, &x34, x23, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x35, &x36, x23, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x37, &x38, 0x0, x36, x33); ++ fiat_secp384r1_addcarryx_u64(&x39, &x40, x38, x34, x31); ++ fiat_secp384r1_addcarryx_u64(&x41, &x42, x40, x32, x29); ++ fiat_secp384r1_addcarryx_u64(&x43, &x44, x42, x30, x27); ++ fiat_secp384r1_addcarryx_u64(&x45, &x46, x44, x28, x25); ++ fiat_secp384r1_addcarryx_u64(&x47, &x48, 0x0, x13, x35); ++ fiat_secp384r1_addcarryx_u64(&x49, &x50, x48, x15, x37); ++ fiat_secp384r1_addcarryx_u64(&x51, &x52, x50, x17, x39); ++ fiat_secp384r1_addcarryx_u64(&x53, &x54, x52, x19, x41); ++ fiat_secp384r1_addcarryx_u64(&x55, &x56, x54, x21, x43); ++ fiat_secp384r1_addcarryx_u64(&x57, &x58, x56, x22, x45); ++ fiat_secp384r1_addcarryx_u64(&x59, &x60, x58, 0x0, (x46 + x26)); ++ fiat_secp384r1_mulx_u64(&x61, &x62, x1, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x63, &x64, x1, UINT64_C(0xfffffffe00000000)); ++ fiat_secp384r1_mulx_u64(&x65, &x66, x1, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x67, &x68, x1, UINT64_C(0xfffffffe00000001)); ++ fiat_secp384r1_addcarryx_u64(&x69, &x70, 0x0, x68, x65); ++ fiat_secp384r1_addcarryx_u64(&x71, &x72, x70, x66, x63); ++ fiat_secp384r1_addcarryx_u64(&x73, &x74, x72, x64, x61); ++ fiat_secp384r1_addcarryx_u64(&x75, &x76, x74, x62, x1); ++ fiat_secp384r1_addcarryx_u64(&x77, &x78, 0x0, x49, x67); ++ fiat_secp384r1_addcarryx_u64(&x79, &x80, x78, x51, x69); ++ fiat_secp384r1_addcarryx_u64(&x81, &x82, x80, x53, x71); ++ fiat_secp384r1_addcarryx_u64(&x83, &x84, x82, x55, x73); ++ fiat_secp384r1_addcarryx_u64(&x85, &x86, x84, x57, x75); ++ fiat_secp384r1_addcarryx_u64(&x87, &x88, x86, x59, x76); ++ fiat_secp384r1_mulx_u64(&x89, &x90, x77, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x91, &x92, x89, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x93, &x94, x89, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x95, &x96, x89, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x97, &x98, x89, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x99, &x100, x89, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x101, &x102, x89, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x103, &x104, 0x0, x102, x99); ++ fiat_secp384r1_addcarryx_u64(&x105, &x106, x104, x100, x97); ++ fiat_secp384r1_addcarryx_u64(&x107, &x108, x106, x98, x95); ++ fiat_secp384r1_addcarryx_u64(&x109, &x110, x108, x96, x93); ++ fiat_secp384r1_addcarryx_u64(&x111, &x112, x110, x94, x91); ++ fiat_secp384r1_addcarryx_u64(&x113, &x114, 0x0, x77, x101); ++ fiat_secp384r1_addcarryx_u64(&x115, &x116, x114, x79, x103); ++ fiat_secp384r1_addcarryx_u64(&x117, &x118, x116, x81, x105); ++ fiat_secp384r1_addcarryx_u64(&x119, &x120, x118, x83, x107); ++ fiat_secp384r1_addcarryx_u64(&x121, &x122, x120, x85, x109); ++ fiat_secp384r1_addcarryx_u64(&x123, &x124, x122, x87, x111); ++ fiat_secp384r1_addcarryx_u64(&x125, &x126, x124, ((uint64_t)x88 + x60), ++ (x112 + x92)); ++ fiat_secp384r1_mulx_u64(&x127, &x128, x2, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x129, &x130, x2, UINT64_C(0xfffffffe00000000)); ++ fiat_secp384r1_mulx_u64(&x131, &x132, x2, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x133, &x134, x2, UINT64_C(0xfffffffe00000001)); ++ fiat_secp384r1_addcarryx_u64(&x135, &x136, 0x0, x134, x131); ++ fiat_secp384r1_addcarryx_u64(&x137, &x138, x136, x132, x129); ++ fiat_secp384r1_addcarryx_u64(&x139, &x140, x138, x130, x127); ++ fiat_secp384r1_addcarryx_u64(&x141, &x142, x140, x128, x2); ++ fiat_secp384r1_addcarryx_u64(&x143, &x144, 0x0, x115, x133); ++ fiat_secp384r1_addcarryx_u64(&x145, &x146, x144, x117, x135); ++ fiat_secp384r1_addcarryx_u64(&x147, &x148, x146, x119, x137); ++ fiat_secp384r1_addcarryx_u64(&x149, &x150, x148, x121, x139); ++ fiat_secp384r1_addcarryx_u64(&x151, &x152, x150, x123, x141); ++ fiat_secp384r1_addcarryx_u64(&x153, &x154, x152, x125, x142); ++ fiat_secp384r1_mulx_u64(&x155, &x156, x143, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x157, &x158, x155, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x159, &x160, x155, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x161, &x162, x155, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x163, &x164, x155, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x165, &x166, x155, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x167, &x168, x155, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x169, &x170, 0x0, x168, x165); ++ fiat_secp384r1_addcarryx_u64(&x171, &x172, x170, x166, x163); ++ fiat_secp384r1_addcarryx_u64(&x173, &x174, x172, x164, x161); ++ fiat_secp384r1_addcarryx_u64(&x175, &x176, x174, x162, x159); ++ fiat_secp384r1_addcarryx_u64(&x177, &x178, x176, x160, x157); ++ fiat_secp384r1_addcarryx_u64(&x179, &x180, 0x0, x143, x167); ++ fiat_secp384r1_addcarryx_u64(&x181, &x182, x180, x145, x169); ++ fiat_secp384r1_addcarryx_u64(&x183, &x184, x182, x147, x171); ++ fiat_secp384r1_addcarryx_u64(&x185, &x186, x184, x149, x173); ++ fiat_secp384r1_addcarryx_u64(&x187, &x188, x186, x151, x175); ++ fiat_secp384r1_addcarryx_u64(&x189, &x190, x188, x153, x177); ++ fiat_secp384r1_addcarryx_u64(&x191, &x192, x190, ((uint64_t)x154 + x126), ++ (x178 + x158)); ++ fiat_secp384r1_mulx_u64(&x193, &x194, x3, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x195, &x196, x3, UINT64_C(0xfffffffe00000000)); ++ fiat_secp384r1_mulx_u64(&x197, &x198, x3, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x199, &x200, x3, UINT64_C(0xfffffffe00000001)); ++ fiat_secp384r1_addcarryx_u64(&x201, &x202, 0x0, x200, x197); ++ fiat_secp384r1_addcarryx_u64(&x203, &x204, x202, x198, x195); ++ fiat_secp384r1_addcarryx_u64(&x205, &x206, x204, x196, x193); ++ fiat_secp384r1_addcarryx_u64(&x207, &x208, x206, x194, x3); ++ fiat_secp384r1_addcarryx_u64(&x209, &x210, 0x0, x181, x199); ++ fiat_secp384r1_addcarryx_u64(&x211, &x212, x210, x183, x201); ++ fiat_secp384r1_addcarryx_u64(&x213, &x214, x212, x185, x203); ++ fiat_secp384r1_addcarryx_u64(&x215, &x216, x214, x187, x205); ++ fiat_secp384r1_addcarryx_u64(&x217, &x218, x216, x189, x207); ++ fiat_secp384r1_addcarryx_u64(&x219, &x220, x218, x191, x208); ++ fiat_secp384r1_mulx_u64(&x221, &x222, x209, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x223, &x224, x221, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x225, &x226, x221, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x227, &x228, x221, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x229, &x230, x221, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x231, &x232, x221, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x233, &x234, x221, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x235, &x236, 0x0, x234, x231); ++ fiat_secp384r1_addcarryx_u64(&x237, &x238, x236, x232, x229); ++ fiat_secp384r1_addcarryx_u64(&x239, &x240, x238, x230, x227); ++ fiat_secp384r1_addcarryx_u64(&x241, &x242, x240, x228, x225); ++ fiat_secp384r1_addcarryx_u64(&x243, &x244, x242, x226, x223); ++ fiat_secp384r1_addcarryx_u64(&x245, &x246, 0x0, x209, x233); ++ fiat_secp384r1_addcarryx_u64(&x247, &x248, x246, x211, x235); ++ fiat_secp384r1_addcarryx_u64(&x249, &x250, x248, x213, x237); ++ fiat_secp384r1_addcarryx_u64(&x251, &x252, x250, x215, x239); ++ fiat_secp384r1_addcarryx_u64(&x253, &x254, x252, x217, x241); ++ fiat_secp384r1_addcarryx_u64(&x255, &x256, x254, x219, x243); ++ fiat_secp384r1_addcarryx_u64(&x257, &x258, x256, ((uint64_t)x220 + x192), ++ (x244 + x224)); ++ fiat_secp384r1_mulx_u64(&x259, &x260, x4, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x261, &x262, x4, UINT64_C(0xfffffffe00000000)); ++ fiat_secp384r1_mulx_u64(&x263, &x264, x4, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x265, &x266, x4, UINT64_C(0xfffffffe00000001)); ++ fiat_secp384r1_addcarryx_u64(&x267, &x268, 0x0, x266, x263); ++ fiat_secp384r1_addcarryx_u64(&x269, &x270, x268, x264, x261); ++ fiat_secp384r1_addcarryx_u64(&x271, &x272, x270, x262, x259); ++ fiat_secp384r1_addcarryx_u64(&x273, &x274, x272, x260, x4); ++ fiat_secp384r1_addcarryx_u64(&x275, &x276, 0x0, x247, x265); ++ fiat_secp384r1_addcarryx_u64(&x277, &x278, x276, x249, x267); ++ fiat_secp384r1_addcarryx_u64(&x279, &x280, x278, x251, x269); ++ fiat_secp384r1_addcarryx_u64(&x281, &x282, x280, x253, x271); ++ fiat_secp384r1_addcarryx_u64(&x283, &x284, x282, x255, x273); ++ fiat_secp384r1_addcarryx_u64(&x285, &x286, x284, x257, x274); ++ fiat_secp384r1_mulx_u64(&x287, &x288, x275, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x289, &x290, x287, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x291, &x292, x287, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x293, &x294, x287, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x295, &x296, x287, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x297, &x298, x287, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x299, &x300, x287, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x301, &x302, 0x0, x300, x297); ++ fiat_secp384r1_addcarryx_u64(&x303, &x304, x302, x298, x295); ++ fiat_secp384r1_addcarryx_u64(&x305, &x306, x304, x296, x293); ++ fiat_secp384r1_addcarryx_u64(&x307, &x308, x306, x294, x291); ++ fiat_secp384r1_addcarryx_u64(&x309, &x310, x308, x292, x289); ++ fiat_secp384r1_addcarryx_u64(&x311, &x312, 0x0, x275, x299); ++ fiat_secp384r1_addcarryx_u64(&x313, &x314, x312, x277, x301); ++ fiat_secp384r1_addcarryx_u64(&x315, &x316, x314, x279, x303); ++ fiat_secp384r1_addcarryx_u64(&x317, &x318, x316, x281, x305); ++ fiat_secp384r1_addcarryx_u64(&x319, &x320, x318, x283, x307); ++ fiat_secp384r1_addcarryx_u64(&x321, &x322, x320, x285, x309); ++ fiat_secp384r1_addcarryx_u64(&x323, &x324, x322, ((uint64_t)x286 + x258), ++ (x310 + x290)); ++ fiat_secp384r1_mulx_u64(&x325, &x326, x5, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x327, &x328, x5, UINT64_C(0xfffffffe00000000)); ++ fiat_secp384r1_mulx_u64(&x329, &x330, x5, UINT64_C(0x200000000)); ++ fiat_secp384r1_mulx_u64(&x331, &x332, x5, UINT64_C(0xfffffffe00000001)); ++ fiat_secp384r1_addcarryx_u64(&x333, &x334, 0x0, x332, x329); ++ fiat_secp384r1_addcarryx_u64(&x335, &x336, x334, x330, x327); ++ fiat_secp384r1_addcarryx_u64(&x337, &x338, x336, x328, x325); ++ fiat_secp384r1_addcarryx_u64(&x339, &x340, x338, x326, x5); ++ fiat_secp384r1_addcarryx_u64(&x341, &x342, 0x0, x313, x331); ++ fiat_secp384r1_addcarryx_u64(&x343, &x344, x342, x315, x333); ++ fiat_secp384r1_addcarryx_u64(&x345, &x346, x344, x317, x335); ++ fiat_secp384r1_addcarryx_u64(&x347, &x348, x346, x319, x337); ++ fiat_secp384r1_addcarryx_u64(&x349, &x350, x348, x321, x339); ++ fiat_secp384r1_addcarryx_u64(&x351, &x352, x350, x323, x340); ++ fiat_secp384r1_mulx_u64(&x353, &x354, x341, UINT64_C(0x100000001)); ++ fiat_secp384r1_mulx_u64(&x355, &x356, x353, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x357, &x358, x353, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x359, &x360, x353, UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_mulx_u64(&x361, &x362, x353, UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_mulx_u64(&x363, &x364, x353, UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_mulx_u64(&x365, &x366, x353, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u64(&x367, &x368, 0x0, x366, x363); ++ fiat_secp384r1_addcarryx_u64(&x369, &x370, x368, x364, x361); ++ fiat_secp384r1_addcarryx_u64(&x371, &x372, x370, x362, x359); ++ fiat_secp384r1_addcarryx_u64(&x373, &x374, x372, x360, x357); ++ fiat_secp384r1_addcarryx_u64(&x375, &x376, x374, x358, x355); ++ fiat_secp384r1_addcarryx_u64(&x377, &x378, 0x0, x341, x365); ++ fiat_secp384r1_addcarryx_u64(&x379, &x380, x378, x343, x367); ++ fiat_secp384r1_addcarryx_u64(&x381, &x382, x380, x345, x369); ++ fiat_secp384r1_addcarryx_u64(&x383, &x384, x382, x347, x371); ++ fiat_secp384r1_addcarryx_u64(&x385, &x386, x384, x349, x373); ++ fiat_secp384r1_addcarryx_u64(&x387, &x388, x386, x351, x375); ++ fiat_secp384r1_addcarryx_u64(&x389, &x390, x388, ((uint64_t)x352 + x324), ++ (x376 + x356)); ++ fiat_secp384r1_subborrowx_u64(&x391, &x392, 0x0, x379, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x393, &x394, x392, x381, ++ UINT64_C(0xffffffff00000000)); ++ fiat_secp384r1_subborrowx_u64(&x395, &x396, x394, x383, ++ UINT64_C(0xfffffffffffffffe)); ++ fiat_secp384r1_subborrowx_u64(&x397, &x398, x396, x385, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x399, &x400, x398, x387, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x401, &x402, x400, x389, ++ UINT64_C(0xffffffffffffffff)); ++ fiat_secp384r1_subborrowx_u64(&x403, &x404, x402, x390, 0x0); ++ fiat_secp384r1_cmovznz_u64(&x405, x404, x391, x379); ++ fiat_secp384r1_cmovznz_u64(&x406, x404, x393, x381); ++ fiat_secp384r1_cmovznz_u64(&x407, x404, x395, x383); ++ fiat_secp384r1_cmovznz_u64(&x408, x404, x397, x385); ++ fiat_secp384r1_cmovznz_u64(&x409, x404, x399, x387); ++ fiat_secp384r1_cmovznz_u64(&x410, x404, x401, x389); ++ out1[0] = x405; ++ out1[1] = x406; ++ out1[2] = x407; ++ out1[3] = x408; ++ out1[4] = x409; ++ out1[5] = x410; ++} ++ ++/* ++ * The function fiat_secp384r1_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffffffffffff] ++ */ ++static void ++fiat_secp384r1_nonzero(uint64_t *out1, const uint64_t arg1[6]) ++{ ++ uint64_t x1; ++ x1 = ((arg1[0]) | ++ ((arg1[1]) | ++ ((arg1[2]) | ++ ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | (uint64_t)0x0)))))); ++ *out1 = x1; ++} ++ ++/* ++ * The function fiat_secp384r1_selectznz is a multi-limb conditional select. ++ * Postconditions: ++ * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_selectznz(uint64_t out1[6], ++ fiat_secp384r1_uint1 arg1, ++ const uint64_t arg2[6], ++ const uint64_t arg3[6]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ fiat_secp384r1_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); ++ fiat_secp384r1_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); ++ fiat_secp384r1_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); ++ fiat_secp384r1_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); ++ fiat_secp384r1_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4])); ++ fiat_secp384r1_cmovznz_u64(&x6, arg1, (arg2[5]), (arg3[5])); ++ out1[0] = x1; ++ out1[1] = x2; ++ out1[2] = x3; ++ out1[3] = x4; ++ out1[4] = x5; ++ out1[5] = x6; ++} ++ ++/* ++ * The function fiat_secp384r1_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..47] ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] ++ */ ++static void ++fiat_secp384r1_to_bytes(uint8_t out1[48], const uint64_t arg1[6]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ uint64_t x7; ++ uint8_t x8; ++ uint64_t x9; ++ uint8_t x10; ++ uint64_t x11; ++ uint8_t x12; ++ uint64_t x13; ++ uint8_t x14; ++ uint64_t x15; ++ uint8_t x16; ++ uint64_t x17; ++ uint8_t x18; ++ uint8_t x19; ++ uint8_t x20; ++ uint8_t x21; ++ uint64_t x22; ++ uint8_t x23; ++ uint64_t x24; ++ uint8_t x25; ++ uint64_t x26; ++ uint8_t x27; ++ uint64_t x28; ++ uint8_t x29; ++ uint64_t x30; ++ uint8_t x31; ++ uint64_t x32; ++ uint8_t x33; ++ uint8_t x34; ++ uint8_t x35; ++ uint8_t x36; ++ uint64_t x37; ++ uint8_t x38; ++ uint64_t x39; ++ uint8_t x40; ++ uint64_t x41; ++ uint8_t x42; ++ uint64_t x43; ++ uint8_t x44; ++ uint64_t x45; ++ uint8_t x46; ++ uint64_t x47; ++ uint8_t x48; ++ uint8_t x49; ++ uint8_t x50; ++ uint8_t x51; ++ uint64_t x52; ++ uint8_t x53; ++ uint64_t x54; ++ uint8_t x55; ++ uint64_t x56; ++ uint8_t x57; ++ uint64_t x58; ++ uint8_t x59; ++ uint64_t x60; ++ uint8_t x61; ++ uint64_t x62; ++ uint8_t x63; ++ uint8_t x64; ++ uint8_t x65; ++ uint8_t x66; ++ uint64_t x67; ++ uint8_t x68; ++ uint64_t x69; ++ uint8_t x70; ++ uint64_t x71; ++ uint8_t x72; ++ uint64_t x73; ++ uint8_t x74; ++ uint64_t x75; ++ uint8_t x76; ++ uint64_t x77; ++ uint8_t x78; ++ uint8_t x79; ++ uint8_t x80; ++ uint8_t x81; ++ uint64_t x82; ++ uint8_t x83; ++ uint64_t x84; ++ uint8_t x85; ++ uint64_t x86; ++ uint8_t x87; ++ uint64_t x88; ++ uint8_t x89; ++ uint64_t x90; ++ uint8_t x91; ++ uint64_t x92; ++ uint8_t x93; ++ uint8_t x94; ++ uint8_t x95; ++ x1 = (arg1[5]); ++ x2 = (arg1[4]); ++ x3 = (arg1[3]); ++ x4 = (arg1[2]); ++ x5 = (arg1[1]); ++ x6 = (arg1[0]); ++ x7 = (x6 >> 8); ++ x8 = (uint8_t)(x6 & UINT8_C(0xff)); ++ x9 = (x7 >> 8); ++ x10 = (uint8_t)(x7 & UINT8_C(0xff)); ++ x11 = (x9 >> 8); ++ x12 = (uint8_t)(x9 & UINT8_C(0xff)); ++ x13 = (x11 >> 8); ++ x14 = (uint8_t)(x11 & UINT8_C(0xff)); ++ x15 = (x13 >> 8); ++ x16 = (uint8_t)(x13 & UINT8_C(0xff)); ++ x17 = (x15 >> 8); ++ x18 = (uint8_t)(x15 & UINT8_C(0xff)); ++ x19 = (uint8_t)(x17 >> 8); ++ x20 = (uint8_t)(x17 & UINT8_C(0xff)); ++ x21 = (uint8_t)(x19 & UINT8_C(0xff)); ++ x22 = (x5 >> 8); ++ x23 = (uint8_t)(x5 & UINT8_C(0xff)); ++ x24 = (x22 >> 8); ++ x25 = (uint8_t)(x22 & UINT8_C(0xff)); ++ x26 = (x24 >> 8); ++ x27 = (uint8_t)(x24 & UINT8_C(0xff)); ++ x28 = (x26 >> 8); ++ x29 = (uint8_t)(x26 & UINT8_C(0xff)); ++ x30 = (x28 >> 8); ++ x31 = (uint8_t)(x28 & UINT8_C(0xff)); ++ x32 = (x30 >> 8); ++ x33 = (uint8_t)(x30 & UINT8_C(0xff)); ++ x34 = (uint8_t)(x32 >> 8); ++ x35 = (uint8_t)(x32 & UINT8_C(0xff)); ++ x36 = (uint8_t)(x34 & UINT8_C(0xff)); ++ x37 = (x4 >> 8); ++ x38 = (uint8_t)(x4 & UINT8_C(0xff)); ++ x39 = (x37 >> 8); ++ x40 = (uint8_t)(x37 & UINT8_C(0xff)); ++ x41 = (x39 >> 8); ++ x42 = (uint8_t)(x39 & UINT8_C(0xff)); ++ x43 = (x41 >> 8); ++ x44 = (uint8_t)(x41 & UINT8_C(0xff)); ++ x45 = (x43 >> 8); ++ x46 = (uint8_t)(x43 & UINT8_C(0xff)); ++ x47 = (x45 >> 8); ++ x48 = (uint8_t)(x45 & UINT8_C(0xff)); ++ x49 = (uint8_t)(x47 >> 8); ++ x50 = (uint8_t)(x47 & UINT8_C(0xff)); ++ x51 = (uint8_t)(x49 & UINT8_C(0xff)); ++ x52 = (x3 >> 8); ++ x53 = (uint8_t)(x3 & UINT8_C(0xff)); ++ x54 = (x52 >> 8); ++ x55 = (uint8_t)(x52 & UINT8_C(0xff)); ++ x56 = (x54 >> 8); ++ x57 = (uint8_t)(x54 & UINT8_C(0xff)); ++ x58 = (x56 >> 8); ++ x59 = (uint8_t)(x56 & UINT8_C(0xff)); ++ x60 = (x58 >> 8); ++ x61 = (uint8_t)(x58 & UINT8_C(0xff)); ++ x62 = (x60 >> 8); ++ x63 = (uint8_t)(x60 & UINT8_C(0xff)); ++ x64 = (uint8_t)(x62 >> 8); ++ x65 = (uint8_t)(x62 & UINT8_C(0xff)); ++ x66 = (uint8_t)(x64 & UINT8_C(0xff)); ++ x67 = (x2 >> 8); ++ x68 = (uint8_t)(x2 & UINT8_C(0xff)); ++ x69 = (x67 >> 8); ++ x70 = (uint8_t)(x67 & UINT8_C(0xff)); ++ x71 = (x69 >> 8); ++ x72 = (uint8_t)(x69 & UINT8_C(0xff)); ++ x73 = (x71 >> 8); ++ x74 = (uint8_t)(x71 & UINT8_C(0xff)); ++ x75 = (x73 >> 8); ++ x76 = (uint8_t)(x73 & UINT8_C(0xff)); ++ x77 = (x75 >> 8); ++ x78 = (uint8_t)(x75 & UINT8_C(0xff)); ++ x79 = (uint8_t)(x77 >> 8); ++ x80 = (uint8_t)(x77 & UINT8_C(0xff)); ++ x81 = (uint8_t)(x79 & UINT8_C(0xff)); ++ x82 = (x1 >> 8); ++ x83 = (uint8_t)(x1 & UINT8_C(0xff)); ++ x84 = (x82 >> 8); ++ x85 = (uint8_t)(x82 & UINT8_C(0xff)); ++ x86 = (x84 >> 8); ++ x87 = (uint8_t)(x84 & UINT8_C(0xff)); ++ x88 = (x86 >> 8); ++ x89 = (uint8_t)(x86 & UINT8_C(0xff)); ++ x90 = (x88 >> 8); ++ x91 = (uint8_t)(x88 & UINT8_C(0xff)); ++ x92 = (x90 >> 8); ++ x93 = (uint8_t)(x90 & UINT8_C(0xff)); ++ x94 = (uint8_t)(x92 >> 8); ++ x95 = (uint8_t)(x92 & UINT8_C(0xff)); ++ out1[0] = x8; ++ out1[1] = x10; ++ out1[2] = x12; ++ out1[3] = x14; ++ out1[4] = x16; ++ out1[5] = x18; ++ out1[6] = x20; ++ out1[7] = x21; ++ out1[8] = x23; ++ out1[9] = x25; ++ out1[10] = x27; ++ out1[11] = x29; ++ out1[12] = x31; ++ out1[13] = x33; ++ out1[14] = x35; ++ out1[15] = x36; ++ out1[16] = x38; ++ out1[17] = x40; ++ out1[18] = x42; ++ out1[19] = x44; ++ out1[20] = x46; ++ out1[21] = x48; ++ out1[22] = x50; ++ out1[23] = x51; ++ out1[24] = x53; ++ out1[25] = x55; ++ out1[26] = x57; ++ out1[27] = x59; ++ out1[28] = x61; ++ out1[29] = x63; ++ out1[30] = x65; ++ out1[31] = x66; ++ out1[32] = x68; ++ out1[33] = x70; ++ out1[34] = x72; ++ out1[35] = x74; ++ out1[36] = x76; ++ out1[37] = x78; ++ out1[38] = x80; ++ out1[39] = x81; ++ out1[40] = x83; ++ out1[41] = x85; ++ out1[42] = x87; ++ out1[43] = x89; ++ out1[44] = x91; ++ out1[45] = x93; ++ out1[46] = x95; ++ out1[47] = x94; ++} ++ ++/* ++ * The function fiat_secp384r1_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. ++ * Preconditions: ++ * 0 ≤ bytes_eval arg1 < m ++ * Postconditions: ++ * eval out1 mod m = bytes_eval arg1 mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] ++ */ ++static void ++fiat_secp384r1_from_bytes(uint64_t out1[6], ++ const uint8_t arg1[48]) ++{ ++ uint64_t x1; ++ uint64_t x2; ++ uint64_t x3; ++ uint64_t x4; ++ uint64_t x5; ++ uint64_t x6; ++ uint64_t x7; ++ uint8_t x8; ++ uint64_t x9; ++ uint64_t x10; ++ uint64_t x11; ++ uint64_t x12; ++ uint64_t x13; ++ uint64_t x14; ++ uint64_t x15; ++ uint8_t x16; ++ uint64_t x17; ++ uint64_t x18; ++ uint64_t x19; ++ uint64_t x20; ++ uint64_t x21; ++ uint64_t x22; ++ uint64_t x23; ++ uint8_t x24; ++ uint64_t x25; ++ uint64_t x26; ++ uint64_t x27; ++ uint64_t x28; ++ uint64_t x29; ++ uint64_t x30; ++ uint64_t x31; ++ uint8_t x32; ++ uint64_t x33; ++ uint64_t x34; ++ uint64_t x35; ++ uint64_t x36; ++ uint64_t x37; ++ uint64_t x38; ++ uint64_t x39; ++ uint8_t x40; ++ uint64_t x41; ++ uint64_t x42; ++ uint64_t x43; ++ uint64_t x44; ++ uint64_t x45; ++ uint64_t x46; ++ uint64_t x47; ++ uint8_t x48; ++ uint64_t x49; ++ uint64_t x50; ++ uint64_t x51; ++ uint64_t x52; ++ uint64_t x53; ++ uint64_t x54; ++ uint64_t x55; ++ uint64_t x56; ++ uint64_t x57; ++ uint64_t x58; ++ uint64_t x59; ++ x1 = ((uint64_t)(arg1[47]) << 56); ++ x2 = ((uint64_t)(arg1[46]) << 48); ++ x3 = ((uint64_t)(arg1[45]) << 40); ++ x4 = ((uint64_t)(arg1[44]) << 32); ++ x5 = ((uint64_t)(arg1[43]) << 24); ++ x6 = ((uint64_t)(arg1[42]) << 16); ++ x7 = ((uint64_t)(arg1[41]) << 8); ++ x8 = (arg1[40]); ++ x9 = ((uint64_t)(arg1[39]) << 56); ++ x10 = ((uint64_t)(arg1[38]) << 48); ++ x11 = ((uint64_t)(arg1[37]) << 40); ++ x12 = ((uint64_t)(arg1[36]) << 32); ++ x13 = ((uint64_t)(arg1[35]) << 24); ++ x14 = ((uint64_t)(arg1[34]) << 16); ++ x15 = ((uint64_t)(arg1[33]) << 8); ++ x16 = (arg1[32]); ++ x17 = ((uint64_t)(arg1[31]) << 56); ++ x18 = ((uint64_t)(arg1[30]) << 48); ++ x19 = ((uint64_t)(arg1[29]) << 40); ++ x20 = ((uint64_t)(arg1[28]) << 32); ++ x21 = ((uint64_t)(arg1[27]) << 24); ++ x22 = ((uint64_t)(arg1[26]) << 16); ++ x23 = ((uint64_t)(arg1[25]) << 8); ++ x24 = (arg1[24]); ++ x25 = ((uint64_t)(arg1[23]) << 56); ++ x26 = ((uint64_t)(arg1[22]) << 48); ++ x27 = ((uint64_t)(arg1[21]) << 40); ++ x28 = ((uint64_t)(arg1[20]) << 32); ++ x29 = ((uint64_t)(arg1[19]) << 24); ++ x30 = ((uint64_t)(arg1[18]) << 16); ++ x31 = ((uint64_t)(arg1[17]) << 8); ++ x32 = (arg1[16]); ++ x33 = ((uint64_t)(arg1[15]) << 56); ++ x34 = ((uint64_t)(arg1[14]) << 48); ++ x35 = ((uint64_t)(arg1[13]) << 40); ++ x36 = ((uint64_t)(arg1[12]) << 32); ++ x37 = ((uint64_t)(arg1[11]) << 24); ++ x38 = ((uint64_t)(arg1[10]) << 16); ++ x39 = ((uint64_t)(arg1[9]) << 8); ++ x40 = (arg1[8]); ++ x41 = ((uint64_t)(arg1[7]) << 56); ++ x42 = ((uint64_t)(arg1[6]) << 48); ++ x43 = ((uint64_t)(arg1[5]) << 40); ++ x44 = ((uint64_t)(arg1[4]) << 32); ++ x45 = ((uint64_t)(arg1[3]) << 24); ++ x46 = ((uint64_t)(arg1[2]) << 16); ++ x47 = ((uint64_t)(arg1[1]) << 8); ++ x48 = (arg1[0]); ++ x49 = (x48 + (x47 + (x46 + (x45 + (x44 + (x43 + (x42 + x41))))))); ++ x50 = (x49 & UINT64_C(0xffffffffffffffff)); ++ x51 = (x8 + (x7 + (x6 + (x5 + (x4 + (x3 + (x2 + x1))))))); ++ x52 = (x16 + (x15 + (x14 + (x13 + (x12 + (x11 + (x10 + x9))))))); ++ x53 = (x24 + (x23 + (x22 + (x21 + (x20 + (x19 + (x18 + x17))))))); ++ x54 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + (x26 + x25))))))); ++ x55 = (x40 + (x39 + (x38 + (x37 + (x36 + (x35 + (x34 + x33))))))); ++ x56 = (x55 & UINT64_C(0xffffffffffffffff)); ++ x57 = (x54 & UINT64_C(0xffffffffffffffff)); ++ x58 = (x53 & UINT64_C(0xffffffffffffffff)); ++ x59 = (x52 & UINT64_C(0xffffffffffffffff)); ++ out1[0] = x50; ++ out1[1] = x56; ++ out1[2] = x57; ++ out1[3] = x58; ++ out1[4] = x59; ++ out1[5] = x51; ++} ++ ++/* END verbatim fiat code */ ++ ++/*- ++ * Finite field inversion via FLT. ++ * NB: this is not a real Fiat function, just named that way for consistency. ++ * Autogenerated: ecp/secp384r1/fe_inv.op3 ++ * custom repunit addition chain ++ */ ++static void ++fiat_secp384r1_inv(fe_t output, const fe_t t1) ++{ ++ int i; ++ /* temporary variables */ ++ fe_t acc, t10, t170, t2, t20, t255, t30, t32, t4, t64, t8, t84, t85; ++ ++ fiat_secp384r1_square(acc, t1); ++ fiat_secp384r1_mul(t2, acc, t1); ++ fiat_secp384r1_square(acc, t2); ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t4, acc, t2); ++ fiat_secp384r1_square(acc, t4); ++ for (i = 0; i < 3; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t8, acc, t4); ++ fiat_secp384r1_square(acc, t8); ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t10, acc, t2); ++ fiat_secp384r1_square(acc, t10); ++ for (i = 0; i < 9; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t20, acc, t10); ++ fiat_secp384r1_square(acc, t20); ++ for (i = 0; i < 9; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t30, acc, t10); ++ fiat_secp384r1_square(acc, t30); ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t32, acc, t2); ++ fiat_secp384r1_square(acc, t32); ++ for (i = 0; i < 31; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t64, acc, t32); ++ fiat_secp384r1_square(acc, t64); ++ for (i = 0; i < 19; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t84, acc, t20); ++ fiat_secp384r1_square(acc, t84); ++ fiat_secp384r1_mul(t85, acc, t1); ++ fiat_secp384r1_square(acc, t85); ++ for (i = 0; i < 84; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t170, acc, t85); ++ fiat_secp384r1_square(acc, t170); ++ for (i = 0; i < 84; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t255, acc, t85); ++ fiat_secp384r1_square(acc, t255); ++ for (i = 0; i < 32; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(acc, acc, t32); ++ for (i = 0; i < 94; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(acc, acc, t30); ++ for (i = 0; i < 2; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(output, acc, t1); ++} ++ ++/* curve coefficient constants */ ++ ++static const limb_t const_one[6] = { ++ UINT64_C(0xFFFFFFFF00000001), UINT64_C(0x00000000FFFFFFFF), ++ UINT64_C(0x0000000000000001), UINT64_C(0x0000000000000000), ++ UINT64_C(0x0000000000000000), UINT64_C(0x0000000000000000) ++}; ++ ++static const limb_t const_b[6] = { ++ UINT64_C(0x081188719D412DCC), UINT64_C(0xF729ADD87A4C32EC), ++ UINT64_C(0x77F2209B1920022E), UINT64_C(0xE3374BEE94938AE2), ++ UINT64_C(0xB62B21F41F022094), UINT64_C(0xCD08114B604FBFF9) ++}; ++ ++/* LUT for scalar multiplication by comb interleaving */ ++static const pt_aff_t lut_cmb[21][16] = { ++ { ++ { { UINT64_C(0x3DD0756649C0B528), UINT64_C(0x20E378E2A0D6CE38), ++ UINT64_C(0x879C3AFC541B4D6E), UINT64_C(0x6454868459A30EFF), ++ UINT64_C(0x812FF723614EDE2B), UINT64_C(0x4D3AADC2299E1513) }, ++ { UINT64_C(0x23043DAD4B03A4FE), UINT64_C(0xA1BFA8BF7BB4A9AC), ++ UINT64_C(0x8BADE7562E83B050), UINT64_C(0xC6C3521968F4FFD9), ++ UINT64_C(0xDD8002263969A840), UINT64_C(0x2B78ABC25A15C5E9) } }, ++ { { UINT64_C(0x05E4DBE6C1DC4073), UINT64_C(0xC54EA9FFF04F779C), ++ UINT64_C(0x6B2034E9A170CCF0), UINT64_C(0x3A48D732D51C6C3E), ++ UINT64_C(0xE36F7E2D263AA470), UINT64_C(0xD283FE68E7C1C3AC) }, ++ { UINT64_C(0x7E284821C04EE157), UINT64_C(0x92D789A77AE0E36D), ++ UINT64_C(0x132663C04EF67446), UINT64_C(0x68012D5AD2E1D0B4), ++ UINT64_C(0xF6DB68B15102B339), UINT64_C(0x465465FC983292AF) } }, ++ { { UINT64_C(0xBB595EBA68F1F0DF), UINT64_C(0xC185C0CBCC873466), ++ UINT64_C(0x7F1EB1B5293C703B), UINT64_C(0x60DB2CF5AACC05E6), ++ UINT64_C(0xC676B987E2E8E4C6), UINT64_C(0xE1BB26B11D178FFB) }, ++ { UINT64_C(0x2B694BA07073FA21), UINT64_C(0x22C16E2E72F34566), ++ UINT64_C(0x80B61B3101C35B99), UINT64_C(0x4B237FAF982C0411), ++ UINT64_C(0xE6C5944024DE236D), UINT64_C(0x4DB1C9D6E209E4A3) } }, ++ { { UINT64_C(0xDF13B9D17D69222B), UINT64_C(0x4CE6415F874774B1), ++ UINT64_C(0x731EDCF8211FAA95), UINT64_C(0x5F4215D1659753ED), ++ UINT64_C(0xF893DB589DB2DF55), UINT64_C(0x932C9F811C89025B) }, ++ { UINT64_C(0x0996B2207706A61E), UINT64_C(0x135349D5A8641C79), ++ UINT64_C(0x65AAD76F50130844), UINT64_C(0x0FF37C0401FFF780), ++ UINT64_C(0xF57F238E693B0706), UINT64_C(0xD90A16B6AF6C9B3E) } }, ++ { { UINT64_C(0x2F5D200E2353B92F), UINT64_C(0xE35D87293FD7E4F9), ++ UINT64_C(0x26094833A96D745D), UINT64_C(0xDC351DC13CBFFF3F), ++ UINT64_C(0x26D464C6DAD54D6A), UINT64_C(0x5CAB1D1D53636C6A) }, ++ { UINT64_C(0xF2813072B18EC0B0), UINT64_C(0x3777E270D742AA2F), ++ UINT64_C(0x27F061C7033CA7C2), UINT64_C(0xA6ECACCC68EAD0D8), ++ UINT64_C(0x7D9429F4EE69A754), UINT64_C(0xE770633431E8F5C6) } }, ++ { { UINT64_C(0xC7708B19B68B8C7D), UINT64_C(0x4532077C44377ABA), ++ UINT64_C(0x0DCC67706CDAD64F), UINT64_C(0x01B8BF56147B6602), ++ UINT64_C(0xF8D89885F0561D79), UINT64_C(0x9C19E9FC7BA9C437) }, ++ { UINT64_C(0x764EB146BDC4BA25), UINT64_C(0x604FE46BAC144B83), ++ UINT64_C(0x3CE813298A77E780), UINT64_C(0x2E070F36FE9E682E), ++ UINT64_C(0x41821D0C3A53287A), UINT64_C(0x9AA62F9F3533F918) } }, ++ { { UINT64_C(0x9B7AEB7E75CCBDFB), UINT64_C(0xB25E28C5F6749A95), ++ UINT64_C(0x8A7A8E4633B7D4AE), UINT64_C(0xDB5203A8D9C1BD56), ++ UINT64_C(0xD2657265ED22DF97), UINT64_C(0xB51C56E18CF23C94) }, ++ { UINT64_C(0xF4D394596C3D812D), UINT64_C(0xD8E88F1A87CAE0C2), ++ UINT64_C(0x789A2A48CF4D0FE3), UINT64_C(0xB7FEAC2DFEC38D60), ++ UINT64_C(0x81FDBD1C3B490EC3), UINT64_C(0x4617ADB7CC6979E1) } }, ++ { { UINT64_C(0x446AD8884709F4A9), UINT64_C(0x2B7210E2EC3DABD8), ++ UINT64_C(0x83CCF19550E07B34), UINT64_C(0x59500917789B3075), ++ UINT64_C(0x0FC01FD4EB085993), UINT64_C(0xFB62D26F4903026B) }, ++ { UINT64_C(0x2309CC9D6FE989BB), UINT64_C(0x61609CBD144BD586), ++ UINT64_C(0x4B23D3A0DE06610C), UINT64_C(0xDDDC2866D898F470), ++ UINT64_C(0x8733FC41400C5797), UINT64_C(0x5A68C6FED0BC2716) } }, ++ { { UINT64_C(0x8903E1304B4A3CD0), UINT64_C(0x3EA4EA4C8FF1F43E), ++ UINT64_C(0xE6FC3F2AF655A10D), UINT64_C(0x7BE3737D524FFEFC), ++ UINT64_C(0x9F6928555330455E), UINT64_C(0x524F166EE475CE70) }, ++ { UINT64_C(0x3FCC69CD6C12F055), UINT64_C(0x4E23B6FFD5B9C0DA), ++ UINT64_C(0x49CE6993336BF183), UINT64_C(0xF87D6D854A54504A), ++ UINT64_C(0x25EB5DF1B3C2677A), UINT64_C(0xAC37986F55B164C9) } }, ++ { { UINT64_C(0x82A2ED4ABAA84C08), UINT64_C(0x22C4CC5F41A8C912), ++ UINT64_C(0xCA109C3B154AAD5E), UINT64_C(0x23891298FC38538E), ++ UINT64_C(0xB3B6639C539802AE), UINT64_C(0xFA0F1F450390D706) }, ++ { UINT64_C(0x46B78E5DB0DC21D0), UINT64_C(0xA8C72D3CC3DA2EAC), ++ UINT64_C(0x9170B3786FF2F643), UINT64_C(0x3F5A799BB67F30C3), ++ UINT64_C(0x15D1DC778264B672), UINT64_C(0xA1D47B23E9577764) } }, ++ { { UINT64_C(0x08265E510422CE2F), UINT64_C(0x88E0D496DD2F9E21), ++ UINT64_C(0x30128AA06177F75D), UINT64_C(0x2E59AB62BD9EBE69), ++ UINT64_C(0x1B1A0F6C5DF0E537), UINT64_C(0xAB16C626DAC012B5) }, ++ { UINT64_C(0x8014214B008C5DE7), UINT64_C(0xAA740A9E38F17BEA), ++ UINT64_C(0x262EBB498A149098), UINT64_C(0xB454111E8527CD59), ++ UINT64_C(0x266AD15AACEA5817), UINT64_C(0x21824F411353CCBA) } }, ++ { { UINT64_C(0xD1B4E74D12E3683B), UINT64_C(0x990ED20B569B8EF6), ++ UINT64_C(0xB9D3DD25429C0A18), UINT64_C(0x1C75B8AB2A351783), ++ UINT64_C(0x61E4CA2B905432F0), UINT64_C(0x80826A69EEA8F224) }, ++ { UINT64_C(0x7FC33A6BEC52ABAD), UINT64_C(0x0BCCA3F0A65E4813), ++ UINT64_C(0x7AD8A132A527CEBE), UINT64_C(0xF0138950EAF22C7E), ++ UINT64_C(0x282D2437566718C1), UINT64_C(0x9DFCCB0DE2212559) } }, ++ { { UINT64_C(0x1E93722758CE3B83), UINT64_C(0xBB280DFA3CB3FB36), ++ UINT64_C(0x57D0F3D2E2BE174A), UINT64_C(0x9BD51B99208ABE1E), ++ UINT64_C(0x3809AB50DE248024), UINT64_C(0xC29C6E2CA5BB7331) }, ++ { UINT64_C(0x9944FD2E61124F05), UINT64_C(0x83CCBC4E9009E391), ++ UINT64_C(0x01628F059424A3CC), UINT64_C(0xD6A2F51DEA8E4344), ++ UINT64_C(0xDA3E1A3D4CEBC96E), UINT64_C(0x1FE6FB42E97809DC) } }, ++ { { UINT64_C(0xA04482D2467D66E4), UINT64_C(0xCF1912934D78291D), ++ UINT64_C(0x8E0D4168482396F9), UINT64_C(0x7228E2D5D18F14D0), ++ UINT64_C(0x2F7E8D509C6A58FE), UINT64_C(0xE8CA780E373E5AEC) }, ++ { UINT64_C(0x42AAD1D61B68E9F8), UINT64_C(0x58A6D7F569E2F8F4), ++ UINT64_C(0xD779ADFE31DA1BEA), UINT64_C(0x7D26540638C85A85), ++ UINT64_C(0x67E67195D44D3CDF), UINT64_C(0x17820A0BC5134ED7) } }, ++ { { UINT64_C(0x019D6AC5D3021470), UINT64_C(0x25846B66780443D6), ++ UINT64_C(0xCE3C15ED55C97647), UINT64_C(0x3DC22D490E3FEB0F), ++ UINT64_C(0x2065B7CBA7DF26E4), UINT64_C(0xC8B00AE8187CEA1F) }, ++ { UINT64_C(0x1A5284A0865DDED3), UINT64_C(0x293C164920C83DE2), ++ UINT64_C(0xAB178D26CCE851B3), UINT64_C(0x8E6DB10B404505FB), ++ UINT64_C(0xF6F57E7190C82033), UINT64_C(0x1D2A1C015977F16C) } }, ++ { { UINT64_C(0xA39C89317C8906A4), UINT64_C(0xB6E7ECDD9E821EE6), ++ UINT64_C(0x2ECF8340F0DF4FE6), UINT64_C(0xD42F7DC953C14965), ++ UINT64_C(0x1AFB51A3E3BA8285), UINT64_C(0x6C07C4040A3305D1) }, ++ { UINT64_C(0xDAB83288127FC1DA), UINT64_C(0xBC0A699B374C4B08), ++ UINT64_C(0x402A9BAB42EB20DD), UINT64_C(0xD7DD464F045A7A1C), ++ UINT64_C(0x5B3D0D6D36BEECC4), UINT64_C(0x475A3E756398A19D) } }, ++ }, ++ { ++ { { UINT64_C(0x31BDB48372876AE8), UINT64_C(0xE3325D98961ED1BF), ++ UINT64_C(0x18C042469B6FC64D), UINT64_C(0x0DCC15FA15786B8C), ++ UINT64_C(0x81ACDB068E63DA4A), UINT64_C(0xD3A4B643DADA70FB) }, ++ { UINT64_C(0x46361AFEDEA424EB), UINT64_C(0xDC2D2CAE89B92970), ++ UINT64_C(0xF389B61B615694E6), UINT64_C(0x7036DEF1872951D2), ++ UINT64_C(0x40FD3BDAD93BADC7), UINT64_C(0x45AB6321380A68D3) } }, ++ { { UINT64_C(0x23C1F74481A2703A), UINT64_C(0x1A5D075CB9859136), ++ UINT64_C(0xA4F82C9D5AFD1BFD), UINT64_C(0xA3D1E9A4F89D76FE), ++ UINT64_C(0x964F705075702F80), UINT64_C(0x182BF349F56C089D) }, ++ { UINT64_C(0xE205FA8FBE0DA6E1), UINT64_C(0x32905EB90A40F8F3), ++ UINT64_C(0x331A1004356D4395), UINT64_C(0x58B78901FDBBDFDE), ++ UINT64_C(0xA52A15979BA00E71), UINT64_C(0xE0092E1F55497A30) } }, ++ { { UINT64_C(0x5562A85670EE8F39), UINT64_C(0x86B0C11764E52A9C), ++ UINT64_C(0xC19F317409C75B8C), UINT64_C(0x21C7CC3124923F80), ++ UINT64_C(0xE63FE47F8F5B291E), UINT64_C(0x3D6D3C050DC08B05) }, ++ { UINT64_C(0x58AE455EEE0C39A1), UINT64_C(0x78BEA4310AD97942), ++ UINT64_C(0x42C7C97F3EE3989C), UINT64_C(0xC1B03AF5F38759AE), ++ UINT64_C(0x1A673C75BCF46899), UINT64_C(0x4831B7D38D508C7D) } }, ++ { { UINT64_C(0x76512D1BC552E354), UINT64_C(0x2B7EB6DF273020FD), ++ UINT64_C(0xD1C73AA8025A5F25), UINT64_C(0x2ABA19295CBD2A40), ++ UINT64_C(0xB53CADC3C88D61C6), UINT64_C(0x7E66A95E098290F3) }, ++ { UINT64_C(0x72800ECBAF4C5073), UINT64_C(0x81F2725E9DC63FAF), ++ UINT64_C(0x14BF92A7282BA9D1), UINT64_C(0x90629672BD5F1BB2), ++ UINT64_C(0x362F68EBA97C6C96), UINT64_C(0xB1D3BB8B7EA9D601) } }, ++ { { UINT64_C(0x73878F7FA9C94429), UINT64_C(0xB35C3BC8456CA6D8), ++ UINT64_C(0xD96F0B3CF721923A), UINT64_C(0x28D8F06CE6D44FA1), ++ UINT64_C(0x94EFDCDCD5CD671A), UINT64_C(0x0299AB933F97D481) }, ++ { UINT64_C(0xB7CED6EA2FD1D324), UINT64_C(0xBD6832087E932EC2), ++ UINT64_C(0x24ED31FBCB755A6E), UINT64_C(0xA636098EE48781D2), ++ UINT64_C(0x8687C63CF0A4F297), UINT64_C(0xBB52344007478526) } }, ++ { { UINT64_C(0x2E5F741934124B56), UINT64_C(0x1F223AE14B3F02CA), ++ UINT64_C(0x6345B427E8336C7E), UINT64_C(0x92123E16F5D0E3D0), ++ UINT64_C(0xDAF0D14D45E79F3A), UINT64_C(0x6ACA67656F3BD0C6) }, ++ { UINT64_C(0xF6169FAB403813F4), UINT64_C(0x31DC39C0334A4C59), ++ UINT64_C(0x74C46753D589866D), UINT64_C(0x5741511D984C6A5D), ++ UINT64_C(0xF263128797FED2D3), UINT64_C(0x5687CA1B11614886) } }, ++ { { UINT64_C(0x076D902A33836D4B), UINT64_C(0xEC6C5C4324AFB557), ++ UINT64_C(0xA0FE2D1CA0516A0F), UINT64_C(0x6FB8D73700D22ECC), ++ UINT64_C(0xF1DE9077DAF1D7B3), UINT64_C(0xE4695F77D4C0C1EB) }, ++ { UINT64_C(0x5F0FD8A8B4375573), UINT64_C(0x762383595E50944F), ++ UINT64_C(0x65EA2F28635CD76F), UINT64_C(0x0854776925FDE7B0), ++ UINT64_C(0xB2345A2E51944304), UINT64_C(0x86EFA2F7A16C980D) } }, ++ { { UINT64_C(0x4CCBE2D0BF4D1D63), UINT64_C(0x32E33401397366D5), ++ UINT64_C(0xC83AFDDE71BDA2CE), UINT64_C(0x8DACE2AC478ED9E6), ++ UINT64_C(0x3AC6A559763FDD9E), UINT64_C(0x0FFDB04CB398558F) }, ++ { UINT64_C(0x6C1B99B2AFB9D6B8), UINT64_C(0x572BA39C27F815DD), ++ UINT64_C(0x9DE73EE70DBCF842), UINT64_C(0x2A3ED58929267B88), ++ UINT64_C(0xD46A7FD315EBBBB3), UINT64_C(0xD1D01863E29400C7) } }, ++ { { UINT64_C(0x8FB101D1E1F89EC5), UINT64_C(0xB87A1F53F8508042), ++ UINT64_C(0x28C8DB240ED7BEEF), UINT64_C(0x3940F845ACE8660A), ++ UINT64_C(0x4EACB619C6D453FD), UINT64_C(0x2E044C982BAD6160) }, ++ { UINT64_C(0x8792854880B16C02), UINT64_C(0xF0D4BEB3C0A9EB64), ++ UINT64_C(0xD785B4AFC183C195), UINT64_C(0x23AAB0E65E6C46EA), ++ UINT64_C(0x30F7E104A930FECA), UINT64_C(0x6A1A7B8BD55C10FB) } }, ++ { { UINT64_C(0xDA74EAEBDBFED1AA), UINT64_C(0xC8A59223DF0B025C), ++ UINT64_C(0x7EF7DC85D5B627F7), UINT64_C(0x02A13AE1197D7624), ++ UINT64_C(0x119E9BE12F785A9B), UINT64_C(0xC0B7572F00D6B219) }, ++ { UINT64_C(0x9B1E51266D4CAF30), UINT64_C(0xA16A51170A840BD1), ++ UINT64_C(0x5BE17B910E9CCF43), UINT64_C(0x5BDBEDDD69CF2C9C), ++ UINT64_C(0x9FFBFBCF4CF4F289), UINT64_C(0xE1A621836C355CE9) } }, ++ { { UINT64_C(0x056199D9A7B2FCCF), UINT64_C(0x51F2E7B6CE1D784E), ++ UINT64_C(0xA1D09C47339E2FF0), UINT64_C(0xC8E64890B836D0A9), ++ UINT64_C(0x2F781DCBC0D07EBE), UINT64_C(0x5CF3C2AD3ACF934C) }, ++ { UINT64_C(0xE55DB190A17E26AE), UINT64_C(0xC9C61E1F91245513), ++ UINT64_C(0x83D7E6CF61998C15), UINT64_C(0x4DB33C85E41D38E3), ++ UINT64_C(0x74D5F91DC2FEE43D), UINT64_C(0x7EBBDB4536BBC826) } }, ++ { { UINT64_C(0xE20EC7E9CB655A9D), UINT64_C(0x4977EB925C47D421), ++ UINT64_C(0xA237E12C3B9D72FA), UINT64_C(0xCAAEDBC1CBF7B145), ++ UINT64_C(0x5200F5B23B77AAA3), UINT64_C(0x32EDED55BDBE5380) }, ++ { UINT64_C(0x74E38A40E7C9B80A), UINT64_C(0x3A3F0CF8AB6DE911), ++ UINT64_C(0x56DCDD7AAD16AAF0), UINT64_C(0x3D2924498E861D5E), ++ UINT64_C(0xD6C61878985733E2), UINT64_C(0x2401FE7D6AA6CD5B) } }, ++ { { UINT64_C(0xABB3DC75B42E3686), UINT64_C(0xAE712419B4C57E61), ++ UINT64_C(0x2C565F72B21B009B), UINT64_C(0xA5F1DA2E710C3699), ++ UINT64_C(0x771099A0A5EBA59A), UINT64_C(0x4DA88F4AC10017A0) }, ++ { UINT64_C(0x987FFFD31927B56D), UINT64_C(0xB98CB8ECC4E33478), ++ UINT64_C(0xB224A971C2248166), UINT64_C(0x5470F554DE1DC794), ++ UINT64_C(0xD747CC24E31FF983), UINT64_C(0xB91745E9B5B22DAE) } }, ++ { { UINT64_C(0x6CCBFED072F34420), UINT64_C(0x95045E4DA53039D2), ++ UINT64_C(0x3B6C11545A793944), UINT64_C(0xAA114145DDB6B799), ++ UINT64_C(0xABC15CA4252B7637), UINT64_C(0x5745A35BA5744634) }, ++ { UINT64_C(0x05DC6BDEDA596FC0), UINT64_C(0xCD52C18CA8020881), ++ UINT64_C(0x03FA9F47D296BAD0), UINT64_C(0xD8E2C1297268E139), ++ UINT64_C(0x58C1A98D9EC450B0), UINT64_C(0x909638DADE48B20D) } }, ++ { { UINT64_C(0x7AFC30D49B7F8311), UINT64_C(0x82A0042242368EA3), ++ UINT64_C(0xBFF951986F5F9865), UINT64_C(0x9B24F612FC0A070F), ++ UINT64_C(0x22C06CF2620F489D), UINT64_C(0x3C7ED052780F7DBB) }, ++ { UINT64_C(0xDB87AB1834DAFE9B), UINT64_C(0x20C03B409C4BBCA1), ++ UINT64_C(0x5D718CF059A42341), UINT64_C(0x9863170669E84538), ++ UINT64_C(0x5557192BD27D64E1), UINT64_C(0x08B4EC52DA822766) } }, ++ { { UINT64_C(0xB2D986F6D66C1A59), UINT64_C(0x927DEB1678E0E423), ++ UINT64_C(0x9E673CDE49C3DEDC), UINT64_C(0xFA362D84F7ECB6CF), ++ UINT64_C(0x078E5F401BA17340), UINT64_C(0x934CA5D11F4E489C) }, ++ { UINT64_C(0xC03C073164EEF493), UINT64_C(0x631A353BD7931A7E), ++ UINT64_C(0x8E7CC3BB65DD74F1), UINT64_C(0xD55864C5702676A5), ++ UINT64_C(0x6D306AC4439F04BD), UINT64_C(0x58544F672BAFED57) } }, ++ }, ++ { ++ { { UINT64_C(0xB083BA6AEC074AEA), UINT64_C(0x46FAC5EF7F0B505B), ++ UINT64_C(0x95367A21FC82DC03), UINT64_C(0x227BE26A9D3679D8), ++ UINT64_C(0xC70F6D6C7E9724C0), UINT64_C(0xCD68C757F9EBEC0F) }, ++ { UINT64_C(0x29DDE03E8FF321B2), UINT64_C(0xF84AD7BB031939DC), ++ UINT64_C(0xDAF590C90F602F4B), UINT64_C(0x17C5288849722BC4), ++ UINT64_C(0xA8DF99F0089B22B6), UINT64_C(0xC21BC5D4E59B9B90) } }, ++ { { UINT64_C(0x4936C6A08A31973F), UINT64_C(0x54D442FA83B8C205), ++ UINT64_C(0x03AEE8B45714F2C6), UINT64_C(0x139BD6923F5AC25A), ++ UINT64_C(0x6A2E42BAB5B33794), UINT64_C(0x50FA11643FF7BBA9) }, ++ { UINT64_C(0xB61D8643F7E2C099), UINT64_C(0x2366C993BD5C6637), ++ UINT64_C(0x62110E1472EB77FA), UINT64_C(0x3D5B96F13B99C635), ++ UINT64_C(0x956ECF64F674C9F2), UINT64_C(0xC56F7E51EF2BA250) } }, ++ { { UINT64_C(0x246FFCB6FF602C1B), UINT64_C(0x1E1A1D746E1258E0), ++ UINT64_C(0xB4B43AE2250E6676), UINT64_C(0x95C1B5F0924CE5FA), ++ UINT64_C(0x2555795BEBD8C776), UINT64_C(0x4C1E03DCACD9D9D0) }, ++ { UINT64_C(0xE1D74AA69CE90C61), UINT64_C(0xA88C0769A9C4B9F9), ++ UINT64_C(0xDF74DF2795AF56DE), UINT64_C(0x24B10C5FB331B6F4), ++ UINT64_C(0xB0A6DF9A6559E137), UINT64_C(0x6ACC1B8FC06637F2) } }, ++ { { UINT64_C(0xBD8C086834B4E381), UINT64_C(0x278CACC730DFF271), ++ UINT64_C(0x87ED12DE02459389), UINT64_C(0x3F7D98FFDEF840B6), ++ UINT64_C(0x71EEE0CB5F0B56E1), UINT64_C(0x462B5C9BD8D9BE87) }, ++ { UINT64_C(0xE6B50B5A98094C0F), UINT64_C(0x26F3B274508C67CE), ++ UINT64_C(0x418B1BD17CB1F992), UINT64_C(0x607818ED4FF11827), ++ UINT64_C(0xE630D93A9B042C63), UINT64_C(0x38B9EFF38C779AE3) } }, ++ { { UINT64_C(0xE8767D36729C5431), UINT64_C(0xA8BD07C0BB94642C), ++ UINT64_C(0x0C11FC8E58F2E5B2), UINT64_C(0xD8912D48547533FE), ++ UINT64_C(0xAAE14F5E230D91FB), UINT64_C(0xC122051A676DFBA0) }, ++ { UINT64_C(0x9ED4501F5EA93078), UINT64_C(0x2758515CBD4BEE0A), ++ UINT64_C(0x97733C6C94D21F52), UINT64_C(0x139BCD6D4AD306A2), ++ UINT64_C(0x0AAECBDC298123CC), UINT64_C(0x102B8A311CB7C7C9) } }, ++ { { UINT64_C(0x22A28E59FAF46675), UINT64_C(0x1075730810A31E7D), ++ UINT64_C(0xC7EEAC842B4C2F4F), UINT64_C(0xBA370148B5EF5184), ++ UINT64_C(0x4A5A28668732E055), UINT64_C(0x14B8DCDCB887C36F) }, ++ { UINT64_C(0xDBA8C85C433F093D), UINT64_C(0x73DF549D1C9A201C), ++ UINT64_C(0x69AA0D7B70F927D8), UINT64_C(0xFA3A8685D7D2493A), ++ UINT64_C(0x6F48A2550A7F4013), UINT64_C(0xD20C8BF9DD393067) } }, ++ { { UINT64_C(0x4EC874EA81625E78), UINT64_C(0x8B8D8B5A3FBE9267), ++ UINT64_C(0xA3D9D1649421EC2F), UINT64_C(0x490E92D9880EA295), ++ UINT64_C(0x745D1EDCD8F3B6DA), UINT64_C(0x0116628B8F18BA03) }, ++ { UINT64_C(0x0FF6BCE0834EADCE), UINT64_C(0x464697F2000827F7), ++ UINT64_C(0x08DCCF84498D724E), UINT64_C(0x7896D3651E88304C), ++ UINT64_C(0xE63EBCCE135E3622), UINT64_C(0xFB942E8EDC007521) } }, ++ { { UINT64_C(0xBB155A66A3688621), UINT64_C(0xED2FD7CDF91B52A3), ++ UINT64_C(0x52798F5DEA20CB88), UINT64_C(0x069CE105373F7DD8), ++ UINT64_C(0xF9392EC78CA78F6B), UINT64_C(0xB3013E256B335169) }, ++ { UINT64_C(0x1D92F8006B11715C), UINT64_C(0xADD4050EFF9DC464), ++ UINT64_C(0x2AC226598465B84A), UINT64_C(0x2729D646465B2BD6), ++ UINT64_C(0x6202344AE4EFF9DD), UINT64_C(0x51F3198FCD9B90B9) } }, ++ { { UINT64_C(0x17CE54EFE5F0AE1D), UINT64_C(0x984E8204B09852AF), ++ UINT64_C(0x3365B37AC4B27A71), UINT64_C(0x720E3152A00E0A9C), ++ UINT64_C(0x3692F70D925BD606), UINT64_C(0xBE6E699D7BC7E9AB) }, ++ { UINT64_C(0xD75C041F4C89A3C0), UINT64_C(0x8B9F592D8DC100C0), ++ UINT64_C(0x30750F3AAD228F71), UINT64_C(0x1B9ECF84E8B17A11), ++ UINT64_C(0xDF2025620FBFA8A2), UINT64_C(0x45C811FCAA1B6D67) } }, ++ { { UINT64_C(0xEC5B84B71A5151F8), UINT64_C(0x118E59E8550AB2D2), ++ UINT64_C(0x2CCDEDA4049BD735), UINT64_C(0xC99CBA719CD62F0F), ++ UINT64_C(0x69B8040A62C9E4F8), UINT64_C(0x16F1A31A110B8283) }, ++ { UINT64_C(0x53F6380298E908A3), UINT64_C(0x308CB6EFD862F9DE), ++ UINT64_C(0xE185DAD8A521A95A), UINT64_C(0x4D8FE9A4097F75CA), ++ UINT64_C(0xD1ECCEC71CA07D53), UINT64_C(0x13DFA1DC0DB07E83) } }, ++ { { UINT64_C(0xDDAF9DC60F591A76), UINT64_C(0xE1A6D7CC1685F412), ++ UINT64_C(0x153DE557002B6E8D), UINT64_C(0x730C38BCC6DA37D9), ++ UINT64_C(0xAE1806220914B597), UINT64_C(0x84F98103DD8C3A0A) }, ++ { UINT64_C(0x369C53988DA205B0), UINT64_C(0xA3D95B813888A720), ++ UINT64_C(0x1F3F8BBFE10E2806), UINT64_C(0x48663DF54530D1F3), ++ UINT64_C(0x320523B43E377713), UINT64_C(0xE8B1A575C7894814) } }, ++ { { UINT64_C(0x330668712EE8EA07), UINT64_C(0xC6FB4EC560DA199D), ++ UINT64_C(0x33231860F4370A05), UINT64_C(0x7ABECE72C6DE4E26), ++ UINT64_C(0xDE8D4BD8EBDECE7A), UINT64_C(0xC90EE6571CBE93C7) }, ++ { UINT64_C(0x0246751B85AC2509), UINT64_C(0xD0EF142C30380245), ++ UINT64_C(0x086DF9C47C76E39C), UINT64_C(0x68F1304FB789FB56), ++ UINT64_C(0x23E4CB98A5E4BD56), UINT64_C(0x69A4C63C64663DCA) } }, ++ { { UINT64_C(0x6C72B6AF7CB34E63), UINT64_C(0x073C40CD6DFC23FE), ++ UINT64_C(0xBDEEE7A1C936693A), UINT64_C(0xBC858E806EFAD378), ++ UINT64_C(0xEAD719FFF5BE55D4), UINT64_C(0xC8C3238F04552F5F) }, ++ { UINT64_C(0x0952C068928D5784), UINT64_C(0x89DFDF2294C58F2B), ++ UINT64_C(0x332DEDF367502C50), UINT64_C(0x3ED2FA3AAC0BE258), ++ UINT64_C(0xAEDC9B8A7C5C8244), UINT64_C(0x43A761B9DC0EA34F) } }, ++ { { UINT64_C(0x8FD683A2CC5E21A5), UINT64_C(0x5F444C6EFBA2BB68), ++ UINT64_C(0x709ACD0EAF05586D), UINT64_C(0x8EFA54D2DE8FB348), ++ UINT64_C(0x35276B7134CFE29E), UINT64_C(0x77A06FCD941EAC8C) }, ++ { UINT64_C(0x5815792D928322DD), UINT64_C(0x82FF356B67F7CB59), ++ UINT64_C(0x71E40A78304980F4), UINT64_C(0xC8645C273667D021), ++ UINT64_C(0xE785741CAEBAE28F), UINT64_C(0xB2C1BC7553ECAC37) } }, ++ { { UINT64_C(0x633EB24F1D0A74DB), UINT64_C(0xF1F55E56FA752512), ++ UINT64_C(0x75FECA688EFE11DE), UINT64_C(0xC80FD91CE6BF19EC), ++ UINT64_C(0xAD0BAFEC2A14C908), UINT64_C(0x4E1C4ACAADE4031F) }, ++ { UINT64_C(0x463A815B1EB1549A), UINT64_C(0x5AD4253C668F1298), ++ UINT64_C(0x5CB3866238A37151), UINT64_C(0x34BB1CCFAFF16B96), ++ UINT64_C(0xDCA93B13EE731AB0), UINT64_C(0x9F3CE5CC9BE01A0B) } }, ++ { { UINT64_C(0x75DB5723A110D331), UINT64_C(0x67C66F6A7123D89F), ++ UINT64_C(0x27ABBD4B4009D570), UINT64_C(0xACDA6F84C73451BC), ++ UINT64_C(0xE4B9A23905575ACF), UINT64_C(0x3C2DB7EFAB2D3D6C) }, ++ { UINT64_C(0x01CCDD0829115145), UINT64_C(0x9E0602FE57B5814A), ++ UINT64_C(0x679B35C287862838), UINT64_C(0x0277DC4C38AD598D), ++ UINT64_C(0xEF80A2136D896DD4), UINT64_C(0xC8812213E7B9047B) } }, ++ }, ++ { ++ { { UINT64_C(0xAC6DBDF6EDC9CE62), UINT64_C(0xA58F5B440F9C006E), ++ UINT64_C(0x16694DE3DC28E1B0), UINT64_C(0x2D039CF2A6647711), ++ UINT64_C(0xA13BBE6FC5B08B4B), UINT64_C(0xE44DA93010EBD8CE) }, ++ { UINT64_C(0xCD47208719649A16), UINT64_C(0xE18F4E44683E5DF1), ++ UINT64_C(0xB3F66303929BFA28), UINT64_C(0x7C378E43818249BF), ++ UINT64_C(0x76068C80847F7CD9), UINT64_C(0xEE3DB6D1987EBA16) } }, ++ { { UINT64_C(0xCBBD8576C42A2F52), UINT64_C(0x9ACC6F709D2B06BB), ++ UINT64_C(0xE5CB56202E6B72A4), UINT64_C(0x5738EA0E7C024443), ++ UINT64_C(0x8ED06170B55368F3), UINT64_C(0xE54C99BB1AEED44F) }, ++ { UINT64_C(0x3D90A6B2E2E0D8B2), UINT64_C(0x21718977CF7B2856), ++ UINT64_C(0x089093DCC5612AEC), UINT64_C(0xC272EF6F99C1BACC), ++ UINT64_C(0x47DB3B43DC43EAAD), UINT64_C(0x730F30E40832D891) } }, ++ { { UINT64_C(0x9FFE55630C7FECDB), UINT64_C(0x55CC67B6F88101E5), ++ UINT64_C(0x3039F981CBEFA3C7), UINT64_C(0x2AB06883667BFD64), ++ UINT64_C(0x9007A2574340E3DF), UINT64_C(0x1AC3F3FA5A3A49CA) }, ++ { UINT64_C(0x9C7BE629C97E20FD), UINT64_C(0xF61823D3A3DAE003), ++ UINT64_C(0xFFE7FF39E7380DBA), UINT64_C(0x620BB9B59FACC3B8), ++ UINT64_C(0x2DDCB8CD31AE422C), UINT64_C(0x1DE3BCFAD12C3C43) } }, ++ { { UINT64_C(0x8C074946D6E0F9A9), UINT64_C(0x662FA99551C3B05B), ++ UINT64_C(0x6CDAE96904BB2048), UINT64_C(0x6DEC9594D6DC8B60), ++ UINT64_C(0x8D26586954438BBC), UINT64_C(0x88E983E31B0E95A5) }, ++ { UINT64_C(0x8189F11460CBF838), UINT64_C(0x77190697771DC46B), ++ UINT64_C(0x775775A227F8EC1A), UINT64_C(0x7A125240607E3739), ++ UINT64_C(0xAFAE84E74F793E4E), UINT64_C(0x44FA17F35BF5BAF4) } }, ++ { { UINT64_C(0xA21E69A5D03AC439), UINT64_C(0x2069C5FC88AA8094), ++ UINT64_C(0xB041EEA78C08F206), UINT64_C(0x55B9D4613D65B8ED), ++ UINT64_C(0x951EA25CD392C7C4), UINT64_C(0x4B9A1CEC9D166232) }, ++ { UINT64_C(0xC184FCD8FCF931A4), UINT64_C(0xBA59AD44063AD374), ++ UINT64_C(0x1868AD2A1AA9796F), UINT64_C(0x38A34018DFF29832), ++ UINT64_C(0x01FC880103DF8070), UINT64_C(0x1282CCE048DD334A) } }, ++ { { UINT64_C(0x76AA955726D8503C), UINT64_C(0xBE962B636BC3E3D0), ++ UINT64_C(0xF5CA93E597DE8841), UINT64_C(0x1561B05EAF3F2C16), ++ UINT64_C(0x34BE00AAD34BFF98), UINT64_C(0xEA21E6E9D23D2925) }, ++ { UINT64_C(0x55713230394C3AFB), UINT64_C(0xEAF0529BD6C8BECA), ++ UINT64_C(0xFF38A743202B9A11), UINT64_C(0xA13E39FC6D3A398B), ++ UINT64_C(0x8CBD644B86E2615A), UINT64_C(0x92063988191057EC) } }, ++ { { UINT64_C(0x787835CE13F89146), UINT64_C(0x7FCD42CC69446C3F), ++ UINT64_C(0x0DA2AA98840E679D), UINT64_C(0x44F2052318779A1B), ++ UINT64_C(0xE3A3B34FEFBF5935), UINT64_C(0xA5D2CFD0B9947B70) }, ++ { UINT64_C(0xAE2AF4EF27F4E16F), UINT64_C(0xA7FA70D2B9D21322), ++ UINT64_C(0x68084919B3FD566B), UINT64_C(0xF04D71C8D7AAD6AB), ++ UINT64_C(0xDBEA21E410BC4260), UINT64_C(0xAA7DC6658D949B42) } }, ++ { { UINT64_C(0xD8E958A06CCB8213), UINT64_C(0x118D9DB991900B54), ++ UINT64_C(0x09BB9D4985E8CED6), UINT64_C(0x410E9FB524019281), ++ UINT64_C(0x3B31B4E16D74C86E), UINT64_C(0x52BC0252020BB77D) }, ++ { UINT64_C(0x5616A26F27092CE4), UINT64_C(0x67774DBCA08F65CD), ++ UINT64_C(0x560AD494C08BD569), UINT64_C(0xBE26DA36AD498783), ++ UINT64_C(0x0276C8AB7F019C91), UINT64_C(0x09843ADA5248266E) } }, ++ { { UINT64_C(0xA0AE88A77D963CF2), UINT64_C(0x91EF8986D0E84920), ++ UINT64_C(0xC7EFE344F8C58104), UINT64_C(0x0A25D9FDECA20773), ++ UINT64_C(0x9D989FAA00D8F1D5), UINT64_C(0x4204C8CEC8B06264) }, ++ { UINT64_C(0x717C12E0BE1A2796), UINT64_C(0x1FA4BA8CC190C728), ++ UINT64_C(0xA245CA8D8C8A59BA), UINT64_C(0xE3C374757672B935), ++ UINT64_C(0x083D5E402E4D6375), UINT64_C(0x0B8D5AB35455E16E) } }, ++ { { UINT64_C(0x1DB17DBFEED765D4), UINT64_C(0xBBC9B1BEA5DDB965), ++ UINT64_C(0x1948F76DDFC12ABC), UINT64_C(0x2C2714E5134EF489), ++ UINT64_C(0x60CE2EE8741C600F), UINT64_C(0x32396F22F80E6E63) }, ++ { UINT64_C(0x421DAC7522537F59), UINT64_C(0x58FB73C649475DF5), ++ UINT64_C(0x0ABF28856F18F1C7), UINT64_C(0x364744689A398D16), ++ UINT64_C(0x87A661A7BF673B87), UINT64_C(0x3E80698F73819E17) } }, ++ { { UINT64_C(0xDFE4979353784CC4), UINT64_C(0x4280EAB0486D508F), ++ UINT64_C(0x119593FFE534F5A4), UINT64_C(0x98AEFADD9F63242F), ++ UINT64_C(0x9AE6A24AC4829CAE), UINT64_C(0xF2373CA558E8BA80) }, ++ { UINT64_C(0x4017AF7E51765FB3), UINT64_C(0xD1E40F7CAF4AEC4B), ++ UINT64_C(0x87372C7A0898E3BC), UINT64_C(0x688982B285452CA9), ++ UINT64_C(0x71E0B4BFB1E50BCA), UINT64_C(0x21FD2DBFF70E714A) } }, ++ { { UINT64_C(0xEE6E8820FB78DDAC), UINT64_C(0x0BAED29C063892CD), ++ UINT64_C(0x5F33049C28C0588D), UINT64_C(0x90C2515E18DBC432), ++ UINT64_C(0xB8A1B1433B4CB0BD), UINT64_C(0x0AB5C0C968103043) }, ++ { UINT64_C(0xF3788FA04005EC40), UINT64_C(0x82571C99039EE115), ++ UINT64_C(0xEE8FCED593260BED), UINT64_C(0x5A9BAF7910836D18), ++ UINT64_C(0x7C258B09C46AA4F6), UINT64_C(0x46ECC5E837F53D31) } }, ++ { { UINT64_C(0xFA32C0DCBFE0DD98), UINT64_C(0x66EFAFC4962B1066), ++ UINT64_C(0xBA81D33E64BDF5EB), UINT64_C(0x36C28536FC7FC512), ++ UINT64_C(0x0C95176BE0B4FA97), UINT64_C(0x47DDE29B3B9BC64A) }, ++ { UINT64_C(0x08D986FD5C173B36), UINT64_C(0x46D84B526CF3F28C), ++ UINT64_C(0x6F6ED6C3F026BDB9), UINT64_C(0xAC90668B68206DC5), ++ UINT64_C(0xE8ED5D98ECBE4E70), UINT64_C(0xCFFF61DDDC1A6974) } }, ++ { { UINT64_C(0xFF5C3A2977B1A5C1), UINT64_C(0x10C27E4A0DDF995D), ++ UINT64_C(0xCB745F77E23363E3), UINT64_C(0xD765DF6F32F399A3), ++ UINT64_C(0xF0CA0C2F8A99E109), UINT64_C(0xC3A6BFB71E025CA0) }, ++ { UINT64_C(0x830B2C0A4F9D9FA5), UINT64_C(0xAE914CACBD1A84E5), ++ UINT64_C(0x30B35ED8A4FEBCC1), UINT64_C(0xCB902B4684CFBF2E), ++ UINT64_C(0x0BD4762825FC6375), UINT64_C(0xA858A53C85509D04) } }, ++ { { UINT64_C(0x8B995D0C552E0A3F), UINT64_C(0xEDBD4E9417BE9FF7), ++ UINT64_C(0x3432E83995085178), UINT64_C(0x0FE5C18180C256F5), ++ UINT64_C(0x05A64EA8EBF9597C), UINT64_C(0x6ED44BB13F80371F) }, ++ { UINT64_C(0x6A29A05EFE4C12EE), UINT64_C(0x3E436A43E0BB83B3), ++ UINT64_C(0x38365D9A74D72921), UINT64_C(0x3F5EE823C38E1ED7), ++ UINT64_C(0x09A53213E8FA063F), UINT64_C(0x1E7FE47AB435E713) } }, ++ { { UINT64_C(0xE4D9BC94FDDD17F3), UINT64_C(0xC74B8FEDC1016C20), ++ UINT64_C(0x095DE39BB49C060E), UINT64_C(0xDBCC67958AC0DF00), ++ UINT64_C(0x4CF6BAEB1C34F4DF), UINT64_C(0x72C55C21E8390170) }, ++ { UINT64_C(0x4F17BFD2F6C48E79), UINT64_C(0x18BF4DA0017A80BA), ++ UINT64_C(0xCF51D829BCF4B138), UINT64_C(0x598AEE5FF48F8B0D), ++ UINT64_C(0x83FAEE5620F10809), UINT64_C(0x4615D4DC779F0850) } }, ++ }, ++ { ++ { { UINT64_C(0x22313DEE5852B59B), UINT64_C(0x6F56C8E8B6A0B37F), ++ UINT64_C(0x43D6EEAEA76EC380), UINT64_C(0xA16551360275AD36), ++ UINT64_C(0xE5C1B65ADF095BDA), UINT64_C(0xBD1FFA8D367C44B0) }, ++ { UINT64_C(0xE2B419C26B48AF2B), UINT64_C(0x57BBBD973DA194C8), ++ UINT64_C(0xB5FBE51FA2BAFF05), UINT64_C(0xA0594D706269B5D0), ++ UINT64_C(0x0B07B70523E8D667), UINT64_C(0xAE1976B563E016E7) } }, ++ { { UINT64_C(0x2FDE4893FBECAAAE), UINT64_C(0x444346DE30332229), ++ UINT64_C(0x157B8A5B09456ED5), UINT64_C(0x73606A7925797C6C), ++ UINT64_C(0xA9D0F47C33C14C06), UINT64_C(0x7BC8962CFAF971CA) }, ++ { UINT64_C(0x6E763C5165909DFD), UINT64_C(0x1BBBE41B14A9BF42), ++ UINT64_C(0xD95B7ECBC49E9EFC), UINT64_C(0x0C317927B38F2B59), ++ UINT64_C(0x97912B53B3C397DB), UINT64_C(0xCB3879AA45C7ABC7) } }, ++ { { UINT64_C(0xCD81BDCF24359B81), UINT64_C(0x6FD326E2DB4C321C), ++ UINT64_C(0x4CB0228BF8EBE39C), UINT64_C(0x496A9DCEB2CDD852), ++ UINT64_C(0x0F115A1AD0E9B3AF), UINT64_C(0xAA08BF36D8EEEF8A) }, ++ { UINT64_C(0x5232A51506E5E739), UINT64_C(0x21FAE9D58407A551), ++ UINT64_C(0x289D18B08994B4E8), UINT64_C(0xB4E346A809097A52), ++ UINT64_C(0xC641510F324621D0), UINT64_C(0xC567FD4A95A41AB8) } }, ++ { { UINT64_C(0x261578C7D57C8DE9), UINT64_C(0xB9BC491F3836C5C8), ++ UINT64_C(0x993266B414C8038F), UINT64_C(0xBACAD755FAA7CC39), ++ UINT64_C(0x418C4DEFD69B7E27), UINT64_C(0x53FDC5CDAE751533) }, ++ { UINT64_C(0x6F3BD329C3EEA63A), UINT64_C(0xA7A22091E53DD29E), ++ UINT64_C(0xB7164F73DC4C54EC), UINT64_C(0xCA66290D44D3D74E), ++ UINT64_C(0xF77C62424C9EA511), UINT64_C(0x34337F551F714C49) } }, ++ { { UINT64_C(0x5ED2B216A64B6C4B), UINT64_C(0x1C38794F3AAE640D), ++ UINT64_C(0x30BBAEE08905794F), UINT64_C(0x0D9EE41EC8699CFB), ++ UINT64_C(0xAF38DAF2CF7B7C29), UINT64_C(0x0D6A05CA43E53513) }, ++ { UINT64_C(0xBE96C6442606AB56), UINT64_C(0x13E7A072E9EB9734), ++ UINT64_C(0xF96694455FF50CD7), UINT64_C(0x68EF26B547DA6F1D), ++ UINT64_C(0xF002873823687CB7), UINT64_C(0x5ED9C8766217C1CE) } }, ++ { { UINT64_C(0x423BA5130A3A9691), UINT64_C(0xF421B1E7B3179296), ++ UINT64_C(0x6B51BCDB1A871E1B), UINT64_C(0x6E3BB5B5464E4300), ++ UINT64_C(0x24171E2EFC6C54CC), UINT64_C(0xA9DFA947D3E58DC2) }, ++ { UINT64_C(0x175B33099DE9CFA7), UINT64_C(0x707B25292D1015DA), ++ UINT64_C(0xCBB95F17993EA65A), UINT64_C(0x935150630447450D), ++ UINT64_C(0x0F47B2051B2753C9), UINT64_C(0x4A0BAB14E7D427CF) } }, ++ { { UINT64_C(0xA39DEF39B5AA7CA1), UINT64_C(0x591CB173C47C33DF), ++ UINT64_C(0xA09DAC796BBAB872), UINT64_C(0x3EF9D7CF7208BA2F), ++ UINT64_C(0x3CC189317A0A34FC), UINT64_C(0xAE31C62BBCC3380F) }, ++ { UINT64_C(0xD72A67940287C0B4), UINT64_C(0x3373382C68E334F1), ++ UINT64_C(0xD0310CA8BD20C6A6), UINT64_C(0xA2734B8742C033FD), ++ UINT64_C(0xA5D390F18DCE4509), UINT64_C(0xFC84E74B3E1AFCB5) } }, ++ { { UINT64_C(0xB028334DF2CD8A9C), UINT64_C(0xB8719291570F76F6), ++ UINT64_C(0x662A386E01065A2D), UINT64_C(0xDF1634CB53D940AE), ++ UINT64_C(0x625A7B838F5B41F9), UINT64_C(0xA033E4FEEE6AA1B4) }, ++ { UINT64_C(0x51E9D4631E42BABB), UINT64_C(0x660BC2E40D388468), ++ UINT64_C(0x3F702189FCBB114A), UINT64_C(0x6B46FE35B414CA78), ++ UINT64_C(0x328F6CF24A57316B), UINT64_C(0x917423B5381AD156) } }, ++ { { UINT64_C(0xAC19306E5373A607), UINT64_C(0x471DF8E3191D0969), ++ UINT64_C(0x380ADE35B9720D83), UINT64_C(0x7423FDF548F1FD5C), ++ UINT64_C(0x8B090C9F49CABC95), UINT64_C(0xB768E8CDC9842F2F) }, ++ { UINT64_C(0x399F456DE56162D6), UINT64_C(0xBB6BA2404F326791), ++ UINT64_C(0x8F4FBA3B342590BE), UINT64_C(0x053986B93DFB6B3E), ++ UINT64_C(0xBB6739F1190C7425), UINT64_C(0x32D4A55332F7E95F) } }, ++ { { UINT64_C(0x0205A0EC0DDBFB21), UINT64_C(0x3010327D33AC3407), ++ UINT64_C(0xCF2F4DB33348999B), UINT64_C(0x660DB9F41551604A), ++ UINT64_C(0xC346C69A5D38D335), UINT64_C(0x64AAB3D338882479) }, ++ { UINT64_C(0xA096B5E76AE44403), UINT64_C(0x6B4C9571645F76CD), ++ UINT64_C(0x72E1CD5F4711120F), UINT64_C(0x93EC42ACF27CC3E1), ++ UINT64_C(0x2D18D004A72ABB12), UINT64_C(0x232E9568C9841A04) } }, ++ { { UINT64_C(0xFF01DB223CC7F908), UINT64_C(0x9F214F8FD13CDD3B), ++ UINT64_C(0x38DADBB7E0B014B5), UINT64_C(0x2C548CCC94245C95), ++ UINT64_C(0x714BE331809AFCE3), UINT64_C(0xBCC644109BFE957E) }, ++ { UINT64_C(0xC21C2D215B957F80), UINT64_C(0xBA2D4FDCBB8A4C42), ++ UINT64_C(0xFA6CD4AF74817CEC), UINT64_C(0x9E7FB523C528EAD6), ++ UINT64_C(0xAED781FF7714B10E), UINT64_C(0xB52BB59294F04455) } }, ++ { { UINT64_C(0xA578BD69868CC68B), UINT64_C(0xA40FDC8D603F2C08), ++ UINT64_C(0x53D79BD12D81B042), UINT64_C(0x1B136AF3A7587EAB), ++ UINT64_C(0x1ED4F939868A16DB), UINT64_C(0x775A61FBD0B98273) }, ++ { UINT64_C(0xBA5C12A6E56BEF8C), UINT64_C(0xF926CE52DDDC8595), ++ UINT64_C(0xA13F5C8F586FE1F8), UINT64_C(0xEAC9F7F2060DBB54), ++ UINT64_C(0x70C0AC3A51AF4342), UINT64_C(0xC16E303C79CDA450) } }, ++ { { UINT64_C(0xD0DADD6C8113F4EA), UINT64_C(0xF14E392207BDF09F), ++ UINT64_C(0x3FE5E9C2AA7D877C), UINT64_C(0x9EA95C1948779264), ++ UINT64_C(0xE93F65A74FCB8344), UINT64_C(0x9F40837E76D925A4) }, ++ { UINT64_C(0x0EA6DA3F8271FFC7), UINT64_C(0x557FA529CC8F9B19), ++ UINT64_C(0x2613DBF178E6DDFD), UINT64_C(0x7A7523B836B1E954), ++ UINT64_C(0x20EB3168406A87FB), UINT64_C(0x64C21C1403ABA56A) } }, ++ { { UINT64_C(0xE86C9C2DC032DD5F), UINT64_C(0x158CEB8E86F16A21), ++ UINT64_C(0x0279FF5368326AF1), UINT64_C(0x1FFE2E2B59F12BA5), ++ UINT64_C(0xD75A46DB86826D45), UINT64_C(0xE19B48411E33E6AC) }, ++ { UINT64_C(0x5F0CC5240E52991C), UINT64_C(0x645871F98B116286), ++ UINT64_C(0xAB3B4B1EFCAEC5D3), UINT64_C(0x994C8DF051D0F698), ++ UINT64_C(0x06F890AFE5D13040), UINT64_C(0x72D9DC235F96C7C2) } }, ++ { { UINT64_C(0x7C018DEEE7886A80), UINT64_C(0xFA2093308786E4A3), ++ UINT64_C(0xCEC8E2A3A4415CA1), UINT64_C(0x5C736FC1CC83CC60), ++ UINT64_C(0xFEF9788CF00C259F), UINT64_C(0xED5C01CBDD29A6AD) }, ++ { UINT64_C(0x87834A033E20825B), UINT64_C(0x13B1239D123F9358), ++ UINT64_C(0x7E8869D0FBC286C1), UINT64_C(0xC4AB5AA324CE8609), ++ UINT64_C(0x38716BEEB6349208), UINT64_C(0x0BDF4F99B322AE21) } }, ++ { { UINT64_C(0x6B97A2BF53E3494B), UINT64_C(0xA8AA05C570F7A13E), ++ UINT64_C(0x209709C2F1305B51), UINT64_C(0x57B31888DAB76F2C), ++ UINT64_C(0x75B2ECD7AA2A406A), UINT64_C(0x88801A00A35374A4) }, ++ { UINT64_C(0xE1458D1C45C0471B), UINT64_C(0x5760E306322C1AB0), ++ UINT64_C(0x789A0AF1AD6AB0A6), UINT64_C(0x74398DE1F458B9CE), ++ UINT64_C(0x1652FF9F32E0C65F), UINT64_C(0xFAF1F9D5FFFB3A52) } }, ++ }, ++ { ++ { { UINT64_C(0xA05C751CD1D1B007), UINT64_C(0x016C213B0213E478), ++ UINT64_C(0x9C56E26CF4C98FEE), UINT64_C(0x6084F8B9E7B3A7C7), ++ UINT64_C(0xA0B042F6DECC1646), UINT64_C(0x4A6F3C1AFBF3A0BC) }, ++ { UINT64_C(0x94524C2C51C9F909), UINT64_C(0xF3B3AD403A6D3748), ++ UINT64_C(0x18792D6E7CE1F9F5), UINT64_C(0x8EBC2FD7FC0C34FA), ++ UINT64_C(0x032A9F41780A1693), UINT64_C(0x34F9801E56A60019) } }, ++ { { UINT64_C(0xB398290CF0DB3751), UINT64_C(0x01170580BA42C976), ++ UINT64_C(0x3E71AA2956560B89), UINT64_C(0x80817AAC50E6647B), ++ UINT64_C(0x35C833ADA0BE42DA), UINT64_C(0xFA3C6148F1BABA4E) }, ++ { UINT64_C(0xC57BE645CD8F6253), UINT64_C(0x77CEE46BC657AD0D), ++ UINT64_C(0x830077310DEFD908), UINT64_C(0x92FE9BCE899CBA56), ++ UINT64_C(0x48450EC4BCEFFB5A), UINT64_C(0xE615148DF2F5F4BF) } }, ++ { { UINT64_C(0xF55EDABB90B86166), UINT64_C(0x27F7D784075430A2), ++ UINT64_C(0xF53E822B9BF17161), UINT64_C(0x4A5B3B93AFE808DC), ++ UINT64_C(0x590BBBDED7272F55), UINT64_C(0x233D63FAEAEA79A1) }, ++ { UINT64_C(0xD7042BEAFE1EBA07), UINT64_C(0xD2B9AEA010750D7E), ++ UINT64_C(0xD8D1E69031078AA5), UINT64_C(0x9E837F187E37BC8B), ++ UINT64_C(0x9558FF4F85008975), UINT64_C(0x93EDB837421FE867) } }, ++ { { UINT64_C(0xAA6489DF83D55B5A), UINT64_C(0xEA092E4986BF27F7), ++ UINT64_C(0x4D8943A95FA2EFEC), UINT64_C(0xC9BAAE53720E1A8C), ++ UINT64_C(0xC055444B95A4F8A3), UINT64_C(0x93BD01E8A7C1206B) }, ++ { UINT64_C(0xD97765B6714A27DF), UINT64_C(0xD622D954193F1B16), ++ UINT64_C(0x115CC35AF1503B15), UINT64_C(0x1DD5359FA9FA21F8), ++ UINT64_C(0x197C32996DFED1F1), UINT64_C(0xDEE8B7C9F77F2679) } }, ++ { { UINT64_C(0x5405179F394FD855), UINT64_C(0xC9D6E24449FDFB33), ++ UINT64_C(0x70EBCAB4BD903393), UINT64_C(0x0D3A3899A2C56780), ++ UINT64_C(0x012C7256683D1A0A), UINT64_C(0xC688FC8880A48F3B) }, ++ { UINT64_C(0x180957546F7DF527), UINT64_C(0x9E339B4B71315D16), ++ UINT64_C(0x90560C28A956BB12), UINT64_C(0x2BECEA60D42EEE8D), ++ UINT64_C(0x82AEB9A750632653), UINT64_C(0xED34353EDFA5CD6A) } }, ++ { { UINT64_C(0x82154D2C91AECCE4), UINT64_C(0x312C60705041887F), ++ UINT64_C(0xECF589F3FB9FBD71), UINT64_C(0x67660A7DB524BDE4), ++ UINT64_C(0xE99B029D724ACF23), UINT64_C(0xDF06E4AF6D1CD891) }, ++ { UINT64_C(0x07806CB580EE304D), UINT64_C(0x0C70BB9F7443A8F8), ++ UINT64_C(0x01EC341408B0830A), UINT64_C(0xFD7B63C35A81510B), ++ UINT64_C(0xE90A0A39453B5F93), UINT64_C(0xAB700F8F9BC71725) } }, ++ { { UINT64_C(0x9401AEC2B9F00793), UINT64_C(0x064EC4F4B997F0BF), ++ UINT64_C(0xDC0CC1FD849240C8), UINT64_C(0x39A75F37B6E92D72), ++ UINT64_C(0xAA43CA5D0224A4AB), UINT64_C(0x9C4D632554614C47) }, ++ { UINT64_C(0x1767366FC6709DA3), UINT64_C(0xA6B482D123479232), ++ UINT64_C(0x54DC6DDC84D63E85), UINT64_C(0x0ACCB5ADC99D3B9E), ++ UINT64_C(0x211716BBE8AA3ABF), UINT64_C(0xD0FE25AD69EC6406) } }, ++ { { UINT64_C(0x0D5C1769DF85C705), UINT64_C(0x7086C93DA409DCD1), ++ UINT64_C(0x9710839D0E8D75D8), UINT64_C(0x17B7DB75EBDD4177), ++ UINT64_C(0xAF69EB58F649A809), UINT64_C(0x6EF19EA28A84E220) }, ++ { UINT64_C(0x36EB5C6665C278B2), UINT64_C(0xD2A1512881EA9D65), ++ UINT64_C(0x4FCBA840769300AD), UINT64_C(0xC2052CCDC8E536E5), ++ UINT64_C(0x9CAEE014AC263B8F), UINT64_C(0x56F7ED7AF9239663) } }, ++ { { UINT64_C(0xF6FA251FAC9E09E1), UINT64_C(0xA3775605955A2853), ++ UINT64_C(0x977B8D21F2A4BD78), UINT64_C(0xF68AA7FF3E096410), ++ UINT64_C(0x01AB055265F88419), UINT64_C(0xC4C8D77EBB93F64E) }, ++ { UINT64_C(0x718251113451FE64), UINT64_C(0xFA0F905B46F9BAF0), ++ UINT64_C(0x79BE3BF3CA49EF1A), UINT64_C(0x831109B26CB02071), ++ UINT64_C(0x765F935FC4DDBFE5), UINT64_C(0x6F99CD1480E5A3BA) } }, ++ { { UINT64_C(0xD2E8DA04234F91FF), UINT64_C(0x4DED4D6D813867AA), ++ UINT64_C(0x3B50175DE0A0D945), UINT64_C(0x55AC74064EB78137), ++ UINT64_C(0xE9FA7F6EE1D47730), UINT64_C(0x2C1715315CBF2176) }, ++ { UINT64_C(0xA521788F2BE7A47D), UINT64_C(0x95B15A273FCF1AB3), ++ UINT64_C(0xAADA6401F28A946A), UINT64_C(0x628B2EF48B4E898B), ++ UINT64_C(0x0E6F46296D6592CC), UINT64_C(0x997C7094A723CADD) } }, ++ { { UINT64_C(0x878BCE116AFE80C6), UINT64_C(0xA89ABC9D007BBA38), ++ UINT64_C(0xB0C1F87BA7CC267F), UINT64_C(0x86D33B9D5104FF04), ++ UINT64_C(0xB0504B1B2EF1BA42), UINT64_C(0x21693048B2827E88) }, ++ { UINT64_C(0x11F1CCD579CFCD14), UINT64_C(0x59C09FFA94AD227E), ++ UINT64_C(0x95A4ADCB3EA91ACF), UINT64_C(0x1346238BB4370BAA), ++ UINT64_C(0xB099D2023E1367B0), UINT64_C(0xCF5BBDE690F23CEA) } }, ++ { { UINT64_C(0x453299BBBCB3BE5E), UINT64_C(0x123C588E38E9FF97), ++ UINT64_C(0x8C115DD9F6A2E521), UINT64_C(0x6E333C11FF7D4B98), ++ UINT64_C(0x9DD061E5DA73E736), UINT64_C(0xC6AB7B3A5CA53056) }, ++ { UINT64_C(0xF1EF3EE35B30A76B), UINT64_C(0xADD6B44A961BA11F), ++ UINT64_C(0x7BB00B752CA6E030), UINT64_C(0x270272E82FE270AD), ++ UINT64_C(0x23BC6F4F241A9239), UINT64_C(0x88581E130BB94A94) } }, ++ { { UINT64_C(0xBD225A6924EEF67F), UINT64_C(0x7CFD96140412CEB7), ++ UINT64_C(0xF6DE167999AC298E), UINT64_C(0xB20FD895ED6C3571), ++ UINT64_C(0x03C73B7861836C56), UINT64_C(0xEE3C3A16ABA6CB34) }, ++ { UINT64_C(0x9E8C56674138408A), UINT64_C(0xEC25FCB12DD6EBDF), ++ UINT64_C(0xC54C33FDDBBDF6E3), UINT64_C(0x93E0913B4A3C9DD4), ++ UINT64_C(0x66D7D13535EDEED4), UINT64_C(0xD29A36C4453FB66E) } }, ++ { { UINT64_C(0x7F192F039F1943AF), UINT64_C(0x6488163F4E0B5FB0), ++ UINT64_C(0x66A45C6953599226), UINT64_C(0x924E2E439AD15A73), ++ UINT64_C(0x8B553DB742A99D76), UINT64_C(0x4BC6B53B0451F521) }, ++ { UINT64_C(0xC029B5EF101F8AD6), UINT64_C(0x6A4DA71CC507EED9), ++ UINT64_C(0x3ADFAEC030BB22F3), UINT64_C(0x81BCAF7AB514F85B), ++ UINT64_C(0x2E1E6EFF5A7E60D3), UINT64_C(0x5270ABC0AE39D42F) } }, ++ { { UINT64_C(0x86D56DEB3901F0F8), UINT64_C(0x1D0BC792EED5F650), ++ UINT64_C(0x1A2DDFD8CA1114A3), UINT64_C(0x94ABF4B1F1DD316D), ++ UINT64_C(0xF72179E43D9F18EF), UINT64_C(0x52A0921E9AA2CABF) }, ++ { UINT64_C(0xECDA9E27A7452883), UINT64_C(0x7E90850AAFD771B4), ++ UINT64_C(0xD40F87EA9CC0465C), UINT64_C(0x8CFCB60A865CDA36), ++ UINT64_C(0x3DBEC2CC7C650942), UINT64_C(0x071A4EE7E718CA9D) } }, ++ { { UINT64_C(0x73C0E4FF276AC5F3), UINT64_C(0xE7BA5A6ABDB97EA1), ++ UINT64_C(0x638CA54EC5808398), UINT64_C(0x8258DC82413855E5), ++ UINT64_C(0x35DDD2E957F07614), UINT64_C(0xF98DD6921DC13BF9) }, ++ { UINT64_C(0x3A4C0088F16DCD84), UINT64_C(0xF192EADD833D83F9), ++ UINT64_C(0x3C26C931A6D61D29), UINT64_C(0x589FDD52DE0AD7A1), ++ UINT64_C(0x7CD83DD20442D37F), UINT64_C(0x1E47E777403ECBFC) } }, ++ }, ++ { ++ { { UINT64_C(0x2AF8ED8170D4D7BC), UINT64_C(0xABC3E15FB632435C), ++ UINT64_C(0x4C0E726F78219356), UINT64_C(0x8C1962A1B87254C4), ++ UINT64_C(0x30796A71C9E7691A), UINT64_C(0xD453EF19A75A12EE) }, ++ { UINT64_C(0x535F42C213AE4964), UINT64_C(0x86831C3C0DA9586A), ++ UINT64_C(0xB7F1EF35E39A7A58), UINT64_C(0xA2789AE2D459B91A), ++ UINT64_C(0xEADBCA7F02FD429D), UINT64_C(0x94F215D465290F57) } }, ++ { { UINT64_C(0x37ED2BE51CFB79AC), UINT64_C(0x801946F3E7AF84C3), ++ UINT64_C(0xB061AD8AE77C2F00), UINT64_C(0xE87E1A9A44DE16A8), ++ UINT64_C(0xDF4F57C87EE490FF), UINT64_C(0x4E793B49005993ED) }, ++ { UINT64_C(0xE1036387BCCB593F), UINT64_C(0xF174941195E09B80), ++ UINT64_C(0x59CB20D15AB42F91), UINT64_C(0xA738A18DAC0FF033), ++ UINT64_C(0xDA501A2E2AC1E7F4), UINT64_C(0x1B67EDA084D8A6E0) } }, ++ { { UINT64_C(0x1D27EFCE1080E90B), UINT64_C(0xA28152463FD01DC6), ++ UINT64_C(0x99A3FB83CAA26D18), UINT64_C(0xD27E6133B82BABBE), ++ UINT64_C(0x61030DFDD783DD60), UINT64_C(0x295A291373C78CB8) }, ++ { UINT64_C(0x8707A2CF68BE6A92), UINT64_C(0xC9C2FB98EEB3474A), ++ UINT64_C(0x7C3FD412A2B176B8), UINT64_C(0xD5B52E2FC7202101), ++ UINT64_C(0x24A63030F0A6D536), UINT64_C(0x05842DE304648EC0) } }, ++ { { UINT64_C(0x67477CDC30577AC9), UINT64_C(0x51DD9775244F92A8), ++ UINT64_C(0x31FD60B9917EEC66), UINT64_C(0xACD95BD4D66C5C1D), ++ UINT64_C(0x2E0551F3BF9508BA), UINT64_C(0x121168E1688CB243) }, ++ { UINT64_C(0x8C0397404540D230), UINT64_C(0xC4ED3CF6009ECDF9), ++ UINT64_C(0x191825E144DB62AF), UINT64_C(0x3EE8ACABC4A030DA), ++ UINT64_C(0x8AB154A894081504), UINT64_C(0x1FE09E4B486C9CD0) } }, ++ { { UINT64_C(0x512F82F9D113450B), UINT64_C(0x5878C9012DBC9197), ++ UINT64_C(0xDB87412BE13F355B), UINT64_C(0x0A0A4A9B935B8A5E), ++ UINT64_C(0x818587BDF25A5351), UINT64_C(0xE807931031E3D9C7) }, ++ { UINT64_C(0x8B1D47C7611BC1B1), UINT64_C(0x51722B5872A823F2), ++ UINT64_C(0x6F97EE8A53B36B3E), UINT64_C(0x6E085AAC946DD453), ++ UINT64_C(0x2EC5057DE65E6533), UINT64_C(0xF82D9D714BB18801) } }, ++ { { UINT64_C(0xAD81FA938BA5AA8E), UINT64_C(0x723E628E8F7AA69E), ++ UINT64_C(0x0BA7C2DEEF35937C), UINT64_C(0x83A43EC56DECFB40), ++ UINT64_C(0xF520F849E60C4F2D), UINT64_C(0x8260E8AE457E3B5E) }, ++ { UINT64_C(0x7CE874F0BF1D9ED7), UINT64_C(0x5FDE35537F1A5466), ++ UINT64_C(0x5A63777C0C162DBB), UINT64_C(0x0FD04F8CDAD87289), ++ UINT64_C(0xCA2D9E0E640761D5), UINT64_C(0x4615CFF838501ADB) } }, ++ { { UINT64_C(0x9422789B110B4A25), UINT64_C(0x5C26779F70AD8CC1), ++ UINT64_C(0x4EE6A748EC4F1E14), UINT64_C(0xFB584A0D5C7AB5E0), ++ UINT64_C(0xED1DCB0BFB21EE66), UINT64_C(0xDBED1F0011C6863C) }, ++ { UINT64_C(0xD2969269B1B1D187), UINT64_C(0xF7D0C3F2AFE964E6), ++ UINT64_C(0xE05EE93F12BB865E), UINT64_C(0x1AFB7BEEED79118E), ++ UINT64_C(0x220AF1380F0FE453), UINT64_C(0x1463AA1A52782AB9) } }, ++ { { UINT64_C(0x7C139D56D7DBE5F9), UINT64_C(0xFC16E6110B83685B), ++ UINT64_C(0xFA723C029018463C), UINT64_C(0xC472458C840BF5D7), ++ UINT64_C(0x4D8093590AF07591), UINT64_C(0x418D88303308DFD9) }, ++ { UINT64_C(0x9B381E040C365AE3), UINT64_C(0x3780BF33F8190FD1), ++ UINT64_C(0x45397418DD03E854), UINT64_C(0xA95D030F4E51E491), ++ UINT64_C(0x87C8C686E3286CEA), UINT64_C(0x01C773BF900B5F83) } }, ++ { { UINT64_C(0xDABE347578673B02), UINT64_C(0x4F0F25CEF6E7395E), ++ UINT64_C(0x3117ABB9D181AD45), UINT64_C(0x4B559F88AA13DE0B), ++ UINT64_C(0xFD8EFE78EA7C9745), UINT64_C(0x080600475DD21682) }, ++ { UINT64_C(0xC0F5DE4BD4C86FFC), UINT64_C(0x4BB14B1EF21AB6A2), ++ UINT64_C(0xACB53A6CF50C1D12), UINT64_C(0x46AAC4505CC9162E), ++ UINT64_C(0x049C51E02DE240B6), UINT64_C(0xBB2DC016E383C3B0) } }, ++ { { UINT64_C(0xA3C56AD28E438C92), UINT64_C(0x7C43F98FB2CEAF1A), ++ UINT64_C(0x397C44F7E2150778), UINT64_C(0x48D17AB771A24131), ++ UINT64_C(0xCC5138631E2ACDA9), UINT64_C(0x2C76A55EF0C9BAC9) }, ++ { UINT64_C(0x4D74CDCE7EA4BB7B), UINT64_C(0x834BD5BFB1B3C2BA), ++ UINT64_C(0x46E2911ECCC310A4), UINT64_C(0xD3DE84AA0FC1BF13), ++ UINT64_C(0x27F2892F80A03AD3), UINT64_C(0x85B476203BD2F08B) } }, ++ { { UINT64_C(0xAB1CB818567AF533), UINT64_C(0x273B4537BAC2705A), ++ UINT64_C(0x133066C422C84AB6), UINT64_C(0xC3590DE64830BFC1), ++ UINT64_C(0xEA2978695E4742D0), UINT64_C(0xF6D8C6944F3164C0) }, ++ { UINT64_C(0x09E85F3DC1249588), UINT64_C(0x6C2BB05D4EC64DF7), ++ UINT64_C(0xD267115E8B78000F), UINT64_C(0x07C5D7AEC7E4A316), ++ UINT64_C(0xCB1187BA4619E5BD), UINT64_C(0x57B1D4EFA43F7EEE) } }, ++ { { UINT64_C(0x3618891FC8176A96), UINT64_C(0x62C4B084E5808B97), ++ UINT64_C(0xDE5585464DD95D6E), UINT64_C(0x27A8133E730B2EA4), ++ UINT64_C(0xE07CEEC36AF318A0), UINT64_C(0x0ACC1286CE24FD2C) }, ++ { UINT64_C(0x8A48FE4ADD4D307C), UINT64_C(0x71A9BA9C18CDE0DA), ++ UINT64_C(0x655E2B66D5D79747), UINT64_C(0x409FE856A79AEDC7), ++ UINT64_C(0xC5A9F244D287E5CF), UINT64_C(0xCCE103844E82EC39) } }, ++ { { UINT64_C(0x00675BA7F25D364C), UINT64_C(0x7A7F162968D36BDF), ++ UINT64_C(0x35EC468AA9E23F29), UINT64_C(0xF797AC502D926E6C), ++ UINT64_C(0x639BA4534B4F4376), UINT64_C(0xD71B430F51FF9519) }, ++ { UINT64_C(0xB8C439EC2CF5635C), UINT64_C(0x0CE4C8D181980393), ++ UINT64_C(0x4C5362A964123B15), UINT64_C(0x6E0421E0FFDCF096), ++ UINT64_C(0x624A855F10D1F914), UINT64_C(0x7D8F3AB7614DCD29) } }, ++ { { UINT64_C(0xD9219ADAB3493CE0), UINT64_C(0x971B243A52F09AE5), ++ UINT64_C(0xC16C9BF8E24E3674), UINT64_C(0x026D408DCE68C7CD), ++ UINT64_C(0xF9B33DD9358209E3), UINT64_C(0x02D0595DF3B2A206) }, ++ { UINT64_C(0xBF99427160D15640), UINT64_C(0x6DA7A04E15B5466A), ++ UINT64_C(0x03AA4ED81CADB50D), UINT64_C(0x1548F029129A4253), ++ UINT64_C(0x41741F7EB842865A), UINT64_C(0x859FE0A4A3F88C98) } }, ++ { { UINT64_C(0x80DE085A05FD7553), UINT64_C(0x4A4AB91EB897566B), ++ UINT64_C(0x33BCD4752F1C173F), UINT64_C(0x4E238896C100C013), ++ UINT64_C(0x1C88500DD614B34B), UINT64_C(0x0401C5F6C3BA9E23) }, ++ { UINT64_C(0x8E8003C4D0AF0DE5), UINT64_C(0x19B1DFB59D0DCBB9), ++ UINT64_C(0x4A3640A9EBEF7AB6), UINT64_C(0xEDAFD65B959B15F6), ++ UINT64_C(0x8092EF7F7FB95821), UINT64_C(0xAB8DD52ECE2E45D1) } }, ++ { { UINT64_C(0xD1F2D6B8B9CFE6BF), UINT64_C(0x6358810B00073F6F), ++ UINT64_C(0x5FCE5993D712106E), UINT64_C(0x5EE6B2711C024C91), ++ UINT64_C(0xD0248FF5453DB663), UINT64_C(0xD6D81CB2ADB835E8) }, ++ { UINT64_C(0x8696CFECFDFCB4C7), UINT64_C(0x696B7FCB53BC9045), ++ UINT64_C(0xAB4D3807DDA56981), UINT64_C(0x2F9980521E4B943B), ++ UINT64_C(0x8AA76ADB166B7F18), UINT64_C(0x6393430152A2D7ED) } }, ++ }, ++ { ++ { { UINT64_C(0xBBCCCE39A368EFF6), UINT64_C(0xD8CAABDF8CEB5C43), ++ UINT64_C(0x9EAE35A5D2252FDA), UINT64_C(0xA8F4F20954E7DD49), ++ UINT64_C(0xA56D72A6295100FD), UINT64_C(0x20FC1FE856767727) }, ++ { UINT64_C(0xBF60B2480BBAA5AB), UINT64_C(0xA4F3CE5A313911F2), ++ UINT64_C(0xC2A67AD4B93DAB9C), UINT64_C(0x18CD0ED022D71F39), ++ UINT64_C(0x04380C425F304DB2), UINT64_C(0x26420CBB6729C821) } }, ++ { { UINT64_C(0x26BD07D6BDFBCAE8), UINT64_C(0x10B5173FDF01A80A), ++ UINT64_C(0xD831C5466798B96C), UINT64_C(0x1D6B41081D3F3859), ++ UINT64_C(0x501D38EC991B9EC7), UINT64_C(0x26319283D78431A9) }, ++ { UINT64_C(0x8B85BAF7118B343C), UINT64_C(0x4696CDDD58DEF7D0), ++ UINT64_C(0xEFC7C1107ACDCF58), UINT64_C(0xD9AF415C848D5842), ++ UINT64_C(0x6B5A06BC0AC7FDAC), UINT64_C(0x7D623E0DA344319B) } }, ++ { { UINT64_C(0x4C0D78060C9D3547), UINT64_C(0x993F048DCF2AED47), ++ UINT64_C(0x5217C453E4B57E22), UINT64_C(0xB4669E35F4172B28), ++ UINT64_C(0x509A3CD049F999F8), UINT64_C(0xD19F863287C69D41) }, ++ { UINT64_C(0xE14D01E84C8FDED0), UINT64_C(0x342880FDEAFD9E1C), ++ UINT64_C(0x0E17BFF270DC2BF0), UINT64_C(0x46560B7BC0186400), ++ UINT64_C(0xE28C7B9C49A4DD34), UINT64_C(0x182119160F325D06) } }, ++ { { UINT64_C(0x46D70888D7E02E18), UINT64_C(0x7C806954D9F11FD9), ++ UINT64_C(0xE4948FCA4FBEA271), UINT64_C(0x7D6C7765BD80A9DF), ++ UINT64_C(0x1B470EA6F3871C71), UINT64_C(0xD62DE2448330A570) }, ++ { UINT64_C(0xDAECDDC1C659C3A7), UINT64_C(0x8621E513077F7AFC), ++ UINT64_C(0x56C7CD84CAEEEF13), UINT64_C(0xC60C910FC685A356), ++ UINT64_C(0xE68BC5C59DD93DDC), UINT64_C(0xD904E89FFEB64895) } }, ++ { { UINT64_C(0x75D874FB8BA7917A), UINT64_C(0x18FA7F53FD043BD4), ++ UINT64_C(0x212A0AD71FC3979E), UINT64_C(0x5703A7D95D6EAC0E), ++ UINT64_C(0x222F7188017DEAD5), UINT64_C(0x1EC687B70F6C1817) }, ++ { UINT64_C(0x23412FC3238BACB6), UINT64_C(0xB85D70E954CED154), ++ UINT64_C(0xD4E06722BDA674D0), UINT64_C(0x3EA5F17836F5A0C2), ++ UINT64_C(0x7E7D79CFF5C6D2CA), UINT64_C(0x1FFF94643DBB3C73) } }, ++ { { UINT64_C(0x916E19D0F163E4A8), UINT64_C(0x1E6740E71489DF17), ++ UINT64_C(0x1EAF9723339F3A47), UINT64_C(0x22F0ED1A124B8DAD), ++ UINT64_C(0x39C9166C49C3DD04), UINT64_C(0x628E7FD4CE1E9ACC) }, ++ { UINT64_C(0x124DDF2740031676), UINT64_C(0x002569391EDDB9BE), ++ UINT64_C(0xD39E25E7D360B0DA), UINT64_C(0x6E3015A84AA6C4C9), ++ UINT64_C(0xC6A2F643623EDA09), UINT64_C(0xBEFF2D1250AA99FB) } }, ++ { { UINT64_C(0x1FEEF7CE93EE8089), UINT64_C(0xC6B180BC252DD7BD), ++ UINT64_C(0xA16FB20B1788F051), UINT64_C(0xD86FD392E046ED39), ++ UINT64_C(0xDA0A36119378CE1D), UINT64_C(0x121EF3E7A5F7A61D) }, ++ { UINT64_C(0x94D2206192D13CAE), UINT64_C(0x5076046A77C72E08), ++ UINT64_C(0xF18BC2337D2308B9), UINT64_C(0x004DB3C517F977B1), ++ UINT64_C(0xD05AE3990471C11D), UINT64_C(0x86A2A55785CD1726) } }, ++ { { UINT64_C(0xB8D9B28672107804), UINT64_C(0xB5A7C4133303B79B), ++ UINT64_C(0x927EEF785FA37DED), UINT64_C(0xA1C5CF1EAD67DABA), ++ UINT64_C(0xAA5E3FB27360E7C7), UINT64_C(0x8354E61A0A0C0993) }, ++ { UINT64_C(0x2EC73AF97F5458CC), UINT64_C(0xDE4CB48848474325), ++ UINT64_C(0x2DD134C77209BC69), UINT64_C(0xB70C5567451A2ABE), ++ UINT64_C(0x2CD1B2008E293018), UINT64_C(0x15F8DA7AD33C0D72) } }, ++ { { UINT64_C(0x5DC386D0A8790657), UINT64_C(0xA4FDF676BC4D88BB), ++ UINT64_C(0x1B21F38F48BC6C49), UINT64_C(0xCDCC7FAA543A7003), ++ UINT64_C(0xEA97E7AA8C9CF72C), UINT64_C(0xA6B883F450D938A8) }, ++ { UINT64_C(0x51936F3AA3A10F27), UINT64_C(0x0170785FDECC76BF), ++ UINT64_C(0x7539ECE1908C578A), UINT64_C(0x5D9C8A8E0F3E8C25), ++ UINT64_C(0x8681B43B9E4717A7), UINT64_C(0x94F42507A9D83E39) } }, ++ { { UINT64_C(0xBBE11CA8A55ADDE7), UINT64_C(0x39E6F5CF3BC0896B), ++ UINT64_C(0x1447314E1D2D8D94), UINT64_C(0x45B481255B012F8A), ++ UINT64_C(0x41AD23FA08AD5283), UINT64_C(0x837243E241D13774) }, ++ { UINT64_C(0x1FC0BD9DBADCAA46), UINT64_C(0x8DF164ED26E84CAE), ++ UINT64_C(0x8FF70EC041017176), UINT64_C(0x23AD4BCE5C848BA7), ++ UINT64_C(0x89246FDE97A19CBB), UINT64_C(0xA5EF987B78397991) } }, ++ { { UINT64_C(0x111AF1B74757964D), UINT64_C(0x1D25D351DDBBF258), ++ UINT64_C(0x4161E7767D2B06D6), UINT64_C(0x6EFD26911CAC0C5B), ++ UINT64_C(0x633B95DB211BFAEB), UINT64_C(0x9BEDFA5AE2BDF701) }, ++ { UINT64_C(0xADAC2B0B73E099C8), UINT64_C(0x436F0023BFB16BFF), ++ UINT64_C(0xB91B100230F55854), UINT64_C(0xAF6A2097F4C6C8B7), ++ UINT64_C(0x3FF65CED3AD7B3D9), UINT64_C(0x6FA2626F330E56DF) } }, ++ { { UINT64_C(0x3D28BF2DFFCCFD07), UINT64_C(0x0514F6FFD989603B), ++ UINT64_C(0xB95196295514787A), UINT64_C(0xA1848121C3DB4E9C), ++ UINT64_C(0x47FE2E392A3D4595), UINT64_C(0x506F5D8211B73ED4) }, ++ { UINT64_C(0xA2257AE7A600D8BB), UINT64_C(0xD659DBD10F9F122C), ++ UINT64_C(0xDB0FDC6764DF160F), UINT64_C(0xFF3793397CB19690), ++ UINT64_C(0xDF4366B898E72EC1), UINT64_C(0x97E72BECDF437EB8) } }, ++ { { UINT64_C(0x81DCEA271C81E5D9), UINT64_C(0x7E1B6CDA6717FC49), ++ UINT64_C(0xAA36B3B511EAE80D), UINT64_C(0x1306687C3CD7CBB3), ++ UINT64_C(0xED670235C4E89064), UINT64_C(0x9D3B000958A94760) }, ++ { UINT64_C(0x5A64E158E6A6333C), UINT64_C(0x1A8B4A3649453203), ++ UINT64_C(0xF1CAD7241F77CC21), UINT64_C(0x693EBB4B70518EF7), ++ UINT64_C(0xFB47BD810F39C91A), UINT64_C(0xCFE63DA2FA4BC64B) } }, ++ { { UINT64_C(0x82C1C684EAA66108), UINT64_C(0xE32262184CFE79FC), ++ UINT64_C(0x3F28B72B849C720E), UINT64_C(0x137FB3558FEE1CA8), ++ UINT64_C(0x4D18A9CDE4F90C4E), UINT64_C(0xC0344227CC3E46FA) }, ++ { UINT64_C(0x4FD5C08E79CDA392), UINT64_C(0x65DB20DB8ADC87B5), ++ UINT64_C(0x86F95D5B916C1B84), UINT64_C(0x7EDA387117BB2B7C), ++ UINT64_C(0x18CCF7E7669A533B), UINT64_C(0x5E92421CECAD0E06) } }, ++ { { UINT64_C(0x26063E124174B08B), UINT64_C(0xE621D9BE70DE8E4D), ++ UINT64_C(0xAEA0FD0F5ECDF350), UINT64_C(0x0D9F69E49C20E5C9), ++ UINT64_C(0xD3DADEB90BBE2918), UINT64_C(0xD7B9B5DB58AA2F71) }, ++ { UINT64_C(0x7A971DD73364CAF8), UINT64_C(0x702616A3C25D4BE4), ++ UINT64_C(0xA30F0FA1A9E30071), UINT64_C(0x98AB24385573BC69), ++ UINT64_C(0xCBC63CDF6FEC2E22), UINT64_C(0x965F90EDCC901B9B) } }, ++ { { UINT64_C(0xD53B592D71E15BB3), UINT64_C(0x1F03C0E98820E0D0), ++ UINT64_C(0xCE93947D3CCCB726), UINT64_C(0x2790FEE01D547590), ++ UINT64_C(0x4401D847C59CDD7A), UINT64_C(0x72D69120A926DD9D) }, ++ { UINT64_C(0x38B8F21D4229F289), UINT64_C(0x9F412E407FE978AF), ++ UINT64_C(0xAE07901BCDB59AF1), UINT64_C(0x1E6BE5EBD1D4715E), ++ UINT64_C(0x3715BD8B18C96BEF), UINT64_C(0x4B71F6E6E11B3798) } }, ++ }, ++ { ++ { { UINT64_C(0x11A8FDE5F0CE2DF4), UINT64_C(0xBC70CA3EFA8D26DF), ++ UINT64_C(0x6818C275C74DFE82), UINT64_C(0x2B0294AC38373A50), ++ UINT64_C(0x584C4061E8E5F88F), UINT64_C(0x1C05C1CA7342383A) }, ++ { UINT64_C(0x263895B3911430EC), UINT64_C(0xEF9B0032A5171453), ++ UINT64_C(0x144359DA84DA7F0C), UINT64_C(0x76E3095A924A09F2), ++ UINT64_C(0x612986E3D69AD835), UINT64_C(0x70E03ADA392122AF) } }, ++ { { UINT64_C(0xFEB707EE67AAD17B), UINT64_C(0xBB21B28783042995), ++ UINT64_C(0x26DE16459A0D32BA), UINT64_C(0x9A2FF38A1FFB9266), ++ UINT64_C(0x4E5AD96D8F578B4A), UINT64_C(0x26CC0655883E7443) }, ++ { UINT64_C(0x1D8EECAB2EE9367A), UINT64_C(0x42B84337881DE2F8), ++ UINT64_C(0xE49B2FAED758AE41), UINT64_C(0x6A9A22904A85D867), ++ UINT64_C(0x2FB89DCEE68CBA86), UINT64_C(0xBC2526357F09A982) } }, ++ { { UINT64_C(0xADC794368C61AAAC), UINT64_C(0x24C7FD135E926563), ++ UINT64_C(0xEF9FAAA40406C129), UINT64_C(0xF4E6388C8B658D3C), ++ UINT64_C(0x7262BEB41E435BAF), UINT64_C(0x3BF622CCFDAEAC99) }, ++ { UINT64_C(0xD359F7D84E1AEDDC), UINT64_C(0x05DC4F8CD78C17B7), ++ UINT64_C(0xB18CF03229498BA5), UINT64_C(0xC67388CA85BF35AD), ++ UINT64_C(0x8A7A6AA262AA4BC8), UINT64_C(0x0B8F458E72F4627A) } }, ++ { { UINT64_C(0x3FB812EEC68E4488), UINT64_C(0x53C5EAA460EF7281), ++ UINT64_C(0xE57241838FBEFBE4), UINT64_C(0x2B7D49F4A4B24A05), ++ UINT64_C(0x23B138D0710C0A43), UINT64_C(0x16A5B4C1A85EC1DB) }, ++ { UINT64_C(0x7CC1F3D7305FEB02), UINT64_C(0x52F7947D5B6C1B54), ++ UINT64_C(0x1BDA23128F56981C), UINT64_C(0x68663EAEB4080A01), ++ UINT64_C(0x8DD7BA7E9F999B7F), UINT64_C(0xD8768D19B686580C) } }, ++ { { UINT64_C(0xBCD0E0AD7AFDDA94), UINT64_C(0x95A0DBBE34A30687), ++ UINT64_C(0xBBE3C3DF8C5E2665), UINT64_C(0x742BECD8EBF2BC16), ++ UINT64_C(0x300CEB483FA163A6), UINT64_C(0x0C5D02EE4663354B) }, ++ { UINT64_C(0xE4FB9AD6B5E606A4), UINT64_C(0x93F507B8CF49FF95), ++ UINT64_C(0x9406A90C585C193B), UINT64_C(0xAD1440C14ECF9517), ++ UINT64_C(0x184CB4759CEA53F1), UINT64_C(0x6855C4748EF11302) } }, ++ { { UINT64_C(0x00ECB523EDCAFA52), UINT64_C(0x0DA0AE0E086F69D3), ++ UINT64_C(0xC384DE15C242F347), UINT64_C(0xFB050E6E848C12B7), ++ UINT64_C(0x22F6765464E015CE), UINT64_C(0xCBDC2A487CA122F2) }, ++ { UINT64_C(0xA940D973445FB02C), UINT64_C(0x00F31E783767D89D), ++ UINT64_C(0x2B65A237613DABDD), UINT64_C(0x2BE0AB05C875AE09), ++ UINT64_C(0xB22E54FDBA204F8E), UINT64_C(0x65E2029D0F7687B9) } }, ++ { { UINT64_C(0xFFD825381855A71C), UINT64_C(0x26A330B3438BD8D8), ++ UINT64_C(0x89628311F9D8C5F9), UINT64_C(0x8D5FB9CF953738A0), ++ UINT64_C(0xCB7159C9EDFCD4E5), UINT64_C(0xD64E52302064C7C2) }, ++ { UINT64_C(0xF858ED80689F3CFE), UINT64_C(0x4830E30956128B67), ++ UINT64_C(0x2E1692DAE0E90688), UINT64_C(0xAB818913CA9CC232), ++ UINT64_C(0xE2E30C23A5D229A6), UINT64_C(0xA544E8B10E740E23) } }, ++ { { UINT64_C(0x1C15E569DC61E6CC), UINT64_C(0x8FD7296758FC7800), ++ UINT64_C(0xE61E7DB737A9DFC5), UINT64_C(0x3F34A9C65AFD7822), ++ UINT64_C(0x0A11274219E80773), UINT64_C(0xA353460C4760FC58) }, ++ { UINT64_C(0x2FB7DEEBB3124C71), UINT64_C(0x484636272D4009CC), ++ UINT64_C(0x399D1933C3A10370), UINT64_C(0x7EB1945054388DBD), ++ UINT64_C(0x8ECCE6397C2A006A), UINT64_C(0x3D565DAF55C932A0) } }, ++ { { UINT64_C(0xCEF57A9FD9ADAE53), UINT64_C(0xE2EB27D7F83FD8CD), ++ UINT64_C(0x4AC8F7199BBD2DDE), UINT64_C(0x604283AAE91ABFB7), ++ UINT64_C(0xB6A4E11534799F87), UINT64_C(0x2B253224E4C2A8F3) }, ++ { UINT64_C(0xC34F8B92C8782294), UINT64_C(0xC74D697DFCC2CB6B), ++ UINT64_C(0xD990411BC2C84C46), UINT64_C(0x2807B5C631EA4955), ++ UINT64_C(0x14AE2B93B9EB27F5), UINT64_C(0xF0AE96A76163EDFA) } }, ++ { { UINT64_C(0xA7BDCBB442DB7180), UINT64_C(0xC9FAA41FEDCA752F), ++ UINT64_C(0x147F91B4E820F401), UINT64_C(0x1E6CEF86F5F2645F), ++ UINT64_C(0xB4AB4D7F31FE711D), UINT64_C(0xCE68FB3C743EF882) }, ++ { UINT64_C(0xB9D7D6823EF2FCFF), UINT64_C(0xF6893811020DCAFD), ++ UINT64_C(0x30D9A50CBF81E760), UINT64_C(0x7F247D06B9B87228), ++ UINT64_C(0x143D4FEC5F40CFC0), UINT64_C(0x21D78D73329B2A88) } }, ++ { { UINT64_C(0x06B3FF8AED3F2055), UINT64_C(0x50482C77522BE214), ++ UINT64_C(0x8DF69CD8DDF54620), UINT64_C(0x6D1DB204F78A1165), ++ UINT64_C(0x459AE4A29AFE6BF2), UINT64_C(0xC23A9FFD24AC871E) }, ++ { UINT64_C(0xB7FD22E389E85D81), UINT64_C(0x297F1F6B122E9978), ++ UINT64_C(0xAB283D66144BE1CE), UINT64_C(0xC1F90AC2C00C614E), ++ UINT64_C(0x5465576E3224CD09), UINT64_C(0x8E8D910D441B6059) } }, ++ { { UINT64_C(0xF73A060AAAA228BC), UINT64_C(0xCF1B078356EFF87D), ++ UINT64_C(0x11EF17C0A54C9133), UINT64_C(0x9E476B1576A4DAA5), ++ UINT64_C(0x5624FEAC8018FB92), UINT64_C(0x9826A0FCCFEEC1B9) }, ++ { UINT64_C(0xB732F7FE2DFE2046), UINT64_C(0x9260BD9F3B40DA6A), ++ UINT64_C(0xCC9F908F4F231773), UINT64_C(0x4827FEB9DAFC0D55), ++ UINT64_C(0x07D32E85538ACE95), UINT64_C(0xAD9F897CB8EDAF37) } }, ++ { { UINT64_C(0x2F75B82FE3415498), UINT64_C(0xF99CAC5FF1015F30), ++ UINT64_C(0x766408247D7F25DE), UINT64_C(0x714BC9CDEE74C047), ++ UINT64_C(0x70F847BF07448879), UINT64_C(0xA14481DE072165C0) }, ++ { UINT64_C(0x9BFA59E3DB1140A8), UINT64_C(0x7B9C7FF0FCD13502), ++ UINT64_C(0xF4D7538E68459ABF), UINT64_C(0xED93A791C8FC6AD2), ++ UINT64_C(0xA8BBE2A8B51BD9B2), UINT64_C(0x084B5A279FB34008) } }, ++ { { UINT64_C(0xB3BB9545EB138C84), UINT64_C(0x59C3489C3FC88BFD), ++ UINT64_C(0x3A97FF6385F53EC7), UINT64_C(0x40FDF5A60AA69C3D), ++ UINT64_C(0x0E8CCEC753D19668), UINT64_C(0x0AA72EF933FAA661) }, ++ { UINT64_C(0xF5C5A6CF9B1E684B), UINT64_C(0x630F937131A22EA1), ++ UINT64_C(0x06B2AAC2AC60F7EA), UINT64_C(0xB181CAE25BC37D80), ++ UINT64_C(0x4601A929247B13EA), UINT64_C(0x8A71C3865F739797) } }, ++ { { UINT64_C(0x545387B3AB134786), UINT64_C(0x3179BB061599B64A), ++ UINT64_C(0xB0A6198607593574), UINT64_C(0xC7E39B2163FA7C3B), ++ UINT64_C(0xA1173F8691585D13), UINT64_C(0x09D5CC8ECB9525CD) }, ++ { UINT64_C(0xAAD44FFD8F3A3451), UINT64_C(0x702B04F225820CC5), ++ UINT64_C(0xE90CAC491CB66C17), UINT64_C(0x40F6B547EE161DC4), ++ UINT64_C(0xC08BB8B41BA4AC4E), UINT64_C(0x7DC064FBAE5A6BC1) } }, ++ { { UINT64_C(0x90A5E8719D76DDC7), UINT64_C(0x39DC8FAEEDFC8E2E), ++ UINT64_C(0x98467A235B079C62), UINT64_C(0xE25E378505450C98), ++ UINT64_C(0x2FE23A4D96140083), UINT64_C(0x65CE3B9AE9900312) }, ++ { UINT64_C(0x1D87D0886B72B5D9), UINT64_C(0x72F53220FD9AFC82), ++ UINT64_C(0xC63C7C159E1F71FA), UINT64_C(0x90DF26EA8D449637), ++ UINT64_C(0x97089F40C1C2B215), UINT64_C(0x83AF266442317FAA) } }, ++ }, ++ { ++ { { UINT64_C(0xFA2DB51A8D688E31), UINT64_C(0x225B696CA09C88D4), ++ UINT64_C(0x9F88AF1D6059171F), UINT64_C(0x1C5FEA5E782A0993), ++ UINT64_C(0xE0FB15884EC710D3), UINT64_C(0xFAF372E5D32CE365) }, ++ { UINT64_C(0xD9F896AB26506F45), UINT64_C(0x8D3503388373C724), ++ UINT64_C(0x1B76992DCA6E7342), UINT64_C(0x76338FCA6FD0C08B), ++ UINT64_C(0xC3EA4C65A00F5C23), UINT64_C(0xDFAB29B3B316B35B) } }, ++ { { UINT64_C(0x84E5541F483AEBF9), UINT64_C(0x8ADFF7DC49165772), ++ UINT64_C(0xE0A43AD69BEAAD3C), UINT64_C(0x97DD1820F51C2714), ++ UINT64_C(0xAC2B4CB457EA5B0C), UINT64_C(0x87DBD011D11767CA) }, ++ { UINT64_C(0x18CCF36CBFC7957A), UINT64_C(0xD4A088411BC79227), ++ UINT64_C(0x9811CE43D8D292A8), UINT64_C(0x72C5FC68D58C4EE7), ++ UINT64_C(0x5BC0F0BED35C65A7), UINT64_C(0x0B446DBCCBBF9669) } }, ++ { { UINT64_C(0x7EBA3DA69CEE9BCE), UINT64_C(0x3E2C1248D5377750), ++ UINT64_C(0x8C917D982B93D8B2), UINT64_C(0xCA8FC6AC7CAD1F75), ++ UINT64_C(0x5F581F19A0FF150A), UINT64_C(0x872CC14AE08327FA) }, ++ { UINT64_C(0xC774F187E9333188), UINT64_C(0x528ED4AC497AF7E8), ++ UINT64_C(0xCE036E9B8AD72B10), UINT64_C(0x463F9EBB917986CF), ++ UINT64_C(0xBE5163281325CF9B), UINT64_C(0xD28D5C50DD7E5FEA) } }, ++ { { UINT64_C(0x714C1D1BDD58BBE3), UINT64_C(0x85BA01AE039AFD0F), ++ UINT64_C(0x7F23EA3A6951AC80), UINT64_C(0x5C599290AC00C837), ++ UINT64_C(0xF6EFA2B3BF24CC1B), UINT64_C(0x393D8E421E84462B) }, ++ { UINT64_C(0x9BDA627DF8B89453), UINT64_C(0xE66FFF2EB23E0D1B), ++ UINT64_C(0xD1EE7089C3B94EC2), UINT64_C(0xF75DBA6E3031699A), ++ UINT64_C(0x8FF75F79242B2453), UINT64_C(0xE721EDEB289BFED4) } }, ++ { { UINT64_C(0x083215A1C1390FA8), UINT64_C(0x901D686A6DCE8CE0), ++ UINT64_C(0x4AB1BA62837073FF), UINT64_C(0x10C287AA34BEABA5), ++ UINT64_C(0xB4931AF446985239), UINT64_C(0x07639899B053C4DC) }, ++ { UINT64_C(0x29E7F44DE721EECD), UINT64_C(0x6581718257B3FF48), ++ UINT64_C(0x198542E25054E2E0), UINT64_C(0x923C9E1584616DE8), ++ UINT64_C(0x2A9C15E1AD465BB9), UINT64_C(0xD8D4EFC716319245) } }, ++ { { UINT64_C(0x72DC79439961A674), UINT64_C(0x839A0A52A0E13668), ++ UINT64_C(0xD7A53FA9334945EA), UINT64_C(0xDB21DB77E7AA25DB), ++ UINT64_C(0xB6675A7D66E96DA3), UINT64_C(0x2C31C406E66F33C0) }, ++ { UINT64_C(0x45020B626EC7B9CB), UINT64_C(0xFF46E9CD0391F267), ++ UINT64_C(0x7DABD7440FA2F221), UINT64_C(0x9A32364B9D4A2A3E), ++ UINT64_C(0xF0F84AE852D2E47A), UINT64_C(0xD0B872BB888F488A) } }, ++ { { UINT64_C(0x531E4CEFC9790EEF), UINT64_C(0xF7B5735E2B8D1A58), ++ UINT64_C(0xB8882F1EEF568511), UINT64_C(0xAFB08D1C86A86DB3), ++ UINT64_C(0x88CB9DF2F54DE8C7), UINT64_C(0xA44234F19A683282) }, ++ { UINT64_C(0xBC1B3D3AA6E9AB2E), UINT64_C(0xEFA071FB87FC99EE), ++ UINT64_C(0xFA3C737DA102DC0F), UINT64_C(0xDF3248A6D6A0CBD2), ++ UINT64_C(0x6E62A4FF1ECC1BF4), UINT64_C(0xF718F940C8F1BC17) } }, ++ { { UINT64_C(0x2C8B0AAD4F63F026), UINT64_C(0x2AFF623850B253CC), ++ UINT64_C(0xCAB3E94210C4D122), UINT64_C(0x52B59F0407CD2816), ++ UINT64_C(0x22322803982C41FC), UINT64_C(0x38844E668CF50B19) }, ++ { UINT64_C(0x42A959F7BE3264CD), UINT64_C(0xBDDC24BD6C983524), ++ UINT64_C(0xA489EB0C462B8640), UINT64_C(0xB7C0509298029BE7), ++ UINT64_C(0xD5546B5FA1ADDC64), UINT64_C(0xE7CAC1FCA0C655AF) } }, ++ { { UINT64_C(0x1454719847636F97), UINT64_C(0x6FA67481EBCDCCFF), ++ UINT64_C(0xC164872F395D3258), UINT64_C(0xB8CECAFEEE6ACDBC), ++ UINT64_C(0x3FBFE5F3A933F180), UINT64_C(0xEC20CAC2898C3B1E) }, ++ { UINT64_C(0x6A031BEE87DA73F9), UINT64_C(0xD1E667D15C5AF46E), ++ UINT64_C(0xCB3DC1681DC6EEF9), UINT64_C(0x2DD1BD9433D310C0), ++ UINT64_C(0x0F78D4939207E438), UINT64_C(0xC233D544A99C0E75) } }, ++ { { UINT64_C(0x228F19F19E2A0113), UINT64_C(0x58495BE50E1A5D37), ++ UINT64_C(0x97E08F6938D7F364), UINT64_C(0x1EC3BA3E510759B0), ++ UINT64_C(0x3682F19AE03CD40D), UINT64_C(0xC87745D8F9E16D68) }, ++ { UINT64_C(0xFD527AB509A642EA), UINT64_C(0x6308EEBDF9C81F27), ++ UINT64_C(0xFA9F666C550C5D68), UINT64_C(0xDEBA436F584AB153), ++ UINT64_C(0x1D4861D35B63E939), UINT64_C(0x073BED9BC9850221) } }, ++ { { UINT64_C(0x802BCCF08B171246), UINT64_C(0xFFF7D15A733B072F), ++ UINT64_C(0xEA3862664CBFA4EF), UINT64_C(0x9E5B5073D635946B), ++ UINT64_C(0x16E9A979FA81BE95), UINT64_C(0x41E8716EB14F701F) }, ++ { UINT64_C(0x25782E0F101A6719), UINT64_C(0x442C4875C9D66959), ++ UINT64_C(0x52D845D92B85D153), UINT64_C(0xFF9251382E831117), ++ UINT64_C(0x01B700CC8E02434B), UINT64_C(0xD2DB7F8EEC0BAE3E) } }, ++ { { UINT64_C(0x1B225300966A4872), UINT64_C(0x40C149BE566F537B), ++ UINT64_C(0x3335F4D2CB680021), UINT64_C(0x773D0263778E5F5F), ++ UINT64_C(0x1D9B7602666FA9ED), UINT64_C(0x52490A102E6200CF) }, ++ { UINT64_C(0x8434C7DD961F290B), UINT64_C(0x773AC15664456446), ++ UINT64_C(0x5E2BB78947B712BB), UINT64_C(0xFD3BCBFDBE0974AD), ++ UINT64_C(0x71AE9351791AD5D8), UINT64_C(0x1EE738BA6F4E1400) } }, ++ { { UINT64_C(0x2FA428AB0BE8E26E), UINT64_C(0xFEFF0600BB4CF9FC), ++ UINT64_C(0x76F25CA9B2EA5FB0), UINT64_C(0xAB7FECF06835C5F4), ++ UINT64_C(0x649D077219D5F328), UINT64_C(0xABE7B895ACBCB12E) }, ++ { UINT64_C(0xF2D1031AD69B1EA8), UINT64_C(0x46065D5DC60B0BBB), ++ UINT64_C(0xB0908DC185D798FF), UINT64_C(0x4E2420F0D2C9B18A), ++ UINT64_C(0x6B3A9BDDD30432A2), UINT64_C(0x501C3383C9B134AD) } }, ++ { { UINT64_C(0x608F096798A21284), UINT64_C(0x5361BE86059CCEDE), ++ UINT64_C(0x3A40655CAFD87EF7), UINT64_C(0x03CF311759083AA2), ++ UINT64_C(0x57DB5F61B6C366D9), UINT64_C(0x29DC275B6DD0D232) }, ++ { UINT64_C(0xBDAB24DD8FA67501), UINT64_C(0x5928F77565D08C37), ++ UINT64_C(0x9448A856645D466A), UINT64_C(0x6E6B5E2EC0E927A5), ++ UINT64_C(0xE884D546E80C6871), UINT64_C(0x10C881C953A9A851) } }, ++ { { UINT64_C(0x355053749B627AA5), UINT64_C(0xE7CA1B577976677B), ++ UINT64_C(0x812397124976CE17), UINT64_C(0x96E9080B96DA31B9), ++ UINT64_C(0x458254ABCC64AA1F), UINT64_C(0xFEFF682148E674C9) }, ++ { UINT64_C(0x8772F37A021F1488), UINT64_C(0x2E274E18AB56345C), ++ UINT64_C(0x7C7BE61C29823B76), UINT64_C(0x275DB7B29EEFB39E), ++ UINT64_C(0x83B10ED4BF5CBCEF), UINT64_C(0x40D7F5B4518E5183) } }, ++ { { UINT64_C(0x315CCC01F960B41B), UINT64_C(0x90B417C91D99E722), ++ UINT64_C(0x84AFAA0D013463E0), UINT64_C(0xF133C5D813E6D9E1), ++ UINT64_C(0xD95C6ADC525B7430), UINT64_C(0x082C61AD7A25106A) }, ++ { UINT64_C(0xABC1966DBA1CE179), UINT64_C(0xE0578B77A5DB529A), ++ UINT64_C(0x10988C05EC84107D), UINT64_C(0xFCADE5D71B207F83), ++ UINT64_C(0x0BEB6FDBC5BA83DB), UINT64_C(0x1C39B86D57537E34) } }, ++ }, ++ { ++ { { UINT64_C(0x5B0B5D692A7AECED), UINT64_C(0x4C03450C01DC545F), ++ UINT64_C(0x72AD0A4A404A3458), UINT64_C(0x1DE8E2559F467B60), ++ UINT64_C(0xA4B3570590634809), UINT64_C(0x76F30205706F0178) }, ++ { UINT64_C(0x588D21AB4454F0E5), UINT64_C(0xD22DF54964134928), ++ UINT64_C(0xF4E7E73D241BCD90), UINT64_C(0xB8D8A1D22FACC7CC), ++ UINT64_C(0x483C35A71D25D2A0), UINT64_C(0x7F8D25451EF9F608) } }, ++ { { UINT64_C(0xCB51F03954EBC926), UINT64_C(0xE235D356B8D4A7BB), ++ UINT64_C(0x93C8FAFAB41FE1A6), UINT64_C(0x6297701DA719F254), ++ UINT64_C(0x6E9165BC644F5CDE), UINT64_C(0x6506329D0C11C542) }, ++ { UINT64_C(0xA2564809A92B4250), UINT64_C(0x0E9AC173889C2E3E), ++ UINT64_C(0x286A592622B1D1BE), UINT64_C(0x86A3D7526ECDD041), ++ UINT64_C(0x4B867E0A649F9524), UINT64_C(0x1FE7D95A0629CB0F) } }, ++ { { UINT64_C(0xF4F66843CA5BAF54), UINT64_C(0x298DB357EFE7DB78), ++ UINT64_C(0xF607E86E7365712F), UINT64_C(0xD58822988A822BC0), ++ UINT64_C(0x2CFBD63AC61299B3), UINT64_C(0x6F713D9B67167B1A) }, ++ { UINT64_C(0x750F673FDE0B077A), UINT64_C(0x07482708EE2178DA), ++ UINT64_C(0x5E6D5BD169123C75), UINT64_C(0x6A93D1B6EAB99B37), ++ UINT64_C(0x6EF4F7E68CAEC6A3), UINT64_C(0x7BE411D6CF3ED818) } }, ++ { { UINT64_C(0xF92B307363A0A7D2), UINT64_C(0x32DA431C881DC8CF), ++ UINT64_C(0xE51BD5EDC578E3A3), UINT64_C(0xEFDA70D29587FA22), ++ UINT64_C(0xCFEC17089B2EBA85), UINT64_C(0x6AB51A4BAF7BA530) }, ++ { UINT64_C(0x5AC155AE98174812), UINT64_C(0xCAF07A71CCB076E3), ++ UINT64_C(0x280E86C2C38718A7), UINT64_C(0x9D12DE73D63745B7), ++ UINT64_C(0x0E8EA855BF8A79AA), UINT64_C(0x5EB2BED8BD705BF7) } }, ++ { { UINT64_C(0x33FE9578AE16DE53), UINT64_C(0x3AE85EB510BEC902), ++ UINT64_C(0xC4F4965844AF850E), UINT64_C(0x6EA222B3087DD658), ++ UINT64_C(0xB255E6FDA51F1447), UINT64_C(0xB35E4997117E3F48) }, ++ { UINT64_C(0x562E813B05616CA1), UINT64_C(0xDF5925D68A61E156), ++ UINT64_C(0xB2FA8125571C728B), UINT64_C(0x00864805A2F2D1CF), ++ UINT64_C(0x2DC26F411BCCB6FF), UINT64_C(0xEBD5E09363AE37DD) } }, ++ { { UINT64_C(0xD2D68BB30A285611), UINT64_C(0x3EAE7596DC8378F2), ++ UINT64_C(0x2DC6CCC66CC688A3), UINT64_C(0xC45E5713011F5DFB), ++ UINT64_C(0x6B9C4F6C62D34487), UINT64_C(0xFAD6F0771FC65551) }, ++ { UINT64_C(0x5E3266E062B23B52), UINT64_C(0xF1DAF319E98F4715), ++ UINT64_C(0x064D12EA3ED0AE83), UINT64_C(0x5CCF9326564125CB), ++ UINT64_C(0x09057022C63C1E9F), UINT64_C(0x7171972CDC9B5D2E) } }, ++ { { UINT64_C(0x2364FD9AEABD21B2), UINT64_C(0x3CE5F4BB9174AD6D), ++ UINT64_C(0xA4D6D5D0B38688C0), UINT64_C(0x2292A2D26D87FD7D), ++ UINT64_C(0x2A7D1B534CA02E54), UINT64_C(0x7BEE6E7EB4185715) }, ++ { UINT64_C(0x73E546098FC63ACD), UINT64_C(0xF4D93A124064E09D), ++ UINT64_C(0xD20E157A2B92DAA5), UINT64_C(0x90D125DBC4B81A00), ++ UINT64_C(0xCB951C9E7682DE13), UINT64_C(0x1ABE58F427987545) } }, ++ { { UINT64_C(0x6D35164030C70C8D), UINT64_C(0x8047D811CE2361B8), ++ UINT64_C(0x3F8B3D4FDF8E2C81), UINT64_C(0x5D59547733FA1F6C), ++ UINT64_C(0xF769FE5AE29B8A91), UINT64_C(0x26F0E606D737B2A2) }, ++ { UINT64_C(0x70CBFA5DB8B31C6A), UINT64_C(0x0F883B4A863D3AEA), ++ UINT64_C(0x156A4479E386AE2F), UINT64_C(0xA17A2FCDADE8A684), ++ UINT64_C(0x78BDF958E2A7E335), UINT64_C(0xD1B4E6733B9E3041) } }, ++ { { UINT64_C(0x1EAF48EC449A6D11), UINT64_C(0x6B94B8E46D2FA7B9), ++ UINT64_C(0x1D75D269728E4C1B), UINT64_C(0x91123819DD304E2C), ++ UINT64_C(0x0B34CAE388804F4B), UINT64_C(0x2BA192FBC5495E9A) }, ++ { UINT64_C(0xC93FF6EFFF4D24BF), UINT64_C(0xF8C2C0B00342BA78), ++ UINT64_C(0x8041F769831EB94C), UINT64_C(0x353100747782985E), ++ UINT64_C(0xC755320B3AF84E83), UINT64_C(0x384B6D266F497E7F) } }, ++ { { UINT64_C(0xEF92CD5917E6BD17), UINT64_C(0xA087305BA426965C), ++ UINT64_C(0x13895CE7AC47F773), UINT64_C(0xB85F2A9FE0BB2867), ++ UINT64_C(0x2926E6AA7CD7C58E), UINT64_C(0xE544EDA6450459C5) }, ++ { UINT64_C(0x73DBC351B90A9849), UINT64_C(0x961183F6848EBE86), ++ UINT64_C(0xC45BB21080534712), UINT64_C(0x379D08D7A654D9A3), ++ UINT64_C(0x5B97CEF2BD3FFA9C), UINT64_C(0x0F469F34DDC2FCE5) } }, ++ { { UINT64_C(0x6D1461080642F38D), UINT64_C(0x055171A0D21EB887), ++ UINT64_C(0x28DFFAB4D0DCEB28), UINT64_C(0x0D0E631298DE9CCD), ++ UINT64_C(0x750A9156118C3C3F), UINT64_C(0x8C1F1390B049D799) }, ++ { UINT64_C(0xE4823858439607C5), UINT64_C(0x947E9BA05C111EAB), ++ UINT64_C(0x39C95616A355DF2E), UINT64_C(0xF5F6B98E10E54BDA), ++ UINT64_C(0xB0E0B33D142B876A), UINT64_C(0x71197D73EA18C90C) } }, ++ { { UINT64_C(0x36A5139DF52BE819), UINT64_C(0xF60DDF3429A45D2B), ++ UINT64_C(0x0727EFECE9220E34), UINT64_C(0x431D33864EF7F446), ++ UINT64_C(0xC3165A64FCC4962C), UINT64_C(0xB7D926E1D64362BB) }, ++ { UINT64_C(0x216BC61FD45F9350), UINT64_C(0xA974CB2FBBAED815), ++ UINT64_C(0x31DF342D86FB2F76), UINT64_C(0x3AB67E0501D78314), ++ UINT64_C(0x7AA951E0DEE33ED2), UINT64_C(0x318FBBBDCEC78D94) } }, ++ { { UINT64_C(0xAD7EFB65B8FE0204), UINT64_C(0x0432E1C5230AB7F7), ++ UINT64_C(0x7563A62D9C967400), UINT64_C(0xD88B9C743524D4FF), ++ UINT64_C(0x16A1991CF1A823E3), UINT64_C(0xCF2F9BFEFA6F0FFB) }, ++ { UINT64_C(0x55AAA946A50CA61F), UINT64_C(0x8CBBD3C8FED4CAB3), ++ UINT64_C(0x03A0FAB87651365A), UINT64_C(0x46B5234B62DC3913), ++ UINT64_C(0xFD875B28B558CBBD), UINT64_C(0xA48EC3AE11CEB361) } }, ++ { { UINT64_C(0x5DD131A1B3ADBD8B), UINT64_C(0xF9FBCA3A29B45EF8), ++ UINT64_C(0x022048669341EE18), UINT64_C(0x8D13B89583BF9618), ++ UINT64_C(0x0E395BAEE807459C), UINT64_C(0xB9C110CCB190E7DB) }, ++ { UINT64_C(0xA0DC345225D25063), UINT64_C(0x2FB78EC802371462), ++ UINT64_C(0xC3A9E7BB8975C2D5), UINT64_C(0x9466687285A78264), ++ UINT64_C(0x480D2CC28029AA92), UINT64_C(0x237086C75655726D) } }, ++ { { UINT64_C(0x197F14BB65EB9EEE), UINT64_C(0xFC93125C9F12E5FD), ++ UINT64_C(0x9C20BC538BFBAE5E), UINT64_C(0xB35E21544BC053BA), ++ UINT64_C(0xE5FA9CC721C3898E), UINT64_C(0x502D72FFD42F950F) }, ++ { UINT64_C(0x6812D38AD1EB8C31), UINT64_C(0x1F77F3F1080D30BB), ++ UINT64_C(0x18D128335A8B1E98), UINT64_C(0x7FD39FA9299196CE), ++ UINT64_C(0xFB8C9F11CF4ED6D6), UINT64_C(0x4C00F604D6363194) } }, ++ { { UINT64_C(0x5C8AFCF9FA2A21C2), UINT64_C(0x71CBF2821928D133), ++ UINT64_C(0x56BEF28E42B29506), UINT64_C(0xAFBA250C70323DE2), ++ UINT64_C(0x3FE208D17DED2C30), UINT64_C(0xBD2CD213CE9AA598) }, ++ { UINT64_C(0x52C5EC52CFEED070), UINT64_C(0x0A7223E7D3DA336B), ++ UINT64_C(0x7156A4EDCE156B46), UINT64_C(0x9AF6C499ED7E6159), ++ UINT64_C(0x9D7A679713C029AD), UINT64_C(0xE5B5C9249018DC77) } }, ++ }, ++ { ++ { { UINT64_C(0x3F2EFF53DE1E4E55), UINT64_C(0x6B749943E4D3ECC4), ++ UINT64_C(0xAF10B18A0DDE190D), UINT64_C(0xF491B98DA26B0409), ++ UINT64_C(0x66080782A2B1D944), UINT64_C(0x59277DC697E8C541) }, ++ { UINT64_C(0xFDBFC5F6006F18AA), UINT64_C(0x435D165BFADD8BE1), ++ UINT64_C(0x8E5D263857645EF4), UINT64_C(0x31BCFDA6A0258363), ++ UINT64_C(0xF5330AB8D35D2503), UINT64_C(0xB71369F0C7CAB285) } }, ++ { { UINT64_C(0xE6A19DCC40ACC5A8), UINT64_C(0x1C3A1FF1DBC6DBF8), ++ UINT64_C(0xB4D89B9FC6455613), UINT64_C(0x6CB0FE44A7390D0E), ++ UINT64_C(0xADE197A459EA135A), UINT64_C(0xDA6AA86520680982) }, ++ { UINT64_C(0x03DB9BE95A442C1B), UINT64_C(0x221A2D732BFB93F2), ++ UINT64_C(0x44DEE8D4753C196C), UINT64_C(0x59ADCC700B7C6FF5), ++ UINT64_C(0xC6260EC24CA1B142), UINT64_C(0x4C3CB5C646CBD4F2) } }, ++ { { UINT64_C(0x8A15D6FEA417111F), UINT64_C(0xFE4A16BD71D93FCC), ++ UINT64_C(0x7A7EE38C55BBE732), UINT64_C(0xEFF146A51FF94A9D), ++ UINT64_C(0xE572D13EDD585AB5), UINT64_C(0xD879790E06491A5D) }, ++ { UINT64_C(0x9C84E1C52A58CB2E), UINT64_C(0xD79D13746C938630), ++ UINT64_C(0xDB12CD9B385F06C7), UINT64_C(0x0C93EB977A7759C3), ++ UINT64_C(0xF1F5B0FE683BD706), UINT64_C(0x541E4F7285EC3D50) } }, ++ { { UINT64_C(0x9A0E153581833608), UINT64_C(0x5CCE871E6E2833AC), ++ UINT64_C(0xC17059EAFB29777C), UINT64_C(0x7E40E5FAE354CAFD), ++ UINT64_C(0x9CF594054D07C371), UINT64_C(0x64CE36B2A71C3945) }, ++ { UINT64_C(0x69309E9656CAF487), UINT64_C(0x3D719E9F1AE3454B), ++ UINT64_C(0xF2164070E25823B6), UINT64_C(0xEAD851BD0BC27359), ++ UINT64_C(0x3D21BFE8B0925094), UINT64_C(0xA783B1E934A97F4E) } }, ++ { { UINT64_C(0x406B0C269546491A), UINT64_C(0x9E5E15E2F293C4E5), ++ UINT64_C(0xC60D641315B164DB), UINT64_C(0x0DA46F530C75A78E), ++ UINT64_C(0x7C599BB7EA0C656B), UINT64_C(0x0F07A5121B1A8122) }, ++ { UINT64_C(0x14C7204A15172686), UINT64_C(0x8FAEDFF85165625D), ++ UINT64_C(0x20F260CE37AEDE40), UINT64_C(0xC81F771E8F357FFE), ++ UINT64_C(0x25499197B0912557), UINT64_C(0x736197DC4C739C74) } }, ++ { { UINT64_C(0x6151BAB1381B3462), UINT64_C(0x27E5A07843DBD344), ++ UINT64_C(0x2CB05BD6A1C3E9FB), UINT64_C(0x2A75976027CF2A11), ++ UINT64_C(0x0ADCF9DBFF43E702), UINT64_C(0x4BBF03E21F484146) }, ++ { UINT64_C(0x0E74997F55B6521A), UINT64_C(0x15629231ADE17086), ++ UINT64_C(0x7F143E867493FC58), UINT64_C(0x60869095AF8B9670), ++ UINT64_C(0x482CFCD77E524869), UINT64_C(0x9E8060C31D454756) } }, ++ { { UINT64_C(0xE495747AC88B4D3B), UINT64_C(0xB7559835AE8A948F), ++ UINT64_C(0x67EEF3A9DEB56853), UINT64_C(0x0E20E2699DEE5ADF), ++ UINT64_C(0x9031AF6761F0A1AA), UINT64_C(0x76669D32683402BC) }, ++ { UINT64_C(0x90BD231306718B16), UINT64_C(0xE1B22A21864EFDAC), ++ UINT64_C(0xE4FFE9096620089F), UINT64_C(0xB84C842E3428E2D9), ++ UINT64_C(0x0E28C880FE3871FC), UINT64_C(0x8932F6983F21C200) } }, ++ { { UINT64_C(0x603F00CE6C90EA5D), UINT64_C(0x6473930740A2F693), ++ UINT64_C(0xAF65148B2174E517), UINT64_C(0x162FC2CAF784AE74), ++ UINT64_C(0x0D9A88254D5F6458), UINT64_C(0x0C2D586143AACE93) }, ++ { UINT64_C(0xBF1EADDE9F73CBFC), UINT64_C(0xDE9C34C09C68BBCA), ++ UINT64_C(0x6D95602D67EF8A1A), UINT64_C(0x0AF2581BA791B241), ++ UINT64_C(0x14F7736112CAD604), UINT64_C(0x19F2354DE2ACD1AD) } }, ++ { { UINT64_C(0x272F78F60D60F263), UINT64_C(0xE7A8F4AF208FD785), ++ UINT64_C(0x10E191C636554F2C), UINT64_C(0x06D88551FD5CD0B3), ++ UINT64_C(0x29BF856857069C27), UINT64_C(0x3CE7ECD828AA6FAD) }, ++ { UINT64_C(0x7D8A92D0E9F1A1D8), UINT64_C(0xD40C7FF8D30B5725), ++ UINT64_C(0x16BE6CB2F54CAEB8), UINT64_C(0x14CA471A14CB0A91), ++ UINT64_C(0xD5FF15B802733CAE), UINT64_C(0xCAF88D87DAA76580) } }, ++ { { UINT64_C(0x39430E222C046592), UINT64_C(0x6CDAE81F1AD26706), ++ UINT64_C(0x8C102159A25D9106), UINT64_C(0x9A44057227CA9F30), ++ UINT64_C(0x8D34C43070287FBC), UINT64_C(0x9003A45529DB8AFA) }, ++ { UINT64_C(0x91364CC37FD971AD), UINT64_C(0x7B3AA0489C60EDB7), ++ UINT64_C(0x58B0E008526F4DD8), UINT64_C(0xB7674454D86D98AE), ++ UINT64_C(0xC25F4051B2B45747), UINT64_C(0x8243BF9CCC043E8F) } }, ++ { { UINT64_C(0xA89641C643A0C387), UINT64_C(0x6D92205C87B9AB17), ++ UINT64_C(0x37D691F4DAA0E102), UINT64_C(0xEB3E52D7CDE5312E), ++ UINT64_C(0x60D3C09916F518A2), UINT64_C(0x7854C0518A378EEB) }, ++ { UINT64_C(0x7359DB514BBCAAC5), UINT64_C(0xF5B1B68C1713F102), ++ UINT64_C(0xDAEAE645E4398DE5), UINT64_C(0x8C8ACB6CD1ABFB82), ++ UINT64_C(0x2E8B76C3136423E2), UINT64_C(0x509DCB2DA8BA015E) } }, ++ { { UINT64_C(0x2FF368159AD9C59C), UINT64_C(0xB189A4E8658E65B9), ++ UINT64_C(0x7D33DDBBEA786AD2), UINT64_C(0x96D0D648C0D2DC05), ++ UINT64_C(0x05E49256BFA03BE9), UINT64_C(0x0EA4E7A68BAF5A1C) }, ++ { UINT64_C(0x3DDCE0B09F9AD5A8), UINT64_C(0xF78091959E49C2CB), ++ UINT64_C(0xBFCEF29D21782C2F), UINT64_C(0xE57AD39FC41BFD97), ++ UINT64_C(0xC04B93E81355AD19), UINT64_C(0xAABC9E6E59440F9F) } }, ++ { { UINT64_C(0x7AA481035B6459DA), UINT64_C(0x83EF74770166E880), ++ UINT64_C(0x536182B1511CCE80), UINT64_C(0xAFDD2EEE73CA55AA), ++ UINT64_C(0xAB910D0DA8716143), UINT64_C(0x8BEAA42B83707250) }, ++ { UINT64_C(0x4BCCFD898DA2AB3D), UINT64_C(0x1DBF68A9EC6AA105), ++ UINT64_C(0x32CE610868EB42DA), UINT64_C(0x5C2C2C858EA62E37), ++ UINT64_C(0x1ED2791FCD3088A7), UINT64_C(0x496B4FEBFF05070C) } }, ++ { { UINT64_C(0x9FA9121A0AA629C5), UINT64_C(0xE286CFF157558BEC), ++ UINT64_C(0x4D9D657E59813A4D), UINT64_C(0xC4676A1626103519), ++ UINT64_C(0x616160B32BD4DF80), UINT64_C(0x26FB78CC30FBAE87) }, ++ { UINT64_C(0x096070138F0F66BD), UINT64_C(0xDD4E2D0C03D9B90D), ++ UINT64_C(0x5D3A8912600D1B12), UINT64_C(0xF76DD52F4308E126), ++ UINT64_C(0x97CC04099E4FCCA6), UINT64_C(0x0CFBE31104C4DF7B) } }, ++ { { UINT64_C(0x6CA62C1228437A23), UINT64_C(0x0DAF335340E7A003), ++ UINT64_C(0x1FD07DF0D20F8079), UINT64_C(0xEAE7969C3BBC9749), ++ UINT64_C(0x55861AFA9ECAD022), UINT64_C(0xEC41DAD91FBC3D4C) }, ++ { UINT64_C(0x1FE4CB40DA8B261B), UINT64_C(0xC2671AB6427C5C9D), ++ UINT64_C(0xDFCDA7B8261D4939), UINT64_C(0x9E7B802B2072C0B9), ++ UINT64_C(0x3AFEE900C7828CC2), UINT64_C(0x3488BF28F6DE987F) } }, ++ { { UINT64_C(0x33B9F2DE7BE1F89E), UINT64_C(0xD4E80821299B15C9), ++ UINT64_C(0x87A3067A0E13F37F), UINT64_C(0x6D4C09ED55FD239F), ++ UINT64_C(0x48B1042D92EF014F), UINT64_C(0xA382B2E0B385A759) }, ++ { UINT64_C(0xBF571BB07F6F84F8), UINT64_C(0x25AFFA370CE87F50), ++ UINT64_C(0x826906D3FE54F1BC), UINT64_C(0x6B0421F4C53AE76A), ++ UINT64_C(0x44F85A3A4855EB3C), UINT64_C(0xF49E21518D1F2B27) } }, ++ }, ++ { ++ { { UINT64_C(0xC0426B775E3C647B), UINT64_C(0xBFCBD9398CF05348), ++ UINT64_C(0x31D312E3172C0D3D), UINT64_C(0x5F49FDE6EE754737), ++ UINT64_C(0x895530F06DA7EE61), UINT64_C(0xCF281B0AE8B3A5FB) }, ++ { UINT64_C(0xFD14973541B8A543), UINT64_C(0x41A625A73080DD30), ++ UINT64_C(0xE2BAAE07653908CF), UINT64_C(0xC3D01436BA02A278), ++ UINT64_C(0xA0D0222E7B21B8F8), UINT64_C(0xFDC270E9D7EC1297) } }, ++ { { UINT64_C(0x06A67BD29F101E64), UINT64_C(0xCB6E0AC7E1733A4A), ++ UINT64_C(0xEE0B5D5197BC62D2), UINT64_C(0x52B1703924C51874), ++ UINT64_C(0xFED1F42382A1A0D5), UINT64_C(0x55D90569DB6270AC) }, ++ { UINT64_C(0x36BE4A9C5D73D533), UINT64_C(0xBE9266D6976ED4D5), ++ UINT64_C(0xC17436D3B8F8074B), UINT64_C(0x3BB4D399718545C6), ++ UINT64_C(0x8E1EA3555C757D21), UINT64_C(0xF7EDBC978C474366) } }, ++ { { UINT64_C(0xEC72C6506EA83242), UINT64_C(0xF7DE7BE51B2D237F), ++ UINT64_C(0x3C5E22001819EFB0), UINT64_C(0xDF5AB6D68CDDE870), ++ UINT64_C(0x75A44E9D92A87AEE), UINT64_C(0xBDDC46F4BCF77F19) }, ++ { UINT64_C(0x8191EFBD669B674D), UINT64_C(0x52884DF9ED71768F), ++ UINT64_C(0xE62BE58265CF242C), UINT64_C(0xAE99A3B180B1D17B), ++ UINT64_C(0x48CBB44692DE59A9), UINT64_C(0xD3C226CF2DCB3CE2) } }, ++ { { UINT64_C(0x9580CDFB9FD94EC4), UINT64_C(0xED273A6C28631AD9), ++ UINT64_C(0x5D3D5F77C327F3E7), UINT64_C(0x05D5339C35353C5F), ++ UINT64_C(0xC56FB5FE5C258EB1), UINT64_C(0xEFF8425EEDCE1F79) }, ++ { UINT64_C(0xAB7AA141CF83CF9C), UINT64_C(0xBD2A690A207D6D4F), ++ UINT64_C(0xE1241491458D9E52), UINT64_C(0xDD2448CCAA7F0F31), ++ UINT64_C(0xEC58D3C7F0FDA7AB), UINT64_C(0x7B6E122DC91BBA4D) } }, ++ { { UINT64_C(0x2A2DEDAFB1B48156), UINT64_C(0xA0A2C63ABB93DB87), ++ UINT64_C(0xC655907808ACD99E), UINT64_C(0x03EA42AFFE4AC331), ++ UINT64_C(0x43D2C14AEB180ED6), UINT64_C(0xC2F293DDB1156A1A) }, ++ { UINT64_C(0x1FAFABF5A9D81249), UINT64_C(0x39ADDEAD9A8EEE87), ++ UINT64_C(0x21E206F2119E2E92), UINT64_C(0xBC5DCC2ED74DCEB6), ++ UINT64_C(0x86647FA30A73A358), UINT64_C(0xEAD8BEA42F53F642) } }, ++ { { UINT64_C(0x636225F591C09091), UINT64_C(0xCCF5070A71BDCFDF), ++ UINT64_C(0x0EF8D625B9668EE2), UINT64_C(0x57BDF6CDB5E04E4F), ++ UINT64_C(0xFC6AB0A67C75EA43), UINT64_C(0xEB6B8AFBF7FD6EF3) }, ++ { UINT64_C(0x5B2AEEF02A3DF404), UINT64_C(0x31FD3B48B9823197), ++ UINT64_C(0x56226DB683A7EB23), UINT64_C(0x3772C21E5BB1ED2F), ++ UINT64_C(0x3E833624CD1ABA6A), UINT64_C(0xBAE58FFAAC672DAD) } }, ++ { { UINT64_C(0xCE92224D31BA1705), UINT64_C(0x022C6ED2F0197F63), ++ UINT64_C(0x21F18D99A4DC1113), UINT64_C(0x5CD04DE803616BF1), ++ UINT64_C(0x6F9006799FF12E08), UINT64_C(0xF59A331548E61DDF) }, ++ { UINT64_C(0x9474D42CB51BD024), UINT64_C(0x11A0A4139051E49D), ++ UINT64_C(0x79C92705DCE70EDB), UINT64_C(0x113CE27834198426), ++ UINT64_C(0x8978396FEA8616D2), UINT64_C(0x9A2A14D0EA894C36) } }, ++ { { UINT64_C(0x4F1E1254604F6E4A), UINT64_C(0x4513B0880187D585), ++ UINT64_C(0x9022F25719E0F482), UINT64_C(0x51FB2A80E2239DBF), ++ UINT64_C(0x49940D9E998ED9D5), UINT64_C(0x0583D2416C932C5D) }, ++ { UINT64_C(0x1188CEC8F25B73F7), UINT64_C(0xA28788CB3B3D06CD), ++ UINT64_C(0xDEA194ECA083DB5A), UINT64_C(0xD93A4F7E22DF4272), ++ UINT64_C(0x8D84E4BF6A009C49), UINT64_C(0x893D8DD93E3E4A9E) } }, ++ { { UINT64_C(0x35E909EA33D31160), UINT64_C(0x5020316857172F1E), ++ UINT64_C(0x2707FC4451F3D866), UINT64_C(0xEB9D2018D2442A5D), ++ UINT64_C(0x904D72095DBFE378), UINT64_C(0x6DB132A35F13CF77) }, ++ { UINT64_C(0x9D842BA67A3AF54B), UINT64_C(0x4E16EA195AA5B4F9), ++ UINT64_C(0x2BBA457CAF24228E), UINT64_C(0xCC04B3BB16F3C5FE), ++ UINT64_C(0xBAFAC51677E64944), UINT64_C(0x31580A34F08BCEE0) } }, ++ { { UINT64_C(0xC6808DEE20C30ACA), UINT64_C(0xDADD216FA3EA2056), ++ UINT64_C(0xD331394E7A4A9F9D), UINT64_C(0x9E0441AD424C4026), ++ UINT64_C(0xAEED102F0AEB5350), UINT64_C(0xC6697FBBD45B09DA) }, ++ { UINT64_C(0x52A2590EDEAC1496), UINT64_C(0x7142B831250B87AF), ++ UINT64_C(0xBEF2E68B6D0784A8), UINT64_C(0x5F62593AA5F71CEF), ++ UINT64_C(0x3B8F7616B5DA51A3), UINT64_C(0xC7A6FA0DB680F5FE) } }, ++ { { UINT64_C(0x36C21DE699C8227C), UINT64_C(0xBEE3E867C26813B1), ++ UINT64_C(0x9B05F2E6BDD91549), UINT64_C(0x34FF2B1FA7D1110F), ++ UINT64_C(0x8E6953B937F67FD0), UINT64_C(0x56C7F18BC3183E20) }, ++ { UINT64_C(0x48AF46DE9E2019ED), UINT64_C(0xDEAF972EF551BBBF), ++ UINT64_C(0x88EE38F8CC5E3EEF), UINT64_C(0xFB8D7A44392D6BAF), ++ UINT64_C(0x32293BFC0127187D), UINT64_C(0x7689E767E58647CC) } }, ++ { { UINT64_C(0x00CE901B52168013), UINT64_C(0xC6BF8E38837AAE71), ++ UINT64_C(0xD6F11EFA167677D8), UINT64_C(0xE53BB48586C8E5CF), ++ UINT64_C(0x671167CEC48E74AB), UINT64_C(0x8A40218C8AD720A7) }, ++ { UINT64_C(0x81E827A6E7C1191A), UINT64_C(0x54058F8DADDB153D), ++ UINT64_C(0x0BAF29250D950FA2), UINT64_C(0xC244674D576DDA13), ++ UINT64_C(0x8C4630AE41BCD13B), UINT64_C(0x6C2127BF5A077419) } }, ++ { { UINT64_C(0xCF977FD5A83C501F), UINT64_C(0xD7C6DF36B6AB176F), ++ UINT64_C(0x117F6331397BC6B5), UINT64_C(0x72A6078BF7A2D491), ++ UINT64_C(0xE5A2AAED5242FE2E), UINT64_C(0x88ECFFDCFEBDC212) }, ++ { UINT64_C(0xF2DBBF50CE33BA21), UINT64_C(0xE1343B76CEB19F07), ++ UINT64_C(0x1F32D4C9D2C28F71), UINT64_C(0x93FC64B418587685), ++ UINT64_C(0x39CEEF9BBA1F8BD1), UINT64_C(0x99C36A788D6D6BB0) } }, ++ { { UINT64_C(0x0D0638173E9561CF), UINT64_C(0x1D8646AA3D33704D), ++ UINT64_C(0x8C4513847A08BA33), UINT64_C(0x96446BD3E02D6624), ++ UINT64_C(0x749849F02D6F4166), UINT64_C(0xE364DA0114268BF0) }, ++ { UINT64_C(0x7CE4587E9AEBFCFD), UINT64_C(0xD468606456234393), ++ UINT64_C(0x00231D5116DF73B2), UINT64_C(0xF6A969B77279C78C), ++ UINT64_C(0x1FF1F6B66CB4117C), UINT64_C(0x30AEBC39D3EAB680) } }, ++ { { UINT64_C(0x5CC97E6493EF00B9), UINT64_C(0xDAE13841972345AE), ++ UINT64_C(0x858391844788F43C), UINT64_C(0xD0FF521EE2E6CF3E), ++ UINT64_C(0xAED14A5B4B707C86), UINT64_C(0x7EAAE4A6D2523CF7) }, ++ { UINT64_C(0x266472C5024C8AC6), UINT64_C(0xE47E1522C0170051), ++ UINT64_C(0x7B83DA6173826BAE), UINT64_C(0xE97E19F5CF543F0D), ++ UINT64_C(0x5D5248FA20BF38E2), UINT64_C(0x8A7C2F7DDF56A037) } }, ++ { { UINT64_C(0xB04659DD87B0526C), UINT64_C(0x593C604A2307565E), ++ UINT64_C(0x49E522257C630AB8), UINT64_C(0x24C1D0C6DCE9CD23), ++ UINT64_C(0x6FDB241C85177079), UINT64_C(0x5F521D19F250C351) }, ++ { UINT64_C(0xFB56134BA6FB61DF), UINT64_C(0xA4E70D69D75C07ED), ++ UINT64_C(0xB7A824487D8825A8), UINT64_C(0xA3AEA7D4DD64BBCC), ++ UINT64_C(0xD53E6E6C8692F539), UINT64_C(0x8DDDA83BF7AA4BC0) } }, ++ }, ++ { ++ { { UINT64_C(0x140A0F9FDD93D50A), UINT64_C(0x4799FFDE83B7ABAC), ++ UINT64_C(0x78FF7C2304A1F742), UINT64_C(0xC0568F51195BA34E), ++ UINT64_C(0xE97183603B7F78B4), UINT64_C(0x9CFD1FF1F9EFAA53) }, ++ { UINT64_C(0xE924D2C5BB06022E), UINT64_C(0x9987FA86FAA2AF6D), ++ UINT64_C(0x4B12E73F6EE37E0F), UINT64_C(0x1836FDFA5E5A1DDE), ++ UINT64_C(0x7F1B92259DCD6416), UINT64_C(0xCB2C1B4D677544D8) } }, ++ { { UINT64_C(0x0254486D9C213D95), UINT64_C(0x68A9DB56CB2F6E94), ++ UINT64_C(0xFB5858BA000F5491), UINT64_C(0x1315BDD934009FB6), ++ UINT64_C(0xB18A8E0AC42BDE30), UINT64_C(0xFDCF93D1F1070358) }, ++ { UINT64_C(0xBEB1DB753022937E), UINT64_C(0x9B9ECA7ACAC20DB4), ++ UINT64_C(0x152214D4E4122B20), UINT64_C(0xD3E673F2AABCCC7B), ++ UINT64_C(0x94C50F64AED07571), UINT64_C(0xD767059AE66B4F17) } }, ++ { { UINT64_C(0x40336B12DCD6D14B), UINT64_C(0xF6BCFF5DE3B4919C), ++ UINT64_C(0xC337048D9C841F0C), UINT64_C(0x4CE6D0251D617F50), ++ UINT64_C(0x00FEF2198117D379), UINT64_C(0x18B7C4E9F95BE243) }, ++ { UINT64_C(0x98DE119E38DF08FF), UINT64_C(0xDFD803BD8D772D20), ++ UINT64_C(0x94125B720F9678BD), UINT64_C(0xFC5B57CD334ACE30), ++ UINT64_C(0x09486527B7E86E04), UINT64_C(0xFE9F8BCC6E552039) } }, ++ { { UINT64_C(0x3B75C45BD6F5A10E), UINT64_C(0xFD4680F4C1C35F38), ++ UINT64_C(0x5450227DF8E0A113), UINT64_C(0x5E69F1AE73DDBA24), ++ UINT64_C(0x2007B80E57F24645), UINT64_C(0xC63695DC3D159741) }, ++ { UINT64_C(0xCBE54D294530F623), UINT64_C(0x986AD5732869586B), ++ UINT64_C(0xE19F70594CC39F73), UINT64_C(0x80F00AB32B1B8DA9), ++ UINT64_C(0xB765AAF973F68D26), UINT64_C(0xBC79A394E993F829) } }, ++ { { UINT64_C(0x9C441043F310D2A0), UINT64_C(0x2865EE58DC5EB106), ++ UINT64_C(0x71A959229CB8065C), UINT64_C(0x8EB3A733A052AF0F), ++ UINT64_C(0x56009F42B09D716E), UINT64_C(0xA7F923C5ABCBE6AD) }, ++ { UINT64_C(0x263B7669FA375C01), UINT64_C(0x641C47E521EF27A2), ++ UINT64_C(0xA89B474EB08FFD25), UINT64_C(0x5BE8EC3FF0A239F3), ++ UINT64_C(0x0E79957A242A6C5A), UINT64_C(0x1DFB26D00C6C75F5) } }, ++ { { UINT64_C(0x2FD97B9B9DFBF22A), UINT64_C(0xDEC16CC85643532D), ++ UINT64_C(0xDF0E6E3960FEE7C3), UINT64_C(0xD09AD7B6545860C8), ++ UINT64_C(0xCC16E98473FC3B7C), UINT64_C(0x6CE734C10D4E1555) }, ++ { UINT64_C(0xC6EFE68B4B5F6032), UINT64_C(0x3A64F34C14F54073), ++ UINT64_C(0x25DA689CAC44DC95), UINT64_C(0x990C477E5358AD8A), ++ UINT64_C(0x00E958A5F36DA7DE), UINT64_C(0x902B7360C9B6F161) } }, ++ { { UINT64_C(0x454AB42C9347B90A), UINT64_C(0xCAEBE64AA698B02B), ++ UINT64_C(0x119CDC69FB86FA40), UINT64_C(0x2E5CB7ADC3109281), ++ UINT64_C(0x67BB1EC5CD0C3D00), UINT64_C(0x5D430BC783F25BBF) }, ++ { UINT64_C(0x69FD84A85CDE0ABB), UINT64_C(0x69DA263E9816B688), ++ UINT64_C(0xE52D93DF0E53CBB8), UINT64_C(0x42CF6F25ADD2D5A7), ++ UINT64_C(0x227BA59DC87CA88F), UINT64_C(0x7A1CA876DA738554) } }, ++ { { UINT64_C(0x3FA5C1051CAC82C4), UINT64_C(0x23C760878A78C9BE), ++ UINT64_C(0xE98CDAD61C5CFA42), UINT64_C(0x09C302520A6C0421), ++ UINT64_C(0x149BAC7C42FC61B9), UINT64_C(0x3A1C22AC3004A3E2) }, ++ { UINT64_C(0xDE6B0D6E202C7FED), UINT64_C(0xB2457377E7E63052), ++ UINT64_C(0x31725FD43706B3EF), UINT64_C(0xE16A347D2B1AFDBF), ++ UINT64_C(0xBE4850C48C29CF66), UINT64_C(0x8F51CC4D2939F23C) } }, ++ { { UINT64_C(0x169E025B219AE6C1), UINT64_C(0x55FF526F116E1CA1), ++ UINT64_C(0x01B810A3B191F55D), UINT64_C(0x2D98127229588A69), ++ UINT64_C(0x53C9377048B92199), UINT64_C(0x8C7DD84E8A85236F) }, ++ { UINT64_C(0x293D48B6CAACF958), UINT64_C(0x1F084ACB43572B30), ++ UINT64_C(0x628BFA2DFAD91F28), UINT64_C(0x8D627B11829386AF), ++ UINT64_C(0x3EC1DD00D44A77BE), UINT64_C(0x8D3B0D08649AC7F0) } }, ++ { { UINT64_C(0x00A93DAA177513BF), UINT64_C(0x2EF0B96F42AD79E1), ++ UINT64_C(0x81F5AAF1A07129D9), UINT64_C(0xFC04B7EF923F2449), ++ UINT64_C(0x855DA79560CDB1B7), UINT64_C(0xB1EB5DABAD5D61D4) }, ++ { UINT64_C(0xD2CEF1AE353FD028), UINT64_C(0xC21D54399EE94847), ++ UINT64_C(0x9ED552BB0380C1A8), UINT64_C(0xB156FE7A2BAC328F), ++ UINT64_C(0xBB7E01967213C6A4), UINT64_C(0x36002A331701ED5B) } }, ++ { { UINT64_C(0x20B1632ADDC9EF4D), UINT64_C(0x2A35FF4C272D082B), ++ UINT64_C(0x30D39923F6CC9BD3), UINT64_C(0x6D879BC2E65C9D08), ++ UINT64_C(0xCE8274E16FA9983C), UINT64_C(0x652371E80EB7424F) }, ++ { UINT64_C(0x32B77503C5C35282), UINT64_C(0xD7306333C885A931), ++ UINT64_C(0x8A16D71972955AA8), UINT64_C(0x5548F1637D51F882), ++ UINT64_C(0xB311DC66BABA59EF), UINT64_C(0x773D54480DB8F627) } }, ++ { { UINT64_C(0x59B1B1347A62EB3B), UINT64_C(0x0F8CE157CCEEFB34), ++ UINT64_C(0x3FE842A8A798CB2B), UINT64_C(0xD01BC6260BF4161D), ++ UINT64_C(0x55EF6E554D016FDB), UINT64_C(0xCB561503B242B201) }, ++ { UINT64_C(0x076EBC73AF4199C1), UINT64_C(0x39DEDCBB697244F7), ++ UINT64_C(0x9D184733040162BC), UINT64_C(0x902992C17F6B5FA6), ++ UINT64_C(0xAD1DE754BB4952B5), UINT64_C(0x7ACF1B93A121F6C8) } }, ++ { { UINT64_C(0x7A56867C325C9B9A), UINT64_C(0x1A143999F3DC3D6A), ++ UINT64_C(0xCE10959003F5BCB8), UINT64_C(0x034E9035D6EEE5B7), ++ UINT64_C(0x2AFA81C8495DF1BC), UINT64_C(0x5EAB52DC08924D02) }, ++ { UINT64_C(0xEE6AA014AA181904), UINT64_C(0xE62DEF09310AD621), ++ UINT64_C(0x6C9792FCC7538A03), UINT64_C(0xA89D3E883E41D789), ++ UINT64_C(0xD60FA11C9F94AE83), UINT64_C(0x5E16A8C2E0D6234A) } }, ++ { { UINT64_C(0x87EC053DA9242F3B), UINT64_C(0x99544637F0E03545), ++ UINT64_C(0xEA0633FF6B7019E9), UINT64_C(0x8CB8AE0768DDDB5B), ++ UINT64_C(0x892E7C841A811AC7), UINT64_C(0xC7EF19EB73664249) }, ++ { UINT64_C(0xD1B5819ACD1489E3), UINT64_C(0xF9C80FB0DE45D24A), ++ UINT64_C(0x045C21A683BB7491), UINT64_C(0xA65325BE73F7A47D), ++ UINT64_C(0x08D09F0E9C394F0C), UINT64_C(0xE7FB21C6268D4F08) } }, ++ { { UINT64_C(0xC4CCAB956CA95C18), UINT64_C(0x563FFD56BC42E040), ++ UINT64_C(0xFA3C64D8E701C604), UINT64_C(0xC88D4426B0ABAFEE), ++ UINT64_C(0x1A353E5E8542E4C3), UINT64_C(0x9A2D8B7CED726186) }, ++ { UINT64_C(0xD61CE19042D097FA), UINT64_C(0x6A63E280799A748B), ++ UINT64_C(0x0F48D0633225486B), UINT64_C(0x848F8FE142A3C443), ++ UINT64_C(0x2CCDE2508493CEF4), UINT64_C(0x5450A50845E77E7C) } }, ++ { { UINT64_C(0xD0F4E24803112816), UINT64_C(0xFCAD9DDBCCBE9E16), ++ UINT64_C(0x177999BF5AE01EA0), UINT64_C(0xD20C78B9CE832DCE), ++ UINT64_C(0x3CC694FB50C8C646), UINT64_C(0x24D75968C93D4887) }, ++ { UINT64_C(0x9F06366A87BC08AF), UINT64_C(0x59FAB50E7FD0DF2A), ++ UINT64_C(0x5FFCC7F76C4CC234), UINT64_C(0x87198DD765F52D86), ++ UINT64_C(0x5B9C94B0A855DF04), UINT64_C(0xD8BA6C738A067AD7) } }, ++ }, ++ { ++ { { UINT64_C(0x9E9AF3151C4C9D90), UINT64_C(0x8665C5A9D12E0A89), ++ UINT64_C(0x204ABD9258286493), UINT64_C(0x79959889B2E09205), ++ UINT64_C(0x0C727A3DFE56B101), UINT64_C(0xF366244C8B657F26) }, ++ { UINT64_C(0xDE35D954CCA65BE2), UINT64_C(0x52EE1230B0FD41CE), ++ UINT64_C(0xFA03261F36019FEE), UINT64_C(0xAFDA42D966511D8F), ++ UINT64_C(0xF63211DD821148B9), UINT64_C(0x7B56AF7E6F13A3E1) } }, ++ { { UINT64_C(0x47FE47995913E184), UINT64_C(0x5BBE584C82145900), ++ UINT64_C(0xB76CFA8B9A867173), UINT64_C(0x9BC87BF0514BF471), ++ UINT64_C(0x37392DCE71DCF1FC), UINT64_C(0xEC3EFAE03AD1EFA8) }, ++ { UINT64_C(0xBBEA5A3414876451), UINT64_C(0x96E5F5436217090F), ++ UINT64_C(0x5B3D4ECD9B1665A9), UINT64_C(0xE7B0DF26E329DF22), ++ UINT64_C(0x18FB438E0BAA808D), UINT64_C(0x90757EBFDD516FAF) } }, ++ { { UINT64_C(0x1E6F9A95D5A98D68), UINT64_C(0x759EA7DF849DA828), ++ UINT64_C(0x365D56256E8B4198), UINT64_C(0xE1B9C53B7A4A53F9), ++ UINT64_C(0x55DC1D50E32B9B16), UINT64_C(0xA4657EBBBB6D5701) }, ++ { UINT64_C(0x4C270249EACC76E2), UINT64_C(0xBE49EC75162B1CC7), ++ UINT64_C(0x19A95B610689902B), UINT64_C(0xDD5706BFA4CFC5A8), ++ UINT64_C(0xD33BDB7314E5B424), UINT64_C(0x21311BD1E69EBA87) } }, ++ { { UINT64_C(0x75BA2F9B72A21ACC), UINT64_C(0x356688D4A28EDB4C), ++ UINT64_C(0x3C339E0B610D080F), UINT64_C(0x614AC29333A99C2F), ++ UINT64_C(0xA5E23AF2AA580AFF), UINT64_C(0xA6BCB860E1FDBA3A) }, ++ { UINT64_C(0xAA603365B43F9425), UINT64_C(0xAE8D7126F7EE4635), ++ UINT64_C(0xA2B2524456330A32), UINT64_C(0xC396B5BB9E025AA3), ++ UINT64_C(0xABBF77FAF8A0D5CF), UINT64_C(0xB322EE30EA31C83B) } }, ++ { { UINT64_C(0x048813847890E234), UINT64_C(0x387F1159672E70C6), ++ UINT64_C(0x1468A6147B307F75), UINT64_C(0x56335B52ED85EC96), ++ UINT64_C(0xDA1BB60FD45BCAE9), UINT64_C(0x4D94F3F0F9FAEADD) }, ++ { UINT64_C(0x6C6A7183FC78D86B), UINT64_C(0xA425B5C73018DEC6), ++ UINT64_C(0xB1549C332D877399), UINT64_C(0x6C41C50C92B2BC37), ++ UINT64_C(0x3A9F380C83EE0DDB), UINT64_C(0xDED5FEB6C4599E73) } }, ++ { { UINT64_C(0x14D34C210B7F8354), UINT64_C(0x1475A1CD9177CE45), ++ UINT64_C(0x9F5F764A9B926E4B), UINT64_C(0x77260D1E05DD21FE), ++ UINT64_C(0x3C882480C4B937F7), UINT64_C(0xC92DCD39722372F2) }, ++ { UINT64_C(0xF636A1BEEC6F657E), UINT64_C(0xB0E6C3121D30DD35), ++ UINT64_C(0xFE4B0528E4654EFE), UINT64_C(0x1C4A682021D230D2), ++ UINT64_C(0x615D2E4898FA45AB), UINT64_C(0x1F35D6D801FDBABF) } }, ++ { { UINT64_C(0xA636EEB83A7B10D1), UINT64_C(0x4E1AE352F4A29E73), ++ UINT64_C(0x01704F5FE6BB1EC7), UINT64_C(0x75C04F720EF020AE), ++ UINT64_C(0x448D8CEE5A31E6A6), UINT64_C(0xE40A9C29208F994B) }, ++ { UINT64_C(0x69E09A30FD8F9D5D), UINT64_C(0xE6A5F7EB449BAB7E), ++ UINT64_C(0xF25BC18A2AA1768B), UINT64_C(0x9449E4043C841234), ++ UINT64_C(0x7A3BF43E016A7BEF), UINT64_C(0xF25803E82A150B60) } }, ++ { { UINT64_C(0xE44A2A57B215F9E0), UINT64_C(0x38B34DCE19066F0A), ++ UINT64_C(0x8BB91DAD40BB1BFB), UINT64_C(0x64C9F775E67735FC), ++ UINT64_C(0xDE14241788D613CD), UINT64_C(0xC5014FF51901D88D) }, ++ { UINT64_C(0xA250341DF38116B0), UINT64_C(0xF96B9DD49D6CBCB2), ++ UINT64_C(0x15EC6C7276B3FAC2), UINT64_C(0x88F1952F8124C1E9), ++ UINT64_C(0x6B72F8EA975BE4F5), UINT64_C(0x23D288FF061F7530) } }, ++ { { UINT64_C(0xEBFE3E5FAFB96CE3), UINT64_C(0x2275EDFBB1979537), ++ UINT64_C(0xC37AB9E8C97BA741), UINT64_C(0x446E4B1063D7C626), ++ UINT64_C(0xB73E2DCED025EB02), UINT64_C(0x1F952B517669EEA7) }, ++ { UINT64_C(0xABDD00F66069A424), UINT64_C(0x1C0F9D9BDC298BFB), ++ UINT64_C(0x831B1FD3EB757B33), UINT64_C(0xD7DBE18359D60B32), ++ UINT64_C(0x663D1F369EF094B3), UINT64_C(0x1BD5732E67F7F11A) } }, ++ { { UINT64_C(0x3C7FB3F5C75D8892), UINT64_C(0x2CFF9A0CBA68DA69), ++ UINT64_C(0x76455E8B60EC740B), UINT64_C(0x4B8D67FF167B88F0), ++ UINT64_C(0xEDEC0C025A4186B1), UINT64_C(0x127C462DBEBF35AB) }, ++ { UINT64_C(0x9159C67E049430FC), UINT64_C(0x86B21DD2E7747320), ++ UINT64_C(0x0E0E01520CF27B89), UINT64_C(0x705F28F5CD1316B6), ++ UINT64_C(0x76751691BEAEA8A8), UINT64_C(0x4C73E282360C5B69) } }, ++ { { UINT64_C(0x46BCC0D5FD7B3D74), UINT64_C(0x6F13C20E0DC4F410), ++ UINT64_C(0x98A1AF7D72F11CDF), UINT64_C(0x6099FD837928881C), ++ UINT64_C(0x66976356371BB94B), UINT64_C(0x673FBA7219B945AB) }, ++ { UINT64_C(0xE4D8FA6EAED00700), UINT64_C(0xEA2313EC5C71A9F7), ++ UINT64_C(0xF9ED8268F99D4AEA), UINT64_C(0xADD8916442AB59C7), ++ UINT64_C(0xB37EB26F3F3A2D45), UINT64_C(0x0B39BD7AA924841E) } }, ++ { { UINT64_C(0xD811EB32E03CDBBB), UINT64_C(0x12055F1D7CC3610E), ++ UINT64_C(0x6B23A1A0A9046E3F), UINT64_C(0x4D7121229DD4A749), ++ UINT64_C(0xB0C2ACA1B1BF0AC3), UINT64_C(0x71EFF575C1B0432F) }, ++ { UINT64_C(0x6CD814922B44E285), UINT64_C(0x3088BD9CD87E8D20), ++ UINT64_C(0xACE218E5F567E8FA), UINT64_C(0xB3FA0424CF90CBBB), ++ UINT64_C(0xADBDA751770734D3), UINT64_C(0xBCD78BAD5AD6569A) } }, ++ { { UINT64_C(0xCADB31FA7F39641F), UINT64_C(0x3EF3E295825E5562), ++ UINT64_C(0x4893C633F4094C64), UINT64_C(0x52F685F18ADDF432), ++ UINT64_C(0x9FD887AB7FDC9373), UINT64_C(0x47A9ADA0E8680E8B) }, ++ { UINT64_C(0x579313B7F0CD44F6), UINT64_C(0xAC4B8668E188AE2E), ++ UINT64_C(0x648F43698FB145BD), UINT64_C(0xE0460AB374629E31), ++ UINT64_C(0xC25F28758FF2B05F), UINT64_C(0x4720C2B62D31EAEA) } }, ++ { { UINT64_C(0x4603CDF413D48F80), UINT64_C(0x9ADB50E2A49725DA), ++ UINT64_C(0x8CD3305065DF63F0), UINT64_C(0x58D8B3BBCD643003), ++ UINT64_C(0x170A4F4AB739826B), UINT64_C(0x857772B51EAD0E17) }, ++ { UINT64_C(0x01B78152E65320F1), UINT64_C(0xA6B4D845B7503FC0), ++ UINT64_C(0x0F5089B93DD50798), UINT64_C(0x488F200F5690B6BE), ++ UINT64_C(0x220B4ADF9E096F36), UINT64_C(0x474D7C9F8CE5BC7C) } }, ++ { { UINT64_C(0xFED8C058C745F8C9), UINT64_C(0xB683179E291262D1), ++ UINT64_C(0x26ABD367D15EE88C), UINT64_C(0x29E8EED3F60A6249), ++ UINT64_C(0xED6008BB1E02D6E1), UINT64_C(0xD82ECF4CA6B12B8D) }, ++ { UINT64_C(0x9929D021AAE4FA22), UINT64_C(0xBE4DEF14336A1AB3), ++ UINT64_C(0x529B7E098C80A312), UINT64_C(0xB059188DEE0EB0CE), ++ UINT64_C(0x1E42979A16DEAB7F), UINT64_C(0x2411034984EE9477) } }, ++ { { UINT64_C(0xD65246852BE579CC), UINT64_C(0x849316F1C456FDED), ++ UINT64_C(0xC51B7DA42D1B67DA), UINT64_C(0xC25B539E41BC6D6A), ++ UINT64_C(0xE3B7CCA3A9BF8BED), UINT64_C(0x813EF18C045C15E4) }, ++ { UINT64_C(0x5F3789A1697982C4), UINT64_C(0x4C1253698C435566), ++ UINT64_C(0x00A7AE6EDC0A92C6), UINT64_C(0x1ABC929B2F64A053), ++ UINT64_C(0xF4925C4C38666B44), UINT64_C(0xA81044B00F3DE7F6) } }, ++ }, ++ { ++ { { UINT64_C(0xBCC88422C2EC3731), UINT64_C(0x78A3E4D410DC4EC2), ++ UINT64_C(0x745DA1EF2571D6B1), UINT64_C(0xF01C2921739A956E), ++ UINT64_C(0xEFFD8065E4BFFC16), UINT64_C(0x6EFE62A1F36FE72C) }, ++ { UINT64_C(0xF49E90D20F4629A4), UINT64_C(0xADD1DCC78CE646F4), ++ UINT64_C(0xCB78B583B7240D91), UINT64_C(0x2E1A7C3C03F8387F), ++ UINT64_C(0x16566C223200F2D9), UINT64_C(0x2361B14BAAF80A84) } }, ++ { { UINT64_C(0xDB1CFFD2B5733309), UINT64_C(0x24BC250B0F9DD939), ++ UINT64_C(0xA4181E5AA3C1DB85), UINT64_C(0xE5183E51AC55D391), ++ UINT64_C(0x2793D5EFEFD270D0), UINT64_C(0x7D56F63DC0631546) }, ++ { UINT64_C(0xECB40A590C1EE59D), UINT64_C(0xE613A9E4BB5BFA2C), ++ UINT64_C(0xA89B14AB6C5830F9), UINT64_C(0x4DC477DCA03F201E), ++ UINT64_C(0x5604F5DAC88C54F6), UINT64_C(0xD49264DC2ACFC66E) } }, ++ { { UINT64_C(0x283DD7F01C4DFA95), UINT64_C(0xB898CC2C62C0B160), ++ UINT64_C(0xBA08C095870282AA), UINT64_C(0xB02B00D8F4E36324), ++ UINT64_C(0x53AADDC0604CECF2), UINT64_C(0xF1F927D384DDD24E) }, ++ { UINT64_C(0x34BC00A0E2ABC9E1), UINT64_C(0x2DA1227D60289F88), ++ UINT64_C(0x5228EAAACEF68F74), UINT64_C(0x40A790D23C029351), ++ UINT64_C(0xE0E9AF5C8442E3B7), UINT64_C(0xA3214142A9F141E0) } }, ++ { { UINT64_C(0x72F4949EF9A58E3D), UINT64_C(0x738C700BA48660A6), ++ UINT64_C(0x71B04726092A5805), UINT64_C(0xAD5C3C110F5CDB72), ++ UINT64_C(0xD4951F9E554BFC49), UINT64_C(0xEE594EE56131EBE7) }, ++ { UINT64_C(0x37DA59F33C1AF0A9), UINT64_C(0xD7AFC73BCB040A63), ++ UINT64_C(0xD020962A4D89FA65), UINT64_C(0x2610C61E71D824F5), ++ UINT64_C(0x9C917DA73C050E31), UINT64_C(0x3840F92FE6E7EBFB) } }, ++ { { UINT64_C(0x50FBD7FE8D8B8CED), UINT64_C(0xC7282F7547D240AE), ++ UINT64_C(0x79646A471930FF73), UINT64_C(0x2E0BAC4E2F7F5A77), ++ UINT64_C(0x0EE44FA526127E0B), UINT64_C(0x678881B782BC2AA7) }, ++ { UINT64_C(0xB9E5D38467F5F497), UINT64_C(0x8F94A7D4A9B7106B), ++ UINT64_C(0xBF7E0B079D329F68), UINT64_C(0x169B93EA45D192FB), ++ UINT64_C(0xCCAA946720DBE8C0), UINT64_C(0xD4513A50938F9574) } }, ++ { { UINT64_C(0x841C96B4054CB874), UINT64_C(0xD75B1AF1A3C26834), ++ UINT64_C(0x7237169DEE6575F0), UINT64_C(0xD71FC7E50322AADC), ++ UINT64_C(0xD7A23F1E949E3A8E), UINT64_C(0x77E2D102DD31D8C7) }, ++ { UINT64_C(0x5AD69D09D10F5A1F), UINT64_C(0x526C9CB4B99D9A0B), ++ UINT64_C(0x521BB10B972B237D), UINT64_C(0x1E4CD42FA326F342), ++ UINT64_C(0x5BB6DB27F0F126CA), UINT64_C(0x587AF22CA4A515AD) } }, ++ { { UINT64_C(0x1123A531B12E542F), UINT64_C(0x1D01A64DB9EB2811), ++ UINT64_C(0xA4A3515BF2D70F87), UINT64_C(0xFA205234B4BD0270), ++ UINT64_C(0x74B818305EDA26B9), UINT64_C(0x9305D6E656578E75) }, ++ { UINT64_C(0xF38E69DE9F11BE19), UINT64_C(0x1E2A5C2344DBE89F), ++ UINT64_C(0x1077E7BCFD286654), UINT64_C(0xD36698940FCA4741), ++ UINT64_C(0x893BF904278F8497), UINT64_C(0xD6AC5F83EB3E14F4) } }, ++ { { UINT64_C(0x327B9DAB488F5F74), UINT64_C(0x2B44F4B8CAB7364F), ++ UINT64_C(0xB4A6D22D19B6C6BD), UINT64_C(0xA087E613FC77CD3E), ++ UINT64_C(0x4558E327B0B49BC7), UINT64_C(0x188805BECD835D35) }, ++ { UINT64_C(0x592F293CC1DC1007), UINT64_C(0xFAEE660F6AF02B44), ++ UINT64_C(0x5BFBB3BF904035F2), UINT64_C(0xD7C9AE6079C07E70), ++ UINT64_C(0xC5287DD4234896C2), UINT64_C(0xC4CE4523CB0E4121) } }, ++ { { UINT64_C(0x3626B40658344831), UINT64_C(0xABCCE3568E55C984), ++ UINT64_C(0x495CC81C77241602), UINT64_C(0x4FB796766D70DF8F), ++ UINT64_C(0x6354B37C5B071DCA), UINT64_C(0x2CAD80A48C0FC0AD) }, ++ { UINT64_C(0x18AADD51F68739B4), UINT64_C(0x1BFBB17747F09C6C), ++ UINT64_C(0x9355EA19A8FD51C4), UINT64_C(0x3D512A84EE58DB7B), ++ UINT64_C(0x70842AFDE9237640), UINT64_C(0x36F515CAACAF858D) } }, ++ { { UINT64_C(0x3DDEC7C47E768B23), UINT64_C(0x97E13C53036D43ED), ++ UINT64_C(0x871E59253A39AB5F), UINT64_C(0x9AF292DE07E68E2B), ++ UINT64_C(0x411583494A40112E), UINT64_C(0xCDBB46AF3D4D97E6) }, ++ { UINT64_C(0x2F8912933C0EBE40), UINT64_C(0x696C7EEE3EBAD1E5), ++ UINT64_C(0x8A5F3B6933B50D99), UINT64_C(0xB7BC48407ED47DDE), ++ UINT64_C(0x3A6F8E6C1E6706D8), UINT64_C(0x6A1479433D84BB8F) } }, ++ { { UINT64_C(0xEC3A9C78603AE8D1), UINT64_C(0xBFE07E37228C29E5), ++ UINT64_C(0xB0385C5B396DBC2B), UINT64_C(0x7C14FE83DF85F41F), ++ UINT64_C(0xE2E64676ADFD463E), UINT64_C(0x5BEF10AA8BF9F23D) }, ++ { UINT64_C(0xFA83EA0DF6BAB6DA), UINT64_C(0xCD0C8BA5966BF7E3), ++ UINT64_C(0xD62216B498501C2E), UINT64_C(0xB7F298A4C3E69F2D), ++ UINT64_C(0x42CEF13B9C8740F4), UINT64_C(0xBB317E520DD64307) } }, ++ { { UINT64_C(0x22B6245C3FFEE775), UINT64_C(0x5C3F60BEB37CE7AA), ++ UINT64_C(0xDE195D40E1FEC0DF), UINT64_C(0x3BFAFBC5A0A82074), ++ UINT64_C(0xC36EC86AC72CA86A), UINT64_C(0x5606285113FD43EA) }, ++ { UINT64_C(0x8686BE808E0B03A4), UINT64_C(0xC3BD1F93D540D440), ++ UINT64_C(0x13E4EBC0BF96CEC5), UINT64_C(0xE8E239849190C844), ++ UINT64_C(0x183593A600844802), UINT64_C(0x467168794D206878) } }, ++ { { UINT64_C(0x358F394DB6F63D19), UINT64_C(0xA75D48496B052194), ++ UINT64_C(0x584035905C8D7975), UINT64_C(0x86DC9B6B6CBFBD77), ++ UINT64_C(0x2DB04D77647A51E5), UINT64_C(0x5E9A5B02F8950D88) }, ++ { UINT64_C(0xCE69A7E5017168B0), UINT64_C(0x94630FACC4843AD3), ++ UINT64_C(0xB3B9D7361EFC44FF), UINT64_C(0xE729E9B6B14D7F93), ++ UINT64_C(0xA071FC60E0ED0ABC), UINT64_C(0xFC1A99718C8D9B83) } }, ++ { { UINT64_C(0x49686031D138E975), UINT64_C(0x648640385A8EF0D1), ++ UINT64_C(0x32679713E7F7DE49), UINT64_C(0x5913234929D1CD1D), ++ UINT64_C(0x849AA23A20BE9ED2), UINT64_C(0x15D303E1284B3F33) }, ++ { UINT64_C(0x37309475B63F9FE9), UINT64_C(0x327BAC8B45B7256A), ++ UINT64_C(0x291CD227D17FC5D3), UINT64_C(0x8291D8CDA973EDF1), ++ UINT64_C(0xF3843562437ABA09), UINT64_C(0x33FFB704271D0785) } }, ++ { { UINT64_C(0x5248D6E447E11E5E), UINT64_C(0x0F66FC3C269C7ED3), ++ UINT64_C(0x18C0D2B9903E346E), UINT64_C(0xD81D9D974BEAE1B8), ++ UINT64_C(0x610326B0FC30FDF3), UINT64_C(0x2B13687019A7DFCD) }, ++ { UINT64_C(0xEC75F70AB9527676), UINT64_C(0x90829F5129A3D897), ++ UINT64_C(0x92FE180997980302), UINT64_C(0xA3F2498E68474991), ++ UINT64_C(0x6A66307B0F22BBAD), UINT64_C(0x32014B9120378557) } }, ++ { { UINT64_C(0x72CD7D553CD98610), UINT64_C(0xC3D560B074504ADF), ++ UINT64_C(0x23F0A982CEBB5D5D), UINT64_C(0x1431C15BB839DDB8), ++ UINT64_C(0x7E207CD8CEB72207), UINT64_C(0x28E0A848E7EFB28D) }, ++ { UINT64_C(0xD22561FE1BD96F6E), UINT64_C(0x04812C1862A8236B), ++ UINT64_C(0xA0BF2334975491FA), UINT64_C(0x294F42A6435DF87F), ++ UINT64_C(0x2772B783A5D6F4F6), UINT64_C(0x348F92ED2724F853) } }, ++ }, ++ { ++ { { UINT64_C(0xC20FB9111A42E5E7), UINT64_C(0x075A678B81D12863), ++ UINT64_C(0x12BCBC6A5CC0AA89), UINT64_C(0x5279C6AB4FB9F01E), ++ UINT64_C(0xBC8E178911AE1B89), UINT64_C(0xAE74A706C290003C) }, ++ { UINT64_C(0x9949D6EC79DF3F45), UINT64_C(0xBA18E26296C8D37F), ++ UINT64_C(0x68DE6EE2DD2275BF), UINT64_C(0xA9E4FFF8C419F1D5), ++ UINT64_C(0xBC759CA4A52B5A40), UINT64_C(0xFF18CBD863B0996D) } }, ++ { { UINT64_C(0x73C57FDED7DD47E5), UINT64_C(0xB0FE5479D49A7F5D), ++ UINT64_C(0xD25C71F1CFB9821E), UINT64_C(0x9427E209CF6A1D68), ++ UINT64_C(0xBF3C3916ACD24E64), UINT64_C(0x7E9F5583BDA7B8B5) }, ++ { UINT64_C(0xE7C5F7C8CF971E11), UINT64_C(0xEC16D5D73C7F035E), ++ UINT64_C(0x818DC472E66B277C), UINT64_C(0x4413FD47B2816F1E), ++ UINT64_C(0x40F262AF48383C6D), UINT64_C(0xFB0575844F190537) } }, ++ { { UINT64_C(0x487EDC0708962F6B), UINT64_C(0x6002F1E7190A7E55), ++ UINT64_C(0x7FC62BEA10FDBA0C), UINT64_C(0xC836BBC52C3DBF33), ++ UINT64_C(0x4FDFB5C34F7D2A46), UINT64_C(0x824654DEDCA0DF71) }, ++ { UINT64_C(0x30A076760C23902B), UINT64_C(0x7F1EBB9377FBBF37), ++ UINT64_C(0xD307D49DFACC13DB), UINT64_C(0x148D673AAE1A261A), ++ UINT64_C(0xE008F95B52D98650), UINT64_C(0xC76144409F558FDE) } }, ++ { { UINT64_C(0x17CD6AF69CB16650), UINT64_C(0x86CC27C169F4EEBE), ++ UINT64_C(0x7E495B1D78822432), UINT64_C(0xFED338E31B974525), ++ UINT64_C(0x527743D386F3CE21), UINT64_C(0x87948AD3B515C896) }, ++ { UINT64_C(0x9FDE7039B17F2FB8), UINT64_C(0xA2FA9A5FD9B89D96), ++ UINT64_C(0x5D46600B36FF74DC), UINT64_C(0x8EA74B048302C3C9), ++ UINT64_C(0xD560F570F744B5EB), UINT64_C(0xC921023BFE762402) } }, ++ { { UINT64_C(0xA35AB657FFF4C8ED), UINT64_C(0x017C61248A5FABD7), ++ UINT64_C(0x5646302509ACDA28), UINT64_C(0x6038D36114CF238A), ++ UINT64_C(0x1428B1B6AF1B9F07), UINT64_C(0x5827FF447482E95C) }, ++ { UINT64_C(0xCB997E18780FF362), UINT64_C(0x2B89D702E0BCAC1E), ++ UINT64_C(0xC632A0B5A837DDC8), UINT64_C(0xF3EFCF1F59762647), ++ UINT64_C(0xE9BA309A38B0D60A), UINT64_C(0x05DEABDD20B5FB37) } }, ++ { { UINT64_C(0xD44E5DBACB8AF047), UINT64_C(0x15400CB4943CFE82), ++ UINT64_C(0xDBD695759DF88B67), UINT64_C(0x8299DB2BB2405A7D), ++ UINT64_C(0x46E3BF770B1D80CD), UINT64_C(0xC50CF66CE82BA3D9) }, ++ { UINT64_C(0xB2910A07F2F747A9), UINT64_C(0xF6B669DB5ADC89C1), ++ UINT64_C(0x3B5EF1A09052B081), UINT64_C(0x0F5D5ED3B594ACE2), ++ UINT64_C(0xDA30B8D5D5F01320), UINT64_C(0x0D688C5EAAFCD58F) } }, ++ { { UINT64_C(0x5EEE3A312A161074), UINT64_C(0x6BAAAE56EFE2BE37), ++ UINT64_C(0xF9787F61E3D78698), UINT64_C(0xC6836B2650630A30), ++ UINT64_C(0x7445B85D1445DEF1), UINT64_C(0xD72016A2D568A6A5) }, ++ { UINT64_C(0x9DD6F533E355614F), UINT64_C(0x637E7E5F91E04588), ++ UINT64_C(0x42E142F3B9FB1391), UINT64_C(0x0D07C05C41AFE5DA), ++ UINT64_C(0xD7CD25C81394EDF1), UINT64_C(0xEBE6A0FCB99288EE) } }, ++ { { UINT64_C(0xB8E63B7BBABBAD86), UINT64_C(0x63226A9F90D66766), ++ UINT64_C(0x263818365CF26666), UINT64_C(0xCCBD142D4CADD0BF), ++ UINT64_C(0xA070965E9AC29470), UINT64_C(0x6BDCA26025FF23ED) }, ++ { UINT64_C(0xD4E00FD487DCA7B3), UINT64_C(0xA50978339E0E8734), ++ UINT64_C(0xF73F162E048173A4), UINT64_C(0xD23F91969C3C2FA2), ++ UINT64_C(0x9AB98B45E4AC397A), UINT64_C(0x2BAA0300543F2D4B) } }, ++ { { UINT64_C(0xBBBE15E7C658C445), UINT64_C(0xB8CBCB20C28941D1), ++ UINT64_C(0x65549BE2027D6540), UINT64_C(0xEBBCA8021E8EF4F4), ++ UINT64_C(0x18214B4BD2ACA397), UINT64_C(0xCBEC7DE2E31784A3) }, ++ { UINT64_C(0x96F0533F0116FDF3), UINT64_C(0x68911C905C8F5EE1), ++ UINT64_C(0x7DE9A3AED568603A), UINT64_C(0x3F56C52C6A3AD7B7), ++ UINT64_C(0x5BE9AFCA670B4D0E), UINT64_C(0x628BFEEE375DFE2F) } }, ++ { { UINT64_C(0x97DAE81BDD4ADDB3), UINT64_C(0x12D2CF4E8704761B), ++ UINT64_C(0x5E820B403247788D), UINT64_C(0x82234B620051CA80), ++ UINT64_C(0x0C62704D6CB5EA74), UINT64_C(0xDE56042023941593) }, ++ { UINT64_C(0xB3912A3CF1B04145), UINT64_C(0xE3967CD7AF93688D), ++ UINT64_C(0x2E2DCD2F58DABB4B), UINT64_C(0x6564836F0E303911), ++ UINT64_C(0x1F10F19BECE07C5C), UINT64_C(0xB47F07EED8919126) } }, ++ { { UINT64_C(0xE3545085E9A2EEC9), UINT64_C(0x81866A972C8E51FE), ++ UINT64_C(0xD2BA7DB550027243), UINT64_C(0x29DAEAB54AE87DE4), ++ UINT64_C(0x5EF3D4B8684F9497), UINT64_C(0xE2DACE3B9D5D6873) }, ++ { UINT64_C(0xF012C951FFD29C9C), UINT64_C(0x48289445ADBADA14), ++ UINT64_C(0x8751F50D89558C49), UINT64_C(0x75511A4F99E35BEE), ++ UINT64_C(0xEF802D6E7D59AA5F), UINT64_C(0x14FCAD65A2A795E2) } }, ++ { { UINT64_C(0xC8EB00E808CB8F2C), UINT64_C(0x686075322B45BD86), ++ UINT64_C(0x7A29B45959969713), UINT64_C(0x5FA15B9BD684201B), ++ UINT64_C(0x1A853190B9E538EE), UINT64_C(0x4150605CD573D043) }, ++ { UINT64_C(0xEF011D3BEB9FBB68), UINT64_C(0x6727998266AE32B6), ++ UINT64_C(0x861B86EA445DE5EC), UINT64_C(0x62837D18A34A50E1), ++ UINT64_C(0x228C006ABF5F0663), UINT64_C(0xE007FDE7396DB36A) } }, ++ { { UINT64_C(0xDEE4F8815A916A55), UINT64_C(0x20DC0370F39C82CB), ++ UINT64_C(0xD9A7161540F09821), UINT64_C(0xD50AD8BFF7273492), ++ UINT64_C(0xA06F7D1232E7C4BF), UINT64_C(0xFA0F61544C5CEA36) }, ++ { UINT64_C(0xF4FD9BED5FC49CFE), UINT64_C(0xD8CB45D1C9291678), ++ UINT64_C(0x94DB86CC7B92C9F2), UINT64_C(0x09CA5F3873C81169), ++ UINT64_C(0x109F40B0AEED06F0), UINT64_C(0x9F0360B214DCAA0A) } }, ++ { { UINT64_C(0x4189B70DE12AD3E7), UINT64_C(0x5208ADB210B06607), ++ UINT64_C(0xEBD8E2A2EE8497FA), UINT64_C(0x61B1BD67E04F2ECB), ++ UINT64_C(0x0E2DDA724F3F5F99), UINT64_C(0xD5D96740F747B16D) }, ++ { UINT64_C(0x308A48F6A6BF397F), UINT64_C(0x7021C3E523A93595), ++ UINT64_C(0xF10B022936470AA0), UINT64_C(0x7761E8EC4E03295B), ++ UINT64_C(0x16EFEF5807339770), UINT64_C(0x0D55D2DD5DA5DAA2) } }, ++ { { UINT64_C(0x915EA6A38A22F87A), UINT64_C(0x191151C12E5A088E), ++ UINT64_C(0x190252F17F1D5CBE), UINT64_C(0xE43F59C33B0EC99B), ++ UINT64_C(0xBE8588D4FF2A6135), UINT64_C(0x103877CC2ECB4B9F) }, ++ { UINT64_C(0x8F4147E5023CF92B), UINT64_C(0xC24384CC0CC2085B), ++ UINT64_C(0x6A2DB4A2D082D311), UINT64_C(0x06283811ED7BA9AE), ++ UINT64_C(0xE9A3F5322A8E1592), UINT64_C(0xAC20F0F45A59E894) } }, ++ { { UINT64_C(0x788CAA5274AAB4B1), UINT64_C(0xEB84ABA12FEAFC7E), ++ UINT64_C(0x31DA71DAAC04FF77), UINT64_C(0x39D12EB924E4D0BF), ++ UINT64_C(0x4F2F292F87A34EF8), UINT64_C(0x9B324372A237A8ED) }, ++ { UINT64_C(0xBB2D04B12EE3A82D), UINT64_C(0xED4FF367D18D36B2), ++ UINT64_C(0x99D231EEA6EA0138), UINT64_C(0x7C2D4F064F92E04A), ++ UINT64_C(0x78A82AB2CA272FD0), UINT64_C(0x7EC41340AB8CDC32) } }, ++ }, ++ { ++ { { UINT64_C(0xD23658C8D2E15A8C), UINT64_C(0x23F93DF716BA28CA), ++ UINT64_C(0x6DAB10EC082210F1), UINT64_C(0xFB1ADD91BFC36490), ++ UINT64_C(0xEDA8B02F9A4F2D14), UINT64_C(0x9060318C56560443) }, ++ { UINT64_C(0x6C01479E64711AB2), UINT64_C(0x41446FC7E337EB85), ++ UINT64_C(0x4DCF3C1D71888397), UINT64_C(0x87A9C04E13C34FD2), ++ UINT64_C(0xFE0E08EC510C15AC), UINT64_C(0xFC0D0413C0F495D2) } }, ++ { { UINT64_C(0xEB05C516156636C2), UINT64_C(0x2F613ABA090E93FC), ++ UINT64_C(0xCFD573CD489576F5), UINT64_C(0xE6535380535A8D57), ++ UINT64_C(0x13947314671436C4), UINT64_C(0x1172FB0C5F0A122D) }, ++ { UINT64_C(0xAECC7EC1C12F58F6), UINT64_C(0xFE42F9578E41AFD2), ++ UINT64_C(0xDF96F6523D4221AA), UINT64_C(0xFEF5649F2851996B), ++ UINT64_C(0x46FB9F26D5CFB67E), UINT64_C(0xB047BFC7EF5C4052) } }, ++ { { UINT64_C(0x5CBDC442F4484374), UINT64_C(0x6B156957F92452EF), ++ UINT64_C(0x58A26886C118D02A), UINT64_C(0x87FF74E675AAF276), ++ UINT64_C(0xB133BE95F65F6EC1), UINT64_C(0xA89B62844B1B8D32) }, ++ { UINT64_C(0xDD8A8EF309C81004), UINT64_C(0x7F8225DB0CF21991), ++ UINT64_C(0xD525A6DB26623FAF), UINT64_C(0xF2368D40BAE15453), ++ UINT64_C(0x55D6A84D84F89FC9), UINT64_C(0xAF38358A86021A3E) } }, ++ { { UINT64_C(0xBD048BDCFF52E280), UINT64_C(0x8A51D0B2526A1795), ++ UINT64_C(0x40AAA758A985AC0F), UINT64_C(0x6039BCDCF2C7ACE9), ++ UINT64_C(0x712092CC6AEC347D), UINT64_C(0x7976D0906B5ACAB7) }, ++ { UINT64_C(0x1EBCF80D6EED9617), UINT64_C(0xB3A63149B0F404A4), ++ UINT64_C(0x3FDD3D1AD0B610EF), UINT64_C(0xDD3F6F9498C28AC7), ++ UINT64_C(0x650B77943A59750F), UINT64_C(0xEC59BAB12D3991AC) } }, ++ { { UINT64_C(0x01F40E882E552766), UINT64_C(0x1FE3D50966F5354F), ++ UINT64_C(0x0E46D006B3A8EA7F), UINT64_C(0xF75AB629F831CD6A), ++ UINT64_C(0xDAD808D791465119), UINT64_C(0x442405AF17EF9B10) }, ++ { UINT64_C(0xD5FE0A96672BDFCB), UINT64_C(0xA9DFA422355DBDEC), ++ UINT64_C(0xFDB79AA179B25636), UINT64_C(0xE7F26FFDEECE8AEC), ++ UINT64_C(0xB59255507EDD5AA2), UINT64_C(0x2C8F6FF08EB3A6C2) } }, ++ { { UINT64_C(0x88887756757D6136), UINT64_C(0xAD9AC18388B92E72), ++ UINT64_C(0x92CB2FC48785D3EB), UINT64_C(0xD1A542FE9319764B), ++ UINT64_C(0xAF4CC78F626A62F8), UINT64_C(0x7F3F5FC926BFFAAE) }, ++ { UINT64_C(0x0A203D4340AE2231), UINT64_C(0xA8BFD9E0387898E8), ++ UINT64_C(0x1A0C379C474B7DDD), UINT64_C(0x03855E0A34FD49EA), ++ UINT64_C(0x02B26223B3EF4AE1), UINT64_C(0x804BD8CFE399E0A3) } }, ++ { { UINT64_C(0x11A9F3D0DE865713), UINT64_C(0x81E36B6BBDE98821), ++ UINT64_C(0x324996C86AA891D0), UINT64_C(0x7B95BDC1395682B5), ++ UINT64_C(0x47BF2219C1600563), UINT64_C(0x7A473F50643E38B4) }, ++ { UINT64_C(0x0911F50AF5738288), UINT64_C(0xDF947A706F9C415B), ++ UINT64_C(0xBDB994F267A067F6), UINT64_C(0x3F4BEC1B88BE96CD), ++ UINT64_C(0x9820E931E56DD6D9), UINT64_C(0xB138F14F0A80F419) } }, ++ { { UINT64_C(0xA11A1A8F0429077A), UINT64_C(0x2BB1E33D10351C68), ++ UINT64_C(0x3C25ABFE89459A27), UINT64_C(0x2D0091B86B8AC774), ++ UINT64_C(0xDAFC78533B2415D9), UINT64_C(0xDE713CF19201680D) }, ++ { UINT64_C(0x8E5F445D68889D57), UINT64_C(0x608B209C60EABF5B), ++ UINT64_C(0x10EC0ACCF9CFA408), UINT64_C(0xD5256B9D4D1EE754), ++ UINT64_C(0xFF866BAB0AA6C18D), UINT64_C(0x9D196DB8ACB90A45) } }, ++ { { UINT64_C(0xA46D76A9B9B081B2), UINT64_C(0xFC743A1062163C25), ++ UINT64_C(0xCD2A5C8D7761C392), UINT64_C(0x39BDDE0BBE808583), ++ UINT64_C(0x7C416021B98E4DFE), UINT64_C(0xF930E56365913A44) }, ++ { UINT64_C(0xC3555F7E7585CF3C), UINT64_C(0xC737E3833D6333D5), ++ UINT64_C(0x5B60DBA4B430B03D), UINT64_C(0x42B715EBE7555404), ++ UINT64_C(0x571BDF5B7C7796E3), UINT64_C(0x33DC62C66DB6331F) } }, ++ { { UINT64_C(0x3FB9CCB0E61DEE59), UINT64_C(0xC5185F2318B14DB9), ++ UINT64_C(0x1B2ADC4F845EF36C), UINT64_C(0x195D5B505C1A33AB), ++ UINT64_C(0x8CEA528E421F59D2), UINT64_C(0x7DFCCECFD2931CEA) }, ++ { UINT64_C(0x51FFA1D58CF7E3F7), UINT64_C(0xF01B7886BDC9FB43), ++ UINT64_C(0xD65AB610261A0D35), UINT64_C(0x84BCBAFD7574A554), ++ UINT64_C(0x4B119956FAD70208), UINT64_C(0xDDC329C24FAB5243) } }, ++ { { UINT64_C(0x1A08AA579CE92177), UINT64_C(0x3395E557DC2B5C36), ++ UINT64_C(0xFDFE7041394ED04E), UINT64_C(0xB797EB24C6DFCDDE), ++ UINT64_C(0x284A6B2ACB9DE5D6), UINT64_C(0xE0BD95C807222765) }, ++ { UINT64_C(0x114A951B9FE678A7), UINT64_C(0xE7ECD0BD9E4954EC), ++ UINT64_C(0x7D4096FE79F0B8A9), UINT64_C(0xBDB26E9A09724FE2), ++ UINT64_C(0x08741AD8F787AF95), UINT64_C(0x2BF9727224045AD8) } }, ++ { { UINT64_C(0xAB1FEDD9A9451D57), UINT64_C(0xDF4D91DF483E38C9), ++ UINT64_C(0x2D54D31124E9CF8E), UINT64_C(0x9C2A5AF87A22EEB6), ++ UINT64_C(0xBD9861EF0A43F123), UINT64_C(0x581EA6A238A18B7B) }, ++ { UINT64_C(0xAF339C85296470A3), UINT64_C(0xF9603FCDAFD8203E), ++ UINT64_C(0x95D0535096763C28), UINT64_C(0x15445C16860EC831), ++ UINT64_C(0x2AFB87286867A323), UINT64_C(0x4B152D6D0C4838BF) } }, ++ { { UINT64_C(0x45BA0E4F837CACBA), UINT64_C(0x7ADB38AEC0725275), ++ UINT64_C(0x19C82831942D3C28), UINT64_C(0x94F4731D6D0FE7DD), ++ UINT64_C(0xC3C07E134898F1E6), UINT64_C(0x76350EACED410B51) }, ++ { UINT64_C(0x0FA8BECAF99AACFC), UINT64_C(0x2834D86F65FAF9CF), ++ UINT64_C(0x8E62846A6F3866AF), UINT64_C(0xDAA9BD4F3DFD6A2B), ++ UINT64_C(0xC27115BBA6132655), UINT64_C(0x83972DF7BD5A32C2) } }, ++ { { UINT64_C(0xA330CB5BD513B825), UINT64_C(0xAE18B2D3EE37BEC3), ++ UINT64_C(0xFC3AB80AF780A902), UINT64_C(0xD7835BE2D607DDF1), ++ UINT64_C(0x8120F7675B6E4C2B), UINT64_C(0xAA8C385967E78CCB) }, ++ { UINT64_C(0xA8DA8CE2AA0ED321), UINT64_C(0xCB8846FDD766341A), ++ UINT64_C(0xF2A342EE33DC9D9A), UINT64_C(0xA519E0BED0A18A80), ++ UINT64_C(0x9CDAA39CAF48DF4C), UINT64_C(0xA4B500CA7E0C19EE) } }, ++ { { UINT64_C(0x83A7FD2F8217001B), UINT64_C(0x4F6FCF064296A8BA), ++ UINT64_C(0x7D74864391619927), UINT64_C(0x174C1075941E4D41), ++ UINT64_C(0x037EDEBDA64F5A6C), UINT64_C(0xCF64DB3A6E29DC56) }, ++ { UINT64_C(0x150B3ACE37C0B9F4), UINT64_C(0x1323234A7168178B), ++ UINT64_C(0x1CE47014EF4D1879), UINT64_C(0xA22E374217FB4D5C), ++ UINT64_C(0x69B81822D985F794), UINT64_C(0x199C21C4081D7214) } }, ++ { { UINT64_C(0x160BC7A18F04B4D2), UINT64_C(0x79CA81DDB10DE174), ++ UINT64_C(0xE2A280B02DA1E9C7), UINT64_C(0xB4F6BD991D6A0A29), ++ UINT64_C(0x57CF3EDD1C5B8F27), UINT64_C(0x7E34FC57158C2FD4) }, ++ { UINT64_C(0x828CFD89CAC93459), UINT64_C(0x9E631B6FB7AF499F), ++ UINT64_C(0xF4DC8BC0DA26C135), UINT64_C(0x6128ED3937186735), ++ UINT64_C(0xBB45538B67BF0BA5), UINT64_C(0x1ADDD4C10064A3AB) } }, ++ }, ++ { ++ { { UINT64_C(0xC32730E8DD14D47E), UINT64_C(0xCDC1FD42C0F01E0F), ++ UINT64_C(0x2BACFDBF3F5CD846), UINT64_C(0x45F364167272D4DD), ++ UINT64_C(0xDD813A795EB75776), UINT64_C(0xB57885E450997BE2) }, ++ { UINT64_C(0xDA054E2BDB8C9829), UINT64_C(0x4161D820AAB5A594), ++ UINT64_C(0x4C428F31026116A3), UINT64_C(0x372AF9A0DCD85E91), ++ UINT64_C(0xFDA6E903673ADC2D), UINT64_C(0x4526B8ACA8DB59E6) } }, ++ { { UINT64_C(0x68FE359DE23A8472), UINT64_C(0x43EB12BD4CE3C101), ++ UINT64_C(0x0EC652C3FC704935), UINT64_C(0x1EEFF1F952E4E22D), ++ UINT64_C(0xBA6777CB083E3ADA), UINT64_C(0xAB52D7DC8BEFC871) }, ++ { UINT64_C(0x4EDE689F497CBD59), UINT64_C(0xC8AE42B927577DD9), ++ UINT64_C(0xE0F080517AB83C27), UINT64_C(0x1F3D5F252C8C1F48), ++ UINT64_C(0x57991607AF241AAC), UINT64_C(0xC4458B0AB8A337E0) } }, ++ { { UINT64_C(0x3DBB3FA651DD1BA9), UINT64_C(0xE53C1C4D545E960B), ++ UINT64_C(0x35AC6574793CE803), UINT64_C(0xB2697DC783DBCE4F), ++ UINT64_C(0xE35C5BF2E13CF6B0), UINT64_C(0x35034280B0C4A164) }, ++ { UINT64_C(0xAA490908D9C0D3C1), UINT64_C(0x2CCE614DCB4D2E90), ++ UINT64_C(0xF646E96C54D504E4), UINT64_C(0xD74E7541B73310A3), ++ UINT64_C(0xEAD7159618BDE5DA), UINT64_C(0x96E7F4A8AA09AEF7) } }, ++ { { UINT64_C(0xA8393A245D6E5F48), UINT64_C(0x2C8D7EA2F9175CE8), ++ UINT64_C(0xD8824E0255A20268), UINT64_C(0x9DD9A272A446BCC6), ++ UINT64_C(0xC929CDED5351499B), UINT64_C(0xEA5AD9ECCFE76535) }, ++ { UINT64_C(0x26F3D7D9DC32D001), UINT64_C(0x51C3BE8343EB9689), ++ UINT64_C(0x91FDCC06759E6DDB), UINT64_C(0xAC2E1904E302B891), ++ UINT64_C(0xAD25C645C207E1F7), UINT64_C(0x28A70F0DAB3DEB4A) } }, ++ { { UINT64_C(0x922D7F9703BEA8F1), UINT64_C(0x3AD820D4584570BE), ++ UINT64_C(0x0CE0A8503CD46B43), UINT64_C(0x4C07911FAE66743D), ++ UINT64_C(0x66519EB9FDA60023), UINT64_C(0x7F83004BEC2ACD9C) }, ++ { UINT64_C(0x001E0B80C3117EAD), UINT64_C(0xBB72D5410722BA25), ++ UINT64_C(0x3AF7DB966E9A5078), UINT64_C(0x86C5774E701B6B4C), ++ UINT64_C(0xBD2C0E8E37824DB5), UINT64_C(0x3AE3028CBFAC286D) } }, ++ { { UINT64_C(0x83D4D4A8A33E071B), UINT64_C(0x881C0A9261444BB5), ++ UINT64_C(0xEEA1E292520E3BC3), UINT64_C(0x5A5F4C3C2AAAB729), ++ UINT64_C(0x0B766C5EE63C7C94), UINT64_C(0x62BB8A9FBB2CC79C) }, ++ { UINT64_C(0x97ADC7D2AA5DC49D), UINT64_C(0x30CC26B331718681), ++ UINT64_C(0xAC86E6FF56E86EDE), UINT64_C(0x37BCA7A2CD52F7F2), ++ UINT64_C(0x734D2C949CE6D87F), UINT64_C(0x06A71D71C2F7E0CA) } }, ++ { { UINT64_C(0x559DCF75C6357D33), UINT64_C(0x4616D940652517DE), ++ UINT64_C(0x3D576B981CCF207B), UINT64_C(0x51E2D1EF1979F631), ++ UINT64_C(0x57517DDD06AE8296), UINT64_C(0x309A3D7FD6E7151F) }, ++ { UINT64_C(0xBA2A23E60E3A6FE5), UINT64_C(0x76CF674AD28B22C3), ++ UINT64_C(0xD235AD07F8B808C3), UINT64_C(0x7BBF4C586B71213A), ++ UINT64_C(0x0676792E93271EBB), UINT64_C(0x2CFD2C7605B1FC31) } }, ++ { { UINT64_C(0x4258E5C037A450F5), UINT64_C(0xC3245F1B52D2B118), ++ UINT64_C(0x6DF7B48482BC5963), UINT64_C(0xE520DA4D9C273D1E), ++ UINT64_C(0xED78E0122C3010E5), UINT64_C(0x112229483C1D4C05) }, ++ { UINT64_C(0xE3DAE5AFC692B490), UINT64_C(0x3272BD10C197F793), ++ UINT64_C(0xF7EAE411E709ACAA), UINT64_C(0x00B0C95F778270A6), ++ UINT64_C(0x4DA76EE1220D4350), UINT64_C(0x521E1461AB71E308) } }, ++ { { UINT64_C(0x7B654323343196A3), UINT64_C(0x35D442ADB0C95250), ++ UINT64_C(0x38AF50E6E264FF17), UINT64_C(0x28397A412030D2EA), ++ UINT64_C(0x8F1D84E9F74EEDA1), UINT64_C(0xD521F92DE6FB3C52) }, ++ { UINT64_C(0xAF358D7795733811), UINT64_C(0xEBFDDD0193ABFE94), ++ UINT64_C(0x05D8A028D18D99DE), UINT64_C(0x5A664019B5D5BDD9), ++ UINT64_C(0x3DF172822AA12FE8), UINT64_C(0xB42E006FB889A28E) } }, ++ { { UINT64_C(0xCF10E97DBC35CB1A), UINT64_C(0xC70A7BBD994DEDC5), ++ UINT64_C(0x76A5327C37D04FB9), UINT64_C(0x87539F76A76E0CDA), ++ UINT64_C(0xE9FE493FCD60A6B1), UINT64_C(0xA4574796132F01C0) }, ++ { UINT64_C(0xC43B85EBDB70B167), UINT64_C(0x81D5039A98551DFA), ++ UINT64_C(0x6B56FBE91D979FA4), UINT64_C(0x49714FD78615098F), ++ UINT64_C(0xB10E1CEA94DECAB5), UINT64_C(0x8342EBA3480EF6E3) } }, ++ { { UINT64_C(0xE1E030B0B3677288), UINT64_C(0x2978174C8D5CE3AF), ++ UINT64_C(0xAFC0271CF7B2DE98), UINT64_C(0x745BC6F3B99C20B5), ++ UINT64_C(0x9F6EDCED1E3BB4E5), UINT64_C(0x58D3EE4E73C8C1FC) }, ++ { UINT64_C(0x1F3535F47FD30124), UINT64_C(0xF366AC705FA62502), ++ UINT64_C(0x4C4C1FDD965363FE), UINT64_C(0x8B2C77771DE2CA2B), ++ UINT64_C(0x0CB54743882F1173), UINT64_C(0x94B6B8C071343331) } }, ++ { { UINT64_C(0x75AF014165B8B35B), UINT64_C(0x6D7B84854670A1F5), ++ UINT64_C(0x6EAA3A47A3B6D376), UINT64_C(0xD7E673D2CB3E5B66), ++ UINT64_C(0xC0338E6C9589AB38), UINT64_C(0x4BE26CB309440FAA) }, ++ { UINT64_C(0x82CB05E7394F9AA3), UINT64_C(0xC45C8A8A7F7792EA), ++ UINT64_C(0x37E5E33BB687DC70), UINT64_C(0x63853219DFE48E49), ++ UINT64_C(0x087951C16D0E5C8C), UINT64_C(0x7696A8C72BC27310) } }, ++ { { UINT64_C(0xA05736D5B67E834A), UINT64_C(0xDD2AA0F29098D42A), ++ UINT64_C(0x09F0C1D849C69DDC), UINT64_C(0x81F8BC1C8FF0F0F3), ++ UINT64_C(0x36FD3A4F03037775), UINT64_C(0x8286717D4B06DF5C) }, ++ { UINT64_C(0xB878F496A9079EA2), UINT64_C(0xA5642426D7DC796D), ++ UINT64_C(0x29B9351A67FDAC2B), UINT64_C(0x93774C0E1D543CDE), ++ UINT64_C(0x4F8793BA1A8E31C4), UINT64_C(0x7C9F3F3A6C94798A) } }, ++ { { UINT64_C(0x23C5AD11CB8ECDB8), UINT64_C(0x1E88D25E485A6A02), ++ UINT64_C(0xB27CBE84F1E268AE), UINT64_C(0xDDA80238F4CD0475), ++ UINT64_C(0x4F88857B49F8EB1B), UINT64_C(0x91B1221F52FB07F9) }, ++ { UINT64_C(0x7CE974608637FA67), UINT64_C(0x528B3CF4632198D8), ++ UINT64_C(0x33365AB3F6623769), UINT64_C(0x6FEBCFFF3A83A30F), ++ UINT64_C(0x398F4C999BD341EB), UINT64_C(0x180712BBB33A333C) } }, ++ { { UINT64_C(0x2B8655A2D93429E7), UINT64_C(0x99D600BB75C8B9EE), ++ UINT64_C(0x9FC1AF8B88FCA6CD), UINT64_C(0x2FB533867C311F80), ++ UINT64_C(0x20743ECBE8A71EEE), UINT64_C(0xEC3713C4E848B49E) }, ++ { UINT64_C(0x5B2037B5BB886817), UINT64_C(0x40EF5AC2307DBAF4), ++ UINT64_C(0xC2888AF21B3F643D), UINT64_C(0x0D8252E19D5A4190), ++ UINT64_C(0x06CC0BEC2DB52A8A), UINT64_C(0xB84B98EAAB94E969) } }, ++ { { UINT64_C(0x2E7AC078A0321E0E), UINT64_C(0x5C5A1168EF3DAAB6), ++ UINT64_C(0xD2D573CBADDD454A), UINT64_C(0x27E149E236259CC7), ++ UINT64_C(0x1EDFD469A63F47F1), UINT64_C(0x039AD674F1BD2CFD) }, ++ { UINT64_C(0xBFA633FC3077D3CC), UINT64_C(0x14A7C82F2FD64E9F), ++ UINT64_C(0xAAA650149D824999), UINT64_C(0x41AB113B21760F2E), ++ UINT64_C(0x23E646C51CAE260A), UINT64_C(0x08062C8F68DC5159) } }, ++ }, ++ { ++ { { UINT64_C(0x2E7D0A16204BE028), UINT64_C(0x4F1D082ED0E41851), ++ UINT64_C(0x15F1DDC63EB317F9), UINT64_C(0xF02750715ADF71D7), ++ UINT64_C(0x2CE33C2EEE858BC3), UINT64_C(0xA24C76D1DA73B71A) }, ++ { UINT64_C(0x9EF6A70A6C70C483), UINT64_C(0xEFCF170505CF9612), ++ UINT64_C(0x9F5BF5A67502DE64), UINT64_C(0xD11122A1A4701973), ++ UINT64_C(0x82CFAAC2A2EA7B24), UINT64_C(0x6CAD67CC0A4582E1) } }, ++ { { UINT64_C(0x597A26FFB4DC8600), UINT64_C(0x264A09F3F9288555), ++ UINT64_C(0x0B06AFF65C27F5F6), UINT64_C(0xCE5AB665D8D544E6), ++ UINT64_C(0x92F031BE99275C32), UINT64_C(0xAF51C5BBF42E0E7C) }, ++ { UINT64_C(0x5BB28B061E37B36D), UINT64_C(0x583FBA6A8473543A), ++ UINT64_C(0xE73FD299F93FB7DC), UINT64_C(0xFCD999A86E2CCAD9), ++ UINT64_C(0xB8C8A6DF334D4F57), UINT64_C(0x5ADB28DD9A2ACC9B) } }, ++ { { UINT64_C(0x5ADF3D9A111792B9), UINT64_C(0x1C77A3054F1E0D09), ++ UINT64_C(0xF9FBCE33A82D3736), UINT64_C(0xF307823E718C8AA3), ++ UINT64_C(0x860578CF416CCF69), UINT64_C(0xB942ADD81EF8465B) }, ++ { UINT64_C(0x9EE0CF97CD9472E1), UINT64_C(0xE6792EEFB01528A8), ++ UINT64_C(0xF99B9A8DC09DA90B), UINT64_C(0x1F521C2DCBF3CCB8), ++ UINT64_C(0x6BF6694891A62632), UINT64_C(0xCC7A9CEB854FE9DA) } }, ++ { { UINT64_C(0x46303171491CCB92), UINT64_C(0xA80A8C0D2771235B), ++ UINT64_C(0xD8E497FFF172C7CF), UINT64_C(0x7F7009D735B193CF), ++ UINT64_C(0x6B9FD3F7F19DF4BC), UINT64_C(0xADA548C3B46F1E37) }, ++ { UINT64_C(0x87C6EAA9C7A20270), UINT64_C(0xEF2245D6AE78EF99), ++ UINT64_C(0x2A121042539EAB95), UINT64_C(0x29A6D5D779B8F5CC), ++ UINT64_C(0x33803A10B77840DC), UINT64_C(0xFEDD3A7011A6A30F) } }, ++ { { UINT64_C(0xFA070E22142403D1), UINT64_C(0x68FF316015C6F7F5), ++ UINT64_C(0xE09F04E6223A0CE8), UINT64_C(0x22BBD01853E14183), ++ UINT64_C(0x35D9FAFCCF45B75B), UINT64_C(0x3A34819D7ECEEC88) }, ++ { UINT64_C(0xD9CF7568D33262D2), UINT64_C(0x431036D5841D1505), ++ UINT64_C(0x0C8005659EB2A79A), UINT64_C(0x8E77D9F05F7EDC6A), ++ UINT64_C(0x19E12D0565E800AA), UINT64_C(0x335C8D36B7784E7C) } }, ++ { { UINT64_C(0x8B2FC4E96484FD40), UINT64_C(0xEE702764A35D24EA), ++ UINT64_C(0x15B28AC7B871C3F3), UINT64_C(0x805B4048E097047F), ++ UINT64_C(0xD6F1B8DF647CAD2F), UINT64_C(0xF1D5B458DC7DD67F) }, ++ { UINT64_C(0x324C529C25148803), UINT64_C(0xF6185EBE21274FAF), ++ UINT64_C(0xAF14751E95148B55), UINT64_C(0x283ED89D28F284F4), ++ UINT64_C(0x93AD20E74CBEBF1A), UINT64_C(0x5F6EC65D882935E1) } }, ++ { { UINT64_C(0xE222EBA4A4DCEFE9), UINT64_C(0x63AD235FEC1CEB74), ++ UINT64_C(0x2E0BF749E05B18E7), UINT64_C(0x547BD050B48BDD87), ++ UINT64_C(0x0490C970F5AA2FC4), UINT64_C(0xCED5E4CF2B431390) }, ++ { UINT64_C(0x07D8270451D2898E), UINT64_C(0x44B72442083B57D4), ++ UINT64_C(0xA4ADA2305037FCE8), UINT64_C(0x55F7905E50510DA6), ++ UINT64_C(0xD8EE724F8D890A98), UINT64_C(0x925A8E7C11B85640) } }, ++ { { UINT64_C(0x5BFA10CD1CA459ED), UINT64_C(0x593F085A6DCF56BF), ++ UINT64_C(0xE6F0AD9BC0579C3E), UINT64_C(0xC11C95A22527C1AD), ++ UINT64_C(0x7CFA71E1CF1CB8B3), UINT64_C(0xEDCFF8331D6DC79D) }, ++ { UINT64_C(0x581C4BBE432521C9), UINT64_C(0xBF620096144E11A0), ++ UINT64_C(0x54C38B71BE3A107B), UINT64_C(0xED555E37E2606EC0), ++ UINT64_C(0x3FB148B8D721D034), UINT64_C(0x79D53DAD0091BC90) } }, ++ { { UINT64_C(0xE32068C5B7082C80), UINT64_C(0x4140FFD27A144E22), ++ UINT64_C(0x5811D2F09EDD9E86), UINT64_C(0xCDD79B5FC572C465), ++ UINT64_C(0x3563FED1C97BF450), UINT64_C(0x985C1444F2CE5C9C) }, ++ { UINT64_C(0x260AE79799950F1C), UINT64_C(0x659F4F40765E9DED), ++ UINT64_C(0x2A412D662E3BC286), UINT64_C(0xE865E62CF87E0C82), ++ UINT64_C(0xD63D3A9A6C05E7D7), UINT64_C(0x96725D678686F89A) } }, ++ { { UINT64_C(0xC99A5E4CAB7EA0F5), UINT64_C(0xC9860A1AC5393FA9), ++ UINT64_C(0x9ED83CEE8FDEEFC0), UINT64_C(0xE3EA8B4C5ED6869A), ++ UINT64_C(0x89A85463D2EED3A9), UINT64_C(0x2CD91B6DE421A622) }, ++ { UINT64_C(0x6FEC1EF32C91C41D), UINT64_C(0xB1540D1F8171037D), ++ UINT64_C(0x4FE4991A1C010E5B), UINT64_C(0x28A3469FFC1C7368), ++ UINT64_C(0xE1EEECD1AF118781), UINT64_C(0x1BCCB97799EF3531) } }, ++ { { UINT64_C(0x63D3B638C4DAB7B8), UINT64_C(0xD92133B63F7F5BAB), ++ UINT64_C(0x2573EE2009FB6069), UINT64_C(0x771FABDF890A1686), ++ UINT64_C(0x1D0BA21FA77AFFF5), UINT64_C(0x83145FCCBA3DD2C0) }, ++ { UINT64_C(0xFA073A812D115C20), UINT64_C(0x6AB7A9D319176F27), ++ UINT64_C(0xAF62CF939AC639EE), UINT64_C(0xF73848B92CCD1319), ++ UINT64_C(0x3B6132343C71659D), UINT64_C(0xF8E0011C10AB3826) } }, ++ { { UINT64_C(0x0501F0360282FFA5), UINT64_C(0xC39A5CF4D9E0F15A), ++ UINT64_C(0x48D8C7299A3D1F3C), UINT64_C(0xB5FC136B64E18EDA), ++ UINT64_C(0xE81B53D97E58FEF0), UINT64_C(0x0D534055F7B0F28D) }, ++ { UINT64_C(0x47B8DE127A80619B), UINT64_C(0x60E2A2B381F9E55D), ++ UINT64_C(0x6E9624D7CF564CC5), UINT64_C(0xFDF18A216BDEDFFF), ++ UINT64_C(0x3787DE38C0D5FC82), UINT64_C(0xCBCAA347497A6B11) } }, ++ { { UINT64_C(0x6E7EF35EB226465A), UINT64_C(0x4B4699195F8A2BAF), ++ UINT64_C(0x44B3A3CF1120D93F), UINT64_C(0xB052C8B668F34AD1), ++ UINT64_C(0x27EC574BEF7632DD), UINT64_C(0xAEBEA108685DE26F) }, ++ { UINT64_C(0xDA33236BE39424B6), UINT64_C(0xB1BD94A9EBCC22AD), ++ UINT64_C(0x6DDEE6CC2CDFB5D5), UINT64_C(0xBDAED9276F14069A), ++ UINT64_C(0x2ADE427C2A247CB7), UINT64_C(0xCE96B436ED156A40) } }, ++ { { UINT64_C(0xDDDCA36081F3F819), UINT64_C(0x4AF4A49FD419B96A), ++ UINT64_C(0x746C65257CB966B9), UINT64_C(0x01E390886F610023), ++ UINT64_C(0x05ECB38D98DD33FC), UINT64_C(0x962B971B8F84EDF4) }, ++ { UINT64_C(0xEB32C0A56A6F2602), UINT64_C(0xF026AF71562D60F2), ++ UINT64_C(0xA9E246BF84615FAB), UINT64_C(0xAD96709275DBAE01), ++ UINT64_C(0xBF97C79B3ECE5D07), UINT64_C(0xE06266C774EAA3D3) } }, ++ { { UINT64_C(0x161A01572E6DBB6E), UINT64_C(0xB8AF490460FA8F47), ++ UINT64_C(0xE4336C4400197F22), UINT64_C(0xF811AFFA9CEDCE0E), ++ UINT64_C(0xB1DD7685F94C2EF1), UINT64_C(0xEEDC0F4BCA957BB0) }, ++ { UINT64_C(0xD319FD574AA76BB1), UINT64_C(0xB3525D7C16CD7CCB), ++ UINT64_C(0x7B22DA9CA97DD072), UINT64_C(0x99DB84BD38A83E71), ++ UINT64_C(0x4939BC8DC0EDD8BE), UINT64_C(0x06D524EA903A932C) } }, ++ { { UINT64_C(0x4BC950EC0E31F639), UINT64_C(0xB7ABD3DC6016BE30), ++ UINT64_C(0x3B0F44736703DAD0), UINT64_C(0xCC405F8B0AC1C4EA), ++ UINT64_C(0x9BED5E57176C3FEE), UINT64_C(0xF452481036AE36C2) }, ++ { UINT64_C(0xC1EDBB8315D7B503), UINT64_C(0x943B1156E30F3657), ++ UINT64_C(0x984E9EEF98377805), UINT64_C(0x291AE7AC36CF1DEB), ++ UINT64_C(0xFED8748CA9F66DF3), UINT64_C(0xECA758BBFEA8FA5D) } }, ++ }, ++ { ++ { { UINT64_C(0xACC787EF2DD1B249), UINT64_C(0x736E1030D82976F1), ++ UINT64_C(0x0A6940FAA01B3649), UINT64_C(0xE00B926BC42341E7), ++ UINT64_C(0x911508D0DE8FFD6C), UINT64_C(0x4DCF8D465276B0CB) }, ++ { UINT64_C(0x23AD0A90CC3CAD8D), UINT64_C(0x2A92E54CADED962A), ++ UINT64_C(0x93FBEC4DF231BFAF), UINT64_C(0x9544BC774798987A), ++ UINT64_C(0x48084E2508E29F60), UINT64_C(0x0C0D2F4332DE5869) } }, ++ { { UINT64_C(0x6778F9703A9ABC13), UINT64_C(0xFD014FAC3D2B166B), ++ UINT64_C(0x1FE4FC783C6FED60), UINT64_C(0x04295FA8AA7C69C5), ++ UINT64_C(0xA01DE56D7C123175), UINT64_C(0x0FA0D3A83D9A713A) }, ++ { UINT64_C(0xA7A6E5E3E3E08ADD), UINT64_C(0xBD77E94B1AC58F85), ++ UINT64_C(0x078F6FD2B7321A9C), UINT64_C(0x9564601E911EF6D9), ++ UINT64_C(0x31C5C1B2415C6BEF), UINT64_C(0xE6C0C91ED3212C62) } }, ++ { { UINT64_C(0xBA7BD23C0D16022F), UINT64_C(0xE9CF4750198BE288), ++ UINT64_C(0x304E316947DEEC65), UINT64_C(0xCF65B41F96EEB288), ++ UINT64_C(0x17E99C17927E9E3B), UINT64_C(0x82225546F6630A80) }, ++ { UINT64_C(0x15122B8ACA067BD9), UINT64_C(0xE2673205B77B4E98), ++ UINT64_C(0x130375659407CA63), UINT64_C(0x53624F548B621602), ++ UINT64_C(0x96AF2CB1EAE4BD06), UINT64_C(0x576ECD1C8FA20829) } }, ++ { { UINT64_C(0xA551CE107E02D2D0), UINT64_C(0x1584ED249D13DBC7), ++ UINT64_C(0x082017AD4DA7B6D8), UINT64_C(0x81918A8FE054BC48), ++ UINT64_C(0x677DB48E572DC384), UINT64_C(0x2EF822966155484C) }, ++ { UINT64_C(0xC3DB14C641B9C231), UINT64_C(0x910A87D14A766192), ++ UINT64_C(0x93D5CC8610AB8E0F), UINT64_C(0x4194D548AE57CA1B), ++ UINT64_C(0xFAF3A1D6267FC37A), UINT64_C(0x70EC236413B87C97) } }, ++ { { UINT64_C(0x064B565B5E12756A), UINT64_C(0x953B7BD1AE49C98E), ++ UINT64_C(0xE0CE8284F7001D91), UINT64_C(0x1546060BF31108D0), ++ UINT64_C(0xDBC2C3F46779B6E2), UINT64_C(0x157AA47DE0DD07CF) }, ++ { UINT64_C(0xBF4A1C6FF23B261E), UINT64_C(0x5B8EED30654F4BE5), ++ UINT64_C(0xDF5896D36B20CCD8), UINT64_C(0x56920E2C559ED23D), ++ UINT64_C(0x901F342EFA6E3E27), UINT64_C(0x745C747C896CA082) } }, ++ { { UINT64_C(0xDBCCD5752944EC84), UINT64_C(0x54A2A935A5FF65FE), ++ UINT64_C(0x88C92A5E1A1319B6), UINT64_C(0x9537C28F82DA96C1), ++ UINT64_C(0xB683647435F93C46), UINT64_C(0xEC526A1D65B0846C) }, ++ { UINT64_C(0x6F12AFBDF382C412), UINT64_C(0x5EBC81D89E99FA06), ++ UINT64_C(0x97B5D672869B93BD), UINT64_C(0x2983C310377E12AA), ++ UINT64_C(0x4875968124D681EA), UINT64_C(0x1E0BD106287FD767) } }, ++ { { UINT64_C(0x0AC75A3E7231247F), UINT64_C(0x65C20DE6EF27AD3A), ++ UINT64_C(0x87EB6CF1BD02EEE5), UINT64_C(0x264ACA7A00147E03), ++ UINT64_C(0xEBC78581AE2A9437), UINT64_C(0x9929964E6316BFA5) }, ++ { UINT64_C(0xDC09E0409AF207EF), UINT64_C(0x3ECFFE2D0C9D8658), ++ UINT64_C(0x547EA735DFB43D38), UINT64_C(0x5485247BD04B1B20), ++ UINT64_C(0xB18D3F02BFD8B609), UINT64_C(0xEEB3E805CCE73705) } }, ++ { { UINT64_C(0xDAB1A525DB93850F), UINT64_C(0x18ADAA238365B7D5), ++ UINT64_C(0x58485C90113FC8C7), UINT64_C(0x80C3DBB9348AD323), ++ UINT64_C(0xAF892FB5E16ADCA1), UINT64_C(0x2183C879979F005A) }, ++ { UINT64_C(0x20FA1A940643A99E), UINT64_C(0x2741221C1A1609CB), ++ UINT64_C(0x1C1687E53C2FBDDC), UINT64_C(0xDCCF329ED420D6CF), ++ UINT64_C(0x75D5577D2B7197D1), UINT64_C(0x4C3C3875C8729D9C) } }, ++ { { UINT64_C(0x5E79F995E5CBDCB9), UINT64_C(0x03139824A742FCC7), ++ UINT64_C(0x6D0C214A239EF4A1), UINT64_C(0x53A27952401A2944), ++ UINT64_C(0xF42A1B34C10BCDF0), UINT64_C(0x426BAA437CF38061) }, ++ { UINT64_C(0x16A53139A96AD0C8), UINT64_C(0x627F1D316BAD5301), ++ UINT64_C(0x5AF748774ACCD627), UINT64_C(0x3C58A1C5B55B0FB8), ++ UINT64_C(0xFAA57B91F4399A6A), UINT64_C(0xBAD283FBC28094B8) } }, ++ { { UINT64_C(0xBA32AC6183E10A93), UINT64_C(0x1C91F6B4EC06BDB0), ++ UINT64_C(0x42E6CFBC65F60C93), UINT64_C(0xEFE33BC82C0CDCBE), ++ UINT64_C(0xE0FE1D094D6414F2), UINT64_C(0x4C11231676FA5C5B) }, ++ { UINT64_C(0x812C1DC62E26200A), UINT64_C(0xD6C413C5EE879D25), ++ UINT64_C(0xBEADE255BCA8BAFE), UINT64_C(0x0EAF4AE2CE2BA0E7), ++ UINT64_C(0x66E9FFB0C4F4408A), UINT64_C(0xB36A86D79782C7AD) } }, ++ { { UINT64_C(0x10FCD1F4BAD8D1C7), UINT64_C(0xC903816A4502F645), ++ UINT64_C(0x7FAC1CC1A503B895), UINT64_C(0x8BCD60410778900C), ++ UINT64_C(0x5A5F22025BCF2784), UINT64_C(0x9B157E8710EDB896) }, ++ { UINT64_C(0x4C58DA69F602A8B1), UINT64_C(0xD55132F859EC9D7E), ++ UINT64_C(0x155B719AA26D4870), UINT64_C(0x25AAFCA336441746), ++ UINT64_C(0x01F83338DD3B6B30), UINT64_C(0xD52BB5C1551917CC) } }, ++ { { UINT64_C(0xA0B6207B6135066A), UINT64_C(0xB3409F842AEC8CBD), ++ UINT64_C(0x5EBFD43619D87DF0), UINT64_C(0xCB4C209BE8526DE2), ++ UINT64_C(0xD764085B21E1A230), UINT64_C(0x96F915540899964A) }, ++ { UINT64_C(0xB0BEC8EFA57D122A), UINT64_C(0xC572EC565D9D0B33), ++ UINT64_C(0xEBE2A780CFA7C72C), UINT64_C(0x52D40CDB9EF3295C), ++ UINT64_C(0x640045840DE74DFE), UINT64_C(0xA6846432C0809716) } }, ++ { { UINT64_C(0x0D09E8CD02C979BC), UINT64_C(0xEC4B21F6409F4F2A), ++ UINT64_C(0x68125C7013FB07CA), UINT64_C(0x1C4CFC176FDFA72A), ++ UINT64_C(0xC9E71B9E04539FCD), UINT64_C(0x94B7103D8BA70797) }, ++ { UINT64_C(0x6B81E82FB33FDE83), UINT64_C(0x7CA9A8CAEABAFD4B), ++ UINT64_C(0xADD85A67EAB819CE), UINT64_C(0xAEC2548398E99FFC), ++ UINT64_C(0x938D6440274A07B6), UINT64_C(0x0A5C7097564A6AA0) } }, ++ { { UINT64_C(0x7284FF502F4FCEB6), UINT64_C(0x0A28715A78D0D5CB), ++ UINT64_C(0xE70B7014BFCE187C), UINT64_C(0xA6B538F57A17148D), ++ UINT64_C(0x1DAB07C9DD427166), UINT64_C(0x5C5578B0149D23CA) }, ++ { UINT64_C(0x875E2056875B5EDE), UINT64_C(0xCBF44B6D02C893B9), ++ UINT64_C(0x5715A77E5C2993FB), UINT64_C(0xAF3281463410597E), ++ UINT64_C(0x65DF418F42DC49DF), UINT64_C(0x7AC9C720A9EE52F6) } }, ++ { { UINT64_C(0xB1C9AA0762955486), UINT64_C(0xCBF35BE3245061D7), ++ UINT64_C(0x811E1BD38CF4DDC0), UINT64_C(0xD9D4589C948F7C84), ++ UINT64_C(0x30D09A0FCB0F996D), UINT64_C(0x1A1B3B7A590E7704) }, ++ { UINT64_C(0xA848E3492082768D), UINT64_C(0x9FEBD4929A249DF4), ++ UINT64_C(0x503420AF5F20439A), UINT64_C(0x0CBE52B68E2BFCD4), ++ UINT64_C(0xB1D5E261118C91B2), UINT64_C(0x93CFF6DA71D8F2BC) } }, ++ { { UINT64_C(0x5F5BC06B8AB58944), UINT64_C(0xE4BED5384979882D), ++ UINT64_C(0x57C30362D79B0EB1), UINT64_C(0x391AE2C1EF7C56D8), ++ UINT64_C(0x28BC2E97ADD98625), UINT64_C(0xFA8E86B81B257107) }, ++ { UINT64_C(0x5E4859F86118C715), UINT64_C(0x91C83324524C71DD), ++ UINT64_C(0xFB2092436D2F5E6D), UINT64_C(0x6B4FE21F2A900A43), ++ UINT64_C(0x241F75D632A73C1F), UINT64_C(0xF5BC46295AE89613) } }, ++ } ++}; ++ ++/*- ++ * Q := 2P, both projective, Q and P same pointers OK ++ * Autogenerated: op3/dbl_proj.op3 ++ * https://eprint.iacr.org/2015/1060 Alg 6 ++ * ASSERT: a = -3 ++ */ ++static void ++point_double(pt_prj_t *Q, const pt_prj_t *P) ++{ ++ /* temporary variables */ ++ fe_t t0, t1, t2, t3, t4; ++ /* constants */ ++ const limb_t *b = const_b; ++ /* set pointers for legacy curve arith */ ++ const limb_t *X = P->X; ++ const limb_t *Y = P->Y; ++ const limb_t *Z = P->Z; ++ limb_t *X3 = Q->X; ++ limb_t *Y3 = Q->Y; ++ limb_t *Z3 = Q->Z; ++ ++ /* the curve arith formula */ ++ fiat_secp384r1_square(t0, X); ++ fiat_secp384r1_square(t1, Y); ++ fiat_secp384r1_square(t2, Z); ++ fiat_secp384r1_mul(t3, X, Y); ++ fiat_secp384r1_add(t3, t3, t3); ++ fiat_secp384r1_mul(t4, Y, Z); ++ fiat_secp384r1_mul(Z3, X, Z); ++ fiat_secp384r1_add(Z3, Z3, Z3); ++ fiat_secp384r1_mul(Y3, b, t2); ++ fiat_secp384r1_sub(Y3, Y3, Z3); ++ fiat_secp384r1_add(X3, Y3, Y3); ++ fiat_secp384r1_add(Y3, X3, Y3); ++ fiat_secp384r1_sub(X3, t1, Y3); ++ fiat_secp384r1_add(Y3, t1, Y3); ++ fiat_secp384r1_mul(Y3, X3, Y3); ++ fiat_secp384r1_mul(X3, X3, t3); ++ fiat_secp384r1_add(t3, t2, t2); ++ fiat_secp384r1_add(t2, t2, t3); ++ fiat_secp384r1_mul(Z3, b, Z3); ++ fiat_secp384r1_sub(Z3, Z3, t2); ++ fiat_secp384r1_sub(Z3, Z3, t0); ++ fiat_secp384r1_add(t3, Z3, Z3); ++ fiat_secp384r1_add(Z3, Z3, t3); ++ fiat_secp384r1_add(t3, t0, t0); ++ fiat_secp384r1_add(t0, t3, t0); ++ fiat_secp384r1_sub(t0, t0, t2); ++ fiat_secp384r1_mul(t0, t0, Z3); ++ fiat_secp384r1_add(Y3, Y3, t0); ++ fiat_secp384r1_add(t0, t4, t4); ++ fiat_secp384r1_mul(Z3, t0, Z3); ++ fiat_secp384r1_sub(X3, X3, Z3); ++ fiat_secp384r1_mul(Z3, t0, t1); ++ fiat_secp384r1_add(Z3, Z3, Z3); ++ fiat_secp384r1_add(Z3, Z3, Z3); ++} ++ ++/*- ++ * R := Q + P where R and Q are projective, P affine. ++ * R and Q same pointers OK ++ * R and P same pointers not OK ++ * Autogenerated: op3/add_mixed.op3 ++ * https://eprint.iacr.org/2015/1060 Alg 5 ++ * ASSERT: a = -3 ++ */ ++static void ++point_add_mixed(pt_prj_t *R, const pt_prj_t *Q, const pt_aff_t *P) ++{ ++ /* temporary variables */ ++ fe_t t0, t1, t2, t3, t4; ++ /* constants */ ++ const limb_t *b = const_b; ++ /* set pointers for legacy curve arith */ ++ const limb_t *X1 = Q->X; ++ const limb_t *Y1 = Q->Y; ++ const limb_t *Z1 = Q->Z; ++ const limb_t *X2 = P->X; ++ const limb_t *Y2 = P->Y; ++ fe_t X3; ++ fe_t Y3; ++ fe_t Z3; ++ limb_t nz; ++ ++ /* check P for affine inf */ ++ fiat_secp384r1_nonzero(&nz, P->Y); ++ ++ /* the curve arith formula */ ++ fiat_secp384r1_mul(t0, X1, X2); ++ fiat_secp384r1_mul(t1, Y1, Y2); ++ fiat_secp384r1_add(t3, X2, Y2); ++ fiat_secp384r1_add(t4, X1, Y1); ++ fiat_secp384r1_mul(t3, t3, t4); ++ fiat_secp384r1_add(t4, t0, t1); ++ fiat_secp384r1_sub(t3, t3, t4); ++ fiat_secp384r1_mul(t4, Y2, Z1); ++ fiat_secp384r1_add(t4, t4, Y1); ++ fiat_secp384r1_mul(Y3, X2, Z1); ++ fiat_secp384r1_add(Y3, Y3, X1); ++ fiat_secp384r1_mul(Z3, b, Z1); ++ fiat_secp384r1_sub(X3, Y3, Z3); ++ fiat_secp384r1_add(Z3, X3, X3); ++ fiat_secp384r1_add(X3, X3, Z3); ++ fiat_secp384r1_sub(Z3, t1, X3); ++ fiat_secp384r1_add(X3, t1, X3); ++ fiat_secp384r1_mul(Y3, b, Y3); ++ fiat_secp384r1_add(t1, Z1, Z1); ++ fiat_secp384r1_add(t2, t1, Z1); ++ fiat_secp384r1_sub(Y3, Y3, t2); ++ fiat_secp384r1_sub(Y3, Y3, t0); ++ fiat_secp384r1_add(t1, Y3, Y3); ++ fiat_secp384r1_add(Y3, t1, Y3); ++ fiat_secp384r1_add(t1, t0, t0); ++ fiat_secp384r1_add(t0, t1, t0); ++ fiat_secp384r1_sub(t0, t0, t2); ++ fiat_secp384r1_mul(t1, t4, Y3); ++ fiat_secp384r1_mul(t2, t0, Y3); ++ fiat_secp384r1_mul(Y3, X3, Z3); ++ fiat_secp384r1_add(Y3, Y3, t2); ++ fiat_secp384r1_mul(X3, t3, X3); ++ fiat_secp384r1_sub(X3, X3, t1); ++ fiat_secp384r1_mul(Z3, t4, Z3); ++ fiat_secp384r1_mul(t1, t3, t0); ++ fiat_secp384r1_add(Z3, Z3, t1); ++ ++ /* if P is inf, throw all that away and take Q */ ++ fiat_secp384r1_selectznz(R->X, nz, Q->X, X3); ++ fiat_secp384r1_selectznz(R->Y, nz, Q->Y, Y3); ++ fiat_secp384r1_selectznz(R->Z, nz, Q->Z, Z3); ++} ++ ++/*- ++ * R := Q + P all projective. ++ * R and Q same pointers OK ++ * R and P same pointers not OK ++ * Autogenerated: op3/add_proj.op3 ++ * https://eprint.iacr.org/2015/1060 Alg 4 ++ * ASSERT: a = -3 ++ */ ++static void ++point_add_proj(pt_prj_t *R, const pt_prj_t *Q, const pt_prj_t *P) ++{ ++ /* temporary variables */ ++ fe_t t0, t1, t2, t3, t4, t5; ++ /* constants */ ++ const limb_t *b = const_b; ++ /* set pointers for legacy curve arith */ ++ const limb_t *X1 = Q->X; ++ const limb_t *Y1 = Q->Y; ++ const limb_t *Z1 = Q->Z; ++ const limb_t *X2 = P->X; ++ const limb_t *Y2 = P->Y; ++ const limb_t *Z2 = P->Z; ++ limb_t *X3 = R->X; ++ limb_t *Y3 = R->Y; ++ limb_t *Z3 = R->Z; ++ ++ /* the curve arith formula */ ++ fiat_secp384r1_mul(t0, X1, X2); ++ fiat_secp384r1_mul(t1, Y1, Y2); ++ fiat_secp384r1_mul(t2, Z1, Z2); ++ fiat_secp384r1_add(t3, X1, Y1); ++ fiat_secp384r1_add(t4, X2, Y2); ++ fiat_secp384r1_mul(t3, t3, t4); ++ fiat_secp384r1_add(t4, t0, t1); ++ fiat_secp384r1_sub(t3, t3, t4); ++ fiat_secp384r1_add(t4, Y1, Z1); ++ fiat_secp384r1_add(t5, Y2, Z2); ++ fiat_secp384r1_mul(t4, t4, t5); ++ fiat_secp384r1_add(t5, t1, t2); ++ fiat_secp384r1_sub(t4, t4, t5); ++ fiat_secp384r1_add(X3, X1, Z1); ++ fiat_secp384r1_add(Y3, X2, Z2); ++ fiat_secp384r1_mul(X3, X3, Y3); ++ fiat_secp384r1_add(Y3, t0, t2); ++ fiat_secp384r1_sub(Y3, X3, Y3); ++ fiat_secp384r1_mul(Z3, b, t2); ++ fiat_secp384r1_sub(X3, Y3, Z3); ++ fiat_secp384r1_add(Z3, X3, X3); ++ fiat_secp384r1_add(X3, X3, Z3); ++ fiat_secp384r1_sub(Z3, t1, X3); ++ fiat_secp384r1_add(X3, t1, X3); ++ fiat_secp384r1_mul(Y3, b, Y3); ++ fiat_secp384r1_add(t1, t2, t2); ++ fiat_secp384r1_add(t2, t1, t2); ++ fiat_secp384r1_sub(Y3, Y3, t2); ++ fiat_secp384r1_sub(Y3, Y3, t0); ++ fiat_secp384r1_add(t1, Y3, Y3); ++ fiat_secp384r1_add(Y3, t1, Y3); ++ fiat_secp384r1_add(t1, t0, t0); ++ fiat_secp384r1_add(t0, t1, t0); ++ fiat_secp384r1_sub(t0, t0, t2); ++ fiat_secp384r1_mul(t1, t4, Y3); ++ fiat_secp384r1_mul(t2, t0, Y3); ++ fiat_secp384r1_mul(Y3, X3, Z3); ++ fiat_secp384r1_add(Y3, Y3, t2); ++ fiat_secp384r1_mul(X3, t3, X3); ++ fiat_secp384r1_sub(X3, X3, t1); ++ fiat_secp384r1_mul(Z3, t4, Z3); ++ fiat_secp384r1_mul(t1, t3, t0); ++ fiat_secp384r1_add(Z3, Z3, t1); ++} ++ ++/* constants */ ++#define RADIX 5 ++#define DRADIX (1 << RADIX) ++#define DRADIX_WNAF ((DRADIX) << 1) ++ ++/*- ++ * precomp for wnaf scalar multiplication: ++ * precomp[0] = 1P ++ * precomp[1] = 3P ++ * precomp[2] = 5P ++ * precomp[3] = 7P ++ * precomp[4] = 9P ++ * ... ++ */ ++static void ++precomp_wnaf(pt_prj_t precomp[DRADIX / 2], const pt_aff_t *P) ++{ ++ int i; ++ ++ fe_copy(precomp[0].X, P->X); ++ fe_copy(precomp[0].Y, P->Y); ++ fe_copy(precomp[0].Z, const_one); ++ point_double(&precomp[DRADIX / 2 - 1], &precomp[0]); ++ ++ for (i = 1; i < DRADIX / 2; i++) ++ point_add_proj(&precomp[i], &precomp[DRADIX / 2 - 1], &precomp[i - 1]); ++} ++ ++/* fetch a scalar bit */ ++static int ++scalar_get_bit(const unsigned char in[48], int idx) ++{ ++ int widx, rshift; ++ ++ widx = idx >> 3; ++ rshift = idx & 0x7; ++ ++ if (idx < 0 || widx >= 48) ++ return 0; ++ ++ return (in[widx] >> rshift) & 0x1; ++} ++ ++/*- ++ * Compute "regular" wnaf representation of a scalar. ++ * See "Exponent Recoding and Regular Exponentiation Algorithms", ++ * Tunstall et al., AfricaCrypt 2009, Alg 6. ++ * It forces an odd scalar and outputs digits in ++ * {\pm 1, \pm 3, \pm 5, \pm 7, \pm 9, ...} ++ * i.e. signed odd digits with _no zeroes_ -- that makes it "regular". ++ */ ++static void ++scalar_rwnaf(int8_t out[77], const unsigned char in[48]) ++{ ++ int i; ++ int8_t window, d; ++ ++ window = (in[0] & (DRADIX_WNAF - 1)) | 1; ++ for (i = 0; i < 76; i++) { ++ d = (window & (DRADIX_WNAF - 1)) - DRADIX; ++ out[i] = d; ++ window = (window - d) >> RADIX; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 1) << 1; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 2) << 2; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 3) << 3; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 4) << 4; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 5) << 5; ++ } ++ out[i] = window; ++} ++ ++/*- ++ * Compute "textbook" wnaf representation of a scalar. ++ * NB: not constant time ++ */ ++static void ++scalar_wnaf(int8_t out[385], const unsigned char in[48]) ++{ ++ int i; ++ int8_t window, d; ++ ++ window = in[0] & (DRADIX_WNAF - 1); ++ for (i = 0; i < 385; i++) { ++ d = 0; ++ if ((window & 1) && ((d = window & (DRADIX_WNAF - 1)) & DRADIX)) ++ d -= DRADIX_WNAF; ++ out[i] = d; ++ window = (window - d) >> 1; ++ window += scalar_get_bit(in, i + 1 + RADIX) << RADIX; ++ } ++} ++ ++/*- ++ * Simulateous scalar multiplication: interleaved "textbook" wnaf. ++ * NB: not constant time ++ */ ++static void ++var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[48], ++ const unsigned char b[48], const pt_aff_t *P) ++{ ++ int i, d, is_neg, is_inf = 1, flipped = 0; ++ int8_t anaf[385] = { 0 }; ++ int8_t bnaf[385] = { 0 }; ++ pt_prj_t Q; ++ pt_prj_t precomp[DRADIX / 2]; ++ ++ precomp_wnaf(precomp, P); ++ scalar_wnaf(anaf, a); ++ scalar_wnaf(bnaf, b); ++ ++ for (i = 384; i >= 0; i--) { ++ if (!is_inf) ++ point_double(&Q, &Q); ++ if ((d = bnaf[i])) { ++ if ((is_neg = d < 0) != flipped) { ++ fiat_secp384r1_opp(Q.Y, Q.Y); ++ flipped ^= 1; ++ } ++ d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; ++ if (is_inf) { ++ /* initialize accumulator */ ++ fe_copy(Q.X, &precomp[d].X); ++ fe_copy(Q.Y, &precomp[d].Y); ++ fe_copy(Q.Z, &precomp[d].Z); ++ is_inf = 0; ++ } else ++ point_add_proj(&Q, &Q, &precomp[d]); ++ } ++ if ((d = anaf[i])) { ++ if ((is_neg = d < 0) != flipped) { ++ fiat_secp384r1_opp(Q.Y, Q.Y); ++ flipped ^= 1; ++ } ++ d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; ++ if (is_inf) { ++ /* initialize accumulator */ ++ fe_copy(Q.X, &lut_cmb[0][d].X); ++ fe_copy(Q.Y, &lut_cmb[0][d].Y); ++ fe_copy(Q.Z, const_one); ++ is_inf = 0; ++ } else ++ point_add_mixed(&Q, &Q, &lut_cmb[0][d]); ++ } ++ } ++ ++ if (is_inf) { ++ /* initialize accumulator to inf: all-zero scalars */ ++ fe_set_zero(Q.X); ++ fe_copy(Q.Y, const_one); ++ fe_set_zero(Q.Z); ++ } ++ ++ if (flipped) { ++ /* correct sign */ ++ fiat_secp384r1_opp(Q.Y, Q.Y); ++ } ++ ++ /* convert to affine -- NB depends on coordinate system */ ++ fiat_secp384r1_inv(Q.Z, Q.Z); ++ fiat_secp384r1_mul(out->X, Q.X, Q.Z); ++ fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); ++} ++ ++/*- ++ * Variable point scalar multiplication with "regular" wnaf. ++ */ ++static void ++var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[48], ++ const pt_aff_t *P) ++{ ++ int i, j, d, diff, is_neg; ++ int8_t rnaf[77] = { 0 }; ++ pt_prj_t Q, lut; ++ pt_prj_t precomp[DRADIX / 2]; ++ ++ precomp_wnaf(precomp, P); ++ scalar_rwnaf(rnaf, scalar); ++ ++#if defined(_MSC_VER) ++/* result still unsigned: yes we know */ ++#pragma warning(push) ++#pragma warning(disable : 4146) ++#endif ++ ++ /* initialize accumulator to high digit */ ++ d = (rnaf[76] - 1) >> 1; ++ for (j = 0; j < DRADIX / 2; j++) { ++ diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; ++ fiat_secp384r1_selectznz(Q.X, diff, Q.X, precomp[j].X); ++ fiat_secp384r1_selectznz(Q.Y, diff, Q.Y, precomp[j].Y); ++ fiat_secp384r1_selectznz(Q.Z, diff, Q.Z, precomp[j].Z); ++ } ++ ++ for (i = 75; i >= 0; i--) { ++ for (j = 0; j < RADIX; j++) ++ point_double(&Q, &Q); ++ d = rnaf[i]; ++ /* is_neg = (d < 0) ? 1 : 0 */ ++ is_neg = (d >> (8 * sizeof(int) - 1)) & 1; ++ /* d = abs(d) */ ++ d = (d ^ -is_neg) + is_neg; ++ d = (d - 1) >> 1; ++ for (j = 0; j < DRADIX / 2; j++) { ++ diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; ++ fiat_secp384r1_selectznz(lut.X, diff, lut.X, precomp[j].X); ++ fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, precomp[j].Y); ++ fiat_secp384r1_selectznz(lut.Z, diff, lut.Z, precomp[j].Z); ++ } ++ /* negate lut point if digit is negative */ ++ fiat_secp384r1_opp(out->Y, lut.Y); ++ fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); ++ point_add_proj(&Q, &Q, &lut); ++ } ++ ++#if defined(_MSC_VER) ++#pragma warning(pop) ++#endif ++ ++ /* conditionally subtract P if the scalar was even */ ++ fe_copy(lut.X, precomp[0].X); ++ fiat_secp384r1_opp(lut.Y, precomp[0].Y); ++ fe_copy(lut.Z, precomp[0].Z); ++ point_add_proj(&lut, &lut, &Q); ++ fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, lut.X, Q.X); ++ fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, lut.Y, Q.Y); ++ fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, lut.Z, Q.Z); ++ ++ /* convert to affine -- NB depends on coordinate system */ ++ fiat_secp384r1_inv(Q.Z, Q.Z); ++ fiat_secp384r1_mul(out->X, Q.X, Q.Z); ++ fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); ++} ++ ++/*- ++ * Fixed scalar multiplication: comb with interleaving. ++ */ ++static void ++fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[48]) ++{ ++ int i, j, k, d, diff, is_neg = 0; ++ int8_t rnaf[77] = { 0 }; ++ pt_prj_t Q, R; ++ pt_aff_t lut; ++ ++ scalar_rwnaf(rnaf, scalar); ++ ++ /* initalize accumulator to inf */ ++ fe_set_zero(Q.X); ++ fe_copy(Q.Y, const_one); ++ fe_set_zero(Q.Z); ++ ++#if defined(_MSC_VER) ++/* result still unsigned: yes we know */ ++#pragma warning(push) ++#pragma warning(disable : 4146) ++#endif ++ ++ for (i = 3; i >= 0; i--) { ++ for (j = 0; i != 3 && j < RADIX; j++) ++ point_double(&Q, &Q); ++ for (j = 0; j < 21; j++) { ++ if (j * 4 + i > 76) ++ continue; ++ d = rnaf[j * 4 + i]; ++ /* is_neg = (d < 0) ? 1 : 0 */ ++ is_neg = (d >> (8 * sizeof(int) - 1)) & 1; ++ /* d = abs(d) */ ++ d = (d ^ -is_neg) + is_neg; ++ d = (d - 1) >> 1; ++ for (k = 0; k < DRADIX / 2; k++) { ++ diff = (1 - (-(d ^ k) >> (8 * sizeof(int) - 1))) & 1; ++ fiat_secp384r1_selectznz(lut.X, diff, lut.X, lut_cmb[j][k].X); ++ fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, lut_cmb[j][k].Y); ++ } ++ /* negate lut point if digit is negative */ ++ fiat_secp384r1_opp(out->Y, lut.Y); ++ fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); ++ point_add_mixed(&Q, &Q, &lut); ++ } ++ } ++ ++#if defined(_MSC_VER) ++#pragma warning(pop) ++#endif ++ ++ /* conditionally subtract P if the scalar was even */ ++ fe_copy(lut.X, lut_cmb[0][0].X); ++ fiat_secp384r1_opp(lut.Y, lut_cmb[0][0].Y); ++ point_add_mixed(&R, &Q, &lut); ++ fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, R.X, Q.X); ++ fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, R.Y, Q.Y); ++ fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, R.Z, Q.Z); ++ ++ /* convert to affine -- NB depends on coordinate system */ ++ fiat_secp384r1_inv(Q.Z, Q.Z); ++ fiat_secp384r1_mul(out->X, Q.X, Q.Z); ++ fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); ++} ++ ++static void ++point_mul_two(unsigned char outx[48], unsigned char outy[48], ++ const unsigned char a[48], const unsigned char b[48], ++ const unsigned char inx[48], ++ const unsigned char iny[48]) ++{ ++ pt_aff_t P; ++ ++ fiat_secp384r1_from_bytes(P.X, inx); ++ fiat_secp384r1_from_bytes(P.Y, iny); ++ fiat_secp384r1_to_montgomery(P.X, P.X); ++ fiat_secp384r1_to_montgomery(P.Y, P.Y); ++ /* simultaneous scalar multiplication */ ++ var_smul_wnaf_two(&P, a, b, &P); ++ ++ fiat_secp384r1_from_montgomery(P.X, P.X); ++ fiat_secp384r1_from_montgomery(P.Y, P.Y); ++ fiat_secp384r1_to_bytes(outx, P.X); ++ fiat_secp384r1_to_bytes(outy, P.Y); ++} ++ ++static void ++point_mul_g(unsigned char outx[48], unsigned char outy[48], ++ const unsigned char scalar[48]) ++{ ++ pt_aff_t P; ++ ++ /* fixed scmul function */ ++ fixed_smul_cmb(&P, scalar); ++ fiat_secp384r1_from_montgomery(P.X, P.X); ++ fiat_secp384r1_from_montgomery(P.Y, P.Y); ++ fiat_secp384r1_to_bytes(outx, P.X); ++ fiat_secp384r1_to_bytes(outy, P.Y); ++} ++ ++static void ++point_mul(unsigned char outx[48], unsigned char outy[48], ++ const unsigned char scalar[48], ++ const unsigned char inx[48], ++ const unsigned char iny[48]) ++{ ++ pt_aff_t P; ++ ++ fiat_secp384r1_from_bytes(P.X, inx); ++ fiat_secp384r1_from_bytes(P.Y, iny); ++ fiat_secp384r1_to_montgomery(P.X, P.X); ++ fiat_secp384r1_to_montgomery(P.Y, P.Y); ++ /* var scmul function */ ++ var_smul_rwnaf(&P, scalar, &P); ++ fiat_secp384r1_from_montgomery(P.X, P.X); ++ fiat_secp384r1_from_montgomery(P.Y, P.Y); ++ fiat_secp384r1_to_bytes(outx, P.X); ++ fiat_secp384r1_to_bytes(outy, P.Y); ++} ++ ++#undef RADIX ++#include "ecp.h" ++#include "mplogic.h" ++ ++/*- ++ * reverse bytes -- total hack ++ */ ++#define MP_BE2LE(a) \ ++ do { \ ++ unsigned char z_bswap; \ ++ z_bswap = a[0]; \ ++ a[0] = a[47]; \ ++ a[47] = z_bswap; \ ++ z_bswap = a[1]; \ ++ a[1] = a[46]; \ ++ a[46] = z_bswap; \ ++ z_bswap = a[2]; \ ++ a[2] = a[45]; \ ++ a[45] = z_bswap; \ ++ z_bswap = a[3]; \ ++ a[3] = a[44]; \ ++ a[44] = z_bswap; \ ++ z_bswap = a[4]; \ ++ a[4] = a[43]; \ ++ a[43] = z_bswap; \ ++ z_bswap = a[5]; \ ++ a[5] = a[42]; \ ++ a[42] = z_bswap; \ ++ z_bswap = a[6]; \ ++ a[6] = a[41]; \ ++ a[41] = z_bswap; \ ++ z_bswap = a[7]; \ ++ a[7] = a[40]; \ ++ a[40] = z_bswap; \ ++ z_bswap = a[8]; \ ++ a[8] = a[39]; \ ++ a[39] = z_bswap; \ ++ z_bswap = a[9]; \ ++ a[9] = a[38]; \ ++ a[38] = z_bswap; \ ++ z_bswap = a[10]; \ ++ a[10] = a[37]; \ ++ a[37] = z_bswap; \ ++ z_bswap = a[11]; \ ++ a[11] = a[36]; \ ++ a[36] = z_bswap; \ ++ z_bswap = a[12]; \ ++ a[12] = a[35]; \ ++ a[35] = z_bswap; \ ++ z_bswap = a[13]; \ ++ a[13] = a[34]; \ ++ a[34] = z_bswap; \ ++ z_bswap = a[14]; \ ++ a[14] = a[33]; \ ++ a[33] = z_bswap; \ ++ z_bswap = a[15]; \ ++ a[15] = a[32]; \ ++ a[32] = z_bswap; \ ++ z_bswap = a[16]; \ ++ a[16] = a[31]; \ ++ a[31] = z_bswap; \ ++ z_bswap = a[17]; \ ++ a[17] = a[30]; \ ++ a[30] = z_bswap; \ ++ z_bswap = a[18]; \ ++ a[18] = a[29]; \ ++ a[29] = z_bswap; \ ++ z_bswap = a[19]; \ ++ a[19] = a[28]; \ ++ a[28] = z_bswap; \ ++ z_bswap = a[20]; \ ++ a[20] = a[27]; \ ++ a[27] = z_bswap; \ ++ z_bswap = a[21]; \ ++ a[21] = a[26]; \ ++ a[26] = z_bswap; \ ++ z_bswap = a[22]; \ ++ a[22] = a[25]; \ ++ a[25] = z_bswap; \ ++ z_bswap = a[23]; \ ++ a[23] = a[24]; \ ++ a[24] = z_bswap; \ ++ } while (0) ++ ++static mp_err ++point_mul_g_secp384r1(const mp_int *n, mp_int *out_x, ++ mp_int *out_y, const ECGroup *group) ++{ ++ unsigned char b_x[48]; ++ unsigned char b_y[48]; ++ unsigned char b_n[48]; ++ mp_err res; ++ ++ ARGCHK(n != NULL && out_x != NULL && out_y != NULL, MP_BADARG); ++ ++ /* fail on out of range scalars */ ++ if (mpl_significant_bits(n) > 384 || mp_cmp_z(n) != 1) ++ return MP_RANGE; ++ ++ MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 48)); ++ MP_BE2LE(b_n); ++ point_mul_g(b_x, b_y, b_n); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); ++ MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); ++ ++CLEANUP: ++ return res; ++} ++ ++static mp_err ++point_mul_secp384r1(const mp_int *n, const mp_int *in_x, ++ const mp_int *in_y, mp_int *out_x, ++ mp_int *out_y, const ECGroup *group) ++{ ++ unsigned char b_x[48]; ++ unsigned char b_y[48]; ++ unsigned char b_n[48]; ++ mp_err res; ++ ++ ARGCHK(n != NULL && in_x != NULL && in_y != NULL && out_x != NULL && ++ out_y != NULL, ++ MP_BADARG); ++ ++ /* fail on out of range scalars */ ++ if (mpl_significant_bits(n) > 384 || mp_cmp_z(n) != 1) ++ return MP_RANGE; ++ ++ MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 48)); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_BE2LE(b_n); ++ point_mul(b_x, b_y, b_n, b_x, b_y); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); ++ MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); ++ ++CLEANUP: ++ return res; ++} ++ ++static mp_err ++point_mul_two_secp384r1(const mp_int *n1, const mp_int *n2, ++ const mp_int *in_x, const mp_int *in_y, ++ mp_int *out_x, mp_int *out_y, ++ const ECGroup *group) ++{ ++ unsigned char b_x[48]; ++ unsigned char b_y[48]; ++ unsigned char b_n1[48]; ++ unsigned char b_n2[48]; ++ mp_err res; ++ ++ /* If n2 == NULL, this is just a base-point multiplication. */ ++ if (n2 == NULL) ++ return point_mul_g_secp384r1(n1, out_x, out_y, group); ++ ++ /* If n1 == NULL, this is just an arbitary-point multiplication. */ ++ if (n1 == NULL) ++ return point_mul_secp384r1(n2, in_x, in_y, out_x, out_y, group); ++ ++ ARGCHK(in_x != NULL && in_y != NULL && out_x != NULL && out_y != NULL, ++ MP_BADARG); ++ ++ /* fail on out of range scalars */ ++ if (mpl_significant_bits(n1) > 384 || mp_cmp_z(n1) != 1 || ++ mpl_significant_bits(n2) > 384 || mp_cmp_z(n2) != 1) ++ return MP_RANGE; ++ ++ MP_CHECKOK(mp_to_fixlen_octets(n1, b_n1, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(n2, b_n2, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 48)); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_BE2LE(b_n1); ++ MP_BE2LE(b_n2); ++ point_mul_two(b_x, b_y, b_n1, b_n2, b_x, b_y); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); ++ MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); ++ ++CLEANUP: ++ return res; ++} ++ ++mp_err ++ec_group_set_secp384r1(ECGroup *group, ECCurveName name) ++{ ++ if (name == ECCurve_NIST_P384) { ++ group->base_point_mul = &point_mul_g_secp384r1; ++ group->point_mul = &point_mul_secp384r1; ++ group->points_mul = &point_mul_two_secp384r1; ++ } ++ return MP_OKAY; ++} ++ ++#else /* __SIZEOF_INT128__ */ ++ ++#include <stdint.h> ++#include <string.h> ++#define LIMB_BITS 32 ++#define LIMB_CNT 12 ++/* Field elements */ ++typedef uint32_t fe_t[LIMB_CNT]; ++typedef uint32_t limb_t; ++ ++#define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) ++#define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) ++ ++/* Projective points */ ++typedef struct { ++ fe_t X; ++ fe_t Y; ++ fe_t Z; ++} pt_prj_t; ++ ++/* Affine points */ ++typedef struct { ++ fe_t X; ++ fe_t Y; ++} pt_aff_t; ++ ++/* BEGIN verbatim fiat code https://github.com/mit-plv/fiat-crypto */ ++/*- ++ * MIT License ++ * ++ * Copyright (c) 2020 the fiat-crypto authors (see the AUTHORS file) ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++/* Autogenerated: word_by_word_montgomery --static secp384r1 32 '2^384 - 2^128 - 2^96 + 2^32 - 1' */ ++/* curve description: secp384r1 */ ++/* machine_wordsize = 32 (from "32") */ ++/* requested operations: (all) */ ++/* m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") */ ++/* */ ++/* NOTE: In addition to the bounds specified above each function, all */ ++/* functions synthesized for this Montgomery arithmetic require the */ ++/* input to be strictly less than the prime modulus (m), and also */ ++/* require the input to be in the unique saturated representation. */ ++/* All functions also ensure that these two properties are true of */ ++/* return values. */ ++/* */ ++/* Computed values: */ ++/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ ++/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ ++ ++#include <stdint.h> ++typedef unsigned char fiat_secp384r1_uint1; ++typedef signed char fiat_secp384r1_int1; ++ ++#if (-1 & 3) != 3 ++#error "This code only works on a two's complement system" ++#endif ++ ++/* ++ * The function fiat_secp384r1_addcarryx_u32 is an addition with carry. ++ * Postconditions: ++ * out1 = (arg1 + arg2 + arg3) mod 2^32 ++ * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [0x0 ~> 0xffffffff] ++ * arg3: [0x0 ~> 0xffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffff] ++ * out2: [0x0 ~> 0x1] ++ */ ++static void ++fiat_secp384r1_addcarryx_u32(uint32_t *out1, ++ fiat_secp384r1_uint1 *out2, ++ fiat_secp384r1_uint1 arg1, ++ uint32_t arg2, uint32_t arg3) ++{ ++ uint64_t x1; ++ uint32_t x2; ++ fiat_secp384r1_uint1 x3; ++ x1 = ((arg1 + (uint64_t)arg2) + arg3); ++ x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); ++ x3 = (fiat_secp384r1_uint1)(x1 >> 32); ++ *out1 = x2; ++ *out2 = x3; ++} ++ ++/* ++ * The function fiat_secp384r1_subborrowx_u32 is a subtraction with borrow. ++ * Postconditions: ++ * out1 = (-arg1 + arg2 + -arg3) mod 2^32 ++ * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [0x0 ~> 0xffffffff] ++ * arg3: [0x0 ~> 0xffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffff] ++ * out2: [0x0 ~> 0x1] ++ */ ++static void ++fiat_secp384r1_subborrowx_u32(uint32_t *out1, ++ fiat_secp384r1_uint1 *out2, ++ fiat_secp384r1_uint1 arg1, ++ uint32_t arg2, uint32_t arg3) ++{ ++ int64_t x1; ++ fiat_secp384r1_int1 x2; ++ uint32_t x3; ++ x1 = ((arg2 - (int64_t)arg1) - arg3); ++ x2 = (fiat_secp384r1_int1)(x1 >> 32); ++ x3 = (uint32_t)(x1 & UINT32_C(0xffffffff)); ++ *out1 = x3; ++ *out2 = (fiat_secp384r1_uint1)(0x0 - x2); ++} ++ ++/* ++ * The function fiat_secp384r1_mulx_u32 is a multiplication, returning the full double-width result. ++ * Postconditions: ++ * out1 = (arg1 * arg2) mod 2^32 ++ * out2 = ⌊arg1 * arg2 / 2^32⌋ ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0xffffffff] ++ * arg2: [0x0 ~> 0xffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffff] ++ * out2: [0x0 ~> 0xffffffff] ++ */ ++static void ++fiat_secp384r1_mulx_u32(uint32_t *out1, uint32_t *out2, ++ uint32_t arg1, uint32_t arg2) ++{ ++ uint64_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ x1 = ((uint64_t)arg1 * arg2); ++ x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); ++ x3 = (uint32_t)(x1 >> 32); ++ *out1 = x2; ++ *out2 = x3; ++} ++ ++/* ++ * The function fiat_secp384r1_cmovznz_u32 is a single-word conditional move. ++ * Postconditions: ++ * out1 = (if arg1 = 0 then arg2 else arg3) ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [0x0 ~> 0xffffffff] ++ * arg3: [0x0 ~> 0xffffffff] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffff] ++ */ ++static void ++fiat_secp384r1_cmovznz_u32(uint32_t *out1, ++ fiat_secp384r1_uint1 arg1, uint32_t arg2, ++ uint32_t arg3) ++{ ++ fiat_secp384r1_uint1 x1; ++ uint32_t x2; ++ uint32_t x3; ++ x1 = (!(!arg1)); ++ x2 = ((fiat_secp384r1_int1)(0x0 - x1) & UINT32_C(0xffffffff)); ++ x3 = ((x2 & arg3) | ((~x2) & arg2)); ++ *out1 = x3; ++} ++ ++/* ++ * The function fiat_secp384r1_mul multiplies two field elements in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * 0 ≤ eval arg2 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_mul(uint32_t out1[12], const uint32_t arg1[12], ++ const uint32_t arg2[12]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint32_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint32_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint32_t x12; ++ uint32_t x13; ++ uint32_t x14; ++ uint32_t x15; ++ uint32_t x16; ++ uint32_t x17; ++ uint32_t x18; ++ uint32_t x19; ++ uint32_t x20; ++ uint32_t x21; ++ uint32_t x22; ++ uint32_t x23; ++ uint32_t x24; ++ uint32_t x25; ++ uint32_t x26; ++ uint32_t x27; ++ uint32_t x28; ++ uint32_t x29; ++ uint32_t x30; ++ uint32_t x31; ++ uint32_t x32; ++ uint32_t x33; ++ uint32_t x34; ++ uint32_t x35; ++ uint32_t x36; ++ uint32_t x37; ++ fiat_secp384r1_uint1 x38; ++ uint32_t x39; ++ fiat_secp384r1_uint1 x40; ++ uint32_t x41; ++ fiat_secp384r1_uint1 x42; ++ uint32_t x43; ++ fiat_secp384r1_uint1 x44; ++ uint32_t x45; ++ fiat_secp384r1_uint1 x46; ++ uint32_t x47; ++ fiat_secp384r1_uint1 x48; ++ uint32_t x49; ++ fiat_secp384r1_uint1 x50; ++ uint32_t x51; ++ fiat_secp384r1_uint1 x52; ++ uint32_t x53; ++ fiat_secp384r1_uint1 x54; ++ uint32_t x55; ++ fiat_secp384r1_uint1 x56; ++ uint32_t x57; ++ fiat_secp384r1_uint1 x58; ++ uint32_t x59; ++ uint32_t x60; ++ uint32_t x61; ++ uint32_t x62; ++ uint32_t x63; ++ uint32_t x64; ++ uint32_t x65; ++ uint32_t x66; ++ uint32_t x67; ++ uint32_t x68; ++ uint32_t x69; ++ uint32_t x70; ++ uint32_t x71; ++ uint32_t x72; ++ uint32_t x73; ++ uint32_t x74; ++ uint32_t x75; ++ uint32_t x76; ++ uint32_t x77; ++ uint32_t x78; ++ uint32_t x79; ++ uint32_t x80; ++ fiat_secp384r1_uint1 x81; ++ uint32_t x82; ++ fiat_secp384r1_uint1 x83; ++ uint32_t x84; ++ fiat_secp384r1_uint1 x85; ++ uint32_t x86; ++ fiat_secp384r1_uint1 x87; ++ uint32_t x88; ++ fiat_secp384r1_uint1 x89; ++ uint32_t x90; ++ fiat_secp384r1_uint1 x91; ++ uint32_t x92; ++ fiat_secp384r1_uint1 x93; ++ uint32_t x94; ++ fiat_secp384r1_uint1 x95; ++ uint32_t x96; ++ uint32_t x97; ++ fiat_secp384r1_uint1 x98; ++ uint32_t x99; ++ fiat_secp384r1_uint1 x100; ++ uint32_t x101; ++ fiat_secp384r1_uint1 x102; ++ uint32_t x103; ++ fiat_secp384r1_uint1 x104; ++ uint32_t x105; ++ fiat_secp384r1_uint1 x106; ++ uint32_t x107; ++ fiat_secp384r1_uint1 x108; ++ uint32_t x109; ++ fiat_secp384r1_uint1 x110; ++ uint32_t x111; ++ fiat_secp384r1_uint1 x112; ++ uint32_t x113; ++ fiat_secp384r1_uint1 x114; ++ uint32_t x115; ++ fiat_secp384r1_uint1 x116; ++ uint32_t x117; ++ fiat_secp384r1_uint1 x118; ++ uint32_t x119; ++ fiat_secp384r1_uint1 x120; ++ uint32_t x121; ++ fiat_secp384r1_uint1 x122; ++ uint32_t x123; ++ uint32_t x124; ++ uint32_t x125; ++ uint32_t x126; ++ uint32_t x127; ++ uint32_t x128; ++ uint32_t x129; ++ uint32_t x130; ++ uint32_t x131; ++ uint32_t x132; ++ uint32_t x133; ++ uint32_t x134; ++ uint32_t x135; ++ uint32_t x136; ++ uint32_t x137; ++ uint32_t x138; ++ uint32_t x139; ++ uint32_t x140; ++ uint32_t x141; ++ uint32_t x142; ++ uint32_t x143; ++ uint32_t x144; ++ uint32_t x145; ++ uint32_t x146; ++ uint32_t x147; ++ fiat_secp384r1_uint1 x148; ++ uint32_t x149; ++ fiat_secp384r1_uint1 x150; ++ uint32_t x151; ++ fiat_secp384r1_uint1 x152; ++ uint32_t x153; ++ fiat_secp384r1_uint1 x154; ++ uint32_t x155; ++ fiat_secp384r1_uint1 x156; ++ uint32_t x157; ++ fiat_secp384r1_uint1 x158; ++ uint32_t x159; ++ fiat_secp384r1_uint1 x160; ++ uint32_t x161; ++ fiat_secp384r1_uint1 x162; ++ uint32_t x163; ++ fiat_secp384r1_uint1 x164; ++ uint32_t x165; ++ fiat_secp384r1_uint1 x166; ++ uint32_t x167; ++ fiat_secp384r1_uint1 x168; ++ uint32_t x169; ++ uint32_t x170; ++ fiat_secp384r1_uint1 x171; ++ uint32_t x172; ++ fiat_secp384r1_uint1 x173; ++ uint32_t x174; ++ fiat_secp384r1_uint1 x175; ++ uint32_t x176; ++ fiat_secp384r1_uint1 x177; ++ uint32_t x178; ++ fiat_secp384r1_uint1 x179; ++ uint32_t x180; ++ fiat_secp384r1_uint1 x181; ++ uint32_t x182; ++ fiat_secp384r1_uint1 x183; ++ uint32_t x184; ++ fiat_secp384r1_uint1 x185; ++ uint32_t x186; ++ fiat_secp384r1_uint1 x187; ++ uint32_t x188; ++ fiat_secp384r1_uint1 x189; ++ uint32_t x190; ++ fiat_secp384r1_uint1 x191; ++ uint32_t x192; ++ fiat_secp384r1_uint1 x193; ++ uint32_t x194; ++ fiat_secp384r1_uint1 x195; ++ uint32_t x196; ++ uint32_t x197; ++ uint32_t x198; ++ uint32_t x199; ++ uint32_t x200; ++ uint32_t x201; ++ uint32_t x202; ++ uint32_t x203; ++ uint32_t x204; ++ uint32_t x205; ++ uint32_t x206; ++ uint32_t x207; ++ uint32_t x208; ++ uint32_t x209; ++ uint32_t x210; ++ uint32_t x211; ++ uint32_t x212; ++ uint32_t x213; ++ uint32_t x214; ++ uint32_t x215; ++ uint32_t x216; ++ fiat_secp384r1_uint1 x217; ++ uint32_t x218; ++ fiat_secp384r1_uint1 x219; ++ uint32_t x220; ++ fiat_secp384r1_uint1 x221; ++ uint32_t x222; ++ fiat_secp384r1_uint1 x223; ++ uint32_t x224; ++ fiat_secp384r1_uint1 x225; ++ uint32_t x226; ++ fiat_secp384r1_uint1 x227; ++ uint32_t x228; ++ fiat_secp384r1_uint1 x229; ++ uint32_t x230; ++ fiat_secp384r1_uint1 x231; ++ uint32_t x232; ++ uint32_t x233; ++ fiat_secp384r1_uint1 x234; ++ uint32_t x235; ++ fiat_secp384r1_uint1 x236; ++ uint32_t x237; ++ fiat_secp384r1_uint1 x238; ++ uint32_t x239; ++ fiat_secp384r1_uint1 x240; ++ uint32_t x241; ++ fiat_secp384r1_uint1 x242; ++ uint32_t x243; ++ fiat_secp384r1_uint1 x244; ++ uint32_t x245; ++ fiat_secp384r1_uint1 x246; ++ uint32_t x247; ++ fiat_secp384r1_uint1 x248; ++ uint32_t x249; ++ fiat_secp384r1_uint1 x250; ++ uint32_t x251; ++ fiat_secp384r1_uint1 x252; ++ uint32_t x253; ++ fiat_secp384r1_uint1 x254; ++ uint32_t x255; ++ fiat_secp384r1_uint1 x256; ++ uint32_t x257; ++ fiat_secp384r1_uint1 x258; ++ uint32_t x259; ++ uint32_t x260; ++ uint32_t x261; ++ uint32_t x262; ++ uint32_t x263; ++ uint32_t x264; ++ uint32_t x265; ++ uint32_t x266; ++ uint32_t x267; ++ uint32_t x268; ++ uint32_t x269; ++ uint32_t x270; ++ uint32_t x271; ++ uint32_t x272; ++ uint32_t x273; ++ uint32_t x274; ++ uint32_t x275; ++ uint32_t x276; ++ uint32_t x277; ++ uint32_t x278; ++ uint32_t x279; ++ uint32_t x280; ++ uint32_t x281; ++ uint32_t x282; ++ uint32_t x283; ++ uint32_t x284; ++ fiat_secp384r1_uint1 x285; ++ uint32_t x286; ++ fiat_secp384r1_uint1 x287; ++ uint32_t x288; ++ fiat_secp384r1_uint1 x289; ++ uint32_t x290; ++ fiat_secp384r1_uint1 x291; ++ uint32_t x292; ++ fiat_secp384r1_uint1 x293; ++ uint32_t x294; ++ fiat_secp384r1_uint1 x295; ++ uint32_t x296; ++ fiat_secp384r1_uint1 x297; ++ uint32_t x298; ++ fiat_secp384r1_uint1 x299; ++ uint32_t x300; ++ fiat_secp384r1_uint1 x301; ++ uint32_t x302; ++ fiat_secp384r1_uint1 x303; ++ uint32_t x304; ++ fiat_secp384r1_uint1 x305; ++ uint32_t x306; ++ uint32_t x307; ++ fiat_secp384r1_uint1 x308; ++ uint32_t x309; ++ fiat_secp384r1_uint1 x310; ++ uint32_t x311; ++ fiat_secp384r1_uint1 x312; ++ uint32_t x313; ++ fiat_secp384r1_uint1 x314; ++ uint32_t x315; ++ fiat_secp384r1_uint1 x316; ++ uint32_t x317; ++ fiat_secp384r1_uint1 x318; ++ uint32_t x319; ++ fiat_secp384r1_uint1 x320; ++ uint32_t x321; ++ fiat_secp384r1_uint1 x322; ++ uint32_t x323; ++ fiat_secp384r1_uint1 x324; ++ uint32_t x325; ++ fiat_secp384r1_uint1 x326; ++ uint32_t x327; ++ fiat_secp384r1_uint1 x328; ++ uint32_t x329; ++ fiat_secp384r1_uint1 x330; ++ uint32_t x331; ++ fiat_secp384r1_uint1 x332; ++ uint32_t x333; ++ uint32_t x334; ++ uint32_t x335; ++ uint32_t x336; ++ uint32_t x337; ++ uint32_t x338; ++ uint32_t x339; ++ uint32_t x340; ++ uint32_t x341; ++ uint32_t x342; ++ uint32_t x343; ++ uint32_t x344; ++ uint32_t x345; ++ uint32_t x346; ++ uint32_t x347; ++ uint32_t x348; ++ uint32_t x349; ++ uint32_t x350; ++ uint32_t x351; ++ uint32_t x352; ++ uint32_t x353; ++ fiat_secp384r1_uint1 x354; ++ uint32_t x355; ++ fiat_secp384r1_uint1 x356; ++ uint32_t x357; ++ fiat_secp384r1_uint1 x358; ++ uint32_t x359; ++ fiat_secp384r1_uint1 x360; ++ uint32_t x361; ++ fiat_secp384r1_uint1 x362; ++ uint32_t x363; ++ fiat_secp384r1_uint1 x364; ++ uint32_t x365; ++ fiat_secp384r1_uint1 x366; ++ uint32_t x367; ++ fiat_secp384r1_uint1 x368; ++ uint32_t x369; ++ uint32_t x370; ++ fiat_secp384r1_uint1 x371; ++ uint32_t x372; ++ fiat_secp384r1_uint1 x373; ++ uint32_t x374; ++ fiat_secp384r1_uint1 x375; ++ uint32_t x376; ++ fiat_secp384r1_uint1 x377; ++ uint32_t x378; ++ fiat_secp384r1_uint1 x379; ++ uint32_t x380; ++ fiat_secp384r1_uint1 x381; ++ uint32_t x382; ++ fiat_secp384r1_uint1 x383; ++ uint32_t x384; ++ fiat_secp384r1_uint1 x385; ++ uint32_t x386; ++ fiat_secp384r1_uint1 x387; ++ uint32_t x388; ++ fiat_secp384r1_uint1 x389; ++ uint32_t x390; ++ fiat_secp384r1_uint1 x391; ++ uint32_t x392; ++ fiat_secp384r1_uint1 x393; ++ uint32_t x394; ++ fiat_secp384r1_uint1 x395; ++ uint32_t x396; ++ uint32_t x397; ++ uint32_t x398; ++ uint32_t x399; ++ uint32_t x400; ++ uint32_t x401; ++ uint32_t x402; ++ uint32_t x403; ++ uint32_t x404; ++ uint32_t x405; ++ uint32_t x406; ++ uint32_t x407; ++ uint32_t x408; ++ uint32_t x409; ++ uint32_t x410; ++ uint32_t x411; ++ uint32_t x412; ++ uint32_t x413; ++ uint32_t x414; ++ uint32_t x415; ++ uint32_t x416; ++ uint32_t x417; ++ uint32_t x418; ++ uint32_t x419; ++ uint32_t x420; ++ uint32_t x421; ++ fiat_secp384r1_uint1 x422; ++ uint32_t x423; ++ fiat_secp384r1_uint1 x424; ++ uint32_t x425; ++ fiat_secp384r1_uint1 x426; ++ uint32_t x427; ++ fiat_secp384r1_uint1 x428; ++ uint32_t x429; ++ fiat_secp384r1_uint1 x430; ++ uint32_t x431; ++ fiat_secp384r1_uint1 x432; ++ uint32_t x433; ++ fiat_secp384r1_uint1 x434; ++ uint32_t x435; ++ fiat_secp384r1_uint1 x436; ++ uint32_t x437; ++ fiat_secp384r1_uint1 x438; ++ uint32_t x439; ++ fiat_secp384r1_uint1 x440; ++ uint32_t x441; ++ fiat_secp384r1_uint1 x442; ++ uint32_t x443; ++ uint32_t x444; ++ fiat_secp384r1_uint1 x445; ++ uint32_t x446; ++ fiat_secp384r1_uint1 x447; ++ uint32_t x448; ++ fiat_secp384r1_uint1 x449; ++ uint32_t x450; ++ fiat_secp384r1_uint1 x451; ++ uint32_t x452; ++ fiat_secp384r1_uint1 x453; ++ uint32_t x454; ++ fiat_secp384r1_uint1 x455; ++ uint32_t x456; ++ fiat_secp384r1_uint1 x457; ++ uint32_t x458; ++ fiat_secp384r1_uint1 x459; ++ uint32_t x460; ++ fiat_secp384r1_uint1 x461; ++ uint32_t x462; ++ fiat_secp384r1_uint1 x463; ++ uint32_t x464; ++ fiat_secp384r1_uint1 x465; ++ uint32_t x466; ++ fiat_secp384r1_uint1 x467; ++ uint32_t x468; ++ fiat_secp384r1_uint1 x469; ++ uint32_t x470; ++ uint32_t x471; ++ uint32_t x472; ++ uint32_t x473; ++ uint32_t x474; ++ uint32_t x475; ++ uint32_t x476; ++ uint32_t x477; ++ uint32_t x478; ++ uint32_t x479; ++ uint32_t x480; ++ uint32_t x481; ++ uint32_t x482; ++ uint32_t x483; ++ uint32_t x484; ++ uint32_t x485; ++ uint32_t x486; ++ uint32_t x487; ++ uint32_t x488; ++ uint32_t x489; ++ uint32_t x490; ++ fiat_secp384r1_uint1 x491; ++ uint32_t x492; ++ fiat_secp384r1_uint1 x493; ++ uint32_t x494; ++ fiat_secp384r1_uint1 x495; ++ uint32_t x496; ++ fiat_secp384r1_uint1 x497; ++ uint32_t x498; ++ fiat_secp384r1_uint1 x499; ++ uint32_t x500; ++ fiat_secp384r1_uint1 x501; ++ uint32_t x502; ++ fiat_secp384r1_uint1 x503; ++ uint32_t x504; ++ fiat_secp384r1_uint1 x505; ++ uint32_t x506; ++ uint32_t x507; ++ fiat_secp384r1_uint1 x508; ++ uint32_t x509; ++ fiat_secp384r1_uint1 x510; ++ uint32_t x511; ++ fiat_secp384r1_uint1 x512; ++ uint32_t x513; ++ fiat_secp384r1_uint1 x514; ++ uint32_t x515; ++ fiat_secp384r1_uint1 x516; ++ uint32_t x517; ++ fiat_secp384r1_uint1 x518; ++ uint32_t x519; ++ fiat_secp384r1_uint1 x520; ++ uint32_t x521; ++ fiat_secp384r1_uint1 x522; ++ uint32_t x523; ++ fiat_secp384r1_uint1 x524; ++ uint32_t x525; ++ fiat_secp384r1_uint1 x526; ++ uint32_t x527; ++ fiat_secp384r1_uint1 x528; ++ uint32_t x529; ++ fiat_secp384r1_uint1 x530; ++ uint32_t x531; ++ fiat_secp384r1_uint1 x532; ++ uint32_t x533; ++ uint32_t x534; ++ uint32_t x535; ++ uint32_t x536; ++ uint32_t x537; ++ uint32_t x538; ++ uint32_t x539; ++ uint32_t x540; ++ uint32_t x541; ++ uint32_t x542; ++ uint32_t x543; ++ uint32_t x544; ++ uint32_t x545; ++ uint32_t x546; ++ uint32_t x547; ++ uint32_t x548; ++ uint32_t x549; ++ uint32_t x550; ++ uint32_t x551; ++ uint32_t x552; ++ uint32_t x553; ++ uint32_t x554; ++ uint32_t x555; ++ uint32_t x556; ++ uint32_t x557; ++ uint32_t x558; ++ fiat_secp384r1_uint1 x559; ++ uint32_t x560; ++ fiat_secp384r1_uint1 x561; ++ uint32_t x562; ++ fiat_secp384r1_uint1 x563; ++ uint32_t x564; ++ fiat_secp384r1_uint1 x565; ++ uint32_t x566; ++ fiat_secp384r1_uint1 x567; ++ uint32_t x568; ++ fiat_secp384r1_uint1 x569; ++ uint32_t x570; ++ fiat_secp384r1_uint1 x571; ++ uint32_t x572; ++ fiat_secp384r1_uint1 x573; ++ uint32_t x574; ++ fiat_secp384r1_uint1 x575; ++ uint32_t x576; ++ fiat_secp384r1_uint1 x577; ++ uint32_t x578; ++ fiat_secp384r1_uint1 x579; ++ uint32_t x580; ++ uint32_t x581; ++ fiat_secp384r1_uint1 x582; ++ uint32_t x583; ++ fiat_secp384r1_uint1 x584; ++ uint32_t x585; ++ fiat_secp384r1_uint1 x586; ++ uint32_t x587; ++ fiat_secp384r1_uint1 x588; ++ uint32_t x589; ++ fiat_secp384r1_uint1 x590; ++ uint32_t x591; ++ fiat_secp384r1_uint1 x592; ++ uint32_t x593; ++ fiat_secp384r1_uint1 x594; ++ uint32_t x595; ++ fiat_secp384r1_uint1 x596; ++ uint32_t x597; ++ fiat_secp384r1_uint1 x598; ++ uint32_t x599; ++ fiat_secp384r1_uint1 x600; ++ uint32_t x601; ++ fiat_secp384r1_uint1 x602; ++ uint32_t x603; ++ fiat_secp384r1_uint1 x604; ++ uint32_t x605; ++ fiat_secp384r1_uint1 x606; ++ uint32_t x607; ++ uint32_t x608; ++ uint32_t x609; ++ uint32_t x610; ++ uint32_t x611; ++ uint32_t x612; ++ uint32_t x613; ++ uint32_t x614; ++ uint32_t x615; ++ uint32_t x616; ++ uint32_t x617; ++ uint32_t x618; ++ uint32_t x619; ++ uint32_t x620; ++ uint32_t x621; ++ uint32_t x622; ++ uint32_t x623; ++ uint32_t x624; ++ uint32_t x625; ++ uint32_t x626; ++ uint32_t x627; ++ fiat_secp384r1_uint1 x628; ++ uint32_t x629; ++ fiat_secp384r1_uint1 x630; ++ uint32_t x631; ++ fiat_secp384r1_uint1 x632; ++ uint32_t x633; ++ fiat_secp384r1_uint1 x634; ++ uint32_t x635; ++ fiat_secp384r1_uint1 x636; ++ uint32_t x637; ++ fiat_secp384r1_uint1 x638; ++ uint32_t x639; ++ fiat_secp384r1_uint1 x640; ++ uint32_t x641; ++ fiat_secp384r1_uint1 x642; ++ uint32_t x643; ++ uint32_t x644; ++ fiat_secp384r1_uint1 x645; ++ uint32_t x646; ++ fiat_secp384r1_uint1 x647; ++ uint32_t x648; ++ fiat_secp384r1_uint1 x649; ++ uint32_t x650; ++ fiat_secp384r1_uint1 x651; ++ uint32_t x652; ++ fiat_secp384r1_uint1 x653; ++ uint32_t x654; ++ fiat_secp384r1_uint1 x655; ++ uint32_t x656; ++ fiat_secp384r1_uint1 x657; ++ uint32_t x658; ++ fiat_secp384r1_uint1 x659; ++ uint32_t x660; ++ fiat_secp384r1_uint1 x661; ++ uint32_t x662; ++ fiat_secp384r1_uint1 x663; ++ uint32_t x664; ++ fiat_secp384r1_uint1 x665; ++ uint32_t x666; ++ fiat_secp384r1_uint1 x667; ++ uint32_t x668; ++ fiat_secp384r1_uint1 x669; ++ uint32_t x670; ++ uint32_t x671; ++ uint32_t x672; ++ uint32_t x673; ++ uint32_t x674; ++ uint32_t x675; ++ uint32_t x676; ++ uint32_t x677; ++ uint32_t x678; ++ uint32_t x679; ++ uint32_t x680; ++ uint32_t x681; ++ uint32_t x682; ++ uint32_t x683; ++ uint32_t x684; ++ uint32_t x685; ++ uint32_t x686; ++ uint32_t x687; ++ uint32_t x688; ++ uint32_t x689; ++ uint32_t x690; ++ uint32_t x691; ++ uint32_t x692; ++ uint32_t x693; ++ uint32_t x694; ++ uint32_t x695; ++ fiat_secp384r1_uint1 x696; ++ uint32_t x697; ++ fiat_secp384r1_uint1 x698; ++ uint32_t x699; ++ fiat_secp384r1_uint1 x700; ++ uint32_t x701; ++ fiat_secp384r1_uint1 x702; ++ uint32_t x703; ++ fiat_secp384r1_uint1 x704; ++ uint32_t x705; ++ fiat_secp384r1_uint1 x706; ++ uint32_t x707; ++ fiat_secp384r1_uint1 x708; ++ uint32_t x709; ++ fiat_secp384r1_uint1 x710; ++ uint32_t x711; ++ fiat_secp384r1_uint1 x712; ++ uint32_t x713; ++ fiat_secp384r1_uint1 x714; ++ uint32_t x715; ++ fiat_secp384r1_uint1 x716; ++ uint32_t x717; ++ uint32_t x718; ++ fiat_secp384r1_uint1 x719; ++ uint32_t x720; ++ fiat_secp384r1_uint1 x721; ++ uint32_t x722; ++ fiat_secp384r1_uint1 x723; ++ uint32_t x724; ++ fiat_secp384r1_uint1 x725; ++ uint32_t x726; ++ fiat_secp384r1_uint1 x727; ++ uint32_t x728; ++ fiat_secp384r1_uint1 x729; ++ uint32_t x730; ++ fiat_secp384r1_uint1 x731; ++ uint32_t x732; ++ fiat_secp384r1_uint1 x733; ++ uint32_t x734; ++ fiat_secp384r1_uint1 x735; ++ uint32_t x736; ++ fiat_secp384r1_uint1 x737; ++ uint32_t x738; ++ fiat_secp384r1_uint1 x739; ++ uint32_t x740; ++ fiat_secp384r1_uint1 x741; ++ uint32_t x742; ++ fiat_secp384r1_uint1 x743; ++ uint32_t x744; ++ uint32_t x745; ++ uint32_t x746; ++ uint32_t x747; ++ uint32_t x748; ++ uint32_t x749; ++ uint32_t x750; ++ uint32_t x751; ++ uint32_t x752; ++ uint32_t x753; ++ uint32_t x754; ++ uint32_t x755; ++ uint32_t x756; ++ uint32_t x757; ++ uint32_t x758; ++ uint32_t x759; ++ uint32_t x760; ++ uint32_t x761; ++ uint32_t x762; ++ uint32_t x763; ++ uint32_t x764; ++ fiat_secp384r1_uint1 x765; ++ uint32_t x766; ++ fiat_secp384r1_uint1 x767; ++ uint32_t x768; ++ fiat_secp384r1_uint1 x769; ++ uint32_t x770; ++ fiat_secp384r1_uint1 x771; ++ uint32_t x772; ++ fiat_secp384r1_uint1 x773; ++ uint32_t x774; ++ fiat_secp384r1_uint1 x775; ++ uint32_t x776; ++ fiat_secp384r1_uint1 x777; ++ uint32_t x778; ++ fiat_secp384r1_uint1 x779; ++ uint32_t x780; ++ uint32_t x781; ++ fiat_secp384r1_uint1 x782; ++ uint32_t x783; ++ fiat_secp384r1_uint1 x784; ++ uint32_t x785; ++ fiat_secp384r1_uint1 x786; ++ uint32_t x787; ++ fiat_secp384r1_uint1 x788; ++ uint32_t x789; ++ fiat_secp384r1_uint1 x790; ++ uint32_t x791; ++ fiat_secp384r1_uint1 x792; ++ uint32_t x793; ++ fiat_secp384r1_uint1 x794; ++ uint32_t x795; ++ fiat_secp384r1_uint1 x796; ++ uint32_t x797; ++ fiat_secp384r1_uint1 x798; ++ uint32_t x799; ++ fiat_secp384r1_uint1 x800; ++ uint32_t x801; ++ fiat_secp384r1_uint1 x802; ++ uint32_t x803; ++ fiat_secp384r1_uint1 x804; ++ uint32_t x805; ++ fiat_secp384r1_uint1 x806; ++ uint32_t x807; ++ uint32_t x808; ++ uint32_t x809; ++ uint32_t x810; ++ uint32_t x811; ++ uint32_t x812; ++ uint32_t x813; ++ uint32_t x814; ++ uint32_t x815; ++ uint32_t x816; ++ uint32_t x817; ++ uint32_t x818; ++ uint32_t x819; ++ uint32_t x820; ++ uint32_t x821; ++ uint32_t x822; ++ uint32_t x823; ++ uint32_t x824; ++ uint32_t x825; ++ uint32_t x826; ++ uint32_t x827; ++ uint32_t x828; ++ uint32_t x829; ++ uint32_t x830; ++ uint32_t x831; ++ uint32_t x832; ++ fiat_secp384r1_uint1 x833; ++ uint32_t x834; ++ fiat_secp384r1_uint1 x835; ++ uint32_t x836; ++ fiat_secp384r1_uint1 x837; ++ uint32_t x838; ++ fiat_secp384r1_uint1 x839; ++ uint32_t x840; ++ fiat_secp384r1_uint1 x841; ++ uint32_t x842; ++ fiat_secp384r1_uint1 x843; ++ uint32_t x844; ++ fiat_secp384r1_uint1 x845; ++ uint32_t x846; ++ fiat_secp384r1_uint1 x847; ++ uint32_t x848; ++ fiat_secp384r1_uint1 x849; ++ uint32_t x850; ++ fiat_secp384r1_uint1 x851; ++ uint32_t x852; ++ fiat_secp384r1_uint1 x853; ++ uint32_t x854; ++ uint32_t x855; ++ fiat_secp384r1_uint1 x856; ++ uint32_t x857; ++ fiat_secp384r1_uint1 x858; ++ uint32_t x859; ++ fiat_secp384r1_uint1 x860; ++ uint32_t x861; ++ fiat_secp384r1_uint1 x862; ++ uint32_t x863; ++ fiat_secp384r1_uint1 x864; ++ uint32_t x865; ++ fiat_secp384r1_uint1 x866; ++ uint32_t x867; ++ fiat_secp384r1_uint1 x868; ++ uint32_t x869; ++ fiat_secp384r1_uint1 x870; ++ uint32_t x871; ++ fiat_secp384r1_uint1 x872; ++ uint32_t x873; ++ fiat_secp384r1_uint1 x874; ++ uint32_t x875; ++ fiat_secp384r1_uint1 x876; ++ uint32_t x877; ++ fiat_secp384r1_uint1 x878; ++ uint32_t x879; ++ fiat_secp384r1_uint1 x880; ++ uint32_t x881; ++ uint32_t x882; ++ uint32_t x883; ++ uint32_t x884; ++ uint32_t x885; ++ uint32_t x886; ++ uint32_t x887; ++ uint32_t x888; ++ uint32_t x889; ++ uint32_t x890; ++ uint32_t x891; ++ uint32_t x892; ++ uint32_t x893; ++ uint32_t x894; ++ uint32_t x895; ++ uint32_t x896; ++ uint32_t x897; ++ uint32_t x898; ++ uint32_t x899; ++ uint32_t x900; ++ uint32_t x901; ++ fiat_secp384r1_uint1 x902; ++ uint32_t x903; ++ fiat_secp384r1_uint1 x904; ++ uint32_t x905; ++ fiat_secp384r1_uint1 x906; ++ uint32_t x907; ++ fiat_secp384r1_uint1 x908; ++ uint32_t x909; ++ fiat_secp384r1_uint1 x910; ++ uint32_t x911; ++ fiat_secp384r1_uint1 x912; ++ uint32_t x913; ++ fiat_secp384r1_uint1 x914; ++ uint32_t x915; ++ fiat_secp384r1_uint1 x916; ++ uint32_t x917; ++ uint32_t x918; ++ fiat_secp384r1_uint1 x919; ++ uint32_t x920; ++ fiat_secp384r1_uint1 x921; ++ uint32_t x922; ++ fiat_secp384r1_uint1 x923; ++ uint32_t x924; ++ fiat_secp384r1_uint1 x925; ++ uint32_t x926; ++ fiat_secp384r1_uint1 x927; ++ uint32_t x928; ++ fiat_secp384r1_uint1 x929; ++ uint32_t x930; ++ fiat_secp384r1_uint1 x931; ++ uint32_t x932; ++ fiat_secp384r1_uint1 x933; ++ uint32_t x934; ++ fiat_secp384r1_uint1 x935; ++ uint32_t x936; ++ fiat_secp384r1_uint1 x937; ++ uint32_t x938; ++ fiat_secp384r1_uint1 x939; ++ uint32_t x940; ++ fiat_secp384r1_uint1 x941; ++ uint32_t x942; ++ fiat_secp384r1_uint1 x943; ++ uint32_t x944; ++ uint32_t x945; ++ uint32_t x946; ++ uint32_t x947; ++ uint32_t x948; ++ uint32_t x949; ++ uint32_t x950; ++ uint32_t x951; ++ uint32_t x952; ++ uint32_t x953; ++ uint32_t x954; ++ uint32_t x955; ++ uint32_t x956; ++ uint32_t x957; ++ uint32_t x958; ++ uint32_t x959; ++ uint32_t x960; ++ uint32_t x961; ++ uint32_t x962; ++ uint32_t x963; ++ uint32_t x964; ++ uint32_t x965; ++ uint32_t x966; ++ uint32_t x967; ++ uint32_t x968; ++ uint32_t x969; ++ fiat_secp384r1_uint1 x970; ++ uint32_t x971; ++ fiat_secp384r1_uint1 x972; ++ uint32_t x973; ++ fiat_secp384r1_uint1 x974; ++ uint32_t x975; ++ fiat_secp384r1_uint1 x976; ++ uint32_t x977; ++ fiat_secp384r1_uint1 x978; ++ uint32_t x979; ++ fiat_secp384r1_uint1 x980; ++ uint32_t x981; ++ fiat_secp384r1_uint1 x982; ++ uint32_t x983; ++ fiat_secp384r1_uint1 x984; ++ uint32_t x985; ++ fiat_secp384r1_uint1 x986; ++ uint32_t x987; ++ fiat_secp384r1_uint1 x988; ++ uint32_t x989; ++ fiat_secp384r1_uint1 x990; ++ uint32_t x991; ++ uint32_t x992; ++ fiat_secp384r1_uint1 x993; ++ uint32_t x994; ++ fiat_secp384r1_uint1 x995; ++ uint32_t x996; ++ fiat_secp384r1_uint1 x997; ++ uint32_t x998; ++ fiat_secp384r1_uint1 x999; ++ uint32_t x1000; ++ fiat_secp384r1_uint1 x1001; ++ uint32_t x1002; ++ fiat_secp384r1_uint1 x1003; ++ uint32_t x1004; ++ fiat_secp384r1_uint1 x1005; ++ uint32_t x1006; ++ fiat_secp384r1_uint1 x1007; ++ uint32_t x1008; ++ fiat_secp384r1_uint1 x1009; ++ uint32_t x1010; ++ fiat_secp384r1_uint1 x1011; ++ uint32_t x1012; ++ fiat_secp384r1_uint1 x1013; ++ uint32_t x1014; ++ fiat_secp384r1_uint1 x1015; ++ uint32_t x1016; ++ fiat_secp384r1_uint1 x1017; ++ uint32_t x1018; ++ uint32_t x1019; ++ uint32_t x1020; ++ uint32_t x1021; ++ uint32_t x1022; ++ uint32_t x1023; ++ uint32_t x1024; ++ uint32_t x1025; ++ uint32_t x1026; ++ uint32_t x1027; ++ uint32_t x1028; ++ uint32_t x1029; ++ uint32_t x1030; ++ uint32_t x1031; ++ uint32_t x1032; ++ uint32_t x1033; ++ uint32_t x1034; ++ uint32_t x1035; ++ uint32_t x1036; ++ uint32_t x1037; ++ uint32_t x1038; ++ fiat_secp384r1_uint1 x1039; ++ uint32_t x1040; ++ fiat_secp384r1_uint1 x1041; ++ uint32_t x1042; ++ fiat_secp384r1_uint1 x1043; ++ uint32_t x1044; ++ fiat_secp384r1_uint1 x1045; ++ uint32_t x1046; ++ fiat_secp384r1_uint1 x1047; ++ uint32_t x1048; ++ fiat_secp384r1_uint1 x1049; ++ uint32_t x1050; ++ fiat_secp384r1_uint1 x1051; ++ uint32_t x1052; ++ fiat_secp384r1_uint1 x1053; ++ uint32_t x1054; ++ uint32_t x1055; ++ fiat_secp384r1_uint1 x1056; ++ uint32_t x1057; ++ fiat_secp384r1_uint1 x1058; ++ uint32_t x1059; ++ fiat_secp384r1_uint1 x1060; ++ uint32_t x1061; ++ fiat_secp384r1_uint1 x1062; ++ uint32_t x1063; ++ fiat_secp384r1_uint1 x1064; ++ uint32_t x1065; ++ fiat_secp384r1_uint1 x1066; ++ uint32_t x1067; ++ fiat_secp384r1_uint1 x1068; ++ uint32_t x1069; ++ fiat_secp384r1_uint1 x1070; ++ uint32_t x1071; ++ fiat_secp384r1_uint1 x1072; ++ uint32_t x1073; ++ fiat_secp384r1_uint1 x1074; ++ uint32_t x1075; ++ fiat_secp384r1_uint1 x1076; ++ uint32_t x1077; ++ fiat_secp384r1_uint1 x1078; ++ uint32_t x1079; ++ fiat_secp384r1_uint1 x1080; ++ uint32_t x1081; ++ uint32_t x1082; ++ uint32_t x1083; ++ uint32_t x1084; ++ uint32_t x1085; ++ uint32_t x1086; ++ uint32_t x1087; ++ uint32_t x1088; ++ uint32_t x1089; ++ uint32_t x1090; ++ uint32_t x1091; ++ uint32_t x1092; ++ uint32_t x1093; ++ uint32_t x1094; ++ uint32_t x1095; ++ uint32_t x1096; ++ uint32_t x1097; ++ uint32_t x1098; ++ uint32_t x1099; ++ uint32_t x1100; ++ uint32_t x1101; ++ uint32_t x1102; ++ uint32_t x1103; ++ uint32_t x1104; ++ uint32_t x1105; ++ uint32_t x1106; ++ fiat_secp384r1_uint1 x1107; ++ uint32_t x1108; ++ fiat_secp384r1_uint1 x1109; ++ uint32_t x1110; ++ fiat_secp384r1_uint1 x1111; ++ uint32_t x1112; ++ fiat_secp384r1_uint1 x1113; ++ uint32_t x1114; ++ fiat_secp384r1_uint1 x1115; ++ uint32_t x1116; ++ fiat_secp384r1_uint1 x1117; ++ uint32_t x1118; ++ fiat_secp384r1_uint1 x1119; ++ uint32_t x1120; ++ fiat_secp384r1_uint1 x1121; ++ uint32_t x1122; ++ fiat_secp384r1_uint1 x1123; ++ uint32_t x1124; ++ fiat_secp384r1_uint1 x1125; ++ uint32_t x1126; ++ fiat_secp384r1_uint1 x1127; ++ uint32_t x1128; ++ uint32_t x1129; ++ fiat_secp384r1_uint1 x1130; ++ uint32_t x1131; ++ fiat_secp384r1_uint1 x1132; ++ uint32_t x1133; ++ fiat_secp384r1_uint1 x1134; ++ uint32_t x1135; ++ fiat_secp384r1_uint1 x1136; ++ uint32_t x1137; ++ fiat_secp384r1_uint1 x1138; ++ uint32_t x1139; ++ fiat_secp384r1_uint1 x1140; ++ uint32_t x1141; ++ fiat_secp384r1_uint1 x1142; ++ uint32_t x1143; ++ fiat_secp384r1_uint1 x1144; ++ uint32_t x1145; ++ fiat_secp384r1_uint1 x1146; ++ uint32_t x1147; ++ fiat_secp384r1_uint1 x1148; ++ uint32_t x1149; ++ fiat_secp384r1_uint1 x1150; ++ uint32_t x1151; ++ fiat_secp384r1_uint1 x1152; ++ uint32_t x1153; ++ fiat_secp384r1_uint1 x1154; ++ uint32_t x1155; ++ uint32_t x1156; ++ uint32_t x1157; ++ uint32_t x1158; ++ uint32_t x1159; ++ uint32_t x1160; ++ uint32_t x1161; ++ uint32_t x1162; ++ uint32_t x1163; ++ uint32_t x1164; ++ uint32_t x1165; ++ uint32_t x1166; ++ uint32_t x1167; ++ uint32_t x1168; ++ uint32_t x1169; ++ uint32_t x1170; ++ uint32_t x1171; ++ uint32_t x1172; ++ uint32_t x1173; ++ uint32_t x1174; ++ uint32_t x1175; ++ fiat_secp384r1_uint1 x1176; ++ uint32_t x1177; ++ fiat_secp384r1_uint1 x1178; ++ uint32_t x1179; ++ fiat_secp384r1_uint1 x1180; ++ uint32_t x1181; ++ fiat_secp384r1_uint1 x1182; ++ uint32_t x1183; ++ fiat_secp384r1_uint1 x1184; ++ uint32_t x1185; ++ fiat_secp384r1_uint1 x1186; ++ uint32_t x1187; ++ fiat_secp384r1_uint1 x1188; ++ uint32_t x1189; ++ fiat_secp384r1_uint1 x1190; ++ uint32_t x1191; ++ uint32_t x1192; ++ fiat_secp384r1_uint1 x1193; ++ uint32_t x1194; ++ fiat_secp384r1_uint1 x1195; ++ uint32_t x1196; ++ fiat_secp384r1_uint1 x1197; ++ uint32_t x1198; ++ fiat_secp384r1_uint1 x1199; ++ uint32_t x1200; ++ fiat_secp384r1_uint1 x1201; ++ uint32_t x1202; ++ fiat_secp384r1_uint1 x1203; ++ uint32_t x1204; ++ fiat_secp384r1_uint1 x1205; ++ uint32_t x1206; ++ fiat_secp384r1_uint1 x1207; ++ uint32_t x1208; ++ fiat_secp384r1_uint1 x1209; ++ uint32_t x1210; ++ fiat_secp384r1_uint1 x1211; ++ uint32_t x1212; ++ fiat_secp384r1_uint1 x1213; ++ uint32_t x1214; ++ fiat_secp384r1_uint1 x1215; ++ uint32_t x1216; ++ fiat_secp384r1_uint1 x1217; ++ uint32_t x1218; ++ uint32_t x1219; ++ uint32_t x1220; ++ uint32_t x1221; ++ uint32_t x1222; ++ uint32_t x1223; ++ uint32_t x1224; ++ uint32_t x1225; ++ uint32_t x1226; ++ uint32_t x1227; ++ uint32_t x1228; ++ uint32_t x1229; ++ uint32_t x1230; ++ uint32_t x1231; ++ uint32_t x1232; ++ uint32_t x1233; ++ uint32_t x1234; ++ uint32_t x1235; ++ uint32_t x1236; ++ uint32_t x1237; ++ uint32_t x1238; ++ uint32_t x1239; ++ uint32_t x1240; ++ uint32_t x1241; ++ uint32_t x1242; ++ uint32_t x1243; ++ fiat_secp384r1_uint1 x1244; ++ uint32_t x1245; ++ fiat_secp384r1_uint1 x1246; ++ uint32_t x1247; ++ fiat_secp384r1_uint1 x1248; ++ uint32_t x1249; ++ fiat_secp384r1_uint1 x1250; ++ uint32_t x1251; ++ fiat_secp384r1_uint1 x1252; ++ uint32_t x1253; ++ fiat_secp384r1_uint1 x1254; ++ uint32_t x1255; ++ fiat_secp384r1_uint1 x1256; ++ uint32_t x1257; ++ fiat_secp384r1_uint1 x1258; ++ uint32_t x1259; ++ fiat_secp384r1_uint1 x1260; ++ uint32_t x1261; ++ fiat_secp384r1_uint1 x1262; ++ uint32_t x1263; ++ fiat_secp384r1_uint1 x1264; ++ uint32_t x1265; ++ uint32_t x1266; ++ fiat_secp384r1_uint1 x1267; ++ uint32_t x1268; ++ fiat_secp384r1_uint1 x1269; ++ uint32_t x1270; ++ fiat_secp384r1_uint1 x1271; ++ uint32_t x1272; ++ fiat_secp384r1_uint1 x1273; ++ uint32_t x1274; ++ fiat_secp384r1_uint1 x1275; ++ uint32_t x1276; ++ fiat_secp384r1_uint1 x1277; ++ uint32_t x1278; ++ fiat_secp384r1_uint1 x1279; ++ uint32_t x1280; ++ fiat_secp384r1_uint1 x1281; ++ uint32_t x1282; ++ fiat_secp384r1_uint1 x1283; ++ uint32_t x1284; ++ fiat_secp384r1_uint1 x1285; ++ uint32_t x1286; ++ fiat_secp384r1_uint1 x1287; ++ uint32_t x1288; ++ fiat_secp384r1_uint1 x1289; ++ uint32_t x1290; ++ fiat_secp384r1_uint1 x1291; ++ uint32_t x1292; ++ uint32_t x1293; ++ uint32_t x1294; ++ uint32_t x1295; ++ uint32_t x1296; ++ uint32_t x1297; ++ uint32_t x1298; ++ uint32_t x1299; ++ uint32_t x1300; ++ uint32_t x1301; ++ uint32_t x1302; ++ uint32_t x1303; ++ uint32_t x1304; ++ uint32_t x1305; ++ uint32_t x1306; ++ uint32_t x1307; ++ uint32_t x1308; ++ uint32_t x1309; ++ uint32_t x1310; ++ uint32_t x1311; ++ uint32_t x1312; ++ fiat_secp384r1_uint1 x1313; ++ uint32_t x1314; ++ fiat_secp384r1_uint1 x1315; ++ uint32_t x1316; ++ fiat_secp384r1_uint1 x1317; ++ uint32_t x1318; ++ fiat_secp384r1_uint1 x1319; ++ uint32_t x1320; ++ fiat_secp384r1_uint1 x1321; ++ uint32_t x1322; ++ fiat_secp384r1_uint1 x1323; ++ uint32_t x1324; ++ fiat_secp384r1_uint1 x1325; ++ uint32_t x1326; ++ fiat_secp384r1_uint1 x1327; ++ uint32_t x1328; ++ uint32_t x1329; ++ fiat_secp384r1_uint1 x1330; ++ uint32_t x1331; ++ fiat_secp384r1_uint1 x1332; ++ uint32_t x1333; ++ fiat_secp384r1_uint1 x1334; ++ uint32_t x1335; ++ fiat_secp384r1_uint1 x1336; ++ uint32_t x1337; ++ fiat_secp384r1_uint1 x1338; ++ uint32_t x1339; ++ fiat_secp384r1_uint1 x1340; ++ uint32_t x1341; ++ fiat_secp384r1_uint1 x1342; ++ uint32_t x1343; ++ fiat_secp384r1_uint1 x1344; ++ uint32_t x1345; ++ fiat_secp384r1_uint1 x1346; ++ uint32_t x1347; ++ fiat_secp384r1_uint1 x1348; ++ uint32_t x1349; ++ fiat_secp384r1_uint1 x1350; ++ uint32_t x1351; ++ fiat_secp384r1_uint1 x1352; ++ uint32_t x1353; ++ fiat_secp384r1_uint1 x1354; ++ uint32_t x1355; ++ uint32_t x1356; ++ uint32_t x1357; ++ uint32_t x1358; ++ uint32_t x1359; ++ uint32_t x1360; ++ uint32_t x1361; ++ uint32_t x1362; ++ uint32_t x1363; ++ uint32_t x1364; ++ uint32_t x1365; ++ uint32_t x1366; ++ uint32_t x1367; ++ uint32_t x1368; ++ uint32_t x1369; ++ uint32_t x1370; ++ uint32_t x1371; ++ uint32_t x1372; ++ uint32_t x1373; ++ uint32_t x1374; ++ uint32_t x1375; ++ uint32_t x1376; ++ uint32_t x1377; ++ uint32_t x1378; ++ uint32_t x1379; ++ uint32_t x1380; ++ fiat_secp384r1_uint1 x1381; ++ uint32_t x1382; ++ fiat_secp384r1_uint1 x1383; ++ uint32_t x1384; ++ fiat_secp384r1_uint1 x1385; ++ uint32_t x1386; ++ fiat_secp384r1_uint1 x1387; ++ uint32_t x1388; ++ fiat_secp384r1_uint1 x1389; ++ uint32_t x1390; ++ fiat_secp384r1_uint1 x1391; ++ uint32_t x1392; ++ fiat_secp384r1_uint1 x1393; ++ uint32_t x1394; ++ fiat_secp384r1_uint1 x1395; ++ uint32_t x1396; ++ fiat_secp384r1_uint1 x1397; ++ uint32_t x1398; ++ fiat_secp384r1_uint1 x1399; ++ uint32_t x1400; ++ fiat_secp384r1_uint1 x1401; ++ uint32_t x1402; ++ uint32_t x1403; ++ fiat_secp384r1_uint1 x1404; ++ uint32_t x1405; ++ fiat_secp384r1_uint1 x1406; ++ uint32_t x1407; ++ fiat_secp384r1_uint1 x1408; ++ uint32_t x1409; ++ fiat_secp384r1_uint1 x1410; ++ uint32_t x1411; ++ fiat_secp384r1_uint1 x1412; ++ uint32_t x1413; ++ fiat_secp384r1_uint1 x1414; ++ uint32_t x1415; ++ fiat_secp384r1_uint1 x1416; ++ uint32_t x1417; ++ fiat_secp384r1_uint1 x1418; ++ uint32_t x1419; ++ fiat_secp384r1_uint1 x1420; ++ uint32_t x1421; ++ fiat_secp384r1_uint1 x1422; ++ uint32_t x1423; ++ fiat_secp384r1_uint1 x1424; ++ uint32_t x1425; ++ fiat_secp384r1_uint1 x1426; ++ uint32_t x1427; ++ fiat_secp384r1_uint1 x1428; ++ uint32_t x1429; ++ uint32_t x1430; ++ uint32_t x1431; ++ uint32_t x1432; ++ uint32_t x1433; ++ uint32_t x1434; ++ uint32_t x1435; ++ uint32_t x1436; ++ uint32_t x1437; ++ uint32_t x1438; ++ uint32_t x1439; ++ uint32_t x1440; ++ uint32_t x1441; ++ uint32_t x1442; ++ uint32_t x1443; ++ uint32_t x1444; ++ uint32_t x1445; ++ uint32_t x1446; ++ uint32_t x1447; ++ uint32_t x1448; ++ uint32_t x1449; ++ fiat_secp384r1_uint1 x1450; ++ uint32_t x1451; ++ fiat_secp384r1_uint1 x1452; ++ uint32_t x1453; ++ fiat_secp384r1_uint1 x1454; ++ uint32_t x1455; ++ fiat_secp384r1_uint1 x1456; ++ uint32_t x1457; ++ fiat_secp384r1_uint1 x1458; ++ uint32_t x1459; ++ fiat_secp384r1_uint1 x1460; ++ uint32_t x1461; ++ fiat_secp384r1_uint1 x1462; ++ uint32_t x1463; ++ fiat_secp384r1_uint1 x1464; ++ uint32_t x1465; ++ uint32_t x1466; ++ fiat_secp384r1_uint1 x1467; ++ uint32_t x1468; ++ fiat_secp384r1_uint1 x1469; ++ uint32_t x1470; ++ fiat_secp384r1_uint1 x1471; ++ uint32_t x1472; ++ fiat_secp384r1_uint1 x1473; ++ uint32_t x1474; ++ fiat_secp384r1_uint1 x1475; ++ uint32_t x1476; ++ fiat_secp384r1_uint1 x1477; ++ uint32_t x1478; ++ fiat_secp384r1_uint1 x1479; ++ uint32_t x1480; ++ fiat_secp384r1_uint1 x1481; ++ uint32_t x1482; ++ fiat_secp384r1_uint1 x1483; ++ uint32_t x1484; ++ fiat_secp384r1_uint1 x1485; ++ uint32_t x1486; ++ fiat_secp384r1_uint1 x1487; ++ uint32_t x1488; ++ fiat_secp384r1_uint1 x1489; ++ uint32_t x1490; ++ fiat_secp384r1_uint1 x1491; ++ uint32_t x1492; ++ uint32_t x1493; ++ uint32_t x1494; ++ uint32_t x1495; ++ uint32_t x1496; ++ uint32_t x1497; ++ uint32_t x1498; ++ uint32_t x1499; ++ uint32_t x1500; ++ uint32_t x1501; ++ uint32_t x1502; ++ uint32_t x1503; ++ uint32_t x1504; ++ uint32_t x1505; ++ uint32_t x1506; ++ uint32_t x1507; ++ uint32_t x1508; ++ uint32_t x1509; ++ uint32_t x1510; ++ uint32_t x1511; ++ uint32_t x1512; ++ uint32_t x1513; ++ uint32_t x1514; ++ uint32_t x1515; ++ uint32_t x1516; ++ uint32_t x1517; ++ fiat_secp384r1_uint1 x1518; ++ uint32_t x1519; ++ fiat_secp384r1_uint1 x1520; ++ uint32_t x1521; ++ fiat_secp384r1_uint1 x1522; ++ uint32_t x1523; ++ fiat_secp384r1_uint1 x1524; ++ uint32_t x1525; ++ fiat_secp384r1_uint1 x1526; ++ uint32_t x1527; ++ fiat_secp384r1_uint1 x1528; ++ uint32_t x1529; ++ fiat_secp384r1_uint1 x1530; ++ uint32_t x1531; ++ fiat_secp384r1_uint1 x1532; ++ uint32_t x1533; ++ fiat_secp384r1_uint1 x1534; ++ uint32_t x1535; ++ fiat_secp384r1_uint1 x1536; ++ uint32_t x1537; ++ fiat_secp384r1_uint1 x1538; ++ uint32_t x1539; ++ uint32_t x1540; ++ fiat_secp384r1_uint1 x1541; ++ uint32_t x1542; ++ fiat_secp384r1_uint1 x1543; ++ uint32_t x1544; ++ fiat_secp384r1_uint1 x1545; ++ uint32_t x1546; ++ fiat_secp384r1_uint1 x1547; ++ uint32_t x1548; ++ fiat_secp384r1_uint1 x1549; ++ uint32_t x1550; ++ fiat_secp384r1_uint1 x1551; ++ uint32_t x1552; ++ fiat_secp384r1_uint1 x1553; ++ uint32_t x1554; ++ fiat_secp384r1_uint1 x1555; ++ uint32_t x1556; ++ fiat_secp384r1_uint1 x1557; ++ uint32_t x1558; ++ fiat_secp384r1_uint1 x1559; ++ uint32_t x1560; ++ fiat_secp384r1_uint1 x1561; ++ uint32_t x1562; ++ fiat_secp384r1_uint1 x1563; ++ uint32_t x1564; ++ fiat_secp384r1_uint1 x1565; ++ uint32_t x1566; ++ uint32_t x1567; ++ uint32_t x1568; ++ uint32_t x1569; ++ uint32_t x1570; ++ uint32_t x1571; ++ uint32_t x1572; ++ uint32_t x1573; ++ uint32_t x1574; ++ uint32_t x1575; ++ uint32_t x1576; ++ uint32_t x1577; ++ uint32_t x1578; ++ uint32_t x1579; ++ uint32_t x1580; ++ uint32_t x1581; ++ uint32_t x1582; ++ uint32_t x1583; ++ uint32_t x1584; ++ uint32_t x1585; ++ uint32_t x1586; ++ fiat_secp384r1_uint1 x1587; ++ uint32_t x1588; ++ fiat_secp384r1_uint1 x1589; ++ uint32_t x1590; ++ fiat_secp384r1_uint1 x1591; ++ uint32_t x1592; ++ fiat_secp384r1_uint1 x1593; ++ uint32_t x1594; ++ fiat_secp384r1_uint1 x1595; ++ uint32_t x1596; ++ fiat_secp384r1_uint1 x1597; ++ uint32_t x1598; ++ fiat_secp384r1_uint1 x1599; ++ uint32_t x1600; ++ fiat_secp384r1_uint1 x1601; ++ uint32_t x1602; ++ uint32_t x1603; ++ fiat_secp384r1_uint1 x1604; ++ uint32_t x1605; ++ fiat_secp384r1_uint1 x1606; ++ uint32_t x1607; ++ fiat_secp384r1_uint1 x1608; ++ uint32_t x1609; ++ fiat_secp384r1_uint1 x1610; ++ uint32_t x1611; ++ fiat_secp384r1_uint1 x1612; ++ uint32_t x1613; ++ fiat_secp384r1_uint1 x1614; ++ uint32_t x1615; ++ fiat_secp384r1_uint1 x1616; ++ uint32_t x1617; ++ fiat_secp384r1_uint1 x1618; ++ uint32_t x1619; ++ fiat_secp384r1_uint1 x1620; ++ uint32_t x1621; ++ fiat_secp384r1_uint1 x1622; ++ uint32_t x1623; ++ fiat_secp384r1_uint1 x1624; ++ uint32_t x1625; ++ fiat_secp384r1_uint1 x1626; ++ uint32_t x1627; ++ fiat_secp384r1_uint1 x1628; ++ uint32_t x1629; ++ uint32_t x1630; ++ fiat_secp384r1_uint1 x1631; ++ uint32_t x1632; ++ fiat_secp384r1_uint1 x1633; ++ uint32_t x1634; ++ fiat_secp384r1_uint1 x1635; ++ uint32_t x1636; ++ fiat_secp384r1_uint1 x1637; ++ uint32_t x1638; ++ fiat_secp384r1_uint1 x1639; ++ uint32_t x1640; ++ fiat_secp384r1_uint1 x1641; ++ uint32_t x1642; ++ fiat_secp384r1_uint1 x1643; ++ uint32_t x1644; ++ fiat_secp384r1_uint1 x1645; ++ uint32_t x1646; ++ fiat_secp384r1_uint1 x1647; ++ uint32_t x1648; ++ fiat_secp384r1_uint1 x1649; ++ uint32_t x1650; ++ fiat_secp384r1_uint1 x1651; ++ uint32_t x1652; ++ fiat_secp384r1_uint1 x1653; ++ uint32_t x1654; ++ fiat_secp384r1_uint1 x1655; ++ uint32_t x1656; ++ uint32_t x1657; ++ uint32_t x1658; ++ uint32_t x1659; ++ uint32_t x1660; ++ uint32_t x1661; ++ uint32_t x1662; ++ uint32_t x1663; ++ uint32_t x1664; ++ uint32_t x1665; ++ uint32_t x1666; ++ uint32_t x1667; ++ x1 = (arg1[1]); ++ x2 = (arg1[2]); ++ x3 = (arg1[3]); ++ x4 = (arg1[4]); ++ x5 = (arg1[5]); ++ x6 = (arg1[6]); ++ x7 = (arg1[7]); ++ x8 = (arg1[8]); ++ x9 = (arg1[9]); ++ x10 = (arg1[10]); ++ x11 = (arg1[11]); ++ x12 = (arg1[0]); ++ fiat_secp384r1_mulx_u32(&x13, &x14, x12, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x15, &x16, x12, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x17, &x18, x12, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x19, &x20, x12, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x21, &x22, x12, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x23, &x24, x12, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x25, &x26, x12, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x27, &x28, x12, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x29, &x30, x12, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x31, &x32, x12, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x33, &x34, x12, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x35, &x36, x12, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x37, &x38, 0x0, x36, x33); ++ fiat_secp384r1_addcarryx_u32(&x39, &x40, x38, x34, x31); ++ fiat_secp384r1_addcarryx_u32(&x41, &x42, x40, x32, x29); ++ fiat_secp384r1_addcarryx_u32(&x43, &x44, x42, x30, x27); ++ fiat_secp384r1_addcarryx_u32(&x45, &x46, x44, x28, x25); ++ fiat_secp384r1_addcarryx_u32(&x47, &x48, x46, x26, x23); ++ fiat_secp384r1_addcarryx_u32(&x49, &x50, x48, x24, x21); ++ fiat_secp384r1_addcarryx_u32(&x51, &x52, x50, x22, x19); ++ fiat_secp384r1_addcarryx_u32(&x53, &x54, x52, x20, x17); ++ fiat_secp384r1_addcarryx_u32(&x55, &x56, x54, x18, x15); ++ fiat_secp384r1_addcarryx_u32(&x57, &x58, x56, x16, x13); ++ x59 = (x58 + x14); ++ fiat_secp384r1_mulx_u32(&x60, &x61, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x62, &x63, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x64, &x65, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x66, &x67, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x68, &x69, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x70, &x71, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x72, &x73, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x74, &x75, x35, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x76, &x77, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x78, &x79, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x80, &x81, 0x0, x77, x74); ++ fiat_secp384r1_addcarryx_u32(&x82, &x83, x81, x75, x72); ++ fiat_secp384r1_addcarryx_u32(&x84, &x85, x83, x73, x70); ++ fiat_secp384r1_addcarryx_u32(&x86, &x87, x85, x71, x68); ++ fiat_secp384r1_addcarryx_u32(&x88, &x89, x87, x69, x66); ++ fiat_secp384r1_addcarryx_u32(&x90, &x91, x89, x67, x64); ++ fiat_secp384r1_addcarryx_u32(&x92, &x93, x91, x65, x62); ++ fiat_secp384r1_addcarryx_u32(&x94, &x95, x93, x63, x60); ++ x96 = (x95 + x61); ++ fiat_secp384r1_addcarryx_u32(&x97, &x98, 0x0, x35, x78); ++ fiat_secp384r1_addcarryx_u32(&x99, &x100, x98, x37, x79); ++ fiat_secp384r1_addcarryx_u32(&x101, &x102, x100, x39, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x103, &x104, x102, x41, x76); ++ fiat_secp384r1_addcarryx_u32(&x105, &x106, x104, x43, x80); ++ fiat_secp384r1_addcarryx_u32(&x107, &x108, x106, x45, x82); ++ fiat_secp384r1_addcarryx_u32(&x109, &x110, x108, x47, x84); ++ fiat_secp384r1_addcarryx_u32(&x111, &x112, x110, x49, x86); ++ fiat_secp384r1_addcarryx_u32(&x113, &x114, x112, x51, x88); ++ fiat_secp384r1_addcarryx_u32(&x115, &x116, x114, x53, x90); ++ fiat_secp384r1_addcarryx_u32(&x117, &x118, x116, x55, x92); ++ fiat_secp384r1_addcarryx_u32(&x119, &x120, x118, x57, x94); ++ fiat_secp384r1_addcarryx_u32(&x121, &x122, x120, x59, x96); ++ fiat_secp384r1_mulx_u32(&x123, &x124, x1, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x125, &x126, x1, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x127, &x128, x1, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x129, &x130, x1, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x131, &x132, x1, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x133, &x134, x1, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x135, &x136, x1, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x137, &x138, x1, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x139, &x140, x1, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x141, &x142, x1, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x143, &x144, x1, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x145, &x146, x1, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x147, &x148, 0x0, x146, x143); ++ fiat_secp384r1_addcarryx_u32(&x149, &x150, x148, x144, x141); ++ fiat_secp384r1_addcarryx_u32(&x151, &x152, x150, x142, x139); ++ fiat_secp384r1_addcarryx_u32(&x153, &x154, x152, x140, x137); ++ fiat_secp384r1_addcarryx_u32(&x155, &x156, x154, x138, x135); ++ fiat_secp384r1_addcarryx_u32(&x157, &x158, x156, x136, x133); ++ fiat_secp384r1_addcarryx_u32(&x159, &x160, x158, x134, x131); ++ fiat_secp384r1_addcarryx_u32(&x161, &x162, x160, x132, x129); ++ fiat_secp384r1_addcarryx_u32(&x163, &x164, x162, x130, x127); ++ fiat_secp384r1_addcarryx_u32(&x165, &x166, x164, x128, x125); ++ fiat_secp384r1_addcarryx_u32(&x167, &x168, x166, x126, x123); ++ x169 = (x168 + x124); ++ fiat_secp384r1_addcarryx_u32(&x170, &x171, 0x0, x99, x145); ++ fiat_secp384r1_addcarryx_u32(&x172, &x173, x171, x101, x147); ++ fiat_secp384r1_addcarryx_u32(&x174, &x175, x173, x103, x149); ++ fiat_secp384r1_addcarryx_u32(&x176, &x177, x175, x105, x151); ++ fiat_secp384r1_addcarryx_u32(&x178, &x179, x177, x107, x153); ++ fiat_secp384r1_addcarryx_u32(&x180, &x181, x179, x109, x155); ++ fiat_secp384r1_addcarryx_u32(&x182, &x183, x181, x111, x157); ++ fiat_secp384r1_addcarryx_u32(&x184, &x185, x183, x113, x159); ++ fiat_secp384r1_addcarryx_u32(&x186, &x187, x185, x115, x161); ++ fiat_secp384r1_addcarryx_u32(&x188, &x189, x187, x117, x163); ++ fiat_secp384r1_addcarryx_u32(&x190, &x191, x189, x119, x165); ++ fiat_secp384r1_addcarryx_u32(&x192, &x193, x191, x121, x167); ++ fiat_secp384r1_addcarryx_u32(&x194, &x195, x193, x122, x169); ++ fiat_secp384r1_mulx_u32(&x196, &x197, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x198, &x199, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x200, &x201, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x202, &x203, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x204, &x205, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x206, &x207, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x208, &x209, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x210, &x211, x170, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x212, &x213, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x214, &x215, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x216, &x217, 0x0, x213, x210); ++ fiat_secp384r1_addcarryx_u32(&x218, &x219, x217, x211, x208); ++ fiat_secp384r1_addcarryx_u32(&x220, &x221, x219, x209, x206); ++ fiat_secp384r1_addcarryx_u32(&x222, &x223, x221, x207, x204); ++ fiat_secp384r1_addcarryx_u32(&x224, &x225, x223, x205, x202); ++ fiat_secp384r1_addcarryx_u32(&x226, &x227, x225, x203, x200); ++ fiat_secp384r1_addcarryx_u32(&x228, &x229, x227, x201, x198); ++ fiat_secp384r1_addcarryx_u32(&x230, &x231, x229, x199, x196); ++ x232 = (x231 + x197); ++ fiat_secp384r1_addcarryx_u32(&x233, &x234, 0x0, x170, x214); ++ fiat_secp384r1_addcarryx_u32(&x235, &x236, x234, x172, x215); ++ fiat_secp384r1_addcarryx_u32(&x237, &x238, x236, x174, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x239, &x240, x238, x176, x212); ++ fiat_secp384r1_addcarryx_u32(&x241, &x242, x240, x178, x216); ++ fiat_secp384r1_addcarryx_u32(&x243, &x244, x242, x180, x218); ++ fiat_secp384r1_addcarryx_u32(&x245, &x246, x244, x182, x220); ++ fiat_secp384r1_addcarryx_u32(&x247, &x248, x246, x184, x222); ++ fiat_secp384r1_addcarryx_u32(&x249, &x250, x248, x186, x224); ++ fiat_secp384r1_addcarryx_u32(&x251, &x252, x250, x188, x226); ++ fiat_secp384r1_addcarryx_u32(&x253, &x254, x252, x190, x228); ++ fiat_secp384r1_addcarryx_u32(&x255, &x256, x254, x192, x230); ++ fiat_secp384r1_addcarryx_u32(&x257, &x258, x256, x194, x232); ++ x259 = ((uint32_t)x258 + x195); ++ fiat_secp384r1_mulx_u32(&x260, &x261, x2, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x262, &x263, x2, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x264, &x265, x2, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x266, &x267, x2, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x268, &x269, x2, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x270, &x271, x2, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x272, &x273, x2, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x274, &x275, x2, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x276, &x277, x2, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x278, &x279, x2, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x280, &x281, x2, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x282, &x283, x2, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x284, &x285, 0x0, x283, x280); ++ fiat_secp384r1_addcarryx_u32(&x286, &x287, x285, x281, x278); ++ fiat_secp384r1_addcarryx_u32(&x288, &x289, x287, x279, x276); ++ fiat_secp384r1_addcarryx_u32(&x290, &x291, x289, x277, x274); ++ fiat_secp384r1_addcarryx_u32(&x292, &x293, x291, x275, x272); ++ fiat_secp384r1_addcarryx_u32(&x294, &x295, x293, x273, x270); ++ fiat_secp384r1_addcarryx_u32(&x296, &x297, x295, x271, x268); ++ fiat_secp384r1_addcarryx_u32(&x298, &x299, x297, x269, x266); ++ fiat_secp384r1_addcarryx_u32(&x300, &x301, x299, x267, x264); ++ fiat_secp384r1_addcarryx_u32(&x302, &x303, x301, x265, x262); ++ fiat_secp384r1_addcarryx_u32(&x304, &x305, x303, x263, x260); ++ x306 = (x305 + x261); ++ fiat_secp384r1_addcarryx_u32(&x307, &x308, 0x0, x235, x282); ++ fiat_secp384r1_addcarryx_u32(&x309, &x310, x308, x237, x284); ++ fiat_secp384r1_addcarryx_u32(&x311, &x312, x310, x239, x286); ++ fiat_secp384r1_addcarryx_u32(&x313, &x314, x312, x241, x288); ++ fiat_secp384r1_addcarryx_u32(&x315, &x316, x314, x243, x290); ++ fiat_secp384r1_addcarryx_u32(&x317, &x318, x316, x245, x292); ++ fiat_secp384r1_addcarryx_u32(&x319, &x320, x318, x247, x294); ++ fiat_secp384r1_addcarryx_u32(&x321, &x322, x320, x249, x296); ++ fiat_secp384r1_addcarryx_u32(&x323, &x324, x322, x251, x298); ++ fiat_secp384r1_addcarryx_u32(&x325, &x326, x324, x253, x300); ++ fiat_secp384r1_addcarryx_u32(&x327, &x328, x326, x255, x302); ++ fiat_secp384r1_addcarryx_u32(&x329, &x330, x328, x257, x304); ++ fiat_secp384r1_addcarryx_u32(&x331, &x332, x330, x259, x306); ++ fiat_secp384r1_mulx_u32(&x333, &x334, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x335, &x336, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x337, &x338, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x339, &x340, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x341, &x342, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x343, &x344, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x345, &x346, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x347, &x348, x307, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x349, &x350, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x351, &x352, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x353, &x354, 0x0, x350, x347); ++ fiat_secp384r1_addcarryx_u32(&x355, &x356, x354, x348, x345); ++ fiat_secp384r1_addcarryx_u32(&x357, &x358, x356, x346, x343); ++ fiat_secp384r1_addcarryx_u32(&x359, &x360, x358, x344, x341); ++ fiat_secp384r1_addcarryx_u32(&x361, &x362, x360, x342, x339); ++ fiat_secp384r1_addcarryx_u32(&x363, &x364, x362, x340, x337); ++ fiat_secp384r1_addcarryx_u32(&x365, &x366, x364, x338, x335); ++ fiat_secp384r1_addcarryx_u32(&x367, &x368, x366, x336, x333); ++ x369 = (x368 + x334); ++ fiat_secp384r1_addcarryx_u32(&x370, &x371, 0x0, x307, x351); ++ fiat_secp384r1_addcarryx_u32(&x372, &x373, x371, x309, x352); ++ fiat_secp384r1_addcarryx_u32(&x374, &x375, x373, x311, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x376, &x377, x375, x313, x349); ++ fiat_secp384r1_addcarryx_u32(&x378, &x379, x377, x315, x353); ++ fiat_secp384r1_addcarryx_u32(&x380, &x381, x379, x317, x355); ++ fiat_secp384r1_addcarryx_u32(&x382, &x383, x381, x319, x357); ++ fiat_secp384r1_addcarryx_u32(&x384, &x385, x383, x321, x359); ++ fiat_secp384r1_addcarryx_u32(&x386, &x387, x385, x323, x361); ++ fiat_secp384r1_addcarryx_u32(&x388, &x389, x387, x325, x363); ++ fiat_secp384r1_addcarryx_u32(&x390, &x391, x389, x327, x365); ++ fiat_secp384r1_addcarryx_u32(&x392, &x393, x391, x329, x367); ++ fiat_secp384r1_addcarryx_u32(&x394, &x395, x393, x331, x369); ++ x396 = ((uint32_t)x395 + x332); ++ fiat_secp384r1_mulx_u32(&x397, &x398, x3, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x399, &x400, x3, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x401, &x402, x3, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x403, &x404, x3, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x405, &x406, x3, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x407, &x408, x3, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x409, &x410, x3, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x411, &x412, x3, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x413, &x414, x3, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x415, &x416, x3, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x417, &x418, x3, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x419, &x420, x3, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x421, &x422, 0x0, x420, x417); ++ fiat_secp384r1_addcarryx_u32(&x423, &x424, x422, x418, x415); ++ fiat_secp384r1_addcarryx_u32(&x425, &x426, x424, x416, x413); ++ fiat_secp384r1_addcarryx_u32(&x427, &x428, x426, x414, x411); ++ fiat_secp384r1_addcarryx_u32(&x429, &x430, x428, x412, x409); ++ fiat_secp384r1_addcarryx_u32(&x431, &x432, x430, x410, x407); ++ fiat_secp384r1_addcarryx_u32(&x433, &x434, x432, x408, x405); ++ fiat_secp384r1_addcarryx_u32(&x435, &x436, x434, x406, x403); ++ fiat_secp384r1_addcarryx_u32(&x437, &x438, x436, x404, x401); ++ fiat_secp384r1_addcarryx_u32(&x439, &x440, x438, x402, x399); ++ fiat_secp384r1_addcarryx_u32(&x441, &x442, x440, x400, x397); ++ x443 = (x442 + x398); ++ fiat_secp384r1_addcarryx_u32(&x444, &x445, 0x0, x372, x419); ++ fiat_secp384r1_addcarryx_u32(&x446, &x447, x445, x374, x421); ++ fiat_secp384r1_addcarryx_u32(&x448, &x449, x447, x376, x423); ++ fiat_secp384r1_addcarryx_u32(&x450, &x451, x449, x378, x425); ++ fiat_secp384r1_addcarryx_u32(&x452, &x453, x451, x380, x427); ++ fiat_secp384r1_addcarryx_u32(&x454, &x455, x453, x382, x429); ++ fiat_secp384r1_addcarryx_u32(&x456, &x457, x455, x384, x431); ++ fiat_secp384r1_addcarryx_u32(&x458, &x459, x457, x386, x433); ++ fiat_secp384r1_addcarryx_u32(&x460, &x461, x459, x388, x435); ++ fiat_secp384r1_addcarryx_u32(&x462, &x463, x461, x390, x437); ++ fiat_secp384r1_addcarryx_u32(&x464, &x465, x463, x392, x439); ++ fiat_secp384r1_addcarryx_u32(&x466, &x467, x465, x394, x441); ++ fiat_secp384r1_addcarryx_u32(&x468, &x469, x467, x396, x443); ++ fiat_secp384r1_mulx_u32(&x470, &x471, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x472, &x473, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x474, &x475, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x476, &x477, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x478, &x479, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x480, &x481, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x482, &x483, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x484, &x485, x444, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x486, &x487, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x488, &x489, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x490, &x491, 0x0, x487, x484); ++ fiat_secp384r1_addcarryx_u32(&x492, &x493, x491, x485, x482); ++ fiat_secp384r1_addcarryx_u32(&x494, &x495, x493, x483, x480); ++ fiat_secp384r1_addcarryx_u32(&x496, &x497, x495, x481, x478); ++ fiat_secp384r1_addcarryx_u32(&x498, &x499, x497, x479, x476); ++ fiat_secp384r1_addcarryx_u32(&x500, &x501, x499, x477, x474); ++ fiat_secp384r1_addcarryx_u32(&x502, &x503, x501, x475, x472); ++ fiat_secp384r1_addcarryx_u32(&x504, &x505, x503, x473, x470); ++ x506 = (x505 + x471); ++ fiat_secp384r1_addcarryx_u32(&x507, &x508, 0x0, x444, x488); ++ fiat_secp384r1_addcarryx_u32(&x509, &x510, x508, x446, x489); ++ fiat_secp384r1_addcarryx_u32(&x511, &x512, x510, x448, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x513, &x514, x512, x450, x486); ++ fiat_secp384r1_addcarryx_u32(&x515, &x516, x514, x452, x490); ++ fiat_secp384r1_addcarryx_u32(&x517, &x518, x516, x454, x492); ++ fiat_secp384r1_addcarryx_u32(&x519, &x520, x518, x456, x494); ++ fiat_secp384r1_addcarryx_u32(&x521, &x522, x520, x458, x496); ++ fiat_secp384r1_addcarryx_u32(&x523, &x524, x522, x460, x498); ++ fiat_secp384r1_addcarryx_u32(&x525, &x526, x524, x462, x500); ++ fiat_secp384r1_addcarryx_u32(&x527, &x528, x526, x464, x502); ++ fiat_secp384r1_addcarryx_u32(&x529, &x530, x528, x466, x504); ++ fiat_secp384r1_addcarryx_u32(&x531, &x532, x530, x468, x506); ++ x533 = ((uint32_t)x532 + x469); ++ fiat_secp384r1_mulx_u32(&x534, &x535, x4, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x536, &x537, x4, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x538, &x539, x4, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x540, &x541, x4, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x542, &x543, x4, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x544, &x545, x4, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x546, &x547, x4, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x548, &x549, x4, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x550, &x551, x4, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x552, &x553, x4, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x554, &x555, x4, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x556, &x557, x4, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x558, &x559, 0x0, x557, x554); ++ fiat_secp384r1_addcarryx_u32(&x560, &x561, x559, x555, x552); ++ fiat_secp384r1_addcarryx_u32(&x562, &x563, x561, x553, x550); ++ fiat_secp384r1_addcarryx_u32(&x564, &x565, x563, x551, x548); ++ fiat_secp384r1_addcarryx_u32(&x566, &x567, x565, x549, x546); ++ fiat_secp384r1_addcarryx_u32(&x568, &x569, x567, x547, x544); ++ fiat_secp384r1_addcarryx_u32(&x570, &x571, x569, x545, x542); ++ fiat_secp384r1_addcarryx_u32(&x572, &x573, x571, x543, x540); ++ fiat_secp384r1_addcarryx_u32(&x574, &x575, x573, x541, x538); ++ fiat_secp384r1_addcarryx_u32(&x576, &x577, x575, x539, x536); ++ fiat_secp384r1_addcarryx_u32(&x578, &x579, x577, x537, x534); ++ x580 = (x579 + x535); ++ fiat_secp384r1_addcarryx_u32(&x581, &x582, 0x0, x509, x556); ++ fiat_secp384r1_addcarryx_u32(&x583, &x584, x582, x511, x558); ++ fiat_secp384r1_addcarryx_u32(&x585, &x586, x584, x513, x560); ++ fiat_secp384r1_addcarryx_u32(&x587, &x588, x586, x515, x562); ++ fiat_secp384r1_addcarryx_u32(&x589, &x590, x588, x517, x564); ++ fiat_secp384r1_addcarryx_u32(&x591, &x592, x590, x519, x566); ++ fiat_secp384r1_addcarryx_u32(&x593, &x594, x592, x521, x568); ++ fiat_secp384r1_addcarryx_u32(&x595, &x596, x594, x523, x570); ++ fiat_secp384r1_addcarryx_u32(&x597, &x598, x596, x525, x572); ++ fiat_secp384r1_addcarryx_u32(&x599, &x600, x598, x527, x574); ++ fiat_secp384r1_addcarryx_u32(&x601, &x602, x600, x529, x576); ++ fiat_secp384r1_addcarryx_u32(&x603, &x604, x602, x531, x578); ++ fiat_secp384r1_addcarryx_u32(&x605, &x606, x604, x533, x580); ++ fiat_secp384r1_mulx_u32(&x607, &x608, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x609, &x610, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x611, &x612, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x613, &x614, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x615, &x616, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x617, &x618, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x619, &x620, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x621, &x622, x581, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x623, &x624, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x625, &x626, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x627, &x628, 0x0, x624, x621); ++ fiat_secp384r1_addcarryx_u32(&x629, &x630, x628, x622, x619); ++ fiat_secp384r1_addcarryx_u32(&x631, &x632, x630, x620, x617); ++ fiat_secp384r1_addcarryx_u32(&x633, &x634, x632, x618, x615); ++ fiat_secp384r1_addcarryx_u32(&x635, &x636, x634, x616, x613); ++ fiat_secp384r1_addcarryx_u32(&x637, &x638, x636, x614, x611); ++ fiat_secp384r1_addcarryx_u32(&x639, &x640, x638, x612, x609); ++ fiat_secp384r1_addcarryx_u32(&x641, &x642, x640, x610, x607); ++ x643 = (x642 + x608); ++ fiat_secp384r1_addcarryx_u32(&x644, &x645, 0x0, x581, x625); ++ fiat_secp384r1_addcarryx_u32(&x646, &x647, x645, x583, x626); ++ fiat_secp384r1_addcarryx_u32(&x648, &x649, x647, x585, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x650, &x651, x649, x587, x623); ++ fiat_secp384r1_addcarryx_u32(&x652, &x653, x651, x589, x627); ++ fiat_secp384r1_addcarryx_u32(&x654, &x655, x653, x591, x629); ++ fiat_secp384r1_addcarryx_u32(&x656, &x657, x655, x593, x631); ++ fiat_secp384r1_addcarryx_u32(&x658, &x659, x657, x595, x633); ++ fiat_secp384r1_addcarryx_u32(&x660, &x661, x659, x597, x635); ++ fiat_secp384r1_addcarryx_u32(&x662, &x663, x661, x599, x637); ++ fiat_secp384r1_addcarryx_u32(&x664, &x665, x663, x601, x639); ++ fiat_secp384r1_addcarryx_u32(&x666, &x667, x665, x603, x641); ++ fiat_secp384r1_addcarryx_u32(&x668, &x669, x667, x605, x643); ++ x670 = ((uint32_t)x669 + x606); ++ fiat_secp384r1_mulx_u32(&x671, &x672, x5, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x673, &x674, x5, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x675, &x676, x5, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x677, &x678, x5, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x679, &x680, x5, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x681, &x682, x5, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x683, &x684, x5, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x685, &x686, x5, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x687, &x688, x5, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x689, &x690, x5, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x691, &x692, x5, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x693, &x694, x5, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x695, &x696, 0x0, x694, x691); ++ fiat_secp384r1_addcarryx_u32(&x697, &x698, x696, x692, x689); ++ fiat_secp384r1_addcarryx_u32(&x699, &x700, x698, x690, x687); ++ fiat_secp384r1_addcarryx_u32(&x701, &x702, x700, x688, x685); ++ fiat_secp384r1_addcarryx_u32(&x703, &x704, x702, x686, x683); ++ fiat_secp384r1_addcarryx_u32(&x705, &x706, x704, x684, x681); ++ fiat_secp384r1_addcarryx_u32(&x707, &x708, x706, x682, x679); ++ fiat_secp384r1_addcarryx_u32(&x709, &x710, x708, x680, x677); ++ fiat_secp384r1_addcarryx_u32(&x711, &x712, x710, x678, x675); ++ fiat_secp384r1_addcarryx_u32(&x713, &x714, x712, x676, x673); ++ fiat_secp384r1_addcarryx_u32(&x715, &x716, x714, x674, x671); ++ x717 = (x716 + x672); ++ fiat_secp384r1_addcarryx_u32(&x718, &x719, 0x0, x646, x693); ++ fiat_secp384r1_addcarryx_u32(&x720, &x721, x719, x648, x695); ++ fiat_secp384r1_addcarryx_u32(&x722, &x723, x721, x650, x697); ++ fiat_secp384r1_addcarryx_u32(&x724, &x725, x723, x652, x699); ++ fiat_secp384r1_addcarryx_u32(&x726, &x727, x725, x654, x701); ++ fiat_secp384r1_addcarryx_u32(&x728, &x729, x727, x656, x703); ++ fiat_secp384r1_addcarryx_u32(&x730, &x731, x729, x658, x705); ++ fiat_secp384r1_addcarryx_u32(&x732, &x733, x731, x660, x707); ++ fiat_secp384r1_addcarryx_u32(&x734, &x735, x733, x662, x709); ++ fiat_secp384r1_addcarryx_u32(&x736, &x737, x735, x664, x711); ++ fiat_secp384r1_addcarryx_u32(&x738, &x739, x737, x666, x713); ++ fiat_secp384r1_addcarryx_u32(&x740, &x741, x739, x668, x715); ++ fiat_secp384r1_addcarryx_u32(&x742, &x743, x741, x670, x717); ++ fiat_secp384r1_mulx_u32(&x744, &x745, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x746, &x747, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x748, &x749, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x750, &x751, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x752, &x753, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x754, &x755, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x756, &x757, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x758, &x759, x718, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x760, &x761, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x762, &x763, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x764, &x765, 0x0, x761, x758); ++ fiat_secp384r1_addcarryx_u32(&x766, &x767, x765, x759, x756); ++ fiat_secp384r1_addcarryx_u32(&x768, &x769, x767, x757, x754); ++ fiat_secp384r1_addcarryx_u32(&x770, &x771, x769, x755, x752); ++ fiat_secp384r1_addcarryx_u32(&x772, &x773, x771, x753, x750); ++ fiat_secp384r1_addcarryx_u32(&x774, &x775, x773, x751, x748); ++ fiat_secp384r1_addcarryx_u32(&x776, &x777, x775, x749, x746); ++ fiat_secp384r1_addcarryx_u32(&x778, &x779, x777, x747, x744); ++ x780 = (x779 + x745); ++ fiat_secp384r1_addcarryx_u32(&x781, &x782, 0x0, x718, x762); ++ fiat_secp384r1_addcarryx_u32(&x783, &x784, x782, x720, x763); ++ fiat_secp384r1_addcarryx_u32(&x785, &x786, x784, x722, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x787, &x788, x786, x724, x760); ++ fiat_secp384r1_addcarryx_u32(&x789, &x790, x788, x726, x764); ++ fiat_secp384r1_addcarryx_u32(&x791, &x792, x790, x728, x766); ++ fiat_secp384r1_addcarryx_u32(&x793, &x794, x792, x730, x768); ++ fiat_secp384r1_addcarryx_u32(&x795, &x796, x794, x732, x770); ++ fiat_secp384r1_addcarryx_u32(&x797, &x798, x796, x734, x772); ++ fiat_secp384r1_addcarryx_u32(&x799, &x800, x798, x736, x774); ++ fiat_secp384r1_addcarryx_u32(&x801, &x802, x800, x738, x776); ++ fiat_secp384r1_addcarryx_u32(&x803, &x804, x802, x740, x778); ++ fiat_secp384r1_addcarryx_u32(&x805, &x806, x804, x742, x780); ++ x807 = ((uint32_t)x806 + x743); ++ fiat_secp384r1_mulx_u32(&x808, &x809, x6, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x810, &x811, x6, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x812, &x813, x6, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x814, &x815, x6, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x816, &x817, x6, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x818, &x819, x6, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x820, &x821, x6, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x822, &x823, x6, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x824, &x825, x6, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x826, &x827, x6, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x828, &x829, x6, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x830, &x831, x6, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x832, &x833, 0x0, x831, x828); ++ fiat_secp384r1_addcarryx_u32(&x834, &x835, x833, x829, x826); ++ fiat_secp384r1_addcarryx_u32(&x836, &x837, x835, x827, x824); ++ fiat_secp384r1_addcarryx_u32(&x838, &x839, x837, x825, x822); ++ fiat_secp384r1_addcarryx_u32(&x840, &x841, x839, x823, x820); ++ fiat_secp384r1_addcarryx_u32(&x842, &x843, x841, x821, x818); ++ fiat_secp384r1_addcarryx_u32(&x844, &x845, x843, x819, x816); ++ fiat_secp384r1_addcarryx_u32(&x846, &x847, x845, x817, x814); ++ fiat_secp384r1_addcarryx_u32(&x848, &x849, x847, x815, x812); ++ fiat_secp384r1_addcarryx_u32(&x850, &x851, x849, x813, x810); ++ fiat_secp384r1_addcarryx_u32(&x852, &x853, x851, x811, x808); ++ x854 = (x853 + x809); ++ fiat_secp384r1_addcarryx_u32(&x855, &x856, 0x0, x783, x830); ++ fiat_secp384r1_addcarryx_u32(&x857, &x858, x856, x785, x832); ++ fiat_secp384r1_addcarryx_u32(&x859, &x860, x858, x787, x834); ++ fiat_secp384r1_addcarryx_u32(&x861, &x862, x860, x789, x836); ++ fiat_secp384r1_addcarryx_u32(&x863, &x864, x862, x791, x838); ++ fiat_secp384r1_addcarryx_u32(&x865, &x866, x864, x793, x840); ++ fiat_secp384r1_addcarryx_u32(&x867, &x868, x866, x795, x842); ++ fiat_secp384r1_addcarryx_u32(&x869, &x870, x868, x797, x844); ++ fiat_secp384r1_addcarryx_u32(&x871, &x872, x870, x799, x846); ++ fiat_secp384r1_addcarryx_u32(&x873, &x874, x872, x801, x848); ++ fiat_secp384r1_addcarryx_u32(&x875, &x876, x874, x803, x850); ++ fiat_secp384r1_addcarryx_u32(&x877, &x878, x876, x805, x852); ++ fiat_secp384r1_addcarryx_u32(&x879, &x880, x878, x807, x854); ++ fiat_secp384r1_mulx_u32(&x881, &x882, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x883, &x884, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x885, &x886, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x887, &x888, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x889, &x890, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x891, &x892, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x893, &x894, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x895, &x896, x855, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x897, &x898, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x899, &x900, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x901, &x902, 0x0, x898, x895); ++ fiat_secp384r1_addcarryx_u32(&x903, &x904, x902, x896, x893); ++ fiat_secp384r1_addcarryx_u32(&x905, &x906, x904, x894, x891); ++ fiat_secp384r1_addcarryx_u32(&x907, &x908, x906, x892, x889); ++ fiat_secp384r1_addcarryx_u32(&x909, &x910, x908, x890, x887); ++ fiat_secp384r1_addcarryx_u32(&x911, &x912, x910, x888, x885); ++ fiat_secp384r1_addcarryx_u32(&x913, &x914, x912, x886, x883); ++ fiat_secp384r1_addcarryx_u32(&x915, &x916, x914, x884, x881); ++ x917 = (x916 + x882); ++ fiat_secp384r1_addcarryx_u32(&x918, &x919, 0x0, x855, x899); ++ fiat_secp384r1_addcarryx_u32(&x920, &x921, x919, x857, x900); ++ fiat_secp384r1_addcarryx_u32(&x922, &x923, x921, x859, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x924, &x925, x923, x861, x897); ++ fiat_secp384r1_addcarryx_u32(&x926, &x927, x925, x863, x901); ++ fiat_secp384r1_addcarryx_u32(&x928, &x929, x927, x865, x903); ++ fiat_secp384r1_addcarryx_u32(&x930, &x931, x929, x867, x905); ++ fiat_secp384r1_addcarryx_u32(&x932, &x933, x931, x869, x907); ++ fiat_secp384r1_addcarryx_u32(&x934, &x935, x933, x871, x909); ++ fiat_secp384r1_addcarryx_u32(&x936, &x937, x935, x873, x911); ++ fiat_secp384r1_addcarryx_u32(&x938, &x939, x937, x875, x913); ++ fiat_secp384r1_addcarryx_u32(&x940, &x941, x939, x877, x915); ++ fiat_secp384r1_addcarryx_u32(&x942, &x943, x941, x879, x917); ++ x944 = ((uint32_t)x943 + x880); ++ fiat_secp384r1_mulx_u32(&x945, &x946, x7, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x947, &x948, x7, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x949, &x950, x7, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x951, &x952, x7, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x953, &x954, x7, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x955, &x956, x7, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x957, &x958, x7, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x959, &x960, x7, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x961, &x962, x7, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x963, &x964, x7, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x965, &x966, x7, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x967, &x968, x7, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x969, &x970, 0x0, x968, x965); ++ fiat_secp384r1_addcarryx_u32(&x971, &x972, x970, x966, x963); ++ fiat_secp384r1_addcarryx_u32(&x973, &x974, x972, x964, x961); ++ fiat_secp384r1_addcarryx_u32(&x975, &x976, x974, x962, x959); ++ fiat_secp384r1_addcarryx_u32(&x977, &x978, x976, x960, x957); ++ fiat_secp384r1_addcarryx_u32(&x979, &x980, x978, x958, x955); ++ fiat_secp384r1_addcarryx_u32(&x981, &x982, x980, x956, x953); ++ fiat_secp384r1_addcarryx_u32(&x983, &x984, x982, x954, x951); ++ fiat_secp384r1_addcarryx_u32(&x985, &x986, x984, x952, x949); ++ fiat_secp384r1_addcarryx_u32(&x987, &x988, x986, x950, x947); ++ fiat_secp384r1_addcarryx_u32(&x989, &x990, x988, x948, x945); ++ x991 = (x990 + x946); ++ fiat_secp384r1_addcarryx_u32(&x992, &x993, 0x0, x920, x967); ++ fiat_secp384r1_addcarryx_u32(&x994, &x995, x993, x922, x969); ++ fiat_secp384r1_addcarryx_u32(&x996, &x997, x995, x924, x971); ++ fiat_secp384r1_addcarryx_u32(&x998, &x999, x997, x926, x973); ++ fiat_secp384r1_addcarryx_u32(&x1000, &x1001, x999, x928, x975); ++ fiat_secp384r1_addcarryx_u32(&x1002, &x1003, x1001, x930, x977); ++ fiat_secp384r1_addcarryx_u32(&x1004, &x1005, x1003, x932, x979); ++ fiat_secp384r1_addcarryx_u32(&x1006, &x1007, x1005, x934, x981); ++ fiat_secp384r1_addcarryx_u32(&x1008, &x1009, x1007, x936, x983); ++ fiat_secp384r1_addcarryx_u32(&x1010, &x1011, x1009, x938, x985); ++ fiat_secp384r1_addcarryx_u32(&x1012, &x1013, x1011, x940, x987); ++ fiat_secp384r1_addcarryx_u32(&x1014, &x1015, x1013, x942, x989); ++ fiat_secp384r1_addcarryx_u32(&x1016, &x1017, x1015, x944, x991); ++ fiat_secp384r1_mulx_u32(&x1018, &x1019, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1020, &x1021, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1022, &x1023, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1024, &x1025, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1026, &x1027, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1028, &x1029, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1030, &x1031, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1032, &x1033, x992, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1034, &x1035, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1036, &x1037, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1038, &x1039, 0x0, x1035, x1032); ++ fiat_secp384r1_addcarryx_u32(&x1040, &x1041, x1039, x1033, x1030); ++ fiat_secp384r1_addcarryx_u32(&x1042, &x1043, x1041, x1031, x1028); ++ fiat_secp384r1_addcarryx_u32(&x1044, &x1045, x1043, x1029, x1026); ++ fiat_secp384r1_addcarryx_u32(&x1046, &x1047, x1045, x1027, x1024); ++ fiat_secp384r1_addcarryx_u32(&x1048, &x1049, x1047, x1025, x1022); ++ fiat_secp384r1_addcarryx_u32(&x1050, &x1051, x1049, x1023, x1020); ++ fiat_secp384r1_addcarryx_u32(&x1052, &x1053, x1051, x1021, x1018); ++ x1054 = (x1053 + x1019); ++ fiat_secp384r1_addcarryx_u32(&x1055, &x1056, 0x0, x992, x1036); ++ fiat_secp384r1_addcarryx_u32(&x1057, &x1058, x1056, x994, x1037); ++ fiat_secp384r1_addcarryx_u32(&x1059, &x1060, x1058, x996, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1061, &x1062, x1060, x998, x1034); ++ fiat_secp384r1_addcarryx_u32(&x1063, &x1064, x1062, x1000, x1038); ++ fiat_secp384r1_addcarryx_u32(&x1065, &x1066, x1064, x1002, x1040); ++ fiat_secp384r1_addcarryx_u32(&x1067, &x1068, x1066, x1004, x1042); ++ fiat_secp384r1_addcarryx_u32(&x1069, &x1070, x1068, x1006, x1044); ++ fiat_secp384r1_addcarryx_u32(&x1071, &x1072, x1070, x1008, x1046); ++ fiat_secp384r1_addcarryx_u32(&x1073, &x1074, x1072, x1010, x1048); ++ fiat_secp384r1_addcarryx_u32(&x1075, &x1076, x1074, x1012, x1050); ++ fiat_secp384r1_addcarryx_u32(&x1077, &x1078, x1076, x1014, x1052); ++ fiat_secp384r1_addcarryx_u32(&x1079, &x1080, x1078, x1016, x1054); ++ x1081 = ((uint32_t)x1080 + x1017); ++ fiat_secp384r1_mulx_u32(&x1082, &x1083, x8, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x1084, &x1085, x8, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x1086, &x1087, x8, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x1088, &x1089, x8, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x1090, &x1091, x8, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x1092, &x1093, x8, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x1094, &x1095, x8, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x1096, &x1097, x8, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x1098, &x1099, x8, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x1100, &x1101, x8, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x1102, &x1103, x8, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x1104, &x1105, x8, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x1106, &x1107, 0x0, x1105, x1102); ++ fiat_secp384r1_addcarryx_u32(&x1108, &x1109, x1107, x1103, x1100); ++ fiat_secp384r1_addcarryx_u32(&x1110, &x1111, x1109, x1101, x1098); ++ fiat_secp384r1_addcarryx_u32(&x1112, &x1113, x1111, x1099, x1096); ++ fiat_secp384r1_addcarryx_u32(&x1114, &x1115, x1113, x1097, x1094); ++ fiat_secp384r1_addcarryx_u32(&x1116, &x1117, x1115, x1095, x1092); ++ fiat_secp384r1_addcarryx_u32(&x1118, &x1119, x1117, x1093, x1090); ++ fiat_secp384r1_addcarryx_u32(&x1120, &x1121, x1119, x1091, x1088); ++ fiat_secp384r1_addcarryx_u32(&x1122, &x1123, x1121, x1089, x1086); ++ fiat_secp384r1_addcarryx_u32(&x1124, &x1125, x1123, x1087, x1084); ++ fiat_secp384r1_addcarryx_u32(&x1126, &x1127, x1125, x1085, x1082); ++ x1128 = (x1127 + x1083); ++ fiat_secp384r1_addcarryx_u32(&x1129, &x1130, 0x0, x1057, x1104); ++ fiat_secp384r1_addcarryx_u32(&x1131, &x1132, x1130, x1059, x1106); ++ fiat_secp384r1_addcarryx_u32(&x1133, &x1134, x1132, x1061, x1108); ++ fiat_secp384r1_addcarryx_u32(&x1135, &x1136, x1134, x1063, x1110); ++ fiat_secp384r1_addcarryx_u32(&x1137, &x1138, x1136, x1065, x1112); ++ fiat_secp384r1_addcarryx_u32(&x1139, &x1140, x1138, x1067, x1114); ++ fiat_secp384r1_addcarryx_u32(&x1141, &x1142, x1140, x1069, x1116); ++ fiat_secp384r1_addcarryx_u32(&x1143, &x1144, x1142, x1071, x1118); ++ fiat_secp384r1_addcarryx_u32(&x1145, &x1146, x1144, x1073, x1120); ++ fiat_secp384r1_addcarryx_u32(&x1147, &x1148, x1146, x1075, x1122); ++ fiat_secp384r1_addcarryx_u32(&x1149, &x1150, x1148, x1077, x1124); ++ fiat_secp384r1_addcarryx_u32(&x1151, &x1152, x1150, x1079, x1126); ++ fiat_secp384r1_addcarryx_u32(&x1153, &x1154, x1152, x1081, x1128); ++ fiat_secp384r1_mulx_u32(&x1155, &x1156, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1157, &x1158, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1159, &x1160, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1161, &x1162, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1163, &x1164, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1165, &x1166, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1167, &x1168, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1169, &x1170, x1129, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1171, &x1172, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1173, &x1174, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1175, &x1176, 0x0, x1172, x1169); ++ fiat_secp384r1_addcarryx_u32(&x1177, &x1178, x1176, x1170, x1167); ++ fiat_secp384r1_addcarryx_u32(&x1179, &x1180, x1178, x1168, x1165); ++ fiat_secp384r1_addcarryx_u32(&x1181, &x1182, x1180, x1166, x1163); ++ fiat_secp384r1_addcarryx_u32(&x1183, &x1184, x1182, x1164, x1161); ++ fiat_secp384r1_addcarryx_u32(&x1185, &x1186, x1184, x1162, x1159); ++ fiat_secp384r1_addcarryx_u32(&x1187, &x1188, x1186, x1160, x1157); ++ fiat_secp384r1_addcarryx_u32(&x1189, &x1190, x1188, x1158, x1155); ++ x1191 = (x1190 + x1156); ++ fiat_secp384r1_addcarryx_u32(&x1192, &x1193, 0x0, x1129, x1173); ++ fiat_secp384r1_addcarryx_u32(&x1194, &x1195, x1193, x1131, x1174); ++ fiat_secp384r1_addcarryx_u32(&x1196, &x1197, x1195, x1133, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1198, &x1199, x1197, x1135, x1171); ++ fiat_secp384r1_addcarryx_u32(&x1200, &x1201, x1199, x1137, x1175); ++ fiat_secp384r1_addcarryx_u32(&x1202, &x1203, x1201, x1139, x1177); ++ fiat_secp384r1_addcarryx_u32(&x1204, &x1205, x1203, x1141, x1179); ++ fiat_secp384r1_addcarryx_u32(&x1206, &x1207, x1205, x1143, x1181); ++ fiat_secp384r1_addcarryx_u32(&x1208, &x1209, x1207, x1145, x1183); ++ fiat_secp384r1_addcarryx_u32(&x1210, &x1211, x1209, x1147, x1185); ++ fiat_secp384r1_addcarryx_u32(&x1212, &x1213, x1211, x1149, x1187); ++ fiat_secp384r1_addcarryx_u32(&x1214, &x1215, x1213, x1151, x1189); ++ fiat_secp384r1_addcarryx_u32(&x1216, &x1217, x1215, x1153, x1191); ++ x1218 = ((uint32_t)x1217 + x1154); ++ fiat_secp384r1_mulx_u32(&x1219, &x1220, x9, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x1221, &x1222, x9, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x1223, &x1224, x9, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x1225, &x1226, x9, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x1227, &x1228, x9, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x1229, &x1230, x9, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x1231, &x1232, x9, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x1233, &x1234, x9, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x1235, &x1236, x9, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x1237, &x1238, x9, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x1239, &x1240, x9, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x1241, &x1242, x9, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x1243, &x1244, 0x0, x1242, x1239); ++ fiat_secp384r1_addcarryx_u32(&x1245, &x1246, x1244, x1240, x1237); ++ fiat_secp384r1_addcarryx_u32(&x1247, &x1248, x1246, x1238, x1235); ++ fiat_secp384r1_addcarryx_u32(&x1249, &x1250, x1248, x1236, x1233); ++ fiat_secp384r1_addcarryx_u32(&x1251, &x1252, x1250, x1234, x1231); ++ fiat_secp384r1_addcarryx_u32(&x1253, &x1254, x1252, x1232, x1229); ++ fiat_secp384r1_addcarryx_u32(&x1255, &x1256, x1254, x1230, x1227); ++ fiat_secp384r1_addcarryx_u32(&x1257, &x1258, x1256, x1228, x1225); ++ fiat_secp384r1_addcarryx_u32(&x1259, &x1260, x1258, x1226, x1223); ++ fiat_secp384r1_addcarryx_u32(&x1261, &x1262, x1260, x1224, x1221); ++ fiat_secp384r1_addcarryx_u32(&x1263, &x1264, x1262, x1222, x1219); ++ x1265 = (x1264 + x1220); ++ fiat_secp384r1_addcarryx_u32(&x1266, &x1267, 0x0, x1194, x1241); ++ fiat_secp384r1_addcarryx_u32(&x1268, &x1269, x1267, x1196, x1243); ++ fiat_secp384r1_addcarryx_u32(&x1270, &x1271, x1269, x1198, x1245); ++ fiat_secp384r1_addcarryx_u32(&x1272, &x1273, x1271, x1200, x1247); ++ fiat_secp384r1_addcarryx_u32(&x1274, &x1275, x1273, x1202, x1249); ++ fiat_secp384r1_addcarryx_u32(&x1276, &x1277, x1275, x1204, x1251); ++ fiat_secp384r1_addcarryx_u32(&x1278, &x1279, x1277, x1206, x1253); ++ fiat_secp384r1_addcarryx_u32(&x1280, &x1281, x1279, x1208, x1255); ++ fiat_secp384r1_addcarryx_u32(&x1282, &x1283, x1281, x1210, x1257); ++ fiat_secp384r1_addcarryx_u32(&x1284, &x1285, x1283, x1212, x1259); ++ fiat_secp384r1_addcarryx_u32(&x1286, &x1287, x1285, x1214, x1261); ++ fiat_secp384r1_addcarryx_u32(&x1288, &x1289, x1287, x1216, x1263); ++ fiat_secp384r1_addcarryx_u32(&x1290, &x1291, x1289, x1218, x1265); ++ fiat_secp384r1_mulx_u32(&x1292, &x1293, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1294, &x1295, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1296, &x1297, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1298, &x1299, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1300, &x1301, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1302, &x1303, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1304, &x1305, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1306, &x1307, x1266, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1308, &x1309, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1310, &x1311, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1312, &x1313, 0x0, x1309, x1306); ++ fiat_secp384r1_addcarryx_u32(&x1314, &x1315, x1313, x1307, x1304); ++ fiat_secp384r1_addcarryx_u32(&x1316, &x1317, x1315, x1305, x1302); ++ fiat_secp384r1_addcarryx_u32(&x1318, &x1319, x1317, x1303, x1300); ++ fiat_secp384r1_addcarryx_u32(&x1320, &x1321, x1319, x1301, x1298); ++ fiat_secp384r1_addcarryx_u32(&x1322, &x1323, x1321, x1299, x1296); ++ fiat_secp384r1_addcarryx_u32(&x1324, &x1325, x1323, x1297, x1294); ++ fiat_secp384r1_addcarryx_u32(&x1326, &x1327, x1325, x1295, x1292); ++ x1328 = (x1327 + x1293); ++ fiat_secp384r1_addcarryx_u32(&x1329, &x1330, 0x0, x1266, x1310); ++ fiat_secp384r1_addcarryx_u32(&x1331, &x1332, x1330, x1268, x1311); ++ fiat_secp384r1_addcarryx_u32(&x1333, &x1334, x1332, x1270, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1335, &x1336, x1334, x1272, x1308); ++ fiat_secp384r1_addcarryx_u32(&x1337, &x1338, x1336, x1274, x1312); ++ fiat_secp384r1_addcarryx_u32(&x1339, &x1340, x1338, x1276, x1314); ++ fiat_secp384r1_addcarryx_u32(&x1341, &x1342, x1340, x1278, x1316); ++ fiat_secp384r1_addcarryx_u32(&x1343, &x1344, x1342, x1280, x1318); ++ fiat_secp384r1_addcarryx_u32(&x1345, &x1346, x1344, x1282, x1320); ++ fiat_secp384r1_addcarryx_u32(&x1347, &x1348, x1346, x1284, x1322); ++ fiat_secp384r1_addcarryx_u32(&x1349, &x1350, x1348, x1286, x1324); ++ fiat_secp384r1_addcarryx_u32(&x1351, &x1352, x1350, x1288, x1326); ++ fiat_secp384r1_addcarryx_u32(&x1353, &x1354, x1352, x1290, x1328); ++ x1355 = ((uint32_t)x1354 + x1291); ++ fiat_secp384r1_mulx_u32(&x1356, &x1357, x10, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x1358, &x1359, x10, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x1360, &x1361, x10, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x1362, &x1363, x10, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x1364, &x1365, x10, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x1366, &x1367, x10, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x1368, &x1369, x10, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x1370, &x1371, x10, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x1372, &x1373, x10, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x1374, &x1375, x10, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x1376, &x1377, x10, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x1378, &x1379, x10, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x1380, &x1381, 0x0, x1379, x1376); ++ fiat_secp384r1_addcarryx_u32(&x1382, &x1383, x1381, x1377, x1374); ++ fiat_secp384r1_addcarryx_u32(&x1384, &x1385, x1383, x1375, x1372); ++ fiat_secp384r1_addcarryx_u32(&x1386, &x1387, x1385, x1373, x1370); ++ fiat_secp384r1_addcarryx_u32(&x1388, &x1389, x1387, x1371, x1368); ++ fiat_secp384r1_addcarryx_u32(&x1390, &x1391, x1389, x1369, x1366); ++ fiat_secp384r1_addcarryx_u32(&x1392, &x1393, x1391, x1367, x1364); ++ fiat_secp384r1_addcarryx_u32(&x1394, &x1395, x1393, x1365, x1362); ++ fiat_secp384r1_addcarryx_u32(&x1396, &x1397, x1395, x1363, x1360); ++ fiat_secp384r1_addcarryx_u32(&x1398, &x1399, x1397, x1361, x1358); ++ fiat_secp384r1_addcarryx_u32(&x1400, &x1401, x1399, x1359, x1356); ++ x1402 = (x1401 + x1357); ++ fiat_secp384r1_addcarryx_u32(&x1403, &x1404, 0x0, x1331, x1378); ++ fiat_secp384r1_addcarryx_u32(&x1405, &x1406, x1404, x1333, x1380); ++ fiat_secp384r1_addcarryx_u32(&x1407, &x1408, x1406, x1335, x1382); ++ fiat_secp384r1_addcarryx_u32(&x1409, &x1410, x1408, x1337, x1384); ++ fiat_secp384r1_addcarryx_u32(&x1411, &x1412, x1410, x1339, x1386); ++ fiat_secp384r1_addcarryx_u32(&x1413, &x1414, x1412, x1341, x1388); ++ fiat_secp384r1_addcarryx_u32(&x1415, &x1416, x1414, x1343, x1390); ++ fiat_secp384r1_addcarryx_u32(&x1417, &x1418, x1416, x1345, x1392); ++ fiat_secp384r1_addcarryx_u32(&x1419, &x1420, x1418, x1347, x1394); ++ fiat_secp384r1_addcarryx_u32(&x1421, &x1422, x1420, x1349, x1396); ++ fiat_secp384r1_addcarryx_u32(&x1423, &x1424, x1422, x1351, x1398); ++ fiat_secp384r1_addcarryx_u32(&x1425, &x1426, x1424, x1353, x1400); ++ fiat_secp384r1_addcarryx_u32(&x1427, &x1428, x1426, x1355, x1402); ++ fiat_secp384r1_mulx_u32(&x1429, &x1430, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1431, &x1432, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1433, &x1434, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1435, &x1436, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1437, &x1438, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1439, &x1440, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1441, &x1442, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1443, &x1444, x1403, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1445, &x1446, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1447, &x1448, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1449, &x1450, 0x0, x1446, x1443); ++ fiat_secp384r1_addcarryx_u32(&x1451, &x1452, x1450, x1444, x1441); ++ fiat_secp384r1_addcarryx_u32(&x1453, &x1454, x1452, x1442, x1439); ++ fiat_secp384r1_addcarryx_u32(&x1455, &x1456, x1454, x1440, x1437); ++ fiat_secp384r1_addcarryx_u32(&x1457, &x1458, x1456, x1438, x1435); ++ fiat_secp384r1_addcarryx_u32(&x1459, &x1460, x1458, x1436, x1433); ++ fiat_secp384r1_addcarryx_u32(&x1461, &x1462, x1460, x1434, x1431); ++ fiat_secp384r1_addcarryx_u32(&x1463, &x1464, x1462, x1432, x1429); ++ x1465 = (x1464 + x1430); ++ fiat_secp384r1_addcarryx_u32(&x1466, &x1467, 0x0, x1403, x1447); ++ fiat_secp384r1_addcarryx_u32(&x1468, &x1469, x1467, x1405, x1448); ++ fiat_secp384r1_addcarryx_u32(&x1470, &x1471, x1469, x1407, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1472, &x1473, x1471, x1409, x1445); ++ fiat_secp384r1_addcarryx_u32(&x1474, &x1475, x1473, x1411, x1449); ++ fiat_secp384r1_addcarryx_u32(&x1476, &x1477, x1475, x1413, x1451); ++ fiat_secp384r1_addcarryx_u32(&x1478, &x1479, x1477, x1415, x1453); ++ fiat_secp384r1_addcarryx_u32(&x1480, &x1481, x1479, x1417, x1455); ++ fiat_secp384r1_addcarryx_u32(&x1482, &x1483, x1481, x1419, x1457); ++ fiat_secp384r1_addcarryx_u32(&x1484, &x1485, x1483, x1421, x1459); ++ fiat_secp384r1_addcarryx_u32(&x1486, &x1487, x1485, x1423, x1461); ++ fiat_secp384r1_addcarryx_u32(&x1488, &x1489, x1487, x1425, x1463); ++ fiat_secp384r1_addcarryx_u32(&x1490, &x1491, x1489, x1427, x1465); ++ x1492 = ((uint32_t)x1491 + x1428); ++ fiat_secp384r1_mulx_u32(&x1493, &x1494, x11, (arg2[11])); ++ fiat_secp384r1_mulx_u32(&x1495, &x1496, x11, (arg2[10])); ++ fiat_secp384r1_mulx_u32(&x1497, &x1498, x11, (arg2[9])); ++ fiat_secp384r1_mulx_u32(&x1499, &x1500, x11, (arg2[8])); ++ fiat_secp384r1_mulx_u32(&x1501, &x1502, x11, (arg2[7])); ++ fiat_secp384r1_mulx_u32(&x1503, &x1504, x11, (arg2[6])); ++ fiat_secp384r1_mulx_u32(&x1505, &x1506, x11, (arg2[5])); ++ fiat_secp384r1_mulx_u32(&x1507, &x1508, x11, (arg2[4])); ++ fiat_secp384r1_mulx_u32(&x1509, &x1510, x11, (arg2[3])); ++ fiat_secp384r1_mulx_u32(&x1511, &x1512, x11, (arg2[2])); ++ fiat_secp384r1_mulx_u32(&x1513, &x1514, x11, (arg2[1])); ++ fiat_secp384r1_mulx_u32(&x1515, &x1516, x11, (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x1517, &x1518, 0x0, x1516, x1513); ++ fiat_secp384r1_addcarryx_u32(&x1519, &x1520, x1518, x1514, x1511); ++ fiat_secp384r1_addcarryx_u32(&x1521, &x1522, x1520, x1512, x1509); ++ fiat_secp384r1_addcarryx_u32(&x1523, &x1524, x1522, x1510, x1507); ++ fiat_secp384r1_addcarryx_u32(&x1525, &x1526, x1524, x1508, x1505); ++ fiat_secp384r1_addcarryx_u32(&x1527, &x1528, x1526, x1506, x1503); ++ fiat_secp384r1_addcarryx_u32(&x1529, &x1530, x1528, x1504, x1501); ++ fiat_secp384r1_addcarryx_u32(&x1531, &x1532, x1530, x1502, x1499); ++ fiat_secp384r1_addcarryx_u32(&x1533, &x1534, x1532, x1500, x1497); ++ fiat_secp384r1_addcarryx_u32(&x1535, &x1536, x1534, x1498, x1495); ++ fiat_secp384r1_addcarryx_u32(&x1537, &x1538, x1536, x1496, x1493); ++ x1539 = (x1538 + x1494); ++ fiat_secp384r1_addcarryx_u32(&x1540, &x1541, 0x0, x1468, x1515); ++ fiat_secp384r1_addcarryx_u32(&x1542, &x1543, x1541, x1470, x1517); ++ fiat_secp384r1_addcarryx_u32(&x1544, &x1545, x1543, x1472, x1519); ++ fiat_secp384r1_addcarryx_u32(&x1546, &x1547, x1545, x1474, x1521); ++ fiat_secp384r1_addcarryx_u32(&x1548, &x1549, x1547, x1476, x1523); ++ fiat_secp384r1_addcarryx_u32(&x1550, &x1551, x1549, x1478, x1525); ++ fiat_secp384r1_addcarryx_u32(&x1552, &x1553, x1551, x1480, x1527); ++ fiat_secp384r1_addcarryx_u32(&x1554, &x1555, x1553, x1482, x1529); ++ fiat_secp384r1_addcarryx_u32(&x1556, &x1557, x1555, x1484, x1531); ++ fiat_secp384r1_addcarryx_u32(&x1558, &x1559, x1557, x1486, x1533); ++ fiat_secp384r1_addcarryx_u32(&x1560, &x1561, x1559, x1488, x1535); ++ fiat_secp384r1_addcarryx_u32(&x1562, &x1563, x1561, x1490, x1537); ++ fiat_secp384r1_addcarryx_u32(&x1564, &x1565, x1563, x1492, x1539); ++ fiat_secp384r1_mulx_u32(&x1566, &x1567, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1568, &x1569, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1570, &x1571, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1572, &x1573, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1574, &x1575, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1576, &x1577, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1578, &x1579, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1580, &x1581, x1540, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1582, &x1583, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1584, &x1585, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1586, &x1587, 0x0, x1583, x1580); ++ fiat_secp384r1_addcarryx_u32(&x1588, &x1589, x1587, x1581, x1578); ++ fiat_secp384r1_addcarryx_u32(&x1590, &x1591, x1589, x1579, x1576); ++ fiat_secp384r1_addcarryx_u32(&x1592, &x1593, x1591, x1577, x1574); ++ fiat_secp384r1_addcarryx_u32(&x1594, &x1595, x1593, x1575, x1572); ++ fiat_secp384r1_addcarryx_u32(&x1596, &x1597, x1595, x1573, x1570); ++ fiat_secp384r1_addcarryx_u32(&x1598, &x1599, x1597, x1571, x1568); ++ fiat_secp384r1_addcarryx_u32(&x1600, &x1601, x1599, x1569, x1566); ++ x1602 = (x1601 + x1567); ++ fiat_secp384r1_addcarryx_u32(&x1603, &x1604, 0x0, x1540, x1584); ++ fiat_secp384r1_addcarryx_u32(&x1605, &x1606, x1604, x1542, x1585); ++ fiat_secp384r1_addcarryx_u32(&x1607, &x1608, x1606, x1544, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1609, &x1610, x1608, x1546, x1582); ++ fiat_secp384r1_addcarryx_u32(&x1611, &x1612, x1610, x1548, x1586); ++ fiat_secp384r1_addcarryx_u32(&x1613, &x1614, x1612, x1550, x1588); ++ fiat_secp384r1_addcarryx_u32(&x1615, &x1616, x1614, x1552, x1590); ++ fiat_secp384r1_addcarryx_u32(&x1617, &x1618, x1616, x1554, x1592); ++ fiat_secp384r1_addcarryx_u32(&x1619, &x1620, x1618, x1556, x1594); ++ fiat_secp384r1_addcarryx_u32(&x1621, &x1622, x1620, x1558, x1596); ++ fiat_secp384r1_addcarryx_u32(&x1623, &x1624, x1622, x1560, x1598); ++ fiat_secp384r1_addcarryx_u32(&x1625, &x1626, x1624, x1562, x1600); ++ fiat_secp384r1_addcarryx_u32(&x1627, &x1628, x1626, x1564, x1602); ++ x1629 = ((uint32_t)x1628 + x1565); ++ fiat_secp384r1_subborrowx_u32(&x1630, &x1631, 0x0, x1605, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1632, &x1633, x1631, x1607, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x1634, &x1635, x1633, x1609, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x1636, &x1637, x1635, x1611, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1638, &x1639, x1637, x1613, ++ UINT32_C(0xfffffffe)); ++ fiat_secp384r1_subborrowx_u32(&x1640, &x1641, x1639, x1615, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1642, &x1643, x1641, x1617, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1644, &x1645, x1643, x1619, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1646, &x1647, x1645, x1621, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1648, &x1649, x1647, x1623, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1650, &x1651, x1649, x1625, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1652, &x1653, x1651, x1627, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1654, &x1655, x1653, x1629, 0x0); ++ fiat_secp384r1_cmovznz_u32(&x1656, x1655, x1630, x1605); ++ fiat_secp384r1_cmovznz_u32(&x1657, x1655, x1632, x1607); ++ fiat_secp384r1_cmovznz_u32(&x1658, x1655, x1634, x1609); ++ fiat_secp384r1_cmovznz_u32(&x1659, x1655, x1636, x1611); ++ fiat_secp384r1_cmovznz_u32(&x1660, x1655, x1638, x1613); ++ fiat_secp384r1_cmovznz_u32(&x1661, x1655, x1640, x1615); ++ fiat_secp384r1_cmovznz_u32(&x1662, x1655, x1642, x1617); ++ fiat_secp384r1_cmovznz_u32(&x1663, x1655, x1644, x1619); ++ fiat_secp384r1_cmovznz_u32(&x1664, x1655, x1646, x1621); ++ fiat_secp384r1_cmovznz_u32(&x1665, x1655, x1648, x1623); ++ fiat_secp384r1_cmovznz_u32(&x1666, x1655, x1650, x1625); ++ fiat_secp384r1_cmovznz_u32(&x1667, x1655, x1652, x1627); ++ out1[0] = x1656; ++ out1[1] = x1657; ++ out1[2] = x1658; ++ out1[3] = x1659; ++ out1[4] = x1660; ++ out1[5] = x1661; ++ out1[6] = x1662; ++ out1[7] = x1663; ++ out1[8] = x1664; ++ out1[9] = x1665; ++ out1[10] = x1666; ++ out1[11] = x1667; ++} ++ ++/* ++ * The function fiat_secp384r1_square squares a field element in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_square(uint32_t out1[12], const uint32_t arg1[12]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint32_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint32_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint32_t x12; ++ uint32_t x13; ++ uint32_t x14; ++ uint32_t x15; ++ uint32_t x16; ++ uint32_t x17; ++ uint32_t x18; ++ uint32_t x19; ++ uint32_t x20; ++ uint32_t x21; ++ uint32_t x22; ++ uint32_t x23; ++ uint32_t x24; ++ uint32_t x25; ++ uint32_t x26; ++ uint32_t x27; ++ uint32_t x28; ++ uint32_t x29; ++ uint32_t x30; ++ uint32_t x31; ++ uint32_t x32; ++ uint32_t x33; ++ uint32_t x34; ++ uint32_t x35; ++ uint32_t x36; ++ uint32_t x37; ++ fiat_secp384r1_uint1 x38; ++ uint32_t x39; ++ fiat_secp384r1_uint1 x40; ++ uint32_t x41; ++ fiat_secp384r1_uint1 x42; ++ uint32_t x43; ++ fiat_secp384r1_uint1 x44; ++ uint32_t x45; ++ fiat_secp384r1_uint1 x46; ++ uint32_t x47; ++ fiat_secp384r1_uint1 x48; ++ uint32_t x49; ++ fiat_secp384r1_uint1 x50; ++ uint32_t x51; ++ fiat_secp384r1_uint1 x52; ++ uint32_t x53; ++ fiat_secp384r1_uint1 x54; ++ uint32_t x55; ++ fiat_secp384r1_uint1 x56; ++ uint32_t x57; ++ fiat_secp384r1_uint1 x58; ++ uint32_t x59; ++ uint32_t x60; ++ uint32_t x61; ++ uint32_t x62; ++ uint32_t x63; ++ uint32_t x64; ++ uint32_t x65; ++ uint32_t x66; ++ uint32_t x67; ++ uint32_t x68; ++ uint32_t x69; ++ uint32_t x70; ++ uint32_t x71; ++ uint32_t x72; ++ uint32_t x73; ++ uint32_t x74; ++ uint32_t x75; ++ uint32_t x76; ++ uint32_t x77; ++ uint32_t x78; ++ uint32_t x79; ++ uint32_t x80; ++ fiat_secp384r1_uint1 x81; ++ uint32_t x82; ++ fiat_secp384r1_uint1 x83; ++ uint32_t x84; ++ fiat_secp384r1_uint1 x85; ++ uint32_t x86; ++ fiat_secp384r1_uint1 x87; ++ uint32_t x88; ++ fiat_secp384r1_uint1 x89; ++ uint32_t x90; ++ fiat_secp384r1_uint1 x91; ++ uint32_t x92; ++ fiat_secp384r1_uint1 x93; ++ uint32_t x94; ++ fiat_secp384r1_uint1 x95; ++ uint32_t x96; ++ uint32_t x97; ++ fiat_secp384r1_uint1 x98; ++ uint32_t x99; ++ fiat_secp384r1_uint1 x100; ++ uint32_t x101; ++ fiat_secp384r1_uint1 x102; ++ uint32_t x103; ++ fiat_secp384r1_uint1 x104; ++ uint32_t x105; ++ fiat_secp384r1_uint1 x106; ++ uint32_t x107; ++ fiat_secp384r1_uint1 x108; ++ uint32_t x109; ++ fiat_secp384r1_uint1 x110; ++ uint32_t x111; ++ fiat_secp384r1_uint1 x112; ++ uint32_t x113; ++ fiat_secp384r1_uint1 x114; ++ uint32_t x115; ++ fiat_secp384r1_uint1 x116; ++ uint32_t x117; ++ fiat_secp384r1_uint1 x118; ++ uint32_t x119; ++ fiat_secp384r1_uint1 x120; ++ uint32_t x121; ++ fiat_secp384r1_uint1 x122; ++ uint32_t x123; ++ uint32_t x124; ++ uint32_t x125; ++ uint32_t x126; ++ uint32_t x127; ++ uint32_t x128; ++ uint32_t x129; ++ uint32_t x130; ++ uint32_t x131; ++ uint32_t x132; ++ uint32_t x133; ++ uint32_t x134; ++ uint32_t x135; ++ uint32_t x136; ++ uint32_t x137; ++ uint32_t x138; ++ uint32_t x139; ++ uint32_t x140; ++ uint32_t x141; ++ uint32_t x142; ++ uint32_t x143; ++ uint32_t x144; ++ uint32_t x145; ++ uint32_t x146; ++ uint32_t x147; ++ fiat_secp384r1_uint1 x148; ++ uint32_t x149; ++ fiat_secp384r1_uint1 x150; ++ uint32_t x151; ++ fiat_secp384r1_uint1 x152; ++ uint32_t x153; ++ fiat_secp384r1_uint1 x154; ++ uint32_t x155; ++ fiat_secp384r1_uint1 x156; ++ uint32_t x157; ++ fiat_secp384r1_uint1 x158; ++ uint32_t x159; ++ fiat_secp384r1_uint1 x160; ++ uint32_t x161; ++ fiat_secp384r1_uint1 x162; ++ uint32_t x163; ++ fiat_secp384r1_uint1 x164; ++ uint32_t x165; ++ fiat_secp384r1_uint1 x166; ++ uint32_t x167; ++ fiat_secp384r1_uint1 x168; ++ uint32_t x169; ++ uint32_t x170; ++ fiat_secp384r1_uint1 x171; ++ uint32_t x172; ++ fiat_secp384r1_uint1 x173; ++ uint32_t x174; ++ fiat_secp384r1_uint1 x175; ++ uint32_t x176; ++ fiat_secp384r1_uint1 x177; ++ uint32_t x178; ++ fiat_secp384r1_uint1 x179; ++ uint32_t x180; ++ fiat_secp384r1_uint1 x181; ++ uint32_t x182; ++ fiat_secp384r1_uint1 x183; ++ uint32_t x184; ++ fiat_secp384r1_uint1 x185; ++ uint32_t x186; ++ fiat_secp384r1_uint1 x187; ++ uint32_t x188; ++ fiat_secp384r1_uint1 x189; ++ uint32_t x190; ++ fiat_secp384r1_uint1 x191; ++ uint32_t x192; ++ fiat_secp384r1_uint1 x193; ++ uint32_t x194; ++ fiat_secp384r1_uint1 x195; ++ uint32_t x196; ++ uint32_t x197; ++ uint32_t x198; ++ uint32_t x199; ++ uint32_t x200; ++ uint32_t x201; ++ uint32_t x202; ++ uint32_t x203; ++ uint32_t x204; ++ uint32_t x205; ++ uint32_t x206; ++ uint32_t x207; ++ uint32_t x208; ++ uint32_t x209; ++ uint32_t x210; ++ uint32_t x211; ++ uint32_t x212; ++ uint32_t x213; ++ uint32_t x214; ++ uint32_t x215; ++ uint32_t x216; ++ fiat_secp384r1_uint1 x217; ++ uint32_t x218; ++ fiat_secp384r1_uint1 x219; ++ uint32_t x220; ++ fiat_secp384r1_uint1 x221; ++ uint32_t x222; ++ fiat_secp384r1_uint1 x223; ++ uint32_t x224; ++ fiat_secp384r1_uint1 x225; ++ uint32_t x226; ++ fiat_secp384r1_uint1 x227; ++ uint32_t x228; ++ fiat_secp384r1_uint1 x229; ++ uint32_t x230; ++ fiat_secp384r1_uint1 x231; ++ uint32_t x232; ++ uint32_t x233; ++ fiat_secp384r1_uint1 x234; ++ uint32_t x235; ++ fiat_secp384r1_uint1 x236; ++ uint32_t x237; ++ fiat_secp384r1_uint1 x238; ++ uint32_t x239; ++ fiat_secp384r1_uint1 x240; ++ uint32_t x241; ++ fiat_secp384r1_uint1 x242; ++ uint32_t x243; ++ fiat_secp384r1_uint1 x244; ++ uint32_t x245; ++ fiat_secp384r1_uint1 x246; ++ uint32_t x247; ++ fiat_secp384r1_uint1 x248; ++ uint32_t x249; ++ fiat_secp384r1_uint1 x250; ++ uint32_t x251; ++ fiat_secp384r1_uint1 x252; ++ uint32_t x253; ++ fiat_secp384r1_uint1 x254; ++ uint32_t x255; ++ fiat_secp384r1_uint1 x256; ++ uint32_t x257; ++ fiat_secp384r1_uint1 x258; ++ uint32_t x259; ++ uint32_t x260; ++ uint32_t x261; ++ uint32_t x262; ++ uint32_t x263; ++ uint32_t x264; ++ uint32_t x265; ++ uint32_t x266; ++ uint32_t x267; ++ uint32_t x268; ++ uint32_t x269; ++ uint32_t x270; ++ uint32_t x271; ++ uint32_t x272; ++ uint32_t x273; ++ uint32_t x274; ++ uint32_t x275; ++ uint32_t x276; ++ uint32_t x277; ++ uint32_t x278; ++ uint32_t x279; ++ uint32_t x280; ++ uint32_t x281; ++ uint32_t x282; ++ uint32_t x283; ++ uint32_t x284; ++ fiat_secp384r1_uint1 x285; ++ uint32_t x286; ++ fiat_secp384r1_uint1 x287; ++ uint32_t x288; ++ fiat_secp384r1_uint1 x289; ++ uint32_t x290; ++ fiat_secp384r1_uint1 x291; ++ uint32_t x292; ++ fiat_secp384r1_uint1 x293; ++ uint32_t x294; ++ fiat_secp384r1_uint1 x295; ++ uint32_t x296; ++ fiat_secp384r1_uint1 x297; ++ uint32_t x298; ++ fiat_secp384r1_uint1 x299; ++ uint32_t x300; ++ fiat_secp384r1_uint1 x301; ++ uint32_t x302; ++ fiat_secp384r1_uint1 x303; ++ uint32_t x304; ++ fiat_secp384r1_uint1 x305; ++ uint32_t x306; ++ uint32_t x307; ++ fiat_secp384r1_uint1 x308; ++ uint32_t x309; ++ fiat_secp384r1_uint1 x310; ++ uint32_t x311; ++ fiat_secp384r1_uint1 x312; ++ uint32_t x313; ++ fiat_secp384r1_uint1 x314; ++ uint32_t x315; ++ fiat_secp384r1_uint1 x316; ++ uint32_t x317; ++ fiat_secp384r1_uint1 x318; ++ uint32_t x319; ++ fiat_secp384r1_uint1 x320; ++ uint32_t x321; ++ fiat_secp384r1_uint1 x322; ++ uint32_t x323; ++ fiat_secp384r1_uint1 x324; ++ uint32_t x325; ++ fiat_secp384r1_uint1 x326; ++ uint32_t x327; ++ fiat_secp384r1_uint1 x328; ++ uint32_t x329; ++ fiat_secp384r1_uint1 x330; ++ uint32_t x331; ++ fiat_secp384r1_uint1 x332; ++ uint32_t x333; ++ uint32_t x334; ++ uint32_t x335; ++ uint32_t x336; ++ uint32_t x337; ++ uint32_t x338; ++ uint32_t x339; ++ uint32_t x340; ++ uint32_t x341; ++ uint32_t x342; ++ uint32_t x343; ++ uint32_t x344; ++ uint32_t x345; ++ uint32_t x346; ++ uint32_t x347; ++ uint32_t x348; ++ uint32_t x349; ++ uint32_t x350; ++ uint32_t x351; ++ uint32_t x352; ++ uint32_t x353; ++ fiat_secp384r1_uint1 x354; ++ uint32_t x355; ++ fiat_secp384r1_uint1 x356; ++ uint32_t x357; ++ fiat_secp384r1_uint1 x358; ++ uint32_t x359; ++ fiat_secp384r1_uint1 x360; ++ uint32_t x361; ++ fiat_secp384r1_uint1 x362; ++ uint32_t x363; ++ fiat_secp384r1_uint1 x364; ++ uint32_t x365; ++ fiat_secp384r1_uint1 x366; ++ uint32_t x367; ++ fiat_secp384r1_uint1 x368; ++ uint32_t x369; ++ uint32_t x370; ++ fiat_secp384r1_uint1 x371; ++ uint32_t x372; ++ fiat_secp384r1_uint1 x373; ++ uint32_t x374; ++ fiat_secp384r1_uint1 x375; ++ uint32_t x376; ++ fiat_secp384r1_uint1 x377; ++ uint32_t x378; ++ fiat_secp384r1_uint1 x379; ++ uint32_t x380; ++ fiat_secp384r1_uint1 x381; ++ uint32_t x382; ++ fiat_secp384r1_uint1 x383; ++ uint32_t x384; ++ fiat_secp384r1_uint1 x385; ++ uint32_t x386; ++ fiat_secp384r1_uint1 x387; ++ uint32_t x388; ++ fiat_secp384r1_uint1 x389; ++ uint32_t x390; ++ fiat_secp384r1_uint1 x391; ++ uint32_t x392; ++ fiat_secp384r1_uint1 x393; ++ uint32_t x394; ++ fiat_secp384r1_uint1 x395; ++ uint32_t x396; ++ uint32_t x397; ++ uint32_t x398; ++ uint32_t x399; ++ uint32_t x400; ++ uint32_t x401; ++ uint32_t x402; ++ uint32_t x403; ++ uint32_t x404; ++ uint32_t x405; ++ uint32_t x406; ++ uint32_t x407; ++ uint32_t x408; ++ uint32_t x409; ++ uint32_t x410; ++ uint32_t x411; ++ uint32_t x412; ++ uint32_t x413; ++ uint32_t x414; ++ uint32_t x415; ++ uint32_t x416; ++ uint32_t x417; ++ uint32_t x418; ++ uint32_t x419; ++ uint32_t x420; ++ uint32_t x421; ++ fiat_secp384r1_uint1 x422; ++ uint32_t x423; ++ fiat_secp384r1_uint1 x424; ++ uint32_t x425; ++ fiat_secp384r1_uint1 x426; ++ uint32_t x427; ++ fiat_secp384r1_uint1 x428; ++ uint32_t x429; ++ fiat_secp384r1_uint1 x430; ++ uint32_t x431; ++ fiat_secp384r1_uint1 x432; ++ uint32_t x433; ++ fiat_secp384r1_uint1 x434; ++ uint32_t x435; ++ fiat_secp384r1_uint1 x436; ++ uint32_t x437; ++ fiat_secp384r1_uint1 x438; ++ uint32_t x439; ++ fiat_secp384r1_uint1 x440; ++ uint32_t x441; ++ fiat_secp384r1_uint1 x442; ++ uint32_t x443; ++ uint32_t x444; ++ fiat_secp384r1_uint1 x445; ++ uint32_t x446; ++ fiat_secp384r1_uint1 x447; ++ uint32_t x448; ++ fiat_secp384r1_uint1 x449; ++ uint32_t x450; ++ fiat_secp384r1_uint1 x451; ++ uint32_t x452; ++ fiat_secp384r1_uint1 x453; ++ uint32_t x454; ++ fiat_secp384r1_uint1 x455; ++ uint32_t x456; ++ fiat_secp384r1_uint1 x457; ++ uint32_t x458; ++ fiat_secp384r1_uint1 x459; ++ uint32_t x460; ++ fiat_secp384r1_uint1 x461; ++ uint32_t x462; ++ fiat_secp384r1_uint1 x463; ++ uint32_t x464; ++ fiat_secp384r1_uint1 x465; ++ uint32_t x466; ++ fiat_secp384r1_uint1 x467; ++ uint32_t x468; ++ fiat_secp384r1_uint1 x469; ++ uint32_t x470; ++ uint32_t x471; ++ uint32_t x472; ++ uint32_t x473; ++ uint32_t x474; ++ uint32_t x475; ++ uint32_t x476; ++ uint32_t x477; ++ uint32_t x478; ++ uint32_t x479; ++ uint32_t x480; ++ uint32_t x481; ++ uint32_t x482; ++ uint32_t x483; ++ uint32_t x484; ++ uint32_t x485; ++ uint32_t x486; ++ uint32_t x487; ++ uint32_t x488; ++ uint32_t x489; ++ uint32_t x490; ++ fiat_secp384r1_uint1 x491; ++ uint32_t x492; ++ fiat_secp384r1_uint1 x493; ++ uint32_t x494; ++ fiat_secp384r1_uint1 x495; ++ uint32_t x496; ++ fiat_secp384r1_uint1 x497; ++ uint32_t x498; ++ fiat_secp384r1_uint1 x499; ++ uint32_t x500; ++ fiat_secp384r1_uint1 x501; ++ uint32_t x502; ++ fiat_secp384r1_uint1 x503; ++ uint32_t x504; ++ fiat_secp384r1_uint1 x505; ++ uint32_t x506; ++ uint32_t x507; ++ fiat_secp384r1_uint1 x508; ++ uint32_t x509; ++ fiat_secp384r1_uint1 x510; ++ uint32_t x511; ++ fiat_secp384r1_uint1 x512; ++ uint32_t x513; ++ fiat_secp384r1_uint1 x514; ++ uint32_t x515; ++ fiat_secp384r1_uint1 x516; ++ uint32_t x517; ++ fiat_secp384r1_uint1 x518; ++ uint32_t x519; ++ fiat_secp384r1_uint1 x520; ++ uint32_t x521; ++ fiat_secp384r1_uint1 x522; ++ uint32_t x523; ++ fiat_secp384r1_uint1 x524; ++ uint32_t x525; ++ fiat_secp384r1_uint1 x526; ++ uint32_t x527; ++ fiat_secp384r1_uint1 x528; ++ uint32_t x529; ++ fiat_secp384r1_uint1 x530; ++ uint32_t x531; ++ fiat_secp384r1_uint1 x532; ++ uint32_t x533; ++ uint32_t x534; ++ uint32_t x535; ++ uint32_t x536; ++ uint32_t x537; ++ uint32_t x538; ++ uint32_t x539; ++ uint32_t x540; ++ uint32_t x541; ++ uint32_t x542; ++ uint32_t x543; ++ uint32_t x544; ++ uint32_t x545; ++ uint32_t x546; ++ uint32_t x547; ++ uint32_t x548; ++ uint32_t x549; ++ uint32_t x550; ++ uint32_t x551; ++ uint32_t x552; ++ uint32_t x553; ++ uint32_t x554; ++ uint32_t x555; ++ uint32_t x556; ++ uint32_t x557; ++ uint32_t x558; ++ fiat_secp384r1_uint1 x559; ++ uint32_t x560; ++ fiat_secp384r1_uint1 x561; ++ uint32_t x562; ++ fiat_secp384r1_uint1 x563; ++ uint32_t x564; ++ fiat_secp384r1_uint1 x565; ++ uint32_t x566; ++ fiat_secp384r1_uint1 x567; ++ uint32_t x568; ++ fiat_secp384r1_uint1 x569; ++ uint32_t x570; ++ fiat_secp384r1_uint1 x571; ++ uint32_t x572; ++ fiat_secp384r1_uint1 x573; ++ uint32_t x574; ++ fiat_secp384r1_uint1 x575; ++ uint32_t x576; ++ fiat_secp384r1_uint1 x577; ++ uint32_t x578; ++ fiat_secp384r1_uint1 x579; ++ uint32_t x580; ++ uint32_t x581; ++ fiat_secp384r1_uint1 x582; ++ uint32_t x583; ++ fiat_secp384r1_uint1 x584; ++ uint32_t x585; ++ fiat_secp384r1_uint1 x586; ++ uint32_t x587; ++ fiat_secp384r1_uint1 x588; ++ uint32_t x589; ++ fiat_secp384r1_uint1 x590; ++ uint32_t x591; ++ fiat_secp384r1_uint1 x592; ++ uint32_t x593; ++ fiat_secp384r1_uint1 x594; ++ uint32_t x595; ++ fiat_secp384r1_uint1 x596; ++ uint32_t x597; ++ fiat_secp384r1_uint1 x598; ++ uint32_t x599; ++ fiat_secp384r1_uint1 x600; ++ uint32_t x601; ++ fiat_secp384r1_uint1 x602; ++ uint32_t x603; ++ fiat_secp384r1_uint1 x604; ++ uint32_t x605; ++ fiat_secp384r1_uint1 x606; ++ uint32_t x607; ++ uint32_t x608; ++ uint32_t x609; ++ uint32_t x610; ++ uint32_t x611; ++ uint32_t x612; ++ uint32_t x613; ++ uint32_t x614; ++ uint32_t x615; ++ uint32_t x616; ++ uint32_t x617; ++ uint32_t x618; ++ uint32_t x619; ++ uint32_t x620; ++ uint32_t x621; ++ uint32_t x622; ++ uint32_t x623; ++ uint32_t x624; ++ uint32_t x625; ++ uint32_t x626; ++ uint32_t x627; ++ fiat_secp384r1_uint1 x628; ++ uint32_t x629; ++ fiat_secp384r1_uint1 x630; ++ uint32_t x631; ++ fiat_secp384r1_uint1 x632; ++ uint32_t x633; ++ fiat_secp384r1_uint1 x634; ++ uint32_t x635; ++ fiat_secp384r1_uint1 x636; ++ uint32_t x637; ++ fiat_secp384r1_uint1 x638; ++ uint32_t x639; ++ fiat_secp384r1_uint1 x640; ++ uint32_t x641; ++ fiat_secp384r1_uint1 x642; ++ uint32_t x643; ++ uint32_t x644; ++ fiat_secp384r1_uint1 x645; ++ uint32_t x646; ++ fiat_secp384r1_uint1 x647; ++ uint32_t x648; ++ fiat_secp384r1_uint1 x649; ++ uint32_t x650; ++ fiat_secp384r1_uint1 x651; ++ uint32_t x652; ++ fiat_secp384r1_uint1 x653; ++ uint32_t x654; ++ fiat_secp384r1_uint1 x655; ++ uint32_t x656; ++ fiat_secp384r1_uint1 x657; ++ uint32_t x658; ++ fiat_secp384r1_uint1 x659; ++ uint32_t x660; ++ fiat_secp384r1_uint1 x661; ++ uint32_t x662; ++ fiat_secp384r1_uint1 x663; ++ uint32_t x664; ++ fiat_secp384r1_uint1 x665; ++ uint32_t x666; ++ fiat_secp384r1_uint1 x667; ++ uint32_t x668; ++ fiat_secp384r1_uint1 x669; ++ uint32_t x670; ++ uint32_t x671; ++ uint32_t x672; ++ uint32_t x673; ++ uint32_t x674; ++ uint32_t x675; ++ uint32_t x676; ++ uint32_t x677; ++ uint32_t x678; ++ uint32_t x679; ++ uint32_t x680; ++ uint32_t x681; ++ uint32_t x682; ++ uint32_t x683; ++ uint32_t x684; ++ uint32_t x685; ++ uint32_t x686; ++ uint32_t x687; ++ uint32_t x688; ++ uint32_t x689; ++ uint32_t x690; ++ uint32_t x691; ++ uint32_t x692; ++ uint32_t x693; ++ uint32_t x694; ++ uint32_t x695; ++ fiat_secp384r1_uint1 x696; ++ uint32_t x697; ++ fiat_secp384r1_uint1 x698; ++ uint32_t x699; ++ fiat_secp384r1_uint1 x700; ++ uint32_t x701; ++ fiat_secp384r1_uint1 x702; ++ uint32_t x703; ++ fiat_secp384r1_uint1 x704; ++ uint32_t x705; ++ fiat_secp384r1_uint1 x706; ++ uint32_t x707; ++ fiat_secp384r1_uint1 x708; ++ uint32_t x709; ++ fiat_secp384r1_uint1 x710; ++ uint32_t x711; ++ fiat_secp384r1_uint1 x712; ++ uint32_t x713; ++ fiat_secp384r1_uint1 x714; ++ uint32_t x715; ++ fiat_secp384r1_uint1 x716; ++ uint32_t x717; ++ uint32_t x718; ++ fiat_secp384r1_uint1 x719; ++ uint32_t x720; ++ fiat_secp384r1_uint1 x721; ++ uint32_t x722; ++ fiat_secp384r1_uint1 x723; ++ uint32_t x724; ++ fiat_secp384r1_uint1 x725; ++ uint32_t x726; ++ fiat_secp384r1_uint1 x727; ++ uint32_t x728; ++ fiat_secp384r1_uint1 x729; ++ uint32_t x730; ++ fiat_secp384r1_uint1 x731; ++ uint32_t x732; ++ fiat_secp384r1_uint1 x733; ++ uint32_t x734; ++ fiat_secp384r1_uint1 x735; ++ uint32_t x736; ++ fiat_secp384r1_uint1 x737; ++ uint32_t x738; ++ fiat_secp384r1_uint1 x739; ++ uint32_t x740; ++ fiat_secp384r1_uint1 x741; ++ uint32_t x742; ++ fiat_secp384r1_uint1 x743; ++ uint32_t x744; ++ uint32_t x745; ++ uint32_t x746; ++ uint32_t x747; ++ uint32_t x748; ++ uint32_t x749; ++ uint32_t x750; ++ uint32_t x751; ++ uint32_t x752; ++ uint32_t x753; ++ uint32_t x754; ++ uint32_t x755; ++ uint32_t x756; ++ uint32_t x757; ++ uint32_t x758; ++ uint32_t x759; ++ uint32_t x760; ++ uint32_t x761; ++ uint32_t x762; ++ uint32_t x763; ++ uint32_t x764; ++ fiat_secp384r1_uint1 x765; ++ uint32_t x766; ++ fiat_secp384r1_uint1 x767; ++ uint32_t x768; ++ fiat_secp384r1_uint1 x769; ++ uint32_t x770; ++ fiat_secp384r1_uint1 x771; ++ uint32_t x772; ++ fiat_secp384r1_uint1 x773; ++ uint32_t x774; ++ fiat_secp384r1_uint1 x775; ++ uint32_t x776; ++ fiat_secp384r1_uint1 x777; ++ uint32_t x778; ++ fiat_secp384r1_uint1 x779; ++ uint32_t x780; ++ uint32_t x781; ++ fiat_secp384r1_uint1 x782; ++ uint32_t x783; ++ fiat_secp384r1_uint1 x784; ++ uint32_t x785; ++ fiat_secp384r1_uint1 x786; ++ uint32_t x787; ++ fiat_secp384r1_uint1 x788; ++ uint32_t x789; ++ fiat_secp384r1_uint1 x790; ++ uint32_t x791; ++ fiat_secp384r1_uint1 x792; ++ uint32_t x793; ++ fiat_secp384r1_uint1 x794; ++ uint32_t x795; ++ fiat_secp384r1_uint1 x796; ++ uint32_t x797; ++ fiat_secp384r1_uint1 x798; ++ uint32_t x799; ++ fiat_secp384r1_uint1 x800; ++ uint32_t x801; ++ fiat_secp384r1_uint1 x802; ++ uint32_t x803; ++ fiat_secp384r1_uint1 x804; ++ uint32_t x805; ++ fiat_secp384r1_uint1 x806; ++ uint32_t x807; ++ uint32_t x808; ++ uint32_t x809; ++ uint32_t x810; ++ uint32_t x811; ++ uint32_t x812; ++ uint32_t x813; ++ uint32_t x814; ++ uint32_t x815; ++ uint32_t x816; ++ uint32_t x817; ++ uint32_t x818; ++ uint32_t x819; ++ uint32_t x820; ++ uint32_t x821; ++ uint32_t x822; ++ uint32_t x823; ++ uint32_t x824; ++ uint32_t x825; ++ uint32_t x826; ++ uint32_t x827; ++ uint32_t x828; ++ uint32_t x829; ++ uint32_t x830; ++ uint32_t x831; ++ uint32_t x832; ++ fiat_secp384r1_uint1 x833; ++ uint32_t x834; ++ fiat_secp384r1_uint1 x835; ++ uint32_t x836; ++ fiat_secp384r1_uint1 x837; ++ uint32_t x838; ++ fiat_secp384r1_uint1 x839; ++ uint32_t x840; ++ fiat_secp384r1_uint1 x841; ++ uint32_t x842; ++ fiat_secp384r1_uint1 x843; ++ uint32_t x844; ++ fiat_secp384r1_uint1 x845; ++ uint32_t x846; ++ fiat_secp384r1_uint1 x847; ++ uint32_t x848; ++ fiat_secp384r1_uint1 x849; ++ uint32_t x850; ++ fiat_secp384r1_uint1 x851; ++ uint32_t x852; ++ fiat_secp384r1_uint1 x853; ++ uint32_t x854; ++ uint32_t x855; ++ fiat_secp384r1_uint1 x856; ++ uint32_t x857; ++ fiat_secp384r1_uint1 x858; ++ uint32_t x859; ++ fiat_secp384r1_uint1 x860; ++ uint32_t x861; ++ fiat_secp384r1_uint1 x862; ++ uint32_t x863; ++ fiat_secp384r1_uint1 x864; ++ uint32_t x865; ++ fiat_secp384r1_uint1 x866; ++ uint32_t x867; ++ fiat_secp384r1_uint1 x868; ++ uint32_t x869; ++ fiat_secp384r1_uint1 x870; ++ uint32_t x871; ++ fiat_secp384r1_uint1 x872; ++ uint32_t x873; ++ fiat_secp384r1_uint1 x874; ++ uint32_t x875; ++ fiat_secp384r1_uint1 x876; ++ uint32_t x877; ++ fiat_secp384r1_uint1 x878; ++ uint32_t x879; ++ fiat_secp384r1_uint1 x880; ++ uint32_t x881; ++ uint32_t x882; ++ uint32_t x883; ++ uint32_t x884; ++ uint32_t x885; ++ uint32_t x886; ++ uint32_t x887; ++ uint32_t x888; ++ uint32_t x889; ++ uint32_t x890; ++ uint32_t x891; ++ uint32_t x892; ++ uint32_t x893; ++ uint32_t x894; ++ uint32_t x895; ++ uint32_t x896; ++ uint32_t x897; ++ uint32_t x898; ++ uint32_t x899; ++ uint32_t x900; ++ uint32_t x901; ++ fiat_secp384r1_uint1 x902; ++ uint32_t x903; ++ fiat_secp384r1_uint1 x904; ++ uint32_t x905; ++ fiat_secp384r1_uint1 x906; ++ uint32_t x907; ++ fiat_secp384r1_uint1 x908; ++ uint32_t x909; ++ fiat_secp384r1_uint1 x910; ++ uint32_t x911; ++ fiat_secp384r1_uint1 x912; ++ uint32_t x913; ++ fiat_secp384r1_uint1 x914; ++ uint32_t x915; ++ fiat_secp384r1_uint1 x916; ++ uint32_t x917; ++ uint32_t x918; ++ fiat_secp384r1_uint1 x919; ++ uint32_t x920; ++ fiat_secp384r1_uint1 x921; ++ uint32_t x922; ++ fiat_secp384r1_uint1 x923; ++ uint32_t x924; ++ fiat_secp384r1_uint1 x925; ++ uint32_t x926; ++ fiat_secp384r1_uint1 x927; ++ uint32_t x928; ++ fiat_secp384r1_uint1 x929; ++ uint32_t x930; ++ fiat_secp384r1_uint1 x931; ++ uint32_t x932; ++ fiat_secp384r1_uint1 x933; ++ uint32_t x934; ++ fiat_secp384r1_uint1 x935; ++ uint32_t x936; ++ fiat_secp384r1_uint1 x937; ++ uint32_t x938; ++ fiat_secp384r1_uint1 x939; ++ uint32_t x940; ++ fiat_secp384r1_uint1 x941; ++ uint32_t x942; ++ fiat_secp384r1_uint1 x943; ++ uint32_t x944; ++ uint32_t x945; ++ uint32_t x946; ++ uint32_t x947; ++ uint32_t x948; ++ uint32_t x949; ++ uint32_t x950; ++ uint32_t x951; ++ uint32_t x952; ++ uint32_t x953; ++ uint32_t x954; ++ uint32_t x955; ++ uint32_t x956; ++ uint32_t x957; ++ uint32_t x958; ++ uint32_t x959; ++ uint32_t x960; ++ uint32_t x961; ++ uint32_t x962; ++ uint32_t x963; ++ uint32_t x964; ++ uint32_t x965; ++ uint32_t x966; ++ uint32_t x967; ++ uint32_t x968; ++ uint32_t x969; ++ fiat_secp384r1_uint1 x970; ++ uint32_t x971; ++ fiat_secp384r1_uint1 x972; ++ uint32_t x973; ++ fiat_secp384r1_uint1 x974; ++ uint32_t x975; ++ fiat_secp384r1_uint1 x976; ++ uint32_t x977; ++ fiat_secp384r1_uint1 x978; ++ uint32_t x979; ++ fiat_secp384r1_uint1 x980; ++ uint32_t x981; ++ fiat_secp384r1_uint1 x982; ++ uint32_t x983; ++ fiat_secp384r1_uint1 x984; ++ uint32_t x985; ++ fiat_secp384r1_uint1 x986; ++ uint32_t x987; ++ fiat_secp384r1_uint1 x988; ++ uint32_t x989; ++ fiat_secp384r1_uint1 x990; ++ uint32_t x991; ++ uint32_t x992; ++ fiat_secp384r1_uint1 x993; ++ uint32_t x994; ++ fiat_secp384r1_uint1 x995; ++ uint32_t x996; ++ fiat_secp384r1_uint1 x997; ++ uint32_t x998; ++ fiat_secp384r1_uint1 x999; ++ uint32_t x1000; ++ fiat_secp384r1_uint1 x1001; ++ uint32_t x1002; ++ fiat_secp384r1_uint1 x1003; ++ uint32_t x1004; ++ fiat_secp384r1_uint1 x1005; ++ uint32_t x1006; ++ fiat_secp384r1_uint1 x1007; ++ uint32_t x1008; ++ fiat_secp384r1_uint1 x1009; ++ uint32_t x1010; ++ fiat_secp384r1_uint1 x1011; ++ uint32_t x1012; ++ fiat_secp384r1_uint1 x1013; ++ uint32_t x1014; ++ fiat_secp384r1_uint1 x1015; ++ uint32_t x1016; ++ fiat_secp384r1_uint1 x1017; ++ uint32_t x1018; ++ uint32_t x1019; ++ uint32_t x1020; ++ uint32_t x1021; ++ uint32_t x1022; ++ uint32_t x1023; ++ uint32_t x1024; ++ uint32_t x1025; ++ uint32_t x1026; ++ uint32_t x1027; ++ uint32_t x1028; ++ uint32_t x1029; ++ uint32_t x1030; ++ uint32_t x1031; ++ uint32_t x1032; ++ uint32_t x1033; ++ uint32_t x1034; ++ uint32_t x1035; ++ uint32_t x1036; ++ uint32_t x1037; ++ uint32_t x1038; ++ fiat_secp384r1_uint1 x1039; ++ uint32_t x1040; ++ fiat_secp384r1_uint1 x1041; ++ uint32_t x1042; ++ fiat_secp384r1_uint1 x1043; ++ uint32_t x1044; ++ fiat_secp384r1_uint1 x1045; ++ uint32_t x1046; ++ fiat_secp384r1_uint1 x1047; ++ uint32_t x1048; ++ fiat_secp384r1_uint1 x1049; ++ uint32_t x1050; ++ fiat_secp384r1_uint1 x1051; ++ uint32_t x1052; ++ fiat_secp384r1_uint1 x1053; ++ uint32_t x1054; ++ uint32_t x1055; ++ fiat_secp384r1_uint1 x1056; ++ uint32_t x1057; ++ fiat_secp384r1_uint1 x1058; ++ uint32_t x1059; ++ fiat_secp384r1_uint1 x1060; ++ uint32_t x1061; ++ fiat_secp384r1_uint1 x1062; ++ uint32_t x1063; ++ fiat_secp384r1_uint1 x1064; ++ uint32_t x1065; ++ fiat_secp384r1_uint1 x1066; ++ uint32_t x1067; ++ fiat_secp384r1_uint1 x1068; ++ uint32_t x1069; ++ fiat_secp384r1_uint1 x1070; ++ uint32_t x1071; ++ fiat_secp384r1_uint1 x1072; ++ uint32_t x1073; ++ fiat_secp384r1_uint1 x1074; ++ uint32_t x1075; ++ fiat_secp384r1_uint1 x1076; ++ uint32_t x1077; ++ fiat_secp384r1_uint1 x1078; ++ uint32_t x1079; ++ fiat_secp384r1_uint1 x1080; ++ uint32_t x1081; ++ uint32_t x1082; ++ uint32_t x1083; ++ uint32_t x1084; ++ uint32_t x1085; ++ uint32_t x1086; ++ uint32_t x1087; ++ uint32_t x1088; ++ uint32_t x1089; ++ uint32_t x1090; ++ uint32_t x1091; ++ uint32_t x1092; ++ uint32_t x1093; ++ uint32_t x1094; ++ uint32_t x1095; ++ uint32_t x1096; ++ uint32_t x1097; ++ uint32_t x1098; ++ uint32_t x1099; ++ uint32_t x1100; ++ uint32_t x1101; ++ uint32_t x1102; ++ uint32_t x1103; ++ uint32_t x1104; ++ uint32_t x1105; ++ uint32_t x1106; ++ fiat_secp384r1_uint1 x1107; ++ uint32_t x1108; ++ fiat_secp384r1_uint1 x1109; ++ uint32_t x1110; ++ fiat_secp384r1_uint1 x1111; ++ uint32_t x1112; ++ fiat_secp384r1_uint1 x1113; ++ uint32_t x1114; ++ fiat_secp384r1_uint1 x1115; ++ uint32_t x1116; ++ fiat_secp384r1_uint1 x1117; ++ uint32_t x1118; ++ fiat_secp384r1_uint1 x1119; ++ uint32_t x1120; ++ fiat_secp384r1_uint1 x1121; ++ uint32_t x1122; ++ fiat_secp384r1_uint1 x1123; ++ uint32_t x1124; ++ fiat_secp384r1_uint1 x1125; ++ uint32_t x1126; ++ fiat_secp384r1_uint1 x1127; ++ uint32_t x1128; ++ uint32_t x1129; ++ fiat_secp384r1_uint1 x1130; ++ uint32_t x1131; ++ fiat_secp384r1_uint1 x1132; ++ uint32_t x1133; ++ fiat_secp384r1_uint1 x1134; ++ uint32_t x1135; ++ fiat_secp384r1_uint1 x1136; ++ uint32_t x1137; ++ fiat_secp384r1_uint1 x1138; ++ uint32_t x1139; ++ fiat_secp384r1_uint1 x1140; ++ uint32_t x1141; ++ fiat_secp384r1_uint1 x1142; ++ uint32_t x1143; ++ fiat_secp384r1_uint1 x1144; ++ uint32_t x1145; ++ fiat_secp384r1_uint1 x1146; ++ uint32_t x1147; ++ fiat_secp384r1_uint1 x1148; ++ uint32_t x1149; ++ fiat_secp384r1_uint1 x1150; ++ uint32_t x1151; ++ fiat_secp384r1_uint1 x1152; ++ uint32_t x1153; ++ fiat_secp384r1_uint1 x1154; ++ uint32_t x1155; ++ uint32_t x1156; ++ uint32_t x1157; ++ uint32_t x1158; ++ uint32_t x1159; ++ uint32_t x1160; ++ uint32_t x1161; ++ uint32_t x1162; ++ uint32_t x1163; ++ uint32_t x1164; ++ uint32_t x1165; ++ uint32_t x1166; ++ uint32_t x1167; ++ uint32_t x1168; ++ uint32_t x1169; ++ uint32_t x1170; ++ uint32_t x1171; ++ uint32_t x1172; ++ uint32_t x1173; ++ uint32_t x1174; ++ uint32_t x1175; ++ fiat_secp384r1_uint1 x1176; ++ uint32_t x1177; ++ fiat_secp384r1_uint1 x1178; ++ uint32_t x1179; ++ fiat_secp384r1_uint1 x1180; ++ uint32_t x1181; ++ fiat_secp384r1_uint1 x1182; ++ uint32_t x1183; ++ fiat_secp384r1_uint1 x1184; ++ uint32_t x1185; ++ fiat_secp384r1_uint1 x1186; ++ uint32_t x1187; ++ fiat_secp384r1_uint1 x1188; ++ uint32_t x1189; ++ fiat_secp384r1_uint1 x1190; ++ uint32_t x1191; ++ uint32_t x1192; ++ fiat_secp384r1_uint1 x1193; ++ uint32_t x1194; ++ fiat_secp384r1_uint1 x1195; ++ uint32_t x1196; ++ fiat_secp384r1_uint1 x1197; ++ uint32_t x1198; ++ fiat_secp384r1_uint1 x1199; ++ uint32_t x1200; ++ fiat_secp384r1_uint1 x1201; ++ uint32_t x1202; ++ fiat_secp384r1_uint1 x1203; ++ uint32_t x1204; ++ fiat_secp384r1_uint1 x1205; ++ uint32_t x1206; ++ fiat_secp384r1_uint1 x1207; ++ uint32_t x1208; ++ fiat_secp384r1_uint1 x1209; ++ uint32_t x1210; ++ fiat_secp384r1_uint1 x1211; ++ uint32_t x1212; ++ fiat_secp384r1_uint1 x1213; ++ uint32_t x1214; ++ fiat_secp384r1_uint1 x1215; ++ uint32_t x1216; ++ fiat_secp384r1_uint1 x1217; ++ uint32_t x1218; ++ uint32_t x1219; ++ uint32_t x1220; ++ uint32_t x1221; ++ uint32_t x1222; ++ uint32_t x1223; ++ uint32_t x1224; ++ uint32_t x1225; ++ uint32_t x1226; ++ uint32_t x1227; ++ uint32_t x1228; ++ uint32_t x1229; ++ uint32_t x1230; ++ uint32_t x1231; ++ uint32_t x1232; ++ uint32_t x1233; ++ uint32_t x1234; ++ uint32_t x1235; ++ uint32_t x1236; ++ uint32_t x1237; ++ uint32_t x1238; ++ uint32_t x1239; ++ uint32_t x1240; ++ uint32_t x1241; ++ uint32_t x1242; ++ uint32_t x1243; ++ fiat_secp384r1_uint1 x1244; ++ uint32_t x1245; ++ fiat_secp384r1_uint1 x1246; ++ uint32_t x1247; ++ fiat_secp384r1_uint1 x1248; ++ uint32_t x1249; ++ fiat_secp384r1_uint1 x1250; ++ uint32_t x1251; ++ fiat_secp384r1_uint1 x1252; ++ uint32_t x1253; ++ fiat_secp384r1_uint1 x1254; ++ uint32_t x1255; ++ fiat_secp384r1_uint1 x1256; ++ uint32_t x1257; ++ fiat_secp384r1_uint1 x1258; ++ uint32_t x1259; ++ fiat_secp384r1_uint1 x1260; ++ uint32_t x1261; ++ fiat_secp384r1_uint1 x1262; ++ uint32_t x1263; ++ fiat_secp384r1_uint1 x1264; ++ uint32_t x1265; ++ uint32_t x1266; ++ fiat_secp384r1_uint1 x1267; ++ uint32_t x1268; ++ fiat_secp384r1_uint1 x1269; ++ uint32_t x1270; ++ fiat_secp384r1_uint1 x1271; ++ uint32_t x1272; ++ fiat_secp384r1_uint1 x1273; ++ uint32_t x1274; ++ fiat_secp384r1_uint1 x1275; ++ uint32_t x1276; ++ fiat_secp384r1_uint1 x1277; ++ uint32_t x1278; ++ fiat_secp384r1_uint1 x1279; ++ uint32_t x1280; ++ fiat_secp384r1_uint1 x1281; ++ uint32_t x1282; ++ fiat_secp384r1_uint1 x1283; ++ uint32_t x1284; ++ fiat_secp384r1_uint1 x1285; ++ uint32_t x1286; ++ fiat_secp384r1_uint1 x1287; ++ uint32_t x1288; ++ fiat_secp384r1_uint1 x1289; ++ uint32_t x1290; ++ fiat_secp384r1_uint1 x1291; ++ uint32_t x1292; ++ uint32_t x1293; ++ uint32_t x1294; ++ uint32_t x1295; ++ uint32_t x1296; ++ uint32_t x1297; ++ uint32_t x1298; ++ uint32_t x1299; ++ uint32_t x1300; ++ uint32_t x1301; ++ uint32_t x1302; ++ uint32_t x1303; ++ uint32_t x1304; ++ uint32_t x1305; ++ uint32_t x1306; ++ uint32_t x1307; ++ uint32_t x1308; ++ uint32_t x1309; ++ uint32_t x1310; ++ uint32_t x1311; ++ uint32_t x1312; ++ fiat_secp384r1_uint1 x1313; ++ uint32_t x1314; ++ fiat_secp384r1_uint1 x1315; ++ uint32_t x1316; ++ fiat_secp384r1_uint1 x1317; ++ uint32_t x1318; ++ fiat_secp384r1_uint1 x1319; ++ uint32_t x1320; ++ fiat_secp384r1_uint1 x1321; ++ uint32_t x1322; ++ fiat_secp384r1_uint1 x1323; ++ uint32_t x1324; ++ fiat_secp384r1_uint1 x1325; ++ uint32_t x1326; ++ fiat_secp384r1_uint1 x1327; ++ uint32_t x1328; ++ uint32_t x1329; ++ fiat_secp384r1_uint1 x1330; ++ uint32_t x1331; ++ fiat_secp384r1_uint1 x1332; ++ uint32_t x1333; ++ fiat_secp384r1_uint1 x1334; ++ uint32_t x1335; ++ fiat_secp384r1_uint1 x1336; ++ uint32_t x1337; ++ fiat_secp384r1_uint1 x1338; ++ uint32_t x1339; ++ fiat_secp384r1_uint1 x1340; ++ uint32_t x1341; ++ fiat_secp384r1_uint1 x1342; ++ uint32_t x1343; ++ fiat_secp384r1_uint1 x1344; ++ uint32_t x1345; ++ fiat_secp384r1_uint1 x1346; ++ uint32_t x1347; ++ fiat_secp384r1_uint1 x1348; ++ uint32_t x1349; ++ fiat_secp384r1_uint1 x1350; ++ uint32_t x1351; ++ fiat_secp384r1_uint1 x1352; ++ uint32_t x1353; ++ fiat_secp384r1_uint1 x1354; ++ uint32_t x1355; ++ uint32_t x1356; ++ uint32_t x1357; ++ uint32_t x1358; ++ uint32_t x1359; ++ uint32_t x1360; ++ uint32_t x1361; ++ uint32_t x1362; ++ uint32_t x1363; ++ uint32_t x1364; ++ uint32_t x1365; ++ uint32_t x1366; ++ uint32_t x1367; ++ uint32_t x1368; ++ uint32_t x1369; ++ uint32_t x1370; ++ uint32_t x1371; ++ uint32_t x1372; ++ uint32_t x1373; ++ uint32_t x1374; ++ uint32_t x1375; ++ uint32_t x1376; ++ uint32_t x1377; ++ uint32_t x1378; ++ uint32_t x1379; ++ uint32_t x1380; ++ fiat_secp384r1_uint1 x1381; ++ uint32_t x1382; ++ fiat_secp384r1_uint1 x1383; ++ uint32_t x1384; ++ fiat_secp384r1_uint1 x1385; ++ uint32_t x1386; ++ fiat_secp384r1_uint1 x1387; ++ uint32_t x1388; ++ fiat_secp384r1_uint1 x1389; ++ uint32_t x1390; ++ fiat_secp384r1_uint1 x1391; ++ uint32_t x1392; ++ fiat_secp384r1_uint1 x1393; ++ uint32_t x1394; ++ fiat_secp384r1_uint1 x1395; ++ uint32_t x1396; ++ fiat_secp384r1_uint1 x1397; ++ uint32_t x1398; ++ fiat_secp384r1_uint1 x1399; ++ uint32_t x1400; ++ fiat_secp384r1_uint1 x1401; ++ uint32_t x1402; ++ uint32_t x1403; ++ fiat_secp384r1_uint1 x1404; ++ uint32_t x1405; ++ fiat_secp384r1_uint1 x1406; ++ uint32_t x1407; ++ fiat_secp384r1_uint1 x1408; ++ uint32_t x1409; ++ fiat_secp384r1_uint1 x1410; ++ uint32_t x1411; ++ fiat_secp384r1_uint1 x1412; ++ uint32_t x1413; ++ fiat_secp384r1_uint1 x1414; ++ uint32_t x1415; ++ fiat_secp384r1_uint1 x1416; ++ uint32_t x1417; ++ fiat_secp384r1_uint1 x1418; ++ uint32_t x1419; ++ fiat_secp384r1_uint1 x1420; ++ uint32_t x1421; ++ fiat_secp384r1_uint1 x1422; ++ uint32_t x1423; ++ fiat_secp384r1_uint1 x1424; ++ uint32_t x1425; ++ fiat_secp384r1_uint1 x1426; ++ uint32_t x1427; ++ fiat_secp384r1_uint1 x1428; ++ uint32_t x1429; ++ uint32_t x1430; ++ uint32_t x1431; ++ uint32_t x1432; ++ uint32_t x1433; ++ uint32_t x1434; ++ uint32_t x1435; ++ uint32_t x1436; ++ uint32_t x1437; ++ uint32_t x1438; ++ uint32_t x1439; ++ uint32_t x1440; ++ uint32_t x1441; ++ uint32_t x1442; ++ uint32_t x1443; ++ uint32_t x1444; ++ uint32_t x1445; ++ uint32_t x1446; ++ uint32_t x1447; ++ uint32_t x1448; ++ uint32_t x1449; ++ fiat_secp384r1_uint1 x1450; ++ uint32_t x1451; ++ fiat_secp384r1_uint1 x1452; ++ uint32_t x1453; ++ fiat_secp384r1_uint1 x1454; ++ uint32_t x1455; ++ fiat_secp384r1_uint1 x1456; ++ uint32_t x1457; ++ fiat_secp384r1_uint1 x1458; ++ uint32_t x1459; ++ fiat_secp384r1_uint1 x1460; ++ uint32_t x1461; ++ fiat_secp384r1_uint1 x1462; ++ uint32_t x1463; ++ fiat_secp384r1_uint1 x1464; ++ uint32_t x1465; ++ uint32_t x1466; ++ fiat_secp384r1_uint1 x1467; ++ uint32_t x1468; ++ fiat_secp384r1_uint1 x1469; ++ uint32_t x1470; ++ fiat_secp384r1_uint1 x1471; ++ uint32_t x1472; ++ fiat_secp384r1_uint1 x1473; ++ uint32_t x1474; ++ fiat_secp384r1_uint1 x1475; ++ uint32_t x1476; ++ fiat_secp384r1_uint1 x1477; ++ uint32_t x1478; ++ fiat_secp384r1_uint1 x1479; ++ uint32_t x1480; ++ fiat_secp384r1_uint1 x1481; ++ uint32_t x1482; ++ fiat_secp384r1_uint1 x1483; ++ uint32_t x1484; ++ fiat_secp384r1_uint1 x1485; ++ uint32_t x1486; ++ fiat_secp384r1_uint1 x1487; ++ uint32_t x1488; ++ fiat_secp384r1_uint1 x1489; ++ uint32_t x1490; ++ fiat_secp384r1_uint1 x1491; ++ uint32_t x1492; ++ uint32_t x1493; ++ uint32_t x1494; ++ uint32_t x1495; ++ uint32_t x1496; ++ uint32_t x1497; ++ uint32_t x1498; ++ uint32_t x1499; ++ uint32_t x1500; ++ uint32_t x1501; ++ uint32_t x1502; ++ uint32_t x1503; ++ uint32_t x1504; ++ uint32_t x1505; ++ uint32_t x1506; ++ uint32_t x1507; ++ uint32_t x1508; ++ uint32_t x1509; ++ uint32_t x1510; ++ uint32_t x1511; ++ uint32_t x1512; ++ uint32_t x1513; ++ uint32_t x1514; ++ uint32_t x1515; ++ uint32_t x1516; ++ uint32_t x1517; ++ fiat_secp384r1_uint1 x1518; ++ uint32_t x1519; ++ fiat_secp384r1_uint1 x1520; ++ uint32_t x1521; ++ fiat_secp384r1_uint1 x1522; ++ uint32_t x1523; ++ fiat_secp384r1_uint1 x1524; ++ uint32_t x1525; ++ fiat_secp384r1_uint1 x1526; ++ uint32_t x1527; ++ fiat_secp384r1_uint1 x1528; ++ uint32_t x1529; ++ fiat_secp384r1_uint1 x1530; ++ uint32_t x1531; ++ fiat_secp384r1_uint1 x1532; ++ uint32_t x1533; ++ fiat_secp384r1_uint1 x1534; ++ uint32_t x1535; ++ fiat_secp384r1_uint1 x1536; ++ uint32_t x1537; ++ fiat_secp384r1_uint1 x1538; ++ uint32_t x1539; ++ uint32_t x1540; ++ fiat_secp384r1_uint1 x1541; ++ uint32_t x1542; ++ fiat_secp384r1_uint1 x1543; ++ uint32_t x1544; ++ fiat_secp384r1_uint1 x1545; ++ uint32_t x1546; ++ fiat_secp384r1_uint1 x1547; ++ uint32_t x1548; ++ fiat_secp384r1_uint1 x1549; ++ uint32_t x1550; ++ fiat_secp384r1_uint1 x1551; ++ uint32_t x1552; ++ fiat_secp384r1_uint1 x1553; ++ uint32_t x1554; ++ fiat_secp384r1_uint1 x1555; ++ uint32_t x1556; ++ fiat_secp384r1_uint1 x1557; ++ uint32_t x1558; ++ fiat_secp384r1_uint1 x1559; ++ uint32_t x1560; ++ fiat_secp384r1_uint1 x1561; ++ uint32_t x1562; ++ fiat_secp384r1_uint1 x1563; ++ uint32_t x1564; ++ fiat_secp384r1_uint1 x1565; ++ uint32_t x1566; ++ uint32_t x1567; ++ uint32_t x1568; ++ uint32_t x1569; ++ uint32_t x1570; ++ uint32_t x1571; ++ uint32_t x1572; ++ uint32_t x1573; ++ uint32_t x1574; ++ uint32_t x1575; ++ uint32_t x1576; ++ uint32_t x1577; ++ uint32_t x1578; ++ uint32_t x1579; ++ uint32_t x1580; ++ uint32_t x1581; ++ uint32_t x1582; ++ uint32_t x1583; ++ uint32_t x1584; ++ uint32_t x1585; ++ uint32_t x1586; ++ fiat_secp384r1_uint1 x1587; ++ uint32_t x1588; ++ fiat_secp384r1_uint1 x1589; ++ uint32_t x1590; ++ fiat_secp384r1_uint1 x1591; ++ uint32_t x1592; ++ fiat_secp384r1_uint1 x1593; ++ uint32_t x1594; ++ fiat_secp384r1_uint1 x1595; ++ uint32_t x1596; ++ fiat_secp384r1_uint1 x1597; ++ uint32_t x1598; ++ fiat_secp384r1_uint1 x1599; ++ uint32_t x1600; ++ fiat_secp384r1_uint1 x1601; ++ uint32_t x1602; ++ uint32_t x1603; ++ fiat_secp384r1_uint1 x1604; ++ uint32_t x1605; ++ fiat_secp384r1_uint1 x1606; ++ uint32_t x1607; ++ fiat_secp384r1_uint1 x1608; ++ uint32_t x1609; ++ fiat_secp384r1_uint1 x1610; ++ uint32_t x1611; ++ fiat_secp384r1_uint1 x1612; ++ uint32_t x1613; ++ fiat_secp384r1_uint1 x1614; ++ uint32_t x1615; ++ fiat_secp384r1_uint1 x1616; ++ uint32_t x1617; ++ fiat_secp384r1_uint1 x1618; ++ uint32_t x1619; ++ fiat_secp384r1_uint1 x1620; ++ uint32_t x1621; ++ fiat_secp384r1_uint1 x1622; ++ uint32_t x1623; ++ fiat_secp384r1_uint1 x1624; ++ uint32_t x1625; ++ fiat_secp384r1_uint1 x1626; ++ uint32_t x1627; ++ fiat_secp384r1_uint1 x1628; ++ uint32_t x1629; ++ uint32_t x1630; ++ fiat_secp384r1_uint1 x1631; ++ uint32_t x1632; ++ fiat_secp384r1_uint1 x1633; ++ uint32_t x1634; ++ fiat_secp384r1_uint1 x1635; ++ uint32_t x1636; ++ fiat_secp384r1_uint1 x1637; ++ uint32_t x1638; ++ fiat_secp384r1_uint1 x1639; ++ uint32_t x1640; ++ fiat_secp384r1_uint1 x1641; ++ uint32_t x1642; ++ fiat_secp384r1_uint1 x1643; ++ uint32_t x1644; ++ fiat_secp384r1_uint1 x1645; ++ uint32_t x1646; ++ fiat_secp384r1_uint1 x1647; ++ uint32_t x1648; ++ fiat_secp384r1_uint1 x1649; ++ uint32_t x1650; ++ fiat_secp384r1_uint1 x1651; ++ uint32_t x1652; ++ fiat_secp384r1_uint1 x1653; ++ uint32_t x1654; ++ fiat_secp384r1_uint1 x1655; ++ uint32_t x1656; ++ uint32_t x1657; ++ uint32_t x1658; ++ uint32_t x1659; ++ uint32_t x1660; ++ uint32_t x1661; ++ uint32_t x1662; ++ uint32_t x1663; ++ uint32_t x1664; ++ uint32_t x1665; ++ uint32_t x1666; ++ uint32_t x1667; ++ x1 = (arg1[1]); ++ x2 = (arg1[2]); ++ x3 = (arg1[3]); ++ x4 = (arg1[4]); ++ x5 = (arg1[5]); ++ x6 = (arg1[6]); ++ x7 = (arg1[7]); ++ x8 = (arg1[8]); ++ x9 = (arg1[9]); ++ x10 = (arg1[10]); ++ x11 = (arg1[11]); ++ x12 = (arg1[0]); ++ fiat_secp384r1_mulx_u32(&x13, &x14, x12, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x15, &x16, x12, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x17, &x18, x12, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x19, &x20, x12, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x21, &x22, x12, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x23, &x24, x12, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x25, &x26, x12, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x27, &x28, x12, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x29, &x30, x12, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x31, &x32, x12, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x33, &x34, x12, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x35, &x36, x12, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x37, &x38, 0x0, x36, x33); ++ fiat_secp384r1_addcarryx_u32(&x39, &x40, x38, x34, x31); ++ fiat_secp384r1_addcarryx_u32(&x41, &x42, x40, x32, x29); ++ fiat_secp384r1_addcarryx_u32(&x43, &x44, x42, x30, x27); ++ fiat_secp384r1_addcarryx_u32(&x45, &x46, x44, x28, x25); ++ fiat_secp384r1_addcarryx_u32(&x47, &x48, x46, x26, x23); ++ fiat_secp384r1_addcarryx_u32(&x49, &x50, x48, x24, x21); ++ fiat_secp384r1_addcarryx_u32(&x51, &x52, x50, x22, x19); ++ fiat_secp384r1_addcarryx_u32(&x53, &x54, x52, x20, x17); ++ fiat_secp384r1_addcarryx_u32(&x55, &x56, x54, x18, x15); ++ fiat_secp384r1_addcarryx_u32(&x57, &x58, x56, x16, x13); ++ x59 = (x58 + x14); ++ fiat_secp384r1_mulx_u32(&x60, &x61, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x62, &x63, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x64, &x65, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x66, &x67, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x68, &x69, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x70, &x71, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x72, &x73, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x74, &x75, x35, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x76, &x77, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x78, &x79, x35, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x80, &x81, 0x0, x77, x74); ++ fiat_secp384r1_addcarryx_u32(&x82, &x83, x81, x75, x72); ++ fiat_secp384r1_addcarryx_u32(&x84, &x85, x83, x73, x70); ++ fiat_secp384r1_addcarryx_u32(&x86, &x87, x85, x71, x68); ++ fiat_secp384r1_addcarryx_u32(&x88, &x89, x87, x69, x66); ++ fiat_secp384r1_addcarryx_u32(&x90, &x91, x89, x67, x64); ++ fiat_secp384r1_addcarryx_u32(&x92, &x93, x91, x65, x62); ++ fiat_secp384r1_addcarryx_u32(&x94, &x95, x93, x63, x60); ++ x96 = (x95 + x61); ++ fiat_secp384r1_addcarryx_u32(&x97, &x98, 0x0, x35, x78); ++ fiat_secp384r1_addcarryx_u32(&x99, &x100, x98, x37, x79); ++ fiat_secp384r1_addcarryx_u32(&x101, &x102, x100, x39, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x103, &x104, x102, x41, x76); ++ fiat_secp384r1_addcarryx_u32(&x105, &x106, x104, x43, x80); ++ fiat_secp384r1_addcarryx_u32(&x107, &x108, x106, x45, x82); ++ fiat_secp384r1_addcarryx_u32(&x109, &x110, x108, x47, x84); ++ fiat_secp384r1_addcarryx_u32(&x111, &x112, x110, x49, x86); ++ fiat_secp384r1_addcarryx_u32(&x113, &x114, x112, x51, x88); ++ fiat_secp384r1_addcarryx_u32(&x115, &x116, x114, x53, x90); ++ fiat_secp384r1_addcarryx_u32(&x117, &x118, x116, x55, x92); ++ fiat_secp384r1_addcarryx_u32(&x119, &x120, x118, x57, x94); ++ fiat_secp384r1_addcarryx_u32(&x121, &x122, x120, x59, x96); ++ fiat_secp384r1_mulx_u32(&x123, &x124, x1, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x125, &x126, x1, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x127, &x128, x1, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x129, &x130, x1, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x131, &x132, x1, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x133, &x134, x1, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x135, &x136, x1, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x137, &x138, x1, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x139, &x140, x1, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x141, &x142, x1, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x143, &x144, x1, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x145, &x146, x1, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x147, &x148, 0x0, x146, x143); ++ fiat_secp384r1_addcarryx_u32(&x149, &x150, x148, x144, x141); ++ fiat_secp384r1_addcarryx_u32(&x151, &x152, x150, x142, x139); ++ fiat_secp384r1_addcarryx_u32(&x153, &x154, x152, x140, x137); ++ fiat_secp384r1_addcarryx_u32(&x155, &x156, x154, x138, x135); ++ fiat_secp384r1_addcarryx_u32(&x157, &x158, x156, x136, x133); ++ fiat_secp384r1_addcarryx_u32(&x159, &x160, x158, x134, x131); ++ fiat_secp384r1_addcarryx_u32(&x161, &x162, x160, x132, x129); ++ fiat_secp384r1_addcarryx_u32(&x163, &x164, x162, x130, x127); ++ fiat_secp384r1_addcarryx_u32(&x165, &x166, x164, x128, x125); ++ fiat_secp384r1_addcarryx_u32(&x167, &x168, x166, x126, x123); ++ x169 = (x168 + x124); ++ fiat_secp384r1_addcarryx_u32(&x170, &x171, 0x0, x99, x145); ++ fiat_secp384r1_addcarryx_u32(&x172, &x173, x171, x101, x147); ++ fiat_secp384r1_addcarryx_u32(&x174, &x175, x173, x103, x149); ++ fiat_secp384r1_addcarryx_u32(&x176, &x177, x175, x105, x151); ++ fiat_secp384r1_addcarryx_u32(&x178, &x179, x177, x107, x153); ++ fiat_secp384r1_addcarryx_u32(&x180, &x181, x179, x109, x155); ++ fiat_secp384r1_addcarryx_u32(&x182, &x183, x181, x111, x157); ++ fiat_secp384r1_addcarryx_u32(&x184, &x185, x183, x113, x159); ++ fiat_secp384r1_addcarryx_u32(&x186, &x187, x185, x115, x161); ++ fiat_secp384r1_addcarryx_u32(&x188, &x189, x187, x117, x163); ++ fiat_secp384r1_addcarryx_u32(&x190, &x191, x189, x119, x165); ++ fiat_secp384r1_addcarryx_u32(&x192, &x193, x191, x121, x167); ++ fiat_secp384r1_addcarryx_u32(&x194, &x195, x193, x122, x169); ++ fiat_secp384r1_mulx_u32(&x196, &x197, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x198, &x199, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x200, &x201, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x202, &x203, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x204, &x205, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x206, &x207, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x208, &x209, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x210, &x211, x170, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x212, &x213, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x214, &x215, x170, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x216, &x217, 0x0, x213, x210); ++ fiat_secp384r1_addcarryx_u32(&x218, &x219, x217, x211, x208); ++ fiat_secp384r1_addcarryx_u32(&x220, &x221, x219, x209, x206); ++ fiat_secp384r1_addcarryx_u32(&x222, &x223, x221, x207, x204); ++ fiat_secp384r1_addcarryx_u32(&x224, &x225, x223, x205, x202); ++ fiat_secp384r1_addcarryx_u32(&x226, &x227, x225, x203, x200); ++ fiat_secp384r1_addcarryx_u32(&x228, &x229, x227, x201, x198); ++ fiat_secp384r1_addcarryx_u32(&x230, &x231, x229, x199, x196); ++ x232 = (x231 + x197); ++ fiat_secp384r1_addcarryx_u32(&x233, &x234, 0x0, x170, x214); ++ fiat_secp384r1_addcarryx_u32(&x235, &x236, x234, x172, x215); ++ fiat_secp384r1_addcarryx_u32(&x237, &x238, x236, x174, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x239, &x240, x238, x176, x212); ++ fiat_secp384r1_addcarryx_u32(&x241, &x242, x240, x178, x216); ++ fiat_secp384r1_addcarryx_u32(&x243, &x244, x242, x180, x218); ++ fiat_secp384r1_addcarryx_u32(&x245, &x246, x244, x182, x220); ++ fiat_secp384r1_addcarryx_u32(&x247, &x248, x246, x184, x222); ++ fiat_secp384r1_addcarryx_u32(&x249, &x250, x248, x186, x224); ++ fiat_secp384r1_addcarryx_u32(&x251, &x252, x250, x188, x226); ++ fiat_secp384r1_addcarryx_u32(&x253, &x254, x252, x190, x228); ++ fiat_secp384r1_addcarryx_u32(&x255, &x256, x254, x192, x230); ++ fiat_secp384r1_addcarryx_u32(&x257, &x258, x256, x194, x232); ++ x259 = ((uint32_t)x258 + x195); ++ fiat_secp384r1_mulx_u32(&x260, &x261, x2, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x262, &x263, x2, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x264, &x265, x2, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x266, &x267, x2, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x268, &x269, x2, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x270, &x271, x2, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x272, &x273, x2, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x274, &x275, x2, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x276, &x277, x2, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x278, &x279, x2, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x280, &x281, x2, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x282, &x283, x2, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x284, &x285, 0x0, x283, x280); ++ fiat_secp384r1_addcarryx_u32(&x286, &x287, x285, x281, x278); ++ fiat_secp384r1_addcarryx_u32(&x288, &x289, x287, x279, x276); ++ fiat_secp384r1_addcarryx_u32(&x290, &x291, x289, x277, x274); ++ fiat_secp384r1_addcarryx_u32(&x292, &x293, x291, x275, x272); ++ fiat_secp384r1_addcarryx_u32(&x294, &x295, x293, x273, x270); ++ fiat_secp384r1_addcarryx_u32(&x296, &x297, x295, x271, x268); ++ fiat_secp384r1_addcarryx_u32(&x298, &x299, x297, x269, x266); ++ fiat_secp384r1_addcarryx_u32(&x300, &x301, x299, x267, x264); ++ fiat_secp384r1_addcarryx_u32(&x302, &x303, x301, x265, x262); ++ fiat_secp384r1_addcarryx_u32(&x304, &x305, x303, x263, x260); ++ x306 = (x305 + x261); ++ fiat_secp384r1_addcarryx_u32(&x307, &x308, 0x0, x235, x282); ++ fiat_secp384r1_addcarryx_u32(&x309, &x310, x308, x237, x284); ++ fiat_secp384r1_addcarryx_u32(&x311, &x312, x310, x239, x286); ++ fiat_secp384r1_addcarryx_u32(&x313, &x314, x312, x241, x288); ++ fiat_secp384r1_addcarryx_u32(&x315, &x316, x314, x243, x290); ++ fiat_secp384r1_addcarryx_u32(&x317, &x318, x316, x245, x292); ++ fiat_secp384r1_addcarryx_u32(&x319, &x320, x318, x247, x294); ++ fiat_secp384r1_addcarryx_u32(&x321, &x322, x320, x249, x296); ++ fiat_secp384r1_addcarryx_u32(&x323, &x324, x322, x251, x298); ++ fiat_secp384r1_addcarryx_u32(&x325, &x326, x324, x253, x300); ++ fiat_secp384r1_addcarryx_u32(&x327, &x328, x326, x255, x302); ++ fiat_secp384r1_addcarryx_u32(&x329, &x330, x328, x257, x304); ++ fiat_secp384r1_addcarryx_u32(&x331, &x332, x330, x259, x306); ++ fiat_secp384r1_mulx_u32(&x333, &x334, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x335, &x336, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x337, &x338, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x339, &x340, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x341, &x342, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x343, &x344, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x345, &x346, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x347, &x348, x307, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x349, &x350, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x351, &x352, x307, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x353, &x354, 0x0, x350, x347); ++ fiat_secp384r1_addcarryx_u32(&x355, &x356, x354, x348, x345); ++ fiat_secp384r1_addcarryx_u32(&x357, &x358, x356, x346, x343); ++ fiat_secp384r1_addcarryx_u32(&x359, &x360, x358, x344, x341); ++ fiat_secp384r1_addcarryx_u32(&x361, &x362, x360, x342, x339); ++ fiat_secp384r1_addcarryx_u32(&x363, &x364, x362, x340, x337); ++ fiat_secp384r1_addcarryx_u32(&x365, &x366, x364, x338, x335); ++ fiat_secp384r1_addcarryx_u32(&x367, &x368, x366, x336, x333); ++ x369 = (x368 + x334); ++ fiat_secp384r1_addcarryx_u32(&x370, &x371, 0x0, x307, x351); ++ fiat_secp384r1_addcarryx_u32(&x372, &x373, x371, x309, x352); ++ fiat_secp384r1_addcarryx_u32(&x374, &x375, x373, x311, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x376, &x377, x375, x313, x349); ++ fiat_secp384r1_addcarryx_u32(&x378, &x379, x377, x315, x353); ++ fiat_secp384r1_addcarryx_u32(&x380, &x381, x379, x317, x355); ++ fiat_secp384r1_addcarryx_u32(&x382, &x383, x381, x319, x357); ++ fiat_secp384r1_addcarryx_u32(&x384, &x385, x383, x321, x359); ++ fiat_secp384r1_addcarryx_u32(&x386, &x387, x385, x323, x361); ++ fiat_secp384r1_addcarryx_u32(&x388, &x389, x387, x325, x363); ++ fiat_secp384r1_addcarryx_u32(&x390, &x391, x389, x327, x365); ++ fiat_secp384r1_addcarryx_u32(&x392, &x393, x391, x329, x367); ++ fiat_secp384r1_addcarryx_u32(&x394, &x395, x393, x331, x369); ++ x396 = ((uint32_t)x395 + x332); ++ fiat_secp384r1_mulx_u32(&x397, &x398, x3, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x399, &x400, x3, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x401, &x402, x3, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x403, &x404, x3, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x405, &x406, x3, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x407, &x408, x3, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x409, &x410, x3, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x411, &x412, x3, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x413, &x414, x3, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x415, &x416, x3, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x417, &x418, x3, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x419, &x420, x3, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x421, &x422, 0x0, x420, x417); ++ fiat_secp384r1_addcarryx_u32(&x423, &x424, x422, x418, x415); ++ fiat_secp384r1_addcarryx_u32(&x425, &x426, x424, x416, x413); ++ fiat_secp384r1_addcarryx_u32(&x427, &x428, x426, x414, x411); ++ fiat_secp384r1_addcarryx_u32(&x429, &x430, x428, x412, x409); ++ fiat_secp384r1_addcarryx_u32(&x431, &x432, x430, x410, x407); ++ fiat_secp384r1_addcarryx_u32(&x433, &x434, x432, x408, x405); ++ fiat_secp384r1_addcarryx_u32(&x435, &x436, x434, x406, x403); ++ fiat_secp384r1_addcarryx_u32(&x437, &x438, x436, x404, x401); ++ fiat_secp384r1_addcarryx_u32(&x439, &x440, x438, x402, x399); ++ fiat_secp384r1_addcarryx_u32(&x441, &x442, x440, x400, x397); ++ x443 = (x442 + x398); ++ fiat_secp384r1_addcarryx_u32(&x444, &x445, 0x0, x372, x419); ++ fiat_secp384r1_addcarryx_u32(&x446, &x447, x445, x374, x421); ++ fiat_secp384r1_addcarryx_u32(&x448, &x449, x447, x376, x423); ++ fiat_secp384r1_addcarryx_u32(&x450, &x451, x449, x378, x425); ++ fiat_secp384r1_addcarryx_u32(&x452, &x453, x451, x380, x427); ++ fiat_secp384r1_addcarryx_u32(&x454, &x455, x453, x382, x429); ++ fiat_secp384r1_addcarryx_u32(&x456, &x457, x455, x384, x431); ++ fiat_secp384r1_addcarryx_u32(&x458, &x459, x457, x386, x433); ++ fiat_secp384r1_addcarryx_u32(&x460, &x461, x459, x388, x435); ++ fiat_secp384r1_addcarryx_u32(&x462, &x463, x461, x390, x437); ++ fiat_secp384r1_addcarryx_u32(&x464, &x465, x463, x392, x439); ++ fiat_secp384r1_addcarryx_u32(&x466, &x467, x465, x394, x441); ++ fiat_secp384r1_addcarryx_u32(&x468, &x469, x467, x396, x443); ++ fiat_secp384r1_mulx_u32(&x470, &x471, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x472, &x473, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x474, &x475, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x476, &x477, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x478, &x479, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x480, &x481, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x482, &x483, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x484, &x485, x444, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x486, &x487, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x488, &x489, x444, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x490, &x491, 0x0, x487, x484); ++ fiat_secp384r1_addcarryx_u32(&x492, &x493, x491, x485, x482); ++ fiat_secp384r1_addcarryx_u32(&x494, &x495, x493, x483, x480); ++ fiat_secp384r1_addcarryx_u32(&x496, &x497, x495, x481, x478); ++ fiat_secp384r1_addcarryx_u32(&x498, &x499, x497, x479, x476); ++ fiat_secp384r1_addcarryx_u32(&x500, &x501, x499, x477, x474); ++ fiat_secp384r1_addcarryx_u32(&x502, &x503, x501, x475, x472); ++ fiat_secp384r1_addcarryx_u32(&x504, &x505, x503, x473, x470); ++ x506 = (x505 + x471); ++ fiat_secp384r1_addcarryx_u32(&x507, &x508, 0x0, x444, x488); ++ fiat_secp384r1_addcarryx_u32(&x509, &x510, x508, x446, x489); ++ fiat_secp384r1_addcarryx_u32(&x511, &x512, x510, x448, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x513, &x514, x512, x450, x486); ++ fiat_secp384r1_addcarryx_u32(&x515, &x516, x514, x452, x490); ++ fiat_secp384r1_addcarryx_u32(&x517, &x518, x516, x454, x492); ++ fiat_secp384r1_addcarryx_u32(&x519, &x520, x518, x456, x494); ++ fiat_secp384r1_addcarryx_u32(&x521, &x522, x520, x458, x496); ++ fiat_secp384r1_addcarryx_u32(&x523, &x524, x522, x460, x498); ++ fiat_secp384r1_addcarryx_u32(&x525, &x526, x524, x462, x500); ++ fiat_secp384r1_addcarryx_u32(&x527, &x528, x526, x464, x502); ++ fiat_secp384r1_addcarryx_u32(&x529, &x530, x528, x466, x504); ++ fiat_secp384r1_addcarryx_u32(&x531, &x532, x530, x468, x506); ++ x533 = ((uint32_t)x532 + x469); ++ fiat_secp384r1_mulx_u32(&x534, &x535, x4, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x536, &x537, x4, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x538, &x539, x4, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x540, &x541, x4, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x542, &x543, x4, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x544, &x545, x4, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x546, &x547, x4, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x548, &x549, x4, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x550, &x551, x4, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x552, &x553, x4, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x554, &x555, x4, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x556, &x557, x4, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x558, &x559, 0x0, x557, x554); ++ fiat_secp384r1_addcarryx_u32(&x560, &x561, x559, x555, x552); ++ fiat_secp384r1_addcarryx_u32(&x562, &x563, x561, x553, x550); ++ fiat_secp384r1_addcarryx_u32(&x564, &x565, x563, x551, x548); ++ fiat_secp384r1_addcarryx_u32(&x566, &x567, x565, x549, x546); ++ fiat_secp384r1_addcarryx_u32(&x568, &x569, x567, x547, x544); ++ fiat_secp384r1_addcarryx_u32(&x570, &x571, x569, x545, x542); ++ fiat_secp384r1_addcarryx_u32(&x572, &x573, x571, x543, x540); ++ fiat_secp384r1_addcarryx_u32(&x574, &x575, x573, x541, x538); ++ fiat_secp384r1_addcarryx_u32(&x576, &x577, x575, x539, x536); ++ fiat_secp384r1_addcarryx_u32(&x578, &x579, x577, x537, x534); ++ x580 = (x579 + x535); ++ fiat_secp384r1_addcarryx_u32(&x581, &x582, 0x0, x509, x556); ++ fiat_secp384r1_addcarryx_u32(&x583, &x584, x582, x511, x558); ++ fiat_secp384r1_addcarryx_u32(&x585, &x586, x584, x513, x560); ++ fiat_secp384r1_addcarryx_u32(&x587, &x588, x586, x515, x562); ++ fiat_secp384r1_addcarryx_u32(&x589, &x590, x588, x517, x564); ++ fiat_secp384r1_addcarryx_u32(&x591, &x592, x590, x519, x566); ++ fiat_secp384r1_addcarryx_u32(&x593, &x594, x592, x521, x568); ++ fiat_secp384r1_addcarryx_u32(&x595, &x596, x594, x523, x570); ++ fiat_secp384r1_addcarryx_u32(&x597, &x598, x596, x525, x572); ++ fiat_secp384r1_addcarryx_u32(&x599, &x600, x598, x527, x574); ++ fiat_secp384r1_addcarryx_u32(&x601, &x602, x600, x529, x576); ++ fiat_secp384r1_addcarryx_u32(&x603, &x604, x602, x531, x578); ++ fiat_secp384r1_addcarryx_u32(&x605, &x606, x604, x533, x580); ++ fiat_secp384r1_mulx_u32(&x607, &x608, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x609, &x610, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x611, &x612, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x613, &x614, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x615, &x616, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x617, &x618, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x619, &x620, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x621, &x622, x581, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x623, &x624, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x625, &x626, x581, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x627, &x628, 0x0, x624, x621); ++ fiat_secp384r1_addcarryx_u32(&x629, &x630, x628, x622, x619); ++ fiat_secp384r1_addcarryx_u32(&x631, &x632, x630, x620, x617); ++ fiat_secp384r1_addcarryx_u32(&x633, &x634, x632, x618, x615); ++ fiat_secp384r1_addcarryx_u32(&x635, &x636, x634, x616, x613); ++ fiat_secp384r1_addcarryx_u32(&x637, &x638, x636, x614, x611); ++ fiat_secp384r1_addcarryx_u32(&x639, &x640, x638, x612, x609); ++ fiat_secp384r1_addcarryx_u32(&x641, &x642, x640, x610, x607); ++ x643 = (x642 + x608); ++ fiat_secp384r1_addcarryx_u32(&x644, &x645, 0x0, x581, x625); ++ fiat_secp384r1_addcarryx_u32(&x646, &x647, x645, x583, x626); ++ fiat_secp384r1_addcarryx_u32(&x648, &x649, x647, x585, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x650, &x651, x649, x587, x623); ++ fiat_secp384r1_addcarryx_u32(&x652, &x653, x651, x589, x627); ++ fiat_secp384r1_addcarryx_u32(&x654, &x655, x653, x591, x629); ++ fiat_secp384r1_addcarryx_u32(&x656, &x657, x655, x593, x631); ++ fiat_secp384r1_addcarryx_u32(&x658, &x659, x657, x595, x633); ++ fiat_secp384r1_addcarryx_u32(&x660, &x661, x659, x597, x635); ++ fiat_secp384r1_addcarryx_u32(&x662, &x663, x661, x599, x637); ++ fiat_secp384r1_addcarryx_u32(&x664, &x665, x663, x601, x639); ++ fiat_secp384r1_addcarryx_u32(&x666, &x667, x665, x603, x641); ++ fiat_secp384r1_addcarryx_u32(&x668, &x669, x667, x605, x643); ++ x670 = ((uint32_t)x669 + x606); ++ fiat_secp384r1_mulx_u32(&x671, &x672, x5, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x673, &x674, x5, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x675, &x676, x5, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x677, &x678, x5, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x679, &x680, x5, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x681, &x682, x5, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x683, &x684, x5, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x685, &x686, x5, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x687, &x688, x5, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x689, &x690, x5, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x691, &x692, x5, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x693, &x694, x5, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x695, &x696, 0x0, x694, x691); ++ fiat_secp384r1_addcarryx_u32(&x697, &x698, x696, x692, x689); ++ fiat_secp384r1_addcarryx_u32(&x699, &x700, x698, x690, x687); ++ fiat_secp384r1_addcarryx_u32(&x701, &x702, x700, x688, x685); ++ fiat_secp384r1_addcarryx_u32(&x703, &x704, x702, x686, x683); ++ fiat_secp384r1_addcarryx_u32(&x705, &x706, x704, x684, x681); ++ fiat_secp384r1_addcarryx_u32(&x707, &x708, x706, x682, x679); ++ fiat_secp384r1_addcarryx_u32(&x709, &x710, x708, x680, x677); ++ fiat_secp384r1_addcarryx_u32(&x711, &x712, x710, x678, x675); ++ fiat_secp384r1_addcarryx_u32(&x713, &x714, x712, x676, x673); ++ fiat_secp384r1_addcarryx_u32(&x715, &x716, x714, x674, x671); ++ x717 = (x716 + x672); ++ fiat_secp384r1_addcarryx_u32(&x718, &x719, 0x0, x646, x693); ++ fiat_secp384r1_addcarryx_u32(&x720, &x721, x719, x648, x695); ++ fiat_secp384r1_addcarryx_u32(&x722, &x723, x721, x650, x697); ++ fiat_secp384r1_addcarryx_u32(&x724, &x725, x723, x652, x699); ++ fiat_secp384r1_addcarryx_u32(&x726, &x727, x725, x654, x701); ++ fiat_secp384r1_addcarryx_u32(&x728, &x729, x727, x656, x703); ++ fiat_secp384r1_addcarryx_u32(&x730, &x731, x729, x658, x705); ++ fiat_secp384r1_addcarryx_u32(&x732, &x733, x731, x660, x707); ++ fiat_secp384r1_addcarryx_u32(&x734, &x735, x733, x662, x709); ++ fiat_secp384r1_addcarryx_u32(&x736, &x737, x735, x664, x711); ++ fiat_secp384r1_addcarryx_u32(&x738, &x739, x737, x666, x713); ++ fiat_secp384r1_addcarryx_u32(&x740, &x741, x739, x668, x715); ++ fiat_secp384r1_addcarryx_u32(&x742, &x743, x741, x670, x717); ++ fiat_secp384r1_mulx_u32(&x744, &x745, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x746, &x747, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x748, &x749, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x750, &x751, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x752, &x753, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x754, &x755, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x756, &x757, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x758, &x759, x718, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x760, &x761, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x762, &x763, x718, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x764, &x765, 0x0, x761, x758); ++ fiat_secp384r1_addcarryx_u32(&x766, &x767, x765, x759, x756); ++ fiat_secp384r1_addcarryx_u32(&x768, &x769, x767, x757, x754); ++ fiat_secp384r1_addcarryx_u32(&x770, &x771, x769, x755, x752); ++ fiat_secp384r1_addcarryx_u32(&x772, &x773, x771, x753, x750); ++ fiat_secp384r1_addcarryx_u32(&x774, &x775, x773, x751, x748); ++ fiat_secp384r1_addcarryx_u32(&x776, &x777, x775, x749, x746); ++ fiat_secp384r1_addcarryx_u32(&x778, &x779, x777, x747, x744); ++ x780 = (x779 + x745); ++ fiat_secp384r1_addcarryx_u32(&x781, &x782, 0x0, x718, x762); ++ fiat_secp384r1_addcarryx_u32(&x783, &x784, x782, x720, x763); ++ fiat_secp384r1_addcarryx_u32(&x785, &x786, x784, x722, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x787, &x788, x786, x724, x760); ++ fiat_secp384r1_addcarryx_u32(&x789, &x790, x788, x726, x764); ++ fiat_secp384r1_addcarryx_u32(&x791, &x792, x790, x728, x766); ++ fiat_secp384r1_addcarryx_u32(&x793, &x794, x792, x730, x768); ++ fiat_secp384r1_addcarryx_u32(&x795, &x796, x794, x732, x770); ++ fiat_secp384r1_addcarryx_u32(&x797, &x798, x796, x734, x772); ++ fiat_secp384r1_addcarryx_u32(&x799, &x800, x798, x736, x774); ++ fiat_secp384r1_addcarryx_u32(&x801, &x802, x800, x738, x776); ++ fiat_secp384r1_addcarryx_u32(&x803, &x804, x802, x740, x778); ++ fiat_secp384r1_addcarryx_u32(&x805, &x806, x804, x742, x780); ++ x807 = ((uint32_t)x806 + x743); ++ fiat_secp384r1_mulx_u32(&x808, &x809, x6, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x810, &x811, x6, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x812, &x813, x6, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x814, &x815, x6, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x816, &x817, x6, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x818, &x819, x6, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x820, &x821, x6, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x822, &x823, x6, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x824, &x825, x6, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x826, &x827, x6, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x828, &x829, x6, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x830, &x831, x6, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x832, &x833, 0x0, x831, x828); ++ fiat_secp384r1_addcarryx_u32(&x834, &x835, x833, x829, x826); ++ fiat_secp384r1_addcarryx_u32(&x836, &x837, x835, x827, x824); ++ fiat_secp384r1_addcarryx_u32(&x838, &x839, x837, x825, x822); ++ fiat_secp384r1_addcarryx_u32(&x840, &x841, x839, x823, x820); ++ fiat_secp384r1_addcarryx_u32(&x842, &x843, x841, x821, x818); ++ fiat_secp384r1_addcarryx_u32(&x844, &x845, x843, x819, x816); ++ fiat_secp384r1_addcarryx_u32(&x846, &x847, x845, x817, x814); ++ fiat_secp384r1_addcarryx_u32(&x848, &x849, x847, x815, x812); ++ fiat_secp384r1_addcarryx_u32(&x850, &x851, x849, x813, x810); ++ fiat_secp384r1_addcarryx_u32(&x852, &x853, x851, x811, x808); ++ x854 = (x853 + x809); ++ fiat_secp384r1_addcarryx_u32(&x855, &x856, 0x0, x783, x830); ++ fiat_secp384r1_addcarryx_u32(&x857, &x858, x856, x785, x832); ++ fiat_secp384r1_addcarryx_u32(&x859, &x860, x858, x787, x834); ++ fiat_secp384r1_addcarryx_u32(&x861, &x862, x860, x789, x836); ++ fiat_secp384r1_addcarryx_u32(&x863, &x864, x862, x791, x838); ++ fiat_secp384r1_addcarryx_u32(&x865, &x866, x864, x793, x840); ++ fiat_secp384r1_addcarryx_u32(&x867, &x868, x866, x795, x842); ++ fiat_secp384r1_addcarryx_u32(&x869, &x870, x868, x797, x844); ++ fiat_secp384r1_addcarryx_u32(&x871, &x872, x870, x799, x846); ++ fiat_secp384r1_addcarryx_u32(&x873, &x874, x872, x801, x848); ++ fiat_secp384r1_addcarryx_u32(&x875, &x876, x874, x803, x850); ++ fiat_secp384r1_addcarryx_u32(&x877, &x878, x876, x805, x852); ++ fiat_secp384r1_addcarryx_u32(&x879, &x880, x878, x807, x854); ++ fiat_secp384r1_mulx_u32(&x881, &x882, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x883, &x884, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x885, &x886, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x887, &x888, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x889, &x890, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x891, &x892, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x893, &x894, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x895, &x896, x855, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x897, &x898, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x899, &x900, x855, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x901, &x902, 0x0, x898, x895); ++ fiat_secp384r1_addcarryx_u32(&x903, &x904, x902, x896, x893); ++ fiat_secp384r1_addcarryx_u32(&x905, &x906, x904, x894, x891); ++ fiat_secp384r1_addcarryx_u32(&x907, &x908, x906, x892, x889); ++ fiat_secp384r1_addcarryx_u32(&x909, &x910, x908, x890, x887); ++ fiat_secp384r1_addcarryx_u32(&x911, &x912, x910, x888, x885); ++ fiat_secp384r1_addcarryx_u32(&x913, &x914, x912, x886, x883); ++ fiat_secp384r1_addcarryx_u32(&x915, &x916, x914, x884, x881); ++ x917 = (x916 + x882); ++ fiat_secp384r1_addcarryx_u32(&x918, &x919, 0x0, x855, x899); ++ fiat_secp384r1_addcarryx_u32(&x920, &x921, x919, x857, x900); ++ fiat_secp384r1_addcarryx_u32(&x922, &x923, x921, x859, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x924, &x925, x923, x861, x897); ++ fiat_secp384r1_addcarryx_u32(&x926, &x927, x925, x863, x901); ++ fiat_secp384r1_addcarryx_u32(&x928, &x929, x927, x865, x903); ++ fiat_secp384r1_addcarryx_u32(&x930, &x931, x929, x867, x905); ++ fiat_secp384r1_addcarryx_u32(&x932, &x933, x931, x869, x907); ++ fiat_secp384r1_addcarryx_u32(&x934, &x935, x933, x871, x909); ++ fiat_secp384r1_addcarryx_u32(&x936, &x937, x935, x873, x911); ++ fiat_secp384r1_addcarryx_u32(&x938, &x939, x937, x875, x913); ++ fiat_secp384r1_addcarryx_u32(&x940, &x941, x939, x877, x915); ++ fiat_secp384r1_addcarryx_u32(&x942, &x943, x941, x879, x917); ++ x944 = ((uint32_t)x943 + x880); ++ fiat_secp384r1_mulx_u32(&x945, &x946, x7, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x947, &x948, x7, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x949, &x950, x7, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x951, &x952, x7, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x953, &x954, x7, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x955, &x956, x7, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x957, &x958, x7, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x959, &x960, x7, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x961, &x962, x7, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x963, &x964, x7, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x965, &x966, x7, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x967, &x968, x7, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x969, &x970, 0x0, x968, x965); ++ fiat_secp384r1_addcarryx_u32(&x971, &x972, x970, x966, x963); ++ fiat_secp384r1_addcarryx_u32(&x973, &x974, x972, x964, x961); ++ fiat_secp384r1_addcarryx_u32(&x975, &x976, x974, x962, x959); ++ fiat_secp384r1_addcarryx_u32(&x977, &x978, x976, x960, x957); ++ fiat_secp384r1_addcarryx_u32(&x979, &x980, x978, x958, x955); ++ fiat_secp384r1_addcarryx_u32(&x981, &x982, x980, x956, x953); ++ fiat_secp384r1_addcarryx_u32(&x983, &x984, x982, x954, x951); ++ fiat_secp384r1_addcarryx_u32(&x985, &x986, x984, x952, x949); ++ fiat_secp384r1_addcarryx_u32(&x987, &x988, x986, x950, x947); ++ fiat_secp384r1_addcarryx_u32(&x989, &x990, x988, x948, x945); ++ x991 = (x990 + x946); ++ fiat_secp384r1_addcarryx_u32(&x992, &x993, 0x0, x920, x967); ++ fiat_secp384r1_addcarryx_u32(&x994, &x995, x993, x922, x969); ++ fiat_secp384r1_addcarryx_u32(&x996, &x997, x995, x924, x971); ++ fiat_secp384r1_addcarryx_u32(&x998, &x999, x997, x926, x973); ++ fiat_secp384r1_addcarryx_u32(&x1000, &x1001, x999, x928, x975); ++ fiat_secp384r1_addcarryx_u32(&x1002, &x1003, x1001, x930, x977); ++ fiat_secp384r1_addcarryx_u32(&x1004, &x1005, x1003, x932, x979); ++ fiat_secp384r1_addcarryx_u32(&x1006, &x1007, x1005, x934, x981); ++ fiat_secp384r1_addcarryx_u32(&x1008, &x1009, x1007, x936, x983); ++ fiat_secp384r1_addcarryx_u32(&x1010, &x1011, x1009, x938, x985); ++ fiat_secp384r1_addcarryx_u32(&x1012, &x1013, x1011, x940, x987); ++ fiat_secp384r1_addcarryx_u32(&x1014, &x1015, x1013, x942, x989); ++ fiat_secp384r1_addcarryx_u32(&x1016, &x1017, x1015, x944, x991); ++ fiat_secp384r1_mulx_u32(&x1018, &x1019, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1020, &x1021, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1022, &x1023, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1024, &x1025, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1026, &x1027, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1028, &x1029, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1030, &x1031, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1032, &x1033, x992, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1034, &x1035, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1036, &x1037, x992, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1038, &x1039, 0x0, x1035, x1032); ++ fiat_secp384r1_addcarryx_u32(&x1040, &x1041, x1039, x1033, x1030); ++ fiat_secp384r1_addcarryx_u32(&x1042, &x1043, x1041, x1031, x1028); ++ fiat_secp384r1_addcarryx_u32(&x1044, &x1045, x1043, x1029, x1026); ++ fiat_secp384r1_addcarryx_u32(&x1046, &x1047, x1045, x1027, x1024); ++ fiat_secp384r1_addcarryx_u32(&x1048, &x1049, x1047, x1025, x1022); ++ fiat_secp384r1_addcarryx_u32(&x1050, &x1051, x1049, x1023, x1020); ++ fiat_secp384r1_addcarryx_u32(&x1052, &x1053, x1051, x1021, x1018); ++ x1054 = (x1053 + x1019); ++ fiat_secp384r1_addcarryx_u32(&x1055, &x1056, 0x0, x992, x1036); ++ fiat_secp384r1_addcarryx_u32(&x1057, &x1058, x1056, x994, x1037); ++ fiat_secp384r1_addcarryx_u32(&x1059, &x1060, x1058, x996, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1061, &x1062, x1060, x998, x1034); ++ fiat_secp384r1_addcarryx_u32(&x1063, &x1064, x1062, x1000, x1038); ++ fiat_secp384r1_addcarryx_u32(&x1065, &x1066, x1064, x1002, x1040); ++ fiat_secp384r1_addcarryx_u32(&x1067, &x1068, x1066, x1004, x1042); ++ fiat_secp384r1_addcarryx_u32(&x1069, &x1070, x1068, x1006, x1044); ++ fiat_secp384r1_addcarryx_u32(&x1071, &x1072, x1070, x1008, x1046); ++ fiat_secp384r1_addcarryx_u32(&x1073, &x1074, x1072, x1010, x1048); ++ fiat_secp384r1_addcarryx_u32(&x1075, &x1076, x1074, x1012, x1050); ++ fiat_secp384r1_addcarryx_u32(&x1077, &x1078, x1076, x1014, x1052); ++ fiat_secp384r1_addcarryx_u32(&x1079, &x1080, x1078, x1016, x1054); ++ x1081 = ((uint32_t)x1080 + x1017); ++ fiat_secp384r1_mulx_u32(&x1082, &x1083, x8, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x1084, &x1085, x8, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x1086, &x1087, x8, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x1088, &x1089, x8, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x1090, &x1091, x8, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x1092, &x1093, x8, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x1094, &x1095, x8, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x1096, &x1097, x8, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x1098, &x1099, x8, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x1100, &x1101, x8, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x1102, &x1103, x8, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x1104, &x1105, x8, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x1106, &x1107, 0x0, x1105, x1102); ++ fiat_secp384r1_addcarryx_u32(&x1108, &x1109, x1107, x1103, x1100); ++ fiat_secp384r1_addcarryx_u32(&x1110, &x1111, x1109, x1101, x1098); ++ fiat_secp384r1_addcarryx_u32(&x1112, &x1113, x1111, x1099, x1096); ++ fiat_secp384r1_addcarryx_u32(&x1114, &x1115, x1113, x1097, x1094); ++ fiat_secp384r1_addcarryx_u32(&x1116, &x1117, x1115, x1095, x1092); ++ fiat_secp384r1_addcarryx_u32(&x1118, &x1119, x1117, x1093, x1090); ++ fiat_secp384r1_addcarryx_u32(&x1120, &x1121, x1119, x1091, x1088); ++ fiat_secp384r1_addcarryx_u32(&x1122, &x1123, x1121, x1089, x1086); ++ fiat_secp384r1_addcarryx_u32(&x1124, &x1125, x1123, x1087, x1084); ++ fiat_secp384r1_addcarryx_u32(&x1126, &x1127, x1125, x1085, x1082); ++ x1128 = (x1127 + x1083); ++ fiat_secp384r1_addcarryx_u32(&x1129, &x1130, 0x0, x1057, x1104); ++ fiat_secp384r1_addcarryx_u32(&x1131, &x1132, x1130, x1059, x1106); ++ fiat_secp384r1_addcarryx_u32(&x1133, &x1134, x1132, x1061, x1108); ++ fiat_secp384r1_addcarryx_u32(&x1135, &x1136, x1134, x1063, x1110); ++ fiat_secp384r1_addcarryx_u32(&x1137, &x1138, x1136, x1065, x1112); ++ fiat_secp384r1_addcarryx_u32(&x1139, &x1140, x1138, x1067, x1114); ++ fiat_secp384r1_addcarryx_u32(&x1141, &x1142, x1140, x1069, x1116); ++ fiat_secp384r1_addcarryx_u32(&x1143, &x1144, x1142, x1071, x1118); ++ fiat_secp384r1_addcarryx_u32(&x1145, &x1146, x1144, x1073, x1120); ++ fiat_secp384r1_addcarryx_u32(&x1147, &x1148, x1146, x1075, x1122); ++ fiat_secp384r1_addcarryx_u32(&x1149, &x1150, x1148, x1077, x1124); ++ fiat_secp384r1_addcarryx_u32(&x1151, &x1152, x1150, x1079, x1126); ++ fiat_secp384r1_addcarryx_u32(&x1153, &x1154, x1152, x1081, x1128); ++ fiat_secp384r1_mulx_u32(&x1155, &x1156, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1157, &x1158, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1159, &x1160, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1161, &x1162, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1163, &x1164, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1165, &x1166, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1167, &x1168, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1169, &x1170, x1129, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1171, &x1172, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1173, &x1174, x1129, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1175, &x1176, 0x0, x1172, x1169); ++ fiat_secp384r1_addcarryx_u32(&x1177, &x1178, x1176, x1170, x1167); ++ fiat_secp384r1_addcarryx_u32(&x1179, &x1180, x1178, x1168, x1165); ++ fiat_secp384r1_addcarryx_u32(&x1181, &x1182, x1180, x1166, x1163); ++ fiat_secp384r1_addcarryx_u32(&x1183, &x1184, x1182, x1164, x1161); ++ fiat_secp384r1_addcarryx_u32(&x1185, &x1186, x1184, x1162, x1159); ++ fiat_secp384r1_addcarryx_u32(&x1187, &x1188, x1186, x1160, x1157); ++ fiat_secp384r1_addcarryx_u32(&x1189, &x1190, x1188, x1158, x1155); ++ x1191 = (x1190 + x1156); ++ fiat_secp384r1_addcarryx_u32(&x1192, &x1193, 0x0, x1129, x1173); ++ fiat_secp384r1_addcarryx_u32(&x1194, &x1195, x1193, x1131, x1174); ++ fiat_secp384r1_addcarryx_u32(&x1196, &x1197, x1195, x1133, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1198, &x1199, x1197, x1135, x1171); ++ fiat_secp384r1_addcarryx_u32(&x1200, &x1201, x1199, x1137, x1175); ++ fiat_secp384r1_addcarryx_u32(&x1202, &x1203, x1201, x1139, x1177); ++ fiat_secp384r1_addcarryx_u32(&x1204, &x1205, x1203, x1141, x1179); ++ fiat_secp384r1_addcarryx_u32(&x1206, &x1207, x1205, x1143, x1181); ++ fiat_secp384r1_addcarryx_u32(&x1208, &x1209, x1207, x1145, x1183); ++ fiat_secp384r1_addcarryx_u32(&x1210, &x1211, x1209, x1147, x1185); ++ fiat_secp384r1_addcarryx_u32(&x1212, &x1213, x1211, x1149, x1187); ++ fiat_secp384r1_addcarryx_u32(&x1214, &x1215, x1213, x1151, x1189); ++ fiat_secp384r1_addcarryx_u32(&x1216, &x1217, x1215, x1153, x1191); ++ x1218 = ((uint32_t)x1217 + x1154); ++ fiat_secp384r1_mulx_u32(&x1219, &x1220, x9, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x1221, &x1222, x9, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x1223, &x1224, x9, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x1225, &x1226, x9, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x1227, &x1228, x9, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x1229, &x1230, x9, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x1231, &x1232, x9, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x1233, &x1234, x9, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x1235, &x1236, x9, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x1237, &x1238, x9, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x1239, &x1240, x9, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x1241, &x1242, x9, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x1243, &x1244, 0x0, x1242, x1239); ++ fiat_secp384r1_addcarryx_u32(&x1245, &x1246, x1244, x1240, x1237); ++ fiat_secp384r1_addcarryx_u32(&x1247, &x1248, x1246, x1238, x1235); ++ fiat_secp384r1_addcarryx_u32(&x1249, &x1250, x1248, x1236, x1233); ++ fiat_secp384r1_addcarryx_u32(&x1251, &x1252, x1250, x1234, x1231); ++ fiat_secp384r1_addcarryx_u32(&x1253, &x1254, x1252, x1232, x1229); ++ fiat_secp384r1_addcarryx_u32(&x1255, &x1256, x1254, x1230, x1227); ++ fiat_secp384r1_addcarryx_u32(&x1257, &x1258, x1256, x1228, x1225); ++ fiat_secp384r1_addcarryx_u32(&x1259, &x1260, x1258, x1226, x1223); ++ fiat_secp384r1_addcarryx_u32(&x1261, &x1262, x1260, x1224, x1221); ++ fiat_secp384r1_addcarryx_u32(&x1263, &x1264, x1262, x1222, x1219); ++ x1265 = (x1264 + x1220); ++ fiat_secp384r1_addcarryx_u32(&x1266, &x1267, 0x0, x1194, x1241); ++ fiat_secp384r1_addcarryx_u32(&x1268, &x1269, x1267, x1196, x1243); ++ fiat_secp384r1_addcarryx_u32(&x1270, &x1271, x1269, x1198, x1245); ++ fiat_secp384r1_addcarryx_u32(&x1272, &x1273, x1271, x1200, x1247); ++ fiat_secp384r1_addcarryx_u32(&x1274, &x1275, x1273, x1202, x1249); ++ fiat_secp384r1_addcarryx_u32(&x1276, &x1277, x1275, x1204, x1251); ++ fiat_secp384r1_addcarryx_u32(&x1278, &x1279, x1277, x1206, x1253); ++ fiat_secp384r1_addcarryx_u32(&x1280, &x1281, x1279, x1208, x1255); ++ fiat_secp384r1_addcarryx_u32(&x1282, &x1283, x1281, x1210, x1257); ++ fiat_secp384r1_addcarryx_u32(&x1284, &x1285, x1283, x1212, x1259); ++ fiat_secp384r1_addcarryx_u32(&x1286, &x1287, x1285, x1214, x1261); ++ fiat_secp384r1_addcarryx_u32(&x1288, &x1289, x1287, x1216, x1263); ++ fiat_secp384r1_addcarryx_u32(&x1290, &x1291, x1289, x1218, x1265); ++ fiat_secp384r1_mulx_u32(&x1292, &x1293, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1294, &x1295, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1296, &x1297, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1298, &x1299, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1300, &x1301, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1302, &x1303, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1304, &x1305, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1306, &x1307, x1266, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1308, &x1309, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1310, &x1311, x1266, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1312, &x1313, 0x0, x1309, x1306); ++ fiat_secp384r1_addcarryx_u32(&x1314, &x1315, x1313, x1307, x1304); ++ fiat_secp384r1_addcarryx_u32(&x1316, &x1317, x1315, x1305, x1302); ++ fiat_secp384r1_addcarryx_u32(&x1318, &x1319, x1317, x1303, x1300); ++ fiat_secp384r1_addcarryx_u32(&x1320, &x1321, x1319, x1301, x1298); ++ fiat_secp384r1_addcarryx_u32(&x1322, &x1323, x1321, x1299, x1296); ++ fiat_secp384r1_addcarryx_u32(&x1324, &x1325, x1323, x1297, x1294); ++ fiat_secp384r1_addcarryx_u32(&x1326, &x1327, x1325, x1295, x1292); ++ x1328 = (x1327 + x1293); ++ fiat_secp384r1_addcarryx_u32(&x1329, &x1330, 0x0, x1266, x1310); ++ fiat_secp384r1_addcarryx_u32(&x1331, &x1332, x1330, x1268, x1311); ++ fiat_secp384r1_addcarryx_u32(&x1333, &x1334, x1332, x1270, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1335, &x1336, x1334, x1272, x1308); ++ fiat_secp384r1_addcarryx_u32(&x1337, &x1338, x1336, x1274, x1312); ++ fiat_secp384r1_addcarryx_u32(&x1339, &x1340, x1338, x1276, x1314); ++ fiat_secp384r1_addcarryx_u32(&x1341, &x1342, x1340, x1278, x1316); ++ fiat_secp384r1_addcarryx_u32(&x1343, &x1344, x1342, x1280, x1318); ++ fiat_secp384r1_addcarryx_u32(&x1345, &x1346, x1344, x1282, x1320); ++ fiat_secp384r1_addcarryx_u32(&x1347, &x1348, x1346, x1284, x1322); ++ fiat_secp384r1_addcarryx_u32(&x1349, &x1350, x1348, x1286, x1324); ++ fiat_secp384r1_addcarryx_u32(&x1351, &x1352, x1350, x1288, x1326); ++ fiat_secp384r1_addcarryx_u32(&x1353, &x1354, x1352, x1290, x1328); ++ x1355 = ((uint32_t)x1354 + x1291); ++ fiat_secp384r1_mulx_u32(&x1356, &x1357, x10, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x1358, &x1359, x10, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x1360, &x1361, x10, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x1362, &x1363, x10, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x1364, &x1365, x10, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x1366, &x1367, x10, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x1368, &x1369, x10, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x1370, &x1371, x10, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x1372, &x1373, x10, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x1374, &x1375, x10, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x1376, &x1377, x10, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x1378, &x1379, x10, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x1380, &x1381, 0x0, x1379, x1376); ++ fiat_secp384r1_addcarryx_u32(&x1382, &x1383, x1381, x1377, x1374); ++ fiat_secp384r1_addcarryx_u32(&x1384, &x1385, x1383, x1375, x1372); ++ fiat_secp384r1_addcarryx_u32(&x1386, &x1387, x1385, x1373, x1370); ++ fiat_secp384r1_addcarryx_u32(&x1388, &x1389, x1387, x1371, x1368); ++ fiat_secp384r1_addcarryx_u32(&x1390, &x1391, x1389, x1369, x1366); ++ fiat_secp384r1_addcarryx_u32(&x1392, &x1393, x1391, x1367, x1364); ++ fiat_secp384r1_addcarryx_u32(&x1394, &x1395, x1393, x1365, x1362); ++ fiat_secp384r1_addcarryx_u32(&x1396, &x1397, x1395, x1363, x1360); ++ fiat_secp384r1_addcarryx_u32(&x1398, &x1399, x1397, x1361, x1358); ++ fiat_secp384r1_addcarryx_u32(&x1400, &x1401, x1399, x1359, x1356); ++ x1402 = (x1401 + x1357); ++ fiat_secp384r1_addcarryx_u32(&x1403, &x1404, 0x0, x1331, x1378); ++ fiat_secp384r1_addcarryx_u32(&x1405, &x1406, x1404, x1333, x1380); ++ fiat_secp384r1_addcarryx_u32(&x1407, &x1408, x1406, x1335, x1382); ++ fiat_secp384r1_addcarryx_u32(&x1409, &x1410, x1408, x1337, x1384); ++ fiat_secp384r1_addcarryx_u32(&x1411, &x1412, x1410, x1339, x1386); ++ fiat_secp384r1_addcarryx_u32(&x1413, &x1414, x1412, x1341, x1388); ++ fiat_secp384r1_addcarryx_u32(&x1415, &x1416, x1414, x1343, x1390); ++ fiat_secp384r1_addcarryx_u32(&x1417, &x1418, x1416, x1345, x1392); ++ fiat_secp384r1_addcarryx_u32(&x1419, &x1420, x1418, x1347, x1394); ++ fiat_secp384r1_addcarryx_u32(&x1421, &x1422, x1420, x1349, x1396); ++ fiat_secp384r1_addcarryx_u32(&x1423, &x1424, x1422, x1351, x1398); ++ fiat_secp384r1_addcarryx_u32(&x1425, &x1426, x1424, x1353, x1400); ++ fiat_secp384r1_addcarryx_u32(&x1427, &x1428, x1426, x1355, x1402); ++ fiat_secp384r1_mulx_u32(&x1429, &x1430, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1431, &x1432, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1433, &x1434, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1435, &x1436, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1437, &x1438, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1439, &x1440, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1441, &x1442, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1443, &x1444, x1403, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1445, &x1446, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1447, &x1448, x1403, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1449, &x1450, 0x0, x1446, x1443); ++ fiat_secp384r1_addcarryx_u32(&x1451, &x1452, x1450, x1444, x1441); ++ fiat_secp384r1_addcarryx_u32(&x1453, &x1454, x1452, x1442, x1439); ++ fiat_secp384r1_addcarryx_u32(&x1455, &x1456, x1454, x1440, x1437); ++ fiat_secp384r1_addcarryx_u32(&x1457, &x1458, x1456, x1438, x1435); ++ fiat_secp384r1_addcarryx_u32(&x1459, &x1460, x1458, x1436, x1433); ++ fiat_secp384r1_addcarryx_u32(&x1461, &x1462, x1460, x1434, x1431); ++ fiat_secp384r1_addcarryx_u32(&x1463, &x1464, x1462, x1432, x1429); ++ x1465 = (x1464 + x1430); ++ fiat_secp384r1_addcarryx_u32(&x1466, &x1467, 0x0, x1403, x1447); ++ fiat_secp384r1_addcarryx_u32(&x1468, &x1469, x1467, x1405, x1448); ++ fiat_secp384r1_addcarryx_u32(&x1470, &x1471, x1469, x1407, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1472, &x1473, x1471, x1409, x1445); ++ fiat_secp384r1_addcarryx_u32(&x1474, &x1475, x1473, x1411, x1449); ++ fiat_secp384r1_addcarryx_u32(&x1476, &x1477, x1475, x1413, x1451); ++ fiat_secp384r1_addcarryx_u32(&x1478, &x1479, x1477, x1415, x1453); ++ fiat_secp384r1_addcarryx_u32(&x1480, &x1481, x1479, x1417, x1455); ++ fiat_secp384r1_addcarryx_u32(&x1482, &x1483, x1481, x1419, x1457); ++ fiat_secp384r1_addcarryx_u32(&x1484, &x1485, x1483, x1421, x1459); ++ fiat_secp384r1_addcarryx_u32(&x1486, &x1487, x1485, x1423, x1461); ++ fiat_secp384r1_addcarryx_u32(&x1488, &x1489, x1487, x1425, x1463); ++ fiat_secp384r1_addcarryx_u32(&x1490, &x1491, x1489, x1427, x1465); ++ x1492 = ((uint32_t)x1491 + x1428); ++ fiat_secp384r1_mulx_u32(&x1493, &x1494, x11, (arg1[11])); ++ fiat_secp384r1_mulx_u32(&x1495, &x1496, x11, (arg1[10])); ++ fiat_secp384r1_mulx_u32(&x1497, &x1498, x11, (arg1[9])); ++ fiat_secp384r1_mulx_u32(&x1499, &x1500, x11, (arg1[8])); ++ fiat_secp384r1_mulx_u32(&x1501, &x1502, x11, (arg1[7])); ++ fiat_secp384r1_mulx_u32(&x1503, &x1504, x11, (arg1[6])); ++ fiat_secp384r1_mulx_u32(&x1505, &x1506, x11, (arg1[5])); ++ fiat_secp384r1_mulx_u32(&x1507, &x1508, x11, (arg1[4])); ++ fiat_secp384r1_mulx_u32(&x1509, &x1510, x11, (arg1[3])); ++ fiat_secp384r1_mulx_u32(&x1511, &x1512, x11, (arg1[2])); ++ fiat_secp384r1_mulx_u32(&x1513, &x1514, x11, (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x1515, &x1516, x11, (arg1[0])); ++ fiat_secp384r1_addcarryx_u32(&x1517, &x1518, 0x0, x1516, x1513); ++ fiat_secp384r1_addcarryx_u32(&x1519, &x1520, x1518, x1514, x1511); ++ fiat_secp384r1_addcarryx_u32(&x1521, &x1522, x1520, x1512, x1509); ++ fiat_secp384r1_addcarryx_u32(&x1523, &x1524, x1522, x1510, x1507); ++ fiat_secp384r1_addcarryx_u32(&x1525, &x1526, x1524, x1508, x1505); ++ fiat_secp384r1_addcarryx_u32(&x1527, &x1528, x1526, x1506, x1503); ++ fiat_secp384r1_addcarryx_u32(&x1529, &x1530, x1528, x1504, x1501); ++ fiat_secp384r1_addcarryx_u32(&x1531, &x1532, x1530, x1502, x1499); ++ fiat_secp384r1_addcarryx_u32(&x1533, &x1534, x1532, x1500, x1497); ++ fiat_secp384r1_addcarryx_u32(&x1535, &x1536, x1534, x1498, x1495); ++ fiat_secp384r1_addcarryx_u32(&x1537, &x1538, x1536, x1496, x1493); ++ x1539 = (x1538 + x1494); ++ fiat_secp384r1_addcarryx_u32(&x1540, &x1541, 0x0, x1468, x1515); ++ fiat_secp384r1_addcarryx_u32(&x1542, &x1543, x1541, x1470, x1517); ++ fiat_secp384r1_addcarryx_u32(&x1544, &x1545, x1543, x1472, x1519); ++ fiat_secp384r1_addcarryx_u32(&x1546, &x1547, x1545, x1474, x1521); ++ fiat_secp384r1_addcarryx_u32(&x1548, &x1549, x1547, x1476, x1523); ++ fiat_secp384r1_addcarryx_u32(&x1550, &x1551, x1549, x1478, x1525); ++ fiat_secp384r1_addcarryx_u32(&x1552, &x1553, x1551, x1480, x1527); ++ fiat_secp384r1_addcarryx_u32(&x1554, &x1555, x1553, x1482, x1529); ++ fiat_secp384r1_addcarryx_u32(&x1556, &x1557, x1555, x1484, x1531); ++ fiat_secp384r1_addcarryx_u32(&x1558, &x1559, x1557, x1486, x1533); ++ fiat_secp384r1_addcarryx_u32(&x1560, &x1561, x1559, x1488, x1535); ++ fiat_secp384r1_addcarryx_u32(&x1562, &x1563, x1561, x1490, x1537); ++ fiat_secp384r1_addcarryx_u32(&x1564, &x1565, x1563, x1492, x1539); ++ fiat_secp384r1_mulx_u32(&x1566, &x1567, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1568, &x1569, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1570, &x1571, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1572, &x1573, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1574, &x1575, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1576, &x1577, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1578, &x1579, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1580, &x1581, x1540, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1582, &x1583, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1584, &x1585, x1540, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1586, &x1587, 0x0, x1583, x1580); ++ fiat_secp384r1_addcarryx_u32(&x1588, &x1589, x1587, x1581, x1578); ++ fiat_secp384r1_addcarryx_u32(&x1590, &x1591, x1589, x1579, x1576); ++ fiat_secp384r1_addcarryx_u32(&x1592, &x1593, x1591, x1577, x1574); ++ fiat_secp384r1_addcarryx_u32(&x1594, &x1595, x1593, x1575, x1572); ++ fiat_secp384r1_addcarryx_u32(&x1596, &x1597, x1595, x1573, x1570); ++ fiat_secp384r1_addcarryx_u32(&x1598, &x1599, x1597, x1571, x1568); ++ fiat_secp384r1_addcarryx_u32(&x1600, &x1601, x1599, x1569, x1566); ++ x1602 = (x1601 + x1567); ++ fiat_secp384r1_addcarryx_u32(&x1603, &x1604, 0x0, x1540, x1584); ++ fiat_secp384r1_addcarryx_u32(&x1605, &x1606, x1604, x1542, x1585); ++ fiat_secp384r1_addcarryx_u32(&x1607, &x1608, x1606, x1544, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1609, &x1610, x1608, x1546, x1582); ++ fiat_secp384r1_addcarryx_u32(&x1611, &x1612, x1610, x1548, x1586); ++ fiat_secp384r1_addcarryx_u32(&x1613, &x1614, x1612, x1550, x1588); ++ fiat_secp384r1_addcarryx_u32(&x1615, &x1616, x1614, x1552, x1590); ++ fiat_secp384r1_addcarryx_u32(&x1617, &x1618, x1616, x1554, x1592); ++ fiat_secp384r1_addcarryx_u32(&x1619, &x1620, x1618, x1556, x1594); ++ fiat_secp384r1_addcarryx_u32(&x1621, &x1622, x1620, x1558, x1596); ++ fiat_secp384r1_addcarryx_u32(&x1623, &x1624, x1622, x1560, x1598); ++ fiat_secp384r1_addcarryx_u32(&x1625, &x1626, x1624, x1562, x1600); ++ fiat_secp384r1_addcarryx_u32(&x1627, &x1628, x1626, x1564, x1602); ++ x1629 = ((uint32_t)x1628 + x1565); ++ fiat_secp384r1_subborrowx_u32(&x1630, &x1631, 0x0, x1605, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1632, &x1633, x1631, x1607, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x1634, &x1635, x1633, x1609, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x1636, &x1637, x1635, x1611, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1638, &x1639, x1637, x1613, ++ UINT32_C(0xfffffffe)); ++ fiat_secp384r1_subborrowx_u32(&x1640, &x1641, x1639, x1615, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1642, &x1643, x1641, x1617, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1644, &x1645, x1643, x1619, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1646, &x1647, x1645, x1621, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1648, &x1649, x1647, x1623, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1650, &x1651, x1649, x1625, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1652, &x1653, x1651, x1627, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1654, &x1655, x1653, x1629, 0x0); ++ fiat_secp384r1_cmovznz_u32(&x1656, x1655, x1630, x1605); ++ fiat_secp384r1_cmovznz_u32(&x1657, x1655, x1632, x1607); ++ fiat_secp384r1_cmovznz_u32(&x1658, x1655, x1634, x1609); ++ fiat_secp384r1_cmovznz_u32(&x1659, x1655, x1636, x1611); ++ fiat_secp384r1_cmovznz_u32(&x1660, x1655, x1638, x1613); ++ fiat_secp384r1_cmovznz_u32(&x1661, x1655, x1640, x1615); ++ fiat_secp384r1_cmovznz_u32(&x1662, x1655, x1642, x1617); ++ fiat_secp384r1_cmovznz_u32(&x1663, x1655, x1644, x1619); ++ fiat_secp384r1_cmovznz_u32(&x1664, x1655, x1646, x1621); ++ fiat_secp384r1_cmovznz_u32(&x1665, x1655, x1648, x1623); ++ fiat_secp384r1_cmovznz_u32(&x1666, x1655, x1650, x1625); ++ fiat_secp384r1_cmovznz_u32(&x1667, x1655, x1652, x1627); ++ out1[0] = x1656; ++ out1[1] = x1657; ++ out1[2] = x1658; ++ out1[3] = x1659; ++ out1[4] = x1660; ++ out1[5] = x1661; ++ out1[6] = x1662; ++ out1[7] = x1663; ++ out1[8] = x1664; ++ out1[9] = x1665; ++ out1[10] = x1666; ++ out1[11] = x1667; ++} ++ ++/* ++ * The function fiat_secp384r1_add adds two field elements in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * 0 ≤ eval arg2 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_add(uint32_t out1[12], const uint32_t arg1[12], ++ const uint32_t arg2[12]) ++{ ++ uint32_t x1; ++ fiat_secp384r1_uint1 x2; ++ uint32_t x3; ++ fiat_secp384r1_uint1 x4; ++ uint32_t x5; ++ fiat_secp384r1_uint1 x6; ++ uint32_t x7; ++ fiat_secp384r1_uint1 x8; ++ uint32_t x9; ++ fiat_secp384r1_uint1 x10; ++ uint32_t x11; ++ fiat_secp384r1_uint1 x12; ++ uint32_t x13; ++ fiat_secp384r1_uint1 x14; ++ uint32_t x15; ++ fiat_secp384r1_uint1 x16; ++ uint32_t x17; ++ fiat_secp384r1_uint1 x18; ++ uint32_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint32_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint32_t x23; ++ fiat_secp384r1_uint1 x24; ++ uint32_t x25; ++ fiat_secp384r1_uint1 x26; ++ uint32_t x27; ++ fiat_secp384r1_uint1 x28; ++ uint32_t x29; ++ fiat_secp384r1_uint1 x30; ++ uint32_t x31; ++ fiat_secp384r1_uint1 x32; ++ uint32_t x33; ++ fiat_secp384r1_uint1 x34; ++ uint32_t x35; ++ fiat_secp384r1_uint1 x36; ++ uint32_t x37; ++ fiat_secp384r1_uint1 x38; ++ uint32_t x39; ++ fiat_secp384r1_uint1 x40; ++ uint32_t x41; ++ fiat_secp384r1_uint1 x42; ++ uint32_t x43; ++ fiat_secp384r1_uint1 x44; ++ uint32_t x45; ++ fiat_secp384r1_uint1 x46; ++ uint32_t x47; ++ fiat_secp384r1_uint1 x48; ++ uint32_t x49; ++ fiat_secp384r1_uint1 x50; ++ uint32_t x51; ++ uint32_t x52; ++ uint32_t x53; ++ uint32_t x54; ++ uint32_t x55; ++ uint32_t x56; ++ uint32_t x57; ++ uint32_t x58; ++ uint32_t x59; ++ uint32_t x60; ++ uint32_t x61; ++ uint32_t x62; ++ fiat_secp384r1_addcarryx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); ++ fiat_secp384r1_addcarryx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); ++ fiat_secp384r1_addcarryx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); ++ fiat_secp384r1_addcarryx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); ++ fiat_secp384r1_addcarryx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); ++ fiat_secp384r1_addcarryx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); ++ fiat_secp384r1_addcarryx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); ++ fiat_secp384r1_addcarryx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); ++ fiat_secp384r1_addcarryx_u32(&x17, &x18, x16, (arg1[8]), (arg2[8])); ++ fiat_secp384r1_addcarryx_u32(&x19, &x20, x18, (arg1[9]), (arg2[9])); ++ fiat_secp384r1_addcarryx_u32(&x21, &x22, x20, (arg1[10]), (arg2[10])); ++ fiat_secp384r1_addcarryx_u32(&x23, &x24, x22, (arg1[11]), (arg2[11])); ++ fiat_secp384r1_subborrowx_u32(&x25, &x26, 0x0, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x27, &x28, x26, x3, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x29, &x30, x28, x5, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x31, &x32, x30, x7, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x33, &x34, x32, x9, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_subborrowx_u32(&x35, &x36, x34, x11, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x37, &x38, x36, x13, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x39, &x40, x38, x15, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x41, &x42, x40, x17, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x43, &x44, x42, x19, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x45, &x46, x44, x21, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x47, &x48, x46, x23, UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x49, &x50, x48, x24, 0x0); ++ fiat_secp384r1_cmovznz_u32(&x51, x50, x25, x1); ++ fiat_secp384r1_cmovznz_u32(&x52, x50, x27, x3); ++ fiat_secp384r1_cmovznz_u32(&x53, x50, x29, x5); ++ fiat_secp384r1_cmovznz_u32(&x54, x50, x31, x7); ++ fiat_secp384r1_cmovznz_u32(&x55, x50, x33, x9); ++ fiat_secp384r1_cmovznz_u32(&x56, x50, x35, x11); ++ fiat_secp384r1_cmovznz_u32(&x57, x50, x37, x13); ++ fiat_secp384r1_cmovznz_u32(&x58, x50, x39, x15); ++ fiat_secp384r1_cmovznz_u32(&x59, x50, x41, x17); ++ fiat_secp384r1_cmovznz_u32(&x60, x50, x43, x19); ++ fiat_secp384r1_cmovznz_u32(&x61, x50, x45, x21); ++ fiat_secp384r1_cmovznz_u32(&x62, x50, x47, x23); ++ out1[0] = x51; ++ out1[1] = x52; ++ out1[2] = x53; ++ out1[3] = x54; ++ out1[4] = x55; ++ out1[5] = x56; ++ out1[6] = x57; ++ out1[7] = x58; ++ out1[8] = x59; ++ out1[9] = x60; ++ out1[10] = x61; ++ out1[11] = x62; ++} ++ ++/* ++ * The function fiat_secp384r1_sub subtracts two field elements in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * 0 ≤ eval arg2 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_sub(uint32_t out1[12], const uint32_t arg1[12], ++ const uint32_t arg2[12]) ++{ ++ uint32_t x1; ++ fiat_secp384r1_uint1 x2; ++ uint32_t x3; ++ fiat_secp384r1_uint1 x4; ++ uint32_t x5; ++ fiat_secp384r1_uint1 x6; ++ uint32_t x7; ++ fiat_secp384r1_uint1 x8; ++ uint32_t x9; ++ fiat_secp384r1_uint1 x10; ++ uint32_t x11; ++ fiat_secp384r1_uint1 x12; ++ uint32_t x13; ++ fiat_secp384r1_uint1 x14; ++ uint32_t x15; ++ fiat_secp384r1_uint1 x16; ++ uint32_t x17; ++ fiat_secp384r1_uint1 x18; ++ uint32_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint32_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint32_t x23; ++ fiat_secp384r1_uint1 x24; ++ uint32_t x25; ++ uint32_t x26; ++ fiat_secp384r1_uint1 x27; ++ uint32_t x28; ++ fiat_secp384r1_uint1 x29; ++ uint32_t x30; ++ fiat_secp384r1_uint1 x31; ++ uint32_t x32; ++ fiat_secp384r1_uint1 x33; ++ uint32_t x34; ++ fiat_secp384r1_uint1 x35; ++ uint32_t x36; ++ fiat_secp384r1_uint1 x37; ++ uint32_t x38; ++ fiat_secp384r1_uint1 x39; ++ uint32_t x40; ++ fiat_secp384r1_uint1 x41; ++ uint32_t x42; ++ fiat_secp384r1_uint1 x43; ++ uint32_t x44; ++ fiat_secp384r1_uint1 x45; ++ uint32_t x46; ++ fiat_secp384r1_uint1 x47; ++ uint32_t x48; ++ fiat_secp384r1_uint1 x49; ++ fiat_secp384r1_subborrowx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); ++ fiat_secp384r1_subborrowx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); ++ fiat_secp384r1_subborrowx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); ++ fiat_secp384r1_subborrowx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); ++ fiat_secp384r1_subborrowx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); ++ fiat_secp384r1_subborrowx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); ++ fiat_secp384r1_subborrowx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); ++ fiat_secp384r1_subborrowx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); ++ fiat_secp384r1_subborrowx_u32(&x17, &x18, x16, (arg1[8]), (arg2[8])); ++ fiat_secp384r1_subborrowx_u32(&x19, &x20, x18, (arg1[9]), (arg2[9])); ++ fiat_secp384r1_subborrowx_u32(&x21, &x22, x20, (arg1[10]), (arg2[10])); ++ fiat_secp384r1_subborrowx_u32(&x23, &x24, x22, (arg1[11]), (arg2[11])); ++ fiat_secp384r1_cmovznz_u32(&x25, x24, 0x0, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x26, &x27, 0x0, x1, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x28, &x29, x27, x3, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x30, &x31, x29, x5, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x32, &x33, x31, x7, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x34, &x35, x33, x9, ++ (x25 & UINT32_C(0xfffffffe))); ++ fiat_secp384r1_addcarryx_u32(&x36, &x37, x35, x11, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x38, &x39, x37, x13, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x40, &x41, x39, x15, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x42, &x43, x41, x17, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x44, &x45, x43, x19, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x46, &x47, x45, x21, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x48, &x49, x47, x23, ++ (x25 & UINT32_C(0xffffffff))); ++ out1[0] = x26; ++ out1[1] = x28; ++ out1[2] = x30; ++ out1[3] = x32; ++ out1[4] = x34; ++ out1[5] = x36; ++ out1[6] = x38; ++ out1[7] = x40; ++ out1[8] = x42; ++ out1[9] = x44; ++ out1[10] = x46; ++ out1[11] = x48; ++} ++ ++/* ++ * The function fiat_secp384r1_opp negates a field element in the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_opp(uint32_t out1[12], const uint32_t arg1[12]) ++{ ++ uint32_t x1; ++ fiat_secp384r1_uint1 x2; ++ uint32_t x3; ++ fiat_secp384r1_uint1 x4; ++ uint32_t x5; ++ fiat_secp384r1_uint1 x6; ++ uint32_t x7; ++ fiat_secp384r1_uint1 x8; ++ uint32_t x9; ++ fiat_secp384r1_uint1 x10; ++ uint32_t x11; ++ fiat_secp384r1_uint1 x12; ++ uint32_t x13; ++ fiat_secp384r1_uint1 x14; ++ uint32_t x15; ++ fiat_secp384r1_uint1 x16; ++ uint32_t x17; ++ fiat_secp384r1_uint1 x18; ++ uint32_t x19; ++ fiat_secp384r1_uint1 x20; ++ uint32_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint32_t x23; ++ fiat_secp384r1_uint1 x24; ++ uint32_t x25; ++ uint32_t x26; ++ fiat_secp384r1_uint1 x27; ++ uint32_t x28; ++ fiat_secp384r1_uint1 x29; ++ uint32_t x30; ++ fiat_secp384r1_uint1 x31; ++ uint32_t x32; ++ fiat_secp384r1_uint1 x33; ++ uint32_t x34; ++ fiat_secp384r1_uint1 x35; ++ uint32_t x36; ++ fiat_secp384r1_uint1 x37; ++ uint32_t x38; ++ fiat_secp384r1_uint1 x39; ++ uint32_t x40; ++ fiat_secp384r1_uint1 x41; ++ uint32_t x42; ++ fiat_secp384r1_uint1 x43; ++ uint32_t x44; ++ fiat_secp384r1_uint1 x45; ++ uint32_t x46; ++ fiat_secp384r1_uint1 x47; ++ uint32_t x48; ++ fiat_secp384r1_uint1 x49; ++ fiat_secp384r1_subborrowx_u32(&x1, &x2, 0x0, 0x0, (arg1[0])); ++ fiat_secp384r1_subborrowx_u32(&x3, &x4, x2, 0x0, (arg1[1])); ++ fiat_secp384r1_subborrowx_u32(&x5, &x6, x4, 0x0, (arg1[2])); ++ fiat_secp384r1_subborrowx_u32(&x7, &x8, x6, 0x0, (arg1[3])); ++ fiat_secp384r1_subborrowx_u32(&x9, &x10, x8, 0x0, (arg1[4])); ++ fiat_secp384r1_subborrowx_u32(&x11, &x12, x10, 0x0, (arg1[5])); ++ fiat_secp384r1_subborrowx_u32(&x13, &x14, x12, 0x0, (arg1[6])); ++ fiat_secp384r1_subborrowx_u32(&x15, &x16, x14, 0x0, (arg1[7])); ++ fiat_secp384r1_subborrowx_u32(&x17, &x18, x16, 0x0, (arg1[8])); ++ fiat_secp384r1_subborrowx_u32(&x19, &x20, x18, 0x0, (arg1[9])); ++ fiat_secp384r1_subborrowx_u32(&x21, &x22, x20, 0x0, (arg1[10])); ++ fiat_secp384r1_subborrowx_u32(&x23, &x24, x22, 0x0, (arg1[11])); ++ fiat_secp384r1_cmovznz_u32(&x25, x24, 0x0, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x26, &x27, 0x0, x1, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x28, &x29, x27, x3, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x30, &x31, x29, x5, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x32, &x33, x31, x7, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x34, &x35, x33, x9, ++ (x25 & UINT32_C(0xfffffffe))); ++ fiat_secp384r1_addcarryx_u32(&x36, &x37, x35, x11, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x38, &x39, x37, x13, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x40, &x41, x39, x15, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x42, &x43, x41, x17, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x44, &x45, x43, x19, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x46, &x47, x45, x21, ++ (x25 & UINT32_C(0xffffffff))); ++ fiat_secp384r1_addcarryx_u32(&x48, &x49, x47, x23, ++ (x25 & UINT32_C(0xffffffff))); ++ out1[0] = x26; ++ out1[1] = x28; ++ out1[2] = x30; ++ out1[3] = x32; ++ out1[4] = x34; ++ out1[5] = x36; ++ out1[6] = x38; ++ out1[7] = x40; ++ out1[8] = x42; ++ out1[9] = x44; ++ out1[10] = x46; ++ out1[11] = x48; ++} ++ ++/* ++ * The function fiat_secp384r1_from_montgomery translates a field element out of the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval out1 mod m = (eval arg1 * ((2^32)â»Â¹ mod m)^12) mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_from_montgomery(uint32_t out1[12], ++ const uint32_t arg1[12]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint32_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint32_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint32_t x12; ++ uint32_t x13; ++ uint32_t x14; ++ uint32_t x15; ++ uint32_t x16; ++ uint32_t x17; ++ uint32_t x18; ++ uint32_t x19; ++ uint32_t x20; ++ uint32_t x21; ++ uint32_t x22; ++ fiat_secp384r1_uint1 x23; ++ uint32_t x24; ++ fiat_secp384r1_uint1 x25; ++ uint32_t x26; ++ fiat_secp384r1_uint1 x27; ++ uint32_t x28; ++ fiat_secp384r1_uint1 x29; ++ uint32_t x30; ++ fiat_secp384r1_uint1 x31; ++ uint32_t x32; ++ fiat_secp384r1_uint1 x33; ++ uint32_t x34; ++ fiat_secp384r1_uint1 x35; ++ uint32_t x36; ++ fiat_secp384r1_uint1 x37; ++ uint32_t x38; ++ fiat_secp384r1_uint1 x39; ++ uint32_t x40; ++ fiat_secp384r1_uint1 x41; ++ uint32_t x42; ++ uint32_t x43; ++ uint32_t x44; ++ uint32_t x45; ++ uint32_t x46; ++ uint32_t x47; ++ uint32_t x48; ++ uint32_t x49; ++ uint32_t x50; ++ uint32_t x51; ++ uint32_t x52; ++ uint32_t x53; ++ uint32_t x54; ++ uint32_t x55; ++ uint32_t x56; ++ uint32_t x57; ++ uint32_t x58; ++ uint32_t x59; ++ uint32_t x60; ++ uint32_t x61; ++ uint32_t x62; ++ fiat_secp384r1_uint1 x63; ++ uint32_t x64; ++ fiat_secp384r1_uint1 x65; ++ uint32_t x66; ++ fiat_secp384r1_uint1 x67; ++ uint32_t x68; ++ fiat_secp384r1_uint1 x69; ++ uint32_t x70; ++ fiat_secp384r1_uint1 x71; ++ uint32_t x72; ++ fiat_secp384r1_uint1 x73; ++ uint32_t x74; ++ fiat_secp384r1_uint1 x75; ++ uint32_t x76; ++ fiat_secp384r1_uint1 x77; ++ uint32_t x78; ++ fiat_secp384r1_uint1 x79; ++ uint32_t x80; ++ fiat_secp384r1_uint1 x81; ++ uint32_t x82; ++ fiat_secp384r1_uint1 x83; ++ uint32_t x84; ++ fiat_secp384r1_uint1 x85; ++ uint32_t x86; ++ fiat_secp384r1_uint1 x87; ++ uint32_t x88; ++ fiat_secp384r1_uint1 x89; ++ uint32_t x90; ++ fiat_secp384r1_uint1 x91; ++ uint32_t x92; ++ fiat_secp384r1_uint1 x93; ++ uint32_t x94; ++ fiat_secp384r1_uint1 x95; ++ uint32_t x96; ++ fiat_secp384r1_uint1 x97; ++ uint32_t x98; ++ fiat_secp384r1_uint1 x99; ++ uint32_t x100; ++ fiat_secp384r1_uint1 x101; ++ uint32_t x102; ++ fiat_secp384r1_uint1 x103; ++ uint32_t x104; ++ fiat_secp384r1_uint1 x105; ++ uint32_t x106; ++ fiat_secp384r1_uint1 x107; ++ uint32_t x108; ++ fiat_secp384r1_uint1 x109; ++ uint32_t x110; ++ fiat_secp384r1_uint1 x111; ++ uint32_t x112; ++ fiat_secp384r1_uint1 x113; ++ uint32_t x114; ++ fiat_secp384r1_uint1 x115; ++ uint32_t x116; ++ fiat_secp384r1_uint1 x117; ++ uint32_t x118; ++ fiat_secp384r1_uint1 x119; ++ uint32_t x120; ++ fiat_secp384r1_uint1 x121; ++ uint32_t x122; ++ fiat_secp384r1_uint1 x123; ++ uint32_t x124; ++ fiat_secp384r1_uint1 x125; ++ uint32_t x126; ++ fiat_secp384r1_uint1 x127; ++ uint32_t x128; ++ uint32_t x129; ++ uint32_t x130; ++ uint32_t x131; ++ uint32_t x132; ++ uint32_t x133; ++ uint32_t x134; ++ uint32_t x135; ++ uint32_t x136; ++ uint32_t x137; ++ uint32_t x138; ++ uint32_t x139; ++ uint32_t x140; ++ uint32_t x141; ++ uint32_t x142; ++ uint32_t x143; ++ uint32_t x144; ++ uint32_t x145; ++ uint32_t x146; ++ uint32_t x147; ++ uint32_t x148; ++ fiat_secp384r1_uint1 x149; ++ uint32_t x150; ++ fiat_secp384r1_uint1 x151; ++ uint32_t x152; ++ fiat_secp384r1_uint1 x153; ++ uint32_t x154; ++ fiat_secp384r1_uint1 x155; ++ uint32_t x156; ++ fiat_secp384r1_uint1 x157; ++ uint32_t x158; ++ fiat_secp384r1_uint1 x159; ++ uint32_t x160; ++ fiat_secp384r1_uint1 x161; ++ uint32_t x162; ++ fiat_secp384r1_uint1 x163; ++ uint32_t x164; ++ fiat_secp384r1_uint1 x165; ++ uint32_t x166; ++ fiat_secp384r1_uint1 x167; ++ uint32_t x168; ++ fiat_secp384r1_uint1 x169; ++ uint32_t x170; ++ fiat_secp384r1_uint1 x171; ++ uint32_t x172; ++ fiat_secp384r1_uint1 x173; ++ uint32_t x174; ++ fiat_secp384r1_uint1 x175; ++ uint32_t x176; ++ fiat_secp384r1_uint1 x177; ++ uint32_t x178; ++ fiat_secp384r1_uint1 x179; ++ uint32_t x180; ++ fiat_secp384r1_uint1 x181; ++ uint32_t x182; ++ fiat_secp384r1_uint1 x183; ++ uint32_t x184; ++ fiat_secp384r1_uint1 x185; ++ uint32_t x186; ++ fiat_secp384r1_uint1 x187; ++ uint32_t x188; ++ fiat_secp384r1_uint1 x189; ++ uint32_t x190; ++ fiat_secp384r1_uint1 x191; ++ uint32_t x192; ++ fiat_secp384r1_uint1 x193; ++ uint32_t x194; ++ fiat_secp384r1_uint1 x195; ++ uint32_t x196; ++ fiat_secp384r1_uint1 x197; ++ uint32_t x198; ++ fiat_secp384r1_uint1 x199; ++ uint32_t x200; ++ fiat_secp384r1_uint1 x201; ++ uint32_t x202; ++ fiat_secp384r1_uint1 x203; ++ uint32_t x204; ++ fiat_secp384r1_uint1 x205; ++ uint32_t x206; ++ fiat_secp384r1_uint1 x207; ++ uint32_t x208; ++ fiat_secp384r1_uint1 x209; ++ uint32_t x210; ++ fiat_secp384r1_uint1 x211; ++ uint32_t x212; ++ fiat_secp384r1_uint1 x213; ++ uint32_t x214; ++ uint32_t x215; ++ uint32_t x216; ++ uint32_t x217; ++ uint32_t x218; ++ uint32_t x219; ++ uint32_t x220; ++ uint32_t x221; ++ uint32_t x222; ++ uint32_t x223; ++ uint32_t x224; ++ uint32_t x225; ++ uint32_t x226; ++ uint32_t x227; ++ uint32_t x228; ++ uint32_t x229; ++ uint32_t x230; ++ uint32_t x231; ++ uint32_t x232; ++ uint32_t x233; ++ uint32_t x234; ++ fiat_secp384r1_uint1 x235; ++ uint32_t x236; ++ fiat_secp384r1_uint1 x237; ++ uint32_t x238; ++ fiat_secp384r1_uint1 x239; ++ uint32_t x240; ++ fiat_secp384r1_uint1 x241; ++ uint32_t x242; ++ fiat_secp384r1_uint1 x243; ++ uint32_t x244; ++ fiat_secp384r1_uint1 x245; ++ uint32_t x246; ++ fiat_secp384r1_uint1 x247; ++ uint32_t x248; ++ fiat_secp384r1_uint1 x249; ++ uint32_t x250; ++ fiat_secp384r1_uint1 x251; ++ uint32_t x252; ++ fiat_secp384r1_uint1 x253; ++ uint32_t x254; ++ fiat_secp384r1_uint1 x255; ++ uint32_t x256; ++ fiat_secp384r1_uint1 x257; ++ uint32_t x258; ++ fiat_secp384r1_uint1 x259; ++ uint32_t x260; ++ fiat_secp384r1_uint1 x261; ++ uint32_t x262; ++ fiat_secp384r1_uint1 x263; ++ uint32_t x264; ++ fiat_secp384r1_uint1 x265; ++ uint32_t x266; ++ fiat_secp384r1_uint1 x267; ++ uint32_t x268; ++ fiat_secp384r1_uint1 x269; ++ uint32_t x270; ++ fiat_secp384r1_uint1 x271; ++ uint32_t x272; ++ fiat_secp384r1_uint1 x273; ++ uint32_t x274; ++ fiat_secp384r1_uint1 x275; ++ uint32_t x276; ++ fiat_secp384r1_uint1 x277; ++ uint32_t x278; ++ fiat_secp384r1_uint1 x279; ++ uint32_t x280; ++ fiat_secp384r1_uint1 x281; ++ uint32_t x282; ++ fiat_secp384r1_uint1 x283; ++ uint32_t x284; ++ fiat_secp384r1_uint1 x285; ++ uint32_t x286; ++ fiat_secp384r1_uint1 x287; ++ uint32_t x288; ++ fiat_secp384r1_uint1 x289; ++ uint32_t x290; ++ fiat_secp384r1_uint1 x291; ++ uint32_t x292; ++ fiat_secp384r1_uint1 x293; ++ uint32_t x294; ++ fiat_secp384r1_uint1 x295; ++ uint32_t x296; ++ fiat_secp384r1_uint1 x297; ++ uint32_t x298; ++ fiat_secp384r1_uint1 x299; ++ uint32_t x300; ++ uint32_t x301; ++ uint32_t x302; ++ uint32_t x303; ++ uint32_t x304; ++ uint32_t x305; ++ uint32_t x306; ++ uint32_t x307; ++ uint32_t x308; ++ uint32_t x309; ++ uint32_t x310; ++ uint32_t x311; ++ uint32_t x312; ++ uint32_t x313; ++ uint32_t x314; ++ uint32_t x315; ++ uint32_t x316; ++ uint32_t x317; ++ uint32_t x318; ++ uint32_t x319; ++ uint32_t x320; ++ fiat_secp384r1_uint1 x321; ++ uint32_t x322; ++ fiat_secp384r1_uint1 x323; ++ uint32_t x324; ++ fiat_secp384r1_uint1 x325; ++ uint32_t x326; ++ fiat_secp384r1_uint1 x327; ++ uint32_t x328; ++ fiat_secp384r1_uint1 x329; ++ uint32_t x330; ++ fiat_secp384r1_uint1 x331; ++ uint32_t x332; ++ fiat_secp384r1_uint1 x333; ++ uint32_t x334; ++ fiat_secp384r1_uint1 x335; ++ uint32_t x336; ++ fiat_secp384r1_uint1 x337; ++ uint32_t x338; ++ fiat_secp384r1_uint1 x339; ++ uint32_t x340; ++ fiat_secp384r1_uint1 x341; ++ uint32_t x342; ++ fiat_secp384r1_uint1 x343; ++ uint32_t x344; ++ fiat_secp384r1_uint1 x345; ++ uint32_t x346; ++ fiat_secp384r1_uint1 x347; ++ uint32_t x348; ++ fiat_secp384r1_uint1 x349; ++ uint32_t x350; ++ fiat_secp384r1_uint1 x351; ++ uint32_t x352; ++ fiat_secp384r1_uint1 x353; ++ uint32_t x354; ++ fiat_secp384r1_uint1 x355; ++ uint32_t x356; ++ fiat_secp384r1_uint1 x357; ++ uint32_t x358; ++ fiat_secp384r1_uint1 x359; ++ uint32_t x360; ++ fiat_secp384r1_uint1 x361; ++ uint32_t x362; ++ fiat_secp384r1_uint1 x363; ++ uint32_t x364; ++ fiat_secp384r1_uint1 x365; ++ uint32_t x366; ++ fiat_secp384r1_uint1 x367; ++ uint32_t x368; ++ fiat_secp384r1_uint1 x369; ++ uint32_t x370; ++ fiat_secp384r1_uint1 x371; ++ uint32_t x372; ++ fiat_secp384r1_uint1 x373; ++ uint32_t x374; ++ fiat_secp384r1_uint1 x375; ++ uint32_t x376; ++ fiat_secp384r1_uint1 x377; ++ uint32_t x378; ++ fiat_secp384r1_uint1 x379; ++ uint32_t x380; ++ fiat_secp384r1_uint1 x381; ++ uint32_t x382; ++ fiat_secp384r1_uint1 x383; ++ uint32_t x384; ++ fiat_secp384r1_uint1 x385; ++ uint32_t x386; ++ uint32_t x387; ++ uint32_t x388; ++ uint32_t x389; ++ uint32_t x390; ++ uint32_t x391; ++ uint32_t x392; ++ uint32_t x393; ++ uint32_t x394; ++ uint32_t x395; ++ uint32_t x396; ++ uint32_t x397; ++ uint32_t x398; ++ uint32_t x399; ++ uint32_t x400; ++ uint32_t x401; ++ uint32_t x402; ++ uint32_t x403; ++ uint32_t x404; ++ uint32_t x405; ++ uint32_t x406; ++ fiat_secp384r1_uint1 x407; ++ uint32_t x408; ++ fiat_secp384r1_uint1 x409; ++ uint32_t x410; ++ fiat_secp384r1_uint1 x411; ++ uint32_t x412; ++ fiat_secp384r1_uint1 x413; ++ uint32_t x414; ++ fiat_secp384r1_uint1 x415; ++ uint32_t x416; ++ fiat_secp384r1_uint1 x417; ++ uint32_t x418; ++ fiat_secp384r1_uint1 x419; ++ uint32_t x420; ++ fiat_secp384r1_uint1 x421; ++ uint32_t x422; ++ fiat_secp384r1_uint1 x423; ++ uint32_t x424; ++ fiat_secp384r1_uint1 x425; ++ uint32_t x426; ++ fiat_secp384r1_uint1 x427; ++ uint32_t x428; ++ fiat_secp384r1_uint1 x429; ++ uint32_t x430; ++ fiat_secp384r1_uint1 x431; ++ uint32_t x432; ++ fiat_secp384r1_uint1 x433; ++ uint32_t x434; ++ fiat_secp384r1_uint1 x435; ++ uint32_t x436; ++ fiat_secp384r1_uint1 x437; ++ uint32_t x438; ++ fiat_secp384r1_uint1 x439; ++ uint32_t x440; ++ fiat_secp384r1_uint1 x441; ++ uint32_t x442; ++ fiat_secp384r1_uint1 x443; ++ uint32_t x444; ++ fiat_secp384r1_uint1 x445; ++ uint32_t x446; ++ fiat_secp384r1_uint1 x447; ++ uint32_t x448; ++ fiat_secp384r1_uint1 x449; ++ uint32_t x450; ++ fiat_secp384r1_uint1 x451; ++ uint32_t x452; ++ fiat_secp384r1_uint1 x453; ++ uint32_t x454; ++ fiat_secp384r1_uint1 x455; ++ uint32_t x456; ++ fiat_secp384r1_uint1 x457; ++ uint32_t x458; ++ fiat_secp384r1_uint1 x459; ++ uint32_t x460; ++ fiat_secp384r1_uint1 x461; ++ uint32_t x462; ++ fiat_secp384r1_uint1 x463; ++ uint32_t x464; ++ fiat_secp384r1_uint1 x465; ++ uint32_t x466; ++ fiat_secp384r1_uint1 x467; ++ uint32_t x468; ++ fiat_secp384r1_uint1 x469; ++ uint32_t x470; ++ fiat_secp384r1_uint1 x471; ++ uint32_t x472; ++ uint32_t x473; ++ uint32_t x474; ++ uint32_t x475; ++ uint32_t x476; ++ uint32_t x477; ++ uint32_t x478; ++ uint32_t x479; ++ uint32_t x480; ++ uint32_t x481; ++ uint32_t x482; ++ uint32_t x483; ++ uint32_t x484; ++ uint32_t x485; ++ uint32_t x486; ++ uint32_t x487; ++ uint32_t x488; ++ uint32_t x489; ++ uint32_t x490; ++ uint32_t x491; ++ uint32_t x492; ++ fiat_secp384r1_uint1 x493; ++ uint32_t x494; ++ fiat_secp384r1_uint1 x495; ++ uint32_t x496; ++ fiat_secp384r1_uint1 x497; ++ uint32_t x498; ++ fiat_secp384r1_uint1 x499; ++ uint32_t x500; ++ fiat_secp384r1_uint1 x501; ++ uint32_t x502; ++ fiat_secp384r1_uint1 x503; ++ uint32_t x504; ++ fiat_secp384r1_uint1 x505; ++ uint32_t x506; ++ fiat_secp384r1_uint1 x507; ++ uint32_t x508; ++ fiat_secp384r1_uint1 x509; ++ uint32_t x510; ++ fiat_secp384r1_uint1 x511; ++ uint32_t x512; ++ fiat_secp384r1_uint1 x513; ++ uint32_t x514; ++ fiat_secp384r1_uint1 x515; ++ uint32_t x516; ++ fiat_secp384r1_uint1 x517; ++ uint32_t x518; ++ fiat_secp384r1_uint1 x519; ++ uint32_t x520; ++ fiat_secp384r1_uint1 x521; ++ uint32_t x522; ++ fiat_secp384r1_uint1 x523; ++ uint32_t x524; ++ fiat_secp384r1_uint1 x525; ++ uint32_t x526; ++ fiat_secp384r1_uint1 x527; ++ uint32_t x528; ++ fiat_secp384r1_uint1 x529; ++ uint32_t x530; ++ fiat_secp384r1_uint1 x531; ++ uint32_t x532; ++ fiat_secp384r1_uint1 x533; ++ uint32_t x534; ++ fiat_secp384r1_uint1 x535; ++ uint32_t x536; ++ fiat_secp384r1_uint1 x537; ++ uint32_t x538; ++ fiat_secp384r1_uint1 x539; ++ uint32_t x540; ++ fiat_secp384r1_uint1 x541; ++ uint32_t x542; ++ fiat_secp384r1_uint1 x543; ++ uint32_t x544; ++ fiat_secp384r1_uint1 x545; ++ uint32_t x546; ++ fiat_secp384r1_uint1 x547; ++ uint32_t x548; ++ fiat_secp384r1_uint1 x549; ++ uint32_t x550; ++ fiat_secp384r1_uint1 x551; ++ uint32_t x552; ++ fiat_secp384r1_uint1 x553; ++ uint32_t x554; ++ fiat_secp384r1_uint1 x555; ++ uint32_t x556; ++ fiat_secp384r1_uint1 x557; ++ uint32_t x558; ++ uint32_t x559; ++ uint32_t x560; ++ uint32_t x561; ++ uint32_t x562; ++ uint32_t x563; ++ uint32_t x564; ++ uint32_t x565; ++ uint32_t x566; ++ uint32_t x567; ++ uint32_t x568; ++ uint32_t x569; ++ uint32_t x570; ++ uint32_t x571; ++ uint32_t x572; ++ uint32_t x573; ++ uint32_t x574; ++ uint32_t x575; ++ uint32_t x576; ++ uint32_t x577; ++ uint32_t x578; ++ fiat_secp384r1_uint1 x579; ++ uint32_t x580; ++ fiat_secp384r1_uint1 x581; ++ uint32_t x582; ++ fiat_secp384r1_uint1 x583; ++ uint32_t x584; ++ fiat_secp384r1_uint1 x585; ++ uint32_t x586; ++ fiat_secp384r1_uint1 x587; ++ uint32_t x588; ++ fiat_secp384r1_uint1 x589; ++ uint32_t x590; ++ fiat_secp384r1_uint1 x591; ++ uint32_t x592; ++ fiat_secp384r1_uint1 x593; ++ uint32_t x594; ++ fiat_secp384r1_uint1 x595; ++ uint32_t x596; ++ fiat_secp384r1_uint1 x597; ++ uint32_t x598; ++ fiat_secp384r1_uint1 x599; ++ uint32_t x600; ++ fiat_secp384r1_uint1 x601; ++ uint32_t x602; ++ fiat_secp384r1_uint1 x603; ++ uint32_t x604; ++ fiat_secp384r1_uint1 x605; ++ uint32_t x606; ++ fiat_secp384r1_uint1 x607; ++ uint32_t x608; ++ fiat_secp384r1_uint1 x609; ++ uint32_t x610; ++ fiat_secp384r1_uint1 x611; ++ uint32_t x612; ++ fiat_secp384r1_uint1 x613; ++ uint32_t x614; ++ fiat_secp384r1_uint1 x615; ++ uint32_t x616; ++ fiat_secp384r1_uint1 x617; ++ uint32_t x618; ++ fiat_secp384r1_uint1 x619; ++ uint32_t x620; ++ fiat_secp384r1_uint1 x621; ++ uint32_t x622; ++ fiat_secp384r1_uint1 x623; ++ uint32_t x624; ++ fiat_secp384r1_uint1 x625; ++ uint32_t x626; ++ fiat_secp384r1_uint1 x627; ++ uint32_t x628; ++ fiat_secp384r1_uint1 x629; ++ uint32_t x630; ++ fiat_secp384r1_uint1 x631; ++ uint32_t x632; ++ fiat_secp384r1_uint1 x633; ++ uint32_t x634; ++ fiat_secp384r1_uint1 x635; ++ uint32_t x636; ++ fiat_secp384r1_uint1 x637; ++ uint32_t x638; ++ fiat_secp384r1_uint1 x639; ++ uint32_t x640; ++ fiat_secp384r1_uint1 x641; ++ uint32_t x642; ++ fiat_secp384r1_uint1 x643; ++ uint32_t x644; ++ uint32_t x645; ++ uint32_t x646; ++ uint32_t x647; ++ uint32_t x648; ++ uint32_t x649; ++ uint32_t x650; ++ uint32_t x651; ++ uint32_t x652; ++ uint32_t x653; ++ uint32_t x654; ++ uint32_t x655; ++ uint32_t x656; ++ uint32_t x657; ++ uint32_t x658; ++ uint32_t x659; ++ uint32_t x660; ++ uint32_t x661; ++ uint32_t x662; ++ uint32_t x663; ++ uint32_t x664; ++ fiat_secp384r1_uint1 x665; ++ uint32_t x666; ++ fiat_secp384r1_uint1 x667; ++ uint32_t x668; ++ fiat_secp384r1_uint1 x669; ++ uint32_t x670; ++ fiat_secp384r1_uint1 x671; ++ uint32_t x672; ++ fiat_secp384r1_uint1 x673; ++ uint32_t x674; ++ fiat_secp384r1_uint1 x675; ++ uint32_t x676; ++ fiat_secp384r1_uint1 x677; ++ uint32_t x678; ++ fiat_secp384r1_uint1 x679; ++ uint32_t x680; ++ fiat_secp384r1_uint1 x681; ++ uint32_t x682; ++ fiat_secp384r1_uint1 x683; ++ uint32_t x684; ++ fiat_secp384r1_uint1 x685; ++ uint32_t x686; ++ fiat_secp384r1_uint1 x687; ++ uint32_t x688; ++ fiat_secp384r1_uint1 x689; ++ uint32_t x690; ++ fiat_secp384r1_uint1 x691; ++ uint32_t x692; ++ fiat_secp384r1_uint1 x693; ++ uint32_t x694; ++ fiat_secp384r1_uint1 x695; ++ uint32_t x696; ++ fiat_secp384r1_uint1 x697; ++ uint32_t x698; ++ fiat_secp384r1_uint1 x699; ++ uint32_t x700; ++ fiat_secp384r1_uint1 x701; ++ uint32_t x702; ++ fiat_secp384r1_uint1 x703; ++ uint32_t x704; ++ fiat_secp384r1_uint1 x705; ++ uint32_t x706; ++ fiat_secp384r1_uint1 x707; ++ uint32_t x708; ++ fiat_secp384r1_uint1 x709; ++ uint32_t x710; ++ fiat_secp384r1_uint1 x711; ++ uint32_t x712; ++ fiat_secp384r1_uint1 x713; ++ uint32_t x714; ++ fiat_secp384r1_uint1 x715; ++ uint32_t x716; ++ fiat_secp384r1_uint1 x717; ++ uint32_t x718; ++ fiat_secp384r1_uint1 x719; ++ uint32_t x720; ++ fiat_secp384r1_uint1 x721; ++ uint32_t x722; ++ fiat_secp384r1_uint1 x723; ++ uint32_t x724; ++ fiat_secp384r1_uint1 x725; ++ uint32_t x726; ++ fiat_secp384r1_uint1 x727; ++ uint32_t x728; ++ fiat_secp384r1_uint1 x729; ++ uint32_t x730; ++ uint32_t x731; ++ uint32_t x732; ++ uint32_t x733; ++ uint32_t x734; ++ uint32_t x735; ++ uint32_t x736; ++ uint32_t x737; ++ uint32_t x738; ++ uint32_t x739; ++ uint32_t x740; ++ uint32_t x741; ++ uint32_t x742; ++ uint32_t x743; ++ uint32_t x744; ++ uint32_t x745; ++ uint32_t x746; ++ uint32_t x747; ++ uint32_t x748; ++ uint32_t x749; ++ uint32_t x750; ++ fiat_secp384r1_uint1 x751; ++ uint32_t x752; ++ fiat_secp384r1_uint1 x753; ++ uint32_t x754; ++ fiat_secp384r1_uint1 x755; ++ uint32_t x756; ++ fiat_secp384r1_uint1 x757; ++ uint32_t x758; ++ fiat_secp384r1_uint1 x759; ++ uint32_t x760; ++ fiat_secp384r1_uint1 x761; ++ uint32_t x762; ++ fiat_secp384r1_uint1 x763; ++ uint32_t x764; ++ fiat_secp384r1_uint1 x765; ++ uint32_t x766; ++ fiat_secp384r1_uint1 x767; ++ uint32_t x768; ++ fiat_secp384r1_uint1 x769; ++ uint32_t x770; ++ fiat_secp384r1_uint1 x771; ++ uint32_t x772; ++ fiat_secp384r1_uint1 x773; ++ uint32_t x774; ++ fiat_secp384r1_uint1 x775; ++ uint32_t x776; ++ fiat_secp384r1_uint1 x777; ++ uint32_t x778; ++ fiat_secp384r1_uint1 x779; ++ uint32_t x780; ++ fiat_secp384r1_uint1 x781; ++ uint32_t x782; ++ fiat_secp384r1_uint1 x783; ++ uint32_t x784; ++ fiat_secp384r1_uint1 x785; ++ uint32_t x786; ++ fiat_secp384r1_uint1 x787; ++ uint32_t x788; ++ fiat_secp384r1_uint1 x789; ++ uint32_t x790; ++ fiat_secp384r1_uint1 x791; ++ uint32_t x792; ++ fiat_secp384r1_uint1 x793; ++ uint32_t x794; ++ fiat_secp384r1_uint1 x795; ++ uint32_t x796; ++ fiat_secp384r1_uint1 x797; ++ uint32_t x798; ++ fiat_secp384r1_uint1 x799; ++ uint32_t x800; ++ fiat_secp384r1_uint1 x801; ++ uint32_t x802; ++ fiat_secp384r1_uint1 x803; ++ uint32_t x804; ++ fiat_secp384r1_uint1 x805; ++ uint32_t x806; ++ fiat_secp384r1_uint1 x807; ++ uint32_t x808; ++ fiat_secp384r1_uint1 x809; ++ uint32_t x810; ++ fiat_secp384r1_uint1 x811; ++ uint32_t x812; ++ fiat_secp384r1_uint1 x813; ++ uint32_t x814; ++ fiat_secp384r1_uint1 x815; ++ uint32_t x816; ++ uint32_t x817; ++ uint32_t x818; ++ uint32_t x819; ++ uint32_t x820; ++ uint32_t x821; ++ uint32_t x822; ++ uint32_t x823; ++ uint32_t x824; ++ uint32_t x825; ++ uint32_t x826; ++ uint32_t x827; ++ uint32_t x828; ++ uint32_t x829; ++ uint32_t x830; ++ uint32_t x831; ++ uint32_t x832; ++ uint32_t x833; ++ uint32_t x834; ++ uint32_t x835; ++ uint32_t x836; ++ fiat_secp384r1_uint1 x837; ++ uint32_t x838; ++ fiat_secp384r1_uint1 x839; ++ uint32_t x840; ++ fiat_secp384r1_uint1 x841; ++ uint32_t x842; ++ fiat_secp384r1_uint1 x843; ++ uint32_t x844; ++ fiat_secp384r1_uint1 x845; ++ uint32_t x846; ++ fiat_secp384r1_uint1 x847; ++ uint32_t x848; ++ fiat_secp384r1_uint1 x849; ++ uint32_t x850; ++ fiat_secp384r1_uint1 x851; ++ uint32_t x852; ++ fiat_secp384r1_uint1 x853; ++ uint32_t x854; ++ fiat_secp384r1_uint1 x855; ++ uint32_t x856; ++ fiat_secp384r1_uint1 x857; ++ uint32_t x858; ++ fiat_secp384r1_uint1 x859; ++ uint32_t x860; ++ fiat_secp384r1_uint1 x861; ++ uint32_t x862; ++ fiat_secp384r1_uint1 x863; ++ uint32_t x864; ++ fiat_secp384r1_uint1 x865; ++ uint32_t x866; ++ fiat_secp384r1_uint1 x867; ++ uint32_t x868; ++ fiat_secp384r1_uint1 x869; ++ uint32_t x870; ++ fiat_secp384r1_uint1 x871; ++ uint32_t x872; ++ fiat_secp384r1_uint1 x873; ++ uint32_t x874; ++ fiat_secp384r1_uint1 x875; ++ uint32_t x876; ++ fiat_secp384r1_uint1 x877; ++ uint32_t x878; ++ fiat_secp384r1_uint1 x879; ++ uint32_t x880; ++ fiat_secp384r1_uint1 x881; ++ uint32_t x882; ++ fiat_secp384r1_uint1 x883; ++ uint32_t x884; ++ fiat_secp384r1_uint1 x885; ++ uint32_t x886; ++ fiat_secp384r1_uint1 x887; ++ uint32_t x888; ++ fiat_secp384r1_uint1 x889; ++ uint32_t x890; ++ fiat_secp384r1_uint1 x891; ++ uint32_t x892; ++ fiat_secp384r1_uint1 x893; ++ uint32_t x894; ++ fiat_secp384r1_uint1 x895; ++ uint32_t x896; ++ fiat_secp384r1_uint1 x897; ++ uint32_t x898; ++ fiat_secp384r1_uint1 x899; ++ uint32_t x900; ++ fiat_secp384r1_uint1 x901; ++ uint32_t x902; ++ uint32_t x903; ++ uint32_t x904; ++ uint32_t x905; ++ uint32_t x906; ++ uint32_t x907; ++ uint32_t x908; ++ uint32_t x909; ++ uint32_t x910; ++ uint32_t x911; ++ uint32_t x912; ++ uint32_t x913; ++ uint32_t x914; ++ uint32_t x915; ++ uint32_t x916; ++ uint32_t x917; ++ uint32_t x918; ++ uint32_t x919; ++ uint32_t x920; ++ uint32_t x921; ++ uint32_t x922; ++ fiat_secp384r1_uint1 x923; ++ uint32_t x924; ++ fiat_secp384r1_uint1 x925; ++ uint32_t x926; ++ fiat_secp384r1_uint1 x927; ++ uint32_t x928; ++ fiat_secp384r1_uint1 x929; ++ uint32_t x930; ++ fiat_secp384r1_uint1 x931; ++ uint32_t x932; ++ fiat_secp384r1_uint1 x933; ++ uint32_t x934; ++ fiat_secp384r1_uint1 x935; ++ uint32_t x936; ++ fiat_secp384r1_uint1 x937; ++ uint32_t x938; ++ fiat_secp384r1_uint1 x939; ++ uint32_t x940; ++ fiat_secp384r1_uint1 x941; ++ uint32_t x942; ++ fiat_secp384r1_uint1 x943; ++ uint32_t x944; ++ fiat_secp384r1_uint1 x945; ++ uint32_t x946; ++ fiat_secp384r1_uint1 x947; ++ uint32_t x948; ++ fiat_secp384r1_uint1 x949; ++ uint32_t x950; ++ fiat_secp384r1_uint1 x951; ++ uint32_t x952; ++ fiat_secp384r1_uint1 x953; ++ uint32_t x954; ++ fiat_secp384r1_uint1 x955; ++ uint32_t x956; ++ fiat_secp384r1_uint1 x957; ++ uint32_t x958; ++ fiat_secp384r1_uint1 x959; ++ uint32_t x960; ++ fiat_secp384r1_uint1 x961; ++ uint32_t x962; ++ fiat_secp384r1_uint1 x963; ++ uint32_t x964; ++ fiat_secp384r1_uint1 x965; ++ uint32_t x966; ++ fiat_secp384r1_uint1 x967; ++ uint32_t x968; ++ fiat_secp384r1_uint1 x969; ++ uint32_t x970; ++ fiat_secp384r1_uint1 x971; ++ uint32_t x972; ++ fiat_secp384r1_uint1 x973; ++ uint32_t x974; ++ fiat_secp384r1_uint1 x975; ++ uint32_t x976; ++ fiat_secp384r1_uint1 x977; ++ uint32_t x978; ++ fiat_secp384r1_uint1 x979; ++ uint32_t x980; ++ fiat_secp384r1_uint1 x981; ++ uint32_t x982; ++ fiat_secp384r1_uint1 x983; ++ uint32_t x984; ++ fiat_secp384r1_uint1 x985; ++ uint32_t x986; ++ fiat_secp384r1_uint1 x987; ++ uint32_t x988; ++ fiat_secp384r1_uint1 x989; ++ uint32_t x990; ++ uint32_t x991; ++ uint32_t x992; ++ uint32_t x993; ++ uint32_t x994; ++ uint32_t x995; ++ uint32_t x996; ++ uint32_t x997; ++ uint32_t x998; ++ uint32_t x999; ++ uint32_t x1000; ++ uint32_t x1001; ++ x1 = (arg1[0]); ++ fiat_secp384r1_mulx_u32(&x2, &x3, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x4, &x5, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x6, &x7, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x8, &x9, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x10, &x11, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x12, &x13, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x14, &x15, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x16, &x17, x1, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x18, &x19, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x20, &x21, x1, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x22, &x23, 0x0, x19, x16); ++ fiat_secp384r1_addcarryx_u32(&x24, &x25, x23, x17, x14); ++ fiat_secp384r1_addcarryx_u32(&x26, &x27, x25, x15, x12); ++ fiat_secp384r1_addcarryx_u32(&x28, &x29, x27, x13, x10); ++ fiat_secp384r1_addcarryx_u32(&x30, &x31, x29, x11, x8); ++ fiat_secp384r1_addcarryx_u32(&x32, &x33, x31, x9, x6); ++ fiat_secp384r1_addcarryx_u32(&x34, &x35, x33, x7, x4); ++ fiat_secp384r1_addcarryx_u32(&x36, &x37, x35, x5, x2); ++ fiat_secp384r1_addcarryx_u32(&x38, &x39, 0x0, x1, x20); ++ fiat_secp384r1_addcarryx_u32(&x40, &x41, 0x0, (x39 + x21), (arg1[1])); ++ fiat_secp384r1_mulx_u32(&x42, &x43, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x44, &x45, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x46, &x47, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x48, &x49, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x50, &x51, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x52, &x53, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x54, &x55, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x56, &x57, x40, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x58, &x59, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x60, &x61, x40, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x62, &x63, 0x0, x59, x56); ++ fiat_secp384r1_addcarryx_u32(&x64, &x65, x63, x57, x54); ++ fiat_secp384r1_addcarryx_u32(&x66, &x67, x65, x55, x52); ++ fiat_secp384r1_addcarryx_u32(&x68, &x69, x67, x53, x50); ++ fiat_secp384r1_addcarryx_u32(&x70, &x71, x69, x51, x48); ++ fiat_secp384r1_addcarryx_u32(&x72, &x73, x71, x49, x46); ++ fiat_secp384r1_addcarryx_u32(&x74, &x75, x73, x47, x44); ++ fiat_secp384r1_addcarryx_u32(&x76, &x77, x75, x45, x42); ++ fiat_secp384r1_addcarryx_u32(&x78, &x79, 0x0, x40, x60); ++ fiat_secp384r1_addcarryx_u32(&x80, &x81, x79, x41, x61); ++ fiat_secp384r1_addcarryx_u32(&x82, &x83, x81, x18, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x84, &x85, x83, x22, x58); ++ fiat_secp384r1_addcarryx_u32(&x86, &x87, x85, x24, x62); ++ fiat_secp384r1_addcarryx_u32(&x88, &x89, x87, x26, x64); ++ fiat_secp384r1_addcarryx_u32(&x90, &x91, x89, x28, x66); ++ fiat_secp384r1_addcarryx_u32(&x92, &x93, x91, x30, x68); ++ fiat_secp384r1_addcarryx_u32(&x94, &x95, x93, x32, x70); ++ fiat_secp384r1_addcarryx_u32(&x96, &x97, x95, x34, x72); ++ fiat_secp384r1_addcarryx_u32(&x98, &x99, x97, x36, x74); ++ fiat_secp384r1_addcarryx_u32(&x100, &x101, x99, (x37 + x3), x76); ++ fiat_secp384r1_addcarryx_u32(&x102, &x103, x101, 0x0, (x77 + x43)); ++ fiat_secp384r1_addcarryx_u32(&x104, &x105, 0x0, x80, (arg1[2])); ++ fiat_secp384r1_addcarryx_u32(&x106, &x107, x105, x82, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x108, &x109, x107, x84, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x110, &x111, x109, x86, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x112, &x113, x111, x88, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x114, &x115, x113, x90, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x116, &x117, x115, x92, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x118, &x119, x117, x94, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x120, &x121, x119, x96, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x122, &x123, x121, x98, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x124, &x125, x123, x100, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x126, &x127, x125, x102, 0x0); ++ fiat_secp384r1_mulx_u32(&x128, &x129, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x130, &x131, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x132, &x133, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x134, &x135, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x136, &x137, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x138, &x139, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x140, &x141, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x142, &x143, x104, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x144, &x145, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x146, &x147, x104, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x148, &x149, 0x0, x145, x142); ++ fiat_secp384r1_addcarryx_u32(&x150, &x151, x149, x143, x140); ++ fiat_secp384r1_addcarryx_u32(&x152, &x153, x151, x141, x138); ++ fiat_secp384r1_addcarryx_u32(&x154, &x155, x153, x139, x136); ++ fiat_secp384r1_addcarryx_u32(&x156, &x157, x155, x137, x134); ++ fiat_secp384r1_addcarryx_u32(&x158, &x159, x157, x135, x132); ++ fiat_secp384r1_addcarryx_u32(&x160, &x161, x159, x133, x130); ++ fiat_secp384r1_addcarryx_u32(&x162, &x163, x161, x131, x128); ++ fiat_secp384r1_addcarryx_u32(&x164, &x165, 0x0, x104, x146); ++ fiat_secp384r1_addcarryx_u32(&x166, &x167, x165, x106, x147); ++ fiat_secp384r1_addcarryx_u32(&x168, &x169, x167, x108, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x170, &x171, x169, x110, x144); ++ fiat_secp384r1_addcarryx_u32(&x172, &x173, x171, x112, x148); ++ fiat_secp384r1_addcarryx_u32(&x174, &x175, x173, x114, x150); ++ fiat_secp384r1_addcarryx_u32(&x176, &x177, x175, x116, x152); ++ fiat_secp384r1_addcarryx_u32(&x178, &x179, x177, x118, x154); ++ fiat_secp384r1_addcarryx_u32(&x180, &x181, x179, x120, x156); ++ fiat_secp384r1_addcarryx_u32(&x182, &x183, x181, x122, x158); ++ fiat_secp384r1_addcarryx_u32(&x184, &x185, x183, x124, x160); ++ fiat_secp384r1_addcarryx_u32(&x186, &x187, x185, x126, x162); ++ fiat_secp384r1_addcarryx_u32(&x188, &x189, x187, ((uint32_t)x127 + x103), ++ (x163 + x129)); ++ fiat_secp384r1_addcarryx_u32(&x190, &x191, 0x0, x166, (arg1[3])); ++ fiat_secp384r1_addcarryx_u32(&x192, &x193, x191, x168, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x194, &x195, x193, x170, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x196, &x197, x195, x172, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x198, &x199, x197, x174, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x200, &x201, x199, x176, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x202, &x203, x201, x178, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x204, &x205, x203, x180, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x206, &x207, x205, x182, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x208, &x209, x207, x184, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x210, &x211, x209, x186, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x212, &x213, x211, x188, 0x0); ++ fiat_secp384r1_mulx_u32(&x214, &x215, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x216, &x217, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x218, &x219, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x220, &x221, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x222, &x223, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x224, &x225, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x226, &x227, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x228, &x229, x190, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x230, &x231, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x232, &x233, x190, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x234, &x235, 0x0, x231, x228); ++ fiat_secp384r1_addcarryx_u32(&x236, &x237, x235, x229, x226); ++ fiat_secp384r1_addcarryx_u32(&x238, &x239, x237, x227, x224); ++ fiat_secp384r1_addcarryx_u32(&x240, &x241, x239, x225, x222); ++ fiat_secp384r1_addcarryx_u32(&x242, &x243, x241, x223, x220); ++ fiat_secp384r1_addcarryx_u32(&x244, &x245, x243, x221, x218); ++ fiat_secp384r1_addcarryx_u32(&x246, &x247, x245, x219, x216); ++ fiat_secp384r1_addcarryx_u32(&x248, &x249, x247, x217, x214); ++ fiat_secp384r1_addcarryx_u32(&x250, &x251, 0x0, x190, x232); ++ fiat_secp384r1_addcarryx_u32(&x252, &x253, x251, x192, x233); ++ fiat_secp384r1_addcarryx_u32(&x254, &x255, x253, x194, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x256, &x257, x255, x196, x230); ++ fiat_secp384r1_addcarryx_u32(&x258, &x259, x257, x198, x234); ++ fiat_secp384r1_addcarryx_u32(&x260, &x261, x259, x200, x236); ++ fiat_secp384r1_addcarryx_u32(&x262, &x263, x261, x202, x238); ++ fiat_secp384r1_addcarryx_u32(&x264, &x265, x263, x204, x240); ++ fiat_secp384r1_addcarryx_u32(&x266, &x267, x265, x206, x242); ++ fiat_secp384r1_addcarryx_u32(&x268, &x269, x267, x208, x244); ++ fiat_secp384r1_addcarryx_u32(&x270, &x271, x269, x210, x246); ++ fiat_secp384r1_addcarryx_u32(&x272, &x273, x271, x212, x248); ++ fiat_secp384r1_addcarryx_u32(&x274, &x275, x273, ((uint32_t)x213 + x189), ++ (x249 + x215)); ++ fiat_secp384r1_addcarryx_u32(&x276, &x277, 0x0, x252, (arg1[4])); ++ fiat_secp384r1_addcarryx_u32(&x278, &x279, x277, x254, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x280, &x281, x279, x256, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x282, &x283, x281, x258, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x284, &x285, x283, x260, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x286, &x287, x285, x262, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x288, &x289, x287, x264, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x290, &x291, x289, x266, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x292, &x293, x291, x268, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x294, &x295, x293, x270, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x296, &x297, x295, x272, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x298, &x299, x297, x274, 0x0); ++ fiat_secp384r1_mulx_u32(&x300, &x301, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x302, &x303, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x304, &x305, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x306, &x307, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x308, &x309, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x310, &x311, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x312, &x313, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x314, &x315, x276, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x316, &x317, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x318, &x319, x276, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x320, &x321, 0x0, x317, x314); ++ fiat_secp384r1_addcarryx_u32(&x322, &x323, x321, x315, x312); ++ fiat_secp384r1_addcarryx_u32(&x324, &x325, x323, x313, x310); ++ fiat_secp384r1_addcarryx_u32(&x326, &x327, x325, x311, x308); ++ fiat_secp384r1_addcarryx_u32(&x328, &x329, x327, x309, x306); ++ fiat_secp384r1_addcarryx_u32(&x330, &x331, x329, x307, x304); ++ fiat_secp384r1_addcarryx_u32(&x332, &x333, x331, x305, x302); ++ fiat_secp384r1_addcarryx_u32(&x334, &x335, x333, x303, x300); ++ fiat_secp384r1_addcarryx_u32(&x336, &x337, 0x0, x276, x318); ++ fiat_secp384r1_addcarryx_u32(&x338, &x339, x337, x278, x319); ++ fiat_secp384r1_addcarryx_u32(&x340, &x341, x339, x280, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x342, &x343, x341, x282, x316); ++ fiat_secp384r1_addcarryx_u32(&x344, &x345, x343, x284, x320); ++ fiat_secp384r1_addcarryx_u32(&x346, &x347, x345, x286, x322); ++ fiat_secp384r1_addcarryx_u32(&x348, &x349, x347, x288, x324); ++ fiat_secp384r1_addcarryx_u32(&x350, &x351, x349, x290, x326); ++ fiat_secp384r1_addcarryx_u32(&x352, &x353, x351, x292, x328); ++ fiat_secp384r1_addcarryx_u32(&x354, &x355, x353, x294, x330); ++ fiat_secp384r1_addcarryx_u32(&x356, &x357, x355, x296, x332); ++ fiat_secp384r1_addcarryx_u32(&x358, &x359, x357, x298, x334); ++ fiat_secp384r1_addcarryx_u32(&x360, &x361, x359, ((uint32_t)x299 + x275), ++ (x335 + x301)); ++ fiat_secp384r1_addcarryx_u32(&x362, &x363, 0x0, x338, (arg1[5])); ++ fiat_secp384r1_addcarryx_u32(&x364, &x365, x363, x340, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x366, &x367, x365, x342, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x368, &x369, x367, x344, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x370, &x371, x369, x346, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x372, &x373, x371, x348, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x374, &x375, x373, x350, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x376, &x377, x375, x352, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x378, &x379, x377, x354, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x380, &x381, x379, x356, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x382, &x383, x381, x358, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x384, &x385, x383, x360, 0x0); ++ fiat_secp384r1_mulx_u32(&x386, &x387, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x388, &x389, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x390, &x391, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x392, &x393, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x394, &x395, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x396, &x397, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x398, &x399, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x400, &x401, x362, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x402, &x403, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x404, &x405, x362, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x406, &x407, 0x0, x403, x400); ++ fiat_secp384r1_addcarryx_u32(&x408, &x409, x407, x401, x398); ++ fiat_secp384r1_addcarryx_u32(&x410, &x411, x409, x399, x396); ++ fiat_secp384r1_addcarryx_u32(&x412, &x413, x411, x397, x394); ++ fiat_secp384r1_addcarryx_u32(&x414, &x415, x413, x395, x392); ++ fiat_secp384r1_addcarryx_u32(&x416, &x417, x415, x393, x390); ++ fiat_secp384r1_addcarryx_u32(&x418, &x419, x417, x391, x388); ++ fiat_secp384r1_addcarryx_u32(&x420, &x421, x419, x389, x386); ++ fiat_secp384r1_addcarryx_u32(&x422, &x423, 0x0, x362, x404); ++ fiat_secp384r1_addcarryx_u32(&x424, &x425, x423, x364, x405); ++ fiat_secp384r1_addcarryx_u32(&x426, &x427, x425, x366, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x428, &x429, x427, x368, x402); ++ fiat_secp384r1_addcarryx_u32(&x430, &x431, x429, x370, x406); ++ fiat_secp384r1_addcarryx_u32(&x432, &x433, x431, x372, x408); ++ fiat_secp384r1_addcarryx_u32(&x434, &x435, x433, x374, x410); ++ fiat_secp384r1_addcarryx_u32(&x436, &x437, x435, x376, x412); ++ fiat_secp384r1_addcarryx_u32(&x438, &x439, x437, x378, x414); ++ fiat_secp384r1_addcarryx_u32(&x440, &x441, x439, x380, x416); ++ fiat_secp384r1_addcarryx_u32(&x442, &x443, x441, x382, x418); ++ fiat_secp384r1_addcarryx_u32(&x444, &x445, x443, x384, x420); ++ fiat_secp384r1_addcarryx_u32(&x446, &x447, x445, ((uint32_t)x385 + x361), ++ (x421 + x387)); ++ fiat_secp384r1_addcarryx_u32(&x448, &x449, 0x0, x424, (arg1[6])); ++ fiat_secp384r1_addcarryx_u32(&x450, &x451, x449, x426, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x452, &x453, x451, x428, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x454, &x455, x453, x430, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x456, &x457, x455, x432, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x458, &x459, x457, x434, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x460, &x461, x459, x436, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x462, &x463, x461, x438, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x464, &x465, x463, x440, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x466, &x467, x465, x442, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x468, &x469, x467, x444, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x470, &x471, x469, x446, 0x0); ++ fiat_secp384r1_mulx_u32(&x472, &x473, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x474, &x475, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x476, &x477, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x478, &x479, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x480, &x481, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x482, &x483, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x484, &x485, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x486, &x487, x448, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x488, &x489, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x490, &x491, x448, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x492, &x493, 0x0, x489, x486); ++ fiat_secp384r1_addcarryx_u32(&x494, &x495, x493, x487, x484); ++ fiat_secp384r1_addcarryx_u32(&x496, &x497, x495, x485, x482); ++ fiat_secp384r1_addcarryx_u32(&x498, &x499, x497, x483, x480); ++ fiat_secp384r1_addcarryx_u32(&x500, &x501, x499, x481, x478); ++ fiat_secp384r1_addcarryx_u32(&x502, &x503, x501, x479, x476); ++ fiat_secp384r1_addcarryx_u32(&x504, &x505, x503, x477, x474); ++ fiat_secp384r1_addcarryx_u32(&x506, &x507, x505, x475, x472); ++ fiat_secp384r1_addcarryx_u32(&x508, &x509, 0x0, x448, x490); ++ fiat_secp384r1_addcarryx_u32(&x510, &x511, x509, x450, x491); ++ fiat_secp384r1_addcarryx_u32(&x512, &x513, x511, x452, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x514, &x515, x513, x454, x488); ++ fiat_secp384r1_addcarryx_u32(&x516, &x517, x515, x456, x492); ++ fiat_secp384r1_addcarryx_u32(&x518, &x519, x517, x458, x494); ++ fiat_secp384r1_addcarryx_u32(&x520, &x521, x519, x460, x496); ++ fiat_secp384r1_addcarryx_u32(&x522, &x523, x521, x462, x498); ++ fiat_secp384r1_addcarryx_u32(&x524, &x525, x523, x464, x500); ++ fiat_secp384r1_addcarryx_u32(&x526, &x527, x525, x466, x502); ++ fiat_secp384r1_addcarryx_u32(&x528, &x529, x527, x468, x504); ++ fiat_secp384r1_addcarryx_u32(&x530, &x531, x529, x470, x506); ++ fiat_secp384r1_addcarryx_u32(&x532, &x533, x531, ((uint32_t)x471 + x447), ++ (x507 + x473)); ++ fiat_secp384r1_addcarryx_u32(&x534, &x535, 0x0, x510, (arg1[7])); ++ fiat_secp384r1_addcarryx_u32(&x536, &x537, x535, x512, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x538, &x539, x537, x514, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x540, &x541, x539, x516, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x542, &x543, x541, x518, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x544, &x545, x543, x520, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x546, &x547, x545, x522, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x548, &x549, x547, x524, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x550, &x551, x549, x526, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x552, &x553, x551, x528, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x554, &x555, x553, x530, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x556, &x557, x555, x532, 0x0); ++ fiat_secp384r1_mulx_u32(&x558, &x559, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x560, &x561, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x562, &x563, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x564, &x565, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x566, &x567, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x568, &x569, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x570, &x571, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x572, &x573, x534, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x574, &x575, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x576, &x577, x534, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x578, &x579, 0x0, x575, x572); ++ fiat_secp384r1_addcarryx_u32(&x580, &x581, x579, x573, x570); ++ fiat_secp384r1_addcarryx_u32(&x582, &x583, x581, x571, x568); ++ fiat_secp384r1_addcarryx_u32(&x584, &x585, x583, x569, x566); ++ fiat_secp384r1_addcarryx_u32(&x586, &x587, x585, x567, x564); ++ fiat_secp384r1_addcarryx_u32(&x588, &x589, x587, x565, x562); ++ fiat_secp384r1_addcarryx_u32(&x590, &x591, x589, x563, x560); ++ fiat_secp384r1_addcarryx_u32(&x592, &x593, x591, x561, x558); ++ fiat_secp384r1_addcarryx_u32(&x594, &x595, 0x0, x534, x576); ++ fiat_secp384r1_addcarryx_u32(&x596, &x597, x595, x536, x577); ++ fiat_secp384r1_addcarryx_u32(&x598, &x599, x597, x538, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x600, &x601, x599, x540, x574); ++ fiat_secp384r1_addcarryx_u32(&x602, &x603, x601, x542, x578); ++ fiat_secp384r1_addcarryx_u32(&x604, &x605, x603, x544, x580); ++ fiat_secp384r1_addcarryx_u32(&x606, &x607, x605, x546, x582); ++ fiat_secp384r1_addcarryx_u32(&x608, &x609, x607, x548, x584); ++ fiat_secp384r1_addcarryx_u32(&x610, &x611, x609, x550, x586); ++ fiat_secp384r1_addcarryx_u32(&x612, &x613, x611, x552, x588); ++ fiat_secp384r1_addcarryx_u32(&x614, &x615, x613, x554, x590); ++ fiat_secp384r1_addcarryx_u32(&x616, &x617, x615, x556, x592); ++ fiat_secp384r1_addcarryx_u32(&x618, &x619, x617, ((uint32_t)x557 + x533), ++ (x593 + x559)); ++ fiat_secp384r1_addcarryx_u32(&x620, &x621, 0x0, x596, (arg1[8])); ++ fiat_secp384r1_addcarryx_u32(&x622, &x623, x621, x598, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x624, &x625, x623, x600, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x626, &x627, x625, x602, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x628, &x629, x627, x604, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x630, &x631, x629, x606, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x632, &x633, x631, x608, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x634, &x635, x633, x610, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x636, &x637, x635, x612, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x638, &x639, x637, x614, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x640, &x641, x639, x616, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x642, &x643, x641, x618, 0x0); ++ fiat_secp384r1_mulx_u32(&x644, &x645, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x646, &x647, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x648, &x649, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x650, &x651, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x652, &x653, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x654, &x655, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x656, &x657, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x658, &x659, x620, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x660, &x661, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x662, &x663, x620, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x664, &x665, 0x0, x661, x658); ++ fiat_secp384r1_addcarryx_u32(&x666, &x667, x665, x659, x656); ++ fiat_secp384r1_addcarryx_u32(&x668, &x669, x667, x657, x654); ++ fiat_secp384r1_addcarryx_u32(&x670, &x671, x669, x655, x652); ++ fiat_secp384r1_addcarryx_u32(&x672, &x673, x671, x653, x650); ++ fiat_secp384r1_addcarryx_u32(&x674, &x675, x673, x651, x648); ++ fiat_secp384r1_addcarryx_u32(&x676, &x677, x675, x649, x646); ++ fiat_secp384r1_addcarryx_u32(&x678, &x679, x677, x647, x644); ++ fiat_secp384r1_addcarryx_u32(&x680, &x681, 0x0, x620, x662); ++ fiat_secp384r1_addcarryx_u32(&x682, &x683, x681, x622, x663); ++ fiat_secp384r1_addcarryx_u32(&x684, &x685, x683, x624, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x686, &x687, x685, x626, x660); ++ fiat_secp384r1_addcarryx_u32(&x688, &x689, x687, x628, x664); ++ fiat_secp384r1_addcarryx_u32(&x690, &x691, x689, x630, x666); ++ fiat_secp384r1_addcarryx_u32(&x692, &x693, x691, x632, x668); ++ fiat_secp384r1_addcarryx_u32(&x694, &x695, x693, x634, x670); ++ fiat_secp384r1_addcarryx_u32(&x696, &x697, x695, x636, x672); ++ fiat_secp384r1_addcarryx_u32(&x698, &x699, x697, x638, x674); ++ fiat_secp384r1_addcarryx_u32(&x700, &x701, x699, x640, x676); ++ fiat_secp384r1_addcarryx_u32(&x702, &x703, x701, x642, x678); ++ fiat_secp384r1_addcarryx_u32(&x704, &x705, x703, ((uint32_t)x643 + x619), ++ (x679 + x645)); ++ fiat_secp384r1_addcarryx_u32(&x706, &x707, 0x0, x682, (arg1[9])); ++ fiat_secp384r1_addcarryx_u32(&x708, &x709, x707, x684, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x710, &x711, x709, x686, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x712, &x713, x711, x688, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x714, &x715, x713, x690, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x716, &x717, x715, x692, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x718, &x719, x717, x694, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x720, &x721, x719, x696, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x722, &x723, x721, x698, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x724, &x725, x723, x700, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x726, &x727, x725, x702, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x728, &x729, x727, x704, 0x0); ++ fiat_secp384r1_mulx_u32(&x730, &x731, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x732, &x733, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x734, &x735, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x736, &x737, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x738, &x739, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x740, &x741, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x742, &x743, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x744, &x745, x706, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x746, &x747, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x748, &x749, x706, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x750, &x751, 0x0, x747, x744); ++ fiat_secp384r1_addcarryx_u32(&x752, &x753, x751, x745, x742); ++ fiat_secp384r1_addcarryx_u32(&x754, &x755, x753, x743, x740); ++ fiat_secp384r1_addcarryx_u32(&x756, &x757, x755, x741, x738); ++ fiat_secp384r1_addcarryx_u32(&x758, &x759, x757, x739, x736); ++ fiat_secp384r1_addcarryx_u32(&x760, &x761, x759, x737, x734); ++ fiat_secp384r1_addcarryx_u32(&x762, &x763, x761, x735, x732); ++ fiat_secp384r1_addcarryx_u32(&x764, &x765, x763, x733, x730); ++ fiat_secp384r1_addcarryx_u32(&x766, &x767, 0x0, x706, x748); ++ fiat_secp384r1_addcarryx_u32(&x768, &x769, x767, x708, x749); ++ fiat_secp384r1_addcarryx_u32(&x770, &x771, x769, x710, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x772, &x773, x771, x712, x746); ++ fiat_secp384r1_addcarryx_u32(&x774, &x775, x773, x714, x750); ++ fiat_secp384r1_addcarryx_u32(&x776, &x777, x775, x716, x752); ++ fiat_secp384r1_addcarryx_u32(&x778, &x779, x777, x718, x754); ++ fiat_secp384r1_addcarryx_u32(&x780, &x781, x779, x720, x756); ++ fiat_secp384r1_addcarryx_u32(&x782, &x783, x781, x722, x758); ++ fiat_secp384r1_addcarryx_u32(&x784, &x785, x783, x724, x760); ++ fiat_secp384r1_addcarryx_u32(&x786, &x787, x785, x726, x762); ++ fiat_secp384r1_addcarryx_u32(&x788, &x789, x787, x728, x764); ++ fiat_secp384r1_addcarryx_u32(&x790, &x791, x789, ((uint32_t)x729 + x705), ++ (x765 + x731)); ++ fiat_secp384r1_addcarryx_u32(&x792, &x793, 0x0, x768, (arg1[10])); ++ fiat_secp384r1_addcarryx_u32(&x794, &x795, x793, x770, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x796, &x797, x795, x772, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x798, &x799, x797, x774, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x800, &x801, x799, x776, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x802, &x803, x801, x778, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x804, &x805, x803, x780, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x806, &x807, x805, x782, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x808, &x809, x807, x784, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x810, &x811, x809, x786, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x812, &x813, x811, x788, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x814, &x815, x813, x790, 0x0); ++ fiat_secp384r1_mulx_u32(&x816, &x817, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x818, &x819, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x820, &x821, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x822, &x823, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x824, &x825, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x826, &x827, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x828, &x829, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x830, &x831, x792, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x832, &x833, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x834, &x835, x792, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x836, &x837, 0x0, x833, x830); ++ fiat_secp384r1_addcarryx_u32(&x838, &x839, x837, x831, x828); ++ fiat_secp384r1_addcarryx_u32(&x840, &x841, x839, x829, x826); ++ fiat_secp384r1_addcarryx_u32(&x842, &x843, x841, x827, x824); ++ fiat_secp384r1_addcarryx_u32(&x844, &x845, x843, x825, x822); ++ fiat_secp384r1_addcarryx_u32(&x846, &x847, x845, x823, x820); ++ fiat_secp384r1_addcarryx_u32(&x848, &x849, x847, x821, x818); ++ fiat_secp384r1_addcarryx_u32(&x850, &x851, x849, x819, x816); ++ fiat_secp384r1_addcarryx_u32(&x852, &x853, 0x0, x792, x834); ++ fiat_secp384r1_addcarryx_u32(&x854, &x855, x853, x794, x835); ++ fiat_secp384r1_addcarryx_u32(&x856, &x857, x855, x796, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x858, &x859, x857, x798, x832); ++ fiat_secp384r1_addcarryx_u32(&x860, &x861, x859, x800, x836); ++ fiat_secp384r1_addcarryx_u32(&x862, &x863, x861, x802, x838); ++ fiat_secp384r1_addcarryx_u32(&x864, &x865, x863, x804, x840); ++ fiat_secp384r1_addcarryx_u32(&x866, &x867, x865, x806, x842); ++ fiat_secp384r1_addcarryx_u32(&x868, &x869, x867, x808, x844); ++ fiat_secp384r1_addcarryx_u32(&x870, &x871, x869, x810, x846); ++ fiat_secp384r1_addcarryx_u32(&x872, &x873, x871, x812, x848); ++ fiat_secp384r1_addcarryx_u32(&x874, &x875, x873, x814, x850); ++ fiat_secp384r1_addcarryx_u32(&x876, &x877, x875, ((uint32_t)x815 + x791), ++ (x851 + x817)); ++ fiat_secp384r1_addcarryx_u32(&x878, &x879, 0x0, x854, (arg1[11])); ++ fiat_secp384r1_addcarryx_u32(&x880, &x881, x879, x856, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x882, &x883, x881, x858, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x884, &x885, x883, x860, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x886, &x887, x885, x862, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x888, &x889, x887, x864, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x890, &x891, x889, x866, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x892, &x893, x891, x868, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x894, &x895, x893, x870, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x896, &x897, x895, x872, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x898, &x899, x897, x874, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x900, &x901, x899, x876, 0x0); ++ fiat_secp384r1_mulx_u32(&x902, &x903, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x904, &x905, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x906, &x907, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x908, &x909, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x910, &x911, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x912, &x913, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x914, &x915, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x916, &x917, x878, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x918, &x919, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x920, &x921, x878, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x922, &x923, 0x0, x919, x916); ++ fiat_secp384r1_addcarryx_u32(&x924, &x925, x923, x917, x914); ++ fiat_secp384r1_addcarryx_u32(&x926, &x927, x925, x915, x912); ++ fiat_secp384r1_addcarryx_u32(&x928, &x929, x927, x913, x910); ++ fiat_secp384r1_addcarryx_u32(&x930, &x931, x929, x911, x908); ++ fiat_secp384r1_addcarryx_u32(&x932, &x933, x931, x909, x906); ++ fiat_secp384r1_addcarryx_u32(&x934, &x935, x933, x907, x904); ++ fiat_secp384r1_addcarryx_u32(&x936, &x937, x935, x905, x902); ++ fiat_secp384r1_addcarryx_u32(&x938, &x939, 0x0, x878, x920); ++ fiat_secp384r1_addcarryx_u32(&x940, &x941, x939, x880, x921); ++ fiat_secp384r1_addcarryx_u32(&x942, &x943, x941, x882, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x944, &x945, x943, x884, x918); ++ fiat_secp384r1_addcarryx_u32(&x946, &x947, x945, x886, x922); ++ fiat_secp384r1_addcarryx_u32(&x948, &x949, x947, x888, x924); ++ fiat_secp384r1_addcarryx_u32(&x950, &x951, x949, x890, x926); ++ fiat_secp384r1_addcarryx_u32(&x952, &x953, x951, x892, x928); ++ fiat_secp384r1_addcarryx_u32(&x954, &x955, x953, x894, x930); ++ fiat_secp384r1_addcarryx_u32(&x956, &x957, x955, x896, x932); ++ fiat_secp384r1_addcarryx_u32(&x958, &x959, x957, x898, x934); ++ fiat_secp384r1_addcarryx_u32(&x960, &x961, x959, x900, x936); ++ fiat_secp384r1_addcarryx_u32(&x962, &x963, x961, ((uint32_t)x901 + x877), ++ (x937 + x903)); ++ fiat_secp384r1_subborrowx_u32(&x964, &x965, 0x0, x940, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x966, &x967, x965, x942, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x968, &x969, x967, x944, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x970, &x971, x969, x946, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x972, &x973, x971, x948, ++ UINT32_C(0xfffffffe)); ++ fiat_secp384r1_subborrowx_u32(&x974, &x975, x973, x950, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x976, &x977, x975, x952, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x978, &x979, x977, x954, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x980, &x981, x979, x956, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x982, &x983, x981, x958, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x984, &x985, x983, x960, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x986, &x987, x985, x962, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x988, &x989, x987, x963, 0x0); ++ fiat_secp384r1_cmovznz_u32(&x990, x989, x964, x940); ++ fiat_secp384r1_cmovznz_u32(&x991, x989, x966, x942); ++ fiat_secp384r1_cmovznz_u32(&x992, x989, x968, x944); ++ fiat_secp384r1_cmovznz_u32(&x993, x989, x970, x946); ++ fiat_secp384r1_cmovznz_u32(&x994, x989, x972, x948); ++ fiat_secp384r1_cmovznz_u32(&x995, x989, x974, x950); ++ fiat_secp384r1_cmovznz_u32(&x996, x989, x976, x952); ++ fiat_secp384r1_cmovznz_u32(&x997, x989, x978, x954); ++ fiat_secp384r1_cmovznz_u32(&x998, x989, x980, x956); ++ fiat_secp384r1_cmovznz_u32(&x999, x989, x982, x958); ++ fiat_secp384r1_cmovznz_u32(&x1000, x989, x984, x960); ++ fiat_secp384r1_cmovznz_u32(&x1001, x989, x986, x962); ++ out1[0] = x990; ++ out1[1] = x991; ++ out1[2] = x992; ++ out1[3] = x993; ++ out1[4] = x994; ++ out1[5] = x995; ++ out1[6] = x996; ++ out1[7] = x997; ++ out1[8] = x998; ++ out1[9] = x999; ++ out1[10] = x1000; ++ out1[11] = x1001; ++} ++ ++/* ++ * The function fiat_secp384r1_to_montgomery translates a field element into the Montgomery domain. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * eval (from_montgomery out1) mod m = eval arg1 mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_to_montgomery(uint32_t out1[12], ++ const uint32_t arg1[12]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint32_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint32_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint32_t x12; ++ uint32_t x13; ++ uint32_t x14; ++ uint32_t x15; ++ uint32_t x16; ++ uint32_t x17; ++ uint32_t x18; ++ uint32_t x19; ++ uint32_t x20; ++ uint32_t x21; ++ fiat_secp384r1_uint1 x22; ++ uint32_t x23; ++ uint32_t x24; ++ uint32_t x25; ++ uint32_t x26; ++ uint32_t x27; ++ uint32_t x28; ++ uint32_t x29; ++ uint32_t x30; ++ uint32_t x31; ++ uint32_t x32; ++ uint32_t x33; ++ uint32_t x34; ++ uint32_t x35; ++ uint32_t x36; ++ uint32_t x37; ++ uint32_t x38; ++ uint32_t x39; ++ uint32_t x40; ++ uint32_t x41; ++ uint32_t x42; ++ uint32_t x43; ++ fiat_secp384r1_uint1 x44; ++ uint32_t x45; ++ fiat_secp384r1_uint1 x46; ++ uint32_t x47; ++ fiat_secp384r1_uint1 x48; ++ uint32_t x49; ++ fiat_secp384r1_uint1 x50; ++ uint32_t x51; ++ fiat_secp384r1_uint1 x52; ++ uint32_t x53; ++ fiat_secp384r1_uint1 x54; ++ uint32_t x55; ++ fiat_secp384r1_uint1 x56; ++ uint32_t x57; ++ fiat_secp384r1_uint1 x58; ++ uint32_t x59; ++ fiat_secp384r1_uint1 x60; ++ uint32_t x61; ++ fiat_secp384r1_uint1 x62; ++ uint32_t x63; ++ fiat_secp384r1_uint1 x64; ++ uint32_t x65; ++ fiat_secp384r1_uint1 x66; ++ uint32_t x67; ++ fiat_secp384r1_uint1 x68; ++ uint32_t x69; ++ fiat_secp384r1_uint1 x70; ++ uint32_t x71; ++ fiat_secp384r1_uint1 x72; ++ uint32_t x73; ++ fiat_secp384r1_uint1 x74; ++ uint32_t x75; ++ fiat_secp384r1_uint1 x76; ++ uint32_t x77; ++ fiat_secp384r1_uint1 x78; ++ uint32_t x79; ++ fiat_secp384r1_uint1 x80; ++ uint32_t x81; ++ fiat_secp384r1_uint1 x82; ++ uint32_t x83; ++ uint32_t x84; ++ uint32_t x85; ++ uint32_t x86; ++ uint32_t x87; ++ uint32_t x88; ++ uint32_t x89; ++ uint32_t x90; ++ uint32_t x91; ++ fiat_secp384r1_uint1 x92; ++ uint32_t x93; ++ fiat_secp384r1_uint1 x94; ++ uint32_t x95; ++ fiat_secp384r1_uint1 x96; ++ uint32_t x97; ++ fiat_secp384r1_uint1 x98; ++ uint32_t x99; ++ fiat_secp384r1_uint1 x100; ++ uint32_t x101; ++ fiat_secp384r1_uint1 x102; ++ uint32_t x103; ++ fiat_secp384r1_uint1 x104; ++ uint32_t x105; ++ fiat_secp384r1_uint1 x106; ++ uint32_t x107; ++ fiat_secp384r1_uint1 x108; ++ uint32_t x109; ++ fiat_secp384r1_uint1 x110; ++ uint32_t x111; ++ fiat_secp384r1_uint1 x112; ++ uint32_t x113; ++ fiat_secp384r1_uint1 x114; ++ uint32_t x115; ++ fiat_secp384r1_uint1 x116; ++ uint32_t x117; ++ uint32_t x118; ++ uint32_t x119; ++ uint32_t x120; ++ uint32_t x121; ++ uint32_t x122; ++ uint32_t x123; ++ uint32_t x124; ++ uint32_t x125; ++ uint32_t x126; ++ uint32_t x127; ++ uint32_t x128; ++ uint32_t x129; ++ uint32_t x130; ++ uint32_t x131; ++ uint32_t x132; ++ uint32_t x133; ++ uint32_t x134; ++ uint32_t x135; ++ uint32_t x136; ++ uint32_t x137; ++ fiat_secp384r1_uint1 x138; ++ uint32_t x139; ++ fiat_secp384r1_uint1 x140; ++ uint32_t x141; ++ fiat_secp384r1_uint1 x142; ++ uint32_t x143; ++ fiat_secp384r1_uint1 x144; ++ uint32_t x145; ++ fiat_secp384r1_uint1 x146; ++ uint32_t x147; ++ fiat_secp384r1_uint1 x148; ++ uint32_t x149; ++ fiat_secp384r1_uint1 x150; ++ uint32_t x151; ++ fiat_secp384r1_uint1 x152; ++ uint32_t x153; ++ fiat_secp384r1_uint1 x154; ++ uint32_t x155; ++ fiat_secp384r1_uint1 x156; ++ uint32_t x157; ++ fiat_secp384r1_uint1 x158; ++ uint32_t x159; ++ fiat_secp384r1_uint1 x160; ++ uint32_t x161; ++ fiat_secp384r1_uint1 x162; ++ uint32_t x163; ++ fiat_secp384r1_uint1 x164; ++ uint32_t x165; ++ fiat_secp384r1_uint1 x166; ++ uint32_t x167; ++ fiat_secp384r1_uint1 x168; ++ uint32_t x169; ++ fiat_secp384r1_uint1 x170; ++ uint32_t x171; ++ fiat_secp384r1_uint1 x172; ++ uint32_t x173; ++ fiat_secp384r1_uint1 x174; ++ uint32_t x175; ++ fiat_secp384r1_uint1 x176; ++ uint32_t x177; ++ fiat_secp384r1_uint1 x178; ++ uint32_t x179; ++ uint32_t x180; ++ uint32_t x181; ++ uint32_t x182; ++ uint32_t x183; ++ uint32_t x184; ++ uint32_t x185; ++ uint32_t x186; ++ uint32_t x187; ++ fiat_secp384r1_uint1 x188; ++ uint32_t x189; ++ fiat_secp384r1_uint1 x190; ++ uint32_t x191; ++ fiat_secp384r1_uint1 x192; ++ uint32_t x193; ++ fiat_secp384r1_uint1 x194; ++ uint32_t x195; ++ fiat_secp384r1_uint1 x196; ++ uint32_t x197; ++ fiat_secp384r1_uint1 x198; ++ uint32_t x199; ++ fiat_secp384r1_uint1 x200; ++ uint32_t x201; ++ fiat_secp384r1_uint1 x202; ++ uint32_t x203; ++ fiat_secp384r1_uint1 x204; ++ uint32_t x205; ++ fiat_secp384r1_uint1 x206; ++ uint32_t x207; ++ fiat_secp384r1_uint1 x208; ++ uint32_t x209; ++ fiat_secp384r1_uint1 x210; ++ uint32_t x211; ++ fiat_secp384r1_uint1 x212; ++ uint32_t x213; ++ uint32_t x214; ++ uint32_t x215; ++ uint32_t x216; ++ uint32_t x217; ++ uint32_t x218; ++ uint32_t x219; ++ uint32_t x220; ++ uint32_t x221; ++ uint32_t x222; ++ uint32_t x223; ++ uint32_t x224; ++ uint32_t x225; ++ uint32_t x226; ++ uint32_t x227; ++ uint32_t x228; ++ uint32_t x229; ++ uint32_t x230; ++ uint32_t x231; ++ uint32_t x232; ++ uint32_t x233; ++ fiat_secp384r1_uint1 x234; ++ uint32_t x235; ++ fiat_secp384r1_uint1 x236; ++ uint32_t x237; ++ fiat_secp384r1_uint1 x238; ++ uint32_t x239; ++ fiat_secp384r1_uint1 x240; ++ uint32_t x241; ++ fiat_secp384r1_uint1 x242; ++ uint32_t x243; ++ fiat_secp384r1_uint1 x244; ++ uint32_t x245; ++ fiat_secp384r1_uint1 x246; ++ uint32_t x247; ++ fiat_secp384r1_uint1 x248; ++ uint32_t x249; ++ fiat_secp384r1_uint1 x250; ++ uint32_t x251; ++ fiat_secp384r1_uint1 x252; ++ uint32_t x253; ++ fiat_secp384r1_uint1 x254; ++ uint32_t x255; ++ fiat_secp384r1_uint1 x256; ++ uint32_t x257; ++ fiat_secp384r1_uint1 x258; ++ uint32_t x259; ++ fiat_secp384r1_uint1 x260; ++ uint32_t x261; ++ fiat_secp384r1_uint1 x262; ++ uint32_t x263; ++ fiat_secp384r1_uint1 x264; ++ uint32_t x265; ++ fiat_secp384r1_uint1 x266; ++ uint32_t x267; ++ fiat_secp384r1_uint1 x268; ++ uint32_t x269; ++ fiat_secp384r1_uint1 x270; ++ uint32_t x271; ++ fiat_secp384r1_uint1 x272; ++ uint32_t x273; ++ fiat_secp384r1_uint1 x274; ++ uint32_t x275; ++ uint32_t x276; ++ uint32_t x277; ++ uint32_t x278; ++ uint32_t x279; ++ uint32_t x280; ++ uint32_t x281; ++ uint32_t x282; ++ uint32_t x283; ++ fiat_secp384r1_uint1 x284; ++ uint32_t x285; ++ fiat_secp384r1_uint1 x286; ++ uint32_t x287; ++ fiat_secp384r1_uint1 x288; ++ uint32_t x289; ++ fiat_secp384r1_uint1 x290; ++ uint32_t x291; ++ fiat_secp384r1_uint1 x292; ++ uint32_t x293; ++ fiat_secp384r1_uint1 x294; ++ uint32_t x295; ++ fiat_secp384r1_uint1 x296; ++ uint32_t x297; ++ fiat_secp384r1_uint1 x298; ++ uint32_t x299; ++ fiat_secp384r1_uint1 x300; ++ uint32_t x301; ++ fiat_secp384r1_uint1 x302; ++ uint32_t x303; ++ fiat_secp384r1_uint1 x304; ++ uint32_t x305; ++ fiat_secp384r1_uint1 x306; ++ uint32_t x307; ++ fiat_secp384r1_uint1 x308; ++ uint32_t x309; ++ uint32_t x310; ++ uint32_t x311; ++ uint32_t x312; ++ uint32_t x313; ++ uint32_t x314; ++ uint32_t x315; ++ uint32_t x316; ++ uint32_t x317; ++ uint32_t x318; ++ uint32_t x319; ++ uint32_t x320; ++ uint32_t x321; ++ uint32_t x322; ++ uint32_t x323; ++ uint32_t x324; ++ uint32_t x325; ++ uint32_t x326; ++ uint32_t x327; ++ uint32_t x328; ++ uint32_t x329; ++ fiat_secp384r1_uint1 x330; ++ uint32_t x331; ++ fiat_secp384r1_uint1 x332; ++ uint32_t x333; ++ fiat_secp384r1_uint1 x334; ++ uint32_t x335; ++ fiat_secp384r1_uint1 x336; ++ uint32_t x337; ++ fiat_secp384r1_uint1 x338; ++ uint32_t x339; ++ fiat_secp384r1_uint1 x340; ++ uint32_t x341; ++ fiat_secp384r1_uint1 x342; ++ uint32_t x343; ++ fiat_secp384r1_uint1 x344; ++ uint32_t x345; ++ fiat_secp384r1_uint1 x346; ++ uint32_t x347; ++ fiat_secp384r1_uint1 x348; ++ uint32_t x349; ++ fiat_secp384r1_uint1 x350; ++ uint32_t x351; ++ fiat_secp384r1_uint1 x352; ++ uint32_t x353; ++ fiat_secp384r1_uint1 x354; ++ uint32_t x355; ++ fiat_secp384r1_uint1 x356; ++ uint32_t x357; ++ fiat_secp384r1_uint1 x358; ++ uint32_t x359; ++ fiat_secp384r1_uint1 x360; ++ uint32_t x361; ++ fiat_secp384r1_uint1 x362; ++ uint32_t x363; ++ fiat_secp384r1_uint1 x364; ++ uint32_t x365; ++ fiat_secp384r1_uint1 x366; ++ uint32_t x367; ++ fiat_secp384r1_uint1 x368; ++ uint32_t x369; ++ fiat_secp384r1_uint1 x370; ++ uint32_t x371; ++ uint32_t x372; ++ uint32_t x373; ++ uint32_t x374; ++ uint32_t x375; ++ uint32_t x376; ++ uint32_t x377; ++ uint32_t x378; ++ uint32_t x379; ++ fiat_secp384r1_uint1 x380; ++ uint32_t x381; ++ fiat_secp384r1_uint1 x382; ++ uint32_t x383; ++ fiat_secp384r1_uint1 x384; ++ uint32_t x385; ++ fiat_secp384r1_uint1 x386; ++ uint32_t x387; ++ fiat_secp384r1_uint1 x388; ++ uint32_t x389; ++ fiat_secp384r1_uint1 x390; ++ uint32_t x391; ++ fiat_secp384r1_uint1 x392; ++ uint32_t x393; ++ fiat_secp384r1_uint1 x394; ++ uint32_t x395; ++ fiat_secp384r1_uint1 x396; ++ uint32_t x397; ++ fiat_secp384r1_uint1 x398; ++ uint32_t x399; ++ fiat_secp384r1_uint1 x400; ++ uint32_t x401; ++ fiat_secp384r1_uint1 x402; ++ uint32_t x403; ++ fiat_secp384r1_uint1 x404; ++ uint32_t x405; ++ uint32_t x406; ++ uint32_t x407; ++ uint32_t x408; ++ uint32_t x409; ++ uint32_t x410; ++ uint32_t x411; ++ uint32_t x412; ++ uint32_t x413; ++ uint32_t x414; ++ uint32_t x415; ++ uint32_t x416; ++ uint32_t x417; ++ uint32_t x418; ++ uint32_t x419; ++ uint32_t x420; ++ uint32_t x421; ++ uint32_t x422; ++ uint32_t x423; ++ uint32_t x424; ++ uint32_t x425; ++ fiat_secp384r1_uint1 x426; ++ uint32_t x427; ++ fiat_secp384r1_uint1 x428; ++ uint32_t x429; ++ fiat_secp384r1_uint1 x430; ++ uint32_t x431; ++ fiat_secp384r1_uint1 x432; ++ uint32_t x433; ++ fiat_secp384r1_uint1 x434; ++ uint32_t x435; ++ fiat_secp384r1_uint1 x436; ++ uint32_t x437; ++ fiat_secp384r1_uint1 x438; ++ uint32_t x439; ++ fiat_secp384r1_uint1 x440; ++ uint32_t x441; ++ fiat_secp384r1_uint1 x442; ++ uint32_t x443; ++ fiat_secp384r1_uint1 x444; ++ uint32_t x445; ++ fiat_secp384r1_uint1 x446; ++ uint32_t x447; ++ fiat_secp384r1_uint1 x448; ++ uint32_t x449; ++ fiat_secp384r1_uint1 x450; ++ uint32_t x451; ++ fiat_secp384r1_uint1 x452; ++ uint32_t x453; ++ fiat_secp384r1_uint1 x454; ++ uint32_t x455; ++ fiat_secp384r1_uint1 x456; ++ uint32_t x457; ++ fiat_secp384r1_uint1 x458; ++ uint32_t x459; ++ fiat_secp384r1_uint1 x460; ++ uint32_t x461; ++ fiat_secp384r1_uint1 x462; ++ uint32_t x463; ++ fiat_secp384r1_uint1 x464; ++ uint32_t x465; ++ fiat_secp384r1_uint1 x466; ++ uint32_t x467; ++ uint32_t x468; ++ uint32_t x469; ++ uint32_t x470; ++ uint32_t x471; ++ uint32_t x472; ++ uint32_t x473; ++ uint32_t x474; ++ uint32_t x475; ++ fiat_secp384r1_uint1 x476; ++ uint32_t x477; ++ fiat_secp384r1_uint1 x478; ++ uint32_t x479; ++ fiat_secp384r1_uint1 x480; ++ uint32_t x481; ++ fiat_secp384r1_uint1 x482; ++ uint32_t x483; ++ fiat_secp384r1_uint1 x484; ++ uint32_t x485; ++ fiat_secp384r1_uint1 x486; ++ uint32_t x487; ++ fiat_secp384r1_uint1 x488; ++ uint32_t x489; ++ fiat_secp384r1_uint1 x490; ++ uint32_t x491; ++ fiat_secp384r1_uint1 x492; ++ uint32_t x493; ++ fiat_secp384r1_uint1 x494; ++ uint32_t x495; ++ fiat_secp384r1_uint1 x496; ++ uint32_t x497; ++ fiat_secp384r1_uint1 x498; ++ uint32_t x499; ++ fiat_secp384r1_uint1 x500; ++ uint32_t x501; ++ uint32_t x502; ++ uint32_t x503; ++ uint32_t x504; ++ uint32_t x505; ++ uint32_t x506; ++ uint32_t x507; ++ uint32_t x508; ++ uint32_t x509; ++ uint32_t x510; ++ uint32_t x511; ++ uint32_t x512; ++ uint32_t x513; ++ uint32_t x514; ++ uint32_t x515; ++ uint32_t x516; ++ uint32_t x517; ++ uint32_t x518; ++ uint32_t x519; ++ uint32_t x520; ++ uint32_t x521; ++ fiat_secp384r1_uint1 x522; ++ uint32_t x523; ++ fiat_secp384r1_uint1 x524; ++ uint32_t x525; ++ fiat_secp384r1_uint1 x526; ++ uint32_t x527; ++ fiat_secp384r1_uint1 x528; ++ uint32_t x529; ++ fiat_secp384r1_uint1 x530; ++ uint32_t x531; ++ fiat_secp384r1_uint1 x532; ++ uint32_t x533; ++ fiat_secp384r1_uint1 x534; ++ uint32_t x535; ++ fiat_secp384r1_uint1 x536; ++ uint32_t x537; ++ fiat_secp384r1_uint1 x538; ++ uint32_t x539; ++ fiat_secp384r1_uint1 x540; ++ uint32_t x541; ++ fiat_secp384r1_uint1 x542; ++ uint32_t x543; ++ fiat_secp384r1_uint1 x544; ++ uint32_t x545; ++ fiat_secp384r1_uint1 x546; ++ uint32_t x547; ++ fiat_secp384r1_uint1 x548; ++ uint32_t x549; ++ fiat_secp384r1_uint1 x550; ++ uint32_t x551; ++ fiat_secp384r1_uint1 x552; ++ uint32_t x553; ++ fiat_secp384r1_uint1 x554; ++ uint32_t x555; ++ fiat_secp384r1_uint1 x556; ++ uint32_t x557; ++ fiat_secp384r1_uint1 x558; ++ uint32_t x559; ++ fiat_secp384r1_uint1 x560; ++ uint32_t x561; ++ fiat_secp384r1_uint1 x562; ++ uint32_t x563; ++ uint32_t x564; ++ uint32_t x565; ++ uint32_t x566; ++ uint32_t x567; ++ uint32_t x568; ++ uint32_t x569; ++ uint32_t x570; ++ uint32_t x571; ++ fiat_secp384r1_uint1 x572; ++ uint32_t x573; ++ fiat_secp384r1_uint1 x574; ++ uint32_t x575; ++ fiat_secp384r1_uint1 x576; ++ uint32_t x577; ++ fiat_secp384r1_uint1 x578; ++ uint32_t x579; ++ fiat_secp384r1_uint1 x580; ++ uint32_t x581; ++ fiat_secp384r1_uint1 x582; ++ uint32_t x583; ++ fiat_secp384r1_uint1 x584; ++ uint32_t x585; ++ fiat_secp384r1_uint1 x586; ++ uint32_t x587; ++ fiat_secp384r1_uint1 x588; ++ uint32_t x589; ++ fiat_secp384r1_uint1 x590; ++ uint32_t x591; ++ fiat_secp384r1_uint1 x592; ++ uint32_t x593; ++ fiat_secp384r1_uint1 x594; ++ uint32_t x595; ++ fiat_secp384r1_uint1 x596; ++ uint32_t x597; ++ uint32_t x598; ++ uint32_t x599; ++ uint32_t x600; ++ uint32_t x601; ++ uint32_t x602; ++ uint32_t x603; ++ uint32_t x604; ++ uint32_t x605; ++ uint32_t x606; ++ uint32_t x607; ++ uint32_t x608; ++ uint32_t x609; ++ uint32_t x610; ++ uint32_t x611; ++ uint32_t x612; ++ uint32_t x613; ++ uint32_t x614; ++ uint32_t x615; ++ uint32_t x616; ++ uint32_t x617; ++ fiat_secp384r1_uint1 x618; ++ uint32_t x619; ++ fiat_secp384r1_uint1 x620; ++ uint32_t x621; ++ fiat_secp384r1_uint1 x622; ++ uint32_t x623; ++ fiat_secp384r1_uint1 x624; ++ uint32_t x625; ++ fiat_secp384r1_uint1 x626; ++ uint32_t x627; ++ fiat_secp384r1_uint1 x628; ++ uint32_t x629; ++ fiat_secp384r1_uint1 x630; ++ uint32_t x631; ++ fiat_secp384r1_uint1 x632; ++ uint32_t x633; ++ fiat_secp384r1_uint1 x634; ++ uint32_t x635; ++ fiat_secp384r1_uint1 x636; ++ uint32_t x637; ++ fiat_secp384r1_uint1 x638; ++ uint32_t x639; ++ fiat_secp384r1_uint1 x640; ++ uint32_t x641; ++ fiat_secp384r1_uint1 x642; ++ uint32_t x643; ++ fiat_secp384r1_uint1 x644; ++ uint32_t x645; ++ fiat_secp384r1_uint1 x646; ++ uint32_t x647; ++ fiat_secp384r1_uint1 x648; ++ uint32_t x649; ++ fiat_secp384r1_uint1 x650; ++ uint32_t x651; ++ fiat_secp384r1_uint1 x652; ++ uint32_t x653; ++ fiat_secp384r1_uint1 x654; ++ uint32_t x655; ++ fiat_secp384r1_uint1 x656; ++ uint32_t x657; ++ fiat_secp384r1_uint1 x658; ++ uint32_t x659; ++ uint32_t x660; ++ uint32_t x661; ++ uint32_t x662; ++ uint32_t x663; ++ uint32_t x664; ++ uint32_t x665; ++ uint32_t x666; ++ uint32_t x667; ++ fiat_secp384r1_uint1 x668; ++ uint32_t x669; ++ fiat_secp384r1_uint1 x670; ++ uint32_t x671; ++ fiat_secp384r1_uint1 x672; ++ uint32_t x673; ++ fiat_secp384r1_uint1 x674; ++ uint32_t x675; ++ fiat_secp384r1_uint1 x676; ++ uint32_t x677; ++ fiat_secp384r1_uint1 x678; ++ uint32_t x679; ++ fiat_secp384r1_uint1 x680; ++ uint32_t x681; ++ fiat_secp384r1_uint1 x682; ++ uint32_t x683; ++ fiat_secp384r1_uint1 x684; ++ uint32_t x685; ++ fiat_secp384r1_uint1 x686; ++ uint32_t x687; ++ fiat_secp384r1_uint1 x688; ++ uint32_t x689; ++ fiat_secp384r1_uint1 x690; ++ uint32_t x691; ++ fiat_secp384r1_uint1 x692; ++ uint32_t x693; ++ uint32_t x694; ++ uint32_t x695; ++ uint32_t x696; ++ uint32_t x697; ++ uint32_t x698; ++ uint32_t x699; ++ uint32_t x700; ++ uint32_t x701; ++ uint32_t x702; ++ uint32_t x703; ++ uint32_t x704; ++ uint32_t x705; ++ uint32_t x706; ++ uint32_t x707; ++ uint32_t x708; ++ uint32_t x709; ++ uint32_t x710; ++ uint32_t x711; ++ uint32_t x712; ++ uint32_t x713; ++ fiat_secp384r1_uint1 x714; ++ uint32_t x715; ++ fiat_secp384r1_uint1 x716; ++ uint32_t x717; ++ fiat_secp384r1_uint1 x718; ++ uint32_t x719; ++ fiat_secp384r1_uint1 x720; ++ uint32_t x721; ++ fiat_secp384r1_uint1 x722; ++ uint32_t x723; ++ fiat_secp384r1_uint1 x724; ++ uint32_t x725; ++ fiat_secp384r1_uint1 x726; ++ uint32_t x727; ++ fiat_secp384r1_uint1 x728; ++ uint32_t x729; ++ fiat_secp384r1_uint1 x730; ++ uint32_t x731; ++ fiat_secp384r1_uint1 x732; ++ uint32_t x733; ++ fiat_secp384r1_uint1 x734; ++ uint32_t x735; ++ fiat_secp384r1_uint1 x736; ++ uint32_t x737; ++ fiat_secp384r1_uint1 x738; ++ uint32_t x739; ++ fiat_secp384r1_uint1 x740; ++ uint32_t x741; ++ fiat_secp384r1_uint1 x742; ++ uint32_t x743; ++ fiat_secp384r1_uint1 x744; ++ uint32_t x745; ++ fiat_secp384r1_uint1 x746; ++ uint32_t x747; ++ fiat_secp384r1_uint1 x748; ++ uint32_t x749; ++ fiat_secp384r1_uint1 x750; ++ uint32_t x751; ++ fiat_secp384r1_uint1 x752; ++ uint32_t x753; ++ fiat_secp384r1_uint1 x754; ++ uint32_t x755; ++ uint32_t x756; ++ uint32_t x757; ++ uint32_t x758; ++ uint32_t x759; ++ uint32_t x760; ++ uint32_t x761; ++ uint32_t x762; ++ uint32_t x763; ++ fiat_secp384r1_uint1 x764; ++ uint32_t x765; ++ fiat_secp384r1_uint1 x766; ++ uint32_t x767; ++ fiat_secp384r1_uint1 x768; ++ uint32_t x769; ++ fiat_secp384r1_uint1 x770; ++ uint32_t x771; ++ fiat_secp384r1_uint1 x772; ++ uint32_t x773; ++ fiat_secp384r1_uint1 x774; ++ uint32_t x775; ++ fiat_secp384r1_uint1 x776; ++ uint32_t x777; ++ fiat_secp384r1_uint1 x778; ++ uint32_t x779; ++ fiat_secp384r1_uint1 x780; ++ uint32_t x781; ++ fiat_secp384r1_uint1 x782; ++ uint32_t x783; ++ fiat_secp384r1_uint1 x784; ++ uint32_t x785; ++ fiat_secp384r1_uint1 x786; ++ uint32_t x787; ++ fiat_secp384r1_uint1 x788; ++ uint32_t x789; ++ uint32_t x790; ++ uint32_t x791; ++ uint32_t x792; ++ uint32_t x793; ++ uint32_t x794; ++ uint32_t x795; ++ uint32_t x796; ++ uint32_t x797; ++ uint32_t x798; ++ uint32_t x799; ++ uint32_t x800; ++ uint32_t x801; ++ uint32_t x802; ++ uint32_t x803; ++ uint32_t x804; ++ uint32_t x805; ++ uint32_t x806; ++ uint32_t x807; ++ uint32_t x808; ++ uint32_t x809; ++ fiat_secp384r1_uint1 x810; ++ uint32_t x811; ++ fiat_secp384r1_uint1 x812; ++ uint32_t x813; ++ fiat_secp384r1_uint1 x814; ++ uint32_t x815; ++ fiat_secp384r1_uint1 x816; ++ uint32_t x817; ++ fiat_secp384r1_uint1 x818; ++ uint32_t x819; ++ fiat_secp384r1_uint1 x820; ++ uint32_t x821; ++ fiat_secp384r1_uint1 x822; ++ uint32_t x823; ++ fiat_secp384r1_uint1 x824; ++ uint32_t x825; ++ fiat_secp384r1_uint1 x826; ++ uint32_t x827; ++ fiat_secp384r1_uint1 x828; ++ uint32_t x829; ++ fiat_secp384r1_uint1 x830; ++ uint32_t x831; ++ fiat_secp384r1_uint1 x832; ++ uint32_t x833; ++ fiat_secp384r1_uint1 x834; ++ uint32_t x835; ++ fiat_secp384r1_uint1 x836; ++ uint32_t x837; ++ fiat_secp384r1_uint1 x838; ++ uint32_t x839; ++ fiat_secp384r1_uint1 x840; ++ uint32_t x841; ++ fiat_secp384r1_uint1 x842; ++ uint32_t x843; ++ fiat_secp384r1_uint1 x844; ++ uint32_t x845; ++ fiat_secp384r1_uint1 x846; ++ uint32_t x847; ++ fiat_secp384r1_uint1 x848; ++ uint32_t x849; ++ fiat_secp384r1_uint1 x850; ++ uint32_t x851; ++ uint32_t x852; ++ uint32_t x853; ++ uint32_t x854; ++ uint32_t x855; ++ uint32_t x856; ++ uint32_t x857; ++ uint32_t x858; ++ uint32_t x859; ++ fiat_secp384r1_uint1 x860; ++ uint32_t x861; ++ fiat_secp384r1_uint1 x862; ++ uint32_t x863; ++ fiat_secp384r1_uint1 x864; ++ uint32_t x865; ++ fiat_secp384r1_uint1 x866; ++ uint32_t x867; ++ fiat_secp384r1_uint1 x868; ++ uint32_t x869; ++ fiat_secp384r1_uint1 x870; ++ uint32_t x871; ++ fiat_secp384r1_uint1 x872; ++ uint32_t x873; ++ fiat_secp384r1_uint1 x874; ++ uint32_t x875; ++ fiat_secp384r1_uint1 x876; ++ uint32_t x877; ++ fiat_secp384r1_uint1 x878; ++ uint32_t x879; ++ fiat_secp384r1_uint1 x880; ++ uint32_t x881; ++ fiat_secp384r1_uint1 x882; ++ uint32_t x883; ++ fiat_secp384r1_uint1 x884; ++ uint32_t x885; ++ uint32_t x886; ++ uint32_t x887; ++ uint32_t x888; ++ uint32_t x889; ++ uint32_t x890; ++ uint32_t x891; ++ uint32_t x892; ++ uint32_t x893; ++ uint32_t x894; ++ uint32_t x895; ++ uint32_t x896; ++ uint32_t x897; ++ uint32_t x898; ++ uint32_t x899; ++ uint32_t x900; ++ uint32_t x901; ++ uint32_t x902; ++ uint32_t x903; ++ uint32_t x904; ++ uint32_t x905; ++ fiat_secp384r1_uint1 x906; ++ uint32_t x907; ++ fiat_secp384r1_uint1 x908; ++ uint32_t x909; ++ fiat_secp384r1_uint1 x910; ++ uint32_t x911; ++ fiat_secp384r1_uint1 x912; ++ uint32_t x913; ++ fiat_secp384r1_uint1 x914; ++ uint32_t x915; ++ fiat_secp384r1_uint1 x916; ++ uint32_t x917; ++ fiat_secp384r1_uint1 x918; ++ uint32_t x919; ++ fiat_secp384r1_uint1 x920; ++ uint32_t x921; ++ fiat_secp384r1_uint1 x922; ++ uint32_t x923; ++ fiat_secp384r1_uint1 x924; ++ uint32_t x925; ++ fiat_secp384r1_uint1 x926; ++ uint32_t x927; ++ fiat_secp384r1_uint1 x928; ++ uint32_t x929; ++ fiat_secp384r1_uint1 x930; ++ uint32_t x931; ++ fiat_secp384r1_uint1 x932; ++ uint32_t x933; ++ fiat_secp384r1_uint1 x934; ++ uint32_t x935; ++ fiat_secp384r1_uint1 x936; ++ uint32_t x937; ++ fiat_secp384r1_uint1 x938; ++ uint32_t x939; ++ fiat_secp384r1_uint1 x940; ++ uint32_t x941; ++ fiat_secp384r1_uint1 x942; ++ uint32_t x943; ++ fiat_secp384r1_uint1 x944; ++ uint32_t x945; ++ fiat_secp384r1_uint1 x946; ++ uint32_t x947; ++ uint32_t x948; ++ uint32_t x949; ++ uint32_t x950; ++ uint32_t x951; ++ uint32_t x952; ++ uint32_t x953; ++ uint32_t x954; ++ uint32_t x955; ++ fiat_secp384r1_uint1 x956; ++ uint32_t x957; ++ fiat_secp384r1_uint1 x958; ++ uint32_t x959; ++ fiat_secp384r1_uint1 x960; ++ uint32_t x961; ++ fiat_secp384r1_uint1 x962; ++ uint32_t x963; ++ fiat_secp384r1_uint1 x964; ++ uint32_t x965; ++ fiat_secp384r1_uint1 x966; ++ uint32_t x967; ++ fiat_secp384r1_uint1 x968; ++ uint32_t x969; ++ fiat_secp384r1_uint1 x970; ++ uint32_t x971; ++ fiat_secp384r1_uint1 x972; ++ uint32_t x973; ++ fiat_secp384r1_uint1 x974; ++ uint32_t x975; ++ fiat_secp384r1_uint1 x976; ++ uint32_t x977; ++ fiat_secp384r1_uint1 x978; ++ uint32_t x979; ++ fiat_secp384r1_uint1 x980; ++ uint32_t x981; ++ uint32_t x982; ++ uint32_t x983; ++ uint32_t x984; ++ uint32_t x985; ++ uint32_t x986; ++ uint32_t x987; ++ uint32_t x988; ++ uint32_t x989; ++ uint32_t x990; ++ uint32_t x991; ++ uint32_t x992; ++ uint32_t x993; ++ uint32_t x994; ++ uint32_t x995; ++ uint32_t x996; ++ uint32_t x997; ++ uint32_t x998; ++ uint32_t x999; ++ uint32_t x1000; ++ uint32_t x1001; ++ fiat_secp384r1_uint1 x1002; ++ uint32_t x1003; ++ fiat_secp384r1_uint1 x1004; ++ uint32_t x1005; ++ fiat_secp384r1_uint1 x1006; ++ uint32_t x1007; ++ fiat_secp384r1_uint1 x1008; ++ uint32_t x1009; ++ fiat_secp384r1_uint1 x1010; ++ uint32_t x1011; ++ fiat_secp384r1_uint1 x1012; ++ uint32_t x1013; ++ fiat_secp384r1_uint1 x1014; ++ uint32_t x1015; ++ fiat_secp384r1_uint1 x1016; ++ uint32_t x1017; ++ fiat_secp384r1_uint1 x1018; ++ uint32_t x1019; ++ fiat_secp384r1_uint1 x1020; ++ uint32_t x1021; ++ fiat_secp384r1_uint1 x1022; ++ uint32_t x1023; ++ fiat_secp384r1_uint1 x1024; ++ uint32_t x1025; ++ fiat_secp384r1_uint1 x1026; ++ uint32_t x1027; ++ fiat_secp384r1_uint1 x1028; ++ uint32_t x1029; ++ fiat_secp384r1_uint1 x1030; ++ uint32_t x1031; ++ fiat_secp384r1_uint1 x1032; ++ uint32_t x1033; ++ fiat_secp384r1_uint1 x1034; ++ uint32_t x1035; ++ fiat_secp384r1_uint1 x1036; ++ uint32_t x1037; ++ fiat_secp384r1_uint1 x1038; ++ uint32_t x1039; ++ fiat_secp384r1_uint1 x1040; ++ uint32_t x1041; ++ fiat_secp384r1_uint1 x1042; ++ uint32_t x1043; ++ uint32_t x1044; ++ uint32_t x1045; ++ uint32_t x1046; ++ uint32_t x1047; ++ uint32_t x1048; ++ uint32_t x1049; ++ uint32_t x1050; ++ uint32_t x1051; ++ fiat_secp384r1_uint1 x1052; ++ uint32_t x1053; ++ fiat_secp384r1_uint1 x1054; ++ uint32_t x1055; ++ fiat_secp384r1_uint1 x1056; ++ uint32_t x1057; ++ fiat_secp384r1_uint1 x1058; ++ uint32_t x1059; ++ fiat_secp384r1_uint1 x1060; ++ uint32_t x1061; ++ fiat_secp384r1_uint1 x1062; ++ uint32_t x1063; ++ fiat_secp384r1_uint1 x1064; ++ uint32_t x1065; ++ fiat_secp384r1_uint1 x1066; ++ uint32_t x1067; ++ fiat_secp384r1_uint1 x1068; ++ uint32_t x1069; ++ fiat_secp384r1_uint1 x1070; ++ uint32_t x1071; ++ fiat_secp384r1_uint1 x1072; ++ uint32_t x1073; ++ fiat_secp384r1_uint1 x1074; ++ uint32_t x1075; ++ fiat_secp384r1_uint1 x1076; ++ uint32_t x1077; ++ uint32_t x1078; ++ uint32_t x1079; ++ uint32_t x1080; ++ uint32_t x1081; ++ uint32_t x1082; ++ uint32_t x1083; ++ uint32_t x1084; ++ uint32_t x1085; ++ uint32_t x1086; ++ uint32_t x1087; ++ uint32_t x1088; ++ uint32_t x1089; ++ uint32_t x1090; ++ uint32_t x1091; ++ uint32_t x1092; ++ uint32_t x1093; ++ uint32_t x1094; ++ uint32_t x1095; ++ uint32_t x1096; ++ uint32_t x1097; ++ fiat_secp384r1_uint1 x1098; ++ uint32_t x1099; ++ fiat_secp384r1_uint1 x1100; ++ uint32_t x1101; ++ fiat_secp384r1_uint1 x1102; ++ uint32_t x1103; ++ fiat_secp384r1_uint1 x1104; ++ uint32_t x1105; ++ fiat_secp384r1_uint1 x1106; ++ uint32_t x1107; ++ fiat_secp384r1_uint1 x1108; ++ uint32_t x1109; ++ fiat_secp384r1_uint1 x1110; ++ uint32_t x1111; ++ fiat_secp384r1_uint1 x1112; ++ uint32_t x1113; ++ fiat_secp384r1_uint1 x1114; ++ uint32_t x1115; ++ fiat_secp384r1_uint1 x1116; ++ uint32_t x1117; ++ fiat_secp384r1_uint1 x1118; ++ uint32_t x1119; ++ fiat_secp384r1_uint1 x1120; ++ uint32_t x1121; ++ fiat_secp384r1_uint1 x1122; ++ uint32_t x1123; ++ fiat_secp384r1_uint1 x1124; ++ uint32_t x1125; ++ fiat_secp384r1_uint1 x1126; ++ uint32_t x1127; ++ fiat_secp384r1_uint1 x1128; ++ uint32_t x1129; ++ fiat_secp384r1_uint1 x1130; ++ uint32_t x1131; ++ fiat_secp384r1_uint1 x1132; ++ uint32_t x1133; ++ fiat_secp384r1_uint1 x1134; ++ uint32_t x1135; ++ fiat_secp384r1_uint1 x1136; ++ uint32_t x1137; ++ fiat_secp384r1_uint1 x1138; ++ uint32_t x1139; ++ fiat_secp384r1_uint1 x1140; ++ uint32_t x1141; ++ fiat_secp384r1_uint1 x1142; ++ uint32_t x1143; ++ fiat_secp384r1_uint1 x1144; ++ uint32_t x1145; ++ fiat_secp384r1_uint1 x1146; ++ uint32_t x1147; ++ fiat_secp384r1_uint1 x1148; ++ uint32_t x1149; ++ fiat_secp384r1_uint1 x1150; ++ uint32_t x1151; ++ fiat_secp384r1_uint1 x1152; ++ uint32_t x1153; ++ fiat_secp384r1_uint1 x1154; ++ uint32_t x1155; ++ fiat_secp384r1_uint1 x1156; ++ uint32_t x1157; ++ fiat_secp384r1_uint1 x1158; ++ uint32_t x1159; ++ fiat_secp384r1_uint1 x1160; ++ uint32_t x1161; ++ fiat_secp384r1_uint1 x1162; ++ uint32_t x1163; ++ fiat_secp384r1_uint1 x1164; ++ uint32_t x1165; ++ uint32_t x1166; ++ uint32_t x1167; ++ uint32_t x1168; ++ uint32_t x1169; ++ uint32_t x1170; ++ uint32_t x1171; ++ uint32_t x1172; ++ uint32_t x1173; ++ uint32_t x1174; ++ uint32_t x1175; ++ uint32_t x1176; ++ x1 = (arg1[1]); ++ x2 = (arg1[2]); ++ x3 = (arg1[3]); ++ x4 = (arg1[4]); ++ x5 = (arg1[5]); ++ x6 = (arg1[6]); ++ x7 = (arg1[7]); ++ x8 = (arg1[8]); ++ x9 = (arg1[9]); ++ x10 = (arg1[10]); ++ x11 = (arg1[11]); ++ x12 = (arg1[0]); ++ fiat_secp384r1_mulx_u32(&x13, &x14, x12, 0x2); ++ fiat_secp384r1_mulx_u32(&x15, &x16, x12, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x17, &x18, x12, 0x2); ++ fiat_secp384r1_mulx_u32(&x19, &x20, x12, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x21, &x22, 0x0, (fiat_secp384r1_uint1)x14, ++ x12); ++ fiat_secp384r1_mulx_u32(&x23, &x24, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x25, &x26, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x27, &x28, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x29, &x30, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x31, &x32, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x33, &x34, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x35, &x36, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x37, &x38, x12, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x39, &x40, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x41, &x42, x12, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x43, &x44, 0x0, x40, x37); ++ fiat_secp384r1_addcarryx_u32(&x45, &x46, x44, x38, x35); ++ fiat_secp384r1_addcarryx_u32(&x47, &x48, x46, x36, x33); ++ fiat_secp384r1_addcarryx_u32(&x49, &x50, x48, x34, x31); ++ fiat_secp384r1_addcarryx_u32(&x51, &x52, x50, x32, x29); ++ fiat_secp384r1_addcarryx_u32(&x53, &x54, x52, x30, x27); ++ fiat_secp384r1_addcarryx_u32(&x55, &x56, x54, x28, x25); ++ fiat_secp384r1_addcarryx_u32(&x57, &x58, x56, x26, x23); ++ fiat_secp384r1_addcarryx_u32(&x59, &x60, 0x0, x12, x41); ++ fiat_secp384r1_addcarryx_u32(&x61, &x62, x60, x19, x42); ++ fiat_secp384r1_addcarryx_u32(&x63, &x64, 0x0, x17, x39); ++ fiat_secp384r1_addcarryx_u32(&x65, &x66, x64, (fiat_secp384r1_uint1)x18, ++ x43); ++ fiat_secp384r1_addcarryx_u32(&x67, &x68, x66, x15, x45); ++ fiat_secp384r1_addcarryx_u32(&x69, &x70, x68, x16, x47); ++ fiat_secp384r1_addcarryx_u32(&x71, &x72, x70, x13, x49); ++ fiat_secp384r1_addcarryx_u32(&x73, &x74, x72, x21, x51); ++ fiat_secp384r1_addcarryx_u32(&x75, &x76, x74, x22, x53); ++ fiat_secp384r1_addcarryx_u32(&x77, &x78, x76, 0x0, x55); ++ fiat_secp384r1_addcarryx_u32(&x79, &x80, x78, 0x0, x57); ++ fiat_secp384r1_addcarryx_u32(&x81, &x82, x80, 0x0, (x58 + x24)); ++ fiat_secp384r1_mulx_u32(&x83, &x84, x1, 0x2); ++ fiat_secp384r1_mulx_u32(&x85, &x86, x1, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x87, &x88, x1, 0x2); ++ fiat_secp384r1_mulx_u32(&x89, &x90, x1, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x91, &x92, 0x0, (fiat_secp384r1_uint1)x84, ++ x1); ++ fiat_secp384r1_addcarryx_u32(&x93, &x94, 0x0, x61, x1); ++ fiat_secp384r1_addcarryx_u32(&x95, &x96, x94, (x62 + x20), x89); ++ fiat_secp384r1_addcarryx_u32(&x97, &x98, x96, x63, x90); ++ fiat_secp384r1_addcarryx_u32(&x99, &x100, x98, x65, x87); ++ fiat_secp384r1_addcarryx_u32(&x101, &x102, x100, x67, ++ (fiat_secp384r1_uint1)x88); ++ fiat_secp384r1_addcarryx_u32(&x103, &x104, x102, x69, x85); ++ fiat_secp384r1_addcarryx_u32(&x105, &x106, x104, x71, x86); ++ fiat_secp384r1_addcarryx_u32(&x107, &x108, x106, x73, x83); ++ fiat_secp384r1_addcarryx_u32(&x109, &x110, x108, x75, x91); ++ fiat_secp384r1_addcarryx_u32(&x111, &x112, x110, x77, x92); ++ fiat_secp384r1_addcarryx_u32(&x113, &x114, x112, x79, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x115, &x116, x114, x81, 0x0); ++ fiat_secp384r1_mulx_u32(&x117, &x118, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x119, &x120, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x121, &x122, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x123, &x124, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x125, &x126, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x127, &x128, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x129, &x130, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x131, &x132, x93, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x133, &x134, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x135, &x136, x93, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x137, &x138, 0x0, x134, x131); ++ fiat_secp384r1_addcarryx_u32(&x139, &x140, x138, x132, x129); ++ fiat_secp384r1_addcarryx_u32(&x141, &x142, x140, x130, x127); ++ fiat_secp384r1_addcarryx_u32(&x143, &x144, x142, x128, x125); ++ fiat_secp384r1_addcarryx_u32(&x145, &x146, x144, x126, x123); ++ fiat_secp384r1_addcarryx_u32(&x147, &x148, x146, x124, x121); ++ fiat_secp384r1_addcarryx_u32(&x149, &x150, x148, x122, x119); ++ fiat_secp384r1_addcarryx_u32(&x151, &x152, x150, x120, x117); ++ fiat_secp384r1_addcarryx_u32(&x153, &x154, 0x0, x93, x135); ++ fiat_secp384r1_addcarryx_u32(&x155, &x156, x154, x95, x136); ++ fiat_secp384r1_addcarryx_u32(&x157, &x158, x156, x97, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x159, &x160, x158, x99, x133); ++ fiat_secp384r1_addcarryx_u32(&x161, &x162, x160, x101, x137); ++ fiat_secp384r1_addcarryx_u32(&x163, &x164, x162, x103, x139); ++ fiat_secp384r1_addcarryx_u32(&x165, &x166, x164, x105, x141); ++ fiat_secp384r1_addcarryx_u32(&x167, &x168, x166, x107, x143); ++ fiat_secp384r1_addcarryx_u32(&x169, &x170, x168, x109, x145); ++ fiat_secp384r1_addcarryx_u32(&x171, &x172, x170, x111, x147); ++ fiat_secp384r1_addcarryx_u32(&x173, &x174, x172, x113, x149); ++ fiat_secp384r1_addcarryx_u32(&x175, &x176, x174, x115, x151); ++ fiat_secp384r1_addcarryx_u32(&x177, &x178, x176, ((uint32_t)x116 + x82), ++ (x152 + x118)); ++ fiat_secp384r1_mulx_u32(&x179, &x180, x2, 0x2); ++ fiat_secp384r1_mulx_u32(&x181, &x182, x2, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x183, &x184, x2, 0x2); ++ fiat_secp384r1_mulx_u32(&x185, &x186, x2, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x187, &x188, 0x0, (fiat_secp384r1_uint1)x180, ++ x2); ++ fiat_secp384r1_addcarryx_u32(&x189, &x190, 0x0, x155, x2); ++ fiat_secp384r1_addcarryx_u32(&x191, &x192, x190, x157, x185); ++ fiat_secp384r1_addcarryx_u32(&x193, &x194, x192, x159, x186); ++ fiat_secp384r1_addcarryx_u32(&x195, &x196, x194, x161, x183); ++ fiat_secp384r1_addcarryx_u32(&x197, &x198, x196, x163, ++ (fiat_secp384r1_uint1)x184); ++ fiat_secp384r1_addcarryx_u32(&x199, &x200, x198, x165, x181); ++ fiat_secp384r1_addcarryx_u32(&x201, &x202, x200, x167, x182); ++ fiat_secp384r1_addcarryx_u32(&x203, &x204, x202, x169, x179); ++ fiat_secp384r1_addcarryx_u32(&x205, &x206, x204, x171, x187); ++ fiat_secp384r1_addcarryx_u32(&x207, &x208, x206, x173, x188); ++ fiat_secp384r1_addcarryx_u32(&x209, &x210, x208, x175, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x211, &x212, x210, x177, 0x0); ++ fiat_secp384r1_mulx_u32(&x213, &x214, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x215, &x216, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x217, &x218, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x219, &x220, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x221, &x222, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x223, &x224, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x225, &x226, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x227, &x228, x189, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x229, &x230, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x231, &x232, x189, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x233, &x234, 0x0, x230, x227); ++ fiat_secp384r1_addcarryx_u32(&x235, &x236, x234, x228, x225); ++ fiat_secp384r1_addcarryx_u32(&x237, &x238, x236, x226, x223); ++ fiat_secp384r1_addcarryx_u32(&x239, &x240, x238, x224, x221); ++ fiat_secp384r1_addcarryx_u32(&x241, &x242, x240, x222, x219); ++ fiat_secp384r1_addcarryx_u32(&x243, &x244, x242, x220, x217); ++ fiat_secp384r1_addcarryx_u32(&x245, &x246, x244, x218, x215); ++ fiat_secp384r1_addcarryx_u32(&x247, &x248, x246, x216, x213); ++ fiat_secp384r1_addcarryx_u32(&x249, &x250, 0x0, x189, x231); ++ fiat_secp384r1_addcarryx_u32(&x251, &x252, x250, x191, x232); ++ fiat_secp384r1_addcarryx_u32(&x253, &x254, x252, x193, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x255, &x256, x254, x195, x229); ++ fiat_secp384r1_addcarryx_u32(&x257, &x258, x256, x197, x233); ++ fiat_secp384r1_addcarryx_u32(&x259, &x260, x258, x199, x235); ++ fiat_secp384r1_addcarryx_u32(&x261, &x262, x260, x201, x237); ++ fiat_secp384r1_addcarryx_u32(&x263, &x264, x262, x203, x239); ++ fiat_secp384r1_addcarryx_u32(&x265, &x266, x264, x205, x241); ++ fiat_secp384r1_addcarryx_u32(&x267, &x268, x266, x207, x243); ++ fiat_secp384r1_addcarryx_u32(&x269, &x270, x268, x209, x245); ++ fiat_secp384r1_addcarryx_u32(&x271, &x272, x270, x211, x247); ++ fiat_secp384r1_addcarryx_u32(&x273, &x274, x272, ((uint32_t)x212 + x178), ++ (x248 + x214)); ++ fiat_secp384r1_mulx_u32(&x275, &x276, x3, 0x2); ++ fiat_secp384r1_mulx_u32(&x277, &x278, x3, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x279, &x280, x3, 0x2); ++ fiat_secp384r1_mulx_u32(&x281, &x282, x3, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x283, &x284, 0x0, (fiat_secp384r1_uint1)x276, ++ x3); ++ fiat_secp384r1_addcarryx_u32(&x285, &x286, 0x0, x251, x3); ++ fiat_secp384r1_addcarryx_u32(&x287, &x288, x286, x253, x281); ++ fiat_secp384r1_addcarryx_u32(&x289, &x290, x288, x255, x282); ++ fiat_secp384r1_addcarryx_u32(&x291, &x292, x290, x257, x279); ++ fiat_secp384r1_addcarryx_u32(&x293, &x294, x292, x259, ++ (fiat_secp384r1_uint1)x280); ++ fiat_secp384r1_addcarryx_u32(&x295, &x296, x294, x261, x277); ++ fiat_secp384r1_addcarryx_u32(&x297, &x298, x296, x263, x278); ++ fiat_secp384r1_addcarryx_u32(&x299, &x300, x298, x265, x275); ++ fiat_secp384r1_addcarryx_u32(&x301, &x302, x300, x267, x283); ++ fiat_secp384r1_addcarryx_u32(&x303, &x304, x302, x269, x284); ++ fiat_secp384r1_addcarryx_u32(&x305, &x306, x304, x271, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x307, &x308, x306, x273, 0x0); ++ fiat_secp384r1_mulx_u32(&x309, &x310, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x311, &x312, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x313, &x314, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x315, &x316, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x317, &x318, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x319, &x320, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x321, &x322, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x323, &x324, x285, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x325, &x326, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x327, &x328, x285, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x329, &x330, 0x0, x326, x323); ++ fiat_secp384r1_addcarryx_u32(&x331, &x332, x330, x324, x321); ++ fiat_secp384r1_addcarryx_u32(&x333, &x334, x332, x322, x319); ++ fiat_secp384r1_addcarryx_u32(&x335, &x336, x334, x320, x317); ++ fiat_secp384r1_addcarryx_u32(&x337, &x338, x336, x318, x315); ++ fiat_secp384r1_addcarryx_u32(&x339, &x340, x338, x316, x313); ++ fiat_secp384r1_addcarryx_u32(&x341, &x342, x340, x314, x311); ++ fiat_secp384r1_addcarryx_u32(&x343, &x344, x342, x312, x309); ++ fiat_secp384r1_addcarryx_u32(&x345, &x346, 0x0, x285, x327); ++ fiat_secp384r1_addcarryx_u32(&x347, &x348, x346, x287, x328); ++ fiat_secp384r1_addcarryx_u32(&x349, &x350, x348, x289, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x351, &x352, x350, x291, x325); ++ fiat_secp384r1_addcarryx_u32(&x353, &x354, x352, x293, x329); ++ fiat_secp384r1_addcarryx_u32(&x355, &x356, x354, x295, x331); ++ fiat_secp384r1_addcarryx_u32(&x357, &x358, x356, x297, x333); ++ fiat_secp384r1_addcarryx_u32(&x359, &x360, x358, x299, x335); ++ fiat_secp384r1_addcarryx_u32(&x361, &x362, x360, x301, x337); ++ fiat_secp384r1_addcarryx_u32(&x363, &x364, x362, x303, x339); ++ fiat_secp384r1_addcarryx_u32(&x365, &x366, x364, x305, x341); ++ fiat_secp384r1_addcarryx_u32(&x367, &x368, x366, x307, x343); ++ fiat_secp384r1_addcarryx_u32(&x369, &x370, x368, ((uint32_t)x308 + x274), ++ (x344 + x310)); ++ fiat_secp384r1_mulx_u32(&x371, &x372, x4, 0x2); ++ fiat_secp384r1_mulx_u32(&x373, &x374, x4, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x375, &x376, x4, 0x2); ++ fiat_secp384r1_mulx_u32(&x377, &x378, x4, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x379, &x380, 0x0, (fiat_secp384r1_uint1)x372, ++ x4); ++ fiat_secp384r1_addcarryx_u32(&x381, &x382, 0x0, x347, x4); ++ fiat_secp384r1_addcarryx_u32(&x383, &x384, x382, x349, x377); ++ fiat_secp384r1_addcarryx_u32(&x385, &x386, x384, x351, x378); ++ fiat_secp384r1_addcarryx_u32(&x387, &x388, x386, x353, x375); ++ fiat_secp384r1_addcarryx_u32(&x389, &x390, x388, x355, ++ (fiat_secp384r1_uint1)x376); ++ fiat_secp384r1_addcarryx_u32(&x391, &x392, x390, x357, x373); ++ fiat_secp384r1_addcarryx_u32(&x393, &x394, x392, x359, x374); ++ fiat_secp384r1_addcarryx_u32(&x395, &x396, x394, x361, x371); ++ fiat_secp384r1_addcarryx_u32(&x397, &x398, x396, x363, x379); ++ fiat_secp384r1_addcarryx_u32(&x399, &x400, x398, x365, x380); ++ fiat_secp384r1_addcarryx_u32(&x401, &x402, x400, x367, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x403, &x404, x402, x369, 0x0); ++ fiat_secp384r1_mulx_u32(&x405, &x406, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x407, &x408, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x409, &x410, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x411, &x412, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x413, &x414, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x415, &x416, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x417, &x418, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x419, &x420, x381, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x421, &x422, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x423, &x424, x381, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x425, &x426, 0x0, x422, x419); ++ fiat_secp384r1_addcarryx_u32(&x427, &x428, x426, x420, x417); ++ fiat_secp384r1_addcarryx_u32(&x429, &x430, x428, x418, x415); ++ fiat_secp384r1_addcarryx_u32(&x431, &x432, x430, x416, x413); ++ fiat_secp384r1_addcarryx_u32(&x433, &x434, x432, x414, x411); ++ fiat_secp384r1_addcarryx_u32(&x435, &x436, x434, x412, x409); ++ fiat_secp384r1_addcarryx_u32(&x437, &x438, x436, x410, x407); ++ fiat_secp384r1_addcarryx_u32(&x439, &x440, x438, x408, x405); ++ fiat_secp384r1_addcarryx_u32(&x441, &x442, 0x0, x381, x423); ++ fiat_secp384r1_addcarryx_u32(&x443, &x444, x442, x383, x424); ++ fiat_secp384r1_addcarryx_u32(&x445, &x446, x444, x385, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x447, &x448, x446, x387, x421); ++ fiat_secp384r1_addcarryx_u32(&x449, &x450, x448, x389, x425); ++ fiat_secp384r1_addcarryx_u32(&x451, &x452, x450, x391, x427); ++ fiat_secp384r1_addcarryx_u32(&x453, &x454, x452, x393, x429); ++ fiat_secp384r1_addcarryx_u32(&x455, &x456, x454, x395, x431); ++ fiat_secp384r1_addcarryx_u32(&x457, &x458, x456, x397, x433); ++ fiat_secp384r1_addcarryx_u32(&x459, &x460, x458, x399, x435); ++ fiat_secp384r1_addcarryx_u32(&x461, &x462, x460, x401, x437); ++ fiat_secp384r1_addcarryx_u32(&x463, &x464, x462, x403, x439); ++ fiat_secp384r1_addcarryx_u32(&x465, &x466, x464, ((uint32_t)x404 + x370), ++ (x440 + x406)); ++ fiat_secp384r1_mulx_u32(&x467, &x468, x5, 0x2); ++ fiat_secp384r1_mulx_u32(&x469, &x470, x5, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x471, &x472, x5, 0x2); ++ fiat_secp384r1_mulx_u32(&x473, &x474, x5, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x475, &x476, 0x0, (fiat_secp384r1_uint1)x468, ++ x5); ++ fiat_secp384r1_addcarryx_u32(&x477, &x478, 0x0, x443, x5); ++ fiat_secp384r1_addcarryx_u32(&x479, &x480, x478, x445, x473); ++ fiat_secp384r1_addcarryx_u32(&x481, &x482, x480, x447, x474); ++ fiat_secp384r1_addcarryx_u32(&x483, &x484, x482, x449, x471); ++ fiat_secp384r1_addcarryx_u32(&x485, &x486, x484, x451, ++ (fiat_secp384r1_uint1)x472); ++ fiat_secp384r1_addcarryx_u32(&x487, &x488, x486, x453, x469); ++ fiat_secp384r1_addcarryx_u32(&x489, &x490, x488, x455, x470); ++ fiat_secp384r1_addcarryx_u32(&x491, &x492, x490, x457, x467); ++ fiat_secp384r1_addcarryx_u32(&x493, &x494, x492, x459, x475); ++ fiat_secp384r1_addcarryx_u32(&x495, &x496, x494, x461, x476); ++ fiat_secp384r1_addcarryx_u32(&x497, &x498, x496, x463, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x499, &x500, x498, x465, 0x0); ++ fiat_secp384r1_mulx_u32(&x501, &x502, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x503, &x504, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x505, &x506, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x507, &x508, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x509, &x510, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x511, &x512, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x513, &x514, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x515, &x516, x477, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x517, &x518, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x519, &x520, x477, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x521, &x522, 0x0, x518, x515); ++ fiat_secp384r1_addcarryx_u32(&x523, &x524, x522, x516, x513); ++ fiat_secp384r1_addcarryx_u32(&x525, &x526, x524, x514, x511); ++ fiat_secp384r1_addcarryx_u32(&x527, &x528, x526, x512, x509); ++ fiat_secp384r1_addcarryx_u32(&x529, &x530, x528, x510, x507); ++ fiat_secp384r1_addcarryx_u32(&x531, &x532, x530, x508, x505); ++ fiat_secp384r1_addcarryx_u32(&x533, &x534, x532, x506, x503); ++ fiat_secp384r1_addcarryx_u32(&x535, &x536, x534, x504, x501); ++ fiat_secp384r1_addcarryx_u32(&x537, &x538, 0x0, x477, x519); ++ fiat_secp384r1_addcarryx_u32(&x539, &x540, x538, x479, x520); ++ fiat_secp384r1_addcarryx_u32(&x541, &x542, x540, x481, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x543, &x544, x542, x483, x517); ++ fiat_secp384r1_addcarryx_u32(&x545, &x546, x544, x485, x521); ++ fiat_secp384r1_addcarryx_u32(&x547, &x548, x546, x487, x523); ++ fiat_secp384r1_addcarryx_u32(&x549, &x550, x548, x489, x525); ++ fiat_secp384r1_addcarryx_u32(&x551, &x552, x550, x491, x527); ++ fiat_secp384r1_addcarryx_u32(&x553, &x554, x552, x493, x529); ++ fiat_secp384r1_addcarryx_u32(&x555, &x556, x554, x495, x531); ++ fiat_secp384r1_addcarryx_u32(&x557, &x558, x556, x497, x533); ++ fiat_secp384r1_addcarryx_u32(&x559, &x560, x558, x499, x535); ++ fiat_secp384r1_addcarryx_u32(&x561, &x562, x560, ((uint32_t)x500 + x466), ++ (x536 + x502)); ++ fiat_secp384r1_mulx_u32(&x563, &x564, x6, 0x2); ++ fiat_secp384r1_mulx_u32(&x565, &x566, x6, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x567, &x568, x6, 0x2); ++ fiat_secp384r1_mulx_u32(&x569, &x570, x6, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x571, &x572, 0x0, (fiat_secp384r1_uint1)x564, ++ x6); ++ fiat_secp384r1_addcarryx_u32(&x573, &x574, 0x0, x539, x6); ++ fiat_secp384r1_addcarryx_u32(&x575, &x576, x574, x541, x569); ++ fiat_secp384r1_addcarryx_u32(&x577, &x578, x576, x543, x570); ++ fiat_secp384r1_addcarryx_u32(&x579, &x580, x578, x545, x567); ++ fiat_secp384r1_addcarryx_u32(&x581, &x582, x580, x547, ++ (fiat_secp384r1_uint1)x568); ++ fiat_secp384r1_addcarryx_u32(&x583, &x584, x582, x549, x565); ++ fiat_secp384r1_addcarryx_u32(&x585, &x586, x584, x551, x566); ++ fiat_secp384r1_addcarryx_u32(&x587, &x588, x586, x553, x563); ++ fiat_secp384r1_addcarryx_u32(&x589, &x590, x588, x555, x571); ++ fiat_secp384r1_addcarryx_u32(&x591, &x592, x590, x557, x572); ++ fiat_secp384r1_addcarryx_u32(&x593, &x594, x592, x559, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x595, &x596, x594, x561, 0x0); ++ fiat_secp384r1_mulx_u32(&x597, &x598, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x599, &x600, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x601, &x602, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x603, &x604, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x605, &x606, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x607, &x608, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x609, &x610, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x611, &x612, x573, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x613, &x614, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x615, &x616, x573, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x617, &x618, 0x0, x614, x611); ++ fiat_secp384r1_addcarryx_u32(&x619, &x620, x618, x612, x609); ++ fiat_secp384r1_addcarryx_u32(&x621, &x622, x620, x610, x607); ++ fiat_secp384r1_addcarryx_u32(&x623, &x624, x622, x608, x605); ++ fiat_secp384r1_addcarryx_u32(&x625, &x626, x624, x606, x603); ++ fiat_secp384r1_addcarryx_u32(&x627, &x628, x626, x604, x601); ++ fiat_secp384r1_addcarryx_u32(&x629, &x630, x628, x602, x599); ++ fiat_secp384r1_addcarryx_u32(&x631, &x632, x630, x600, x597); ++ fiat_secp384r1_addcarryx_u32(&x633, &x634, 0x0, x573, x615); ++ fiat_secp384r1_addcarryx_u32(&x635, &x636, x634, x575, x616); ++ fiat_secp384r1_addcarryx_u32(&x637, &x638, x636, x577, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x639, &x640, x638, x579, x613); ++ fiat_secp384r1_addcarryx_u32(&x641, &x642, x640, x581, x617); ++ fiat_secp384r1_addcarryx_u32(&x643, &x644, x642, x583, x619); ++ fiat_secp384r1_addcarryx_u32(&x645, &x646, x644, x585, x621); ++ fiat_secp384r1_addcarryx_u32(&x647, &x648, x646, x587, x623); ++ fiat_secp384r1_addcarryx_u32(&x649, &x650, x648, x589, x625); ++ fiat_secp384r1_addcarryx_u32(&x651, &x652, x650, x591, x627); ++ fiat_secp384r1_addcarryx_u32(&x653, &x654, x652, x593, x629); ++ fiat_secp384r1_addcarryx_u32(&x655, &x656, x654, x595, x631); ++ fiat_secp384r1_addcarryx_u32(&x657, &x658, x656, ((uint32_t)x596 + x562), ++ (x632 + x598)); ++ fiat_secp384r1_mulx_u32(&x659, &x660, x7, 0x2); ++ fiat_secp384r1_mulx_u32(&x661, &x662, x7, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x663, &x664, x7, 0x2); ++ fiat_secp384r1_mulx_u32(&x665, &x666, x7, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x667, &x668, 0x0, (fiat_secp384r1_uint1)x660, ++ x7); ++ fiat_secp384r1_addcarryx_u32(&x669, &x670, 0x0, x635, x7); ++ fiat_secp384r1_addcarryx_u32(&x671, &x672, x670, x637, x665); ++ fiat_secp384r1_addcarryx_u32(&x673, &x674, x672, x639, x666); ++ fiat_secp384r1_addcarryx_u32(&x675, &x676, x674, x641, x663); ++ fiat_secp384r1_addcarryx_u32(&x677, &x678, x676, x643, ++ (fiat_secp384r1_uint1)x664); ++ fiat_secp384r1_addcarryx_u32(&x679, &x680, x678, x645, x661); ++ fiat_secp384r1_addcarryx_u32(&x681, &x682, x680, x647, x662); ++ fiat_secp384r1_addcarryx_u32(&x683, &x684, x682, x649, x659); ++ fiat_secp384r1_addcarryx_u32(&x685, &x686, x684, x651, x667); ++ fiat_secp384r1_addcarryx_u32(&x687, &x688, x686, x653, x668); ++ fiat_secp384r1_addcarryx_u32(&x689, &x690, x688, x655, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x691, &x692, x690, x657, 0x0); ++ fiat_secp384r1_mulx_u32(&x693, &x694, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x695, &x696, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x697, &x698, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x699, &x700, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x701, &x702, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x703, &x704, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x705, &x706, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x707, &x708, x669, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x709, &x710, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x711, &x712, x669, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x713, &x714, 0x0, x710, x707); ++ fiat_secp384r1_addcarryx_u32(&x715, &x716, x714, x708, x705); ++ fiat_secp384r1_addcarryx_u32(&x717, &x718, x716, x706, x703); ++ fiat_secp384r1_addcarryx_u32(&x719, &x720, x718, x704, x701); ++ fiat_secp384r1_addcarryx_u32(&x721, &x722, x720, x702, x699); ++ fiat_secp384r1_addcarryx_u32(&x723, &x724, x722, x700, x697); ++ fiat_secp384r1_addcarryx_u32(&x725, &x726, x724, x698, x695); ++ fiat_secp384r1_addcarryx_u32(&x727, &x728, x726, x696, x693); ++ fiat_secp384r1_addcarryx_u32(&x729, &x730, 0x0, x669, x711); ++ fiat_secp384r1_addcarryx_u32(&x731, &x732, x730, x671, x712); ++ fiat_secp384r1_addcarryx_u32(&x733, &x734, x732, x673, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x735, &x736, x734, x675, x709); ++ fiat_secp384r1_addcarryx_u32(&x737, &x738, x736, x677, x713); ++ fiat_secp384r1_addcarryx_u32(&x739, &x740, x738, x679, x715); ++ fiat_secp384r1_addcarryx_u32(&x741, &x742, x740, x681, x717); ++ fiat_secp384r1_addcarryx_u32(&x743, &x744, x742, x683, x719); ++ fiat_secp384r1_addcarryx_u32(&x745, &x746, x744, x685, x721); ++ fiat_secp384r1_addcarryx_u32(&x747, &x748, x746, x687, x723); ++ fiat_secp384r1_addcarryx_u32(&x749, &x750, x748, x689, x725); ++ fiat_secp384r1_addcarryx_u32(&x751, &x752, x750, x691, x727); ++ fiat_secp384r1_addcarryx_u32(&x753, &x754, x752, ((uint32_t)x692 + x658), ++ (x728 + x694)); ++ fiat_secp384r1_mulx_u32(&x755, &x756, x8, 0x2); ++ fiat_secp384r1_mulx_u32(&x757, &x758, x8, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x759, &x760, x8, 0x2); ++ fiat_secp384r1_mulx_u32(&x761, &x762, x8, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x763, &x764, 0x0, (fiat_secp384r1_uint1)x756, ++ x8); ++ fiat_secp384r1_addcarryx_u32(&x765, &x766, 0x0, x731, x8); ++ fiat_secp384r1_addcarryx_u32(&x767, &x768, x766, x733, x761); ++ fiat_secp384r1_addcarryx_u32(&x769, &x770, x768, x735, x762); ++ fiat_secp384r1_addcarryx_u32(&x771, &x772, x770, x737, x759); ++ fiat_secp384r1_addcarryx_u32(&x773, &x774, x772, x739, ++ (fiat_secp384r1_uint1)x760); ++ fiat_secp384r1_addcarryx_u32(&x775, &x776, x774, x741, x757); ++ fiat_secp384r1_addcarryx_u32(&x777, &x778, x776, x743, x758); ++ fiat_secp384r1_addcarryx_u32(&x779, &x780, x778, x745, x755); ++ fiat_secp384r1_addcarryx_u32(&x781, &x782, x780, x747, x763); ++ fiat_secp384r1_addcarryx_u32(&x783, &x784, x782, x749, x764); ++ fiat_secp384r1_addcarryx_u32(&x785, &x786, x784, x751, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x787, &x788, x786, x753, 0x0); ++ fiat_secp384r1_mulx_u32(&x789, &x790, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x791, &x792, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x793, &x794, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x795, &x796, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x797, &x798, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x799, &x800, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x801, &x802, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x803, &x804, x765, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x805, &x806, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x807, &x808, x765, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x809, &x810, 0x0, x806, x803); ++ fiat_secp384r1_addcarryx_u32(&x811, &x812, x810, x804, x801); ++ fiat_secp384r1_addcarryx_u32(&x813, &x814, x812, x802, x799); ++ fiat_secp384r1_addcarryx_u32(&x815, &x816, x814, x800, x797); ++ fiat_secp384r1_addcarryx_u32(&x817, &x818, x816, x798, x795); ++ fiat_secp384r1_addcarryx_u32(&x819, &x820, x818, x796, x793); ++ fiat_secp384r1_addcarryx_u32(&x821, &x822, x820, x794, x791); ++ fiat_secp384r1_addcarryx_u32(&x823, &x824, x822, x792, x789); ++ fiat_secp384r1_addcarryx_u32(&x825, &x826, 0x0, x765, x807); ++ fiat_secp384r1_addcarryx_u32(&x827, &x828, x826, x767, x808); ++ fiat_secp384r1_addcarryx_u32(&x829, &x830, x828, x769, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x831, &x832, x830, x771, x805); ++ fiat_secp384r1_addcarryx_u32(&x833, &x834, x832, x773, x809); ++ fiat_secp384r1_addcarryx_u32(&x835, &x836, x834, x775, x811); ++ fiat_secp384r1_addcarryx_u32(&x837, &x838, x836, x777, x813); ++ fiat_secp384r1_addcarryx_u32(&x839, &x840, x838, x779, x815); ++ fiat_secp384r1_addcarryx_u32(&x841, &x842, x840, x781, x817); ++ fiat_secp384r1_addcarryx_u32(&x843, &x844, x842, x783, x819); ++ fiat_secp384r1_addcarryx_u32(&x845, &x846, x844, x785, x821); ++ fiat_secp384r1_addcarryx_u32(&x847, &x848, x846, x787, x823); ++ fiat_secp384r1_addcarryx_u32(&x849, &x850, x848, ((uint32_t)x788 + x754), ++ (x824 + x790)); ++ fiat_secp384r1_mulx_u32(&x851, &x852, x9, 0x2); ++ fiat_secp384r1_mulx_u32(&x853, &x854, x9, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x855, &x856, x9, 0x2); ++ fiat_secp384r1_mulx_u32(&x857, &x858, x9, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x859, &x860, 0x0, (fiat_secp384r1_uint1)x852, ++ x9); ++ fiat_secp384r1_addcarryx_u32(&x861, &x862, 0x0, x827, x9); ++ fiat_secp384r1_addcarryx_u32(&x863, &x864, x862, x829, x857); ++ fiat_secp384r1_addcarryx_u32(&x865, &x866, x864, x831, x858); ++ fiat_secp384r1_addcarryx_u32(&x867, &x868, x866, x833, x855); ++ fiat_secp384r1_addcarryx_u32(&x869, &x870, x868, x835, ++ (fiat_secp384r1_uint1)x856); ++ fiat_secp384r1_addcarryx_u32(&x871, &x872, x870, x837, x853); ++ fiat_secp384r1_addcarryx_u32(&x873, &x874, x872, x839, x854); ++ fiat_secp384r1_addcarryx_u32(&x875, &x876, x874, x841, x851); ++ fiat_secp384r1_addcarryx_u32(&x877, &x878, x876, x843, x859); ++ fiat_secp384r1_addcarryx_u32(&x879, &x880, x878, x845, x860); ++ fiat_secp384r1_addcarryx_u32(&x881, &x882, x880, x847, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x883, &x884, x882, x849, 0x0); ++ fiat_secp384r1_mulx_u32(&x885, &x886, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x887, &x888, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x889, &x890, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x891, &x892, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x893, &x894, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x895, &x896, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x897, &x898, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x899, &x900, x861, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x901, &x902, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x903, &x904, x861, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x905, &x906, 0x0, x902, x899); ++ fiat_secp384r1_addcarryx_u32(&x907, &x908, x906, x900, x897); ++ fiat_secp384r1_addcarryx_u32(&x909, &x910, x908, x898, x895); ++ fiat_secp384r1_addcarryx_u32(&x911, &x912, x910, x896, x893); ++ fiat_secp384r1_addcarryx_u32(&x913, &x914, x912, x894, x891); ++ fiat_secp384r1_addcarryx_u32(&x915, &x916, x914, x892, x889); ++ fiat_secp384r1_addcarryx_u32(&x917, &x918, x916, x890, x887); ++ fiat_secp384r1_addcarryx_u32(&x919, &x920, x918, x888, x885); ++ fiat_secp384r1_addcarryx_u32(&x921, &x922, 0x0, x861, x903); ++ fiat_secp384r1_addcarryx_u32(&x923, &x924, x922, x863, x904); ++ fiat_secp384r1_addcarryx_u32(&x925, &x926, x924, x865, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x927, &x928, x926, x867, x901); ++ fiat_secp384r1_addcarryx_u32(&x929, &x930, x928, x869, x905); ++ fiat_secp384r1_addcarryx_u32(&x931, &x932, x930, x871, x907); ++ fiat_secp384r1_addcarryx_u32(&x933, &x934, x932, x873, x909); ++ fiat_secp384r1_addcarryx_u32(&x935, &x936, x934, x875, x911); ++ fiat_secp384r1_addcarryx_u32(&x937, &x938, x936, x877, x913); ++ fiat_secp384r1_addcarryx_u32(&x939, &x940, x938, x879, x915); ++ fiat_secp384r1_addcarryx_u32(&x941, &x942, x940, x881, x917); ++ fiat_secp384r1_addcarryx_u32(&x943, &x944, x942, x883, x919); ++ fiat_secp384r1_addcarryx_u32(&x945, &x946, x944, ((uint32_t)x884 + x850), ++ (x920 + x886)); ++ fiat_secp384r1_mulx_u32(&x947, &x948, x10, 0x2); ++ fiat_secp384r1_mulx_u32(&x949, &x950, x10, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x951, &x952, x10, 0x2); ++ fiat_secp384r1_mulx_u32(&x953, &x954, x10, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x955, &x956, 0x0, (fiat_secp384r1_uint1)x948, ++ x10); ++ fiat_secp384r1_addcarryx_u32(&x957, &x958, 0x0, x923, x10); ++ fiat_secp384r1_addcarryx_u32(&x959, &x960, x958, x925, x953); ++ fiat_secp384r1_addcarryx_u32(&x961, &x962, x960, x927, x954); ++ fiat_secp384r1_addcarryx_u32(&x963, &x964, x962, x929, x951); ++ fiat_secp384r1_addcarryx_u32(&x965, &x966, x964, x931, ++ (fiat_secp384r1_uint1)x952); ++ fiat_secp384r1_addcarryx_u32(&x967, &x968, x966, x933, x949); ++ fiat_secp384r1_addcarryx_u32(&x969, &x970, x968, x935, x950); ++ fiat_secp384r1_addcarryx_u32(&x971, &x972, x970, x937, x947); ++ fiat_secp384r1_addcarryx_u32(&x973, &x974, x972, x939, x955); ++ fiat_secp384r1_addcarryx_u32(&x975, &x976, x974, x941, x956); ++ fiat_secp384r1_addcarryx_u32(&x977, &x978, x976, x943, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x979, &x980, x978, x945, 0x0); ++ fiat_secp384r1_mulx_u32(&x981, &x982, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x983, &x984, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x985, &x986, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x987, &x988, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x989, &x990, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x991, &x992, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x993, &x994, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x995, &x996, x957, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x997, &x998, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x999, &x1000, x957, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1001, &x1002, 0x0, x998, x995); ++ fiat_secp384r1_addcarryx_u32(&x1003, &x1004, x1002, x996, x993); ++ fiat_secp384r1_addcarryx_u32(&x1005, &x1006, x1004, x994, x991); ++ fiat_secp384r1_addcarryx_u32(&x1007, &x1008, x1006, x992, x989); ++ fiat_secp384r1_addcarryx_u32(&x1009, &x1010, x1008, x990, x987); ++ fiat_secp384r1_addcarryx_u32(&x1011, &x1012, x1010, x988, x985); ++ fiat_secp384r1_addcarryx_u32(&x1013, &x1014, x1012, x986, x983); ++ fiat_secp384r1_addcarryx_u32(&x1015, &x1016, x1014, x984, x981); ++ fiat_secp384r1_addcarryx_u32(&x1017, &x1018, 0x0, x957, x999); ++ fiat_secp384r1_addcarryx_u32(&x1019, &x1020, x1018, x959, x1000); ++ fiat_secp384r1_addcarryx_u32(&x1021, &x1022, x1020, x961, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1023, &x1024, x1022, x963, x997); ++ fiat_secp384r1_addcarryx_u32(&x1025, &x1026, x1024, x965, x1001); ++ fiat_secp384r1_addcarryx_u32(&x1027, &x1028, x1026, x967, x1003); ++ fiat_secp384r1_addcarryx_u32(&x1029, &x1030, x1028, x969, x1005); ++ fiat_secp384r1_addcarryx_u32(&x1031, &x1032, x1030, x971, x1007); ++ fiat_secp384r1_addcarryx_u32(&x1033, &x1034, x1032, x973, x1009); ++ fiat_secp384r1_addcarryx_u32(&x1035, &x1036, x1034, x975, x1011); ++ fiat_secp384r1_addcarryx_u32(&x1037, &x1038, x1036, x977, x1013); ++ fiat_secp384r1_addcarryx_u32(&x1039, &x1040, x1038, x979, x1015); ++ fiat_secp384r1_addcarryx_u32(&x1041, &x1042, x1040, ((uint32_t)x980 + x946), ++ (x1016 + x982)); ++ fiat_secp384r1_mulx_u32(&x1043, &x1044, x11, 0x2); ++ fiat_secp384r1_mulx_u32(&x1045, &x1046, x11, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1047, &x1048, x11, 0x2); ++ fiat_secp384r1_mulx_u32(&x1049, &x1050, x11, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_addcarryx_u32(&x1051, &x1052, 0x0, ++ (fiat_secp384r1_uint1)x1044, x11); ++ fiat_secp384r1_addcarryx_u32(&x1053, &x1054, 0x0, x1019, x11); ++ fiat_secp384r1_addcarryx_u32(&x1055, &x1056, x1054, x1021, x1049); ++ fiat_secp384r1_addcarryx_u32(&x1057, &x1058, x1056, x1023, x1050); ++ fiat_secp384r1_addcarryx_u32(&x1059, &x1060, x1058, x1025, x1047); ++ fiat_secp384r1_addcarryx_u32(&x1061, &x1062, x1060, x1027, ++ (fiat_secp384r1_uint1)x1048); ++ fiat_secp384r1_addcarryx_u32(&x1063, &x1064, x1062, x1029, x1045); ++ fiat_secp384r1_addcarryx_u32(&x1065, &x1066, x1064, x1031, x1046); ++ fiat_secp384r1_addcarryx_u32(&x1067, &x1068, x1066, x1033, x1043); ++ fiat_secp384r1_addcarryx_u32(&x1069, &x1070, x1068, x1035, x1051); ++ fiat_secp384r1_addcarryx_u32(&x1071, &x1072, x1070, x1037, x1052); ++ fiat_secp384r1_addcarryx_u32(&x1073, &x1074, x1072, x1039, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1075, &x1076, x1074, x1041, 0x0); ++ fiat_secp384r1_mulx_u32(&x1077, &x1078, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1079, &x1080, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1081, &x1082, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1083, &x1084, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1085, &x1086, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1087, &x1088, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1089, &x1090, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1091, &x1092, x1053, UINT32_C(0xfffffffe)); ++ fiat_secp384r1_mulx_u32(&x1093, &x1094, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_mulx_u32(&x1095, &x1096, x1053, UINT32_C(0xffffffff)); ++ fiat_secp384r1_addcarryx_u32(&x1097, &x1098, 0x0, x1094, x1091); ++ fiat_secp384r1_addcarryx_u32(&x1099, &x1100, x1098, x1092, x1089); ++ fiat_secp384r1_addcarryx_u32(&x1101, &x1102, x1100, x1090, x1087); ++ fiat_secp384r1_addcarryx_u32(&x1103, &x1104, x1102, x1088, x1085); ++ fiat_secp384r1_addcarryx_u32(&x1105, &x1106, x1104, x1086, x1083); ++ fiat_secp384r1_addcarryx_u32(&x1107, &x1108, x1106, x1084, x1081); ++ fiat_secp384r1_addcarryx_u32(&x1109, &x1110, x1108, x1082, x1079); ++ fiat_secp384r1_addcarryx_u32(&x1111, &x1112, x1110, x1080, x1077); ++ fiat_secp384r1_addcarryx_u32(&x1113, &x1114, 0x0, x1053, x1095); ++ fiat_secp384r1_addcarryx_u32(&x1115, &x1116, x1114, x1055, x1096); ++ fiat_secp384r1_addcarryx_u32(&x1117, &x1118, x1116, x1057, 0x0); ++ fiat_secp384r1_addcarryx_u32(&x1119, &x1120, x1118, x1059, x1093); ++ fiat_secp384r1_addcarryx_u32(&x1121, &x1122, x1120, x1061, x1097); ++ fiat_secp384r1_addcarryx_u32(&x1123, &x1124, x1122, x1063, x1099); ++ fiat_secp384r1_addcarryx_u32(&x1125, &x1126, x1124, x1065, x1101); ++ fiat_secp384r1_addcarryx_u32(&x1127, &x1128, x1126, x1067, x1103); ++ fiat_secp384r1_addcarryx_u32(&x1129, &x1130, x1128, x1069, x1105); ++ fiat_secp384r1_addcarryx_u32(&x1131, &x1132, x1130, x1071, x1107); ++ fiat_secp384r1_addcarryx_u32(&x1133, &x1134, x1132, x1073, x1109); ++ fiat_secp384r1_addcarryx_u32(&x1135, &x1136, x1134, x1075, x1111); ++ fiat_secp384r1_addcarryx_u32(&x1137, &x1138, x1136, ++ ((uint32_t)x1076 + x1042), (x1112 + x1078)); ++ fiat_secp384r1_subborrowx_u32(&x1139, &x1140, 0x0, x1115, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1141, &x1142, x1140, x1117, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x1143, &x1144, x1142, x1119, 0x0); ++ fiat_secp384r1_subborrowx_u32(&x1145, &x1146, x1144, x1121, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1147, &x1148, x1146, x1123, ++ UINT32_C(0xfffffffe)); ++ fiat_secp384r1_subborrowx_u32(&x1149, &x1150, x1148, x1125, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1151, &x1152, x1150, x1127, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1153, &x1154, x1152, x1129, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1155, &x1156, x1154, x1131, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1157, &x1158, x1156, x1133, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1159, &x1160, x1158, x1135, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1161, &x1162, x1160, x1137, ++ UINT32_C(0xffffffff)); ++ fiat_secp384r1_subborrowx_u32(&x1163, &x1164, x1162, x1138, 0x0); ++ fiat_secp384r1_cmovznz_u32(&x1165, x1164, x1139, x1115); ++ fiat_secp384r1_cmovznz_u32(&x1166, x1164, x1141, x1117); ++ fiat_secp384r1_cmovznz_u32(&x1167, x1164, x1143, x1119); ++ fiat_secp384r1_cmovznz_u32(&x1168, x1164, x1145, x1121); ++ fiat_secp384r1_cmovznz_u32(&x1169, x1164, x1147, x1123); ++ fiat_secp384r1_cmovznz_u32(&x1170, x1164, x1149, x1125); ++ fiat_secp384r1_cmovznz_u32(&x1171, x1164, x1151, x1127); ++ fiat_secp384r1_cmovznz_u32(&x1172, x1164, x1153, x1129); ++ fiat_secp384r1_cmovznz_u32(&x1173, x1164, x1155, x1131); ++ fiat_secp384r1_cmovznz_u32(&x1174, x1164, x1157, x1133); ++ fiat_secp384r1_cmovznz_u32(&x1175, x1164, x1159, x1135); ++ fiat_secp384r1_cmovznz_u32(&x1176, x1164, x1161, x1137); ++ out1[0] = x1165; ++ out1[1] = x1166; ++ out1[2] = x1167; ++ out1[3] = x1168; ++ out1[4] = x1169; ++ out1[5] = x1170; ++ out1[6] = x1171; ++ out1[7] = x1172; ++ out1[8] = x1173; ++ out1[9] = x1174; ++ out1[10] = x1175; ++ out1[11] = x1176; ++} ++ ++/* ++ * The function fiat_secp384r1_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [0x0 ~> 0xffffffff] ++ */ ++static void ++fiat_secp384r1_nonzero(uint32_t *out1, const uint32_t arg1[12]) ++{ ++ uint32_t x1; ++ x1 = ((arg1[0]) | ++ ((arg1[1]) | ++ ((arg1[2]) | ++ ((arg1[3]) | ++ ((arg1[4]) | ++ ((arg1[5]) | ++ ((arg1[6]) | ++ ((arg1[7]) | ++ ((arg1[8]) | ++ ((arg1[9]) | ++ ((arg1[10]) | ((arg1[11]) | (uint32_t)0x0)))))))))))); ++ *out1 = x1; ++} ++ ++/* ++ * The function fiat_secp384r1_selectznz is a multi-limb conditional select. ++ * Postconditions: ++ * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) ++ * ++ * Input Bounds: ++ * arg1: [0x0 ~> 0x1] ++ * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_selectznz(uint32_t out1[12], ++ fiat_secp384r1_uint1 arg1, ++ const uint32_t arg2[12], ++ const uint32_t arg3[12]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint32_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint32_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint32_t x12; ++ fiat_secp384r1_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0])); ++ fiat_secp384r1_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1])); ++ fiat_secp384r1_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2])); ++ fiat_secp384r1_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3])); ++ fiat_secp384r1_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4])); ++ fiat_secp384r1_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5])); ++ fiat_secp384r1_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6])); ++ fiat_secp384r1_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7])); ++ fiat_secp384r1_cmovznz_u32(&x9, arg1, (arg2[8]), (arg3[8])); ++ fiat_secp384r1_cmovznz_u32(&x10, arg1, (arg2[9]), (arg3[9])); ++ fiat_secp384r1_cmovznz_u32(&x11, arg1, (arg2[10]), (arg3[10])); ++ fiat_secp384r1_cmovznz_u32(&x12, arg1, (arg2[11]), (arg3[11])); ++ out1[0] = x1; ++ out1[1] = x2; ++ out1[2] = x3; ++ out1[3] = x4; ++ out1[4] = x5; ++ out1[5] = x6; ++ out1[6] = x7; ++ out1[7] = x8; ++ out1[8] = x9; ++ out1[9] = x10; ++ out1[10] = x11; ++ out1[11] = x12; ++} ++ ++/* ++ * The function fiat_secp384r1_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. ++ * Preconditions: ++ * 0 ≤ eval arg1 < m ++ * Postconditions: ++ * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..47] ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] ++ */ ++static void ++fiat_secp384r1_to_bytes(uint8_t out1[48], const uint32_t arg1[12]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint32_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint32_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint32_t x12; ++ uint32_t x13; ++ uint8_t x14; ++ uint32_t x15; ++ uint8_t x16; ++ uint8_t x17; ++ uint8_t x18; ++ uint8_t x19; ++ uint32_t x20; ++ uint8_t x21; ++ uint32_t x22; ++ uint8_t x23; ++ uint8_t x24; ++ uint8_t x25; ++ uint8_t x26; ++ uint32_t x27; ++ uint8_t x28; ++ uint32_t x29; ++ uint8_t x30; ++ uint8_t x31; ++ uint8_t x32; ++ uint8_t x33; ++ uint32_t x34; ++ uint8_t x35; ++ uint32_t x36; ++ uint8_t x37; ++ uint8_t x38; ++ uint8_t x39; ++ uint8_t x40; ++ uint32_t x41; ++ uint8_t x42; ++ uint32_t x43; ++ uint8_t x44; ++ uint8_t x45; ++ uint8_t x46; ++ uint8_t x47; ++ uint32_t x48; ++ uint8_t x49; ++ uint32_t x50; ++ uint8_t x51; ++ uint8_t x52; ++ uint8_t x53; ++ uint8_t x54; ++ uint32_t x55; ++ uint8_t x56; ++ uint32_t x57; ++ uint8_t x58; ++ uint8_t x59; ++ uint8_t x60; ++ uint8_t x61; ++ uint32_t x62; ++ uint8_t x63; ++ uint32_t x64; ++ uint8_t x65; ++ uint8_t x66; ++ uint8_t x67; ++ uint8_t x68; ++ uint32_t x69; ++ uint8_t x70; ++ uint32_t x71; ++ uint8_t x72; ++ uint8_t x73; ++ uint8_t x74; ++ uint8_t x75; ++ uint32_t x76; ++ uint8_t x77; ++ uint32_t x78; ++ uint8_t x79; ++ uint8_t x80; ++ uint8_t x81; ++ uint8_t x82; ++ uint32_t x83; ++ uint8_t x84; ++ uint32_t x85; ++ uint8_t x86; ++ uint8_t x87; ++ uint8_t x88; ++ uint8_t x89; ++ uint32_t x90; ++ uint8_t x91; ++ uint32_t x92; ++ uint8_t x93; ++ uint8_t x94; ++ uint8_t x95; ++ x1 = (arg1[11]); ++ x2 = (arg1[10]); ++ x3 = (arg1[9]); ++ x4 = (arg1[8]); ++ x5 = (arg1[7]); ++ x6 = (arg1[6]); ++ x7 = (arg1[5]); ++ x8 = (arg1[4]); ++ x9 = (arg1[3]); ++ x10 = (arg1[2]); ++ x11 = (arg1[1]); ++ x12 = (arg1[0]); ++ x13 = (x12 >> 8); ++ x14 = (uint8_t)(x12 & UINT8_C(0xff)); ++ x15 = (x13 >> 8); ++ x16 = (uint8_t)(x13 & UINT8_C(0xff)); ++ x17 = (uint8_t)(x15 >> 8); ++ x18 = (uint8_t)(x15 & UINT8_C(0xff)); ++ x19 = (uint8_t)(x17 & UINT8_C(0xff)); ++ x20 = (x11 >> 8); ++ x21 = (uint8_t)(x11 & UINT8_C(0xff)); ++ x22 = (x20 >> 8); ++ x23 = (uint8_t)(x20 & UINT8_C(0xff)); ++ x24 = (uint8_t)(x22 >> 8); ++ x25 = (uint8_t)(x22 & UINT8_C(0xff)); ++ x26 = (uint8_t)(x24 & UINT8_C(0xff)); ++ x27 = (x10 >> 8); ++ x28 = (uint8_t)(x10 & UINT8_C(0xff)); ++ x29 = (x27 >> 8); ++ x30 = (uint8_t)(x27 & UINT8_C(0xff)); ++ x31 = (uint8_t)(x29 >> 8); ++ x32 = (uint8_t)(x29 & UINT8_C(0xff)); ++ x33 = (uint8_t)(x31 & UINT8_C(0xff)); ++ x34 = (x9 >> 8); ++ x35 = (uint8_t)(x9 & UINT8_C(0xff)); ++ x36 = (x34 >> 8); ++ x37 = (uint8_t)(x34 & UINT8_C(0xff)); ++ x38 = (uint8_t)(x36 >> 8); ++ x39 = (uint8_t)(x36 & UINT8_C(0xff)); ++ x40 = (uint8_t)(x38 & UINT8_C(0xff)); ++ x41 = (x8 >> 8); ++ x42 = (uint8_t)(x8 & UINT8_C(0xff)); ++ x43 = (x41 >> 8); ++ x44 = (uint8_t)(x41 & UINT8_C(0xff)); ++ x45 = (uint8_t)(x43 >> 8); ++ x46 = (uint8_t)(x43 & UINT8_C(0xff)); ++ x47 = (uint8_t)(x45 & UINT8_C(0xff)); ++ x48 = (x7 >> 8); ++ x49 = (uint8_t)(x7 & UINT8_C(0xff)); ++ x50 = (x48 >> 8); ++ x51 = (uint8_t)(x48 & UINT8_C(0xff)); ++ x52 = (uint8_t)(x50 >> 8); ++ x53 = (uint8_t)(x50 & UINT8_C(0xff)); ++ x54 = (uint8_t)(x52 & UINT8_C(0xff)); ++ x55 = (x6 >> 8); ++ x56 = (uint8_t)(x6 & UINT8_C(0xff)); ++ x57 = (x55 >> 8); ++ x58 = (uint8_t)(x55 & UINT8_C(0xff)); ++ x59 = (uint8_t)(x57 >> 8); ++ x60 = (uint8_t)(x57 & UINT8_C(0xff)); ++ x61 = (uint8_t)(x59 & UINT8_C(0xff)); ++ x62 = (x5 >> 8); ++ x63 = (uint8_t)(x5 & UINT8_C(0xff)); ++ x64 = (x62 >> 8); ++ x65 = (uint8_t)(x62 & UINT8_C(0xff)); ++ x66 = (uint8_t)(x64 >> 8); ++ x67 = (uint8_t)(x64 & UINT8_C(0xff)); ++ x68 = (uint8_t)(x66 & UINT8_C(0xff)); ++ x69 = (x4 >> 8); ++ x70 = (uint8_t)(x4 & UINT8_C(0xff)); ++ x71 = (x69 >> 8); ++ x72 = (uint8_t)(x69 & UINT8_C(0xff)); ++ x73 = (uint8_t)(x71 >> 8); ++ x74 = (uint8_t)(x71 & UINT8_C(0xff)); ++ x75 = (uint8_t)(x73 & UINT8_C(0xff)); ++ x76 = (x3 >> 8); ++ x77 = (uint8_t)(x3 & UINT8_C(0xff)); ++ x78 = (x76 >> 8); ++ x79 = (uint8_t)(x76 & UINT8_C(0xff)); ++ x80 = (uint8_t)(x78 >> 8); ++ x81 = (uint8_t)(x78 & UINT8_C(0xff)); ++ x82 = (uint8_t)(x80 & UINT8_C(0xff)); ++ x83 = (x2 >> 8); ++ x84 = (uint8_t)(x2 & UINT8_C(0xff)); ++ x85 = (x83 >> 8); ++ x86 = (uint8_t)(x83 & UINT8_C(0xff)); ++ x87 = (uint8_t)(x85 >> 8); ++ x88 = (uint8_t)(x85 & UINT8_C(0xff)); ++ x89 = (uint8_t)(x87 & UINT8_C(0xff)); ++ x90 = (x1 >> 8); ++ x91 = (uint8_t)(x1 & UINT8_C(0xff)); ++ x92 = (x90 >> 8); ++ x93 = (uint8_t)(x90 & UINT8_C(0xff)); ++ x94 = (uint8_t)(x92 >> 8); ++ x95 = (uint8_t)(x92 & UINT8_C(0xff)); ++ out1[0] = x14; ++ out1[1] = x16; ++ out1[2] = x18; ++ out1[3] = x19; ++ out1[4] = x21; ++ out1[5] = x23; ++ out1[6] = x25; ++ out1[7] = x26; ++ out1[8] = x28; ++ out1[9] = x30; ++ out1[10] = x32; ++ out1[11] = x33; ++ out1[12] = x35; ++ out1[13] = x37; ++ out1[14] = x39; ++ out1[15] = x40; ++ out1[16] = x42; ++ out1[17] = x44; ++ out1[18] = x46; ++ out1[19] = x47; ++ out1[20] = x49; ++ out1[21] = x51; ++ out1[22] = x53; ++ out1[23] = x54; ++ out1[24] = x56; ++ out1[25] = x58; ++ out1[26] = x60; ++ out1[27] = x61; ++ out1[28] = x63; ++ out1[29] = x65; ++ out1[30] = x67; ++ out1[31] = x68; ++ out1[32] = x70; ++ out1[33] = x72; ++ out1[34] = x74; ++ out1[35] = x75; ++ out1[36] = x77; ++ out1[37] = x79; ++ out1[38] = x81; ++ out1[39] = x82; ++ out1[40] = x84; ++ out1[41] = x86; ++ out1[42] = x88; ++ out1[43] = x89; ++ out1[44] = x91; ++ out1[45] = x93; ++ out1[46] = x95; ++ out1[47] = x94; ++} ++ ++/* ++ * The function fiat_secp384r1_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. ++ * Preconditions: ++ * 0 ≤ bytes_eval arg1 < m ++ * Postconditions: ++ * eval out1 mod m = bytes_eval arg1 mod m ++ * 0 ≤ eval out1 < m ++ * ++ * Input Bounds: ++ * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] ++ * Output Bounds: ++ * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] ++ */ ++static void ++fiat_secp384r1_from_bytes(uint32_t out1[12], ++ const uint8_t arg1[48]) ++{ ++ uint32_t x1; ++ uint32_t x2; ++ uint32_t x3; ++ uint8_t x4; ++ uint32_t x5; ++ uint32_t x6; ++ uint32_t x7; ++ uint8_t x8; ++ uint32_t x9; ++ uint32_t x10; ++ uint32_t x11; ++ uint8_t x12; ++ uint32_t x13; ++ uint32_t x14; ++ uint32_t x15; ++ uint8_t x16; ++ uint32_t x17; ++ uint32_t x18; ++ uint32_t x19; ++ uint8_t x20; ++ uint32_t x21; ++ uint32_t x22; ++ uint32_t x23; ++ uint8_t x24; ++ uint32_t x25; ++ uint32_t x26; ++ uint32_t x27; ++ uint8_t x28; ++ uint32_t x29; ++ uint32_t x30; ++ uint32_t x31; ++ uint8_t x32; ++ uint32_t x33; ++ uint32_t x34; ++ uint32_t x35; ++ uint8_t x36; ++ uint32_t x37; ++ uint32_t x38; ++ uint32_t x39; ++ uint8_t x40; ++ uint32_t x41; ++ uint32_t x42; ++ uint32_t x43; ++ uint8_t x44; ++ uint32_t x45; ++ uint32_t x46; ++ uint32_t x47; ++ uint8_t x48; ++ uint32_t x49; ++ uint32_t x50; ++ uint32_t x51; ++ uint32_t x52; ++ uint32_t x53; ++ uint32_t x54; ++ uint32_t x55; ++ uint32_t x56; ++ uint32_t x57; ++ uint32_t x58; ++ uint32_t x59; ++ uint32_t x60; ++ uint32_t x61; ++ uint32_t x62; ++ uint32_t x63; ++ uint32_t x64; ++ uint32_t x65; ++ uint32_t x66; ++ uint32_t x67; ++ uint32_t x68; ++ uint32_t x69; ++ uint32_t x70; ++ uint32_t x71; ++ x1 = ((uint32_t)(arg1[47]) << 24); ++ x2 = ((uint32_t)(arg1[46]) << 16); ++ x3 = ((uint32_t)(arg1[45]) << 8); ++ x4 = (arg1[44]); ++ x5 = ((uint32_t)(arg1[43]) << 24); ++ x6 = ((uint32_t)(arg1[42]) << 16); ++ x7 = ((uint32_t)(arg1[41]) << 8); ++ x8 = (arg1[40]); ++ x9 = ((uint32_t)(arg1[39]) << 24); ++ x10 = ((uint32_t)(arg1[38]) << 16); ++ x11 = ((uint32_t)(arg1[37]) << 8); ++ x12 = (arg1[36]); ++ x13 = ((uint32_t)(arg1[35]) << 24); ++ x14 = ((uint32_t)(arg1[34]) << 16); ++ x15 = ((uint32_t)(arg1[33]) << 8); ++ x16 = (arg1[32]); ++ x17 = ((uint32_t)(arg1[31]) << 24); ++ x18 = ((uint32_t)(arg1[30]) << 16); ++ x19 = ((uint32_t)(arg1[29]) << 8); ++ x20 = (arg1[28]); ++ x21 = ((uint32_t)(arg1[27]) << 24); ++ x22 = ((uint32_t)(arg1[26]) << 16); ++ x23 = ((uint32_t)(arg1[25]) << 8); ++ x24 = (arg1[24]); ++ x25 = ((uint32_t)(arg1[23]) << 24); ++ x26 = ((uint32_t)(arg1[22]) << 16); ++ x27 = ((uint32_t)(arg1[21]) << 8); ++ x28 = (arg1[20]); ++ x29 = ((uint32_t)(arg1[19]) << 24); ++ x30 = ((uint32_t)(arg1[18]) << 16); ++ x31 = ((uint32_t)(arg1[17]) << 8); ++ x32 = (arg1[16]); ++ x33 = ((uint32_t)(arg1[15]) << 24); ++ x34 = ((uint32_t)(arg1[14]) << 16); ++ x35 = ((uint32_t)(arg1[13]) << 8); ++ x36 = (arg1[12]); ++ x37 = ((uint32_t)(arg1[11]) << 24); ++ x38 = ((uint32_t)(arg1[10]) << 16); ++ x39 = ((uint32_t)(arg1[9]) << 8); ++ x40 = (arg1[8]); ++ x41 = ((uint32_t)(arg1[7]) << 24); ++ x42 = ((uint32_t)(arg1[6]) << 16); ++ x43 = ((uint32_t)(arg1[5]) << 8); ++ x44 = (arg1[4]); ++ x45 = ((uint32_t)(arg1[3]) << 24); ++ x46 = ((uint32_t)(arg1[2]) << 16); ++ x47 = ((uint32_t)(arg1[1]) << 8); ++ x48 = (arg1[0]); ++ x49 = (x48 + (x47 + (x46 + x45))); ++ x50 = (x49 & UINT32_C(0xffffffff)); ++ x51 = (x4 + (x3 + (x2 + x1))); ++ x52 = (x8 + (x7 + (x6 + x5))); ++ x53 = (x12 + (x11 + (x10 + x9))); ++ x54 = (x16 + (x15 + (x14 + x13))); ++ x55 = (x20 + (x19 + (x18 + x17))); ++ x56 = (x24 + (x23 + (x22 + x21))); ++ x57 = (x28 + (x27 + (x26 + x25))); ++ x58 = (x32 + (x31 + (x30 + x29))); ++ x59 = (x36 + (x35 + (x34 + x33))); ++ x60 = (x40 + (x39 + (x38 + x37))); ++ x61 = (x44 + (x43 + (x42 + x41))); ++ x62 = (x61 & UINT32_C(0xffffffff)); ++ x63 = (x60 & UINT32_C(0xffffffff)); ++ x64 = (x59 & UINT32_C(0xffffffff)); ++ x65 = (x58 & UINT32_C(0xffffffff)); ++ x66 = (x57 & UINT32_C(0xffffffff)); ++ x67 = (x56 & UINT32_C(0xffffffff)); ++ x68 = (x55 & UINT32_C(0xffffffff)); ++ x69 = (x54 & UINT32_C(0xffffffff)); ++ x70 = (x53 & UINT32_C(0xffffffff)); ++ x71 = (x52 & UINT32_C(0xffffffff)); ++ out1[0] = x50; ++ out1[1] = x62; ++ out1[2] = x63; ++ out1[3] = x64; ++ out1[4] = x65; ++ out1[5] = x66; ++ out1[6] = x67; ++ out1[7] = x68; ++ out1[8] = x69; ++ out1[9] = x70; ++ out1[10] = x71; ++ out1[11] = x51; ++} ++ ++/* END verbatim fiat code */ ++ ++/*- ++ * Finite field inversion via FLT. ++ * NB: this is not a real Fiat function, just named that way for consistency. ++ * Autogenerated: ecp/secp384r1/fe_inv.op3 ++ * custom repunit addition chain ++ */ ++static void ++fiat_secp384r1_inv(fe_t output, const fe_t t1) ++{ ++ int i; ++ /* temporary variables */ ++ fe_t acc, t10, t170, t2, t20, t255, t30, t32, t4, t64, t8, t84, t85; ++ ++ fiat_secp384r1_square(acc, t1); ++ fiat_secp384r1_mul(t2, acc, t1); ++ fiat_secp384r1_square(acc, t2); ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t4, acc, t2); ++ fiat_secp384r1_square(acc, t4); ++ for (i = 0; i < 3; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t8, acc, t4); ++ fiat_secp384r1_square(acc, t8); ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t10, acc, t2); ++ fiat_secp384r1_square(acc, t10); ++ for (i = 0; i < 9; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t20, acc, t10); ++ fiat_secp384r1_square(acc, t20); ++ for (i = 0; i < 9; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t30, acc, t10); ++ fiat_secp384r1_square(acc, t30); ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t32, acc, t2); ++ fiat_secp384r1_square(acc, t32); ++ for (i = 0; i < 31; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t64, acc, t32); ++ fiat_secp384r1_square(acc, t64); ++ for (i = 0; i < 19; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t84, acc, t20); ++ fiat_secp384r1_square(acc, t84); ++ fiat_secp384r1_mul(t85, acc, t1); ++ fiat_secp384r1_square(acc, t85); ++ for (i = 0; i < 84; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t170, acc, t85); ++ fiat_secp384r1_square(acc, t170); ++ for (i = 0; i < 84; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(t255, acc, t85); ++ fiat_secp384r1_square(acc, t255); ++ for (i = 0; i < 32; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(acc, acc, t32); ++ for (i = 0; i < 94; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(acc, acc, t30); ++ for (i = 0; i < 2; i++) ++ fiat_secp384r1_square(acc, acc); ++ fiat_secp384r1_mul(output, acc, t1); ++} ++ ++/* curve coefficient constants */ ++ ++static const limb_t const_one[12] = { ++ UINT32_C(0x00000001), UINT32_C(0xFFFFFFFF), UINT32_C(0xFFFFFFFF), ++ UINT32_C(0x00000000), UINT32_C(0x00000001), UINT32_C(0x00000000), ++ UINT32_C(0x00000000), UINT32_C(0x00000000), UINT32_C(0x00000000), ++ UINT32_C(0x00000000), UINT32_C(0x00000000), UINT32_C(0x00000000) ++}; ++ ++static const limb_t const_b[12] = { ++ UINT32_C(0x9D412DCC), UINT32_C(0x08118871), UINT32_C(0x7A4C32EC), ++ UINT32_C(0xF729ADD8), UINT32_C(0x1920022E), UINT32_C(0x77F2209B), ++ UINT32_C(0x94938AE2), UINT32_C(0xE3374BEE), UINT32_C(0x1F022094), ++ UINT32_C(0xB62B21F4), UINT32_C(0x604FBFF9), UINT32_C(0xCD08114B) ++}; ++ ++/* LUT for scalar multiplication by comb interleaving */ ++static const pt_aff_t lut_cmb[21][16] = { ++ { ++ { { UINT32_C(0x49C0B528), UINT32_C(0x3DD07566), UINT32_C(0xA0D6CE38), ++ UINT32_C(0x20E378E2), UINT32_C(0x541B4D6E), UINT32_C(0x879C3AFC), ++ UINT32_C(0x59A30EFF), UINT32_C(0x64548684), UINT32_C(0x614EDE2B), ++ UINT32_C(0x812FF723), UINT32_C(0x299E1513), UINT32_C(0x4D3AADC2) }, ++ { UINT32_C(0x4B03A4FE), UINT32_C(0x23043DAD), UINT32_C(0x7BB4A9AC), ++ UINT32_C(0xA1BFA8BF), UINT32_C(0x2E83B050), UINT32_C(0x8BADE756), ++ UINT32_C(0x68F4FFD9), UINT32_C(0xC6C35219), UINT32_C(0x3969A840), ++ UINT32_C(0xDD800226), UINT32_C(0x5A15C5E9), UINT32_C(0x2B78ABC2) } }, ++ { { UINT32_C(0xC1DC4073), UINT32_C(0x05E4DBE6), UINT32_C(0xF04F779C), ++ UINT32_C(0xC54EA9FF), UINT32_C(0xA170CCF0), UINT32_C(0x6B2034E9), ++ UINT32_C(0xD51C6C3E), UINT32_C(0x3A48D732), UINT32_C(0x263AA470), ++ UINT32_C(0xE36F7E2D), UINT32_C(0xE7C1C3AC), UINT32_C(0xD283FE68) }, ++ { UINT32_C(0xC04EE157), UINT32_C(0x7E284821), UINT32_C(0x7AE0E36D), ++ UINT32_C(0x92D789A7), UINT32_C(0x4EF67446), UINT32_C(0x132663C0), ++ UINT32_C(0xD2E1D0B4), UINT32_C(0x68012D5A), UINT32_C(0x5102B339), ++ UINT32_C(0xF6DB68B1), UINT32_C(0x983292AF), UINT32_C(0x465465FC) } }, ++ { { UINT32_C(0x68F1F0DF), UINT32_C(0xBB595EBA), UINT32_C(0xCC873466), ++ UINT32_C(0xC185C0CB), UINT32_C(0x293C703B), UINT32_C(0x7F1EB1B5), ++ UINT32_C(0xAACC05E6), UINT32_C(0x60DB2CF5), UINT32_C(0xE2E8E4C6), ++ UINT32_C(0xC676B987), UINT32_C(0x1D178FFB), UINT32_C(0xE1BB26B1) }, ++ { UINT32_C(0x7073FA21), UINT32_C(0x2B694BA0), UINT32_C(0x72F34566), ++ UINT32_C(0x22C16E2E), UINT32_C(0x01C35B99), UINT32_C(0x80B61B31), ++ UINT32_C(0x982C0411), UINT32_C(0x4B237FAF), UINT32_C(0x24DE236D), ++ UINT32_C(0xE6C59440), UINT32_C(0xE209E4A3), UINT32_C(0x4DB1C9D6) } }, ++ { { UINT32_C(0x7D69222B), UINT32_C(0xDF13B9D1), UINT32_C(0x874774B1), ++ UINT32_C(0x4CE6415F), UINT32_C(0x211FAA95), UINT32_C(0x731EDCF8), ++ UINT32_C(0x659753ED), UINT32_C(0x5F4215D1), UINT32_C(0x9DB2DF55), ++ UINT32_C(0xF893DB58), UINT32_C(0x1C89025B), UINT32_C(0x932C9F81) }, ++ { UINT32_C(0x7706A61E), UINT32_C(0x0996B220), UINT32_C(0xA8641C79), ++ UINT32_C(0x135349D5), UINT32_C(0x50130844), UINT32_C(0x65AAD76F), ++ UINT32_C(0x01FFF780), UINT32_C(0x0FF37C04), UINT32_C(0x693B0706), ++ UINT32_C(0xF57F238E), UINT32_C(0xAF6C9B3E), UINT32_C(0xD90A16B6) } }, ++ { { UINT32_C(0x2353B92F), UINT32_C(0x2F5D200E), UINT32_C(0x3FD7E4F9), ++ UINT32_C(0xE35D8729), UINT32_C(0xA96D745D), UINT32_C(0x26094833), ++ UINT32_C(0x3CBFFF3F), UINT32_C(0xDC351DC1), UINT32_C(0xDAD54D6A), ++ UINT32_C(0x26D464C6), UINT32_C(0x53636C6A), UINT32_C(0x5CAB1D1D) }, ++ { UINT32_C(0xB18EC0B0), UINT32_C(0xF2813072), UINT32_C(0xD742AA2F), ++ UINT32_C(0x3777E270), UINT32_C(0x033CA7C2), UINT32_C(0x27F061C7), ++ UINT32_C(0x68EAD0D8), UINT32_C(0xA6ECACCC), UINT32_C(0xEE69A754), ++ UINT32_C(0x7D9429F4), UINT32_C(0x31E8F5C6), UINT32_C(0xE7706334) } }, ++ { { UINT32_C(0xB68B8C7D), UINT32_C(0xC7708B19), UINT32_C(0x44377ABA), ++ UINT32_C(0x4532077C), UINT32_C(0x6CDAD64F), UINT32_C(0x0DCC6770), ++ UINT32_C(0x147B6602), UINT32_C(0x01B8BF56), UINT32_C(0xF0561D79), ++ UINT32_C(0xF8D89885), UINT32_C(0x7BA9C437), UINT32_C(0x9C19E9FC) }, ++ { UINT32_C(0xBDC4BA25), UINT32_C(0x764EB146), UINT32_C(0xAC144B83), ++ UINT32_C(0x604FE46B), UINT32_C(0x8A77E780), UINT32_C(0x3CE81329), ++ UINT32_C(0xFE9E682E), UINT32_C(0x2E070F36), UINT32_C(0x3A53287A), ++ UINT32_C(0x41821D0C), UINT32_C(0x3533F918), UINT32_C(0x9AA62F9F) } }, ++ { { UINT32_C(0x75CCBDFB), UINT32_C(0x9B7AEB7E), UINT32_C(0xF6749A95), ++ UINT32_C(0xB25E28C5), UINT32_C(0x33B7D4AE), UINT32_C(0x8A7A8E46), ++ UINT32_C(0xD9C1BD56), UINT32_C(0xDB5203A8), UINT32_C(0xED22DF97), ++ UINT32_C(0xD2657265), UINT32_C(0x8CF23C94), UINT32_C(0xB51C56E1) }, ++ { UINT32_C(0x6C3D812D), UINT32_C(0xF4D39459), UINT32_C(0x87CAE0C2), ++ UINT32_C(0xD8E88F1A), UINT32_C(0xCF4D0FE3), UINT32_C(0x789A2A48), ++ UINT32_C(0xFEC38D60), UINT32_C(0xB7FEAC2D), UINT32_C(0x3B490EC3), ++ UINT32_C(0x81FDBD1C), UINT32_C(0xCC6979E1), UINT32_C(0x4617ADB7) } }, ++ { { UINT32_C(0x4709F4A9), UINT32_C(0x446AD888), UINT32_C(0xEC3DABD8), ++ UINT32_C(0x2B7210E2), UINT32_C(0x50E07B34), UINT32_C(0x83CCF195), ++ UINT32_C(0x789B3075), UINT32_C(0x59500917), UINT32_C(0xEB085993), ++ UINT32_C(0x0FC01FD4), UINT32_C(0x4903026B), UINT32_C(0xFB62D26F) }, ++ { UINT32_C(0x6FE989BB), UINT32_C(0x2309CC9D), UINT32_C(0x144BD586), ++ UINT32_C(0x61609CBD), UINT32_C(0xDE06610C), UINT32_C(0x4B23D3A0), ++ UINT32_C(0xD898F470), UINT32_C(0xDDDC2866), UINT32_C(0x400C5797), ++ UINT32_C(0x8733FC41), UINT32_C(0xD0BC2716), UINT32_C(0x5A68C6FE) } }, ++ { { UINT32_C(0x4B4A3CD0), UINT32_C(0x8903E130), UINT32_C(0x8FF1F43E), ++ UINT32_C(0x3EA4EA4C), UINT32_C(0xF655A10D), UINT32_C(0xE6FC3F2A), ++ UINT32_C(0x524FFEFC), UINT32_C(0x7BE3737D), UINT32_C(0x5330455E), ++ UINT32_C(0x9F692855), UINT32_C(0xE475CE70), UINT32_C(0x524F166E) }, ++ { UINT32_C(0x6C12F055), UINT32_C(0x3FCC69CD), UINT32_C(0xD5B9C0DA), ++ UINT32_C(0x4E23B6FF), UINT32_C(0x336BF183), UINT32_C(0x49CE6993), ++ UINT32_C(0x4A54504A), UINT32_C(0xF87D6D85), UINT32_C(0xB3C2677A), ++ UINT32_C(0x25EB5DF1), UINT32_C(0x55B164C9), UINT32_C(0xAC37986F) } }, ++ { { UINT32_C(0xBAA84C08), UINT32_C(0x82A2ED4A), UINT32_C(0x41A8C912), ++ UINT32_C(0x22C4CC5F), UINT32_C(0x154AAD5E), UINT32_C(0xCA109C3B), ++ UINT32_C(0xFC38538E), UINT32_C(0x23891298), UINT32_C(0x539802AE), ++ UINT32_C(0xB3B6639C), UINT32_C(0x0390D706), UINT32_C(0xFA0F1F45) }, ++ { UINT32_C(0xB0DC21D0), UINT32_C(0x46B78E5D), UINT32_C(0xC3DA2EAC), ++ UINT32_C(0xA8C72D3C), UINT32_C(0x6FF2F643), UINT32_C(0x9170B378), ++ UINT32_C(0xB67F30C3), UINT32_C(0x3F5A799B), UINT32_C(0x8264B672), ++ UINT32_C(0x15D1DC77), UINT32_C(0xE9577764), UINT32_C(0xA1D47B23) } }, ++ { { UINT32_C(0x0422CE2F), UINT32_C(0x08265E51), UINT32_C(0xDD2F9E21), ++ UINT32_C(0x88E0D496), UINT32_C(0x6177F75D), UINT32_C(0x30128AA0), ++ UINT32_C(0xBD9EBE69), UINT32_C(0x2E59AB62), UINT32_C(0x5DF0E537), ++ UINT32_C(0x1B1A0F6C), UINT32_C(0xDAC012B5), UINT32_C(0xAB16C626) }, ++ { UINT32_C(0x008C5DE7), UINT32_C(0x8014214B), UINT32_C(0x38F17BEA), ++ UINT32_C(0xAA740A9E), UINT32_C(0x8A149098), UINT32_C(0x262EBB49), ++ UINT32_C(0x8527CD59), UINT32_C(0xB454111E), UINT32_C(0xACEA5817), ++ UINT32_C(0x266AD15A), UINT32_C(0x1353CCBA), UINT32_C(0x21824F41) } }, ++ { { UINT32_C(0x12E3683B), UINT32_C(0xD1B4E74D), UINT32_C(0x569B8EF6), ++ UINT32_C(0x990ED20B), UINT32_C(0x429C0A18), UINT32_C(0xB9D3DD25), ++ UINT32_C(0x2A351783), UINT32_C(0x1C75B8AB), UINT32_C(0x905432F0), ++ UINT32_C(0x61E4CA2B), UINT32_C(0xEEA8F224), UINT32_C(0x80826A69) }, ++ { UINT32_C(0xEC52ABAD), UINT32_C(0x7FC33A6B), UINT32_C(0xA65E4813), ++ UINT32_C(0x0BCCA3F0), UINT32_C(0xA527CEBE), UINT32_C(0x7AD8A132), ++ UINT32_C(0xEAF22C7E), UINT32_C(0xF0138950), UINT32_C(0x566718C1), ++ UINT32_C(0x282D2437), UINT32_C(0xE2212559), UINT32_C(0x9DFCCB0D) } }, ++ { { UINT32_C(0x58CE3B83), UINT32_C(0x1E937227), UINT32_C(0x3CB3FB36), ++ UINT32_C(0xBB280DFA), UINT32_C(0xE2BE174A), UINT32_C(0x57D0F3D2), ++ UINT32_C(0x208ABE1E), UINT32_C(0x9BD51B99), UINT32_C(0xDE248024), ++ UINT32_C(0x3809AB50), UINT32_C(0xA5BB7331), UINT32_C(0xC29C6E2C) }, ++ { UINT32_C(0x61124F05), UINT32_C(0x9944FD2E), UINT32_C(0x9009E391), ++ UINT32_C(0x83CCBC4E), UINT32_C(0x9424A3CC), UINT32_C(0x01628F05), ++ UINT32_C(0xEA8E4344), UINT32_C(0xD6A2F51D), UINT32_C(0x4CEBC96E), ++ UINT32_C(0xDA3E1A3D), UINT32_C(0xE97809DC), UINT32_C(0x1FE6FB42) } }, ++ { { UINT32_C(0x467D66E4), UINT32_C(0xA04482D2), UINT32_C(0x4D78291D), ++ UINT32_C(0xCF191293), UINT32_C(0x482396F9), UINT32_C(0x8E0D4168), ++ UINT32_C(0xD18F14D0), UINT32_C(0x7228E2D5), UINT32_C(0x9C6A58FE), ++ UINT32_C(0x2F7E8D50), UINT32_C(0x373E5AEC), UINT32_C(0xE8CA780E) }, ++ { UINT32_C(0x1B68E9F8), UINT32_C(0x42AAD1D6), UINT32_C(0x69E2F8F4), ++ UINT32_C(0x58A6D7F5), UINT32_C(0x31DA1BEA), UINT32_C(0xD779ADFE), ++ UINT32_C(0x38C85A85), UINT32_C(0x7D265406), UINT32_C(0xD44D3CDF), ++ UINT32_C(0x67E67195), UINT32_C(0xC5134ED7), UINT32_C(0x17820A0B) } }, ++ { { UINT32_C(0xD3021470), UINT32_C(0x019D6AC5), UINT32_C(0x780443D6), ++ UINT32_C(0x25846B66), UINT32_C(0x55C97647), UINT32_C(0xCE3C15ED), ++ UINT32_C(0x0E3FEB0F), UINT32_C(0x3DC22D49), UINT32_C(0xA7DF26E4), ++ UINT32_C(0x2065B7CB), UINT32_C(0x187CEA1F), UINT32_C(0xC8B00AE8) }, ++ { UINT32_C(0x865DDED3), UINT32_C(0x1A5284A0), UINT32_C(0x20C83DE2), ++ UINT32_C(0x293C1649), UINT32_C(0xCCE851B3), UINT32_C(0xAB178D26), ++ UINT32_C(0x404505FB), UINT32_C(0x8E6DB10B), UINT32_C(0x90C82033), ++ UINT32_C(0xF6F57E71), UINT32_C(0x5977F16C), UINT32_C(0x1D2A1C01) } }, ++ { { UINT32_C(0x7C8906A4), UINT32_C(0xA39C8931), UINT32_C(0x9E821EE6), ++ UINT32_C(0xB6E7ECDD), UINT32_C(0xF0DF4FE6), UINT32_C(0x2ECF8340), ++ UINT32_C(0x53C14965), UINT32_C(0xD42F7DC9), UINT32_C(0xE3BA8285), ++ UINT32_C(0x1AFB51A3), UINT32_C(0x0A3305D1), UINT32_C(0x6C07C404) }, ++ { UINT32_C(0x127FC1DA), UINT32_C(0xDAB83288), UINT32_C(0x374C4B08), ++ UINT32_C(0xBC0A699B), UINT32_C(0x42EB20DD), UINT32_C(0x402A9BAB), ++ UINT32_C(0x045A7A1C), UINT32_C(0xD7DD464F), UINT32_C(0x36BEECC4), ++ UINT32_C(0x5B3D0D6D), UINT32_C(0x6398A19D), UINT32_C(0x475A3E75) } }, ++ }, ++ { ++ { { UINT32_C(0x72876AE8), UINT32_C(0x31BDB483), UINT32_C(0x961ED1BF), ++ UINT32_C(0xE3325D98), UINT32_C(0x9B6FC64D), UINT32_C(0x18C04246), ++ UINT32_C(0x15786B8C), UINT32_C(0x0DCC15FA), UINT32_C(0x8E63DA4A), ++ UINT32_C(0x81ACDB06), UINT32_C(0xDADA70FB), UINT32_C(0xD3A4B643) }, ++ { UINT32_C(0xDEA424EB), UINT32_C(0x46361AFE), UINT32_C(0x89B92970), ++ UINT32_C(0xDC2D2CAE), UINT32_C(0x615694E6), UINT32_C(0xF389B61B), ++ UINT32_C(0x872951D2), UINT32_C(0x7036DEF1), UINT32_C(0xD93BADC7), ++ UINT32_C(0x40FD3BDA), UINT32_C(0x380A68D3), UINT32_C(0x45AB6321) } }, ++ { { UINT32_C(0x81A2703A), UINT32_C(0x23C1F744), UINT32_C(0xB9859136), ++ UINT32_C(0x1A5D075C), UINT32_C(0x5AFD1BFD), UINT32_C(0xA4F82C9D), ++ UINT32_C(0xF89D76FE), UINT32_C(0xA3D1E9A4), UINT32_C(0x75702F80), ++ UINT32_C(0x964F7050), UINT32_C(0xF56C089D), UINT32_C(0x182BF349) }, ++ { UINT32_C(0xBE0DA6E1), UINT32_C(0xE205FA8F), UINT32_C(0x0A40F8F3), ++ UINT32_C(0x32905EB9), UINT32_C(0x356D4395), UINT32_C(0x331A1004), ++ UINT32_C(0xFDBBDFDE), UINT32_C(0x58B78901), UINT32_C(0x9BA00E71), ++ UINT32_C(0xA52A1597), UINT32_C(0x55497A30), UINT32_C(0xE0092E1F) } }, ++ { { UINT32_C(0x70EE8F39), UINT32_C(0x5562A856), UINT32_C(0x64E52A9C), ++ UINT32_C(0x86B0C117), UINT32_C(0x09C75B8C), UINT32_C(0xC19F3174), ++ UINT32_C(0x24923F80), UINT32_C(0x21C7CC31), UINT32_C(0x8F5B291E), ++ UINT32_C(0xE63FE47F), UINT32_C(0x0DC08B05), UINT32_C(0x3D6D3C05) }, ++ { UINT32_C(0xEE0C39A1), UINT32_C(0x58AE455E), UINT32_C(0x0AD97942), ++ UINT32_C(0x78BEA431), UINT32_C(0x3EE3989C), UINT32_C(0x42C7C97F), ++ UINT32_C(0xF38759AE), UINT32_C(0xC1B03AF5), UINT32_C(0xBCF46899), ++ UINT32_C(0x1A673C75), UINT32_C(0x8D508C7D), UINT32_C(0x4831B7D3) } }, ++ { { UINT32_C(0xC552E354), UINT32_C(0x76512D1B), UINT32_C(0x273020FD), ++ UINT32_C(0x2B7EB6DF), UINT32_C(0x025A5F25), UINT32_C(0xD1C73AA8), ++ UINT32_C(0x5CBD2A40), UINT32_C(0x2ABA1929), UINT32_C(0xC88D61C6), ++ UINT32_C(0xB53CADC3), UINT32_C(0x098290F3), UINT32_C(0x7E66A95E) }, ++ { UINT32_C(0xAF4C5073), UINT32_C(0x72800ECB), UINT32_C(0x9DC63FAF), ++ UINT32_C(0x81F2725E), UINT32_C(0x282BA9D1), UINT32_C(0x14BF92A7), ++ UINT32_C(0xBD5F1BB2), UINT32_C(0x90629672), UINT32_C(0xA97C6C96), ++ UINT32_C(0x362F68EB), UINT32_C(0x7EA9D601), UINT32_C(0xB1D3BB8B) } }, ++ { { UINT32_C(0xA9C94429), UINT32_C(0x73878F7F), UINT32_C(0x456CA6D8), ++ UINT32_C(0xB35C3BC8), UINT32_C(0xF721923A), UINT32_C(0xD96F0B3C), ++ UINT32_C(0xE6D44FA1), UINT32_C(0x28D8F06C), UINT32_C(0xD5CD671A), ++ UINT32_C(0x94EFDCDC), UINT32_C(0x3F97D481), UINT32_C(0x0299AB93) }, ++ { UINT32_C(0x2FD1D324), UINT32_C(0xB7CED6EA), UINT32_C(0x7E932EC2), ++ UINT32_C(0xBD683208), UINT32_C(0xCB755A6E), UINT32_C(0x24ED31FB), ++ UINT32_C(0xE48781D2), UINT32_C(0xA636098E), UINT32_C(0xF0A4F297), ++ UINT32_C(0x8687C63C), UINT32_C(0x07478526), UINT32_C(0xBB523440) } }, ++ { { UINT32_C(0x34124B56), UINT32_C(0x2E5F7419), UINT32_C(0x4B3F02CA), ++ UINT32_C(0x1F223AE1), UINT32_C(0xE8336C7E), UINT32_C(0x6345B427), ++ UINT32_C(0xF5D0E3D0), UINT32_C(0x92123E16), UINT32_C(0x45E79F3A), ++ UINT32_C(0xDAF0D14D), UINT32_C(0x6F3BD0C6), UINT32_C(0x6ACA6765) }, ++ { UINT32_C(0x403813F4), UINT32_C(0xF6169FAB), UINT32_C(0x334A4C59), ++ UINT32_C(0x31DC39C0), UINT32_C(0xD589866D), UINT32_C(0x74C46753), ++ UINT32_C(0x984C6A5D), UINT32_C(0x5741511D), UINT32_C(0x97FED2D3), ++ UINT32_C(0xF2631287), UINT32_C(0x11614886), UINT32_C(0x5687CA1B) } }, ++ { { UINT32_C(0x33836D4B), UINT32_C(0x076D902A), UINT32_C(0x24AFB557), ++ UINT32_C(0xEC6C5C43), UINT32_C(0xA0516A0F), UINT32_C(0xA0FE2D1C), ++ UINT32_C(0x00D22ECC), UINT32_C(0x6FB8D737), UINT32_C(0xDAF1D7B3), ++ UINT32_C(0xF1DE9077), UINT32_C(0xD4C0C1EB), UINT32_C(0xE4695F77) }, ++ { UINT32_C(0xB4375573), UINT32_C(0x5F0FD8A8), UINT32_C(0x5E50944F), ++ UINT32_C(0x76238359), UINT32_C(0x635CD76F), UINT32_C(0x65EA2F28), ++ UINT32_C(0x25FDE7B0), UINT32_C(0x08547769), UINT32_C(0x51944304), ++ UINT32_C(0xB2345A2E), UINT32_C(0xA16C980D), UINT32_C(0x86EFA2F7) } }, ++ { { UINT32_C(0xBF4D1D63), UINT32_C(0x4CCBE2D0), UINT32_C(0x397366D5), ++ UINT32_C(0x32E33401), UINT32_C(0x71BDA2CE), UINT32_C(0xC83AFDDE), ++ UINT32_C(0x478ED9E6), UINT32_C(0x8DACE2AC), UINT32_C(0x763FDD9E), ++ UINT32_C(0x3AC6A559), UINT32_C(0xB398558F), UINT32_C(0x0FFDB04C) }, ++ { UINT32_C(0xAFB9D6B8), UINT32_C(0x6C1B99B2), UINT32_C(0x27F815DD), ++ UINT32_C(0x572BA39C), UINT32_C(0x0DBCF842), UINT32_C(0x9DE73EE7), ++ UINT32_C(0x29267B88), UINT32_C(0x2A3ED589), UINT32_C(0x15EBBBB3), ++ UINT32_C(0xD46A7FD3), UINT32_C(0xE29400C7), UINT32_C(0xD1D01863) } }, ++ { { UINT32_C(0xE1F89EC5), UINT32_C(0x8FB101D1), UINT32_C(0xF8508042), ++ UINT32_C(0xB87A1F53), UINT32_C(0x0ED7BEEF), UINT32_C(0x28C8DB24), ++ UINT32_C(0xACE8660A), UINT32_C(0x3940F845), UINT32_C(0xC6D453FD), ++ UINT32_C(0x4EACB619), UINT32_C(0x2BAD6160), UINT32_C(0x2E044C98) }, ++ { UINT32_C(0x80B16C02), UINT32_C(0x87928548), UINT32_C(0xC0A9EB64), ++ UINT32_C(0xF0D4BEB3), UINT32_C(0xC183C195), UINT32_C(0xD785B4AF), ++ UINT32_C(0x5E6C46EA), UINT32_C(0x23AAB0E6), UINT32_C(0xA930FECA), ++ UINT32_C(0x30F7E104), UINT32_C(0xD55C10FB), UINT32_C(0x6A1A7B8B) } }, ++ { { UINT32_C(0xDBFED1AA), UINT32_C(0xDA74EAEB), UINT32_C(0xDF0B025C), ++ UINT32_C(0xC8A59223), UINT32_C(0xD5B627F7), UINT32_C(0x7EF7DC85), ++ UINT32_C(0x197D7624), UINT32_C(0x02A13AE1), UINT32_C(0x2F785A9B), ++ UINT32_C(0x119E9BE1), UINT32_C(0x00D6B219), UINT32_C(0xC0B7572F) }, ++ { UINT32_C(0x6D4CAF30), UINT32_C(0x9B1E5126), UINT32_C(0x0A840BD1), ++ UINT32_C(0xA16A5117), UINT32_C(0x0E9CCF43), UINT32_C(0x5BE17B91), ++ UINT32_C(0x69CF2C9C), UINT32_C(0x5BDBEDDD), UINT32_C(0x4CF4F289), ++ UINT32_C(0x9FFBFBCF), UINT32_C(0x6C355CE9), UINT32_C(0xE1A62183) } }, ++ { { UINT32_C(0xA7B2FCCF), UINT32_C(0x056199D9), UINT32_C(0xCE1D784E), ++ UINT32_C(0x51F2E7B6), UINT32_C(0x339E2FF0), UINT32_C(0xA1D09C47), ++ UINT32_C(0xB836D0A9), UINT32_C(0xC8E64890), UINT32_C(0xC0D07EBE), ++ UINT32_C(0x2F781DCB), UINT32_C(0x3ACF934C), UINT32_C(0x5CF3C2AD) }, ++ { UINT32_C(0xA17E26AE), UINT32_C(0xE55DB190), UINT32_C(0x91245513), ++ UINT32_C(0xC9C61E1F), UINT32_C(0x61998C15), UINT32_C(0x83D7E6CF), ++ UINT32_C(0xE41D38E3), UINT32_C(0x4DB33C85), UINT32_C(0xC2FEE43D), ++ UINT32_C(0x74D5F91D), UINT32_C(0x36BBC826), UINT32_C(0x7EBBDB45) } }, ++ { { UINT32_C(0xCB655A9D), UINT32_C(0xE20EC7E9), UINT32_C(0x5C47D421), ++ UINT32_C(0x4977EB92), UINT32_C(0x3B9D72FA), UINT32_C(0xA237E12C), ++ UINT32_C(0xCBF7B145), UINT32_C(0xCAAEDBC1), UINT32_C(0x3B77AAA3), ++ UINT32_C(0x5200F5B2), UINT32_C(0xBDBE5380), UINT32_C(0x32EDED55) }, ++ { UINT32_C(0xE7C9B80A), UINT32_C(0x74E38A40), UINT32_C(0xAB6DE911), ++ UINT32_C(0x3A3F0CF8), UINT32_C(0xAD16AAF0), UINT32_C(0x56DCDD7A), ++ UINT32_C(0x8E861D5E), UINT32_C(0x3D292449), UINT32_C(0x985733E2), ++ UINT32_C(0xD6C61878), UINT32_C(0x6AA6CD5B), UINT32_C(0x2401FE7D) } }, ++ { { UINT32_C(0xB42E3686), UINT32_C(0xABB3DC75), UINT32_C(0xB4C57E61), ++ UINT32_C(0xAE712419), UINT32_C(0xB21B009B), UINT32_C(0x2C565F72), ++ UINT32_C(0x710C3699), UINT32_C(0xA5F1DA2E), UINT32_C(0xA5EBA59A), ++ UINT32_C(0x771099A0), UINT32_C(0xC10017A0), UINT32_C(0x4DA88F4A) }, ++ { UINT32_C(0x1927B56D), UINT32_C(0x987FFFD3), UINT32_C(0xC4E33478), ++ UINT32_C(0xB98CB8EC), UINT32_C(0xC2248166), UINT32_C(0xB224A971), ++ UINT32_C(0xDE1DC794), UINT32_C(0x5470F554), UINT32_C(0xE31FF983), ++ UINT32_C(0xD747CC24), UINT32_C(0xB5B22DAE), UINT32_C(0xB91745E9) } }, ++ { { UINT32_C(0x72F34420), UINT32_C(0x6CCBFED0), UINT32_C(0xA53039D2), ++ UINT32_C(0x95045E4D), UINT32_C(0x5A793944), UINT32_C(0x3B6C1154), ++ UINT32_C(0xDDB6B799), UINT32_C(0xAA114145), UINT32_C(0x252B7637), ++ UINT32_C(0xABC15CA4), UINT32_C(0xA5744634), UINT32_C(0x5745A35B) }, ++ { UINT32_C(0xDA596FC0), UINT32_C(0x05DC6BDE), UINT32_C(0xA8020881), ++ UINT32_C(0xCD52C18C), UINT32_C(0xD296BAD0), UINT32_C(0x03FA9F47), ++ UINT32_C(0x7268E139), UINT32_C(0xD8E2C129), UINT32_C(0x9EC450B0), ++ UINT32_C(0x58C1A98D), UINT32_C(0xDE48B20D), UINT32_C(0x909638DA) } }, ++ { { UINT32_C(0x9B7F8311), UINT32_C(0x7AFC30D4), UINT32_C(0x42368EA3), ++ UINT32_C(0x82A00422), UINT32_C(0x6F5F9865), UINT32_C(0xBFF95198), ++ UINT32_C(0xFC0A070F), UINT32_C(0x9B24F612), UINT32_C(0x620F489D), ++ UINT32_C(0x22C06CF2), UINT32_C(0x780F7DBB), UINT32_C(0x3C7ED052) }, ++ { UINT32_C(0x34DAFE9B), UINT32_C(0xDB87AB18), UINT32_C(0x9C4BBCA1), ++ UINT32_C(0x20C03B40), UINT32_C(0x59A42341), UINT32_C(0x5D718CF0), ++ UINT32_C(0x69E84538), UINT32_C(0x98631706), UINT32_C(0xD27D64E1), ++ UINT32_C(0x5557192B), UINT32_C(0xDA822766), UINT32_C(0x08B4EC52) } }, ++ { { UINT32_C(0xD66C1A59), UINT32_C(0xB2D986F6), UINT32_C(0x78E0E423), ++ UINT32_C(0x927DEB16), UINT32_C(0x49C3DEDC), UINT32_C(0x9E673CDE), ++ UINT32_C(0xF7ECB6CF), UINT32_C(0xFA362D84), UINT32_C(0x1BA17340), ++ UINT32_C(0x078E5F40), UINT32_C(0x1F4E489C), UINT32_C(0x934CA5D1) }, ++ { UINT32_C(0x64EEF493), UINT32_C(0xC03C0731), UINT32_C(0xD7931A7E), ++ UINT32_C(0x631A353B), UINT32_C(0x65DD74F1), UINT32_C(0x8E7CC3BB), ++ UINT32_C(0x702676A5), UINT32_C(0xD55864C5), UINT32_C(0x439F04BD), ++ UINT32_C(0x6D306AC4), UINT32_C(0x2BAFED57), UINT32_C(0x58544F67) } }, ++ }, ++ { ++ { { UINT32_C(0xEC074AEA), UINT32_C(0xB083BA6A), UINT32_C(0x7F0B505B), ++ UINT32_C(0x46FAC5EF), UINT32_C(0xFC82DC03), UINT32_C(0x95367A21), ++ UINT32_C(0x9D3679D8), UINT32_C(0x227BE26A), UINT32_C(0x7E9724C0), ++ UINT32_C(0xC70F6D6C), UINT32_C(0xF9EBEC0F), UINT32_C(0xCD68C757) }, ++ { UINT32_C(0x8FF321B2), UINT32_C(0x29DDE03E), UINT32_C(0x031939DC), ++ UINT32_C(0xF84AD7BB), UINT32_C(0x0F602F4B), UINT32_C(0xDAF590C9), ++ UINT32_C(0x49722BC4), UINT32_C(0x17C52888), UINT32_C(0x089B22B6), ++ UINT32_C(0xA8DF99F0), UINT32_C(0xE59B9B90), UINT32_C(0xC21BC5D4) } }, ++ { { UINT32_C(0x8A31973F), UINT32_C(0x4936C6A0), UINT32_C(0x83B8C205), ++ UINT32_C(0x54D442FA), UINT32_C(0x5714F2C6), UINT32_C(0x03AEE8B4), ++ UINT32_C(0x3F5AC25A), UINT32_C(0x139BD692), UINT32_C(0xB5B33794), ++ UINT32_C(0x6A2E42BA), UINT32_C(0x3FF7BBA9), UINT32_C(0x50FA1164) }, ++ { UINT32_C(0xF7E2C099), UINT32_C(0xB61D8643), UINT32_C(0xBD5C6637), ++ UINT32_C(0x2366C993), UINT32_C(0x72EB77FA), UINT32_C(0x62110E14), ++ UINT32_C(0x3B99C635), UINT32_C(0x3D5B96F1), UINT32_C(0xF674C9F2), ++ UINT32_C(0x956ECF64), UINT32_C(0xEF2BA250), UINT32_C(0xC56F7E51) } }, ++ { { UINT32_C(0xFF602C1B), UINT32_C(0x246FFCB6), UINT32_C(0x6E1258E0), ++ UINT32_C(0x1E1A1D74), UINT32_C(0x250E6676), UINT32_C(0xB4B43AE2), ++ UINT32_C(0x924CE5FA), UINT32_C(0x95C1B5F0), UINT32_C(0xEBD8C776), ++ UINT32_C(0x2555795B), UINT32_C(0xACD9D9D0), UINT32_C(0x4C1E03DC) }, ++ { UINT32_C(0x9CE90C61), UINT32_C(0xE1D74AA6), UINT32_C(0xA9C4B9F9), ++ UINT32_C(0xA88C0769), UINT32_C(0x95AF56DE), UINT32_C(0xDF74DF27), ++ UINT32_C(0xB331B6F4), UINT32_C(0x24B10C5F), UINT32_C(0x6559E137), ++ UINT32_C(0xB0A6DF9A), UINT32_C(0xC06637F2), UINT32_C(0x6ACC1B8F) } }, ++ { { UINT32_C(0x34B4E381), UINT32_C(0xBD8C0868), UINT32_C(0x30DFF271), ++ UINT32_C(0x278CACC7), UINT32_C(0x02459389), UINT32_C(0x87ED12DE), ++ UINT32_C(0xDEF840B6), UINT32_C(0x3F7D98FF), UINT32_C(0x5F0B56E1), ++ UINT32_C(0x71EEE0CB), UINT32_C(0xD8D9BE87), UINT32_C(0x462B5C9B) }, ++ { UINT32_C(0x98094C0F), UINT32_C(0xE6B50B5A), UINT32_C(0x508C67CE), ++ UINT32_C(0x26F3B274), UINT32_C(0x7CB1F992), UINT32_C(0x418B1BD1), ++ UINT32_C(0x4FF11827), UINT32_C(0x607818ED), UINT32_C(0x9B042C63), ++ UINT32_C(0xE630D93A), UINT32_C(0x8C779AE3), UINT32_C(0x38B9EFF3) } }, ++ { { UINT32_C(0x729C5431), UINT32_C(0xE8767D36), UINT32_C(0xBB94642C), ++ UINT32_C(0xA8BD07C0), UINT32_C(0x58F2E5B2), UINT32_C(0x0C11FC8E), ++ UINT32_C(0x547533FE), UINT32_C(0xD8912D48), UINT32_C(0x230D91FB), ++ UINT32_C(0xAAE14F5E), UINT32_C(0x676DFBA0), UINT32_C(0xC122051A) }, ++ { UINT32_C(0x5EA93078), UINT32_C(0x9ED4501F), UINT32_C(0xBD4BEE0A), ++ UINT32_C(0x2758515C), UINT32_C(0x94D21F52), UINT32_C(0x97733C6C), ++ UINT32_C(0x4AD306A2), UINT32_C(0x139BCD6D), UINT32_C(0x298123CC), ++ UINT32_C(0x0AAECBDC), UINT32_C(0x1CB7C7C9), UINT32_C(0x102B8A31) } }, ++ { { UINT32_C(0xFAF46675), UINT32_C(0x22A28E59), UINT32_C(0x10A31E7D), ++ UINT32_C(0x10757308), UINT32_C(0x2B4C2F4F), UINT32_C(0xC7EEAC84), ++ UINT32_C(0xB5EF5184), UINT32_C(0xBA370148), UINT32_C(0x8732E055), ++ UINT32_C(0x4A5A2866), UINT32_C(0xB887C36F), UINT32_C(0x14B8DCDC) }, ++ { UINT32_C(0x433F093D), UINT32_C(0xDBA8C85C), UINT32_C(0x1C9A201C), ++ UINT32_C(0x73DF549D), UINT32_C(0x70F927D8), UINT32_C(0x69AA0D7B), ++ UINT32_C(0xD7D2493A), UINT32_C(0xFA3A8685), UINT32_C(0x0A7F4013), ++ UINT32_C(0x6F48A255), UINT32_C(0xDD393067), UINT32_C(0xD20C8BF9) } }, ++ { { UINT32_C(0x81625E78), UINT32_C(0x4EC874EA), UINT32_C(0x3FBE9267), ++ UINT32_C(0x8B8D8B5A), UINT32_C(0x9421EC2F), UINT32_C(0xA3D9D164), ++ UINT32_C(0x880EA295), UINT32_C(0x490E92D9), UINT32_C(0xD8F3B6DA), ++ UINT32_C(0x745D1EDC), UINT32_C(0x8F18BA03), UINT32_C(0x0116628B) }, ++ { UINT32_C(0x834EADCE), UINT32_C(0x0FF6BCE0), UINT32_C(0x000827F7), ++ UINT32_C(0x464697F2), UINT32_C(0x498D724E), UINT32_C(0x08DCCF84), ++ UINT32_C(0x1E88304C), UINT32_C(0x7896D365), UINT32_C(0x135E3622), ++ UINT32_C(0xE63EBCCE), UINT32_C(0xDC007521), UINT32_C(0xFB942E8E) } }, ++ { { UINT32_C(0xA3688621), UINT32_C(0xBB155A66), UINT32_C(0xF91B52A3), ++ UINT32_C(0xED2FD7CD), UINT32_C(0xEA20CB88), UINT32_C(0x52798F5D), ++ UINT32_C(0x373F7DD8), UINT32_C(0x069CE105), UINT32_C(0x8CA78F6B), ++ UINT32_C(0xF9392EC7), UINT32_C(0x6B335169), UINT32_C(0xB3013E25) }, ++ { UINT32_C(0x6B11715C), UINT32_C(0x1D92F800), UINT32_C(0xFF9DC464), ++ UINT32_C(0xADD4050E), UINT32_C(0x8465B84A), UINT32_C(0x2AC22659), ++ UINT32_C(0x465B2BD6), UINT32_C(0x2729D646), UINT32_C(0xE4EFF9DD), ++ UINT32_C(0x6202344A), UINT32_C(0xCD9B90B9), UINT32_C(0x51F3198F) } }, ++ { { UINT32_C(0xE5F0AE1D), UINT32_C(0x17CE54EF), UINT32_C(0xB09852AF), ++ UINT32_C(0x984E8204), UINT32_C(0xC4B27A71), UINT32_C(0x3365B37A), ++ UINT32_C(0xA00E0A9C), UINT32_C(0x720E3152), UINT32_C(0x925BD606), ++ UINT32_C(0x3692F70D), UINT32_C(0x7BC7E9AB), UINT32_C(0xBE6E699D) }, ++ { UINT32_C(0x4C89A3C0), UINT32_C(0xD75C041F), UINT32_C(0x8DC100C0), ++ UINT32_C(0x8B9F592D), UINT32_C(0xAD228F71), UINT32_C(0x30750F3A), ++ UINT32_C(0xE8B17A11), UINT32_C(0x1B9ECF84), UINT32_C(0x0FBFA8A2), ++ UINT32_C(0xDF202562), UINT32_C(0xAA1B6D67), UINT32_C(0x45C811FC) } }, ++ { { UINT32_C(0x1A5151F8), UINT32_C(0xEC5B84B7), UINT32_C(0x550AB2D2), ++ UINT32_C(0x118E59E8), UINT32_C(0x049BD735), UINT32_C(0x2CCDEDA4), ++ UINT32_C(0x9CD62F0F), UINT32_C(0xC99CBA71), UINT32_C(0x62C9E4F8), ++ UINT32_C(0x69B8040A), UINT32_C(0x110B8283), UINT32_C(0x16F1A31A) }, ++ { UINT32_C(0x98E908A3), UINT32_C(0x53F63802), UINT32_C(0xD862F9DE), ++ UINT32_C(0x308CB6EF), UINT32_C(0xA521A95A), UINT32_C(0xE185DAD8), ++ UINT32_C(0x097F75CA), UINT32_C(0x4D8FE9A4), UINT32_C(0x1CA07D53), ++ UINT32_C(0xD1ECCEC7), UINT32_C(0x0DB07E83), UINT32_C(0x13DFA1DC) } }, ++ { { UINT32_C(0x0F591A76), UINT32_C(0xDDAF9DC6), UINT32_C(0x1685F412), ++ UINT32_C(0xE1A6D7CC), UINT32_C(0x002B6E8D), UINT32_C(0x153DE557), ++ UINT32_C(0xC6DA37D9), UINT32_C(0x730C38BC), UINT32_C(0x0914B597), ++ UINT32_C(0xAE180622), UINT32_C(0xDD8C3A0A), UINT32_C(0x84F98103) }, ++ { UINT32_C(0x8DA205B0), UINT32_C(0x369C5398), UINT32_C(0x3888A720), ++ UINT32_C(0xA3D95B81), UINT32_C(0xE10E2806), UINT32_C(0x1F3F8BBF), ++ UINT32_C(0x4530D1F3), UINT32_C(0x48663DF5), UINT32_C(0x3E377713), ++ UINT32_C(0x320523B4), UINT32_C(0xC7894814), UINT32_C(0xE8B1A575) } }, ++ { { UINT32_C(0x2EE8EA07), UINT32_C(0x33066871), UINT32_C(0x60DA199D), ++ UINT32_C(0xC6FB4EC5), UINT32_C(0xF4370A05), UINT32_C(0x33231860), ++ UINT32_C(0xC6DE4E26), UINT32_C(0x7ABECE72), UINT32_C(0xEBDECE7A), ++ UINT32_C(0xDE8D4BD8), UINT32_C(0x1CBE93C7), UINT32_C(0xC90EE657) }, ++ { UINT32_C(0x85AC2509), UINT32_C(0x0246751B), UINT32_C(0x30380245), ++ UINT32_C(0xD0EF142C), UINT32_C(0x7C76E39C), UINT32_C(0x086DF9C4), ++ UINT32_C(0xB789FB56), UINT32_C(0x68F1304F), UINT32_C(0xA5E4BD56), ++ UINT32_C(0x23E4CB98), UINT32_C(0x64663DCA), UINT32_C(0x69A4C63C) } }, ++ { { UINT32_C(0x7CB34E63), UINT32_C(0x6C72B6AF), UINT32_C(0x6DFC23FE), ++ UINT32_C(0x073C40CD), UINT32_C(0xC936693A), UINT32_C(0xBDEEE7A1), ++ UINT32_C(0x6EFAD378), UINT32_C(0xBC858E80), UINT32_C(0xF5BE55D4), ++ UINT32_C(0xEAD719FF), UINT32_C(0x04552F5F), UINT32_C(0xC8C3238F) }, ++ { UINT32_C(0x928D5784), UINT32_C(0x0952C068), UINT32_C(0x94C58F2B), ++ UINT32_C(0x89DFDF22), UINT32_C(0x67502C50), UINT32_C(0x332DEDF3), ++ UINT32_C(0xAC0BE258), UINT32_C(0x3ED2FA3A), UINT32_C(0x7C5C8244), ++ UINT32_C(0xAEDC9B8A), UINT32_C(0xDC0EA34F), UINT32_C(0x43A761B9) } }, ++ { { UINT32_C(0xCC5E21A5), UINT32_C(0x8FD683A2), UINT32_C(0xFBA2BB68), ++ UINT32_C(0x5F444C6E), UINT32_C(0xAF05586D), UINT32_C(0x709ACD0E), ++ UINT32_C(0xDE8FB348), UINT32_C(0x8EFA54D2), UINT32_C(0x34CFE29E), ++ UINT32_C(0x35276B71), UINT32_C(0x941EAC8C), UINT32_C(0x77A06FCD) }, ++ { UINT32_C(0x928322DD), UINT32_C(0x5815792D), UINT32_C(0x67F7CB59), ++ UINT32_C(0x82FF356B), UINT32_C(0x304980F4), UINT32_C(0x71E40A78), ++ UINT32_C(0x3667D021), UINT32_C(0xC8645C27), UINT32_C(0xAEBAE28F), ++ UINT32_C(0xE785741C), UINT32_C(0x53ECAC37), UINT32_C(0xB2C1BC75) } }, ++ { { UINT32_C(0x1D0A74DB), UINT32_C(0x633EB24F), UINT32_C(0xFA752512), ++ UINT32_C(0xF1F55E56), UINT32_C(0x8EFE11DE), UINT32_C(0x75FECA68), ++ UINT32_C(0xE6BF19EC), UINT32_C(0xC80FD91C), UINT32_C(0x2A14C908), ++ UINT32_C(0xAD0BAFEC), UINT32_C(0xADE4031F), UINT32_C(0x4E1C4ACA) }, ++ { UINT32_C(0x1EB1549A), UINT32_C(0x463A815B), UINT32_C(0x668F1298), ++ UINT32_C(0x5AD4253C), UINT32_C(0x38A37151), UINT32_C(0x5CB38662), ++ UINT32_C(0xAFF16B96), UINT32_C(0x34BB1CCF), UINT32_C(0xEE731AB0), ++ UINT32_C(0xDCA93B13), UINT32_C(0x9BE01A0B), UINT32_C(0x9F3CE5CC) } }, ++ { { UINT32_C(0xA110D331), UINT32_C(0x75DB5723), UINT32_C(0x7123D89F), ++ UINT32_C(0x67C66F6A), UINT32_C(0x4009D570), UINT32_C(0x27ABBD4B), ++ UINT32_C(0xC73451BC), UINT32_C(0xACDA6F84), UINT32_C(0x05575ACF), ++ UINT32_C(0xE4B9A239), UINT32_C(0xAB2D3D6C), UINT32_C(0x3C2DB7EF) }, ++ { UINT32_C(0x29115145), UINT32_C(0x01CCDD08), UINT32_C(0x57B5814A), ++ UINT32_C(0x9E0602FE), UINT32_C(0x87862838), UINT32_C(0x679B35C2), ++ UINT32_C(0x38AD598D), UINT32_C(0x0277DC4C), UINT32_C(0x6D896DD4), ++ UINT32_C(0xEF80A213), UINT32_C(0xE7B9047B), UINT32_C(0xC8812213) } }, ++ }, ++ { ++ { { UINT32_C(0xEDC9CE62), UINT32_C(0xAC6DBDF6), UINT32_C(0x0F9C006E), ++ UINT32_C(0xA58F5B44), UINT32_C(0xDC28E1B0), UINT32_C(0x16694DE3), ++ UINT32_C(0xA6647711), UINT32_C(0x2D039CF2), UINT32_C(0xC5B08B4B), ++ UINT32_C(0xA13BBE6F), UINT32_C(0x10EBD8CE), UINT32_C(0xE44DA930) }, ++ { UINT32_C(0x19649A16), UINT32_C(0xCD472087), UINT32_C(0x683E5DF1), ++ UINT32_C(0xE18F4E44), UINT32_C(0x929BFA28), UINT32_C(0xB3F66303), ++ UINT32_C(0x818249BF), UINT32_C(0x7C378E43), UINT32_C(0x847F7CD9), ++ UINT32_C(0x76068C80), UINT32_C(0x987EBA16), UINT32_C(0xEE3DB6D1) } }, ++ { { UINT32_C(0xC42A2F52), UINT32_C(0xCBBD8576), UINT32_C(0x9D2B06BB), ++ UINT32_C(0x9ACC6F70), UINT32_C(0x2E6B72A4), UINT32_C(0xE5CB5620), ++ UINT32_C(0x7C024443), UINT32_C(0x5738EA0E), UINT32_C(0xB55368F3), ++ UINT32_C(0x8ED06170), UINT32_C(0x1AEED44F), UINT32_C(0xE54C99BB) }, ++ { UINT32_C(0xE2E0D8B2), UINT32_C(0x3D90A6B2), UINT32_C(0xCF7B2856), ++ UINT32_C(0x21718977), UINT32_C(0xC5612AEC), UINT32_C(0x089093DC), ++ UINT32_C(0x99C1BACC), UINT32_C(0xC272EF6F), UINT32_C(0xDC43EAAD), ++ UINT32_C(0x47DB3B43), UINT32_C(0x0832D891), UINT32_C(0x730F30E4) } }, ++ { { UINT32_C(0x0C7FECDB), UINT32_C(0x9FFE5563), UINT32_C(0xF88101E5), ++ UINT32_C(0x55CC67B6), UINT32_C(0xCBEFA3C7), UINT32_C(0x3039F981), ++ UINT32_C(0x667BFD64), UINT32_C(0x2AB06883), UINT32_C(0x4340E3DF), ++ UINT32_C(0x9007A257), UINT32_C(0x5A3A49CA), UINT32_C(0x1AC3F3FA) }, ++ { UINT32_C(0xC97E20FD), UINT32_C(0x9C7BE629), UINT32_C(0xA3DAE003), ++ UINT32_C(0xF61823D3), UINT32_C(0xE7380DBA), UINT32_C(0xFFE7FF39), ++ UINT32_C(0x9FACC3B8), UINT32_C(0x620BB9B5), UINT32_C(0x31AE422C), ++ UINT32_C(0x2DDCB8CD), UINT32_C(0xD12C3C43), UINT32_C(0x1DE3BCFA) } }, ++ { { UINT32_C(0xD6E0F9A9), UINT32_C(0x8C074946), UINT32_C(0x51C3B05B), ++ UINT32_C(0x662FA995), UINT32_C(0x04BB2048), UINT32_C(0x6CDAE969), ++ UINT32_C(0xD6DC8B60), UINT32_C(0x6DEC9594), UINT32_C(0x54438BBC), ++ UINT32_C(0x8D265869), UINT32_C(0x1B0E95A5), UINT32_C(0x88E983E3) }, ++ { UINT32_C(0x60CBF838), UINT32_C(0x8189F114), UINT32_C(0x771DC46B), ++ UINT32_C(0x77190697), UINT32_C(0x27F8EC1A), UINT32_C(0x775775A2), ++ UINT32_C(0x607E3739), UINT32_C(0x7A125240), UINT32_C(0x4F793E4E), ++ UINT32_C(0xAFAE84E7), UINT32_C(0x5BF5BAF4), UINT32_C(0x44FA17F3) } }, ++ { { UINT32_C(0xD03AC439), UINT32_C(0xA21E69A5), UINT32_C(0x88AA8094), ++ UINT32_C(0x2069C5FC), UINT32_C(0x8C08F206), UINT32_C(0xB041EEA7), ++ UINT32_C(0x3D65B8ED), UINT32_C(0x55B9D461), UINT32_C(0xD392C7C4), ++ UINT32_C(0x951EA25C), UINT32_C(0x9D166232), UINT32_C(0x4B9A1CEC) }, ++ { UINT32_C(0xFCF931A4), UINT32_C(0xC184FCD8), UINT32_C(0x063AD374), ++ UINT32_C(0xBA59AD44), UINT32_C(0x1AA9796F), UINT32_C(0x1868AD2A), ++ UINT32_C(0xDFF29832), UINT32_C(0x38A34018), UINT32_C(0x03DF8070), ++ UINT32_C(0x01FC8801), UINT32_C(0x48DD334A), UINT32_C(0x1282CCE0) } }, ++ { { UINT32_C(0x26D8503C), UINT32_C(0x76AA9557), UINT32_C(0x6BC3E3D0), ++ UINT32_C(0xBE962B63), UINT32_C(0x97DE8841), UINT32_C(0xF5CA93E5), ++ UINT32_C(0xAF3F2C16), UINT32_C(0x1561B05E), UINT32_C(0xD34BFF98), ++ UINT32_C(0x34BE00AA), UINT32_C(0xD23D2925), UINT32_C(0xEA21E6E9) }, ++ { UINT32_C(0x394C3AFB), UINT32_C(0x55713230), UINT32_C(0xD6C8BECA), ++ UINT32_C(0xEAF0529B), UINT32_C(0x202B9A11), UINT32_C(0xFF38A743), ++ UINT32_C(0x6D3A398B), UINT32_C(0xA13E39FC), UINT32_C(0x86E2615A), ++ UINT32_C(0x8CBD644B), UINT32_C(0x191057EC), UINT32_C(0x92063988) } }, ++ { { UINT32_C(0x13F89146), UINT32_C(0x787835CE), UINT32_C(0x69446C3F), ++ UINT32_C(0x7FCD42CC), UINT32_C(0x840E679D), UINT32_C(0x0DA2AA98), ++ UINT32_C(0x18779A1B), UINT32_C(0x44F20523), UINT32_C(0xEFBF5935), ++ UINT32_C(0xE3A3B34F), UINT32_C(0xB9947B70), UINT32_C(0xA5D2CFD0) }, ++ { UINT32_C(0x27F4E16F), UINT32_C(0xAE2AF4EF), UINT32_C(0xB9D21322), ++ UINT32_C(0xA7FA70D2), UINT32_C(0xB3FD566B), UINT32_C(0x68084919), ++ UINT32_C(0xD7AAD6AB), UINT32_C(0xF04D71C8), UINT32_C(0x10BC4260), ++ UINT32_C(0xDBEA21E4), UINT32_C(0x8D949B42), UINT32_C(0xAA7DC665) } }, ++ { { UINT32_C(0x6CCB8213), UINT32_C(0xD8E958A0), UINT32_C(0x91900B54), ++ UINT32_C(0x118D9DB9), UINT32_C(0x85E8CED6), UINT32_C(0x09BB9D49), ++ UINT32_C(0x24019281), UINT32_C(0x410E9FB5), UINT32_C(0x6D74C86E), ++ UINT32_C(0x3B31B4E1), UINT32_C(0x020BB77D), UINT32_C(0x52BC0252) }, ++ { UINT32_C(0x27092CE4), UINT32_C(0x5616A26F), UINT32_C(0xA08F65CD), ++ UINT32_C(0x67774DBC), UINT32_C(0xC08BD569), UINT32_C(0x560AD494), ++ UINT32_C(0xAD498783), UINT32_C(0xBE26DA36), UINT32_C(0x7F019C91), ++ UINT32_C(0x0276C8AB), UINT32_C(0x5248266E), UINT32_C(0x09843ADA) } }, ++ { { UINT32_C(0x7D963CF2), UINT32_C(0xA0AE88A7), UINT32_C(0xD0E84920), ++ UINT32_C(0x91EF8986), UINT32_C(0xF8C58104), UINT32_C(0xC7EFE344), ++ UINT32_C(0xECA20773), UINT32_C(0x0A25D9FD), UINT32_C(0x00D8F1D5), ++ UINT32_C(0x9D989FAA), UINT32_C(0xC8B06264), UINT32_C(0x4204C8CE) }, ++ { UINT32_C(0xBE1A2796), UINT32_C(0x717C12E0), UINT32_C(0xC190C728), ++ UINT32_C(0x1FA4BA8C), UINT32_C(0x8C8A59BA), UINT32_C(0xA245CA8D), ++ UINT32_C(0x7672B935), UINT32_C(0xE3C37475), UINT32_C(0x2E4D6375), ++ UINT32_C(0x083D5E40), UINT32_C(0x5455E16E), UINT32_C(0x0B8D5AB3) } }, ++ { { UINT32_C(0xEED765D4), UINT32_C(0x1DB17DBF), UINT32_C(0xA5DDB965), ++ UINT32_C(0xBBC9B1BE), UINT32_C(0xDFC12ABC), UINT32_C(0x1948F76D), ++ UINT32_C(0x134EF489), UINT32_C(0x2C2714E5), UINT32_C(0x741C600F), ++ UINT32_C(0x60CE2EE8), UINT32_C(0xF80E6E63), UINT32_C(0x32396F22) }, ++ { UINT32_C(0x22537F59), UINT32_C(0x421DAC75), UINT32_C(0x49475DF5), ++ UINT32_C(0x58FB73C6), UINT32_C(0x6F18F1C7), UINT32_C(0x0ABF2885), ++ UINT32_C(0x9A398D16), UINT32_C(0x36474468), UINT32_C(0xBF673B87), ++ UINT32_C(0x87A661A7), UINT32_C(0x73819E17), UINT32_C(0x3E80698F) } }, ++ { { UINT32_C(0x53784CC4), UINT32_C(0xDFE49793), UINT32_C(0x486D508F), ++ UINT32_C(0x4280EAB0), UINT32_C(0xE534F5A4), UINT32_C(0x119593FF), ++ UINT32_C(0x9F63242F), UINT32_C(0x98AEFADD), UINT32_C(0xC4829CAE), ++ UINT32_C(0x9AE6A24A), UINT32_C(0x58E8BA80), UINT32_C(0xF2373CA5) }, ++ { UINT32_C(0x51765FB3), UINT32_C(0x4017AF7E), UINT32_C(0xAF4AEC4B), ++ UINT32_C(0xD1E40F7C), UINT32_C(0x0898E3BC), UINT32_C(0x87372C7A), ++ UINT32_C(0x85452CA9), UINT32_C(0x688982B2), UINT32_C(0xB1E50BCA), ++ UINT32_C(0x71E0B4BF), UINT32_C(0xF70E714A), UINT32_C(0x21FD2DBF) } }, ++ { { UINT32_C(0xFB78DDAC), UINT32_C(0xEE6E8820), UINT32_C(0x063892CD), ++ UINT32_C(0x0BAED29C), UINT32_C(0x28C0588D), UINT32_C(0x5F33049C), ++ UINT32_C(0x18DBC432), UINT32_C(0x90C2515E), UINT32_C(0x3B4CB0BD), ++ UINT32_C(0xB8A1B143), UINT32_C(0x68103043), UINT32_C(0x0AB5C0C9) }, ++ { UINT32_C(0x4005EC40), UINT32_C(0xF3788FA0), UINT32_C(0x039EE115), ++ UINT32_C(0x82571C99), UINT32_C(0x93260BED), UINT32_C(0xEE8FCED5), ++ UINT32_C(0x10836D18), UINT32_C(0x5A9BAF79), UINT32_C(0xC46AA4F6), ++ UINT32_C(0x7C258B09), UINT32_C(0x37F53D31), UINT32_C(0x46ECC5E8) } }, ++ { { UINT32_C(0xBFE0DD98), UINT32_C(0xFA32C0DC), UINT32_C(0x962B1066), ++ UINT32_C(0x66EFAFC4), UINT32_C(0x64BDF5EB), UINT32_C(0xBA81D33E), ++ UINT32_C(0xFC7FC512), UINT32_C(0x36C28536), UINT32_C(0xE0B4FA97), ++ UINT32_C(0x0C95176B), UINT32_C(0x3B9BC64A), UINT32_C(0x47DDE29B) }, ++ { UINT32_C(0x5C173B36), UINT32_C(0x08D986FD), UINT32_C(0x6CF3F28C), ++ UINT32_C(0x46D84B52), UINT32_C(0xF026BDB9), UINT32_C(0x6F6ED6C3), ++ UINT32_C(0x68206DC5), UINT32_C(0xAC90668B), UINT32_C(0xECBE4E70), ++ UINT32_C(0xE8ED5D98), UINT32_C(0xDC1A6974), UINT32_C(0xCFFF61DD) } }, ++ { { UINT32_C(0x77B1A5C1), UINT32_C(0xFF5C3A29), UINT32_C(0x0DDF995D), ++ UINT32_C(0x10C27E4A), UINT32_C(0xE23363E3), UINT32_C(0xCB745F77), ++ UINT32_C(0x32F399A3), UINT32_C(0xD765DF6F), UINT32_C(0x8A99E109), ++ UINT32_C(0xF0CA0C2F), UINT32_C(0x1E025CA0), UINT32_C(0xC3A6BFB7) }, ++ { UINT32_C(0x4F9D9FA5), UINT32_C(0x830B2C0A), UINT32_C(0xBD1A84E5), ++ UINT32_C(0xAE914CAC), UINT32_C(0xA4FEBCC1), UINT32_C(0x30B35ED8), ++ UINT32_C(0x84CFBF2E), UINT32_C(0xCB902B46), UINT32_C(0x25FC6375), ++ UINT32_C(0x0BD47628), UINT32_C(0x85509D04), UINT32_C(0xA858A53C) } }, ++ { { UINT32_C(0x552E0A3F), UINT32_C(0x8B995D0C), UINT32_C(0x17BE9FF7), ++ UINT32_C(0xEDBD4E94), UINT32_C(0x95085178), UINT32_C(0x3432E839), ++ UINT32_C(0x80C256F5), UINT32_C(0x0FE5C181), UINT32_C(0xEBF9597C), ++ UINT32_C(0x05A64EA8), UINT32_C(0x3F80371F), UINT32_C(0x6ED44BB1) }, ++ { UINT32_C(0xFE4C12EE), UINT32_C(0x6A29A05E), UINT32_C(0xE0BB83B3), ++ UINT32_C(0x3E436A43), UINT32_C(0x74D72921), UINT32_C(0x38365D9A), ++ UINT32_C(0xC38E1ED7), UINT32_C(0x3F5EE823), UINT32_C(0xE8FA063F), ++ UINT32_C(0x09A53213), UINT32_C(0xB435E713), UINT32_C(0x1E7FE47A) } }, ++ { { UINT32_C(0xFDDD17F3), UINT32_C(0xE4D9BC94), UINT32_C(0xC1016C20), ++ UINT32_C(0xC74B8FED), UINT32_C(0xB49C060E), UINT32_C(0x095DE39B), ++ UINT32_C(0x8AC0DF00), UINT32_C(0xDBCC6795), UINT32_C(0x1C34F4DF), ++ UINT32_C(0x4CF6BAEB), UINT32_C(0xE8390170), UINT32_C(0x72C55C21) }, ++ { UINT32_C(0xF6C48E79), UINT32_C(0x4F17BFD2), UINT32_C(0x017A80BA), ++ UINT32_C(0x18BF4DA0), UINT32_C(0xBCF4B138), UINT32_C(0xCF51D829), ++ UINT32_C(0xF48F8B0D), UINT32_C(0x598AEE5F), UINT32_C(0x20F10809), ++ UINT32_C(0x83FAEE56), UINT32_C(0x779F0850), UINT32_C(0x4615D4DC) } }, ++ }, ++ { ++ { { UINT32_C(0x5852B59B), UINT32_C(0x22313DEE), UINT32_C(0xB6A0B37F), ++ UINT32_C(0x6F56C8E8), UINT32_C(0xA76EC380), UINT32_C(0x43D6EEAE), ++ UINT32_C(0x0275AD36), UINT32_C(0xA1655136), UINT32_C(0xDF095BDA), ++ UINT32_C(0xE5C1B65A), UINT32_C(0x367C44B0), UINT32_C(0xBD1FFA8D) }, ++ { UINT32_C(0x6B48AF2B), UINT32_C(0xE2B419C2), UINT32_C(0x3DA194C8), ++ UINT32_C(0x57BBBD97), UINT32_C(0xA2BAFF05), UINT32_C(0xB5FBE51F), ++ UINT32_C(0x6269B5D0), UINT32_C(0xA0594D70), UINT32_C(0x23E8D667), ++ UINT32_C(0x0B07B705), UINT32_C(0x63E016E7), UINT32_C(0xAE1976B5) } }, ++ { { UINT32_C(0xFBECAAAE), UINT32_C(0x2FDE4893), UINT32_C(0x30332229), ++ UINT32_C(0x444346DE), UINT32_C(0x09456ED5), UINT32_C(0x157B8A5B), ++ UINT32_C(0x25797C6C), UINT32_C(0x73606A79), UINT32_C(0x33C14C06), ++ UINT32_C(0xA9D0F47C), UINT32_C(0xFAF971CA), UINT32_C(0x7BC8962C) }, ++ { UINT32_C(0x65909DFD), UINT32_C(0x6E763C51), UINT32_C(0x14A9BF42), ++ UINT32_C(0x1BBBE41B), UINT32_C(0xC49E9EFC), UINT32_C(0xD95B7ECB), ++ UINT32_C(0xB38F2B59), UINT32_C(0x0C317927), UINT32_C(0xB3C397DB), ++ UINT32_C(0x97912B53), UINT32_C(0x45C7ABC7), UINT32_C(0xCB3879AA) } }, ++ { { UINT32_C(0x24359B81), UINT32_C(0xCD81BDCF), UINT32_C(0xDB4C321C), ++ UINT32_C(0x6FD326E2), UINT32_C(0xF8EBE39C), UINT32_C(0x4CB0228B), ++ UINT32_C(0xB2CDD852), UINT32_C(0x496A9DCE), UINT32_C(0xD0E9B3AF), ++ UINT32_C(0x0F115A1A), UINT32_C(0xD8EEEF8A), UINT32_C(0xAA08BF36) }, ++ { UINT32_C(0x06E5E739), UINT32_C(0x5232A515), UINT32_C(0x8407A551), ++ UINT32_C(0x21FAE9D5), UINT32_C(0x8994B4E8), UINT32_C(0x289D18B0), ++ UINT32_C(0x09097A52), UINT32_C(0xB4E346A8), UINT32_C(0x324621D0), ++ UINT32_C(0xC641510F), UINT32_C(0x95A41AB8), UINT32_C(0xC567FD4A) } }, ++ { { UINT32_C(0xD57C8DE9), UINT32_C(0x261578C7), UINT32_C(0x3836C5C8), ++ UINT32_C(0xB9BC491F), UINT32_C(0x14C8038F), UINT32_C(0x993266B4), ++ UINT32_C(0xFAA7CC39), UINT32_C(0xBACAD755), UINT32_C(0xD69B7E27), ++ UINT32_C(0x418C4DEF), UINT32_C(0xAE751533), UINT32_C(0x53FDC5CD) }, ++ { UINT32_C(0xC3EEA63A), UINT32_C(0x6F3BD329), UINT32_C(0xE53DD29E), ++ UINT32_C(0xA7A22091), UINT32_C(0xDC4C54EC), UINT32_C(0xB7164F73), ++ UINT32_C(0x44D3D74E), UINT32_C(0xCA66290D), UINT32_C(0x4C9EA511), ++ UINT32_C(0xF77C6242), UINT32_C(0x1F714C49), UINT32_C(0x34337F55) } }, ++ { { UINT32_C(0xA64B6C4B), UINT32_C(0x5ED2B216), UINT32_C(0x3AAE640D), ++ UINT32_C(0x1C38794F), UINT32_C(0x8905794F), UINT32_C(0x30BBAEE0), ++ UINT32_C(0xC8699CFB), UINT32_C(0x0D9EE41E), UINT32_C(0xCF7B7C29), ++ UINT32_C(0xAF38DAF2), UINT32_C(0x43E53513), UINT32_C(0x0D6A05CA) }, ++ { UINT32_C(0x2606AB56), UINT32_C(0xBE96C644), UINT32_C(0xE9EB9734), ++ UINT32_C(0x13E7A072), UINT32_C(0x5FF50CD7), UINT32_C(0xF9669445), ++ UINT32_C(0x47DA6F1D), UINT32_C(0x68EF26B5), UINT32_C(0x23687CB7), ++ UINT32_C(0xF0028738), UINT32_C(0x6217C1CE), UINT32_C(0x5ED9C876) } }, ++ { { UINT32_C(0x0A3A9691), UINT32_C(0x423BA513), UINT32_C(0xB3179296), ++ UINT32_C(0xF421B1E7), UINT32_C(0x1A871E1B), UINT32_C(0x6B51BCDB), ++ UINT32_C(0x464E4300), UINT32_C(0x6E3BB5B5), UINT32_C(0xFC6C54CC), ++ UINT32_C(0x24171E2E), UINT32_C(0xD3E58DC2), UINT32_C(0xA9DFA947) }, ++ { UINT32_C(0x9DE9CFA7), UINT32_C(0x175B3309), UINT32_C(0x2D1015DA), ++ UINT32_C(0x707B2529), UINT32_C(0x993EA65A), UINT32_C(0xCBB95F17), ++ UINT32_C(0x0447450D), UINT32_C(0x93515063), UINT32_C(0x1B2753C9), ++ UINT32_C(0x0F47B205), UINT32_C(0xE7D427CF), UINT32_C(0x4A0BAB14) } }, ++ { { UINT32_C(0xB5AA7CA1), UINT32_C(0xA39DEF39), UINT32_C(0xC47C33DF), ++ UINT32_C(0x591CB173), UINT32_C(0x6BBAB872), UINT32_C(0xA09DAC79), ++ UINT32_C(0x7208BA2F), UINT32_C(0x3EF9D7CF), UINT32_C(0x7A0A34FC), ++ UINT32_C(0x3CC18931), UINT32_C(0xBCC3380F), UINT32_C(0xAE31C62B) }, ++ { UINT32_C(0x0287C0B4), UINT32_C(0xD72A6794), UINT32_C(0x68E334F1), ++ UINT32_C(0x3373382C), UINT32_C(0xBD20C6A6), UINT32_C(0xD0310CA8), ++ UINT32_C(0x42C033FD), UINT32_C(0xA2734B87), UINT32_C(0x8DCE4509), ++ UINT32_C(0xA5D390F1), UINT32_C(0x3E1AFCB5), UINT32_C(0xFC84E74B) } }, ++ { { UINT32_C(0xF2CD8A9C), UINT32_C(0xB028334D), UINT32_C(0x570F76F6), ++ UINT32_C(0xB8719291), UINT32_C(0x01065A2D), UINT32_C(0x662A386E), ++ UINT32_C(0x53D940AE), UINT32_C(0xDF1634CB), UINT32_C(0x8F5B41F9), ++ UINT32_C(0x625A7B83), UINT32_C(0xEE6AA1B4), UINT32_C(0xA033E4FE) }, ++ { UINT32_C(0x1E42BABB), UINT32_C(0x51E9D463), UINT32_C(0x0D388468), ++ UINT32_C(0x660BC2E4), UINT32_C(0xFCBB114A), UINT32_C(0x3F702189), ++ UINT32_C(0xB414CA78), UINT32_C(0x6B46FE35), UINT32_C(0x4A57316B), ++ UINT32_C(0x328F6CF2), UINT32_C(0x381AD156), UINT32_C(0x917423B5) } }, ++ { { UINT32_C(0x5373A607), UINT32_C(0xAC19306E), UINT32_C(0x191D0969), ++ UINT32_C(0x471DF8E3), UINT32_C(0xB9720D83), UINT32_C(0x380ADE35), ++ UINT32_C(0x48F1FD5C), UINT32_C(0x7423FDF5), UINT32_C(0x49CABC95), ++ UINT32_C(0x8B090C9F), UINT32_C(0xC9842F2F), UINT32_C(0xB768E8CD) }, ++ { UINT32_C(0xE56162D6), UINT32_C(0x399F456D), UINT32_C(0x4F326791), ++ UINT32_C(0xBB6BA240), UINT32_C(0x342590BE), UINT32_C(0x8F4FBA3B), ++ UINT32_C(0x3DFB6B3E), UINT32_C(0x053986B9), UINT32_C(0x190C7425), ++ UINT32_C(0xBB6739F1), UINT32_C(0x32F7E95F), UINT32_C(0x32D4A553) } }, ++ { { UINT32_C(0x0DDBFB21), UINT32_C(0x0205A0EC), UINT32_C(0x33AC3407), ++ UINT32_C(0x3010327D), UINT32_C(0x3348999B), UINT32_C(0xCF2F4DB3), ++ UINT32_C(0x1551604A), UINT32_C(0x660DB9F4), UINT32_C(0x5D38D335), ++ UINT32_C(0xC346C69A), UINT32_C(0x38882479), UINT32_C(0x64AAB3D3) }, ++ { UINT32_C(0x6AE44403), UINT32_C(0xA096B5E7), UINT32_C(0x645F76CD), ++ UINT32_C(0x6B4C9571), UINT32_C(0x4711120F), UINT32_C(0x72E1CD5F), ++ UINT32_C(0xF27CC3E1), UINT32_C(0x93EC42AC), UINT32_C(0xA72ABB12), ++ UINT32_C(0x2D18D004), UINT32_C(0xC9841A04), UINT32_C(0x232E9568) } }, ++ { { UINT32_C(0x3CC7F908), UINT32_C(0xFF01DB22), UINT32_C(0xD13CDD3B), ++ UINT32_C(0x9F214F8F), UINT32_C(0xE0B014B5), UINT32_C(0x38DADBB7), ++ UINT32_C(0x94245C95), UINT32_C(0x2C548CCC), UINT32_C(0x809AFCE3), ++ UINT32_C(0x714BE331), UINT32_C(0x9BFE957E), UINT32_C(0xBCC64410) }, ++ { UINT32_C(0x5B957F80), UINT32_C(0xC21C2D21), UINT32_C(0xBB8A4C42), ++ UINT32_C(0xBA2D4FDC), UINT32_C(0x74817CEC), UINT32_C(0xFA6CD4AF), ++ UINT32_C(0xC528EAD6), UINT32_C(0x9E7FB523), UINT32_C(0x7714B10E), ++ UINT32_C(0xAED781FF), UINT32_C(0x94F04455), UINT32_C(0xB52BB592) } }, ++ { { UINT32_C(0x868CC68B), UINT32_C(0xA578BD69), UINT32_C(0x603F2C08), ++ UINT32_C(0xA40FDC8D), UINT32_C(0x2D81B042), UINT32_C(0x53D79BD1), ++ UINT32_C(0xA7587EAB), UINT32_C(0x1B136AF3), UINT32_C(0x868A16DB), ++ UINT32_C(0x1ED4F939), UINT32_C(0xD0B98273), UINT32_C(0x775A61FB) }, ++ { UINT32_C(0xE56BEF8C), UINT32_C(0xBA5C12A6), UINT32_C(0xDDDC8595), ++ UINT32_C(0xF926CE52), UINT32_C(0x586FE1F8), UINT32_C(0xA13F5C8F), ++ UINT32_C(0x060DBB54), UINT32_C(0xEAC9F7F2), UINT32_C(0x51AF4342), ++ UINT32_C(0x70C0AC3A), UINT32_C(0x79CDA450), UINT32_C(0xC16E303C) } }, ++ { { UINT32_C(0x8113F4EA), UINT32_C(0xD0DADD6C), UINT32_C(0x07BDF09F), ++ UINT32_C(0xF14E3922), UINT32_C(0xAA7D877C), UINT32_C(0x3FE5E9C2), ++ UINT32_C(0x48779264), UINT32_C(0x9EA95C19), UINT32_C(0x4FCB8344), ++ UINT32_C(0xE93F65A7), UINT32_C(0x76D925A4), UINT32_C(0x9F40837E) }, ++ { UINT32_C(0x8271FFC7), UINT32_C(0x0EA6DA3F), UINT32_C(0xCC8F9B19), ++ UINT32_C(0x557FA529), UINT32_C(0x78E6DDFD), UINT32_C(0x2613DBF1), ++ UINT32_C(0x36B1E954), UINT32_C(0x7A7523B8), UINT32_C(0x406A87FB), ++ UINT32_C(0x20EB3168), UINT32_C(0x03ABA56A), UINT32_C(0x64C21C14) } }, ++ { { UINT32_C(0xC032DD5F), UINT32_C(0xE86C9C2D), UINT32_C(0x86F16A21), ++ UINT32_C(0x158CEB8E), UINT32_C(0x68326AF1), UINT32_C(0x0279FF53), ++ UINT32_C(0x59F12BA5), UINT32_C(0x1FFE2E2B), UINT32_C(0x86826D45), ++ UINT32_C(0xD75A46DB), UINT32_C(0x1E33E6AC), UINT32_C(0xE19B4841) }, ++ { UINT32_C(0x0E52991C), UINT32_C(0x5F0CC524), UINT32_C(0x8B116286), ++ UINT32_C(0x645871F9), UINT32_C(0xFCAEC5D3), UINT32_C(0xAB3B4B1E), ++ UINT32_C(0x51D0F698), UINT32_C(0x994C8DF0), UINT32_C(0xE5D13040), ++ UINT32_C(0x06F890AF), UINT32_C(0x5F96C7C2), UINT32_C(0x72D9DC23) } }, ++ { { UINT32_C(0xE7886A80), UINT32_C(0x7C018DEE), UINT32_C(0x8786E4A3), ++ UINT32_C(0xFA209330), UINT32_C(0xA4415CA1), UINT32_C(0xCEC8E2A3), ++ UINT32_C(0xCC83CC60), UINT32_C(0x5C736FC1), UINT32_C(0xF00C259F), ++ UINT32_C(0xFEF9788C), UINT32_C(0xDD29A6AD), UINT32_C(0xED5C01CB) }, ++ { UINT32_C(0x3E20825B), UINT32_C(0x87834A03), UINT32_C(0x123F9358), ++ UINT32_C(0x13B1239D), UINT32_C(0xFBC286C1), UINT32_C(0x7E8869D0), ++ UINT32_C(0x24CE8609), UINT32_C(0xC4AB5AA3), UINT32_C(0xB6349208), ++ UINT32_C(0x38716BEE), UINT32_C(0xB322AE21), UINT32_C(0x0BDF4F99) } }, ++ { { UINT32_C(0x53E3494B), UINT32_C(0x6B97A2BF), UINT32_C(0x70F7A13E), ++ UINT32_C(0xA8AA05C5), UINT32_C(0xF1305B51), UINT32_C(0x209709C2), ++ UINT32_C(0xDAB76F2C), UINT32_C(0x57B31888), UINT32_C(0xAA2A406A), ++ UINT32_C(0x75B2ECD7), UINT32_C(0xA35374A4), UINT32_C(0x88801A00) }, ++ { UINT32_C(0x45C0471B), UINT32_C(0xE1458D1C), UINT32_C(0x322C1AB0), ++ UINT32_C(0x5760E306), UINT32_C(0xAD6AB0A6), UINT32_C(0x789A0AF1), ++ UINT32_C(0xF458B9CE), UINT32_C(0x74398DE1), UINT32_C(0x32E0C65F), ++ UINT32_C(0x1652FF9F), UINT32_C(0xFFFB3A52), UINT32_C(0xFAF1F9D5) } }, ++ }, ++ { ++ { { UINT32_C(0xD1D1B007), UINT32_C(0xA05C751C), UINT32_C(0x0213E478), ++ UINT32_C(0x016C213B), UINT32_C(0xF4C98FEE), UINT32_C(0x9C56E26C), ++ UINT32_C(0xE7B3A7C7), UINT32_C(0x6084F8B9), UINT32_C(0xDECC1646), ++ UINT32_C(0xA0B042F6), UINT32_C(0xFBF3A0BC), UINT32_C(0x4A6F3C1A) }, ++ { UINT32_C(0x51C9F909), UINT32_C(0x94524C2C), UINT32_C(0x3A6D3748), ++ UINT32_C(0xF3B3AD40), UINT32_C(0x7CE1F9F5), UINT32_C(0x18792D6E), ++ UINT32_C(0xFC0C34FA), UINT32_C(0x8EBC2FD7), UINT32_C(0x780A1693), ++ UINT32_C(0x032A9F41), UINT32_C(0x56A60019), UINT32_C(0x34F9801E) } }, ++ { { UINT32_C(0xF0DB3751), UINT32_C(0xB398290C), UINT32_C(0xBA42C976), ++ UINT32_C(0x01170580), UINT32_C(0x56560B89), UINT32_C(0x3E71AA29), ++ UINT32_C(0x50E6647B), UINT32_C(0x80817AAC), UINT32_C(0xA0BE42DA), ++ UINT32_C(0x35C833AD), UINT32_C(0xF1BABA4E), UINT32_C(0xFA3C6148) }, ++ { UINT32_C(0xCD8F6253), UINT32_C(0xC57BE645), UINT32_C(0xC657AD0D), ++ UINT32_C(0x77CEE46B), UINT32_C(0x0DEFD908), UINT32_C(0x83007731), ++ UINT32_C(0x899CBA56), UINT32_C(0x92FE9BCE), UINT32_C(0xBCEFFB5A), ++ UINT32_C(0x48450EC4), UINT32_C(0xF2F5F4BF), UINT32_C(0xE615148D) } }, ++ { { UINT32_C(0x90B86166), UINT32_C(0xF55EDABB), UINT32_C(0x075430A2), ++ UINT32_C(0x27F7D784), UINT32_C(0x9BF17161), UINT32_C(0xF53E822B), ++ UINT32_C(0xAFE808DC), UINT32_C(0x4A5B3B93), UINT32_C(0xD7272F55), ++ UINT32_C(0x590BBBDE), UINT32_C(0xEAEA79A1), UINT32_C(0x233D63FA) }, ++ { UINT32_C(0xFE1EBA07), UINT32_C(0xD7042BEA), UINT32_C(0x10750D7E), ++ UINT32_C(0xD2B9AEA0), UINT32_C(0x31078AA5), UINT32_C(0xD8D1E690), ++ UINT32_C(0x7E37BC8B), UINT32_C(0x9E837F18), UINT32_C(0x85008975), ++ UINT32_C(0x9558FF4F), UINT32_C(0x421FE867), UINT32_C(0x93EDB837) } }, ++ { { UINT32_C(0x83D55B5A), UINT32_C(0xAA6489DF), UINT32_C(0x86BF27F7), ++ UINT32_C(0xEA092E49), UINT32_C(0x5FA2EFEC), UINT32_C(0x4D8943A9), ++ UINT32_C(0x720E1A8C), UINT32_C(0xC9BAAE53), UINT32_C(0x95A4F8A3), ++ UINT32_C(0xC055444B), UINT32_C(0xA7C1206B), UINT32_C(0x93BD01E8) }, ++ { UINT32_C(0x714A27DF), UINT32_C(0xD97765B6), UINT32_C(0x193F1B16), ++ UINT32_C(0xD622D954), UINT32_C(0xF1503B15), UINT32_C(0x115CC35A), ++ UINT32_C(0xA9FA21F8), UINT32_C(0x1DD5359F), UINT32_C(0x6DFED1F1), ++ UINT32_C(0x197C3299), UINT32_C(0xF77F2679), UINT32_C(0xDEE8B7C9) } }, ++ { { UINT32_C(0x394FD855), UINT32_C(0x5405179F), UINT32_C(0x49FDFB33), ++ UINT32_C(0xC9D6E244), UINT32_C(0xBD903393), UINT32_C(0x70EBCAB4), ++ UINT32_C(0xA2C56780), UINT32_C(0x0D3A3899), UINT32_C(0x683D1A0A), ++ UINT32_C(0x012C7256), UINT32_C(0x80A48F3B), UINT32_C(0xC688FC88) }, ++ { UINT32_C(0x6F7DF527), UINT32_C(0x18095754), UINT32_C(0x71315D16), ++ UINT32_C(0x9E339B4B), UINT32_C(0xA956BB12), UINT32_C(0x90560C28), ++ UINT32_C(0xD42EEE8D), UINT32_C(0x2BECEA60), UINT32_C(0x50632653), ++ UINT32_C(0x82AEB9A7), UINT32_C(0xDFA5CD6A), UINT32_C(0xED34353E) } }, ++ { { UINT32_C(0x91AECCE4), UINT32_C(0x82154D2C), UINT32_C(0x5041887F), ++ UINT32_C(0x312C6070), UINT32_C(0xFB9FBD71), UINT32_C(0xECF589F3), ++ UINT32_C(0xB524BDE4), UINT32_C(0x67660A7D), UINT32_C(0x724ACF23), ++ UINT32_C(0xE99B029D), UINT32_C(0x6D1CD891), UINT32_C(0xDF06E4AF) }, ++ { UINT32_C(0x80EE304D), UINT32_C(0x07806CB5), UINT32_C(0x7443A8F8), ++ UINT32_C(0x0C70BB9F), UINT32_C(0x08B0830A), UINT32_C(0x01EC3414), ++ UINT32_C(0x5A81510B), UINT32_C(0xFD7B63C3), UINT32_C(0x453B5F93), ++ UINT32_C(0xE90A0A39), UINT32_C(0x9BC71725), UINT32_C(0xAB700F8F) } }, ++ { { UINT32_C(0xB9F00793), UINT32_C(0x9401AEC2), UINT32_C(0xB997F0BF), ++ UINT32_C(0x064EC4F4), UINT32_C(0x849240C8), UINT32_C(0xDC0CC1FD), ++ UINT32_C(0xB6E92D72), UINT32_C(0x39A75F37), UINT32_C(0x0224A4AB), ++ UINT32_C(0xAA43CA5D), UINT32_C(0x54614C47), UINT32_C(0x9C4D6325) }, ++ { UINT32_C(0xC6709DA3), UINT32_C(0x1767366F), UINT32_C(0x23479232), ++ UINT32_C(0xA6B482D1), UINT32_C(0x84D63E85), UINT32_C(0x54DC6DDC), ++ UINT32_C(0xC99D3B9E), UINT32_C(0x0ACCB5AD), UINT32_C(0xE8AA3ABF), ++ UINT32_C(0x211716BB), UINT32_C(0x69EC6406), UINT32_C(0xD0FE25AD) } }, ++ { { UINT32_C(0xDF85C705), UINT32_C(0x0D5C1769), UINT32_C(0xA409DCD1), ++ UINT32_C(0x7086C93D), UINT32_C(0x0E8D75D8), UINT32_C(0x9710839D), ++ UINT32_C(0xEBDD4177), UINT32_C(0x17B7DB75), UINT32_C(0xF649A809), ++ UINT32_C(0xAF69EB58), UINT32_C(0x8A84E220), UINT32_C(0x6EF19EA2) }, ++ { UINT32_C(0x65C278B2), UINT32_C(0x36EB5C66), UINT32_C(0x81EA9D65), ++ UINT32_C(0xD2A15128), UINT32_C(0x769300AD), UINT32_C(0x4FCBA840), ++ UINT32_C(0xC8E536E5), UINT32_C(0xC2052CCD), UINT32_C(0xAC263B8F), ++ UINT32_C(0x9CAEE014), UINT32_C(0xF9239663), UINT32_C(0x56F7ED7A) } }, ++ { { UINT32_C(0xAC9E09E1), UINT32_C(0xF6FA251F), UINT32_C(0x955A2853), ++ UINT32_C(0xA3775605), UINT32_C(0xF2A4BD78), UINT32_C(0x977B8D21), ++ UINT32_C(0x3E096410), UINT32_C(0xF68AA7FF), UINT32_C(0x65F88419), ++ UINT32_C(0x01AB0552), UINT32_C(0xBB93F64E), UINT32_C(0xC4C8D77E) }, ++ { UINT32_C(0x3451FE64), UINT32_C(0x71825111), UINT32_C(0x46F9BAF0), ++ UINT32_C(0xFA0F905B), UINT32_C(0xCA49EF1A), UINT32_C(0x79BE3BF3), ++ UINT32_C(0x6CB02071), UINT32_C(0x831109B2), UINT32_C(0xC4DDBFE5), ++ UINT32_C(0x765F935F), UINT32_C(0x80E5A3BA), UINT32_C(0x6F99CD14) } }, ++ { { UINT32_C(0x234F91FF), UINT32_C(0xD2E8DA04), UINT32_C(0x813867AA), ++ UINT32_C(0x4DED4D6D), UINT32_C(0xE0A0D945), UINT32_C(0x3B50175D), ++ UINT32_C(0x4EB78137), UINT32_C(0x55AC7406), UINT32_C(0xE1D47730), ++ UINT32_C(0xE9FA7F6E), UINT32_C(0x5CBF2176), UINT32_C(0x2C171531) }, ++ { UINT32_C(0x2BE7A47D), UINT32_C(0xA521788F), UINT32_C(0x3FCF1AB3), ++ UINT32_C(0x95B15A27), UINT32_C(0xF28A946A), UINT32_C(0xAADA6401), ++ UINT32_C(0x8B4E898B), UINT32_C(0x628B2EF4), UINT32_C(0x6D6592CC), ++ UINT32_C(0x0E6F4629), UINT32_C(0xA723CADD), UINT32_C(0x997C7094) } }, ++ { { UINT32_C(0x6AFE80C6), UINT32_C(0x878BCE11), UINT32_C(0x007BBA38), ++ UINT32_C(0xA89ABC9D), UINT32_C(0xA7CC267F), UINT32_C(0xB0C1F87B), ++ UINT32_C(0x5104FF04), UINT32_C(0x86D33B9D), UINT32_C(0x2EF1BA42), ++ UINT32_C(0xB0504B1B), UINT32_C(0xB2827E88), UINT32_C(0x21693048) }, ++ { UINT32_C(0x79CFCD14), UINT32_C(0x11F1CCD5), UINT32_C(0x94AD227E), ++ UINT32_C(0x59C09FFA), UINT32_C(0x3EA91ACF), UINT32_C(0x95A4ADCB), ++ UINT32_C(0xB4370BAA), UINT32_C(0x1346238B), UINT32_C(0x3E1367B0), ++ UINT32_C(0xB099D202), UINT32_C(0x90F23CEA), UINT32_C(0xCF5BBDE6) } }, ++ { { UINT32_C(0xBCB3BE5E), UINT32_C(0x453299BB), UINT32_C(0x38E9FF97), ++ UINT32_C(0x123C588E), UINT32_C(0xF6A2E521), UINT32_C(0x8C115DD9), ++ UINT32_C(0xFF7D4B98), UINT32_C(0x6E333C11), UINT32_C(0xDA73E736), ++ UINT32_C(0x9DD061E5), UINT32_C(0x5CA53056), UINT32_C(0xC6AB7B3A) }, ++ { UINT32_C(0x5B30A76B), UINT32_C(0xF1EF3EE3), UINT32_C(0x961BA11F), ++ UINT32_C(0xADD6B44A), UINT32_C(0x2CA6E030), UINT32_C(0x7BB00B75), ++ UINT32_C(0x2FE270AD), UINT32_C(0x270272E8), UINT32_C(0x241A9239), ++ UINT32_C(0x23BC6F4F), UINT32_C(0x0BB94A94), UINT32_C(0x88581E13) } }, ++ { { UINT32_C(0x24EEF67F), UINT32_C(0xBD225A69), UINT32_C(0x0412CEB7), ++ UINT32_C(0x7CFD9614), UINT32_C(0x99AC298E), UINT32_C(0xF6DE1679), ++ UINT32_C(0xED6C3571), UINT32_C(0xB20FD895), UINT32_C(0x61836C56), ++ UINT32_C(0x03C73B78), UINT32_C(0xABA6CB34), UINT32_C(0xEE3C3A16) }, ++ { UINT32_C(0x4138408A), UINT32_C(0x9E8C5667), UINT32_C(0x2DD6EBDF), ++ UINT32_C(0xEC25FCB1), UINT32_C(0xDBBDF6E3), UINT32_C(0xC54C33FD), ++ UINT32_C(0x4A3C9DD4), UINT32_C(0x93E0913B), UINT32_C(0x35EDEED4), ++ UINT32_C(0x66D7D135), UINT32_C(0x453FB66E), UINT32_C(0xD29A36C4) } }, ++ { { UINT32_C(0x9F1943AF), UINT32_C(0x7F192F03), UINT32_C(0x4E0B5FB0), ++ UINT32_C(0x6488163F), UINT32_C(0x53599226), UINT32_C(0x66A45C69), ++ UINT32_C(0x9AD15A73), UINT32_C(0x924E2E43), UINT32_C(0x42A99D76), ++ UINT32_C(0x8B553DB7), UINT32_C(0x0451F521), UINT32_C(0x4BC6B53B) }, ++ { UINT32_C(0x101F8AD6), UINT32_C(0xC029B5EF), UINT32_C(0xC507EED9), ++ UINT32_C(0x6A4DA71C), UINT32_C(0x30BB22F3), UINT32_C(0x3ADFAEC0), ++ UINT32_C(0xB514F85B), UINT32_C(0x81BCAF7A), UINT32_C(0x5A7E60D3), ++ UINT32_C(0x2E1E6EFF), UINT32_C(0xAE39D42F), UINT32_C(0x5270ABC0) } }, ++ { { UINT32_C(0x3901F0F8), UINT32_C(0x86D56DEB), UINT32_C(0xEED5F650), ++ UINT32_C(0x1D0BC792), UINT32_C(0xCA1114A3), UINT32_C(0x1A2DDFD8), ++ UINT32_C(0xF1DD316D), UINT32_C(0x94ABF4B1), UINT32_C(0x3D9F18EF), ++ UINT32_C(0xF72179E4), UINT32_C(0x9AA2CABF), UINT32_C(0x52A0921E) }, ++ { UINT32_C(0xA7452883), UINT32_C(0xECDA9E27), UINT32_C(0xAFD771B4), ++ UINT32_C(0x7E90850A), UINT32_C(0x9CC0465C), UINT32_C(0xD40F87EA), ++ UINT32_C(0x865CDA36), UINT32_C(0x8CFCB60A), UINT32_C(0x7C650942), ++ UINT32_C(0x3DBEC2CC), UINT32_C(0xE718CA9D), UINT32_C(0x071A4EE7) } }, ++ { { UINT32_C(0x276AC5F3), UINT32_C(0x73C0E4FF), UINT32_C(0xBDB97EA1), ++ UINT32_C(0xE7BA5A6A), UINT32_C(0xC5808398), UINT32_C(0x638CA54E), ++ UINT32_C(0x413855E5), UINT32_C(0x8258DC82), UINT32_C(0x57F07614), ++ UINT32_C(0x35DDD2E9), UINT32_C(0x1DC13BF9), UINT32_C(0xF98DD692) }, ++ { UINT32_C(0xF16DCD84), UINT32_C(0x3A4C0088), UINT32_C(0x833D83F9), ++ UINT32_C(0xF192EADD), UINT32_C(0xA6D61D29), UINT32_C(0x3C26C931), ++ UINT32_C(0xDE0AD7A1), UINT32_C(0x589FDD52), UINT32_C(0x0442D37F), ++ UINT32_C(0x7CD83DD2), UINT32_C(0x403ECBFC), UINT32_C(0x1E47E777) } }, ++ }, ++ { ++ { { UINT32_C(0x70D4D7BC), UINT32_C(0x2AF8ED81), UINT32_C(0xB632435C), ++ UINT32_C(0xABC3E15F), UINT32_C(0x78219356), UINT32_C(0x4C0E726F), ++ UINT32_C(0xB87254C4), UINT32_C(0x8C1962A1), UINT32_C(0xC9E7691A), ++ UINT32_C(0x30796A71), UINT32_C(0xA75A12EE), UINT32_C(0xD453EF19) }, ++ { UINT32_C(0x13AE4964), UINT32_C(0x535F42C2), UINT32_C(0x0DA9586A), ++ UINT32_C(0x86831C3C), UINT32_C(0xE39A7A58), UINT32_C(0xB7F1EF35), ++ UINT32_C(0xD459B91A), UINT32_C(0xA2789AE2), UINT32_C(0x02FD429D), ++ UINT32_C(0xEADBCA7F), UINT32_C(0x65290F57), UINT32_C(0x94F215D4) } }, ++ { { UINT32_C(0x1CFB79AC), UINT32_C(0x37ED2BE5), UINT32_C(0xE7AF84C3), ++ UINT32_C(0x801946F3), UINT32_C(0xE77C2F00), UINT32_C(0xB061AD8A), ++ UINT32_C(0x44DE16A8), UINT32_C(0xE87E1A9A), UINT32_C(0x7EE490FF), ++ UINT32_C(0xDF4F57C8), UINT32_C(0x005993ED), UINT32_C(0x4E793B49) }, ++ { UINT32_C(0xBCCB593F), UINT32_C(0xE1036387), UINT32_C(0x95E09B80), ++ UINT32_C(0xF1749411), UINT32_C(0x5AB42F91), UINT32_C(0x59CB20D1), ++ UINT32_C(0xAC0FF033), UINT32_C(0xA738A18D), UINT32_C(0x2AC1E7F4), ++ UINT32_C(0xDA501A2E), UINT32_C(0x84D8A6E0), UINT32_C(0x1B67EDA0) } }, ++ { { UINT32_C(0x1080E90B), UINT32_C(0x1D27EFCE), UINT32_C(0x3FD01DC6), ++ UINT32_C(0xA2815246), UINT32_C(0xCAA26D18), UINT32_C(0x99A3FB83), ++ UINT32_C(0xB82BABBE), UINT32_C(0xD27E6133), UINT32_C(0xD783DD60), ++ UINT32_C(0x61030DFD), UINT32_C(0x73C78CB8), UINT32_C(0x295A2913) }, ++ { UINT32_C(0x68BE6A92), UINT32_C(0x8707A2CF), UINT32_C(0xEEB3474A), ++ UINT32_C(0xC9C2FB98), UINT32_C(0xA2B176B8), UINT32_C(0x7C3FD412), ++ UINT32_C(0xC7202101), UINT32_C(0xD5B52E2F), UINT32_C(0xF0A6D536), ++ UINT32_C(0x24A63030), UINT32_C(0x04648EC0), UINT32_C(0x05842DE3) } }, ++ { { UINT32_C(0x30577AC9), UINT32_C(0x67477CDC), UINT32_C(0x244F92A8), ++ UINT32_C(0x51DD9775), UINT32_C(0x917EEC66), UINT32_C(0x31FD60B9), ++ UINT32_C(0xD66C5C1D), UINT32_C(0xACD95BD4), UINT32_C(0xBF9508BA), ++ UINT32_C(0x2E0551F3), UINT32_C(0x688CB243), UINT32_C(0x121168E1) }, ++ { UINT32_C(0x4540D230), UINT32_C(0x8C039740), UINT32_C(0x009ECDF9), ++ UINT32_C(0xC4ED3CF6), UINT32_C(0x44DB62AF), UINT32_C(0x191825E1), ++ UINT32_C(0xC4A030DA), UINT32_C(0x3EE8ACAB), UINT32_C(0x94081504), ++ UINT32_C(0x8AB154A8), UINT32_C(0x486C9CD0), UINT32_C(0x1FE09E4B) } }, ++ { { UINT32_C(0xD113450B), UINT32_C(0x512F82F9), UINT32_C(0x2DBC9197), ++ UINT32_C(0x5878C901), UINT32_C(0xE13F355B), UINT32_C(0xDB87412B), ++ UINT32_C(0x935B8A5E), UINT32_C(0x0A0A4A9B), UINT32_C(0xF25A5351), ++ UINT32_C(0x818587BD), UINT32_C(0x31E3D9C7), UINT32_C(0xE8079310) }, ++ { UINT32_C(0x611BC1B1), UINT32_C(0x8B1D47C7), UINT32_C(0x72A823F2), ++ UINT32_C(0x51722B58), UINT32_C(0x53B36B3E), UINT32_C(0x6F97EE8A), ++ UINT32_C(0x946DD453), UINT32_C(0x6E085AAC), UINT32_C(0xE65E6533), ++ UINT32_C(0x2EC5057D), UINT32_C(0x4BB18801), UINT32_C(0xF82D9D71) } }, ++ { { UINT32_C(0x8BA5AA8E), UINT32_C(0xAD81FA93), UINT32_C(0x8F7AA69E), ++ UINT32_C(0x723E628E), UINT32_C(0xEF35937C), UINT32_C(0x0BA7C2DE), ++ UINT32_C(0x6DECFB40), UINT32_C(0x83A43EC5), UINT32_C(0xE60C4F2D), ++ UINT32_C(0xF520F849), UINT32_C(0x457E3B5E), UINT32_C(0x8260E8AE) }, ++ { UINT32_C(0xBF1D9ED7), UINT32_C(0x7CE874F0), UINT32_C(0x7F1A5466), ++ UINT32_C(0x5FDE3553), UINT32_C(0x0C162DBB), UINT32_C(0x5A63777C), ++ UINT32_C(0xDAD87289), UINT32_C(0x0FD04F8C), UINT32_C(0x640761D5), ++ UINT32_C(0xCA2D9E0E), UINT32_C(0x38501ADB), UINT32_C(0x4615CFF8) } }, ++ { { UINT32_C(0x110B4A25), UINT32_C(0x9422789B), UINT32_C(0x70AD8CC1), ++ UINT32_C(0x5C26779F), UINT32_C(0xEC4F1E14), UINT32_C(0x4EE6A748), ++ UINT32_C(0x5C7AB5E0), UINT32_C(0xFB584A0D), UINT32_C(0xFB21EE66), ++ UINT32_C(0xED1DCB0B), UINT32_C(0x11C6863C), UINT32_C(0xDBED1F00) }, ++ { UINT32_C(0xB1B1D187), UINT32_C(0xD2969269), UINT32_C(0xAFE964E6), ++ UINT32_C(0xF7D0C3F2), UINT32_C(0x12BB865E), UINT32_C(0xE05EE93F), ++ UINT32_C(0xED79118E), UINT32_C(0x1AFB7BEE), UINT32_C(0x0F0FE453), ++ UINT32_C(0x220AF138), UINT32_C(0x52782AB9), UINT32_C(0x1463AA1A) } }, ++ { { UINT32_C(0xD7DBE5F9), UINT32_C(0x7C139D56), UINT32_C(0x0B83685B), ++ UINT32_C(0xFC16E611), UINT32_C(0x9018463C), UINT32_C(0xFA723C02), ++ UINT32_C(0x840BF5D7), UINT32_C(0xC472458C), UINT32_C(0x0AF07591), ++ UINT32_C(0x4D809359), UINT32_C(0x3308DFD9), UINT32_C(0x418D8830) }, ++ { UINT32_C(0x0C365AE3), UINT32_C(0x9B381E04), UINT32_C(0xF8190FD1), ++ UINT32_C(0x3780BF33), UINT32_C(0xDD03E854), UINT32_C(0x45397418), ++ UINT32_C(0x4E51E491), UINT32_C(0xA95D030F), UINT32_C(0xE3286CEA), ++ UINT32_C(0x87C8C686), UINT32_C(0x900B5F83), UINT32_C(0x01C773BF) } }, ++ { { UINT32_C(0x78673B02), UINT32_C(0xDABE3475), UINT32_C(0xF6E7395E), ++ UINT32_C(0x4F0F25CE), UINT32_C(0xD181AD45), UINT32_C(0x3117ABB9), ++ UINT32_C(0xAA13DE0B), UINT32_C(0x4B559F88), UINT32_C(0xEA7C9745), ++ UINT32_C(0xFD8EFE78), UINT32_C(0x5DD21682), UINT32_C(0x08060047) }, ++ { UINT32_C(0xD4C86FFC), UINT32_C(0xC0F5DE4B), UINT32_C(0xF21AB6A2), ++ UINT32_C(0x4BB14B1E), UINT32_C(0xF50C1D12), UINT32_C(0xACB53A6C), ++ UINT32_C(0x5CC9162E), UINT32_C(0x46AAC450), UINT32_C(0x2DE240B6), ++ UINT32_C(0x049C51E0), UINT32_C(0xE383C3B0), UINT32_C(0xBB2DC016) } }, ++ { { UINT32_C(0x8E438C92), UINT32_C(0xA3C56AD2), UINT32_C(0xB2CEAF1A), ++ UINT32_C(0x7C43F98F), UINT32_C(0xE2150778), UINT32_C(0x397C44F7), ++ UINT32_C(0x71A24131), UINT32_C(0x48D17AB7), UINT32_C(0x1E2ACDA9), ++ UINT32_C(0xCC513863), UINT32_C(0xF0C9BAC9), UINT32_C(0x2C76A55E) }, ++ { UINT32_C(0x7EA4BB7B), UINT32_C(0x4D74CDCE), UINT32_C(0xB1B3C2BA), ++ UINT32_C(0x834BD5BF), UINT32_C(0xCCC310A4), UINT32_C(0x46E2911E), ++ UINT32_C(0x0FC1BF13), UINT32_C(0xD3DE84AA), UINT32_C(0x80A03AD3), ++ UINT32_C(0x27F2892F), UINT32_C(0x3BD2F08B), UINT32_C(0x85B47620) } }, ++ { { UINT32_C(0x567AF533), UINT32_C(0xAB1CB818), UINT32_C(0xBAC2705A), ++ UINT32_C(0x273B4537), UINT32_C(0x22C84AB6), UINT32_C(0x133066C4), ++ UINT32_C(0x4830BFC1), UINT32_C(0xC3590DE6), UINT32_C(0x5E4742D0), ++ UINT32_C(0xEA297869), UINT32_C(0x4F3164C0), UINT32_C(0xF6D8C694) }, ++ { UINT32_C(0xC1249588), UINT32_C(0x09E85F3D), UINT32_C(0x4EC64DF7), ++ UINT32_C(0x6C2BB05D), UINT32_C(0x8B78000F), UINT32_C(0xD267115E), ++ UINT32_C(0xC7E4A316), UINT32_C(0x07C5D7AE), UINT32_C(0x4619E5BD), ++ UINT32_C(0xCB1187BA), UINT32_C(0xA43F7EEE), UINT32_C(0x57B1D4EF) } }, ++ { { UINT32_C(0xC8176A96), UINT32_C(0x3618891F), UINT32_C(0xE5808B97), ++ UINT32_C(0x62C4B084), UINT32_C(0x4DD95D6E), UINT32_C(0xDE558546), ++ UINT32_C(0x730B2EA4), UINT32_C(0x27A8133E), UINT32_C(0x6AF318A0), ++ UINT32_C(0xE07CEEC3), UINT32_C(0xCE24FD2C), UINT32_C(0x0ACC1286) }, ++ { UINT32_C(0xDD4D307C), UINT32_C(0x8A48FE4A), UINT32_C(0x18CDE0DA), ++ UINT32_C(0x71A9BA9C), UINT32_C(0xD5D79747), UINT32_C(0x655E2B66), ++ UINT32_C(0xA79AEDC7), UINT32_C(0x409FE856), UINT32_C(0xD287E5CF), ++ UINT32_C(0xC5A9F244), UINT32_C(0x4E82EC39), UINT32_C(0xCCE10384) } }, ++ { { UINT32_C(0xF25D364C), UINT32_C(0x00675BA7), UINT32_C(0x68D36BDF), ++ UINT32_C(0x7A7F1629), UINT32_C(0xA9E23F29), UINT32_C(0x35EC468A), ++ UINT32_C(0x2D926E6C), UINT32_C(0xF797AC50), UINT32_C(0x4B4F4376), ++ UINT32_C(0x639BA453), UINT32_C(0x51FF9519), UINT32_C(0xD71B430F) }, ++ { UINT32_C(0x2CF5635C), UINT32_C(0xB8C439EC), UINT32_C(0x81980393), ++ UINT32_C(0x0CE4C8D1), UINT32_C(0x64123B15), UINT32_C(0x4C5362A9), ++ UINT32_C(0xFFDCF096), UINT32_C(0x6E0421E0), UINT32_C(0x10D1F914), ++ UINT32_C(0x624A855F), UINT32_C(0x614DCD29), UINT32_C(0x7D8F3AB7) } }, ++ { { UINT32_C(0xB3493CE0), UINT32_C(0xD9219ADA), UINT32_C(0x52F09AE5), ++ UINT32_C(0x971B243A), UINT32_C(0xE24E3674), UINT32_C(0xC16C9BF8), ++ UINT32_C(0xCE68C7CD), UINT32_C(0x026D408D), UINT32_C(0x358209E3), ++ UINT32_C(0xF9B33DD9), UINT32_C(0xF3B2A206), UINT32_C(0x02D0595D) }, ++ { UINT32_C(0x60D15640), UINT32_C(0xBF994271), UINT32_C(0x15B5466A), ++ UINT32_C(0x6DA7A04E), UINT32_C(0x1CADB50D), UINT32_C(0x03AA4ED8), ++ UINT32_C(0x129A4253), UINT32_C(0x1548F029), UINT32_C(0xB842865A), ++ UINT32_C(0x41741F7E), UINT32_C(0xA3F88C98), UINT32_C(0x859FE0A4) } }, ++ { { UINT32_C(0x05FD7553), UINT32_C(0x80DE085A), UINT32_C(0xB897566B), ++ UINT32_C(0x4A4AB91E), UINT32_C(0x2F1C173F), UINT32_C(0x33BCD475), ++ UINT32_C(0xC100C013), UINT32_C(0x4E238896), UINT32_C(0xD614B34B), ++ UINT32_C(0x1C88500D), UINT32_C(0xC3BA9E23), UINT32_C(0x0401C5F6) }, ++ { UINT32_C(0xD0AF0DE5), UINT32_C(0x8E8003C4), UINT32_C(0x9D0DCBB9), ++ UINT32_C(0x19B1DFB5), UINT32_C(0xEBEF7AB6), UINT32_C(0x4A3640A9), ++ UINT32_C(0x959B15F6), UINT32_C(0xEDAFD65B), UINT32_C(0x7FB95821), ++ UINT32_C(0x8092EF7F), UINT32_C(0xCE2E45D1), UINT32_C(0xAB8DD52E) } }, ++ { { UINT32_C(0xB9CFE6BF), UINT32_C(0xD1F2D6B8), UINT32_C(0x00073F6F), ++ UINT32_C(0x6358810B), UINT32_C(0xD712106E), UINT32_C(0x5FCE5993), ++ UINT32_C(0x1C024C91), UINT32_C(0x5EE6B271), UINT32_C(0x453DB663), ++ UINT32_C(0xD0248FF5), UINT32_C(0xADB835E8), UINT32_C(0xD6D81CB2) }, ++ { UINT32_C(0xFDFCB4C7), UINT32_C(0x8696CFEC), UINT32_C(0x53BC9045), ++ UINT32_C(0x696B7FCB), UINT32_C(0xDDA56981), UINT32_C(0xAB4D3807), ++ UINT32_C(0x1E4B943B), UINT32_C(0x2F998052), UINT32_C(0x166B7F18), ++ UINT32_C(0x8AA76ADB), UINT32_C(0x52A2D7ED), UINT32_C(0x63934301) } }, ++ }, ++ { ++ { { UINT32_C(0xA368EFF6), UINT32_C(0xBBCCCE39), UINT32_C(0x8CEB5C43), ++ UINT32_C(0xD8CAABDF), UINT32_C(0xD2252FDA), UINT32_C(0x9EAE35A5), ++ UINT32_C(0x54E7DD49), UINT32_C(0xA8F4F209), UINT32_C(0x295100FD), ++ UINT32_C(0xA56D72A6), UINT32_C(0x56767727), UINT32_C(0x20FC1FE8) }, ++ { UINT32_C(0x0BBAA5AB), UINT32_C(0xBF60B248), UINT32_C(0x313911F2), ++ UINT32_C(0xA4F3CE5A), UINT32_C(0xB93DAB9C), UINT32_C(0xC2A67AD4), ++ UINT32_C(0x22D71F39), UINT32_C(0x18CD0ED0), UINT32_C(0x5F304DB2), ++ UINT32_C(0x04380C42), UINT32_C(0x6729C821), UINT32_C(0x26420CBB) } }, ++ { { UINT32_C(0xBDFBCAE8), UINT32_C(0x26BD07D6), UINT32_C(0xDF01A80A), ++ UINT32_C(0x10B5173F), UINT32_C(0x6798B96C), UINT32_C(0xD831C546), ++ UINT32_C(0x1D3F3859), UINT32_C(0x1D6B4108), UINT32_C(0x991B9EC7), ++ UINT32_C(0x501D38EC), UINT32_C(0xD78431A9), UINT32_C(0x26319283) }, ++ { UINT32_C(0x118B343C), UINT32_C(0x8B85BAF7), UINT32_C(0x58DEF7D0), ++ UINT32_C(0x4696CDDD), UINT32_C(0x7ACDCF58), UINT32_C(0xEFC7C110), ++ UINT32_C(0x848D5842), UINT32_C(0xD9AF415C), UINT32_C(0x0AC7FDAC), ++ UINT32_C(0x6B5A06BC), UINT32_C(0xA344319B), UINT32_C(0x7D623E0D) } }, ++ { { UINT32_C(0x0C9D3547), UINT32_C(0x4C0D7806), UINT32_C(0xCF2AED47), ++ UINT32_C(0x993F048D), UINT32_C(0xE4B57E22), UINT32_C(0x5217C453), ++ UINT32_C(0xF4172B28), UINT32_C(0xB4669E35), UINT32_C(0x49F999F8), ++ UINT32_C(0x509A3CD0), UINT32_C(0x87C69D41), UINT32_C(0xD19F8632) }, ++ { UINT32_C(0x4C8FDED0), UINT32_C(0xE14D01E8), UINT32_C(0xEAFD9E1C), ++ UINT32_C(0x342880FD), UINT32_C(0x70DC2BF0), UINT32_C(0x0E17BFF2), ++ UINT32_C(0xC0186400), UINT32_C(0x46560B7B), UINT32_C(0x49A4DD34), ++ UINT32_C(0xE28C7B9C), UINT32_C(0x0F325D06), UINT32_C(0x18211916) } }, ++ { { UINT32_C(0xD7E02E18), UINT32_C(0x46D70888), UINT32_C(0xD9F11FD9), ++ UINT32_C(0x7C806954), UINT32_C(0x4FBEA271), UINT32_C(0xE4948FCA), ++ UINT32_C(0xBD80A9DF), UINT32_C(0x7D6C7765), UINT32_C(0xF3871C71), ++ UINT32_C(0x1B470EA6), UINT32_C(0x8330A570), UINT32_C(0xD62DE244) }, ++ { UINT32_C(0xC659C3A7), UINT32_C(0xDAECDDC1), UINT32_C(0x077F7AFC), ++ UINT32_C(0x8621E513), UINT32_C(0xCAEEEF13), UINT32_C(0x56C7CD84), ++ UINT32_C(0xC685A356), UINT32_C(0xC60C910F), UINT32_C(0x9DD93DDC), ++ UINT32_C(0xE68BC5C5), UINT32_C(0xFEB64895), UINT32_C(0xD904E89F) } }, ++ { { UINT32_C(0x8BA7917A), UINT32_C(0x75D874FB), UINT32_C(0xFD043BD4), ++ UINT32_C(0x18FA7F53), UINT32_C(0x1FC3979E), UINT32_C(0x212A0AD7), ++ UINT32_C(0x5D6EAC0E), UINT32_C(0x5703A7D9), UINT32_C(0x017DEAD5), ++ UINT32_C(0x222F7188), UINT32_C(0x0F6C1817), UINT32_C(0x1EC687B7) }, ++ { UINT32_C(0x238BACB6), UINT32_C(0x23412FC3), UINT32_C(0x54CED154), ++ UINT32_C(0xB85D70E9), UINT32_C(0xBDA674D0), UINT32_C(0xD4E06722), ++ UINT32_C(0x36F5A0C2), UINT32_C(0x3EA5F178), UINT32_C(0xF5C6D2CA), ++ UINT32_C(0x7E7D79CF), UINT32_C(0x3DBB3C73), UINT32_C(0x1FFF9464) } }, ++ { { UINT32_C(0xF163E4A8), UINT32_C(0x916E19D0), UINT32_C(0x1489DF17), ++ UINT32_C(0x1E6740E7), UINT32_C(0x339F3A47), UINT32_C(0x1EAF9723), ++ UINT32_C(0x124B8DAD), UINT32_C(0x22F0ED1A), UINT32_C(0x49C3DD04), ++ UINT32_C(0x39C9166C), UINT32_C(0xCE1E9ACC), UINT32_C(0x628E7FD4) }, ++ { UINT32_C(0x40031676), UINT32_C(0x124DDF27), UINT32_C(0x1EDDB9BE), ++ UINT32_C(0x00256939), UINT32_C(0xD360B0DA), UINT32_C(0xD39E25E7), ++ UINT32_C(0x4AA6C4C9), UINT32_C(0x6E3015A8), UINT32_C(0x623EDA09), ++ UINT32_C(0xC6A2F643), UINT32_C(0x50AA99FB), UINT32_C(0xBEFF2D12) } }, ++ { { UINT32_C(0x93EE8089), UINT32_C(0x1FEEF7CE), UINT32_C(0x252DD7BD), ++ UINT32_C(0xC6B180BC), UINT32_C(0x1788F051), UINT32_C(0xA16FB20B), ++ UINT32_C(0xE046ED39), UINT32_C(0xD86FD392), UINT32_C(0x9378CE1D), ++ UINT32_C(0xDA0A3611), UINT32_C(0xA5F7A61D), UINT32_C(0x121EF3E7) }, ++ { UINT32_C(0x92D13CAE), UINT32_C(0x94D22061), UINT32_C(0x77C72E08), ++ UINT32_C(0x5076046A), UINT32_C(0x7D2308B9), UINT32_C(0xF18BC233), ++ UINT32_C(0x17F977B1), UINT32_C(0x004DB3C5), UINT32_C(0x0471C11D), ++ UINT32_C(0xD05AE399), UINT32_C(0x85CD1726), UINT32_C(0x86A2A557) } }, ++ { { UINT32_C(0x72107804), UINT32_C(0xB8D9B286), UINT32_C(0x3303B79B), ++ UINT32_C(0xB5A7C413), UINT32_C(0x5FA37DED), UINT32_C(0x927EEF78), ++ UINT32_C(0xAD67DABA), UINT32_C(0xA1C5CF1E), UINT32_C(0x7360E7C7), ++ UINT32_C(0xAA5E3FB2), UINT32_C(0x0A0C0993), UINT32_C(0x8354E61A) }, ++ { UINT32_C(0x7F5458CC), UINT32_C(0x2EC73AF9), UINT32_C(0x48474325), ++ UINT32_C(0xDE4CB488), UINT32_C(0x7209BC69), UINT32_C(0x2DD134C7), ++ UINT32_C(0x451A2ABE), UINT32_C(0xB70C5567), UINT32_C(0x8E293018), ++ UINT32_C(0x2CD1B200), UINT32_C(0xD33C0D72), UINT32_C(0x15F8DA7A) } }, ++ { { UINT32_C(0xA8790657), UINT32_C(0x5DC386D0), UINT32_C(0xBC4D88BB), ++ UINT32_C(0xA4FDF676), UINT32_C(0x48BC6C49), UINT32_C(0x1B21F38F), ++ UINT32_C(0x543A7003), UINT32_C(0xCDCC7FAA), UINT32_C(0x8C9CF72C), ++ UINT32_C(0xEA97E7AA), UINT32_C(0x50D938A8), UINT32_C(0xA6B883F4) }, ++ { UINT32_C(0xA3A10F27), UINT32_C(0x51936F3A), UINT32_C(0xDECC76BF), ++ UINT32_C(0x0170785F), UINT32_C(0x908C578A), UINT32_C(0x7539ECE1), ++ UINT32_C(0x0F3E8C25), UINT32_C(0x5D9C8A8E), UINT32_C(0x9E4717A7), ++ UINT32_C(0x8681B43B), UINT32_C(0xA9D83E39), UINT32_C(0x94F42507) } }, ++ { { UINT32_C(0xA55ADDE7), UINT32_C(0xBBE11CA8), UINT32_C(0x3BC0896B), ++ UINT32_C(0x39E6F5CF), UINT32_C(0x1D2D8D94), UINT32_C(0x1447314E), ++ UINT32_C(0x5B012F8A), UINT32_C(0x45B48125), UINT32_C(0x08AD5283), ++ UINT32_C(0x41AD23FA), UINT32_C(0x41D13774), UINT32_C(0x837243E2) }, ++ { UINT32_C(0xBADCAA46), UINT32_C(0x1FC0BD9D), UINT32_C(0x26E84CAE), ++ UINT32_C(0x8DF164ED), UINT32_C(0x41017176), UINT32_C(0x8FF70EC0), ++ UINT32_C(0x5C848BA7), UINT32_C(0x23AD4BCE), UINT32_C(0x97A19CBB), ++ UINT32_C(0x89246FDE), UINT32_C(0x78397991), UINT32_C(0xA5EF987B) } }, ++ { { UINT32_C(0x4757964D), UINT32_C(0x111AF1B7), UINT32_C(0xDDBBF258), ++ UINT32_C(0x1D25D351), UINT32_C(0x7D2B06D6), UINT32_C(0x4161E776), ++ UINT32_C(0x1CAC0C5B), UINT32_C(0x6EFD2691), UINT32_C(0x211BFAEB), ++ UINT32_C(0x633B95DB), UINT32_C(0xE2BDF701), UINT32_C(0x9BEDFA5A) }, ++ { UINT32_C(0x73E099C8), UINT32_C(0xADAC2B0B), UINT32_C(0xBFB16BFF), ++ UINT32_C(0x436F0023), UINT32_C(0x30F55854), UINT32_C(0xB91B1002), ++ UINT32_C(0xF4C6C8B7), UINT32_C(0xAF6A2097), UINT32_C(0x3AD7B3D9), ++ UINT32_C(0x3FF65CED), UINT32_C(0x330E56DF), UINT32_C(0x6FA2626F) } }, ++ { { UINT32_C(0xFFCCFD07), UINT32_C(0x3D28BF2D), UINT32_C(0xD989603B), ++ UINT32_C(0x0514F6FF), UINT32_C(0x5514787A), UINT32_C(0xB9519629), ++ UINT32_C(0xC3DB4E9C), UINT32_C(0xA1848121), UINT32_C(0x2A3D4595), ++ UINT32_C(0x47FE2E39), UINT32_C(0x11B73ED4), UINT32_C(0x506F5D82) }, ++ { UINT32_C(0xA600D8BB), UINT32_C(0xA2257AE7), UINT32_C(0x0F9F122C), ++ UINT32_C(0xD659DBD1), UINT32_C(0x64DF160F), UINT32_C(0xDB0FDC67), ++ UINT32_C(0x7CB19690), UINT32_C(0xFF379339), UINT32_C(0x98E72EC1), ++ UINT32_C(0xDF4366B8), UINT32_C(0xDF437EB8), UINT32_C(0x97E72BEC) } }, ++ { { UINT32_C(0x1C81E5D9), UINT32_C(0x81DCEA27), UINT32_C(0x6717FC49), ++ UINT32_C(0x7E1B6CDA), UINT32_C(0x11EAE80D), UINT32_C(0xAA36B3B5), ++ UINT32_C(0x3CD7CBB3), UINT32_C(0x1306687C), UINT32_C(0xC4E89064), ++ UINT32_C(0xED670235), UINT32_C(0x58A94760), UINT32_C(0x9D3B0009) }, ++ { UINT32_C(0xE6A6333C), UINT32_C(0x5A64E158), UINT32_C(0x49453203), ++ UINT32_C(0x1A8B4A36), UINT32_C(0x1F77CC21), UINT32_C(0xF1CAD724), ++ UINT32_C(0x70518EF7), UINT32_C(0x693EBB4B), UINT32_C(0x0F39C91A), ++ UINT32_C(0xFB47BD81), UINT32_C(0xFA4BC64B), UINT32_C(0xCFE63DA2) } }, ++ { { UINT32_C(0xEAA66108), UINT32_C(0x82C1C684), UINT32_C(0x4CFE79FC), ++ UINT32_C(0xE3226218), UINT32_C(0x849C720E), UINT32_C(0x3F28B72B), ++ UINT32_C(0x8FEE1CA8), UINT32_C(0x137FB355), UINT32_C(0xE4F90C4E), ++ UINT32_C(0x4D18A9CD), UINT32_C(0xCC3E46FA), UINT32_C(0xC0344227) }, ++ { UINT32_C(0x79CDA392), UINT32_C(0x4FD5C08E), UINT32_C(0x8ADC87B5), ++ UINT32_C(0x65DB20DB), UINT32_C(0x916C1B84), UINT32_C(0x86F95D5B), ++ UINT32_C(0x17BB2B7C), UINT32_C(0x7EDA3871), UINT32_C(0x669A533B), ++ UINT32_C(0x18CCF7E7), UINT32_C(0xECAD0E06), UINT32_C(0x5E92421C) } }, ++ { { UINT32_C(0x4174B08B), UINT32_C(0x26063E12), UINT32_C(0x70DE8E4D), ++ UINT32_C(0xE621D9BE), UINT32_C(0x5ECDF350), UINT32_C(0xAEA0FD0F), ++ UINT32_C(0x9C20E5C9), UINT32_C(0x0D9F69E4), UINT32_C(0x0BBE2918), ++ UINT32_C(0xD3DADEB9), UINT32_C(0x58AA2F71), UINT32_C(0xD7B9B5DB) }, ++ { UINT32_C(0x3364CAF8), UINT32_C(0x7A971DD7), UINT32_C(0xC25D4BE4), ++ UINT32_C(0x702616A3), UINT32_C(0xA9E30071), UINT32_C(0xA30F0FA1), ++ UINT32_C(0x5573BC69), UINT32_C(0x98AB2438), UINT32_C(0x6FEC2E22), ++ UINT32_C(0xCBC63CDF), UINT32_C(0xCC901B9B), UINT32_C(0x965F90ED) } }, ++ { { UINT32_C(0x71E15BB3), UINT32_C(0xD53B592D), UINT32_C(0x8820E0D0), ++ UINT32_C(0x1F03C0E9), UINT32_C(0x3CCCB726), UINT32_C(0xCE93947D), ++ UINT32_C(0x1D547590), UINT32_C(0x2790FEE0), UINT32_C(0xC59CDD7A), ++ UINT32_C(0x4401D847), UINT32_C(0xA926DD9D), UINT32_C(0x72D69120) }, ++ { UINT32_C(0x4229F289), UINT32_C(0x38B8F21D), UINT32_C(0x7FE978AF), ++ UINT32_C(0x9F412E40), UINT32_C(0xCDB59AF1), UINT32_C(0xAE07901B), ++ UINT32_C(0xD1D4715E), UINT32_C(0x1E6BE5EB), UINT32_C(0x18C96BEF), ++ UINT32_C(0x3715BD8B), UINT32_C(0xE11B3798), UINT32_C(0x4B71F6E6) } }, ++ }, ++ { ++ { { UINT32_C(0xF0CE2DF4), UINT32_C(0x11A8FDE5), UINT32_C(0xFA8D26DF), ++ UINT32_C(0xBC70CA3E), UINT32_C(0xC74DFE82), UINT32_C(0x6818C275), ++ UINT32_C(0x38373A50), UINT32_C(0x2B0294AC), UINT32_C(0xE8E5F88F), ++ UINT32_C(0x584C4061), UINT32_C(0x7342383A), UINT32_C(0x1C05C1CA) }, ++ { UINT32_C(0x911430EC), UINT32_C(0x263895B3), UINT32_C(0xA5171453), ++ UINT32_C(0xEF9B0032), UINT32_C(0x84DA7F0C), UINT32_C(0x144359DA), ++ UINT32_C(0x924A09F2), UINT32_C(0x76E3095A), UINT32_C(0xD69AD835), ++ UINT32_C(0x612986E3), UINT32_C(0x392122AF), UINT32_C(0x70E03ADA) } }, ++ { { UINT32_C(0x67AAD17B), UINT32_C(0xFEB707EE), UINT32_C(0x83042995), ++ UINT32_C(0xBB21B287), UINT32_C(0x9A0D32BA), UINT32_C(0x26DE1645), ++ UINT32_C(0x1FFB9266), UINT32_C(0x9A2FF38A), UINT32_C(0x8F578B4A), ++ UINT32_C(0x4E5AD96D), UINT32_C(0x883E7443), UINT32_C(0x26CC0655) }, ++ { UINT32_C(0x2EE9367A), UINT32_C(0x1D8EECAB), UINT32_C(0x881DE2F8), ++ UINT32_C(0x42B84337), UINT32_C(0xD758AE41), UINT32_C(0xE49B2FAE), ++ UINT32_C(0x4A85D867), UINT32_C(0x6A9A2290), UINT32_C(0xE68CBA86), ++ UINT32_C(0x2FB89DCE), UINT32_C(0x7F09A982), UINT32_C(0xBC252635) } }, ++ { { UINT32_C(0x8C61AAAC), UINT32_C(0xADC79436), UINT32_C(0x5E926563), ++ UINT32_C(0x24C7FD13), UINT32_C(0x0406C129), UINT32_C(0xEF9FAAA4), ++ UINT32_C(0x8B658D3C), UINT32_C(0xF4E6388C), UINT32_C(0x1E435BAF), ++ UINT32_C(0x7262BEB4), UINT32_C(0xFDAEAC99), UINT32_C(0x3BF622CC) }, ++ { UINT32_C(0x4E1AEDDC), UINT32_C(0xD359F7D8), UINT32_C(0xD78C17B7), ++ UINT32_C(0x05DC4F8C), UINT32_C(0x29498BA5), UINT32_C(0xB18CF032), ++ UINT32_C(0x85BF35AD), UINT32_C(0xC67388CA), UINT32_C(0x62AA4BC8), ++ UINT32_C(0x8A7A6AA2), UINT32_C(0x72F4627A), UINT32_C(0x0B8F458E) } }, ++ { { UINT32_C(0xC68E4488), UINT32_C(0x3FB812EE), UINT32_C(0x60EF7281), ++ UINT32_C(0x53C5EAA4), UINT32_C(0x8FBEFBE4), UINT32_C(0xE5724183), ++ UINT32_C(0xA4B24A05), UINT32_C(0x2B7D49F4), UINT32_C(0x710C0A43), ++ UINT32_C(0x23B138D0), UINT32_C(0xA85EC1DB), UINT32_C(0x16A5B4C1) }, ++ { UINT32_C(0x305FEB02), UINT32_C(0x7CC1F3D7), UINT32_C(0x5B6C1B54), ++ UINT32_C(0x52F7947D), UINT32_C(0x8F56981C), UINT32_C(0x1BDA2312), ++ UINT32_C(0xB4080A01), UINT32_C(0x68663EAE), UINT32_C(0x9F999B7F), ++ UINT32_C(0x8DD7BA7E), UINT32_C(0xB686580C), UINT32_C(0xD8768D19) } }, ++ { { UINT32_C(0x7AFDDA94), UINT32_C(0xBCD0E0AD), UINT32_C(0x34A30687), ++ UINT32_C(0x95A0DBBE), UINT32_C(0x8C5E2665), UINT32_C(0xBBE3C3DF), ++ UINT32_C(0xEBF2BC16), UINT32_C(0x742BECD8), UINT32_C(0x3FA163A6), ++ UINT32_C(0x300CEB48), UINT32_C(0x4663354B), UINT32_C(0x0C5D02EE) }, ++ { UINT32_C(0xB5E606A4), UINT32_C(0xE4FB9AD6), UINT32_C(0xCF49FF95), ++ UINT32_C(0x93F507B8), UINT32_C(0x585C193B), UINT32_C(0x9406A90C), ++ UINT32_C(0x4ECF9517), UINT32_C(0xAD1440C1), UINT32_C(0x9CEA53F1), ++ UINT32_C(0x184CB475), UINT32_C(0x8EF11302), UINT32_C(0x6855C474) } }, ++ { { UINT32_C(0xEDCAFA52), UINT32_C(0x00ECB523), UINT32_C(0x086F69D3), ++ UINT32_C(0x0DA0AE0E), UINT32_C(0xC242F347), UINT32_C(0xC384DE15), ++ UINT32_C(0x848C12B7), UINT32_C(0xFB050E6E), UINT32_C(0x64E015CE), ++ UINT32_C(0x22F67654), UINT32_C(0x7CA122F2), UINT32_C(0xCBDC2A48) }, ++ { UINT32_C(0x445FB02C), UINT32_C(0xA940D973), UINT32_C(0x3767D89D), ++ UINT32_C(0x00F31E78), UINT32_C(0x613DABDD), UINT32_C(0x2B65A237), ++ UINT32_C(0xC875AE09), UINT32_C(0x2BE0AB05), UINT32_C(0xBA204F8E), ++ UINT32_C(0xB22E54FD), UINT32_C(0x0F7687B9), UINT32_C(0x65E2029D) } }, ++ { { UINT32_C(0x1855A71C), UINT32_C(0xFFD82538), UINT32_C(0x438BD8D8), ++ UINT32_C(0x26A330B3), UINT32_C(0xF9D8C5F9), UINT32_C(0x89628311), ++ UINT32_C(0x953738A0), UINT32_C(0x8D5FB9CF), UINT32_C(0xEDFCD4E5), ++ UINT32_C(0xCB7159C9), UINT32_C(0x2064C7C2), UINT32_C(0xD64E5230) }, ++ { UINT32_C(0x689F3CFE), UINT32_C(0xF858ED80), UINT32_C(0x56128B67), ++ UINT32_C(0x4830E309), UINT32_C(0xE0E90688), UINT32_C(0x2E1692DA), ++ UINT32_C(0xCA9CC232), UINT32_C(0xAB818913), UINT32_C(0xA5D229A6), ++ UINT32_C(0xE2E30C23), UINT32_C(0x0E740E23), UINT32_C(0xA544E8B1) } }, ++ { { UINT32_C(0xDC61E6CC), UINT32_C(0x1C15E569), UINT32_C(0x58FC7800), ++ UINT32_C(0x8FD72967), UINT32_C(0x37A9DFC5), UINT32_C(0xE61E7DB7), ++ UINT32_C(0x5AFD7822), UINT32_C(0x3F34A9C6), UINT32_C(0x19E80773), ++ UINT32_C(0x0A112742), UINT32_C(0x4760FC58), UINT32_C(0xA353460C) }, ++ { UINT32_C(0xB3124C71), UINT32_C(0x2FB7DEEB), UINT32_C(0x2D4009CC), ++ UINT32_C(0x48463627), UINT32_C(0xC3A10370), UINT32_C(0x399D1933), ++ UINT32_C(0x54388DBD), UINT32_C(0x7EB19450), UINT32_C(0x7C2A006A), ++ UINT32_C(0x8ECCE639), UINT32_C(0x55C932A0), UINT32_C(0x3D565DAF) } }, ++ { { UINT32_C(0xD9ADAE53), UINT32_C(0xCEF57A9F), UINT32_C(0xF83FD8CD), ++ UINT32_C(0xE2EB27D7), UINT32_C(0x9BBD2DDE), UINT32_C(0x4AC8F719), ++ UINT32_C(0xE91ABFB7), UINT32_C(0x604283AA), UINT32_C(0x34799F87), ++ UINT32_C(0xB6A4E115), UINT32_C(0xE4C2A8F3), UINT32_C(0x2B253224) }, ++ { UINT32_C(0xC8782294), UINT32_C(0xC34F8B92), UINT32_C(0xFCC2CB6B), ++ UINT32_C(0xC74D697D), UINT32_C(0xC2C84C46), UINT32_C(0xD990411B), ++ UINT32_C(0x31EA4955), UINT32_C(0x2807B5C6), UINT32_C(0xB9EB27F5), ++ UINT32_C(0x14AE2B93), UINT32_C(0x6163EDFA), UINT32_C(0xF0AE96A7) } }, ++ { { UINT32_C(0x42DB7180), UINT32_C(0xA7BDCBB4), UINT32_C(0xEDCA752F), ++ UINT32_C(0xC9FAA41F), UINT32_C(0xE820F401), UINT32_C(0x147F91B4), ++ UINT32_C(0xF5F2645F), UINT32_C(0x1E6CEF86), UINT32_C(0x31FE711D), ++ UINT32_C(0xB4AB4D7F), UINT32_C(0x743EF882), UINT32_C(0xCE68FB3C) }, ++ { UINT32_C(0x3EF2FCFF), UINT32_C(0xB9D7D682), UINT32_C(0x020DCAFD), ++ UINT32_C(0xF6893811), UINT32_C(0xBF81E760), UINT32_C(0x30D9A50C), ++ UINT32_C(0xB9B87228), UINT32_C(0x7F247D06), UINT32_C(0x5F40CFC0), ++ UINT32_C(0x143D4FEC), UINT32_C(0x329B2A88), UINT32_C(0x21D78D73) } }, ++ { { UINT32_C(0xED3F2055), UINT32_C(0x06B3FF8A), UINT32_C(0x522BE214), ++ UINT32_C(0x50482C77), UINT32_C(0xDDF54620), UINT32_C(0x8DF69CD8), ++ UINT32_C(0xF78A1165), UINT32_C(0x6D1DB204), UINT32_C(0x9AFE6BF2), ++ UINT32_C(0x459AE4A2), UINT32_C(0x24AC871E), UINT32_C(0xC23A9FFD) }, ++ { UINT32_C(0x89E85D81), UINT32_C(0xB7FD22E3), UINT32_C(0x122E9978), ++ UINT32_C(0x297F1F6B), UINT32_C(0x144BE1CE), UINT32_C(0xAB283D66), ++ UINT32_C(0xC00C614E), UINT32_C(0xC1F90AC2), UINT32_C(0x3224CD09), ++ UINT32_C(0x5465576E), UINT32_C(0x441B6059), UINT32_C(0x8E8D910D) } }, ++ { { UINT32_C(0xAAA228BC), UINT32_C(0xF73A060A), UINT32_C(0x56EFF87D), ++ UINT32_C(0xCF1B0783), UINT32_C(0xA54C9133), UINT32_C(0x11EF17C0), ++ UINT32_C(0x76A4DAA5), UINT32_C(0x9E476B15), UINT32_C(0x8018FB92), ++ UINT32_C(0x5624FEAC), UINT32_C(0xCFEEC1B9), UINT32_C(0x9826A0FC) }, ++ { UINT32_C(0x2DFE2046), UINT32_C(0xB732F7FE), UINT32_C(0x3B40DA6A), ++ UINT32_C(0x9260BD9F), UINT32_C(0x4F231773), UINT32_C(0xCC9F908F), ++ UINT32_C(0xDAFC0D55), UINT32_C(0x4827FEB9), UINT32_C(0x538ACE95), ++ UINT32_C(0x07D32E85), UINT32_C(0xB8EDAF37), UINT32_C(0xAD9F897C) } }, ++ { { UINT32_C(0xE3415498), UINT32_C(0x2F75B82F), UINT32_C(0xF1015F30), ++ UINT32_C(0xF99CAC5F), UINT32_C(0x7D7F25DE), UINT32_C(0x76640824), ++ UINT32_C(0xEE74C047), UINT32_C(0x714BC9CD), UINT32_C(0x07448879), ++ UINT32_C(0x70F847BF), UINT32_C(0x072165C0), UINT32_C(0xA14481DE) }, ++ { UINT32_C(0xDB1140A8), UINT32_C(0x9BFA59E3), UINT32_C(0xFCD13502), ++ UINT32_C(0x7B9C7FF0), UINT32_C(0x68459ABF), UINT32_C(0xF4D7538E), ++ UINT32_C(0xC8FC6AD2), UINT32_C(0xED93A791), UINT32_C(0xB51BD9B2), ++ UINT32_C(0xA8BBE2A8), UINT32_C(0x9FB34008), UINT32_C(0x084B5A27) } }, ++ { { UINT32_C(0xEB138C84), UINT32_C(0xB3BB9545), UINT32_C(0x3FC88BFD), ++ UINT32_C(0x59C3489C), UINT32_C(0x85F53EC7), UINT32_C(0x3A97FF63), ++ UINT32_C(0x0AA69C3D), UINT32_C(0x40FDF5A6), UINT32_C(0x53D19668), ++ UINT32_C(0x0E8CCEC7), UINT32_C(0x33FAA661), UINT32_C(0x0AA72EF9) }, ++ { UINT32_C(0x9B1E684B), UINT32_C(0xF5C5A6CF), UINT32_C(0x31A22EA1), ++ UINT32_C(0x630F9371), UINT32_C(0xAC60F7EA), UINT32_C(0x06B2AAC2), ++ UINT32_C(0x5BC37D80), UINT32_C(0xB181CAE2), UINT32_C(0x247B13EA), ++ UINT32_C(0x4601A929), UINT32_C(0x5F739797), UINT32_C(0x8A71C386) } }, ++ { { UINT32_C(0xAB134786), UINT32_C(0x545387B3), UINT32_C(0x1599B64A), ++ UINT32_C(0x3179BB06), UINT32_C(0x07593574), UINT32_C(0xB0A61986), ++ UINT32_C(0x63FA7C3B), UINT32_C(0xC7E39B21), UINT32_C(0x91585D13), ++ UINT32_C(0xA1173F86), UINT32_C(0xCB9525CD), UINT32_C(0x09D5CC8E) }, ++ { UINT32_C(0x8F3A3451), UINT32_C(0xAAD44FFD), UINT32_C(0x25820CC5), ++ UINT32_C(0x702B04F2), UINT32_C(0x1CB66C17), UINT32_C(0xE90CAC49), ++ UINT32_C(0xEE161DC4), UINT32_C(0x40F6B547), UINT32_C(0x1BA4AC4E), ++ UINT32_C(0xC08BB8B4), UINT32_C(0xAE5A6BC1), UINT32_C(0x7DC064FB) } }, ++ { { UINT32_C(0x9D76DDC7), UINT32_C(0x90A5E871), UINT32_C(0xEDFC8E2E), ++ UINT32_C(0x39DC8FAE), UINT32_C(0x5B079C62), UINT32_C(0x98467A23), ++ UINT32_C(0x05450C98), UINT32_C(0xE25E3785), UINT32_C(0x96140083), ++ UINT32_C(0x2FE23A4D), UINT32_C(0xE9900312), UINT32_C(0x65CE3B9A) }, ++ { UINT32_C(0x6B72B5D9), UINT32_C(0x1D87D088), UINT32_C(0xFD9AFC82), ++ UINT32_C(0x72F53220), UINT32_C(0x9E1F71FA), UINT32_C(0xC63C7C15), ++ UINT32_C(0x8D449637), UINT32_C(0x90DF26EA), UINT32_C(0xC1C2B215), ++ UINT32_C(0x97089F40), UINT32_C(0x42317FAA), UINT32_C(0x83AF2664) } }, ++ }, ++ { ++ { { UINT32_C(0x8D688E31), UINT32_C(0xFA2DB51A), UINT32_C(0xA09C88D4), ++ UINT32_C(0x225B696C), UINT32_C(0x6059171F), UINT32_C(0x9F88AF1D), ++ UINT32_C(0x782A0993), UINT32_C(0x1C5FEA5E), UINT32_C(0x4EC710D3), ++ UINT32_C(0xE0FB1588), UINT32_C(0xD32CE365), UINT32_C(0xFAF372E5) }, ++ { UINT32_C(0x26506F45), UINT32_C(0xD9F896AB), UINT32_C(0x8373C724), ++ UINT32_C(0x8D350338), UINT32_C(0xCA6E7342), UINT32_C(0x1B76992D), ++ UINT32_C(0x6FD0C08B), UINT32_C(0x76338FCA), UINT32_C(0xA00F5C23), ++ UINT32_C(0xC3EA4C65), UINT32_C(0xB316B35B), UINT32_C(0xDFAB29B3) } }, ++ { { UINT32_C(0x483AEBF9), UINT32_C(0x84E5541F), UINT32_C(0x49165772), ++ UINT32_C(0x8ADFF7DC), UINT32_C(0x9BEAAD3C), UINT32_C(0xE0A43AD6), ++ UINT32_C(0xF51C2714), UINT32_C(0x97DD1820), UINT32_C(0x57EA5B0C), ++ UINT32_C(0xAC2B4CB4), UINT32_C(0xD11767CA), UINT32_C(0x87DBD011) }, ++ { UINT32_C(0xBFC7957A), UINT32_C(0x18CCF36C), UINT32_C(0x1BC79227), ++ UINT32_C(0xD4A08841), UINT32_C(0xD8D292A8), UINT32_C(0x9811CE43), ++ UINT32_C(0xD58C4EE7), UINT32_C(0x72C5FC68), UINT32_C(0xD35C65A7), ++ UINT32_C(0x5BC0F0BE), UINT32_C(0xCBBF9669), UINT32_C(0x0B446DBC) } }, ++ { { UINT32_C(0x9CEE9BCE), UINT32_C(0x7EBA3DA6), UINT32_C(0xD5377750), ++ UINT32_C(0x3E2C1248), UINT32_C(0x2B93D8B2), UINT32_C(0x8C917D98), ++ UINT32_C(0x7CAD1F75), UINT32_C(0xCA8FC6AC), UINT32_C(0xA0FF150A), ++ UINT32_C(0x5F581F19), UINT32_C(0xE08327FA), UINT32_C(0x872CC14A) }, ++ { UINT32_C(0xE9333188), UINT32_C(0xC774F187), UINT32_C(0x497AF7E8), ++ UINT32_C(0x528ED4AC), UINT32_C(0x8AD72B10), UINT32_C(0xCE036E9B), ++ UINT32_C(0x917986CF), UINT32_C(0x463F9EBB), UINT32_C(0x1325CF9B), ++ UINT32_C(0xBE516328), UINT32_C(0xDD7E5FEA), UINT32_C(0xD28D5C50) } }, ++ { { UINT32_C(0xDD58BBE3), UINT32_C(0x714C1D1B), UINT32_C(0x039AFD0F), ++ UINT32_C(0x85BA01AE), UINT32_C(0x6951AC80), UINT32_C(0x7F23EA3A), ++ UINT32_C(0xAC00C837), UINT32_C(0x5C599290), UINT32_C(0xBF24CC1B), ++ UINT32_C(0xF6EFA2B3), UINT32_C(0x1E84462B), UINT32_C(0x393D8E42) }, ++ { UINT32_C(0xF8B89453), UINT32_C(0x9BDA627D), UINT32_C(0xB23E0D1B), ++ UINT32_C(0xE66FFF2E), UINT32_C(0xC3B94EC2), UINT32_C(0xD1EE7089), ++ UINT32_C(0x3031699A), UINT32_C(0xF75DBA6E), UINT32_C(0x242B2453), ++ UINT32_C(0x8FF75F79), UINT32_C(0x289BFED4), UINT32_C(0xE721EDEB) } }, ++ { { UINT32_C(0xC1390FA8), UINT32_C(0x083215A1), UINT32_C(0x6DCE8CE0), ++ UINT32_C(0x901D686A), UINT32_C(0x837073FF), UINT32_C(0x4AB1BA62), ++ UINT32_C(0x34BEABA5), UINT32_C(0x10C287AA), UINT32_C(0x46985239), ++ UINT32_C(0xB4931AF4), UINT32_C(0xB053C4DC), UINT32_C(0x07639899) }, ++ { UINT32_C(0xE721EECD), UINT32_C(0x29E7F44D), UINT32_C(0x57B3FF48), ++ UINT32_C(0x65817182), UINT32_C(0x5054E2E0), UINT32_C(0x198542E2), ++ UINT32_C(0x84616DE8), UINT32_C(0x923C9E15), UINT32_C(0xAD465BB9), ++ UINT32_C(0x2A9C15E1), UINT32_C(0x16319245), UINT32_C(0xD8D4EFC7) } }, ++ { { UINT32_C(0x9961A674), UINT32_C(0x72DC7943), UINT32_C(0xA0E13668), ++ UINT32_C(0x839A0A52), UINT32_C(0x334945EA), UINT32_C(0xD7A53FA9), ++ UINT32_C(0xE7AA25DB), UINT32_C(0xDB21DB77), UINT32_C(0x66E96DA3), ++ UINT32_C(0xB6675A7D), UINT32_C(0xE66F33C0), UINT32_C(0x2C31C406) }, ++ { UINT32_C(0x6EC7B9CB), UINT32_C(0x45020B62), UINT32_C(0x0391F267), ++ UINT32_C(0xFF46E9CD), UINT32_C(0x0FA2F221), UINT32_C(0x7DABD744), ++ UINT32_C(0x9D4A2A3E), UINT32_C(0x9A32364B), UINT32_C(0x52D2E47A), ++ UINT32_C(0xF0F84AE8), UINT32_C(0x888F488A), UINT32_C(0xD0B872BB) } }, ++ { { UINT32_C(0xC9790EEF), UINT32_C(0x531E4CEF), UINT32_C(0x2B8D1A58), ++ UINT32_C(0xF7B5735E), UINT32_C(0xEF568511), UINT32_C(0xB8882F1E), ++ UINT32_C(0x86A86DB3), UINT32_C(0xAFB08D1C), UINT32_C(0xF54DE8C7), ++ UINT32_C(0x88CB9DF2), UINT32_C(0x9A683282), UINT32_C(0xA44234F1) }, ++ { UINT32_C(0xA6E9AB2E), UINT32_C(0xBC1B3D3A), UINT32_C(0x87FC99EE), ++ UINT32_C(0xEFA071FB), UINT32_C(0xA102DC0F), UINT32_C(0xFA3C737D), ++ UINT32_C(0xD6A0CBD2), UINT32_C(0xDF3248A6), UINT32_C(0x1ECC1BF4), ++ UINT32_C(0x6E62A4FF), UINT32_C(0xC8F1BC17), UINT32_C(0xF718F940) } }, ++ { { UINT32_C(0x4F63F026), UINT32_C(0x2C8B0AAD), UINT32_C(0x50B253CC), ++ UINT32_C(0x2AFF6238), UINT32_C(0x10C4D122), UINT32_C(0xCAB3E942), ++ UINT32_C(0x07CD2816), UINT32_C(0x52B59F04), UINT32_C(0x982C41FC), ++ UINT32_C(0x22322803), UINT32_C(0x8CF50B19), UINT32_C(0x38844E66) }, ++ { UINT32_C(0xBE3264CD), UINT32_C(0x42A959F7), UINT32_C(0x6C983524), ++ UINT32_C(0xBDDC24BD), UINT32_C(0x462B8640), UINT32_C(0xA489EB0C), ++ UINT32_C(0x98029BE7), UINT32_C(0xB7C05092), UINT32_C(0xA1ADDC64), ++ UINT32_C(0xD5546B5F), UINT32_C(0xA0C655AF), UINT32_C(0xE7CAC1FC) } }, ++ { { UINT32_C(0x47636F97), UINT32_C(0x14547198), UINT32_C(0xEBCDCCFF), ++ UINT32_C(0x6FA67481), UINT32_C(0x395D3258), UINT32_C(0xC164872F), ++ UINT32_C(0xEE6ACDBC), UINT32_C(0xB8CECAFE), UINT32_C(0xA933F180), ++ UINT32_C(0x3FBFE5F3), UINT32_C(0x898C3B1E), UINT32_C(0xEC20CAC2) }, ++ { UINT32_C(0x87DA73F9), UINT32_C(0x6A031BEE), UINT32_C(0x5C5AF46E), ++ UINT32_C(0xD1E667D1), UINT32_C(0x1DC6EEF9), UINT32_C(0xCB3DC168), ++ UINT32_C(0x33D310C0), UINT32_C(0x2DD1BD94), UINT32_C(0x9207E438), ++ UINT32_C(0x0F78D493), UINT32_C(0xA99C0E75), UINT32_C(0xC233D544) } }, ++ { { UINT32_C(0x9E2A0113), UINT32_C(0x228F19F1), UINT32_C(0x0E1A5D37), ++ UINT32_C(0x58495BE5), UINT32_C(0x38D7F364), UINT32_C(0x97E08F69), ++ UINT32_C(0x510759B0), UINT32_C(0x1EC3BA3E), UINT32_C(0xE03CD40D), ++ UINT32_C(0x3682F19A), UINT32_C(0xF9E16D68), UINT32_C(0xC87745D8) }, ++ { UINT32_C(0x09A642EA), UINT32_C(0xFD527AB5), UINT32_C(0xF9C81F27), ++ UINT32_C(0x6308EEBD), UINT32_C(0x550C5D68), UINT32_C(0xFA9F666C), ++ UINT32_C(0x584AB153), UINT32_C(0xDEBA436F), UINT32_C(0x5B63E939), ++ UINT32_C(0x1D4861D3), UINT32_C(0xC9850221), UINT32_C(0x073BED9B) } }, ++ { { UINT32_C(0x8B171246), UINT32_C(0x802BCCF0), UINT32_C(0x733B072F), ++ UINT32_C(0xFFF7D15A), UINT32_C(0x4CBFA4EF), UINT32_C(0xEA386266), ++ UINT32_C(0xD635946B), UINT32_C(0x9E5B5073), UINT32_C(0xFA81BE95), ++ UINT32_C(0x16E9A979), UINT32_C(0xB14F701F), UINT32_C(0x41E8716E) }, ++ { UINT32_C(0x101A6719), UINT32_C(0x25782E0F), UINT32_C(0xC9D66959), ++ UINT32_C(0x442C4875), UINT32_C(0x2B85D153), UINT32_C(0x52D845D9), ++ UINT32_C(0x2E831117), UINT32_C(0xFF925138), UINT32_C(0x8E02434B), ++ UINT32_C(0x01B700CC), UINT32_C(0xEC0BAE3E), UINT32_C(0xD2DB7F8E) } }, ++ { { UINT32_C(0x966A4872), UINT32_C(0x1B225300), UINT32_C(0x566F537B), ++ UINT32_C(0x40C149BE), UINT32_C(0xCB680021), UINT32_C(0x3335F4D2), ++ UINT32_C(0x778E5F5F), UINT32_C(0x773D0263), UINT32_C(0x666FA9ED), ++ UINT32_C(0x1D9B7602), UINT32_C(0x2E6200CF), UINT32_C(0x52490A10) }, ++ { UINT32_C(0x961F290B), UINT32_C(0x8434C7DD), UINT32_C(0x64456446), ++ UINT32_C(0x773AC156), UINT32_C(0x47B712BB), UINT32_C(0x5E2BB789), ++ UINT32_C(0xBE0974AD), UINT32_C(0xFD3BCBFD), UINT32_C(0x791AD5D8), ++ UINT32_C(0x71AE9351), UINT32_C(0x6F4E1400), UINT32_C(0x1EE738BA) } }, ++ { { UINT32_C(0x0BE8E26E), UINT32_C(0x2FA428AB), UINT32_C(0xBB4CF9FC), ++ UINT32_C(0xFEFF0600), UINT32_C(0xB2EA5FB0), UINT32_C(0x76F25CA9), ++ UINT32_C(0x6835C5F4), UINT32_C(0xAB7FECF0), UINT32_C(0x19D5F328), ++ UINT32_C(0x649D0772), UINT32_C(0xACBCB12E), UINT32_C(0xABE7B895) }, ++ { UINT32_C(0xD69B1EA8), UINT32_C(0xF2D1031A), UINT32_C(0xC60B0BBB), ++ UINT32_C(0x46065D5D), UINT32_C(0x85D798FF), UINT32_C(0xB0908DC1), ++ UINT32_C(0xD2C9B18A), UINT32_C(0x4E2420F0), UINT32_C(0xD30432A2), ++ UINT32_C(0x6B3A9BDD), UINT32_C(0xC9B134AD), UINT32_C(0x501C3383) } }, ++ { { UINT32_C(0x98A21284), UINT32_C(0x608F0967), UINT32_C(0x059CCEDE), ++ UINT32_C(0x5361BE86), UINT32_C(0xAFD87EF7), UINT32_C(0x3A40655C), ++ UINT32_C(0x59083AA2), UINT32_C(0x03CF3117), UINT32_C(0xB6C366D9), ++ UINT32_C(0x57DB5F61), UINT32_C(0x6DD0D232), UINT32_C(0x29DC275B) }, ++ { UINT32_C(0x8FA67501), UINT32_C(0xBDAB24DD), UINT32_C(0x65D08C37), ++ UINT32_C(0x5928F775), UINT32_C(0x645D466A), UINT32_C(0x9448A856), ++ UINT32_C(0xC0E927A5), UINT32_C(0x6E6B5E2E), UINT32_C(0xE80C6871), ++ UINT32_C(0xE884D546), UINT32_C(0x53A9A851), UINT32_C(0x10C881C9) } }, ++ { { UINT32_C(0x9B627AA5), UINT32_C(0x35505374), UINT32_C(0x7976677B), ++ UINT32_C(0xE7CA1B57), UINT32_C(0x4976CE17), UINT32_C(0x81239712), ++ UINT32_C(0x96DA31B9), UINT32_C(0x96E9080B), UINT32_C(0xCC64AA1F), ++ UINT32_C(0x458254AB), UINT32_C(0x48E674C9), UINT32_C(0xFEFF6821) }, ++ { UINT32_C(0x021F1488), UINT32_C(0x8772F37A), UINT32_C(0xAB56345C), ++ UINT32_C(0x2E274E18), UINT32_C(0x29823B76), UINT32_C(0x7C7BE61C), ++ UINT32_C(0x9EEFB39E), UINT32_C(0x275DB7B2), UINT32_C(0xBF5CBCEF), ++ UINT32_C(0x83B10ED4), UINT32_C(0x518E5183), UINT32_C(0x40D7F5B4) } }, ++ { { UINT32_C(0xF960B41B), UINT32_C(0x315CCC01), UINT32_C(0x1D99E722), ++ UINT32_C(0x90B417C9), UINT32_C(0x013463E0), UINT32_C(0x84AFAA0D), ++ UINT32_C(0x13E6D9E1), UINT32_C(0xF133C5D8), UINT32_C(0x525B7430), ++ UINT32_C(0xD95C6ADC), UINT32_C(0x7A25106A), UINT32_C(0x082C61AD) }, ++ { UINT32_C(0xBA1CE179), UINT32_C(0xABC1966D), UINT32_C(0xA5DB529A), ++ UINT32_C(0xE0578B77), UINT32_C(0xEC84107D), UINT32_C(0x10988C05), ++ UINT32_C(0x1B207F83), UINT32_C(0xFCADE5D7), UINT32_C(0xC5BA83DB), ++ UINT32_C(0x0BEB6FDB), UINT32_C(0x57537E34), UINT32_C(0x1C39B86D) } }, ++ }, ++ { ++ { { UINT32_C(0x2A7AECED), UINT32_C(0x5B0B5D69), UINT32_C(0x01DC545F), ++ UINT32_C(0x4C03450C), UINT32_C(0x404A3458), UINT32_C(0x72AD0A4A), ++ UINT32_C(0x9F467B60), UINT32_C(0x1DE8E255), UINT32_C(0x90634809), ++ UINT32_C(0xA4B35705), UINT32_C(0x706F0178), UINT32_C(0x76F30205) }, ++ { UINT32_C(0x4454F0E5), UINT32_C(0x588D21AB), UINT32_C(0x64134928), ++ UINT32_C(0xD22DF549), UINT32_C(0x241BCD90), UINT32_C(0xF4E7E73D), ++ UINT32_C(0x2FACC7CC), UINT32_C(0xB8D8A1D2), UINT32_C(0x1D25D2A0), ++ UINT32_C(0x483C35A7), UINT32_C(0x1EF9F608), UINT32_C(0x7F8D2545) } }, ++ { { UINT32_C(0x54EBC926), UINT32_C(0xCB51F039), UINT32_C(0xB8D4A7BB), ++ UINT32_C(0xE235D356), UINT32_C(0xB41FE1A6), UINT32_C(0x93C8FAFA), ++ UINT32_C(0xA719F254), UINT32_C(0x6297701D), UINT32_C(0x644F5CDE), ++ UINT32_C(0x6E9165BC), UINT32_C(0x0C11C542), UINT32_C(0x6506329D) }, ++ { UINT32_C(0xA92B4250), UINT32_C(0xA2564809), UINT32_C(0x889C2E3E), ++ UINT32_C(0x0E9AC173), UINT32_C(0x22B1D1BE), UINT32_C(0x286A5926), ++ UINT32_C(0x6ECDD041), UINT32_C(0x86A3D752), UINT32_C(0x649F9524), ++ UINT32_C(0x4B867E0A), UINT32_C(0x0629CB0F), UINT32_C(0x1FE7D95A) } }, ++ { { UINT32_C(0xCA5BAF54), UINT32_C(0xF4F66843), UINT32_C(0xEFE7DB78), ++ UINT32_C(0x298DB357), UINT32_C(0x7365712F), UINT32_C(0xF607E86E), ++ UINT32_C(0x8A822BC0), UINT32_C(0xD5882298), UINT32_C(0xC61299B3), ++ UINT32_C(0x2CFBD63A), UINT32_C(0x67167B1A), UINT32_C(0x6F713D9B) }, ++ { UINT32_C(0xDE0B077A), UINT32_C(0x750F673F), UINT32_C(0xEE2178DA), ++ UINT32_C(0x07482708), UINT32_C(0x69123C75), UINT32_C(0x5E6D5BD1), ++ UINT32_C(0xEAB99B37), UINT32_C(0x6A93D1B6), UINT32_C(0x8CAEC6A3), ++ UINT32_C(0x6EF4F7E6), UINT32_C(0xCF3ED818), UINT32_C(0x7BE411D6) } }, ++ { { UINT32_C(0x63A0A7D2), UINT32_C(0xF92B3073), UINT32_C(0x881DC8CF), ++ UINT32_C(0x32DA431C), UINT32_C(0xC578E3A3), UINT32_C(0xE51BD5ED), ++ UINT32_C(0x9587FA22), UINT32_C(0xEFDA70D2), UINT32_C(0x9B2EBA85), ++ UINT32_C(0xCFEC1708), UINT32_C(0xAF7BA530), UINT32_C(0x6AB51A4B) }, ++ { UINT32_C(0x98174812), UINT32_C(0x5AC155AE), UINT32_C(0xCCB076E3), ++ UINT32_C(0xCAF07A71), UINT32_C(0xC38718A7), UINT32_C(0x280E86C2), ++ UINT32_C(0xD63745B7), UINT32_C(0x9D12DE73), UINT32_C(0xBF8A79AA), ++ UINT32_C(0x0E8EA855), UINT32_C(0xBD705BF7), UINT32_C(0x5EB2BED8) } }, ++ { { UINT32_C(0xAE16DE53), UINT32_C(0x33FE9578), UINT32_C(0x10BEC902), ++ UINT32_C(0x3AE85EB5), UINT32_C(0x44AF850E), UINT32_C(0xC4F49658), ++ UINT32_C(0x087DD658), UINT32_C(0x6EA222B3), UINT32_C(0xA51F1447), ++ UINT32_C(0xB255E6FD), UINT32_C(0x117E3F48), UINT32_C(0xB35E4997) }, ++ { UINT32_C(0x05616CA1), UINT32_C(0x562E813B), UINT32_C(0x8A61E156), ++ UINT32_C(0xDF5925D6), UINT32_C(0x571C728B), UINT32_C(0xB2FA8125), ++ UINT32_C(0xA2F2D1CF), UINT32_C(0x00864805), UINT32_C(0x1BCCB6FF), ++ UINT32_C(0x2DC26F41), UINT32_C(0x63AE37DD), UINT32_C(0xEBD5E093) } }, ++ { { UINT32_C(0x0A285611), UINT32_C(0xD2D68BB3), UINT32_C(0xDC8378F2), ++ UINT32_C(0x3EAE7596), UINT32_C(0x6CC688A3), UINT32_C(0x2DC6CCC6), ++ UINT32_C(0x011F5DFB), UINT32_C(0xC45E5713), UINT32_C(0x62D34487), ++ UINT32_C(0x6B9C4F6C), UINT32_C(0x1FC65551), UINT32_C(0xFAD6F077) }, ++ { UINT32_C(0x62B23B52), UINT32_C(0x5E3266E0), UINT32_C(0xE98F4715), ++ UINT32_C(0xF1DAF319), UINT32_C(0x3ED0AE83), UINT32_C(0x064D12EA), ++ UINT32_C(0x564125CB), UINT32_C(0x5CCF9326), UINT32_C(0xC63C1E9F), ++ UINT32_C(0x09057022), UINT32_C(0xDC9B5D2E), UINT32_C(0x7171972C) } }, ++ { { UINT32_C(0xEABD21B2), UINT32_C(0x2364FD9A), UINT32_C(0x9174AD6D), ++ UINT32_C(0x3CE5F4BB), UINT32_C(0xB38688C0), UINT32_C(0xA4D6D5D0), ++ UINT32_C(0x6D87FD7D), UINT32_C(0x2292A2D2), UINT32_C(0x4CA02E54), ++ UINT32_C(0x2A7D1B53), UINT32_C(0xB4185715), UINT32_C(0x7BEE6E7E) }, ++ { UINT32_C(0x8FC63ACD), UINT32_C(0x73E54609), UINT32_C(0x4064E09D), ++ UINT32_C(0xF4D93A12), UINT32_C(0x2B92DAA5), UINT32_C(0xD20E157A), ++ UINT32_C(0xC4B81A00), UINT32_C(0x90D125DB), UINT32_C(0x7682DE13), ++ UINT32_C(0xCB951C9E), UINT32_C(0x27987545), UINT32_C(0x1ABE58F4) } }, ++ { { UINT32_C(0x30C70C8D), UINT32_C(0x6D351640), UINT32_C(0xCE2361B8), ++ UINT32_C(0x8047D811), UINT32_C(0xDF8E2C81), UINT32_C(0x3F8B3D4F), ++ UINT32_C(0x33FA1F6C), UINT32_C(0x5D595477), UINT32_C(0xE29B8A91), ++ UINT32_C(0xF769FE5A), UINT32_C(0xD737B2A2), UINT32_C(0x26F0E606) }, ++ { UINT32_C(0xB8B31C6A), UINT32_C(0x70CBFA5D), UINT32_C(0x863D3AEA), ++ UINT32_C(0x0F883B4A), UINT32_C(0xE386AE2F), UINT32_C(0x156A4479), ++ UINT32_C(0xADE8A684), UINT32_C(0xA17A2FCD), UINT32_C(0xE2A7E335), ++ UINT32_C(0x78BDF958), UINT32_C(0x3B9E3041), UINT32_C(0xD1B4E673) } }, ++ { { UINT32_C(0x449A6D11), UINT32_C(0x1EAF48EC), UINT32_C(0x6D2FA7B9), ++ UINT32_C(0x6B94B8E4), UINT32_C(0x728E4C1B), UINT32_C(0x1D75D269), ++ UINT32_C(0xDD304E2C), UINT32_C(0x91123819), UINT32_C(0x88804F4B), ++ UINT32_C(0x0B34CAE3), UINT32_C(0xC5495E9A), UINT32_C(0x2BA192FB) }, ++ { UINT32_C(0xFF4D24BF), UINT32_C(0xC93FF6EF), UINT32_C(0x0342BA78), ++ UINT32_C(0xF8C2C0B0), UINT32_C(0x831EB94C), UINT32_C(0x8041F769), ++ UINT32_C(0x7782985E), UINT32_C(0x35310074), UINT32_C(0x3AF84E83), ++ UINT32_C(0xC755320B), UINT32_C(0x6F497E7F), UINT32_C(0x384B6D26) } }, ++ { { UINT32_C(0x17E6BD17), UINT32_C(0xEF92CD59), UINT32_C(0xA426965C), ++ UINT32_C(0xA087305B), UINT32_C(0xAC47F773), UINT32_C(0x13895CE7), ++ UINT32_C(0xE0BB2867), UINT32_C(0xB85F2A9F), UINT32_C(0x7CD7C58E), ++ UINT32_C(0x2926E6AA), UINT32_C(0x450459C5), UINT32_C(0xE544EDA6) }, ++ { UINT32_C(0xB90A9849), UINT32_C(0x73DBC351), UINT32_C(0x848EBE86), ++ UINT32_C(0x961183F6), UINT32_C(0x80534712), UINT32_C(0xC45BB210), ++ UINT32_C(0xA654D9A3), UINT32_C(0x379D08D7), UINT32_C(0xBD3FFA9C), ++ UINT32_C(0x5B97CEF2), UINT32_C(0xDDC2FCE5), UINT32_C(0x0F469F34) } }, ++ { { UINT32_C(0x0642F38D), UINT32_C(0x6D146108), UINT32_C(0xD21EB887), ++ UINT32_C(0x055171A0), UINT32_C(0xD0DCEB28), UINT32_C(0x28DFFAB4), ++ UINT32_C(0x98DE9CCD), UINT32_C(0x0D0E6312), UINT32_C(0x118C3C3F), ++ UINT32_C(0x750A9156), UINT32_C(0xB049D799), UINT32_C(0x8C1F1390) }, ++ { UINT32_C(0x439607C5), UINT32_C(0xE4823858), UINT32_C(0x5C111EAB), ++ UINT32_C(0x947E9BA0), UINT32_C(0xA355DF2E), UINT32_C(0x39C95616), ++ UINT32_C(0x10E54BDA), UINT32_C(0xF5F6B98E), UINT32_C(0x142B876A), ++ UINT32_C(0xB0E0B33D), UINT32_C(0xEA18C90C), UINT32_C(0x71197D73) } }, ++ { { UINT32_C(0xF52BE819), UINT32_C(0x36A5139D), UINT32_C(0x29A45D2B), ++ UINT32_C(0xF60DDF34), UINT32_C(0xE9220E34), UINT32_C(0x0727EFEC), ++ UINT32_C(0x4EF7F446), UINT32_C(0x431D3386), UINT32_C(0xFCC4962C), ++ UINT32_C(0xC3165A64), UINT32_C(0xD64362BB), UINT32_C(0xB7D926E1) }, ++ { UINT32_C(0xD45F9350), UINT32_C(0x216BC61F), UINT32_C(0xBBAED815), ++ UINT32_C(0xA974CB2F), UINT32_C(0x86FB2F76), UINT32_C(0x31DF342D), ++ UINT32_C(0x01D78314), UINT32_C(0x3AB67E05), UINT32_C(0xDEE33ED2), ++ UINT32_C(0x7AA951E0), UINT32_C(0xCEC78D94), UINT32_C(0x318FBBBD) } }, ++ { { UINT32_C(0xB8FE0204), UINT32_C(0xAD7EFB65), UINT32_C(0x230AB7F7), ++ UINT32_C(0x0432E1C5), UINT32_C(0x9C967400), UINT32_C(0x7563A62D), ++ UINT32_C(0x3524D4FF), UINT32_C(0xD88B9C74), UINT32_C(0xF1A823E3), ++ UINT32_C(0x16A1991C), UINT32_C(0xFA6F0FFB), UINT32_C(0xCF2F9BFE) }, ++ { UINT32_C(0xA50CA61F), UINT32_C(0x55AAA946), UINT32_C(0xFED4CAB3), ++ UINT32_C(0x8CBBD3C8), UINT32_C(0x7651365A), UINT32_C(0x03A0FAB8), ++ UINT32_C(0x62DC3913), UINT32_C(0x46B5234B), UINT32_C(0xB558CBBD), ++ UINT32_C(0xFD875B28), UINT32_C(0x11CEB361), UINT32_C(0xA48EC3AE) } }, ++ { { UINT32_C(0xB3ADBD8B), UINT32_C(0x5DD131A1), UINT32_C(0x29B45EF8), ++ UINT32_C(0xF9FBCA3A), UINT32_C(0x9341EE18), UINT32_C(0x02204866), ++ UINT32_C(0x83BF9618), UINT32_C(0x8D13B895), UINT32_C(0xE807459C), ++ UINT32_C(0x0E395BAE), UINT32_C(0xB190E7DB), UINT32_C(0xB9C110CC) }, ++ { UINT32_C(0x25D25063), UINT32_C(0xA0DC3452), UINT32_C(0x02371462), ++ UINT32_C(0x2FB78EC8), UINT32_C(0x8975C2D5), UINT32_C(0xC3A9E7BB), ++ UINT32_C(0x85A78264), UINT32_C(0x94666872), UINT32_C(0x8029AA92), ++ UINT32_C(0x480D2CC2), UINT32_C(0x5655726D), UINT32_C(0x237086C7) } }, ++ { { UINT32_C(0x65EB9EEE), UINT32_C(0x197F14BB), UINT32_C(0x9F12E5FD), ++ UINT32_C(0xFC93125C), UINT32_C(0x8BFBAE5E), UINT32_C(0x9C20BC53), ++ UINT32_C(0x4BC053BA), UINT32_C(0xB35E2154), UINT32_C(0x21C3898E), ++ UINT32_C(0xE5FA9CC7), UINT32_C(0xD42F950F), UINT32_C(0x502D72FF) }, ++ { UINT32_C(0xD1EB8C31), UINT32_C(0x6812D38A), UINT32_C(0x080D30BB), ++ UINT32_C(0x1F77F3F1), UINT32_C(0x5A8B1E98), UINT32_C(0x18D12833), ++ UINT32_C(0x299196CE), UINT32_C(0x7FD39FA9), UINT32_C(0xCF4ED6D6), ++ UINT32_C(0xFB8C9F11), UINT32_C(0xD6363194), UINT32_C(0x4C00F604) } }, ++ { { UINT32_C(0xFA2A21C2), UINT32_C(0x5C8AFCF9), UINT32_C(0x1928D133), ++ UINT32_C(0x71CBF282), UINT32_C(0x42B29506), UINT32_C(0x56BEF28E), ++ UINT32_C(0x70323DE2), UINT32_C(0xAFBA250C), UINT32_C(0x7DED2C30), ++ UINT32_C(0x3FE208D1), UINT32_C(0xCE9AA598), UINT32_C(0xBD2CD213) }, ++ { UINT32_C(0xCFEED070), UINT32_C(0x52C5EC52), UINT32_C(0xD3DA336B), ++ UINT32_C(0x0A7223E7), UINT32_C(0xCE156B46), UINT32_C(0x7156A4ED), ++ UINT32_C(0xED7E6159), UINT32_C(0x9AF6C499), UINT32_C(0x13C029AD), ++ UINT32_C(0x9D7A6797), UINT32_C(0x9018DC77), UINT32_C(0xE5B5C924) } }, ++ }, ++ { ++ { { UINT32_C(0xDE1E4E55), UINT32_C(0x3F2EFF53), UINT32_C(0xE4D3ECC4), ++ UINT32_C(0x6B749943), UINT32_C(0x0DDE190D), UINT32_C(0xAF10B18A), ++ UINT32_C(0xA26B0409), UINT32_C(0xF491B98D), UINT32_C(0xA2B1D944), ++ UINT32_C(0x66080782), UINT32_C(0x97E8C541), UINT32_C(0x59277DC6) }, ++ { UINT32_C(0x006F18AA), UINT32_C(0xFDBFC5F6), UINT32_C(0xFADD8BE1), ++ UINT32_C(0x435D165B), UINT32_C(0x57645EF4), UINT32_C(0x8E5D2638), ++ UINT32_C(0xA0258363), UINT32_C(0x31BCFDA6), UINT32_C(0xD35D2503), ++ UINT32_C(0xF5330AB8), UINT32_C(0xC7CAB285), UINT32_C(0xB71369F0) } }, ++ { { UINT32_C(0x40ACC5A8), UINT32_C(0xE6A19DCC), UINT32_C(0xDBC6DBF8), ++ UINT32_C(0x1C3A1FF1), UINT32_C(0xC6455613), UINT32_C(0xB4D89B9F), ++ UINT32_C(0xA7390D0E), UINT32_C(0x6CB0FE44), UINT32_C(0x59EA135A), ++ UINT32_C(0xADE197A4), UINT32_C(0x20680982), UINT32_C(0xDA6AA865) }, ++ { UINT32_C(0x5A442C1B), UINT32_C(0x03DB9BE9), UINT32_C(0x2BFB93F2), ++ UINT32_C(0x221A2D73), UINT32_C(0x753C196C), UINT32_C(0x44DEE8D4), ++ UINT32_C(0x0B7C6FF5), UINT32_C(0x59ADCC70), UINT32_C(0x4CA1B142), ++ UINT32_C(0xC6260EC2), UINT32_C(0x46CBD4F2), UINT32_C(0x4C3CB5C6) } }, ++ { { UINT32_C(0xA417111F), UINT32_C(0x8A15D6FE), UINT32_C(0x71D93FCC), ++ UINT32_C(0xFE4A16BD), UINT32_C(0x55BBE732), UINT32_C(0x7A7EE38C), ++ UINT32_C(0x1FF94A9D), UINT32_C(0xEFF146A5), UINT32_C(0xDD585AB5), ++ UINT32_C(0xE572D13E), UINT32_C(0x06491A5D), UINT32_C(0xD879790E) }, ++ { UINT32_C(0x2A58CB2E), UINT32_C(0x9C84E1C5), UINT32_C(0x6C938630), ++ UINT32_C(0xD79D1374), UINT32_C(0x385F06C7), UINT32_C(0xDB12CD9B), ++ UINT32_C(0x7A7759C3), UINT32_C(0x0C93EB97), UINT32_C(0x683BD706), ++ UINT32_C(0xF1F5B0FE), UINT32_C(0x85EC3D50), UINT32_C(0x541E4F72) } }, ++ { { UINT32_C(0x81833608), UINT32_C(0x9A0E1535), UINT32_C(0x6E2833AC), ++ UINT32_C(0x5CCE871E), UINT32_C(0xFB29777C), UINT32_C(0xC17059EA), ++ UINT32_C(0xE354CAFD), UINT32_C(0x7E40E5FA), UINT32_C(0x4D07C371), ++ UINT32_C(0x9CF59405), UINT32_C(0xA71C3945), UINT32_C(0x64CE36B2) }, ++ { UINT32_C(0x56CAF487), UINT32_C(0x69309E96), UINT32_C(0x1AE3454B), ++ UINT32_C(0x3D719E9F), UINT32_C(0xE25823B6), UINT32_C(0xF2164070), ++ UINT32_C(0x0BC27359), UINT32_C(0xEAD851BD), UINT32_C(0xB0925094), ++ UINT32_C(0x3D21BFE8), UINT32_C(0x34A97F4E), UINT32_C(0xA783B1E9) } }, ++ { { UINT32_C(0x9546491A), UINT32_C(0x406B0C26), UINT32_C(0xF293C4E5), ++ UINT32_C(0x9E5E15E2), UINT32_C(0x15B164DB), UINT32_C(0xC60D6413), ++ UINT32_C(0x0C75A78E), UINT32_C(0x0DA46F53), UINT32_C(0xEA0C656B), ++ UINT32_C(0x7C599BB7), UINT32_C(0x1B1A8122), UINT32_C(0x0F07A512) }, ++ { UINT32_C(0x15172686), UINT32_C(0x14C7204A), UINT32_C(0x5165625D), ++ UINT32_C(0x8FAEDFF8), UINT32_C(0x37AEDE40), UINT32_C(0x20F260CE), ++ UINT32_C(0x8F357FFE), UINT32_C(0xC81F771E), UINT32_C(0xB0912557), ++ UINT32_C(0x25499197), UINT32_C(0x4C739C74), UINT32_C(0x736197DC) } }, ++ { { UINT32_C(0x381B3462), UINT32_C(0x6151BAB1), UINT32_C(0x43DBD344), ++ UINT32_C(0x27E5A078), UINT32_C(0xA1C3E9FB), UINT32_C(0x2CB05BD6), ++ UINT32_C(0x27CF2A11), UINT32_C(0x2A759760), UINT32_C(0xFF43E702), ++ UINT32_C(0x0ADCF9DB), UINT32_C(0x1F484146), UINT32_C(0x4BBF03E2) }, ++ { UINT32_C(0x55B6521A), UINT32_C(0x0E74997F), UINT32_C(0xADE17086), ++ UINT32_C(0x15629231), UINT32_C(0x7493FC58), UINT32_C(0x7F143E86), ++ UINT32_C(0xAF8B9670), UINT32_C(0x60869095), UINT32_C(0x7E524869), ++ UINT32_C(0x482CFCD7), UINT32_C(0x1D454756), UINT32_C(0x9E8060C3) } }, ++ { { UINT32_C(0xC88B4D3B), UINT32_C(0xE495747A), UINT32_C(0xAE8A948F), ++ UINT32_C(0xB7559835), UINT32_C(0xDEB56853), UINT32_C(0x67EEF3A9), ++ UINT32_C(0x9DEE5ADF), UINT32_C(0x0E20E269), UINT32_C(0x61F0A1AA), ++ UINT32_C(0x9031AF67), UINT32_C(0x683402BC), UINT32_C(0x76669D32) }, ++ { UINT32_C(0x06718B16), UINT32_C(0x90BD2313), UINT32_C(0x864EFDAC), ++ UINT32_C(0xE1B22A21), UINT32_C(0x6620089F), UINT32_C(0xE4FFE909), ++ UINT32_C(0x3428E2D9), UINT32_C(0xB84C842E), UINT32_C(0xFE3871FC), ++ UINT32_C(0x0E28C880), UINT32_C(0x3F21C200), UINT32_C(0x8932F698) } }, ++ { { UINT32_C(0x6C90EA5D), UINT32_C(0x603F00CE), UINT32_C(0x40A2F693), ++ UINT32_C(0x64739307), UINT32_C(0x2174E517), UINT32_C(0xAF65148B), ++ UINT32_C(0xF784AE74), UINT32_C(0x162FC2CA), UINT32_C(0x4D5F6458), ++ UINT32_C(0x0D9A8825), UINT32_C(0x43AACE93), UINT32_C(0x0C2D5861) }, ++ { UINT32_C(0x9F73CBFC), UINT32_C(0xBF1EADDE), UINT32_C(0x9C68BBCA), ++ UINT32_C(0xDE9C34C0), UINT32_C(0x67EF8A1A), UINT32_C(0x6D95602D), ++ UINT32_C(0xA791B241), UINT32_C(0x0AF2581B), UINT32_C(0x12CAD604), ++ UINT32_C(0x14F77361), UINT32_C(0xE2ACD1AD), UINT32_C(0x19F2354D) } }, ++ { { UINT32_C(0x0D60F263), UINT32_C(0x272F78F6), UINT32_C(0x208FD785), ++ UINT32_C(0xE7A8F4AF), UINT32_C(0x36554F2C), UINT32_C(0x10E191C6), ++ UINT32_C(0xFD5CD0B3), UINT32_C(0x06D88551), UINT32_C(0x57069C27), ++ UINT32_C(0x29BF8568), UINT32_C(0x28AA6FAD), UINT32_C(0x3CE7ECD8) }, ++ { UINT32_C(0xE9F1A1D8), UINT32_C(0x7D8A92D0), UINT32_C(0xD30B5725), ++ UINT32_C(0xD40C7FF8), UINT32_C(0xF54CAEB8), UINT32_C(0x16BE6CB2), ++ UINT32_C(0x14CB0A91), UINT32_C(0x14CA471A), UINT32_C(0x02733CAE), ++ UINT32_C(0xD5FF15B8), UINT32_C(0xDAA76580), UINT32_C(0xCAF88D87) } }, ++ { { UINT32_C(0x2C046592), UINT32_C(0x39430E22), UINT32_C(0x1AD26706), ++ UINT32_C(0x6CDAE81F), UINT32_C(0xA25D9106), UINT32_C(0x8C102159), ++ UINT32_C(0x27CA9F30), UINT32_C(0x9A440572), UINT32_C(0x70287FBC), ++ UINT32_C(0x8D34C430), UINT32_C(0x29DB8AFA), UINT32_C(0x9003A455) }, ++ { UINT32_C(0x7FD971AD), UINT32_C(0x91364CC3), UINT32_C(0x9C60EDB7), ++ UINT32_C(0x7B3AA048), UINT32_C(0x526F4DD8), UINT32_C(0x58B0E008), ++ UINT32_C(0xD86D98AE), UINT32_C(0xB7674454), UINT32_C(0xB2B45747), ++ UINT32_C(0xC25F4051), UINT32_C(0xCC043E8F), UINT32_C(0x8243BF9C) } }, ++ { { UINT32_C(0x43A0C387), UINT32_C(0xA89641C6), UINT32_C(0x87B9AB17), ++ UINT32_C(0x6D92205C), UINT32_C(0xDAA0E102), UINT32_C(0x37D691F4), ++ UINT32_C(0xCDE5312E), UINT32_C(0xEB3E52D7), UINT32_C(0x16F518A2), ++ UINT32_C(0x60D3C099), UINT32_C(0x8A378EEB), UINT32_C(0x7854C051) }, ++ { UINT32_C(0x4BBCAAC5), UINT32_C(0x7359DB51), UINT32_C(0x1713F102), ++ UINT32_C(0xF5B1B68C), UINT32_C(0xE4398DE5), UINT32_C(0xDAEAE645), ++ UINT32_C(0xD1ABFB82), UINT32_C(0x8C8ACB6C), UINT32_C(0x136423E2), ++ UINT32_C(0x2E8B76C3), UINT32_C(0xA8BA015E), UINT32_C(0x509DCB2D) } }, ++ { { UINT32_C(0x9AD9C59C), UINT32_C(0x2FF36815), UINT32_C(0x658E65B9), ++ UINT32_C(0xB189A4E8), UINT32_C(0xEA786AD2), UINT32_C(0x7D33DDBB), ++ UINT32_C(0xC0D2DC05), UINT32_C(0x96D0D648), UINT32_C(0xBFA03BE9), ++ UINT32_C(0x05E49256), UINT32_C(0x8BAF5A1C), UINT32_C(0x0EA4E7A6) }, ++ { UINT32_C(0x9F9AD5A8), UINT32_C(0x3DDCE0B0), UINT32_C(0x9E49C2CB), ++ UINT32_C(0xF7809195), UINT32_C(0x21782C2F), UINT32_C(0xBFCEF29D), ++ UINT32_C(0xC41BFD97), UINT32_C(0xE57AD39F), UINT32_C(0x1355AD19), ++ UINT32_C(0xC04B93E8), UINT32_C(0x59440F9F), UINT32_C(0xAABC9E6E) } }, ++ { { UINT32_C(0x5B6459DA), UINT32_C(0x7AA48103), UINT32_C(0x0166E880), ++ UINT32_C(0x83EF7477), UINT32_C(0x511CCE80), UINT32_C(0x536182B1), ++ UINT32_C(0x73CA55AA), UINT32_C(0xAFDD2EEE), UINT32_C(0xA8716143), ++ UINT32_C(0xAB910D0D), UINT32_C(0x83707250), UINT32_C(0x8BEAA42B) }, ++ { UINT32_C(0x8DA2AB3D), UINT32_C(0x4BCCFD89), UINT32_C(0xEC6AA105), ++ UINT32_C(0x1DBF68A9), UINT32_C(0x68EB42DA), UINT32_C(0x32CE6108), ++ UINT32_C(0x8EA62E37), UINT32_C(0x5C2C2C85), UINT32_C(0xCD3088A7), ++ UINT32_C(0x1ED2791F), UINT32_C(0xFF05070C), UINT32_C(0x496B4FEB) } }, ++ { { UINT32_C(0x0AA629C5), UINT32_C(0x9FA9121A), UINT32_C(0x57558BEC), ++ UINT32_C(0xE286CFF1), UINT32_C(0x59813A4D), UINT32_C(0x4D9D657E), ++ UINT32_C(0x26103519), UINT32_C(0xC4676A16), UINT32_C(0x2BD4DF80), ++ UINT32_C(0x616160B3), UINT32_C(0x30FBAE87), UINT32_C(0x26FB78CC) }, ++ { UINT32_C(0x8F0F66BD), UINT32_C(0x09607013), UINT32_C(0x03D9B90D), ++ UINT32_C(0xDD4E2D0C), UINT32_C(0x600D1B12), UINT32_C(0x5D3A8912), ++ UINT32_C(0x4308E126), UINT32_C(0xF76DD52F), UINT32_C(0x9E4FCCA6), ++ UINT32_C(0x97CC0409), UINT32_C(0x04C4DF7B), UINT32_C(0x0CFBE311) } }, ++ { { UINT32_C(0x28437A23), UINT32_C(0x6CA62C12), UINT32_C(0x40E7A003), ++ UINT32_C(0x0DAF3353), UINT32_C(0xD20F8079), UINT32_C(0x1FD07DF0), ++ UINT32_C(0x3BBC9749), UINT32_C(0xEAE7969C), UINT32_C(0x9ECAD022), ++ UINT32_C(0x55861AFA), UINT32_C(0x1FBC3D4C), UINT32_C(0xEC41DAD9) }, ++ { UINT32_C(0xDA8B261B), UINT32_C(0x1FE4CB40), UINT32_C(0x427C5C9D), ++ UINT32_C(0xC2671AB6), UINT32_C(0x261D4939), UINT32_C(0xDFCDA7B8), ++ UINT32_C(0x2072C0B9), UINT32_C(0x9E7B802B), UINT32_C(0xC7828CC2), ++ UINT32_C(0x3AFEE900), UINT32_C(0xF6DE987F), UINT32_C(0x3488BF28) } }, ++ { { UINT32_C(0x7BE1F89E), UINT32_C(0x33B9F2DE), UINT32_C(0x299B15C9), ++ UINT32_C(0xD4E80821), UINT32_C(0x0E13F37F), UINT32_C(0x87A3067A), ++ UINT32_C(0x55FD239F), UINT32_C(0x6D4C09ED), UINT32_C(0x92EF014F), ++ UINT32_C(0x48B1042D), UINT32_C(0xB385A759), UINT32_C(0xA382B2E0) }, ++ { UINT32_C(0x7F6F84F8), UINT32_C(0xBF571BB0), UINT32_C(0x0CE87F50), ++ UINT32_C(0x25AFFA37), UINT32_C(0xFE54F1BC), UINT32_C(0x826906D3), ++ UINT32_C(0xC53AE76A), UINT32_C(0x6B0421F4), UINT32_C(0x4855EB3C), ++ UINT32_C(0x44F85A3A), UINT32_C(0x8D1F2B27), UINT32_C(0xF49E2151) } }, ++ }, ++ { ++ { { UINT32_C(0x5E3C647B), UINT32_C(0xC0426B77), UINT32_C(0x8CF05348), ++ UINT32_C(0xBFCBD939), UINT32_C(0x172C0D3D), UINT32_C(0x31D312E3), ++ UINT32_C(0xEE754737), UINT32_C(0x5F49FDE6), UINT32_C(0x6DA7EE61), ++ UINT32_C(0x895530F0), UINT32_C(0xE8B3A5FB), UINT32_C(0xCF281B0A) }, ++ { UINT32_C(0x41B8A543), UINT32_C(0xFD149735), UINT32_C(0x3080DD30), ++ UINT32_C(0x41A625A7), UINT32_C(0x653908CF), UINT32_C(0xE2BAAE07), ++ UINT32_C(0xBA02A278), UINT32_C(0xC3D01436), UINT32_C(0x7B21B8F8), ++ UINT32_C(0xA0D0222E), UINT32_C(0xD7EC1297), UINT32_C(0xFDC270E9) } }, ++ { { UINT32_C(0x9F101E64), UINT32_C(0x06A67BD2), UINT32_C(0xE1733A4A), ++ UINT32_C(0xCB6E0AC7), UINT32_C(0x97BC62D2), UINT32_C(0xEE0B5D51), ++ UINT32_C(0x24C51874), UINT32_C(0x52B17039), UINT32_C(0x82A1A0D5), ++ UINT32_C(0xFED1F423), UINT32_C(0xDB6270AC), UINT32_C(0x55D90569) }, ++ { UINT32_C(0x5D73D533), UINT32_C(0x36BE4A9C), UINT32_C(0x976ED4D5), ++ UINT32_C(0xBE9266D6), UINT32_C(0xB8F8074B), UINT32_C(0xC17436D3), ++ UINT32_C(0x718545C6), UINT32_C(0x3BB4D399), UINT32_C(0x5C757D21), ++ UINT32_C(0x8E1EA355), UINT32_C(0x8C474366), UINT32_C(0xF7EDBC97) } }, ++ { { UINT32_C(0x6EA83242), UINT32_C(0xEC72C650), UINT32_C(0x1B2D237F), ++ UINT32_C(0xF7DE7BE5), UINT32_C(0x1819EFB0), UINT32_C(0x3C5E2200), ++ UINT32_C(0x8CDDE870), UINT32_C(0xDF5AB6D6), UINT32_C(0x92A87AEE), ++ UINT32_C(0x75A44E9D), UINT32_C(0xBCF77F19), UINT32_C(0xBDDC46F4) }, ++ { UINT32_C(0x669B674D), UINT32_C(0x8191EFBD), UINT32_C(0xED71768F), ++ UINT32_C(0x52884DF9), UINT32_C(0x65CF242C), UINT32_C(0xE62BE582), ++ UINT32_C(0x80B1D17B), UINT32_C(0xAE99A3B1), UINT32_C(0x92DE59A9), ++ UINT32_C(0x48CBB446), UINT32_C(0x2DCB3CE2), UINT32_C(0xD3C226CF) } }, ++ { { UINT32_C(0x9FD94EC4), UINT32_C(0x9580CDFB), UINT32_C(0x28631AD9), ++ UINT32_C(0xED273A6C), UINT32_C(0xC327F3E7), UINT32_C(0x5D3D5F77), ++ UINT32_C(0x35353C5F), UINT32_C(0x05D5339C), UINT32_C(0x5C258EB1), ++ UINT32_C(0xC56FB5FE), UINT32_C(0xEDCE1F79), UINT32_C(0xEFF8425E) }, ++ { UINT32_C(0xCF83CF9C), UINT32_C(0xAB7AA141), UINT32_C(0x207D6D4F), ++ UINT32_C(0xBD2A690A), UINT32_C(0x458D9E52), UINT32_C(0xE1241491), ++ UINT32_C(0xAA7F0F31), UINT32_C(0xDD2448CC), UINT32_C(0xF0FDA7AB), ++ UINT32_C(0xEC58D3C7), UINT32_C(0xC91BBA4D), UINT32_C(0x7B6E122D) } }, ++ { { UINT32_C(0xB1B48156), UINT32_C(0x2A2DEDAF), UINT32_C(0xBB93DB87), ++ UINT32_C(0xA0A2C63A), UINT32_C(0x08ACD99E), UINT32_C(0xC6559078), ++ UINT32_C(0xFE4AC331), UINT32_C(0x03EA42AF), UINT32_C(0xEB180ED6), ++ UINT32_C(0x43D2C14A), UINT32_C(0xB1156A1A), UINT32_C(0xC2F293DD) }, ++ { UINT32_C(0xA9D81249), UINT32_C(0x1FAFABF5), UINT32_C(0x9A8EEE87), ++ UINT32_C(0x39ADDEAD), UINT32_C(0x119E2E92), UINT32_C(0x21E206F2), ++ UINT32_C(0xD74DCEB6), UINT32_C(0xBC5DCC2E), UINT32_C(0x0A73A358), ++ UINT32_C(0x86647FA3), UINT32_C(0x2F53F642), UINT32_C(0xEAD8BEA4) } }, ++ { { UINT32_C(0x91C09091), UINT32_C(0x636225F5), UINT32_C(0x71BDCFDF), ++ UINT32_C(0xCCF5070A), UINT32_C(0xB9668EE2), UINT32_C(0x0EF8D625), ++ UINT32_C(0xB5E04E4F), UINT32_C(0x57BDF6CD), UINT32_C(0x7C75EA43), ++ UINT32_C(0xFC6AB0A6), UINT32_C(0xF7FD6EF3), UINT32_C(0xEB6B8AFB) }, ++ { UINT32_C(0x2A3DF404), UINT32_C(0x5B2AEEF0), UINT32_C(0xB9823197), ++ UINT32_C(0x31FD3B48), UINT32_C(0x83A7EB23), UINT32_C(0x56226DB6), ++ UINT32_C(0x5BB1ED2F), UINT32_C(0x3772C21E), UINT32_C(0xCD1ABA6A), ++ UINT32_C(0x3E833624), UINT32_C(0xAC672DAD), UINT32_C(0xBAE58FFA) } }, ++ { { UINT32_C(0x31BA1705), UINT32_C(0xCE92224D), UINT32_C(0xF0197F63), ++ UINT32_C(0x022C6ED2), UINT32_C(0xA4DC1113), UINT32_C(0x21F18D99), ++ UINT32_C(0x03616BF1), UINT32_C(0x5CD04DE8), UINT32_C(0x9FF12E08), ++ UINT32_C(0x6F900679), UINT32_C(0x48E61DDF), UINT32_C(0xF59A3315) }, ++ { UINT32_C(0xB51BD024), UINT32_C(0x9474D42C), UINT32_C(0x9051E49D), ++ UINT32_C(0x11A0A413), UINT32_C(0xDCE70EDB), UINT32_C(0x79C92705), ++ UINT32_C(0x34198426), UINT32_C(0x113CE278), UINT32_C(0xEA8616D2), ++ UINT32_C(0x8978396F), UINT32_C(0xEA894C36), UINT32_C(0x9A2A14D0) } }, ++ { { UINT32_C(0x604F6E4A), UINT32_C(0x4F1E1254), UINT32_C(0x0187D585), ++ UINT32_C(0x4513B088), UINT32_C(0x19E0F482), UINT32_C(0x9022F257), ++ UINT32_C(0xE2239DBF), UINT32_C(0x51FB2A80), UINT32_C(0x998ED9D5), ++ UINT32_C(0x49940D9E), UINT32_C(0x6C932C5D), UINT32_C(0x0583D241) }, ++ { UINT32_C(0xF25B73F7), UINT32_C(0x1188CEC8), UINT32_C(0x3B3D06CD), ++ UINT32_C(0xA28788CB), UINT32_C(0xA083DB5A), UINT32_C(0xDEA194EC), ++ UINT32_C(0x22DF4272), UINT32_C(0xD93A4F7E), UINT32_C(0x6A009C49), ++ UINT32_C(0x8D84E4BF), UINT32_C(0x3E3E4A9E), UINT32_C(0x893D8DD9) } }, ++ { { UINT32_C(0x33D31160), UINT32_C(0x35E909EA), UINT32_C(0x57172F1E), ++ UINT32_C(0x50203168), UINT32_C(0x51F3D866), UINT32_C(0x2707FC44), ++ UINT32_C(0xD2442A5D), UINT32_C(0xEB9D2018), UINT32_C(0x5DBFE378), ++ UINT32_C(0x904D7209), UINT32_C(0x5F13CF77), UINT32_C(0x6DB132A3) }, ++ { UINT32_C(0x7A3AF54B), UINT32_C(0x9D842BA6), UINT32_C(0x5AA5B4F9), ++ UINT32_C(0x4E16EA19), UINT32_C(0xAF24228E), UINT32_C(0x2BBA457C), ++ UINT32_C(0x16F3C5FE), UINT32_C(0xCC04B3BB), UINT32_C(0x77E64944), ++ UINT32_C(0xBAFAC516), UINT32_C(0xF08BCEE0), UINT32_C(0x31580A34) } }, ++ { { UINT32_C(0x20C30ACA), UINT32_C(0xC6808DEE), UINT32_C(0xA3EA2056), ++ UINT32_C(0xDADD216F), UINT32_C(0x7A4A9F9D), UINT32_C(0xD331394E), ++ UINT32_C(0x424C4026), UINT32_C(0x9E0441AD), UINT32_C(0x0AEB5350), ++ UINT32_C(0xAEED102F), UINT32_C(0xD45B09DA), UINT32_C(0xC6697FBB) }, ++ { UINT32_C(0xDEAC1496), UINT32_C(0x52A2590E), UINT32_C(0x250B87AF), ++ UINT32_C(0x7142B831), UINT32_C(0x6D0784A8), UINT32_C(0xBEF2E68B), ++ UINT32_C(0xA5F71CEF), UINT32_C(0x5F62593A), UINT32_C(0xB5DA51A3), ++ UINT32_C(0x3B8F7616), UINT32_C(0xB680F5FE), UINT32_C(0xC7A6FA0D) } }, ++ { { UINT32_C(0x99C8227C), UINT32_C(0x36C21DE6), UINT32_C(0xC26813B1), ++ UINT32_C(0xBEE3E867), UINT32_C(0xBDD91549), UINT32_C(0x9B05F2E6), ++ UINT32_C(0xA7D1110F), UINT32_C(0x34FF2B1F), UINT32_C(0x37F67FD0), ++ UINT32_C(0x8E6953B9), UINT32_C(0xC3183E20), UINT32_C(0x56C7F18B) }, ++ { UINT32_C(0x9E2019ED), UINT32_C(0x48AF46DE), UINT32_C(0xF551BBBF), ++ UINT32_C(0xDEAF972E), UINT32_C(0xCC5E3EEF), UINT32_C(0x88EE38F8), ++ UINT32_C(0x392D6BAF), UINT32_C(0xFB8D7A44), UINT32_C(0x0127187D), ++ UINT32_C(0x32293BFC), UINT32_C(0xE58647CC), UINT32_C(0x7689E767) } }, ++ { { UINT32_C(0x52168013), UINT32_C(0x00CE901B), UINT32_C(0x837AAE71), ++ UINT32_C(0xC6BF8E38), UINT32_C(0x167677D8), UINT32_C(0xD6F11EFA), ++ UINT32_C(0x86C8E5CF), UINT32_C(0xE53BB485), UINT32_C(0xC48E74AB), ++ UINT32_C(0x671167CE), UINT32_C(0x8AD720A7), UINT32_C(0x8A40218C) }, ++ { UINT32_C(0xE7C1191A), UINT32_C(0x81E827A6), UINT32_C(0xADDB153D), ++ UINT32_C(0x54058F8D), UINT32_C(0x0D950FA2), UINT32_C(0x0BAF2925), ++ UINT32_C(0x576DDA13), UINT32_C(0xC244674D), UINT32_C(0x41BCD13B), ++ UINT32_C(0x8C4630AE), UINT32_C(0x5A077419), UINT32_C(0x6C2127BF) } }, ++ { { UINT32_C(0xA83C501F), UINT32_C(0xCF977FD5), UINT32_C(0xB6AB176F), ++ UINT32_C(0xD7C6DF36), UINT32_C(0x397BC6B5), UINT32_C(0x117F6331), ++ UINT32_C(0xF7A2D491), UINT32_C(0x72A6078B), UINT32_C(0x5242FE2E), ++ UINT32_C(0xE5A2AAED), UINT32_C(0xFEBDC212), UINT32_C(0x88ECFFDC) }, ++ { UINT32_C(0xCE33BA21), UINT32_C(0xF2DBBF50), UINT32_C(0xCEB19F07), ++ UINT32_C(0xE1343B76), UINT32_C(0xD2C28F71), UINT32_C(0x1F32D4C9), ++ UINT32_C(0x18587685), UINT32_C(0x93FC64B4), UINT32_C(0xBA1F8BD1), ++ UINT32_C(0x39CEEF9B), UINT32_C(0x8D6D6BB0), UINT32_C(0x99C36A78) } }, ++ { { UINT32_C(0x3E9561CF), UINT32_C(0x0D063817), UINT32_C(0x3D33704D), ++ UINT32_C(0x1D8646AA), UINT32_C(0x7A08BA33), UINT32_C(0x8C451384), ++ UINT32_C(0xE02D6624), UINT32_C(0x96446BD3), UINT32_C(0x2D6F4166), ++ UINT32_C(0x749849F0), UINT32_C(0x14268BF0), UINT32_C(0xE364DA01) }, ++ { UINT32_C(0x9AEBFCFD), UINT32_C(0x7CE4587E), UINT32_C(0x56234393), ++ UINT32_C(0xD4686064), UINT32_C(0x16DF73B2), UINT32_C(0x00231D51), ++ UINT32_C(0x7279C78C), UINT32_C(0xF6A969B7), UINT32_C(0x6CB4117C), ++ UINT32_C(0x1FF1F6B6), UINT32_C(0xD3EAB680), UINT32_C(0x30AEBC39) } }, ++ { { UINT32_C(0x93EF00B9), UINT32_C(0x5CC97E64), UINT32_C(0x972345AE), ++ UINT32_C(0xDAE13841), UINT32_C(0x4788F43C), UINT32_C(0x85839184), ++ UINT32_C(0xE2E6CF3E), UINT32_C(0xD0FF521E), UINT32_C(0x4B707C86), ++ UINT32_C(0xAED14A5B), UINT32_C(0xD2523CF7), UINT32_C(0x7EAAE4A6) }, ++ { UINT32_C(0x024C8AC6), UINT32_C(0x266472C5), UINT32_C(0xC0170051), ++ UINT32_C(0xE47E1522), UINT32_C(0x73826BAE), UINT32_C(0x7B83DA61), ++ UINT32_C(0xCF543F0D), UINT32_C(0xE97E19F5), UINT32_C(0x20BF38E2), ++ UINT32_C(0x5D5248FA), UINT32_C(0xDF56A037), UINT32_C(0x8A7C2F7D) } }, ++ { { UINT32_C(0x87B0526C), UINT32_C(0xB04659DD), UINT32_C(0x2307565E), ++ UINT32_C(0x593C604A), UINT32_C(0x7C630AB8), UINT32_C(0x49E52225), ++ UINT32_C(0xDCE9CD23), UINT32_C(0x24C1D0C6), UINT32_C(0x85177079), ++ UINT32_C(0x6FDB241C), UINT32_C(0xF250C351), UINT32_C(0x5F521D19) }, ++ { UINT32_C(0xA6FB61DF), UINT32_C(0xFB56134B), UINT32_C(0xD75C07ED), ++ UINT32_C(0xA4E70D69), UINT32_C(0x7D8825A8), UINT32_C(0xB7A82448), ++ UINT32_C(0xDD64BBCC), UINT32_C(0xA3AEA7D4), UINT32_C(0x8692F539), ++ UINT32_C(0xD53E6E6C), UINT32_C(0xF7AA4BC0), UINT32_C(0x8DDDA83B) } }, ++ }, ++ { ++ { { UINT32_C(0xDD93D50A), UINT32_C(0x140A0F9F), UINT32_C(0x83B7ABAC), ++ UINT32_C(0x4799FFDE), UINT32_C(0x04A1F742), UINT32_C(0x78FF7C23), ++ UINT32_C(0x195BA34E), UINT32_C(0xC0568F51), UINT32_C(0x3B7F78B4), ++ UINT32_C(0xE9718360), UINT32_C(0xF9EFAA53), UINT32_C(0x9CFD1FF1) }, ++ { UINT32_C(0xBB06022E), UINT32_C(0xE924D2C5), UINT32_C(0xFAA2AF6D), ++ UINT32_C(0x9987FA86), UINT32_C(0x6EE37E0F), UINT32_C(0x4B12E73F), ++ UINT32_C(0x5E5A1DDE), UINT32_C(0x1836FDFA), UINT32_C(0x9DCD6416), ++ UINT32_C(0x7F1B9225), UINT32_C(0x677544D8), UINT32_C(0xCB2C1B4D) } }, ++ { { UINT32_C(0x9C213D95), UINT32_C(0x0254486D), UINT32_C(0xCB2F6E94), ++ UINT32_C(0x68A9DB56), UINT32_C(0x000F5491), UINT32_C(0xFB5858BA), ++ UINT32_C(0x34009FB6), UINT32_C(0x1315BDD9), UINT32_C(0xC42BDE30), ++ UINT32_C(0xB18A8E0A), UINT32_C(0xF1070358), UINT32_C(0xFDCF93D1) }, ++ { UINT32_C(0x3022937E), UINT32_C(0xBEB1DB75), UINT32_C(0xCAC20DB4), ++ UINT32_C(0x9B9ECA7A), UINT32_C(0xE4122B20), UINT32_C(0x152214D4), ++ UINT32_C(0xAABCCC7B), UINT32_C(0xD3E673F2), UINT32_C(0xAED07571), ++ UINT32_C(0x94C50F64), UINT32_C(0xE66B4F17), UINT32_C(0xD767059A) } }, ++ { { UINT32_C(0xDCD6D14B), UINT32_C(0x40336B12), UINT32_C(0xE3B4919C), ++ UINT32_C(0xF6BCFF5D), UINT32_C(0x9C841F0C), UINT32_C(0xC337048D), ++ UINT32_C(0x1D617F50), UINT32_C(0x4CE6D025), UINT32_C(0x8117D379), ++ UINT32_C(0x00FEF219), UINT32_C(0xF95BE243), UINT32_C(0x18B7C4E9) }, ++ { UINT32_C(0x38DF08FF), UINT32_C(0x98DE119E), UINT32_C(0x8D772D20), ++ UINT32_C(0xDFD803BD), UINT32_C(0x0F9678BD), UINT32_C(0x94125B72), ++ UINT32_C(0x334ACE30), UINT32_C(0xFC5B57CD), UINT32_C(0xB7E86E04), ++ UINT32_C(0x09486527), UINT32_C(0x6E552039), UINT32_C(0xFE9F8BCC) } }, ++ { { UINT32_C(0xD6F5A10E), UINT32_C(0x3B75C45B), UINT32_C(0xC1C35F38), ++ UINT32_C(0xFD4680F4), UINT32_C(0xF8E0A113), UINT32_C(0x5450227D), ++ UINT32_C(0x73DDBA24), UINT32_C(0x5E69F1AE), UINT32_C(0x57F24645), ++ UINT32_C(0x2007B80E), UINT32_C(0x3D159741), UINT32_C(0xC63695DC) }, ++ { UINT32_C(0x4530F623), UINT32_C(0xCBE54D29), UINT32_C(0x2869586B), ++ UINT32_C(0x986AD573), UINT32_C(0x4CC39F73), UINT32_C(0xE19F7059), ++ UINT32_C(0x2B1B8DA9), UINT32_C(0x80F00AB3), UINT32_C(0x73F68D26), ++ UINT32_C(0xB765AAF9), UINT32_C(0xE993F829), UINT32_C(0xBC79A394) } }, ++ { { UINT32_C(0xF310D2A0), UINT32_C(0x9C441043), UINT32_C(0xDC5EB106), ++ UINT32_C(0x2865EE58), UINT32_C(0x9CB8065C), UINT32_C(0x71A95922), ++ UINT32_C(0xA052AF0F), UINT32_C(0x8EB3A733), UINT32_C(0xB09D716E), ++ UINT32_C(0x56009F42), UINT32_C(0xABCBE6AD), UINT32_C(0xA7F923C5) }, ++ { UINT32_C(0xFA375C01), UINT32_C(0x263B7669), UINT32_C(0x21EF27A2), ++ UINT32_C(0x641C47E5), UINT32_C(0xB08FFD25), UINT32_C(0xA89B474E), ++ UINT32_C(0xF0A239F3), UINT32_C(0x5BE8EC3F), UINT32_C(0x242A6C5A), ++ UINT32_C(0x0E79957A), UINT32_C(0x0C6C75F5), UINT32_C(0x1DFB26D0) } }, ++ { { UINT32_C(0x9DFBF22A), UINT32_C(0x2FD97B9B), UINT32_C(0x5643532D), ++ UINT32_C(0xDEC16CC8), UINT32_C(0x60FEE7C3), UINT32_C(0xDF0E6E39), ++ UINT32_C(0x545860C8), UINT32_C(0xD09AD7B6), UINT32_C(0x73FC3B7C), ++ UINT32_C(0xCC16E984), UINT32_C(0x0D4E1555), UINT32_C(0x6CE734C1) }, ++ { UINT32_C(0x4B5F6032), UINT32_C(0xC6EFE68B), UINT32_C(0x14F54073), ++ UINT32_C(0x3A64F34C), UINT32_C(0xAC44DC95), UINT32_C(0x25DA689C), ++ UINT32_C(0x5358AD8A), UINT32_C(0x990C477E), UINT32_C(0xF36DA7DE), ++ UINT32_C(0x00E958A5), UINT32_C(0xC9B6F161), UINT32_C(0x902B7360) } }, ++ { { UINT32_C(0x9347B90A), UINT32_C(0x454AB42C), UINT32_C(0xA698B02B), ++ UINT32_C(0xCAEBE64A), UINT32_C(0xFB86FA40), UINT32_C(0x119CDC69), ++ UINT32_C(0xC3109281), UINT32_C(0x2E5CB7AD), UINT32_C(0xCD0C3D00), ++ UINT32_C(0x67BB1EC5), UINT32_C(0x83F25BBF), UINT32_C(0x5D430BC7) }, ++ { UINT32_C(0x5CDE0ABB), UINT32_C(0x69FD84A8), UINT32_C(0x9816B688), ++ UINT32_C(0x69DA263E), UINT32_C(0x0E53CBB8), UINT32_C(0xE52D93DF), ++ UINT32_C(0xADD2D5A7), UINT32_C(0x42CF6F25), UINT32_C(0xC87CA88F), ++ UINT32_C(0x227BA59D), UINT32_C(0xDA738554), UINT32_C(0x7A1CA876) } }, ++ { { UINT32_C(0x1CAC82C4), UINT32_C(0x3FA5C105), UINT32_C(0x8A78C9BE), ++ UINT32_C(0x23C76087), UINT32_C(0x1C5CFA42), UINT32_C(0xE98CDAD6), ++ UINT32_C(0x0A6C0421), UINT32_C(0x09C30252), UINT32_C(0x42FC61B9), ++ UINT32_C(0x149BAC7C), UINT32_C(0x3004A3E2), UINT32_C(0x3A1C22AC) }, ++ { UINT32_C(0x202C7FED), UINT32_C(0xDE6B0D6E), UINT32_C(0xE7E63052), ++ UINT32_C(0xB2457377), UINT32_C(0x3706B3EF), UINT32_C(0x31725FD4), ++ UINT32_C(0x2B1AFDBF), UINT32_C(0xE16A347D), UINT32_C(0x8C29CF66), ++ UINT32_C(0xBE4850C4), UINT32_C(0x2939F23C), UINT32_C(0x8F51CC4D) } }, ++ { { UINT32_C(0x219AE6C1), UINT32_C(0x169E025B), UINT32_C(0x116E1CA1), ++ UINT32_C(0x55FF526F), UINT32_C(0xB191F55D), UINT32_C(0x01B810A3), ++ UINT32_C(0x29588A69), UINT32_C(0x2D981272), UINT32_C(0x48B92199), ++ UINT32_C(0x53C93770), UINT32_C(0x8A85236F), UINT32_C(0x8C7DD84E) }, ++ { UINT32_C(0xCAACF958), UINT32_C(0x293D48B6), UINT32_C(0x43572B30), ++ UINT32_C(0x1F084ACB), UINT32_C(0xFAD91F28), UINT32_C(0x628BFA2D), ++ UINT32_C(0x829386AF), UINT32_C(0x8D627B11), UINT32_C(0xD44A77BE), ++ UINT32_C(0x3EC1DD00), UINT32_C(0x649AC7F0), UINT32_C(0x8D3B0D08) } }, ++ { { UINT32_C(0x177513BF), UINT32_C(0x00A93DAA), UINT32_C(0x42AD79E1), ++ UINT32_C(0x2EF0B96F), UINT32_C(0xA07129D9), UINT32_C(0x81F5AAF1), ++ UINT32_C(0x923F2449), UINT32_C(0xFC04B7EF), UINT32_C(0x60CDB1B7), ++ UINT32_C(0x855DA795), UINT32_C(0xAD5D61D4), UINT32_C(0xB1EB5DAB) }, ++ { UINT32_C(0x353FD028), UINT32_C(0xD2CEF1AE), UINT32_C(0x9EE94847), ++ UINT32_C(0xC21D5439), UINT32_C(0x0380C1A8), UINT32_C(0x9ED552BB), ++ UINT32_C(0x2BAC328F), UINT32_C(0xB156FE7A), UINT32_C(0x7213C6A4), ++ UINT32_C(0xBB7E0196), UINT32_C(0x1701ED5B), UINT32_C(0x36002A33) } }, ++ { { UINT32_C(0xDDC9EF4D), UINT32_C(0x20B1632A), UINT32_C(0x272D082B), ++ UINT32_C(0x2A35FF4C), UINT32_C(0xF6CC9BD3), UINT32_C(0x30D39923), ++ UINT32_C(0xE65C9D08), UINT32_C(0x6D879BC2), UINT32_C(0x6FA9983C), ++ UINT32_C(0xCE8274E1), UINT32_C(0x0EB7424F), UINT32_C(0x652371E8) }, ++ { UINT32_C(0xC5C35282), UINT32_C(0x32B77503), UINT32_C(0xC885A931), ++ UINT32_C(0xD7306333), UINT32_C(0x72955AA8), UINT32_C(0x8A16D719), ++ UINT32_C(0x7D51F882), UINT32_C(0x5548F163), UINT32_C(0xBABA59EF), ++ UINT32_C(0xB311DC66), UINT32_C(0x0DB8F627), UINT32_C(0x773D5448) } }, ++ { { UINT32_C(0x7A62EB3B), UINT32_C(0x59B1B134), UINT32_C(0xCCEEFB34), ++ UINT32_C(0x0F8CE157), UINT32_C(0xA798CB2B), UINT32_C(0x3FE842A8), ++ UINT32_C(0x0BF4161D), UINT32_C(0xD01BC626), UINT32_C(0x4D016FDB), ++ UINT32_C(0x55EF6E55), UINT32_C(0xB242B201), UINT32_C(0xCB561503) }, ++ { UINT32_C(0xAF4199C1), UINT32_C(0x076EBC73), UINT32_C(0x697244F7), ++ UINT32_C(0x39DEDCBB), UINT32_C(0x040162BC), UINT32_C(0x9D184733), ++ UINT32_C(0x7F6B5FA6), UINT32_C(0x902992C1), UINT32_C(0xBB4952B5), ++ UINT32_C(0xAD1DE754), UINT32_C(0xA121F6C8), UINT32_C(0x7ACF1B93) } }, ++ { { UINT32_C(0x325C9B9A), UINT32_C(0x7A56867C), UINT32_C(0xF3DC3D6A), ++ UINT32_C(0x1A143999), UINT32_C(0x03F5BCB8), UINT32_C(0xCE109590), ++ UINT32_C(0xD6EEE5B7), UINT32_C(0x034E9035), UINT32_C(0x495DF1BC), ++ UINT32_C(0x2AFA81C8), UINT32_C(0x08924D02), UINT32_C(0x5EAB52DC) }, ++ { UINT32_C(0xAA181904), UINT32_C(0xEE6AA014), UINT32_C(0x310AD621), ++ UINT32_C(0xE62DEF09), UINT32_C(0xC7538A03), UINT32_C(0x6C9792FC), ++ UINT32_C(0x3E41D789), UINT32_C(0xA89D3E88), UINT32_C(0x9F94AE83), ++ UINT32_C(0xD60FA11C), UINT32_C(0xE0D6234A), UINT32_C(0x5E16A8C2) } }, ++ { { UINT32_C(0xA9242F3B), UINT32_C(0x87EC053D), UINT32_C(0xF0E03545), ++ UINT32_C(0x99544637), UINT32_C(0x6B7019E9), UINT32_C(0xEA0633FF), ++ UINT32_C(0x68DDDB5B), UINT32_C(0x8CB8AE07), UINT32_C(0x1A811AC7), ++ UINT32_C(0x892E7C84), UINT32_C(0x73664249), UINT32_C(0xC7EF19EB) }, ++ { UINT32_C(0xCD1489E3), UINT32_C(0xD1B5819A), UINT32_C(0xDE45D24A), ++ UINT32_C(0xF9C80FB0), UINT32_C(0x83BB7491), UINT32_C(0x045C21A6), ++ UINT32_C(0x73F7A47D), UINT32_C(0xA65325BE), UINT32_C(0x9C394F0C), ++ UINT32_C(0x08D09F0E), UINT32_C(0x268D4F08), UINT32_C(0xE7FB21C6) } }, ++ { { UINT32_C(0x6CA95C18), UINT32_C(0xC4CCAB95), UINT32_C(0xBC42E040), ++ UINT32_C(0x563FFD56), UINT32_C(0xE701C604), UINT32_C(0xFA3C64D8), ++ UINT32_C(0xB0ABAFEE), UINT32_C(0xC88D4426), UINT32_C(0x8542E4C3), ++ UINT32_C(0x1A353E5E), UINT32_C(0xED726186), UINT32_C(0x9A2D8B7C) }, ++ { UINT32_C(0x42D097FA), UINT32_C(0xD61CE190), UINT32_C(0x799A748B), ++ UINT32_C(0x6A63E280), UINT32_C(0x3225486B), UINT32_C(0x0F48D063), ++ UINT32_C(0x42A3C443), UINT32_C(0x848F8FE1), UINT32_C(0x8493CEF4), ++ UINT32_C(0x2CCDE250), UINT32_C(0x45E77E7C), UINT32_C(0x5450A508) } }, ++ { { UINT32_C(0x03112816), UINT32_C(0xD0F4E248), UINT32_C(0xCCBE9E16), ++ UINT32_C(0xFCAD9DDB), UINT32_C(0x5AE01EA0), UINT32_C(0x177999BF), ++ UINT32_C(0xCE832DCE), UINT32_C(0xD20C78B9), UINT32_C(0x50C8C646), ++ UINT32_C(0x3CC694FB), UINT32_C(0xC93D4887), UINT32_C(0x24D75968) }, ++ { UINT32_C(0x87BC08AF), UINT32_C(0x9F06366A), UINT32_C(0x7FD0DF2A), ++ UINT32_C(0x59FAB50E), UINT32_C(0x6C4CC234), UINT32_C(0x5FFCC7F7), ++ UINT32_C(0x65F52D86), UINT32_C(0x87198DD7), UINT32_C(0xA855DF04), ++ UINT32_C(0x5B9C94B0), UINT32_C(0x8A067AD7), UINT32_C(0xD8BA6C73) } }, ++ }, ++ { ++ { { UINT32_C(0x1C4C9D90), UINT32_C(0x9E9AF315), UINT32_C(0xD12E0A89), ++ UINT32_C(0x8665C5A9), UINT32_C(0x58286493), UINT32_C(0x204ABD92), ++ UINT32_C(0xB2E09205), UINT32_C(0x79959889), UINT32_C(0xFE56B101), ++ UINT32_C(0x0C727A3D), UINT32_C(0x8B657F26), UINT32_C(0xF366244C) }, ++ { UINT32_C(0xCCA65BE2), UINT32_C(0xDE35D954), UINT32_C(0xB0FD41CE), ++ UINT32_C(0x52EE1230), UINT32_C(0x36019FEE), UINT32_C(0xFA03261F), ++ UINT32_C(0x66511D8F), UINT32_C(0xAFDA42D9), UINT32_C(0x821148B9), ++ UINT32_C(0xF63211DD), UINT32_C(0x6F13A3E1), UINT32_C(0x7B56AF7E) } }, ++ { { UINT32_C(0x5913E184), UINT32_C(0x47FE4799), UINT32_C(0x82145900), ++ UINT32_C(0x5BBE584C), UINT32_C(0x9A867173), UINT32_C(0xB76CFA8B), ++ UINT32_C(0x514BF471), UINT32_C(0x9BC87BF0), UINT32_C(0x71DCF1FC), ++ UINT32_C(0x37392DCE), UINT32_C(0x3AD1EFA8), UINT32_C(0xEC3EFAE0) }, ++ { UINT32_C(0x14876451), UINT32_C(0xBBEA5A34), UINT32_C(0x6217090F), ++ UINT32_C(0x96E5F543), UINT32_C(0x9B1665A9), UINT32_C(0x5B3D4ECD), ++ UINT32_C(0xE329DF22), UINT32_C(0xE7B0DF26), UINT32_C(0x0BAA808D), ++ UINT32_C(0x18FB438E), UINT32_C(0xDD516FAF), UINT32_C(0x90757EBF) } }, ++ { { UINT32_C(0xD5A98D68), UINT32_C(0x1E6F9A95), UINT32_C(0x849DA828), ++ UINT32_C(0x759EA7DF), UINT32_C(0x6E8B4198), UINT32_C(0x365D5625), ++ UINT32_C(0x7A4A53F9), UINT32_C(0xE1B9C53B), UINT32_C(0xE32B9B16), ++ UINT32_C(0x55DC1D50), UINT32_C(0xBB6D5701), UINT32_C(0xA4657EBB) }, ++ { UINT32_C(0xEACC76E2), UINT32_C(0x4C270249), UINT32_C(0x162B1CC7), ++ UINT32_C(0xBE49EC75), UINT32_C(0x0689902B), UINT32_C(0x19A95B61), ++ UINT32_C(0xA4CFC5A8), UINT32_C(0xDD5706BF), UINT32_C(0x14E5B424), ++ UINT32_C(0xD33BDB73), UINT32_C(0xE69EBA87), UINT32_C(0x21311BD1) } }, ++ { { UINT32_C(0x72A21ACC), UINT32_C(0x75BA2F9B), UINT32_C(0xA28EDB4C), ++ UINT32_C(0x356688D4), UINT32_C(0x610D080F), UINT32_C(0x3C339E0B), ++ UINT32_C(0x33A99C2F), UINT32_C(0x614AC293), UINT32_C(0xAA580AFF), ++ UINT32_C(0xA5E23AF2), UINT32_C(0xE1FDBA3A), UINT32_C(0xA6BCB860) }, ++ { UINT32_C(0xB43F9425), UINT32_C(0xAA603365), UINT32_C(0xF7EE4635), ++ UINT32_C(0xAE8D7126), UINT32_C(0x56330A32), UINT32_C(0xA2B25244), ++ UINT32_C(0x9E025AA3), UINT32_C(0xC396B5BB), UINT32_C(0xF8A0D5CF), ++ UINT32_C(0xABBF77FA), UINT32_C(0xEA31C83B), UINT32_C(0xB322EE30) } }, ++ { { UINT32_C(0x7890E234), UINT32_C(0x04881384), UINT32_C(0x672E70C6), ++ UINT32_C(0x387F1159), UINT32_C(0x7B307F75), UINT32_C(0x1468A614), ++ UINT32_C(0xED85EC96), UINT32_C(0x56335B52), UINT32_C(0xD45BCAE9), ++ UINT32_C(0xDA1BB60F), UINT32_C(0xF9FAEADD), UINT32_C(0x4D94F3F0) }, ++ { UINT32_C(0xFC78D86B), UINT32_C(0x6C6A7183), UINT32_C(0x3018DEC6), ++ UINT32_C(0xA425B5C7), UINT32_C(0x2D877399), UINT32_C(0xB1549C33), ++ UINT32_C(0x92B2BC37), UINT32_C(0x6C41C50C), UINT32_C(0x83EE0DDB), ++ UINT32_C(0x3A9F380C), UINT32_C(0xC4599E73), UINT32_C(0xDED5FEB6) } }, ++ { { UINT32_C(0x0B7F8354), UINT32_C(0x14D34C21), UINT32_C(0x9177CE45), ++ UINT32_C(0x1475A1CD), UINT32_C(0x9B926E4B), UINT32_C(0x9F5F764A), ++ UINT32_C(0x05DD21FE), UINT32_C(0x77260D1E), UINT32_C(0xC4B937F7), ++ UINT32_C(0x3C882480), UINT32_C(0x722372F2), UINT32_C(0xC92DCD39) }, ++ { UINT32_C(0xEC6F657E), UINT32_C(0xF636A1BE), UINT32_C(0x1D30DD35), ++ UINT32_C(0xB0E6C312), UINT32_C(0xE4654EFE), UINT32_C(0xFE4B0528), ++ UINT32_C(0x21D230D2), UINT32_C(0x1C4A6820), UINT32_C(0x98FA45AB), ++ UINT32_C(0x615D2E48), UINT32_C(0x01FDBABF), UINT32_C(0x1F35D6D8) } }, ++ { { UINT32_C(0x3A7B10D1), UINT32_C(0xA636EEB8), UINT32_C(0xF4A29E73), ++ UINT32_C(0x4E1AE352), UINT32_C(0xE6BB1EC7), UINT32_C(0x01704F5F), ++ UINT32_C(0x0EF020AE), UINT32_C(0x75C04F72), UINT32_C(0x5A31E6A6), ++ UINT32_C(0x448D8CEE), UINT32_C(0x208F994B), UINT32_C(0xE40A9C29) }, ++ { UINT32_C(0xFD8F9D5D), UINT32_C(0x69E09A30), UINT32_C(0x449BAB7E), ++ UINT32_C(0xE6A5F7EB), UINT32_C(0x2AA1768B), UINT32_C(0xF25BC18A), ++ UINT32_C(0x3C841234), UINT32_C(0x9449E404), UINT32_C(0x016A7BEF), ++ UINT32_C(0x7A3BF43E), UINT32_C(0x2A150B60), UINT32_C(0xF25803E8) } }, ++ { { UINT32_C(0xB215F9E0), UINT32_C(0xE44A2A57), UINT32_C(0x19066F0A), ++ UINT32_C(0x38B34DCE), UINT32_C(0x40BB1BFB), UINT32_C(0x8BB91DAD), ++ UINT32_C(0xE67735FC), UINT32_C(0x64C9F775), UINT32_C(0x88D613CD), ++ UINT32_C(0xDE142417), UINT32_C(0x1901D88D), UINT32_C(0xC5014FF5) }, ++ { UINT32_C(0xF38116B0), UINT32_C(0xA250341D), UINT32_C(0x9D6CBCB2), ++ UINT32_C(0xF96B9DD4), UINT32_C(0x76B3FAC2), UINT32_C(0x15EC6C72), ++ UINT32_C(0x8124C1E9), UINT32_C(0x88F1952F), UINT32_C(0x975BE4F5), ++ UINT32_C(0x6B72F8EA), UINT32_C(0x061F7530), UINT32_C(0x23D288FF) } }, ++ { { UINT32_C(0xAFB96CE3), UINT32_C(0xEBFE3E5F), UINT32_C(0xB1979537), ++ UINT32_C(0x2275EDFB), UINT32_C(0xC97BA741), UINT32_C(0xC37AB9E8), ++ UINT32_C(0x63D7C626), UINT32_C(0x446E4B10), UINT32_C(0xD025EB02), ++ UINT32_C(0xB73E2DCE), UINT32_C(0x7669EEA7), UINT32_C(0x1F952B51) }, ++ { UINT32_C(0x6069A424), UINT32_C(0xABDD00F6), UINT32_C(0xDC298BFB), ++ UINT32_C(0x1C0F9D9B), UINT32_C(0xEB757B33), UINT32_C(0x831B1FD3), ++ UINT32_C(0x59D60B32), UINT32_C(0xD7DBE183), UINT32_C(0x9EF094B3), ++ UINT32_C(0x663D1F36), UINT32_C(0x67F7F11A), UINT32_C(0x1BD5732E) } }, ++ { { UINT32_C(0xC75D8892), UINT32_C(0x3C7FB3F5), UINT32_C(0xBA68DA69), ++ UINT32_C(0x2CFF9A0C), UINT32_C(0x60EC740B), UINT32_C(0x76455E8B), ++ UINT32_C(0x167B88F0), UINT32_C(0x4B8D67FF), UINT32_C(0x5A4186B1), ++ UINT32_C(0xEDEC0C02), UINT32_C(0xBEBF35AB), UINT32_C(0x127C462D) }, ++ { UINT32_C(0x049430FC), UINT32_C(0x9159C67E), UINT32_C(0xE7747320), ++ UINT32_C(0x86B21DD2), UINT32_C(0x0CF27B89), UINT32_C(0x0E0E0152), ++ UINT32_C(0xCD1316B6), UINT32_C(0x705F28F5), UINT32_C(0xBEAEA8A8), ++ UINT32_C(0x76751691), UINT32_C(0x360C5B69), UINT32_C(0x4C73E282) } }, ++ { { UINT32_C(0xFD7B3D74), UINT32_C(0x46BCC0D5), UINT32_C(0x0DC4F410), ++ UINT32_C(0x6F13C20E), UINT32_C(0x72F11CDF), UINT32_C(0x98A1AF7D), ++ UINT32_C(0x7928881C), UINT32_C(0x6099FD83), UINT32_C(0x371BB94B), ++ UINT32_C(0x66976356), UINT32_C(0x19B945AB), UINT32_C(0x673FBA72) }, ++ { UINT32_C(0xAED00700), UINT32_C(0xE4D8FA6E), UINT32_C(0x5C71A9F7), ++ UINT32_C(0xEA2313EC), UINT32_C(0xF99D4AEA), UINT32_C(0xF9ED8268), ++ UINT32_C(0x42AB59C7), UINT32_C(0xADD89164), UINT32_C(0x3F3A2D45), ++ UINT32_C(0xB37EB26F), UINT32_C(0xA924841E), UINT32_C(0x0B39BD7A) } }, ++ { { UINT32_C(0xE03CDBBB), UINT32_C(0xD811EB32), UINT32_C(0x7CC3610E), ++ UINT32_C(0x12055F1D), UINT32_C(0xA9046E3F), UINT32_C(0x6B23A1A0), ++ UINT32_C(0x9DD4A749), UINT32_C(0x4D712122), UINT32_C(0xB1BF0AC3), ++ UINT32_C(0xB0C2ACA1), UINT32_C(0xC1B0432F), UINT32_C(0x71EFF575) }, ++ { UINT32_C(0x2B44E285), UINT32_C(0x6CD81492), UINT32_C(0xD87E8D20), ++ UINT32_C(0x3088BD9C), UINT32_C(0xF567E8FA), UINT32_C(0xACE218E5), ++ UINT32_C(0xCF90CBBB), UINT32_C(0xB3FA0424), UINT32_C(0x770734D3), ++ UINT32_C(0xADBDA751), UINT32_C(0x5AD6569A), UINT32_C(0xBCD78BAD) } }, ++ { { UINT32_C(0x7F39641F), UINT32_C(0xCADB31FA), UINT32_C(0x825E5562), ++ UINT32_C(0x3EF3E295), UINT32_C(0xF4094C64), UINT32_C(0x4893C633), ++ UINT32_C(0x8ADDF432), UINT32_C(0x52F685F1), UINT32_C(0x7FDC9373), ++ UINT32_C(0x9FD887AB), UINT32_C(0xE8680E8B), UINT32_C(0x47A9ADA0) }, ++ { UINT32_C(0xF0CD44F6), UINT32_C(0x579313B7), UINT32_C(0xE188AE2E), ++ UINT32_C(0xAC4B8668), UINT32_C(0x8FB145BD), UINT32_C(0x648F4369), ++ UINT32_C(0x74629E31), UINT32_C(0xE0460AB3), UINT32_C(0x8FF2B05F), ++ UINT32_C(0xC25F2875), UINT32_C(0x2D31EAEA), UINT32_C(0x4720C2B6) } }, ++ { { UINT32_C(0x13D48F80), UINT32_C(0x4603CDF4), UINT32_C(0xA49725DA), ++ UINT32_C(0x9ADB50E2), UINT32_C(0x65DF63F0), UINT32_C(0x8CD33050), ++ UINT32_C(0xCD643003), UINT32_C(0x58D8B3BB), UINT32_C(0xB739826B), ++ UINT32_C(0x170A4F4A), UINT32_C(0x1EAD0E17), UINT32_C(0x857772B5) }, ++ { UINT32_C(0xE65320F1), UINT32_C(0x01B78152), UINT32_C(0xB7503FC0), ++ UINT32_C(0xA6B4D845), UINT32_C(0x3DD50798), UINT32_C(0x0F5089B9), ++ UINT32_C(0x5690B6BE), UINT32_C(0x488F200F), UINT32_C(0x9E096F36), ++ UINT32_C(0x220B4ADF), UINT32_C(0x8CE5BC7C), UINT32_C(0x474D7C9F) } }, ++ { { UINT32_C(0xC745F8C9), UINT32_C(0xFED8C058), UINT32_C(0x291262D1), ++ UINT32_C(0xB683179E), UINT32_C(0xD15EE88C), UINT32_C(0x26ABD367), ++ UINT32_C(0xF60A6249), UINT32_C(0x29E8EED3), UINT32_C(0x1E02D6E1), ++ UINT32_C(0xED6008BB), UINT32_C(0xA6B12B8D), UINT32_C(0xD82ECF4C) }, ++ { UINT32_C(0xAAE4FA22), UINT32_C(0x9929D021), UINT32_C(0x336A1AB3), ++ UINT32_C(0xBE4DEF14), UINT32_C(0x8C80A312), UINT32_C(0x529B7E09), ++ UINT32_C(0xEE0EB0CE), UINT32_C(0xB059188D), UINT32_C(0x16DEAB7F), ++ UINT32_C(0x1E42979A), UINT32_C(0x84EE9477), UINT32_C(0x24110349) } }, ++ { { UINT32_C(0x2BE579CC), UINT32_C(0xD6524685), UINT32_C(0xC456FDED), ++ UINT32_C(0x849316F1), UINT32_C(0x2D1B67DA), UINT32_C(0xC51B7DA4), ++ UINT32_C(0x41BC6D6A), UINT32_C(0xC25B539E), UINT32_C(0xA9BF8BED), ++ UINT32_C(0xE3B7CCA3), UINT32_C(0x045C15E4), UINT32_C(0x813EF18C) }, ++ { UINT32_C(0x697982C4), UINT32_C(0x5F3789A1), UINT32_C(0x8C435566), ++ UINT32_C(0x4C125369), UINT32_C(0xDC0A92C6), UINT32_C(0x00A7AE6E), ++ UINT32_C(0x2F64A053), UINT32_C(0x1ABC929B), UINT32_C(0x38666B44), ++ UINT32_C(0xF4925C4C), UINT32_C(0x0F3DE7F6), UINT32_C(0xA81044B0) } }, ++ }, ++ { ++ { { UINT32_C(0xC2EC3731), UINT32_C(0xBCC88422), UINT32_C(0x10DC4EC2), ++ UINT32_C(0x78A3E4D4), UINT32_C(0x2571D6B1), UINT32_C(0x745DA1EF), ++ UINT32_C(0x739A956E), UINT32_C(0xF01C2921), UINT32_C(0xE4BFFC16), ++ UINT32_C(0xEFFD8065), UINT32_C(0xF36FE72C), UINT32_C(0x6EFE62A1) }, ++ { UINT32_C(0x0F4629A4), UINT32_C(0xF49E90D2), UINT32_C(0x8CE646F4), ++ UINT32_C(0xADD1DCC7), UINT32_C(0xB7240D91), UINT32_C(0xCB78B583), ++ UINT32_C(0x03F8387F), UINT32_C(0x2E1A7C3C), UINT32_C(0x3200F2D9), ++ UINT32_C(0x16566C22), UINT32_C(0xAAF80A84), UINT32_C(0x2361B14B) } }, ++ { { UINT32_C(0xB5733309), UINT32_C(0xDB1CFFD2), UINT32_C(0x0F9DD939), ++ UINT32_C(0x24BC250B), UINT32_C(0xA3C1DB85), UINT32_C(0xA4181E5A), ++ UINT32_C(0xAC55D391), UINT32_C(0xE5183E51), UINT32_C(0xEFD270D0), ++ UINT32_C(0x2793D5EF), UINT32_C(0xC0631546), UINT32_C(0x7D56F63D) }, ++ { UINT32_C(0x0C1EE59D), UINT32_C(0xECB40A59), UINT32_C(0xBB5BFA2C), ++ UINT32_C(0xE613A9E4), UINT32_C(0x6C5830F9), UINT32_C(0xA89B14AB), ++ UINT32_C(0xA03F201E), UINT32_C(0x4DC477DC), UINT32_C(0xC88C54F6), ++ UINT32_C(0x5604F5DA), UINT32_C(0x2ACFC66E), UINT32_C(0xD49264DC) } }, ++ { { UINT32_C(0x1C4DFA95), UINT32_C(0x283DD7F0), UINT32_C(0x62C0B160), ++ UINT32_C(0xB898CC2C), UINT32_C(0x870282AA), UINT32_C(0xBA08C095), ++ UINT32_C(0xF4E36324), UINT32_C(0xB02B00D8), UINT32_C(0x604CECF2), ++ UINT32_C(0x53AADDC0), UINT32_C(0x84DDD24E), UINT32_C(0xF1F927D3) }, ++ { UINT32_C(0xE2ABC9E1), UINT32_C(0x34BC00A0), UINT32_C(0x60289F88), ++ UINT32_C(0x2DA1227D), UINT32_C(0xCEF68F74), UINT32_C(0x5228EAAA), ++ UINT32_C(0x3C029351), UINT32_C(0x40A790D2), UINT32_C(0x8442E3B7), ++ UINT32_C(0xE0E9AF5C), UINT32_C(0xA9F141E0), UINT32_C(0xA3214142) } }, ++ { { UINT32_C(0xF9A58E3D), UINT32_C(0x72F4949E), UINT32_C(0xA48660A6), ++ UINT32_C(0x738C700B), UINT32_C(0x092A5805), UINT32_C(0x71B04726), ++ UINT32_C(0x0F5CDB72), UINT32_C(0xAD5C3C11), UINT32_C(0x554BFC49), ++ UINT32_C(0xD4951F9E), UINT32_C(0x6131EBE7), UINT32_C(0xEE594EE5) }, ++ { UINT32_C(0x3C1AF0A9), UINT32_C(0x37DA59F3), UINT32_C(0xCB040A63), ++ UINT32_C(0xD7AFC73B), UINT32_C(0x4D89FA65), UINT32_C(0xD020962A), ++ UINT32_C(0x71D824F5), UINT32_C(0x2610C61E), UINT32_C(0x3C050E31), ++ UINT32_C(0x9C917DA7), UINT32_C(0xE6E7EBFB), UINT32_C(0x3840F92F) } }, ++ { { UINT32_C(0x8D8B8CED), UINT32_C(0x50FBD7FE), UINT32_C(0x47D240AE), ++ UINT32_C(0xC7282F75), UINT32_C(0x1930FF73), UINT32_C(0x79646A47), ++ UINT32_C(0x2F7F5A77), UINT32_C(0x2E0BAC4E), UINT32_C(0x26127E0B), ++ UINT32_C(0x0EE44FA5), UINT32_C(0x82BC2AA7), UINT32_C(0x678881B7) }, ++ { UINT32_C(0x67F5F497), UINT32_C(0xB9E5D384), UINT32_C(0xA9B7106B), ++ UINT32_C(0x8F94A7D4), UINT32_C(0x9D329F68), UINT32_C(0xBF7E0B07), ++ UINT32_C(0x45D192FB), UINT32_C(0x169B93EA), UINT32_C(0x20DBE8C0), ++ UINT32_C(0xCCAA9467), UINT32_C(0x938F9574), UINT32_C(0xD4513A50) } }, ++ { { UINT32_C(0x054CB874), UINT32_C(0x841C96B4), UINT32_C(0xA3C26834), ++ UINT32_C(0xD75B1AF1), UINT32_C(0xEE6575F0), UINT32_C(0x7237169D), ++ UINT32_C(0x0322AADC), UINT32_C(0xD71FC7E5), UINT32_C(0x949E3A8E), ++ UINT32_C(0xD7A23F1E), UINT32_C(0xDD31D8C7), UINT32_C(0x77E2D102) }, ++ { UINT32_C(0xD10F5A1F), UINT32_C(0x5AD69D09), UINT32_C(0xB99D9A0B), ++ UINT32_C(0x526C9CB4), UINT32_C(0x972B237D), UINT32_C(0x521BB10B), ++ UINT32_C(0xA326F342), UINT32_C(0x1E4CD42F), UINT32_C(0xF0F126CA), ++ UINT32_C(0x5BB6DB27), UINT32_C(0xA4A515AD), UINT32_C(0x587AF22C) } }, ++ { { UINT32_C(0xB12E542F), UINT32_C(0x1123A531), UINT32_C(0xB9EB2811), ++ UINT32_C(0x1D01A64D), UINT32_C(0xF2D70F87), UINT32_C(0xA4A3515B), ++ UINT32_C(0xB4BD0270), UINT32_C(0xFA205234), UINT32_C(0x5EDA26B9), ++ UINT32_C(0x74B81830), UINT32_C(0x56578E75), UINT32_C(0x9305D6E6) }, ++ { UINT32_C(0x9F11BE19), UINT32_C(0xF38E69DE), UINT32_C(0x44DBE89F), ++ UINT32_C(0x1E2A5C23), UINT32_C(0xFD286654), UINT32_C(0x1077E7BC), ++ UINT32_C(0x0FCA4741), UINT32_C(0xD3669894), UINT32_C(0x278F8497), ++ UINT32_C(0x893BF904), UINT32_C(0xEB3E14F4), UINT32_C(0xD6AC5F83) } }, ++ { { UINT32_C(0x488F5F74), UINT32_C(0x327B9DAB), UINT32_C(0xCAB7364F), ++ UINT32_C(0x2B44F4B8), UINT32_C(0x19B6C6BD), UINT32_C(0xB4A6D22D), ++ UINT32_C(0xFC77CD3E), UINT32_C(0xA087E613), UINT32_C(0xB0B49BC7), ++ UINT32_C(0x4558E327), UINT32_C(0xCD835D35), UINT32_C(0x188805BE) }, ++ { UINT32_C(0xC1DC1007), UINT32_C(0x592F293C), UINT32_C(0x6AF02B44), ++ UINT32_C(0xFAEE660F), UINT32_C(0x904035F2), UINT32_C(0x5BFBB3BF), ++ UINT32_C(0x79C07E70), UINT32_C(0xD7C9AE60), UINT32_C(0x234896C2), ++ UINT32_C(0xC5287DD4), UINT32_C(0xCB0E4121), UINT32_C(0xC4CE4523) } }, ++ { { UINT32_C(0x58344831), UINT32_C(0x3626B406), UINT32_C(0x8E55C984), ++ UINT32_C(0xABCCE356), UINT32_C(0x77241602), UINT32_C(0x495CC81C), ++ UINT32_C(0x6D70DF8F), UINT32_C(0x4FB79676), UINT32_C(0x5B071DCA), ++ UINT32_C(0x6354B37C), UINT32_C(0x8C0FC0AD), UINT32_C(0x2CAD80A4) }, ++ { UINT32_C(0xF68739B4), UINT32_C(0x18AADD51), UINT32_C(0x47F09C6C), ++ UINT32_C(0x1BFBB177), UINT32_C(0xA8FD51C4), UINT32_C(0x9355EA19), ++ UINT32_C(0xEE58DB7B), UINT32_C(0x3D512A84), UINT32_C(0xE9237640), ++ UINT32_C(0x70842AFD), UINT32_C(0xACAF858D), UINT32_C(0x36F515CA) } }, ++ { { UINT32_C(0x7E768B23), UINT32_C(0x3DDEC7C4), UINT32_C(0x036D43ED), ++ UINT32_C(0x97E13C53), UINT32_C(0x3A39AB5F), UINT32_C(0x871E5925), ++ UINT32_C(0x07E68E2B), UINT32_C(0x9AF292DE), UINT32_C(0x4A40112E), ++ UINT32_C(0x41158349), UINT32_C(0x3D4D97E6), UINT32_C(0xCDBB46AF) }, ++ { UINT32_C(0x3C0EBE40), UINT32_C(0x2F891293), UINT32_C(0x3EBAD1E5), ++ UINT32_C(0x696C7EEE), UINT32_C(0x33B50D99), UINT32_C(0x8A5F3B69), ++ UINT32_C(0x7ED47DDE), UINT32_C(0xB7BC4840), UINT32_C(0x1E6706D8), ++ UINT32_C(0x3A6F8E6C), UINT32_C(0x3D84BB8F), UINT32_C(0x6A147943) } }, ++ { { UINT32_C(0x603AE8D1), UINT32_C(0xEC3A9C78), UINT32_C(0x228C29E5), ++ UINT32_C(0xBFE07E37), UINT32_C(0x396DBC2B), UINT32_C(0xB0385C5B), ++ UINT32_C(0xDF85F41F), UINT32_C(0x7C14FE83), UINT32_C(0xADFD463E), ++ UINT32_C(0xE2E64676), UINT32_C(0x8BF9F23D), UINT32_C(0x5BEF10AA) }, ++ { UINT32_C(0xF6BAB6DA), UINT32_C(0xFA83EA0D), UINT32_C(0x966BF7E3), ++ UINT32_C(0xCD0C8BA5), UINT32_C(0x98501C2E), UINT32_C(0xD62216B4), ++ UINT32_C(0xC3E69F2D), UINT32_C(0xB7F298A4), UINT32_C(0x9C8740F4), ++ UINT32_C(0x42CEF13B), UINT32_C(0x0DD64307), UINT32_C(0xBB317E52) } }, ++ { { UINT32_C(0x3FFEE775), UINT32_C(0x22B6245C), UINT32_C(0xB37CE7AA), ++ UINT32_C(0x5C3F60BE), UINT32_C(0xE1FEC0DF), UINT32_C(0xDE195D40), ++ UINT32_C(0xA0A82074), UINT32_C(0x3BFAFBC5), UINT32_C(0xC72CA86A), ++ UINT32_C(0xC36EC86A), UINT32_C(0x13FD43EA), UINT32_C(0x56062851) }, ++ { UINT32_C(0x8E0B03A4), UINT32_C(0x8686BE80), UINT32_C(0xD540D440), ++ UINT32_C(0xC3BD1F93), UINT32_C(0xBF96CEC5), UINT32_C(0x13E4EBC0), ++ UINT32_C(0x9190C844), UINT32_C(0xE8E23984), UINT32_C(0x00844802), ++ UINT32_C(0x183593A6), UINT32_C(0x4D206878), UINT32_C(0x46716879) } }, ++ { { UINT32_C(0xB6F63D19), UINT32_C(0x358F394D), UINT32_C(0x6B052194), ++ UINT32_C(0xA75D4849), UINT32_C(0x5C8D7975), UINT32_C(0x58403590), ++ UINT32_C(0x6CBFBD77), UINT32_C(0x86DC9B6B), UINT32_C(0x647A51E5), ++ UINT32_C(0x2DB04D77), UINT32_C(0xF8950D88), UINT32_C(0x5E9A5B02) }, ++ { UINT32_C(0x017168B0), UINT32_C(0xCE69A7E5), UINT32_C(0xC4843AD3), ++ UINT32_C(0x94630FAC), UINT32_C(0x1EFC44FF), UINT32_C(0xB3B9D736), ++ UINT32_C(0xB14D7F93), UINT32_C(0xE729E9B6), UINT32_C(0xE0ED0ABC), ++ UINT32_C(0xA071FC60), UINT32_C(0x8C8D9B83), UINT32_C(0xFC1A9971) } }, ++ { { UINT32_C(0xD138E975), UINT32_C(0x49686031), UINT32_C(0x5A8EF0D1), ++ UINT32_C(0x64864038), UINT32_C(0xE7F7DE49), UINT32_C(0x32679713), ++ UINT32_C(0x29D1CD1D), UINT32_C(0x59132349), UINT32_C(0x20BE9ED2), ++ UINT32_C(0x849AA23A), UINT32_C(0x284B3F33), UINT32_C(0x15D303E1) }, ++ { UINT32_C(0xB63F9FE9), UINT32_C(0x37309475), UINT32_C(0x45B7256A), ++ UINT32_C(0x327BAC8B), UINT32_C(0xD17FC5D3), UINT32_C(0x291CD227), ++ UINT32_C(0xA973EDF1), UINT32_C(0x8291D8CD), UINT32_C(0x437ABA09), ++ UINT32_C(0xF3843562), UINT32_C(0x271D0785), UINT32_C(0x33FFB704) } }, ++ { { UINT32_C(0x47E11E5E), UINT32_C(0x5248D6E4), UINT32_C(0x269C7ED3), ++ UINT32_C(0x0F66FC3C), UINT32_C(0x903E346E), UINT32_C(0x18C0D2B9), ++ UINT32_C(0x4BEAE1B8), UINT32_C(0xD81D9D97), UINT32_C(0xFC30FDF3), ++ UINT32_C(0x610326B0), UINT32_C(0x19A7DFCD), UINT32_C(0x2B136870) }, ++ { UINT32_C(0xB9527676), UINT32_C(0xEC75F70A), UINT32_C(0x29A3D897), ++ UINT32_C(0x90829F51), UINT32_C(0x97980302), UINT32_C(0x92FE1809), ++ UINT32_C(0x68474991), UINT32_C(0xA3F2498E), UINT32_C(0x0F22BBAD), ++ UINT32_C(0x6A66307B), UINT32_C(0x20378557), UINT32_C(0x32014B91) } }, ++ { { UINT32_C(0x3CD98610), UINT32_C(0x72CD7D55), UINT32_C(0x74504ADF), ++ UINT32_C(0xC3D560B0), UINT32_C(0xCEBB5D5D), UINT32_C(0x23F0A982), ++ UINT32_C(0xB839DDB8), UINT32_C(0x1431C15B), UINT32_C(0xCEB72207), ++ UINT32_C(0x7E207CD8), UINT32_C(0xE7EFB28D), UINT32_C(0x28E0A848) }, ++ { UINT32_C(0x1BD96F6E), UINT32_C(0xD22561FE), UINT32_C(0x62A8236B), ++ UINT32_C(0x04812C18), UINT32_C(0x975491FA), UINT32_C(0xA0BF2334), ++ UINT32_C(0x435DF87F), UINT32_C(0x294F42A6), UINT32_C(0xA5D6F4F6), ++ UINT32_C(0x2772B783), UINT32_C(0x2724F853), UINT32_C(0x348F92ED) } }, ++ }, ++ { ++ { { UINT32_C(0x1A42E5E7), UINT32_C(0xC20FB911), UINT32_C(0x81D12863), ++ UINT32_C(0x075A678B), UINT32_C(0x5CC0AA89), UINT32_C(0x12BCBC6A), ++ UINT32_C(0x4FB9F01E), UINT32_C(0x5279C6AB), UINT32_C(0x11AE1B89), ++ UINT32_C(0xBC8E1789), UINT32_C(0xC290003C), UINT32_C(0xAE74A706) }, ++ { UINT32_C(0x79DF3F45), UINT32_C(0x9949D6EC), UINT32_C(0x96C8D37F), ++ UINT32_C(0xBA18E262), UINT32_C(0xDD2275BF), UINT32_C(0x68DE6EE2), ++ UINT32_C(0xC419F1D5), UINT32_C(0xA9E4FFF8), UINT32_C(0xA52B5A40), ++ UINT32_C(0xBC759CA4), UINT32_C(0x63B0996D), UINT32_C(0xFF18CBD8) } }, ++ { { UINT32_C(0xD7DD47E5), UINT32_C(0x73C57FDE), UINT32_C(0xD49A7F5D), ++ UINT32_C(0xB0FE5479), UINT32_C(0xCFB9821E), UINT32_C(0xD25C71F1), ++ UINT32_C(0xCF6A1D68), UINT32_C(0x9427E209), UINT32_C(0xACD24E64), ++ UINT32_C(0xBF3C3916), UINT32_C(0xBDA7B8B5), UINT32_C(0x7E9F5583) }, ++ { UINT32_C(0xCF971E11), UINT32_C(0xE7C5F7C8), UINT32_C(0x3C7F035E), ++ UINT32_C(0xEC16D5D7), UINT32_C(0xE66B277C), UINT32_C(0x818DC472), ++ UINT32_C(0xB2816F1E), UINT32_C(0x4413FD47), UINT32_C(0x48383C6D), ++ UINT32_C(0x40F262AF), UINT32_C(0x4F190537), UINT32_C(0xFB057584) } }, ++ { { UINT32_C(0x08962F6B), UINT32_C(0x487EDC07), UINT32_C(0x190A7E55), ++ UINT32_C(0x6002F1E7), UINT32_C(0x10FDBA0C), UINT32_C(0x7FC62BEA), ++ UINT32_C(0x2C3DBF33), UINT32_C(0xC836BBC5), UINT32_C(0x4F7D2A46), ++ UINT32_C(0x4FDFB5C3), UINT32_C(0xDCA0DF71), UINT32_C(0x824654DE) }, ++ { UINT32_C(0x0C23902B), UINT32_C(0x30A07676), UINT32_C(0x77FBBF37), ++ UINT32_C(0x7F1EBB93), UINT32_C(0xFACC13DB), UINT32_C(0xD307D49D), ++ UINT32_C(0xAE1A261A), UINT32_C(0x148D673A), UINT32_C(0x52D98650), ++ UINT32_C(0xE008F95B), UINT32_C(0x9F558FDE), UINT32_C(0xC7614440) } }, ++ { { UINT32_C(0x9CB16650), UINT32_C(0x17CD6AF6), UINT32_C(0x69F4EEBE), ++ UINT32_C(0x86CC27C1), UINT32_C(0x78822432), UINT32_C(0x7E495B1D), ++ UINT32_C(0x1B974525), UINT32_C(0xFED338E3), UINT32_C(0x86F3CE21), ++ UINT32_C(0x527743D3), UINT32_C(0xB515C896), UINT32_C(0x87948AD3) }, ++ { UINT32_C(0xB17F2FB8), UINT32_C(0x9FDE7039), UINT32_C(0xD9B89D96), ++ UINT32_C(0xA2FA9A5F), UINT32_C(0x36FF74DC), UINT32_C(0x5D46600B), ++ UINT32_C(0x8302C3C9), UINT32_C(0x8EA74B04), UINT32_C(0xF744B5EB), ++ UINT32_C(0xD560F570), UINT32_C(0xFE762402), UINT32_C(0xC921023B) } }, ++ { { UINT32_C(0xFFF4C8ED), UINT32_C(0xA35AB657), UINT32_C(0x8A5FABD7), ++ UINT32_C(0x017C6124), UINT32_C(0x09ACDA28), UINT32_C(0x56463025), ++ UINT32_C(0x14CF238A), UINT32_C(0x6038D361), UINT32_C(0xAF1B9F07), ++ UINT32_C(0x1428B1B6), UINT32_C(0x7482E95C), UINT32_C(0x5827FF44) }, ++ { UINT32_C(0x780FF362), UINT32_C(0xCB997E18), UINT32_C(0xE0BCAC1E), ++ UINT32_C(0x2B89D702), UINT32_C(0xA837DDC8), UINT32_C(0xC632A0B5), ++ UINT32_C(0x59762647), UINT32_C(0xF3EFCF1F), UINT32_C(0x38B0D60A), ++ UINT32_C(0xE9BA309A), UINT32_C(0x20B5FB37), UINT32_C(0x05DEABDD) } }, ++ { { UINT32_C(0xCB8AF047), UINT32_C(0xD44E5DBA), UINT32_C(0x943CFE82), ++ UINT32_C(0x15400CB4), UINT32_C(0x9DF88B67), UINT32_C(0xDBD69575), ++ UINT32_C(0xB2405A7D), UINT32_C(0x8299DB2B), UINT32_C(0x0B1D80CD), ++ UINT32_C(0x46E3BF77), UINT32_C(0xE82BA3D9), UINT32_C(0xC50CF66C) }, ++ { UINT32_C(0xF2F747A9), UINT32_C(0xB2910A07), UINT32_C(0x5ADC89C1), ++ UINT32_C(0xF6B669DB), UINT32_C(0x9052B081), UINT32_C(0x3B5EF1A0), ++ UINT32_C(0xB594ACE2), UINT32_C(0x0F5D5ED3), UINT32_C(0xD5F01320), ++ UINT32_C(0xDA30B8D5), UINT32_C(0xAAFCD58F), UINT32_C(0x0D688C5E) } }, ++ { { UINT32_C(0x2A161074), UINT32_C(0x5EEE3A31), UINT32_C(0xEFE2BE37), ++ UINT32_C(0x6BAAAE56), UINT32_C(0xE3D78698), UINT32_C(0xF9787F61), ++ UINT32_C(0x50630A30), UINT32_C(0xC6836B26), UINT32_C(0x1445DEF1), ++ UINT32_C(0x7445B85D), UINT32_C(0xD568A6A5), UINT32_C(0xD72016A2) }, ++ { UINT32_C(0xE355614F), UINT32_C(0x9DD6F533), UINT32_C(0x91E04588), ++ UINT32_C(0x637E7E5F), UINT32_C(0xB9FB1391), UINT32_C(0x42E142F3), ++ UINT32_C(0x41AFE5DA), UINT32_C(0x0D07C05C), UINT32_C(0x1394EDF1), ++ UINT32_C(0xD7CD25C8), UINT32_C(0xB99288EE), UINT32_C(0xEBE6A0FC) } }, ++ { { UINT32_C(0xBABBAD86), UINT32_C(0xB8E63B7B), UINT32_C(0x90D66766), ++ UINT32_C(0x63226A9F), UINT32_C(0x5CF26666), UINT32_C(0x26381836), ++ UINT32_C(0x4CADD0BF), UINT32_C(0xCCBD142D), UINT32_C(0x9AC29470), ++ UINT32_C(0xA070965E), UINT32_C(0x25FF23ED), UINT32_C(0x6BDCA260) }, ++ { UINT32_C(0x87DCA7B3), UINT32_C(0xD4E00FD4), UINT32_C(0x9E0E8734), ++ UINT32_C(0xA5097833), UINT32_C(0x048173A4), UINT32_C(0xF73F162E), ++ UINT32_C(0x9C3C2FA2), UINT32_C(0xD23F9196), UINT32_C(0xE4AC397A), ++ UINT32_C(0x9AB98B45), UINT32_C(0x543F2D4B), UINT32_C(0x2BAA0300) } }, ++ { { UINT32_C(0xC658C445), UINT32_C(0xBBBE15E7), UINT32_C(0xC28941D1), ++ UINT32_C(0xB8CBCB20), UINT32_C(0x027D6540), UINT32_C(0x65549BE2), ++ UINT32_C(0x1E8EF4F4), UINT32_C(0xEBBCA802), UINT32_C(0xD2ACA397), ++ UINT32_C(0x18214B4B), UINT32_C(0xE31784A3), UINT32_C(0xCBEC7DE2) }, ++ { UINT32_C(0x0116FDF3), UINT32_C(0x96F0533F), UINT32_C(0x5C8F5EE1), ++ UINT32_C(0x68911C90), UINT32_C(0xD568603A), UINT32_C(0x7DE9A3AE), ++ UINT32_C(0x6A3AD7B7), UINT32_C(0x3F56C52C), UINT32_C(0x670B4D0E), ++ UINT32_C(0x5BE9AFCA), UINT32_C(0x375DFE2F), UINT32_C(0x628BFEEE) } }, ++ { { UINT32_C(0xDD4ADDB3), UINT32_C(0x97DAE81B), UINT32_C(0x8704761B), ++ UINT32_C(0x12D2CF4E), UINT32_C(0x3247788D), UINT32_C(0x5E820B40), ++ UINT32_C(0x0051CA80), UINT32_C(0x82234B62), UINT32_C(0x6CB5EA74), ++ UINT32_C(0x0C62704D), UINT32_C(0x23941593), UINT32_C(0xDE560420) }, ++ { UINT32_C(0xF1B04145), UINT32_C(0xB3912A3C), UINT32_C(0xAF93688D), ++ UINT32_C(0xE3967CD7), UINT32_C(0x58DABB4B), UINT32_C(0x2E2DCD2F), ++ UINT32_C(0x0E303911), UINT32_C(0x6564836F), UINT32_C(0xECE07C5C), ++ UINT32_C(0x1F10F19B), UINT32_C(0xD8919126), UINT32_C(0xB47F07EE) } }, ++ { { UINT32_C(0xE9A2EEC9), UINT32_C(0xE3545085), UINT32_C(0x2C8E51FE), ++ UINT32_C(0x81866A97), UINT32_C(0x50027243), UINT32_C(0xD2BA7DB5), ++ UINT32_C(0x4AE87DE4), UINT32_C(0x29DAEAB5), UINT32_C(0x684F9497), ++ UINT32_C(0x5EF3D4B8), UINT32_C(0x9D5D6873), UINT32_C(0xE2DACE3B) }, ++ { UINT32_C(0xFFD29C9C), UINT32_C(0xF012C951), UINT32_C(0xADBADA14), ++ UINT32_C(0x48289445), UINT32_C(0x89558C49), UINT32_C(0x8751F50D), ++ UINT32_C(0x99E35BEE), UINT32_C(0x75511A4F), UINT32_C(0x7D59AA5F), ++ UINT32_C(0xEF802D6E), UINT32_C(0xA2A795E2), UINT32_C(0x14FCAD65) } }, ++ { { UINT32_C(0x08CB8F2C), UINT32_C(0xC8EB00E8), UINT32_C(0x2B45BD86), ++ UINT32_C(0x68607532), UINT32_C(0x59969713), UINT32_C(0x7A29B459), ++ UINT32_C(0xD684201B), UINT32_C(0x5FA15B9B), UINT32_C(0xB9E538EE), ++ UINT32_C(0x1A853190), UINT32_C(0xD573D043), UINT32_C(0x4150605C) }, ++ { UINT32_C(0xEB9FBB68), UINT32_C(0xEF011D3B), UINT32_C(0x66AE32B6), ++ UINT32_C(0x67279982), UINT32_C(0x445DE5EC), UINT32_C(0x861B86EA), ++ UINT32_C(0xA34A50E1), UINT32_C(0x62837D18), UINT32_C(0xBF5F0663), ++ UINT32_C(0x228C006A), UINT32_C(0x396DB36A), UINT32_C(0xE007FDE7) } }, ++ { { UINT32_C(0x5A916A55), UINT32_C(0xDEE4F881), UINT32_C(0xF39C82CB), ++ UINT32_C(0x20DC0370), UINT32_C(0x40F09821), UINT32_C(0xD9A71615), ++ UINT32_C(0xF7273492), UINT32_C(0xD50AD8BF), UINT32_C(0x32E7C4BF), ++ UINT32_C(0xA06F7D12), UINT32_C(0x4C5CEA36), UINT32_C(0xFA0F6154) }, ++ { UINT32_C(0x5FC49CFE), UINT32_C(0xF4FD9BED), UINT32_C(0xC9291678), ++ UINT32_C(0xD8CB45D1), UINT32_C(0x7B92C9F2), UINT32_C(0x94DB86CC), ++ UINT32_C(0x73C81169), UINT32_C(0x09CA5F38), UINT32_C(0xAEED06F0), ++ UINT32_C(0x109F40B0), UINT32_C(0x14DCAA0A), UINT32_C(0x9F0360B2) } }, ++ { { UINT32_C(0xE12AD3E7), UINT32_C(0x4189B70D), UINT32_C(0x10B06607), ++ UINT32_C(0x5208ADB2), UINT32_C(0xEE8497FA), UINT32_C(0xEBD8E2A2), ++ UINT32_C(0xE04F2ECB), UINT32_C(0x61B1BD67), UINT32_C(0x4F3F5F99), ++ UINT32_C(0x0E2DDA72), UINT32_C(0xF747B16D), UINT32_C(0xD5D96740) }, ++ { UINT32_C(0xA6BF397F), UINT32_C(0x308A48F6), UINT32_C(0x23A93595), ++ UINT32_C(0x7021C3E5), UINT32_C(0x36470AA0), UINT32_C(0xF10B0229), ++ UINT32_C(0x4E03295B), UINT32_C(0x7761E8EC), UINT32_C(0x07339770), ++ UINT32_C(0x16EFEF58), UINT32_C(0x5DA5DAA2), UINT32_C(0x0D55D2DD) } }, ++ { { UINT32_C(0x8A22F87A), UINT32_C(0x915EA6A3), UINT32_C(0x2E5A088E), ++ UINT32_C(0x191151C1), UINT32_C(0x7F1D5CBE), UINT32_C(0x190252F1), ++ UINT32_C(0x3B0EC99B), UINT32_C(0xE43F59C3), UINT32_C(0xFF2A6135), ++ UINT32_C(0xBE8588D4), UINT32_C(0x2ECB4B9F), UINT32_C(0x103877CC) }, ++ { UINT32_C(0x023CF92B), UINT32_C(0x8F4147E5), UINT32_C(0x0CC2085B), ++ UINT32_C(0xC24384CC), UINT32_C(0xD082D311), UINT32_C(0x6A2DB4A2), ++ UINT32_C(0xED7BA9AE), UINT32_C(0x06283811), UINT32_C(0x2A8E1592), ++ UINT32_C(0xE9A3F532), UINT32_C(0x5A59E894), UINT32_C(0xAC20F0F4) } }, ++ { { UINT32_C(0x74AAB4B1), UINT32_C(0x788CAA52), UINT32_C(0x2FEAFC7E), ++ UINT32_C(0xEB84ABA1), UINT32_C(0xAC04FF77), UINT32_C(0x31DA71DA), ++ UINT32_C(0x24E4D0BF), UINT32_C(0x39D12EB9), UINT32_C(0x87A34EF8), ++ UINT32_C(0x4F2F292F), UINT32_C(0xA237A8ED), UINT32_C(0x9B324372) }, ++ { UINT32_C(0x2EE3A82D), UINT32_C(0xBB2D04B1), UINT32_C(0xD18D36B2), ++ UINT32_C(0xED4FF367), UINT32_C(0xA6EA0138), UINT32_C(0x99D231EE), ++ UINT32_C(0x4F92E04A), UINT32_C(0x7C2D4F06), UINT32_C(0xCA272FD0), ++ UINT32_C(0x78A82AB2), UINT32_C(0xAB8CDC32), UINT32_C(0x7EC41340) } }, ++ }, ++ { ++ { { UINT32_C(0xD2E15A8C), UINT32_C(0xD23658C8), UINT32_C(0x16BA28CA), ++ UINT32_C(0x23F93DF7), UINT32_C(0x082210F1), UINT32_C(0x6DAB10EC), ++ UINT32_C(0xBFC36490), UINT32_C(0xFB1ADD91), UINT32_C(0x9A4F2D14), ++ UINT32_C(0xEDA8B02F), UINT32_C(0x56560443), UINT32_C(0x9060318C) }, ++ { UINT32_C(0x64711AB2), UINT32_C(0x6C01479E), UINT32_C(0xE337EB85), ++ UINT32_C(0x41446FC7), UINT32_C(0x71888397), UINT32_C(0x4DCF3C1D), ++ UINT32_C(0x13C34FD2), UINT32_C(0x87A9C04E), UINT32_C(0x510C15AC), ++ UINT32_C(0xFE0E08EC), UINT32_C(0xC0F495D2), UINT32_C(0xFC0D0413) } }, ++ { { UINT32_C(0x156636C2), UINT32_C(0xEB05C516), UINT32_C(0x090E93FC), ++ UINT32_C(0x2F613ABA), UINT32_C(0x489576F5), UINT32_C(0xCFD573CD), ++ UINT32_C(0x535A8D57), UINT32_C(0xE6535380), UINT32_C(0x671436C4), ++ UINT32_C(0x13947314), UINT32_C(0x5F0A122D), UINT32_C(0x1172FB0C) }, ++ { UINT32_C(0xC12F58F6), UINT32_C(0xAECC7EC1), UINT32_C(0x8E41AFD2), ++ UINT32_C(0xFE42F957), UINT32_C(0x3D4221AA), UINT32_C(0xDF96F652), ++ UINT32_C(0x2851996B), UINT32_C(0xFEF5649F), UINT32_C(0xD5CFB67E), ++ UINT32_C(0x46FB9F26), UINT32_C(0xEF5C4052), UINT32_C(0xB047BFC7) } }, ++ { { UINT32_C(0xF4484374), UINT32_C(0x5CBDC442), UINT32_C(0xF92452EF), ++ UINT32_C(0x6B156957), UINT32_C(0xC118D02A), UINT32_C(0x58A26886), ++ UINT32_C(0x75AAF276), UINT32_C(0x87FF74E6), UINT32_C(0xF65F6EC1), ++ UINT32_C(0xB133BE95), UINT32_C(0x4B1B8D32), UINT32_C(0xA89B6284) }, ++ { UINT32_C(0x09C81004), UINT32_C(0xDD8A8EF3), UINT32_C(0x0CF21991), ++ UINT32_C(0x7F8225DB), UINT32_C(0x26623FAF), UINT32_C(0xD525A6DB), ++ UINT32_C(0xBAE15453), UINT32_C(0xF2368D40), UINT32_C(0x84F89FC9), ++ UINT32_C(0x55D6A84D), UINT32_C(0x86021A3E), UINT32_C(0xAF38358A) } }, ++ { { UINT32_C(0xFF52E280), UINT32_C(0xBD048BDC), UINT32_C(0x526A1795), ++ UINT32_C(0x8A51D0B2), UINT32_C(0xA985AC0F), UINT32_C(0x40AAA758), ++ UINT32_C(0xF2C7ACE9), UINT32_C(0x6039BCDC), UINT32_C(0x6AEC347D), ++ UINT32_C(0x712092CC), UINT32_C(0x6B5ACAB7), UINT32_C(0x7976D090) }, ++ { UINT32_C(0x6EED9617), UINT32_C(0x1EBCF80D), UINT32_C(0xB0F404A4), ++ UINT32_C(0xB3A63149), UINT32_C(0xD0B610EF), UINT32_C(0x3FDD3D1A), ++ UINT32_C(0x98C28AC7), UINT32_C(0xDD3F6F94), UINT32_C(0x3A59750F), ++ UINT32_C(0x650B7794), UINT32_C(0x2D3991AC), UINT32_C(0xEC59BAB1) } }, ++ { { UINT32_C(0x2E552766), UINT32_C(0x01F40E88), UINT32_C(0x66F5354F), ++ UINT32_C(0x1FE3D509), UINT32_C(0xB3A8EA7F), UINT32_C(0x0E46D006), ++ UINT32_C(0xF831CD6A), UINT32_C(0xF75AB629), UINT32_C(0x91465119), ++ UINT32_C(0xDAD808D7), UINT32_C(0x17EF9B10), UINT32_C(0x442405AF) }, ++ { UINT32_C(0x672BDFCB), UINT32_C(0xD5FE0A96), UINT32_C(0x355DBDEC), ++ UINT32_C(0xA9DFA422), UINT32_C(0x79B25636), UINT32_C(0xFDB79AA1), ++ UINT32_C(0xEECE8AEC), UINT32_C(0xE7F26FFD), UINT32_C(0x7EDD5AA2), ++ UINT32_C(0xB5925550), UINT32_C(0x8EB3A6C2), UINT32_C(0x2C8F6FF0) } }, ++ { { UINT32_C(0x757D6136), UINT32_C(0x88887756), UINT32_C(0x88B92E72), ++ UINT32_C(0xAD9AC183), UINT32_C(0x8785D3EB), UINT32_C(0x92CB2FC4), ++ UINT32_C(0x9319764B), UINT32_C(0xD1A542FE), UINT32_C(0x626A62F8), ++ UINT32_C(0xAF4CC78F), UINT32_C(0x26BFFAAE), UINT32_C(0x7F3F5FC9) }, ++ { UINT32_C(0x40AE2231), UINT32_C(0x0A203D43), UINT32_C(0x387898E8), ++ UINT32_C(0xA8BFD9E0), UINT32_C(0x474B7DDD), UINT32_C(0x1A0C379C), ++ UINT32_C(0x34FD49EA), UINT32_C(0x03855E0A), UINT32_C(0xB3EF4AE1), ++ UINT32_C(0x02B26223), UINT32_C(0xE399E0A3), UINT32_C(0x804BD8CF) } }, ++ { { UINT32_C(0xDE865713), UINT32_C(0x11A9F3D0), UINT32_C(0xBDE98821), ++ UINT32_C(0x81E36B6B), UINT32_C(0x6AA891D0), UINT32_C(0x324996C8), ++ UINT32_C(0x395682B5), UINT32_C(0x7B95BDC1), UINT32_C(0xC1600563), ++ UINT32_C(0x47BF2219), UINT32_C(0x643E38B4), UINT32_C(0x7A473F50) }, ++ { UINT32_C(0xF5738288), UINT32_C(0x0911F50A), UINT32_C(0x6F9C415B), ++ UINT32_C(0xDF947A70), UINT32_C(0x67A067F6), UINT32_C(0xBDB994F2), ++ UINT32_C(0x88BE96CD), UINT32_C(0x3F4BEC1B), UINT32_C(0xE56DD6D9), ++ UINT32_C(0x9820E931), UINT32_C(0x0A80F419), UINT32_C(0xB138F14F) } }, ++ { { UINT32_C(0x0429077A), UINT32_C(0xA11A1A8F), UINT32_C(0x10351C68), ++ UINT32_C(0x2BB1E33D), UINT32_C(0x89459A27), UINT32_C(0x3C25ABFE), ++ UINT32_C(0x6B8AC774), UINT32_C(0x2D0091B8), UINT32_C(0x3B2415D9), ++ UINT32_C(0xDAFC7853), UINT32_C(0x9201680D), UINT32_C(0xDE713CF1) }, ++ { UINT32_C(0x68889D57), UINT32_C(0x8E5F445D), UINT32_C(0x60EABF5B), ++ UINT32_C(0x608B209C), UINT32_C(0xF9CFA408), UINT32_C(0x10EC0ACC), ++ UINT32_C(0x4D1EE754), UINT32_C(0xD5256B9D), UINT32_C(0x0AA6C18D), ++ UINT32_C(0xFF866BAB), UINT32_C(0xACB90A45), UINT32_C(0x9D196DB8) } }, ++ { { UINT32_C(0xB9B081B2), UINT32_C(0xA46D76A9), UINT32_C(0x62163C25), ++ UINT32_C(0xFC743A10), UINT32_C(0x7761C392), UINT32_C(0xCD2A5C8D), ++ UINT32_C(0xBE808583), UINT32_C(0x39BDDE0B), UINT32_C(0xB98E4DFE), ++ UINT32_C(0x7C416021), UINT32_C(0x65913A44), UINT32_C(0xF930E563) }, ++ { UINT32_C(0x7585CF3C), UINT32_C(0xC3555F7E), UINT32_C(0x3D6333D5), ++ UINT32_C(0xC737E383), UINT32_C(0xB430B03D), UINT32_C(0x5B60DBA4), ++ UINT32_C(0xE7555404), UINT32_C(0x42B715EB), UINT32_C(0x7C7796E3), ++ UINT32_C(0x571BDF5B), UINT32_C(0x6DB6331F), UINT32_C(0x33DC62C6) } }, ++ { { UINT32_C(0xE61DEE59), UINT32_C(0x3FB9CCB0), UINT32_C(0x18B14DB9), ++ UINT32_C(0xC5185F23), UINT32_C(0x845EF36C), UINT32_C(0x1B2ADC4F), ++ UINT32_C(0x5C1A33AB), UINT32_C(0x195D5B50), UINT32_C(0x421F59D2), ++ UINT32_C(0x8CEA528E), UINT32_C(0xD2931CEA), UINT32_C(0x7DFCCECF) }, ++ { UINT32_C(0x8CF7E3F7), UINT32_C(0x51FFA1D5), UINT32_C(0xBDC9FB43), ++ UINT32_C(0xF01B7886), UINT32_C(0x261A0D35), UINT32_C(0xD65AB610), ++ UINT32_C(0x7574A554), UINT32_C(0x84BCBAFD), UINT32_C(0xFAD70208), ++ UINT32_C(0x4B119956), UINT32_C(0x4FAB5243), UINT32_C(0xDDC329C2) } }, ++ { { UINT32_C(0x9CE92177), UINT32_C(0x1A08AA57), UINT32_C(0xDC2B5C36), ++ UINT32_C(0x3395E557), UINT32_C(0x394ED04E), UINT32_C(0xFDFE7041), ++ UINT32_C(0xC6DFCDDE), UINT32_C(0xB797EB24), UINT32_C(0xCB9DE5D6), ++ UINT32_C(0x284A6B2A), UINT32_C(0x07222765), UINT32_C(0xE0BD95C8) }, ++ { UINT32_C(0x9FE678A7), UINT32_C(0x114A951B), UINT32_C(0x9E4954EC), ++ UINT32_C(0xE7ECD0BD), UINT32_C(0x79F0B8A9), UINT32_C(0x7D4096FE), ++ UINT32_C(0x09724FE2), UINT32_C(0xBDB26E9A), UINT32_C(0xF787AF95), ++ UINT32_C(0x08741AD8), UINT32_C(0x24045AD8), UINT32_C(0x2BF97272) } }, ++ { { UINT32_C(0xA9451D57), UINT32_C(0xAB1FEDD9), UINT32_C(0x483E38C9), ++ UINT32_C(0xDF4D91DF), UINT32_C(0x24E9CF8E), UINT32_C(0x2D54D311), ++ UINT32_C(0x7A22EEB6), UINT32_C(0x9C2A5AF8), UINT32_C(0x0A43F123), ++ UINT32_C(0xBD9861EF), UINT32_C(0x38A18B7B), UINT32_C(0x581EA6A2) }, ++ { UINT32_C(0x296470A3), UINT32_C(0xAF339C85), UINT32_C(0xAFD8203E), ++ UINT32_C(0xF9603FCD), UINT32_C(0x96763C28), UINT32_C(0x95D05350), ++ UINT32_C(0x860EC831), UINT32_C(0x15445C16), UINT32_C(0x6867A323), ++ UINT32_C(0x2AFB8728), UINT32_C(0x0C4838BF), UINT32_C(0x4B152D6D) } }, ++ { { UINT32_C(0x837CACBA), UINT32_C(0x45BA0E4F), UINT32_C(0xC0725275), ++ UINT32_C(0x7ADB38AE), UINT32_C(0x942D3C28), UINT32_C(0x19C82831), ++ UINT32_C(0x6D0FE7DD), UINT32_C(0x94F4731D), UINT32_C(0x4898F1E6), ++ UINT32_C(0xC3C07E13), UINT32_C(0xED410B51), UINT32_C(0x76350EAC) }, ++ { UINT32_C(0xF99AACFC), UINT32_C(0x0FA8BECA), UINT32_C(0x65FAF9CF), ++ UINT32_C(0x2834D86F), UINT32_C(0x6F3866AF), UINT32_C(0x8E62846A), ++ UINT32_C(0x3DFD6A2B), UINT32_C(0xDAA9BD4F), UINT32_C(0xA6132655), ++ UINT32_C(0xC27115BB), UINT32_C(0xBD5A32C2), UINT32_C(0x83972DF7) } }, ++ { { UINT32_C(0xD513B825), UINT32_C(0xA330CB5B), UINT32_C(0xEE37BEC3), ++ UINT32_C(0xAE18B2D3), UINT32_C(0xF780A902), UINT32_C(0xFC3AB80A), ++ UINT32_C(0xD607DDF1), UINT32_C(0xD7835BE2), UINT32_C(0x5B6E4C2B), ++ UINT32_C(0x8120F767), UINT32_C(0x67E78CCB), UINT32_C(0xAA8C3859) }, ++ { UINT32_C(0xAA0ED321), UINT32_C(0xA8DA8CE2), UINT32_C(0xD766341A), ++ UINT32_C(0xCB8846FD), UINT32_C(0x33DC9D9A), UINT32_C(0xF2A342EE), ++ UINT32_C(0xD0A18A80), UINT32_C(0xA519E0BE), UINT32_C(0xAF48DF4C), ++ UINT32_C(0x9CDAA39C), UINT32_C(0x7E0C19EE), UINT32_C(0xA4B500CA) } }, ++ { { UINT32_C(0x8217001B), UINT32_C(0x83A7FD2F), UINT32_C(0x4296A8BA), ++ UINT32_C(0x4F6FCF06), UINT32_C(0x91619927), UINT32_C(0x7D748643), ++ UINT32_C(0x941E4D41), UINT32_C(0x174C1075), UINT32_C(0xA64F5A6C), ++ UINT32_C(0x037EDEBD), UINT32_C(0x6E29DC56), UINT32_C(0xCF64DB3A) }, ++ { UINT32_C(0x37C0B9F4), UINT32_C(0x150B3ACE), UINT32_C(0x7168178B), ++ UINT32_C(0x1323234A), UINT32_C(0xEF4D1879), UINT32_C(0x1CE47014), ++ UINT32_C(0x17FB4D5C), UINT32_C(0xA22E3742), UINT32_C(0xD985F794), ++ UINT32_C(0x69B81822), UINT32_C(0x081D7214), UINT32_C(0x199C21C4) } }, ++ { { UINT32_C(0x8F04B4D2), UINT32_C(0x160BC7A1), UINT32_C(0xB10DE174), ++ UINT32_C(0x79CA81DD), UINT32_C(0x2DA1E9C7), UINT32_C(0xE2A280B0), ++ UINT32_C(0x1D6A0A29), UINT32_C(0xB4F6BD99), UINT32_C(0x1C5B8F27), ++ UINT32_C(0x57CF3EDD), UINT32_C(0x158C2FD4), UINT32_C(0x7E34FC57) }, ++ { UINT32_C(0xCAC93459), UINT32_C(0x828CFD89), UINT32_C(0xB7AF499F), ++ UINT32_C(0x9E631B6F), UINT32_C(0xDA26C135), UINT32_C(0xF4DC8BC0), ++ UINT32_C(0x37186735), UINT32_C(0x6128ED39), UINT32_C(0x67BF0BA5), ++ UINT32_C(0xBB45538B), UINT32_C(0x0064A3AB), UINT32_C(0x1ADDD4C1) } }, ++ }, ++ { ++ { { UINT32_C(0xDD14D47E), UINT32_C(0xC32730E8), UINT32_C(0xC0F01E0F), ++ UINT32_C(0xCDC1FD42), UINT32_C(0x3F5CD846), UINT32_C(0x2BACFDBF), ++ UINT32_C(0x7272D4DD), UINT32_C(0x45F36416), UINT32_C(0x5EB75776), ++ UINT32_C(0xDD813A79), UINT32_C(0x50997BE2), UINT32_C(0xB57885E4) }, ++ { UINT32_C(0xDB8C9829), UINT32_C(0xDA054E2B), UINT32_C(0xAAB5A594), ++ UINT32_C(0x4161D820), UINT32_C(0x026116A3), UINT32_C(0x4C428F31), ++ UINT32_C(0xDCD85E91), UINT32_C(0x372AF9A0), UINT32_C(0x673ADC2D), ++ UINT32_C(0xFDA6E903), UINT32_C(0xA8DB59E6), UINT32_C(0x4526B8AC) } }, ++ { { UINT32_C(0xE23A8472), UINT32_C(0x68FE359D), UINT32_C(0x4CE3C101), ++ UINT32_C(0x43EB12BD), UINT32_C(0xFC704935), UINT32_C(0x0EC652C3), ++ UINT32_C(0x52E4E22D), UINT32_C(0x1EEFF1F9), UINT32_C(0x083E3ADA), ++ UINT32_C(0xBA6777CB), UINT32_C(0x8BEFC871), UINT32_C(0xAB52D7DC) }, ++ { UINT32_C(0x497CBD59), UINT32_C(0x4EDE689F), UINT32_C(0x27577DD9), ++ UINT32_C(0xC8AE42B9), UINT32_C(0x7AB83C27), UINT32_C(0xE0F08051), ++ UINT32_C(0x2C8C1F48), UINT32_C(0x1F3D5F25), UINT32_C(0xAF241AAC), ++ UINT32_C(0x57991607), UINT32_C(0xB8A337E0), UINT32_C(0xC4458B0A) } }, ++ { { UINT32_C(0x51DD1BA9), UINT32_C(0x3DBB3FA6), UINT32_C(0x545E960B), ++ UINT32_C(0xE53C1C4D), UINT32_C(0x793CE803), UINT32_C(0x35AC6574), ++ UINT32_C(0x83DBCE4F), UINT32_C(0xB2697DC7), UINT32_C(0xE13CF6B0), ++ UINT32_C(0xE35C5BF2), UINT32_C(0xB0C4A164), UINT32_C(0x35034280) }, ++ { UINT32_C(0xD9C0D3C1), UINT32_C(0xAA490908), UINT32_C(0xCB4D2E90), ++ UINT32_C(0x2CCE614D), UINT32_C(0x54D504E4), UINT32_C(0xF646E96C), ++ UINT32_C(0xB73310A3), UINT32_C(0xD74E7541), UINT32_C(0x18BDE5DA), ++ UINT32_C(0xEAD71596), UINT32_C(0xAA09AEF7), UINT32_C(0x96E7F4A8) } }, ++ { { UINT32_C(0x5D6E5F48), UINT32_C(0xA8393A24), UINT32_C(0xF9175CE8), ++ UINT32_C(0x2C8D7EA2), UINT32_C(0x55A20268), UINT32_C(0xD8824E02), ++ UINT32_C(0xA446BCC6), UINT32_C(0x9DD9A272), UINT32_C(0x5351499B), ++ UINT32_C(0xC929CDED), UINT32_C(0xCFE76535), UINT32_C(0xEA5AD9EC) }, ++ { UINT32_C(0xDC32D001), UINT32_C(0x26F3D7D9), UINT32_C(0x43EB9689), ++ UINT32_C(0x51C3BE83), UINT32_C(0x759E6DDB), UINT32_C(0x91FDCC06), ++ UINT32_C(0xE302B891), UINT32_C(0xAC2E1904), UINT32_C(0xC207E1F7), ++ UINT32_C(0xAD25C645), UINT32_C(0xAB3DEB4A), UINT32_C(0x28A70F0D) } }, ++ { { UINT32_C(0x03BEA8F1), UINT32_C(0x922D7F97), UINT32_C(0x584570BE), ++ UINT32_C(0x3AD820D4), UINT32_C(0x3CD46B43), UINT32_C(0x0CE0A850), ++ UINT32_C(0xAE66743D), UINT32_C(0x4C07911F), UINT32_C(0xFDA60023), ++ UINT32_C(0x66519EB9), UINT32_C(0xEC2ACD9C), UINT32_C(0x7F83004B) }, ++ { UINT32_C(0xC3117EAD), UINT32_C(0x001E0B80), UINT32_C(0x0722BA25), ++ UINT32_C(0xBB72D541), UINT32_C(0x6E9A5078), UINT32_C(0x3AF7DB96), ++ UINT32_C(0x701B6B4C), UINT32_C(0x86C5774E), UINT32_C(0x37824DB5), ++ UINT32_C(0xBD2C0E8E), UINT32_C(0xBFAC286D), UINT32_C(0x3AE3028C) } }, ++ { { UINT32_C(0xA33E071B), UINT32_C(0x83D4D4A8), UINT32_C(0x61444BB5), ++ UINT32_C(0x881C0A92), UINT32_C(0x520E3BC3), UINT32_C(0xEEA1E292), ++ UINT32_C(0x2AAAB729), UINT32_C(0x5A5F4C3C), UINT32_C(0xE63C7C94), ++ UINT32_C(0x0B766C5E), UINT32_C(0xBB2CC79C), UINT32_C(0x62BB8A9F) }, ++ { UINT32_C(0xAA5DC49D), UINT32_C(0x97ADC7D2), UINT32_C(0x31718681), ++ UINT32_C(0x30CC26B3), UINT32_C(0x56E86EDE), UINT32_C(0xAC86E6FF), ++ UINT32_C(0xCD52F7F2), UINT32_C(0x37BCA7A2), UINT32_C(0x9CE6D87F), ++ UINT32_C(0x734D2C94), UINT32_C(0xC2F7E0CA), UINT32_C(0x06A71D71) } }, ++ { { UINT32_C(0xC6357D33), UINT32_C(0x559DCF75), UINT32_C(0x652517DE), ++ UINT32_C(0x4616D940), UINT32_C(0x1CCF207B), UINT32_C(0x3D576B98), ++ UINT32_C(0x1979F631), UINT32_C(0x51E2D1EF), UINT32_C(0x06AE8296), ++ UINT32_C(0x57517DDD), UINT32_C(0xD6E7151F), UINT32_C(0x309A3D7F) }, ++ { UINT32_C(0x0E3A6FE5), UINT32_C(0xBA2A23E6), UINT32_C(0xD28B22C3), ++ UINT32_C(0x76CF674A), UINT32_C(0xF8B808C3), UINT32_C(0xD235AD07), ++ UINT32_C(0x6B71213A), UINT32_C(0x7BBF4C58), UINT32_C(0x93271EBB), ++ UINT32_C(0x0676792E), UINT32_C(0x05B1FC31), UINT32_C(0x2CFD2C76) } }, ++ { { UINT32_C(0x37A450F5), UINT32_C(0x4258E5C0), UINT32_C(0x52D2B118), ++ UINT32_C(0xC3245F1B), UINT32_C(0x82BC5963), UINT32_C(0x6DF7B484), ++ UINT32_C(0x9C273D1E), UINT32_C(0xE520DA4D), UINT32_C(0x2C3010E5), ++ UINT32_C(0xED78E012), UINT32_C(0x3C1D4C05), UINT32_C(0x11222948) }, ++ { UINT32_C(0xC692B490), UINT32_C(0xE3DAE5AF), UINT32_C(0xC197F793), ++ UINT32_C(0x3272BD10), UINT32_C(0xE709ACAA), UINT32_C(0xF7EAE411), ++ UINT32_C(0x778270A6), UINT32_C(0x00B0C95F), UINT32_C(0x220D4350), ++ UINT32_C(0x4DA76EE1), UINT32_C(0xAB71E308), UINT32_C(0x521E1461) } }, ++ { { UINT32_C(0x343196A3), UINT32_C(0x7B654323), UINT32_C(0xB0C95250), ++ UINT32_C(0x35D442AD), UINT32_C(0xE264FF17), UINT32_C(0x38AF50E6), ++ UINT32_C(0x2030D2EA), UINT32_C(0x28397A41), UINT32_C(0xF74EEDA1), ++ UINT32_C(0x8F1D84E9), UINT32_C(0xE6FB3C52), UINT32_C(0xD521F92D) }, ++ { UINT32_C(0x95733811), UINT32_C(0xAF358D77), UINT32_C(0x93ABFE94), ++ UINT32_C(0xEBFDDD01), UINT32_C(0xD18D99DE), UINT32_C(0x05D8A028), ++ UINT32_C(0xB5D5BDD9), UINT32_C(0x5A664019), UINT32_C(0x2AA12FE8), ++ UINT32_C(0x3DF17282), UINT32_C(0xB889A28E), UINT32_C(0xB42E006F) } }, ++ { { UINT32_C(0xBC35CB1A), UINT32_C(0xCF10E97D), UINT32_C(0x994DEDC5), ++ UINT32_C(0xC70A7BBD), UINT32_C(0x37D04FB9), UINT32_C(0x76A5327C), ++ UINT32_C(0xA76E0CDA), UINT32_C(0x87539F76), UINT32_C(0xCD60A6B1), ++ UINT32_C(0xE9FE493F), UINT32_C(0x132F01C0), UINT32_C(0xA4574796) }, ++ { UINT32_C(0xDB70B167), UINT32_C(0xC43B85EB), UINT32_C(0x98551DFA), ++ UINT32_C(0x81D5039A), UINT32_C(0x1D979FA4), UINT32_C(0x6B56FBE9), ++ UINT32_C(0x8615098F), UINT32_C(0x49714FD7), UINT32_C(0x94DECAB5), ++ UINT32_C(0xB10E1CEA), UINT32_C(0x480EF6E3), UINT32_C(0x8342EBA3) } }, ++ { { UINT32_C(0xB3677288), UINT32_C(0xE1E030B0), UINT32_C(0x8D5CE3AF), ++ UINT32_C(0x2978174C), UINT32_C(0xF7B2DE98), UINT32_C(0xAFC0271C), ++ UINT32_C(0xB99C20B5), UINT32_C(0x745BC6F3), UINT32_C(0x1E3BB4E5), ++ UINT32_C(0x9F6EDCED), UINT32_C(0x73C8C1FC), UINT32_C(0x58D3EE4E) }, ++ { UINT32_C(0x7FD30124), UINT32_C(0x1F3535F4), UINT32_C(0x5FA62502), ++ UINT32_C(0xF366AC70), UINT32_C(0x965363FE), UINT32_C(0x4C4C1FDD), ++ UINT32_C(0x1DE2CA2B), UINT32_C(0x8B2C7777), UINT32_C(0x882F1173), ++ UINT32_C(0x0CB54743), UINT32_C(0x71343331), UINT32_C(0x94B6B8C0) } }, ++ { { UINT32_C(0x65B8B35B), UINT32_C(0x75AF0141), UINT32_C(0x4670A1F5), ++ UINT32_C(0x6D7B8485), UINT32_C(0xA3B6D376), UINT32_C(0x6EAA3A47), ++ UINT32_C(0xCB3E5B66), UINT32_C(0xD7E673D2), UINT32_C(0x9589AB38), ++ UINT32_C(0xC0338E6C), UINT32_C(0x09440FAA), UINT32_C(0x4BE26CB3) }, ++ { UINT32_C(0x394F9AA3), UINT32_C(0x82CB05E7), UINT32_C(0x7F7792EA), ++ UINT32_C(0xC45C8A8A), UINT32_C(0xB687DC70), UINT32_C(0x37E5E33B), ++ UINT32_C(0xDFE48E49), UINT32_C(0x63853219), UINT32_C(0x6D0E5C8C), ++ UINT32_C(0x087951C1), UINT32_C(0x2BC27310), UINT32_C(0x7696A8C7) } }, ++ { { UINT32_C(0xB67E834A), UINT32_C(0xA05736D5), UINT32_C(0x9098D42A), ++ UINT32_C(0xDD2AA0F2), UINT32_C(0x49C69DDC), UINT32_C(0x09F0C1D8), ++ UINT32_C(0x8FF0F0F3), UINT32_C(0x81F8BC1C), UINT32_C(0x03037775), ++ UINT32_C(0x36FD3A4F), UINT32_C(0x4B06DF5C), UINT32_C(0x8286717D) }, ++ { UINT32_C(0xA9079EA2), UINT32_C(0xB878F496), UINT32_C(0xD7DC796D), ++ UINT32_C(0xA5642426), UINT32_C(0x67FDAC2B), UINT32_C(0x29B9351A), ++ UINT32_C(0x1D543CDE), UINT32_C(0x93774C0E), UINT32_C(0x1A8E31C4), ++ UINT32_C(0x4F8793BA), UINT32_C(0x6C94798A), UINT32_C(0x7C9F3F3A) } }, ++ { { UINT32_C(0xCB8ECDB8), UINT32_C(0x23C5AD11), UINT32_C(0x485A6A02), ++ UINT32_C(0x1E88D25E), UINT32_C(0xF1E268AE), UINT32_C(0xB27CBE84), ++ UINT32_C(0xF4CD0475), UINT32_C(0xDDA80238), UINT32_C(0x49F8EB1B), ++ UINT32_C(0x4F88857B), UINT32_C(0x52FB07F9), UINT32_C(0x91B1221F) }, ++ { UINT32_C(0x8637FA67), UINT32_C(0x7CE97460), UINT32_C(0x632198D8), ++ UINT32_C(0x528B3CF4), UINT32_C(0xF6623769), UINT32_C(0x33365AB3), ++ UINT32_C(0x3A83A30F), UINT32_C(0x6FEBCFFF), UINT32_C(0x9BD341EB), ++ UINT32_C(0x398F4C99), UINT32_C(0xB33A333C), UINT32_C(0x180712BB) } }, ++ { { UINT32_C(0xD93429E7), UINT32_C(0x2B8655A2), UINT32_C(0x75C8B9EE), ++ UINT32_C(0x99D600BB), UINT32_C(0x88FCA6CD), UINT32_C(0x9FC1AF8B), ++ UINT32_C(0x7C311F80), UINT32_C(0x2FB53386), UINT32_C(0xE8A71EEE), ++ UINT32_C(0x20743ECB), UINT32_C(0xE848B49E), UINT32_C(0xEC3713C4) }, ++ { UINT32_C(0xBB886817), UINT32_C(0x5B2037B5), UINT32_C(0x307DBAF4), ++ UINT32_C(0x40EF5AC2), UINT32_C(0x1B3F643D), UINT32_C(0xC2888AF2), ++ UINT32_C(0x9D5A4190), UINT32_C(0x0D8252E1), UINT32_C(0x2DB52A8A), ++ UINT32_C(0x06CC0BEC), UINT32_C(0xAB94E969), UINT32_C(0xB84B98EA) } }, ++ { { UINT32_C(0xA0321E0E), UINT32_C(0x2E7AC078), UINT32_C(0xEF3DAAB6), ++ UINT32_C(0x5C5A1168), UINT32_C(0xADDD454A), UINT32_C(0xD2D573CB), ++ UINT32_C(0x36259CC7), UINT32_C(0x27E149E2), UINT32_C(0xA63F47F1), ++ UINT32_C(0x1EDFD469), UINT32_C(0xF1BD2CFD), UINT32_C(0x039AD674) }, ++ { UINT32_C(0x3077D3CC), UINT32_C(0xBFA633FC), UINT32_C(0x2FD64E9F), ++ UINT32_C(0x14A7C82F), UINT32_C(0x9D824999), UINT32_C(0xAAA65014), ++ UINT32_C(0x21760F2E), UINT32_C(0x41AB113B), UINT32_C(0x1CAE260A), ++ UINT32_C(0x23E646C5), UINT32_C(0x68DC5159), UINT32_C(0x08062C8F) } }, ++ }, ++ { ++ { { UINT32_C(0x204BE028), UINT32_C(0x2E7D0A16), UINT32_C(0xD0E41851), ++ UINT32_C(0x4F1D082E), UINT32_C(0x3EB317F9), UINT32_C(0x15F1DDC6), ++ UINT32_C(0x5ADF71D7), UINT32_C(0xF0275071), UINT32_C(0xEE858BC3), ++ UINT32_C(0x2CE33C2E), UINT32_C(0xDA73B71A), UINT32_C(0xA24C76D1) }, ++ { UINT32_C(0x6C70C483), UINT32_C(0x9EF6A70A), UINT32_C(0x05CF9612), ++ UINT32_C(0xEFCF1705), UINT32_C(0x7502DE64), UINT32_C(0x9F5BF5A6), ++ UINT32_C(0xA4701973), UINT32_C(0xD11122A1), UINT32_C(0xA2EA7B24), ++ UINT32_C(0x82CFAAC2), UINT32_C(0x0A4582E1), UINT32_C(0x6CAD67CC) } }, ++ { { UINT32_C(0xB4DC8600), UINT32_C(0x597A26FF), UINT32_C(0xF9288555), ++ UINT32_C(0x264A09F3), UINT32_C(0x5C27F5F6), UINT32_C(0x0B06AFF6), ++ UINT32_C(0xD8D544E6), UINT32_C(0xCE5AB665), UINT32_C(0x99275C32), ++ UINT32_C(0x92F031BE), UINT32_C(0xF42E0E7C), UINT32_C(0xAF51C5BB) }, ++ { UINT32_C(0x1E37B36D), UINT32_C(0x5BB28B06), UINT32_C(0x8473543A), ++ UINT32_C(0x583FBA6A), UINT32_C(0xF93FB7DC), UINT32_C(0xE73FD299), ++ UINT32_C(0x6E2CCAD9), UINT32_C(0xFCD999A8), UINT32_C(0x334D4F57), ++ UINT32_C(0xB8C8A6DF), UINT32_C(0x9A2ACC9B), UINT32_C(0x5ADB28DD) } }, ++ { { UINT32_C(0x111792B9), UINT32_C(0x5ADF3D9A), UINT32_C(0x4F1E0D09), ++ UINT32_C(0x1C77A305), UINT32_C(0xA82D3736), UINT32_C(0xF9FBCE33), ++ UINT32_C(0x718C8AA3), UINT32_C(0xF307823E), UINT32_C(0x416CCF69), ++ UINT32_C(0x860578CF), UINT32_C(0x1EF8465B), UINT32_C(0xB942ADD8) }, ++ { UINT32_C(0xCD9472E1), UINT32_C(0x9EE0CF97), UINT32_C(0xB01528A8), ++ UINT32_C(0xE6792EEF), UINT32_C(0xC09DA90B), UINT32_C(0xF99B9A8D), ++ UINT32_C(0xCBF3CCB8), UINT32_C(0x1F521C2D), UINT32_C(0x91A62632), ++ UINT32_C(0x6BF66948), UINT32_C(0x854FE9DA), UINT32_C(0xCC7A9CEB) } }, ++ { { UINT32_C(0x491CCB92), UINT32_C(0x46303171), UINT32_C(0x2771235B), ++ UINT32_C(0xA80A8C0D), UINT32_C(0xF172C7CF), UINT32_C(0xD8E497FF), ++ UINT32_C(0x35B193CF), UINT32_C(0x7F7009D7), UINT32_C(0xF19DF4BC), ++ UINT32_C(0x6B9FD3F7), UINT32_C(0xB46F1E37), UINT32_C(0xADA548C3) }, ++ { UINT32_C(0xC7A20270), UINT32_C(0x87C6EAA9), UINT32_C(0xAE78EF99), ++ UINT32_C(0xEF2245D6), UINT32_C(0x539EAB95), UINT32_C(0x2A121042), ++ UINT32_C(0x79B8F5CC), UINT32_C(0x29A6D5D7), UINT32_C(0xB77840DC), ++ UINT32_C(0x33803A10), UINT32_C(0x11A6A30F), UINT32_C(0xFEDD3A70) } }, ++ { { UINT32_C(0x142403D1), UINT32_C(0xFA070E22), UINT32_C(0x15C6F7F5), ++ UINT32_C(0x68FF3160), UINT32_C(0x223A0CE8), UINT32_C(0xE09F04E6), ++ UINT32_C(0x53E14183), UINT32_C(0x22BBD018), UINT32_C(0xCF45B75B), ++ UINT32_C(0x35D9FAFC), UINT32_C(0x7ECEEC88), UINT32_C(0x3A34819D) }, ++ { UINT32_C(0xD33262D2), UINT32_C(0xD9CF7568), UINT32_C(0x841D1505), ++ UINT32_C(0x431036D5), UINT32_C(0x9EB2A79A), UINT32_C(0x0C800565), ++ UINT32_C(0x5F7EDC6A), UINT32_C(0x8E77D9F0), UINT32_C(0x65E800AA), ++ UINT32_C(0x19E12D05), UINT32_C(0xB7784E7C), UINT32_C(0x335C8D36) } }, ++ { { UINT32_C(0x6484FD40), UINT32_C(0x8B2FC4E9), UINT32_C(0xA35D24EA), ++ UINT32_C(0xEE702764), UINT32_C(0xB871C3F3), UINT32_C(0x15B28AC7), ++ UINT32_C(0xE097047F), UINT32_C(0x805B4048), UINT32_C(0x647CAD2F), ++ UINT32_C(0xD6F1B8DF), UINT32_C(0xDC7DD67F), UINT32_C(0xF1D5B458) }, ++ { UINT32_C(0x25148803), UINT32_C(0x324C529C), UINT32_C(0x21274FAF), ++ UINT32_C(0xF6185EBE), UINT32_C(0x95148B55), UINT32_C(0xAF14751E), ++ UINT32_C(0x28F284F4), UINT32_C(0x283ED89D), UINT32_C(0x4CBEBF1A), ++ UINT32_C(0x93AD20E7), UINT32_C(0x882935E1), UINT32_C(0x5F6EC65D) } }, ++ { { UINT32_C(0xA4DCEFE9), UINT32_C(0xE222EBA4), UINT32_C(0xEC1CEB74), ++ UINT32_C(0x63AD235F), UINT32_C(0xE05B18E7), UINT32_C(0x2E0BF749), ++ UINT32_C(0xB48BDD87), UINT32_C(0x547BD050), UINT32_C(0xF5AA2FC4), ++ UINT32_C(0x0490C970), UINT32_C(0x2B431390), UINT32_C(0xCED5E4CF) }, ++ { UINT32_C(0x51D2898E), UINT32_C(0x07D82704), UINT32_C(0x083B57D4), ++ UINT32_C(0x44B72442), UINT32_C(0x5037FCE8), UINT32_C(0xA4ADA230), ++ UINT32_C(0x50510DA6), UINT32_C(0x55F7905E), UINT32_C(0x8D890A98), ++ UINT32_C(0xD8EE724F), UINT32_C(0x11B85640), UINT32_C(0x925A8E7C) } }, ++ { { UINT32_C(0x1CA459ED), UINT32_C(0x5BFA10CD), UINT32_C(0x6DCF56BF), ++ UINT32_C(0x593F085A), UINT32_C(0xC0579C3E), UINT32_C(0xE6F0AD9B), ++ UINT32_C(0x2527C1AD), UINT32_C(0xC11C95A2), UINT32_C(0xCF1CB8B3), ++ UINT32_C(0x7CFA71E1), UINT32_C(0x1D6DC79D), UINT32_C(0xEDCFF833) }, ++ { UINT32_C(0x432521C9), UINT32_C(0x581C4BBE), UINT32_C(0x144E11A0), ++ UINT32_C(0xBF620096), UINT32_C(0xBE3A107B), UINT32_C(0x54C38B71), ++ UINT32_C(0xE2606EC0), UINT32_C(0xED555E37), UINT32_C(0xD721D034), ++ UINT32_C(0x3FB148B8), UINT32_C(0x0091BC90), UINT32_C(0x79D53DAD) } }, ++ { { UINT32_C(0xB7082C80), UINT32_C(0xE32068C5), UINT32_C(0x7A144E22), ++ UINT32_C(0x4140FFD2), UINT32_C(0x9EDD9E86), UINT32_C(0x5811D2F0), ++ UINT32_C(0xC572C465), UINT32_C(0xCDD79B5F), UINT32_C(0xC97BF450), ++ UINT32_C(0x3563FED1), UINT32_C(0xF2CE5C9C), UINT32_C(0x985C1444) }, ++ { UINT32_C(0x99950F1C), UINT32_C(0x260AE797), UINT32_C(0x765E9DED), ++ UINT32_C(0x659F4F40), UINT32_C(0x2E3BC286), UINT32_C(0x2A412D66), ++ UINT32_C(0xF87E0C82), UINT32_C(0xE865E62C), UINT32_C(0x6C05E7D7), ++ UINT32_C(0xD63D3A9A), UINT32_C(0x8686F89A), UINT32_C(0x96725D67) } }, ++ { { UINT32_C(0xAB7EA0F5), UINT32_C(0xC99A5E4C), UINT32_C(0xC5393FA9), ++ UINT32_C(0xC9860A1A), UINT32_C(0x8FDEEFC0), UINT32_C(0x9ED83CEE), ++ UINT32_C(0x5ED6869A), UINT32_C(0xE3EA8B4C), UINT32_C(0xD2EED3A9), ++ UINT32_C(0x89A85463), UINT32_C(0xE421A622), UINT32_C(0x2CD91B6D) }, ++ { UINT32_C(0x2C91C41D), UINT32_C(0x6FEC1EF3), UINT32_C(0x8171037D), ++ UINT32_C(0xB1540D1F), UINT32_C(0x1C010E5B), UINT32_C(0x4FE4991A), ++ UINT32_C(0xFC1C7368), UINT32_C(0x28A3469F), UINT32_C(0xAF118781), ++ UINT32_C(0xE1EEECD1), UINT32_C(0x99EF3531), UINT32_C(0x1BCCB977) } }, ++ { { UINT32_C(0xC4DAB7B8), UINT32_C(0x63D3B638), UINT32_C(0x3F7F5BAB), ++ UINT32_C(0xD92133B6), UINT32_C(0x09FB6069), UINT32_C(0x2573EE20), ++ UINT32_C(0x890A1686), UINT32_C(0x771FABDF), UINT32_C(0xA77AFFF5), ++ UINT32_C(0x1D0BA21F), UINT32_C(0xBA3DD2C0), UINT32_C(0x83145FCC) }, ++ { UINT32_C(0x2D115C20), UINT32_C(0xFA073A81), UINT32_C(0x19176F27), ++ UINT32_C(0x6AB7A9D3), UINT32_C(0x9AC639EE), UINT32_C(0xAF62CF93), ++ UINT32_C(0x2CCD1319), UINT32_C(0xF73848B9), UINT32_C(0x3C71659D), ++ UINT32_C(0x3B613234), UINT32_C(0x10AB3826), UINT32_C(0xF8E0011C) } }, ++ { { UINT32_C(0x0282FFA5), UINT32_C(0x0501F036), UINT32_C(0xD9E0F15A), ++ UINT32_C(0xC39A5CF4), UINT32_C(0x9A3D1F3C), UINT32_C(0x48D8C729), ++ UINT32_C(0x64E18EDA), UINT32_C(0xB5FC136B), UINT32_C(0x7E58FEF0), ++ UINT32_C(0xE81B53D9), UINT32_C(0xF7B0F28D), UINT32_C(0x0D534055) }, ++ { UINT32_C(0x7A80619B), UINT32_C(0x47B8DE12), UINT32_C(0x81F9E55D), ++ UINT32_C(0x60E2A2B3), UINT32_C(0xCF564CC5), UINT32_C(0x6E9624D7), ++ UINT32_C(0x6BDEDFFF), UINT32_C(0xFDF18A21), UINT32_C(0xC0D5FC82), ++ UINT32_C(0x3787DE38), UINT32_C(0x497A6B11), UINT32_C(0xCBCAA347) } }, ++ { { UINT32_C(0xB226465A), UINT32_C(0x6E7EF35E), UINT32_C(0x5F8A2BAF), ++ UINT32_C(0x4B469919), UINT32_C(0x1120D93F), UINT32_C(0x44B3A3CF), ++ UINT32_C(0x68F34AD1), UINT32_C(0xB052C8B6), UINT32_C(0xEF7632DD), ++ UINT32_C(0x27EC574B), UINT32_C(0x685DE26F), UINT32_C(0xAEBEA108) }, ++ { UINT32_C(0xE39424B6), UINT32_C(0xDA33236B), UINT32_C(0xEBCC22AD), ++ UINT32_C(0xB1BD94A9), UINT32_C(0x2CDFB5D5), UINT32_C(0x6DDEE6CC), ++ UINT32_C(0x6F14069A), UINT32_C(0xBDAED927), UINT32_C(0x2A247CB7), ++ UINT32_C(0x2ADE427C), UINT32_C(0xED156A40), UINT32_C(0xCE96B436) } }, ++ { { UINT32_C(0x81F3F819), UINT32_C(0xDDDCA360), UINT32_C(0xD419B96A), ++ UINT32_C(0x4AF4A49F), UINT32_C(0x7CB966B9), UINT32_C(0x746C6525), ++ UINT32_C(0x6F610023), UINT32_C(0x01E39088), UINT32_C(0x98DD33FC), ++ UINT32_C(0x05ECB38D), UINT32_C(0x8F84EDF4), UINT32_C(0x962B971B) }, ++ { UINT32_C(0x6A6F2602), UINT32_C(0xEB32C0A5), UINT32_C(0x562D60F2), ++ UINT32_C(0xF026AF71), UINT32_C(0x84615FAB), UINT32_C(0xA9E246BF), ++ UINT32_C(0x75DBAE01), UINT32_C(0xAD967092), UINT32_C(0x3ECE5D07), ++ UINT32_C(0xBF97C79B), UINT32_C(0x74EAA3D3), UINT32_C(0xE06266C7) } }, ++ { { UINT32_C(0x2E6DBB6E), UINT32_C(0x161A0157), UINT32_C(0x60FA8F47), ++ UINT32_C(0xB8AF4904), UINT32_C(0x00197F22), UINT32_C(0xE4336C44), ++ UINT32_C(0x9CEDCE0E), UINT32_C(0xF811AFFA), UINT32_C(0xF94C2EF1), ++ UINT32_C(0xB1DD7685), UINT32_C(0xCA957BB0), UINT32_C(0xEEDC0F4B) }, ++ { UINT32_C(0x4AA76BB1), UINT32_C(0xD319FD57), UINT32_C(0x16CD7CCB), ++ UINT32_C(0xB3525D7C), UINT32_C(0xA97DD072), UINT32_C(0x7B22DA9C), ++ UINT32_C(0x38A83E71), UINT32_C(0x99DB84BD), UINT32_C(0xC0EDD8BE), ++ UINT32_C(0x4939BC8D), UINT32_C(0x903A932C), UINT32_C(0x06D524EA) } }, ++ { { UINT32_C(0x0E31F639), UINT32_C(0x4BC950EC), UINT32_C(0x6016BE30), ++ UINT32_C(0xB7ABD3DC), UINT32_C(0x6703DAD0), UINT32_C(0x3B0F4473), ++ UINT32_C(0x0AC1C4EA), UINT32_C(0xCC405F8B), UINT32_C(0x176C3FEE), ++ UINT32_C(0x9BED5E57), UINT32_C(0x36AE36C2), UINT32_C(0xF4524810) }, ++ { UINT32_C(0x15D7B503), UINT32_C(0xC1EDBB83), UINT32_C(0xE30F3657), ++ UINT32_C(0x943B1156), UINT32_C(0x98377805), UINT32_C(0x984E9EEF), ++ UINT32_C(0x36CF1DEB), UINT32_C(0x291AE7AC), UINT32_C(0xA9F66DF3), ++ UINT32_C(0xFED8748C), UINT32_C(0xFEA8FA5D), UINT32_C(0xECA758BB) } }, ++ }, ++ { ++ { { UINT32_C(0x2DD1B249), UINT32_C(0xACC787EF), UINT32_C(0xD82976F1), ++ UINT32_C(0x736E1030), UINT32_C(0xA01B3649), UINT32_C(0x0A6940FA), ++ UINT32_C(0xC42341E7), UINT32_C(0xE00B926B), UINT32_C(0xDE8FFD6C), ++ UINT32_C(0x911508D0), UINT32_C(0x5276B0CB), UINT32_C(0x4DCF8D46) }, ++ { UINT32_C(0xCC3CAD8D), UINT32_C(0x23AD0A90), UINT32_C(0xADED962A), ++ UINT32_C(0x2A92E54C), UINT32_C(0xF231BFAF), UINT32_C(0x93FBEC4D), ++ UINT32_C(0x4798987A), UINT32_C(0x9544BC77), UINT32_C(0x08E29F60), ++ UINT32_C(0x48084E25), UINT32_C(0x32DE5869), UINT32_C(0x0C0D2F43) } }, ++ { { UINT32_C(0x3A9ABC13), UINT32_C(0x6778F970), UINT32_C(0x3D2B166B), ++ UINT32_C(0xFD014FAC), UINT32_C(0x3C6FED60), UINT32_C(0x1FE4FC78), ++ UINT32_C(0xAA7C69C5), UINT32_C(0x04295FA8), UINT32_C(0x7C123175), ++ UINT32_C(0xA01DE56D), UINT32_C(0x3D9A713A), UINT32_C(0x0FA0D3A8) }, ++ { UINT32_C(0xE3E08ADD), UINT32_C(0xA7A6E5E3), UINT32_C(0x1AC58F85), ++ UINT32_C(0xBD77E94B), UINT32_C(0xB7321A9C), UINT32_C(0x078F6FD2), ++ UINT32_C(0x911EF6D9), UINT32_C(0x9564601E), UINT32_C(0x415C6BEF), ++ UINT32_C(0x31C5C1B2), UINT32_C(0xD3212C62), UINT32_C(0xE6C0C91E) } }, ++ { { UINT32_C(0x0D16022F), UINT32_C(0xBA7BD23C), UINT32_C(0x198BE288), ++ UINT32_C(0xE9CF4750), UINT32_C(0x47DEEC65), UINT32_C(0x304E3169), ++ UINT32_C(0x96EEB288), UINT32_C(0xCF65B41F), UINT32_C(0x927E9E3B), ++ UINT32_C(0x17E99C17), UINT32_C(0xF6630A80), UINT32_C(0x82225546) }, ++ { UINT32_C(0xCA067BD9), UINT32_C(0x15122B8A), UINT32_C(0xB77B4E98), ++ UINT32_C(0xE2673205), UINT32_C(0x9407CA63), UINT32_C(0x13037565), ++ UINT32_C(0x8B621602), UINT32_C(0x53624F54), UINT32_C(0xEAE4BD06), ++ UINT32_C(0x96AF2CB1), UINT32_C(0x8FA20829), UINT32_C(0x576ECD1C) } }, ++ { { UINT32_C(0x7E02D2D0), UINT32_C(0xA551CE10), UINT32_C(0x9D13DBC7), ++ UINT32_C(0x1584ED24), UINT32_C(0x4DA7B6D8), UINT32_C(0x082017AD), ++ UINT32_C(0xE054BC48), UINT32_C(0x81918A8F), UINT32_C(0x572DC384), ++ UINT32_C(0x677DB48E), UINT32_C(0x6155484C), UINT32_C(0x2EF82296) }, ++ { UINT32_C(0x41B9C231), UINT32_C(0xC3DB14C6), UINT32_C(0x4A766192), ++ UINT32_C(0x910A87D1), UINT32_C(0x10AB8E0F), UINT32_C(0x93D5CC86), ++ UINT32_C(0xAE57CA1B), UINT32_C(0x4194D548), UINT32_C(0x267FC37A), ++ UINT32_C(0xFAF3A1D6), UINT32_C(0x13B87C97), UINT32_C(0x70EC2364) } }, ++ { { UINT32_C(0x5E12756A), UINT32_C(0x064B565B), UINT32_C(0xAE49C98E), ++ UINT32_C(0x953B7BD1), UINT32_C(0xF7001D91), UINT32_C(0xE0CE8284), ++ UINT32_C(0xF31108D0), UINT32_C(0x1546060B), UINT32_C(0x6779B6E2), ++ UINT32_C(0xDBC2C3F4), UINT32_C(0xE0DD07CF), UINT32_C(0x157AA47D) }, ++ { UINT32_C(0xF23B261E), UINT32_C(0xBF4A1C6F), UINT32_C(0x654F4BE5), ++ UINT32_C(0x5B8EED30), UINT32_C(0x6B20CCD8), UINT32_C(0xDF5896D3), ++ UINT32_C(0x559ED23D), UINT32_C(0x56920E2C), UINT32_C(0xFA6E3E27), ++ UINT32_C(0x901F342E), UINT32_C(0x896CA082), UINT32_C(0x745C747C) } }, ++ { { UINT32_C(0x2944EC84), UINT32_C(0xDBCCD575), UINT32_C(0xA5FF65FE), ++ UINT32_C(0x54A2A935), UINT32_C(0x1A1319B6), UINT32_C(0x88C92A5E), ++ UINT32_C(0x82DA96C1), UINT32_C(0x9537C28F), UINT32_C(0x35F93C46), ++ UINT32_C(0xB6836474), UINT32_C(0x65B0846C), UINT32_C(0xEC526A1D) }, ++ { UINT32_C(0xF382C412), UINT32_C(0x6F12AFBD), UINT32_C(0x9E99FA06), ++ UINT32_C(0x5EBC81D8), UINT32_C(0x869B93BD), UINT32_C(0x97B5D672), ++ UINT32_C(0x377E12AA), UINT32_C(0x2983C310), UINT32_C(0x24D681EA), ++ UINT32_C(0x48759681), UINT32_C(0x287FD767), UINT32_C(0x1E0BD106) } }, ++ { { UINT32_C(0x7231247F), UINT32_C(0x0AC75A3E), UINT32_C(0xEF27AD3A), ++ UINT32_C(0x65C20DE6), UINT32_C(0xBD02EEE5), UINT32_C(0x87EB6CF1), ++ UINT32_C(0x00147E03), UINT32_C(0x264ACA7A), UINT32_C(0xAE2A9437), ++ UINT32_C(0xEBC78581), UINT32_C(0x6316BFA5), UINT32_C(0x9929964E) }, ++ { UINT32_C(0x9AF207EF), UINT32_C(0xDC09E040), UINT32_C(0x0C9D8658), ++ UINT32_C(0x3ECFFE2D), UINT32_C(0xDFB43D38), UINT32_C(0x547EA735), ++ UINT32_C(0xD04B1B20), UINT32_C(0x5485247B), UINT32_C(0xBFD8B609), ++ UINT32_C(0xB18D3F02), UINT32_C(0xCCE73705), UINT32_C(0xEEB3E805) } }, ++ { { UINT32_C(0xDB93850F), UINT32_C(0xDAB1A525), UINT32_C(0x8365B7D5), ++ UINT32_C(0x18ADAA23), UINT32_C(0x113FC8C7), UINT32_C(0x58485C90), ++ UINT32_C(0x348AD323), UINT32_C(0x80C3DBB9), UINT32_C(0xE16ADCA1), ++ UINT32_C(0xAF892FB5), UINT32_C(0x979F005A), UINT32_C(0x2183C879) }, ++ { UINT32_C(0x0643A99E), UINT32_C(0x20FA1A94), UINT32_C(0x1A1609CB), ++ UINT32_C(0x2741221C), UINT32_C(0x3C2FBDDC), UINT32_C(0x1C1687E5), ++ UINT32_C(0xD420D6CF), UINT32_C(0xDCCF329E), UINT32_C(0x2B7197D1), ++ UINT32_C(0x75D5577D), UINT32_C(0xC8729D9C), UINT32_C(0x4C3C3875) } }, ++ { { UINT32_C(0xE5CBDCB9), UINT32_C(0x5E79F995), UINT32_C(0xA742FCC7), ++ UINT32_C(0x03139824), UINT32_C(0x239EF4A1), UINT32_C(0x6D0C214A), ++ UINT32_C(0x401A2944), UINT32_C(0x53A27952), UINT32_C(0xC10BCDF0), ++ UINT32_C(0xF42A1B34), UINT32_C(0x7CF38061), UINT32_C(0x426BAA43) }, ++ { UINT32_C(0xA96AD0C8), UINT32_C(0x16A53139), UINT32_C(0x6BAD5301), ++ UINT32_C(0x627F1D31), UINT32_C(0x4ACCD627), UINT32_C(0x5AF74877), ++ UINT32_C(0xB55B0FB8), UINT32_C(0x3C58A1C5), UINT32_C(0xF4399A6A), ++ UINT32_C(0xFAA57B91), UINT32_C(0xC28094B8), UINT32_C(0xBAD283FB) } }, ++ { { UINT32_C(0x83E10A93), UINT32_C(0xBA32AC61), UINT32_C(0xEC06BDB0), ++ UINT32_C(0x1C91F6B4), UINT32_C(0x65F60C93), UINT32_C(0x42E6CFBC), ++ UINT32_C(0x2C0CDCBE), UINT32_C(0xEFE33BC8), UINT32_C(0x4D6414F2), ++ UINT32_C(0xE0FE1D09), UINT32_C(0x76FA5C5B), UINT32_C(0x4C112316) }, ++ { UINT32_C(0x2E26200A), UINT32_C(0x812C1DC6), UINT32_C(0xEE879D25), ++ UINT32_C(0xD6C413C5), UINT32_C(0xBCA8BAFE), UINT32_C(0xBEADE255), ++ UINT32_C(0xCE2BA0E7), UINT32_C(0x0EAF4AE2), UINT32_C(0xC4F4408A), ++ UINT32_C(0x66E9FFB0), UINT32_C(0x9782C7AD), UINT32_C(0xB36A86D7) } }, ++ { { UINT32_C(0xBAD8D1C7), UINT32_C(0x10FCD1F4), UINT32_C(0x4502F645), ++ UINT32_C(0xC903816A), UINT32_C(0xA503B895), UINT32_C(0x7FAC1CC1), ++ UINT32_C(0x0778900C), UINT32_C(0x8BCD6041), UINT32_C(0x5BCF2784), ++ UINT32_C(0x5A5F2202), UINT32_C(0x10EDB896), UINT32_C(0x9B157E87) }, ++ { UINT32_C(0xF602A8B1), UINT32_C(0x4C58DA69), UINT32_C(0x59EC9D7E), ++ UINT32_C(0xD55132F8), UINT32_C(0xA26D4870), UINT32_C(0x155B719A), ++ UINT32_C(0x36441746), UINT32_C(0x25AAFCA3), UINT32_C(0xDD3B6B30), ++ UINT32_C(0x01F83338), UINT32_C(0x551917CC), UINT32_C(0xD52BB5C1) } }, ++ { { UINT32_C(0x6135066A), UINT32_C(0xA0B6207B), UINT32_C(0x2AEC8CBD), ++ UINT32_C(0xB3409F84), UINT32_C(0x19D87DF0), UINT32_C(0x5EBFD436), ++ UINT32_C(0xE8526DE2), UINT32_C(0xCB4C209B), UINT32_C(0x21E1A230), ++ UINT32_C(0xD764085B), UINT32_C(0x0899964A), UINT32_C(0x96F91554) }, ++ { UINT32_C(0xA57D122A), UINT32_C(0xB0BEC8EF), UINT32_C(0x5D9D0B33), ++ UINT32_C(0xC572EC56), UINT32_C(0xCFA7C72C), UINT32_C(0xEBE2A780), ++ UINT32_C(0x9EF3295C), UINT32_C(0x52D40CDB), UINT32_C(0x0DE74DFE), ++ UINT32_C(0x64004584), UINT32_C(0xC0809716), UINT32_C(0xA6846432) } }, ++ { { UINT32_C(0x02C979BC), UINT32_C(0x0D09E8CD), UINT32_C(0x409F4F2A), ++ UINT32_C(0xEC4B21F6), UINT32_C(0x13FB07CA), UINT32_C(0x68125C70), ++ UINT32_C(0x6FDFA72A), UINT32_C(0x1C4CFC17), UINT32_C(0x04539FCD), ++ UINT32_C(0xC9E71B9E), UINT32_C(0x8BA70797), UINT32_C(0x94B7103D) }, ++ { UINT32_C(0xB33FDE83), UINT32_C(0x6B81E82F), UINT32_C(0xEABAFD4B), ++ UINT32_C(0x7CA9A8CA), UINT32_C(0xEAB819CE), UINT32_C(0xADD85A67), ++ UINT32_C(0x98E99FFC), UINT32_C(0xAEC25483), UINT32_C(0x274A07B6), ++ UINT32_C(0x938D6440), UINT32_C(0x564A6AA0), UINT32_C(0x0A5C7097) } }, ++ { { UINT32_C(0x2F4FCEB6), UINT32_C(0x7284FF50), UINT32_C(0x78D0D5CB), ++ UINT32_C(0x0A28715A), UINT32_C(0xBFCE187C), UINT32_C(0xE70B7014), ++ UINT32_C(0x7A17148D), UINT32_C(0xA6B538F5), UINT32_C(0xDD427166), ++ UINT32_C(0x1DAB07C9), UINT32_C(0x149D23CA), UINT32_C(0x5C5578B0) }, ++ { UINT32_C(0x875B5EDE), UINT32_C(0x875E2056), UINT32_C(0x02C893B9), ++ UINT32_C(0xCBF44B6D), UINT32_C(0x5C2993FB), UINT32_C(0x5715A77E), ++ UINT32_C(0x3410597E), UINT32_C(0xAF328146), UINT32_C(0x42DC49DF), ++ UINT32_C(0x65DF418F), UINT32_C(0xA9EE52F6), UINT32_C(0x7AC9C720) } }, ++ { { UINT32_C(0x62955486), UINT32_C(0xB1C9AA07), UINT32_C(0x245061D7), ++ UINT32_C(0xCBF35BE3), UINT32_C(0x8CF4DDC0), UINT32_C(0x811E1BD3), ++ UINT32_C(0x948F7C84), UINT32_C(0xD9D4589C), UINT32_C(0xCB0F996D), ++ UINT32_C(0x30D09A0F), UINT32_C(0x590E7704), UINT32_C(0x1A1B3B7A) }, ++ { UINT32_C(0x2082768D), UINT32_C(0xA848E349), UINT32_C(0x9A249DF4), ++ UINT32_C(0x9FEBD492), UINT32_C(0x5F20439A), UINT32_C(0x503420AF), ++ UINT32_C(0x8E2BFCD4), UINT32_C(0x0CBE52B6), UINT32_C(0x118C91B2), ++ UINT32_C(0xB1D5E261), UINT32_C(0x71D8F2BC), UINT32_C(0x93CFF6DA) } }, ++ { { UINT32_C(0x8AB58944), UINT32_C(0x5F5BC06B), UINT32_C(0x4979882D), ++ UINT32_C(0xE4BED538), UINT32_C(0xD79B0EB1), UINT32_C(0x57C30362), ++ UINT32_C(0xEF7C56D8), UINT32_C(0x391AE2C1), UINT32_C(0xADD98625), ++ UINT32_C(0x28BC2E97), UINT32_C(0x1B257107), UINT32_C(0xFA8E86B8) }, ++ { UINT32_C(0x6118C715), UINT32_C(0x5E4859F8), UINT32_C(0x524C71DD), ++ UINT32_C(0x91C83324), UINT32_C(0x6D2F5E6D), UINT32_C(0xFB209243), ++ UINT32_C(0x2A900A43), UINT32_C(0x6B4FE21F), UINT32_C(0x32A73C1F), ++ UINT32_C(0x241F75D6), UINT32_C(0x5AE89613), UINT32_C(0xF5BC4629) } }, ++ } ++}; ++ ++/*- ++ * Q := 2P, both projective, Q and P same pointers OK ++ * Autogenerated: op3/dbl_proj.op3 ++ * https://eprint.iacr.org/2015/1060 Alg 6 ++ * ASSERT: a = -3 ++ */ ++static void ++point_double(pt_prj_t *Q, const pt_prj_t *P) ++{ ++ /* temporary variables */ ++ fe_t t0, t1, t2, t3, t4; ++ /* constants */ ++ const limb_t *b = const_b; ++ /* set pointers for legacy curve arith */ ++ const limb_t *X = P->X; ++ const limb_t *Y = P->Y; ++ const limb_t *Z = P->Z; ++ limb_t *X3 = Q->X; ++ limb_t *Y3 = Q->Y; ++ limb_t *Z3 = Q->Z; ++ ++ /* the curve arith formula */ ++ fiat_secp384r1_square(t0, X); ++ fiat_secp384r1_square(t1, Y); ++ fiat_secp384r1_square(t2, Z); ++ fiat_secp384r1_mul(t3, X, Y); ++ fiat_secp384r1_add(t3, t3, t3); ++ fiat_secp384r1_mul(t4, Y, Z); ++ fiat_secp384r1_mul(Z3, X, Z); ++ fiat_secp384r1_add(Z3, Z3, Z3); ++ fiat_secp384r1_mul(Y3, b, t2); ++ fiat_secp384r1_sub(Y3, Y3, Z3); ++ fiat_secp384r1_add(X3, Y3, Y3); ++ fiat_secp384r1_add(Y3, X3, Y3); ++ fiat_secp384r1_sub(X3, t1, Y3); ++ fiat_secp384r1_add(Y3, t1, Y3); ++ fiat_secp384r1_mul(Y3, X3, Y3); ++ fiat_secp384r1_mul(X3, X3, t3); ++ fiat_secp384r1_add(t3, t2, t2); ++ fiat_secp384r1_add(t2, t2, t3); ++ fiat_secp384r1_mul(Z3, b, Z3); ++ fiat_secp384r1_sub(Z3, Z3, t2); ++ fiat_secp384r1_sub(Z3, Z3, t0); ++ fiat_secp384r1_add(t3, Z3, Z3); ++ fiat_secp384r1_add(Z3, Z3, t3); ++ fiat_secp384r1_add(t3, t0, t0); ++ fiat_secp384r1_add(t0, t3, t0); ++ fiat_secp384r1_sub(t0, t0, t2); ++ fiat_secp384r1_mul(t0, t0, Z3); ++ fiat_secp384r1_add(Y3, Y3, t0); ++ fiat_secp384r1_add(t0, t4, t4); ++ fiat_secp384r1_mul(Z3, t0, Z3); ++ fiat_secp384r1_sub(X3, X3, Z3); ++ fiat_secp384r1_mul(Z3, t0, t1); ++ fiat_secp384r1_add(Z3, Z3, Z3); ++ fiat_secp384r1_add(Z3, Z3, Z3); ++} ++ ++/*- ++ * R := Q + P where R and Q are projective, P affine. ++ * R and Q same pointers OK ++ * R and P same pointers not OK ++ * Autogenerated: op3/add_mixed.op3 ++ * https://eprint.iacr.org/2015/1060 Alg 5 ++ * ASSERT: a = -3 ++ */ ++static void ++point_add_mixed(pt_prj_t *R, const pt_prj_t *Q, const pt_aff_t *P) ++{ ++ /* temporary variables */ ++ fe_t t0, t1, t2, t3, t4; ++ /* constants */ ++ const limb_t *b = const_b; ++ /* set pointers for legacy curve arith */ ++ const limb_t *X1 = Q->X; ++ const limb_t *Y1 = Q->Y; ++ const limb_t *Z1 = Q->Z; ++ const limb_t *X2 = P->X; ++ const limb_t *Y2 = P->Y; ++ fe_t X3; ++ fe_t Y3; ++ fe_t Z3; ++ limb_t nz; ++ ++ /* check P for affine inf */ ++ fiat_secp384r1_nonzero(&nz, P->Y); ++ ++ /* the curve arith formula */ ++ fiat_secp384r1_mul(t0, X1, X2); ++ fiat_secp384r1_mul(t1, Y1, Y2); ++ fiat_secp384r1_add(t3, X2, Y2); ++ fiat_secp384r1_add(t4, X1, Y1); ++ fiat_secp384r1_mul(t3, t3, t4); ++ fiat_secp384r1_add(t4, t0, t1); ++ fiat_secp384r1_sub(t3, t3, t4); ++ fiat_secp384r1_mul(t4, Y2, Z1); ++ fiat_secp384r1_add(t4, t4, Y1); ++ fiat_secp384r1_mul(Y3, X2, Z1); ++ fiat_secp384r1_add(Y3, Y3, X1); ++ fiat_secp384r1_mul(Z3, b, Z1); ++ fiat_secp384r1_sub(X3, Y3, Z3); ++ fiat_secp384r1_add(Z3, X3, X3); ++ fiat_secp384r1_add(X3, X3, Z3); ++ fiat_secp384r1_sub(Z3, t1, X3); ++ fiat_secp384r1_add(X3, t1, X3); ++ fiat_secp384r1_mul(Y3, b, Y3); ++ fiat_secp384r1_add(t1, Z1, Z1); ++ fiat_secp384r1_add(t2, t1, Z1); ++ fiat_secp384r1_sub(Y3, Y3, t2); ++ fiat_secp384r1_sub(Y3, Y3, t0); ++ fiat_secp384r1_add(t1, Y3, Y3); ++ fiat_secp384r1_add(Y3, t1, Y3); ++ fiat_secp384r1_add(t1, t0, t0); ++ fiat_secp384r1_add(t0, t1, t0); ++ fiat_secp384r1_sub(t0, t0, t2); ++ fiat_secp384r1_mul(t1, t4, Y3); ++ fiat_secp384r1_mul(t2, t0, Y3); ++ fiat_secp384r1_mul(Y3, X3, Z3); ++ fiat_secp384r1_add(Y3, Y3, t2); ++ fiat_secp384r1_mul(X3, t3, X3); ++ fiat_secp384r1_sub(X3, X3, t1); ++ fiat_secp384r1_mul(Z3, t4, Z3); ++ fiat_secp384r1_mul(t1, t3, t0); ++ fiat_secp384r1_add(Z3, Z3, t1); ++ ++ /* if P is inf, throw all that away and take Q */ ++ fiat_secp384r1_selectznz(R->X, nz, Q->X, X3); ++ fiat_secp384r1_selectznz(R->Y, nz, Q->Y, Y3); ++ fiat_secp384r1_selectznz(R->Z, nz, Q->Z, Z3); ++} ++ ++/*- ++ * R := Q + P all projective. ++ * R and Q same pointers OK ++ * R and P same pointers not OK ++ * Autogenerated: op3/add_proj.op3 ++ * https://eprint.iacr.org/2015/1060 Alg 4 ++ * ASSERT: a = -3 ++ */ ++static void ++point_add_proj(pt_prj_t *R, const pt_prj_t *Q, const pt_prj_t *P) ++{ ++ /* temporary variables */ ++ fe_t t0, t1, t2, t3, t4, t5; ++ /* constants */ ++ const limb_t *b = const_b; ++ /* set pointers for legacy curve arith */ ++ const limb_t *X1 = Q->X; ++ const limb_t *Y1 = Q->Y; ++ const limb_t *Z1 = Q->Z; ++ const limb_t *X2 = P->X; ++ const limb_t *Y2 = P->Y; ++ const limb_t *Z2 = P->Z; ++ limb_t *X3 = R->X; ++ limb_t *Y3 = R->Y; ++ limb_t *Z3 = R->Z; ++ ++ /* the curve arith formula */ ++ fiat_secp384r1_mul(t0, X1, X2); ++ fiat_secp384r1_mul(t1, Y1, Y2); ++ fiat_secp384r1_mul(t2, Z1, Z2); ++ fiat_secp384r1_add(t3, X1, Y1); ++ fiat_secp384r1_add(t4, X2, Y2); ++ fiat_secp384r1_mul(t3, t3, t4); ++ fiat_secp384r1_add(t4, t0, t1); ++ fiat_secp384r1_sub(t3, t3, t4); ++ fiat_secp384r1_add(t4, Y1, Z1); ++ fiat_secp384r1_add(t5, Y2, Z2); ++ fiat_secp384r1_mul(t4, t4, t5); ++ fiat_secp384r1_add(t5, t1, t2); ++ fiat_secp384r1_sub(t4, t4, t5); ++ fiat_secp384r1_add(X3, X1, Z1); ++ fiat_secp384r1_add(Y3, X2, Z2); ++ fiat_secp384r1_mul(X3, X3, Y3); ++ fiat_secp384r1_add(Y3, t0, t2); ++ fiat_secp384r1_sub(Y3, X3, Y3); ++ fiat_secp384r1_mul(Z3, b, t2); ++ fiat_secp384r1_sub(X3, Y3, Z3); ++ fiat_secp384r1_add(Z3, X3, X3); ++ fiat_secp384r1_add(X3, X3, Z3); ++ fiat_secp384r1_sub(Z3, t1, X3); ++ fiat_secp384r1_add(X3, t1, X3); ++ fiat_secp384r1_mul(Y3, b, Y3); ++ fiat_secp384r1_add(t1, t2, t2); ++ fiat_secp384r1_add(t2, t1, t2); ++ fiat_secp384r1_sub(Y3, Y3, t2); ++ fiat_secp384r1_sub(Y3, Y3, t0); ++ fiat_secp384r1_add(t1, Y3, Y3); ++ fiat_secp384r1_add(Y3, t1, Y3); ++ fiat_secp384r1_add(t1, t0, t0); ++ fiat_secp384r1_add(t0, t1, t0); ++ fiat_secp384r1_sub(t0, t0, t2); ++ fiat_secp384r1_mul(t1, t4, Y3); ++ fiat_secp384r1_mul(t2, t0, Y3); ++ fiat_secp384r1_mul(Y3, X3, Z3); ++ fiat_secp384r1_add(Y3, Y3, t2); ++ fiat_secp384r1_mul(X3, t3, X3); ++ fiat_secp384r1_sub(X3, X3, t1); ++ fiat_secp384r1_mul(Z3, t4, Z3); ++ fiat_secp384r1_mul(t1, t3, t0); ++ fiat_secp384r1_add(Z3, Z3, t1); ++} ++ ++/* constants */ ++#define RADIX 5 ++#define DRADIX (1 << RADIX) ++#define DRADIX_WNAF ((DRADIX) << 1) ++ ++/*- ++ * precomp for wnaf scalar multiplication: ++ * precomp[0] = 1P ++ * precomp[1] = 3P ++ * precomp[2] = 5P ++ * precomp[3] = 7P ++ * precomp[4] = 9P ++ * ... ++ */ ++static void ++precomp_wnaf(pt_prj_t precomp[DRADIX / 2], const pt_aff_t *P) ++{ ++ int i; ++ ++ fe_copy(precomp[0].X, P->X); ++ fe_copy(precomp[0].Y, P->Y); ++ fe_copy(precomp[0].Z, const_one); ++ point_double(&precomp[DRADIX / 2 - 1], &precomp[0]); ++ ++ for (i = 1; i < DRADIX / 2; i++) ++ point_add_proj(&precomp[i], &precomp[DRADIX / 2 - 1], &precomp[i - 1]); ++} ++ ++/* fetch a scalar bit */ ++static int ++scalar_get_bit(const unsigned char in[48], int idx) ++{ ++ int widx, rshift; ++ ++ widx = idx >> 3; ++ rshift = idx & 0x7; ++ ++ if (idx < 0 || widx >= 48) ++ return 0; ++ ++ return (in[widx] >> rshift) & 0x1; ++} ++ ++/*- ++ * Compute "regular" wnaf representation of a scalar. ++ * See "Exponent Recoding and Regular Exponentiation Algorithms", ++ * Tunstall et al., AfricaCrypt 2009, Alg 6. ++ * It forces an odd scalar and outputs digits in ++ * {\pm 1, \pm 3, \pm 5, \pm 7, \pm 9, ...} ++ * i.e. signed odd digits with _no zeroes_ -- that makes it "regular". ++ */ ++static void ++scalar_rwnaf(int8_t out[77], const unsigned char in[48]) ++{ ++ int i; ++ int8_t window, d; ++ ++ window = (in[0] & (DRADIX_WNAF - 1)) | 1; ++ for (i = 0; i < 76; i++) { ++ d = (window & (DRADIX_WNAF - 1)) - DRADIX; ++ out[i] = d; ++ window = (window - d) >> RADIX; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 1) << 1; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 2) << 2; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 3) << 3; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 4) << 4; ++ window += scalar_get_bit(in, (i + 1) * RADIX + 5) << 5; ++ } ++ out[i] = window; ++} ++ ++/*- ++ * Compute "textbook" wnaf representation of a scalar. ++ * NB: not constant time ++ */ ++static void ++scalar_wnaf(int8_t out[385], const unsigned char in[48]) ++{ ++ int i; ++ int8_t window, d; ++ ++ window = in[0] & (DRADIX_WNAF - 1); ++ for (i = 0; i < 385; i++) { ++ d = 0; ++ if ((window & 1) && ((d = window & (DRADIX_WNAF - 1)) & DRADIX)) ++ d -= DRADIX_WNAF; ++ out[i] = d; ++ window = (window - d) >> 1; ++ window += scalar_get_bit(in, i + 1 + RADIX) << RADIX; ++ } ++} ++ ++/*- ++ * Simulateous scalar multiplication: interleaved "textbook" wnaf. ++ * NB: not constant time ++ */ ++static void ++var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[48], ++ const unsigned char b[48], const pt_aff_t *P) ++{ ++ int i, d, is_neg, is_inf = 1, flipped = 0; ++ int8_t anaf[385] = { 0 }; ++ int8_t bnaf[385] = { 0 }; ++ pt_prj_t Q; ++ pt_prj_t precomp[DRADIX / 2]; ++ ++ precomp_wnaf(precomp, P); ++ scalar_wnaf(anaf, a); ++ scalar_wnaf(bnaf, b); ++ ++ for (i = 384; i >= 0; i--) { ++ if (!is_inf) ++ point_double(&Q, &Q); ++ if ((d = bnaf[i])) { ++ if ((is_neg = d < 0) != flipped) { ++ fiat_secp384r1_opp(Q.Y, Q.Y); ++ flipped ^= 1; ++ } ++ d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; ++ if (is_inf) { ++ /* initialize accumulator */ ++ fe_copy(Q.X, &precomp[d].X); ++ fe_copy(Q.Y, &precomp[d].Y); ++ fe_copy(Q.Z, &precomp[d].Z); ++ is_inf = 0; ++ } else ++ point_add_proj(&Q, &Q, &precomp[d]); ++ } ++ if ((d = anaf[i])) { ++ if ((is_neg = d < 0) != flipped) { ++ fiat_secp384r1_opp(Q.Y, Q.Y); ++ flipped ^= 1; ++ } ++ d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; ++ if (is_inf) { ++ /* initialize accumulator */ ++ fe_copy(Q.X, &lut_cmb[0][d].X); ++ fe_copy(Q.Y, &lut_cmb[0][d].Y); ++ fe_copy(Q.Z, const_one); ++ is_inf = 0; ++ } else ++ point_add_mixed(&Q, &Q, &lut_cmb[0][d]); ++ } ++ } ++ ++ if (is_inf) { ++ /* initialize accumulator to inf: all-zero scalars */ ++ fe_set_zero(Q.X); ++ fe_copy(Q.Y, const_one); ++ fe_set_zero(Q.Z); ++ } ++ ++ if (flipped) { ++ /* correct sign */ ++ fiat_secp384r1_opp(Q.Y, Q.Y); ++ } ++ ++ /* convert to affine -- NB depends on coordinate system */ ++ fiat_secp384r1_inv(Q.Z, Q.Z); ++ fiat_secp384r1_mul(out->X, Q.X, Q.Z); ++ fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); ++} ++ ++/*- ++ * Variable point scalar multiplication with "regular" wnaf. ++ */ ++static void ++var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[48], ++ const pt_aff_t *P) ++{ ++ int i, j, d, diff, is_neg; ++ int8_t rnaf[77] = { 0 }; ++ pt_prj_t Q, lut; ++ pt_prj_t precomp[DRADIX / 2]; ++ ++ precomp_wnaf(precomp, P); ++ scalar_rwnaf(rnaf, scalar); ++ ++#if defined(_MSC_VER) ++/* result still unsigned: yes we know */ ++#pragma warning(push) ++#pragma warning(disable : 4146) ++#endif ++ ++ /* initialize accumulator to high digit */ ++ d = (rnaf[76] - 1) >> 1; ++ for (j = 0; j < DRADIX / 2; j++) { ++ diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; ++ fiat_secp384r1_selectznz(Q.X, diff, Q.X, precomp[j].X); ++ fiat_secp384r1_selectznz(Q.Y, diff, Q.Y, precomp[j].Y); ++ fiat_secp384r1_selectznz(Q.Z, diff, Q.Z, precomp[j].Z); ++ } ++ ++ for (i = 75; i >= 0; i--) { ++ for (j = 0; j < RADIX; j++) ++ point_double(&Q, &Q); ++ d = rnaf[i]; ++ /* is_neg = (d < 0) ? 1 : 0 */ ++ is_neg = (d >> (8 * sizeof(int) - 1)) & 1; ++ /* d = abs(d) */ ++ d = (d ^ -is_neg) + is_neg; ++ d = (d - 1) >> 1; ++ for (j = 0; j < DRADIX / 2; j++) { ++ diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; ++ fiat_secp384r1_selectznz(lut.X, diff, lut.X, precomp[j].X); ++ fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, precomp[j].Y); ++ fiat_secp384r1_selectznz(lut.Z, diff, lut.Z, precomp[j].Z); ++ } ++ /* negate lut point if digit is negative */ ++ fiat_secp384r1_opp(out->Y, lut.Y); ++ fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); ++ point_add_proj(&Q, &Q, &lut); ++ } ++ ++#if defined(_MSC_VER) ++#pragma warning(pop) ++#endif ++ ++ /* conditionally subtract P if the scalar was even */ ++ fe_copy(lut.X, precomp[0].X); ++ fiat_secp384r1_opp(lut.Y, precomp[0].Y); ++ fe_copy(lut.Z, precomp[0].Z); ++ point_add_proj(&lut, &lut, &Q); ++ fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, lut.X, Q.X); ++ fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, lut.Y, Q.Y); ++ fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, lut.Z, Q.Z); ++ ++ /* convert to affine -- NB depends on coordinate system */ ++ fiat_secp384r1_inv(Q.Z, Q.Z); ++ fiat_secp384r1_mul(out->X, Q.X, Q.Z); ++ fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); ++} ++ ++/*- ++ * Fixed scalar multiplication: comb with interleaving. ++ */ ++static void ++fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[48]) ++{ ++ int i, j, k, d, diff, is_neg = 0; ++ int8_t rnaf[77] = { 0 }; ++ pt_prj_t Q, R; ++ pt_aff_t lut; ++ ++ scalar_rwnaf(rnaf, scalar); ++ ++ /* initalize accumulator to inf */ ++ fe_set_zero(Q.X); ++ fe_copy(Q.Y, const_one); ++ fe_set_zero(Q.Z); ++ ++#if defined(_MSC_VER) ++/* result still unsigned: yes we know */ ++#pragma warning(push) ++#pragma warning(disable : 4146) ++#endif ++ ++ for (i = 3; i >= 0; i--) { ++ for (j = 0; i != 3 && j < RADIX; j++) ++ point_double(&Q, &Q); ++ for (j = 0; j < 21; j++) { ++ if (j * 4 + i > 76) ++ continue; ++ d = rnaf[j * 4 + i]; ++ /* is_neg = (d < 0) ? 1 : 0 */ ++ is_neg = (d >> (8 * sizeof(int) - 1)) & 1; ++ /* d = abs(d) */ ++ d = (d ^ -is_neg) + is_neg; ++ d = (d - 1) >> 1; ++ for (k = 0; k < DRADIX / 2; k++) { ++ diff = (1 - (-(d ^ k) >> (8 * sizeof(int) - 1))) & 1; ++ fiat_secp384r1_selectznz(lut.X, diff, lut.X, lut_cmb[j][k].X); ++ fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, lut_cmb[j][k].Y); ++ } ++ /* negate lut point if digit is negative */ ++ fiat_secp384r1_opp(out->Y, lut.Y); ++ fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); ++ point_add_mixed(&Q, &Q, &lut); ++ } ++ } ++ ++#if defined(_MSC_VER) ++#pragma warning(pop) ++#endif ++ ++ /* conditionally subtract P if the scalar was even */ ++ fe_copy(lut.X, lut_cmb[0][0].X); ++ fiat_secp384r1_opp(lut.Y, lut_cmb[0][0].Y); ++ point_add_mixed(&R, &Q, &lut); ++ fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, R.X, Q.X); ++ fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, R.Y, Q.Y); ++ fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, R.Z, Q.Z); ++ ++ /* convert to affine -- NB depends on coordinate system */ ++ fiat_secp384r1_inv(Q.Z, Q.Z); ++ fiat_secp384r1_mul(out->X, Q.X, Q.Z); ++ fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); ++} ++ ++static void ++point_mul_two(unsigned char outx[48], unsigned char outy[48], ++ const unsigned char a[48], const unsigned char b[48], ++ const unsigned char inx[48], ++ const unsigned char iny[48]) ++{ ++ pt_aff_t P; ++ ++ fiat_secp384r1_from_bytes(P.X, inx); ++ fiat_secp384r1_from_bytes(P.Y, iny); ++ fiat_secp384r1_to_montgomery(P.X, P.X); ++ fiat_secp384r1_to_montgomery(P.Y, P.Y); ++ /* simultaneous scalar multiplication */ ++ var_smul_wnaf_two(&P, a, b, &P); ++ ++ fiat_secp384r1_from_montgomery(P.X, P.X); ++ fiat_secp384r1_from_montgomery(P.Y, P.Y); ++ fiat_secp384r1_to_bytes(outx, P.X); ++ fiat_secp384r1_to_bytes(outy, P.Y); ++} ++ ++static void ++point_mul_g(unsigned char outx[48], unsigned char outy[48], ++ const unsigned char scalar[48]) ++{ ++ pt_aff_t P; ++ ++ /* fixed scmul function */ ++ fixed_smul_cmb(&P, scalar); ++ fiat_secp384r1_from_montgomery(P.X, P.X); ++ fiat_secp384r1_from_montgomery(P.Y, P.Y); ++ fiat_secp384r1_to_bytes(outx, P.X); ++ fiat_secp384r1_to_bytes(outy, P.Y); ++} ++ ++static void ++point_mul(unsigned char outx[48], unsigned char outy[48], ++ const unsigned char scalar[48], ++ const unsigned char inx[48], ++ const unsigned char iny[48]) ++{ ++ pt_aff_t P; ++ ++ fiat_secp384r1_from_bytes(P.X, inx); ++ fiat_secp384r1_from_bytes(P.Y, iny); ++ fiat_secp384r1_to_montgomery(P.X, P.X); ++ fiat_secp384r1_to_montgomery(P.Y, P.Y); ++ /* var scmul function */ ++ var_smul_rwnaf(&P, scalar, &P); ++ fiat_secp384r1_from_montgomery(P.X, P.X); ++ fiat_secp384r1_from_montgomery(P.Y, P.Y); ++ fiat_secp384r1_to_bytes(outx, P.X); ++ fiat_secp384r1_to_bytes(outy, P.Y); ++} ++ ++#undef RADIX ++#include "ecp.h" ++#include "mplogic.h" ++ ++/*- ++ * reverse bytes -- total hack ++ */ ++#define MP_BE2LE(a) \ ++ do { \ ++ unsigned char z_bswap; \ ++ z_bswap = a[0]; \ ++ a[0] = a[47]; \ ++ a[47] = z_bswap; \ ++ z_bswap = a[1]; \ ++ a[1] = a[46]; \ ++ a[46] = z_bswap; \ ++ z_bswap = a[2]; \ ++ a[2] = a[45]; \ ++ a[45] = z_bswap; \ ++ z_bswap = a[3]; \ ++ a[3] = a[44]; \ ++ a[44] = z_bswap; \ ++ z_bswap = a[4]; \ ++ a[4] = a[43]; \ ++ a[43] = z_bswap; \ ++ z_bswap = a[5]; \ ++ a[5] = a[42]; \ ++ a[42] = z_bswap; \ ++ z_bswap = a[6]; \ ++ a[6] = a[41]; \ ++ a[41] = z_bswap; \ ++ z_bswap = a[7]; \ ++ a[7] = a[40]; \ ++ a[40] = z_bswap; \ ++ z_bswap = a[8]; \ ++ a[8] = a[39]; \ ++ a[39] = z_bswap; \ ++ z_bswap = a[9]; \ ++ a[9] = a[38]; \ ++ a[38] = z_bswap; \ ++ z_bswap = a[10]; \ ++ a[10] = a[37]; \ ++ a[37] = z_bswap; \ ++ z_bswap = a[11]; \ ++ a[11] = a[36]; \ ++ a[36] = z_bswap; \ ++ z_bswap = a[12]; \ ++ a[12] = a[35]; \ ++ a[35] = z_bswap; \ ++ z_bswap = a[13]; \ ++ a[13] = a[34]; \ ++ a[34] = z_bswap; \ ++ z_bswap = a[14]; \ ++ a[14] = a[33]; \ ++ a[33] = z_bswap; \ ++ z_bswap = a[15]; \ ++ a[15] = a[32]; \ ++ a[32] = z_bswap; \ ++ z_bswap = a[16]; \ ++ a[16] = a[31]; \ ++ a[31] = z_bswap; \ ++ z_bswap = a[17]; \ ++ a[17] = a[30]; \ ++ a[30] = z_bswap; \ ++ z_bswap = a[18]; \ ++ a[18] = a[29]; \ ++ a[29] = z_bswap; \ ++ z_bswap = a[19]; \ ++ a[19] = a[28]; \ ++ a[28] = z_bswap; \ ++ z_bswap = a[20]; \ ++ a[20] = a[27]; \ ++ a[27] = z_bswap; \ ++ z_bswap = a[21]; \ ++ a[21] = a[26]; \ ++ a[26] = z_bswap; \ ++ z_bswap = a[22]; \ ++ a[22] = a[25]; \ ++ a[25] = z_bswap; \ ++ z_bswap = a[23]; \ ++ a[23] = a[24]; \ ++ a[24] = z_bswap; \ ++ } while (0) ++ ++static mp_err ++point_mul_g_secp384r1(const mp_int *n, mp_int *out_x, ++ mp_int *out_y, const ECGroup *group) ++{ ++ unsigned char b_x[48]; ++ unsigned char b_y[48]; ++ unsigned char b_n[48]; ++ mp_err res; ++ ++ ARGCHK(n != NULL && out_x != NULL && out_y != NULL, MP_BADARG); ++ ++ /* fail on out of range scalars */ ++ if (mpl_significant_bits(n) > 384 || mp_cmp_z(n) != 1) ++ return MP_RANGE; ++ ++ MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 48)); ++ MP_BE2LE(b_n); ++ point_mul_g(b_x, b_y, b_n); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); ++ MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); ++ ++CLEANUP: ++ return res; ++} ++ ++static mp_err ++point_mul_secp384r1(const mp_int *n, const mp_int *in_x, ++ const mp_int *in_y, mp_int *out_x, ++ mp_int *out_y, const ECGroup *group) ++{ ++ unsigned char b_x[48]; ++ unsigned char b_y[48]; ++ unsigned char b_n[48]; ++ mp_err res; ++ ++ ARGCHK(n != NULL && in_x != NULL && in_y != NULL && out_x != NULL && ++ out_y != NULL, ++ MP_BADARG); ++ ++ /* fail on out of range scalars */ ++ if (mpl_significant_bits(n) > 384 || mp_cmp_z(n) != 1) ++ return MP_RANGE; ++ ++ MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 48)); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_BE2LE(b_n); ++ point_mul(b_x, b_y, b_n, b_x, b_y); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); ++ MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); ++ ++CLEANUP: ++ return res; ++} ++ ++static mp_err ++point_mul_two_secp384r1(const mp_int *n1, const mp_int *n2, ++ const mp_int *in_x, const mp_int *in_y, ++ mp_int *out_x, mp_int *out_y, ++ const ECGroup *group) ++{ ++ unsigned char b_x[48]; ++ unsigned char b_y[48]; ++ unsigned char b_n1[48]; ++ unsigned char b_n2[48]; ++ mp_err res; ++ ++ /* If n2 == NULL, this is just a base-point multiplication. */ ++ if (n2 == NULL) ++ return point_mul_g_secp384r1(n1, out_x, out_y, group); ++ ++ /* If n1 == NULL, this is just an arbitary-point multiplication. */ ++ if (n1 == NULL) ++ return point_mul_secp384r1(n2, in_x, in_y, out_x, out_y, group); ++ ++ ARGCHK(in_x != NULL && in_y != NULL && out_x != NULL && out_y != NULL, ++ MP_BADARG); ++ ++ /* fail on out of range scalars */ ++ if (mpl_significant_bits(n1) > 384 || mp_cmp_z(n1) != 1 || ++ mpl_significant_bits(n2) > 384 || mp_cmp_z(n2) != 1) ++ return MP_RANGE; ++ ++ MP_CHECKOK(mp_to_fixlen_octets(n1, b_n1, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(n2, b_n2, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 48)); ++ MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 48)); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_BE2LE(b_n1); ++ MP_BE2LE(b_n2); ++ point_mul_two(b_x, b_y, b_n1, b_n2, b_x, b_y); ++ MP_BE2LE(b_x); ++ MP_BE2LE(b_y); ++ MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); ++ MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); ++ ++CLEANUP: ++ return res; ++} ++ ++mp_err ++ec_group_set_secp384r1(ECGroup *group, ECCurveName name) ++{ ++ if (name == ECCurve_NIST_P384) { ++ group->base_point_mul = &point_mul_g_secp384r1; ++ group->point_mul = &point_mul_secp384r1; ++ group->points_mul = &point_mul_two_secp384r1; ++ } ++ return MP_OKAY; ++} ++ ++#endif /* __SIZEOF_INT128__ */ +diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi +--- a/nss/lib/freebl/freebl_base.gypi ++++ b/nss/lib/freebl/freebl_base.gypi +@@ -30,16 +30,17 @@ + 'ecl/ecp_256.c', + 'ecl/ecp_256_32.c', + 'ecl/ecp_384.c', + 'ecl/ecp_521.c', + 'ecl/ecp_aff.c', + 'ecl/ecp_jac.c', + 'ecl/ecp_jm.c', + 'ecl/ecp_mont.c', ++ 'ecl/ecp_secp384r1.c', + 'fipsfreebl.c', + 'blinit.c', + 'freeblver.c', + 'gcm.c', + 'hmacct.c', + 'jpake.c', + 'ldvector.c', + 'md2.c', +diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn +--- a/nss/lib/freebl/manifest.mn ++++ b/nss/lib/freebl/manifest.mn +@@ -102,17 +102,17 @@ PRIVATE_EXPORTS = \ + MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h + MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c + + + ECL_HDRS = ecl-exp.h ecl.h ecp.h ecl-priv.h + ECL_SRCS = ecl.c ecl_mult.c ecl_gf.c \ + ecp_aff.c ecp_jac.c ecp_mont.c \ + ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \ +- ecp_256_32.c ecp_25519.c ++ ecp_256_32.c ecp_25519.c ecp_secp384r1.c + SHA_SRCS = sha_fast.c + MPCPU_SRCS = mpcpucache.c + VERIFIED_SRCS = $(NULL) + + CSRCS = \ + freeblver.c \ + ldvector.c \ + sysrand.c \ +diff --git a/nss/tests/ec/ectest.sh b/tests/ec/ectest.sh +old mode 100644 +new mode 100755 + diff --git a/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch new file mode 100644 index 0000000000..cf3ea63cac --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2021-43527.patch @@ -0,0 +1,283 @@ +Description: fix heap overflow when verifying DSA/RSA-PSS DER-encoded signatures +Origin: Provided by Mozilla + +CVE: CVE-2021-43527 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.35-2ubuntu2.13.debian.tar.xz] +Comment: Refreshed hunk 1 and 6 due to fuzz +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +--- a/nss/lib/cryptohi/secvfy.c ++++ b/nss/lib/cryptohi/secvfy.c +@@ -164,6 +164,37 @@ + PR_FALSE /*XXX: unsafeAllowMissingParameters*/); + } + ++static unsigned int ++checkedSignatureLen(const SECKEYPublicKey *pubk) ++{ ++ unsigned int sigLen = SECKEY_SignatureLen(pubk); ++ if (sigLen == 0) { ++ /* Error set by SECKEY_SignatureLen */ ++ return sigLen; ++ } ++ unsigned int maxSigLen; ++ switch (pubk->keyType) { ++ case rsaKey: ++ case rsaPssKey: ++ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8; ++ break; ++ case dsaKey: ++ maxSigLen = DSA_MAX_SIGNATURE_LEN; ++ break; ++ case ecKey: ++ maxSigLen = 2 * MAX_ECKEY_LEN; ++ break; ++ default: ++ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); ++ return 0; ++ } ++ if (sigLen > maxSigLen) { ++ PORT_SetError(SEC_ERROR_INVALID_KEY); ++ return 0; ++ } ++ return sigLen; ++} ++ + /* + * decode the ECDSA or DSA signature from it's DER wrapping. + * The unwrapped/raw signature is placed in the buffer pointed +@@ -174,38 +205,38 @@ decodeECorDSASignature(SECOidTag algid, + unsigned int len) + { + SECItem *dsasig = NULL; /* also used for ECDSA */ +- SECStatus rv = SECSuccess; + +- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) && +- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { +- if (sig->len != len) { +- PORT_SetError(SEC_ERROR_BAD_DER); +- return SECFailure; ++ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */ ++ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) { ++ if (len > DSA_MAX_SIGNATURE_LEN) { ++ goto loser; + } +- +- PORT_Memcpy(dsig, sig->data, sig->len); +- return SECSuccess; +- } +- +- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { ++ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { + if (len > MAX_ECKEY_LEN * 2) { +- PORT_SetError(SEC_ERROR_BAD_DER); +- return SECFailure; ++ goto loser; + } +- } +- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); +- +- if ((dsasig == NULL) || (dsasig->len != len)) { +- rv = SECFailure; + } else { +- PORT_Memcpy(dsig, dsasig->data, dsasig->len); ++ goto loser; + } + +- if (dsasig != NULL) ++ /* Decode and pad to length */ ++ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); ++ if (dsasig == NULL) { ++ goto loser; ++ } ++ if (dsasig->len != len) { + SECITEM_FreeItem(dsasig, PR_TRUE); +- if (rv == SECFailure) +- PORT_SetError(SEC_ERROR_BAD_DER); +- return rv; ++ goto loser; ++ } ++ ++ PORT_Memcpy(dsig, dsasig->data, len); ++ SECITEM_FreeItem(dsasig, PR_TRUE); ++ ++ return SECSuccess; ++ ++loser: ++ PORT_SetError(SEC_ERROR_BAD_DER); ++ return SECFailure; + } + + const SEC_ASN1Template hashParameterTemplate[] = +@@ -231,7 +262,7 @@ SECStatus + sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, + const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg) + { +- int len; ++ unsigned int len; + PLArenaPool *arena; + SECStatus rv; + SECItem oid; +@@ -458,48 +489,52 @@ vfy_CreateContext(const SECKEYPublicKey + cx->pkcs1RSADigestInfo = NULL; + rv = SECSuccess; + if (sig) { +- switch (type) { +- case rsaKey: +- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, +- &cx->pkcs1RSADigestInfo, +- &cx->pkcs1RSADigestInfoLen, +- cx->key, +- sig, wincx); +- break; +- case rsaPssKey: +- sigLen = SECKEY_SignatureLen(key); +- if (sigLen == 0) { +- /* error set by SECKEY_SignatureLen */ +- rv = SECFailure; ++ rv = SECFailure; ++ if (type == rsaKey) { ++ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, ++ &cx->pkcs1RSADigestInfo, ++ &cx->pkcs1RSADigestInfoLen, ++ cx->key, ++ sig, wincx); ++ } else { ++ sigLen = checkedSignatureLen(key); ++ /* Check signature length is within limits */ ++ if (sigLen == 0) { ++ /* error set by checkedSignatureLen */ ++ rv = SECFailure; ++ goto loser; ++ } ++ if (sigLen > sizeof(cx->u)) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ rv = SECFailure; ++ goto loser; ++ } ++ switch (type) { ++ case rsaPssKey: ++ if (sig->len != sigLen) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ rv = SECFailure; ++ goto loser; ++ } ++ PORT_Memcpy(cx->u.buffer, sig->data, sigLen); ++ rv = SECSuccess; + break; +- } +- if (sig->len != sigLen) { +- PORT_SetError(SEC_ERROR_BAD_SIGNATURE); +- rv = SECFailure; ++ case ecKey: ++ case dsaKey: ++ /* decodeECorDSASignature will check sigLen == sig->len after padding */ ++ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); + break; +- } +- PORT_Memcpy(cx->u.buffer, sig->data, sigLen); +- break; +- case dsaKey: +- case ecKey: +- sigLen = SECKEY_SignatureLen(key); +- if (sigLen == 0) { +- /* error set by SECKEY_SignatureLen */ ++ default: ++ /* Unreachable */ + rv = SECFailure; +- break; +- } +- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); +- break; +- default: +- rv = SECFailure; +- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); +- break; ++ goto loser; ++ } ++ } ++ if (rv != SECSuccess) { ++ goto loser; + } + } + +- if (rv) +- goto loser; +- + /* check hash alg again, RSA may have changed it.*/ + if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) { + /* error set by HASH_GetHashTypeByOidTag */ +@@ -634,11 +669,16 @@ VFY_EndWithSignature(VFYContext *cx, SEC + switch (cx->key->keyType) { + case ecKey: + case dsaKey: +- dsasig.data = cx->u.buffer; +- dsasig.len = SECKEY_SignatureLen(cx->key); ++ dsasig.len = checkedSignatureLen(cx->key); + if (dsasig.len == 0) { + return SECFailure; + } ++ if (dsasig.len > sizeof(cx->u)) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ return SECFailure; ++ } ++ dsasig.data = cx->u.buffer; ++ + if (sig) { + rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data, + dsasig.len); +@@ -667,8 +698,13 @@ + } + + rsasig.data = cx->u.buffer; +- rsasig.len = SECKEY_SignatureLen(cx->key); ++ rsasig.len = checkedSignatureLen(cx->key); + if (rsasig.len == 0) { ++ /* Error set by checkedSignatureLen */ ++ return SECFailure; ++ } ++ if (rsasig.len > sizeof(cx->u)) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + if (sig) { +@@ -743,7 +788,6 @@ vfy_VerifyDigest(const SECItem *digest, + SECStatus rv; + VFYContext *cx; + SECItem dsasig; /* also used for ECDSA */ +- + rv = SECFailure; + + cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx); +@@ -751,19 +795,25 @@ vfy_VerifyDigest(const SECItem *digest, + switch (key->keyType) { + case rsaKey: + rv = verifyPKCS1DigestInfo(cx, digest); ++ /* Error (if any) set by verifyPKCS1DigestInfo */ + break; +- case dsaKey: + case ecKey: ++ case dsaKey: + dsasig.data = cx->u.buffer; +- dsasig.len = SECKEY_SignatureLen(cx->key); ++ dsasig.len = checkedSignatureLen(cx->key); + if (dsasig.len == 0) { ++ /* Error set by checkedSignatureLen */ ++ rv = SECFailure; + break; + } +- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) != +- SECSuccess) { ++ if (dsasig.len > sizeof(cx->u)) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ rv = SECFailure; ++ break; ++ } ++ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx); ++ if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); +- } else { +- rv = SECSuccess; + } + break; + default: diff --git a/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch new file mode 100644 index 0000000000..cccb73187d --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch @@ -0,0 +1,63 @@ +# HG changeset patch +# User John M. Schanck <jschanck@mozilla.com> +# Date 1633990165 0 +# Node ID 7ff99e71f3e37faed12bc3cc90a3eed27e3418d0 +# Parent f80fafd04cf82b4d315c8fe42bb4639703f6ee4f +Bug 1735028 - check for missing signedData field r=keeler + +Differential Revision: https://phabricator.services.mozilla.com/D128112 + +Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/raw-rev/7ff99e71f3e37faed12bc3cc90a3eed27e3418d0] +CVE: CVE-2022-22747 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +diff --git a/nss/gtests/certdb_gtest/decode_certs_unittest.cc b/nss/gtests/certdb_gtest/decode_certs_unittest.cc +--- a/nss/gtests/certdb_gtest/decode_certs_unittest.cc ++++ b/nss/gtests/certdb_gtest/decode_certs_unittest.cc +@@ -21,8 +21,21 @@ TEST_F(DecodeCertsTest, EmptyCertPackage + unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02, + 0x05, 0xa0, 0x02, 0x30, 0x00}; + EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage( + reinterpret_cast<char*>(emptyCertPackage), + sizeof(emptyCertPackage))); + EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError()); + } ++ ++TEST_F(DecodeCertsTest, EmptySignedData) { ++ // This represents a PKCS#7 ContentInfo of contentType ++ // 1.2.840.113549.1.7.2 (signedData) with missing content. ++ unsigned char emptySignedData[] = {0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, ++ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, ++ 0x02, 0x00, 0x00, 0x05, 0x00}; ++ ++ EXPECT_EQ(nullptr, ++ CERT_DecodeCertFromPackage(reinterpret_cast<char*>(emptySignedData), ++ sizeof(emptySignedData))); ++ EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError()); ++} +diff --git a/nss/lib/pkcs7/certread.c b/nss/lib/pkcs7/certread.c +--- a/nss/lib/pkcs7/certread.c ++++ b/nss/lib/pkcs7/certread.c +@@ -134,16 +134,21 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, C + pkcs7Item) != SECSuccess) { + goto done; + } + + if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) { + goto done; + } + ++ if (contentInfo.content.signedData == NULL) { ++ PORT_SetError(SEC_ERROR_BAD_DER); ++ goto done; ++ } ++ + rv = SECSuccess; + + certs = contentInfo.content.signedData->certificates; + if (certs) { + count = 0; + + while (*certs) { + count++; diff --git a/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch b/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch new file mode 100644 index 0000000000..ec3b4a092a --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch @@ -0,0 +1,124 @@ + +# HG changeset patch +# User John M. Schanck <jschanck@mozilla.com> +# Date 1675974326 0 +# Node ID 62f6b3e9024dd72ba3af9ce23848d7573b934f18 +# Parent 52b4b7d3d3ebdb25fbf2cf1c101bfad3721680f4 +Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. r=rrelyea + +Differential Revision: https://phabricator.services.mozilla.com/D167443 + +CVE: CVE-2023-0767 +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/nss/2:3.35-2ubuntu2.16/nss_3.35-2ubuntu2.16.debian.tar.xz] +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +diff --git a/nss/lib/pkcs12/p12d.c b/nss/lib/pkcs12/p12d.c +--- a/nss/lib/pkcs12/p12d.c ++++ b/nss/lib/pkcs12/p12d.c +@@ -332,41 +332,48 @@ sec_pkcs12_decoder_safe_bag_update(void + unsigned long len, int depth, + SEC_ASN1EncodingPart data_kind) + { + sec_PKCS12SafeContentsContext *safeContentsCtx = + (sec_PKCS12SafeContentsContext *)arg; + SEC_PKCS12DecoderContext *p12dcx; + SECStatus rv; + +- /* make sure that we are not skipping the current safeBag, +- * and that there are no errors. If so, just return rather +- * than continuing to process. +- */ +- if (!safeContentsCtx || !safeContentsCtx->p12dcx || +- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) { + return; + } + p12dcx = safeContentsCtx->p12dcx; + ++ /* make sure that there are no errors and we are not skipping the current safeBag */ ++ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ goto loser; ++ } ++ + rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len); + if (rv != SECSuccess) { + p12dcx->errorValue = PORT_GetError(); ++ p12dcx->error = PR_TRUE; ++ goto loser; ++ } ++ ++ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we ++ * may not get another opportunity to clean up the decoder context. ++ */ ++ if (safeContentsCtx->skipCurrentSafeBag) { + goto loser; + } + + return; + + loser: +- /* set the error, and finish the decoder context. because there ++ /* Finish the decoder context. Because there + * is not a way of returning an error message, it may be worth + * while to do a check higher up and finish any decoding contexts + * that are still open. + */ +- p12dcx->error = PR_TRUE; + SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx); + safeContentsCtx->currentSafeBagA1Dcx = NULL; + return; + } + + /* notify function for decoding safeBags. This function is + * used to filter safeBag types which are not supported, + * initiate the decoding of nested safe contents, and decode +diff --git a/nss/lib/pkcs12/p12t.h b/nss/lib/pkcs12/p12t.h +--- a/nss/lib/pkcs12/p12t.h ++++ b/nss/lib/pkcs12/p12t.h +@@ -68,16 +68,17 @@ struct sec_PKCS12SafeBagStr { + /* Dependent upon the type of bag being used. */ + union { + SECKEYPrivateKeyInfo *pkcs8KeyBag; + SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag; + sec_PKCS12CertBag *certBag; + sec_PKCS12CRLBag *crlBag; + sec_PKCS12SecretBag *secretBag; + sec_PKCS12SafeContents *safeContents; ++ SECItem *unknownBag; + } safeBagContent; + + sec_PKCS12Attribute **attribs; + + /* used locally */ + SECOidData *bagTypeTag; + PLArenaPool *arena; + unsigned int nAttribs; +diff --git a/nss/lib/pkcs12/p12tmpl.c b/nss/lib/pkcs12/p12tmpl.c +--- a/nss/lib/pkcs12/p12tmpl.c ++++ b/nss/lib/pkcs12/p12tmpl.c +@@ -25,22 +25,22 @@ sec_pkcs12_choose_safe_bag_type(void *sr + if (src_or_dest == NULL) { + return NULL; + } + + safeBag = (sec_PKCS12SafeBag *)src_or_dest; + + oiddata = SECOID_FindOID(&safeBag->safeBagType); + if (oiddata == NULL) { +- return SEC_ASN1_GET(SEC_AnyTemplate); ++ return SEC_ASN1_GET(SEC_PointerToAnyTemplate); + } + + switch (oiddata->offset) { + default: +- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); ++ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate); + break; + case SEC_OID_PKCS12_V1_KEY_BAG_ID: + theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate); + break; + case SEC_OID_PKCS12_V1_CERT_BAG_ID: + theTemplate = sec_PKCS12PointerToCertBagTemplate; + break; + case SEC_OID_PKCS12_V1_CRL_BAG_ID: + diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb index c00bd34cb2..af842ee67c 100644 --- a/meta-oe/recipes-support/nss/nss_3.51.1.bb +++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb @@ -35,6 +35,16 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO file://riscv.patch \ file://0001-Enable-uint128-on-mips64.patch \ file://0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch \ + file://CVE-2020-12401.patch \ + file://CVE-2020-6829_12400.patch \ + file://CVE-2020-12403_1.patch \ + file://CVE-2020-12403_2.patch \ + file://CVE-2020-25648.patch \ + file://CVE-2021-43527.patch \ + file://CVE-2022-22747.patch \ + file://CVE-2023-0767.patch \ + file://0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch;patchdir=nss \ + file://0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch;patchdir=nss \ " SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233" @@ -54,6 +64,8 @@ TUNE_CCARGS_remove = "-mcpu=cortex-a55+crc -mcpu=cortex-a55 -mcpu=cortex-a55+crc TARGET_CC_ARCH += "${LDFLAGS}" +CFLAGS_append_class-native = " -D_XOPEN_SOURCE " + do_configure_prepend_libc-musl () { sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk } @@ -61,7 +73,6 @@ do_configure_prepend_libc-musl () { do_compile_prepend_class-native() { export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE} - export NSS_ENABLE_WERROR=0 } do_compile_prepend_class-nativesdk() { @@ -80,6 +91,11 @@ do_compile() { export NATIVE_CC="${BUILD_CC}" # Additional defines needed on Centos 7 export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux" + + # POSIX.1-2001 states that the behaviour of getcwd() when passing a null + # pointer as the buf argument, is unspecified. + export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC" + export BUILD_OPT=1 export FREEBL_NO_DEPEND=1 @@ -278,3 +294,12 @@ FILES_${PN}-dev = "\ RDEPENDS_${PN}-smime = "perl" BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT += "network_security_services" + +# CVE-2006-5201 affects only Sun Solaris +CVE_CHECK_WHITELIST += "CVE-2006-5201" + +# CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect +# the legacy db (libnssdbm), only compiled with --enable-legacy-db. +CVE_CHECK_WHITELIST += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698" diff --git a/meta-oe/recipes-support/numactl/numactl_git.bb b/meta-oe/recipes-support/numactl/numactl_git.bb index 20b7fed862..af082237c3 100644 --- a/meta-oe/recipes-support/numactl/numactl_git.bb +++ b/meta-oe/recipes-support/numactl/numactl_git.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://README.md;beginline=19;endline=32;md5=f8ff2391624f28e SRCREV = "5d9f16722e3df49dc618a9f361bd482559695db7" PV = "2.0.13+git${SRCPV}" -SRC_URI = "git://github.com/numactl/numactl \ +SRC_URI = "git://github.com/numactl/numactl;branch=master;protocol=https \ file://Fix-the-test-output-format.patch \ file://Makefile \ file://run-ptest \ diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch new file mode 100644 index 0000000000..38daa05817 --- /dev/null +++ b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch @@ -0,0 +1,35 @@ +From 7f3cced1e140ed36c6f8f66d7f4098323b0463b2 Mon Sep 17 00:00:00 2001 +From: Katy Feng <fkaty@vmware.com> +Date: Fri, 25 Aug 2023 11:58:48 -0700 +Subject: [PATCH] Allow only X509 certs to verify the SAML token signature. + +Upstream-Status: Backport from https://github.com/vmware/open-vm-tools/commit/74b6d0d9000eda1a2c8f31c40c725fb0b8520b16 +CVE: CVE-2023-20900 +Signed-off-by: Priyal Doshi <pdoshi@mvista.com> +--- + open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +index 2906d29..57db3b8 100644 +--- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c ++++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c +@@ -1275,7 +1275,14 @@ VerifySignature(xmlDocPtr doc, + */ + bRet = RegisterID(xmlDocGetRootElement(doc), "ID"); + if (bRet == FALSE) { +- g_warning("failed to register ID\n"); ++ g_warning("Failed to register ID\n"); ++ goto done; ++ } ++ ++ /* Use only X509 certs to validate the signature */ ++ if (xmlSecPtrListAdd(&(dsigCtx->keyInfoReadCtx.enabledKeyData), ++ BAD_CAST xmlSecKeyDataX509Id) < 0) { ++ g_warning("Failed to limit allowed key data\n"); + goto done; + } + +-- +2.7.4 + diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch new file mode 100644 index 0000000000..1c6657ae9f --- /dev/null +++ b/meta-oe/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch @@ -0,0 +1,39 @@ +From d16eda269413bdb04e85c242fa28db264697c45f Mon Sep 17 00:00:00 2001 +From: John Wolfe <jwolfe@vmware.com> +Date: Sun, 21 Aug 2022 07:56:49 -0700 +Subject: [PATCH] Properly check authorization on incoming guestOps requests. + +Fix public pipe request checks. Only a SessionRequest type should +be accepted on the public pipe. + +Upstream-Status: Backport from https://github.com/vmware/open-vm-tools/commit/70a74758bfe0042c27f15ce590fb21a2bc54d745 +CVE: CVE-2022-31676 +Signed-off-by: Priyal Doshi <pdoshi@mvista.com> +--- + open-vm-tools/vgauth/serviceImpl/proto.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/open-vm-tools/vgauth/serviceImpl/proto.c b/open-vm-tools/vgauth/serviceImpl/proto.c +index f097fb6..0ebaa7b 100644 +--- a/open-vm-tools/vgauth/serviceImpl/proto.c ++++ b/open-vm-tools/vgauth/serviceImpl/proto.c +@@ -1,5 +1,5 @@ + /********************************************************* +- * Copyright (C) 2011-2016,2019 VMware, Inc. All rights reserved. ++ * Copyright (C) 2011-2016,2019-2022 VMware, Inc. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published +@@ -1202,6 +1202,10 @@ Proto_SecurityCheckRequest(ServiceConnection *conn, + VGAuthError err; + gboolean isSecure = ServiceNetworkIsConnectionPrivateSuperUser(conn); + ++ if (conn->isPublic && req->reqType != PROTO_REQUEST_SESSION_REQ) { ++ return VGAUTH_E_PERMISSION_DENIED; ++ } ++ + switch (req->reqType) { + /* + * This comes over the public connection; alwsys let it through. +-- +2.7.4 diff --git a/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb b/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb index 34a81d21f0..e3b15e35b6 100644 --- a/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb +++ b/meta-oe/recipes-support/open-vm-tools/open-vm-tools_11.0.1.bb @@ -21,7 +21,7 @@ LICENSE_modules/freebsd/vmxnet = "GPL-2.0" LICENSE_modules/linux = "GPL-2.0" LICENSE_modules/solaris = "CDDL-1.0" -SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https \ +SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https;branch=master \ file://tools.conf \ file://vmtoolsd.service \ file://vmtoolsd.init \ @@ -43,6 +43,8 @@ SRC_URI = "git://github.com/vmware/open-vm-tools.git;protocol=https \ file://0002-hgfsServerLinux-Consider-64bit-time_t-possibility.patch;patchdir=.. \ file://0001-utilBacktrace-Ignore-Warray-bounds.patch;patchdir=.. \ file://0001-hgfsmounter-Makefile.am-support-usrmerge.patch;patchdir=.. \ + file://0001-Properly-check-authorization-on-incoming-guestOps-re.patch;patchdir=.. \ + file://0001-Allow-only-X509-certs-to-verify-the-SAML-token-signa.patch;patchdir=.. \ " SRCREV = "d3edfd142a81096f9f58aff17d84219b457f4987" diff --git a/meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb b/meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb index 9fd88ced95..831b15a455 100644 --- a/meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb +++ b/meta-oe/recipes-support/opencl/clinfo_2.2.18.04.06.bb @@ -7,7 +7,7 @@ HOMEPAGE = "https://github.com/Oblomov/clinfo" LICENSE = "CC0-1.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=fd8857f774dfb0eefe1e80c8f9240a7e" -SRC_URI = "git://github.com/Oblomov/clinfo.git;protocol=https" +SRC_URI = "git://github.com/Oblomov/clinfo.git;protocol=https;branch=master" SRCREV = "59d0daf898e48d76ccbb788acbba258fa0a8ba7c" diff --git a/meta-oe/recipes-support/opencv/ade_0.1.1f.bb b/meta-oe/recipes-support/opencv/ade_0.1.1f.bb index 3861802158..7e9bbc31c9 100644 --- a/meta-oe/recipes-support/opencv/ade_0.1.1f.bb +++ b/meta-oe/recipes-support/opencv/ade_0.1.1f.bb @@ -4,7 +4,7 @@ and processing framework. ADE Framework is suitable for \ organizing data flow processing and execution." HOMEPAGE = "https://github.com/opencv/ade" -SRC_URI = "git://github.com/opencv/ade.git \ +SRC_URI = "git://github.com/opencv/ade.git;branch=master;protocol=https \ file://0001-use-GNUInstallDirs-for-detecting-install-paths.patch \ " diff --git a/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch b/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch index 5f909c1a8f..896d6ce9dc 100644 --- a/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch +++ b/meta-oe/recipes-support/opencv/opencv/0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch @@ -1,4 +1,4 @@ -From 85b882b4ceb57fe6538f47af58d0a970923fde0e Mon Sep 17 00:00:00 2001 +From 806de12b95a69572fffea8eb49b4ec3fb722b65f Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com> Date: Thu, 31 Mar 2016 00:20:15 +0200 Subject: [PATCH] 3rdparty/ippicv: Use pre-downloaded ipp @@ -11,7 +11,7 @@ Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/3rdparty/ippicv/ippicv.cmake b/3rdparty/ippicv/ippicv.cmake -index ae8748c..305abdb 100644 +index ae8748c283..305abdb58d 100644 --- a/3rdparty/ippicv/ippicv.cmake +++ b/3rdparty/ippicv/ippicv.cmake @@ -39,18 +39,5 @@ function(download_ippicv root_var) diff --git a/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch b/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch index 40d3f53e1a..a899b7e9a4 100644 --- a/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch +++ b/meta-oe/recipes-support/opencv/opencv/0001-Dont-use-isystem.patch @@ -1,4 +1,4 @@ -From 9659f5a1e75fc29c9879c301767bba72ecf9042a Mon Sep 17 00:00:00 2001 +From b34a6e8d4582aa13ad4cd58547d8e0f0a0f1c6a6 Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Tue, 11 Sep 2018 00:21:18 -0700 Subject: [PATCH] Dont use isystem @@ -14,7 +14,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> 1 file changed, 2 insertions(+) diff --git a/cmake/OpenCVPCHSupport.cmake b/cmake/OpenCVPCHSupport.cmake -index 59bc826..055dfce 100644 +index 59bc826ed0..055dfce251 100644 --- a/cmake/OpenCVPCHSupport.cmake +++ b/cmake/OpenCVPCHSupport.cmake @@ -18,6 +18,8 @@ IF(CV_GCC) diff --git a/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch b/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch index f8ccd1d558..26041e09fb 100644 --- a/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch +++ b/meta-oe/recipes-support/opencv/opencv/0001-Temporarliy-work-around-deprecated-ffmpeg-RAW-functi.patch @@ -1,4 +1,4 @@ -From fe27d0e2341683606704115949d16250e4cacbfa Mon Sep 17 00:00:00 2001 +From 23425e45f6e26f2b1e387b88e104872b3a1ea5d1 Mon Sep 17 00:00:00 2001 From: Jason Wessel <jason.wessel@windriver.com> Date: Wed, 9 May 2018 13:33:59 -0700 Subject: [PATCH] Temporarliy work around deprecated ffmpeg RAW function @@ -11,7 +11,7 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com> 1 file changed, 8 insertions(+) diff --git a/modules/videoio/src/cap_ffmpeg_impl.hpp b/modules/videoio/src/cap_ffmpeg_impl.hpp -index 0d360ad..566df66 100644 +index 0d360ad5d9..566df6664b 100644 --- a/modules/videoio/src/cap_ffmpeg_impl.hpp +++ b/modules/videoio/src/cap_ffmpeg_impl.hpp @@ -736,6 +736,14 @@ struct ImplMutex::Impl diff --git a/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch b/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch index 43d32fbc75..df5bd67460 100644 --- a/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch +++ b/meta-oe/recipes-support/opencv/opencv/0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch @@ -1,13 +1,15 @@ -From 1edc925ecd7fb54d2dc78452069084475fbe2a70 Mon Sep 17 00:00:00 2001 +From d9bdafa95f329f33d829d89a2e51adaf833768cc Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Thu, 16 Jan 2020 08:52:00 -0800 -Subject: [PATCH] carotene: Replace ipcp-unit-growth with ipa-cp-unit-growth on gcc >= 10 +Subject: [PATCH] carotene: Replace ipcp-unit-growth with ipa-cp-unit-growth on + gcc >= 10 gcc 10+ has renamed this option, therefore check for gcc version before deciding which name to use for opt parameter Upstream-Status: Submitted [https://github.com/opencv/opencv/pull/16369] Signed-off-by: Khem Raj <raj.khem@gmail.com> + --- 3rdparty/carotene/CMakeLists.txt | 8 ++++++-- 3rdparty/carotene/hal/CMakeLists.txt | 7 ++++++- @@ -50,6 +52,3 @@ index c4b9acaedd..bbc5b11a80 100644 # set_source_files_properties(impl.cpp $<TARGET_OBJECTS:carotene_objs> COMPILE_FLAGS "--param ipcp-unit-growth=100000 --param inline-unit-growth=100000 --param large-stack-frame-growth=5000") endif() --- -2.25.0 - diff --git a/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch b/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch index 46198fb7be..3dd63829e5 100644 --- a/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch +++ b/meta-oe/recipes-support/opencv/opencv/0002-Make-opencv-ts-create-share-library-intead-of-static.patch @@ -1,4 +1,4 @@ -From 46ffa1f8f443b71673774fcb864eb741bbc26200 Mon Sep 17 00:00:00 2001 +From 6a490df70aadc43ed4f503452c278e334716826d Mon Sep 17 00:00:00 2001 From: Bian Naimeng <biannm@cn.fujitsu.com> Date: Wed, 19 Apr 2017 03:11:37 +0900 Subject: [PATCH] Make opencv-ts create share library intead of static. @@ -10,7 +10,7 @@ Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ts/CMakeLists.txt b/modules/ts/CMakeLists.txt -index f95bed0..ee67858 100644 +index f95bed0793..ee67858df8 100644 --- a/modules/ts/CMakeLists.txt +++ b/modules/ts/CMakeLists.txt @@ -4,7 +4,7 @@ if(NOT BUILD_opencv_ts AND NOT BUILD_TESTS AND NOT BUILD_PERF_TESTS) diff --git a/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch b/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch index 336c2e08e6..77571ead98 100644 --- a/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch +++ b/meta-oe/recipes-support/opencv/opencv/0003-To-fix-errors-as-following.patch @@ -1,4 +1,4 @@ -From 867caccc358266f7021f076fc8c8e41bf048782c Mon Sep 17 00:00:00 2001 +From b3dc5478cb0d2d2b617dc6c5e28d59559edadf36 Mon Sep 17 00:00:00 2001 From: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> Date: Fri, 19 May 2017 04:27:50 +0900 Subject: [PATCH] To fix errors as following: @@ -21,7 +21,7 @@ Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com> 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/ts/include/opencv2/ts.hpp b/modules/ts/include/opencv2/ts.hpp -index b9d6b74..f1ee7ee 100644 +index b9d6b74ffc..f1ee7ee429 100644 --- a/modules/ts/include/opencv2/ts.hpp +++ b/modules/ts/include/opencv2/ts.hpp @@ -622,7 +622,7 @@ protected: @@ -43,7 +43,7 @@ index b9d6b74..f1ee7ee 100644 #define CV_TEST_INIT0_NOOP (void)0 diff --git a/modules/ts/include/opencv2/ts/ocl_test.hpp b/modules/ts/include/opencv2/ts/ocl_test.hpp -index 11572e9..438112e 100644 +index 11572e9f48..438112e2aa 100644 --- a/modules/ts/include/opencv2/ts/ocl_test.hpp +++ b/modules/ts/include/opencv2/ts/ocl_test.hpp @@ -82,7 +82,7 @@ inline UMat ToUMat(InputArray src) @@ -56,7 +56,7 @@ index 11572e9..438112e 100644 #define MAX_VALUE 357 diff --git a/modules/ts/include/opencv2/ts/ts_ext.hpp b/modules/ts/include/opencv2/ts/ts_ext.hpp -index b5cea3e..e5b0b4b 100644 +index b5cea3e46d..e5b0b4ba8c 100644 --- a/modules/ts/include/opencv2/ts/ts_ext.hpp +++ b/modules/ts/include/opencv2/ts/ts_ext.hpp @@ -9,7 +9,7 @@ diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch new file mode 100644 index 0000000000..54a553fb38 --- /dev/null +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-14491.patch @@ -0,0 +1,148 @@ +From 5a9628c134a7314e10ea0bcc4e789c935251a7f5 Mon Sep 17 00:00:00 2001 +From: Alexander Alekhin <alexander.alekhin@intel.com> +Date: Thu, 25 Jul 2019 17:15:59 +0300 +Subject: [PATCH] objdetect: validate feature rectangle on reading + +CVE: CVE-2019-14491 +CVE: CVE-2019-14492 +Upstream-Status: Backport [https://github.com/opencv/opencv/commit/ac425f67e4c1d0da9afb9203f0918d8d57c067ed.patch] +Comment: No changes in any hunk + +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> + +--- + modules/objdetect/src/cascadedetect.cpp | 43 +++++++++++++++++++++---- + modules/objdetect/src/cascadedetect.hpp | 6 ++-- + 2 files changed, 40 insertions(+), 9 deletions(-) + +diff --git a/modules/objdetect/src/cascadedetect.cpp b/modules/objdetect/src/cascadedetect.cpp +index a1865e9062..b7ef04ea7b 100644 +--- a/modules/objdetect/src/cascadedetect.cpp ++++ b/modules/objdetect/src/cascadedetect.cpp +@@ -46,6 +46,10 @@ + #include "cascadedetect.hpp" + #include "opencl_kernels_objdetect.hpp" + ++#if defined(_MSC_VER) ++# pragma warning(disable:4458) // declaration of 'origWinSize' hides class member ++#endif ++ + namespace cv + { + +@@ -536,7 +540,7 @@ bool FeatureEvaluator::setImage( InputArray _image, const std::vector<float>& _s + + //---------------------------------------------- HaarEvaluator --------------------------------------- + +-bool HaarEvaluator::Feature :: read( const FileNode& node ) ++bool HaarEvaluator::Feature::read(const FileNode& node, const Size& origWinSize) + { + FileNode rnode = node[CC_RECTS]; + FileNodeIterator it = rnode.begin(), it_end = rnode.end(); +@@ -548,11 +552,23 @@ bool HaarEvaluator::Feature :: read( const FileNode& node ) + rect[ri].weight = 0.f; + } + ++ const int W = origWinSize.width; ++ const int H = origWinSize.height; ++ + for(ri = 0; it != it_end; ++it, ri++) + { + FileNodeIterator it2 = (*it).begin(); +- it2 >> rect[ri].r.x >> rect[ri].r.y >> +- rect[ri].r.width >> rect[ri].r.height >> rect[ri].weight; ++ Feature::RectWeigth& rw = rect[ri]; ++ it2 >> rw.r.x >> rw.r.y >> rw.r.width >> rw.r.height >> rw.weight; ++ // input validation ++ { ++ CV_CheckGE(rw.r.x, 0, "Invalid HAAR feature"); ++ CV_CheckGE(rw.r.y, 0, "Invalid HAAR feature"); ++ CV_CheckLT(rw.r.x, W, "Invalid HAAR feature"); // necessary for overflow checks ++ CV_CheckLT(rw.r.y, H, "Invalid HAAR feature"); // necessary for overflow checks ++ CV_CheckLE(rw.r.x + rw.r.width, W, "Invalid HAAR feature"); ++ CV_CheckLE(rw.r.y + rw.r.height, H, "Invalid HAAR feature"); ++ } + } + + tilted = (int)node[CC_TILTED] != 0; +@@ -597,7 +613,7 @@ bool HaarEvaluator::read(const FileNode& node, Size _origWinSize) + + for(i = 0; i < n; i++, ++it) + { +- if(!ff[i].read(*it)) ++ if(!ff[i].read(*it, _origWinSize)) + return false; + if( ff[i].tilted ) + hasTiltedFeatures = true; +@@ -758,11 +774,24 @@ int HaarEvaluator::getSquaresOffset() const + } + + //---------------------------------------------- LBPEvaluator ------------------------------------- +-bool LBPEvaluator::Feature :: read(const FileNode& node ) ++bool LBPEvaluator::Feature::read(const FileNode& node, const Size& origWinSize) + { + FileNode rnode = node[CC_RECT]; + FileNodeIterator it = rnode.begin(); + it >> rect.x >> rect.y >> rect.width >> rect.height; ++ ++ const int W = origWinSize.width; ++ const int H = origWinSize.height; ++ // input validation ++ { ++ CV_CheckGE(rect.x, 0, "Invalid LBP feature"); ++ CV_CheckGE(rect.y, 0, "Invalid LBP feature"); ++ CV_CheckLT(rect.x, W, "Invalid LBP feature"); ++ CV_CheckLT(rect.y, H, "Invalid LBP feature"); ++ CV_CheckLE(rect.x + rect.width, W, "Invalid LBP feature"); ++ CV_CheckLE(rect.y + rect.height, H, "Invalid LBP feature"); ++ } ++ + return true; + } + +@@ -796,7 +825,7 @@ bool LBPEvaluator::read( const FileNode& node, Size _origWinSize ) + std::vector<Feature>& ff = *features; + for(int i = 0; it != it_end; ++it, i++) + { +- if(!ff[i].read(*it)) ++ if(!ff[i].read(*it, _origWinSize)) + return false; + } + nchannels = 1; +@@ -1441,6 +1470,8 @@ bool CascadeClassifierImpl::Data::read(const FileNode &root) + origWinSize.width = (int)root[CC_WIDTH]; + origWinSize.height = (int)root[CC_HEIGHT]; + CV_Assert( origWinSize.height > 0 && origWinSize.width > 0 ); ++ CV_CheckLE(origWinSize.width, 1000000, "Invalid window size (too large)"); ++ CV_CheckLE(origWinSize.height, 1000000, "Invalid window size (too large)"); + + // load feature params + FileNode fn = root[CC_FEATURE_PARAMS]; +diff --git a/modules/objdetect/src/cascadedetect.hpp b/modules/objdetect/src/cascadedetect.hpp +index a011ed4804..ffc03af841 100644 +--- a/modules/objdetect/src/cascadedetect.hpp ++++ b/modules/objdetect/src/cascadedetect.hpp +@@ -317,12 +317,12 @@ public: + struct Feature + { + Feature(); +- bool read( const FileNode& node ); ++ bool read(const FileNode& node, const Size& origWinSize); + + bool tilted; + + enum { RECT_NUM = 3 }; +- struct ++ struct RectWeigth + { + Rect r; + float weight; +@@ -412,7 +412,7 @@ public: + Feature( int x, int y, int _block_w, int _block_h ) : + rect(x, y, _block_w, _block_h) {} + +- bool read(const FileNode& node ); ++ bool read(const FileNode& node, const Size& origWinSize); + + Rect rect; // weight and height for block + }; diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch new file mode 100644 index 0000000000..37be12b500 --- /dev/null +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-14493.patch @@ -0,0 +1,237 @@ +From 0d88c87ed94e89af490c3d882597e034422aa4a5 Mon Sep 17 00:00:00 2001 +From: Alexander Alekhin <alexander.alekhin@intel.com> +Date: Thu, 25 Jul 2019 15:14:22 +0300 +Subject: [PATCH] core(persistence): added null ptr checks + +CVE: CVE-2019-14493 +Upstream-Status: Backport [https://github.com/opencv/opencv/commit/5691d998ead1d9b0542bcfced36c2dceb3a59023.patch] +Comment: No changes in any hunk + +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> + +--- + modules/core/src/persistence_json.cpp | 12 ++++++++++++ + modules/core/src/persistence_xml.cpp | 21 +++++++++++++++++++++ + modules/core/src/persistence_yml.cpp | 21 +++++++++++++++++++++ + 3 files changed, 54 insertions(+) + +diff --git a/modules/core/src/persistence_json.cpp b/modules/core/src/persistence_json.cpp +index ae678e1b8b..89914e6534 100644 +--- a/modules/core/src/persistence_json.cpp ++++ b/modules/core/src/persistence_json.cpp +@@ -296,6 +296,8 @@ public: + + while ( is_eof == false && is_completed == false ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + switch ( *ptr ) + { + /* comment */ +@@ -381,6 +383,7 @@ public: + if ( is_eof || !is_completed ) + { + ptr = fs->bufferStart(); ++ CV_Assert(ptr); + *ptr = '\0'; + fs->setEof(); + if( !is_completed ) +@@ -392,6 +395,9 @@ public: + + char* parseKey( char* ptr, FileNode& collection, FileNode& value_placeholder ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + if( *ptr != '"' ) + CV_PARSE_ERROR_CPP( "Key must start with \'\"\'" ); + +@@ -430,6 +436,9 @@ public: + + char* parseValue( char* ptr, FileNode& node ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid value input"); ++ + ptr = skipSpaces( ptr ); + if( !ptr || !*ptr ) + CV_PARSE_ERROR_CPP( "Unexpected End-Of-File" ); +@@ -817,6 +826,9 @@ public: + + bool parse( char* ptr ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + ptr = skipSpaces( ptr ); + if ( !ptr || !*ptr ) + return false; +diff --git a/modules/core/src/persistence_xml.cpp b/modules/core/src/persistence_xml.cpp +index fb30d90896..89876dd3da 100644 +--- a/modules/core/src/persistence_xml.cpp ++++ b/modules/core/src/persistence_xml.cpp +@@ -360,6 +360,9 @@ public: + + char* skipSpaces( char* ptr, int mode ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + int level = 0; + + for(;;) +@@ -441,6 +444,9 @@ public: + + char* parseValue( char* ptr, FileNode& node ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + FileNode new_elem; + bool have_space = true; + int value_type = node.type(); +@@ -456,6 +462,8 @@ public: + (c == '<' && ptr[1] == '!' && ptr[2] == '-') ) + { + ptr = skipSpaces( ptr, 0 ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + have_space = true; + c = *ptr; + } +@@ -502,6 +510,8 @@ public: + { + ptr = fs->parseBase64( ptr, 0, new_elem); + ptr = skipSpaces( ptr, 0 ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + } + + ptr = parseTag( ptr, key2, type_name, tag_type ); +@@ -645,6 +655,9 @@ public: + char* parseTag( char* ptr, std::string& tag_name, + std::string& type_name, int& tag_type ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid tag input"); ++ + if( *ptr == '\0' ) + CV_PARSE_ERROR_CPP( "Unexpected end of the stream" ); + +@@ -702,6 +715,8 @@ public: + if( *ptr != '=' ) + { + ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid attribute"); + if( *ptr != '=' ) + CV_PARSE_ERROR_CPP( "Attribute name should be followed by \'=\'" ); + } +@@ -740,6 +755,8 @@ public: + if( c != '>' ) + { + ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + c = *ptr; + } + +@@ -781,6 +798,8 @@ public: + + // CV_XML_INSIDE_TAG is used to prohibit leading comments + ptr = skipSpaces( ptr, CV_XML_INSIDE_TAG ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + + if( memcmp( ptr, "<?xml", 5 ) != 0 ) // FIXIT ptr[1..] - out of bounds read without check + CV_PARSE_ERROR_CPP( "Valid XML should start with \'<?xml ...?>\'" ); +@@ -791,6 +810,8 @@ public: + while( ptr && *ptr != '\0' ) + { + ptr = skipSpaces( ptr, 0 ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + + if( *ptr != '\0' ) + { +diff --git a/modules/core/src/persistence_yml.cpp b/modules/core/src/persistence_yml.cpp +index 4129ca1dc5..7742e82770 100644 +--- a/modules/core/src/persistence_yml.cpp ++++ b/modules/core/src/persistence_yml.cpp +@@ -330,6 +330,9 @@ public: + + char* skipSpaces( char* ptr, int min_indent, int max_comment_indent ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + for(;;) + { + while( *ptr == ' ' ) +@@ -374,6 +377,9 @@ public: + + bool getBase64Row(char* ptr, int indent, char* &beg, char* &end) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + beg = end = ptr = skipSpaces(ptr, 0, INT_MAX); + if (!ptr || !*ptr) + return false; // end of file +@@ -394,6 +400,9 @@ public: + + char* parseKey( char* ptr, FileNode& map_node, FileNode& value_placeholder ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + char c; + char *endptr = ptr - 1, *saveptr; + +@@ -422,6 +431,9 @@ public: + + char* parseValue( char* ptr, FileNode& node, int min_indent, bool is_parent_flow ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + char* endptr = 0; + char c = ptr[0], d = ptr[1]; + int value_type = FileNode::NONE; +@@ -508,6 +520,8 @@ public: + + *endptr = d; + ptr = skipSpaces( endptr, min_indent, INT_MAX ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + + c = *ptr; + +@@ -634,6 +648,8 @@ public: + FileNode elem; + + ptr = skipSpaces( ptr, new_min_indent, INT_MAX ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + if( *ptr == '}' || *ptr == ']' ) + { + if( *ptr != d ) +@@ -647,6 +663,8 @@ public: + if( *ptr != ',' ) + CV_PARSE_ERROR_CPP( "Missing , between the elements" ); + ptr = skipSpaces( ptr + 1, new_min_indent, INT_MAX ); ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); + } + + if( struct_type == FileNode::MAP ) +@@ -746,6 +764,9 @@ public: + + bool parse( char* ptr ) + { ++ if (!ptr) ++ CV_PARSE_ERROR_CPP("Invalid input"); ++ + bool first = true; + bool ok = true; + FileNode root_collection(fs->getFS(), 0, 0); diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch new file mode 100644 index 0000000000..ad61d7c231 --- /dev/null +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-15939.patch @@ -0,0 +1,73 @@ +From 384c5fa5f09aec5512343340fe65ccaaf83dfc48 Mon Sep 17 00:00:00 2001 +From: Alexander Alekhin <alexander.alekhin@intel.com> +Date: Fri, 23 Aug 2019 16:14:53 +0300 +Subject: [PATCH] objdetect: add input check in HOG detector + +CVE: CVE-2019-15939 +Upstream-Status: Backport [https://github.com/opencv/opencv/commit/5a497077f109d543ab86dfdf8add1c76c0e47d29.patch] +Comment: No changes in any hunk + +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> + +--- + modules/objdetect/src/hog.cpp | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/modules/objdetect/src/hog.cpp b/modules/objdetect/src/hog.cpp +index e3e43bb86e..af814658fe 100644 +--- a/modules/objdetect/src/hog.cpp ++++ b/modules/objdetect/src/hog.cpp +@@ -65,6 +65,7 @@ namespace cv + + static int numPartsWithin(int size, int part_size, int stride) + { ++ CV_Assert(stride != 0); + return (size - part_size + stride) / stride; + } + +@@ -77,13 +78,17 @@ static Size numPartsWithin(cv::Size size, cv::Size part_size, + + static size_t getBlockHistogramSize(Size block_size, Size cell_size, int nbins) + { ++ CV_Assert(!cell_size.empty()); + Size cells_per_block = Size(block_size.width / cell_size.width, +- block_size.height / cell_size.height); ++ block_size.height / cell_size.height); + return (size_t)(nbins * cells_per_block.area()); + } + + size_t HOGDescriptor::getDescriptorSize() const + { ++ CV_Assert(!cellSize.empty()); ++ CV_Assert(!blockStride.empty()); ++ + CV_Assert(blockSize.width % cellSize.width == 0 && + blockSize.height % cellSize.height == 0); + CV_Assert((winSize.width - blockSize.width) % blockStride.width == 0 && +@@ -141,20 +146,20 @@ bool HOGDescriptor::read(FileNode& obj) + if( !obj.isMap() ) + return false; + FileNodeIterator it = obj["winSize"].begin(); +- it >> winSize.width >> winSize.height; ++ it >> winSize.width >> winSize.height; CV_Assert(!winSize.empty()); + it = obj["blockSize"].begin(); +- it >> blockSize.width >> blockSize.height; ++ it >> blockSize.width >> blockSize.height; CV_Assert(!blockSize.empty()); + it = obj["blockStride"].begin(); +- it >> blockStride.width >> blockStride.height; ++ it >> blockStride.width >> blockStride.height; CV_Assert(!blockStride.empty()); + it = obj["cellSize"].begin(); +- it >> cellSize.width >> cellSize.height; +- obj["nbins"] >> nbins; ++ it >> cellSize.width >> cellSize.height; CV_Assert(!cellSize.empty()); ++ obj["nbins"] >> nbins; CV_Assert(nbins > 0); + obj["derivAperture"] >> derivAperture; + obj["winSigma"] >> winSigma; + obj["histogramNormType"] >> histogramNormType; + obj["L2HysThreshold"] >> L2HysThreshold; + obj["gammaCorrection"] >> gammaCorrection; +- obj["nlevels"] >> nlevels; ++ obj["nlevels"] >> nlevels; CV_Assert(nlevels > 0); + if (obj["signedGradient"].empty()) + signedGradient = false; + else diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch new file mode 100644 index 0000000000..3510e1eb98 --- /dev/null +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-19624.patch @@ -0,0 +1,157 @@ +From 34195a57528a3f2c807bc3eeb8c934b8ea8289bd Mon Sep 17 00:00:00 2001 +From: Thang Tran <TranKimThang279@gmail.com> +Date: Mon, 27 May 2019 08:18:26 +0200 +Subject: [PATCH] video:fixed DISOpticalFlow segfault from small img + +CVE: CVE-2019-19624 +Upstream-Status: Backport [https://github.com/opencv/opencv/commit/d1615ba11a93062b1429fce9f0f638d1572d3418.patch] +Comment: No changes in any hunk + +Signed-off-by: Neetika Singh <Neetika.Singh@kpit.com> + +--- + modules/video/src/dis_flow.cpp | 67 ++++++++++++++++++++++++- + modules/video/test/test_OF_accuracy.cpp | 28 +++++++++++ + 2 files changed, 93 insertions(+), 2 deletions(-) + +diff --git a/modules/video/src/dis_flow.cpp b/modules/video/src/dis_flow.cpp +index b86df1564b..adafcc92d8 100644 +--- a/modules/video/src/dis_flow.cpp ++++ b/modules/video/src/dis_flow.cpp +@@ -140,6 +140,8 @@ class DISOpticalFlowImpl CV_FINAL : public DISOpticalFlow + void prepareBuffers(Mat &I0, Mat &I1, Mat &flow, bool use_flow); + void precomputeStructureTensor(Mat &dst_I0xx, Mat &dst_I0yy, Mat &dst_I0xy, Mat &dst_I0x, Mat &dst_I0y, Mat &I0x, + Mat &I0y); ++ int autoSelectCoarsestScale(int img_width); ++ void autoSelectPatchSizeAndScales(int img_width); + + struct PatchInverseSearch_ParBody : public ParallelLoopBody + { +@@ -435,6 +437,44 @@ void DISOpticalFlowImpl::precomputeStructureTensor(Mat &dst_I0xx, Mat &dst_I0yy, + } + } + ++int DISOpticalFlowImpl::autoSelectCoarsestScale(int img_width) ++{ ++ const int fratio = 5; ++ return std::max(0, (int)std::floor(log2((2.0f*(float)img_width) / ((float)fratio * (float)patch_size)))); ++} ++ ++void DISOpticalFlowImpl::autoSelectPatchSizeAndScales(int img_width) ++{ ++ switch (finest_scale) ++ { ++ case 1: ++ patch_size = 8; ++ coarsest_scale = autoSelectCoarsestScale(img_width); ++ finest_scale = std::max(coarsest_scale-2, 0); ++ break; ++ ++ case 3: ++ patch_size = 12; ++ coarsest_scale = autoSelectCoarsestScale(img_width); ++ finest_scale = std::max(coarsest_scale-4, 0); ++ break; ++ ++ case 4: ++ patch_size = 12; ++ coarsest_scale = autoSelectCoarsestScale(img_width); ++ finest_scale = std::max(coarsest_scale-5, 0); ++ break; ++ ++ // default case, fall-through. ++ case 2: ++ default: ++ patch_size = 8; ++ coarsest_scale = autoSelectCoarsestScale(img_width); ++ finest_scale = std::max(coarsest_scale-2, 0); ++ break; ++ } ++} ++ + DISOpticalFlowImpl::PatchInverseSearch_ParBody::PatchInverseSearch_ParBody(DISOpticalFlowImpl &_dis, int _nstripes, + int _hs, Mat &dst_Sx, Mat &dst_Sy, + Mat &src_Ux, Mat &src_Uy, Mat &_I0, Mat &_I1, +@@ -1313,9 +1353,20 @@ bool DISOpticalFlowImpl::ocl_calc(InputArray I0, InputArray I1, InputOutputArray + else + flow.create(I1Mat.size(), CV_32FC2); + UMat &u_flowMat = flow.getUMatRef(); +- coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 * patch_size)) / log(2.0) + 0.5), /* Original code serach for maximal movement of width/4 */ ++ coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 * patch_size)) / log(2.0) + 0.5), /* Original code search for maximal movement of width/4 */ + (int)(log(min(I0Mat.cols, I0Mat.rows) / patch_size) / log(2.0))); /* Deepest pyramid level greater or equal than patch*/ + ++ if (coarsest_scale<0) ++ CV_Error(cv::Error::StsBadSize, "The input image must have either width or height >= 12"); ++ ++ if (coarsest_scale<finest_scale) ++ { ++ // choose the finest level based on coarsest level. ++ // Refs: https://github.com/tikroeger/OF_DIS/blob/2c9f2a674f3128d3a41c10e41cc9f3a35bb1b523/run_dense.cpp#L239 ++ int original_img_width = I0.size().width; ++ autoSelectPatchSizeAndScales(original_img_width); ++ } ++ + ocl_prepareBuffers(I0Mat, I1Mat, u_flowMat, use_input_flow); + u_Ux[coarsest_scale].setTo(0.0f); + u_Uy[coarsest_scale].setTo(0.0f); +@@ -1380,8 +1431,20 @@ void DISOpticalFlowImpl::calc(InputArray I0, InputArray I1, InputOutputArray flo + else + flow.create(I1Mat.size(), CV_32FC2); + Mat flowMat = flow.getMat(); +- coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 * patch_size)) / log(2.0) + 0.5), /* Original code serach for maximal movement of width/4 */ ++ coarsest_scale = min((int)(log(max(I0Mat.cols, I0Mat.rows) / (4.0 * patch_size)) / log(2.0) + 0.5), /* Original code search for maximal movement of width/4 */ + (int)(log(min(I0Mat.cols, I0Mat.rows) / patch_size) / log(2.0))); /* Deepest pyramid level greater or equal than patch*/ ++ ++ if (coarsest_scale<0) ++ CV_Error(cv::Error::StsBadSize, "The input image must have either width or height >= 12"); ++ ++ if (coarsest_scale<finest_scale) ++ { ++ // choose the finest level based on coarsest level. ++ // Refs: https://github.com/tikroeger/OF_DIS/blob/2c9f2a674f3128d3a41c10e41cc9f3a35bb1b523/run_dense.cpp#L239 ++ int original_img_width = I0.size().width; ++ autoSelectPatchSizeAndScales(original_img_width); ++ } ++ + int num_stripes = getNumThreads(); + + prepareBuffers(I0Mat, I1Mat, flowMat, use_input_flow); +diff --git a/modules/video/test/test_OF_accuracy.cpp b/modules/video/test/test_OF_accuracy.cpp +index affbab6586..b99ffce2a8 100644 +--- a/modules/video/test/test_OF_accuracy.cpp ++++ b/modules/video/test/test_OF_accuracy.cpp +@@ -121,6 +121,34 @@ TEST(DenseOpticalFlow_DIS, ReferenceAccuracy) + } + } + ++TEST(DenseOpticalFlow_DIS, InvalidImgSize_CoarsestLevelLessThanZero) ++{ ++ cv::Ptr<cv::DISOpticalFlow> of = cv::DISOpticalFlow::create(); ++ const int mat_size = 10; ++ ++ cv::Mat x(mat_size, mat_size, CV_8UC1, 42); ++ cv::Mat y(mat_size, mat_size, CV_8UC1, 42); ++ cv::Mat flow; ++ ++ ASSERT_THROW(of->calc(x, y, flow), cv::Exception); ++} ++ ++// make sure that autoSelectPatchSizeAndScales() works properly. ++TEST(DenseOpticalFlow_DIS, InvalidImgSize_CoarsestLevelLessThanFinestLevel) ++{ ++ cv::Ptr<cv::DISOpticalFlow> of = cv::DISOpticalFlow::create(); ++ const int mat_size = 80; ++ ++ cv::Mat x(mat_size, mat_size, CV_8UC1, 42); ++ cv::Mat y(mat_size, mat_size, CV_8UC1, 42); ++ cv::Mat flow; ++ ++ of->calc(x, y, flow); ++ ++ ASSERT_EQ(flow.rows, mat_size); ++ ASSERT_EQ(flow.cols, mat_size); ++} ++ + TEST(DenseOpticalFlow_VariationalRefinement, ReferenceAccuracy) + { + Mat frame1, frame2, GT; diff --git a/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch b/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch new file mode 100644 index 0000000000..b4d5e6dc44 --- /dev/null +++ b/meta-oe/recipes-support/opencv/opencv/CVE-2019-5063_and_2019-5064.patch @@ -0,0 +1,78 @@ +From f42d5399aac80d371b17d689851406669c9b9111 Mon Sep 17 00:00:00 2001 +From: Alexander Alekhin <alexander.alekhin@intel.com> +Date: Thu, 7 Nov 2019 14:01:51 +0300 +Subject: [PATCH] core(persistence): add more checks for implementation + limitations + +Signed-off-by: akash hadke <akash.hadke@kpit.com> +--- + modules/core/src/persistence_json.cpp | 8 ++++++++ + modules/core/src/persistence_xml.cpp | 6 ++++-- + 2 files changed, 12 insertions(+), 2 deletions(-) +--- +CVE: CVE-2019-5063 +CVE: CVE-2019-5064 +Upstream-Status: Backport [https://github.com/opencv/opencv/commit/f42d5399aac80d371b17d689851406669c9b9111.patch] +--- +diff --git a/modules/core/src/persistence_json.cpp b/modules/core/src/persistence_json.cpp +index 89914e6534f..2efdf17d3f5 100644 +--- a/modules/core/src/persistence_json.cpp ++++ b/modules/core/src/persistence_json.cpp +@@ -578,10 +578,14 @@ class JSONParser : public FileStorageParser + sz = (int)(ptr - beg); + if( sz > 0 ) + { ++ if (i + sz >= CV_FS_MAX_LEN) ++ CV_PARSE_ERROR_CPP("string is too long"); + memcpy(buf + i, beg, sz); + i += sz; + } + ptr++; ++ if (i + 1 >= CV_FS_MAX_LEN) ++ CV_PARSE_ERROR_CPP("string is too long"); + switch ( *ptr ) + { + case '\\': +@@ -605,6 +609,8 @@ class JSONParser : public FileStorageParser + sz = (int)(ptr - beg); + if( sz > 0 ) + { ++ if (i + sz >= CV_FS_MAX_LEN) ++ CV_PARSE_ERROR_CPP("string is too long"); + memcpy(buf + i, beg, sz); + i += sz; + } +@@ -620,6 +626,8 @@ class JSONParser : public FileStorageParser + sz = (int)(ptr - beg); + if( sz > 0 ) + { ++ if (i + sz >= CV_FS_MAX_LEN) ++ CV_PARSE_ERROR_CPP("string is too long"); + memcpy(buf + i, beg, sz); + i += sz; + } +diff --git a/modules/core/src/persistence_xml.cpp b/modules/core/src/persistence_xml.cpp +index 89876dd3da8..52b53744254 100644 +--- a/modules/core/src/persistence_xml.cpp ++++ b/modules/core/src/persistence_xml.cpp +@@ -627,6 +627,8 @@ class XMLParser : public FileStorageParser + c = '\"'; + else + { ++ if (len + 2 + i >= CV_FS_MAX_LEN) ++ CV_PARSE_ERROR_CPP("string is too long"); + memcpy( strbuf + i, ptr-1, len + 2 ); + i += len + 2; + } +@@ -635,9 +637,9 @@ class XMLParser : public FileStorageParser + CV_PERSISTENCE_CHECK_END_OF_BUFFER_BUG_CPP(); + } + } ++ if (i + 1 >= CV_FS_MAX_LEN) ++ CV_PARSE_ERROR_CPP("Too long string literal"); + strbuf[i++] = c; +- if( i >= CV_FS_MAX_LEN ) +- CV_PARSE_ERROR_CPP( "Too long string literal" ); + } + elem->setValue(FileNode::STRING, strbuf, i); + } diff --git a/meta-oe/recipes-support/opencv/opencv/download.patch b/meta-oe/recipes-support/opencv/opencv/download.patch index fa8db88078..ae01a5edcd 100644 --- a/meta-oe/recipes-support/opencv/opencv/download.patch +++ b/meta-oe/recipes-support/opencv/opencv/download.patch @@ -1,3 +1,8 @@ +From 3b1a69503dea2075d51655a0cea5369c88a67632 Mon Sep 17 00:00:00 2001 +From: Ross Burton <ross.burton@intel.com> +Date: Thu, 9 Jan 2020 16:24:24 +0000 +Subject: [PATCH] opencv: abort configure if we need to download + This CMake module will download files during do_configure. This is bad as it means we can't do offline builds. @@ -6,6 +11,10 @@ Add an option to disallow downloads by emitting a fatal error. Upstream-Status: Pending Signed-off-by: Ross Burton <ross.burton@intel.com> +--- + cmake/OpenCVDownload.cmake | 6 ++++++ + 1 file changed, 6 insertions(+) + diff --git a/cmake/OpenCVDownload.cmake b/cmake/OpenCVDownload.cmake index cdc47ad2cb..74573f45a2 100644 --- a/cmake/OpenCVDownload.cmake diff --git a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb index d781da6005..d7a0158749 100644 --- a/meta-oe/recipes-support/opencv/opencv_4.1.0.bb +++ b/meta-oe/recipes-support/opencv/opencv_4.1.0.bb @@ -37,12 +37,12 @@ IPP_FILENAME = "${@ipp_filename(d)}" IPP_MD5 = "${@ipp_md5sum(d)}" SRCREV_FORMAT = "opencv_contrib_ipp_boostdesc_vgg" -SRC_URI = "git://github.com/opencv/opencv.git;name=opencv \ - git://github.com/opencv/opencv_contrib.git;destsuffix=contrib;name=contrib \ - git://github.com/opencv/opencv_3rdparty.git;branch=ippicv/master_20180723;destsuffix=ipp;name=ipp \ - git://github.com/opencv/opencv_3rdparty.git;branch=contrib_xfeatures2d_boostdesc_20161012;destsuffix=boostdesc;name=boostdesc \ - git://github.com/opencv/opencv_3rdparty.git;branch=contrib_xfeatures2d_vgg_20160317;destsuffix=vgg;name=vgg \ - git://github.com/opencv/opencv_3rdparty.git;branch=contrib_face_alignment_20170818;destsuffix=face;name=face \ +SRC_URI = "git://github.com/opencv/opencv.git;name=opencv;branch=master;protocol=https \ + git://github.com/opencv/opencv_contrib.git;destsuffix=contrib;name=contrib;branch=master;protocol=https \ + git://github.com/opencv/opencv_3rdparty.git;branch=ippicv/master_20180723;destsuffix=ipp;name=ipp;protocol=https \ + git://github.com/opencv/opencv_3rdparty.git;branch=contrib_xfeatures2d_boostdesc_20161012;destsuffix=boostdesc;name=boostdesc;protocol=https \ + git://github.com/opencv/opencv_3rdparty.git;branch=contrib_xfeatures2d_vgg_20160317;destsuffix=vgg;name=vgg;protocol=https \ + git://github.com/opencv/opencv_3rdparty.git;branch=contrib_face_alignment_20170818;destsuffix=face;name=face;protocol=https \ file://0001-3rdparty-ippicv-Use-pre-downloaded-ipp.patch \ file://0002-Make-opencv-ts-create-share-library-intead-of-static.patch \ file://0003-To-fix-errors-as-following.patch \ @@ -50,6 +50,11 @@ SRC_URI = "git://github.com/opencv/opencv.git;name=opencv \ file://0001-Dont-use-isystem.patch \ file://0001-carotene-Replace-ipcp-unit-growth-with-ipa-cp-unit-g.patch \ file://download.patch \ + file://CVE-2019-14491.patch \ + file://CVE-2019-14493.patch \ + file://CVE-2019-15939.patch \ + file://CVE-2019-19624.patch \ + file://CVE-2019-5063_and_2019-5064.patch \ " PV = "4.1.0" diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2021-27212.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2021-27212.patch new file mode 100644 index 0000000000..c6bac80061 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2021-27212.patch @@ -0,0 +1,31 @@ +From 9badb73425a67768c09bcaed1a9c26c684af6c30 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Sat, 6 Feb 2021 20:52:06 +0000 +Subject: [PATCH] ITS#9454 fix issuerAndThisUpdateCheck + + +Signed-off-by: Howard Chu <hyc@openldap.org> + +Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30] +CVE: CVE-2021-27212 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + servers/slapd/schema_init.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index 31be115..8b1e255 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -3900,6 +3900,8 @@ issuerAndThisUpdateCheck( + break; + } + } ++ if ( tu->bv_len < STRLENOF("YYYYmmddHHmmssZ") ) return LDAP_INVALID_SYNTAX; ++ + x.bv_val += tu->bv_len + 1; + x.bv_len -= tu->bv_len + 1; + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch new file mode 100644 index 0000000000..2860b95220 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2022-29155.patch @@ -0,0 +1,277 @@ +From 11e136f15085a4bda5701e910988966bed699977 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 18 May 2022 13:57:59 +0530 +Subject: [PATCH] CVE-2022-29155 + +Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/87df6c19915042430540931d199a39105544a134] +CVE: CVE-2022-29155 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +--- + servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++----- + 1 file changed, 105 insertions(+), 18 deletions(-) + +diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c +index bb0f1e2..1770bde 100644 +--- a/servers/slapd/back-sql/search.c ++++ b/servers/slapd/back-sql/search.c +@@ -63,6 +63,38 @@ static void send_paged_response( + ID *lastid ); + #endif /* ! BACKSQL_ARBITRARY_KEY */ + ++/* Look for chars that need to be escaped, return count of them. ++ * If out is non-NULL, copy escape'd val to it. ++ */ ++static int ++backsql_val_escape( Operation *op, struct berval *in, struct berval *out ) ++{ ++ char *ptr, *end; ++ int q = 0; ++ ++ ptr = in->bv_val; ++ end = ptr + in->bv_len; ++ while (ptr < end) { ++ if ( *ptr == '\'' ) ++ q++; ++ ptr++; ++ } ++ if ( q && out ) { ++ char *dst; ++ out->bv_len = in->bv_len + q; ++ out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx ); ++ ptr = in->bv_val; ++ dst = out->bv_val; ++ while (ptr < end ) { ++ if ( *ptr == '\'' ) ++ *dst++ = '\''; ++ *dst++ = *ptr++; ++ } ++ *dst = '\0'; ++ } ++ return q; ++} ++ + static int + backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad ) + { +@@ -429,6 +461,8 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + backsql_info *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private; + int i; + int casefold = 0; ++ int escaped = 0; ++ struct berval escval, *fvalue; + + if ( !f ) { + return 0; +@@ -462,50 +496,68 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + + BER_BVZERO( &bv ); + if ( f->f_sub_initial.bv_val ) { +- bv.bv_len += f->f_sub_initial.bv_len; ++ bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL ); + } + if ( f->f_sub_any != NULL ) { + for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) { +- bv.bv_len += f->f_sub_any[ a ].bv_len; ++ bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL ); + } + } + if ( f->f_sub_final.bv_val ) { +- bv.bv_len += f->f_sub_final.bv_len; ++ bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL ); + } + bv.bv_len = 2 * bv.bv_len - 1; + bv.bv_val = ch_malloc( bv.bv_len + 1 ); + + s = 0; + if ( !BER_BVISNULL( &f->f_sub_initial ) ) { +- bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) { ++ fvalue = &f->f_sub_initial; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } + bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + + if ( f->f_sub_any != NULL ) { + for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) { +- bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) { ++ fvalue = &f->f_sub_any[ a ]; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } + bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + } + + if ( !BER_BVISNULL( &f->f_sub_final ) ) { +- bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_final.bv_len; i++ ) { ++ fvalue = &f->f_sub_final; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } +- bv.bv_val[ s + 2 * i - 1 ] = '%'; ++ bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + + bv.bv_val[ s - 1 ] = '\0'; +@@ -561,11 +613,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + f->f_sub_initial.bv_val, 0 ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_initial; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "b", +- &f->f_sub_initial ); ++ fvalue ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); + } +@@ -586,12 +644,18 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + i, f->f_sub_any[ i ].bv_val ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_any[ i ]; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "bc", +- &f->f_sub_any[ i ], ++ fvalue, + '%' ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + /* + * Note: toupper('%') = '%' +@@ -611,11 +675,17 @@ backsql_process_sub_filter( backsql_srch_info *bsi, Filter *f, + f->f_sub_final.bv_val, 0 ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_final; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "b", +- &f->f_sub_final ); ++ fvalue ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); + } +@@ -1183,6 +1253,8 @@ backsql_process_filter_attr( backsql_srch_info *bsi, Filter *f, backsql_at_map_r + struct berval *filter_value = NULL; + MatchingRule *matching_rule = NULL; + struct berval ordering = BER_BVC("<="); ++ struct berval escval; ++ int escaped = 0; + + Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n", + at->bam_ad->ad_cname.bv_val, 0, 0 ); +@@ -1237,6 +1309,10 @@ equality_match:; + casefold = 1; + } + ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; ++ + /* FIXME: directoryString filtering should use a similar + * approach to deal with non-prettified values like + * " A non prettified value ", by using a LIKE +@@ -1317,6 +1393,10 @@ equality_match:; + casefold = 1; + } + ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; ++ + /* + * FIXME: should we uppercase the operands? + */ +@@ -1350,7 +1430,7 @@ equality_match:; + &at->bam_sel_expr, + &ordering, + '\'', +- &f->f_av_value, ++ filter_value, + (ber_len_t)STRLENOF( /* (' */ "')" ), + /* ( */ "')" ); + } +@@ -1374,13 +1454,17 @@ equality_match:; + case LDAP_FILTER_APPROX: + /* we do our best */ + ++ filter_value = &f->f_av_value; ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; + /* + * maybe we should check type of at->sel_expr here somehow, + * to know whether upper_func is applicable, but for now + * upper_func stuff is made for Oracle, where UPPER is + * safely applicable to NUMBER etc. + */ +- (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value ); ++ (void)backsql_process_filter_like( bsi, at, 1, filter_value ); + break; + + default: +@@ -1394,6 +1478,9 @@ equality_match:; + + } + ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); ++ + Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n", + at->bam_ad->ad_cname.bv_val, 0, 0 ); + +-- +2.25.1 + diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch new file mode 100644 index 0000000000..f4b4eb95d5 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-1.patch @@ -0,0 +1,30 @@ +From 752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Wed, 24 Aug 2022 14:40:51 +0100 +Subject: [PATCH] ITS#9904 ldif_open_url: check for ber_strdup failure + +Code present since 1999, df8f7cbb9b79be3be9205d116d1dd0b263d6861a + +Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce] +CVE: CVE-2023-2953 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libraries/libldap/fetch.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libraries/libldap/fetch.c b/libraries/libldap/fetch.c +index 9e426dc647..536871bcfe 100644 +--- a/libraries/libldap/fetch.c ++++ b/libraries/libldap/fetch.c +@@ -69,6 +69,8 @@ ldif_open_url( + } + + p = ber_strdup( urlstr ); ++ if ( p == NULL ) ++ return NULL; + + /* But we should convert to LDAP_DIRSEP before use */ + if ( LDAP_DIRSEP[0] != '/' ) { +-- +GitLab + diff --git a/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch new file mode 100644 index 0000000000..02c43bc445 --- /dev/null +++ b/meta-oe/recipes-support/openldap/openldap/CVE-2023-2953-2.patch @@ -0,0 +1,76 @@ +From 6563fab9e2feccb0a684d0398e78571d09fb808b Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Thu, 25 Aug 2022 16:13:21 +0100 +Subject: [PATCH] ITS#9904 ldap_url_parsehosts: check for strdup failure + +Avoid unnecessary strdup in IPv6 addr parsing, check for strdup +failure when dup'ing scheme. + +Code present since 2000, 8da110a9e726dbc612b302feafe0109271e6bc59 + +Upstream-Status: Backport [https://git.openldap.org/openldap/openldap/-/commit/6563fab9e2feccb0a684d0398e78571d09fb808b] +CVE: CVE-2023-2953 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libraries/libldap/url.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/libraries/libldap/url.c b/libraries/libldap/url.c +index dcf2aac9e8..493fd7ce47 100644 +--- a/libraries/libldap/url.c ++++ b/libraries/libldap/url.c +@@ -1385,24 +1385,22 @@ ldap_url_parsehosts( + } + ludp->lud_port = port; + ludp->lud_host = specs[i]; +- specs[i] = NULL; + p = strchr(ludp->lud_host, ':'); + if (p != NULL) { + /* more than one :, IPv6 address */ + if ( strchr(p+1, ':') != NULL ) { + /* allow [address] and [address]:port */ + if ( *ludp->lud_host == '[' ) { +- p = LDAP_STRDUP(ludp->lud_host+1); +- /* copied, make sure we free source later */ +- specs[i] = ludp->lud_host; +- ludp->lud_host = p; +- p = strchr( ludp->lud_host, ']' ); ++ p = strchr( ludp->lud_host+1, ']' ); + if ( p == NULL ) { + LDAP_FREE(ludp); + ldap_charray_free(specs); + return LDAP_PARAM_ERROR; + } +- *p++ = '\0'; ++ /* Truncate trailing ']' and shift hostname down 1 char */ ++ *p = '\0'; ++ AC_MEMCPY( ludp->lud_host, ludp->lud_host+1, p - ludp->lud_host ); ++ p++; + if ( *p != ':' ) { + if ( *p != '\0' ) { + LDAP_FREE(ludp); +@@ -1428,14 +1426,19 @@ ldap_url_parsehosts( + } + } + } +- ldap_pvt_hex_unescape(ludp->lud_host); + ludp->lud_scheme = LDAP_STRDUP("ldap"); ++ if ( ludp->lud_scheme == NULL ) { ++ LDAP_FREE(ludp); ++ ldap_charray_free(specs); ++ return LDAP_NO_MEMORY; ++ } ++ specs[i] = NULL; ++ ldap_pvt_hex_unescape(ludp->lud_host); + ludp->lud_next = *ludlist; + *ludlist = ludp; + } + + /* this should be an array of NULLs now */ +- /* except entries starting with [ */ + ldap_charray_free(specs); + return LDAP_SUCCESS; + } +-- +GitLab + diff --git a/meta-oe/recipes-support/openldap/openldap_2.4.50.bb b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb index 3a130f970c..7c2ea7c452 100644 --- a/meta-oe/recipes-support/openldap/openldap_2.4.50.bb +++ b/meta-oe/recipes-support/openldap/openldap_2.4.57.bb @@ -7,7 +7,7 @@ HOMEPAGE = "http://www.OpenLDAP.org/license.html" # basically BSD. opensource.org does not record this license # at present (so it is apparently not OSI certified). LICENSE = "OpenLDAP" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=5391b559d23a2237bdb21e7a62dae7c3 \ +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b6dea6c170362fc46381fe3690c722cb \ file://LICENSE;md5=153d07ef052c4a37a8fac23bc6031972 \ " SECTION = "libs" @@ -23,10 +23,13 @@ SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/$ file://thread_stub.patch \ file://openldap-CVE-2015-3276.patch \ file://remove-user-host-pwd-from-version.patch \ + file://CVE-2022-29155.patch \ + file://CVE-2023-2953-1.patch \ + file://CVE-2023-2953-2.patch \ + file://CVE-2021-27212.patch \ " - -SRC_URI[md5sum] = "f9ed44ef373abed04c9e4c8586260f9e" -SRC_URI[sha256sum] = "5cb57d958bf5c55a678c6a0f06821e0e5504d5a92e6a33240841fbca1db586b8" +SRC_URI[md5sum] = "e3349456c3a66e5e6155be7ddc3f042c" +SRC_URI[sha256sum] = "c7ba47e1e6ecb5b436f3d43281df57abeffa99262141aec822628bc220f6b45a" DEPENDS = "util-linux groff-native" diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch new file mode 100644 index 0000000000..74e547298f --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40660.patch @@ -0,0 +1,55 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7 +From: Frank Morgner <frankmorgner@gmail.com> +Date: Wed, 21 Jun 2023 12:27:23 +0200 +Subject: Fixed PIN authentication bypass + +If two processes are accessing a token, then one process may leave the +card usable with an authenticated PIN so that a key may sign/decrypt any +data. This is especially the case if the token does not support a way of +resetting the authentication status (logout). + +We have some tracking of the authentication status in software via +PKCS#11, Minidriver (os-wise) and CryptoTokenKit, which is why a +PIN-prompt will appear even though the card may technically be unlocked +as described in the above example. However, before this change, an empty +PIN was not verified (likely yielding an error during PIN-verification), +but it was just checked whether the PIN is authenticated. This defeats +the purpose of the PIN verification, because an empty PIN is not the +correct one. Especially during OS Logon, we don't want that kind of +shortcut, but we want the user to verify the correct PIN (even though +the token was left unattended and authentication at the computer). + +This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864. + +CVE: CVE-2023-40660 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/940e8bc764047c873f88bb1396933a5368d03533] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +--- + src/libopensc/pkcs15-pin.c | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c +index 80a185fecd..393234efe4 100644 +--- a/src/libopensc/pkcs15-pin.c ++++ b/src/libopensc/pkcs15-pin.c +@@ -307,19 +307,6 @@ + LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE); + auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data; + +- /* +- * if pin cache is disabled, we can get here with no PIN data. +- * in this case, to avoid error or unnecessary pin prompting on pinpad, +- * check if the PIN has been already verified and the access condition +- * is still open on card. +- */ +- if (pinlen == 0) { +- r = sc_pkcs15_get_pin_info(p15card, pin_obj); +- +- if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN) +- LOG_FUNC_RETURN(ctx, r); +- } +- + r = _validate_pin(p15card, auth_info, pinlen); + + if (r) + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch new file mode 100644 index 0000000000..3ecff558cf --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch @@ -0,0 +1,47 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/245efe608d083fd4e4ec96793fdefd218e26fde7 +From: Jakub Jelen <jjelen@redhat.com> +Date: Thu, 17 Aug 2023 13:54:42 +0200 +Subject: pkcs15: Avoid buffer overflow when getting last update + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769 + +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. + +--- + src/libopensc/pkcs15.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c +index eb7fc6afcd..4215b733a8 100644 +--- a/src/libopensc/pkcs15.c ++++ b/src/libopensc/pkcs15.c +@@ -528,7 +528,7 @@ + struct sc_context *ctx = p15card->card->ctx; + struct sc_file *file = NULL; + struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE]; +- unsigned char *content, last_update[32]; ++ unsigned char *content, last_update[32] = {0}; + size_t lupdate_len = sizeof(last_update) - 1; + int r, content_len; + size_t size; +@@ -564,9 +564,11 @@ + if (r < 0) + return NULL; + +- p15card->tokeninfo->last_update.gtime = strdup((char *)last_update); +- if (!p15card->tokeninfo->last_update.gtime) +- return NULL; ++ if (asn1_last_update[0].flags & SC_ASN1_PRESENT) { ++ p15card->tokeninfo->last_update.gtime = strdup((char *)last_update); ++ if (!p15card->tokeninfo->last_update.gtime) ++ return NULL; ++ } + done: + sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime); + return p15card->tokeninfo->last_update.gtime; + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch new file mode 100644 index 0000000000..39e729c5a9 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch @@ -0,0 +1,32 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/440ca666eff10cc7011901252d20f3fc4ea23651 +From: Jakub Jelen <jjelen@redhat.com> +Date: Thu, 17 Aug 2023 13:41:36 +0200 +Subject: setcos: Avoid buffer underflow + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/pkcs15-setcos.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-setcos.c b/src/pkcs15init/pkcs15-setcos.c +index 1b56afe6d9..1907b47f9d 100644 +--- a/src/pkcs15init/pkcs15-setcos.c ++++ b/src/pkcs15init/pkcs15-setcos.c +@@ -346,6 +346,10 @@ + + /* Replace the path of instantiated key template by the path from the object data. */ + memcpy(&file->path, &key_info->path, sizeof(file->path)); ++ if (file->path.len < 2) { ++ sc_file_free(file); ++ LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid path"); ++ } + file->id = file->path.value[file->path.len - 2] * 0x100 + + file->path.value[file->path.len - 1]; + + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch new file mode 100644 index 0000000000..7950cf91df --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch @@ -0,0 +1,31 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/41d61da8481582e12710b5858f8b635e0a71ab5e +From: Jakub Jelen <jjelen@redhat.com> +Date: Wed, 20 Sep 2023 10:13:57 +0200 +Subject: oberthur: Avoid buffer overflow + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/pkcs15-oberthur.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c +index ad2cabd530..c441ab1e76 100644 +--- a/src/pkcs15init/pkcs15-oberthur.c ++++ b/src/pkcs15init/pkcs15-oberthur.c +@@ -688,6 +688,9 @@ + if (object->type != SC_PKCS15_TYPE_PRKEY_RSA) + LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Create key failed: RSA only supported"); + ++ if (key_info->path.len < 2) ++ LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_VALID, "The path needs to be at least to bytes long"); ++ + sc_log(ctx, "create private key ID:%s", sc_pkcs15_print_id(&key_info->id)); + /* Here, the path of private key file should be defined. + * Nevertheless, we need to instantiate private key to get the ACLs. */ + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch new file mode 100644 index 0000000000..797f8ad3b1 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch @@ -0,0 +1,28 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/578aed8391ef117ca64a9e0cba8e5c264368a0ec +From: Frank Morgner <frankmorgner@gmail.com> +Date: Thu, 8 Dec 2022 00:27:18 +0100 +Subject: sc_pkcs15init_rmdir: prevent out of bounds write + +fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/pkcs15-lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c +index 91cee37310..3df03c6e1f 100644 +--- a/src/pkcs15init/pkcs15-lib.c ++++ b/src/pkcs15init/pkcs15-lib.c +@@ -666,6 +666,8 @@ + + path = df->path; + path.len += 2; ++ if (path.len > SC_MAX_PATH_SIZE) ++ return SC_ERROR_INTERNAL; + + nfids = r / 2; + while (r >= 0 && nfids--) { + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch new file mode 100644 index 0000000000..e173e65575 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch @@ -0,0 +1,30 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/c449a181a6988cc1e8dc8764d23574e48cdc3fa6 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com> +Date: Mon, 19 Jun 2023 16:14:51 +0200 +Subject: pkcs15-cflex: check path length to prevent underflow + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/pkcs15-cflex.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-cflex.c b/src/pkcs15init/pkcs15-cflex.c +index d06568073d..ce1d48e62c 100644 +--- a/src/pkcs15init/pkcs15-cflex.c ++++ b/src/pkcs15init/pkcs15-cflex.c +@@ -56,6 +56,9 @@ + int r = 0; + /* Select the parent DF */ + path = df->path; ++ if (path.len < 2) { ++ return SC_ERROR_INVALID_ARGUMENTS; ++ } + path.len -= 2; + r = sc_select_file(p15card->card, &path, &parent); + if (r < 0) + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch new file mode 100644 index 0000000000..abb524de29 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch @@ -0,0 +1,30 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1 +From: Veronika Hanulikova <xhanulik@fi.muni.cz> +Date: Fri, 10 Feb 2023 11:47:34 +0100 +Subject: Check array bounds + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/libopensc/muscle.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libopensc/muscle.c b/src/libopensc/muscle.c +index 61a4ec24d8..9d01e0c113 100644 +--- a/src/libopensc/muscle.c ++++ b/src/libopensc/muscle.c +@@ -183,6 +183,9 @@ + sc_apdu_t apdu; + int r; + ++ if (dataLength + 9 > MSC_MAX_APDU) ++ return SC_ERROR_INVALID_ARGUMENTS; ++ + sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x54, 0x00, 0x00); + apdu.lc = dataLength + 9; + if (card->ctx->debug >= 2) + diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch new file mode 100644 index 0000000000..858a996ed7 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch @@ -0,0 +1,40 @@ +Origin: https://github.com/OpenSC/OpenSC/commit/5631e9843c832a99769def85b7b9b68b4e3e3959 +From: Veronika Hanulikova <xhanulik@fi.muni.cz> +Date: Fri, 3 Mar 2023 16:07:38 +0100 +Subject: Check length of string before making copy + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851 +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998 +CVE: CVE-2023-40661 +Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +Comment: Hunk refreshed based on codebase. +--- + src/pkcs15init/profile.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c +index 2b793b0282..3bad1e8536 100644 +--- a/src/pkcs15init/profile.c ++++ b/src/pkcs15init/profile.c +@@ -1465,6 +1465,8 @@ + while (argc--) { + unsigned int op, method, id; + ++ if (strlen(*argv) >= sizeof(oper)) ++ goto bad; + strlcpy(oper, *argv++, sizeof(oper)); + if ((what = strchr(oper, '=')) == NULL) + goto bad; +@@ -2128,6 +2130,9 @@ + return get_uint(cur, value, type); + } + ++ if (strlen(value) >= sizeof(temp)) ++ return 1; ++ + n = strcspn(value, "0123456789x"); + strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp)); + + diff --git a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb index a815980c4f..3eb0c1e558 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb @@ -13,7 +13,15 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34" #v0.19.0 SRCREV = "45e29056ccde422e70ed3585084a7f150c632515" -SRC_URI = "git://github.com/OpenSC/OpenSC \ +SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ + file://CVE-2023-40660.patch \ + file://CVE-2023-40661-1.patch \ + file://CVE-2023-40661-2.patch \ + file://CVE-2023-40661-3.patch \ + file://CVE-2023-40661-4.patch \ + file://CVE-2023-40661-5.patch \ + file://CVE-2023-40661-6.patch \ + file://CVE-2023-40661-7.patch \ " DEPENDS = "virtual/libiconv openssl" diff --git a/meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb b/meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb index 91d77ac938..04989fb740 100644 --- a/meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb +++ b/meta-oe/recipes-support/pcsc-lite/pcsc-lite_1.8.26.bb @@ -36,6 +36,7 @@ PACKAGES = "${PN} ${PN}-dbg ${PN}-dev ${PN}-lib ${PN}-doc ${PN}-spy ${PN}-spy-de RRECOMMENDS_${PN} = "ccid" RRECOMMENDS_${PN}_class-native = "" +RPROVIDES_${PN}_class-native += "pcsc-lite-lib-native" FILES_${PN} = "${sbindir}/pcscd" FILES_${PN}-lib = "${libdir}/libpcsclite*${SOLIBS}" diff --git a/meta-oe/recipes-support/picocom/picocom_git.bb b/meta-oe/recipes-support/picocom/picocom_git.bb index 3d26b9364b..801300e707 100644 --- a/meta-oe/recipes-support/picocom/picocom_git.bb +++ b/meta-oe/recipes-support/picocom/picocom_git.bb @@ -9,7 +9,7 @@ PV = "${BASEPV}+git${SRCPV}" SRCREV = "90385aabe2b51f39fa130627d46b377569f82d4a" -SRC_URI = "git://github.com/npat-efault/picocom \ +SRC_URI = "git://github.com/npat-efault/picocom;branch=master;protocol=https \ file://0001-Fix-building-with-musl.patch \ " diff --git a/meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb b/meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb index 3a437659e7..0e3e5ff733 100644 --- a/meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb +++ b/meta-oe/recipes-support/pidgin/funyahoo-plusplus_git.bb @@ -7,7 +7,7 @@ DEPENDS = "pidgin json-glib glib-2.0" inherit pkgconfig -SRC_URI = "git://github.com/EionRobb/funyahoo-plusplus;branch=master;protocol=git" +SRC_URI = "git://github.com/EionRobb/funyahoo-plusplus;branch=master;protocol=https" SRCREV = "fbbd9c591100aa00a0487738ec7b6acd3d924b3f" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/pidgin/icyque_git.bb b/meta-oe/recipes-support/pidgin/icyque_git.bb index 0f32dc3a39..2905e16fcc 100644 --- a/meta-oe/recipes-support/pidgin/icyque_git.bb +++ b/meta-oe/recipes-support/pidgin/icyque_git.bb @@ -9,7 +9,7 @@ PV = "0.1+gitr${SRCPV}" inherit pkgconfig -SRC_URI = "git://github.com/EionRobb/icyque" +SRC_URI = "git://github.com/EionRobb/icyque;branch=master;protocol=https" SRCREV = "513fc162d5d1a201c2b044e2b42941436d1069d5" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb b/meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb index 092e6059b8..854920d2ee 100644 --- a/meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb +++ b/meta-oe/recipes-support/pidgin/purple-skypeweb_git.bb @@ -7,7 +7,7 @@ DEPENDS = "pidgin json-glib glib-2.0 zlib" inherit pkgconfig -SRC_URI = "git://github.com/EionRobb/skype4pidgin;branch=master;protocol=git" +SRC_URI = "git://github.com/EionRobb/skype4pidgin;branch=master;protocol=https" SRCREV = "14f1b69b6292bbdc98cca484b050ec8359394c4e" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/poco/poco_1.9.4.bb b/meta-oe/recipes-support/poco/poco_1.9.4.bb index fcd5219759..1c3a4ebb03 100644 --- a/meta-oe/recipes-support/poco/poco_1.9.4.bb +++ b/meta-oe/recipes-support/poco/poco_1.9.4.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=4267f48fc738f50380cbeeb76f95cebc" DEPENDS = "libpcre zlib" SRC_URI = " \ - git://github.com/pocoproject/poco.git;branch=poco-${PV} \ + git://github.com/pocoproject/poco.git;branch=poco-${PV};protocol=https \ file://0001-Don-t-try-to-install-non-existing-Encodings-testsuit.patch \ file://0001-riscv-Enable-double-operations-when-using-double-flo.patch \ file://run-ptest \ diff --git a/meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb b/meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb index c8baa5d9ca..5b53587745 100644 --- a/meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb +++ b/meta-oe/recipes-support/pps-tools/pps-tools_1.0.2.bb @@ -5,7 +5,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" SRCREV = "cb48b7ecf7079ceba7081c78d4e61e507b0e8d2d" -SRC_URI = "git://github.com/ago/pps-tools.git" +SRC_URI = "git://github.com/ago/pps-tools.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/remmina/remmina_1.3.6.bb b/meta-oe/recipes-support/remmina/remmina_1.3.6.bb index 5b663489f8..3b1e8706ce 100644 --- a/meta-oe/recipes-support/remmina/remmina_1.3.6.bb +++ b/meta-oe/recipes-support/remmina/remmina_1.3.6.bb @@ -9,12 +9,11 @@ DEPENDS += "openssl freerdp gtk+3 gdk-pixbuf atk libgcrypt avahi-ui libsodium li DEPENDS_append_libc-musl = " libexecinfo" LDFLAGS_append_libc-musl = " -lexecinfo" -SRC_URI = "https://gitlab.com/Remmina/Remmina/-/archive/v${PV}/Remmina-v${PV}.tar.bz2 \ +SRCREV = "cc391370d8b4c07597617e0a771a9732f0802411" +SRC_URI = "git://gitlab.com/Remmina/Remmina;protocol=https;branch=master \ " -SRC_URI[md5sum] = "6da599c3a5cab2df37a70f8fba2f5438" -SRC_URI[sha256sum] = "fbed745438bb0c21467b60cbd67c8148a9289b5ebc7482d06db443bea556af1a" -S = "${WORKDIR}/Remmina-v${PV}" +S = "${WORKDIR}/git" inherit cmake features_check mime-xdg REQUIRED_DISTRO_FEATURES = "x11" diff --git a/meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb b/meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb index dcadede0ed..6fe8aa76f2 100644 --- a/meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb +++ b/meta-oe/recipes-support/rsnapshot/rsnapshot_git.bb @@ -13,17 +13,19 @@ RDEPENDS_${PN} = "rsync \ perl-module-getopt-std \ perl-module-file-path \ perl-module-file-stat \ + perl-module-file-spec \ perl-module-posix \ perl-module-fcntl \ perl-module-io-file \ perl-module-constant \ perl-module-overloading \ + perl-module-ipc-open3 \ " SRCREV = "a9e29850fc33c503c289e245c7bad350eed746d9" PV = "1.4.3+git${SRCPV}" -SRC_URI = "git://github.com/DrHyde/${BPN};branch=master;protocol=git \ +SRC_URI = "git://github.com/DrHyde/${BPN};branch=master;protocol=https \ file://configure-fix-cmd_rsync.patch \ " diff --git a/meta-oe/recipes-support/sass/libsass_3.6.3.bb b/meta-oe/recipes-support/sass/libsass_3.6.3.bb index d893be2231..4b4fe55669 100644 --- a/meta-oe/recipes-support/sass/libsass_3.6.3.bb +++ b/meta-oe/recipes-support/sass/libsass_3.6.3.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=8f34396ca205f5e119ee77aae91fa27d" inherit autotools -SRC_URI = "git://github.com/sass/libsass.git;branch=master" +SRC_URI = "git://github.com/sass/libsass.git;branch=master;protocol=https" SRCREV = "e1c16e09b4a953757a15149deaaf28a3fd81dc97" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/sass/sassc_git.bb b/meta-oe/recipes-support/sass/sassc_git.bb index 3c7a55cc3d..985d519f93 100644 --- a/meta-oe/recipes-support/sass/sassc_git.bb +++ b/meta-oe/recipes-support/sass/sassc_git.bb @@ -6,7 +6,7 @@ DEPENDS = "libsass" inherit autotools pkgconfig -SRC_URI = "git://github.com/sass/sassc.git" +SRC_URI = "git://github.com/sass/sassc.git;branch=master;protocol=https" SRCREV = "46748216ba0b60545e814c07846ca10c9fefc5b6" S = "${WORKDIR}/git" PV = "3.6.1" diff --git a/meta-oe/recipes-support/satyr/satyr_0.28.bb b/meta-oe/recipes-support/satyr/satyr_0.28.bb index fbf018d7f5..a928681ae8 100644 --- a/meta-oe/recipes-support/satyr/satyr_0.28.bb +++ b/meta-oe/recipes-support/satyr/satyr_0.28.bb @@ -7,7 +7,7 @@ LICENSE = "GPLv2" inherit autotools-brokensep python3native pkgconfig -SRC_URI = "git://github.com/abrt/satyr.git \ +SRC_URI = "git://github.com/abrt/satyr.git;branch=master;protocol=https \ file://0002-fix-compile-failure-against-musl-C-library.patch \ " SRCREV = "8b5547b89b712b39a59f1d8b366e7de0f5f46108" diff --git a/meta-oe/recipes-support/serial-utils/pty-forward-native.bb b/meta-oe/recipes-support/serial-utils/pty-forward-native.bb index 7f59b3ecad..87d9c52903 100644 --- a/meta-oe/recipes-support/serial-utils/pty-forward-native.bb +++ b/meta-oe/recipes-support/serial-utils/pty-forward-native.bb @@ -6,7 +6,7 @@ SECTION = "console/network" SRCREV = "00dbec2636ae0385ad028587e20e446272ff97ec" PV = "1.1+gitr${SRCPV}" -SRC_URI = "git://github.com/freesmartphone/cornucopia.git;protocol=https" +SRC_URI = "git://github.com/freesmartphone/cornucopia.git;protocol=https;branch=master" S = "${WORKDIR}/git/tools/serial_forward" inherit autotools native diff --git a/meta-oe/recipes-support/serial-utils/serial-forward_git.bb b/meta-oe/recipes-support/serial-utils/serial-forward_git.bb index 0ef829856c..dcad8f7104 100644 --- a/meta-oe/recipes-support/serial-utils/serial-forward_git.bb +++ b/meta-oe/recipes-support/serial-utils/serial-forward_git.bb @@ -6,7 +6,7 @@ SECTION = "console/devel" SRCREV = "07c6fdede0870edc37a8d51d033b6e7e29aa7c91" PV = "1.1+gitr${SRCPV}" -SRC_URI = "git://github.com/freesmartphone/cornucopia.git \ +SRC_URI = "git://github.com/freesmartphone/cornucopia.git;branch=master;protocol=https \ file://0001-serial_forward-Disable-default-static-linking.patch;striplevel=3 \ " S = "${WORKDIR}/git/tools/serial_forward" diff --git a/meta-oe/recipes-support/span-lite/span-lite_git.bb b/meta-oe/recipes-support/span-lite/span-lite_git.bb index 96ec829b74..abb3ec2f36 100644 --- a/meta-oe/recipes-support/span-lite/span-lite_git.bb +++ b/meta-oe/recipes-support/span-lite/span-lite_git.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/martinmoene/span-lite" LICENSE = "BSL-1.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=e4224ccaecb14d942c71d31bef20d78c" -SRC_URI += "git://github.com/martinmoene/span-lite" +SRC_URI += "git://github.com/martinmoene/span-lite;branch=master;protocol=https" SRCREV = "e03d1166ccc8481d993dc02aae703966301a5e6e" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb b/meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb index 39629cce0d..9294d1a70e 100644 --- a/meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb +++ b/meta-oe/recipes-support/spdlog/spdlog_1.5.0.bb @@ -4,7 +4,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" SRCREV = "cf6f1dd01e660d5865d68bf5fa78f6376b89470a" -SRC_URI = "git://github.com/gabime/spdlog.git;protocol=git;branch=v1.x;" +SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x;" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/spitools/spitools_git.bb b/meta-oe/recipes-support/spitools/spitools_git.bb index 625756873b..b9ed1bcd7b 100644 --- a/meta-oe/recipes-support/spitools/spitools_git.bb +++ b/meta-oe/recipes-support/spitools/spitools_git.bb @@ -10,7 +10,7 @@ SRCREV = "4a36a84f7df291ddaebd397aecf0c8515256a8e0" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/cpb-/spi-tools.git;protocol=git" +SRC_URI = "git://github.com/cpb-/spi-tools.git;protocol=https;branch=master" inherit autotools diff --git a/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725.patch b/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725.patch new file mode 100644 index 0000000000..4a09c8c7fa --- /dev/null +++ b/meta-oe/recipes-support/syslog-ng/files/CVE-2022-38725.patch @@ -0,0 +1,629 @@ +From 73b5c300b8fde5e7a4824baa83a04931279abb37 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?L=C3=A1szl=C3=B3=20V=C3=A1rady?= + <laszlo.varady@protonmail.com> +Date: Sat, 20 Aug 2022 12:42:38 +0200 +Subject: [PATCH] CVE-2022-38725 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: László Várady <laszlo.varady@protonmail.com> +Signed-off-by: Balazs Scheidler <bazsi77@gmail.com> + +Upstream-Status: Backport from [https://github.com/syslog-ng/syslog-ng/commit/b5a060f2ebb8d794f508436a12e4d4163f94b1b8 && https://github.com/syslog-ng/syslog-ng/commit/81a07263f1e522a376d3a30f96f51df3f2879f8a && https://github.com/syslog-ng/syslog-ng/commit/4b8dc56ca8eaeac4c8751a305eb7eeefab8dc89d && https://github.com/syslog-ng/syslog-ng/commit/73b5c300b8fde5e7a4824baa83a04931279abb37 && https://github.com/syslog-ng/syslog-ng/commit/45f051239312e43bd4f92b9339fe67c6798a0321 && https://github.com/syslog-ng/syslog-ng/commit/09f489c89c826293ff8cbd282cfc866ab56054c4 && https://github.com/syslog-ng/syslog-ng/commit/8c6e2c1c41b0fcc5fbd464c35f4dac7102235396 && https://github.com/syslog-ng/syslog-ng/commit/56f881c5eaa3d8c02c96607c4b9e4eaf959a044d] +CVE: CVE-2022-38725 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + lib/timeutils/scan-timestamp.c | 68 +++++---- + lib/timeutils/tests/test_scan-timestamp.c | 133 ++++++++++++++++-- + modules/syslogformat/CMakeLists.txt | 2 + + modules/syslogformat/Makefile.am | 2 + + modules/syslogformat/syslog-format.c | 12 +- + modules/syslogformat/tests/CMakeLists.txt | 1 + + modules/syslogformat/tests/Makefile.am | 9 ++ + .../syslogformat/tests/test_syslog_format.c | 104 ++++++++++++++ + 8 files changed, 284 insertions(+), 47 deletions(-) + create mode 100644 modules/syslogformat/tests/CMakeLists.txt + create mode 100644 modules/syslogformat/tests/Makefile.am + create mode 100644 modules/syslogformat/tests/test_syslog_format.c + +diff --git a/lib/timeutils/scan-timestamp.c b/lib/timeutils/scan-timestamp.c +index 41ead1a..ec9746b 100644 +--- a/lib/timeutils/scan-timestamp.c ++++ b/lib/timeutils/scan-timestamp.c +@@ -34,41 +34,43 @@ scan_day_abbrev(const gchar **buf, gint *left, gint *wday) + { + *wday = -1; + +- if (*left < 3) ++ const gsize abbrev_length = 3; ++ ++ if (*left < abbrev_length) + return FALSE; + + switch (**buf) + { + case 'S': +- if (strncasecmp(*buf, "Sun", 3) == 0) ++ if (strncasecmp(*buf, "Sun", abbrev_length) == 0) + *wday = 0; +- else if (strncasecmp(*buf, "Sat", 3) == 0) ++ else if (strncasecmp(*buf, "Sat", abbrev_length) == 0) + *wday = 6; + break; + case 'M': +- if (strncasecmp(*buf, "Mon", 3) == 0) ++ if (strncasecmp(*buf, "Mon", abbrev_length) == 0) + *wday = 1; + break; + case 'T': +- if (strncasecmp(*buf, "Tue", 3) == 0) ++ if (strncasecmp(*buf, "Tue", abbrev_length) == 0) + *wday = 2; +- else if (strncasecmp(*buf, "Thu", 3) == 0) ++ else if (strncasecmp(*buf, "Thu", abbrev_length) == 0) + *wday = 4; + break; + case 'W': +- if (strncasecmp(*buf, "Wed", 3) == 0) ++ if (strncasecmp(*buf, "Wed", abbrev_length) == 0) + *wday = 3; + break; + case 'F': +- if (strncasecmp(*buf, "Fri", 3) == 0) ++ if (strncasecmp(*buf, "Fri", abbrev_length) == 0) + *wday = 5; + break; + default: + return FALSE; + } + +- (*buf) += 3; +- (*left) -= 3; ++ (*buf) += abbrev_length; ++ (*left) -= abbrev_length; + return TRUE; + } + +@@ -77,57 +79,59 @@ scan_month_abbrev(const gchar **buf, gint *left, gint *mon) + { + *mon = -1; + +- if (*left < 3) ++ const gsize abbrev_length = 3; ++ ++ if (*left < abbrev_length) + return FALSE; + + switch (**buf) + { + case 'J': +- if (strncasecmp(*buf, "Jan", 3) == 0) ++ if (strncasecmp(*buf, "Jan", abbrev_length) == 0) + *mon = 0; +- else if (strncasecmp(*buf, "Jun", 3) == 0) ++ else if (strncasecmp(*buf, "Jun", abbrev_length) == 0) + *mon = 5; +- else if (strncasecmp(*buf, "Jul", 3) == 0) ++ else if (strncasecmp(*buf, "Jul", abbrev_length) == 0) + *mon = 6; + break; + case 'F': +- if (strncasecmp(*buf, "Feb", 3) == 0) ++ if (strncasecmp(*buf, "Feb", abbrev_length) == 0) + *mon = 1; + break; + case 'M': +- if (strncasecmp(*buf, "Mar", 3) == 0) ++ if (strncasecmp(*buf, "Mar", abbrev_length) == 0) + *mon = 2; +- else if (strncasecmp(*buf, "May", 3) == 0) ++ else if (strncasecmp(*buf, "May", abbrev_length) == 0) + *mon = 4; + break; + case 'A': +- if (strncasecmp(*buf, "Apr", 3) == 0) ++ if (strncasecmp(*buf, "Apr", abbrev_length) == 0) + *mon = 3; +- else if (strncasecmp(*buf, "Aug", 3) == 0) ++ else if (strncasecmp(*buf, "Aug", abbrev_length) == 0) + *mon = 7; + break; + case 'S': +- if (strncasecmp(*buf, "Sep", 3) == 0) ++ if (strncasecmp(*buf, "Sep", abbrev_length) == 0) + *mon = 8; + break; + case 'O': +- if (strncasecmp(*buf, "Oct", 3) == 0) ++ if (strncasecmp(*buf, "Oct", abbrev_length) == 0) + *mon = 9; + break; + case 'N': +- if (strncasecmp(*buf, "Nov", 3) == 0) ++ if (strncasecmp(*buf, "Nov", abbrev_length) == 0) + *mon = 10; + break; + case 'D': +- if (strncasecmp(*buf, "Dec", 3) == 0) ++ if (strncasecmp(*buf, "Dec", abbrev_length) == 0) + *mon = 11; + break; + default: + return FALSE; + } + +- (*buf) += 3; +- (*left) -= 3; ++ (*buf) += abbrev_length; ++ (*left) -= abbrev_length; + return TRUE; + } + +@@ -302,7 +306,7 @@ __parse_usec(const guchar **data, gint *length) + src++; + (*length)--; + } +- while (isdigit(*src)) ++ while (*length > 0 && isdigit(*src)) + { + src++; + (*length)--; +@@ -316,19 +320,21 @@ __parse_usec(const guchar **data, gint *length) + static gboolean + __has_iso_timezone(const guchar *src, gint length) + { +- return (length >= 5) && ++ return (length >= 6) && + (*src == '+' || *src == '-') && + isdigit(*(src+1)) && + isdigit(*(src+2)) && + *(src+3) == ':' && + isdigit(*(src+4)) && + isdigit(*(src+5)) && +- !isdigit(*(src+6)); ++ (length < 7 || !isdigit(*(src+6))); + } + + static guint32 + __parse_iso_timezone(const guchar **data, gint *length) + { ++ g_assert(*length >= 6); ++ + gint hours, mins; + const guchar *src = *data; + guint32 tz = 0; +@@ -338,8 +344,10 @@ __parse_iso_timezone(const guchar **data, gint *length) + hours = (*(src + 1) - '0') * 10 + *(src + 2) - '0'; + mins = (*(src + 4) - '0') * 10 + *(src + 5) - '0'; + tz = sign * (hours * 3600 + mins * 60); ++ + src += 6; + (*length) -= 6; ++ + *data = src; + return tz; + } +@@ -393,7 +401,7 @@ __parse_bsd_timestamp(const guchar **data, gint *length, WallClockTime *wct) + if (!scan_pix_timestamp((const gchar **) &src, &left, wct)) + return FALSE; + +- if (*src == ':') ++ if (left && *src == ':') + { + src++; + left--; +@@ -444,7 +452,7 @@ scan_rfc3164_timestamp(const guchar **data, gint *length, WallClockTime *wct) + * looking at you, skip that as well, so we can reliably detect IPv6 + * addresses as hostnames, which would be using ":" as well. */ + +- if (*src == ':') ++ if (left && *src == ':') + { + ++src; + --left; +diff --git a/lib/timeutils/tests/test_scan-timestamp.c b/lib/timeutils/tests/test_scan-timestamp.c +index 4508139..ad657c6 100644 +--- a/lib/timeutils/tests/test_scan-timestamp.c ++++ b/lib/timeutils/tests/test_scan-timestamp.c +@@ -49,17 +49,21 @@ fake_time_add(time_t diff) + } + + static gboolean +-_parse_rfc3164(const gchar *ts, gchar isotimestamp[32]) ++_parse_rfc3164(const gchar *ts, gint len, gchar isotimestamp[32]) + { + UnixTime stamp; +- const guchar *data = (const guchar *) ts; +- gint length = strlen(ts); ++ const guchar *tsu = (const guchar *) ts; ++ gint tsu_len = len < 0 ? strlen(ts) : len; + GString *result = g_string_new(""); + WallClockTime wct = WALL_CLOCK_TIME_INIT; + +- ++ const guchar *data = tsu; ++ gint length = tsu_len; + gboolean success = scan_rfc3164_timestamp(&data, &length, &wct); + ++ cr_assert(length >= 0); ++ cr_assert(data == &tsu[tsu_len - length]); ++ + unix_time_unset(&stamp); + convert_wall_clock_time_to_unix_time(&wct, &stamp); + +@@ -70,16 +74,21 @@ _parse_rfc3164(const gchar *ts, gchar isotimestamp[32]) + } + + static gboolean +-_parse_rfc5424(const gchar *ts, gchar isotimestamp[32]) ++_parse_rfc5424(const gchar *ts, gint len, gchar isotimestamp[32]) + { + UnixTime stamp; +- const guchar *data = (const guchar *) ts; +- gint length = strlen(ts); ++ const guchar *tsu = (const guchar *) ts; ++ gint tsu_len = len < 0 ? strlen(ts) : len; + GString *result = g_string_new(""); + WallClockTime wct = WALL_CLOCK_TIME_INIT; + ++ const guchar *data = tsu; ++ gint length = tsu_len; + gboolean success = scan_rfc5424_timestamp(&data, &length, &wct); + ++ cr_assert(length >= 0); ++ cr_assert(data == &tsu[tsu_len - length]); ++ + unix_time_unset(&stamp); + convert_wall_clock_time_to_unix_time(&wct, &stamp); + +@@ -90,31 +99,60 @@ _parse_rfc5424(const gchar *ts, gchar isotimestamp[32]) + } + + static gboolean +-_rfc3164_timestamp_eq(const gchar *ts, const gchar *expected, gchar converted[32]) ++_rfc3164_timestamp_eq(const gchar *ts, gint len, const gchar *expected, gchar converted[32]) + { +- cr_assert(_parse_rfc3164(ts, converted)); ++ cr_assert(_parse_rfc3164(ts, len, converted)); + return strcmp(converted, expected) == 0; + } + + static gboolean +-_rfc5424_timestamp_eq(const gchar *ts, const gchar *expected, gchar converted[32]) ++_rfc5424_timestamp_eq(const gchar *ts, gint len, const gchar *expected, gchar converted[32]) + { +- cr_assert(_parse_rfc5424(ts, converted)); ++ cr_assert(_parse_rfc5424(ts, len, converted)); + return strcmp(converted, expected) == 0; + } + + #define _expect_rfc3164_timestamp_eq(ts, expected) \ + ({ \ + gchar converted[32]; \ +- cr_expect(_rfc3164_timestamp_eq(ts, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ cr_expect(_rfc3164_timestamp_eq(ts, -1, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc3164_timestamp_len_eq(ts, len, expected) \ ++ ({ \ ++ gchar converted[32]; \ ++ cr_expect(_rfc3164_timestamp_eq(ts, len, expected, converted), "Parsed RFC3164 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc3164_fails(ts, len) \ ++ ({ \ ++ WallClockTime wct = WALL_CLOCK_TIME_INIT; \ ++ const guchar *data = (guchar *) ts; \ ++ gint length = len < 0 ? strlen(ts) : len; \ ++ cr_assert_not(scan_rfc3164_timestamp(&data, &length, &wct)); \ + }) + + #define _expect_rfc5424_timestamp_eq(ts, expected) \ + ({ \ + gchar converted[32]; \ +- cr_expect(_rfc5424_timestamp_eq(ts, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ cr_expect(_rfc5424_timestamp_eq(ts, -1, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ ++ }) ++ ++#define _expect_rfc5424_timestamp_len_eq(ts, len, expected) \ ++ ({ \ ++ gchar converted[32]; \ ++ cr_expect(_rfc5424_timestamp_eq(ts, len, expected, converted), "Parsed RFC5424 timestamp does not equal expected, ts=%s, converted=%s, expected=%s", ts, converted, expected); \ + }) + ++#define _expect_rfc5424_fails(ts, len) \ ++ ({ \ ++ WallClockTime wct = WALL_CLOCK_TIME_INIT; \ ++ const guchar *data = (guchar *) ts; \ ++ gint length = len < 0 ? strlen(ts) : len; \ ++ cr_assert_not(scan_rfc5424_timestamp(&data, &length, &wct)); \ ++ }) ++ ++ + Test(parse_timestamp, standard_bsd_format) + { + _expect_rfc3164_timestamp_eq("Oct 1 17:46:12", "2017-10-01T17:46:12.000+02:00"); +@@ -148,6 +186,75 @@ Test(parse_timestamp, standard_bsd_format_year_in_the_past) + _expect_rfc3164_timestamp_eq("Dec 31 17:46:12", "2017-12-31T17:46:12.000+01:00"); + } + ++Test(parse_timestamp, non_zero_terminated_rfc3164_iso_input_is_handled_properly) ++{ ++ gchar *ts = "2022-08-17T05:02:28.417Z whatever"; ++ gint ts_len = 24; ++ ++ _expect_rfc3164_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.417+00:00"); ++ ++ /* no "Z" parsed, timezone defaults to local, forced CET */ ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 1, "2022-08-17T05:02:28.417+02:00"); ++ ++ /* msec is partially parsed as we trim the string from the right */ ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 2, "2022-08-17T05:02:28.410+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 3, "2022-08-17T05:02:28.400+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 4, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len - 5, "2022-08-17T05:02:28.000+02:00"); ++ ++ for (gint i = 6; i < ts_len; i++) ++ _expect_rfc3164_fails(ts, ts_len - i); ++ ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc3164_bsd_pix_or_asa_input_is_handled_properly) ++{ ++ gchar *ts = "Aug 17 2022 05:02:28: whatever"; ++ gint ts_len = 21; ++ ++ _expect_rfc3164_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc3164_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.000+02:00"); ++ ++ /* no ":" at the end, that's a problem, unrecognized */ ++ _expect_rfc3164_fails(ts, ts_len - 1); ++ ++ for (gint i = 1; i < ts_len; i++) ++ _expect_rfc3164_fails(ts, ts_len - i); ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc5424_input_is_handled_properly) ++{ ++ gchar *ts = "2022-08-17T05:02:28.417Z whatever"; ++ gint ts_len = 24; ++ ++ _expect_rfc5424_timestamp_len_eq(ts, strlen(ts), "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len + 5, "2022-08-17T05:02:28.417+00:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len, "2022-08-17T05:02:28.417+00:00"); ++ ++ /* no "Z" parsed, timezone defaults to local, forced CET */ ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 1, "2022-08-17T05:02:28.417+02:00"); ++ ++ /* msec is partially parsed as we trim the string from the right */ ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 2, "2022-08-17T05:02:28.410+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 3, "2022-08-17T05:02:28.400+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 4, "2022-08-17T05:02:28.000+02:00"); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len - 5, "2022-08-17T05:02:28.000+02:00"); ++ ++ for (gint i = 6; i < ts_len; i++) ++ _expect_rfc5424_fails(ts, ts_len - i); ++ ++} ++ ++Test(parse_timestamp, non_zero_terminated_rfc5424_timestamp_only) ++{ ++ const gchar *ts = "2022-08-17T05:02:28.417+03:00"; ++ gint ts_len = strlen(ts); ++ _expect_rfc5424_timestamp_len_eq(ts, ts_len, ts); ++} ++ + + Test(parse_timestamp, daylight_saving_behavior_at_spring_with_explicit_timezones) + { +diff --git a/modules/syslogformat/CMakeLists.txt b/modules/syslogformat/CMakeLists.txt +index fb55ea4..a2a92bb 100644 +--- a/modules/syslogformat/CMakeLists.txt ++++ b/modules/syslogformat/CMakeLists.txt +@@ -24,4 +24,6 @@ target_include_directories(syslogformat + ) + target_link_libraries(syslogformat PRIVATE syslog-ng) + ++add_test_subdirectory(tests) ++ + install(TARGETS syslogformat LIBRARY DESTINATION lib/syslog-ng/) +diff --git a/modules/syslogformat/Makefile.am b/modules/syslogformat/Makefile.am +index f13f88c..14cdf58 100644 +--- a/modules/syslogformat/Makefile.am ++++ b/modules/syslogformat/Makefile.am +@@ -31,3 +31,5 @@ modules_syslogformat_libsyslogformat_la_DEPENDENCIES = \ + modules/syslogformat modules/syslogformat/ mod-syslogformat: \ + modules/syslogformat/libsyslogformat.la + .PHONY: modules/syslogformat/ mod-syslogformat ++ ++include modules/syslogformat/tests/Makefile.am +diff --git a/modules/syslogformat/syslog-format.c b/modules/syslogformat/syslog-format.c +index 6d53a32..a69f39f 100644 +--- a/modules/syslogformat/syslog-format.c ++++ b/modules/syslogformat/syslog-format.c +@@ -200,7 +200,7 @@ log_msg_parse_cisco_sequence_id(LogMessage *self, const guchar **data, gint *len + + /* if the next char is not space, then we may try to read a date */ + +- if (*src != ' ') ++ if (!left || *src != ' ') + return; + + log_msg_set_value(self, handles.cisco_seqid, (gchar *) *data, *length - left - 1); +@@ -216,6 +216,9 @@ log_msg_parse_cisco_timestamp_attributes(LogMessage *self, const guchar **data, + const guchar *src = *data; + gint left = *length; + ++ if (!left) ++ return; ++ + /* Cisco timestamp extensions, the first '*' indicates that the clock is + * unsynced, '.' if it is known to be synced */ + if (G_UNLIKELY(src[0] == '*')) +@@ -564,7 +567,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + open_sd++; + do + { +- if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') ++ if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') + goto error; + /* read sd_id */ + pos = 0; +@@ -598,7 +601,8 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + strcpy(sd_value_name, logmsg_sd_prefix); + /* this strcat is safe, as sd_id_name is at most 32 chars */ + strncpy(sd_value_name + logmsg_sd_prefix_len, sd_id_name, sizeof(sd_value_name) - logmsg_sd_prefix_len); +- if (*src == ']') ++ ++ if (left && *src == ']') + { + log_msg_set_value_by_name(self, sd_value_name, "", 0); + } +@@ -615,7 +619,7 @@ log_msg_parse_sd(LogMessage *self, const guchar **data, gint *length, const MsgF + else + goto error; + +- if (!isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') ++ if (!left || !isascii(*src) || *src == '=' || *src == ' ' || *src == ']' || *src == '"') + goto error; + + /* read sd-param */ +diff --git a/modules/syslogformat/tests/CMakeLists.txt b/modules/syslogformat/tests/CMakeLists.txt +new file mode 100644 +index 0000000..2e45b71 +--- /dev/null ++++ b/modules/syslogformat/tests/CMakeLists.txt +@@ -0,0 +1 @@ ++add_unit_test(CRITERION TARGET test_syslog_format DEPENDS syslogformat) +diff --git a/modules/syslogformat/tests/Makefile.am b/modules/syslogformat/tests/Makefile.am +new file mode 100644 +index 0000000..7ee66a5 +--- /dev/null ++++ b/modules/syslogformat/tests/Makefile.am +@@ -0,0 +1,9 @@ ++modules_syslogformat_tests_TESTS = \ ++ modules/syslogformat/tests/test_syslog_format ++ ++check_PROGRAMS += ${modules_syslogformat_tests_TESTS} ++ ++EXTRA_DIST += modules/syslogformat/tests/CMakeLists.txt ++ ++modules_syslogformat_tests_test_syslog_format_CFLAGS = $(TEST_CFLAGS) -I$(top_srcdir)/modules/syslogformat ++modules_syslogformat_tests_test_syslog_format_LDADD = $(TEST_LDADD) $(PREOPEN_SYSLOGFORMAT) +diff --git a/modules/syslogformat/tests/test_syslog_format.c b/modules/syslogformat/tests/test_syslog_format.c +new file mode 100644 +index 0000000..d0f5b40 +--- /dev/null ++++ b/modules/syslogformat/tests/test_syslog_format.c +@@ -0,0 +1,104 @@ ++/* ++ * Copyright (c) 2022 One Identity ++ * Copyright (c) 2022 László Várady ++ * ++ * This program is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 as published ++ * by the Free Software Foundation, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ * As an additional exemption you are allowed to compile & link against the ++ * OpenSSL libraries as published by the OpenSSL project. See the file ++ * COPYING for details. ++ * ++ */ ++ ++#include <criterion/criterion.h> ++ ++#include "apphook.h" ++#include "cfg.h" ++#include "syslog-format.h" ++#include "logmsg/logmsg.h" ++#include "msg-format.h" ++#include "scratch-buffers.h" ++ ++#include <string.h> ++ ++GlobalConfig *cfg; ++MsgFormatOptions parse_options; ++ ++static void ++setup(void) ++{ ++ app_startup(); ++ syslog_format_init(); ++ ++ cfg = cfg_new_snippet(); ++ msg_format_options_defaults(&parse_options); ++} ++ ++static void ++teardown(void) ++{ ++ scratch_buffers_explicit_gc(); ++ app_shutdown(); ++ cfg_free(cfg); ++} ++ ++TestSuite(syslog_format, .init = setup, .fini = teardown); ++ ++Test(syslog_format, parser_should_not_spin_on_non_zero_terminated_input, .timeout = 10) ++{ ++ const gchar *data = "<182>2022-08-17T05:02:28.217 mymachine su: 'su root' failed for lonvick on /dev/pts/8"; ++ /* chosen carefully to reproduce a bug */ ++ gsize data_length = 27; ++ ++ msg_format_options_init(&parse_options, cfg); ++ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length); ++ ++ gsize problem_position; ++ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position)); ++ ++ msg_format_options_destroy(&parse_options); ++ log_msg_unref(msg); ++} ++ ++Test(syslog_format, cisco_sequence_id_non_zero_termination) ++{ ++ const gchar *data = "<189>65536: "; ++ gsize data_length = strlen(data); ++ ++ msg_format_options_init(&parse_options, cfg); ++ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length); ++ ++ gsize problem_position; ++ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position)); ++ cr_assert_str_eq(log_msg_get_value_by_name(msg, ".SDATA.meta.sequenceId", NULL), "65536"); ++ ++ msg_format_options_destroy(&parse_options); ++ log_msg_unref(msg); ++} ++ ++Test(syslog_format, minimal_non_zero_terminated_numeric_message_is_parsed_as_program_name) ++{ ++ const gchar *data = "<189>65536"; ++ gsize data_length = strlen(data); ++ ++ msg_format_options_init(&parse_options, cfg); ++ LogMessage *msg = msg_format_construct_message(&parse_options, (const guchar *) data, data_length); ++ ++ gsize problem_position; ++ cr_assert(syslog_format_handler(&parse_options, msg, (const guchar *) data, data_length, &problem_position)); ++ cr_assert_str_eq(log_msg_get_value_by_name(msg, "PROGRAM", NULL), "65536"); ++ ++ msg_format_options_destroy(&parse_options); ++ log_msg_unref(msg); ++} +-- +2.25.1 + diff --git a/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb b/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb index 10bf00fdce..6e90dabd14 100644 --- a/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb +++ b/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb @@ -9,6 +9,7 @@ SRC_URI += " \ file://0001-syslog-ng-fix-segment-fault-during-service-start.patch \ file://shebang.patch \ file://syslog-ng-tmp.conf \ + file://CVE-2022-38725.patch \ " SRC_URI[md5sum] = "ef9de066793f7358af7312b964ac0450" diff --git a/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb b/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb index 9f89bac22a..5bcbea4600 100644 --- a/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb +++ b/meta-oe/recipes-support/thin-provisioning-tools/thin-provisioning-tools_0.8.5.bb @@ -7,7 +7,7 @@ SECTION = "devel" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/jthornber/thin-provisioning-tools \ +SRC_URI = "git://github.com/jthornber/thin-provisioning-tools;branch=main;protocol=https \ file://0001-do-not-strip-pdata_tools-at-do_install.patch \ file://use-sh-on-path.patch \ " diff --git a/meta-oe/recipes-support/toscoterm/toscoterm_git.bb b/meta-oe/recipes-support/toscoterm/toscoterm_git.bb index aba485e1a4..4dddd54c5f 100644 --- a/meta-oe/recipes-support/toscoterm/toscoterm_git.bb +++ b/meta-oe/recipes-support/toscoterm/toscoterm_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://main.c;start_line=5;end_line=16;md5=9ae4bf20caf291afa # 0.2 version SRCREV = "8586d617aed19fc75f5ae1e07270752c1b2f9a30" -SRC_URI = "git://github.com/OSSystems/toscoterm.git" +SRC_URI = "git://github.com/OSSystems/toscoterm.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch b/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch new file mode 100644 index 0000000000..0189833b49 --- /dev/null +++ b/meta-oe/recipes-support/udisks/udisks2/CVE-2021-3802.patch @@ -0,0 +1,63 @@ +From 2517b8feb13919c382e53ab5f9b63c5b5ee5b063 Mon Sep 17 00:00:00 2001 +From: Emilio Pozuelo Monfort <pochu@debian.org> +Date: Fri, 5 Nov 2021 09:29:13 +0100 +Subject: [PATCH] udisks2 security update + +mount options: Always use errors=remount-ro for ext filesystems + +Stefan Walter found that udisks2, a service to access and manipulate +storage devices, could cause denial of service via system crash if a +corrupted or specially crafted ext2/3/4 device or image was mounted, +which could happen automatically on certain environments. + +For Debian 9 stretch, this problem has been fixed in version +2.1.8-1+deb9u1. + +Default mount options are focused primarily on data safety, mounting +damaged ext2/3/4 filesystem as readonly would indicate something's wrong. + +Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/u/udisks2/udisks2_2.1.8-1+deb9u1.debian.tar.xz] +CVE: CVE-2021-3802 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +--- + src/udiskslinuxfilesystem.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/udiskslinuxfilesystem.c b/src/udiskslinuxfilesystem.c +index a5a3898c..eac8cab3 100644 +--- a/src/udiskslinuxfilesystem.c ++++ b/src/udiskslinuxfilesystem.c +@@ -421,6 +421,21 @@ static const gchar *hfsplus_allow[] = { "creator", "type", "umask", "session", " + static const gchar *hfsplus_allow_uid_self[] = { "uid", NULL }; + static const gchar *hfsplus_allow_gid_self[] = { "gid", NULL }; + ++/* ---------------------- ext2 -------------------- */ ++ ++static const gchar *ext2_defaults[] = { "errors=remount-ro", NULL }; ++static const gchar *ext2_allow[] = { "errors=remount-ro", NULL }; ++ ++/* ---------------------- ext3 -------------------- */ ++ ++static const gchar *ext3_defaults[] = { "errors=remount-ro", NULL }; ++static const gchar *ext3_allow[] = { "errors=remount-ro", NULL }; ++ ++/* ---------------------- ext4 -------------------- */ ++ ++static const gchar *ext4_defaults[] = { "errors=remount-ro", NULL }; ++static const gchar *ext4_allow[] = { "errors=remount-ro", NULL }; ++ + /* ------------------------------------------------ */ + /* TODO: support context= */ + +@@ -434,6 +449,9 @@ static const FSMountOptions fs_mount_options[] = + { "udf", udf_defaults, udf_allow, udf_allow_uid_self, udf_allow_gid_self }, + { "exfat", exfat_defaults, exfat_allow, exfat_allow_uid_self, exfat_allow_gid_self }, + { "hfsplus", hfsplus_defaults, hfsplus_allow, hfsplus_allow_uid_self, hfsplus_allow_gid_self }, ++ { "ext2", ext2_defaults, ext2_allow, NULL, NULL }, ++ { "ext3", ext3_defaults, ext3_allow, NULL, NULL }, ++ { "ext4", ext4_defaults, ext4_allow, NULL, NULL }, + }; + + /* ------------------------------------------------ */ diff --git a/meta-oe/recipes-support/udisks/udisks2_git.bb b/meta-oe/recipes-support/udisks/udisks2_git.bb index ecaf01e71d..58c8a9899a 100644 --- a/meta-oe/recipes-support/udisks/udisks2_git.bb +++ b/meta-oe/recipes-support/udisks/udisks2_git.bb @@ -17,7 +17,8 @@ DEPENDS += "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" RDEPENDS_${PN} = "acl" SRC_URI = " \ - git://github.com/storaged-project/udisks.git;branch=master \ + git://github.com/storaged-project/udisks.git;branch=master;protocol=https \ + file://CVE-2021-3802.patch \ " PV = "2.8.4+git${SRCREV}" SRCREV = "db5f487345da2eaa87976450ea51c2c465d9b82e" diff --git a/meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb b/meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb index b294d77bad..0bb48412a9 100644 --- a/meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb +++ b/meta-oe/recipes-support/uhubctl/uhubctl_2.1.0.bb @@ -7,7 +7,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRCREV = "c9fa3c68a1b2c9790c731602b8bae2b513e80605" -SRC_URI = "git://github.com/mvp/${BPN}" +SRC_URI = "git://github.com/mvp/${BPN};branch=master;protocol=https" S = "${WORKDIR}/git" # uhubctl gets its program version from "git describe". As we use the source diff --git a/meta-oe/recipes-support/usb-modeswitch/usb-modeswitch-data_20191128.bb b/meta-oe/recipes-support/usb-modeswitch/usb-modeswitch-data_20191128.bb index 938c0f9c26..ca970e59bb 100644 --- a/meta-oe/recipes-support/usb-modeswitch/usb-modeswitch-data_20191128.bb +++ b/meta-oe/recipes-support/usb-modeswitch/usb-modeswitch-data_20191128.bb @@ -11,9 +11,9 @@ SRC_URI[md5sum] = "e8fce7eb949cbe16c61fb71bade4cc17" SRC_URI[sha256sum] = "3f039b60791c21c7cb15c7986cac89650f076dc274798fa242231b910785eaf9" do_install() { - oe_runmake install DESTDIR=${D} + oe_runmake install DESTDIR=${D} RULESDIR=${D}/${nonarch_base_libdir}/udev/rules.d } RDEPENDS_${PN} = "usb-modeswitch (>= 2.4.0)" -FILES_${PN} += "${base_libdir}/udev/rules.d/ \ +FILES_${PN} += "${nonarch_base_libdir}/udev/rules.d/ \ ${datadir}/usb_modeswitch" diff --git a/meta-oe/recipes-support/usb-modeswitch/usb-modeswitch_2.6.0.bb b/meta-oe/recipes-support/usb-modeswitch/usb-modeswitch_2.6.0.bb index baad340908..6a5287af49 100644 --- a/meta-oe/recipes-support/usb-modeswitch/usb-modeswitch_2.6.0.bb +++ b/meta-oe/recipes-support/usb-modeswitch/usb-modeswitch_2.6.0.bb @@ -19,7 +19,7 @@ RDEPENDS_${PN} = "tcl" RRECOMMENDS_${PN} = "usb-modeswitch-data" do_install() { - oe_runmake DESTDIR=${D} install + oe_runmake DESTDIR=${D} UDEVDIR=${D}/${nonarch_base_libdir}/udev install if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then install -d ${D}/${systemd_unitdir}/system install -m 644 ${S}/usb_modeswitch@.service ${D}/${systemd_unitdir}/system diff --git a/meta-oe/recipes-support/uthash/uthash_2.1.0.bb b/meta-oe/recipes-support/uthash/uthash_2.1.0.bb index 09cef44a85..3f4529e1a0 100644 --- a/meta-oe/recipes-support/uthash/uthash_2.1.0.bb +++ b/meta-oe/recipes-support/uthash/uthash_2.1.0.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a2513f7d2291df840527b76b2a8f9718" SRCREV = "8b214aefcb81df86a7e5e0d4fa20e59a6c18bc02" SRC_URI = "\ - git://github.com/troydhanson/${BPN}.git \ + git://github.com/troydhanson/${BPN}.git;branch=master;protocol=https \ file://run-ptest \ " diff --git a/meta-oe/recipes-support/utouch/utouch-evemu_git.bb b/meta-oe/recipes-support/utouch/utouch-evemu_git.bb index 7c5a734394..e1ec1fda8b 100644 --- a/meta-oe/recipes-support/utouch/utouch-evemu_git.bb +++ b/meta-oe/recipes-support/utouch/utouch-evemu_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949" inherit autotools -SRC_URI = "git://bitmath.org/git/evemu.git;protocol=http \ +SRC_URI = "git://bitmath.org/git/evemu.git;protocol=http;branch=master \ file://0001-Fix-build-on-32bit-arches-with-64bit-time_t.patch \ " SRCREV = "9752b50e922572e4cd214ac45ed95e4ee410fe24" diff --git a/meta-oe/recipes-support/utouch/utouch-frame_git.bb b/meta-oe/recipes-support/utouch/utouch-frame_git.bb index 1ebebfa9f5..5993956353 100644 --- a/meta-oe/recipes-support/utouch/utouch-frame_git.bb +++ b/meta-oe/recipes-support/utouch/utouch-frame_git.bb @@ -9,7 +9,7 @@ DEPENDS += "mtdev utouch-evemu" inherit autotools pkgconfig -SRC_URI = "git://bitmath.org/git/frame.git;protocol=http \ +SRC_URI = "git://bitmath.org/git/frame.git;protocol=http;branch=master \ file://remove-man-page-creation.patch \ file://0001-include-sys-stat.h-for-fixing-build-issue-on-musl.patch \ file://0001-Fix-build-on-32bit-arches-with-64bit-time_t.patch \ diff --git a/meta-oe/recipes-support/utouch/utouch-mtview_git.bb b/meta-oe/recipes-support/utouch/utouch-mtview_git.bb index 5f07bf28ee..65edaf1e5b 100644 --- a/meta-oe/recipes-support/utouch/utouch-mtview_git.bb +++ b/meta-oe/recipes-support/utouch/utouch-mtview_git.bb @@ -9,7 +9,7 @@ inherit autotools pkgconfig features_check # depends on virtual/libx11 REQUIRED_DISTRO_FEATURES = "x11" -SRC_URI = "git://bitmath.org/git/mtview.git;protocol=http" +SRC_URI = "git://bitmath.org/git/mtview.git;protocol=http;branch=master" SRCREV = "ad437c38dc111cf3990a03abf14efe1b5d89604b" DEPENDS += "mtdev utouch-frame utouch-evemu libx11" diff --git a/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/40-linux-5.13-support.patch b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/40-linux-5.13-support.patch new file mode 100644 index 0000000000..e95e240492 --- /dev/null +++ b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/40-linux-5.13-support.patch @@ -0,0 +1,276 @@ +Subject: Fix build errors with linux 5.13 +Origin: upstream, https://www.virtualbox.org/browser/vbox/trunk +Bug: https://bugs.launchpad.net/bugs/1929193 + +diff -urpN virtualbox-6.1.22-dfsg.orig/src/VBox/Additions/linux/drm/vbox_drv.h virtualbox-6.1.22-dfsg/src/VBox/Additions/linux/drm/vbox_drv.h +--- virtualbox-6.1.22-dfsg.orig/src/VBox/Additions/linux/drm/vbox_drv.h 2021-04-28 16:24:47.000000000 +0000 ++++ virtualbox-6.1.22-dfsg/src/VBox/Additions/linux/drm/vbox_drv.h 2021-06-23 10:08:44.431714404 +0000 +@@ -46,20 +41,20 @@ + * Evaluates to true if the linux kernel version is equal or higher to the + * one specfied. */ + #define RTLNX_VER_MIN(a_Major, a_Minor, a_Patch) \ +- (LINUX_VERSION_CODE >= KERNEL_VERSION(a_Major, a_Minor, a_Patch)) ++ (LINUX_VERSION_CODE >= KERNEL_VERSION(a_Major, a_Minor, a_Patch)) + + /** @def RTLNX_VER_MAX + * Evaluates to true if the linux kernel version is less to the one specfied + * (exclusive). */ + #define RTLNX_VER_MAX(a_Major, a_Minor, a_Patch) \ +- (LINUX_VERSION_CODE < KERNEL_VERSION(a_Major, a_Minor, a_Patch)) ++ (LINUX_VERSION_CODE < KERNEL_VERSION(a_Major, a_Minor, a_Patch)) + + /** @def RTLNX_VER_RANGE + * Evaluates to true if the linux kernel version is equal or higher to the given + * minimum version and less (but not equal) to the maximum version (exclusive). */ + #define RTLNX_VER_RANGE(a_MajorMin, a_MinorMin, a_PatchMin, a_MajorMax, a_MinorMax, a_PatchMax) \ +- ( LINUX_VERSION_CODE >= KERNEL_VERSION(a_MajorMin, a_MinorMin, a_PatchMin) \ +- && LINUX_VERSION_CODE < KERNEL_VERSION(a_MajorMax, a_MinorMax, a_PatchMax) ) ++ ( LINUX_VERSION_CODE >= KERNEL_VERSION(a_MajorMin, a_MinorMin, a_PatchMin) \ ++ && LINUX_VERSION_CODE < KERNEL_VERSION(a_MajorMax, a_MinorMax, a_PatchMax) ) + + + /** @def RTLNX_RHEL_MIN +@@ -70,7 +65,7 @@ + */ + #if defined(RHEL_MAJOR) && defined(RHEL_MINOR) + # define RTLNX_RHEL_MIN(a_iMajor, a_iMinor) \ +- ((RHEL_MAJOR) > (a_iMajor) || ((RHEL_MAJOR) == (a_iMajor) && (RHEL_MINOR) >= (a_iMinor))) ++ ((RHEL_MAJOR) > (a_iMajor) || ((RHEL_MAJOR) == (a_iMajor) && (RHEL_MINOR) >= (a_iMinor))) + #else + # define RTLNX_RHEL_MIN(a_iMajor, a_iMinor) (0) + #endif +@@ -83,7 +78,7 @@ + */ + #if defined(RHEL_MAJOR) && defined(RHEL_MINOR) + # define RTLNX_RHEL_MAX(a_iMajor, a_iMinor) \ +- ((RHEL_MAJOR) < (a_iMajor) || ((RHEL_MAJOR) == (a_iMajor) && (RHEL_MINOR) < (a_iMinor))) ++ ((RHEL_MAJOR) < (a_iMajor) || ((RHEL_MAJOR) == (a_iMajor) && (RHEL_MINOR) < (a_iMinor))) + #else + # define RTLNX_RHEL_MAX(a_iMajor, a_iMinor) (0) + #endif +@@ -95,7 +90,7 @@ + */ + #if defined(RHEL_MAJOR) && defined(RHEL_MINOR) + # define RTLNX_RHEL_RANGE(a_iMajorMin, a_iMinorMin, a_iMajorMax, a_iMinorMax) \ +- (RTLNX_RHEL_MIN(a_iMajorMin, a_iMinorMin) && RTLNX_RHEL_MAX(a_iMajorMax, a_iMinorMax)) ++ (RTLNX_RHEL_MIN(a_iMajorMin, a_iMinorMin) && RTLNX_RHEL_MAX(a_iMajorMax, a_iMinorMax)) + #else + # define RTLNX_RHEL_RANGE(a_iMajorMin, a_iMinorMin, a_iMajorMax, a_iMinorMax) (0) + #endif +@@ -173,7 +168,9 @@ + #include <drm/ttm/ttm_bo_api.h> + #include <drm/ttm/ttm_bo_driver.h> + #include <drm/ttm/ttm_placement.h> ++#if RTLNX_VER_MAX(5,13,0) + #include <drm/ttm/ttm_memory.h> ++#endif + #if RTLNX_VER_MAX(5,12,0) + # include <drm/ttm/ttm_module.h> + #endif +@@ -222,7 +219,7 @@ static inline void drm_gem_object_put(st + VBVA_ADAPTER_INFORMATION_SIZE) + #define GUEST_HEAP_SIZE VBVA_ADAPTER_INFORMATION_SIZE + #define GUEST_HEAP_USABLE_SIZE (VBVA_ADAPTER_INFORMATION_SIZE - \ +- sizeof(HGSMIHOSTFLAGS)) ++ sizeof(struct hgsmi_host_flags)) + #define HOST_FLAGS_OFFSET GUEST_HEAP_USABLE_SIZE + + /** How frequently we refresh if the guest is not providing dirty rectangles. */ +@@ -232,7 +229,7 @@ static inline void drm_gem_object_put(st + static inline void *devm_kcalloc(struct device *dev, size_t n, size_t size, + gfp_t flags) + { +- return devm_kzalloc(dev, n * size, flags); ++ return devm_kzalloc(dev, n * size, flags); + } + #endif + +@@ -244,7 +241,7 @@ struct vbox_private { + u8 __iomem *guest_heap; + u8 __iomem *vbva_buffers; + struct gen_pool *guest_pool; +- struct VBVABUFFERCONTEXT *vbva_info; ++ struct vbva_buf_context *vbva_info; + bool any_pitch; + u32 num_crtcs; + /** Amount of available VRAM, including space used for buffers. */ +@@ -252,7 +249,7 @@ struct vbox_private { + /** Amount of available VRAM, not including space used for buffers. */ + u32 available_vram_size; + /** Array of structures for receiving mode hints. */ +- VBVAMODEHINT *last_mode_hints; ++ struct vbva_modehint *last_mode_hints; + + struct vbox_fbdev *fbdev; + +@@ -263,7 +260,11 @@ struct vbox_private { + struct drm_global_reference mem_global_ref; + struct ttm_bo_global_ref bo_global_ref; + #endif ++#if RTLNX_VER_MIN(5,13,0) ++ struct ttm_device bdev; ++#else + struct ttm_bo_device bdev; ++#endif + bool mm_initialised; + } ttm; + +diff -urpN virtualbox-6.1.22-dfsg.orig/src/VBox/Additions/linux/drm/vbox_ttm.c virtualbox-6.1.22-dfsg/src/VBox/Additions/linux/drm/vbox_ttm.c +--- virtualbox-6.1.22-dfsg.orig/src/VBox/Additions/linux/drm/vbox_ttm.c 2021-04-28 16:24:47.000000000 +0000 ++++ virtualbox-6.1.22-dfsg/src/VBox/Additions/linux/drm/vbox_ttm.c 2021-06-23 10:08:07.164057918 +0000 +@@ -48,7 +43,11 @@ + #endif + + ++#if RTLNX_VER_MIN(5,13,0) ++static inline struct vbox_private *vbox_bdev(struct ttm_device *bd) ++#else + static inline struct vbox_private *vbox_bdev(struct ttm_bo_device *bd) ++#endif + { + return container_of(bd, struct vbox_private, ttm.bdev); + } +@@ -188,7 +187,7 @@ static int vbox_ttm_io_mem_reserve(struc + mem->bus.size = mem->num_pages << PAGE_SHIFT; + mem->bus.base = 0; + mem->bus.is_iomem = false; +- if (!(man->flags & TTM_MEMTYPE_FLAG_MAPPABLE)) ++ if (!(man->flags & TTM_MEMTYPE_FLAG_MAPPABLE)) + return -EINVAL; + switch (mem->mem_type) { + case TTM_PL_SYSTEM: +@@ -205,8 +204,13 @@ static int vbox_ttm_io_mem_reserve(struc + return 0; + } + #else ++# if RTLNX_VER_MAX(5,13,0) + static int vbox_ttm_io_mem_reserve(struct ttm_bo_device *bdev, + struct ttm_resource *mem) ++# else /* > 5.13.0 */ ++static int vbox_ttm_io_mem_reserve(struct ttm_device *bdev, ++ struct ttm_resource *mem) ++# endif /* > 5.13.0 */ + { + struct vbox_private *vbox = vbox_bdev(bdev); + mem->bus.addr = NULL; +@@ -241,7 +245,12 @@ static int vbox_ttm_io_mem_reserve(struc + + + +-#if RTLNX_VER_MIN(5,10,0) ++#if RTLNX_VER_MIN(5,13,0) ++static void vbox_ttm_io_mem_free(struct ttm_device *bdev, ++ struct ttm_resource *mem) ++{ ++} ++#elif RTLNX_VER_MIN(5,10,0) + static void vbox_ttm_io_mem_free(struct ttm_bo_device *bdev, + struct ttm_resource *mem) + { +@@ -253,7 +262,13 @@ static void vbox_ttm_io_mem_free(struct + } + #endif + +-#if RTLNX_VER_MIN(5,10,0) ++#if RTLNX_VER_MIN(5,13,0) ++static void vbox_ttm_tt_destroy(struct ttm_device *bdev, struct ttm_tt *tt) ++{ ++ ttm_tt_fini(tt); ++ kfree(tt); ++} ++#elif RTLNX_VER_MIN(5,10,0) + static void vbox_ttm_tt_destroy(struct ttm_bo_device *bdev, struct ttm_tt *tt) + { + ttm_tt_fini(tt); +@@ -333,7 +348,11 @@ static int vbox_bo_move(struct ttm_buffe + } + #endif + ++#if RTLNX_VER_MIN(5,13,0) ++static struct ttm_device_funcs vbox_bo_driver = { ++#else /* < 5.13.0 */ + static struct ttm_bo_driver vbox_bo_driver = { ++#endif /* < 5.13.0 */ + .ttm_tt_create = vbox_ttm_tt_create, + #if RTLNX_VER_MIN(5,10,0) + .ttm_tt_destroy = vbox_ttm_tt_destroy, +@@ -370,14 +389,22 @@ int vbox_mm_init(struct vbox_private *vb + { + int ret; + struct drm_device *dev = vbox->dev; ++#if RTLNX_VER_MIN(5,13,0) ++ struct ttm_device *bdev = &vbox->ttm.bdev; ++#else + struct ttm_bo_device *bdev = &vbox->ttm.bdev; ++#endif + + #if RTLNX_VER_MAX(5,0,0) && !RTLNX_RHEL_MAJ_PREREQ(7,7) && !RTLNX_RHEL_MAJ_PREREQ(8,1) + ret = vbox_ttm_global_init(vbox); + if (ret) + return ret; + #endif ++#if RTLNX_VER_MIN(5,13,0) ++ ret = ttm_device_init(&vbox->ttm.bdev, ++#else + ret = ttm_bo_device_init(&vbox->ttm.bdev, ++#endif + #if RTLNX_VER_MAX(5,0,0) && !RTLNX_RHEL_MAJ_PREREQ(7,7) && !RTLNX_RHEL_MAJ_PREREQ(8,1) + vbox->ttm.bo_global_ref.ref.object, + #endif +@@ -429,7 +456,11 @@ int vbox_mm_init(struct vbox_private *vb + return 0; + + err_device_release: ++#if RTLNX_VER_MIN(5,13,0) ++ ttm_device_fini(&vbox->ttm.bdev); ++#else + ttm_bo_device_release(&vbox->ttm.bdev); ++#endif + #if RTLNX_VER_MAX(5,0,0) && !RTLNX_RHEL_MAJ_PREREQ(7,7) && !RTLNX_RHEL_MAJ_PREREQ(8,1) + err_ttm_global_release: + vbox_ttm_global_release(vbox); +@@ -446,7 +477,11 @@ void vbox_mm_fini(struct vbox_private *v + #else + arch_phys_wc_del(vbox->fb_mtrr); + #endif ++#if RTLNX_VER_MIN(5,13,0) ++ ttm_device_fini(&vbox->ttm.bdev); ++#else + ttm_bo_device_release(&vbox->ttm.bdev); ++#endif + #if RTLNX_VER_MAX(5,0,0) && !RTLNX_RHEL_MAJ_PREREQ(7,7) && !RTLNX_RHEL_MAJ_PREREQ(8,1) + vbox_ttm_global_release(vbox); + #endif +@@ -528,7 +563,9 @@ int vbox_bo_create(struct drm_device *de + { + struct vbox_private *vbox = dev->dev_private; + struct vbox_bo *vboxbo; ++#if RTLNX_VER_MAX(5,13,0) + size_t acc_size; ++#endif + int ret; + + vboxbo = kzalloc(sizeof(*vboxbo), GFP_KERNEL); +@@ -551,16 +588,20 @@ int vbox_bo_create(struct drm_device *de + + vbox_ttm_placement(vboxbo, VBOX_MEM_TYPE_VRAM | VBOX_MEM_TYPE_SYSTEM); + ++#if RTLNX_VER_MAX(5,13,0) + acc_size = ttm_bo_dma_acc_size(&vbox->ttm.bdev, size, + sizeof(struct vbox_bo)); ++#endif + + ret = ttm_bo_init(&vbox->ttm.bdev, &vboxbo->bo, size, + ttm_bo_type_device, &vboxbo->placement, + #if RTLNX_VER_MAX(4,17,0) && !RTLNX_RHEL_MAJ_PREREQ(7,6) && !RTLNX_SUSE_MAJ_PREREQ(15,1) && !RTLNX_SUSE_MAJ_PREREQ(12,5) + align >> PAGE_SHIFT, false, NULL, acc_size, +-#else ++#elif RTLNX_VER_MAX(5,13,0) /* < 5.13.0 */ + align >> PAGE_SHIFT, false, acc_size, +-#endif ++#else /* > 5.13.0 */ ++ align >> PAGE_SHIFT, false, ++#endif /* > 5.13.0 */ + #if RTLNX_VER_MIN(3,18,0) || RTLNX_RHEL_MAJ_PREREQ(7,2) + NULL, NULL, vbox_bo_ttm_destroy); + #else diff --git a/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/add__divmoddi4.patch b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/add__divmoddi4.patch new file mode 100644 index 0000000000..8dd30a20ef --- /dev/null +++ b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/add__divmoddi4.patch @@ -0,0 +1,36 @@ +add __divmoddi4 builtin + +GCC 11 will generate it in code + +void foo(unsigned char *u8Second, unsigned int *u32Nanosecond, long long timeSpec) +{ + long long i64Div; + int i32Div; + int i32Rem; + i64Div = timeSpec; + i32Rem = (int)(i64Div % 1000000000); + i64Div /= 1000000000; + *u32Nanosecond = i32Rem; + i32Rem = (int)(i64Div % 60); + *u8Second = i32Rem; +} + + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- a/src/VBox/Runtime/common/math/gcc/divdi3.c ++++ b/src/VBox/Runtime/common/math/gcc/divdi3.c +@@ -68,3 +68,12 @@ __divdi3(a, b) + uq = - uq; + return uq; + } ++ ++quad_t ++__divmoddi4(quad_t a, quad_t b, quad_t* rem) ++{ ++ quad_t d = __divdi3(a,b); ++ *rem = a - (d*b); ++ return d; ++} ++ diff --git a/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.6.bb b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.22.bb index 89b1ee11e2..19b8f8f46e 100644 --- a/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.6.bb +++ b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.22.bb @@ -13,11 +13,14 @@ VBOX_NAME = "VirtualBox-${PV}" SRC_URI = "http://download.virtualbox.org/virtualbox/${PV}/${VBOX_NAME}.tar.bz2 \ file://Makefile.utils \ + file://40-linux-5.13-support.patch \ + file://add__divmoddi4.patch \ " -SRC_URI[md5sum] = "fe6328d22dfb20ea372daa4b58b12374" -SRC_URI[sha256sum] = "b031c30d770f28c5f884071ad933e8c1f83e65b93aaba03a4012077c1d90a54f" +SRC_URI[md5sum] = "abb1a20021e5915fe38c666e8c11cf80" +SRC_URI[sha256sum] = "99816d2a15205d49362a31e8ffeb8262d2fa0678c751dfd0a7c43b2faca8be49" -S = "${WORKDIR}/vbox_module" +S ?= "${WORKDIR}/vbox_module" +S_task-patch = "${WORKDIR}/${VBOX_NAME}" export BUILD_TARGET_ARCH="${ARCH}" export BUILD_TARGET_ARCH_x86-64="amd64" diff --git a/meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb b/meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb index 79a5ac5c4e..673fc5899b 100644 --- a/meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb +++ b/meta-oe/recipes-support/websocketpp/websocketpp_0.8.2.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=4d168d763c111f4ffc62249870e4e0ea" DEPENDS = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'openssl boost zlib', '', d)} " -SRC_URI = "git://github.com/zaphoyd/websocketpp.git;protocol=https \ +SRC_URI = "git://github.com/zaphoyd/websocketpp.git;protocol=https;branch=master \ file://0001-cmake-Use-GNUInstallDirs.patch \ file://855.patch \ file://857.patch \ diff --git a/meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb b/meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb index d100030f9b..c161781989 100644 --- a/meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb +++ b/meta-oe/recipes-support/xdelta/xdelta3_3.1.0.bb @@ -7,7 +7,7 @@ SECTION = "console/utils" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" -SRC_URI = "git://github.com/jmacd/xdelta.git;branch=release3_1_apl" +SRC_URI = "git://github.com/jmacd/xdelta.git;branch=release3_1_apl;protocol=https" SRCREV = "4b4aed71a959fe11852e45242bb6524be85d3709" S = "${WORKDIR}/git/xdelta3" diff --git a/meta-oe/recipes-support/xmlsec1/xmlsec1/ensure-search-path-non-host.patch b/meta-oe/recipes-support/xmlsec1/xmlsec1/ensure-search-path-non-host.patch new file mode 100644 index 0000000000..a5a298af0d --- /dev/null +++ b/meta-oe/recipes-support/xmlsec1/xmlsec1/ensure-search-path-non-host.patch @@ -0,0 +1,22 @@ +xmlsec1: Fix configure QA error caused by host lookup path + +ERROR: mc:my-sdk:xmlsec1-1.2.30-r0 do_configure: QA Issue: This autoconf log indicates errors, it looked at host include and/or library paths while determining system capabilities. + +It will eventually arise after the configure QA as the configure script should only look at the staging sysroot dir, not at the host. + +Upstream-Status: Inappropriate [embedded specific] +Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com> + +--- a/configure.ac.orig 2021-01-13 14:37:42.254991177 +0000 ++++ b/configure.ac 2021-01-13 14:40:56.546269330 +0000 +@@ -250,8 +250,8 @@ + dnl ========================================================================== + dnl Common installation locations + dnl ========================================================================== +-COMMON_INCLUDE_DIR="/usr/include /usr/local/include" +-COMMON_LIB_DIR="/usr/lib /usr/lib64 /usr/local/lib" ++COMMON_INCLUDE_DIR="${STAGING_INCDIR}" ++COMMON_LIB_DIR="${STAGING_LIBDIR}" + case $host in + i*86-*-linux-gnu) COMMON_LIB_DIR="$COMMON_LIB_DIR /usr/lib/i386-linux-gnu" ;; + x86_64-*-linux-gnu) COMMON_LIB_DIR="$COMMON_LIB_DIR /usr/lib/x86_64-linux-gnu" ;; diff --git a/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb b/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb index 20c7b2d371..391614b5f2 100644 --- a/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb +++ b/meta-oe/recipes-support/xmlsec1/xmlsec1_1.2.30.bb @@ -19,6 +19,7 @@ SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \ file://xmlsec1-examples-allow-build-in-separate-dir.patch \ file://0001-nss-nspr-fix-for-multilib.patch \ file://run-ptest \ + file://ensure-search-path-non-host.patch \ " SRC_URI[md5sum] = "b66ec21e0a0ac331afb4b1bc5c9ef966" diff --git a/meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb b/meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb index 481e7303b3..1ba4a32ba6 100644 --- a/meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb +++ b/meta-oe/recipes-support/xorg-xrdp/xorgxrdp_0.2.5.bb @@ -10,7 +10,7 @@ DEPENDS = "virtual/libx11 xserver-xorg xrdp nasm-native" inherit features_check REQUIRED_DISTRO_FEATURES = "x11 pam" -SRC_URI = "git://github.com/neutrinolabs/xorgxrdp.git" +SRC_URI = "git://github.com/neutrinolabs/xorgxrdp.git;branch=master;protocol=https" SRCREV = "c122544f184d4031bbae1ad80fbab554c34a9427" diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb index deda0fd1b5..36184705bc 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.11.bb @@ -10,7 +10,7 @@ DEPENDS = "openssl virtual/libx11 libxfixes libxrandr libpam nasm-native" REQUIRED_DISTRO_FEATURES = "x11 pam" -SRC_URI = "git://github.com/neutrinolabs/xrdp.git \ +SRC_URI = "git://github.com/neutrinolabs/xrdp.git;branch=master;protocol=https \ file://xrdp.sysconfig \ file://0001-Added-req_distinguished_name-in-etc-xrdp-openssl.con.patch \ file://0001-Fix-the-compile-error.patch \ diff --git a/meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb b/meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb index 865adc5a1b..783af89bed 100644 --- a/meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb +++ b/meta-oe/recipes-support/xxhash/xxhash_0.7.3.bb @@ -5,7 +5,7 @@ HOMEPAGE = "http://www.xxhash.com/" LICENSE = "BSD-2-Clause & GPL-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=01a7eba4212ef1e882777a38585e7a9b" -SRC_URI = "git://github.com/Cyan4973/xxHash.git" +SRC_URI = "git://github.com/Cyan4973/xxHash.git;branch=master;protocol=https" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" SRCREV = "d408e9b0606d07b1ddc5452ffc0ec8512211b174" diff --git a/meta-oe/recipes-support/zbar/zbar_git.bb b/meta-oe/recipes-support/zbar/zbar_git.bb index 935e09cd53..46ca549c5c 100644 --- a/meta-oe/recipes-support/zbar/zbar_git.bb +++ b/meta-oe/recipes-support/zbar/zbar_git.bb @@ -10,7 +10,7 @@ PV = "0.10+git${SRCPV}" # iPhoneSDK-1.3.1 tag SRCREV = "67003d2a985b5f9627bee2d8e3e0b26d0c474b57" -SRC_URI = "git://github.com/ZBar/Zbar \ +SRC_URI = "git://github.com/ZBar/Zbar;branch=master;protocol=https \ file://0001-make-relies-GNU-extentions.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb b/meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb index e041132b1c..e4c0232bd9 100644 --- a/meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb +++ b/meta-oe/recipes-support/zchunk/zchunk_1.1.6.bb @@ -4,7 +4,7 @@ AUTHOR = "Jonathan Dieter" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=cd6e590282010ce90a94ef25dd31410f" -SRC_URI = "git://github.com/zchunk/zchunk.git;protocol=https" +SRC_URI = "git://github.com/zchunk/zchunk.git;protocol=https;branch=master" SRCREV = "f5593aa11584faa691c81b4898f0aaded47f8bf7" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-test/bats/bats_1.1.0.bb b/meta-oe/recipes-test/bats/bats_1.1.0.bb index a8179744ae..7ee0205766 100644 --- a/meta-oe/recipes-test/bats/bats_1.1.0.bb +++ b/meta-oe/recipes-test/bats/bats_1.1.0.bb @@ -6,7 +6,7 @@ HOMEPAGE = "https://github.com/bats-core/bats-core" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=2970203aedf9e829edb96a137a4fe81b" -SRC_URI = "git://github.com/bats-core/bats-core.git \ +SRC_URI = "git://github.com/bats-core/bats-core.git;branch=master;protocol=https \ " # v1.1.0 SRCREV = "c706d1470dd1376687776bbe985ac22d09780327" diff --git a/meta-oe/recipes-test/catch2/catch2_2.9.2.bb b/meta-oe/recipes-test/catch2/catch2_2.9.2.bb index 57fc935f77..50188937d5 100644 --- a/meta-oe/recipes-test/catch2/catch2_2.9.2.bb +++ b/meta-oe/recipes-test/catch2/catch2_2.9.2.bb @@ -5,7 +5,7 @@ HOMEPAGE = "https://github.com/catchorg/Catch2" LICENSE = "BSL-1.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=e4224ccaecb14d942c71d31bef20d78c" -SRC_URI = "git://github.com/catchorg/Catch2.git" +SRC_URI = "git://github.com/catchorg/Catch2.git;branch=v2.x;protocol=https" SRCREV = "2c869e17e4803d30b3d5ca5b0d76387b9db97fa5" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-test/evtest/evtest_1.34.bb b/meta-oe/recipes-test/evtest/evtest_1.34.bb index a3a23c8951..eb6a34f301 100644 --- a/meta-oe/recipes-test/evtest/evtest_1.34.bb +++ b/meta-oe/recipes-test/evtest/evtest_1.34.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" DEPENDS = "libxml2" SRCREV = "16e5104127a620686bdddc4a9ad62881134d6c69" -SRC_URI = "git://gitlab.freedesktop.org/libevdev/evtest.git;protocol=https \ +SRC_URI = "git://gitlab.freedesktop.org/libevdev/evtest.git;protocol=https;branch=master \ file://add_missing_limits_h_include.patch \ file://0001-Fix-build-on-32bit-arches-with-64bit-time_t.patch \ " diff --git a/meta-oe/recipes-test/fbtest/fb-test_git.bb b/meta-oe/recipes-test/fbtest/fb-test_git.bb index 6a9d4b2787..2992135726 100644 --- a/meta-oe/recipes-test/fbtest/fb-test_git.bb +++ b/meta-oe/recipes-test/fbtest/fb-test_git.bb @@ -6,7 +6,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a" SRCREV = "063ec650960c2d79ac51f5c5f026cb05343a33e2" -SRC_URI = "git://github.com/prpplague/fb-test-app.git" +SRC_URI = "git://github.com/prpplague/fb-test-app.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-test/googletest/googletest_git.bb b/meta-oe/recipes-test/googletest/googletest_git.bb index 354e7de337..35fe1bed00 100644 --- a/meta-oe/recipes-test/googletest/googletest_git.bb +++ b/meta-oe/recipes-test/googletest/googletest_git.bb @@ -11,7 +11,7 @@ PROVIDES += "gmock gtest" S = "${WORKDIR}/git" SRCREV = "703bd9caab50b139428cea1aaff9974ebee5742e" -SRC_URI = "git://github.com/google/googletest.git" +SRC_URI = "git://github.com/google/googletest.git;branch=main;protocol=https" inherit cmake diff --git a/meta-oe/recipes-test/pm-qa/pm-qa_git.bb b/meta-oe/recipes-test/pm-qa/pm-qa_git.bb index 7e9971ea4c..bb641437c9 100644 --- a/meta-oe/recipes-test/pm-qa/pm-qa_git.bb +++ b/meta-oe/recipes-test/pm-qa/pm-qa_git.bb @@ -42,6 +42,7 @@ do_install () { do # Remove hardcoded relative paths sed -i -e 's#..\/utils\/##' ${script} + sed -i -e 's#. ..\/Switches#${bindir}#g' ${script} script_basename=`basename ${script}` install -m 0755 $script ${D}${libdir}/${BPN}/${script_basename} @@ -54,7 +55,7 @@ do_install () { # if the script includes any helper scripts from the $libdir # directory then change the source path to the absolute path # to reflect the install location of the helper scripts. - sed -i -e "s#source ../include#source ${libdir}/${BPN}#g" ${script} + sed -i -e "s#. ../include#. ${libdir}/${BPN}#g" ${script} # Remove hardcoded relative paths sed -i -e 's#..\/utils\/##' ${script} diff --git a/meta-perl/recipes-perl/libconfig/libconfig-autoconf-perl_0.318.bb b/meta-perl/recipes-perl/libconfig/libconfig-autoconf-perl_0.318.bb index afd26fa1c4..40bb586449 100644 --- a/meta-perl/recipes-perl/libconfig/libconfig-autoconf-perl_0.318.bb +++ b/meta-perl/recipes-perl/libconfig/libconfig-autoconf-perl_0.318.bb @@ -38,4 +38,4 @@ S = "${WORKDIR}/Config-AutoConf-${PV}" inherit cpan ptest-perl -BBCLASSEXTEND = "native nativesdk" +BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/libio/libio-socket-ssl-perl_2.068.bb b/meta-perl/recipes-perl/libio/libio-socket-ssl-perl_2.068.bb index fc9786beca..9322db4085 100644 --- a/meta-perl/recipes-perl/libio/libio-socket-ssl-perl_2.068.bb +++ b/meta-perl/recipes-perl/libio/libio-socket-ssl-perl_2.068.bb @@ -43,5 +43,3 @@ do_install_ptest () { cp -r ${B}/t ${D}${PTEST_PATH} cp -r ${B}/certs ${D}${PTEST_PATH} } - -BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/libnet/libnet-dns-perl_1.24.bb b/meta-perl/recipes-perl/libnet/libnet-dns-perl_1.24.bb index 8994f692b4..6d300ea9f5 100644 --- a/meta-perl/recipes-perl/libnet/libnet-dns-perl_1.24.bb +++ b/meta-perl/recipes-perl/libnet/libnet-dns-perl_1.24.bb @@ -62,5 +62,3 @@ python __anonymous () { raise bb.parse.SkipRecipe("incompatible with %s C library" % d.getVar('TCLIBC')) } - -BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/libnet/libnet-ldap-perl_0.66.bb b/meta-perl/recipes-perl/libnet/libnet-ldap-perl_0.66.bb index 26c7c389d8..77c91c86cc 100644 --- a/meta-perl/recipes-perl/libnet/libnet-ldap-perl_0.66.bb +++ b/meta-perl/recipes-perl/libnet/libnet-ldap-perl_0.66.bb @@ -41,5 +41,3 @@ RDEPENDS_${PN}-ptest += " \ perl-module-perlio \ perl-module-test-more \ " - -BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/libstatgrab/libunix-statgrab_0.112.bb b/meta-perl/recipes-perl/libstatgrab/libunix-statgrab_0.112.bb index a1bb4a399e..c281dfa5fe 100644 --- a/meta-perl/recipes-perl/libstatgrab/libunix-statgrab_0.112.bb +++ b/meta-perl/recipes-perl/libstatgrab/libunix-statgrab_0.112.bb @@ -34,5 +34,3 @@ SRC_URI[sha256sum] = "16a29f7acaeec081bf0e7303ba5ee24fda1d21a1104669b837745f3ea6 S = "${WORKDIR}/Unix-Statgrab-${PV}" inherit cpan pkgconfig ptest-perl - -BBCLASSEXTEND = "native" diff --git a/meta-perl/recipes-perl/po4a/po4a_0.49.bb b/meta-perl/recipes-perl/po4a/po4a_0.49.bb index 5db5b8f8bc..d6c1d14f21 100644 --- a/meta-perl/recipes-perl/po4a/po4a_0.49.bb +++ b/meta-perl/recipes-perl/po4a/po4a_0.49.bb @@ -6,7 +6,7 @@ HOMEPAGE = "https://po4a.alioth.debian.org" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=a96fc9b4cc36d80659e694ea109f0325" -SRC_URI = "git://alioth.debian.org/anonscm/git/po4a/po4a.git;protocol=https" +SRC_URI = "git://alioth.debian.org/anonscm/git/po4a/po4a.git;protocol=https;branch=master" # v0.49 SRCREV = "79ed87a577a543538fe39c7b60079981f5997072" diff --git a/meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb b/meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb index e235682cf4..7910fcd18a 100644 --- a/meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb +++ b/meta-python/recipes-connectivity/python-txws/python3-txws_0.9.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=76699830db7fa9e897f6a1ad05f98ec8" DEPENDS = "python3-twisted python3-six python3-vcversioner python3-six-native python3-vcversioner-native" -SRC_URI = "git://github.com/MostAwesomeDude/txWS.git" +SRC_URI = "git://github.com/MostAwesomeDude/txWS.git;branch=master;protocol=https" SRCREV= "88cf6d9b9b685ffa1720644bd53c742afb10a414" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-core/images/meta-python-image.bb b/meta-python/recipes-core/images/meta-python-image.bb index cc75fe6e4b..6353d389b5 100644 --- a/meta-python/recipes-core/images/meta-python-image.bb +++ b/meta-python/recipes-core/images/meta-python-image.bb @@ -2,5 +2,4 @@ require meta-python-image-base.bb SUMMARY = "meta-python build test image" -IMAGE_INSTALL += "packagegroup-meta-python \ - packagegroup-meta-python3" +IMAGE_INSTALL += "packagegroup-meta-python3" diff --git a/meta-python/recipes-core/images/meta-python-ptest-image.bb b/meta-python/recipes-core/images/meta-python-ptest-image.bb index 7ee15354a2..d497016d41 100644 --- a/meta-python/recipes-core/images/meta-python-ptest-image.bb +++ b/meta-python/recipes-core/images/meta-python-ptest-image.bb @@ -2,4 +2,4 @@ require meta-python-image-base.bb SUMMARY = "meta-python ptest test image" -IMAGE_INSTALL += "packagegroup-meta-python-ptest" +IMAGE_INSTALL += "packagegroup-meta-python3-ptest" diff --git a/meta-python/recipes-devtools/gyp/gyp.inc b/meta-python/recipes-devtools/gyp/gyp.inc index 98ed42cc90..1415b41623 100644 --- a/meta-python/recipes-devtools/gyp/gyp.inc +++ b/meta-python/recipes-devtools/gyp/gyp.inc @@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=ab828cb8ce4c62ee82945a11247b6bbd" SECTION = "devel" -SRC_URI = "git://chromium.googlesource.com/external/gyp;protocol=https" +SRC_URI = "git://chromium.googlesource.com/external/gyp;protocol=https;branch=master" SRCREV = "fcd686f1880fa52a1ee78d3e98af1b88cb334528" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python-feedformatter.inc b/meta-python/recipes-devtools/python/python-feedformatter.inc index 6ddcaa98ec..d1669977a9 100644 --- a/meta-python/recipes-devtools/python/python-feedformatter.inc +++ b/meta-python/recipes-devtools/python/python-feedformatter.inc @@ -5,7 +5,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=258e3f39e2383fbd011035d04311008d" SRCREV = "7391193c83e10420b5a2d8ef846d23fc368c6d85" -SRC_URI = "git://github.com/marianoguerra/feedformatter.git" +SRC_URI = "git://github.com/marianoguerra/feedformatter.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python-grpcio-tools.inc b/meta-python/recipes-devtools/python/python-grpcio-tools.inc index 1a15c48de0..6675f904c1 100644 --- a/meta-python/recipes-devtools/python/python-grpcio-tools.inc +++ b/meta-python/recipes-devtools/python/python-grpcio-tools.inc @@ -2,7 +2,7 @@ DESCRIPTION = "Google gRPC tools" HOMEPAGE = "http://www.grpc.io/" SECTION = "devel/python" -DEPENDS_append = "${PYTHON_PN}-grpcio" +DEPENDS_append = " ${PYTHON_PN}-grpcio" RDEPENDS_${PN} = "${PYTHON_PN}-grpcio" LICENSE = "Apache-2.0" diff --git a/meta-python/recipes-devtools/python/python-lxml.inc b/meta-python/recipes-devtools/python/python-lxml.inc index 05b5eae462..0276a3e81a 100644 --- a/meta-python/recipes-devtools/python/python-lxml.inc +++ b/meta-python/recipes-devtools/python/python-lxml.inc @@ -18,6 +18,8 @@ LIC_FILES_CHKSUM = "file://LICENSES.txt;md5=e4c045ebad958ead4b48008f70838403 \ DEPENDS += "libxml2 libxslt" +SRC_URI += "file://CVE-2022-2309.patch" + SRC_URI[md5sum] = "f088e452ed45b030b6f84269f1e84d11" SRC_URI[sha256sum] = "8620ce80f50d023d414183bf90cc2576c2837b88e00bea3f33ad2630133bbb60" diff --git a/meta-python/recipes-devtools/python/python-pint.inc b/meta-python/recipes-devtools/python/python-pint.inc index d022c41a57..5d880a0397 100644 --- a/meta-python/recipes-devtools/python/python-pint.inc +++ b/meta-python/recipes-devtools/python/python-pint.inc @@ -14,8 +14,6 @@ SRC_URI[sha256sum] = "308f1070500e102f83b6adfca6db53debfce2ffc5d3cbe3f6c367da359 DEPENDS += "python3-setuptools-scm-native" -BBCLASSEXTEND = "native nativesdk" - SRC_URI += " \ file://run-ptest \ " diff --git a/meta-python/recipes-devtools/python/python3-absl_0.7.0.bb b/meta-python/recipes-devtools/python/python3-absl_0.7.0.bb index c65a6d7da4..9811c3b9c9 100644 --- a/meta-python/recipes-devtools/python/python3-absl_0.7.0.bb +++ b/meta-python/recipes-devtools/python/python3-absl_0.7.0.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI = "git://github.com/abseil/abseil-py.git" +SRC_URI = "git://github.com/abseil/abseil-py.git;branch=master;protocol=https" SRCREV ?= "e3ce504183c57fc4eca52fe84732c11cda99d131" inherit setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.6.2.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.6.2.bb index 121447cdb7..24eb021de8 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.6.2.bb +++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.6.2.bb @@ -13,9 +13,11 @@ RDEPENDS_${PN} = "\ ${PYTHON_PN}-async-timeout \ ${PYTHON_PN}-attrs \ ${PYTHON_PN}-chardet \ + ${PYTHON_PN}-html \ ${PYTHON_PN}-idna-ssl \ + ${PYTHON_PN}-json \ ${PYTHON_PN}-misc \ ${PYTHON_PN}-multidict \ - ${PYTHON_PN}-typing \ + ${PYTHON_PN}-netserver \ ${PYTHON_PN}-yarl \ " diff --git a/meta-python/recipes-devtools/python/python3-astor_0.8.1.bb b/meta-python/recipes-devtools/python/python3-astor_0.8.1.bb index 125a0236ec..5b3c73c923 100644 --- a/meta-python/recipes-devtools/python/python3-astor_0.8.1.bb +++ b/meta-python/recipes-devtools/python/python3-astor_0.8.1.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=561205fdabc3ec52cae2d30815b8ade7" -SRC_URI = "git://github.com/berkerpeksag/astor.git " +SRC_URI = "git://github.com/berkerpeksag/astor.git;branch=master;protocol=https" SRCREV ?= "c7553c79f9222e20783fe9bd8a553f932e918072" inherit setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-cmd2_0.9.23.bb b/meta-python/recipes-devtools/python/python3-cmd2_0.9.23.bb index 803ca4a404..24e38cfb4e 100644 --- a/meta-python/recipes-devtools/python/python3-cmd2_0.9.23.bb +++ b/meta-python/recipes-devtools/python/python3-cmd2_0.9.23.bb @@ -16,5 +16,3 @@ RDEPENDS_${PN} += "\ ${PYTHON_PN}-pyperclip \ ${PYTHON_PN}-wcwidth \ " - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch b/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch new file mode 100644 index 0000000000..c5d7ca3860 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch @@ -0,0 +1,99 @@ +From 7dee5927eb528f7ddebd62fbab31232d505acc22 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer <paul.l.kehrer@gmail.com> +Date: Sun, 23 Aug 2020 23:41:33 -0500 +Subject: [PATCH] chunked update_into (#5419) + +* chunked update_into + +* all pointer arithmetic all the time + +* review feedback + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/f90ba1808ee9bd9a13c5673b776484644f29d7ba] + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + .../hazmat/backends/openssl/ciphers.py | 31 +++++++++++++------ + tests/hazmat/primitives/test_ciphers.py | 17 ++++++++++ + 2 files changed, 38 insertions(+), 10 deletions(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 94b48f52..86bc94b3 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -17,6 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes + class _CipherContext(object): + _ENCRYPT = 1 + _DECRYPT = 0 ++ _MAX_CHUNK_SIZE = 2 ** 31 + + def __init__(self, backend, cipher, mode, operation): + self._backend = backend +@@ -125,22 +126,32 @@ class _CipherContext(object): + return bytes(buf[:n]) + + def update_into(self, data, buf): +- if len(buf) < (len(data) + self._block_size_bytes - 1): ++ total_data_len = len(data) ++ if len(buf) < (total_data_len + self._block_size_bytes - 1): + raise ValueError( + "buffer must be at least {} bytes for this " + "payload".format(len(data) + self._block_size_bytes - 1) + ) + +- buf = self._backend._ffi.cast( +- "unsigned char *", self._backend._ffi.from_buffer(buf) +- ) ++ data_processed = 0 ++ total_out = 0 + outlen = self._backend._ffi.new("int *") +- res = self._backend._lib.EVP_CipherUpdate( +- self._ctx, buf, outlen, +- self._backend._ffi.from_buffer(data), len(data) +- ) +- self._backend.openssl_assert(res != 0) +- return outlen[0] ++ baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseinbuf = self._backend._ffi.from_buffer(data) ++ ++ while data_processed != total_data_len: ++ outbuf = baseoutbuf + total_out ++ inbuf = baseinbuf + data_processed ++ inlen = min(self._MAX_CHUNK_SIZE, total_data_len - data_processed) ++ ++ res = self._backend._lib.EVP_CipherUpdate( ++ self._ctx, outbuf, outlen, inbuf, inlen ++ ) ++ self._backend.openssl_assert(res != 0) ++ data_processed += inlen ++ total_out += outlen[0] ++ ++ return total_out + + def finalize(self): + # OpenSSL 1.0.1 on Ubuntu 12.04 (and possibly other distributions) +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index f29ba9a9..b88610e7 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -309,3 +309,20 @@ class TestCipherUpdateInto(object): + buf = bytearray(5) + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) ++ ++ def test_update_into_auto_chunking(self, backend, monkeypatch): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ # Lower max chunk size so we can test chunking ++ monkeypatch.setattr(encryptor._ctx, "_MAX_CHUNK_SIZE", 40) ++ buf = bytearray(527) ++ pt = b"abcdefghijklmnopqrstuvwxyz012345" * 16 # 512 bytes ++ processed = encryptor.update_into(pt, buf) ++ assert processed == 512 ++ decryptor = c.decryptor() ++ # Change max chunk size to verify alternate boundaries don't matter ++ monkeypatch.setattr(decryptor._ctx, "_MAX_CHUNK_SIZE", 73) ++ decbuf = bytearray(527) ++ decprocessed = decryptor.update_into(buf[:processed], decbuf) ++ assert decbuf[:decprocessed] == pt diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch b/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch new file mode 100644 index 0000000000..f28f414197 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch @@ -0,0 +1,43 @@ +From 7c72190620c3ccaeeab53fdd93547ca4d37b2f6b Mon Sep 17 00:00:00 2001 +From: Paul Kehrer <paul.l.kehrer@gmail.com> +Date: Sun, 25 Oct 2020 06:15:18 -0700 +Subject: [PATCH] chunking didn't actually work (#5499) + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/836a92a28fbe9df8c37121e340b91ed9cd519ddd] + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 9 +++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 86bc94b3..2b7da80c 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes + class _CipherContext(object): + _ENCRYPT = 1 + _DECRYPT = 0 +- _MAX_CHUNK_SIZE = 2 ** 31 ++ _MAX_CHUNK_SIZE = 2 ** 31 - 1 + + def __init__(self, backend, cipher, mode, operation): + self._backend = backend +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index b88610e7..fd9048b7 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -326,3 +326,12 @@ class TestCipherUpdateInto(object): + decbuf = bytearray(527) + decprocessed = decryptor.update_into(buf[:processed], decbuf) + assert decbuf[:decprocessed] == pt ++ ++ def test_max_chunk_size_fits_in_int32(self, backend): ++ # max chunk must fit in signed int32 or else a call large enough to ++ # cause chunking will result in the very OverflowError we want to ++ # avoid with chunking. ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ backend._ffi.new("int *", encryptor._ctx._MAX_CHUNK_SIZE) diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch b/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch new file mode 100644 index 0000000000..449dd692e6 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch @@ -0,0 +1,37 @@ +From 6d0a76521abe287f5ddb5cd1cfbc799d35f08cf9 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gaynor@gmail.com> +Date: Sun, 7 Feb 2021 11:36:56 -0500 +Subject: [PATCH] correct buffer overflows cause by integer overflow in openssl + (#5747) + +* correct buffer overflows cause by integer overflow in openssl + +frustratingly, there is no test for this -- that's because testing this +requires allocating more memory than is available in CI. + +fixes #5615. + +* backport CI fixes + +* another CI backport + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/82b6ce28389f0a317bc55ba2091a74b346db7cae] + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 2b7da80c..7ef5f1ea 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes + class _CipherContext(object): + _ENCRYPT = 1 + _DECRYPT = 0 +- _MAX_CHUNK_SIZE = 2 ** 31 - 1 ++ _MAX_CHUNK_SIZE = 2 ** 30 - 1 + + def __init__(self, backend, cipher, mode, operation): + self._backend = backend diff --git a/meta-python/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch b/meta-python/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch new file mode 100644 index 0000000000..6ef50a0084 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch @@ -0,0 +1,45 @@ +From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gaynor@gmail.com> +Date: Tue, 7 Feb 2023 11:34:18 -0500 +Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230) + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/9fbf84efc861668755ab645530ec7be9cf3c6696] +CVE: CVE-2023-23931 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 286583f9325..075d68fb905 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int: + data_processed = 0 + total_out = 0 + outlen = self._backend._ffi.new("int *") +- baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) + baseinbuf = self._backend._ffi.from_buffer(data) + + while data_processed != total_data_len: +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index 02127dd9cab..bf3b047dec2 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend): + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) + ++ def test_update_into_immutable(self, backend): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ buf = b"\x00" * 32 ++ with pytest.raises((TypeError, BufferError)): ++ encryptor.update_into(b"testing", buf) ++ + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) diff --git a/meta-python/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch b/meta-python/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch new file mode 100644 index 0000000000..c0acb9066b --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch @@ -0,0 +1,66 @@ +From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gaynor@gmail.com> +Date: Mon, 19 Feb 2024 11:50:28 -0500 +Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't +match (#10423) + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55] +CVE: CVE-2024-26130 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + .../hazmat/backends/openssl/backend.py | 9 +++++++++ + tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index 7e9fa20..ce3fc8c 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -1046,6 +1046,15 @@ class Backend(object): + raise NotImplementedError( + 'Extension not supported: {}'.format(extension.oid) + ) ++ if p12 == self._ffi.NULL: ++ errors = self._consume_errors() ++ raise ValueError( ++ ( ++ "Failed to create PKCS12 (does the key match the " ++ "certificate?)" ++ ), ++ errors, ++ ) + + ext_struct = encode(self, extension.value) + nid = self._lib.OBJ_txt2nid( +diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py +index f084d57..c4160b0 100644 +--- a/tests/hazmat/primitives/test_pkcs12.py ++++ b/tests/hazmat/primitives/test_pkcs12.py +@@ -17,6 +17,24 @@ from cryptography.hazmat.primitives.serialization.pkcs12 import ( + + from .utils import load_vectors_from_file + ++ @pytest.mark.supported( ++ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, ++ skip_message="Requires OpenSSL with PKCS12_set_mac", ++ ) ++ def test_set_mac_key_certificate_mismatch(self, backend): ++ cacert, _ = _load_ca(backend) ++ key = ec.generate_private_key(ec.SECP256R1()) ++ encryption = ( ++ serialization.PrivateFormat.PKCS12.encryption_builder() ++ .hmac_hash(hashes.SHA256()) ++ .build(b"password") ++ ) ++ ++ with pytest.raises(ValueError): ++ serialize_key_and_certificates( ++ b"name", key, cacert, [], encryption ++ ) ++ + + @pytest.mark.requires_backend_interface(interface=DERSerializationBackend) + class TestPKCS12(object): +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-cryptography_2.8.bb b/meta-python/recipes-devtools/python/python3-cryptography_2.8.bb index c75dabb974..63bc0e0d6d 100644 --- a/meta-python/recipes-devtools/python/python3-cryptography_2.8.bb +++ b/meta-python/recipes-devtools/python/python3-cryptography_2.8.bb @@ -11,6 +11,11 @@ SRC_URI[sha256sum] = "3cda1f0ed8747339bbdf71b9f38ca74c7b592f24f65cdb3ab3765e4b02 SRC_URI += " \ file://run-ptest \ + file://0001-chunked-update_into-5419.patch \ + file://0002-chunking-didn-t-actually-work-5499.patch \ + file://0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch \ + file://CVE-2023-23931.patch \ + file://CVE-2024-26130.patch \ " inherit pypi setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-dbussy_1.2.1.bb b/meta-python/recipes-devtools/python/python3-dbussy_1.2.1.bb index ac4b8c2aa6..c33c0f110f 100644 --- a/meta-python/recipes-devtools/python/python3-dbussy_1.2.1.bb +++ b/meta-python/recipes-devtools/python/python3-dbussy_1.2.1.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/ldo/dbussy" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=a916467b91076e631dd8edb7424769c7" -SRC_URI = "git://github.com/ldo/dbussy.git" +SRC_URI = "git://github.com/ldo/dbussy.git;branch=master;protocol=https" SRCREV = "d0ec0223f3797e1612d835e71694a1083881149f" diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.24.bb b/meta-python/recipes-devtools/python/python3-django_2.2.24.bb new file mode 100644 index 0000000000..964ca6ba03 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django_2.2.24.bb @@ -0,0 +1,9 @@ +require python-django.inc +inherit setuptools3 + +SRC_URI[md5sum] = "ebf3bbb7716a7b11029e860475b9a122" +SRC_URI[sha256sum] = "3339ff0e03dee13045aef6ae7b523edff75b6d726adf7a7a48f53d5a501f7db7" + +RDEPENDS_${PN} += "\ + ${PYTHON_PN}-sqlparse \ +" diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.7.bb b/meta-python/recipes-devtools/python/python3-django_2.2.7.bb deleted file mode 100644 index e56453abc1..0000000000 --- a/meta-python/recipes-devtools/python/python3-django_2.2.7.bb +++ /dev/null @@ -1,9 +0,0 @@ -require python-django.inc -inherit setuptools3 - -SRC_URI[md5sum] = "b0833024aac4c8240467e4dc91a12e9b" -SRC_URI[sha256sum] = "16040e1288c6c9f68c6da2fe75ebde83c0a158f6f5d54f4c5177b0c1478c5b86" - -RDEPENDS_${PN} += "\ - ${PYTHON_PN}-sqlparse \ -" diff --git a/meta-python/recipes-devtools/python/python3-dt-schema_git.bb b/meta-python/recipes-devtools/python/python3-dt-schema_git.bb index 06a9012ca4..d14b7de62a 100644 --- a/meta-python/recipes-devtools/python/python3-dt-schema_git.bb +++ b/meta-python/recipes-devtools/python/python3-dt-schema_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://setup.py;beginline=2;endline=3;md5=c795d4924c5f739424 inherit setuptools3 -SRC_URI = "git://github.com/robherring/dt-schema.git" +SRC_URI = "git://github.com/robherring/dt-schema.git;branch=master;protocol=https" SRCREV = "5009e47c1c76e48871f5988e08dad61f3c91196b" PV = "0.1+git${SRCPV}" diff --git a/meta-python/recipes-devtools/python/python3-fasteners_0.15.bb b/meta-python/recipes-devtools/python/python3-fasteners_0.16.3.bb index 8786a14842..1ba2c6f200 100644 --- a/meta-python/recipes-devtools/python/python3-fasteners_0.15.bb +++ b/meta-python/recipes-devtools/python/python3-fasteners_0.16.3.bb @@ -3,7 +3,12 @@ HOMEPAGE = "https://github.com/harlowja/fasteners" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=4476c4be31402271e101d9a4a3430d52" -SRC_URI[md5sum] = "440f8ab461c8fed941355860d8669556" -SRC_URI[sha256sum] = "3a176da6b70df9bb88498e1a18a9e4a8579ed5b9141207762368a1017bf8f5ef" +SRC_URI[md5sum] = "243188fe770ad60e9da722bef9dc7a78" +SRC_URI[sha256sum] = "b1ab4e5adfbc28681ce44b3024421c4f567e705cc3963c732bf1cba3348307de" inherit pypi setuptools3 + +RDEPENDS:${PN} += "\ + ${PYTHON_PN}-logging \ + ${PYTHON_PN}-fcntl \ +" diff --git a/meta-python/recipes-devtools/python/python3-gast_0.2.2.bb b/meta-python/recipes-devtools/python/python3-gast_0.2.2.bb index 6e08a19949..caf80c7621 100644 --- a/meta-python/recipes-devtools/python/python3-gast_0.2.2.bb +++ b/meta-python/recipes-devtools/python/python3-gast_0.2.2.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=a3ad9b6802e713fc5e307e1230f1ea90" -SRC_URI = "git://github.com/serge-sans-paille/gast.git" +SRC_URI = "git://github.com/serge-sans-paille/gast.git;branch=master;protocol=https" SRCREV ?= "ed82e2a507505c6b18eb665d3738b6c0602da5e7" inherit setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-h5py_2.9.0.bb b/meta-python/recipes-devtools/python/python3-h5py_2.9.0.bb index 7822e463ee..711ced022e 100644 --- a/meta-python/recipes-devtools/python/python3-h5py_2.9.0.bb +++ b/meta-python/recipes-devtools/python/python3-h5py_2.9.0.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://setup.py;beginline=107;endline=107;md5=795ecad0d261c998cc526c84a822dff6" -SRC_URI = "git://github.com/h5py/h5py.git \ +SRC_URI = "git://github.com/h5py/h5py.git;branch=master;protocol=https \ file://0001-cross-compiling-support.patch \ " SRCREV ?= "8d96a14c3508de1bde77aec5db302e478dc5dbc4" diff --git a/meta-python/recipes-devtools/python/python3-imageio_2.6.0.bb b/meta-python/recipes-devtools/python/python3-imageio_2.6.0.bb index 8fe4b988db..4d8af17209 100644 --- a/meta-python/recipes-devtools/python/python3-imageio_2.6.0.bb +++ b/meta-python/recipes-devtools/python/python3-imageio_2.6.0.bb @@ -5,7 +5,7 @@ SECTION = "devel/python" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=d8b7fdd0dff0fd18f35c05365d3d7bf7" -SRC_URI = "git://github.com/imageio/imageio.git;protocol=https" +SRC_URI = "git://github.com/imageio/imageio.git;protocol=https;branch=master" SRCREV = "0b161649b3ee108f80bd99466aeab2e65cf82cd8" S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python3-jinja2/run-ptest b/meta-python/recipes-devtools/python/python3-jinja2/run-ptest deleted file mode 100644 index 5cec711696..0000000000 --- a/meta-python/recipes-devtools/python/python3-jinja2/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -pytest diff --git a/meta-python/recipes-devtools/python/python3-jinja2_2.11.2.bb b/meta-python/recipes-devtools/python/python3-jinja2_2.11.2.bb deleted file mode 100644 index 681acf8f1c..0000000000 --- a/meta-python/recipes-devtools/python/python3-jinja2_2.11.2.bb +++ /dev/null @@ -1,43 +0,0 @@ -DESCRIPTION = "Python Jinja2: A small but fast and easy to use stand-alone template engine written in pure python." - -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462" - -SRC_URI[sha256sum] = "89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0" - -PYPI_PACKAGE = "Jinja2" - -CLEANBROKEN = "1" - -inherit pypi setuptools3 ptest - -SRC_URI += " \ - file://run-ptest \ -" - -do_install_ptest() { - install -d ${D}${PTEST_PATH}/tests - cp -rf ${S}/tests/* ${D}${PTEST_PATH}/tests/ -} - -RDEPENDS_${PN}-ptest += " \ - ${PYTHON_PN}-pytest \ - ${PYTHON_PN}-unixadmin \ -" - -RDEPENDS_${PN} += " \ - ${PYTHON_PN}-asyncio \ - ${PYTHON_PN}-crypt \ - ${PYTHON_PN}-io \ - ${PYTHON_PN}-json \ - ${PYTHON_PN}-markupsafe \ - ${PYTHON_PN}-math \ - ${PYTHON_PN}-netclient \ - ${PYTHON_PN}-numbers\ - ${PYTHON_PN}-pickle \ - ${PYTHON_PN}-pprint \ - ${PYTHON_PN}-shell \ - ${PYTHON_PN}-threading \ -" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb b/meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb index 4293a63c1e..a124dd9f5b 100644 --- a/meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb +++ b/meta-python/recipes-devtools/python/python3-keras-applications_1.0.8.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=366e2fd3c9714f162d3663b6f97cfe41" -SRC_URI = "git://github.com/keras-team/keras-applications.git" +SRC_URI = "git://github.com/keras-team/keras-applications.git;branch=master;protocol=https" SRCREV ?= "3b180cb10eda683dda7913ecee2e6487288d292d" diff --git a/meta-python/recipes-devtools/python/python3-keras-preprocessing_1.1.0.bb b/meta-python/recipes-devtools/python/python3-keras-preprocessing_1.1.0.bb index eacb3402d6..feb872e0a7 100644 --- a/meta-python/recipes-devtools/python/python3-keras-preprocessing_1.1.0.bb +++ b/meta-python/recipes-devtools/python/python3-keras-preprocessing_1.1.0.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=1744b320500cc2e3112964d00cce7aa4" -SRC_URI = "git://github.com/keras-team/keras-preprocessing.git" +SRC_URI = "git://github.com/keras-team/keras-preprocessing.git;branch=master;protocol=https" SRCREV ?= "ff90696c0416b74344b91df097b228e694339b88" inherit setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-langtable_0.0.38.bb b/meta-python/recipes-devtools/python/python3-langtable_0.0.38.bb index eb42fe978c..fd39e0fdb7 100644 --- a/meta-python/recipes-devtools/python/python3-langtable_0.0.38.bb +++ b/meta-python/recipes-devtools/python/python3-langtable_0.0.38.bb @@ -11,7 +11,7 @@ B = "${S}" SRCREV = "35687ca957b746f153a6872139462b1443f8cad1" PV = "0.0.38+git${SRCPV}" -SRC_URI = "git://github.com/mike-fabian/langtable.git;branch=master \ +SRC_URI = "git://github.com/mike-fabian/langtable.git;branch=master;protocol=https \ " inherit setuptools3 python3native diff --git a/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch new file mode 100644 index 0000000000..ff3fcee6e2 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-lxml/CVE-2022-2309.patch @@ -0,0 +1,94 @@ +From ccbda4b0669f418b2f00c4f099733cebe633eb47 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Fri, 29 Jul 2022 10:16:59 +0530 +Subject: [PATCH] CVE-2022-2309 + +Upstream-Status: Backport [https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f] +CVE: CVE-2022-2309 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lxml/apihelpers.pxi | 7 ++++--- + src/lxml/iterparse.pxi | 11 ++++++----- + src/lxml/tests/test_etree.py | 20 ++++++++++++++++++++ + 3 files changed, 30 insertions(+), 8 deletions(-) + +diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi +index 5eb3416..88a031d 100644 +--- a/src/lxml/apihelpers.pxi ++++ b/src/lxml/apihelpers.pxi +@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node): + while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE: + c_ns = c_node.nsDef + while c_ns is not NULL: +- prefix = funicodeOrNone(c_ns.prefix) +- if prefix not in nsmap: +- nsmap[prefix] = funicodeOrNone(c_ns.href) ++ if c_ns.prefix or c_ns.href: ++ prefix = funicodeOrNone(c_ns.prefix) ++ if prefix not in nsmap: ++ nsmap[prefix] = funicodeOrNone(c_ns.href) + c_ns = c_ns.next + c_node = c_node.parent + return nsmap +diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi +index 4c20506..3da7485 100644 +--- a/src/lxml/iterparse.pxi ++++ b/src/lxml/iterparse.pxi +@@ -419,7 +419,7 @@ cdef int _countNsDefs(xmlNode* c_node): + count = 0 + c_ns = c_node.nsDef + while c_ns is not NULL: +- count += 1 ++ count += (c_ns.href is not NULL) + c_ns = c_ns.next + return count + +@@ -430,9 +430,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1: + count = 0 + c_ns = c_node.nsDef + while c_ns is not NULL: +- ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '', +- funicode(c_ns.href)) +- event_list.append( (u"start-ns", ns_tuple) ) +- count += 1 ++ if c_ns.href: ++ ns_tuple = (funicodeOrEmpty(c_ns.prefix), ++ funicode(c_ns.href)) ++ event_list.append( (u"start-ns", ns_tuple) ) ++ count += 1 + c_ns = c_ns.next + return count +diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py +index b997e4d..69e1bf1 100644 +--- a/src/lxml/tests/test_etree.py ++++ b/src/lxml/tests/test_etree.py +@@ -1448,6 +1448,26 @@ class ETreeOnlyTestCase(HelperTestCase): + [1,2,1,4], + counts) + ++ def test_walk_after_parse_failure(self): ++ # This used to be an issue because libxml2 can leak empty namespaces ++ # between failed parser runs. iterwalk() failed to handle such a tree. ++ try: ++ etree.XML('''<anot xmlns="1">''') ++ except etree.XMLSyntaxError: ++ pass ++ else: ++ assert False, "invalid input did not fail to parse" ++ ++ et = etree.XML('''<root> </root>''') ++ try: ++ ns = next(etree.iterwalk(et, events=('start-ns',))) ++ except StopIteration: ++ # This would be the expected result, because there was no namespace ++ pass ++ else: ++ # This is a bug in libxml2 ++ assert not ns, repr(ns) ++ + def test_itertext_comment_pi(self): + # https://bugs.launchpad.net/lxml/+bug/1844674 + XML = self.etree.XML +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-markupsafe/run-ptest b/meta-python/recipes-devtools/python/python3-markupsafe/run-ptest deleted file mode 100644 index 5cec711696..0000000000 --- a/meta-python/recipes-devtools/python/python3-markupsafe/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -pytest diff --git a/meta-python/recipes-devtools/python/python3-markupsafe_1.1.1.bb b/meta-python/recipes-devtools/python/python3-markupsafe_1.1.1.bb deleted file mode 100644 index 765e3c906b..0000000000 --- a/meta-python/recipes-devtools/python/python3-markupsafe_1.1.1.bb +++ /dev/null @@ -1,2 +0,0 @@ -inherit setuptools3 -require python-markupsafe.inc diff --git a/meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb b/meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb index f6d8c53d05..57d38e60ba 100644 --- a/meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb +++ b/meta-python/recipes-devtools/python/python3-matplotlib_3.2.1.bb @@ -32,6 +32,5 @@ RDEPENDS_${PN} = "\ python3-dateutil \ python3-kiwisolver \ python3-pytz \ + python3-pillow \ " - -BBCLASSEXTEND = "native" diff --git a/meta-python/recipes-devtools/python/python3-pillow/0001-CVE-2022-45198.patch b/meta-python/recipes-devtools/python/python3-pillow/0001-CVE-2022-45198.patch new file mode 100644 index 0000000000..0f0cfa7804 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/0001-CVE-2022-45198.patch @@ -0,0 +1,26 @@ +From 7df88fc2319852ace202a650703d631200080e3b Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Thu, 30 Jun 2022 12:47:35 +1000 +Subject: [PATCH] Added GIF decompression bomb check + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/884437f8a2b953a0abd2a3b130a87fcfb438092e] +CVE: CVE-2022-45198 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/PIL/GifImagePlugin.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/PIL/GifImagePlugin.py b/src/PIL/GifImagePlugin.py +index 9d8e96f..c477fdd 100644 +--- a/src/PIL/GifImagePlugin.py ++++ b/src/PIL/GifImagePlugin.py +@@ -238,6 +238,7 @@ class GifImageFile(ImageFile.ImageFile): + x1, y1 = x0 + i16(s[4:]), y0 + i16(s[6:]) + if x1 > self.size[0] or y1 > self.size[1]: + self._size = max(x1, self.size[0]), max(y1, self.size[1]) ++ Image._decompression_bomb_check(self._size) + self.dispose_extent = x0, y0, x1, y1 + flags = i8(s[8]) + +-- +2.7.4 diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch new file mode 100644 index 0000000000..f9e3c49505 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-1.patch @@ -0,0 +1,31 @@ +From 45c726fd4daa63236a8f3653530f297dc87b160a Mon Sep 17 00:00:00 2001 +From: Eric Soroos <eric-github@soroos.net> +Date: Fri, 27 Oct 2023 11:21:18 +0200 +Subject: [PATCH] Don't allow __ or builtins in env dictionarys for + ImageMath.eval + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a] +CVE: CVE-2023-50447 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/PIL/ImageMath.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index 392151c10..4cea3855e 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -261,6 +261,10 @@ def eval(expression, _dict={}, **kw): + args.update(_dict) + args.update(kw) + for k, v in list(args.items()): ++ if '__' in k or hasattr(__builtins__, k): ++ msg = f"'{k}' not allowed" ++ raise ValueError(msg) ++ + if hasattr(v, "im"): + args[k] = _Operand(v) + +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch new file mode 100644 index 0000000000..9c5d3fbcdc --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-2.patch @@ -0,0 +1,54 @@ +From 0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Sat, 28 Oct 2023 15:58:52 +1100 +Subject: [PATCH] Allow ops + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/0ca3c33c59927e1c7e0c14dbc1eea1dfb2431a80] +CVE: CVE-2023-50447 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Tests/test_imagemath.py | 4 ++++ + src/PIL/ImageMath.py | 9 +++++---- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py +index da41b3a12..14a58a532 100644 +--- a/Tests/test_imagemath.py ++++ b/Tests/test_imagemath.py +@@ -56,6 +56,10 @@ class TestImageMath(PillowTestCase): + pixel(ImageMath.eval("float(B)**33", images)), "F 8589934592.0" + ) + ++ def test_prevent_double_underscores(): ++ with pytest.raises(ValueError): ++ ImageMath.eval("1", {"__": None}) ++ + def test_logical(self): + self.assertEqual(pixel(ImageMath.eval("not A", images)), 0) + self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2") +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index 4cea3855e..776604e3f 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -258,13 +258,14 @@ def eval(expression, _dict={}, **kw): + + # build execution namespace + args = ops.copy() +- args.update(_dict) +- args.update(kw) +- for k, v in list(args.items()): +- if '__' in k or hasattr(__builtins__, k): ++ for k in list(_dict.keys()) + list(kw.keys()): ++ if "__" in k or hasattr(__builtins__, k): + msg = f"'{k}' not allowed" + raise ValueError(msg) + ++ args.update(_dict) ++ args.update(kw) ++ for k, v in list(args.items()): + if hasattr(v, "im"): + args[k] = _Operand(v) + +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch new file mode 100644 index 0000000000..b93425ee58 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pillow/CVE-2023-50447-3.patch @@ -0,0 +1,44 @@ +From 557ba59d13de919d04b3fd4cdef8634f7d4b3348 Mon Sep 17 00:00:00 2001 +From: Andrew Murray <radarhere@users.noreply.github.com> +Date: Sat, 30 Dec 2023 09:30:12 +1100 +Subject: [PATCH] Include further builtins + +Upstream-Status: Backport [https://github.com/python-pillow/Pillow/commit/557ba59d13de919d04b3fd4cdef8634f7d4b3348] +CVE: CVE-2023-50447 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Tests/test_imagemath.py | 4 ++++ + src/PIL/ImageMath.py | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/Tests/test_imagemath.py b/Tests/test_imagemath.py +index 14a58a532..5bba832e2 100644 +--- a/Tests/test_imagemath.py ++++ b/Tests/test_imagemath.py +@@ -60,6 +60,10 @@ class TestImageMath(PillowTestCase): + with pytest.raises(ValueError): + ImageMath.eval("1", {"__": None}) + ++ def test_prevent_builtins(): ++ with pytest.raises(ValueError): ++ ImageMath.eval("(lambda: exec('exit()'))()", {"exec": None}) ++ + def test_logical(self): + self.assertEqual(pixel(ImageMath.eval("not A", images)), 0) + self.assertEqual(pixel(ImageMath.eval("A and B", images)), "L 2") +diff --git a/src/PIL/ImageMath.py b/src/PIL/ImageMath.py +index 776604e3f..c6bc22180 100644 +--- a/src/PIL/ImageMath.py ++++ b/src/PIL/ImageMath.py +@@ -259,7 +259,7 @@ def eval(expression, _dict={}, **kw): + # build execution namespace + args = ops.copy() + for k in list(_dict.keys()) + list(kw.keys()): +- if "__" in k or hasattr(__builtins__, k): ++ if "__" in k or hasattr(builtins, k): + msg = f"'{k}' not allowed" + raise ValueError(msg) + +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb b/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb index a383a3ff91..6567b32d0d 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_6.2.1.bb @@ -5,9 +5,13 @@ HOMEPAGE = "https://pillow.readthedocs.io" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=55c0f320370091249c1755c0d2b48e89" -SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=6.2.x \ +SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=6.2.x;protocol=https \ file://0001-support-cross-compiling.patch \ file://0001-explicitly-set-compile-options.patch \ + file://0001-CVE-2022-45198.patch \ + file://CVE-2023-50447-1.patch \ + file://CVE-2023-50447-2.patch \ + file://CVE-2023-50447-3.patch \ " SRCREV ?= "6e0f07bbe38def22d36ee176b2efd9ea74b453a6" @@ -34,5 +38,3 @@ CVE_PRODUCT = "pillow" S = "${WORKDIR}/git" RPROVIDES_${PN} += "python3-imaging" - -BBCLASSEXTEND = "native" diff --git a/meta-python/recipes-devtools/python/python3-pkgconfig_1.4.0.bb b/meta-python/recipes-devtools/python/python3-pkgconfig_1.4.0.bb index fc7a47a43d..53f4db14ae 100644 --- a/meta-python/recipes-devtools/python/python3-pkgconfig_1.4.0.bb +++ b/meta-python/recipes-devtools/python/python3-pkgconfig_1.4.0.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=faa7f82be8f220bff6156be4790344fc" -SRC_URI = "git://github.com/matze/pkgconfig.git" +SRC_URI = "git://github.com/matze/pkgconfig.git;branch=master;protocol=https" SRCREV ?= "8af0102346847e8873af8e76ab3f34ba9da806e2" RDEPENDS_${PN} = "pkgconfig \ diff --git a/meta-python/recipes-devtools/python/python3-prctl_1.7.bb b/meta-python/recipes-devtools/python/python3-prctl_1.7.bb index 54620a0661..1f179852ca 100644 --- a/meta-python/recipes-devtools/python/python3-prctl_1.7.bb +++ b/meta-python/recipes-devtools/python/python3-prctl_1.7.bb @@ -13,7 +13,7 @@ B = "${S}" SRCREV = "57cd0a7cad76e8f8792eea22ee5b5d17bae0a90f" PV = "1.7+git${SRCPV}" -SRC_URI = "git://github.com/seveas/python-prctl;branch=master \ +SRC_URI = "git://github.com/seveas/python-prctl;branch=master;protocol=https \ file://0001-support-cross-complication.patch \ " inherit setuptools3 python3native diff --git a/meta-python/recipes-devtools/python/python3-pyflakes_2.1.1.bb b/meta-python/recipes-devtools/python/python3-pyflakes_2.1.1.bb index c138822400..6636fda839 100644 --- a/meta-python/recipes-devtools/python/python3-pyflakes_2.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-pyflakes_2.1.1.bb @@ -12,5 +12,3 @@ RDEPENDS_${PN} += " \ ${PYTHON_PN}-prettytable \ ${PYTHON_PN}-cmd2 \ ${PYTHON_PN}-pyparsing" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb b/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb index ab33953174..049c3c3cf7 100644 --- a/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb +++ b/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb @@ -3,11 +3,12 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=ab173cade7965b411528464589a08382" RDEPENDS_${PN} += "\ - ${PYTHON_PN}-threading \ + ${PYTHON_PN}-ctypes \ ${PYTHON_PN}-io \ ${PYTHON_PN}-misc \ ${PYTHON_PN}-shell \ ${PYTHON_PN}-smtpd \ + ${PYTHON_PN}-threading \ " SRC_URI[md5sum] = "8e580fa1ff3971f94a6f81672b76c406" diff --git a/meta-python/recipes-devtools/python/python3-pykwalify/0001-rule.py-fix-missing-comma.patch b/meta-python/recipes-devtools/python/python3-pykwalify/0001-rule.py-fix-missing-comma.patch new file mode 100644 index 0000000000..689355eeaf --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pykwalify/0001-rule.py-fix-missing-comma.patch @@ -0,0 +1,34 @@ +From f96b76efb810d7d559254d0ec58de628e09f525a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mart=C3=AD=20Bol=C3=ADvar?= <marti.f.bolivar@gmail.com> +Date: Mon, 13 Jan 2020 08:42:05 -0800 +Subject: [PATCH] rule.py: fix missing comma +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A line in the defined_keywords list is missing a comma. Add it. + +Signed-off-by: Martà BolÃvar <marti.f.bolivar@gmail.com> + +Upstream-Status: Backport [https://github.com/Grokzen/pykwalify.git] +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + pykwalify/rule.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pykwalify/rule.py b/pykwalify/rule.py +index 7ac2c9e..f044b69 100644 +--- a/pykwalify/rule.py ++++ b/pykwalify/rule.py +@@ -340,7 +340,7 @@ class Rule(object): + ('matching', 'matching'), + ('matching_rule', 'matching_rule'), + ('name', 'name'), +- ('nullable', 'nullable') ++ ('nullable', 'nullable'), + ('parent', 'parent'), + ('pattern', 'pattern'), + ('pattern_regexp', 'pattern_regexp'), +-- +2.18.2 + diff --git a/meta-python/recipes-devtools/python/python3-pykwalify_1.7.0.bb b/meta-python/recipes-devtools/python/python3-pykwalify_1.7.0.bb index 5d029bd761..9251eccebe 100644 --- a/meta-python/recipes-devtools/python/python3-pykwalify_1.7.0.bb +++ b/meta-python/recipes-devtools/python/python3-pykwalify_1.7.0.bb @@ -7,9 +7,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a72ea5159364a2cd7f45c6dcbee37872" SRC_URI[md5sum] = "58357f1d0f77de976e73dbd3660af75b" SRC_URI[sha256sum] = "7e8b39c5a3a10bc176682b3bd9a7422c39ca247482df198b402e8015defcceb2" +SRC_URI += "file://0001-rule.py-fix-missing-comma.patch" + PYPI_PACKAGE = "pykwalify" + inherit setuptools3 pypi -unset _PYTHON_SYSCONFIGDATA_NAME RDEPENDS_${PN} = "\ ${PYTHON_PN}-dateutil \ diff --git a/meta-python/recipes-devtools/python/python3-robotframework-seriallibrary_0.3.1.bb b/meta-python/recipes-devtools/python/python3-robotframework-seriallibrary_0.3.1.bb index b6de42f7c1..60a26f58bc 100644 --- a/meta-python/recipes-devtools/python/python3-robotframework-seriallibrary_0.3.1.bb +++ b/meta-python/recipes-devtools/python/python3-robotframework-seriallibrary_0.3.1.bb @@ -16,5 +16,3 @@ RDEPENDS_${PN} += " \ ${PYTHON_PN}-pyserial \ ${PYTHON_PN}-robotframework \ " - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-26137.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-26137.patch new file mode 100644 index 0000000000..3cc8bcd02a --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-26137.patch @@ -0,0 +1,72 @@ +From 1dd69c5c5982fae7c87a620d487c2ebf7a6b436b Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson <sethmichaellarson@gmail.com> +Date: Mon, 17 Feb 2020 15:34:48 -0600 +Subject: [PATCH] Raise ValueError if method contains control characters + (#1800) + +CVE: CVE-2020-26137 +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b.patch] +Signed-off-by: Nikhil R <nikhil.r@kpit.com> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> +Comment: Removed one hunk in CHANGES.rst and refresh other to remove +patch fuzz warnings + +--- + src/urllib3/connection.py | 14 ++++++++++++++ + test/with_dummyserver/test_connectionpool.py | 6 ++++++ + 2 files changed, 20 insertions(+) + +diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py +index 71e6790b1b..f7b1760938 100644 +--- a/src/urllib3/connection.py ++++ b/src/urllib3/connection.py +@@ -1,4 +1,5 @@ + from __future__ import absolute_import ++import re + import datetime + import logging + import os +@@ -58,6 +59,8 @@ port_by_scheme = {"http": 80, "https": 443} + # (ie test_recent_date is failing) update it to ~6 months before the current date. + RECENT_DATE = datetime.date(2019, 1, 1) + ++_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]") ++ + + class DummyConnection(object): + """Used to detect a failed ConnectionCls import.""" +@@ -184,6 +187,17 @@ class HTTPConnection(_HTTPConnection, object): + conn = self._new_conn() + self._prepare_conn(conn) + ++ def putrequest(self, method, url, *args, **kwargs): ++ """Send a request to the server""" ++ match = _CONTAINS_CONTROL_CHAR_RE.search(method) ++ if match: ++ raise ValueError( ++ "Method cannot contain non-token characters %r (found at least %r)" ++ % (method, match.group()) ++ ) ++ ++ return _HTTPConnection.putrequest(self, method, url, *args, **kwargs) ++ + def request_chunked(self, method, url, body=None, headers=None): + """ + Alternative to the common request method, which sends the +diff --git a/test/with_dummyserver/test_connectionpool.py b/test/with_dummyserver/test_connectionpool.py +index 57f0dbd2f4..79cbd27185 100644 +--- a/test/with_dummyserver/test_connectionpool.py ++++ b/test/with_dummyserver/test_connectionpool.py +@@ -677,6 +677,12 @@ class TestConnectionPool(HTTPDummyServerTestCase): + with pytest.raises(MaxRetryError): + pool.request("GET", "/test", retries=2) + ++ @pytest.mark.parametrize("char", [" ", "\r", "\n", "\x00"]) ++ def test_invalid_method_not_allowed(self, char): ++ with pytest.raises(ValueError): ++ with HTTPConnectionPool(self.host, self.port) as pool: ++ pool.request("GET" + char, "/") ++ + def test_percent_encode_invalid_target_chars(self): + with HTTPConnectionPool(self.host, self.port) as pool: + r = pool.request("GET", "/echo_params?q=\r&k=\n \n") diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch new file mode 100644 index 0000000000..df234e442b --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch @@ -0,0 +1,55 @@ +From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 2001 +From: Quentin Pradet <quentin.pradet@gmail.com> +Date: Tue, 21 Jan 2020 22:32:56 +0400 +Subject: [PATCH] Optimize _encode_invalid_chars (#1787) + +Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com> + +Upstream-Status: Backport +[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b] +CVE: CVE-2020-7212 +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> +--- + src/urllib3/util/url.py | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py +index 9675f74..e353937 100644 +--- a/src/urllib3/util/url.py ++++ b/src/urllib3/util/url.py +@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"): + + component = six.ensure_text(component) + ++ # Normalize existing percent-encoded bytes. + # Try to see if the component we're encoding is already percent-encoded + # so we can skip all '%' characters but still encode all others. +- percent_encodings = PERCENT_RE.findall(component) +- +- # Normalize existing percent-encoded bytes. +- for enc in percent_encodings: +- if not enc.isupper(): +- component = component.replace(enc, enc.upper()) ++ component, percent_encodings = PERCENT_RE.subn( ++ lambda match: match.group(0).upper(), component ++ ) + + uri_bytes = component.encode("utf-8", "surrogatepass") +- is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%") +- ++ is_percent_encoded = percent_encodings == uri_bytes.count(b"%") + encoded_component = bytearray() + + for i in range(0, len(uri_bytes)): +@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"): + if (is_percent_encoded and byte == b"%") or ( + byte_ord < 128 and byte.decode() in allowed_chars + ): +- encoded_component.extend(byte) ++ encoded_component += byte + continue + encoded_component.extend(b"%" + (hex(byte_ord)[2:].encode().zfill(2).upper())) + +-- +2.23.0 + diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2021-33503.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2021-33503.patch new file mode 100644 index 0000000000..838add9555 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2021-33503.patch @@ -0,0 +1,67 @@ +From 2d4a3fee6de2fa45eb82169361918f759269b4ec Mon Sep 17 00:00:00 2001 +From: Seth Michael Larson <sethmichaellarson@gmail.com> +Date: Wed, 26 May 2021 10:43:12 -0500 +Subject: [PATCH] Improve performance of sub-authority splitting in URL + +CVE: CVE-2021-33503 +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec.patch] +Signed-off-by: Nikhil R <nikhil.r@kpit.com> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> +Comment: Refresh hunks to remove patch fuzz warnings + +--- + src/urllib3/util/url.py | 8 +++++--- + test/test_util.py | 10 ++++++++++ + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py +index 6ff238fe3c..81a03da9e3 100644 +--- a/src/urllib3/util/url.py ++++ b/src/urllib3/util/url.py +@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$") + BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$") + ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$") + +-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % ( ++_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % ( + REG_NAME_PAT, + IPV4_PAT, + IPV6_ADDRZ_PAT, + ) +-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL) ++_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL) + + UNRESERVED_CHARS = set( + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~" +@@ -368,7 +368,9 @@ def parse_url(url): + scheme = scheme.lower() + + if authority: +- auth, host, port = SUBAUTHORITY_RE.match(authority).groups() ++ auth, _, host_port = authority.rpartition("@") ++ auth = auth or None ++ host, port = _HOST_PORT_RE.match(host_port).groups() + if auth and normalize_uri: + auth = _encode_invalid_chars(auth, USERINFO_CHARS) + if port == "": +diff --git a/test/test_util.py b/test/test_util.py +index a5b68a084b..88409e2d6c 100644 +--- a/test/test_util.py ++++ b/test/test_util.py +@@ -425,6 +425,16 @@ class TestUtil(object): + query="%0D%0ASET%20test%20failure12%0D%0A:8080/test/?test=a", + ), + ), ++ # Tons of '@' causing backtracking ++ ("https://" + ("@" * 10000) + "[", False), ++ ( ++ "https://user:" + ("@" * 10000) + "example.com", ++ Url( ++ scheme="https", ++ auth="user:" + ("%40" * 9999), ++ host="example.com", ++ ), ++ ), + ] + + @pytest.mark.parametrize("url, expected_url", url_vulnerabilities) diff --git a/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb b/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb index 34c15b6c24..73399d9439 100644 --- a/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb +++ b/meta-python/recipes-devtools/python/python3-urllib3_1.25.7.bb @@ -8,6 +8,10 @@ SRC_URI[sha256sum] = "f3c5fd51747d450d4dcf6f923c81f78f811aab8205fda64b0aba34a4e4 inherit pypi setuptools3 +SRC_URI += "file://CVE-2020-7212.patch \ + file://CVE-2020-26137.patch \ + file://CVE-2021-33503.patch \ + " RDEPENDS_${PN} += "\ ${PYTHON_PN}-certifi \ ${PYTHON_PN}-cryptography \ diff --git a/meta-python/recipes-devtools/python/python3-wheel_0.33.6.bb b/meta-python/recipes-devtools/python/python3-wheel_0.33.6.bb index 025b2eea9d..af7f49fdcb 100644 --- a/meta-python/recipes-devtools/python/python3-wheel_0.33.6.bb +++ b/meta-python/recipes-devtools/python/python3-wheel_0.33.6.bb @@ -4,7 +4,7 @@ SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=9d66b41bc2a080e7174acc5dffecd752" -SRC_URI = "git://github.com/pypa/wheel.git" +SRC_URI = "git://github.com/pypa/wheel.git;branch=master;protocol=https" SRCREV ?= "b227ddd5beaba49294017d061d501f6d433393b0" diff --git a/meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb b/meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb index 2b5b253b5d..52ae91484a 100644 --- a/meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb +++ b/meta-python/recipes-extended/python-blivet/python3-blivet_3.1.4.bb @@ -9,7 +9,7 @@ S = "${WORKDIR}/git" B = "${S}" SRCREV = "9b5ad2d5b5df159963e1c6c24523e1dfe1f71435" -SRC_URI = "git://github.com/rhinstaller/blivet;branch=3.1-release \ +SRC_URI = "git://github.com/rhinstaller/blivet;branch=3.1-release;protocol=https \ file://0001-comment-out-selinux.patch \ file://0002-run_program-support-timeout.patch \ file://0003-support-infinit-timeout.patch \ diff --git a/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb b/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb index 92402bee56..809d09e3ad 100644 --- a/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb +++ b/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.10.bb @@ -9,7 +9,7 @@ S = "${WORKDIR}/git" B = "${S}" SRCREV = "67ec0b7a0e065ba24ab87963409bfb21b2aac6dd" -SRC_URI = "git://github.com/rhinstaller/blivet-gui;branch=master \ +SRC_URI = "git://github.com/rhinstaller/blivet-gui;branch=master;protocol=https \ file://0001-Fix-return-type-of-BlivetUtils.get_disks-1658893.patch \ " diff --git a/meta-python/recipes-extended/python-cson/python3-cson_git.bb b/meta-python/recipes-extended/python-cson/python3-cson_git.bb index 5c74c7a307..8e8f3fb2a6 100644 --- a/meta-python/recipes-extended/python-cson/python3-cson_git.bb +++ b/meta-python/recipes-extended/python-cson/python3-cson_git.bb @@ -8,12 +8,11 @@ SECTION = "devel/python" LIC_FILES_CHKSUM = "file://LICENSE;md5=7709d2635e63ab96973055a23c2a4cac" SRCREV = "f3f2898c44bb16b951d3e9f2fbf6d1c4158edda2" -SRC_URI = "git://github.com/gt3389b/python-cson.git" +SRC_URI = "git://github.com/gt3389b/python-cson.git;branch=master;protocol=https" S = "${WORKDIR}/git" -RDEPENDS_${PN}_class-native = "" -DEPENDS_append_class-native = " python-native " +RDEPENDS_${PN} = "python3-json" inherit setuptools3 diff --git a/meta-python/recipes-extended/python-pyparted/python-pyparted.inc b/meta-python/recipes-extended/python-pyparted/python-pyparted.inc index 97054487f9..2322cf1092 100644 --- a/meta-python/recipes-extended/python-pyparted/python-pyparted.inc +++ b/meta-python/recipes-extended/python-pyparted/python-pyparted.inc @@ -12,7 +12,7 @@ DEPENDS += "parted" # upstream only publishes releases in github archives which are discouraged SRCREV = "481510c10866851844b19f3d2ffcdaa37efc0cf8" -SRC_URI = "git://github.com/rhinstaller/pyparted.git;protocol=https" +SRC_URI = "git://github.com/rhinstaller/pyparted.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb b/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb index f5d5debe11..d83a4a20b1 100644 --- a/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb +++ b/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb @@ -19,7 +19,7 @@ RDEPENDS_packagegroup-meta-webserver = "\ " RDEPENDS_packagegroup-meta-webserver-http = "\ - nginx monkey hiawatha nostromo apache-websocket \ + nginx monkey hiawatha apache-websocket \ apache2 sthttpd \ ${@bb.utils.contains("BBFILE_COLLECTIONS", "meta-python2", "cherokee", "", d)} \ " diff --git a/meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb b/meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb index 3cbab22c3d..0b4bab5753 100644 --- a/meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb +++ b/meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb @@ -11,7 +11,7 @@ RDEPENDS_${PN} += "apache2" # Original (github.com/disconnect/apache-websocket) is dead since 2012, the # fork contains patches from the modules ML and fixes CVE compliance issues -SRC_URI = "git://github.com/jchampio/apache-websocket.git" +SRC_URI = "git://github.com/jchampio/apache-websocket.git;branch=master;protocol=https" SRCREV = "6968083264b90b89b1b9597a4ca03ba29e7ea2e1" diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch b/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch index 6c0286457c..50775be533 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch @@ -1,44 +1,43 @@ -From d2cedfa3394365689a3f7c8cfe8e0dd56b29bed9 Mon Sep 17 00:00:00 2001 +From ba9015386cbc044e111d7c266f13e2be045e4bf1 Mon Sep 17 00:00:00 2001 From: Koen Kooi <koen.kooi@linaro.org> Date: Tue, 17 Jun 2014 09:10:57 +0200 Subject: [PATCH] configure: use pkg-config for PCRE detection -Upstream-Status: Pending +Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Koen Kooi <koen.kooi@linaro.org> --- - configure.in | 27 +++++---------------------- - 1 file changed, 5 insertions(+), 22 deletions(-) + configure.in | 26 +++++--------------------- + 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/configure.in b/configure.in -index 9feaceb..dc6ea15 100644 +index 38c1d0a..c799aec 100644 --- a/configure.in +++ b/configure.in -@@ -215,28 +215,11 @@ fi - AC_ARG_WITH(pcre, - APACHE_HELP_STRING(--with-pcre=PATH,Use external PCRE library)) +@@ -221,27 +221,11 @@ else if which $with_pcre 2>/dev/null; then :; else + fi + fi --AC_PATH_PROG(PCRE_CONFIG, pcre-config, false) --if test -d "$with_pcre" && test -x "$with_pcre/bin/pcre-config"; then -- PCRE_CONFIG=$with_pcre/bin/pcre-config --elif test -x "$with_pcre"; then -- PCRE_CONFIG=$with_pcre --fi +-AC_CHECK_TARGET_TOOLS(PCRE_CONFIG, [pcre2-config pcre-config], +- [`which $with_pcre 2>/dev/null`], $with_pcre) - --if test "$PCRE_CONFIG" != "false"; then +-if test "x$PCRE_CONFIG" != "x"; then - if $PCRE_CONFIG --version >/dev/null 2>&1; then :; else -- AC_MSG_ERROR([Did not find pcre-config script at $PCRE_CONFIG]) +- AC_MSG_ERROR([Did not find working script at $PCRE_CONFIG]) - fi - case `$PCRE_CONFIG --version` in +- [1[0-9].*]) +- AC_DEFINE(HAVE_PCRE2, 1, [Detected PCRE2]) +- ;; - [[1-5].*]) - AC_MSG_ERROR([Need at least pcre version 6.0]) - ;; - esac - AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG]) - APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`]) -- APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`]) +- APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs8 2>/dev/null || $PCRE_CONFIG --libs`]) -else -- AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/]) +- AC_MSG_ERROR([pcre(2)-config for libpcre not found. PCRE is required and available from http://pcre.org/]) -fi +PKG_CHECK_MODULES([PCRE], [libpcre], [ + AC_DEFINE([HAVE_PCRE], [1], [Define if you have PCRE library]) @@ -49,5 +48,5 @@ index 9feaceb..dc6ea15 100644 AC_MSG_NOTICE([]) -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch b/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch index 85fe6ae4bd..bbe8b325b5 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch @@ -1,8 +1,8 @@ -From 7df207ad4d0dcda2ad36e5642296e0dec7e13647 Mon Sep 17 00:00:00 2001 +From 5074ab3425e5f1e01fd9cfa2d9b7300ea1b3f38f Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 -Subject: [PATCH] apache2: bump up the core size limit if CoreDumpDirectory - is configured +Subject: [PATCH] apache2: bump up the core size limit if CoreDumpDirectory is + configured Bump up the core size limit if CoreDumpDirectory is configured. @@ -11,16 +11,15 @@ Upstream-Status: Pending Note: upstreaming was discussed but there are competing desires; there are portability oddities here too. - --- server/core.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/server/core.c b/server/core.c -index eacb54f..7aa841f 100644 +index 090e397..3020090 100644 --- a/server/core.c +++ b/server/core.c -@@ -4965,6 +4965,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte +@@ -5107,6 +5107,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte } apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper, apr_pool_cleanup_null); @@ -47,5 +46,5 @@ index eacb54f..7aa841f 100644 } -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch b/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch index 081a02baa3..adb728ba31 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch @@ -1,8 +1,8 @@ -From ddd560024a6d526187fd126f306b59533ca3f7e2 Mon Sep 17 00:00:00 2001 +From 9c03ed909b8da0e1a288f53fda535a3f15bcf791 Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 -Subject: [PATCH] apache2: do not export apr/apr-util symbols when using - shared libapr +Subject: [PATCH] apache2: do not export apr/apr-util symbols when using shared + libapr There is no need to "suck in" the apr/apr-util symbols when using a shared libapr{,util}, it just bloats the symbol table; so don't. @@ -10,13 +10,12 @@ a shared libapr{,util}, it just bloats the symbol table; so don't. Upstream-Status: Pending Note: EXPORT_DIRS change is conditional on using shared apr - --- server/Makefile.in | 3 --- 1 file changed, 3 deletions(-) diff --git a/server/Makefile.in b/server/Makefile.in -index 1fa3344..f635d76 100644 +index 8111877..8c0c396 100644 --- a/server/Makefile.in +++ b/server/Makefile.in @@ -60,9 +60,6 @@ export_files: @@ -30,5 +29,5 @@ index 1fa3344..f635d76 100644 exports.c: export_files -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch b/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch index 78a04d9af4..3b080f54f6 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch @@ -1,4 +1,4 @@ -From dfa834ebd449df299f54e98f0fb3a7bb4008fb03 Mon Sep 17 00:00:00 2001 +From e47cc405eadcbe37a579c375e824e20a5c53bfad Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 Subject: [PATCH] Log the SELinux context at startup. @@ -15,10 +15,10 @@ Note: unlikely to be any interest in this upstream 2 files changed, 31 insertions(+) diff --git a/configure.in b/configure.in -index dc6ea15..caa6f54 100644 +index ea6cec3..92b74b7 100644 --- a/configure.in +++ b/configure.in -@@ -466,6 +466,11 @@ getloadavg +@@ -491,6 +491,11 @@ getloadavg dnl confirm that a void pointer is large enough to store a long integer APACHE_CHECK_VOID_PTR_LEN @@ -31,10 +31,10 @@ index dc6ea15..caa6f54 100644 [AC_TRY_RUN(#define _GNU_SOURCE #include <unistd.h> diff --git a/server/core.c b/server/core.c -index 7aa841f..79f34db 100644 +index 4da7209..d3ca25b 100644 --- a/server/core.c +++ b/server/core.c -@@ -59,6 +59,10 @@ +@@ -65,6 +65,10 @@ #include <unistd.h> #endif @@ -44,8 +44,8 @@ index 7aa841f..79f34db 100644 + /* LimitRequestBody handling */ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -@@ -4984,6 +4988,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte + #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ +@@ -5126,6 +5130,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte } #endif @@ -74,6 +74,3 @@ index 7aa841f..79f34db 100644 return OK; } --- -2.7.4 - diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch b/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch index 47320a9ee5..7b4a1b932b 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch @@ -1,4 +1,4 @@ -From 7db1b650bb4b01a5194a34cd7573f915656a595b Mon Sep 17 00:00:00 2001 +From e59aab44a28c654e518080693d573ca472ca5a08 Mon Sep 17 00:00:00 2001 From: Yulong Pei <Yulong.pei@windriver.com> Date: Thu, 1 Sep 2011 01:03:14 +0800 Subject: [PATCH] replace lynx to curl in apachectl script @@ -48,5 +48,5 @@ index 3281c2e..6ab4ba5 100644 *) $HTTPD "$@" -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch b/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch index 227d04064b..dbaf01d2c5 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch @@ -1,4 +1,4 @@ -From 4f4d7d6b88b6e440263ebeb22dfb40c52bb30fd8 Mon Sep 17 00:00:00 2001 +From fb09f1fe4525058b16b3d4edb2e3ae693154026e Mon Sep 17 00:00:00 2001 From: Zhenhua Luo <zhenhua.luo@freescale.com> Date: Fri, 25 Jan 2013 18:10:50 +0800 Subject: [PATCH] apache2: fix the race issue of parallel installation @@ -31,5 +31,5 @@ index e2d5bb6..dde5ae0 100755 pathcomp="$pathcomp/" done -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch b/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch index fed6b5010b..3ff6894409 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch @@ -1,4 +1,4 @@ -From 964ef2c1af74984602f46e7db938d3b95b148385 Mon Sep 17 00:00:00 2001 +From 0686564f64130f230870db8b4846973e3edbd646 Mon Sep 17 00:00:00 2001 From: Wenzong Fan <wenzong.fan@windriver.com> Date: Mon, 1 Dec 2014 02:08:27 -0500 Subject: [PATCH] apache2: allow to disable selinux support @@ -11,10 +11,10 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/configure.in b/configure.in -index caa6f54..eab2090 100644 +index 76811e7..4df3ff3 100644 --- a/configure.in +++ b/configure.in -@@ -466,10 +466,16 @@ getloadavg +@@ -491,10 +491,16 @@ getloadavg dnl confirm that a void pointer is large enough to store a long integer APACHE_CHECK_VOID_PTR_LEN @@ -36,5 +36,5 @@ index caa6f54..eab2090 100644 AC_CACHE_CHECK([for gettid()], ac_cv_gettid, [AC_TRY_RUN(#define _GNU_SOURCE -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch b/meta-webserver/recipes-httpd/apache2/apache2/0008-Fix-perl-install-directory-to-usr-bin.patch index 61669e3641..dc5b5c88f2 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0008-Fix-perl-install-directory-to-usr-bin.patch @@ -1,4 +1,4 @@ -From 5412077c398dec74321388fe6e593a44c4c80de6 Mon Sep 17 00:00:00 2001 +From 443d15b91d4e4979d92405610303797663f31102 Mon Sep 17 00:00:00 2001 From: echo <fei.geng@windriver.com> Date: Tue, 28 Apr 2009 03:11:06 +0000 Subject: [PATCH] Fix perl install directory to /usr/bin @@ -11,16 +11,15 @@ error: bad interpreter: No such file or directory Signed-off-by: Changqing Li <changqing.li@windriver.com> - --- configure.in | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/configure.in b/configure.in -index d828512..be7bd25 100644 +index 4df3ff3..4eeb609 100644 --- a/configure.in +++ b/configure.in -@@ -855,10 +855,7 @@ AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf", +@@ -903,10 +903,7 @@ AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf", AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "${rel_sysconfdir}/mime.types", [Location of the MIME types config file, relative to the Apache root directory]) @@ -32,3 +31,6 @@ index d828512..be7bd25 100644 AC_SUBST(perlbin) dnl If we are running on BSD/OS, we need to use the BSD .include syntax. +-- +2.25.1 + diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0001-support-apxs.in-force-destdir-to-be-empty-string.patch b/meta-webserver/recipes-httpd/apache2/apache2/0009-support-apxs.in-force-destdir-to-be-empty-string.patch index bdedd146c2..d1f9bb0f43 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0001-support-apxs.in-force-destdir-to-be-empty-string.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0009-support-apxs.in-force-destdir-to-be-empty-string.patch @@ -1,10 +1,10 @@ -From 705c0a7e9d9c1e64ee09fc0b54f6b5a4e27de1ca Mon Sep 17 00:00:00 2001 +From 43a4ad04e0d8771267a73f98b5918bcd10b167ec Mon Sep 17 00:00:00 2001 From: Trevor Gamblin <trevor.gamblin@windriver.com> Date: Fri, 17 Apr 2020 06:31:35 -0700 Subject: [PATCH] support/apxs.in: force destdir to be empty string -If destdir is assigned to anything other than the empty string, the -search path for apache2 config files is appended to itself, and +If destdir is assigned to anything other than the empty string, the +search path for apache2 config files is appended to itself, and related packages like apache-websocket will be unable to locate them: | cannot open @@ -24,7 +24,7 @@ Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/support/apxs.in b/support/apxs.in -index 65e1288527..9d96e33728 100644 +index b2705fa..781f2ab 100644 --- a/support/apxs.in +++ b/support/apxs.in @@ -28,10 +28,12 @@ package apxs; @@ -45,5 +45,5 @@ index 65e1288527..9d96e33728 100644 my %config_vars = (); -- -2.17.1 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch b/meta-webserver/recipes-httpd/apache2/apache2/0010-apache2-do-not-use-relative-path-for-gen_test_char.patch index 82e9e8c35f..ced8469f3a 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0010-apache2-do-not-use-relative-path-for-gen_test_char.patch @@ -1,16 +1,15 @@ -From b62c4cd2295c98b2ebe12641e5f01590bd96ae94 Mon Sep 17 00:00:00 2001 +From d9993cbc33565c0acd29b0127d651dafa2a16975 Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 Subject: [PATCH] apache2: do not use relative path for gen_test_char Upstream-Status: Inappropriate [embedded specific] - --- server/Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/Makefile.in b/server/Makefile.in -index f635d76..0d48924 100644 +index 8c0c396..3544f55 100644 --- a/server/Makefile.in +++ b/server/Makefile.in @@ -29,7 +29,7 @@ gen_test_char: $(gen_test_char_OBJECTS) @@ -23,5 +22,5 @@ index f635d76..0d48924 100644 util.lo: test_char.h -- -2.7.4 +2.25.1 diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.43.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.58.bb index a7083d80e9..746db4ac0a 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.43.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.58.bb @@ -13,12 +13,12 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ file://0005-replace-lynx-to-curl-in-apachectl-script.patch \ file://0006-apache2-fix-the-race-issue-of-parallel-installation.patch \ file://0007-apache2-allow-to-disable-selinux-support.patch \ - file://apache-configure_perlbin.patch \ - file://0001-support-apxs.in-force-destdir-to-be-empty-string.patch \ + file://0008-Fix-perl-install-directory-to-usr-bin.patch \ + file://0009-support-apxs.in-force-destdir-to-be-empty-string.patch \ " -SRC_URI_append_class-target = " \ - file://0008-apache2-do-not-use-relative-path-for-gen_test_char.patch \ +SRC_URI:append:class-target = " \ + file://0010-apache2-do-not-use-relative-path-for-gen_test_char.patch \ file://init \ file://apache2-volatile.conf \ file://apache2.service \ @@ -26,8 +26,7 @@ SRC_URI_append_class-target = " \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3" -SRC_URI[md5sum] = "791c986b1e70fe61eb44060aacc89a64" -SRC_URI[sha256sum] = "a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43" +SRC_URI[sha256sum] = "fa16d72a078210a54c47dd5bef2f8b9b8a01d94909a51453956b3ec6442ea4c5" S = "${WORKDIR}/httpd-${PV}" diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb index 7424467946..864e3ac7b1 100644 --- a/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb @@ -9,7 +9,7 @@ DEPENDS = "unzip-native libpcre openssl mysql5 ${@bb.utils.contains('DISTRO_FEAT SRCREV = "9a75e65b876bcc376cb6b379dca1f7ce4a055c59" PV = "1.2.104+git${SRCPV}" -SRC_URI = "git://github.com/cherokee/webserver \ +SRC_URI = "git://github.com/cherokee/webserver;branch=master;protocol=https \ file://cherokee.init \ file://cherokee.service \ file://cherokee-install-configured.py-once.patch \ diff --git a/meta-webserver/recipes-httpd/hiawatha/hiawatha_10.10.bb b/meta-webserver/recipes-httpd/hiawatha/hiawatha_10.10.bb index ed3df19390..2503f53166 100644 --- a/meta-webserver/recipes-httpd/hiawatha/hiawatha_10.10.bb +++ b/meta-webserver/recipes-httpd/hiawatha/hiawatha_10.10.bb @@ -6,7 +6,7 @@ DEPENDS = "libxml2 libxslt virtual/crypt" SECTION = "net" -SRC_URI = "http://hiawatha-webserver.org/files/${BP}.tar.gz \ +SRC_URI = "http://hiawatha-webserver.org/files/hiawatha-10/${BP}.tar.gz \ file://hiawatha-init \ file://hiawatha.service " diff --git a/meta-webserver/recipes-httpd/nginx/files/0001-HTTP-2-per-iteration-stream-handling-limit.patch b/meta-webserver/recipes-httpd/nginx/files/0001-HTTP-2-per-iteration-stream-handling-limit.patch new file mode 100644 index 0000000000..7dd1e721c0 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/0001-HTTP-2-per-iteration-stream-handling-limit.patch @@ -0,0 +1,92 @@ +From 2b9667f36551406169e3e2a6a774466ac70a83c0 Mon Sep 17 00:00:00 2001 +From: Maxim Dounin <mdounin@mdounin.ru> +Date: Tue, 10 Oct 2023 15:13:39 +0300 +Subject: [PATCH] HTTP/2: per-iteration stream handling limit. + +To ensure that attempts to flood servers with many streams are detected +early, a limit of no more than 2 * max_concurrent_streams new streams per one +event loop iteration was introduced. This limit is applied even if +max_concurrent_streams is not yet reached - for example, if corresponding +streams are handled synchronously or reset. + +Further, refused streams are now limited to maximum of max_concurrent_streams +and 100, similarly to priority_limit initial value, providing some tolerance +to clients trying to open several streams at the connection start, yet +low tolerance to flooding attempts. + +Upstream-Status: Backport +[https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9] + +Reduces the impact of HTTP/2 Stream Reset flooding in the nginx product +(CVE-2023-44487). + +See: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ + +This patch only reduces the impact and does not completely mitigate the CVE +in question, the latter being due to a design flaw in the HTTP/2 protocol +itself. For transparancy reasons I therefore opted to not mark the +CVE as resolved, so that integrators can decide for themselves, wheither to +enable HTTP/2 support or allow HTTP/1.1 connections only. + +Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu> +--- + src/http/v2/ngx_http_v2.c | 15 +++++++++++++++ + src/http/v2/ngx_http_v2.h | 2 ++ + 2 files changed, 17 insertions(+) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 3611a2e50..291677aca 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev) + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler"); + + h2c->blocked = 1; ++ h2c->new_streams = 0; + + if (c->close) { + c->close = 0; +@@ -1320,6 +1321,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + goto rst_stream; + } + ++ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many streams at once"); ++ ++ status = NGX_HTTP_V2_REFUSED_STREAM; ++ goto rst_stream; ++ } ++ + if (!h2c->settings_ack + && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG) + && h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW) +@@ -1385,6 +1394,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + + rst_stream: + ++ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many refused streams"); ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR); ++ } ++ + if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) { + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); + } +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 349229711..6a7aaa62c 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -125,6 +125,8 @@ struct ngx_http_v2_connection_s { + ngx_uint_t processing; + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t new_streams; ++ ngx_uint_t refused_streams; + ngx_uint_t priority_limit; + + ngx_uint_t pushing; +-- +2.42.1 + diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch new file mode 100644 index 0000000000..45653e422e --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch @@ -0,0 +1,39 @@ +From 6511195c023bf03e0fb19a36f41f42f4edde6e88 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov <ru@nginx.com> +Date: Mon, 23 Dec 2019 15:45:46 +0300 +Subject: [PATCH] Discard request body when redirecting to a URL via + error_page. + +Reported by Bert JW Regeer and Francisco Oca Gonzalez. + +Upstream-Status: Backport +CVE: CVE-2019-20372 + +Reference to upstream patch: +https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e + +Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> +--- + src/http/ngx_http_special_response.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c +index 4ffb2cc8..76e67058 100644 +--- a/src/http/ngx_http_special_response.c ++++ b/src/http/ngx_http_special_response.c +@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page) + return ngx_http_named_location(r, &uri); + } + ++ r->expect_tested = 1; ++ ++ if (ngx_http_discard_request_body(r) != NGX_OK) { ++ r->keepalive = 0; ++ } ++ + location = ngx_list_push(&r->headers_out.headers); + + if (location == NULL) { +-- +2.17.1 + diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch new file mode 100644 index 0000000000..a708033775 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch @@ -0,0 +1,46 @@ +From 7199ebc203f74fd9e44595474de6bdc41740c5cf Mon Sep 17 00:00:00 2001 +From: Maxim Dounin <mdounin@mdounin.ru> +Date: Tue, 25 May 2021 15:17:36 +0300 +Subject: [PATCH] Resolver: fixed off-by-one write in ngx_resolver_copy(). + +Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH. + +Upstream-Status: Backport +CVE: CVE-2021-23017 + +Reference to upstream patch: +https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf + +Signed-off-by: Catalin Enache <catalin.enache@windriver.com> +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + src/core/ngx_resolver.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c +index 79390701..63b26193 100644 +--- a/src/core/ngx_resolver.c ++++ b/src/core/ngx_resolver.c +@@ -4008,15 +4008,15 @@ done: + n = *src++; + + } else { ++ if (dst != name->data) { ++ *dst++ = '.'; ++ } ++ + ngx_strlow(dst, src, n); + dst += n; + src += n; + + n = *src++; +- +- if (n != 0) { +- *dst++ = '.'; +- } + } + + if (n == 0) { +-- +2.17.1 + diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch new file mode 100644 index 0000000000..3fab8bac6c --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch @@ -0,0 +1,89 @@ +From 6dafcdebde58577f4fcb190be46a0eb910cf1b96 Mon Sep 17 00:00:00 2001 +From: Maxim Dounin <mdounin@mdounin.ru> +Date: Wed, 19 May 2021 03:13:31 +0300 +Subject: [PATCH 1/1] Mail: max_errors directive. + +Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands +in Exim, specifies the number of errors after which the connection is closed. +Index: nginx-1.16.1/src/mail/ngx_mail.h +=================================================================== +--- nginx-1.16.1.orig/src/mail/ngx_mail.h ++++ nginx-1.16.1/src/mail/ngx_mail.h +@@ -113,6 +113,8 @@ typedef struct { + ngx_msec_t timeout; + ngx_msec_t resolver_timeout; + ++ ngx_uint_t max_errors; ++ + ngx_str_t server_name; + + u_char *file_name; +@@ -225,6 +227,7 @@ typedef struct { + ngx_uint_t command; + ngx_array_t args; + ++ ngx_uint_t errors; + ngx_uint_t login_attempt; + + /* used to parse POP3/IMAP/SMTP command */ +Index: nginx-1.16.1/src/mail/ngx_mail_core_module.c +=================================================================== +--- nginx-1.16.1.orig/src/mail/ngx_mail_core_module.c ++++ nginx-1.16.1/src/mail/ngx_mail_core_module.c +@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_comm + offsetof(ngx_mail_core_srv_conf_t, resolver_timeout), + NULL }, + ++ { ngx_string("max_errors"), ++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_num_slot, ++ NGX_MAIL_SRV_CONF_OFFSET, ++ offsetof(ngx_mail_core_srv_conf_t, max_errors), ++ NULL }, ++ + ngx_null_command + }; + +@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t + cscf->timeout = NGX_CONF_UNSET_MSEC; + cscf->resolver_timeout = NGX_CONF_UNSET_MSEC; + ++ cscf->max_errors = NGX_CONF_UNSET_UINT; ++ + cscf->resolver = NGX_CONF_UNSET_PTR; + + cscf->file_name = cf->conf_file->file.name.data; +@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t + ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout, + 30000); + ++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5); + + ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); + +Index: nginx-1.16.1/src/mail/ngx_mail_handler.c +=================================================================== +--- nginx-1.16.1.orig/src/mail/ngx_mail_handler.c ++++ nginx-1.16.1/src/mail/ngx_mail_handler.c +@@ -753,7 +753,20 @@ ngx_mail_read_command(ngx_mail_session_t + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ ++ s->errors++; ++ ++ if (s->errors >= cscf->max_errors) { ++ ngx_log_error(NGX_LOG_INFO, c->log, 0, ++ "client sent too many invalid commands"); ++ s->quit = 1; ++ } ++ ++ return rc; ++ } ++ ++ if (rc == NGX_IMAP_NEXT) { + return rc; + } + diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2022-41741-CVE-2022-41742.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2022-41741-CVE-2022-41742.patch new file mode 100644 index 0000000000..8a8a35b2dd --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2022-41741-CVE-2022-41742.patch @@ -0,0 +1,319 @@ +From 9563a2a08c007d78a6796b0232201bf7dc4a8103 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 16 Nov 2022 10:28:24 +0530 +Subject: [PATCH] CVE-2022-41741, CVE-2022-41742 + +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/6b022a5556af22b6e18532e547a6ae46b0d8c6ea] +CVE: CVE-2022-41741, CVE-2022-41742 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +Mp4: disabled duplicate atoms. + +Most atoms should not appear more than once in a container. Previously, +this was not enforced by the module, which could result in worker process +crash, memory corruption and disclosure. +--- + src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++ + 1 file changed, 147 insertions(+) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 618bf78..7b7184d 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -1076,6 +1076,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + return NGX_ERROR; + } + ++ if (mp4->ftyp_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 ftyp atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + ftyp_atom = ngx_palloc(mp4->request->pool, atom_size); +@@ -1134,6 +1140,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + return NGX_DECLINED; + } + ++ if (mp4->moov_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 moov atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module); + + if (atom_data_size > mp4->buffer_size) { +@@ -1201,6 +1213,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat atom"); + ++ if (mp4->mdat_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdat atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + data = &mp4->mdat_data_buf; + data->file = &mp4->file; + data->in_file = 1; +@@ -1327,6 +1345,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd atom"); + ++ if (mp4->mvhd_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mvhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom_header = ngx_mp4_atom_header(mp4); + mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header; + mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header; +@@ -1592,6 +1616,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 tkhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->tkhd_size = atom_size; + + ngx_mp4_set_32value(tkhd_atom->size, atom_size); +@@ -1630,6 +1661,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdia atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->mdia_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1753,6 +1790,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->mdhd_size = atom_size; + trak->timescale = timescale; + +@@ -1795,6 +1839,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 hdlr atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->hdlr_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1823,6 +1873,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 minf atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->minf_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1866,6 +1922,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 vmhd/smhd atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->vmhd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1897,6 +1962,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 vmhd/smhd atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->smhd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1928,6 +2002,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 dinf atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->dinf_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1956,6 +2036,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stbl atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->stbl_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -2024,6 +2110,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->stsd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -2092,6 +2184,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stts atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->time_to_sample_entries = entries; + + atom = &trak->stts_atom_buf; +@@ -2297,6 +2396,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "sync sample entries:%uD", entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stss atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sync_samples_entries = entries; + + atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t); +@@ -2495,6 +2601,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "composition offset entries:%uD", entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 ctts atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->composition_offset_entries = entries; + + atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t); +@@ -2698,6 +2811,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsc atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sample_to_chunk_entries = entries; + + atom = &trak->stsc_atom_buf; +@@ -3030,6 +3150,13 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "sample uniform size:%uD, entries:%uD", size, entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsz atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sample_sizes_entries = entries; + + atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t); +@@ -3199,6 +3326,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(uint32_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stco/co64 atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->chunks = entries; + + atom = &trak->stco_atom_buf; +@@ -3383,6 +3520,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(uint64_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stco/co64 atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->chunks = entries; + + atom = &trak->co64_atom_buf; +-- +2.25.1 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index de080a2b01..903a62b3d7 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc @@ -22,6 +22,8 @@ SRC_URI = " \ file://nginx-volatile.conf \ file://nginx.service \ file://nginx-fix-pidfile.patch \ + file://CVE-2021-23017.patch \ + file://CVE-2021-3618.patch \ " inherit siteinfo update-rc.d useradd systemd diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb index 207642575b..39cfd3a67b 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb @@ -4,3 +4,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=52e384aaac868b755b93ad5535e2d075" SRC_URI[md5sum] = "45a80f75336c980d240987badc3dcf60" SRC_URI[sha256sum] = "f11c2a6dd1d3515736f0324857957db2de98be862461b5a542a3ac6188dbe32b" + +SRC_URI += "file://CVE-2019-20372.patch \ + file://CVE-2022-41741-CVE-2022-41742.patch \ + file://0001-HTTP-2-per-iteration-stream-handling-limit.patch \ + " diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.17.8.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.17.8.bb index 3d2a5edd26..9fd6d73428 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.17.8.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.17.8.bb @@ -8,3 +8,5 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=52e384aaac868b755b93ad5535e2d075" SRC_URI[md5sum] = "29cd861a13aae69a058cbabaae86177b" SRC_URI[sha256sum] = "97d23ecf6d5150b30e284b40e8a6f7e3bb5be6b601e373a4d013768d5a25965b" + +SRC_URI += "file://0001-HTTP-2-per-iteration-stream-handling-limit.patch" diff --git a/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb b/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb index d13ef74feb..deb76ac95c 100644 --- a/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb +++ b/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.7.bb @@ -62,3 +62,6 @@ pkg_postinst_${PN} () { fi fi } + +PNBLACKLIST[nostromo] ?= "Host site for URI is dead" +EXCLUDE_FROM_WORLD = "1" diff --git a/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb b/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb index 560dd9b6e4..ab479d9ce5 100644 --- a/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb +++ b/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://src/thttpd.c;beginline=1;endline=26;md5=0c5762c2c34dc DEPENDS += "base-passwd virtual/crypt" SRCREV = "2845bf5bff2b820d2336c8c8061cbfc5f271e720" -SRC_URI = "git://github.com/blueness/${BPN} \ +SRC_URI = "git://github.com/blueness/${BPN};branch=master;protocol=https \ file://thttpd.service \ file://thttpd.conf \ file://init" diff --git a/meta-webserver/recipes-support/fcgi/fcgi_git.bb b/meta-webserver/recipes-support/fcgi/fcgi_git.bb index 6df58ad3c4..61ef6073e0 100644 --- a/meta-webserver/recipes-support/fcgi/fcgi_git.bb +++ b/meta-webserver/recipes-support/fcgi/fcgi_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.TERMS;md5=e3aacac3a647af6e7e31f181cda0a06a" SRCREV = "382aa2b0d53a87c27f2f647dfaf670375ba0b85f" PV = "2.4.2" -SRC_URI = "git://github.com/FastCGI-Archives/fcgi2.git;protocol=https \ +SRC_URI = "git://github.com/FastCGI-Archives/fcgi2.git;protocol=https;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-webserver/recipes-webadmin/netdata/netdata_git.bb b/meta-webserver/recipes-webadmin/netdata/netdata_git.bb index d6a5ce0662..ab9de70b3b 100644 --- a/meta-webserver/recipes-webadmin/netdata/netdata_git.bb +++ b/meta-webserver/recipes-webadmin/netdata/netdata_git.bb @@ -3,7 +3,7 @@ SUMMARY = "Real-time performance monitoring" LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://LICENSE;md5=fc9b848046ef54b5eaee6071947abd24" -SRC_URI = "git://github.com/firehol/netdata.git;protocol=https \ +SRC_URI = "git://github.com/firehol/netdata.git;protocol=https;branch=master \ file://0002-Makefiles-does-not-build-contrib-dir.patch \ " SRCREV = "588ce5a7b18999dfa66698cd3a2f005f7a3c31cf" diff --git a/meta-xfce/recipes-apps/xarchiver/xarchiver_git.bb b/meta-xfce/recipes-apps/xarchiver/xarchiver_git.bb index 64582f28f2..d76b0835fb 100644 --- a/meta-xfce/recipes-apps/xarchiver/xarchiver_git.bb +++ b/meta-xfce/recipes-apps/xarchiver/xarchiver_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" DEPENDS = "gtk+3 glib-2.0 xfce4-dev-tools-native intltool-native" -SRC_URI = "git://github.com/ib/xarchiver.git" +SRC_URI = "git://github.com/ib/xarchiver.git;branch=master;protocol=https" SRCREV = "9ab958a4023b62b43972c55a3143ff0722bd88a6" PV = "0.5.4.14" S = "${WORKDIR}/git" diff --git a/meta-xfce/recipes-apps/xfce-polkit/xfce-polkit_0.3.bb b/meta-xfce/recipes-apps/xfce-polkit/xfce-polkit_0.3.bb index 2ef81f286d..58e628deca 100644 --- a/meta-xfce/recipes-apps/xfce-polkit/xfce-polkit_0.3.bb +++ b/meta-xfce/recipes-apps/xfce-polkit/xfce-polkit_0.3.bb @@ -8,7 +8,7 @@ inherit xfce-app features_check REQUIRED_DISTRO_FEATURES = "polkit" SRC_URI = " \ - git://github.com/ncopa/${BPN}.git \ + git://github.com/ncopa/${BPN}.git;branch=master;protocol=https \ " SRCREV = "6d3282cc1734c305850d48f5bf4b4d94e88885e9" S = "${WORKDIR}/git" diff --git a/meta-xfce/recipes-apps/xfce4-datetime-setter/xfce4-datetime-setter_3.32.2.bb b/meta-xfce/recipes-apps/xfce4-datetime-setter/xfce4-datetime-setter_3.32.2.bb index 2dd3f01d8c..145a9cc400 100644 --- a/meta-xfce/recipes-apps/xfce4-datetime-setter/xfce4-datetime-setter_3.32.2.bb +++ b/meta-xfce/recipes-apps/xfce4-datetime-setter/xfce4-datetime-setter_3.32.2.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=75859989545e37968a99b631ef42722e" DEPENDS = "glib-2.0-native libxfce4ui" -SRC_URI = "git://github.com/schnitzeltony/xfce4-datetime-setter.git;protocol=https \ +SRC_URI = "git://github.com/schnitzeltony/xfce4-datetime-setter.git;protocol=https;branch=master \ file://fix-inner-dependency.patch \ " SRCREV = "5c7a73a3824b03b91719e05e2604b97c7a72d50f" diff --git a/meta-xfce/recipes-panel-plugins/closebutton/xfce4-closebutton-plugin_git.bb b/meta-xfce/recipes-panel-plugins/closebutton/xfce4-closebutton-plugin_git.bb index 8dfb2e626d..531f3d5cd0 100644 --- a/meta-xfce/recipes-panel-plugins/closebutton/xfce4-closebutton-plugin_git.bb +++ b/meta-xfce/recipes-panel-plugins/closebutton/xfce4-closebutton-plugin_git.bb @@ -9,7 +9,7 @@ DEPENDS += "exo-native libwnck3 xfconf" PV = "0.1.0+gitr${SRCPV}" -SRC_URI = "git://github.com/schnitzeltony/xfce4-closebutton-plugin.git;branch=master" +SRC_URI = "git://github.com/schnitzeltony/xfce4-closebutton-plugin.git;branch=master;protocol=https" SRCREV = "6ed5c3ee1ba7103ca854c5e81fb2c1220b913a40" S = "${WORKDIR}/git" |